Host multiple webservers as subdirs of one domain

I want to organize several web servers, isolated with NixOS containers, to be available as either subdirs of the same domain or as subdomains.

The latter part I got some idea about from this question: Reverse Proxy with multiple subdir - #3 by Smithoo4

But the first part is a bit complicated for me. I want those nixos-containers to be configured in a way that nothing is exposed to the host, only to a container with nginx that forwards things to and from those containers.

But I do not have much idea how to achieve that. The NixOS wiki page on NixOS containers does not seem to provide many details about network configuration possibilities for the containers.

On top of that, I lack the base knowledge of how those things should be properly organized manually.


What do you actually mean by that? Do you want to serve basic websites (html + js) or are we talking about something else?

Generally what you want to do is to let the server listen on 127.0.0.1:<somePort>. Then you use the example from your first link to expose that as a subdomain. The server/service is not directly reachable from outside the host when you only bind it like above. All the traffic will go via the reverse proxy.


The idea was to host different services, maybe Nextcloud on one location, Jitsi on another, a basic website on a third, etc.

I understand that, just like in the link.

But I want to better isolate things, to have every service live in its own NixOS container, with them not knowing about each other, even through just an exposed port. Only the nginx/caddy container will know about the other containers in this idea.

Sorry I have a hard time following you. What do you mean by location? Do you mean different machines that run those services?

What is your intention? Many/Most/All services already are quite isolated as they are run as systemd services with dedicated users or even dynamic ones. If you want to know more you need to take a look at the source of each service (e.g. nextcloud: nixpkgs/nixos/modules/services/web-apps/nextcloud.nix at 4c1018dae018162ec878d42fec712642d214fdfa · NixOS/nixpkgs · GitHub, maybe not the easiest example). I doubt that this is your weakest link in your threat model though.

I may be using the wrong terminology here. What I mean is:

www.example.com/nextcloud or nextcloud.example.com leads to the nextcloud instance,

www.example.com/jitsi or jitsi.example.com leads to the Jitsi instance,

www.example.com/secrethamsterexperiments or secrethamsterexperiments.example.com leads to my underground cooking blog or something.

Education. Learning how to configure (especially with Nix) what I described in terms of NixOS containers.

I'm sorry, but I think your question(s) are way too broad to help you. I don't know where to start to help you.

Do you already have a domain that points to a machine that is reachable from the internet via a static IP? Do you need help setting up the reverse proxy? Is the service already running on that machine and is it already working? Can you connect to it? What did you try that is not working?

OK, I spent some time figuring out the basics to at least replicate the thing with basic systemd services.

For example, with the default systemd services to have both Nextcloud and Jitsi, I can just write subdomained addresses to the hostName options of each service, and everything will work as needed.

Now, the isolation of those systemd services is not consistent. Sometimes it's pretty tight, sometimes it's not and requires hardening.

So the next step of the original plan would be to isolate each of the services inside a nixos-container. And then (the hardest part for me) make it so that the network is correctly isolated, and each container sees neither the host's network nor the other containers' networks.

From a security perspective this is a bad idea, because these apps will share the same origin and therefore share a session and security scope in browsers.


but in case of using subdomains - this is not an issue, right?

Yep, that is correct.
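Putting the thread's advice together (services bound away from the public interface, one subdomain per service so browser origins stay separate, only the reverse proxy exposed), here is an added NixOS configuration sketch; it is not from the thread and the domain names, addresses and the `mkWebContainer` helper are placeholders of mine. Each container gets its own network namespace via `privateNetwork`, and the host's nginx proxies each subdomain to the container's private address; whether containers can reach each other through the host depends on the host's forwarding and NAT setup, which this snippet does not configure.

```nix
# Added example, not the forum poster's or NixOS project code.
# Two isolated NixOS containers behind one host nginx, one subdomain each.
{ config, pkgs, ... }:
let
  # Helper (assumed name): a container that serves a static page on port 80
  # and only opens that port on its own veth interface.
  mkWebContainer = { hostAddr, localAddr, page }: {
    autoStart = true;
    privateNetwork = true;        # own netns; a veth pair is its only link
    hostAddress = hostAddr;       # host side of the veth
    localAddress = localAddr;     # container side of the veth
    config = { ... }: {
      networking.firewall.allowedTCPPorts = [ 80 ];   # nothing else listens
      services.nginx = {
        enable = true;
        virtualHosts.localhost.root = pkgs.writeTextDir "index.html" page;
      };
      system.stateVersion = "23.11";
    };
  };
in {
  containers.blog = mkWebContainer {
    hostAddr = "10.231.1.1"; localAddr = "10.231.1.2";
    page = "<h1>blog</h1>";
  };
  containers.wiki = mkWebContainer {
    hostAddr = "10.231.2.1"; localAddr = "10.231.2.2";
    page = "<h1>wiki</h1>";
  };

  # Only the reverse proxy is reachable from outside the host.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    virtualHosts = {
      # Separate hostnames keep the two apps in separate browser origins.
      "blog.example.com" = {
        enableACME = true; forceSSL = true;
        locations."/".proxyPass = "http://10.231.1.2:80";
      };
      "wiki.example.com" = {
        enableACME = true; forceSSL = true;
        locations."/".proxyPass = "http://10.231.2.2:80";
      };
    };
  };
  security.acme = { acceptTerms = true; defaults.email = "admin@example.com"; };
}
```

Check from the host with `curl -H 'Host: blog.example.com' http://10.231.1.2/` (reaches the container) and confirm from outside that only ports 80 and 443 answer.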