forked from jan-leila/nix-config
simplified nginx config
This commit is contained in:
parent
4c430404b3
commit
2350eb43ec
6 changed files with 71 additions and 72 deletions
|
|
@ -51,7 +51,6 @@ nix multi user, multi system, configuration with `sops` secret management, `home
|
||||||
- syncthing folder passwords
|
- syncthing folder passwords
|
||||||
- nfs export should be backed by the same values for server and client
|
- nfs export should be backed by the same values for server and client
|
||||||
- move fail2ban configs out of fail2ban.nix and into configs for their respective services
|
- move fail2ban configs out of fail2ban.nix and into configs for their respective services
|
||||||
- nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy
|
|
||||||
## New Features
|
## New Features
|
||||||
- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
|
- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
|
||||||
- samba mounts
|
- samba mounts
|
||||||
|
|
|
||||||
|
|
@ -58,18 +58,14 @@ in {
|
||||||
host = {
|
host = {
|
||||||
reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = {
|
reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = {
|
||||||
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
|
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
|
||||||
websockets = true;
|
|
||||||
|
websockets.enable = true;
|
||||||
|
forwardHeaders.enable = true;
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
add_header Upgrade $http_upgrade;
|
add_header Upgrade $http_upgrade;
|
||||||
add_header Connection \"upgrade\";
|
add_header Connection \"upgrade\";
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header X-Forwarded-Host $server_name;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
|
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
|
|
||||||
proxy_read_timeout 90;
|
proxy_read_timeout 90;
|
||||||
|
|
|
||||||
|
|
@ -19,26 +19,19 @@ in {
|
||||||
host = {
|
host = {
|
||||||
reverse_proxy.subdomains.${config.host.immich.subdomain} = {
|
reverse_proxy.subdomains.${config.host.immich.subdomain} = {
|
||||||
target = "http://localhost:${toString config.services.immich.port}";
|
target = "http://localhost:${toString config.services.immich.port}";
|
||||||
|
|
||||||
|
websockets.enable = true;
|
||||||
|
forwardHeaders.enable = true;
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
# allow large file uploads
|
# allow large file uploads
|
||||||
client_max_body_size 50000M;
|
client_max_body_size 50000M;
|
||||||
|
|
||||||
# Set headers
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
|
|
||||||
# enable websockets: http://nginx.org/en/docs/http/websocket.html
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_redirect off;
|
|
||||||
|
|
||||||
# set timeout
|
# set timeout
|
||||||
proxy_read_timeout 600s;
|
proxy_read_timeout 600s;
|
||||||
proxy_send_timeout 600s;
|
proxy_send_timeout 600s;
|
||||||
send_timeout 600s;
|
send_timeout 600s;
|
||||||
|
proxy_redirect off;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
postgres = {
|
postgres = {
|
||||||
|
|
|
||||||
|
|
@ -31,45 +31,22 @@ in {
|
||||||
lib.mkMerge [
|
lib.mkMerge [
|
||||||
{
|
{
|
||||||
services.jellyfin.enable = true;
|
services.jellyfin.enable = true;
|
||||||
host.reverse_proxy.subdomains = lib.mkMerge ([
|
|
||||||
{
|
host.reverse_proxy.subdomains.jellyfin = {
|
||||||
${config.host.jellyfin.subdomain} = {
|
|
||||||
target = "http://localhost:${toString jellyfinPort}";
|
target = "http://localhost:${toString jellyfinPort}";
|
||||||
|
|
||||||
|
subdomain = config.host.jellyfin.subdomain;
|
||||||
|
extraSubdomains = config.host.jellyfin.extraSubdomains;
|
||||||
|
|
||||||
|
forwardHeaders.enable = true;
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
client_max_body_size 20M;
|
client_max_body_size 20M;
|
||||||
add_header X-Content-Type-Options "nosniff";
|
add_header X-Content-Type-Options "nosniff";
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
|
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
|
||||||
]
|
|
||||||
++ (builtins.map (subdomain: {
|
|
||||||
${subdomain} = {
|
|
||||||
target = "http://localhost:${toString jellyfinPort}";
|
|
||||||
extraConfig = ''
|
|
||||||
client_max_body_size 20M;
|
|
||||||
add_header X-Content-Type-Options "nosniff";
|
|
||||||
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $http_host;
|
|
||||||
|
|
||||||
proxy_buffering off;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
})
|
|
||||||
config.host.jellyfin.extraSubdomains));
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
pkgs.jellyfin
|
pkgs.jellyfin
|
||||||
pkgs.jellyfin-web
|
pkgs.jellyfin-web
|
||||||
|
|
|
||||||
|
|
@ -24,13 +24,28 @@ in {
|
||||||
default = true;
|
default = true;
|
||||||
};
|
};
|
||||||
subdomains = lib.mkOption {
|
subdomains = lib.mkOption {
|
||||||
type = lib.types.attrsOf (lib.types.submodule ({...}: {
|
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
|
||||||
options = {
|
options = {
|
||||||
|
subdomain = lib.mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "what is the default subdomain to be used for this application to be used for";
|
||||||
|
default = name;
|
||||||
|
};
|
||||||
|
extraSubdomains = lib.mkOption {
|
||||||
|
type = lib.types.listOf lib.types.str;
|
||||||
|
description = "extra domains that should be configured for this domain";
|
||||||
|
default = [];
|
||||||
|
};
|
||||||
|
|
||||||
target = lib.mkOption {
|
target = lib.mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "where should this host point to";
|
description = "what url will all traffic to this application be forwarded to";
|
||||||
};
|
};
|
||||||
websockets = lib.mkEnableOption "should websockets be proxied";
|
|
||||||
|
websockets.enable = lib.mkEnableOption "should the default config proxy websockets";
|
||||||
|
|
||||||
|
forwardHeaders.enable = lib.mkEnableOption "should the default config contain forward headers";
|
||||||
|
|
||||||
extraConfig = lib.mkOption {
|
extraConfig = lib.mkOption {
|
||||||
type = lib.types.lines;
|
type = lib.types.lines;
|
||||||
default = "";
|
default = "";
|
||||||
|
|
@ -40,7 +55,6 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}));
|
}));
|
||||||
default = {};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
@ -53,17 +67,36 @@ in {
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts = lib.attrsets.mapAttrs' (name: value:
|
virtualHosts = lib.mkMerge (
|
||||||
lib.attrsets.nameValuePair "${name}.${config.host.reverse_proxy.hostname}" {
|
lib.lists.flatten (
|
||||||
|
lib.attrsets.mapAttrsToList (
|
||||||
|
name: value: let
|
||||||
|
hostConfig = {
|
||||||
forceSSL = config.host.reverse_proxy.forceSSL;
|
forceSSL = config.host.reverse_proxy.forceSSL;
|
||||||
enableACME = config.host.reverse_proxy.enableACME;
|
enableACME = config.host.reverse_proxy.enableACME;
|
||||||
locations."/" = {
|
locations = {
|
||||||
|
"/" = {
|
||||||
proxyPass = value.target;
|
proxyPass = value.target;
|
||||||
proxyWebsockets = value.websockets;
|
proxyWebsockets = value.websockets.enable;
|
||||||
extraConfig = value.extraConfig;
|
recommendedProxySettings = value.forwardHeaders.enable;
|
||||||
|
extraConfig =
|
||||||
|
value.extraConfig;
|
||||||
};
|
};
|
||||||
})
|
};
|
||||||
config.host.reverse_proxy.subdomains;
|
};
|
||||||
|
in (
|
||||||
|
[
|
||||||
|
{
|
||||||
|
${"${value.subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig;
|
||||||
|
}
|
||||||
|
]
|
||||||
|
++ builtins.map (subdomain: {${"${subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig;})
|
||||||
|
value.extraSubdomains
|
||||||
|
)
|
||||||
|
)
|
||||||
|
config.host.reverse_proxy.subdomains
|
||||||
|
)
|
||||||
|
);
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
|
|
||||||
|
|
@ -20,7 +20,8 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
host = {
|
host = {
|
||||||
reverse_proxy.subdomains.${config.host.searx.subdomain} = {
|
reverse_proxy.subdomains.searx = {
|
||||||
|
subdomain = config.host.searx.subdomain;
|
||||||
target = "http://localhost:${toString config.services.searx.settings.server.port}";
|
target = "http://localhost:${toString config.services.searx.settings.server.port}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue