diff --git a/configurations/nixos/defiant/configuration.nix b/configurations/nixos/defiant/configuration.nix index 6908eb7..91a8c2c 100644 --- a/configurations/nixos/defiant/configuration.nix +++ b/configurations/nixos/defiant/configuration.nix @@ -102,11 +102,6 @@ directories = ["leyla_documents" "eve_documents" "users_documents" "media"]; }; }; - reverse_proxy = { - enable = true; - enableACME = true; - hostname = "jan-leila.com"; - }; postgres = { extraUsers = { leyla = { @@ -237,6 +232,16 @@ gnome.enable = true; }; + # Enable new reverse proxy system + reverseProxy = { + enable = true; + openFirewall = true; + acme = { + enable = true; + email = "jan-leila@protonmail.com"; + }; + }; + ollama = { enable = true; exposePort = true; @@ -294,33 +299,33 @@ jellyfin = { enable = true; - subdomain = "media"; - extraSubdomains = ["jellyfin"]; + domain = "media.jan-leila.com"; + extraDomains = ["jellyfin.jan-leila.com"]; }; immich = { enable = true; - subdomain = "photos"; + domain = "photos.jan-leila.com"; }; forgejo = { enable = true; - subdomain = "git"; + domain = "git.jan-leila.com"; }; searx = { enable = true; - subdomain = "search"; + domain = "search.jan-leila.com"; }; actual = { enable = false; - subdomain = "budget"; + domain = "budget.jan-leila.com"; }; home-assistant = { enable = true; - subdomain = "home"; + domain = "home.jan-leila.com"; openFirewall = true; database = "postgres"; @@ -333,7 +338,7 @@ paperless = { enable = true; - subdomain = "documents"; + domain = "documents.jan-leila.com"; passwordFile = config.sops.secrets."services/paperless_password".path; }; diff --git a/modules/nixos-modules/server/actual/proxy.nix b/modules/nixos-modules/server/actual/proxy.nix index 6ca51e4..bf1711a 100644 --- a/modules/nixos-modules/server/actual/proxy.nix +++ b/modules/nixos-modules/server/actual/proxy.nix @@ -4,17 +4,26 @@ ... }: { options.services.actual = { - subdomain = lib.mkOption { + domain = lib.mkOption { type = lib.types.str; - default = "actual"; - description = "subdomain of base domain that actual will be hosted at"; + description = "domain that actual will be hosted at"; + default = "actual.arpa"; + }; + extraDomains = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = "extra domains that should be configured for actual"; + default = []; }; }; - config = lib.mkIf (config.services.actual.enable && config.host.reverse_proxy.enable) { - host = { - reverse_proxy.subdomains.${config.services.actual.subdomain} = { - target = "http://localhost:${toString config.services.actual.settings.port}"; + config = lib.mkIf (config.services.actual.enable && config.services.reverseProxy.enable) { + services.reverseProxy.services.actual = { + target = "http://localhost:${toString config.services.actual.settings.port}"; + domain = config.services.actual.domain; + extraDomains = config.services.actual.extraDomains; + + settings = { + forwardHeaders.enable = true; }; }; }; diff --git a/modules/nixos-modules/server/bazarr/default.nix b/modules/nixos-modules/server/bazarr/default.nix index f39d940..86dbb4b 100644 --- a/modules/nixos-modules/server/bazarr/default.nix +++ b/modules/nixos-modules/server/bazarr/default.nix @@ -1,6 +1,5 @@ {...}: { imports = [ - ./proxy.nix ./impermanence.nix ]; } diff --git a/modules/nixos-modules/server/bazarr/proxy.nix b/modules/nixos-modules/server/bazarr/proxy.nix deleted file mode 100644 index fe310d8..0000000 --- a/modules/nixos-modules/server/bazarr/proxy.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - lib, - config, - ... -}: { - options.services.bazarr = { - subdomain = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "Subdomain for reverse proxy. If null, service will be local only."; - }; - extraSubdomains = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - description = "Extra subdomains for reverse proxy."; - }; - }; - - config = lib.mkIf (config.services.bazarr.enable && config.services.bazarr.subdomain != null) { - host.reverse_proxy.subdomains.bazarr = { - subdomain = config.services.bazarr.subdomain; - extraSubdomains = config.services.bazarr.extraSubdomains; - target = "http://127.0.0.1:6767"; - websockets.enable = true; - forwardHeaders.enable = true; - }; - }; -} diff --git a/modules/nixos-modules/server/default.nix b/modules/nixos-modules/server/default.nix index 57874d5..4981f28 100644 --- a/modules/nixos-modules/server/default.nix +++ b/modules/nixos-modules/server/default.nix @@ -1,6 +1,6 @@ {...}: { imports = [ - ./reverse_proxy.nix + ./reverseProxy ./fail2ban.nix ./postgres.nix ./network_storage diff --git a/modules/nixos-modules/server/flaresolverr/default.nix b/modules/nixos-modules/server/flaresolverr/default.nix index f39d940..86dbb4b 100644 --- a/modules/nixos-modules/server/flaresolverr/default.nix +++ b/modules/nixos-modules/server/flaresolverr/default.nix @@ -1,6 +1,5 @@ {...}: { imports = [ - ./proxy.nix ./impermanence.nix ]; } diff --git a/modules/nixos-modules/server/flaresolverr/proxy.nix b/modules/nixos-modules/server/flaresolverr/proxy.nix deleted file mode 100644 index 5b8dd4c..0000000 --- a/modules/nixos-modules/server/flaresolverr/proxy.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - lib, - config, - ... -}: { - options.services.flaresolverr = { - subdomain = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "Subdomain for reverse proxy. If null, service will be local only."; - }; - extraSubdomains = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - description = "Extra subdomains for reverse proxy."; - }; - }; - - config = lib.mkIf (config.services.flaresolverr.enable && config.services.flaresolverr.subdomain != null) { - host.reverse_proxy.subdomains.flaresolverr = { - subdomain = config.services.flaresolverr.subdomain; - extraSubdomains = config.services.flaresolverr.extraSubdomains; - target = "http://127.0.0.1:${toString config.services.flaresolverr.port}"; - websockets.enable = true; - forwardHeaders.enable = true; - }; - }; -} diff --git a/modules/nixos-modules/server/forgejo/default.nix b/modules/nixos-modules/server/forgejo/default.nix index 1fdc8d9..5d0e7ad 100644 --- a/modules/nixos-modules/server/forgejo/default.nix +++ b/modules/nixos-modules/server/forgejo/default.nix @@ -31,7 +31,7 @@ in { lfs.enable = true; settings = { server = { - DOMAIN = "${config.services.forgejo.subdomain}.${config.host.reverse_proxy.hostname}"; + DOMAIN = config.services.forgejo.reverseProxy.domain; HTTP_PORT = httpPort; START_SSH_SERVER = true; SSH_LISTEN_PORT = sshPort; diff --git a/modules/nixos-modules/server/forgejo/proxy.nix b/modules/nixos-modules/server/forgejo/proxy.nix index 51f769d..bde59d1 100644 --- a/modules/nixos-modules/server/forgejo/proxy.nix +++ b/modules/nixos-modules/server/forgejo/proxy.nix @@ -7,16 +7,29 @@ httpPort = const.httpPort; in { options.services.forgejo = { - subdomain = lib.mkOption { - type = lib.types.str; - description = "subdomain of base domain that forgejo will be hosted at"; - default = "forgejo"; + reverseProxy = { + domain = lib.mkOption { + type = lib.types.str; + description = "domain that forgejo will be hosted at"; + default = "git.jan-leila.com"; + }; + extraDomains = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = "extra domains that should be configured for forgejo"; + default = []; + }; }; }; - config = lib.mkIf (config.services.forgejo.enable && config.host.reverse_proxy.enable) { - host.reverse_proxy.subdomains.${config.services.forgejo.subdomain} = { + config = lib.mkIf (config.services.forgejo.enable && config.services.reverseProxy.enable) { + services.reverseProxy.services.forgejo = { target = "http://localhost:${toString httpPort}"; + domain = config.services.forgejo.reverseProxy.domain; + extraDomains = config.services.forgejo.reverseProxy.extraDomains; + + settings = { + forwardHeaders.enable = true; + }; }; networking.firewall.allowedTCPPorts = [ diff --git a/modules/nixos-modules/server/home-assistant/default.nix b/modules/nixos-modules/server/home-assistant/default.nix index 83d8ba7..4b1846b 100644 --- a/modules/nixos-modules/server/home-assistant/default.nix +++ b/modules/nixos-modules/server/home-assistant/default.nix @@ -82,7 +82,7 @@ login_attempts_threshold = 10; }; homeassistant = { - external_url = "https://${config.services.home-assistant.subdomain}.${config.host.reverse_proxy.hostname}"; + external_url = "https://${config.services.home-assistant.domain}"; # internal_url = "http://192.168.1.2:8123"; }; recorder.db_url = "postgresql://@/${config.services.home-assistant.configDir}"; diff --git a/modules/nixos-modules/server/home-assistant/proxy.nix b/modules/nixos-modules/server/home-assistant/proxy.nix index ba8f20d..1075c59 100644 --- a/modules/nixos-modules/server/home-assistant/proxy.nix +++ b/modules/nixos-modules/server/home-assistant/proxy.nix @@ -4,29 +4,33 @@ ... }: { options.services.home-assistant = { - subdomain = lib.mkOption { + domain = lib.mkOption { type = lib.types.str; - description = "subdomain of base domain that home-assistant will be hosted at"; - default = "home-assistant"; + description = "domain that home-assistant will be hosted at"; + default = "home-assistant.arpa"; + }; + extraDomains = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = "extra domains that should be configured for home-assistant"; + default = []; }; }; - config = lib.mkIf (config.host.reverse_proxy.enable && config.services.home-assistant.enable) { - host = { - reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = { - target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; + config = lib.mkIf (config.services.reverseProxy.enable && config.services.home-assistant.enable) { + services.reverseProxy.services.home-assistant = { + target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; + domain = config.services.home-assistant.domain; + extraDomains = config.services.home-assistant.extraDomains; - websockets.enable = true; + settings = { + proxyWebsockets.enable = true; forwardHeaders.enable = true; - extraConfig = '' - add_header Upgrade $http_upgrade; - add_header Connection \"upgrade\"; - - proxy_buffering off; - - proxy_read_timeout 90; - ''; + # Custom timeout settings + proxyHeaders = { + enable = true; + timeout = 90; + }; }; }; }; diff --git a/modules/nixos-modules/server/immich/proxy.nix b/modules/nixos-modules/server/immich/proxy.nix index dae2420..a50ea1e 100644 --- a/modules/nixos-modules/server/immich/proxy.nix +++ b/modules/nixos-modules/server/immich/proxy.nix @@ -4,31 +4,34 @@ ... }: { options.services.immich = { - subdomain = lib.mkOption { + domain = lib.mkOption { type = lib.types.str; - description = "subdomain of base domain that immich will be hosted at"; - default = "immich"; + description = "domain that immich will be hosted at"; + default = "immich.arpa"; + }; + extraDomains = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = "extra domains that should be configured for immich"; + default = []; }; }; - config = lib.mkIf (config.services.immich.enable && config.host.reverse_proxy.enable) { - host = { - reverse_proxy.subdomains.${config.services.immich.subdomain} = { - target = "http://localhost:${toString config.services.immich.port}"; + config = lib.mkIf (config.services.immich.enable && config.services.reverseProxy.enable) { + services.reverseProxy.services.immich = { + target = "http://localhost:${toString config.services.immich.port}"; + domain = config.services.immich.domain; + extraDomains = config.services.immich.extraDomains; - websockets.enable = true; + settings = { + proxyWebsockets.enable = true; forwardHeaders.enable = true; + maxBodySize = 50000; - extraConfig = '' - # allow large file uploads - client_max_body_size 50000M; - - # set timeout - proxy_read_timeout 600s; - proxy_send_timeout 600s; - send_timeout 600s; - proxy_redirect off; - ''; + # Custom timeout settings + proxyHeaders = { + enable = true; + timeout = 600; + }; }; }; }; diff --git a/modules/nixos-modules/server/jackett/default.nix b/modules/nixos-modules/server/jackett/default.nix index f39d940..86dbb4b 100644 --- a/modules/nixos-modules/server/jackett/default.nix +++ b/modules/nixos-modules/server/jackett/default.nix @@ -1,6 +1,5 @@ {...}: { imports = [ - ./proxy.nix ./impermanence.nix ]; } diff --git a/modules/nixos-modules/server/jackett/proxy.nix b/modules/nixos-modules/server/jackett/proxy.nix deleted file mode 100644 index af5fa79..0000000 --- a/modules/nixos-modules/server/jackett/proxy.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - lib, - config, - ... -}: { - options.services.jackett = { - subdomain = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "Subdomain for reverse proxy. If null, service will be local only."; - }; - extraSubdomains = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - description = "Extra subdomains for reverse proxy."; - }; - }; - - config = lib.mkIf (config.services.jackett.enable && config.services.jackett.subdomain != null) { - host.reverse_proxy.subdomains.jackett = { - subdomain = config.services.jackett.subdomain; - extraSubdomains = config.services.jackett.extraSubdomains; - target = "http://127.0.0.1:9117"; - websockets.enable = true; - forwardHeaders.enable = true; - }; - }; -} diff --git a/modules/nixos-modules/server/jellyfin/proxy.nix b/modules/nixos-modules/server/jellyfin/proxy.nix index 1020a19..f803ecb 100644 --- a/modules/nixos-modules/server/jellyfin/proxy.nix +++ b/modules/nixos-modules/server/jellyfin/proxy.nix @@ -6,33 +6,30 @@ jellyfinPort = 8096; in { options.services.jellyfin = { - subdomain = lib.mkOption { + domain = lib.mkOption { type = lib.types.str; - description = "subdomain of base domain that jellyfin will be hosted at"; - default = "jellyfin"; + description = "domain that jellyfin will be hosted at"; + default = "jellyfin.arpa"; }; - extraSubdomains = lib.mkOption { + extraDomains = lib.mkOption { type = lib.types.listOf lib.types.str; - description = "ex subdomain of base domain that jellyfin will be hosted at"; + description = "extra domains that should be configured for jellyfin"; default = []; }; }; - config = lib.mkIf (config.services.jellyfin.enable && config.host.reverse_proxy.enable) { - host.reverse_proxy.subdomains.jellyfin = { + config = lib.mkIf (config.services.jellyfin.enable && config.services.reverseProxy.enable) { + services.reverseProxy.services.jellyfin = { target = "http://localhost:${toString jellyfinPort}"; + domain = config.services.jellyfin.domain; + extraDomains = config.services.jellyfin.extraDomains; - subdomain = config.services.jellyfin.subdomain; - extraSubdomains = config.services.jellyfin.extraSubdomains; - - forwardHeaders.enable = true; - - extraConfig = '' - client_max_body_size 20M; - add_header X-Content-Type-Options "nosniff"; - - proxy_buffering off; - ''; + settings = { + forwardHeaders.enable = true; + maxBodySize = 20; + noSniff.enable = true; + proxyBuffering.enable = false; + }; }; }; } diff --git a/modules/nixos-modules/server/lidarr/default.nix b/modules/nixos-modules/server/lidarr/default.nix index f39d940..86dbb4b 100644 --- a/modules/nixos-modules/server/lidarr/default.nix +++ b/modules/nixos-modules/server/lidarr/default.nix @@ -1,6 +1,5 @@ {...}: { imports = [ - ./proxy.nix ./impermanence.nix ]; } diff --git a/modules/nixos-modules/server/lidarr/proxy.nix b/modules/nixos-modules/server/lidarr/proxy.nix deleted file mode 100644 index 0146ccf..0000000 --- a/modules/nixos-modules/server/lidarr/proxy.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - lib, - config, - ... -}: { - options.services.lidarr = { - subdomain = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "Subdomain for reverse proxy. If null, service will be local only."; - }; - extraSubdomains = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - description = "Extra subdomains for reverse proxy."; - }; - }; - - config = lib.mkIf (config.services.lidarr.enable && config.services.lidarr.subdomain != null) { - host.reverse_proxy.subdomains.lidarr = { - subdomain = config.services.lidarr.subdomain; - extraSubdomains = config.services.lidarr.extraSubdomains; - target = "http://127.0.0.1:8686"; - websockets.enable = true; - forwardHeaders.enable = true; - }; - }; -} diff --git a/modules/nixos-modules/server/panoramax/proxy.nix b/modules/nixos-modules/server/panoramax/proxy.nix index 79f9326..35bc79b 100644 --- a/modules/nixos-modules/server/panoramax/proxy.nix +++ b/modules/nixos-modules/server/panoramax/proxy.nix @@ -4,31 +4,29 @@ ... }: { options.services.panoramax = { - subdomain = lib.mkOption { + domain = lib.mkOption { type = lib.types.str; - description = "subdomain of base domain that panoramax will be hosted at"; - default = "panoramax"; + description = "domain that panoramax will be hosted at"; + default = "panoramax.arpa"; + }; + extraDomains = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = "extra domains that should be configured for panoramax"; + default = []; }; }; - config = lib.mkIf (config.services.panoramax.enable && config.host.reverse_proxy.enable) { - host = { - reverse_proxy.subdomains.${config.services.panoramax.subdomain} = { - target = "http://localhost:${toString config.services.panoramax.port}"; + config = lib.mkIf (config.services.panoramax.enable && config.services.reverseProxy.enable) { + services.reverseProxy.services.panoramax = { + target = "http://localhost:${toString config.services.panoramax.port}"; + domain = config.services.panoramax.domain; + extraDomains = config.services.panoramax.extraDomains; - websockets.enable = true; + settings = { + proxyWebsockets.enable = true; forwardHeaders.enable = true; - - extraConfig = '' - # allow large file uploads for panoramic images - client_max_body_size 100M; - - # set timeout for image processing - proxy_read_timeout 300s; - proxy_send_timeout 300s; - send_timeout 300s; - proxy_redirect off; - ''; + maxBodySize = 100000; + timeout = 300; }; }; }; diff --git a/modules/nixos-modules/server/paperless/default.nix b/modules/nixos-modules/server/paperless/default.nix index a6878eb..d2bc930 100644 --- a/modules/nixos-modules/server/paperless/default.nix +++ b/modules/nixos-modules/server/paperless/default.nix @@ -22,7 +22,6 @@ config = lib.mkIf config.services.paperless.enable { services.paperless = { - domain = "${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}"; configureTika = true; settings = { PAPERLESS_DBENGINE = "postgresql"; diff --git a/modules/nixos-modules/server/paperless/proxy.nix b/modules/nixos-modules/server/paperless/proxy.nix index 2910f07..e79c8d9 100644 --- a/modules/nixos-modules/server/paperless/proxy.nix +++ b/modules/nixos-modules/server/paperless/proxy.nix @@ -4,25 +4,30 @@ ... }: { options.services.paperless = { - subdomain = lib.mkOption { - type = lib.types.str; - description = "subdomain of base domain that paperless will be hosted at"; - default = "paperless"; + reverseProxy = { + domain = lib.mkOption { + type = lib.types.str; + description = "domain that paperless will be hosted at"; + default = "paperless.arpa"; + }; + extraDomains = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = "extra domains that should be configured for paperless"; + default = []; + }; }; }; - config = lib.mkIf (config.services.paperless.enable && config.host.reverse_proxy.enable) { - host = { - reverse_proxy.subdomains.${config.services.paperless.subdomain} = { - target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}"; + config = lib.mkIf (config.services.paperless.enable && config.services.reverseProxy.enable) { + services.reverseProxy.services.paperless = { + target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}"; + domain = config.services.paperless.reverseProxy.domain; + extraDomains = config.services.paperless.reverseProxy.extraDomains; - websockets.enable = true; + settings = { + proxyWebsockets.enable = true; forwardHeaders.enable = true; - - extraConfig = '' - # allow large file uploads - client_max_body_size 50000M; - ''; + maxBodySize = 50000; }; }; }; diff --git a/modules/nixos-modules/server/radarr/default.nix b/modules/nixos-modules/server/radarr/default.nix index f39d940..86dbb4b 100644 --- a/modules/nixos-modules/server/radarr/default.nix +++ b/modules/nixos-modules/server/radarr/default.nix @@ -1,6 +1,5 @@ {...}: { imports = [ - ./proxy.nix ./impermanence.nix ]; } diff --git a/modules/nixos-modules/server/radarr/proxy.nix b/modules/nixos-modules/server/radarr/proxy.nix deleted file mode 100644 index ec5f575..0000000 --- a/modules/nixos-modules/server/radarr/proxy.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - lib, - config, - ... -}: { - options.services.radarr = { - subdomain = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "Subdomain for reverse proxy. If null, service will be local only."; - }; - extraSubdomains = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - description = "Extra subdomains for reverse proxy."; - }; - }; - - config = lib.mkIf (config.services.radarr.enable && config.services.radarr.subdomain != null) { - host.reverse_proxy.subdomains.radarr = { - subdomain = config.services.radarr.subdomain; - extraSubdomains = config.services.radarr.extraSubdomains; - target = "http://127.0.0.1:7878"; - websockets.enable = true; - forwardHeaders.enable = true; - }; - }; -} diff --git a/modules/nixos-modules/server/reverseProxy/default.nix b/modules/nixos-modules/server/reverseProxy/default.nix new file mode 100644 index 0000000..5d57175 --- /dev/null +++ b/modules/nixos-modules/server/reverseProxy/default.nix @@ -0,0 +1,6 @@ +{...}: { + imports = [ + ./reverseProxy.nix + ./impermanence.nix + ]; +} diff --git a/modules/nixos-modules/server/reverseProxy/impermanence.nix b/modules/nixos-modules/server/reverseProxy/impermanence.nix new file mode 100644 index 0000000..7af55df --- /dev/null +++ b/modules/nixos-modules/server/reverseProxy/impermanence.nix @@ -0,0 +1,21 @@ +{ + lib, + config, + ... +}: let + dataDir = "/var/lib/acme"; +in { + config = lib.mkIf (config.host.impermanence.enable && config.services.reverseProxy.enable) { + environment.persistence."/persist/system/root" = { + enable = true; + hideMounts = true; + directories = [ + { + directory = dataDir; + user = "acme"; + group = "acme"; + } + ]; + }; + }; +} diff --git a/modules/nixos-modules/server/reverseProxy/reverseProxy.nix b/modules/nixos-modules/server/reverseProxy/reverseProxy.nix new file mode 100644 index 0000000..5b8357f --- /dev/null +++ b/modules/nixos-modules/server/reverseProxy/reverseProxy.nix @@ -0,0 +1,158 @@ +{ + lib, + config, + ... +}: { + options.services.reverseProxy = { + enable = lib.mkEnableOption "turn on the reverse proxy"; + openFirewall = lib.mkEnableOption "open the firewall"; + ports = { + http = lib.mkOption { + type = lib.types.port; + description = "HTTP port for the reverse proxy"; + default = 80; + }; + https = lib.mkOption { + type = lib.types.port; + description = "HTTPS port for the reverse proxy"; + default = 443; + }; + }; + acme = { + enable = lib.mkOption { + type = lib.types.bool; + description = "enable ACME certificate management"; + default = true; + }; + email = lib.mkOption { + type = lib.types.str; + description = "email address for ACME certificate registration"; + }; + }; + services = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { + options = { + target = lib.mkOption { + type = lib.types.str; + description = "what url will all traffic to this application be forwarded to"; + }; + domain = lib.mkOption { + type = lib.types.str; + description = "what is the default subdomain to be used for this application to be used for"; + default = name; + }; + extraDomains = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = "extra domains that should be configured for this domain"; + default = []; + }; + settings = { + certificateRenewal.enable = lib.mkOption { + type = lib.types.bool; + description = "auto renew certificates"; + default = true; + }; + forceSSL.enable = lib.mkOption { + type = lib.types.bool; + description = "auto renew certificates"; + default = true; + }; + proxyHeaders = { + enable = lib.mkEnableOption "should we proxy headers"; + timeout = lib.mkOption { + type = lib.types.int; + default = 60; + }; + }; + proxyWebsockets.enable = lib.mkEnableOption "should the default config proxy websockets"; + forwardHeaders.enable = lib.mkEnableOption "should the default config contain forward headers"; + noSniff.enable = lib.mkEnableOption "should the no sniff flags be set"; + proxyBuffering.enable = lib.mkOption { + type = lib.types.bool; + description = "should proxy buffering be enabled"; + default = true; + }; + maxBodySize = lib.mkOption { + type = lib.types.nullOr lib.types.int; + description = ""; + default = null; + }; + }; + }; + })); + }; + }; + + config = let + httpPort = config.services.reverseProxy.ports.http; + httpsPort = config.services.reverseProxy.ports.https; + in + lib.mkIf config.services.reverseProxy.enable { + security.acme = lib.mkIf config.services.reverseProxy.acme.enable { + acceptTerms = true; + defaults.email = config.services.reverseProxy.acme.email; + }; + + services.nginx = { + enable = true; + virtualHosts = lib.mkMerge ( + lib.lists.flatten ( + lib.attrsets.mapAttrsToList ( + name: service: let + hostConfig = { + forceSSL = service.settings.forceSSL.enable; + enableACME = service.settings.certificateRenewal.enable; + locations = { + "/" = { + proxyPass = service.target; + proxyWebsockets = service.settings.proxyWebsockets.enable; + recommendedProxySettings = service.settings.forwardHeaders.enable; + extraConfig = let + # Client upload size configuration + maxBodySizeConfig = + lib.optionalString (service.settings.maxBodySize != null) + "client_max_body_size ${toString service.settings.maxBodySize}M;"; + + # Security header configuration + noSniffConfig = + lib.optionalString service.settings.noSniff.enable + "add_header X-Content-Type-Options nosniff;"; + + # Proxy buffering configuration + proxyBufferingConfig = + lib.optionalString (!service.settings.proxyBuffering.enable) + "proxy_buffering off;"; + + # Proxy timeout configuration + proxyTimeoutConfig = + lib.optionalString service.settings.proxyHeaders.enable + '' + proxy_read_timeout ${toString service.settings.proxyHeaders.timeout}s; + proxy_connect_timeout ${toString service.settings.proxyHeaders.timeout}s; + proxy_send_timeout ${toString service.settings.proxyHeaders.timeout}s; + ''; + in + maxBodySizeConfig + noSniffConfig + proxyBufferingConfig + proxyTimeoutConfig; + }; + }; + }; + in ( + [ + { + ${service.domain} = hostConfig; + } + ] + ++ builtins.map (domain: {${domain} = hostConfig;}) + service.extraDomains + ) + ) + config.services.reverseProxy.services + ) + ); + }; + networking.firewall.allowedTCPPorts = lib.mkIf config.services.reverseProxy.openFirewall [ + httpPort + httpsPort + ]; + }; +} diff --git a/modules/nixos-modules/server/reverse_proxy.nix b/modules/nixos-modules/server/reverse_proxy.nix deleted file mode 100644 index 26b4374..0000000 --- a/modules/nixos-modules/server/reverse_proxy.nix +++ /dev/null @@ -1,128 +0,0 @@ -{ - lib, - config, - ... -}: let - dataDir = "/var/lib/acme"; - httpPort = 80; - httpsPort = 443; -in { - options.host.reverse_proxy = { - enable = lib.mkEnableOption "turn on the reverse proxy"; - hostname = lib.mkOption { - type = lib.types.str; - description = "what host name are we going to be proxying from"; - }; - forceSSL = lib.mkOption { - type = lib.types.bool; - description = "force connections to use https"; - default = config.host.reverse_proxy.enableACME; - }; - enableACME = lib.mkOption { - type = lib.types.bool; - description = "auto renew certificates"; - default = true; - }; - subdomains = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { - options = { - subdomain = lib.mkOption { - type = lib.types.str; - description = "what is the default subdomain to be used for this application to be used for"; - default = name; - }; - extraSubdomains = lib.mkOption { - type = lib.types.listOf lib.types.str; - description = "extra domains that should be configured for this domain"; - default = []; - }; - - target = lib.mkOption { - type = lib.types.str; - description = "what url will all traffic to this application be forwarded to"; - }; - - websockets.enable = lib.mkEnableOption "should the default config proxy websockets"; - - forwardHeaders.enable = lib.mkEnableOption "should the default config contain forward headers"; - - extraConfig = lib.mkOption { - type = lib.types.lines; - default = ""; - description = '' - These lines go to the end of the upstream verbatim. - ''; - }; - }; - })); - }; - }; - - config = lib.mkIf config.host.reverse_proxy.enable (lib.mkMerge [ - { - security.acme = lib.mkIf config.host.reverse_proxy.enableACME { - acceptTerms = true; - defaults.email = "jan-leila@protonmail.com"; - }; - - services.nginx = { - enable = true; - virtualHosts = lib.mkMerge ( - lib.lists.flatten ( - lib.attrsets.mapAttrsToList ( - name: value: let - hostConfig = { - forceSSL = config.host.reverse_proxy.forceSSL; - enableACME = config.host.reverse_proxy.enableACME; - locations = { - "/" = { - proxyPass = value.target; - proxyWebsockets = value.websockets.enable; - recommendedProxySettings = value.forwardHeaders.enable; - extraConfig = - value.extraConfig; - }; - }; - }; - in ( - [ - { - ${"${value.subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig; - } - ] - ++ builtins.map (subdomain: {${"${subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig;}) - value.extraSubdomains - ) - ) - config.host.reverse_proxy.subdomains - ) - ); - }; - - networking.firewall.allowedTCPPorts = [ - httpPort - httpsPort - ]; - } - (lib.mkIf config.host.impermanence.enable { - # TODO: figure out how to write an assertion for this - # assertions = [ - # { - # assertion = security.acme.certs..directory == dataDir; - # message = "postgres data directory does not match persistence"; - # } - # ]; - environment.persistence."/persist/system/root" = { - enable = true; - hideMounts = true; - directories = [ - { - directory = dataDir; - user = "acme"; - group = "acme"; - } - ]; - }; - }) - ]); -} diff --git a/modules/nixos-modules/server/searx/proxy.nix b/modules/nixos-modules/server/searx/proxy.nix index 0c1eae1..aca5e36 100644 --- a/modules/nixos-modules/server/searx/proxy.nix +++ b/modules/nixos-modules/server/searx/proxy.nix @@ -4,18 +4,28 @@ ... }: { options.services.searx = { - subdomain = lib.mkOption { - type = lib.types.str; - description = "subdomain of base domain that searx will be hosted at"; - default = "searx"; + reverseProxy = { + domain = lib.mkOption { + type = lib.types.str; + description = "domain that searx will be hosted at"; + default = "searx.arpa"; + }; + extraDomains = lib.mkOption { + type = lib.types.listOf lib.types.str; + description = "extra domains that should be configured for searx"; + default = []; + }; }; }; - config = lib.mkIf (config.services.searx.enable && config.host.reverse_proxy.enable) { - host = { - reverse_proxy.subdomains.searx = { - subdomain = config.services.searx.subdomain; - target = "http://localhost:${toString config.services.searx.settings.server.port}"; + config = lib.mkIf (config.services.searx.enable && config.services.reverseProxy.enable) { + services.reverseProxy.services.searx = { + target = "http://localhost:${toString config.services.searx.settings.server.port}"; + domain = config.services.searx.reverseProxy.domain; + extraDomains = config.services.searx.reverseProxy.extraDomains; + + settings = { + forwardHeaders.enable = true; }; }; }; diff --git a/modules/nixos-modules/server/sonarr/default.nix b/modules/nixos-modules/server/sonarr/default.nix index f39d940..86dbb4b 100644 --- a/modules/nixos-modules/server/sonarr/default.nix +++ b/modules/nixos-modules/server/sonarr/default.nix @@ -1,6 +1,5 @@ {...}: { imports = [ - ./proxy.nix ./impermanence.nix ]; } diff --git a/modules/nixos-modules/server/sonarr/proxy.nix b/modules/nixos-modules/server/sonarr/proxy.nix deleted file mode 100644 index 22b90a6..0000000 --- a/modules/nixos-modules/server/sonarr/proxy.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ - lib, - config, - ... -}: { - options.services.sonarr = { - subdomain = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - description = "Subdomain for reverse proxy. If null, service will be local only."; - }; - extraSubdomains = lib.mkOption { - type = lib.types.listOf lib.types.str; - default = []; - description = "Extra subdomains for reverse proxy."; - }; - }; - - config = lib.mkIf (config.services.sonarr.enable && config.services.sonarr.subdomain != null) { - host.reverse_proxy.subdomains.sonarr = { - subdomain = config.services.sonarr.subdomain; - extraSubdomains = config.services.sonarr.extraSubdomains; - target = "http://127.0.0.1:8989"; - websockets.enable = true; - forwardHeaders.enable = true; - }; - }; -}