Lithospherical/nix-config
1
0
Fork 0
forked from jan-leila/nix-config
Code Pull requests Activity

feat: refactored reverse proxy to be a normally named module

Browse source
This commit is contained in:
Leyla Becker 2025-10-24 12:45:17 -05:00
parent 466926b919
commit 4dd285c122
29 changed files with 352 additions and 426 deletions
Download patch file Download diff file Expand all files Collapse all files

31
configurations/nixos/defiant/configuration.nix
View file

@ -102,11 +102,6 @@
directories = ["leyla_documents" "eve_documents" "users_documents" "media"]; directories = ["leyla_documents" "eve_documents" "users_documents" "media"];
}; };
}; };
reverse_proxy = {
enable = true;
enableACME = true;
hostname = "jan-leila.com";
};
postgres = { postgres = {
extraUsers = { extraUsers = {
leyla = { leyla = {
@ -237,6 +232,16 @@
gnome.enable = true; gnome.enable = true;
}; };
# Enable new reverse proxy system
reverseProxy = {
enable = true;
openFirewall = true;
acme = {
enable = true;
email = "jan-leila@protonmail.com";
};
};
ollama = { ollama = {
enable = true; enable = true;
exposePort = true; exposePort = true;
@ -294,33 +299,33 @@
jellyfin = { jellyfin = {
enable = true; enable = true;
subdomain = "media"; domain = "media.jan-leila.com";
extraSubdomains = ["jellyfin"]; extraDomains = ["jellyfin.jan-leila.com"];
}; };
immich = { immich = {
enable = true; enable = true;
subdomain = "photos"; domain = "photos.jan-leila.com";
}; };
forgejo = { forgejo = {
enable = true; enable = true;
subdomain = "git"; domain = "git.jan-leila.com";
}; };
searx = { searx = {
enable = true; enable = true;
subdomain = "search"; domain = "search.jan-leila.com";
}; };
actual = { actual = {
enable = false; enable = false;
subdomain = "budget"; domain = "budget.jan-leila.com";
}; };
home-assistant = { home-assistant = {
enable = true; enable = true;
subdomain = "home"; domain = "home.jan-leila.com";
openFirewall = true; openFirewall = true;
database = "postgres"; database = "postgres";
@ -333,7 +338,7 @@
paperless = { paperless = {
enable = true; enable = true;
subdomain = "documents"; domain = "documents.jan-leila.com";
passwordFile = config.sops.secrets."services/paperless_password".path; passwordFile = config.sops.secrets."services/paperless_password".path;
}; };

21
modules/nixos-modules/server/actual/proxy.nix
View file

@ -4,17 +4,26 @@
... ...
}: { }: {
options.services.actual = { options.services.actual = {
subdomain = lib.mkOption { domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "actual"; description = "domain that actual will be hosted at";
description = "subdomain of base domain that actual will be hosted at"; default = "actual.arpa";
};
extraDomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "extra domains that should be configured for actual";
default = [];
}; };
}; };
config = lib.mkIf (config.services.actual.enable && config.host.reverse_proxy.enable) { config = lib.mkIf (config.services.actual.enable && config.services.reverseProxy.enable) {
host = { services.reverseProxy.services.actual = {
reverse_proxy.subdomains.${config.services.actual.subdomain} = {
target = "http://localhost:${toString config.services.actual.settings.port}"; target = "http://localhost:${toString config.services.actual.settings.port}";
domain = config.services.actual.domain;
extraDomains = config.services.actual.extraDomains;
settings = {
forwardHeaders.enable = true;
}; };
}; };
}; };

1
modules/nixos-modules/server/bazarr/default.nix
View file

@ -1,6 +1,5 @@
{...}: { {...}: {
imports = [ imports = [
./proxy.nix
./impermanence.nix ./impermanence.nix
]; ];
} }

28
modules/nixos-modules/server/bazarr/proxy.nix
View file

@ -1,28 +0,0 @@
{
lib,
config,
...
}: {
options.services.bazarr = {
subdomain = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Subdomain for reverse proxy. If null, service will be local only.";
};
extraSubdomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "Extra subdomains for reverse proxy.";
};
};
config = lib.mkIf (config.services.bazarr.enable && config.services.bazarr.subdomain != null) {
host.reverse_proxy.subdomains.bazarr = {
subdomain = config.services.bazarr.subdomain;
extraSubdomains = config.services.bazarr.extraSubdomains;
target = "http://127.0.0.1:6767";
websockets.enable = true;
forwardHeaders.enable = true;
};
};
}

2
modules/nixos-modules/server/default.nix
View file

@ -1,6 +1,6 @@
{...}: { {...}: {
imports = [ imports = [
./reverse_proxy.nix ./reverseProxy
./fail2ban.nix ./fail2ban.nix
./postgres.nix ./postgres.nix
./network_storage ./network_storage

1
modules/nixos-modules/server/flaresolverr/default.nix
View file

@ -1,6 +1,5 @@
{...}: { {...}: {
imports = [ imports = [
./proxy.nix
./impermanence.nix ./impermanence.nix
]; ];
} }

28
modules/nixos-modules/server/flaresolverr/proxy.nix
View file

@ -1,28 +0,0 @@
{
lib,
config,
...
}: {
options.services.flaresolverr = {
subdomain = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Subdomain for reverse proxy. If null, service will be local only.";
};
extraSubdomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "Extra subdomains for reverse proxy.";
};
};
config = lib.mkIf (config.services.flaresolverr.enable && config.services.flaresolverr.subdomain != null) {
host.reverse_proxy.subdomains.flaresolverr = {
subdomain = config.services.flaresolverr.subdomain;
extraSubdomains = config.services.flaresolverr.extraSubdomains;
target = "http://127.0.0.1:${toString config.services.flaresolverr.port}";
websockets.enable = true;
forwardHeaders.enable = true;
};
};
}

2
modules/nixos-modules/server/forgejo/default.nix
View file

@ -31,7 +31,7 @@ in {
lfs.enable = true; lfs.enable = true;
settings = { settings = {
server = { server = {
DOMAIN = "${config.services.forgejo.subdomain}.${config.host.reverse_proxy.hostname}"; DOMAIN = config.services.forgejo.reverseProxy.domain;
HTTP_PORT = httpPort; HTTP_PORT = httpPort;
START_SSH_SERVER = true; START_SSH_SERVER = true;
SSH_LISTEN_PORT = sshPort; SSH_LISTEN_PORT = sshPort;

23
modules/nixos-modules/server/forgejo/proxy.nix
View file

@ -7,16 +7,29 @@
httpPort = const.httpPort; httpPort = const.httpPort;
in { in {
options.services.forgejo = { options.services.forgejo = {
subdomain = lib.mkOption { reverseProxy = {
domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that forgejo will be hosted at"; description = "domain that forgejo will be hosted at";
default = "forgejo"; default = "git.jan-leila.com";
};
extraDomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "extra domains that should be configured for forgejo";
default = [];
};
}; };
}; };
config = lib.mkIf (config.services.forgejo.enable && config.host.reverse_proxy.enable) { config = lib.mkIf (config.services.forgejo.enable && config.services.reverseProxy.enable) {
host.reverse_proxy.subdomains.${config.services.forgejo.subdomain} = { services.reverseProxy.services.forgejo = {
target = "http://localhost:${toString httpPort}"; target = "http://localhost:${toString httpPort}";
domain = config.services.forgejo.reverseProxy.domain;
extraDomains = config.services.forgejo.reverseProxy.extraDomains;
settings = {
forwardHeaders.enable = true;
};
}; };
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [

2
modules/nixos-modules/server/home-assistant/default.nix
View file

@ -82,7 +82,7 @@
login_attempts_threshold = 10; login_attempts_threshold = 10;
}; };
homeassistant = { homeassistant = {
external_url = "https://${config.services.home-assistant.subdomain}.${config.host.reverse_proxy.hostname}"; external_url = "https://${config.services.home-assistant.domain}";
# internal_url = "http://192.168.1.2:8123"; # internal_url = "http://192.168.1.2:8123";
}; };
recorder.db_url = "postgresql://@/${config.services.home-assistant.configDir}"; recorder.db_url = "postgresql://@/${config.services.home-assistant.configDir}";

34
modules/nixos-modules/server/home-assistant/proxy.nix
View file

@ -4,29 +4,33 @@
... ...
}: { }: {
options.services.home-assistant = { options.services.home-assistant = {
subdomain = lib.mkOption { domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that home-assistant will be hosted at"; description = "domain that home-assistant will be hosted at";
default = "home-assistant"; default = "home-assistant.arpa";
};
extraDomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "extra domains that should be configured for home-assistant";
default = [];
}; };
}; };
config = lib.mkIf (config.host.reverse_proxy.enable && config.services.home-assistant.enable) { config = lib.mkIf (config.services.reverseProxy.enable && config.services.home-assistant.enable) {
host = { services.reverseProxy.services.home-assistant = {
reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = {
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
domain = config.services.home-assistant.domain;
extraDomains = config.services.home-assistant.extraDomains;
websockets.enable = true; settings = {
proxyWebsockets.enable = true;
forwardHeaders.enable = true; forwardHeaders.enable = true;
extraConfig = '' # Custom timeout settings
add_header Upgrade $http_upgrade; proxyHeaders = {
add_header Connection \"upgrade\"; enable = true;
timeout = 90;
proxy_buffering off; };
proxy_read_timeout 90;
'';
}; };
}; };
}; };

37
modules/nixos-modules/server/immich/proxy.nix
View file

@ -4,31 +4,34 @@
... ...
}: { }: {
options.services.immich = { options.services.immich = {
subdomain = lib.mkOption { domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that immich will be hosted at"; description = "domain that immich will be hosted at";
default = "immich"; default = "immich.arpa";
};
extraDomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "extra domains that should be configured for immich";
default = [];
}; };
}; };
config = lib.mkIf (config.services.immich.enable && config.host.reverse_proxy.enable) { config = lib.mkIf (config.services.immich.enable && config.services.reverseProxy.enable) {
host = { services.reverseProxy.services.immich = {
reverse_proxy.subdomains.${config.services.immich.subdomain} = {
target = "http://localhost:${toString config.services.immich.port}"; target = "http://localhost:${toString config.services.immich.port}";
domain = config.services.immich.domain;
extraDomains = config.services.immich.extraDomains;
websockets.enable = true; settings = {
proxyWebsockets.enable = true;
forwardHeaders.enable = true; forwardHeaders.enable = true;
maxBodySize = 50000;
extraConfig = '' # Custom timeout settings
# allow large file uploads proxyHeaders = {
client_max_body_size 50000M; enable = true;
timeout = 600;
# set timeout };
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
proxy_redirect off;
'';
}; };
}; };
}; };

1
modules/nixos-modules/server/jackett/default.nix
View file

@ -1,6 +1,5 @@
{...}: { {...}: {
imports = [ imports = [
./proxy.nix
./impermanence.nix ./impermanence.nix
]; ];
} }

28
modules/nixos-modules/server/jackett/proxy.nix
View file

@ -1,28 +0,0 @@
{
lib,
config,
...
}: {
options.services.jackett = {
subdomain = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Subdomain for reverse proxy. If null, service will be local only.";
};
extraSubdomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "Extra subdomains for reverse proxy.";
};
};
config = lib.mkIf (config.services.jackett.enable && config.services.jackett.subdomain != null) {
host.reverse_proxy.subdomains.jackett = {
subdomain = config.services.jackett.subdomain;
extraSubdomains = config.services.jackett.extraSubdomains;
target = "http://127.0.0.1:9117";
websockets.enable = true;
forwardHeaders.enable = true;
};
};
}

31
modules/nixos-modules/server/jellyfin/proxy.nix
View file

@ -6,33 +6,30 @@
jellyfinPort = 8096; jellyfinPort = 8096;
in { in {
options.services.jellyfin = { options.services.jellyfin = {
subdomain = lib.mkOption { domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that jellyfin will be hosted at"; description = "domain that jellyfin will be hosted at";
default = "jellyfin"; default = "jellyfin.arpa";
}; };
extraSubdomains = lib.mkOption { extraDomains = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
description = "ex subdomain of base domain that jellyfin will be hosted at"; description = "extra domains that should be configured for jellyfin";
default = []; default = [];
}; };
}; };
config = lib.mkIf (config.services.jellyfin.enable && config.host.reverse_proxy.enable) { config = lib.mkIf (config.services.jellyfin.enable && config.services.reverseProxy.enable) {
host.reverse_proxy.subdomains.jellyfin = { services.reverseProxy.services.jellyfin = {
target = "http://localhost:${toString jellyfinPort}"; target = "http://localhost:${toString jellyfinPort}";
domain = config.services.jellyfin.domain;
extraDomains = config.services.jellyfin.extraDomains;
subdomain = config.services.jellyfin.subdomain; settings = {
extraSubdomains = config.services.jellyfin.extraSubdomains;
forwardHeaders.enable = true; forwardHeaders.enable = true;
maxBodySize = 20;
extraConfig = '' noSniff.enable = true;
client_max_body_size 20M; proxyBuffering.enable = false;
add_header X-Content-Type-Options "nosniff"; };
proxy_buffering off;
'';
}; };
}; };
} }

1
modules/nixos-modules/server/lidarr/default.nix
View file

@ -1,6 +1,5 @@
{...}: { {...}: {
imports = [ imports = [
./proxy.nix
./impermanence.nix ./impermanence.nix
]; ];
} }

28
modules/nixos-modules/server/lidarr/proxy.nix
View file

@ -1,28 +0,0 @@
{
lib,
config,
...
}: {
options.services.lidarr = {
subdomain = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Subdomain for reverse proxy. If null, service will be local only.";
};
extraSubdomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "Extra subdomains for reverse proxy.";
};
};
config = lib.mkIf (config.services.lidarr.enable && config.services.lidarr.subdomain != null) {
host.reverse_proxy.subdomains.lidarr = {
subdomain = config.services.lidarr.subdomain;
extraSubdomains = config.services.lidarr.extraSubdomains;
target = "http://127.0.0.1:8686";
websockets.enable = true;
forwardHeaders.enable = true;
};
};
}

34
modules/nixos-modules/server/panoramax/proxy.nix
View file

@ -4,31 +4,29 @@
... ...
}: { }: {
options.services.panoramax = { options.services.panoramax = {
subdomain = lib.mkOption { domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that panoramax will be hosted at"; description = "domain that panoramax will be hosted at";
default = "panoramax"; default = "panoramax.arpa";
};
extraDomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "extra domains that should be configured for panoramax";
default = [];
}; };
}; };
config = lib.mkIf (config.services.panoramax.enable && config.host.reverse_proxy.enable) { config = lib.mkIf (config.services.panoramax.enable && config.services.reverseProxy.enable) {
host = { services.reverseProxy.services.panoramax = {
reverse_proxy.subdomains.${config.services.panoramax.subdomain} = {
target = "http://localhost:${toString config.services.panoramax.port}"; target = "http://localhost:${toString config.services.panoramax.port}";
domain = config.services.panoramax.domain;
extraDomains = config.services.panoramax.extraDomains;
websockets.enable = true; settings = {
proxyWebsockets.enable = true;
forwardHeaders.enable = true; forwardHeaders.enable = true;
maxBodySize = 100000;
extraConfig = '' timeout = 300;
# allow large file uploads for panoramic images
client_max_body_size 100M;
# set timeout for image processing
proxy_read_timeout 300s;
proxy_send_timeout 300s;
send_timeout 300s;
proxy_redirect off;
'';
}; };
}; };
}; };

1
modules/nixos-modules/server/paperless/default.nix
View file

@ -22,7 +22,6 @@
config = lib.mkIf config.services.paperless.enable { config = lib.mkIf config.services.paperless.enable {
services.paperless = { services.paperless = {
domain = "${config.services.paperless.subdomain}.${config.host.reverse_proxy.hostname}";
configureTika = true; configureTika = true;
settings = { settings = {
PAPERLESS_DBENGINE = "postgresql"; PAPERLESS_DBENGINE = "postgresql";

29
modules/nixos-modules/server/paperless/proxy.nix
View file

@ -4,25 +4,30 @@
... ...
}: { }: {
options.services.paperless = { options.services.paperless = {
subdomain = lib.mkOption { reverseProxy = {
domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that paperless will be hosted at"; description = "domain that paperless will be hosted at";
default = "paperless"; default = "paperless.arpa";
};
extraDomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "extra domains that should be configured for paperless";
default = [];
};
}; };
}; };
config = lib.mkIf (config.services.paperless.enable && config.host.reverse_proxy.enable) { config = lib.mkIf (config.services.paperless.enable && config.services.reverseProxy.enable) {
host = { services.reverseProxy.services.paperless = {
reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}"; target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
domain = config.services.paperless.reverseProxy.domain;
extraDomains = config.services.paperless.reverseProxy.extraDomains;
websockets.enable = true; settings = {
proxyWebsockets.enable = true;
forwardHeaders.enable = true; forwardHeaders.enable = true;
maxBodySize = 50000;
extraConfig = ''
# allow large file uploads
client_max_body_size 50000M;
'';
}; };
}; };
}; };

1
modules/nixos-modules/server/radarr/default.nix
View file

@ -1,6 +1,5 @@
{...}: { {...}: {
imports = [ imports = [
./proxy.nix
./impermanence.nix ./impermanence.nix
]; ];
} }

28
modules/nixos-modules/server/radarr/proxy.nix
View file

@ -1,28 +0,0 @@
{
lib,
config,
...
}: {
options.services.radarr = {
subdomain = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Subdomain for reverse proxy. If null, service will be local only.";
};
extraSubdomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "Extra subdomains for reverse proxy.";
};
};
config = lib.mkIf (config.services.radarr.enable && config.services.radarr.subdomain != null) {
host.reverse_proxy.subdomains.radarr = {
subdomain = config.services.radarr.subdomain;
extraSubdomains = config.services.radarr.extraSubdomains;
target = "http://127.0.0.1:7878";
websockets.enable = true;
forwardHeaders.enable = true;
};
};
}

6
modules/nixos-modules/server/reverseProxy/default.nix Normal file
View file

@ -0,0 +1,6 @@
{...}: {
imports = [
./reverseProxy.nix
./impermanence.nix
];
}

21
modules/nixos-modules/server/reverseProxy/impermanence.nix Normal file
View file

@ -0,0 +1,21 @@
{
lib,
config,
...
}: let
dataDir = "/var/lib/acme";
in {
config = lib.mkIf (config.host.impermanence.enable && config.services.reverseProxy.enable) {
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = dataDir;
user = "acme";
group = "acme";
}
];
};
};
}

158
modules/nixos-modules/server/reverseProxy/reverseProxy.nix Normal file
View file

@ -0,0 +1,158 @@
{
lib,
config,
...
}: {
options.services.reverseProxy = {
enable = lib.mkEnableOption "turn on the reverse proxy";
openFirewall = lib.mkEnableOption "open the firewall";
ports = {
http = lib.mkOption {
type = lib.types.port;
description = "HTTP port for the reverse proxy";
default = 80;
};
https = lib.mkOption {
type = lib.types.port;
description = "HTTPS port for the reverse proxy";
default = 443;
};
};
acme = {
enable = lib.mkOption {
type = lib.types.bool;
description = "enable ACME certificate management";
default = true;
};
email = lib.mkOption {
type = lib.types.str;
description = "email address for ACME certificate registration";
};
};
services = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
options = {
target = lib.mkOption {
type = lib.types.str;
description = "what url will all traffic to this application be forwarded to";
};
domain = lib.mkOption {
type = lib.types.str;
description = "what is the default subdomain to be used for this application to be used for";
default = name;
};
extraDomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "extra domains that should be configured for this domain";
default = [];
};
settings = {
certificateRenewal.enable = lib.mkOption {
type = lib.types.bool;
description = "auto renew certificates";
default = true;
};
forceSSL.enable = lib.mkOption {
type = lib.types.bool;
description = "auto renew certificates";
default = true;
};
proxyHeaders = {
enable = lib.mkEnableOption "should we proxy headers";
timeout = lib.mkOption {
type = lib.types.int;
default = 60;
};
};
proxyWebsockets.enable = lib.mkEnableOption "should the default config proxy websockets";
forwardHeaders.enable = lib.mkEnableOption "should the default config contain forward headers";
noSniff.enable = lib.mkEnableOption "should the no sniff flags be set";
proxyBuffering.enable = lib.mkOption {
type = lib.types.bool;
description = "should proxy buffering be enabled";
default = true;
};
maxBodySize = lib.mkOption {
type = lib.types.nullOr lib.types.int;
description = "";
default = null;
};
};
};
}));
};
};
config = let
httpPort = config.services.reverseProxy.ports.http;
httpsPort = config.services.reverseProxy.ports.https;
in
lib.mkIf config.services.reverseProxy.enable {
security.acme = lib.mkIf config.services.reverseProxy.acme.enable {
acceptTerms = true;
defaults.email = config.services.reverseProxy.acme.email;
};
services.nginx = {
enable = true;
virtualHosts = lib.mkMerge (
lib.lists.flatten (
lib.attrsets.mapAttrsToList (
name: service: let
hostConfig = {
forceSSL = service.settings.forceSSL.enable;
enableACME = service.settings.certificateRenewal.enable;
locations = {
"/" = {
proxyPass = service.target;
proxyWebsockets = service.settings.proxyWebsockets.enable;
recommendedProxySettings = service.settings.forwardHeaders.enable;
extraConfig = let
# Client upload size configuration
maxBodySizeConfig =
lib.optionalString (service.settings.maxBodySize != null)
"client_max_body_size ${toString service.settings.maxBodySize}M;";
# Security header configuration
noSniffConfig =
lib.optionalString service.settings.noSniff.enable
"add_header X-Content-Type-Options nosniff;";
# Proxy buffering configuration
proxyBufferingConfig =
lib.optionalString (!service.settings.proxyBuffering.enable)
"proxy_buffering off;";
# Proxy timeout configuration
proxyTimeoutConfig =
lib.optionalString service.settings.proxyHeaders.enable
''
proxy_read_timeout ${toString service.settings.proxyHeaders.timeout}s;
proxy_connect_timeout ${toString service.settings.proxyHeaders.timeout}s;
proxy_send_timeout ${toString service.settings.proxyHeaders.timeout}s;
'';
in
maxBodySizeConfig + noSniffConfig + proxyBufferingConfig + proxyTimeoutConfig;
};
};
};
in (
[
{
${service.domain} = hostConfig;
}
]
++ builtins.map (domain: {${domain} = hostConfig;})
service.extraDomains
)
)
config.services.reverseProxy.services
)
);
};
networking.firewall.allowedTCPPorts = lib.mkIf config.services.reverseProxy.openFirewall [
httpPort
httpsPort
];
};
}

128
modules/nixos-modules/server/reverse_proxy.nix
View file

@ -1,128 +0,0 @@
{
lib,
config,
...
}: let
dataDir = "/var/lib/acme";
httpPort = 80;
httpsPort = 443;
in {
options.host.reverse_proxy = {
enable = lib.mkEnableOption "turn on the reverse proxy";
hostname = lib.mkOption {
type = lib.types.str;
description = "what host name are we going to be proxying from";
};
forceSSL = lib.mkOption {
type = lib.types.bool;
description = "force connections to use https";
default = config.host.reverse_proxy.enableACME;
};
enableACME = lib.mkOption {
type = lib.types.bool;
description = "auto renew certificates";
default = true;
};
subdomains = lib.mkOption {
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
options = {
subdomain = lib.mkOption {
type = lib.types.str;
description = "what is the default subdomain to be used for this application to be used for";
default = name;
};
extraSubdomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "extra domains that should be configured for this domain";
default = [];
};
target = lib.mkOption {
type = lib.types.str;
description = "what url will all traffic to this application be forwarded to";
};
websockets.enable = lib.mkEnableOption "should the default config proxy websockets";
forwardHeaders.enable = lib.mkEnableOption "should the default config contain forward headers";
extraConfig = lib.mkOption {
type = lib.types.lines;
default = "";
description = ''
These lines go to the end of the upstream verbatim.
'';
};
};
}));
};
};
config = lib.mkIf config.host.reverse_proxy.enable (lib.mkMerge [
{
security.acme = lib.mkIf config.host.reverse_proxy.enableACME {
acceptTerms = true;
defaults.email = "jan-leila@protonmail.com";
};
services.nginx = {
enable = true;
virtualHosts = lib.mkMerge (
lib.lists.flatten (
lib.attrsets.mapAttrsToList (
name: value: let
hostConfig = {
forceSSL = config.host.reverse_proxy.forceSSL;
enableACME = config.host.reverse_proxy.enableACME;
locations = {
"/" = {
proxyPass = value.target;
proxyWebsockets = value.websockets.enable;
recommendedProxySettings = value.forwardHeaders.enable;
extraConfig =
value.extraConfig;
};
};
};
in (
[
{
${"${value.subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig;
}
]
++ builtins.map (subdomain: {${"${subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig;})
value.extraSubdomains
)
)
config.host.reverse_proxy.subdomains
)
);
};
networking.firewall.allowedTCPPorts = [
httpPort
httpsPort
];
}
(lib.mkIf config.host.impermanence.enable {
# TODO: figure out how to write an assertion for this
# assertions = [
# {
# assertion = security.acme.certs.<name>.directory == dataDir;
# message = "postgres data directory does not match persistence";
# }
# ];
environment.persistence."/persist/system/root" = {
enable = true;
hideMounts = true;
directories = [
{
directory = dataDir;
user = "acme";
group = "acme";
}
];
};
})
]);
}

24
modules/nixos-modules/server/searx/proxy.nix
View file

@ -4,18 +4,28 @@
... ...
}: { }: {
options.services.searx = { options.services.searx = {
subdomain = lib.mkOption { reverseProxy = {
domain = lib.mkOption {
type = lib.types.str; type = lib.types.str;
description = "subdomain of base domain that searx will be hosted at"; description = "domain that searx will be hosted at";
default = "searx"; default = "searx.arpa";
};
extraDomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = "extra domains that should be configured for searx";
default = [];
};
}; };
}; };
config = lib.mkIf (config.services.searx.enable && config.host.reverse_proxy.enable) { config = lib.mkIf (config.services.searx.enable && config.services.reverseProxy.enable) {
host = { services.reverseProxy.services.searx = {
reverse_proxy.subdomains.searx = {
subdomain = config.services.searx.subdomain;
target = "http://localhost:${toString config.services.searx.settings.server.port}"; target = "http://localhost:${toString config.services.searx.settings.server.port}";
domain = config.services.searx.reverseProxy.domain;
extraDomains = config.services.searx.reverseProxy.extraDomains;
settings = {
forwardHeaders.enable = true;
}; };
}; };
}; };

1
modules/nixos-modules/server/sonarr/default.nix
View file

@ -1,6 +1,5 @@
{...}: { {...}: {
imports = [ imports = [
./proxy.nix
./impermanence.nix ./impermanence.nix
]; ];
} }

28
modules/nixos-modules/server/sonarr/proxy.nix
View file

@ -1,28 +0,0 @@
{
lib,
config,
...
}: {
options.services.sonarr = {
subdomain = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
description = "Subdomain for reverse proxy. If null, service will be local only.";
};
extraSubdomains = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [];
description = "Extra subdomains for reverse proxy.";
};
};
config = lib.mkIf (config.services.sonarr.enable && config.services.sonarr.subdomain != null) {
host.reverse_proxy.subdomains.sonarr = {
subdomain = config.services.sonarr.subdomain;
extraSubdomains = config.services.sonarr.extraSubdomains;
target = "http://127.0.0.1:8989";
websockets.enable = true;
forwardHeaders.enable = true;
};
};
}