Lithospherical/nix-config
1
0
Fork 0
forked from jan-leila/nix-config
Code Pull requests Activity

refactor: moved reverse proxy into own section in server modules

Browse source
This commit is contained in:
Leyla Becker 2025-09-14 22:10:57 -05:00
parent 663bdcc012
commit 52801b4bb7
7 changed files with 142 additions and 119 deletions
Download patch file Download diff file Expand all files Collapse all files

12
modules/nixos-modules/server/actual.nix
View file

@ -18,11 +18,6 @@ in {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${dataDirectory} 2770 actual actual" "d ${dataDirectory} 2770 actual actual"
]; ];
host = {
reverse_proxy.subdomains.${config.services.actual.subdomain} = {
target = "http://localhost:${toString config.services.actual.settings.port}";
};
};
services.actual = { services.actual = {
settings = { settings = {
@ -30,6 +25,13 @@ in {
}; };
}; };
} }
(lib.mkIf config.host.reverse_proxy.enable {
host = {
reverse_proxy.subdomains.${config.services.actual.subdomain} = {
target = "http://localhost:${toString config.services.actual.settings.port}";
};
};
})
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
# TODO: configuration for fail2ban for actual # TODO: configuration for fail2ban for actual
}) })

10
modules/nixos-modules/server/forgejo.nix
View file

@ -26,9 +26,6 @@ in {
} }
]; ];
host = { host = {
reverse_proxy.subdomains.${config.services.forgejo.subdomain} = {
target = "http://localhost:${toString forgejoPort}";
};
postgres = { postgres = {
enable = true; enable = true;
extraUsers = { extraUsers = {
@ -76,6 +73,13 @@ in {
config.services.forgejo.settings.server.SSH_LISTEN_PORT config.services.forgejo.settings.server.SSH_LISTEN_PORT
]; ];
} }
(lib.mkIf config.host.reverse_proxy.enable {
host = {
reverse_proxy.subdomains.${config.services.forgejo.subdomain} = {
target = "http://localhost:${toString forgejoPort}";
};
};
})
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable ( "fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (

37
modules/nixos-modules/server/home-assistant.nix
View file

@ -43,24 +43,6 @@ in {
config = lib.mkIf config.services.home-assistant.enable (lib.mkMerge [ config = lib.mkIf config.services.home-assistant.enable (lib.mkMerge [
{ {
host = {
reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = {
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
add_header Upgrade $http_upgrade;
add_header Connection \"upgrade\";
proxy_buffering off;
proxy_read_timeout 90;
'';
};
};
services.home-assistant = { services.home-assistant = {
configDir = configDir; configDir = configDir;
extraComponents = [ extraComponents = [
@ -173,6 +155,25 @@ in {
]; ];
}; };
}) })
(lib.mkIf config.host.reverse_proxy.enable {
host = {
reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = {
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
add_header Upgrade $http_upgrade;
add_header Connection \"upgrade\";
proxy_buffering off;
proxy_read_timeout 90;
'';
};
};
})
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable ( "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (

38
modules/nixos-modules/server/immich.nix
View file

@ -17,23 +17,6 @@ in {
config = lib.mkIf config.services.immich.enable (lib.mkMerge [ config = lib.mkIf config.services.immich.enable (lib.mkMerge [
{ {
host = { host = {
reverse_proxy.subdomains.${config.services.immich.subdomain} = {
target = "http://localhost:${toString config.services.immich.port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
# allow large file uploads
client_max_body_size 50000M;
# set timeout
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
proxy_redirect off;
'';
};
postgres = { postgres = {
enable = true; enable = true;
extraUsers = { extraUsers = {
@ -53,6 +36,27 @@ in {
]; ];
}; };
} }
(lib.mkIf config.host.reverse_proxy.enable {
host = {
reverse_proxy.subdomains.${config.services.immich.subdomain} = {
target = "http://localhost:${toString config.services.immich.port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
# allow large file uploads
client_max_body_size 50000M;
# set timeout
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
proxy_redirect off;
'';
};
};
})
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable ( "fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable (

28
modules/nixos-modules/server/jellyfin.nix
View file

@ -30,6 +30,20 @@ in {
config = lib.mkIf config.services.jellyfin.enable ( config = lib.mkIf config.services.jellyfin.enable (
lib.mkMerge [ lib.mkMerge [
{ {
environment.systemPackages = [
pkgs.jellyfin
pkgs.jellyfin-web
pkgs.jellyfin-ffmpeg
];
networking.firewall.allowedTCPPorts = [jellyfinPort dlanPort];
systemd.tmpfiles.rules = [
"d ${config.services.jellyfin.media_directory} 2770 jellyfin jellyfin_media"
"A ${config.services.jellyfin.media_directory} - - - - u:jellyfin:rwX,g:jellyfin_media:rwX,o::-"
];
}
(lib.mkIf config.host.reverse_proxy.enable {
host.reverse_proxy.subdomains.jellyfin = { host.reverse_proxy.subdomains.jellyfin = {
target = "http://localhost:${toString jellyfinPort}"; target = "http://localhost:${toString jellyfinPort}";
@ -45,19 +59,7 @@ in {
proxy_buffering off; proxy_buffering off;
''; '';
}; };
environment.systemPackages = [ })
pkgs.jellyfin
pkgs.jellyfin-web
pkgs.jellyfin-ffmpeg
];
networking.firewall.allowedTCPPorts = [jellyfinPort dlanPort];
systemd.tmpfiles.rules = [
"d ${config.services.jellyfin.media_directory} 2770 jellyfin jellyfin_media"
"A ${config.services.jellyfin.media_directory} - - - - u:jellyfin:rwX,g:jellyfin_media:rwX,o::-"
];
}
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/jellyfin.local".text = ( "fail2ban/filter.d/jellyfin.local".text = (

26
modules/nixos-modules/server/paperless.nix
View file

@ -24,17 +24,6 @@ in {
config = lib.mkIf config.services.paperless.enable (lib.mkMerge [ config = lib.mkIf config.services.paperless.enable (lib.mkMerge [
{ {
host = { host = {
reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
# allow large file uploads
client_max_body_size 50000M;
'';
};
postgres = { postgres = {
enable = true; enable = true;
extraUsers = { extraUsers = {
@ -61,6 +50,21 @@ in {
}; };
}; };
} }
(lib.mkIf config.host.reverse_proxy.enable {
host = {
reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
# allow large file uploads
client_max_body_size 50000M;
'';
};
};
})
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/paperless.local".text = ( "fail2ban/filter.d/paperless.local".text = (

22
modules/nixos-modules/server/searx.nix
View file

@ -12,18 +12,14 @@
}; };
}; };
config = lib.mkIf config.services.searx.enable { config = lib.mkIf config.services.searx.enable (
lib.mkMerge [
{
sops.secrets = { sops.secrets = {
"services/searx" = { "services/searx" = {
sopsFile = "${inputs.secrets}/defiant-services.yaml"; sopsFile = "${inputs.secrets}/defiant-services.yaml";
}; };
}; };
host = {
reverse_proxy.subdomains.searx = {
subdomain = config.services.searx.subdomain;
target = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
services.searx = { services.searx = {
environmentFile = config.sops.secrets."services/searx".path; environmentFile = config.sops.secrets."services/searx".path;
@ -68,5 +64,15 @@
]; ];
}; };
}; };
}; }
(lib.mkIf config.host.reverse_proxy.enable {
host = {
reverse_proxy.subdomains.searx = {
subdomain = config.services.searx.subdomain;
target = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
})
]
);
} }