forked from jan-leila/nix-config
refactor: moved reverse proxy into own section in server modules
This commit is contained in:
parent
663bdcc012
commit
52801b4bb7
7 changed files with 142 additions and 119 deletions
|
|
@ -18,11 +18,6 @@ in {
|
|||
systemd.tmpfiles.rules = [
|
||||
"d ${dataDirectory} 2770 actual actual"
|
||||
];
|
||||
host = {
|
||||
reverse_proxy.subdomains.${config.services.actual.subdomain} = {
|
||||
target = "http://localhost:${toString config.services.actual.settings.port}";
|
||||
};
|
||||
};
|
||||
|
||||
services.actual = {
|
||||
settings = {
|
||||
|
|
@ -30,6 +25,13 @@ in {
|
|||
};
|
||||
};
|
||||
}
|
||||
(lib.mkIf config.host.reverse_proxy.enable {
|
||||
host = {
|
||||
reverse_proxy.subdomains.${config.services.actual.subdomain} = {
|
||||
target = "http://localhost:${toString config.services.actual.settings.port}";
|
||||
};
|
||||
};
|
||||
})
|
||||
(lib.mkIf config.services.fail2ban.enable {
|
||||
# TODO: configuration for fail2ban for actual
|
||||
})
|
||||
|
|
|
|||
|
|
@ -26,9 +26,6 @@ in {
|
|||
}
|
||||
];
|
||||
host = {
|
||||
reverse_proxy.subdomains.${config.services.forgejo.subdomain} = {
|
||||
target = "http://localhost:${toString forgejoPort}";
|
||||
};
|
||||
postgres = {
|
||||
enable = true;
|
||||
extraUsers = {
|
||||
|
|
@ -76,6 +73,13 @@ in {
|
|||
config.services.forgejo.settings.server.SSH_LISTEN_PORT
|
||||
];
|
||||
}
|
||||
(lib.mkIf config.host.reverse_proxy.enable {
|
||||
host = {
|
||||
reverse_proxy.subdomains.${config.services.forgejo.subdomain} = {
|
||||
target = "http://localhost:${toString forgejoPort}";
|
||||
};
|
||||
};
|
||||
})
|
||||
(lib.mkIf config.services.fail2ban.enable {
|
||||
environment.etc = {
|
||||
"fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (
|
||||
|
|
|
|||
|
|
@ -43,24 +43,6 @@ in {
|
|||
|
||||
config = lib.mkIf config.services.home-assistant.enable (lib.mkMerge [
|
||||
{
|
||||
host = {
|
||||
reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = {
|
||||
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
|
||||
|
||||
websockets.enable = true;
|
||||
forwardHeaders.enable = true;
|
||||
|
||||
extraConfig = ''
|
||||
add_header Upgrade $http_upgrade;
|
||||
add_header Connection \"upgrade\";
|
||||
|
||||
proxy_buffering off;
|
||||
|
||||
proxy_read_timeout 90;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.home-assistant = {
|
||||
configDir = configDir;
|
||||
extraComponents = [
|
||||
|
|
@ -173,6 +155,25 @@ in {
|
|||
];
|
||||
};
|
||||
})
|
||||
(lib.mkIf config.host.reverse_proxy.enable {
|
||||
host = {
|
||||
reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = {
|
||||
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
|
||||
|
||||
websockets.enable = true;
|
||||
forwardHeaders.enable = true;
|
||||
|
||||
extraConfig = ''
|
||||
add_header Upgrade $http_upgrade;
|
||||
add_header Connection \"upgrade\";
|
||||
|
||||
proxy_buffering off;
|
||||
|
||||
proxy_read_timeout 90;
|
||||
'';
|
||||
};
|
||||
};
|
||||
})
|
||||
(lib.mkIf config.services.fail2ban.enable {
|
||||
environment.etc = {
|
||||
"fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (
|
||||
|
|
|
|||
|
|
@ -17,23 +17,6 @@ in {
|
|||
config = lib.mkIf config.services.immich.enable (lib.mkMerge [
|
||||
{
|
||||
host = {
|
||||
reverse_proxy.subdomains.${config.services.immich.subdomain} = {
|
||||
target = "http://localhost:${toString config.services.immich.port}";
|
||||
|
||||
websockets.enable = true;
|
||||
forwardHeaders.enable = true;
|
||||
|
||||
extraConfig = ''
|
||||
# allow large file uploads
|
||||
client_max_body_size 50000M;
|
||||
|
||||
# set timeout
|
||||
proxy_read_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
send_timeout 600s;
|
||||
proxy_redirect off;
|
||||
'';
|
||||
};
|
||||
postgres = {
|
||||
enable = true;
|
||||
extraUsers = {
|
||||
|
|
@ -53,6 +36,27 @@ in {
|
|||
];
|
||||
};
|
||||
}
|
||||
(lib.mkIf config.host.reverse_proxy.enable {
|
||||
host = {
|
||||
reverse_proxy.subdomains.${config.services.immich.subdomain} = {
|
||||
target = "http://localhost:${toString config.services.immich.port}";
|
||||
|
||||
websockets.enable = true;
|
||||
forwardHeaders.enable = true;
|
||||
|
||||
extraConfig = ''
|
||||
# allow large file uploads
|
||||
client_max_body_size 50000M;
|
||||
|
||||
# set timeout
|
||||
proxy_read_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
send_timeout 600s;
|
||||
proxy_redirect off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
})
|
||||
(lib.mkIf config.services.fail2ban.enable {
|
||||
environment.etc = {
|
||||
"fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable (
|
||||
|
|
|
|||
|
|
@ -30,6 +30,20 @@ in {
|
|||
config = lib.mkIf config.services.jellyfin.enable (
|
||||
lib.mkMerge [
|
||||
{
|
||||
environment.systemPackages = [
|
||||
pkgs.jellyfin
|
||||
pkgs.jellyfin-web
|
||||
pkgs.jellyfin-ffmpeg
|
||||
];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [jellyfinPort dlanPort];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${config.services.jellyfin.media_directory} 2770 jellyfin jellyfin_media"
|
||||
"A ${config.services.jellyfin.media_directory} - - - - u:jellyfin:rwX,g:jellyfin_media:rwX,o::-"
|
||||
];
|
||||
}
|
||||
(lib.mkIf config.host.reverse_proxy.enable {
|
||||
host.reverse_proxy.subdomains.jellyfin = {
|
||||
target = "http://localhost:${toString jellyfinPort}";
|
||||
|
||||
|
|
@ -45,19 +59,7 @@ in {
|
|||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
environment.systemPackages = [
|
||||
pkgs.jellyfin
|
||||
pkgs.jellyfin-web
|
||||
pkgs.jellyfin-ffmpeg
|
||||
];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [jellyfinPort dlanPort];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${config.services.jellyfin.media_directory} 2770 jellyfin jellyfin_media"
|
||||
"A ${config.services.jellyfin.media_directory} - - - - u:jellyfin:rwX,g:jellyfin_media:rwX,o::-"
|
||||
];
|
||||
}
|
||||
})
|
||||
(lib.mkIf config.services.fail2ban.enable {
|
||||
environment.etc = {
|
||||
"fail2ban/filter.d/jellyfin.local".text = (
|
||||
|
|
|
|||
|
|
@ -24,17 +24,6 @@ in {
|
|||
config = lib.mkIf config.services.paperless.enable (lib.mkMerge [
|
||||
{
|
||||
host = {
|
||||
reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
|
||||
target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
|
||||
|
||||
websockets.enable = true;
|
||||
forwardHeaders.enable = true;
|
||||
|
||||
extraConfig = ''
|
||||
# allow large file uploads
|
||||
client_max_body_size 50000M;
|
||||
'';
|
||||
};
|
||||
postgres = {
|
||||
enable = true;
|
||||
extraUsers = {
|
||||
|
|
@ -61,6 +50,21 @@ in {
|
|||
};
|
||||
};
|
||||
}
|
||||
(lib.mkIf config.host.reverse_proxy.enable {
|
||||
host = {
|
||||
reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
|
||||
target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
|
||||
|
||||
websockets.enable = true;
|
||||
forwardHeaders.enable = true;
|
||||
|
||||
extraConfig = ''
|
||||
# allow large file uploads
|
||||
client_max_body_size 50000M;
|
||||
'';
|
||||
};
|
||||
};
|
||||
})
|
||||
(lib.mkIf config.services.fail2ban.enable {
|
||||
environment.etc = {
|
||||
"fail2ban/filter.d/paperless.local".text = (
|
||||
|
|
|
|||
|
|
@ -12,61 +12,67 @@
|
|||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.services.searx.enable {
|
||||
sops.secrets = {
|
||||
"services/searx" = {
|
||||
sopsFile = "${inputs.secrets}/defiant-services.yaml";
|
||||
};
|
||||
};
|
||||
host = {
|
||||
reverse_proxy.subdomains.searx = {
|
||||
subdomain = config.services.searx.subdomain;
|
||||
target = "http://localhost:${toString config.services.searx.settings.server.port}";
|
||||
};
|
||||
};
|
||||
services.searx = {
|
||||
environmentFile = config.sops.secrets."services/searx".path;
|
||||
|
||||
# Rate limiting
|
||||
limiterSettings = {
|
||||
real_ip = {
|
||||
x_for = 1;
|
||||
ipv4_prefix = 32;
|
||||
ipv6_prefix = 56;
|
||||
};
|
||||
|
||||
botdetection = {
|
||||
ip_limit = {
|
||||
filter_link_local = true;
|
||||
link_token = true;
|
||||
config = lib.mkIf config.services.searx.enable (
|
||||
lib.mkMerge [
|
||||
{
|
||||
sops.secrets = {
|
||||
"services/searx" = {
|
||||
sopsFile = "${inputs.secrets}/defiant-services.yaml";
|
||||
};
|
||||
};
|
||||
};
|
||||
services.searx = {
|
||||
environmentFile = config.sops.secrets."services/searx".path;
|
||||
|
||||
settings = {
|
||||
server = {
|
||||
port = 8083;
|
||||
secret_key = "@SEARXNG_SECRET@";
|
||||
# Rate limiting
|
||||
limiterSettings = {
|
||||
real_ip = {
|
||||
x_for = 1;
|
||||
ipv4_prefix = 32;
|
||||
ipv6_prefix = 56;
|
||||
};
|
||||
|
||||
botdetection = {
|
||||
ip_limit = {
|
||||
filter_link_local = true;
|
||||
link_token = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
settings = {
|
||||
server = {
|
||||
port = 8083;
|
||||
secret_key = "@SEARXNG_SECRET@";
|
||||
};
|
||||
|
||||
# Search engine settings
|
||||
search = {
|
||||
safe_search = 2;
|
||||
autocomplete_min = 2;
|
||||
autocomplete = "duckduckgo";
|
||||
};
|
||||
|
||||
# Enabled plugins
|
||||
enabled_plugins = [
|
||||
"Basic Calculator"
|
||||
"Hash plugin"
|
||||
"Tor check plugin"
|
||||
"Open Access DOI rewrite"
|
||||
"Hostnames plugin"
|
||||
"Unit converter plugin"
|
||||
"Tracker URL remover"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
# Search engine settings
|
||||
search = {
|
||||
safe_search = 2;
|
||||
autocomplete_min = 2;
|
||||
autocomplete = "duckduckgo";
|
||||
}
|
||||
(lib.mkIf config.host.reverse_proxy.enable {
|
||||
host = {
|
||||
reverse_proxy.subdomains.searx = {
|
||||
subdomain = config.services.searx.subdomain;
|
||||
target = "http://localhost:${toString config.services.searx.settings.server.port}";
|
||||
};
|
||||
};
|
||||
|
||||
# Enabled plugins
|
||||
enabled_plugins = [
|
||||
"Basic Calculator"
|
||||
"Hash plugin"
|
||||
"Tor check plugin"
|
||||
"Open Access DOI rewrite"
|
||||
"Hostnames plugin"
|
||||
"Unit converter plugin"
|
||||
"Tracker URL remover"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
})
|
||||
]
|
||||
);
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue