added extra config to services

2025-03-07 18:18:37 -06:00 · 2025-03-07 18:18:37 -06:00 · 8b39a80849
commit 8b39a80849
parent 62abf65e5a
3 changed files with 56 additions and 1 deletions
--- a/modules/nixos-modules/server/home-assistant.nix
+++ b/modules/nixos-modules/server/home-assistant.nix
@ -18,10 +18,15 @@ in {
    {
      services.home-assistant = {
        enable = true;
        extraComponents = [
          "esphome"
          "met"
          "radio_browser"
        ];
        config.http = {
          server_port = 8082;
          use_x_forwarded_for = true;
-          trusted_proxies = ["127.0.0.1"];
+          trusted_proxies = ["127.0.0.1" "::1"];
          ip_ban_enabled = true;
          login_attempts_threshold = 10;
        };
@ -29,6 +34,18 @@ in {
      host = {
        reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = {
          target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
          websockets = true;
          extraConfig = ''
            add_header Upgrade $http_upgrade;
            add_header Connection \"upgrade\";
            proxy_set_header Host $host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_read_timeout 90;
          '';
        };
      };
    }
--- a/modules/nixos-modules/server/jellyfin.nix
+++ b/modules/nixos-modules/server/jellyfin.nix
@ -31,12 +31,42 @@ in {
            {
              ${config.host.jellyfin.subdomain} = {
                target = "http://localhost:${toString jellyfinPort}";
                extraConfig = ''
                  client_max_body_size 20M;
                  add_header X-Content-Type-Options "nosniff";
                  add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
                  add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto $scheme;
                  proxy_set_header X-Forwarded-Protocol $scheme;
                  proxy_set_header X-Forwarded-Host $http_host;
                  proxy_buffering off;
                '';
              };
            }
          ]
          ++ (builtins.map (subdomain: {
              ${subdomain} = {
                target = "http://localhost:${toString jellyfinPort}";
                extraConfig = ''
                  client_max_body_size 20M;
                  add_header X-Content-Type-Options "nosniff";
                  add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
                  add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
                  proxy_set_header Host $host;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                  proxy_set_header X-Forwarded-Proto $scheme;
                  proxy_set_header X-Forwarded-Protocol $scheme;
                  proxy_set_header X-Forwarded-Host $http_host;
                  proxy_buffering off;
                '';
              };
            })
            config.host.jellyfin.extraSubdomains));
--- a/modules/nixos-modules/server/reverse_proxy.nix
+++ b/modules/nixos-modules/server/reverse_proxy.nix
@ -31,6 +31,13 @@ in {
            description = "where should this host point to";
          };
          websockets = lib.mkEnableOption "should websockets be proxied";
          extraConfig = lib.mkOption {
            type = lib.types.lines;
            default = "";
            description = ''
              These lines go to the end of the upstream verbatim.
            '';
          };
        };
      }));
      default = {};
@ -53,6 +60,7 @@ in {
            locations."/" = {
              proxyPass = value.target;
              proxyWebsockets = value.websockets;
              extraConfig = value.extraConfig;
            };
          })
        config.host.reverse_proxy.subdomains;