simplified nginx config
This commit is contained in:
parent
4c430404b3
commit
2350eb43ec
|
|
@ -51,7 +51,6 @@ nix multi user, multi system, configuration with `sops` secret management, `home
|
|||
- syncthing folder passwords
|
||||
- nfs export should be backed by the same values for server and client
|
||||
- move fail2ban configs out of fail2ban.nix and into configs for their respective services
|
||||
- nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy
|
||||
## New Features
|
||||
- offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
|
||||
- samba mounts
|
||||
|
|
|
|||
|
|
@ -58,18 +58,14 @@ in {
|
|||
host = {
|
||||
reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = {
|
||||
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
|
||||
websockets = true;
|
||||
|
||||
websockets.enable = true;
|
||||
forwardHeaders.enable = true;
|
||||
|
||||
extraConfig = ''
|
||||
add_header Upgrade $http_upgrade;
|
||||
add_header Connection \"upgrade\";
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header X-Forwarded-Host $server_name;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
proxy_buffering off;
|
||||
|
||||
proxy_read_timeout 90;
|
||||
|
|
|
|||
|
|
@ -19,26 +19,19 @@ in {
|
|||
host = {
|
||||
reverse_proxy.subdomains.${config.host.immich.subdomain} = {
|
||||
target = "http://localhost:${toString config.services.immich.port}";
|
||||
|
||||
websockets.enable = true;
|
||||
forwardHeaders.enable = true;
|
||||
|
||||
extraConfig = ''
|
||||
# allow large file uploads
|
||||
client_max_body_size 50000M;
|
||||
|
||||
# Set headers
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
# enable websockets: http://nginx.org/en/docs/http/websocket.html
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_redirect off;
|
||||
|
||||
# set timeout
|
||||
proxy_read_timeout 600s;
|
||||
proxy_send_timeout 600s;
|
||||
send_timeout 600s;
|
||||
proxy_redirect off;
|
||||
'';
|
||||
};
|
||||
postgres = {
|
||||
|
|
|
|||
|
|
@ -31,45 +31,22 @@ in {
|
|||
lib.mkMerge [
|
||||
{
|
||||
services.jellyfin.enable = true;
|
||||
host.reverse_proxy.subdomains = lib.mkMerge ([
|
||||
{
|
||||
${config.host.jellyfin.subdomain} = {
|
||||
target = "http://localhost:${toString jellyfinPort}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 20M;
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
host.reverse_proxy.subdomains.jellyfin = {
|
||||
target = "http://localhost:${toString jellyfinPort}";
|
||||
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
}
|
||||
]
|
||||
++ (builtins.map (subdomain: {
|
||||
${subdomain} = {
|
||||
target = "http://localhost:${toString jellyfinPort}";
|
||||
extraConfig = ''
|
||||
client_max_body_size 20M;
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
subdomain = config.host.jellyfin.subdomain;
|
||||
extraSubdomains = config.host.jellyfin.extraSubdomains;
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
forwardHeaders.enable = true;
|
||||
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
})
|
||||
config.host.jellyfin.extraSubdomains));
|
||||
extraConfig = ''
|
||||
client_max_body_size 20M;
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
|
||||
proxy_buffering off;
|
||||
'';
|
||||
};
|
||||
environment.systemPackages = [
|
||||
pkgs.jellyfin
|
||||
pkgs.jellyfin-web
|
||||
|
|
|
|||
|
|
@ -24,13 +24,28 @@ in {
|
|||
default = true;
|
||||
};
|
||||
subdomains = lib.mkOption {
|
||||
type = lib.types.attrsOf (lib.types.submodule ({...}: {
|
||||
type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
|
||||
options = {
|
||||
subdomain = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "what is the default subdomain to be used for this application to be used for";
|
||||
default = name;
|
||||
};
|
||||
extraSubdomains = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.str;
|
||||
description = "extra domains that should be configured for this domain";
|
||||
default = [];
|
||||
};
|
||||
|
||||
target = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
description = "where should this host point to";
|
||||
description = "what url will all traffic to this application be forwarded to";
|
||||
};
|
||||
websockets = lib.mkEnableOption "should websockets be proxied";
|
||||
|
||||
websockets.enable = lib.mkEnableOption "should the default config proxy websockets";
|
||||
|
||||
forwardHeaders.enable = lib.mkEnableOption "should the default config contain forward headers";
|
||||
|
||||
extraConfig = lib.mkOption {
|
||||
type = lib.types.lines;
|
||||
default = "";
|
||||
|
|
@ -40,7 +55,6 @@ in {
|
|||
};
|
||||
};
|
||||
}));
|
||||
default = {};
|
||||
};
|
||||
};
|
||||
|
||||
|
|
@ -53,17 +67,36 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = lib.attrsets.mapAttrs' (name: value:
|
||||
lib.attrsets.nameValuePair "${name}.${config.host.reverse_proxy.hostname}" {
|
||||
forceSSL = config.host.reverse_proxy.forceSSL;
|
||||
enableACME = config.host.reverse_proxy.enableACME;
|
||||
locations."/" = {
|
||||
proxyPass = value.target;
|
||||
proxyWebsockets = value.websockets;
|
||||
extraConfig = value.extraConfig;
|
||||
};
|
||||
})
|
||||
config.host.reverse_proxy.subdomains;
|
||||
virtualHosts = lib.mkMerge (
|
||||
lib.lists.flatten (
|
||||
lib.attrsets.mapAttrsToList (
|
||||
name: value: let
|
||||
hostConfig = {
|
||||
forceSSL = config.host.reverse_proxy.forceSSL;
|
||||
enableACME = config.host.reverse_proxy.enableACME;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = value.target;
|
||||
proxyWebsockets = value.websockets.enable;
|
||||
recommendedProxySettings = value.forwardHeaders.enable;
|
||||
extraConfig =
|
||||
value.extraConfig;
|
||||
};
|
||||
};
|
||||
};
|
||||
in (
|
||||
[
|
||||
{
|
||||
${"${value.subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig;
|
||||
}
|
||||
]
|
||||
++ builtins.map (subdomain: {${"${subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig;})
|
||||
value.extraSubdomains
|
||||
)
|
||||
)
|
||||
config.host.reverse_proxy.subdomains
|
||||
)
|
||||
);
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
|
|
|
|||
|
|
@ -20,7 +20,8 @@
|
|||
};
|
||||
};
|
||||
host = {
|
||||
reverse_proxy.subdomains.${config.host.searx.subdomain} = {
|
||||
reverse_proxy.subdomains.searx = {
|
||||
subdomain = config.host.searx.subdomain;
|
||||
target = "http://localhost:${toString config.services.searx.settings.server.port}";
|
||||
};
|
||||
};
|
||||
|
|
|
|||
Loading…
Reference in a new issue