diff --git a/README.md b/README.md
index 6ddb2a9..6f43733 100644
--- a/README.md
+++ b/README.md
@@ -51,7 +51,6 @@ nix multi user, multi system, configuration with `sops` secret management, `home
 - syncthing folder passwords
 - nfs export should be backed by the same values for server and client
 - move fail2ban configs out of fail2ban.nix and into configs for their respective services
-- nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy
 ## New Features
 - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
 - samba mounts
diff --git a/modules/nixos-modules/server/home-assistant.nix b/modules/nixos-modules/server/home-assistant.nix
index 01423e6..254e183 100644
--- a/modules/nixos-modules/server/home-assistant.nix
+++ b/modules/nixos-modules/server/home-assistant.nix
@@ -58,18 +58,14 @@ in {
 host = {
 reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = {
 target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
- websockets = true;
+
+ websockets.enable = true;
+ forwardHeaders.enable = true;
+
 extraConfig = ''
 add_header Upgrade $http_upgrade;
 add_header Connection \"upgrade\";
- proxy_set_header Host $host;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header X-Forwarded-Host $server_name;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
 proxy_buffering off;
 proxy_read_timeout 90;
diff --git a/modules/nixos-modules/server/immich.nix b/modules/nixos-modules/server/immich.nix
index f8ea5e3..2756e5c 100644
--- a/modules/nixos-modules/server/immich.nix
+++ b/modules/nixos-modules/server/immich.nix
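Review bot: The two `add_header Upgrade $http_upgrade;` / `add_header Connection \"upgrade\";` lines kept in extraConfig set response headers sent to the browser, not request headers sent upstream; with `websockets.enable = true` the reverse_proxy module turns on nginx's `proxyWebsockets`, which is what actually forwards the Upgrade/Connection headers to Home Assistant, so these two lines look like leftovers and I would drop them. Worth checking, though not visible in this hunk: `forwardHeaders.enable` makes nginx send `X-Forwarded-For`, which Home Assistant only accepts when its `http` config has `use_x_forwarded_for` and a `trusted_proxies` entry for the proxy address — the old config sent the same header, so this is presumably already in place. Finally, this file and immich.nix still key the entry by `${config.host.home-assistant.subdomain}`, whereas jellyfin.nix and searx.nix in this same commit switch to a fixed key plus `subdomain = …`; using one convention everywhere keeps the `name`-based default in reverse_proxy.nix meaningful.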
@@ -19,26 +19,19 @@ in {
 host = {
 reverse_proxy.subdomains.${config.host.immich.subdomain} = {
 target = "http://localhost:${toString config.services.immich.port}";
+
+ websockets.enable = true;
+ forwardHeaders.enable = true;
+
 extraConfig = ''
 # allow large file uploads
 client_max_body_size 50000M;
- # Set headers
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- # enable websockets: http://nginx.org/en/docs/http/websocket.html
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_redirect off;
-
 # set timeout
 proxy_read_timeout 600s;
 proxy_send_timeout 600s;
 send_timeout 600s;
+ proxy_redirect off;
 '';
 };
 postgres = {
diff --git a/modules/nixos-modules/server/jellyfin.nix b/modules/nixos-modules/server/jellyfin.nix
index e3eb986..77d5744 100644
--- a/modules/nixos-modules/server/jellyfin.nix
+++ b/modules/nixos-modules/server/jellyfin.nix
@@ -31,45 +31,22 @@ in {
 lib.mkMerge [
 {
 services.jellyfin.enable = true;
- host.reverse_proxy.subdomains = lib.mkMerge ([
- {
- ${config.host.jellyfin.subdomain} = {
- target = "http://localhost:${toString jellyfinPort}";
- extraConfig = ''
- client_max_body_size 20M;
- add_header X-Content-Type-Options "nosniff";
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Protocol $scheme;
- proxy_set_header X-Forwarded-Host $http_host;
+ host.reverse_proxy.subdomains.jellyfin = {
+ target = "http://localhost:${toString jellyfinPort}";
- proxy_buffering off;
- '';
- };
- }
- ]
- ++ (builtins.map (subdomain: {
- ${subdomain} = {
- target = "http://localhost:${toString jellyfinPort}";
- extraConfig = ''
- client_max_body_size 20M;
- add_header X-Content-Type-Options "nosniff";
+ subdomain = config.host.jellyfin.subdomain;
+ extraSubdomains = config.host.jellyfin.extraSubdomains;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Protocol $scheme;
- proxy_set_header X-Forwarded-Host $http_host;
+ forwardHeaders.enable = true;
- proxy_buffering off;
- '';
- };
- })
- config.host.jellyfin.extraSubdomains));
+ extraConfig = ''
+ client_max_body_size 20M;
+ add_header X-Content-Type-Options "nosniff";
+
+ proxy_buffering off;
+ '';
+ };
 environment.systemPackages = [
 pkgs.jellyfin
 pkgs.jellyfin-web
diff --git a/modules/nixos-modules/server/reverse_proxy.nix b/modules/nixos-modules/server/reverse_proxy.nix
index a406b14..26b4374 100644
--- a/modules/nixos-modules/server/reverse_proxy.nix
+++ b/modules/nixos-modules/server/reverse_proxy.nix
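Review bot: Switching the jellyfin entry to `forwardHeaders.enable = true` drops the explicit `X-Forwarded-Protocol $scheme` and `X-Forwarded-Host $http_host` headers; nixpkgs' recommended proxy settings send `X-Forwarded-Proto` and `X-Forwarded-Host $host` instead, so confirm that nothing on the Jellyfin side reads the `-Protocol` variant or relies on the port that `$http_host` carried. Jellyfin also only honours forwarded client addresses from proxies listed in its known-proxies setting, so the address nginx connects from should be configured there, otherwise Jellyfin's own logs and any per-client limits see only the proxy address. One nginx caveat on the retained `add_header X-Content-Type-Options "nosniff";`: an `add_header` inside a location stops `add_header` directives from the server level being inherited, so vhost-wide security headers would silently not apply to `/` — a comment such as `# note: add_header here replaces any server-level add_header directives` would save the next reader a surprise. The enclosing `lib.mkMerge [` attrset continues outside the hunk.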
@@ -24,13 +24,28 @@ in {
 default = true;
 };
 subdomains = lib.mkOption {
- type = lib.types.attrsOf (lib.types.submodule ({...}: {
+ type = lib.types.attrsOf (lib.types.submodule ({name, ...}: {
 options = {
+ subdomain = lib.mkOption {
+ type = lib.types.str;
+ description = "what is the default subdomain to be used for this application to be used for";
+ default = name;
+ };
+ extraSubdomains = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ description = "extra domains that should be configured for this domain";
+ default = [];
+ };
+
 target = lib.mkOption {
 type = lib.types.str;
- description = "where should this host point to";
+ description = "what url will all traffic to this application be forwarded to";
 };
- websockets = lib.mkEnableOption "should websockets be proxied";
+
+ websockets.enable = lib.mkEnableOption "should the default config proxy websockets";
+
+ forwardHeaders.enable = lib.mkEnableOption "should the default config contain forward headers";
+
 extraConfig = lib.mkOption {
 type = lib.types.lines;
 default = "";
@@ -40,7 +55,6 @@ in {
 };
 };
 }));
- default = {};
 };
 };
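Review bot: The description of the new `subdomain` option reads as a half-edited sentence ("… to be used for this application to be used for"); suggested wording `description = "subdomain under the reverse proxy hostname this application is served from; defaults to the attribute name";` and, for `extraSubdomains`, `description = "additional subdomains served with the same proxy configuration";`. Both options are plain `str` / `listOf str` and end up verbatim as nginx `server_name`s and, with enableACME, as certificate names, so a one-line comment saying that no hostname validation is applied would help whoever adds the next entry. `websockets.enable` and `forwardHeaders.enable` are declared with `mkEnableOption`, whose generated text is "Whether to enable <text>.", so "should the default config proxy websockets" renders as "Whether to enable should the default config proxy websockets."; noun phrases such as `"websocket proxying in the generated location"` and `"the recommended proxy headers in the generated location"` read correctly.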
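Review bot: Removing `default = {};` from `subdomains` means a host that imports this module but declares no entries evaluates `config.host.reverse_proxy.subdomains` in the nginx block below with no definitions at all; as far as I can tell the module system then fails with "The option … is used but not defined" instead of yielding an empty virtualHosts set, so please verify this on a host without any applications. Unless forcing every consumer to declare at least one entry is intended, I would keep `default = {};`. The option declaration continues outside this hunk.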
@@ -53,17 +67,36 @@ in {
 services.nginx = {
 enable = true;
- virtualHosts = lib.attrsets.mapAttrs' (name: value:
- lib.attrsets.nameValuePair "${name}.${config.host.reverse_proxy.hostname}" {
- forceSSL = config.host.reverse_proxy.forceSSL;
- enableACME = config.host.reverse_proxy.enableACME;
- locations."/" = {
- proxyPass = value.target;
- proxyWebsockets = value.websockets;
- extraConfig = value.extraConfig;
- };
- })
- config.host.reverse_proxy.subdomains;
+ virtualHosts = lib.mkMerge (
+ lib.lists.flatten (
+ lib.attrsets.mapAttrsToList (
+ name: value: let
+ hostConfig = {
+ forceSSL = config.host.reverse_proxy.forceSSL;
+ enableACME = config.host.reverse_proxy.enableACME;
+ locations = {
+ "/" = {
+ proxyPass = value.target;
+ proxyWebsockets = value.websockets.enable;
+ recommendedProxySettings = value.forwardHeaders.enable;
+ extraConfig =
+ value.extraConfig;
+ };
+ };
+ };
+ in (
+ [
+ {
+ ${"${value.subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig;
+ }
+ ]
+ ++ builtins.map (subdomain: {${"${subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig;})
+ value.extraSubdomains
+ )
+ )
+ config.host.reverse_proxy.subdomains
+ )
+ );
 };
 networking.firewall.allowedTCPPorts = [
diff --git a/modules/nixos-modules/server/searx.nix b/modules/nixos-modules/server/searx.nix
index b18eb14..c578b41 100644
--- a/modules/nixos-modules/server/searx.nix
+++ b/modules/nixos-modules/server/searx.nix
@@ -20,7 +20,8 @@
 };
 };
 host = {
- reverse_proxy.subdomains.${config.host.searx.subdomain} = {
+ reverse_proxy.subdomains.searx = {
+ subdomain = config.host.searx.subdomain;
 target = "http://localhost:${toString config.services.searx.settings.server.port}";
 };
 };
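Review bot: `recommendedProxySettings = value.forwardHeaders.enable;` writes an explicit `false` for every application that does not opt in, which overrides the location option's default of following `services.nginx.recommendedProxySettings`; an upstream behind such an entry then receives no `X-Real-IP` / `X-Forwarded-For`, so its own access logs and any per-client limits only ever see the proxy address. `recommendedProxySettings = value.forwardHeaders.enable || config.services.nginx.recommendedProxySettings;` keeps the per-application opt-in without disabling a globally enabled setting. Two smaller points: when two applications resolve to the same FQDN (through `subdomain` or `extraSubdomains`), `lib.mkMerge` folds both definitions into one virtualHost and the failure surfaces as a conflicting `proxyPass` rather than as a reverse_proxy error, which an assertion over the generated names would make clearer; and `${"${value.subdomain}.${config.host.reverse_proxy.hostname}"}` can simply be written `"${value.subdomain}.${config.host.reverse_proxy.hostname}" = hostConfig;` (same for the `extraSubdomains` map). The enclosing module config continues outside the hunk.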