From 8b39a8084950929f1c4c260f23bead1ccde6f9f7 Mon Sep 17 00:00:00 2001
From: Leyla Becker
Date: Fri, 7 Mar 2025 18:18:37 -0600
Subject: [PATCH] added extra config to services
---
 .../nixos-modules/server/home-assistant.nix | 19 +++++++++++-
 modules/nixos-modules/server/jellyfin.nix | 30 +++++++++++++++++++
 .../nixos-modules/server/reverse_proxy.nix | 8 +++++
 3 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/modules/nixos-modules/server/home-assistant.nix b/modules/nixos-modules/server/home-assistant.nix
index ba6d81f..cadb607 100644
--- a/modules/nixos-modules/server/home-assistant.nix
+++ b/modules/nixos-modules/server/home-assistant.nix
@@ -18,10 +18,15 @@ in {
 {
 services.home-assistant = {
 enable = true;
+ extraComponents = [
+ "esphome"
+ "met"
+ "radio_browser"
+ ];
 config.http = {
 server_port = 8082;
 use_x_forwarded_for = true;
- trusted_proxies = ["127.0.0.1"];
+ trusted_proxies = ["127.0.0.1" "::1"];
 ip_ban_enabled = true;
 login_attempts_threshold = 10;
 };
@@ -29,6 +34,18 @@ in {
 host = {
 reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = {
 target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
+ websockets = true;
+ extraConfig = ''
+ add_header Upgrade $http_upgrade;
+ add_header Connection \"upgrade\";
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Forwarded-Host $server_name;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_read_timeout 90;
+ '';
 };
 };
 }
diff --git a/modules/nixos-modules/server/jellyfin.nix b/modules/nixos-modules/server/jellyfin.nix
index 78afbc7..4746ad3 100644
--- a/modules/nixos-modules/server/jellyfin.nix
+++ b/modules/nixos-modules/server/jellyfin.nix
@@ -31,12 +31,42 @@ in {
 {
 ${config.host.jellyfin.subdomain} = {
 target = "http://localhost:${toString jellyfinPort}";
+ extraConfig = ''
+ client_max_body_size 20M;
+ add_header X-Content-Type-Options "nosniff";
+ add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+ add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+
+ proxy_buffering off;
+ '';
 };
 }
 ]
 ++ (builtins.map (subdomain: {
 ${subdomain} = {
 target = "http://localhost:${toString jellyfinPort}";
+ extraConfig = ''
+ client_max_body_size 20M;
+ add_header X-Content-Type-Options "nosniff";
+ add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+ add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+
+ proxy_buffering off;
+ '';
 };
 })
 config.host.jellyfin.extraSubdomains));
diff --git a/modules/nixos-modules/server/reverse_proxy.nix b/modules/nixos-modules/server/reverse_proxy.nix
index a218b3f..a406b14 100644
--- a/modules/nixos-modules/server/reverse_proxy.nix
+++ b/modules/nixos-modules/server/reverse_proxy.nix
@@ -31,6 +31,13 @@ in {
 description = "where should this host point to";
 };
 websockets = lib.mkEnableOption "should websockets be proxied";
+ extraConfig = lib.mkOption {
+ type = lib.types.lines;
+ default = "";
+ description = ''
+ These lines go to the end of the upstream verbatim.
+ '';
+ };
 };
 }));
 default = {};
@@ -53,6 +60,7 @@ in {
 locations."/" = {
 proxyPass = value.target;
 proxyWebsockets = value.websockets;
+ extraConfig = value.extraConfig;
 };
 })
 config.host.reverse_proxy.subdomains;
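Review bot: The two `add_header` lines at the top of the new home-assistant extraConfig set `Upgrade` and `Connection: upgrade` on every response sent back to the client; `add_header` controls response headers, not the upstream request, so these two lines should be dropped (the `proxy_set_header` lines below already cover the upstream side). The second of them is also garbled: inside a Nix `''` indented string `\"` is not an escape, so nginx receives the literal text `add_header Connection \"upgrade\";`. The hard-coded `proxy_set_header Connection "upgrade";` forces an upgrade on every proxied request, while `websockets = true` already routes through `proxyWebsockets` in reverse_proxy.nix, which in nixpkgs emits the Upgrade/Connection pair conditionally on the request's own Upgrade header; the `Upgrade`/`Connection` `proxy_set_header` lines therefore look redundant and can go too, leaving `Host`, `X-Forwarded-Host`, `X-Real-IP`, `X-Forwarded-For` and `proxy_read_timeout`. For consistency with jellyfin.nix in the same commit, consider `proxy_set_header X-Forwarded-Host $http_host;` instead of `$server_name`. The enclosing `host = { ... }` attribute set continues outside this hunk.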
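Review bot: The fifteen-line extraConfig block is pasted twice, once for `${config.host.jellyfin.subdomain}` and once inside the `builtins.map` over `extraSubdomains`, so the two copies will drift the first time one of them is edited; hoist it into a single binding next to `jellyfinPort` (e.g. `jellyfinProxyConfig = '' ... '';` in the file's existing `let`) and reference `extraConfig = jellyfinProxyConfig;` in both places. Within the block, `X-Content-Type-Options` and `Content-Security-Policy` are added without `always` while `Permissions-Policy` has it, so nginx omits the first two on 4xx/5xx responses; `add_header X-Content-Type-Options "nosniff" always;` and the same suffix on the CSP line make the three consistent. Note also that nginx stops inheriting `add_header` directives from the enclosing server block as soon as a location defines its own, so any headers the reverse_proxy module sets at virtual-host level (not visible here) would no longer apply to `/` on these hosts and may need repeating. The list this hunk belongs to is opened before the hunk starts.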
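Review bot: The description of the new `extraConfig` option says the lines "go to the end of the upstream", but the second hunk in this file wires the value into `locations."/".extraConfig`, i.e. an nginx location block on the virtual host, not an `upstream` block; the wording will mislead callers who expect upstream-level directives to be valid there. Suggest `description = "Extra nginx directives appended verbatim to the location \"/\" block of this subdomain's virtual host.";` so the option documents where the text actually lands. Since `lib.types.lines` concatenates multiple definitions with newlines, it may also be worth noting in the description that several modules can contribute to the same subdomain.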