added extra config to services

2025-03-07 18:18:37 -06:00 · 2025-03-07 18:18:37 -06:00 · 8b39a80849
parent 62abf65e5a
commit 8b39a80849
3 changed files with 56 additions and 1 deletions
--- a/modules/nixos-modules/server/home-assistant.nix
+++ b/modules/nixos-modules/server/home-assistant.nix
@ -18,10 +18,15 @@ in {
    {
      services.home-assistant = {
        enable = true;
+        extraComponents = [
+          "esphome"
+          "met"
+          "radio_browser"
+        ];
        config.http = {
          server_port = 8082;
          use_x_forwarded_for = true;
-          trusted_proxies = ["127.0.0.1"];
+          trusted_proxies = ["127.0.0.1" "::1"];
          ip_ban_enabled = true;
          login_attempts_threshold = 10;
        };
@ -29,6 +34,18 @@ in {
      host = {
        reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = {
          target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
+          websockets = true;
+          extraConfig = ''
+            add_header Upgrade $http_upgrade;
+            add_header Connection \"upgrade\";
+            proxy_set_header Host $host;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header X-Forwarded-Host $server_name;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_read_timeout 90;
+          '';
        };
      };
    }
--- a/modules/nixos-modules/server/jellyfin.nix
+++ b/modules/nixos-modules/server/jellyfin.nix
@ -31,12 +31,42 @@ in {
            {
              ${config.host.jellyfin.subdomain} = {
                target = "http://localhost:${toString jellyfinPort}";
+                extraConfig = ''
+                  client_max_body_size 20M;
+                  add_header X-Content-Type-Options "nosniff";
+                  add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+                  add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+                  proxy_set_header Host $host;
+                  proxy_set_header X-Real-IP $remote_addr;
+                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                  proxy_set_header X-Forwarded-Proto $scheme;
+                  proxy_set_header X-Forwarded-Protocol $scheme;
+                  proxy_set_header X-Forwarded-Host $http_host;
+
+                  proxy_buffering off;
+                '';
              };
            }
          ]
          ++ (builtins.map (subdomain: {
              ${subdomain} = {
                target = "http://localhost:${toString jellyfinPort}";
+                extraConfig = ''
+                  client_max_body_size 20M;
+                  add_header X-Content-Type-Options "nosniff";
+                  add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+                  add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+                  proxy_set_header Host $host;
+                  proxy_set_header X-Real-IP $remote_addr;
+                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                  proxy_set_header X-Forwarded-Proto $scheme;
+                  proxy_set_header X-Forwarded-Protocol $scheme;
+                  proxy_set_header X-Forwarded-Host $http_host;
+
+                  proxy_buffering off;
+                '';
              };
            })
            config.host.jellyfin.extraSubdomains));
--- a/modules/nixos-modules/server/reverse_proxy.nix
+++ b/modules/nixos-modules/server/reverse_proxy.nix
@ -31,6 +31,13 @@ in {
            description = "where should this host point to";
          };
          websockets = lib.mkEnableOption "should websockets be proxied";
+          extraConfig = lib.mkOption {
+            type = lib.types.lines;
+            default = "";
+            description = ''
+              These lines go to the end of the upstream verbatim.
+            '';
+          };
        };
      }));
      default = {};
@ -53,6 +60,7 @@ in {
            locations."/" = {
              proxyPass = value.target;
              proxyWebsockets = value.websockets;
+              extraConfig = value.extraConfig;
            };
          })
        config.host.reverse_proxy.subdomains;