diff --git a/README.md b/README.md
index 6f43733..6d2c56b 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,7 @@ nix multi user, multi system, configuration with `sops` secret management, `home
 - syncthing folder passwords
 - nfs export should be backed by the same values for server and client
 - move fail2ban configs out of fail2ban.nix and into configs for their respective services
+- nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy
 ## New Features
 - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
 - samba mounts
@@ -66,7 +67,4 @@ nix multi user, multi system, configuration with `sops` secret management, `home
 - SMART test with email results
 - Create Tor guard/relay server
 - remote distributed builds - https://nix.dev/tutorials/nixos/distributed-builds-setup.html
-- migrate away from flakes and move to npins
-- fix nfs
-- fix home assistant
-- create adguard server
\ No newline at end of file
+- migrate away from flakes and move to npins
\ No newline at end of file
diff --git a/modules/nixos-modules/server/home-assistant.nix b/modules/nixos-modules/server/home-assistant.nix
index 254e183..01423e6 100644
--- a/modules/nixos-modules/server/home-assistant.nix
+++ b/modules/nixos-modules/server/home-assistant.nix
@@ -58,14 +58,18 @@ in { host = { reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = { target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; - - websockets.enable = true; - forwardHeaders.enable = true; - + websockets = true; extraConfig = '' add_header Upgrade $http_upgrade; add_header Connection \"upgrade\"; + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header X-Forwarded-Host $server_name; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_buffering off; proxy_read_timeout 90; diff --git a/modules/nixos-modules/server/immich.nix b/modules/nixos-modules/server/immich.nix index 2756e5c..f8ea5e3 100644 --- a/modules/nixos-modules/server/immich.nix +++ b/modules/nixos-modules/server/immich.nix @@ -19,19 +19,26 @@ in { host = { reverse_proxy.subdomains.${config.host.immich.subdomain} = { target = "http://localhost:${toString config.services.immich.port}"; - - websockets.enable = true; - forwardHeaders.enable = true; - extraConfig = '' # allow large file uploads client_max_body_size 50000M; + # Set headers + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + # enable websockets: http://nginx.org/en/docs/http/websocket.html + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_redirect off; + # set timeout proxy_read_timeout 600s; proxy_send_timeout 600s; send_timeout 600s; - proxy_redirect off; ''; }; postgres = { diff --git a/modules/nixos-modules/server/jellyfin.nix b/modules/nixos-modules/server/jellyfin.nix index 77d5744..e3eb986 100644 --- a/modules/nixos-modules/server/jellyfin.nix +++ b/modules/nixos-modules/server/jellyfin.nix 
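Review bot: The added `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";` lines sit next to `websockets = true;`, which reverse_proxy.nix maps to nginx's `proxyWebsockets` and which, as far as I recall of the nixpkgs module, already emits Upgrade/Connection directives keyed on `$http_upgrade`; the hand-written pair is therefore redundant at best, and because the value is the literal `"upgrade"` every ordinary request to Home Assistant is sent with `Connection: upgrade`, not only the ones that asked for it. The immich.nix hunk carries the same hard-coded pair; if the module-generated directives are kept, both copies can be dropped. `X-Forwarded-Host $server_name` is also out of step with jellyfin.nix, which forwards `$http_host`: `$server_name` is the configured name rather than what the client asked for, and this block is the only one in the commit that forwards no `X-Forwarded-Proto $scheme`, which the backend presumably needs to learn it sits behind `forceSSL`. The enclosing `reverse_proxy.subdomains` attrset continues past the end of the hunk.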
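Review bot: `websockets.enable = true;` is removed here but not replaced with the `websockets = true;` option that reverse_proxy.nix now provides, so Immich is the only host in this commit whose HTTP/1.1 upgrade handling lives entirely in hand-written `extraConfig`, with `Connection` fixed to the literal `"upgrade"` for every request rather than the `map $http_upgrade $connection_upgrade` form the nginx page linked in the comment describes. Setting `websockets = true;` and dropping `proxy_http_version 1.1;` together with the two Upgrade/Connection `proxy_set_header` lines would keep that handling in one place for all services; moving `proxy_redirect off;` above the timeouts is fine. The `reverse_proxy.subdomains` entry closes inside the hunk, but the surrounding `host = {` set continues past it (`postgres = {`).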
@@ -31,22 +31,45 @@ in { lib.mkMerge [ { services.jellyfin.enable = true; + host.reverse_proxy.subdomains = lib.mkMerge ([ + { + ${config.host.jellyfin.subdomain} = { + target = "http://localhost:${toString jellyfinPort}"; + extraConfig = '' + client_max_body_size 20M; + add_header X-Content-Type-Options "nosniff"; - host.reverse_proxy.subdomains.jellyfin = { - target = "http://localhost:${toString jellyfinPort}"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; - subdomain = config.host.jellyfin.subdomain; - extraSubdomains = config.host.jellyfin.extraSubdomains; + proxy_buffering off; + ''; + }; + } + ] + ++ (builtins.map (subdomain: { + ${subdomain} = { + target = "http://localhost:${toString jellyfinPort}"; + extraConfig = '' + client_max_body_size 20M; + add_header X-Content-Type-Options "nosniff"; - forwardHeaders.enable = true; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; - extraConfig = '' - client_max_body_size 20M; - add_header X-Content-Type-Options "nosniff"; - - proxy_buffering off; - ''; - }; + proxy_buffering off; + ''; + }; + }) + config.host.jellyfin.extraSubdomains)); environment.systemPackages = [ pkgs.jellyfin pkgs.jellyfin-web diff --git a/modules/nixos-modules/server/reverse_proxy.nix b/modules/nixos-modules/server/reverse_proxy.nix index 26b4374..a406b14 100644 --- a/modules/nixos-modules/server/reverse_proxy.nix +++ b/modules/nixos-modules/server/reverse_proxy.nix 
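Review bot: The per-subdomain attrset (target, `client_max_body_size 20M`, the nosniff header, six `proxy_set_header` lines, `proxy_buffering off`) is written out twice, once for `config.host.jellyfin.subdomain` and once inside the `builtins.map` over `extraSubdomains`, so the copies will drift the next time a header is added or changed. Binding the value once and generating the attrset for `[ config.host.jellyfin.subdomain ] ++ config.host.jellyfin.extraSubdomains` with `lib.genAttrs` removes the duplication and the `lib.mkMerge ([ … ] ++ …)` wrapper around it. The outer `lib.mkMerge [` and its first attrset begin before the hunk, and that attrset continues past it (`environment.systemPackages`).
```nix
host.reverse_proxy.subdomains = let
  jellyfinHost = {
    target = "http://localhost:${toString jellyfinPort}";
    extraConfig = ''
      client_max_body_size 20M;
      add_header X-Content-Type-Options "nosniff";

      # … unchanged: the six proxy_set_header lines …

      proxy_buffering off;
    '';
  };
in
  lib.genAttrs
    ([config.host.jellyfin.subdomain] ++ config.host.jellyfin.extraSubdomains)
    (_: jellyfinHost);
```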
@@ -24,28 +24,13 @@ in { default = true; }; subdomains = lib.mkOption { - type = lib.types.attrsOf (lib.types.submodule ({name, ...}: { + type = lib.types.attrsOf (lib.types.submodule ({...}: { options = { - subdomain = lib.mkOption { - type = lib.types.str; - description = "what is the default subdomain to be used for this application to be used for"; - default = name; - }; - extraSubdomains = lib.mkOption { - type = lib.types.listOf lib.types.str; - description = "extra domains that should be configured for this domain"; - default = []; - }; - target = lib.mkOption { type = lib.types.str; - description = "what url will all traffic to this application be forwarded to"; + description = "where should this host point to"; }; - - websockets.enable = lib.mkEnableOption "should the default config proxy websockets"; - - forwardHeaders.enable = lib.mkEnableOption "should the default config contain forward headers"; - + websockets = lib.mkEnableOption "should websockets be proxied"; extraConfig = lib.mkOption { type = lib.types.lines; default = ""; @@ -55,6 +40,7 @@ in { }; }; })); + default = {}; }; }; 
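Review bot: The `target` description shrinks from "what url will all traffic to this application be forwarded to" to "where should this host point to", which no longer says that the value is a URL or how it is consumed; since the later reverse_proxy.nix hunk passes it straight to `proxyPass`, `description = "URL that nginx proxies traffic for this subdomain to (used as proxyPass)";` tells a service author what to put there. The `subdomains` option itself still has no description even though its attribute key now doubles as the subdomain name, a convention the searx.nix and jellyfin.nix hunks rely on; `description = "per-subdomain reverse-proxy entries; each key becomes the nginx virtualHost <key>.<hostname>";` next to the new `default = {};` would record it. The submodule's `options = {` set opens in the first hunk and is closed by the `}));` context of the second.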
@@ -67,36 +53,17 @@ in { services.nginx = { enable = true; - virtualHosts = lib.mkMerge ( - lib.lists.flatten ( - lib.attrsets.mapAttrsToList ( - name: value: let - hostConfig = { - forceSSL = config.host.reverse_proxy.forceSSL; - enableACME = config.host.reverse_proxy.enableACME; - locations = { - "/" = { - proxyPass = value.target; - proxyWebsockets = value.websockets.enable; - recommendedProxySettings = value.forwardHeaders.enable; - extraConfig = - value.extraConfig; - }; - }; - }; - in ( - [ - { - ${"${value.subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig; - } - ] - ++ builtins.map (subdomain: {${"${subdomain}.${config.host.reverse_proxy.hostname}"} = hostConfig;}) - value.extraSubdomains - ) - ) - config.host.reverse_proxy.subdomains - ) - ); + virtualHosts = lib.attrsets.mapAttrs' (name: value: + lib.attrsets.nameValuePair "${name}.${config.host.reverse_proxy.hostname}" { + forceSSL = config.host.reverse_proxy.forceSSL; + enableACME = config.host.reverse_proxy.enableACME; + locations."/" = { + proxyPass = value.target; + proxyWebsockets = value.websockets; + extraConfig = value.extraConfig; + }; + }) + config.host.reverse_proxy.subdomains; }; networking.firewall.allowedTCPPorts = [ diff --git a/modules/nixos-modules/server/searx.nix b/modules/nixos-modules/server/searx.nix index c578b41..b18eb14 100644 --- a/modules/nixos-modules/server/searx.nix +++ b/modules/nixos-modules/server/searx.nix @@ -20,8 +20,7 @@ }; }; host = { - reverse_proxy.subdomains.searx = { - subdomain = config.host.searx.subdomain; + reverse_proxy.subdomains.${config.host.searx.subdomain} = { target = "http://localhost:${toString config.services.searx.settings.server.port}"; }; };
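Review bot: Dropping `recommendedProxySettings = value.forwardHeaders.enable;` leaves no shared source of forwarded headers, and the per-service replacements in this commit already disagree: home-assistant.nix forwards `X-Forwarded-Host $server_name` and no `X-Forwarded-Proto`, immich.nix sends no `X-Forwarded-Host`, and searx.nix (last hunk) sends no forwarding headers at all, so a backend that derives the client IP or the external scheme from these headers gets different, or no, information depending on which host it is behind. Setting `recommendedProxySettings = true;` in the shared `locations."/"` block (the nixpkgs recommended set covers Host, X-Real-IP and the X-Forwarded-For/-Proto/-Host family, if I recall it correctly) and keeping `extraConfig` for service-specific additions restores one consistent baseline; if a service genuinely must opt out, re-expose it as a per-subdomain option rather than omitting it. The `services.nginx = {` block is fully inside the hunk, but the enclosing config attrset continues past it (`networking.firewall.allowedTCPPorts`).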