diff --git a/modules/nixos-modules/server/actual.nix b/modules/nixos-modules/server/actual.nix index 80f4fab..7fc0b93 100644 --- a/modules/nixos-modules/server/actual.nix +++ b/modules/nixos-modules/server/actual.nix @@ -18,6 +18,11 @@ in { systemd.tmpfiles.rules = [ "d ${dataDirectory} 2770 actual actual" ]; + host = { + reverse_proxy.subdomains.${config.services.actual.subdomain} = { + target = "http://localhost:${toString config.services.actual.settings.port}"; + }; + }; services.actual = { settings = { @@ -25,13 +30,6 @@ in { }; }; } - (lib.mkIf config.host.reverse_proxy.enable { - host = { - reverse_proxy.subdomains.${config.services.actual.subdomain} = { - target = "http://localhost:${toString config.services.actual.settings.port}"; - }; - }; - }) (lib.mkIf config.services.fail2ban.enable { # TODO: configuration for fail2ban for actual }) diff --git a/modules/nixos-modules/server/forgejo.nix b/modules/nixos-modules/server/forgejo.nix index 3b19695..de06f94 100644 --- a/modules/nixos-modules/server/forgejo.nix +++ b/modules/nixos-modules/server/forgejo.nix @@ -26,6 +26,9 @@ in { } ]; host = { + reverse_proxy.subdomains.${config.services.forgejo.subdomain} = { + target = "http://localhost:${toString forgejoPort}"; + }; postgres = { enable = true; extraUsers = { @@ -73,13 +76,6 @@ in { config.services.forgejo.settings.server.SSH_LISTEN_PORT ]; } - (lib.mkIf config.host.reverse_proxy.enable { - host = { - reverse_proxy.subdomains.${config.services.forgejo.subdomain} = { - target = "http://localhost:${toString forgejoPort}"; - }; - }; - }) (lib.mkIf config.services.fail2ban.enable { environment.etc = { "fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable ( diff --git a/modules/nixos-modules/server/home-assistant.nix b/modules/nixos-modules/server/home-assistant.nix index baf6683..57bedc1 100644 --- a/modules/nixos-modules/server/home-assistant.nix +++ b/modules/nixos-modules/server/home-assistant.nix @@ -43,6 +43,24 @@ in { config = lib.mkIf config.services.home-assistant.enable (lib.mkMerge [ { + host = { + reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = { + target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; + + websockets.enable = true; + forwardHeaders.enable = true; + + extraConfig = '' + add_header Upgrade $http_upgrade; + add_header Connection \"upgrade\"; + + proxy_buffering off; + + proxy_read_timeout 90; + ''; + }; + }; + services.home-assistant = { configDir = configDir; extraComponents = [ @@ -155,25 +173,6 @@ in { ]; }; }) - (lib.mkIf config.host.reverse_proxy.enable { - host = { - reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = { - target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}"; - - websockets.enable = true; - forwardHeaders.enable = true; - - extraConfig = '' - add_header Upgrade $http_upgrade; - add_header Connection \"upgrade\"; - - proxy_buffering off; - - proxy_read_timeout 90; - ''; - }; - }; - }) (lib.mkIf config.services.fail2ban.enable { environment.etc = { "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable ( diff --git a/modules/nixos-modules/server/immich.nix b/modules/nixos-modules/server/immich.nix index fa376e4..e7088a9 100644 --- a/modules/nixos-modules/server/immich.nix +++ b/modules/nixos-modules/server/immich.nix @@ -17,6 +17,23 @@ in { config = lib.mkIf config.services.immich.enable (lib.mkMerge [ { host = { + reverse_proxy.subdomains.${config.services.immich.subdomain} = { + target = "http://localhost:${toString config.services.immich.port}"; + + websockets.enable = true; + forwardHeaders.enable = true; + + extraConfig = '' + # allow large file uploads + client_max_body_size 50000M; + + # set timeout + proxy_read_timeout 600s; + proxy_send_timeout 600s; + send_timeout 600s; + proxy_redirect off; + ''; + }; postgres = { enable = true; extraUsers = { @@ -36,27 +53,6 @@ in { ]; }; } - (lib.mkIf config.host.reverse_proxy.enable { - host = { - reverse_proxy.subdomains.${config.services.immich.subdomain} = { - target = "http://localhost:${toString config.services.immich.port}"; - - websockets.enable = true; - forwardHeaders.enable = true; - - extraConfig = '' - # allow large file uploads - client_max_body_size 50000M; - - # set timeout - proxy_read_timeout 600s; - proxy_send_timeout 600s; - send_timeout 600s; - proxy_redirect off; - ''; - }; - }; - }) (lib.mkIf config.services.fail2ban.enable { environment.etc = { "fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable ( diff --git a/modules/nixos-modules/server/jellyfin.nix b/modules/nixos-modules/server/jellyfin.nix index 85c870f..294c8e1 100644 --- a/modules/nixos-modules/server/jellyfin.nix +++ b/modules/nixos-modules/server/jellyfin.nix @@ -30,20 +30,6 @@ in { config = lib.mkIf config.services.jellyfin.enable ( lib.mkMerge [ { - environment.systemPackages = [ - pkgs.jellyfin - pkgs.jellyfin-web - pkgs.jellyfin-ffmpeg - ]; - - networking.firewall.allowedTCPPorts = [jellyfinPort dlanPort]; - - systemd.tmpfiles.rules = [ - "d ${config.services.jellyfin.media_directory} 2770 jellyfin jellyfin_media" - "A ${config.services.jellyfin.media_directory} - - - - u:jellyfin:rwX,g:jellyfin_media:rwX,o::-" - ]; - } - (lib.mkIf config.host.reverse_proxy.enable { host.reverse_proxy.subdomains.jellyfin = { target = "http://localhost:${toString jellyfinPort}"; @@ -59,7 +45,19 @@ in { proxy_buffering off; ''; }; - }) + environment.systemPackages = [ + pkgs.jellyfin + pkgs.jellyfin-web + pkgs.jellyfin-ffmpeg + ]; + + networking.firewall.allowedTCPPorts = [jellyfinPort dlanPort]; + + systemd.tmpfiles.rules = [ + "d ${config.services.jellyfin.media_directory} 2770 jellyfin jellyfin_media" + "A ${config.services.jellyfin.media_directory} - - - - u:jellyfin:rwX,g:jellyfin_media:rwX,o::-" + ]; + } (lib.mkIf config.services.fail2ban.enable { environment.etc = { "fail2ban/filter.d/jellyfin.local".text = ( diff --git a/modules/nixos-modules/server/panoramax.nix b/modules/nixos-modules/server/panoramax.nix index f7d305f..a16588a 100644 --- a/modules/nixos-modules/server/panoramax.nix +++ b/modules/nixos-modules/server/panoramax.nix @@ -33,11 +33,6 @@ in { { # TODO: configure options for the package } - ( - lib.mkIf config.services.fail2ban { - # TODO: configure options for fail2ban - } - ) ( lib.mkIf osConfig.host.impermanence.enable { # TODO: configure impermanence for panoramax data diff --git a/modules/nixos-modules/server/paperless.nix b/modules/nixos-modules/server/paperless.nix index 303d742..b97c48d 100644 --- a/modules/nixos-modules/server/paperless.nix +++ b/modules/nixos-modules/server/paperless.nix @@ -24,6 +24,17 @@ in { config = lib.mkIf config.services.paperless.enable (lib.mkMerge [ { host = { + reverse_proxy.subdomains.${config.services.paperless.subdomain} = { + target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}"; + + websockets.enable = true; + forwardHeaders.enable = true; + + extraConfig = '' + # allow large file uploads + client_max_body_size 50000M; + ''; + }; postgres = { enable = true; extraUsers = { @@ -50,21 +61,6 @@ in { }; }; } - (lib.mkIf config.host.reverse_proxy.enable { - host = { - reverse_proxy.subdomains.${config.services.paperless.subdomain} = { - target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}"; - - websockets.enable = true; - forwardHeaders.enable = true; - - extraConfig = '' - # allow large file uploads - client_max_body_size 50000M; - ''; - }; - }; - }) (lib.mkIf config.services.fail2ban.enable { environment.etc = { "fail2ban/filter.d/paperless.local".text = ( diff --git a/modules/nixos-modules/server/searx.nix b/modules/nixos-modules/server/searx.nix index 0e547af..d357308 100644 --- a/modules/nixos-modules/server/searx.nix +++ b/modules/nixos-modules/server/searx.nix @@ -12,67 +12,61 @@ }; }; - config = lib.mkIf config.services.searx.enable ( - lib.mkMerge [ - { - sops.secrets = { - "services/searx" = { - sopsFile = "${inputs.secrets}/defiant-services.yaml"; + config = lib.mkIf config.services.searx.enable { + sops.secrets = { + "services/searx" = { + sopsFile = "${inputs.secrets}/defiant-services.yaml"; + }; + }; + host = { + reverse_proxy.subdomains.searx = { + subdomain = config.services.searx.subdomain; + target = "http://localhost:${toString config.services.searx.settings.server.port}"; + }; + }; + services.searx = { + environmentFile = config.sops.secrets."services/searx".path; + + # Rate limiting + limiterSettings = { + real_ip = { + x_for = 1; + ipv4_prefix = 32; + ipv6_prefix = 56; + }; + + botdetection = { + ip_limit = { + filter_link_local = true; + link_token = true; }; }; - services.searx = { - environmentFile = config.sops.secrets."services/searx".path; + }; - # Rate limiting - limiterSettings = { - real_ip = { - x_for = 1; - ipv4_prefix = 32; - ipv6_prefix = 56; - }; - - botdetection = { - ip_limit = { - filter_link_local = true; - link_token = true; - }; - }; - }; - - settings = { - server = { - port = 8083; - secret_key = "@SEARXNG_SECRET@"; - }; - - # Search engine settings - search = { - safe_search = 2; - autocomplete_min = 2; - autocomplete = "duckduckgo"; - }; - - # Enabled plugins - enabled_plugins = [ - "Basic Calculator" - "Hash plugin" - "Tor check plugin" - "Open Access DOI rewrite" - "Hostnames plugin" - "Unit converter plugin" - "Tracker URL remover" - ]; - }; + settings = { + server = { + port = 8083; + secret_key = "@SEARXNG_SECRET@"; }; - } - (lib.mkIf config.host.reverse_proxy.enable { - host = { - reverse_proxy.subdomains.searx = { - subdomain = config.services.searx.subdomain; - target = "http://localhost:${toString config.services.searx.settings.server.port}"; - }; + + # Search engine settings + search = { + safe_search = 2; + autocomplete_min = 2; + autocomplete = "duckduckgo"; }; - }) - ] - ); + + # Enabled plugins + enabled_plugins = [ + "Basic Calculator" + "Hash plugin" + "Tor check plugin" + "Open Access DOI rewrite" + "Hostnames plugin" + "Unit converter plugin" + "Tracker URL remover" + ]; + }; + }; + }; }