jan-leila/nix-config
1
0
Fork 1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jan-leila:52801b4bb7a71f02115c6f3b05899ed3daf150ab
Branches Tags
jan-leila:main
..
compare: jan-leila:88dcba346f6413963277fdb0f216a4f64811ac08
Branches Tags
jan-leila:main

No commits in common. "52801b4bb7a71f02115c6f3b05899ed3daf150ab" and "88dcba346f6413963277fdb0f216a4f64811ac08" have entirely different histories.
52801b4bb7 ... 88dcba346f

8 changed files with 119 additions and 147 deletions
Download patch file Download diff file Expand all files Collapse all files

12
modules/nixos-modules/server/actual.nix
View file

@ -18,6 +18,11 @@ in {
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${dataDirectory} 2770 actual actual" "d ${dataDirectory} 2770 actual actual"
]; ];
host = {
reverse_proxy.subdomains.${config.services.actual.subdomain} = {
target = "http://localhost:${toString config.services.actual.settings.port}";
};
};
services.actual = { services.actual = {
settings = { settings = {
@ -25,13 +30,6 @@ in {
}; };
}; };
} }
(lib.mkIf config.host.reverse_proxy.enable {
host = {
reverse_proxy.subdomains.${config.services.actual.subdomain} = {
target = "http://localhost:${toString config.services.actual.settings.port}";
};
};
})
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
# TODO: configuration for fail2ban for actual # TODO: configuration for fail2ban for actual
}) })

10
modules/nixos-modules/server/forgejo.nix
View file

@ -26,6 +26,9 @@ in {
} }
]; ];
host = { host = {
reverse_proxy.subdomains.${config.services.forgejo.subdomain} = {
target = "http://localhost:${toString forgejoPort}";
};
postgres = { postgres = {
enable = true; enable = true;
extraUsers = { extraUsers = {
@ -73,13 +76,6 @@ in {
config.services.forgejo.settings.server.SSH_LISTEN_PORT config.services.forgejo.settings.server.SSH_LISTEN_PORT
]; ];
} }
(lib.mkIf config.host.reverse_proxy.enable {
host = {
reverse_proxy.subdomains.${config.services.forgejo.subdomain} = {
target = "http://localhost:${toString forgejoPort}";
};
};
})
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable ( "fail2ban/filter.d/forgejo.local".text = lib.mkIf config.services.forgejo.enable (

37
modules/nixos-modules/server/home-assistant.nix
View file

@ -43,6 +43,24 @@ in {
config = lib.mkIf config.services.home-assistant.enable (lib.mkMerge [ config = lib.mkIf config.services.home-assistant.enable (lib.mkMerge [
{ {
host = {
reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = {
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
add_header Upgrade $http_upgrade;
add_header Connection \"upgrade\";
proxy_buffering off;
proxy_read_timeout 90;
'';
};
};
services.home-assistant = { services.home-assistant = {
configDir = configDir; configDir = configDir;
extraComponents = [ extraComponents = [
@ -155,25 +173,6 @@ in {
]; ];
}; };
}) })
(lib.mkIf config.host.reverse_proxy.enable {
host = {
reverse_proxy.subdomains.${config.services.home-assistant.subdomain} = {
target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
add_header Upgrade $http_upgrade;
add_header Connection \"upgrade\";
proxy_buffering off;
proxy_read_timeout 90;
'';
};
};
})
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable ( "fail2ban/filter.d/hass.local".text = lib.mkIf config.services.home-assistant.enable (

38
modules/nixos-modules/server/immich.nix
View file

@ -17,6 +17,23 @@ in {
config = lib.mkIf config.services.immich.enable (lib.mkMerge [ config = lib.mkIf config.services.immich.enable (lib.mkMerge [
{ {
host = { host = {
reverse_proxy.subdomains.${config.services.immich.subdomain} = {
target = "http://localhost:${toString config.services.immich.port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
# allow large file uploads
client_max_body_size 50000M;
# set timeout
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
proxy_redirect off;
'';
};
postgres = { postgres = {
enable = true; enable = true;
extraUsers = { extraUsers = {
@ -36,27 +53,6 @@ in {
]; ];
}; };
} }
(lib.mkIf config.host.reverse_proxy.enable {
host = {
reverse_proxy.subdomains.${config.services.immich.subdomain} = {
target = "http://localhost:${toString config.services.immich.port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
# allow large file uploads
client_max_body_size 50000M;
# set timeout
proxy_read_timeout 600s;
proxy_send_timeout 600s;
send_timeout 600s;
proxy_redirect off;
'';
};
};
})
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable ( "fail2ban/filter.d/immich.local".text = lib.mkIf config.services.immich.enable (

28
modules/nixos-modules/server/jellyfin.nix
View file

@ -30,20 +30,6 @@ in {
config = lib.mkIf config.services.jellyfin.enable ( config = lib.mkIf config.services.jellyfin.enable (
lib.mkMerge [ lib.mkMerge [
{ {
environment.systemPackages = [
pkgs.jellyfin
pkgs.jellyfin-web
pkgs.jellyfin-ffmpeg
];
networking.firewall.allowedTCPPorts = [jellyfinPort dlanPort];
systemd.tmpfiles.rules = [
"d ${config.services.jellyfin.media_directory} 2770 jellyfin jellyfin_media"
"A ${config.services.jellyfin.media_directory} - - - - u:jellyfin:rwX,g:jellyfin_media:rwX,o::-"
];
}
(lib.mkIf config.host.reverse_proxy.enable {
host.reverse_proxy.subdomains.jellyfin = { host.reverse_proxy.subdomains.jellyfin = {
target = "http://localhost:${toString jellyfinPort}"; target = "http://localhost:${toString jellyfinPort}";
@ -59,7 +45,19 @@ in {
proxy_buffering off; proxy_buffering off;
''; '';
}; };
}) environment.systemPackages = [
pkgs.jellyfin
pkgs.jellyfin-web
pkgs.jellyfin-ffmpeg
];
networking.firewall.allowedTCPPorts = [jellyfinPort dlanPort];
systemd.tmpfiles.rules = [
"d ${config.services.jellyfin.media_directory} 2770 jellyfin jellyfin_media"
"A ${config.services.jellyfin.media_directory} - - - - u:jellyfin:rwX,g:jellyfin_media:rwX,o::-"
];
}
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/jellyfin.local".text = ( "fail2ban/filter.d/jellyfin.local".text = (

5
modules/nixos-modules/server/panoramax.nix
View file

@ -33,11 +33,6 @@ in {
{ {
# TODO: configure options for the package # TODO: configure options for the package
} }
(
lib.mkIf config.services.fail2ban {
# TODO: configure options for fail2ban
}
)
( (
lib.mkIf osConfig.host.impermanence.enable { lib.mkIf osConfig.host.impermanence.enable {
# TODO: configure impermanence for panoramax data # TODO: configure impermanence for panoramax data

26
modules/nixos-modules/server/paperless.nix
View file

@ -24,6 +24,17 @@ in {
config = lib.mkIf config.services.paperless.enable (lib.mkMerge [ config = lib.mkIf config.services.paperless.enable (lib.mkMerge [
{ {
host = { host = {
reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
# allow large file uploads
client_max_body_size 50000M;
'';
};
postgres = { postgres = {
enable = true; enable = true;
extraUsers = { extraUsers = {
@ -50,21 +61,6 @@ in {
}; };
}; };
} }
(lib.mkIf config.host.reverse_proxy.enable {
host = {
reverse_proxy.subdomains.${config.services.paperless.subdomain} = {
target = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
websockets.enable = true;
forwardHeaders.enable = true;
extraConfig = ''
# allow large file uploads
client_max_body_size 50000M;
'';
};
};
})
(lib.mkIf config.services.fail2ban.enable { (lib.mkIf config.services.fail2ban.enable {
environment.etc = { environment.etc = {
"fail2ban/filter.d/paperless.local".text = ( "fail2ban/filter.d/paperless.local".text = (

110
modules/nixos-modules/server/searx.nix
View file

@ -12,67 +12,61 @@
}; };
}; };
config = lib.mkIf config.services.searx.enable ( config = lib.mkIf config.services.searx.enable {
lib.mkMerge [ sops.secrets = {
{ "services/searx" = {
sops.secrets = { sopsFile = "${inputs.secrets}/defiant-services.yaml";
"services/searx" = { };
sopsFile = "${inputs.secrets}/defiant-services.yaml"; };
host = {
reverse_proxy.subdomains.searx = {
subdomain = config.services.searx.subdomain;
target = "http://localhost:${toString config.services.searx.settings.server.port}";
};
};
services.searx = {
environmentFile = config.sops.secrets."services/searx".path;
# Rate limiting
limiterSettings = {
real_ip = {
x_for = 1;
ipv4_prefix = 32;
ipv6_prefix = 56;
};
botdetection = {
ip_limit = {
filter_link_local = true;
link_token = true;
}; };
}; };
services.searx = { };
environmentFile = config.sops.secrets."services/searx".path;
# Rate limiting settings = {
limiterSettings = { server = {
real_ip = { port = 8083;
x_for = 1; secret_key = "@SEARXNG_SECRET@";
ipv4_prefix = 32;
ipv6_prefix = 56;
};
botdetection = {
ip_limit = {
filter_link_local = true;
link_token = true;
};
};
};
settings = {
server = {
port = 8083;
secret_key = "@SEARXNG_SECRET@";
};
# Search engine settings
search = {
safe_search = 2;
autocomplete_min = 2;
autocomplete = "duckduckgo";
};
# Enabled plugins
enabled_plugins = [
"Basic Calculator"
"Hash plugin"
"Tor check plugin"
"Open Access DOI rewrite"
"Hostnames plugin"
"Unit converter plugin"
"Tracker URL remover"
];
};
}; };
}
(lib.mkIf config.host.reverse_proxy.enable { # Search engine settings
host = { search = {
reverse_proxy.subdomains.searx = { safe_search = 2;
subdomain = config.services.searx.subdomain; autocomplete_min = 2;
target = "http://localhost:${toString config.services.searx.settings.server.port}"; autocomplete = "duckduckgo";
};
}; };
})
] # Enabled plugins
); enabled_plugins = [
"Basic Calculator"
"Hash plugin"
"Tor check plugin"
"Open Access DOI rewrite"
"Hostnames plugin"
"Unit converter plugin"
"Tracker URL remover"
];
};
};
};
} }