

4 commits

Author SHA1 Message Date
Leyla Becker 86c585111c added packages for home assistant 2025-03-07 18:35:41 -06:00
Leyla Becker 8b39a80849 added extra config to services 2025-03-07 18:18:37 -06:00
Leyla Becker 62abf65e5a enabled ACME 2025-03-07 18:14:42 -06:00
Leyla Becker 46615cc361 added task to tech debt 2025-03-07 15:10:37 -06:00
5 changed files with 64 additions and 2 deletions


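--- a/<unknown-path-file-1>
+++ b/<unknown-path-file-1>
@@ -51,6 +51,7 @@ nix multi user, multi system, configuration with `sops` secret management, `home
 - syncthing folders should just be enabled per devices and then combined with "extraDevices" to give final folder configurations
 - syncthing folder passwords
 - move fail2ban configs out of fail2ban.nix and into configs for their respective services
+- nginx config should be reworked to give a list of subdomains and then the config information to apply to each proxy
 ## New Features
 - offline access for nfs mounts (overlay with rsync might be a good option here? https://www.spinics.net/lists/linux-unionfs/msg07105.html note about nfs4 and overlay fs)
 - Flake templates - we need to add these to some kind of local registry??? `nix flake show templates` - https://nix.dev/manual/nix/2.18/command-ref/new-cli/nix3-flake-init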


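--- a/<unknown-path-file-2>
+++ b/<unknown-path-file-2>
@@ -77,7 +77,7 @@
 };
 reverse_proxy = {
 enable = true;
-enableACME = false;
+enableACME = true;
 hostname = "jan-leila.com";
 };
 postgres = {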
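Review bot: `enableACME = true;` only flips a module-level flag here, and none of the hunks in this compare show how the reverse_proxy module turns it into nginx settings, so it is worth confirming that each generated virtual host also sets `forceSSL = true;` (or `addSSL`) next to `enableACME`; obtaining a certificate by itself does not stop the proxied services from still answering over plain HTTP. The same module-side check applies to `security.acme.acceptTerms` and a contact address, which issuance requires and which no visible hunk sets. The enclosing host attribute set starts and ends outside the hunk.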


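--- a/<unknown-path-file-3>
+++ b/<unknown-path-file-3>
@@ -18,17 +18,40 @@ in {
 {
 services.home-assistant = {
 enable = true;
+extraComponents = [
+"esphome"
+"met"
+"radio_browser"
+"isal"
+];
 config.http = {
 server_port = 8082;
 use_x_forwarded_for = true;
-trusted_proxies = ["127.0.0.1"];
+trusted_proxies = ["127.0.0.1" "::1"];
 ip_ban_enabled = true;
 login_attempts_threshold = 10;
 };
+extraPackages = python3Packages:
+with python3Packages; [
+numpy
+gtts
+];
 };
 host = {
 reverse_proxy.subdomains.${config.host.home-assistant.subdomain} = {
 target = "http://localhost:${toString config.services.home-assistant.config.http.server_port}";
+websockets = true;
+extraConfig = ''
+add_header Upgrade $http_upgrade;
+add_header Connection \"upgrade\";
+proxy_set_header Host $host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+proxy_set_header X-Forwarded-Host $server_name;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_read_timeout 90;
+'';
 };
 };
 }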
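Review bot: The two lines `add_header Upgrade $http_upgrade;` and `add_header Connection \"upgrade\";` in the new extraConfig emit Upgrade/Connection as response headers to the client, which is not what a WebSocket proxy needs and, on ordinary HTTP responses, advertises a hop-by-hop upgrade that never happens; the `proxy_set_header` lines below already do the request-side work, so drop both `add_header` lines. Since `websockets = true;` is also set and the module in the last file of this compare maps it to `proxyWebsockets`, the unconditional `proxy_set_header Connection "upgrade";` looks redundant as well and forces every request into the upgrade path rather than only those carrying an Upgrade header — consider leaving that to the module. Note too that `\"` inside a Nix `''` string is not an escape, so nginx would receive the backslashes literally if that line stayed. Adding `::1` to trusted_proxies is consistent with X-Forwarded-For now being set by the proxy; the surrounding module body starts before the hunk.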


@ -31,12 +31,42 @@ in {
{ {
${config.host.jellyfin.subdomain} = { ${config.host.jellyfin.subdomain} = {
target = "http://localhost:${toString jellyfinPort}"; target = "http://localhost:${toString jellyfinPort}";
extraConfig = ''
client_max_body_size 20M;
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
'';
}; };
} }
] ]
++ (builtins.map (subdomain: { ++ (builtins.map (subdomain: {
${subdomain} = { ${subdomain} = {
target = "http://localhost:${toString jellyfinPort}"; target = "http://localhost:${toString jellyfinPort}";
extraConfig = ''
client_max_body_size 20M;
add_header X-Content-Type-Options "nosniff";
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_buffering off;
'';
}; };
}) })
config.host.jellyfin.extraSubdomains)); config.host.jellyfin.extraSubdomains));
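Review bot: The thirteen-line extraConfig block is pasted verbatim twice, once for the main subdomain and once inside the `builtins.map` over extraSubdomains, so the CSP and Permissions-Policy will silently drift the next time only one copy is edited. Bind it once in the file's existing `let` block (the `in {` in the hunk header shows one above the hunk), e.g. `jellyfinProxyConfig = ''…'';`, and use `extraConfig = jellyfinProxyConfig;` in both places. While doing that, note that `add_header Content-Security-Policy …;` lacks the `always` flag that the Permissions-Policy line has, so the CSP is omitted on non-2xx/3xx responses; adding `always` to it keeps the two headers consistent. Both enclosing attribute sets begin above the hunk.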


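--- a/<unknown-path-file-5>
+++ b/<unknown-path-file-5>
@@ -31,6 +31,13 @@ in {
 description = "where should this host point to";
 };
 websockets = lib.mkEnableOption "should websockets be proxied";
+extraConfig = lib.mkOption {
+type = lib.types.lines;
+default = "";
+description = ''
+These lines go to the end of the upstream verbatim.
+'';
+};
 };
 }));
 default = {};
@@ -53,6 +60,7 @@ in {
 locations."/" = {
 proxyPass = value.target;
 proxyWebsockets = value.websockets;
+extraConfig = value.extraConfig;
 };
 })
 config.host.reverse_proxy.subdomains;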
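Review bot: The new option's description, `These lines go to the end of the upstream verbatim.`, does not match where the value lands: the second hunk splices it into `locations."/".extraConfig` of the subdomain's nginx virtual host, not into an `upstream` block. Suggest `description = "Extra nginx directives appended verbatim to the location \"/\" block of this subdomain's virtual host.";`, and a sentence noting that the text is inserted unescaped so it is expected to come from module code rather than runtime input, which is how the callers in this compare use it. Both hunks sit inside option and config attribute sets that start above them.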