jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

servers working perfectly, many adjustments

Browse Source
This commit is contained in:
Danilo Reyes 2023-08-30 11:47:23 -06:00
parent 88ae340840
commit 49dda93335
2 changed files with 113 additions and 189 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

145
configuration.org
View File

@ -266,6 +266,8 @@ users.users.nextcloud = {
extraGroups = [ "nextcloud" ];
packages = (with pkgs; [
nodejs_14
perl
exiftool
### Currently incompatible with newer versions, and compiling
### an older version takes 7 hours.
# cudatoolkit
@ -908,65 +910,44 @@ programs = {
};
services = {
jellyfin = {
enable = true;
openFirewall = true;
};
jellyfin.enable = true;
# vaultwarden.enable = true;
nextcloud = {
enable = true;
# package = pkgs.nextcloud27;
maxUploadSize = "50G";
enableImagemagick = true;
appstoreEnable = true;
extraAppsEnable = true;
hostName = "cloud.servidos.lat";
https = true;
caching = {
redis = true;
};
enable = true;
package = pkgs.nextcloud26;
appstoreEnable = true;
configureRedis = true;
maxUploadSize = "512M";
extraAppsEnable = true;
enableImagemagick = true;
hostName = "cloud.servidos.lat";
config = {
adminpassFile = "${pkgs.writeText "adminpass" "Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}";
overwriteProtocol = "https";
trustedProxies = [ "nginx" ];
extraTrustedDomains = [ "localhost:80" "cloud.danilo-reyes.com" "cloud.servidos.lat" ];
defaultPhoneRegion = "MX";
dbtype = "pgsql";
dbuser = "nextcloud";
dbpassFile = "${pkgs.writeText "dbpass" "sopacerias"}";
dbtableprefix = "oc_";
dbname = "nextcloud";
trustedProxies = [ "nginx" ];
extraTrustedDomains = [ "danilo-reyes.com" ];
};
extraOptions = {
redis = {
host = "localhost";
port = 6379;
};
memcache = {
local = "\\OC\\Memcache\\Redis";
distributed = "\\OC\\Memcache\\Redis";
locking = "\\OC\\Memcache\\Redis";
};
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
"installed" = true;
};
phpOptions = {
display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
expose_php = "Off";
"opcache.enable_cli" = "1";
"opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "10";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
catch_workers_output = "yes";
short_open_tag = "Off";
# defaults end here
upload_max_filesize = "50G";
post_max_size = "50G";
memory_limit = "2G";
"memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool";
enabledPreviewProviders = [
"OC\\Preview\\Image"
"OC\\Preview\\HEIC"
"OC\\Preview\\TIFF"
"OC\\Preview\\MKV"
"OC\\Preview\\MP4"
"OC\\Preview\\AVI"
"OC\\Preview\\Movie"
];
opcache.jit = 1255;
opcache.jit_buffer_size = "128M";
};
phpExtraExtensions = all: [ all.pdlib all.bz2 ];
};
@ -1063,35 +1044,54 @@ systemd.services = {
# ExecStop = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down";
# };
# };
"nextcloud_scrapsync" = {
description = "Sync scrapped files with nextcloud";
wantedBy = [ "default.target" ];
path = [
pkgs.bash
jawz_nextcloud_scrapsync
];
serviceConfig = {
RestartSec = 30;
ExecStart = "${jawz_nextcloud_scrapsync}/bin/nextcloud_scrapsync";
};
};
# "nextcloud_scrapsync" = {
# description = "Sync scrapped files with nextcloud";
# wantedBy = [ "default.target" ];
# path = [
# pkgs.bash
# jawz_nextcloud_scrapsync
# ];
# serviceConfig = {
# RestartSec = 30;
# ExecStart = "${jawz_nextcloud_scrapsync}/bin/nextcloud_scrapsync";
# };
# };
# "nextcloud_previews" = {
# description = "Generate previews";
# wantedBy = [ "default.target" ];
# path = [
# pkgs.nextcloud26
# ];
# serviceConfig = {
# RestartSec = 30;
# ExecStart = "${pkgs.nextcloud26}/occ preview:pre-generate";
# };
# };
};
systemd.timers = {
"nextcloud_scrapsync" = {
enable = true;
description = "Sync scrapped files with nextcloud";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar= [
"*-*-* 01:32:00"
"*-*-* 08:32:00"
"*-*-* 14:32:00"
"*-*-* 20:32:00"
];
RandomizedDelaySec = 30;
Persistent = true;
};
};
# "nextcloud_scrapsync" = {
# enable = true;
# description = "Sync scrapped files with nextcloud";
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnCalendar= [
# "*-*-* 01:32:00"
# "*-*-* 08:32:00"
# "*-*-* 14:32:00"
# "*-*-* 20:32:00"
# ];
# RandomizedDelaySec = 30;
# Persistent = true;
# };
# };
# "nextcloud_previews" = {
# enable = true;
# description = "Generate previews";
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnCalendar = "*:0/10";
# };
# };
};
systemd.user.services = {
"HentaiAtHome" = {
@ -1168,7 +1168,6 @@ networking = {
6969 # HentaiAtHome
25152 # ssh
49494 # gerbera
8086 8920 # jellyfin
];
open_firewall_port_ranges = [
{ from = 1714; to = 1764; } # kdeconnect

157
nginx.nix
View File

@ -5,20 +5,29 @@
let
localhost = "127.0.0.1";
jellyfinPort = 8086;
jellyfinPort = "8096";
newflixPort = 8897;
shioriPort = 9001;
flamePort = 5005;
secretFlamePort = 5007;
lidarrPort = 8686;
bazarrPort = 6767;
sonarrPort = 8989;
radarrPort = 7878;
prowlarrPort = 9696;
vaultPort = 9666;
searxPort = 8080;
kavitaPort = 5000;
nextcloudPort = 80;
# unstable_tarball =
# builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master";
# unstable = import unstable_tarball { config = config.nixpkgs.config; };
in {
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
# recommendedProxySettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
commonHttpConfig = ''
appendHttpConfig = ''
### GLOBAL
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
@ -34,7 +43,7 @@ in {
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
add_header X-Frame-Options DENY;
# add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
@ -45,9 +54,9 @@ in {
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
### NEXTCLOUD
# NEXTCLOUD
# upstream php-handler {
# server 127.0.0.1:9000;
# server ${localhost}:9000;
# #server unix:/var/run/php/php7.4-fpm.sock;
# }
@ -56,7 +65,7 @@ in {
# "" "";
# default "immutable";
# }
### JELLYFIN
# JELLYFIN
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
@ -70,8 +79,22 @@ in {
http2 = true;
};
proxy = port:
base { "/".proxyPass = "http://127.0.0.1:" + toString (port) + "/"; };
base {
"/".proxyPass = "http://${localhost}:" + toString (port) + "/";
};
in {
"newflix.servidos.lat" = proxy newflixPort // { };
"library.servidos.lat" = proxy kavitaPort // { };
"bookmarks.servidos.lat" = proxy shioriPort // { };
"start.servidos.lat" = proxy flamePort // { };
"qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };
"music.servidos.lat" = proxy lidarrPort // { };
"subs.servidos.lat" = proxy bazarrPort // { };
"series.servidos.lat" = proxy sonarrPort // { };
"movies.servidos.lat" = proxy radarrPort // { };
"indexer.servidos.lat" = proxy prowlarrPort // { };
"vault.servidos.lat" = proxy vaultPort // { };
"searx.servidos.lat" = proxy searxPort // { };
"flix.servidos.lat" = {
forceSSL = true;
enableACME = true;
@ -80,9 +103,7 @@ in {
# use a variable to store the upstream proxy
# in this example we are using a hostname which is resolved via DNS
# (if you aren't using DNS remove the resolver line and change the variable to point to an IP address
# e.g `set $jellyfin 127.0.0.1`)
set $jellyfin 127.0.0.1;
resolver 127.0.0.1 valid=30;
resolver ${localhost} valid=30;
location = / {
return 302 http://$host/web/;
@ -90,7 +111,7 @@ in {
}
location = /web/ {
# Proxy main Jellyfin traffic
proxy_pass http://$jellyfin:8096/web/index.html;
proxy_pass http://${localhost}:${jellyfinPort}/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -101,11 +122,11 @@ in {
'';
locations = {
"/" = {
proxyPass = "http://$jellyfin:8096";
proxyPass = "http://${localhost}:${jellyfinPort}";
proxyWebsockets = true;
};
"/socket" = {
proxyPass = "http://$jellyfin:8096";
proxyPass = "http://${localhost}:${jellyfinPort}";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
@ -113,7 +134,7 @@ in {
'';
};
"~ /Items/(.*)/Images" = {
proxyPass = "http://$jellyfin:8096";
proxyPass = "http://${localhost}:${jellyfinPort}";
extraConfig = ''
proxy_cache jellyfin;
proxy_cache_revalidate on;
@ -121,7 +142,7 @@ in {
'';
};
"~* ^/Videos/(.*)/(?!live)" = {
proxyPass = "http://$jellyfin:8096";
proxyPass = "http://${localhost}:${jellyfinPort}";
extraConfig = ''
# Set size of a slice (this amount will be always requested from the backend by nginx)
# Higher value means more latency, lower more overhead
@ -151,107 +172,11 @@ in {
};
};
};
"library.servidos.lat" = proxy 5000 // { };
${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
http2 = true;
# extraConfig = ''
# server_tokens off;
# # set max upload size and increase upload timeout:
# client_body_timeout 300s;
# # fastcgi_buffers 64 4K;
# # The settings allows you to optimize the HTTP2 bandwitdth.
# # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
# # for tunning hints
# client_body_buffer_size 512k;
# # HTTP response headers borrowed from Nextcloud `.htaccess`
# add_header Referrer-Policy "no-referrer" always;
# add_header X-Download-Options "noopen" always;
# add_header X-Permitted-Cross-Domain-Policies "none" always;
# add_header X-Robots-Tag "noindex, nofollow" always;
# # Remove X-Powered-By, which is an information leak
# fastcgi_hide_header X-Powered-By;
# # Specify how to handle directories -- specifying `/index.php$request_uri`
# # here as the fallback means that Nginx always exhibits the desired behaviour
# # when a client requests a path that corresponds to a directory that exists
# # on the server. In particular, if that directory contains an index.php file,
# # that file is correctly served; if it doesn't, then the request is passed to
# # the front-end controller. This consistent behaviour means that we don't need
# # to specify custom rules for certain paths (e.g. images and other assets,
# # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# # `try_files $uri $uri/ /index.php$request_uri`
# # always provides the desired behaviour.
# index index.php index.html /index.php$request_uri;
# '';
# locations = {
# "/".extraConfig = ''
# try_files $uri $uri/ /index.php$request_uri;
# '';
# "= /".extraConfig = ''
# # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
# if ( $http_user_agent ~ ^DavClnt ) {
# return 302 /remote.php/webdav/$is_args$args;
# }
# '';
# "^~ /.well-known".extraConfig = ''
# # The rules in this block are an adaptation of the rules
# # in `.htaccess` that concern `/.well-known`.
# location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
# location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# # Let Nextcloud's API for `/.well-known` URIs handle all other
# # requests by passing them to the front-end controller.
# return 301 /index.php$request_uri;
# '';
# "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig =
# "return 404;";
# "~ ^/(?:.|autotest|occ|issue|indie|db_|console)".extraConfig =
# "return 404;";
# "~ .php(?:$|/)".extraConfig = ''
# # Required for legacy support
# rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
# fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# set $path_info $fastcgi_path_info;
# try_files $fastcgi_script_name =404;
# # include fastcgi_params;
# include "${pkgs.nginx}/conf/fastcgi_params";
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# fastcgi_param PATH_INFO $path_info;
# fastcgi_param HTTPS on;
# fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
# fastcgi_param front_controller_active true; # Enable pretty urls
# fastcgi_intercept_errors on;
# fastcgi_request_buffering off;
# fastcgi_max_temp_file_size 0;
# '';
# "~ .(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$" = {
# extraConfig = ''
# try_files $uri /index.php$request_uri;
# access_log off; # Optional: Don't log access to assets
# location ~ \.wasm$ {
# default_type application/wasm;
# }
# '';
# };
# "~ .woff2?$".extraConfig = ''
# try_files $uri /index.php$request_uri;
# expires 7d; # Cache-Control policy borrowed from `.htaccess`
# access_log off; # Optional: Don't log access to assets '';
# "/remote".extraConfig = "return 301 /remote.php$request_uri;";
# };
serverAliases = [ "danilo-reyes.com" "cloud.servidos.lat" ];
};
};
};