From 49dda933358029a30f6a4361bc92e8a1422514dd Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Wed, 30 Aug 2023 11:47:23 -0600
Subject: [PATCH] servers working perfectly, many adjustments
---
configuration.org | 145 +++++++++++++++++++++---------------------
nginx.nix | 157 ++++++++++++----------------------------
2 files changed, 113 insertions(+), 189 deletions(-)
diff --git a/configuration.org b/configuration.org
index dddc096..3543c5c 100755
--- a/configuration.org
+++ b/configuration.org
@@ -266,6 +266,8 @@ users.users.nextcloud = { extraGroups = [ "nextcloud" ]; packages = (with pkgs; [ nodejs_14 + perl + exiftool ### Currently incompatible with newer versions, and compiling ### an older version takes 7 hours. # cudatoolkit 
@@ -908,65 +910,44 @@ programs = { }; services = { - jellyfin = { - enable = true; - openFirewall = true; - }; + jellyfin.enable = true; + # vaultwarden.enable = true; nextcloud = { - enable = true; - # package = pkgs.nextcloud27; - maxUploadSize = "50G"; - enableImagemagick = true; - appstoreEnable = true; - extraAppsEnable = true; - hostName = "cloud.servidos.lat"; https = true; - caching = { - redis = true; - }; + enable = true; + package = pkgs.nextcloud26; + appstoreEnable = true; + configureRedis = true; + maxUploadSize = "512M"; + extraAppsEnable = true; + enableImagemagick = true; + hostName = "cloud.servidos.lat"; config = { adminpassFile = "${pkgs.writeText "adminpass" "Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}"; overwriteProtocol = "https"; - trustedProxies = [ "nginx" ]; - extraTrustedDomains = [ "localhost:80" "cloud.danilo-reyes.com" "cloud.servidos.lat" ]; defaultPhoneRegion = "MX"; dbtype = "pgsql"; dbuser = "nextcloud"; dbpassFile = "${pkgs.writeText "dbpass" "sopacerias"}"; dbtableprefix = "oc_"; dbname = "nextcloud"; + trustedProxies = [ "nginx" ]; + extraTrustedDomains = [ "danilo-reyes.com" ]; }; extraOptions = { - redis = { - host = "localhost"; - port = 6379; - }; - memcache = { - local = "\\OC\\Memcache\\Redis"; - distributed = "\\OC\\Memcache\\Redis"; - locking = "\\OC\\Memcache\\Redis"; - }; - mail_smtpmode = "sendmail"; - mail_sendmailmode = "pipe"; "installed" = true; - }; - phpOptions = { - display_errors = "stderr"; - error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; - expose_php = "Off"; - "opcache.enable_cli" = "1"; - "opcache.fast_shutdown" = "1"; - "opcache.interned_strings_buffer" = "10"; - "opcache.max_accelerated_files" = "10000"; - "opcache.memory_consumption" = "128"; - "opcache.revalidate_freq" = "1"; - "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; - catch_workers_output = "yes"; - short_open_tag = "Off"; - # defaults end here - upload_max_filesize = "50G"; - post_max_size = "50G"; - 
memory_limit = "2G"; + "memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool"; + enabledPreviewProviders = [ + "OC\\Preview\\Image" + "OC\\Preview\\HEIC" + "OC\\Preview\\TIFF" + "OC\\Preview\\MKV" + "OC\\Preview\\MP4" + "OC\\Preview\\AVI" + "OC\\Preview\\Movie" + ]; + opcache.jit = 1255; + opcache.jit_buffer_size = "128M"; }; phpExtraExtensions = all: [ all.pdlib all.bz2 ]; }; 
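Review bot: The new `opcache.jit = 1255;` and `opcache.jit_buffer_size = "128M";` lines sit inside `extraOptions`, where Nix attribute-path syntax turns them into a nested `opcache = { jit = …; }` entry of Nextcloud's config.php rather than a PHP ini setting, so they appear never to reach PHP; the removed `phpOptions` block shows the working form, and they should move there as quoted keys: `phpOptions = { "opcache.jit" = "1255"; "opcache.jit_buffer_size" = "128M"; };`. `trustedProxies = [ "nginx" ]` is carried over rather than new, but Nextcloud's `trusted_proxies` takes IP addresses or CIDR ranges, so with the proxy on the same host `[ "127.0.0.1" "::1" ]` is probably what is meant — worth confirming. Not introduced here either, but `adminpassFile` and `dbpassFile` are built with `pkgs.writeText`, which places both passwords in the world-readable Nix store; a file outside the store with restrictive permissions keeps them out of it. The enclosing `services` attrset continues past the hunk.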
@@ -1063,35 +1044,54 @@ systemd.services = { # ExecStop = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down"; # }; # }; - "nextcloud_scrapsync" = { - description = "Sync scrapped files with nextcloud"; - wantedBy = [ "default.target" ]; - path = [ - pkgs.bash - jawz_nextcloud_scrapsync - ]; - serviceConfig = { - RestartSec = 30; - ExecStart = "${jawz_nextcloud_scrapsync}/bin/nextcloud_scrapsync"; - }; - }; + # "nextcloud_scrapsync" = { + # description = "Sync scrapped files with nextcloud"; + # wantedBy = [ "default.target" ]; + # path = [ + # pkgs.bash + # jawz_nextcloud_scrapsync + # ]; + # serviceConfig = { + # RestartSec = 30; + # ExecStart = "${jawz_nextcloud_scrapsync}/bin/nextcloud_scrapsync"; + # }; + # }; + # "nextcloud_previews" = { + # description = "Generate previews"; + # wantedBy = [ "default.target" ]; + # path = [ + # pkgs.nextcloud26 + # ]; + # serviceConfig = { + # RestartSec = 30; + # ExecStart = "${pkgs.nextcloud26}/occ preview:pre-generate"; + # }; + # }; }; systemd.timers = { - "nextcloud_scrapsync" = { - enable = true; - description = "Sync scrapped files with nextcloud"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar= [ - "*-*-* 01:32:00" - "*-*-* 08:32:00" - "*-*-* 14:32:00" - "*-*-* 20:32:00" - ]; - RandomizedDelaySec = 30; - Persistent = true; - }; - }; + # "nextcloud_scrapsync" = { + # enable = true; + # description = "Sync scrapped files with nextcloud"; + # wantedBy = [ "timers.target" ]; + # timerConfig = { + # OnCalendar= [ + # "*-*-* 01:32:00" + # "*-*-* 08:32:00" + # "*-*-* 14:32:00" + # "*-*-* 20:32:00" + # ]; + # RandomizedDelaySec = 30; + # Persistent = true; + # }; + # }; + # "nextcloud_previews" = { + # enable = true; + # description = "Generate previews"; + # wantedBy = [ "timers.target" ]; + # timerConfig = { + # OnCalendar = "*:0/10"; + # }; + # }; }; systemd.user.services = { "HentaiAtHome" = { 
@@ -1168,7 +1168,6 @@ networking = { 6969 # HentaiAtHome 25152 # ssh 49494 # gerbera - 8086 8920 # jellyfin ]; open_firewall_port_ranges = [ { from = 1714; to = 1764; } # kdeconnect
diff --git a/nginx.nix b/nginx.nix
index 3ad18c8..3c33922 100755
--- a/nginx.nix
+++ b/nginx.nix
@@ -5,20 +5,29 @@ let localhost = "127.0.0.1"; - jellyfinPort = 8086; + jellyfinPort = "8096"; + newflixPort = 8897; + shioriPort = 9001; + flamePort = 5005; + secretFlamePort = 5007; + lidarrPort = 8686; + bazarrPort = 6767; + sonarrPort = 8989; + radarrPort = 7878; + prowlarrPort = 9696; + vaultPort = 9666; + searxPort = 8080; + kavitaPort = 5000; nextcloudPort = 80; - # unstable_tarball = - # builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master"; - # unstable = import unstable_tarball { config = config.nixpkgs.config; }; in { services.nginx = { enable = true; recommendedTlsSettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; - recommendedProxySettings = true; + # recommendedProxySettings = true; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; - commonHttpConfig = '' + appendHttpConfig = '' ### GLOBAL # Add HSTS header with preloading to HTTPS requests. # Adding this header to HTTP requests is discouraged
@@ -34,7 +43,7 @@ in { add_header 'Referrer-Policy' 'origin-when-cross-origin'; # Disable embedding as a frame - add_header X-Frame-Options DENY; + # add_header X-Frame-Options DENY; # Prevent injection of code in other mime types (XSS Attacks) add_header X-Content-Type-Options nosniff;
@@ -45,9 +54,9 @@ in { # This might create errors proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ### NEXTCLOUD + # NEXTCLOUD # upstream php-handler { - # server 127.0.0.1:9000; + # server ${localhost}:9000; # #server unix:/var/run/php/php7.4-fpm.sock; # } 
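Review bot: Commenting out `recommendedProxySettings` in the `services.nginx` block removes the `proxy_set_header` lines (Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto) that NixOS emits for every location that only sets `proxyPass`, which is exactly how the `proxy` helper later in this patch builds the new vhosts; those backends will then see 127.0.0.1 as every client and may build `http://` redirects. Unless the headers are added back by hand in the `proxy` helper, `recommendedProxySettings = true;` should stay, or the reason for disabling it should be recorded in the comment. `jellyfinPort = "8096";` being a string while every other port is an integer looks intentional, since it is interpolated into nginx `extraConfig` later in the patch, but deserves a note: `jellyfinPort = "8096"; # string: interpolated into extraConfig, not passed through toString`. The `services.nginx` attrset continues past the hunk.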
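Review bot: Disabling `add_header X-Frame-Options DENY;` in `appendHttpConfig` drops the only clickjacking protection the proxied services get, because the `proxy`-built vhosts add no headers of their own (Nextcloud's own headers aside). If one app needs to frame itself, `add_header X-Frame-Options SAMEORIGIN;` keeps cross-site framing blocked, and a per-vhost `extraConfig` override is the place to relax it for a single host rather than the whole http block. Keep in mind nginx's inheritance rule as well: any `add_header` inside a server or location block discards the inherited http-level headers, so the remaining global headers here silently vanish wherever a vhost adds one.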
@@ -56,7 +65,7 @@ in { # "" ""; # default "immutable"; # } - ### JELLYFIN + # JELLYFIN proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m; proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off; map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
@@ -70,8 +79,22 @@ in { http2 = true; }; proxy = port: - base { "/".proxyPass = "http://127.0.0.1:" + toString (port) + "/"; }; + base { + "/".proxyPass = "http://${localhost}:" + toString (port) + "/"; + }; in { + "newflix.servidos.lat" = proxy newflixPort // { }; + "library.servidos.lat" = proxy kavitaPort // { }; + "bookmarks.servidos.lat" = proxy shioriPort // { }; + "start.servidos.lat" = proxy flamePort // { }; + "qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { }; + "music.servidos.lat" = proxy lidarrPort // { }; + "subs.servidos.lat" = proxy bazarrPort // { }; + "series.servidos.lat" = proxy sonarrPort // { }; + "movies.servidos.lat" = proxy radarrPort // { }; + "indexer.servidos.lat" = proxy prowlarrPort // { }; + "vault.servidos.lat" = proxy vaultPort // { }; + "searx.servidos.lat" = proxy searxPort // { }; "flix.servidos.lat" = { forceSSL = true; enableACME = true;
@@ -80,9 +103,7 @@ in { # use a variable to store the upstream proxy # in this example we are using a hostname which is resolved via DNS # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address - # e.g `set $jellyfin 127.0.0.1`) - set $jellyfin 127.0.0.1; - resolver 127.0.0.1 valid=30; + resolver ${localhost} valid=30; location = / { return 302 http://$host/web/; 
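Review bot: `"qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };` relies on an unguessable hostname as its only access control, but if `base` enables ACME the way the `flix.servidos.lat` vhost below does, issuing the certificate publishes that hostname to the public Certificate Transparency logs, so the name does not stay private. Put real authentication on it, e.g. `"qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { basicAuthFile = "<path-to-htpasswd-outside-the-store>"; };`, or restrict it to local addresses in its `extraConfig`. The trailing `// { }` on every new entry is a no-op merge and can be dropped (`"newflix.servidos.lat" = proxy newflixPort;`). The surrounding `virtualHosts` let-expression continues past the hunk.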
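Review bot: The three comment lines kept above `resolver ${localhost} valid=30;` still describe storing the upstream in a variable resolved via DNS, but the `set $jellyfin` line is gone and `proxy_pass` now uses a literal loopback address, so `resolver` has nothing left to resolve and the comment now misleads. Either drop the `resolver` line together with the comment, or replace the comment with `# upstream is a fixed loopback address; no variable or resolver needed`. The `flix.servidos.lat` vhost continues past the hunk.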
@@ -90,7 +111,7 @@ in { } location = /web/ { # Proxy main Jellyfin traffic - proxy_pass http://$jellyfin:8096/web/index.html; + proxy_pass http://${localhost}:${jellyfinPort}/web/index.html; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -101,11 +122,11 @@ in { ''; locations = { "/" = { - proxyPass = "http://$jellyfin:8096"; + proxyPass = "http://${localhost}:${jellyfinPort}"; proxyWebsockets = true; }; "/socket" = { - proxyPass = "http://$jellyfin:8096"; + proxyPass = "http://${localhost}:${jellyfinPort}"; extraConfig = '' proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade;
@@ -113,7 +134,7 @@ in { ''; }; "~ /Items/(.*)/Images" = { - proxyPass = "http://$jellyfin:8096"; + proxyPass = "http://${localhost}:${jellyfinPort}"; extraConfig = '' proxy_cache jellyfin; proxy_cache_revalidate on;
@@ -121,7 +142,7 @@ in { ''; }; "~* ^/Videos/(.*)/(?!live)" = { - proxyPass = "http://$jellyfin:8096"; + proxyPass = "http://${localhost}:${jellyfinPort}"; extraConfig = '' # Set size of a slice (this amount will be always requested from the backend by nginx) # Higher value means more latency, lower more overhead 
@@ -151,107 +172,11 @@ in { }; }; }; - "library.servidos.lat" = proxy 5000 // { }; ${config.services.nextcloud.hostName} = { forceSSL = true; enableACME = true; http2 = true; - # extraConfig = '' - # server_tokens off; - - # # set max upload size and increase upload timeout: - # client_body_timeout 300s; - # # fastcgi_buffers 64 4K; - - # # The settings allows you to optimize the HTTP2 bandwitdth. - # # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ - # # for tunning hints - # client_body_buffer_size 512k; - - # # HTTP response headers borrowed from Nextcloud `.htaccess` - # add_header Referrer-Policy "no-referrer" always; - # add_header X-Download-Options "noopen" always; - # add_header X-Permitted-Cross-Domain-Policies "none" always; - # add_header X-Robots-Tag "noindex, nofollow" always; - - # # Remove X-Powered-By, which is an information leak - # fastcgi_hide_header X-Powered-By; - - # # Specify how to handle directories -- specifying `/index.php$request_uri` - # # here as the fallback means that Nginx always exhibits the desired behaviour - # # when a client requests a path that corresponds to a directory that exists - # # on the server. In particular, if that directory contains an index.php file, - # # that file is correctly served; if it doesn't, then the request is passed to - # # the front-end controller. This consistent behaviour means that we don't need - # # to specify custom rules for certain paths (e.g. images and other assets, - # # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus - # # `try_files $uri $uri/ /index.php$request_uri` - # # always provides the desired behaviour. 
- # index index.php index.html /index.php$request_uri; - # ''; - # locations = { - # "/".extraConfig = '' - # try_files $uri $uri/ /index.php$request_uri; - # ''; - # "= /".extraConfig = '' - # # Rule borrowed from `.htaccess` to handle Microsoft DAV clients - # if ( $http_user_agent ~ ^DavClnt ) { - # return 302 /remote.php/webdav/$is_args$args; - # } - # ''; - # "^~ /.well-known".extraConfig = '' - # # The rules in this block are an adaptation of the rules - # # in `.htaccess` that concern `/.well-known`. - - # location /.well-known/acme-challenge { try_files $uri $uri/ =404; } - # location /.well-known/pki-validation { try_files $uri $uri/ =404; } - - # # Let Nextcloud's API for `/.well-known` URIs handle all other - # # requests by passing them to the front-end controller. - # return 301 /index.php$request_uri; - # ''; - # "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = - # "return 404;"; - # "~ ^/(?:.|autotest|occ|issue|indie|db_|console)".extraConfig = - # "return 404;"; - # "~ .php(?:$|/)".extraConfig = '' - # # Required for legacy support - # rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; - - # fastcgi_split_path_info ^(.+?\.php)(/.*)$; - # set $path_info $fastcgi_path_info; - - # try_files $fastcgi_script_name =404; - - # # include fastcgi_params; - # include "${pkgs.nginx}/conf/fastcgi_params"; - # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - # fastcgi_param PATH_INFO $path_info; - # fastcgi_param HTTPS on; - - # fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice - # fastcgi_param front_controller_active true; # Enable pretty urls - - # fastcgi_intercept_errors on; - # fastcgi_request_buffering off; - - # fastcgi_max_temp_file_size 0; - # ''; - # "~ .(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$" = { - # extraConfig = '' - # try_files $uri 
/index.php$request_uri; - # access_log off; # Optional: Don't log access to assets - # location ~ \.wasm$ { - # default_type application/wasm; - # } - # ''; - # }; - # "~ .woff2?$".extraConfig = '' - # try_files $uri /index.php$request_uri; - # expires 7d; # Cache-Control policy borrowed from `.htaccess` - # access_log off; # Optional: Don't log access to assets ''; - # "/remote".extraConfig = "return 301 /remote.php$request_uri;"; - # }; + serverAliases = [ "danilo-reyes.com" "cloud.servidos.lat" ]; }; }; };
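Review bot: `serverAliases = [ "danilo-reyes.com" "cloud.servidos.lat" ];` repeats `cloud.servidos.lat`, which is already the vhost's primary name through `${config.services.nextcloud.hostName}` (set to that value in configuration.org in this same patch), so `server_name` lists it twice; `serverAliases = [ "danilo-reyes.com" ];` is enough. With `enableACME = true;` the alias also becomes a SAN on the certificate, so `danilo-reyes.com` must already resolve to this host or issuance and renewal will fail — worth a comment next to the alias. This hunk closes the attrset, so no enclosing block runs past it.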