servers working perfectly, many adjustments
This commit is contained in:
157
nginx.nix
157
nginx.nix
@@ -5,20 +5,29 @@
|
||||
|
||||
let
|
||||
localhost = "127.0.0.1";
|
||||
jellyfinPort = 8086;
|
||||
jellyfinPort = "8096";
|
||||
newflixPort = 8897;
|
||||
shioriPort = 9001;
|
||||
flamePort = 5005;
|
||||
secretFlamePort = 5007;
|
||||
lidarrPort = 8686;
|
||||
bazarrPort = 6767;
|
||||
sonarrPort = 8989;
|
||||
radarrPort = 7878;
|
||||
prowlarrPort = 9696;
|
||||
vaultPort = 9666;
|
||||
searxPort = 8080;
|
||||
kavitaPort = 5000;
|
||||
nextcloudPort = 80;
|
||||
# unstable_tarball =
|
||||
# builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master";
|
||||
# unstable = import unstable_tarball { config = config.nixpkgs.config; };
|
||||
in {
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedTlsSettings = true;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
# recommendedProxySettings = true;
|
||||
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
||||
commonHttpConfig = ''
|
||||
appendHttpConfig = ''
|
||||
### GLOBAL
|
||||
# Add HSTS header with preloading to HTTPS requests.
|
||||
# Adding this header to HTTP requests is discouraged
|
||||
@@ -34,7 +43,7 @@ in {
|
||||
add_header 'Referrer-Policy' 'origin-when-cross-origin';
|
||||
|
||||
# Disable embedding as a frame
|
||||
add_header X-Frame-Options DENY;
|
||||
# add_header X-Frame-Options DENY;
|
||||
|
||||
# Prevent injection of code in other mime types (XSS Attacks)
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
@@ -45,9 +54,9 @@ in {
|
||||
|
||||
# This might create errors
|
||||
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
|
||||
### NEXTCLOUD
|
||||
# NEXTCLOUD
|
||||
# upstream php-handler {
|
||||
# server 127.0.0.1:9000;
|
||||
# server ${localhost}:9000;
|
||||
# #server unix:/var/run/php/php7.4-fpm.sock;
|
||||
# }
|
||||
|
||||
@@ -56,7 +65,7 @@ in {
|
||||
# "" "";
|
||||
# default "immutable";
|
||||
# }
|
||||
### JELLYFIN
|
||||
# JELLYFIN
|
||||
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
|
||||
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
|
||||
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
|
||||
@@ -70,8 +79,22 @@ in {
|
||||
http2 = true;
|
||||
};
|
||||
proxy = port:
|
||||
base { "/".proxyPass = "http://127.0.0.1:" + toString (port) + "/"; };
|
||||
base {
|
||||
"/".proxyPass = "http://${localhost}:" + toString (port) + "/";
|
||||
};
|
||||
in {
|
||||
"newflix.servidos.lat" = proxy newflixPort // { };
|
||||
"library.servidos.lat" = proxy kavitaPort // { };
|
||||
"bookmarks.servidos.lat" = proxy shioriPort // { };
|
||||
"start.servidos.lat" = proxy flamePort // { };
|
||||
"qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };
|
||||
"music.servidos.lat" = proxy lidarrPort // { };
|
||||
"subs.servidos.lat" = proxy bazarrPort // { };
|
||||
"series.servidos.lat" = proxy sonarrPort // { };
|
||||
"movies.servidos.lat" = proxy radarrPort // { };
|
||||
"indexer.servidos.lat" = proxy prowlarrPort // { };
|
||||
"vault.servidos.lat" = proxy vaultPort // { };
|
||||
"searx.servidos.lat" = proxy searxPort // { };
|
||||
"flix.servidos.lat" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
@@ -80,9 +103,7 @@ in {
|
||||
# use a variable to store the upstream proxy
|
||||
# in this example we are using a hostname which is resolved via DNS
|
||||
# (if you aren't using DNS remove the resolver line and change the variable to point to an IP address
|
||||
# e.g `set $jellyfin 127.0.0.1`)
|
||||
set $jellyfin 127.0.0.1;
|
||||
resolver 127.0.0.1 valid=30;
|
||||
resolver ${localhost} valid=30;
|
||||
|
||||
location = / {
|
||||
return 302 http://$host/web/;
|
||||
@@ -90,7 +111,7 @@ in {
|
||||
}
|
||||
location = /web/ {
|
||||
# Proxy main Jellyfin traffic
|
||||
proxy_pass http://$jellyfin:8096/web/index.html;
|
||||
proxy_pass http://${localhost}:${jellyfinPort}/web/index.html;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
@@ -101,11 +122,11 @@ in {
|
||||
'';
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = "http://$jellyfin:8096";
|
||||
proxyPass = "http://${localhost}:${jellyfinPort}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
"/socket" = {
|
||||
proxyPass = "http://$jellyfin:8096";
|
||||
proxyPass = "http://${localhost}:${jellyfinPort}";
|
||||
extraConfig = ''
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
@@ -113,7 +134,7 @@ in {
|
||||
'';
|
||||
};
|
||||
"~ /Items/(.*)/Images" = {
|
||||
proxyPass = "http://$jellyfin:8096";
|
||||
proxyPass = "http://${localhost}:${jellyfinPort}";
|
||||
extraConfig = ''
|
||||
proxy_cache jellyfin;
|
||||
proxy_cache_revalidate on;
|
||||
@@ -121,7 +142,7 @@ in {
|
||||
'';
|
||||
};
|
||||
"~* ^/Videos/(.*)/(?!live)" = {
|
||||
proxyPass = "http://$jellyfin:8096";
|
||||
proxyPass = "http://${localhost}:${jellyfinPort}";
|
||||
extraConfig = ''
|
||||
# Set size of a slice (this amount will be always requested from the backend by nginx)
|
||||
# Higher value means more latency, lower more overhead
|
||||
@@ -151,107 +172,11 @@ in {
|
||||
};
|
||||
};
|
||||
};
|
||||
"library.servidos.lat" = proxy 5000 // { };
|
||||
${config.services.nextcloud.hostName} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
http2 = true;
|
||||
# extraConfig = ''
|
||||
# server_tokens off;
|
||||
|
||||
# # set max upload size and increase upload timeout:
|
||||
# client_body_timeout 300s;
|
||||
# # fastcgi_buffers 64 4K;
|
||||
|
||||
# # The settings allows you to optimize the HTTP2 bandwitdth.
|
||||
# # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
|
||||
# # for tunning hints
|
||||
# client_body_buffer_size 512k;
|
||||
|
||||
# # HTTP response headers borrowed from Nextcloud `.htaccess`
|
||||
# add_header Referrer-Policy "no-referrer" always;
|
||||
# add_header X-Download-Options "noopen" always;
|
||||
# add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
# add_header X-Robots-Tag "noindex, nofollow" always;
|
||||
|
||||
# # Remove X-Powered-By, which is an information leak
|
||||
# fastcgi_hide_header X-Powered-By;
|
||||
|
||||
# # Specify how to handle directories -- specifying `/index.php$request_uri`
|
||||
# # here as the fallback means that Nginx always exhibits the desired behaviour
|
||||
# # when a client requests a path that corresponds to a directory that exists
|
||||
# # on the server. In particular, if that directory contains an index.php file,
|
||||
# # that file is correctly served; if it doesn't, then the request is passed to
|
||||
# # the front-end controller. This consistent behaviour means that we don't need
|
||||
# # to specify custom rules for certain paths (e.g. images and other assets,
|
||||
# # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
|
||||
# # `try_files $uri $uri/ /index.php$request_uri`
|
||||
# # always provides the desired behaviour.
|
||||
# index index.php index.html /index.php$request_uri;
|
||||
# '';
|
||||
# locations = {
|
||||
# "/".extraConfig = ''
|
||||
# try_files $uri $uri/ /index.php$request_uri;
|
||||
# '';
|
||||
# "= /".extraConfig = ''
|
||||
# # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
|
||||
# if ( $http_user_agent ~ ^DavClnt ) {
|
||||
# return 302 /remote.php/webdav/$is_args$args;
|
||||
# }
|
||||
# '';
|
||||
# "^~ /.well-known".extraConfig = ''
|
||||
# # The rules in this block are an adaptation of the rules
|
||||
# # in `.htaccess` that concern `/.well-known`.
|
||||
|
||||
# location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
|
||||
# location /.well-known/pki-validation { try_files $uri $uri/ =404; }
|
||||
|
||||
# # Let Nextcloud's API for `/.well-known` URIs handle all other
|
||||
# # requests by passing them to the front-end controller.
|
||||
# return 301 /index.php$request_uri;
|
||||
# '';
|
||||
# "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig =
|
||||
# "return 404;";
|
||||
# "~ ^/(?:.|autotest|occ|issue|indie|db_|console)".extraConfig =
|
||||
# "return 404;";
|
||||
# "~ .php(?:$|/)".extraConfig = ''
|
||||
# # Required for legacy support
|
||||
# rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
|
||||
|
||||
# fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||
# set $path_info $fastcgi_path_info;
|
||||
|
||||
# try_files $fastcgi_script_name =404;
|
||||
|
||||
# # include fastcgi_params;
|
||||
# include "${pkgs.nginx}/conf/fastcgi_params";
|
||||
# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
# fastcgi_param PATH_INFO $path_info;
|
||||
# fastcgi_param HTTPS on;
|
||||
|
||||
# fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
|
||||
# fastcgi_param front_controller_active true; # Enable pretty urls
|
||||
|
||||
# fastcgi_intercept_errors on;
|
||||
# fastcgi_request_buffering off;
|
||||
|
||||
# fastcgi_max_temp_file_size 0;
|
||||
# '';
|
||||
# "~ .(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$" = {
|
||||
# extraConfig = ''
|
||||
# try_files $uri /index.php$request_uri;
|
||||
# access_log off; # Optional: Don't log access to assets
|
||||
# location ~ \.wasm$ {
|
||||
# default_type application/wasm;
|
||||
# }
|
||||
# '';
|
||||
# };
|
||||
# "~ .woff2?$".extraConfig = ''
|
||||
# try_files $uri /index.php$request_uri;
|
||||
# expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
||||
# access_log off; # Optional: Don't log access to assets '';
|
||||
# "/remote".extraConfig = "return 301 /remote.php$request_uri;";
|
||||
# };
|
||||
serverAliases = [ "danilo-reyes.com" "cloud.servidos.lat" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user