jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

better writing of nginx functions

Browse Source
This commit is contained in:
Danilo Reyes 2023-12-23 21:41:43 -06:00
parent edeaf20db6
commit af1d6cbd73
2 changed files with 64 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
server/nginx.nix
View File

@ -24,65 +24,16 @@ let
in {
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
# recommendedProxySettings = true;
# recommendedTlsSettings = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
### GLOBAL
# client_max_body_size 25G;
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
# add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
# NEXTCLOUD
# upstream php-handler {
# server ${localhost}:9000;
# #server unix:/var/run/php/php7.4-fpm.sock;
# }
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
# map $arg_v $asset_immutable {
# "" "";
# default "immutable";
# }
# JELLYFIN
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
## upload configs
proxy_read_timeout 600;
proxy_connect_timeout 600;
proxy_send_timeout 600;
send_timeout 600;
fastcgi_read_timeout 600;
# client_max_body_size 0;
fastcgi_buffers 64 4k;
# JELLYFIN
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
'';
virtualHosts = let
base = locations: {
@ -120,25 +71,20 @@ in {
"mealie.servidos.lat" = proxy mealiePort // { };
"qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };
"xfwmrle6h6skqujbeizw.servidos.lat" = proxy qbitPort // { };
"audiobooks.servidos.lat" = {
forceSSL = true;
enableACME = true;
http2 = true;
locations = {
"/" = {
proxyPass = "http://${localhost}:${toString (audiobookPort)}";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
"audiobooks.servidos.lat" = base {
"/" = {
proxyPass = "http://${localhost}:${toString (audiobookPort)}";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_http_version 1.1;
proxy_redirect http:// https://;
'';
};
proxy_redirect http:// https://;
'';
};
};
"flix.servidos.lat" = {
@ -155,6 +101,7 @@ in {
return 302 http://$host/web/;
#return 302 https://$host/web/;
}
location = /web/ {
# Proxy main Jellyfin traffic
proxy_pass http://${localhost}:${jellyfinPort}/web/index.html;
@ -221,14 +168,14 @@ in {
${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
http2 = true;
serverAliases = [ "cloud.rotehaare.art" ];
locations = {
"/".proxyWebsockets = true;
# uh, equals what?
"~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
{ };
};
http2 = true;
# locations = {
# "/".proxyWebsockets = true;
# # uh, equals what?
# "~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
# { };
# };
};
};
};

42
server/servers.nix
View File

@ -12,6 +12,38 @@ in {
nixpkgs.config = {
permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1v" ];
};
environment.systemPackages = with pkgs;
[
# Upgrades postgres
(let
# XXX specify the postgresql package you'd like to upgrade to.
# Do not forget to list the extensions you need.
newPostgres = pkgs.postgresql_16.withPackages (pp:
[
# pp.plv8
]);
in pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWBIN="${newPostgres}/bin"
export OLDDATA="${config.services.postgresql.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
'')
];
users.groups = { piracy.gid = 985; };
users.users = let base = { isSystemUser = true; };
in {
@ -45,7 +77,7 @@ in {
in {
sonarr = base // { package = pkgs.sonarr; };
radarr = base // { package = pkgs.radarr; };
# bazarr = base // { };
bazarr = base // { };
jellyfin = base // { };
prowlarr.enable = true;
microbin = {
@ -114,7 +146,7 @@ in {
configureRedis = true;
extraAppsEnable = true;
enableImagemagick = true;
maxUploadSize = "25G";
maxUploadSize = "16G";
hostName = "cloud.servidos.lat";
config = {
adminpassFile = "${pkgs.writeText "adminpass"
@ -129,8 +161,6 @@ in {
extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
};
phpOptions = {
upload_max_filesize = "25G";
post_max_size = "25G";
catch_workers_output = "yes";
display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
@ -139,12 +169,12 @@ in {
"opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "16";
"opcache.jit" = "1255";
"opcache.jit_buffer_size" = "128M";
"opcache.jit_buffer_size" = "256M";
"opcache.max_accelerated_files" = "10000";
"opcache.huge_code_pages" = "1";
"opcache.enable_file_override" = "1";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.revalidate_freq" = "60";
"opcache.save_comments" = "1";
"opcache.validate_timestamps" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";