diff --git a/server/nginx.nix b/server/nginx.nix
index 0a09645..671adbd 100644
--- a/server/nginx.nix
+++ b/server/nginx.nix
@@ -24,65 +24,16 @@ let
 in {
 services.nginx = {
 enable = true;
- recommendedTlsSettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- # recommendedProxySettings = true;
+ # recommendedTlsSettings = true;
+ # recommendedGzipSettings = true;
+ # recommendedOptimisation = true;
 sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
 appendHttpConfig = ''
- ### GLOBAL
- # client_max_body_size 25G;
- # Add HSTS header with preloading to HTTPS requests.
- # Adding this header to HTTP requests is discouraged
- map $scheme $hsts_header {
- https "max-age=31536000; includeSubdomains; preload";
- }
- add_header Strict-Transport-Security $hsts_header;
-
- # Enable CSP for your services.
- #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
- # Minimize information leaked to other domains
- add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
- # Disable embedding as a frame
- # add_header X-Frame-Options DENY;
-
- # Prevent injection of code in other mime types (XSS Attacks)
- add_header X-Content-Type-Options nosniff;
-
- # Enable XSS protection of the browser.
- # May be unnecessary when CSP is configured properly (see above)
- add_header X-XSS-Protection "1; mode=block";
-
- # This might create errors
- proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
- # NEXTCLOUD
- # upstream php-handler {
- # server ${localhost}:9000;
- # #server unix:/var/run/php/php7.4-fpm.sock;
- # }
-
- # Set the `immutable` cache control options only for assets with a cache busting `v` argument
- # map $arg_v $asset_immutable {
- # "" "";
- # default "immutable";
- # }
- # JELLYFIN
- proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
- proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
- map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
- map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
-
-
- ## upload configs
- proxy_read_timeout 600;
- proxy_connect_timeout 600;
- proxy_send_timeout 600;
- send_timeout 600;
- fastcgi_read_timeout 600;
- # client_max_body_size 0;
- fastcgi_buffers 64 4k;
+ # JELLYFIN
+ proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
+ proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
+ map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
+ map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
 '';
 virtualHosts = let base = locations: {
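Review bot: Deleting the global `add_header` block from `appendHttpConfig` removes HSTS, `X-Content-Type-Options` and `Referrer-Policy` from every vhost at once, and the new side adds nothing in their place; as far as I know the NixOS nginx module does not emit these headers itself, so a first visit to any `forceSSL` host can now be downgraded before the redirect is ever seen. Commenting out `recommendedTlsSettings` at the top of the hunk has a similar effect on the TLS side: if I read the module correctly, that option is what turns off session tickets and enables OCSP stapling, and only the `sslCiphers` string survives here. The `proxy_cookie_path` line that stamped `secure; HttpOnly; SameSite=strict` onto upstream cookies is gone as well, so every proxied app now relies on its own cookie flags. If the motive was duplicate-header noise from the Nextcloud vhost (I believe that module sets its own headers), the safer move is to keep `recommendedTlsSettings = true;` and re-add at least `add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;` and `add_header X-Content-Type-Options nosniff always;` inside the per-vhost `base` helper instead of dropping them globally. The enclosing `services.nginx` attribute set continues past the end of this hunk.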
@@ -120,25 +71,20 @@ in {
 "mealie.servidos.lat" = proxy mealiePort // { };
 "qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };
 "xfwmrle6h6skqujbeizw.servidos.lat" = proxy qbitPort // { };
- "audiobooks.servidos.lat" = {
- forceSSL = true;
- enableACME = true;
- http2 = true;
- locations = {
- "/" = {
- proxyPass = "http://${localhost}:${toString (audiobookPort)}";
- extraConfig = ''
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Host $host;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
+ "audiobooks.servidos.lat" = base {
+ "/" = {
+ proxyPass = "http://${localhost}:${toString (audiobookPort)}";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
- proxy_http_version 1.1;
+ proxy_http_version 1.1;
- proxy_redirect http:// https://;
- '';
- };
+ proxy_redirect http:// https://;
+ '';
 };
 };
 "flix.servidos.lat" = {
@@ -155,6 +101,7 @@ in {
 return 302 http://$host/web/;
 #return 302 https://$host/web/;
 }
+
 location = /web/ {
 # Proxy main Jellyfin traffic
 proxy_pass http://${localhost}:${jellyfinPort}/web/index.html;
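Review bot: `"audiobooks.servidos.lat" = base { ... }` swaps the explicit `forceSSL = true; enableACME = true; http2 = true;` for whatever the `base` helper supplies, and `base`'s body is outside this hunk, so the hunk alone cannot show that the host is still TLS-only; if `base` does not set `forceSSL`/`enableACME`, this silently reopens plain HTTP while `proxy_redirect http:// https://;` keeps rewriting upstream redirects to https. Worth confirming against the definition of `base` (the `let base = locations: {` that ends the previous hunk) or recording it in a comment such as `# base adds forceSSL/enableACME/http2; only the locations differ per host`. Separately, the hand-written `proxy_set_header Upgrade $http_upgrade;` together with a constant `proxy_set_header Connection "upgrade";` sends `Connection: upgrade` on every request rather than only on WebSocket handshakes; the module's `proxyWebsockets = true;` on the location emits the `$http_upgrade` map for you and can replace both lines plus `proxy_http_version 1.1;`. The one-line hunk that follows only inserts a blank line before `location = /web/ {`.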
@@ -221,14 +168,14 @@ in {
 ${config.services.nextcloud.hostName} = {
 forceSSL = true;
 enableACME = true;
- http2 = true;
 serverAliases = [ "cloud.rotehaare.art" ];
- locations = {
- "/".proxyWebsockets = true;
- # uh, equals what?
- "~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
- { };
- };
+ http2 = true;
+ # locations = {
+ # "/".proxyWebsockets = true;
+ # # uh, equals what?
+ # "~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
+ # { };
+ # };
 };
 };
 };
diff --git a/server/servers.nix b/server/servers.nix
index b143d06..6a87386 100644
--- a/server/servers.nix
+++ b/server/servers.nix
@@ -12,6 +12,38 @@ in {
 nixpkgs.config = {
 permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1v" ];
 };
+ environment.systemPackages = with pkgs;
+ [
+ # Upgrades postgres
+ (let
+ # XXX specify the postgresql package you'd like to upgrade to.
+ # Do not forget to list the extensions you need.
+ newPostgres = pkgs.postgresql_16.withPackages (pp:
+ [
+ # pp.plv8
+ ]);
+ in pkgs.writeScriptBin "upgrade-pg-cluster" ''
+ set -eux
+ # XXX it's perhaps advisable to stop all services that depend on postgresql
+ systemctl stop postgresql
+
+ export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
+
+ export NEWBIN="${newPostgres}/bin"
+
+ export OLDDATA="${config.services.postgresql.dataDir}"
+ export OLDBIN="${config.services.postgresql.package}/bin"
+
+ install -d -m 0700 -o postgres -g postgres "$NEWDATA"
+ cd "$NEWDATA"
+ sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
+
+ sudo -u postgres $NEWBIN/pg_upgrade \
+ --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
+ --old-bindir $OLDBIN --new-bindir $NEWBIN \
+ "$@"
+ '')
+ ];
 users.groups = { piracy.gid = 985; };
 users.users = let base = { isSystemUser = true; };
 in {
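Review bot: The `upgrade-pg-cluster` script runs `pg_upgrade` straight away with no preflight, so an incompatible pair of clusters — `initdb` is invoked with default encoding/locale, which pg_upgrade compares against the old cluster, or an extension missing from `newPostgres` — is only discovered after the old server has been stopped and the new data directory created; a `sudo -u postgres $NEWBIN/pg_upgrade --check --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" --old-bindir "$OLDBIN" --new-bindir "$NEWBIN"` before the real run would fail fast and leave the old cluster untouched. The `# XXX it's perhaps advisable to stop all services that depend on postgresql` comment ships as an unresolved TODO inside a command placed on every user's PATH: `systemctl stop postgresql` is the only stop, while this same file configures Nextcloud, which presumably uses that database, so either stop those units here or turn the XXX into an explicit operator instruction. Minor: `$OLDBIN`/`$NEWBIN` are unquoted on the `pg_upgrade` line while `$OLDDATA`/`$NEWDATA` are quoted — harmless for Nix store paths, but inconsistent. The script also never bumps `services.postgresql.package` to the new major or restarts the service, which is presumably meant to be a follow-up configuration change; a one-line comment saying so would save the next operator a surprise. The preceding hunk only comments out the hand-written Nextcloud `locations`, which the nextcloud module appears to manage itself.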
@@ -45,7 +77,7 @@ in {
 in {
 sonarr = base // { package = pkgs.sonarr; };
 radarr = base // { package = pkgs.radarr; };
- # bazarr = base // { };
+ bazarr = base // { };
 jellyfin = base // { };
 prowlarr.enable = true;
 microbin = {
@@ -114,7 +146,7 @@ in {
 configureRedis = true;
 extraAppsEnable = true;
 enableImagemagick = true;
- maxUploadSize = "25G";
+ maxUploadSize = "16G";
 hostName = "cloud.servidos.lat";
 config = {
 adminpassFile = "${pkgs.writeText "adminpass"
@@ -129,8 +161,6 @@ in {
 extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
 };
 phpOptions = {
- upload_max_filesize = "25G";
- post_max_size = "25G";
 catch_workers_output = "yes";
 display_errors = "stderr";
 error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
@@ -139,12 +169,12 @@ in {
 "opcache.fast_shutdown" = "1";
 "opcache.interned_strings_buffer" = "16";
 "opcache.jit" = "1255";
- "opcache.jit_buffer_size" = "128M";
+ "opcache.jit_buffer_size" = "256M";
 "opcache.max_accelerated_files" = "10000";
 "opcache.huge_code_pages" = "1";
 "opcache.enable_file_override" = "1";
 "opcache.memory_consumption" = "128";
- "opcache.revalidate_freq" = "1";
+ "opcache.revalidate_freq" = "60";
 "opcache.save_comments" = "1";
 "opcache.validate_timestamps" = "0";
 "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
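Review bot: `"opcache.revalidate_freq" = "60"` in the last hunk has no effect, because the `"opcache.validate_timestamps" = "0"` two lines below it disables timestamp checking entirely and PHP documents `revalidate_freq` as ignored in that case, so moving it from `1` to `60` changes nothing at runtime. Either drop the line or, if periodic revalidation was the intent, set `"opcache.validate_timestamps" = "1"` next to it; with timestamps off, code changes are only picked up when the Nextcloud php-fpm pool restarts, which is acceptable for a Nix-managed deployment where the store path changes on every upgrade but should be a deliberate choice. The `maxUploadSize = "16G"` change and the removal of the manual `upload_max_filesize`/`post_max_size` overrides in the two earlier hunks are consistent with each other as far as I recall the module, which derives those PHP limits from `maxUploadSize`; a short comment on the option, e.g. `# also sets PHP upload_max_filesize/post_max_size`, would stop someone re-adding the overrides later.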