better writing of nginx functions

Danilo Reyes 2023-12-23 21:41:43 -06:00
parent edeaf20db6
commit af1d6cbd73
2 changed files with 64 additions and 87 deletions


@ -24,65 +24,16 @@ let
in { in {
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedTlsSettings = true; # recommendedTlsSettings = true;
recommendedGzipSettings = true; # recommendedGzipSettings = true;
recommendedOptimisation = true; # recommendedOptimisation = true;
# recommendedProxySettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = '' appendHttpConfig = ''
### GLOBAL # JELLYFIN
# client_max_body_size 25G; proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
# Add HSTS header with preloading to HTTPS requests. proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
# Adding this header to HTTP requests is discouraged map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
map $scheme $hsts_header { map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
# add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
# NEXTCLOUD
# upstream php-handler {
# server ${localhost}:9000;
# #server unix:/var/run/php/php7.4-fpm.sock;
# }
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
# map $arg_v $asset_immutable {
# "" "";
# default "immutable";
# }
# JELLYFIN
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
## upload configs
proxy_read_timeout 600;
proxy_connect_timeout 600;
proxy_send_timeout 600;
send_timeout 600;
fastcgi_read_timeout 600;
# client_max_body_size 0;
fastcgi_buffers 64 4k;
''; '';
virtualHosts = let virtualHosts = let
base = locations: { base = locations: {
@ -120,25 +71,20 @@ in {
"mealie.servidos.lat" = proxy mealiePort // { }; "mealie.servidos.lat" = proxy mealiePort // { };
"qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { }; "qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };
"xfwmrle6h6skqujbeizw.servidos.lat" = proxy qbitPort // { }; "xfwmrle6h6skqujbeizw.servidos.lat" = proxy qbitPort // { };
"audiobooks.servidos.lat" = { "audiobooks.servidos.lat" = base {
forceSSL = true; "/" = {
enableACME = true; proxyPass = "http://${localhost}:${toString (audiobookPort)}";
http2 = true; extraConfig = ''
locations = { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
"/" = { proxy_set_header X-Forwarded-Proto $scheme;
proxyPass = "http://${localhost}:${toString (audiobookPort)}"; proxy_set_header Host $host;
extraConfig = '' proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_redirect http:// https://; proxy_redirect http:// https://;
''; '';
};
}; };
}; };
"flix.servidos.lat" = { "flix.servidos.lat" = {
@ -155,6 +101,7 @@ in {
return 302 http://$host/web/; return 302 http://$host/web/;
#return 302 https://$host/web/; #return 302 https://$host/web/;
} }
location = /web/ { location = /web/ {
# Proxy main Jellyfin traffic # Proxy main Jellyfin traffic
proxy_pass http://${localhost}:${jellyfinPort}/web/index.html; proxy_pass http://${localhost}:${jellyfinPort}/web/index.html;
@ -221,14 +168,14 @@ in {
${config.services.nextcloud.hostName} = { ${config.services.nextcloud.hostName} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
http2 = true;
serverAliases = [ "cloud.rotehaare.art" ]; serverAliases = [ "cloud.rotehaare.art" ];
locations = { http2 = true;
"/".proxyWebsockets = true; # locations = {
# uh, equals what? # "/".proxyWebsockets = true;
"~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" = # # uh, equals what?
{ }; # "~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
}; # { };
# };
}; };
}; };
}; };
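Review bot: The HTTP-level security headers are no longer set anywhere in the visible new code. The new `appendHttpConfig` keeps only the Jellyfin cache and `map` lines, dropping the `$hsts_header` map, the `add_header` lines for `Strict-Transport-Security`, `X-Content-Type-Options` and `Referrer-Policy`, and the `proxy_cookie_path` cookie flags, and `recommendedTlsSettings` is now commented out. Unless `base` (defined outside these hunks) re-adds them, every virtual host stops sending those headers. If that is not intended, keep `add_header Strict-Transport-Security $hsts_header;` together with its `map $scheme $hsts_header { … }` block, and `add_header X-Content-Type-Options nosniff;`, at http level. If it is intended, a one-line comment above `appendHttpConfig` naming where the headers and TLS settings now live would prevent the next reader from assuming they are still global. Whether `audiobooks.servidos.lat` still gets `forceSSL`/`enableACME` after the move to `base` cannot be checked from the lines shown.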


@ -12,6 +12,38 @@ in {
nixpkgs.config = { nixpkgs.config = {
permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1v" ]; permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1v" ];
}; };
environment.systemPackages = with pkgs;
[
# Upgrades postgres
(let
# XXX specify the postgresql package you'd like to upgrade to.
# Do not forget to list the extensions you need.
newPostgres = pkgs.postgresql_16.withPackages (pp:
[
# pp.plv8
]);
in pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWBIN="${newPostgres}/bin"
export OLDDATA="${config.services.postgresql.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
'')
];
users.groups = { piracy.gid = 985; }; users.groups = { piracy.gid = 985; };
users.users = let base = { isSystemUser = true; }; users.users = let base = { isSystemUser = true; };
in { in {
@ -45,7 +77,7 @@ in {
in { in {
sonarr = base // { package = pkgs.sonarr; }; sonarr = base // { package = pkgs.sonarr; };
radarr = base // { package = pkgs.radarr; }; radarr = base // { package = pkgs.radarr; };
# bazarr = base // { }; bazarr = base // { };
jellyfin = base // { }; jellyfin = base // { };
prowlarr.enable = true; prowlarr.enable = true;
microbin = { microbin = {
@ -114,7 +146,7 @@ in {
configureRedis = true; configureRedis = true;
extraAppsEnable = true; extraAppsEnable = true;
enableImagemagick = true; enableImagemagick = true;
maxUploadSize = "25G"; maxUploadSize = "16G";
hostName = "cloud.servidos.lat"; hostName = "cloud.servidos.lat";
config = { config = {
adminpassFile = "${pkgs.writeText "adminpass" adminpassFile = "${pkgs.writeText "adminpass"
@ -129,8 +161,6 @@ in {
extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ]; extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
}; };
phpOptions = { phpOptions = {
upload_max_filesize = "25G";
post_max_size = "25G";
catch_workers_output = "yes"; catch_workers_output = "yes";
display_errors = "stderr"; display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
@ -139,12 +169,12 @@ in {
"opcache.fast_shutdown" = "1"; "opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "16"; "opcache.interned_strings_buffer" = "16";
"opcache.jit" = "1255"; "opcache.jit" = "1255";
"opcache.jit_buffer_size" = "128M"; "opcache.jit_buffer_size" = "256M";
"opcache.max_accelerated_files" = "10000"; "opcache.max_accelerated_files" = "10000";
"opcache.huge_code_pages" = "1"; "opcache.huge_code_pages" = "1";
"opcache.enable_file_override" = "1"; "opcache.enable_file_override" = "1";
"opcache.memory_consumption" = "128"; "opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1"; "opcache.revalidate_freq" = "60";
"opcache.save_comments" = "1"; "opcache.save_comments" = "1";
"opcache.validate_timestamps" = "0"; "opcache.validate_timestamps" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
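Review bot: The `upgrade-pg-cluster` helper added to `environment.systemPackages` is built with `pkgs.writeScriptBin`, and its text starts at `set -eux` with no interpreter line, so which shell runs it depends on how it is invoked. `pkgs.writeShellScriptBin "upgrade-pg-cluster" ''` would pin the interpreter. `$NEWBIN` and `$OLDBIN` are expanded unquoted in the `initdb` and `pg_upgrade` lines while `$NEWDATA` and `$OLDDATA` are quoted; quoting all four keeps the script consistent. A comment above the `let` would help: it should say that the script is a one-off to be run as root, that services using the database should be stopped first, and that `services.postgresql.package` has to be switched to the new version afterwards. Separately, in the opcache hunk `"opcache.revalidate_freq"` is raised to `"60"` while `"opcache.validate_timestamps"` stays `"0"`, so the new value likely has no effect; a comment stating which of the two is intended would help.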