diff --git a/server/docker.nix b/server/docker.nix
index f35ff26..966f4f9 100644
--- a/server/docker.nix
+++ b/server/docker.nix
@@ -9,39 +9,38 @@ storageDriver = "btrfs"; }; - oci-containers = { - backend = "docker"; - containers.collabora = { - image = "collabora/code"; - imageFile = pkgs.dockerTools.pullImage { - imageName = "collabora/code"; - imageDigest = - "sha256:aab41379baf5652832e9237fcc06a768096a5a7fccc66cf8bd4fdb06d2cbba7f"; - sha256 = "sha256-M66lynhzaOEFnE15Sy1N6lBbGDxwNw6ap+IUJAvoCLs="; - }; - ports = [ "9980:9980" ]; - environment = { - domain = "cloud.servidos.lat"; - dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru"; - extra_params = "--o:ssl.enable=false --o:ssl.termination=true"; - }; - extraOptions = [ "--cap-add" "MKNOD" ]; - }; - }; - # arion = { + # oci-containers = { # backend = "docker"; - # "collabora".settings.services."collabora".service = { - # image = "collabora/code"; - # ports = [ "9980:9980/tcp" ]; - # environment = { - # server_name = "collabora.servidos.lat"; - # aliasgroup1 = "https://cloud.servidos.lat:443"; - # dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru"; - # username = "jawz"; - # password = "password"; - # extra_params = "--o:ssl.enable=false --o:ssl.termination=true"; + # containers = { + # flaresolverr = { + # image = "ghcr.io/flaresolverr/flaresolverr:latest"; + # # imageFile = pkgs.dockerTools.pullImage { + # # imageName = "ghcr.io/flaresolverr/flaresolverr:latest"; + # # }; + # ports = [ "8191:8191" ]; + # environment = { + # TZ = "America/Mexico_City"; + # LOG_LEVEL = "\${LOG_LEVEL:-info}"; + # LOG_HTML = "\${LOG_HTML:-false}"; + # CAPTCHA_SOLVER = "\${CAPTCHA_SOLVER:-none}"; + # }; # }; - # extraOptions = [ "--pull=newer" ]; + # # # collabora = { + # # # image = "collabora/code"; + # # # imageFile = pkgs.dockerTools.pullImage { + # # # imageName = "collabora/code"; + # # # imageDigest = + # # # "sha256:aab41379baf5652832e9237fcc06a768096a5a7fccc66cf8bd4fdb06d2cbba7f"; + # # # sha256 = "sha256-M66lynhzaOEFnE15Sy1N6lBbGDxwNw6ap+IUJAvoCLs="; + # # # }; + # # # ports = [ "9980:9980" ]; + # # # environment = { + # # # domain 
= "cloud.servidos.lat"; + # # # dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru"; + # # # extra_params = "--o:ssl.enable=false --o:ssl.termination=true"; + # # # }; + # # # extraOptions = [ "--cap-add" "MKNOD" ]; + # # # }; # }; # }; }; diff --git a/server/nginx.nix b/server/nginx.nix index f39a135..0a09645 100644 --- a/server/nginx.nix +++ b/server/nginx.nix @@ -6,7 +6,6 @@ let localhost = "127.0.0.1"; workstation = "192.168.1.64"; - collabora = "http://127.0.0.1:9980"; jellyfinPort = "8096"; nextcloudPort = 80; flamePort = 5005; 
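Review bot: The flaresolverr entry kept in comments references `ghcr.io/flaresolverr/flaresolverr:latest` by mutable tag, and the `imageFile = pkgs.dockerTools.pullImage` stanza that would pin it is itself commented out and carries no `imageDigest`/`sha256`, unlike the removed collabora entry, so re-enabling this block as written would run an unverified image published on `8191:8191`. If the block is meant as a template, a comment next to the image line such as `# pin with imageFile/imageDigest before enabling` would preserve that intent. Otherwise the two nested layers of commented-out containers (`# # #` for collabora) are easier to recover from git history than to keep in the file. Within this hunk the `oci-containers` attrset was the only active container definition, so after the change the file appears to declare no containers; whether the docker-compose unit elsewhere takes over is not visible here.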
@@ -32,57 +31,58 @@ in { sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; appendHttpConfig = '' ### GLOBAL - # client_max_body_size 25G; - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=31536000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; + # client_max_body_size 25G; + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; - # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'origin-when-cross-origin'; + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; - # Disable embedding as a frame - # add_header X-Frame-Options DENY; + # Disable embedding as a frame + # add_header X-Frame-Options DENY; - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; - # Enable XSS protection of the browser. - # May be unnecessary when CSP is configured properly (see above) - add_header X-XSS-Protection "1; mode=block"; + # Enable XSS protection of the browser. 
+ # May be unnecessary when CSP is configured properly (see above) + add_header X-XSS-Protection "1; mode=block"; - # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - # NEXTCLOUD - # upstream php-handler { - # server ${localhost}:9000; - # #server unix:/var/run/php/php7.4-fpm.sock; - # } + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + # NEXTCLOUD + # upstream php-handler { + # server ${localhost}:9000; + # #server unix:/var/run/php/php7.4-fpm.sock; + # } - # Set the `immutable` cache control options only for assets with a cache busting `v` argument - # map $arg_v $asset_immutable { - # "" ""; - # default "immutable"; - # } - # JELLYFIN - proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m; - proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off; - map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; } - map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; } + # Set the `immutable` cache control options only for assets with a cache busting `v` argument + # map $arg_v $asset_immutable { + # "" ""; + # default "immutable"; + # } + # JELLYFIN + proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m; + proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off; + map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; } + map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; } - ## upload configs - proxy_read_timeout 600; - proxy_connect_timeout 600; - proxy_send_timeout 600; - send_timeout 600; - fastcgi_read_timeout 600; - # client_max_body_size 0; - fastcgi_buffers 64 4k; + + ## upload configs + proxy_read_timeout 600; + proxy_connect_timeout 600; + proxy_send_timeout 600; + send_timeout 600; + 
fastcgi_read_timeout 600; + # client_max_body_size 0; + fastcgi_buffers 64 4k; ''; virtualHosts = let base = locations: { @@ -128,11 +128,11 @@ in { "/" = { proxyPass = "http://${localhost}:${toString (audiobookPort)}"; extraConfig = '' - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; proxy_http_version 1.1; @@ -141,33 +141,6 @@ in { }; }; }; - "collabora.servidos.lat" = let - collaboraLocation = { - proxyPass = collabora; - extraConfig = '' - proxy_set_header Host $host; - ''; - }; - socketConfig = '' - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - proxy_read_timeout 36000s; - ''; - in base { - "^~ /browser" = collaboraLocation; - "^~ /hosting/discovery" = collaboraLocation; - "^~ /hosting/capabilities" = collaboraLocation; - "~ ^/(c|l)ool" = collaboraLocation; - "~ ^/cool/(.*)/ws$" = { - proxyPass = collabora; - extraConfig = socketConfig; - }; - "^~ /cool/adminws" = { - proxyPass = collabora; - extraConfig = socketConfig; - }; - }; "flix.servidos.lat" = { forceSSL = true; enableACME = true; diff --git a/server/servers.nix b/server/servers.nix index c115375..b143d06 100644 --- a/server/servers.nix +++ b/server/servers.nix 
@@ -198,26 +198,26 @@ in { }; systemd = { services = { - # docker-compose = { - # enable = true; - # restartIfChanged = true; - # description = "Start docker-compose servers"; - # after = [ "docker.service" "docker.socket" ]; - # requires = [ "docker.service" "docker.socket" ]; - # wantedBy = [ "default.target" ]; - # environment = { - # FILE = "/home/jawz/Development/Docker/docker-compose.yml"; - # }; - # path = [ pkgs.docker-compose ]; - # serviceConfig = { - # Restart = "on-failure"; - # RestartSec = 30; - # ExecStart = - # "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans"; - # ExecStop = - # "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down"; - # }; - # }; + docker-compose = { + enable = true; + restartIfChanged = true; + description = "Start docker-compose servers"; + after = [ "docker.service" "docker.socket" ]; + requires = [ "docker.service" "docker.socket" ]; + wantedBy = [ "default.target" ]; + environment = { + FILE = "/home/jawz/Development/Docker/docker-compose.yml"; + }; + path = [ pkgs.docker-compose ]; + serviceConfig = { + Restart = "on-failure"; + RestartSec = 30; + ExecStart = + "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans"; + ExecStop = + "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down"; + }; + }; nextcloud-cronjob = let jawzNextcloudCronjob = pkgs.writeScriptBin "nextcloud-cronjob" (builtins.readFile ../scripts/nextcloud-cronjob.sh);
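Review bot: The re-enabled docker-compose unit runs as root (no `User=` in `serviceConfig`) yet reads its compose file from `/home/jawz/Development/Docker/docker-compose.yml`, so anyone who can write that file or its parent directories decides which images, bind mounts and capabilities root launches with `up --remove-orphans`. Keeping the compose file in a root-owned location (placeholder: `FILE = "<root-owned dir>/docker-compose.yml";`) or generating it into the store with `pkgs.writeText` would close that gap; if the home-directory path is deliberate, a comment stating the trust assumption would help the next reader. `wantedBy = [ "default.target" ]` works, but `multi-user.target` is the conventional target for a system service. The enclosing `services` attrset continues past the hunk with `nextcloud-cronjob`.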