From fb1a44d2ca06e0e1e0300f4eb32bfc0bfa7ef4c5 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Sat, 24 Aug 2024 20:55:42 -0600 Subject: [PATCH] servers now have an unique toggle for nginx --- hosts/server/configuration.nix | 24 +++++++-- modules/servers.nix | 73 ++++++++++++++------------ modules/servers/audiobookshelf.nix | 29 +++++------ modules/servers/bazarr.nix | 7 +-- modules/servers/flame.nix | 1 - modules/servers/homepage.nix | 5 +- modules/servers/jellyfin.nix | 1 - modules/servers/kavita.nix | 7 +-- modules/servers/lidarr.nix | 11 ++-- modules/servers/maloja.nix | 5 +- modules/servers/mealie.nix | 5 +- modules/servers/metube.nix | 6 +-- modules/servers/microbin.nix | 7 +-- modules/servers/multi-scrobbler.nix | 5 +- modules/servers/nextcloud.nix | 81 ++++++++++++++--------------- modules/servers/prowlarr.nix | 7 +-- modules/servers/qbittorrent.nix | 7 +-- modules/servers/radarr.nix | 6 +-- modules/servers/ryot.nix | 6 +-- modules/servers/shiori.nix | 7 +-- modules/servers/sonarr.nix | 6 +-- modules/servers/vaultwarden.nix | 7 +-- 22 files changed, 142 insertions(+), 171 deletions(-) diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index fbbfbac..9ec4ca1 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix @@ -16,12 +16,30 @@ ffmpreg.enable = true; ffmpeg4discord.enable = true; }; + servers = { + sonarr.enable = true; + radarr.enable = true; + lidarr.enable = true; + jellyfin.enable = true; + bazarr.enable = true; + kavita.enable = true; + }; }; - networking = { + networking = let + ports = [ + 2049 # idk + 8989 # sonarr + 7878 # radarr + 8686 # lidarr + 8096 # jellyfin + 6767 # bazarr + 5000 # kavita + ]; + in { hostName = "server"; firewall = { - allowedTCPPorts = [ 2049 ]; - allowedUDPPorts = [ 2049 ]; + allowedTCPPorts = ports; + allowedUDPPorts = ports; }; }; nixpkgs.hostPlatform = "x86_64-linux"; diff --git a/modules/servers.nix b/modules/servers.nix index 35e7f94..87fcbe6 100644 
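Review bot: In hosts/server/configuration.nix the shared `ports` list is assigned to both `allowedTCPPorts` and `allowedUDPPorts`, so the six web UIs (8989, 7878, 8686, 8096, 6767, 5000) are also opened over UDP, which HTTP services do not need. Opening the backend ports directly also makes the apps reachable in cleartext next to the nginx vhosts. This host does not set `my.enableProxy` in the visible lines, so that may be intended for LAN use; in that case `networking.firewall.interfaces."LAN_IFACE".allowedTCPPorts = ports;` (LAN_IFACE is a placeholder) would narrow the exposure to one interface. I would keep UDP to what 2049 actually needs, e.g. `allowedUDPPorts = [ 2049 ];`, and replace the `# idk` comment with the service that owns the port (2049 is the registered NFS port) so the rule can be audited later.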
--- a/modules/servers.nix +++ b/modules/servers.nix 
@@ -104,43 +104,47 @@ in { description = "localhost smtp email"; }; enableContainers = lib.mkEnableOption "enable"; + enableProxy = lib.mkEnableOption "enable"; }; config = { - my.enableContainers = lib.mkDefault false; - my.servers = { - jellyfin = { - enable = lib.mkDefault false; - enableCron = lib.mkDefault false; + my = { + enableContainers = lib.mkDefault false; + enableProxy = lib.mkDefault false; + servers = { + jellyfin = { + enable = lib.mkDefault false; + enableCron = lib.mkDefault false; + }; + nextcloud = { + enable = lib.mkDefault false; + enableCron = lib.mkDefault false; + }; + adguardhome.enable = lib.mkDefault false; + audiobookshelf.enable = lib.mkDefault false; + bazarr.enable = lib.mkDefault false; + collabora.enable = lib.mkDefault false; + flame.enable = lib.mkDefault false; + flameSecret.enable = lib.mkDefault false; + go-vod.enable = lib.mkDefault false; + homepage.enable = lib.mkDefault false; + kavita.enable = lib.mkDefault false; + lidarr.enable = lib.mkDefault false; + maloja.enable = lib.mkDefault false; + mealie.enable = lib.mkDefault false; + metube.enable = lib.mkDefault false; + microbin.enable = lib.mkDefault false; + multi-scrobbler.enable = lib.mkDefault false; + paperless.enable = lib.mkDefault false; + postgres.enable = lib.mkDefault false; + prowlarr.enable = lib.mkDefault false; + qbittorrent.enable = lib.mkDefault false; + radarr.enable = lib.mkDefault false; + ryot.enable = lib.mkDefault false; + shiori.enable = lib.mkDefault false; + sonarr.enable = lib.mkDefault false; + vaultwarden.enable = lib.mkDefault false; + firefly-iii.enable = lib.mkDefault false; }; - nextcloud = { - enable = lib.mkDefault false; - enableCron = lib.mkDefault false; - }; - adguardhome.enable = lib.mkDefault false; - audiobookshelf.enable = lib.mkDefault false; - bazarr.enable = lib.mkDefault false; - collabora.enable = lib.mkDefault false; - flame.enable = lib.mkDefault false; - flameSecret.enable = lib.mkDefault false; - go-vod.enable = 
lib.mkDefault false; - homepage.enable = lib.mkDefault false; - kavita.enable = lib.mkDefault false; - lidarr.enable = lib.mkDefault false; - maloja.enable = lib.mkDefault false; - mealie.enable = lib.mkDefault false; - metube.enable = lib.mkDefault false; - microbin.enable = lib.mkDefault false; - multi-scrobbler.enable = lib.mkDefault false; - paperless.enable = lib.mkDefault false; - postgres.enable = lib.mkDefault false; - prowlarr.enable = lib.mkDefault false; - qbittorrent.enable = lib.mkDefault false; - radarr.enable = lib.mkDefault false; - ryot.enable = lib.mkDefault false; - shiori.enable = lib.mkDefault false; - sonarr.enable = lib.mkDefault false; - vaultwarden.enable = lib.mkDefault false; - firefly-iii.enable = lib.mkDefault false; }; virtualisation = { containers.enable = true; @@ -162,6 +166,7 @@ in { defaults.email = config.my.email; }; services.nginx = { + enable = config.my.enableProxy; clientMaxBodySize = "4096m"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; }; diff --git a/modules/servers/audiobookshelf.nix b/modules/servers/audiobookshelf.nix index aa9a2e2..39eaf92 100644 --- a/modules/servers/audiobookshelf.nix +++ b/modules/servers/audiobookshelf.nix 
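Review bot: The new option in modules/servers.nix is declared as `enableProxy = lib.mkEnableOption "enable";`, which renders as "Whether to enable enable." and does not say that it controls nginx for every server module. Something like `enableProxy = lib.mkEnableOption "the nginx reverse proxy in front of the enabled servers";` would document it. `mkEnableOption` already defaults to false, so the added `enableProxy = lib.mkDefault false;` under `config.my` looks redundant. The options block starts before this hunk.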
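Review bot: With `enable = config.my.enableProxy;` in the `@@ -162,6 +166,7 @@` hunk and `enable = true` removed from every server module, a host that enables a server but leaves `my.enableProxy` at its default ends up with vhosts defined and no nginx running, and nothing in the evaluation reports it. For a service such as vaultwarden that means the TLS front end is silently absent, so I would add an `assertions` or `warnings` entry that fires when any `my.servers.*.enable` is true while `enableProxy` is false; whether it should be an error or a warning depends on how LAN-only hosts are meant to work. The value is also set at normal priority, so a host that sets `services.nginx.enable = true;` itself will hit a conflicting-definition error; `enable = lib.mkDefault config.my.enableProxy;` avoids that.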
@@ -4,27 +4,24 @@ in { options.my.servers.audiobookshelf = setup.mkOptions "audiobookshelf" "audiobooks" 5687; config = lib.mkIf config.my.servers.audiobookshelf.enable { - services ={ + services = { audiobookshelf = { enable = true; group = "piracy"; port = cfg.port; }; - nginx = { - enable = true; - virtualHosts."${cfg.host}" = proxy { - "/" = { - proxyPass = cfg.local; - extraConfig = '' - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_http_version 1.1; - proxy_redirect http:// https://; - ''; - }; + nginx.virtualHosts."${cfg.host}" = proxy { + "/" = { + proxyPass = cfg.local; + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_http_version 1.1; + proxy_redirect http:// https://; + ''; }; }; }; diff --git a/modules/servers/bazarr.nix b/modules/servers/bazarr.nix index 3657c32..9782045 100644 --- a/modules/servers/bazarr.nix +++ b/modules/servers/bazarr.nix @@ -6,11 +6,8 @@ enable = true; group = "piracy"; }; - nginx = { - enable = true; - virtualHosts."subs.${config.my.domain}" = - proxyReverse config.services.bazarr.listenPort // { }; - }; + nginx.virtualHosts."subs.${config.my.domain}" = + proxyReverse config.services.bazarr.listenPort // { }; }; }; } diff --git a/modules/servers/flame.nix b/modules/servers/flame.nix index 7ee0540..d8974c3 100644 --- a/modules/servers/flame.nix +++ b/modules/servers/flame.nix @@ -39,7 +39,6 @@ in { }; }; services.nginx = { - enable = true; virtualHosts."start.${config.my.domain}" = proxyReverse port // { }; virtualHosts."qampqwn4wprhqny8h8zj.${config.my.domain}" = proxyReverse portSecret // { }; 
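Review bot: In bazarr.nix the rewritten vhost line keeps the trailing `// { }`, which merges the helper's result with an empty attribute set and changes nothing. Dropping it gives `nginx.virtualHosts."subs.${config.my.domain}" = proxyReverse config.services.bazarr.listenPort;` and removes the awkwardly wrapped `// { }` continuation lines. The same applies to the vhost lines in the other modules this patch touches (homepage, kavita, lidarr, maloja, mealie, metube, microbin, multi-scrobbler, prowlarr, qbittorrent, radarr, ryot, shiori, sonarr, vaultwarden).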
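Review bot: In flame.nix the `qampqwn4wprhqny8h8zj.${config.my.domain}` vhost (and `xfwmrle6h6skqujbeizw.${config.my.domain}` in the qbittorrent.nix hunk) looks like it relies on an unguessable hostname to keep the service private. The name is committed here in clear, travels unencrypted in the TLS SNI field, and will appear in public Certificate Transparency logs if the `proxyReverse` helper requests an ACME certificate, which cannot be seen from this patch. I would treat these vhosts as public and put an explicit control on them, for example nginx `allow`/`deny` rules or `basicAuthFile` on the vhost. A comment such as `# hostname is not a secret; access is restricted by the rules below` next to the definition would record that intent.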
diff --git a/modules/servers/homepage.nix b/modules/servers/homepage.nix index 675194c..688d848 100644 --- a/modules/servers/homepage.nix +++ b/modules/servers/homepage.nix @@ -40,10 +40,7 @@ in { ]; }]; }; - nginx = { - enable = true; - virtualHosts."home.${config.my.domain}" = proxyReverse port // { }; - }; + nginx.virtualHosts."home.${config.my.domain}" = proxyReverse port // { }; }; }; } diff --git a/modules/servers/jellyfin.nix b/modules/servers/jellyfin.nix index 1934b75..872b266 100644 --- a/modules/servers/jellyfin.nix +++ b/modules/servers/jellyfin.nix @@ -10,7 +10,6 @@ in { group = "piracy"; }; nginx = { - enable = true; appendHttpConfig = '' # JELLYFIN proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=1d max_size=35000m; diff --git a/modules/servers/kavita.nix b/modules/servers/kavita.nix index ea7bd92..0ca2d61 100644 --- a/modules/servers/kavita.nix +++ b/modules/servers/kavita.nix @@ -15,11 +15,8 @@ enable = true; tokenKeyFile = config.sops.secrets.kavita-token.path; }; - nginx = { - enable = true; - virtualHosts."library.${config.my.domain}" = - proxyReverse config.services.kavita.port // { }; - }; + nginx.virtualHosts."library.${config.my.domain}" = + proxyReverse config.services.kavita.port // { }; }; }; } diff --git a/modules/servers/lidarr.nix b/modules/servers/lidarr.nix index a70ea37..6884db2 100644 --- a/modules/servers/lidarr.nix +++ b/modules/servers/lidarr.nix @@ -15,9 +15,9 @@ in { PGID = "100"; }; volumes = [ - "/mnt/pool/multimedia:/data" - "/mnt/pool/multimedia/media/Music:/music" - "/mnt/pool/multimedia/media/MusicVideos:/music-videos" + "/mnt/btrfs/multimedia:/data" + "/mnt/btrfs/multimedia/media/Music:/music" + "/mnt/btrfs/multimedia/media/MusicVideos:/music-videos" "${config.my.containerData}/lidarr/files:/config" "${config.my.containerData}/lidarr/custom-services.d:/custom-services.d" "${config.my.containerData}/lidarr/custom-cont-init.d:/custom-cont-init.d" 
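Review bot: The lidarr.nix volume change from `/mnt/pool/multimedia` to `/mnt/btrfs/multimedia` is unrelated to the nginx toggle and is not mentioned in the commit message, so it is easy to miss when this commit is reverted or cherry-picked. The mount point is now spelled three times in this list; a single binding such as `media = "/mnt/btrfs/multimedia";` in the module's `let` block (outside this hunk), used as `"${media}:/data"`, would keep the bind mounts in step. Whether other modules still reference `/mnt/pool` is not visible here and is worth checking.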
@@ -31,10 +31,7 @@ in { }; services = { lidarr.enable = true; - nginx = { - enable = true; - virtualHosts."${url}" = proxyReverseArr port // { }; - }; + nginx.virtualHosts."${url}" = proxyReverseArr port // { }; }; }; } diff --git a/modules/servers/maloja.nix b/modules/servers/maloja.nix index 69f341a..6156966 100644 --- a/modules/servers/maloja.nix +++ b/modules/servers/maloja.nix @@ -26,9 +26,6 @@ in { "flame.icon" = "bookmark-music"; }; }; - services.nginx = { - enable = true; - virtualHosts."${url}" = proxyReverse port // { }; - }; + services.nginx.virtualHosts."${url}" = proxyReverse port // { }; }; } diff --git a/modules/servers/mealie.nix b/modules/servers/mealie.nix index ff01565..a59fd5d 100644 --- a/modules/servers/mealie.nix +++ b/modules/servers/mealie.nix @@ -34,9 +34,6 @@ in { "flame.icon" = "fridge"; }; }; - services.nginx = { - enable = true; - virtualHosts."${domain}" = proxyReverse port // { }; - }; + services.nginx.virtualHosts."${domain}" = proxyReverse port // { }; }; } diff --git a/modules/servers/metube.nix b/modules/servers/metube.nix index 9906a49..955601e 100644 --- a/modules/servers/metube.nix +++ b/modules/servers/metube.nix @@ -15,9 +15,7 @@ in { YTDL_OPTIONS = ''{"cookiefile":"/cookies.txt"}''; }; }; - services.nginx = { - enable = true; - virtualHosts."bajameesta.${config.my.domain}" = proxyReverse port // { }; - }; + services.nginx.virtualHosts."bajameesta.${config.my.domain}" = + proxyReverse port // { }; }; } diff --git a/modules/servers/microbin.nix b/modules/servers/microbin.nix index c71518d..b74e6bf 100644 --- a/modules/servers/microbin.nix +++ b/modules/servers/microbin.nix @@ -17,11 +17,8 @@ MICROBIN_ENCRYPTION_SERVER_SIDE = true; }; }; - nginx = { - enable = true; - virtualHosts."copy.${config.my.domain}" = - proxyReverse config.services.microbin.settings.MICROBIN_PORT // { }; - }; + nginx.virtualHosts."copy.${config.my.domain}" = + proxyReverse config.services.microbin.settings.MICROBIN_PORT // { }; }; }; } 
diff --git a/modules/servers/multi-scrobbler.nix b/modules/servers/multi-scrobbler.nix index 50da582..a951554 100644 --- a/modules/servers/multi-scrobbler.nix +++ b/modules/servers/multi-scrobbler.nix @@ -29,9 +29,6 @@ in { "flame.icon" = "broadcast"; }; }; - services.nginx = { - enable = true; - virtualHosts."${domain}" = proxyReverse port // { }; - }; + services.nginx.virtualHosts."${domain}" = proxyReverse port // { }; }; } diff --git a/modules/servers/nextcloud.nix b/modules/servers/nextcloud.nix index 5dfed82..868ceb9 100644 --- a/modules/servers/nextcloud.nix +++ b/modules/servers/nextcloud.nix 
@@ -131,54 +131,51 @@ in { # phpExtraExtensions = all: [ all.pdlib all.bz2 ]; phpExtraExtensions = all: [ ]; }; - nginx = { - enable = true; - virtualHosts = { - ${config.services.nextcloud.hostName} = { + nginx.virtualHosts = { + ${config.services.nextcloud.hostName} = { + forceSSL = true; + enableACME = true; + http2 = true; + serverAliases = [ "cloud.rotehaare.art" ]; + locations = { + "/".proxyWebsockets = true; + "~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" = + { }; + }; + }; + "collabora.${config.my.domain}" = + lib.mkIf config.my.servers.collabora.enable { forceSSL = true; enableACME = true; http2 = true; - serverAliases = [ "cloud.rotehaare.art" ]; locations = { - "/".proxyWebsockets = true; - "~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" = - { }; - }; - }; - "collabora.${config.my.domain}" = - lib.mkIf config.my.servers.collabora.enable { - forceSSL = true; - enableACME = true; - http2 = true; - locations = { - # static files - "^~ /loleaflet" = { - proxyPass = collaboraProxy; - extraConfig = commonProxyConfig; - }; - # WOPI discovery URL - "^~ /hosting/discovery" = { - proxyPass = collaboraProxy; - extraConfig = commonProxyConfig; - }; - # Capabilities - "^~ /hosting/capabilities" = { - proxyPass = collaboraProxy; - extraConfig = commonProxyConfig; - }; - # download, presentation, image upload and websocket - "~ ^/lool" = { - proxyPass = collaboraProxy; - extraConfig = commonWebsocketConfig; - }; - # Admin Console websocket - "^~ /lool/adminws" = { - proxyPass = collaboraProxy; - extraConfig = commonWebsocketConfig; - }; + # static files + "^~ /loleaflet" = { + proxyPass = collaboraProxy; + extraConfig = commonProxyConfig; + }; + # WOPI discovery URL + "^~ /hosting/discovery" = { + proxyPass = collaboraProxy; + extraConfig = commonProxyConfig; + }; + # 
Capabilities + "^~ /hosting/capabilities" = { + proxyPass = collaboraProxy; + extraConfig = commonProxyConfig; + }; + # download, presentation, image upload and websocket + "~ ^/lool" = { + proxyPass = collaboraProxy; + extraConfig = commonWebsocketConfig; + }; + # Admin Console websocket + "^~ /lool/adminws" = { + proxyPass = collaboraProxy; + extraConfig = commonWebsocketConfig; }; }; - }; + }; }; }; virtualisation.oci-containers.containers = { diff --git a/modules/servers/prowlarr.nix b/modules/servers/prowlarr.nix index efdfec6..7930121 100644 --- a/modules/servers/prowlarr.nix +++ b/modules/servers/prowlarr.nix @@ -7,11 +7,8 @@ }; services = { prowlarr.enable = true; - nginx = { - enable = true; - virtualHosts."indexer.${config.my.domain}" = proxyReverseArr 9696 - // { }; - }; + nginx.virtualHosts."indexer.${config.my.domain}" = proxyReverseArr 9696 + // { }; }; virtualisation.oci-containers.containers.flaresolverr = { autoStart = true; diff --git a/modules/servers/qbittorrent.nix b/modules/servers/qbittorrent.nix index ac6be7d..f2d9801 100644 --- a/modules/servers/qbittorrent.nix +++ b/modules/servers/qbittorrent.nix @@ -74,11 +74,8 @@ in { }; }; }; - services.nginx = { - enable = true; - virtualHosts."xfwmrle6h6skqujbeizw.${config.my.domain}" = - proxyReverse port // { }; - }; + services.nginx.virtualHosts."xfwmrle6h6skqujbeizw.${config.my.domain}" = + proxyReverse port // { }; networking.firewall = { allowedTCPPorts = ports; allowedUDPPorts = ports; diff --git a/modules/servers/radarr.nix b/modules/servers/radarr.nix index 7900795..20d0d91 100644 --- a/modules/servers/radarr.nix +++ b/modules/servers/radarr.nix @@ -6,10 +6,8 @@ enable = true; group = "piracy"; }; - nginx = { - enable = true; - virtualHosts."movies.${config.my.domain}" = proxyReverseArr 7878 // { }; - }; + nginx.virtualHosts."movies.${config.my.domain}" = proxyReverseArr 7878 + // { }; }; }; } diff --git a/modules/servers/ryot.nix b/modules/servers/ryot.nix index 93252bc..3e6c1e9 100644 
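Review bot: In the nextcloud.nix hunk the `^~ /lool/adminws` location proxies Collabora's admin console websocket on the public `collabora.${config.my.domain}` vhost, and no access restriction is visible on it; `commonWebsocketConfig` is defined outside the hunk, so it may already contain one. If it does not, I would restrict that one location, e.g. `extraConfig = commonWebsocketConfig + "allow ADMIN_CIDR; deny all;";` with the ADMIN_CIDR placeholder replaced by the admin network. The block is only re-indented by this commit, but it now comes and goes with `my.enableProxy`, so a short comment stating which locations are meant to be internet-facing would help the next audit.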
--- a/modules/servers/ryot.nix +++ b/modules/servers/ryot.nix @@ -25,9 +25,7 @@ in { "flame.icon" = "radar"; }; }; - services.nginx = { - enable = true; - virtualHosts."tracker.${config.my.domain}" = proxyReverse port // { }; - }; + services.nginx.virtualHosts."tracker.${config.my.domain}" = + proxyReverse port // { }; }; } diff --git a/modules/servers/shiori.nix b/modules/servers/shiori.nix index 4c74325..ef690e4 100644 --- a/modules/servers/shiori.nix +++ b/modules/servers/shiori.nix @@ -13,11 +13,8 @@ environmentFile = config.sops.secrets.shiori.path; databaseUrl = "postgres:///shiori?host=${config.my.postgresSocket}"; }; - nginx = { - enable = true; - virtualHosts."bookmarks.${config.my.domain}" = - proxyReverse config.services.shiori.port // { }; - }; + nginx.virtualHosts."bookmarks.${config.my.domain}" = + proxyReverse config.services.shiori.port // { }; }; }; } diff --git a/modules/servers/sonarr.nix b/modules/servers/sonarr.nix index 9facb0e..d5e45cd 100644 --- a/modules/servers/sonarr.nix +++ b/modules/servers/sonarr.nix @@ -6,10 +6,8 @@ enable = true; group = "piracy"; }; - nginx = { - enable = true; - virtualHosts."series.${config.my.domain}" = proxyReverse 8989 // { }; - }; + nginx.virtualHosts."series.${config.my.domain}" = proxyReverse 8989 + // { }; }; }; } diff --git a/modules/servers/vaultwarden.nix b/modules/servers/vaultwarden.nix index cf2052c..f19867f 100644 --- a/modules/servers/vaultwarden.nix +++ b/modules/servers/vaultwarden.nix @@ -22,11 +22,8 @@ LOG_LEVEL = "warn"; }; }; - nginx = { - enable = true; - virtualHosts."vault.${config.my.domain}" = - proxyReverse config.services.vaultwarden.config.ROCKET_PORT // { }; - }; + nginx.virtualHosts."vault.${config.my.domain}" = + proxyReverse config.services.vaultwarden.config.ROCKET_PORT // { }; }; }; }
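Review bot: sonarr.nix builds its vhost with `proxyReverse 8989` while radarr, lidarr and prowlarr use `proxyReverseArr`. Both helpers are defined outside this patch, so I cannot tell what the Arr variant adds, but if it carries extra proxy settings for the *arr apps then sonarr is missing them. If the difference is intentional, a comment such as `# sonarr does not need the Arr-specific proxy settings` would stop the next reader from changing it; otherwise the line should read `nginx.virtualHosts."series.${config.my.domain}" = proxyReverseArr 8989;`.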