servers now have an unique toggle for nginx

2024-08-24 20:55:42 -06:00 · 2024-08-24 20:55:42 -06:00 · fb1a44d2ca
commit fb1a44d2ca
parent ad97dcf385
22 changed files with 142 additions and 171 deletions
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@ -16,12 +16,30 @@
      ffmpreg.enable = true;
      ffmpeg4discord.enable = true;
    };
    servers = {
      sonarr.enable = true;
      radarr.enable = true;
      lidarr.enable = true;
      jellyfin.enable = true;
      bazarr.enable = true;
      kavita.enable = true;
    };
  };
-  networking = {
+  networking = let
    ports = [
      2049 # idk
      8989 # sonarr
      7878 # radarr
      8686 # lidarr
      8096 # jellyfin
      6767 # bazarr
      5000 # kavita
    ];
  in {
    hostName = "server";
    firewall = {
-      allowedTCPPorts = [ 2049 ];
+      allowedTCPPorts = ports;
-      allowedUDPPorts = [ 2049 ];
+      allowedUDPPorts = ports;
    };
  };
  nixpkgs.hostPlatform = "x86_64-linux";
--- a/modules/servers.nix
+++ b/modules/servers.nix
@ -104,43 +104,47 @@ in {
      description = "localhost smtp email";
    };
    enableContainers = lib.mkEnableOption "enable";
    enableProxy = lib.mkEnableOption "enable";
  };
  config = {
-    my.enableContainers = lib.mkDefault false;
+    my = {
-    my.servers = {
+      enableContainers = lib.mkDefault false;
-      jellyfin = {
+      enableProxy = lib.mkDefault false;
-        enable = lib.mkDefault false;
+      servers = {
-        enableCron = lib.mkDefault false;
+        jellyfin = {
          enable = lib.mkDefault false;
          enableCron = lib.mkDefault false;
        };
        nextcloud = {
          enable = lib.mkDefault false;
          enableCron = lib.mkDefault false;
        };
        adguardhome.enable = lib.mkDefault false;
        audiobookshelf.enable = lib.mkDefault false;
        bazarr.enable = lib.mkDefault false;
        collabora.enable = lib.mkDefault false;
        flame.enable = lib.mkDefault false;
        flameSecret.enable = lib.mkDefault false;
        go-vod.enable = lib.mkDefault false;
        homepage.enable = lib.mkDefault false;
        kavita.enable = lib.mkDefault false;
        lidarr.enable = lib.mkDefault false;
        maloja.enable = lib.mkDefault false;
        mealie.enable = lib.mkDefault false;
        metube.enable = lib.mkDefault false;
        microbin.enable = lib.mkDefault false;
        multi-scrobbler.enable = lib.mkDefault false;
        paperless.enable = lib.mkDefault false;
        postgres.enable = lib.mkDefault false;
        prowlarr.enable = lib.mkDefault false;
        qbittorrent.enable = lib.mkDefault false;
        radarr.enable = lib.mkDefault false;
        ryot.enable = lib.mkDefault false;
        shiori.enable = lib.mkDefault false;
        sonarr.enable = lib.mkDefault false;
        vaultwarden.enable = lib.mkDefault false;
        firefly-iii.enable = lib.mkDefault false;
      };
      nextcloud = {
        enable = lib.mkDefault false;
        enableCron = lib.mkDefault false;
      };
      adguardhome.enable = lib.mkDefault false;
      audiobookshelf.enable = lib.mkDefault false;
      bazarr.enable = lib.mkDefault false;
      collabora.enable = lib.mkDefault false;
      flame.enable = lib.mkDefault false;
      flameSecret.enable = lib.mkDefault false;
      go-vod.enable = lib.mkDefault false;
      homepage.enable = lib.mkDefault false;
      kavita.enable = lib.mkDefault false;
      lidarr.enable = lib.mkDefault false;
      maloja.enable = lib.mkDefault false;
      mealie.enable = lib.mkDefault false;
      metube.enable = lib.mkDefault false;
      microbin.enable = lib.mkDefault false;
      multi-scrobbler.enable = lib.mkDefault false;
      paperless.enable = lib.mkDefault false;
      postgres.enable = lib.mkDefault false;
      prowlarr.enable = lib.mkDefault false;
      qbittorrent.enable = lib.mkDefault false;
      radarr.enable = lib.mkDefault false;
      ryot.enable = lib.mkDefault false;
      shiori.enable = lib.mkDefault false;
      sonarr.enable = lib.mkDefault false;
      vaultwarden.enable = lib.mkDefault false;
      firefly-iii.enable = lib.mkDefault false;
    };
    virtualisation = {
      containers.enable = true;
@ -162,6 +166,7 @@ in {
      defaults.email = config.my.email;
    };
    services.nginx = {
      enable = config.my.enableProxy;
      clientMaxBodySize = "4096m";
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    };
--- a/modules/servers/audiobookshelf.nix
+++ b/modules/servers/audiobookshelf.nix
@ -4,27 +4,24 @@ in {
  options.my.servers.audiobookshelf =
    setup.mkOptions "audiobookshelf" "audiobooks" 5687;
  config = lib.mkIf config.my.servers.audiobookshelf.enable {
-    services ={
+    services = {
      audiobookshelf = {
        enable = true;
        group = "piracy";
        port = cfg.port;
      };
-      nginx = {
+      nginx.virtualHosts."${cfg.host}" = proxy {
-        enable = true;
+        "/" = {
-        virtualHosts."${cfg.host}" = proxy {
+          proxyPass = cfg.local;
-          "/" = {
+          extraConfig = ''
-            proxyPass = cfg.local;
+            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-            extraConfig = ''
+            proxy_set_header X-Forwarded-Proto $scheme;
-              proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header Host              $host;
-              proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Upgrade           $http_upgrade;
-              proxy_set_header Host              $host;
+            proxy_set_header Connection        "upgrade";
-              proxy_set_header Upgrade           $http_upgrade;
+            proxy_http_version                  1.1;
-              proxy_set_header Connection        "upgrade";
+            proxy_redirect                      http:// https://;
-              proxy_http_version                  1.1;
+          '';
              proxy_redirect                      http:// https://;
            '';
          };
        };
      };
    };
--- a/modules/servers/bazarr.nix
+++ b/modules/servers/bazarr.nix
@ -6,11 +6,8 @@
        enable = true;
        group = "piracy";
      };
-      nginx = {
+      nginx.virtualHosts."subs.${config.my.domain}" =
-        enable = true;
+        proxyReverse config.services.bazarr.listenPort // { };
        virtualHosts."subs.${config.my.domain}" =
          proxyReverse config.services.bazarr.listenPort // { };
      };
    };
  };
 }
--- a/modules/servers/flame.nix
+++ b/modules/servers/flame.nix
@ -39,7 +39,6 @@ in {
      };
    };
    services.nginx = {
      enable = true;
      virtualHosts."start.${config.my.domain}" = proxyReverse port // { };
      virtualHosts."qampqwn4wprhqny8h8zj.${config.my.domain}" =
        proxyReverse portSecret // { };
--- a/modules/servers/homepage.nix
+++ b/modules/servers/homepage.nix
@ -40,10 +40,7 @@ in {
          ];
        }];
      };
-      nginx = {
+      nginx.virtualHosts."home.${config.my.domain}" = proxyReverse port // { };
        enable = true;
        virtualHosts."home.${config.my.domain}" = proxyReverse port // { };
      };
    };
  };
 }
--- a/modules/servers/jellyfin.nix
+++ b/modules/servers/jellyfin.nix
@ -10,7 +10,6 @@ in {
        group = "piracy";
      };
      nginx = {
        enable = true;
        appendHttpConfig = ''
          # JELLYFIN
          proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=1d max_size=35000m;
--- a/modules/servers/kavita.nix
+++ b/modules/servers/kavita.nix
@ -15,11 +15,8 @@
        enable = true;
        tokenKeyFile = config.sops.secrets.kavita-token.path;
      };
-      nginx = {
+      nginx.virtualHosts."library.${config.my.domain}" =
-        enable = true;
+        proxyReverse config.services.kavita.port // { };
        virtualHosts."library.${config.my.domain}" =
          proxyReverse config.services.kavita.port // { };
      };
    };
  };
 }
--- a/modules/servers/lidarr.nix
+++ b/modules/servers/lidarr.nix
@ -15,9 +15,9 @@ in {
        PGID = "100";
      };
      volumes = [
-        "/mnt/pool/multimedia:/data"
+        "/mnt/btrfs/multimedia:/data"
-        "/mnt/pool/multimedia/media/Music:/music"
+        "/mnt/btrfs/multimedia/media/Music:/music"
-        "/mnt/pool/multimedia/media/MusicVideos:/music-videos"
+        "/mnt/btrfs/multimedia/media/MusicVideos:/music-videos"
        "${config.my.containerData}/lidarr/files:/config"
        "${config.my.containerData}/lidarr/custom-services.d:/custom-services.d"
        "${config.my.containerData}/lidarr/custom-cont-init.d:/custom-cont-init.d"
@ -31,10 +31,7 @@ in {
    };
    services = {
      lidarr.enable = true;
-      nginx = {
+      nginx.virtualHosts."${url}" = proxyReverseArr port // { };
        enable = true;
        virtualHosts."${url}" = proxyReverseArr port // { };
      };
    };
  };
 }
--- a/modules/servers/maloja.nix
+++ b/modules/servers/maloja.nix
@ -26,9 +26,6 @@ in {
        "flame.icon" = "bookmark-music";
      };
    };
-    services.nginx = {
+    services.nginx.virtualHosts."${url}" = proxyReverse port // { };
      enable = true;
      virtualHosts."${url}" = proxyReverse port // { };
    };
  };
 }
--- a/modules/servers/mealie.nix
+++ b/modules/servers/mealie.nix
@ -34,9 +34,6 @@ in {
        "flame.icon" = "fridge";
      };
    };
-    services.nginx = {
+    services.nginx.virtualHosts."${domain}" = proxyReverse port // { };
      enable = true;
      virtualHosts."${domain}" = proxyReverse port // { };
    };
  };
 }
--- a/modules/servers/metube.nix
+++ b/modules/servers/metube.nix
@ -15,9 +15,7 @@ in {
        YTDL_OPTIONS = ''{"cookiefile":"/cookies.txt"}'';
      };
    };
-    services.nginx = {
+    services.nginx.virtualHosts."bajameesta.${config.my.domain}" =
-      enable = true;
+      proxyReverse port // { };
      virtualHosts."bajameesta.${config.my.domain}" = proxyReverse port // { };
    };
  };
 }
--- a/modules/servers/microbin.nix
+++ b/modules/servers/microbin.nix
@ -17,11 +17,8 @@
          MICROBIN_ENCRYPTION_SERVER_SIDE = true;
        };
      };
-      nginx = {
+      nginx.virtualHosts."copy.${config.my.domain}" =
-        enable = true;
+        proxyReverse config.services.microbin.settings.MICROBIN_PORT // { };
        virtualHosts."copy.${config.my.domain}" =
          proxyReverse config.services.microbin.settings.MICROBIN_PORT // { };
      };
    };
  };
 }
--- a/modules/servers/multi-scrobbler.nix
+++ b/modules/servers/multi-scrobbler.nix
@ -29,9 +29,6 @@ in {
        "flame.icon" = "broadcast";
      };
    };
-    services.nginx = {
+    services.nginx.virtualHosts."${domain}" = proxyReverse port // { };
      enable = true;
      virtualHosts."${domain}" = proxyReverse port // { };
    };
  };
 }
--- a/modules/servers/nextcloud.nix
+++ b/modules/servers/nextcloud.nix
@ -131,54 +131,51 @@ in {
          # phpExtraExtensions = all: [ all.pdlib all.bz2 ];
          phpExtraExtensions = all: [ ];
        };
-        nginx = {
+        nginx.virtualHosts = {
-          enable = true;
+          ${config.services.nextcloud.hostName} = {
-          virtualHosts = {
+            forceSSL = true;
-            ${config.services.nextcloud.hostName} = {
+            enableACME = true;
            http2 = true;
            serverAliases = [ "cloud.rotehaare.art" ];
            locations = {
              "/".proxyWebsockets = true;
              "~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
                { };
            };
          };
          "collabora.${config.my.domain}" =
            lib.mkIf config.my.servers.collabora.enable {
              forceSSL = true;
              enableACME = true;
              http2 = true;
              serverAliases = [ "cloud.rotehaare.art" ];
              locations = {
-                "/".proxyWebsockets = true;
+                # static files
-                "~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
+                "^~ /loleaflet" = {
-                  { };
+                  proxyPass = collaboraProxy;
-              };
+                  extraConfig = commonProxyConfig;
-            };
+                };
-            "collabora.${config.my.domain}" =
+                # WOPI discovery URL
-              lib.mkIf config.my.servers.collabora.enable {
+                "^~ /hosting/discovery" = {
-                forceSSL = true;
+                  proxyPass = collaboraProxy;
-                enableACME = true;
+                  extraConfig = commonProxyConfig;
-                http2 = true;
+                };
-                locations = {
+                # Capabilities
-                  # static files
+                "^~ /hosting/capabilities" = {
-                  "^~ /loleaflet" = {
+                  proxyPass = collaboraProxy;
-                    proxyPass = collaboraProxy;
+                  extraConfig = commonProxyConfig;
-                    extraConfig = commonProxyConfig;
+                };
-                  };
+                # download, presentation, image upload and websocket
-                  # WOPI discovery URL
+                "~ ^/lool" = {
-                  "^~ /hosting/discovery" = {
+                  proxyPass = collaboraProxy;
-                    proxyPass = collaboraProxy;
+                  extraConfig = commonWebsocketConfig;
-                    extraConfig = commonProxyConfig;
+                };
-                  };
+                # Admin Console websocket
-                  # Capabilities
+                "^~ /lool/adminws" = {
-                  "^~ /hosting/capabilities" = {
+                  proxyPass = collaboraProxy;
-                    proxyPass = collaboraProxy;
+                  extraConfig = commonWebsocketConfig;
                    extraConfig = commonProxyConfig;
                  };
                  # download, presentation, image upload and websocket
                  "~ ^/lool" = {
                    proxyPass = collaboraProxy;
                    extraConfig = commonWebsocketConfig;
                  };
                  # Admin Console websocket
                  "^~ /lool/adminws" = {
                    proxyPass = collaboraProxy;
                    extraConfig = commonWebsocketConfig;
                  };
                };
              };
-          };
+            };
        };
      };
      virtualisation.oci-containers.containers = {
--- a/modules/servers/prowlarr.nix
+++ b/modules/servers/prowlarr.nix
@ -7,11 +7,8 @@
    };
    services = {
      prowlarr.enable = true;
-      nginx = {
+      nginx.virtualHosts."indexer.${config.my.domain}" = proxyReverseArr 9696
-        enable = true;
+        // { };
        virtualHosts."indexer.${config.my.domain}" = proxyReverseArr 9696
          // { };
      };
    };
    virtualisation.oci-containers.containers.flaresolverr = {
      autoStart = true;
--- a/modules/servers/qbittorrent.nix
+++ b/modules/servers/qbittorrent.nix
@ -74,11 +74,8 @@ in {
        };
      };
    };
-    services.nginx = {
+    services.nginx.virtualHosts."xfwmrle6h6skqujbeizw.${config.my.domain}" =
-      enable = true;
+      proxyReverse port // { };
      virtualHosts."xfwmrle6h6skqujbeizw.${config.my.domain}" =
        proxyReverse port // { };
    };
    networking.firewall = {
      allowedTCPPorts = ports;
      allowedUDPPorts = ports;
--- a/modules/servers/radarr.nix
+++ b/modules/servers/radarr.nix
@ -6,10 +6,8 @@
        enable = true;
        group = "piracy";
      };
-      nginx = {
+      nginx.virtualHosts."movies.${config.my.domain}" = proxyReverseArr 7878
-        enable = true;
+        // { };
        virtualHosts."movies.${config.my.domain}" = proxyReverseArr 7878 // { };
      };
    };
  };
 }
--- a/modules/servers/ryot.nix
+++ b/modules/servers/ryot.nix
@ -25,9 +25,7 @@ in {
          "flame.icon" = "radar";
        };
      };
-      services.nginx = {
+      services.nginx.virtualHosts."tracker.${config.my.domain}" =
-        enable = true;
+        proxyReverse port // { };
        virtualHosts."tracker.${config.my.domain}" = proxyReverse port // { };
      };
    };
 }
--- a/modules/servers/shiori.nix
+++ b/modules/servers/shiori.nix
@ -13,11 +13,8 @@
          environmentFile = config.sops.secrets.shiori.path;
          databaseUrl = "postgres:///shiori?host=${config.my.postgresSocket}";
        };
-        nginx = {
+        nginx.virtualHosts."bookmarks.${config.my.domain}" =
-          enable = true;
+          proxyReverse config.services.shiori.port // { };
          virtualHosts."bookmarks.${config.my.domain}" =
            proxyReverse config.services.shiori.port // { };
        };
      };
    };
 }
--- a/modules/servers/sonarr.nix
+++ b/modules/servers/sonarr.nix
@ -6,10 +6,8 @@
        enable = true;
        group = "piracy";
      };
-      nginx = {
+      nginx.virtualHosts."series.${config.my.domain}" = proxyReverse 8989
-        enable = true;
+        // { };
        virtualHosts."series.${config.my.domain}" = proxyReverse 8989 // { };
      };
    };
  };
 }
--- a/modules/servers/vaultwarden.nix
+++ b/modules/servers/vaultwarden.nix
@ -22,11 +22,8 @@
            LOG_LEVEL = "warn";
          };
        };
-        nginx = {
+        nginx.virtualHosts."vault.${config.my.domain}" =
-          enable = true;
+          proxyReverse config.services.vaultwarden.config.ROCKET_PORT // { };
          virtualHosts."vault.${config.my.domain}" =
            proxyReverse config.services.vaultwarden.config.ROCKET_PORT // { };
        };
      };
    };
 }