kopatz/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add stash

Browse Source
This commit is contained in:
Kopatz
2024-06-02 10:43:44 +02:00
parent 1b3110afa8
commit 5067079aa9
5 changed files with 72 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

107
modules/services/nginx.nix
View File

@@ -1,21 +1,24 @@
{ config, pkgs, lib, inputs, ... }:
with lib;
let
cfg = config.custom.services.nginx;
in
{
let cfg = config.custom.services.nginx;
in {
options.custom.services.nginx = {
enable = mkEnableOption "Enables nginx";
https = mkOption {
type = types.bool;
default = true;
description = "Should it use https?";
};
enable = mkEnableOption "Enables nginx";
https = mkOption {
type = types.bool;
default = true;
description = "Should it use https?";
};
};
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 80 443 ];
age.secrets.stash-auth = {
file = ../../secrets/stash-auth.age;
owner = "nginx";
};
systemd.tmpfiles.rules = [
"d /data 0770 github-actions-runner nginx -"
"d /data/website 0770 github-actions-runner nginx -"
@@ -31,56 +34,62 @@ in
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
statusPage = lib.mkIf config.services.prometheus.exporters.nginx.enable true;
statusPage =
lib.mkIf config.services.prometheus.exporters.nginx.enable true;
# Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig= ''
more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains';
more_set_headers 'X-XSS-Protection 1; mode=block';
# add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
more_set_headers 'X-Content-Type-Options nosniff';
more_set_headers "Content-Security-Policy: frame-ancestors https://kopatz.ddns.net";
more_set_headers "Referrer-Policy: same-origin";
more_set_headers "Permissions-Policy: geolocation=(), microphone=()";
appendHttpConfig = ''
more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains';
more_set_headers 'X-XSS-Protection 1; mode=block';
# add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
more_set_headers 'X-Content-Type-Options nosniff';
more_set_headers "Content-Security-Policy: frame-ancestors https://kopatz.ddns.net";
more_set_headers "Referrer-Policy: same-origin";
more_set_headers "Permissions-Policy: geolocation=(), microphone=()";
'';
virtualHosts = {
"kopatz.ddns.net" = {
serverAliases = [
# "www.kopatz.ddns.net"
# "server.home"
# "server.home.arpa"
# "192.168.0.6"
# "localhost"
# "www.kopatz.ddns.net"
# "server.home"
# "server.home.arpa"
# "192.168.0.6"
# "localhost"
];
root = pkgs.kop-website;
forceSSL = cfg.https;
enableACME = cfg.https;
quic = cfg.https;
http3 = cfg.https;
locations."~* \\.(jpg|png)$".extraConfig= ''
add_header Access-Control-Allow-Origin *;
'';
locations."~ ^/(stash|resources|css)".extraConfig=''
client_max_body_size 5000M;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:5091;
'';
locations."/tracker-site" = {
tryFiles = "$uri $uri/ /tracker-site/index.html =404";
};
locations."/tracker-site/api" = {
extraConfig =''
rewrite /tracker-site/api/(.*) /$1 break;
locations = {
"~* \\.(jpg|png)$".extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
proxyPass = "http://127.0.0.1:8080";
"/stash" = {
basicAuthFile = age.secrets.stash-auth.file;
extraConfig = ''
client_max_body_size 5000M;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:7777;
'';
};
"/tracker-site" = {
tryFiles = "$uri $uri/ /tracker-site/index.html =404";
};
"/tracker-site/api" = {
extraConfig = ''
rewrite /tracker-site/api/(.*) /$1 break;
'';
proxyPass = "http://127.0.0.1:8080";
};
};
};
#discord bot for tracking useractivity public version
@@ -93,19 +102,17 @@ in
enableACME = cfg.https;
quic = cfg.https;
http3 = cfg.https;
locations."/" = {
tryFiles = "$uri $uri/ /index.html =404";
};
locations."/" = { tryFiles = "$uri $uri/ /index.html =404"; };
locations."/api" = {
extraConfig =''
rewrite /api/(.*) /$1 break;
extraConfig = ''
rewrite /api/(.*) /$1 break;
'';
proxyPass = "http://127.0.0.1:8081";
};
};
"adguard.home.arpa" = {
locations."/".proxyPass = "http://127.0.0.1:3000";
};
};
};
};
};

1
secrets/secrets.nix
View File

@@ -27,4 +27,5 @@ in
"grafana-contact-points.age".publicKeys = [ mini-pc server kop ];
"fileshelter-conf.age".publicKeys = [ mini-pc server kop ];
"webhook.age".publicKeys = [ mini-pc server kop ];
"stash-auth.age".publicKeys = [ mini-pc server kop ];
}

12
secrets/stash-auth.age Normal file
View File

@@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 su0Eyw +VIlBI3Dz8nY5ifjwFXkKh8WFVEMbNAQtaJZ5i1vxTM
IqI7A62j4yC/UIQasFW9KtVcB7ILg2o/k3etWOz8jRw
-> ssh-ed25519 IV3DkQ 14R6yP4LHgNFHvBQoxdRcV0T2ETRp/qZeD+HquKNRzQ
XtcaaDXn/xN6eV42TdyK/vEJ/GcJX69WLCh61UuHdOc
-> ssh-ed25519 DCzi1A Ra23RRc0x2mPCj3CdtzgDUQDmJpyVuAQkup1xenulGY
w971HT7+UAz7of1FdCmxPTN4Ww1NwN+wnoUptZcBIHg
--- MqLymPsV3XHYyFlM1yRFkLT/9nojHs/Y8xqX2RAtS+g
˜U¥ìAmXŠé0OüØvP`E9׈
Ô¶´q¤ž¨É !§JôŒ©x>]ÏlZèãˆd¹š<C2B9>‰J
€±«a­ ì1
u »à³yC^d<>3§ß¦xåoð—KØc¢

2
systems/mini-pc/configuration.nix
View File

@@ -55,9 +55,9 @@
services = {
acme.enable = true;
kop-monitor.enable = true;
kop-fileshare.enable = true;
nginx.enable = true;
ente.enable = true;
fileshelter.enable = true;
kavita = {
enable = true;
dir = "/data/kavita";

2
systems/vm/configuration.nix
View File

@@ -29,7 +29,7 @@
"localhost" = {
forceSSL = false;
enableACME = false;
locations."/".proxyPass = "http://127.0.0.1:4000";
locations."/".proxyPass = "http://127.0.0.1:7777";
};
};
};