kopatz/nix-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add stash

Browse Source
This commit is contained in:
Kopatz
2024-06-02 10:43:44 +02:00
parent 1b3110afa8
commit 5067079aa9
5 changed files with 72 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
modules/services/nginx.nix
View File

@@ -1,9 +1,7 @@
{ config, pkgs, lib, inputs, ... }: { config, pkgs, lib, inputs, ... }:
with lib; with lib;
let let cfg = config.custom.services.nginx;
cfg = config.custom.services.nginx; in {
in
{
options.custom.services.nginx = { options.custom.services.nginx = {
enable = mkEnableOption "Enables nginx"; enable = mkEnableOption "Enables nginx";
https = mkOption { https = mkOption {
@@ -16,6 +14,11 @@ in
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 80 443 ]; networking.firewall.allowedUDPPorts = [ 80 443 ];
age.secrets.stash-auth = {
file = ../../secrets/stash-auth.age;
owner = "nginx";
};
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /data 0770 github-actions-runner nginx -" "d /data 0770 github-actions-runner nginx -"
"d /data/website 0770 github-actions-runner nginx -" "d /data/website 0770 github-actions-runner nginx -"
@@ -31,7 +34,8 @@ in
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
statusPage = lib.mkIf config.services.prometheus.exporters.nginx.enable true; statusPage =
lib.mkIf config.services.prometheus.exporters.nginx.enable true;
# Only allow PFS-enabled ciphers with AES256 # Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
@@ -60,10 +64,13 @@ in
enableACME = cfg.https; enableACME = cfg.https;
quic = cfg.https; quic = cfg.https;
http3 = cfg.https; http3 = cfg.https;
locations."~* \\.(jpg|png)$".extraConfig= '' locations = {
"~* \\.(jpg|png)$".extraConfig = ''
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
''; '';
locations."~ ^/(stash|resources|css)".extraConfig='' "/stash" = {
basicAuthFile = age.secrets.stash-auth.file;
extraConfig = ''
client_max_body_size 5000M; client_max_body_size 5000M;
proxy_redirect off; proxy_redirect off;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -71,18 +78,20 @@ in
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true; proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:5091; proxy_pass http://localhost:7777;
''; '';
locations."/tracker-site" = { };
"/tracker-site" = {
tryFiles = "$uri $uri/ /tracker-site/index.html =404"; tryFiles = "$uri $uri/ /tracker-site/index.html =404";
}; };
locations."/tracker-site/api" = { "/tracker-site/api" = {
extraConfig = '' extraConfig = ''
rewrite /tracker-site/api/(.*) /$1 break; rewrite /tracker-site/api/(.*) /$1 break;
''; '';
proxyPass = "http://127.0.0.1:8080"; proxyPass = "http://127.0.0.1:8080";
}; };
}; };
};
#discord bot for tracking useractivity public version #discord bot for tracking useractivity public version
"activitytracker.site" = { "activitytracker.site" = {
#serverAliases = [ #serverAliases = [
@@ -93,9 +102,7 @@ in
enableACME = cfg.https; enableACME = cfg.https;
quic = cfg.https; quic = cfg.https;
http3 = cfg.https; http3 = cfg.https;
locations."/" = { locations."/" = { tryFiles = "$uri $uri/ /index.html =404"; };
tryFiles = "$uri $uri/ /index.html =404";
};
locations."/api" = { locations."/api" = {
extraConfig = '' extraConfig = ''
rewrite /api/(.*) /$1 break; rewrite /api/(.*) /$1 break;

1
secrets/secrets.nix
View File

@@ -27,4 +27,5 @@ in
"grafana-contact-points.age".publicKeys = [ mini-pc server kop ]; "grafana-contact-points.age".publicKeys = [ mini-pc server kop ];
"fileshelter-conf.age".publicKeys = [ mini-pc server kop ]; "fileshelter-conf.age".publicKeys = [ mini-pc server kop ];
"webhook.age".publicKeys = [ mini-pc server kop ]; "webhook.age".publicKeys = [ mini-pc server kop ];
"stash-auth.age".publicKeys = [ mini-pc server kop ];
} }

12
secrets/stash-auth.age Normal file
View File

@@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 su0Eyw +VIlBI3Dz8nY5ifjwFXkKh8WFVEMbNAQtaJZ5i1vxTM
IqI7A62j4yC/UIQasFW9KtVcB7ILg2o/k3etWOz8jRw
-> ssh-ed25519 IV3DkQ 14R6yP4LHgNFHvBQoxdRcV0T2ETRp/qZeD+HquKNRzQ
XtcaaDXn/xN6eV42TdyK/vEJ/GcJX69WLCh61UuHdOc
-> ssh-ed25519 DCzi1A Ra23RRc0x2mPCj3CdtzgDUQDmJpyVuAQkup1xenulGY
w971HT7+UAz7of1FdCmxPTN4Ww1NwN+wnoUptZcBIHg
--- MqLymPsV3XHYyFlM1yRFkLT/9nojHs/Y8xqX2RAtS+g
˜U¥ìAmXŠé0OüØvP`E9׈
Ô¶´q¤ž¨É !§JôŒ©x>]ÏlZèãˆd¹š<C2B9>‰J
€±«a­ ì1
u »à³yC^d<>3§ß¦xåoð—KØc¢

2
systems/mini-pc/configuration.nix
View File

@@ -55,9 +55,9 @@
services = { services = {
acme.enable = true; acme.enable = true;
kop-monitor.enable = true; kop-monitor.enable = true;
kop-fileshare.enable = true;
nginx.enable = true; nginx.enable = true;
ente.enable = true; ente.enable = true;
fileshelter.enable = true;
kavita = { kavita = {
enable = true; enable = true;
dir = "/data/kavita"; dir = "/data/kavita";

2
systems/vm/configuration.nix
View File

@@ -29,7 +29,7 @@
"localhost" = { "localhost" = {
forceSSL = false; forceSSL = false;
enableACME = false; enableACME = false;
locations."/".proxyPass = "http://127.0.0.1:4000"; locations."/".proxyPass = "http://127.0.0.1:7777";
}; };
}; };
}; };