add stash

This commit is contained in:
Kopatz
2024-06-02 10:43:44 +02:00
parent 1b3110afa8
commit 5067079aa9
5 changed files with 72 additions and 52 deletions


@@ -1,21 +1,24 @@
{ config, pkgs, lib, inputs, ... }: { config, pkgs, lib, inputs, ... }:
with lib; with lib;
let let cfg = config.custom.services.nginx;
cfg = config.custom.services.nginx; in {
in
{
options.custom.services.nginx = { options.custom.services.nginx = {
enable = mkEnableOption "Enables nginx"; enable = mkEnableOption "Enables nginx";
https = mkOption { https = mkOption {
type = types.bool; type = types.bool;
default = true; default = true;
description = "Should it use https?"; description = "Should it use https?";
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 80 443 ]; networking.firewall.allowedUDPPorts = [ 80 443 ];
age.secrets.stash-auth = {
file = ../../secrets/stash-auth.age;
owner = "nginx";
};
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /data 0770 github-actions-runner nginx -" "d /data 0770 github-actions-runner nginx -"
"d /data/website 0770 github-actions-runner nginx -" "d /data/website 0770 github-actions-runner nginx -"
@@ -31,56 +34,62 @@ in
recommendedOptimisation = true; recommendedOptimisation = true;
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
statusPage = lib.mkIf config.services.prometheus.exporters.nginx.enable true; statusPage =
lib.mkIf config.services.prometheus.exporters.nginx.enable true;
# Only allow PFS-enabled ciphers with AES256 # Only allow PFS-enabled ciphers with AES256
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig= '' appendHttpConfig = ''
more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains'; more_set_headers 'Strict-Transport-Security: max-age=31536000; includeSubDomains';
more_set_headers 'X-XSS-Protection 1; mode=block'; more_set_headers 'X-XSS-Protection 1; mode=block';
# add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net'; # add_header X-Frame-Options 'ALLOW-FROM kopatz.ddns.net';
more_set_headers 'X-Content-Type-Options nosniff'; more_set_headers 'X-Content-Type-Options nosniff';
more_set_headers "Content-Security-Policy: frame-ancestors https://kopatz.ddns.net"; more_set_headers "Content-Security-Policy: frame-ancestors https://kopatz.ddns.net";
more_set_headers "Referrer-Policy: same-origin"; more_set_headers "Referrer-Policy: same-origin";
more_set_headers "Permissions-Policy: geolocation=(), microphone=()"; more_set_headers "Permissions-Policy: geolocation=(), microphone=()";
''; '';
virtualHosts = { virtualHosts = {
"kopatz.ddns.net" = { "kopatz.ddns.net" = {
serverAliases = [ serverAliases = [
# "www.kopatz.ddns.net" # "www.kopatz.ddns.net"
# "server.home" # "server.home"
# "server.home.arpa" # "server.home.arpa"
# "192.168.0.6" # "192.168.0.6"
# "localhost" # "localhost"
]; ];
root = pkgs.kop-website; root = pkgs.kop-website;
forceSSL = cfg.https; forceSSL = cfg.https;
enableACME = cfg.https; enableACME = cfg.https;
quic = cfg.https; quic = cfg.https;
http3 = cfg.https; http3 = cfg.https;
locations."~* \\.(jpg|png)$".extraConfig= '' locations = {
add_header Access-Control-Allow-Origin *; "~* \\.(jpg|png)$".extraConfig = ''
''; add_header Access-Control-Allow-Origin *;
locations."~ ^/(stash|resources|css)".extraConfig=''
client_max_body_size 5000M;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:5091;
'';
locations."/tracker-site" = {
tryFiles = "$uri $uri/ /tracker-site/index.html =404";
};
locations."/tracker-site/api" = {
extraConfig =''
rewrite /tracker-site/api/(.*) /$1 break;
''; '';
proxyPass = "http://127.0.0.1:8080"; "/stash" = {
basicAuthFile = age.secrets.stash-auth.file;
extraConfig = ''
client_max_body_size 5000M;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:7777;
'';
};
"/tracker-site" = {
tryFiles = "$uri $uri/ /tracker-site/index.html =404";
};
"/tracker-site/api" = {
extraConfig = ''
rewrite /tracker-site/api/(.*) /$1 break;
'';
proxyPass = "http://127.0.0.1:8080";
};
}; };
}; };
#discord bot for tracking useractivity public version #discord bot for tracking useractivity public version
@@ -93,12 +102,10 @@ in
enableACME = cfg.https; enableACME = cfg.https;
quic = cfg.https; quic = cfg.https;
http3 = cfg.https; http3 = cfg.https;
locations."/" = { locations."/" = { tryFiles = "$uri $uri/ /index.html =404"; };
tryFiles = "$uri $uri/ /index.html =404";
};
locations."/api" = { locations."/api" = {
extraConfig ='' extraConfig = ''
rewrite /api/(.*) /$1 break; rewrite /api/(.*) /$1 break;
''; '';
proxyPass = "http://127.0.0.1:8081"; proxyPass = "http://127.0.0.1:8081";
}; };
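Review bot: `basicAuthFile = age.secrets.stash-auth.file;` in the new `/stash` location uses `age` as a free variable — the module's arguments are `{ config, pkgs, lib, inputs, ... }` and `with lib` does not supply it, so evaluation should fail unless `age` is bound somewhere outside the hunk. Even with the right prefix, `.file` is the encrypted `.age` source declared in the first hunk, not the decrypted htpasswd file nginx must read; the runtime path is `basicAuthFile = config.age.secrets.stash-auth.path;`, which is also what the `owner = "nginx"` on the secret is there for. The `X-Real-IP`/`X-Forwarded-*`/`Host` lines in the same block duplicate what `recommendedProxySettings = true` already injects and could be trimmed to the `client_max_body_size`, `proxy_redirect` and `proxy_pass` lines.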


@@ -27,4 +27,5 @@ in
"grafana-contact-points.age".publicKeys = [ mini-pc server kop ]; "grafana-contact-points.age".publicKeys = [ mini-pc server kop ];
"fileshelter-conf.age".publicKeys = [ mini-pc server kop ]; "fileshelter-conf.age".publicKeys = [ mini-pc server kop ];
"webhook.age".publicKeys = [ mini-pc server kop ]; "webhook.age".publicKeys = [ mini-pc server kop ];
"stash-auth.age".publicKeys = [ mini-pc server kop ];
} }

secrets/stash-auth.age Normal file

@@ -0,0 +1,12 @@
age-encryption.org/v1
-> ssh-ed25519 su0Eyw +VIlBI3Dz8nY5ifjwFXkKh8WFVEMbNAQtaJZ5i1vxTM
IqI7A62j4yC/UIQasFW9KtVcB7ILg2o/k3etWOz8jRw
-> ssh-ed25519 IV3DkQ 14R6yP4LHgNFHvBQoxdRcV0T2ETRp/qZeD+HquKNRzQ
XtcaaDXn/xN6eV42TdyK/vEJ/GcJX69WLCh61UuHdOc
-> ssh-ed25519 DCzi1A Ra23RRc0x2mPCj3CdtzgDUQDmJpyVuAQkup1xenulGY
w971HT7+UAz7of1FdCmxPTN4Ww1NwN+wnoUptZcBIHg
--- MqLymPsV3XHYyFlM1yRFkLT/9nojHs/Y8xqX2RAtS+g
˜U¥ìAmXŠé0OüØvP`E9׈
Ô¶´q¤ž¨É !§JôŒ©x>]ÏlZèãˆd¹š<C2B9>‰J
€±«a­ ì1
u »à³yC^d<>3§ß¦xåoð—KØc¢


@@ -55,9 +55,9 @@
services = { services = {
acme.enable = true; acme.enable = true;
kop-monitor.enable = true; kop-monitor.enable = true;
kop-fileshare.enable = true;
nginx.enable = true; nginx.enable = true;
ente.enable = true; ente.enable = true;
fileshelter.enable = true;
kavita = { kavita = {
enable = true; enable = true;
dir = "/data/kavita"; dir = "/data/kavita";
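Review bot: Replacing `fileshelter.enable = true;` with `kop-fileshare.enable = true;` is unrelated to the stash work the commit title describes, and the secrets file changed in this same commit still declares `fileshelter-conf.age`, so it is unclear whether that secret is now dead or the service is expected to return. A separate commit, or a one-line comment such as `# fileshelter replaced by kop-fileshare`, would make the intent clear; `kop-fileshare` is presumably a custom module defined elsewhere in the repository, which is not visible here.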


@@ -29,7 +29,7 @@
"localhost" = { "localhost" = {
forceSSL = false; forceSSL = false;
enableACME = false; enableACME = false;
locations."/".proxyPass = "http://127.0.0.1:4000"; locations."/".proxyPass = "http://127.0.0.1:7777";
}; };
}; };
}; };
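Review bot: `locations."/".proxyPass = "http://127.0.0.1:7777";` on the `localhost` vhost now points at what appears to be the same backend the new `/stash` location proxies to, but this route carries no `basicAuthFile`, so the authentication added in this commit is enforced on only one of two paths to the service. If this vhost is meant for local use only, binding it explicitly with `listen = [{ addr = "127.0.0.1"; port = 80; }];` (or adding the same `basicAuthFile`) keeps the protection consistent. Whether this file is evaluated together with the nginx module above is not visible in this diff.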