chore: simplified nginx setup

This commit is contained in:
Patrick 2024-03-14 20:07:10 +01:00
parent 1c9d12c306
commit aa59594eaa
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
2 changed files with 70 additions and 212 deletions


@ -7,231 +7,88 @@
nodes, nodes,
... ...
}: let }: let
adguardhomedomain = "adguardhome.${config.secrets.secrets.global.domains.web}"; domainOf = hostName: let
forgejoDomain = "git.${config.secrets.secrets.global.domains.web}"; domains = {
immichdomain = "immich.${config.secrets.secrets.global.domains.web}"; adguardhome = "adguardhome";
nextclouddomain = "nc.${config.secrets.secrets.global.domains.web}"; forgejo = "git";
ollamadomain = "ollama.${config.secrets.secrets.global.domains.web}"; immich = "immich";
paperlessdomain = "ppl.${config.secrets.secrets.global.domains.web}"; nextcloud = "nc";
ttrssdomain = "rss.${config.secrets.secrets.global.domains.web}"; ollama = "ollama";
vaultwardendomain = "pw.${config.secrets.secrets.global.domains.web}"; paperless = "ppl";
spotifydomain = "sptfy.${config.secrets.secrets.global.domains.web}"; ttrss = "rss";
apispotifydomain = "apisptfy.${config.secrets.secrets.global.domains.web}"; vaultwarden = "pw";
kanidmdomain = "auth.${config.secrets.secrets.global.domains.web}"; spotify = "sptfy";
apispotify = "apisptfy";
kanidm = "auth";
};
in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4; ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4;
in { in {
services.nginx = { services.nginx = let
enable = true; blockOf = hostName: {
recommendedSetup = true; virtualHostExtraConfig ? "",
upstreams.vaultwarden = { maxBodySize ? "500M",
servers."${ipOf "vaultwarden"}:3000" = {}; port ? 3000,
}: {
extraConfig = '' upstreams.${hostName} = {
zone vaultwarden 64k ; servers."${ipOf hostName}:${toString port}" = {};
keepalive 5 ; extraConfig = ''
''; zone ${hostName} 64k ;
}; keepalive 5 ;
'';
virtualHosts.${vaultwardendomain} = {
forceSSL = true;
useACMEHost = "web";
locations."/" = {
proxyPass = "http://vaultwarden";
proxyWebsockets = true;
X-Frame-Options = "SAMEORIGIN";
}; };
extraConfig = '' virtualHosts.${domainOf hostName} = {
client_max_body_size 1G ; forceSSL = true;
''; useACMEHost = "web";
}; locations."/" = {
proxyPass = "http://${hostName}";
upstreams.forgejo = { proxyWebsockets = true;
servers."${ipOf "forgejo"}:3000" = {}; X-Frame-Options = "SAMEORIGIN";
};
extraConfig = '' extraConfig =
zone forgejo 64k ; ''
keepalive 5 ; client_max_body_size ${maxBodySize} ;
''; ''
}; + virtualHostExtraConfig;
virtualHosts.${forgejoDomain} = {
forceSSL = true;
useACMEHost = "web";
locations."/" = {
proxyPass = "http://forgejo";
proxyWebsockets = true;
}; };
extraConfig = ''
client_max_body_size 2G ;
'';
}; };
in
upstreams.immich = { {
servers."${ipOf "immich"}:2283" = {}; enable = true;
recommendedSetup = true;
extraConfig = '' }
zone immich 64k ; // blockOf "vaultwarden" {maxBodySize = "1G";}
keepalive 5 ; // blockOf "forgejo" {maxBodySize = "1G";}
''; // blockOf "immich" {maxBodySize = "5G";}
}; // blockOf "ollama" {
virtualHosts.${immichdomain} = { maxBodySize = "5G";
forceSSL = true; virtualHostExtraConfig = ''
useACMEHost = "web";
locations."/" = {
proxyPass = "http://immich";
proxyWebsockets = true;
};
extraConfig = ''
client_max_body_size 5G ;
'';
};
upstreams.ollama = {
servers."${ipOf "ollama"}:3000" = {};
extraConfig = ''
zone ollama 64k ;
keepalive 5 ;
'';
};
virtualHosts.${ollamadomain} = {
forceSSL = true;
useACMEHost = "web";
locations."/" = {
proxyPass = "http://ollama";
proxyWebsockets = true;
};
extraConfig = ''
allow ${config.secrets.secrets.global.net.privateSubnetv4}; allow ${config.secrets.secrets.global.net.privateSubnetv4};
allow ${config.secrets.secrets.global.net.privateSubnetv6}; allow ${config.secrets.secrets.global.net.privateSubnetv6};
deny all; deny all ;
''; '';
}; }
// blockOf "adguardhome" {
upstreams.adguardhome = { virtualHostExtraConfig = ''
servers."${ipOf "adguardhome"}:3000" = {};
extraConfig = ''
zone adguardhome 64k ;
keepalive 5 ;
'';
};
virtualHosts.${adguardhomedomain} = {
forceSSL = true;
useACMEHost = "web";
locations."/" = {
proxyPass = "http://adguardhome";
proxyWebsockets = true;
};
extraConfig = ''
allow ${config.secrets.secrets.global.net.privateSubnetv4}; allow ${config.secrets.secrets.global.net.privateSubnetv4};
allow ${config.secrets.secrets.global.net.privateSubnetv6}; allow ${config.secrets.secrets.global.net.privateSubnetv6};
deny all; deny all ;
''; '';
}; }
// blockOf "paperless" {maxBodySize = "5G";}
upstreams.paperless = { // blockOf "ttrss" {port = 80;}
servers."${ipOf "paperless"}:3000" = {}; // blockOf "yourspotify" {port = 80;}
// blockOf "apispotify" {}
extraConfig = '' // blockOf "nextcloud" {
zone paperless 64k ; maxBodySize = "5G";
keepalive 5 ; port = 80;
''; }
}; // blockOf "kanidm" {
virtualHosts.${paperlessdomain} = { virtualHostExtraConfig = ''
forceSSL = true;
useACMEHost = "web";
locations."/" = {
proxyPass = "http://paperless";
proxyWebsockets = true;
X-Frame-Options = "SAMEORIGIN";
};
extraConfig = ''
client_max_body_size 4G ;
'';
};
upstreams.tt-rss = {
servers."${ipOf "ttrss"}:80" = {};
extraConfig = ''
zone tt-rss 64k ;
keepalive 5 ;
'';
};
virtualHosts.${ttrssdomain} = {
forceSSL = true;
useACMEHost = "web";
locations."/".proxyPass = "http://tt-rss";
extraConfig = ''
'';
};
upstreams.spotify = {
servers."${ipOf "yourspotify"}:80" = {};
extraConfig = ''
zone spotify 64k ;
keepalive 5 ;
'';
};
virtualHosts.${spotifydomain} = {
forceSSL = true;
useACMEHost = "web";
locations."/".proxyPass = "http://spotify";
extraConfig = ''
'';
};
upstreams.apispotify = {
servers."${ipOf "yourspotify"}:3000" = {};
extraConfig = ''
zone spotify 64k ;
keepalive 5 ;
'';
};
virtualHosts.${apispotifydomain} = {
forceSSL = true;
useACMEHost = "web";
locations."/".proxyPass = "http://apispotify";
extraConfig = ''
'';
};
upstreams.nextcloud = {
servers."${ipOf "nextcloud"}:80" = {};
extraConfig = ''
zone nextcloud 64k ;
keepalive 5 ;
'';
};
virtualHosts.${nextclouddomain} = {
forceSSL = true;
useACMEHost = "web";
locations."/".proxyPass = "http://nextcloud";
extraConfig = ''
client_max_body_size 4G ;
'';
};
upstreams.kanidm = {
servers."${ipOf "kanidm"}:3000" = {};
extraConfig = ''
zone kanidm 64k ;
keepalive 5 ;
'';
};
virtualHosts.${kanidmdomain} = {
forceSSL = true;
useACMEHost = "web";
locations."/".proxyPass = "https://kanidm";
extraConfig = ''
proxy_ssl_verify off ; proxy_ssl_verify off ;
''; '';
}; };
};
guests = let guests = let
mkGuest = guestName: { mkGuest = guestName: {
enablePanzer ? false, enablePanzer ? false,
@ -257,6 +114,7 @@ in {
pool = "renaultft"; pool = "renaultft";
dataset = "safe/guests/${guestName}"; dataset = "safe/guests/${guestName}";
}; };
# kinda not necesarry should be removed on next reimaging
zfs."/bunker" = lib.mkIf enableBunker { zfs."/bunker" = lib.mkIf enableBunker {
pool = "panzer"; pool = "panzer";
dataset = "bunker/guests/${guestName}"; dataset = "bunker/guests/${guestName}";
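Review bot: `blockOf` hard-codes `proxyPass = "http://${hostName}";`, so the kanidm virtual host now forwards plaintext HTTP to an upstream the removed code reached via `https://kanidm`, while the retained `proxy_ssl_verify off ;` in its `virtualHostExtraConfig` still presumes a TLS listener — this reads as an accidental scheme regression rather than an intended downgrade (the upstream's actual listener is not visible in the hunk). Add a `scheme ? "http",` parameter to `blockOf`, emit `proxyPass = "${scheme}://${hostName}";`, and pass `scheme = "https";` for kanidm; while there, consider `proxy_ssl_verify on ;` with a `proxy_ssl_trusted_certificate` instead of disabling verification, since this is the identity provider every other host authenticates against. Separately, `blockOf "yourspotify" {port = 80;}` evaluates `domainOf "yourspotify"`, but the `domains` set only defines a `spotify` key, so the build will fail on a missing attribute; `blockOf "apispotify" {}` likewise resolves `ipOf "apispotify"` where the old upstream used `ipOf "yourspotify"` on port 3000, so the API host may point at a guest that does not exist. Because `blockOf` keys upstream name, domain and guest by a single string, either add the missing aliases or give it a separate `guest ? hostName` argument so the domain label and the backing guest can differ.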


@ -337,7 +337,7 @@ in {
"${environment.DB_PASSWORD_FILE}:${environment.DB_PASSWORD_FILE}:ro" "${environment.DB_PASSWORD_FILE}:${environment.DB_PASSWORD_FILE}:ro"
]; ];
ports = [ ports = [
"2283:3001/tcp" "3000:3001/tcp"
]; ];
cmd = ["start.sh" "immich"]; cmd = ["start.sh" "immich"];
dependsOn = [ dependsOn = [