swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 00:57:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor: cleaner nginx settings

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-06-16 19:40:14 +02:00
parent 057c7e9194
commit 266ad63ceb
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
9 changed files with 438 additions and 386 deletions
Download patch file Download diff file Expand all files Collapse all files

94
modules/nixos/server/navidrome.nix
View file

@ -32,7 +32,6 @@ in
};
};
hardware = {
enableAllFirmware = lib.mkForce true;
};
@ -90,57 +89,10 @@ in
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations = {
"/" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag (done by NixOS)
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --pass-access-token, this will pass the token to the backend
auth_request_set $token $upstream_http_x_auth_request_access_token;
proxy_set_header X-Access-Token $token;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
proxy_redirect http:// https://;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
'';
};
"/oauth2/" = {
proxyPass = "http://oauth2-proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
"= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
"/share" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
oauth2.enable = true;
oauth2.allowedGroups = [ "navidrome_access" ];
locations =
let
extraConfig = ''
proxy_redirect http:// https://;
proxy_read_timeout 600s;
@ -148,25 +100,29 @@ in
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
proxy_set_header X-User "";
proxy_set_header X-Email "";
'';
in
{
"/" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
inherit extraConfig;
};
"/share" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
setOauth2Headers = false;
bypassAuth = true;
inherit extraConfig;
};
"/rest" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
setOauth2Headers = false;
bypassAuth = true;
inherit extraConfig;
};
};
"/rest" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
extraConfig = ''
proxy_redirect http:// https://;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
proxy_set_header X-User "";
proxy_set_header X-Email "";
'';
};
};
};
};
};