swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

refactor: cleaner nginx settings

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-06-16 19:40:14 +02:00
parent 057c7e9194
commit 266ad63ceb
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
9 changed files with 438 additions and 386 deletions
Download patch file Download diff file Expand all files Collapse all files

412
SwarselSystems.org
View file

@ -7975,7 +7975,6 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
}; };
}; };
hardware = { hardware = {
enableAllFirmware = lib.mkForce true; enableAllFirmware = lib.mkForce true;
}; };
@ -8033,57 +8032,10 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
locations = { oauth2.enable = true;
"/" = { oauth2.allowedGroups = [ "navidrome_access" ];
proxyPass = "http://navidrome"; locations =
proxyWebsockets = true; let
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag (done by NixOS)
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --pass-access-token, this will pass the token to the backend
auth_request_set $token $upstream_http_x_auth_request_access_token;
proxy_set_header X-Access-Token $token;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
proxy_redirect http:// https://;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
'';
};
"/oauth2/" = {
proxyPass = "http://oauth2-proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
"= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
"/share" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_redirect http:// https://; proxy_redirect http:// https://;
proxy_read_timeout 600s; proxy_read_timeout 600s;
@ -8091,25 +8043,29 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
client_max_body_size 0; client_max_body_size 0;
proxy_set_header X-User "";
proxy_set_header X-Email "";
''; '';
in
{
"/" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
inherit extraConfig;
};
"/share" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
setOauth2Headers = false;
bypassAuth = true;
inherit extraConfig;
};
"/rest" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
setOauth2Headers = false;
bypassAuth = true;
inherit extraConfig;
};
}; };
"/rest" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
extraConfig = ''
proxy_redirect http:// https://;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
proxy_set_header X-User "";
proxy_set_header X-Email "";
'';
};
};
}; };
}; };
}; };
@ -8126,21 +8082,27 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
#+begin_src nix :tangle modules/nixos/server/spotifyd.nix #+begin_src nix :tangle modules/nixos/server/spotifyd.nix
{ lib, config, ... }: { lib, config, ... }:
let
servicePort = 1025;
serviceName = "spotifyd";
serviceUser = "spotifyd";
serviceGroup = serviceUser;
in
{ {
options.swarselsystems.modules.server.spotifyd = lib.mkEnableOption "enable spotifyd on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.spotifyd { config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
users.groups.spotifyd = { users.groups."${serviceGroup}" = {
gid = 65136; gid = 65136;
}; };
users.users.spotifyd = { users.users."${serviceUser}" = {
isSystemUser = true; isSystemUser = true;
uid = 65136; uid = 65136;
group = "spotifyd"; group = serviceGroup;
extraGroups = [ "audio" "utmp" "pipewire" ]; extraGroups = [ "audio" "utmp" "pipewire" ];
}; };
networking.firewall.allowedTCPPorts = [ 1025 ]; networking.firewall.allowedTCPPorts = [ servicePort ];
services.pipewire.systemWide = true; services.pipewire.systemWide = true;
@ -8153,7 +8115,7 @@ Here I am forcing =startWhenNeeded= to false so that the value will not be set t
device = "sysdefault:CARD=PCH"; device = "sysdefault:CARD=PCH";
device_name = "SwarselSpot"; device_name = "SwarselSpot";
mixer = "alsa"; mixer = "alsa";
zeroconf_port = 1025; zeroconf_port = servicePort;
}; };
}; };
}; };
@ -9489,30 +9451,40 @@ This is a WIP Jenkins instance. It is used to automatically build a new system w
#+begin_src nix :tangle modules/nixos/server/jenkins.nix #+begin_src nix :tangle modules/nixos/server/jenkins.nix
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
let
serviceDomain = "servant.swarsel.win";
servicePort = 8088;
serviceName = "jenkins";
in
{ {
options.swarselsystems.modules.server.jenkins = lib.mkEnableOption "enable jenkins on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.jenkins { config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
services.jenkins = { services.jenkins = {
enable = true; enable = true;
withCLI = true; withCLI = true;
port = 8088; port = 8088;
packages = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ]; packages = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ];
listenAddress = "127.0.0.1"; listenAddress = "0.0.0.0";
home = "/Vault/apps/jenkins"; home = "/Vault/apps/jenkins";
}; };
services.nginx = { services.nginx = {
upstreams = {
"${serviceName}" = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = { virtualHosts = {
"servant.swarsel.win" = { "${serviceDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://localhost:8088"; proxyPass = "http://${serviceName}";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
@ -9570,24 +9542,26 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
let let
serviceName = "freshrss"; serviceName = "freshrss";
serviceDomain = "signpost.swarsel.win"; serviceDomain = "signpost.swarsel.win";
serviceUser = "freshrss";
serviceGroup = serviceName;
in in
{ {
options.swarselsystems.modules.server.freshrss = lib.mkEnableOption "enable freshrss on server"; options.swarselsystems.modules.server.freshrss = lib.mkEnableOption "enable freshrss on server";
config = lib.mkIf config.swarselsystems.modules.server.freshrss { config = lib.mkIf config.swarselsystems.modules.server.freshrss {
users.users.freshrss = { users.users."${serviceUser}" = {
extraGroups = [ "users" ]; extraGroups = [ "users" ];
group = "freshrss"; group = serviceGroup;
isSystemUser = true; isSystemUser = true;
}; };
users.groups.freshrss = { }; users.groups."${serviceGroup}" = { };
sops = { sops = {
secrets = { secrets = {
fresh = { owner = "freshrss"; }; fresh = { owner = serviceUser; };
"kanidm-freshrss-client" = { owner = "freshrss"; group = "freshrss"; mode = "0440"; }; "kanidm-freshrss-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"oidc-crypto-key" = { owner = "freshrss"; group = "freshrss"; mode = "0440"; }; "oidc-crypto-key" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
}; };
# templates = { # templates = {
@ -9643,57 +9617,22 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
oauth2.enable = true;
oauth2.allowedGroups = [ "ttrss_access" ];
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://${serviceName}"; proxyPass = "http://${serviceName}";
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag (done by NixOS)
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
proxy_set_header Remote-User $user;
# if you enabled --pass-access-token, this will pass the token to the backend
auth_request_set $token $upstream_http_x_auth_request_access_token;
proxy_set_header X-Access-Token $token;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
};
"/oauth2/" = {
proxyPass = "http://oauth2-proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
"= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
}; };
"/api" = { "/api" = {
proxyPass = "http://${serviceName}"; proxyPass = "http://${serviceName}";
setOauth2Headers = false;
bypassAuth = true;
}; };
}; };
}; };
}; };
}; };
}; };
} }
#+end_src #+end_src
@ -9705,33 +9644,33 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
#+begin_src nix :tangle modules/nixos/server/forgejo.nix #+begin_src nix :tangle modules/nixos/server/forgejo.nix
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
forgejoDomain = "swagit.swarsel.win"; serviceDomain = "swagit.swarsel.win";
servicePort = 3000;
serviceUser = "forgejo";
serviceGroup = serviceUser;
serviceName = "forgejo";
in in
{ {
options.swarselsystems.modules.server.forgejo = lib.mkEnableOption "enable forgejo on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.forgejo { config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
networking.firewall.allowedTCPPorts = [ 3000 ]; networking.firewall.allowedTCPPorts = [ servicePort ];
users.users.forgejo = { users.users."${serviceUser}" = {
group = "forgejo"; group = serviceGroup;
isSystemUser = true; isSystemUser = true;
}; };
users.groups.forgejo = { }; users.groups."${serviceGroup}" = { };
sops.secrets = { sops.secrets = {
kanidm-forgejo-client = { kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
owner = "forgejo";
group = "forgejo";
mode = "0440";
};
}; };
services.forgejo = { services.forgejo = {
enable = true; enable = true;
user = "forgejo"; user = serviceUser;
group = "forgejo"; group = serviceGroup;
lfs.enable = lib.mkDefault true; lfs.enable = lib.mkDefault true;
settings = { settings = {
DEFAULT = { DEFAULT = {
@ -9739,10 +9678,10 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
}; };
server = { server = {
PROTOCOL = "http"; PROTOCOL = "http";
HTTP_PORT = 3000; HTTP_PORT = servicePort;
HTTP_ADDR = "0.0.0.0"; HTTP_ADDR = "0.0.0.0";
DOMAIN = forgejoDomain; DOMAIN = serviceDomain;
ROOT_URL = "https://${forgejoDomain}"; ROOT_URL = "https://${serviceDomain}";
}; };
# federation.ENABLED = true; # federation.ENABLED = true;
service = { service = {
@ -9827,14 +9766,21 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
}; };
services.nginx = { services.nginx = {
upstreams = {
"${serviceName}" = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = { virtualHosts = {
"swagit.swarsel.win" = { "${serviceDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://localhost:3000"; proxyPass = "http://${serviceName}";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
@ -9857,12 +9803,14 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
{ lib, config, ... }: { lib, config, ... }:
let let
serviceDomain = "synki.swarsel.win"; serviceDomain = "synki.swarsel.win";
servicePort = 27701;
serviceName = "ankisync";
in in
{ {
options.swarselsystems.modules.server.ankisync = lib.mkEnableOption "enable ankisync on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.ankisync { config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
networking.firewall.allowedTCPPorts = [ 22701 ]; networking.firewall.allowedTCPPorts = [ servicePort ];
sops.secrets.swarsel = { owner = "root"; }; sops.secrets.swarsel = { owner = "root"; };
@ -9873,7 +9821,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
services.anki-sync-server = { services.anki-sync-server = {
enable = true; enable = true;
port = 27701; port = servicePort;
address = "0.0.0.0"; address = "0.0.0.0";
openFirewall = true; openFirewall = true;
users = [ users = [
@ -9885,6 +9833,13 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
}; };
services.nginx = { services.nginx = {
upstreams = {
"${serviceName}" = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = { virtualHosts = {
"${serviceDomain}" = { "${serviceDomain}" = {
enableACME = true; enableACME = true;
@ -9892,7 +9847,7 @@ FreshRSS claims to support HTTP header auth, but at least it does not work with
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://localhost:27701"; proxyPass = "http://${serviceName}";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';
@ -10166,7 +10121,113 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
oauth2ProxyPort = 3004; oauth2ProxyPort = 3004;
in in
{ {
options.swarselsystems.modules.server.oauth2Proxy = lib.mkEnableOption "enable oauth2-proxy on server"; options = {
swarselsystems.modules.server.oauth2Proxy = lib.mkEnableOption "enable oauth2-proxy on server";
services.nginx.virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (
{ config, ... }:
{
options.oauth2 = {
enable = lib.mkEnableOption "access protection of this virtualHost using oauth2-proxy.";
allowedGroups = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
A list of kanidm groups that are allowed to access this resource, or the
empty list to allow any authenticated client.
'';
};
X-User = lib.mkOption {
type = lib.types.str;
default = "$upstream_http_x_auth_request_user";
description = "The variable to set as X-User";
};
X-Email = lib.mkOption {
type = lib.types.str;
default = "$upstream_http_x_auth_request_email";
description = "The variable to set as X-Email";
};
X-Access-Token = lib.mkOption {
type = lib.types.str;
default = "$upstream_http_x_auth_request_access_token";
description = "The variable to set as X-Access-Token";
};
};
options.locations = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (locationSubmodule: {
options = {
setOauth2Headers = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether to add oauth2 headers to this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
};
bypassAuth = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to set auth_request off for this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
};
};
config = lib.mkIf config.oauth2.enable {
extraConfig = lib.optionalString locationSubmodule.config.setOauth2Headers ''
proxy_set_header X-User $user;
proxy_set_header Remote-User $user;
proxy_set_header X-Email $email;
proxy_set_header X-Access-Token $token;
add_header Set-Cookie $auth_cookie;
'' + lib.optionalString locationSubmodule.config.bypassAuth ''
auth_request off;
'';
};
})
);
};
config = lib.mkIf config.oauth2.enable {
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# set variables that can be used in locations.<name>.extraConfig
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user ${config.oauth2.X-User};
auth_request_set $email ${config.oauth2.X-Email};
# if you enabled --pass-access-token, this will pass the token to the backend
auth_request_set $token ${config.oauth2.X-Access-Token};
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
'';
locations = {
"/oauth2/" = {
proxyPass = "http://oauth2-proxy";
setOauth2Headers = false;
bypassAuth = true;
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
"= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth" + lib.optionalString (config.oauth2.allowedGroups != [ ]) "?allowed_groups=${lib.concatStringsSep "," config.oauth2.allowedGroups}";
setOauth2Headers = false;
bypassAuth = true;
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
};
}
)
);
};
};
config = lib.mkIf config.swarselsystems.modules.server.oauth2Proxy { config = lib.mkIf config.swarselsystems.modules.server.oauth2Proxy {
sops = { sops = {
@ -10325,12 +10386,11 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
"${fireflyDomain}" = { "${fireflyDomain}" = {
locations = { locations = {
"/api" = { "/api" = {
setOauth2Headers = false;
extraConfig = '' extraConfig = ''
index index.php; index index.php;
try_files $uri $uri/ /index.php?$query_string; try_files $uri $uri/ /index.php?$query_string;
add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS'; add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS';
proxy_set_header X-User "";
proxy_set_header X-Email "";
''; '';
}; };
}; };
@ -10352,52 +10412,18 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
oauth2.enable = true;
oauth2.allowedGroups = [ "firefly_access" ];
# main config is automatically added by nixos firefly config. # main config is automatically added by nixos firefly config.
# hence, only provide certificate # hence, only provide certificate
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://${serviceName}"; proxyPass = "http://${serviceName}";
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag (done by NixOS)
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --pass-access-token, this will pass the token to the backend
auth_request_set $token $upstream_http_x_auth_request_access_token;
proxy_set_header X-Access-Token $token;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
};
"/oauth2/" = {
proxyPass = "http://oauth2-proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
"= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
}; };
"/api" = { "/api" = {
proxyPass = "http://${serviceName}"; proxyPass = "http://${serviceName}";
setOauth2Headers = false;
bypassAuth = true;
}; };
}; };
}; };

19
modules/nixos/server/ankisync.nix
View file

@ -1,12 +1,14 @@
{ lib, config, ... }: { lib, config, ... }:
let let
serviceDomain = "synki.swarsel.win"; serviceDomain = "synki.swarsel.win";
servicePort = 27701;
serviceName = "ankisync";
in in
{ {
options.swarselsystems.modules.server.ankisync = lib.mkEnableOption "enable ankisync on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.ankisync { config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
networking.firewall.allowedTCPPorts = [ 22701 ]; networking.firewall.allowedTCPPorts = [ servicePort ];
sops.secrets.swarsel = { owner = "root"; }; sops.secrets.swarsel = { owner = "root"; };
@ -17,7 +19,7 @@ in
services.anki-sync-server = { services.anki-sync-server = {
enable = true; enable = true;
port = 27701; port = servicePort;
address = "0.0.0.0"; address = "0.0.0.0";
openFirewall = true; openFirewall = true;
users = [ users = [
@ -29,6 +31,13 @@ in
}; };
services.nginx = { services.nginx = {
upstreams = {
"${serviceName}" = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = { virtualHosts = {
"${serviceDomain}" = { "${serviceDomain}" = {
enableACME = true; enableACME = true;
@ -36,7 +45,7 @@ in
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://localhost:27701"; proxyPass = "http://${serviceName}";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';

45
modules/nixos/server/firefly-iii.nix
View file

@ -52,12 +52,11 @@ in
"${fireflyDomain}" = { "${fireflyDomain}" = {
locations = { locations = {
"/api" = { "/api" = {
setOauth2Headers = false;
extraConfig = '' extraConfig = ''
index index.php; index index.php;
try_files $uri $uri/ /index.php?$query_string; try_files $uri $uri/ /index.php?$query_string;
add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS'; add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS';
proxy_set_header X-User "";
proxy_set_header X-Email "";
''; '';
}; };
}; };
@ -79,52 +78,18 @@ in
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
oauth2.enable = true;
oauth2.allowedGroups = [ "firefly_access" ];
# main config is automatically added by nixos firefly config. # main config is automatically added by nixos firefly config.
# hence, only provide certificate # hence, only provide certificate
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://${serviceName}"; proxyPass = "http://${serviceName}";
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag (done by NixOS)
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --pass-access-token, this will pass the token to the backend
auth_request_set $token $upstream_http_x_auth_request_access_token;
proxy_set_header X-Access-Token $token;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
};
"/oauth2/" = {
proxyPass = "http://oauth2-proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
"= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
}; };
"/api" = { "/api" = {
proxyPass = "http://${serviceName}"; proxyPass = "http://${serviceName}";
setOauth2Headers = false;
bypassAuth = true;
}; };
}; };
}; };

45
modules/nixos/server/forgejo.nix
View file

@ -1,32 +1,32 @@
{ lib, config, pkgs, ... }: { lib, config, pkgs, ... }:
let let
forgejoDomain = "swagit.swarsel.win"; serviceDomain = "swagit.swarsel.win";
servicePort = 3000;
serviceUser = "forgejo";
serviceGroup = serviceUser;
serviceName = "forgejo";
in in
{ {
options.swarselsystems.modules.server.forgejo = lib.mkEnableOption "enable forgejo on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.forgejo { config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
networking.firewall.allowedTCPPorts = [ 3000 ]; networking.firewall.allowedTCPPorts = [ servicePort ];
users.users.forgejo = { users.users."${serviceUser}" = {
group = "forgejo"; group = serviceGroup;
isSystemUser = true; isSystemUser = true;
}; };
users.groups.forgejo = { }; users.groups."${serviceGroup}" = { };
sops.secrets = { sops.secrets = {
kanidm-forgejo-client = { kanidm-forgejo-client = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
owner = "forgejo";
group = "forgejo";
mode = "0440";
};
}; };
services.forgejo = { services.forgejo = {
enable = true; enable = true;
user = "forgejo"; user = serviceUser;
group = "forgejo"; group = serviceGroup;
lfs.enable = lib.mkDefault true; lfs.enable = lib.mkDefault true;
settings = { settings = {
DEFAULT = { DEFAULT = {
@ -34,10 +34,10 @@ in
}; };
server = { server = {
PROTOCOL = "http"; PROTOCOL = "http";
HTTP_PORT = 3000; HTTP_PORT = servicePort;
HTTP_ADDR = "0.0.0.0"; HTTP_ADDR = "0.0.0.0";
DOMAIN = forgejoDomain; DOMAIN = serviceDomain;
ROOT_URL = "https://${forgejoDomain}"; ROOT_URL = "https://${serviceDomain}";
}; };
# federation.ENABLED = true; # federation.ENABLED = true;
service = { service = {
@ -122,14 +122,21 @@ in
}; };
services.nginx = { services.nginx = {
upstreams = {
"${serviceName}" = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = { virtualHosts = {
"swagit.swarsel.win" = { "${serviceDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://localhost:3000"; proxyPass = "http://${serviceName}";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';

57
modules/nixos/server/freshrss.nix
View file

@ -2,24 +2,26 @@
let let
serviceName = "freshrss"; serviceName = "freshrss";
serviceDomain = "signpost.swarsel.win"; serviceDomain = "signpost.swarsel.win";
serviceUser = "freshrss";
serviceGroup = serviceName;
in in
{ {
options.swarselsystems.modules.server.freshrss = lib.mkEnableOption "enable freshrss on server"; options.swarselsystems.modules.server.freshrss = lib.mkEnableOption "enable freshrss on server";
config = lib.mkIf config.swarselsystems.modules.server.freshrss { config = lib.mkIf config.swarselsystems.modules.server.freshrss {
users.users.freshrss = { users.users."${serviceUser}" = {
extraGroups = [ "users" ]; extraGroups = [ "users" ];
group = "freshrss"; group = serviceGroup;
isSystemUser = true; isSystemUser = true;
}; };
users.groups.freshrss = { }; users.groups."${serviceGroup}" = { };
sops = { sops = {
secrets = { secrets = {
fresh = { owner = "freshrss"; }; fresh = { owner = serviceUser; };
"kanidm-freshrss-client" = { owner = "freshrss"; group = "freshrss"; mode = "0440"; }; "kanidm-freshrss-client" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
"oidc-crypto-key" = { owner = "freshrss"; group = "freshrss"; mode = "0440"; }; "oidc-crypto-key" = { owner = serviceUser; group = serviceGroup; mode = "0440"; };
}; };
# templates = { # templates = {
@ -75,55 +77,20 @@ in
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
oauth2.enable = true;
oauth2.allowedGroups = [ "ttrss_access" ];
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://${serviceName}"; proxyPass = "http://${serviceName}";
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag (done by NixOS)
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
proxy_set_header Remote-User $user;
# if you enabled --pass-access-token, this will pass the token to the backend
auth_request_set $token $upstream_http_x_auth_request_access_token;
proxy_set_header X-Access-Token $token;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
'';
};
"/oauth2/" = {
proxyPass = "http://oauth2-proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
"= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
}; };
"/api" = { "/api" = {
proxyPass = "http://${serviceName}"; proxyPass = "http://${serviceName}";
setOauth2Headers = false;
bypassAuth = true;
}; };
}; };
}; };
}; };
}; };
}; };
} }

24
modules/nixos/server/jenkins.nix
View file

@ -1,28 +1,38 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
let
serviceDomain = "servant.swarsel.win";
servicePort = 8088;
serviceName = "jenkins";
in
{ {
options.swarselsystems.modules.server.jenkins = lib.mkEnableOption "enable jenkins on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.jenkins { config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
services.jenkins = { services.jenkins = {
enable = true; enable = true;
withCLI = true; withCLI = true;
port = 8088; port = 8088;
packages = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ]; packages = [ pkgs.stdenv pkgs.git pkgs.jdk17 config.programs.ssh.package pkgs.nix ];
listenAddress = "127.0.0.1"; listenAddress = "0.0.0.0";
home = "/Vault/apps/jenkins"; home = "/Vault/apps/jenkins";
}; };
services.nginx = { services.nginx = {
upstreams = {
"${serviceName}" = {
servers = {
"192.168.1.2:${builtins.toString servicePort}" = { };
};
};
};
virtualHosts = { virtualHosts = {
"servant.swarsel.win" = { "${serviceDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://localhost:8088"; proxyPass = "http://${serviceName}";
extraConfig = '' extraConfig = ''
client_max_body_size 0; client_max_body_size 0;
''; '';

94
modules/nixos/server/navidrome.nix
View file

@ -32,7 +32,6 @@ in
}; };
}; };
hardware = { hardware = {
enableAllFirmware = lib.mkForce true; enableAllFirmware = lib.mkForce true;
}; };
@ -90,57 +89,10 @@ in
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
acmeRoot = null; acmeRoot = null;
locations = { oauth2.enable = true;
"/" = { oauth2.allowedGroups = [ "navidrome_access" ];
proxyPass = "http://navidrome"; locations =
proxyWebsockets = true; let
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag (done by NixOS)
auth_request_set $user $upstream_http_x_auth_request_user;
auth_request_set $email $upstream_http_x_auth_request_email;
proxy_set_header X-User $user;
proxy_set_header X-Email $email;
# if you enabled --pass-access-token, this will pass the token to the backend
auth_request_set $token $upstream_http_x_auth_request_access_token;
proxy_set_header X-Access-Token $token;
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
proxy_redirect http:// https://;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
'';
};
"/oauth2/" = {
proxyPass = "http://oauth2-proxy";
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
"= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth";
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
"/share" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_redirect http:// https://; proxy_redirect http:// https://;
proxy_read_timeout 600s; proxy_read_timeout 600s;
@ -148,25 +100,29 @@ in
proxy_buffering off; proxy_buffering off;
proxy_request_buffering off; proxy_request_buffering off;
client_max_body_size 0; client_max_body_size 0;
proxy_set_header X-User "";
proxy_set_header X-Email "";
''; '';
in
{
"/" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
inherit extraConfig;
};
"/share" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
setOauth2Headers = false;
bypassAuth = true;
inherit extraConfig;
};
"/rest" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
setOauth2Headers = false;
bypassAuth = true;
inherit extraConfig;
};
}; };
"/rest" = {
proxyPass = "http://navidrome";
proxyWebsockets = true;
extraConfig = ''
proxy_redirect http:// https://;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 0;
proxy_set_header X-User "";
proxy_set_header X-Email "";
'';
};
};
}; };
}; };
}; };

108
modules/nixos/server/oauth2-proxy.nix
View file

@ -5,7 +5,113 @@ let
oauth2ProxyPort = 3004; oauth2ProxyPort = 3004;
in in
{ {
options.swarselsystems.modules.server.oauth2Proxy = lib.mkEnableOption "enable oauth2-proxy on server"; options = {
swarselsystems.modules.server.oauth2Proxy = lib.mkEnableOption "enable oauth2-proxy on server";
services.nginx.virtualHosts = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (
{ config, ... }:
{
options.oauth2 = {
enable = lib.mkEnableOption "access protection of this virtualHost using oauth2-proxy.";
allowedGroups = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
A list of kanidm groups that are allowed to access this resource, or the
empty list to allow any authenticated client.
'';
};
X-User = lib.mkOption {
type = lib.types.str;
default = "$upstream_http_x_auth_request_user";
description = "The variable to set as X-User";
};
X-Email = lib.mkOption {
type = lib.types.str;
default = "$upstream_http_x_auth_request_email";
description = "The variable to set as X-Email";
};
X-Access-Token = lib.mkOption {
type = lib.types.str;
default = "$upstream_http_x_auth_request_access_token";
description = "The variable to set as X-Access-Token";
};
};
options.locations = lib.mkOption {
type = lib.types.attrsOf (
lib.types.submodule (locationSubmodule: {
options = {
setOauth2Headers = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Whether to add oauth2 headers to this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
};
bypassAuth = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Whether to set auth_request off for this location. Only takes effect is oauth2 is actually enabled on the parent vhost.";
};
};
config = lib.mkIf config.oauth2.enable {
extraConfig = lib.optionalString locationSubmodule.config.setOauth2Headers ''
proxy_set_header X-User $user;
proxy_set_header Remote-User $user;
proxy_set_header X-Email $email;
proxy_set_header X-Access-Token $token;
add_header Set-Cookie $auth_cookie;
'' + lib.optionalString locationSubmodule.config.bypassAuth ''
auth_request off;
'';
};
})
);
};
config = lib.mkIf config.oauth2.enable {
extraConfig = ''
auth_request /oauth2/auth;
error_page 401 = /oauth2/sign_in;
# set variables that can be used in locations.<name>.extraConfig
# pass information via X-User and X-Email headers to backend,
# requires running with --set-xauthrequest flag
auth_request_set $user ${config.oauth2.X-User};
auth_request_set $email ${config.oauth2.X-Email};
# if you enabled --pass-access-token, this will pass the token to the backend
auth_request_set $token ${config.oauth2.X-Access-Token};
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
auth_request_set $auth_cookie $upstream_http_set_cookie;
'';
locations = {
"/oauth2/" = {
proxyPass = "http://oauth2-proxy";
setOauth2Headers = false;
bypassAuth = true;
extraConfig = ''
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
'';
};
"= /oauth2/auth" = {
proxyPass = "http://oauth2-proxy/oauth2/auth" + lib.optionalString (config.oauth2.allowedGroups != [ ]) "?allowed_groups=${lib.concatStringsSep "," config.oauth2.allowedGroups}";
setOauth2Headers = false;
bypassAuth = true;
extraConfig = ''
internal;
proxy_set_header X-Scheme $scheme;
# nginx auth_request includes headers but not body
proxy_set_header Content-Length "";
proxy_pass_request_body off;
'';
};
};
};
}
)
);
};
};
config = lib.mkIf config.swarselsystems.modules.server.oauth2Proxy { config = lib.mkIf config.swarselsystems.modules.server.oauth2Proxy {
sops = { sops = {

20
modules/nixos/server/spotifyd.nix
View file

@ -1,19 +1,25 @@
{ lib, config, ... }: { lib, config, ... }:
let
servicePort = 1025;
serviceName = "spotifyd";
serviceUser = "spotifyd";
serviceGroup = serviceUser;
in
{ {
options.swarselsystems.modules.server.spotifyd = lib.mkEnableOption "enable spotifyd on server"; options.swarselsystems.modules.server."${serviceName}" = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselsystems.modules.server.spotifyd { config = lib.mkIf config.swarselsystems.modules.server."${serviceName}" {
users.groups.spotifyd = { users.groups."${serviceGroup}" = {
gid = 65136; gid = 65136;
}; };
users.users.spotifyd = { users.users."${serviceUser}" = {
isSystemUser = true; isSystemUser = true;
uid = 65136; uid = 65136;
group = "spotifyd"; group = serviceGroup;
extraGroups = [ "audio" "utmp" "pipewire" ]; extraGroups = [ "audio" "utmp" "pipewire" ];
}; };
networking.firewall.allowedTCPPorts = [ 1025 ]; networking.firewall.allowedTCPPorts = [ servicePort ];
services.pipewire.systemWide = true; services.pipewire.systemWide = true;
@ -26,7 +32,7 @@
device = "sysdefault:CARD=PCH"; device = "sysdefault:CARD=PCH";
device_name = "SwarselSpot"; device_name = "SwarselSpot";
mixer = "alsa"; mixer = "alsa";
zeroconf_port = 1025; zeroconf_port = servicePort;
}; };
}; };
}; };