From 6cedde7e1736e940f359f0e48b8537efd91bbc23 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Thu, 10 Jul 2025 18:36:59 +0300
Subject: [PATCH] feat: add nginx integration to some services
---
 modules/nixos/containers/filestash.nix | 40 ++++++++++++++++++++++++--
 modules/nixos/services/authentik.nix | 27 +++++++++++++++--
 modules/nixos/services/gitea.nix | 28 +++++++++++++++---
 modules/nixos/services/vaultwarden.nix | 37 ++++++++++++++++++------
 4 files changed, 114 insertions(+), 18 deletions(-)
diff --git a/modules/nixos/containers/filestash.nix b/modules/nixos/containers/filestash.nix
index 43dc431..2c2e087 100644
--- a/modules/nixos/containers/filestash.nix
+++ b/modules/nixos/containers/filestash.nix
@@ -1,14 +1,28 @@
 { config, lib, ... }:
 let
- inherit (lib) mkEnableOption mkIf;
+ inherit (lib)
+ mkEnableOption
+ mkIf
+ mkOption
+ recursiveUpdate
+ ;
+ inherit (lib.types) bool;
 inherit (config.virtualisation.quadlet) networks;
 cfg = config.ataraxia.containers.filestash;
+ nginx = config.ataraxia.services.nginx;
 nas-path = "/media/nas/media-stack";
+ domain = "files.ataraxiadev.com";
+ port = "8334";
 in
 {
 options.ataraxia.containers.filestash = {
 enable = mkEnableOption "Enable filestash container";
+ nginxHost = mkOption {
+ type = bool;
+ default = config.ataraxia.services.nginx.enable;
+ description = "Enable nginx vHost integration";
+ };
 };
 config = mkIf cfg.enable {
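Review bot: `port = "8334"` is a string while the sibling modules in this patch derive the proxied port from the service's own configuration with `toString`, so here the published port and the vhost upstream are tied together only by a hand-typed literal; `port = 8334;` with `toString port` at both use sites at least turns a typo into a type error. The `nginxHost` default repeats `config.ataraxia.services.nginx.enable` although `nginx` is bound a few lines above; `default = nginx.enable;` keeps the option and the later `nginx.defaultSettings` lookup pointing at the same module. The description could also state what the integration does, e.g. `"Expose filestash at ${domain} through the shared ataraxia.services.nginx module"`, and it is worth confirming that `nginx.defaultSettings` is defined even when that module is disabled, since an explicit `nginxHost = true` evaluates it unguarded.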
@@ -20,18 +34,38 @@ in
 PGID = "100";
 UMASK = "002";
 TZ = "Europe/Moscow";
- APPLICATION_URL = "files.ataraxiadev.com";
+ APPLICATION_URL = domain;
 CANARY = "true";
 };
 # Tags: latest
 image = "docker.io/machines/filestash@sha256:923c3399768fada3424bb6f3bc01521dad30e9a7a840cfb2eba3610b6acafffe";
 networks = [ networks.br-services.ref ];
- publishPorts = [ "127.0.0.1:8334:8334/tcp" ];
+ publishPorts = [ "127.0.0.1:${port}:${port}/tcp" ];
 volumes = [
 "${nas-path}/configs/filestash:/app/data/state"
 "${nas-path}:/mnt"
 ];
 };
 };
+
+ services.nginx.virtualHosts = mkIf cfg.nginxHost {
+ ${domain} = recursiveUpdate nginx.defaultSettings {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ allow 127.0.0.1/32;
+ allow 100.64.0.0/16;
+ allow 10.10.10.0/24;
+ allow fd7a:115c:a1e0::/64;
+ deny all;
+ proxy_busy_buffers_size 1024k;
+ proxy_buffers 32 1024k;
+ proxy_buffer_size 1024k;
+ proxy_read_timeout 86400;
+ '';
+ };
+ };
+ };
 };
 }
diff --git a/modules/nixos/services/authentik.nix b/modules/nixos/services/authentik.nix
index 527b02e..6e749f7 100644
--- a/modules/nixos/services/authentik.nix
+++ b/modules/nixos/services/authentik.nix
@@ -6,10 +6,17 @@
 ...
 }:
 let
- inherit (lib) mkEnableOption mkIf mkOption;
- inherit (lib.types) str;
+ inherit (lib)
+ mkEnableOption
+ mkIf
+ mkOption
+ recursiveUpdate
+ ;
+ inherit (lib.types) bool str;
 cfg = config.ataraxia.services.authentik;
+ nginx = config.ataraxia.services.nginx;
+ domain = "auth.ataraxiadev.com";
 in
 {
 imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ];
@@ -23,6 +30,11 @@ in
 Name for sops secrets directory. Defaults to hostname.
 '';
 };
+ nginxHost = mkOption {
+ type = bool;
+ default = config.ataraxia.services.nginx.enable;
+ description = "Enable nginx vHost integration";
+ };
 };
 config = mkIf cfg.enable {
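Review bot: The `allow`/`deny` list is attached only to `locations."/"`, so any other location merged in from `nginx.defaultSettings` through `recursiveUpdate` (its contents are not visible here) is outside the allowlist; if the intent is to restrict the whole host, move the four `allow` lines and `deny all;` into the vhost's own `extraConfig` so they apply server-wide and keep only the buffer and timeout directives in the location. The rules match `$remote_addr`, so they only mean something if nginx sees the client address directly rather than through another proxy in front of it — confirm for this host. `allow 100.64.0.0/16` covers only a sixteenth of the `100.64.0.0/10` CGNAT range that Tailscale allocates from; if that is the intended network the prefix should be `/10`. Separately, `proxy_buffers 32 1024k` with `proxy_read_timeout 86400` lets one allowlisted client pin up to 32 MB of buffer memory on an idle connection for a day; a comment saying which file-manager operation needs these values would help the next reader decide whether to keep them.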
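Review bot: The `nginxHost` option (type, default and description) together with the `nginx`/`domain` let-bindings is now copied verbatim into four modules; a small helper exported from the nginx module that returns this option would keep the default in one place, so a later change to how the integration is gated is made once. As in the filestash module, the default reads `config.ataraxia.services.nginx.enable` although `nginx` is already bound at the top of the let block; `default = nginx.enable;` is shorter and keeps the two references consistent.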
@@ -45,12 +57,21 @@ in
 environmentFile = config.sops.secrets.authentik-env.path;
 outposts.ldap = {
 enable = true;
- host = "https://auth.ataraxiadev.com";
+ host = "https://${domain}";
 environmentFile = config.sops.secrets.authentik-ldap.path;
 listen.address = "127.0.0.1";
 listen.ldap = 3389;
 listen.ldaps = 6636;
 };
 };
+
+ services.nginx.virtualHosts = mkIf cfg.nginxHost {
+ ${domain} = recursiveUpdate nginx.defaultSettings {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.authentik.listen.http}";
+ proxyWebsockets = true;
+ };
+ };
+ };
 };
 }
diff --git a/modules/nixos/services/gitea.nix b/modules/nixos/services/gitea.nix
index b9e741f..d9c2012 100644
--- a/modules/nixos/services/gitea.nix
+++ b/modules/nixos/services/gitea.nix
@@ -6,10 +6,17 @@
 ...
 }:
 let
- inherit (lib) mkEnableOption mkIf mkOption;
- inherit (lib.types) str;
+ inherit (lib)
+ mkEnableOption
+ mkIf
+ mkOption
+ recursiveUpdate
+ ;
+ inherit (lib.types) bool str;
 cfg = config.ataraxia.services.gitea;
+ nginx = config.ataraxia.services.nginx;
+ domain = "code.ataraxiadev.com";
 gitea-user = config.services.gitea.user;
 # gitea-group = "gitea";
@@ -37,6 +44,11 @@ in
 Name for sops secrets directory. Defaults to hostname.
 '';
 };
+ nginxHost = mkOption {
+ type = bool;
+ default = config.ataraxia.services.nginx.enable;
+ description = "Enable nginx vHost integration";
+ };
 };
 config = mkIf cfg.enable {
@@ -70,10 +82,10 @@ in
 mailerPasswordFile = config.sops.secrets.gitea-mailer.path;
 settings = {
 server = {
- DOMAIN = "code.ataraxiadev.com";
+ DOMAIN = domain;
 HTTP_ADDRESS = "127.0.0.1";
 HTTP_PORT = 6000;
- ROOT_URL = "https://code.ataraxiadev.com";
+ ROOT_URL = "https://${domain}";
 };
 actions = {
 ENABLED = false;
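Review bot: `proxyPass` targets `127.0.0.1:${toString config.services.authentik.listen.http}`, but nothing in this hunk pins the authentik HTTP listener itself to loopback — only the LDAP outpost sets `listen.address = "127.0.0.1"`. If the NUR module's default HTTP listen address is all interfaces, the service remains reachable over plain HTTP beside the TLS vhost and whatever access control `nginx.defaultSettings` applies can be bypassed from the LAN; confirm the module's default and, if it exposes a listen address for the main server, set it to `127.0.0.1` explicitly next to `listen.http`. authentik also relies on `X-Forwarded-For`/`X-Forwarded-Proto` from the reverse proxy for client IPs and https redirects as far as I recall, so if `nginx.defaultSettings` does not turn on `recommendedProxySettings`, add `recommendedProxySettings = true;` to this location.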
@@ -128,6 +140,14 @@ in
 };
 };
+ services.nginx.virtualHosts = mkIf cfg.nginxHost {
+ ${domain} = recursiveUpdate nginx.defaultSettings {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}";
+ };
+ };
+ };
+
 systemd.services.gitea-dump-clean =
 let
 older-than = "3"; # in days
diff --git a/modules/nixos/services/vaultwarden.nix b/modules/nixos/services/vaultwarden.nix
index 506f38b..6cbb843 100644
--- a/modules/nixos/services/vaultwarden.nix
+++ b/modules/nixos/services/vaultwarden.nix
@@ -5,10 +5,17 @@
 ...
 }:
 let
- inherit (lib) mkEnableOption mkIf mkOption;
- inherit (lib.types) str;
+ inherit (lib)
+ mkEnableOption
+ mkIf
+ mkOption
+ recursiveUpdate
+ ;
+ inherit (lib.types) bool str;
 cfg = config.ataraxia.services.vaultwarden;
+ nginx = config.ataraxia.services.nginx;
+ domain = "vw.ataraxiadev.com";
 in
 {
 options.ataraxia.services.vaultwarden = {
@@ -20,6 +27,11 @@ in
 Name for sops secrets directory. Defaults to hostname.
 '';
 };
+ nginxHost = mkOption {
+ type = bool;
+ default = config.ataraxia.services.nginx.enable;
+ description = "Enable nginx vHost integration";
+ };
 };
 config = mkIf cfg.enable {
@@ -31,7 +43,7 @@ in
 enable = true;
 backupDir = "/srv/vaultwarden";
 config = {
- domain = "https://vw.ataraxiadev.com";
+ domain = "https://${domain}";
 extendedLogging = true;
 invitationsAllowed = false;
 useSyslog = true;
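Review bot: The gitea vhost sets no `client_max_body_size`, so unless `nginx.defaultSettings` provides one (not visible here) nginx's default of 1m will reject larger `git push` and LFS uploads with 413 before they reach Gitea, which is the first thing users hit once the proxy goes live; add `extraConfig = "client_max_body_size 512M;";` (or a value matching Gitea's configured LFS limit) to `locations."/"`. The earlier hunk already sets `HTTP_ADDRESS = "127.0.0.1"`, so the plain port is not exposed beside the vhost — good. Note that Gitea trusts `X-Real-IP`/`X-Forwarded-For` from `127.0.0.0/8` by default, which is correct only as long as nginx is the sole hop in front of it.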
@@ -56,11 +68,20 @@ in
 environmentFile = config.sops.secrets.vaultwarden.path;
 };
- # We need to do this to successufully create backup folder
- # systemd.services.backup-vaultwarden.serviceConfig = {
- # User = "root";
- # Group = "root";
- # };
+ services.nginx.virtualHosts = mkIf cfg.nginxHost {
+ ${domain} = recursiveUpdate nginx.defaultSettings {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
+ };
+ locations."/notifications/hub" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.websocketPort}";
+ proxyWebsockets = true;
+ };
+ locations."/notifications/hub/negotiate" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
+ };
+ };
+ };
 persist.state.directories = [
 "/var/lib/vaultwarden"
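Review bot: All three `proxyPass` targets assume vaultwarden binds loopback, but the `config` keys visible in this diff (`domain`, `extendedLogging`, `invitationsAllowed`, `useSyslog`) do not include `rocketAddress`, and vaultwarden's own default is `0.0.0.0`; unless it is set in the part of the `config` block outside these hunks, the vault stays reachable over plain HTTP on `rocketPort` from every interface, bypassing the TLS vhost entirely. Set `rocketAddress = "127.0.0.1";` beside the other `config` keys (and `websocketAddress` likewise if the separate listener is kept). Also, to my recollection recent vaultwarden releases serve `/notifications/hub` on the main Rocket port and have removed the separate websocket server, so `websocketPort` may be a no-op for the version this host runs — verify, and if so point the `/notifications/hub` location at `rocketPort` with `proxyWebsockets = true` and drop the now-redundant `negotiate` location.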