feat: add nginx integration to some services

Dmitriy Kholkin 2025-07-10 18:36:59 +03:00
parent 312fdc791e
commit 6cedde7e17
Signed by: AtaraxiaDev
GPG Key ID: FD266B810DF48DF2
4 changed files with 114 additions and 18 deletions


@ -1,14 +1,28 @@
{ config, lib, ... }: { config, lib, ... }:
let let
inherit (lib) mkEnableOption mkIf; inherit (lib)
mkEnableOption
mkIf
mkOption
recursiveUpdate
;
inherit (lib.types) bool;
inherit (config.virtualisation.quadlet) networks; inherit (config.virtualisation.quadlet) networks;
cfg = config.ataraxia.containers.filestash; cfg = config.ataraxia.containers.filestash;
nginx = config.ataraxia.services.nginx;
nas-path = "/media/nas/media-stack"; nas-path = "/media/nas/media-stack";
domain = "files.ataraxiadev.com";
port = "8334";
in in
{ {
options.ataraxia.containers.filestash = { options.ataraxia.containers.filestash = {
enable = mkEnableOption "Enable filestash container"; enable = mkEnableOption "Enable filestash container";
nginxHost = mkOption {
type = bool;
default = config.ataraxia.services.nginx.enable;
description = "Enable nginx vHost integration";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -20,18 +34,38 @@ in
PGID = "100"; PGID = "100";
UMASK = "002"; UMASK = "002";
TZ = "Europe/Moscow"; TZ = "Europe/Moscow";
APPLICATION_URL = "files.ataraxiadev.com"; APPLICATION_URL = domain;
CANARY = "true"; CANARY = "true";
}; };
# Tags: latest # Tags: latest
image = "docker.io/machines/filestash@sha256:923c3399768fada3424bb6f3bc01521dad30e9a7a840cfb2eba3610b6acafffe"; image = "docker.io/machines/filestash@sha256:923c3399768fada3424bb6f3bc01521dad30e9a7a840cfb2eba3610b6acafffe";
networks = [ networks.br-services.ref ]; networks = [ networks.br-services.ref ];
publishPorts = [ "127.0.0.1:8334:8334/tcp" ]; publishPorts = [ "127.0.0.1:${port}:${port}/tcp" ];
volumes = [ volumes = [
"${nas-path}/configs/filestash:/app/data/state" "${nas-path}/configs/filestash:/app/data/state"
"${nas-path}:/mnt" "${nas-path}:/mnt"
]; ];
}; };
}; };
services.nginx.virtualHosts = mkIf cfg.nginxHost {
${domain} = recursiveUpdate nginx.defaultSettings {
locations."/" = {
proxyPass = "http://127.0.0.1:${port}";
proxyWebsockets = true;
extraConfig = ''
allow 127.0.0.1/32;
allow 100.64.0.0/16;
allow 10.10.10.0/24;
allow fd7a:115c:a1e0::/64;
deny all;
proxy_busy_buffers_size 1024k;
proxy_buffers 32 1024k;
proxy_buffer_size 1024k;
proxy_read_timeout 86400;
'';
};
};
};
}; };
} }
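Review bot: The `allow`/`deny` list placed in `extraConfig` of `locations."/"` gates on `$remote_addr`, so it is only an access control while nginx is the hop that terminates the client connection for this domain; if a CDN or another proxy is ever put in front without `set_real_ip_from`/`real_ip_header`, every request arrives from that hop's address and is uniformly allowed or denied instead of filtered per client. Since this allow-list is the only access control visible for a vhost that fronts a container with the whole NAS path mounted at `/mnt`, I would record the assumption next to the rules: `# Client-IP allow-list: valid only while nginx terminates client connections directly ($remote_addr must be the real client, no upstream proxy/CDN)`. Also, if `100.64.0.0/16` is meant to be the Tailscale/CGNAT range, that range is `100.64.0.0/10`; the `/16` admits only 100.64.x.x, which may be intentional but deserves a one-line comment so the narrower prefix is not mistaken for a typo. Whether `nginx.defaultSettings` enables TLS for the host is not visible in this hunk, so that cannot be confirmed from here.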


@ -6,10 +6,17 @@
... ...
}: }:
let let
inherit (lib) mkEnableOption mkIf mkOption; inherit (lib)
inherit (lib.types) str; mkEnableOption
mkIf
mkOption
recursiveUpdate
;
inherit (lib.types) bool str;
cfg = config.ataraxia.services.authentik; cfg = config.ataraxia.services.authentik;
nginx = config.ataraxia.services.nginx;
domain = "auth.ataraxiadev.com";
in in
{ {
imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ]; imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ];
@ -23,6 +30,11 @@ in
Name for sops secrets directory. Defaults to hostname. Name for sops secrets directory. Defaults to hostname.
''; '';
}; };
nginxHost = mkOption {
type = bool;
default = config.ataraxia.services.nginx.enable;
description = "Enable nginx vHost integration";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -45,12 +57,21 @@ in
environmentFile = config.sops.secrets.authentik-env.path; environmentFile = config.sops.secrets.authentik-env.path;
outposts.ldap = { outposts.ldap = {
enable = true; enable = true;
host = "https://auth.ataraxiadev.com"; host = "https://${domain}";
environmentFile = config.sops.secrets.authentik-ldap.path; environmentFile = config.sops.secrets.authentik-ldap.path;
listen.address = "127.0.0.1"; listen.address = "127.0.0.1";
listen.ldap = 3389; listen.ldap = 3389;
listen.ldaps = 6636; listen.ldaps = 6636;
}; };
}; };
services.nginx.virtualHosts = mkIf cfg.nginxHost {
${domain} = recursiveUpdate nginx.defaultSettings {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.authentik.listen.http}";
proxyWebsockets = true;
};
};
};
}; };
} }
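Review bot: `outposts.ldap.host = "https://${domain}"` makes the LDAP outpost reach the Authentik server through this nginx vhost, yet `nginxHost` is independently switchable (it defaults to `config.ataraxia.services.nginx.enable`), so with nginx disabled the outpost is pointed at a domain nothing on this host serves; either tie the two together or add an assertion such as `assertions = [ { assertion = cfg.nginxHost; message = "authentik: outposts.ldap.host uses ${domain}, which requires the nginx vHost"; } ];`. Separately, the new `locations."/"` sets only `proxyPass` and `proxyWebsockets`; unless `nginx.defaultSettings` or the global `services.nginx.recommendedProxySettings` (neither visible here) supplies `Host`/`X-Forwarded-For`/`X-Forwarded-Proto`, Authentik will see every request as plain HTTP from 127.0.0.1, which affects secure-cookie handling, redirect URLs and its client-IP based logging. If that is not already covered, `recommendedProxySettings = true;` on the location is the minimal fix.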


@ -6,10 +6,17 @@
... ...
}: }:
let let
inherit (lib) mkEnableOption mkIf mkOption; inherit (lib)
inherit (lib.types) str; mkEnableOption
mkIf
mkOption
recursiveUpdate
;
inherit (lib.types) bool str;
cfg = config.ataraxia.services.gitea; cfg = config.ataraxia.services.gitea;
nginx = config.ataraxia.services.nginx;
domain = "code.ataraxiadev.com";
gitea-user = config.services.gitea.user; gitea-user = config.services.gitea.user;
# gitea-group = "gitea"; # gitea-group = "gitea";
@ -37,6 +44,11 @@ in
Name for sops secrets directory. Defaults to hostname. Name for sops secrets directory. Defaults to hostname.
''; '';
}; };
nginxHost = mkOption {
type = bool;
default = config.ataraxia.services.nginx.enable;
description = "Enable nginx vHost integration";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -70,10 +82,10 @@ in
mailerPasswordFile = config.sops.secrets.gitea-mailer.path; mailerPasswordFile = config.sops.secrets.gitea-mailer.path;
settings = { settings = {
server = { server = {
DOMAIN = "code.ataraxiadev.com"; DOMAIN = domain;
HTTP_ADDRESS = "127.0.0.1"; HTTP_ADDRESS = "127.0.0.1";
HTTP_PORT = 6000; HTTP_PORT = 6000;
ROOT_URL = "https://code.ataraxiadev.com"; ROOT_URL = "https://${domain}";
}; };
actions = { actions = {
ENABLED = false; ENABLED = false;
@ -128,6 +140,14 @@ in
}; };
}; };
services.nginx.virtualHosts = mkIf cfg.nginxHost {
${domain} = recursiveUpdate nginx.defaultSettings {
locations."/" = {
proxyPass = "http://127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}";
};
};
};
systemd.services.gitea-dump-clean = systemd.services.gitea-dump-clean =
let let
older-than = "3"; # in days older-than = "3"; # in days
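Review bot: The new `locations."/"` for `code.ataraxiadev.com` sets only `proxyPass`, so request bodies are capped by nginx's default `client_max_body_size` of 1m unless `nginx.defaultSettings` (not visible here) raises it; `git push` over HTTPS, release-asset uploads and LFS will then fail with 413 once a push exceeds that size. I would set it explicitly in this location, e.g. `extraConfig = "client_max_body_size 512m;";`, and note next to it that the limit is the HTTP-push ceiling rather than a security control, since Gitea's own `server` settings here do not constrain it. Forwarding headers from a localhost proxy are trusted by Gitea's default `REVERSE_PROXY_TRUSTED_PROXIES`, so client-IP attribution should be correct provided the proxy settings that send `X-Forwarded-For` are enabled somewhere in `defaultSettings`; that could not be confirmed from this hunk. The `gitea-dump-clean` definition at the bottom of the hunk continues outside it.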


@ -5,10 +5,17 @@
... ...
}: }:
let let
inherit (lib) mkEnableOption mkIf mkOption; inherit (lib)
inherit (lib.types) str; mkEnableOption
mkIf
mkOption
recursiveUpdate
;
inherit (lib.types) bool str;
cfg = config.ataraxia.services.vaultwarden; cfg = config.ataraxia.services.vaultwarden;
nginx = config.ataraxia.services.nginx;
domain = "vw.ataraxiadev.com";
in in
{ {
options.ataraxia.services.vaultwarden = { options.ataraxia.services.vaultwarden = {
@ -20,6 +27,11 @@ in
Name for sops secrets directory. Defaults to hostname. Name for sops secrets directory. Defaults to hostname.
''; '';
}; };
nginxHost = mkOption {
type = bool;
default = config.ataraxia.services.nginx.enable;
description = "Enable nginx vHost integration";
};
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
@ -31,7 +43,7 @@ in
enable = true; enable = true;
backupDir = "/srv/vaultwarden"; backupDir = "/srv/vaultwarden";
config = { config = {
domain = "https://vw.ataraxiadev.com"; domain = "https://${domain}";
extendedLogging = true; extendedLogging = true;
invitationsAllowed = false; invitationsAllowed = false;
useSyslog = true; useSyslog = true;
@ -56,11 +68,20 @@ in
environmentFile = config.sops.secrets.vaultwarden.path; environmentFile = config.sops.secrets.vaultwarden.path;
}; };
# We need to do this to successufully create backup folder services.nginx.virtualHosts = mkIf cfg.nginxHost {
# systemd.services.backup-vaultwarden.serviceConfig = { ${domain} = recursiveUpdate nginx.defaultSettings {
# User = "root"; locations."/" = {
# Group = "root"; proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
# }; };
locations."/notifications/hub" = {
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.websocketPort}";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
};
};
};
persist.state.directories = [ persist.state.directories = [
"/var/lib/vaultwarden" "/var/lib/vaultwarden"