feat: add nginx integration to some services

2025-07-10 18:36:59 +03:00 · 2025-07-10 18:36:59 +03:00 · 6cedde7e17
commit 6cedde7e17
parent 312fdc791e
4 changed files with 114 additions and 18 deletions
--- a/modules/nixos/containers/filestash.nix
+++ b/modules/nixos/containers/filestash.nix
@ -1,14 +1,28 @@
 { config, lib, ... }:
 let
-  inherit (lib) mkEnableOption mkIf;
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    recursiveUpdate
+    ;
+  inherit (lib.types) bool;
  inherit (config.virtualisation.quadlet) networks;

  cfg = config.ataraxia.containers.filestash;
+  nginx = config.ataraxia.services.nginx;
  nas-path = "/media/nas/media-stack";
+  domain = "files.ataraxiadev.com";
+  port = "8334";
 in
 {
  options.ataraxia.containers.filestash = {
    enable = mkEnableOption "Enable filestash container";
+    nginxHost = mkOption {
+      type = bool;
+      default = config.ataraxia.services.nginx.enable;
+      description = "Enable nginx vHost integration";
+    };
  };

  config = mkIf cfg.enable {
@ -20,18 +34,38 @@ in
          PGID = "100";
          UMASK = "002";
          TZ = "Europe/Moscow";
-          APPLICATION_URL = "files.ataraxiadev.com";
+          APPLICATION_URL = domain;
          CANARY = "true";
        };
        # Tags: latest
        image = "docker.io/machines/filestash@sha256:923c3399768fada3424bb6f3bc01521dad30e9a7a840cfb2eba3610b6acafffe";
        networks = [ networks.br-services.ref ];
-        publishPorts = [ "127.0.0.1:8334:8334/tcp" ];
+        publishPorts = [ "127.0.0.1:${port}:${port}/tcp" ];
        volumes = [
          "${nas-path}/configs/filestash:/app/data/state"
          "${nas-path}:/mnt"
        ];
      };
    };
+
+    services.nginx.virtualHosts = mkIf cfg.nginxHost {
+      ${domain} = recursiveUpdate nginx.defaultSettings {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${port}";
+          proxyWebsockets = true;
+          extraConfig = ''
+            allow 127.0.0.1/32;
+            allow 100.64.0.0/16;
+            allow 10.10.10.0/24;
+            allow fd7a:115c:a1e0::/64;
+            deny all;
+            proxy_busy_buffers_size 1024k;
+            proxy_buffers 32 1024k;
+            proxy_buffer_size 1024k;
+            proxy_read_timeout 86400;
+          '';
+        };
+      };
+    };
  };
 }
--- a/modules/nixos/services/authentik.nix
+++ b/modules/nixos/services/authentik.nix
@ -6,10 +6,17 @@
  ...
 }:
 let
-  inherit (lib) mkEnableOption mkIf mkOption;
-  inherit (lib.types) str;
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    recursiveUpdate
+    ;
+  inherit (lib.types) bool str;

  cfg = config.ataraxia.services.authentik;
+  nginx = config.ataraxia.services.nginx;
+  domain = "auth.ataraxiadev.com";
 in
 {
  imports = [ inputs.ataraxiasjel-nur.nixosModules.authentik ];
@ -23,6 +30,11 @@ in
        Name for sops secrets directory. Defaults to hostname.
      '';
    };
+    nginxHost = mkOption {
+      type = bool;
+      default = config.ataraxia.services.nginx.enable;
+      description = "Enable nginx vHost integration";
+    };
  };

  config = mkIf cfg.enable {
@ -45,12 +57,21 @@ in
      environmentFile = config.sops.secrets.authentik-env.path;
      outposts.ldap = {
        enable = true;
-        host = "https://auth.ataraxiadev.com";
+        host = "https://${domain}";
        environmentFile = config.sops.secrets.authentik-ldap.path;
        listen.address = "127.0.0.1";
        listen.ldap = 3389;
        listen.ldaps = 6636;
      };
    };
+
+    services.nginx.virtualHosts = mkIf cfg.nginxHost {
+      ${domain} = recursiveUpdate nginx.defaultSettings {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.authentik.listen.http}";
+          proxyWebsockets = true;
+        };
+      };
+    };
  };
 }
--- a/modules/nixos/services/gitea.nix
+++ b/modules/nixos/services/gitea.nix
@ -6,10 +6,17 @@
  ...
 }:
 let
-  inherit (lib) mkEnableOption mkIf mkOption;
-  inherit (lib.types) str;
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    recursiveUpdate
+    ;
+  inherit (lib.types) bool str;

  cfg = config.ataraxia.services.gitea;
+  nginx = config.ataraxia.services.nginx;
+  domain = "code.ataraxiadev.com";

  gitea-user = config.services.gitea.user;
  # gitea-group = "gitea";
@ -37,6 +44,11 @@ in
        Name for sops secrets directory. Defaults to hostname.
      '';
    };
+    nginxHost = mkOption {
+      type = bool;
+      default = config.ataraxia.services.nginx.enable;
+      description = "Enable nginx vHost integration";
+    };
  };

  config = mkIf cfg.enable {
@ -70,10 +82,10 @@ in
      mailerPasswordFile = config.sops.secrets.gitea-mailer.path;
      settings = {
        server = {
-          DOMAIN = "code.ataraxiadev.com";
+          DOMAIN = domain;
          HTTP_ADDRESS = "127.0.0.1";
          HTTP_PORT = 6000;
-          ROOT_URL = "https://code.ataraxiadev.com";
+          ROOT_URL = "https://${domain}";
        };
        actions = {
          ENABLED = false;
@ -128,6 +140,14 @@ in
      };
    };

+    services.nginx.virtualHosts = mkIf cfg.nginxHost {
+      ${domain} = recursiveUpdate nginx.defaultSettings {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}";
+        };
+      };
+    };
+
    systemd.services.gitea-dump-clean =
      let
        older-than = "3"; # in days
--- a/modules/nixos/services/vaultwarden.nix
+++ b/modules/nixos/services/vaultwarden.nix
@ -5,10 +5,17 @@
  ...
 }:
 let
-  inherit (lib) mkEnableOption mkIf mkOption;
-  inherit (lib.types) str;
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    mkOption
+    recursiveUpdate
+    ;
+  inherit (lib.types) bool str;

  cfg = config.ataraxia.services.vaultwarden;
+  nginx = config.ataraxia.services.nginx;
+  domain = "vw.ataraxiadev.com";
 in
 {
  options.ataraxia.services.vaultwarden = {
@ -20,6 +27,11 @@ in
        Name for sops secrets directory. Defaults to hostname.
      '';
    };
+    nginxHost = mkOption {
+      type = bool;
+      default = config.ataraxia.services.nginx.enable;
+      description = "Enable nginx vHost integration";
+    };
  };

  config = mkIf cfg.enable {
@ -31,7 +43,7 @@ in
      enable = true;
      backupDir = "/srv/vaultwarden";
      config = {
-        domain = "https://vw.ataraxiadev.com";
+        domain = "https://${domain}";
        extendedLogging = true;
        invitationsAllowed = false;
        useSyslog = true;
@ -56,11 +68,20 @@ in
      environmentFile = config.sops.secrets.vaultwarden.path;
    };

-    # We need to do this to successufully create backup folder
-    # systemd.services.backup-vaultwarden.serviceConfig = {
-    #   User = "root";
-    #   Group = "root";
-    # };
+    services.nginx.virtualHosts = mkIf cfg.nginxHost {
+      ${domain} = recursiveUpdate nginx.defaultSettings {
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
+        };
+        locations."/notifications/hub" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.websocketPort}";
+          proxyWebsockets = true;
+        };
+        locations."/notifications/hub/negotiate" = {
+          proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.rocketPort}";
+        };
+      };
+    };

    persist.state.directories = [
      "/var/lib/vaultwarden"