From b7b3a22887f708031875d14dcd8f1baf8c2c54e9 Mon Sep 17 00:00:00 2001
From: Dmitriy Kholkin
Date: Sat, 11 Nov 2023 03:17:20 +0300
Subject: [PATCH] change nginx config
---
 profiles/servers/authentik.nix | 2 +
 profiles/servers/homepage.nix | 78 +++++++++++++++++++----
 profiles/servers/nginx.nix | 112 +++++++++++++++------------------
 3 files changed, 121 insertions(+), 71 deletions(-)
diff --git a/profiles/servers/authentik.nix b/profiles/servers/authentik.nix
index 9a3df69..1c8d275 100644
--- a/profiles/servers/authentik.nix
+++ b/profiles/servers/authentik.nix
@@ -115,4 +115,6 @@ in {
       ExecStop = stop;
     };
   };
+
+  networking.firewall.allowedTCPPorts = [ 389 ];
 }
\ No newline at end of file
diff --git a/profiles/servers/homepage.nix b/profiles/servers/homepage.nix
index 1d81b94..57a13df 100644
--- a/profiles/servers/homepage.nix
+++ b/profiles/servers/homepage.nix
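Review bot: `networking.firewall.allowedTCPPorts = [ 389 ];` opens the port on every interface, and 389 is cleartext LDAP, so whatever listens there (presumably an authentik LDAP outpost; nothing in this hunk shows the listener) receives bind credentials unencrypted from any host that can route to this machine. If only LAN clients need it, scope the rule per interface, `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 389 ];`, or expose 636 (LDAPS) and leave 389 closed. Either way the line needs a why-comment naming the consumer, e.g. `# LDAP outpost for LAN clients; cleartext LDAP, keep off public interfaces`. The enclosing attribute set starts above the hunk.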
@@ -1,19 +1,75 @@
 { config, lib, pkgs, ... }:
 let
+  backend = config.virtualisation.oci-containers.backend;
   nas-path = "/media/nas/containers";
+  pod-name = "homepage-pod";
+  pod-dns = "192.168.0.5";
+  open-ports = [
+    "127.0.0.1:3000:3000/tcp"
+    # "127.0.0.1:2375:2375/tcp"
+  ];
 in {
-  virtualisation.oci-containers.containers.homepage = {
-    autoStart = true;
-    image = "ghcr.io/benphelps/homepage:v0.7.0";
-    environment = {
-      PUID = "1000";
-      PGID = "100";
+  virtualisation.oci-containers.containers = {
+    homepage = {
+      autoStart = true;
+      image = "ghcr.io/gethomepage/homepage:v0.8.0";
+      environment = {
+        PUID = "1000";
+        PGID = "100";
+      };
+      extraOptions = [ "--pod=${pod-name}" ];
+      # ports = [ "127.0.0.1:3000:3000/tcp" ];
+      volumes = [
+        "${nas-path}/homepage/config:/app/config"
+        "${nas-path}/homepage/icons:/app/public/icons"
+        "${nas-path}/homepage/images:/app/public/images"
+      ];
     };
-    ports = [ "127.0.0.1:3000:3000/tcp" ];
-    volumes = [
-      "${nas-path}/homepage/config:/app/config"
-      "${nas-path}/homepage/icons:/app/public/icons"
-      "/var/run/docker.sock:/var/run/docker.sock"
+    docker-proxy = {
+      autoStart = true;
+      image = "ghcr.io/tecnativa/docker-socket-proxy:0.1.1";
+      environment = {
+        CONTAINERS = "1";
+        SERVICES = "0";
+        TASKS = "0";
+        POST = "0";
+      };
+      extraOptions = [ "--pod=${pod-name}" ];
+      # ports = [ "127.0.0.1:2375:2375/tcp" ];
+      volumes = [
+        "${nas-path}/homepage/config:/app/config"
+        "${nas-path}/homepage/icons:/app/public/icons"
+        "${nas-path}/homepage/images:/app/public/images"
+        "/var/run/docker.sock:/var/run/docker.sock:ro"
+      ];
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${nas-path}/homepage/config 0755 1000 100 -"
+    "d ${nas-path}/homepage/icons 0755 1000 100 -"
+    "d ${nas-path}/homepage/images 0755 1000 100 -"
+  ];
+
+  systemd.services."podman-create-${pod-name}" = let
+    portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
+    start = pkgs.writeShellScript "create-pod" ''
+      podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping} --dns ${pod-dns}
+    '';
+    stop = "podman pod rm -i -f ${pod-name}";
+  in rec {
+    path = [ pkgs.coreutils config.virtualisation.podman.package ];
+    before = [
+      "${backend}-homepage.service"
+      "${backend}-docker-proxy.service"
     ];
+    requiredBy = before;
+    partOf = before;
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = "yes";
+      ExecStart = start;
+      ExecStop = stop;
+    };
   };
 }
\ No newline at end of file
diff --git a/profiles/servers/nginx.nix b/profiles/servers/nginx.nix
index 232e313..8f66d4f 100644
--- a/profiles/servers/nginx.nix
+++ b/profiles/servers/nginx.nix
@@ -1,8 +1,14 @@
 { config, lib, pkgs, ... }:
 let
-  authentik = { root ? {}, rootExtraConfig ? "", locations ? {}, ... }: {
+  authentik = { proxyPass ? null, proxyWebsockets ? false, root ? {}, rootExtraConfig ? "", locations ? {}, extraConfig ? "", ... }: {
+    extraConfig = ''
+      proxy_buffers 8 16k;
+      proxy_buffer_size 32k;
+    '' + extraConfig;
     locations = locations // {
       "/" = {
+        proxyPass = proxyPass;
+        proxyWebsockets = proxyWebsockets;
         extraConfig = ''
           auth_request /outpost.goauthentik.io/auth/nginx;
           error_page 401 = @goauthentik_proxy_signin;
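Review bot: The `docker-proxy` container mounts the three homepage NAS directories at `/app/config`, `/app/public/icons` and `/app/public/images`, which a socket proxy has no use for (they look copied from the `homepage` entry above) and which give a container that already holds the raw Docker socket a writable view of the dashboard config; keep only `"/var/run/docker.sock:/var/run/docker.sock:ro"` in that `volumes` list. Note that `:ro` on a unix socket restricts filesystem operations only, not what is sent through it, so the real boundary is the proxy's `POST = "0"` / `CONTAINERS = "1"` allowlist, which deserves a comment saying exactly that instead of leaning on the mount flag. Because both containers share the pod's network namespace, the proxy's 2375 is reachable unauthenticated by anything else later placed in `homepage-pod`, so the pod should stay limited to these two members. If the `config` directory holds widget API keys, the `0755` in the tmpfiles rule leaves it world-readable on the host; `0750` would be safer (confirm what the config contains).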
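Review bot: The `authentik` function now returns an `extraConfig` key next to `locations`, and every caller in this patch writes `default // authentik { ... }`, where the right-hand set wins on shared keys, so if `default` (defined outside the hunk) carries an `extraConfig` of its own, e.g. security headers, it is now silently dropped on every authentik-protected vhost. Either merge `default.extraConfig` in explicitly or document the precedence on the function with a comment such as: NOTE: returns extraConfig, which overrides any extraConfig in the set merged on the left; confirm default sets none. The buffer directives also need a why-comment, since the numbers are otherwise magic: `# outpost auth_request replies carry large headers/cookies; the default 4k/8k buffers fail with "upstream sent too big header"`, if that is indeed the motivation. The `authentik` function continues past the end of the hunk.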
@@ -15,18 +21,20 @@ let auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; + auth_request_set $authentik_authorization $upstream_http_authorization; proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; + proxy_set_header Authorization $authentik_authorization; '' + rootExtraConfig; } // root; "/outpost.goauthentik.io" = { extraConfig = '' - # proxy_pass http://127.0.0.1:9000/outpost.goauthentik.io; - proxy_pass https://auth.ataraxiadev.com/outpost.goauthentik.io; + proxy_pass http://127.0.0.1:9000/outpost.goauthentik.io; + # proxy_pass https://auth.ataraxiadev.com/outpost.goauthentik.io; proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; @@ -39,9 +47,9 @@ let extraConfig = '' internal; add_header Set-Cookie $auth_cookie; - # return 302 /outpost.goauthentik.io/start?rd=$request_uri; + return 302 /outpost.goauthentik.io/start?rd=$request_uri; # For domain level, use the below error_page to redirect to your authentik server with the full redirect path - return 302 https://auth.ataraxiadev.com/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; + # return 302 https://auth.ataraxiadev.com/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; ''; }; }; 
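Review bot: `proxy_set_header Authorization $authentik_authorization;` runs for every request on the `/` location of every authentik-protected vhost, and when the outpost's auth reply carries no Authorization header the variable is empty, which makes nginx drop the header entirely, so a client's own bearer or basic credentials never reach the upstream. That is the documented authentik pattern for injecting an app-password basic-auth header, but it silently breaks any upstream or API client that authenticates itself (none is visible here; confirm against the vhosts below). Add a comment above the added `auth_request_set` line: `# Authorization is replaced by whatever the outpost returns (basic-auth injection); client-supplied Authorization is dropped`. Switching the `/outpost.goauthentik.io` proxy_pass from the public https URL to `http://127.0.0.1:9000` is fine on loopback, but together with the per-application redirect in the next hunk it needs the matching provider mode change in authentik, which this patch cannot show. The enclosing `authentik` function starts and ends outside the hunk.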
@@ -184,20 +192,12 @@ in {
      };
    } // default;
    "home.ataraxiadev.com" = default // authentik {
-      root = { proxyPass = "http://127.0.0.1:3000"; };
+      proxyPass = "http://127.0.0.1:3000";
+    };
+    "openbooks.ataraxiadev.com" = default // authentik {
+      proxyPass = "http://127.0.0.1:8097";
+      proxyWebsockets = true;
    };
-    # "openbooks.ataraxiadev.com" = default // authentik {
-    #   root = {
-    #     proxyPass = "http://127.0.0.1:8097";
-    #     proxyWebsockets = true;
-    #   };
-    # };
-    "openbooks.ataraxiadev.com" = {
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:8097";
-        proxyWebsockets = true;
-      };
-    } // default;
    "docs.ataraxiadev.com" = {
      locations."/" = {
        proxyPass = "http://127.0.0.1:3010";
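Review bot: For `openbooks.ataraxiadev.com` the `proxyWebsockets = true` now applies inside the `authentik`-wrapped `/` location, so the auth_request subrequest is evaluated only on the Upgrade handshake; once the WebSocket is open, a session revoked or expired in authentik does not terminate it, and the connection lives until the client or upstream closes it. That is inherent to nginx's auth_request and acceptable for a personal service, but it should be stated where the option is set, e.g. `# auth is checked on the WS handshake only; revoked sessions keep already-open sockets`. The enclosing virtualHosts set starts above and continues below the hunk.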
@@ -235,29 +235,29 @@ in {
      };
    } // default;
    "bathist.ataraxiadev.com" = default // authentik {
-      root = { proxyPass = "http://127.0.0.1:9999"; };
+      proxyPass = "http://127.0.0.1:9999";
      rootExtraConfig = proxySettings;
    };
-    "browser.ataraxiadev.com" = {
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:8090";
-        proxyWebsockets = true;
-        extraConfig = ''
-          proxy_read_timeout 86400;
-        '' + proxySettings;
-      };
-    } // default;
-    "fb.ataraxiadev.com" = default // authentik {
-      root = { proxyPass = "http://127.0.0.1:3923"; };
-      rootExtraConfig = ''
-        proxy_redirect off;
-        proxy_http_version 1.1;
-        client_max_body_size 0;
-        proxy_buffering off;
-        proxy_request_buffering off;
-        proxy_set_header Connection "Keep-Alive";
-      '' + proxySettings;
-    };
+    # "browser.ataraxiadev.com" = {
+    #   locations."/" = {
+    #     proxyPass = "http://127.0.0.1:8090";
+    #     proxyWebsockets = true;
+    #     extraConfig = ''
+    #       proxy_read_timeout 86400;
+    #     '' + proxySettings;
+    #   };
+    # } // default;
+    # "fb.ataraxiadev.com" = default // authentik {
+    #   proxyPass = "http://127.0.0.1:3923";
+    #   rootExtraConfig = ''
+    #     proxy_redirect off;
+    #     proxy_http_version 1.1;
+    #     client_max_body_size 0;
+    #     proxy_buffering off;
+    #     proxy_request_buffering off;
+    #     proxy_set_header Connection "Keep-Alive";
+    #   '' + proxySettings;
+    # };
    "file.ataraxiadev.com" = {
      locations."/" = {
        proxyPass = "http://127.0.0.1:8088";
@@ -292,15 +292,9 @@ in {
        extraConfig = proxySettings;
      };
    } // default;
-    # "tools.ataraxiadev.com" = default // authentik {
-    #   root = { proxyPass = "http://127.0.0.1:8070"; };
-    # };
-    "tools.ataraxiadev.com" = {
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:8070";
-        extraConfig = proxySettings;
-      };
-    } // default;
+    "tools.ataraxiadev.com" = default // authentik {
+      proxyPass = "http://127.0.0.1:8070";
+    };
    "medusa.ataraxiadev.com" = {
      locations."/" = {
        proxyPass = "http://127.0.0.1:8180";
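Review bot: The rewritten `tools.ataraxiadev.com` drops the `extraConfig = proxySettings;` that the removed `locations."/"` block carried, while the sibling `bathist` entry in the hunk above keeps it via `rootExtraConfig = proxySettings;`; `proxySettings` is defined outside the hunk, but if it holds the forwarded-for/real-IP headers its name suggests, the tools upstream now loses the client address behind authentik. Unless the omission is deliberate, add `rootExtraConfig = proxySettings;` next to `proxyPass`, or leave a one-line comment saying why tools must not get it. The `browser` and `fb` blocks in the first hunk are commented out rather than deleted; git already keeps the history, and a dead block still referencing `proxySettings` rots silently, so delete it or prefix a `# disabled: <reason>` line so the next reader knows whether it is coming back.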
@@ -341,12 +335,12 @@ in { extraConfig = proxySettings; }; } // default; - "fsync.ataraxiadev.com" = { - locations."/" = { - proxyPass = "http://127.0.0.1:5000"; - extraConfig = proxySettings; - }; - } // default; + # "fsync.ataraxiadev.com" = { + # locations."/" = { + # proxyPass = "http://127.0.0.1:5000"; + # extraConfig = proxySettings; + # }; + # } // default; "auth.ataraxiadev.com" = { locations."/" = { proxyPass = "http://127.0.0.1:9000"; @@ -381,12 +375,10 @@ in { '' + proxySettings; }; } // default; - "wiki.ataraxiadev.com" = { - locations."/" = { - proxyPass = "http://127.0.0.1:8190"; - extraConfig = proxySettings; - }; - } // default; + "wiki.ataraxiadev.com" = default // authentik { + proxyPass = "http://127.0.0.1:8190"; + # rootExtraConfig = proxySettings; + }; }; };
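Review bot: `# rootExtraConfig = proxySettings;` in the new `wiki.ataraxiadev.com` entry disables what the removed `extraConfig = proxySettings;` line provided, so the wiki upstream now loses whatever `proxySettings` (defined outside the hunk, presumably forwarded-client headers) was supplying, while the context line `'' + proxySettings;` at the top of the same hunk shows the neighbouring vhost still passes it. If that is intentional, say so in place of the commented line, `# proxySettings deliberately omitted: <reason>`; otherwise uncomment it. The `fsync` vhost in the first hunk is likewise commented out rather than deleted, with no note on whether it returns; delete it or mark it `# disabled: <reason>`.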