AtaraxiaDev/nixos-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

change nginx config

Browse Source
This commit is contained in:
Dmitriy Kholkin 2023-11-11 03:17:20 +03:00
parent cbe238a99d
commit b7b3a22887
3 changed files with 121 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
profiles/servers/authentik.nix
View File

@ -115,4 +115,6 @@ in {
ExecStop = stop; ExecStop = stop;
}; };
}; };
networking.firewall.allowedTCPPorts = [ 389 ];
} }

78
profiles/servers/homepage.nix
View File

@ -1,19 +1,75 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
backend = config.virtualisation.oci-containers.backend;
nas-path = "/media/nas/containers"; nas-path = "/media/nas/containers";
pod-name = "homepage-pod";
pod-dns = "192.168.0.5";
open-ports = [
"127.0.0.1:3000:3000/tcp"
# "127.0.0.1:2375:2375/tcp"
];
in { in {
virtualisation.oci-containers.containers.homepage = { virtualisation.oci-containers.containers = {
autoStart = true; homepage = {
image = "ghcr.io/benphelps/homepage:v0.7.0"; autoStart = true;
environment = { image = "ghcr.io/gethomepage/homepage:v0.8.0";
PUID = "1000"; environment = {
PGID = "100"; PUID = "1000";
PGID = "100";
};
extraOptions = [ "--pod=${pod-name}" ];
# ports = [ "127.0.0.1:3000:3000/tcp" ];
volumes = [
"${nas-path}/homepage/config:/app/config"
"${nas-path}/homepage/icons:/app/public/icons"
"${nas-path}/homepage/images:/app/public/images"
];
}; };
ports = [ "127.0.0.1:3000:3000/tcp" ]; docker-proxy = {
volumes = [ autoStart = true;
"${nas-path}/homepage/config:/app/config" image = "ghcr.io/tecnativa/docker-socket-proxy:0.1.1";
"${nas-path}/homepage/icons:/app/public/icons" environment = {
"/var/run/docker.sock:/var/run/docker.sock" CONTAINERS = "1";
SERVICES = "0";
TASKS = "0";
POST = "0";
};
extraOptions = [ "--pod=${pod-name}" ];
# ports = [ "127.0.0.1:2375:2375/tcp" ];
volumes = [
"${nas-path}/homepage/config:/app/config"
"${nas-path}/homepage/icons:/app/public/icons"
"${nas-path}/homepage/images:/app/public/images"
"/var/run/docker.sock:/var/run/docker.sock:ro"
];
};
};
systemd.tmpfiles.rules = [
"d ${nas-path}/homepage/config 0755 1000 100 -"
"d ${nas-path}/homepage/icons 0755 1000 100 -"
"d ${nas-path}/homepage/images 0755 1000 100 -"
];
systemd.services."podman-create-${pod-name}" = let
portsMapping = lib.concatMapStrings (port: " -p " + port) open-ports;
start = pkgs.writeShellScript "create-pod" ''
podman pod exists ${pod-name} || podman pod create -n ${pod-name} ${portsMapping} --dns ${pod-dns}
'';
stop = "podman pod rm -i -f ${pod-name}";
in rec {
path = [ pkgs.coreutils config.virtualisation.podman.package ];
before = [
"${backend}-homepage.service"
"${backend}-docker-proxy.service"
]; ];
requiredBy = before;
partOf = before;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
ExecStart = start;
ExecStop = stop;
};
}; };
} }

112
profiles/servers/nginx.nix
View File

@ -1,8 +1,14 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
authentik = { root ? {}, rootExtraConfig ? "", locations ? {}, ... }: { authentik = { proxyPass ? null, proxyWebsockets ? false, root ? {}, rootExtraConfig ? "", locations ? {}, extraConfig ? "", ... }: {
extraConfig = ''
proxy_buffers 8 16k;
proxy_buffer_size 32k;
'' + extraConfig;
locations = locations // { locations = locations // {
"/" = { "/" = {
proxyPass = proxyPass;
proxyWebsockets = proxyWebsockets;
extraConfig = '' extraConfig = ''
auth_request /outpost.goauthentik.io/auth/nginx; auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin; error_page 401 = @goauthentik_proxy_signin;
@ -15,18 +21,20 @@ let
auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid; auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
auth_request_set $authentik_authorization $upstream_http_authorization;
proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid; proxy_set_header X-authentik-uid $authentik_uid;
proxy_set_header Authorization $authentik_authorization;
'' + rootExtraConfig; '' + rootExtraConfig;
} // root; } // root;
"/outpost.goauthentik.io" = { "/outpost.goauthentik.io" = {
extraConfig = '' extraConfig = ''
# proxy_pass http://127.0.0.1:9000/outpost.goauthentik.io; proxy_pass http://127.0.0.1:9000/outpost.goauthentik.io;
proxy_pass https://auth.ataraxiadev.com/outpost.goauthentik.io; # proxy_pass https://auth.ataraxiadev.com/outpost.goauthentik.io;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
@ -39,9 +47,9 @@ let
extraConfig = '' extraConfig = ''
internal; internal;
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
# return 302 /outpost.goauthentik.io/start?rd=$request_uri; return 302 /outpost.goauthentik.io/start?rd=$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
return 302 https://auth.ataraxiadev.com/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; # return 302 https://auth.ataraxiadev.com/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
''; '';
}; };
}; };
@ -184,20 +192,12 @@ in {
}; };
} // default; } // default;
"home.ataraxiadev.com" = default // authentik { "home.ataraxiadev.com" = default // authentik {
root = { proxyPass = "http://127.0.0.1:3000"; }; proxyPass = "http://127.0.0.1:3000";
};
"openbooks.ataraxiadev.com" = default // authentik {
proxyPass = "http://127.0.0.1:8097";
proxyWebsockets = true;
}; };
# "openbooks.ataraxiadev.com" = default // authentik {
# root = {
# proxyPass = "http://127.0.0.1:8097";
# proxyWebsockets = true;
# };
# };
"openbooks.ataraxiadev.com" = {
locations."/" = {
proxyPass = "http://127.0.0.1:8097";
proxyWebsockets = true;
};
} // default;
"docs.ataraxiadev.com" = { "docs.ataraxiadev.com" = {
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:3010"; proxyPass = "http://127.0.0.1:3010";
@ -235,29 +235,29 @@ in {
}; };
} // default; } // default;
"bathist.ataraxiadev.com" = default // authentik { "bathist.ataraxiadev.com" = default // authentik {
root = { proxyPass = "http://127.0.0.1:9999"; }; proxyPass = "http://127.0.0.1:9999";
rootExtraConfig = proxySettings; rootExtraConfig = proxySettings;
}; };
"browser.ataraxiadev.com" = { # "browser.ataraxiadev.com" = {
locations."/" = { # locations."/" = {
proxyPass = "http://127.0.0.1:8090"; # proxyPass = "http://127.0.0.1:8090";
proxyWebsockets = true; # proxyWebsockets = true;
extraConfig = '' # extraConfig = ''
proxy_read_timeout 86400; # proxy_read_timeout 86400;
'' + proxySettings; # '' + proxySettings;
}; # };
} // default; # } // default;
"fb.ataraxiadev.com" = default // authentik { # "fb.ataraxiadev.com" = default // authentik {
root = { proxyPass = "http://127.0.0.1:3923"; }; # proxyPass = "http://127.0.0.1:3923";
rootExtraConfig = '' # rootExtraConfig = ''
proxy_redirect off; # proxy_redirect off;
proxy_http_version 1.1; # proxy_http_version 1.1;
client_max_body_size 0; # client_max_body_size 0;
proxy_buffering off; # proxy_buffering off;
proxy_request_buffering off; # proxy_request_buffering off;
proxy_set_header Connection "Keep-Alive"; # proxy_set_header Connection "Keep-Alive";
'' + proxySettings; # '' + proxySettings;
}; # };
"file.ataraxiadev.com" = { "file.ataraxiadev.com" = {
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8088"; proxyPass = "http://127.0.0.1:8088";
@ -292,15 +292,9 @@ in {
extraConfig = proxySettings; extraConfig = proxySettings;
}; };
} // default; } // default;
# "tools.ataraxiadev.com" = default // authentik { "tools.ataraxiadev.com" = default // authentik {
# root = { proxyPass = "http://127.0.0.1:8070"; }; proxyPass = "http://127.0.0.1:8070";
# }; };
"tools.ataraxiadev.com" = {
locations."/" = {
proxyPass = "http://127.0.0.1:8070";
extraConfig = proxySettings;
};
} // default;
"medusa.ataraxiadev.com" = { "medusa.ataraxiadev.com" = {
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8180"; proxyPass = "http://127.0.0.1:8180";
@ -341,12 +335,12 @@ in {
extraConfig = proxySettings; extraConfig = proxySettings;
}; };
} // default; } // default;
"fsync.ataraxiadev.com" = { # "fsync.ataraxiadev.com" = {
locations."/" = { # locations."/" = {
proxyPass = "http://127.0.0.1:5000"; # proxyPass = "http://127.0.0.1:5000";
extraConfig = proxySettings; # extraConfig = proxySettings;
}; # };
} // default; # } // default;
"auth.ataraxiadev.com" = { "auth.ataraxiadev.com" = {
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:9000"; proxyPass = "http://127.0.0.1:9000";
@ -381,12 +375,10 @@ in {
'' + proxySettings; '' + proxySettings;
}; };
} // default; } // default;
"wiki.ataraxiadev.com" = { "wiki.ataraxiadev.com" = default // authentik {
locations."/" = { proxyPass = "http://127.0.0.1:8190";
proxyPass = "http://127.0.0.1:8190"; # rootExtraConfig = proxySettings;
extraConfig = proxySettings; };
};
} // default;
}; };
}; };