nyanloutre/nixos-config
1
1
Fork 1
Code Issues Pull requests Releases Wiki Activity

global reformat with treefmt

Browse source
This commit is contained in:
nyanloutre 2025-04-23 11:15:31 +02:00
parent 97f849e454
commit 393e92fe14
17 changed files with 979 additions and 726 deletions
Download patch file Download diff file Expand all files Collapse all files

409
systems/LoutreOS/web.nix
View file

@ -1,4 +1,9 @@
{ config, lib, pkgs, ... }:
{
config,
lib,
pkgs,
...
}:
with lib;
@ -15,7 +20,7 @@ let
internal;
# Access /auth endpoint to query login state
proxy_pass http://127.0.0.1:${toString(config.services.nginx.sso.configuration.listen.port)}/auth;
proxy_pass http://127.0.0.1:${toString (config.services.nginx.sso.configuration.listen.port)}/auth;
# Do not forward the request body (nginx-sso does not care about it)
proxy_pass_request_body off;
@ -53,7 +58,7 @@ in
};
users.groups = {
webdav = {};
webdav = { };
};
users.users = {
webdav = {
@ -83,7 +88,10 @@ in
nginx = {
enable = true;
package = pkgs.nginx.override {
modules = with pkgs.nginxModules; [ dav moreheaders ];
modules = with pkgs.nginxModules; [
dav
moreheaders
];
};
recommendedGzipSettings = true;
recommendedOptimisation = true;
@ -115,7 +123,12 @@ in
};
audit_log = {
targets = [ "fd://stdout" ];
events = [ "access_denied" "login_success" "login_failure" "logout" ];
events = [
"access_denied"
"login_success"
"login_failure"
"logout"
];
};
providers.simple = {
enable_basic_auth = true;
@ -129,165 +142,188 @@ in
acl = {
rule_sets = [
{
rules = [ { field = "x-host"; regexp = ".*"; } ];
rules = [
{
field = "x-host";
regexp = ".*";
}
];
allow = [ "@admins" ];
}
];
};
};
};
virtualHosts = let
base = locations: {
locations = locations // {
"@maintenance" = {
root = "/var/www/errorpages/";
extraConfig = ''
rewrite ^(.*)$ /50x.html break;
'';
virtualHosts =
let
base = locations: {
locations = locations // {
"@maintenance" = {
root = "/var/www/errorpages/";
extraConfig = ''
rewrite ^(.*)$ /50x.html break;
'';
};
};
forceSSL = true;
enableACME = true;
extraConfig = ''
error_page 500 502 503 504 = @maintenance;
'';
};
forceSSL = true;
enableACME = true;
extraConfig = ''
error_page 500 502 503 504 = @maintenance;
'';
};
simpleReverse = rport: base {
"/" = {
proxyPass = "http://127.0.0.1:${toString(rport)}/";
};
};
authReverse = rport: zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
(base {
simpleReverse =
rport:
base {
"/" = {
proxyPass = "http://127.0.0.1:${toString (rport)}/";
};
};
authReverse =
rport:
zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
(base {
"/" = {
proxyPass = "http://127.0.0.1:${toString (rport)}/";
extraConfig = ''
auth_request_set $cookie $upstream_http_set_cookie;
auth_request_set $username $upstream_http_x_username;
proxy_set_header X-WEBAUTH-USER $username;
add_header Set-Cookie $cookie;
'';
};
})
{
extraConfig = ''
include ${nginxSsoAuth};
'';
}
];
in
{
"nyanlout.re" =
base {
"/" = {
alias = "/var/www/site-perso/";
};
"/maintenance/" = {
alias = "/var/www/errorpages/";
};
"/.well-known/openpgpkey/" = {
alias = "/var/lib/gnupg/wks/nyanlout.re";
extraConfig = ''
add_header Access-Control-Allow-Origin * always;
'';
};
}
// {
default = true;
};
"musique-meyenheim.fr" = base {
"/" = {
proxyPass = "http://127.0.0.1:${toString(rport)}/";
extraConfig = ''
auth_request_set $cookie $upstream_http_set_cookie;
auth_request_set $username $upstream_http_x_username;
proxy_set_header X-WEBAUTH-USER $username;
add_header Set-Cookie $cookie;
'';
proxyPass = "http://unix:/run/site-musique.sock";
};
})
{
extraConfig = ''
include ${nginxSsoAuth};
'';
}
];
in {
"nyanlout.re" = base {
"/" = {
alias = "/var/www/site-perso/";
};
"/maintenance/" = {
alias = "/var/www/errorpages/";
};
"/.well-known/openpgpkey/" = {
alias = "/var/lib/gnupg/wks/nyanlout.re";
extraConfig = ''
add_header Access-Control-Allow-Origin * always;
'';
};
} // { default = true; };
"musique-meyenheim.fr" = base {
"/" = {
proxyPass = "http://unix:/run/site-musique.sock";
};
"/static/" = {
alias = "/var/www/site-musique/staticfiles/";
};
"/media/" = {
alias = "/var/www/site-musique/media/";
};
};
"www.musique-meyenheim.fr" = {
enableACME = true;
forceSSL = true;
globalRedirect = "musique-meyenheim.fr";
};
"login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port;
"grafana.nyanlout.re" = authReverse config.services.grafana.settings.server.http_port;
"transmission.nyanlout.re" = authReverse config.services.transmission.settings.rpc-port;
"radarr.nyanlout.re" = authReverse 7878;
"sonarr.nyanlout.re" = authReverse 8989;
"syncthing.nyanlout.re" = authReverse 8384;
"prowlarr.nyanlout.re" = authReverse 9696;
"watcharr.nyanlout.re" = simpleReverse 3080;
"emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
locations."/" = {
proxyWebsockets = true;
};
};
"gitea.nyanlout.re" = simpleReverse config.services.forgejo.settings.server.HTTP_PORT;
"photo.nyanlout.re" = recursiveUpdate (simpleReverse config.services.photoprism.port) {
locations."/" = {
proxyWebsockets = true;
};
};
"zigbee.nyanlout.re" = recursiveUpdate (authReverse config.services.zigbee2mqtt.settings.frontend.port) {
locations."/" = {
proxyWebsockets = true;
};
};
"apart.nyanlout.re" = recursiveUpdate (simpleReverse config.services.home-assistant.config.http.server_port) {
locations."/" = {
proxyWebsockets = true;
};
};
"drive.nyanlout.re" = base {
"/" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
fastcgi_intercept_errors on;
fastcgi_buffers 64 4K;
client_body_temp_path /mnt/webdav/tmp_upload;
client_max_body_size 0;
proxy_request_buffering off;
'';
};
} // {
root = "/mnt/webdav";
};
"rspamd.nyanlout.re" = zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0) [
(base {
"/" = {
proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
extraConfig = ''
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
'';
"/static/" = {
alias = "/var/www/site-musique/staticfiles/";
};
})
{
extraConfig = ''
include ${nginxSsoAuth};
'';
}
];
"designyourfuture.amandoline-creations.fr" = base {
"/".alias = "/var/www/amandoline-designyourfuture/";
"/media/" = {
alias = "/var/www/site-musique/media/";
};
};
"www.musique-meyenheim.fr" = {
enableACME = true;
forceSSL = true;
globalRedirect = "musique-meyenheim.fr";
};
"login.nyanlout.re" = simpleReverse config.services.nginx.sso.configuration.listen.port;
"grafana.nyanlout.re" = authReverse config.services.grafana.settings.server.http_port;
"transmission.nyanlout.re" = authReverse config.services.transmission.settings.rpc-port;
"radarr.nyanlout.re" = authReverse 7878;
"sonarr.nyanlout.re" = authReverse 8989;
"syncthing.nyanlout.re" = authReverse 8384;
"prowlarr.nyanlout.re" = authReverse 9696;
"watcharr.nyanlout.re" = simpleReverse 3080;
"emby.nyanlout.re" = recursiveUpdate (simpleReverse 8096) {
locations."/" = {
proxyWebsockets = true;
};
};
"gitea.nyanlout.re" = simpleReverse config.services.forgejo.settings.server.HTTP_PORT;
"photo.nyanlout.re" = recursiveUpdate (simpleReverse config.services.photoprism.port) {
locations."/" = {
proxyWebsockets = true;
};
};
"zigbee.nyanlout.re" =
recursiveUpdate (authReverse config.services.zigbee2mqtt.settings.frontend.port)
{
locations."/" = {
proxyWebsockets = true;
};
};
"apart.nyanlout.re" =
recursiveUpdate (simpleReverse config.services.home-assistant.config.http.server_port)
{
locations."/" = {
proxyWebsockets = true;
};
};
"drive.nyanlout.re" =
base {
"/" = {
extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:${config.services.phpfpm.pools.drive.socket};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
fastcgi_intercept_errors on;
fastcgi_buffers 64 4K;
client_body_temp_path /mnt/webdav/tmp_upload;
client_max_body_size 0;
proxy_request_buffering off;
'';
};
}
// {
root = "/mnt/webdav";
};
"rspamd.nyanlout.re" =
zipAttrsWith (name: vs: if name == "extraConfig" then (concatStrings vs) else elemAt vs 0)
[
(base {
"/" = {
proxyPass = "http://unix:/run/rspamd/worker-controller.sock";
extraConfig = ''
auth_request_set $cookie $upstream_http_set_cookie;
add_header Set-Cookie $cookie;
'';
};
})
{
extraConfig = ''
include ${nginxSsoAuth};
'';
}
];
"designyourfuture.amandoline-creations.fr" = base {
"/".alias = "/var/www/amandoline-designyourfuture/";
};
"amandoline-creations.fr" = base {
"/".alias = "/var/www/amandoline-portfolio/";
};
"www.amandoline-creations.fr" = {
enableACME = true;
forceSSL = true;
globalRedirect = "amandoline-creations.fr";
};
"challenge.amandoline-creations.fr" = base {
"/".alias = "/var/www/amandoline-challenge/";
};
${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
};
};
"amandoline-creations.fr" = base {
"/".alias = "/var/www/amandoline-portfolio/";
};
"www.amandoline-creations.fr" = {
enableACME = true;
forceSSL = true;
globalRedirect = "amandoline-creations.fr";
};
"challenge.amandoline-creations.fr" = base {
"/".alias = "/var/www/amandoline-challenge/";
};
${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
};
};
};
postgresql = {
@ -382,35 +418,50 @@ in
LoadCredential = "nextcloud_admin.pass:/mnt/secrets/nextcloud_admin.pass";
};
systemd.services.site-musique = let
djangoEnv =(pkgs.python3.withPackages (ps: with ps; [ gunicorn django_4 pillow setuptools ]));
in {
description = "Site Django de la musique de Meyenheim";
after = [ "network.target" ];
requires = [ "site-musique.socket" ];
preStart = ''
${djangoEnv}/bin/python manage.py migrate;
${djangoEnv}/bin/python manage.py collectstatic --no-input;
'';
environment = {
DJANGO_SETTINGS_MODULE = "site_musique.settings.prod";
NGINX_DIRECTORY = "/var/www/site-musique";
};
serviceConfig = {
DynamicUser = true;
Group = "nginx";
StateDirectory = "site-musique";
WorkingDirectory = "/var/www/site-musique/";
ReadWritePaths = [ "/var/www/site-musique/staticfiles" "/var/www/site-musique/media" ];
EnvironmentFile = "/mnt/secrets/site-musique.env";
ExecStart = ''${djangoEnv}/bin/gunicorn \
--access-logfile - \
--bind unix:/run/site-musique.sock \
site_musique.wsgi:application
systemd.services.site-musique =
let
djangoEnv = (
pkgs.python3.withPackages (
ps: with ps; [
gunicorn
django_4
pillow
setuptools
]
)
);
in
{
description = "Site Django de la musique de Meyenheim";
after = [ "network.target" ];
requires = [ "site-musique.socket" ];
preStart = ''
${djangoEnv}/bin/python manage.py migrate;
${djangoEnv}/bin/python manage.py collectstatic --no-input;
'';
PrivateTmp = true;
environment = {
DJANGO_SETTINGS_MODULE = "site_musique.settings.prod";
NGINX_DIRECTORY = "/var/www/site-musique";
};
serviceConfig = {
DynamicUser = true;
Group = "nginx";
StateDirectory = "site-musique";
WorkingDirectory = "/var/www/site-musique/";
ReadWritePaths = [
"/var/www/site-musique/staticfiles"
"/var/www/site-musique/media"
];
EnvironmentFile = "/mnt/secrets/site-musique.env";
ExecStart = ''
${djangoEnv}/bin/gunicorn \
--access-logfile - \
--bind unix:/run/site-musique.sock \
site_musique.wsgi:application
'';
PrivateTmp = true;
};
};
};
systemd.sockets.site-musique = {
description = "Site Musique socket";