Diffstat (limited to 'modules')
-rw-r--r--modules/hosts/ltrr-block/configuration.nix219
-rw-r--r--modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age9
-rw-r--r--modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.agebin0 -> 583 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.agebin0 -> 3214 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/stalwart-admin.key.age9
-rw-r--r--modules/hosts/ltrr-block/secrets/stalwart-cert.agebin0 -> 3159 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/stalwart-pk.agebin0 -> 582 bytes
-rw-r--r--modules/hosts/ltrr-cloud/configuration.nix170
-rw-r--r--modules/hosts/ltrr-cloud/secrets/authelia-users.yaml.agebin0 -> 595 bytes
-rw-r--r--modules/hosts/ltrr-cloud/secrets/rekeyed/f9330776898d34c69149dfd6e093d324-authelia-users.agebin0 -> 548 bytes
-rw-r--r--modules/nixosModules/nginxProxy.nix55
-rw-r--r--modules/nixosModules/watcharr.nix2
12 files changed, 381 insertions, 83 deletions
diff --git a/modules/hosts/ltrr-block/configuration.nix b/modules/hosts/ltrr-block/configuration.nix
index 5ee4711..556c852 100644
--- a/modules/hosts/ltrr-block/configuration.nix
+++ b/modules/hosts/ltrr-block/configuration.nix
@@ -13,6 +13,7 @@
modulesPath,
pkgs,
config,
+ lib,
...
}: let
domain = "kcu.su";
@@ -63,6 +64,15 @@
};
};
+ users.users.git = {
+ group = "git";
+ extraGroups = ["files"];
+ home = lib.mkForce "/var/lib/git";
+ createHome = true;
+ isSystemUser = true;
+ };
+ users.groups.git = {};
+
users.users.mc = {
isNormalUser = true;
packages = with pkgs; [
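Review bot: `home = lib.mkForce "/var/lib/git"` overrides a value the gitolite module sets itself — as far as I recall it assigns the git user's home from `services.gitolite.dataDir` (default `/var/lib/gitolite`) and uses that same option for its own setup, so forcing only `home` leaves two different notions of where gitolite state lives. Setting `services.gitolite.dataDir = "/var/lib/git";` in the gitolite block (last hunk of this file) would make the `mkForce` unnecessary and keep both in agreement. `extraGroups = ["files"]` grants the git user group access to everything the `files` group owns; if it is only needed to traverse `/srv/files`, a comment saying so (`extraGroups = ["files"]; # traverse /srv/files`) lets the next reader judge whether the grant is wider than needed.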
@@ -99,8 +109,18 @@
networking.hostName = "ltrr-block";
networking.firewall = {
- allowedTCPPorts = [80 5030 2049 25565];
- allowedUDPPorts = [51820 16261 16262];
+ allowedTCPPorts = [
+ 80
+ # mail
+ 25
+ 465
+ 993
+
+ 25565 # minecraft
+ ];
+ allowedUDPPorts = [
+ 51820
+ ];
};
security.acme = {
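Review bot: Besides adding 25/465/993, the rewritten list silently drops TCP 5030 and 2049 (NFS) and UDP 16261/16262; if an NFS export or the service on 5030 is still configured further down this file, its clients are now firewalled off, and if those services were removed a short comment such as `# 2049/5030 removed together with nfs` records the intent the way the `# mail` and `# minecraft` comments do. The Stalwart listeners added later bind `[::]`, so this allow-list is the only thing gating them on the LAN; it correctly leaves the management port 7845 closed, which should stay that way since that listener is only meant to be reached through the loopback proxy.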
@@ -137,13 +157,24 @@
"tube".proxyPass = "http://127.0.0.1:5410";
"torrents".proxyPass = "http://127.0.0.1:7317";
"jellyfin".proxyPass = "http://127.0.0.1:8096";
+ "books" = {
+ proxyPass = "http://127.0.0.1:6458";
+ proxyWebsockets = true;
+ };
"lidarr" = {
proxyPass = "http://127.0.0.1:8686";
proxyWebsockets = true;
};
-
- "prowlarr".proxyPass = "http://127.0.0.1:9696";
"shelfmark".proxyPass = "http://127.0.0.1:8084";
+ "mail".proxyPass = "http://127.0.0.1:7845";
+ };
+ extraVirtualHosts = {
+ "navidrome.${domain}" = {
+ enableAuthelia = false;
+ };
+ "git.${domain}" = {
+ enableAuthelia = false;
+ };
};
};
@@ -235,10 +266,6 @@
group = "music";
};
- services.prowlarr = {
- enable = true;
- };
-
services.qbittorrent = {
enable = true;
user = "files";
@@ -410,7 +437,7 @@
# "127.0.0.1:8083:8083"
# ];
# volumes = [
- # "/srv/files/books:/calibre-library"
+ # "/srv/files/books/library:/calibre-library"
# "/srv/files/books/injest:/cwa-book-ingest"
# "/var/lib/cwa:/config"
# ];
@@ -441,16 +468,36 @@
"host"
];
};
- services.booklore = {
+
+ services.audiobookshelf = {
enable = true;
- subdomain = "books";
- uid = "1000";
- gid = "1001";
- settings = {
- timezone = "Europe/Yekaterinburg";
- booksDir = "/srv/files/books/library";
- bookdropDir = "/srv/files/books/injest";
+ port = 6458;
+ user = "files";
+ group = "books";
+ };
+
+ createPaths."/var/lib/stump" = {
+ owner = "files";
+ group = "books";
+ permissions = "0750";
+ };
+
+ virtualisation.oci-containers.containers.stump = {
+ image = "aaronleopold/stump:nightly";
+ volumes = [
+ "/var/lib/stump:/config"
+ "/srv/files/books/library:/data"
+ ];
+ ports = [
+ "127.0.0.1:10821:10801"
+ ];
+ environment = {
+ PUID = "1000";
+ PGID = "1001";
};
+ networks = [
+ "host"
+ ];
};
services.watcharr = {
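Review bot: `networks = ["host"]` on the stump container makes `ports = ["127.0.0.1:10821:10801"]` inert — with host networking podman does not publish ports, the service binds directly on the host at its own listen port and on every interface rather than only loopback. Keep one or the other: drop `networks` to get the loopback-only mapping the `ports` line describes, or drop `ports` and document the real host port. `image = "aaronleopold/stump:nightly"` floats with every pull; a fixed tag or digest keeps what runs reproducible and reviewable. `PUID = "1000"` / `PGID = "1001"` are presumably the `files`/`books` ids used by the audiobookshelf block just above; deriving them from the user/group definitions (if they carry explicit ids) avoids the two drifting apart.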
@@ -458,6 +505,144 @@
subdomain = "watched";
};
+ age.secrets.stalwart-admin = {
+ rekeyFile = ./secrets/stalwart-admin.key.age;
+ };
+ age.secrets.stalwart-cert = {
+ rekeyFile = ./secrets/stalwart-cert.age;
+ };
+ age.secrets.stalwart-pk = {
+ rekeyFile = ./secrets/stalwart-pk.age;
+ };
+
+ services.stalwart-mail = {
+ enable = true;
+ settings = {
+ server = {
+ hostname = "mail.kcu.su";
+ listener = {
+ smtp = {
+ bind = ["[::]:25"];
+ protocol = "smtp";
+ };
+ submissions = {
+ bind = ["[::]:465"];
+ protocol = "smtp";
+ tls.implicit = true;
+ };
+ imaptls = {
+ bind = ["[::]:993"];
+ protocol = "imap";
+ tls.implicit = true;
+ };
+ management = {
+ bind = ["127.0.0.1:7845"];
+ protocol = "http";
+ };
+ };
+ };
+ storage = {
+ data = "rocksdb";
+ fts = "rocksdb";
+ blob = "rocksdb";
+ lookup = "rocksdb";
+ directory = "internal";
+ };
+ store.rocksdb = {
+ type = "rocksdb";
+ path = "${config.services.stalwart-mail.dataDir}/data";
+ compression = "lz4";
+ };
+ directory.internal = {
+ type = "internal";
+ store = "rocksdb";
+ };
+ tracer.stdout = {
+ type = "stdout";
+ level = "info";
+ ansi = false;
+ enable = true;
+ };
+ authentication.fallback-admin = {
+ user = "admin_fallback";
+ secret = "%{file:/run/credentials/stalwart-mail.service/admin_secret}%";
+ };
+ config = {
+ local-keys = [
+ "store.*"
+ "directory.*"
+ "tracer.*"
+ "!server.blocked-ip.*"
+ "!server.allowed-ip.*"
+ "server.*"
+ "authentication.fallback-admin.*"
+ "cluster.*"
+ "config.local-keys.*"
+ "storage.data"
+ "storage.blob"
+ "storage.lookup"
+ "storage.fts"
+ "storage.directory"
+ "certificate.*"
+ ];
+ };
+ certificate.default = {
+ cert = "%{file:/run/credentials/stalwart-mail.service/cert}%";
+ private-key = "%{file:/run/credentials/stalwart-mail.service/pk}%";
+ default = true;
+ };
+ };
+ credentials = {
+ cert = config.age.secrets.stalwart-cert.path;
+ pk = config.age.secrets.stalwart-pk.path;
+ admin_secret = config.age.secrets.stalwart-admin.path;
+ };
+ };
+
+ createPaths."/srv/files/git" = {
+ owner = "git";
+ group = "git";
+ permissions = "0770";
+ };
+ services.cgit.kcu = {
+ enable = true;
+ user = "git";
+ group = "git";
+ scanPath = "/srv/files/git";
+ gitHttpBackend = {
+ enable = true;
+ checkExportOkFiles = false;
+ };
+ nginx.virtualHost = "git.${domain}";
+
+ settings = {
+ root-title = "kcu.su git";
+ root-desc = "this is where i keep my (dead) projects";
+
+ enable-git-config = 1;
+
+ about-filter = "${pkgs.cgit}/lib/filters/about-formatting.sh";
+ source-filter = "${pkgs.cgit}/lib/filters/syntax-highlighting.py";
+ readme = [
+ "master:README.md"
+ "master:README.org"
+ ];
+ project-list = "/var/lib/git/projects.list";
+ };
+ };
+
+ services.gitolite = {
+ enable = true;
+ user = "git";
+ description = "";
+ group = "git";
+ adminPubkey = "";
+ extraGitoliteRc = ''
+ $RC{GIT_CONFIG_KEYS} = ".*";
+ $RC{GL_REPO_BASE} = "/srv/files/git";
+ '';
+ };
+
services.immich = {
enable = true;
};
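Review bot: `adminPubkey = ""` near the end of the hunk gives gitolite no usable admin key, so the gitolite-admin repository — and with it every per-repository permission — cannot be managed until a real key is supplied; either add the key or keep gitolite disabled until then. Separately, `checkExportOkFiles = false` on the cgit http backend means every repository under `scanPath = "/srv/files/git"`, the same directory gitolite uses as `GL_REPO_BASE`, is browseable and cloneable over unauthenticated HTTP on `git.${domain}` (marked `enableAuthelia = false` in an earlier hunk) regardless of the `R` permissions gitolite.conf grants; if any repo is meant to stay private, keep the default export-ok check (gitolite creates the marker for repos given `R = daemon`). `$RC{GIT_CONFIG_KEYS} = ".*"` lets gitolite-admin set arbitrary git config on every repo, which gitolite's own documentation flags as dangerous; an explicit list of the keys actually needed is safer. Finally, all three mail listeners receive traffic DNAT+MASQUERADE'd from ltrr-cloud (the `preUp` hunk in modules/hosts/ltrr-cloud/configuration.nix), so Stalwart sees the WireGuard gateway's address as every client's source — any IP-based rate limit or the managed `server.blocked-ip` list would then hit all clients at once, unless the PROXY protocol or a non-masqueraded return route carries the real client address.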
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age b/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age
new file mode 100644
index 0000000..90ca528
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/rekeyed/487d0f1ce536b1c47d686f069d9215d2-stalwart-admin.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptoveQ vDi/rd7OWJyvz4nnM2kwX+8f9Vvru1lgvEXXHoD5TgQ
+qMckZ4SxsRksF8Yg8MtSlZtvn/sm73xskjI9DSmIQtE
+-> 8-grease k# SA{/ =I;)gK
+844hA/7PS0QSd1dP16JX7JTJW8NWhSouyEF7VBpa8+uIZSrfUOwJDs+Af7dtIEd2
+
+--- TLscAo6DhT5qKf7AAH7GqpigW8L/bMsoSBpoDWmVRtI
+7+"Ry& ( _(Hk VLNm8WCg[pZkΗK`o" eV#KܰDyyRċTiB |uW
+ d%vPH&ۻ:z \ No newline at end of file
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age b/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age
new file mode 100644
index 0000000..8a778bf
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/rekeyed/9384b05f3c1e02246b581adc35f26293-stalwart-pk.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age b/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age
new file mode 100644
index 0000000..4279838
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/rekeyed/d9016177ce556ace6c3b469e9e10d1e0-stalwart-cert.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age b/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age
new file mode 100644
index 0000000..8ae6dd3
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/stalwart-admin.key.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 5YBERzwh+Vis6esJiMwoUQbRSeB3XqufSnpOLvx8qRw
+0tgBOtYD7n5C8yMluNij1rimPAxc4k8/WLWcxdvR7A8
+-> ?&'/-grease bm}^I5I uJ~R_S '/<ECm
+l6zIQMmDjFRA8hqVXsfu+6Qmn9LHQu8X3axNNMSIoId2FCG38gd/xbSq80z3BWhg
+2t1sXRD7+msi8Vxghdh56e++atH5oli36/vQOoyhfcM
+--- fq2O9hy5sEtEpHrayYJ5c6Z6UmN+fW/iukMQJeAjVt4
++WqJ23DȘ(By0
+1ÅRNn W634A&ZA-|E3hry֏L0HYNe^ImBnԮ0Ln^hY̴agVӰu \ No newline at end of file
diff --git a/modules/hosts/ltrr-block/secrets/stalwart-cert.age b/modules/hosts/ltrr-block/secrets/stalwart-cert.age
new file mode 100644
index 0000000..88ae1b9
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/stalwart-cert.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/stalwart-pk.age b/modules/hosts/ltrr-block/secrets/stalwart-pk.age
new file mode 100644
index 0000000..b0f092a
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/stalwart-pk.age
Binary files differ
diff --git a/modules/hosts/ltrr-cloud/configuration.nix b/modules/hosts/ltrr-cloud/configuration.nix
index 34a74e0..03d7c1e 100644
--- a/modules/hosts/ltrr-cloud/configuration.nix
+++ b/modules/hosts/ltrr-cloud/configuration.nix
@@ -31,6 +31,8 @@
inputs.agenix.nixosModules.default
inputs.agenix-rekey.nixosModules.default
+
+ inputs.omnisearch.nixosModules.default
];
nixpkgs.hostPlatform = "x86_64-linux";
@@ -86,7 +88,7 @@
swapDevices = [
{
device = "/var/lib/swapfile";
- size = 2 * 1024;
+ size = 1024;
}
];
@@ -108,26 +110,37 @@
preUp = ''
sysctl -w net.ipv4.ip_forward=1
- # 16261
- iptables -t nat -I PREROUTING 1 -i ens3 -p udp --dport 16261 -j DNAT --to-destination 10.1.1.2:16261
- iptables -A FORWARD -p udp -d 10.1.1.2 --dport 16261 -j ACCEPT
- iptables -t nat -A POSTROUTING -o wg0 -p udp --dport 16261 -d 10.1.1.2 -j MASQUERADE
-
- # 16262
- iptables -t nat -I PREROUTING 1 -i ens3 -p udp --dport 16262 -j DNAT --to-destination 10.1.1.2:16262
- iptables -A FORWARD -p udp -d 10.1.1.2 --dport 16262 -j ACCEPT
- iptables -t nat -A POSTROUTING -o wg0 -p udp --dport 16262 -d 10.1.1.2 -j MASQUERADE
+ # 25
+ iptables -t nat -I PREROUTING 1 -i ens3 -p tcp --dport 25 -j DNAT --to-destination 10.1.1.2:25
+ iptables -A FORWARD -p tcp -d 10.1.1.2 --dport 25 -j ACCEPT
+ iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 25 -d 10.1.1.2 -j MASQUERADE
+
+ # 465
+ iptables -t nat -I PREROUTING 1 -i ens3 -p tcp --dport 465 -j DNAT --to-destination 10.1.1.2:465
+ iptables -A FORWARD -p tcp -d 10.1.1.2 --dport 465 -j ACCEPT
+ iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 465 -d 10.1.1.2 -j MASQUERADE
+
+ # 993
+ iptables -t nat -I PREROUTING 1 -i ens3 -p tcp --dport 993 -j DNAT --to-destination 10.1.1.2:993
+ iptables -A FORWARD -p tcp -d 10.1.1.2 --dport 993 -j ACCEPT
+ iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport 993 -d 10.1.1.2 -j MASQUERADE
'';
+
postDown = ''
- # 16261
- iptables -t nat -D PREROUTING -i ens3 -p udp --dport 16261 -j DNAT --to-destination 10.1.1.2:16261
- iptables -D FORWARD -p udp -d 10.1.1.2 --dport 16261 -j ACCEPT
- iptables -t nat -D POSTROUTING -o wg0 -p udp --dport 16261 -d 10.1.1.2 -j MASQUERADE
-
- # 16262
- iptables -t nat -D PREROUTING -i ens3 -p udp --dport 16262 -j DNAT --to-destination 10.1.1.2:16262
- iptables -D FORWARD -p udp -d 10.1.1.2 --dport 16262 -j ACCEPT
- iptables -t nat -D POSTROUTING -o wg0 -p udp --dport 16262 -d 10.1.1.2 -j MASQUERADE
+ # 25
+ iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 25 -j DNAT --to-destination 10.1.1.2:25
+ iptables -D FORWARD -p tcp -d 10.1.1.2 --dport 25 -j ACCEPT
+ iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport 25 -d 10.1.1.2 -j MASQUERADE
+
+ # 465
+ iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 465 -j DNAT --to-destination 10.1.1.2:465
+ iptables -D FORWARD -p tcp -d 10.1.1.2 --dport 465 -j ACCEPT
+ iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport 465 -d 10.1.1.2 -j MASQUERADE
+
+ # 993
+ iptables -t nat -D PREROUTING -i ens3 -p tcp --dport 993 -j DNAT --to-destination 10.1.1.2:993
+ iptables -D FORWARD -p tcp -d 10.1.1.2 --dport 993 -j ACCEPT
+ iptables -t nat -D POSTROUTING -o wg0 -p tcp --dport 993 -d 10.1.1.2 -j MASQUERADE
'';
peers = [
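Review bot: The nine rules in `preUp` and their nine mirrors in `postDown` are the same three lines copy-pasted per port, so adding or removing a port means editing six places and the two scripts can drift; a `for port in 25 465 993` loop in both keeps them in lockstep. While there, the `FORWARD ... -j ACCEPT` rule is not bound to any interface pair, so it accepts forwarding to 10.1.1.2 from any interface; `-i ens3 -o wg0` limits it to the path the DNAT actually creates. The enclosing wireguard interface block starts before this hunk.
```nix
preUp = ''
  sysctl -w net.ipv4.ip_forward=1
  for port in 25 465 993; do
    iptables -t nat -I PREROUTING 1 -i ens3 -p tcp --dport "$port" -j DNAT --to-destination "10.1.1.2:$port"
    iptables -A FORWARD -i ens3 -o wg0 -p tcp -d 10.1.1.2 --dport "$port" -j ACCEPT
    iptables -t nat -A POSTROUTING -o wg0 -p tcp --dport "$port" -d 10.1.1.2 -j MASQUERADE
  done
'';
# postDown: the same loop with -D in place of -I/-A (not repeated here)
```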
@@ -140,9 +153,45 @@
};
};
- networking.firewall.allowedTCPPorts = [80 443 25565];
- networking.firewall.allowedUDPPorts = [51820 16261 16262];
+ networking.firewall.allowedTCPPorts = [
+ # http
+ 80
+ 443
+
+ #mail
+ 25
+ 465
+ 993
+
+ 25565 # minecraft
+ ];
+ networking.firewall.allowedUDPPorts = [
+ 51820 # wg
+ ];
+
+ environment.etc = {
+ "fail2ban/filter.d/authelia.conf".text = ''
+ # Fail2Ban filter for Authelia
+
+ # Make sure that the HTTP header "X-Forwarded-For" received by Authelia's backend
+ # only contains a single IP address (the one from the end-user), and not the proxy chain
+ # (it is misleading: usually, this is the purpose of this header).
+
+ # the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt
+ # second line) as a failure.
+ # the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors
+
+ [Definition]
+ failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?<HOST>"? stack.*
+ ^.*Unsuccessful (TOTP|Duo|U2F) authentication attempt by user .*remote_ip="?<HOST>"? stack.*
+
+ ignoreregex = ^.*level=debug.*
+ ^.*level=info.*
+ ^.*level=warning.*
+ journalmatch = _SYSTEMD_UNIT=authelia-kcu.service + _COMM=authelia
+ '';
+ };
services.fail2ban = {
enable = true;
ignoreIP = [
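Review bot: The new filter relies on `journalmatch`, but the jail that uses it (added in the following hunk as `authelia = '' enabled = true / port = http,https ''`) sets no `backend`, while the sibling jails explicitly use `backend = "auto"`; unless the module's `[DEFAULT]` section already selects the systemd backend, fail2ban will expect a `logpath` that is not given and the jail fails to start. Adding `backend = systemd` inside that jail string makes the filter's `journalmatch` take effect. The filter's own header notes that `X-Forwarded-For` must carry a single client address for `<HOST>` to be meaningful — worth confirming against the nginx proxy settings, which are outside this file. Minor: `#mail` differs from the `# mail` spacing used in the ltrr-block firewall list.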
@@ -157,12 +206,6 @@
};
jails = {
- nginx-http-auth.settings = {
- enabled = true;
- port = "http,https";
- logpath = "/var/log/nginx/*.log";
- backend = "auto";
- };
nginx-botsearch.settings = {
enabled = true;
port = "http,https";
@@ -175,6 +218,10 @@
logpath = "/var/log/nginx/*.log";
backend = "auto";
};
+ authelia = ''
+ enabled = true
+ port = http,https
+ '';
};
};
@@ -203,15 +250,14 @@
proxyPass = "http://127.0.0.1:8090";
};
"auth".proxyPass = "http://127.0.0.1:9091";
+
+ "search".proxyPass = "http://127.0.0.1:8087";
};
extraVirtualHosts = {
- "kcu.su" = {
+ "${domain}" = {
forceSSL = true;
enableACME = true;
- locations."/apple" = {
- root = "/var/www";
- };
locations."/" = {
return = 444;
};
@@ -228,6 +274,7 @@
homeConfig = self.nixosConfigurations.ltrr-block.config;
in {
subdomains = homeConfig.nginxProxy.subdomains;
+ virtualHosts = homeConfig.nginxProxy.extraVirtualHosts;
url = "http://10.1.1.2";
};
};
@@ -242,6 +289,11 @@
owner = "authelia-kcu";
group = "authelia-kcu";
};
+ age.secrets.authelia-users = {
+ rekeyFile = ./secrets/authelia-users.yaml.age;
+ owner = "authelia-kcu";
+ group = "authelia-kcu";
+ };
services.authelia.instances.kcu = {
enable = true;
secrets = {
@@ -251,7 +303,7 @@
settings = {
authentication_backend = {
file = {
- path = "/var/lib/authelia-kcu/users_database.yml";
+ path = config.age.secrets.authelia-users.path;
};
};
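Review bot: `path` now points at the agenix-decrypted copy of the users database, which is recreated read-only on each activation, so anything that writes back to that file — Authelia's password reset for the file backend, if it is enabled — will fail at runtime and user changes must instead go through re-encrypting the secret. If that is the intended workflow, making it explicit with `authentication_backend.password_reset.disable = true;` avoids a confusing half-working feature; the rest of the `authentication_backend` block lies outside this hunk, so I cannot tell whether it is already set.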
@@ -285,6 +337,15 @@
];
};
+ server.endpoints.authz.auth-request = {
+ implementation = "AuthRequest";
+ authn_strategies = [
+ {
+ name = "CookieSession";
+ }
+ ];
+ };
+
storage = {
local = {
path = "/var/lib/authelia-kcu/db.sqlite3";
@@ -300,6 +361,15 @@
};
};
+ services.omnisearch = {
+ enable = true;
+ settings = {
+ server = {
+ domain = "https://search.${domain}";
+ };
+ };
+ };
+
services.headscale = {
enable = true;
package = pkgs.headscale;
@@ -321,24 +391,24 @@
};
};
virtualisation.oci-containers.backend = "podman";
- virtualisation.oci-containers.containers = {
- "uptime-kuma" = {
- image = "louislam/uptime-kuma:2";
- volumes = [
- "/var/lib/uptime-kuma:/app/data"
- ];
- ports = [
- "127.0.0.1:8762:3001"
- ];
- capabilities = {
- NET_RAW = true;
- };
- };
- };
-
- services.beszel.hub = {
- enable = true;
- };
+ # virtualisation.oci-containers.containers = {
+ # "uptime-kuma" = {
+ # image = "louislam/uptime-kuma:2";
+ # volumes = [
+ # "/var/lib/uptime-kuma:/app/data"
+ # ];
+ # ports = [
+ # "127.0.0.1:8762:3001"
+ # ];
+ # capabilities = {
+ # NET_RAW = true;
+ # };
+ # };
+ # };
+
+ # services.beszel.hub = {
+ # enable = true;
+ # };
system.stateVersion = "24.05";
};
diff --git a/modules/hosts/ltrr-cloud/secrets/authelia-users.yaml.age b/modules/hosts/ltrr-cloud/secrets/authelia-users.yaml.age
new file mode 100644
index 0000000..aec8015
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/authelia-users.yaml.age
Binary files differ
diff --git a/modules/hosts/ltrr-cloud/secrets/rekeyed/f9330776898d34c69149dfd6e093d324-authelia-users.age b/modules/hosts/ltrr-cloud/secrets/rekeyed/f9330776898d34c69149dfd6e093d324-authelia-users.age
new file mode 100644
index 0000000..fea60a5
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/rekeyed/f9330776898d34c69149dfd6e093d324-authelia-users.age
Binary files differ
diff --git a/modules/nixosModules/nginxProxy.nix b/modules/nixosModules/nginxProxy.nix
index 36fdc59..e7af19d 100644
--- a/modules/nixosModules/nginxProxy.nix
+++ b/modules/nixosModules/nginxProxy.nix
@@ -10,7 +10,19 @@
locationOptions = import (pkgs.path + "/nixos/modules/services/web-servers/nginx/location-options.nix");
nginxOptions = import (pkgs.path + "/nixos/modules/services/web-servers/nginx/default.nix");
- autheliaAuth = url: ''
+ authVhostOptions =
+ recursiveUpdate
+ (vhostOptions {inherit config lib;})
+ {
+ options = {
+ enableAuthelia = mkOption {
+ type = types.bool;
+ default = cfg.home.authelia.enable;
+ };
+ };
+ };
+
+ autheliaAuth = ''
auth_request /internal/authelia/authz;
auth_request_set $redirection_url $upstream_http_location;
error_page 401 =302 $redirection_url;
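Review bot: The new `enableAuthelia` option has no `description`, unlike `home.virtualHosts` further down which documents its purpose; since the default is the non-obvious `cfg.home.authelia.enable`, a line such as `description = "Put the Authelia auth_request in front of this virtual host; defaults to the home Authelia toggle.";` would save the next reader a trip to the implementation. Dropping the `url` parameter from `autheliaAuth` is consistent with the redirect now coming from `$upstream_http_location`, so no further change there.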
@@ -84,13 +96,13 @@
};
extraVirtualHosts = mkOption {
- type = types.attrsOf (types.submodule (vhostOptions {inherit config lib;}));
+ type = types.attrsOf (types.submodule authVhostOptions);
default = {};
};
home = {
virtualHosts = mkOption {
- type = types.attrsOf (types.submodule (vhostOptions {inherit config lib;}));
+ type = types.attrsOf (types.submodule authVhostOptions);
default = {};
description = ''
Virtual hosts from another nginx configuration, that will be used to decrypt ssl and forward traffic to another server.
@@ -187,29 +199,42 @@
homeRoutes = homeVirtualHosts: homeUrl:
builtins.mapAttrs
(name: value:
- {
- locations."/" =
- value.locations."/"
- // {
- proxyPass = homeUrl;
- recommendedProxySettings = true;
- extraConfig = value.locations."/".extraConfig + (autheliaAuth cfg.home.authelia.publicUrl);
- };
- locations."/internal/authelia/authz" = mkIf cfg.home.authelia.enable {
- extraConfig = autheliaLocation cfg.home.authelia.localUrl;
+ recursiveUpdate value {
+ locations."/" = {
+ proxyPass = homeUrl;
+ recommendedProxySettings = true;
};
}
// ssl)
homeVirtualHosts;
+ removeAuthelia = filterAttrsRecursive (n: v: n != "enableAuthelia");
+
vhosts = makeVhosts cfg.domain cfg.subdomains;
- homeVhosts = homeRoutes ((makeVhosts (cfg.home.domain) cfg.home.subdomains) // cfg.home.virtualHosts) cfg.home.url;
+ homeVhosts = homeRoutes (recursiveUpdate (makeVhosts (cfg.home.domain) cfg.home.subdomains) cfg.home.virtualHosts) cfg.home.url;
+ addAutheliaRoutes = isHome: vhosts:
+ builtins.mapAttrs
+ (name: value: (recursiveUpdate value {
+ locations."/" = {
+ extraConfig =
+ value.locations."/".extraConfig or ""
+ + concatStrings (optional (value.enableAuthelia or true && !isHome) autheliaAuth);
+ };
+ locations."/internal/authelia/authz" = mkIf (value.enableAuthelia or true && !isHome) {
+ extraConfig = autheliaLocation cfg.home.authelia.localUrl;
+ };
+ }))
+ vhosts;
in
{
enable = true;
recommendedProxySettings = cfg.recommendedProxySettings;
- virtualHosts = vhosts // homeVhosts // cfg.extraVirtualHosts;
+ virtualHosts =
+ removeAuthelia
+ (addAutheliaRoutes
+ (homeVhosts == {})
+ (recursiveUpdate (recursiveUpdate vhosts homeVhosts) cfg.extraVirtualHosts));
}
// cfg.extraConfig;
};
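Review bot: `value.enableAuthelia or true` on the two lines inside `addAutheliaRoutes` falls back to a literal `true` for vhosts that never passed through `authVhostOptions` (everything produced by `makeVhosts`), whereas the submodule default earlier in the file is `cfg.home.authelia.enable`; with Authelia turned off, every generated subdomain would still receive `auth_request` and a dangling `/internal/authelia/authz` location. Use `value.enableAuthelia or cfg.home.authelia.enable` in both places, ideally bound once in a `let` inside the lambda so the two conditions cannot diverge. `concatStrings (optional cond autheliaAuth)` is just `optionalString cond autheliaAuth`. `homeVhosts == {}` deep-compares the whole attrset only to answer "is this the home host"; it works, but a dedicated flag derived from the home options would be clearer and cheaper.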
diff --git a/modules/nixosModules/watcharr.nix b/modules/nixosModules/watcharr.nix
index 2263e4f..061a18c 100644
--- a/modules/nixosModules/watcharr.nix
+++ b/modules/nixosModules/watcharr.nix
@@ -63,7 +63,7 @@
virtualisation.oci-containers.containers.watcharr = {
image = "ghcr.io/sbondco/watcharr:latest";
ports = [
- "127.0.0.1${port}:3080"
+ "127.0.0.1:${port}:3080"
];
volumes = [
"${cfg.settings.dataDir}:/data"