elleoma/nix-flakes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
Amoelle
2025-07-23 16:47:48 +03:00
commit 349c65ed1f
22 changed files with 1032 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored Normal file
View File

@@ -0,0 +1,2 @@
flake.lock
result

31
flake.nix Normal file
View File

@@ -0,0 +1,31 @@
{
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
system-manager = {
url = "github:numtide/system-manager";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, system-manager, ... }: {
systemConfigs = {
default = system-manager.lib.makeSystemConfig {
modules = [
./modules
{
nixpkgs.hostPlatform = "aarch64-linux";
}
];
};
# Add hostname-specific config so it's found immediately
omoelle = system-manager.lib.makeSystemConfig {
modules = [
./modules
{
nixpkgs.hostPlatform = "aarch64-linux";
}
];
};
};
};
}

19
modules/default.nix Normal file
View File

@@ -0,0 +1,19 @@
{ config, lib, pkgs, ... }:
{
imports = [
./nginx.nix
./tailscale.nix
];
config = {
system-manager.allowAnyDistro = true;
nixpkgs.hostPlatform = "aarch64-linux";
environment.systemPackages = with pkgs; [
curl
wget
htop
vim
];
};
}

38
modules/docker.nix Normal file
View File

@@ -0,0 +1,38 @@
{ config, lib, pkgs, ... }:
{
config = {
environment.systemPackages = [
pkgs.docker
pkgs.docker-compose
];
# Create docker group
users.groups.docker = {};
# Simple Docker systemd service
systemd.services.docker = {
enable = true;
description = "Docker Application Container Engine";
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "notify";
ExecStart = "${pkgs.docker}/bin/dockerd";
ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
TimeoutStartSec = 0;
RestartSec = 2;
Restart = "always";
StartLimitBurst = 3;
StartLimitInterval = 60;
LimitNOFILE = 1048576;
LimitNPROC = 1048576;
LimitCORE = "infinity";
TasksMax = "infinity";
Delegate = "yes";
KillMode = "process";
OOMScoreAdjust = -500;
};
wantedBy = [ "multi-user.target" ];
};
};
}

60
modules/nginx.nix Normal file
View File

@@ -0,0 +1,60 @@
{ config, lib, pkgs, ... }:
let
nginxConfDir = ./nginx/sites-available;
in
{
config = {
environment.systemPackages = [
pkgs.nginx
];
environment.etc = {
"nginx/nginx.conf".source = ./nginx/nginx.conf;
# Available configs
"nginx/sites-available/forsen-cock.dedyn.io".source = "${nginxConfDir}/forsen-cock.dedyn.io";
"nginx/sites-available/gitea".source = "${nginxConfDir}/gitea";
"nginx/sites-available/gatus".source = "${nginxConfDir}/gatus";
"nginx/sites-available/vaultwarden".source = "${nginxConfDir}/vaultwarden";
"nginx/sites-available/ntfy".source = "${nginxConfDir}/ntfy";
# Enabled configs — point to same file (no symlink needed)
"nginx/sites-enabled/forsen-cock.dedyn.io".source = "${nginxConfDir}/forsen-cock.dedyn.io";
"nginx/sites-enabled/gitea".source = "${nginxConfDir}/gitea";
"nginx/sites-enabled/gatus".source = "${nginxConfDir}/gatus";
"nginx/sites-enabled/vaultwarden".source = "${nginxConfDir}/vaultwarden";
"nginx/sites-enabled/ntfy".source = "${nginxConfDir}/ntfy";
"nginx/mime.types".source = "${pkgs.nginx}/conf/mime.types";
};
# Create necessary directories (without nginx user dependency)
systemd.tmpfiles.rules = [
"d /var/log/nginx 0755 root root -"
"d /var/lib/nginx 0755 root root -"
"d /run/nginx 0755 root root -"
"d /var/www/html 0755 root root -"
];
# Simple nginx systemd service
systemd.services.nginx = {
enable = true;
description = "The nginx HTTP and reverse proxy server";
after = [ "network.target" ];
wants = [ "network.target" ];
serviceConfig = {
Type = "forking";
PIDFile = "/run/nginx.pid";
ExecStartPre = "${pkgs.nginx}/bin/nginx -t -c /etc/nginx/nginx.conf";
ExecStart = "${pkgs.nginx}/bin/nginx -c /etc/nginx/nginx.conf";
ExecReload = "${pkgs.coreutils}/bin/kill -s HUP $MAINPID";
ExecStop = "${pkgs.coreutils}/bin/kill -s QUIT $MAINPID";
Restart = "on-failure";
RestartSec = 2;
TimeoutStartSec = 60;
};
wantedBy = [ "multi-user.target" ];
};
};
}

40
modules/nginx/nginx.conf Normal file
View File

@@ -0,0 +1,40 @@
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# Default server
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /var/www/html;
location / {
return 200 "Hello from nginx managed by system-manager!";
add_header Content-Type text/plain;
}
}
# Include additional server configurations
include /etc/nginx/sites-enabled/*;
}

170
modules/nginx/sites-available/default Normal file
View File

@@ -0,0 +1,170 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
server {
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
# root /var/www/rickroll;
# Add index.php to the list if you are using PHP
# index index.html index.htm index.nginx-debian.html;
# server_name forsen-cock.dedyn.io; # managed by Certbot
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php-fpm (or other unix sockets):
# fastcgi_pass unix:/run/php/php7.4-fpm.sock;
# # With php-cgi (or other tcp sockets):
# fastcgi_pass 127.0.0.1:9000;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
# listen [::]:443 ssl ipv6only=on; # managed by Certbot
# listen 443 ssl; # managed by Certbot
# ssl_certificate /etc/letsencrypt/live/forsen-cock.dedyn.io/fullchain.pem; # managed by Certbot
# ssl_certificate_key /etc/letsencrypt/live/forsen-cock.dedyn.io/privkey.pem; # managed by Certbot
# include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
listen 80;
server_name 91.245.123.18;
return 301 https://forsen-cock.dedyn.io$request_uri;
}
server {
if ($host = forsen-cock.dedyn.io) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 ;
listen [::]:80 ;
server_name forsen-cock.dedyn.io;
return 404; # managed by Certbot
}

82
modules/nginx/sites-available/forsen-cock.dedyn.io Normal file
View File

@@ -0,0 +1,82 @@
server {
listen 80;
server_name forsen-cock.dedyn.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name forsen-cock.dedyn.io;
access_log /var/log/nginx/forsen-cock.access.log;
error_log /var/log/nginx/forsen-cock.error.log;
ssl_certificate /etc/letsencrypt/live/forsen-cock.dedyn.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/forsen-cock.dedyn.io/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!MD5;
# Serve static files (optional)
root /var/www/forsen-cock.dedyn.io;
index index.html index.htm;
# Optional root tuwunel page ("hewwo from tuwunel woof!")
# location = / {
# proxy_pass http://127.0.0.1:8448$request_uri;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_buffering off;
# client_max_body_size 20M;
# proxy_read_timeout 300s;
# }
# Core Matrix APIs (Client-Server and Server-Server)
location ^~ /_matrix/ {
proxy_pass http://127.0.0.1:8448;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
client_max_body_size 20M;
proxy_read_timeout 300s;
}
# Tuwunel-specific routes
location ^~ /_tuwunel/ {
proxy_pass http://127.0.0.1:8448;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
client_max_body_size 20M;
proxy_read_timeout 300s;
}
# Optional: Federation delegation
location = /.well-known/matrix/server {
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '{"m.server":"forsen-cock.dedyn.io:443"}';
}
# Optional: Client discovery
location = /.well-known/matrix/client {
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '{"m.homeserver":{"base_url":"https://forsen-cock.dedyn.io"}}';
}
# Optional: Support contact
location = /.well-known/matrix/support {
default_type application/json;
add_header Access-Control-Allow-Origin *;
return 200 '{"support":{"email":"amoelle@forsen-cock.dedyn.io"}}';
}
}

40
modules/nginx/sites-available/gatus Normal file
View File

@@ -0,0 +1,40 @@
server {
if ($host = status.forsen-cock.dedyn.io) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name status.forsen-cock.dedyn.io;
# Redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name status.forsen-cock.dedyn.io;
# Proxy to your actual service
location / {
proxy_pass http://127.0.0.1:8080; # Change to the internal address & port of status UI
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Optional buffering settings:
proxy_buffering off;
proxy_read_timeout 90s;
}
# Recommended security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
ssl_certificate /etc/letsencrypt/live/status.forsen-cock.dedyn.io/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/status.forsen-cock.dedyn.io/privkey.pem; # managed by Certbot
}

33
modules/nginx/sites-available/gitea Normal file
View File

@@ -0,0 +1,33 @@
server {
server_name git.forsen-cock.dedyn.io;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/git.forsen-cock.dedyn.io/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/git.forsen-cock.dedyn.io/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
client_max_body_size 100M;
}
server {
if ($host = git.forsen-cock.dedyn.io) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name git.forsen-cock.dedyn.io;
return 404; # managed by Certbot
}

56
modules/nginx/sites-available/ntfy Normal file
View File

@@ -0,0 +1,56 @@
# /etc/nginx/sites-*/ntfy
#
# This config requires the use of the -L flag in curl to redirect to HTTPS, and it keeps nginx output buffering
# enabled. While recommended, I have had issues with that in the past.
server {
listen 80;
server_name ntfy.forsen-cock.dedyn.io;
location / {
return 302 https://$http_host$request_uri$is_args$query_string;
proxy_pass http://127.0.0.1:8070;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3m;
proxy_send_timeout 3m;
proxy_read_timeout 3m;
client_max_body_size 0; # Stream request body to backend
}
}
server {
listen 443 ssl http2;
server_name ntfy.forsen-cock.dedyn.io;
# See https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://127.0.0.1:8070;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3m;
proxy_send_timeout 3m;
proxy_read_timeout 3m;
client_max_body_size 0; # Stream request body to backend
}
}

259
modules/nginx/sites-available/peertube Normal file
View File

@@ -0,0 +1,259 @@
# Minimum Nginx version required: 1.13.0 (released Apr 25, 2017)
# Please check your Nginx installation features the following modules via 'nginx -V':
# STANDARD HTTP MODULES: Core, Proxy, Rewrite, Access, Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream, AIO Multithreading.
# THIRD PARTY MODULES: None.
server {
listen 80;
listen [::]:80;
server_name stream.forsen-cock.dedyn.io;
location /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/certbot;
}
location / { return 301 https://$host$request_uri; }
}
upstream backend {
server 127.0.0.1:9000;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name stream.forsen-cock.dedyn.io;
access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
error_log /var/log/nginx/peertube.error.log;
##
# Certificates
# you need a certificate to run in production. see https://letsencrypt.org/
##
ssl_certificate /etc/letsencrypt/live/stream.forsen-cock.dedyn.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/stream.forsen-cock.dedyn.io/privkey.pem;
location ^~ '/.well-known/acme-challenge' {
default_type "text/plain";
root /var/www/certbot;
}
##
# Security hardening (as of Nov 15, 2020)
# based on Mozilla Guideline v5.6
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
ssl_session_timeout 1d; # defaults to 5m
ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
ssl_session_tickets off;
# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
##
# Application
##
location @api {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
client_max_body_size 100k; # default is 1M
proxy_connect_timeout 10m;
proxy_send_timeout 10m;
proxy_read_timeout 10m;
send_timeout 10m;
proxy_pass http://backend;
}
location / {
try_files /dev/null @api;
}
location ~ ^/api/v1/videos/(upload-resumable|([^/]+/source/replace-resumable))$ {
client_max_body_size 0;
proxy_request_buffering off;
try_files /dev/null @api;
}
location ~ ^/api/v1/users/[^/]+/imports/import-resumable$ {
client_max_body_size 0;
proxy_request_buffering off;
try_files /dev/null @api;
}
location ~ ^/api/v1/videos/(upload|([^/]+/studio/edit))$ {
limit_except POST HEAD { deny all; }
# This is the maximum upload size, which roughly matches the maximum size of a video file.
# Note that temporary space is needed equal to the total size of all concurrent uploads.
# This data gets stored in /var/lib/nginx by default, so you may want to put this directory
# on a dedicated filesystem.
client_max_body_size 12G; # default is 1M
add_header X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
try_files /dev/null @api;
}
location ~ ^/api/v1/runners/jobs/[^/]+/(update|success)$ {
client_max_body_size 12G; # default is 1M
add_header X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
try_files /dev/null @api;
}
location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) {
client_max_body_size 6M; # default is 1M
add_header X-File-Maximum-Size 4M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
try_files /dev/null @api;
}
##
# Websocket
##
location @api_websocket {
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://backend;
}
location /socket.io {
try_files /dev/null @api_websocket;
}
location /tracker/socket {
# Peers send a message to the tracker every 15 minutes
# Don't close the websocket before then
proxy_read_timeout 15m; # default is 60s
try_files /dev/null @api_websocket;
}
# Plugin websocket routes
location ~ ^/plugins/[^/]+(/[^/]+)?/ws/ {
try_files /dev/null @api_websocket;
}
##
# Performance optimizations
# For extra performance please refer to https://github.com/denji/nginx-tuning
##
root /var/www/peertube/storage;
# Enable compression for JS/CSS/HTML, for improved client load times.
# It might be nice to compress JSON/XML as returned by the API, but
# leaving that out to protect against potential BREACH attack.
gzip on;
gzip_vary on;
gzip_types # text/html is always compressed by HttpGzipModule
text/css
application/javascript
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml
application/xml;
gzip_min_length 1000; # default is 20 bytes
gzip_buffers 16 8k;
gzip_comp_level 2; # default is 1
client_body_timeout 30s; # default is 60
client_header_timeout 10s; # default is 60
send_timeout 10s; # default is 60
keepalive_timeout 10s; # default is 75
resolver_timeout 10s; # default is 30
reset_timedout_connection on;
proxy_ignore_client_abort on;
tcp_nopush on; # send headers in one piece
tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time
# If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
# See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
#client_body_temp_path /var/www/peertube/storage/nginx/;
# Bypass PeerTube for performance reasons. Optional.
# Should be consistent with client-overrides assets list in client.ts server controller
location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-account-48x48\.png|default-avatar-video-channel\.png|default-avatar-video-channel-48x48\.png))$ {
add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
root /var/www/peertube;
try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api;
}
# Bypass PeerTube for performance reasons. Optional.
location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
alias /var/www/peertube/peertube-latest/client/dist/$1;
}
location ~ ^(/static/(webseed|web-videos|streaming-playlists/hls)/private/)|^/download {
# We can't rate limit a try_files directive, so we need to duplicate @api
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_limit_rate 5M;
proxy_pass http://backend;
}
# Bypass PeerTube for performance reasons. Optional.
location ~ ^/static/(webseed|web-videos|redundancy|streaming-playlists)/ {
limit_rate_after 5M;
set $peertube_limit_rate 5M;
# Use this line with nginx >= 1.17.0
limit_rate $peertube_limit_rate;
# Or this line with nginx < 1.17.0
# set $limit_rate $peertube_limit_rate;
if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Methods 'GET, OPTIONS';
add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
add_header Access-Control-Max-Age 1728000; # Preflight request can be cached 20 days
add_header Content-Type 'text/plain charset=UTF-8';
add_header Content-Length 0;
return 204;
}
if ($request_method = 'GET') {
add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Methods 'GET, OPTIONS';
add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
}
# Enabling the sendfile directive eliminates the step of copying the data into the buffer
# and enables direct copying data from one file descriptor to another.
sendfile on;
sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
aio threads;
# web-videos is the name of the directory mapped to the `storage.web_videos` key in your PeerTube configuration
rewrite ^/static/webseed/(.*)$ /web-videos/$1 break;
rewrite ^/static/(.*)$ /$1 break;
try_files $uri @api;
}
}

12
modules/nginx/sites-available/rickroll Normal file
View File

@@ -0,0 +1,12 @@
server {
listen 443;
server_name forsen-cock.dedyn.io;
root /var/www/rickroll;
index index.html;
location / {
try_files $uri $uri/ =404;
}
}

48
modules/nginx/sites-available/roundcube Normal file
View File

@@ -0,0 +1,48 @@
# Configuration for mail.forsen-cock.dedyn.io
# Add this to your existing Nginx configuration
server {
listen 80;
server_name mail.forsen-cock.dedyn.io;
# Redirect all HTTP traffic to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name mail.forsen-cock.dedyn.io;
# SSL configuration
ssl_certificate /etc/nginx/ssl/mail.forsen-cock.dedyn.io.crt;
ssl_certificate_key /etc/nginx/ssl/mail.forsen-cock.dedyn.io.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Proxy to Roundcube webmail
location / {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket support (if needed)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 100M; # Allow larger attachments
}
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
}

64
modules/nginx/sites-available/vaultwarden Normal file
View File

@@ -0,0 +1,64 @@
# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
zone vaultwarden-default 128k;
server 127.0.0.1:5080;
keepalive 2;
}
# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
default upgrade;
'' "";
}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
server_name vault.forsen-cock.dedyn.io;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl;
server_name vault.forsen-cock.dedyn.io;
client_max_body_size 525M;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# If you use Cloudflare proxying, replace $remote_addr with $http_cf_connecting_ip
# See https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/#nginx-1
# alternatively use ngx_http_realip_module
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Proxy settings for HTTP API and web vault
location / {
proxy_pass http://vaultwarden-default; # Vaultwarden's internal HTTPS port
}
location /admin {
allow 127.0.0.1;
allow 192.168.0.0/24;
allow 91.245.123.18;
deny all;
proxy_pass http://vaultwarden-default;
}
ssl_certificate /etc/letsencrypt/live/vault.forsen-cock.dedyn.io/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/vault.forsen-cock.dedyn.io/privkey.pem; # managed by Certbot
}

20
modules/nginx/sites-available/xmpp-login Normal file
View File

@@ -0,0 +1,20 @@
server {
listen 443 ssl;
server_name forsen-cock.dedyn.io;
ssl_certificate /etc/letsencrypt/live/forsen-cock.dedyn.io/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/forsen-cock.dedyn.io/privkey.pem; # managed by Certbot
location / {
root /var/www/xmpp-login;
index index.html;
}
location /login {
proxy_pass http://localhost:3000; # Assuming your backend listens on port 3000
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}

1
modules/nginx/sites-enabled/forsen-cock.dedyn.io Symbolic link
View File

@@ -0,0 +1 @@
/home/elleoma/modules/nginx/sites-available/forsen-cock.dedyn.io

1
modules/nginx/sites-enabled/gatus Symbolic link
View File

@@ -0,0 +1 @@
/home/elleoma/modules/nginx/sites-available/gatus

1
modules/nginx/sites-enabled/gitea Symbolic link
View File

@@ -0,0 +1 @@
/home/elleoma/modules/nginx/sites-available/gitea

1
modules/nginx/sites-enabled/ntfy Symbolic link
View File

@@ -0,0 +1 @@
/home/elleoma/nix-flakes/modules/nginx/sites-available/ntfy

1
modules/nginx/sites-enabled/vaultwarden Symbolic link
View File

@@ -0,0 +1 @@
/home/elleoma/modules/nginx/sites-available/vaultwarden

53
modules/tailscale.nix Normal file
View File

@@ -0,0 +1,53 @@
{ config, lib, pkgs, ...}:
{
config = {
environment.systemPackages = [
pkgs.tailscale
pkgs.jq
];
systemd.services.tailscaled = {
enable = true;
description = "Tailscale node agent";
after = [ "network-pre.target" ];
wants = [ "network-pre.target" ];
serviceConfig = {
Type = "simple";
ExecStart = "${pkgs.tailscale}/bin/tailscaled --statedir /var/lib/tailscale";
Restart = "on-failure";
RestartSec = 5;
LiminNOFILE = "infinity";
};
wantedBy = [ "multi-user.target" ];
};
systemd.services.tailscale-autoconnect = {
enable = false;
description = "Automatic connection to Tailscale";
# make sure tailscale is running before trying to connect to tailscale
after = [ "network-pre.target" "tailscaled.service" ];
wants = [ "network-pre.target" "tailscaled.service" ];
wantedBy = [ "multi-user.target" ];
# set this service as a oneshot job
serviceConfig.Type = "oneshot";
# have the job run this shell script
script = with pkgs; ''
# wait for tailscaled to settle
sleep 2
# check if we are already authenticated to tailscale
status="$(${pkgs.tailscale}/bin/tailscale status -json | ${pkgs.jq}/bin/jq -r .BackendState)"
if [ $status = "Running" ]; then # if so, then do nothing
exit 0
fi
# otherwise authenticate with tailscale
${pkgs.tailscale}/bin/tailscale up -authkey tskey-examplekeyhere
'';
};
};
}