From 12cfceb2f99d3ae1f8710f253405ff880cc0fbca Mon Sep 17 00:00:00 2001 From: Katherina Walshe-Grey Date: Tue, 16 Sep 2025 19:01:56 +0100 Subject: [PATCH] reverse-proxy: Init new module to simplify nginx reverse proxies --- services/default.nix | 1 + services/qenya/actual.nix | 14 ++------- services/qenya/audiobookshelf.nix | 17 ++-------- services/qenya/forgejo.nix | 52 ++++++++++++------------------- services/qenya/headscale.nix | 17 ++-------- services/qenya/jellyfin.nix | 15 ++------- services/qenya/navidrome.nix | 14 ++------- services/qenya/owncast.nix | 17 ++-------- services/reverse-proxy.nix | 33 ++++++++++++++++++++ 9 files changed, 67 insertions(+), 113 deletions(-) create mode 100644 services/reverse-proxy.nix diff --git a/services/default.nix b/services/default.nix index 112bdc9..97e6e70 100644 --- a/services/default.nix +++ b/services/default.nix @@ -5,6 +5,7 @@ ./distributed-builds.nix ./remote-builder.nix + ./reverse-proxy.nix ./web-redirect.nix ]; } diff --git a/services/qenya/actual.nix b/services/qenya/actual.nix index 36a2d33..35ce443 100644 --- a/services/qenya/actual.nix +++ b/services/qenya/actual.nix @@ -13,18 +13,8 @@ in }; config = mkIf cfg.enable { - services.nginx = { - enable = true; - virtualHosts = { - ${cfg.domain} = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = "http://127.0.0.1:5006/"; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; + fountain.services.reverse-proxy.enable = true; + fountain.services.reverse-proxy.domains.${cfg.domain} = "http://127.0.0.1:5006/"; services.actual = { enable = true; diff --git a/services/qenya/audiobookshelf.nix b/services/qenya/audiobookshelf.nix index 6019108..cf3f7fd 100644 --- a/services/qenya/audiobookshelf.nix +++ b/services/qenya/audiobookshelf.nix 
@@ -13,21 +13,8 @@ in }; config = mkIf cfg.enable { - services.nginx = { - enable = true; - virtualHosts = { - ${cfg.domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:8234/"; - proxyWebsockets = true; - }; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; + fountain.services.reverse-proxy.enable = true; + fountain.services.reverse-proxy.domains.${cfg.domain} = "http://127.0.0.1:8234/"; services.audiobookshelf.enable = true; services.audiobookshelf.port = 8234; diff --git a/services/qenya/forgejo.nix b/services/qenya/forgejo.nix index cf18e8f..f4611dd 100644 --- a/services/qenya/forgejo.nix +++ b/services/qenya/forgejo.nix 
@@ -13,44 +13,32 @@ in }; config = mkIf cfg.enable { + fountain.services.reverse-proxy.enable = true; + fountain.services.reverse-proxy.domains.${cfg.domain} = "http://[::1]:3000/"; + # TODO: email out # TODO: interface customisation - services = { - nginx = { - enable = true; - virtualHosts = { - ${cfg.domain} = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = "http://[::1]:3000/"; - }; + services.forgejo = { + enable = true; + settings = { + DEFAULT.APP_NAME = cfg.domain; + cache = { + ADAPTER = "twoqueue"; + HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}''; }; - }; - - forgejo = { - enable = true; - settings = { - DEFAULT.APP_NAME = cfg.domain; - cache = { - ADAPTER = "twoqueue"; - HOST = ''{"size": 100, "recent_ratio": 0.25, "ghost_ratio": 0.5}''; - }; - database = { - DB_TYPE = "sqlite3"; - SQLITE_JOURNAL_MODE = "WAL"; - }; - security.LOGIN_REMEMBER_DAYS = 365; - server = { - DOMAIN = cfg.domain; - HTTP_PORT = 3000; - ROOT_URL = "https://${cfg.domain}/"; - }; - service.DISABLE_REGISTRATION = true; + database = { + DB_TYPE = "sqlite3"; + SQLITE_JOURNAL_MODE = "WAL"; }; + security.LOGIN_REMEMBER_DAYS = 365; + server = { + DOMAIN = cfg.domain; + HTTP_PORT = 3000; + ROOT_URL = "https://${cfg.domain}/"; + }; + service.DISABLE_REGISTRATION = true; }; }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; }; } diff --git a/services/qenya/headscale.nix b/services/qenya/headscale.nix index d5f2fe9..84833fa 100644 --- a/services/qenya/headscale.nix +++ b/services/qenya/headscale.nix 
@@ -16,21 +16,8 @@ in }; config = mkIf cfg.enable { - services.nginx = { - enable = true; - virtualHosts = { - ${cfg.domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:32770/"; - proxyWebsockets = true; - }; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; + fountain.services.reverse-proxy.enable = true; + fountain.services.reverse-proxy.domains.${cfg.domain} = "http://127.0.0.1:32770/"; services.headscale = { enable = true; diff --git a/services/qenya/jellyfin.nix b/services/qenya/jellyfin.nix index 154007d..4c2e536 100644 --- a/services/qenya/jellyfin.nix +++ b/services/qenya/jellyfin.nix @@ -13,19 +13,8 @@ in }; config = mkIf cfg.enable { - services.nginx = { - enable = true; - virtualHosts = { - ${cfg.domain} = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = "http://127.0.0.1:8096/"; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - + fountain.services.reverse-proxy.enable = true; + fountain.services.reverse-proxy.domains.${cfg.domain} = "http://127.0.0.1:8096/"; services.jellyfin.enable = true; }; } diff --git a/services/qenya/navidrome.nix b/services/qenya/navidrome.nix index d678005..99f7dad 100644 --- a/services/qenya/navidrome.nix +++ b/services/qenya/navidrome.nix @@ -16,18 +16,8 @@ in }; config = mkIf cfg.enable { - services.nginx = { - enable = true; - virtualHosts = { - ${cfg.domain} = { - forceSSL = true; - enableACME = true; - locations."/".proxyPass = "http://127.0.0.1:4533/"; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; + fountain.services.reverse-proxy.enable = true; + fountain.services.reverse-proxy.domains.${cfg.domain} = "http://127.0.0.1:4533/"; services.navidrome.enable = true; services.navidrome.settings = { diff --git a/services/qenya/owncast.nix b/services/qenya/owncast.nix index 1fbf52f..d4dd700 100644 --- a/services/qenya/owncast.nix +++ b/services/qenya/owncast.nix 
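Review bot: The jellyfin hunk drops the blank line that separated the firewall/proxy lines from `services.jellyfin.enable = true;`, so the proxy wiring and the service enable now read as one group, unlike the actual, navidrome and headscale hunks on this line which keep a separator. Keep a blank line after `fountain.services.reverse-proxy.domains.${cfg.domain} = "http://127.0.0.1:8096/";` so the per-service modules stay visually consistent.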
@@ -16,21 +16,10 @@ in }; config = mkIf cfg.enable { - services.nginx = { - enable = true; - virtualHosts = { - ${cfg.domain} = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://127.0.0.1:32769/"; - proxyWebsockets = true; - }; - }; - }; - }; + fountain.services.reverse-proxy.enable = true; + fountain.services.reverse-proxy.domains.${cfg.domain} = "http://127.0.0.1:32769/"; - networking.firewall.allowedTCPPorts = [ 80 443 1935 ]; # 1935 for rtmp + networking.firewall.allowedTCPPorts = [ 1935 ]; # for rtmp services.owncast.enable = true; services.owncast.port = 32769; diff --git a/services/reverse-proxy.nix b/services/reverse-proxy.nix new file mode 100644 index 0000000..f11d017 --- /dev/null +++ b/services/reverse-proxy.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkIf mkOption mkEnableOption types; + cfg = config.fountain.services.reverse-proxy; +in +{ + options.fountain.services.reverse-proxy = { + enable = mkEnableOption "Module to use nginx as a reverse proxy"; + domains = mkOption { + type = types.attrsOf types.str; + description = "Mapping from external domain to internal address"; + }; + }; + + config = mkIf cfg.enable { + services.nginx = { + enable = true; + virtualHosts = builtins.mapAttrs + (name: value: { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = value; + proxyWebsockets = true; + }; + }) + cfg.domains; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + }; +}
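Review bot: `domains` in the new services/reverse-proxy.nix hunk has no `default`, so as far as I can tell a host that sets `fountain.services.reverse-proxy.enable = true` without adding any domain fails evaluation with an undefined-option error instead of producing an nginx with no vhosts; add `default = { };`. The `mapAttrs` body also switches on `proxyWebsockets` for every vhost, which the actual, forgejo, jellyfin and navidrome configs removed in this patch did not do, so either say so in the option description or make it a per-domain opt-in rather than silently widening what each upstream accepts. Since this module now owns every public nginx vhost it is also the natural place for `recommendedProxySettings = true` and `recommendedTlsSettings = true`, so upstreams receive the X-Forwarded-* headers and TLS uses the module's hardened defaults; neither was set in the removed per-service configs either, so this is a strengthening rather than a regression. `pkgs` in the module argument set is unused and can be dropped.
```nix
    domains = mkOption {
      type = types.attrsOf types.str;
      default = { };
      description = "Mapping from external domain to the upstream URL handed to proxy_pass";
    };
  # … unchanged: enable option, config = mkIf cfg.enable { …
    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      # … unchanged: virtualHosts = builtins.mapAttrs … cfg.domains …
    };
```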