From 7dce6dd274369d78333d102629d62ace57f38064 Mon Sep 17 00:00:00 2001 From: muon Date: Thu, 1 Jan 2026 17:10:29 +0000 Subject: [PATCH 1/7] Fix typo --- modules/nixos/server/nginx.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index c307231..696146c 100644 --- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix @@ -82,7 +82,7 @@ in add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; - add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; script-src 'self'; object-src 'none'; base-uri 'none';"; always; + add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; script-src 'self'; object-src 'none'; base-uri 'none';" always; add_header Permissions-Policy "interest-cohort=()" always; # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; ''; From 08344a4843d78aaf4267bd8c93cc4fa593789caf Mon Sep 17 00:00:00 2001 From: muon Date: Fri, 2 Jan 2026 19:24:15 +0000 Subject: [PATCH 2/7] Add seedbox --- hosts/muho/configuration.nix | 13 +- hosts/ports.nix | 11 +- modules/nixos/server/containers/default.nix | 18 +- modules/nixos/server/containers/seedbox.nix | 186 ++++++++++++++++++++ 4 files changed, 218 insertions(+), 10 deletions(-) create mode 100644 modules/nixos/server/containers/seedbox.nix diff --git a/hosts/muho/configuration.nix b/hosts/muho/configuration.nix index e4717a5..8e3315d 100644 --- a/hosts/muho/configuration.nix +++ b/hosts/muho/configuration.nix 
@@ -1,5 +1,11 @@ -{ config, lib, pkgs, inputs, system, ... }: -let +{ + config, + lib, + pkgs, + inputs, + system, + ... +}: let cfg = config.mods; keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon" @@ -8,7 +14,7 @@ let ]; in { # Hardware - imports = [ ./hardware-configuration.nix ../ports.nix ]; + imports = [./hardware-configuration.nix ../ports.nix]; # System mods.user.name = "muon"; @@ -45,6 +51,7 @@ in { mods.server.lemmy.enable = true; mods.server.audio.enable = true; mods.server.atuin.enable = true; + mods.server.seedbox.enable = true; mods.server.dash.enable = false; mods.server.nginx.ports.dash = 3009; diff --git a/hosts/ports.nix b/hosts/ports.nix index 9aa8b9e..04f26c8 100644 --- a/hosts/ports.nix +++ b/hosts/ports.nix @@ -1,8 +1,13 @@ -{ pkgs, lib, config, ... }: { +{ + pkgs, + lib, + config, + ... +}: { options.mods.server = with lib; { local.ports = mkOption { type = types.attrsOf (types.ints.u16); - default = { }; + default = {}; }; }; config = { @@ -19,6 +24,7 @@ ntfy = 3010; audio = 3011; atuin = 3012; + stream = 3013; search = 8081; videos = 8082; @@ -33,6 +39,7 @@ prowlarr = 5006; flaresolverr = 5007; torrent = 5008; + seedbox = 5009; }; }; } diff --git a/modules/nixos/server/containers/default.nix b/modules/nixos/server/containers/default.nix index 416150e..b211cba 100644 --- a/modules/nixos/server/containers/default.nix +++ b/modules/nixos/server/containers/default.nix @@ -1,4 +1,9 @@ -{ pkgs, lib, config, ... }: { +{ + pkgs, + lib, + config, + ... +}: { options.mods.containers = { enable = lib.mkEnableOption { default = false; @@ -6,7 +11,10 @@ }; }; - imports = [ ./steam.nix ]; + imports = [ + ./steam.nix + ./seedbox.nix + ]; config = lib.mkIf config.mods.containers.enable { virtualisation.docker.enable = true; 
@@ -16,10 +24,10 @@ }; networking.nat = { enable = true; - internalInterfaces = [ "ve-+" ]; + internalInterfaces = ["ve-+"]; externalInterface = "enp0s31f6"; }; - networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; + networking.networkmanager.unmanaged = ["interface-name:ve-*"]; # networking = { # bridges.br0.interfaces = [ "enp0s31f6" ]; # Adjust interface accordingly @@ -45,6 +53,6 @@ # tcp = { enable = true; anonymousClients = { allowedIpRanges = ["127.0.0.1" "192.168.100.0/24"]; }; }; # }; - environment.systemPackages = with pkgs; [ xorg.xhost ]; + environment.systemPackages = with pkgs; [xorg.xhost]; }; } diff --git a/modules/nixos/server/containers/seedbox.nix b/modules/nixos/server/containers/seedbox.nix new file mode 100644 index 0000000..0bd0ed7 --- /dev/null +++ b/modules/nixos/server/containers/seedbox.nix 
@@ -0,0 +1,186 @@ +# Auto-generated by compose2nix. +{ + pkgs, + lib, + config, + ... +}: let + cfg = config.mods.server.seedbox; + port = config.mods.server.nginx.ports.stream; + backend-port = config.mods.server.local.ports.seedbox; +in + with lib; { + options.mods.server.seedbox = { + enable = mkEnableOption { + default = false; + description = "enables seedbox-lite containers"; + }; + }; + + config = mkIf cfg.enable { + # Runtime + virtualisation.podman = { + enable = true; + autoPrune.enable = true; + dockerCompat = true; + }; + + # Enable container name DNS for all Podman networks. + networking.firewall.interfaces = let + matchAll = + if !config.networking.nftables.enable + then "podman+" + else "podman*"; + in { + "${matchAll}".allowedUDPPorts = [53]; + }; + + virtualisation.oci-containers.backend = "podman"; + + # Containers + virtualisation.oci-containers.containers."seedbox-backend" = { + image = "localhost/compose2nix/seedbox-backend"; + volumes = [ + "seedbox-lite_seedbox_cache:/app/cache:rw" + "seedbox-lite_seedbox_data:/app/data:rw" + ]; + ports = [ + "${backend-port}:3001/tcp" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=seedbox-backend" + "--network=seedbox-lite_seedbox-network" + ]; + }; + systemd.services."podman-seedbox-backend" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + }; + after = [ + "podman-network-seedbox-lite_seedbox-network.service" + "podman-volume-seedbox-lite_seedbox_cache.service" + "podman-volume-seedbox-lite_seedbox_data.service" + ]; + requires = [ + "podman-network-seedbox-lite_seedbox-network.service" + "podman-volume-seedbox-lite_seedbox_cache.service" + "podman-volume-seedbox-lite_seedbox_data.service" + ]; + partOf = [ + "podman-compose-seedbox-lite-root.target" + ]; + wantedBy = [ + "podman-compose-seedbox-lite-root.target" + ]; + }; + virtualisation.oci-containers.containers."seedbox-frontend" = { + image = "localhost/compose2nix/seedbox-frontend"; + ports = [ + 
"${port}:80/tcp" + ]; + dependsOn = [ + "seedbox-backend" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=seedbox-frontend" + "--network=seedbox-lite_seedbox-network" + ]; + }; + systemd.services."podman-seedbox-frontend" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + }; + after = [ + "podman-network-seedbox-lite_seedbox-network.service" + ]; + requires = [ + "podman-network-seedbox-lite_seedbox-network.service" + ]; + partOf = [ + "podman-compose-seedbox-lite-root.target" + ]; + wantedBy = [ + "podman-compose-seedbox-lite-root.target" + ]; + }; + + # Networks + systemd.services."podman-network-seedbox-lite_seedbox-network" = { + path = [pkgs.podman]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "podman network rm -f seedbox-lite_seedbox-network"; + }; + script = '' + podman network inspect seedbox-lite_seedbox-network || podman network create seedbox-lite_seedbox-network --driver=bridge + ''; + partOf = ["podman-compose-seedbox-lite-root.target"]; + wantedBy = ["podman-compose-seedbox-lite-root.target"]; + }; + + # Volumes + systemd.services."podman-volume-seedbox-lite_seedbox_cache" = { + path = [pkgs.podman]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + podman volume inspect seedbox-lite_seedbox_cache || podman volume create seedbox-lite_seedbox_cache --driver=local + ''; + partOf = ["podman-compose-seedbox-lite-root.target"]; + wantedBy = ["podman-compose-seedbox-lite-root.target"]; + }; + systemd.services."podman-volume-seedbox-lite_seedbox_data" = { + path = [pkgs.podman]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + podman volume inspect seedbox-lite_seedbox_data || podman volume create seedbox-lite_seedbox_data --driver=local + ''; + partOf = ["podman-compose-seedbox-lite-root.target"]; + wantedBy = ["podman-compose-seedbox-lite-root.target"]; + }; + + # Builds + 
systemd.services."podman-build-seedbox-backend" = { + path = [pkgs.podman pkgs.git]; + serviceConfig = { + Type = "oneshot"; + TimeoutSec = 300; + }; + script = '' + cd /home/muon/projects/seedbox-lite/server + podman build -t compose2nix/seedbox-backend . + ''; + }; + systemd.services."podman-build-seedbox-frontend" = { + path = [pkgs.podman pkgs.git]; + serviceConfig = { + Type = "oneshot"; + TimeoutSec = 300; + }; + script = '' + cd /tmp + git clone https://github.com/hotheadhacker/seedbox-lite.git + cd seedbox-lite/client + podman build -t compose2nix/seedbox-frontend --build-arg VITE_API_BASE_URL=http://localhost:${backend-port} . + ''; + }; + + # Root service + # When started, this will automatically create all resources and start + # the containers. When stopped, this will teardown all resources. + systemd.targets."podman-compose-seedbox-lite-root" = { + unitConfig = { + Description = "Root target generated by compose2nix."; + }; + wantedBy = ["multi-user.target"]; + }; + }; + } From d11d502f684b6f9d9d905e13016dac5190f0ffa7 Mon Sep 17 00:00:00 2001 From: muon Date: Fri, 2 Jan 2026 19:25:32 +0000 Subject: [PATCH 3/7] Add nginx headers --- modules/nixos/server/nginx.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index 696146c..17febfe 100644 --- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix 
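Review bot: Nothing orders the `podman-build-seedbox-*` services before the container units, so on a fresh host `podman-seedbox-backend` and `podman-seedbox-frontend` start against `localhost/compose2nix/seedbox-*` images that do not exist yet; add `requires = ["podman-build-seedbox-backend.service"];` plus the matching `after` entry to each `podman-seedbox-*` service (or hang the build units off `podman-compose-seedbox-lite-root.target`). The build scripts also clone `hotheadhacker/seedbox-lite` at the default branch head, as root, on every rebuild, so whatever that branch contains at that moment becomes the deployed image with no integrity check; pin it (`git clone … && git checkout <PINNED_COMMIT>`) or fetch the source with `pkgs.fetchFromGitHub` so a hash is verified. `virtualisation.podman.dockerCompat = true` here coexists with `virtualisation.docker.enable = true` in containers/default.nix, which I believe the NixOS podman module rejects with an assertion. Finally, `VITE_API_BASE_URL=http://localhost:${backend-port}` is baked into the frontend bundle, so a browser on any other machine will call its own localhost — presumably this should be the URL at which the API is actually reachable.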
@@ -82,7 +82,7 @@ in
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer-when-downgrade" always;
- add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self';" always;
 add_header Permissions-Policy "interest-cohort=()" always;
 # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 '';
@@ -103,9 +103,11 @@ in
 # sh
 ''
 client_max_body_size 50000M;
- proxy_read_timeout 600s;
- proxy_send_timeout 600s;
- send_timeout 600s;
+ proxy_request_buffering off;
+ client_body_buffer_size 1024k;
+ proxy_read_timeout 2400s;
+ proxy_send_timeout 2400s;
+ send_timeout 2400s;
 '';
 };
 };
From f5998e5f982d43ede939bba7f625e845a63f4d7d Mon Sep 17 00:00:00 2001
From: muon
Date: Fri, 2 Jan 2026 19:36:02 +0000
Subject: [PATCH 4/7] Fix backend build

---
 modules/nixos/server/containers/seedbox.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/nixos/server/containers/seedbox.nix b/modules/nixos/server/containers/seedbox.nix
index 0bd0ed7..ef4b61b 100644
--- a/modules/nixos/server/containers/seedbox.nix
+++ b/modules/nixos/server/containers/seedbox.nix
@@ -155,7 +155,9 @@ in
 TimeoutSec = 300;
 };
 script = ''
- cd /home/muon/projects/seedbox-lite/server
+ cd /tmp
+ git clone https://github.com/hotheadhacker/seedbox-lite.git
+ cd seedbox-lite/server
 podman build -t compose2nix/seedbox-backend .
 '';
 };
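Review bot: The new Content-Security-Policy drops `script-src 'self'`, `object-src 'none'` and `base-uri 'none'` and adds `'unsafe-eval'`, so script loading now falls back to `default-src`, which already allows `http:`, `https:`, `data:`, `blob:` and `'unsafe-inline'` — effectively any script from any origin, leaving the header with little value against injected markup wherever this shared block applies (I assume it is included by every vhost). If one application needs `eval`, grant it in that vhost's `extraConfig` rather than in the shared header, and keep `object-src 'none'; base-uri 'none';` globally, since nothing here needs plugins or `<base>` rewriting. A policy that still permits eval without opening script sources would be `default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; base-uri 'none'; frame-ancestors 'self';`. The enclosing `''` string starts before this hunk.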
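Review bot: `git clone` into the fixed path `/tmp/seedbox-lite` fails with "destination path already exists" on every run after the first — and the frontend build service clones to the same path — so under the `-e` shell NixOS wraps `script` in, one of the two build units will fail as soon as the other has run. Give each build unit private scratch space instead of a shared world-writable directory: set `serviceConfig.PrivateTmp = true;` so each run starts with an empty /tmp, and clone into an explicit directory, `git clone --depth 1 https://github.com/hotheadhacker/seedbox-lite.git /tmp/src`, followed by `cd /tmp/src/server`. The same applies to `podman-build-seedbox-frontend`, which is outside this hunk.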
diff --git a/modules/nixos/server/containers/seedbox.nix b/modules/nixos/server/containers/seedbox.nix
index 0bd0ed7..ca94721 100644
--- a/modules/nixos/server/containers/seedbox.nix
+++ b/modules/nixos/server/containers/seedbox.nix
@@ -45,7 +45,7 @@ in
 "seedbox-lite_seedbox_data:/app/data:rw"
 ];
 ports = [
- "${backend-port}:3001/tcp"
+ "${toString backend-port}:3001/tcp"
 ];
 log-driver = "journald";
 extraOptions = [
@@ -77,7 +77,7 @@ in
 virtualisation.oci-containers.containers."seedbox-frontend" = {
 image = "localhost/compose2nix/seedbox-frontend";
 ports = [
- "${port}:80/tcp"
+ "${toString port}:80/tcp"
 ];
 dependsOn = [
 "seedbox-backend"
@@ -169,7 +169,7 @@ in
 cd /tmp
 git clone https://github.com/hotheadhacker/seedbox-lite.git
 cd seedbox-lite/client
- podman build -t compose2nix/seedbox-frontend --build-arg VITE_API_BASE_URL=http://localhost:${backend-port} .
+ podman build -t compose2nix/seedbox-frontend --build-arg VITE_API_BASE_URL=http://localhost:${toString backend-port} .
 '';
 };
 
From b8961e7263586fd1a7d1dd68dfac1d36fc4ce12f Mon Sep 17 00:00:00 2001
From: muon
Date: Fri, 2 Jan 2026 20:43:02 +0000
Subject: [PATCH 6/7] Fix seedbox

---
 hosts/ports.nix | 4 +-
 modules/nixos/server/containers/seedbox.nix | 114 ++++++++++----------
 2 files changed, 59 insertions(+), 59 deletions(-)

diff --git a/hosts/ports.nix b/hosts/ports.nix
index 04f26c8..66a63ad 100644
--- a/hosts/ports.nix
+++ b/hosts/ports.nix
@@ -24,7 +24,8 @@
 ntfy = 3010;
 audio = 3011;
 atuin = 3012;
- stream = 3013;
+ stream = 3013; # seedbox-frontend
+ seedbox = 3014; # seedbox-backend
 
 search = 8081;
 videos = 8082;
@@ -39,7 +40,6 @@
 prowlarr = 5006;
 flaresolverr = 5007;
 torrent = 5008;
- seedbox = 5009;
 };
 };
 }
diff --git a/modules/nixos/server/containers/seedbox.nix b/modules/nixos/server/containers/seedbox.nix
index b0f6fc8..559ce8a 100644
--- a/modules/nixos/server/containers/seedbox.nix
+++ b/modules/nixos/server/containers/seedbox.nix
@@ -7,7 +7,7 @@ }: let cfg = config.mods.server.seedbox; port = config.mods.server.nginx.ports.stream; - backend-port = config.mods.server.local.ports.seedbox; + backend-port = config.mods.server.nginx.ports.seedbox; in with lib; { options.mods.server.seedbox = { @@ -19,27 +19,15 @@ in config = mkIf cfg.enable { # Runtime - virtualisation.podman = { + virtualisation.docker = { enable = true; autoPrune.enable = true; - dockerCompat = true; }; - - # Enable container name DNS for all Podman networks. - networking.firewall.interfaces = let - matchAll = - if !config.networking.nftables.enable - then "podman+" - else "podman*"; - in { - "${matchAll}".allowedUDPPorts = [53]; - }; - - virtualisation.oci-containers.backend = "podman"; + virtualisation.oci-containers.backend = "docker"; # Containers virtualisation.oci-containers.containers."seedbox-backend" = { - image = "localhost/compose2nix/seedbox-backend"; + image = "compose2nix/seedbox-backend"; volumes = [ "seedbox-lite_seedbox_cache:/app/cache:rw" "seedbox-lite_seedbox_data:/app/data:rw" 
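Review bot: Docker programs its own iptables rules for published ports, so once the backend runs under `virtualisation.docker` the `${toString backend-port}:3001/tcp` mapping (in the hunk below) is reachable from outside regardless of `networking.firewall`, on every interface of the host. Since `backend-port` is now taken from `nginx.ports`, i.e. a local nginx fronts the service, bind the mapping to loopback: `"127.0.0.1:${toString backend-port}:3001/tcp"`, and the same for the frontend's `${toString port}:8080/tcp` if it is only reached through nginx. The container definition this applies to begins at the end of this hunk and continues in the next one.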
@@ -52,32 +40,39 @@ in "--network-alias=seedbox-backend" "--network=seedbox-lite_seedbox-network" ]; + environment = { + NODE_ENV = "production"; + ACCESS_PASSWORD = "temp_pass"; + }; }; - systemd.services."podman-seedbox-backend" = { + systemd.services."docker-seedbox-backend" = { serviceConfig = { Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; }; after = [ - "podman-network-seedbox-lite_seedbox-network.service" - "podman-volume-seedbox-lite_seedbox_cache.service" - "podman-volume-seedbox-lite_seedbox_data.service" + "docker-network-seedbox-lite_seedbox-network.service" + "docker-volume-seedbox-lite_seedbox_cache.service" + "docker-volume-seedbox-lite_seedbox_data.service" ]; requires = [ - "podman-network-seedbox-lite_seedbox-network.service" - "podman-volume-seedbox-lite_seedbox_cache.service" - "podman-volume-seedbox-lite_seedbox_data.service" + "docker-network-seedbox-lite_seedbox-network.service" + "docker-volume-seedbox-lite_seedbox_cache.service" + "docker-volume-seedbox-lite_seedbox_data.service" ]; partOf = [ - "podman-compose-seedbox-lite-root.target" + "docker-compose-seedbox-lite-root.target" ]; wantedBy = [ - "podman-compose-seedbox-lite-root.target" + "docker-compose-seedbox-lite-root.target" ]; }; virtualisation.oci-containers.containers."seedbox-frontend" = { - image = "localhost/compose2nix/seedbox-frontend"; + image = "compose2nix/seedbox-frontend"; ports = [ - "${toString port}:80/tcp" + "${toString port}:8080/tcp" ]; dependsOn = [ "seedbox-backend" 
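Review bot: `ACCESS_PASSWORD = "temp_pass";` puts the application's access credential into the Nix expression, which lands in the world-readable /nix/store on the host and in this repository's history; the frontend container in the `@@ -87,90` hunk repeats the same value. Keep only `NODE_ENV` in `environment` and supply the secret through `environmentFiles = [ <PATH_TO_SECRET_ENV_FILE> ];` on both containers, with the file provisioned outside the store (agenix/sops-nix or a root-only file). If the string really is a placeholder it still needs replacing before the service is exposed, because this is the value the nginx vhost added later in the series will be fronting.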
@@ -87,90 +82,95 @@ in "--network-alias=seedbox-frontend" "--network=seedbox-lite_seedbox-network" ]; + environment = { + NODE_ENV = "production"; + ACCESS_PASSWORD = "temp_pass"; + }; }; - systemd.services."podman-seedbox-frontend" = { + systemd.services."docker-seedbox-frontend" = { serviceConfig = { Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; }; after = [ - "podman-network-seedbox-lite_seedbox-network.service" + "docker-network-seedbox-lite_seedbox-network.service" ]; requires = [ - "podman-network-seedbox-lite_seedbox-network.service" + "docker-network-seedbox-lite_seedbox-network.service" ]; partOf = [ - "podman-compose-seedbox-lite-root.target" + "docker-compose-seedbox-lite-root.target" ]; wantedBy = [ - "podman-compose-seedbox-lite-root.target" + "docker-compose-seedbox-lite-root.target" ]; }; # Networks - systemd.services."podman-network-seedbox-lite_seedbox-network" = { - path = [pkgs.podman]; + systemd.services."docker-network-seedbox-lite_seedbox-network" = { + path = [pkgs.docker]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; - ExecStop = "podman network rm -f seedbox-lite_seedbox-network"; + ExecStop = "docker network rm -f seedbox-lite_seedbox-network"; }; script = '' - podman network inspect seedbox-lite_seedbox-network || podman network create seedbox-lite_seedbox-network --driver=bridge + docker network inspect seedbox-lite_seedbox-network || docker network create seedbox-lite_seedbox-network --driver=bridge ''; - partOf = ["podman-compose-seedbox-lite-root.target"]; - wantedBy = ["podman-compose-seedbox-lite-root.target"]; + partOf = ["docker-compose-seedbox-lite-root.target"]; + wantedBy = ["docker-compose-seedbox-lite-root.target"]; }; # Volumes - systemd.services."podman-volume-seedbox-lite_seedbox_cache" = { - path = [pkgs.podman]; + systemd.services."docker-volume-seedbox-lite_seedbox_cache" = { + path = 
[pkgs.docker]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' - podman volume inspect seedbox-lite_seedbox_cache || podman volume create seedbox-lite_seedbox_cache --driver=local + docker volume inspect seedbox-lite_seedbox_cache || docker volume create seedbox-lite_seedbox_cache --driver=local ''; - partOf = ["podman-compose-seedbox-lite-root.target"]; - wantedBy = ["podman-compose-seedbox-lite-root.target"]; + partOf = ["docker-compose-seedbox-lite-root.target"]; + wantedBy = ["docker-compose-seedbox-lite-root.target"]; }; - systemd.services."podman-volume-seedbox-lite_seedbox_data" = { - path = [pkgs.podman]; + systemd.services."docker-volume-seedbox-lite_seedbox_data" = { + path = [pkgs.docker]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' - podman volume inspect seedbox-lite_seedbox_data || podman volume create seedbox-lite_seedbox_data --driver=local + docker volume inspect seedbox-lite_seedbox_data || docker volume create seedbox-lite_seedbox_data --driver=local ''; - partOf = ["podman-compose-seedbox-lite-root.target"]; - wantedBy = ["podman-compose-seedbox-lite-root.target"]; + partOf = ["docker-compose-seedbox-lite-root.target"]; + wantedBy = ["docker-compose-seedbox-lite-root.target"]; }; # Builds - systemd.services."podman-build-seedbox-backend" = { - path = [pkgs.podman pkgs.git]; + systemd.services."docker-build-seedbox-backend" = { + path = [pkgs.docker pkgs.git]; serviceConfig = { Type = "oneshot"; TimeoutSec = 300; }; script = '' cd /tmp - git clone https://github.com/hotheadhacker/seedbox-lite.git - cd seedbox-lite/server + git clone https://github.com/hotheadhacker/seedbox-lite.git && cd seedbox-lite/server || cd seedbox-lite/server podman build -t compose2nix/seedbox-backend . 
''; }; - systemd.services."podman-build-seedbox-frontend" = { - path = [pkgs.podman pkgs.git]; + systemd.services."docker-build-seedbox-frontend" = { + path = [pkgs.docker pkgs.git]; serviceConfig = { Type = "oneshot"; TimeoutSec = 300; }; script = '' cd /tmp - git clone https://github.com/hotheadhacker/seedbox-lite.git - cd seedbox-lite/client + git clone https://github.com/hotheadhacker/seedbox-lite.git && cd seedbox-lite/client || cd seedbox-lite/client podman build -t compose2nix/seedbox-frontend --build-arg VITE_API_BASE_URL=http://localhost:${toString backend-port} . ''; }; @@ -178,7 +178,7 @@ in # Root service # When started, this will automatically create all resources and start # the containers. When stopped, this will teardown all resources. - systemd.targets."podman-compose-seedbox-lite-root" = { + systemd.targets."docker-compose-seedbox-lite-root" = { unitConfig = { Description = "Root target generated by compose2nix."; }; From c54a2dd18353449e3ee0a09a8dc07f61fa76e190 Mon Sep 17 00:00:00 2001 From: muon Date: Fri, 2 Jan 2026 21:28:26 +0000 Subject: [PATCH 7/7] Update nginx --- hosts/mups/configuration.nix | 79 ++++- hosts/ports.nix | 4 +- modules/nixos/server/containers/seedbox.nix | 325 ++++++++++---------- 3 files changed, 237 insertions(+), 171 deletions(-) diff --git a/hosts/mups/configuration.nix b/hosts/mups/configuration.nix index 24fe51b..1fb24b5 100644 --- a/hosts/mups/configuration.nix +++ b/hosts/mups/configuration.nix 
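Review bot: The `docker-build-seedbox-*` services still run `podman build`, but their `path` is now `[pkgs.docker pkgs.git]`, so unless podman happens to remain installed system-wide both builds fail with command-not-found; change them to `docker build -t compose2nix/seedbox-backend .` and `docker build -t compose2nix/seedbox-frontend …`. The new `git clone … && cd … || cd …` also masks every clone failure: a network error or a certificate problem silently reuses whatever is already in `/tmp/seedbox-lite`, so the build can quietly pin itself to a stale or tampered checkout without any error. Let the clone fail loudly and avoid the shared path instead — `serviceConfig.PrivateTmp = true;` gives each run a fresh /tmp, after which the plain `git clone` from the previous patch succeeds every time. Both the `podman build` mismatch and the masked clone are carried unchanged into the rewritten seedbox.nix in the last patch of the series.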
@@ -1,15 +1,20 @@ -{ config, lib, pkgs, inputs, system, ... }: -let +{ + config, + lib, + pkgs, + inputs, + system, + ... +}: let cfg = config.mods; keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILmAOd9VbhyJeibt6Vrb101MNTk5W8+rh94Djv/C+pyu muon@muho" ]; - in { # Hardware - imports = [ ./hardware-configuration.nix ../ports.nix ]; + imports = [./hardware-configuration.nix ../ports.nix]; # System mods.user.name = "muon"; 
@@ -46,29 +51,82 @@ in { enable = true; listen = "[::]:8008"; root = "/var/www"; - configuration = { general = { directory-listing = true; }; }; + configuration = {general = {directory-listing = true;};}; }; services.nginx.virtualHosts = { "muon.host" = { enableACME = true; forceSSL = true; default = true; - locations."/" = { proxyPass = "http://localhost:8008"; }; + locations."/" = {proxyPass = "http://localhost:8008";}; }; "nvr.muon.host" = { enableACME = true; forceSSL = true; - locations."/" = { proxyPass = "http://10.0.0.2:8095"; }; + locations."/" = {proxyPass = "http://10.0.0.2:8095";}; }; "tetterodesportcomplex.nl" = { enableACME = true; forceSSL = true; - locations."/" = { proxyPass = "http://10.0.0.3:5001"; }; + locations."/" = {proxyPass = "http://10.0.0.3:5001";}; }; "www.tetterodesportcomplex.nl" = { enableACME = true; forceSSL = true; - locations."/" = { proxyPass = "http://10.0.0.3:5001"; }; + locations."/" = {proxyPass = "http://10.0.0.3:5001";}; + }; + "seedbox.muon.host" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://10.0.0.3:3013"; + }; + "/api" = { + proxyPass = "http://10.0.0.3:3014"; + extraConfig = + #sh + '' + limit_req zone=api burst=20 nodelay; + + # CORS headers + add_header Access-Control-Allow-Origin "*" always; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; + add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization" always; + add_header Access-Control-Expose-Headers "Content-Length,Content-Range" always; + + # Handle preflight requests + if ($request_method = 'OPTIONS') { + add_header Access-Control-Allow-Origin "*"; + add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; + add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; + add_header Content-Type text/plain; + 
add_header Content-Length 0; + return 204; + } + ''; + }; + "/api/stream" = { + proxyPass = "http://10.0.0.3:3014"; + extraConfig = + #sh + '' + limit_req zone=download burst=10 nodelay; + proxy_set_header Range $http_range; + + # Streaming optimizations + proxy_buffering off; + proxy_cache off; + proxy_read_timeout 300s; + proxy_connect_timeout 30s; + proxy_send_timeout 300s; + + # Allow large file streaming + client_max_body_size 0; + proxy_max_temp_file_size 0; + ''; + }; + }; }; }; @@ -79,9 +137,8 @@ in { networking.firewall = { enable = true; - allowedTCPPorts = [ 80 8080 ]; + allowedTCPPorts = [80 8080]; }; system.stateVersion = "24.05"; # Did you read the comment? } - diff --git a/hosts/ports.nix b/hosts/ports.nix index 66a63ad..b9da945 100644 --- a/hosts/ports.nix +++ b/hosts/ports.nix @@ -24,8 +24,8 @@ ntfy = 3010; audio = 3011; atuin = 3012; - stream = 3013; # seedbox-frontend - seedbox = 3014; # seedbox-backend + # stream = 3013; # seedbox-frontend + # seedbox = 3014; # seedbox-backend search = 8081; videos = 8082; diff --git a/modules/nixos/server/containers/seedbox.nix b/modules/nixos/server/containers/seedbox.nix index 559ce8a..7cf5dc1 100644 --- a/modules/nixos/server/containers/seedbox.nix +++ b/modules/nixos/server/containers/seedbox.nix @@ -6,8 +6,8 @@ ... }: let cfg = config.mods.server.seedbox; - port = config.mods.server.nginx.ports.stream; - backend-port = config.mods.server.nginx.ports.seedbox; + port = 3013; + bport = 3014; in with lib; { options.mods.server.seedbox = { 
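Review bot: The `/api` location answers every origin with `Access-Control-Allow-Origin "*"` (repeated in the `OPTIONS` branch) even though its only client is the frontend served from the same `seedbox.muon.host` origin, which needs no CORS at all; if another origin must call the API, name it exactly, `add_header Access-Control-Allow-Origin "https://seedbox.muon.host" always;` together with `add_header Vary Origin always;`, rather than `*`. `limit_req zone=api` and `zone=download` also require matching `limit_req_zone` declarations in the http context (e.g. via `services.nginx.appendHttpConfig`); none is in this diff, so nginx will refuse the configuration unless they are defined elsewhere. Note as well that nginx `add_header` in a `location` replaces rather than extends the headers inherited from outer levels, so whatever shared security headers nginx.nix sets will not be emitted for `/api` and `/api/stream` unless repeated here. The `services.nginx.virtualHosts` attrset this belongs to starts before the hunk.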
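Review bot: Hard-coding `port = 3013; bport = 3014;` in seedbox.nix while commenting the same numbers out of hosts/ports.nix takes them out of the one place where this configuration appears to track port assignments, so nothing will flag a later collision with another service; keep the entries in ports.nix (under `local.ports` if they should not get an nginx vhost on this host) and reference them from here as the previous version did. The enclosing `let` starts before this hunk.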
@@ -17,172 +17,181 @@ in }; }; - config = mkIf cfg.enable { - # Runtime - virtualisation.docker = { - enable = true; - autoPrune.enable = true; - }; - virtualisation.oci-containers.backend = "docker"; + config = + mkIf config.mods.server.nginx.enable { + } + // mkIf cfg.enable { + networking.firewall = { + allowedTCPPorts = [port bport]; + allowedUDPPorts = [port bport]; + }; - # Containers - virtualisation.oci-containers.containers."seedbox-backend" = { - image = "compose2nix/seedbox-backend"; - volumes = [ - "seedbox-lite_seedbox_cache:/app/cache:rw" - "seedbox-lite_seedbox_data:/app/data:rw" - ]; - ports = [ - "${toString backend-port}:3001/tcp" - ]; - log-driver = "journald"; - extraOptions = [ - "--network-alias=seedbox-backend" - "--network=seedbox-lite_seedbox-network" - ]; - environment = { - NODE_ENV = "production"; - ACCESS_PASSWORD = "temp_pass"; + # Runtime + virtualisation.docker = { + enable = true; + autoPrune.enable = true; }; - }; - systemd.services."docker-seedbox-backend" = { - serviceConfig = { - Restart = lib.mkOverride 90 "always"; - RestartMaxDelaySec = lib.mkOverride 90 "1m"; - RestartSec = lib.mkOverride 90 "100ms"; - RestartSteps = lib.mkOverride 90 9; - }; - after = [ - "docker-network-seedbox-lite_seedbox-network.service" - "docker-volume-seedbox-lite_seedbox_cache.service" - "docker-volume-seedbox-lite_seedbox_data.service" - ]; - requires = [ - "docker-network-seedbox-lite_seedbox-network.service" - "docker-volume-seedbox-lite_seedbox_cache.service" - "docker-volume-seedbox-lite_seedbox_data.service" - ]; - partOf = [ - "docker-compose-seedbox-lite-root.target" - ]; - wantedBy = [ - "docker-compose-seedbox-lite-root.target" - ]; - }; - virtualisation.oci-containers.containers."seedbox-frontend" = { - image = "compose2nix/seedbox-frontend"; - ports = [ - "${toString port}:8080/tcp" - ]; - dependsOn = [ - "seedbox-backend" - ]; - log-driver = "journald"; - extraOptions = [ - "--network-alias=seedbox-frontend" - 
"--network=seedbox-lite_seedbox-network" - ]; - environment = { - NODE_ENV = "production"; - ACCESS_PASSWORD = "temp_pass"; - }; - }; - systemd.services."docker-seedbox-frontend" = { - serviceConfig = { - Restart = lib.mkOverride 90 "always"; - RestartMaxDelaySec = lib.mkOverride 90 "1m"; - RestartSec = lib.mkOverride 90 "100ms"; - RestartSteps = lib.mkOverride 90 9; - }; - after = [ - "docker-network-seedbox-lite_seedbox-network.service" - ]; - requires = [ - "docker-network-seedbox-lite_seedbox-network.service" - ]; - partOf = [ - "docker-compose-seedbox-lite-root.target" - ]; - wantedBy = [ - "docker-compose-seedbox-lite-root.target" - ]; - }; + virtualisation.oci-containers.backend = "docker"; - # Networks - systemd.services."docker-network-seedbox-lite_seedbox-network" = { - path = [pkgs.docker]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStop = "docker network rm -f seedbox-lite_seedbox-network"; + # Containers + virtualisation.oci-containers.containers."seedbox-backend" = { + image = "compose2nix/seedbox-backend"; + volumes = [ + "seedbox-lite_seedbox_cache:/app/cache:rw" + "seedbox-lite_seedbox_data:/app/data:rw" + ]; + ports = [ + "${toString bport}:3001/tcp" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=seedbox-backend" + "--network=seedbox-lite_seedbox-network" + ]; + environment = { + NODE_ENV = "production"; + ACCESS_PASSWORD = "temp_pass"; + FRONTEND_URL = "http://localhost:${toString port}"; + }; + }; + systemd.services."docker-seedbox-backend" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; + }; + after = [ + "docker-network-seedbox-lite_seedbox-network.service" + "docker-volume-seedbox-lite_seedbox_cache.service" + "docker-volume-seedbox-lite_seedbox_data.service" + ]; + requires = [ + "docker-network-seedbox-lite_seedbox-network.service" + 
"docker-volume-seedbox-lite_seedbox_cache.service" + "docker-volume-seedbox-lite_seedbox_data.service" + ]; + partOf = [ + "docker-compose-seedbox-lite-root.target" + ]; + wantedBy = [ + "docker-compose-seedbox-lite-root.target" + ]; + }; + virtualisation.oci-containers.containers."seedbox-frontend" = { + image = "compose2nix/seedbox-frontend"; + ports = [ + "${toString port}:8080/tcp" + ]; + dependsOn = [ + "seedbox-backend" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=seedbox-frontend" + "--network=seedbox-lite_seedbox-network" + ]; + environment = { + NODE_ENV = "production"; + ACCESS_PASSWORD = "temp_pass"; + }; + }; + systemd.services."docker-seedbox-frontend" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; + }; + after = [ + "docker-network-seedbox-lite_seedbox-network.service" + ]; + requires = [ + "docker-network-seedbox-lite_seedbox-network.service" + ]; + partOf = [ + "docker-compose-seedbox-lite-root.target" + ]; + wantedBy = [ + "docker-compose-seedbox-lite-root.target" + ]; }; - script = '' - docker network inspect seedbox-lite_seedbox-network || docker network create seedbox-lite_seedbox-network --driver=bridge - ''; - partOf = ["docker-compose-seedbox-lite-root.target"]; - wantedBy = ["docker-compose-seedbox-lite-root.target"]; - }; - # Volumes - systemd.services."docker-volume-seedbox-lite_seedbox_cache" = { - path = [pkgs.docker]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; + # Networks + systemd.services."docker-network-seedbox-lite_seedbox-network" = { + path = [pkgs.docker]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "docker network rm -f seedbox-lite_seedbox-network"; + }; + script = '' + docker network inspect seedbox-lite_seedbox-network || docker network create seedbox-lite_seedbox-network --driver=bridge + ''; + partOf 
= ["docker-compose-seedbox-lite-root.target"]; + wantedBy = ["docker-compose-seedbox-lite-root.target"]; }; - script = '' - docker volume inspect seedbox-lite_seedbox_cache || docker volume create seedbox-lite_seedbox_cache --driver=local - ''; - partOf = ["docker-compose-seedbox-lite-root.target"]; - wantedBy = ["docker-compose-seedbox-lite-root.target"]; - }; - systemd.services."docker-volume-seedbox-lite_seedbox_data" = { - path = [pkgs.docker]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - docker volume inspect seedbox-lite_seedbox_data || docker volume create seedbox-lite_seedbox_data --driver=local - ''; - partOf = ["docker-compose-seedbox-lite-root.target"]; - wantedBy = ["docker-compose-seedbox-lite-root.target"]; - }; - # Builds - systemd.services."docker-build-seedbox-backend" = { - path = [pkgs.docker pkgs.git]; - serviceConfig = { - Type = "oneshot"; - TimeoutSec = 300; + # Volumes + systemd.services."docker-volume-seedbox-lite_seedbox_cache" = { + path = [pkgs.docker]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + docker volume inspect seedbox-lite_seedbox_cache || docker volume create seedbox-lite_seedbox_cache --driver=local + ''; + partOf = ["docker-compose-seedbox-lite-root.target"]; + wantedBy = ["docker-compose-seedbox-lite-root.target"]; }; - script = '' - cd /tmp - git clone https://github.com/hotheadhacker/seedbox-lite.git && cd seedbox-lite/server || cd seedbox-lite/server - podman build -t compose2nix/seedbox-backend . 
- ''; - }; - systemd.services."docker-build-seedbox-frontend" = { - path = [pkgs.docker pkgs.git]; - serviceConfig = { - Type = "oneshot"; - TimeoutSec = 300; + systemd.services."docker-volume-seedbox-lite_seedbox_data" = { + path = [pkgs.docker]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + docker volume inspect seedbox-lite_seedbox_data || docker volume create seedbox-lite_seedbox_data --driver=local + ''; + partOf = ["docker-compose-seedbox-lite-root.target"]; + wantedBy = ["docker-compose-seedbox-lite-root.target"]; }; - script = '' - cd /tmp - git clone https://github.com/hotheadhacker/seedbox-lite.git && cd seedbox-lite/client || cd seedbox-lite/client - podman build -t compose2nix/seedbox-frontend --build-arg VITE_API_BASE_URL=http://localhost:${toString backend-port} . - ''; - }; - # Root service - # When started, this will automatically create all resources and start - # the containers. When stopped, this will teardown all resources. - systemd.targets."docker-compose-seedbox-lite-root" = { - unitConfig = { - Description = "Root target generated by compose2nix."; + # Builds + systemd.services."docker-build-seedbox-backend" = { + path = [pkgs.docker pkgs.git]; + serviceConfig = { + Type = "oneshot"; + TimeoutSec = 300; + }; + script = '' + cd /tmp + git clone https://github.com/hotheadhacker/seedbox-lite.git && cd seedbox-lite/server || cd seedbox-lite/server + podman build -t compose2nix/seedbox-backend . + ''; + }; + systemd.services."docker-build-seedbox-frontend" = { + path = [pkgs.docker pkgs.git]; + serviceConfig = { + Type = "oneshot"; + TimeoutSec = 300; + }; + script = '' + cd /tmp + git clone https://github.com/hotheadhacker/seedbox-lite.git && cd seedbox-lite/client || cd seedbox-lite/client + podman build -t compose2nix/seedbox-frontend --build-arg VITE_API_BASE_URL=http://localhost:${toString bport} . 
+ ''; + }; + + # Root service + # When started, this will automatically create all resources and start + # the containers. When stopped, this will teardown all resources. + systemd.targets."docker-compose-seedbox-lite-root" = { + unitConfig = { + Description = "Root target generated by compose2nix."; + }; + wantedBy = ["multi-user.target"]; }; - wantedBy = ["multi-user.target"]; }; - }; }