diff --git a/hosts/muho/configuration.nix b/hosts/muho/configuration.nix index 8e3315d..e4717a5 100644 --- a/hosts/muho/configuration.nix +++ b/hosts/muho/configuration.nix @@ -1,11 +1,5 @@ -{ - config, - lib, - pkgs, - inputs, - system, - ... -}: let +{ config, lib, pkgs, inputs, system, ... }: +let cfg = config.mods; keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon" @@ -14,7 +8,7 @@ ]; in { # Hardware - imports = [./hardware-configuration.nix ../ports.nix]; + imports = [ ./hardware-configuration.nix ../ports.nix ]; # System mods.user.name = "muon"; @@ -51,7 +45,6 @@ in { mods.server.lemmy.enable = true; mods.server.audio.enable = true; mods.server.atuin.enable = true; - mods.server.seedbox.enable = true; mods.server.dash.enable = false; mods.server.nginx.ports.dash = 3009; diff --git a/hosts/mups/configuration.nix b/hosts/mups/configuration.nix index 1fb24b5..24fe51b 100644 --- a/hosts/mups/configuration.nix +++ b/hosts/mups/configuration.nix @@ -1,20 +1,15 @@ -{ - config, - lib, - pkgs, - inputs, - system, - ... -}: let +{ config, lib, pkgs, inputs, system, ... }: +let cfg = config.mods; keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKEio+Y5wBVD1wILaH2R3wV10FvVjiqy/4gGBWHOITTB muon@muon" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKevYmkH7xvYoquBjnYZ7PJiVqf+GOh9fxAJBN6wZGBB gin4@hi.is" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILmAOd9VbhyJeibt6Vrb101MNTk5W8+rh94Djv/C+pyu muon@muho" ]; + in { # Hardware - imports = [./hardware-configuration.nix ../ports.nix]; + imports = [ ./hardware-configuration.nix ../ports.nix ]; # System mods.user.name = "muon"; 
@@ -51,82 +46,29 @@ in { enable = true; listen = "[::]:8008"; root = "/var/www"; - configuration = {general = {directory-listing = true;};}; + configuration = { general = { directory-listing = true; }; }; }; services.nginx.virtualHosts = { "muon.host" = { enableACME = true; forceSSL = true; default = true; - locations."/" = {proxyPass = "http://localhost:8008";}; + locations."/" = { proxyPass = "http://localhost:8008"; }; }; "nvr.muon.host" = { enableACME = true; forceSSL = true; - locations."/" = {proxyPass = "http://10.0.0.2:8095";}; + locations."/" = { proxyPass = "http://10.0.0.2:8095"; }; }; "tetterodesportcomplex.nl" = { enableACME = true; forceSSL = true; - locations."/" = {proxyPass = "http://10.0.0.3:5001";}; + locations."/" = { proxyPass = "http://10.0.0.3:5001"; }; }; "www.tetterodesportcomplex.nl" = { enableACME = true; forceSSL = true; - locations."/" = {proxyPass = "http://10.0.0.3:5001";}; - }; - "seedbox.muon.host" = { - forceSSL = true; - enableACME = true; - locations = { - "/" = { - proxyPass = "http://10.0.0.3:3013"; - }; - "/api" = { - proxyPass = "http://10.0.0.3:3014"; - extraConfig = - #sh - '' - limit_req zone=api burst=20 nodelay; - - # CORS headers - add_header Access-Control-Allow-Origin "*" always; - add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; - add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization" always; - add_header Access-Control-Expose-Headers "Content-Length,Content-Range" always; - - # Handle preflight requests - if ($request_method = 'OPTIONS') { - add_header Access-Control-Allow-Origin "*"; - add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"; - add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"; - add_header Content-Type text/plain; - add_header Content-Length 0; - return 204; - } - ''; - }; - 
"/api/stream" = { - proxyPass = "http://10.0.0.3:3014"; - extraConfig = - #sh - '' - limit_req zone=download burst=10 nodelay; - proxy_set_header Range $http_range; - - # Streaming optimizations - proxy_buffering off; - proxy_cache off; - proxy_read_timeout 300s; - proxy_connect_timeout 30s; - proxy_send_timeout 300s; - - # Allow large file streaming - client_max_body_size 0; - proxy_max_temp_file_size 0; - ''; - }; - }; + locations."/" = { proxyPass = "http://10.0.0.3:5001"; }; }; }; @@ -137,8 +79,9 @@ in { networking.firewall = { enable = true; - allowedTCPPorts = [80 8080]; + allowedTCPPorts = [ 80 8080 ]; }; system.stateVersion = "24.05"; # Did you read the comment? } + diff --git a/hosts/ports.nix b/hosts/ports.nix index b9da945..9aa8b9e 100644 --- a/hosts/ports.nix +++ b/hosts/ports.nix @@ -1,13 +1,8 @@ -{ - pkgs, - lib, - config, - ... -}: { +{ pkgs, lib, config, ... }: { options.mods.server = with lib; { local.ports = mkOption { type = types.attrsOf (types.ints.u16); - default = {}; + default = { }; }; }; config = { @@ -24,8 +19,6 @@ ntfy = 3010; audio = 3011; atuin = 3012; - # stream = 3013; # seedbox-frontend - # seedbox = 3014; # seedbox-backend search = 8081; videos = 8082; diff --git a/modules/nixos/server/containers/default.nix b/modules/nixos/server/containers/default.nix index b211cba..416150e 100644 --- a/modules/nixos/server/containers/default.nix +++ b/modules/nixos/server/containers/default.nix @@ -1,9 +1,4 @@ -{ - pkgs, - lib, - config, - ... -}: { +{ pkgs, lib, config, ... }: { options.mods.containers = { enable = lib.mkEnableOption { default = false; @@ -11,10 +6,7 @@ }; }; - imports = [ - ./steam.nix - ./seedbox.nix - ]; + imports = [ ./steam.nix ]; config = lib.mkIf config.mods.containers.enable { virtualisation.docker.enable = true; 
@@ -24,10 +16,10 @@ }; networking.nat = { enable = true; - internalInterfaces = ["ve-+"]; + internalInterfaces = [ "ve-+" ]; externalInterface = "enp0s31f6"; }; - networking.networkmanager.unmanaged = ["interface-name:ve-*"]; + networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; # networking = { # bridges.br0.interfaces = [ "enp0s31f6" ]; # Adjust interface accordingly @@ -53,6 +45,6 @@ # tcp = { enable = true; anonymousClients = { allowedIpRanges = ["127.0.0.1" "192.168.100.0/24"]; }; }; # }; - environment.systemPackages = with pkgs; [xorg.xhost]; + environment.systemPackages = with pkgs; [ xorg.xhost ]; }; } diff --git a/modules/nixos/server/containers/seedbox.nix b/modules/nixos/server/containers/seedbox.nix deleted file mode 100644 index 7cf5dc1..0000000 --- a/modules/nixos/server/containers/seedbox.nix +++ /dev/null 
@@ -1,197 +0,0 @@ -# Auto-generated by compose2nix. -{ - pkgs, - lib, - config, - ... -}: let - cfg = config.mods.server.seedbox; - port = 3013; - bport = 3014; -in - with lib; { - options.mods.server.seedbox = { - enable = mkEnableOption { - default = false; - description = "enables seedbox-lite containers"; - }; - }; - - config = - mkIf config.mods.server.nginx.enable { - } - // mkIf cfg.enable { - networking.firewall = { - allowedTCPPorts = [port bport]; - allowedUDPPorts = [port bport]; - }; - - # Runtime - virtualisation.docker = { - enable = true; - autoPrune.enable = true; - }; - virtualisation.oci-containers.backend = "docker"; - - # Containers - virtualisation.oci-containers.containers."seedbox-backend" = { - image = "compose2nix/seedbox-backend"; - volumes = [ - "seedbox-lite_seedbox_cache:/app/cache:rw" - "seedbox-lite_seedbox_data:/app/data:rw" - ]; - ports = [ - "${toString bport}:3001/tcp" - ]; - log-driver = "journald"; - extraOptions = [ - "--network-alias=seedbox-backend" - "--network=seedbox-lite_seedbox-network" - ]; - environment = { - NODE_ENV = "production"; - ACCESS_PASSWORD = "temp_pass"; - FRONTEND_URL = "http://localhost:${toString port}"; - }; - }; - systemd.services."docker-seedbox-backend" = { - serviceConfig = { - Restart = lib.mkOverride 90 "always"; - RestartMaxDelaySec = lib.mkOverride 90 "1m"; - RestartSec = lib.mkOverride 90 "100ms"; - RestartSteps = lib.mkOverride 90 9; - }; - after = [ - "docker-network-seedbox-lite_seedbox-network.service" - "docker-volume-seedbox-lite_seedbox_cache.service" - "docker-volume-seedbox-lite_seedbox_data.service" - ]; - requires = [ - "docker-network-seedbox-lite_seedbox-network.service" - "docker-volume-seedbox-lite_seedbox_cache.service" - "docker-volume-seedbox-lite_seedbox_data.service" - ]; - partOf = [ - "docker-compose-seedbox-lite-root.target" - ]; - wantedBy = [ - "docker-compose-seedbox-lite-root.target" - ]; - }; - virtualisation.oci-containers.containers."seedbox-frontend" = { - image = 
"compose2nix/seedbox-frontend"; - ports = [ - "${toString port}:8080/tcp" - ]; - dependsOn = [ - "seedbox-backend" - ]; - log-driver = "journald"; - extraOptions = [ - "--network-alias=seedbox-frontend" - "--network=seedbox-lite_seedbox-network" - ]; - environment = { - NODE_ENV = "production"; - ACCESS_PASSWORD = "temp_pass"; - }; - }; - systemd.services."docker-seedbox-frontend" = { - serviceConfig = { - Restart = lib.mkOverride 90 "always"; - RestartMaxDelaySec = lib.mkOverride 90 "1m"; - RestartSec = lib.mkOverride 90 "100ms"; - RestartSteps = lib.mkOverride 90 9; - }; - after = [ - "docker-network-seedbox-lite_seedbox-network.service" - ]; - requires = [ - "docker-network-seedbox-lite_seedbox-network.service" - ]; - partOf = [ - "docker-compose-seedbox-lite-root.target" - ]; - wantedBy = [ - "docker-compose-seedbox-lite-root.target" - ]; - }; - - # Networks - systemd.services."docker-network-seedbox-lite_seedbox-network" = { - path = [pkgs.docker]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStop = "docker network rm -f seedbox-lite_seedbox-network"; - }; - script = '' - docker network inspect seedbox-lite_seedbox-network || docker network create seedbox-lite_seedbox-network --driver=bridge - ''; - partOf = ["docker-compose-seedbox-lite-root.target"]; - wantedBy = ["docker-compose-seedbox-lite-root.target"]; - }; - - # Volumes - systemd.services."docker-volume-seedbox-lite_seedbox_cache" = { - path = [pkgs.docker]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - docker volume inspect seedbox-lite_seedbox_cache || docker volume create seedbox-lite_seedbox_cache --driver=local - ''; - partOf = ["docker-compose-seedbox-lite-root.target"]; - wantedBy = ["docker-compose-seedbox-lite-root.target"]; - }; - systemd.services."docker-volume-seedbox-lite_seedbox_data" = { - path = [pkgs.docker]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - docker volume inspect 
seedbox-lite_seedbox_data || docker volume create seedbox-lite_seedbox_data --driver=local - ''; - partOf = ["docker-compose-seedbox-lite-root.target"]; - wantedBy = ["docker-compose-seedbox-lite-root.target"]; - }; - - # Builds - systemd.services."docker-build-seedbox-backend" = { - path = [pkgs.docker pkgs.git]; - serviceConfig = { - Type = "oneshot"; - TimeoutSec = 300; - }; - script = '' - cd /tmp - git clone https://github.com/hotheadhacker/seedbox-lite.git && cd seedbox-lite/server || cd seedbox-lite/server - podman build -t compose2nix/seedbox-backend . - ''; - }; - systemd.services."docker-build-seedbox-frontend" = { - path = [pkgs.docker pkgs.git]; - serviceConfig = { - Type = "oneshot"; - TimeoutSec = 300; - }; - script = '' - cd /tmp - git clone https://github.com/hotheadhacker/seedbox-lite.git && cd seedbox-lite/client || cd seedbox-lite/client - podman build -t compose2nix/seedbox-frontend --build-arg VITE_API_BASE_URL=http://localhost:${toString bport} . - ''; - }; - - # Root service - # When started, this will automatically create all resources and start - # the containers. When stopped, this will teardown all resources. - systemd.targets."docker-compose-seedbox-lite-root" = { - unitConfig = { - Description = "Root target generated by compose2nix."; - }; - wantedBy = ["multi-user.target"]; - }; - }; - } diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index 17febfe..c307231 100644 --- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix 
@@ -82,7 +82,7 @@ in
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer-when-downgrade" always;
- add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self';" always;
+ add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; script-src 'self'; object-src 'none'; base-uri 'none';"; always;
 add_header Permissions-Policy "interest-cohort=()" always;
 # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 '';
@@ -103,11 +103,9 @@ in
 # sh
 ''
 client_max_body_size 50000M;
- proxy_request_buffering off;
- client_body_buffer_size 1024k;
- proxy_read_timeout 2400s;
- proxy_send_timeout 2400s;
- send_timeout 2400s;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
 '';
 };
 };
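Review bot: The new Content-Security-Policy line has a stray `;` between the closing quote and `always`, so nginx terminates the `add_header` directive at the quote and then sees `always;` as a separate, unknown directive — the config test will fail, and even if it parsed, the header would have lost its `always` flag and not be emitted on error responses. The line should read `add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; script-src 'self'; object-src 'none'; base-uri 'none';" always;`. Separately, once `script-src` is set explicitly it no longer falls back to `default-src`, so the `'unsafe-inline'` and `http:`/`https:` sources kept there do not apply to scripts any more and any proxied application that relies on inline or third-party scripts will be blocked; that may well be the intent, but it deserves a comment such as `# script-src is explicit, so default-src's 'unsafe-inline' no longer covers scripts` since this header block appears to be shared. The extraConfig string this line lives in begins and ends outside the hunk.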
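Review bot: Dropping `proxy_request_buffering off;` while keeping `client_max_body_size 50000M;` puts nginx back on its default behaviour of spooling the entire request body to `client_body_temp_path` before forwarding it, so a single upload of up to ~50 GB is first written to nginx's temp directory on disk, which is a disk-exhaustion risk on a host with a small root or tmp volume and doubles the I/O of every large upload. If removing the buffering setting was not deliberate, keep `proxy_request_buffering off;` next to the new 600s timeouts; if it was, lower `client_max_body_size` or point `client_body_temp_path` at a volume sized for it. The location or server block these directives belong to starts and ends outside the hunk, so I cannot see whether a narrower limit applies elsewhere.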