From 0adbcc838bb2d87fa12591b4ade4ad70677955d9 Mon Sep 17 00:00:00 2001 From: William Date: Thu, 16 Oct 2025 19:16:24 -0300 Subject: [PATCH 1/3] merged rclone-webdav with radicale --- .../alexandria/{rclone-webdav.nix => dav.nix} | 59 ++++++++++++++++--- hosts/alexandria/radicale.nix | 17 ------ 2 files changed, 52 insertions(+), 24 deletions(-) rename hosts/alexandria/{rclone-webdav.nix => dav.nix} (59%) delete mode 100644 hosts/alexandria/radicale.nix diff --git a/hosts/alexandria/rclone-webdav.nix b/hosts/alexandria/dav.nix similarity index 59% rename from hosts/alexandria/rclone-webdav.nix rename to hosts/alexandria/dav.nix index 8324d31..8cb510f 100644 --- a/hosts/alexandria/rclone-webdav.nix +++ b/hosts/alexandria/dav.nix @@ -1,6 +1,8 @@ -{ config, pkgs, ... }: - +{ lib, inputs, ... }: let + utils = import ../../utils.nix { inherit inputs; }; + inherit (utils) mkNginxVhosts; + rclone-webdav-start = pkgs.writeShellScript "rclone-webdav-start.sh" '' #!/bin/bash 
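Review bot: The new module signature `{ lib, inputs, ... }:` drops `pkgs`, yet the very next context line still evaluates `pkgs.writeShellScript`, so this file no longer evaluates (undefined variable `pkgs`); the later `${pkgs.rclone}` reference in the same let-binding has the same problem. Restore it alongside the new arguments, `{ lib, pkgs, inputs, ... }:`. Dropping `config` looks safe from what is visible in this hunk, but the rest of the let-binding runs past the hunk and should be checked for other uses.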
@@ -42,12 +44,49 @@ let --verbose ''; in - { - age.secrets.webdav = { - file = ../../secrets/webdav.age; - owner = "user"; - group = "users"; + services = { + nginx.virtualHosts = mkNginxVhosts { + inherit lib; + acmeHost = "baduhai.dev"; + domains = { + "dav.baduhai.dev".locations = { + "/caldav" = { + proxyPass = "http://unix:/run/radicale/radicale.sock:/"; + extraConfig = '' + proxy_set_header X-Script-Name /caldav; + proxy_pass_header Authorization; + ''; + }; + "/webdav" = { + proxyPass = "http://unix:/run/rclone-webdav/webdav.sock:/webdav/"; + extraConfig = '' + proxy_set_header X-Script-Name /webdav; + proxy_pass_header Authorization; + proxy_connect_timeout 300; + proxy_send_timeout 300; + proxy_read_timeout 300; + client_max_body_size 10G; + proxy_buffering off; + proxy_request_buffering off; + ''; + }; + }; + }; + }; + radicale = { + enable = true; + settings = { + server = { + hosts = [ "/run/radicale/radicale.sock" ]; + }; + auth = { + type = "htpasswd"; + htpasswd_filename = "/etc/radicale/users"; + htpasswd_encryption = "bcrypt"; + }; + }; + }; }; systemd.services.rclone-webdav = { @@ -79,4 +118,10 @@ in chmod 755 /data/webdav ''; }; + + age.secrets.webdav = { + file = ../../secrets/webdav.age; + owner = "user"; + group = "users"; + }; } diff --git a/hosts/alexandria/radicale.nix b/hosts/alexandria/radicale.nix deleted file mode 100644 index d81a228..0000000 --- a/hosts/alexandria/radicale.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ ... }: - -{ - services.radicale = { - enable = true; - settings = { - server = { - hosts = [ "/run/radicale/radicale.sock" ]; - }; - auth = { - type = "htpasswd"; - htpasswd_filename = "/etc/radicale/users"; - htpasswd_encryption = "bcrypt"; - }; - }; - }; -} From 51b6a62f912c1341728e96de56e9b8b9ca15b6cd Mon Sep 17 00:00:00 2001 
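Review bot: `proxy_pass_header Authorization;` in both the `/caldav` and `/webdav` locations does not do what its placement suggests: as far as I can tell from nginx's semantics, `proxy_pass_header` only re-enables otherwise suppressed response headers from the upstream (Date, Server, X-Accel-*), while request headers such as Authorization are forwarded to Radicale and rclone by default anyway. If the intent is to guarantee the client's credential reaches the backend, the explicit form is `proxy_set_header Authorization $http_authorization;`; otherwise the line can be dropped. Either way a one-line comment such as `# basic-auth is forwarded to the backend, which performs authentication` would make the trust boundary clear, since both backends rely on that header for their htpasswd/basic-auth checks.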
From: William Date: Thu, 16 Oct 2025 19:36:46 -0300 Subject: [PATCH 2/3] new mkNginxVHosts function --- homeConfigurations.nix | 3 +- hosts/alexandria/dav.nix | 49 +++++++++++++--------------- hosts/alexandria/forgejo.nix | 18 +++++++++-- hosts/alexandria/jellyfin.nix | 12 +++++-- hosts/alexandria/librespeed.nix | 12 +++++-- hosts/alexandria/nginx.nix | 55 ++++++++------------------------ hosts/alexandria/vaultwarden.nix | 18 +++++++++-- nixosConfigurations.nix | 3 +- utils.nix | 17 +++++++++- 9 files changed, 109 insertions(+), 78 deletions(-) diff --git a/homeConfigurations.nix b/homeConfigurations.nix index 3d3a950..112783f 100644 --- a/homeConfigurations.nix +++ b/homeConfigurations.nix @@ -1,6 +1,7 @@ { inputs, ... }: let - utils = import ./utils.nix { inherit inputs; }; + lib = inputs.nixpkgs.lib; + utils = import ./utils.nix { inherit inputs lib; }; inherit (utils) mkUser; in { diff --git a/hosts/alexandria/dav.nix b/hosts/alexandria/dav.nix index 8cb510f..a300e84 100644 --- a/hosts/alexandria/dav.nix +++ b/hosts/alexandria/dav.nix @@ -1,7 +1,7 @@ { lib, inputs, ... }: let - utils = import ../../utils.nix { inherit inputs; }; - inherit (utils) mkNginxVhosts; + utils = import ../../utils.nix { inherit inputs lib; }; + inherit (utils) mkNginxVHosts; rclone-webdav-start = pkgs.writeShellScript "rclone-webdav-start.sh" '' #!/bin/bash 
@@ -46,31 +46,28 @@ let in { services = { - nginx.virtualHosts = mkNginxVhosts { - inherit lib; + nginx.virtualHosts = mkNginxVHosts { acmeHost = "baduhai.dev"; - domains = { - "dav.baduhai.dev".locations = { - "/caldav" = { - proxyPass = "http://unix:/run/radicale/radicale.sock:/"; - extraConfig = '' - proxy_set_header X-Script-Name /caldav; - proxy_pass_header Authorization; - ''; - }; - "/webdav" = { - proxyPass = "http://unix:/run/rclone-webdav/webdav.sock:/webdav/"; - extraConfig = '' - proxy_set_header X-Script-Name /webdav; - proxy_pass_header Authorization; - proxy_connect_timeout 300; - proxy_send_timeout 300; - proxy_read_timeout 300; - client_max_body_size 10G; - proxy_buffering off; - proxy_request_buffering off; - ''; - }; + domains."dav.baduhai.dev".locations = { + "/caldav" = { + proxyPass = "http://unix:/run/radicale/radicale.sock:/"; + extraConfig = '' + proxy_set_header X-Script-Name /caldav; + proxy_pass_header Authorization; + ''; + }; + "/webdav" = { + proxyPass = "http://unix:/run/rclone-webdav/webdav.sock:/webdav/"; + extraConfig = '' + proxy_set_header X-Script-Name /webdav; + proxy_pass_header Authorization; + proxy_connect_timeout 300; + proxy_send_timeout 300; + proxy_read_timeout 300; + client_max_body_size 10G; + proxy_buffering off; + proxy_request_buffering off; + ''; }; }; }; diff --git a/hosts/alexandria/forgejo.nix b/hosts/alexandria/forgejo.nix index 0b9908e..909d1d1 100644 --- a/hosts/alexandria/forgejo.nix +++ b/hosts/alexandria/forgejo.nix @@ -1,5 +1,13 @@ -{ ... }: - +{ + config, + lib, + inputs, + ... +}: +let + utils = import ../../utils.nix { inherit inputs lib; }; + inherit (utils) mkNginxVHosts; +in { services.forgejo = { enable = true; @@ -18,4 +26,10 @@ actions.ENABLED = false; }; }; + + services.nginx.virtualHosts = mkNginxVHosts { + acmeHost = "baduhai.dev"; + domains."git.baduhai.dev".locations."/".proxyPass = + "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; + }; } 
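Review bot: The forgejo vhost builds `http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/`, which only makes sense if `HTTP_ADDR` is a socket path and `PROTOCOL` is set to `http+unix` in the settings that lie outside this hunk; if either is a TCP address the generated proxy_pass is invalid. A comment stating that precondition, e.g. `# HTTP_ADDR is a unix socket (PROTOCOL = "http+unix"), hence the unix: proxy_pass form`, would stop a later settings change from silently breaking the vhost. Consider also whether this location needs a `client_max_body_size` above nginx's default, since HTTPS git pushes and release uploads routinely exceed it.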
diff --git a/hosts/alexandria/jellyfin.nix b/hosts/alexandria/jellyfin.nix index 87a825f..9555c89 100644 --- a/hosts/alexandria/jellyfin.nix +++ b/hosts/alexandria/jellyfin.nix @@ -1,8 +1,16 @@ -{ ... }: - +{ lib, inputs, ... }: +let + utils = import ../../utils.nix { inherit inputs lib; }; + inherit (utils) mkNginxVHosts; +in { services.jellyfin = { enable = true; openFirewall = true; }; + + services.nginx.virtualHosts = mkNginxVHosts { + acmeHost = "baduhai.dev"; + domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/"; + }; } diff --git a/hosts/alexandria/librespeed.nix b/hosts/alexandria/librespeed.nix index 09e4768..79353bd 100644 --- a/hosts/alexandria/librespeed.nix +++ b/hosts/alexandria/librespeed.nix @@ -1,5 +1,8 @@ -{ ... }: - +{ lib, inputs, ... }: +let + utils = import ../../utils.nix { inherit inputs lib; }; + inherit (utils) mkNginxVHosts; +in { virtualisation.oci-containers.containers."librespeed" = { image = "lscr.io/linuxserver/librespeed:latest"; @@ -11,4 +14,9 @@ "--label=io.containers.autoupdate=registry" ]; }; + + services.nginx.virtualHosts = mkNginxVHosts { + acmeHost = "baduhai.dev"; + domains."speedtest.baduhai.dev".locations."/".proxyPass = "http://librespeed:80/"; + }; } diff --git a/hosts/alexandria/nginx.nix b/hosts/alexandria/nginx.nix index 8c20d5d..192dbda 100644 --- a/hosts/alexandria/nginx.nix +++ b/hosts/alexandria/nginx.nix @@ -1,5 +1,13 @@ -{ config, lib, ... }: - +{ + config, + lib, + inputs, + ... +}: +let + utils = import ../../utils.nix { inherit inputs lib; }; + inherit (utils) mkNginxVHosts; +in { security.acme = { acceptTerms = true; 
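Review bot: The new TLS vhost for jellyfin.baduhai.dev proxies to `127.0.0.1:8096`, but the retained `openFirewall = true;` in the same hunk still opens Jellyfin's ports on the host firewall, so the service stays reachable in plaintext on 8096 alongside the HTTPS front end. If nginx is meant to be the only entry point, set `openFirewall = false;`; if the direct port is wanted for LAN discovery, a comment saying so would keep the next reader from "fixing" it.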
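Review bot: The new speedtest.baduhai.dev vhost publicly exposes a container that the surrounding context pulls as `lscr.io/linuxserver/librespeed:latest` with `io.containers.autoupdate=registry`, so whatever the registry serves under that tag is deployed unreviewed behind this TLS endpoint. Pinning the image to a version or digest (`image = "lscr.io/linuxserver/librespeed:<version>@sha256:...";`) and updating it deliberately would close that supply-chain gap; if auto-update is intentional, a comment recording that trade-off belongs next to the label. The `proxyPass = "http://librespeed:80/"` target also depends on nginx resolving the container name, which is presumably handled by the container network setup elsewhere — worth a comment as well.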
@@ -26,45 +34,10 @@ recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; - virtualHosts = - let - commonVHostConfig = { - useACMEHost = "baduhai.dev"; - forceSSL = true; - kTLS = true; - }; - in - lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) { - "_".locations."/".return = "444"; - "dav.baduhai.dev".locations = { - "/caldav" = { - proxyPass = "http://unix:/run/radicale/radicale.sock:/"; - extraConfig = '' - proxy_set_header X-Script-Name /caldav; - proxy_pass_header Authorization; - ''; - }; - "/webdav" = { - proxyPass = "http://unix:/run/rclone-webdav/webdav.sock:/webdav/"; - extraConfig = '' - proxy_set_header X-Script-Name /webdav; - proxy_pass_header Authorization; - proxy_connect_timeout 300; # Increase timeouts for large file uploads - proxy_send_timeout 300; - proxy_read_timeout 300; - client_max_body_size 10G; # Allow large file uploads - proxy_buffering off; # Buffer settings for better performance - proxy_request_buffering off; - ''; - }; - }; - "git.baduhai.dev".locations."/".proxyPass = - "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/"; - "jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/"; - "pass.baduhai.dev".locations."/".proxyPass = - "http://unix:${config.services.vaultwarden.config.ROCKET_ADDRESS}:/"; - "speedtest.baduhai.dev".locations."/".proxyPass = "http://librespeed:80/"; - }; + virtualHosts = mkNginxVHosts { + acmeHost = "baduhai.dev"; + domains."_".locations."/".return = "444"; + }; }; users.users.nginx.extraGroups = [ "acme" ]; diff --git a/hosts/alexandria/vaultwarden.nix b/hosts/alexandria/vaultwarden.nix index 058c123..21f7d46 100644 --- a/hosts/alexandria/vaultwarden.nix +++ b/hosts/alexandria/vaultwarden.nix @@ -1,5 +1,13 @@ -{ ... }: - +{ + config, + lib, + inputs, + ... +}: +let + utils = import ../../utils.nix { inherit inputs lib; }; + inherit (utils) mkNginxVHosts; +in { services.vaultwarden = { enable = true; 
@@ -9,4 +17,10 @@ ROCKET_ADDRESS = "/run/vaultwarden/vaultwarden.sock"; }; }; + + services.nginx.virtualHosts = mkNginxVHosts { + acmeHost = "baduhai.dev"; + domains."pass.baduhai.dev".locations."/".proxyPass = + "http://unix:${config.services.vaultwarden.config.ROCKET_ADDRESS}:/"; + }; } diff --git a/nixosConfigurations.nix b/nixosConfigurations.nix index 65a9e14..f32f422 100644 --- a/nixosConfigurations.nix +++ b/nixosConfigurations.nix @@ -1,6 +1,7 @@ { inputs, ... }: let - utils = import ./utils.nix { inherit inputs; }; + lib = inputs.nixpkgs.lib; + utils = import ./utils.nix { inherit inputs lib; }; inherit (utils) mkHost; in { diff --git a/utils.nix b/utils.nix index e56e3c2..f25a821 100644 --- a/utils.nix +++ b/utils.nix @@ -1,4 +1,4 @@ -{ inputs }: +{ inputs, lib }: let inherit (inputs) self @@ -172,4 +172,19 @@ in } ]; }; + + # Nginx virtual host utilities + mkNginxVHosts = + { + acmeHost, + domains, + }: + let + commonVHostConfig = { + useACMEHost = acmeHost; + forceSSL = true; + kTLS = true; + }; + in + lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) domains; } From f7b173457652b7432ae59d3c33da8be2197389fe Mon Sep 17 00:00:00 2001 From: William Date: Thu, 16 Oct 2025 19:37:06 -0300 Subject: [PATCH 3/3] no more dav --- hosts/alexandria/dav.nix | 124 --------------------------------------- 1 file changed, 124 deletions(-) delete mode 100644 hosts/alexandria/dav.nix diff --git a/hosts/alexandria/dav.nix b/hosts/alexandria/dav.nix deleted file mode 100644 index a300e84..0000000 --- a/hosts/alexandria/dav.nix +++ /dev/null 
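Review bot: `mkNginxVHosts` applies `forceSSL`, `kTLS` and `useACMEHost` to every virtual host it returns, including the catch-all `_`, yet the only comment is `# Nginx virtual host utilities`; a reader cannot tell from the call sites that a domain attrset may override those defaults. Because `lib.recursiveUpdate commonVHostConfig` is called with the per-domain attrs as the second argument, domain-specific values win, which is a useful and non-obvious property to document, e.g. `# Per-domain attrs override the common defaults (recursiveUpdate keeps the right-hand side).`. A short docstring naming the two parameters and the three enforced settings would also let callers see that the literal `acmeHost = "baduhai.dev"` repeated in six modules could become a default argument (`acmeHost ? "baduhai.dev"`) instead.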
@@ -1,124 +0,0 @@ -{ lib, inputs, ... }: -let - utils = import ../../utils.nix { inherit inputs lib; }; - inherit (utils) mkNginxVHosts; - - rclone-webdav-start = pkgs.writeShellScript "rclone-webdav-start.sh" '' - #!/bin/bash - - # Configuration - CREDS_FILE="/run/agenix/webdav" - SERVE_DIR="/data/webdav" - SOCKET_PATH="/run/rclone-webdav/webdav.sock" - - # Check if credentials file exists - if [ ! -f "$CREDS_FILE" ]; then - echo "Error: Credentials file $CREDS_FILE not found" - exit 1 - fi - - # Read credentials from file (format: username:password) - CREDENTIALS=$(cat "$CREDS_FILE") - USERNAME=$(echo "$CREDENTIALS" | cut -d':' -f1) - PASSWORD=$(echo "$CREDENTIALS" | cut -d':' -f2) - - # Validate credentials - if [ -z "$USERNAME" ] || [ -z "$PASSWORD" ]; then - echo "Error: Invalid credentials format. Expected username:password" - exit 1 - fi - - # Ensure serve directory exists - mkdir -p "$SERVE_DIR" - - # Remove existing socket if it exists - rm -f "$SOCKET_PATH" - - # Start rclone serve webdav - exec ${pkgs.rclone}/bin/rclone serve webdav "$SERVE_DIR" \ - --addr unix://"$SOCKET_PATH" \ - --user "$USERNAME" \ - --pass "$PASSWORD" \ - --config="" \ - --baseurl "/webdav" \ - --verbose - ''; -in -{ - services = { - nginx.virtualHosts = mkNginxVHosts { - acmeHost = "baduhai.dev"; - domains."dav.baduhai.dev".locations = { - "/caldav" = { - proxyPass = "http://unix:/run/radicale/radicale.sock:/"; - extraConfig = '' - proxy_set_header X-Script-Name /caldav; - proxy_pass_header Authorization; - ''; - }; - "/webdav" = { - proxyPass = "http://unix:/run/rclone-webdav/webdav.sock:/webdav/"; - extraConfig = '' - proxy_set_header X-Script-Name /webdav; - proxy_pass_header Authorization; - proxy_connect_timeout 300; - proxy_send_timeout 300; - proxy_read_timeout 300; - client_max_body_size 10G; - proxy_buffering off; - proxy_request_buffering off; - ''; - }; - }; - }; - radicale = { - enable = true; - settings = { - server = { - hosts = [ "/run/radicale/radicale.sock" ]; - }; 
- auth = { - type = "htpasswd"; - htpasswd_filename = "/etc/radicale/users"; - htpasswd_encryption = "bcrypt"; - }; - }; - }; - }; - - systemd.services.rclone-webdav = { - description = "RClone WebDAV Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "exec"; - User = "user"; - Group = "nginx"; - ExecStart = "${rclone-webdav-start}"; - Restart = "always"; - RestartSec = "10"; - NoNewPrivileges = true; - PrivateTmp = true; - ProtectSystem = "strict"; - ProtectHome = true; - ReadWritePaths = [ - "/data/webdav" - "/run" - ]; - RuntimeDirectory = "rclone-webdav"; - RuntimeDirectoryMode = "0750"; - UMask = "0002"; - }; - preStart = '' - mkdir -p /data/webdav - chown user:users /data/webdav - chmod 755 /data/webdav - ''; - }; - - age.secrets.webdav = { - file = ../../secrets/webdav.age; - owner = "user"; - group = "users"; - }; -}