diff --git a/flake.lock b/flake.lock index 2def15d..2160b4e 100644 --- a/flake.lock +++ b/flake.lock @@ -49,11 +49,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1768336726, - "narHash": "sha256-Os4qn0S0bv7MauXGz16ozyOYZuMrA2FJuXNjDnr5yps=", + "lastModified": 1769470446, + "narHash": "sha256-nze0VZ70K2kbDxjE+BBZLD7juOmnZqNYdOhl9aUNGWg=", "owner": "9001", "repo": "copyparty", - "rev": "c46cd7f57a8ae3b121866485c91ec078c4dd970e", + "rev": "2f57228fd4e62f8cd8e12cb80a3531dc2d4d170a", "type": "github" }, "original": { @@ -91,11 +91,11 @@ ] }, "locked": { - "lastModified": 1766150702, - "narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", + "lastModified": 1769524058, + "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=", "owner": "nix-community", "repo": "disko", - "rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", + "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d", "type": "github" }, "original": { @@ -233,11 +233,11 @@ "nixpkgs": "nixpkgs_4" }, "locked": { - "lastModified": 1767838769, - "narHash": "sha256-KCLU6SUU80tEBKIVZsBrSjRYX6kn1eVIYI3fEEqOp24=", + "lastModified": 1769567010, + "narHash": "sha256-R4ESxjCluQQlSIPw4NaRYVvEtvsnKGRwmACcXU1at6g=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "4da21f019f6443f513f16af7f220ba4db1cdfc04", + "rev": "1c9c95fea177a4f8430c34dc1f974394e72bca1f", "type": "github" }, "original": { @@ -311,16 +311,16 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1767313136, - "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", + "lastModified": 1769318308, + "narHash": "sha256-Mjx6p96Pkefks3+aA+72lu1xVehb6mv2yTUUqmSet6Q=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d", + "rev": "1cd347bf3355fce6c64ab37d3967b4a2cb4b878c", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-25.05", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } @@ -452,11 +452,11 @@ }, "unstable": { "locked": { - "lastModified": 1768127708, - "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=", + "lastModified": 1769461804, + "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38", + "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 36d54ba..e9a3487 100644 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,7 @@ # Flake inputs inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11"; unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; colmena.url = "github:zhaofengli/colmena"; diff --git a/hosts/sin/configuration.nix b/hosts/sin/configuration.nix index aacf56a..2404e01 100644 --- a/hosts/sin/configuration.nix +++ b/hosts/sin/configuration.nix @@ -17,7 +17,7 @@ ./secrets.nix ./coredns ./copyparty.nix - # ./trilium.nix + ./trilium.nix ]; boot.initrd.kernelModules = [ "usb_storage" ]; @@ -44,6 +44,8 @@ 3000 # gitea + config.services.trilium-server.port + 53 ]; diff --git a/hosts/sin/jellyfin.nix b/hosts/sin/jellyfin.nix index 3f9edeb..b300712 100644 --- a/hosts/sin/jellyfin.nix +++ b/hosts/sin/jellyfin.nix @@ -11,10 +11,9 @@ in extraPackages = with pkgs; [ intel-media-driver intel-vaapi-driver - vaapiVdpau + libva-vdpau-driver intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in) vpl-gpu-rt # QSV on 11th gen or newer - intel-media-sdk # QSV up to 11th gen ]; }; @@ -91,10 +90,18 @@ in enable = true; openFirewall = true; group = "starr"; + settings = { + authentication.AuthenticationMethod = "external"; + authentication.AuthenticationType = "enabled"; + }; }; prowlarr = { enable = true; openFirewall = true; + settings = { + authentication.AuthenticationMethod = "external"; + authentication.AuthenticationType = "enabled"; + }; }; bazarr = { enable = true; @@ -103,10 +110,18 @@ in lidarr = { enable = true; openFirewall = true; + settings = { + authentication.AuthenticationMethod = "external"; + authentication.AuthenticationType = "enabled"; + }; }; whisparr = { enable = true; openFirewall = true; + settings = { + authentication.AuthenticationMethod = "external"; + authentication.AuthenticationType = "enabled"; + }; }; jellyseerr = { diff --git a/hosts/sin/trilium.nix b/hosts/sin/trilium.nix index c915eb0..d00cbb2 100644 --- a/hosts/sin/trilium.nix +++ b/hosts/sin/trilium.nix @@ -1 +1,9 @@ -{ ... }: { } +{ ... }: +{ + services.trilium-server = { + enable = true; + port = 12783; + host = "0.0.0.0"; + noAuthentication = true; + }; +} diff --git a/hosts/thea/authelia.nix b/hosts/thea/authelia.nix index f2b92ef..bb9c46b 100644 --- a/hosts/thea/authelia.nix +++ b/hosts/thea/authelia.nix @@ -49,10 +49,10 @@ in access_control = { default_policy = "deny"; rules = [ - { - domain = "radarr.shobu.fr"; - policy = "bypass"; - } + # { + # domain = "radarr.shobu.fr"; + # policy = "bypass"; + # } { domain = "*.shobu.fr"; policy = "one_factor"; diff --git a/hosts/thea/lib/autheliaSnippets.nix b/hosts/thea/lib/autheliaSnippets.nix index df916ff..56007ce 100644 --- a/hosts/thea/lib/autheliaSnippets.nix +++ b/hosts/thea/lib/autheliaSnippets.nix @@ -2,7 +2,7 @@ { proxy = pkgs.writeText "proxy.conf" '' ## Headers - proxy_set_header Host $host; + # proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; diff --git a/hosts/thea/nginx.nix b/hosts/thea/nginx.nix index a5fef14..fcefa09 100644 --- a/hosts/thea/nginx.nix +++ b/hosts/thea/nginx.nix @@ -1,4 +1,9 @@ -{ inputs, pkgs, ... }: +{ + inputs, + pkgs, + lib, + ... +}: let # striped-front = inputs.striped-front; @@ -18,81 +23,93 @@ in recommendedProxySettings = true; recommendedTlsSettings = true; + typesHashMaxSize = 512; + mapHashMaxSize = 512; + virtualHosts = let - mkStarr = host: port: { + mkVHost = host: port: { "${host}" = { enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://${sin-address}:${port}"; + }; + }; + }; + mkStarr = host: port: { + "${host}" = { + enableACME = true; + forceSSL = true; + + extraConfig = '' + include ${authelia-snippets.authelia-location}; + ''; + + locations."/api" = { + proxyPass = "http://${sin-address}:${port}"; proxyWebsockets = true; extraConfig = '' proxy_ssl_server_name on; + ''; + }; + locations."/" = { + proxyPass = "http://${sin-address}:${port}"; + proxyWebsockets = true; + extraConfig = '' + include ${authelia-snippets.proxy}; + include ${authelia-snippets.authelia-authrequest}; + + proxy_ssl_server_name on; proxy_read_timeout 4800s; ''; }; }; }; + withAuthelia = + vhost: location: + (builtins.mapAttrs ( + name: value: + (lib.recursiveUpdate value { + extraConfig = (if value ? extraConfig then value.extraConfig else "") + '' + include ${authelia-snippets.authelia-location}; + ''; + locations."${location}".extraConfig = + ( + if value.locations."${location}" ? extraConfig then + value.locations."${location}".extraConfig + else + "" + ) + + '' + include ${authelia-snippets.proxy}; + include ${authelia-snippets.authelia-authrequest}; + ''; + }) + ) vhost); + withWebsockets = + vhost: location: + (builtins.mapAttrs ( + name: value: + (lib.recursiveUpdate value { + locations."${location}".proxyWebsockets = true; + }) + ) vhost); in ( - mkStarr "jellyfin.shobu.fr" "8096" - # // mkStarr "radarr.shobu.fr" "7878" + (withWebsockets (mkVHost "jellyfin.shobu.fr" "8096") "/") + // mkStarr "radarr.shobu.fr" "7878" // mkStarr "sonarr.shobu.fr" "8989" // mkStarr "prowlarr.shobu.fr" "9696" // mkStarr "bazarr.shobu.fr" "6767" // mkStarr "lidarr.shobu.fr" "8686" // mkStarr "whisparr.shobu.fr" "6969" - // mkStarr "jellyseerr.shobu.fr" "5055" - // mkStarr "transmission.shobu.fr" "9091" - // mkStarr "zimablade-admin.shobu.fr" "61208" + // mkVHost "jellyseerr.shobu.fr" "5055" + // mkVHost "transmission.shobu.fr" "9091" + // mkVHost "zimablade-admin.shobu.fr" "61208" + // (withWebsockets (withAuthelia (mkVHost "trilium.shobu.fr" "12783") "/") "/") // { - "radarr.shobu.fr" = { - enableACME = true; - forceSSL = true; - - extraConfig = '' - include ${authelia-snippets.authelia-location}; - error_log /var/log/nginx/debug_radarr.log debug; - ''; - - locations."/" = { - proxyPass = "http://${sin-address}:7878"; - proxyWebsockets = true; - extraConfig = '' - include ${authelia-snippets.proxy}; - include ${authelia-snippets.authelia-authrequest}; - - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - # From https://gist.github.com/R0GGER/916183fca41f02df1471a6f455e5869f - # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) - add_header Strict-Transport-Security "max-age=63072000; preload" always; - add_header Referrer-Policy strict-origin-when-cross-origin; - add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Frame-Options SAMEORIGIN; - add_header Content-Security-Policy upgrade-insecure-requests; - add_header Permissions-Policy interest-cohort=(); - add_header Expect-CT 'enforce; max-age=604800'; - more_set_headers 'Server: Proxy'; - more_clear_headers 'X-Powered-By'; - - proxy_ssl_server_name on; - ''; - }; - - locations."/api" = { - proxyPass = "http://${sin-address}:7878"; - proxyWebsockets = true; - extraConfig = '' - proxy_ssl_server_name on; - ''; - }; - - }; "shobu.fr" = { enableACME = true; forceSSL = true;