trilium & authelia setup

2026-01-29 09:45:10 +01:00
parent d7c765b80e
commit b5aa64e74a
8 changed files with 120 additions and 78 deletions
--- a/hosts/thea/nginx.nix
+++ b/hosts/thea/nginx.nix
@@ -1,4 +1,9 @@
-{ inputs, pkgs, ... }:
+{
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
 let
  # striped-front = inputs.striped-front;

@@ -18,81 +23,93 @@ in
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

+    typesHashMaxSize = 512;
+    mapHashMaxSize = 512;
+
    virtualHosts =
      let
-        mkStarr = host: port: {
+        mkVHost = host: port: {
          "${host}" = {
            enableACME = true;
            forceSSL = true;

            locations."/" = {
              proxyPass = "http://${sin-address}:${port}";
+            };
+          };
+        };
+        mkStarr = host: port: {
+          "${host}" = {
+            enableACME = true;
+            forceSSL = true;
+
+            extraConfig = ''
+              include ${authelia-snippets.authelia-location};
+            '';
+
+            locations."/api" = {
+              proxyPass = "http://${sin-address}:${port}";
              proxyWebsockets = true;
              extraConfig = ''
                proxy_ssl_server_name on;
+              '';
+            };
+            locations."/" = {
+              proxyPass = "http://${sin-address}:${port}";
+              proxyWebsockets = true;
+              extraConfig = ''
+                include ${authelia-snippets.proxy};
+                include ${authelia-snippets.authelia-authrequest};
+
+                proxy_ssl_server_name on;
                proxy_read_timeout 4800s;
              '';
            };
          };
        };
+        withAuthelia =
+          vhost: location:
+          (builtins.mapAttrs (
+            name: value:
+            (lib.recursiveUpdate value {
+              extraConfig = (if value ? extraConfig then value.extraConfig else "") + ''
+                include ${authelia-snippets.authelia-location};
+              '';
+              locations."${location}".extraConfig =
+                (
+                  if value.locations."${location}" ? extraConfig then
+                    value.locations."${location}".extraConfig
+                  else
+                    ""
+                )
+                + ''
+                  include ${authelia-snippets.proxy};
+                  include ${authelia-snippets.authelia-authrequest};
+                '';
+            })
+          ) vhost);
+        withWebsockets =
+          vhost: location:
+          (builtins.mapAttrs (
+            name: value:
+            (lib.recursiveUpdate value {
+              locations."${location}".proxyWebsockets = true;
+            })
+          ) vhost);
      in
      (
-        mkStarr "jellyfin.shobu.fr" "8096"
-        # // mkStarr "radarr.shobu.fr" "7878"
+        (withWebsockets (mkVHost "jellyfin.shobu.fr" "8096") "/")
+        // mkStarr "radarr.shobu.fr" "7878"
        // mkStarr "sonarr.shobu.fr" "8989"
        // mkStarr "prowlarr.shobu.fr" "9696"
        // mkStarr "bazarr.shobu.fr" "6767"
        // mkStarr "lidarr.shobu.fr" "8686"
        // mkStarr "whisparr.shobu.fr" "6969"
-        // mkStarr "jellyseerr.shobu.fr" "5055"
-        // mkStarr "transmission.shobu.fr" "9091"
-        // mkStarr "zimablade-admin.shobu.fr" "61208"
+        // mkVHost "jellyseerr.shobu.fr" "5055"
+        // mkVHost "transmission.shobu.fr" "9091"
+        // mkVHost "zimablade-admin.shobu.fr" "61208"
+        // (withWebsockets (withAuthelia (mkVHost "trilium.shobu.fr" "12783") "/") "/")
        // {
-          "radarr.shobu.fr" = {
-            enableACME = true;
-            forceSSL = true;
-
-            extraConfig = ''
-              include ${authelia-snippets.authelia-location};
-              error_log /var/log/nginx/debug_radarr.log debug;
-            '';
-
-            locations."/" = {
-              proxyPass = "http://${sin-address}:7878";
-              proxyWebsockets = true;
-              extraConfig = ''
-                include ${authelia-snippets.proxy};
-                include ${authelia-snippets.authelia-authrequest};
-
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection "upgrade";
-
-                # From https://gist.github.com/R0GGER/916183fca41f02df1471a6f455e5869f
-                # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
-                add_header Strict-Transport-Security "max-age=63072000; preload" always;
-                add_header Referrer-Policy strict-origin-when-cross-origin; 
-                add_header X-Content-Type-Options nosniff;
-                add_header X-XSS-Protection "1; mode=block";
-                add_header X-Frame-Options SAMEORIGIN;
-                add_header Content-Security-Policy upgrade-insecure-requests;
-                add_header Permissions-Policy interest-cohort=();
-                add_header Expect-CT 'enforce; max-age=604800';
-                more_set_headers 'Server: Proxy';
-                more_clear_headers 'X-Powered-By';
-
-                proxy_ssl_server_name on;
-              '';
-            };
-
-            locations."/api" = {
-              proxyPass = "http://${sin-address}:7878";
-              proxyWebsockets = true;
-              extraConfig = ''
-                proxy_ssl_server_name on;
-              '';
-            };
-
-          };
          "shobu.fr" = {
            enableACME = true;
            forceSSL = true;