From 6ddb56f7227cd4d234902b424a48771796296613 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Sun, 13 Oct 2024 18:12:54 +0200
Subject: [PATCH 1/5] Migrate Nginx from microvm to proxmox LXC container

---
 flake.nix | 9 +--------
 services/minimalConfig/default.nix | 10 ++++++++--
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/flake.nix b/flake.nix
index 1d00d1c..62f9139 100644
--- a/flake.nix
+++ b/flake.nix
@@ -113,19 +113,12 @@
       nginx = nixpkgs.lib.nixosSystem {
         inherit system;
         modules = [
-          microvm.nixosModules.microvm
-          "${inputs.self}/systems"
           "${inputs.self}/services"
           {
+            networking.hostName = "nixos-nginx";
             services.vm_nginx = {
               enable = true;
             };
-            services.vm = {
-              enable = true;
-              hostname = "nginx";
-              vm_ip = proxy_host;
-              macAddr = "02:00:00:00:00:40";
-            };
           }
         ];
       };
diff --git a/services/minimalConfig/default.nix b/services/minimalConfig/default.nix
index cb2fa79..6757520 100644
--- a/services/minimalConfig/default.nix
+++ b/services/minimalConfig/default.nix
@@ -1,12 +1,18 @@
-{ config, pkgs, lib, inputs, ... }:
+{ config, pkgs, lib, inputs, modulesPath, ... }:
 {
   nix = {
     settings.experimental-features = [ "nix-command" "flakes" ];
     settings.trusted-users = [ "root" "@wheel" ];
   };
+  imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
+
+  systemd.suppressedSystemUnits = [
+    "dev-mqueue.mount"
+    "sys-kernel-debug.mount"
+    "sys-fs-fuse-connections.mount"
+  ];
   networking = {
-    hostName = "${config.services.vm.hostname}";
     firewall = {
       enable = true;
       allowedTCPPorts = [ 22 9002 ];
From fcd44586c1b633dffc99bce42091e0937f60d0c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Tue, 15 Oct 2024 15:44:21 +0200
Subject: [PATCH 2/5] Migrate redis to LXC

---
 flake.nix | 14 +------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/flake.nix b/flake.nix
index 62f9139..a3579a4 100644
--- a/flake.nix
+++ b/flake.nix
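Review bot: Dropping `microvm.nixosModules.microvm` and the `services.vm` block turns the nginx output into a plain LXC system, but the host's `microvm.autostart` list and its per-VM `nginx = { flake = self; … }` entry are not touched in this patch, and the second patch of the series still shows `"nginx"` in `autostart` after it removes `"redis"`. The host will therefore keep trying to autostart a microVM whose flake output no longer carries the microvm module, so the same `- "nginx"` removal, plus the matching entry in the `microvm` set, belongs in this patch. The surrounding attribute set continues outside the hunk.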
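Review bot: `imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];` makes this shared minimal module LXC-specific for every host that pulls in the `services` tree, which, judging by the nginx module list in the flake hunk above, would include the hosts that remain microVMs. Moving this import together with the `systemd.suppressedSystemUnits` list into a separate module that only the migrated hosts import keeps the base module neutral. The migration also changes the isolation boundary of the TLS edge: nginx now shares the Proxmox host kernel instead of sitting in a microVM, which deserves a comment on the import, e.g. `# Runs as a Proxmox LXC container: shares the host kernel, keep the container unprivileged`. The `firewall` block continues outside the hunk.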
@@ -39,7 +39,6 @@
       microvm = {
         autostart = [
           "nginx"
-          "redis"
           "grafana"
           "authentik"
         ];
@@ -48,10 +47,6 @@
           flake = self;
           updateFlake = "git+file:///etc/nixos";
         };
-        redis = {
-          flake = self;
-          updateFlake = "git+file:///etc/nixos";
-        };
         grafana = {
           flake = self;
           updateFlake = "git+file:///etc/nixos";
@@ -146,19 +141,12 @@
       redis = nixpkgs.lib.nixosSystem {
         inherit system;
         modules = [
-          microvm.nixosModules.microvm
-          "${inputs.self}/systems"
           "${inputs.self}/services"
           {
+            networking.hostName = "redis";
             services.vm_redis = {
               enable = true;
             };
-            services.vm = {
-              enable = true;
-              hostname = "redis";
-              vm_ip = "192.168.1.16";
-              macAddr = "02:00:00:00:00:16";
-            };
           }
         ];
       };
From 5455da310d9040707298941e68075e1c4f28ff7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Tue, 15 Oct 2024 15:46:57 +0200
Subject: [PATCH 3/5] Change nginx hostname

---
 flake.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index a3579a4..104f0c4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -110,7 +110,7 @@
         modules = [
           "${inputs.self}/services"
           {
-            networking.hostName = "nixos-nginx";
+            networking.hostName = "nginx";
             services.vm_nginx = {
               enable = true;
             };
From a420f97a2a9a8c391f581668ea57a732f0b119ad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Wed, 16 Oct 2024 11:19:20 +0200
Subject: [PATCH 4/5] Change authentik IP in nginx vshosts

---
 services/nginx/default.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/services/nginx/default.nix b/services/nginx/default.nix
index 40621db..498c894 100644
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
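Review bot: Removing `vm_ip = "192.168.1.16";` deletes the only declaration of the redis address in the flake, so any module that reaches redis by that literal (none are visible in this hunk) now relies on Proxmox assigning the container the same address. A comment next to the new `networking.hostName = "redis";`, e.g. `# address comes from the Proxmox LXC network config, not from this flake`, records that dependency for the next migration. Whether anything actually references that address cannot be told from here. The surrounding attribute set continues outside the hunk.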
@@ -55,16 +55,16 @@ in
         https "max-age=31536000; includeSubdomains; preload";
       }
       add_header Strict-Transport-Security $hsts_header;
-
+
       # Enable CSP for your services.
       #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
-
+
       # Minimize information leaked to other domains
       add_header 'Referrer-Policy' 'origin-when-cross-origin';
-
+
       # Disable embedding as a frame
       add_header X-Frame-Options DENY;
-
+
       # Prevent injection of code in other mime types (XSS Attacks)
       add_header X-Content-Type-Options nosniff;
       client_body_buffer_size 400M;
@@ -121,7 +121,7 @@ in
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://192.168.1.25:9000";
+        proxyPass = "http://192.168.1.125:9000";
         recommendedProxySettings = true;
         proxyWebsockets = true;
       };
From cf429a80412c03a6809d1956253899744bdeb050 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9o=20Barnouin?=
Date: Wed, 16 Oct 2024 12:13:08 +0200
Subject: [PATCH 5/5] Allow x-frame on same origin in order for jellyfin SSO to work

---
 services/nginx/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/nginx/default.nix b/services/nginx/default.nix
index 498c894..d6b3bc6 100644
--- a/services/nginx/default.nix
+++ b/services/nginx/default.nix
@@ -63,7 +63,7 @@ in
       add_header 'Referrer-Policy' 'origin-when-cross-origin';
 
       # Disable embedding as a frame
-      add_header X-Frame-Options DENY;
+      add_header X-Frame-Options SAMEORIGIN;
 
       # Prevent injection of code in other mime types (XSS Attacks)
       add_header X-Content-Type-Options nosniff;
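Review bot: The authentik upstream is a bare literal, `proxyPass = "http://192.168.1.125:9000";`, edited by hand on each move; the file already has a `let … in` (visible in the hunk header), so `authentik_host = "192.168.1.125";` there and `proxyPass = "http://${authentik_host}:9000";` here keep the address in one place. The backend is plain HTTP behind a `forceSSL` vhost with `recommendedProxySettings`, which forwards the client address in `X-Forwarded-*` headers; authentik should be configured to trust those headers only from this proxy, and a comment saying so next to the line would help whoever changes the IP next. The vhost's `locations` set continues outside the hunk.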
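Review bot: `add_header X-Frame-Options SAMEORIGIN;` appears to live in the shared http-level config, the same block that sets HSTS and `nosniff`, so the relaxation applies to every vhost behind this proxy rather than only the Jellyfin one the subject names. Keeping `DENY` here and overriding it in the Jellyfin vhost, or using `frame-ancestors 'self'` in the Content-Security-Policy line that the previous patch's hunk shows still commented out, limits the change to the host that needs it. Worth noting in a comment on this block that an `add_header` in any server or location block replaces every inherited `add_header`, e.g. `# nginx: any add_header in a vhost drops these headers there; repeat them in that vhost`. The surrounding config string continues outside the hunk.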