From fc4096d5d9420e34a9985ef7a263e1f9253cd0bb Mon Sep 17 00:00:00 2001
From: mjallen18
Date: Tue, 9 Sep 2025 21:03:08 -0500
Subject: [PATCH] proxy testing
---
 modules/nixos/services/actual/default.nix | 197 +++++++++------------
 modules/nixos/services/traefik/default.nix | 30 ++--
 2 files changed, 99 insertions(+), 128 deletions(-)
diff --git a/modules/nixos/services/actual/default.nix b/modules/nixos/services/actual/default.nix
index 39ac775..325eae0 100644
--- a/modules/nixos/services/actual/default.nix
+++ b/modules/nixos/services/actual/default.nix
@@ -13,6 +13,80 @@ let actualUserId = config.users.users.nix-apps.uid; actualGroupId = config.users.groups.jallen-nas.gid; + actualConfig = + { lib, ... }: + { + services.actual = { + enable = true; + openFirewall = true; + settings = { + trustedProxies = [ hostAddress ]; + port = cfg.port; + dataDir = dataDir; + serverFiles = "${dataDir}/server-files"; + userFiles = "${dataDir}/user-files"; + }; + }; + + users.users.actual = { + isSystemUser = true; + uid = lib.mkForce actualUserId; + group = "actual"; + }; + + users.groups = { + actual = { + gid = lib.mkForce actualGroupId; + }; + }; + + # System packages + environment.systemPackages = with pkgs; [ + sqlite + ]; + + # Create and set permissions for required directories + system.activationScripts.actual-dirs = '' + mkdir -p ${dataDir} + chown -R actual:actual ${dataDir} + chmod -R 0700 ${dataDir} + ''; + + systemd.services = { + actual = { + environment.ACTUAL_CONFIG_PATH = lib.mkForce "${dataDir}/config.json"; + serviceConfig = { + ExecStart = lib.mkForce "${lib.getExe pkgs.actual-server} --config ${dataDir}/config.json"; + WorkingDirectory = lib.mkForce dataDir; + StateDirectory = lib.mkForce dataDir; + StateDirectoryMode = lib.mkForce 700; + DynamicUser = lib.mkForce false; + ProtectSystem = lib.mkForce null; + }; + }; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ cfg.port ]; + }; + # Use systemd-resolved inside the container + # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686 + useHostResolvConf = lib.mkForce false; + }; + + services.resolved.enable = true; + system.stateVersion = "23.11"; + }; + + bindMounts = { + ${dataDir} = { + hostPath = cfg.dataDir; + isReadOnly = false; + }; + }; + # Create reverse proxy configuration using mkReverseProxy reverseProxyConfig = lib.${namespace}.mkReverseProxy { name = "actual"; 
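Review bot: `ProtectSystem = lib.mkForce null;` in `systemd.services.actual.serviceConfig` drops the read-only root filesystem the upstream unit ships with, on top of `DynamicUser = false`, and nothing in the hunk records why; if the only need is write access to `${dataDir}`, `ProtectSystem = lib.mkForce "strict"; ReadWritePaths = [ dataDir ];` keeps the hardening and grants exactly that path. `StateDirectory = lib.mkForce dataDir;` also looks suspect: systemd only accepts `StateDirectory=` values relative to `/var/lib`, and the `${dataDir}` bindMounts key further down suggests an absolute path, which systemd rejects (logged and ignored, as far as I recall) — confirm against `dataDir`'s definition above the hunk. The activation script's `chown -R` / `chmod -R 0700` re-walks the whole bind-mounted data set as root on every activation; with a fixed uid already forced via `actualUserId`, `install -d -m 0700 -o actual -g actual ${dataDir}` (or a tmpfiles rule) gives the same ownership without rewriting the mode of every user file each time. The enclosing `let` begins before the hunk.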
@@ -20,124 +94,21 @@ let url = "http://${cfg.localAddress}:${toString cfg.port}"; middlewares = cfg.reverseProxy.middlewares; }; + + actualContainer = (lib.${namespace}.mkContainer { + name = "actual"; + localAddress = cfg.localAddress; + port = cfg.port; + bindMounts = bindMounts; + config = actualConfig; + }) { inherit lib; }; in { imports = [ ./options.nix ]; - + config = mkIf cfg.enable { - containers.actual = { - autoStart = true; - privateNetwork = true; - hostAddress = hostAddress; - localAddress = cfg.localAddress; - - bindMounts = { - ${dataDir} = { - hostPath = cfg.dataDir; - isReadOnly = false; - }; - }; - - config = - { lib, ... }: - { - services.actual = { - enable = true; - openFirewall = true; - settings = { - trustedProxies = [ hostAddress ]; - port = cfg.port; - dataDir = dataDir; - serverFiles = "${dataDir}/server-files"; - userFiles = "${dataDir}/user-files"; - }; - }; - - users.users.actual = { - isSystemUser = true; - uid = lib.mkForce actualUserId; - group = "actual"; - }; - - users.groups = { - actual = { - gid = lib.mkForce actualGroupId; - }; - }; - - # System packages - environment.systemPackages = with pkgs; [ - sqlite - ]; - - # Create and set permissions for required directories - system.activationScripts.actual-dirs = '' - mkdir -p ${dataDir} - chown -R actual:actual ${dataDir} - chmod -R 0700 ${dataDir} - ''; - - systemd.services = { - actual = { - environment.ACTUAL_CONFIG_PATH = lib.mkForce "${dataDir}/config.json"; - serviceConfig = { - ExecStart = lib.mkForce "${lib.getExe pkgs.actual-server} --config ${dataDir}/config.json"; - WorkingDirectory = lib.mkForce dataDir; - StateDirectory = lib.mkForce dataDir; - StateDirectoryMode = lib.mkForce 700; - DynamicUser = lib.mkForce false; - ProtectSystem = lib.mkForce null; - }; - }; - }; - - networking = { - firewall = { - enable = true; - allowedTCPPorts = [ cfg.port ]; - }; - # Use systemd-resolved inside the container - # Workaround for bug 
https://github.com/NixOS/nixpkgs/issues/162686 - useHostResolvConf = lib.mkForce false; - }; - - services.resolved.enable = true; - system.stateVersion = "23.11"; - }; - }; - - # services.traefik.dynamicConfigOptions = lib.mkIf cfg.reverseProxy.enable { - # services.actual.loadBalancer.servers = [ - # { - # url = "http://${cfg.localAddress}:${toString cfg.port}"; - # } - # ]; - # routers.actual = { - # entryPoints = [ "websecure" ]; - # rule = "Host(`${cfg.reverseProxy.host}`)"; - # service = "actual"; - # middlewares = cfg.reverseProxy.middlewares; - # tls.certResolver = "letsencrypt"; - # }; - # }; - ${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable { reverseProxies = [ reverseProxyConfig ]; }; - - networking = { - nat = { - forwardPorts = [ - { - destination = "${cfg.localAddress}:${toString cfg.port}"; - sourcePort = cfg.port; - } - ]; - }; - firewall = { - allowedTCPPorts = [ cfg.port ]; - allowedUDPPorts = [ cfg.port ]; - }; - }; - }; + } // actualContainer; } diff --git a/modules/nixos/services/traefik/default.nix b/modules/nixos/services/traefik/default.nix index a73c80f..08570d7 100755 --- a/modules/nixos/services/traefik/default.nix +++ b/modules/nixos/services/traefik/default.nix @@ -295,11 +295,11 @@ in } ]; - actual.loadBalancer.servers = [ - { - url = actualUrl; - } - ]; + # actual.loadBalancer.servers = [ + # { + # url = actualUrl; + # } + # ]; authentik.loadBalancer.servers = [ { url = authentikUrl; 
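Review bot: `config = mkIf cfg.enable { … } // actualContainer;` at the end of the hunk does not merge the container into the conditional config: function application binds tighter than `//`, so the `//` is applied to the attrset `mkIf` returns (`{ _type = "if"; condition; content; }`), and the module system reads only `condition` and `content` from a `_type = "if"` value, so whatever `mkContainer` returns (presumably `containers.actual` plus replacements for the host `networking.nat`/firewall rules this hunk removes) is spliced in beside those keys and silently dropped. Move the merge inside the conditional: `config = mkIf cfg.enable (lib.mkMerge [ { ${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable { reverseProxies = [ reverseProxyConfig ]; }; } actualContainer ]);`. `mkMerge` is preferable to `//` or `recursiveUpdate` here because it lets the module system merge any `mkIf`/`mkForce` values `mkContainer` may emit instead of overwriting them. The `let` block and the module attrset both begin before the hunk.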
@@ -375,16 +375,16 @@ in tls.certResolver = "letsencrypt"; }; - actual = { - entryPoints = [ "websecure" ]; - rule = "Host(`actual.${domain}`)"; - service = "actual"; - middlewares = [ - "crowdsec" - "whitelist-geoblock" - ]; - tls.certResolver = "letsencrypt"; - }; + # actual = { + # entryPoints = [ "websecure" ]; + # rule = "Host(`actual.${domain}`)"; + # service = "actual"; + # middlewares = [ + # "crowdsec" + # "whitelist-geoblock" + # ]; + # tls.certResolver = "letsencrypt"; + # }; authentik = { entryPoints = [ "websecure" ]; rule = "Host(`authentik.${domain}`)";