proxy testing

2025-09-09 21:03:08 -05:00
parent f58006cf8a
commit fc4096d5d9
2 changed files with 99 additions and 128 deletions
--- a/modules/nixos/services/actual/default.nix
+++ b/modules/nixos/services/actual/default.nix
@@ -13,6 +13,80 @@ let
  actualUserId = config.users.users.nix-apps.uid;
  actualGroupId = config.users.groups.jallen-nas.gid;
  
+  actualConfig =
+    { lib, ... }:
+    {
+      services.actual = {
+        enable = true;
+        openFirewall = true;
+        settings = {
+          trustedProxies = [ hostAddress ];
+          port = cfg.port;
+          dataDir = dataDir;
+          serverFiles = "${dataDir}/server-files";
+          userFiles = "${dataDir}/user-files";
+        };
+      };
+
+      users.users.actual = {
+        isSystemUser = true;
+        uid = lib.mkForce actualUserId;
+        group = "actual";
+      };
+
+      users.groups = {
+        actual = {
+          gid = lib.mkForce actualGroupId;
+        };
+      };
+
+      # System packages
+      environment.systemPackages = with pkgs; [
+        sqlite
+      ];
+
+      # Create and set permissions for required directories
+      system.activationScripts.actual-dirs = ''
+        mkdir -p ${dataDir}
+        chown -R actual:actual ${dataDir}
+        chmod -R 0700 ${dataDir}
+      '';
+
+      systemd.services = {
+        actual = {
+          environment.ACTUAL_CONFIG_PATH = lib.mkForce "${dataDir}/config.json";
+          serviceConfig = {
+            ExecStart = lib.mkForce "${lib.getExe pkgs.actual-server} --config ${dataDir}/config.json";
+            WorkingDirectory = lib.mkForce dataDir;
+            StateDirectory = lib.mkForce dataDir;
+            StateDirectoryMode = lib.mkForce 700;
+            DynamicUser = lib.mkForce false;
+            ProtectSystem = lib.mkForce null;
+          };
+        };
+      };
+
+      networking = {
+        firewall = {
+          enable = true;
+          allowedTCPPorts = [ cfg.port ];
+        };
+        # Use systemd-resolved inside the container
+        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+        useHostResolvConf = lib.mkForce false;
+      };
+
+      services.resolved.enable = true;
+      system.stateVersion = "23.11";
+    };
+
+    bindMounts = {
+      ${dataDir} = {
+        hostPath = cfg.dataDir;
+        isReadOnly = false;
+      };
+    };
+
  # Create reverse proxy configuration using mkReverseProxy
  reverseProxyConfig = lib.${namespace}.mkReverseProxy {
    name = "actual";
@@ -20,124 +94,21 @@ let
    url = "http://${cfg.localAddress}:${toString cfg.port}";
    middlewares = cfg.reverseProxy.middlewares;
  };
+
+  actualContainer = (lib.${namespace}.mkContainer {
+    name = "actual";
+    localAddress = cfg.localAddress;
+    port = cfg.port;
+    bindMounts = bindMounts;
+    config = actualConfig;
+  }) { inherit lib; };
 in
 {
  imports = [ ./options.nix ];
  
  config = mkIf cfg.enable {
-    containers.actual = {
-      autoStart = true;
-      privateNetwork = true;
-      hostAddress = hostAddress;
-      localAddress = cfg.localAddress;
-
-      bindMounts = {
-        ${dataDir} = {
-          hostPath = cfg.dataDir;
-          isReadOnly = false;
-        };
-      };
-
-      config =
-        { lib, ... }:
-        {
-          services.actual = {
-            enable = true;
-            openFirewall = true;
-            settings = {
-              trustedProxies = [ hostAddress ];
-              port = cfg.port;
-              dataDir = dataDir;
-              serverFiles = "${dataDir}/server-files";
-              userFiles = "${dataDir}/user-files";
-            };
-          };
-
-          users.users.actual = {
-            isSystemUser = true;
-            uid = lib.mkForce actualUserId;
-            group = "actual";
-          };
-
-          users.groups = {
-            actual = {
-              gid = lib.mkForce actualGroupId;
-            };
-          };
-
-          # System packages
-          environment.systemPackages = with pkgs; [
-            sqlite
-          ];
-
-          # Create and set permissions for required directories
-          system.activationScripts.actual-dirs = ''
-            mkdir -p ${dataDir}
-            chown -R actual:actual ${dataDir}
-            chmod -R 0700 ${dataDir}
-          '';
-
-          systemd.services = {
-            actual = {
-              environment.ACTUAL_CONFIG_PATH = lib.mkForce "${dataDir}/config.json";
-              serviceConfig = {
-                ExecStart = lib.mkForce "${lib.getExe pkgs.actual-server} --config ${dataDir}/config.json";
-                WorkingDirectory = lib.mkForce dataDir;
-                StateDirectory = lib.mkForce dataDir;
-                StateDirectoryMode = lib.mkForce 700;
-                DynamicUser = lib.mkForce false;
-                ProtectSystem = lib.mkForce null;
-              };
-            };
-          };
-
-          networking = {
-            firewall = {
-              enable = true;
-              allowedTCPPorts = [ cfg.port ];
-            };
-            # Use systemd-resolved inside the container
-            # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-            useHostResolvConf = lib.mkForce false;
-          };
-
-          services.resolved.enable = true;
-          system.stateVersion = "23.11";
-        };
-    };
-
-    # services.traefik.dynamicConfigOptions = lib.mkIf cfg.reverseProxy.enable {
-    #   services.actual.loadBalancer.servers = [
-    #     {
-    #       url = "http://${cfg.localAddress}:${toString cfg.port}";
-    #     }
-    #   ];
-    #   routers.actual = {
-    #     entryPoints = [ "websecure" ];
-    #     rule = "Host(`${cfg.reverseProxy.host}`)";
-    #     service = "actual";
-    #     middlewares = cfg.reverseProxy.middlewares;
-    #     tls.certResolver = "letsencrypt";
-    #   };
-    # };
-
    ${namespace}.services.traefik = lib.mkIf cfg.reverseProxy.enable {
      reverseProxies = [ reverseProxyConfig ];
    };
-
-    networking = {
-      nat = {
-        forwardPorts = [
-          {
-            destination = "${cfg.localAddress}:${toString cfg.port}";
-            sourcePort = cfg.port;
-          }
-        ];
-      };
-      firewall = {
-        allowedTCPPorts = [ cfg.port ];
-        allowedUDPPorts = [ cfg.port ];
-      };
-    };
-  };
+  } // actualContainer;
 }
--- a/modules/nixos/services/traefik/default.nix
+++ b/modules/nixos/services/traefik/default.nix
@@ -295,11 +295,11 @@ in
              }
            ];

-            actual.loadBalancer.servers = [
-              {
-                url = actualUrl;
-              }
-            ];
+            # actual.loadBalancer.servers = [
+            #   {
+            #     url = actualUrl;
+            #   }
+            # ];
            authentik.loadBalancer.servers = [
              {
                url = authentikUrl;
@@ -375,16 +375,16 @@ in
              tls.certResolver = "letsencrypt";
            };

-            actual = {
-              entryPoints = [ "websecure" ];
-              rule = "Host(`actual.${domain}`)";
-              service = "actual";
-              middlewares = [
-                "crowdsec"
-                "whitelist-geoblock"
-              ];
-              tls.certResolver = "letsencrypt";
-            };
+            # actual = {
+            #   entryPoints = [ "websecure" ];
+            #   rule = "Host(`actual.${domain}`)";
+            #   service = "actual";
+            #   middlewares = [
+            #     "crowdsec"
+            #     "whitelist-geoblock"
+            #   ];
+            #   tls.certResolver = "letsencrypt";
+            # };
            authentik = {
              entryPoints = [ "websecure" ];
              rule = "Host(`authentik.${domain}`)";