Add Nginx and pict-rs configurations for enhanced web service management

Introduced separate configuration files for Nginx and pict-rs, enabling a streamlined setup for web services. The Nginx configuration includes reverse proxy settings, automatic SSL certificate generation with Let's Encrypt, and fail2ban for security. The pict-rs configuration facilitates image service management with CORS support. Updated the shared configuration to import these new files, improving modularity and maintainability of the NixOS setup.
2025-10-08 17:19:39 +02:00 · 2025-10-08 17:19:39 +02:00 · ef87fc5906
commit ef87fc5906
parent 667912e732
3 changed files with 101 additions and 42 deletions
--- a/config/nginx.nix
+++ b/config/nginx.nix
@ -0,0 +1,34 @@
+{
+  # Enable nginx
+  services.nginx = {
+    enable = true;
+
+    # Recommended settings for reverse proxy (DISABLED recommendedProxySettings for WebSocket compatibility)
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = false;  # DISABLED - was interfering with WebSocket
+    recommendedTlsSettings = true;
+  };
+
+  # Enable automatic SSL certificate generation with Let's Encrypt
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@aiolabs.dev";
+  };
+
+  # Open firewall ports
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  # Optional: Enable fail2ban for additional security
+  services.fail2ban = {
+    enable = true;
+    jails = {
+      nginx-http-auth.settings = {
+        enabled = true;
+        filter = "nginx-http-auth";
+        logpath = "/var/log/nginx/error.log";
+        backend = "systemd";
+      };
+    };
+  };
+}
--- a/config/pict-rs.nix
+++ b/config/pict-rs.nix
@ -0,0 +1,53 @@
+# pict-rs configuration for NixOS
+# Import this file into your configuration.nix to run pict-rs on 0.0.0.0:6033
+
+{ domain, ... }:
+
+{
+  services.pict-rs = {
+    enable = true;
+    port = 6033;
+  };
+
+  # nginx reverse proxy configuration with CORS support
+  services.nginx.virtualHosts."img.${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:6033";
+      proxyWebsockets = true;
+      extraConfig = ''
+        client_max_body_size 50M;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_connect_timeout 30s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
+
+        # CORS headers for web app integration
+        add_header Access-Control-Allow-Origin "*" always;
+        add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS" always;
+        add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With" always;
+        add_header Access-Control-Max-Age 86400 always;
+
+        # Handle preflight OPTIONS requests
+        if ($request_method = 'OPTIONS') {
+          add_header Access-Control-Allow-Origin "*";
+          add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS";
+          add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With";
+          add_header Access-Control-Max-Age 86400;
+          add_header Content-Length 0;
+          add_header Content-Type text/plain;
+          return 204;
+        }
+      '';
+    };
+  };
+}
+
+
+# use # Upload a PNG file 
+# curl -X POST -F "images=@myimage.png" https://img.test.mydomain.com/image
+
--- a/config/shared.nix
+++ b/config/shared.nix
@ -1,6 +1,11 @@
 { config, pkgs, domain, ... }:

 {
+  imports = [
+    ./nginx.nix
+    ./pict-rs.nix
+  ];
+
  # Set hostname (passed as parameter)
  networking.hostName = domain;

@ -14,18 +19,12 @@
  # Enable SSH
  services.openssh.enable = true;

-  # Enable and configure nginx
-  services.nginx = {
-    enable = true;
-
-    # Recommended settings
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = false;  # DISABLED - was interfering with WebSocket
-    recommendedTlsSettings = true;
-
+  # Configure domain-specific virtual hosts
+  services.nginx.virtualHosts = {
    # Web-app service
-    virtualHosts."app.${domain}" = {
+    "app.${domain}" = {
+      forceSSL = true;
+      enableACME = true;
      root = "/var/src/web-app-dist";
      locations."/" = {
        index = "index.html";
@ -33,42 +32,15 @@
      };
    };

-    # LNbits service (example - adjust as needed)
-    virtualHosts."lnbits.${domain}" = {
+    # LNbits service (adjust port as needed)
+    "lnbits.${domain}" = {
+      forceSSL = true;
+      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:5000";
        proxyWebsockets = true;
      };
    };
-
-    # Image service (example - adjust as needed)
-    virtualHosts."img.${domain}" = {
-      locations."/" = {
-        proxyPass = "http://localhost:8080";
-      };
-    };
-  };
-
-  # Enable automatic SSL certificate generation with Let's Encrypt
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "admin@aiolabs.dev";
-  };
-
-  # Open firewall for HTTP/HTTPS
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  # Enable fail2ban for additional security
-  services.fail2ban = {
-    enable = true;
-    jails = {
-      nginx-http-auth.settings = {
-        enabled = true;
-        filter = "nginx-http-auth";
-        logpath = "/var/log/nginx/error.log";
-        backend = "systemd";
-      };
-    };
  };

  # NixOS release version