From ef87fc5906e58241fe49fe3e23c2c5eeb609c7a4 Mon Sep 17 00:00:00 2001
From: padreug
Date: Wed, 8 Oct 2025 17:19:39 +0200
Subject: [PATCH] Add Nginx and pict-rs configurations for enhanced web service management

Introduced separate configuration files for Nginx and pict-rs, enabling a streamlined setup for web services. The Nginx configuration includes reverse proxy settings, automatic SSL certificate generation with Let's Encrypt, and fail2ban for security. The pict-rs configuration facilitates image service management with CORS support. Updated the shared configuration to import these new files, improving modularity and maintainability of the NixOS setup.
---
 config/nginx.nix | 34 ++++++++++++++++++++++++++++
 config/pict-rs.nix | 53 +++++++++++++++++++++++++++++++++++++++++++
 config/shared.nix | 56 ++++++++++++----------------------------------
 3 files changed, 101 insertions(+), 42 deletions(-)
 create mode 100644 config/nginx.nix
 create mode 100644 config/pict-rs.nix
diff --git a/config/nginx.nix b/config/nginx.nix
new file mode 100644
index 0000000..e953890
--- /dev/null
+++ b/config/nginx.nix
@@ -0,0 +1,34 @@
+{
+ # Enable nginx
+ services.nginx = {
+ enable = true;
+
+ # Recommended settings for reverse proxy (DISABLED recommendedProxySettings for WebSocket compatibility)
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = false; # DISABLED - was interfering with WebSocket
+ recommendedTlsSettings = true;
+ };
+
+ # Enable automatic SSL certificate generation with Let's Encrypt
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@aiolabs.dev";
+ };
+
+ # Open firewall ports
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+ # Optional: Enable fail2ban for additional security
+ services.fail2ban = {
+ enable = true;
+ jails = {
+ nginx-http-auth.settings = {
+ enabled = true;
+ filter = "nginx-http-auth";
+ logpath = "/var/log/nginx/error.log";
+ backend = "systemd";
+ };
+ };
+ };
+}
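Review bot: The only fail2ban jail enabled here, `nginx-http-auth`, matches failed HTTP basic-auth attempts, and none of the virtual hosts in this change use basic auth, so as written the jail has nothing to match; unless a vhost outside this patch sets `basicAuth`, it is dead configuration that gives a false sense of protection. The jail also pairs `logpath = "/var/log/nginx/error.log"` with `backend = "systemd"`, and the systemd backend reads the journal rather than that file; since NixOS sends nginx's error log to the journal by default, the file path is at best misleading and a comment such as `# backend = systemd: logpath is ignored, nginx errors are read from the journal` would spare the next reader the same question. Given the host also exposes SSH (shared.nix), it is worth confirming the sshd jail is the one that is actually active, and either dropping this jail or documenting which endpoint it is meant to protect.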
diff --git a/config/pict-rs.nix b/config/pict-rs.nix
new file mode 100644
index 0000000..e55cd3d
--- /dev/null
+++ b/config/pict-rs.nix
@@ -0,0 +1,53 @@
+# pict-rs configuration for NixOS
+# Import this file into your configuration.nix to run pict-rs on 0.0.0.0:6033
+
+{ domain, ... }:
+
+{
+ services.pict-rs = {
+ enable = true;
+ port = 6033;
+ };
+
+ # nginx reverse proxy configuration with CORS support
+ services.nginx.virtualHosts."img.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:6033";
+ proxyWebsockets = true;
+ extraConfig = ''
+ client_max_body_size 50M;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_connect_timeout 30s;
+ proxy_send_timeout 30s;
+ proxy_read_timeout 30s;
+
+ # CORS headers for web app integration
+ add_header Access-Control-Allow-Origin "*" always;
+ add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS" always;
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With" always;
+ add_header Access-Control-Max-Age 86400 always;
+
+ # Handle preflight OPTIONS requests
+ if ($request_method = 'OPTIONS') {
+ add_header Access-Control-Allow-Origin "*";
+ add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS";
+ add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With";
+ add_header Access-Control-Max-Age 86400;
+ add_header Content-Length 0;
+ add_header Content-Type text/plain;
+ return 204;
+ }
+ '';
+ };
+ };
+}
+
+
+# use # Upload a PNG file
+# curl -X POST -F "images=@myimage.png" https://img.test.mydomain.com/image
+
diff --git a/config/shared.nix b/config/shared.nix
index c9a426d..159df12 100644
--- a/config/shared.nix
+++ b/config/shared.nix
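Review bot: The header comment says this runs pict-rs on `0.0.0.0:6033`, but nothing in the hunk sets `services.pict-rs.address` while `proxyPass` targets `127.0.0.1:6033`; if the module default is loopback the comment is wrong, and if the service really binds all interfaces then only the firewall rule in nginx.nix (80/443) keeps a plain-HTTP port 6033 that bypasses the TLS and CORS policy set up here off the network. Pin it explicitly with `address = "127.0.0.1";` next to `port = 6033;` and correct the comment to match. Separately, `Access-Control-Allow-Origin "*"` combined with `Authorization` in Allow-Headers and `DELETE` in Allow-Methods lets any web origin drive the upload and delete endpoints from a visitor's browser; if the only consumer is the `app.${domain}` vhost from shared.nix, echoing that single origin instead of `*` is the tighter setting and costs nothing. The repeated `add_header` lines inside the `if` block are needed, since nginx does not inherit `add_header` into a block that declares its own, so that part is correct as written.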
@@ -1,6 +1,11 @@
 { config, pkgs, domain, ... }:
 {
+ imports = [
+ ./nginx.nix
+ ./pict-rs.nix
+ ];
+
 # Set hostname (passed as parameter)
 networking.hostName = domain;
@@ -14,18 +19,12 @@
 # Enable SSH
 services.openssh.enable = true;
- # Enable and configure nginx
- services.nginx = {
- enable = true;
-
- # Recommended settings
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = false; # DISABLED - was interfering with WebSocket
- recommendedTlsSettings = true;
-
+ # Configure domain-specific virtual hosts
+ services.nginx.virtualHosts = {
 # Web-app service
- virtualHosts."app.${domain}" = {
+ "app.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
 root = "/var/src/web-app-dist";
 locations."/" = {
 index = "index.html";
@@ -33,42 +32,15 @@
 };
 };
- # LNbits service (example - adjust as needed)
- virtualHosts."lnbits.${domain}" = {
+ # LNbits service (adjust port as needed)
+ "lnbits.${domain}" = {
+ forceSSL = true;
+ enableACME = true;
 locations."/" = {
 proxyPass = "http://localhost:5000";
 proxyWebsockets = true;
 };
 };
-
- # Image service (example - adjust as needed)
- virtualHosts."img.${domain}" = {
- locations."/" = {
- proxyPass = "http://localhost:8080";
- };
- };
- };
-
- # Enable automatic SSL certificate generation with Let's Encrypt
- security.acme = {
- acceptTerms = true;
- defaults.email = "admin@aiolabs.dev";
- };
-
- # Open firewall for HTTP/HTTPS
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- # Enable fail2ban for additional security
- services.fail2ban = {
- enable = true;
- jails = {
- nginx-http-auth.settings = {
- enabled = true;
- filter = "nginx-http-auth";
- logpath = "/var/log/nginx/error.log";
- backend = "systemd";
- };
- };
 };
 # NixOS release version
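Review bot: The `lnbits.${domain}` location in the third hunk proxies to `localhost:5000` with no `proxy_set_header` lines, and because `recommendedProxySettings = false` is set globally (the removed lines of the second hunk, and nginx.nix) nginx will forward neither the client address nor the scheme; pict-rs.nix sets `Host`, `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` by hand for exactly this reason, so the two vhosts are inconsistent. The visible effect is that LNbits sees every request as coming from the proxy, so any per-client logging or throttling on its side collapses to one address, and without `X-Forwarded-Proto` it may build `http://` URLs behind a `forceSSL` host (the latter inferred, worth checking). Adding the same four headers in an `extraConfig` on this location, as sketched below, brings it in line with pict-rs.nix; the `app.${domain}` vhost serves static files and does not need them.
```nix
 locations."/" = {
 # … unchanged: proxyPass, proxyWebsockets …
 # recommendedProxySettings is off globally (nginx.nix), so forward the
 # client address and scheme by hand, as pict-rs.nix already does.
 extraConfig = ''
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 '';
 };
```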