nixos/services/nginx.nix

# services/nginx.nix — Native nginx reverse proxy with ACME wildcard cert
{ config, lib, ... }:
let
  # Authelia forward-auth snippet injected into protected locations
  autheliaAuthConfig = ''
    auth_request /authelia;
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $email $upstream_http_remote_email;
    error_page 401 =302 https://auth.nordhammer.it/?rd=$scheme://$http_host$request_uri;
  '';

  # Internal location that queries Authelia's verification endpoint
  autheliaLocation = {
    "/authelia" = {
      proxyPass = "http://127.0.0.1:9091/api/verify";
      extraConfig = ''
        internal;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-Method $request_method;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-For $remote_addr;
      '';
    };
  };

  ssl = {
    useACMEHost = "nordhammer.it";
    forceSSL = true;
  };

  # Simple reverse proxy vhost
  proxy = port: ssl // {
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
      proxyWebsockets = true;
    };
  };

  # Reverse proxy protected by Authelia forward auth
  protectedProxy = port: ssl // {
    locations = autheliaLocation // {
      "/" = {
        proxyPass = "http://127.0.0.1:${toString port}";
        proxyWebsockets = true;
        extraConfig = autheliaAuthConfig;
      };
    };
  };
in
{
  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {

    # Wildcard TLS cert via Cloudflare DNS-01 challenge
    security.acme = {
      acceptTerms = true;
      defaults.email = "fredrik@nordhammer.it";
      certs."nordhammer.it" = {
        domain = "*.nordhammer.it";
        extraDomainNames = [ "nordhammer.it" ];
        dnsProvider = "cloudflare";
        credentialFiles = {
          "CF_DNS_API_TOKEN_FILE" = "/var/secrets/cloudflare-token";
        };
      };
    };

    # Give Cloudflare authoritative NS more time to propagate TXT records
    systemd.services."acme-order-renew-nordhammer.it".environment.CLOUDFLARE_PROPAGATION_TIMEOUT = "600";

    users.users.nginx.extraGroups = [ "acme" ];

    services.nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;

      # File-based access log for fail2ban + fix proxy_headers_hash warning
      appendHttpConfig = ''
        proxy_headers_hash_max_size 1024;
        access_log /var/log/nginx/access.log;
      '';

      virtualHosts = {
        # --- Unprotected (own auth, or by design) ---
        "auth.nordhammer.it"     = proxy 9091;  # Authelia portal itself
        "jellyfin.nordhammer.it" = proxy 8096;  # streaming to external clients

        # --- Protected by Authelia ---
        "bazarr.nordhammer.it"   = protectedProxy 6767;
        "sonarr.nordhammer.it"   = protectedProxy 8989;
        "radarr.nordhammer.it"   = protectedProxy 7878;
        "prowlarr.nordhammer.it" = protectedProxy 9696;
        # qBit trips its own session auth on any SID cookie the browser
        # has cached; strip cookies so localhost-bypass always wins.
        "torrent.nordhammer.it"  = lib.recursiveUpdate (protectedProxy 8080) {
          locations."/".extraConfig = autheliaAuthConfig + ''
            proxy_set_header Cookie "";
            proxy_hide_header Set-Cookie;
          '';
        };
        "camera.nordhammer.it"   = protectedProxy 1984;
        "homepage.nordhammer.it" = protectedProxy 8082;
        "7dtd.nordhammer.it"     = protectedProxy 8090;
        "adguard.nordhammer.it"  = protectedProxy 3000;

        # --- Local-only: serves update history JSON to Homepage's customapi widget ---
        "homepage-updates.local" = {
          listen = [ { addr = "127.0.0.1"; port = 8083; } ];
          locations."/".root = "/var/lib/homepage-updates";
          extraConfig = ''
            default_type application/json;
            add_header Access-Control-Allow-Origin *;
          '';
        };
      };
    };

    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`# services/nginx.nix — Native nginx reverse proxy with ACME wildcard cert`
			`{ config, lib, ... }:`
			`let`
			`# Authelia forward-auth snippet injected into protected locations`
			`autheliaAuthConfig = ''`
Fix Authelia forward-auth to match proven working NPM config - Use /api/verify endpoint instead of /api/authz/forward-auth - Add proxy_pass_request_body off to auth location - Put redirect URL inline in error_page instead of using a variable - Use X-Forwarded-Uri (matching old config) instead of X-Forwarded-URI Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:35:59 +01:00			`auth_request /authelia;`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`auth_request_set $user $upstream_http_remote_user;`
Fix Authelia forward-auth to match proven working NPM config - Use /api/verify endpoint instead of /api/authz/forward-auth - Add proxy_pass_request_body off to auth location - Put redirect URL inline in error_page instead of using a variable - Use X-Forwarded-Uri (matching old config) instead of X-Forwarded-URI Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:35:59 +01:00			`auth_request_set $email $upstream_http_remote_email;`
			`error_page 401 =302 https://auth.nordhammer.it/?rd=$scheme://$http_host$request_uri;`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`'';`

			`# Internal location that queries Authelia's verification endpoint`
			`autheliaLocation = {`
Fix Authelia forward-auth to match proven working NPM config - Use /api/verify endpoint instead of /api/authz/forward-auth - Add proxy_pass_request_body off to auth location - Put redirect URL inline in error_page instead of using a variable - Use X-Forwarded-Uri (matching old config) instead of X-Forwarded-URI Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:35:59 +01:00			`"/authelia" = {`
			`proxyPass = "http://127.0.0.1:9091/api/verify";`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`extraConfig = ''`
			`internal;`
Fix Authelia forward-auth to match proven working NPM config - Use /api/verify endpoint instead of /api/authz/forward-auth - Add proxy_pass_request_body off to auth location - Put redirect URL inline in error_page instead of using a variable - Use X-Forwarded-Uri (matching old config) instead of X-Forwarded-URI Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:35:59 +01:00			`proxy_pass_request_body off;`
			`proxy_set_header Content-Length "";`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`proxy_set_header X-Original-URL $scheme://$http_host$request_uri;`
			`proxy_set_header X-Forwarded-Method $request_method;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Forwarded-Host $http_host;`
Fix Authelia forward-auth to match proven working NPM config - Use /api/verify endpoint instead of /api/authz/forward-auth - Add proxy_pass_request_body off to auth location - Put redirect URL inline in error_page instead of using a variable - Use X-Forwarded-Uri (matching old config) instead of X-Forwarded-URI Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-07 20:35:59 +01:00			`proxy_set_header X-Forwarded-Uri $request_uri;`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`proxy_set_header X-Forwarded-For $remote_addr;`
			`'';`
			`};`
			`};`

			`ssl = {`
			`useACMEHost = "nordhammer.it";`
			`forceSSL = true;`
			`};`

			`# Simple reverse proxy vhost`
			`proxy = port: ssl // {`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:${toString port}";`
			`proxyWebsockets = true;`
			`};`
			`};`

			`# Reverse proxy protected by Authelia forward auth`
			`protectedProxy = port: ssl // {`
			`locations = autheliaLocation // {`
			`"/" = {`
			`proxyPass = "http://127.0.0.1:${toString port}";`
			`proxyWebsockets = true;`
			`extraConfig = autheliaAuthConfig;`
			`};`
			`};`
			`};`
			`in`
Create webservices 2026-01-20 21:13:33 +00:00			`{`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {`

			`# Wildcard TLS cert via Cloudflare DNS-01 challenge`
			`security.acme = {`
			`acceptTerms = true;`
			`defaults.email = "fredrik@nordhammer.it";`
			`certs."nordhammer.it" = {`
			`domain = "*.nordhammer.it";`
			`extraDomainNames = [ "nordhammer.it" ];`
			`dnsProvider = "cloudflare";`
			`credentialFiles = {`
			`"CF_DNS_API_TOKEN_FILE" = "/var/secrets/cloudflare-token";`
			`};`
			`};`
			`};`

Increase ACME DNS propagation timeout to 10 minutes Cloudflare's authoritative nameservers take longer than the default 2-minute timeout to propagate TXT records created via API. Set CLOUDFLARE_PROPAGATION_TIMEOUT=600 to give enough time for DNS-01 challenge validation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-04-14 22:48:58 +01:00			`# Give Cloudflare authoritative NS more time to propagate TXT records`
			`systemd.services."acme-order-renew-nordhammer.it".environment.CLOUDFLARE_PROPAGATION_TIMEOUT = "600";`

Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`users.users.nginx.extraGroups = [ "acme" ];`

			`services.nginx = {`
			`enable = true;`
			`recommendedProxySettings = true;`
			`recommendedTlsSettings = true;`
			`recommendedOptimisation = true;`
			`recommendedGzipSettings = true;`

Fix nginx proxy_headers_hash warning from Authelia forward-auth headers Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 17:27:23 +01:00			`# File-based access log for fail2ban + fix proxy_headers_hash warning`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`appendHttpConfig = ''`
Fix nginx proxy_headers_hash warning from Authelia forward-auth headers Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 17:27:23 +01:00			`proxy_headers_hash_max_size 1024;`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`access_log /var/log/nginx/access.log;`
			`'';`

			`virtualHosts = {`
Put Servarr + qBit + games + search behind Authelia Only Jellyfin and the Authelia portal itself stay unprotected externally (Jellyfin because it's streamed to remote clients; Authelia because it is the login gate). Everything else (sonarr, radarr, bazarr, prowlarr, torrent/qBittorrent, games, search) now goes through Authelia forward auth. Internal integrations (Homepage widgets, Prowlarr → Sonarr/Radarr, Bazarr → Sonarr/Radarr, transcode-hevc qBit queries) use 127.0.0.1:PORT directly, so they are unaffected. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 11:21:28 +01:00			`# --- Unprotected (own auth, or by design) ---`
			`"auth.nordhammer.it" = proxy 9091; # Authelia portal itself`
			`"jellyfin.nordhammer.it" = proxy 8096; # streaming to external clients`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00
			`# --- Protected by Authelia ---`
Put Servarr + qBit + games + search behind Authelia Only Jellyfin and the Authelia portal itself stay unprotected externally (Jellyfin because it's streamed to remote clients; Authelia because it is the login gate). Everything else (sonarr, radarr, bazarr, prowlarr, torrent/qBittorrent, games, search) now goes through Authelia forward auth. Internal integrations (Homepage widgets, Prowlarr → Sonarr/Radarr, Bazarr → Sonarr/Radarr, transcode-hevc qBit queries) use 127.0.0.1:PORT directly, so they are unaffected. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 11:21:28 +01:00			`"bazarr.nordhammer.it" = protectedProxy 6767;`
			`"sonarr.nordhammer.it" = protectedProxy 8989;`
			`"radarr.nordhammer.it" = protectedProxy 7878;`
			`"prowlarr.nordhammer.it" = protectedProxy 9696;`
nginx: strip cookies on qBit proxy so localhost-bypass always wins qBittorrent's auth logic is "no SID cookie → bypass for localhost; SID cookie present → validate it." If the browser has a stale SID from an earlier session, qBit fails validation and returns 401 even though the connection is from 127.0.0.1 and bypass is enabled. Strip both directions: drop the client's Cookie header on the way in so qBit never sees an SID, and hide Set-Cookie on the way back so the browser never accumulates one in the first place. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-24 14:57:55 +01:00			`# qBit trips its own session auth on any SID cookie the browser`
			`# has cached; strip cookies so localhost-bypass always wins.`
			`"torrent.nordhammer.it" = lib.recursiveUpdate (protectedProxy 8080) {`
			`locations."/".extraConfig = autheliaAuthConfig + ''`
			`proxy_set_header Cookie "";`
			`proxy_hide_header Set-Cookie;`
			`'';`
			`};`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`"camera.nordhammer.it" = protectedProxy 1984;`
			`"homepage.nordhammer.it" = protectedProxy 8082;`
Expose 7DTD WebDashboard behind Authelia at 7dtd.nordhammer.it Publishes the container's web dashboard port only on host loopback (127.0.0.1:8090) so nginx can reverse-proxy it with Authelia forward-auth, matching the Homepage/camera vhost pattern. Also flips WebDashboardEnabled to true in the XML patcher so the server actually starts the web server. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-18 21:43:11 +01:00			`"7dtd.nordhammer.it" = protectedProxy 8090;`
nginx: move adguard vhost behind Authelia forward auth Pairs with the prior commit that added the ACL rule. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-22 14:16:52 +01:00			`"adguard.nordhammer.it" = protectedProxy 3000;`
Add Last Update widget to Homepage via record-update script record-update parses nvd diff after switch and writes latest.json; Homepage polls a local-only nginx listener and renders date/changes/ closure/kernel via a customapi widget. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-16 20:58:19 +01:00
			`# --- Local-only: serves update history JSON to Homepage's customapi widget ---`
			`"homepage-updates.local" = {`
			`listen = [ { addr = "127.0.0.1"; port = 8083; } ];`
			`locations."/".root = "/var/lib/homepage-updates";`
			`extraConfig = ''`
			`default_type application/json;`
			`add_header Access-Control-Allow-Origin *;`
			`'';`
			`};`
Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc - Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-04-07 15:47:56 +01:00			`};`
			`};`

			`networking.firewall.allowedTCPPorts = [ 80 443 ];`
			`};`
Update webservices.nix 2026-01-20 21:17:17 +00:00			`}`