Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc

- Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01 - Native Authelia SSO with forward auth protecting homepage + camera - Native go2rtc camera streaming (no more Docker) - Auto-migration script for Authelia secrets and user database from Docker - Homepage hrefs updated to use HTTPS domain names - Fail2ban updated for native nginx log paths + new Authelia jail Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-07 15:47:56 +01:00 · 2026-04-07 15:47:56 +01:00 · eadbc92126
commit eadbc92126
parent cb8ecc1409
6 changed files with 261 additions and 86 deletions
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -1,34 +1,113 @@
-#nginx.nix
-{ config, pkgs, lib, ... }:
-{
-	config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+# services/nginx.nix — Native nginx reverse proxy with ACME wildcard cert
+{ config, lib, ... }:
+let
+  # Authelia forward-auth snippet injected into protected locations
+  autheliaAuthConfig = ''
+    auth_request /internal/authelia/authz;
+    auth_request_set $target_url $scheme://$http_host$request_uri;
+    auth_request_set $user $upstream_http_remote_user;
+    auth_request_set $groups $upstream_http_remote_groups;
+    error_page 401 =302 https://auth.nordhammer.it/?rd=$target_url;
+  '';

-		# Nginx Proxy Manager
-		virtualisation.oci-containers = {
-	      backend = "docker";
-	      
-	      containers."nginx-proxy-manager" = {
-	        image = "jc21/nginx-proxy-manager:latest";
-	        ports = [ 
-	          "80:80"
-	          "81:81"
-	          "443:443"
-	        ];
-	        volumes = [
-	          "/home/fred/docker/nginx-proxy-manager/data:/data"
-	          "/home/fred/docker/nginx-proxy-manager/letsencrypt:/etc/letsencrypt"
-	        ];
-	        # Remove the extraOptions with --restart, it conflicts with --rm
-	      };
-	    };
-	    
-	    # Create directories
-	    systemd.tmpfiles.rules = [
-	      "d /home/fred/docker/nginx-proxy-manager/data 0755 root root -"
-	      "d /home/fred/docker/nginx-proxy-manager/letsencrypt 0755 root root -"
-	    ];
-	    
-	    # Open firewall
-	    networking.firewall.allowedTCPPorts = [ 80 81 443 ];
-	};
+  # Internal location that queries Authelia's verification endpoint
+  autheliaLocation = {
+    "/internal/authelia/authz" = {
+      proxyPass = "http://127.0.0.1:9091/api/authz/forward-auth";
+      extraConfig = ''
+        internal;
+        proxy_set_header X-Original-Method $request_method;
+        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+        proxy_set_header X-Forwarded-Method $request_method;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header X-Forwarded-URI $request_uri;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Content-Length "";
+        proxy_set_header Connection "";
+      '';
+    };
+  };
+
+  ssl = {
+    useACMEHost = "nordhammer.it";
+    forceSSL = true;
+  };
+
+  # Simple reverse proxy vhost
+  proxy = port: ssl // {
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+
+  # Reverse proxy protected by Authelia forward auth
+  protectedProxy = port: ssl // {
+    locations = autheliaLocation // {
+      "/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyWebsockets = true;
+        extraConfig = autheliaAuthConfig;
+      };
+    };
+  };
+in
+{
+  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+
+    # Wildcard TLS cert via Cloudflare DNS-01 challenge
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "fredrik@nordhammer.it";
+      certs."nordhammer.it" = {
+        domain = "*.nordhammer.it";
+        extraDomainNames = [ "nordhammer.it" ];
+        dnsProvider = "cloudflare";
+        credentialFiles = {
+          "CF_DNS_API_TOKEN_FILE" = "/var/secrets/cloudflare-token";
+        };
+      };
+    };
+
+    users.users.nginx.extraGroups = [ "acme" ];
+
+    services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+
+      # File-based access log for fail2ban
+      appendHttpConfig = ''
+        access_log /var/log/nginx/access.log;
+      '';
+
+      virtualHosts = {
+        # --- Authelia portal (not behind auth itself) ---
+        "auth.nordhammer.it" = proxy 9091;
+
+        # --- Media ---
+        "jellyfin.nordhammer.it" = proxy 8096;
+        "bazarr.nordhammer.it"  = proxy 6767;
+        "sonarr.nordhammer.it"  = proxy 8989;
+        "radarr.nordhammer.it"  = proxy 7878;
+
+        # --- Downloads ---
+        "prowlarr.nordhammer.it" = proxy 9696;
+        "torrent.nordhammer.it"  = proxy 8080;
+
+        # --- Other ---
+        "games.nordhammer.it"  = proxy 8787;
+        "search.nordhammer.it" = proxy 8087;
+
+        # --- Protected by Authelia ---
+        "camera.nordhammer.it"   = protectedProxy 1984;
+        "homepage.nordhammer.it" = protectedProxy 8082;
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+  };
 }