Fixed indentation. Fixed Immich not working correctly behind Traefik (too restrictive headers).

Raphaël Numbus
2026-02-27 14:49:25 +01:00
parent c2b49d7d67
commit bf753471ba
10 changed files with 64 additions and 22 deletions
+9 -4
@@ -20,6 +20,11 @@ helper.mkPodmanService {
scheme = "https";
dependencies = [ "traefik.service" "${config.numbus.services.dns}.service" "home-assistant.service" ];
envFile = "/var/lib/numbus-server/home-assistant/.env";
dirPermissions = [
"1000:100 ${cfg.configDir}"
"1000:100 ${cfg.dataDir}"
];
middlewares = [ "secureHeaders" ];
extraOptions = {
devices = mkOption {
@@ -52,10 +57,10 @@ helper.mkPodmanService {
environment:
- FRIGATE_MQTT_USER=$HOME_ASSISTANT_MQTT_USER
- FRIGATE_MQTT_PASSWORD=$HOME_ASSISTANT_MQTT_PASSWORD
${lib.optionalString (cfg.devices != []) ''
devices:
${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)}
''}
${lib.optionalString (cfg.devices != []) ''
devices:
${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)}
''}
security_opt:
- no-new-privileges:true
cap_drop:
+2
@@ -24,10 +24,12 @@ helper.mkPodmanService {
DB_PASSWORD = "xkcdpass -n 8 -d -";
};
dirPermissions = [
"100999:100 ${cfg.configDir}"
"100999:100 ${cfg.configDir}/data"
"100999:100 ${cfg.configDir}/config"
"100999:100 ${cfg.configDir}/database"
];
middlewares = [ "secureHeaders" ];
composeText = ''
services:
+6 -4
@@ -23,9 +23,11 @@ helper.mkPodmanService {
HOME_ASSISTANT_MQTT_PASSWORD = "xkcdpass -n 8 -d -";
};
dirPermissions = [
"1000:100 ${cfg.configDir}"
"1000:100 ${cfg.configDir}/config"
"100999:100 ${cfg.configDir}/mqtt"
];
middlewares = [ "secureHeaders" ];
# Compose file good
composeText = ''
@@ -42,10 +44,10 @@ helper.mkPodmanService {
- ${cfg.configDir}/config:/config
- /etc/localtime:/etc/localtime:ro
- /run/dbus:/run/dbus:ro
${lib.optionalString (cfg.devices != []) ''
devices:
${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)}
''}
${lib.optionalString (cfg.devices != []) ''
devices:
${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)}
''}
security_opt:
- no-new-privileges:true
cap_drop:
+33 -4
@@ -32,13 +32,15 @@ helper.mkPodmanService {
IMMICH_VERSION = "v2.5.6";
};
dirPermissions = [
"100999:100 ${cfg.configDir}/model-cache"
"100999:100 ${cfg.configDir}/machine-learning-config"
"100999:100 ${cfg.configDir}/machine-learning-cache"
"100999:100 ${cfg.configDir}/database"
"100999:100 ${cfg.configDir}"
"100999:100 ${cfg.configDir}/redis"
"100999:100 ${cfg.configDir}/model-cache"
"100999:100 ${cfg.configDir}/machine-learning-cache"
"100999:100 ${cfg.configDir}/machine-learning-config"
"100999:100 ${cfg.configDir}/database"
"100999:100 ${cfg.dataDir}"
];
middlewares = [ "immichSecureHeaders" ];
# Compose file good
composeText = ''
@@ -64,6 +66,7 @@ helper.mkPodmanService {
DB_DATABASE_NAME: $DB_DATABASE_NAME
DB_USERNAME: $DB_USERNAME
DB_PASSWORD: $DB_PASSWORD
IMMICH_TRUSTED_PROXIES: ${config.numbus.networking.ipAddress}
depends_on:
- immich-redis
- immich-database
@@ -133,4 +136,30 @@ helper.mkPodmanService {
name: immich
driver: bridge
'';
extraConfig = {
environment.etc."traefik/rules/immichSecureHeaders.yaml".text = ''
http:
middlewares:
immichSecureHeaders:
headers:
FrameDeny: true
AccessControlAllowMethods: 'GET,POST,PUT,DELETE,OPTIONS'
AccessControlAllowOriginList:
- https://${cfg.subdomain}.${config.numbus.services.domain}
- origin-list-or-null
AccessControlMaxAge: 100
AddVaryHeader: true
BrowserXssFilter: true
ContentTypeNosniff: true
ForceSTSHeader: true
STSIncludeSubdomains: true
STSPreload: true
ContentSecurityPolicy: "default-src 'self'; base-uri 'self'; img-src 'self' https://static.immich.cloud https://tiles.immich.cloud data: blob:; connect-src 'self' https://${cfg.subdomain}.${config.numbus.services.domain} wss://${cfg.subdomain}.${config.numbus.services.domain} https://static.immich.cloud https://tiles.immich.cloud; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob: https://${cfg.subdomain}.${config.numbus.services.domain}; frame-ancestors 'self';"
CustomFrameOptionsValue: SAMEORIGIN
ReferrerPolicy: same-origin
PermissionsPolicy: vibrate 'self'
STSSeconds: 315360000
'';
};
}
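Review bot: The `ContentSecurityPolicy` in the new `immichSecureHeaders` middleware sets `script-src 'self' 'unsafe-inline' 'unsafe-eval'`, which removes most of the protection a CSP gives against injected script, and the commit message only says the previous headers were "too restrictive" without recording which directive actually broke Immich. If Immich genuinely needs those source expressions, add a comment above the directive naming the feature that requires them, e.g. `# script-src: 'unsafe-inline'/'unsafe-eval' needed by the Immich web UI (ref: <upstream-issue-placeholder>); tighten once upstream supports nonces/hashes`, so a later reader does not copy the relaxed policy into the shared `secureHeaders`. The `- origin-list-or-null` entry in `AccessControlAllowOriginList` does not look like an origin; confirm it is a keyword the deployed Traefik version accepts rather than a leftover from an example, since the allowed-origin list is what keeps the `DELETE`/`PUT` methods in `AccessControlAllowMethods` scoped to the site itself. `IMMICH_TRUSTED_PROXIES` is set to the host address; if Traefik reaches Immich over a container network it may connect from a different address, in which case Immich would log the proxy rather than the client — worth verifying against what Immich actually sees.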
+1
@@ -19,6 +19,7 @@ helper.mkPodmanService {
defaultPort = "8880";
configDir = false;
dataDir = false;
middlewares = [ "secureHeaders" ];
# Compose file good
composeText = ''
+2 -2
@@ -12,7 +12,7 @@ with lib;
reverseProxied ? true,
composeText,
scheme ? "http",
middlewares ? [ "secureHeaders" ],
middlewares,
dependencies ? [ "traefik.service" "${config.numbus.services.dns}.service" ],
extraOptions ? {},
extraConfig ? {},
@@ -87,7 +87,7 @@ with lib;
- "websecure"
service: ${name}
middlewares:
${concatStringsSep "\n" (map (m: " - ${m}") middlewares)}
${concatStringsSep "\n" (map (m: " - ${m}") middlewares)}
tls:
certresolver: "cloudflare"
options: "secureTLS"
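Review bot: Replacing `middlewares ? [ "secureHeaders" ]` with a bare `middlewares,` makes the argument mandatory, so any `mkPodmanService` call that this commit did not update now fails evaluation with a missing-argument error — the file section that only adds a `dirPermissions` entry and the Traefik module show no `middlewares` assignment in their hunks (they may set it outside the visible lines, so this is worth confirming with a full evaluation). Requiring each reverse-proxied service to name its header set explicitly is a sound choice, since it prevents a service from silently inheriting headers tuned for a different application. State that intent next to the parameter so the next person does not reintroduce the default, e.g. `middlewares, # required: each reverse-proxied service must pick its header middleware explicitly`. The function body continues outside both hunks.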
+2
@@ -30,6 +30,7 @@ helper.mkPodmanService {
SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
};
dirPermissions = [
"100032:100 ${cfg.configDir}"
"100032:100 ${cfg.configDir}/web"
"100999:100 ${cfg.configDir}/redis"
"100999:100 ${cfg.configDir}/database"
@@ -39,6 +40,7 @@ helper.mkPodmanService {
"100999:100 ${cfg.configDir}/onlyoffice/database"
"100032:100 ${cfg.dataDir}"
];
middlewares = [ "secureHeaders" ];
# Compose file good
composeText = ''
+1
@@ -26,6 +26,7 @@ helper.mkPodmanService {
SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
};
dirPermissions = [
"100032:100 ${cfg.configDir}"
"100032:100 ${cfg.configDir}/gpg"
"100032:100 ${cfg.configDir}/jwt"
"100999:100 ${cfg.configDir}/database"
+7 -6
@@ -27,6 +27,7 @@ helper.mkPodmanService {
dirPermissions = [
"100999:100 ${cfg.configDir}"
];
middlewares = [ "secureHeaders" ];
# Compose file good
composeText = ''
@@ -50,12 +51,12 @@ helper.mkPodmanService {
FTLCONF_webserver_domain: ${cfg.subdomain}.${config.numbus.services.domain}
FTLCONF_dns_upstreams: 9.9.9.9;149.112.112.112
FTLCONF_dns_hosts: |
${lib.concatStringsSep "" (lib.mapAttrsToList (name: service:
if builtins.isAttrs service && service ? enable && service.enable && service ? subdomain then
" ${config.numbus.networking.ipAddress} ${service.subdomain}.${config.numbus.services.domain}\n"
else
""
) config.numbus.services)}
${lib.concatStringsSep "" (lib.mapAttrsToList (name: service:
if builtins.isAttrs service && service ? enable && service.enable && service ? subdomain then
" ${config.numbus.networking.ipAddress} ${service.subdomain}.${config.numbus.services.domain}\n"
else
""
) config.numbus.services)}
FTLCONF_dns_listeningMode: "BIND"
FTLCONF_dns_domain_name: "${config.numbus.services.domain}"
FTLCONF_dns_domain_local: "true"
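Review bot: In the reindented `FTLCONF_dns_hosts` generator the `name` parameter of the `mapAttrsToList` lambda is never used; writing it as `(_: service: …)` makes the ignored attribute name explicit, which is the usual Nix style. The generated host list itself is unchanged from the old side, so this is only about how the new lines read. The enclosing `composeText` string continues outside the hunk.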
+1 -2
@@ -16,7 +16,6 @@ helper.mkPodmanService {
inherit name;
description = "Traefik reverse proxy, one to rule them all";
pod = "false";
reverseProxied = false;
dataDir = false;
dependencies = [ "network.target" ];
startDelay = 10;
@@ -28,6 +27,7 @@ helper.mkPodmanService {
"100999:100 ${cfg.configDir}/rules"
"100999:100 ${cfg.configDir}/certs"
];
reverseProxied = false;
# Compose file good
composeText = ''
@@ -164,6 +164,5 @@ helper.mkPodmanService {
example = "ERROR";
description = "The level of detail Traefik should print in the logs.";
};
# traefikDynamicConfigDir defined at global.nix
};
}