From bf753471ba00bc47f9f7d08342a04ecf5b31714e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Numbus?=
Date: Fri, 27 Feb 2026 14:49:25 +0100
Subject: [PATCH] Fixed indentation. Fixed Immich not working correctly behind Traefik (too restrictive headers).

---
 modules/services/frigate.nix | 13 ++++++----
 modules/services/gitea.nix | 2 ++
 modules/services/home-assistant.nix | 10 ++++----
 modules/services/immich.nix | 37 +++++++++++++++++++++++++----
 modules/services/it-tools.nix | 1 +
 modules/services/lib.nix | 4 ++--
 modules/services/nextcloud.nix | 2 ++
 modules/services/passbolt.nix | 1 +
 modules/services/pi-hole.nix | 13 +++++-----
 modules/services/traefik.nix | 3 +--
 10 files changed, 64 insertions(+), 22 deletions(-)

diff --git a/modules/services/frigate.nix b/modules/services/frigate.nix
index 81b3602..9cb3203 100644
--- a/modules/services/frigate.nix
+++ b/modules/services/frigate.nix
@@ -20,6 +20,11 @@ helper.mkPodmanService {
 scheme = "https";
 dependencies = [ "traefik.service" "${config.numbus.services.dns}.service" "home-assistant.service" ];
 envFile = "/var/lib/numbus-server/home-assistant/.env";
+ dirPermissions = [
+ "1000:100 ${cfg.configDir}"
+ "1000:100 ${cfg.dataDir}"
+ ];
+ middlewares = [ "secureHeaders" ];
 
 extraOptions = {
 devices = mkOption {
@@ -52,10 +57,10 @@ helper.mkPodmanService {
 environment:
 - FRIGATE_MQTT_USER=$HOME_ASSISTANT_MQTT_USER
 - FRIGATE_MQTT_PASSWORD=$HOME_ASSISTANT_MQTT_PASSWORD
-${lib.optionalString (cfg.devices != []) ''
- devices:
-${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)}
-''}
+ ${lib.optionalString (cfg.devices != []) ''
+ devices:
+ ${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)}
+ ''}
 security_opt:
 - no-new-privileges:true
 cap_drop:
diff --git a/modules/services/gitea.nix b/modules/services/gitea.nix
index d1f3779..36b04c8 100644
--- a/modules/services/gitea.nix
+++ b/modules/services/gitea.nix
@@ -24,10 +24,12 @@ helper.mkPodmanService {
 DB_PASSWORD = "xkcdpass -n 8 -d -";
 };
 dirPermissions = [
+ "100999:100 ${cfg.configDir}"
 "100999:100 ${cfg.configDir}/data"
 "100999:100 ${cfg.configDir}/config"
 "100999:100 ${cfg.configDir}/database"
 ];
+ middlewares = [ "secureHeaders" ];
 
 composeText = ''
 services:
diff --git a/modules/services/home-assistant.nix b/modules/services/home-assistant.nix
index b5d906d..bb8a0c1 100644
--- a/modules/services/home-assistant.nix
+++ b/modules/services/home-assistant.nix
@@ -23,9 +23,11 @@ helper.mkPodmanService {
 HOME_ASSISTANT_MQTT_PASSWORD = "xkcdpass -n 8 -d -";
 };
 dirPermissions = [
+ "1000:100 ${cfg.configDir}"
 "1000:100 ${cfg.configDir}/config"
 "100999:100 ${cfg.configDir}/mqtt"
 ];
+ middlewares = [ "secureHeaders" ];
 
 # Compose file good
 composeText = ''
@@ -42,10 +44,10 @@ helper.mkPodmanService {
 - ${cfg.configDir}/config:/config
 - /etc/localtime:/etc/localtime:ro
 - /run/dbus:/run/dbus:ro
-${lib.optionalString (cfg.devices != []) ''
- devices:
-${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)}
-''}
+ ${lib.optionalString (cfg.devices != []) ''
+ devices:
+ ${lib.concatStringsSep "\n" (map (d: " - \"${d}\"") cfg.devices)}
+ ''}
 security_opt:
 - no-new-privileges:true
 cap_drop:
diff --git a/modules/services/immich.nix b/modules/services/immich.nix
index c2ad7d5..e0a565a 100644
--- a/modules/services/immich.nix
+++ b/modules/services/immich.nix
@@ -32,13 +32,15 @@ helper.mkPodmanService {
 IMMICH_VERSION = "v2.5.6";
 };
 dirPermissions = [
- "100999:100 ${cfg.configDir}/model-cache"
- "100999:100 ${cfg.configDir}/machine-learning-config"
- "100999:100 ${cfg.configDir}/machine-learning-cache"
- "100999:100 ${cfg.configDir}/database"
+ "100999:100 ${cfg.configDir}"
 "100999:100 ${cfg.configDir}/redis"
+ "100999:100 ${cfg.configDir}/model-cache"
+ "100999:100 ${cfg.configDir}/machine-learning-cache"
+ "100999:100 ${cfg.configDir}/machine-learning-config"
+ "100999:100 ${cfg.configDir}/database"
 "100999:100 ${cfg.dataDir}"
 ];
+ middlewares = [ "immichSecureHeaders" ];
 
 # Compose file good
 composeText = ''
@@ -64,6 +66,7 @@ helper.mkPodmanService {
 DB_DATABASE_NAME: $DB_DATABASE_NAME
 DB_USERNAME: $DB_USERNAME
 DB_PASSWORD: $DB_PASSWORD
+ IMMICH_TRUSTED_PROXIES: ${config.numbus.networking.ipAddress}
 depends_on:
 - immich-redis
 - immich-database
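Review bot: `IMMICH_TRUSTED_PROXIES` is set to the host's own address, but inside the Podman network the immich-server container may see Traefik's connections arriving from the bridge gateway or from Traefik's container address rather than from that IP; if that is the case Immich will not trust `X-Forwarded-For` and will attribute every request (logging, rate limiting) to the proxy instead of the real client. Verify which source address immich-server actually observes for proxied requests and, if it differs, extend the value to cover it, e.g. `IMMICH_TRUSTED_PROXIES: ${config.numbus.networking.ipAddress},<podman-bridge-cidr>` with the real range substituted. The compose `services:` block this line belongs to starts before the hunk.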
@@ -133,4 +136,30 @@ helper.mkPodmanService {
 name: immich
 driver: bridge
 '';
+
+ extraConfig = {
+ environment.etc."traefik/rules/immichSecureHeaders.yaml".text = ''
+ http:
+ middlewares:
+ immichSecureHeaders:
+ headers:
+ FrameDeny: true
+ AccessControlAllowMethods: 'GET,POST,PUT,DELETE,OPTIONS'
+ AccessControlAllowOriginList:
+ - https://${cfg.subdomain}.${config.numbus.services.domain}
+ - origin-list-or-null
+ AccessControlMaxAge: 100
+ AddVaryHeader: true
+ BrowserXssFilter: true
+ ContentTypeNosniff: true
+ ForceSTSHeader: true
+ STSIncludeSubdomains: true
+ STSPreload: true
+ ContentSecurityPolicy: "default-src 'self'; base-uri 'self'; img-src 'self' https://static.immich.cloud https://tiles.immich.cloud data: blob:; connect-src 'self' https://${cfg.subdomain}.${config.numbus.services.domain} wss://${cfg.subdomain}.${config.numbus.services.domain} https://static.immich.cloud https://tiles.immich.cloud; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; worker-src 'self' blob: https://${cfg.subdomain}.${config.numbus.services.domain}; frame-ancestors 'self';"
+ CustomFrameOptionsValue: SAMEORIGIN
+ ReferrerPolicy: same-origin
+ PermissionsPolicy: vibrate 'self'
+ STSSeconds: 315360000
+ '';
+ };
 }
\ No newline at end of file
diff --git a/modules/services/it-tools.nix b/modules/services/it-tools.nix
index 5ee74d2..9ab1203 100644
--- a/modules/services/it-tools.nix
+++ b/modules/services/it-tools.nix
@@ -19,6 +19,7 @@ helper.mkPodmanService {
 defaultPort = "8880";
 configDir = false;
 dataDir = false;
+ middlewares = [ "secureHeaders" ];
 
 # Compose file good
 composeText = ''
diff --git a/modules/services/lib.nix b/modules/services/lib.nix
index 328c22c..7fe6ce4 100644
--- a/modules/services/lib.nix
+++ b/modules/services/lib.nix
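Review bot: `AccessControlAllowOriginList` contains `origin-list-or-null` as if it were an origin; that keyword belonged to the older single-value `accessControlAllowOrigin` option, and in the list form Traefik most likely compares it literally against the request `Origin`, so it either does nothing or, if a Traefik version did honour it, would reflect origins more loosely than the single HTTPS entry above it intends — confirm against the deployed Traefik version and drop it if the Immich subdomain is the only origin you mean to allow. `FrameDeny: true` is overridden by `CustomFrameOptionsValue: SAMEORIGIN` on the same middleware, and `frame-ancestors 'self'` in the CSP already expresses that policy, so one of the three can go. `PermissionsPolicy: vibrate 'self'` is Feature-Policy syntax; Permissions-Policy expects the form `vibrate=(self)`, so browsers will most likely ignore the header as written. The commit message explains the relaxation, but `script-src 'self' 'unsafe-inline' 'unsafe-eval'` gives up most of what the CSP buys against injected script; a comment above the rule recording which Immich feature needed each of `'unsafe-inline'` and `'unsafe-eval'` (tested against `IMMICH_VERSION = "v2.5.6"`) would let the next maintainer re-tighten it when Immich no longer requires them.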
@@ -12,7 +12,7 @@ with lib;
 reverseProxied ? true,
 composeText,
 scheme ? "http",
- middlewares ? [ "secureHeaders" ],
+ middlewares,
 dependencies ? [ "traefik.service" "${config.numbus.services.dns}.service" ],
 extraOptions ? {},
 extraConfig ? {},
@@ -87,7 +87,7 @@ with lib;
 - "websecure"
 service: ${name}
 middlewares:
-${concatStringsSep "\n" (map (m: " - ${m}") middlewares)}
+ ${concatStringsSep "\n" (map (m: " - ${m}") middlewares)}
 tls:
 certresolver: "cloudflare"
 options: "secureTLS"
diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
index dc4df91..3c5024b 100644
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@@ -30,6 +30,7 @@ helper.mkPodmanService {
 SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
 };
 dirPermissions = [
+ "100032:100 ${cfg.configDir}"
 "100032:100 ${cfg.configDir}/web"
 "100999:100 ${cfg.configDir}/redis"
 "100999:100 ${cfg.configDir}/database"
@@ -39,6 +40,7 @@ helper.mkPodmanService {
 "100999:100 ${cfg.configDir}/onlyoffice/database"
 "100032:100 ${cfg.dataDir}"
 ];
+ middlewares = [ "secureHeaders" ];
 
 # Compose file good
 composeText = ''
diff --git a/modules/services/passbolt.nix b/modules/services/passbolt.nix
index afe9cd9..16879d9 100644
--- a/modules/services/passbolt.nix
+++ b/modules/services/passbolt.nix
@@ -26,6 +26,7 @@ helper.mkPodmanService {
 SMTP_PASSWORD = "cat ${config.numbus.mail.smtpPasswordPath}";
 };
 dirPermissions = [
+ "100032:100 ${cfg.configDir}"
 "100032:100 ${cfg.configDir}/gpg"
 "100032:100 ${cfg.configDir}/jwt"
 "100999:100 ${cfg.configDir}/database"
diff --git a/modules/services/pi-hole.nix b/modules/services/pi-hole.nix
index 4b62f7d..24f4c83 100644
--- a/modules/services/pi-hole.nix
+++ b/modules/services/pi-hole.nix
@@ -27,6 +27,7 @@ helper.mkPodmanService {
 dirPermissions = [
 "100999:100 ${cfg.configDir}"
 ];
+ middlewares = [ "secureHeaders" ];
 
 # Compose file good
 composeText = ''
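Review bot: Removing the default turns `middlewares` into a required attribute of the function pattern, so every `helper.mkPodmanService` caller must now pass it, including services with `reverseProxied = false` where it is never used; the `passbolt.nix` and `traefik.nix` hunks in this patch touch those files without adding a `middlewares` entry, so unless they already set one elsewhere, evaluation will stop with "called without required argument 'middlewares'". If the intent is to force each service to pick its header middleware explicitly, keep that but say so on the parameter, `middlewares, # required: each service chooses its Traefik header middleware`, and check every caller; otherwise keep `middlewares ? [ "secureHeaders" ]` and let Immich override it. The argument pattern continues outside the hunk.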
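Review bot: Indenting the `${concatStringsSep "\n" (map (m: " - ${m}") middlewares)}` line fixes the indented string's minimum-indent calculation, but only the first generated `- item` line inherits the indentation of the line it is interpolated on; every following item carries only the spaces from the `map` literal, so with two or more middlewares the YAML list will be misaligned and Traefik may reject the rule. frigate.nix and home-assistant.nix avoid this by wrapping the list in a nested `''` string whose interpolation is the only thing on its line; the same wrapping would fix this spot, and the `FTLCONF_dns_hosts` interpolation in the second `pi-hole.nix` hunk has the same shape inside a `|` block scalar and is the more likely to break, since it emits one line per enabled service. It does not surface in this patch only because every service passes a single middleware.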
@@ -50,12 +51,12 @@ helper.mkPodmanService {
 FTLCONF_webserver_domain: ${cfg.subdomain}.${config.numbus.services.domain}
 FTLCONF_dns_upstreams: 9.9.9.9;149.112.112.112
 FTLCONF_dns_hosts: |
-${lib.concatStringsSep "" (lib.mapAttrsToList (name: service:
- if builtins.isAttrs service && service ? enable && service.enable && service ? subdomain then
- " ${config.numbus.networking.ipAddress} ${service.subdomain}.${config.numbus.services.domain}\n"
- else
- ""
-) config.numbus.services)}
+ ${lib.concatStringsSep "" (lib.mapAttrsToList (name: service:
+ if builtins.isAttrs service && service ? enable && service.enable && service ? subdomain then
+ " ${config.numbus.networking.ipAddress} ${service.subdomain}.${config.numbus.services.domain}\n"
+ else
+ ""
+ ) config.numbus.services)}
 FTLCONF_dns_listeningMode: "BIND"
 FTLCONF_dns_domain_name: "${config.numbus.services.domain}"
 FTLCONF_dns_domain_local: "true"
diff --git a/modules/services/traefik.nix b/modules/services/traefik.nix
index 78ed001..d7bf1ba 100644
--- a/modules/services/traefik.nix
+++ b/modules/services/traefik.nix
@@ -16,7 +16,6 @@ helper.mkPodmanService {
 inherit name;
 description = "Traefik reverse proxy, one to rule them all";
 pod = "false";
- reverseProxied = false;
 dataDir = false;
 dependencies = [ "network.target" ];
 startDelay = 10;
@@ -28,6 +27,7 @@ helper.mkPodmanService {
 "100999:100 ${cfg.configDir}/rules"
 "100999:100 ${cfg.configDir}/certs"
 ];
+ reverseProxied = false;
 
 # Compose file good
 composeText = ''
@@ -164,6 +164,5 @@ helper.mkPodmanService {
 example = "ERROR";
 description = "The level of detail Traefik should print in the logs.";
 };
- # traefikDynamicConfigDir defined at global.nix
 };
 }
\ No newline at end of file