diff --git a/modules/services/forgejo.nix b/modules/services/forgejo.nix
index a31ae3f..169b6b9 100644
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@@ -6,20 +6,8 @@
 }:
 let
 cfg = config.aux.system.services.forgejo;
- cli-cfg = config.services.forgejo;
- forgejo-cli = pkgs.writeScriptBin "forgejo-cli" ''
- #!${pkgs.runtimeShell}
- cd ${cli-cfg.stateDir}
- sudo=exec
- if [[ "$USER" != forgejo ]]; then
- sudo='exec /run/wrappers/bin/sudo -u ${cli-cfg.user} -g ${cli-cfg.group} --preserve-env=GITEA_WORK_DIR --preserve-env=GITEA_CUSTOM'
- fi
- # Note that these variable names will change
- export GITEA_WORK_DIR=${cli-cfg.stateDir}
- export GITEA_CUSTOM=${cli-cfg.customDir}
- $sudo ${lib.getExe cli-cfg.package} "$@"
- '';
+ socket = "/run/services/forgejo/web.socket";
 in
 {
 options = {
@@ -49,10 +37,7 @@ in
 };
 config = lib.mkIf cfg.enable {
- environment.systemPackages = [
- forgejo-cli
- pkgs.podman-tui
- ];
+ environment.systemPackages = [ pkgs.podman-tui ];
 services = {
 forgejo = {
 enable = true;
@@ -60,7 +45,8 @@ in
 server = {
 DOMAIN = pkgs.util.getDomainFromURL cfg.url;
 ROOT_URL = cfg.url;
- HTTP_PORT = 3000;
+ PROTOCOL = "http+unix";
+ HTTP_ADDR = socket;
 };
 indexer.REPO_INDEXER_ENABLED = true; # Enable code indexing
 };
@@ -71,7 +57,7 @@ in
 useACMEHost = pkgs.util.getDomainFromURL cfg.url;
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
+ proxyPass = "http://unix:${socket}:";
 proxyWebsockets = true;
 extraConfig = "proxy_ssl_server_name on;"; # required when the target is also TLS server with multiple hosts
 };
diff --git a/modules/services/jellyfin.nix b/modules/services/jellyfin.nix
index cabda67..a7e38fb 100644
--- a/modules/services/jellyfin.nix
+++ b/modules/services/jellyfin.nix
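Review bot: The new `PROTOCOL = "http+unix"` / `HTTP_ADDR = socket` pair leaves Forgejo's `UNIX_SOCKET_PERMISSION` at its default of 666, so any local account can open the socket and reach Forgejo without passing through nginx and whatever it enforces; add `UNIX_SOCKET_PERMISSION = "660";` next to `HTTP_ADDR` and let the nginx worker into the forgejo group (or the reverse). The old loopback port was just as reachable locally, so this is not a regression, but the move to a socket is the natural point to close it. I also see nothing in this commit creating `/run/services/forgejo`; unless the forgejo unit's RuntimeDirectory already covers that path, the listener will fail to bind at start — worth confirming. The `server` attrset is complete inside the hunk, but the enclosing settings block starts before it.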
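Review bot: The `extraConfig = "proxy_ssl_server_name on;"` line and its comment now describe a TLS upstream that the new `proxyPass = "http://unix:${socket}:"` no longer has, so the directive is dead configuration and the comment is wrong; either drop the line or reword the comment to `# no effect here: upstream is a plaintext unix socket`. The nginx worker also needs connect permission on `/run/services/forgejo/web.socket`, which nothing in this hunk arranges; the symptom would be 502s with `(13: Permission denied)` in nginx's error log. The `locations."/"` attrset closes inside the hunk, but the enclosing virtualHost starts before it.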
@@ -7,6 +7,8 @@ let
 cfg = config.aux.system.services.jellyfin;
+ socket = "/run/services/jellyfin/web.socket";
+
 jellyfin-audio-save = pkgs.jellyfin.overrideAttrs (
 finalAttrs: prevAttrs: {
 patches = [ ./jellyfin/jellyfin-audio-save-position.patch ];
 }
 );
@@ -33,11 +35,18 @@ in
 aux.system.users.media.enable = true;
 services = {
+ jellyfin = {
+ enable = true;
+ dataDir = cfg.home;
+ group = "media";
+ package = jellyfin-audio-save;
+ };
+
 nginx.virtualHosts."${cfg.url}" = {
 useACMEHost = pkgs.util.getDomainFromURL cfg.url;
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://127.0.0.1:8096";
+ proxyPass = "http://unix:${socket}:";
 proxyWebsockets = true;
 extraConfig = ''
 # Taken from https://jellyfin.org/docs/general/networking/nginx/
@@ -60,7 +69,7 @@ in
 '';
 };
 locations."/socket" = {
- proxyPass = "http://127.0.0.1:8096";
+ proxyPass = "http://unix:${socket}:";
 proxyWebsockets = true;
 extraConfig = ''
 # Proxy Jellyfin Websockets traffic
@@ -75,13 +84,6 @@ in
 '';
 };
 };
-
- jellyfin = {
- enable = true;
- dataDir = cfg.home;
- group = "media";
- package = jellyfin-audio-save;
- };
 };
 # Install packages for plugins
@@ -91,7 +93,15 @@ in
 ];
 systemd.services = {
- jellyfin.unitConfig.RequiresMountsFor = cfg.home;
+ jellyfin = {
+ # Use Unix sockets in place of ports
+ environment = {
+ JELLYFIN_kestrel__socketPermissions = "0777";
+ JELLYFIN_kestrel__socketPath = socket;
+ JELLYFIN_kestrel__socket = "true";
+ };
+ unitConfig.RequiresMountsFor = cfg.home;
+ };
 nginx.wants = [ config.systemd.services.jellyfin.name ];
 };
 };
diff --git a/modules/services/netdata.nix b/modules/services/netdata.nix
index 03e88a3..9e5b833 100644
--- a/modules/services/netdata.nix
+++ b/modules/services/netdata.nix
@@ -6,6 +6,8 @@
 }:
 let
 cfg = config.aux.system.services.netdata;
+
+ socket = "/run/services/netdata/web.socket";
 in
 {
 options = {
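Review bot: `JELLYFIN_kestrel__socketPermissions = "0777"` makes the Kestrel listener socket world-writable, so every local user or confined process can talk to Jellyfin directly and skip nginx entirely, when only the nginx worker needs to connect. With `group = "media"` already set on the service earlier in this file, `"0660"` plus `users.users.nginx.extraGroups = [ "media" ];` should be sufficient, assuming Kestrel creates the socket under the process's primary group — worth confirming on a test boot. As in the other two modules, nothing visible creates `/run/services/jellyfin`; if it is not a RuntimeDirectory of the unit, the bind fails at start. The `systemd.services` attrset is fully inside the hunk, but the enclosing `config` block is not.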
@@ -49,26 +51,6 @@ in
 config = lib.mkMerge [
 (lib.mkIf (cfg.enable && cfg.type == "parent") {
 services = {
- nginx.virtualHosts."${cfg.url}" = {
- useACMEHost = pkgs.util.getDomainFromURL cfg.url;
- forceSSL = true;
- basicAuth = {
- "${cfg.auth.user}" = cfg.auth.password;
- };
- locations."/" = {
- proxyPass = "http://127.0.0.1:19999";
- extraConfig = ''
- # Taken from https://learn.netdata.cloud/docs/netdata-agent/configuration/running-the-netdata-agent-behind-a-reverse-proxy/nginx
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Server $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_pass_request_headers on;
- proxy_set_header Connection "keep-alive";
- proxy_store off;
- '';
- };
- };
-
 netdata = {
 enable = true;
 package = pkgs.unstable.netdataCloud;
@@ -87,6 +69,30 @@ in
 health enabled by default = auto
 allow streaming from = *
 '';
+ "socket.conf" = pkgs.writeText "socket.conf" ''
+ [web]
+ bind to = unix:${socket}
+ '';
+ };
+ };
+
+ nginx.virtualHosts."${cfg.url}" = {
+ useACMEHost = pkgs.util.getDomainFromURL cfg.url;
+ forceSSL = true;
+ basicAuth = {
+ "${cfg.auth.user}" = cfg.auth.password;
+ };
+ locations."/" = {
+ proxyPass = "http://unix:${socket}:";
+ extraConfig = ''
+ # Taken from https://learn.netdata.cloud/docs/netdata-agent/configuration/running-the-netdata-agent-behind-a-reverse-proxy/nginx
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Server $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass_request_headers on;
+ proxy_set_header Connection "keep-alive";
+ proxy_store off;
+ '';
 };
 };
 };
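Review bot: As far as I know netdata only reads its `[web]` section from `netdata.conf`, not from an arbitrary `socket.conf` dropped into the config directory, so the `bind to = unix:${socket}` added here is most likely never applied, netdata keeps listening on its default port, and the new `proxyPass = "http://unix:${socket}:"` would point at a socket nobody creates. The NixOS route is `services.netdata.config.web."bind to" = "unix:${socket}";`, which lands in the generated `netdata.conf`; the attrset this entry is added to starts outside the hunk, so confirm how it is wired before relying on it. Separately, `basicAuth = { "${cfg.auth.user}" = cfg.auth.password; }` is carried over unchanged and still places the password in the world-readable Nix store via the generated nginx config; `basicAuthFile` pointing at a secret kept outside the store avoids that.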