nixos/invidious: bind to 127.0.0.1 instead of 0.0.0.0 if nginx is used

+18 -3
+18 -3
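--- a/nixos/modules/services/web-apps/invidious.nix
+++ b/nixos/modules/services/web-apps/invidious.nix
@@ -123,6 +123,8 @@
 # Not needed because peer authentication is enabled
 password = lib.mkIf (cfg.database.host == null) "";
 };
+
+host_binding = cfg.address;
 } // (lib.optionalAttrs (cfg.domain != null) {
 inherit (cfg) domain;
 });
@@ -175,12 +177,15 @@
 external_port = 80;
 };
 
-services.nginx = {
+services.nginx = let
+ip = if cfg.address == "0.0.0.0" then "127.0.0.1" else cfg.address;
+in
+{
 enable = true;
 virtualHosts.${cfg.domain} = {
 locations."/".proxyPass =
 if cfg.serviceScale == 1 then
-"http://127.0.0.1:${toString cfg.port}"
+"http://${ip}:${toString cfg.port}"
 else "http://upstream-invidious";
 
 enableACME = lib.mkDefault true;
@@ -189,7 +194,7 @@
 upstreams = lib.mkIf (cfg.serviceScale > 1) {
 "upstream-invidious".servers = builtins.listToAttrs (builtins.genList
 (scaleIndex: {
-name = "127.0.0.1:${toString (cfg.port + scaleIndex)}";
+name = "${ip}:${toString (cfg.port + scaleIndex)}";
 value = { };
 })
 cfg.serviceScale);
@@ -265,6 +270,16 @@
 The FQDN Invidious is reachable on.
 
 This is used to configure nginx and for building absolute URLs.
+'';
+};
+
+address = lib.mkOption {
+type = types.str;
+# default from https://github.com/iv-org/invidious/blob/master/config/config.example.yml
+default = if cfg.nginx.enable then "127.0.0.1" else "0.0.0.0";
+defaultText = lib.literalExpression ''if config.services.invidious.nginx.enable then "127.0.0.1" else "0.0.0.0"'';
+description = lib.mdDoc ''
+The IP address Invidious should bind to.
 '';
 };
 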
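Review bot: The `ip` binding added under `services.nginx` only special-cases the IPv4 wildcard, so with `address = "::"` or any other IPv6 literal (the option is a plain `types.str`) the `proxyPass` and upstream strings become `http://:::PORT`-style values that nginx will presumably reject, since IPv6 literals need brackets there. Consider `ip = if cfg.address == "0.0.0.0" then "127.0.0.1" else if cfg.address == "::" then "[::1]" else if lib.hasInfix ":" cfg.address then "[${cfg.address}]" else cfg.address;`. Separately, the `address` description should state the exposure consequence, since an explicit non-loopback value with nginx enabled leaves the plain-HTTP backend port(s) (`port` through `port + serviceScale - 1`) reachable on every interface the firewall allows, bypassing the nginx virtual host; for example append `Any non-loopback value exposes the unencrypted Invidious port(s) directly; keep the default when nginx is enabled.` The `services.nginx` attribute set closes outside the visible hunks, so whether anything else restricts access to those ports cannot be checked from here.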