haak/dotfiles
1
0
Fork 0
Code Issues Pull requests Wiki Activity Actions

organize configuration by hardware machine

Browse source
This commit is contained in:
Haak Saxberg 2022-07-30 19:41:50 -07:00
parent 378a4dcef7
commit 15dfc5c9b7
6 changed files with 118 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

215
nix/system/xps11/configuration.nix Normal file
View file

@ -0,0 +1,215 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
./hardware-configuration.nix
./glibc-locale-paths.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.configurationLimit = 42;
boot.loader.efi.canTouchEfiVariables = true;
hardware.bluetooth.enable = true;
networking.networkmanager.enable = true;
networking.hostName = "athena"; # Define your hostname.
# Create entries for /etc/wpa_supplicant.conf by running `wpa_passphrase SSID PASSWORD`
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.wlp58s0.useDHCP = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n = {
defaultLocale = "en_US.UTF-8";
};
# run the following command to swap escape and caps-lock keys, like a
# civilized person:
# setxkbmap -option caps:swapescape
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
cachix
firefox
# configure local network sharing, launch app on startup, and auto-connect
# in the preferences menu
mullvad-vpn
p7zip
# Do NOT use qbittorrent unless you have set up interface binding with your
# VPN: https://web.archive.org/web/20210426203101/https://mullvad.net/en/help/bittorrent/
qbittorrent
wget
zsh
];
nixpkgs.config.allowUnfree = true;
fonts.fonts = with pkgs; [ fira-code ];
# Open ports in the firewall.
networking.firewall = {
allowedTCPPorts = [
22 # for ssh access
80
8080 # port for qbittorrent webui
];
};
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Nginx Reverse SSL Proxy
services.nginx = {
enable = true;
# give a name to the virtual host. It also becomes the server name.
virtualHosts."sub.domain.tld" = {
# http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/
http2 = true;
# Provide the ssl cert and key for the vhost
extraConfig = ''
#Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m;
# Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
# ssl_stapling on;
# ssl_stapling_verify on;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_prefer_server_ciphers on;
#Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# Forward real ip and host to Plex
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $server_addr;
proxy_set_header Referer $server_addr;
proxy_set_header Origin $server_addr;
# Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
gzip on;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
gzip_disable "MSIE [1-6]\.";
# Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
# Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
client_max_body_size 100M;
# Plex headers
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
# Websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Buffering off send to the client as soon as the data is received from Plex.
proxy_redirect off;
proxy_buffering off;
'';
locations."/" = {
proxyPass = "http://localhost:32400/";
};
};
};
# VPN setup
services.mullvad-vpn.enable = true;
networking.wireguard.enable = true;
networking.firewall.checkReversePath = "loose";
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "us";
services.xserver.xkbOptions = "caps:swapescape";
services.plex = {
enable = true;
user = "haak";
group = "users";
};
# Enable touchpad support.
services.xserver.libinput.enable = true;
# Enable the KDE Desktop Environment.
services.xserver = {
displayManager.sddm.enable = true;
desktopManager.plasma5.enable = true;
};
services.syncthing = {
enable = true;
user = "haak";
dataDir = "/home/haak/synced";
configDir = "/home/haak/synced/.config/syncthing";
};
location.provider = "geoclue2";
# Define a user account. Don't forget to set a password with passwd.
users.users.haak = {
isNormalUser = true;
extraGroups = [
"wheel" # Enable sudo for the user.
"networkmanager" # Allow the user to manage networks
];
};
users.extraUsers.haak = {
shell = pkgs.zsh;
};
nix.settings.trusted-users = [ "root" "haak" ];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "20.03"; # Did you read the comment?
system.autoUpgrade.enable = true;
}