diff --git a/nix/deployments/hive.nix b/nix/deployments/hive.nix index 9e813cd..fcf64a6 100644 --- a/nix/deployments/hive.nix +++ b/nix/deployments/hive.nix @@ -15,12 +15,6 @@ in ]; - networking.wireless.networks."lbheim" = { - pskRaw = ( - (import ../system/framework/keys.nix).wifi."lbheim".pskRaw - ); - }; - documentation.enable = false; # for nixops to log in and perform operations as haak (instead of root) @@ -63,8 +57,10 @@ in deployment.targetHost = serverIp; imports = [ ../system/xps11/configuration.nix + ../home/programs/nginx ../home/programs/jellyfin ../home/programs/calibre-web + ../home/programs/forgejo/webserver.nix ]; fileSystems."/storage" = { @@ -88,6 +84,7 @@ in ../home/programs/sonarr ../home/programs/readarr ../home/programs/calibre + ../home/programs/forgejo/backendserver.nix ]; fileSystems."/export/storage" = diff --git a/nix/home/programs/calibre-web/default.nix b/nix/home/programs/calibre-web/default.nix index 7440c1a..13b0b11 100644 --- a/nix/home/programs/calibre-web/default.nix +++ b/nix/home/programs/calibre-web/default.nix @@ -1,19 +1,14 @@ { lib, ... }: +let + domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/bookdomain; +in { services.calibre-web = { enable = true; }; - security.acme.acceptTerms = true; - security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email; services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/bookdomain}" = { + virtualHosts."${domain}" = { forceSSL = true; enableACME = true; # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/ diff --git a/nix/home/programs/forgejo/backendserver.nix b/nix/home/programs/forgejo/backendserver.nix new file mode 100644 index 0000000..11d94dc --- /dev/null +++ b/nix/home/programs/forgejo/backendserver.nix @@ -0,0 +1,29 @@ +{lib, ...}: + +let + domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain; + port = 9090; +in +{ + networking.firewall = { + allowedTCPPorts = [ port ]; + allowedUDPPorts = [ port ]; + }; + + services.forgejo = { + enable = true; + # database.type = "postgres"; + # Enable support for Git Large File Storage + lfs.enable = true; + settings = { + server = { + DOMAIN = domain; + # You need to specify this to remove the port from URLs in the web UI. + ROOT_URL = "https://${domain}/"; + HTTP_PORT = port; + }; + # You can temporarily allow registration to create an admin user. + service.DISABLE_REGISTRATION = true; + }; + }; +} diff --git a/nix/home/programs/forgejo/webserver.nix b/nix/home/programs/forgejo/webserver.nix new file mode 100644 index 0000000..941d939 --- /dev/null +++ b/nix/home/programs/forgejo/webserver.nix @@ -0,0 +1,40 @@ +{ lib, ... }: + +let + domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain; +in +{ + services.nginx = { + virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + extraConfig = '' + # Provide the ssl cert and key for the vhost + #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause + send_timeout 100m; + + # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ + ssl_stapling on; + ssl_stapling_verify on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + # ssl_prefer_server_ciphers on; + #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384. + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + + # A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. + gzip on; + gzip_vary on; + gzip_min_length 1000; + gzip_proxied any; + gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; + gzip_disable "MSIE [1-6]\."; + + # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones. + # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more + client_max_body_size 100M; + ''; + locations."/".proxyPass = "http://192.168.1.168:9090"; + }; + }; +} diff --git a/nix/home/programs/jellyfin/default.nix b/nix/home/programs/jellyfin/default.nix index 2f315cf..50fadbc 100644 --- a/nix/home/programs/jellyfin/default.nix +++ b/nix/home/programs/jellyfin/default.nix @@ -22,16 +22,7 @@ # 2. override default hardening measure from NixOS - this is default since 22.05 systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false; - - security.acme.acceptTerms = true; - security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email; services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/domain}" = { forceSSL = true; enableACME = true; diff --git a/nix/home/programs/nginx/default.nix b/nix/home/programs/nginx/default.nix new file mode 100644 index 0000000..3095494 --- /dev/null +++ b/nix/home/programs/nginx/default.nix @@ -0,0 +1,15 @@ +{lib, ...}: +let + acmeEmail = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email; +in +{ + security.acme.acceptTerms = true; + security.acme.defaults.email = acmeEmail; + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; +} diff --git a/nix/home/programs/sonarr/default.nix b/nix/home/programs/sonarr/default.nix index eaa1e7c..3ad3ca1 100644 --- a/nix/home/programs/sonarr/default.nix +++ b/nix/home/programs/sonarr/default.nix @@ -7,6 +7,14 @@ openFirewall = true; }; + # See https://github.com/NixOS/nixpkgs/issues/360592 + nixpkgs.config.permittedInsecurePackages = [ + "aspnetcore-runtime-6.0.36" + "aspnetcore-runtime-wrapped-6.0.36" + "dotnet-sdk-6.0.428" + "dotnet-sdk-wrapped-6.0.428" + ]; + users.extraUsers.sonarr = { extraGroups = [ "sonarr" "multimedia" ]; }; diff --git a/nix/system/framework/configuration.nix b/nix/system/framework/configuration.nix index e35ce48..86b7fbb 100644 --- a/nix/system/framework/configuration.nix +++ b/nix/system/framework/configuration.nix @@ -121,15 +121,6 @@ services.mullvad-vpn.enable = true; networking.wireguard.enable = true; - - # Enable sound. - # sound.enable turns on pulseaudio, which conflicts with pipwire. As - # Pipewire is now enabled by default (??) we should not enable the default - # sound provider. - # https://github.com/NixOS/nixpkgs/issues/163066 - sound.enable = true; - # hardware.pulseaudio.enable = false; - # security.rtkit.enable = true; services.pipewire = { enable = false; alsa.enable = true; diff --git a/secrets b/secrets index fecfe5a..72c7c13 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit fecfe5a04ea935f130173fc32a23c2e2a94a77d4 +Subproject commit 72c7c13dddda3638b7276085204faa8c3da61c50