bump secrets

latest nixos configuration expectations

nix/deployments/hive.nix

@@ -15,12 +15,6 @@ in
         <home-manager/nixos>
       ];
 
-      networking.wireless.networks."lbheim" = {
-        pskRaw = (
-          (import ../system/framework/keys.nix).wifi."lbheim".pskRaw
-        );
-      };
-
       documentation.enable = false;
 
       # for nixops to log in and perform operations as haak (instead of root)
@@ -63,8 +57,10 @@ in
       deployment.targetHost = serverIp;
       imports = [
         ../system/xps11/configuration.nix
+        ../home/programs/nginx
         ../home/programs/jellyfin
         ../home/programs/calibre-web
+        ../home/programs/forgejo/webserver.nix
       ];
 
       fileSystems."/storage" = {
@@ -88,6 +84,7 @@ in
         ../home/programs/sonarr
         ../home/programs/readarr
         ../home/programs/calibre
+        ../home/programs/forgejo/backendserver.nix
       ];
 
       fileSystems."/export/storage" =

nix/home/programs/calibre-web/default.nix

@@ -1,19 +1,14 @@
 { lib, ... }:
+let
+  domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/bookdomain;
+in
 {
   services.calibre-web = {
     enable = true;
   };
 
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
   services.nginx = {
-    enable = true;
+    virtualHosts."${domain}" = {
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
-    virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/bookdomain}" = {
       forceSSL = true;
       enableACME = true;
       # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/

nix/home/programs/forgejo/backendserver.nix

@@ -0,0 +1,29 @@
+{lib, ...}:
+
+let
+ domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain;
+ port = 9090;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ port ];
+    allowedUDPPorts = [ port ];
+  };
+
+  services.forgejo = {
+    enable = true;
+    # database.type = "postgres";
+    # Enable support for Git Large File Storage
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = domain;
+        # You need to specify this to remove the port from URLs in the web UI.
+        ROOT_URL = "https://${domain}/";
+        HTTP_PORT = port;
+      };
+      # You can temporarily allow registration to create an admin user.
+      service.DISABLE_REGISTRATION = true;
+    };
+  };
+}

nix/home/programs/forgejo/webserver.nix

@@ -0,0 +1,40 @@
+{ lib, ... }:
+
+let
+ domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain;
+in
+{
+   services.nginx = {
+    virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        # Provide the ssl cert and key for the vhost
+        #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+        send_timeout 100m;
+
+        # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        # ssl_prefer_server_ciphers on;
+        #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
+        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+
+        # A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
+        gzip on;
+        gzip_vary on;
+        gzip_min_length 1000;
+        gzip_proxied any;
+        gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
+        gzip_disable "MSIE [1-6]\.";
+
+        # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
+        # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
+        client_max_body_size 100M;
+      '';
+      locations."/".proxyPass = "http://192.168.1.168:9090";
+    };
+  };
+}

nix/home/programs/jellyfin/default.nix

@@ -22,16 +22,7 @@
   # 2. override default hardening measure from NixOS - this is default since 22.05
   systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
 
-
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
   services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-
     virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/domain}" = {
       forceSSL = true;
       enableACME = true;

nix/home/programs/nginx/default.nix

@@ -0,0 +1,15 @@
+{lib, ...}:
+let
+  acmeEmail = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
+in
+{
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = acmeEmail;
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+}

nix/home/programs/sonarr/default.nix

@@ -7,6 +7,14 @@
     openFirewall = true;
   };
 
+  # See https://github.com/NixOS/nixpkgs/issues/360592
+  nixpkgs.config.permittedInsecurePackages = [
+    "aspnetcore-runtime-6.0.36"
+    "aspnetcore-runtime-wrapped-6.0.36"
+    "dotnet-sdk-6.0.428"
+    "dotnet-sdk-wrapped-6.0.428"
+  ];
+
   users.extraUsers.sonarr = {
     extraGroups = [ "sonarr" "multimedia" ];
   };

nix/system/framework/configuration.nix

@@ -121,15 +121,6 @@
   services.mullvad-vpn.enable = true;
   networking.wireguard.enable = true;
 
-
-  # Enable sound.
-  # sound.enable turns on pulseaudio, which conflicts with pipwire. As
-  # Pipewire is now enabled by default (??) we should not enable the default
-  # sound provider.
-  #   https://github.com/NixOS/nixpkgs/issues/163066
-  sound.enable = true;
-  # hardware.pulseaudio.enable = false;
-  # security.rtkit.enable = true;
   services.pipewire = {
     enable = false;
     alsa.enable = true;

secrets

@@ -1 +1 @@
-Subproject commit fecfe5a04ea935f130173fc32a23c2e2a94a77d4
+Subproject commit 72c7c13dddda3638b7276085204faa8c3da61c50