diff --git a/nix/deployments/hive.nix b/nix/deployments/hive.nix index fcf64a6..9e813cd 100644 --- a/nix/deployments/hive.nix +++ b/nix/deployments/hive.nix @@ -15,6 +15,12 @@ in ]; + networking.wireless.networks."lbheim" = { + pskRaw = ( + (import ../system/framework/keys.nix).wifi."lbheim".pskRaw + ); + }; + documentation.enable = false; # for nixops to log in and perform operations as haak (instead of root) @@ -57,10 +63,8 @@ in deployment.targetHost = serverIp; imports = [ ../system/xps11/configuration.nix - ../home/programs/nginx ../home/programs/jellyfin ../home/programs/calibre-web - ../home/programs/forgejo/webserver.nix ]; fileSystems."/storage" = { @@ -84,7 +88,6 @@ in ../home/programs/sonarr ../home/programs/readarr ../home/programs/calibre - ../home/programs/forgejo/backendserver.nix ]; fileSystems."/export/storage" = diff --git a/nix/home/programs/calibre-web/default.nix b/nix/home/programs/calibre-web/default.nix index 13b0b11..7440c1a 100644 --- a/nix/home/programs/calibre-web/default.nix +++ b/nix/home/programs/calibre-web/default.nix @@ -1,14 +1,19 @@ { lib, ... }: -let - domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/bookdomain; -in { services.calibre-web = { enable = true; }; + security.acme.acceptTerms = true; + security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email; services.nginx = { - virtualHosts."${domain}" = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/bookdomain}" = { forceSSL = true; enableACME = true; # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/ diff --git a/nix/home/programs/forgejo/backendserver.nix b/nix/home/programs/forgejo/backendserver.nix deleted file mode 100644 index 11d94dc..0000000 --- a/nix/home/programs/forgejo/backendserver.nix +++ /dev/null @@ -1,29 +0,0 @@ -{lib, ...}: - -let - domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain; - port = 9090; -in -{ - networking.firewall = { - allowedTCPPorts = [ port ]; - allowedUDPPorts = [ port ]; - }; - - services.forgejo = { - enable = true; - # database.type = "postgres"; - # Enable support for Git Large File Storage - lfs.enable = true; - settings = { - server = { - DOMAIN = domain; - # You need to specify this to remove the port from URLs in the web UI. - ROOT_URL = "https://${domain}/"; - HTTP_PORT = port; - }; - # You can temporarily allow registration to create an admin user. - service.DISABLE_REGISTRATION = true; - }; - }; -} diff --git a/nix/home/programs/forgejo/webserver.nix b/nix/home/programs/forgejo/webserver.nix deleted file mode 100644 index 941d939..0000000 --- a/nix/home/programs/forgejo/webserver.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ lib, ... }: - -let - domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain; -in -{ - services.nginx = { - virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - extraConfig = '' - # Provide the ssl cert and key for the vhost - #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause - send_timeout 100m; - - # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ - ssl_stapling on; - ssl_stapling_verify on; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - # ssl_prefer_server_ciphers on; - #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384. - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; - - # A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. - gzip on; - gzip_vary on; - gzip_min_length 1000; - gzip_proxied any; - gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; - gzip_disable "MSIE [1-6]\."; - - # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones. - # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more - client_max_body_size 100M; - ''; - locations."/".proxyPass = "http://192.168.1.168:9090"; - }; - }; -} diff --git a/nix/home/programs/jellyfin/default.nix b/nix/home/programs/jellyfin/default.nix index 50fadbc..2f315cf 100644 --- a/nix/home/programs/jellyfin/default.nix +++ b/nix/home/programs/jellyfin/default.nix @@ -22,7 +22,16 @@ # 2. override default hardening measure from NixOS - this is default since 22.05 systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false; + + security.acme.acceptTerms = true; + security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email; services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/domain}" = { forceSSL = true; enableACME = true; diff --git a/nix/home/programs/nginx/default.nix b/nix/home/programs/nginx/default.nix deleted file mode 100644 index 3095494..0000000 --- a/nix/home/programs/nginx/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{lib, ...}: -let - acmeEmail = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email; -in -{ - security.acme.acceptTerms = true; - security.acme.defaults.email = acmeEmail; - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - }; -} diff --git a/nix/home/programs/sonarr/default.nix b/nix/home/programs/sonarr/default.nix index 3ad3ca1..eaa1e7c 100644 --- a/nix/home/programs/sonarr/default.nix +++ b/nix/home/programs/sonarr/default.nix @@ -7,14 +7,6 @@ openFirewall = true; }; - # See https://github.com/NixOS/nixpkgs/issues/360592 - nixpkgs.config.permittedInsecurePackages = [ - "aspnetcore-runtime-6.0.36" - "aspnetcore-runtime-wrapped-6.0.36" - "dotnet-sdk-6.0.428" - "dotnet-sdk-wrapped-6.0.428" - ]; - users.extraUsers.sonarr = { extraGroups = [ "sonarr" "multimedia" ]; }; diff --git a/nix/system/framework/configuration.nix b/nix/system/framework/configuration.nix index 86b7fbb..e35ce48 100644 --- a/nix/system/framework/configuration.nix +++ b/nix/system/framework/configuration.nix @@ -121,6 +121,15 @@ services.mullvad-vpn.enable = true; networking.wireguard.enable = true; + + # Enable sound. + # sound.enable turns on pulseaudio, which conflicts with pipwire. As + # Pipewire is now enabled by default (??) we should not enable the default + # sound provider. + # https://github.com/NixOS/nixpkgs/issues/163066 + sound.enable = true; + # hardware.pulseaudio.enable = false; + # security.rtkit.enable = true; services.pipewire = { enable = false; alsa.enable = true; diff --git a/secrets b/secrets index 72c7c13..fecfe5a 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit 72c7c13dddda3638b7276085204faa8c3da61c50 +Subproject commit fecfe5a04ea935f130173fc32a23c2e2a94a77d4