9 changed files with 34 additions and 100 deletions
--- a/nix/deployments/hive.nix
+++ b/nix/deployments/hive.nix
@ -15,6 +15,12 @@ in
        <home-manager/nixos>
      ];

+      networking.wireless.networks."lbheim" = {
+        pskRaw = (
+          (import ../system/framework/keys.nix).wifi."lbheim".pskRaw
+        );
+      };
+
      documentation.enable = false;

      # for nixops to log in and perform operations as haak (instead of root)
@ -57,10 +63,8 @@ in
      deployment.targetHost = serverIp;
      imports = [
        ../system/xps11/configuration.nix
-        ../home/programs/nginx
        ../home/programs/jellyfin
        ../home/programs/calibre-web
-        ../home/programs/forgejo/webserver.nix
      ];

      fileSystems."/storage" = {
@ -84,7 +88,6 @@ in
        ../home/programs/sonarr
        ../home/programs/readarr
        ../home/programs/calibre
-        ../home/programs/forgejo/backendserver.nix
      ];

      fileSystems."/export/storage" =
--- a/nix/home/programs/calibre-web/default.nix
+++ b/nix/home/programs/calibre-web/default.nix
@ -1,14 +1,19 @@
 { lib, ... }:
-let
-  domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/bookdomain;
-in
 {
  services.calibre-web = {
    enable = true;
  };

+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
  services.nginx = {
-    virtualHosts."${domain}" = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/bookdomain}" = {
      forceSSL = true;
      enableACME = true;
      # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/
--- a/nix/home/programs/forgejo/backendserver.nix
+++ b/nix/home/programs/forgejo/backendserver.nix
@ -1,29 +0,0 @@
-{lib, ...}:
-
-let
- domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain;
- port = 9090;
-in
-{
-  networking.firewall = {
-    allowedTCPPorts = [ port ];
-    allowedUDPPorts = [ port ];
-  };
-
-  services.forgejo = {
-    enable = true;
-    # database.type = "postgres";
-    # Enable support for Git Large File Storage
-    lfs.enable = true;
-    settings = {
-      server = {
-        DOMAIN = domain;
-        # You need to specify this to remove the port from URLs in the web UI.
-        ROOT_URL = "https://${domain}/";
-        HTTP_PORT = port;
-      };
-      # You can temporarily allow registration to create an admin user.
-      service.DISABLE_REGISTRATION = true;
-    };
-  };
-}
--- a/nix/home/programs/forgejo/webserver.nix
+++ b/nix/home/programs/forgejo/webserver.nix
@ -1,40 +0,0 @@
-{ lib, ... }:
-
-let
- domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain;
-in
-{
-   services.nginx = {
-    virtualHosts.${domain} = {
-      forceSSL = true;
-      enableACME = true;
-      extraConfig = ''
-        # Provide the ssl cert and key for the vhost
-        #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
-        send_timeout 100m;
-
-        # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
-        ssl_stapling on;
-        ssl_stapling_verify on;
-
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        # ssl_prefer_server_ciphers on;
-        #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
-        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-
-        # A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
-        gzip on;
-        gzip_vary on;
-        gzip_min_length 1000;
-        gzip_proxied any;
-        gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
-        gzip_disable "MSIE [1-6]\.";
-
-        # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
-        # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
-        client_max_body_size 100M;
-      '';
-      locations."/".proxyPass = "http://192.168.1.168:9090";
-    };
-  };
-}
--- a/nix/home/programs/jellyfin/default.nix
+++ b/nix/home/programs/jellyfin/default.nix
@ -22,7 +22,16 @@
  # 2. override default hardening measure from NixOS - this is default since 22.05
  systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;

+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
    virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/domain}" = {
      forceSSL = true;
      enableACME = true;
--- a/nix/home/programs/nginx/default.nix
+++ b/nix/home/programs/nginx/default.nix
@ -1,15 +0,0 @@
-{lib, ...}:
-let
-  acmeEmail = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
-in
-{
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = acmeEmail;
-  services.nginx = {
-    enable = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-  };
-}
--- a/nix/home/programs/sonarr/default.nix
+++ b/nix/home/programs/sonarr/default.nix
@ -7,14 +7,6 @@
    openFirewall = true;
  };

-  # See https://github.com/NixOS/nixpkgs/issues/360592
-  nixpkgs.config.permittedInsecurePackages = [
-    "aspnetcore-runtime-6.0.36"
-    "aspnetcore-runtime-wrapped-6.0.36"
-    "dotnet-sdk-6.0.428"
-    "dotnet-sdk-wrapped-6.0.428"
-  ];
-
  users.extraUsers.sonarr = {
    extraGroups = [ "sonarr" "multimedia" ];
  };
--- a/nix/system/framework/configuration.nix
+++ b/nix/system/framework/configuration.nix
@ -121,6 +121,15 @@
  services.mullvad-vpn.enable = true;
  networking.wireguard.enable = true;

+
+  # Enable sound.
+  # sound.enable turns on pulseaudio, which conflicts with pipwire. As
+  # Pipewire is now enabled by default (??) we should not enable the default
+  # sound provider.
+  #   https://github.com/NixOS/nixpkgs/issues/163066
+  sound.enable = true;
+  # hardware.pulseaudio.enable = false;
+  # security.rtkit.enable = true;
  services.pipewire = {
    enable = false;
    alsa.enable = true;
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 72c7c13dddda3638b7276085204faa8c3da61c50
+Subproject commit fecfe5a04ea935f130173fc32a23c2e2a94a77d4