9 changed files with 34 additions and 100 deletions
--- a/nix/deployments/hive.nix
+++ b/nix/deployments/hive.nix
@ -15,6 +15,12 @@ in
        <home-manager/nixos>
      ];
      networking.wireless.networks."lbheim" = {
        pskRaw = (
          (import ../system/framework/keys.nix).wifi."lbheim".pskRaw
        );
      };
      documentation.enable = false;
      # for nixops to log in and perform operations as haak (instead of root)
@ -57,10 +63,8 @@ in
      deployment.targetHost = serverIp;
      imports = [
        ../system/xps11/configuration.nix
        ../home/programs/nginx
        ../home/programs/jellyfin
        ../home/programs/calibre-web
        ../home/programs/forgejo/webserver.nix
      ];
      fileSystems."/storage" = {
@ -84,7 +88,6 @@ in
        ../home/programs/sonarr
        ../home/programs/readarr
        ../home/programs/calibre
        ../home/programs/forgejo/backendserver.nix
      ];
      fileSystems."/export/storage" =
--- a/nix/home/programs/calibre-web/default.nix
+++ b/nix/home/programs/calibre-web/default.nix
@ -1,14 +1,19 @@
 { lib, ... }:
 let
  domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/bookdomain;
 in
 {
  services.calibre-web = {
    enable = true;
  };
  security.acme.acceptTerms = true;
  security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
  services.nginx = {
-    virtualHosts."${domain}" = {
+    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/bookdomain}" = {
      forceSSL = true;
      enableACME = true;
      # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/
--- a/nix/home/programs/forgejo/backendserver.nix
+++ b/nix/home/programs/forgejo/backendserver.nix
@ -1,29 +0,0 @@
 {lib, ...}:
 let
 domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain;
 port = 9090;
 in
 {
  networking.firewall = {
    allowedTCPPorts = [ port ];
    allowedUDPPorts = [ port ];
  };
  services.forgejo = {
    enable = true;
    # database.type = "postgres";
    # Enable support for Git Large File Storage
    lfs.enable = true;
    settings = {
      server = {
        DOMAIN = domain;
        # You need to specify this to remove the port from URLs in the web UI.
        ROOT_URL = "https://${domain}/";
        HTTP_PORT = port;
      };
      # You can temporarily allow registration to create an admin user.
      service.DISABLE_REGISTRATION = true;
    };
  };
 }
--- a/nix/home/programs/forgejo/webserver.nix
+++ b/nix/home/programs/forgejo/webserver.nix
@ -1,40 +0,0 @@
 { lib, ... }:
 let
 domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain;
 in
 {
   services.nginx = {
    virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      extraConfig = ''
        # Provide the ssl cert and key for the vhost
        #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
        send_timeout 100m;
        # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # ssl_prefer_server_ciphers on;
        #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        # A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
        gzip on;
        gzip_vary on;
        gzip_min_length 1000;
        gzip_proxied any;
        gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
        gzip_disable "MSIE [1-6]\.";
        # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
        # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
        client_max_body_size 100M;
      '';
      locations."/".proxyPass = "http://192.168.1.168:9090";
    };
  };
 }
--- a/nix/home/programs/jellyfin/default.nix
+++ b/nix/home/programs/jellyfin/default.nix
@ -22,7 +22,16 @@
  # 2. override default hardening measure from NixOS - this is default since 22.05
  systemd.services.jellyfin.serviceConfig.PrivateDevices = lib.mkForce false;
  security.acme.acceptTerms = true;
  security.acme.defaults.email = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts."${lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/domain}" = {
      forceSSL = true;
      enableACME = true;
--- a/nix/home/programs/nginx/default.nix
+++ b/nix/home/programs/nginx/default.nix
@ -1,15 +0,0 @@
 {lib, ...}:
 let
  acmeEmail = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/email;
 in
 {
  security.acme.acceptTerms = true;
  security.acme.defaults.email = acmeEmail;
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
  };
 }
--- a/nix/home/programs/sonarr/default.nix
+++ b/nix/home/programs/sonarr/default.nix
@ -7,14 +7,6 @@
    openFirewall = true;
  };
  # See https://github.com/NixOS/nixpkgs/issues/360592
  nixpkgs.config.permittedInsecurePackages = [
    "aspnetcore-runtime-6.0.36"
    "aspnetcore-runtime-wrapped-6.0.36"
    "dotnet-sdk-6.0.428"
    "dotnet-sdk-wrapped-6.0.428"
  ];
  users.extraUsers.sonarr = {
    extraGroups = [ "sonarr" "multimedia" ];
  };
--- a/nix/system/framework/configuration.nix
+++ b/nix/system/framework/configuration.nix
@ -121,6 +121,15 @@
  services.mullvad-vpn.enable = true;
  networking.wireguard.enable = true;
  # Enable sound.
  # sound.enable turns on pulseaudio, which conflicts with pipwire. As
  # Pipewire is now enabled by default (??) we should not enable the default
  # sound provider.
  #   https://github.com/NixOS/nixpkgs/issues/163066
  sound.enable = true;
  # hardware.pulseaudio.enable = false;
  # security.rtkit.enable = true;
  services.pipewire = {
    enable = false;
    alsa.enable = true;
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 72c7c13dddda3638b7276085204faa8c3da61c50
+Subproject commit fecfe5a04ea935f130173fc32a23c2e2a94a77d4
		`@ -1 +1 @@`
			`Subproject commit 72c7c13dddda3638b7276085204faa8c3da61c50`				`Subproject commit fecfe5a04ea935f130173fc32a23c2e2a94a77d4`