# Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). { config, pkgs, ... }: { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ./glibc-locale-paths.nix ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.configurationLimit = 42; boot.loader.efi.canTouchEfiVariables = true; hardware.bluetooth.enable = true; networking.networkmanager.enable = true; networking.hostName = "athena"; # Define your hostname. # Create entries for /etc/wpa_supplicant.conf by running `wpa_passphrase SSID PASSWORD` # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. # The global useDHCP flag is deprecated, therefore explicitly set to false here. # Per-interface useDHCP will be mandatory in the future, so this generated config # replicates the default behaviour. networking.useDHCP = false; networking.interfaces.wlp58s0.useDHCP = true; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Select internationalisation properties. i18n = { defaultLocale = "en_US.UTF-8"; }; # run the following command to swap escape and caps-lock keys, like a # civilized person: # setxkbmap -option caps:swapescape # Set your time zone. time.timeZone = "America/Los_Angeles"; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ cachix # configure local network sharing, launch app on startup, and auto-connect # in the preferences menu mullvad-vpn p7zip # Do NOT use qbittorrent unless you have set up interface binding with your # VPN: https://web.archive.org/web/20210426203101/https://mullvad.net/en/help/bittorrent/ qbittorrent wget zsh ]; nixpkgs.config.allowUnfree = true; fonts.fonts = with pkgs; [ fira-code ]; # Open ports in the firewall. networking.firewall = { allowedTCPPorts = [ 22 # for ssh access 80 8080 # port for qbittorrent webui ]; }; # Or disable the firewall altogether. # networking.firewall.enable = false; # Nginx Reverse SSL Proxy services.nginx = { enable = true; # give a name to the virtual host. It also becomes the server name. virtualHosts."sub.domain.tld" = { # http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/ http2 = true; # Provide the ssl cert and key for the vhost extraConfig = '' #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause send_timeout 100m; # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/ # ssl_stapling on; # ssl_stapling_verify on; # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # ssl_prefer_server_ciphers on; #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384. # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; # Forward real ip and host to Plex proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $server_addr; proxy_set_header Referer $server_addr; proxy_set_header Origin $server_addr; # Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off. gzip on; gzip_vary on; gzip_min_length 1000; gzip_proxied any; gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml; gzip_disable "MSIE [1-6]\."; # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones. # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more client_max_body_size 100M; # Plex headers proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier; proxy_set_header X-Plex-Device $http_x_plex_device; proxy_set_header X-Plex-Device-Name $http_x_plex_device_name; proxy_set_header X-Plex-Platform $http_x_plex_platform; proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version; proxy_set_header X-Plex-Product $http_x_plex_product; proxy_set_header X-Plex-Token $http_x_plex_token; proxy_set_header X-Plex-Version $http_x_plex_version; proxy_set_header X-Plex-Nocache $http_x_plex_nocache; proxy_set_header X-Plex-Provides $http_x_plex_provides; proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor; proxy_set_header X-Plex-Model $http_x_plex_model; # Websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # Buffering off send to the client as soon as the data is received from Plex. proxy_redirect off; proxy_buffering off; ''; locations."/" = { proxyPass = "http://localhost:32400/"; }; }; }; # VPN setup services.mullvad-vpn.enable = true; networking.wireguard.enable = true; networking.firewall.checkReversePath = "loose"; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; # List services that you want to enable: # Enable the OpenSSH daemon. services.openssh.enable = true; # Enable the X11 windowing system. services.xserver.enable = true; services.xserver.layout = "us"; services.xserver.xkbOptions = "caps:swapescape"; services.plex = { enable = true; user = "haak"; group = "users"; }; # Enable touchpad support. services.xserver.libinput.enable = true; # Enable the KDE Desktop Environment. services.xserver = { displayManager.sddm.enable = true; desktopManager.plasma5.enable = true; }; services.syncthing = { enable = true; user = "haak"; dataDir = "/home/haak/synced"; configDir = "/home/haak/synced/.config/syncthing"; }; location.provider = "geoclue2"; # Define a user account. Don't forget to set a password with ‘passwd’. users.users.haak = { isNormalUser = true; extraGroups = [ "wheel" # Enable ‘sudo’ for the user. "networkmanager" # Allow the user to manage networks ]; }; security.sudo.wheelNeedsPassword = false; users.extraUsers.haak = { shell = pkgs.zsh; }; nix.settings.trusted-users = [ "root" "haak" ]; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you # should. system.stateVersion = "20.03"; # Did you read the comment? system.autoUpgrade.enable = true; }