haak/dotfiles
1
0
Fork 0
Code Issues Pull requests Wiki Activity Actions
dotfiles/nix/system/nas-configuration.nix
Haak Saxberg a0eda06da1 plex and torrent and nginx forwarding 
i know it's not "the best" to have plex set up as my own user but i
don't intend to expose this machine outisde of the home network anyway.
the ROI on figuring out how to get files downloaded somwhere that a
separate plex user can scan is not worth it.
2022-07-30 15:27:15 -07:00

215 lines
8 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running nixos-help).
{ config, pkgs, ... }:
{
imports =
[
# Include the results of the hardware scan.
/etc/nixos/hardware-configuration.nix
/etc/nixos/glibc-locale-paths.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.systemd-boot.configurationLimit = 42;
boot.loader.efi.canTouchEfiVariables = true;
hardware.bluetooth.enable = true;
networking.networkmanager.enable = true;
networking.hostName = "athena"; # Define your hostname.
# Create entries for /etc/wpa_supplicant.conf by running `wpa_passphrase SSID PASSWORD`
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.wlp58s0.useDHCP = true;
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
i18n = {
defaultLocale = "en_US.UTF-8";
};
# run the following command to swap escape and caps-lock keys, like a
# civilized person:
# setxkbmap -option caps:swapescape
# Set your time zone.
time.timeZone = "America/Los_Angeles";
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
cachix
firefox
# configure local network sharing, launch app on startup, and auto-connect
# in the preferences menu
mullvad-vpn
p7zip
# Do NOT use qbittorrent unless you have set up interface binding with your
# VPN: https://web.archive.org/web/20210426203101/https://mullvad.net/en/help/bittorrent/
qbittorrent
wget
zsh
];
nixpkgs.config.allowUnfree = true;
fonts.fonts = with pkgs; [ fira-code ];
# Open ports in the firewall.
networking.firewall = {
allowedTCPPorts = [
22 # for ssh access
80
8080 # port for qbittorrent webui
];
};
# Or disable the firewall altogether.
# networking.firewall.enable = false;
# Nginx Reverse SSL Proxy
services.nginx = {
enable = true;
# give a name to the virtual host. It also becomes the server name.
virtualHosts."sub.domain.tld" = {
# http2 can more performant for streaming: https://blog.cloudflare.com/introducing-http2/
http2 = true;
# Provide the ssl cert and key for the vhost
extraConfig = ''
#Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
send_timeout 100m;
# Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
# ssl_stapling on;
# ssl_stapling_verify on;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_prefer_server_ciphers on;
#Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# Forward real ip and host to Plex
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $server_addr;
proxy_set_header Referer $server_addr;
proxy_set_header Origin $server_addr;
# Plex has A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
gzip on;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
gzip_disable "MSIE [1-6]\.";
# Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
# Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
client_max_body_size 100M;
# Plex headers
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header X-Plex-Device $http_x_plex_device;
proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
proxy_set_header X-Plex-Platform $http_x_plex_platform;
proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
proxy_set_header X-Plex-Product $http_x_plex_product;
proxy_set_header X-Plex-Token $http_x_plex_token;
proxy_set_header X-Plex-Version $http_x_plex_version;
proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
proxy_set_header X-Plex-Provides $http_x_plex_provides;
proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
proxy_set_header X-Plex-Model $http_x_plex_model;
# Websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Buffering off send to the client as soon as the data is received from Plex.
proxy_redirect off;
proxy_buffering off;
'';
locations."/" = {
proxyPass = "http://localhost:32400/";
};
};
};
# VPN setup
services.mullvad-vpn.enable = true;
networking.wireguard.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
programs.gnupg.agent = { enable = true; enableSSHSupport = true; };
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.layout = "us";
services.xserver.xkbOptions = "caps:swapescape";
services.plex = {
enable = true;
openFirewall = true;
user = "haak";
group = "users";
};
# Enable touchpad support.
services.xserver.libinput.enable = true;
# Enable the KDE Desktop Environment.
services.xserver = {
displayManager.sddm.enable = true;
desktopManager.plasma5.enable = true;
};
services.syncthing = {
enable = true;
user = "haak";
dataDir = "/home/haak/synced";
configDir = "/home/haak/synced/.config/syncthing";
};
location.provider = "geoclue2";
# Define a user account. Don't forget to set a password with passwd.
users.users.haak = {
isNormalUser = true;
extraGroups = [
"wheel" # Enable sudo for the user.
"networkmanager" # Allow the user to manage networks
];
};
users.extraUsers.haak = {
shell = pkgs.zsh;
};
nix.settings.trusted-users = [ "root" "haak" ];
# This value determines the NixOS release with which your system is to be
# compatible, in order to avoid breaking some software such as database
# servers. You should change this only after NixOS release notes say you
# should.
system.stateVersion = "20.03"; # Did you read the comment?
system.autoUpgrade.enable = true;
}
Reference in a new issue View git blame Copy permalink