{ config, lib, pkgs, ... }:

# Host module for arrakis.bitgnome.net: web (nginx + cgit + jellyfin proxy),
# mail relay (postfix with ACME certificate), file serving (NFSv4, Samba,
# avahi), netboot artifacts and SMART monitoring.
let
  fqdn = "arrakis.bitgnome.net";
  adminEmail = "nipsy@bitgnome.net";
  acmeDir = "/var/lib/acme/${fqdn}";

  # Minimal netboot image whose kernel/initrd/iPXE script are served by the
  # nginx vhost below. SSH in the image is key-only (password and
  # keyboard-interactive auth disabled); the same public key is authorized for
  # both the nixos and root accounts.
  netbootSystem = lib.nixosSystem {
    system = "x86_64-linux";
    modules = [
      ({ modulesPath, pkgs, ... }: {
        imports = [
          (modulesPath + "/installer/netboot/netboot-minimal.nix")
          ../common/optional/services/nolid.nix
        ];
        config = {
          environment.systemPackages = with pkgs; [ git rsync ];
          nix.settings.experimental-features = [ "nix-command" "flakes" ];
          services.openssh = {
            enable = true;
            openFirewall = true;
            settings = {
              PasswordAuthentication = false;
              KbdInteractiveAuthentication = false;
            };
          };
          users.users =
            let sshKey = builtins.readFile ../common/users/nipsy/keys/id_arrakis.pub;
            in {
              nixos.openssh.authorizedKeys.keys = [ sshKey ];
              root.openssh.authorizedKeys.keys = [ sshKey ];
            };
        };
      })
    ];
  };
  netboot = netbootSystem.config.system.build;

  # One smartd device entry. Every disk gets -a (all checks), -o on (offline
  # data collection), -S on (attribute autosave) and mail to adminEmail;
  # extraOpts carries the optional self-test schedule.
  smartdDevice = extraOpts: id: {
    device = "/dev/disk/by-id/${id}";
    options = "-a -o on -S on${extraOpts} -m ${adminEmail}";
  };

  # -s schedule used for the spinning disks: short self-test daily at 02:00,
  # long self-test on day-of-week 5 at 03:00.
  rotationalSchedule = " -s (S/../.././02|L/../../5/03)";
in
{
  # System-wide gitconfig. `safe.directory = *` switches off git's repository
  # ownership check for every path on this host (not just the cgit scan path),
  # so repositories owned by another user are always treated as trusted.
  environment.etc."gitconfig".text = ''
    [safe]
      directory = *
  '';

  # NFSv4 only (see services.nfs.settings), which needs just TCP 2049.
  networking.firewall.allowedTCPPorts = [ 2049 ];

  security.acme = {
    acceptTerms = true;
    defaults.email = adminEmail;
    # Postfix reads the certificate straight out of the ACME directory, so
    # after each renewal grant it traversal on the directory and read on the
    # two PEM files, then reload it so the new material is picked up.
    certs.${fqdn}.postRun = ''
      ${pkgs.acl}/bin/setfacl -m u:postfix:--x ${acmeDir}
      ${pkgs.acl}/bin/setfacl -m u:postfix:r-- ${acmeDir}/{fullchain,key}.pem
      ${pkgs.systemd}/bin/systemctl reload postfix.service
    '';
  };

  services = {
    avahi = {
      enable = true;
      nssmdns4 = true;
      openFirewall = true;
    };

    # cgit served under /nipsy/git/ by the nginx vhost below, scanning
    # repositories found in /home/nipsy/www/git.
    cgit.${fqdn} = {
      enable = true;
      nginx.location = "/nipsy/git/";
      scanPath = "/home/nipsy/www/git";
      settings = {
        root-title = "Spice Factory";
        root-desc = "Dune. Desert planet.";
        logo = "/nipsy/git/cgit.png";
        css = "/nipsy/git/cgit.css";
        clone-url = "https://$HTTP_HOST$SCRIPT_NAME/$CGIT_REPO_URL";
        readme = ":README.md";
        remove-suffix = 1;
        branch-sort = "age";
        max-stats = "quarter";
        snapshots = "all";
        enable-commit-graph = true;
        enable-follow-links = true;
        enable-git-config = true;
        enable-index-links = true;
        enable-log-filecount = true;
        enable-log-linecount = true;
        mimetype-file = "${pkgs.mailcap}/etc/mime.types";
        about-filter = "${pkgs.cgit}/lib/cgit/filters/about-formatting.sh";
        source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
      };
    };

    clamav.updater.enable = true;
    cron.enable = true;
    dictd.enable = true;
    iperf3.openFirewall = true;

    jellyfin = {
      enable = true;
      # pkgs.master is not defined in this file; presumably an overlay
      # exposing a newer package set.
      package = pkgs.master.jellyfin;
    };

    nfs = {
      # Single read-only export to the LAN. `all_squash` maps every client
      # uid/gid to the anonymous account; `insecure` accepts client source
      # ports above 1023.
      server = {
        enable = true;
        exports = ''
          /srv/nfs 192.168.1.0/24(ro,all_squash,insecure,crossmnt,subtree_check,fsid=0)
        '';
      };
      settings.nfsd = {
        udp = false;
        vers2 = false;
        vers3 = false;
        vers4 = true;
      };
    };

    nginx = {
      enable = true;

      # Clients on loopback or the LAN ($geo = 1) may stay on plain HTTP;
      # any other client arriving over http ("00") gets $force_enable_ssl = 1
      # and is redirected by the vhost's extraConfig below.
      appendHttpConfig = ''
        geo $geo {
          default 0;
          127.0.0.1 1;
          ::1 1;
          192.168.1.0/24 1;
        }
        map $scheme $req_ssl {
          default 1;
          http 0;
        }
        map "$geo$req_ssl" $force_enable_ssl {
          default 0;
          00 1;
        }
      '';

      # Recommended settings; proxy headers are set by hand in the jellyfin
      # location instead of recommendedProxySettings.
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      #recommendedProxySettings = true;
      recommendedTlsSettings = true;

      # Only PFS-capable AES256 suites.
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

      virtualHosts.${fqdn} = {
        root = "/var/www";
        addSSL = true;
        enableACME = true;
        extraConfig = ''
          if ($force_enable_ssl) {
            return 301 https://$host$request_uri;
          }
        '';
        locations = {
          "/" = { tryFiles = "$uri $uri/ =404"; };

          # Directory listing enabled for the personal tree.
          "/nipsy" = {
            tryFiles = "$uri $uri/ =404";
            extraConfig = ''
              autoindex on;
            '';
          };

          # Netboot artifacts produced by netbootSystem above.
          "= /boot/bzImage".alias = "${netboot.kernel}/bzImage";
          "= /boot/initrd".alias = "${netboot.netbootRamdisk}/initrd";
          "= /boot/netboot.ipxe".alias = "${netboot.netbootIpxeScript}/netboot.ipxe";

          # Jellyfin runs on another LAN host; reverse-proxy it with forwarded
          # headers and websocket upgrade. The CORS block allows any origin
          # ('*'); Allow-Origin is repeated inside the if block because an if
          # block that defines its own add_header directives does not inherit
          # the outer ones.
          "/jellyfin".return = "302 $scheme://$host/jellyfin/";
          "/jellyfin/" = {
            proxyPass = "http://192.168.1.2:8096/jellyfin/";
            extraConfig = ''
              proxy_pass_request_headers on;
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Forwarded-Host $http_host;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $http_connection;
              proxy_buffering off;

              # CORS setup
              add_header 'Access-Control-Allow-Origin' '*' always;
              add_header 'Access-Control-Expose-Headers' 'Content-Length';

              # Allow CORS preflight requests
              if ($request_method = 'OPTIONS') {
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Max-Age' 1728000;
                add_header 'Content-Type' 'text/plain charset=UTF-8';
                add_header 'Content-Length' 0;
                return 204;
              }
            '';
          };
        };
      };
    };

    postfix = {
      enable = true;
      hostname = "${config.networking.hostName}.${config.networking.domain}";
      relayHost = "mail.bitgnome.net";
      relayPort = 587;
      rootAlias = adminEmail;
      extraAliases = ''
        nipsy: ${adminEmail}
      '';
      # TLS material is read directly from the ACME directory; the postRun
      # hook in security.acme grants postfix read access to these two files.
      sslCert = "${acmeDir}/fullchain.pem";
      sslKey = "${acmeDir}/key.pem";
    };

    printing.enable = true;

    sabnzbd = {
      enable = true;
      user = "nipsy";
      group = "nipsy";
      configFile = "/home/nipsy/.sabnzbd/sabnzbd.ini";
    };

    samba = {
      enable = true;
      settings = {
        global = {
          security = "user";
          "invalid users" = [ "root" ];
          "passwd program" = "/run/wrappers/bin/passwd %u";
          # Required for "wide links" below to take effect; Samba ignores wide
          # links while SMB1 unix extensions are on.
          "smb1 unix extensions" = "no";
        };
        # Per-user home shares: read-write, hidden from browsing, restricted to
        # the owning user. "wide links" lets the server follow symlinks that
        # point outside the share tree.
        homes = {
          browseable = "no";
          "read only" = "no";
          "valid users" = "%S";
          "create mask" = "0775";
          "directory mask" = "0775";
          "wide links" = "yes";
        };
        # Read-only view of nipsy's home for the nipsy account only.
        nipsy-ro = {
          browseable = "no";
          path = "/home/nipsy";
          "read only" = "yes";
          "valid users" = "nipsy";
          "wide links" = "yes";
        };
      };
    };

    # NVMe drives get no scheduled self-test; the rotational drives do.
    smartd = {
      enable = true;
      devices =
        map (smartdDevice "") [
          "nvme-WD_BLACK_SN850X_4000GB_23162P800005"
          "nvme-WD_BLACK_SN850X_4000GB_23162P800014"
        ]
        ++ map (smartdDevice rotationalSchedule) [
          "ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL"
          "ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL"
          "ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L"
          "ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL"
          "ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL"
          "ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L"
          "ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL"
          "ata-WDC_WD80EFAX-68KNBN0_VAHV338L"
        ];
    };
  };

  #systemd.services.nginx.serviceConfig.ProtectHome = lib.mkForce false;
}