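# NixOS configuration fragment: ACME certificates, ClamAV signature updates,
# Jellyfin published through an nginx TLS reverse proxy, smartd disk
# monitoring and Samba home shares.
{
  security.acme = {
    acceptTerms = true;
    defaults.email = "nipsy@bitgnome.net";
  };

  services = {
    # Only the signature updater is enabled here; no scanning daemon is
    # enabled in this file.
    clamav.updater.enable = true;

    # NOTE(review): only openFirewall is set here. Confirm that
    # services.iperf3.enable is set elsewhere; otherwise this presumably has no
    # effect. If it is enabled, the iperf3 port is reachable on every interface
    # the firewall covers.
    iperf3.openFirewall = true;

    jellyfin.enable = true;

    nginx = {
      enable = true;

      # Use recommended settings
      recommendedGzipSettings = true;
      recommendedOptimisation = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      # Only allow PFS-enabled ciphers with AES256.
      # This list governs TLS 1.2 and older; TLS 1.3 suites are negotiated
      # separately and are not restricted by it. The EDH entries are only
      # usable when DH parameters are configured (services.nginx.sslDhparam),
      # which this file does not set.
      sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";

      virtualHosts = {
        "arrakis.bitgnome.net" = {
          enableACME = true;
          # Redirects plain HTTP to HTTPS for this virtual host.
          forceSSL = true;

          locations = {
            "/" = {
              extraConfig = ''
                default_type text/html;
              '';
              return = "200 'Hot damn, it works!'";
            };

            # Canonicalise the path so the proxied location below matches.
            "/jellyfin" = {
              return = "302 $scheme://$host/jellyfin/";
            };

            "/jellyfin/" = {
              # Review notes on the block below:
              #  * X-Forwarded-For is built with $proxy_add_x_forwarded_for,
              #    which appends to whatever the client sent. The backend should
              #    trust forwarded headers only from this proxy (presumably via
              #    Jellyfin's known-proxies setting; confirm it is configured).
              #  * 'Access-Control-Allow-Origin: *' lets any web origin read
              #    responses from this path cross-origin. Restrict it to the
              #    origins that actually host a client if none other is needed.
              #  * The preflight Content-Type previously lacked the ';' between
              #    media type and charset parameter; it is corrected here.
              extraConfig = ''
                proxy_pass_request_headers on;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_connection;
                proxy_buffering off;

                # CORS setup
                add_header 'Access-Control-Allow-Origin' '*' always;
                add_header 'Access-Control-Expose-Headers' 'Content-Length';

                # Allow CORS preflight requests
                if ($request_method = 'OPTIONS') {
                  add_header 'Access-Control-Allow-Origin' '*';
                  add_header 'Access-Control-Max-Age' 1728000;
                  add_header 'Content-Type' 'text/plain; charset=UTF-8';
                  add_header 'Content-Length' 0;
                  return 204;
                }
              '';
              # TLS ends at nginx; this hop to the backend is plain HTTP.
              # NOTE(review): 192.168.1.2 is presumably this host's own LAN
              # address. If so, binding Jellyfin to loopback and proxying to
              # 127.0.0.1 would keep port 8096 off the LAN; confirm.
              proxyPass = "http://192.168.1.2:8096/jellyfin/";
            };
          };
        };
      };
    };

    smartd =
      let
        my_email_addr = "nipsy@bitgnome.net";

        # Options shared by every monitored device.
        baseOptions = "-a -o on -S on";
        # Mail warnings to the administrator.
        mailOption = "-m ${my_email_addr}";
        # Short self-test daily at 02:00, long self-test on day 5 of the week
        # at 03:00.
        selfTests = "-s (S/../.././02|L/../../5/03)";

        byId = name: "/dev/disk/by-id/${name}";

        # NVMe devices: monitoring and mail only, no scheduled self-tests.
        nvme = name: {
          device = byId name;
          options = "${baseOptions} ${mailOption}";
        };

        # SATA disks: additionally run the scheduled self-tests.
        hdd = name: {
          device = byId name;
          options = "${baseOptions} ${selfTests} ${mailOption}";
        };
      in
      {
        enable = true;
        devices =
          map nvme [
            "nvme-WD_BLACK_SN850X_4000GB_23162P800005"
            "nvme-WD_BLACK_SN850X_4000GB_23162P800014"
          ]
          ++ map hdd [
            "ata-WDC_WD80EFAX-68KNBN0_VAHUEZNL"
            "ata-WDC_WD80EFAX-68KNBN0_VAHUUSXL"
            "ata-WDC_WD80EFAX-68KNBN0_VAHV0H5L"
            "ata-WDC_WD80EFAX-68KNBN0_VAHUK5EL"
            "ata-WDC_WD80EFAX-68KNBN0_VAHV5JEL"
            "ata-WDC_WD80EFAX-68KNBN0_VAHUZ42L"
            "ata-WDC_WD80EFAX-68KNBN0_VAHV3BSL"
            "ata-WDC_WD80EFAX-68KNBN0_VAHV338L"
          ];
      };

    samba = {
      enable = true;
      settings = {
        global = {
          "invalid users" = [ "root" ];
          "passwd program" = "/run/wrappers/bin/passwd %u";
          security = "user";
          # Turning the SMB1 UNIX extensions off is what lets the per-share
          # "wide links" settings below take effect.
          "smb1 unix extensions" = "no";
        };

        # Review note for both shares: "wide links" = "yes" makes smbd follow
        # symlinks whose targets lie outside the share path, so any symlink in
        # a home directory exposes its target with the connecting user's
        # filesystem permissions. Set it to "no" unless out-of-share targets
        # are required.
        homes = {
          browseable = "no";
          # 0775 leaves files and directories created through the share
          # group-writable and world-readable.
          "create mask" = "0775";
          "directory mask" = "0775";
          "read only" = "no";
          # %S is the share name, so each home share admits only its owner.
          "valid users" = "%S";
          "wide links" = "yes";
        };

        # Read-only view of one home directory, limited to that user.
        nipsy-ro = {
          browseable = "no";
          path = "/home/nipsy";
          "read only" = "yes";
          "valid users" = "nipsy";
          "wide links" = "yes";
        };
      };
    };
  };
}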