modularized nginx configs and removed config nix

This commit is contained in:
Danilo Reyes 2023-08-28 20:32:37 -06:00
parent 1bc1b219d9
commit c8f851127a
3 changed files with 259 additions and 790 deletions

.gitignore vendored

@ -1,2 +1,3 @@
/dotfiles/*.Appimage
/scripts/download/.direnv/
/configuration.nix


@ -1,790 +0,0 @@
{ config, pkgs, ... }:
let
open_firewall_ports = [
80 # http
443 # https
6969 # HentaiAtHome
25152 # ssh
49494 # gerbera
];
open_firewall_port_ranges = [
{ from = 1714; to = 1764; } # kdeconnect
];
VERSION = "23.05";
# "https://github.com/nix-community/home-manager/archive/master.tar.gz";
unstable_tarball = builtins.fetchTarball
https://github.com/nixos/nixpkgs/tarball/master;
unstable = import unstable_tarball {
config = config.nixpkgs.config;
};
nix-gaming = import (builtins.fetchTarball "https://github.com/fufexan/nix-gaming/archive/master.tar.gz");
jawz_nextcloud_scrapsync = pkgs.writeScriptBin
"nextcloud_scrapsync" (builtins.readFile ./scripts/nextcloud_scrapsync.sh);
jawz_manage_library = pkgs.writeScriptBin
"manage_library" (builtins.readFile ./scripts/manage_library.sh);
jawz_ffmpreg = pkgs.writeScriptBin
"ffmpreg" (builtins.readFile ./scripts/ffmpreg.sh);
jawz_ffmpeg4discord = pkgs.writeScriptBin
"ffmpeg4discord" (builtins.readFile ./scripts/ffmpeg4discord.py);
jawz_chat-dl = pkgs.writeScriptBin
"chat-dl" (builtins.readFile ./scripts/chat-dl.sh);
jawz_tasks = pkgs.writeScriptBin
"tasks" (builtins.readFile ./scripts/tasks.sh);
jawz_split_dir = pkgs.writeScriptBin
"split_dir" (builtins.readFile ./scripts/split_dir.sh);
jawz_pika_list = pkgs.writeScriptBin
"pika_list" (builtins.readFile ./scripts/pika_list.sh);
jawz_run = pkgs.writeScriptBin
"run" (builtins.readFile ./scripts/run.sh);
in
{ # Remember to close this bracket at the end of the document
imports = [
./hardware-configuration.nix
<home-manager/nixos>
<agenix/modules/age.nix>
"${nix-gaming}/modules/pipewireLowLatency.nix"
];
networking.hostName = "workstation";
# networking.wireless.enable = true;
networking.networkmanager.enable = true;
time.timeZone = "America/Mexico_City";
i18n = {
defaultLocale = "en_CA.UTF-8";
extraLocaleSettings = {
LC_MONETARY = "es_MX.UTF-8";
};
};
console = {
font = "Lat2-Terminus16";
keyMap = "us";
# useXkbConfig = true; # use xkbOptions in tty.
};
services = {
xserver = {
enable = true;
videoDrivers = [ "nvidia" ];
displayManager.gdm.enable = true;
desktopManager.gnome.enable = true;
layout = "us";
libinput.enable = true; # Wacom required?
};
};
environment.gnome.excludePackages = (with pkgs; [
gnome-photos
gnome-tour
gnome-text-editor
gnome-connections
# gnome-shell-extensions
baobab
])
++ (with pkgs.gnome; [
# totem
gedit
gnome-music
epiphany
gnome-characters
yelp
gnome-font-viewer
cheese
]);
# Sets up QT to use adwaita themes.
qt = {
enable = true;
platformTheme = "gnome";
style = "adwaita";
};
hardware.pulseaudio.enable = false;
sound.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
lowLatency = {
enable = true;
quantum = 64;
rate = 48000;
};
};
security.sudo = {
enable = true;
wheelNeedsPassword = false;
};
# security.sudo.enable = false;
# security.doas.enable = true;
# security.doas.extraRules = [{
# users = [ "jawz" ];
# keepEnv = true;
# #persist = true;
# noPass = true;
# }];
nixpkgs.config = {
allowUnfree = true;
};
users.users.jawz = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "docker" "scanner" "lp" ];
initialPassword = "password";
openssh = {
authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5GaQM4N+yGAByibOFQOBVMV/6TjOfaGIP+NunMiK76 gpodeacero\cdreyes@100CDREYES" ];
};
packages = (with pkgs; [
blender # cgi animation and sculpting
godot # game development
gdtoolkit # gdscript language server
krita # art to your heart desire!
# drawpile # arty party with friends!!
mypaint # not the best art program
mypaint-brushes # but it's got some
mypaint-brushes1 # nice damn brushes
pureref # create inspiration/reference boards
gimp # the coolest bestest art program to never exist
lutris
heroic
wine64Packages.full
wineWowPackages.full
vulkan-tools
# nix-gaming.packages.${pkgs.hostPlatform.system}.wine-tkg
winetricks
# nix-gaming.packages.${pkgs.hostPlatform.system}.wine-discord-ipc-bridge
# grapejuice # roblox manager
# minecraft # minecraft official launcher
parsec-bin # remote gaming with friends
protonup-qt # update proton-ge
renpy
libreoffice-fresh # office, but based
calibre # ugly af eBook library manager
foliate # gtk eBook reader
newsflash # feed reader, syncs with nextcloud
wike # gtk wikipedia wow!
unstable.furtherance # I made this one tehee track time utility
gnome.simple-scan # scanner
# sequeler # friendly SQL client
blanket # background noise
czkawka # duplicate finder
pika-backup # backups
# tilix # used to be my favourite terminal, but it's so outdated, that each time I use it less and less…
gnome-obfuscate # censor private information
metadata-cleaner # remove any metadata and geolocation from files
gnome-recipes # migrate these to mealie and delete
denaro # manage your finances
# celeste # sync tool for any cloud provider
libgda # for pano shell extension
celluloid # video player
cozy # audiobooks player
gnome-podcasts # podcast player
handbrake # video converter, may be unnecessary
curtail # image compressor
pitivi # video editor
identity # compare images or videos
mousai # poor man shazam
tagger # tag music files
bottles # wine prefix manager
obs-studio # screen recorder & streamer
shortwave # listen to world radio
nextcloud-client # self-hosted google-drive alternative
discord # chat
whatsapp-for-linux # I'll regret this
telegram-desktop # furry chat
google-chrome # web browser with spyware included
firefox # web browser that allows to disable spyware
# librewolf # no spyware web browser
tor-browser-bundle-bin # dark web, so dark!
# hugo # website engine
nicotine-plus # remember Ares?
warp # never used, but supposedly cool for sharing files
HentaiAtHome # uh-oh
unstable.yt-dlp # downloads videos from most video websites
unstable.gallery-dl # similar to yt-dlp but for most image gallery websites
gdu # disk-space utility, somewhat useful
du-dust # rusty du
gocryptfs # encrypted filesystem! shhh!!!
exa # like ls but with colors
trashy # oop! didn't meant to delete that
ffmpeg # coolest video converter!
# neofetch # use once for brag, never again
rmlint # probably my favourite app, amazing dupe finder that integrates well with BTRFS
tldr # man for retards
# ffmpegthumbnailer # create video thumbnails for nautilus, in absence of totem
vcsi # video thumbnails for torrents, can I replace it with ^?
# mediainfo # technical info about videos, needed by some of my scripts
tree-sitter # code parsing, required by Doom emacs
torrenttools # create torrent files from the terminal!
lm_sensors # for extension, displays cpu temp
# My own scripts
jawz_ffmpeg4discord
jawz_ffmpreg
jawz_manage_library
jawz_chat-dl
jawz_tasks
jawz_split_dir
jawz_pika_list
jawz_run
# required by doom emacs, but still are rather useful.
fd # modern find, faster searches
fzf # fuzzy finder! super cool and useful
ripgrep # modern grep
languagetool # proofreader for English. check if works without the service
graphviz # graphs
# these two are for doom everywhere
xorg.xwininfo
xdotool
tetex
# development environment
exercism # learn to code
# SH
bats # testing system, required by Exercism
bashdb # autocomplete
shellcheck # linting
shfmt # a shell parser and formatter
file # required by my tasks script?
# gnome.zenity # dependency of my scripts
xclip # manipulate clipboard from scripts
# NIX
nixfmt # linting
cachix # why spend time compiling?
# PYTHON.
python3 # base language
pipenv # python development workflow for humans
poetry # dependency management made easy
# C# & Rust
# omnisharp-roslyn # c# linter and code formatter
# HASKELL
# cabal-install # haskell interface
# JS
# jq # linting
nodejs # not as bad as I thought
hunspell
hunspellDicts.it_IT
hunspellDicts.es_MX
hunspellDicts.en_CA
# Themes
adw-gtk3
# gradience # theme customizer, allows you to modify adw-gtk3 themes
gnome.gnome-tweaks # tweaks for the gnome desktop environment
qgnomeplatform
# Fonts
(nerdfonts.override {
fonts = [ "Agave" "CascadiaCode" "SourceCodePro" "Ubuntu" "FiraCode" "Iosevka" ];
})
symbola
(papirus-icon-theme.override {
color = "adwaita";
})
]) ++ (with pkgs.python3Packages; [
flake8 # wraper for pyflakes, pycodestyle and mccabe
isort # sort Python imports
nose # testing and running python scripts
pyflakes # checks source code for errors
pytest # framework for writing tests
speedtest-cli # check internet speed from the comand line
editorconfig # follow rules of contributin
black # Python code formatter
pylint # bug and style checker for python
(buildPythonApplication rec {
pname = "download";
version = "1.5";
src = ./scripts/download/.;
doCheck = false;
buildInputs = [ setuptools ];
propagatedBuildInputs =
[ pyyaml types-pyyaml ];
})
(buildPythonApplication rec {
pname = "ffpb";
version = "0.4.1";
src = fetchPypi {
inherit pname version;
sha256 = "sha256-7eVqbLpMHS1sBw2vYS4cTtyVdnnknGtEI8190VlXflk=";
};
doCheck = false;
buildInputs = [ setuptools ];
propagatedBuildInputs =
[ tqdm ];
})
]) ++ (with pkgs.bat-extras; [
batman # man pages
batpipe # piping
batgrep # ripgrep
batdiff # this is getting crazy!
batwatch # probably my next best friend
prettybat # trans your sourcecode!
]) ++ (with pkgs.gnomeExtensions; [
appindicator # applets for open applications
gsconnect # sync data and notifications from your phone
freon # hardware temperature monitor
panel-scroll # scroll well to change workspaces
reading-strip # like putting a finger on every line I read
tactile # window manager
pano # clipboard manager
blur-my-shell # make the overview more visually appealing
# burn-my-windows
# forge # window manager
# ]) ++ (with unstable.pkgs.gnomeExtensions; [
]) ++ (with pkgs.nodePackages; [
dockerfile-language-server-nodejs # LSP
bash-language-server # LSP
pyright # LSP
markdownlint-cli # Linter
prettier # Linter
pnpm # Package manager
]); }; # <--- end of package list
fonts.fontconfig.enable = true;
home-manager.useUserPackages = true;
home-manager.useGlobalPkgs = true;
home-manager.users.jawz = { config, pkgs, ... }:{
home.stateVersion = VERSION;
home.packages = with pkgs; [ ];
programs.bash = {
enable = true;
historyFile = "\${XDG_STATE_HOME}/bash/history";
historyControl = [ "erasedups" ];
shellAliases = {
ls = "exa --icons --group-directories-first --no-permissions --no-user --no-time";
edit = "emacsclient -t";
comic = "download -u jawz -i $(cat $LC | fzf --multi --exact -i)";
gallery = "download -u jawz -i $(cat $LW | fzf --multi --exact -i)";
open_gallery = "cd /mnt/disk2/scrapping/JawZ/gallery-dl && xdg-open $(fd . ./ Husbands -tdirectory -d 1 | fzf -i)";
unique_extensions = "fd -tf | rev | cut -d. -f1 | rev | tr '[:upper:]' '[:lower:]' | sort | uniq --count | sort -rn";
cp = "cp -i";
mv = "mv -i";
mkcd = "mkdir -pv \"$1\" && cd \"$1\" || exit";
mkdir = "mkdir -p";
rm = "trash";
".." = "cd ..";
"..." = "cd ../..";
".3" = "cd ../../..";
".4" = "cd ../../../..";
".5" = "cd ../../../../..";
dl = "download -u jawz -i";
e = "edit";
c = "cat";
f = "fzf --multi --exact -i";
sc = "systemctl --user";
jc = "journalctl --user -xefu";
};
enableVteIntegration = true;
initExtra = ''
/home/jawz/.local/bin/pokemon-colorscripts -r --no-title
# Lists
list_root=${config.home.homeDirectory}/.config/jawz/lists/jawz
export LW=$list_root/watch.txt
export LI=$list_root/instant.txt
export LC=$list_root/comic.txt
export command_timeout=30
# GPG_TTY=$(tty)
# export GPG_TTY
if command -v fzf-share >/dev/null; then
source "$(fzf-share)/key-bindings.bash"
source "$(fzf-share)/completion.bash"
fi
nixos-magic () {
local nix_file="$HOME/Development/NixOS/configuration.nix"
local hardware_file="$HOME/Development/NixOS/hardware-configuration.nix"
nixfmt "$nix_file" && nixfmt "$hardware_file"
sudo nixos-rebuild switch -I nixos-config="$nix_file"
sudo systemctl restart docker
sudo systemctl restart docker-compose
}
'';
};
programs = {
starship.enable = true;
direnv = {
enable = true;
enableBashIntegration = true;
nix-direnv.enable = true;
};
bat = {
enable = true;
config = {
pager = "less -FR";
theme = "base16"; };
};
git = {
enable = true;
userName = "Danilo Reyes";
userEmail = "CaptainJawZ@outlook.com";
};
htop = {
enable = true;
package = pkgs.htop-vim;
};
};
xdg = {
enable = true;
userDirs = {
enable = true;
# createDirectories = true;
desktop = "${config.home.homeDirectory}";
documents = "${config.home.homeDirectory}/Documents";
download = "${config.home.homeDirectory}/Downloads";
music = "${config.home.homeDirectory}/Music";
pictures = "${config.home.homeDirectory}/Pictures";
# publicShare = "${config.home.homeDirectory}/.local/hd/Public";
templates = "${config.home.homeDirectory}/.local/share/Templates";
videos = "${config.home.homeDirectory}/Videos";
};
configFile = {
"wgetrc".source = ./dotfiles/wget/wgetrc;
"configstore/update-notifier-npm-check.json".source = ./dotfiles/npm/update-notifier-npm-check.json;
"npm/npmrc".source = ./dotfiles/npm/npmrc;
"gallery-dl/config.json".source = ./dotfiles/gallery-dl/config.json;
"htop/htoprc".source = ./dotfiles/htop/htoprc;
};
};
services = {
lorri.enable = true;
emacs = {
enable = true;
defaultEditor = true;
package = pkgs.emacs;
};
};
};
environment.systemPackages = with pkgs; [
wget
docker-compose # easy way to migrate my docker anywhere!
];
environment.variables = rec {
# PATH
XDG_CACHE_HOME = "\${HOME}/.cache";
XDG_CONFIG_HOME = "\${HOME}/.config";
XDG_BIN_HOME = "\${HOME}/.local/bin";
XDG_DATA_HOME = "\${HOME}/.local/share";
XDG_STATE_HOME = "\${HOME}/.local/state";
# DEV PATH
CABAL_CONFIG = "\${XDG_CONFIG_HOME}/cabal/config";
CABAL_DIR = "\${XDG_CACHE_HOME}/cabal";
CARGO_HOME = "\${XDG_DATA_HOME}/cargo";
GEM_HOME = "\${XDG_DATA_HOME}/ruby/gems";
GEM_PATH = "\${XDG_DATA_HOME}/ruby/gems";
GEM_SPEC_CACHE = "\${XDG_DATA_HOME}/ruby/specs";
GOPATH = "\${XDG_DATA_HOME}/go";
NPM_CONFIG_USERCONFIG = "\${XDG_CONFIG_HOME}/npm/npmrc";
PNPM_HOME = "\${XDG_DATA_HOME}/pnpm";
# OPTIONS
# HISTFILE = "\${XDG_STATE_HOME}/bash/history";
LESSHISTFILE = "-";
GHCUP_USE_XDG_DIRS = "true";
RIPGREP_CONFIG_PATH = "\${XDG_CONFIG_HOME}/ripgrep/ripgreprc";
ELECTRUMDIR = "\${XDG_DATA_HOME}/electrum";
VISUAL = "emacsclient -ca emacs";
WGETRC = "\${XDG_CONFIG_HOME}/wgetrc";
XCOMPOSECACHE = "${XDG_CACHE_HOME}/X11/xcompose";
"_JAVA_OPTIONS" = "-Djava.util.prefs.userRoot=\${XDG_CONFIG_HOME}/java";
DOCKER_CONFIG="\${XDG_CONFIG_HOME}/docker";
# NVIDIA
CUDA_CACHE_PATH = "\${XDG_CACHE_HOME}/nv";
# WEBKIT_DISABLE_COMPOSITING_MODE = "1";
# GBM_BACKEND = "nvidia-drm";
# "__GLX_VENDOR_LIBRARY_NAME" = "nvidia";
# Themes
# GTK_THEME = "Adwaita:light";
# QT_QPA_PLATFORMTHEME = "adwaita";
# QT_STYLE_OVERRIDE = "adwaita";
CALIBRE_USE_SYSTEM_THEME = "1";
PATH = [
"\${HOME}/.local/bin"
"\${XDG_CONFIG_HOME}/emacs/bin"
"\${XDG_DATA_HOME}/npm/bin"
"\${XDG_DATA_HOME}/pnpm"
];
};
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
enableNvidia = true;
};
snapraid = {
enable = true;
touchBeforeSync = true;
sync.interval = "02:00";
scrub = {
plan = 10;
olderThan = 10;
interval = "4:00";
};
parityFiles = [
"/mnt/parity/snapraid.parity"
];
extraConfig = ''
autosave 5000
'';
exclude = [
"/tmp/"
"/lost+found/"
"/multimedia/downloads/"
"/scrapping/nextcloud/"
"/backups/"
"/glue/Spankbank/____UNORGANIZED/Chaturbate/"
"/nextcloud/nextcloud.log"
];
dataDisks = {
d1 = "/mnt/disk1/";
d2 = "/mnt/disk2/";
};
contentFiles = [
"/var/snapraid.content"
"/mnt/disk1/snapraid.content"
"/mnt/disk2/snapraid.content"
];
};
programs = {
fzf.fuzzyCompletion = true;
mtr.enable = true;
neovim = {
enable = true;
vimAlias = true;
};
gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
geary = {
enable = true;
};
steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
};
};
services = {
printing = {
enable = true;
drivers = [ pkgs.hplip pkgs.hplipWithPlugin ];
};
avahi.enable = true;
avahi.nssmdns = true;
fstrim.enable = true;
btrfs.autoScrub = {
enable = true;
fileSystems = [
"/"
"/mnt/disk1"
"/mnt/disk2"
];
};
openssh = {
enable = true;
ports = [ 25152 ];
settings = {
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
startWhenNeeded = true;
listenAddresses = [
{
addr = "0.0.0.0";
port = 25152;
}
];
};
emacs = {
enable = true;
defaultEditor = true;
package = pkgs.emacs;
};
};
systemd.services = {
"docker-compose" = {
enable = true;
restartIfChanged = true;
description = "Start docker-compose servers";
after = [ "docker.service" "docker.socket" ];
requires = [ "docker.service" "docker.socket" ];
wantedBy = [ "default.target" ];
environment = {
FILE = "/home/jawz/Development/Docker/docker-compose.yml";
};
path = [
pkgs.docker-compose
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans";
ExecStop = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down";
};
};
"nextcloud_scrapsync" = {
description = "Sync scrapped files with nextcloud";
wantedBy = [ "default.target" ];
path = [
pkgs.bash
jawz_nextcloud_scrapsync
];
serviceConfig = {
RestartSec = 30;
ExecStart = "${jawz_nextcloud_scrapsync}/bin/nextcloud_scrapsync";
};
};
};
systemd.timers = {
"nextcloud_scrapsync" = {
enable = true;
description = "Sync scrapped files with nextcloud";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar= [
"*-*-* 01:32:00"
"*-*-* 08:32:00"
"*-*-* 14:32:00"
"*-*-* 20:32:00"
];
RandomizedDelaySec = 30;
Persistent = true;
};
};
};
systemd.user.services = {
"HentaiAtHome" = {
enable = true;
restartIfChanged = true;
description = "Run hentai@home server";
wantedBy = [ "default.target" ];
path = [
pkgs.HentaiAtHome
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
WorkingDirectory="/mnt/hnbox";
ExecStart = "${pkgs.HentaiAtHome}/bin/HentaiAtHome";
};
};
"manage_library" = {
enable = true;
restartIfChanged = true;
description = "Run the manage library bash script";
wantedBy = [ "default.target" ];
path = [
pkgs.bash
pkgs.nix
jawz_manage_library
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawz_manage_library}/bin/manage_library";
};
};
"tasks" = {
restartIfChanged = true;
description = "Run a tasks script which keeps a lot of things organized";
wantedBy = [ "default.target" ];
path = [
pkgs.bash
pkgs.nix
jawz_tasks
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawz_tasks}/bin/tasks";
};
};
};
systemd.user.timers = {
"tasks" = {
enable = true;
description = "Run a tasks script which keeps a lot of things organized";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/10";
};
};
};
networking.firewall.allowedTCPPorts = open_firewall_ports;
networking.firewall.allowedUDPPorts = open_firewall_ports;
networking.firewall.allowedTCPPortRanges = open_firewall_port_ranges;
networking.firewall.allowedUDPPortRanges = open_firewall_port_ranges;
# networking.firewall.enable = false;
system = {
copySystemConfiguration = true;
stateVersion = VERSION;
};
nix = {
settings = {
substituters = [
"https://nix-gaming.cachix.org"
"https://nixpkgs-python.cachix.org"
"https://devenv.cachix.org"
];
trusted-public-keys = [
"nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
"nixpkgs-python.cachix.org-1:hxjI7pFxTyuTHn2NkvWCrAUcNZLNS3ZAvfYNuYifcEU="
"devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
];
};
gc = {
automatic = true;
dates = "weekly";
};
};
}

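--- a/nginx.nix
+++ b/nginx.nix
@@ -0,0 +1,258 @@
+# Do not modify this file! It was generated by nixos-generate-config
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+let
+localhost = "127.0.0.1";
+jellyfinPort = 8086;
+nextcloudPort = 80;
+# unstable_tarball =
+# builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master";
+# unstable = import unstable_tarball { config = config.nixpkgs.config; };
+in {
+services.nginx = {
+enable = true;
+recommendedTlsSettings = true;
+recommendedGzipSettings = true;
+recommendedOptimisation = true;
+recommendedProxySettings = true;
+sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+commonHttpConfig = ''
+### GLOBAL
+# Add HSTS header with preloading to HTTPS requests.
+# Adding this header to HTTP requests is discouraged
+map $scheme $hsts_header {
+https "max-age=31536000; includeSubdomains; preload";
+}
+add_header Strict-Transport-Security $hsts_header;
+# Enable CSP for your services.
+#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+# Minimize information leaked to other domains
+add_header 'Referrer-Policy' 'origin-when-cross-origin';
+# Disable embedding as a frame
+add_header X-Frame-Options DENY;
+# Prevent injection of code in other mime types (XSS Attacks)
+add_header X-Content-Type-Options nosniff;
+# Enable XSS protection of the browser.
+# May be unnecessary when CSP is configured properly (see above)
+add_header X-XSS-Protection "1; mode=block";
+# This might create errors
+proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+### NEXTCLOUD
+# upstream php-handler {
+# server 127.0.0.1:9000;
+# #server unix:/var/run/php/php7.4-fpm.sock;
+# }
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+# map $arg_v $asset_immutable {
+# "" "";
+# default "immutable";
+# }
+### JELLYFIN
+proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
+proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
+map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
+map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
+'';
+virtualHosts = let
+base = locations: {
+inherit locations;
+forceSSL = true;
+enableACME = true;
+http2 = true;
+};
+proxy = port:
+base { "/".proxyPass = "http://127.0.0.1:" + toString (port) + "/"; };
+in {
+"flix.servidos.lat" = {
+forceSSL = true;
+enableACME = true;
+http2 = true;
+extraConfig = ''
+# use a variable to store the upstream proxy
+# in this example we are using a hostname which is resolved via DNS
+# (if you aren't using DNS remove the resolver line and change the variable to point to an IP address
+# e.g `set $jellyfin 127.0.0.1`)
+set $jellyfin 127.0.0.1;
+resolver 127.0.0.1 valid=30;
+location = / {
+return 302 http://$host/web/;
+#return 302 https://$host/web/;
+}
+location = /web/ {
+# Proxy main Jellyfin traffic
+proxy_pass http://$jellyfin:8096/web/index.html;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Protocol $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+}
+'';
+locations = {
+"/" = {
+proxyPass = "http://$jellyfin:8096";
+proxyWebsockets = true;
+};
+"/socket" = {
+proxyPass = "http://$jellyfin:8096";
+extraConfig = ''
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+'';
+};
+"~ /Items/(.*)/Images" = {
+proxyPass = "http://$jellyfin:8096";
+extraConfig = ''
+proxy_cache jellyfin;
+proxy_cache_revalidate on;
+proxy_cache_lock on;
+'';
+};
+"~* ^/Videos/(.*)/(?!live)" = {
+proxyPass = "http://$jellyfin:8096";
+extraConfig = ''
+# Set size of a slice (this amount will be always requested from the backend by nginx)
+# Higher value means more latency, lower more overhead
+# This size is independent of the size clients/browsers can request
+# slice 2m;
+proxy_cache jellyfin-videos;
+proxy_cache_valid 200 206 301 302 30d;
+proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
+proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
+proxy_connect_timeout 15s;
+proxy_http_version 1.1;
+proxy_set_header Connection "";
+# Transmit slice range to the backend
+proxy_set_header Range 2m;
+# This saves bandwidth between the proxy and jellyfin, as a file is only downloaded one time instead of multiple times when multiple clients want to at the same time
+# The first client will trigger the download, the other clients will have to wait until the slice is cached
+# Esp. practical during SyncPlay
+proxy_cache_lock on;
+proxy_cache_lock_age 60s;
+proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=2m";
+# add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache
+'';
+};
+};
+};
+"library.servidos.lat" = proxy 5000 // { };
+${config.services.nextcloud.hostName} = {
+forceSSL = true;
+enableACME = true;
+http2 = true;
+# extraConfig = ''
+# server_tokens off;
+# # set max upload size and increase upload timeout:
+# client_body_timeout 300s;
+# # fastcgi_buffers 64 4K;
+# # The settings allows you to optimize the HTTP2 bandwitdth.
+# # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+# # for tunning hints
+# client_body_buffer_size 512k;
+# # HTTP response headers borrowed from Nextcloud `.htaccess`
+# add_header Referrer-Policy "no-referrer" always;
+# add_header X-Download-Options "noopen" always;
+# add_header X-Permitted-Cross-Domain-Policies "none" always;
+# add_header X-Robots-Tag "noindex, nofollow" always;
+# # Remove X-Powered-By, which is an information leak
+# fastcgi_hide_header X-Powered-By;
+# # Specify how to handle directories -- specifying `/index.php$request_uri`
+# # here as the fallback means that Nginx always exhibits the desired behaviour
+# # when a client requests a path that corresponds to a directory that exists
+# # on the server. In particular, if that directory contains an index.php file,
+# # that file is correctly served; if it doesn't, then the request is passed to
+# # the front-end controller. This consistent behaviour means that we don't need
+# # to specify custom rules for certain paths (e.g. images and other assets,
+# # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+# # `try_files $uri $uri/ /index.php$request_uri`
+# # always provides the desired behaviour.
+# index index.php index.html /index.php$request_uri;
+# '';
+# locations = {
+# "/".extraConfig = ''
+# try_files $uri $uri/ /index.php$request_uri;
+# '';
+# "= /".extraConfig = ''
+# # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+# if ( $http_user_agent ~ ^DavClnt ) {
+# return 302 /remote.php/webdav/$is_args$args;
+# }
+# '';
+# "^~ /.well-known".extraConfig = ''
+# # The rules in this block are an adaptation of the rules
+# # in `.htaccess` that concern `/.well-known`.
+# location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+# location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+# # Let Nextcloud's API for `/.well-known` URIs handle all other
+# # requests by passing them to the front-end controller.
+# return 301 /index.php$request_uri;
+# '';
+# "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig =
+# "return 404;";
+# "~ ^/(?:.|autotest|occ|issue|indie|db_|console)".extraConfig =
+# "return 404;";
+# "~ .php(?:$|/)".extraConfig = ''
+# # Required for legacy support
+# rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+# fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+# set $path_info $fastcgi_path_info;
+# try_files $fastcgi_script_name =404;
+# # include fastcgi_params;
+# include "${pkgs.nginx}/conf/fastcgi_params";
+# fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+# fastcgi_param PATH_INFO $path_info;
+# fastcgi_param HTTPS on;
+# fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+# fastcgi_param front_controller_active true; # Enable pretty urls
+# fastcgi_intercept_errors on;
+# fastcgi_request_buffering off;
+# fastcgi_max_temp_file_size 0;
+# '';
+# "~ .(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$" = {
+# extraConfig = ''
+# try_files $uri /index.php$request_uri;
+# access_log off; # Optional: Don't log access to assets
+# location ~ \.wasm$ {
+# default_type application/wasm;
+# }
+# '';
+# };
+# "~ .woff2?$".extraConfig = ''
+# try_files $uri /index.php$request_uri;
+# expires 7d; # Cache-Control policy borrowed from `.htaccess`
+# access_log off; # Optional: Don't log access to assets '';
+# "/remote".extraConfig = "return 301 /remote.php$request_uri;";
+# };
+};
+};
+};
+}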
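Review bot: The Jellyfin root redirect `return 302 http://$host/web/;` in the flix.servidos.lat extraConfig sends clients back to plain HTTP even though the same vhost sets `forceSSL = true`, so every visit to `/` takes an unencrypted hop before the forced-SSL redirect returns it to HTTPS; the commented line directly beneath already has the intended form, `return 302 https://$host/web/;`. The explicit `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` replaces the module's default cipher list and, as written, still admits the CBC/SHA-1 AES256 suites, so either drop the override or limit it to AEAD suites. In the `~* ^/Videos/(.*)/(?!live)` location, `proxy_set_header Range 2m;` with `slice 2m;` commented out overwrites the client's Range header with a value that is not a byte range, and since `proxy_cache_valid 200 206 ...` caches partial responses under a `proxy_cache_key` that carries no range, a cached partial body may be served for other ranges — presumably `slice 2m; proxy_set_header Range $slice_range;` was intended. The three-line header comment says the file was generated by nixos-generate-config and must not be edited, which is copied from hardware-configuration.nix and is wrong for this hand-written module; replace it with `# nginx reverse-proxy module: jellyfin, library and nextcloud virtual hosts`. The `localhost`, `jellyfinPort` and `nextcloudPort` bindings are unused while `127.0.0.1` and `8096` are repeated literally, and `proxy 5000 // { }` is a no-op merge.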