diff --git a/.gitignore b/.gitignore
index 13aeb89..8289fad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /dotfiles/*.Appimage
 /scripts/download/.direnv/
+/configuration.nix
diff --git a/configuration.nix b/configuration.nix
deleted file mode 100644
index d2881c4..0000000
--- a/configuration.nix
+++ /dev/null
@@ -1,790 +0,0 @@ -{ config, pkgs, ... }: -let - open_firewall_ports = [ - 80 # http - 443 # https - 6969 # HentaiAtHome - 25152 # ssh - 49494 # gerbera - ]; - open_firewall_port_ranges = [ - { from = 1714; to = 1764; } # kdeconnect - ]; - VERSION = "23.05"; - # "https://github.com/nix-community/home-manager/archive/master.tar.gz"; - unstable_tarball = builtins.fetchTarball - https://github.com/nixos/nixpkgs/tarball/master; - unstable = import unstable_tarball { - config = config.nixpkgs.config; - }; - nix-gaming = import (builtins.fetchTarball "https://github.com/fufexan/nix-gaming/archive/master.tar.gz"); - jawz_nextcloud_scrapsync = pkgs.writeScriptBin - "nextcloud_scrapsync" (builtins.readFile ./scripts/nextcloud_scrapsync.sh); - jawz_manage_library = pkgs.writeScriptBin - "manage_library" (builtins.readFile ./scripts/manage_library.sh); - jawz_ffmpreg = pkgs.writeScriptBin - "ffmpreg" (builtins.readFile ./scripts/ffmpreg.sh); - jawz_ffmpeg4discord = pkgs.writeScriptBin - "ffmpeg4discord" (builtins.readFile ./scripts/ffmpeg4discord.py); - jawz_chat-dl = pkgs.writeScriptBin - "chat-dl" (builtins.readFile ./scripts/chat-dl.sh); - jawz_tasks = pkgs.writeScriptBin - "tasks" (builtins.readFile ./scripts/tasks.sh); - jawz_split_dir = pkgs.writeScriptBin - "split_dir" (builtins.readFile ./scripts/split_dir.sh); - jawz_pika_list = pkgs.writeScriptBin - "pika_list" (builtins.readFile ./scripts/pika_list.sh); - jawz_run = pkgs.writeScriptBin - "run" (builtins.readFile ./scripts/run.sh); -in -{ # Remember to close this bracket at the end of the document - -imports = [ - ./hardware-configuration.nix - - - "${nix-gaming}/modules/pipewireLowLatency.nix" -]; - -networking.hostName = "workstation"; -# networking.wireless.enable = true; -networking.networkmanager.enable = true; - -time.timeZone = "America/Mexico_City"; - -i18n = { - defaultLocale = "en_CA.UTF-8"; - extraLocaleSettings = { - LC_MONETARY = "es_MX.UTF-8"; - }; -}; -console = { - font = "Lat2-Terminus16"; - keyMap 
= "us"; - # useXkbConfig = true; # use xkbOptions in tty. -}; - -services = { - xserver = { - enable = true; - videoDrivers = [ "nvidia" ]; - displayManager.gdm.enable = true; - desktopManager.gnome.enable = true; - layout = "us"; - libinput.enable = true; # Wacom required? - }; -}; - -environment.gnome.excludePackages = (with pkgs; [ - gnome-photos - gnome-tour - gnome-text-editor - gnome-connections - # gnome-shell-extensions - baobab -]) -++ (with pkgs.gnome; [ - # totem - gedit - gnome-music - epiphany - gnome-characters - yelp - gnome-font-viewer - cheese -]); - -# Sets up QT to use adwaita themes. -qt = { - enable = true; - platformTheme = "gnome"; - style = "adwaita"; -}; - -hardware.pulseaudio.enable = false; -sound.enable = false; -security.rtkit.enable = true; -services.pipewire = { - enable = true; - alsa.enable = true; - alsa.support32Bit = true; - pulse.enable = true; - lowLatency = { - enable = true; - quantum = 64; - rate = 48000; - }; -}; - -security.sudo = { - enable = true; - wheelNeedsPassword = false; -}; - -# security.sudo.enable = false; -# security.doas.enable = true; -# security.doas.extraRules = [{ -# users = [ "jawz" ]; -# keepEnv = true; -# #persist = true; -# noPass = true; -# }]; - -nixpkgs.config = { - allowUnfree = true; -}; - -users.users.jawz = { - isNormalUser = true; - extraGroups = [ "wheel" "networkmanager" "docker" "scanner" "lp" ]; - initialPassword = "password"; - openssh = { - authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5GaQM4N+yGAByibOFQOBVMV/6TjOfaGIP+NunMiK76 gpodeacero\cdreyes@100CDREYES" ]; - }; - packages = (with pkgs; [ - -blender # cgi animation and sculpting -godot # game development -gdtoolkit # gdscript language server -krita # art to your heart desire! -# drawpile # arty party with friends!! 
-mypaint # not the best art program -mypaint-brushes # but it's got some -mypaint-brushes1 # nice damn brushes -pureref # create inspiration/reference boards -gimp # the coolest bestest art program to never exist - -lutris -heroic -wine64Packages.full -wineWowPackages.full -vulkan-tools -# nix-gaming.packages.${pkgs.hostPlatform.system}.wine-tkg -winetricks -# nix-gaming.packages.${pkgs.hostPlatform.system}.wine-discord-ipc-bridge -# grapejuice # roblox manager -# minecraft # minecraft official launcher -parsec-bin # remote gaming with friends -protonup-qt # update proton-ge -renpy - -libreoffice-fresh # office, but based -calibre # ugly af eBook library manager -foliate # gtk eBook reader -newsflash # feed reader, syncs with nextcloud -wike # gtk wikipedia wow! -unstable.furtherance # I made this one tehee track time utility -gnome.simple-scan # scanner - -# sequeler # friendly SQL client -blanket # background noise -czkawka # duplicate finder -pika-backup # backups -# tilix # used to be my favourite terminal, but it's so outdated, that each time I use it less and less… -gnome-obfuscate # censor private information -metadata-cleaner # remove any metadata and geolocation from files -gnome-recipes # migrate these to mealie and delete -denaro # manage your finances -# celeste # sync tool for any cloud provider -libgda # for pano shell extension - -celluloid # video player -cozy # audiobooks player -gnome-podcasts # podcast player -handbrake # video converter, may be unnecessary -curtail # image compressor -pitivi # video editor -identity # compare images or videos -mousai # poor man shazam -tagger # tag music files -bottles # wine prefix manager -obs-studio # screen recorder & streamer -shortwave # listen to world radio -nextcloud-client # self-hosted google-drive alternative - -discord # chat -whatsapp-for-linux # I'll regret this -telegram-desktop # furry chat -google-chrome # web browser with spyware included -firefox # web browser that allows to disable spyware 
-# librewolf # no spyware web browser -tor-browser-bundle-bin # dark web, so dark! -# hugo # website engine -nicotine-plus # remember Ares? -warp # never used, but supposedly cool for sharing files -HentaiAtHome # uh-oh - -unstable.yt-dlp # downloads videos from most video websites -unstable.gallery-dl # similar to yt-dlp but for most image gallery websites -gdu # disk-space utility, somewhat useful -du-dust # rusty du -gocryptfs # encrypted filesystem! shhh!!! -exa # like ls but with colors -trashy # oop! didn't meant to delete that -ffmpeg # coolest video converter! -# neofetch # use once for brag, never again -rmlint # probably my favourite app, amazing dupe finder that integrates well with BTRFS -tldr # man for retards -# ffmpegthumbnailer # create video thumbnails for nautilus, in absence of totem -vcsi # video thumbnails for torrents, can I replace it with ^? -# mediainfo # technical info about videos, needed by some of my scripts -tree-sitter # code parsing, required by Doom emacs -torrenttools # create torrent files from the terminal! -lm_sensors # for extension, displays cpu temp - -# My own scripts -jawz_ffmpeg4discord -jawz_ffmpreg -jawz_manage_library -jawz_chat-dl -jawz_tasks -jawz_split_dir -jawz_pika_list -jawz_run - -# required by doom emacs, but still are rather useful. -fd # modern find, faster searches -fzf # fuzzy finder! super cool and useful -ripgrep # modern grep -languagetool # proofreader for English. check if works without the service -graphviz # graphs -# these two are for doom everywhere -xorg.xwininfo -xdotool -tetex - -# development environment -exercism # learn to code - -# SH -bats # testing system, required by Exercism -bashdb # autocomplete -shellcheck # linting -shfmt # a shell parser and formatter -file # required by my tasks script? -# gnome.zenity # dependency of my scripts -xclip # manipulate clipboard from scripts - -# NIX -nixfmt # linting -cachix # why spend time compiling? - -# PYTHON. 
-python3 # base language -pipenv # python development workflow for humans -poetry # dependency management made easy - -# C# & Rust -# omnisharp-roslyn # c# linter and code formatter - -# HASKELL -# cabal-install # haskell interface - -# JS -# jq # linting -nodejs # not as bad as I thought - -hunspell -hunspellDicts.it_IT -hunspellDicts.es_MX -hunspellDicts.en_CA - -# Themes -adw-gtk3 -# gradience # theme customizer, allows you to modify adw-gtk3 themes -gnome.gnome-tweaks # tweaks for the gnome desktop environment -qgnomeplatform - -# Fonts -(nerdfonts.override { - fonts = [ "Agave" "CascadiaCode" "SourceCodePro" "Ubuntu" "FiraCode" "Iosevka" ]; -}) -symbola -(papirus-icon-theme.override { - color = "adwaita"; -}) - -]) ++ (with pkgs.python3Packages; [ - flake8 # wraper for pyflakes, pycodestyle and mccabe - isort # sort Python imports - nose # testing and running python scripts - pyflakes # checks source code for errors - pytest # framework for writing tests - speedtest-cli # check internet speed from the comand line - editorconfig # follow rules of contributin - black # Python code formatter - pylint # bug and style checker for python - (buildPythonApplication rec { - pname = "download"; - version = "1.5"; - src = ./scripts/download/.; - doCheck = false; - buildInputs = [ setuptools ]; - propagatedBuildInputs = - [ pyyaml types-pyyaml ]; - }) - (buildPythonApplication rec { - pname = "ffpb"; - version = "0.4.1"; - src = fetchPypi { - inherit pname version; - sha256 = "sha256-7eVqbLpMHS1sBw2vYS4cTtyVdnnknGtEI8190VlXflk="; - }; - doCheck = false; - buildInputs = [ setuptools ]; - propagatedBuildInputs = - [ tqdm ]; - }) - -]) ++ (with pkgs.bat-extras; [ - batman # man pages - batpipe # piping - batgrep # ripgrep - batdiff # this is getting crazy! - batwatch # probably my next best friend - prettybat # trans your sourcecode! 
- -]) ++ (with pkgs.gnomeExtensions; [ - appindicator # applets for open applications - gsconnect # sync data and notifications from your phone - freon # hardware temperature monitor - panel-scroll # scroll well to change workspaces - reading-strip # like putting a finger on every line I read - tactile # window manager - pano # clipboard manager - blur-my-shell # make the overview more visually appealing - # burn-my-windows - # forge # window manager -# ]) ++ (with unstable.pkgs.gnomeExtensions; [ - -]) ++ (with pkgs.nodePackages; [ - dockerfile-language-server-nodejs # LSP - bash-language-server # LSP - pyright # LSP - markdownlint-cli # Linter - prettier # Linter - pnpm # Package manager -]); }; # <--- end of package list - -fonts.fontconfig.enable = true; - -home-manager.useUserPackages = true; -home-manager.useGlobalPkgs = true; - -home-manager.users.jawz = { config, pkgs, ... }:{ - home.stateVersion = VERSION; - home.packages = with pkgs; [ ]; - -programs.bash = { - enable = true; - historyFile = "\${XDG_STATE_HOME}/bash/history"; - historyControl = [ "erasedups" ]; - shellAliases = { - ls = "exa --icons --group-directories-first --no-permissions --no-user --no-time"; - edit = "emacsclient -t"; - comic = "download -u jawz -i $(cat $LC | fzf --multi --exact -i)"; - gallery = "download -u jawz -i $(cat $LW | fzf --multi --exact -i)"; - open_gallery = "cd /mnt/disk2/scrapping/JawZ/gallery-dl && xdg-open $(fd . ./ Husbands -tdirectory -d 1 | fzf -i)"; - unique_extensions = "fd -tf | rev | cut -d. -f1 | rev | tr '[:upper:]' '[:lower:]' | sort | uniq --count | sort -rn"; - cp = "cp -i"; - mv = "mv -i"; - mkcd = "mkdir -pv \"$1\" && cd \"$1\" || exit"; - mkdir = "mkdir -p"; - rm = "trash"; - ".." = "cd .."; - "..." 
= "cd ../.."; - ".3" = "cd ../../.."; - ".4" = "cd ../../../.."; - ".5" = "cd ../../../../.."; - dl = "download -u jawz -i"; - e = "edit"; - c = "cat"; - f = "fzf --multi --exact -i"; - sc = "systemctl --user"; - jc = "journalctl --user -xefu"; - }; - enableVteIntegration = true; - initExtra = '' - -/home/jawz/.local/bin/pokemon-colorscripts -r --no-title -# Lists -list_root=${config.home.homeDirectory}/.config/jawz/lists/jawz -export LW=$list_root/watch.txt -export LI=$list_root/instant.txt -export LC=$list_root/comic.txt -export command_timeout=30 - -# GPG_TTY=$(tty) -# export GPG_TTY - -if command -v fzf-share >/dev/null; then - source "$(fzf-share)/key-bindings.bash" - source "$(fzf-share)/completion.bash" -fi - -nixos-magic () { - local nix_file="$HOME/Development/NixOS/configuration.nix" - local hardware_file="$HOME/Development/NixOS/hardware-configuration.nix" - nixfmt "$nix_file" && nixfmt "$hardware_file" - sudo nixos-rebuild switch -I nixos-config="$nix_file" - sudo systemctl restart docker - sudo systemctl restart docker-compose -} - - ''; -}; - -programs = { - starship.enable = true; - direnv = { - enable = true; - enableBashIntegration = true; - nix-direnv.enable = true; - }; - bat = { - enable = true; - config = { - pager = "less -FR"; - theme = "base16"; }; - }; - git = { - enable = true; - userName = "Danilo Reyes"; - userEmail = "CaptainJawZ@outlook.com"; - }; - htop = { - enable = true; - package = pkgs.htop-vim; - }; -}; - -xdg = { - enable = true; - userDirs = { - enable = true; - # createDirectories = true; - desktop = "${config.home.homeDirectory}"; - documents = "${config.home.homeDirectory}/Documents"; - download = "${config.home.homeDirectory}/Downloads"; - music = "${config.home.homeDirectory}/Music"; - pictures = "${config.home.homeDirectory}/Pictures"; - # publicShare = "${config.home.homeDirectory}/.local/hd/Public"; - templates = "${config.home.homeDirectory}/.local/share/Templates"; - videos = "${config.home.homeDirectory}/Videos"; - 
}; - configFile = { - "wgetrc".source = ./dotfiles/wget/wgetrc; - "configstore/update-notifier-npm-check.json".source = ./dotfiles/npm/update-notifier-npm-check.json; - "npm/npmrc".source = ./dotfiles/npm/npmrc; - "gallery-dl/config.json".source = ./dotfiles/gallery-dl/config.json; - "htop/htoprc".source = ./dotfiles/htop/htoprc; - }; -}; - -services = { - lorri.enable = true; - emacs = { - enable = true; - defaultEditor = true; - package = pkgs.emacs; - }; -}; - -}; - -environment.systemPackages = with pkgs; [ - wget - docker-compose # easy way to migrate my docker anywhere! -]; - -environment.variables = rec { - # PATH - XDG_CACHE_HOME = "\${HOME}/.cache"; - XDG_CONFIG_HOME = "\${HOME}/.config"; - XDG_BIN_HOME = "\${HOME}/.local/bin"; - XDG_DATA_HOME = "\${HOME}/.local/share"; - XDG_STATE_HOME = "\${HOME}/.local/state"; - - # DEV PATH - CABAL_CONFIG = "\${XDG_CONFIG_HOME}/cabal/config"; - CABAL_DIR = "\${XDG_CACHE_HOME}/cabal"; - CARGO_HOME = "\${XDG_DATA_HOME}/cargo"; - GEM_HOME = "\${XDG_DATA_HOME}/ruby/gems"; - GEM_PATH = "\${XDG_DATA_HOME}/ruby/gems"; - GEM_SPEC_CACHE = "\${XDG_DATA_HOME}/ruby/specs"; - GOPATH = "\${XDG_DATA_HOME}/go"; - NPM_CONFIG_USERCONFIG = "\${XDG_CONFIG_HOME}/npm/npmrc"; - PNPM_HOME = "\${XDG_DATA_HOME}/pnpm"; - - # OPTIONS - # HISTFILE = "\${XDG_STATE_HOME}/bash/history"; - LESSHISTFILE = "-"; - GHCUP_USE_XDG_DIRS = "true"; - RIPGREP_CONFIG_PATH = "\${XDG_CONFIG_HOME}/ripgrep/ripgreprc"; - ELECTRUMDIR = "\${XDG_DATA_HOME}/electrum"; - VISUAL = "emacsclient -ca emacs"; - WGETRC = "\${XDG_CONFIG_HOME}/wgetrc"; - XCOMPOSECACHE = "${XDG_CACHE_HOME}/X11/xcompose"; - "_JAVA_OPTIONS" = "-Djava.util.prefs.userRoot=\${XDG_CONFIG_HOME}/java"; - DOCKER_CONFIG="\${XDG_CONFIG_HOME}/docker"; - - # NVIDIA - CUDA_CACHE_PATH = "\${XDG_CACHE_HOME}/nv"; - # WEBKIT_DISABLE_COMPOSITING_MODE = "1"; - # GBM_BACKEND = "nvidia-drm"; - # "__GLX_VENDOR_LIBRARY_NAME" = "nvidia"; - - # Themes - # GTK_THEME = "Adwaita:light"; - # QT_QPA_PLATFORMTHEME = "adwaita"; - 
# QT_STYLE_OVERRIDE = "adwaita"; - CALIBRE_USE_SYSTEM_THEME = "1"; - - PATH = [ - "\${HOME}/.local/bin" - "\${XDG_CONFIG_HOME}/emacs/bin" - "\${XDG_DATA_HOME}/npm/bin" - "\${XDG_DATA_HOME}/pnpm" - ]; -}; - -virtualisation.docker = { - enable = true; - storageDriver = "btrfs"; - enableNvidia = true; -}; - -snapraid = { - enable = true; - touchBeforeSync = true; - sync.interval = "02:00"; - scrub = { - plan = 10; - olderThan = 10; - interval = "4:00"; - }; - parityFiles = [ - "/mnt/parity/snapraid.parity" - ]; - extraConfig = '' - autosave 5000 - ''; - exclude = [ - "/tmp/" - "/lost+found/" - "/multimedia/downloads/" - "/scrapping/nextcloud/" - "/backups/" - "/glue/Spankbank/____UNORGANIZED/Chaturbate/" - "/nextcloud/nextcloud.log" - ]; - dataDisks = { - d1 = "/mnt/disk1/"; - d2 = "/mnt/disk2/"; - }; - contentFiles = [ - "/var/snapraid.content" - "/mnt/disk1/snapraid.content" - "/mnt/disk2/snapraid.content" - ]; -}; - -programs = { - fzf.fuzzyCompletion = true; - mtr.enable = true; - neovim = { - enable = true; - vimAlias = true; - }; - gnupg.agent = { - enable = true; - enableSSHSupport = true; - }; - geary = { - enable = true; - }; - steam = { - enable = true; - remotePlay.openFirewall = true; - dedicatedServer.openFirewall = true; - }; -}; - -services = { - printing = { - enable = true; - drivers = [ pkgs.hplip pkgs.hplipWithPlugin ]; - }; - avahi.enable = true; - avahi.nssmdns = true; - fstrim.enable = true; - btrfs.autoScrub = { - enable = true; - fileSystems = [ - "/" - "/mnt/disk1" - "/mnt/disk2" - ]; - }; - openssh = { - enable = true; - ports = [ 25152 ]; - settings = { - PasswordAuthentication = false; - KbdInteractiveAuthentication = false; - }; - startWhenNeeded = true; - listenAddresses = [ - { - addr = "0.0.0.0"; - port = 25152; - } - ]; - }; - emacs = { - enable = true; - defaultEditor = true; - package = pkgs.emacs; - }; -}; - -systemd.services = { - "docker-compose" = { - enable = true; - restartIfChanged = true; - description = "Start docker-compose 
servers"; - after = [ "docker.service" "docker.socket" ]; - requires = [ "docker.service" "docker.socket" ]; - wantedBy = [ "default.target" ]; - environment = { - FILE = "/home/jawz/Development/Docker/docker-compose.yml"; - }; - path = [ - pkgs.docker-compose - ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - ExecStart = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans"; - ExecStop = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down"; - }; - }; - "nextcloud_scrapsync" = { - description = "Sync scrapped files with nextcloud"; - wantedBy = [ "default.target" ]; - path = [ - pkgs.bash - jawz_nextcloud_scrapsync - ]; - serviceConfig = { - RestartSec = 30; - ExecStart = "${jawz_nextcloud_scrapsync}/bin/nextcloud_scrapsync"; - }; - }; -}; -systemd.timers = { - "nextcloud_scrapsync" = { - enable = true; - description = "Sync scrapped files with nextcloud"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar= [ - "*-*-* 01:32:00" - "*-*-* 08:32:00" - "*-*-* 14:32:00" - "*-*-* 20:32:00" - ]; - RandomizedDelaySec = 30; - Persistent = true; - }; - }; -}; -systemd.user.services = { - "HentaiAtHome" = { - enable = true; - restartIfChanged = true; - description = "Run hentai@home server"; - wantedBy = [ "default.target" ]; - path = [ - pkgs.HentaiAtHome - ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - WorkingDirectory="/mnt/hnbox"; - ExecStart = "${pkgs.HentaiAtHome}/bin/HentaiAtHome"; - }; - }; - "manage_library" = { - enable = true; - restartIfChanged = true; - description = "Run the manage library bash script"; - wantedBy = [ "default.target" ]; - path = [ - pkgs.bash - pkgs.nix - jawz_manage_library - ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - ExecStart = "${jawz_manage_library}/bin/manage_library"; - }; - }; - "tasks" = { - restartIfChanged = true; - description = "Run a tasks script which keeps a lot of things organized"; - wantedBy = [ "default.target" 
];
- path = [
- pkgs.bash
- pkgs.nix
- jawz_tasks
- ];
- serviceConfig = {
- Restart = "on-failure";
- RestartSec = 30;
- ExecStart = "${jawz_tasks}/bin/tasks";
- };
- };
-};
-systemd.user.timers = {
- "tasks" = {
- enable = true;
- description = "Run a tasks script which keeps a lot of things organized";
- wantedBy = [ "timers.target" ];
- timerConfig = {
- OnCalendar = "*:0/10";
- };
- };
-};
-
-networking.firewall.allowedTCPPorts = open_firewall_ports;
-networking.firewall.allowedUDPPorts = open_firewall_ports;
-networking.firewall.allowedTCPPortRanges = open_firewall_port_ranges;
-networking.firewall.allowedUDPPortRanges = open_firewall_port_ranges;
-# networking.firewall.enable = false;
-
-system = {
- copySystemConfiguration = true;
- stateVersion = VERSION;
-};
-nix = {
- settings = {
- substituters = [
- "https://nix-gaming.cachix.org"
- "https://nixpkgs-python.cachix.org"
- "https://devenv.cachix.org"
- ];
- trusted-public-keys = [
- "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
- "nixpkgs-python.cachix.org-1:hxjI7pFxTyuTHn2NkvWCrAUcNZLNS3ZAvfYNuYifcEU="
- "devenv.cachix.org-1:w1cLUi8dv3hnoSPGAuibQv+f9TZLr6cv/Hm9XgU50cw="
- ];
- };
- gc = {
- automatic = true;
- dates = "weekly";
- };
-};
-
-}
diff --git a/nginx.nix b/nginx.nix
new file mode 100755
index 0000000..3ad18c8
--- /dev/null
+++ b/nginx.nix
@@ -0,0 +1,258 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +let + localhost = "127.0.0.1"; + jellyfinPort = 8086; + nextcloudPort = 80; + # unstable_tarball = + # builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master"; + # unstable = import unstable_tarball { config = config.nixpkgs.config; }; +in { + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; + commonHttpConfig = '' + ### GLOBAL + # Add HSTS header with preloading to HTTPS requests. + # Adding this header to HTTP requests is discouraged + map $scheme $hsts_header { + https "max-age=31536000; includeSubdomains; preload"; + } + add_header Strict-Transport-Security $hsts_header; + + # Enable CSP for your services. + #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; + + # Minimize information leaked to other domains + add_header 'Referrer-Policy' 'origin-when-cross-origin'; + + # Disable embedding as a frame + add_header X-Frame-Options DENY; + + # Prevent injection of code in other mime types (XSS Attacks) + add_header X-Content-Type-Options nosniff; + + # Enable XSS protection of the browser. 
+ # May be unnecessary when CSP is configured properly (see above) + add_header X-XSS-Protection "1; mode=block"; + + # This might create errors + proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; + ### NEXTCLOUD + # upstream php-handler { + # server 127.0.0.1:9000; + # #server unix:/var/run/php/php7.4-fpm.sock; + # } + + # Set the `immutable` cache control options only for assets with a cache busting `v` argument + # map $arg_v $asset_immutable { + # "" ""; + # default "immutable"; + # } + ### JELLYFIN + proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m; + proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off; + map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; } + map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; } + ''; + virtualHosts = let + base = locations: { + inherit locations; + forceSSL = true; + enableACME = true; + http2 = true; + }; + proxy = port: + base { "/".proxyPass = "http://127.0.0.1:" + toString (port) + "/"; }; + in { + "flix.servidos.lat" = { + forceSSL = true; + enableACME = true; + http2 = true; + extraConfig = '' + # use a variable to store the upstream proxy + # in this example we are using a hostname which is resolved via DNS + # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address + # e.g `set $jellyfin 127.0.0.1`) + set $jellyfin 127.0.0.1; + resolver 127.0.0.1 valid=30; + + location = / { + return 302 http://$host/web/; + #return 302 https://$host/web/; + } + location = /web/ { + # Proxy main Jellyfin traffic + proxy_pass http://$jellyfin:8096/web/index.html; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host 
$http_host; + } + ''; + locations = { + "/" = { + proxyPass = "http://$jellyfin:8096"; + proxyWebsockets = true; + }; + "/socket" = { + proxyPass = "http://$jellyfin:8096"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + ''; + }; + "~ /Items/(.*)/Images" = { + proxyPass = "http://$jellyfin:8096"; + extraConfig = '' + proxy_cache jellyfin; + proxy_cache_revalidate on; + proxy_cache_lock on; + ''; + }; + "~* ^/Videos/(.*)/(?!live)" = { + proxyPass = "http://$jellyfin:8096"; + extraConfig = '' + # Set size of a slice (this amount will be always requested from the backend by nginx) + # Higher value means more latency, lower more overhead + # This size is independent of the size clients/browsers can request + # slice 2m; + + proxy_cache jellyfin-videos; + proxy_cache_valid 200 206 301 302 30d; + proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires; + proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; + proxy_connect_timeout 15s; + proxy_http_version 1.1; + proxy_set_header Connection ""; + # Transmit slice range to the backend + proxy_set_header Range 2m; + + # This saves bandwidth between the proxy and jellyfin, as a file is only downloaded one time instead of multiple times when multiple clients want to at the same time + # The first client will trigger the download, the other clients will have to wait until the slice is cached + # Esp. 
practical during SyncPlay + proxy_cache_lock on; + proxy_cache_lock_age 60s; + + proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=2m"; + + # add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache + ''; + }; + }; + }; + "library.servidos.lat" = proxy 5000 // { }; + ${config.services.nextcloud.hostName} = { + forceSSL = true; + enableACME = true; + http2 = true; + # extraConfig = '' + # server_tokens off; + + # # set max upload size and increase upload timeout: + # client_body_timeout 300s; + # # fastcgi_buffers 64 4K; + + # # The settings allows you to optimize the HTTP2 bandwitdth. + # # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ + # # for tunning hints + # client_body_buffer_size 512k; + + # # HTTP response headers borrowed from Nextcloud `.htaccess` + # add_header Referrer-Policy "no-referrer" always; + # add_header X-Download-Options "noopen" always; + # add_header X-Permitted-Cross-Domain-Policies "none" always; + # add_header X-Robots-Tag "noindex, nofollow" always; + + # # Remove X-Powered-By, which is an information leak + # fastcgi_hide_header X-Powered-By; + + # # Specify how to handle directories -- specifying `/index.php$request_uri` + # # here as the fallback means that Nginx always exhibits the desired behaviour + # # when a client requests a path that corresponds to a directory that exists + # # on the server. 
In particular, if that directory contains an index.php file, + # # that file is correctly served; if it doesn't, then the request is passed to + # # the front-end controller. This consistent behaviour means that we don't need + # # to specify custom rules for certain paths (e.g. images and other assets, + # # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus + # # `try_files $uri $uri/ /index.php$request_uri` + # # always provides the desired behaviour. + # index index.php index.html /index.php$request_uri; + # ''; + # locations = { + # "/".extraConfig = '' + # try_files $uri $uri/ /index.php$request_uri; + # ''; + # "= /".extraConfig = '' + # # Rule borrowed from `.htaccess` to handle Microsoft DAV clients + # if ( $http_user_agent ~ ^DavClnt ) { + # return 302 /remote.php/webdav/$is_args$args; + # } + # ''; + # "^~ /.well-known".extraConfig = '' + # # The rules in this block are an adaptation of the rules + # # in `.htaccess` that concern `/.well-known`. + + # location /.well-known/acme-challenge { try_files $uri $uri/ =404; } + # location /.well-known/pki-validation { try_files $uri $uri/ =404; } + + # # Let Nextcloud's API for `/.well-known` URIs handle all other + # # requests by passing them to the front-end controller. 
+ # return 301 /index.php$request_uri; + # ''; + # "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = + # "return 404;"; + # "~ ^/(?:.|autotest|occ|issue|indie|db_|console)".extraConfig = + # "return 404;"; + # "~ .php(?:$|/)".extraConfig = '' + # # Required for legacy support + # rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; + + # fastcgi_split_path_info ^(.+?\.php)(/.*)$; + # set $path_info $fastcgi_path_info; + + # try_files $fastcgi_script_name =404; + + # # include fastcgi_params; + # include "${pkgs.nginx}/conf/fastcgi_params"; + # fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + # fastcgi_param PATH_INFO $path_info; + # fastcgi_param HTTPS on; + + # fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice + # fastcgi_param front_controller_active true; # Enable pretty urls + + # fastcgi_intercept_errors on; + # fastcgi_request_buffering off; + + # fastcgi_max_temp_file_size 0; + # ''; + # "~ .(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$" = { + # extraConfig = '' + # try_files $uri /index.php$request_uri; + # access_log off; # Optional: Don't log access to assets + # location ~ \.wasm$ { + # default_type application/wasm; + # } + # ''; + # }; + # "~ .woff2?$".extraConfig = '' + # try_files $uri /index.php$request_uri; + # expires 7d; # Cache-Control policy borrowed from `.htaccess` + # access_log off; # Optional: Don't log access to assets ''; + # "/remote".extraConfig = "return 301 /remote.php$request_uri;"; + # }; + }; + }; + }; +}
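Review bot: The `proxy_cache_key` in the `~* ^/Videos/(.*)/(?!live)` location keys cached media only on `$uri` and the transcoding query arguments, and `proxy_ignore_headers ... Set-Cookie` strips the one signal that would stop caching, so once a client has populated the cache any request that reproduces the same URI and parameters is answered by nginx without the upstream seeing it — if Jellyfin authorizes those requests by token header or `api_key`, the cache turns them into unauthenticated reads for the full 30-day `proxy_cache_valid` window, so either state that trade-off in a comment or fold the credential into the key (e.g. append `&token=$http_x_emby_token$arg_api_key`). In the same location `proxy_set_header Range 2m;` and the `slicerange=2m` key suffix look like leftovers of the commented-out `slice 2m;`: as written nginx replaces the client's Range header with an invalid value and caches un-sliced responses, and the intended form is `slice 2m;` with `proxy_set_header Range $slice_range;` and `slicerange=$slice_range` in the key. The root redirect `return 302 http://$host/web/;` sends an already-TLS client back through plaintext before `forceSSL` bounces it to HTTPS again; the commented alternative `return 302 https://$host/web/;` is the one to keep. `sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"` overrides the list `recommendedTlsSettings = true` already installs and admits CBC suites while excluding AES-128-GCM and ChaCha20, so it should be dropped rather than hand-maintained. The header `# Do not modify this file! It was generated by ‘nixos-generate-config’` was copied from hardware-configuration.nix and is false for this hand-written module; replace it with a one-line description such as `# nginx reverse proxy for Jellyfin, the library service on :5000 and Nextcloud`.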