diff --git a/hosts/muon/home.nix b/hosts/muon/home.nix index 063bfdd..75d1367 100644 --- a/hosts/muon/home.nix +++ b/hosts/muon/home.nix @@ -1,11 +1,5 @@ -{ - pkgs, - lib, - osConfig, - ... -}: let - cfg = osConfig.mods; -in { +{ pkgs, lib, osConfig,... }: +let cfg = osConfig.mods; in { # Modules mods.xdg.enable = true; mods.social.enable = true; @@ -17,22 +11,17 @@ in { mods.desktop.development.enable = true; mods.desktop.productivity.enable = true; mods.desktop.media.enable = true; - mods.zen.enable = true; - mods.obsidian.enable = true; # Hardware preferences ## Monitors - xsession.windowManager.i3.config.workspaceOutputAssign = [ - { - workspace = "1"; - output = "${cfg.monitors.primary.name}"; - } - { - workspace = "2"; - output = "${cfg.monitors.secondary.name}"; - } - ]; + xsession.windowManager.i3.config.workspaceOutputAssign = [{ + workspace = "1"; + output = "${cfg.monitors.primary.name}"; + } { + workspace = "2"; + output = "${cfg.monitors.secondary.name}"; + }]; services.autorandr.enable = true; programs.autorandr = { enable = true; @@ -49,9 +38,9 @@ in { }; config = { "${cfg.monitors.primary.name}" = - cfg.monitors.primary.config; + cfg.monitors.primary.config; "${cfg.monitors.secondary.name}" = - cfg.monitors.secondary.config; + cfg.monitors.secondary.config; }; }; }; diff --git a/modules/home/desktop/media.nix b/modules/home/desktop/media.nix index b2853fd..2f4fe79 100644 --- a/modules/home/desktop/media.nix +++ b/modules/home/desktop/media.nix @@ -14,7 +14,7 @@ pavucontrol # Video - # (callPackage ./packages/stremio-linux-shell.nix {}) + (callPackage ./packages/stremio-linux-shell.nix {}) # Podcasts gpodder diff --git a/modules/home/desktop/productivity.nix b/modules/home/desktop/productivity.nix index f18c5b5..6072d85 100644 --- a/modules/home/desktop/productivity.nix +++ b/modules/home/desktop/productivity.nix 
@@ -17,8 +17,8 @@ in home.packages = with pkgs; [ # ISO downloader qbittorrent - # xd - # biglybt + xd + biglybt # transmission_4-gtk # email diff --git a/modules/nixos/core/network.nix b/modules/nixos/core/network.nix index b1886ac..8eea024 100644 --- a/modules/nixos/core/network.nix +++ b/modules/nixos/core/network.nix 
@@ -1,107 +1,103 @@ -{ - pkgs, - lib, - config, - ... -}: let +{ pkgs, lib, config, ... }: + +let cfg = config.mods; wg = cfg.wireguard; -in - with lib; { - options.mods = { - i2p.enable = mkEnableOption "enables i2p network"; - tailscale.enable = mkEnableOption "enables tailscale"; - wireguard.id = mkOption { - type = with types; nullOr ints.u8; - default = null; - }; +in with lib; { + options.mods = { + i2p.enable = mkEnableOption "enables i2p network"; + tailscale.enable = mkEnableOption "enables tailscale"; - openvpn.enable = mkEnableOption "enables openvpn config"; - openvpn.config = let - username = "${config.mods.user.name}"; - folder = "${config.users.users.${username}.home}/documents/openvpn/"; - file = "${config.mods.user.name}.ovpn"; - in - mkOption { - description = "the config location"; - default = "${folder}${file}"; - }; + wireguard.id = mkOption { + type = with types; nullOr ints.u8; + default = null; }; - config = { - networking.networkmanager.enable = true; - # networking.nameservers = [ "45.90.28.97" "45.90.30.97" ]; - networking.nameservers = ["194.242.2.4#base.dns.mullvad.net"]; - # services.resolved = { - # enable = true; - # dnssec = "false"; - # dnsovertls = "true"; - # domains = [ "~." 
]; - # fallbackDns = [ "194.242.2.4#base.dns.mullvad.net" ]; - # }; - - # udev 250 doesn't reliably reinitialize devices after restart - systemd.services.systemd-udevd.restartIfChanged = false; - # systemd.services.NetworkManager-wait-online.enable = lib.mkForce false; - # systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; - - services.tailscale.enable = cfg.tailscale.enable; - - services.openvpn.servers = mkIf cfg.openvpn.enable { - remote.config = "config ${cfg.openvpn.config}"; - }; - - networking.firewall.allowedTCPPorts = [ - 7656 # default proto sam port - 7070 # default web interface port - 4447 # default socks proxy port - 4444 # default http proxy port - ]; - services.i2pd = lib.mkIf cfg.i2p.enable { - enable = true; - proto.sam.enable = true; - address = "127.0.0.1"; - proto = { - http.enable = true; - socksProxy.enable = true; - httpProxy.enable = true; - }; - }; - - networking.firewall.allowedUDPPorts = [51820 16261]; - networking.wg-quick.interfaces = lib.mkIf (wg.id != null) { - wg0 = { - address = [ - "10.0.0.${toString wg.id}/24" - "fdc9:281f:04d7:9ee9::${toString wg.id}/64" - ]; - # dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; - mtu = 1500; - privateKeyFile = "/home/muon/wireguard-keys/private"; - - peers = [ - { - publicKey = "2RF8GmTZwQdzVm2l2piYy6U0qiMU3wSxC7Lt8urAjwA="; - presharedKeyFile = "/home/muon/wireguard-keys/psk-${config.networking.hostName}"; - allowedIPs = ["10.0.0.${toString wg.id}/24"]; - # allowedIPs = [ "0.0.0.0/0" ]; - # ip route add 93.95.230.11 via 192.168.0.1 - endpoint = "93.95.230.11:51820"; - persistentKeepalive = 25; - } - ]; - }; - }; - - networking.extraHosts = '' - 10.0.0.1 mups - 10.0.0.2 muon - 10.0.0.3 muho - 10.0.0.4 muop - ''; - - # gateway = - # "${pkgs.networkmanager}/bin/nmcli dev show ${interface} | ${pkgs.gnugrep}/bin/fgrep IP4.GATEWAY | ${pkgs.awk}/bin/awk {print $2}"; + openvpn.enable = mkEnableOption "enables openvpn config"; + openvpn.config = let + username = 
"${config.mods.user.name}"; + folder = "${config.users.users.${username}.home}/documents/openvpn/"; + file = "${config.mods.user.name}.ovpn"; + in mkOption { + description = "the config location"; + default = "${folder}${file}"; }; - } + }; + + config = { + networking.networkmanager.enable = true; + # networking.nameservers = [ "45.90.28.97" "45.90.30.97" ]; + networking.nameservers = [ "194.242.2.4#base.dns.mullvad.net" ]; + # services.resolved = { + # enable = true; + # dnssec = "false"; + # dnsovertls = "true"; + # domains = [ "~." ]; + # fallbackDns = [ "194.242.2.4#base.dns.mullvad.net" ]; + # }; + + # udev 250 doesn't reliably reinitialize devices after restart + systemd.services.systemd-udevd.restartIfChanged = false; + # systemd.services.NetworkManager-wait-online.enable = lib.mkForce false; + # systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; + + services.tailscale.enable = cfg.tailscale.enable; + + services.openvpn.servers = mkIf cfg.openvpn.enable { + remote.config = "config ${cfg.openvpn.config}"; + }; + + networking.firewall.allowedTCPPorts = [ + 7656 # default proto sam port + 7070 # default web interface port + 4447 # default socks proxy port + 4444 # default http proxy port + ]; + services.i2pd = lib.mkIf cfg.i2p.enable { + enable = true; + proto.sam.enable = true; + address = "127.0.0.1"; + proto = { + http.enable = true; + socksProxy.enable = true; + httpProxy.enable = true; + }; + }; + + networking.firewall.allowedUDPPorts = [ 51820 16261 ]; + networking.wg-quick.interfaces = lib.mkIf (wg.id != null) { + wg0 = { + address = [ + "10.0.0.${toString wg.id}/24" + "fdc9:281f:04d7:9ee9::${toString wg.id}/64" + ]; + dns = [ "10.0.0.1" "fdc9:281f:04d7:9ee9::1" ]; + mtu = 1500; + privateKeyFile = "/home/muon/wireguard-keys/private"; + + peers = [{ + publicKey = "2RF8GmTZwQdzVm2l2piYy6U0qiMU3wSxC7Lt8urAjwA="; + presharedKeyFile = + "/home/muon/wireguard-keys/psk-${config.networking.hostName}"; + allowedIPs = [ "10.0.0.${toString 
wg.id}/24" ]; + # allowedIPs = [ "0.0.0.0/0" ]; + # ip route add 93.95.230.11 via 192.168.0.1 + endpoint = "93.95.230.11:51820"; + persistentKeepalive = 25; + }]; + }; + }; + + networking.extraHosts = '' + 10.0.0.1 mups + 10.0.0.2 muon + 10.0.0.3 muho + 10.0.0.4 muop + ''; + + # gateway = + # "${pkgs.networkmanager}/bin/nmcli dev show ${interface} | ${pkgs.gnugrep}/bin/fgrep IP4.GATEWAY | ${pkgs.awk}/bin/awk {print $2}"; + + }; +} diff --git a/modules/nixos/server/audio.nix b/modules/nixos/server/audio.nix index 7cb6714..8b1af15 100644 --- a/modules/nixos/server/audio.nix +++ b/modules/nixos/server/audio.nix @@ -40,7 +40,6 @@ in with lib; { openFirewall = true; openRPCPort = true; port = arr.torrent.port; - package = pkgs.transmission_4; settings = { download-dir = "/storage1/download"; rpc-port = arr.torrent.port; diff --git a/modules/nixos/server/grav/default.nix b/modules/nixos/server/grav/default.nix index 7667bf5..80920cf 100644 --- a/modules/nixos/server/grav/default.nix +++ b/modules/nixos/server/grav/default.nix @@ -23,7 +23,7 @@ in with lib; { inherit port; enable = true; root = cfg.grav.location; - phpPackage = pkgs.php83; + phpPackage = pkgs.php81; }; users.users.${config.mods.user.name}.extraGroups = lib.mkAfter [ "grav" ]; }; diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index c307231..fafb4df 100644 --- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix 
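Review bot: The newly enabled `dns = [ "10.0.0.1" "fdc9:281f:04d7:9ee9::1" ];` names an IPv6 resolver the tunnel cannot reach: `allowedIPs` lists only `"10.0.0.${toString wg.id}/24"`, so wg-quick installs no IPv6 route through wg0 and queries to `fdc9:…::1` would presumably leave via the default route or time out. Either add `"fdc9:281f:04d7:9ee9::/64"` to `allowedIPs` or drop the v6 resolver, and write the v4 entry as the network `"10.0.0.0/24"` rather than a host address with a /24 mask, which wg silently normalises. The key material is also read from a hard-coded `/home/muon/wireguard-keys/...` path instead of the `config.mods.user.name`-derived paths used elsewhere in this module, and a key under a user-writable home is readable by every process running as that user — a root-owned location such as `/etc/wireguard/` with mode 0600 would be the usual choice. Finally, the i2pd TCP ports and the UDP list are opened in the firewall unconditionally; gating them with `lib.mkIf cfg.i2p.enable` and `lib.mkIf (wg.id != null)` keeps them closed on hosts that never enable those services (i2pd binds `127.0.0.1` here, so the TCP entries may not be needed at all).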
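Review bot: Removing `package = pkgs.transmission_4;` leaves the daemon version to the `services.transmission` module default, which depending on the nixpkgs channel in use may still be the 3.x series rather than 4.x; the diff gives no reason for the change. If the intent is to track the module default, a one-line comment such as `# transmission version follows the nixpkgs module default` above `settings = {` would record that; otherwise keep the explicit pin so the exposed RPC/torrent service does not silently change major version on a channel update.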
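Review bot: Changing `phpPackage = pkgs.php83;` to `pkgs.php81;` is a downgrade to a PHP branch that has left active support and whose security-only fix window ends with 2025, and nixpkgs may drop or mark it insecure before this config is next rebuilt. If Grav requires 8.1 for compatibility, record that in place, e.g. `phpPackage = pkgs.php81; # Grav currently needs PHP 8.1 — revisit when upstream supports 8.2+`, so the downgrade is not mistaken for a stray edit; otherwise prefer the newer package.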
@@ -82,7 +82,7 @@ in add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; - add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; script-src 'self'; object-src 'none'; base-uri 'none';"; always; + add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always; add_header Permissions-Policy "interest-cohort=()" always; # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; ''; @@ -99,14 +99,6 @@ in "/" = { proxyPass = "http://${cfg.ip}:${toString port}/"; proxyWebsockets = true; - extraConfig = - # sh - '' - client_max_body_size 50000M; - proxy_read_timeout 600s; - proxy_send_timeout 600s; - send_timeout 600s; - ''; }; }; in
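Review bot: The rewritten `Content-Security-Policy` line fixes the stray `;` after the closing quote in the old line, but it also drops `script-src 'self'; object-src 'none'; base-uri 'none'`, so scripts now fall back to `default-src`, which allows `'unsafe-inline'` and any `http:`/`https:` origin — effectively no script restriction at all. `object-src 'none'` and `base-uri 'none'` almost never break a proxied application, so keep at least those: `add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; object-src 'none'; base-uri 'none';" always;`. If `script-src 'self'` was removed because the upstream app needs inline scripts, state that in a comment and scope it explicitly (e.g. `script-src 'self' 'unsafe-inline'`) rather than inheriting the wide-open default. The enclosing Nix string begins before this hunk.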