muon/flake
1
0
Fork 0
mirror of https://codeberg.org/muon/home.git synced 2026-03-09 11:53:12 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: muon:b1fdab737cca1017dbff29e4fd996be8da6917e1
Branches Tags
muon:main
muon:homelab
muon:vps
muon:container
muon:fresh
muon:i3
muon:hyprland
muon:refactor
muon:legacy
..
compare: muon:5bdf9e3a2c97bcb499369792f467ba4fbe84b450
Branches Tags
muon:main
muon:homelab
muon:vps
muon:container
muon:fresh
muon:i3
muon:hyprland
muon:refactor
muon:legacy

No commits in common. "b1fdab737cca1017dbff29e4fd996be8da6917e1" and "5bdf9e3a2c97bcb499369792f467ba4fbe84b450" have entirely different histories.
b1fdab737c ... 5bdf9e3a2c

9 changed files with 273 additions and 330 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -25,7 +25,7 @@ sudo cp {/mnt,/mnt/persist}/etc/machine-id
## Erasure ## Erasure
```nix ```nix
boot.initrd.postResumeCommands = lib.mkAfter /* bash */ '' boot.initrd.postResumeCommands = lib.mkAfter ''
mkdir /btrfs_tmp mkdir /btrfs_tmp
mount /dev/mapper/crypted /btrfs_tmp mount /dev/mapper/crypted /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then if [[ -e /btrfs_tmp/root ]]; then

4
hosts/muvo/home.nix
View file

@ -21,7 +21,6 @@ in {
mods.desktop.development.enable = true; mods.desktop.development.enable = true;
mods.desktop.productivity.enable = false; mods.desktop.productivity.enable = false;
mods.zen.enable = true; mods.zen.enable = true;
mods.theme.slideshow.enable = true;
home.packages = with pkgs; [ home.packages = with pkgs; [
pulseaudio pulseaudio
@ -36,6 +35,9 @@ in {
enable = true; enable = true;
hooks.postswitch = { hooks.postswitch = {
"notify-i3" = "${pkgs.i3}/bin/i3-msg restart"; "notify-i3" = "${pkgs.i3}/bin/i3-msg restart";
"set-wallpaper" = ''
${lib.getExe pkgs.feh} --bg-fill --nofehbg ${./wallpaper.png}
'';
}; };
}; };

1
modules/home/desktop/default.nix
View file

@ -14,7 +14,6 @@ in {
./productivity.nix ./productivity.nix
./media.nix ./media.nix
./zen.nix ./zen.nix
./theme.nix
]; ];
mods.hyprland.enable = lib.mkIf cfg.wayland.enable true; mods.hyprland.enable = lib.mkIf cfg.wayland.enable true;

102
modules/home/desktop/development.nix
View file

@ -12,48 +12,46 @@
programs.nyxt = { programs.nyxt = {
enable = false; enable = false;
config = config = ''
# lisp (in-package #:nyxt-user)
''
(in-package #:nyxt-user)
(defvar *my-search-engines* (defvar *my-search-engines*
(list (list
(make-instance 'search-engine (make-instance 'search-engine
:name "Searx" :name "Searx"
:shortcut "s" :shortcut "s"
#+nyxt-4 :control-url #+nyxt-3 :search-url #+nyxt-4 :control-url #+nyxt-3 :search-url
""https://search.muon.host/?q=~a";") ""https://search.muon.host/?q=~a";")
(make-instance 'search-engine (make-instance 'search-engine
:name "nixpkgs" :name "nixpkgs"
:shortcut "np" :shortcut "np"
#+nyxt-4 :control-url #+nyxt-3 :search-url #+nyxt-4 :control-url #+nyxt-3 :search-url
"https://search.nixos.org/packages?channel=unstable&query=~a"))) "https://search.nixos.org/packages?channel=unstable&query=~a")))
(make-instance 'search-engine (make-instance 'search-engine
:name "nix options" :name "nix options"
:shortcut "np" :shortcut "np"
#+nyxt-4 :control-url #+nyxt-3 :search-url #+nyxt-4 :control-url #+nyxt-3 :search-url
"https://search.nixos.org/options?channel=unstable&query=~a"))) "https://search.nixos.org/options?channel=unstable&query=~a")))
(make-instance 'search-engine (make-instance 'search-engine
:name "home-manager" :name "home-manager"
:shortcut "hm" :shortcut "hm"
#+nyxt-4 :control-url #+nyxt-3 :search-url #+nyxt-4 :control-url #+nyxt-3 :search-url
"https://home-manager-options.extranix.com/?release=master&query=~a"))) "https://home-manager-options.extranix.com/?release=master&query=~a")))
(define-configuration browser (define-configuration browser
((restore-session-on-startup-p nil) ((restore-session-on-startup-p nil)
(default-new-buffer-url (quri:uri "https://online.bonjourr.fr/")) (default-new-buffer-url (quri:uri "https://online.bonjourr.fr/"))
(external-editor-program ("alacritty -e hx") (external-editor-program ("alacritty -e hx")
#+nyxt-4 #+nyxt-4
(search-engine-suggestions-p nil) (search-engine-suggestions-p nil)
#+nyxt-4 #+nyxt-4
(search-engines (append %slot-default% *my-search-engines*)) (search-engines (append %slot-default% *my-search-engines*))
)) ))
''; '';
}; };
programs.qutebrowser = { programs.qutebrowser = {
@ -75,25 +73,23 @@
hm = "https://home-manager-options.extranix.com/?release=master&query={}"; hm = "https://home-manager-options.extranix.com/?release=master&query={}";
}; };
extraConfig = extraConfig = ''
# py host = c.content.blocking.hosts.lists.append
'' host("https://www.github.developerdan.com/hosts/lists/facebook-extended.txt")
host = c.content.blocking.hosts.lists.append
host("https://www.github.developerdan.com/hosts/lists/facebook-extended.txt")
abp = c.content.blocking.adblock.lists.append abp = c.content.blocking.adblock.lists.append
abp("https://fanboy.co.nz/r/fanboy-ultimate.txt") abp("https://fanboy.co.nz/r/fanboy-ultimate.txt")
abp("https://fanboy.co.nz/fanboy-antifacebook.txt") abp("https://fanboy.co.nz/fanboy-antifacebook.txt")
abp("https://fanboy.co.nz/fanboy-annoyance.txt") abp("https://fanboy.co.nz/fanboy-annoyance.txt")
abp("https://fanboy.co.nz/fanboy-cookiemonster.txt") abp("https://fanboy.co.nz/fanboy-cookiemonster.txt")
abp("https://easylist-downloads.adblockplus.org/antiadblockfilters.txt") abp("https://easylist-downloads.adblockplus.org/antiadblockfilters.txt")
abp("https://easylist-downloads.adblockplus.org/abp-filters-anti-cv.txt") abp("https://easylist-downloads.adblockplus.org/abp-filters-anti-cv.txt")
abp("https://github.com/DandelionSprout/adfilt/raw/master/LegitimateURLShortener.txt") abp("https://github.com/DandelionSprout/adfilt/raw/master/LegitimateURLShortener.txt")
abp("https://github.com/DandelionSprout/adfilt/raw/master/AnnoyancesList") abp("https://github.com/DandelionSprout/adfilt/raw/master/AnnoyancesList")
abp("https://github.com/DandelionSprout/adfilt/raw/master/SocialShareList.txt") abp("https://github.com/DandelionSprout/adfilt/raw/master/SocialShareList.txt")
abp("https://github.com/DandelionSprout/adfilt/raw/master/ExtremelyCondensedList.txt") abp("https://github.com/DandelionSprout/adfilt/raw/master/ExtremelyCondensedList.txt")
''; '';
}; };
}; };
} }

24
modules/home/desktop/theme.nix
View file

@ -1,24 +0,0 @@
{
lib,
config,
...
}: let
cfg = config.mods.theme.slideshow;
in {
options.mods.theme.slideshow = {
enable = lib.mkEnableOption "enables slideshow wallpaper";
folder = lib.mkOption {
default = "%h/misc/pictures/wallpapers";
description = "slideshow wallpaper folder";
};
};
config = lib.mkIf cfg.enable {
services.random-background = lib.mkIf cfg.enable {
enable = true;
imageDirectory = cfg.folder;
enableXinerama = true;
interval = "1s";
};
};
}

56
modules/nixos/impermanence.nix
View file

@ -1,44 +1,36 @@
{ { pkgs, lib, config, ... }:
pkgs,
lib,
config,
...
}:
with lib; { with lib; {
options.mods.impermanence.enable = mkEnableOption "enables impermanence"; options.mods.impermanence.enable = mkEnableOption "enables impermanence";
config = mkIf config.mods.impermanence.enable { config = mkIf config.mods.impermanence.enable {
environment.persistence."/persist" = { environment.persistence."/persist" = {
directories = ["/var/lib/nixos" "/var/lib/systemd/coredump"]; directories = [ "/var/lib/nixos" "/var/lib/systemd/coredump" ];
files = ["/var/lib/sops-nix/key.txt" "/etc/machine-id"]; files = [ "/var/lib/sops-nix/key.txt" "/etc/machine-id" ];
}; };
boot.initrd.postResumeCommands = boot.initrd.postResumeCommands = lib.mkAfter ''
lib.mkAfter # sh mkdir /btrfs_tmp
mount /dev/mapper/crypted /btrfs_tmp
if [[ -e /btrfs_tmp/root ]]; then
mkdir -p /btrfs_tmp/old_roots
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
fi
'' delete_subvolume_recursively() {
mkdir /btrfs_tmp IFS=$'\n'
mount /dev/mapper/crypted /btrfs_tmp for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
if [[ -e /btrfs_tmp/root ]]; then delete_subvolume_recursively "/btrfs_tmp/$i"
mkdir -p /btrfs_tmp/old_roots done
timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S") btrfs subvolume delete "$1"
mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp" }
fi
delete_subvolume_recursively() { for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
IFS=$'\n' delete_subvolume_recursively "$i"
for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do done
delete_subvolume_recursively "/btrfs_tmp/$i"
done
btrfs subvolume delete "$1"
}
for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do btrfs subvolume create /btrfs_tmp/root
delete_subvolume_recursively "$i" umount /btrfs_tmp
done '';
btrfs subvolume create /btrfs_tmp/root
umount /btrfs_tmp
'';
}; };
} }

197
modules/nixos/server/grav/service.nix
View file

@ -1,20 +1,10 @@
{ { config, lib, pkgs, ... }:
config,
lib, let
pkgs,
... inherit (lib)
}: let generators mapAttrs mkDefault mkEnableOption mkIf mkPackageOption mkOption
inherit types;
(lib)
generators
mapAttrs
mkDefault
mkEnableOption
mkIf
mkPackageOption
mkOption
types
;
cfg = config.mods.services.grav; cfg = config.mods.services.grav;
@ -22,9 +12,9 @@
poolName = "grav"; poolName = "grav";
pkgs_grav = pkgs.callPackage ./package.nix {}; pkgs_grav = pkgs.callPackage ./package.nix { };
servedRoot = pkgs.runCommand "grav-served-root" {} '' servedRoot = pkgs.runCommand "grav-served-root" { } ''
cp --reflink=auto --no-preserve=mode -r ${pkgs_grav} $out cp --reflink=auto --no-preserve=mode -r ${pkgs_grav} $out
for p in assets images user system/config; do for p in assets images user system/config; do
@ -32,8 +22,10 @@
ln -sf /var/lib/grav/$p $out/$p ln -sf /var/lib/grav/$p $out/$p
done done
''; '';
# systemSettingsYaml = # systemSettingsYaml =
# yamlFormat.generate "grav-settings.yaml" cfg.systemSettings; # yamlFormat.generate "grav-settings.yaml" cfg.systemSettings;
in { in {
options.mods.services.grav = { options.mods.services.grav = {
enable = mkEnableOption "grav"; enable = mkEnableOption "grav";
@ -78,7 +70,7 @@ in {
default = 3000; default = 3000;
}; };
phpPackage = mkPackageOption pkgs "php" {}; phpPackage = mkPackageOption pkgs "php" { };
maxUploadSize = mkOption { maxUploadSize = mkOption {
type = types.str; type = types.str;
@ -105,10 +97,7 @@ in {
group = "grav"; group = "grav";
phpPackage = cfg.phpPackage.buildEnv { phpPackage = cfg.phpPackage.buildEnv {
extensions = { extensions = { all, enabled }:
all,
enabled,
}:
with all; [ with all; [
apcu apcu
ctype ctype
@ -126,28 +115,27 @@ in {
zip zip
]; ];
extraConfig = extraConfig = generators.toKeyValue {
generators.toKeyValue { mkKeyValue = generators.mkKeyValueDefault { } " = ";
mkKeyValue = generators.mkKeyValueDefault {} " = "; } {
} { output_buffering = "0";
output_buffering = "0"; short_open_tag = "Off";
short_open_tag = "Off"; expose_php = "Off";
expose_php = "Off"; error_reporting = "E_ALL";
error_reporting = "E_ALL"; display_errors = "stderr";
display_errors = "stderr"; "opcache.interned_strings_buffer" = "8";
"opcache.interned_strings_buffer" = "8"; "opcache.max_accelerated_files" = "10000";
"opcache.max_accelerated_files" = "10000"; "opcache.memory_consumption" = "128";
"opcache.memory_consumption" = "128"; "opcache.revalidate_freq" = "1";
"opcache.revalidate_freq" = "1"; "opcache.fast_shutdown" = "1";
"opcache.fast_shutdown" = "1"; "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; catch_workers_output = "yes";
catch_workers_output = "yes";
upload_max_filesize = cfg.maxUploadSize; upload_max_filesize = cfg.maxUploadSize;
post_max_size = cfg.maxUploadSize; post_max_size = cfg.maxUploadSize;
memory_limit = cfg.maxUploadSize; memory_limit = cfg.maxUploadSize;
"apc.enable_cli" = "1"; "apc.enable_cli" = "1";
}; };
}; };
phpEnv = { phpEnv = {
@ -181,12 +169,10 @@ in {
${cfg.virtualHost} = { ${cfg.virtualHost} = {
root = "${servedRoot}"; root = "${servedRoot}";
listen = [ listen = [{
{ addr = cfg.addr;
addr = cfg.addr; port = cfg.port;
port = cfg.port; }];
}
];
locations = { locations = {
"= /robots.txt" = { "= /robots.txt" = {
@ -216,28 +202,31 @@ in {
}; };
# deny running scripts inside core system folders # deny running scripts inside core system folders
"~* /(system|vendor)/.*\\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" = { "~* /(system|vendor)/.*\\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" =
priority = 300; {
extraConfig = '' priority = 300;
return 403; extraConfig = ''
''; return 403;
}; '';
};
# deny running scripts inside user folder # deny running scripts inside user folder
"~* /user/.*\\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" = { "~* /user/.*\\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" =
priority = 300; {
extraConfig = '' priority = 300;
return 403; extraConfig = ''
''; return 403;
}; '';
};
# deny access to specific files in the root folder # deny access to specific files in the root folder
"~ /(LICENSE\\.txt|composer\\.lock|composer\\.json|nginx\\.conf|web\\.config|htaccess\\.txt|\\.htaccess)" = { "~ /(LICENSE\\.txt|composer\\.lock|composer\\.json|nginx\\.conf|web\\.config|htaccess\\.txt|\\.htaccess)" =
priority = 300; {
extraConfig = '' priority = 300;
return 403; extraConfig = ''
''; return 403;
}; '';
};
# deny all files and folder beginning with a dot (hidden files & folders) # deny all files and folder beginning with a dot (hidden files & folders)
"~ (^|/)\\." = { "~ (^|/)\\." = {
@ -256,45 +245,41 @@ in {
}; };
}; };
extraConfig = extraConfig = ''
# sh index index.php index.html /index.php$request_uri;
'' add_header X-Content-Type-Options nosniff;
index index.php index.html /index.php$request_uri; add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff; add_header X-Robots-Tag "noindex, nofollow";
add_header X-XSS-Protection "1; mode=block"; add_header X-Download-Options noopen;
add_header X-Robots-Tag "noindex, nofollow"; add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Download-Options noopen; add_header X-Frame-Options sameorigin;
add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer;
add_header X-Frame-Options sameorigin; client_max_body_size ${cfg.maxUploadSize};
add_header Referrer-Policy no-referrer; fastcgi_buffers 64 4K;
client_max_body_size ${cfg.maxUploadSize}; fastcgi_hide_header X-Powered-By;
fastcgi_buffers 64 4K; gzip on;
fastcgi_hide_header X-Powered-By; gzip_vary on;
gzip on; gzip_comp_level 4;
gzip_vary on; gzip_min_length 256;
gzip_comp_level 4; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_min_length 256; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; '';
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
'';
}; };
}; };
}; };
systemd.tmpfiles.rules = let systemd.tmpfiles.rules = let datadir = "/var/lib/grav";
datadir = "/var/lib/grav"; in map (dir: "d '${dir}' 0750 grav grav - -") [
in "/var/cache/grav"
map (dir: "d '${dir}' 0750 grav grav - -") [ "${datadir}/assets"
"/var/cache/grav" "${datadir}/backup"
"${datadir}/assets" "${datadir}/images"
"${datadir}/backup" "${datadir}/system/config"
"${datadir}/images" "${datadir}/user/accounts"
"${datadir}/system/config" "${datadir}/user/config"
"${datadir}/user/accounts" "${datadir}/user/data"
"${datadir}/user/config" "/var/log/grav"
"${datadir}/user/data" ];
"/var/log/grav"
];
# ++ [ # ++ [
# "L+ ${datadir}/user/config/system.yaml - - - - ${systemSettingsYaml}" # "L+ ${datadir}/user/config/system.yaml - - - - ${systemSettingsYaml}"
# ]; # ];
@ -302,7 +287,7 @@ in {
systemd.services = { systemd.services = {
"phpfpm-${poolName}" = mkIf (cfg.pool == "${poolName}") { "phpfpm-${poolName}" = mkIf (cfg.pool == "${poolName}") {
# restartTriggers = [ servedRoot systemSettingsYaml ]; # restartTriggers = [ servedRoot systemSettingsYaml ];
restartTriggers = [servedRoot]; restartTriggers = [ servedRoot ];
serviceConfig = { serviceConfig = {
ExecStartPre = pkgs.writeShellScript "grav-pre-start" '' ExecStartPre = pkgs.writeShellScript "grav-pre-start" ''
@ -344,6 +329,6 @@ in {
group = "grav"; group = "grav";
}; };
users.groups.grav = {members = [config.services.nginx.user];}; users.groups.grav = { members = [ config.services.nginx.user ]; };
}; };
} }

177
modules/nixos/server/nginx.nix
View file

@ -1,112 +1,105 @@
{ { pkgs, lib, config, ... }:
pkgs, let
lib,
config,
...
}: let
cfg = config.mods.server.nginx; cfg = config.mods.server.nginx;
in
with lib; {
options.mods.server.nginx = {
enable = mkEnableOption {
default = false;
description = "enables nginx reverse proxy";
};
ip = mkOption { in with lib; {
type = types.str; options.mods.server.nginx = {
default = "10.0.0.3"; enable = mkEnableOption {
}; default = false;
description = "enables nginx reverse proxy";
domain = mkOption {
type = types.str;
default = "muon.host";
};
ports = mkOption {
type = types.attrsOf (types.ints.u16);
default = {};
};
}; };
config = mkIf cfg.enable { ip = mkOption {
# ACME won't be able to authenticate your domain type = types.str;
# if ports 80 & 443 aren't open in your firewall. default = "10.0.0.3";
networking.firewall = {allowedTCPPorts = [443 80];}; };
security.acme.defaults.email = "acme@muon.host";
security.acme.acceptTerms = true;
services.nginx = { domain = mkOption {
enable = true; type = types.str;
default = "muon.host";
};
recommendedGzipSettings = true; ports = mkOption {
recommendedOptimisation = true; type = types.attrsOf (types.ints.u16);
recommendedProxySettings = true; default = { };
recommendedTlsSettings = true; };
};
# Only allow PFS-enabled ciphers with AES256 config = mkIf cfg.enable {
# sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL"; # ACME won't be able to authenticate your domain
# if ports 80 & 443 aren't open in your firewall.
networking.firewall = { allowedTCPPorts = [ 443 80 ]; };
security.acme.defaults.email = "acme@muon.host";
security.acme.acceptTerms = true;
appendHttpConfig = services.nginx = {
# sh enable = true;
''
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
# map $scheme $hsts_header {
# https "max-age=31536000; includeSubdomains; preload";
# }
# add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services. recommendedGzipSettings = true;
# add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
# Minimize information leaked to other domains # Only allow PFS-enabled ciphers with AES256
# add_header 'Referrer-Policy' 'origin-when-cross-origin'; # sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
# Disable embedding as a frame appendHttpConfig = ''
add_header X-Frame-Options DENY; # Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
# map $scheme $hsts_header {
# https "max-age=31536000; includeSubdomains; preload";
# }
# add_header Strict-Transport-Security $hsts_header;
# Prevent injection of code in other mime types (XSS Attacks) # Enable CSP for your services.
# add_header X-Content-Type-Options nosniff; # add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# This might create errors # Minimize information leaked to other domains
# proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; # add_header 'Referrer-Policy' 'origin-when-cross-origin';
# required when the server wants to use HTTP Authentication # Disable embedding as a frame
proxy_pass_header Authorization; add_header X-Frame-Options DENY;
# This is necessary to pass the correct IP to be hashed # Prevent injection of code in other mime types (XSS Attacks)
real_ip_header X-Real-IP; # add_header X-Content-Type-Options nosniff;
# security # This might create errors
add_header X-XSS-Protection "1; mode=block" always; # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
add_header Permissions-Policy "interest-cohort=()" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
'';
virtualHosts = let # required when the server wants to use HTTP Authentication
base = locations: { proxy_pass_header Authorization;
inherit locations;
forceSSL = true; # This is necessary to pass the correct IP to be hashed
enableACME = true; real_ip_header X-Real-IP;
};
proxy = port: # security
base { add_header X-XSS-Protection "1; mode=block" always;
"/" = { add_header X-Content-Type-Options "nosniff" always;
proxyPass = "http://${cfg.ip}:${toString port}/"; add_header Referrer-Policy "no-referrer-when-downgrade" always;
proxyWebsockets = true; add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
}; add_header Permissions-Policy "interest-cohort=()" always;
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
'';
virtualHosts = let
base = locations: {
inherit locations;
forceSSL = true;
enableACME = true;
};
proxy = port:
base {
"/" = {
proxyPass = "http://${cfg.ip}:${toString port}/";
proxyWebsockets = true;
}; };
in };
mapAttrs' (name: port: in mapAttrs' (name: port:
nameValuePair "${name}.${cfg.domain}" nameValuePair ("${name}.${cfg.domain}")
# (proxy port // { default = true; })) cfg.ports; # (proxy port // { default = true; })) cfg.ports;
(proxy port)) (proxy port)) cfg.ports;
cfg.ports;
};
}; };
} };
}

40
modules/nixos/theme/default.nix
View file

@ -20,28 +20,28 @@ in {
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
stylix = { stylix.enable = true;
enable = true; stylix.autoEnable = true;
autoEnable = true; stylix.base16Scheme = cfg.scheme;
base16Scheme = cfg.scheme; stylix.image = cfg.wallpaper;
image = cfg.wallpaper;
cursor = { stylix.cursor = {
name = "phinger-cursors-light"; name = "phinger-cursors-light";
package = pkgs.phinger-cursors; package = pkgs.phinger-cursors;
size = 16; size = 16;
};
stylix.fonts = {
monospace = {
package = pkgs.nerd-fonts.commit-mono;
name = "CommitMono Nerd Font";
}; };
fonts = { emoji = {
monospace = { package = pkgs.noto-fonts-color-emoji;
package = pkgs.nerd-fonts.commit-mono; name = "OpenMoji Color";
name = "CommitMono Nerd Font";
};
emoji = {
package = pkgs.noto-fonts-color-emoji;
name = "OpenMoji Color";
};
serif = config.stylix.fonts.monospace;
sansSerif = config.stylix.fonts.monospace;
}; };
serif = config.stylix.fonts.monospace;
sansSerif = config.stylix.fonts.monospace;
}; };
fonts.packages = with pkgs; [ fonts.packages = with pkgs; [