diff --git a/hosts/muon/home.nix b/hosts/muon/home.nix index 75d1367..063bfdd 100644 --- a/hosts/muon/home.nix +++ b/hosts/muon/home.nix @@ -1,5 +1,11 @@ -{ pkgs, lib, osConfig,... }: -let cfg = osConfig.mods; in { +{ + pkgs, + lib, + osConfig, + ... +}: let + cfg = osConfig.mods; +in { # Modules mods.xdg.enable = true; mods.social.enable = true; @@ -11,17 +17,22 @@ let cfg = osConfig.mods; in { mods.desktop.development.enable = true; mods.desktop.productivity.enable = true; mods.desktop.media.enable = true; + mods.zen.enable = true; + mods.obsidian.enable = true; # Hardware preferences ## Monitors - xsession.windowManager.i3.config.workspaceOutputAssign = [{ - workspace = "1"; - output = "${cfg.monitors.primary.name}"; - } { - workspace = "2"; - output = "${cfg.monitors.secondary.name}"; - }]; + xsession.windowManager.i3.config.workspaceOutputAssign = [ + { + workspace = "1"; + output = "${cfg.monitors.primary.name}"; + } + { + workspace = "2"; + output = "${cfg.monitors.secondary.name}"; + } + ]; services.autorandr.enable = true; programs.autorandr = { enable = true; @@ -38,9 +49,9 @@ let cfg = osConfig.mods; in { }; config = { "${cfg.monitors.primary.name}" = - cfg.monitors.primary.config; + cfg.monitors.primary.config; "${cfg.monitors.secondary.name}" = - cfg.monitors.secondary.config; + cfg.monitors.secondary.config; }; }; }; diff --git a/modules/home/desktop/media.nix b/modules/home/desktop/media.nix index 2f4fe79..b2853fd 100644 --- a/modules/home/desktop/media.nix +++ b/modules/home/desktop/media.nix @@ -14,7 +14,7 @@ pavucontrol # Video - (callPackage ./packages/stremio-linux-shell.nix {}) + # (callPackage ./packages/stremio-linux-shell.nix {}) # Podcasts gpodder diff --git a/modules/home/desktop/productivity.nix b/modules/home/desktop/productivity.nix index 6072d85..f18c5b5 100644 --- a/modules/home/desktop/productivity.nix +++ b/modules/home/desktop/productivity.nix 
@@ -17,8 +17,8 @@ in home.packages = with pkgs; [ # ISO downloader qbittorrent - xd - biglybt + # xd + # biglybt # transmission_4-gtk # email diff --git a/modules/nixos/core/network.nix b/modules/nixos/core/network.nix index 8eea024..b1886ac 100644 --- a/modules/nixos/core/network.nix +++ b/modules/nixos/core/network.nix 
@@ -1,103 +1,107 @@ -{ pkgs, lib, config, ... }: - -let +{ + pkgs, + lib, + config, + ... +}: let cfg = config.mods; wg = cfg.wireguard; +in + with lib; { + options.mods = { + i2p.enable = mkEnableOption "enables i2p network"; + tailscale.enable = mkEnableOption "enables tailscale"; -in with lib; { - options.mods = { - i2p.enable = mkEnableOption "enables i2p network"; - tailscale.enable = mkEnableOption "enables tailscale"; - - wireguard.id = mkOption { - type = with types; nullOr ints.u8; - default = null; - }; - - openvpn.enable = mkEnableOption "enables openvpn config"; - openvpn.config = let - username = "${config.mods.user.name}"; - folder = "${config.users.users.${username}.home}/documents/openvpn/"; - file = "${config.mods.user.name}.ovpn"; - in mkOption { - description = "the config location"; - default = "${folder}${file}"; - }; - }; - - config = { - networking.networkmanager.enable = true; - # networking.nameservers = [ "45.90.28.97" "45.90.30.97" ]; - networking.nameservers = [ "194.242.2.4#base.dns.mullvad.net" ]; - # services.resolved = { - # enable = true; - # dnssec = "false"; - # dnsovertls = "true"; - # domains = [ "~." 
]; - # fallbackDns = [ "194.242.2.4#base.dns.mullvad.net" ]; - # }; - - # udev 250 doesn't reliably reinitialize devices after restart - systemd.services.systemd-udevd.restartIfChanged = false; - # systemd.services.NetworkManager-wait-online.enable = lib.mkForce false; - # systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; - - services.tailscale.enable = cfg.tailscale.enable; - - services.openvpn.servers = mkIf cfg.openvpn.enable { - remote.config = "config ${cfg.openvpn.config}"; - }; - - networking.firewall.allowedTCPPorts = [ - 7656 # default proto sam port - 7070 # default web interface port - 4447 # default socks proxy port - 4444 # default http proxy port - ]; - services.i2pd = lib.mkIf cfg.i2p.enable { - enable = true; - proto.sam.enable = true; - address = "127.0.0.1"; - proto = { - http.enable = true; - socksProxy.enable = true; - httpProxy.enable = true; + wireguard.id = mkOption { + type = with types; nullOr ints.u8; + default = null; }; + + openvpn.enable = mkEnableOption "enables openvpn config"; + openvpn.config = let + username = "${config.mods.user.name}"; + folder = "${config.users.users.${username}.home}/documents/openvpn/"; + file = "${config.mods.user.name}.ovpn"; + in + mkOption { + description = "the config location"; + default = "${folder}${file}"; + }; }; - networking.firewall.allowedUDPPorts = [ 51820 16261 ]; - networking.wg-quick.interfaces = lib.mkIf (wg.id != null) { - wg0 = { - address = [ - "10.0.0.${toString wg.id}/24" - "fdc9:281f:04d7:9ee9::${toString wg.id}/64" - ]; - dns = [ "10.0.0.1" "fdc9:281f:04d7:9ee9::1" ]; - mtu = 1500; - privateKeyFile = "/home/muon/wireguard-keys/private"; + config = { + networking.networkmanager.enable = true; + # networking.nameservers = [ "45.90.28.97" "45.90.30.97" ]; + networking.nameservers = ["194.242.2.4#base.dns.mullvad.net"]; + # services.resolved = { + # enable = true; + # dnssec = "false"; + # dnsovertls = "true"; + # domains = [ "~." 
]; + # fallbackDns = [ "194.242.2.4#base.dns.mullvad.net" ]; + # }; - peers = [{ - publicKey = "2RF8GmTZwQdzVm2l2piYy6U0qiMU3wSxC7Lt8urAjwA="; - presharedKeyFile = - "/home/muon/wireguard-keys/psk-${config.networking.hostName}"; - allowedIPs = [ "10.0.0.${toString wg.id}/24" ]; - # allowedIPs = [ "0.0.0.0/0" ]; - # ip route add 93.95.230.11 via 192.168.0.1 - endpoint = "93.95.230.11:51820"; - persistentKeepalive = 25; - }]; + # udev 250 doesn't reliably reinitialize devices after restart + systemd.services.systemd-udevd.restartIfChanged = false; + # systemd.services.NetworkManager-wait-online.enable = lib.mkForce false; + # systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; + + services.tailscale.enable = cfg.tailscale.enable; + + services.openvpn.servers = mkIf cfg.openvpn.enable { + remote.config = "config ${cfg.openvpn.config}"; }; + + networking.firewall.allowedTCPPorts = [ + 7656 # default proto sam port + 7070 # default web interface port + 4447 # default socks proxy port + 4444 # default http proxy port + ]; + services.i2pd = lib.mkIf cfg.i2p.enable { + enable = true; + proto.sam.enable = true; + address = "127.0.0.1"; + proto = { + http.enable = true; + socksProxy.enable = true; + httpProxy.enable = true; + }; + }; + + networking.firewall.allowedUDPPorts = [51820 16261]; + networking.wg-quick.interfaces = lib.mkIf (wg.id != null) { + wg0 = { + address = [ + "10.0.0.${toString wg.id}/24" + "fdc9:281f:04d7:9ee9::${toString wg.id}/64" + ]; + # dns = ["10.0.0.1" "fdc9:281f:04d7:9ee9::1"]; + mtu = 1500; + privateKeyFile = "/home/muon/wireguard-keys/private"; + + peers = [ + { + publicKey = "2RF8GmTZwQdzVm2l2piYy6U0qiMU3wSxC7Lt8urAjwA="; + presharedKeyFile = "/home/muon/wireguard-keys/psk-${config.networking.hostName}"; + allowedIPs = ["10.0.0.${toString wg.id}/24"]; + # allowedIPs = [ "0.0.0.0/0" ]; + # ip route add 93.95.230.11 via 192.168.0.1 + endpoint = "93.95.230.11:51820"; + persistentKeepalive = 25; + } + ]; + }; + }; + + 
networking.extraHosts = '' + 10.0.0.1 mups + 10.0.0.2 muon + 10.0.0.3 muho + 10.0.0.4 muop + ''; + + # gateway = + # "${pkgs.networkmanager}/bin/nmcli dev show ${interface} | ${pkgs.gnugrep}/bin/fgrep IP4.GATEWAY | ${pkgs.awk}/bin/awk {print $2}"; }; - - networking.extraHosts = '' - 10.0.0.1 mups - 10.0.0.2 muon - 10.0.0.3 muho - 10.0.0.4 muop - ''; - - # gateway = - # "${pkgs.networkmanager}/bin/nmcli dev show ${interface} | ${pkgs.gnugrep}/bin/fgrep IP4.GATEWAY | ${pkgs.awk}/bin/awk {print $2}"; - - }; -} + } diff --git a/modules/nixos/server/audio.nix b/modules/nixos/server/audio.nix index 8b1af15..7cb6714 100644 --- a/modules/nixos/server/audio.nix +++ b/modules/nixos/server/audio.nix @@ -40,6 +40,7 @@ in with lib; { openFirewall = true; openRPCPort = true; port = arr.torrent.port; + package = pkgs.transmission_4; settings = { download-dir = "/storage1/download"; rpc-port = arr.torrent.port; diff --git a/modules/nixos/server/grav/default.nix b/modules/nixos/server/grav/default.nix index 80920cf..7667bf5 100644 --- a/modules/nixos/server/grav/default.nix +++ b/modules/nixos/server/grav/default.nix @@ -23,7 +23,7 @@ in with lib; { inherit port; enable = true; root = cfg.grav.location; - phpPackage = pkgs.php81; + phpPackage = pkgs.php83; }; users.users.${config.mods.user.name}.extraGroups = lib.mkAfter [ "grav" ]; }; diff --git a/modules/nixos/server/nginx.nix b/modules/nixos/server/nginx.nix index fafb4df..c307231 100644 --- a/modules/nixos/server/nginx.nix +++ b/modules/nixos/server/nginx.nix 
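Review bot: On the new side the i2pd firewall openings (`networking.firewall.allowedTCPPorts = [ 7656 7070 4447 4444 ]`) and the UDP openings (`networking.firewall.allowedUDPPorts = [51820 16261];`) are unconditional, while the services they serve are gated on `cfg.i2p.enable` and `wg.id != null`, so a host with those features disabled still exposes the ports; gating them the same way, `networking.firewall.allowedTCPPorts = lib.mkIf cfg.i2p.enable [ … ];` and `networking.firewall.allowedUDPPorts = lib.mkIf (wg.id != null) [51820 16261];`, keeps the firewall aligned with what is actually running (and since i2pd is bound to `address = "127.0.0.1"` here, the TCP openings may not be needed at all). The wg0 `dns` entry is now commented out, so name resolution on this host relies on `networking.nameservers`, whose `194.242.2.4#base.dns.mullvad.net` form is systemd-resolved's DNS-over-TLS notation; with `services.resolved` still commented out and NetworkManager enabled, I would confirm that suffix is honoured rather than ending up as an unusable nameserver entry. The file also mixes bare `mkIf` (via `with lib;`) and `lib.mkIf`; picking one form reads more consistently.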
@@ -82,7 +82,7 @@ in add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; - add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always; + add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; script-src 'self'; object-src 'none'; base-uri 'none';"; always; add_header Permissions-Policy "interest-cohort=()" always; # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; ''; @@ -99,6 +99,14 @@ in "/" = { proxyPass = "http://${cfg.ip}:${toString port}/"; proxyWebsockets = true; + extraConfig = + # sh + '' + client_max_body_size 50000M; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + send_timeout 600s; + ''; }; }; in
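Review bot: The rewritten Content-Security-Policy line closes the `add_header` directive right after the quoted value (`... base-uri 'none';"; always;`), leaving `always` as a standalone token, which nginx should reject at config-check time as an unknown directive; the removed line had `" always;` with no semicolon before `always`. The fix is to drop the stray semicolon: `add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self'; script-src 'self'; object-src 'none'; base-uri 'none';" always;`. Note that the new `script-src 'self'` replaces the `default-src` fallback for scripts, so `'unsafe-inline'` and the scheme sources in `default-src` no longer apply to script loads; that is the tighter policy, but it will block inline scripts in any proxied application, which is worth verifying against the hosted sites. The enclosing `''` string starts and ends outside the hunk.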
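Review bot: `client_max_body_size 50000M;` on the catch-all `/` location raises the accepted request body to roughly 50 GB for every service that goes through this proxy block, which is a resource-exhaustion exposure if only one backend actually needs large uploads; if this is a shared helper (the surrounding `let … in` starts outside the hunk), consider making the limit a parameter with a conservative default rather than a global constant. The `# sh` tag above the string is misleading, since the content is nginx configuration; `# nginx` would be accurate.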