mirror of
https://git.gay/xqtc/nixos-config
synced 2024-11-23 09:20:33 +01:00
111 lines
3 KiB
Nix
111 lines
3 KiB
Nix
|
{
|
||
|
|
config,
|
||
|
|
lib,
|
||
|
|
pkgs,
|
||
|
|
...
|
||
|
|
}:
|
||
|
|
with lib; {
|
||
|
|
imports = [
|
||
|
|
# Include the results of the hardware scan.
|
||
|
|
./hardware-configuration.nix
|
||
|
|
./monitoring.nix
|
||
|
|
./jellyfin.nix
|
||
|
|
];
|
||
|
|
|
||
|
|
services.nginx = {
|
||
|
|
enable = true;
|
||
|
|
package = pkgs.nginxQuic;
|
||
|
|
|
||
|
|
recommendedGzipSettings = true;
|
||
|
|
recommendedOptimisation = true;
|
||
|
|
recommendedProxySettings = true;
|
||
|
|
recommendedTlsSettings = true;
|
||
|
|
|
||
|
|
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
|
||
|
|
sslProtocols = mkDefault "TLSv1.3";
|
||
|
|
# sslDhparam = config.security.dhparams.params.nginx.path;
|
||
|
|
|
||
|
|
clientMaxBodySize = mkDefault "128M";
|
||
|
|
commonHttpConfig = ''
|
||
|
|
map $scheme $hsts_header {
|
||
|
|
https "max-age=31536000; includeSubdomains; preload";
|
||
|
|
}
|
||
|
|
add_header Strict-Transport-Security $hsts_header;
|
||
|
|
add_header X-Content-Type-Options "nosniff" always;
|
||
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
||
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
||
|
|
add_header Referrer-Policy "same-origin" always;
|
||
|
|
'';
|
||
|
|
};
|
||
|
|
|
||
|
|
security.acme = {
|
||
|
|
acceptTerms = true;
|
||
|
|
defaults.email = "xqtc@tutanota.com";
|
||
|
|
defaults.keyType = "ec256";
|
||
|
|
certs = {
|
||
|
|
"jellyfin.heroin.trade" = {};
|
||
|
|
"grafana.heroin.trade" = {};
|
||
|
|
};
|
||
|
|
};
|
||
|
|
|
||
|
|
nix.settings.experimental-features = ["nix-command" "flakes"];
|
||
|
|
|
||
|
|
nix.settings = {
|
||
|
|
trusted-users = ["xqtc"];
|
||
|
|
substituters = [
|
||
|
|
"https://nix-community.cachix.org"
|
||
|
|
];
|
||
|
|
trusted-public-keys = [
|
||
|
|
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||
|
|
];
|
||
|
|
};
|
||
|
|
# Use the systemd-boot EFI boot loader.
|
||
|
|
boot.loader.systemd-boot.enable = true;
|
||
|
|
boot.loader.efi.canTouchEfiVariables = true;
|
||
|
|
|
||
|
|
networking.hostName = "beleth"; # Define your hostname.
|
||
|
|
networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
|
||
|
|
|
||
|
|
# Set your time zone.
|
||
|
|
time.timeZone = "Europe/Berlin";
|
||
|
|
|
||
|
|
users.users.xqtc = {
|
||
|
|
isNormalUser = true;
|
||
|
|
extraGroups = ["wheel"];
|
||
|
|
packages = with pkgs; [
|
||
|
|
tree
|
||
|
|
];
|
||
|
|
openssh.authorizedKeys.keys = [
|
||
|
|
# TODO: Add remaining keys from https://meta.sr.ht/~xqrc.keys
|
||
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN7UkcmSVo+SeB5Obevz3mf3UHruYxn0UHUzoOs2gDBy xqtc@asmodeus"
|
||
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPf3w5bHAssHthg9SPXVpG4w9v8m16X/0J3bjg08P6EA xqtc@seraphim"
|
||
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYa+LoHGGvu12iBufUcr3GD8tsq4LuJdwLjaDkTr0SL xqtc@lilith"
|
||
|
|
];
|
||
|
|
};
|
||
|
|
users.users.root.openssh.authorizedKeys.keys = [
|
||
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN7UkcmSVo+SeB5Obevz3mf3UHruYxn0UHUzoOs2gDBy xqtc@asmodeus"
|
||
|
|
];
|
||
|
|
|
||
|
|
environment.systemPackages = with pkgs; [
|
||
|
|
neovim
|
||
|
|
vim
|
||
|
|
git
|
||
|
|
wget
|
||
|
|
];
|
||
|
|
|
||
|
|
programs.mtr.enable = true;
|
||
|
|
programs.gnupg.agent = {
|
||
|
|
enable = true;
|
||
|
|
enableSSHSupport = true;
|
||
|
|
};
|
||
|
|
|
||
|
|
# Enable the OpenSSH daemon.
|
||
|
|
services.openssh.enable = true;
|
||
|
|
|
||
|
|
# Open ports in the firewall.
|
||
|
|
networking.firewall.allowedTCPPorts = [22 80 443];
|
||
|
|
# networking.firewall.allowedUDPPorts = [443];
|
||
|
|
|
||
|
|
system.stateVersion = "24.05"; # Did you read the comment?
|
||
|
|
}
|