chore: merge remote-tracking branch 'refs/remotes/origin/master'

This commit is contained in:
Ahwx 2025-06-08 14:58:36 +02:00
commit 8d92925a61
13 changed files with 127 additions and 69 deletions


@ -1,7 +1,7 @@
{ pkgs, ... }:
{
services.avahi = {
enable = true;
enable = false;
nssmdns4 = true;
openFirewall = true;
};
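Review bot: Toggling `enable` between `true` and `false` leaves `nssmdns4 = true;` and `openFirewall = true;` in place, and on the side that disables avahi both are dead settings; the rendered page has lost the +/- markers, so which side that is can't be read from it. As far as I can tell the avahi module's firewall opening only takes effect while `enable = true`, so a later flip back silently reopens mDNS (UDP 5353) without anyone re-reviewing that exposure. I'd either drop the two settings together with `enable`, or add `# openFirewall/nssmdns4 are inert while enable = false; revisit exposure before re-enabling` above `openFirewall`.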


@ -2,7 +2,7 @@
{
services.openssh = {
enable = true;
ports = [ 22 ];
ports = [ 9123 ];
settings = {
PasswordAuthentication = lib.mkDefault false;
AllowUsers = null;
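Review bot: Moving `ports` between `[ 22 ]` and `[ 9123 ]` changes where sshd is reachable but not how it authenticates, and the settings that decide that are left loose on the following lines: `PasswordAuthentication = lib.mkDefault false;` can be overridden back to `true` by any other module with a plain assignment, and `AllowUsers = null;` is the no-restriction default. Unless the override is intentional, `PasswordAuthentication = false;` (or `lib.mkForce false`) pins it, and `AllowUsers` deserves either a real user list or a comment saying why it stays open. The port line itself should carry the reason for the non-default value, since client configs and any firewall rules elsewhere must follow it. The `services.openssh` block continues outside the hunk, and the rendered page no longer shows which port value is new.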


@ -7,5 +7,6 @@
++ [ (import ./home-assistant.nix) ]
++ [ (import ./monitoring.nix) ]
++ [ (import ./smart-monitoring.nix) ]
++ [ (import ./tailscale.nix) ]
++ [ (import ./hd-idle.nix) ];
}


@ -23,9 +23,9 @@
];
};
};
networking.firewall = {
allowedTCPPorts = [
9001
];
};
# networking.firewall = {
# allowedTCPPorts = [
# 9001
# ];
# };
}
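Review bot: Commenting out the whole `networking.firewall` block for TCP 9001 (and, in the murmur section, flipping `openFirewall`) leaves the reader guessing whether the port is meant to be unreachable or reached another way, and the rendered page has dropped the +/- markers so the new side isn't recoverable from it. Commented-out firewall config tends to be uncommented wholesale later, so deleting it is safer than keeping it, and the surviving side should state the intent, e.g. `# 9001 is not exposed on the public interface; reached via tailscale.nix`. If the goal is to expose it on one interface only, `networking.firewall.interfaces.<name>.allowedTCPPorts` expresses that directly instead of closing the port globally. The link to the `tailscale.nix` import added elsewhere in this commit is my inference, not something the page states.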


@ -2,6 +2,6 @@
{
services.murmur = {
enable = true;
openFirewall = true;
openFirewall = false;
};
}


@ -37,41 +37,35 @@
recommendedProxySettings = true;
clientMaxBodySize = lib.mkDefault "10G";
defaultListen =
let
listen = [
{
addr = "[::]";
port = 80;
extraParameters = [ "proxy_protocol" ];
}
{
addr = "[::]";
port = 443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
in
map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
#defaultListen =
# let
# listen = [
# {
# addr = "[::]";
# port = 80;
# extraParameters = [ "proxy_protocol" ];
# }
# {
# addr = "[::]";
# port = 443;
# ssl = true;
# extraParameters = [ "proxy_protocol" ];
# }
# ];
# in
# map (x: (x // { addr = "0.0.0.0"; })) listen ++ listen;
# Hardened TLS and HSTS preloading
appendHttpConfig = ''
# Proxying
# real_ip_header proxy_protocol;
server {
listen 80 proxy_protocol;
listen 443 ssl proxy_protocol;
# set_real_ip_from 10.7.0.0/24;
}
ssl_certificate /var/lib/acme/quack.social/cert.pem;
ssl_certificate_key /var/lib/acme/quack.social/key.pem;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $proxy_protocol_addr;
# proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# Add HSTS header with preloading to HTTPS requests.
# Do not add HSTS header to HTTP requests.
@ -98,19 +92,6 @@
add_header pronouns "any but neopronouns";
add_header locale "[en_US, nl_NL]";
'';
appendConfig = ''
# https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
# set_real_ip_from 213.210.34.27;
# real_ip_header proxy_protocol;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $proxy_protocol_addr;
# proxy_set_header X-Forwarded-For $proxy_protocol_addr;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Host $host;
# proxy_set_header X-Forwarded-Server $host;
'';
};
networking.firewall = {
allowedTCPPorts = [
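Review bot: In the first hunk, `listen 80 proxy_protocol;` and `listen 443 ssl proxy_protocol;` inside `appendHttpConfig` stay active while `real_ip_header proxy_protocol;` and `set_real_ip_from` remain commented out on both sides, so nothing on the page restricts which peers may send a PROXY header; nginx accepts that header from any client that reaches these sockets, and `$proxy_protocol_addr` is then client-supplied unless the firewall limits the listeners to the upstream proxy. The module should say where that trust comes from, e.g. `# PROXY protocol listeners: only the upstream proxy may reach 80/443 (enforced by firewall), otherwise $proxy_protocol_addr is spoofable`. If the `proxy_set_header X-Real-IP`/`X-Forwarded-For` lines are the ones being commented out, downstream services lose the client address entirely — the ntfy module in this same commit runs with `behind-proxy = true` and would then rate-limit every visitor as the proxy, which may be why its burst limit moves; worth confirming. The rendered page has lost the +/- markers, so which side of `defaultListen` and the header lines is new isn't recoverable from it.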


@ -12,7 +12,7 @@ in
listen-http = "127.0.0.1:${toString port}";
behind-proxy = true;
visitor-attachment-daily-bandwidth-limit = "10M";
visitor-request-limit-burst = 5;
visitor-request-limit-burst = 15;
visitor-request-limit-replenish = "15s";
};
};
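Review bot: The burst limit moves between `visitor-request-limit-burst = 5;` and `15;` without a comment, and with `behind-proxy = true;` two lines above, ntfy identifies a visitor from the client-IP header forwarded by the reverse proxy rather than from the connection's remote address. That makes both the limit and its tripling only as meaningful as the proxy's header handling; the nginx module in this commit toggles its `proxy_set_header X-Forwarded-For` lines, so if those end up disabled every visitor shares one bucket and raising the burst only masks that. I'd add `# rate limit is keyed on the proxy-supplied client IP; nginx must set X-Forwarded-For` next to `behind-proxy` and record the reason for the new value. Whether 15 is the new value isn't recoverable from the rendered page.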


@ -20,6 +20,7 @@
++ [ (import ./nginx.nix) ]
# ++ [(import ./komga.nix)]
++ [ (import ./radicale.nix) ]
++ [ (import ./tailscale.nix) ]
++ [ (import ./readarr.nix) ];
# ++ [(import ./smart-monitoring.nix)]
# ++ [(import ./jitsi-meet.nix)]