Compare commits
13 Commits
178513a21b
...
b645bfbddc
Author | SHA1 | Date |
---|---|---|
Simon Bruder | b645bfbddc | |
Simon Bruder | 1255e53e92 | |
Simon Bruder | 0318ca56f9 | |
Simon Bruder | 9107ce034c | |
Simon Bruder | 9d85bbfdc9 | |
Simon Bruder | 8f3d1bba06 | |
Simon Bruder | bf01605517 | |
Simon Bruder | 95590d6bc3 | |
Simon Bruder | cd47e1da97 | |
Simon Bruder | 9bd01d1e8c | |
Simon Bruder | 47998fddd0 | |
Simon Bruder | 80fcaab244 | |
Simon Bruder | a5622c3653 |
|
@ -36,11 +36,6 @@
|
|||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys";
|
||||
|
|
|
@ -15,14 +15,7 @@
|
|||
|
||||
system.stateVersion = "23.05";
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
};
|
||||
services.nginx.enable = true;
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
systemd.services.nginx.serviceConfig.SupplementaryGroups = lib.singleton "keys";
|
||||
|
||||
|
|
|
@ -22,11 +22,6 @@
|
|||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
virtualHosts."okarin.sbruder.xyz" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
|
|
@ -41,11 +41,6 @@
|
|||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
virtualHosts."sbruder.de" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
|
|
@ -42,11 +42,6 @@
|
|||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
|
||||
virtualHosts = {
|
||||
"vueko.sbruder.de" = {
|
||||
enableACME = true;
|
||||
|
|
Binary file not shown.
|
@ -6,10 +6,13 @@
|
|||
enableACME = true;
|
||||
forceSSL = true;
|
||||
|
||||
locations."/".extraConfig = ''
|
||||
proxy_pass http://fuuko.vpn.sbruder.de/;
|
||||
proxy_set_header Host ${fqdn};
|
||||
'';
|
||||
locations."/" = {
|
||||
extraConfig = ''
|
||||
proxy_pass http://fuuko.vpn.sbruder.de/;
|
||||
proxy_set_header Host ${fqdn};
|
||||
'';
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
})
|
||||
[
|
||||
"languagetool.sbruder.de"
|
||||
|
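Review bot: The location now carries its own `proxy_set_header Host ${fqdn};` plus the Upgrade/Connection headers that `proxyWebsockets = true` emits, and nginx does not inherit `proxy_set_header` from the http level once any is set in a location — so, if I read the inheritance rule right, the X-Real-IP/X-Forwarded-* headers that `recommendedProxySettings` adds globally are not sent to fuuko from this location. That may be intended, but it is invisible from the hunk; a one-line comment above `extraConfig` such as `# location-level proxy_set_header replaces the inherited X-Forwarded-* set; only Host and the websocket headers reach the backend` would save the next reader a trip to the nginx docs. The `${fqdn}` interpolation and the `})` that closes this block belong to a function that starts before the hunk.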
|
|
@ -38,6 +38,7 @@
|
|||
./network-manager.nix
|
||||
./nginx-interactive-index
|
||||
./nginx.nix
|
||||
./nitrokey.nix
|
||||
./nix.nix
|
||||
./office.nix
|
||||
./pipewire.nix
|
||||
|
@ -97,10 +98,6 @@
|
|||
# Support for exotic file systems
|
||||
boot.supportedFilesystems = lib.optional config.sbruder.full "ntfs";
|
||||
|
||||
# Authentication/Encryption agents
|
||||
programs.gnupg.agent.enable = true;
|
||||
programs.ssh.startAgent = true;
|
||||
|
||||
# When this is set to true (default), routing everything through a
|
||||
# wireguard tunnel does not work.
|
||||
networking.firewall.checkReversePath = false;
|
||||
|
|
|
@ -52,4 +52,7 @@ lib.mkIf config.sbruder.gui.enable {
|
|||
mode = "440";
|
||||
};
|
||||
};
|
||||
|
||||
# required for pinentry-gnome3
|
||||
services.dbus.packages = [ pkgs.gcr ];
|
||||
}
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
port = 8888;
|
||||
services = {
|
||||
"media" = config.sops.secrets.media-proxy-auth.path;
|
||||
"media-sb" = config.sops.secrets.media-proxy-auth.path;
|
||||
|
@ -24,37 +23,27 @@ in
|
|||
enable = true;
|
||||
commonHttpConfig = ''
|
||||
map $http_referer $media_proxy_referer {
|
||||
~^http://localhost:8888/ "";
|
||||
~^http://.*\.localhost/ "";
|
||||
default $http_referer;
|
||||
}
|
||||
'';
|
||||
virtualHosts.media-proxy = {
|
||||
serverName = "localhost";
|
||||
listen = [
|
||||
{ inherit port; addr = "127.0.0.1"; }
|
||||
{ inherit port; addr = "[::1]"; }
|
||||
];
|
||||
locations = {
|
||||
"/".extraConfig = ''
|
||||
rewrite ^/__nginx-interactive-index-assets__/(.*)$ /media/__nginx-interactive-index-assets__/$1;
|
||||
'';
|
||||
} // lib.mapAttrs'
|
||||
(name: secret: {
|
||||
name = "/${name}/";
|
||||
value = {
|
||||
proxyPass = "https://${name}.sbruder.de/";
|
||||
proxyWebsockets = true;
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
include ${secret};
|
||||
charset utf-8;
|
||||
proxy_set_header Referer $media_proxy_referer;
|
||||
proxy_set_header Origin $media_proxy_referer;
|
||||
'';
|
||||
};
|
||||
})
|
||||
services;
|
||||
};
|
||||
virtualHosts = lib.mapAttrs'
|
||||
(name: secret: lib.nameValuePair "${name}.localhost" {
|
||||
locations."/" = {
|
||||
proxyPass = "https://${name}.sbruder.de/";
|
||||
proxyWebsockets = true;
|
||||
# they interfere here, as the host needs to be changed
|
||||
recommendedProxySettings = false;
|
||||
extraConfig = ''
|
||||
proxy_buffering off;
|
||||
include ${secret};
|
||||
charset utf-8;
|
||||
proxy_set_header Referer $media_proxy_referer;
|
||||
proxy_set_header Origin $media_proxy_referer;
|
||||
'';
|
||||
};
|
||||
})
|
||||
services;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
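Review bot: The per-service virtualHosts (`lib.nameValuePair "${name}.localhost" { locations."/" = { … } }`) set no `listen`, whereas the side this replaces bound the proxy explicitly to `127.0.0.1`/`[::1]` on `port`; with the NixOS defaults the new servers listen on all addresses on port 80, and since nginx hands requests with an unknown `Host` to the first server block on that socket, any request that reaches port 80 on this machine would be proxied to `https://${name}.sbruder.de/` with whatever `include ${secret}` injects. The NixOS firewall blocks the port unless opened, but the loopback binding was the defence-in-depth here; restore it per vhost with `listen = [ { addr = "127.0.0.1"; port = 80; } { addr = "[::1]"; port = 80; } ];` (or, if nothing else on these hosts should be reachable, `services.nginx.defaultListenAddresses = [ "127.0.0.1" "[::1]" ];`). The `$media_proxy_referer` map pattern `~^http://.*\.localhost/` matches the new host names, so that part is consistent; the `services` binding this maps over is defined in the earlier hunk.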
|
|
@ -6,6 +6,7 @@ in
|
|||
options.sbruder.nginx = {
|
||||
hardening.enable = lib.mkEnableOption "nginx hardening";
|
||||
privacy.enable = (lib.mkEnableOption "nginx privacy options") // { default = true; };
|
||||
recommended.enable = (lib.mkEnableOption "recommended options") // { default = true; };
|
||||
};
|
||||
|
||||
config = lib.mkMerge [
|
||||
|
@ -26,5 +27,13 @@ in
|
|||
access_log off;
|
||||
'';
|
||||
})
|
||||
(lib.mkIf cfg.recommended.enable {
|
||||
services.nginx = {
|
||||
recommendedGzipSettings = lib.mkDefault true;
|
||||
recommendedOptimisation = lib.mkDefault true;
|
||||
recommendedProxySettings = lib.mkDefault true;
|
||||
recommendedTlsSettings = lib.mkDefault true;
|
||||
};
|
||||
})
|
||||
];
|
||||
}
|
||||
|
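Review bot: The new option is declared as `recommended.enable = (lib.mkEnableOption "recommended options") // { default = true; };`, which renders in the option docs as "Whether to enable recommended options." without the `nginx` qualifier its siblings on the lines above carry; `lib.mkEnableOption "nginx recommended options"` keeps the three descriptions parallel. A short comment above the `lib.mkIf cfg.recommended.enable` block, e.g. `# mkDefault so individual hosts can still turn a single recommended* setting off`, would document the contract that the host-side removals elsewhere in this compare rely on.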
|
|
@ -0,0 +1,12 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
{
|
||||
hardware.nitrokey.enable = true;
|
||||
} // (lib.mkIf config.sbruder.gui.enable {
|
||||
environment.systemPackages = with pkgs; [
|
||||
# both depend on pypemicro, which is not needed, but nixpkgs requires it
|
||||
# (even though it could have been optional: https://github.com/NixOS/nixpkgs/pull/183099#discussion_r933226708)
|
||||
#nitrokey-app2
|
||||
#pynitrokey
|
||||
];
|
||||
})
|
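Review bot: Combining a `lib.mkIf` result with `//` on the `} // (lib.mkIf config.sbruder.gui.enable {` line most likely does not apply `hardware.nitrokey.enable = true` at all: `mkIf` yields a tagged set (`_type = "if"` with `condition`/`content`), the `//` copies that tag onto the merged set, and the module system then treats the whole module as the conditional and keeps only `content` — worth confirming with `nixos-option hardware.nitrokey.enable` on a non-GUI host. The form the repository already uses in nginx.nix is the fix: `lib.mkMerge [ { hardware.nitrokey.enable = true; } (lib.mkIf config.sbruder.gui.enable { environment.systemPackages = with pkgs; [ … ]; }) ]`. As written the conditional branch also contributes nothing, because both package entries are commented out, so it could be reduced to the explanatory comments until one of them is reinstated.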
|
@ -97,6 +97,7 @@ in
|
|||
# Avoid using nscd (leaks dns)
|
||||
InaccessiblePaths = [
|
||||
"/run/nscd"
|
||||
"/etc/nsswitch.conf"
|
||||
];
|
||||
# Make correct resolv.conf available for unit
|
||||
BindReadOnlyPaths = [
|
||||
|
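Review bot: The new `"/etc/nsswitch.conf"` entry sits under a comment that explains only nscd, so a reader cannot tell why the NSS configuration itself has to be hidden or what name resolution falls back to; suggest widening it to `# Avoid nscd and the system NSS config (both can route lookups around this unit's resolv.conf); without nsswitch.conf glibc uses its built-in order, see nsswitch.conf(5)`. On NixOS `/etc/nsswitch.conf` is, as far as I know, a symlink into the store, so it is worth checking from inside the unit that the path is actually unreadable rather than resolved to its target before the entry is relied on. The surrounding `serviceConfig` block starts and ends outside the hunk.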
|
|
@ -30,6 +30,11 @@ in
|
|||
"makemkv" # exception: runs in sandbox, only way to get DRM garbage to work properly
|
||||
"p7zip" # exception: rar source code is not free, but available; p7zip with `enableUnfree` includes it
|
||||
|
||||
# exception: used for programming the NitroKey,
|
||||
# available under essentially a 3-BSD license with two additional restrictions:
|
||||
# one usage restriction and one (pointless as the source is available) reverse engineering restriction
|
||||
"nrfutil"
|
||||
|
||||
# games (okay if they run sandboxed)
|
||||
"osu-lazer" # also is free except for one dependency
|
||||
"steam"
|
||||
|
|
|
@ -27,17 +27,17 @@
|
|||
|
||||
<p>
|
||||
Simon Bruder<br>
|
||||
Appartement 447<br>
|
||||
Nürnberger Platz 1<br>
|
||||
01187 Dresden<br>
|
||||
℅ Block Services<br>
|
||||
Stuttgarter Str. 106<br>
|
||||
70736 Fellbach<br>
|
||||
</p>
|
||||
|
||||
<h2>Kontakt</h2>
|
||||
|
||||
<ul>
|
||||
<li>E-Mail: <img class="mail" src="mail.svg"></li>
|
||||
<li>Telefon: +49 152 56561414</li>
|
||||
<li>Fax: +49 351 89672619<sup>a</sup></li>
|
||||
<li>Telefon: +49 351 41886715</li>
|
||||
<li>Telefax: +49 351 89672619<sup>a</sup></li>
|
||||
</ul>
|
||||
<div class="fineprint">
|
||||
<ol class="footnotes">
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
{ nixosConfig, ... }:
|
||||
|
||||
{
|
||||
programs.gpg = {
|
||||
enable = true;
|
||||
|
@ -5,4 +7,17 @@
|
|||
default-key = "47E7559E037A35652DBBF8AA8D3C82F9F309F8EC";
|
||||
};
|
||||
};
|
||||
|
||||
services.gpg-agent = rec {
|
||||
enable = true;
|
||||
enableZshIntegration = true;
|
||||
enableSshSupport = true;
|
||||
|
||||
pinentryFlavor = if nixosConfig.sbruder.gui.enable then "gnome3" else "curses";
|
||||
|
||||
defaultCacheTtl = 300;
|
||||
defaultCacheTtlSsh = defaultCacheTtl;
|
||||
maxCacheTtl = 1800;
|
||||
maxCacheTtlSsh = maxCacheTtl;
|
||||
};
|
||||
}
|
||||
|
|
|
@ -18,10 +18,10 @@ lib.mkIf nixosConfig.sbruder.gui.enable {
|
|||
"browser.uidensity" = 1; # more compact layout
|
||||
"identity.fxaccounts.enabled" = true;
|
||||
"middlemouse.paste" = false;
|
||||
"network.http.referer.XOriginPolicy" = 2;
|
||||
"privacy.clearOnShutdown.history" = false;
|
||||
"webgl.disabled" = false; # requires installing CanvasBlocker
|
||||
|
||||
#"network.http.referer.XOriginPolicy" = 2; # breaks sites that include images from restrictive sources
|
||||
#"privacy.resistFingerprinting.letterboxing" = true; # quite annoying
|
||||
};
|
||||
};
|
||||
|
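Review bot: The hunk shows both an active `"network.http.referer.XOriginPolicy" = 2;` and the commented copy that carries the rationale (`# breaks sites that include images from restrictive sources`); whichever of the two this commit removes, the reason ends up separated from the setting. If the policy is being enabled, keep the caveat on the live line, e.g. `"network.http.referer.XOriginPolicy" = 2; # same-origin only; may break sites that hotlink images`; if it is being dropped again, the commented line with its reason is the one to keep. `"webgl.disabled" = false; # requires installing CanvasBlocker` documents a manual step the config cannot enforce, so it is worth saying explicitly that the fingerprinting protection depends on that extension being present.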
|
|
@ -87,7 +87,7 @@ in
|
|||
nvim-jdtls
|
||||
nvim-lspconfig
|
||||
nvim-solarized-lua
|
||||
nvim-treesitter
|
||||
nvim-treesitter.withAllGrammars
|
||||
nvim-web-devicons
|
||||
plantuml-syntax
|
||||
plenary-nvim
|
||||
|
@ -111,29 +111,7 @@ in
|
|||
xdg.configFile = {
|
||||
"nvim/lua/init.lua".source = ./init.lua;
|
||||
"nvim/lua/snippets.lua".source = pkgs.callPackage ./snippets.nix { };
|
||||
} // (lib.mapAttrs'
|
||||
(name: path: lib.nameValuePair "nvim/parser/${lib.removePrefix "tree-sitter-" name}.so" { source = "${path}/parser"; })
|
||||
({
|
||||
inherit (pkgs.tree-sitter.builtGrammars)
|
||||
#tree-sitter-bash
|
||||
tree-sitter-c
|
||||
tree-sitter-cpp
|
||||
tree-sitter-css
|
||||
tree-sitter-dot
|
||||
tree-sitter-go
|
||||
tree-sitter-haskell
|
||||
tree-sitter-html
|
||||
tree-sitter-json
|
||||
#tree-sitter-latex # incompatible with VimTeX
|
||||
tree-sitter-lua
|
||||
tree-sitter-nix
|
||||
tree-sitter-perl
|
||||
tree-sitter-python
|
||||
tree-sitter-rust
|
||||
tree-sitter-scss
|
||||
tree-sitter-toml
|
||||
tree-sitter-yaml;
|
||||
}));
|
||||
};
|
||||
|
||||
home.sessionVariables.EDITOR = "nvim";
|
||||
}
|
||||
|
|
|
@ -351,9 +351,23 @@ lsp.rust_analyzer.setup {
|
|||
on_attach = on_attach,
|
||||
settings = {
|
||||
['rust-analyzer'] = {
|
||||
cargo = {
|
||||
buildScripts = {
|
||||
enable = true,
|
||||
},
|
||||
},
|
||||
checkOnSave = {
|
||||
command = 'clippy',
|
||||
},
|
||||
imports = {
|
||||
granularity = {
|
||||
group = "module",
|
||||
},
|
||||
prefix = "self",
|
||||
},
|
||||
procMacro = {
|
||||
enable = true
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
@ -421,13 +435,17 @@ require('trouble').setup {}
|
|||
|
||||
-- Tree Sitter
|
||||
require('nvim-treesitter.configs').setup {
|
||||
highlight = {
|
||||
enable = true,
|
||||
additional_vim_regex_highlighting = false,
|
||||
},
|
||||
indent = {
|
||||
enable = true,
|
||||
},
|
||||
highlight = {
|
||||
enable = true,
|
||||
additional_vim_regex_highlighting = false,
|
||||
disable = {
|
||||
'gitcommit', -- only for “conventional commits”
|
||||
'latex', -- incompatible with VimTeX
|
||||
},
|
||||
},
|
||||
indent = {
|
||||
enable = true,
|
||||
},
|
||||
}
|
||||
|
||||
-- VimTeX
|
||||
|
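Review bot: `enable = true` inside the new `procMacro` table has no trailing comma while every sibling entry in the same settings table (`enable = true,` under `buildScripts`) does; use `enable = true,` for consistency so later additions do not produce a diff on this line. The `disable` entries under `highlight` carry inline reasons, which is the right place for them. The `lsp.rust_analyzer.setup` table opens before the hunk.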
|
|
@ -73,8 +73,11 @@ in
|
|||
xkb_options = "compose:caps";
|
||||
xkb_numlock = "enable";
|
||||
};
|
||||
"type:touchpad" = {
|
||||
click_method = "clickfinger";
|
||||
tap = "enabled";
|
||||
};
|
||||
} // (lib.optionalAttrs (nixosConfig.networking.hostName == "mayushii") {
|
||||
"type:touchpad".events = "disabled";
|
||||
"2:10:TPPS/2_Elan_TrackPoint".pointer_accel = "-0.15";
|
||||
});
|
||||
|
||||
|
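Review bot: `//` is a shallow merge, so on mayushii the `"type:touchpad".events = "disabled";` attrset from `lib.optionalAttrs` replaces the whole `"type:touchpad"` entry and `click_method`/`tap` are dropped on that host. That is harmless today because the device is disabled there, but it becomes a trap as soon as the host-specific override gains another key; `lib.recursiveUpdate { … } (lib.optionalAttrs (nixosConfig.networking.hostName == "mayushii") { … })` merges both levels and keeps the intent explicit. The attrset being merged opens before the hunk.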
|