From 8b424cff0aa80facfcf911d30f41296a7ac5567c Mon Sep 17 00:00:00 2001 From: fruchti Date: Fri, 4 Jul 2025 09:10:22 +0200 Subject: [PATCH 1/8] Base, rupert: Enable X11 forwarding on SSH --- base/defaults.nix | 1 + hosts/Rupert.nix | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/base/defaults.nix b/base/defaults.nix index 0a52911..b42a3e6 100644 --- a/base/defaults.nix +++ b/base/defaults.nix @@ -9,6 +9,7 @@ settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; + X11Forwarding = true; }; }; diff --git a/hosts/Rupert.nix b/hosts/Rupert.nix index ef0fa9c..d1d9fdb 100644 --- a/hosts/Rupert.nix +++ b/hosts/Rupert.nix @@ -103,8 +103,9 @@ in services.openssh = { enable = true; settings = { - # ForwardX11 = true; PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + X11Forwarding = true; }; }; From 08de91165fc2c645dbd498d7e73a62234a7552e3 Mon Sep 17 00:00:00 2001 From: fruchti Date: Fri, 4 Jul 2025 09:11:05 +0200 Subject: [PATCH 2/8] Rupert: Make bluray override compile less stuff --- hosts/Rupert.nix | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/hosts/Rupert.nix b/hosts/Rupert.nix index d1d9fdb..715492f 100644 --- a/hosts/Rupert.nix +++ b/hosts/Rupert.nix @@ -17,13 +17,16 @@ in # ./open-pgsql.nix ]; - nixpkgs.overlays = [ + nixpkgs.overlays = let + libbluray = pkgs.libbluray.override { + withAACS = true; + withBDplus = true; + }; + in + [ ( self: super: { - libbluray = super.libbluray.override { - withAACS = true; - withBDplus = true; - }; + vlc = super.vlc.override { inherit libbluray; }; } ) ]; From 6809e8800fcbd98e7704907d7bc9148a21d0df07 Mon Sep 17 00:00:00 2001 From: fruchti Date: Fri, 4 Jul 2025 09:11:30 +0200 Subject: [PATCH 3/8] Rupert: Remove old-version special casing --- hosts/Rupert.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/Rupert.nix b/hosts/Rupert.nix index 715492f..fa92614 100644 --- a/hosts/Rupert.nix 
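Review bot: `X11Forwarding = true;` in the base/defaults.nix hunk turns on sshd X11 forwarding for every host that imports the base defaults, not only Rupert, and the hosts/Rupert.nix hunk repeats the same line. If only some machines need remote GUI programs, setting it in those host files leaves the sshd default (off) everywhere else. If it stays in base, a comment such as `# X11 forwarding enabled on all hosts on purpose (remote GUI tools)` would record the decision. Assuming Rupert.nix imports the base module (not visible here), the three settings in its hunk duplicate the base values and could be dropped. The enclosing `services.openssh` blocks start outside both hunks.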
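Review bot: The new `let` binding in the hosts/Rupert.nix overlay hunk takes `libbluray` from `pkgs`, which is the package set these same overlays produce. That evaluates only because of laziness, and it makes the overlay depend on a name outside its own arguments. Keeping the override inside the overlay function is the more self-contained form: `vlc = super.vlc.override { libbluray = super.libbluray.override { withAACS = true; withBDplus = true; }; };`. A short comment that only `vlc` is rebuilt, to avoid recompiling every libbluray consumer, would also help the next reader.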
+++ b/hosts/Rupert.nix @@ -42,7 +42,7 @@ in hardware.graphics = { enable = true; extraPackages = with pkgs; [ - (if (lib.versionOlder (lib.versions.majorMinor lib.version) "23.11") then vaapiIntel else intel-vaapi-driver) + intel-vaapi-driver libvdpau-va-gl vaapiVdpau # intel-media-driver From e542198457fad2c8cc85861703446fcd94389c1e Mon Sep 17 00:00:00 2001 From: fruchti Date: Fri, 4 Jul 2025 09:12:03 +0200 Subject: [PATCH 4/8] Rupert: Limit CPU usage of beesd on data disk --- hosts/Rupert.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/Rupert.nix b/hosts/Rupert.nix index fa92614..258ab2b 100644 --- a/hosts/Rupert.nix +++ b/hosts/Rupert.nix @@ -169,6 +169,7 @@ in }; # Don’t start automatically systemd.services."beesd@backup-disk".wantedBy = lib.mkForce []; + systemd.services."beesd@data".serviceConfig.CPUQuota = "10%"; security.acme = { defaults = { From ff92b8f082ae8a5697004962df0eb96c15692610 Mon Sep 17 00:00:00 2001 From: fruchti Date: Fri, 4 Jul 2025 09:13:06 +0200 Subject: [PATCH 5/8] Update Nextcloud to 31 --- hosts/nextcloud.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/nextcloud.nix b/hosts/nextcloud.nix index fe1a9cb..897a04b 100644 --- a/hosts/nextcloud.nix +++ b/hosts/nextcloud.nix @@ -6,7 +6,7 @@ in services.nextcloud = { enable = true; https = true; - package = pkgs.nextcloud30; + package = pkgs.nextcloud31; hostName = hostName; datadir = "/data/nextcloud"; settings = { From 53a5948f22d089b42506fcbd93f17e5606257dfc Mon Sep 17 00:00:00 2001 From: fruchti Date: Fri, 4 Jul 2025 09:13:32 +0200 Subject: [PATCH 6/8] Nextcloud: Disable sign-up link --- hosts/nextcloud.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts/nextcloud.nix b/hosts/nextcloud.nix index 897a04b..029599f 100644 --- a/hosts/nextcloud.nix +++ b/hosts/nextcloud.nix @@ -16,6 +16,7 @@ in ]; blacklisted_files = []; trashbin_retention_obligation = "auto, 14"; + "simpleSignUpLink.shown" = false; }; config = { dbtype = "pgsql"; 
From 4ea44fa0e67a8e323a254d3281c55b1fe066962a Mon Sep 17 00:00:00 2001 From: fruchti Date: Fri, 4 Jul 2025 09:14:08 +0200 Subject: [PATCH 7/8] MPD: Fix for 25.05 --- hosts/mpd.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hosts/mpd.nix b/hosts/mpd.nix index ca9262e..87deb37 100644 --- a/hosts/mpd.nix +++ b/hosts/mpd.nix @@ -38,7 +38,7 @@ in ''; }; - hardware.pulseaudio = { + services.pulseaudio = { enable = true; systemWide = true; tcp.enable = true; From 038a0c8176b2979067709364298893ce136f89fd Mon Sep 17 00:00:00 2001 From: fruchti Date: Fri, 4 Jul 2025 09:14:40 +0200 Subject: [PATCH 8/8] Nextcloud: Serve on 4431 with proxy protocol --- hosts/nextcloud.nix | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/hosts/nextcloud.nix b/hosts/nextcloud.nix index 029599f..e68b058 100644 --- a/hosts/nextcloud.nix +++ b/hosts/nextcloud.nix @@ -49,13 +49,41 @@ in after = ["postgresql.service"]; }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall.allowedTCPPorts = [ 80 443 4431 ]; services.nginx = { virtualHosts.${hostName} = { forceSSL = true; enableACME = true; }; + defaultListen = [ + { + addr = "[::]"; + port = 443; + ssl = true; + } + { + addr = "0.0.0.0"; + port = 443; + ssl = true; + } + { + addr = "[::]"; + port = 80; + ssl = false; + } + { + addr = "0.0.0.0"; + port = 80; + ssl = false; + } + { + addr = "[::]"; + port = 4431; + ssl = true; + proxyProtocol = true; + } + ]; }; users.extraGroups.music = {
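Review bot: Port 4431 is added to `networking.firewall.allowedTCPPorts`, so the listener with `proxyProtocol = true` is reachable from any source, and whoever connects to it supplies the PROXY header. Nothing in this hunk limits the port to the fronting proxy or tells nginx which peer to trust, so client addresses arriving on 4431 can be forged wherever nginx or Nextcloud rely on them (access logs, brute-force throttling). Consider opening 4431 only towards the proxy, for example via `networking.firewall.interfaces.<PROXY_IFACE>.allowedTCPPorts`, and adding `set_real_ip_from <PROXY_ADDRESS>;` together with `real_ip_header proxy_protocol;` to the nginx configuration. `defaultListen` also applies to every virtual host without its own `listen`, and the 4431 entry has only a `[::]` address, so confirm that IPv4 is not needed on that port.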