# NixOS system configuration for "freecornserver": nginx (HTTPS sites, reverse
# proxies, RTMP), Nextcloud, PufferPanel, CUPS/Avahi printing, RTL-SDR, Docker
# and the host firewall / NAT rules. User accounts, the Vaultwarden service and
# the hardware settings are in the imported files and are not visible here.
{ config, pkgs, options, lib, ... }:   # `options` is accepted but not used in this file
let
  # Import home manager
  # NOTE(review): fetchTarball without a sha256 follows the moving release-24.05
  # branch, so evaluation is not reproducible and the upstream archive is
  # re-trusted on every fetch. Pin it (sha256 = "<HASH-PLACEHOLDER>" or a
  # commit-specific URL) once the intended revision is known.
  homeManager = fetchTarball
    "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";
  # Secrets and passwords
  # NOTE(review): every value read from ./secrets.nix below (domains, IPs, email,
  # time zone) is interpolated into the evaluated system and therefore lands in
  # the world-readable /nix/store. Anything that is a real credential should be
  # loaded at runtime instead (as adminpassFile does below) — confirm what
  # secrets.nix currently holds.
  secrets = import ./secrets.nix;
in
{
  imports = [
    ./hardware-configuration.nix
    ./freecorn.nix
    ./jimbo.nix
    ./vaultwarden.nix
    "${homeManager}/nixos"   # home-manager NixOS module from the tarball above
  ];
  # Bootloader
  boot.loader.grub = {
    enable = true;
    device = "/dev/sda";
  };
  # Enable network manager applet
  programs.nm-applet.enable = true;
  # Set your time zone.
  time.timeZone = secrets.timeZone;
  # Select internationalisation properties.
  i18n.defaultLocale = "en_CA.UTF-8";
  # allow non nix programs to run
  programs.nix-ld.enable = true;
  programs.nix-ld.libraries = with pkgs; [
    # Add any missing dynamic libraries for unpackaged programs
    # here, NOT in environment.systemPackages
  ];
  # Enable the X11 windowing system.
  # services.xserver = {
  # enable = true;
  # videoDrivers = [ "radeon" ];
  # xkb = {
  # layout = "us";
  # variant = "";
  # };
  # Enable the LXQT Desktop Environment.
  # displayManager.lightdm.enable = true;
  # desktopManager.lxqt.enable = true;
  # };
  # Enable automatic login for the user.
  # services.displayManager.autoLogin = {
  # enable = true;
  # user = "freecorn";
  # };
  # Enable sound with pipewire.
  # hardware.pulseaudio.enable = false;
  # security.rtkit.enable = true;
  # services.pipewire = {
  # enable = true;
  # alsa.enable = true;
  # alsa.support32Bit = true;
  # pulse.enable = true;
  # };
  # OpenGL and drivers
  # hardware.opengl = {
  # enable = true;
  # driSupport = true;
  # driSupport32Bit = true;
  # };
  # Printer Stuff (FUCK HP!)
  # NOTE(review): CUPS is bound to every interface on 631, allowFrom "all"
  # disables its host ACL, and openFirewall opens 631 on all firewall
  # interfaces. Confirm the printer is meant to be reachable beyond the LAN;
  # otherwise restrict listenAddresses / allowFrom to the local subnet.
  services = {
    printing = {
      listenAddresses = [ "*:631" ];
      allowFrom = [ "all" ];
      browsing = true;
      defaultShared = true;      # new queues are shared by default
      openFirewall = true;
      enable = true;
      drivers = [ pkgs.hplip ];  # HP printer/scanner driver
      webInterface = false;      # CUPS web UI is off; queues are still advertised via avahi
    };
    avahi = {
      nssmdns4 = true;           # resolve .local names (IPv4) through nsswitch
      openFirewall = true;       # opens the mDNS port (5353/udp)
      publish = {
        enable = true;
        userServices = true;     # advertise the shared printer queues
      };
    };
  };
  # Install fonts, need this for orbitron!
  # fonts.packages = with pkgs; [
  # orbitron
  # ];
  # systemd.services.rtl_tcp = {
  # enable = true;
  # description = "rtl_tcp";
  # unitConfig = {
  # Type = "simple";
  # # ...
  # };
  # serviceConfig = {
  # ExecStart = "rtl_tcp -a 10.0.0.240";
  # # ...
  # };
  #}
  # Define a users and groups
  users = {
    groups = {
      nfsShare = {};   # group for the NFS-shared data (see the NFS input rule and the commented NFS server below)
    };
    # Extra group for the service user created by services.nextcloud; presumably
    # so Nextcloud can read the shared data under /mnt — confirm against the mount.
    users.nextcloud = {
      extraGroups = [ "nfsShare" ];
      isSystemUser = true;
    };
  };
  # RTL-SDR Support
  hardware.rtl-sdr.enable = true;
  boot.kernelParams = [ "modprobe.blacklist=dvb_usb_rtl28xxu" ]; # blacklist the in-kernel DVB driver so the dongle is left to rtl-sdr
  # Docker :(((
  # NOTE(review): the Docker daemon runs as root and membership of the docker
  # group is root-equivalent; group membership is not defined in this file, so
  # review it in the imported user modules.
  virtualisation.docker.enable = true;
  # OpenWebRX
  # services.openwebrx.enable = true;
  # PufferPannel
  services = {
    pufferpanel = {
      enable = true;
      environment = {
        # Binds all interfaces, but 5010 is not in allowedTCPPorts below, so the
        # panel is only reachable locally / through the nginx proxy.
        PUFFER_WEB_HOST = ":5010";
        PUFFER_PANEL_SETTINGS_MASTERURL = "https://ppanel.${secrets.cornDomain}";
        PUFFER_PANEL_REGISTRATIONENABLED = "false";   # no self-service sign-up
        # NOTE(review): the commented lines below reference `outputs.secrets`,
        # which is not in scope in this file (the let-binding is `secrets`);
        # the names need fixing before they are re-enabled.
        # PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
        # PUFFER_PANEL_EMAIL_HOST = "mx.${outputs.secrets.jimDomain}:587";
        # PUFFER_PANEL_EMAIL_FROM = "noreply@${outputs.secrets.jimDomain}";
        # PUFFER_PANEL_EMAIL_USERNAME = "noreply@${outputs.secrets.jimDomain}";
        # PUFFER_PANEL_EMAIL_PASSWORD = outputs.secrets.noreplyPassword;
      };
      extraPackages = with pkgs; [ bash curl gawk gnutar gzip ];
      # Run the panel inside an FHS environment — presumably so server templates
      # that expect a conventional filesystem layout work; confirm.
      package = pkgs.buildFHSEnv {
        name = "pufferpanel-fhs";
        meta.mainProgram = "pufferpanel-fhs";
        runScript = lib.getExe pkgs.pufferpanel;
        targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ];
      };
    };
  };
  # NGINX :3
  services.nginx = {
    enable = true;
    # nginx rebuilt with the RTMP module used by the stream server in appendConfig
    package = (pkgs.nginx.override {
      modules = with pkgs.nginxModules; [ rtmp ];
    });
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    # Homepage HTML
    virtualHosts = {
      # NOTE(review): addSSL keeps serving plain HTTP alongside HTTPS; use
      # forceSSL (as nonfree.* does) if the unencrypted site is not wanted.
      "${secrets.cornDomain}" = {
        enableACME = true;
        addSSL = true;
        root = "/var/www/cornweb";
      };
      # non-free websites
      "nonfree.${secrets.cornDomain}" = {
        enableACME = true;
        forceSSL = true;
        root = "/var/www/non-free";
      };
      # PufferPanel proxy (the earlier comment said "websdr"; this forwards to
      # the PUFFER_WEB_HOST port configured above)
      "ppanel.${secrets.cornDomain}" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:5010";
          proxyWebsockets = true;
        };
      };
      # Nextcloud Proxy
      # The rest of this vhost (root, PHP handling) is presumably supplied by
      # services.nextcloud below, which uses the same hostName; only websocket
      # support and the DAV well-known redirects are added here.
      # NOTE(review): addSSL also leaves plain HTTP open to the Nextcloud login;
      # forceSSL would match the https = true / overwriteprotocol settings below.
      "cloud.${secrets.cornDomain}" = {
        enableACME = true;
        addSSL = true;
        locations."/" = {
          proxyWebsockets = true;
          extraConfig = ''
            location /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
            }
            location /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
            }
          '';
        };
      };
    };
    # RTMP ingest/playback on 1935 (opened in the firewall below).
    # NOTE(review): `allow publish all` lets any host that can reach 1935 push a
    # stream; restrict publishing to trusted sources (`allow publish <ip>;
    # deny publish all;`) or gate it with an on_publish callback.
    appendConfig = ''
      rtmp {
      server {
      listen 1935;
      chunk_size 4096;
      allow publish all;
      application stream {
      record off;
      live on;
      allow play all;
      }
      }
      }
    '';
  };
  # Nextcloud server
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud29;
    hostName = "cloud.${secrets.cornDomain}";   # same name as the nginx vhost above, so the two definitions merge
    datadir = "/mnt/nextcloud";
    https = true;
    config = {
      adminuser = "freecorn";
      # NOTE(review): the admin password file sits inside datadir on /mnt; make
      # sure it is readable only by the nextcloud user and that the mount is
      # present before the setup service runs.
      adminpassFile = "/mnt/nextcloud/password.txt";
    };
    settings = {
      trusted_proxies = [ "127.0.0.1" ];                    # the local nginx reverse proxy
      trusted_domains = [ "cloud.${secrets.cornDomain}" ];
      overwriteprotocol = "https";                          # generate https URLs when behind the proxy
    };
  };
  # Get certificates for Coturn
  # (these ACME defaults apply to every enableACME vhost above; no coturn is
  # configured in this file — it presumably lives in an imported module)
  security.acme = {
    acceptTerms = true;
    defaults.email = secrets.cornEmail;
  };
  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;
  # Packages installed in system profile
  environment.systemPackages = with pkgs; [
    # firefox
    wget
    x11vnc            # VNC server; no port for it is opened below
    fastfetch
    ffmpeg
    system-config-printer
    libcaption
    git
    rtl-sdr
    steam-run
    # openwebrx
    qbittorrent
  ];
  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PrintLastLog = "no";
      PasswordAuthentication = false;   # key-based authentication only
    };
    openFirewall = true;                # opens 22 on all interfaces
  };
  # Hostname and networking
  networking = {
    hostName = "freecornserver";
    networkmanager.enable = true;
    firewall = {
      allowedTCPPorts = [
        1935 # RTMP
        # 4455 # VR
        80 443 # Nginx
        1234 # rtl_tcp — NOTE(review): the rtl_tcp unit above is commented out, so this port is open with nothing intended behind it
        # 25565 # minecraft port
        8222 # NOTE(review): undocumented; presumably the Vaultwarden port from ./vaultwarden.nix — confirm and label
      ];
      allowedUDPPorts = [
        # 4455
        # 24454 # minecraft vc mod
      ];
      # Add extra input rules using nftables (needs networking.nftables.enable below).
      # Accept NFS (2049/tcp) only from the listed hosts; the NFS server itself is
      # currently commented out at the bottom of this file.
      extraInputRules = ''
        ip saddr { 10.0.0.124, ${secrets.jimIP1}, ${secrets.jimIP2}, ${secrets.lunaIP} } tcp dport 2049 accept comment "Accept NFS"
      '';
    };
    nftables = {
      enable = true;
      tables = {
        # NAT table: forward the ALVR ports to the VR host and masquerade
        # outbound traffic on enp2s0.
        # NOTE(review): the DNAT rule is not limited by interface or destination
        # address, and forwarded packets do not pass the input chain, so
        # 9943/9944 on 10.0.0.97 are reachable from wherever forwarding is
        # permitted. Neither the forward-chain policy nor IP forwarding
        # (net.ipv4.ip_forward) is set in this file — confirm both elsewhere.
        forwarding = {
          family = "ip";
          content = ''
            chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            tcp dport { 9943, 9944 } dnat to 10.0.0.97 comment "ALVR"
            }
            chain POSTROUTING {
            type nat hook postrouting priority 100; policy accept;
            oifname "enp2s0" masquerade
            }
          '';
        };
      };
    };
  };
  # NFS server
  # services.nfs.server = {
  # enable = true;
  # exports = ''
  # /export/freecornNFS *(rw,no_subtree_check)
  # '';
  # };
  # Copy and link the NixOS configuration file to (/run/current-system/configuration.nix).
  # NOTE(review): presumably only this file is copied (not imports such as
  # secrets.nix) and the copy is world-readable in the store — confirm.
  system.copySystemConfiguration = true;
  # Don't change this
  system.stateVersion = "24.05";
}