{ config, pkgs, options, lib, ... }:
let
# Home Manager, fetched as a plain tarball. No hash is given, so whatever the
# release-24.05 archive serves at evaluation time is trusted as-is; compare the
# sha256-pinned mail-server import in `imports` below.
homeManager = fetchTarball "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";
# Public domain that every host name in this file is built from.
jimDomain = "jimbosfiles.com";
# WAN-facing interface (masqueraded in the nftables NAT table).
netInt = "eno1";
# LAN prefix and the hosts that receive forwarded ports.
localSpan = "10.0.0";
serverIP = "${localSpan}.2"; # defined but not referenced elsewhere in this file
pcIP = "${localSpan}.3";
vmIP = "${localSpan}.4";
# Secrets come from secrets.nix. Anything taken from here that is interpolated
# into a module option or written with pkgs.writeText ends up in /nix/store,
# which every local user can read (the coturn entry below says as much). The
# file-based options several modules below provide, pointed at a root-only
# path outside the store, are the way to keep them out.
secrets = import ./secrets.nix;
in
{
# Modules pulled in from outside this file.
imports = [
  ./hardware-configuration.nix
  ./jimbo.nix
  "${homeManager}/nixos"
  # simple-nixos-mailserver, pinned by content hash.
  (builtins.fetchTarball {
    sha256 = "0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
    url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-24.05/nixos-mailserver-nixos-24.05.tar.gz";
  })
];
# Nixpkgs and nix-daemon settings.
nixpkgs.config.allowUnfree = true; # unfree packages may be installed
nix.settings = {
  experimental-features = [ "nix-command" "flakes" ];
};
hardware.enableRedistributableFirmware = true; # unfree-but-redistributable firmware blobs
# Boot loader: systemd-boot (the earlier "Grub" comment was stale), with a
# netboot.xyz entry in the boot menu. That entry lets anyone with console
# access at boot start an arbitrary network-loaded image, so it rests on the
# physical security of the machine.
boot.loader.systemd-boot = {
  enable = true;
  netbootxyz.enable = true;
};
# Privilege escalation goes through doas; sudo is switched off entirely.
security = {
  doas = {
    enable = true;
    extraRules = [
      # wheel -> root. keepEnv hands the caller's environment to the root
      # process; persist suppresses re-prompting for a while after a
      # successful authentication.
      { groups = [ "wheel" ]; keepEnv = true; persist = true; }
    ];
  };
  sudo.enable = false;
};
# Shells: zsh on (it is jimbo's login shell below), nano removed.
programs = {
  zsh.enable = true;
  nano.enable = false;
};
# The one human account. SSH is key-only (password auth is disabled in
# services.openssh); wheel gives doas root, and docker membership is itself
# root-equivalent on this host.
users.users.jimbo = {
  uid = 1000;
  isNormalUser = true;
  shell = pkgs.zsh;
  extraGroups = [ "wheel" "docker" "nfsShare" ];
  # The hash is written into the users/groups spec NixOS generates, which is
  # a store file readable by all local users; hashedPasswordFile keeps it out.
  hashedPassword = secrets.jimboAccPass;
  openssh = {
    authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPjBdQrL23pDbcsNCLMvJhcNF7+u95ZV7o1QemOmegf jimbo@JimNixPC"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeqiMCRXtpoP+BvKBmzvkL7oLKKCmbfdaQIF3yk/S8I jimbo@DV-JHAMPTON-NIXOS"
    ];
  };
};
# Service accounts that need extra group membership: nginx reads the coturn
# ACME certificate (group turnserver, see security.acme.certs) and, presumably,
# the mail server's files (virtualMail); nextcloud reaches the NFS export
# through nfsShare.
users.users.nginx = {
  isSystemUser = true;
  extraGroups = [ "turnserver" "virtualMail" ];
};
users.users.nextcloud = {
  isSystemUser = true;
  extraGroups = [ "nfsShare" ];
};
# Group shared by jimbo and the nextcloud service user for the NFS export.
users.groups.nfsShare = {};
# System-wide tools; everything else is installed by the service modules.
environment.systemPackages = [ pkgs.git pkgs.parted pkgs.mdadm ];
# Local timezone (also what log timestamps are rendered in).
time = {
  timeZone = "America/New_York";
};
# Wired DHCP, the nftables-backed NixOS firewall, and a NAT table that
# forwards selected WAN ports to the PC and VM on the LAN.
networking = {
  hostName = "JimNixServer";
  # Choose networking method
  dhcpcd.enable = true;
  wireless.enable = false;
  # Inbound filter. Only what is listed here (plus ports a module opens via
  # its own openFirewall default, which is presumably how sshd's 2222 gets
  # in) reaches this host. The DNAT rules further down are forwarded traffic
  # and are not subject to these input rules.
  firewall = {
    allowPing = false;
    allowedTCPPorts = [
      80 443 # Nginx
      25565 19132 5657 # Minecraft & Pufferpanel SFTP
      2299 # Gitea SSH
      3478 5349 # Coturn
    ];
    allowedTCPPortRanges = [
      { from = 8100; to = 8150; } # Azuracast
    ];
    allowedUDPPorts = [
      25565 19132 # Minecraft Voicechat and Bedrock
      3478 5349 # Coturn UDP
    ];
    allowedUDPPortRanges = [
      { from = 49000; to = 50000; } # Coturn range (matches services.coturn min-/max-port)
    ];
    # Extra nftables input rules. NFS (2049) and DNS (53) are LAN-only; the
    # RTMP ingest ports (1935 nginx-rtmp, 1945 owncast) accept only the hosts
    # listed. These source filters are the sole gate on RTMP publishing,
    # since nginx itself is configured with "allow publish all".
    extraInputRules = ''
      ip saddr ${localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS"
      ip saddr ${localSpan}.0/24 udp dport 53 accept comment "Accept DNS"
      ip saddr { ${pcIP}, ${secrets.lunaIP}, ${secrets.cornIP}, ${secrets.vertIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
    '';
  };
  # NAT table. PREROUTING rewrites inbound WAN traffic straight to the PC/VM
  # (needs net.ipv4.ip_forward, set just below this block); POSTROUTING
  # masquerades LAN traffic leaving on the WAN interface. Forwarded packets
  # never pass the input rules above, so the PC's and VM's own hardening is
  # what protects the exposed services. The SSH (2211->22), game and Sunshine
  # rules accept any source address; only the ALVR rules are pinned to one,
  # which the others could be as well.
  nftables = {
    enable = true;
    tables = {
      forwarding = {
        family = "ip";
        content = ''
          chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            tcp dport 2211 dnat to ${pcIP}:22 comment "SSH to PC"
            udp dport { 27005, 27015, 7777 } dnat to ${pcIP} comment "Games to PC"
            tcp dport { 58010, 57989, 57984 } dnat to ${pcIP} comment "Sunshine TCP to PC"
            udp dport { 57998, 57999, 58000 } dnat to ${pcIP} comment "Sunshine UDP to PC"
            tcp dport { 38010, 37989, 37984 } dnat to ${vmIP} comment "Sunshine TCP to VM"
            udp dport { 37998, 37999, 38000 } dnat to ${vmIP} comment "Sunshine UDP to VM"
            ip saddr ${secrets.cornIP} tcp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR TCP to VM"
            ip saddr ${secrets.cornIP} udp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR UDP to VM"
          }
          chain POSTROUTING {
            type nat hook postrouting priority 100; policy accept;
            oifname "${netInt}" masquerade
          }
        '';
      };
    };
  };
};
# Kernel forwarding is required for the DNAT rules in networking.nftables to
# deliver packets to the PC/VM; AppArmor adds a mandatory-access layer.
boot.kernel.sysctl = {
  "net.ipv4.ip_forward" = 1;
};
security.apparmor.enable = true;
# Enable all manner of services
services = {
# OpenSSH on a non-default port, keys only.
# NOTE(review): 2222 is not in networking.firewall.allowedTCPPorts; the
# module's openFirewall default is presumably what opens it. Listing it there
# would keep every exposed port readable from one place.
openssh = {
  enable = true;
  ports = [ 2222 ];
  settings = {
    PasswordAuthentication = false; # keys only (see users.users.jimbo)
    PermitRootLogin = "no";
    LogLevel = "VERBOSE"; # records the key fingerprint on each login, useful for forensics
    PrintLastLog = "no";
  };
};
# fail2ban: five failures earn a five-minute ban; the LAN PC and VM are
# never banned.
fail2ban = {
  enable = true;
  ignoreIP = [ "${pcIP}" "${vmIP}" ];
  maxretry = 5;
  bantime = "5m";
};
# NFS export of /export/JimboNFS, read-write for the whole LAN /24.
# exports(5) defaults apply, so root is squashed; reachability is further
# limited to the LAN by the 2049 rule in networking.firewall.extraInputRules.
nfs.server = {
  enable = true;
  exports = ''
    /export/JimboNFS ${localSpan}.0/24(rw,no_subtree_check)
  '';
};
# ddclient keeps the Cloudflare records pointed at the current WAN address.
ddclient = {
  enable = true;
  protocol = "cloudflare";
  use = "web, web=https://ipinfo.io/ip";
  zone = jimDomain;
  username = "token";
  # The API token is written into the store, readable by every local user.
  # passwordFile is meant to take a root-only path outside the store; until
  # then, scope the token to DNS-edit on this one zone so exposure stays
  # contained.
  passwordFile = toString (pkgs.writeText "cloudflareapikey" secrets.flareApiKey);
  domains = [
    jimDomain
    "*.${jimDomain}"
    "beta.${jimDomain}"
    "git.${jimDomain}"
    "john.${jimDomain}"
    "mc.${jimDomain}"
    "mx.${jimDomain}"
    "panel.${jimDomain}"
    "rtmp.${jimDomain}"
  ];
};
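# Nginx: TLS termination and reverse proxy for every public service, plus an
# RTMP ingest (nginx-rtmp module) that publishes HLS under the main web root.
nginx = let
  # Vhost that terminates TLS and proxies everything to a loopback port.
  # Every backend below listens on 127.0.0.1, so only nginx reaches it.
  proxyTo = port: {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
      proxyWebsockets = true;
    };
  };
in {
  enable = true;
  package = pkgs.nginx.override {
    modules = with pkgs.nginxModules; [ rtmp ];
  };
  recommendedTlsSettings = true;
  recommendedOptimisation = true;
  recommendedGzipSettings = true;
  recommendedProxySettings = true;
  virtualHosts = {
    # Homepage plus Matrix .well-known delegation. addSSL keeps plain HTTP
    # reachable here (the HLS output under /streams is served from this
    # root); clients fetch the delegation documents over HTTPS.
    "${jimDomain}" = {
      enableACME = true;
      addSSL = true;
      root = "/var/www/jimweb";
      locations = {
        "/.well-known/matrix/client" = {
          extraConfig = ''
            default_type application/json;
            return 200 '
            {
              "m.homeserver": {
                "base_url": "https://matrix.${jimDomain}"
              },
              "m.identity_server": {
                "base_url": "https://matrix.org"
              },
              "org.matrix.msc3575.proxy": {
                "url": "https://matrix.${jimDomain}"
              }
            }';
          '';
        };
        "/.well-known/matrix/server" = {
          extraConfig = ''
            default_type application/json;
            return 200 '{"m.server": "matrix.${jimDomain}:443"}';
          '';
        };
      };
    };
    # Nextcloud. The vhost body is generated by services.nextcloud; this adds
    # ACME, forces HTTPS (previously addSSL, which left the login reachable
    # over plain HTTP) and the CardDAV/CalDAV discovery redirects.
    "cloud.${jimDomain}" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyWebsockets = true;
        extraConfig = "
          location /.well-known/carddav {
            return 301 $scheme://$host/remote.php/dav;
          }
          location /.well-known/caldav {
            return 301 $scheme://$host/remote.php/dav;
          }
        ";
      };
    };
    "warden.${jimDomain}" = proxyTo 8222;   # Vaultwarden
    "recipes.${jimDomain}" = proxyTo 5030;  # Tandoor recipes
    "bluemap.${jimDomain}" = proxyTo 31010; # Bluemap
    "git.${jimDomain}" = proxyTo 3110;      # Gitea
    "panel.${jimDomain}" = proxyTo 5010;    # Pufferpanel
    # Synapse (8008) and the sliding-sync proxy (8009). "/" is refused so only
    # the Matrix API paths are exposed.
    "matrix.${jimDomain}" = {
      enableACME = true;
      forceSSL = true;
      locations = {
        "/".extraConfig = ''return 403;'';
        "/client".proxyPass = "http://127.0.0.1:8009";
        "/_matrix".proxyPass = "http://127.0.0.1:8008";
        "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
        "/_synapse/client".proxyPass = "http://127.0.0.1:8008";
      };
    };
    # Element web client (static files). Forced to HTTPS (previously addSSL)
    # because the client handles Matrix credentials.
    "chat.${jimDomain}" = {
      enableACME = true;
      forceSSL = true;
      root = "${pkgs.element-web}";
    };
    # Exists so ACME issues a certificate coturn can use (see
    # security.acme.certs). Nothing in this file listens on 1380.
    "turn.${jimDomain}" = {
      enableACME = true;
      forceSSL = true;
      listen = [
        { addr = "0.0.0.0"; port = 80; ssl = false; }
      ];
      locations."/".proxyPass = "http://127.0.0.1:1380";
    };
    "radio.${jimDomain}" = proxyTo 255;  # Radio
    "live.${jimDomain}" = proxyTo 8060;  # Owncast
    "mx.${jimDomain}" = proxyTo 1390;    # Mail host; its certificate is reused by the mail server
    # Lemmy wires its own locations in through services.lemmy.nginx.enable.
    "lemmy.${jimDomain}" = {
      enableACME = true;
      forceSSL = true;
    };
    "guard.${jimDomain}" = proxyTo 3000; # AdGuard Home admin UI
  };
  # RTMP ingest. "allow publish all" means nginx itself does not authenticate
  # publishers; the only gate is the nftables source filter on port 1935 in
  # networking.firewall.extraInputRules. If that rule is ever loosened this
  # becomes an open ingest.
  appendConfig = ''
    rtmp {
      server {
        listen 1935;
        chunk_size 4096;
        allow publish all;
        application stream {
          record off;
          live on;
          allow play all;
          hls on;
          hls_path /var/www/jimweb/streams/hls;
          hls_fragment_naming system;
          hls_fragment 3;
          hls_playlist_length 40;
        }
      }
    }
  '';
};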
# Nextcloud behind the cloud.${jimDomain} vhost; data lives on /mnt/nextcloud.
nextcloud = {
  enable = true;
  package = pkgs.nextcloud29;
  hostName = "cloud.${jimDomain}";
  datadir = "/mnt/nextcloud";
  https = true;
  config = {
    adminuser = "jimbo";
    adminpassFile = "/mnt/nextcloud/password.txt"; # outside the store
  };
  settings = {
    overwriteprotocol = "https";
    trusted_proxies = [ "127.0.0.1" ];
    trusted_domains = [ "cloud.${jimDomain}" ];
    # Outgoing mail through the local mail server.
    # NOTE(review): settings are rendered into a generated config file, so
    # mail_smtppassword presumably ends up in the store; the module's
    # secretFile option is the supported way to keep it out.
    mail_smtpmode = "smtp";
    mail_smtphost = "mx.${jimDomain}";
    mail_smtpport = 587;
    mail_smtpauth = "true";
    mail_smtpname = "noreply@${jimDomain}";
    mail_smtppassword = secrets.noreplyPassword;
    mail_domain = jimDomain;
    mail_from_address = "noreply";
  };
};
# Vaultwarden on loopback 8222, fronted by warden.${jimDomain}.
vaultwarden = {
  enable = true;
  # NOTE(review): config is rendered to an environment file in the store, so
  # SMTP_PASSWORD is readable by every local user; the module's environmentFile
  # option exists for exactly these values.
  config = {
    DOMAIN = "https://warden.${jimDomain}";
    SIGNUPS_ALLOWED = false; # self-registration closed
    ROCKET_ADDRESS = "127.0.0.1"; # loopback only; nginx terminates TLS
    ROCKET_PORT = 8222;
    ROCKET_LOG = "critical";
    # Outgoing mail through the local mail server.
    SMTP_HOST = "mx.${jimDomain}";
    SMTP_PORT = 587;
    SMTP_SECURITY = "starttls";
    SMTP_TIMEOUT = 15;
    SMTP_FROM = "noreply@${jimDomain}";
    SMTP_FROM_NAME = "Vaultwarden";
    SMTP_USERNAME = "noreply@${jimDomain}";
    SMTP_PASSWORD = secrets.noreplyPassword;
  };
};
# Tandoor recipes on 5030, fronted by recipes.${jimDomain}.
tandoor-recipes.enable = true;
tandoor-recipes.port = 5030;
# Gitea: HTTP on 3110 behind git.${jimDomain}, built-in SSH on 2299 (opened in
# networking.firewall). Registration is closed.
gitea = {
  enable = true;
  settings = {
    server = {
      DOMAIN = "git.${jimDomain}";
      ROOT_URL = "https://git.${jimDomain}:443";
      HTTP_PORT = 3110;
      START_SSH_SERVER = true;
      SSH_PORT = 2299;
    };
    service.DISABLE_REGISTRATION = true;
    mailer = {
      ENABLED = true;
      PROTOCOL = "smtp+starttls";
      SMTP_ADDR = "mx.${jimDomain}";
      SMTP_PORT = 587;
      FROM = "noreply@${jimDomain}";
      # NOTE(review): this lands in the generated app.ini template in the
      # store; the module's mailerPasswordFile option reads it from a
      # root-only file at start instead.
      PASSWD = secrets.noreplyPassword;
    };
  };
};
# Pufferpanel (game-server panel), run inside an FHS env so the upstream
# binary finds icu/openssl/zlib. Web UI on 5010 behind panel.${jimDomain}.
pufferpanel = {
  enable = true;
  package = pkgs.buildFHSEnv {
    name = "pufferpanel-fhs";
    meta.mainProgram = "pufferpanel-fhs";
    runScript = lib.getExe pkgs.pufferpanel;
    targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ];
  };
  extraPackages = with pkgs; [ bash curl gawk gnutar gzip ];
  environment = {
    # ":5010" binds every interface; 5010 is not opened in the firewall, so
    # only nginx reaches it as long as that stays true.
    PUFFER_WEB_HOST = ":5010";
    PUFFER_PANEL_SETTINGS_MASTERURL = "https://panel.${jimDomain}";
    # Outgoing mail through the local mail server.
    PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
    PUFFER_PANEL_EMAIL_HOST = "mx.${jimDomain}:587";
    PUFFER_PANEL_EMAIL_FROM = "noreply@${jimDomain}";
    PUFFER_PANEL_EMAIL_USERNAME = "noreply@${jimDomain}";
    # NOTE(review): presumably rendered into the unit's Environment= lines,
    # i.e. a world-readable store file; a root-only EnvironmentFile= would
    # keep the password out.
    PUFFER_PANEL_EMAIL_PASSWORD = secrets.noreplyPassword;
  };
};
# MariaDB for the Minecraft server. The minecraft user gets all rights on its
# own database only; no password is set here, so access presumably relies on
# the socket-based auth the module applies to ensureUsers.
mysql = {
  enable = true;
  package = pkgs.mariadb;
  dataDir = "/var/lib/mysql";
  initialDatabases = [ { name = "minecraft"; } ];
  ensureUsers = [
    {
      name = "minecraft";
      ensurePermissions."minecraft.*" = "ALL PRIVILEGES";
    }
  ];
};
# Owncast: HTTP on 8060 (fronted by live.${jimDomain}), RTMP ingest on 1945.
# Both bind every interface; 8060 is not opened in the firewall, and 1945 is
# accepted only from the hosts listed in networking.firewall.extraInputRules.
owncast = {
  enable = true;
  listen = "0.0.0.0";
  port = 8060;
  rtmp-port = 1945;
};
# coturn: TURN relay for Matrix voice/video. The relay port range is the UDP
# range opened in networking.firewall.
coturn = let
  realm = "turn.${jimDomain}";
  certDir = config.security.acme.certs.${realm}.directory;
in {
  enable = true;
  inherit realm;
  no-cli = true;
  no-tcp-relay = true;
  min-port = 49000;
  max-port = 50000;
  use-auth-secret = true;
  # This literal is the shared secret Synapse mints TURN credentials with. As
  # a plain option it sits in the store, readable by every local user, and
  # it is not random. static-auth-secret-file reads it from a root-only path
  # instead (Synapse would then take turn_shared_secret from the same file
  # via extraConfigFiles rather than from config.services.coturn).
  static-auth-secret = "will be world readable for local users :(";
  cert = "${certDir}/full.pem";
  pkey = "${certDir}/key.pem";
};
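# Synapse homeserver. Plain HTTP on 8008; TLS is terminated by the
# matrix.${jimDomain} vhost in services.nginx.
matrix-synapse = {
  enable = true;
  settings = {
    server_name = jimDomain;
    public_baseurl = "https://matrix.${jimDomain}";
    suppress_key_server_warning = true;
    # One listener serving both client and federation traffic.
    listeners = [{
      port = 8008;
      # Bound on all interfaces; nothing opens 8008 in the firewall, so in
      # practice only nginx reaches it. x_forwarded makes Synapse trust the
      # X-Forwarded-For it receives, so anything that could reach 8008
      # directly could spoof client addresses; binding to 127.0.0.1 would
      # close that off.
      bind_addresses = [ "::" "0.0.0.0" ];
      resources = [ { compress = false; names = [ "client" "federation" ]; } ];
      type = "http";
      tls = false;
      x_forwarded = true;
    }];
    # Outgoing mail (password resets, address verification) through the
    # local mail server.
    # NOTE(review): smtp_pass goes into the generated homeserver config, i.e.
    # the store; extraConfigFiles can carry it from a root-only file instead.
    email = {
      notif_from = "Jimbo's Matrix Homeserver <noreply@${jimDomain}>";
      smtp_host = "mx.${jimDomain}";
      smtp_port = 587;
      smtp_user = "noreply@${jimDomain}";
      smtp_pass = secrets.noreplyPassword;
      enable_tls = true;
      require_transport_security = true;
    };
    # Registration is open but requires a verified e-mail on this domain,
    # which makes it members-only in practice. The pattern is derived from
    # jimDomain so it cannot drift from server_name.
    enable_registration = true;
    registrations_require_3pid = [ "email" ];
    allowed_local_3pids = [{
      medium = "email";
      pattern = "^[^@]+@${lib.escapeRegex jimDomain}$";
    }];
    database.name = "sqlite3";
    # URL previews make the server fetch user-supplied URLs; confirm the
    # url_preview_ip_range_blacklist in effect covers the LAN prefix.
    url_preview_enabled = true;
    max_upload_size = "50M";
    report_stats = false;
    # TURN credentials are minted from the coturn shared secret (see
    # services.coturn for why that secret should move out of the store).
    turn_uris = [
      "turn:${config.services.coturn.realm}:3478?transport=udp"
      "turn:${config.services.coturn.realm}:3478?transport=tcp"
    ];
    turn_shared_secret = config.services.coturn.static-auth-secret;
    turn_user_lifetime = "1h";
    # NOTE(review): a top-level burst_count is probably not read by Synapse;
    # its rate limits live under the rc_* sections (rc_message, rc_login, ...).
    # Confirm this actually takes effect.
    burst_count = 15;
  };
};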
# Sliding-sync proxy (MSC3575) in front of Synapse; nginx routes /client and
# the msc3575 sync path to 8009.
matrix-sliding-sync = {
  enable = true;
  settings = {
    SYNCV3_SERVER = "https://matrix.${jimDomain}";
    # Bound on every interface; nothing opens 8009 in the firewall, so only
    # nginx on this host reaches it.
    SYNCV3_BINDADDR = "0.0.0.0:8009";
  };
  # NOTE(review): writeText puts SYNCV3_SECRET in the store, readable by every
  # local user. Point environmentFile at a root-only file outside the store.
  environmentFile = "${pkgs.writeText "matrixsecret" ''
    SYNCV3_SECRET=${secrets.matrixSecret}
  ''}";
};
# Mastodon at social.${jimDomain}; the module writes its own nginx vhost.
mastodon = {
  enable = true;
  localDomain = "social.${jimDomain}";
  configureNginx = true;
  streamingProcesses = 4;
  smtp = {
    createLocally = false; # use the mail server in this file, not a local postfix
    host = "mx.${jimDomain}";
    port = 587;
    authenticate = true;
    user = "noreply@${jimDomain}";
    fromAddress = "noreply@${jimDomain}";
    # NOTE(review): passwordFile exists so the secret can live outside the
    # store, but writeText puts it straight back in; point this at a
    # root-only file instead.
    passwordFile = pkgs.writeText "smtp_pass.txt" secrets.noreplyPassword;
  };
};
# Lemmy at lemmy.${jimDomain}; the module fills in the vhost that
# services.nginx only gives ACME and forced TLS.
lemmy = {
  enable = true;
  nginx.enable = true;
  database.createLocally = true;
  settings = {
    hostname = "lemmy.${jimDomain}";
    email = {
      smtp_server = "mx.${jimDomain}:587";
      tls_type = "starttls";
      smtp_login = "noreply@${jimDomain}";
      smtp_from_address = "noreply@${jimDomain}";
      # NOTE(review): settings become a generated config file in the store,
      # so this password is readable by every local user.
      smtp_password = secrets.noreplyPassword;
    };
  };
};
# Roundcube webmail at mail.${jimDomain}. SMTP goes to the mail server over
# TLS using the logged-in user's own credentials (%u/%p), so no shared
# sending password is stored here.
roundcube = {
  enable = true;
  hostName = "mail.${jimDomain}";
  extraConfig = ''
    $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
    $config['smtp_user'] = "%u";
    $config['smtp_pass'] = "%p";
  '';
};
# AdGuard Home answers DNS for the LAN (53/udp is opened for the LAN in
# networking.firewall.extraInputRules); its admin UI sits behind guard.${jimDomain}.
adguardhome.enable = true;
# Tor Snowflake proxy: this host relays traffic for Tor users.
snowflake-proxy.enable = true;
# Build-time validation of the logrotate config is off (it broke the build);
# an invalid rotation config now surfaces only at runtime.
logrotate.checkConfig = false;
# rspamd's redis instance moved to 1515 (mirrors mailserver.redis.port).
redis.servers.rspamd.port = 1515;
};
# nginx service tweaks: a PAM entry, the shadow group and a writable HLS dir.
security.pam.services.nginx.setEnvironment = false;
systemd.services.nginx.serviceConfig = {
  # NOTE(review): membership in "shadow" lets nginx read /etc/shadow, i.e.
  # every local password hash; with the PAM entry above this looks like
  # PAM-backed authentication. A compromised nginx then walks away with those
  # hashes, so keep this only if something actually uses it.
  SupplementaryGroups = [ "shadow" ];
  # Carve-out from the sandbox the module applies, for the RTMP HLS output
  # (hls_path in services.nginx.appendConfig).
  ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ];
};
# ACME: accept the CA terms and, for the coturn realm certificate, make it
# readable by group turnserver (nginx is in that group too, see
# users.users.nginx) and restart coturn whenever it is renewed.
security.acme = {
  acceptTerms = true;
  defaults.email = "jimjam4real@gmail.com";
  certs.${config.services.coturn.realm} = {
    group = "turnserver";
    postRun = "systemctl restart coturn.service";
  };
};
# Element web client config, baked into pkgs.element-web for chat.${jimDomain}.
nixpkgs.config.element-web.conf = {
  default_server_config."m.homeserver" = {
    base_url = "https://matrix.${jimDomain}";
    # NOTE(review): Synapse's server_name is ${jimDomain}, not matrix.${jimDomain};
    # Element appears to use this value for display only, but confirm.
    server_name = "matrix.${jimDomain}";
  };
  branding = {
    #welcome_background_url = "https://staging.${jimDomain}/images/backgrounds/bloxelcom-sunset.jpg";
    #auth_header_logo_url = "https://staging.${jimDomain}/images/logos/bloxelcom.png";
  };
  embedded_pages.home_url = "https://www.${jimDomain}/";
  disable_custom_urls = true; # users cannot point the client at another homeserver
  disable_guests = true;
  default_theme = "dark";
};
# Enable Docker
virtualisation.docker = {
enable = true;
daemon.settings = {
log-driver = "json-file";
};
};
2024-07-30 08:54:11 -04:00
# simple-nixos-mailserver for ${jimDomain}, reusing the nginx ACME certificate
# for mx.${jimDomain}. rspamd's redis is on 1515 (same value as
# services.redis.servers.rspamd.port).
mailserver = {
  enable = true;
  domains = [ jimDomain ];
  fqdn = "mx.${jimDomain}";
  certificateScheme = "acme-nginx";
  enableManageSieve = true;
  # AdGuard Home owns port 53, so the bundled resolver is off; mail-related
  # lookups presumably go through the system resolver instead.
  localDnsResolver = false;
  redis.port = 1515;
  # Accounts. Generate hashes with: nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
  # NOTE(review): writeText places every hash in the store, where any local
  # user can copy it for offline cracking; hashedPasswordFile is meant for a
  # root-only path outside the store.
  loginAccounts = {
    "noreply@${jimDomain}" = {
      hashedPasswordFile = pkgs.writeText "noreply" secrets.noreplyMailHash;
      sendOnly = true; # only ever a sender for the services above
    };
    "jimbo@${jimDomain}" = {
      hashedPasswordFile = pkgs.writeText "jimbo" secrets.jimboMailHash;
      aliases = [ "canada@${jimDomain}" "contact@${jimDomain}" ];
    };
    "lunamoonlight@${jimDomain}" = {
      hashedPasswordFile = pkgs.writeText "luna" secrets.lunaMailHash;
      aliases = [ "us@${jimDomain}" "contact@${jimDomain}" ];
    };
    "freecorn1854@${jimDomain}" = {
      hashedPasswordFile = pkgs.writeText "freecorn" secrets.freecornMailHash;
      aliases = [ "canada@${jimDomain}" "contact@${jimDomain}" ];
    };
    "tinyattack09@${jimDomain}" = {
      hashedPasswordFile = pkgs.writeText "tiny" secrets.tinyMailHash;
    };
  };
};
# State version of the first install (leave as is: it pins on-disk formats);
# unattended upgrades are off, so updates are applied by hand.
system = {
  stateVersion = "23.11";
  autoUpgrade.enable = false;
};
}