NixOS-Config/Server/configuration.nix

{ config, pkgs, options, lib, ... }: 
let
  # Import home manager
  homeManager = fetchTarball 
    "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";

  # Define domains and ips
  jimdomain = ''jimbosfiles.com'';
  bloxeldomain = ''bloxelcom.net'';

  # IPs
  localspan = ''192.168.1'';
  pc = ''${localspan}.18'';
  server = ''${localspan}.17'';
  vm = ''${localspan}.70'';
in

{
  # Import other nix files and firmware
  imports = [ 
    ./hardware-configuration.nix
    ./jimbo.nix 
    "${homeManager}/nixos"

    # Mail server import
    (builtins.fetchTarball {
      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-24.05/nixos-mailserver-nixos-24.05.tar.gz";
      sha256 = "0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
    })
  ];

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  # Allow flakes (I have no clue how they work yet)
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Allow unfree firmware
  hardware.enableRedistributableFirmware = true;

  # Choose Grub as the bootloader
  boot = {
    kernelPackages = pkgs.linuxPackages_xanmod;
    loader = {
      grub = {
        efiSupport = true;
        device = "nodev";
      };
    };
  };

  # Enable a permissioning system
  security = {
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
	# Give wheel root access, allow persistant session
        { groups = [ "wheel" ]; keepEnv = true; persist = true; }
      ];
    };
  };

  # Enable the ZSH shell
  programs.zsh.enable = true;

  # Disable Nano
  programs.nano.enable = false;

  # Define a user account.
  users.users.jimbo = {
    isNormalUser = true;
    hashedPassword = 
      "$6$gYpE.pG/zPXgin06$2kydjDfd0K62Dhf9P0PFvJhRNz6xIC/bHYaf/XYqyKcLyZNzPQpy8uy9tCRcSYlj1wwBhzVtTRyItwajOHCEj0";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuCYrIZlD6LNpFh3XTYbXaPQWYysr1oZAX4DL3gF28l jimbo@DV-JHAMPTON"
    ];
    extraGroups = [ "wheel" "docker" ];
    uid = 1000;
    shell = pkgs.zsh;
  };

  # Add Nginx to extra groups
  users.users.nginx.extraGroups = [ "turnserver" "virtualMail" ];

  # Installed programs to the system profile.
  environment.systemPackages = with pkgs; [
    # Essential system tools
    git parted mdadm
  ];

  # Define timezone and networking settings
  time.timeZone = "America/New_York";
  networking = {
    # Set hostname
    hostName = "JimNixServer";

    # Choose networking method
    dhcpcd.enable = true;
    wireless.enable = false;
    
    # Enable firewall passthrough
    firewall = {
      allowedTCPPorts = [ 
	# NFS
	2049

	# Nginx
        80 443

	# Minecraft
	25565 19132

	# Gitea
	2299

	# Coturn
	3478 5349
      ];
      allowedTCPPortRanges = [
        # Also Azuracast
	{ from = 8100; to = 8150; }
      ];
      allowedUDPPorts = [
	# Minecraft Voicechat and Bedrock
	25565 19132

	# Coturn again
	3478 5349
      ];
      allowedUDPPortRanges = [
        # Coturn
	{ from = 49000; to = 50000; }
      ];

      # Extra rules that cannot be done above
      extraCommands = 

      # SSH and game servers from my PC
      ''
        iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2211 -m comment --comment "SSH to PC" -j DNAT --to-destination ${pc}
        iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 27005,27015,7777,29000 -m comment --comment "Games" -j DNAT --to-destination ${pc}
      '' +

      # Sunshine ports for PC and VM
      ''
        iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 48010,47989,47984 -m comment --comment "PC Sunshine TCP" -j DNAT --to-destination ${pc}
        iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 47998,47999,48000 -m comment --comment "PC Sunshine UDP" -j DNAT --to-destination ${pc}

        iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 38010,37989,37984 -m comment --comment "VM Sunshine TCP" -j DNAT --to-destination ${vm}
        iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 37998,37999,38000 -m comment --comment "VM Sunshine UDP" -j DNAT --to-destination ${vm}
      '' +

      # Set an IP firewall for RTMP
      ''
	iptables -N RTMPCHAIN
        iptables -A INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN
	iptables -A RTMPCHAIN -s ${pc} -j ACCEPT
	iptables -A RTMPCHAIN -s 71.87.124.226 -j ACCEPT
	iptables -A RTMPCHAIN -s 24.66.98.13 -j ACCEPT
	iptables -A RTMPCHAIN -j DROP
      '' +

      # Finalize forwarding
      ''
        iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
      '';

      # Remove the chain and such
      extraStopCommands = ''
	iptables -D INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN
        iptables -F RTMPCHAIN
        iptables -X RTMPCHAIN
      '';

      # Disallow pinging this server
      allowPing = false;
    };
  };

  # Boot with compatibility for IP forwarding
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # Enable AppArmor
  security.apparmor.enable = true;

  # Enable all manner of services
  services = {
    # SSH
    openssh = {
      enable = true;
      settings = {
        LogLevel = "VERBOSE";
	PermitRootLogin = "no";
	PrintLastLog = "no";
	PasswordAuthentication = false;
      };
      ports = [ 2222 ];
    };

    # Login attempt lockout
    fail2ban = {
      enable = true;
      maxretry = 5;
      ignoreIP = [ "${pc}" "${server}" "${vm}" ];
    };

    # NFS server
    nfs.server = {
      enable = true;
      exports = ''
        /export/JimboNFS ${localspan}.0/24(rw,no_subtree_check)
      '';
    };

    # Nginx reverse proxy
    nginx = {
      enable = true;
      package = (pkgs.nginx.override {
	  modules = with pkgs.nginxModules; [ rtmp ];
      });
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      virtualHosts = {
	# Nextcloud Proxy
        "cloud.${jimdomain}" =  {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyWebsockets = true;
            extraConfig = "
	      location /.well-known/carddav {
                return 301 $scheme://$host/remote.php/dav;
              }
              
              location /.well-known/caldav {
                return 301 $scheme://$host/remote.php/dav;
              }
	    ";
          };
        };

	# Vaultwarden Proxy
        "warden.${jimdomain}" =  {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8222";
            proxyWebsockets = true;
          };
        };

	# Recipes Proxy
        "recipes.${jimdomain}" =  {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:5030";
            proxyWebsockets = true;
          };
        };

	# Bluemap Proxy
        "bluemap.${jimdomain}" =  {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:31010";
            proxyWebsockets = true;
          };
        };

	# Gitea Proxy
        "git.${jimdomain}" =  {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:3110";
            proxyWebsockets = true;
          };
        };

	# Matrix Proxy
        "matrix.${bloxeldomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/_matrix".proxyPass = "http://[::1]:8008";
          locations."/_synapse".proxyPass = "http://[::1]:8008";
        };

	# Element Proxy
	"chat.${bloxeldomain}" = {
          addSSL = true;
          enableACME = true;
          root = "${pkgs.element-web}";
        };

	# Coturn Proxy
        "turn.${bloxeldomain}" = {
          enableACME = true;
          forceSSL = true;
          listen = [
            { addr = "[::]";    port = 80;   ssl = false; }
            { addr = "0.0.0.0"; port = 80;   ssl = false; }
          ];
          locations."/".proxyPass = "http://[::1]:1380";
        };

	# Radio Proxy
        "wbxdradio.${bloxeldomain}" =  {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:255";
            proxyWebsockets = true;
          };
        };

	# Streaming proxy
        "live.${bloxeldomain}" =  {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8060";
            proxyWebsockets = true;
          };
        };

	# Mail certificate proxy
        "mx.${bloxeldomain}" =  {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:1390";
            proxyWebsockets = true;
          };
        };

	# Add SSL to Lemmy
        "lemmy.${bloxeldomain}" =  {
          enableACME = true;
          forceSSL = true;
        };

	# Staging Bloxel Proxy
	"staging.${bloxeldomain}" = {
          addSSL = true;
          enableACME = true;
          root = "/var/www/bloxelcomweb/landing-page/";
	  locations."/BloxelcomCable/hls" = {
	    extraConfig = ''
	      # Disable cache
	      add_header Last-Modified $date_gmt;
              add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
              if_modified_since off;
              expires off;
              etag off;

	      # Allow serving m3u8 files
              types {
                application/vnd.apple.mpegurl m3u8;
              }
	    '';
	  };
	  locations."/.well-known/matrix/client" = {
	    extraConfig = ''
	      default_type application/json;
	      add_header Access-Control-Allow-Origin *;
	      return 200 '{"m.server": "matrix.${bloxeldomain}:443"}';
	    '';
	  };
	  locations."/.well-known/matrix/server" = {
	    extraConfig = ''
	      default_type application/json;
	      return 200 '{"m.server": "matrix.${bloxeldomain}:443"}';
	    '';
	  };
        };
      };
      appendConfig = ''
        rtmp {
          server {
            listen 1935;
            chunk_size 4096;
            allow publish all;
            application stream {
              record off;
              live on;
	      deny play all;
              hls on;
              hls_path /var/www/bloxelcomweb/landing-page/bloxelcom-cable/hls;
	      hls_fragment_naming system;
	      hls_fragment 3;
              hls_playlist_length 40;
            }
          }
        }
      '';
    };

    # Nextcloud server
    nextcloud = {
      enable = true;
      package = pkgs.nextcloud29;
      hostName = "cloud.${jimdomain}";
      datadir = "/mnt/nextcloud";
      https = true;
      config = {
        adminuser = "jimbo";
        adminpassFile = "/mnt/nextcloud/password.txt";
      };
      settings = {
	trusted_proxies = [ "127.0.0.1" ];
	trusted_domains = [ "cloud.${jimdomain}" ];
        overwriteprotocol = "https";
      };
    };

    # Vaultwarden password manager
    vaultwarden = {
      enable = true;
      config = {
        DOMAIN = "https://warden.${jimdomain}";
        SIGNUPS_ALLOWED = false;
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8222;
        ROCKET_LOG = "critical";
      };
    };

    # Recipes
    tandoor-recipes = {
      enable = true;
      port = 5030;
    };

    # Gitea
    gitea = {
      enable = true;
      settings = {
        server = {
          DOMAIN = "git.${jimdomain}";
          ROOT_URL = "https://git.${jimdomain}:443";
          HTTP_PORT = 3110;
          SSH_PORT = 2299;
          START_SSH_SERVER = true;
        };
	service.DISABLE_REGISTRATION = true;
      };
    };

    # Owncast
    owncast = {
      enable = true;
      port = 8060;
      rtmp-port = 1945;
      listen = "0.0.0.0";
    };

    # Coturn for VC
    coturn = rec {
      enable = true;
      no-cli = true;
      no-tcp-relay = true;
      min-port = 49000;
      max-port = 50000;
      use-auth-secret = true;
      realm = "turn.${bloxeldomain}";
      static-auth-secret = "will be world readable for local users :(";
      cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
      pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    };

    # Synapse for Matrix clients
    matrix-synapse = with config.services.coturn; {
      enable = true;
      extraConfigFiles = [ "/etc/matrix-synapse/conf.d/email-conf.yaml" ];
      settings = {
        server_name = "${bloxeldomain}";
	public_baseurl = "https://matrix.${bloxeldomain}";
	suppress_key_server_warning = true;

	# Set the network config
	listeners = [{
	  # Client config
          port = 8008;
          bind_addresses = [ "::" "0.0.0.0" ];
	  resources = [ { compress = false;  names = [ "client" "federation" ]; } ];
          type = "http";
          tls = false;
          x_forwarded = true;
        }];

	# Set the type of database
	database.name = "sqlite3";

	# Allow account registration
	enable_registration = true;

	# General settings
	url_preview_enabled = true;
	max_upload_size = "50M";
	report_stats = false;

	# Turn settings
	turn_uris = [ "turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp" ];
        turn_shared_secret = static-auth-secret;
        turn_user_lifetime = "1h";

	# Ratelimiting
	burst_count = 15;
      };
    };

    # Mastodon
    mastodon = {
      enable = true;
      localDomain = "social.${bloxeldomain}";
      streamingProcesses = 4;
      configureNginx = true;
      smtp = {
	host = "mx.${bloxeldomain}";
	port = 587;
	authenticate = true;
	user = "noreply@${bloxeldomain}";
	passwordFile = "/var/lib/mastodon/secrets/smtp-password";
        fromAddress = "noreply@${bloxeldomain}";
	createLocally = false;
      };
    };

    # Try Lemmy
    lemmy = {
      enable = true;
      nginx.enable = true;
      database.createLocally = true;
      settings = {
        hostname = "lemmy.${bloxeldomain}";
        email = {
          smtp_server = "mx.${bloxeldomain}:587";
	  smtp_login = "noreply@${bloxeldomain}";
          smtp_from_address = "noreply@${bloxeldomain}";
	  tls_type = "starttls";
        };
      };
      smtpPasswordFile = "/var/lib/mastodon/secrets/smtp-password";
    };

    # Snowflake proxy for Tor
    snowflake-proxy.enable = true;

    # Fix a nonbuilding issue
    logrotate.checkConfig = false;

    # Try roundcube
    roundcube = {
     enable = true;
     hostName = "mail.${bloxeldomain}";
     extraConfig = ''
       $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
       $config['smtp_user'] = "%u";
       $config['smtp_pass'] = "%p";
     '';
    };
  };

  # Make Nginx not shit itself
  security.pam.services.nginx.setEnvironment = false;
  systemd.services.nginx.serviceConfig = {
    SupplementaryGroups = [ "shadow" ];
  };
  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/bloxelcomweb/landing-page/bloxelcom-cable/hls/" ];

  # Get certificates for Coturn
  security.acme = {
    acceptTerms = true;
    defaults.email = "jimjam4real@gmail.com";
    certs = {
      ${config.services.coturn.realm} = {
        group = "turnserver";
        postRun = "systemctl restart coturn.service";
      };
    };
  };

  # Configure the Element web server
  nixpkgs.config.element-web.conf = {
    default_server_config = {
      "m.homeserver" = {
        base_url = "https://matrix.${bloxeldomain}:443";
        server_name = "matrix.${bloxeldomain}";
      };
    };
    branding = {
      welcome_background_url = "https://staging.${bloxeldomain}/images/backgrounds/bloxelcom-sunset.jpg";
      auth_header_logo_url = "https://staging.${bloxeldomain}/images/logos/bloxelcom.png";
    };
    embedded_pages = {
      home_url = "https://www.${bloxeldomain}/";
    };
    disable_custom_urls = true;
    disable_guests = true;
    default_theme = "dark";
  };

  # Enable Docker
  virtualisation.docker = {
    enable = true;
    daemon.settings = {
      log-driver = "json-file";
    };
  };

  # Mail server
  mailserver = rec {
    enable = true;
    enableManageSieve = true;
    domains = [ "${bloxeldomain}" ];
    fqdn = "mx.${bloxeldomain}";
    certificateScheme = "acme-nginx";

    # A list of accounts. 
    # Generate passwords with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
    loginAccounts = {
      "noreply@${bloxeldomain}" = {
        hashedPasswordFile = "${pkgs.writeText "noreply" "$2b$05$7VibcFKXy5Ff9sUMh3KWBeSXkInXNeaADa71Md/swt5RCk5s7UnM2"}";
	sendOnly = true;
      };
      "jimbo@${bloxeldomain}" = {
        hashedPasswordFile = "${pkgs.writeText "jimbo" "$2b$05$Chm7AjSicifTVpUWjOx1q.9YGaokIjxijAfqKTmI6o3OR2QU0B4U."}";
        aliases = [ "canada@${bloxeldomain}" "contact@${bloxeldomain}" ];
      };
      "lunamoonlight@${bloxeldomain}" = {
        hashedPasswordFile = "${pkgs.writeText "luna" "$2a$12$ytZ1k4S.XvQAvzc3pHNDV.m7A/bo8PKznA2qH27g5QHMYDloFHdnK"}";
        aliases = [ "us@${bloxeldomain}" "contact@${bloxeldomain}" ];
      };
      "freecorn1854@${bloxeldomain}" = {
        hashedPasswordFile = "${pkgs.writeText "freecorn1854" "$2b$05$7EF0TV39XzTYPIdWOoMnlegX8qLkcHxUytkvAt5sRDQE1oquAFTqm"}";
        aliases = [ "canada@${bloxeldomain}" "contact@${bloxeldomain}" ];
      };
    };
  };

  # Determine the release version and allow auto-upgrades
  system.stateVersion = "23.11";
  system.autoUpgrade.enable = false;
}