diff --git a/Server/configuration.nix b/Server/configuration.nix index 3c029a1..f203fdf 100644 --- a/Server/configuration.nix +++ b/Server/configuration.nix @@ -5,14 +5,15 @@ let "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz"; # Define domains and ips - jimdomain = ''jimbosfiles.com''; - bloxeldomain = ''bloxelcom.net''; + jimDomain = ''jimbosfiles.com''; + bloxelDomain = ''bloxelcom.net''; # IPs - localspan = ''192.168.2''; - pc = ''${localspan}.10''; - server = ''${localspan}.11''; - vm = ''${localspan}.70''; + netInt = ''eno1''; + localSpan = ''192.168.2''; + pcIP = ''${localSpan}.10''; + serverIP = ''${localSpan}.11''; + vmIP = ''${localSpan}.70''; # Secrets and passwords secrets = import ./secrets.nix; @@ -43,7 +44,6 @@ in # Choose Grub as the bootloader boot = { - kernelPackages = pkgs.linuxPackages_xanmod; loader.systemd-boot = { enable = true; netbootxyz.enable = true; 
@@ -108,75 +108,63 @@ in # Define timezone and networking settings time.timeZone = "America/New_York"; networking = { - # Set hostname hostName = "JimNixServer"; # Choose networking method dhcpcd.enable = true; wireless.enable = false; - # Enable nftables over iptables - nftables.enable = true; - # Configure firewall firewall = { - # Allow different ports allowedTCPPorts = [ - # NFS - 2049 - - # Nginx - 80 443 - - # Minecraft - 25565 19132 - - # Pufferpanel SFTP - 5657 - - # Gitea SSH - 2299 - - # Coturn - 3478 5349 + 80 443 # Nginx + 25565 19132 5657 # Minecraft & Pufferpanel SFTP + 2299 # Gitea SSH + 3478 5349 # Coturn ]; allowedTCPPortRanges = [ - # Also Azuracast - { from = 8100; to = 8150; } + { from = 8100; to = 8150; } # Azuracast ]; allowedUDPPorts = [ - # Minecraft Voicechat and Bedrock - 25565 19132 - - # Coturn again - 3478 5349 + 25565 19132 # Minecraft Voicechat and Bedrock + 3478 5349 # Coturn UDP ]; allowedUDPPortRanges = [ - # Coturn - { from = 49000; to = 50000; } + { from = 49000; to = 50000; } # Coturn range ]; - # Forward rules for nftables - extraForwardRules = '' - # Allow forwarding of basic ports from PC - ip saddr ${pc} tcp dport 2211 accept comment "SSH from PC" - ip saddr ${pc} udp dport { 27005, 27015, 7777, 29000 } accept comment "Games from PC" - - # Allow forwarding of Sunshine traffic - ip saddr ${pc} tcp dport { 48010, 47989, 47984 } accept comment "Sunshine TCP from PC" - ip saddr ${pc} udp dport { 47998, 47999, 48000 } accept comment "Sunshine UDP from PC" - ''; - - # Completely change to nftables + # Add extra input rules using nftables extraInputRules = '' - # Set an IP firewall for RTMP - ip saddr { ${pc}, ${secrets.lunaIP}, ${secrets.freecornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP" - ip saddr { 0.0.0.0/0 } tcp dport { 1935, 1945 } drop + ip saddr ${localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS" + ip saddr { ${pcIP}, ${secrets.lunaIP}, ${secrets.freecornIP} } tcp dport { 1935, 1945 } accept 
comment "Accept RTMP" ''; # Disallow pinging this server allowPing = false; }; + + # Enable nftables and forwarding + nftables = { + enable = true; + tables.forwarding = { + family = "ip"; + content = '' + chain PREROUTING { + type nat hook prerouting priority dstnat; policy accept; + tcp dport 2211 dnat to ${pcIP} comment "SSH from PC" + udp dport { 27005, 27015, 7777 } dnat to ${pcIP} comment "Games from PC" + tcp dport { 58010, 57989, 57984 } dnat to ${pcIP} comment "Sunshine TCP from PC" + udp dport { 57998, 57999, 58000 } dnat to ${pcIP} comment "Sunshine UDP from PC" + tcp dport { 38010, 37989, 37984 } dnat to ${vmIP} comment "Sunshine TCP from VM" + udp dport { 37998, 37999, 38000 } dnat to ${vmIP} comment "Sunshine UDP from VM" + } + chain POSTROUTING { + type nat hook postrouting priority 100; policy accept; + oifname "${netInt}" masquerade + } + ''; + }; + }; }; # Boot with compatibility for IP forwarding @@ -203,14 +191,15 @@ in fail2ban = { enable = true; maxretry = 5; - ignoreIP = [ "${pc}" "${server}" "${vm}" ]; + bantime = "5m"; + ignoreIP = [ "${pcIP}" "${vmIP}" ]; }; # NFS server nfs.server = { enable = true; exports = '' - /export/JimboNFS ${localspan}.0/24(rw,no_subtree_check) + /export/JimboNFS ${localSpan}.0/24(rw,no_subtree_check) ''; }; @@ -226,18 +215,18 @@ in recommendedProxySettings = true; virtualHosts = { # Homepage redirect - "${jimdomain}" = { + "${jimDomain}" = { enableACME = true; addSSL = true; locations."/" = { extraConfig = " - return 301 https://social.${bloxeldomain}/@jimbo; + return 301 https://social.${bloxelDomain}/@jimbo; "; }; }; # Nextcloud Proxy - "cloud.${jimdomain}" = { + "cloud.${jimDomain}" = { enableACME = true; addSSL = true; locations."/" = { @@ -255,7 +244,7 @@ in }; # Vaultwarden Proxy - "warden.${jimdomain}" = { + "warden.${jimDomain}" = { enableACME = true; forceSSL = true; locations."/" = { 
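Review bot: The new PREROUTING rules in `tables.forwarding` match on destination port alone, so any packet that reaches the server on 2211, the game ports or the two Sunshine ranges — whether it arrives on the uplink or from the LAN — is rewritten to `${pcIP}`/`${vmIP}`, and because DNAT runs before the input hook none of these ports are governed by `allowedTCPPorts` at all. The same hunk deletes `extraForwardRules`, which was the only forward-path filter, and nothing here sets `networking.firewall.filterForward`; if that option is left at its default, as far as this diff shows the forwarded traffic is unfiltered and the PC's exposure on 2211 is decided solely by what listens there. Scope the rewrite to the uplink, e.g. `iifname "${netInt}" tcp dport 2211 dnat to ${pcIP} comment "SSH to PC"` for each rule, and either enable `filterForward` with matching `extraForwardRules` or add a comment stating that open forwarding is intentional. The comments still say "from PC"/"from VM" although the rules now send traffic *to* those hosts; renaming them avoids a later reader assuming a source restriction that is not there. Note too that `dnat to ${pcIP}` keeps the original destination port, so the 57xxx/58xxx and 37xxx/38xxx numbers only work if Sunshine on each target was moved to that base port — presumably it was, but a comment saying so would help.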
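Review bot: `bantime = "5m"` in the fail2ban block is shorter than fail2ban's stock 10 minutes, and with `maxretry = 5` it lets a single source keep retrying indefinitely at roughly sixty guesses per hour against whichever jails are enabled on this host. If the shorter ban is meant to limit self-lockouts now that `serverIP` has been dropped from `ignoreIP`, keep it but make repeat offenders escalate with `bantime-increment.enable = true;`, which NixOS exposes under `services.fail2ban`. A one-line comment explaining why five minutes was chosen would also help, since the removed configuration simply used the module default.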
@@ -265,7 +254,7 @@ in }; # Recipes Proxy - "recipes.${jimdomain}" = { + "recipes.${jimDomain}" = { enableACME = true; forceSSL = true; locations."/" = { @@ -275,7 +264,7 @@ in }; # Bluemap Proxy - "bluemap.${jimdomain}" = { + "bluemap.${jimDomain}" = { enableACME = true; forceSSL = true; locations."/" = { @@ -285,7 +274,7 @@ in }; # Gitea Proxy - "git.${jimdomain}" = { + "git.${jimDomain}" = { enableACME = true; forceSSL = true; locations."/" = { @@ -295,7 +284,7 @@ in }; # Gitea Proxy - "mc.${jimdomain}" = { + "mc.${jimDomain}" = { enableACME = true; forceSSL = true; locations."/" = { 
@@ -305,51 +294,37 @@ in }; # Matrix Proxy - "matrix.${bloxeldomain}" = { + "matrix.${bloxelDomain}" = { enableACME = true; forceSSL = true; locations = { "/".extraConfig = ''return 403;''; - "/_matrix".proxyPass = "http://[::1]:8008"; - "/_synapse".proxyPass = "http://[::1]:8008"; - "/client".proxyPass = "http://[::1]:8008"; - }; - }; - - # Matrix Sliding Sync Proxy - "syncv3.${bloxeldomain}" = { - enableACME = true; - forceSSL = true; - locations = { - "/".extraConfig = ''return 403;''; - "/_matrix".proxyPass = "http://[::1]:8009"; - "/client".proxyPass = "http://[::1]:8009"; - "/sync".proxyPass = "http://[::1]:8009"; - "/unstable".proxyPass = "http://[::1]:8009"; - "/org.matrix.msc3575".proxyPass = "http://[::1]:8009"; + "/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009"; + "/client".proxyPass = "http://127.0.0.1:8009"; + "/_matrix".proxyPass = "http://127.0.0.1:8008"; + "/_synapse/client".proxyPass = "http://127.0.0.1:8008"; }; }; # Element Proxy - "chat.${bloxeldomain}" = { + "chat.${bloxelDomain}" = { enableACME = true; addSSL = true; root = "${pkgs.element-web}"; }; # Coturn Proxy - "turn.${bloxeldomain}" = { + "turn.${bloxelDomain}" = { enableACME = true; forceSSL = true; listen = [ - { addr = "[::]"; port = 80; ssl = false; } { addr = "0.0.0.0"; port = 80; ssl = false; } ]; - locations."/".proxyPass = "http://[::1]:1380"; + locations."/".proxyPass = "http://127.0.0.1:1380"; }; # Radio Proxy - "wbxdradio.${bloxeldomain}" = { + "wbxdradio.${bloxelDomain}" = { enableACME = true; forceSSL = true; locations."/" = { @@ -359,7 +334,7 @@ in }; # Streaming proxy - "live.${bloxeldomain}" = { + "live.${bloxelDomain}" = { enableACME = true; forceSSL = true; locations."/" = { @@ -369,7 +344,7 @@ in }; # Mail certificate proxy - "mx.${bloxeldomain}" = { + "mx.${bloxelDomain}" = { enableACME = true; forceSSL = true; locations."/" = { 
@@ -379,26 +354,19 @@ in }; # Add SSL to Lemmy - "lemmy.${bloxeldomain}" = { + "lemmy.${bloxelDomain}" = { enableACME = true; forceSSL = true; }; # Staging Bloxel Proxy - "staging.${bloxeldomain}" = { + "staging.${bloxelDomain}" = { enableACME = true; addSSL = true; root = "/var/www/bloxelcomweb/landing-page/"; locations = { "/BloxelcomCable/hls" = { extraConfig = '' - # Disable cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; - # Allow serving m3u8 files types { application/vnd.apple.mpegurl m3u8; @@ -412,10 +380,13 @@ in return 200 ' { "m.homeserver": { - "base_url": "https://${bloxeldomain}" + "base_url": "https://matrix.${bloxelDomain}" + }, + "m.identity_server": { + "base_url": "https://matrix.${bloxelDomain}" }, "org.matrix.msc3575.proxy": { - "url": "https://syncv3.${bloxeldomain}" + "url": "https://matrix.${bloxelDomain}" } }'; ''; @@ -423,7 +394,7 @@ in "/.well-known/matrix/server" = { extraConfig = '' default_type application/json; - return 200 '{"m.server": "matrix.${bloxeldomain}:443"}'; + return 200 '{"m.server": "https://matrix.${bloxelDomain}"}'; ''; }; }; @@ -459,7 +430,7 @@ in nextcloud = { enable = true; package = pkgs.nextcloud29; - hostName = "cloud.${jimdomain}"; + hostName = "cloud.${jimDomain}"; datadir = "/mnt/nextcloud"; https = true; config = { 
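Review bot: The new `m.identity_server` entry in `/.well-known/matrix/client` points at `https://matrix.${bloxelDomain}`, which is the Synapse homeserver; Synapse does not implement the identity-service API, so clients honouring this entry will send 3PID lookups and invite-by-email to a host that answers 404 under `/_matrix/identity/*`, and Element is likely to surface that as an identity-server error. If no identity server is run, drop the key rather than point it at the homeserver. Separately, the `Cache-Control: no-store` and related headers were removed from the `/BloxelcomCable/hls` location with no replacement, so live `.m3u8` playlists can now be cached by browsers and intermediaries; if that was deliberate, a comment saying why would save the next reader from re-adding them.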
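Review bot: `{"m.server": "https://matrix.${bloxelDomain}"}` is not a valid delegation response: the Matrix server-server spec defines `m.server` as a server name (`hostname[:port]`), not a URL, so remote homeservers will reject this `.well-known` and fall back to SRV lookup or port 8448 on `${bloxelDomain}`, which nothing in this diff appears to serve — federation with `${bloxelDomain}` would silently break. The removed line had it right; restore `return 200 '{"m.server": "matrix.${bloxelDomain}:443"}';`. This hunk is the only change to that location, so the fix is a one-line revert.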
@@ -468,15 +439,15 @@ in }; settings = { trusted_proxies = [ "127.0.0.1" ]; - trusted_domains = [ "cloud.${jimdomain}" ]; + trusted_domains = [ "cloud.${jimDomain}" ]; overwriteprotocol = "https"; # Mailserver settings - mail_smtphost = "mx.${bloxeldomain}"; - mail_domain = "${bloxeldomain}"; + mail_smtphost = "mx.${bloxelDomain}"; + mail_domain = "${bloxelDomain}"; mail_from_address = "noreply"; mail_smtpauth = "true"; - mail_smtpname = "noreply@${bloxeldomain}"; + mail_smtpname = "noreply@${bloxelDomain}"; mail_smtppassword = secrets.noreplyPassword; mail_smtpmode = "smtp"; mail_smtpport = 587; @@ -487,17 +458,17 @@ in vaultwarden = { enable = true; config = { - DOMAIN = "https://warden.${jimdomain}"; + DOMAIN = "https://warden.${jimDomain}"; SIGNUPS_ALLOWED = false; ROCKET_ADDRESS = "127.0.0.1"; ROCKET_PORT = 8222; ROCKET_LOG = "critical"; # Smtp email - SMTP_HOST = "mx.${bloxeldomain}"; - SMTP_FROM = "noreply@${bloxeldomain}"; + SMTP_HOST = "mx.${bloxelDomain}"; + SMTP_FROM = "noreply@${bloxelDomain}"; SMTP_FROM_NAME = "Vaultwarden"; - SMTP_USERNAME = "noreply@${bloxeldomain}"; + SMTP_USERNAME = "noreply@${bloxelDomain}"; SMTP_PASSWORD = secrets.noreplyPassword; SMTP_SECURITY = "starttls"; SMTP_PORT = 587; @@ -516,16 +487,16 @@ in enable = true; settings = { server = { - DOMAIN = "git.${jimdomain}"; - ROOT_URL = "https://git.${jimdomain}:443"; + DOMAIN = "git.${jimDomain}"; + ROOT_URL = "https://git.${jimDomain}:443"; HTTP_PORT = 3110; SSH_PORT = 2299; START_SSH_SERVER = true; }; mailer = { ENABLED = true; - SMTP_ADDR = "mx.${bloxeldomain}"; - FROM = "noreply@${bloxeldomain}"; + SMTP_ADDR = "mx.${bloxelDomain}"; + FROM = "noreply@${bloxelDomain}"; PASSWD = secrets.noreplyPassword; PROTOCOL = "smtp+starttls"; SMTP_PORT = 587; 
@@ -539,12 +510,11 @@ in enable = true; environment = { PUFFER_WEB_HOST = ":5010"; - PUFFER_PANEL_SETTINGS_MASTERURL = "https://mc.${jimdomain}"; - PUFFER_PANEL_REGISTRATIONENABLED = "false"; + PUFFER_PANEL_SETTINGS_MASTERURL = "https://mc.${jimDomain}"; PUFFER_PANEL_EMAIL_PROVIDER = "smtp"; - PUFFER_PANEL_EMAIL_HOST = "mx.${bloxeldomain}:587"; - PUFFER_PANEL_EMAIL_FROM = "noreply@${bloxeldomain}"; - PUFFER_PANEL_EMAIL_USERNAME = "noreply@${bloxeldomain}"; + PUFFER_PANEL_EMAIL_HOST = "mx.${bloxelDomain}:587"; + PUFFER_PANEL_EMAIL_FROM = "noreply@${bloxelDomain}"; + PUFFER_PANEL_EMAIL_USERNAME = "noreply@${bloxelDomain}"; PUFFER_PANEL_EMAIL_PASSWORD = secrets.noreplyPassword; }; extraPackages = with pkgs; [ bash curl gawk gnutar gzip ]; @@ -590,7 +560,7 @@ in min-port = 49000; max-port = 50000; use-auth-secret = true; - realm = "turn.${bloxeldomain}"; + realm = "turn.${bloxelDomain}"; static-auth-secret = "will be world readable for local users :("; cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; @@ -600,8 +570,8 @@ in matrix-synapse = with config.services.coturn; { enable = true; settings = { - server_name = "${bloxeldomain}"; - public_baseurl = "https://matrix.${bloxeldomain}"; + server_name = "${bloxelDomain}"; + public_baseurl = "https://matrix.${bloxelDomain}"; suppress_key_server_warning = true; # Set the network config @@ -618,8 +588,8 @@ in # Enable smtp for password resets email = { notif_from = "Bloxelcom's Matrix Homeserver "; - smtp_host = "mx.${bloxeldomain}"; - smtp_user = "noreply@${bloxeldomain}"; + smtp_host = "mx.${bloxelDomain}"; + smtp_user = "noreply@${bloxelDomain}"; smtp_pass = secrets.noreplyPassword; enable_tls = true; smtp_port = 587; 
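Review bot: Dropping `PUFFER_PANEL_REGISTRATIONENABLED = "false"` from the PufferPanel environment re-enables self-registration unless the panel's default has been changed elsewhere, and PufferPanel's documented default is to allow registration; this panel is proxied publicly at `mc.${jimDomain}` and starts and manages server processes, so open sign-up is an account-creation path for anyone on the internet. If the variable was removed because the panel no longer reads it, confirm the equivalent setting in the panel's own configuration before deploying; otherwise restore `PUFFER_PANEL_REGISTRATIONENABLED = "false";` and add a comment that sign-up is intentionally closed.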
@@ -657,29 +627,32 @@ in }; # Sliding sync proxy for Matrix - matrix-sliding-sync = { + matrix-sliding-sync = let + matrixSecretFile = pkgs.writeText "matrixsecret" '' + SYNCV3_SECRET=${secrets.matrixSecret} + ''; + in { enable = true; settings = { - SYNCV3_SERVER = "${bloxeldomain}"; + SYNCV3_SERVER = "https://matrix.${bloxelDomain}"; SYNCV3_BINDADDR = "0.0.0.0:8009"; - SYNCV3_SECRET = secrets.matrixSecret; }; - environmentFile = "${pkgs.writeText "matrixsecret" secrets.matrixSecret}"; + environmentFile = "${matrixSecretFile}"; }; # Mastodon mastodon = { enable = true; - localDomain = "social.${bloxeldomain}"; + localDomain = "social.${bloxelDomain}"; streamingProcesses = 4; configureNginx = true; smtp = { createLocally = false; - host = "mx.${bloxeldomain}"; + host = "mx.${bloxelDomain}"; port = 587; authenticate = true; - fromAddress = "noreply@${bloxeldomain}"; - user = "noreply@${bloxeldomain}"; + fromAddress = "noreply@${bloxelDomain}"; + user = "noreply@${bloxelDomain}"; passwordFile = pkgs.writeText "smtp_pass.txt" secrets.noreplyPassword; }; }; @@ -690,11 +663,11 @@ in nginx.enable = true; database.createLocally = true; settings = { - hostname = "lemmy.${bloxeldomain}"; + hostname = "lemmy.${bloxelDomain}"; email = { - smtp_server = "mx.${bloxeldomain}:587"; - smtp_login = "noreply@${bloxeldomain}"; - smtp_from_address = "noreply@${bloxeldomain}"; + smtp_server = "mx.${bloxelDomain}:587"; + smtp_login = "noreply@${bloxelDomain}"; + smtp_from_address = "noreply@${bloxelDomain}"; smtp_password = secrets.noreplyPassword; tls_type = "starttls"; }; @@ -704,7 +677,7 @@ in # Roundcube mail server roundcube = { enable = true; - hostName = "mail.${bloxeldomain}"; + hostName = "mail.${bloxelDomain}"; extraConfig = '' $config['smtp_server'] = "tls://${config.mailserver.fqdn}"; $config['smtp_user'] = "%u"; 
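Review bot: `matrixSecretFile` is built with `pkgs.writeText`, so `SYNCV3_SECRET=…` lands in `/nix/store`, which is world-readable to every local user — the move from `settings.SYNCV3_SECRET` to `environmentFile` fixes the file format (the old file held the bare secret, which a systemd `EnvironmentFile` would presumably not have parsed as an assignment) but not the exposure. `environmentFile` exists precisely so the secret can live outside the store; point it at a root-owned, mode 0600 file provisioned out of band or by a secrets manager, and note that the neighbouring `passwordFile = pkgs.writeText "smtp_pass.txt" secrets.noreplyPassword` in the Mastodon block has the same problem. Separately, the unchanged `SYNCV3_BINDADDR = "0.0.0.0:8009"` listens on every interface while nginx proxies to it from loopback; `127.0.0.1:8009` would close that off without relying on the firewall.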
@@ -742,16 +715,16 @@ in nixpkgs.config.element-web.conf = { default_server_config = { "m.homeserver" = { - base_url = "https://matrix.${bloxeldomain}:443"; - server_name = "matrix.${bloxeldomain}"; + base_url = "https://matrix.${bloxelDomain}:443"; + server_name = "matrix.${bloxelDomain}"; }; }; branding = { - welcome_background_url = "https://staging.${bloxeldomain}/images/backgrounds/bloxelcom-sunset.jpg"; - auth_header_logo_url = "https://staging.${bloxeldomain}/images/logos/bloxelcom.png"; + welcome_background_url = "https://staging.${bloxelDomain}/images/backgrounds/bloxelcom-sunset.jpg"; + auth_header_logo_url = "https://staging.${bloxelDomain}/images/logos/bloxelcom.png"; }; embedded_pages = { - home_url = "https://www.${bloxeldomain}/"; + home_url = "https://www.${bloxelDomain}/"; }; disable_custom_urls = true; disable_guests = true; 
@@ -770,32 +743,32 @@ in mailserver = rec { enable = true; enableManageSieve = true; - domains = [ "${bloxeldomain}" ]; - fqdn = "mx.${bloxeldomain}"; + domains = [ "${bloxelDomain}" ]; + fqdn = "mx.${bloxelDomain}"; certificateScheme = "acme-nginx"; # A list of accounts. # Generate passwords with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' loginAccounts = { - "noreply@${bloxeldomain}" = { + "noreply@${bloxelDomain}" = { hashedPasswordFile = pkgs.writeText "noreply" secrets.noreplySmtpHash; sendOnly = true; }; - "jimbo@${bloxeldomain}" = { + "jimbo@${bloxelDomain}" = { hashedPasswordFile = pkgs.writeText "jimbo" secrets.jimboSmtpHash; - aliases = [ "canada@${bloxeldomain}" "contact@${bloxeldomain}" ]; + aliases = [ "canada@${bloxelDomain}" "contact@${bloxelDomain}" ]; }; - "lunamoonlight@${bloxeldomain}" = { + "lunamoonlight@${bloxelDomain}" = { hashedPasswordFile = pkgs.writeText "luna" secrets.lunaSmtpHash; - aliases = [ "us@${bloxeldomain}" "contact@${bloxeldomain}" ]; + aliases = [ "us@${bloxelDomain}" "contact@${bloxelDomain}" ]; }; - "freecorn1854@${bloxeldomain}" = { + "freecorn1854@${bloxelDomain}" = { hashedPasswordFile = pkgs.writeText "freecorn" secrets.freecornSmtpHash; - aliases = [ "canada@${bloxeldomain}" "contact@${bloxeldomain}" ]; + aliases = [ "canada@${bloxelDomain}" "contact@${bloxelDomain}" ]; }; - "tinyattack09@${bloxeldomain}" = { + "tinyattack09@${bloxelDomain}" = { hashedPasswordFile = pkgs.writeText "tiny" secrets.tinySmtpHash; - aliases = [ "smallthing@${bloxeldomain}" ]; + aliases = [ "smallthing@${bloxelDomain}" ]; }; }; };