diff --git a/Server/configuration.nix b/Server/configuration.nix
index 231bc67..1f3fff2 100644
--- a/Server/configuration.nix
+++ b/Server/configuration.nix
@@ -21,6 +21,12 @@ in
 ./hardware-configuration.nix
 ./jimbo.nix
 "${homeManager}/nixos"
+
+ # Mail server import
+ (builtins.fetchTarball {
+ url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-24.05/nixos-mailserver-nixos-24.05.tar.gz";
+ sha256 = "0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
+ })
 ];
 # Allow unfree packages
@@ -68,14 +74,15 @@ in
 "$6$gYpE.pG/zPXgin06$2kydjDfd0K62Dhf9P0PFvJhRNz6xIC/bHYaf/XYqyKcLyZNzPQpy8uy9tCRcSYlj1wwBhzVtTRyItwajOHCEj0";
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuCYrIZlD6LNpFh3XTYbXaPQWYysr1oZAX4DL3gF28l jimbo@DV-JHAMPTON"
 ];
 extraGroups = [ "wheel" "docker" ];
 uid = 1000;
 shell = pkgs.zsh;
 };
- # Add Nginx to the Turnserver group
- users.users.nginx.extraGroups = [ "turnserver" ];
+ # Add Nginx to extra groups
+ users.users.nginx.extraGroups = [ "turnserver" "virtualMail" ];
 # Installed programs to the system profile.
 environment.systemPackages = with pkgs; [
@@ -100,7 +107,7 @@ in
 2049
 # Nginx
- 80 443 8448
+ 80 443
 # Minecraft
 25565 19132
@@ -151,6 +158,7 @@ in
 iptables -A INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN
 iptables -A RTMPCHAIN -s ${pc} -j ACCEPT
 iptables -A RTMPCHAIN -s 71.87.124.226 -j ACCEPT
+ iptables -A RTMPCHAIN -s 24.66.98.13 -j ACCEPT
 iptables -A RTMPCHAIN -j DROP '' +
@@ -169,10 +177,6 @@ in
 # Disallow pinging this server
 allowPing = false;
 };
- nameservers = [
- "1.1.1.1"
- "9.9.9.9"
- ];
 };
 # Boot with compatibility for IP forwarding
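Review bot: The new `users.users.nginx.extraGroups = [ "turnserver" "virtualMail" ];` puts the internet-facing web server into what is presumably the mail store's group, so a compromised nginx worker would reach every mailbox; the same widening continues at hunk @@ -487, where nginx also gets `SupplementaryGroups = [ "shadow" ]` and `security.pam.services.nginx.setEnvironment = false`, i.e. read access to the system password hashes. Neither comment says which vhost or module needs these groups, and nothing elsewhere in the diff references PAM or the mail directories. If the intent is PAM-backed HTTP auth or Roundcube, a comment such as `# nginx needs shadow/virtualMail for <consumer>` should name the consumer, and a dedicated credential store for that consumer would avoid handing the web server the whole system's hashes. The user block that opens this hunk starts above the hunk.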
@@ -206,14 +210,16 @@ in
 nfs.server = {
 enable = true;
 exports = ''
- /export/JimboNFS ${localspan}.0/24(rw,nohide,insecure,no_subtree_check)
+ /export/JimboNFS ${localspan}.0/24(rw,no_subtree_check)
 '';
 };
 # Nginx reverse proxy
 nginx = {
 enable = true;
- package = (pkgs.nginxMainline.override { modules = [ pkgs.nginxModules.rtmp ]; });
+ package = (pkgs.nginx.override {
+ modules = with pkgs.nginxModules; [ rtmp ];
+ });
 recommendedTlsSettings = true;
 recommendedOptimisation = true;
 recommendedGzipSettings = true;
@@ -224,7 +230,6 @@ in
 enableACME = true;
 forceSSL = true;
 locations."/" = {
- proxyPass = "http://127.0.0.1:8080";
 proxyWebsockets = true;
 extraConfig = "
 location /.well-known/carddav {
@@ -248,7 +253,6 @@ in
 };
 };
- # Recipes Proxy
 "recipes.${jimdomain}" = {
 enableACME = true;
 forceSSL = true;
@@ -283,17 +287,8 @@ in
 "matrix.${bloxeldomain}" = {
 enableACME = true;
 forceSSL = true;
- listen = [
- { addr = "[::]"; port = 80; ssl = false; }
- { addr = "0.0.0.0"; port = 80; ssl = false; }
- { addr = "[::]"; port = 443; ssl = true; }
- { addr = "0.0.0.0"; port = 443; ssl = true; }
- { addr = "[::]"; port = 8448; ssl = true; }
- { addr = "0.0.0.0"; port = 8448; ssl = true; }
- ];
 locations."/_matrix".proxyPass = "http://[::1]:8008";
 locations."/_synapse".proxyPass = "http://[::1]:8008";
- locations."/.well-known".proxyPass = "http://[::1]:8008";
 };
 # Element Proxy
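Review bot: Removing `proxyPass` at hunk @@ -224 leaves `locations."/"` with `proxyWebsockets = true;` but no upstream, so the Upgrade/Connection headers are emitted into a location that now serves files from the vhost root. The vhost's name is above the hunk, so I cannot tell whether this is the Nextcloud host that hunk @@ -373 now lets the nextcloud module configure itself under `cloud.${jimdomain}`; if it is, the module's own `locations."/"` and its carddav/caldav redirects merge with this block and the hand-written `location /.well-known/carddav` inside `extraConfig` likely duplicates them. Either drop the whole `locations."/"` block here or keep a comment like `# Nextcloud module owns "/" on this host; only websocket headers added here` so the overlap is clearly deliberate.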
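Review bot: Dropping the 8448 listeners and `locations."/.well-known".proxyPass` at hunk @@ -283 moves federation discovery entirely to the `/.well-known/matrix/server` file added at hunk @@ -334, which is served by the `staging.${bloxeldomain}` vhost; other homeservers look that file up on the apex `${bloxeldomain}` (the new `server_name` at hunk @@ -449), so unless the staging host also answers for the apex — not visible in this diff — they fall back to port 8448, which hunk @@ -100 now closes in the firewall. A comment on this vhost naming where delegation is served, e.g. `# 8448 closed: federation delegated via https://${bloxeldomain}/.well-known/matrix/server`, would make the dependency explicit.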
@@ -334,32 +329,69 @@ in
 };
 };
+ # Mail certificate proxy
+ "mx.${bloxeldomain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:1390";
+ proxyWebsockets = true;
+ };
+ };
+
+ # Add SSL to Lemmy
+ "lemmy.${bloxeldomain}" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+
 # Staging Bloxel Proxy
 "staging.${bloxeldomain}" = {
 addSSL = true;
 enableACME = true;
- root = "/var/www/bloxel-landing-page";
- locations."/bloxcable/hls" = {
+ root = "/var/www/bloxelcomweb/landing-page/";
+ locations."/BloxelcomCable/hls" = {
 extraConfig = ''
+ # Disable cache
+ add_header Last-Modified $date_gmt;
+ add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+ if_modified_since off;
+ expires off;
+ etag off;
+
+ # Allow serving m3u8 files
 types { application/vnd.apple.mpegurl m3u8; }
 '';
 };
+ locations."/.well-known/matrix/client" = {
+ extraConfig = ''
+ default_type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '{"m.server": "matrix.${bloxeldomain}:443"}';
+ '';
+ };
+ locations."/.well-known/matrix/server" = {
+ extraConfig = ''
+ default_type application/json;
+ return 200 '{"m.server": "matrix.${bloxeldomain}:443"}';
+ '';
+ };
 };
 };
 appendConfig = ''
 rtmp {
 server {
- listen 1945;
+ listen 1935;
 chunk_size 4096;
 allow publish all;
- application BloxelesteCA {
+ application stream {
 record off;
 live on;
 deny play all;
 hls on;
- hls_path /var/www/bloxel-landing-page/bloxcable/hls;
+ hls_path /var/www/bloxelcomweb/landing-page/bloxelcom-cable/hls;
 hls_fragment_naming system;
 hls_fragment 3;
 hls_playlist_length 40;
@@ -373,7 +405,7 @@ in
 nextcloud = {
 enable = true;
 package = pkgs.nextcloud29;
- hostName = "localhost";
+ hostName = "cloud.${jimdomain}";
 datadir = "/mnt/nextcloud";
 https = true;
 config = {
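Review bot: The new `/.well-known/matrix/client` location returns `{"m.server": ...}`, which is the server-delegation document; clients expect `{"m.homeserver": {"base_url": ...}}` and will fail homeserver discovery with this body. Change the return line to `return 200 '{"m.homeserver": {"base_url": "https://matrix.${bloxeldomain}"}}';` and keep the `m.server` form only in the `/server` location. Separately, the `mx.${bloxeldomain}` vhost proxies `/` to `127.0.0.1:1390` with `proxyWebsockets = true;` although nothing in the diff listens on that port; if the host exists only so `certificateScheme = "acme-nginx"` at hunk @@ -537 can obtain a certificate, a comment saying so plus a plain `return 404` would be safer than forwarding to whatever later binds that port.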
@@ -387,11 +419,6 @@ in
 };
 };
- # Force Nextcloud to use a different port
- nginx.virtualHosts."localhost" = {
- listen = [ { addr = "127.0.0.1"; port = 8080; } ];
- };
-
 # Vaultwarden password manager
 vaultwarden = {
 enable = true;
@@ -429,6 +456,7 @@ in
 owncast = {
 enable = true;
 port = 8060;
+ rtmp-port = 1945;
 listen = "0.0.0.0";
 };
@@ -449,10 +477,11 @@ in
 # Synapse for Matrix clients
 matrix-synapse = with config.services.coturn; {
 enable = true;
+ extraConfigFiles = [ "/etc/matrix-synapse/conf.d/email-conf.yaml" ];
 settings = {
- server_name = "matrix.${bloxeldomain}";
+ server_name = "${bloxeldomain}";
 public_baseurl = "https://matrix.${bloxeldomain}";
- serve_server_wellknown = true;
+ suppress_key_server_warning = true;
 # Set the network config
 listeners = [{
@@ -470,7 +499,6 @@ in
 # Allow account registration
 enable_registration = true;
- registration_requires_token = true;
 # General settings
 url_preview_enabled = true;
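Review bot: Changing `server_name` from `matrix.${bloxeldomain}` to `${bloxeldomain}` at hunk @@ -449 is not a rename on an existing Synapse: the server name is recorded in the database at first start and Synapse refuses to start when the configured value differs, and every existing user ID, room alias and signing identity is bound to the old name. If this homeserver already holds data the change needs a fresh database (or the old name kept); if it is fresh, a comment such as `# server_name is permanent: MXIDs are @user:${bloxeldomain}, federation delegated via .well-known` would stop the next reader from "fixing" it. The new `extraConfigFiles` entry is not provisioned anywhere in this diff, so a missing `/etc/matrix-synapse/conf.d/email-conf.yaml` also blocks startup — hedged, it may be managed elsewhere.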
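Review bot: Removing `registration_requires_token = true;` at hunk @@ -470 while `enable_registration = true;` stays opens account creation to anyone on a public, federated homeserver. Current Synapse releases refuse to start in exactly this state unless `enable_registration_without_verification = true` is also set, and if that flag is set elsewhere the server becomes an easy spam and abuse relay for the rest of the federation. Keep the token requirement, or add captcha/email verification in its place, and if open registration is intentional record it: `# Open registration (no token/captcha): monitor for abuse`. The settings block continues outside the hunk.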
@@ -487,15 +515,64 @@ in
 };
 };
+ # Mastodon
+ mastodon = {
+ enable = true;
+ localDomain = "social.${bloxeldomain}";
+ streamingProcesses = 4;
+ configureNginx = true;
+ smtp = {
+ host = "mx.${bloxeldomain}";
+ port = 587;
+ authenticate = true;
+ user = "noreply@${bloxeldomain}";
+ passwordFile = "/var/lib/mastodon/secrets/smtp-password";
+ fromAddress = "noreply@${bloxeldomain}";
+ createLocally = false;
+ };
+ };
+
+ # Try Lemmy
+ lemmy = {
+ enable = true;
+ nginx.enable = true;
+ database.createLocally = true;
+ settings = {
+ hostname = "lemmy.${bloxeldomain}";
+ email = {
+ smtp_server = "mx.${bloxeldomain}:587";
+ smtp_login = "noreply@${bloxeldomain}";
+ smtp_from_address = "noreply@${bloxeldomain}";
+ tls_type = "starttls";
+ };
+ };
+ smtpPasswordFile = "/var/lib/mastodon/secrets/smtp-password";
+ };
+
 # Snowflake proxy for Tor
 snowflake-proxy.enable = true;
 # Fix a nonbuilding issue
 logrotate.checkConfig = false;
+
+ # Try roundcube
+ roundcube = {
+ enable = true;
+ hostName = "mail.${bloxeldomain}";
+ extraConfig = ''
+ $config['smtp_server'] = "tls://${config.mailserver.fqdn}";
+ $config['smtp_user'] = "%u";
+ $config['smtp_pass'] = "%p";
+ '';
+ };
 };
 # Make Nginx not shit itself
- systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/bloxel-landing-page/bloxcable/hls/" ];
+ security.pam.services.nginx.setEnvironment = false;
+ systemd.services.nginx.serviceConfig = {
+ SupplementaryGroups = [ "shadow" ];
+ };
+ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/bloxelcomweb/landing-page/bloxelcom-cable/hls/" ];
 # Get certificates for Coturn
 security.acme = {
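Review bot: Lemmy's `smtpPasswordFile = "/var/lib/mastodon/secrets/smtp-password";` points at the same file Mastodon's `passwordFile` reads, under Mastodon's state directory; the lemmy service runs as its own user, so either it cannot read that file or the file's permissions have been opened wide enough that both services can, and the `noreply` mailbox credential then leaks across two unrelated web applications. Give each consumer its own root-provisioned copy under its own state directory — placeholder path: `smtpPasswordFile = "/var/lib/lemmy/smtp-password";` — or a root-owned secrets directory with per-service group access. The two blocks marked `# Try Lemmy` and `# Try roundcube` would also benefit from a line saying whether they are production or experiments, since both create public vhosts.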
@@ -518,8 +595,8 @@ in
 };
 };
 branding = {
- welcome_background_url = "https://images-wixmp-ed30a86b8c4ca887773594c2.wixmp.com/f/6658b953-7c85-4d44-9d97-d10a52d54af1/dhqaf1r-5402b859-340f-44cb-bfc6-eef5d541ae7d.png?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1cm46YXBwOjdlMGQxODg5ODIyNjQzNzNhNWYwZDQxNWVhMGQyNmUwIiwiaXNzIjoidXJuOmFwcDo3ZTBkMTg4OTgyMjY0MzczYTVmMGQ0MTVlYTBkMjZlMCIsIm9iaiI6W1t7InBhdGgiOiJcL2ZcLzY2NThiOTUzLTdjODUtNGQ0NC05ZDk3LWQxMGE1MmQ1NGFmMVwvZGhxYWYxci01NDAyYjg1OS0zNDBmLTQ0Y2ItYmZjNi1lZWY1ZDU0MWFlN2QucG5nIn1dXSwiYXVkIjpbInVybjpzZXJ2aWNlOmZpbGUuZG93bmxvYWQiXX0.jqJL7Sx9JHu4RqiQnKKfxoxXD55ZLgzH4liMXxH6LkM";
- auth_header_logo_url = "https://www.${bloxeldomain}/bloxelcom.png";
+ welcome_background_url = "https://staging.${bloxeldomain}/images/backgrounds/bloxelcom-sunset.jpg";
+ auth_header_logo_url = "https://staging.${bloxeldomain}/images/logos/bloxelcom.png";
 };
 embedded_pages = {
 home_url = "https://www.${bloxeldomain}/";
@@ -537,6 +614,36 @@ in
 };
 };
+ # Mail server
+ mailserver = rec {
+ enable = true;
+ enableManageSieve = true;
+ domains = [ "${bloxeldomain}" ];
+ fqdn = "mx.${bloxeldomain}";
+ certificateScheme = "acme-nginx";
+
+ # A list of accounts.
+ # Generate passwords with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+ loginAccounts = {
+ "noreply@${bloxeldomain}" = {
+ hashedPasswordFile = "${pkgs.writeText "noreply" "$2b$05$7VibcFKXy5Ff9sUMh3KWBeSXkInXNeaADa71Md/swt5RCk5s7UnM2"}";
+ sendOnly = true;
+ };
+ "jimbo@${bloxeldomain}" = {
+ hashedPasswordFile = "${pkgs.writeText "jimbo" "$2b$05$Chm7AjSicifTVpUWjOx1q.9YGaokIjxijAfqKTmI6o3OR2QU0B4U."}";
+ aliases = [ "canada@${bloxeldomain}" "contact@${bloxeldomain}" ];
+ };
+ "lunamoonlight@${bloxeldomain}" = {
+ hashedPasswordFile = "${pkgs.writeText "luna" "$2a$12$ytZ1k4S.XvQAvzc3pHNDV.m7A/bo8PKznA2qH27g5QHMYDloFHdnK"}";
+ aliases = [ "us@${bloxeldomain}" "contact@${bloxeldomain}" ];
+ };
+ "freecorn1854@${bloxeldomain}" = {
+ hashedPasswordFile = "${pkgs.writeText "freecorn1854" "$2b$05$7EF0TV39XzTYPIdWOoMnlegX8qLkcHxUytkvAt5sRDQE1oquAFTqm"}";
+ aliases = [ "canada@${bloxeldomain}" "contact@${bloxeldomain}" ];
+ };
+ };
+ };
+
 # Determine the release version and allow auto-upgrades
 system.stateVersion = "23.11";
 system.autoUpgrade.enable = false;
diff --git a/Server/jimbo.nix b/Server/jimbo.nix
index 01daf39..2bfea58 100644
--- a/Server/jimbo.nix
+++ b/Server/jimbo.nix
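Review bot: Every `hashedPasswordFile = "${pkgs.writeText ...}"` copies the bcrypt hash into the world-readable Nix store (and into this repository), which defeats the purpose of a file-valued option; three of the four hashes also carry cost factor `$2b$05$`, well below the commonly used 10–12, so they are cheap to brute-force offline once exposed. Point each option at a root-owned file outside the store — placeholder path: `hashedPasswordFile = "/var/lib/mailserver/<account>.hash";` — and raise the cost when regenerating, e.g. `mkpasswd -sm bcrypt -R 12`, updating the comment above `loginAccounts` to match. The `rec` on `mailserver = rec {` is unused, since no attribute in the set refers to a sibling, and can be dropped.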
@@ -542,8 +542,8 @@ in
 controlpanel = "tmux new-session -d -s control; tmux attach -t control";
 # Minecraft stuff
- mcstart21 = "${pkgs.temurin-jre-bin-21}/bin/java -Xmx8G -jar";
- mcstart8 = "${pkgs.temurin-jre-bin-8}/bin/java -Xmx5G -jar";
+ mcstart21 = "${pkgs.temurin-jre-bin-21}/bin/java -Xmx4G -jar";
+ mcstart8 = "${pkgs.temurin-jre-bin-8}/bin/java -Xmx4G -jar";
 velocitystart = "cd ${mineServers}/Velocity && mcstart21 velocity*";
 johnstart = "cd ${mineServers}/Johnside-SMP && mcstart21 paper* --nogui";
 bloxelstart = "cd ${mineServers}/Bloxelcom && mcstart21 paper* --nogui";