From 9b56f1ecc24119f7438e35ec8f76fa436ad73ce1 Mon Sep 17 00:00:00 2001 From: Jimbo Date: Fri, 9 Aug 2024 01:42:44 -0400 Subject: [PATCH] Changed a lot this one --- PC/jimbo.nix | 8 +- Server/configuration.nix | 188 +++++++++++++++--------------- Server/hardware-configuration.nix | 4 +- Server/jimbo.nix | 5 +- 4 files changed, 102 insertions(+), 103 deletions(-) diff --git a/PC/jimbo.nix b/PC/jimbo.nix index adaefcf..b4aa3a9 100644 --- a/PC/jimbo.nix +++ b/PC/jimbo.nix @@ -27,19 +27,19 @@ let # Wallpapers wallpaper1 = pkgs.fetchurl { - url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper1.png"; + url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper1.png"; sha256 = "1zxb0p0fjsmccy4xv8yk3c4kc313k3lc3xhqmiv452f7sjqqbp25"; }; wallpaper2 = pkgs.fetchurl { - url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper2.png"; + url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper2.png"; sha256 = "13jcllrs05d26iz2isvh1f8fqf20m23sps32kw7qz5iav8nhvsx7"; }; wallpaper3 = pkgs.fetchurl { - url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper3.png"; + url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper3.png"; sha256 = "16r65qnr7f0md4bbjnzq6av4dgmqr3avkilw72qdmyrmh3xj03yw"; }; lockpaper = pkgs.fetchurl { - url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/lockpaper.png"; + url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/lockpaper.png"; sha256 = "1mqvp4bic46gc994fawkraqj76hxd11wdd43qakligchzd20xjd5"; }; diff --git a/Server/configuration.nix b/Server/configuration.nix index 034c2c0..3c029a1 100644 --- a/Server/configuration.nix +++ b/Server/configuration.nix 
@@ -44,11 +44,9 @@ in # Choose Grub as the bootloader boot = { kernelPackages = pkgs.linuxPackages_xanmod; - loader = { - grub = { - efiSupport = true; - device = "nodev"; - }; + loader.systemd-boot = { + enable = true; + netbootxyz.enable = true; }; }; @@ -76,9 +74,10 @@ in hashedPassword = secrets.jimboAccPassword; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuCYrIZlD6LNpFh3XTYbXaPQWYysr1oZAX4DL3gF28l jimbo@DV-JHAMPTON" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPjBdQrL23pDbcsNCLMvJhcNF7+u95ZV7o1QemOmegf jimbo@JimNixPC" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeqiMCRXtpoP+BvKBmzvkL7oLKKCmbfdaQIF3yk/S8I jimbo@DV-JHAMPTON-NIXOS" ]; - extraGroups = [ "wheel" "docker" "musicFolder" "nfsShare" ]; + extraGroups = [ "wheel" "docker" "nfsShare" ]; uid = 1000; shell = pkgs.zsh; }; @@ -90,7 +89,7 @@ in isSystemUser = true; }; nextcloud = { - extraGroups = [ "nfsShare" "musicFolder" ]; + extraGroups = [ "nfsShare" ]; isSystemUser = true; }; }; @@ -98,7 +97,6 @@ in # Define custom groups users.groups = { nfsShare = {}; - musicFolder = {}; }; # Installed programs to the system profile. @@ -116,9 +114,13 @@ in # Choose networking method dhcpcd.enable = true; wireless.enable = false; + + # Enable nftables over iptables + nftables.enable = true; - # Enable firewall passthrough + # Configure firewall firewall = { + # Allow different ports allowedTCPPorts = [ # NFS 2049 @@ -129,7 +131,7 @@ in # Minecraft 25565 19132 - # Pufferpanel sftp + # Pufferpanel SFTP 5657 # Gitea SSH 
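Review bot: The context comment `# Choose Grub as the bootloader` at the top of the first hunk is now stale, since the loader below it is switched to systemd-boot; it should read `# Use systemd-boot as the bootloader`. `netbootxyz.enable = true` adds a netboot.xyz entry to the boot menu, which lets anyone with console access (physical or out-of-band) boot an arbitrary network image on this server with no credentials, so if it is only needed for occasional reinstalls it is lower-risk to leave it off by default, and `boot.loader.systemd-boot.editor = false;` would at least stop kernel-command-line edits from the same menu. The removed grub block declared `efiSupport = true`; whether `boot.loader.efi.canTouchEfiVariables` is set for systemd-boot is not visible in this hunk, so worth confirming before rebuilding.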
@@ -154,44 +156,22 @@ in { from = 49000; to = 50000; } ]; - # Extra rules that cannot be done above - extraCommands = - - # SSH and game servers from my PC - '' - iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2211 -m comment --comment "SSH to PC" -j DNAT --to-destination ${pc} - iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 27005,27015,7777,29000 -m comment --comment "Games" -j DNAT --to-destination ${pc} - '' + - - # Sunshine ports for PC and VM - '' - iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 48010,47989,47984 -m comment --comment "PC Sunshine TCP" -j DNAT --to-destination ${pc} - iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 47998,47999,48000 -m comment --comment "PC Sunshine UDP" -j DNAT --to-destination ${pc} - - iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 38010,37989,37984 -m comment --comment "VM Sunshine TCP" -j DNAT --to-destination ${vm} - iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 37998,37999,38000 -m comment --comment "VM Sunshine UDP" -j DNAT --to-destination ${vm} - '' + - - # Set an IP firewall for RTMP - '' - iptables -N RTMPCHAIN - iptables -A INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN - iptables -A RTMPCHAIN -s ${pc} -m comment --comment "Local PC" -j ACCEPT - iptables -A RTMPCHAIN -s 71.87.124.226 -m comment --comment "Luna IP" -j ACCEPT - iptables -A RTMPCHAIN -s 24.66.98.13 -m comment --comment "Freecorn IP" -j ACCEPT - iptables -A RTMPCHAIN -j DROP - '' + - - # Finalize forwarding - '' - iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE + # Forward rules for nftables + extraForwardRules = '' + # Allow forwarding of basic ports from PC + ip saddr ${pc} tcp dport 2211 accept comment "SSH from PC" + ip saddr ${pc} udp dport { 27005, 27015, 7777, 29000 } accept comment "Games from PC" + + # Allow forwarding of Sunshine traffic + ip saddr ${pc} tcp dport { 48010, 47989, 47984 } 
accept comment "Sunshine TCP from PC" + ip saddr ${pc} udp dport { 47998, 47999, 48000 } accept comment "Sunshine UDP from PC" ''; - # Remove the chain and such - extraStopCommands = '' - iptables -D INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN - iptables -F RTMPCHAIN - iptables -X RTMPCHAIN + # Completely change to nftables + extraInputRules = '' + # Set an IP firewall for RTMP + ip saddr { ${pc}, ${secrets.lunaIP}, ${secrets.freecornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP" + ip saddr { 0.0.0.0/0 } tcp dport { 1935, 1945 } drop ''; # Disallow pinging this server @@ -328,8 +308,26 @@ in "matrix.${bloxeldomain}" = { enableACME = true; forceSSL = true; - locations."/_matrix".proxyPass = "http://[::1]:8008"; - locations."/_synapse".proxyPass = "http://[::1]:8008"; + locations = { + "/".extraConfig = ''return 403;''; + "/_matrix".proxyPass = "http://[::1]:8008"; + "/_synapse".proxyPass = "http://[::1]:8008"; + "/client".proxyPass = "http://[::1]:8008"; + }; + }; + + # Matrix Sliding Sync Proxy + "syncv3.${bloxeldomain}" = { + enableACME = true; + forceSSL = true; + locations = { + "/".extraConfig = ''return 403;''; + "/_matrix".proxyPass = "http://[::1]:8009"; + "/client".proxyPass = "http://[::1]:8009"; + "/sync".proxyPass = "http://[::1]:8009"; + "/unstable".proxyPass = "http://[::1]:8009"; + "/org.matrix.msc3575".proxyPass = "http://[::1]:8009"; + }; }; # Element Proxy 
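Review bot: The removed iptables PREROUTING DNAT rules forwarded inbound connections on 2211 and the game/Sunshine ports to ${pc}, but the replacement `extraForwardRules` only accept already-routed packets whose source is ${pc}; no DNAT is declared in this hunk, so unless `networking.nat` is configured elsewhere in the file, those services on the PC are no longer reachable from outside, and the dropped `MASQUERADE` on eno1 likewise has no counterpart. The declarative NAT module works with nftables and restores both, e.g. `networking.nat = { enable = true; externalInterface = "eno1"; forwardPorts = [ { sourcePort = 2211; destination = "${pc}:2211"; proto = "tcp"; } ]; };` (constructed example covering only the SSH forward). In `extraInputRules`, NixOS appends these rules to the input-allow chain after the `allowedTCPPorts` accepts, so if 1935/1945 also appear in that list (it starts before this hunk) the source-restricted accept is bypassed and the trailing drop never fires; if they do not, the drop is redundant with the chain's default policy. Either way `ip saddr { 0.0.0.0/0 }` matches every IPv4 source and can be written as plain `tcp dport { 1935, 1945 } drop`. The enclosing `firewall = {` block starts outside the hunk.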
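Review bot: The new `syncv3.${bloxeldomain}` vhost proxies every location to `http://[::1]:8009`, but the sliding-sync service added later in this patch binds `SYNCV3_BINDADDR = "0.0.0.0:8009"`, which is IPv4-only, so nginx connections to the IPv6 loopback will be refused. Pick one loopback family for both sides, e.g. `proxyPass = "http://127.0.0.1:8009"` here together with `SYNCV3_BINDADDR = "127.0.0.1:8009"` in the service. The `"/".extraConfig = ''return 403;''` catch-all on both vhosts is a sensible tightening; a one-line comment such as `# Only Matrix API paths are proxied; everything else is refused` above each `locations` block would make the intent clear to the next reader.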
@@ -391,33 +389,43 @@ in enableACME = true; addSSL = true; root = "/var/www/bloxelcomweb/landing-page/"; - locations."/BloxelcomCable/hls" = { - extraConfig = '' - # Disable cache - add_header Last-Modified $date_gmt; - add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; - if_modified_since off; - expires off; - etag off; + locations = { + "/BloxelcomCable/hls" = { + extraConfig = '' + # Disable cache + add_header Last-Modified $date_gmt; + add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + if_modified_since off; + expires off; + etag off; - # Allow serving m3u8 files - types { - application/vnd.apple.mpegurl m3u8; - } - ''; - }; - locations."/.well-known/matrix/client" = { - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin *; - return 200 '{"m.server": "matrix.${bloxeldomain}:443"}'; - ''; - }; - locations."/.well-known/matrix/server" = { - extraConfig = '' - default_type application/json; - return 200 '{"m.server": "matrix.${bloxeldomain}:443"}'; - ''; + # Allow serving m3u8 files + types { + application/vnd.apple.mpegurl m3u8; + } + ''; + }; + "/.well-known/matrix/client" = { + extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin *; + return 200 ' + { + "m.homeserver": { + "base_url": "https://${bloxeldomain}" + }, + "org.matrix.msc3575.proxy": { + "url": "https://syncv3.${bloxeldomain}" + } + }'; + ''; + }; + "/.well-known/matrix/server" = { + extraConfig = '' + default_type application/json; + return 200 '{"m.server": "matrix.${bloxeldomain}:443"}'; + ''; + }; }; }; }; @@ -531,6 +539,7 @@ in enable = true; environment = { PUFFER_WEB_HOST = ":5010"; + PUFFER_PANEL_SETTINGS_MASTERURL = "https://mc.${jimdomain}"; PUFFER_PANEL_REGISTRATIONENABLED = "false"; PUFFER_PANEL_EMAIL_PROVIDER = "smtp"; PUFFER_PANEL_EMAIL_HOST = "mx.${bloxeldomain}:587"; 
@@ -553,28 +562,10 @@ in package = pkgs.mariadb; dataDir = "/var/lib/mysql"; initialDatabases = [ - { name = "nextcloud"; } - { name = "matrix"; } - { name = "git"; } { name = "minecraft"; } ]; ensureUsers = [ { - name = "nextcloud"; - ensurePermissions = { - "nextcloud.*" = "ALL PRIVILEGES"; - }; - }{ - name = "matrix-synapse"; - ensurePermissions = { - "matrix.*" = "ALL PRIVILEGES"; - }; - }{ - name = "gitea"; - ensurePermissions = { - "git.*" = "ALL PRIVILEGES"; - }; - }{ name = "minecraft"; ensurePermissions = { "minecraft.*" = "ALL PRIVILEGES"; @@ -665,6 +656,17 @@ in }; }; + # Sliding sync proxy for Matrix + matrix-sliding-sync = { + enable = true; + settings = { + SYNCV3_SERVER = "${bloxeldomain}"; + SYNCV3_BINDADDR = "0.0.0.0:8009"; + SYNCV3_SECRET = secrets.matrixSecret; + }; + environmentFile = "${pkgs.writeText "matrixsecret" secrets.matrixSecret}"; + }; + # Mastodon mastodon = { enable = true; diff --git a/Server/hardware-configuration.nix b/Server/hardware-configuration.nix index aa217c2..a900dda 100644 --- a/Server/hardware-configuration.nix +++ b/Server/hardware-configuration.nix @@ -68,8 +68,8 @@ options = [ "bind" ]; depends = [ "/export/JimboNFS" ]; }; - "/var/lib/pufferpanel/servers" = { - device = "/export/JimboNFS/MineServers"; + "/var/lib/private/pufferpanel/servers" = { + device = "/export/JimboNFS/System/var/lib/pufferpanel/servers"; fsType = "none"; options = [ "bind" ]; depends = [ "/export/JimboNFS" ]; diff --git a/Server/jimbo.nix b/Server/jimbo.nix index ba7d345..83b72b9 100644 --- a/Server/jimbo.nix +++ b/Server/jimbo.nix @@ -358,7 +358,6 @@ let P:/home/jimbo/JimboNFS/Projects V:/home/jimbo/JimboNFS/Videos/Random m:/home/jimbo/JimboNFS/Music - L:/home/jimbo/JimboNFS/MineServers s:/home/jimbo/JimboNFS/School ''; in 
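Review bot: In the matrix-sliding-sync hunk, `environmentFile = "${pkgs.writeText "matrixsecret" secrets.matrixSecret}"` writes the raw secret into a world-readable Nix store path, and the same value is also placed in `settings.SYNCV3_SECRET`, which, as far as I recall, the module exports as plain unit environment that ends up in the store as well; the `writeText` file also holds the bare value rather than the `SYNCV3_SECRET=…` line systemd's EnvironmentFile expects, so it may not even be read. Drop `SYNCV3_SECRET` from `settings` and point `environmentFile` at a root-only file outside the store (e.g. `/run/secrets/matrix-sliding-sync.env`, a constructed path) containing `SYNCV3_SECRET=<value>`. `SYNCV3_BINDADDR = "0.0.0.0:8009"` also exposes the proxy on every interface the firewall allows rather than only behind nginx; `SYNCV3_BINDADDR = "127.0.0.1:8009"` keeps it local, and the `syncv3` vhost, which currently targets `[::1]:8009`, needs the same loopback family or the connection is refused. `SYNCV3_SERVER = "${bloxeldomain}"` has no scheme, and the upstream setting expects a full client-server URL, so `https://matrix.${bloxeldomain}` is probably what was intended — worth checking against the service log after the switch.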
@@ -522,9 +521,7 @@ in plugins = [ "git" ]; theme = "half-life"; }; - shellAliases = let - mineServers = ''/home/jimbo/JimboNFS/MineServers''; - in { + shellAliases = { # NixOS aliases nixcfg = "nvim /etc/nixos/{configuration,jimbo,secrets,hardware-configuration}.nix"; nixswitch = "${auth} nixos-rebuild switch";