Changed a lot in this one

This commit is contained in:
Jimbo 2024-08-09 01:42:44 -04:00
parent 963e056b93
commit 9b56f1ecc2
4 changed files with 102 additions and 103 deletions


@ -27,19 +27,19 @@ let
# Wallpapers # Wallpapers
wallpaper1 = pkgs.fetchurl { wallpaper1 = pkgs.fetchurl {
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper1.png"; url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper1.png";
sha256 = "1zxb0p0fjsmccy4xv8yk3c4kc313k3lc3xhqmiv452f7sjqqbp25"; sha256 = "1zxb0p0fjsmccy4xv8yk3c4kc313k3lc3xhqmiv452f7sjqqbp25";
}; };
wallpaper2 = pkgs.fetchurl { wallpaper2 = pkgs.fetchurl {
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper2.png"; url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper2.png";
sha256 = "13jcllrs05d26iz2isvh1f8fqf20m23sps32kw7qz5iav8nhvsx7"; sha256 = "13jcllrs05d26iz2isvh1f8fqf20m23sps32kw7qz5iav8nhvsx7";
}; };
wallpaper3 = pkgs.fetchurl { wallpaper3 = pkgs.fetchurl {
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper3.png"; url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper3.png";
sha256 = "16r65qnr7f0md4bbjnzq6av4dgmqr3avkilw72qdmyrmh3xj03yw"; sha256 = "16r65qnr7f0md4bbjnzq6av4dgmqr3avkilw72qdmyrmh3xj03yw";
}; };
lockpaper = pkgs.fetchurl { lockpaper = pkgs.fetchurl {
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/lockpaper.png"; url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/lockpaper.png";
sha256 = "1mqvp4bic46gc994fawkraqj76hxd11wdd43qakligchzd20xjd5"; sha256 = "1mqvp4bic46gc994fawkraqj76hxd11wdd43qakligchzd20xjd5";
}; };


@ -44,11 +44,9 @@ in
# Choose Grub as the bootloader # Choose Grub as the bootloader
boot = { boot = {
kernelPackages = pkgs.linuxPackages_xanmod; kernelPackages = pkgs.linuxPackages_xanmod;
loader = { loader.systemd-boot = {
grub = { enable = true;
efiSupport = true; netbootxyz.enable = true;
device = "nodev";
};
}; };
}; };
@ -76,9 +74,10 @@ in
hashedPassword = secrets.jimboAccPassword; hashedPassword = secrets.jimboAccPassword;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuCYrIZlD6LNpFh3XTYbXaPQWYysr1oZAX4DL3gF28l jimbo@DV-JHAMPTON" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPjBdQrL23pDbcsNCLMvJhcNF7+u95ZV7o1QemOmegf jimbo@JimNixPC"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeqiMCRXtpoP+BvKBmzvkL7oLKKCmbfdaQIF3yk/S8I jimbo@DV-JHAMPTON-NIXOS"
]; ];
extraGroups = [ "wheel" "docker" "musicFolder" "nfsShare" ]; extraGroups = [ "wheel" "docker" "nfsShare" ];
uid = 1000; uid = 1000;
shell = pkgs.zsh; shell = pkgs.zsh;
}; };
@ -90,7 +89,7 @@ in
isSystemUser = true; isSystemUser = true;
}; };
nextcloud = { nextcloud = {
extraGroups = [ "nfsShare" "musicFolder" ]; extraGroups = [ "nfsShare" ];
isSystemUser = true; isSystemUser = true;
}; };
}; };
@ -98,7 +97,6 @@ in
# Define custom groups # Define custom groups
users.groups = { users.groups = {
nfsShare = {}; nfsShare = {};
musicFolder = {};
}; };
# Installed programs to the system profile. # Installed programs to the system profile.
@ -117,8 +115,12 @@ in
dhcpcd.enable = true; dhcpcd.enable = true;
wireless.enable = false; wireless.enable = false;
# Enable firewall passthrough # Enable nftables over iptables
nftables.enable = true;
# Configure firewall
firewall = { firewall = {
# Allow different ports
allowedTCPPorts = [ allowedTCPPorts = [
# NFS # NFS
2049 2049
@ -129,7 +131,7 @@ in
# Minecraft # Minecraft
25565 19132 25565 19132
# Pufferpanel sftp # Pufferpanel SFTP
5657 5657
# Gitea SSH # Gitea SSH
@ -154,44 +156,22 @@ in
{ from = 49000; to = 50000; } { from = 49000; to = 50000; }
]; ];
# Extra rules that cannot be done above # Forward rules for nftables
extraCommands = extraForwardRules = ''
# Allow forwarding of basic ports from PC
ip saddr ${pc} tcp dport 2211 accept comment "SSH from PC"
ip saddr ${pc} udp dport { 27005, 27015, 7777, 29000 } accept comment "Games from PC"
# SSH and game servers from my PC # Allow forwarding of Sunshine traffic
'' ip saddr ${pc} tcp dport { 48010, 47989, 47984 } accept comment "Sunshine TCP from PC"
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2211 -m comment --comment "SSH to PC" -j DNAT --to-destination ${pc} ip saddr ${pc} udp dport { 47998, 47999, 48000 } accept comment "Sunshine UDP from PC"
iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 27005,27015,7777,29000 -m comment --comment "Games" -j DNAT --to-destination ${pc}
'' +
# Sunshine ports for PC and VM
''
iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 48010,47989,47984 -m comment --comment "PC Sunshine TCP" -j DNAT --to-destination ${pc}
iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 47998,47999,48000 -m comment --comment "PC Sunshine UDP" -j DNAT --to-destination ${pc}
iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 38010,37989,37984 -m comment --comment "VM Sunshine TCP" -j DNAT --to-destination ${vm}
iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 37998,37999,38000 -m comment --comment "VM Sunshine UDP" -j DNAT --to-destination ${vm}
'' +
# Set an IP firewall for RTMP
''
iptables -N RTMPCHAIN
iptables -A INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN
iptables -A RTMPCHAIN -s ${pc} -m comment --comment "Local PC" -j ACCEPT
iptables -A RTMPCHAIN -s 71.87.124.226 -m comment --comment "Luna IP" -j ACCEPT
iptables -A RTMPCHAIN -s 24.66.98.13 -m comment --comment "Freecorn IP" -j ACCEPT
iptables -A RTMPCHAIN -j DROP
'' +
# Finalize forwarding
''
iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
''; '';
# Remove the chain and such # Completely change to nftables
extraStopCommands = '' extraInputRules = ''
iptables -D INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN # Set an IP firewall for RTMP
iptables -F RTMPCHAIN ip saddr { ${pc}, ${secrets.lunaIP}, ${secrets.freecornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
iptables -X RTMPCHAIN ip saddr { 0.0.0.0/0 } tcp dport { 1935, 1945 } drop
''; '';
# Disallow pinging this server # Disallow pinging this server
@ -328,8 +308,26 @@ in
"matrix.${bloxeldomain}" = { "matrix.${bloxeldomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/_matrix".proxyPass = "http://[::1]:8008"; locations = {
locations."/_synapse".proxyPass = "http://[::1]:8008"; "/".extraConfig = ''return 403;'';
"/_matrix".proxyPass = "http://[::1]:8008";
"/_synapse".proxyPass = "http://[::1]:8008";
"/client".proxyPass = "http://[::1]:8008";
};
};
# Matrix Sliding Sync Proxy
"syncv3.${bloxeldomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/_matrix".proxyPass = "http://[::1]:8009";
"/client".proxyPass = "http://[::1]:8009";
"/sync".proxyPass = "http://[::1]:8009";
"/unstable".proxyPass = "http://[::1]:8009";
"/org.matrix.msc3575".proxyPass = "http://[::1]:8009";
};
}; };
# Element Proxy # Element Proxy
@ -391,7 +389,8 @@ in
enableACME = true; enableACME = true;
addSSL = true; addSSL = true;
root = "/var/www/bloxelcomweb/landing-page/"; root = "/var/www/bloxelcomweb/landing-page/";
locations."/BloxelcomCable/hls" = { locations = {
"/BloxelcomCable/hls" = {
extraConfig = '' extraConfig = ''
# Disable cache # Disable cache
add_header Last-Modified $date_gmt; add_header Last-Modified $date_gmt;
@ -406,14 +405,22 @@ in
} }
''; '';
}; };
locations."/.well-known/matrix/client" = { "/.well-known/matrix/client" = {
extraConfig = '' extraConfig = ''
default_type application/json; default_type application/json;
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
return 200 '{"m.server": "matrix.${bloxeldomain}:443"}'; return 200 '
{
"m.homeserver": {
"base_url": "https://${bloxeldomain}"
},
"org.matrix.msc3575.proxy": {
"url": "https://syncv3.${bloxeldomain}"
}
}';
''; '';
}; };
locations."/.well-known/matrix/server" = { "/.well-known/matrix/server" = {
extraConfig = '' extraConfig = ''
default_type application/json; default_type application/json;
return 200 '{"m.server": "matrix.${bloxeldomain}:443"}'; return 200 '{"m.server": "matrix.${bloxeldomain}:443"}';
@ -421,6 +428,7 @@ in
}; };
}; };
}; };
};
appendConfig = '' appendConfig = ''
rtmp { rtmp {
server { server {
@ -531,6 +539,7 @@ in
enable = true; enable = true;
environment = { environment = {
PUFFER_WEB_HOST = ":5010"; PUFFER_WEB_HOST = ":5010";
PUFFER_PANEL_SETTINGS_MASTERURL = "https://mc.${jimdomain}";
PUFFER_PANEL_REGISTRATIONENABLED = "false"; PUFFER_PANEL_REGISTRATIONENABLED = "false";
PUFFER_PANEL_EMAIL_PROVIDER = "smtp"; PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
PUFFER_PANEL_EMAIL_HOST = "mx.${bloxeldomain}:587"; PUFFER_PANEL_EMAIL_HOST = "mx.${bloxeldomain}:587";
@ -553,28 +562,10 @@ in
package = pkgs.mariadb; package = pkgs.mariadb;
dataDir = "/var/lib/mysql"; dataDir = "/var/lib/mysql";
initialDatabases = [ initialDatabases = [
{ name = "nextcloud"; }
{ name = "matrix"; }
{ name = "git"; }
{ name = "minecraft"; } { name = "minecraft"; }
]; ];
ensureUsers = [ ensureUsers = [
{ {
name = "nextcloud";
ensurePermissions = {
"nextcloud.*" = "ALL PRIVILEGES";
};
}{
name = "matrix-synapse";
ensurePermissions = {
"matrix.*" = "ALL PRIVILEGES";
};
}{
name = "gitea";
ensurePermissions = {
"git.*" = "ALL PRIVILEGES";
};
}{
name = "minecraft"; name = "minecraft";
ensurePermissions = { ensurePermissions = {
"minecraft.*" = "ALL PRIVILEGES"; "minecraft.*" = "ALL PRIVILEGES";
@ -665,6 +656,17 @@ in
}; };
}; };
# Sliding sync proxy for Matrix
matrix-sliding-sync = {
enable = true;
settings = {
SYNCV3_SERVER = "${bloxeldomain}";
SYNCV3_BINDADDR = "0.0.0.0:8009";
SYNCV3_SECRET = secrets.matrixSecret;
};
environmentFile = "${pkgs.writeText "matrixsecret" secrets.matrixSecret}";
};
# Mastodon # Mastodon
mastodon = { mastodon = {
enable = true; enable = true;
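Review bot: In the new `matrix-sliding-sync` block, `SYNCV3_SECRET = secrets.matrixSecret;` under `settings` and `environmentFile = "${pkgs.writeText "matrixsecret" secrets.matrixSecret}"` both place the secret in /nix/store, which is world-readable, so every local user (and any binary cache the store is pushed to) can read it; `environmentFile` also expects `KEY=VALUE` lines, and a file holding only the bare secret is not in that format. Drop `SYNCV3_SECRET` from `settings` and point `environmentFile` at a root-only file outside the store, e.g. `environmentFile = "/var/lib/matrix-sliding-sync/secret.env";` whose single line is `SYNCV3_SECRET=…`. `SYNCV3_BINDADDR = "0.0.0.0:8009"` listens on every IPv4 interface while the new `syncv3.${bloxeldomain}` vhost proxies to `http://[::1]:8009` (IPv6 loopback), so the upstream will likely be refused and the listener is reachable from the LAN instead of loopback only; `SYNCV3_BINDADDR = "127.0.0.1:8009";` with a matching `proxyPass = "http://127.0.0.1:8009"` keeps it local. Separately, the new `extraForwardRules` only accept forwarded traffic whose source is `${pc}`; the DNAT and MASQUERADE rules they replace (port forwards to `${pc}`/`${vm}`) have no nftables equivalent in this hunk, so if those forwards are still wanted they need a nat-table rule elsewhere.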


@ -68,8 +68,8 @@
options = [ "bind" ]; options = [ "bind" ];
depends = [ "/export/JimboNFS" ]; depends = [ "/export/JimboNFS" ];
}; };
"/var/lib/pufferpanel/servers" = { "/var/lib/private/pufferpanel/servers" = {
device = "/export/JimboNFS/MineServers"; device = "/export/JimboNFS/System/var/lib/pufferpanel/servers";
fsType = "none"; fsType = "none";
options = [ "bind" ]; options = [ "bind" ];
depends = [ "/export/JimboNFS" ]; depends = [ "/export/JimboNFS" ];


@ -358,7 +358,6 @@ let
P:/home/jimbo/JimboNFS/Projects P:/home/jimbo/JimboNFS/Projects
V:/home/jimbo/JimboNFS/Videos/Random V:/home/jimbo/JimboNFS/Videos/Random
m:/home/jimbo/JimboNFS/Music m:/home/jimbo/JimboNFS/Music
L:/home/jimbo/JimboNFS/MineServers
s:/home/jimbo/JimboNFS/School s:/home/jimbo/JimboNFS/School
''; '';
in in
@ -522,9 +521,7 @@ in
plugins = [ "git" ]; plugins = [ "git" ];
theme = "half-life"; theme = "half-life";
}; };
shellAliases = let shellAliases = {
mineServers = ''/home/jimbo/JimboNFS/MineServers'';
in {
# NixOS aliases # NixOS aliases
nixcfg = "nvim /etc/nixos/{configuration,jimbo,secrets,hardware-configuration}.nix"; nixcfg = "nvim /etc/nixos/{configuration,jimbo,secrets,hardware-configuration}.nix";
nixswitch = "${auth} nixos-rebuild switch"; nixswitch = "${auth} nixos-rebuild switch";