Changed a lot this one
This commit is contained in:
parent
963e056b93
commit
9b56f1ecc2
|
@ -27,19 +27,19 @@ let
|
||||||
|
|
||||||
# Wallpapers
|
# Wallpapers
|
||||||
wallpaper1 = pkgs.fetchurl {
|
wallpaper1 = pkgs.fetchurl {
|
||||||
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper1.png";
|
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper1.png";
|
||||||
sha256 = "1zxb0p0fjsmccy4xv8yk3c4kc313k3lc3xhqmiv452f7sjqqbp25";
|
sha256 = "1zxb0p0fjsmccy4xv8yk3c4kc313k3lc3xhqmiv452f7sjqqbp25";
|
||||||
};
|
};
|
||||||
wallpaper2 = pkgs.fetchurl {
|
wallpaper2 = pkgs.fetchurl {
|
||||||
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper2.png";
|
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper2.png";
|
||||||
sha256 = "13jcllrs05d26iz2isvh1f8fqf20m23sps32kw7qz5iav8nhvsx7";
|
sha256 = "13jcllrs05d26iz2isvh1f8fqf20m23sps32kw7qz5iav8nhvsx7";
|
||||||
};
|
};
|
||||||
wallpaper3 = pkgs.fetchurl {
|
wallpaper3 = pkgs.fetchurl {
|
||||||
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper3.png";
|
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper3.png";
|
||||||
sha256 = "16r65qnr7f0md4bbjnzq6av4dgmqr3avkilw72qdmyrmh3xj03yw";
|
sha256 = "16r65qnr7f0md4bbjnzq6av4dgmqr3avkilw72qdmyrmh3xj03yw";
|
||||||
};
|
};
|
||||||
lockpaper = pkgs.fetchurl {
|
lockpaper = pkgs.fetchurl {
|
||||||
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/lockpaper.png";
|
url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/lockpaper.png";
|
||||||
sha256 = "1mqvp4bic46gc994fawkraqj76hxd11wdd43qakligchzd20xjd5";
|
sha256 = "1mqvp4bic46gc994fawkraqj76hxd11wdd43qakligchzd20xjd5";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -44,11 +44,9 @@ in
|
||||||
# Choose Grub as the bootloader
|
# Choose Grub as the bootloader
|
||||||
boot = {
|
boot = {
|
||||||
kernelPackages = pkgs.linuxPackages_xanmod;
|
kernelPackages = pkgs.linuxPackages_xanmod;
|
||||||
loader = {
|
loader.systemd-boot = {
|
||||||
grub = {
|
enable = true;
|
||||||
efiSupport = true;
|
netbootxyz.enable = true;
|
||||||
device = "nodev";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -76,9 +74,10 @@ in
|
||||||
hashedPassword = secrets.jimboAccPassword;
|
hashedPassword = secrets.jimboAccPassword;
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuCYrIZlD6LNpFh3XTYbXaPQWYysr1oZAX4DL3gF28l jimbo@DV-JHAMPTON"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPjBdQrL23pDbcsNCLMvJhcNF7+u95ZV7o1QemOmegf jimbo@JimNixPC"
|
||||||
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeqiMCRXtpoP+BvKBmzvkL7oLKKCmbfdaQIF3yk/S8I jimbo@DV-JHAMPTON-NIXOS"
|
||||||
];
|
];
|
||||||
extraGroups = [ "wheel" "docker" "musicFolder" "nfsShare" ];
|
extraGroups = [ "wheel" "docker" "nfsShare" ];
|
||||||
uid = 1000;
|
uid = 1000;
|
||||||
shell = pkgs.zsh;
|
shell = pkgs.zsh;
|
||||||
};
|
};
|
||||||
|
@ -90,7 +89,7 @@ in
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
nextcloud = {
|
nextcloud = {
|
||||||
extraGroups = [ "nfsShare" "musicFolder" ];
|
extraGroups = [ "nfsShare" ];
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -98,7 +97,6 @@ in
|
||||||
# Define custom groups
|
# Define custom groups
|
||||||
users.groups = {
|
users.groups = {
|
||||||
nfsShare = {};
|
nfsShare = {};
|
||||||
musicFolder = {};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Installed programs to the system profile.
|
# Installed programs to the system profile.
|
||||||
|
@ -116,9 +114,13 @@ in
|
||||||
# Choose networking method
|
# Choose networking method
|
||||||
dhcpcd.enable = true;
|
dhcpcd.enable = true;
|
||||||
wireless.enable = false;
|
wireless.enable = false;
|
||||||
|
|
||||||
|
# Enable nftables over iptables
|
||||||
|
nftables.enable = true;
|
||||||
|
|
||||||
# Enable firewall passthrough
|
# Configure firewall
|
||||||
firewall = {
|
firewall = {
|
||||||
|
# Allow different ports
|
||||||
allowedTCPPorts = [
|
allowedTCPPorts = [
|
||||||
# NFS
|
# NFS
|
||||||
2049
|
2049
|
||||||
|
@ -129,7 +131,7 @@ in
|
||||||
# Minecraft
|
# Minecraft
|
||||||
25565 19132
|
25565 19132
|
||||||
|
|
||||||
# Pufferpanel sftp
|
# Pufferpanel SFTP
|
||||||
5657
|
5657
|
||||||
|
|
||||||
# Gitea SSH
|
# Gitea SSH
|
||||||
|
@ -154,44 +156,22 @@ in
|
||||||
{ from = 49000; to = 50000; }
|
{ from = 49000; to = 50000; }
|
||||||
];
|
];
|
||||||
|
|
||||||
# Extra rules that cannot be done above
|
# Forward rules for nftables
|
||||||
extraCommands =
|
extraForwardRules = ''
|
||||||
|
# Allow forwarding of basic ports from PC
|
||||||
# SSH and game servers from my PC
|
ip saddr ${pc} tcp dport 2211 accept comment "SSH from PC"
|
||||||
''
|
ip saddr ${pc} udp dport { 27005, 27015, 7777, 29000 } accept comment "Games from PC"
|
||||||
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2211 -m comment --comment "SSH to PC" -j DNAT --to-destination ${pc}
|
|
||||||
iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 27005,27015,7777,29000 -m comment --comment "Games" -j DNAT --to-destination ${pc}
|
# Allow forwarding of Sunshine traffic
|
||||||
'' +
|
ip saddr ${pc} tcp dport { 48010, 47989, 47984 } accept comment "Sunshine TCP from PC"
|
||||||
|
ip saddr ${pc} udp dport { 47998, 47999, 48000 } accept comment "Sunshine UDP from PC"
|
||||||
# Sunshine ports for PC and VM
|
|
||||||
''
|
|
||||||
iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 48010,47989,47984 -m comment --comment "PC Sunshine TCP" -j DNAT --to-destination ${pc}
|
|
||||||
iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 47998,47999,48000 -m comment --comment "PC Sunshine UDP" -j DNAT --to-destination ${pc}
|
|
||||||
|
|
||||||
iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 38010,37989,37984 -m comment --comment "VM Sunshine TCP" -j DNAT --to-destination ${vm}
|
|
||||||
iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 37998,37999,38000 -m comment --comment "VM Sunshine UDP" -j DNAT --to-destination ${vm}
|
|
||||||
'' +
|
|
||||||
|
|
||||||
# Set an IP firewall for RTMP
|
|
||||||
''
|
|
||||||
iptables -N RTMPCHAIN
|
|
||||||
iptables -A INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN
|
|
||||||
iptables -A RTMPCHAIN -s ${pc} -m comment --comment "Local PC" -j ACCEPT
|
|
||||||
iptables -A RTMPCHAIN -s 71.87.124.226 -m comment --comment "Luna IP" -j ACCEPT
|
|
||||||
iptables -A RTMPCHAIN -s 24.66.98.13 -m comment --comment "Freecorn IP" -j ACCEPT
|
|
||||||
iptables -A RTMPCHAIN -j DROP
|
|
||||||
'' +
|
|
||||||
|
|
||||||
# Finalize forwarding
|
|
||||||
''
|
|
||||||
iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# Remove the chain and such
|
# Completely change to nftables
|
||||||
extraStopCommands = ''
|
extraInputRules = ''
|
||||||
iptables -D INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN
|
# Set an IP firewall for RTMP
|
||||||
iptables -F RTMPCHAIN
|
ip saddr { ${pc}, ${secrets.lunaIP}, ${secrets.freecornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
|
||||||
iptables -X RTMPCHAIN
|
ip saddr { 0.0.0.0/0 } tcp dport { 1935, 1945 } drop
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# Disallow pinging this server
|
# Disallow pinging this server
|
||||||
|
@ -328,8 +308,26 @@ in
|
||||||
"matrix.${bloxeldomain}" = {
|
"matrix.${bloxeldomain}" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
locations."/_matrix".proxyPass = "http://[::1]:8008";
|
locations = {
|
||||||
locations."/_synapse".proxyPass = "http://[::1]:8008";
|
"/".extraConfig = ''return 403;'';
|
||||||
|
"/_matrix".proxyPass = "http://[::1]:8008";
|
||||||
|
"/_synapse".proxyPass = "http://[::1]:8008";
|
||||||
|
"/client".proxyPass = "http://[::1]:8008";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Matrix Sliding Sync Proxy
|
||||||
|
"syncv3.${bloxeldomain}" = {
|
||||||
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
locations = {
|
||||||
|
"/".extraConfig = ''return 403;'';
|
||||||
|
"/_matrix".proxyPass = "http://[::1]:8009";
|
||||||
|
"/client".proxyPass = "http://[::1]:8009";
|
||||||
|
"/sync".proxyPass = "http://[::1]:8009";
|
||||||
|
"/unstable".proxyPass = "http://[::1]:8009";
|
||||||
|
"/org.matrix.msc3575".proxyPass = "http://[::1]:8009";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# Element Proxy
|
# Element Proxy
|
||||||
|
@ -391,33 +389,43 @@ in
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
addSSL = true;
|
addSSL = true;
|
||||||
root = "/var/www/bloxelcomweb/landing-page/";
|
root = "/var/www/bloxelcomweb/landing-page/";
|
||||||
locations."/BloxelcomCable/hls" = {
|
locations = {
|
||||||
extraConfig = ''
|
"/BloxelcomCable/hls" = {
|
||||||
# Disable cache
|
extraConfig = ''
|
||||||
add_header Last-Modified $date_gmt;
|
# Disable cache
|
||||||
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
|
add_header Last-Modified $date_gmt;
|
||||||
if_modified_since off;
|
add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
|
||||||
expires off;
|
if_modified_since off;
|
||||||
etag off;
|
expires off;
|
||||||
|
etag off;
|
||||||
|
|
||||||
# Allow serving m3u8 files
|
# Allow serving m3u8 files
|
||||||
types {
|
types {
|
||||||
application/vnd.apple.mpegurl m3u8;
|
application/vnd.apple.mpegurl m3u8;
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
locations."/.well-known/matrix/client" = {
|
"/.well-known/matrix/client" = {
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
default_type application/json;
|
default_type application/json;
|
||||||
add_header Access-Control-Allow-Origin *;
|
add_header Access-Control-Allow-Origin *;
|
||||||
return 200 '{"m.server": "matrix.${bloxeldomain}:443"}';
|
return 200 '
|
||||||
'';
|
{
|
||||||
};
|
"m.homeserver": {
|
||||||
locations."/.well-known/matrix/server" = {
|
"base_url": "https://${bloxeldomain}"
|
||||||
extraConfig = ''
|
},
|
||||||
default_type application/json;
|
"org.matrix.msc3575.proxy": {
|
||||||
return 200 '{"m.server": "matrix.${bloxeldomain}:443"}';
|
"url": "https://syncv3.${bloxeldomain}"
|
||||||
'';
|
}
|
||||||
|
}';
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
"/.well-known/matrix/server" = {
|
||||||
|
extraConfig = ''
|
||||||
|
default_type application/json;
|
||||||
|
return 200 '{"m.server": "matrix.${bloxeldomain}:443"}';
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -531,6 +539,7 @@ in
|
||||||
enable = true;
|
enable = true;
|
||||||
environment = {
|
environment = {
|
||||||
PUFFER_WEB_HOST = ":5010";
|
PUFFER_WEB_HOST = ":5010";
|
||||||
|
PUFFER_PANEL_SETTINGS_MASTERURL = "https://mc.${jimdomain}";
|
||||||
PUFFER_PANEL_REGISTRATIONENABLED = "false";
|
PUFFER_PANEL_REGISTRATIONENABLED = "false";
|
||||||
PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
|
PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
|
||||||
PUFFER_PANEL_EMAIL_HOST = "mx.${bloxeldomain}:587";
|
PUFFER_PANEL_EMAIL_HOST = "mx.${bloxeldomain}:587";
|
||||||
|
@ -553,28 +562,10 @@ in
|
||||||
package = pkgs.mariadb;
|
package = pkgs.mariadb;
|
||||||
dataDir = "/var/lib/mysql";
|
dataDir = "/var/lib/mysql";
|
||||||
initialDatabases = [
|
initialDatabases = [
|
||||||
{ name = "nextcloud"; }
|
|
||||||
{ name = "matrix"; }
|
|
||||||
{ name = "git"; }
|
|
||||||
{ name = "minecraft"; }
|
{ name = "minecraft"; }
|
||||||
];
|
];
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = "nextcloud";
|
|
||||||
ensurePermissions = {
|
|
||||||
"nextcloud.*" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
}{
|
|
||||||
name = "matrix-synapse";
|
|
||||||
ensurePermissions = {
|
|
||||||
"matrix.*" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
}{
|
|
||||||
name = "gitea";
|
|
||||||
ensurePermissions = {
|
|
||||||
"git.*" = "ALL PRIVILEGES";
|
|
||||||
};
|
|
||||||
}{
|
|
||||||
name = "minecraft";
|
name = "minecraft";
|
||||||
ensurePermissions = {
|
ensurePermissions = {
|
||||||
"minecraft.*" = "ALL PRIVILEGES";
|
"minecraft.*" = "ALL PRIVILEGES";
|
||||||
|
@ -665,6 +656,17 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Sliding sync proxy for Matrix
|
||||||
|
matrix-sliding-sync = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
SYNCV3_SERVER = "${bloxeldomain}";
|
||||||
|
SYNCV3_BINDADDR = "0.0.0.0:8009";
|
||||||
|
SYNCV3_SECRET = secrets.matrixSecret;
|
||||||
|
};
|
||||||
|
environmentFile = "${pkgs.writeText "matrixsecret" secrets.matrixSecret}";
|
||||||
|
};
|
||||||
|
|
||||||
# Mastodon
|
# Mastodon
|
||||||
mastodon = {
|
mastodon = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
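Review bot: `environmentFile = "${pkgs.writeText "matrixsecret" secrets.matrixSecret}"` in the new `matrix-sliding-sync` block (and `SYNCV3_SECRET = secrets.matrixSecret` in `settings`, which is presumably rendered into the unit file) puts the sliding-sync secret into the Nix store, which is world-readable, so every local user and any build artefact copy can read it; point `environmentFile` at a root-owned file outside `/nix/store` holding `SYNCV3_SECRET=<value>` and drop the `settings` entry. As written the `writeText` file also contains only the bare value rather than a `KEY=VALUE` line, so it is likely not parsed as an environment file at all — worth confirming against the module. Separately, `SYNCV3_BINDADDR = "0.0.0.0:8009"` listens on every IPv4 address while the nginx vhost added in the `-328,8 +308,26` hunk proxies to `http://[::1]:8009`, which an IPv4 wildcard socket does not serve; binding to loopback, `SYNCV3_BINDADDR = "127.0.0.1:8009";`, with the `syncv3` proxyPass targets changed to `http://127.0.0.1:8009`, fixes the mismatch and keeps the proxy off non-loopback interfaces.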
|
@ -68,8 +68,8 @@
|
||||||
options = [ "bind" ];
|
options = [ "bind" ];
|
||||||
depends = [ "/export/JimboNFS" ];
|
depends = [ "/export/JimboNFS" ];
|
||||||
};
|
};
|
||||||
"/var/lib/pufferpanel/servers" = {
|
"/var/lib/private/pufferpanel/servers" = {
|
||||||
device = "/export/JimboNFS/MineServers";
|
device = "/export/JimboNFS/System/var/lib/pufferpanel/servers";
|
||||||
fsType = "none";
|
fsType = "none";
|
||||||
options = [ "bind" ];
|
options = [ "bind" ];
|
||||||
depends = [ "/export/JimboNFS" ];
|
depends = [ "/export/JimboNFS" ];
|
||||||
|
|
|
@ -358,7 +358,6 @@ let
|
||||||
P:/home/jimbo/JimboNFS/Projects
|
P:/home/jimbo/JimboNFS/Projects
|
||||||
V:/home/jimbo/JimboNFS/Videos/Random
|
V:/home/jimbo/JimboNFS/Videos/Random
|
||||||
m:/home/jimbo/JimboNFS/Music
|
m:/home/jimbo/JimboNFS/Music
|
||||||
L:/home/jimbo/JimboNFS/MineServers
|
|
||||||
s:/home/jimbo/JimboNFS/School
|
s:/home/jimbo/JimboNFS/School
|
||||||
'';
|
'';
|
||||||
in
|
in
|
||||||
|
@ -522,9 +521,7 @@ in
|
||||||
plugins = [ "git" ];
|
plugins = [ "git" ];
|
||||||
theme = "half-life";
|
theme = "half-life";
|
||||||
};
|
};
|
||||||
shellAliases = let
|
shellAliases = {
|
||||||
mineServers = ''/home/jimbo/JimboNFS/MineServers'';
|
|
||||||
in {
|
|
||||||
# NixOS aliases
|
# NixOS aliases
|
||||||
nixcfg = "nvim /etc/nixos/{configuration,jimbo,secrets,hardware-configuration}.nix";
|
nixcfg = "nvim /etc/nixos/{configuration,jimbo,secrets,hardware-configuration}.nix";
|
||||||
nixswitch = "${auth} nixos-rebuild switch";
|
nixswitch = "${auth} nixos-rebuild switch";
|
||||||
|
|