Changed a lot this one

2024-08-09 01:42:44 -04:00 · 2024-08-09 01:42:44 -04:00 · 9b56f1ecc2
parent 963e056b93
commit 9b56f1ecc2
4 changed files with 102 additions and 103 deletions
--- a/PC/jimbo.nix
+++ b/PC/jimbo.nix
@ -27,19 +27,19 @@ let

  # Wallpapers
  wallpaper1 = pkgs.fetchurl { 
-    url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper1.png";
+    url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper1.png";
    sha256 = "1zxb0p0fjsmccy4xv8yk3c4kc313k3lc3xhqmiv452f7sjqqbp25";
  };
  wallpaper2 = pkgs.fetchurl { 
-    url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper2.png";
+    url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper2.png";
    sha256 = "13jcllrs05d26iz2isvh1f8fqf20m23sps32kw7qz5iav8nhvsx7";
  };
  wallpaper3 = pkgs.fetchurl { 
-    url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/wallpaper3.png";
+    url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/wallpaper3.png";
    sha256 = "16r65qnr7f0md4bbjnzq6av4dgmqr3avkilw72qdmyrmh3xj03yw";
  };
  lockpaper = pkgs.fetchurl { 
-    url = "https://git.JimbosFiles.com/Jimbo/NixOS-Files/raw/branch/main/Extras/Wallpapers/lockpaper.png";
+    url = "https://git.JimbosFiles.com/Jimbo/NixOS-Config/raw/branch/main/Extras/Wallpapers/lockpaper.png";
    sha256 = "1mqvp4bic46gc994fawkraqj76hxd11wdd43qakligchzd20xjd5";
  };

--- a/Server/configuration.nix
+++ b/Server/configuration.nix
@ -44,11 +44,9 @@ in
  # Choose Grub as the bootloader
  boot = {
    kernelPackages = pkgs.linuxPackages_xanmod;
-    loader = {
-      grub = {
-        efiSupport = true;
-        device = "nodev";
-      };
+    loader.systemd-boot = {
+      enable = true;
+      netbootxyz.enable = true;
    };
  };

@ -76,9 +74,10 @@ in
    hashedPassword = secrets.jimboAccPassword;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEuCYrIZlD6LNpFh3XTYbXaPQWYysr1oZAX4DL3gF28l jimbo@DV-JHAMPTON"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPjBdQrL23pDbcsNCLMvJhcNF7+u95ZV7o1QemOmegf jimbo@JimNixPC"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeqiMCRXtpoP+BvKBmzvkL7oLKKCmbfdaQIF3yk/S8I jimbo@DV-JHAMPTON-NIXOS"
    ];
-    extraGroups = [ "wheel" "docker" "musicFolder" "nfsShare" ];
+    extraGroups = [ "wheel" "docker" "nfsShare" ];
    uid = 1000;
    shell = pkgs.zsh;
  };
@ -90,7 +89,7 @@ in
      isSystemUser = true;
    };
    nextcloud = {
-      extraGroups = [ "nfsShare" "musicFolder" ];
+      extraGroups = [ "nfsShare" ];
      isSystemUser = true;
    };
  };
@ -98,7 +97,6 @@ in
  # Define custom groups
  users.groups = {
    nfsShare = {};
-    musicFolder = {};
  };

  # Installed programs to the system profile.
@ -116,9 +114,13 @@ in
    # Choose networking method
    dhcpcd.enable = true;
    wireless.enable = false;
+
+    # Enable nftables over iptables
+    nftables.enable = true;
    
-    # Enable firewall passthrough
+    # Configure firewall
    firewall = {
+      # Allow different ports
      allowedTCPPorts = [ 
 	# NFS
 	2049
@ -129,7 +131,7 @@ in
 	# Minecraft
 	25565 19132 

-	# Pufferpanel sftp
+	# Pufferpanel SFTP
        5657

 	# Gitea SSH
@ -154,44 +156,22 @@ in
 	{ from = 49000; to = 50000; }
      ];

-      # Extra rules that cannot be done above
-      extraCommands = 
-
-      # SSH and game servers from my PC
-      ''
-        iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2211 -m comment --comment "SSH to PC" -j DNAT --to-destination ${pc}
-        iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 27005,27015,7777,29000 -m comment --comment "Games" -j DNAT --to-destination ${pc}
-      '' +
-
-      # Sunshine ports for PC and VM
-      ''
-        iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 48010,47989,47984 -m comment --comment "PC Sunshine TCP" -j DNAT --to-destination ${pc}
-        iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 47998,47999,48000 -m comment --comment "PC Sunshine UDP" -j DNAT --to-destination ${pc}
-
-        iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 38010,37989,37984 -m comment --comment "VM Sunshine TCP" -j DNAT --to-destination ${vm}
-        iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 37998,37999,38000 -m comment --comment "VM Sunshine UDP" -j DNAT --to-destination ${vm}
-      '' +
-
-      # Set an IP firewall for RTMP
-      ''
-	iptables -N RTMPCHAIN
-        iptables -A INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN
-	iptables -A RTMPCHAIN -s ${pc} -m comment --comment "Local PC" -j ACCEPT
-	iptables -A RTMPCHAIN -s 71.87.124.226 -m comment --comment "Luna IP" -j ACCEPT
-	iptables -A RTMPCHAIN -s 24.66.98.13 -m comment --comment "Freecorn IP" -j ACCEPT
-	iptables -A RTMPCHAIN -j DROP
-      '' +
-
-      # Finalize forwarding
-      ''
-        iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
+      # Forward rules for nftables
+      extraForwardRules = ''
+        # Allow forwarding of basic ports from PC
+        ip saddr ${pc} tcp dport 2211 accept comment "SSH from PC"
+        ip saddr ${pc} udp dport { 27005, 27015, 7777, 29000 } accept comment "Games from PC"
+      
+        # Allow forwarding of Sunshine traffic
+        ip saddr ${pc} tcp dport { 48010, 47989, 47984 } accept comment "Sunshine TCP from PC"
+        ip saddr ${pc} udp dport { 47998, 47999, 48000 } accept comment "Sunshine UDP from PC"
      '';

-      # Remove the chain and such
-      extraStopCommands = ''
-	iptables -D INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN
-        iptables -F RTMPCHAIN
-        iptables -X RTMPCHAIN
+      # Completely change to nftables
+      extraInputRules = ''
+	# Set an IP firewall for RTMP
+	ip saddr { ${pc}, ${secrets.lunaIP}, ${secrets.freecornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
+	ip saddr { 0.0.0.0/0 } tcp dport { 1935, 1945 } drop
      '';

      # Disallow pinging this server
@ -328,8 +308,26 @@ in
        "matrix.${bloxeldomain}" = {
          enableACME = true;
          forceSSL = true;
-          locations."/_matrix".proxyPass = "http://[::1]:8008";
-          locations."/_synapse".proxyPass = "http://[::1]:8008";
+	  locations = {
+	    "/".extraConfig = ''return 403;'';
+            "/_matrix".proxyPass = "http://[::1]:8008";
+            "/_synapse".proxyPass = "http://[::1]:8008";
+            "/client".proxyPass = "http://[::1]:8008";
+	  };
+        };
+
+	# Matrix Sliding Sync Proxy
+        "syncv3.${bloxeldomain}" = {
+          enableACME = true;
+          forceSSL = true;
+	  locations = {
+	    "/".extraConfig = ''return 403;'';
+            "/_matrix".proxyPass = "http://[::1]:8009";
+            "/client".proxyPass = "http://[::1]:8009";
+            "/sync".proxyPass = "http://[::1]:8009";
+            "/unstable".proxyPass = "http://[::1]:8009";
+            "/org.matrix.msc3575".proxyPass = "http://[::1]:8009";
+	  };
        };

 	# Element Proxy
@ -391,33 +389,43 @@ in
          enableACME = true;
          addSSL = true;
          root = "/var/www/bloxelcomweb/landing-page/";
-	  locations."/BloxelcomCable/hls" = {
-	    extraConfig = ''
-	      # Disable cache
-	      add_header Last-Modified $date_gmt;
-              add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
-              if_modified_since off;
-              expires off;
-              etag off;
+	  locations = {
+	    "/BloxelcomCable/hls" = {
+	      extraConfig = ''
+	        # Disable cache
+	        add_header Last-Modified $date_gmt;
+                add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+                if_modified_since off;
+                expires off;
+                etag off;

-	      # Allow serving m3u8 files
-              types {
-                application/vnd.apple.mpegurl m3u8;
-              }
-	    '';
-	  };
-	  locations."/.well-known/matrix/client" = {
-	    extraConfig = ''
-	      default_type application/json;
-	      add_header Access-Control-Allow-Origin *;
-	      return 200 '{"m.server": "matrix.${bloxeldomain}:443"}';
-	    '';
-	  };
-	  locations."/.well-known/matrix/server" = {
-	    extraConfig = ''
-	      default_type application/json;
-	      return 200 '{"m.server": "matrix.${bloxeldomain}:443"}';
-	    '';
+	        # Allow serving m3u8 files
+                types {
+                  application/vnd.apple.mpegurl m3u8;
+                }
+	      '';
+	    };
+	    "/.well-known/matrix/client" = {
+	      extraConfig = ''
+	        default_type application/json;
+	        add_header Access-Control-Allow-Origin *;
+	        return 200 '
+	        {
+	          "m.homeserver": {
+	            "base_url": "https://${bloxeldomain}"
+	          },
+	          "org.matrix.msc3575.proxy": {
+	            "url": "https://syncv3.${bloxeldomain}"
+	          }
+	        }';
+	      '';
+	    };
+	    "/.well-known/matrix/server" = {
+	      extraConfig = ''
+	        default_type application/json;
+	        return 200 '{"m.server": "matrix.${bloxeldomain}:443"}';
+	      '';
+	    };
 	  };
        };
      };
@ -531,6 +539,7 @@ in
      enable = true;
      environment = {
        PUFFER_WEB_HOST = ":5010";
+	PUFFER_PANEL_SETTINGS_MASTERURL = "https://mc.${jimdomain}";
 	PUFFER_PANEL_REGISTRATIONENABLED = "false";
 	PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
 	PUFFER_PANEL_EMAIL_HOST = "mx.${bloxeldomain}:587";
@ -553,28 +562,10 @@ in
      package = pkgs.mariadb;
      dataDir = "/var/lib/mysql";
      initialDatabases = [
-        { name = "nextcloud"; }
-        { name = "matrix"; }
-        { name = "git"; }
        { name = "minecraft"; }
      ];
      ensureUsers = [
        {
-          name = "nextcloud";
-          ensurePermissions = {
-            "nextcloud.*" = "ALL PRIVILEGES";
-          };
-        }{
-          name = "matrix-synapse";
-          ensurePermissions = {
-            "matrix.*" = "ALL PRIVILEGES";
-          };
-        }{
-          name = "gitea";
-          ensurePermissions = {
-            "git.*" = "ALL PRIVILEGES";
-          };
-        }{
          name = "minecraft";
          ensurePermissions = {
            "minecraft.*" = "ALL PRIVILEGES";
@ -665,6 +656,17 @@ in
      };
    };

+    # Sliding sync proxy for Matrix
+    matrix-sliding-sync = {
+      enable = true;
+      settings = {
+        SYNCV3_SERVER = "${bloxeldomain}";
+	SYNCV3_BINDADDR = "0.0.0.0:8009";
+	SYNCV3_SECRET = secrets.matrixSecret;
+      };
+      environmentFile = "${pkgs.writeText "matrixsecret" secrets.matrixSecret}";
+    };
+
    # Mastodon
    mastodon = {
      enable = true;
--- a/Server/hardware-configuration.nix
+++ b/Server/hardware-configuration.nix
@ -68,8 +68,8 @@
      options = [ "bind" ];
      depends = [ "/export/JimboNFS" ];
    };
-    "/var/lib/pufferpanel/servers" = {
-      device = "/export/JimboNFS/MineServers";
+    "/var/lib/private/pufferpanel/servers" = {
+      device = "/export/JimboNFS/System/var/lib/pufferpanel/servers";
      fsType = "none";
      options = [ "bind" ];
      depends = [ "/export/JimboNFS" ];
--- a/Server/jimbo.nix
+++ b/Server/jimbo.nix
@ -358,7 +358,6 @@ let
    P:/home/jimbo/JimboNFS/Projects
    V:/home/jimbo/JimboNFS/Videos/Random
    m:/home/jimbo/JimboNFS/Music
-    L:/home/jimbo/JimboNFS/MineServers
    s:/home/jimbo/JimboNFS/School
  '';
 in
@ -522,9 +521,7 @@ in
 	  plugins = [ "git" ];
          theme = "half-life";
        };
-        shellAliases = let 
-	  mineServers = ''/home/jimbo/JimboNFS/MineServers'';
-	in {
+        shellAliases = {
 	  # NixOS aliases
 	  nixcfg = "nvim /etc/nixos/{configuration,jimbo,secrets,hardware-configuration}.nix";
          nixswitch = "${auth} nixos-rebuild switch";