Final backup of server before flake transition

This commit is contained in:
Jimbo 2024-08-24 21:08:56 -04:00
parent d860401e1f
commit a90e09db74
2 changed files with 91 additions and 116 deletions


@ -4,9 +4,6 @@ let
homeManager = fetchTarball
"https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";
# Define domains and ips
jimDomain = ''jimbosfiles.com'';
# IPs
netInt = ''eno1'';
localSpan = ''10.0.0'';
@ -26,10 +23,9 @@ in
"${homeManager}/nixos"
# Mail server import
(builtins.fetchTarball {
url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-24.05/nixos-mailserver-nixos-24.05.tar.gz";
sha256 = "0clvw4622mqzk1aqw1qn6shl9pai097q62mq1ibzscnjayhp278b";
})
(fetchTarball
"https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-24.05/nixos-mailserver-nixos-24.05.tar.gz"
)
];
# Allow unfree packages
@ -105,7 +101,7 @@ in
];
# Define timezone and networking settings
time.timeZone = "America/New_York";
time.timeZone = secrets.timeZone;
networking = {
hostName = "JimNixServer";
@ -118,7 +114,7 @@ in
allowPing = false;
allowedTCPPorts = [
80 443 # Nginx
25565 19132 5657 # Minecraft & Pufferpanel SFTP
25565 19132 5657 # Pufferpanel
2299 # Gitea SSH
3478 5349 # Coturn
];
@ -208,24 +204,24 @@ in
'';
};
# DDClient for Dynamic IPpanels
# DDClient for Dynamic IPs
ddclient = {
enable = true;
protocol = "cloudflare";
use = "web, web=https://ipinfo.io/ip";
zone = "${jimDomain}";
zone = "${secrets.jimDomain}";
username = "token";
passwordFile = "${pkgs.writeText "cloudflareapikey" secrets.flareApiKey}";
domains = [
"${jimDomain}"
"*.${jimDomain}"
"beta.${jimDomain}"
"git.${jimDomain}"
"john.${jimDomain}"
"mc.${jimDomain}"
"mx.${jimDomain}"
"panel.${jimDomain}"
"rtmp.${jimDomain}"
"${secrets.jimDomain}"
"*.${secrets.jimDomain}"
"beta.${secrets.jimDomain}"
"git.${secrets.jimDomain}"
"john.${secrets.jimDomain}"
"mc.${secrets.jimDomain}"
"mx.${secrets.jimDomain}"
"panel.${secrets.jimDomain}"
"rtmp.${secrets.jimDomain}"
];
};
@ -241,7 +237,7 @@ in
recommendedProxySettings = true;
virtualHosts = {
# Homepage redirect
"${jimDomain}" = {
"${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "/var/www/jimweb";
@ -252,13 +248,13 @@ in
return 200 '
{
"m.homeserver": {
"base_url": "https://matrix.${jimDomain}"
"base_url": "https://matrix.${secrets.jimDomain}"
},
"m.identity_server": {
"base_url": "https://matrix.org"
},
"org.matrix.msc3575.proxy": {
"url": "https://matrix.${jimDomain}"
"url": "https://matrix.${secrets.jimDomain}"
}
}';
'';
@ -266,14 +262,14 @@ in
"/.well-known/matrix/server" = {
extraConfig = ''
default_type application/json;
return 200 '{"m.server": "matrix.${jimDomain}:443"}';
return 200 '{"m.server": "matrix.${secrets.jimDomain}:443"}';
'';
};
};
};
# Nextcloud Proxy
"cloud.${jimDomain}" = {
"cloud.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
locations."/" = {
@ -290,7 +286,7 @@ in
};
# Vaultwarden Proxy
"warden.${jimDomain}" = {
"warden.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
@ -300,7 +296,7 @@ in
};
# Recipes Proxy
"recipes.${jimDomain}" = {
"recipes.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
@ -310,7 +306,7 @@ in
};
# Bluemap Proxy
"bluemap.${jimDomain}" = {
"bluemap.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
@ -320,7 +316,7 @@ in
};
# Gitea Proxy
"git.${jimDomain}" = {
"git.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
@ -330,7 +326,7 @@ in
};
# Pufferpanel Proxy
"panel.${jimDomain}" = {
"panel.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
@ -340,7 +336,7 @@ in
};
# Matrix Proxy
"matrix.${jimDomain}" = {
"matrix.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
@ -353,14 +349,14 @@ in
};
# Element Proxy
"chat.${jimDomain}" = {
"chat.${secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "${pkgs.element-web}";
};
# Coturn Proxy
"turn.${jimDomain}" = {
"turn.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
listen = [
@ -370,7 +366,7 @@ in
};
# Radio Proxy
"radio.${jimDomain}" = {
"radio.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
@ -380,7 +376,7 @@ in
};
# Streaming proxy
"live.${jimDomain}" = {
"live.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
@ -390,7 +386,7 @@ in
};
# Mail certificate proxy
"mx.${jimDomain}" = {
"mx.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
@ -400,20 +396,10 @@ in
};
# Add SSL to Lemmy
"lemmy.${jimDomain}" = {
"lemmy.${secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
};
# Adguard
"guard.${jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
proxyWebsockets = true;
};
};
};
appendConfig = ''
rtmp {
@ -440,7 +426,7 @@ in
nextcloud = {
enable = true;
package = pkgs.nextcloud29;
hostName = "cloud.${jimDomain}";
hostName = "cloud.${secrets.jimDomain}";
datadir = "/mnt/nextcloud";
https = true;
config = {
@ -449,15 +435,15 @@ in
};
settings = {
trusted_proxies = [ "127.0.0.1" ];
trusted_domains = [ "cloud.${jimDomain}" ];
trusted_domains = [ "cloud.${secrets.jimDomain}" ];
overwriteprotocol = "https";
# Mailserver settings
mail_smtphost = "mx.${jimDomain}";
mail_domain = "${jimDomain}";
mail_smtphost = "mx.${secrets.jimDomain}";
mail_domain = "${secrets.jimDomain}";
mail_from_address = "noreply";
mail_smtpauth = "true";
mail_smtpname = "noreply@${jimDomain}";
mail_smtpname = "noreply@${secrets.jimDomain}";
mail_smtppassword = secrets.noreplyPassword;
mail_smtpmode = "smtp";
mail_smtpport = 587;
@ -468,17 +454,17 @@ in
vaultwarden = {
enable = true;
config = {
DOMAIN = "https://warden.${jimDomain}";
DOMAIN = "https://warden.${secrets.jimDomain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
# Smtp email
SMTP_HOST = "mx.${jimDomain}";
SMTP_FROM = "noreply@${jimDomain}";
SMTP_HOST = "mx.${secrets.jimDomain}";
SMTP_FROM = "Jimbo's Vaultwarden <noreply@${secrets.jimDomain}>";
SMTP_FROM_NAME = "Vaultwarden";
SMTP_USERNAME = "noreply@${jimDomain}";
SMTP_USERNAME = "noreply@${secrets.jimDomain}";
SMTP_PASSWORD = secrets.noreplyPassword;
SMTP_SECURITY = "starttls";
SMTP_PORT = 587;
@ -497,21 +483,21 @@ in
enable = true;
settings = {
server = {
DOMAIN = "git.${jimDomain}";
ROOT_URL = "https://git.${jimDomain}:443";
DOMAIN = "git.${secrets.jimDomain}";
ROOT_URL = "https://git.${secrets.jimDomain}:443";
HTTP_PORT = 3110;
SSH_PORT = 2299;
START_SSH_SERVER = true;
};
mailer = {
ENABLED = true;
SMTP_ADDR = "mx.${jimDomain}";
FROM = "noreply@${jimDomain}";
SMTP_ADDR = "mx.${secrets.jimDomain}";
FROM = "Jimbo's Git <noreply@${secrets.jimDomain}>";
USER = "noreply@${secrets.jimDomain}";
PASSWD = secrets.noreplyPassword;
PROTOCOL = "smtp+starttls";
SMTP_PORT = 587;
PROTOCOL = "smtps";
};
service.DISABLE_REGISTRATION = true;
service.REGISTER_EMAIL_CONFIRM = true;
};
};
@ -520,12 +506,12 @@ in
enable = true;
environment = {
PUFFER_WEB_HOST = ":5010";
PUFFER_PANEL_SETTINGS_MASTERURL = "https://panel.${jimDomain}";
PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
PUFFER_PANEL_EMAIL_HOST = "mx.${jimDomain}:587";
PUFFER_PANEL_EMAIL_FROM = "noreply@${jimDomain}";
PUFFER_PANEL_EMAIL_USERNAME = "noreply@${jimDomain}";
PUFFER_PANEL_EMAIL_PASSWORD = secrets.noreplyPassword;
PUFFER_PANEL_SETTINGS_MASTERURL = "https://panel.${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
PUFFER_PANEL_EMAIL_HOST = "mx.${secrets.jimDomain}:587";
PUFFER_PANEL_EMAIL_FROM = "noreply@${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_USERNAME = "noreply@${secrets.jimDomain}";
PUFFER_PANEL_EMAIL_PASSWORD = secrets.noreplyPassword;
};
extraPackages = with pkgs; [ bash curl gawk gnutar gzip ];
package = pkgs.buildFHSEnv {
@ -536,6 +522,7 @@ in
};
};
# MariaDB
mysql = {
enable = true;
@ -570,7 +557,7 @@ in
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
realm = "turn.${jimDomain}";
realm = "turn.${secrets.jimDomain}";
static-auth-secret = "will be world readable for local users :(";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
@ -580,8 +567,8 @@ in
matrix-synapse = with config.services.coturn; {
enable = true;
settings = {
server_name = "${jimDomain}";
public_baseurl = "https://matrix.${jimDomain}";
server_name = "${secrets.jimDomain}";
public_baseurl = "https://matrix.${secrets.jimDomain}";
suppress_key_server_warning = true;
# Set the network config
@ -597,9 +584,9 @@ in
# Enable smtp for password resets
email = {
notif_from = "Jimbo's Matrix Homeserver <noreply@${jimDomain}>";
smtp_host = "mx.${jimDomain}";
smtp_user = "noreply@${jimDomain}";
notif_from = "Jimbo's Matrix <noreply@${secrets.jimDomain}>";
smtp_host = "mx.${secrets.jimDomain}";
smtp_user = "noreply@${secrets.jimDomain}";
smtp_pass = secrets.noreplyPassword;
enable_tls = true;
smtp_port = 587;
@ -647,7 +634,7 @@ in
in {
enable = true;
settings = {
SYNCV3_SERVER = "https://matrix.${jimDomain}";
SYNCV3_SERVER = "https://matrix.${secrets.jimDomain}";
SYNCV3_BINDADDR = "0.0.0.0:8009";
};
environmentFile = "${matrixSecretFile}";
@ -656,16 +643,16 @@ in
# Mastodon
mastodon = {
enable = true;
localDomain = "social.${jimDomain}";
localDomain = "social.${secrets.jimDomain}";
streamingProcesses = 4;
configureNginx = true;
smtp = {
createLocally = false;
host = "mx.${jimDomain}";
host = "mx.${secrets.jimDomain}";
port = 587;
authenticate = true;
fromAddress = "noreply@${jimDomain}";
user = "noreply@${jimDomain}";
fromAddress = "Jimbo's Mastodon <noreply@${secrets.jimDomain}>";
user = "noreply@${secrets.jimDomain}";
passwordFile = pkgs.writeText "smtp_pass.txt" secrets.noreplyPassword;
};
};
@ -676,11 +663,11 @@ in
nginx.enable = true;
database.createLocally = true;
settings = {
hostname = "lemmy.${jimDomain}";
hostname = "lemmy.${secrets.jimDomain}";
email = {
smtp_server = "mx.${jimDomain}:587";
smtp_login = "noreply@${jimDomain}";
smtp_from_address = "noreply@${jimDomain}";
smtp_server = "mx.${secrets.jimDomain}:587";
smtp_login = "noreply@${secrets.jimDomain}";
smtp_from_address = "Jimbo's Lemmy <noreply@${secrets.jimDomain}>";
smtp_password = secrets.noreplyPassword;
tls_type = "starttls";
};
@ -690,7 +677,7 @@ in
# Roundcube mail server
roundcube = {
enable = true;
hostName = "mail.${jimDomain}";
hostName = "mail.${secrets.jimDomain}";
extraConfig = ''
$config['smtp_server'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
@ -698,9 +685,6 @@ in
'';
};
# Enable a custom DNS server
adguardhome.enable = true;
# Snowflake proxy for Tor
snowflake-proxy.enable = true;
@ -711,19 +695,17 @@ in
redis.servers.rspamd.port = 1515;
};
# Make Nginx not shit itself
# Force Nginx to work and be able to read+write the hls path
security.pam.services.nginx.setEnvironment = false;
systemd.services.nginx.serviceConfig = {
SupplementaryGroups = [ "shadow" ];
ReadWritePaths = [ "/var/www/jimweb/streams/hls/" ];
};
systemd.services.nginx.serviceConfig.ReadWritePaths = [
"/var/www/jimweb/streams/hls/"
];
# Get certificates for Coturn
security.acme = {
acceptTerms = true;
defaults.email = "jimjam4real@gmail.com";
defaults.email = secrets.jimEmail;
certs = {
${config.services.coturn.realm} = {
group = "turnserver";
@ -736,16 +718,16 @@ in
nixpkgs.config.element-web.conf = {
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.${jimDomain}";
server_name = "matrix.${jimDomain}";
base_url = "https://matrix.${secrets.jimDomain}";
server_name = "matrix.${secrets.jimDomain}";
};
};
branding = {
#welcome_background_url = "https://staging.${jimDomain}/images/backgrounds/bloxelcom-sunset.jpg";
#auth_header_logo_url = "https://staging.${jimDomain}/images/logos/bloxelcom.png";
#welcome_background_url = "https://staging.${secrets.jimDomain}/images/backgrounds/bloxelcom-sunset.jpg";
#auth_header_logo_url = "https://staging.${secrets.jimDomain}/images/logos/bloxelcom.png";
};
embedded_pages = {
home_url = "https://www.${jimDomain}/";
home_url = "https://www.${secrets.jimDomain}/";
};
disable_custom_urls = true;
disable_guests = true;
@ -755,17 +737,15 @@ in
# Enable Docker
virtualisation.docker = {
enable = true;
daemon.settings = {
log-driver = "json-file";
};
daemon.settings.log-driver = "json-file";
};
# Mail server
mailserver = rec {
enable = true;
enableManageSieve = true;
domains = [ "${jimDomain}" ];
fqdn = "mx.${jimDomain}";
domains = [ "${secrets.jimDomain}" ];
fqdn = "mx.${secrets.jimDomain}";
certificateScheme = "acme-nginx";
localDnsResolver = false;
redis.port = 1515;
@ -773,23 +753,23 @@ in
# A list of accounts.
# Generate passwords with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"noreply@${jimDomain}" = {
"noreply@${secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "noreply" secrets.noreplyMailHash;
sendOnly = true;
};
"jimbo@${jimDomain}" = {
"jimbo@${secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "jimbo" secrets.jimboMailHash;
aliases = [ "canada@${jimDomain}" "contact@${jimDomain}" ];
aliases = [ "canada@${secrets.jimDomain}" "contact@${secrets.jimDomain}" ];
};
"lunamoonlight@${jimDomain}" = {
"lunamoonlight@${secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "luna" secrets.lunaMailHash;
aliases = [ "us@${jimDomain}" "contact@${jimDomain}" ];
aliases = [ "us@${secrets.jimDomain}" "contact@${secrets.jimDomain}" ];
};
"freecorn1854@${jimDomain}" = {
"freecorn1854@${secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "freecorn" secrets.freecornMailHash;
aliases = [ "canada@${jimDomain}" "contact@${jimDomain}" ];
aliases = [ "canada@${secrets.jimDomain}" "contact@${secrets.jimDomain}" ];
};
"tinyattack09@${jimDomain}" = {
"tinyattack09@${secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "tiny" secrets.tinyMailHash;
};
};
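Review bot: Moving the domain into `secrets` does not protect the actual secret material, because several lines still write it into the Nix store, which is world-readable on the host: `passwordFile = "${pkgs.writeText "cloudflareapikey" secrets.flareApiKey}";` in the ddclient block, `passwordFile = pkgs.writeText "smtp_pass.txt" secrets.noreplyPassword;` in the mastodon block, and the `hashedPasswordFile = pkgs.writeText ... secrets.*MailHash` lines in `loginAccounts`; those options exist precisely so the value can live in a root-only file outside the store, so each should point at such a path rather than a `writeText` derivation. Separately, the gitea mailer hunk changes `PROTOCOL = "smtp+starttls";` to `PROTOCOL = "smtps";` while dropping `SMTP_PORT = 587;`, so Gitea will fall back to its implicit-TLS default port (465); every other service in this file still uses `mx.${secrets.jimDomain}` on 587 with STARTTLS, so confirm the mail server actually serves 465 or keep the port explicit. Which of `USER`, `service.DISABLE_REGISTRATION` and `service.REGISTER_EMAIL_CONFIRM` is newly added in that hunk is not recoverable from the rendered page, but the registration-disabling settings are the right defaults for a single-user forge.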


@ -92,7 +92,6 @@ let
"text": "date -d @$(stat -c %W /) '+%a %b %d %r %Z %Y'",
"key": "󰶡 "
},
{
"type": "custom",
"format": "\u001b[1m"
@ -495,7 +494,6 @@ in
".config/ranger/rc.conf".text = rangerConf;
".config/ranger/rifle.conf".text = rifleConf;
".config/ranger/scope.sh" = { text = rangerScope; executable = true; };
".local/share/ranger/bookmarks".text = rangerBookmarks;
".config/ranger/plugins/devicons/devicons.py".source = "${pkgs.fetchurl {
url = "https://raw.githubusercontent.com/alexanderjeurissen/ranger_devicons/2c3c19dffb4238d01c74515c9eed5088066db243/devicons.py";
sha256 = "0girsranwhsgc6kcyh1mkwymx0bl14a2k5nzk3kyllb6ic48c33k";
@ -536,9 +534,6 @@ in
# Curl tools
myip = "curl ifconfig.co";
# Start basic programs
controlpanel = "tmux new-session -d -s control; tmux attach -t control";
};
};