diff --git a/nixos/server.nix b/nixos/server.nix
index b7419ca..ec583dc 100644
--- a/nixos/server.nix
+++ b/nixos/server.nix
@@ -35,6 +35,7 @@
 ./server/minecraft
 ./server/tandoor.nix
 ./server/vaultwarden.nix
+ ./server/transmission.nix
 ./server/misc.nix
 # Matrix
diff --git a/nixos/server/firewall.nix b/nixos/server/firewall.nix
index a28ee4a..c78d44e 100644
--- a/nixos/server/firewall.nix
+++ b/nixos/server/firewall.nix
@@ -8,27 +8,13 @@ in {
 firewall = {
 allowPing = false;
- allowedTCPPorts = [
- 80 443 # Nginx
- 25565 19132 5657 # Pufferpanel
- 2299 # Gitea SSH
- 3478 5349 # Coturn
- ];
 allowedTCPPortRanges = [
 { from = 8100; to = 8150; } # Azuracast
 ];
- allowedUDPPorts = [
- 25565 19132 # Minecraft Voicechat and Bedrock
- 3478 5349 # Coturn UDP
- ];
- allowedUDPPortRanges = [
- { from = 49000; to = 50000; } # Coturn range
- ];
 # Add extra input rules using nftables
 extraInputRules = ''
 ip saddr ${ips.localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS"
- ip saddr ${ips.localSpan}.0/24 udp dport 53 accept comment "Accept DNS"
 ip saddr { ${ips.pc}, ${outputs.secrets.lunaIP}, ${outputs.secrets.cornIP}, ${outputs.secrets.vertIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
 '';
 };
diff --git a/nixos/server/gitea.nix b/nixos/server/gitea.nix
index 323801f..962ce9c 100644
--- a/nixos/server/gitea.nix
+++ b/nixos/server/gitea.nix
@@ -30,4 +30,7 @@
 };
 };
 };
+
+ # Allow Gitea SSH to work
+ networking.firewall.allowedTCPPorts = [ 2299 ];
 }
diff --git a/nixos/server/minecraft/servers/johnside.nix b/nixos/server/minecraft/servers/johnside.nix
index baed064..c85528c 100644
--- a/nixos/server/minecraft/servers/johnside.nix
+++ b/nixos/server/minecraft/servers/johnside.nix
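Review bot: The `ip saddr ${ips.localSpan}.0/24 udp dport 53 accept comment "Accept DNS"` rule is deleted from `extraInputRules` but, unlike every port list removed from this file, it is not re-added in any other file of this diff, so LAN clients lose UDP/53 to this host. If a resolver still runs here, move the rule into that service's module (`networking.firewall.extraInputRules = ''… udp dport 53 accept …'';` merges across modules just like the port lists do); if the resolver is gone, the commit message should say so since this is the only silent drop in the change. Note also that coturn had `3478 5349 # Coturn` under `allowedTCPPorts` here, and the synapse.nix hunk reopens them for UDP only. The `in {` attrset enclosing `firewall = {` begins outside the hunk.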
@@ -1,41 +1,65 @@
-{pkgs, ...}: let
+{pkgs, outputs, ...}: let
 common = import ../common.nix { inherit pkgs; };
 in {
- services.minecraft-servers.servers.johnside = {
- enable = true;
- package = pkgs.paperServers.paper-1_20_6;
- jvmOpts = "-Xmx4084M";
- serverProperties = common.serverProperties // {
- difficulty = 2;
- server-port = 30009;
- motd = "§l§9Johnside SMP§r §l§fworld for §4John lovers only.";
+ services = {
+ minecraft-servers.servers.johnside = {
+ enable = true;
+ package = pkgs.paperServers.paper-1_20_6;
+ jvmOpts = "-Xmx4084M";
+ serverProperties = common.serverProperties // {
+ difficulty = 2;
+ server-port = 30009;
+ motd = "§l§9Johnside SMP§r §l§fworld for §4John lovers only.";
+ };
+ whitelist = common.whitelist;
+ symlinks = common.symlinks // {
+ "plugins/BlueMap.jar" = builtins.fetchurl {
+ url = "https://cdn.modrinth.com/data/swbUV1cr/versions/TL5ElRWX/BlueMap-5.3-spigot.jar";
+ sha256 = "08ls3wk0333vjg49kcmri884pcgm2xk9xdhwcxyffbh4ra0xrlbw";
+ };
+ "plugins/BlueMapOfflinePlayers.jar" = builtins.fetchurl {
+ url = "https://github.com/TechnicJelle/BlueMapOfflinePlayerMarkers/releases/download/v3.0/BlueMapOfflinePlayerMarkers-3.0.jar";
+ sha256 = "1f07w53q7yr4mvph7013d7ajxmp4lnsv6b1ab14y2x0bmqv39nwr";
+ };
+ "plugins/BlueMapMarkerManager.jar" = builtins.fetchurl {
+ url = "https://cdn.modrinth.com/data/a8UoyV2h/versions/E0XoPfJV/BMM-2.1.5.jar";
+ sha256 = "1vpnqglybysxnqyzkjnwbwg000dqkbk516apzvhmg39wlfaysl9d";
+ };
+ "plugins/CustomDiscs.jar" = builtins.fetchurl {
+ url = "https://github.com/Navoei/CustomDiscs/releases/download/v3.0/custom-discs-3.0.jar";
+ sha256 = "0xv0zrkdmjx0d7l34nqag8j004pm9zqivc12d3zy9pdrkv7pz87d";
+ };
+ "plugins/NotTooExpensive.jar" = builtins.fetchurl {
+ url = "https://github.com/Mrredstone5230/Not-Too-Expensive/releases/download/1.1/not-too-expensive-1.1.jar";
+ sha256 = "0da4v5l7iwry3wc21292lkmjprgmign4vdshzmhp7qc9hx26pj2d";
+ };
+ "plugins/SilkTouchHands.jar" = builtins.fetchurl {
+ url = "https://github.com/5U55/SilkTouchSpigot/releases/download/v1.1/SilkTouchv1.1.jar";
+ sha256 = "0mbp73xclr7f5m2lbdfz6is1j8vvyv1qwpl28sm089zrpm73qn6w";
+ };
+ };
+ };
- whitelist = common.whitelist;
- symlinks = common.symlinks // {
- "plugins/BlueMap.jar" = builtins.fetchurl {
- url = "https://cdn.modrinth.com/data/swbUV1cr/versions/TL5ElRWX/BlueMap-5.3-spigot.jar";
- sha256 = "08ls3wk0333vjg49kcmri884pcgm2xk9xdhwcxyffbh4ra0xrlbw";
- };
- "plugins/BlueMapOfflinePlayers.jar" = builtins.fetchurl {
- url = "https://github.com/TechnicJelle/BlueMapOfflinePlayerMarkers/releases/download/v3.0/BlueMapOfflinePlayerMarkers-3.0.jar";
- sha256 = "1f07w53q7yr4mvph7013d7ajxmp4lnsv6b1ab14y2x0bmqv39nwr";
- };
- "plugins/BlueMapMarkerManager.jar" = builtins.fetchurl {
- url = "https://cdn.modrinth.com/data/a8UoyV2h/versions/E0XoPfJV/BMM-2.1.5.jar";
- sha256 = "1vpnqglybysxnqyzkjnwbwg000dqkbk516apzvhmg39wlfaysl9d";
- };
- "plugins/CustomDiscs.jar" = builtins.fetchurl {
- url = "https://github.com/Navoei/CustomDiscs/releases/download/v3.0/custom-discs-3.0.jar";
- sha256 = "0xv0zrkdmjx0d7l34nqag8j004pm9zqivc12d3zy9pdrkv7pz87d";
- };
- "plugins/NotTooExpensive.jar" = builtins.fetchurl {
- url = "https://github.com/Mrredstone5230/Not-Too-Expensive/releases/download/1.1/not-too-expensive-1.1.jar";
- sha256 = "0da4v5l7iwry3wc21292lkmjprgmign4vdshzmhp7qc9hx26pj2d";
- };
- "plugins/SilkTouchHands.jar" = builtins.fetchurl {
- url = "https://github.com/5U55/SilkTouchSpigot/releases/download/v1.1/SilkTouchv1.1.jar";
- sha256 = "0mbp73xclr7f5m2lbdfz6is1j8vvyv1qwpl28sm089zrpm73qn6w";
+
+ # BlueMap webhost
+ nginx.virtualHosts."john.${outputs.secrets.jimDomain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:31010";
+ proxyWebsockets = true;
 };
 };
 };
+
+ # Allow Nginx to read and write to paths
+ systemd.services.nginx.serviceConfig = {
+ ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ];
+ };
+
+ # Open HTTP and HTTPs ports
+ networking.firewall = {
+ allowedTCPPorts = [
+ 80 443 # Nginx
+ ];
+ };
 }
diff --git a/nixos/server/minecraft/servers/velocity.nix b/nixos/server/minecraft/servers/velocity.nix
index 732428e..ee86d80 100644
--- a/nixos/server/minecraft/servers/velocity.nix
+++ b/nixos/server/minecraft/servers/velocity.nix
@@ -36,4 +36,14 @@ in {
 };
 };
 };
+
+ # Open ports for proxy
+ networking.firewall = {
+ allowedTCPPorts = [
+ 25565 19132 5657 # Minecraft server info
+ ];
+ allowedUDPPorts = [
+ 25565 19132 # Minecraft server, VC, and Bedrock
+ ];
+ };
 }
diff --git a/nixos/server/nginx.nix b/nixos/server/nginx.nix
index c867a58..53066ba 100644
--- a/nixos/server/nginx.nix
+++ b/nixos/server/nginx.nix
@@ -40,16 +40,6 @@
 };
 };
 };
-
- # Bluemap Proxy, TODO, move this into the nix-minecraft flake configs
- "john.${outputs.secrets.jimDomain}" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:31010";
- proxyWebsockets = true;
- };
- };
 };
 appendConfig = ''
 rtmp {
@@ -76,4 +66,11 @@
 systemd.services.nginx.serviceConfig = {
 ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ];
 };
+
+ # Open HTTP and HTTPs ports
+ networking.firewall = {
+ allowedTCPPorts = [
+ 80 443 # Nginx
+ ];
+ };
 }
diff --git a/nixos/server/synapse.nix b/nixos/server/synapse.nix
index ea26672..81ed2e3 100644
--- a/nixos/server/synapse.nix
+++ b/nixos/server/synapse.nix
@@ -121,4 +121,14 @@
 };
 };
 };
+
+ # Open coturn ports
+ networking.firewall = {
+ allowedUDPPorts = [
+ 3478 5349 # Coturn UDP
+ ];
+ allowedUDPPortRanges = [
+ { from = 49000; to = 50000; } # Coturn range
+ ];
+ };
 }
diff --git a/nixos/server/transmission.nix b/nixos/server/transmission.nix
new file mode 100644
index 0000000..7b149f9
--- /dev/null
+++ b/nixos/server/transmission.nix
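Review bot: `systemd.services.nginx.serviceConfig = { ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ]; };` near the bottom of the johnside.nix hunk has nothing to do with BlueMap and duplicates the identical setting nginx.nix still carries (visible as context in that file's second hunk), so it should be dropped from this file. The `80 443 # Nginx` entry is likewise already opened by nginx.nix; NixOS merges the lists so nothing breaks, but it means two files must be edited whenever the web ports change, and a BlueMap module only needs to own its own vhost. The vhost proxies to `127.0.0.1:31010` with no access control and the hunk does not show how BlueMap's own webserver is bound, so confirm it listens on loopback only (e.g. a one-line comment `# BlueMap webserver bound to 127.0.0.1:31010; only reachable through this vhost` once verified).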
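Review bot: Port `5657` in the velocity.nix `allowedTCPPorts` was labelled `# Pufferpanel` in firewall.nix before this change and is relabelled `# Minecraft server info` here; if it is in fact the panel's listener it belongs in the module that configures that service rather than under the proxy's ports, and if it is a Velocity port the comment should say which one. A comment of the form `25565 19132 5657 # Velocity: Java, Bedrock (Geyser), <what 5657 serves>` would make the intent checkable against the proxy config. The `in {` attrset this is added to begins outside the hunk.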
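Review bot: Only the UDP side of coturn is reopened in the synapse.nix hunk; firewall.nix previously listed `3478 5349 # Coturn` under `allowedTCPPorts` as well, and that entry is not moved anywhere in this diff, so TURN over TCP and TURN-over-TLS on 5349 will be blocked after this commit. If the coturn configuration (outside this hunk) still has TCP/TLS listeners, add `allowedTCPPorts = [ 3478 5349 ]; # Coturn TCP/TLS` alongside the UDP lists; if they were dropped on purpose, a comment saying so would stop the next reader from re-adding them. The `}` the hunk closes belongs to an attrset that begins outside the hunk.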
@@ -0,0 +1,20 @@
+{pkgs, outputs, ...}: {
+ services = {
+ transmission = {
+ enable = true;
+ credentialsFile = pkgs.writeText "credentials" outputs.secrets.transmissionCredFile;
+ openPeerPorts = true;
+ settings = {
+ rpc-authentication-required = true;
+ };
+ };
+ nginx.virtualHosts."torrent.${outputs.secrets.jimDomain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9091";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index 83e6cfd..dea9ce7 100644
Binary files a/secrets.nix and b/secrets.nix differ
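Review bot: `credentialsFile = pkgs.writeText "credentials" outputs.secrets.transmissionCredFile;` writes the RPC username and password into the Nix store, which is world-readable on the host, so every local user and any machine that pulls this closure from a cache can read them — the same exposure the `credentialsFile` option exists to avoid. Point it at a root-owned file provisioned outside the store instead, e.g. `credentialsFile = "/run/secrets/transmission-rpc";`, with the file materialised at activation by whatever deploys the rest of `outputs.secrets`. `rpc-authentication-required = true` together with the `forceSSL` vhost is the right shape for the web UI, and `openPeerPorts = true` only exposes the peer port, so the rest of the hunk is fine once the credential path is fixed.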