From b69c9dbbbf165f1aadbfb83706be6f13db60ee54 Mon Sep 17 00:00:00 2001 From: Jimbo Date: Wed, 4 Sep 2024 20:22:13 -0400 Subject: [PATCH] Move more things into their 'correct' place --- nixos/server.nix | 1 + nixos/server/firewall.nix | 14 --- nixos/server/gitea.nix | 3 + nixos/server/minecraft/servers/johnside.nix | 92 ++++++++++++-------- nixos/server/minecraft/servers/velocity.nix | 10 +++ nixos/server/nginx.nix | 17 ++-- nixos/server/synapse.nix | 10 +++ nixos/server/transmission.nix | 20 +++++ secrets.nix | Bin 1742 -> 1900 bytes 9 files changed, 109 insertions(+), 58 deletions(-) create mode 100644 nixos/server/transmission.nix diff --git a/nixos/server.nix b/nixos/server.nix index b7419ca..ec583dc 100644 --- a/nixos/server.nix +++ b/nixos/server.nix @@ -35,6 +35,7 @@ ./server/minecraft ./server/tandoor.nix ./server/vaultwarden.nix + ./server/transmission.nix ./server/misc.nix # Matrix diff --git a/nixos/server/firewall.nix b/nixos/server/firewall.nix index a28ee4a..c78d44e 100644 --- a/nixos/server/firewall.nix +++ b/nixos/server/firewall.nix @@ -8,27 +8,13 @@ in { firewall = { allowPing = false; - allowedTCPPorts = [ - 80 443 # Nginx - 25565 19132 5657 # Pufferpanel - 2299 # Gitea SSH - 3478 5349 # Coturn - ]; allowedTCPPortRanges = [ { from = 8100; to = 8150; } # Azuracast ]; - allowedUDPPorts = [ - 25565 19132 # Minecraft Voicechat and Bedrock - 3478 5349 # Coturn UDP - ]; - allowedUDPPortRanges = [ - { from = 49000; to = 50000; } # Coturn range - ]; # Add extra input rules using nftables extraInputRules = '' ip saddr ${ips.localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS" - ip saddr ${ips.localSpan}.0/24 udp dport 53 accept comment "Accept DNS" ip saddr { ${ips.pc}, ${outputs.secrets.lunaIP}, ${outputs.secrets.cornIP}, ${outputs.secrets.vertIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP" ''; }; diff --git a/nixos/server/gitea.nix b/nixos/server/gitea.nix index 323801f..962ce9c 100644 --- a/nixos/server/gitea.nix 
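Review bot: Two of the rules removed from firewall.nix in this hunk do not reappear anywhere else in the patch: the TCP entries `3478 5349 # Coturn` from allowedTCPPorts, and the `ip saddr ${ips.localSpan}.0/24 udp dport 53 accept comment "Accept DNS"` line in extraInputRules. The synapse.nix hunk re-adds Coturn only on UDP (3478, 5349 and the 49000-50000 relay range), so TURN over TCP and TURNS on 5349/TCP would now be blocked, and LAN DNS queries to this host would be dropped, unless both removals are intentional. If they are not, add `allowedTCPPorts = [ 3478 5349 ]; # Coturn TCP/TLS` beside the new UDP block in synapse.nix and restore the DNS accept line here or next to whatever serves DNS. The surrounding module attrset continues outside the hunk on both sides.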
+++ b/nixos/server/gitea.nix @@ -30,4 +30,7 @@ }; }; }; + + # Allow Gitea SSH to work + networking.firewall.allowedTCPPorts = [ 2299 ]; } diff --git a/nixos/server/minecraft/servers/johnside.nix b/nixos/server/minecraft/servers/johnside.nix index baed064..c85528c 100644 --- a/nixos/server/minecraft/servers/johnside.nix +++ b/nixos/server/minecraft/servers/johnside.nix 
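Review bot: The new `networking.firewall.allowedTCPPorts = [ 2299 ];` repeats the SSH port as a literal, while the port Gitea actually listens on is presumably set elsewhere in this file, outside the hunk. If that setting is `services.gitea.settings.server.SSH_PORT`, writing `networking.firewall.allowedTCPPorts = [ config.services.gitea.settings.server.SSH_PORT ];` keeps the firewall and the service from drifting apart (this needs `config` in the module arguments, which the hunk does not show). The enclosing attrset starts outside the hunk.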
@@ -1,41 +1,65 @@ -{pkgs, ...}: let +{pkgs, outputs, ...}: let common = import ../common.nix { inherit pkgs; }; in { - services.minecraft-servers.servers.johnside = { - enable = true; - package = pkgs.paperServers.paper-1_20_6; - jvmOpts = "-Xmx4084M"; - serverProperties = common.serverProperties // { - difficulty = 2; - server-port = 30009; - motd = "§l§9Johnside SMP§r §l§fworld for §4John lovers only."; + services = { + minecraft-servers.servers.johnside = { + enable = true; + package = pkgs.paperServers.paper-1_20_6; + jvmOpts = "-Xmx4084M"; + serverProperties = common.serverProperties // { + difficulty = 2; + server-port = 30009; + motd = "§l§9Johnside SMP§r §l§fworld for §4John lovers only."; + }; + whitelist = common.whitelist; + symlinks = common.symlinks // { + "plugins/BlueMap.jar" = builtins.fetchurl { + url = "https://cdn.modrinth.com/data/swbUV1cr/versions/TL5ElRWX/BlueMap-5.3-spigot.jar"; + sha256 = "08ls3wk0333vjg49kcmri884pcgm2xk9xdhwcxyffbh4ra0xrlbw"; + }; + "plugins/BlueMapOfflinePlayers.jar" = builtins.fetchurl { + url = "https://github.com/TechnicJelle/BlueMapOfflinePlayerMarkers/releases/download/v3.0/BlueMapOfflinePlayerMarkers-3.0.jar"; + sha256 = "1f07w53q7yr4mvph7013d7ajxmp4lnsv6b1ab14y2x0bmqv39nwr"; + }; + "plugins/BlueMapMarkerManager.jar" = builtins.fetchurl { + url = "https://cdn.modrinth.com/data/a8UoyV2h/versions/E0XoPfJV/BMM-2.1.5.jar"; + sha256 = "1vpnqglybysxnqyzkjnwbwg000dqkbk516apzvhmg39wlfaysl9d"; + }; + "plugins/CustomDiscs.jar" = builtins.fetchurl { + url = "https://github.com/Navoei/CustomDiscs/releases/download/v3.0/custom-discs-3.0.jar"; + sha256 = "0xv0zrkdmjx0d7l34nqag8j004pm9zqivc12d3zy9pdrkv7pz87d"; + }; + "plugins/NotTooExpensive.jar" = builtins.fetchurl { + url = "https://github.com/Mrredstone5230/Not-Too-Expensive/releases/download/1.1/not-too-expensive-1.1.jar"; + sha256 = "0da4v5l7iwry3wc21292lkmjprgmign4vdshzmhp7qc9hx26pj2d"; + }; + "plugins/SilkTouchHands.jar" = builtins.fetchurl { + url = 
"https://github.com/5U55/SilkTouchSpigot/releases/download/v1.1/SilkTouchv1.1.jar"; + sha256 = "0mbp73xclr7f5m2lbdfz6is1j8vvyv1qwpl28sm089zrpm73qn6w"; + }; + }; }; - whitelist = common.whitelist; - symlinks = common.symlinks // { - "plugins/BlueMap.jar" = builtins.fetchurl { - url = "https://cdn.modrinth.com/data/swbUV1cr/versions/TL5ElRWX/BlueMap-5.3-spigot.jar"; - sha256 = "08ls3wk0333vjg49kcmri884pcgm2xk9xdhwcxyffbh4ra0xrlbw"; - }; - "plugins/BlueMapOfflinePlayers.jar" = builtins.fetchurl { - url = "https://github.com/TechnicJelle/BlueMapOfflinePlayerMarkers/releases/download/v3.0/BlueMapOfflinePlayerMarkers-3.0.jar"; - sha256 = "1f07w53q7yr4mvph7013d7ajxmp4lnsv6b1ab14y2x0bmqv39nwr"; - }; - "plugins/BlueMapMarkerManager.jar" = builtins.fetchurl { - url = "https://cdn.modrinth.com/data/a8UoyV2h/versions/E0XoPfJV/BMM-2.1.5.jar"; - sha256 = "1vpnqglybysxnqyzkjnwbwg000dqkbk516apzvhmg39wlfaysl9d"; - }; - "plugins/CustomDiscs.jar" = builtins.fetchurl { - url = "https://github.com/Navoei/CustomDiscs/releases/download/v3.0/custom-discs-3.0.jar"; - sha256 = "0xv0zrkdmjx0d7l34nqag8j004pm9zqivc12d3zy9pdrkv7pz87d"; - }; - "plugins/NotTooExpensive.jar" = builtins.fetchurl { - url = "https://github.com/Mrredstone5230/Not-Too-Expensive/releases/download/1.1/not-too-expensive-1.1.jar"; - sha256 = "0da4v5l7iwry3wc21292lkmjprgmign4vdshzmhp7qc9hx26pj2d"; - }; - "plugins/SilkTouchHands.jar" = builtins.fetchurl { - url = "https://github.com/5U55/SilkTouchSpigot/releases/download/v1.1/SilkTouchv1.1.jar"; - sha256 = "0mbp73xclr7f5m2lbdfz6is1j8vvyv1qwpl28sm089zrpm73qn6w"; + + # BlueMap webhost + nginx.virtualHosts."john.${outputs.secrets.jimDomain}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:31010"; + proxyWebsockets = true; }; }; }; + + # Allow Nginx to read and write to paths + systemd.services.nginx.serviceConfig = { + ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ]; + }; + + # Open HTTP and HTTPs ports + 
networking.firewall = { + allowedTCPPorts = [ + 80 443 # Nginx + ]; + }; } diff --git a/nixos/server/minecraft/servers/velocity.nix b/nixos/server/minecraft/servers/velocity.nix index 732428e..ee86d80 100644 --- a/nixos/server/minecraft/servers/velocity.nix +++ b/nixos/server/minecraft/servers/velocity.nix @@ -36,4 +36,14 @@ in { }; }; }; + + # Open ports for proxy + networking.firewall = { + allowedTCPPorts = [ + 25565 19132 5657 # Minecraft server info + ]; + allowedUDPPorts = [ + 25565 19132 # Minecraft server, VC, and Bedrock + ]; + }; } diff --git a/nixos/server/nginx.nix b/nixos/server/nginx.nix index c867a58..53066ba 100644 --- a/nixos/server/nginx.nix +++ b/nixos/server/nginx.nix @@ -40,16 +40,6 @@ }; }; }; - - # Bluemap Proxy, TODO, move this into the nix-minecraft flake configs - "john.${outputs.secrets.jimDomain}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:31010"; - proxyWebsockets = true; - }; - }; }; appendConfig = '' rtmp { @@ -76,4 +66,11 @@ systemd.services.nginx.serviceConfig = { ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ]; }; + + # Open HTTP and HTTPs ports + networking.firewall = { + allowedTCPPorts = [ + 80 443 # Nginx + ]; + }; } diff --git a/nixos/server/synapse.nix b/nixos/server/synapse.nix index ea26672..81ed2e3 100644 --- a/nixos/server/synapse.nix +++ b/nixos/server/synapse.nix @@ -121,4 +121,14 @@ }; }; }; + + # Open coturn ports + networking.firewall = { + allowedUDPPorts = [ + 3478 5349 # Coturn UDP + ]; + allowedUDPPortRanges = [ + { from = 49000; to = 50000; } # Coturn range + ]; + }; } diff --git a/nixos/server/transmission.nix b/nixos/server/transmission.nix new file mode 100644 index 0000000..7b149f9 --- /dev/null +++ b/nixos/server/transmission.nix 
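Review bot: The two blocks appended at the bottom of johnside.nix, `systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ];` and `networking.firewall.allowedTCPPorts = [ 80 443 ];`, are unrelated to the Minecraft server or its BlueMap proxy and duplicate what nginx.nix already declares (the ReadWritePaths line is visible as unchanged context in the nginx.nix hunk, and that hunk adds the identical 80/443 block). NixOS merges list options, so the build will succeed, but a Minecraft server module granting nginx write access to the landing-page HLS directory misleads anyone auditing which module touches what. Drop both from johnside.nix and keep the single copies in nginx.nix. The hunk covers the whole file, from the `{pkgs, outputs, ...}:` header to the closing brace.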
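Review bot: The comment on the new velocity.nix rule, `25565 19132 5657 # Minecraft server info`, relabels three ports that firewall.nix previously annotated as `# Pufferpanel`, so the reason 5657 is open is now less clear than before the move. If 5657 belongs to Pufferpanel rather than to the Velocity proxy, open it in the module that configures Pufferpanel and keep only the proxy ports here; otherwise say what 5657 is, e.g. `25565 19132 # Java and Bedrock` on one line and a separate `5657 # <what listens here>` entry. The enclosing attrset starts outside the hunk.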
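Review bot: The new synapse.nix firewall block hard-codes `3478 5349` and `{ from = 49000; to = 50000; }` even though these values mirror the Coturn configuration presumably set earlier in this file (outside the hunk). If `config` is available in the module arguments, deriving them as `allowedUDPPorts = [ config.services.coturn.listening-port config.services.coturn.tls-listening-port ];` and `allowedUDPPortRanges = [ { from = config.services.coturn.min-port; to = config.services.coturn.max-port; } ];` keeps the opened ports tied to what coturn actually binds. The enclosing attrset starts outside the hunk.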
@@ -0,0 +1,20 @@ +{pkgs, outputs, ...}: { + services = { + transmission = { + enable = true; + credentialsFile = pkgs.writeText "credentials" outputs.secrets.transmissionCredFile; + openPeerPorts = true; + settings = { + rpc-authentication-required = true; + }; + }; + nginx.virtualHosts."torrent.${outputs.secrets.jimDomain}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:9091"; + proxyWebsockets = true; + }; + }; + }; +} 
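Review bot: `credentialsFile = pkgs.writeText "credentials" outputs.secrets.transmissionCredFile;` writes the RPC username and password into a derivation output, and everything under /nix/store is world-readable on the host, so any local user or process that can read the store can recover the Transmission credentials regardless of `rpc-authentication-required = true`. Point `credentialsFile` at a file that reaches the machine outside the store with restricted permissions, however the other secrets in this repo are deployed, e.g. `credentialsFile = "<path to credentials file outside /nix/store>";`. The TLS-only nginx vhost in front of port 9091 is fine as is; the problem is only where the secret material is stored. The hunk covers the whole new file.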
diff --git a/secrets.nix b/secrets.nix index 83e6cfd3d5f5c4240dd98318c6f6801c6ddcc8b3..dea9ce7de973c0752e71152e8bf6b4c44997097a 100644 GIT binary patch literal 1900 zcmV-y2b1^!M@dveQdv+`0B*O%8QLUFJ4sH{y>=p>HOGxIa+?~AtXOV@MSIlS_@B}J zyecQ3`c*W9^&M?Ao#fN_H~sis!{)Sio8O|YjwgPr%Wvxkpsr%#gHvrLWx}!iK!C;> z)+y-aaOSv)M2Qxnwdq!J)K)H%a(WyclqMC_^dT|0l?+F{3;t^2tSnq{Aqos~__Qq-T$HuTZMJz+bG;b`ZJW~sT#mlC=>Jzp;PVg!4v#FH zfPnxE>tQUuPJo80FN)npu2-dW8Ra9to@xnW0I!k~#)AmvFLj+9{Ed`PpOqIHER2*C zo|);)?yEt%XYU^qc^}5Y+xogUXI}p^>PNm3*d>q;qo=Z>P<~~JOf znXQ#$V`>vb23?x?)%S%KuT$ov<%lQk7wH7PfINL< zR8FbjJUO04C&kNg(6m{2Z8-~kUGET z|3}YsN1hr%6FI8WXXhF|ZzoBr;z>l4wDpzj{O99VQ8M^yey!FC)bCwv9$>85fg>kF zdVnKFcc`J;6jrL1VjXqVkF<@u^6yQ+^ewBnl^qho&K2bxx>$?kYv;a0;no6O$5DlF zR#{iM*Xx|NQ#7Rdre`6W@Rz@zz`bThNI9CnP#uwyyuBce0(B!GY7FU^r4d#K?JJGwIOYW&p_BdmPmj$uaxnyc zS#|4yto|ahGL#ce)t#y5<-CEzkbkl>>!W{7y4DH7-?XcWW8AdM`o z*&`laZ;=|^^Pb(0;Gfi|?-lh|mzp->RSDr&-tE<$CM(neULmEioj78Z}xiL_5 zVwm8AYol~Rm>>pqIp7Q!xYJ8Qt><@I2Cdg4mw+wOhdI^iCbC)yp-dfa?_@j?R;`qT z5ismRul^FUos?&d&rXtLsRi zV2T6tW8?qpE1^7Gy&xxt3R?Cwdi7Re2zm$StA`C->L_MmdprN9v8wm5y#J~sari{T z6cAm2lvIZQOy6`V8b78iRCF9Y@oAWIH0nCqsd;>rzHewm&CQSi^o;rr_^t%Fn(eMA z%}}QWBra>_Xer+Ly77=byj%VHg=)8pZwAaGY@3^@O0$GFWIUS4jubNR z#|%1UR!n@-*d3gTBTEa&1%{bkQmFcLz9TK}31 zaJjsAwv&FNHqBESlh61E(1G zs*dCxHz$+yUD76=1(AysYnGlz&qqH|ot#}yfO^-RREquIrwYWtkE2^7K*f36VL*5N mM)@N4Zan&2G+kAg6UWSu5i*5cxVs93Otp7}RqXN|2THxwfv-{k literal 1742 zcmV;<1~K^nM@dveQdv+`0LqMuAQQH17#j50s#M{~j*w_+a$$r?3qA3#0}b2<=4kL& zdTd+Uo)GY(J_%uhK;&-qn#{VSjeVLV?IziJxixyAZS+8ljf0o3(~}h&Njfs6WRoQLV?DN{&#N#n z5*)X;lu1*gimW2knUl(X)DthhKqvEF z&m6yTdNE;+meC$OptnB?COF`d?l)RX_chT$BrFYJ0jT>$7jNkX~mCF#>t*?CqRXi?IniX&H?V@rHYPZ|E-SHDm+AjEw073lNTF@k9oNT z8_+{i%s9()XO=;O|E>XN^1)0i0TO^?pbR2BMfv=9>lte#k$l2Y;|q1Oi+n*r@6!lt zsI7=6i!8T4SXLV=YH$P}C6@(wadQHgUNiN)A<;QZ21hE*MHx`HE<%uLai;SprDtFj z>UIHsi>uuY#XW7|=sYUR&;DKM9hEBdWigHz{)IH{QgD9OREmH}s`-jp{1FATJtJdG zZ4-jb_;=rzR$zEwa7D;1LrR+@o~y-N^TrhA<#ye)J7US1cq72nJ%SKu#}cy1NUBI@ 
z4&Kle1zwI;oP=7*+iFy${t_pMz0K6YQ!#?$EzQs>bHow}<}Zh;GkbFUA1ekZj~ySC zWT74JS!Zclv88G7447;*$6cu@-qq%<3dHp0ppYf&#+STrocPY7Ehe&`B$E zYOB>AXCzg$D9^94m=9?qwySH++uEPR_T2U%2h?F|#3N)vh4xZ}=_RXxc;L1Gs}siE z5Z@K@Ff%UF_yP_p3Xdqdq4gj-u~J|YTV3+=i0q|>Qv8vXGn*xwR;P>p3ed7>N6o2q zK<9@34wBtmYwxx;qZyp{DV+k9%-t9-Tj4mAdWlb(f6djW4i=~Cf6n@eZo_4K*{$u) zy93BPTY1$>;%Y(%>;cC%47_Lcz9n4NaLMiX0Cvmc{Vw3}6j)kHn}>#ck@T z4@$*g7+r#2ovICCEw=^p7H;PB&~-rSI)#|LgnH*OgXHd5YPXmx^Ma{$pQ*%qam`B< z72)!3R7O&!W7E9-SMmS^fsJh!8oF>}_SDQZ)gQ^QAvg5$R~<<|{0v=(odAA~7?TNZ zBJI5FV)3jbnU6(Y_cC23XPz!*<7lmiGM7oh=7*!>V82y1oe6hsQV!(?DRA)>w%1Ye z$UF;8qb+FpmJGgoYr80Mp-5#TT1GUnPbe!|53joQxuTH~K;vQvPA+B`yqr?Y!cK!6 z6c@cjxx0g6L+@zh{vn-tMKz)JZs_q&a$m*koAai#adDH4{TbFUp+uSzQx5LARv!p^ k5e