From e40211311153a089b63481d09e79d2e88a38d274 Mon Sep 17 00:00:00 2001
From: Jimbo
Date: Wed, 21 Aug 2024 21:21:55 -0400
Subject: [PATCH] Why didn'

---
 Server/configuration.nix | 84 ++++++++++++++++++++++++++++------------
 1 file changed, 59 insertions(+), 25 deletions(-)

diff --git a/Server/configuration.nix b/Server/configuration.nix
index f322e32..f76a9ee 100644
--- a/Server/configuration.nix
+++ b/Server/configuration.nix
@@ -9,10 +9,10 @@ let
 
  # IPs
  netInt = ''eno1'';
- localSpan = ''192.168.2'';
- pcIP = ''${localSpan}.10'';
- serverIP = ''${localSpan}.11'';
- vmIP = ''${localSpan}.70'';
+ localSpan = ''10.0.0'';
+ serverIP = ''${localSpan}.2'';
+ pcIP = ''${localSpan}.3'';
+ vmIP = ''${localSpan}.4'';
 
  # Secrets and passwords
  secrets = import ./secrets.nix;
@@ -70,7 +70,7 @@ in
  # Define user account.
  users.users.jimbo = {
  isNormalUser = true;
- hashedPassword = secrets.jimboAccPassword;
+ hashedPassword = secrets.jimboAccPass;
  openssh.authorizedKeys.keys = [
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPjBdQrL23pDbcsNCLMvJhcNF7+u95ZV7o1QemOmegf jimbo@JimNixPC"
@@ -115,6 +115,7 @@ in
 
  # Configure firewall
  firewall = {
+ allowPing = false;
  allowedTCPPorts = [
  80 443 # Nginx
  25565 19132 5657 # Minecraft & Pufferpanel SFTP
@@ -135,11 +136,9 @@ in
  # Add extra input rules using nftables
  extraInputRules = ''
  ip saddr ${localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS"
- ip saddr { ${pcIP}, ${secrets.lunaIP}, ${secrets.freecornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
+ ip saddr ${localSpan}.0/24 udp dport 53 accept comment "Accept DNS"
+ ip saddr { ${pcIP}, ${secrets.lunaIP}, ${secrets.cornIP}, ${secrets.vertIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
  '';
-
- # Disallow pinging this server
- allowPing = false;
  };
 
  # Enable nftables and forwarding
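Review bot: The new rule `ip saddr ${localSpan}.0/24 udp dport 53 accept comment "Accept DNS"` opens DNS over UDP only, so a client that retries over TCP after a truncated answer will presumably be dropped by the input policy that the other rules are punching holes in. Pair it with `ip saddr ${localSpan}.0/24 tcp dport 53 accept comment "Accept DNS TCP"` so both transports get the same treatment. Scoping the rule to the /24 is the right call, since it keeps the new resolver from answering queries from outside the LAN. The enclosing firewall block begins in the previous hunk.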
@@ -153,15 +152,15 @@ in
  type nat hook prerouting priority dstnat; policy accept;
  tcp dport 2211 dnat to ${pcIP}:22 comment "SSH to PC"
  udp dport { 27005, 27015, 7777 } dnat to ${pcIP} comment "Games to PC"
-
+
  tcp dport { 58010, 57989, 57984 } dnat to ${pcIP} comment "Sunshine TCP to PC"
  udp dport { 57998, 57999, 58000 } dnat to ${pcIP} comment "Sunshine UDP to PC"
-
+
  tcp dport { 38010, 37989, 37984 } dnat to ${vmIP} comment "Sunshine TCP to VM"
  udp dport { 37998, 37999, 38000 } dnat to ${vmIP} comment "Sunshine UDP to VM"
-
- ip saddr ${secrets.freecornIP} tcp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR TCP to VM"
- ip saddr ${secrets.freecornIP} udp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR UDP to VM"
+
+ ip saddr ${secrets.cornIP} tcp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR TCP to VM"
+ ip saddr ${secrets.cornIP} udp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR UDP to VM"
  }
  chain POSTROUTING {
  type nat hook postrouting priority 100; policy accept;
@@ -209,11 +208,32 @@ in
  '';
  };
 
+ # DDClient for Dynamic IPpanels
+ ddclient = {
+ enable = true;
+ protocol = "cloudflare";
+ use = "web, web=https://ipinfo.io/ip";
+ zone = "${jimDomain}";
+ username = "token";
+ passwordFile = "${pkgs.writeText "cloudflareapikey" secrets.flareApiKey}";
+ domains = [
+ "${jimDomain}"
+ "*.${jimDomain}"
+ "beta.${jimDomain}"
+ "git.${jimDomain}"
+ "john.${jimDomain}"
+ "mc.${jimDomain}"
+ "mx.${jimDomain}"
+ "panel.${jimDomain}"
+ "rtmp.${jimDomain}"
+ ];
+ };
+
  # Nginx reverse proxy
  nginx = {
  enable = true;
  package = (pkgs.nginx.override {
- modules = with pkgs.nginxModules; [ rtmp ];
+ modules = with pkgs.nginxModules; [ rtmp ];
  });
  recommendedTlsSettings = true;
  recommendedOptimisation = true;
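Review bot: `passwordFile = "${pkgs.writeText "cloudflareapikey" secrets.flareApiKey}"` in the ddclient hunk writes the Cloudflare API token into the Nix store, which is world-readable, so every local account and anything that copies the store (substituters, backups) can read the credential. Keep the token out of the store by pointing `passwordFile` at a root-only file provisioned outside the build, e.g. `passwordFile = "/run/secrets/cloudflare-token"; # placeholder path: mode 0400, readable by the ddclient user only`, and scope that token to DNS edits on the one zone rather than a broader account permission. The `domains` list also publishes a wildcard `*.${jimDomain}` record to this address; worth confirming that is intended, since every unregistered hostname under the zone will then resolve to this host.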
@@ -224,12 +244,8 @@ in
  "${jimDomain}" = {
  enableACME = true;
  addSSL = true;
+ root = "/var/www/jimweb";
  locations = {
- "= /" = {
- extraConfig = "
- return 301 https://social.${jimDomain}/@jimbo;
- ";
- };
  "/.well-known/matrix/client" = {
  extraConfig = ''
  default_type application/json;
@@ -313,8 +329,8 @@ in
  };
  };
 
- # Gitea Proxy
- "mc.${jimDomain}" = {
+ # Pufferpanel Proxy
+ "panel.${jimDomain}" = {
  enableACME = true;
  forceSSL = true;
  locations."/" = {
@@ -388,6 +404,16 @@ in
  enableACME = true;
  forceSSL = true;
  };
+
+ # Adguard
+ "guard.${jimDomain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ proxyWebsockets = true;
+ };
+ };
  };
  appendConfig = ''
  rtmp {
@@ -400,7 +426,7 @@ in
  live on;
  allow play all;
  hls on;
- hls_path /var/www/jimwebsite/hls;
+ hls_path /var/www/jimweb/streams/hls;
  hls_fragment_naming system;
  hls_fragment 3;
  hls_playlist_length 40;
@@ -494,7 +520,7 @@ in
  enable = true;
  environment = {
  PUFFER_WEB_HOST = ":5010";
- PUFFER_PANEL_SETTINGS_MASTERURL = "https://mc.${jimDomain}";
+ PUFFER_PANEL_SETTINGS_MASTERURL = "https://panel.${jimDomain}";
  PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
  PUFFER_PANEL_EMAIL_HOST = "mx.${jimDomain}:587";
  PUFFER_PANEL_EMAIL_FROM = "noreply@${jimDomain}";
@@ -672,11 +698,17 @@ in
  '';
  };
 
+ # Enable a custom DNS server
+ adguardhome.enable = true;
+
  # Snowflake proxy for Tor
  snowflake-proxy.enable = true;
 
  # Fix a nonbuilding issue
  logrotate.checkConfig = false;
+
+ # Force the mailserver to use a different redis port
+ redis.servers.rspamd.port = 1515;
  };
 
  # Make Nginx not shit itself
@@ -685,7 +717,7 @@ in
  SupplementaryGroups = [ "shadow" ];
  };
  systemd.services.nginx.serviceConfig.ReadWritePaths = [
- "/var/www/jimwebsite/hls/"
+ "/var/www/jimweb/streams/hls/"
  ];
 
  # Get certificates for Coturn
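Review bot: The new `"guard.${jimDomain}"` vhost publishes the AdGuard Home admin interface on the public side of the proxy with nothing but AdGuard's own login in front of it, while the NFS, DNS and RTMP rules elsewhere in this patch are all restricted to known sources. If the UI only needs to be reachable from the LAN, add to `locations."/"` an `extraConfig = "allow ${localSpan}.0/24; deny all;";` so nginx refuses other clients before the request ever reaches port 3000. A short comment on `proxyPass = "http://127.0.0.1:3000"` noting that this port has to match the adguardhome service's listen port would also help, since `adguardhome.enable = true;` in a later hunk relies on defaults only.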
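Review bot: `redis.servers.rspamd.port = 1515;` is a magic number that must stay equal to `redis.port = 1515;` in the mailserver hunk further down, and nothing in the file ties the two together. Hoist it into the `let` block next to the IP bindings, e.g. `rspamdRedisPort = 1515;`, and reference it in both places so a future edit cannot desynchronise rspamd from its Redis instance. The comment `# Force the mailserver to use a different redis port` says what but not why; record the conflict it works around in that comment.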
@@ -735,6 +767,8 @@ in
  domains = [ "${jimDomain}" ];
  fqdn = "mx.${jimDomain}";
  certificateScheme = "acme-nginx";
+ localDnsResolver = false;
+ redis.port = 1515;
 
  # A list of accounts.
  # Generate passwords with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
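Review bot: `localDnsResolver = false;` switches the mailserver's lookups to the host resolver without a comment explaining the change; given `adguardhome.enable = true;` and the new UDP 53 firewall rule earlier in this patch, it presumably avoids a port 53 clash with AdGuard Home, and a comment such as `# AdGuard Home owns port 53; mail lookups now go through the system resolver` would spare the next reader that reconstruction. Worth verifying that the resolver the mailserver ends up using is neither a filtering one nor a shared public one, since DNSBL lookups behave differently through those. The enclosing mailserver block starts outside this hunk.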