Why didn'

Server/configuration.nix

@@ -9,10 +9,10 @@ let
 
   # IPs
   netInt = ''eno1'';
-  localSpan = ''192.168.2'';
+  localSpan = ''10.0.0'';
-  pcIP = ''${localSpan}.10'';
+  serverIP = ''${localSpan}.2'';
-  serverIP = ''${localSpan}.11'';
+  pcIP = ''${localSpan}.3'';
-  vmIP = ''${localSpan}.70'';
+  vmIP = ''${localSpan}.4'';
 
   # Secrets and passwords
   secrets = import ./secrets.nix;
@@ -70,7 +70,7 @@ in
   # Define user account.
   users.users.jimbo = {
     isNormalUser = true;
-    hashedPassword = secrets.jimboAccPassword;
+    hashedPassword = secrets.jimboAccPass;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPjBdQrL23pDbcsNCLMvJhcNF7+u95ZV7o1QemOmegf jimbo@JimNixPC"
@@ -115,6 +115,7 @@ in
 
     # Configure firewall
     firewall = {
+      allowPing = false;
       allowedTCPPorts = [ 
 	80 443 # Nginx
 	25565 19132 5657 # Minecraft & Pufferpanel SFTP
@@ -135,11 +136,9 @@ in
       # Add extra input rules using nftables
       extraInputRules = ''
 	ip saddr ${localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS"
-	ip saddr { ${pcIP}, ${secrets.lunaIP}, ${secrets.freecornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
+	ip saddr ${localSpan}.0/24 udp dport 53 accept comment "Accept DNS"
+	ip saddr { ${pcIP}, ${secrets.lunaIP}, ${secrets.cornIP}, ${secrets.vertIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
       '';
-
-      # Disallow pinging this server
-      allowPing = false;
     };
 
     # Enable nftables and forwarding
@@ -160,8 +159,8 @@ in
               tcp dport { 38010, 37989, 37984 } dnat to ${vmIP} comment "Sunshine TCP to VM"
               udp dport { 37998, 37999, 38000 } dnat to ${vmIP} comment "Sunshine UDP to VM"
             
-              ip saddr ${secrets.freecornIP} tcp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR TCP to VM"
+              ip saddr ${secrets.cornIP} tcp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR TCP to VM"
-              ip saddr ${secrets.freecornIP} udp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR UDP to VM"
+              ip saddr ${secrets.cornIP} udp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR UDP to VM"
             }
             chain POSTROUTING {
               type nat hook postrouting priority 100; policy accept;
@@ -209,11 +208,32 @@ in
       '';
     };
 
+    # DDClient for Dynamic IPpanels
+    ddclient = {
+      enable = true;
+      protocol = "cloudflare";
+      use = "web, web=https://ipinfo.io/ip";
+      zone = "${jimDomain}";
+      username = "token";
+      passwordFile = "${pkgs.writeText "cloudflareapikey" secrets.flareApiKey}";
+      domains = [
+        "${jimDomain}"
+        "*.${jimDomain}"
+        "beta.${jimDomain}"
+        "git.${jimDomain}"
+        "john.${jimDomain}"
+        "mc.${jimDomain}"
+        "mx.${jimDomain}"
+        "panel.${jimDomain}"
+        "rtmp.${jimDomain}"
+      ];
+    };
+
     # Nginx reverse proxy
     nginx = {
       enable = true;
       package = (pkgs.nginx.override {
-	  modules = with pkgs.nginxModules; [ rtmp ];
+        modules = with pkgs.nginxModules; [ rtmp ];
       });
       recommendedTlsSettings = true;
       recommendedOptimisation = true;
@@ -224,12 +244,8 @@ in
         "${jimDomain}" =  {
           enableACME = true;
           addSSL = true;
+	  root = "/var/www/jimweb";
           locations = {
-	    "= /" = {
-              extraConfig = "
-	        return 301 https://social.${jimDomain}/@jimbo;
-	      ";
-            };
 	    "/.well-known/matrix/client" = {
 	      extraConfig = ''
                 default_type application/json;
@@ -313,8 +329,8 @@ in
           };
         };
 
-	# Gitea Proxy
+	# Pufferpanel Proxy
-        "mc.${jimDomain}" =  {
+        "panel.${jimDomain}" =  {
           enableACME = true;
           forceSSL = true;
           locations."/" = {
@@ -388,6 +404,16 @@ in
           enableACME = true;
           forceSSL = true;
         };
+
+	# Adguard
+	"guard.${jimDomain}" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:3000";
+            proxyWebsockets = true;
+          };
+	};
       };
       appendConfig = ''
         rtmp {
@@ -400,7 +426,7 @@ in
               live on;
 	      allow play all;
               hls on;
-              hls_path /var/www/jimwebsite/hls;
+              hls_path /var/www/jimweb/streams/hls;
 	      hls_fragment_naming system;
 	      hls_fragment 3;
               hls_playlist_length 40;
@@ -494,7 +520,7 @@ in
       enable = true;
       environment = {
         PUFFER_WEB_HOST = ":5010";
-	PUFFER_PANEL_SETTINGS_MASTERURL = "https://mc.${jimDomain}";
+	PUFFER_PANEL_SETTINGS_MASTERURL = "https://panel.${jimDomain}";
 	PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
 	PUFFER_PANEL_EMAIL_HOST = "mx.${jimDomain}:587";
 	PUFFER_PANEL_EMAIL_FROM = "noreply@${jimDomain}";
@@ -672,11 +698,17 @@ in
      '';
     };
 
+    # Enable a custom DNS server
+    adguardhome.enable = true;
+
     # Snowflake proxy for Tor
     snowflake-proxy.enable = true;
 
     # Fix a nonbuilding issue
     logrotate.checkConfig = false;
+
+    # Force the mailserver to use a different redis port
+    redis.servers.rspamd.port = 1515;
   };
 
   # Make Nginx not shit itself
@@ -685,7 +717,7 @@ in
     SupplementaryGroups = [ "shadow" ];
   };
   systemd.services.nginx.serviceConfig.ReadWritePaths = [
-    "/var/www/jimwebsite/hls/" 
+    "/var/www/jimweb/streams/hls/" 
   ];
 
   # Get certificates for Coturn
@@ -735,6 +767,8 @@ in
     domains = [ "${jimDomain}" ];
     fqdn = "mx.${jimDomain}";
     certificateScheme = "acme-nginx";
+    localDnsResolver = false;
+    redis.port = 1515;
 
     # A list of accounts. 
     # Generate passwords with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'