Why didn'
This commit is contained in:
parent
2326853c53
commit
e402113111
|
|
@ -9,10 +9,10 @@ let
|
|||
|
||||
# IPs
|
||||
netInt = ''eno1'';
|
||||
localSpan = ''192.168.2'';
|
||||
pcIP = ''${localSpan}.10'';
|
||||
serverIP = ''${localSpan}.11'';
|
||||
vmIP = ''${localSpan}.70'';
|
||||
localSpan = ''10.0.0'';
|
||||
serverIP = ''${localSpan}.2'';
|
||||
pcIP = ''${localSpan}.3'';
|
||||
vmIP = ''${localSpan}.4'';
|
||||
|
||||
# Secrets and passwords
|
||||
secrets = import ./secrets.nix;
|
||||
|
|
@ -70,7 +70,7 @@ in
|
|||
# Define user account.
|
||||
users.users.jimbo = {
|
||||
isNormalUser = true;
|
||||
hashedPassword = secrets.jimboAccPassword;
|
||||
hashedPassword = secrets.jimboAccPass;
|
||||
openssh.authorizedKeys.keys = [
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPjBdQrL23pDbcsNCLMvJhcNF7+u95ZV7o1QemOmegf jimbo@JimNixPC"
|
||||
|
|
@ -115,6 +115,7 @@ in
|
|||
|
||||
# Configure firewall
|
||||
firewall = {
|
||||
allowPing = false;
|
||||
allowedTCPPorts = [
|
||||
80 443 # Nginx
|
||||
25565 19132 5657 # Minecraft & Pufferpanel SFTP
|
||||
|
|
@ -135,11 +136,9 @@ in
|
|||
# Add extra input rules using nftables
|
||||
extraInputRules = ''
|
||||
ip saddr ${localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS"
|
||||
ip saddr { ${pcIP}, ${secrets.lunaIP}, ${secrets.freecornIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
|
||||
ip saddr ${localSpan}.0/24 udp dport 53 accept comment "Accept DNS"
|
||||
ip saddr { ${pcIP}, ${secrets.lunaIP}, ${secrets.cornIP}, ${secrets.vertIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
|
||||
'';
|
||||
|
||||
# Disallow pinging this server
|
||||
allowPing = false;
|
||||
};
|
||||
|
||||
# Enable nftables and forwarding
|
||||
|
|
@ -153,15 +152,15 @@ in
|
|||
type nat hook prerouting priority dstnat; policy accept;
|
||||
tcp dport 2211 dnat to ${pcIP}:22 comment "SSH to PC"
|
||||
udp dport { 27005, 27015, 7777 } dnat to ${pcIP} comment "Games to PC"
|
||||
|
||||
|
||||
tcp dport { 58010, 57989, 57984 } dnat to ${pcIP} comment "Sunshine TCP to PC"
|
||||
udp dport { 57998, 57999, 58000 } dnat to ${pcIP} comment "Sunshine UDP to PC"
|
||||
|
||||
|
||||
tcp dport { 38010, 37989, 37984 } dnat to ${vmIP} comment "Sunshine TCP to VM"
|
||||
udp dport { 37998, 37999, 38000 } dnat to ${vmIP} comment "Sunshine UDP to VM"
|
||||
|
||||
ip saddr ${secrets.freecornIP} tcp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR TCP to VM"
|
||||
ip saddr ${secrets.freecornIP} udp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR UDP to VM"
|
||||
|
||||
ip saddr ${secrets.cornIP} tcp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR TCP to VM"
|
||||
ip saddr ${secrets.cornIP} udp dport { 9943, 9944 } dnat to ${vmIP} comment "ALVR UDP to VM"
|
||||
}
|
||||
chain POSTROUTING {
|
||||
type nat hook postrouting priority 100; policy accept;
|
||||
|
|
@ -209,11 +208,32 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
# DDClient for Dynamic IPpanels
|
||||
ddclient = {
|
||||
enable = true;
|
||||
protocol = "cloudflare";
|
||||
use = "web, web=https://ipinfo.io/ip";
|
||||
zone = "${jimDomain}";
|
||||
username = "token";
|
||||
passwordFile = "${pkgs.writeText "cloudflareapikey" secrets.flareApiKey}";
|
||||
domains = [
|
||||
"${jimDomain}"
|
||||
"*.${jimDomain}"
|
||||
"beta.${jimDomain}"
|
||||
"git.${jimDomain}"
|
||||
"john.${jimDomain}"
|
||||
"mc.${jimDomain}"
|
||||
"mx.${jimDomain}"
|
||||
"panel.${jimDomain}"
|
||||
"rtmp.${jimDomain}"
|
||||
];
|
||||
};
|
||||
|
||||
# Nginx reverse proxy
|
||||
nginx = {
|
||||
enable = true;
|
||||
package = (pkgs.nginx.override {
|
||||
modules = with pkgs.nginxModules; [ rtmp ];
|
||||
modules = with pkgs.nginxModules; [ rtmp ];
|
||||
});
|
||||
recommendedTlsSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
|
|
@ -224,12 +244,8 @@ in
|
|||
"${jimDomain}" = {
|
||||
enableACME = true;
|
||||
addSSL = true;
|
||||
root = "/var/www/jimweb";
|
||||
locations = {
|
||||
"= /" = {
|
||||
extraConfig = "
|
||||
return 301 https://social.${jimDomain}/@jimbo;
|
||||
";
|
||||
};
|
||||
"/.well-known/matrix/client" = {
|
||||
extraConfig = ''
|
||||
default_type application/json;
|
||||
|
|
@ -313,8 +329,8 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
# Gitea Proxy
|
||||
"mc.${jimDomain}" = {
|
||||
# Pufferpanel Proxy
|
||||
"panel.${jimDomain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
|
|
@ -388,6 +404,16 @@ in
|
|||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
|
||||
# Adguard
|
||||
"guard.${jimDomain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:3000";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
appendConfig = ''
|
||||
rtmp {
|
||||
|
|
@ -400,7 +426,7 @@ in
|
|||
live on;
|
||||
allow play all;
|
||||
hls on;
|
||||
hls_path /var/www/jimwebsite/hls;
|
||||
hls_path /var/www/jimweb/streams/hls;
|
||||
hls_fragment_naming system;
|
||||
hls_fragment 3;
|
||||
hls_playlist_length 40;
|
||||
|
|
@ -494,7 +520,7 @@ in
|
|||
enable = true;
|
||||
environment = {
|
||||
PUFFER_WEB_HOST = ":5010";
|
||||
PUFFER_PANEL_SETTINGS_MASTERURL = "https://mc.${jimDomain}";
|
||||
PUFFER_PANEL_SETTINGS_MASTERURL = "https://panel.${jimDomain}";
|
||||
PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
|
||||
PUFFER_PANEL_EMAIL_HOST = "mx.${jimDomain}:587";
|
||||
PUFFER_PANEL_EMAIL_FROM = "noreply@${jimDomain}";
|
||||
|
|
@ -672,11 +698,17 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
# Enable a custom DNS server
|
||||
adguardhome.enable = true;
|
||||
|
||||
# Snowflake proxy for Tor
|
||||
snowflake-proxy.enable = true;
|
||||
|
||||
# Fix a nonbuilding issue
|
||||
logrotate.checkConfig = false;
|
||||
|
||||
# Force the mailserver to use a different redis port
|
||||
redis.servers.rspamd.port = 1515;
|
||||
};
|
||||
|
||||
# Make Nginx not shit itself
|
||||
|
|
@ -685,7 +717,7 @@ in
|
|||
SupplementaryGroups = [ "shadow" ];
|
||||
};
|
||||
systemd.services.nginx.serviceConfig.ReadWritePaths = [
|
||||
"/var/www/jimwebsite/hls/"
|
||||
"/var/www/jimweb/streams/hls/"
|
||||
];
|
||||
|
||||
# Get certificates for Coturn
|
||||
|
|
@ -735,6 +767,8 @@ in
|
|||
domains = [ "${jimDomain}" ];
|
||||
fqdn = "mx.${jimDomain}";
|
||||
certificateScheme = "acme-nginx";
|
||||
localDnsResolver = false;
|
||||
redis.port = 1515;
|
||||
|
||||
# A list of accounts.
|
||||
# Generate passwords with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
|
||||
|
|
|
|||
Loading…
Reference in a new issue