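{ config, pkgs, options, lib, ... }:

# NixOS configuration for the home server "JimNixServer": LAN firewall/NAT,
# NFS, and an nginx front for Nextcloud, Vaultwarden, Tandoor, Bluemap, Gitea,
# Matrix (Synapse + Element + coturn), Owncast and an RTMP/HLS feed.
let
  # Home Manager, pinned to the release branch matching this NixOS release.
  # NOTE(review): fetchTarball without a sha256 trusts whatever the URL serves
  # on each evaluation; adding the hash (or a flake input) makes it reproducible.
  homeManager = fetchTarball "https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";

  # Domains served by this host
  jimdomain = ''jimbosfiles.com'';
  bloxeldomain = ''bloxelcom.net'';

  # LAN addresses; `server` is this host (used in the fail2ban allow-list)
  localspan = ''192.168.1'';
  pc = ''${localspan}.18'';
  server = ''${localspan}.17'';
  vm = ''${localspan}.70'';

  # Secrets kept outside the world-readable Nix store. PLACEHOLDER paths:
  # choose any location outside /nix/store and create the files by hand.
  #   turnSecretFile        - the raw TURN shared secret, readable by coturn
  #   synapseTurnSecretFile - the same value as one YAML line for Synapse,
  #                           readable by the matrix-synapse user:
  #                             turn_shared_secret: "<secret>"
  turnSecretFile = "/run/secrets/coturn-static-auth-secret";
  synapseTurnSecretFile = "/run/secrets/synapse-turn-secret.yaml";
in
{
  # Hardware, per-user config and Home Manager's NixOS module
  imports = [
    ./hardware-configuration.nix
    ./jimbo.nix
    "${homeManager}/nixos"
  ];

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  # Allow flakes (I have no clue how they work yet)
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  # Allow unfree firmware
  hardware.enableRedistributableFirmware = true;

  # Xanmod kernel, Grub as the (EFI) bootloader
  boot = {
    kernelPackages = pkgs.linuxPackages_xanmod;
    loader.grub = {
      efiSupport = true;
      device = "nodev";
    };
  };

  # Privilege escalation: doas instead of sudo
  security = {
    sudo.enable = false;
    doas = {
      enable = true;
      extraRules = [
        # Give wheel root access, allow persistent session
        # (keepEnv passes the caller's environment through to the root process)
        { groups = [ "wheel" ]; keepEnv = true; persist = true; }
      ];
    };
  };

  # Enable the ZSH shell
  programs.zsh.enable = true;

  # Disable Nano
  programs.nano.enable = false;

  # Define a user account.
  users.users.jimbo = {
    isNormalUser = true;
    hashedPassword = "$6$gYpE.pG/zPXgin06$2kydjDfd0K62Dhf9P0PFvJhRNz6xIC/bHYaf/XYqyKcLyZNzPQpy8uy9tCRcSYlj1wwBhzVtTRyItwajOHCEj0";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
    ];
    # "docker" grants access to the Docker socket, which is root-equivalent
    extraGroups = [ "wheel" "docker" ];
    uid = 1000;
    shell = pkgs.zsh;
  };

  # The ACME cert for the TURN realm is group-owned by "turnserver" (see
  # security.acme below); nginx serves that host name too, so it needs to read it
  users.users.nginx.extraGroups = [ "turnserver" ];

  # Installed programs to the system profile.
  environment.systemPackages = with pkgs; [
    # Essential system tools
    git
    parted
    mdadm
  ];

  # Define timezone and networking settings
  time.timeZone = "America/New_York";
  networking = {
    # Set hostname
    hostName = "JimNixServer";

    # Choose networking method
    dhcpcd.enable = true;
    wireless.enable = false;

    # Enable firewall passthrough
    firewall = {
      allowedTCPPorts = [
        # NFS
        2049
        # Nginx
        80 443 8448
        # Minecraft
        25565 19132
        # Gitea
        2299
        # Coturn
        3478 5349
      ];
      allowedTCPPortRanges = [
        # Also Azuracast
        { from = 8100; to = 8150; }
      ];
      allowedUDPPorts = [
        # Minecraft Voicechat and Bedrock
        25565 19132
        # Coturn again
        3478 5349
      ];
      allowedUDPPortRanges = [
        # Coturn relay range (matches services.coturn min-port/max-port)
        { from = 49000; to = 50000; }
      ];

      # Extra rules that cannot be done above. The DNAT rules are not bound to
      # an interface, so they also rewrite LAN traffic aimed at this host.
      extraCommands =
        # SSH and game servers from my PC
        ''
          iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2211 -m comment --comment "SSH to PC" -j DNAT --to-destination ${pc}
          iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 27005,27015,7777,29000 -m comment --comment "Games" -j DNAT --to-destination ${pc}
        '' +
        # Sunshine ports for PC and VM
        ''
          iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 48010,47989,47984 -m comment --comment "PC Sunshine TCP" -j DNAT --to-destination ${pc}
          iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 47998,47999,48000 -m comment --comment "PC Sunshine UDP" -j DNAT --to-destination ${pc}
          iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 38010,37989,37984 -m comment --comment "VM Sunshine TCP" -j DNAT --to-destination ${vm}
          iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 37998,37999,38000 -m comment --comment "VM Sunshine UDP" -j DNAT --to-destination ${vm}
        '' +
        # Source allow-list for the RTMP ingest ports (1945 is the nginx-rtmp
        # listener below; 1935 presumably Owncast's). Neither port is in
        # allowedTCPPorts, so this chain is the only thing admitting them.
        # Chain creation and the INPUT hook are made idempotent: the firewall
        # start script may be re-run on reload, and a bare `-N` fails when the
        # chain already exists.
        ''
          iptables -N RTMPCHAIN 2>/dev/null || iptables -F RTMPCHAIN
          iptables -D INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN 2>/dev/null || true
          iptables -A INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN
          iptables -A RTMPCHAIN -s ${pc} -j ACCEPT
          iptables -A RTMPCHAIN -s 71.87.124.226 -j ACCEPT
          iptables -A RTMPCHAIN -j DROP
        '' +
        # Finalize forwarding
        ''
          iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
        '';

      # Remove the chain and such; tolerate a partially-applied state so the
      # stop script cannot itself fail
      extraStopCommands = ''
        iptables -D INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN 2>/dev/null || true
        iptables -F RTMPCHAIN 2>/dev/null || true
        iptables -X RTMPCHAIN 2>/dev/null || true
      '';

      # Disallow pinging this server
      allowPing = false;
    };
    nameservers = [ "1.1.1.1" "9.9.9.9" ];
  };

  # The kernel must forward for the DNAT rules above to deliver anything
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # Enable AppArmor
  security.apparmor.enable = true;

  # Enable all manner of services
  services = {
    # SSH: key-only logins on a non-default port
    openssh = {
      enable = true;
      settings = {
        LogLevel = "VERBOSE";
        PermitRootLogin = "no";
        PrintLastLog = "no";
        PasswordAuthentication = false;
        # Without this the keyboard-interactive (PAM) method can still accept a
        # password even though PasswordAuthentication is off
        KbdInteractiveAuthentication = false;
      };
      ports = [ 2222 ];
    };

    # Login attempt lockout
    fail2ban = {
      enable = true;
      maxretry = 5;
      ignoreIP = [ "${pc}" "${server}" "${vm}" ];
    };

    # NFS server: read-write for the whole LAN. "insecure" accepts clients on
    # non-privileged source ports; root_squash (the exportfs default) stays on.
    nfs.server = {
      enable = true;
      exports = ''
        /export/JimboNFS ${localspan}.0/24(rw,nohide,insecure,no_subtree_check)
      '';
    };

    # Nginx reverse proxy (with the RTMP module for the live feed)
    nginx = {
      enable = true;
      package = (pkgs.nginxMainline.override { modules = [ pkgs.nginxModules.rtmp ]; });
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      virtualHosts = {
        # Nextcloud Proxy
        "cloud.${jimdomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8080";
            proxyWebsockets = true;
            extraConfig = "
              location /.well-known/carddav { return 301 $scheme://$host/remote.php/dav; }
              location /.well-known/caldav { return 301 $scheme://$host/remote.php/dav; }
            ";
          };
        };

        # Vaultwarden Proxy
        "warden.${jimdomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8222";
            proxyWebsockets = true;
          };
        };

        # Recipes Proxy
        "recipes.${jimdomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:5030";
            proxyWebsockets = true;
          };
        };

        # Bluemap Proxy
        "bluemap.${jimdomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:31010";
            proxyWebsockets = true;
          };
        };

        # Gitea Proxy
        "git.${jimdomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:3110";
            proxyWebsockets = true;
          };
        };

        # Matrix Proxy (8448 is the federation port; Synapse itself only
        # listens on loopback, see services.matrix-synapse)
        "matrix.${bloxeldomain}" = {
          enableACME = true;
          forceSSL = true;
          listen = [
            { addr = "[::]"; port = 80; ssl = false; }
            { addr = "0.0.0.0"; port = 80; ssl = false; }
            { addr = "[::]"; port = 443; ssl = true; }
            { addr = "0.0.0.0"; port = 443; ssl = true; }
            { addr = "[::]"; port = 8448; ssl = true; }
            { addr = "0.0.0.0"; port = 8448; ssl = true; }
          ];
          locations."/_matrix".proxyPass = "http://[::1]:8008";
          locations."/_synapse".proxyPass = "http://[::1]:8008";
          locations."/.well-known".proxyPass = "http://[::1]:8008";
        };

        # Element Proxy
        "chat.${bloxeldomain}" = {
          addSSL = true;
          enableACME = true;
          root = "${pkgs.element-web}";
        };

        # Coturn Proxy (plain-HTTP listener; mainly here so ACME issues the
        # certificate that coturn reuses below)
        "turn.${bloxeldomain}" = {
          enableACME = true;
          forceSSL = true;
          listen = [
            { addr = "[::]"; port = 80; ssl = false; }
            { addr = "0.0.0.0"; port = 80; ssl = false; }
          ];
          locations."/".proxyPass = "http://[::1]:1380";
        };

        # Radio Proxy
        "wbxdradio.${bloxeldomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:255";
            proxyWebsockets = true;
          };
        };

        # Streaming proxy (Owncast web UI)
        "live.${bloxeldomain}" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8060";
            proxyWebsockets = true;
          };
        };

        # Staging Bloxel Proxy: static site plus the HLS output of the RTMP app
        "staging.${bloxeldomain}" = {
          addSSL = true;
          enableACME = true;
          root = "/var/www/bloxel-landing-page";
          locations."/bloxcable/hls" = {
            extraConfig = ''
              types {
                application/vnd.apple.mpegurl m3u8;
              }
            '';
          };
        };
      };

      # RTMP ingest on 1945. "allow publish all" means nginx does no
      # authentication of publishers; the RTMPCHAIN firewall rules above are
      # the only restriction on who can push to this port.
      appendConfig = ''
        rtmp {
          server {
            listen 1945;
            chunk_size 4096;
            allow publish all;
            application BloxelesteCA {
              record off;
              live on;
              deny play all;
              hls on;
              hls_path /var/www/bloxel-landing-page/bloxcable/hls;
              hls_fragment_naming system;
              hls_fragment 3;
              hls_playlist_length 40;
            }
          }
        }
      '';
    };

    # Nextcloud server, fronted by the cloud.* vhost above
    nextcloud = {
      enable = true;
      package = pkgs.nextcloud29;
      hostName = "localhost";
      datadir = "/mnt/nextcloud";
      https = true;
      config = {
        adminuser = "jimbo";
        adminpassFile = "/mnt/nextcloud/password.txt";
      };
      settings = {
        trusted_proxies = [ "127.0.0.1" ];
        trusted_domains = [ "cloud.${jimdomain}" ];
        overwriteprotocol = "https";
      };
    };

    # Force Nextcloud's own vhost onto loopback:8080 so only the proxy reaches it
    nginx.virtualHosts."localhost" = {
      listen = [ { addr = "127.0.0.1"; port = 8080; } ];
    };

    # Vaultwarden password manager (no self-service sign-ups)
    vaultwarden = {
      enable = true;
      config = {
        DOMAIN = "https://warden.${jimdomain}";
        SIGNUPS_ALLOWED = false;
        ROCKET_ADDRESS = "127.0.0.1";
        ROCKET_PORT = 8222;
        ROCKET_LOG = "critical";
      };
    };

    # Recipes
    tandoor-recipes = {
      enable = true;
      port = 5030;
    };

    # Gitea: built-in SSH server on 2299, registration closed
    gitea = {
      enable = true;
      settings = {
        server = {
          DOMAIN = "git.${jimdomain}";
          ROOT_URL = "https://git.${jimdomain}:443";
          HTTP_PORT = 3110;
          SSH_PORT = 2299;
          START_SSH_SERVER = true;
        };
        service.DISABLE_REGISTRATION = true;
      };
    };

    # Owncast. Only the live.* vhost (127.0.0.1:8060) talks to the web UI, so
    # keep it on loopback rather than exposing it to every LAN host; the RTMP
    # ingest is a separate port and is not affected by this setting.
    owncast = {
      enable = true;
      port = 8060;
      listen = "127.0.0.1";
    };

    # Coturn for VC
    coturn = rec {
      enable = true;
      no-cli = true;
      no-tcp-relay = true;
      min-port = 49000;
      max-port = 50000;
      use-auth-secret = true;
      realm = "turn.${bloxeldomain}";
      # The shared secret is read from a file at start-up instead of being
      # baked into the world-readable Nix store via static-auth-secret
      static-auth-secret-file = turnSecretFile;
      cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
      pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    };

    # Synapse for Matrix clients (`realm` comes from the coturn config above)
    matrix-synapse = with config.services.coturn; {
      enable = true;
      settings = {
        server_name = "matrix.${bloxeldomain}";
        public_baseurl = "https://matrix.${bloxeldomain}";
        serve_server_wellknown = true;
        # Only nginx (proxying to [::1]:8008) talks to this listener, so bind it
        # to loopback: with x_forwarded the listener trusts X-Forwarded-For,
        # which any LAN host could set itself if it could reach the port.
        listeners = [{
          port = 8008;
          bind_addresses = [ "::1" "127.0.0.1" ];
          resources = [
            { compress = false; names = [ "client" "federation" ]; }
          ];
          type = "http";
          tls = false;
          x_forwarded = true;
        }];
        # Set the type of database
        database.name = "sqlite3";
        # Registration is open but requires a registration token
        enable_registration = true;
        registration_requires_token = true;
        # General settings
        url_preview_enabled = true;
        max_upload_size = "50M";
        report_stats = false;
        # Turn settings; the shared secret is supplied via extraConfigFiles
        turn_uris = [
          "turn:${realm}:3478?transport=udp"
          "turn:${realm}:3478?transport=tcp"
        ];
        turn_user_lifetime = "1h";
        # Ratelimiting
        # NOTE(review): Synapse's rate limits are nested (rc_message.burst_count
        # and friends); a top-level burst_count is probably ignored - confirm
        burst_count = 15;
      };
      # Holds `turn_shared_secret: ...` so the secret never enters the Nix store
      extraConfigFiles = [ synapseTurnSecretFile ];
    };

    # Snowflake proxy for Tor
    snowflake-proxy.enable = true;

    # Fix a nonbuilding issue
    logrotate.checkConfig = false;
  };

  # Let the sandboxed nginx unit write the HLS segments
  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/bloxel-landing-page/bloxcable/hls/" ];

  # Get certificates for Coturn
  security.acme = {
    acceptTerms = true;
    defaults.email = "jimjam4real@gmail.com";
    certs = {
      ${config.services.coturn.realm} = {
        group = "turnserver";
        postRun = "systemctl restart coturn.service";
      };
    };
  };

  # Configure the Element web server
  nixpkgs.config.element-web.conf = {
    default_server_config = {
      "m.homeserver" = {
        base_url = "https://matrix.${bloxeldomain}:443";
        server_name = "matrix.${bloxeldomain}";
      };
    };
    branding = {
      welcome_background_url = "https://images-wixmp-ed30a86b8c4ca887773594c2.wixmp.com/f/6658b953-7c85-4d44-9d97-d10a52d54af1/dhqaf1r-5402b859-340f-44cb-bfc6-eef5d541ae7d.png?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1cm46YXBwOjdlMGQxODg5ODIyNjQzNzNhNWYwZDQxNWVhMGQyNmUwIiwiaXNzIjoidXJuOmFwcDo3ZTBkMTg4OTgyMjY0MzczYTVmMGQ0MTVlYTBkMjZlMCIsIm9iaiI6W1t7InBhdGgiOiJcL2ZcLzY2NThiOTUzLTdjODUtNGQ0NC05ZDk3LWQxMGE1MmQ1NGFmMVwvZGhxYWYxci01NDAyYjg1OS0zNDBmLTQ0Y2ItYmZjNi1lZWY1ZDU0MWFlN2QucG5nIn1dXSwiYXVkIjpbInVybjpzZXJ2aWNlOmZpbGUuZG93bmxvYWQiXX0.jqJL7Sx9JHu4RqiQnKKfxoxXD55ZLgzH4liMXxH6LkM";
      auth_header_logo_url = "https://www.${bloxeldomain}/bloxelcom.png";
    };
    embedded_pages = {
      home_url = "https://www.${bloxeldomain}/";
    };
    disable_custom_urls = true;
    disable_guests = true;
    default_theme = "dark";
  };

  # Enable Docker
  virtualisation.docker = {
    enable = true;
    daemon.settings = {
      log-driver = "json-file";
    };
  };

  # Determine the release version and allow auto-upgrades
  system.stateVersion = "23.11";
  system.autoUpgrade.enable = false;
}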