Jimbo/NixOS-Config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
NixOS-Config/Server/configuration.nix

544 lines
14 KiB
Nix
Raw Blame History

{ config, pkgs, options, lib, ... }:
let
# Import home manager
homeManager = fetchTarball
"https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz";
# Define domains and ips
jimdomain = ''jimbosfiles.com'';
bloxeldomain = ''bloxelcom.net'';
# IPs
localspan = ''192.168.1'';
pc = ''${localspan}.18'';
server = ''${localspan}.17'';
vm = ''${localspan}.70'';
in
{
# Import other nix files and firmware
imports = [
./hardware-configuration.nix
./jimbo.nix
"${homeManager}/nixos"
];
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Allow flakes (I have no clue how they work yet)
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# Allow unfree firmware
hardware.enableRedistributableFirmware = true;
# Choose Grub as the bootloader
boot = {
kernelPackages = pkgs.linuxPackages_xanmod;
loader = {
grub = {
efiSupport = true;
device = "nodev";
};
};
};
# Enable a permissioning system
security = {
sudo.enable = false;
doas = {
enable = true;
extraRules = [
# Give wheel root access, allow persistant session
{ groups = [ "wheel" ]; keepEnv = true; persist = true; }
];
};
};
# Enable the ZSH shell
programs.zsh.enable = true;
# Disable Nano
programs.nano.enable = false;
# Define a user account.
users.users.jimbo = {
isNormalUser = true;
hashedPassword =
"$6$gYpE.pG/zPXgin06$2kydjDfd0K62Dhf9P0PFvJhRNz6xIC/bHYaf/XYqyKcLyZNzPQpy8uy9tCRcSYlj1wwBhzVtTRyItwajOHCEj0";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLe/HioxCOkszFQdm1vb3ZwuzLzsOThqHNvEI4IXeXZ JimPhone"
];
extraGroups = [ "wheel" "docker" ];
uid = 1000;
shell = pkgs.zsh;
};
# Add Nginx to the Turnserver group
users.users.nginx.extraGroups = [ "turnserver" ];
# Installed programs to the system profile.
environment.systemPackages = with pkgs; [
# Essential system tools
git parted mdadm
];
# Define timezone and networking settings
time.timeZone = "America/New_York";
networking = {
# Set hostname
hostName = "JimNixServer";
# Choose networking method
dhcpcd.enable = true;
wireless.enable = false;
# Enable firewall passthrough
firewall = {
allowedTCPPorts = [
# NFS
2049
# Nginx
80 443 8448
# Minecraft
25565 19132
# Gitea
2299
# Coturn
3478 5349
];
allowedTCPPortRanges = [
# Also Azuracast
{ from = 8100; to = 8150; }
];
allowedUDPPorts = [
# Minecraft Voicechat and Bedrock
25565 19132
# Coturn again
3478 5349
];
allowedUDPPortRanges = [
# Coturn
{ from = 49000; to = 50000; }
];
# Extra rules that cannot be done above
extraCommands =
# SSH and game servers from my PC
''
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 2211 -m comment --comment "SSH to PC" -j DNAT --to-destination ${pc}
iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 27005,27015,7777,29000 -m comment --comment "Games" -j DNAT --to-destination ${pc}
'' +
# Sunshine ports for PC and VM
''
iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 48010,47989,47984 -m comment --comment "PC Sunshine TCP" -j DNAT --to-destination ${pc}
iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 47998,47999,48000 -m comment --comment "PC Sunshine UDP" -j DNAT --to-destination ${pc}
iptables -t nat -A PREROUTING -p tcp -m tcp --match multiport --dports 38010,37989,37984 -m comment --comment "VM Sunshine TCP" -j DNAT --to-destination ${vm}
iptables -t nat -A PREROUTING -p udp -m udp --match multiport --dports 37998,37999,38000 -m comment --comment "VM Sunshine UDP" -j DNAT --to-destination ${vm}
'' +
# Set an IP firewall for RTMP
''
iptables -N RTMPCHAIN
iptables -A INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN
iptables -A RTMPCHAIN -s ${pc} -j ACCEPT
iptables -A RTMPCHAIN -s 71.87.124.226 -j ACCEPT
iptables -A RTMPCHAIN -j DROP
'' +
# Finalize forwarding
''
iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE
'';
# Remove the chain and such
extraStopCommands = ''
iptables -D INPUT -p tcp -m tcp --match multiport --dports 1935,1945 -j RTMPCHAIN
iptables -F RTMPCHAIN
iptables -X RTMPCHAIN
'';
# Disallow pinging this server
allowPing = false;
};
nameservers = [
"1.1.1.1"
"9.9.9.9"
];
};
# Boot with compatibility for IP forwarding
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# Enable AppArmor
security.apparmor.enable = true;
# Enable all manner of services
services = {
# SSH
openssh = {
enable = true;
settings = {
LogLevel = "VERBOSE";
PermitRootLogin = "no";
PrintLastLog = "no";
PasswordAuthentication = false;
};
ports = [ 2222 ];
};
# Login attempt lockout
fail2ban = {
enable = true;
maxretry = 5;
ignoreIP = [ "${pc}" "${server}" "${vm}" ];
};
# NFS server
nfs.server = {
enable = true;
exports = ''
/export/JimboNFS ${localspan}.0/24(rw,nohide,insecure,no_subtree_check)
'';
};
# Nginx reverse proxy
nginx = {
enable = true;
package = (pkgs.nginxMainline.override { modules = [ pkgs.nginxModules.rtmp ]; });
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
# Nextcloud Proxy
"cloud.${jimdomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
};
# Vaultwarden Proxy
"warden.${jimdomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true;
};
};
# Recipes Proxy
"recipes.${jimdomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5030";
proxyWebsockets = true;
};
};
# Bluemap Proxy
"bluemap.${jimdomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:31010";
proxyWebsockets = true;
};
};
# Gitea Proxy
"git.${jimdomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3110";
proxyWebsockets = true;
};
};
# Matrix Proxy
"matrix.${bloxeldomain}" = {
enableACME = true;
forceSSL = true;
listen = [
{ addr = "[::]"; port = 80; ssl = false; }
{ addr = "0.0.0.0"; port = 80; ssl = false; }
{ addr = "[::]"; port = 443; ssl = true; }
{ addr = "0.0.0.0"; port = 443; ssl = true; }
{ addr = "[::]"; port = 8448; ssl = true; }
{ addr = "0.0.0.0"; port = 8448; ssl = true; }
];
locations."/_matrix".proxyPass = "http://[::1]:8008";
locations."/_synapse".proxyPass = "http://[::1]:8008";
locations."/.well-known".proxyPass = "http://[::1]:8008";
};
# Element Proxy
"chat.${bloxeldomain}" = {
addSSL = true;
enableACME = true;
root = "${pkgs.element-web}";
};
# Coturn Proxy
"turn.${bloxeldomain}" = {
enableACME = true;
forceSSL = true;
listen = [
{ addr = "[::]"; port = 80; ssl = false; }
{ addr = "0.0.0.0"; port = 80; ssl = false; }
];
locations."/".proxyPass = "http://[::1]:1380";
};
# Radio Proxy
"wbxdradio.${bloxeldomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:255";
proxyWebsockets = true;
};
};
# Streaming proxy
"live.${bloxeldomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8060";
proxyWebsockets = true;
};
};
# Staging Bloxel Proxy
"staging.${bloxeldomain}" = {
addSSL = true;
enableACME = true;
root = "/var/www/bloxel-landing-page";
locations."/bloxcable/hls" = {
extraConfig = ''
types {
application/vnd.apple.mpegurl m3u8;
}
'';
};
};
};
appendConfig = ''
rtmp {
server {
listen 1945;
chunk_size 4096;
allow publish all;
application BloxelesteCA {
record off;
live on;
deny play all;
hls on;
hls_path /var/www/bloxel-landing-page/bloxcable/hls;
hls_fragment_naming system;
hls_fragment 3;
hls_playlist_length 40;
}
}
}
'';
};
# Nextcloud server
nextcloud = {
enable = true;
package = pkgs.nextcloud29;
hostName = "localhost";
datadir = "/mnt/nextcloud";
https = true;
config = {
adminuser = "jimbo";
adminpassFile = "/mnt/nextcloud/password.txt";
};
settings = {
trusted_proxies = [ "127.0.0.1" ];
trusted_domains = [ "cloud.${jimdomain}" ];
overwriteprotocol = "https";
};
};
# Force Nextcloud to use a different port
nginx.virtualHosts."localhost" = {
listen = [ { addr = "127.0.0.1"; port = 8080; } ];
};
# Vaultwarden password manager
vaultwarden = {
enable = true;
config = {
DOMAIN = "https://warden.${jimdomain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
};
};
# Recipes
tandoor-recipes = {
enable = true;
port = 5030;
};
# Gitea
gitea = {
enable = true;
settings = {
server = {
DOMAIN = "git.${jimdomain}";
ROOT_URL = "https://git.${jimdomain}:443";
HTTP_PORT = 3110;
SSH_PORT = 2299;
START_SSH_SERVER = true;
};
service.DISABLE_REGISTRATION = true;
};
};
# Owncast
owncast = {
enable = true;
port = 8060;
listen = "0.0.0.0";
};
# Coturn for VC
coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
realm = "turn.${bloxeldomain}";
static-auth-secret = "will be world readable for local users :(";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
};
# Synapse for Matrix clients
matrix-synapse = with config.services.coturn; {
enable = true;
settings = {
server_name = "matrix.${bloxeldomain}";
public_baseurl = "https://matrix.${bloxeldomain}";
serve_server_wellknown = true;
# Set the network config
listeners = [{
# Client config
port = 8008;
bind_addresses = [ "::" "0.0.0.0" ];
resources = [ { compress = false; names = [ "client" "federation" ]; } ];
type = "http";
tls = false;
x_forwarded = true;
}];
# Set the type of database
database.name = "sqlite3";
# Allow account registration
enable_registration = true;
registration_requires_token = true;
# General settings
url_preview_enabled = true;
max_upload_size = "50M";
report_stats = false;
# Turn settings
turn_uris = [ "turn:${realm}:3478?transport=udp" "turn:${realm}:3478?transport=tcp" ];
turn_shared_secret = static-auth-secret;
turn_user_lifetime = "1h";
# Ratelimiting
burst_count = 15;
};
};
# Snowflake proxy for Tor
snowflake-proxy.enable = true;
# Fix a nonbuilding issue
logrotate.checkConfig = false;
};
# Make Nginx not shit itself
systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www/bloxel-landing-page/bloxcable/hls/" ];
# Get certificates for Coturn
security.acme = {
acceptTerms = true;
defaults.email = "jimjam4real@gmail.com";
certs = {
${config.services.coturn.realm} = {
group = "turnserver";
postRun = "systemctl restart coturn.service";
};
};
};
# Configure the Element web server
nixpkgs.config.element-web.conf = {
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.${bloxeldomain}:443";
server_name = "matrix.${bloxeldomain}";
};
};
branding = {
welcome_background_url = "https://images-wixmp-ed30a86b8c4ca887773594c2.wixmp.com/f/6658b953-7c85-4d44-9d97-d10a52d54af1/dhqaf1r-5402b859-340f-44cb-bfc6-eef5d541ae7d.png?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1cm46YXBwOjdlMGQxODg5ODIyNjQzNzNhNWYwZDQxNWVhMGQyNmUwIiwiaXNzIjoidXJuOmFwcDo3ZTBkMTg4OTgyMjY0MzczYTVmMGQ0MTVlYTBkMjZlMCIsIm9iaiI6W1t7InBhdGgiOiJcL2ZcLzY2NThiOTUzLTdjODUtNGQ0NC05ZDk3LWQxMGE1MmQ1NGFmMVwvZGhxYWYxci01NDAyYjg1OS0zNDBmLTQ0Y2ItYmZjNi1lZWY1ZDU0MWFlN2QucG5nIn1dXSwiYXVkIjpbInVybjpzZXJ2aWNlOmZpbGUuZG93bmxvYWQiXX0.jqJL7Sx9JHu4RqiQnKKfxoxXD55ZLgzH4liMXxH6LkM";
auth_header_logo_url = "https://www.${bloxeldomain}/bloxelcom.png";
};
embedded_pages = {
home_url = "https://www.${bloxeldomain}/";
};
disable_custom_urls = true;
disable_guests = true;
default_theme = "dark";
};
# Enable Docker
virtualisation.docker = {
enable = true;
daemon.settings = {
log-driver = "json-file";
};
};
# Determine the release version and allow auto-upgrades
system.stateVersion = "23.11";
system.autoUpgrade.enable = false;
}
Reference in a new issue View git blame Copy permalink