tlaternet-server/configuration/default.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

146 lines
3.1 KiB
Nix
Raw Permalink Normal View History

2022-10-29 00:13:44 +01:00
{ config
, pkgs
, lib
, modulesPath
, flake-inputs
, ...
}: {
imports = [
2024-03-02 01:27:24 +00:00
flake-inputs.disko.nixosModules.disko
flake-inputs.sops-nix.nixosModules.sops
flake-inputs.tlaternet-webserver.nixosModules.default
2022-10-30 17:43:52 +00:00
"${modulesPath}/profiles/minimal.nix"
(import ../modules)
./services/afvalcalendar.nix
./services/backups.nix
2024-04-08 19:02:53 +01:00
./services/battery-manager.nix
2022-10-21 20:48:14 +01:00
./services/conduit.nix
./services/fail2ban.nix
2023-04-23 15:46:38 +01:00
./services/foundryvtt.nix
./services/gitea.nix
./services/metrics
./services/nextcloud.nix
./services/webserver.nix
2023-04-23 15:46:38 +01:00
./services/wireguard.nix
2022-04-23 04:08:45 +01:00
./services/starbound.nix
./services/postgres.nix
./nginx.nix
./sops.nix
];
nixpkgs.overlays = [
(final: prev: {
local = import ../pkgs {
pkgs = prev;
2022-10-17 11:00:02 +01:00
lib = prev.lib;
};
})
];
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
# Enable remote builds from tlater
settings.trusted-users = [ "@wheel" ];
};
2022-04-23 04:08:45 +01:00
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) [ "steam-original" "steam-runtime" "steam-run" "steamcmd" ];
2022-04-23 04:08:45 +01:00
# Optimization for minecraft servers, see:
# https://bugs.mojang.com/browse/MC-183518
boot.kernelParams = [ "highres=off" "nohz=off" ];
networking = {
usePredictableInterfaceNames = false;
useDHCP = false;
2022-10-29 00:13:44 +01:00
firewall = {
allowedTCPPorts = [
# http
80
443
# ssh
2222
# matrix
8448
# starbound
21025
# Minecraft
25565
2022-10-29 00:13:44 +01:00
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
2022-10-29 00:13:44 +01:00
];
allowedUDPPorts = [
# More minecraft
25565
2022-10-29 00:13:44 +01:00
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
2022-10-29 00:13:44 +01:00
];
allowedUDPPortRanges = [
{
from = config.services.coturn.min-port;
to = config.services.coturn.max-port;
}
];
};
};
2023-04-23 15:46:38 +01:00
systemd.network.enable = true;
time.timeZone = "Europe/London";
users.users.tlater = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keyFiles = [ ../keys/tlater.pub ];
};
services = {
openssh = {
enable = true;
allowSFTP = false;
ports = [ 2222 ];
startWhenNeeded = true;
settings = {
GatewayPorts = "yes";
PermitRootLogin = "no";
PasswordAuthentication = false;
};
2023-07-28 10:23:56 +01:00
};
logrotate.enable = true;
};
security = {
sudo.execWheelOnly = true;
pam = {
2024-06-13 23:49:12 +01:00
sshAgentAuth = {
enable = true;
authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
};
services.sudo.sshAgentAuth = true;
};
};
2022-10-30 17:43:52 +00:00
# Remove some unneeded packages
environment.defaultPackages = [ ];
system.stateVersion = "20.09";
}