tlaternet-server/configuration/default.nix

175 lines
3.6 KiB
Nix
Raw Normal View History

{
2022-10-29 00:13:44 +01:00
config,
pkgs,
lib,
modulesPath,
flake-inputs,
...
}: {
imports = [
flake-inputs.sops-nix.nixosModules.sops
flake-inputs.tlaternet-webserver.nixosModules.default
"${modulesPath}/profiles/headless.nix"
2022-10-30 17:43:52 +00:00
"${modulesPath}/profiles/minimal.nix"
(import ../modules)
2023-09-22 05:20:36 +01:00
./services/backups.nix
2022-10-21 20:48:14 +01:00
./services/conduit.nix
2023-04-23 15:46:38 +01:00
./services/foundryvtt.nix
./services/gitea.nix
2023-09-25 02:32:04 +01:00
./services/metrics.nix
./services/nextcloud.nix
./services/webserver.nix
2023-04-23 15:46:38 +01:00
./services/wireguard.nix
2022-04-23 04:08:45 +01:00
./services/starbound.nix
./services/postgres.nix
./sops.nix
];
nixpkgs.overlays = [
(final: prev: {
local = import ../pkgs {
pkgs = prev;
2022-10-17 11:00:02 +01:00
lib = prev.lib;
};
})
];
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
# Enable remote builds from tlater
settings.trusted-users = ["@wheel"];
};
2022-04-23 04:08:45 +01:00
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) ["steam-original" "steam-runtime" "steam-run" "steamcmd"];
2022-04-23 04:08:45 +01:00
# Optimization for minecraft servers, see:
# https://bugs.mojang.com/browse/MC-183518
boot.kernelParams = ["highres=off" "nohz=off"];
networking = {
hostName = "tlaternet";
usePredictableInterfaceNames = false;
useDHCP = false;
2022-10-29 00:13:44 +01:00
firewall = {
allowedTCPPorts = [
# http
80
443
# ssh
2222
# matrix
8448
# starbound
21025
# Minecraft
25565
2022-10-29 00:13:44 +01:00
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
2022-10-29 00:13:44 +01:00
];
allowedUDPPorts = [
# More minecraft
25565
2022-10-29 00:13:44 +01:00
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
2022-10-29 00:13:44 +01:00
];
allowedUDPPortRanges = [
{
from = config.services.coturn.min-port;
to = config.services.coturn.max-port;
}
];
};
};
2023-04-23 15:46:38 +01:00
systemd.network.enable = true;
time.timeZone = "Europe/London";
users.users.tlater = {
isNormalUser = true;
extraGroups = ["wheel"];
openssh.authorizedKeys.keyFiles = [../keys/tlater.pub];
};
services.openssh = {
enable = true;
allowSFTP = false;
ports = [2222];
startWhenNeeded = true;
2023-07-28 10:23:56 +01:00
settings = {
GatewayPorts = "yes";
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
security = {
sudo.execWheelOnly = true;
pam = {
enableSSHAgentAuth = true;
services.sudo.sshAgentAuth = true;
};
};
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "10G";
domain = "tlater.net";
2023-10-02 21:53:56 +01:00
statusPage = true; # For metrics, should be accessible only from localhost
};
security.acme = {
defaults.email = "tm@tlater.net";
acceptTerms = true;
};
2022-10-14 01:11:15 +01:00
services.fail2ban = {
enable = true;
extraPackages = [pkgs.ipset];
banaction = "iptables-ipset-proto6-allports";
bantime-increment.enable = true;
jails = {
nginx-botsearch = ''
enabled = true
logpath = /var/log/nginx/access.log
'';
};
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
};
2022-10-30 17:43:52 +00:00
# Remove some unneeded packages
environment.defaultPackages = [];
system.stateVersion = "20.09";
}