# Host configuration for "tlaternet": headless/minimal NixOS profile plus the
# service modules under ./services, with the firewall, SSH, nginx logging,
# logrotate and fail2ban glue that those services share.
{ config, pkgs, lib, modulesPath, flake-inputs, ... }:
let
  inherit (config.services) coturn nginx;

  # Ports coturn listens on; read from the coturn module so they track any
  # override of that service's configuration.  Opened on both TCP and UDP.
  coturnPorts = [
    coturn.listening-port
    coturn.tls-listening-port
    coturn.alt-listening-port
    coturn.alt-tls-listening-port
  ];

  minecraftPort = 25565;

  # Layout of per-virtual-host nginx logs; logrotate and the tmpfiles rules
  # below both derive their paths from these.
  vhostLogDir = vhost: "/var/log/nginx/${vhost}";
  vhostAccessLog = vhost: "${vhostLogDir vhost}/access.log";

  # Only these unfree packages may be evaluated (needed for the Steam-based
  # game servers).
  allowedUnfree = ["steam-original" "steam-runtime" "steam-run" "steamcmd"];
in
{
  imports = [
    flake-inputs.sops-nix.nixosModules.sops
    flake-inputs.tlaternet-webserver.nixosModules.default
    "${modulesPath}/profiles/headless.nix"
    "${modulesPath}/profiles/minimal.nix"
    (import ../modules)
    ./services/backups.nix
    ./services/conduit.nix
    ./services/foundryvtt.nix
    ./services/gitea.nix
    ./services/metrics.nix
    ./services/nextcloud.nix
    ./services/webserver.nix
    ./services/wireguard.nix
    ./services/starbound.nix
    ./services/postgres.nix
    ./sops.nix
  ];

  # Expose the local package set as `pkgs.local`.
  nixpkgs.overlays = [
    (final: prev: {
      local = import ../pkgs {
        pkgs = prev;
        lib = prev.lib;
      };
    })
  ];

  nixpkgs.config.allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) allowedUnfree;

  nix = {
    package = pkgs.nixFlakes;
    extraOptions = ''
      experimental-features = nix-command flakes
    '';
    # Enable remote builds from tlater.  Trusted users may pass arbitrary
    # settings to the daemon, so this is effectively a root-equivalent grant
    # and is kept to the wheel group.
    settings.trusted-users = ["@wheel"];
  };

  # Optimization for minecraft servers, see:
  # https://bugs.mojang.com/browse/MC-183518
  boot.kernelParams = ["highres=off" "nohz=off"];

  networking = {
    hostName = "tlaternet";
    usePredictableInterfaceNames = false;
    useDHCP = false;

    firewall = {
      allowedTCPPorts =
        [
          # http
          80
          443
          # ssh
          2222
          # matrix
          8448
          # starbound
          21025
          # Minecraft
          minecraftPort
        ]
        ++ coturnPorts;

      allowedUDPPorts =
        [
          # More minecraft
          minecraftPort
        ]
        ++ coturnPorts;

      # TURN relay port range.
      allowedUDPPortRanges = [
        {
          from = coturn.min-port;
          to = coturn.max-port;
        }
      ];
    };
  };

  systemd.network.enable = true;
  time.timeZone = "Europe/London";

  users.users.tlater = {
    isNormalUser = true;
    extraGroups = ["wheel"];
    openssh.authorizedKeys.keyFiles = [../keys/tlater.pub];
  };

  services.openssh = {
    enable = true;
    allowSFTP = false;
    ports = [2222];
    startWhenNeeded = true;
    settings = {
      # Remote port forwards may bind on non-loopback addresses; what is
      # actually reachable from outside is still limited by the firewall above.
      GatewayPorts = "yes";
      PermitRootLogin = "no";
      # Key-based login only.
      PasswordAuthentication = false;
    };
  };

  security = {
    sudo.execWheelOnly = true;
    # Let wheel users authenticate sudo with a forwarded SSH agent key.
    pam = {
      enableSSHAgentAuth = true;
      services.sudo.sshAgentAuth = true;
    };
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    # Applies to every virtual host; presumably sized for large uploads
    # (e.g. Nextcloud) -- confirm this is intended globally.
    clientMaxBodySize = "10G";
    domain = "tlater.net";
    statusPage = true; # For metrics, should be accessible only from localhost
    # Access-log format that also records upstream timings, for the metrics stack.
    commonHttpConfig = ''
      log_format upstream_time '$remote_addr - $remote_user [$time_local] '
          '"$request" $status $body_bytes_sent '
          '"$http_referer" "$http_user_agent" '
          'rt=$request_time uct="$upstream_connect_time" '
          'uht="$upstream_header_time" urt="$upstream_response_time"';
    '';
  };

  # One logrotate entry per nginx virtual host, rotating its access log and
  # signalling nginx to reopen log files afterwards.
  services.logrotate = {
    enable = true;
    settings = lib.listToAttrs (map (vhost: {
      name = vhostAccessLog vhost;
      value = {
        frequency = "daily";
        rotate = 2;
        compress = true;
        delaycompress = true;
        su = "${nginx.user} ${nginx.group}";
        postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
      };
    }) (lib.attrNames nginx.virtualHosts));
  };

  # Create the per-virtual-host log directories, owned by nginx and not
  # world-readable.
  systemd.tmpfiles.rules = map (
    vhost: "d ${vhostLogDir vhost} 0750 ${nginx.user} ${nginx.group}"
  ) (lib.attrNames nginx.virtualHosts);

  security.acme = {
    defaults.email = "tm@tlater.net";
    acceptTerms = true;
  };

  services.fail2ban = {
    enable = true;
    extraPackages = [pkgs.ipset];
    banaction = "iptables-ipset-proto6-allports";
    bantime-increment.enable = true;
    jails = {
      # NOTE(review): this watches the single default access log, while the
      # logrotate/tmpfiles rules above lay out logs per virtual host under
      # /var/log/nginx/<vhost>/ -- confirm against the vhost definitions that
      # the file watched here is the one actually written to.
      nginx-botsearch = ''
        enabled = true
        logpath = /var/log/nginx/access.log
      '';
    };
    # Never ban loopback or private ranges (local tooling, VPN peers).
    ignoreIP = [
      "127.0.0.0/8"
      "10.0.0.0/8"
      "172.16.0.0/12"
      "192.168.0.0/16"
    ];
  };

  # Remove some unneeded packages
  environment.defaultPackages = [];

  system.stateVersion = "20.09";
}