Tristan Daniël Maat
222829d82a
This includes the really huge steam-run closure, which is just a PITA to keep up with if we're never using it.
143 lines
3 KiB
Nix
143 lines
3 KiB
Nix
{ config
|
|
, pkgs
|
|
, lib
|
|
, modulesPath
|
|
, flake-inputs
|
|
, ...
|
|
}: {
|
|
imports = [
|
|
flake-inputs.disko.nixosModules.disko
|
|
flake-inputs.sops-nix.nixosModules.sops
|
|
flake-inputs.tlaternet-webserver.nixosModules.default
|
|
|
|
"${modulesPath}/profiles/minimal.nix"
|
|
(import ../modules)
|
|
|
|
./services/afvalcalendar.nix
|
|
./services/backups.nix
|
|
./services/battery-manager.nix
|
|
./services/conduit.nix
|
|
./services/fail2ban.nix
|
|
./services/foundryvtt.nix
|
|
./services/gitea.nix
|
|
./services/metrics
|
|
./services/nextcloud.nix
|
|
./services/webserver.nix
|
|
./services/wireguard.nix
|
|
# ./services/starbound.nix -- Not currently used
|
|
./services/postgres.nix
|
|
./nginx.nix
|
|
./sops.nix
|
|
];
|
|
|
|
nixpkgs.overlays = [
|
|
(final: prev: {
|
|
local = import ../pkgs {
|
|
pkgs = prev;
|
|
lib = prev.lib;
|
|
};
|
|
})
|
|
];
|
|
|
|
nix = {
|
|
package = pkgs.nixFlakes;
|
|
extraOptions = ''
|
|
experimental-features = nix-command flakes
|
|
'';
|
|
|
|
# Enable remote builds from tlater
|
|
settings.trusted-users = [ "@wheel" ];
|
|
};
|
|
|
|
# Optimization for minecraft servers, see:
|
|
# https://bugs.mojang.com/browse/MC-183518
|
|
boot.kernelParams = [ "highres=off" "nohz=off" ];
|
|
|
|
networking = {
|
|
usePredictableInterfaceNames = false;
|
|
useDHCP = false;
|
|
|
|
firewall = {
|
|
allowedTCPPorts = [
|
|
# http
|
|
80
|
|
443
|
|
# ssh
|
|
2222
|
|
# matrix
|
|
8448
|
|
# starbound
|
|
21025
|
|
# Minecraft
|
|
25565
|
|
|
|
config.services.coturn.listening-port
|
|
config.services.coturn.tls-listening-port
|
|
config.services.coturn.alt-listening-port
|
|
config.services.coturn.alt-tls-listening-port
|
|
];
|
|
|
|
allowedUDPPorts = [
|
|
# More minecraft
|
|
25565
|
|
|
|
config.services.coturn.listening-port
|
|
config.services.coturn.tls-listening-port
|
|
config.services.coturn.alt-listening-port
|
|
config.services.coturn.alt-tls-listening-port
|
|
];
|
|
|
|
allowedUDPPortRanges = [
|
|
{
|
|
from = config.services.coturn.min-port;
|
|
to = config.services.coturn.max-port;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
systemd.network.enable = true;
|
|
|
|
time.timeZone = "Europe/London";
|
|
|
|
users.users.tlater = {
|
|
isNormalUser = true;
|
|
extraGroups = [ "wheel" ];
|
|
openssh.authorizedKeys.keyFiles = [ ../keys/tlater.pub ];
|
|
};
|
|
|
|
services = {
|
|
openssh = {
|
|
enable = true;
|
|
allowSFTP = false;
|
|
ports = [ 2222 ];
|
|
startWhenNeeded = true;
|
|
|
|
settings = {
|
|
GatewayPorts = "yes";
|
|
PermitRootLogin = "no";
|
|
PasswordAuthentication = false;
|
|
};
|
|
};
|
|
|
|
logrotate.enable = true;
|
|
};
|
|
|
|
security = {
|
|
sudo.execWheelOnly = true;
|
|
|
|
pam = {
|
|
sshAgentAuth = {
|
|
enable = true;
|
|
authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
|
|
};
|
|
services.sudo.sshAgentAuth = true;
|
|
};
|
|
};
|
|
|
|
# Remove some unneeded packages
|
|
environment.defaultPackages = [ ];
|
|
|
|
system.stateVersion = "20.09";
|
|
}
|