tlaternet-server/configuration/default.nix

171 lines
3.5 KiB
Nix

{
config,
pkgs,
lib,
modulesPath,
flake-inputs,
...
}: {
imports = [
flake-inputs.sops-nix.nixosModules.sops
flake-inputs.tlaternet-webserver.nixosModules.default
"${modulesPath}/profiles/headless.nix"
"${modulesPath}/profiles/minimal.nix"
(import ../modules)
./services/conduit.nix
./services/foundryvtt.nix
./services/gitea.nix
./services/nextcloud.nix
./services/webserver.nix
./services/wireguard.nix
./services/starbound.nix
./services/postgres.nix
./sops.nix
];
nixpkgs.overlays = [
(final: prev: {
local = import ../pkgs {
pkgs = prev;
lib = prev.lib;
};
})
];
nix = {
package = pkgs.nixFlakes;
extraOptions = ''
experimental-features = nix-command flakes
'';
# Enable remote builds from tlater
settings.trusted-users = ["@wheel"];
};
nixpkgs.config.allowUnfreePredicate = pkg:
builtins.elem (lib.getName pkg) ["steam-original" "steam-runtime" "steam-run" "steamcmd"];
# Optimization for minecraft servers, see:
# https://bugs.mojang.com/browse/MC-183518
boot.kernelParams = ["highres=off" "nohz=off"];
networking = {
hostName = "tlaternet";
usePredictableInterfaceNames = false;
useDHCP = false;
firewall = {
allowedTCPPorts = [
# http
80
443
# ssh
2222
# matrix
8448
# starbound
21025
# Minecraft
25565
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
];
allowedUDPPorts = [
# More minecraft
25565
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
config.services.coturn.alt-tls-listening-port
];
allowedUDPPortRanges = [
{
from = config.services.coturn.min-port;
to = config.services.coturn.max-port;
}
];
};
};
systemd.network.enable = true;
time.timeZone = "Europe/London";
users.users.tlater = {
isNormalUser = true;
extraGroups = ["wheel"];
openssh.authorizedKeys.keyFiles = [../keys/tlater.pub];
};
services.openssh = {
enable = true;
allowSFTP = false;
ports = [2222];
startWhenNeeded = true;
settings = {
GatewayPorts = "yes";
PermitRootLogin = "no";
PasswordAuthentication = false;
};
};
security = {
sudo.execWheelOnly = true;
pam = {
enableSSHAgentAuth = true;
services.sudo.sshAgentAuth = true;
};
};
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
clientMaxBodySize = "10G";
domain = "tlater.net";
};
security.acme = {
defaults.email = "tm@tlater.net";
acceptTerms = true;
};
services.fail2ban = {
enable = true;
extraPackages = [pkgs.ipset];
banaction = "iptables-ipset-proto6-allports";
bantime-increment.enable = true;
jails = {
nginx-botsearch = ''
enabled = true
logpath = /var/log/nginx/access.log
'';
};
ignoreIP = [
"127.0.0.0/8"
"10.0.0.0/8"
"172.16.0.0/12"
"192.168.0.0/16"
];
};
# Remove some unneeded packages
environment.defaultPackages = [];
system.stateVersion = "20.09";
}