174 lines
3.6 KiB
Nix
174 lines
3.6 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
modulesPath,
|
|
flake-inputs,
|
|
...
|
|
}: {
|
|
imports = [
|
|
flake-inputs.sops-nix.nixosModules.sops
|
|
flake-inputs.tlaternet-webserver.nixosModules.default
|
|
|
|
"${modulesPath}/profiles/headless.nix"
|
|
"${modulesPath}/profiles/minimal.nix"
|
|
(import ../modules)
|
|
|
|
./services/backups.nix
|
|
./services/conduit.nix
|
|
./services/foundryvtt.nix
|
|
./services/gitea.nix
|
|
./services/metrics.nix
|
|
./services/nextcloud.nix
|
|
./services/webserver.nix
|
|
./services/wireguard.nix
|
|
./services/starbound.nix
|
|
./services/postgres.nix
|
|
./sops.nix
|
|
];
|
|
|
|
nixpkgs.overlays = [
|
|
(final: prev: {
|
|
local = import ../pkgs {
|
|
pkgs = prev;
|
|
lib = prev.lib;
|
|
};
|
|
})
|
|
];
|
|
|
|
nix = {
|
|
package = pkgs.nixFlakes;
|
|
extraOptions = ''
|
|
experimental-features = nix-command flakes
|
|
'';
|
|
|
|
# Enable remote builds from tlater
|
|
settings.trusted-users = ["@wheel"];
|
|
};
|
|
|
|
nixpkgs.config.allowUnfreePredicate = pkg:
|
|
builtins.elem (lib.getName pkg) ["steam-original" "steam-runtime" "steam-run" "steamcmd"];
|
|
|
|
# Optimization for minecraft servers, see:
|
|
# https://bugs.mojang.com/browse/MC-183518
|
|
boot.kernelParams = ["highres=off" "nohz=off"];
|
|
|
|
networking = {
|
|
hostName = "tlaternet";
|
|
usePredictableInterfaceNames = false;
|
|
useDHCP = false;
|
|
|
|
firewall = {
|
|
allowedTCPPorts = [
|
|
# http
|
|
80
|
|
443
|
|
# ssh
|
|
2222
|
|
# matrix
|
|
8448
|
|
# starbound
|
|
21025
|
|
# Minecraft
|
|
25565
|
|
|
|
config.services.coturn.listening-port
|
|
config.services.coturn.tls-listening-port
|
|
config.services.coturn.alt-listening-port
|
|
config.services.coturn.alt-tls-listening-port
|
|
];
|
|
|
|
allowedUDPPorts = [
|
|
# More minecraft
|
|
25565
|
|
|
|
config.services.coturn.listening-port
|
|
config.services.coturn.tls-listening-port
|
|
config.services.coturn.alt-listening-port
|
|
config.services.coturn.alt-tls-listening-port
|
|
];
|
|
|
|
allowedUDPPortRanges = [
|
|
{
|
|
from = config.services.coturn.min-port;
|
|
to = config.services.coturn.max-port;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
|
|
systemd.network.enable = true;
|
|
|
|
time.timeZone = "Europe/London";
|
|
|
|
users.users.tlater = {
|
|
isNormalUser = true;
|
|
extraGroups = ["wheel"];
|
|
openssh.authorizedKeys.keyFiles = [../keys/tlater.pub];
|
|
};
|
|
|
|
services.openssh = {
|
|
enable = true;
|
|
allowSFTP = false;
|
|
ports = [2222];
|
|
startWhenNeeded = true;
|
|
|
|
settings = {
|
|
GatewayPorts = "yes";
|
|
PermitRootLogin = "no";
|
|
PasswordAuthentication = false;
|
|
};
|
|
};
|
|
|
|
security = {
|
|
sudo.execWheelOnly = true;
|
|
|
|
pam = {
|
|
enableSSHAgentAuth = true;
|
|
services.sudo.sshAgentAuth = true;
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedProxySettings = true;
|
|
clientMaxBodySize = "10G";
|
|
domain = "tlater.net";
|
|
|
|
statusPage = true; # For metrics, should be accessible only from localhost
|
|
};
|
|
|
|
security.acme = {
|
|
defaults.email = "tm@tlater.net";
|
|
acceptTerms = true;
|
|
};
|
|
|
|
services.fail2ban = {
|
|
enable = true;
|
|
extraPackages = [pkgs.ipset];
|
|
banaction = "iptables-ipset-proto6-allports";
|
|
bantime-increment.enable = true;
|
|
|
|
jails = {
|
|
nginx-botsearch = ''
|
|
enabled = true
|
|
logpath = /var/log/nginx/access.log
|
|
'';
|
|
};
|
|
|
|
ignoreIP = [
|
|
"127.0.0.0/8"
|
|
"10.0.0.0/8"
|
|
"172.16.0.0/12"
|
|
"192.168.0.0/16"
|
|
];
|
|
};
|
|
|
|
# Remove some unneeded packages
|
|
environment.defaultPackages = [];
|
|
|
|
system.stateVersion = "20.09";
|
|
}
|