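# NixOS configuration for the host "server": media/torrent stack, Forgejo,
# Nextcloud, Matrix (Synapse + Telegram bridge), coturn, Blocky DNS and a
# modded Minecraft server. Runtime secrets are read from files under
# /etc/secrets/ so that they do not end up in the world-readable Nix store.
{
  config,
  pkgs,
  lib,
  inputs,
  system,
  ...
}: let
  # Port numbers and shared paths are kept in settings.nix.
  settings = import ./settings.nix {};
  # Map every name in `names` to the same `ip`; used for the Blocky DNS tables.
  mapNamesTo = names: ip: lib.genAttrs names (_: ip);
in {
  imports = [
    ./hardware-configuration.nix
    ./containers.nix
    ./caddy.nix
    inputs.nix-minecraft.nixosModules.minecraft-servers
  ];
  nixpkgs = {
    overlays = [inputs.nix-minecraft.overlay];
    config.allowUnfree = true;
  };
  # Unattended upgrades from the flake in /etc/nixos. Note that the
  # nixos-upgrade unit below bumps every flake input first, so whatever the
  # inputs publish is built, activated and (if needed) rebooted into without
  # any review step.
  system.autoUpgrade = {
    enable = true;
    allowReboot = true;
    flake = "/etc/nixos";
  };
  nix = {
    gc = {
      automatic = true;
      dates = "weekly";
    };
    optimise = {
      automatic = true;
      dates = ["06:00"];
    };
    settings = {
      experimental-features = ["nix-command" "flakes"];
      auto-optimise-store = true;
      allowed-users = [
        "@wheel"
        "owo"
      ];
    };
  };
  boot = {
    supportedFilesystems = ["ntfs" "btrfs" "mergerfs"];
    tmp.cleanOnBoot = true;
    kernelPackages = pkgs.linuxPackages_latest;
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
  };
  systemd.services = {
    tailscaled.environment = {
      TS_NO_LOGS_NO_SUPPORT = "true";
    };
    # Runs when nixos-upgrade.service fails: collects the journal of that
    # invocation and pushes it to ntfy. Runs as root.
    nixos-upgrade-failure = let
      NTFY_DOMAIN = "ntfy.catnip.ee";
    in {
      path = with pkgs; ["/run/wrappers" "/run/current-system/sw" curl];
      script = ''
        # Private temp file instead of a fixed, predictable path in /tmp
        # (this script runs as root); removed on every exit path.
        logfile=$(mktemp)
        trap 'rm -f "$logfile"' EXIT
        journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show --value -p InvocationID nixos-upgrade.service)" > "$logfile"
        # -f makes a rejected upload fail the unit instead of passing silently.
        curl -fsS -T "$logfile" \
          -H "Filename: failure-logs.txt" \
          -H "Title: Nixos auto upgrade failed for $(hostname)" \
          "https://${NTFY_DOMAIN}/$NTFY_TOPIC"
      '';
      serviceConfig = {
        User = "root";
        # Contains NTFY_TOPIC=
        EnvironmentFile = "/etc/secrets/NTFY.env";
      };
    };
    nixos-upgrade = {
      onFailure = ["nixos-upgrade-failure.service"];
      # Before each upgrade: pull, update all flake inputs and push the new
      # lock file. Runs as root, so root needs git push credentials for the
      # /etc/nixos remote.
      serviceConfig.ExecStartPre = pkgs.writeShellScript "update.sh" ''
        cd ${config.system.autoUpgrade.flake}
        ${lib.getExe pkgs.git} pull
        ${lib.getExe pkgs.nix} flake update --commit-lock-file
        ${lib.getExe pkgs.git} push
      '';
    };
    # Modded Minecraft server (All of Fabric 7) run from owo's home directory.
    modded-mc-server = {
      enable = true;
      path = with pkgs; [
        openjdk17-bootstrap
        mcrcon
      ];
      serviceConfig = {
        User = "owo";
        WorkingDirectory = "/home/owo/Documents/aof7";
        ExecStart = pkgs.writeShellScript "start.sh" ''
          cd /home/owo/Documents/aof7
          java -jar serverstarter-2.4.0.jar
        '';
        # Graceful stop over RCON, then wait for the JVM to exit.
        # NOTE(review): the RCON password is a literal here, so it lands in the
        # world-readable Nix store and in the process list while mcrcon runs;
        # move it to an EnvironmentFile like the other units' secrets.
        ExecStop = pkgs.writeShellScript "stop.sh" ''
          mcrcon -H localhost -P 25575 -p "12345" stop
          while kill -0 $MAINPID 2>/dev/null
          do
            sleep 0.5
          done
        '';
        Restart = "always";
      };
      wantedBy = ["default.target"];
    };
    # Sandboxed with DynamicUser: no home, no devices, no new namespaces,
    # read-only system, native syscalls only.
    lastfm-status = let
      package = inputs.lastfm-status.packages.${system}.default;
    in {
      enable = true;
      serviceConfig = {
        DynamicUser = true;
        ProtectSystem = "full";
        ProtectHome = "yes";
        DeviceAllow = [""];
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        PrivateUsers = true;
        ExecStart = "${lib.getExe package} --port ${toString settings.ports.lastfm}";
        Restart = "always";
      };
      wantedBy = ["default.target"];
    };
    # paths: ~/.config/qBittorrent/ and ~/.local/share/qBittorrent/
    # The web UI port is only meant to be reached through the reverse proxy;
    # the torrenting port is opened in the firewall below.
    qbittorrent = {
      enable = true;
      description = "Activates qbittorrent nox on startup";
      unitConfig = {
        Documentation = "man:qbittorrent-nox(1)";
      };
      serviceConfig = {
        Type = "exec";
        User = "owo";
        ExecStart = "${lib.getExe pkgs.qbittorrent-nox} --webui-port=${toString settings.ports.qbittorrent} --torrenting-port=${toString settings.ports.qbittorrent-out}";
      };
      path = [
        pkgs.curl
      ];
      wantedBy = [
        "multi-user.target"
      ];
      wants = [
        "network-online.target"
      ];
      after = [
        "network-online.target"
      ];
    };
    # `config` below is rendered to a TOML file in the Nix store, so it must
    # stay free of secrets; the *arr API keys come from the EnvironmentFile.
    unpackerr = let
      config = {
        debug = false;
        quiet = false;
        # How often to poll sonarr and radarr.
        # Recommend 1m-5m. Uses Go Duration.
        interval = "2m";
        start_delay = "1m";
        retry_delay = "5m";
        parallel = 1;
        # Use these configurations to control the file modes used for newly extracted
        # files and folders. Recommend 0644/0755 or 0666/0777.
        file_mode = "0644";
        dir_mode = "0755";
        sonarr = [
          {
            url = "http://localhost:8989";
            paths = ["/mnt/drive1/torrents/downloads" "/mnt/drive2/torrents" "/mnt/drive3/torrents" "/mnt/drive4/torrents"];
            protocols = "torrent";
            timeout = "100s";
            delete_delay = "10m";
          }
        ];
        radarr = [
          {
            url = "http://localhost:7878";
            paths = ["/mnt/drive1/torrents/downloads" "/mnt/drive2/torrents" "/mnt/drive3/torrents" "/mnt/drive4/torrents"];
            protocols = "torrent";
            timeout = "100s";
            delete_delay = "10m";
          }
        ];
      };
    in {
      enable = true;
      description = "Activates unpackerr on startup";
      # Same sandbox as lastfm-status but as a fixed user (it must write to
      # the torrent directories), and without ProtectSystem.
      serviceConfig = {
        User = "owo";
        ProtectHome = "yes";
        DeviceAllow = [""];
        LockPersonality = true;
        MemoryDenyWriteExecute = true;
        PrivateDevices = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
        SystemCallArchitectures = "native";
        PrivateUsers = true;
        ExecStart = "${lib.getExe pkgs.unpackerr} -c ${(pkgs.formats.toml {}).generate "config.toml" config}";
        # Stores tokens for sonarr and radarr
        # UN_SONARR_0_API_KEY, UN_RADARR_0_API_KEY
        EnvironmentFile = "/etc/secrets/unpackerr.env";
      };
      wantedBy = ["default.target"];
    };
  };
  fileSystems = {
    "/mnt/important" = {
      device = "/dev/disk/by-uuid/dd9449e5-3d28-4029-8434-aae3b7314e35";
      fsType = "btrfs";
    };
    "/mnt/drive4" = {
      device = "/dev/disk/by-uuid/a7874217-07af-485c-9e60-2370c305771e";
      fsType = "btrfs";
    };
    "/mnt/drive3" = {
      device = "/dev/disk/by-uuid/ba80a5be-d676-4cba-8fc8-aa21af116b88";
      fsType = "btrfs";
    };
    "/mnt/drive2" = {
      device = "/dev/disk/by-uuid/3203fc16-136f-4b17-b844-7584394ea870"; # 18tb hdd
      fsType = "ext4";
    };
    "/mnt/drive1" = {
      device = "/dev/disk/by-uuid/23aa13b8-3e1a-4cd7-890d-68a54d8f13fa"; # 16tb hdd
      fsType = "btrfs";
    };
    # Pooled view of the media directories on drive1..drive4.
    "/mnt/media" = {
      device = "/mnt/drive1/media:/mnt/drive2/media:/mnt/drive3/media:/mnt/drive4/media";
      fsType = "fuse.mergerfs";
      depends = [
        "/mnt/drive1"
        "/mnt/drive2"
        "/mnt/drive3"
        "/mnt/drive4"
      ];
      options = [
        "cache.files=partial"
        "dropcacheonclose=true"
        "category.create=mfs"
      ];
    };
  };
  networking = {
    hostName = "server";
    networkmanager.enable = true;
    nameservers = [
      # "127.0.0.1"
      "1.1.1.1"
      "1.0.0.1" # cloudflare
    ];
  };
  time.timeZone = "Europe/Tallinn";
  i18n = {
    defaultLocale = "en_GB.UTF-8";
    extraLocaleSettings = {
      LC_ADDRESS = "et_EE.UTF-8";
      LC_IDENTIFICATION = "et_EE.UTF-8";
      LC_MEASUREMENT = "et_EE.UTF-8";
      LC_MONETARY = "et_EE.UTF-8";
      LC_NAME = "et_EE.UTF-8";
      LC_NUMERIC = "et_EE.UTF-8";
      LC_PAPER = "et_EE.UTF-8";
      LC_TELEPHONE = "et_EE.UTF-8";
      LC_TIME = "et_EE.UTF-8";
    };
  };
  services.xserver = {
    enable = true;
    xkb = {
      variant = "";
      layout = "us";
    };
    videoDrivers = ["nvidia"];
    # Enable the KDE Plasma Desktop Environment.
    displayManager.sddm.enable = true;
    desktopManager.plasma5.enable = true;
  };
  sound.enable = true;
  hardware.pulseaudio.enable = false;
  security = {
    # Every wheel member (owo below) gets root without a password; combined
    # with the docker group this makes that account fully root-equivalent.
    sudo.wheelNeedsPassword = false;
    rtkit.enable = true;
  };
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
  };
  hardware = {
    opengl = {
      enable = true;
      driSupport = true;
      driSupport32Bit = true;
    };
    nvidia = {
      package = config.boot.kernelPackages.nvidiaPackages.stable;
      modesetting.enable = true;
      open = false;
      nvidiaSettings = true;
    };
  };
  virtualisation = {
    docker = {
      enable = true;
      enableNvidia = true;
      autoPrune.enable = true;
      liveRestore = false;
    };
    podman = {
      enable = true;
      autoPrune.enable = true;
    };
    # replaces podman.enableNvidia
    containers.cdi.dynamic.nvidia.enable = true;
  };
  environment.systemPackages = with pkgs; [
    mergerfs
    mergerfs-tools
    ffmpeg # nextcloud
  ];
  programs = {
    git.enable = true;
    fish.enable = true;
    mosh.enable = true;
    gnome-disks.enable = true;
    ssh.startAgent = true;
  };
  security.acme = {
    acceptTerms = true;
    defaults.email = "ssl@catnip.ee";
    certs = {
      # DNS-01 via Cloudflare for the TURN hostname; the token in
      # credentialsFile should be scoped to DNS edits on that zone only.
      ${config.services.coturn.realm} = {
        dnsProvider = "cloudflare";
        credentialsFile = "/etc/secrets/acme.env";
        postRun = "systemctl restart coturn.service";
        group = "turnserver";
      };
    };
  };
  systemd.services.mautrix-telegram.path = with pkgs; [
    lottieconverter # for animated stickers conversion, unfree package
    ffmpeg # if converting animated stickers to webm (very slow!)
  ];
  services = {
    scrutiny = {
      enable = true;
      collector.enable = true;
      settings.web.listen.port = settings.ports.scrutiny;
    };
    minecraft-servers = {
      enable = true;
      eula = true;
      servers = let
        drasl = "https://drasl.snailcore.net";
      in {
        paper-vanilla = {
          enable = true;
          # Pin to specific version of minecraft if you are using plugins, e.g paperServers.paper-1_20_4
          package = pkgs.paper-server;
          openFirewall = true;
          autoStart = true;
          # The -Dminecraft.api.* flags make the server trust `drasl` for
          # player authentication instead of the default Mojang endpoints.
          jvmOpts = "-Xmx2G -Xms1G -Dminecraft.api.env=custom -Dminecraft.api.auth.host=${drasl}/auth -Dminecraft.api.account.host=${drasl}/account -Dminecraft.api.session.host=${drasl}/session -Dminecraft.api.services.host=${drasl}/services";
          serverProperties = {
            motd = "catnip enthutiasts";
            spawn-protection = 0;
            max-players = 69;
          };
        };
      };
    };
    # /var/lib/gitea-runner
    gitea-actions-runner = {
      package = pkgs.forgejo-actions-runner;
      instances = {
        forge = {
          enable = true;
          url = "https://forge.catnip.ee";
          name = "runner";
          labels = [
            "golang:docker://golang:latest"
            "rust:docker://rust:latest"
            "ubuntu:docker://ubuntu:latest"
            "alpine:docker://alpine:latest"
          ];
          tokenFile = "/etc/secrets/gitea-actions-runner.env";
        };
      };
    };
    # /var/lib/forgejo/
    forgejo = {
      enable = true;
      database.type = "postgres";
      mailerPasswordFile = "/etc/secrets/forge-email";
      settings = {
        server = {
          DOMAIN = "forge.catnip.ee";
          HTTP_PORT = settings.ports.forgejo;
          SSH_PORT = 2222;
          START_SSH_SERVER = true;
          ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}";
        };
        mailer = {
          ENABLED = true;
          FROM = "forge@catnip.ee";
          PROTOCOL = "smtps";
          SMTP_ADDR = "mx1.sly.ee";
          SMTP_PORT = 465;
          USER = "forge@catnip.ee";
        };
        service = {
          DISABLE_REGISTRATION = true;
        };
      };
    };
    # /var/lib/nextcloud
    nextcloud = {
      enable = true;
      package = pkgs.nextcloud28;
      hostName = "cloud.catnip.ee";
      https = true;
      configureRedis = true;
      config = {
        adminuser = "admin";
        dbhost = "localhost:${toString config.services.mysql.replication.masterPort}";
        dbtype = "mysql";
        adminpassFile = "/etc/secrets/nextcloud";
      };
      autoUpdateApps.enable = true;
      database.createLocally = true;
      extraApps = with config.services.nextcloud.package.packages.apps; {
        inherit contacts calendar tasks mail user_saml;
        integration_github = pkgs.fetchNextcloudApp rec {
          url = "https://github.com/nextcloud-releases/integration_github/releases/download/v2.0.6/integration_github-v2.0.6.tar.gz";
          sha256 = "sha256-hmcMaEtsn/+UZumVLNTsWy3WBKGryAGrDWJ5RZWmTWY=";
          license = "agpl3Only";
        };
      };
      extraAppsEnable = true;
      settings = {
        enable_previews = true;
        enabledPreviewProviders = [
          "OC\\Preview\\OpenDocument"
          "OC\\Preview\\PDF"
          "OC\\Preview\\MSOffice2003"
          "OC\\Preview\\MSOfficeDoc"
          "OC\\Preview\\Image"
          "OC\\Preview\\Photoshop"
          "OC\\Preview\\TIFF"
          "OC\\Preview\\SVG"
          "OC\\Preview\\Font"
          "OC\\Preview\\MP3"
          "OC\\Preview\\Movie"
          "OC\\Preview\\MKV"
          "OC\\Preview\\MP4"
          "OC\\Preview\\AVI"
        ];
      };
    };
    # /var/lib/mysql
    mysql = {
      enable = true;
      ensureDatabases = [
        "nextcloud"
      ];
      ensureUsers = [
        {
          name = "nextcloud";
          ensurePermissions = {
            "nextcloud.*" = "ALL PRIVILEGES";
          };
        }
      ];
    };
    # Nextcloud's nginx only listens on loopback; Caddy fronts it.
    nginx.virtualHosts.${config.services.nextcloud.hostName} = {
      listen = [
        {
          addr = "127.0.0.1";
          port = settings.ports.nextcloud;
        }
      ];
    };
    i2pd = {
      enable = true;
      proto.httpProxy.enable = true;
    };
    privoxy = {
      enable = true;
      settings = {
        listen-address = ":${toString settings.ports.privoxy}";
        forward = ".i2p localhost:${toString config.services.i2pd.proto.httpProxy.port}";
        # forward = ".ygg localhost:1234";
      };
    };
    tailscale = {
      enable = true;
      useRoutingFeatures = "server";
      extraUpFlags = [
        "--advertise-exit-node"
      ];
      permitCertUid = "caddy";
      port = 0;
    };
    blocky = {
      enable = true;
      settings = {
        caching = {
          minTime = "5m";
          maxTime = "30m";
          prefetching = true;
        };
        # Opened in the firewall below on every interface.
        ports.dns = 53;
        upstream.default = [
          "1.1.1.1" "1.0.0.1" # cloudflare
          "8.8.8.8" "8.8.4.4" # google
          "9.9.9.9" "149.112.112.112" # quad9
          "https://dns.nextdns.io"
        ];
        # Local names resolve to this host's tailnet address.
        customDNS = {
          mapping = mapNamesTo [
            "catnip.ee"
            "files"
            "qbittorrent"
            "scrutiny"
            "archive"
            "sonarr"
            "radarr"
            "prowlarr"
            "bazarr"
          ] "100.93.150.89";
        };
        # OpenNIC TLDs are forwarded to an OpenNIC resolver.
        conditional = {
          mapping = mapNamesTo [
            "epic"
            "geek"
            "chan"
            "fur"
            "cyb"
            "oss"
            "pirate"
            "neo"
            "libre"
            "dyn"
            "glue"
            "indy"
            "bbs"
            "gopher"
            "null"
            "o"
            "oz"
            "parody"
            "bazar"
            "coin"
            "lib"
            "emc"
            "ku"
            "uu"
            "ti"
            "te"
          ] "138.197.140.189";
        };
        blocking = {
          blackLists.ads = [
            "https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt"
            "https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"
          ];
          clientGroupsBlock.default = [
            "ads"
          ];
        };
      };
    };
    prowlarr.enable = true; # port 9696, /var/lib/prowlarr
    radarr.enable = true; # port 7878, /var/lib/radarr
    sonarr.enable = true; # port 8989, /var/lib/sonarr
    bazarr = {
      # /var/lib/bazarr/
      enable = true;
      listenPort = settings.ports.bazarr;
    };
    plex = {
      enable = true;
      openFirewall = true;
      dataDir = "${settings.server_configs}/plex";
    };
    # TURN server for Matrix calls; the relay port range, 3478 and 5349 are
    # opened in the firewall below.
    coturn = rec {
      enable = true;
      no-cli = true;
      no-tcp-relay = true;
      min-port = 49000;
      max-port = 50000;
      use-auth-secret = true;
      static-auth-secret-file = "/etc/secrets/coturn";
      realm = "turn.catnip.ee";
      cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
      pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
      extraConfig = ''
        # for debugging
        verbose
        # ban private IP ranges
        no-multicast-peers
        denied-peer-ip=0.0.0.0-0.255.255.255
        denied-peer-ip=10.0.0.0-10.255.255.255
        denied-peer-ip=100.64.0.0-100.127.255.255
        denied-peer-ip=127.0.0.0-127.255.255.255
        denied-peer-ip=169.254.0.0-169.254.255.255
        denied-peer-ip=172.16.0.0-172.31.255.255
        denied-peer-ip=192.0.0.0-192.0.0.255
        denied-peer-ip=192.0.2.0-192.0.2.255
        denied-peer-ip=192.88.99.0-192.88.99.255
        denied-peer-ip=192.168.0.0-192.168.255.255
        denied-peer-ip=198.18.0.0-198.19.255.255
        denied-peer-ip=198.51.100.0-198.51.100.255
        denied-peer-ip=203.0.113.0-203.0.113.255
        denied-peer-ip=240.0.0.0-255.255.255.255
        denied-peer-ip=::1
        denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
        denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
        denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
        denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      '';
    };
    # /var/lib/postgresql
    postgresql = {
      enable = true;
      package = pkgs.postgresql_15;
      initialScript = pkgs.writeText "backend-initScript" ''
        CREATE USER "matrix-synapse";
        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
          LOCALE 'C'
          ENCODING 'UTF8'
          TEMPLATE template0;
      '';
      # Local peer auth only: each service user (and root) may connect as
      # its own database role through superuser_map.
      identMap = ''
        superuser_map root matrix-synapse
        superuser_map matrix-synapse matrix-synapse
        superuser_map root matrix-sliding-sync
        superuser_map matrix-sliding-sync matrix-sliding-sync
        superuser_map root forgejo
        superuser_map forgejo forgejo
        superuser_map root postgres
        superuser_map postgres postgres
      '';
      authentication = pkgs.lib.mkOverride 10 ''
        #type database DBuser auth-method optional_ident_map
        local sameuser all peer map=superuser_map
      '';
    };
    # /var/lib/mautrix-telegram
    mautrix-telegram = {
      enable = true;
      environmentFile = "/etc/secrets/mautrix-telegram.env";
      settings = {
        homeserver = {
          address = "http://localhost:${toString settings.ports.synapse}";
          domain = "catnip.ee";
        };
        appservice = {
          address = "http://localhost:${toString settings.ports.mautrix-telegram}";
          port = settings.ports.mautrix-telegram;
          provisioning.enabled = false;
          id = "telegram";
          public = {
            enabled = true;
            prefix = "/telegram";
            external = "https://matrix.catnip.ee/telegram";
          };
        };
        bridge = {
          relaybot.authless_portals = false;
          # Every catnip.ee user may use the bridge; the two listed accounts
          # administer it.
          permissions = {
            "@admin:catnip.ee" = "admin";
            "@kaya:catnip.ee" = "admin";
            "catnip.ee" = "full";
          };
          backfill = {
            enable = true;
            forward_limits = {
              initial = {
                user = -1;
                normal_group = -1;
                supergroup = 1000;
                channel = 1000;
              };
              sync = {
                user = -1;
                normal_group = -1;
                supergroup = 1000;
                channel = 1000;
              };
            };
          };
          animated_sticker = {
            target = "gif";
            args = {
              width = 256;
              height = 256;
              fps = 30; # only for webm
              background = "020202"; # only for gif, transparency not supported
            };
          };
        };
        telegram = {
          device_info = {
            device_model = "GooglePixel 6";
            system_version = "SDK 32";
            app_version = "8.7.4 (26367)";
            lang_code = "en";
            system_lang_code = "en";
          };
        };
      };
    };
    matrix-sliding-sync = {
      enable = true;
      createDatabase = true;
      environmentFile = "/etc/secrets/matrix-sliding-sync.env";
      settings = {
        SYNCV3_SERVER = "https://matrix.catnip.ee";
        SYNCV3_BINDADDR = "127.0.0.1:${toString settings.ports.matrix-sliding-sync}";
      };
    };
    # /var/lib/matrix-synapse
    matrix-synapse = {
      enable = true;
      extraConfigFiles = [
        "/etc/secrets/synapse.yaml"
      ];
      settings = {
        # Registration is open only to holders of a registration token.
        enable_registration = true;
        registration_requires_token = true;
        max_upload_size = "250M";
        server_name = "catnip.ee";
        public_baseurl = "https://matrix.catnip.ee/";
        # Note: email submodule is defined in /etc/secrets/synapse.yaml as matrix doesnt merge the fields and it will fail to run
        # email = {
        #   smtp_host = "mx1.sly.ee";
        #   smtp_user = "matrix@catnip.ee";
        #   smtp_pass = "";
        #   force_tls = true;
        #   notif_from = "Matrix <matrix@catnip.ee>";
        #   app_name = "Catnip.ee matrix";
        # };
        server_notices = {
          system_mxid_localpart = "server";
          system_mxid_display_name = "Server Notices";
          system_mxid_avatar_url = "mxc://catnip.ee/LhehrbXOjfnhaJvFEWsXPtnm";
          room_name = "Server Notices";
          auto_join = true;
        };
        database = {
          name = "psycopg2";
          args = {
            database = "matrix-synapse";
            user = "matrix-synapse";
          };
        };
        app_service_config_files = [
          # sudo rm /var/lib/matrix-synapse/telegram-registration.yaml
          # sudo cp /var/lib/mautrix-telegram/telegram-registration.yaml /var/lib/matrix-synapse/
          # sudo chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/telegram-registration.yaml
          # sudo systemctl restart matrix-synapse
          "/var/lib/matrix-synapse/telegram-registration.yaml"
        ];
        # Loopback-only plain HTTP listener; TLS is terminated by the reverse
        # proxy, hence x_forwarded.
        listeners = [
          {
            bind_addresses = ["127.0.0.1"];
            port = settings.ports.synapse;
            resources = [
              {
                compress = true;
                names = ["client" "federation"];
              }
            ];
            tls = false;
            type = "http";
            x_forwarded = true;
          }
        ];
        turn_uris = [
          "turn:${config.services.coturn.realm}:3478?transport=udp"
          "turn:${config.services.coturn.realm}:3478?transport=tcp"
        ];
        turn_user_lifetime = "1h";
      };
    };
    # Key-based logins only, no root login.
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        PermitRootLogin = "no";
      };
    };
    # /var/lib/ntfy-sh/
    ntfy-sh = {
      enable = true;
      settings = {
        listen-http = ":${toString settings.ports.ntfy}";
        base-url = "https://ntfy.catnip.ee";
      };
    };
    # /var/lib/jellyfin
    jellyfin.enable = true;
    cloudflare-dyndns = {
      enable = true;
      apiTokenFile = "/etc/secrets/cloudflare-dyndns.env";
      domains = [
        "catnip.ee"
      ];
    };
  };
  # These allow-lists apply to every interface. If this host has a public
  # interface, the Blocky DNS port makes it an open forwarder there; prefer
  # networking.firewall.interfaces.<name>.allowedUDPPorts to limit it to the
  # tailnet/LAN.
  networking.firewall = {
    enable = true;
    allowedUDPPortRanges = with config.services.coturn; [
      {
        from = min-port;
        to = max-port;
      }
    ];
    allowedUDPPorts = [
      config.services.blocky.settings.ports.dns
      # coturn
      3478
      5349
      settings.ports.qbittorrent-out
    ];
    allowedTCPPorts = [
      22 # ssh
      config.services.blocky.settings.ports.dns
      # HTTP/HTTPS
      80
      443
      # coturn
      3478
      5349
      settings.ports.qbittorrent-out
      settings.ports.privoxy
      25566 # modded minecraft
      config.services.forgejo.settings.server.SSH_PORT
    ];
  };
  users = {
    defaultUserShell = pkgs.fish;
    # wheel (passwordless sudo above) and docker both grant root-equivalent
    # access; SSH is key-only.
    users.owo = {
      isNormalUser = true;
      extraGroups = ["networkmanager" "wheel" "docker"];
      openssh.authorizedKeys.keys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDhXnulnINZ/hBBwHhzl35UsFcFUwxwaaFVFwCgIgOHmlJhknhpq5UQDbV6JoouFMgN48uBDD5/vcYjvS0UYFMBTox0MmJK+Yt4AnNusHkf8j1XCiXxHsicQilxJgu7yZJJRd2TAIqWlautW+VjuXOssN08x0pvtiupefDz6Li7A4SnS1iGsNTgypJaemquEYRge3hC043kaubuSgqNKknK65zA9aLp9h31r9W5K6N+k+ll+TPyyWZdsJMnaqWmoIS1+fpAdG5wMPZbR503dLPFzdprwy8FSoTzkD8aKyEdtzzQboS3b7s2DfFvOy3uoKy5bcMOl6Fm1dos90TFiOjCQmF9+WKG8qteeAtizd04Fmi8JRipODCgkvDFj8YAHaB2w5+xNpCYwJTOdHQZflOo25725aIDXZ2afg3evSdVZgJ0PPiWs6fnJMqbJCrzLsBxfN7vAbWzHHTBIuXrtidwY/x/XTs5n4mm4OukyOQF5YjYXy39WIlzjk3uMR0m8ec= lain@navi"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTbuZLmu2F2EWMl1cXwZqYQwuFDyMyPf+d6MospDs+UaFzKFJdtDlb5+uFkkz9gHf8rCBOnXi6bLGgZNxUhTgEBka0RQVCIqRDjOJAWtwG0zLg/mQ9c1Ug2/9kH/PRjy+GGGzz3GVw7HNZNUjAkNr/kIX4t0L8uBqqkgcM/woBH8S/rV3Xs30XWi9mNkx1J4Z5fqtBBeF2GAd02i2PsUMnGfZSwwJy3mhBhI+Vw5mtsS1QJWd9LrsRfLbtzVHWm4MGr3O0F34ij8BV1uzaHfopn0vKilI/dq8HfjuYjKr33CB5f3C1OdcuFfwqE3ZDxZcaOshqXimt9MrYLXaMv0i7I7a3r33ij2hl9d9oh3Z72yt+wAAdgTJ23Xrwzr4P9Iu4BsayG5bQC6IVLv3Eef5TcPKSXmmtCr2hFLYUMQmlPptrUOf1tmB/7oYo3vJe2cz07PxuxZZ20F3MXugoUTfsnuwAH2chT4xL/TnS4Kbs12QoPFjdG1v/0Z8fVD1ysoU= mina@navi"
      ];
      packages = with pkgs; [
        firefox
        helix
        mpv
        croc
        ffmpeg
        speedtest-cli
        htop
        progress
        duperemove
        tmux
      ];
    };
  };
  system.stateVersion = "23.05";
}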