diff --git a/flake.nix b/flake.nix index 697a83a..2150635 100644 --- a/flake.nix +++ b/flake.nix @@ -162,6 +162,7 @@ # ]; }; + # Vintage story server nixosConfigurations."thancred" = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; specialArgs = { @@ -187,6 +188,32 @@ ]; }; + # Matrix and Mastodon server + nixosConfigurations."yshtola" = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { + inherit userName userEmail; + hostname = "yshtola"; + role = "server"; + }; + modules = [ + myOverlays + ./modules/common + ./modules/machine/yshtola + + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.extraSpecialArgs = extraSpecialArgs // { isNixOS = true; role = "server"; }; + home-manager.backupFileExtension = "bak"; + home-manager.users.${userName}.imports = [ + ./home + ]; + } + ]; + }; + # generic non-NixOS Linux machine homeConfigurations."generic" = let hostname = builtins.getEnv "HOSTNAME"; diff --git a/home/git.nix b/home/git.nix index db30f9d..ab4f498 100644 --- a/home/git.nix +++ b/home/git.nix @@ -40,6 +40,11 @@ ca = "commit -am"; dc = "diff --cached"; amend = "commit --amend -m"; + wipe = "git reset --hard"; + gg = "git reset --hard"; + ggs = "git reset --hard"; + sw = "git switch"; + r = "git restore"; # aliases for submodules update = "submodule update --init --recursive"; diff --git a/home/packages/linux.nix b/home/packages/linux.nix index df40f8f..7cc2912 100644 --- a/home/packages/linux.nix +++ b/home/packages/linux.nix @@ -3,5 +3,13 @@ lib.mkIf pkgs.stdenv.isLinux { home.packages = with pkgs; [ imv xdg-utils + ] ++ lib.optionals isNixOS [ + vesktop + xfce.thunar + pavucontrol + zathura + gpu-screen-recorder + gpu-screen-recorder-gtk + inetutils ]; } diff --git a/home/shell.nix b/home/shell.nix index 7b07646..a1fa065 100644 --- a/home/shell.nix +++ b/home/shell.nix 
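Review bot: In flake.nix, the new `yshtola` entry passes `role = "server"` twice, once in `specialArgs` and again in `home-manager.extraSpecialArgs // { ...; role = "server"; }`, and apart from the hostname it repeats the `thancred` block line for line. A small helper (say, `mkServer`) taking the hostname once and producing the `nixpkgs.lib.nixosSystem` call would keep the server hosts in step when the home-manager options change. The enclosing outputs attribute set starts and ends outside the hunk.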
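Review bot: In home/git.nix, the five new aliases carry a `git` prefix (`wipe = "git reset --hard";`, `sw = "git switch";`, `r = "git restore";`) unlike the existing entries such as `ca = "commit -am";`; a git alias is expanded as a subcommand, so `git wipe` runs `git git reset --hard` and fails with "'git' is not a git command". Drop the prefix: `wipe = "reset --hard";`, `sw = "switch";`, `r = "restore";`, and likewise for `gg` and `ggs`. Three aliases for the same `reset --hard` also look like leftovers from experimenting; one of them would do. The enclosing aliases attribute set starts and ends outside the hunk.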
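Review bot: In home/packages/linux.nix, `lib.optionals isNixOS [ ... ]` reads `isNixOS` from the module arguments, but the only place this diff passes it is the NixOS hosts in flake.nix (`extraSpecialArgs // { isNixOS = true; ... }`); if `homeConfigurations."generic"` does not pass it, evaluating this module there fails with a missing-attribute error. Either give the module a default in its argument set (`{ isNixOS ? false, ... }:`, which is in the header outside the hunk) or pass `isNixOS = false;` in that configuration's extraSpecialArgs. The enclosing function starts outside the hunk.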
@@ -62,7 +62,13 @@ "If you’ve brought your ivory standard, I’ll be happy to tell you where you can stick it" \ "Speeches? Oh, yes, I love them. There's nothing like a good exposition when you're having trouble sleeping!" \ "Somehow, the boy just isn't very buoyant" \ - "I am...not interested, little sun. Try again when you have become a man" + "I am...not interested, little sun. Try again when you have become a man" \ + "I am rightousness! And rightousness shall previal!" \ + "Ahhh such bliss!" \ + "The gods themselves will be my meal. Your dear companions my dessert. Upon this world I'll feast, and death shall follow in my wake. All your hate, all your rage, you will render unto me." \ + "Boring, boring, boring" \ + "Would you be 'happier' had I a 'good reason'?" \ + "A test of your reflexes!" set choose_meme (random)"%"(count $memes) diff --git a/modules/machine/README.md b/modules/machine/README.md index 216232e..315a8cc 100644 --- a/modules/machine/README.md +++ b/modules/machine/README.md @@ -10,6 +10,10 @@ I like Final Fantasy, alright? Isn't everyone supposed to have a hobby? These are named after Final Fantasy VII characters. -### Servers/Network Infrastructure +### Servers/Network Infrastructure (bare metal) These are named after Final Fantasy summons. There is some infrastructure missing here like my routers and switches that I also name after summons. + +### Servers/Network Infrastructure (virtual machines) + +These are named after Final Fantasy XIV Online characters (currently, these are named after the Scions of the Seventh Dawn). diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix new file mode 100644 index 0000000..187f301 --- /dev/null +++ b/modules/machine/yshtola/configuration.nix 
@@ -0,0 +1,271 @@
+{
+ pkgs,
+ userName,
+ ...
+}: let
+ # INFO: set these to your liking
+ matrixFqdn = "chat.wyattjmiller.com";
+ rtcFqdn = "rtc.wyattjmiller.com";
+
+ supportEmail = "wyatt@wyattjmiller.com";
+ livekitKeyFile = "/var/lib/livekit/livekit.key";
+ matrixRegistrationTokenFile = "/var/lib/matrix.key";
+in {
+ imports = [
+ ../../pwrMgmt
+ ];
+
+ # Enable flakes for NixOS
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+
+ nix.settings = {
+ download-buffer-size = 134217728; # 128 MiB in bytes
+ };
+
+ # Custom kernel/boot stuff
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ # Set your timezone
+ time.timeZone = "America/Detroit";
+
+ # Enable OpenSSH
+ services.openssh = {
+ enable = true;
+ settings.PermitRootLogin = "no";
+ settings.PasswordAuthentication = false;
+ };
+
+ # Enable keyring
+ services.gnome.gnome-keyring.enable = true;
+
+ # Enable GnuPG
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ # Enable SUID wrappers (some programs need them)
+ programs.mtr.enable = true;
+
+ # Enable Polkit
+ security.polkit.enable = true;
+
+ # Power management (see ../../pwrMgmt/default.nix)
+ pwrMgmt = {
+ enable = true;
+ cpuFreqGovernor = "performance";
+ powertop.enable = false;
+ };
+
+ # Firewall settings (fallback, upstream way of doing things)
+ networking.firewall = {
+ enable = true;
+
+ allowedTCPPorts = [
+ 80
+ 443
+ 8448
+ 3478
+ 5349
+ 7880
+ 7881
+ 8080
+ 8081
+ ];
+
+ allowedUDPPorts = [
+ 3478
+ 7881
+ 8448
+ ];
+
+ allowedUDPPortRanges =[
+ # TURN UDP relays
+ {
+ from = 49000;
+ to = 50000;
+ }
+ #
+ {
+ from = 50100;
+ to = 50200;
+ }
+ ];
+ };
+
+ # Add username to groups "wheel" and "video" - more may be added here later
+ users.users.${userName} = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU wyatt@wyattjmiller.com"
+ ];
+ extraGroups = ["wheel" "video" "network"];
+ };
+
+ # fail2ban
+ services.fail2ban = {
+ enable = true;
+ package = pkgs.fail2ban;
+ maxretry = 5;
+ bantime = "3h";
+ bantime-increment = {
+ enable = true;
+ rndtime = "10m";
+ };
+ };
+
+ # Matrix server
+ services.matrix-tuwunel = {
+ enable = true;
+ package = pkgs.matrix-tuwunel;
+ settings = {
+ global = {
+ server_name = matrixFqdn;
+ allow_encryption = true;
+ allow_federation = true;
+ allow_registration = true;
+ registration_token = matrixRegistrationTokenFile;
+ allow_unstable_room_versions = false;
+ allow_experimental_room_versions = false;
+ zstd_compression = true;
+ new_user_displayname_suffix = "✨";
+ max_request_size = 1048575600; # 100MB in bytes, for file uploads
+ database_backup_path = "/var/lib/tuwunel/database_backups";
+ database_backups_to_keep = 2;
+
+ address = [
+ "127.0.0.1"
+ "::1"
+ ];
+ port = [ 8008 ];
+
+ well_known = {
+ client = "https://${matrixFqdn}";
+ server = "${matrixFqdn}:443";
+ support_email = supportEmail;
+ support_mxid = "@wymiller:${matrixFqdn}";
+
+ rtc_transports = [{
+ type = "livekit";
+ livekit_service_url = "https://${rtcFqdn}";
+ }];
+ };
+ };
+ };
+ };
+
+ # LiveKit (Matrix RTC)
+ services.livekit = {
+ enable = true;
+ package = pkgs.livekit;
+ openFirewall = true;
+ keyFile = livekitKeyFile;
+ settings = {
+ port = 7880;
+ room.auto_create = true;
+ rtc = {
+ use_external_ip = true;
+ };
+ };
+ };
+
+ # Reverse proxy
+ services.caddy = {
+ enable = true;
+ package = pkgs.caddy;
+ virtualHosts = {
+ "${matrixFqdn}" = {
+ extraConfig = ''
+ encode zstd gzip
+ reverse_proxy localhost:8008
+ '';
+ };
+ "${matrixFqdn}:8448" = {
+ extraConfig = ''
+ encode zstd gzip
+ reverse_proxy localhost:8008
+ '';
+ };
+ "${rtcFqdn}" = {
+ extraConfig = ''
+ @jwt_service {
+ path /sfu/get* /healthz*
+ }
+
+ handle @jwt_service {
+ reverse_proxy localhost:8080
+ }
+
+ handle {
+ reverse_proxy localhost:7880 {
+ header_up Connection "upgrade"
+ header_up Upgrade {http.request.header.Upgrade}
+ }
+ }
+ '';
+ };
+ };
+ };
+
+ # LiveKit JWT service
+ services.lk-jwt-service = {
+ enable = true;
+ port = 8080;
+ livekitUrl = "wss://rtc.wyattjmiller.com";
+ keyFile = livekitKeyFile;
+ };
+
+ # Generate LiveKit key if it doesn't exist
+ systemd.services = {
+ matrix-registration-token-gen = {
+ before = [ "tuwunel.service" ];
+ wantedBy = [ "multi-user.target" ];
+ path = with pkgs; [ coreutils openssl ];
+ script = ''
+ set -eu
+
+ if [ -f "${matrixRegistrationTokenFile}" ]; then
+ exit 0
+ fi
+
+ install -d -m 0700 "$(dirname "${matrixRegistrationTokenFile}")"
+
+ TOKEN="$(openssl rand -hex 32)"
+
+ umask 077
+ printf '%s\n' "$TOKEN" > "${matrixRegistrationTokenFile}"
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ };
+
+ livekit-key-gen = {
+ before = [ "lk-jwt-service.service" "livekit.service" ];
+ wantedBy = [ "multi-user.target" ];
+ path = with pkgs; [ coreutils openssl ];
+ script = ''
+ set -eu
+
+ if [ -f "${livekitKeyFile}" ]; then
+ exit 0
+ fi
+
+ install -d -m 0700 "$(dirname "${livekitKeyFile}")"
+
+ API_KEY="$(openssl rand -hex 8)"
+ API_SECRET="$(openssl rand -hex 32)"
+
+ umask 077
+ printf '%s: %s\n' "$API_KEY" "$API_SECRET" > "${livekitKeyFile}"
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ User = "root";
+ };
+ };
+ };
+
+ system.stateVersion = "25.11";
+}
diff --git a/modules/machine/yshtola/default.nix b/modules/machine/yshtola/default.nix
new file mode 100644
index 0000000..3c4d411
--- /dev/null
+++ b/modules/machine/yshtola/default.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ];
+}
diff --git a/modules/machine/yshtola/hardware-configuration.nix b/modules/machine/yshtola/hardware-configuration.nix
new file mode 100644
index 0000000..7f5f6fd
--- /dev/null
+++ b/modules/machine/yshtola/hardware-configuration.nix
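Review bot: In modules/machine/yshtola/configuration.nix, `registration_token = matrixRegistrationTokenFile;` in the tuwunel `global` settings hands the path string `/var/lib/matrix.key` over as the registration token itself, so with `allow_registration = true` anyone who knows or guesses that path can register accounts and the random token produced by `matrix-registration-token-gen` is never consulted; the option that reads the token from a file is `registration_token_file` (inherited from conduwuit), i.e. `registration_token_file = matrixRegistrationTokenFile;`. The comment on `max_request_size = 1048575600; # 100MB in bytes, for file uploads` does not match the value, which is roughly 1 GB; 100 MiB is `104857600`. Both generator scripts write their secrets root-owned under `umask 077`, so if the tuwunel, livekit or lk-jwt-service units run as their own (possibly dynamic) users the files are unreadable to them — confirm the service users, or hand the files over with `LoadCredential`. `allowedTCPPorts` also opens 7880, 8080 and 8081 to the world although Caddy already fronts 7880 and 8080 with TLS (so clients can bypass it in plaintext) and nothing in this file listens on 8081, and the `allowedUDPPorts` entry 8448 has no UDP consumer here. `livekitUrl = "wss://rtc.wyattjmiller.com"` hardcodes the host instead of `"wss://${rtcFqdn}"`, and the comment `# Generate LiveKit key if it doesn't exist` now heads a block that also generates the Matrix registration token.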
@@ -0,0 +1,35 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
+ boot.kernelParams = [ "console=ttyS0,19200n8" ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+ boot.loader.grub.extraConfig = ''
+ serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
+ terminal_input serial;
+ terminal_output serial;
+ '';
+ boot.loader.grub.forceInstall = true;
+# boot.loader.grub.enable = true;
+ boot.loader.grub.device = "nodev";
+ boot.loader.timeout = 10;
+
+ fileSystems."/" =
+ { device = "/dev/sda";
+ fsType = "ext4";
+ };
+
+ swapDevices =
+ [ { device = "/dev/sdb"; }
+ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}