diff --git a/flake.nix b/flake.nix index 45f93d3..2a55f9e 100644 --- a/flake.nix +++ b/flake.nix @@ -162,6 +162,31 @@ # ]; }; + nixosConfigurations."yshtola" = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + specialArgs = { + inherit userName userEmail; + hostname = "yshtola"; + role = "server"; + }; + modules = [ + myOverlays + ./modules/common + ./modules/machine/yshtola + + home-manager.nixosModules.home-manager + { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.extraSpecialArgs = extraSpecialArgs // { isNixOS = true; role = "server"; }; + home-manager.backupFileExtension = "bak"; + home-manager.users.${userName}.imports = [ + ./home + ]; + } + ]; + }; + # generic non-NixOS Linux machine homeConfigurations."generic" = let hostname = builtins.getEnv "HOSTNAME"; diff --git a/modules/machine/yshtola/configuration.nix b/modules/machine/yshtola/configuration.nix new file mode 100644 index 0000000..2f962fd --- /dev/null +++ b/modules/machine/yshtola/configuration.nix 
@@ -0,0 +1,216 @@
+
+{
+ pkgs,
+ userName,
+ ...
+}: {
+ imports = [
+ ../../pwrMgmt
+ ../../networking/core.nix
+ ];
+
+ # Enable flakes for NixOS
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+
+ # Custom kernel/boot stuff
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ boot.loader.systemd-boot.enable = true; # TODO: check on this
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ # Set your timezone
+ time.timeZone = "America/Detroit";
+
+ # Enable OpenSSH
+ services.openssh = {
+ enable = true;
+ PermitRootLogin = "no";
+ PasswordAuthentication = "no";
+ };
+
+ # Enable keyring
+ services.gnome.gnome-keyring.enable = true;
+
+ # Enable GnuPG
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ # Enable SUID wrappers (some programs need them)
+ programs.mtr.enable = true;
+
+ # Enable Polkit
+ security.polkit.enable = true;
+
+ # Power management (see ../../pwrMgmt/default.nix)
+ pwrMgmt = {
+ enable = true;
+ cpuFreqGovernor = "performance";
+ powertop.enable = false;
+ };
+
+ # Core networking module (see ../../networking/core.nix)
+ network = {
+ networkManager.enable = true;
+ };
+
+ # Firewall settings (fallback, upstream way of doing things)
+ networking.firewall = {
+ enable = true;
+
+ allowedTCPPorts = [
+ 3478
+ 5349
+ 7880
+ 7881
+ 8080
+ ];
+
+ allowedUDPPorts = [
+ 3478
+ ];
+
+ allowedUDPPortRanges =[
+ {
+ from = 49000;
+ to = 50000;
+ }
+ {
+ from = 50100;
+ to = 50200;
+ }
+ ];
+ };
+
+ # Add username to groups "wheel" and "video" - more may be added here later
+ users.users.${userName} = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV9eSc9L+aJLoKoexq2f/jb5rpyZnhuGiyhS8YQAbaS wyatt@wyattjmiller.com"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4WKvKnnYpTbzZHFEslOKyfiiMqWxhW3AfX6E7ACmYU wyatt@wyattjmiller.com"
+ ];
+ extraGroups = ["wheel" "video" "network"];
+ };
+
+ # fail2ban
+ services.fail2ban = {
+ enable = true;
+ package = pkgs.fail2ban;
+ maxretry = 5;
+ bantime = "3h";
+ bantime-increment = {
+ enable = true;
+ rndtime = "10m";
+ };
+ };
+
+ # Matrix server
+ services.matrix-tuwunel = {
+ enable = true;
+ package = pkgs.matrix-tuwunel;
+ settings = {
+ global = {
+ server_name = "wyattjmiller.com";
+ allow_encryption = true;
+ allow_federation = true;
+ allow_registration = false;
+ allow_unstable_room_versions = false;
+ allow_experimental_room_versions = false;
+ encryption_enabled_by_default_for_room_type = "all";
+ zstd_compression = true;
+ new_user_displayname_suffix = "✨";
+ max_request_size = 1048575600; # 100MB in bytes, for file uploads
+ database_path = "/var/lib/tuwunel";
+ database_backup_path = "/var/lib/tuwunel/database_backups";
+ database_backups_to_keep = 2;
+
+ address = [
+ "127.0.0.1"
+ "::1"
+ ];
+ port = [ 8008 ];
+
+ well_known = {
+ client = "https://chat.wyattjmiller.com";
+ server = "chat.wyattjmiller.com:443";
+ support_email = "wyatt@wyattjmiller.com";
+ support_mxid = "@wymiller:wyattjmiller.com";
+
+ rtc_transports = {
+ type = "livekit";
+ livekit_service_url = "https://rtc.wyattjmiller.com";
+ };
+ };
+ };
+ };
+ };
+
+ # LiveKit (Matrix RTC)
+ services.livekit = {
+ enable = true;
+ package = pkgs.livekit;
+ openFirewall = true;
+ settings = {
+ port = 7880;
+ room.auto_create = true;
+ rtc = {
+ use_external_ip = true;
+ };
+ };
+ };
+
+ # Reverse proxy
+ services.caddy = {
+ enable = true;
+ package = pkgs.caddy;
+ virtualHosts = {
+ "chat.wyattjmiller.com" = {
+ extraConfig = ''
+ encode zstd gzip
+ reverse_proxy localhost:8008
+ '';
+ };
+ "chat.wyattjmiller.com:8443" = {
+ extraConfig = ''
+ encode zstd gzip
+ reverse_proxy localhost:8008
+ '';
+ };
+ "rtc.wyattjmiller.com" = {
+ extraConfig = ''
+ @jwt_service {
+ path /sfu/get* /healthz*
+ }
+
+ handle @jwt_service {
+ reverse_proxy localhost:8081
+ }
+
+ handle {
+ reverse_proxy localhost:7880 {
+ header_up Connection "upgrade"
+ header_up Upgrade {http.request.header.Upgrade}
+ }
+ }
+ '';
+ };
+ };
+ };
+
+ # TURN/STUN server
+ services.coturn = {
+ enable = true;
+ no-cli = false;
+ no-tcp-relay = false;
+ realm = "turn.wyattjmiller.com";
+ min-port = 49000;
+ max-port = 50000;
+
+ # TODO: fill out this extraConfig option a bit more with denial of private IP addresses
+ extraConfig = ''
+ verbose
+ no-multicast-peers
+ '';
+ };
+
+ system.stateVersion = "25.11";
+ }
diff --git a/modules/machine/yshtola/default.nix b/modules/machine/yshtola/default.nix
new file mode 100644
index 0000000..3c4d411
--- /dev/null
+++ b/modules/machine/yshtola/default.nix
@@ -0,0 +1,6 @@
+{ ... }: {
+ imports = [
+ ./configuration.nix
+ ./hardware-configuration.nix
+ ];
+}
diff --git a/modules/machine/yshtola/hardware-configuration.nix b/modules/machine/yshtola/hardware-configuration.nix
new file mode 100644
index 0000000..e69de29
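Review bot: The sshd hardening in the `services.openssh` block is not applied as written: in current NixOS the `sshd_config` keys are sub-options of `services.openssh.settings`, so `PermitRootLogin`/`PasswordAuthentication` placed directly under `services.openssh` should be rejected as undefined options at evaluation time (and if some alias does accept them, confirm the generated `sshd_config` really carries `PermitRootLogin no`); the lines should read `settings.PermitRootLogin = "no";` and `settings.PasswordAuthentication = false;`. In the tuwunel settings, `max_request_size = 1048575600` is roughly 1000 MiB, not the 100 MB the comment claims — 100 MiB is `104857600` — so the upload limit is ten times larger than intended. `no-cli = false` enables coturn's telnet admin CLI on localhost while no `cli-password` is configured in this hunk, so any local user or compromised service could drive it; either drop the line (the module default is `no-cli = true`) or set `cli-password`. The firewall opens 3478, 5349, 7880, 7881 and 8080 but not 80/443 for the Caddy vhosts, and exposing 7880 directly (also via `openFirewall = true`) serves LiveKit's HTTP/WebSocket API in cleartext next to the TLS-terminated `rtc.` vhost — unless `../../networking/core.nix` covers this, I would open 80/443 here and leave only 7881 plus the UDP range reachable. `hardware-configuration.nix` is added as an empty file (blob `e69de29`), so there is no `fileSystems."/"` for this host yet and the configuration presumably cannot build until it is generated.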