Bun/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update references and folder names

Browse source
This commit is contained in:
jimjam4real 2024-09-23 11:41:28 -04:00
parent 4cafc51f01
commit d402b1c806
82 changed files with 88 additions and 88 deletions
Download patch file Download diff file Expand all files Collapse all files

72
system/base.nix Normal file
View file

@ -0,0 +1,72 @@
# This is your system's configuration file (it replaces /etc/nixos/configuration.nix)
{inputs, outputs, lib, config, pkgs, ...}: {
# You can import other NixOS modules here
imports = [
./modules/networking.nix
./modules/gpg.nix
];
nixpkgs = {
# You can add overlays here
overlays = [
outputs.overlays.additions
outputs.overlays.selfsuper
outputs.overlays.finalprev
outputs.overlays.unstable-packages
inputs.minecraft.overlay
];
# Configure your nixpkgs instance
config = {
allowUnfree = true;
};
};
# Enable flakes and garbage collection
nix = {
settings = {
experimental-features = "nix-command flakes";
auto-optimise-store = true;
};
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 1w";
};
};
# Set timezone
time.timeZone = outputs.secrets.timeZone;
# Select a terminal font
console = {
earlySetup = true;
font = "${pkgs.terminus_font}/share/consolefonts/ter-u22n.psf.gz";
packages = with pkgs; [ terminus_font ];
keyMap = "us";
};
# Enable git
programs.git = {
enable = true;
lfs.enable = true;
};
# Basic firewall settings
networking.nftables.enable = true;
# Enable the ZSH shell
programs.zsh.enable = true;
# Disable Nano
programs.nano.enable = false;
# Disable the HTML documentation link
documentation = {
nixos.enable = false;
info.enable = false;
};
# Allow binary firmware
hardware.enableRedistributableFirmware = true;
}

52
system/desktop.nix Normal file
View file

@ -0,0 +1,52 @@
{
imports = [
# Base configs
./base.nix
# Import users and groups
./users/jimbo.nix
./users/groups.nix
# Desktop only
./desktop/misc.nix
./desktop/sway.nix
./desktop/greetd-sway.nix
./desktop/printing.nix
./desktop/gaming.nix
./desktop/pipewire.nix
./desktop/bluetooth.nix
./desktop/firewall.nix
./desktop/fonts.nix
./desktop/qt.nix
# Modules
./modules/security.nix
./modules/legacy.nix
# Hardware
./hardware/machines/desktop.nix
./hardware/systemdboot.nix
./hardware/opengl.nix
./hardware/nvidia.nix
#./hardware/nouveau.nix
# Services
./services/openssh.nix
./services/virtualisation.nix
./services/udev.nix
./services/sunshine.nix
./services/mpd.nix
# School VPN
./services/globalprotect.nix
];
# Set hostname
networking.hostName = "JimDesktop";
# Force Electron to use Wayland
environment.sessionVariables.NIXOS_OZONE_WL = "1";
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.05";
}

15
system/desktop/bluetooth.nix Normal file
View file

@ -0,0 +1,15 @@
{
# Enable Bluetooth
hardware.bluetooth = {
enable = true;
settings = {
General.Experimental = "true";
Policy.AutoEnable = "true";
};
};
# Enable lingering for Bluetooth
systemd.tmpfiles.rules = [
"f /var/lib/systemd/linger/jimbo"
];
}

12
system/desktop/firewall.nix Normal file
View file

@ -0,0 +1,12 @@
{
# Networking settings
networking = {
# Enable firewall
firewall = {
allowPing = false;
extraInputRules = ''
ip saddr 10.0.0.2 accept comment "Accept Server Connections"
'';
};
};
}

14
system/desktop/fonts.nix Normal file
View file

@ -0,0 +1,14 @@
{pkgs, ...}: {
# Fonts
fonts = {
packages = with pkgs; [
liberation_ttf
twitter-color-emoji
ubuntu_font_family
noto-fonts
sarasa-gothic
(nerdfonts.override {fonts = ["UbuntuMono"];})
];
fontconfig.defaultFonts.emoji = ["Twitter Color Emoji"];
};
}

10
system/desktop/gaming.nix Normal file
View file

@ -0,0 +1,10 @@
{pkgs, ...}: {
# Enable Gamemode to boost games
programs.gamemode = {
enable = true;
settings.general.renice = 10;
};
# Enable hardware like the Steam Controller
hardware.steam-hardware.enable = true;
}

39
system/desktop/greetd-sway.nix Normal file
View file

@ -0,0 +1,39 @@
{pkgs, ...}: {
services = {
# Configure greetd for "auto" login (single user only)
greetd = let
startSway = pkgs.writeScript "startsway" ''
# Use NVIDIA variables if drivers are in use
if lspci -k | grep "Kernel driver in use: nvidia" &> /dev/null; then
# NVIDIA/AMD variables
export LIBVA_DRIVER_NAME=nvidia
export GBM_BACKEND=nvidia-drm
export __GLX_VENDOR_LIBRARY_NAME=nvidia
export WLR_NO_HARDWARE_CURSORS=1
else
:
fi
# Sway/Wayland
export XDG_CURRENT_DESKTOP=sway
export QT_QPA_PLATFORM="wayland;xcb"
# Start Sway
sway --unsupported-gpu
'';
in {
enable = true;
restart = true;
settings = {
terminal = {
vt = 2;
switch = true;
};
default_session = {
command = "${startSway}";
user = "jimbo";
};
};
};
};
}

24
system/desktop/misc.nix Normal file
View file

@ -0,0 +1,24 @@
{pkgs, ...}: {
# Enable AppImages
programs.appimage = {
enable = true;
binfmt = true;
};
# Network mounts, automounts, and battery saver
services = {
gvfs.enable = true;
udisks2.enable = true;
};
# Security that only makes sense with a GUI
security = {
polkit.enable = true;
rtkit.enable = true;
};
# Install programs system-wide
environment.systemPackages = with pkgs; [
cifs-utils
];
}

23
system/desktop/pipewire.nix Normal file
View file

@ -0,0 +1,23 @@
{pkgs, ...}: {
# Enable Pipewire
services = {
pipewire = {
enable = true;
audio.enable = true;
wireplumber = {
enable = true;
configPackages = [
(pkgs.writeTextDir "share/wireplumber/wireplumber.conf.d/11-bluetooth-policy.conf" ''
wireplumber.settings = { bluetooth.autoswitch-to-headset-profile = false }
'')
];
};
alsa = {
enable = true;
support32Bit = true;
};
pulse.enable = true;
#jack.enable = true;
};
};
}

20
system/desktop/printing.nix Normal file
View file

@ -0,0 +1,20 @@
{pkgs, ...}: {
# Enable printing
services = {
printing = {
enable = true;
drivers = with pkgs; [hplip];
webInterface = false;
};
avahi = {
enable = true;
nssmdns4 = true;
openFirewall = true;
};
};
# Install programs system-wide
environment.systemPackages = with pkgs; [
system-config-printer
];
}

7
system/desktop/qt.nix Normal file
View file

@ -0,0 +1,7 @@
{
qt = {
enable = true;
style = "gtk2";
platformTheme = "gtk2";
};
}

13
system/desktop/school.nix Normal file
View file

@ -0,0 +1,13 @@
{pkgs, ...}: {
# Install programs system-wide
environment.systemPackages = with pkgs; [
remmina
freerdp
globalprotect-openconnect
python3
zoom-us
];
# Enable Globalprotect VPN
services.globalprotect.enable = true;
}

32
system/desktop/sway.nix Normal file
View file

@ -0,0 +1,32 @@
{pkgs, ...}: {
imports = [
./wayland.nix
];
programs.sway = {
enable = true;
xwayland.enable = true;
extraPackages = with pkgs; [
swaylock
swaybg
];
};
# Allow swaylock to function
security.pam.services.swaylock = {};
# Enable desktop portals for screengrab
xdg.portal = {
wlr = {
enable = true;
settings.screencast = {
max_fps = 60;
chooser_type = "simple";
chooser_cmd = "${pkgs.slurp}/bin/slurp -f %o -or -B 00000066 -b 00000099";
};
};
extraPortals = with pkgs; [
xdg-desktop-portal-gtk
];
};
}

25
system/desktop/wayland.nix Normal file
View file

@ -0,0 +1,25 @@
{pkgs, ...}: {
programs = {
dconf.enable = true;
light.enable = true;
xwayland.enable = true;
};
# Battery saver and dbus
services = {
tlp.enable = true;
dbus.enable = true;
};
environment.systemPackages = with pkgs; [
wl-clipboard
wdisplays
clipman
libnotify
grim
slurp
swappy
jq
lm_sensors
];
}

7
system/hardware/extlinux.nix Normal file
View file

@ -0,0 +1,7 @@
{
# For ARM machines
boot.loader = {
generic-extlinux-compatible.enable = true;
grub.enable = false;
};
}

119
system/hardware/machines/desktop.nix Normal file
View file

@ -0,0 +1,119 @@
{ config, lib, pkgs, modulesPath, ... }: let
# Set common boot paramaters
commonKernelParams = [
# Nvidia settings
"nvidia_drm.fbdev=1"
"nouveau.config=NvGspRm=1"
# VM/GPU passthrough
"amd_iommu=on"
"iommu=pt"
"nested=1"
# Virtualization nonsense
"transparent_hugepage=never"
# Isolate devices into IOMMU groups
"pcie_acs_override=downstream,multifunction"
"pci=routeirq"
];
in {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
# Set all boot options
boot = {
# Set a kernel version and load/blacklist drivers
kernelPackages = pkgs.unstable.linuxPackages_zen;
blacklistedKernelModules = [
"pcspkr"
];
kernel.sysctl."vm.max_map_count" = 2147483642;
kernelParams = commonKernelParams ++ [
"vfio-pci.ids=10de:1f82,10de:10fa"
];
initrd = {
availableKernelModules = [
"nvme"
"xhci_pci"
"ahci"
"usbhid"
"usb_storage"
"sd_mod"
];
kernelModules = [
"vfio"
"vfio_pci"
"vfio_iommu_type1"
"kvm-amd"
];
};
# Manage supported filesystems
supportedFilesystems = {
ntfs = true;
zfs = lib.mkForce false;
};
};
# Additional entry to boot from the second GPU
specialisation = {
gputwo.configuration = {
boot.kernelParams = commonKernelParams ++ ["vfio-pci.ids=10de:2504,10de:228e"];
};
};
# Mount everything as necessary
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/f0786b07-8303-416f-87ff-276bfd696387";
fsType = "bcachefs";
};
"/boot" = {
device = "/dev/disk/by-uuid/EF6D-9009";
fsType = "vfat";
};
"/etc/libvirt" = {
device = "/dev/disk/by-label/Qemu";
options = ["nosuid" "nodev" "nofail"];
};
"/var/lib/libvirt" = {
depends = ["/etc/libvirt"];
device = "/etc/libvirt/varlibvirt";
options = ["bind" "rw"];
};
"/mnt/Linux1" = {
device = "/dev/disk/by-label/Linux1";
options = ["nosuid" "nodev" "nofail" "x-gvfs-show"];
};
"/mnt/Linux2" = {
device = "/dev/disk/by-label/Linux2";
options = ["nosuid" "nodev" "nofail" "x-gvfs-show"];
};
"/mnt/Windows1" = {
device = "/dev/disk/by-label/Windows1";
options = ["nosuid" "nodev" "noauto"];
};
"/mnt/Windows2" = {
device = "/dev/disk/by-label/Windows2";
options = ["nosuid" "nodev" "noauto"];
};
"/home/jimbo/JimboNFS" = {
device = "server:/export/JimboNFS";
fsType = "nfs4";
options = ["x-systemd.automount" "_netdev" "nofail" "noauto"];
};
};
# Set the swap partition
swapDevices = [
{device = "/dev/disk/by-uuid/2e4c5120-716d-4cdc-84a0-c9e6391760db";}
];
# Enables DHCP on each ethernet and wireless interface.
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

53
system/hardware/machines/lenovo.nix Normal file
View file

@ -0,0 +1,53 @@
{ config, lib, pkgs, modulesPath, ... }: {
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
# Set all boot options
boot = {
# Set a kernel version and load/blacklist drivers
kernelPackages = pkgs.linuxPackages_zen;
blacklistedKernelModules = [
"pcspkr"
];
kernel.sysctl."vm.max_map_count" = 2147483642;
initrd = {
availableKernelModules = [
"nvme"
"xhci_pci"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
kernelModules = [
"kvm-amd"
];
};
# Manage supported filesystems
supportedFilesystems = {
ntfs = true;
zfs = lib.mkForce false;
};
};
# Mount everything as necessary
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/c0fe8419-88f9-48a0-8c5b-acd4c11f8037";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/BF2B-9AE0";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
};
# Enables DHCP on each ethernet and wireless interface.
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

38
system/hardware/machines/pinebook.nix Normal file
View file

@ -0,0 +1,38 @@
{ config, outputs, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
initrd = {
availableKernelModules = [ ];
kernelModules = [ ];
};
blacklistedKernelModules = [
"pcspkr"
];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/25738e24-385e-4bcf-bff5-d0e6274003b6";
fsType = "btrfs";
};
"/boot" = {
device = "/dev/disk/by-uuid/01D2-E962";
fsType = "vfat";
options = [ "fmask=0022" "dmask=0022" ];
};
"/home/jimbo/Downloads" = {
device = "/dev/disk/by-uuid/f0b6cf4e-9576-4ab5-96ae-2a7e57599a35";
fsType = "btrfs";
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/95c43e5a-b53d-41fd-99a3-54181510070e"; }
];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

110
system/hardware/machines/server.nix Normal file
View file

@ -0,0 +1,110 @@
{ config, outputs, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
# Set all boot options
boot = {
blacklistedKernelModules = [
"pcspkr"
];
initrd = {
availableKernelModules = [
"xhci_pci"
"ehci_pci"
"ahci"
"nvme"
"usbhid"
"sd_mod"
"sr_mod"
];
kernelModules = [
"kvm-intel"
];
};
swraid.mdadmConf = ''
MAILADDR jimbo@${outputs.secrets.jimDomain}
'';
};
# Mounting options
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/8f81cab7-9381-4950-b77f-b85c5fdbad16";
fsType = "ext4";
};
"/boot" = {
device = "/dev/disk/by-uuid/2034-754A";
fsType = "vfat";
};
"/export/JimboNFS" = {
device = "/dev/disk/by-uuid/713fcd92-534c-4153-8e04-e0c6fe5f6a51";
fsType = "ext4";
noCheck = true;
};
"/home/jimbo/JimboNFS" = {
device = "/export/JimboNFS";
fsType = "none";
options = [ "bind" ];
};
# Atrocity of bindmounts
"/mnt/nextcloud/data/JimboNFS" = {
device = "/export/JimboNFS";
fsType = "none";
options = [ "bind" ];
};
"/var/lib/bitwarden_rs" = {
device = "/export/JimboNFS/System/var/lib/bitwarden_rs";
fsType = "none";
options = [ "bind" ];
};
"/var/lib/gitea" = {
device = "/export/JimboNFS/System/var/lib/gitea";
fsType = "none";
options = [ "bind" ];
};
"/var/lib/matrix-synapse" = {
device = "/export/JimboNFS/System/var/lib/matrix-synapse";
fsType = "none";
options = [ "bind" ];
};
"/var/lib/nextcloud" = {
device = "/export/JimboNFS/System/var/lib/nextcloud";
fsType = "none";
options = [ "bind" ];
};
"/var/lib/owncast" = {
device = "/export/JimboNFS/System/var/lib/owncast";
fsType = "none";
options = [ "bind" ];
};
"/var/lib/mastodon" = {
device = "/export/JimboNFS/System/var/lib/mastodon";
fsType = "none";
options = [ "bind" ];
};
"/srv/minecraft" = {
device = "/export/JimboNFS/System/srv/minecraft";
fsType = "none";
options = [ "bind" ];
};
"/var/lib/private/photoprism/originals" = {
device = "/export/JimboNFS/Photos/Galleries";
fsType = "none";
options = [ "bind" ];
};
};
swapDevices = [
{ device = "/dev/disk/by-uuid/ec422cad-bf93-4b15-b989-2c807f1073a4"; }
];
# Enables DHCP on each ethernet and wireless interface.
networking.useDHCP = lib.mkDefault true;
# Hardware settings
boot.swraid.enable = true;
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

6
system/hardware/mackeys.nix Normal file
View file

@ -0,0 +1,6 @@
{
# Forces the function keys to work right on Macbooks
boot.extraModprobeConfig = ''
options hid_apple fnmode=2
'';
}

4
system/hardware/nouveau.nix Normal file
View file

@ -0,0 +1,4 @@
{pkgs, ...}: {
# Enable video drivers
services.xserver.videoDrivers = ["nouveau"];
}

10
system/hardware/nvidia.nix Normal file
View file

@ -0,0 +1,10 @@
{pkgs, config, ...}: {
# Enable video drivers
services.xserver.videoDrivers = ["nvidia"];
hardware.nvidia = {
modesetting.enable = true;
nvidiaSettings = false;
package = config.boot.kernelPackages.nvidiaPackages.beta;
open = false;
};
}

12
system/hardware/opengl.nix Normal file
View file

@ -0,0 +1,12 @@
{pkgs, ...}: {
# Enable OpenGL
hardware.opengl = {
enable = true;
driSupport32Bit = true;
extraPackages = with pkgs; [
vulkan-loader
vulkan-validation-layers
vulkan-extension-layer
];
};
}

7
system/hardware/systemdboot.nix Normal file
View file

@ -0,0 +1,7 @@
{
# For UEFI machines
boot.loader.systemd-boot = {
enable = true;
netbootxyz.enable = true;
};
}

7
system/hardware/wireless.nix Normal file
View file

@ -0,0 +1,7 @@
{
# Enable wireless networkmanager
networking = {
networkmanager.enable = true;
enableB43Firmware = true;
};
}

45
system/lenovo.nix Normal file
View file

@ -0,0 +1,45 @@
{
imports = [
# Base configs
./base.nix
# Import users and groups
./users/jimbo.nix
./users/groups.nix
# Desktop only
./desktop/misc.nix
./desktop/sway.nix
./desktop/greetd-sway.nix
./desktop/printing.nix
./desktop/gaming.nix
./desktop/pipewire.nix
./desktop/bluetooth.nix
./desktop/firewall.nix
./desktop/fonts.nix
./desktop/qt.nix
# Laptop/Portable only
./hardware/wireless.nix
# Modules
./modules/security.nix
./modules/legacy.nix
# Hardware
./hardware/machines/lenovo.nix
./hardware/systemdboot.nix
./hardware/opengl.nix
# Services
./services/openssh.nix
./services/udev.nix
./services/mpd.nix
];
# Set hostname
networking.hostName = "JimLenovo";
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.05";
}

9
system/modules/gpg.nix Normal file
View file

@ -0,0 +1,9 @@
{pkgs, ...}: {
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
};
environment.systemPackages = with pkgs; [
git-crypt
];
}

11
system/modules/ips.nix Normal file
View file

@ -0,0 +1,11 @@
rec {
netInt = "eno1";
localSpan = "10.0.0";
server = "${localSpan}.2";
pc = "${localSpan}.3";
vm = "${localSpan}.4";
hx = "${localSpan}.70";
wgInt = "wg0";
wgSpan = "10.100.0";
}

14
system/modules/legacy.nix Normal file
View file

@ -0,0 +1,14 @@
{config, inputs, lib, ...}: {
# This will add each flake input as a registry to make nix commands consistent with your flake
nix.registry = (lib.mapAttrs (_: flake: {inherit flake;})) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
# This will add your inputs to the system's legacy channels making legacy nix commands consistent
nix.nixPath = ["/etc/nix/path"];
environment.etc =
lib.mapAttrs'
(name: value: {
name = "nix/path/${name}";
value.source = value.flake;
})
config.nix.registry;
}

17
system/modules/networking.nix Normal file
View file

@ -0,0 +1,17 @@
{
# Networking settings
networking = {
# Choose networking method
wireless.enable = false;
dhcpcd.enable = true;
# Set hostnames
hosts = let
ips = import ../modules/ips.nix;
in {
"${ips.server}" = ["server"];
"${ips.pc}" = ["pc"];
"${ips.vm}" = ["vm"];
};
};
}

18
system/modules/security.nix Normal file
View file

@ -0,0 +1,18 @@
{
# Enable AppArmor
security = {
sudo.enable = false;
doas = {
enable = true;
extraRules = [
# Give wheel root access, allow persistant session
{
groups = ["wheel"];
keepEnv = true;
persist = true;
}
];
};
apparmor.enable = true;
};
}

47
system/pinebook.nix Normal file
View file

@ -0,0 +1,47 @@
{ lib, ...}: {
imports = [
# Base configs
./base.nix
# Import users and groups
./users/jimbo.nix
./users/groups.nix
# Desktop only
./desktop/misc.nix
./desktop/sway.nix
./desktop/greetd-sway.nix
./desktop/printing.nix
./desktop/pipewire.nix
./desktop/bluetooth.nix
./desktop/firewall.nix
./desktop/fonts.nix
./desktop/qt.nix
# Laptop/Portable only
./hardware/wireless.nix
# Modules
./modules/security.nix
./modules/legacy.nix
# Hardware
./hardware/machines/pinebook.nix
./hardware/extlinux.nix
./hardware/opengl.nix
# Services
./services/openssh.nix
./services/udev.nix
./services/mpd.nix
];
# Disable 32 bit graphics
hardware.opengl.driSupport32Bit = lib.mkForce false;
# Set hostname
networking.hostName = "JimPine";
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.05";
}

64
system/server.nix Normal file
View file

@ -0,0 +1,64 @@
{
imports = [
# Base configs
./base.nix
# Import users and groups
./users/jimbo.nix
./users/nextcloud.nix
./users/nginx.nix
./users/liquidsoap.nix
./users/groups.nix
# Modules
./modules/security.nix
./modules/legacy.nix
# Hardware
./hardware/machines/server.nix
./hardware/systemdboot.nix
# Services
./services/openssh.nix
./server/acme.nix
./server/ddclient.nix
./server/icecast.nix
./server/firewall.nix
./server/forgejo.nix
./server/mailserver.nix
./server/mariadb.nix
./server/nginx.nix
./server/owncast.nix
./server/photoprism.nix
./server/minecraft
./server/vaultwarden.nix
./server/transmission.nix
./server/wireguard.nix
./server/misc.nix
# File server
./server/nextcloud.nix
./server/nfs.nix
./server/samba.nix
# Matrix
./server/synapse.nix
./server/element.nix
./server/coturn.nix
./server/matrix-discord.nix
# Federation
./server/lemmy.nix
./server/mastodon.nix
./server/pixelfed.nix
];
# Set custom openssh port
services.openssh.ports = [ 2222 ];
# Set hostname
networking.hostName = "JimServer";
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.05";
}

12
system/server/acme.nix Normal file
View file

@ -0,0 +1,12 @@
{outputs, ...}: {
security.acme = {
acceptTerms = true;
defaults.email = outputs.secrets.jimEmail;
certs = {
"turn.${outputs.secrets.jimDomain}" = {
group = "turnserver";
postRun = "systemctl restart coturn.service";
};
};
};
}

14
system/server/archived/adguard.nix Normal file
View file

@ -0,0 +1,14 @@
{
services = {
adguardhome.enable = true;
nginx.virtualHosts."guard.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
proxyWebsockets = true;
};
};
};
networking.firewall.allowedUDPPorts = [ 53 ];
}

36
system/server/archived/gitea.nix Normal file
View file

@ -0,0 +1,36 @@
{outputs, ...}: {
services = {
gitea = {
enable = true;
settings = {
server = {
DOMAIN = "gitea.${outputs.secrets.jimDomain}";
ROOT_URL = "https://gitea.${outputs.secrets.jimDomain}:443";
HTTP_PORT = 3115;
SSH_PORT = 2295;
START_SSH_SERVER = true;
};
mailer = {
ENABLED = true;
SMTP_ADDR = "mx.${outputs.secrets.jimDomain}";
FROM = "Jimbo's Git <noreply@${outputs.secrets.jimDomain}>";
USER = "noreply@${outputs.secrets.jimDomain}";
PASSWD = outputs.secrets.noreplyPassword;
PROTOCOL = "smtps";
};
service.REGISTER_EMAIL_CONFIRM = true;
};
};
nginx.virtualHosts."gitea.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3115";
proxyWebsockets = true;
};
};
};
# Allow Gitea SSH to work
networking.firewall.allowedTCPPorts = [ 2295 ];
}

31
system/server/archived/pufferpanel.nix Normal file
View file

@ -0,0 +1,31 @@
{pkgs, outputs, lib, ...}: {
services = {
pufferpanel = {
enable = true;
environment = {
PUFFER_WEB_HOST = ":5010";
PUFFER_PANEL_SETTINGS_MASTERURL = "https://panel.${outputs.secrets.jimDomain}";
PUFFER_PANEL_EMAIL_PROVIDER = "smtp";
PUFFER_PANEL_EMAIL_HOST = "mx.${outputs.secrets.jimDomain}:587";
PUFFER_PANEL_EMAIL_FROM = "noreply@${outputs.secrets.jimDomain}";
PUFFER_PANEL_EMAIL_USERNAME = "noreply@${outputs.secrets.jimDomain}";
PUFFER_PANEL_EMAIL_PASSWORD = outputs.secrets.noreplyPassword;
};
extraPackages = with pkgs; [ bash curl gawk gnutar gzip ];
package = pkgs.buildFHSEnv {
name = "pufferpanel-fhs";
meta.mainProgram = "pufferpanel-fhs";
runScript = lib.getExe pkgs.pufferpanel;
targetPkgs = pkgs': with pkgs'; [ icu openssl zlib ];
};
};
nginx.virtualHosts."panel.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5010";
proxyWebsockets = true;
};
};
};
}

48
system/server/coturn.nix Normal file
View file

@ -0,0 +1,48 @@
{outputs, config, ...}: {
services = {
coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret = "will be world readable for local users :(";
realm = "turn.${outputs.secrets.jimDomain}";
cert = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/fullchain.pem";
pkey = "/var/lib/acme/turn.${outputs.secrets.jimDomain}.com/key.pem";
};
# Enable coturn on Synapse
matrix-synapse.settings = {
turn_uris = [
"turn:turn.${outputs.secrets.jimDomain}:3478?transport=udp"
"turn:turn.${outputs.secrets.jimDomain}:3478?transport=tcp"
];
turn_shared_secret = config.services.coturn.static-auth-secret;
turn_user_lifetime = "1h";
};
# Proxy main coturn port
nginx.virtualHosts."turn.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
listen = [{
addr = "0.0.0.0";
port = 80;
ssl = false;
}];
locations."/".proxyPass = "http://127.0.0.1:1380";
};
};
# Open coturn ports
networking.firewall = {
allowedUDPPorts = [
3478 5349
];
allowedUDPPortRanges = [
{ from = 49000; to = 50000; }
];
};
}

21
system/server/ddclient.nix Normal file
View file

@ -0,0 +1,21 @@
{pkgs, outputs, ...}: {
# Dynamic IPs for Cloudflare records
services.ddclient = {
enable = true;
protocol = "cloudflare";
use = "web, web=https://ipinfo.io/ip";
zone = "${outputs.secrets.jimDomain}";
username = "token";
passwordFile = "${pkgs.writeText "cloudflareapikey" outputs.secrets.flareApiKey}";
domains = [
"${outputs.secrets.jimDomain}"
"*.${outputs.secrets.jimDomain}"
"beta.${outputs.secrets.jimDomain}"
"git.${outputs.secrets.jimDomain}"
"john.${outputs.secrets.jimDomain}"
"mc.${outputs.secrets.jimDomain}"
"rtmp.${outputs.secrets.jimDomain}"
"turn.${outputs.secrets.jimDomain}"
];
};
}

28
system/server/element.nix Normal file
View file

@ -0,0 +1,28 @@
{pkgs, outputs, ...}: {
# Configure the Element web server
nixpkgs.config.element-web.conf = {
default_server_config = {
"m.homeserver" = {
base_url = "https://matrix.${outputs.secrets.jimDomain}";
server_name = "matrix.${outputs.secrets.jimDomain}";
};
};
branding = {
#welcome_background_url = "https://staging.${outputs.secrets.jimDomain}/images/backgrounds/bloxelcom-sunset.jpg";
#auth_header_logo_url = "https://staging.${outputs.secrets.jimDomain}/images/logos/bloxelcom.png";
};
embedded_pages = {
home_url = "https://www.${outputs.secrets.jimDomain}/";
};
disable_custom_urls = true;
disable_guests = true;
default_theme = "dark";
};
# Serve the Element page over Nginx
services.nginx.virtualHosts."chat.${outputs.secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "${pkgs.element-web}";
};
}

57
system/server/firewall.nix Normal file
View file

@ -0,0 +1,57 @@
{outputs, ...}: {
# Allow forwarding
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# Configure firewall
networking = let
ips = import ../modules/ips.nix;
mailPorts = "{ 25, 143, 465, 587, 993, 4190 }";
in {
firewall = {
allowPing = false;
# Add extra input rules using nftables
extraInputRules = ''
ip saddr ${ips.localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS"
ip saddr { ${ips.pc}, ${outputs.secrets.lunaIP}, ${outputs.secrets.cornIP}, ${outputs.secrets.vertIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP"
ip saddr ${ips.wgSpan}.3 tcp dport ${mailPorts} accept comment "Accept mail"
'';
};
# Enable nftables and forwarding
nftables = {
enable = true;
tables = {
forwarding = {
family = "ip";
content = ''
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
tcp dport 2211 dnat to ${ips.pc}:22 comment "SSH to PC"
tcp dport 2233 dnat to ${ips.wgSpan}.3:22 comment "SSH to Oracle VM"
udp dport { 27005, 27015, 7777 } dnat to ${ips.pc} comment "PC Hosted Games"
tcp dport { 58010, 57989, 57984 } dnat to ${ips.pc} comment "PC Sunshine TCP"
udp dport { 57998, 57999, 58000 } dnat to ${ips.pc} comment "PC Sunshine UDP"
tcp dport { 38010, 37989, 37984 } dnat to ${ips.vm} comment "VM Sunshine TCP"
udp dport { 37998, 37999, 38000 } dnat to ${ips.vm} comment "VM Sunshine UDP"
udp dport { 7790, 7791, 7792 } dnat to ${ips.hx} comment "Deus Ex"
ip saddr ${outputs.secrets.cornIP} tcp dport { 9943, 9944 } dnat to ${ips.vm} comment "VM ALVR TCP"
ip saddr ${outputs.secrets.cornIP} udp dport { 9943, 9944 } dnat to ${ips.vm} comment "VM ALVR UDP"
}
chain POSTROUTING {
type nat hook postrouting priority 100; policy accept;
oifname "${ips.netInt}" masquerade
iifname "${ips.netInt}" oifname "${ips.wgInt}" masquerade comment "Traffic from public to WireGuard"
tcp dport ${mailPorts} oifname != "${ips.wgInt}" drop comment "Send mail"
}
'';
};
};
};
};
}

43
system/server/forgejo.nix Normal file
View file

@ -0,0 +1,43 @@
# This is a hard fork of Gitea.
{outputs, ...}: {
services = {
forgejo = {
enable = true;
settings = {
server = {
DOMAIN = "git.${outputs.secrets.jimDomain}";
ROOT_URL = "https://git.${outputs.secrets.jimDomain}:443";
HTTP_PORT = 3110;
SSH_PORT = 2299;
START_SSH_SERVER = true;
};
ui = {
DEFAULT_THEME = "forgejo-dark";
};
mailer = {
ENABLED = true;
SMTP_ADDR = "mx.${outputs.secrets.jimDomain}";
FROM = "Jimbo's Git <noreply@${outputs.secrets.jimDomain}>";
USER = "noreply@${outputs.secrets.jimDomain}";
PASSWD = outputs.secrets.noreplyPassword;
PROTOCOL = "smtps";
};
service = {
REGISTER_EMAIL_CONFIRM = true;
DISABLE_REGISTRATION = true;
};
};
};
nginx.virtualHosts."git.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3110";
proxyWebsockets = true;
};
};
};
# Allow Forgejo's SSH to work
networking.firewall.allowedTCPPorts = [ 2299 ];
}

78
system/server/icecast.nix Normal file
View file

@ -0,0 +1,78 @@
{pkgs, outputs, ...}: {
# Icecast, replacing Azuracast maybe
services = {
# The host service
icecast = {
enable = true;
listen.port = 265;
hostname = "icecast.${outputs.secrets.jimDomain}";
admin = {
user = "jimbo";
password = "${outputs.secrets.castAdminPass}";
};
extraConf = ''
<authentication>
<source-password>${outputs.secrets.castSourcePass}</source-password>
</authentication>
<location>Canada</location>
<admin>jimbo@jimbosfiles.com</admin>
<mount type="normal">
<mount-name>/jimbops.opus</mount-name>
<stream-name>JimBops Radio</stream-name>
<stream-description>Music gathered by me, Jimbo.</stream-description>
<stream-url>https://icecast.jimbosfiles.com/jimbops.opus</stream-url>
<genre>Anything</genre>
<type>application/ogg</type>
<subtype>vorbis</subtype>
</mount>
'';
};
# The audio stream
liquidsoap.streams = let
jimbops = ''
# CONFIGURATION
settings.log.stdout.set(true)
settings.init.allow_root.set(true)
settings.scheduler.fast_queues.set(2)
settings.decoder.file_extensions.mp4.set(["m4a", "m4b", "m4p", "m4v", "m4r", "3gp", "mp4"])
# Define the source with random playlist
jimbops = mksafe(playlist(mode='randomize', reload=1, reload_mode="rounds", "/export/JimboNFS/Music/"))
# Ensure the stream never stops
jimbops_fallback = fallback([jimbops, jimbops])
# Output configuration to Icecast
output.icecast(
%ffmpeg(format="ogg", %audio(codec="libvorbis", samplerate=48000, b="256k", channels=2)),
host="127.0.0.1",
port=265,
password="${outputs.secrets.castSourcePass}",
public=true,
icy_metadata=["artist", "title"],
mount="jimbops.opus",
encoding = "UTF-8",
jimbops_fallback
)
'';
in {
JimBops = pkgs.writeText "liquidjim" jimbops;
};
# The web frontend
nginx.virtualHosts."icecast.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:265";
proxyWebsockets = true;
extraConfig = ''
add_header Ice-Public "1";
'';
};
};
};
}

25
system/server/lemmy.nix Normal file
View file

@ -0,0 +1,25 @@
{outputs, ...}: {
services = {
lemmy = {
enable = true;
nginx.enable = true;
database.createLocally = true;
settings = {
hostname = "lemmy.${outputs.secrets.jimDomain}";
email = {
smtp_server = "mx.${outputs.secrets.jimDomain}:587";
smtp_login = "noreply@${outputs.secrets.jimDomain}";
smtp_from_address = "Jimbo's Lemmy <noreply@${outputs.secrets.jimDomain}>";
smtp_password = outputs.secrets.noreplyPassword;
tls_type = "starttls";
};
};
};
# Add SSL to webpage
nginx.virtualHosts."lemmy.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
};
};
}

68
system/server/mailserver.nix Normal file
View file

@ -0,0 +1,68 @@
{pkgs, outputs, ...}: rec {
# Mail server
mailserver = rec {
enable = true;
openFirewall = false;
domains = [ "${outputs.secrets.jimDomain}" ];
fqdn = "mx.${outputs.secrets.jimDomain}";
certificateScheme = "acme-nginx";
localDnsResolver = false;
redis.port = 1515;
# Dmarc info
dmarcReporting = {
enable = true;
domain = "${outputs.secrets.jimDomain}";
localpart = "noreply";
organizationName = "Jimbo's Files";
};
# A list of accounts, passwords generated with nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"noreply@${outputs.secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "noreply" outputs.secrets.noreplyMailHash;
sendOnly = true;
};
"jimbo@${outputs.secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "jimbo" outputs.secrets.jimboMailHash;
aliases = [ "james@${outputs.secrets.jimDomain}" "contact@${outputs.secrets.jimDomain}" ];
};
"lunamoonlight@${outputs.secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "luna" outputs.secrets.lunaMailHash;
};
"freecorn1854@${outputs.secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "freecorn" outputs.secrets.freecornMailHash;
};
"tinyattack09@${outputs.secrets.jimDomain}" = {
hashedPasswordFile = pkgs.writeText "tiny" outputs.secrets.tinyMailHash;
};
};
};
# Related services
services = {
# Roundcube mail server
roundcube = {
enable = true;
hostName = "mail.${outputs.secrets.jimDomain}";
extraConfig = ''
$config['smtp_server'] = "tls://${mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
# Force the mailserver to use a different redis port
redis.servers.rspamd.port = 1515;
# The hostname mail ports use
nginx.virtualHosts."mx.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:1390";
proxyWebsockets = true;
};
};
};
}

25
system/server/mariadb.nix Normal file
View file

@ -0,0 +1,25 @@
{pkgs, ...}: {
services.mysql = {
enable = true;
package = pkgs.mariadb;
dataDir = "/var/lib/mysql";
ensureDatabases = [
"minecraft"
"photoprism"
];
ensureUsers = [
{
name = "minecraft";
ensurePermissions = {
"minecraft.*" = "ALL PRIVILEGES";
};
}
{
name = "photoprism";
ensurePermissions = {
"photoprism.*" = "ALL PRIVILEGES";
};
}
];
};
}

17
system/server/mastodon.nix Normal file
View file

@ -0,0 +1,17 @@
{pkgs, outputs, ...}: {
services.mastodon = {
enable = true;
localDomain = "social.${outputs.secrets.jimDomain}";
streamingProcesses = 4;
configureNginx = true;
smtp = {
createLocally = false;
host = "mx.${outputs.secrets.jimDomain}";
port = 587;
authenticate = true;
fromAddress = "Jimbo's Mastodon <noreply@${outputs.secrets.jimDomain}>";
user = "noreply@${outputs.secrets.jimDomain}";
passwordFile = pkgs.writeText "smtp_pass.txt" outputs.secrets.noreplyPassword;
};
};
}

16
system/server/matrix-discord.nix Normal file
View file

@ -0,0 +1,16 @@
{outputs, ...}: {
services.matrix-appservice-discord = {
enable = true;
settings = {
auth = {
clientID = "${outputs.secrets.discordBotID}";
botToken = "${outputs.secrets.discordBotToken}";
usePrivilegedIntents = true;
};
bridge = {
domain = "${outputs.secrets.jimDomain}";
homeserverUrl = "https://matrix.${outputs.secrets.jimDomain}";
};
};
};
}

68
system/server/minecraft/common.nix Normal file
View file

@ -0,0 +1,68 @@
{pkgs, ...}: {
# Common properties
serverProperties = {
enforce-secure-profile = false;
max-players = 20;
online-mode = false;
spawn-protection = 0;
view-distance = 10;
simulation-distance = 10;
white-list = true;
};
# Common whitelist
whitelist = {
K5G = "8656dc10-6050-4a17-b29e-88c4babbc54c";
JimmJam = "2f7affee-e10b-450f-a5e2-44c79a14a109";
Foxzilla04 = "f583f591-ad9b-4a30-8d91-514881b31394";
DewDemolisher = "9205524f-3886-483d-b471-82bb9905671a";
Freecorn1854 = "8299cd8d-3cd4-4779-8180-0d9db6dc12a9";
Tinyattack09 = "aaa8e9e2-4e51-4925-b9df-8a9504aec5d5";
Ankha3000 = "dd65a277-f618-411e-812c-900c9c7e82d9";
catoiico = "01f10cdf-c146-437e-99b1-2278b5dbe420";
Sp0ok7 = "016c3daa-3dd5-4631-ae79-3a6f48d7cbe6";
PooxterMooxter = "c973f4b5-ab50-45e3-b3eb-36286a6f66aa";
};
# Common plugins
paperSymlinks = {
"plugins/Backuper.jar" = builtins.fetchurl {
url = "https://cdn.modrinth.com/data/7cMAqMND/versions/nkcNIvUw/Backuper-3.0.1.jar";
sha256 = "081hvs7khd9s8598i59ai8n0idp85rgc89m9hpfajwym9rmy7il4";
};
"plugins/BungeeGuard.jar" = builtins.fetchurl {
url = "https://github.com/lucko/BungeeGuard/releases/download/v1.3.3/BungeeGuard.jar";
sha256 = "0cackavwk7kl71hn1i78hcvkdp7q81srq35nranpvysbmm8v34vk";
};
"plugins/EssentialsX.jar" = builtins.fetchurl {
url = "https://ci.ender.zone/job/EssentialsX/lastSuccessfulBuild/artifact/jars/EssentialsX-2.21.0-dev+111-b54c8c1.jar";
sha256 = "0kcsgz5kcfbjc3nbdlgp549y497m4v90dnjqkv30sd1bfyzs9i5z";
};
"plugins/EssentialsXChat.jar" = builtins.fetchurl {
url = "https://ci.ender.zone/job/EssentialsX/lastSuccessfulBuild/artifact/jars/EssentialsXChat-2.21.0-dev+111-b54c8c1.jar";
sha256 = "0nraiclvnpl69gigs7h6vq55iksfd47clbzp7n3rsjmgvrbl1wil";
};
"plugins/LuckPerms.jar" = builtins.fetchurl {
url = "https://download.luckperms.net/1556/bukkit/loader/LuckPerms-Bukkit-5.4.141.jar";
sha256 = "02ad0dl34vdk6b1wyflqa6wq440xrh5w7yf3z3w1x1g089myddw4";
};
"plugins/ProtocolLib.jar" = builtins.fetchurl {
url = "https://ci.dmulloy2.net/job/ProtocolLib/lastSuccessfulBuild/artifact/build/libs/ProtocolLib.jar";
sha256 = "16krc7pyav4khnaxkyg27i5yxsgcdkildrn4nm5bhzh1f0ngqv2s";
};
"plugins/Vault.jar" = builtins.fetchurl {
url = "https://github.com/MilkBowl/Vault/releases/download/1.7.3/Vault.jar";
sha256 = "07fhfz7ycdlbmxsri11z02ywkby54g6wi9q0myxzap1syjbyvdd6";
};
"plugins/VoiceChat.jar" = builtins.fetchurl {
url = "https://cdn.modrinth.com/data/9eGKb6K1/versions/nS19YToN/voicechat-bukkit-2.5.20.jar";
sha256 = "023wjx0zxf9rc2x9vsqg398wapz0nlwfs5g6c8pci3qx75i5s4jx";
};
};
# Config files
configSymlinks = {
"plugins/Essentials/config.yml" = ./essentialsconfig.yml;
"plugins/voicechat/voicechat-server.properties" = ./vcserver.properties;
};
}

17
system/server/minecraft/default.nix Normal file
View file

@ -0,0 +1,17 @@
{inputs, ...}: {
imports = [
inputs.nix-minecraft.nixosModules.minecraft-servers
./servers/velocity.nix
./servers/dewdemolisher.nix
./servers/johnside.nix
./servers/blockworld.nix
./servers/uberbeta.nix
#./servers/freaktards.nix
];
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
services.minecraft-servers = {
enable = true;
eula = true;
};
}

1173
system/server/minecraft/essentialsconfig.yml Normal file
View file

File diff suppressed because it is too large Load diff

17
system/server/minecraft/servers/blockworld.nix Normal file
View file

@ -0,0 +1,17 @@
{pkgs, ...}: let
common = import ../common.nix { inherit pkgs; };
in {
services.minecraft-servers.servers.blockworld = {
enable = true;
autoStart = false;
package = pkgs.paperServers.paper-1_21_1;
jvmOpts = "-Xmx3072M";
serverProperties = common.serverProperties // {
difficulty = 2;
server-port = 30012;
motd = "§fArchival §l§n§cBloxelcom §r§fMinecraft server.";
};
whitelist = common.whitelist;
symlinks = common.paperSymlinks // common.configSymlinks;
};
}

16
system/server/minecraft/servers/dewdemolisher.nix Normal file
View file

@ -0,0 +1,16 @@
{pkgs, ...}: let
common = import ../common.nix { inherit pkgs; };
in {
services.minecraft-servers.servers.dewdemolisher = {
enable = true;
package = pkgs.paperServers.paper-1_21_1;
jvmOpts = "-Xmx3072M";
serverProperties = common.serverProperties // {
difficulty = 2;
server-port = 30010;
motd = "§l§aDew Demolisher is here.";
};
whitelist = common.whitelist;
symlinks = common.paperSymlinks // common.configSymlinks;
};
}

65
system/server/minecraft/servers/johnside.nix Normal file
View file

@ -0,0 +1,65 @@
{pkgs, outputs, ...}: let
common = import ../common.nix { inherit pkgs; };
in {
services = {
minecraft-servers.servers.johnside = {
enable = true;
package = pkgs.paperServers.paper-1_20_6;
jvmOpts = "-Xmx3072M";
serverProperties = common.serverProperties // {
difficulty = 2;
server-port = 30009;
motd = "§l§9Johnside SMP§r §l§fworld for §4John lovers only.";
};
whitelist = common.whitelist;
symlinks = common.paperSymlinks // common.configSymlinks // {
"plugins/BlueMap.jar" = builtins.fetchurl {
url = "https://cdn.modrinth.com/data/swbUV1cr/versions/TL5ElRWX/BlueMap-5.3-spigot.jar";
sha256 = "08ls3wk0333vjg49kcmri884pcgm2xk9xdhwcxyffbh4ra0xrlbw";
};
"plugins/BlueMapOfflinePlayers.jar" = builtins.fetchurl {
url = "https://github.com/TechnicJelle/BlueMapOfflinePlayerMarkers/releases/download/v3.0/BlueMapOfflinePlayerMarkers-3.0.jar";
sha256 = "1f07w53q7yr4mvph7013d7ajxmp4lnsv6b1ab14y2x0bmqv39nwr";
};
"plugins/BlueMapMarkerManager.jar" = builtins.fetchurl {
url = "https://cdn.modrinth.com/data/a8UoyV2h/versions/E0XoPfJV/BMM-2.1.5.jar";
sha256 = "1vpnqglybysxnqyzkjnwbwg000dqkbk516apzvhmg39wlfaysl9d";
};
"plugins/CustomDiscs.jar" = builtins.fetchurl {
url = "https://github.com/Navoei/CustomDiscs/releases/download/v3.0/custom-discs-3.0.jar";
sha256 = "0xv0zrkdmjx0d7l34nqag8j004pm9zqivc12d3zy9pdrkv7pz87d";
};
"plugins/NotTooExpensive.jar" = builtins.fetchurl {
url = "https://github.com/Mrredstone5230/Not-Too-Expensive/releases/download/1.1/not-too-expensive-1.1.jar";
sha256 = "0da4v5l7iwry3wc21292lkmjprgmign4vdshzmhp7qc9hx26pj2d";
};
"plugins/SilkTouchHands.jar" = builtins.fetchurl {
url = "https://github.com/5U55/SilkTouchSpigot/releases/download/v1.1/SilkTouchv1.1.jar";
sha256 = "0mbp73xclr7f5m2lbdfz6is1j8vvyv1qwpl28sm089zrpm73qn6w";
};
};
};
# BlueMap webhost
nginx.virtualHosts."john.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:31010";
proxyWebsockets = true;
};
};
};
# Allow Nginx to read and write to paths
systemd.services.nginx.serviceConfig = {
ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ];
};
# Open HTTP and HTTPs ports
networking.firewall = {
allowedTCPPorts = [
80 443 # Nginx
];
};
}

21
system/server/minecraft/servers/uberbeta.nix Normal file
View file

@ -0,0 +1,21 @@
{pkgs, ...}: let
common = import ../common.nix { inherit pkgs; };
uberBukkitZip = pkgs.fetchzip {
url = "https://github.com/Moresteck/Project-Poseidon-Uberbukkit/releases/download/2.0.0/uberbukkit-2.0.0-java17.zip";
sha256 = "m4hgcqXJ43SnBGn6qNBGeEcXFv5Q8f/VFYJmx3aJ9PE=";
stripRoot = false;
};
uberBukkit = pkgs.vanillaServers.vanilla.overrideAttrs (oldAttrs: {
src = "${uberBukkitZip}/uberbukkit-2.0.0.jar";
});
in {
services.minecraft-servers.servers.uberbeta = {
enable = true;
package = uberBukkit;
jvmOpts = "-Xmx512M";
serverProperties = common.serverProperties // {
difficulty = 3;
server-port = 30005;
};
};
}

49
system/server/minecraft/servers/velocity.nix Normal file
View file

@ -0,0 +1,49 @@
{pkgs, ...}: let
common = import ../common.nix { inherit pkgs; };
in {
services.minecraft-servers.servers.velocity = {
enable = true;
package = pkgs.velocityServers.velocity;
jvmOpts = "-Xmx512M";
symlinks = {
"plugins/Geyser.jar" = builtins.fetchurl {
url = "https://download.geysermc.org/v2/projects/geyser/versions/2.4.2/builds/660/downloads/velocity";
sha256 = "09z938v6xrgbiba8rxgi7cdh3xxkv9fdampy15k6fmwddmj9y4a2";
};
"plugins/Floodgate.jar" = builtins.fetchurl {
url = "https://download.geysermc.org/v2/projects/floodgate/versions/2.2.3/builds/109/downloads/velocity";
sha256 = "1hxdf38qzpzdnyn2gn1152fyd54bi37i0ayc82dgcjf0qrcbmv0c";
};
"plugins/LuckPerms.jar" = builtins.fetchurl {
url = "https://download.luckperms.net/1556/velocity/LuckPerms-Velocity-5.4.141.jar";
sha256 = "0j5f7r3g8h4f8z8ppakwfk96hijp3slr0vxyj9v8x4h8w5rcl9d1";
};
"plugins/SkinsRestorer.jar" = builtins.fetchurl {
url = "https://github.com/SkinsRestorer/SkinsRestorer/releases/download/15.4.2/SkinsRestorer.jar";
sha256 = "14nl9mi958bfqwqz9182cxj7m6l15kalq3wjmjqzy50s52si35wf";
};
"plugins/ViaVersion.jar" = builtins.fetchurl {
url = "https://github.com/ViaVersion/ViaVersion/releases/download/5.0.3/ViaVersion-5.0.3.jar";
sha256 = "02gf91ysialgvbl0w8awa0dsi1yb33ac7clmz0wika1xigk9z10r";
};
"plugins/ViaBackwards.jar" = builtins.fetchurl {
url = "https://github.com/ViaVersion/ViaBackwards/releases/download/5.0.3/ViaBackwards-5.0.3.jar";
sha256 = "1wqk68pjrzl1zhajb9lxa1s6wzj85rb0c2riycv9yysr5bcxssqi";
};
"plugins/Voicechat.jar" = builtins.fetchurl {
url = "https://cdn.modrinth.com/data/9eGKb6K1/versions/svvcJhgC/voicechat-velocity-2.5.20.jar";
sha256 = "0nw85x24qa9skbhfgbhsjl2r7d9xshr9f04nnq490zbgz7716lqq";
};
};
};
# Open ports for proxy
networking.firewall = {
allowedTCPPorts = [
25565 19132 30013 5657 # Minecraft server info
];
allowedUDPPorts = [
25565 19132 30013 # Minecraft server, VC, and Bedrock
];
};
}

36
system/server/minecraft/vcserver.properties Normal file
View file

@ -0,0 +1,36 @@
# Simple Voice Chat server config v2.5.16
# The port of the voice chat server, "-1" sets the port to the Minecraft servers port
port=-1
# The distance to where the voice can be heard
max_voice_distance=48.0
# The multiplier the voice distance will be reduced by when sneaking
crouch_distance_multiplier=1.0
# The multiplier the voice distance will be reduced by when whispering
whisper_distance_multiplier=0.5
# The opus codec
codec=VOIP
# The maximum size in bytes in a voice packet
# Set this to a lower value if your voice packets don't arrive
mtu_size=1024
# The frequency in which keep alive packets are sent
# Setting this to a higher value may result in timeouts
keep_alive=1000
# If group chats are allowed
enable_groups=true
# If players are allowed to record the voice chat
allow_recording=true
# If spectators are allowed to talk to other players
spectator_interaction=false
# If spectators can talk to players they are spectating
spectator_player_possession=false
# If players without the mod should get kicked from the server
force_voice_chat=false
# The amount of milliseconds, the server should wait to check if the player has the mod installed
# Only active when force_voice_chat is set to true
login_timeout=10000
# The range where the voice chat should broadcast audio to
# A value <0 means 'max_voice_distance'
broadcast_range=-1.0
# If the voice chat server should reply to pings
allow_pings=true

10
system/server/misc.nix Normal file
View file

@ -0,0 +1,10 @@
{pkgs, ...}: {
# Install programs system-wide
environment.systemPackages = with pkgs; [
mdadm
];
services = {
snowflake-proxy.enable = true;
logrotate.checkConfig = false;
};
}

45
system/server/nextcloud.nix Normal file
View file

@ -0,0 +1,45 @@
{pkgs, outputs, ...}: {
services = {
nextcloud = {
enable = true;
package = pkgs.nextcloud29;
hostName = "cloud.${outputs.secrets.jimDomain}";
datadir = "/mnt/nextcloud";
https = true;
config = {
adminuser = "jimbo";
adminpassFile = "/mnt/nextcloud/password.txt";
};
settings = {
trusted_proxies = [ "127.0.0.1" ];
trusted_domains = [ "cloud.${outputs.secrets.jimDomain}" ];
overwriteprotocol = "https";
# Mailserver settings
mail_smtphost = "mx.${outputs.secrets.jimDomain}";
mail_domain = "${outputs.secrets.jimDomain}";
mail_from_address = "noreply";
mail_smtpauth = "true";
mail_smtpname = "noreply@${outputs.secrets.jimDomain}";
mail_smtppassword = outputs.secrets.noreplyPassword;
mail_smtpmode = "smtp";
mail_smtpport = 587;
};
};
nginx.virtualHosts."cloud.${outputs.secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
extraConfig = "
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
";
};
};
};
}

9
system/server/nfs.nix Normal file
View file

@ -0,0 +1,9 @@
{
# NFS server
services.nfs.server = {
enable = true;
exports = ''
/export/JimboNFS *(rw,no_subtree_check)
'';
};
}

74
system/server/nginx.nix Normal file
View file

@ -0,0 +1,74 @@
{pkgs, outputs, ...}: {
services.nginx = {
enable = true;
package = (pkgs.nginx.override {
modules = with pkgs.nginxModules; [ rtmp ];
});
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedProxySettings = true;
virtualHosts = {
# Landing page
"${outputs.secrets.jimDomain}" = {
enableACME = true;
addSSL = true;
root = "/var/www/Jimbo-Landing-Page";
locations = {
"/.well-known/matrix/client" = {
extraConfig = ''
default_type application/json;
return 200 '
{
"m.homeserver": {
"base_url": "https://matrix.${outputs.secrets.jimDomain}"
},
"m.identity_server": {
"base_url": "https://matrix.org"
},
"org.matrix.msc3575.proxy": {
"url": "https://matrix.${outputs.secrets.jimDomain}"
}
}';
'';
};
"/.well-known/matrix/server" = {
extraConfig = ''
default_type application/json;
return 200 '{"m.server": "matrix.${outputs.secrets.jimDomain}:443"}';
'';
};
};
};
};
appendConfig = ''
rtmp {
server {
listen 1935;
chunk_size 4096;
allow publish all;
application stream {
record off;
live on;
allow play all;
hls on;
hls_path /var/www/Jimbo-Landing-Page/streams/hls/;
hls_fragment_naming system;
hls_fragment 3;
hls_playlist_length 40;
}
}
}
'';
};
# Allow Nginx to read and write to paths
systemd.services.nginx.serviceConfig = {
ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ];
};
# Open HTTP and HTTPs ports
networking.firewall.allowedTCPPorts = [
80 443
];
}

18
system/server/owncast.nix Normal file
View file

@ -0,0 +1,18 @@
{outputs, ...}: {
services = {
owncast = {
enable = true;
port = 8060;
rtmp-port = 1945;
listen = "0.0.0.0";
};
nginx.virtualHosts."live.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8060";
proxyWebsockets = true;
};
};
};
}

29
system/server/photoprism.nix Normal file
View file

@ -0,0 +1,29 @@
{outputs, ...}: {
services = {
photoprism = {
enable = true;
port = 2342;
originalsPath = "/var/lib/private/photoprism/originals";
address = "0.0.0.0";
settings = {
PHOTOPRISM_ADMIN_USER = "jimbo";
PHOTOPRISM_ADMIN_PASSWORD = "${outputs.secrets.prismAdminPass}";
PHOTOPRISM_DEFAULT_LOCALE = "en";
PHOTOPRISM_DATABASE_DRIVER = "mysql";
PHOTOPRISM_DATABASE_NAME = "photoprism";
PHOTOPRISM_DATABASE_SERVER = "/run/mysqld/mysqld.sock";
PHOTOPRISM_DATABASE_USER = "photoprism";
PHOTOPRISM_SITE_URL = "https://gallery.${outputs.secrets.jimDomain}";
PHOTOPRISM_SITE_TITLE = "Jimbo's PhotoPrism";
};
};
nginx.virtualHosts."gallery.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:2342";
proxyWebsockets = true;
};
};
};
}

31
system/server/pixelfed.nix Normal file
View file

@ -0,0 +1,31 @@
{pkgs, outputs, ...}: {
services.pixelfed = {
enable = true;
domain = "pics.${outputs.secrets.jimDomain}";
secretFile = pkgs.writeText "appkey" outputs.secrets.pixelfedKey;
settings = {
APP_NAME = ''"Jimbo's Pixelfed"'';
INSTANCE_DESCRIPTION = ''"The Jimbosfiles Pixelfed Instance"'';
INSTANCE_CONTACT_EMAIL = "jimbo@${outputs.secrets.jimDomain}";
OPEN_REGISTRATION = true;
APP_LOCALE = "en";
INSTANCE_DISCOVER_PUBLIC = false;
STORIES_ENABLED = true;
# Mail config
ENFORCE_EMAIL_VERIFICATION = true;
MAIL_FROM_ADDRESS = "noreply@${outputs.secrets.jimDomain}";
MAIL_FROM_NAME = ''"Jimbo's Pixelfed <noreply@${outputs.secrets.jimDomain}>"'';
MAIL_ENCRYPTION = "tls";
MAIL_DRIVER = "smtp";
MAIL_HOST = "mx.${outputs.secrets.jimDomain}";
MAIL_PORT = 587;
MAIL_USERNAME = "noreply@${outputs.secrets.jimDomain}";
MAIL_PASSWORD = "${outputs.secrets.noreplyPassword}";
};
nginx = {
enableACME = true;
forceSSL = true;
};
};
}

37
system/server/samba.nix Normal file
View file

@ -0,0 +1,37 @@
{
services = {
samba = {
enable = true;
securityType = "user";
openFirewall = true;
extraConfig = let
ips = import ../modules/ips.nix;
in ''
workgroup = WORKGROUP
server string = JimSMB
security = user
hosts allow = ${ips.localSpan}. 127.0.0.1 localhost
hosts deny = 0.0.0.0/0
guest account = nobody
map to guest = bad user
'';
shares = {
roms = {
comment = "Samba share with my ROMs";
path = "/export/JimboNFS/Downloads/GameFiles/ROMS";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
};
};
};
# Advertise to Windows
samba-wsdd = {
enable = true;
openFirewall = true;
};
};
}

91
system/server/synapse.nix Normal file
View file

@ -0,0 +1,91 @@
{pkgs, outputs, ...}: {
services = {
# Synapse Matrix server
matrix-synapse = {
enable = true;
settings = {
server_name = "${outputs.secrets.jimDomain}";
public_baseurl = "https://matrix.${outputs.secrets.jimDomain}";
suppress_key_server_warning = true;
# Set the network config
listeners = [{
port = 8008;
bind_addresses = [ "::" "0.0.0.0" ];
resources = [ { compress = false; names = [ "client" "federation" ]; } ];
type = "http";
tls = false;
x_forwarded = true;
}];
# Enable smtp for password resets
email = {
notif_from = "Jimbo's Matrix <noreply@${outputs.secrets.jimDomain}>";
smtp_host = "mx.${outputs.secrets.jimDomain}";
smtp_user = "noreply@${outputs.secrets.jimDomain}";
smtp_pass = outputs.secrets.noreplyPassword;
enable_tls = true;
smtp_port = 587;
require_transport_security = true;
};
# Allows a Discord/Matrix bridge, comment on first use and copy using instructions
app_service_config_files = [
# cp /var/lib/matrix-appservice-discord/discord-registration.yaml /var/lib/matrix-synapse/
# chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/discord-registration.yaml
"/var/lib/matrix-synapse/discord-registration.yaml"
];
# Disable registration without email
registrations_require_3pid = [ "email" ];
# Allow only this range of emails
allowed_local_3pids = [{
medium = "email";
pattern = "^[^@]+@jimbosfiles\\.com$";
}];
# Set the type of database
database.name = "sqlite3";
# Allow account registration
enable_registration = true;
# General settings
url_preview_enabled = true;
max_upload_size = "50M";
report_stats = false;
# Ratelimiting
burst_count = 15;
};
};
# Sliding sync proxy for Matrix
matrix-sliding-sync = let
matrixSecretFile = pkgs.writeText "matrixsecret" ''
SYNCV3_SECRET=${outputs.secrets.matrixSecret}
'';
in {
enable = true;
settings = {
SYNCV3_SERVER = "https://matrix.${outputs.secrets.jimDomain}";
SYNCV3_BINDADDR = "0.0.0.0:8009";
};
environmentFile = "${matrixSecretFile}";
};
# Proxy for both Synapse and Sliding Sync
nginx.virtualHosts."matrix.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations = {
"/".extraConfig = ''return 403;'';
"/client".proxyPass = "http://127.0.0.1:8009";
"/_matrix".proxyPass = "http://127.0.0.1:8008";
"/_matrix/client/unstable/org.matrix.msc3575/sync".proxyPass = "http://127.0.0.1:8009";
"/_synapse/client".proxyPass = "http://127.0.0.1:8008";
};
};
};
}

20
system/server/transmission.nix Normal file
View file

@ -0,0 +1,20 @@
{pkgs, outputs, ...}: {
services = {
transmission = {
enable = true;
credentialsFile = pkgs.writeText "credentials" outputs.secrets.transmissionCredFile;
openPeerPorts = true;
settings = {
rpc-authentication-required = true;
};
};
nginx.virtualHosts."torrent.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:9091";
proxyWebsockets = true;
};
};
};
}

32
system/server/vaultwarden.nix Normal file
View file

@ -0,0 +1,32 @@
{outputs, ...}: {
services = {
vaultwarden = {
enable = true;
config = {
DOMAIN = "https://warden.${outputs.secrets.jimDomain}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "critical";
# Smtp email
SMTP_HOST = "mx.${outputs.secrets.jimDomain}";
SMTP_FROM = "Jimbo's Vaultwarden <noreply@${outputs.secrets.jimDomain}>";
SMTP_FROM_NAME = "Vaultwarden";
SMTP_USERNAME = "noreply@${outputs.secrets.jimDomain}";
SMTP_PASSWORD = outputs.secrets.noreplyPassword;
SMTP_SECURITY = "starttls";
SMTP_PORT = 587;
SMTP_TIMEOUT = 15;
};
};
nginx.virtualHosts."warden.${outputs.secrets.jimDomain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8222";
proxyWebsockets = true;
};
};
};
}

36
system/server/wireguard.nix Normal file
View file

@ -0,0 +1,36 @@
{outputs, ...}: let
ips = import ../modules/ips.nix;
in {
# Enable NAT
networking = {
nat = {
enable = true;
externalInterface = "${ips.netInt}";
internalInterfaces = [ "${ips.wgInt}" ];
};
firewall.allowedUDPPorts = [ 51820 ];
};
networking.wireguard = {
enable = true;
interfaces = {
# Wireguard interface name can be arbitrary
wg0 = {
# Determines the IP and subnet of the tunnel interface
ips = [ "${ips.wgSpan}.1/24" ];
listenPort = 51820;
privateKey = outputs.secrets.wireguardPriv;
peers = [
{ # Jimbo Pixel 9
publicKey = outputs.secrets.wirePixel9Pub;
allowedIPs = [ "${ips.wgSpan}.2/32" ];
}
{ # Oracle VM
publicKey = outputs.secrets.wireOraclePub;
allowedIPs = [ "${ips.wgSpan}.3/32" ];
}
];
};
};
};
}

3
system/services/globalprotect.nix Normal file
View file

@ -0,0 +1,3 @@
{
services.globalprotect.enable = true;
}

23
system/services/mpd.nix Normal file
View file

@ -0,0 +1,23 @@
{
config,
pkgs,
...
}: {
# Enable MPD
services.mpd = {
enable = true;
user = "jimbo";
group = "users";
musicDirectory = "/home/jimbo/JimboNFS/Music";
playlistDirectory = "/home/jimbo/JimboNFS/Music/Playlists";
extraConfig = ''
audio_output {
type "pipewire"
name "Local Pipewire"
}
'';
};
systemd.services.mpd.environment = {
XDG_RUNTIME_DIR = "/run/user/${toString config.users.users.jimbo.uid}";
};
}

22
system/services/openssh.nix Normal file
View file

@ -0,0 +1,22 @@
{
# Enable SSH
services = {
openssh = {
enable = true;
settings = {
PermitRootLogin = "no";
PrintLastLog = "no";
PasswordAuthentication = false;
UsePAM = false;
};
};
# Block nefarious SSH connections
fail2ban = {
enable = true;
maxretry = 5;
bantime = "5m";
ignoreIP = [ "10.0.0.0/24" ];
};
};
}

8
system/services/sunshine.nix Normal file
View file

@ -0,0 +1,8 @@
{
# Enable Sunshine as a service
services.sunshine = {
enable = true;
settings.port = 57989;
autoStart = false;
};
}

21
system/services/udev.nix Normal file
View file

@ -0,0 +1,21 @@
{pkgs, ...}: {
# Make udev rules to make PDP controller and Oculus Rift CV1 work
services.udev = let
oculusRules = pkgs.writeTextFile {
name = "10-oculus.rules";
text = ''
KERNEL=="hidraw*", ATTRS{idVendor}=="0e6f", ATTRS{idProduct}=="0184", MODE="0660", TAG+="uaccess"
'';
destination = "/etc/udev/rules.d/10-oculus.rules";
};
pdpRules = pkgs.writeTextFile {
name = "10-pdp.rules";
text = ''
SUBSYSTEM=="usb", ATTR{idVendor}=="2833", MODE="0666"
'';
destination = "/etc/udev/rules.d/10-pdp.rules";
};
in {
packages = [oculusRules pdpRules];
};
}

39
system/services/virtualisation.nix Normal file
View file

@ -0,0 +1,39 @@
{
config,
pkgs,
...
}: {
# Enable virtualization
virtualisation = {
libvirtd = {
enable = true;
onBoot = "ignore";
onShutdown = "shutdown";
qemu = {
ovmf = {
enable = true;
packages = [
pkgs.OVMFFull.fd
pkgs.pkgsCross.aarch64-multiplatform.OVMF.fd
];
};
swtpm.enable = true;
};
};
spiceUSBRedirection.enable = true;
};
# Install programs system-wide
environment.systemPackages = with pkgs; [
virt-manager
virtiofsd
dnsmasq
spice-vdagent
looking-glass-client
];
# Allow Looking-Glass permissions
systemd.tmpfiles.rules = [
"f /dev/shm/looking-glass 0660 jimbo libvirtd -"
];
}

6
system/users/groups.nix Normal file
View file

@ -0,0 +1,6 @@
{
# Define custom groups
users.groups = {
nfsShare = {};
};
}

28
system/users/jimbo.nix Normal file
View file

@ -0,0 +1,28 @@
{pkgs, outputs, ...}: {
users.users = {
jimbo = {
description = "Jimbo";
hashedPassword = outputs.secrets.jimboAccPass;
isNormalUser = true;
openssh.authorizedKeys.keys = outputs.secrets.jimKeys;
extraGroups = [
"wheel"
"audio"
"video"
"input"
"disk"
"dialout"
"networkmanager"
"rtkit"
"kvm"
"libvirtd"
"qemu-libvirtd"
"nginx"
"minecraft"
"nfsShare"
];
uid = 1000;
shell = pkgs.zsh;
};
};
}

9
system/users/liquidsoap.nix Normal file
View file

@ -0,0 +1,9 @@
{
# Add service users to extra groups
users.users = {
nextcloud = {
extraGroups = [ "nginx" ];
isSystemUser = true;
};
};
}

9
system/users/nextcloud.nix Normal file
View file

@ -0,0 +1,9 @@
{
# Add service users to extra groups
users.users = {
nextcloud = {
extraGroups = [ "nfsShare" ];
isSystemUser = true;
};
};
}

9
system/users/nginx.nix Normal file
View file

@ -0,0 +1,9 @@
{
# Add service users to extra groups
users.users = {
nginx = {
extraGroups = [ "turnserver" "virtualMail" ];
isSystemUser = true;
};
};
}