From b69c9dbbbf165f1aadbfb83706be6f13db60ee54 Mon Sep 17 00:00:00 2001 From: Jimbo Date: Wed, 4 Sep 2024 20:22:13 -0400 Subject: [PATCH] Move more things into their 'correct' place --- nixos/server.nix | 1 + nixos/server/firewall.nix | 14 --- nixos/server/gitea.nix | 3 + nixos/server/minecraft/servers/johnside.nix | 92 ++++++++++++-------- nixos/server/minecraft/servers/velocity.nix | 10 +++ nixos/server/nginx.nix | 17 ++-- nixos/server/synapse.nix | 10 +++ nixos/server/transmission.nix | 20 +++++ secrets.nix | Bin 1742 -> 1900 bytes 9 files changed, 109 insertions(+), 58 deletions(-) create mode 100644 nixos/server/transmission.nix diff --git a/nixos/server.nix b/nixos/server.nix index b7419ca1..ec583dce 100644 --- a/nixos/server.nix +++ b/nixos/server.nix @@ -35,6 +35,7 @@ ./server/minecraft ./server/tandoor.nix ./server/vaultwarden.nix + ./server/transmission.nix ./server/misc.nix # Matrix diff --git a/nixos/server/firewall.nix b/nixos/server/firewall.nix index a28ee4af..c78d44ec 100644 --- a/nixos/server/firewall.nix +++ b/nixos/server/firewall.nix @@ -8,27 +8,13 @@ in { firewall = { allowPing = false; - allowedTCPPorts = [ - 80 443 # Nginx - 25565 19132 5657 # Pufferpanel - 2299 # Gitea SSH - 3478 5349 # Coturn - ]; allowedTCPPortRanges = [ { from = 8100; to = 8150; } # Azuracast ]; - allowedUDPPorts = [ - 25565 19132 # Minecraft Voicechat and Bedrock - 3478 5349 # Coturn UDP - ]; - allowedUDPPortRanges = [ - { from = 49000; to = 50000; } # Coturn range - ]; # Add extra input rules using nftables extraInputRules = '' ip saddr ${ips.localSpan}.0/24 tcp dport 2049 accept comment "Accept NFS" - ip saddr ${ips.localSpan}.0/24 udp dport 53 accept comment "Accept DNS" ip saddr { ${ips.pc}, ${outputs.secrets.lunaIP}, ${outputs.secrets.cornIP}, ${outputs.secrets.vertIP} } tcp dport { 1935, 1945 } accept comment "Accept RTMP" ''; }; diff --git a/nixos/server/gitea.nix b/nixos/server/gitea.nix index 323801f6..962ce9c8 100644 --- a/nixos/server/gitea.nix 
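Review bot: The removed `ip saddr ${ips.localSpan}.0/24 udp dport 53 accept comment "Accept DNS"` rule and the TCP entries `3478 5349 # Coturn` under `allowedTCPPorts` in the firewall.nix hunk are not re-added by any other hunk in this patch; synapse.nix re-adds 3478/5349 only under `allowedUDPPorts`, so LAN DNS and TURN over TCP/TLS are closed after this commit while every other moved port keeps its opening. If dropping them is intended, the commit message should say so; otherwise add `allowedTCPPorts = [ 3478 5349 ];` beside the UDP list in the synapse.nix firewall block and put the DNS accept rule back here or in whichever module serves DNS. The `firewall = { … };` set is complete inside the hunk, but the set enclosing it begins before the hunk.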
+++ b/nixos/server/gitea.nix
@@ -30,4 +30,7 @@
 };
 };
 };
+
+ # Allow Gitea SSH to work
+ networking.firewall.allowedTCPPorts = [ 2299 ];
 }
diff --git a/nixos/server/minecraft/servers/johnside.nix b/nixos/server/minecraft/servers/johnside.nix
index baed0648..c85528c6 100644
--- a/nixos/server/minecraft/servers/johnside.nix
+++ b/nixos/server/minecraft/servers/johnside.nix
@@ -1,41 +1,65 @@
-{pkgs, ...}: let
+{pkgs, outputs, ...}: let
 common = import ../common.nix { inherit pkgs; };
 in {
- services.minecraft-servers.servers.johnside = {
- enable = true;
- package = pkgs.paperServers.paper-1_20_6;
- jvmOpts = "-Xmx4084M";
- serverProperties = common.serverProperties // {
- difficulty = 2;
- server-port = 30009;
- motd = "§l§9Johnside SMP§r §l§fworld for §4John lovers only.";
+ services = {
+ minecraft-servers.servers.johnside = {
+ enable = true;
+ package = pkgs.paperServers.paper-1_20_6;
+ jvmOpts = "-Xmx4084M";
+ serverProperties = common.serverProperties // {
+ difficulty = 2;
+ server-port = 30009;
+ motd = "§l§9Johnside SMP§r §l§fworld for §4John lovers only.";
+ };
+ whitelist = common.whitelist;
+ symlinks = common.symlinks // {
+ "plugins/BlueMap.jar" = builtins.fetchurl {
+ url = "https://cdn.modrinth.com/data/swbUV1cr/versions/TL5ElRWX/BlueMap-5.3-spigot.jar";
+ sha256 = "08ls3wk0333vjg49kcmri884pcgm2xk9xdhwcxyffbh4ra0xrlbw";
+ };
+ "plugins/BlueMapOfflinePlayers.jar" = builtins.fetchurl {
+ url = "https://github.com/TechnicJelle/BlueMapOfflinePlayerMarkers/releases/download/v3.0/BlueMapOfflinePlayerMarkers-3.0.jar";
+ sha256 = "1f07w53q7yr4mvph7013d7ajxmp4lnsv6b1ab14y2x0bmqv39nwr";
+ };
+ "plugins/BlueMapMarkerManager.jar" = builtins.fetchurl {
+ url = "https://cdn.modrinth.com/data/a8UoyV2h/versions/E0XoPfJV/BMM-2.1.5.jar";
+ sha256 = "1vpnqglybysxnqyzkjnwbwg000dqkbk516apzvhmg39wlfaysl9d";
+ };
+ "plugins/CustomDiscs.jar" = builtins.fetchurl {
+ url = "https://github.com/Navoei/CustomDiscs/releases/download/v3.0/custom-discs-3.0.jar";
+ sha256 = "0xv0zrkdmjx0d7l34nqag8j004pm9zqivc12d3zy9pdrkv7pz87d";
+ };
+ "plugins/NotTooExpensive.jar" = builtins.fetchurl {
+ url = "https://github.com/Mrredstone5230/Not-Too-Expensive/releases/download/1.1/not-too-expensive-1.1.jar";
+ sha256 = "0da4v5l7iwry3wc21292lkmjprgmign4vdshzmhp7qc9hx26pj2d";
+ };
+ "plugins/SilkTouchHands.jar" = builtins.fetchurl {
+ url = 
"https://github.com/5U55/SilkTouchSpigot/releases/download/v1.1/SilkTouchv1.1.jar";
+ sha256 = "0mbp73xclr7f5m2lbdfz6is1j8vvyv1qwpl28sm089zrpm73qn6w";
+ };
+ };
 };
- whitelist = common.whitelist;
- symlinks = common.symlinks // {
- "plugins/BlueMap.jar" = builtins.fetchurl {
- url = "https://cdn.modrinth.com/data/swbUV1cr/versions/TL5ElRWX/BlueMap-5.3-spigot.jar";
- sha256 = "08ls3wk0333vjg49kcmri884pcgm2xk9xdhwcxyffbh4ra0xrlbw";
- };
- "plugins/BlueMapOfflinePlayers.jar" = builtins.fetchurl {
- url = "https://github.com/TechnicJelle/BlueMapOfflinePlayerMarkers/releases/download/v3.0/BlueMapOfflinePlayerMarkers-3.0.jar";
- sha256 = "1f07w53q7yr4mvph7013d7ajxmp4lnsv6b1ab14y2x0bmqv39nwr";
- };
- "plugins/BlueMapMarkerManager.jar" = builtins.fetchurl {
- url = "https://cdn.modrinth.com/data/a8UoyV2h/versions/E0XoPfJV/BMM-2.1.5.jar";
- sha256 = "1vpnqglybysxnqyzkjnwbwg000dqkbk516apzvhmg39wlfaysl9d";
- };
- "plugins/CustomDiscs.jar" = builtins.fetchurl {
- url = "https://github.com/Navoei/CustomDiscs/releases/download/v3.0/custom-discs-3.0.jar";
- sha256 = "0xv0zrkdmjx0d7l34nqag8j004pm9zqivc12d3zy9pdrkv7pz87d";
- };
- "plugins/NotTooExpensive.jar" = builtins.fetchurl {
- url = "https://github.com/Mrredstone5230/Not-Too-Expensive/releases/download/1.1/not-too-expensive-1.1.jar";
- sha256 = "0da4v5l7iwry3wc21292lkmjprgmign4vdshzmhp7qc9hx26pj2d";
- };
- "plugins/SilkTouchHands.jar" = builtins.fetchurl {
- url = "https://github.com/5U55/SilkTouchSpigot/releases/download/v1.1/SilkTouchv1.1.jar";
- sha256 = "0mbp73xclr7f5m2lbdfz6is1j8vvyv1qwpl28sm089zrpm73qn6w";
+
+ # BlueMap webhost
+ nginx.virtualHosts."john.${outputs.secrets.jimDomain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:31010";
+ proxyWebsockets = true;
 };
 };
 };
+
+ # Allow Nginx to read and write to paths
+ systemd.services.nginx.serviceConfig = {
+ ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ];
+ };
+
+ # Open HTTP and HTTPs ports
+ 
networking.firewall = {
+ allowedTCPPorts = [
+ 80 443 # Nginx
+ ];
+ };
 }
diff --git a/nixos/server/minecraft/servers/velocity.nix b/nixos/server/minecraft/servers/velocity.nix
index 732428ea..ee86d800 100644
--- a/nixos/server/minecraft/servers/velocity.nix
+++ b/nixos/server/minecraft/servers/velocity.nix
@@ -36,4 +36,14 @@ in {
 };
 };
 };
+
+ # Open ports for proxy
+ networking.firewall = {
+ allowedTCPPorts = [
+ 25565 19132 5657 # Minecraft server info
+ ];
+ allowedUDPPorts = [
+ 25565 19132 # Minecraft server, VC, and Bedrock
+ ];
+ };
 }
diff --git a/nixos/server/nginx.nix b/nixos/server/nginx.nix
index c867a580..53066ba3 100644
--- a/nixos/server/nginx.nix
+++ b/nixos/server/nginx.nix
@@ -40,16 +40,6 @@
 };
 };
 };
-
- # Bluemap Proxy, TODO, move this into the nix-minecraft flake configs
- "john.${outputs.secrets.jimDomain}" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:31010";
- proxyWebsockets = true;
- };
- };
 };
 appendConfig = ''
 rtmp {
@@ -76,4 +66,11 @@
 systemd.services.nginx.serviceConfig = {
 ReadWritePaths = [ "/var/www/Jimbo-Landing-Page/streams/hls/" ];
 };
+
+ # Open HTTP and HTTPs ports
+ networking.firewall = {
+ allowedTCPPorts = [
+ 80 443 # Nginx
+ ];
+ };
 }
diff --git a/nixos/server/synapse.nix b/nixos/server/synapse.nix
index ea266724..81ed2e34 100644
--- a/nixos/server/synapse.nix
+++ b/nixos/server/synapse.nix
@@ -121,4 +121,14 @@
 };
 };
 };
+
+ # Open coturn ports
+ networking.firewall = {
+ allowedUDPPorts = [
+ 3478 5349 # Coturn UDP
+ ];
+ allowedUDPPortRanges = [
+ { from = 49000; to = 50000; } # Coturn range
+ ];
+ };
 }
diff --git a/nixos/server/transmission.nix b/nixos/server/transmission.nix
new file mode 100644
index 00000000..7b149f9c
--- /dev/null
+++ b/nixos/server/transmission.nix
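Review bot: The `systemd.services.nginx.serviceConfig.ReadWritePaths` and `networking.firewall.allowedTCPPorts = [ 80 443 ]` blocks added at the end of the johnside.nix hunk duplicate what nginx.nix already carries (the `ReadWritePaths` line is context in its second hunk and the same 80/443 block is added there), and the `/var/www/Jimbo-Landing-Page/streams/hls/` path has nothing to do with a Minecraft server module, so this looks like a copy-paste from nginx.nix. NixOS merges both lists, so evaluation still succeeds, but the nginx sandbox and firewall now have two places to maintain. Keep only the `# BlueMap webhost` virtualHost in johnside.nix and drop the two trailing blocks, leaving nginx.nix as the single owner of the HTTP ports and the nginx unit's write paths. The hunk covers the whole file, so nothing is cut off.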
@@ -0,0 +1,20 @@
+{pkgs, outputs, ...}: {
+ services = {
+ transmission = {
+ enable = true;
+ credentialsFile = pkgs.writeText "credentials" outputs.secrets.transmissionCredFile;
+ openPeerPorts = true;
+ settings = {
+ rpc-authentication-required = true;
+ };
+ };
+ nginx.virtualHosts."torrent.${outputs.secrets.jimDomain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9091";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
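Review bot: `credentialsFile = pkgs.writeText "credentials" outputs.secrets.transmissionCredFile;` copies the RPC credentials into the Nix store, which is world-readable on the host, so `rpc-authentication-required = true` guards the web UI but the password itself is exposed to every local user and to anyone who can read the store. Point `credentialsFile` at a file deployed outside the store with restricted permissions, e.g. `credentialsFile = "/run/secrets/transmission.json";` (a placeholder for wherever the secrets are provisioned), and keep the JSON out of the `outputs.secrets` evaluation. The `openPeerPorts = true;` line also opens the peer port in the firewall; a short comment on it, such as `# Opens the peer port in the firewall`, would match the annotated firewall blocks elsewhere in this commit. The hunk is the entire new file.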
diff --git a/secrets.nix b/secrets.nix index 83e6cfd3d5f5c4240dd98318c6f6801c6ddcc8b3..dea9ce7de973c0752e71152e8bf6b4c44997097a 100644 GIT binary patch literal 1900 zcmZQ@_Y83kiVO&0$lHEY@|KE^wWr_Zy=6-CO^^2)70s6FSrd`h;#z&>_K*1&|L)OJ zpZ_b=q~)t@uF2ddmw%Z5{SkZk*_QIz_ZO|}Q?FZnI{!8Mf^|ucnuBxIQV(tXnkE!z4rtmsOZ-lU=`8QCdnqF25s8t$0NsUuHq7@+75e7F7ma z93c!{fBxDPCM?g>i^<;gZqK~n~Ks9Ux1 z>bQs>liE%<{Z-5H?LQv!c;lw-|4J*)E9MF;Ik)&UV+?1(H3w}8-r%`^mo2iKx#v@H zQD~R^=lRQh0Orlhd&(ZP<;xSXUp3dD?8C<+qk}Y@k zWtNz}ecNCB5BGTRS%8JFUuRB3BLmOtM4f$p4Q;FRyY9NJ3tw6y`BZuTye!UShV_$# zjx}>U(=VMX^QU);|NN=qQaU|TMCQ$WdFI_}$6e{~<%KKdj~#k^bgPNV^NH?hJRw)k zK6qwy<%jUxRtb3qm)-rD6Anh%?mngRTD7kHhK=+_^%?GRCtrU|n-JIckpF8D+d=LJ zo%t#=cnh01_%Ln>be$!(UZhkgzMenS8h6bN(r^jUd z>Fi2=>mMLJv9VO1!=U4X%)gCaKOGi*U|ZIhu-^vFzmh)USI1*=E zb=2W&E3r_pKe%Duir@q09>+Q=Ew3)T^!0XzRs7R0`MlqHt3SQua4cVvq7t#ZUa4f~ z!i(OE??bq)gw=r$y>foee>t}^ADbhWu;yl?vbu9sgR)!s ziiNjD!d6X7k}bW`zomEgr}w@GzUZ#rF;!OR&^ghkGP@$WpJYGZ=lt**Q|$4;)`GCe z@SWFR&)F7ivgFsYbj8^prthDBU~ih6hvlsO0kRV(?b)l)%T%hYkj3+Iazx$T91-qa zMV}<2C$!$3Xs$l3@s_7-2tnNyFy!g|tf2Atb z+nLSl3jFVGYAn+8msz|`cq+FQx0z$lJfX)%`&M60Y>Wt37I%5T()CtHQLl+HztyxU zefPz8l?uH&Yi}yc#pO?wy8C(F-TnvjuPlEr`Zav|EVD-;|x|iB5uf9^- z6vesFM>g+$ij82{+9@qU_P*NRcSdg6$bMydd&ImL5052Y&#&HUIN$%TJ!aSAOx^WM zerNNZs?M?68JSgk+1g6`lqTJ&z)z{T>aW(VL})4=j6x#Uu!S4iP@{5-p&>E&7|sUSRzLi`}5W9 zyfLpd(h{q!|1aOT>idR0|5vFL{%|=gA`sg!C8X`Y&;1fjDf?wQAtf@lA2VkZo4m5R zwX(8i>c0F8m$PRlFnsCx#rIwnE}lq2OU>sIe%e@3shbAamI&O zeuF7D6AHr0EjV^xZB;XA?~L`@++v<$GwVd3h|!1RJXWb;J~fwa$j<3f_U1mp+BP#T zXeFE3hg{E}m4{j^8v|cI-7{rJm3!9X39k;uFhu>I#Z$0zPsO&$b&Ji;21`vo|HCQa z^!yp6hK(6pN*->u_#hpeL=Gk(_ zaCG-Y@1M5tcH;}12DRY$>)Zc3c)MPVY2n~_skXvGV@mnUrzMK3`ku&|t55zCdr55` z>%?x6>}m7d&%4_P&YctM-%xdZZb;YP`^&kG9Oz#ht?Y2L@^+#_`Cqr6O5gHqe#Mx? 
fhRzT^erAH8QETju-CQj`TgzKQ-+Yo~_u2~p)q$^4 literal 1742 zcmZQ@_Y83kiVO&0IMvgwAiOO{Lh8$nRUr>g^i9afEJ|$g;Z-@& zx916bSZv3c*yQje@9V5HyO#9U&Qf`+c5}nwt!zCPYVN;hm~L4%dqeOdx5(fXPPW^X z6BWV_@$$%qKztmB=xx9XjRr;yGv@017|0`})?=RXW zb#nfTzQU7%Dps-oUotXJHks%#k5P_cr)kxK+%FD2z0K3tU!E)~?P+DSG-a~Nk7V0z zOU|!0Fc6a2zI}>k@ZzpDR*6>km>p*nH!Hto+H~-UvU2sJEhk7pQnW@Ll@Z z?quYuo(-2ybFz4cSzJk*Ui^Q8wxHnra{iXOE{ArhTPqtToRiomE@!p>v{ZonboH5& zPt{!!*5Bu#{yFZv%>KeE!^FNB9EE9LScJ@N`)n7u+RJn6zYDqRV17x;nqB|wtp)uL z_gp{sXVUK-GJ&qaFY?c@an`(X)nD`Gue`V8{jMo{X6!1z`1G+&wo~ zp{nvy)9UckJr_3B&eAoo-xT(8df}GTd8fZ6Mqk^>cO~|;ujJ=PpcA$aU;c$WE5_nX09wo^fgVs(;<)sW*HRUa~k&@woi>ZKaUXs`lqqGr!sL z%klJfzWm7gbern#;0TLjH|ETnwajT@)w-7wPEON0S&rV4nM;tcMB;r^Y4vnp1skc?7fn*{@hnrKF7IO88ZI4yXd9J zrt3HNN2&`4Z4JDy#-h?$C%VOyS@A$|YOGgigM_5ueNX;SC-E!g4yv~{_g`^d6eW4r zMosOWh{!ULzSmP+=T=_I+oyevM@8LgKd+kZx})1Bi%YlnSMFq$zTg~m#^Q8w`ZUMp z|LYjjKOOYZW)x~jUcjSda(b9*_UF)o?WWaVkrwN&b%RZ|wO-~SgRmND?z4|Wi zQQO>yFKo09NWqo$uZS zQP#M=usJPJCvRtkEd3{>-m&-Wm4m^CO^W@4Hv5i&Syy)1eCtIsPqNxfI^^B>t?Sd>Ir2Rj&n`z#5pj6B&mv^5OBTZqYcue&Y=OOyzB>v(MhXHUG%BJKq%9uOwz2QBHAc{T9^nQgwAh z#e;1OtA&r<6}T_@$-r3e(hnv+Ev|lzT?@Y|SZxeS5RQ)h^tt2B($=6q6Q>%_R-GNT zy!#*5g-sdmXIGXwJa7BQH|cIn_WNySizVlL*PP2V^~_xf{pg1lQ>r@sXVss*x|~mJ z`K$VKzdG{{r`FtD`}W*!<`Xv2l~=tVWw|iUnf&Y6rbvduljfNd)a?>aq;|A&K0Gv! z!RWfFtCUsFf!_`P%#T?qF5%QVsFmjNSb6q+iHIcGocK!*3?0?CAN}uia9bI#?@XmG z8GgNKM?bvbN#HH*KeEE_Xzr_({9Z>BBx0N5=dR*S)ZNbdSuF3_mkXs1udG^U>}jcb zZrJ?fT}0OQ8QPzlR+i3Rd8E4Vthb2h!%ul3Zb8eEFYoyq{)vI5u{T#-YF9z>w<~8% zugag?plJT(Q@E_B{U4s#_PGpoy%Li-^OWB1d6V>Ujmpe^*SPOSv1;k_^wJ(@tZg@% z?s@20`{Kt5`$Ns