diff --git a/configuration.nix b/configuration.nix index 87efe0f..9a731f9 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ pkgs, ... }: { imports = [ @@ -14,7 +14,10 @@ ./modules/fail2ban.nix ]; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; environment.systemPackages = with pkgs; [ git diff --git a/modules/boot.nix b/modules/boot.nix index 49f0880..93cebed 100644 --- a/modules/boot.nix +++ b/modules/boot.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ pkgs, ... }: { boot.loader.grub = { @@ -9,7 +9,7 @@ boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelModules = [ "tcp_bbr" ]; - + boot.kernel.sysctl = { "net.core.default_qdisc" = "fq"; "net.ipv4.tcp_congestion_control" = "bbr"; diff --git a/modules/fail2ban.nix b/modules/fail2ban.nix index 09fb8ef..ab25713 100644 --- a/modules/fail2ban.nix +++ b/modules/fail2ban.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ ... }: { services.fail2ban = { diff --git a/modules/hardware.nix b/modules/hardware.nix index a4b2d44..4d04bb9 100644 --- a/modules/hardware.nix +++ b/modules/hardware.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { hardware.enableRedistributableFirmware = true; diff --git a/modules/locale.nix b/modules/locale.nix index d75cedc..0856015 100644 --- a/modules/locale.nix +++ b/modules/locale.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: let settings = import ../settings.nix; diff --git a/modules/matrix.nix b/modules/matrix.nix index 4c35d0a..e824fd3 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ pkgs, ... }: let livekitKeyFile = "/run/livekit.key"; 
@@ -12,13 +12,19 @@ in settings = { global = { server_name = serverName; - address = [ "127.0.0.1" "::1" ]; + address = [ + "127.0.0.1" + "::1" + ]; port = [ 6167 ]; max_request_size = 104857600; allow_registration = false; allow_encryption = true; allow_federation = true; - trusted_servers = [ "matrix.org" "chat.blahaj.zone" ]; + trusted_servers = [ + "matrix.org" + "chat.blahaj.zone" + ]; ip_range_denylist = [ "127.0.0.0/8" "10.0.0.0/8" @@ -98,9 +104,16 @@ in systemd.services.livekit.requires = [ "acme-${matrixRtcDomain}.service" ]; systemd.services.livekit-key = { - before = [ "lk-jwt-service.service" "livekit.service" ]; + before = [ + "lk-jwt-service.service" + "livekit.service" + ]; wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ livekit coreutils gawk ]; + path = with pkgs; [ + livekit + coreutils + gawk + ]; script = '' echo "Key missing, generating key" echo "lk-jwt-service: $(livekit-server generate-keys | tail -1 | awk '{print $3}')" > "${livekitKeyFile}" @@ -110,10 +123,17 @@ in }; networking.firewall = { - allowedTCPPorts = [ 7880 7881 5349 ]; + allowedTCPPorts = [ + 7880 + 7881 + 5349 + ]; allowedUDPPorts = [ 3478 ]; allowedUDPPortRanges = [ - { from = 50000; to = 60000; } + { + from = 50000; + to = 60000; + } ]; }; } diff --git a/modules/networking.nix b/modules/networking.nix index 91732d6..076bfb8 100644 --- a/modules/networking.nix +++ b/modules/networking.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: let settings = import ../settings.nix; @@ -10,7 +10,11 @@ in networking.firewall = { enable = true; - allowedTCPPorts = [ 22 80 443 ]; + allowedTCPPorts = [ + 22 + 80 + 443 + ]; allowedUDPPorts = [ ]; }; } diff --git a/modules/nginx.nix b/modules/nginx.nix index db8090a..87d409e 100644 --- a/modules/nginx.nix +++ b/modules/nginx.nix 
@@ -1,9 +1,13 @@ -{ config, pkgs, lib, ... }: +{ + config, + lib, + ... +}: let - serverName = "atri.dad"; - matrixDomain = "matrix.atri.dad"; - matrixRtcDomain = "matrixrtc.atri.dad"; + rootDomain = "atri.dad"; + matrixDomain = "matrix.${rootDomain}"; + matrixRtcDomain = "matrixrtc.${rootDomain}"; wellKnownServer = builtins.toJSON { "m.server" = "${matrixDomain}:443"; @@ -20,13 +24,34 @@ let } ]; }; + + blockAi = "if ($fuckai) { return 444; }"; + + mkProxyVhost = + { + host, + upstream, + websockets ? false, + extraConfig ? "", + locationExtraConfig ? "", + }: + { + "${host}" = { + enableACME = true; + forceSSL = true; + extraConfig = extraConfig; + locations."/" = { + proxyPass = upstream; + proxyWebsockets = websockets; + extraConfig = lib.concatStringsSep "\n" ( + [ blockAi ] ++ lib.optional (locationExtraConfig != "") locationExtraConfig + ); + }; + }; + }; + in { - security.acme = { - acceptTerms = true; - defaults.email = "me@atri.dad"; - }; - services.nginx = { enable = true; @@ -35,7 +60,6 @@ in recommendedProxySettings = true; recommendedTlsSettings = true; - # Fuck AI clientMaxBodySize = "3g"; commonHttpConfig = '' 
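Review bot: The `security.acme = { acceptTerms = true; defaults.email = "me@atri.dad"; };` block is deleted in the second hunk while every vhost in this file still sets `enableACME = true`, and no other file in this diff picks it up; unless it now lives in a module outside this diff, evaluation should fail on the NixOS assertion that `security.acme.acceptTerms` is set, and the certificates lose their registration email. Either keep those three lines here or say in the commit description where they moved. Separately, `mkProxyVhost` is the helper every public host now goes through but carries no comment; I would add above it `# Reverse-proxy vhost with ACME + forceSSL: extraConfig lands in the server block, locationExtraConfig in locations."/", and the $fuckai -> 444 guard is always prepended to the latter.` The `services.nginx` attrset opened at the end of the hunk continues past it.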
@@ -43,407 +67,250 @@ in more_clear_headers X-Powered-By; map $http_user_agent $fuckai { - default 0; - - "~*GPTBot" 1; - "~*ChatGPT-User" 1; - "~*OAI-SearchBot" 1; - "~*ChatGPT-Browser" 1; - "~*ClaudeBot" 1; - "~*Claude-Web" 1; - "~*anthropic-ai" 1; - "~*Anthropic-Claude" 1; - "~*xAI-Bot" 1; - "~*DeepseekBot" 1; - "~*Google-Extended" 1; - "~*Gemini-Ai" 1; - "~*Gemini-Deep-Research" 1; - "~*Google-CloudVertexBot" 1; - "~*Google-NotebookLM" 1; - "~*GoogleAgent-Mariner" 1; - "~*Bard-Ai" 1; - "~*FacebookBot" 1; - "~*Meta-ExternalAgent" 1; - "~*meta-webindexer" 1; - "~*Applebot-Extended" 1; - "~*bingbot" 1; - "~*CCBot" 1; - "~*PerplexityBot" 1; - "~*Perplexity-User" 1; - "~*Bytespider" 1; - "~*Diffbot" 1; - "~*Amazonbot" 1; - "~*cohere-ai" 1; - "~*Cohere-Command" 1; - "~*YouBot" 1; - "~*Omgilibot" 1; - "~*ImagesiftBot" 1; - "~*AI2Bot" 1; - "~*Andibot" 1; - "~*bigsur.ai" 1; - "~*Brightbot" 1; - "~*TerraCotta" 1; - "~*Character-AI" 1; - "~*Devin" 1; - "~*Crawlspace" 1; - "~*DuckAssistBot" 1; - "~*FirecrawlAgent" 1; - "~*Groq-Bot" 1; - "~*HuggingFace-Bot" 1; - "~*IbouBot" 1; - "~*MistralAI-User" 1; - "~*Replicate-Bot" 1; - "~*RunPod-Bot" 1; - "~*TimpiBot" 1; - "~*Together-Bot" 1; - "~*Kangaroo Bot" 1; - "~*PanguBot" 1; - "~*Cotoyogi" 1; - "~*Webzio-Extended" 1; + default 0; + "~*GPTBot" 1; + "~*ChatGPT-User" 1; + "~*OAI-SearchBot" 1; + "~*ChatGPT-Browser" 1; + "~*ClaudeBot" 1; + "~*Claude-Web" 1; + "~*anthropic-ai" 1; + "~*Anthropic-Claude" 1; + "~*xAI-Bot" 1; + "~*DeepseekBot" 1; + "~*Google-Extended" 1; + "~*Gemini-Ai" 1; + "~*Gemini-Deep-Research" 1; + "~*Google-CloudVertexBot" 1; + "~*Google-NotebookLM" 1; + "~*GoogleAgent-Mariner" 1; + "~*Bard-Ai" 1; + "~*FacebookBot" 1; + "~*Meta-ExternalAgent" 1; + "~*meta-webindexer" 1; + "~*Applebot-Extended" 1; + "~*bingbot" 1; + "~*CCBot" 1; + "~*PerplexityBot" 1; + "~*Perplexity-User" 1; + "~*Bytespider" 1; + "~*Diffbot" 1; + "~*Amazonbot" 1; + "~*cohere-ai" 1; + "~*Cohere-Command" 1; + "~*YouBot" 1; + "~*Omgilibot" 1; + 
"~*ImagesiftBot" 1; + "~*AI2Bot" 1; + "~*Andibot" 1; + "~*bigsur.ai" 1; + "~*Brightbot" 1; + "~*TerraCotta" 1; + "~*Character-AI" 1; + "~*Devin" 1; + "~*Crawlspace" 1; + "~*DuckAssistBot" 1; + "~*FirecrawlAgent" 1; + "~*Groq-Bot" 1; + "~*HuggingFace-Bot" 1; + "~*IbouBot" 1; + "~*MistralAI-User" 1; + "~*Replicate-Bot" 1; + "~*RunPod-Bot" 1; + "~*TimpiBot" 1; + "~*Together-Bot" 1; + "~*Kangaroo Bot" 1; + "~*PanguBot" 1; + "~*Cotoyogi" 1; + "~*Webzio-Extended" 1; } ''; - # Stream Hosts - streamConfig = '' - # Port 69 - server { - listen 69; - listen 69 udp; - proxy_pass lloyd.tadpole-pain.ts.net:69; + virtualHosts = lib.mkMerge [ + (mkProxyVhost { + host = rootDomain; + upstream = "http://lloyd.tadpole-pain.ts.net:3000"; + }) + + { + "${rootDomain}".locations."= /.well-known/matrix/server".extraConfig = '' + default_type application/json; + return 200 '${wellKnownServer}'; + ''; + "${rootDomain}".locations."= /.well-known/matrix/client".extraConfig = '' + default_type application/json; + add_header Access-Control-Allow-Origin "*"; + return 200 '${wellKnownClient}'; + ''; } - # Port 420 - server { - listen 420; - listen 420 udp; - proxy_pass lloyd.tadpole-pain.ts.net:420; - } + (mkProxyVhost { + host = "analytics.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30060"; + }) + (mkProxyVhost { + host = "archive.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30288"; + }) + (mkProxyVhost { + host = "ascently.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:8838"; + }) + (mkProxyVhost { + host = "bsky.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:31173"; + }) + (mkProxyVhost { + host = "chef.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30111"; + }) + (mkProxyVhost { + host = "democlimb.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:8008"; + }) + (mkProxyVhost { + host = "fedi.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:8181"; + }) + (mkProxyVhost { + host = 
"gist.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:1227"; + }) + (mkProxyVhost { + host = "git.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30010"; + }) + (mkProxyVhost { + host = "links.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30243"; + }) - # Minecraft / Game Ports - server { - listen 25565; - listen 25565 udp; - proxy_pass lloyd.tadpole-pain.ts.net:25565; - } - server { - listen 25566; - listen 25566 udp; - proxy_pass lloyd.tadpole-pain.ts.net:25566; - } - server { - listen 25567; - listen 25567 udp; - proxy_pass lloyd.tadpole-pain.ts.net:25567; - } - ''; - - # Proxy Hosts - virtualHosts = { - # atri.dad hosts - "atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:3000"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - locations."= /.well-known/matrix/server" = { - extraConfig = '' - default_type application/json; - return 200 '${wellKnownServer}'; - ''; - }; - locations."= /.well-known/matrix/client" = { - extraConfig = '' - default_type application/json; - add_header Access-Control-Allow-Origin "*"; - return 200 '${wellKnownClient}'; - ''; - }; - }; - "analytics.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30060"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "archive.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30288"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "ascently.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:8838"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "bsky.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:31173"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; 
- "chef.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30111"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "democlimb.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:8008"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "fedi.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:8181"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "gist.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:1227"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "git.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30010"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "links.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30243"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "media.atri.dad" = { - enableACME = true; - forceSSL = true; + (mkProxyVhost { + host = "media.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30013"; + websockets = true; extraConfig = '' client_max_body_size 0; ''; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30013"; - proxyWebsockets = true; - extraConfig = '' - if ($fuckai) { return 444; } - proxy_buffering off; - proxy_request_buffering off; - proxy_read_timeout 86400s; - proxy_send_timeout 86400s; - send_timeout 86400s; - ''; - }; - }; - "memos.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30311"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "mermaid.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - 
proxyPass = "http://lloyd.tadpole-pain.ts.net:8280"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "msrc.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:3311"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "n8n.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30109"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "ocr.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30070"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "openclimb.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:1337"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "photos.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30041"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "pods.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:8828"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "requests.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30042"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "ripkyle.org" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:4321"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "s3.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30188"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "search.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = 
"http://lloyd.tadpole-pain.ts.net:30053"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "sync.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:20910"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "travel.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30251"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "travelapi.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30250"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "vault.atri.dad" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:30032"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; + locationExtraConfig = '' + proxy_buffering off; + proxy_request_buffering off; + proxy_read_timeout 86400s; + proxy_send_timeout 86400s; + send_timeout 86400s; + ''; + }) - "matrix.atri.dad" = { - enableACME = true; - forceSSL = true; + (mkProxyVhost { + host = "memos.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30311"; + }) + (mkProxyVhost { + host = "mermaid.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:8280"; + }) + (mkProxyVhost { + host = "msrc.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:3311"; + }) + (mkProxyVhost { + host = "n8n.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30109"; + }) + (mkProxyVhost { + host = "ocr.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30070"; + }) + (mkProxyVhost { + host = "openclimb.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:1337"; + }) + (mkProxyVhost { + host = "photos.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30041"; + }) + (mkProxyVhost { + host = "pods.${rootDomain}"; + upstream = 
"http://lloyd.tadpole-pain.ts.net:8828"; + }) + (mkProxyVhost { + host = "requests.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30042"; + }) + (mkProxyVhost { + host = "s3.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30188"; + }) + (mkProxyVhost { + host = "search.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30053"; + }) + (mkProxyVhost { + host = "sync.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:20910"; + }) + (mkProxyVhost { + host = "travel.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30251"; + }) + (mkProxyVhost { + host = "travelapi.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30250"; + }) + (mkProxyVhost { + host = "vault.${rootDomain}"; + upstream = "http://lloyd.tadpole-pain.ts.net:30032"; + }) - locations."/" = { - proxyPass = "http://[::1]:6167"; - proxyWebsockets = true; - extraConfig = '' - client_max_body_size 100M; - ''; - }; + { + "${matrixDomain}" = { + enableACME = true; + forceSSL = true; - locations."^~ /livekit/jwt/" = { - priority = 400; - proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/"; - }; - }; + locations."/" = { + proxyPass = "http://[::1]:6167"; + proxyWebsockets = true; + extraConfig = '' + client_max_body_size 100M; + ''; + }; - "matrixrtc.atri.dad" = { - enableACME = true; - forceSSL = true; + locations."^~ /livekit/jwt/" = { + priority = 400; + proxyPass = "http://[::1]:${toString config.services.lk-jwt-service.port}/"; + }; + }; + } - # livekit - locations."/" = { - proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}"; - proxyWebsockets = true; - extraConfig = '' - proxy_send_timeout 120; - proxy_read_timeout 120; - proxy_buffering off; - proxy_set_header Accept-Encoding gzip; - ''; + { + "${matrixRtcDomain}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://[::1]:${toString config.services.livekit.settings.port}"; + proxyWebsockets = true; 
+ extraConfig = '' + proxy_send_timeout 120; + proxy_read_timeout 120; + proxy_buffering off; + proxy_set_header Accept-Encoding gzip; + ''; + }; }; - }; + } - "atash.dev" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:6969"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - "chronus.atash.dev" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://lloyd.tadpole-pain.ts.net:7337"; - extraConfig = "if ($fuckai) { return 444; }"; - }; - }; - }; + (mkProxyVhost { + host = "ripkyle.org"; + upstream = "http://lloyd.tadpole-pain.ts.net:4321"; + }) + (mkProxyVhost { + host = "atash.dev"; + upstream = "http://lloyd.tadpole-pain.ts.net:6969"; + }) + (mkProxyVhost { + host = "chronus.atash.dev"; + upstream = "http://lloyd.tadpole-pain.ts.net:7337"; + }) + ]; }; - - # Open Ports - networking.firewall.allowedTCPPorts = [ 80 443 69 420 25565 25566 25567 ]; - networking.firewall.allowedUDPPorts = [ 69 420 25565 25566 25567 ]; } diff --git a/modules/services.nix b/modules/services.nix index 33e7fb9..5a9d567 100644 --- a/modules/services.nix +++ b/modules/services.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: { services.openssh = { diff --git a/modules/users.nix b/modules/users.nix index 6827db2..2588b7f 100644 --- a/modules/users.nix +++ b/modules/users.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ ... }: let settings = import ../settings.nix; 
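Review bot: The hand-written `"${matrixDomain}"` and `"${matrixRtcDomain}"` entries are the only public hosts that do not go through `mkProxyVhost`, so they are also the only ones without the `blockAi` 444 guard; that matches the old file, but now that the guard is centralised it reads like an omission, so if it is deliberate I would add `# Matrix/LiveKit hosts bypass mkProxyVhost on purpose: no UA-based blocking on federation or client traffic` above that entry, and otherwise route them through the helper. The hunk also drops `streamConfig` together with the `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` lines for 69, 420 and 25565–25567 with nothing in this diff replacing them; that looks intended, but it closes those ports on the host and deserves a sentence in the commit description. The `services.nginx` attrset this hunk edits is opened in the previous hunk.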
@@ -8,10 +8,14 @@ in isNormalUser = true; description = settings.userDescription; extraGroups = settings.userGroups; - openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC" ]; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC" + ]; }; - users.users.root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC" ]; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMuiXQV7+vtLxoyLojnW/Pkt6ScWQs29KPZe8aJVAvvC" + ]; security.sudo.execWheelOnly = true; } diff --git a/settings.nix b/settings.nix index 4542d54..ca81d43 100644 --- a/settings.nix +++ b/settings.nix @@ -4,5 +4,9 @@ userDescription = "Atridad Lahiji"; timezone = "America/Edmonton"; locale = "en_CA.UTF-8"; - userGroups = [ "networkmanager" "wheel" "docker" ]; + userGroups = [ + "networkmanager" + "wheel" + "docker" + ]; }