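# NixOS host "knazarovcom": static sites, a Dendrite Matrix homeserver with a
# sliding-sync proxy, coturn, Forgejo and headscale, all behind nginx with ACME
# certificates. Secrets are provided by sops-nix.
{ config, pkgs, ... }:

let
  # Headers every reverse-proxied backend should receive so it logs and
  # rate-limits on the real client address/scheme instead of 127.0.0.1/http.
  # Shared by the matrix and syncv3 locations so they cannot drift apart.
  proxyClientHeaders = ''
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
  '';

  # Rejects user agents matched by the $limit_bots map defined in
  # services.nginx.commonHttpConfig below.
  denyListedBots = ''
    if ($limit_bots = 1) {
      return 403;
    }
  '';

  acmeEmail = "mail@knazarov.com";
in
{
  imports = [ ./hardware-configuration.nix ];

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";

  networking.hostName = "knazarovcom";

  users.users.knazarov = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    # Hardware-backed (sk-) keys only; password logins are disabled below.
    openssh.authorizedKeys.keys = [
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJkgpPDojl4RtsuFLIsHkH/19s3trYljdn/Jmbb3FCHNAAAABHNzaDo= knazarov@framework"
      "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIO7W7yDKxAj9u1hu3zsZMJW+0HUnA/C/rkbuzkQantkaAAAABHNzaDo= knazarov@mira"
    ];
  };

  environment.systemPackages = with pkgs; [ vim sops goaccess ];

  services.openssh.enable = true;
  services.openssh.settings = {
    PermitRootLogin = "no";
    PasswordAuthentication = false;
  };

  # sudo for wheel is authorised through the forwarded SSH agent; together with
  # wheelNeedsPassword = false every wheel login is root-equivalent, so the
  # authorized key list above is the effective admin boundary.
  # (security.pam.enableSSHAgentAuth is the pre-24.05 spelling of this option
  # and is no longer set alongside it, which avoids the rename warning.)
  security.pam.sshAgentAuth.enable = true;
  security.sudo.wheelNeedsPassword = false;
  # Trusted users may override nix-daemon settings (substituters, sandbox),
  # which is root-equivalent; acceptable only because wheel already is.
  nix.settings.trusted-users = [ "@wheel" ];

  # NOTE(review): presumably so nginx can read the turnserver-group-owned ACME
  # files for turn.knazarov.com — confirm it is still needed.
  users.users.nginx.extraGroups = [ "turnserver" ];

  # Good list of bots: https://www.sci.news/robots.txt
  services.nginx = {
    enable = true;
    clientMaxBodySize = "1024m";
    commonHttpConfig = ''
      map $http_user_agent $limit_bots {
        default 0;
        ~*(AhrefsBot|PetalBot|bingbot|gptbot|ZoominfoBot|BLEXBot|Bytespider) 1;
        ~*(DecompilationBot|Amazonbot|Barkrowler|SeznamBot|SemrushBot) 1;
        ~*(MJ12bot|IonCrawl|webprosbot|Sogou|paloaltonetworks|CensysInspect) 1;
        ~*(DotBot|ev-crawler|InternetMeasurement|CheckMarkNetwork|panscient) 1;
        ~*(gdnplus|PunkMap|pdrlabs|SurdotlyBot|researchscan|serpstatbot) 1;
        ~*(MegaIndex|DongleEmulatorBot|TinyTestBot|meta-externalagent) 1;
      }
    '';

    virtualHosts = {
      "www.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        globalRedirect = "knazarov.com";
      };

      "knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        root = "${pkgs.knazarovcom}/srv/knazarov.com";
        # Matrix delegation: the homeserver name is knazarov.com, traffic goes
        # to matrix.knazarov.com (and syncv3.knazarov.com for sliding sync).
        locations."/.well-known/matrix/server" = {
          extraConfig = ''
            default_type application/json;
            return 200 '{ "m.server": "matrix.knazarov.com:443" }';
          '';
        };
        locations."/.well-known/matrix/client" = {
          extraConfig = ''
            default_type application/json;
            return 200 '{ "m.homeserver": { "base_url": "https://matrix.knazarov.com" }, "org.matrix.msc3575.proxy": { "url": "https://syncv3.knazarov.com" } }';
            add_header "Access-Control-Allow-Origin" *;
          '';
        };
        locations."/" = { extraConfig = denyListedBots; };
      };

      "vmatveeva.com" = {
        enableACME = true;
        forceSSL = true;
        root = "${pkgs.vmatveevacom}/srv/vmatveeva.com";
        locations."/" = { extraConfig = denyListedBots; };
      };

      "matrix.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/_matrix" = {
          proxyPass = "http://127.0.0.1:8008";
          # Same forwarded headers as the syncv3 proxy; without them dendrite
          # only ever sees 127.0.0.1 as the client address.
          extraConfig = proxyClientHeaders;
        };
      };

      "syncv3.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/_matrix/client/unstable/org.matrix.msc3575/sync" = {
          proxyPass = "http://127.0.0.1:8009";
          extraConfig = proxyClientHeaders;
        };
        locations."/client/" = {
          proxyPass = "http://127.0.0.1:8009";
          extraConfig = proxyClientHeaders;
        };
      };

      "git.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
      };

      # No TLS here: this vhost presumably exists only to answer the ACME
      # challenge for the certificate coturn terminates itself (see
      # services.coturn.cert/pkey).
      "turn.knazarov.com" = { enableACME = true; };

      "headscale.knazarov.com" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://127.0.0.1:8080";
          # WebSocket upgrade passthrough; $connection_upgrade is expected to
          # come from the nginx module's http-level map — confirm.
          extraConfig = ''
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $server_name;
            proxy_buffering off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
          '';
        };
      };
    };
  };

  security.acme.acceptTerms = true;
  security.acme.certs = {
    "www.knazarov.com".email = acmeEmail;
    "knazarov.com".email = acmeEmail;
    "vmatveeva.com".email = acmeEmail;
    "matrix.knazarov.com".email = acmeEmail;
    "syncv3.knazarov.com".email = acmeEmail;
    "git.knazarov.com".email = acmeEmail;
    "turn.knazarov.com" = {
      email = acmeEmail;
      # coturn reads the certificate files directly, so it must be able to
      # read them (group) and be restarted after each renewal.
      postRun = "systemctl restart coturn.service";
      group = "turnserver";
    };
    "headscale.knazarov.com".email = acmeEmail;
  };

  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    settings = {
      service = { DISABLE_REGISTRATION = true; };
      server = {
        ROOT_URL = "https://git.knazarov.com/";
        LANDING_PAGE = "explore";
      };
      federation = { ENABLED = "true"; };
    };
  };

  services.dendrite = {
    enable = true;
    # The file behind this secret has to define REGISTRATION_SHARED_SECRET and
    # COTURN_AUTH_SECRET; the "$VAR" placeholders in settings are substituted
    # from it.
    environmentFile = config.sops.secrets.matrix_registration_secret.path;
    settings = {
      global = {
        server_name = "knazarov.com";
        private_key = config.sops.secrets.matrix_key.path;
        jetstream = { storage_path = "/var/lib/dendrite/nats"; };
      };
      client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
      client_api.turn = {
        turn_user_lifetime = "5m";
        turn_uris = [
          "turn:${config.services.coturn.realm}:3478?transport=udp"
          "turn:${config.services.coturn.realm}:3478?transport=tcp"
        ];
        # NOTE(review): must equal the value in the coturn_auth_secret sops
        # secret that coturn reads; they live in separate secrets, so confirm
        # they stay in sync.
        turn_shared_secret = "$COTURN_AUTH_SECRET";
      };
    };
  };

  systemd.services.dendrite = {
    # lets dendrite read the sops secrets that are group-owned by "keys"
    serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
  };

  services.coturn = rec {
    enable = true;
    no-cli = true;
    no-tcp-relay = true;
    min-port = 49000;
    max-port = 50000;
    use-auth-secret = true;
    static-auth-secret-file = config.sops.secrets.coturn_auth_secret.path;
    realm = "turn.knazarov.com";
    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    # NOTE(review): `verbose` turns on coturn debug logging; worth removing
    # once the TURN setup is known-good.
    extraConfig = ''
      # for debugging
      verbose
    '';
  };

  services.headscale = {
    enable = true;
    settings = {
      server_url = "https://headscale.knazarov.com:443";
      dns.base_domain = "nest";
    };
  };

  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets = {
    # not referenced anywhere in this file; presumably a leftover from the
    # sops-nix template
    example_key = { };
    matrix_key = {
      mode = "0440";
      group = config.users.groups.keys.name;
    };
    matrix_registration_secret = {
      mode = "0440";
      group = config.users.groups.keys.name;
    };
    coturn_auth_secret = {
      mode = "0440";
      group = config.users.groups.turnserver.name;
    };
  };

  networking.firewall = {
    allowedTCPPorts = [
      80
      443
      3478 5349 # coturn
    ];
    allowedUDPPorts = [
      3478 5349 # coturn
    ];
    # coturn media relay range, derived from services.coturn so the two
    # cannot diverge
    allowedUDPPortRanges = [{
      from = config.services.coturn.min-port;
      to = config.services.coturn.max-port;
    }];
  };
  # networking.firewall.allowedUDPPorts = [ ... ];

  system.stateVersion = "23.05";
}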