diff --git a/For_NEW_Sovran_Pros_Upload/flake.nix b/For_NEW_Sovran_Pros_Upload/flake.nix
new file mode 100644
index 0000000..7d9c4e8
--- /dev/null
+++ b/For_NEW_Sovran_Pros_Upload/flake.nix
@@ -0,0 +1,14 @@
+{
+ description = "The Ultimate Sovran Pro Configuration from Sovran Systems";
+
+ inputs = {
+ Sovran_Systems.url = "git+https://git.sovransystems.com/Sovran_Systems/Sovran_Pro";
+ };
+
+ outputs = { self, Sovran_Systems, ... }@inputs: {
+ nixosConfigurations."nixos" = Sovran_Systems.inputs.nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [ Sovran_Systems.nixosModules.Sovran_Pro ];
+ };
+ };
+}
\ No newline at end of file
diff --git a/For_NEW_Sovran_Pros_Upload/sp b/For_NEW_Sovran_Pros_Upload/sp
new file mode 100644
index 0000000..701e52e
--- /dev/null
+++ b/For_NEW_Sovran_Pros_Upload/sp
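Review bot: The `Sovran_Systems` input is an unpinned `git+https://` URL with no `ref` or `rev`, and the `sp` installer in this same commit runs `nixos-rebuild` with `--update-input Sovran_Systems`, so whatever the remote default branch holds at that moment is evaluated and activated as root on the target with nothing but TLS as a check; the lock file written by `--commit-lock-file` only pins until the next run. Pinning the input (`?ref=main&rev=<commit-placeholder>`) or dropping `--update-input` from the installer so the lock file governs would make the deployed configuration reproducible and reviewable. nixpkgs is taken from the remote flake's own lock via `Sovran_Systems.inputs.nixpkgs`, which is fine but deserves a comment such as `# nixpkgs is inherited from the Sovran_Pro flake's lock, not chosen here`.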
@@ -0,0 +1,197 @@
+#!/usr/bin/env bash
+
+GREEN="\e[32m"
+LIGHTBLUE="\e[94m"
+ENDCOLOR="\e[0m"
+
+#
+
+pushd /etc/nixos/
+
+sudo wget https://git.sovransystems.com/Sovran_Systems/Sovran_Pro/raw/branch/main/For_NEW_Sovran_Pros_Upload/flake.nix
+
+sudo chown root:root /etc/nixos/ -R
+
+sudo chmod 770 /etc/nixos/ -R
+
+popd
+
+#
+
+sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/home/ /home
+
+sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/www/ /var/lib/www
+
+sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/domains/ /var/lib/domains
+
+sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/nextcloudaddition/ /var/lib/nextcloudaddition
+
+sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/njalla/ /var/lib/njalla
+
+sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/external_ip/ /var/lib/external_ip
+
+sudo rsync -av -e "ssh -i /root/sovransystems" root@192.168.1.32:/var/lib/secrets/ /var/lib/secrets
+
+#
+
+nixos-rebuild switch --flake '/etc/nixos/#' --impure --update-input Sovran_Systems --commit-lock-file
+
+#
+
+sudo chown root:root /var/lib/secrets/main -R
+
+sudo chown matrix-synapse:matrix-synapse /var/lib/secrets/matrix_reg_secret -R
+
+sudo chown matrix-synapse:matrix-synapse /var/lib/secrets/matrixdb -R
+
+sudo chown postgres:postgres /var/lib/secrets/nextclouddb -R
+
+sudo chown turnserver:turnserver /var/lib/secrets/turn -R
+
+sudo chown mysql:mysql /var/lib/secrets/wordpressdb -R
+
+sudo chmod 770 /var/lib/secrets/ -R
+
+#
+
+sudo echo -e "${GREEN}What is your New Matrix (Element Chat) domain name?${ENDCOLOR}"
+read
+sudo echo -n $REPLY > /var/lib/domains/matrix
+
+sudo echo -e "${GREEN}What is your New Wordpress domain name?${ENDCOLOR}"
+read
+sudo echo -n $REPLY > /var/lib/domains/wordpress
+
+sudo echo -e "${GREEN}What is your New Nextcloud domain name?${ENDCOLOR}"
+read
+sudo echo -n $REPLY > /var/lib/domains/nextcloud
+
+sudo echo -e "${GREEN}What is your New BTCPayserver domain name?${ENDCOLOR}"
+read
+sudo echo -n $REPLY > /var/lib/domains/btcpayserver
+
+sudo echo -e "${GREEN}What is your New Vaultwarden domain name?${ENDCOLOR}"
+read
+sudo echo -n $REPLY > /var/lib/domains/vaultwarden
+
+sudo echo -e "${GREEN}What is the email you would like to use to manage the SSL certificates for your domains?${ENDCOLOR}"
+read
+sudo echo -n $REPLY > /var/lib/domains/sslemail
+
+
+sudo chown caddy:php /var/lib/domains -R
+
+sudo chmod 770 /var/lib/domains -R
+
+#
+
+set -x
+
+
+sudo rm -rf /home/free/.config/BraveSoftware
+
+sudo rm -rf /home/free/.local/share/fish/fish_history
+
+#
+
+sudo rm -rf /var/lib/www/wordpress/wp-config.php
+
+sudo rm -rf /var/lib/www/nextcloud/config/config.php
+
+sudo touch /var/lib/www/nextcloud/config/CAN_INSTALL
+
+sudo sed -i '$e cat /var/lib/nextcloudaddition/nextcloudaddition' /var/lib/www/nextcloud/config/config.php
+
+
+sudo chown caddy:php /var/lib/www -R
+
+sudo chmod 770 /var/lib/www -R
+
+#
+
+sudo mkdir /var/lib/nextcloud
+
+sudo chown caddy:php /var/lib/nextcloud -R
+
+sudo chmod 770 /var/lib/nextcloud -R
+
+#
+
+sudo mkdir /var/lib/coturn
+
+sudo chown turnserver:turnserver /var/lib/coturn -R
+
+sudo chmod 770 /var/lib/coturn -R
+
+#
+
+sudo touch /var/lib/vaultwarden.env
+
+sudo chown vaultwarden:vaultwarden /var/lib/vaultwarden.env
+
+sudo chmod 770 /var/lib/vaultwarden.env
+
+#
+
+sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/nextclouddb
+sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/wordpressdb
+sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/matrixdb
+sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/turn
+sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/matrix_reg_secret
+sudo echo -n $(pwgen -s 17 -1) > /var/lib/secrets/main
+sudo echo -n ADMIN_TOKEN=$(openssl rand -base64 48
+) > /var/lib/vaultwarden.env
+
+#
+
+sudo echo "root:$(cat /var/lib/secrets/main)" | chpasswd -c SHA512
+
+#
+
+flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
+flatpak update
+
+#
+
+sudo echo "free:a" | chpasswd -c SHA512
+
+#
+
+sudo rm -rf /root/sp
+
+sudo rm -rf /root/Step_2_psp
+
+sudo rm -rf /root/.ssh
+
+sudo rm -rf /home/free/.ssh
+
+sudo rm -rf /root/sovransystems
+
+
+sudo chown bitcoin:bitcoin /run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node -R
+
+sudo chmod 770 /run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node -R
+
+sudo chown electrs:electrs /run/media/Second_Drive/BTCEcoandBackup/Electrs_Data -R
+
+sudo chmod 770 /run/media/Second_Drive/BTCEcoandBackup/Electrs_Data -R
+
+nixos-rebuild switch --flake '/etc/nixos/#' --impure --update-input Sovran_Systems --commit-lock-file
+
+
+#
+
+set +x
+
+sudo echo -e "${GREEN}These four passwords are generated for convenience to use for the Web front end setup UI accounts for Nextcloud, Wordpress, VaultWarden, and BTCPayserver (if you want to use them).${ENDCOLOR} \n"
+
+sudo echo -e "$(pwgen -s 17 -1) \n"
+sudo echo -e "$(pwgen -s 17 -1) \n"
+sudo echo -e "$(pwgen -s 17 -1) \n"
+sudo echo -e "$(pwgen -s 17 -1) \n"
+
+#
+
+sudo echo -e "${LIGHTBLUE}One last thing, you need to put the Njalla DDNS info from Njalla into njalla.sh.${ENDCOLOR} \n"
+
+sudo echo -e "${GREEN}All Finished! Please Reboot then Enjoy your New Sovran Pro!${ENDCOLOR} \n"
\ No newline at end of file
diff --git a/README.md b/README.md
index b8fcfa8..62621c7 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,29 @@
-# Sovran_SystemsOS
+
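Review bot: `set -x` is switched on before the secret-generation block and not switched off until after the second `nixos-rebuild`, so the expanded `sudo echo -n <password> > /var/lib/secrets/...` commands and the `sudo echo "root:$(cat /var/lib/secrets/main)" | chpasswd` line are traced to stderr with the generated database passwords and the new root password in clear text; move `set +x` to just before the first `pwgen` line, or drop tracing altogether. The `sudo echo ... > file` form does not run the write under `sudo` (the redirection is performed by the invoking shell), so it only works because the script is evidently run as root already, and `pwgen -s 17 -1 | sudo tee /var/lib/secrets/nextclouddb >/dev/null` would make that explicit. `sudo echo "free:a" | chpasswd` leaves the auto-login desktop user with a one-character password that nothing in this script rotates, and `sed -i` on `/var/lib/www/nextcloud/config/config.php` runs right after that file was removed with `rm -rf`, so it fails unless something else recreates it. There is no `set -e`/`set -o pipefail` at the top, so a failed `wget` or `rsync` is silently skipped and the later steps run against a partial tree.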
+
-The Official Repository of Sovran_SystemsOS. \ No newline at end of file +
drawing
+ +
+
+
+# Complete Configuration for Sovran_SystemsOS and the Sovran Pro +________________________________________________________ + +A Nix Flake Implementation + +Thanks to all the NixOS creators and developers for creating what is the future of computing. + +https://www.sovransystems.com + +Connect on Matrix here: https://matrix.to/#/#sovran-systems:anarchyislove.xyz + +_________________________________________________________ +GNU GPL 3.0+ + +All Open Source Software Used Falls Under Its Specific Open Source License. + +Created, Handcrafted, and Headquartered in Southern California – 2022-2023 🏖️. + +This Gitea is Proudly Powered by a Sovran Pro 💚. + +All Is Love. Fear Is Illusion. All Beings Are Free. Truth Can Never Be Destroyed. \ No newline at end of file diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..8a39b31 --- /dev/null +++ b/flake.lock 
@@ -0,0 +1,122 @@ +{ + "nodes": { + "extra-container": { + "inputs": { + "flake-utils": [ + "nix-bitcoin", + "flake-utils" + ], + "nixpkgs": [ + "nix-bitcoin", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1678566036, + "narHash": "sha256-dq+gCYplCTkbHOH1ERCzuTnwY/RvwMyw/kijPy7C3vE=", + "owner": "erikarvstedt", + "repo": "extra-container", + "rev": "a4fe3227bf63bf8479938e1457ebe1c04fe51ef5", + "type": "github" + }, + "original": { + "owner": "erikarvstedt", + "repo": "extra-container", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1678901627, + "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nix-bitcoin": { + "inputs": { + "extra-container": "extra-container", + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable" + }, + "locked": { + "lastModified": 1679384842, + "narHash": "sha256-SMJW+QZt3iRuoezjE12sopBsdLHDihXe/RerLfRpqoI=", + "owner": "fort-nix", + "repo": "nix-bitcoin", + "rev": "481050bdf75106bff652016bfe5c39736bdd03ef", + "type": "github" + }, + "original": { + "owner": "fort-nix", + "ref": "release", + "repo": "nix-bitcoin", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1679139072, + "narHash": "sha256-Gtw2Yj8DfETie3u7iHv1y5Wt+plGRmp6nTQ0EEfaPho=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "08ef7dc8334521605a5c8b7086cc248e74ee338b", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1679198465, + "narHash": "sha256-VfXpHpniNWgg7pBzxb20pRX7kqn80LApPDQYTReiFCw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "5a05160f7671434e1c833b1b01284b876e04eca4", + "type": "github" 
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixpkgs-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1681217261,
+ "narHash": "sha256-RbxCHWN3Vhyv/WEsXcJlDwF7bpvZ9NxDjfSouQxXEKo=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "3fb8eedc450286d5092e4953118212fa21091b3b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-unstable",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nix-bitcoin": "nix-bitcoin",
+ "nixpkgs": "nixpkgs_2"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..243b4e3
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,28 @@
+{
+ description = "The Ultimate Sovran Pro Configuration from Sovran Systems";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+ nix-bitcoin.url = "github:fort-nix/nix-bitcoin/release";
+ };
+
+ outputs = { self, nixpkgs, nix-bitcoin, ... }:
+ {
+
+ nixosConfigurations.nixos = nixpkgs.lib.nixosSystem {
+ system ="x86_64-linux";
+ };
+
+ nixosModules.Sovran_Pro = { pkgs, ... }: {
+
+ imports = [
+
+ ./modules/modules.nix
+
+ nix-bitcoin.nixosModules.default
+
+ ];
+ };
+ };
+}
\ No newline at end of file
diff --git a/modules/bitcoinecosystem.nix b/modules/bitcoinecosystem.nix
new file mode 100644
index 0000000..0f8e45d
--- /dev/null
+++ b/modules/bitcoinecosystem.nix
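Review bot: `nixosConfigurations.nixos` is declared with only `system = "x86_64-linux"` and no `modules`, so evaluating it directly (e.g. `nixos-rebuild --flake .#nixos` against this repository) should fail on the missing root `fileSystems` assertion rather than producing the Sovran Pro system; either remove it or give it `modules = [ self.nixosModules.Sovran_Pro ];` so the two outputs agree. `nixosModules.Sovran_Pro` imports `./modules/modules.nix`, which in turn imports `/etc/nixos/hardware-configuration.nix` by absolute path, so every consumer must evaluate with `--impure`; a comment on the module stating that requirement would save the next user a confusing evaluation error. Minor style: `system ="x86_64-linux"` is missing the space after `=`.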
@@ -0,0 +1,76 @@
+{ config, pkgs, lib, ... }:
+
+{
+ nix-bitcoin.generateSecrets = true;
+
+ services.bitcoind = {
+ enable = true;
+ dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Bitcoin_Node";
+ txindex = true;
+ tor.proxy = true;
+ disablewallet = true;
+ extraConfig = ''
+ peerbloomfilters=1
+ server=1
+ '';
+ };
+
+ nix-bitcoin.onionServices.bitcoind.enable = true;
+ nix-bitcoin.onionServices.electrs.enable = true;
+
+ services.lnd = {
+ enable = true;
+ };
+
+ services.lightning-loop = {
+ enable = true;
+ };
+
+ services.lightning-pool = {
+ enable = true;
+ };
+
+ services.rtl = {
+ enable = true;
+ port = 3050;
+ nightTheme = true;
+ nodes = {
+ lnd = {
+ enable = true;
+ loop = true;
+ };
+ reverseOrder = true;
+ };
+ };
+
+ nix-bitcoin.onionServices.lnd.public = true;
+ services.lnd.lndconnect = {
+ enable = true;
+ onion = true;
+ };
+ services.charge-lnd.enable = true;
+
+ services.btcpayserver.lightningBackend = "lnd";
+
+
+ services.electrs = {
+ enable = true;
+ tor.enforce = true;
+ dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Electrs_Data";
+ };
+
+
+ services.btcpayserver = {
+ enable = true;
+ };
+
+
+ nix-bitcoin.nodeinfo.enable = true;
+
+
+ nix-bitcoin.operator = {
+ enable = true;
+ name = "free";
+ };
+
+}
diff --git a/modules/configuration.nix b/modules/configuration.nix
new file mode 100644
index 0000000..bf43b2e
--- /dev/null
+++ b/modules/configuration.nix
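Review bot: `peerbloomfilters=1` in `services.bitcoind.extraConfig` re-enables BIP37 bloom-filter serving, which Bitcoin Core ships disabled because it lets any connected peer make the node do costly filtered block scans; with `nix-bitcoin.onionServices.bitcoind.enable = true` the node accepts inbound peers over Tor, so this is a resource-exhaustion exposure unless a specific BIP37 light client is being served. If it is deliberate, say so in place (`# BIP37 bloom filters enabled on purpose: needed by <client>; costs CPU per peer request`), otherwise remove the line. `nix-bitcoin.operator.name = "free"` grants the auto-login GNOME desktop user (configured in configuration.nix, and given a fixed password by the `sp` installer) operator access to the node's secrets and macaroons; a one-line comment making that trust boundary explicit would help the next reader.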
@@ -0,0 +1,434 @@
+{ config, pkgs, lib, ... }:
+
+
+let
+ personalization = import ./personalization.nix;
+
+
+ custom-php = pkgs.php81.buildEnv {
+ extensions = { enabled, all }: enabled ++ (with all; [ apcu imagick memcached ]);
+ extraConfig = ''
+ display_errors = On
+ display_startup_errors = On
+ max_execution_time = 6000
+ max_input_time = 3000
+ memory_limit = 8G;
+ opcache.enable=1;
+ opcache.memory_consumption=512;
+ opcache_revalidate_freq = 240;
+ opcache.max_accelerated_files=4000;
+ auto_prepend_file = '/var/lib/www/wordpress/wordfence-waf.php'
+ post_max_size = 2048M
+ upload_max_filesize = 2048M
+ opcache.interned_strings_buffer = 32
+ apc.enable_cli=1
+ '';
+ };
+in
+{
+ # Bootloader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+
+ # Enable Automount without Fail for Internal Drive.
+ fileSystems."/run/media/Second_Drive" = {
+ device = "LABEL=BTCEcoandBackup";
+ fsType = "ext4";
+ options = [ "nofail" ];
+ };
+
+ nix = {
+ package = pkgs.nixUnstable;
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ '';
+ };
+
+ networking.hostName = "nixos"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # Enable networking
+ networking.networkmanager.enable = true;
+
+ # Set your time zone.
+ time.timeZone = "America/Los_Angeles";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "en_US.UTF-8";
+
+ # Enable the X11 windowing system.
+ services.xserver.enable = true;
+
+ # Enable the GNOME Desktop Environment.
+ services.xserver.displayManager.gdm.enable = true;
+ services.xserver.desktopManager.gnome.enable = true;
+
+ # Configure keymap in X11
+ services.xserver = {
+ layout = "us";
+ xkbVariant = "";
+ };
+
+ # Enable CUPS to print documents.
+ services.printing.enable = true;
+
+ # Systemd Settings
+ systemd.enableEmergencyMode = false;
+
+ # Enable sound with pipewire.
+ sound.enable = true;
+ hardware.pulseaudio.enable = false;
+ security.rtkit.enable = true;
+ services.pipewire = {
+ enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ };
+
+ users.users = {
+ free = {
+ isNormalUser = true;
+ description = "free";
+ extraGroups = [ "networkmanager" ];
+ };
+
+
+####### PHP user for PHPFPM #######
+ php = {
+ isSystemUser = true;
+ createHome = false;
+ uid = 7777;
+ };
+ };
+
+ users.users.php.group = "php";
+ users.groups.php = {};
+
+
+
+ # Enable automatic login for the user.
+ services.xserver.displayManager.autoLogin.enable = true;
+ services.xserver.displayManager.autoLogin.user = "free";
+
+ # Workaround for GNOME autologin: https://github.com/NixOS/nixpkgs/issues/103746#issuecomment-945091229
+ systemd.services."getty@tty1".enable = true;
+ systemd.services."autovt@tty1".enable = true;
+
+ # Allow Flatpak
+ services.flatpak.enable = true;
+
+ # Allow unfree packages
+ nixpkgs.config.allowUnfree = true;
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ environment.systemPackages = with pkgs; [
+ git
+ wget
+ librewolf
+ fish
+ htop
+ gnomeExtensions.dash-to-dock-for-cosmic
+ gnomeExtensions.vitals
+ gnomeExtensions.pop-shell
+ gnomeExtensions.transparent-top-bar
+ gnomeExtensions.just-perfection
+ gnomeExtensions.appindicator
+ gnomeExtensions.systemd-manager
+ gnome.gnome-tweaks
+ papirus-icon-theme
+ ranger
+ gnome.gnome-tweaks
+ sparrow
+ bisq-desktop
+ neofetch
+ gnome.gedit
+ matrix-synapse
+ openssl
+ pwgen
+ aspell
+ aspellDicts.en
+ lm_sensors
+ hunspell
+ hunspellDicts.en_US
+ custom-php
+ matrix-synapse-tools.synadm
+ brave
+ ncdu_2
+ bitwarden
+ gparted
+ pv
+ unzip
+ parted
+ screen
+ gnome.zenity
+
+ ];
+
+ nixpkgs.config.permittedInsecurePackages = [
+ "nodejs-16.20.0"
+ "nodejs-slim-16.20.0"
+ ];
+
+
+ programs.bash.promptInit = "fish";
+ programs.fish = {
+ enable = true;
+ promptInit = "neofetch";
+ };
+
+
+####### PHPFMP #######
+ services.phpfpm.pools = {
+ mypool = {
+ user = "caddy";
+ group = "php";
+ phpPackage = custom-php;
+ settings = {
+ "pm" = "dynamic";
+ "pm.max_children" = 75;
+ "pm.start_servers" = 10;
+ "pm.min_spare_servers" = 5;
+ "pm.max_spare_servers" = 20;
+ "pm.max_requests" = 500;
+ "clear_env" = "no";
+ };
+ };
+ };
+
+
+
+####### CADDY #######
+ services.caddy = {
+ enable = true;
+ package = pkgs.caddy;
+ user = "caddy";
+ group = "root";
+ email = "${personalization.caddy_email_for_zerossl}";
+ acmeCA = "https://acme.zerossl.com/v2/DV90";
+ virtualHosts = {
+ "${personalization.wordpress_url}" = {
+ extraConfig = ''
+ encode gzip zstd
+ root * /var/lib/www/wordpress
+ php_fastcgi unix//run/phpfpm/mypool.sock
+ file_server browse
+ '';
+ };
+
+ "www.${personalization.wordpress_url}" = {
+ extraConfig = ''
+ encode gzip zstd
+ root * /var/lib/www/wordpress
+ php_fastcgi unix//run/phpfpm/mypool.sock
+ file_server browse
+ '';
+ };
+
+ "${personalization.nextcloud_url}" = {
+ extraConfig = ''
+ encode gzip zstd
+ root * /var/lib/www/nextcloud
+ php_fastcgi unix//run/phpfpm/mypool.sock
+ file_server
+ redir /.well-known/carddav /remote.php/carddav 301
+ redir /.well-known/caldav /remote.php/caldav 301
+ header {
+ Strict-Transport-Security max-age=31536000;
+ }
+ '';
+ };
+
+ "${personalization.matrix_url}" = {
+ extraConfig = ''
+ reverse_proxy /_matrix/* http://localhost:8008
+ reverse_proxy /_synapse/client/* http://localhost:8008
+ '';
+ };
+
+ "${personalization.matrix_url}:8448" = {
+ extraConfig = ''
+ reverse_proxy http://localhost:8008
+ '';
+ };
+
+ "${personalization.btcpayserver_url}" = {
+ extraConfig = ''
+ reverse_proxy http://localhost:23000
+ encode gzip zstd
+ '';
+ };
+
+ "https://${personalization.vaultwarden_url}" = {
+ extraConfig = ''
+ reverse_proxy http://localhost:8777
+ encode gzip zstd
+ '';
+ };
+
+ ":3051" = {
+ extraConfig = ''
+ reverse_proxy :3050
+ encode gzip zstd
+ tls internal
+ '';
+ };
+ };
+ };
+
+
+###### CREATE DATABASE (WORDPRESS, MATRIX_SYNAPSE, AND NEXTCLOUD) #######
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_14;
+ };
+
+ services.postgresql.authentication = lib.mkForce ''
+ # Generated file; do not edit!
+ # TYPE DATABASE USER ADDRESS METHOD
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ '';
+
+
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb_1011;
+ };
+
+ services.postgresql.initialScript = pkgs.writeText "begin-init.sql" ''
+ CREATE ROLE "ncusr" WITH LOGIN PASSWORD '${personalization.nextclouddb_pass}';
+ CREATE DATABASE "nextclouddb" WITH OWNER "ncusr"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+
+
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD '${personalization.matrix-synapsedb_pass}';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+
+ ''
+ ;
+
+ services.mysql.initialScript = pkgs.writeText "wordpress-init.sql" ''
+ CREATE DATABASE wordpressdb;
+ GRANT ALL ON *.* TO 'wpusr'@'localhost' IDENTIFIED BY '${personalization.wordpressdb_pass}';
+ FLUSH PRIVILEGES;
+ ''
+ ;
+
+
+
+####### KEEP AWAKE for DISPLAY and HEADLESS #######
+ services.xserver.displayManager.gdm.autoSuspend = false;
+
+
+
+####### BACKUP TO INTERNAL DRIVE #######
+ services.rsnapshot = {
+ enable = true;
+ extraConfig = ''
+snapshot_root /run/media/Second_Drive/BTCEcoandBackup/NixOS_Snapshot_Backup
+retain hourly 12
+retain daily 12
+backup /home/ localhost/
+backup /var/lib/ localhost/
+backup /etc/nixos/ localhost/
+backup /etc/nix-bitcoin-secrets/ localhost/
+ '';
+ cronIntervals = {
+ daily = "50 21 * * *";
+ hourly = "0 * * * *";
+ };
+ };
+
+
+
+####### CRON #######
+ services.cron = {
+ enable = true;
+ systemCronJobs = [
+ "*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
+ "15 * * * * root /var/lib/njalla/njalla.sh"
+ "0 */2 * * * root /var/lib/external_ip/external_ip.sh"
+ ];
+ };
+
+
+####### TOR #######
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ torsocks.enable = true;
+ };
+ services.privoxy.enableTor = true;
+
+
+
+
+####### Enable the OpenSSH daemon #######
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "yes";
+ };
+ };
+
+
+#######FailtoBan#######
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "127.0.0.0/8"
+ "10.0.0.0/8"
+ "172.16.0.0/12"
+ "192.168.0.0/16"
+ "8.8.8.8"
+ ];
+ };
+
+
+####### Open ports in the firewall #######
+ networking.firewall.allowedTCPPorts = [ 80 443 5349 8448 3050 3051 ];
+ networking.firewall.allowedUDPPorts = [ 80 443 5349 8448 3050 3051 ];
+ networking.firewall.allowedUDPPortRanges = [
+ { from=49152; to=65535; } # TURN relay
+ ];
+
+ # Or disable the firewall altogether.
+ networking.firewall.enable = true;
+
+
+
+
+####### AUTO UPDATE #######
+# system.autoUpgrade = {
+# enable = true;
+# flags = [ "--impure" "--update-input" "Sovran_Systems" "--commit-lock-file" ];
+# flake = "/etc/nixos";
+# persistent = true;
+# allowReboot = true;
+# rebootWindow = { lower = "02:00"; upper = "05:00"; };
+# };
+
+
+
+####### AUTO COLLECT GARABAGE #######
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 7d";
+ };
+
+ system.stateVersion = "22.05";
+
+}
diff --git a/modules/coturn.nix b/modules/coturn.nix
new file mode 100644
index 0000000..d6de653
--- /dev/null
+++ b/modules/coturn.nix
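Review bot: Both WordPress vhosts end with `file_server browse`, which turns on directory listings for `/var/lib/www/wordpress`, so every non-PHP file in the docroot (uploads, backups, leftover archives) is enumerable by any visitor; `file_server` without `browse` keeps static serving and drops the listing. The PHP pool is built with `display_errors = On` and `display_startup_errors = On`, which sends stack traces and filesystem paths to visitors on a production site, and `opcache_revalidate_freq` should be `opcache.revalidate_freq` (the underscore form is silently ignored). `services.postgresql.authentication` forces `trust` for every local and loopback connection, so any process on the host can open the `matrix-synapse` or `nextclouddb` database as its owner without the passwords that `initialScript` provisions; if the consumers supply those passwords, `scram-sha-256` on the `host` lines and `peer` on the `local` line is the expected pairing. `services.caddy.group = "root"` means the web server runs with the root group, which combined with the `chmod 770` trees elsewhere gives it more write access than it needs; a dedicated group (the `php` group is already defined here) is the usual choice.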
@@ -0,0 +1,51 @@
+{config, pkgs, lib, ...}:
+
+let
+ personalization = import ./personalization.nix;
+ in
+{
+ systemd.services.sslcoturn = {
+ script = ''
+ cp -n /var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/${personalization.matrix_url}/${personalization.matrix_url}.crt /var/lib/coturn/${personalization.matrix_url}.crt.pem
+
+ cp -n /var/lib/caddy/.local/share/caddy/certificates/acme.zerossl.com-v2-dv90/${personalization.matrix_url}/${personalization.matrix_url}.key /var/lib/coturn/${personalization.matrix_url}.key.pem
+
+ chown turnserver:turnserver /var/lib/coturn -R
+
+ chmod 770 /var/lib/coturn -R
+
+ systemctl restart coturn
+ '';
+
+ unitConfig = {
+ Type = "simple";
+ After = "NetworkManager.service";
+ Requires = "network-online.target";
+ };
+
+ serviceConfig = {
+ RemainAfterExit = "yes";
+ Type = "oneshot";
+ };
+
+ wantedBy = [ "multi-user.target" ];
+ };
+
+
+ services.coturn = {
+ enable = true;
+ use-auth-secret = true;
+ static-auth-secret = "${personalization.turn_shared}";
+ realm = personalization.matrix_url;
+ cert = "/var/lib/coturn/${personalization.matrix_url}.crt.pem";
+ pkey = "/var/lib/coturn/${personalization.matrix_url}.key.pem";
+ min-port = 49152;
+ max-port = 65535;
+ no-cli = true;
+ #listening-ips = [ "127.0.0.1" ];
+ extraConfig = ''
+ verbose
+ external-ip=${personalization.external_ip_secret}
+ '';
+ };
+}
diff --git a/modules/modules.nix b/modules/modules.nix
new file mode 100644
index 0000000..518304e
--- /dev/null
+++ b/modules/modules.nix
@@ -0,0 +1,13 @@
+{ config, pkgs, lib, ... }:
+
+{
+
+ imports = [
+ ./configuration.nix
+ ./synapse.nix
+ ./coturn.nix
+ ./bitcoinecosystem.nix
+ ./vaultwarden.nix
+ /etc/nixos/hardware-configuration.nix
+ ];
+}
\ No newline at end of file
diff --git a/modules/personalization.nix b/modules/personalization.nix
new file mode 100644
index 0000000..3310da5
--- /dev/null
+++ b/modules/personalization.nix
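Review bot: `cp -n` in `systemd.services.sslcoturn` never overwrites an existing file, so once Caddy renews the ZeroSSL certificate the copies in `/var/lib/coturn` keep the old one and TURN over TLS (`turns:` on 5349) fails at the first renewal; copy unconditionally (`cp -f`, or `install -o turnserver -g turnserver -m 0640 ...`) and run the unit from a timer rather than only at boot. `unitConfig.Type = "simple"` is a `[Service]` key placed under `[Unit]`, where systemd ignores it with a warning, and it contradicts the `serviceConfig.Type = "oneshot"` that actually applies; drop the `[Unit]` copy. `Requires = "network-online.target"` without a matching `After` does not order the unit after the network is up, so the first `cp` can run before Caddy has obtained a certificate at all. `chmod 770 -R` on the key directory is wider than coturn needs; `0750` on the directory and `0640` on the key keep it readable by `turnserver` alone.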
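Review bot: `/etc/nixos/hardware-configuration.nix` is imported by absolute path, which makes this shared module impure (every consumer must evaluate with `--impure`, as the `sp` installer does) and couples it to one host's filesystem layout. A comment such as `# host-specific; requires --impure, or move this entry to the consuming flake's modules list` on that line would make the constraint visible, and moving the import into the consumer's `modules = [ ... ]` would remove it.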
@@ -0,0 +1,17 @@
+{
+
+matrix_url = builtins.readFile /var/lib/domains/matrix;
+wordpress_url = builtins.readFile /var/lib/domains/wordpress;
+nextcloud_url = builtins.readFile /var/lib/domains/nextcloud;
+btcpayserver_url = builtins.readFile /var/lib/domains/btcpayserver;
+caddy_email_for_zerossl = builtins.readFile /var/lib/domains/sslemail;
+vaultwarden_url = builtins.readFile /var/lib/domains/vaultwarden;
+
+wordpressdb_pass = builtins.readFile /var/lib/secrets/wordpressdb;
+matrix-synapsedb_pass = builtins.readFile /var/lib/secrets/matrixdb;
+nextclouddb_pass = builtins.readFile /var/lib/secrets/nextclouddb;
+turn_shared = builtins.readFile /var/lib/secrets/turn;
+matrix_reg_secret = builtins.readFile /var/lib/secrets/matrix_reg_secret;
+external_ip_secret = builtins.readFile /var/lib/secrets/external_ip;
+
+}
diff --git a/modules/synapse.nix b/modules/synapse.nix
new file mode 100644
index 0000000..76839ae
--- /dev/null
+++ b/modules/synapse.nix
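Review bot: Every `builtins.readFile /var/lib/secrets/...` here is evaluated into the Nix expression, so the database passwords, `turn_shared` and `matrix_reg_secret` are copied into the world-readable `/nix/store` — into the coturn configuration (coturn.nix), the synapse `homeserver.yaml` (synapse.nix) and the `begin-init.sql`/`wordpress-init.sql` derivations (configuration.nix) — which undoes the `chmod 770` protection the `sp` installer puts on `/var/lib/secrets`. The vaultwarden module in this same commit already shows the better pattern with `environmentFile`; the equivalents are `services.coturn.static-auth-secret-file`, `services.matrix-synapse.extraConfigFiles` for `turn_shared_secret`/`registration_shared_secret`, and keeping the `CREATE ROLE ... PASSWORD` statements in a file outside the store. The `/var/lib/domains/*` values are not secret, but reading them at evaluation time also forces `--impure`; a header comment stating that all of these files are read at eval time, not at runtime, would help. `external_ip_secret` is the one value the installer never generates; it presumably arrives through the `/var/lib/secrets/` rsync, which is worth stating next to that line.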
@@ -0,0 +1,75 @@
+{ config, pkgs, lib, ... }:
+
+
+####### CREATE NEW USER (ADMIN OR NOT) VIA TERMINAL #######
+
+# (Run as root in terminal) matrix-synapse-register_new_matrix_user #
+
+####### #######
+
+let
+ personalization = import ./personalization.nix;
+in
+{
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ include_content = false;
+ group_unread_count_by_room = false;
+ encryption_enabled_by_default_for_room_type = "invite";
+ allow_profile_lookup_over_federation = false;
+ allow_device_name_lookup_over_federation = false;
+ server_name = personalization.matrix_url;
+ url_preview_enabled = true;
+ max_upload_size = "1024M";
+ url_preview_ip_range_blacklist = [
+ "10.0.0.0/8"
+ "100.64.0.0/10"
+ "169.254.0.0/16"
+ "172.16.0.0/12"
+ "192.0.0.0/24"
+ "192.0.2.0/24"
+ "192.168.0.0/16"
+ "192.88.99.0/24"
+ "198.18.0.0/15"
+ "198.51.100.0/24"
+ "2001:db8::/32"
+ "203.0.113.0/24"
+ "224.0.0.0/4"
+ "::1/128"
+ "fc00::/7"
+ "fe80::/10"
+ "fec0::/10"
+ "ff00::/8"
+ ];
+ url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
+ turn_shared_secret = "${personalization.turn_shared}";
+ turn_uris = [
+ "turn:${personalization.matrix_url}:5349?transport=udp"
+ "turn:${personalization.matrix_url}:5349?transport=tcp"
+ "turns:${personalization.matrix_url}:5349?transport=udp"
+ "turns:${personalization.matrix_url}:5349?transport=tcp"
+ ];
+ presence.enabled = true;
+ enable_registration = false;
+ registration_shared_secret = "${personalization.matrix_reg_secret}";
+ listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ "::1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [ {
+ names = [ "client" ];
+ compress = true;
+ }
+ {
+ names = [ "federation" ];
+ compress = false;
+ } ];
+ }
+ ];
+ };
+ };
+}
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
new file mode 100644
index 0000000..46b0678
--- /dev/null
+++ b/modules/vaultwarden.nix
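Review bot: `url_preview_ip_ranger_whitelist` is a typo for `url_preview_ip_range_whitelist`; synapse does not reject unknown keys, so the intended loopback allow-list is silently dropped. More importantly, setting `url_preview_ip_range_blacklist` replaces synapse's built-in list rather than extending it, and the list here omits `127.0.0.0/8` and `0.0.0.0/8`, so the URL-preview fetcher is no longer prevented from reaching loopback services on this host; add those ranges back, or drop the option and keep the defaults. `turn_shared_secret` and `registration_shared_secret` are interpolated into the store-visible `homeserver.yaml`; `extraConfigFiles` is the supported way to keep them out of the store. The `####### ... #######` banner with the `matrix-synapse-register_new_matrix_user` hint would read better as an ordinary comment next to `enable_registration = false` explaining that accounts are created out of band with the shared secret.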
@@ -0,0 +1,21 @@
+{ config, pkgs, lib, ... }:
+
+let
+ personalization = import ./personalization.nix;
+in
+{
+
+ services.vaultwarden = {
+ enable = true;
+ config = {
+
+ DOMAIN = "https://${personalization.vaultwarden_url}";
+ SIGNUPS_ALLOWED = false;
+ ROCKET_ADDRESS = "127.0.0.1";
+ ROCKET_PORT = 8777;
+ ROCKET_LOG = "critical";
+ };
+ dbBackend = "sqlite";
+ environmentFile = "/var/lib/vaultwarden.env";
+ };
+}
\ No newline at end of file
diff --git a/sovran_systems.png b/sovran_systems.png
new file mode 100644
index 0000000..618f61e
Binary files /dev/null and b/sovran_systems.png differ
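Review bot: Nothing here feeds vaultwarden's authentication failures to the fail2ban that configuration.nix enables: no `LOG_FILE` is set, `ROCKET_LOG = "critical"` silences Rocket's per-request lines, and no vaultwarden jail is defined, so repeated login failures against the web vault and `/admin` leave no trace beyond the journal; either add a comment stating that this is accepted, or set `LOG_FILE` and a matching jail. The `ADMIN_TOKEN` the installer writes into `/var/lib/vaultwarden.env` is a plain token; newer vaultwarden releases accept an Argon2 PHC-format hash in `ADMIN_TOKEN`, which is worth noting beside `environmentFile` as a follow-up. `ROCKET_ADDRESS = "127.0.0.1"` with `ROCKET_PORT = 8777` matches the Caddy vhost's `reverse_proxy http://localhost:8777`; a one-line comment tying the two together would help the next reader.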