titaniumtown/server-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: titaniumtown:a887edf510fe783bf8e333f2e18b00ac51a207fa
Branches Tags
titaniumtown:main
...
compare: titaniumtown:0f1e2491279f75e28d3d4e08a9b66149b3229e52
Branches Tags
titaniumtown:main

5 Commits
a887edf510 ... 0f1e249127

Author SHA1 Message Date
Simon Gardling
0f1e249127 ntfy 2026-02-10 17:39:01 -05:00
Simon Gardling
f3e972b3a4 matrix: fix registration 2026-02-10 14:49:58 -05:00
Simon Gardling
e28f8a70df matrix: add coturn 2026-02-10 14:49:50 -05:00
Simon Gardling
f27068a974 matrix: fix private folder 2026-02-10 14:22:53 -05:00
Simon Gardling
795c5b3d41 Revert "matrix: disable" 
This reverts commit a887edf510.
 2026-02-10 14:08:43 -05:00
6 changed files with 113 additions and 4 deletions
Expand all files Collapse all files

5
configuration.nix
View File

@@ -38,7 +38,8 @@
./services/bitwarden.nix ./services/bitwarden.nix
# ./services/matrix.nix ./services/matrix.nix
./services/coturn.nix
./services/monero.nix ./services/monero.nix
./services/xmrig.nix ./services/xmrig.nix
@@ -51,6 +52,8 @@
./services/ssh.nix ./services/ssh.nix
./services/syncthing.nix ./services/syncthing.nix
./services/ntfy.nix
]; ];
services.kmscon.enable = true; services.kmscon.enable = true;

7
flake.nix
View File

@@ -120,6 +120,9 @@
minecraft = 25565; minecraft = 25565;
matrix = 6167; matrix = 6167;
matrix_federation = 8448; matrix_federation = 8448;
coturn = 3478;
coturn_tls = 5349;
ntfy = 2586;
}; };
https = { https = {
@@ -175,6 +178,10 @@
domain = "matrix.${https.domain}"; domain = "matrix.${https.domain}";
}; };
ntfy = {
domain = "ntfy.${https.domain}";
};
syncthing = { syncthing = {
dataDir = services_dir + "/syncthing"; dataDir = services_dir + "/syncthing";
signalBackupDir = "/${zpool_ssds}/bak/signal"; signalBackupDir = "/${zpool_ssds}/bak/signal";

BIN
secrets/coturn_static_auth_secret Normal file
View File

Binary file not shown.

59
services/coturn.nix Normal file
View File

@@ -0,0 +1,59 @@
{
config,
lib,
service_configs,
...
}:
{
services.coturn = {
enable = true;
realm = service_configs.https.domain;
use-auth-secret = true;
static-auth-secret = lib.strings.trim (builtins.readFile ../secrets/coturn_static_auth_secret);
listening-port = service_configs.ports.coturn;
tls-listening-port = service_configs.ports.coturn_tls;
no-cli = true;
# recommended security settings from Synapse's coturn docs
extraConfig = ''
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
# coturn needs these ports open
networking.firewall = {
allowedTCPPorts = [
service_configs.ports.coturn
service_configs.ports.coturn_tls
];
allowedUDPPorts = [
service_configs.ports.coturn
service_configs.ports.coturn_tls
];
# relay port range
allowedUDPPortRanges = [
{
from = config.services.coturn.min-port;
to = config.services.coturn.max-port;
}
];
};
}

14
services/matrix.nix
View File

@@ -7,7 +7,7 @@
{ {
imports = [ imports = [
(lib.serviceMountWithZpool "continuwuity" service_configs.zpool_ssds [ (lib.serviceMountWithZpool "continuwuity" service_configs.zpool_ssds [
service_configs.matrix.dataDir "/var/lib/private/continuwuity"
]) ])
]; ];
@@ -18,7 +18,7 @@
port = [ service_configs.ports.matrix ]; port = [ service_configs.ports.matrix ];
server_name = service_configs.https.domain; server_name = service_configs.https.domain;
allow_registration = true; allow_registration = true;
registration_token_file = ../secrets/matrix_reg_token; registration_token = lib.strings.trim (builtins.readFile ../secrets/matrix_reg_token);
new_user_displayname_suffix = ""; new_user_displayname_suffix = "";
@@ -32,6 +32,14 @@
address = [ address = [
"0.0.0.0" "0.0.0.0"
]; ];
# TURN server config (coturn)
turn_secret = config.services.coturn.static-auth-secret;
turn_uris = [
"turn:${service_configs.https.domain}?transport=udp"
"turn:${service_configs.https.domain}?transport=tcp"
];
turn_ttl = 86400;
}; };
}; };
@@ -51,7 +59,7 @@
config.services.caddy.virtualHosts."${service_configs.matrix.domain}".extraConfig; config.services.caddy.virtualHosts."${service_configs.matrix.domain}".extraConfig;
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"Z ${service_configs.matrix.dataDir} 0770 ${config.services.matrix-continuwuity.user} ${config.services.matrix-continuwuity.group}" "Z /var/lib/private/continuwuity 0770 ${config.services.matrix-continuwuity.user} ${config.services.matrix-continuwuity.group}"
]; ];
# for federation # for federation

32
services/ntfy.nix Normal file
View File

@@ -0,0 +1,32 @@
{
config,
service_configs,
lib,
...
}:
{
imports = [
(lib.serviceMountWithZpool "ntfy-sh" service_configs.zpool_ssds [
"/var/lib/ntfy-sh"
])
];
services.ntfy-sh = {
enable = true;
settings = {
base-url = "https://${service_configs.ntfy.domain}";
listen-http = "127.0.0.1:${builtins.toString service_configs.ports.ntfy}";
behind-proxy = true;
auth-default-access = "deny-all";
};
};
services.caddy.virtualHosts."${service_configs.ntfy.domain}".extraConfig = ''
reverse_proxy :${builtins.toString service_configs.ports.ntfy}
'';
systemd.tmpfiles.rules = [
"Z /var/lib/ntfy-sh 0700 ${config.services.ntfy-sh.user} ${config.services.ntfy-sh.group}"
];
}