From cd03afb425b81a9a3b0985383d31767e092c4e62 Mon Sep 17 00:00:00 2001
From: Avery <aveeryy@protonmail.com>
Date: Fri, 28 Jun 2024 22:20:11 +0200
Subject: [PATCH] Modularize GY config

---
 .gitignore                                    |  1 +
 README.md                                     | 34 ++++++++++-----
 hosts/greatyamada/nixos/default.nix           | 16 ++++++++
 .../{nixos.nix => nixos/filesystems.nix}      | 16 +-------
 hosts/greatyamada/services/acme.nix           | 16 ++++++++
 hosts/greatyamada/services/ddns.nix           | 11 +++++
 hosts/greatyamada/services/matrix/coturn.nix  | 41 +++++++++++++++++++
 .../{matrix.nix => matrix/synapse.nix}        |  0
 8 files changed, 109 insertions(+), 26 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 hosts/greatyamada/nixos/default.nix
 rename hosts/greatyamada/{nixos.nix => nixos/filesystems.nix} (75%)
 create mode 100644 hosts/greatyamada/services/acme.nix
 create mode 100644 hosts/greatyamada/services/ddns.nix
 create mode 100644 hosts/greatyamada/services/matrix/coturn.nix
 rename hosts/greatyamada/services/{matrix.nix => matrix/synapse.nix} (100%)

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..90cfd59
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+keys.txt
diff --git a/README.md b/README.md
index fde2c5a..fe7256a 100644
--- a/README.md
+++ b/README.md
@@ -1,12 +1,17 @@
+---
+gitea: none
+include_toc: true
+---
+
 # NixOS system configurations
 
+[toc]
+
 ## Installation (WIP)
 
 ## Hosts
 
-### 🐬 Totsugeki
-
-Configuration files for my desktop
+### 🐬 Totsugeki | Desktop
 
 #### Programs
 
@@ -27,16 +32,23 @@ Configuration files for my desktop
 - r2modman (Mod manager)
 - ProtonUp-Qt
 
-### 🐳 Great Yamada
-
-Configuration for my home server
+### 🐳 Great Yamada | Home server
 
 #### Services
 
 **Still a WIP**
 
-|    Name    |             Type             | Public-facing |
-| :--------: | :--------------------------: | :-----------: |
-|   Nginx    | Web server and reverse proxy |       x       |
-| PostgreSQL |       Database engine        |
-|  Forgejo   |        Git repository        |       x       |
+|       Name        |              Type              | Public-facing |
+| :---------------: | :----------------------------: | :-----------: |
+|       Nginx       |  Web server and reverse proxy  |       x       |
+|    PostgreSQL     |        Database engine         |
+|      Forgejo      |         Git repository         |       x       |
+|      Synapse      |         Matrix server          |       x       |
+|      coturn       |          TURN server           |       x       |
+| Synapse (bridges) |         Matrix server          |               |
+| mautrix-whatsapp  |   WhatsApp bridge for Matrix   |               |
+|      PaperMC      |        Minecraft server        |       x       |
+|   AdGuard Home    | DNS server and content blocker |               |
+|     Invidious     |         YouTube proxy          |               |
+|      SearXNG      |       Metasearch engine        |               |
+|     Radicale      |    CalDAV / CardDAV server     |               |
diff --git a/hosts/greatyamada/nixos/default.nix b/hosts/greatyamada/nixos/default.nix
new file mode 100644
index 0000000..ea5109b
--- /dev/null
+++ b/hosts/greatyamada/nixos/default.nix
@@ -0,0 +1,16 @@
+{ config, lib, pkgs }: {
+  imports = [ ./filesystems.nix ];
+  networking = {
+    firewall.enable = true;
+    hostName = "greatyamada";
+    networkmanager.enable = true;
+    useDHCP = lib.mkDefault false;
+  };
+
+  sops = {
+    defaultSopsFile = "/etc/nixos/secrets/greatyamada.yaml";
+    age.keyFile = "/etc/nixos/keys.txt";
+  };
+
+  time.timeZone = "UTC";
+}
diff --git a/hosts/greatyamada/nixos.nix b/hosts/greatyamada/nixos/filesystems.nix
similarity index 75%
rename from hosts/greatyamada/nixos.nix
rename to hosts/greatyamada/nixos/filesystems.nix
index 1bf16da..9459d09 100644
--- a/hosts/greatyamada/nixos.nix
+++ b/hosts/greatyamada/nixos/filesystems.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs }: {
+{ ... }: {
   fileSystems = {
     "/" = {
       device = "/dev/disk/by-uuid/61050e8d-41c6-4c37-98a9-d8b0cdce6903";
@@ -36,18 +36,4 @@
     };
   };
 
-  networking = {
-    firewall.enable = true;
-    hostName = "greatyamada";
-    networkmanager.enable = true;
-    useDHCP = lib.mkDefault false;
-  };
-
-  sops = {
-    defaultSopsFile = "/etc/nixos/secrets/greatyamada.yaml";
-    # TODO: change key path
-    age.keyFile = "/home/avery/.config/sops/age/keys.txt";
-  };
-
-  time.timeZone = "UTC";
 }
diff --git a/hosts/greatyamada/services/acme.nix b/hosts/greatyamada/services/acme.nix
new file mode 100644
index 0000000..3aff438
--- /dev/null
+++ b/hosts/greatyamada/services/acme.nix
@@ -0,0 +1,16 @@
+{ ... }: {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "aveeryy@protonmail.com";
+    certs."rcia.dev" = {
+      credentialFiles.CLOUDFLARE_DNS_API_TOKEN_FILE =
+        "/run/secrets/cloudflare_api_token";
+      dnsProvider = "cloudflare";
+      extraDomainNames = [ "*.rcia.dev" ];
+    };
+  };
+  sops.secrets."cloudflare/api_token" = {
+    path = "/run/secrets/cloudflare_api_token";
+    group = "root";
+  };
+}
diff --git a/hosts/greatyamada/services/ddns.nix b/hosts/greatyamada/services/ddns.nix
new file mode 100644
index 0000000..9f3422c
--- /dev/null
+++ b/hosts/greatyamada/services/ddns.nix
@@ -0,0 +1,11 @@
+{ ... }: {
+  services.ddclient = {
+    enable = true;
+    interval = "5min";
+    quiet = true;
+    protocol = "cloudflare";
+    zone = "rcia.dev";
+    passwordFile = "/run/secrets/cloudflare_api_token";
+    domains = [ "@" "*" ];"
+  };
+}
diff --git a/hosts/greatyamada/services/matrix/coturn.nix b/hosts/greatyamada/services/matrix/coturn.nix
new file mode 100644
index 0000000..2d545b4
--- /dev/null
+++ b/hosts/greatyamada/services/matrix/coturn.nix
@@ -0,0 +1,41 @@
+{ pkgs, ... }: {
+  services.coturn = {
+    enable = true;
+    realm = "rcia.dev";
+    min-port = 49152;
+    max-port = 49200;
+    use-auth-secret = true;
+    static-auth-secret-file = "/run/turnserver/auth_secret"
+    extraConfig = ''
+      syslog
+      no-rfc5780
+      no-stun-backward-compatibility
+      response-origin-only-with-rfc5780 
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      allowed-peer-ip=10.0.0.1
+      allowed-peer-ip=10.10.0.1
+      allowed-peer-ip=10.10.0.2
+      allowed-peer-ip=10.10.0.3
+      user-quota=16
+      total-quota=128
+    '';
+  };
+  sops.secrets."coturn/static_auth_secret" = {
+    path = "/run/turnserver/auth_secret";
+    owner = "turnserver";
+  };
+}
diff --git a/hosts/greatyamada/services/matrix.nix b/hosts/greatyamada/services/matrix/synapse.nix
similarity index 100%
rename from hosts/greatyamada/services/matrix.nix
rename to hosts/greatyamada/services/matrix/synapse.nix