From 6f88b92591ca129afa61a8ef055bcfb2efa489fc Mon Sep 17 00:00:00 2001
From: fi
Date: Mon, 10 Jul 2023 15:30:51 +0200
Subject: [PATCH] Initial commit
---
configuration/common/default.nix | 46 +++++++++++++++++++
configuration/proxmox-vm/default.nix | 9 ++++
.../proxmox-vm/hardware-configuration.nix | 34 ++++++++++++++
flake.lock | 27 +++++++++++
flake.nix | 39 ++++++++++++++++
hosts/coturn/configuration.nix | 15 ++++++
hosts/coturn/coturn.nix | 45 ++++++++++++++++++
hosts/coturn/default.nix | 8 ++++
hosts/coturn/secrets.nix | 11 +++++
hosts/jackett/configuration.nix | 15 ++++++
hosts/jackett/jackett.nix | 6 +++
hosts/netbox/configuration.nix | 15 ++++++
hosts/netbox/netbox.nix | 10 ++++
hosts/nitter/configuration.nix | 15 ++++++
hosts/nitter/default.nix | 8 ++++
hosts/nitter/nginx.nix | 29 ++++++++++++
hosts/nitter/nitter.nix | 19 ++++++++
hosts/tor-relay/configuration.nix | 15 ++++++
hosts/tor-relay/tor.nix | 18 ++++++++
users/yuri/default.nix | 11 +++++
20 files changed, 395 insertions(+)
create mode 100644 configuration/common/default.nix
create mode 100644 configuration/proxmox-vm/default.nix
create mode 100644 configuration/proxmox-vm/hardware-configuration.nix
create mode 100644 flake.lock
create mode 100644 flake.nix
create mode 100644 hosts/coturn/configuration.nix
create mode 100644 hosts/coturn/coturn.nix
create mode 100644 hosts/coturn/default.nix
create mode 100644 hosts/coturn/secrets.nix
create mode 100644 hosts/jackett/configuration.nix
create mode 100644 hosts/jackett/jackett.nix
create mode 100644 hosts/netbox/configuration.nix
create mode 100644 hosts/netbox/netbox.nix
create mode 100644 hosts/nitter/configuration.nix
create mode 100644 hosts/nitter/default.nix
create mode 100644 hosts/nitter/nginx.nix
create mode 100644 hosts/nitter/nitter.nix
create mode 100644 hosts/tor-relay/configuration.nix
create mode 100644 hosts/tor-relay/tor.nix
create mode 100644 users/yuri/default.nix
diff --git a/configuration/common/default.nix b/configuration/common/default.nix
new file mode 100644
index 0000000..d89f1dc
--- /dev/null
+++ b/configuration/common/default.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ../../users/yuri
+ ];
+
+ time.timeZone = "Europe/Berlin";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ console = {
+ keyMap = "de-latin1";
+ };
+
+ security.sudo.wheelNeedsPassword = false;
+
+ nix.settings = {
+ trusted-users = [ "@wheel" ];
+ auto-optimise-store = true;
+ experimental-features = [ "nix-command" "flakes" ];
+ };
+
+ nix.gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 30d";
+ };
+
+ environment.systemPackages = with pkgs; [
+ htop
+ parted
+ tmux
+ nano
+ ];
+
+ services.openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ PermitRootLogin = "no";
+ };
+ };
+
+ services.fstrim.enable = true;
+}
diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix
new file mode 100644
index 0000000..20d895c
--- /dev/null
+++ b/configuration/proxmox-vm/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ];
+
+ services.qemuGuest.enable = true;
+}
diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/configuration/proxmox-vm/hardware-configuration.nix
new file mode 100644
index 0000000..c007292
--- /dev/null
+++ b/configuration/proxmox-vm/hardware-configuration.nix
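Review bot: `security.sudo.wheelNeedsPassword = false;` together with `nix.settings.trusted-users = [ "@wheel" ];` makes every wheel member's SSH key a root credential on every host importing this module, and nothing in the file records why. The reason is presumably that colmena deploys as `targetUser = "yuri"` in flake.nix and needs non-interactive sudo to switch configurations; I would write that next to the option, e.g. `# colmena deploys as an unprivileged targetUser and activates via sudo; wheel keys are therefore root-equivalent, keep the group to deploy users.` The OpenSSH settings below (key-only, no root login) are the right companion for that choice. Note that `trusted-users` on its own already lets wheel members push arbitrary store paths through the daemon, so the two options should be reviewed together if either is ever relaxed.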
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_blk" ];
+ kernelModules = [ ];
+ };
+
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-label/nixos";
+ fsType = "ext4";
+ options = [ "x-nixos.autoresize" "x-initrd.mount" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..33a1357
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1688764204,
+ "narHash": "sha256-FsvK+tIvelCI0tWwlMDKfiyb7P/KfxpGbXMrdCKiT8s=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "d8bb6c681cf86265fdcf3cc3119f757bbb085835",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-23.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..7b641bc
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,39 @@
+{
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
+ };
+
+ outputs = { nixpkgs, ... }: {
+ colmena = {
+ meta = {
+ nixpkgs = import nixpkgs {
+ system = "x86_64-linux";
+ };
+ };
+
+ nitter = { name, nodes, pkgs, ... }: {
+ deployment = {
+ targetHost = "nixos-nitter.vs.grzb.de";
+ targetUser = "yuri";
+ };
+ imports = [
+ ./configuration/common
+ ./configuration/proxmox-vm
+ ./hosts/nitter
+ ];
+ };
+
+ coturn = { name, nodes, pkgs, ... }: {
+ deployment = {
+ targetHost = "nixos-coturn.vs.grzb.de";
+ targetUser = "yuri";
+ };
+ imports = [
+ ./configuration/common
+ ./configuration/proxmox-vm
+ ./hosts/coturn
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/coturn/configuration.nix b/hosts/coturn/configuration.nix
new file mode 100644
index 0000000..a5df358
--- /dev/null
+++ b/hosts/coturn/configuration.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "coturn";
+ firewall.enable = false;
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/coturn/coturn.nix b/hosts/coturn/coturn.nix
new file mode 100644
index 0000000..c85dcba
--- /dev/null
+++ b/hosts/coturn/coturn.nix
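Review bot: Only `nitter` and `coturn` are declared as colmena nodes, so `hosts/jackett`, `hosts/netbox` and `hosts/tor-relay`, all created in this commit, are never evaluated; their `./hardware-configuration.nix` imports refer to files that do not exist in those directories (none appear in the diffstat), and that will only surface once a node is wired up. Either add the three nodes here with the same `./configuration/common` and `./configuration/proxmox-vm` imports as the existing ones, or leave a comment in this block saying those hosts are not yet deployed. The `{ name, nodes, pkgs, ... }` arguments are unused in both node definitions and could be `{ ... }` like the host modules.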
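Review bot: `networking.firewall.enable = false;` turns the host firewall off on an internet-facing TURN server, and the same line recurs in hosts/jackett, hosts/netbox, hosts/nitter and hosts/tor-relay `configuration.nix`. Keeping the firewall on and opening only what coturn needs is a small change: `networking.firewall.allowedTCPPorts = [ 3478 5349 ];`, `networking.firewall.allowedUDPPorts = [ 3478 5349 ];` and `networking.firewall.allowedUDPPortRanges = [ { from = 49200; to = 49500; } ];`, the last matching `min-port`/`max-port` in coturn.nix (3478/5349 being the module's default listening ports; adjust if those are changed). `boot.loader.grub.version = 2;` is, as far as I recall, a no-op on 23.05 that only emits an evaluation warning and can be dropped here and in hosts/nitter.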
@@ -0,0 +1,45 @@
+{ ... }:
+{
+ services.coturn = {
+ enable = true;
+
+ min-port = 49200;
+ max-port = 49500;
+ use-auth-secret = true;
+ static-auth-secret-file = "/secrets/static-auth-secret.secret";
+ realm = "turn.nekover.se";
+ cert = "/certs/turn.nekover.se/fullchain.pem";
+ pkey = "/certs/turn.nekover.se/key.pem";
+ no-tcp-relay = true;
+ extraConfig = "
+ external-ip=170.133.2.81/10.202.41.118
+ prometheus
+ syslog
+
+ no-tlsv1
+ no-tlsv1_1
+
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+
+ no-multicast-peers
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=127.0.0.0-127.255.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=192.0.2.0-192.0.2.255
+ denied-peer-ip=192.88.99.0-192.88.99.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+
+ allowed-peer-ip=10.202.41.118
+
+ user-quota=12
+ total-quota=1200
+ ";
+ };
+}
diff --git a/hosts/coturn/default.nix b/hosts/coturn/default.nix
new file mode 100644
index 0000000..63c719c
--- /dev/null
+++ b/hosts/coturn/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./secrets.nix
+ ./coturn.nix
+ ];
+}
diff --git a/hosts/coturn/secrets.nix b/hosts/coturn/secrets.nix
new file mode 100644
index 0000000..415b223
--- /dev/null
+++ b/hosts/coturn/secrets.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ deployment.keys."static-auth-secret.secret" = {
+ keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "coturn/static-auth-secret" ];
+ destDir = "/secrets";
+ user = "turnserver";
+ group = "turnserver";
+ permissions = "0640";
+ uploadAt = "pre-activation";
+ };
+}
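Review bot: `cert` and `pkey` point at `/certs/turn.nekover.se/`, but nothing in this commit provisions those files (no `security.acme` entry and no `deployment.keys` for them, unlike the auth secret), so the TLS listener depends on an undocumented out-of-band step; either add a comment naming where the certificate comes from and how `turnserver` gets read access, or issue it with `security.acme` and reference the resulting files here. The `denied-peer-ip` list in `extraConfig` covers IPv4 only; if the relay host has IPv6 connectivity, the corresponding loopback, ULA and link-local ranges should be denied as well (e.g. `denied-peer-ip=::1` and `denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`), otherwise relaying to the host's own v6 addresses stays allowed. `allowed-peer-ip=10.202.41.118` deliberately punches a hole in the `10.0.0.0-10.255.255.255` denial for the host's own private address; a one-line comment stating why that peer must be reachable would save the next reader a search.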
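Review bot: The path coturn.nix consumes, `static-auth-secret-file = "/secrets/static-auth-secret.secret"`, is re-derived by hand from `destDir` and the key name declared here, so renaming either side silently breaks the pairing with no evaluation error. Colmena exposes the resolved location as `config.deployment.keys."static-auth-secret.secret".path` (read-only, as far as I recall); referencing that from coturn.nix, which would then need `{ config, ... }:`, ties the two files together. The `0640` `turnserver:turnserver` ownership and `pre-activation` upload are the right choices for a secret the service reads at start.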
diff --git a/hosts/jackett/configuration.nix b/hosts/jackett/configuration.nix
new file mode 100644
index 0000000..72e9795
--- /dev/null
+++ b/hosts/jackett/configuration.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./jackett.nix
+ ];
+
+ networking = {
+ hostName = "jackett";
+ firewall.enable = false;
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/jackett/jackett.nix b/hosts/jackett/jackett.nix
new file mode 100644
index 0000000..1b8707e
--- /dev/null
+++ b/hosts/jackett/jackett.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+ services.jackett = {
+ enable = true;
+ };
+}
diff --git a/hosts/netbox/configuration.nix b/hosts/netbox/configuration.nix
new file mode 100644
index 0000000..637244a
--- /dev/null
+++ b/hosts/netbox/configuration.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./tor.nix
+ ];
+
+ networking = {
+ hostName = "tor-relay";
+ firewall.enable = false;
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/netbox/netbox.nix b/hosts/netbox/netbox.nix
new file mode 100644
index 0000000..07674e6
--- /dev/null
+++ b/hosts/netbox/netbox.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+ services.netox = {
+ enable = true;
+
+ settings = {
+
+ };
+ };
+}
diff --git a/hosts/nitter/configuration.nix b/hosts/nitter/configuration.nix
new file mode 100644
index 0000000..9abb412
--- /dev/null
+++ b/hosts/nitter/configuration.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+ boot.loader.grub = {
+ enable = true;
+ version = 2;
+ device = "/dev/vda";
+ };
+
+ networking = {
+ hostName = "nitter";
+ firewall.enable = false;
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/nitter/default.nix b/hosts/nitter/default.nix
new file mode 100644
index 0000000..6aae884
--- /dev/null
+++ b/hosts/nitter/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ./nginx.nix
+ ./nitter.nix
+ ];
+}
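Review bot: `./hardware-configuration.nix` is imported relative to hosts/jackett, but no such file is created there (the only one in the commit is `configuration/proxmox-vm/hardware-configuration.nix`), so this host fails to evaluate as soon as it is added to flake.nix; the same import appears in hosts/netbox and hosts/tor-relay `configuration.nix`. The coturn and nitter hosts get their hardware settings from `./configuration/proxmox-vm` via the flake instead, so dropping the import here and wiring the node up the same way keeps all hosts consistent. If these machines are meant to run outside Proxmox, a comment naming where the hardware file is expected to come from would help.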
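Review bot: hosts/netbox/configuration.nix is a byte-for-byte copy of hosts/tor-relay/configuration.nix (both carry blob `637244a`): it imports `./tor.nix`, which does not exist under hosts/netbox, and sets `hostName = "tor-relay";`. For this host it should read `./netbox.nix` in the import list and `hostName = "netbox";`. As it stands the netbox host would, once deployed, come up as a second machine named tor-relay with no netbox service at all.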
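Review bot: `services.netox` in hosts/netbox/netbox.nix is a typo for `services.netbox`; as written the attribute is not a known option and evaluation fails. The NixOS netbox module also requires `secretKeyFile` to be set (no default, as far as I recall), which fits the `deployment.keys` pattern already used in hosts/coturn/secrets.nix rather than a literal that would land in the world-readable store. The empty `settings = { };` block can be removed until there is something to put in it.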
diff --git a/hosts/nitter/nginx.nix b/hosts/nitter/nginx.nix
new file mode 100644
index 0000000..cdec9b4
--- /dev/null
+++ b/hosts/nitter/nginx.nix
@@ -0,0 +1,29 @@
+{ ... }:
+{
+ services.nginx = {
+ enable = true;
+ enableReload = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ "nixos-nitter.vs.grzb.de" = {
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: /\\n\"";
+ };
+
+ locations."/" = {
+ proxyPass = "http://localhost:8080";
+ extraConfig =
+ "proxy_http_version 1.1;" + + "proxy_set_header Upgrade $http_upgrade;" + + "proxy_set_header Connection \"upgrade\";" + + "proxy_set_header Host $host;"
+ ;
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/nitter/nitter.nix b/hosts/nitter/nitter.nix
new file mode 100644
index 0000000..de780ac
--- /dev/null
+++ b/hosts/nitter/nitter.nix
@@ -0,0 +1,19 @@
+{ ... }:
+{
+ services.nitter = {
+ enable = true;
+
+ server = {
+ title = "Birdsite";
+ https = true;
+ address = "0.0.0.0";
+ port = 8080;
+ };
+
+ preferences = {
+ theme = "Mastodon";
+ replaceTwitter = "birdsite.nekover.se";
+ infiniteScroll = true;
+ };
+ };
+}
diff --git a/hosts/tor-relay/configuration.nix b/hosts/tor-relay/configuration.nix
new file mode 100644
index 0000000..637244a
--- /dev/null
+++ b/hosts/tor-relay/configuration.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./tor.nix
+ ];
+
+ networking = {
+ hostName = "tor-relay";
+ firewall.enable = false;
+ };
+
+ system.stateVersion = "23.05";
+}
diff --git a/hosts/tor-relay/tor.nix b/hosts/tor-relay/tor.nix
new file mode 100644
index 0000000..54e9888
--- /dev/null
+++ b/hosts/tor-relay/tor.nix
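Review bot: The vhost `"nixos-nitter.vs.grzb.de"` has no `forceSSL`/`enableACME` (or `addSSL`), so despite `recommendedTlsSettings = true;` nginx serves this site over plain HTTP only, while hosts/nitter/nitter.nix sets `server.https = true;`, which makes nitter emit https links to a listener that does not exist. Either add `enableACME = true; forceSSL = true;` to the vhost (with the matching `security.acme` settings) or set `https = false;` in nitter.nix so the two agree. The `extraConfig` concatenation joins the directives without newlines; nginx accepts that because each ends in `;`, but a single `''` multi-line string would be easier to read and to diff.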
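Review bot: `address = "0.0.0.0";` in hosts/nitter/nitter.nix binds nitter on every interface while nginx only needs `http://localhost:8080`, so with the host firewall disabled in hosts/nitter/configuration.nix the backend is reachable directly on port 8080, bypassing nginx and the `/robots.txt` rule. Binding to loopback, `address = "127.0.0.1";`, is enough for the proxy and removes that second exposure. `https = true;` only affects the URLs nitter generates and should match whatever the nginx vhost actually terminates.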
@@ -0,0 +1,18 @@
+{ ... }:
+{
+ services.tor = {
+ enable = true;
+
+ settings = {
+ Nickname = "vsm";
+ ORPort = 9001;
+ ExitRelay = false;
+ SOCKSPort = 0;
+ ControlSocket = null;
+ ContactInfo = "admin@grzb.de";
+ RelayBandwidthRate = "70 MBits";
+ RelayBandwidthBurst = "150 Mbits";
+ DirPort = 9030;
+ };
+ };
+}
diff --git a/users/yuri/default.nix b/users/yuri/default.nix
new file mode 100644
index 0000000..f85b37e
--- /dev/null
+++ b/users/yuri/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ users.users.yuri = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
+ ];
+ };
+}
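Review bot: `RelayBandwidthRate = "70 MBits";` and `RelayBandwidthBurst = "150 Mbits";` spell the unit differently; Tor's documented form is `MBits`, so `RelayBandwidthBurst = "150 MBits";` keeps the pair consistent and avoids relying on lenient parsing. Once the host firewall is re-enabled, `ORPort = 9001` and `DirPort = 9030` must be reachable, e.g. `networking.firewall.allowedTCPPorts = [ 9001 9030 ];` in hosts/tor-relay/configuration.nix. `ExitRelay = false`, `SOCKSPort = 0` and a populated `ContactInfo` are the right settings for a non-exit relay.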