Initial commit

2023-07-10 15:30:51 +02:00 · 2023-07-10 15:30:51 +02:00 · 6f88b92591
commit 6f88b92591
20 changed files with 395 additions and 0 deletions
--- a/hosts/coturn/configuration.nix
+++ b/hosts/coturn/configuration.nix
@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    version = 2;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "coturn";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
--- a/hosts/coturn/coturn.nix
+++ b/hosts/coturn/coturn.nix
@ -0,0 +1,45 @@
+{ ... }:
+{
+  services.coturn = {
+    enable = true;
+
+    min-port = 49200;
+    max-port = 49500;
+    use-auth-secret = true;
+    static-auth-secret-file = "/secrets/static-auth-secret.secret";
+    realm = "turn.nekover.se";
+    cert = "/certs/turn.nekover.se/fullchain.pem";
+    pkey = "/certs/turn.nekover.se/key.pem";
+    no-tcp-relay = true;
+    extraConfig = "
+      external-ip=170.133.2.81/10.202.41.118
+      prometheus
+      syslog
+
+      no-tlsv1
+      no-tlsv1_1
+
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+
+      allowed-peer-ip=10.202.41.118
+
+      user-quota=12
+      total-quota=1200
+      ";
+  };
+}
--- a/hosts/coturn/default.nix
+++ b/hosts/coturn/default.nix
@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./secrets.nix
+    ./coturn.nix
+  ];
+}
--- a/hosts/coturn/secrets.nix
+++ b/hosts/coturn/secrets.nix
@ -0,0 +1,11 @@
+{ ... }:
+{
+  deployment.keys."static-auth-secret.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "coturn/static-auth-secret" ];
+    destDir = "/secrets";
+    user = "turnserver";
+    group = "turnserver";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+}
--- a/hosts/jackett/configuration.nix
+++ b/hosts/jackett/configuration.nix
@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./jackett.nix
+  ];
+
+  networking = {
+    hostName = "jackett";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
--- a/hosts/jackett/jackett.nix
+++ b/hosts/jackett/jackett.nix
@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.jackett = {
+    enable = true;
+  };
+}
--- a/hosts/netbox/configuration.nix
+++ b/hosts/netbox/configuration.nix
@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./tor.nix
+  ];
+
+  networking = {
+    hostName = "tor-relay";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
--- a/hosts/netbox/netbox.nix
+++ b/hosts/netbox/netbox.nix
@ -0,0 +1,10 @@
+{ ... }:
+{
+  services.netox = {
+    enable = true;
+
+    settings = {
+
+    };
+  };
+}
--- a/hosts/nitter/configuration.nix
+++ b/hosts/nitter/configuration.nix
@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    version = 2;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "nitter";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
--- a/hosts/nitter/default.nix
+++ b/hosts/nitter/default.nix
@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./nginx.nix
+    ./nitter.nix
+  ];
+}
--- a/hosts/nitter/nginx.nix
+++ b/hosts/nitter/nginx.nix
@ -0,0 +1,29 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      "nixos-nitter.vs.grzb.de" = {
+        locations."/robots.txt" = {
+          return = "200 \"User-agent: *\\nDisallow: /\\n\"";
+        };
+
+        locations."/" = {
+          proxyPass = "http://localhost:8080";
+          extraConfig =
+            "proxy_http_version 1.1;" +
+            "proxy_set_header Upgrade $http_upgrade;" +
+            "proxy_set_header Connection \"upgrade\";" +
+            "proxy_set_header Host $host;"
+            ;
+        };
+      };
+    };
+  };
+}
--- a/hosts/nitter/nitter.nix
+++ b/hosts/nitter/nitter.nix
@ -0,0 +1,19 @@
+{ ... }:
+{
+  services.nitter = {
+    enable = true;
+
+    server = {
+      title = "Birdsite";
+      https = true;
+      address = "0.0.0.0";
+      port = 8080;
+    };
+    
+    preferences = {
+      theme = "Mastodon";
+      replaceTwitter = "birdsite.nekover.se";
+      infiniteScroll = true;
+    };
+  };
+}
--- a/hosts/tor-relay/configuration.nix
+++ b/hosts/tor-relay/configuration.nix
@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./tor.nix
+  ];
+
+  networking = {
+    hostName = "tor-relay";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
--- a/hosts/tor-relay/tor.nix
+++ b/hosts/tor-relay/tor.nix
@ -0,0 +1,18 @@
+{ ... }:
+{
+  services.tor = {
+    enable = true;
+
+    settings = {
+      Nickname = "vsm";
+      ORPort = 9001;
+      ExitRelay = false;
+      SOCKSPort = 0;
+      ControlSocket = null;
+      ContactInfo = "admin@grzb.de";
+      RelayBandwidthRate = "70 MBits";
+      RelayBandwidthBurst = "150 Mbits";
+      DirPort = 9030;
+    };
+  };
+}