commit e9460e0f80def0395f08893ba3cadd8c7b7aeee4
Author: fi <fiona@grzb.de>
Date:   Wed Nov 20 05:46:39 2024 +0100

    Initial commit

diff --git a/configuration/common/default.nix b/configuration/common/default.nix
new file mode 100644
index 0000000..d89f1dc
--- /dev/null
+++ b/configuration/common/default.nix
@@ -0,0 +1,46 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ../../users/yuri
+  ];
+
+  time.timeZone = "Europe/Berlin";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    keyMap = "de-latin1";
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  nix.settings = {
+    trusted-users = [ "@wheel" ];
+    auto-optimise-store = true;
+    experimental-features = [ "nix-command" "flakes" ];
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  environment.systemPackages = with pkgs; [
+    htop
+    parted
+    tmux
+    nano
+  ];
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+
+  services.fstrim.enable = true;
+}
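Review bot: `security.sudo.wheelNeedsPassword = false` together with `nix.settings.trusted-users = [ "@wheel" ]` makes every wheel member root-equivalent twice over, through sudo and through the Nix daemon (trusted users may import unsigned store paths and override substituters), and nothing in the hunk says why. Since flake.nix deploys with `targetUser = "yuri"`, non-interactive sudo is presumably what colmena needs for activation; I'd record that, `# colmena activates as targetUser "yuri", so wheel needs non-interactive sudo`, and narrow the daemon trust to the deploying account, `trusted-users = [ "yuri" ];`, unless other wheel members are expected to push store paths. The `services.openssh.settings` block (key-only, no root login) is the right shape and matches the key-only user in users/yuri.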
diff --git a/configuration/proxmox-vm/default.nix b/configuration/proxmox-vm/default.nix
new file mode 100644
index 0000000..20d895c
--- /dev/null
+++ b/configuration/proxmox-vm/default.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+  
+  services.qemuGuest.enable = true;
+}
diff --git a/configuration/proxmox-vm/hardware-configuration.nix b/configuration/proxmox-vm/hardware-configuration.nix
new file mode 100644
index 0000000..c007292
--- /dev/null
+++ b/configuration/proxmox-vm/hardware-configuration.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_blk" ];
+      kernelModules = [ ];
+    };
+
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+    options = [ "x-nixos.autoresize" "x-initrd.mount" ];
+  };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..33a1357
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1688764204,
+        "narHash": "sha256-FsvK+tIvelCI0tWwlMDKfiyb7P/KfxpGbXMrdCKiT8s=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d8bb6c681cf86265fdcf3cc3119f757bbb085835",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..7b641bc
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,39 @@
+{
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
+  };
+
+  outputs = { nixpkgs, ... }: {
+    colmena = {
+      meta = {
+        nixpkgs = import nixpkgs {
+          system = "x86_64-linux";
+        };
+      };
+
+      nitter = { name, nodes, pkgs, ... }: {
+        deployment = {
+          targetHost = "nixos-nitter.vs.grzb.de";
+          targetUser = "yuri";
+        };
+        imports = [
+          ./configuration/common
+          ./configuration/proxmox-vm
+          ./hosts/nitter
+        ];
+      };
+
+      coturn = { name, nodes, pkgs, ... }: {
+        deployment = {
+          targetHost = "nixos-coturn.vs.grzb.de";
+          targetUser = "yuri";
+        };
+        imports = [
+          ./configuration/common
+          ./configuration/proxmox-vm
+          ./hosts/coturn
+        ];
+      };
+    };
+  };
+}
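Review bot: `nixpkgs.url` pins `nixos-23.05`, and flake.lock pins a revision of it with `lastModified` 1688764204 (July 2023); at the commit date (November 2024) that release branch has been end-of-life for roughly a year, so none of the network-facing services in this tree (coturn, nginx, nitter, tor, openssh) receive security fixes until the input moves to a supported channel and the lock is refreshed. hosts/jackett, hosts/netbox and hosts/tor-relay exist in the tree but no colmena node references them, so their modules are never evaluated, which is presumably why the errors in them went unnoticed; either add nodes or keep the directories out until they are ready. Inside the hunk, `{ name, nodes, pkgs, ... }` binds three unused arguments on both nodes; `{ ... }:` would do.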
diff --git a/hosts/coturn/configuration.nix b/hosts/coturn/configuration.nix
new file mode 100644
index 0000000..a5df358
--- /dev/null
+++ b/hosts/coturn/configuration.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    version = 2;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "coturn";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
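Review bot: `networking.firewall.enable = false` switches the host firewall off wholesale instead of opening the ports the TURN server needs, so everything else listening on the VM (for instance the prometheus metrics listener enabled in coturn.nix) is exposed as well; the same line appears in hosts/nitter, hosts/jackett, hosts/netbox and hosts/tor-relay configuration.nix. The explicit form for this host is `networking.firewall.allowedTCPPorts = [ 3478 5349 ];`, `networking.firewall.allowedUDPPorts = [ 3478 5349 ];` and `networking.firewall.allowedUDPPortRanges = [ { from = 49200; to = 49500; } ];`, matching min-port/max-port in coturn.nix. `boot.loader.grub.version = 2` is, I believe, deprecated in the 23.05 module and only yields an evaluation warning, so it can be dropped. Apart from `hostName` this file is identical to hosts/nitter/configuration.nix, so the grub block could move to configuration/proxmox-vm/default.nix.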
diff --git a/hosts/coturn/coturn.nix b/hosts/coturn/coturn.nix
new file mode 100644
index 0000000..c85dcba
--- /dev/null
+++ b/hosts/coturn/coturn.nix
@@ -0,0 +1,45 @@
+{ ... }:
+{
+  services.coturn = {
+    enable = true;
+
+    min-port = 49200;
+    max-port = 49500;
+    use-auth-secret = true;
+    static-auth-secret-file = "/secrets/static-auth-secret.secret";
+    realm = "turn.nekover.se";
+    cert = "/certs/turn.nekover.se/fullchain.pem";
+    pkey = "/certs/turn.nekover.se/key.pem";
+    no-tcp-relay = true;
+    extraConfig = "
+      external-ip=170.133.2.81/10.202.41.118
+      prometheus
+      syslog
+
+      no-tlsv1
+      no-tlsv1_1
+
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=172.16.0.0-172.31.255.255
+
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+
+      allowed-peer-ip=10.202.41.118
+
+      user-quota=12
+      total-quota=1200
+      ";
+  };
+}
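Review bot: `allowed-peer-ip=10.202.41.118` (the private half of `external-ip`) reopens what the `denied-peer-ip` list above it closes, so the relay will forward client traffic to any port on the server's own private interface; if that is required for hairpinning, a comment saying so would help, otherwise the line should go. `no-cli` is left at its default, which as far as I recall keeps coturn's admin CLI listening on loopback with an empty `cli-password`; `no-cli = true;` closes it since nothing here uses it. The `prometheus` line also starts a metrics listener (port 9641 by default, I believe) on every interface, which matters because configuration.nix disables the firewall. As a style point, `extraConfig` is a `"…"` string carrying six spaces of indentation on every line; an `''…''` indented string strips the common leading whitespace so coturn receives a normal-looking turnserver.conf.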
diff --git a/hosts/coturn/default.nix b/hosts/coturn/default.nix
new file mode 100644
index 0000000..63c719c
--- /dev/null
+++ b/hosts/coturn/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./secrets.nix
+    ./coturn.nix
+  ];
+}
diff --git a/hosts/coturn/secrets.nix b/hosts/coturn/secrets.nix
new file mode 100644
index 0000000..415b223
--- /dev/null
+++ b/hosts/coturn/secrets.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+  deployment.keys."static-auth-secret.secret" = {
+    keyCommand = [ "env" "GNUPGHOME=/home/yuri/.passinfra_gnupg" "PASSWORD_STORE_DIR=/home/yuri/pass/infra" "pass" "coturn/static-auth-secret" ];
+    destDir = "/secrets";
+    user = "turnserver";
+    group = "turnserver";
+    permissions = "0640";
+    uploadAt = "pre-activation";
+  };
+}
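Review bot: `destDir = "/secrets"` puts the TURN shared secret on the VM's persistent root filesystem, whereas colmena's default `/run/keys` is a tmpfs that never lands on disk or in Proxmox snapshots; the trade-off is that a tmpfs key is gone after a reboot until the next deploy, which is presumably why `/secrets` was chosen. A comment stating that choice, and confirming that `/secrets` is excluded from VM snapshots and backups, would help the next reader. `permissions = "0640"` with owner/group `turnserver` is appropriate for a file read by the service only.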
diff --git a/hosts/jackett/configuration.nix b/hosts/jackett/configuration.nix
new file mode 100644
index 0000000..72e9795
--- /dev/null
+++ b/hosts/jackett/configuration.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./jackett.nix
+  ];
+
+  networking = {
+    hostName = "jackett";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
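Review bot: `imports` pulls in `./hardware-configuration.nix`, which this commit does not add under hosts/jackett (nor under hosts/netbox or hosts/tor-relay, whose configuration.nix files do the same), so evaluating any of these hosts fails with a missing-file error. The two hosts that are wired into flake.nix get their hardware module from configuration/proxmox-vm instead; these three should probably follow that pattern rather than carry a per-host copy. `{ config, pkgs, ... }:` binds two arguments the file does not use.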
diff --git a/hosts/jackett/jackett.nix b/hosts/jackett/jackett.nix
new file mode 100644
index 0000000..1b8707e
--- /dev/null
+++ b/hosts/jackett/jackett.nix
@@ -0,0 +1,6 @@
+{ ... }:
+{
+  services.jackett = {
+    enable = true;
+  };
+}
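Review bot: `services.jackett` is enabled with module defaults, which as far as I recall bind the web UI on port 9117 on all interfaces with no admin password, and hosts/jackett/configuration.nix disables the firewall, so the UI and the API key it displays would be reachable from anywhere that can route to the VM. Keeping the firewall on and fronting it with an authenticated reverse proxy (the nitter host's nginx is the obvious model), or restricting it to a management network, is the defensive shape. A one-line comment on what this host is for would also help, since it is not yet a node in flake.nix.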
diff --git a/hosts/netbox/configuration.nix b/hosts/netbox/configuration.nix
new file mode 100644
index 0000000..637244a
--- /dev/null
+++ b/hosts/netbox/configuration.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./tor.nix
+  ];
+
+  networking = {
+    hostName = "tor-relay";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
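Review bot: this file is a verbatim copy of hosts/tor-relay/configuration.nix (identical blob 637244a): `hostName = "tor-relay"` and the `./tor.nix` import are wrong for a NetBox host, which would want `hostName = "netbox";` and `./netbox.nix`, and `./tor.nix` does not exist under hosts/netbox. `./hardware-configuration.nix` is likewise absent under hosts/netbox in this commit. Until the host is added to flake.nix none of this is evaluated, which is why it has gone unnoticed.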
diff --git a/hosts/netbox/netbox.nix b/hosts/netbox/netbox.nix
new file mode 100644
index 0000000..07674e6
--- /dev/null
+++ b/hosts/netbox/netbox.nix
@@ -0,0 +1,10 @@
+{ ... }:
+{
+  services.netox = {
+    enable = true;
+
+    settings = {
+
+    };
+  };
+}
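Review bot: `services.netox` on the third line is a typo for `services.netbox`; the module system rejects the undefined option at evaluation, so this file cannot be imported as is. Once corrected, the NixOS netbox module requires, as far as I recall, `secretKeyFile` (Django's SECRET_KEY) with no default, which could be provisioned the same way hosts/coturn/secrets.nix does with `deployment.keys`. The empty `settings = { };` can be dropped until it has content.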
diff --git a/hosts/nitter/configuration.nix b/hosts/nitter/configuration.nix
new file mode 100644
index 0000000..9abb412
--- /dev/null
+++ b/hosts/nitter/configuration.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+{
+  boot.loader.grub = {
+    enable = true;
+    version = 2;
+    device = "/dev/vda";
+  };
+
+  networking = {
+    hostName = "nitter";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
diff --git a/hosts/nitter/default.nix b/hosts/nitter/default.nix
new file mode 100644
index 0000000..6aae884
--- /dev/null
+++ b/hosts/nitter/default.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+  imports = [
+    ./configuration.nix
+    ./nginx.nix
+    ./nitter.nix
+  ];
+}
diff --git a/hosts/nitter/nginx.nix b/hosts/nitter/nginx.nix
new file mode 100644
index 0000000..cdec9b4
--- /dev/null
+++ b/hosts/nitter/nginx.nix
@@ -0,0 +1,29 @@
+{ ... }:
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      "nixos-nitter.vs.grzb.de" = {
+        locations."/robots.txt" = {
+          return = "200 \"User-agent: *\\nDisallow: /\\n\"";
+        };
+
+        locations."/" = {
+          proxyPass = "http://localhost:8080";
+          extraConfig =
+            "proxy_http_version 1.1;" +
+            "proxy_set_header Upgrade $http_upgrade;" +
+            "proxy_set_header Connection \"upgrade\";" +
+            "proxy_set_header Host $host;"
+            ;
+        };
+      };
+    };
+  };
+}
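Review bot: the `"nixos-nitter.vs.grzb.de"` virtualHost has no `forceSSL`/`enableACME` (or `sslCertificate`), so nginx serves Nitter over plain HTTP only, while hosts/nitter/nitter.nix sets `server.https = true` so Nitter emits https:// links; unless TLS is terminated by another proxy in front of this VM (plausible given the `vs.` hostname and `replaceTwitter = "birdsite.nekover.se"`), one of the two settings is wrong. If TLS should end here: `forceSSL = true; enableACME = true;` plus `security.acme.acceptTerms = true;` and `security.acme.defaults.email`. Note also nginx's inheritance rule: any `proxy_set_header` at location level discards all inherited ones, so the X-Real-IP/X-Forwarded-* headers that `recommendedProxySettings` emits are not sent for `/`; either re-add the ones Nitter needs or drop the Upgrade/Connection pair if Nitter has no WebSocket endpoint. As a style point, the `+`-concatenated `extraConfig` would read better as an `''…''` indented string with one directive per line.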
diff --git a/hosts/nitter/nitter.nix b/hosts/nitter/nitter.nix
new file mode 100644
index 0000000..de780ac
--- /dev/null
+++ b/hosts/nitter/nitter.nix
@@ -0,0 +1,19 @@
+{ ... }:
+{
+  services.nitter = {
+    enable = true;
+
+    server = {
+      title = "Birdsite";
+      https = true;
+      address = "0.0.0.0";
+      port = 8080;
+    };
+    
+    preferences = {
+      theme = "Mastodon";
+      replaceTwitter = "birdsite.nekover.se";
+      infiniteScroll = true;
+    };
+  };
+}
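Review bot: `server.address = "0.0.0.0"` binds Nitter on every interface although nginx.nix proxies to `http://localhost:8080`, and with the firewall disabled in configuration.nix port 8080 is reachable directly, bypassing nginx and its robots.txt rule; `address = "127.0.0.1";` is all the proxy needs. `https = true` only changes the scheme of generated links, so it depends on TLS actually being terminated somewhere in front of Nitter, which nginx.nix does not configure. The blank line before `preferences` carries trailing whitespace.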
diff --git a/hosts/tor-relay/configuration.nix b/hosts/tor-relay/configuration.nix
new file mode 100644
index 0000000..637244a
--- /dev/null
+++ b/hosts/tor-relay/configuration.nix
@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./tor.nix
+  ];
+
+  networking = {
+    hostName = "tor-relay";
+    firewall.enable = false;
+  };
+
+  system.stateVersion = "23.05";
+}
diff --git a/hosts/tor-relay/tor.nix b/hosts/tor-relay/tor.nix
new file mode 100644
index 0000000..54e9888
--- /dev/null
+++ b/hosts/tor-relay/tor.nix
@@ -0,0 +1,18 @@
+{ ... }:
+{
+  services.tor = {
+    enable = true;
+
+    settings = {
+      Nickname = "vsm";
+      ORPort = 9001;
+      ExitRelay = false;
+      SOCKSPort = 0;
+      ControlSocket = null;
+      ContactInfo = "admin@grzb.de";
+      RelayBandwidthRate = "70 MBits";
+      RelayBandwidthBurst = "150 Mbits";
+      DirPort = 9030;
+    };
+  };
+}
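Review bot: `RelayBandwidthRate = "70 MBits"` and `RelayBandwidthBurst = "150 Mbits"` spell the unit differently; tor parses units case-insensitively as far as I recall, but writing both as `"MBits"` removes the doubt. In the 23.05 module a relay is normally declared with `services.tor.relay.enable = true;` and `services.tor.relay.role = "relay";`, which also feeds ORPort/DirPort into the module's own checks and lets `services.tor.openFirewall = true;` open exactly those two ports instead of the `firewall.enable = false` in configuration.nix; I'd verify that a bare `settings.ORPort` evaluates without an assertion before relying on it. `ExitRelay = false`, `SOCKSPort = 0` and `ControlSocket = null` are the right choices for a middle relay.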
diff --git a/users/yuri/default.nix b/users/yuri/default.nix
new file mode 100644
index 0000000..f85b37e
--- /dev/null
+++ b/users/yuri/default.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+  users.users.yuri = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEvM35w+UaSpDTuaG5pGPgfHcfwscr+wSZN9Z5Jle82 yuri@kiara"
+    ];
+  };
+}