vpn for radio+drastikbot

zuckerberg 2021-09-24 12:47:53 -04:00
parent 4464af3796
commit de9c03977b
4 changed files with 81 additions and 36 deletions


@ -17,11 +17,12 @@ in {
type = lib.types.str;
example = "fallback.mp3";
};
nginx = lib.mkEnableOption "enable nginx";
};
config = lib.mkIf cfg.enable {
services.icecast = {
listen.address = "127.0.0.1";
listen.address = "0.0.0.0";
listen.port = 8001;
admin.password = "hackme";
extraConf = ''
@ -49,7 +50,7 @@ in {
</mount>
'';
};
services.nginx.virtualHosts.${cfg.hostname} = {
services.nginx.virtualHosts.${cfg.hostname} = lib.mkIf cfg.nginx {
enableACME = true;
forceSSL = true;
locations."/${cfg.mount}" = {


@ -33,6 +33,7 @@ in {
Domain radio is hosted on
'';
};
nginx = lib.mkEnableOption "enable nginx";
};
config = lib.mkIf cfg.enable {
@ -43,17 +44,17 @@ in {
fallback = "fallback.mp3";
};
services.nginx.virtualHosts.${cfg.host} = {
services.nginx.virtualHosts.${cfg.host} = lib.mkIf cfg.nginx {
enableACME = true;
forceSSL = true;
locations."/".root = inputs.radio-web;
};
users.users.${cfg.user} = {
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
createHome = true;
isSystemUser = true;
group = cfg.group;
home = cfg.dataDir;
createHome = true;
};
users.groups.${cfg.group} = {};
systemd.services.radio = {

flake.lock generated

@ -5,11 +5,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1631325864,
"narHash": "sha256-bBvrjUS0qfgC4LPFthGJ5E8Fl0f5UvlrCB3o5Bnn9ys=",
"lastModified": 1631896269,
"narHash": "sha256-DAyCxJ8JacayOzGgGSfzrn7ghtsfL/EsCyk1NEUaAR8=",
"owner": "ryantm",
"repo": "agenix",
"rev": "5c5bc282565f03f9c5b3d6e72b7cb985706148a6",
"rev": "daf1d773989ac5d949aeef03fce0fe27e583dbca",
"type": "github"
},
"original": {
@ -98,8 +98,8 @@
},
"nixpkgs-peertube": {
"locked": {
"lastModified": 1630887850,
"narHash": "sha256-VcVFlhVuceolv1FZdle0q47tSHLRXFHCus7A9PJGUjc=",
"lastModified": 1631196474,
"narHash": "sha256-/9EnOH/pNgFR2sWdTQ954abxWVQHE5vlYY5js71vFi8=",
"owner": "GoogleBot42",
"repo": "nixpkgs",
"rev": "7fc03b76db3e5bf655bb3a9f5ee2f115e528944b",
@ -114,11 +114,11 @@
},
"nixpkgs_2": {
"locked": {
"lastModified": 1631452463,
"narHash": "sha256-/BMbXjACbkemEB0cULa4/DFNAHusavOzRJL/VX2FIuM=",
"lastModified": 1632291606,
"narHash": "sha256-oEN24XJYAFK9tsD13TzLEizpgQigEfgC6i9x1b/1pVU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e85f0175e3effe9ba191d66c09e8f1b7d6362d5e",
"rev": "83413f47809790e4ca012e314e7782adeae36cf2",
"type": "github"
},
"original": {
@ -163,11 +163,11 @@
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1631585589,
"narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=",
"lastModified": 1632501907,
"narHash": "sha256-desvMZ1BZd+1BdGJ3Au2l5Su9zJCltygOw+/h4iClNg=",
"ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473",
"revCount": 38,
"rev": "72995c0d3a1c1209ee038fd78539973a355798ec",
"revCount": 39,
"type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git"
},


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }:
{ config, pkgs, lib, inputs, ... }:
let
mta-sts-web = {
@ -78,8 +78,6 @@ in {
age.secrets.peertube-smtp.file = ../../secrets/peertube-smtp.age;
networking.firewall.allowedTCPPorts = [ 1935 ];
services.drastikbot.enable = true;
services.searx = {
enable = true;
environmentFile = "/run/secrets/searx";
@ -123,21 +121,61 @@ in {
});
};
services.radio = {
enable = true;
host = "radio.neet.space";
# wrap radio and drastikbot in a VPN
containers.vpn-continer = {
ephemeral = true;
autoStart = true;
bindMounts = {
"/var/lib" = {
hostPath = "/var/lib/";
isReadOnly = false;
};
};
bindMounts = {
"/run/secrets" = {
hostPath = "/run/secrets";
isReadOnly = true;
};
};
enableTun = true;
privateNetwork = true;
hostAddress = "172.16.100.1";
localAddress = "172.16.100.2";
config = {
imports = [
../../common/common.nix
];
pia.enable = true;
nixpkgs.pkgs = pkgs;
services.drastikbot.enable = true;
services.radio = {
enable = true;
host = "radio.neet.space";
};
};
};
# hardware accelerated video encoding/decoding (on intel)
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
# load the secret on behalf of the container
age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
# icecast endpoint
services.nginx.virtualHosts."radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/stream.mp3" = {
proxyPass = "http://172.16.100.2:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
};
hardware.opengl = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965
];
extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel ];
# radio website
services.nginx.virtualHosts."radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/".root = inputs.radio-web;
};
services.nginx.virtualHosts."paradigminteractive.agency" = {
@ -227,6 +265,7 @@ in {
forceSSL = true;
};
# iodine DNS-based vpn
services.iodine.server = {
enable = true;
ip = "192.168.99.1";
@ -235,9 +274,13 @@ in {
};
age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nat.enable = true;
networking.nat.internalInterfaces = [ "dns0" ];
networking.nat.internalInterfaces = [
"dns0" # iodine
"ve-vpn-continer" # vpn container
];
networking.nat.externalInterface = "enp1s0";
security.acme.acceptTerms = true;
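Review bot: The container declared at `containers.vpn-continer` bind-mounts the host's entire `/var/lib` read-write and all of `/run/secrets`, so the two services being moved behind the VPN still get write access to every other service's state on the host and can read every host secret (the searx environment file, the peertube SMTP secret, the iodine secret) although only `pia-login.conf` is loaded for the container; mount just the state directories the radio and drastikbot modules use and the single PIA secret instead. `bindMounts` is also assigned twice in the same attrset — if both blocks are really on the new side (the rendered diff has lost its +/- markers) Nix rejects that with "attribute 'bindMounts' already defined", so they need merging into one set either way. Because `ve-vpn-continer` is added to `networking.nat.internalInterfaces`, anything the container emits that is not routed into the tun — before the PIA tunnel is up, or if the pia module has no kill switch, which is not visible here — leaves via `enp1s0` with the host's public address; a comment on that NAT entry, or a container firewall rule permitting only the tun device and the host link, would make the intended isolation explicit. The name `vpn-continer` looks like a typo for `vpn-container` and is repeated in the derived NAT interface name. The host module's enclosing attrset begins and ends outside these hunks.
```nix
containers.vpn-continer = {
  ephemeral = true;
  autoStart = true;
  # one bindMounts attrset: a second `bindMounts = { … };` in the same set does not merge
  bindMounts = {
    # TODO(review): substitute the state directories the radio and drastikbot
    # modules actually use; the host's whole /var/lib is far too wide a grant
    "/var/lib/radio" = { hostPath = "/var/lib/radio"; isReadOnly = false; };
    "/var/lib/drastikbot" = { hostPath = "/var/lib/drastikbot"; isReadOnly = false; };
    # only the secret the container's pia module consumes, not every host secret
    "/run/secrets/pia-login.conf" = {
      hostPath = "/run/secrets/pia-login.conf";
      isReadOnly = true;
    };
  };
  # … unchanged: enableTun, privateNetwork, host/local addresses, config …
};
```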