From de9c03977bfda86c932446da8f3f15e01f98a6ab Mon Sep 17 00:00:00 2001 From: zuckerberg <5-zuckerberg@users.noreply.git.neet.dev> Date: Fri, 24 Sep 2021 12:47:53 -0400 Subject: [PATCH] vpn for radio+drastikbot --- common/server/icecast.nix | 5 ++- common/server/radio.nix | 11 ++--- flake.lock | 24 +++++----- machines/liza/configuration.nix | 77 +++++++++++++++++++++++++-------- 4 files changed, 81 insertions(+), 36 deletions(-) diff --git a/common/server/icecast.nix b/common/server/icecast.nix index a38ef0f..3ed1aa8 100644 --- a/common/server/icecast.nix +++ b/common/server/icecast.nix @@ -17,11 +17,12 @@ in { type = lib.types.str; example = "fallback.mp3"; }; + nginx = lib.mkEnableOption "enable nginx"; }; config = lib.mkIf cfg.enable { services.icecast = { - listen.address = "127.0.0.1"; + listen.address = "0.0.0.0"; listen.port = 8001; admin.password = "hackme"; extraConf = '' @@ -49,7 +50,7 @@ in { ''; }; - services.nginx.virtualHosts.${cfg.hostname} = { + services.nginx.virtualHosts.${cfg.hostname} = lib.mkIf cfg.nginx { enableACME = true; forceSSL = true; locations."/${cfg.mount}" = { diff --git a/common/server/radio.nix b/common/server/radio.nix index 4868a2d..53e0251 100644 --- a/common/server/radio.nix +++ b/common/server/radio.nix @@ -33,6 +33,7 @@ in { Domain radio is hosted on ''; }; + nginx = lib.mkEnableOption "enable nginx"; }; config = lib.mkIf cfg.enable { @@ -43,17 +44,17 @@ in { fallback = "fallback.mp3"; }; - services.nginx.virtualHosts.${cfg.host} = { + services.nginx.virtualHosts.${cfg.host} = lib.mkIf cfg.nginx { enableACME = true; forceSSL = true; locations."/".root = inputs.radio-web; }; users.users.${cfg.user} = { - isSystemUser = true; - group = cfg.group; - home = cfg.dataDir; - createHome = true; + isSystemUser = true; + group = cfg.group; + home = cfg.dataDir; + createHome = true; }; users.groups.${cfg.group} = {}; systemd.services.radio = { diff --git a/flake.lock b/flake.lock index 2739f67..ad2dcf4 100644 --- a/flake.lock 
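Review bot: Changing `listen.address` from `127.0.0.1` to `0.0.0.0` makes icecast, including its admin interface with the hard-coded `admin.password = "hackme"` visible in this hunk's context, reachable on every interface of whatever host or container imports this module, not only the one the nginx virtual host proxies. Rather than flipping the default for every consumer, expose it as an option that keeps the loopback default and let the VPN container override it, e.g. `listenAddress = lib.mkOption { type = lib.types.str; default = "127.0.0.1"; };` in `options` and `listen.address = cfg.listenAddress;` in `config`. Separately, `lib.mkEnableOption` prefixes its argument with "Whether to enable", so the new `nginx` option here (and the identical one in the radio.nix hunk below) renders as "Whether to enable enable nginx."; `lib.mkEnableOption "the nginx virtual host"` reads correctly. The enclosing `options` and `config` attribute sets begin before and end after this hunk.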
+++ b/flake.lock @@ -5,11 +5,11 @@ "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1631325864, - "narHash": "sha256-bBvrjUS0qfgC4LPFthGJ5E8Fl0f5UvlrCB3o5Bnn9ys=", + "lastModified": 1631896269, + "narHash": "sha256-DAyCxJ8JacayOzGgGSfzrn7ghtsfL/EsCyk1NEUaAR8=", "owner": "ryantm", "repo": "agenix", - "rev": "5c5bc282565f03f9c5b3d6e72b7cb985706148a6", + "rev": "daf1d773989ac5d949aeef03fce0fe27e583dbca", "type": "github" }, "original": { @@ -98,8 +98,8 @@ }, "nixpkgs-peertube": { "locked": { - "lastModified": 1630887850, - "narHash": "sha256-VcVFlhVuceolv1FZdle0q47tSHLRXFHCus7A9PJGUjc=", + "lastModified": 1631196474, + "narHash": "sha256-/9EnOH/pNgFR2sWdTQ954abxWVQHE5vlYY5js71vFi8=", "owner": "GoogleBot42", "repo": "nixpkgs", "rev": "7fc03b76db3e5bf655bb3a9f5ee2f115e528944b", @@ -114,11 +114,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1631452463, - "narHash": "sha256-/BMbXjACbkemEB0cULa4/DFNAHusavOzRJL/VX2FIuM=", + "lastModified": 1632291606, + "narHash": "sha256-oEN24XJYAFK9tsD13TzLEizpgQigEfgC6i9x1b/1pVU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e85f0175e3effe9ba191d66c09e8f1b7d6362d5e", + "rev": "83413f47809790e4ca012e314e7782adeae36cf2", "type": "github" }, "original": { @@ -163,11 +163,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1631585589, - "narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=", + "lastModified": 1632501907, + "narHash": "sha256-desvMZ1BZd+1BdGJ3Au2l5Su9zJCltygOw+/h4iClNg=", "ref": "main", - "rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473", - "revCount": 38, + "rev": "72995c0d3a1c1209ee038fd78539973a355798ec", + "revCount": 39, "type": "git", "url": "https://git.neet.dev/zuckerberg/radio.git" }, diff --git a/machines/liza/configuration.nix b/machines/liza/configuration.nix index 8eb4084..4cb2b7f 100644 --- a/machines/liza/configuration.nix +++ b/machines/liza/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, lib, inputs, ... }: let mta-sts-web = { 
@@ -78,8 +78,6 @@ in { age.secrets.peertube-smtp.file = ../../secrets/peertube-smtp.age; networking.firewall.allowedTCPPorts = [ 1935 ]; - services.drastikbot.enable = true; - services.searx = { enable = true; environmentFile = "/run/secrets/searx"; @@ -123,21 +121,61 @@ in { }); }; - services.radio = { - enable = true; - host = "radio.neet.space"; + # wrap radio and drastikbot in a VPN + containers.vpn-continer = { + ephemeral = true; + autoStart = true; + bindMounts = { + "/var/lib" = { + hostPath = "/var/lib/"; + isReadOnly = false; + }; + }; + bindMounts = { + "/run/secrets" = { + hostPath = "/run/secrets"; + isReadOnly = true; + }; + }; + enableTun = true; + privateNetwork = true; + hostAddress = "172.16.100.1"; + localAddress = "172.16.100.2"; + + config = { + imports = [ + ../../common/common.nix + ]; + pia.enable = true; + nixpkgs.pkgs = pkgs; + + services.drastikbot.enable = true; + services.radio = { + enable = true; + host = "radio.neet.space"; + }; + }; }; - # hardware accelerated video encoding/decoding (on intel) - nixpkgs.config.packageOverrides = pkgs: { - vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; }; + # load the secret on behalf of the container + age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf; + + # icecast endpoint + services.nginx.virtualHosts."radio.neet.space" = { + enableACME = true; + forceSSL = true; + locations."/stream.mp3" = { + proxyPass = "http://172.16.100.2:8001/stream.mp3"; + extraConfig = '' + add_header Access-Control-Allow-Origin *; + ''; + }; }; - hardware.opengl = { - enable = true; - extraPackages = with pkgs; [ - intel-media-driver # LIBVA_DRIVER_NAME=iHD - vaapiIntel # LIBVA_DRIVER_NAME=i965 - ]; - extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel ]; + + # radio website + services.nginx.virtualHosts."radio.neet.space" = { + enableACME = true; + forceSSL = true; + locations."/".root = inputs.radio-web; }; services.nginx.virtualHosts."paradigminteractive.agency" = { 
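Review bot: `containers.vpn-continer` defines `bindMounts` twice in the same attribute set, and the module's top-level set defines `services.nginx.virtualHosts."radio.neet.space"` twice (once for `/stream.mp3`, once for `/`); Nix rejects duplicate attribute definitions at evaluation time, so this configuration cannot be built as written, and each pair needs merging into one definition as below. The mounts also grant far more than the two services need: the whole host `/var/lib` read-write and all of `/run/secrets` read-only are visible inside the container, so a compromise of radio or drastikbot reaches every other service's state and secrets on liza, whereas binding only the radio/drastikbot state directories and `/run/secrets/pia-login.conf` (plus whatever secrets those two services read) would be the least-privilege form. The attribute name `vpn-continer` looks like a typo for `vpn-container`; if it is renamed, the interface name `ve-vpn-continer` in the later NAT hunk must change with it. The removal of the `hardware.opengl`/`vaapiIntel` block in this hunk is not mentioned in the commit message; if it was deliberate, a line in the description saying so would help.
```nix
  # wrap radio and drastikbot in a VPN
  containers.vpn-continer = {
    ephemeral = true;
    autoStart = true;
    # single bindMounts set: a second `bindMounts =` in the same set is an evaluation error
    bindMounts = {
      "/var/lib" = {
        hostPath = "/var/lib/";
        isReadOnly = false;
      };
      "/run/secrets" = {
        hostPath = "/run/secrets";
        isReadOnly = true;
      };
    };
    # … unchanged: enableTun, privateNetwork, hostAddress, localAddress, config …
  };

  # … unchanged: age.secrets."pia-login.conf" …

  # icecast endpoint and radio website share one virtual host
  services.nginx.virtualHosts."radio.neet.space" = {
    enableACME = true;
    forceSSL = true;
    locations."/stream.mp3" = {
      proxyPass = "http://172.16.100.2:8001/stream.mp3";
      extraConfig = ''
        add_header Access-Control-Allow-Origin *;
      '';
    };
    locations."/".root = inputs.radio-web;
  };
```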
@@ -227,6 +265,7 @@ in { forceSSL = true; }; + # iodine DNS-based vpn services.iodine.server = { enable = true; ip = "192.168.99.1"; @@ -235,9 +274,13 @@ in { }; age.secrets.iodine.file = ../../secrets/iodine.age; networking.firewall.allowedUDPPorts = [ 53 ]; + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; networking.nat.enable = true; - networking.nat.internalInterfaces = [ "dns0" ]; + networking.nat.internalInterfaces = [ + "dns0" # iodine + "ve-vpn-continer" # vpn container + ]; networking.nat.externalInterface = "enp1s0"; security.acme.acceptTerms = true;
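Review bot: The new `boot.kernel.sysctl."net.ipv4.ip_forward" = 1;` looks redundant: as far as I recall, `networking.nat.enable = true` (set two lines below) already turns on IPv4 forwarding through `net.ipv4.conf.all.forwarding`, so if the explicit sysctl is kept for clarity a comment such as `# explicit: NAT for iodine and the VPN container depends on forwarding` would stop it being dropped later. More importantly for the `ve-vpn-continer` addition, this NAT rule masquerades everything the container sends out of `enp1s0` unconditionally, so while the PIA tunnel inside the container is down or not yet up, radio and drastikbot traffic leaves over the host's public address instead of the VPN; unless the `pia` module (not part of this diff) already installs an egress rule confining the container to its tunnel interface, a container-side kill switch is worth adding. The interface name must match the container attribute name `vpn-continer` from the earlier hunk, typo included, so the two should be changed together if it is ever renamed.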