vpn for radio+drastikbot

This commit is contained in:
zuckerberg 2021-09-24 12:47:53 -04:00
parent 4464af3796
commit de9c03977b
4 changed files with 81 additions and 36 deletions


@ -17,11 +17,12 @@ in {
type = lib.types.str; type = lib.types.str;
example = "fallback.mp3"; example = "fallback.mp3";
}; };
nginx = lib.mkEnableOption "enable nginx";
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
services.icecast = { services.icecast = {
listen.address = "127.0.0.1"; listen.address = "0.0.0.0";
listen.port = 8001; listen.port = 8001;
admin.password = "hackme"; admin.password = "hackme";
extraConf = '' extraConf = ''
@ -49,7 +50,7 @@ in {
</mount> </mount>
''; '';
}; };
services.nginx.virtualHosts.${cfg.hostname} = { services.nginx.virtualHosts.${cfg.hostname} = lib.mkIf cfg.nginx {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/${cfg.mount}" = { locations."/${cfg.mount}" = {
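Review bot: `listen.address = "0.0.0.0"` on the new side of the first hunk is unconditional, so icecast is bound on every interface of whatever network namespace it runs in even when `cfg.nginx` is true and a loopback bind behind the local proxy would do; the same hunk shows `admin.password = "hackme"`, which presumably lands in the generated icecast config, so the admin interface now answers on that wider bind as well. Tie the bind to the proxy option, `listen.address = if cfg.nginx then "127.0.0.1" else "0.0.0.0";`, or better add an explicit `listenAddress` option defaulting to `"127.0.0.1"` so a wider bind is an opt-in by the caller. The `config = lib.mkIf cfg.enable` attrset continues past the hunk.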


@ -33,6 +33,7 @@ in {
Domain radio is hosted on Domain radio is hosted on
''; '';
}; };
nginx = lib.mkEnableOption "enable nginx";
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@ -43,7 +44,7 @@ in {
fallback = "fallback.mp3"; fallback = "fallback.mp3";
}; };
services.nginx.virtualHosts.${cfg.host} = { services.nginx.virtualHosts.${cfg.host} = lib.mkIf cfg.nginx {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".root = inputs.radio-web; locations."/".root = inputs.radio-web;
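Review bot: The new `nginx = lib.mkEnableOption "enable nginx";` describes itself only as "enable nginx", while what it gates (the `lib.mkIf cfg.nginx` on the virtualHost line) is an ACME-enabled, forceSSL virtual host for `cfg.host`; the option added in the first file carries the same one-word description. Because mkEnableOption defaults to false, every existing user of either module loses that vhost on upgrade unless they set the new option, which the description should state, e.g. `nginx = lib.mkEnableOption "an ACME/forceSSL nginx virtualHost for cfg.host (off by default; the host may supply its own)";`. The enclosing `options` attrset begins before the hunk.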

flake.lock generated

@ -5,11 +5,11 @@
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1631325864, "lastModified": 1631896269,
"narHash": "sha256-bBvrjUS0qfgC4LPFthGJ5E8Fl0f5UvlrCB3o5Bnn9ys=", "narHash": "sha256-DAyCxJ8JacayOzGgGSfzrn7ghtsfL/EsCyk1NEUaAR8=",
"owner": "ryantm", "owner": "ryantm",
"repo": "agenix", "repo": "agenix",
"rev": "5c5bc282565f03f9c5b3d6e72b7cb985706148a6", "rev": "daf1d773989ac5d949aeef03fce0fe27e583dbca",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -98,8 +98,8 @@
}, },
"nixpkgs-peertube": { "nixpkgs-peertube": {
"locked": { "locked": {
"lastModified": 1630887850, "lastModified": 1631196474,
"narHash": "sha256-VcVFlhVuceolv1FZdle0q47tSHLRXFHCus7A9PJGUjc=", "narHash": "sha256-/9EnOH/pNgFR2sWdTQ954abxWVQHE5vlYY5js71vFi8=",
"owner": "GoogleBot42", "owner": "GoogleBot42",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7fc03b76db3e5bf655bb3a9f5ee2f115e528944b", "rev": "7fc03b76db3e5bf655bb3a9f5ee2f115e528944b",
@ -114,11 +114,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1631452463, "lastModified": 1632291606,
"narHash": "sha256-/BMbXjACbkemEB0cULa4/DFNAHusavOzRJL/VX2FIuM=", "narHash": "sha256-oEN24XJYAFK9tsD13TzLEizpgQigEfgC6i9x1b/1pVU=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "e85f0175e3effe9ba191d66c09e8f1b7d6362d5e", "rev": "83413f47809790e4ca012e314e7782adeae36cf2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -163,11 +163,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1631585589, "lastModified": 1632501907,
"narHash": "sha256-q4o/4/2pEuJyaKZwNQC5KHnzG1obClzFB7zWk9XSDfY=", "narHash": "sha256-desvMZ1BZd+1BdGJ3Au2l5Su9zJCltygOw+/h4iClNg=",
"ref": "main", "ref": "main",
"rev": "5bf607fed977d41a269942a7d1e92f3e6d4f2473", "rev": "72995c0d3a1c1209ee038fd78539973a355798ec",
"revCount": 38, "revCount": 39,
"type": "git", "type": "git",
"url": "https://git.neet.dev/zuckerberg/radio.git" "url": "https://git.neet.dev/zuckerberg/radio.git"
}, },


@ -1,4 +1,4 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, inputs, ... }:
let let
mta-sts-web = { mta-sts-web = {
@ -78,8 +78,6 @@ in {
age.secrets.peertube-smtp.file = ../../secrets/peertube-smtp.age; age.secrets.peertube-smtp.file = ../../secrets/peertube-smtp.age;
networking.firewall.allowedTCPPorts = [ 1935 ]; networking.firewall.allowedTCPPorts = [ 1935 ];
services.drastikbot.enable = true;
services.searx = { services.searx = {
enable = true; enable = true;
environmentFile = "/run/secrets/searx"; environmentFile = "/run/secrets/searx";
@ -123,21 +121,61 @@ in {
}); });
}; };
# wrap radio and drastikbot in a VPN
containers.vpn-continer = {
ephemeral = true;
autoStart = true;
bindMounts = {
"/var/lib" = {
hostPath = "/var/lib/";
isReadOnly = false;
};
};
bindMounts = {
"/run/secrets" = {
hostPath = "/run/secrets";
isReadOnly = true;
};
};
enableTun = true;
privateNetwork = true;
hostAddress = "172.16.100.1";
localAddress = "172.16.100.2";
config = {
imports = [
../../common/common.nix
];
pia.enable = true;
nixpkgs.pkgs = pkgs;
services.drastikbot.enable = true;
services.radio = { services.radio = {
enable = true; enable = true;
host = "radio.neet.space"; host = "radio.neet.space";
}; };
# hardware accelerated video encoding/decoding (on intel)
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
}; };
hardware.opengl = { };
enable = true; # load the secret on behalf of the container
extraPackages = with pkgs; [ age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;
intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 # icecast endpoint
]; services.nginx.virtualHosts."radio.neet.space" = {
extraPackages32 = with pkgs.pkgsi686Linux; [ vaapiIntel ]; enableACME = true;
forceSSL = true;
locations."/stream.mp3" = {
proxyPass = "http://172.16.100.2:8001/stream.mp3";
extraConfig = ''
add_header Access-Control-Allow-Origin *;
'';
};
};
# radio website
services.nginx.virtualHosts."radio.neet.space" = {
enableACME = true;
forceSSL = true;
locations."/".root = inputs.radio-web;
}; };
services.nginx.virtualHosts."paradigminteractive.agency" = { services.nginx.virtualHosts."paradigminteractive.agency" = {
@ -227,6 +265,7 @@ in {
forceSSL = true; forceSSL = true;
}; };
# iodine DNS-based vpn
services.iodine.server = { services.iodine.server = {
enable = true; enable = true;
ip = "192.168.99.1"; ip = "192.168.99.1";
@ -235,9 +274,13 @@ in {
}; };
age.secrets.iodine.file = ../../secrets/iodine.age; age.secrets.iodine.file = ../../secrets/iodine.age;
networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.allowedUDPPorts = [ 53 ];
boot.kernel.sysctl."net.ipv4.ip_forward" = 1; boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nat.enable = true; networking.nat.enable = true;
networking.nat.internalInterfaces = [ "dns0" ]; networking.nat.internalInterfaces = [
"dns0" # iodine
"ve-vpn-continer" # vpn container
];
networking.nat.externalInterface = "enp1s0"; networking.nat.externalInterface = "enp1s0";
security.acme.acceptTerms = true; security.acme.acceptTerms = true;
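Review bot: `bindMounts = { ... };` appears twice in the new `containers.vpn-continer` literal (the `/var/lib` entry and then the `/run/secrets` entry), and Nix rejects a repeated attribute in one attrset literal with "attribute 'bindMounts' already defined", so the host configuration as committed should fail to evaluate; the two entries need to be merged into a single `bindMounts`. Even merged, the mounts hand the container read-write access to all of host `/var/lib` and read-only access to every host secret under `/run/secrets` (the same file also declares peertube-smtp, searx and iodine secrets), which is far broader than the radio, drastikbot and PIA-login state the container uses, so each mount should be narrowed to the specific directory or file. Two smaller things: `age.secrets."pia-login.conf".file = ../../secrets/pia-login.conf;` is the only secret on the page without the `.age` suffix, which looks like a typo unless that file really exists unencrypted, and the container name `vpn-continer` is misspelled and already recurs as the interface name `ve-vpn-continer` in the NAT list, so it is worth correcting now before more config depends on it. The container block is fully inside the hunk; the surrounding host attrset continues outside it.

```nix
containers.vpn-continer = {
  ephemeral = true;
  autoStart = true;
  # single attrset: Nix rejects a second `bindMounts =` in the same literal
  bindMounts = {
    # TODO(review): narrow to the state dirs radio/drastikbot need, e.g. "/var/lib/<STATE-DIR>"
    "/var/lib" = {
      hostPath = "/var/lib/";
      isReadOnly = false;
    };
    # TODO(review): mount only the secret file(s) the container reads, not all host secrets
    "/run/secrets" = {
      hostPath = "/run/secrets";
      isReadOnly = true;
    };
  };
  # … unchanged: enableTun, privateNetwork, hostAddress, localAddress, config …
};
```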