From 8815c9aaee7580fa601828caa8840008a084d163 Mon Sep 17 00:00:00 2001 From: Konstantin Nazarov Date: Sat, 9 Sep 2023 22:17:02 +0100 Subject: [PATCH] Turn server and wacom stylus setup --- configuration.nix | 13 +++++-- flake.lock | 19 +++++----- flake.nix | 8 ++-- nodes/knazarovcom/configuration.nix | 58 ++++++++++++++++++++++++++++- nodes/knazarovcom/secrets.yaml | 7 ++-- secrets.yaml | 6 +-- 6 files changed, 87 insertions(+), 24 deletions(-) diff --git a/configuration.nix b/configuration.nix index 61dd0ef..2519997 100644 --- a/configuration.nix +++ b/configuration.nix @@ -158,6 +158,9 @@ in mullvad usbutils wf-recorder + xournalpp + dnsutils + #network-manager-applet (clang-tools.override { llvmPackages = llvmPackages_16; }) # mainly for clang-format (emacsWithPackagesFromUsePackage { config = ./emacs.el; @@ -178,15 +181,18 @@ in services.mullvad-vpn = { enable = true; }; - systemd.services."mullvad-daemon".postStart = let - mullvad = config.services.mullvad-vpn.package; - in '' + systemd.services."mullvad-daemon".postStart = let + mullvad = config.services.mullvad-vpn.package; + in '' while ! ${mullvad}/bin/mullvad status >/dev/null; do sleep 1; done ${mullvad}/bin/mullvad account login `cat /var/run/secrets/mullvad_account` ${mullvad}/bin/mullvad auto-connect set on ${mullvad}/bin/mullvad tunnel ipv6 set on ''; + + services.fwupd.enable = true; + services.gnome.gnome-keyring.enable = true; services.emacs.package = nixpkgs.emacsUnstablePgtk; @@ -534,6 +540,7 @@ in for_window [title="mylauncher"] floating enable for_window [title="Firefox.*Sharing Indicator"] floating enable; default_border pixel 3 + input 1386:885:Wacom_Intuos_M_Pen map_to_output HDMI-A-1 ''; }; programs.foot = { diff --git a/flake.lock b/flake.lock index e3d8116..7443820 100755 --- a/flake.lock +++ b/flake.lock 
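Review bot: The new `input 1386:885:Wacom_Intuos_M_Pen map_to_output HDMI-A-1` line in the sway hunk (`@@ -534,6 +540,7 @@`) hard-codes both a device identifier and an output name with nothing saying where they come from or why the mapping exists. A one-line sway comment above it, `# ids from swaymsg -t get_inputs; pin the tablet to the external display`, tells the next reader how to regenerate the triple when the tablet or monitor changes. The enclosing `extraConfig` string starts outside the hunk.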
@@ -90,11 +90,11 @@ ] }, "locked": { - "lastModified": 1692564691, - "narHash": "sha256-v8wXjqYnWsTjXAi+sOPsAoxWXQumsAM6K9c6N2dlEIQ=", + "lastModified": 1693772557, + "narHash": "sha256-VwHawtQ10MJ1gfASfE+iLBNrne1ryG/cUHVYDqjKejs=", "owner": "~knazarov", "repo": "knazarov.com", - "rev": "7ff545d3eea9d49f7f9fb633fd14fa9d4b06643a", + "rev": "01b3ebb18ea306084719677a097001451b6a63e9", "type": "sourcehut" }, "original": { @@ -105,27 +105,26 @@ }, "nixpkgs": { "locked": { - "lastModified": 1692525914, - "narHash": "sha256-MUgZ9/9mE/EbEQA6JPdcQHkjoR5fgvaKhpy6UO67uEc=", + "lastModified": 1693420092, + "narHash": "sha256-zCYAQsvk0oF8NkvlBMAqJ2pCtQyfhy/cpUNEzBlsg5w=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "475d5ae2c4cb87b904545bdb547af05681198fcc", + "rev": "bca2c87fe83b889c4c671c1f72767607dcc2bcc9", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-23.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-stable": { "locked": { - "lastModified": 1691693223, - "narHash": "sha256-9t8ZY1XNAsWqxAJmXgg+GXqF5chORMVnBT6PSHaRV3I=", + "lastModified": 1693341273, + "narHash": "sha256-wrsPjsIx2767909MPGhSIOmkpGELM9eufqLQOPxmZQg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "18784aac1013da9b442adf29b6c7c228518b5d3f", + "rev": "2ab91c8d65c00fd22a441c69bbf1bc9b420d5ea1", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 8bb27d6..a634537 100755 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,7 @@ { inputs = { - nixpkgs.url = github:NixOS/nixpkgs/nixos-23.05; + nixpkgs.url = github:NixOS/nixpkgs; nixpkgs-stable.url = github:NixOS/nixpkgs/nixos-23.05; home-manager.url = github:nix-community/home-manager/release-23.05; home-manager.inputs.nixpkgs.follows = "nixpkgs"; 
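Review bot: `nixpkgs.url = github:NixOS/nixpkgs;` drops the branch ref entirely, so future `nix flake update` runs follow the repository's default branch rather than a Hydra-built channel, and the lockfile hunk above shows the input has already moved off `nixos-23.05` (the removed `"ref"` entry). The desktop built through `buildSystem` in the later hunk still consumes this input, so it now tracks whatever lands on that branch when the lock is next bumped. If the intent is to track unstable, `nixpkgs.url = github:NixOS/nixpkgs/nixpkgs-unstable;` names the channel that has passed the channel tests, which is the safer thing to pin blindly.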
@@ -23,7 +23,7 @@ git-plan.inputs.nixpkgs.follows = "nixpkgs"; }; - outputs = { self, nixpkgs, home-manager, emacs-overlay, sops-nix, q-sh, knazarovcom, vmatveevacom, git-plan, ... }@attrs: + outputs = { self, nixpkgs, nixpkgs-stable, home-manager, emacs-overlay, sops-nix, q-sh, knazarovcom, vmatveevacom, git-plan, ... }@attrs: let system = "x86_64-linux"; @@ -32,13 +32,15 @@ }; buildConfig = modules: system: { inherit modules system specialArgs; }; buildSystem = modules: system: nixpkgs.lib.nixosSystem (buildConfig modules system); + buildSystemStable = modules: system: nixpkgs-stable.lib.nixosSystem (buildConfig modules system); + hostAttrs = dir: { settings = import "${dir}/host-metadata.nix"; config = import "${dir}/configuration.nix"; hw-config = import "${dir}/hardware-configuration.nix"; }; - node = dir: with hostAttrs dir; buildSystem [ + node = dir: with hostAttrs dir; buildSystemStable [ ({ config, pkgs, ... }: { nixpkgs.overlays = [ emacs-overlay.overlay q-sh.overlays.default git-plan.overlays.default ]; }) diff --git a/nodes/knazarovcom/configuration.nix b/nodes/knazarovcom/configuration.nix index c4a1375..42928d6 100644 --- a/nodes/knazarovcom/configuration.nix +++ b/nodes/knazarovcom/configuration.nix @@ -35,15 +35,20 @@ security.sudo.wheelNeedsPassword = false; nix.settings.trusted-users = [ "@wheel" ]; + users.users.nginx.extraGroups = [ "turnserver" ]; + + # Good list of bots: https://www.sci.news/robots.txt services.nginx = { enable = true; + clientMaxBodySize = "1024m"; commonHttpConfig = '' map $http_user_agent $limit_bots { default 0; ~*(AhrefsBot|PetalBot|bingbot|gptbot|ZoominfoBot|BLEXBot|Bytespider) 1; ~*(DecompilationBot|Amazonbot|Barkrowler|SeznamBot|SemrushBot) 1; ~*(MJ12bot|IonCrawl|webprosbot|Sogou|paloaltonetworks|CensysInspect) 1; - ~*(DotBot|ev-crawler) 1; + ~*(DotBot|ev-crawler|InternetMeasurement|CheckMarkNetwork|panscient) 1; + ~*(gdnplus|PunkMap|pdrlabs|SurdotlyBot|researchscan|serpstatbot) 1; } ''; virtualHosts = { 
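Review bot: `buildSystemStable` changes which nixpkgs every `node` is built from, but nothing in the hunk records that servers are now on the 23.05 release while `buildSystem` (still defined, presumably for the desktop) tracks the unpinned `nixpkgs` input. A comment above the new line, `# nodes are built from the pinned 23.05 release; the unpinned nixpkgs input is for the desktop`, keeps the split intentional rather than accidental. The `specialArgs` set used by `buildConfig` is defined before the hunk and is unchanged, so any `nixpkgs` value it forwards still comes from the unpinned input — worth confirming that is what the stable nodes should see.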
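Review bot: `users.users.nginx.extraGroups = [ "turnserver" ];` gives the web server every file the turnserver group can read, and the last hunk of this file installs `coturn_auth_secret` with `mode = "0440"` and `group = config.users.groups.turnserver.name`, so after this commit nginx can read the TURN shared secret. If the membership exists only so nginx can reach the `turn.knazarov.com` certificate (whose ACME entry is also given `group = "turnserver"`), a dedicated certificate group with both nginx and turnserver as members, leaving the secret readable by turnserver alone, keeps the two services' privileges separate. Separately, `clientMaxBodySize = "1024m";` sits at the top level of `services.nginx`, so it applies to every virtual host including the static sites; if it is there for Matrix media uploads, set it on the matrix vhost or its proxy location instead. The enclosing module attribute set starts and ends outside the hunk.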
@@ -92,6 +97,9 @@ proxyPass = "http://127.0.0.1:8008"; }; }; + "turn.knazarov.com" = { + enableACME = true; + }; }; }; security.acme.acceptTerms = true; @@ -99,6 +107,11 @@ "knazarov.com".email = "mail@knazarov.com"; "vmatveeva.com".email = "mail@knazarov.com"; "matrix.knazarov.com".email = "mail@knazarov.com"; + "turn.knazarov.com" = { + email = "mail@knazarov.com"; + postRun = "systemctl restart coturn.service"; + group = "turnserver"; + }; }; services.dendrite = { @@ -113,6 +126,14 @@ }; }; client_api.registration_shared_secret = "$REGISTRATION_SHARED_SECRET"; + client_api.turn = { + turn_user_lifetime = "5m"; + turn_uris = [ + "turn:${config.services.coturn.realm}:3478?transport=udp" + "turn:${config.services.coturn.realm}:3478?transport=tcp" + ]; + turn_shared_secret = "$COTURN_AUTH_SECRET"; + }; }; }; @@ -120,6 +141,23 @@ serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ]; }; + services.coturn = rec { + enable = true; + no-cli = true; + no-tcp-relay = true; + min-port = 49000; + max-port = 50000; + use-auth-secret = true; + static-auth-secret-file = config.sops.secrets.coturn_auth_secret.path; + realm = "turn.knazarov.com"; + cert = "${config.security.acme.certs.${realm}.directory}/full.pem"; + pkey = "${config.security.acme.certs.${realm}.directory}/key.pem"; + extraConfig = '' + # for debugging + verbose + ''; + }; + sops.defaultSopsFile = ./secrets.yaml; sops.secrets = { example_key = {}; @@ -131,9 +169,25 @@ mode = "0440"; group = config.users.groups.keys.name; }; + coturn_auth_secret = { + mode = "0440"; + group = config.users.groups.turnserver.name; + }; }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + networking.firewall = { + allowedTCPPorts = [ + 80 443 + 3478 5349 # coturn + ]; + allowedUDPPorts = [ + 3478 5349 # coturn + ]; + allowedUDPPortRanges = [{ + from = config.services.coturn.min-port; + to = config.services.coturn.max-port; + }]; + }; # networking.firewall.allowedUDPPorts = [ ... ]; system.stateVersion = "23.05"; 
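Review bot: The new `"turn.knazarov.com"` virtual host sets only `enableACME = true;` with no `forceSSL`/`addSSL`, so it appears to exist solely to answer the HTTP-01 challenge for the TURN certificate and serves nothing itself. A comment stating that, `# HTTP-only: exists to answer the ACME challenge for the coturn certificate`, stops a later reader from adding content or TLS to it by mistake. The enclosing `virtualHosts` set starts outside the hunk.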
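Review bot: `turn_uris` advertises only `turn:` on 3478 over UDP and TCP, while the coturn hunk below configures `cert`/`pkey` and the firewall hunk opens 5349, so the TLS listener is set up but clients are never told about it; add `"turns:${config.services.coturn.realm}:5349?transport=tcp"` to the list so media negotiation can fall back to TURN over TLS where plain UDP/TCP is blocked. How `$COTURN_AUTH_SECRET` is substituted into the dendrite configuration is not part of this diff; confirm that the environment file already supplying `$REGISTRATION_SHARED_SECRET` also carries the new variable and that its value matches `coturn_auth_secret`, since a mismatch only shows up as failed TURN credentials at call time. The enclosing `services.dendrite` settings block starts outside the hunk.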
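Review bot: `extraConfig` enables `verbose` under a `# for debugging` comment, which leaves per-session client addresses and allocation details in the journal of a production relay; drop it once the setup is confirmed. More importantly the relay has no peer restrictions, so an authenticated TURN client can have coturn relay to the host's own loopback and private addresses (the dendrite listener on `127.0.0.1:8008` in the earlier hunk is the obvious one), which is why the Matrix TURN guides recommend `denied-peer-ip` ranges plus `no-multicast-peers`. The `rec` binding of `realm` into `cert`/`pkey` is fine as written. The replacement `extraConfig` below covers loopback and the RFC 1918 ranges; other reserved ranges can be added the same way.
```nix
  services.coturn = rec {
    # … unchanged: enable, no-cli, no-tcp-relay, min/max-port, use-auth-secret, static-auth-secret-file, realm, cert, pkey …
    extraConfig = ''
      # Refuse to relay into the host's loopback and private networks;
      # a public TURN relay should only reach the public Internet.
      no-multicast-peers
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=::1
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
    '';
  };
```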
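Review bot: The template comment `# networking.firewall.allowedUDPPorts = [ ... ];` that survives just below the new `networking.firewall` block is now misleading, since `allowedUDPPorts` is set a few lines above it; delete it. The `allowedUDPPortRanges` entry is tied to `config.services.coturn.min-port` and `max-port`, which is the right way to keep the firewall and the relay in step, and a short comment on it, `# relay port range follows services.coturn`, records why it is not a literal. The enclosing module attribute set ends outside the hunk.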
diff --git a/nodes/knazarovcom/secrets.yaml b/nodes/knazarovcom/secrets.yaml index 5003776..2ac469e 100644 --- a/nodes/knazarovcom/secrets.yaml +++ b/nodes/knazarovcom/secrets.yaml @@ -1,6 +1,7 @@ hello: ENC[AES256_GCM,data:Bv1MBhqWVzeDc0Qx0n3QagUbEUDUjCARZNiQ4qYnX9PsiQvHN21vsBiu9blBaA==,iv:rhxag0W9EER7lNRY9WsrvOyxxvqC7DSjgI9KR71hjm4=,tag:qJoMp8G0jQGBeoakBR+Zlw==,type:str] example_key: ENC[AES256_GCM,data:J09ZRQJg34iARNVGlQ==,iv:tFtCB+FfSLJad4oQNJsyOE9lz6y3Pj8nNq4x5WswNNs=,tag:8+OWJHmXzUrDl6qrSvWlYA==,type:str] -matrix_registration_secret: ENC[AES256_GCM,data:YbEp3LRrMs3gGG9tE1CCXXWoFdV9hXaTx4/VOHwSqyxAlQWnBXGUHwI6R1fE0e6ZzLT2+9g=,iv:YXLG/GsfRxSMwLd0Trl7xjuVPdAe7krEbh5YxAYzOb8=,tag:DYoEoMGH76pkVr6DAzjj+g==,type:str] +coturn_auth_secret: ENC[AES256_GCM,data:jk/3937oUY1aaLheY3CNkEE6wzmiwcSfiA==,iv:Y3dNrZR01hyrz+6Ztabkx2LLoPzdBH0x/7HSyhMfU+o=,tag:2DZTY4Q3z8QJE+J7Xt+D9A==,type:str] +matrix_registration_secret: ENC[AES256_GCM,data:FoCJvKTy5OXBXlBgMtBniPJ+Ip1uagOobkIlf/FHdexc5n8+ijTmExq7CaLeyCoE051LQfrIkK+m7tiR7fxQmC+lO+86sFYRF12vExtsPMEnN1r1IibSWN3arUngKBCbqwg=,iv:65Nd/DPiHBxz4DrikyovEEKIOCB3xaCNZk6YOP9Sbjo=,tag:lFHj8XjI2HmDy5j+RAlZBw==,type:str] matrix_key: ENC[AES256_GCM,data:+7Ru9Q57kECDCPp/SjvdIDFGveFJ8XI8/Dv+tTwpUdRt6yNeXOT1his8kP/F9Bod5LZLKD+3mZBJV39GCfl7Mha1pQowWj3UGLwUu1o/wJ2G83YSoa9leJc9Ug9vBSixAsP34g9lUTD/zrlvQtCNjZbtqx3D4B4DTUWUmN8jiE1ah+zXoO4U5YY=,iv:gUdM5cEh+LMP++1I7F/+148u7HBY3SKQvGVcVX6bL/U=,tag:evbi9tmmlbklrpaB1tvezA==,type:str] sops: kms: [] 
@@ -17,8 +18,8 @@ sops: anBCR0NXVlhLSXVCc2swTzNqOUFOSkUKyIRL9aCv3m6Qz7OaE7dSYzFYNeeFEprW /9XLB4FzTCK3xoBeeFGevm8Z6z9k+2eku5dQUjAZ5FrVZLPM+fUgRw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-06-11T20:37:31Z" - mac: ENC[AES256_GCM,data:7ke0oXjI31ocCqOxDriTOIVTm4Y/vsNKrsS1GioenIzzUBmkc+cFABuczAbkLMr7C0AEgMdHEA57e56xArQWJTNb0juBsA4oBWzIYxm/sYhZRdh29Mbp3zoJsNkLeiSi9JjF5Rptr5k8x01CV5swthStGUMQQ0TfbAQmqG7blBg=,iv:DSMu0htVdJ02yIqm6OTFsIejV901PryF9D6U/K5XqPk=,tag:yo1h+zrv5RFL/NniiZ70Bg==,type:str] + lastmodified: "2023-09-09T21:12:52Z" + mac: ENC[AES256_GCM,data:lrMo/zclIZQf44T+K/K6JOsZUexUPkt2mQEf8I0aAKQqQBNE/GJ/w+JUNMViuAhZxbIB160MrmGWfd/9dibP0GQxmXcEw+Q+Sa1j9IahflUqiDODwF9kvLqTSsZj1HLYdfMaPJoQQqaB4IjJxvOr3AxSf0Y0m+vs8rmZ4MfCkD4=,iv:MbRuS6oEHRngRuktYlN004KwcvIsZqw4u37TOlH9Y6M=,tag:JfZWLhDxDvSa+s4vZfstyA==,type:str] pgp: - created_at: "2023-06-11T20:10:06Z" enc: |- diff --git a/secrets.yaml b/secrets.yaml index c7558a3..d4273cf 100644 --- a/secrets.yaml +++ b/secrets.yaml 
@@ -2,7 +2,7 @@ hello: ENC[AES256_GCM,data:+LPt8J+Ks1m10+zZ2Q96r3K2W6Yeng7M7+c2TYDQ+/4AJl6Xc6hVn fastmail_password: ENC[AES256_GCM,data:tHr8PqIg9DigRBu2bgjUeg==,iv:NI9bENFPuKcOt1cd2kg2DKU22J1dJ+3mK7UoceZagR4=,tag:oEgeQb1iLKisOqHi9Ds7xg==,type:str] github_token: ENC[AES256_GCM,data:E1+wrI5VUlnsqfKNH6fY7IXqHIiagAByLYCfIfdd2+HcvniAvZzaIyKB3nma5eks3csN5A9XgYXRb09lELroW00obmIWbWZPdFhDccHRtVOqFq/r+x27O/3MAkDqID5mc8xD8SqWUibr9UZfXjFcXC4bx7+a4pyy45akz9RLIJRVKDzxMBGmZ/wQcuFS9uy2Pv2yWRL7q4olzvc/kzNFRWCLU7ThIAJSIx//NluOE8xjsA==,iv:Cdc2wwGdXprch1hHd0CwJM6vUAYmfhI4FpcKjcoIZYY=,tag:so8BJtjHGcGzayPqMwy43A==,type:str] mullvad_account: ENC[AES256_GCM,data:CO4wl2vNAMEC9oy37nIrpw==,iv:a3w64u8XQ/tihIDxIPPtdZ6F7dldLPvRzGUs1MpVe4M=,tag:HQxJVuGEvI0fVj8yGptbdA==,type:str] -git_plan_config: ENC[AES256_GCM,data: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,iv:+hcn1x6A6nS2wk53pc3rkAz1RbxcHsJ7yA0UnQOqZ+c=,tag:KG1RWvsWXHFRt7zgzZSCfQ==,type:str] +git_plan_config: ENC[AES256_GCM,data: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,iv:ZDmaGvR1Eiu1NtXP1wXPvvrcm375QKinjcjHrgSj/OQ=,tag:b7y1N3thEYVQFHz7HIGz8w==,type:str] git_plan_credentials: ENC[AES256_GCM,data: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,iv:ZzOUYu3s+kfwbKajA+6fdu2EysipjoKD49muLNFBZ58=,tag:e0RI7rA8eLQI8h5L4pvS1A==,type:str] sops: kms: [] 
@@ -28,8 +28,8 @@ sops: U3loV2xDMkM5SWNXRDJobDloL0FVUUkK3OP7KvcKkE8mJ880dm6LMFZUxELjl8/P 6+q8qAYiAvl0Cbd4GzkNpUuBbLlFFWfFmC0vbgg8gyZ6xI5AFhHAPw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-16T08:55:30Z" - mac: ENC[AES256_GCM,data:YTmecy8ikC9a2oHOcBMcFfAkYzCBjPhQZewRdSDfyg5Z2b7p4M7KVPV3oyBNaZb9UHSz4/eONNh8hTTXqnPiKeaDtd8vUqxRTdbbLddF48l/MYBaKgSq8aLn/rm98afEr09FIxzu5TtMYJu/w2XinsCdllE8T7iA8rB/dJmLuEQ=,iv:O/GJ7pQFX7KrnL8mARkAFs3USa07o2+e1bmTXZrjp1Q=,tag:r/piFEQFym3lAf+hyIZe3w==,type:str] + lastmodified: "2023-09-04T08:56:05Z" + mac: ENC[AES256_GCM,data:j90tHJC29wq5E5c68/NFKLsjid+Pr90HtAQHNPfOpWKEQapYAYcLBf9OYpJvSh3errLEEVOl/aoIoycDxI0vb6gX98In4hRXP9QkJO2ew/PyDOEKGMxaoYSKnfslB0VaEHPrC3LLAm/1qtuWWSLJT02WPke8iU2KtaQgCpc1XiY=,iv:2AeIHxbIi1UqB9d2EEgHD7PWKdh8Ystt6p+N63fDSGg=,tag:789IAWnTi2L3OWxHLPSVSQ==,type:str] pgp: - created_at: "2023-06-10T01:03:11Z" enc: |-