authortv <tv@krebsco.de>2021-01-18 15:24:18 +0100
committertv <tv@krebsco.de>2021-01-18 15:24:18 +0100
commitff6f5ef5e1cdbd27b2211c54643fa2754f888cbb (patch)
treeb33763a7ac8040efe988f8bed2fe1c649cc155dd /lass/2configs
parent7b7ebd8708885633c926c21a4b71d5d4ce8931cf (diff)
parent2a32b7731496615e43a06ec1049f6716c49a1999 (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/exim-smarthost.nix114
-rw-r--r--lass/2configs/green-host.nix19
-rw-r--r--lass/2configs/jitsi.nix21
-rw-r--r--lass/2configs/tests/dummy-secrets/mails.nix1
-rw-r--r--lass/2configs/tv.nix128
5 files changed, 167 insertions, 116 deletions
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 797864b15..b677fe455 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -1,120 +1,10 @@
{ config, lib, pkgs, ... }: with import <stockholm/lib>; let
to = concatStringsSep "," [
- "lass@blue.r"
+ "lass@green.r"
];
- mails = [
- "postmaster@lassul.us"
- "lass@lassul.us"
- "lassulus@lassul.us"
- "test@lassul.us"
- "outlook@lassul.us"
- "steuer@aidsballs.de"
- "lass@aidsballs.de"
- "wordpress@ubikmedia.de"
- "finanzamt@lassul.us"
- "netzclub@lassul.us"
- "nebenan@lassul.us"
- "feed@lassul.us"
- "art@lassul.us"
- "irgendwas@lassul.us"
- "polo@lassul.us"
- "shack@lassul.us"
- "nix@lassul.us"
- "c-base@lassul.us"
- "paypal@lassul.us"
- "patreon@lassul.us"
- "steam@lassul.us"
- "securityfocus@lassul.us"
- "radio@lassul.us"
- "btce@lassul.us"
- "raf@lassul.us"
- "apple@lassul.us"
- "coinbase@lassul.us"
- "tomtop@lassul.us"
- "aliexpress@lassul.us"
- "business@lassul.us"
- "payeer@lassul.us"
- "github@lassul.us"
- "bitwala@lassul.us"
- "bitstamp@lassul.us"
- "bitcoin.de@lassul.us"
- "ableton@lassul.us"
- "dhl@lassul.us"
- "sipgate@lassul.us"
- "coinexchange@lassul.us"
- "verwaltung@lassul.us"
- "gearbest@lassul.us"
- "binance@lassul.us"
- "bitfinex@lassul.us"
- "alternate@lassul.us"
- "redacted@lassul.us"
- "mytaxi@lassul.us"
- "pizza@lassul.us"
- "robinhood@lassul.us"
- "drivenow@lassul.us"
- "aws@lassul.us"
- "reddit@lassul.us"
- "banggood@lassul.us"
- "immoscout@lassul.us"
- "gmail@lassul.us"
- "amazon@lassul.us"
- "humblebundle@lassul.us"
- "meetup@lassul.us"
- "gebfrei@lassul.us"
- "github@lassul.us"
- "ovh@lassul.us"
- "hetzner@lassul.us"
- "allygator@lassul.us"
- "immoscout@lassul.us"
- "elitedangerous@lassul.us"
- "boardgamegeek@lassul.us"
- "qwertee@lassul.us"
- "zazzle@lassul.us"
- "hackbeach@lassul.us"
- "transferwise@lassul.us"
- "cis@lassul.us"
- "afra@lassul.us"
- "ksp@lassul.us"
- "ccc@lassul.us"
- "neocron@lassul.us"
- "osmocom@lassul.us"
- "lesswrong@lassul.us"
- "nordvpn@lassul.us"
- "csv-direct@lassul.us"
- "nintendo@lassul.us"
- "overleaf@lassul.us"
- "box@lassul.us"
- "paloalto@lassul.us"
- "subtitles@lassul.us"
- "lobsters@lassul.us"
- "fysitech@lassul.us"
- "threema@lassul.us"
- "ubisoft@lassul.us"
- "kottezeller@lassul.us"
- "pie@lassul.us"
- "vebit@lassul.us"
- "vcvrack@lassul.us"
- "epic@lassul.us"
- "microsoft@lassul.us"
- "stickers@lassul.us"
- "nextbike@lassul.us"
- "mytello@lassul.us"
- "camp@lassul.us"
- "urlwatch@lassul.us"
- "lidl@lassul.us"
- "geizhals@lassul.us"
- "auschein@lassul.us"
- "tleech@lassul.us"
- "durstexpress@lassul.us"
- "acme@lassul.us"
- "antstore@lassul.us"
- "openweather@lassul.us"
- "lobsters@lassul.us"
- "rewe@lassul.us"
- "spotify@lassul.us"
- ];
+ mails = import <secrets/mails.nix>;
in {
environment.systemPackages = [ pkgs.review-mail-queue ];
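Review bot: The expected shape of `<secrets/mails.nix>` is not documented at the `mails = import <secrets/mails.nix>;` line, and the only sample in the tree is the dummy `[]`. A comment such as `# secrets/mails.nix: list of address strings, e.g. [ "postmaster@example.org" ]` would tell whoever provisions a new host what to put there. The addresses removed here also stay readable in the repository history, so the move only keeps future additions private. How `mails` is consumed lies outside the hunk.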
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
new file mode 100644
index 000000000..1f17c78c8
--- /dev/null
+++ b/lass/2configs/green-host.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ <stockholm/lass/2configs/container-networking.nix>
+ <stockholm/lass/2configs/syncthing.nix>
+ ];
+ lass.sync-containers.containers.green = {
+ peers = [
+ "icarus"
+ "shodan"
+ "skynet"
+ "mors"
+ "littleT"
+ ];
+ hostIp = "10.233.2.15";
+ localIp = "10.233.2.16";
+ format = "ecryptfs";
+ };
+}
diff --git a/lass/2configs/jitsi.nix b/lass/2configs/jitsi.nix
new file mode 100644
index 000000000..1435ccb5c
--- /dev/null
+++ b/lass/2configs/jitsi.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+{
+
+ services.jitsi-meet = {
+ enable = true;
+ hostName = "jitsi.lassul.us";
+ config = {
+ enableWelcomePage = true;
+ requireDisplayName = true;
+ };
+ interfaceConfig = {
+ SHOW_JITSI_WATERMARK = false;
+ SHOW_WATERMARK_FOR_GUESTS = false;
+ };
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 4443"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport 10000"; target = "ACCEPT"; }
+ ];
+}
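Review bot: Nothing in this new file restricts who may open rooms. With `enableWelcomePage = true` on the public name `jitsi.lassul.us` and no authentication settings visible here, the instance presumably lets any visitor create a conference. If that is intended, a one-line comment saying so would help; otherwise room creation should require authentication. The two INPUT rules accept from any source and carry no explanation; a comment like `# jitsi-videobridge: 4443/tcp fallback, 10000/udp media` (assuming that is what they are for) would make later firewall audits easier.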
diff --git a/lass/2configs/tests/dummy-secrets/mails.nix b/lass/2configs/tests/dummy-secrets/mails.nix
new file mode 100644
index 000000000..fe51488c7
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/mails.nix
@@ -0,0 +1 @@
+[]
diff --git a/lass/2configs/tv.nix b/lass/2configs/tv.nix
index 8e208d5e5..0ca1b340f 100644
--- a/lass/2configs/tv.nix
+++ b/lass/2configs/tv.nix
@@ -32,7 +32,7 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
application/vnd.apple.mpegurl m3u8;
video/mp2t ts;
}
- root /tmp;
+ root /var/lib/rtmp/tmp;
add_header Cache-Control no-cache;
# CORS setup
@@ -106,6 +106,11 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
</html>
''};
}
+
+ location /records {
+ autoindex on;
+ root /var/lib/rtmp;
+ }
}
}
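Review bot: `location /records` turns on `autoindex` with no access control visible in the hunk, so the listing of whatever sits under `/var/lib/rtmp/records` can be browsed by anyone who can reach the server. The same block is added again for the `streaming.lassul.us` vhost in the next hunk. If the recordings are meant to be public, a comment such as `# public on purpose: finished stream recordings` is enough; otherwise add `auth_basic` or drop `autoindex on;`. Because the prefix has no trailing slash it also matches paths like `/records-old`, which `root /var/lib/rtmp` maps into the rtmp user's home directory, so `location /records/` is the tighter form. The enclosing server block starts outside the hunk.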
@@ -120,21 +125,128 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
live on;
hls on;
- hls_path /tmp/hls;
+ hls_path /var/lib/rtmp/tmp/hls;
+ hls_fragment 1;
+ hls_playlist_length 10;
dash on;
- dash_path /tmp/dash;
+ dash_path /var/lib/rtmp/tmp/dash;
}
}
}
'';
in {
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."streaming.lassul.us" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/hls".extraConfig = ''
+ # Serve HLS fragments
+ types {
+ application/vnd.apple.mpegurl m3u8;
+ video/mp2t ts;
+ }
+ root /var/lib/rtmp/tmp;
+
+ # Allow CORS preflight requests
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+
+ if ($request_method != 'OPTIONS') {
+ add_header Cache-Control no-cache;
+
+ # CORS setup
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Length';
+ }
+ '';
+ locations."/dash".extraConfig = ''
+ # Serve DASH fragments
+ types {
+ application/dash+xml mpd;
+ video/mp4 mp4;
+ }
+ root /var/lib/rtmp/tmp;
+
+ # Allow CORS preflight requests
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ if ($request_method != 'OPTIONS') {
+ add_header Cache-Control no-cache;
+
+ # CORS setup
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Length';
+ }
+ '';
+ locations."= /dash.all.min.js".extraConfig = ''
+ default_type "text/javascript";
+ alias ${pkgs.fetchurl {
+ url = "http://cdn.dashjs.org/v3.2.0/dash.all.min.js";
+ sha256 = "16f0b40gdqsnwqi01s5sz9f1q86dwzscgc3m701jd1sczygi481c";
+ }};
+ '';
+ locations."= /player".extraConfig = ''
+ default_type "text/html";
+ alias ${pkgs.writeText "player.html" ''
+ <!DOCTYPE html>
+ <html lang="en">
+ <head>
+ <meta charset="utf-8">
+ <title>lassulus livestream</title>
+ </head>
+ <body>
+ <div>
+ <video id="player" controls></video>
+ </video>
+ </div>
+ <script src="/dash.all.min.js"></script>
+ <script>
+ (function(){
+ var url = "/dash/nixos.mpd";
+ var player = dashjs.MediaPlayer().create();
+ player.initialize(document.querySelector("#player"), url, true);
+ })();
+ </script>
+ </body>
+ </html>
+ ''};
+ '';
+ locations."/records".extraConfig = ''
+ autoindex on;
+ root /var/lib/rtmp;
+ '';
+ };
+ };
+
+ fileSystems."/var/lib/rtmp/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = [ "nosuid" "nodev" "noatime" ];
+ };
+
users.users.rtmp = {
- home = "/var/lib/rmtp";
+ home = "/var/lib/rtmp";
uid = genid_uint31 "rtmp";
isNormalUser = true;
createHome = true;
+ openssh.authorizedKeys.keys = with config.krebs.users; [
+ mic92.pubkey
+ palo.pubkey
+ ];
};
systemd.services.nginx-rtmp = {
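Review bot: The tmpfs at `/var/lib/rtmp/tmp` is mounted without `mode=` or `uid=`, so its root gets the tmpfs default of a world-writable sticky directory, and that directory is the `root` for the `/hls` and `/dash` locations. Any local account can then create entries in the served tree, including `hls` or `dash` themselves before nginx-rtmp first starts. Consider `options = [ "nosuid" "nodev" "noexec" "noatime" "mode=0755" "uid=${toString config.users.users.rtmp.uid}" ];`. Separately, `addSSL = true` keeps serving every location over plain HTTP, whereas `forceSSL = true` would redirect to HTTPS.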
@@ -149,6 +261,14 @@ in {
}}/bin/nginx -c ${nginxCfg} -p /var/lib/rtmp
'';
serviceConfig = {
+ ExecStartPre = pkgs.writers.writeDash "setup-rtmp" ''
+ mkdir -p /var/lib/rtmp/tmp/hls
+ mkdir -p /var/lib/rtmp/tmp/dash
+ chown rtmp:users /var/lib/rtmp/tmp/hls
+ chown rtmp:users /var/lib/rtmp/tmp/dash
+ chmod 755 /var/lib/rtmp/tmp/hls
+ chmod 755 /var/lib/rtmp/tmp/dash
+ '';
User = "rtmp";
};
};
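Review bot: `ExecStartPre` sits next to `User = "rtmp"`, so unless something outside this hunk overrides it the setup script runs as rtmp rather than root. The two `chown rtmp:users` lines therefore cannot hand ownership over; they only succeed on directories rtmp already owns. Either say so in a comment, e.g. `# runs as rtmp; the directories it creates already have the right owner`, or run the script privileged by prefixing the command with systemd's `+`. The unit definition starts outside the hunk.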