yuzuru: Init

.sops.yaml

@@ -5,6 +5,7 @@ keys:
   - &vueko BB046D773F54739757553A053CB9B8EFD7FED749
   - &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E
   - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
+  - &yuzuru F4B5F6971A1FAEA1216FCE1C6745A652A31186DB
 creation_rules:
   - path_regex: machines/nunotaba/secrets\.yaml$
     key_groups:
@@ -31,6 +32,11 @@ creation_rules:
     - pgp:
       - *simon
       - *mayushii
+  - path_regex: machines/yuzuru/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *simon
+      - *yuzuru
   - path_regex: secrets\.yaml$
     key_groups:
     - pgp:

keys/machines/yuzuru.asc

@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEADlgmSvdnFWue1i5dS1qA9df+cRQDA1NDBHYm5dGpsTe7xghvde
+9B1aAzWxbxeppwr2IHvLo1boWyH0ODC5HFxvleaYd6R9oLljQvxZEPq8ANWMyxDx
+T4MyRlLClegMrUaCoQTFxoO7LFujrhKPC1+r/JVBBehJrpw31WAUQV2SLDTPFRMJ
+GVAJXR1vplafbftlkI9K3t12T1RrD1D5QxPtFPPEdwdfPQ8CDE7cCado9iv+P3e+
+9gA3fE0HJzS1ZRySF0sZ5lP3RX3ZBoY7z/8s3ZHGCYfD9ssGwZS5ByjMk2eJiPY2
+tX0ZwffBdzAwyq64e1/ddubGTIhKNPd5Iy2GCnOEgPMC8TCke5Zz5IeInUE3ANyS
+zkuwpCbqT8Vu541yqhs8+dOnH3srgks9OH2Ar2ctMWx3gmICDoCLHrWfbvlkqUwB
+cxnGxAeNzOXiem1Fu5IJwVC5JR1+5b4dqa3k+f/nuWRizvrU26OP/1S+NTz3T7/W
+TEF6KyE7+dy3K4IO95SDYwVp6mF/0fh4FTahNi6B1BDEAZKZjaVXyd2TOk77Y7si
+Tc98E4SUTUlRRCLh8SmUmxalI168LLgGMwUWhDvRw6EP7uh9FBEi1kLXnN6am0kP
+q1jgQL798DzFwcgEYTx7rTDHZLkbwrxWA32Lpu3T6twtaZiQE+o7wuXMTQARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQZ0WmUqMRhtsCGw8CGQEAAIyAEAA89dyQvXx4sS7I1nRlMw9q
+Agbi4h1lrCifEH6srlInbg3kZNgnlsDY+cVCIiy8m/Oyupn0U4uduMI8P7R5kgWQ
+g9+FKFXoLK8P1kO5gani+tWNmBW49leSN8un9YAviKele5wDM/Dg+rNbWDaYHKu5
+SspZV/SiP0JkxXOgxkMgOOl97kNmvv6O3qYHPG5rz5P/YV0pdDSi1cfhdREvTPAl
+eNqzMrdEuE/GUrYJYeF8kN+TswBubTgy4WBqQdMlS+Go1B/7HQd56pl5BHiHM8HZ
+l01ljbgqdYdggmXt7CI90Txe3RRduzKS4ncEQ1VVQiXEmOzU7emu+DFwknGnSgTW
+gW6Nps3u2XhcsJNczf2PdEzDAv0oNAp4So7JdTGetkJ1Yw4quS0l1XWWBm+cf376
+nanAGkENvuBbS36kgHNjNT1EnUnyJoMDMnc1AmSSlTf/ORc+JrzM4PtMonhWJTAU
+eM66tozyJ3qYWApiI2doYwMDuh/u3jvqpTddxklaNFUOxIA2VITP0EgCFkVjW2u3
+0gPY2tV6AtcxcUn1NnhS92xf0//O4fcGOwlTvNaPqDuF0mk9OazAPQ5L37mfNZzb
+XUc3AyZXRZNhlE+aNfeJSKtzFCpGUJfstPmkdOwPxK29G4GDbjzWevpYF9Rv6Xpq
+Ky38rXnis6Hpih/z6/7HOg==
+=5Ki8
+-----END PGP PUBLIC KEY BLOCK-----

machines/default.nix

@@ -36,4 +36,10 @@ in
       hardware.common-pc-ssd
     ];
   };
+  yuzuru = {
+    system = "x86_64-linux";
+    nixpkgs = inputs.nixpkgs-unstable;
+
+    targetHost = "yuzuru.sbruder.xyz";
+  };
 }

machines/fuuko/services/prometheus.nix

@@ -75,6 +75,7 @@ in
           "mayushii.vpn.sbruder.de:9100"
           "sayuri.vpn.sbruder.de:9100"
           "vueko.vpn.sbruder.de:9100"
+          "yuzuru.vpn.sbruder.de:9100"
         ];
       }
       {

machines/yuzuru/README.md

@@ -0,0 +1,18 @@
+# yuzuru
+
+## Hardware
+
+[Hetzner Cloud](https://hetzner.com/cloud) CX11 (1 vCPU, 2 GB RAM, 20 GB SSD).
+It has no swap, since the disk is already small enough.
+
+## Purpose
+
+It provides privacy-friendly proxies/alternatives to popular web services:
+
+ * Invidious
+ * Libreddit
+ * Nitter
+
+## Name
+
+Yuzuru Nishimiya is a character from *A Silent Voice*

machines/yuzuru/configuration.nix

@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+
+    ./services/invidious
+    ./services/libreddit.nix
+    ./services/nitter.nix
+    ./services/sbruder.xyz
+  ];
+
+  sbruder = {
+    nginx.hardening.enable = true;
+    wireguard.home.enable = true;
+    full = false;
+    trusted = false;
+  };
+
+  networking.hostName = "yuzuru";
+
+  system.stateVersion = "21.05";
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx = {
+    enable = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+  };
+
+  services.journald.extraConfig = ''
+    MaxRetentionSec=1week
+  '';
+}

machines/yuzuru/hardware-configuration.nix

@@ -0,0 +1,39 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd.kernelModules = [ "nvme" ];
+    loader.grub.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0";
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/b8ceb0bf-1a67-484b-bf57-c16653c23716";
+      fsType = "btrfs";
+      options = [ "discard=async" "noatime" "compress=zstd" ];
+    };
+  };
+
+  networking = {
+    useDHCP = false;
+    usePredictableInterfaceNames = false;
+    interfaces.eth0 = {
+      useDHCP = true;
+      ipv6.addresses = lib.singleton {
+        address = "2a01:4f9:c010:e4a7::";
+        prefixLength = 64;
+      };
+    };
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "eth0";
+    };
+  };
+
+  # no smart on qemu disk
+  services.smartd.enable = false;
+}

machines/yuzuru/secrets.yaml

@@ -0,0 +1,53 @@
+invidious-extra-settings: ENC[AES256_GCM,data:sWvf8ASNUTmdRj9HTsXCkPDg0yQ+Hc+ddnHst72pGBKq0403o5erMzudPm5TVvTEzHeeNDB5d+lTt760s6S2diUMc8l/k3G8Z9loYf0Dpx7o,iv:vqyzZ2B4WQB7AmGDp64nu+Xi+6Jxm6m7D3SUfYq0DZs=,tag:aeQQLerfBEjkpi1NW1x2jw==,type:str]
+wg-home-private-key: ENC[AES256_GCM,data:KIUvsIhz2Rc4uHRQla714xfOxL9ke1WzRAbXVTDd6UyNkYQkuYIxIpmXQw4=,iv:usnONR35DtIVH2CV4tGSBz5FsZyMlEDzSQiYLDQLRnw=,tag:M1V4HhtByXogMacjajl1iw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-09-08T16:21:04Z"
+    mac: ENC[AES256_GCM,data:8Q52a8+6mO/LCjNR7yo4olqz8fJIqus7XUZ6FtRzzlEGeYvkBD6zFuz0QJBUl8gRtmj04tQWUn4fEKz8LApSluHXHoBv4/WVBNm/vL9T2k7SiAJmxhbU5wZmNt+Hg++Kvn8yZ6KXgpG6KVl5qu+/CHuJu2m39AvpTj9NJ+ThCUc=,iv:r037pF9rVUqe87+D7pVjxqgFM/hFALSWHFx8kB/fXFk=,tag:GsA95+KyajrKb5XMpVOB2g==,type:str]
+    pgp:
+        - created_at: "2021-09-08T16:11:14Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAwDgSONkM+d4ARAAhB2PfDQ+KeTI22tc2i4Bc5mVUMDHVpUFn81GzEubwrL0
+            xKqhDgCYfOogahJ7nvor/kLo0YSQuNs8mSJEgnBVnC4GnzeTQucJ5y8Ke/erBV0P
+            xscrZSINv4XtUllGFKc6LcKC+J9sbEcjDUMLwTiMBMcnhjm6mjOkT46ldIwXfnVq
+            vbKaVvUj0U/6awt0f/mqmce8PNfHzJ6rubcEEplBTLG/Qu+tmYFNVcWtsmP21SCt
+            u3Va9JeKmkIa83MY1khtnpSA2rnUa/acZL7vTRTcpCh8qvShtfoMrn9BKTjFhV6i
+            ggrkZKf4StJ+A1wgqw2IbwTH+M+5FM5loI4/9xQnkPkyiJIQByZXwQP2/EmuFpPE
+            sF5UByFTrpC/d7kN7R/xXFcGDIf384RM7Ia4W4XleyKUJ4XHWDkecFU1oT1kLcsA
+            kIYNgjEq4TSAVJMCKa4q3fQilaJ0K27Bvs3p90brzVEnM128k6eavpkrcjojs0JU
+            mV3ixEcS9OBwFfmQolekEt9TJebGNVmzg89TAQ3xn3DAJJPtBsmgM1LliJ39/ev3
+            SeO1rQPBWaxurKksWsDoqcqUtB0r+yR/flfh+Lr+iAgi+fS4W67WwcPm/9SENlUV
+            8OJ/YEkFxhBGiwJEudIGXQ965Z7+wSbpn1ILUaEvGvWvuOg1L6KjCUVbIbH92fjS
+            XAETVqe2zqU2IENVIY/HiMfUQG58M+CVytaWr4zyQ9X4Fc9BmvmjUgSn/4d/LdU3
+            kDT/tDL1fvdX1prXIGUseScSQGPxOamWFB3TPqzWdjhvbkEtT8wp8FqKP/Es
+            =rPPP
+            -----END PGP MESSAGE-----
+          fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
+        - created_at: "2021-09-08T16:11:14Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA2dFplKjEYbbARAAyvcLSp8ktZ/dqVROfa+xeeIFt9J5EGREnAgES2h9wy8m
+            21tsQWPajIwD3H52XW6Z1s0nxG8qUe1bz9RWvd51sonmZZobezagr9YfDMTMji8Z
+            Hmj+fQ0OdhQdJgaUc8JObvmTNeJyjodKS4TbOZqT/SCheS7DhnzcucqlN0uiVuHT
+            DIUzhM1uzHKcU8IOSclz4LPWLrKvn1yuRGKOplBuvwvd5g2I4QA5obq9Je4WYKEv
+            XL9quQfWW2OBV5XMK132Ttv6aXSJcrxDiI5CsvKivOcB+Rw9wjEesMJ9wBe8Od0L
+            jP/ehkGBsxq107M9srbn2WKjkvXFwpdDzpaQG2w1ZSIwHnsNunlDiU95oIDUcW3Y
+            p0JeL9Nn7uBvsnOKkBMCgXNH1VOBSLxRUDHlDVJIHWNl7TCqPfzKCc8ttq+lbmOf
+            dbATPhXh9wXQ1GgduexFGK4DSKteqSC8bgKC5JnmLx2ijOSgLGxaL4snAs3oqD2Q
+            gQptmLgiuFlof98l3TVJDN1yc6ononyIA72gvQ7e+zme6Q7UkkXU7gJHnd9k9YAL
+            7GQcxn9kTCz/iXxC3+ac/IMZae9b5bz8UGZdsI47RoovZ3dJlGj8jkjPJ7QTfZml
+            9EVuGkO0qWyPDzy14VTaCtKjtTOGm5iZwd8G63BPbaAlfyd6412QbisyC5ClICLS
+            TgF/ABxdrd/GbBzs3w7/8bAjR13EAVJWzqUQgKxluP0UxIthZn5od2f3pPaEyvfd
+            30eBLqpclcaQNIbGtv0qr5Ehjs26uKbAOXmNX+GbdA==
+            =h33S
+            -----END PGP MESSAGE-----
+          fp: F4B5F6971A1FAEA1216FCE1C6745A652A31186DB
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1

machines/yuzuru/services/invidious/0001-Prefer-opus-audio-streams-in-listen-mode.patch

@@ -0,0 +1,33 @@
+From 3c692fc4fd5ea7faefc6b6ef63c9b6b20205a1cb Mon Sep 17 00:00:00 2001
+From: Simon Bruder <simon@sbruder.de>
+Date: Thu, 9 Sep 2021 16:56:57 +0200
+Subject: [PATCH] Prefer opus audio streams in listen mode
+
+---
+ src/invidious/views/components/player.ecr | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/invidious/views/components/player.ecr b/src/invidious/views/components/player.ecr
+index 6418f66b..73524cfd 100644
+--- a/src/invidious/views/components/player.ecr
++++ b/src/invidious/views/components/player.ecr
+@@ -7,6 +7,16 @@
+         <source src="<%= URI.parse(hlsvp).request_target %><% if params.local %>?local=true<% end %>" type="application/x-mpegURL" label="livestream">
+     <% else %>
+         <% if params.listen %>
++            <%
++            opus_streams = audio_streams.select { |fmt|
++                metadata = itag_to_metadata?(fmt["itag"])
++                metadata ? metadata["acodec"] == "opus" : false
++            }.reverse!
++            if opus_streams.size > 0
++                audio_streams = opus_streams
++            end
++            audio_streams.sort_by! { |fmt| fmt["bitrate"].as_i }.reverse!
++            %>
+             <% audio_streams.each_with_index do |fmt, i| %>
+                 <source src="/latest_version?id=<%= video.id %>&itag=<%= fmt["itag"] %><% if params.local %>&local=true<% end %>" type='<%= fmt["mimeType"] %>' label="<%= fmt["bitrate"] %>k" selected="<%= i == 0 ? true : false %>">
+             <% end %>
+-- 
+2.31.1
+

machines/yuzuru/services/invidious/default.nix

@@ -0,0 +1,49 @@
+{ config, pkgs, ... }:
+
+{
+  sops.secrets.invidious-extra-settings = {
+    sopsFile = ../../secrets.yaml;
+    group = "keys"; # not ideal, but required since the invidious user is dynamic
+    mode = "440";
+  };
+  systemd.services.invidious.serviceConfig.SupplementaryGroups = [ "keys" ];
+
+  services.invidious = {
+    enable = true;
+    package = pkgs.invidious.overrideAttrs (o: o // {
+      patches = (o.patches or [ ]) ++ [
+        ./0001-Prefer-opus-audio-streams-in-listen-mode.patch
+      ];
+    });
+    nginx.enable = true;
+    domain = "iv.sbruder.xyz";
+    settings = {
+      host_binding = "127.0.0.1";
+      log_level = "Warn";
+      default_user_preferences = {
+        # allow higher qualities
+        quality = "dash";
+        quality_dash = "auto";
+
+        # humane volume
+        volume = 50;
+
+        # no “popular” content
+        feed_menu = [ "Subscriptions" "Playlists" ];
+        default_home = ""; # search on /
+      };
+      disable_proxy = [ "downloads" ]; # legal precaution
+      local = true; # no external requests
+      use_pubsub_feeds = true;
+      modified_source_code_url = "https://github.com/sbruder/invidious/tree/patches";
+    };
+    extraSettingsFile = config.sops.secrets.invidious-extra-settings.path;
+  };
+
+  services.nginx.virtualHosts."iv.sbruder.xyz" = {
+    locations = {
+      "/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
+      "/privacy".return = "301 'https://sbruder.xyz/#privacy'";
+    };
+  };
+}

machines/yuzuru/services/libreddit.nix

@@ -0,0 +1,19 @@
+{ config, ... }:
+let
+  cfg = config.services.libreddit;
+in
+{
+  services.libreddit = {
+    enable = true;
+    address = "127.0.0.1";
+  };
+
+  services.nginx.virtualHosts."libreddit.sbruder.xyz" = {
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
+      "/".proxyPass = "http://${cfg.address}:${toString cfg.port}";
+    };
+  };
+}

machines/yuzuru/services/nitter.nix

@@ -0,0 +1,44 @@
+{ config, lib, ... }:
+let
+  cfg = config.services.nitter;
+in
+{
+  services.nitter = {
+    enable = true;
+    server = {
+      port = 8081;
+      hostname = "nitter.sbruder.xyz";
+      address = "127.0.0.1";
+    };
+    preferences = {
+      theme = "Auto";
+      replaceTwitter = "${cfg.server.hostname}";
+      muteVideos = true;
+      hlsPlayback = true;
+      replaceYouTube = "${config.services.invidious.domain}";
+    };
+  };
+
+  services.nginx.virtualHosts.${cfg.server.hostname} = {
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
+      "/" = {
+        proxyPass = "http://${cfg.server.address}:${toString cfg.server.port}";
+        extraConfig =
+          let
+            # workaround for nginx dropping parent headers
+            # see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
+            parentHeaders = lib.concatStringsSep "\n" (lib.filter
+              (lib.hasPrefix "add_header ")
+              (lib.splitString "\n" config.services.nginx.commonHttpConfig));
+          in
+          ''
+            ${parentHeaders}
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'";
+          '';
+      };
+    };
+  };
+}

machines/yuzuru/services/sbruder.xyz/.gitignore

@@ -0,0 +1 @@
+index.html

machines/yuzuru/services/sbruder.xyz/default.nix

@@ -0,0 +1,40 @@
+{ pkgs, ... }:
+
+{
+  services.nginx.virtualHosts."sbruder.xyz" = {
+    forceSSL = true;
+    enableACME = true;
+
+    root = pkgs.stdenvNoCC.mkDerivation {
+      name = "sbruder.xyz";
+
+      src = ./.;
+
+      nativeBuildInputs = with pkgs; [ pandoc ];
+
+      buildPhase = ''
+        runHook preBuild
+
+        pandoc \
+            -s \
+            --metadata-file metadata.yaml \
+            -f commonmark_x \
+            -t html5 \
+            -o index.html \
+            index.md
+
+        runHook postBuild
+      '';
+
+      installPhase = ''
+        runHook preInstall
+        install -D index.html $out/index.html
+        runHook postInstall
+      '';
+    };
+
+    locations = {
+      "/imprint/".alias = "${pkgs.sbruder.imprint}/";
+    };
+  };
+}

machines/yuzuru/services/sbruder.xyz/index.md

@@ -0,0 +1,64 @@
+On this domain, the following services are currently available:
+
+ * [Invidious](https://iv.sbruder.xyz)
+ * [Libreddit](https://libreddit.sbruder.xyz)
+ * [Nitter](https://nitter.sbruder.xyz)
+
+They are all semi-public instances.
+That means, they are not included in lists of public instances,
+but feel free to use them for personal purposes.
+
+You can do so by using a browser plugin like [Privacy Redirect](https://github.com/SimonBrazell/privacy-redirect)
+and configuring the addresses to point to this server.
+
+However, please note the following if you want to use them:
+
+ * These services are provided as-is without any guarantees.
+ * You must not use these services for any activities illegal under Finnish or German law.
+ * You must not use these services to interfere with the operation of the services
+   or the sites that originally provide the data.
+ * Please don’t over/abuse these services.
+   They run on a tiny VPS and won’t be able to handle high workloads.
+
+Also note the following service-specific things:
+
+ * **Invidious**: There are no backups, so you are responsible for using the data export feature to back up important data.
+
+The VPS providing the services is running NixOS.
+The configuration is available [here](https://git.sbruder.de/simon/nixos-config/src/branch/master/machines/yuzuru).
+
+If you have any questions, please [contact me](https://sbruder.de).
+
+## A Note to Copyright Holders
+
+The services are only relaying content that is otherwise already available on the Internet.
+If your rights are infringed by content available from this site,
+please report this to the site originally making it available.
+Otherwise the content will still be available on the Internet.
+
+If you still want to report illegal content to me instead of the original site,
+send me an Email to the address stated in the imprint.
+This is the fastest way to resolve the issue,
+so please use that if you care about it.
+
+## Imprint
+
+See [Imprint](/imprint/).
+
+## Privacy
+
+The Libreddit and Nitter services do not store your personally identifiable information.
+If you log in to an Invidious account,
+the data you provide to the service will be stored.
+You can export or delete that data by using its built-in data control feature.
+
+In the case of an error, details of the problematic request might be stored on the server
+and used strictly for debugging and fixing the error.
+Those logs will be deleted after one week.
+
+#### Fine Print
+
+<small>
+This site and the services provided by it are not associated with YouTube, Reddit and/or Twitter.
+Trademarks are property of their respective owners.
+</small>

machines/yuzuru/services/sbruder.xyz/metadata.yaml

@@ -0,0 +1,3 @@
+title: sbruder.xyz
+
+mainfont: Roboto, Helvetica, Arial, sans-serif

modules/wireguard/home.nix

@@ -18,6 +18,11 @@ let
       address = "10.80.0.9";
       publicKey = "nnLdgywXmDg8HWH6I0G28Z2zb4OmmyFDpnvvEBzKJTg=";
     };
+    yuzuru = {
+      address = "10.80.0.8";
+      publicKey = "2pQ2r0q+960dq7wXr1c5Shcz6K+rdhIA8fKAu2Lnhl0=";
+      public = true;
+    };
   };
 
   cfg = config.sbruder.wireguard.home;