yuzuru: Init

This commit is contained in:
Simon Bruder 2021-09-08 18:23:21 +02:00
parent b1f4b8b4b5
commit f4bf1ced57
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
17 changed files with 448 additions and 0 deletions


@ -5,6 +5,7 @@ keys:
- &vueko BB046D773F54739757553A053CB9B8EFD7FED749 - &vueko BB046D773F54739757553A053CB9B8EFD7FED749
- &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E - &fuuko 2372651C56E22972C2D9F3F569C8187C9C43754E
- &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3 - &mayushii 23EEDF49AAF1B41DCD1CD10F44A37FA8C15053B3
- &yuzuru F4B5F6971A1FAEA1216FCE1C6745A652A31186DB
creation_rules: creation_rules:
- path_regex: machines/nunotaba/secrets\.yaml$ - path_regex: machines/nunotaba/secrets\.yaml$
key_groups: key_groups:
@ -31,6 +32,11 @@ creation_rules:
- pgp: - pgp:
- *simon - *simon
- *mayushii - *mayushii
- path_regex: machines/yuzuru/secrets\.yaml$
key_groups:
- pgp:
- *simon
- *yuzuru
- path_regex: secrets\.yaml$ - path_regex: secrets\.yaml$
key_groups: key_groups:
- pgp: - pgp:

28
keys/machines/yuzuru.asc Normal file

@ -0,0 +1,28 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=5Ki8
-----END PGP PUBLIC KEY BLOCK-----


@ -36,4 +36,10 @@ in
hardware.common-pc-ssd hardware.common-pc-ssd
]; ];
}; };
yuzuru = {
system = "x86_64-linux";
nixpkgs = inputs.nixpkgs-unstable;
targetHost = "yuzuru.sbruder.xyz";
};
} }


@ -75,6 +75,7 @@ in
"mayushii.vpn.sbruder.de:9100" "mayushii.vpn.sbruder.de:9100"
"sayuri.vpn.sbruder.de:9100" "sayuri.vpn.sbruder.de:9100"
"vueko.vpn.sbruder.de:9100" "vueko.vpn.sbruder.de:9100"
"yuzuru.vpn.sbruder.de:9100"
]; ];
} }
{ {

18
machines/yuzuru/README.md Normal file

@ -0,0 +1,18 @@
# yuzuru
## Hardware
[Hetzner Cloud](https://hetzner.com/cloud) CX11 (1 vCPU, 2 GB RAM, 20 GB SSD).
It has no swap, since the disk is already small enough.
## Purpose
It provides privacy-friendly proxies/alternatives to popular web services:
* Invidious
* Libreddit
* Nitter
## Name
Yuzuru Nishimiya is a character from *A Silent Voice*


@ -0,0 +1,39 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules
./services/invidious
./services/libreddit.nix
./services/nitter.nix
./services/sbruder.xyz
];
sbruder = {
nginx.hardening.enable = true;
wireguard.home.enable = true;
full = false;
trusted = false;
};
networking.hostName = "yuzuru";
system.stateVersion = "21.05";
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
};
services.journald.extraConfig = ''
MaxRetentionSec=1week
'';
}
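Review bot: `MaxRetentionSec=1week` only bounds the systemd journal, while nginx on NixOS writes its access log to /var/log/nginx/access.log by default rather than to journald, so the one-week deletion promise made in the privacy section of index.md is not enforced for request logs unless the `sbruder.nginx.hardening` module (outside this commit) turns access logging off. If it does not, either add `services.nginx.appendHttpConfig = "access_log off;";` or route the access log into the journal so the same retention applies. Either way a comment next to the journald block, e.g. `# one-week retention is promised in services/sbruder.xyz/index.md`, would tie the setting to the commitment it backs.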


@ -0,0 +1,39 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/profiles/qemu-guest.nix")
];
boot = {
initrd.kernelModules = [ "nvme" ];
loader.grub.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0";
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/b8ceb0bf-1a67-484b-bf57-c16653c23716";
fsType = "btrfs";
options = [ "discard=async" "noatime" "compress=zstd" ];
};
};
networking = {
useDHCP = false;
usePredictableInterfaceNames = false;
interfaces.eth0 = {
useDHCP = true;
ipv6.addresses = lib.singleton {
address = "2a01:4f9:c010:e4a7::";
prefixLength = 64;
};
};
defaultGateway6 = {
address = "fe80::1";
interface = "eth0";
};
};
# no smart on qemu disk
services.smartd.enable = false;
}
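Review bot: `ipv6.addresses` on eth0 assigns `2a01:4f9:c010:e4a7::` with prefix 64, i.e. the all-zero interface identifier, which RFC 4291 §2.6.1 reserves as the subnet-router anycast address. Linux accepts it and it will generally work on a cloud /64, but the conventional host address `2a01:4f9:c010:e4a7::1` avoids using an address that is by definition anycast and sidesteps any stack or provider filter that treats it specially. If `::` was chosen deliberately, a short comment saying so would stop the next reader from "fixing" it.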


@ -0,0 +1,53 @@
invidious-extra-settings: ENC[AES256_GCM,data:sWvf8ASNUTmdRj9HTsXCkPDg0yQ+Hc+ddnHst72pGBKq0403o5erMzudPm5TVvTEzHeeNDB5d+lTt760s6S2diUMc8l/k3G8Z9loYf0Dpx7o,iv:vqyzZ2B4WQB7AmGDp64nu+Xi+6Jxm6m7D3SUfYq0DZs=,tag:aeQQLerfBEjkpi1NW1x2jw==,type:str]
wg-home-private-key: ENC[AES256_GCM,data:KIUvsIhz2Rc4uHRQla714xfOxL9ke1WzRAbXVTDd6UyNkYQkuYIxIpmXQw4=,iv:usnONR35DtIVH2CV4tGSBz5FsZyMlEDzSQiYLDQLRnw=,tag:M1V4HhtByXogMacjajl1iw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-09-08T16:21:04Z"
mac: ENC[AES256_GCM,data:8Q52a8+6mO/LCjNR7yo4olqz8fJIqus7XUZ6FtRzzlEGeYvkBD6zFuz0QJBUl8gRtmj04tQWUn4fEKz8LApSluHXHoBv4/WVBNm/vL9T2k7SiAJmxhbU5wZmNt+Hg++Kvn8yZ6KXgpG6KVl5qu+/CHuJu2m39AvpTj9NJ+ThCUc=,iv:r037pF9rVUqe87+D7pVjxqgFM/hFALSWHFx8kB/fXFk=,tag:GsA95+KyajrKb5XMpVOB2g==,type:str]
pgp:
- created_at: "2021-09-08T16:11:14Z"
enc: |
-----BEGIN PGP MESSAGE-----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=rPPP
-----END PGP MESSAGE-----
fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
- created_at: "2021-09-08T16:11:14Z"
enc: |
-----BEGIN PGP MESSAGE-----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=h33S
-----END PGP MESSAGE-----
fp: F4B5F6971A1FAEA1216FCE1C6745A652A31186DB
unencrypted_suffix: _unencrypted
version: 3.7.1


@ -0,0 +1,33 @@
From 3c692fc4fd5ea7faefc6b6ef63c9b6b20205a1cb Mon Sep 17 00:00:00 2001
From: Simon Bruder <simon@sbruder.de>
Date: Thu, 9 Sep 2021 16:56:57 +0200
Subject: [PATCH] Prefer opus audio streams in listen mode
---
src/invidious/views/components/player.ecr | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/invidious/views/components/player.ecr b/src/invidious/views/components/player.ecr
index 6418f66b..73524cfd 100644
--- a/src/invidious/views/components/player.ecr
+++ b/src/invidious/views/components/player.ecr
@@ -7,6 +7,16 @@
<source src="<%= URI.parse(hlsvp).request_target %><% if params.local %>?local=true<% end %>" type="application/x-mpegURL" label="livestream">
<% else %>
<% if params.listen %>
+ <%
+ opus_streams = audio_streams.select { |fmt|
+ metadata = itag_to_metadata?(fmt["itag"])
+ metadata ? metadata["acodec"] == "opus" : false
+ }.reverse!
+ if opus_streams.size > 0
+ audio_streams = opus_streams
+ end
+ audio_streams.sort_by! { |fmt| fmt["bitrate"].as_i }.reverse!
+ %>
<% audio_streams.each_with_index do |fmt, i| %>
<source src="/latest_version?id=<%= video.id %>&itag=<%= fmt["itag"] %><% if params.local %>&local=true<% end %>" type='<%= fmt["mimeType"] %>' label="<%= fmt["bitrate"] %>k" selected="<%= i == 0 ? true : false %>">
<% end %>
--
2.31.1
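Review bot: The `.reverse!` closing the `select` block in `player.ecr` is dead work: `audio_streams` is completely re-sorted by bitrate two lines later, and since Crystal's `sort_by!` is (as far as I know) not a stable sort, the earlier order cannot even serve as a tie-break. Drop it and write the guard idiomatically, `unless opus_streams.empty?`. Note also that the bitrate sort runs unconditionally, so the patch reorders non-opus streams as well, which is more than the subject line promises; if that is intended, a one-line comment above the sort (`# highest bitrate first, whatever the codec`) would document it. The enclosing ECR conditional starts and ends outside the hunk.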


@ -0,0 +1,49 @@
{ config, pkgs, ... }:
{
sops.secrets.invidious-extra-settings = {
sopsFile = ../../secrets.yaml;
group = "keys"; # not ideal, but required since the invidious user is dynamic
mode = "440";
};
systemd.services.invidious.serviceConfig.SupplementaryGroups = [ "keys" ];
services.invidious = {
enable = true;
package = pkgs.invidious.overrideAttrs (o: o // {
patches = (o.patches or [ ]) ++ [
./0001-Prefer-opus-audio-streams-in-listen-mode.patch
];
});
nginx.enable = true;
domain = "iv.sbruder.xyz";
settings = {
host_binding = "127.0.0.1";
log_level = "Warn";
default_user_preferences = {
# allow higher qualities
quality = "dash";
quality_dash = "auto";
# humane volume
volume = 50;
# no “popular” content
feed_menu = [ "Subscriptions" "Playlists" ];
default_home = ""; # search on /
};
disable_proxy = [ "downloads" ]; # legal precaution
local = true; # no external requests
use_pubsub_feeds = true;
modified_source_code_url = "https://github.com/sbruder/invidious/tree/patches";
};
extraSettingsFile = config.sops.secrets.invidious-extra-settings.path;
};
services.nginx.virtualHosts."iv.sbruder.xyz" = {
locations = {
"/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
"/privacy".return = "301 'https://sbruder.xyz/#privacy'";
};
};
}
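Review bot: `sops.secrets.invidious-extra-settings` is made readable by the whole `keys` group (`mode = "440"`) and invidious is granted that group via `SupplementaryGroups`; the comment explains why, but the consequence is that any other unit on this host that is placed in `keys` the same way can read this secret too. That is acceptable for a single-purpose VPS, but worth stating where the decision is made, e.g. `# readable by every member of keys — keep other services out of that group`, so the exposure is visible when the next service is added. If the invidious module accepts an arbitrary path for `extraSettingsFile`, `LoadCredential` with a `$CREDENTIALS_DIRECTORY` path would scope the secret to this unit alone even with a dynamic user; that depends on module internals not visible here.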


@ -0,0 +1,19 @@
{ config, ... }:
let
cfg = config.services.libreddit;
in
{
services.libreddit = {
enable = true;
address = "127.0.0.1";
};
services.nginx.virtualHosts."libreddit.sbruder.xyz" = {
forceSSL = true;
enableACME = true;
locations = {
"/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
"/".proxyPass = "http://${cfg.address}:${toString cfg.port}";
};
};
}


@ -0,0 +1,44 @@
{ config, lib, ... }:
let
cfg = config.services.nitter;
in
{
services.nitter = {
enable = true;
server = {
port = 8081;
hostname = "nitter.sbruder.xyz";
address = "127.0.0.1";
};
preferences = {
theme = "Auto";
replaceTwitter = "${cfg.server.hostname}";
muteVideos = true;
hlsPlayback = true;
replaceYouTube = "${config.services.invidious.domain}";
};
};
services.nginx.virtualHosts.${cfg.server.hostname} = {
forceSSL = true;
enableACME = true;
locations = {
"/robots.txt".return = "200 'User-agent: *\\nDisallow: /'";
"/" = {
proxyPass = "http://${cfg.server.address}:${toString cfg.server.port}";
extraConfig =
let
# workaround for nginx dropping parent headers
# see https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md
parentHeaders = lib.concatStringsSep "\n" (lib.filter
(lib.hasPrefix "add_header ")
(lib.splitString "\n" config.services.nginx.commonHttpConfig));
in
''
${parentHeaders}
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' blob:; style-src 'self' 'unsafe-inline'";
'';
};
};
};
}
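Review bot: The `Content-Security-Policy` added in `extraConfig` allows `'unsafe-inline'` for `script-src`, which gives up the policy's main protection against injected scripts; whether Nitter's templates actually require inline scripts is not visible here. If they do, a comment next to the header stating that (and that `blob:` is presumably for the HLS player enabled by `hlsPlayback = true`) would keep the next reader from tightening it and breaking playback; if they do not, drop `'unsafe-inline'`. Separately, the `lib.hasPrefix "add_header "` filter only matches lines that start at column 0, so an indented `add_header` in `commonHttpConfig` would be silently dropped by the workaround; matching with `builtins.match "[[:space:]]*add_header .*"` or documenting the assumption would make the failure mode explicit.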


@ -0,0 +1 @@
index.html


@ -0,0 +1,40 @@
{ pkgs, ... }:
{
services.nginx.virtualHosts."sbruder.xyz" = {
forceSSL = true;
enableACME = true;
root = pkgs.stdenvNoCC.mkDerivation {
name = "sbruder.xyz";
src = ./.;
nativeBuildInputs = with pkgs; [ pandoc ];
buildPhase = ''
runHook preBuild
pandoc \
-s \
--metadata-file metadata.yaml \
-f commonmark_x \
-t html5 \
-o index.html \
index.md
runHook postBuild
'';
installPhase = ''
runHook preInstall
install -D index.html $out/index.html
runHook postInstall
'';
};
locations = {
"/imprint/".alias = "${pkgs.sbruder.imprint}/";
};
};
}


@ -0,0 +1,64 @@
On this domain, the following services are currently available:
* [Invidious](https://iv.sbruder.xyz)
* [Libreddit](https://libreddit.sbruder.xyz)
* [Nitter](https://nitter.sbruder.xyz)
They are all semi-public instances.
That means, they are not included in lists of public instances,
but feel free to use them for personal purposes.
You can do so by using a browser plugin like [Privacy Redirect](https://github.com/SimonBrazell/privacy-redirect)
and configuring the addresses to point to this server.
However, please note the following if you want to use them:
* These services are provided as-is without any guarantees.
* You must not use these services for any activities illegal under Finnish or German law.
* You must not use these services to interfere with the operation of the services
or the sites that originally provide the data.
* Please dont over/abuse these services.
They run on a tiny VPS and wont be able to handle high workloads.
Also note the following service-specific things:
* **Invidious**: There are no backups, so you are responsible for using the data export feature to back up important data.
The VPS providing the services is running NixOS.
The configuration is available [here](https://git.sbruder.de/simon/nixos-config/src/branch/master/machines/yuzuru).
If you have any questions, please [contact me](https://sbruder.de).
## A Note to Copyright Holders
The services are only relaying content that is otherwise already available on the Internet.
If your rights are infringed by content available from this site,
please report this to the site originally making it available.
Otherwise the content will still be available on the Internet.
If you still want to report illegal content to me instead of the original site,
send me an Email to the address stated in the imprint.
This is the fastest way to resolve the issue,
so please use that if you care about it.
## Imprint
See [Imprint](/imprint/).
## Privacy
The Libreddit and Nitter services do not store your personally identifiable information.
If you log in to an Invidious account,
the data you provide to the service will be stored.
You can export or delete that data by using its built-in data control feature.
In the case of an error, details of the problematic request might be stored on the server
and used strictly for debugging and fixing the error.
Those logs will be deleted after one week.
#### Fine Print
<small>
This site and the services provided by it are not associated with YouTube, Reddit and/or Twitter.
Trademarks are property of their respective owners.
</small>


@ -0,0 +1,3 @@
title: sbruder.xyz
mainfont: Roboto, Helvetica, Arial, sans-serif


@ -18,6 +18,11 @@ let
address = "10.80.0.9"; address = "10.80.0.9";
publicKey = "nnLdgywXmDg8HWH6I0G28Z2zb4OmmyFDpnvvEBzKJTg="; publicKey = "nnLdgywXmDg8HWH6I0G28Z2zb4OmmyFDpnvvEBzKJTg=";
}; };
yuzuru = {
address = "10.80.0.8";
publicKey = "2pQ2r0q+960dq7wXr1c5Shcz6K+rdhIA8fKAu2Lnhl0=";
public = true;
};
}; };
cfg = config.sbruder.wireguard.home; cfg = config.sbruder.wireguard.home;