From f14a673f96b76a6f81ebc26840cd3d5e1e554778 Mon Sep 17 00:00:00 2001
From: Nathan McCarty <nathan@mccarty.io>
Date: Fri, 13 May 2022 22:36:53 -0400
Subject: [PATCH] Migrate shadowchild to flake

---
 flake.nix                | 19 +++++++++
 hardware/shadowchild.nix | 14 +++++++
 machines/shadowchild.nix | 83 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 116 insertions(+)
 create mode 100644 hardware/shadowchild.nix
 create mode 100644 machines/shadowchild.nix

diff --git a/flake.nix b/flake.nix
index 26e18f1..1640a08 100644
--- a/flake.nix
+++ b/flake.nix
@@ -171,6 +171,25 @@
           ] ++ serverModules;
         };
 
+        shadowchild = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          specialArgs = {
+            unstable = import nixpkgs-unstable {
+              config = { allowUnfree = true; };
+              overlays = [ ];
+              system = "x86_64-linux";
+            };
+            fenix = fenix.packages.x86_64-linux;
+          };
+          modules = [
+            ./hardware/shadowchild.nix
+            ./machines/shadowchild.nix
+            ./home-linux.nix
+            ./applications/devel-rust.nix
+            ./modules/docker.nix
+          ] ++ serverModules;
+        };
+
         x86vm = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
           specialArgs = {
diff --git a/hardware/shadowchild.nix b/hardware/shadowchild.nix
new file mode 100644
index 0000000..aab4a00
--- /dev/null
+++ b/hardware/shadowchild.nix
@@ -0,0 +1,14 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+  fileSystems."/boot" = { device = "/dev/disk/by-uuid/94E8-7477"; fsType = "vfat"; };
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+  swapDevices = [{ device = "/swapfile"; }];
+}
diff --git a/machines/shadowchild.nix b/machines/shadowchild.nix
new file mode 100644
index 0000000..1635043
--- /dev/null
+++ b/machines/shadowchild.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot.cleanTmpDir = true;
+  networking.hostName = "shadowchild";
+  networking.domain = "mccarty.io";
+  networking.firewall.allowPing = true;
+
+  # Turn on nginx so we can get a lets encrypt cert
+  security.acme.email = "nathan@mccarty.io";
+  security.acme.acceptTerms = true;
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    virtualHosts."turn.community.rs" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+
+  services.coturn = rec {
+    enable = true;
+    no-cli = true;
+    no-tcp-relay = true;
+    min-port = 49000;
+    max-port = 50000;
+    use-auth-secret = true;
+    static-auth-secret = "5C1rbLi5pPJhEGTzkVR1";
+    realm = "turn.community.rs";
+    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
+    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
+    extraConfig = ''
+      # for debugging
+      verbose
+      # ban private IP ranges
+      no-multicast-peers
+      denied-peer-ip=0.0.0.0-0.255.255.255
+      denied-peer-ip=10.0.0.0-10.255.255.255
+      denied-peer-ip=100.64.0.0-100.127.255.255
+      denied-peer-ip=127.0.0.0-127.255.255.255
+      denied-peer-ip=169.254.0.0-169.254.255.255
+      denied-peer-ip=192.0.0.0-192.0.0.255
+      denied-peer-ip=192.0.2.0-192.0.2.255
+      denied-peer-ip=192.88.99.0-192.88.99.255
+      denied-peer-ip=192.168.0.0-192.168.255.255
+      denied-peer-ip=198.18.0.0-198.19.255.255
+      denied-peer-ip=198.51.100.0-198.51.100.255
+      denied-peer-ip=203.0.113.0-203.0.113.255
+      denied-peer-ip=240.0.0.0-255.255.255.255
+      denied-peer-ip=::1
+      denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+      denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+      denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+      denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+    '';
+  };
+  # open the firewall
+  networking.firewall = {
+    interfaces.enp2s0 =
+      let
+        range = with config.services.coturn; [{
+          from = min-port;
+          to = max-port;
+        }];
+      in
+      {
+        allowedUDPPortRanges = range;
+        allowedUDPPorts = [ 3478 ];
+        allowedTCPPortRanges = range;
+        allowedTCPPorts = [ 3478 ];
+      };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  networking.firewall.allowedUDPPorts = [ 80 443 ];
+}