wip: add specus VPN

configs/stardict.nix

@@ -158,6 +158,16 @@
         sha256 = "03f9wdmkgpjifpms7dyh10ma29wf3ka1j3zlp1av0cybhdldk2a8";
       };
     };
+    turkish = {
+      BabylonTurkishEnglish = pkgs.fetchzip {
+        url = "http://download.huzheng.org/babylon/bidirectional/stardict-babylon-Babylon_Turkish_English-2.4.2.tar.bz2";
+        sha256 = "17rv46r95nkikg7aszqmfrbgdhz9ny52w423m8n01g3p93shdb4i";
+      };
+      BabylonEnglishTurkish = pkgs.fetchzip {
+        url = "http://download.huzheng.org/babylon/bidirectional/stardict-babylon-Babylon_English_Turkish-2.4.2.tar.bz2";
+        sha256 = "063dl02s8ii8snsxgma8wi49xwr6afk6ysq0v986fygx5511353f";
+      };
+    };
   };
 
   makeStardictDataDir = dicts: pkgs.linkFarm "dictionaries" (lib.mapAttrsToList (name: path: {inherit name path;}) dicts);
@@ -292,7 +302,8 @@ in {
     // dictionaries.sanskrit
     // dictionaries.oed
     // dictionaries.russian
-    // dictionaries.englishGerman));
+    // dictionaries.englishGerman
+    // dictionaries.turkish));
 
   environment.systemPackages = [
     # pkgs.goldendict
@@ -302,6 +313,7 @@ in {
     (makeStardict "sd-russian" dictionaries.russian)
     (makeStardict "sd" dictionaries.englishGerman)
     (makeStardict "jbo" dictionaries.lojban)
+    (makeStardict "sd-turkish" dictionaries.turkish)
   ];
 }
 /*

flake.lock

@@ -8,11 +8,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1677969766,
-        "narHash": "sha256-AIp/ZYZMNLDZR/H7iiAlaGpu4lcXsVt9JQpBlf43HRY=",
+        "lastModified": 1680281360,
+        "narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "03b51fe8e459a946c4b88dcfb6446e45efb2c24e",
+        "rev": "e64961977f60388dd0b49572bb0fc453b871f896",
         "type": "github"
       },
       "original": {
@@ -60,12 +60,15 @@
       }
     },
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1678901627,
-        "narHash": "sha256-U02riOqrKKzwjsxc/400XnElV+UtPUQWpANPlyazjH0=",
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "93a2b84fc4b70d9e089d029deacc3583435c2ed6",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
         "type": "github"
       },
       "original": {
@@ -202,11 +205,11 @@
         "utils": "utils"
       },
       "locked": {
-        "lastModified": 1679738842,
-        "narHash": "sha256-CvqRbsyDW756EskojZptDU590rez29RcHDV3ezoze08=",
+        "lastModified": 1681092193,
+        "narHash": "sha256-JerCqqOqbT2tBnXQW4EqwFl0hHnuZp21rIQ6lu/N4rI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "83110c259889230b324bb2d35bef78bf5f214a1f",
+        "rev": "f9edbedaf015013eb35f8caacbe0c9666bbc16af",
         "type": "github"
       },
       "original": {
@@ -360,11 +363,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1679748960,
-        "narHash": "sha256-BP8XcYHyj1NxQi04RpyNW8e7KiXSoI+Fy1tXIK2GfdA=",
+        "lastModified": 1681269223,
+        "narHash": "sha256-i6OeI2f7qGvmLfD07l1Az5iBL+bFeP0RHixisWtpUGo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "da26ae9f6ce2c9ab380c0f394488892616fc5a6a",
+        "rev": "87edbd74246ccdfa64503f334ed86fa04010bab9",
         "type": "github"
       },
       "original": {
@@ -455,11 +458,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1679900348,
-        "narHash": "sha256-WqWlr9n1qOO3XggFvJy9l1yNQ6Yfk3Oenah5++4Pn18=",
+        "lastModified": 1681454031,
+        "narHash": "sha256-JOamj7vKkFRp5mJ7FKt5dPfCmWj33sZLnBGDt15c/sc=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "c4cfddf79e5d427bd52430e75b708058d89ee663",
+        "rev": "8a35714f0be00235e2a1c8b759e6dc3888763d8b",
         "type": "github"
       },
       "original": {
@@ -490,11 +493,11 @@
     },
     "retiolum": {
       "locked": {
-        "lastModified": 1679861928,
-        "narHash": "sha256-caMCjCjdliop0zzEiT+YimGBAINaBvLcK0cya4TUQEo=",
+        "lastModified": 1681246809,
+        "narHash": "sha256-3RUAwk0ApPjq2Ms8KiAh+gG6EJKWurIur612w2m3Zu8=",
         "ref": "refs/heads/master",
-        "rev": "482f8dd39315ac2fff5e8cd7bebd07deab4907bb",
-        "revCount": 293,
+        "rev": "c8ddb36f3d85be762aeb1893a79da36014f55658",
+        "revCount": 296,
         "type": "git",
         "url": "https://git.thalheim.io/Mic92/retiolum"
       },
@@ -626,6 +629,21 @@
         "type": "github"
       }
     },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "telebots": {
       "inputs": {
         "flake-utils": "flake-utils_7",
@@ -706,11 +724,11 @@
     "voidrice": {
       "flake": false,
       "locked": {
-        "lastModified": 1679694583,
-        "narHash": "sha256-W0TVLjfMWHjy8OFjkBp4jGZnIczTOYBnRMM/upn6BeE=",
+        "lastModified": 1681301489,
+        "narHash": "sha256-5Zz33Q3E4A9nsEmxPQikYeX7Rvu3hM+PlXx/0SIqG34=",
         "owner": "Lukesmithxyz",
         "repo": "voidrice",
-        "rev": "749f74f84ef1ec1b15c9003c23120dc5c4baaa35",
+        "rev": "d4ff2ebaf3e88efe20cae0d1e592fddfc433c96e",
         "type": "github"
       },
       "original": {

flake.nix

@@ -49,6 +49,7 @@
         passport = import modules/passport.nix;
         panoptikon = import modules/panoptikon.nix;
         power-action = import modules/power-action.nix;
+        specus = import modules/specus.nix;
         system-dependent = import modules/system-dependent.nix;
         telegram-bot = import modules/telegram-bot.nix;
         traadfri = import modules/traadfri.nix;
@@ -79,6 +80,7 @@
             systems/ful/configuration.nix
             agenix.nixosModules.default
             inputs.self.nixosModules.passport
+            inputs.self.nixosModules.specus
             inputs.self.nixosModules.panoptikon
             retiolum.nixosModules.retiolum
             nur.nixosModules.nur
@@ -127,6 +129,7 @@
             inputs.self.nixosModules.telegram-bot
             inputs.self.nixosModules.htgen
             inputs.self.nixosModules.passport
+            inputs.self.nixosModules.specus
             agenix.nixosModules.default
             retiolum.nixosModules.retiolum
             nur.nixosModules.nur
@@ -190,6 +193,7 @@
             systems/kabsa/configuration.nix
             agenix.nixosModules.default
             retiolum.nixosModules.retiolum
+            inputs.self.nixosModules.specus
             home-manager.nixosModules.home-manager
             nur.nixosModules.nur
           ];

lib/streams.nix

@@ -1847,71 +1847,127 @@ in
       stream = dr "p8jazz";
       tags = [tags.jazz tags.danish];
     }
+    {
+      station = "CNN morse code slow";
+      stream = "http://cw.dimebank.com:8080/CNNslow";
+      tags = [tags.text];
+    }
+    {
+      station = "CNN morse code fast";
+      stream = "http://cw.dimebank.com:8080/CNNfast";
+      tags = [tags.text];
+    }
+    {
+      station = "XXX orchestral";
+      stream = "http://orion.shoutca.st:8978/stream";
+      tags = [tags.classical];
+    }
+    {
+      station = "XXX greek";
+      stream = "http://radio.hostchefs.net:8046/stream?1520818130148";
+      tags = [tags.greek];
+    }
+    {
+      station = "XXX turkish or greek";
+      stream = "https://onairmediagroup.live24.gr/kralfm100xanthi";
+      tags = [tags.greek tags.turkish];
+    }
+    {
+      station = "Hard Rock Hell Radio";
+      tags = [tags.rock];
+      stream = "http://andromeda.shoutca.st:9254/stream";
+    }
+    {
+      station = "Divyavani";
+      tags = [tags.trad tags.indian];
+      stream = "https://divyavani.radioca.st/stream";
+    }
+    {
+      station = "XXX sanskrit radio";
+      tags = [tags.text tags.indian];
+      stream = "https://stream-23.zeno.fm/m08mkwsyw8quv?zs=0w7MJFPdRfavhR_zPt0M2g";
+    }
+    {
+      station = "Radio Mariam Arabic";
+      stream = "http://www.dreamsiteradiocp4.com:8014/stream";
+      tags = [tags.text tags.arabic];
+    }
+    {
+      station = "Kamchatka Live Rock";
+      stream = "https://radio.kamchatkalive.ru:8103/rock";
+      tags = [tags.rock];
+    }
+    {
+      station = "Kamchatka Live Chillout";
+      stream = "https://radio.kamchatkalive.ru:8103/chillout";
+      tags = [tags.chill];
+    }
+    {
+      station = "Kamchatka Live Dance";
+      stream = "https://radio.kamchatkalive.ru:8103/dance";
+      tags = [tags.party];
+    }
+    {
+      tags = [tags.arabic tags.text];
+      stream = "http://n02.radiojar.com/sxfbks1vfy8uv.mp3";
+      station = "Bahrain Radio 102.3 FM (Arabic Stories)";
+    }
+    {
+      tags = [tags.arabic tags.text tags.holy];
+      stream = "http://s2.voscast.com:12312/;";
+      station = "Bahrain Quran Radio";
+    }
+    {
+      tags = [tags.arabic tags.text tags.holy];
+      stream = "http://162.244.81.30:8224/;";
+      station = "Quran Radio Lebanon";
+    }
+    {
+      tags = [tags.arabic tags.text tags.holy];
+      station = "Coptic for God";
+      stream = "http://66.70.249.70:5832/stream";
+    }
+    {
+      stream = "http://stream-025.zeno.fm/5y95pu36sm0uv?";
+      station = "Hayat FM";
+      tags = [tags.arabic tags.text tags.holy];
+    }
+    {
+      stream = "http://uk2.internet-radio.com:8151/stream";
+      station = "The Quran Radio";
+      tags = [tags.arabic tags.text tags.holy];
+    }
   ]
+  ++ map (name: {
+    stream = "https://${name}.stream.publicradio.org/${name}.aac";
+    station = "${name} | Your Classical";
+    tags = [tags.classical];
+  }) ["ycradio" "guitar" "cms" "relax" "lullabies" "choral" "favorites" "chambermusic" "concertband" "holiday"]
 /*
       (caster-fm "TODO" "noasrv" 10182) # https://github.com/cccruzr/albumsyoumusthear/blob/7e00baf575e4d357cd275d54d1aeb717321141a8/HLS/IBERO_90_1.m3u
       (caster-fm "TODO" "shaincast" 20866) # https://github.com/cccruzr/albumsyoumusthear/blob/7e00baf575e4d357cd275d54d1aeb717321141a8/HLS/IBERO_90_1.m3u
 
-CNN news in morse code
-http://cw.dimebank.com:8080/CNNslow
-http://cw.dimebank.com:8080/CNNfast
-
-Orchestral
-http://orion.shoutca.st:8978/stream
 
 LoFi / Chill
 http://ice55.securenetsystems.net/DASH76
 
-News background music
-https://c13014-l-hls.u.core.cdn.streamfarm.net/1000153copo/hk2.m3u8
-
-?
-http://94.23.221.158:9163/stream
-
-Greek radio
-http://radio.hostchefs.net:8046/stream?1520818130148
 
 : http://audiokrishna.com/stations/japa2.mp3
-http://185.105.4.53:2339//;stream.mp3
-http://cast5.servcast.net:1390/;stream.mp3
-
-Hard rock
-http://andromeda.shoutca.st:9254/stream
 
 Rock alternative
 http://icy.unitedradio.it/VirginRockAlternative.mp3
 
-American nautical weather news
-http://ca.radioboss.fm:8149/stream
 
 Christian radio in all languages
 https://jesuscomingfm.com/#
 tamazight http://live.jesuscomingfm.com:8462/;
 
-supposedly good Greek radio
-https://onairmediagroup.live24.gr/kralfm100xanthi
 
 Somali Radio
 http://n0b.radiojar.com/1pu7hhf8kfhvv
 
-Sanskrit
-https://stream-23.zeno.fm/m08mkwsyw8quv?zs=0w7MJFPdRfavhR_zPt0M2g
-https://divyavani.radioca.st/stream
 
 Chillout from kassel
 https://server4.streamserver24.com:2199/tunein/ejanowsk.pls
-
-Radio Mariam Arabic (Rome)
-http://www.dreamsiteradiocp4.com:8014/stream
-
-https://radio.kamchatkalive.ru:8103/rock
-https://radio.kamchatkalive.ru:8103/chillout
-https://radio.kamchatkalive.ru:8103/dance
-
-Fuṣḥā Stories (Bahrain Radio 102.3 FM)
-http://n02.radiojar.com/sxfbks1vfy8uv.mp3
-
-Bahrain Quran Radio
-http://s2.voscast.com:12312/;
 */
 

modules/specus.nix

@@ -0,0 +1,96 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  specusMachines = {
+    servers = {
+      makanek = {
+        ipv4 = "10.100.0.1";
+        publicKey = "KhcScd4fBpdhQzK8Vc+1mEHQMQBpbKBUPB4oZ7skeSk=";
+      };
+      ful = {
+        ipv4 = "10.100.0.2";
+        publicKey = "0Y7+zoXkWJGVOWWnMjvYjtwP+WpggAlmkRbgMw0z8Dk=";
+      };
+    };
+    clients = {
+      kabsa = {
+        ipv4 = "10.100.0.101";
+        publicKey = "nRkzoRi9crKHF7263U37lt4GGL7/8637NBSKjifI9hY=";
+      };
+    };
+  };
+in {
+  options.services.specus = {
+    server = {
+      enable = lib.mkEnableOption "Specus private VPN (server)";
+    };
+    client = {
+      enable = lib.mkEnableOption "Specus private VPN (client)";
+    };
+    privateKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = "Private key file of the server/client machine";
+    };
+  };
+
+  config = let
+    cfg = config.services.specus;
+    specusPort = 22;
+  in
+    {
+      assertions = [
+        {
+          assertion =
+            !(cfg.server.enable && cfg.client.enable);
+          message = "specus: systems cannot be client and server at the same time";
+        }
+      ];
+    }
+    // lib.mkIf cfg.server.enable {
+      networking.nat = {
+        enable = true;
+        externalInterface = "eth0"; # TODO
+        internalInterfaces = ["specus"];
+      };
+      networking.firewall.allowedUDPPorts = [specusPort];
+      networking.wireguard.interfaces.specus = {
+        ips = ["${specusMachines.servers.${config.networking.hostName}.ipv4}/24"];
+        # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+        postSetup = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+        listenPort = specusPort;
+        privateKeyFile = cfg.privateKeyFile;
+        peers =
+          lib.mapAttrsToList (clientName: clientConfig: {
+            publicKey = clientConfig.publicKey;
+            allowedIPs = ["${clientConfig.ipv4}/32"];
+          })
+          specusMachines.clients;
+      };
+    }
+    // lib.mkIf cfg.client.enable {
+      networking.firewall.allowedUDPPorts = [specusPort];
+      networking.wireguard.interfaces = lib.attrsets.mapAttrs' (serverName: serverConfig:
+        lib.nameValuePair "specus-${serverName}" {
+          ips = ["${specusMachines.clients.${config.networking.hostName}.ipv4}/24"];
+          listenPort = specusPort;
+          privateKeyFile = cfg.privateKeyFile;
+          peers = [
+            {
+              allowedIPs = ["0.0.0.0/0"];
+              endpoint = "${(import ../lib/external-network.nix).${serverName}}:${toString specusPort}";
+              persistentKeepalive = 25;
+              publicKey = serverConfig.publicKey;
+            }
+          ];
+        })
+      specusMachines.servers;
+    };
+}

systems/ful/configuration.nix

@@ -49,6 +49,12 @@ in {
     };
     root.file = ../../secrets/ful-root.age;
     restic.file = ../../secrets/restic.age;
+    specus.file = ../../secrets/ful-specus-privateKey.age;
+  };
+
+  services.specus = {
+    privateKeyFile = config.age.secrets.specus.path;
+    server.enable = true;
   };
 
   services.restic.backups.niveum = {

systems/ful/radio.nix

@@ -2,11 +2,38 @@
   lib,
   pkgs,
   config,
+  niveumPackages,
   ...
 }: let
   inherit (import ../../lib) tmpfilesConfig;
   liquidsoapDirectory = "/var/cache/liquidsoap";
   icecastPassword = "hackme";
+  refresh-qasaid = pkgs.writers.writeDashBin "refresh-qasaid" ''
+    (
+      for i in $(seq 1 22)
+      do
+        ${pkgs.curl}/bin/curl -sSL "https://www.hindawi.org/poems/$i/"
+      done
+    ) | ${pkgs.htmlq}/bin/htmlq '.poems li' \
+      | ${pkgs.fq}/bin/fq -d html  '
+        .html.body.li
+        | map(.a
+          | {
+            id: .[0].["@href"] | sub("/poems/"; "") | sub("/$"; "") | tonumber,
+            poem: .[0].["#text"],
+            author: .[1].["#text"]
+          })
+      ' | ${niveumPackages.cyberlocker-tools}/bin/cput qasaid.json
+  '';
+  qasida-poem = pkgs.writers.writeDash "qasida.sh" ''
+    set -efu
+    ${pkgs.jq}/bin/jq -c '.[]' < ${pkgs.fetchurl {
+      url = "https://c.krebsco.de/qasaid.json";
+      sha256 = "0vh1jzdrvjrdyq7dzya9k9g3jyli9jr0zfsqb2m1phm39psy4g2b";
+    }} \
+      | shuf -n1 \
+      | ${pkgs.jq}/bin/jq -r '"annotate:title=\"\(.poem) | https://www.hindawi.org/poems/\(.id)/\",artist=\"\(.author)\":https://downloads.hindawi.org/poems/\(.id)/\(.id).m4a"'
+  '';
   lyrikline-poem = pkgs.writers.writeDash "lyrikline.sh" ''
     set -efu
 
@@ -92,6 +119,7 @@ in {
     end
 
     make_streams("lyrikline", random_url("${lyrikline-poem}"), description="lyrikline. listen to the poet (unofficial)", genre="poetry")
+    make_streams("qasida", random_url("${qasida-poem}"), description="Qasa'id. Classical arabic poetry", genre="poetry")
     make_streams("lyrik", random_url("${stavenhagen-poem}"), description="Fritz Stavenhagen – Lyrik für alle | www.deutschelyrik.de", genre="poetry")
     make_streams("wikipedia", random_url("${wikipedia-article}"), description="Zufällige Artikel von Wikipedia", genre="useless knowledge")
   '';

systems/kabsa/configuration.nix

@@ -40,10 +40,16 @@ in {
     restic.file = ../../secrets/restic.age;
     syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age;
     syncthing-key.file = ../../secrets/kabsa-syncthing-key.age;
+    specus.file = ../../secrets/kabsa-specus-privateKey.age;
   };
 
   environment.systemPackages = [pkgs.minecraft pkgs.zeroad];
 
+  services.specus = {
+    privateKeyFile = config.age.secrets.specus.path;
+    client.enable = false;
+  };
+
   networking = {
     hostName = "kabsa";
     wireless.interfaces = ["wlp3s0"];

systems/makanek/configuration.nix

@@ -95,6 +95,12 @@ in {
       group = "tinc.retiolum";
     };
     restic.file = ../../secrets/restic.age;
+    specus.file = ../../secrets/makanek-specus-privateKey.age;
+  };
+
+  services.specus = {
+    privateKeyFile = config.age.secrets.specus.path;
+    server.enable = true;
   };
 
   system.stateVersion = "20.03";