add snowflake to vultr

nixos/boxes/vultr1/default.nix

@@ -4,14 +4,15 @@
 
   imports = [
     ./vultr-boot.nix
-    ../../server-security.nix
-    ../../tailscale.nix
     ./tailscale-vultr1.nix
-    ../cli.nix
-    ./nginx.nix
     ./folding.nix
     ./matrix-front.nix
+    ./nginx.nix
     ./search.nix
+    ./snowflake.nix
+    ../cli.nix
+    ../../server-security.nix
+    ../../tailscale.nix
   ];
 
   systemd.extraConfig = ''

nixos/boxes/vultr1/snowflake.nix

@@ -0,0 +1,40 @@
+{ config, pkgs, lib, ... }:
+{
+  containers.snowflake = {
+    autoStart = true;
+    ephemeral = true;
+    config = {
+      systemd.services.snowflake = {
+        wantedBy = [ "multi-user.target" ];
+        serviceConfig = {
+          IPAccounting = "yes";
+          ExecStart = "${pkgs.snowflake}/bin/proxy";
+          DynamicUser = "yes";
+          # Read-only filesystem
+          ProtectSystem = "strict";
+          PrivateDevices = "yes";
+          ProtectKernelTunables = "yes";
+          ProtectControlGroups = "yes";
+          ProtectHome = "yes";
+          # Deny access to as many things as possible
+          NoNewPrivileges = "yes";
+          PrivateUsers = "yes";
+          LockPersonality = "yes";
+          MemoryDenyWriteExecute = "yes";
+          ProtectClock = "yes";
+          ProtectHostname = "yes";
+          ProtectKernelLogs = "yes";
+          ProtectKernelModules = "yes";
+          RestrictNamespaces = "yes";
+          RestrictRealtime = "yes";
+          RestrictSUIDSGID = "yes";
+          SystemCallArchitectures = "native";
+          SystemCallFilter = "~@chown @clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @setuid @swap @privileged @resources";
+          CapabilityBoundingSet = "";
+          ProtectProc = "invisible";
+          ProcSubset = "pid";
+        };
+      };
+    };
+  };
+}