authortv <tv@krebsco.de>2018-09-06 23:10:09 +0200
committertv <tv@krebsco.de>2018-09-06 23:10:09 +0200
commit03764d6765f8d2734d0960bc75cc6856bf0893d8 (patch)
treeb8cbbdc3a0381b5d1b1d08149c38a6bd5be5e9c5
parent86466154f11748365cdab50b6ac113bdfd5542be (diff)
parent96c4ab61202f515c7a361ef76c398e542771d6b4 (diff)
Merge remote-tracking branch 'prism/master'
-rw-r--r--.gitlab-ci.yml14
-rw-r--r--jeschli/1systems/brauerei/config.nix1
-rw-r--r--jeschli/1systems/enklave/config.nix1
-rw-r--r--jeschli/2configs/git.nix73
-rw-r--r--jeschli/2configs/retiolum.nix2
-rw-r--r--jeschli/2configs/steam.nix12
-rw-r--r--krebs/0tests/data/secrets/konsens.id_ed255190
-rw-r--r--krebs/1systems/wolf/config.nix3
-rw-r--r--krebs/2configs/buildbot-stockholm.nix2
-rw-r--r--krebs/2configs/repo-sync.nix24
-rw-r--r--krebs/2configs/shack/mobile.mpd.nix32
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/jeschli/default.nix1
-rw-r--r--krebs/3modules/konsens.nix80
-rw-r--r--krebs/3modules/lass/default.nix64
-rw-r--r--krebs/3modules/retiolum-bootstrap.nix5
-rw-r--r--krebs/nixpkgs.json6
-rw-r--r--lass/1systems/dishfire/config.nix63
-rw-r--r--lass/1systems/dishfire/physical.nix39
-rw-r--r--lass/1systems/dishfire/source.nix3
-rw-r--r--makefu/1systems/cake/source.nix2
-rw-r--r--makefu/1systems/darth/source.nix2
-rw-r--r--makefu/1systems/drop/config.nix2
-rw-r--r--makefu/1systems/drop/source.nix2
-rw-r--r--makefu/1systems/fileleech/config.nix4
-rw-r--r--makefu/1systems/fileleech/source.nix2
-rw-r--r--makefu/1systems/filepimp/source.nix2
-rw-r--r--makefu/1systems/full/source.nix5
-rw-r--r--makefu/1systems/gum/source.nix2
-rw-r--r--makefu/1systems/iso/source.nix2
-rw-r--r--makefu/1systems/kexec/source.nix2
-rw-r--r--makefu/1systems/latte/source.nix2
-rw-r--r--makefu/1systems/nextgum/source.nix2
-rw-r--r--makefu/1systems/omo/source.nix2
-rw-r--r--makefu/1systems/pnp/source.nix2
-rw-r--r--makefu/1systems/repunit/source.nix2
-rw-r--r--makefu/1systems/sdev/source.nix2
-rw-r--r--makefu/1systems/shack-autoinstall/source.nix3
-rw-r--r--makefu/1systems/shoney/config.nix2
-rw-r--r--makefu/1systems/shoney/source.nix2
-rw-r--r--makefu/1systems/studio/source.nix2
-rw-r--r--makefu/1systems/tsp/source.nix4
-rw-r--r--makefu/1systems/vbob/source.nix2
-rw-r--r--makefu/1systems/wbob/config.nix2
-rw-r--r--makefu/1systems/wbob/source.nix2
-rw-r--r--makefu/1systems/wry/config.nix2
-rw-r--r--makefu/1systems/wry/source.nix2
-rw-r--r--makefu/1systems/x/source.nix3
-rw-r--r--makefu/2configs/deployment/events-publisher/default.nix4
-rw-r--r--makefu/2configs/editor/vim.nix33
-rw-r--r--makefu/2configs/editor/vimrc98
-rw-r--r--makefu/2configs/hw/smartcard.nix18
-rw-r--r--makefu/2configs/nginx/rompr.nix76
-rw-r--r--makefu/2configs/tools/extra-gui.nix1
-rw-r--r--makefu/2configs/vim.nix136
-rw-r--r--makefu/5pkgs/arduino-user-env/default.nix35
-rw-r--r--makefu/5pkgs/beef/Gemfile56
-rw-r--r--makefu/5pkgs/beef/Gemfile.lock101
-rw-r--r--makefu/5pkgs/beef/db-in-homedir.patch39
-rw-r--r--makefu/5pkgs/beef/default.nix22
-rw-r--r--makefu/5pkgs/beef/gemset.nix238
-rw-r--r--makefu/5pkgs/bento4/default.nix30
-rw-r--r--makefu/5pkgs/cozy-audiobooks/default.nix99
-rw-r--r--makefu/5pkgs/default.nix10
-rw-r--r--makefu/5pkgs/drozer/default.nix9
-rw-r--r--makefu/5pkgs/ifdnfc/default.nix45
-rw-r--r--makefu/5pkgs/nur.nix7
-rw-r--r--makefu/krops.nix88
-rw-r--r--makefu/nixpkgs.json7
-rwxr-xr-xmakefu/update-channel.sh9
70 files changed, 1170 insertions, 482 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3f2f28d65..1946f269e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,5 +1,19 @@
+before_script:
+ - mkdir -p ~/.ssh
+ - echo "$deploy_privkey" > deploy.key
+ - export GIT_SSH_COMMAND="ssh -i $PWD/deploy.key"
+ - chmod 600 deploy.key
+ - ssh-keyscan -H 'github.com' >> ~/.ssh/known_hosts
nix-shell test:
script:
- env
- nix-shell --pure --command 'true' -p stdenv && echo success
- nix-shell --pure --command 'false' -p stdenv || echo success
+nur-packages makefu:
+ script:
+ - git reset --hard origin/master
+ - git filter-branch -f --prune-empty --subdirectory-filter makefu/5pkgs HEAD
+ - git remote add deploy git@github.com:makefu/nur-packages.git || git remote set-url deploy git@github.com:makefu/nur-packages.git
+ - git push --force deploy HEAD:master
+after_script:
+ - rm -f deploy.key
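Review bot: The `env` step kept in the `nix-shell test` job prints every CI variable to the job log, which would include `$deploy_privkey` unless that variable is scoped away from the job; drop `env` or filter its output. In `before_script`, `echo "$deploy_privkey" > deploy.key` creates the file under the default umask and `chmod 600` only runs two lines later; `(umask 077; echo "$deploy_privkey" > deploy.key)` closes that window. `ssh-keyscan -H 'github.com' >> ~/.ssh/known_hosts` accepts whatever host key the network returns on each run, so a pinned known_hosts line checked against GitHub's published fingerprints would be the safer source before a `git push --force`.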
diff --git a/jeschli/1systems/brauerei/config.nix b/jeschli/1systems/brauerei/config.nix
index e200cbcd4..4cd544a66 100644
--- a/jeschli/1systems/brauerei/config.nix
+++ b/jeschli/1systems/brauerei/config.nix
@@ -8,6 +8,7 @@
<stockholm/jeschli/2configs/emacs.nix>
<stockholm/jeschli/2configs/xdg.nix>
<stockholm/jeschli/2configs/xserver>
+ <stockholm/jeschli/2configs/steam.nix>
<stockholm/jeschli/2configs/virtualbox.nix>
];
diff --git a/jeschli/1systems/enklave/config.nix b/jeschli/1systems/enklave/config.nix
index 470566a8b..cadec3cab 100644
--- a/jeschli/1systems/enklave/config.nix
+++ b/jeschli/1systems/enklave/config.nix
@@ -5,6 +5,7 @@
<stockholm/jeschli>
<stockholm/jeschli/2configs/retiolum.nix>
<stockholm/jeschli/2configs/IM.nix>
+ <stockholm/jeschli/2configs/git.nix>
<stockholm/jeschli/2configs/os-templates/CentOS-7-64bit.nix>
{
networking.dhcpcd.allowInterfaces = [
diff --git a/jeschli/2configs/git.nix b/jeschli/2configs/git.nix
new file mode 100644
index 000000000..77602e0f1
--- /dev/null
+++ b/jeschli/2configs/git.nix
@@ -0,0 +1,73 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+
+let
+
+ out = {
+ services.nginx.enable = true;
+ krebs.git = {
+ enable = true;
+ cgit = {
+ settings = {
+ root-title = "public repositories at ${config.krebs.build.host.name}";
+ root-desc = "keep calm and engage";
+ };
+ enable = true;
+ };
+ repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos;
+ rules = rules;
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
+ ];
+ };
+
+ repos = public-repos;
+
+ rules = concatMap make-rules (attrValues repos);
+
+ public-repos = mapAttrs make-public-repo {
+ stockholm = {
+ cgit.desc = "Bonbon aus Git - die ganze Nacht";
+ };
+ krebs-page = {
+ cgit.desc = "Die Krebs Page";
+ };
+ };
+
+ make-public-repo = name: { cgit ? {}, ... }: {
+ inherit cgit name;
+ public = true;
+ hooks = {
+ post-receive = pkgs.git-hooks.irc-announce {
+ nick = config.krebs.build.host.name;
+ channel = "#xxx";
+ server = "irc.r";
+ verbose = true;
+ branches = [ "master" ];
+ };
+ };
+ };
+
+ make-rules =
+ with git // config.krebs.users;
+ repo:
+ singleton {
+ user = [ jeschli jeschli-brauerei];
+ repo = [ repo ];
+ perm = push "refs/*" [ non-fast-forward create delete merge ];
+ } ++
+ optional repo.public {
+ user = attrValues config.krebs.users;
+ repo = [ repo ];
+ perm = fetch;
+ } ++
+ optional (length (repo.collaborators or []) > 0) {
+ user = repo.collaborators;
+ repo = [ repo ];
+ perm = fetch;
+ };
+
+in out
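Review bot: The third rule in `make-rules` (the `repo.collaborators` fetch grant) cannot fire for the repos defined in this file, because `make-public-repo` never sets a `collaborators` attribute; the `removeAttrs s ["collaborators"]` in `out` is a no-op for the same reason. Access rules that never apply make it harder to see who can actually reach a repo, so either drop them or add a comment such as `# collaborators: unused until a non-public repo is defined here`. Separately, the owner rule grants `non-fast-forward` and `delete` on `refs/*` to both `jeschli` keys; if history rewriting on these public repos is not intended, a narrower permission list would be the least-privilege form.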
diff --git a/jeschli/2configs/retiolum.nix b/jeschli/2configs/retiolum.nix
index b611cbe7d..f22609655 100644
--- a/jeschli/2configs/retiolum.nix
+++ b/jeschli/2configs/retiolum.nix
@@ -17,7 +17,7 @@
tinc = pkgs.tinc_pre;
};
- networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedTCPPorts = [ 80 655 ];
networking.firewall.allowedUDPPorts = [ 655 ];
environment.systemPackages = [
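Review bot: Adding `80` to `networking.firewall.allowedTCPPorts` opens the port on every interface of every host that imports this file, whereas the rule added in `jeschli/2configs/git.nix` limits it to `-i retiolum`. If cgit is meant to be reachable only over the VPN, scope it here too, for example `networking.firewall.interfaces.retiolum.allowedTCPPorts = [ 80 ];` where the nixpkgs in use provides that option, or keep this line at `[ 655 ]` and rely on the `krebs.iptables` rule. The enclosing attribute set starts and ends outside the hunk, so whether both firewall mechanisms are active on the same host is not visible here.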
diff --git a/jeschli/2configs/steam.nix b/jeschli/2configs/steam.nix
new file mode 100644
index 000000000..06a068a3f
--- /dev/null
+++ b/jeschli/2configs/steam.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+
+ nixpkgs.config.steam.java = true;
+ environment.systemPackages = with pkgs; [
+ steam
+ ];
+ hardware.opengl.driSupport32Bit = true;
+
+ #ports for inhome streaming
+}
diff --git a/krebs/0tests/data/secrets/konsens.id_ed25519 b/krebs/0tests/data/secrets/konsens.id_ed25519
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/konsens.id_ed25519
diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix
index 6addb0818..914b38051 100644
--- a/krebs/1systems/wolf/config.nix
+++ b/krebs/1systems/wolf/config.nix
@@ -25,6 +25,7 @@ in
<stockholm/krebs/2configs/shack/muell_caller.nix>
<stockholm/krebs/2configs/shack/radioactive.nix>
<stockholm/krebs/2configs/shack/share.nix>
+ <stockholm/krebs/2configs/shack/mobile.mpd.nix>
{
systemd.services.telegraf.path = [ pkgs.net_snmp ]; # for snmptranslate
systemd.services.telegraf.environment = {
@@ -114,7 +115,7 @@ in
networking = {
firewall.enable = false;
firewall.allowedTCPPorts = [ 8088 8086 8083 ];
- interfaces."${ext-if}".ip4 = [{
+ interfaces."${ext-if}".ipv4.addresses = [{
address = shack-ip;
prefixLength = 20;
}];
diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix
index 62a5f9ab5..1ed38f54f 100644
--- a/krebs/2configs/buildbot-stockholm.nix
+++ b/krebs/2configs/buildbot-stockholm.nix
@@ -24,7 +24,7 @@ in
testslave = "lasspass";
};
change_source.stockholm = ''
- stockholm_repo = 'http://cgit.prism.r/stockholm'
+ stockholm_repo = 'http://cgit.hotdog.r/stockholm'
cs.append(
changes.GitPoller(
stockholm_repo,
diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix
index 13e1217a4..3ca94fc1b 100644
--- a/krebs/2configs/repo-sync.nix
+++ b/krebs/2configs/repo-sync.nix
@@ -3,6 +3,10 @@
with import <stockholm/lib>;
let
+ konsens-user = {
+ name = "konsens";
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKKozGNGBAzHnyj6xUlsjGxxknyChXvuyrddkWVVnz7";
+ };
mirror = "git@${config.networking.hostName}:";
defineRepo = {
@@ -42,6 +46,13 @@ let
perm = push ''refs/*'' [ non-fast-forward create delete merge ];
}
{
+ user = [
+ konsens-user
+ ];
+ repo = [ repo ];
+ perm = push ''refs/heads/master'' [ create merge ];
+ }
+ {
user = attrValues config.krebs.users;
repo = [ repo ];
perm = fetch;
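Review bot: The new rule for `konsens-user` is the only server-side limit on what the automated pusher can do, and nothing in the hunk records that the narrow permission list is deliberate. A comment above it such as `# konsens: refs/heads/master only, without delete or non-fast-forward` would keep a later edit from widening it by copying the owner rule directly above. The list this rule sits in starts and ends outside the hunk.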
@@ -112,6 +123,19 @@ in {
krebs.repo-sync = {
enable = true;
};
+ krebs.konsens = {
+ enable = true;
+ repos = {
+ krops = { branchesToCheck = [ "lassulus" "tv" ]; };
+ stockholm = {};
+ };
+ };
+ krebs.secret.files.konsens = {
+ path = "/var/lib/konsens/.ssh/id_ed25519";
+ owner = konsens-user;
+ source-path = "${<secrets/konsens.id_ed25519>}";
+ };
+
imports = [
(sync-retiolum { name = "the_playlist"; desc = "Good Music collection + tools"; section = "art"; })
diff --git a/krebs/2configs/shack/mobile.mpd.nix b/krebs/2configs/shack/mobile.mpd.nix
new file mode 100644
index 000000000..2dc466edb
--- /dev/null
+++ b/krebs/2configs/shack/mobile.mpd.nix
@@ -0,0 +1,32 @@
+{lib,pkgs, ... }:
+let
+ mpdHost = "mpd.shack";
+ ympd = name: port: let
+ webPort = 10000 + port;
+ in {
+ systemd.services."ympd-${name}" = {
+ description = "mpd for ${name}";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.ExecStart = "${pkgs.ympd}/bin/ympd --host ${mpdHost} --port ${toString port} --webport ${toString webPort} --user nobody";
+ };
+ services.nginx.virtualHosts."mobile.${name}.mpd.shack" = {
+ serverAliases = [
+ "${name}.mpd.wolf.r"
+ "${name}.mpd.wolf.shack"
+ ];
+ locations."/".proxyPass = "http://localhost:${toString webPort}";
+ };
+ };
+in lib.mkMerge [{
+ services.nginx.enable = true;
+}
+ (ympd "lounge" 6600)
+ (ympd "seminarraum" 6601)
+ (ympd "elab" 6602)
+ (ympd "kueche" 6603)
+ (ympd "crafting" 6604)
+ (ympd "fablab" 6605)
+ (ympd "workshop" 6606)
+ (ympd "klo" 6607)
+
+]
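Review bot: `--webport ${toString webPort}` in `ExecStart` gives ympd only a port, so it presumably listens on all interfaces, and the wolf config that imports this file shows `firewall.enable = false`; ports 16600–16607 would then be reachable directly rather than only through the nginx vhosts. If the packaged ympd accepts the `[ip:]port` form, `--webport 127.0.0.1:${toString webPort}` keeps the backend local to the proxy. The unit also starts as root and relies on `--user nobody` to drop privileges; `nobody` is shared with other daemons, so a dedicated user would isolate it better. The `description` reads `mpd for ${name}` although the unit runs ympd.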
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index afc96e9ee..833349769 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -26,6 +26,7 @@ let
./iana-etc.nix
./iptables.nix
./kapacitor.nix
+ ./konsens.nix
./monit.nix
./newsbot-js.nix
./nixpkgs.nix
diff --git a/krebs/3modules/jeschli/default.nix b/krebs/3modules/jeschli/default.nix
index ed9bfad29..ab8fe097d 100644
--- a/krebs/3modules/jeschli/default.nix
+++ b/krebs/3modules/jeschli/default.nix
@@ -132,6 +132,7 @@ with import <stockholm/lib>;
ip6.addr = "42::30";
aliases = [
"enklave.r"
+ "cgit.enklave.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/3modules/konsens.nix b/krebs/3modules/konsens.nix
new file mode 100644
index 000000000..47316d5d6
--- /dev/null
+++ b/krebs/3modules/konsens.nix
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+
+let
+ cfg = config.krebs.konsens;
+
+ out = {
+ options.krebs.konsens = api;
+ config = lib.mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "git konsens finder";
+ repos = mkOption {
+ type = types.attrsOf (types.submodule ({ config, ...}: {
+ options = {
+ url = mkOption {
+ type = types.str;
+ default = "git@localhost:${config._module.args.name}";
+ };
+ branchesToCheck = mkOption {
+ type = types.listOf types.str;
+ default = [ "lassulus" "makefu" "tv" ];
+ };
+ target = mkOption {
+ type = types.str;
+ default = "master";
+ };
+ timerConfig = mkOption {
+ type = types.attrsOf types.str;
+ default = {
+ OnCalendar = "*:00,15,30,45";
+ };
+ };
+ };
+ }));
+ };
+ };
+
+ imp = {
+ users.users.konsens = rec {
+ name = "konsens";
+ uid = genid name;
+ home = "/var/lib/konsens";
+ createHome = true;
+ };
+
+ systemd.timers = mapAttrs' (name: repo:
+ nameValuePair "konsens-${name}" {
+ description = "konsens timer";
+ wantedBy = [ "timers.target" ];
+ timerConfig = repo.timerConfig;
+ }
+ ) cfg.repos;
+
+ systemd.services = mapAttrs' (name: repo:
+ nameValuePair "konsens-${name}" {
+ after = [ "network.target" "secret.service" ];
+ path = [ pkgs.git ];
+ restartIfChanged = false;
+ serviceConfig = {
+ Type = "simple";
+ PermissionsStartOnly = true;
+ ExecStart = pkgs.writeDash "konsens-${name}" ''
+ if ! test -e ${name}; then
+ git clone ${repo.url} ${name}
+ fi
+ cd ${name}
+ git fetch origin
+ git push origin $(git merge-base ${concatMapStringsSep " " (branch: "origin/${branch}") repo.branchesToCheck}):refs/heads/master
+ '';
+ WorkingDirectory = /var/lib/konsens;
+ User = "konsens";
+ };
+ }
+ ) cfg.repos;
+ };
+
+in out
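Review bot: In `ExecStart`, `git merge-base` receives every entry of `branchesToCheck`, but with more than two arguments git returns the base of the first branch and a hypothetical merge of the others, which need not be contained in all of them; with the default three branches master can advance to a commit that one branch never had. `--octopus` gives the common ancestor of all arguments. The result is also substituted unchecked, so a failed or empty merge-base turns the refspec into `:refs/heads/master`, a delete request that only the server-side ACL would stop. Suggested: `base=$(git merge-base --octopus …) || exit 1` followed by `git push origin "$base:refs/heads/${repo.target}"`, which also makes the declared but unused `target` option take effect. `${name}` and `${repo.url}` are interpolated into the script unquoted as well.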
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index c4a5bbb0d..7d9ef5075 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -11,39 +11,6 @@ with import <stockholm/lib>;
ci = true;
monitoring = true;
}) {
- dishfire = {
- cores = 4;
- nets = rec {
- internet = {
- ip4.addr = "144.76.172.188";
- aliases = [
- "dishfire.i"
- ];
- ssh.port = 45621;
- };
- retiolum = {
- via = internet;
- ip4.addr = "10.243.133.99";
- ip6.addr = "42:0000:0000:0000:0000:0000:d15f:1233";
- aliases = [
- "dishfire.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAwKi49fN+0s5Cze6JThM7f7lj4da27PSJ/3w3tDFPvtQco11ksNLs
- Xd3qPaQIgmcNVCR06aexae3bBeTx9y3qHvKqZVE1nCtRlRyqy1LVKSj15J1D7yz7
- uS6u/BSZiCzmdZwu3Fq5qqoK0nfzWe/NKEDWNa5l4Mz/BZQyI/hbOpn6UfFD0LpK
- R4jzc9Dbk/IFNAvwb5yrgEYtwBzlXzeDvHW2JcPq3qQjK2byQYNiIyV3g0GHppEd
- vDbIPDFhTn3Hv5zz/lX+/We8izzRge7MEd+Vn9Jwb5NAzwDsOHl6ExpqASv9H49U
- HwgPw5pstabyrsDWXybSYUb+8LcZf+unGwIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- tinc.port = 993;
- };
- };
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy";
- };
prism = rec {
cores = 4;
extraZones = {
@@ -441,7 +408,7 @@ with import <stockholm/lib>;
};
};
};
- borg = {
+ rock = {
monitoring = false;
ci = false;
external = true;
@@ -449,22 +416,21 @@ with import <stockholm/lib>;
retiolum = {
ip4.addr = "10.243.29.171";