diff options
| author | tv <tv@krebsco.de> | 2021-01-25 11:28:26 +0100 |
|---|---|---|
| committer | tv <tv@krebsco.de> | 2021-01-25 11:28:26 +0100 |
| commit | a0ca091cbf4e9ca41390ad9d54844c9eb2660406 (patch) | |
| tree | aae89f223f953a81da400d6f7deac1d5ae5d240e /lass | |
| parent | 1cd73df0c8694f491d40f93a796ea58f150e88dc (diff) | |
| parent | 71206dc6a2852dd69664e85aa6dcb49676ec1f6e (diff) | |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass')
50 files changed, 379 insertions, 834 deletions
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix deleted file mode 100644 index 0a2ab1611..000000000 --- a/lass/1systems/archprism/config.nix +++ /dev/null @@ -1,54 +0,0 @@ -{ config, lib, pkgs, ... }: -with import <stockholm/lib>; - -{ - imports = [ - <stockholm/lass> - <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/libvirt.nix> - { # TODO make new hfos.nix out of this vv - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - users.users.riot = { - uid = genid_uint31 "riot"; - isNormalUser = true; - extraGroups = [ "libvirtd" ]; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" - ]; - }; - - # TODO write function for proxy_pass (ssl/nonssl) - - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.179"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.179"; } - ]; - } - <stockholm/lass/2configs/container-networking.nix> - { - services.taskserver = { - enable = true; - fqdn = "lassul.us"; - listenHost = "::"; - listenPort = 53589; - organisations.lass.users = [ "lass" "android" ]; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } - ]; - } - { - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} - ]; - } - ]; - - krebs.build.host = config.krebs.hosts.archprism; - services.earlyoom = { - enable = true; - freeMemThreshold = 5; - }; -} diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix deleted file mode 100644 index 36de7dc17..000000000 --- a/lass/1systems/archprism/physical.nix +++ /dev/null @@ -1,77 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - imports = [ - ./config.nix - { - boot.kernelParams = [ "net.ifnames=0" ]; - networking = { - defaultGateway = "46.4.114.225"; - # Use google's public DNS server - nameservers = [ "8.8.8.8" ]; - interfaces.eth0 = { - ipAddress = "46.4.114.247"; - prefixLength = 27; - }; - }; - # TODO use this network config - networking.interfaces.eth0.ipv4.addresses = [ - { - address = config.krebs.build.host.nets.internet.ip4.addr; - prefixLength = 27; - } - { - address = "46.4.114.243"; - prefixLength = 27; - } - ]; - #networking.defaultGateway = "46.4.114.225"; - #networking.nameservers = [ - # "8.8.8.8" - #]; - #services.udev.extraRules = '' - # SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" - #''; - } - { - imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; - - networking.hostId = "fb4173ea"; - boot.loader.grub = { - devices = [ - "/dev/sda" - "/dev/sdb" - ]; - splashImage = null; - }; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "vmw_pvscsi" - "ahci" "sd_mod" - ]; - - boot.kernelModules = [ "kvm-intel" ]; - - sound.enable = false; - nixpkgs.config.allowUnfree = true; - time.timeZone = "Europe/Berlin"; - - fileSystems."/" = { - device = "rpool/root/nixos"; - fsType = "zfs"; - }; - - fileSystems."/home" = { - device = "rpool/home"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d"; - fsType = "ext4"; - }; - - } - ]; - -} diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix index f6dc23d20..c4286cca3 100644 --- a/lass/1systems/blue/config.nix +++ b/lass/1systems/blue/config.nix @@ -9,8 +9,8 @@ with import <stockholm/lib>; <stockholm/lass/2configs/blue.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/sync/sync.nix> <stockholm/lass/2configs/sync/decsync.nix> - <stockholm/lass/2configs/sync/weechat.nix> ]; krebs.build.host = config.krebs.hosts.blue; diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index bd559944a..d84502b3f 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -6,7 +6,6 @@ with import <stockholm/lib>; <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/nfs-dl.nix> { # bubsy config diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index 0b4b50ee4..fbd2d223f 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -9,13 +9,80 @@ with import <stockholm/lib>; <stockholm/lass/2configs/mail.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/sync/sync.nix> <stockholm/lass/2configs/sync/decsync.nix> <stockholm/lass/2configs/sync/weechat.nix> + + <stockholm/lass/2configs/bitlbee.nix> + <stockholm/lass/2configs/IM.nix> + <stockholm/lass/2configs/muchsync.nix> + <stockholm/lass/2configs/pass.nix> ]; krebs.build.host = config.krebs.hosts.green; - #networking.nameservers = [ "1.1.1.1" ]; + users.users.mainUser.openssh.authorizedKeys.keys = [ + config.krebs.users.lass-android.pubkey + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMe23IAHn4Ow4J4i8M9GJshqvY80U11NKPLum6b1XLn" # weechat ssh tunnel + ]; + + krebs.bindfs = { + "/home/lass/.weechat" = { + source = "/var/state/lass_weechat"; + options = [ + "-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}" + "--create-for-user=${toString config.users.users.syncthing.uid}" + ]; + }; + "/home/lass/Maildir" = { + source = "/var/state/lass_mail"; + options = [ + "-M ${toString config.users.users.mainUser.uid}" + ]; + }; + "/home/lass/sync" = { + source = "/var/state/lass_sync"; + options = [ + "-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}" + "--create-for-user=${toString config.users.users.syncthing.uid}" + ]; + }; + "/var/lib/bitlbee" = { + source = "/var/state/bitlbee"; + options = [ + "-M ${toString config.users.users.bitlbee.uid}" + ]; + clearTarget = true; + }; + "/home/lass/.ssh" = { + source = "/var/state/lass_ssh"; + options = [ + "-M ${toString config.users.users.mainUser.uid}" + ]; + clearTarget = true; + }; + "/home/lass/.gnupg" = { + source = "/var/state/lass_gnupg"; + options = [ + "-M ${toString config.users.users.mainUser.uid}" + ]; + clearTarget = true; + }; + }; - #time.timeZone = "Europe/Berlin"; + systemd.services."bindfs-_home_lass_Maildir".serviceConfig.ExecStartPost = pkgs.writeDash "symlink-notmuch" '' + sleep 1 + mkdir -p /home/lass/notmuch + chown lass: /home/lass/notmuch + ln -sfTr /home/lass/notmuch /home/lass/Maildir/.notmuch + + mkdir -p /home/lass/notmuch/muchsync + chown lass: /home/lass/notmuch/muchsync + mkdir -p /home/lass/Maildir/.muchsync + ln -sfTr /home/lass/Maildir/.muchsync /home/lass/notmuch/muchsync/tmp + ''; + + krebs.iptables.tables.nat.PREROUTING.rules = [ + { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } + ]; } diff --git a/lass/1systems/icarus/physical.nix b/lass/1systems/icarus/physical.nix index bd74c29f3..837872bf5 100644 --- a/lass/1systems/icarus/physical.nix +++ b/lass/1systems/icarus/physical.nix @@ -51,12 +51,10 @@ (1, 48, 60) (2, 50, 61) (3, 52, 63) - (6, 60, 65) - (7, 80, 85) - (127, 90, 32767) + (6, 60, 85) + (7, 80, 90) + (127, 89, 32767) ''; services.logind.lidSwitch = "ignore"; - services.logind.lidSwitchDocked = "ignore"; - } diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix index eee23ee60..adf8aeeb1 100644 --- a/lass/1systems/littleT/config.nix +++ b/lass/1systems/littleT/config.nix @@ -7,6 +7,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/blue-host.nix> + <stockholm/lass/2configs/green-host.nix> <stockholm/lass/2configs/syncthing.nix> ]; diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix index 79fbe4c97..79d4f528d 100644 --- a/lass/1systems/morpheus/config.nix +++ b/lass/1systems/morpheus/config.nix @@ -4,6 +4,9 @@ with import <stockholm/lib>; imports = [ <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> + + <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/green-host.nix> ]; krebs.build.host = config.krebs.hosts.morpheus; diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index b03d95c49..95b688590 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -18,28 +18,28 @@ with import <stockholm/lib>; <stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/git.nix> - <stockholm/lass/2configs/virtualbox.nix> <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/mail.nix> <stockholm/krebs/2configs/ircd.nix> <stockholm/lass/2configs/logf.nix> <stockholm/lass/2configs/syncthing.nix> - <stockholm/lass/2configs/otp-ssh.nix> - <stockholm/lass/2configs/c-base.nix> + <stockholm/lass/2configs/sync/sync.nix> <stockholm/lass/2configs/sync/decsync.nix> <stockholm/lass/2configs/sync/weechat.nix> + #<stockholm/lass/2configs/c-base.nix> <stockholm/lass/2configs/br.nix> <stockholm/lass/2configs/ableton.nix> - <stockholm/lass/2configs/starcraft.nix> <stockholm/lass/2configs/dunst.nix> <stockholm/lass/2configs/rtl-sdr.nix> - <stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/print.nix> - <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/network-manager.nix> <stockholm/lass/2configs/nfs-dl.nix> - #<stockholm/lass/2configs/hardening.nix> - <stockholm/lass/2configs/ppp.nix> + <stockholm/lass/2configs/green-host.nix> + <stockholm/krebs/2configs/news-host.nix> + <stockholm/lass/2configs/ppp/x220-modem.nix> + <stockholm/lass/2configs/ppp/umts-stick.nix> + # <stockholm/lass/2configs/remote-builder/morpheus.nix> + # <stockholm/lass/2configs/remote-builder/prism.nix> { krebs.iptables.tables.filter.INPUT.rules = [ #risk of rain diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index f63c6a05a..6f61ea57e 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -118,6 +118,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/iodined.nix> <stockholm/lass/2configs/paste.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/green-host.nix> <stockholm/lass/2configs/reaktor-coders.nix> <stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/container-networking.nix> @@ -138,22 +139,17 @@ with import <stockholm/lib>; }; } { - lass.ejabberd = { - enable = true; - hosts = [ "lassul.us" ]; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; } - { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; } - ]; - } - { imports = [ <stockholm/lass/2configs/realwallpaper.nix> ]; - services.nginx.virtualHosts."lassul.us".locations."= /wallpaper.png".extraConfig = '' - alias /var/realwallpaper/realwallpaper.png; - ''; + services.nginx.virtualHosts."lassul.us".locations = { + "= /wallpaper-marker.png".extraConfig = '' + alias /var/realwallpaper/realwallpaper-marker.png; + ''; + "= /wallpaper.png".extraConfig = '' + alias /var/realwallpaper/realwallpaper.png; + ''; + }; } { users.users.jeschli = { @@ -282,8 +278,9 @@ with import <stockholm/lib>; services.murmur = { enable = true; bandwidth = 10000000; + registerName = "lassul.us"; + autobanTime = 30; }; - services.murmur.registerName = "lassul.us"; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} { predicate = "-p udp --dport 64738"; target = "ACCEPT";} @@ -354,6 +351,8 @@ with import <stockholm/lib>; palo.pubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos" "AAAAB3NzaC1yc2EAAAADAQABAAABgQC4ECL9NSCWqs4KVe+FF+2BPtl5Bv5aQPHqnXllCyiESZykwRKLx6/AbF5SbUAUMVZtp9oDSdp28m3BvVeWJ/q7hAbIxUtfd/jp+JBRZ8Kj6K5GzUO7Bhgl/o0A7xEjAeOKHiYuLjdPMcFUyl6Ah4ey/mcQYf6AdU0+hYUDeUlKe/YxxYD6202W0GJq2xGdIqs/TbopT9iaX+sv0wdXDVfFY72nFqOUwJW3u6O2viKKRugrz/eo50Eo3ts7pYz/FpDXExrUvV9Vu/bQ34pa8nKgF3/AKQHgmzljNQSVZKyAV8OY0UFonjBMXCBg2tXtwfnlzdx2SyuQVv55x+0AuRKsi85G2xLpXu1A3921pseBTW6Q6kbYK9eqxAay2c/kNbwNqFnO+nCvQ6Ier/hvGddOtItMu96IuU2E7mPN6WgvM8/3fjJRFWnZxFxqu/k7iH+yYT8qwRgdiSqZc76qvkYEuabdk2itstTRY0A3SpI3hFMZDw/7bxgMZtqpfyoRk5s= philip@shiki11:15 <Profpatsch> AAAAB3NzaC1yc2EAAAADAQABAAABgQC4ECL9NSCWqs4KVe+FF+2BPtl5Bv5aQPHqnXllCyiESZykwRKLx6/AbF5SbUAUMVZtp9oDSdp28m3BvVeWJ/q7hAbIxUtfd/jp+JBRZ8Kj6K5GzUO7Bhgl/o0A7xEjAeOKHiYuLjdPMcFUyl6Ah4ey/mcQYf6AdU0+hYUDeUlKe/YxxYD6202W0GJq2xGdIqs/TbopT9iaX+sv0wdXDVfFY72nFqOUwJW3u6O2viKKRugrz/eo50Eo3ts7pYz/FpDXExrUvV9Vu/bQ34pa8nKgF3/AKQHgmzljNQSVZKyAV8OY0UFonjBMXCBg2tXtwfnlzdx2SyuQVv55x+0AuRKsi85G2xLpXu1A3921pseBTW6Q6kbYK9eqxAay2c/kNbwNqFnO+nCvQ6Ier/hvGddOtItMu96IuU2E7mPN6WgvM8/3fjJRFWnZxFxqu/k7iH+yYT8qwRgdiSqZc76qvkYEuabdk2itstTRY0A3SpI3hFMZDw/7bxgMZtqpfyoRk5s= philip@shiki" + mic92.pubkey + qubasa.pubkey ]; }; }; @@ -412,42 +411,6 @@ with import <stockholm/lib>; ]; }; } - { #macos mounting of yellow - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i wiregrill -p tcp --dport 139"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 137"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 138"; target = "ACCEPT"; } - ]; - users.users.smbguest = { - name = "smbguest"; - uid = config.ids.uids.smbguest; - description = "smb guest user"; - home = "/home/share"; - createHome = true; - }; - services.samba = { - enable = true; - enableNmbd = true; - shares = { - download = { - path = "/var/download/finished"; - "read only" = "yes"; - browseable = "yes"; - "guest ok" = "yes"; - }; - }; - extraConfig = '' - guest account = smbguest - map to guest = bad user - # disable printing - load printers = no - printing = bsd - printcap name = /dev/null - disable spoolss = yes - ''; - }; - } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 9e01396bc..7695e637b 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -13,19 +13,18 @@ with import <stockholm/lib>; <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/bitcoin.nix> - <stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/blue-host.nix> + <stockholm/lass/2configs/green-host.nix> + <stockholm/krebs/2configs/news-host.nix> <stockholm/lass/2configs/nfs-dl.nix> - <stockholm/lass/2configs/gg23.nix> - <stockholm/lass/2configs/hass> - <stockholm/lass/2configs/br.nix> <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/home-media.nix> + <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/sync/sync.nix> ]; krebs.build.host = config.krebs.hosts.shodan; services.logind.lidSwitch = "ignore"; services.logind.lidSwitchDocked = "ignore"; - } diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index 507ccd14d..4da4dffb8 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -6,6 +6,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/blue-host.nix> + <stockholm/lass/2configs/green-host.nix> <stockholm/lass/2configs/power-action.nix> <stockholm/lass/2configs/syncthing.nix> { diff --git a/lass/1systems/styx/config.nix b/lass/1systems/styx/config.nix index 4c3ae1411..016d1480f 100644 --- a/lass/1systems/styx/config.nix +++ b/lass/1systems/styx/config.nix @@ -12,14 +12,17 @@ with import <stockholm/lib>; <stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/nfs-dl.nix> - # <stockholm/lass/2configs/gg23.nix> - # <stockholm/lass/2configs/hass> + <stockholm/lass/2configs/gg23.nix> + <stockholm/lass/2configs/hass> + <stockholm/lass/2configs/green-host.nix> + <stockholm/krebs/2configs/news-host.nix> # <stockholm/lass/2configs/br.nix> <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/home-media.nix> - # <stockholm/lass/2configs/syncthing.nix> - # <stockholm/lass/2configs/sync/sync.nix> + <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/sync/sync.nix> # <stockholm/lass/2configs/idc.nix> + <stockholm/lass/2configs/ppp/umts-stick.nix> ]; krebs.build.host = config.krebs.hosts.styx; @@ -27,6 +30,8 @@ with import <stockholm/lib>; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport ${toString config.services.smokeping.port}"; target = "ACCEPT"; } ]; + krebs.power-action.enable = mkForce false; + services.smokeping = { enable = true; targetConfig = '' diff --git a/lass/1systems/styx/physical.nix b/lass/1systems/styx/physical.nix index a3899f87d..ae0cdf489 100644 --- a/lass/1systems/styx/physical.nix +++ b/lass/1systems/styx/physical.nix @@ -31,4 +31,9 @@ nix.maxJobs = lib.mkDefault 4; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="3c:7c:3f:7e:e2:39", NAME="et0" + SUBSYSTEM=="net", ATTR{address}=="00:e0:4c:78:91:50", NAME="int0" + ''; } diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix index 8c4362865..22c80b4da 100644 --- a/lass/1systems/xerxes/config.nix +++ b/lass/1systems/xerxes/config.nix @@ -11,6 +11,7 @@ <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/network-manager.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/sync/sync.nix> <stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/wine.nix> diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index d400697d7..1afad003c 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -9,30 +9,21 @@ with import <stockholm/lib>; krebs.build.host = config.krebs.hosts.yellow; - system.activationScripts.downloadFolder = '' - mkdir -p /var/download - chown transmission:download /var/download - chown transmission:download /var/download/finished - chmod 775 /var/download - ''; - - users.users.download = { uid = genid "download"; }; users.groups.download.members = [ "transmission" ]; - users.users.transmission.group = mkForce "download"; systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ]; systemd.services.transmission.after = [ "openvpn-nordvpn.service" ]; - systemd.services.transmission.postStart = '' - chmod 775 /var/download/finished - ''; services.transmission = { enable = true; + group = "download"; + downloadDirPermissions = "775"; settings = { download-dir = "/var/download/finished"; incomplete-dir = "/var/download/incoming"; incomplete-dir-enable = true; + rpc-bind-address = "0.0.0.0"; message-level = 1; - umask = "002"; + umask = 18; rpc-whitelist-enabled = false; rpc-host-whitelist-enabled = false; }; @@ -172,7 +163,7 @@ with import <stockholm/lib>; client dev tun proto udp - remote 185.230.127.27 1194 + remote 91.207.172.77 1194 resolv-retry infinite remote-random nobind @@ -195,6 +186,7 @@ with import <stockholm/lib>; fast-io cipher AES-256-CBC auth SHA512 + <ca> -----BEGIN CERTIFICATE----- MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix new file mode 100644 index 000000000..b79af3b49 --- /dev/null +++ b/lass/2configs/IM.nix @@ -0,0 +1,45 @@ +with (import <stockholm/lib>); +{ config, lib, pkgs, ... }: + +{ + imports = [ + ./bitlbee.nix + ]; + + systemd.services.chat = let + tmux = pkgs.writeDash "tmux" '' + exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" '' + set-option -g prefix ` + unbind-key C-b + bind ` send-prefix + + set-option -g status off + set-option -g default-terminal screen-256color + + #use session instead of windows + bind-key c new-session + bind-key p switch-client -p + bind-key n switch-client -n + bind-key C-s switch-client -l + ''} "$@" + ''; + in { + description = "chat environment setup"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + restartIfChanged = false; + + path = [ + pkgs.rxvt_unicode.terminfo + ]; + + serviceConfig = { + User = "lass"; + RemainAfterExit = true; + Type = "oneshot"; + ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat"; + ExecStop = "${tmux} kill-session -t IM"; + }; + }; +} diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix deleted file mode 100644 index f5c241785..000000000 --- a/lass/2configs/backup.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, lib, ... }: -with import <stockholm/lib>; - -{ - users.users.backup = { - useDefaultShell = true; - home = "/backups"; - createHome = true; - group = "syncthing"; - openssh.authorizedKeys.keys = with config.krebs.hosts; [ - blue.ssh.pubkey - ]; - }; -} diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix index 9b91035a8..101dd045f 100644 --- a/lass/2configs/binary-cache/server.nix +++ b/lass/2configs/binary-cache/server.nix @@ -6,6 +6,7 @@ services.nix-serve = { enable = true; secretKeyFile = config.krebs.secret.files.nix-serve-key.path; + port = 5005; }; systemd.services.nix-serve = { diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix index 1220fa0cd..d8f1ae888 100644 --- a/lass/2configs/bitlbee.nix +++ b/lass/2configs/bitlbee.nix @@ -10,6 +10,10 @@ with (import <stockholm/lib>); pkgs.bitlbee-steam pkgs.bitlbee-discord ]; - libpurple_plugins = [ pkgs.telegram-purple ]; + libpurple_plugins = [ + # pkgs.telegram-purple + pkgs.tdlib-purple + # pkgs.purple-gowhatsapp + ]; }; } diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index eafab400c..00a5d2db0 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -7,7 +7,6 @@ enable = true; extensions = [ "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin - "ihlenndgcmojhcghmfjfneahoeklbjjh" #cVim ]; }; } diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index e55090de9..d29a65210 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -12,8 +12,9 @@ with import <stockholm/lib>; ''; }; - services.codimd = { + services.hedgedoc = { enable = true; + configuration.allowOrigin = [ "*" ]; configuration = { db = { dialect = "sqlite"; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 1cf421fed..7b6f01148 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -3,7 +3,6 @@ with import <stockholm/lib>; { imports = [ ./binary-cache/client.nix - ./backup.nix ./gc.nix ./mc.nix ./vim.nix @@ -22,6 +21,7 @@ with import <stockholm/lib>; openssh.authorizedKeys.keys = [ config.krebs.users.lass-mors.pubkey config.krebs.users.lass-blue.pubkey + config.krebs.users.lass-green.pubkey config.krebs.users.lass-yubikey.pubkey ]; }; @@ -40,6 +40,7 @@ with import <stockholm/lib>; openssh.authorizedKeys.keys = [ config.krebs.users.lass-mors.pubkey config.krebs.users.lass-blue.pubkey + config.krebs.users.lass-green.pubkey config.krebs.users.lass-yubikey.pubkey ]; }; diff --git a/lass/2configs/exim-retiolum.nix b/lass/2configs/exim-retiolum.nix index 1ee8d843e..589e17551 100644 --- a/lass/2configs/exim-retiolum.nix +++ b/lass/2configs/exim-retiolum.nix @@ -3,7 +3,12 @@ with import <stockholm/lib>; { - krebs.exim-retiolum.enable = true; + krebs.exim-retiolum = { + enable = true; + system-aliases = [ + { from = "root"; to = "lass"; } + ]; + }; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; } ]; diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index edec2dcb4..e6aeca5d1 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -97,6 +97,10 @@ let populate = { cgit.section = "software"; }; + reaktor2 = { + cgit.desc = "irc bot"; + cgit.section = "software"; + }; stockholm = { cgit.desc = "take all the computers hostage, they'll love you!"; cgit.section = "configuration"; @@ -109,6 +113,10 @@ let cgit.desc = "Good Music collection + tools"; cgit.section = "art"; }; + workadventure-nix = { + cgit.desc = "Nix packaging for workadventure"; + cgit.section = "deployment"; + }; xmonad-stockholm = { cgit.desc = "krebs xmonad modules"; cgit.section = "configuration"; @@ -142,9 +150,6 @@ let nick = config.krebs.build.host.name; channel = "#xxx"; # TODO define refs in some kind of option per repo - refs = [ - "refs/heads/master" - ]; server = "irc.r"; verbose = config.krebs.build.host.name == "prism"; }} diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix index 1f17c78c8..355daba9c 100644 --- a/lass/2configs/green-host.nix +++ b/lass/2configs/green-host.nix @@ -4,16 +4,26 @@ <stockholm/lass/2configs/container-networking.nix> <stockholm/lass/2configs/syncthing.nix> ]; - lass.sync-containers.containers.green = { + krebs.sync-containers.containers.green = { peers = [ "icarus" "shodan" "skynet" "mors" + "morpheus" "littleT" + "styx" ]; hostIp = "10.233.2.15"; localIp = "10.233.2.16"; format = "ecryptfs"; }; + + services.borgbackup.jobs.sync-green = { + encryption.mode = "none"; + paths = "/var/lib/sync-containers/green/ecryptfs"; + repo = "/var/lib/sync-containers/green/backup"; + compression = "auto,lzma"; + startAt = "daily"; + }; } diff --git a/lass/2configs/hass/default.nix b/lass/2configs/hass/default.nix index 78379ba1c..3cd6e0ebf 100644 --- a/lass/2configs/hass/default.nix +++ b/lass/2configs/hass/default.nix @@ -13,7 +13,9 @@ with import ./lib.nix { inherit lib; }; { predicate = "-i int0 -p tcp --dport 1883"; target = "ACCEPT"; } # mosquitto { predicate = "-i docker0 -p tcp --dport 1883"; target = "ACCEPT"; } # mosquitto { predicate = "-i int0 -p tcp --dport 8123"; target = "ACCEPT"; } # hass + { predicate = "-i int0 -p tcp --dport 1337"; target = "ACCEPT"; } # hass { predicate = "-i retiolum -p tcp --dport 8123"; target = "ACCEPT"; } # hass + { predicate = "-i retiolum -p tcp --dport 1337"; target = "ACCEPT"; } # hass frontend { predicate = "-i wiregrill -p tcp --dport 8123"; target = "ACCEPT"; } # hass ]; @@ -47,6 +49,7 @@ with import ./lib.nix { inherit lib; }; }; config = {}; sun.elevation = 66; + shopping_list = {}; discovery = {}; frontend = {}; mqtt = { @@ -81,7 +84,6 @@ with import ./lib.nix { inherit lib; }; (tasmota_s20 "Stereo Anlage" "stereo") ]; mobile_app = {}; - hue = {}; weather = [ { platform = "openweathermap"; diff --git a/lass/2configs/hass/lib.nix b/lass/2configs/hass/lib.nix index 9281a19ec..1f9f9945d 100644 --- a/lass/2configs/hass/lib.nix +++ b/lass/2configs/hass/lib.nix @@ -23,7 +23,7 @@ rec { }; friendly_names = - lib.mapAttrs' (n: v: lib.nameValuePair "light.${v}_light" { friendly_name = "l.${n}"; }) lights // + lib.mapAttrs' (n: v: lib.nameValuePair "light.${v}" { friendly_name = "l.${n}"; }) lights // lib.mapAttrs' (n: v: lib.nameValuePair "binary_sensor.${v}_update_available" { friendly_name = "s.${n}_up"; }) switches.dimmer // lib.mapAttrs' (n: v: lib.nameValuePair "binary_sensor.${v}_update_available" { friendly_name = "i.${n}_up"; }) sensors.movement // lib.mapAttrs' (n: v: lib.nameValuePair "binary_sensor.${v}_update_available" { friendly_name = "l.${n}_up"; }) lights // @@ -41,11 +41,11 @@ rec { lib.mapAttrs' (n: v: lib.nameValuePair "sensor.${v}_illuminance" { friendly_name = "i.${n}_lux"; }) sensors.movement // {}; - detect_movement = sensor: light: delay: + detect_movement = name: sensor: light: delay: let - id = "${sensor}_${light}"; + id = name; sensor_ = "binary_sensor.${sensor}_occupancy"; - light_ = "light.${light}_light"; + light_ = "light.${light}"; in { input_boolean."${id}" = { }; @@ -71,7 +71,6 @@ rec { # } { alias = "movement reset timer ${id}"; - hide_entity = true; trigger = { platform = "state"; entity_id = sensor_; @@ -87,7 +86,6 @@ rec { } { alias = "movement on ${id}"; - # hide_entity = true; trigger = { platform = "state"; entity_id = "binary_sensor.${sensor}_occupancy"; @@ -124,7 +122,6 @@ rec { } { alias = "movement off ${id}"; - hide_entity = true; trigger = { platform = "state"; entity_id = sensor_; @@ -144,7 +141,6 @@ rec { } { alias = "movement override ${id}"; - hide_entity = true; trigger = { platform = "state"; entity_id = light_; @@ -164,7 +160,6 @@ rec { } { alias = "movement expired ${id}"; - hide_entity = true; trigger = { platform = "event"; event_type = "timer.finished"; @@ -186,11 +181,10 @@ rec { ]; }; - lightswitch = switch: light: { + lightswitch = name: switch: light: { automation = [ { - alias = "lightswitch ${switch} turn on light ${light}"; - hide_entity = "true"; + alias = "lightswitch ${name} turn on"; trigger = { platform = "mqtt"; topic = "zigbee/${switch}"; @@ -225,15 +219,14 @@ rec { { service = "light.turn_on"; data_template = { - entity_id = "light.${light}_light"; + entity_id = "light.${light}"; brightness = "{{ trigger.payload_json.brightness }}"; }; } ]; } { - alias = "lightswitch ${switch} turn off light ${light}"; - hide_entity = "true"; + alias = "lightswitch ${name} turn off"; trigger = { platform = "mqtt"; topic = "zigbee/${switch}"; @@ -254,7 +247,7 @@ rec { action = { service = "light.turn_off"; data_template = { - entity_id = "light.${light}_light"; + entity_id = "light.${light}"; }; }; } diff --git a/lass/2configs/hass/rooms/bett.nix b/lass/2configs/hass/rooms/bett.nix index 48a1f72d7..026c5722c 100644 --- a/lass/2configs/hass/rooms/bett.nix +++ b/lass/2configs/hass/rooms/bett.nix @@ -3,7 +3,7 @@ with import ../lib.nix { inherit lib; }; { services.home-assistant.config = lib.mkMerge [ - (lightswitch switches.dimmer.bett lights.bett) + (lightswitch "bett" switches.dimmer.bett lights.bett) ]; # lass.hass.love = { diff --git a/lass/2configs/hass/rooms/essen.nix b/lass/2configs/hass/rooms/essen.nix index eeb3d30d2..293935f65 100644 --- a/lass/2configs/hass/rooms/essen.nix +++ b/lass/2configs/hass/rooms/essen.nix @@ -3,7 +3,7 @@ with import ../lib.nix { inherit lib; }; { services.home-assistant.config = lib.mkMerge [ - (detect_movement sensors.movement.essen lights.essen 10) - (lightswitch switches.dimmer.essen lights.essen) + (detect_movement "essen" sensors.movement.essen lights.essen 70) + (lightswitch "essen" switches.dimmer.essen lights.essen) ]; } diff --git a/lass/2configs/hass/rooms/nass.nix b/lass/2configs/hass/rooms/nass.nix index 7e6298738..b23ba86cd 100644 --- a/lass/2configs/hass/rooms/nass.nix +++ b/lass/2configs/hass/rooms/nass.nix @@ -3,8 +3,8 @@ with import ../lib.nix { inherit lib; }; { services.home-assistant.config = lib.mkMerge [ - (detect_movement sensors.movement.nass lights.nass 100) - (lightswitch switches.dimmer.nass lights.nass) + (detect_movement "nass" sensors.movement.nass lights.nass 100) + (lightswitch "nass" switches.dimmer.nass lights.nass) ]; } diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 98affdd83..4682865c6 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -21,6 +21,26 @@ let account default: prism ''; + notmuch-config = pkgs.writeText "notmuch-config" '' + [database] + path=/home/lass/Maildir + + [user] + name=lassulus + primary_email=lassulus@lassul.us + other_email=lass@mors.r;${concatStringsSep ";" (flatten (attrValues mailboxes))} + + [new] + tags=unread;inbox; + ignore= + + [search] + exclude_tags=deleted;spam; + + [maildir] + synchronize_flags=true + ''; + msmtp = pkgs.writeBashBin "msmtp" '' ${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert +sent) | \ ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} "$@" @@ -207,7 +227,7 @@ let set sidebar_short_path set sidebar_folder_indent set sidebar_visible = yes - set sidebar_format = '%B%?F? [%F]?%* %?N?%N/? %?S?%S?' + set sidebar_format = '%D%?F? [%F]?%* %?N?%N/? %?S?%S?' set sidebar_width = 20 color sidebar_new yellow red @@ -232,6 +252,7 @@ let }; in { + environment.variables.NOTMUCH_CONFIG = toString notmuch-config; environment.systemPackages = [ msmtp mutt diff --git a/lass/2configs/muchsync.nix b/lass/2configs/muchsync.nix new file mode 100644 index 000000000..b09bf579b --- /dev/null +++ b/lass/2configs/muchsync.nix @@ -0,0 +1,40 @@ +with (import <stockholm/lib>); +{ config, pkgs, ... }: + +{ + systemd.services.muchsync = let + hosts = [ + "mors.r" + "green.r" + "blue.r" + ]; + in { + description = "sync mails"; + environment = { + NOTMUCH_CONFIG = config.environment.variables.NOTMUCH_CONFIG; + }; + after = [ "network.target" ]; + + restartIfChanged = false; + + path = [ + pkgs.notmuch + pkgs.openssh + ]; + + startAt = "*:*"; # run every minute + serviceConfig = { + User = "lass"; + Type = "oneshot"; + ExecStart = pkgs.writeDash "sync-mails" '' + set -euf + + /run/current-system/sw/bin/nm-tag-init 2>/dev/null + ${concatMapStringsSep "\n" (host: '' + echo syncing ${host}: + ${pkgs.muchsync}/bin/muchsync -s 'ssh -CTaxq -o ConnectTimeout=4' --nonew lass@${host} || : + '') hosts} + ''; + }; + }; +} diff --git a/lass/2configs/nfs-dl.nix b/lass/2configs/nfs-dl.nix index 91b026455..eeab732ba 100644 --- a/lass/2configs/nfs-dl.nix +++ b/lass/2configs/nfs-dl.nix @@ -13,9 +13,9 @@ "x-systemd.device-timeout=1" "x-systemd.idle-timeout=1min" "x-systemd.requires=retiolum.service" - "x-systemd.requires=wpa_supplicant.service" "user" "_netdev" + "soft" ]; }; } diff --git a/lass/2configs/ppp/umts-stick.nix b/lass/2configs/ppp/umts-stick.nix new file mode 100644 index 000000000..64551a2b3 --- /dev/null +++ b/lass/2configs/ppp/umts-stick.nix @@ -0,0 +1,33 @@ +{ pkgs, ... }: { + + # usage: pppd call stick + + environment.etc."ppp/peers/stick".text = '' + /dev/ttyUSB0 + 460800 + crtscts + defaultroute + holdoff 10 + lock + maxfail 0 + noauth + nodetach + noipdefault + passive + persist + usepeerdns + connect "${pkgs.ppp}/bin/chat -f ${pkgs.writeText "default.chat" '' + ABORT "BUSY" + ABORT "NO CARRIER" + REPORT CONNECT + "" "ATDT*99#" + CONNECT + ''}" + ''; + + environment.systemPackages = [ + pkgs.ppp + ]; + +} + diff --git a/lass/2configs/ppp.nix b/lass/2configs/ppp/x220-modem.nix index 9cc7568a5..d6facb724 100644 --- a/lass/2configs/ppp.nix +++ b/lass/2configs/ppp/x220-modem.nix @@ -1,8 +1,8 @@ { pkgs, ... }: { - # usage: pppd call default + # usage: pppd call x220 - environment.etc."ppp/peers/default".text = '' + environment.etc."ppp/peers/x220".text = '' /dev/ttyACM2 921600 crtscts diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix index 8c95b535d..707cc8459 100644 --- a/lass/2configs/radio.nix +++ b/lass/2configs/radio.nix @@ -200,7 +200,7 @@ in { ${pkgs.mpc_cli}/bin/mpc idle player > /dev/null ${pkgs.mpc_cli}/bin/mpc current -f %file% done | while read track; do - listeners=$(${pkgs.iproute}/bin/ss -Hno state established '( sport = :8000 )' | wc -l) + listeners=$(${pkgs.iproute}/bin/ss -Hno state established 'sport = :8000' | wc -l) echo "$(date -Is)" "$track" | tee -a "$HISTORY_FILE" echo "$(tail -$LIMIT "$HISTORY_FILE")" > "$HISTORY_FILE" ${write_to_irc} "playing: $track listeners: $listeners" @@ -275,7 +275,7 @@ in { user = { name = "radio"; }; - script = '' + script = ''. ${pkgs.writeDash "radio" '' case "$Method $Request_URI" in "GET /current") printf 'HTTP/1.1 200 OK\r\n' @@ -303,7 +303,7 @@ in { exit ;; esac - ''; + ''}''; }; services.nginx = { diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix index e0cb37f67..c3054d3af 100644 --- a/lass/2configs/realwallpaper.nix +++ b/lass/2configs/realwallpaper.nix @@ -28,6 +28,9 @@ in { locations."/realwallpaper-krebs.png".extraConfig = '' root /var/realwallpaper/; ''; + locations."/realwallpaper-video.mp4".extraConfig = '' + root /var/realwallpaper/archive; + ''; }; krebs.iptables = { diff --git a/lass/2configs/sync/sync.nix b/lass/2configs/sync/sync.nix new file mode 100644 index 000000000..bee1d03ac --- /dev/null +++ b/lass/2configs/sync/sync.nix @@ -0,0 +1,13 @@ +{ + services.syncthing.declarative.folders."/home/lass/sync" = { + devices = [ "mors" "icarus" "xerxes" "shodan" "green" "blue" ]; + }; + krebs.permown."/home/lass/sync" = { + file-mode = "u+rw,g+rw"; + owner = "lass"; + group = "syncthing"; + umask = "0002"; + keepGoing = true; + }; +} + diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix index ccbfc75a1..7970f3081 100644 --- a/lass/2configs/sync/weechat.nix +++ b/lass/2configs/sync/weechat.nix @@ -1,5 +1,5 @@ { - services.syncthing.declarative.folders."/home/lass/.weechat".devices = [ "blue" "green" "mors" ]; + services.syncthing.declarative.folders."/home/lass/.weechat".devices = [ "green" "mors" ]; krebs.permown."/home/lass/.weechat" = { owner = "lass"; group = "syncthing"; diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix index 7758b860d..e288df68a 100644 --- a/lass/2configs/syncthing.nix +++ b/lass/2configs/syncthing.nix @@ -1,20 +1,11 @@ -{ config, pkgs, ... }: with import <stockholm/lib>; let - all_peers = filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts; - own_peers = filterAttrs (n: v: v.owner.name == "lass") all_peers; - mk_peers = mapAttrs (n: v: { id = v.syncthing.id; }); -in { +{ config, pkgs, ... }: with import <stockholm/lib>; +{ + imports = [ <stockholm/krebs/2configs/syncthing.nix> ]; services.syncthing = { - enable = true; group = "syncthing"; - configDir = "/var/lib/syncthing"; declarative = { key = toString <secrets/syncthing.key>; cert = toString <secrets/syncthing.cert>; - devices = mk_peers all_peers; - folders."/home/lass/sync" = { - devices = attrNames (filterAttrs (n: v: n != "phone") own_peers); - # ignorePerms = false; - }; }; }; krebs.iptables.tables.filter.INPUT.rules = [ @@ -26,11 +17,5 @@ in { ${pkgs.coreutils}/bin/chmod a+x /home/lass ''; - krebs.permown."/home/lass/sync" = { - file-mode = "u+rw,g+rw"; - owner = "lass"; - group = "syncthing"; - umask = "0002"; - keepGoing = true; - }; + boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288; } diff --git a/lass/2configs/tv.nix b/lass/2configs/tv.nix index 0ca1b340f..d49ed6125 100644 --- a/lass/2configs/tv.nix +++ b/lass/2configs/tv.nix @@ -8,6 +8,7 @@ nginxCfg = pkgs.writeText "nginx.conf" '' worker_connections 128; } error_log stderr info; + http { client_body_temp_path /var/lib/rtmp/nginx_cache_client_body; proxy_temp_path /var/lib/rtmp/nginx_cache_proxy; @@ -25,92 +26,6 @@ nginxCfg = pkgs.writeText "nginx.conf" '' location /stat { rtmp_stat all; } - - location /hls { - # Serve HLS fragments - types { - application/vnd.apple.mpegurl m3u8; - video/mp2t ts; - } - root /var/lib/rtmp/tmp; - add_header Cache-Control no-cache; - - # CORS setup - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Expose-Headers' 'Content-Length'; - - # Allow CORS preflight requests - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain charset=UTF-8'; - add_header 'Content-Length' 0; - return 204; - } - } - - location /dash { - # Serve DASH fragments - types { - application/dash+xml mpd; - video/mp4 mp4; - } - root /tmp; - add_header Cache-Control no-cache; - - # CORS setup - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Expose-Headers' 'Content-Length'; - - # Allow CORS preflight requests - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain charset=UTF-8'; - add_header 'Content-Length' 0; - return 204; - } - } - - location "/dash.all.min.js" { - default_type "text/javascript"; - alias ${pkgs.fetchurl { - url = "http://cdn.dashjs.org/v3.2.0/dash.all.min.js"; - sha256 = "16f0b40gdqsnwqi01s5sz9f1q86dwzscgc3m701jd1sczygi481c"; - }}; - } - - location /player { - default_type "text/html"; - alias ${pkgs.writeText "player.html" '' - <!DOCTYPE html> - <html lang="en"> - <head> - <meta charset="utf-8"> - <title>lassulus livestream</title> - </head> - <body> - <div> - <video id="player" controls></video> - </video> - </div> - <script src="/dash.all.min.js"></script> - <script> - (function(){ - var url = "http://lassul.us:8080/dash/nixos.mpd"; - var player = dashjs.MediaPlayer().create(); - player.initialize(document.querySelector("#player"), url, true); - })(); - </script> - </body> - </html> - ''}; - } - - location /records { - autoindex on; - root /var/lib/rtmp; - } } } @@ -275,6 +190,5 @@ in { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 1935"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 8080"; target = "ACCEPT"; } ]; } diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index f3beb9eb9..c43c8c902 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -285,7 +285,6 @@ in { ]; }; - boot.kernel.sysctl."fs.inotify.max_user_watches" = "1048576"; services.syncthing.declarative.folders = { domsen-backups = { path = "/backups/domsen"; diff --git a/lass/3modules/bindfs.nix b/lass/3modules/bindfs.nix deleted file mode 100644 index 5c8df8dc5..000000000 --- a/lass/3modules/bindfs.nix +++ /dev/null @@ -1,51 +0,0 @@ -with import <stockholm/lib>; -{ config, pkgs, ... }: -let - cfg = config.lass.bindfs; -in { - options.lass.bindfs = mkOption { - type = types.attrsOf (types.submodule ({ config, ... }: { - options = { - target = mkOption { - description = '' - destination where bindfs mounts to. - second positional argument to bindfs. - ''; - default = config._module.args.name; - type = types.absolute-pathname; - }; - source = mkOption { - description = '' - source folder where the mounted directory is originally. - first positional argument to bindfs. - ''; - type = types.absolute-pathname; - }; - options = mkOption { - description = '' - additional arguments to bindfs - ''; - type = types.listOf types.str; - default = []; - }; - }; - })); - default = {}; - }; - - config = mkIf (cfg != {}) { - systemd.services = mapAttrs' (n: mount: let - name = replaceStrings [ "/" ] [ "_" ] n; - in nameValuePair "bindfs-${name}" { - wantedBy = [ "local-fs.target" ]; - path = [ pkgs.coreutils ]; - serviceConfig = { - ExecStartPre = pkgs.writeDash "bindfs-init-${name}" '' - mkdir -p '${mount.source}' - mkdir -p '${mount.target}' - ''; - ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}"; - }; - }) cfg; - }; -} diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 8bee08caa..1ce88b238 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -1,9 +1,7 @@ _: { imports = [ - ./bindfs.nix ./dnsmasq.nix - ./ejabberd ./folderPerms.nix ./hosts.nix ./klem.nix @@ -13,7 +11,6 @@ _: ./pyload.nix ./restic.nix ./screenlock.nix - ./sync-containers.nix ./usershadow.nix ./xjail.nix ./autowifi.nix diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix deleted file mode 100644 index 4630f25c1..000000000 --- a/lass/3modules/ejabberd/config.nix +++ /dev/null @@ -1,128 +0,0 @@ -with import <stockholm/lib>; -{ config, ... }: let - - # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example - - ciphers = concatStringsSep ":" [ - "ECDHE-ECDSA-AES256-GCM-SHA384" - "ECDHE-RSA-AES256-GCM-SHA384" - "ECDHE-ECDSA-CHACHA20-POLY1305" - "ECDHE-RSA-CHACHA20-POLY1305" - "ECDHE-ECDSA-AES128-GCM-SHA256" - "ECDHE-RSA-AES128-GCM-SHA256" - "ECDHE-ECDSA-AES256-SHA384" - "ECDHE-RSA-AES256-SHA384" - "ECDHE-ECDSA-AES128-SHA256" - "ECDHE-RSA-AES128-SHA256" - ]; - - protocol_options = [ - "no_sslv2" - "no_sslv3" - "no_tlsv1" - "no_tlsv1_10" - ]; - -in /* yaml */ '' - - access_rules: - announce: - - allow: admin - local: - - allow: local - configure: - - allow: admin - register: - - allow - s2s: - - allow - trusted_network: - - allow: loopback - - acl: - local: - user_regexp: "" - loopback: - ip: - - "127.0.0.0/8" - - "::1/128" - - "::FFFF:127.0.0.1/128" - - hosts: ${toJSON config.hosts} - - language: "en" - - listen: - - - port: 5222 - ip: "::" - module: ejabberd_c2s - shaper: c2s_shaper - certfile: ${toJSON config.certfile.path} - ciphers: ${toJSON ciphers} - dhfile: ${toJSON config.dhfile.path} - protocol_options: ${toJSON protocol_options} - starttls: true - starttls_required: true - tls: false - tls_compression: false - max_stanza_size: 65536 - - - port: 5269 - ip: "::" - module: ejabberd_s2s_in - shaper: s2s_shaper - max_stanza_size: 131072 - - loglevel: 4 - - modules: - mod_adhoc: {} - mod_admin_extra: {} - mod_announce: - access: announce - mod_caps: {} - mod_carboncopy: {} - mod_client_state: {} - mod_configure: {} - mod_disco: {} - mod_echo: {} - mod_bosh: {} - mod_last: {} - mod_offline: - access_max_user_messages: max_user_offline_messages - mod_ping: {} - mod_privacy: {} - mod_private: {} - mod_register: - access_from: allow - access: register - # ip_access: trusted_network - registration_watchers: ${toJSON config.registration_watchers} - mod_roster: {} - mod_shared_roster: {} - mod_stats: {} - mod_time: {} - mod_vcard: - search: false - mod_version: {} - mod_http_api: {} - - s2s_access: s2s - s2s_certfile: ${toJSON config.s2s_certfile.path} - s2s_ciphers: ${toJSON ciphers} - s2s_dhfile: ${toJSON config.dhfile.path} - s2s_protocol_options: ${toJSON protocol_options} - s2s_tls_compression: false - s2s_use_starttls: required - - shaper_rules: - max_user_offline_messages: - - 5000: admin - - 100 - max_user_sessions: 10 - c2s_shaper: - - none: admin - - normal - s2s_shaper: fast -'' diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix deleted file mode 100644 index 20a38d572..000000000 --- a/lass/3modules/ejabberd/default.nix +++ /dev/null @@ -1,103 +0,0 @@ -{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let - cfg = config.lass.ejabberd; - - gen-dhparam = pkgs.writeDash "gen-dhparam" '' - set -efu - path=$1 - bits=2048 - # TODO regenerate dhfile after some time? - if ! test -e "$path"; then - ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path" - fi - ''; - -in { - options.lass.ejabberd = { - enable = mkEnableOption "lass.ejabberd"; - certfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-certfile"; - path = "${cfg.user.home}/ejabberd.pem"; - owner = cfg.user; - source-path = "/var/lib/acme/lassul.us/full.pem"; - }; - }; - dhfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-dhfile"; - path = "${cfg.user.home}/dhparams.pem"; - owner = cfg.user; - source-path = "/dev/null"; - }; - }; - hosts = mkOption { - type = with types; listOf str; - }; - pkgs.ejabberdctl = mkOption { - type = types.package; - default = pkgs.writeDashBin "ejabberdctl" '' - exec ${pkgs.ejabberd}/bin/ejabberdctl \ - --config ${toFile "ejabberd.yaml" (import ./config.nix { - inherit pkgs; - config = cfg; - })} \ - --logs ${shell.escape cfg.user.home} \ - --spool ${shell.escape cfg.user.home} \ - "$@" - ''; - }; - registration_watchers = mkOption { - type = types.listOf types.str; - default = [ - config.krebs.users.tv.mail - ]; - }; - s2s_certfile = mkOption { - type = types.secret-file; - default = cfg.certfile; - }; - user = mkOption { - type = types.user; - default = { - name = "ejabberd"; - home = "/var/ejabberd"; - }; - }; - }; - config = lib.mkIf cfg.enable { - environment.systemPackages = [ cfg.pkgs.ejabberdctl ]; - - krebs.secret.files = { - ejabberd-certfile = cfg.certfile; - ejabberd-s2s_certfile = cfg.s2s_certfile; - }; - - systemd.services.ejabberd = { - wantedBy = [ "multi-user.target" ]; - after = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - "network.target" - ]; - partOf = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - ]; - serviceConfig = { - ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; - ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground"; - PermissionsStartOnly = true; - SyslogIdentifier = "ejabberd"; - User = cfg.user.name; - TimeoutStartSec = 60; - }; - }; - - users.users.${cfg.user.name} = { - inherit (cfg.user) home name uid; - createHome = true; - }; - }; -} diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix deleted file mode 100644 index ca81458a9..000000000 --- a/lass/3modules/sync-containers.nix +++ /dev/null @@ -1,166 +0,0 @@ -with import <stockholm/lib>; -{ config, pkgs, ... }: let - cfg = config.lass.sync-containers; - paths = cname: { - plain = "/var/lib/containers/${cname}/var/state"; - ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs"; - securefs = "${cfg.dataLocation}/${cname}/securefs"; - }; - start = cname: { - plain = '' - ''; - ecryptfs = '' - if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then - if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then - ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state - else - ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state - fi - fi - ''; - securefs = '' - ## TODO init file systems if it does not exist - # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs - if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then - ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions - fi - ''; - }; - stop = cname: { - plain = '' - ''; - ecryptfs = '' - ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state - ''; - securefs = '' - umount /var/lib/containers/${cname}/var/state - ''; - }; -in { - options.lass.sync-containers = { - dataLocation = mkOption { - description = '' - location where the encrypted sync-container lie around - ''; - default = "/var/lib/sync-containers"; - type = types.absolute-pathname; - }; - containers = mkOption { - type = types.attrsOf (types.submodule ({ config, ... }: { - options = { - name = mkOption { - description = '' - name of the container - ''; - default = config._module.args.name; - type = types.str; - }; - peers = mkOption { - description = '' - syncthing peers to share this container with - ''; - default = []; - type = types.listOf types.str; - }; - hostIp = mkOption { # TODO find this automatically - description = '' - hostAddress of the privateNetwork - ''; - example = "10.233.2.15"; - type = types.str; - }; - localIp = mkOption { # TODO find this automatically - description = '' - localAddress of the privateNetwork - ''; - example = "10.233.2.16"; - type = types.str; - }; - format = mkOption { - description = '' - file system encrption format of the container - ''; - type = types.enum [ "plain" "ecryptfs" "securefs" ]; - }; - }; - })); - default = {}; - }; - }; - - config = mkIf (cfg.containers != {}) { - programs.fuse.userAllowOther = true; - - services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ - devices = ctr.peers; - ignorePerms = false; - })) cfg.containers); - - krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ - file-mode = "u+rw"; - directory-mode = "u+rwx"; - owner = "syncthing"; - keepGoing = false; - })) cfg.containers); - - systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({ - reloadIfChanged = mkForce false; - })) cfg.containers; - - containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({ - config = { ... }: { - environment.systemPackages = [ - pkgs.git - ]; - system.activationScripts.fuse = { - text = '' - ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 - ''; - deps = []; - }; - }; - allowedDevices = [ - { modifier = "rwm"; node = "/dev/fuse"; } - ]; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = ctr.hostIp; - localAddress = ctr.localIp; - })) cfg.containers; - - environment.systemPackages = flatten (mapAttrsToList (n: ctr: [ - (pkgs.writeDashBin "start-${ctr.name}" '' - set -euf - set -x - - mkdir -p /var/lib/containers/${ctr.name}/var/state - - ${(start ctr.name).${ctr.format}} - - STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name}) - if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name} - fi - - ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" '' - set -x - - mkdir -p /var/state/var_src - ln -sfTr /var/state/var_src /var/src - touch /etc/NIXOS - ''} - - if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then - ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch - fi - '') - (pkgs.writeDashBin "stop-${ctr.name}" '' - set -euf - - ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name} - ${(stop ctr.name).${ctr.format}} - '') - ]) cfg.containers); - }; -} diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix index 85b050644..6cf28c3c2 100644 --- a/lass/5pkgs/l-gen-secrets/default.nix +++ b/lass/5pkgs/l-gen-secrets/default.nix @@ -29,7 +29,7 @@ pkgs.writeDashBin "l-gen-secrets" '' nets = { retiolum = { ip4.addr = "10.243.0.changeme"; - ip6.addr = "42:0:0:0:0:0:0:changeme"; + ip6.addr = r6 "changeme"; aliases = [ "$HOSTNAME.r" ]; @@ -38,7 +38,7 @@ pkgs.writeDashBin "l-gen-secrets" '' ${"''"}; }; wiregrill = { - ip6.addr = (wip6 "changeme").address; + ip6.addr = w6 "changeme"; aliases = [ "$HOSTNAME.w" ]; diff --git a/lass/5pkgs/tdlib-purple/default.nix b/lass/5pkgs/tdlib-purple/default.nix new file mode 100644 index 000000000..445839a4b --- /dev/null +++ b/lass/5pkgs/tdlib-purple/default.nix @@ -0,0 +1,33 @@ +{ stdenv, fetchFromGitHub, cmake, tdlib, pidgin, libwebp, libtgvoip } : + +stdenv.mkDerivation rec { + pname = "tdlib-purple"; + version = "0.7.6"; + + src = fetchFromGitHub { + owner = "ars3niy"; + repo = pname; + rev = "v${version}"; + sha256 = "1inamfzbrz0sy4y431jgwjfg6lz14a7c71khrg02481raxchhzzf"; + }; + + cmakeFlags = [ + "-Dtgvoip_INCLUDE_DIRS=${libtgvoip.dev}/include/tgvoip" + ]; + + nativeBuildInputs = [ cmake ]; + buildInputs = [ pidgin tdlib libwebp libtgvoip ]; + + installPhase = '' + mkdir -p $out/lib/purple-2/ + cp *.so $out/lib/purple-2/ + ''; + + meta = with stdenv.lib; { + homepage = "https://github.com/ars3niy/tdlib-purple"; + description = "New libpurple plugin for Telegram"; + license = licenses.gpl2; + maintainers = [ maintainers.lassulus ]; + platforms = platforms.linux; + }; +} |