diff options
59 files changed, 211 insertions, 807 deletions
@@ -1,6 +1,6 @@ # usage: nix-instantiate --eval --json --read-write-mode --strict ci.nix | jq . -with import ./lib; let + lib = pkgs.lib; pkgs = import <nixpkgs> { overlays = [ (import ./submodules/nix-writers/pkgs) ]; }; system = import <nixpkgs/nixos/lib/eval-config.nix> { @@ -16,9 +16,9 @@ let } ; - ci-systems = filterAttrs (_: v: v.ci) system.config.krebs.hosts; + ci-systems = lib.filterAttrs (_: v: v.ci) system.config.krebs.hosts; build = host: owner: - ((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${getEnv "HOME"}/stockholm-build";}); + ((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${builtins.getEnv "HOME"}/stockholm-build";}); -in mapAttrs (n: h: build n h.owner.name) ci-systems +in lib.mapAttrs (n: h: build n h.owner.name) ci-systems diff --git a/default.nix b/default.nix index 9368dcd9e..45b4f03f6 100644 --- a/default.nix +++ b/default.nix @@ -1,7 +1,7 @@ import <nixpkgs/nixos> {} // rec { lib = import ./lib; systems = with lib; let - namespace = getEnv "LOGNAME"; + namespace = krebs; systemsDir = <stockholm> + "/${namespace}/1systems"; in genAttrs diff --git a/flake.lock b/flake.lock index b11c289b4..c7b051683 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1760516981, - "narHash": "sha256-4AYTAH7WDL6C6WKktc9UEQRiav6oPzVpKuFWRyYeuTQ=", + "lastModified": 1768927382, + "narHash": "sha256-qdmb8Pm73PADLgO8Q06QfyPbEQS6el9Si+dGQc3TB1I=", "owner": "Mic92", "repo": "buildbot-nix", - "rev": "01dfc9a07c070092e3187be8edbd2243a9e301a5", + "rev": "eb4e904a8dc1aa12a964752e4fd9977c6aead724", "type": "github" }, "original": { @@ -31,11 +31,11 @@ ] }, "locked": { - "lastModified": 1756770412, - "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=", + "lastModified": 1768135262, + "narHash": "sha256-PVvu7OqHBGWN16zSi6tEmPwwHQ4rLPU9Plvs8/1TUBY=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "4524271976b625a4a605beefd893f270620fd751", + "rev": "80daad04eddbbf5a4d883996a73f3f542fa437ac", "type": "github" }, "original": { @@ -71,11 +71,11 @@ ] }, "locked": { - "lastModified": 1758022363, - "narHash": "sha256-ENUhCRWgSX4ni751HieNuQoq06dJvApV/Nm89kh+/A0=", + "lastModified": 1768476106, + "narHash": "sha256-V0YOJRum50gtKgwavsAfwXc9+XAsJCC7386YZx1sWGQ=", "owner": "hercules-ci", "repo": "hercules-ci-effects", - "rev": "1a3667d33e247ad35ca250698d63f49a5453d824", + "rev": "c19e263e6e22ec7379d972f19e6a322f943c73fb", "type": "github" }, "original": { @@ -87,7 +87,9 @@ "nix-writers": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nixpkgs": [ + "nixpkgs" + ] }, "locked": { "lastModified": 1677612737, @@ -105,26 +107,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1677608380, - "narHash": "sha256-k82O23qBAK+43X0KSBjsMYXG2x4kWWXeAmpPTc2KRGY=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "4aba90e89f6d4ac6138939961f62842bd94ec929", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1760878510, - "narHash": "sha256-K5Osef2qexezUfs0alLvZ7nQFTGS9DL2oTVsIXsqLgs=", + "lastModified": 1768886240, + "narHash": "sha256-C2TjvwYZ2VDxYWeqvvJ5XPPp6U7H66zeJlRaErJKoEM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "5e2a59a5b1a82f89f2c7e598302a9cacebb72a67", + "rev": "80e4adbcf8992d3fd27ad4964fbb84907f9478b0", "type": "github" }, "original": { @@ -138,7 +125,7 @@ "inputs": { "buildbot-nix": "buildbot-nix", "nix-writers": "nix-writers", - "nixpkgs": "nixpkgs_2" + "nixpkgs": "nixpkgs" } }, "treefmt-nix": { @@ -149,11 +136,11 @@ ] }, "locked": { - "lastModified": 1758728421, - "narHash": "sha256-ySNJ008muQAds2JemiyrWYbwbG+V7S5wg3ZVKGHSFu8=", + "lastModified": 1768158989, + "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=", "owner": "numtide", "repo": "treefmt-nix", - "rev": "5eda4ee8121f97b218f7cc73f5172098d458f1d1", + "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca", "type": "github" }, "original": { @@ -2,6 +2,7 @@ inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; nix-writers.url = "git+https://cgit.krebsco.de/nix-writers"; + nix-writers.inputs.nixpkgs.follows = "nixpkgs"; # disko.url = "github:nix-community/disko"; # disko.inputs.nixpkgs.follows = "nixpkgs"; buildbot-nix.url = "github:Mic92/buildbot-nix"; diff --git a/kartei/makefu/default.nix b/kartei/makefu/default.nix index 9df79afbf..e92aeec93 100644 --- a/kartei/makefu/default.nix +++ b/kartei/makefu/default.nix @@ -251,6 +251,8 @@ in { wikisearch IN A ${nets.internet.ip4.addr} work.euer IN A ${nets.internet.ip4.addr} shop.euer IN A ${nets.internet.ip4.addr} + matrix.euer IN A ${nets.internet.ip4.addr} + element.euer IN A ${nets.internet.ip4.addr} mediengewitter IN CNAME over.dose.io. nixos.unstable IN CNAME krebscode.github.io. diff --git a/kartei/tv/hosts/fu.nix b/kartei/tv/hosts/fu.nix index f33da59c9..c3f2f9297 100644 --- a/kartei/tv/hosts/fu.nix +++ b/kartei/tv/hosts/fu.nix @@ -20,5 +20,4 @@ }; secure = true; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE8T+2Oe6qCE0uEb9H7CWZengyhHK30NelmYmpI4Umpm root@fu"; - syncthing.id = "F5B3EPT-OEOFYMV-GATESYO-727M6R4-YBXGW6Q-SG3QWC7-PPVFX4C-AY4UKAJ"; } diff --git a/kartei/tv/hosts/leg.nix b/kartei/tv/hosts/leg.nix index c09749302..5841c72d5 100644 --- a/kartei/tv/hosts/leg.nix +++ b/kartei/tv/hosts/leg.nix @@ -23,5 +23,4 @@ }; secure = true; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGiputkYYQbg8sUHu+dMVOEuqhPYwPhPdmkS6LopPx17 root@leg"; - syncthing.id = "5IB2U3K-HNQWNA4-ULYNPZF-XC3HX4D-IKQB72L-GNF6U2P-RNL4OMF-BWGDVAU"; } diff --git a/kartei/tv/hosts/pi.nix b/kartei/tv/hosts/pi.nix index 991bc0086..cfcc71a28 100644 --- a/kartei/tv/hosts/pi.nix +++ b/kartei/tv/hosts/pi.nix @@ -1,4 +1,3 @@ { nets.wiregrill.ip4.addr = "10.244.3.102"; - syncthing.id = "NLR6FLV-2MJQSZ6-4M5QBBB-X2UM225-YGB6IYW-F2EGFV6-D7ZDCWY-27EQAAM"; } diff --git a/kartei/tv/hosts/zoppo.nix b/kartei/tv/hosts/zoppo.nix index 4d312105f..abbcc08dc 100644 --- a/kartei/tv/hosts/zoppo.nix +++ b/kartei/tv/hosts/zoppo.nix @@ -20,5 +20,4 @@ }; secure = true; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk5DVtgzKmbJTsJs81GIMYE3YblnJJTc/FtVukKJK4J root@zoppo"; - syncthing.id = "F4GDV3I-QX6QAA5-32MXHXE-2RJDYBO-RFXGDFR-EGMN4IQ-OJDKL62-NCUWOAQ"; } diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 91071ec85..655192077 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -5,6 +5,17 @@ ../../../krebs ../../../krebs/2configs ../../../krebs/2configs/nginx.nix + { + # Cherry-pick services.nginx.recommendedTlsSettings to fix: + # nginx: [emerg] "ssl_conf_command" directive is not supported on this platform + services.nginx.recommendedTlsSettings = lib.mkForce false; + services.nginx.appendHttpConfig = '' + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + ssl_prefer_server_ciphers off; + ''; + } ../../../krebs/2configs/binary-cache/nixos.nix ../../../krebs/2configs/ircd.nix diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix index 8bb14d517..5deeb9923 100644 --- a/krebs/1systems/ponte/config.nix +++ b/krebs/1systems/ponte/config.nix @@ -8,6 +8,18 @@ <stockholm/krebs/2configs/nameserver.nix> ]; + #networking.defaultGateway6 = { + # address = "fe80::1"; + # interface = "ens3"; + #}; + #networking.interfaces.ens3.ipv6.addresses = [ + # { + # # old: address = "2a03:4000:13:4c::1"; + # address = "2a03:4000:1a:cf::1"; #/64" + # prefixLength = 64; + # } + #]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedUnicastsOnly = false; diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 0c361cc42..8e03e3b52 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -31,7 +31,7 @@ ../../2configs/shack/ssh-keys.nix # drivedroid.shack for shackphone - ../../2configs/shack/drivedroid.nix + #../../2configs/shack/drivedroid.nix (FIXME error: attribute 'drivedroid-gen-repo' missing) # ../../2configs/shack/nix-cacher.nix # Say if muell will be collected @@ -70,7 +70,7 @@ # ../../2configs/shack/share.nix # mobile.lounge.mpd.shack - ../../2configs/shack/mobile.mpd.nix + #../../2configs/shack/mobile.mpd.nix (FIXME Compatibility with CMake < 3.5 has been removed from CMake.) # hass.shack ../../2configs/shack/glados diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix index 32452e010..c51d3c651 100644 --- a/krebs/2configs/buildbot-stockholm.nix +++ b/krebs/2configs/buildbot-stockholm.nix @@ -19,7 +19,6 @@ with import ../../lib/pure.nix { inherit lib; }; enable = true; repos = { disko.urls = [ - "http://cgit.gum.r/disko" "http://cgit.ni.r/disko" "http://cgit.orange.r/disko" ]; @@ -33,7 +32,6 @@ with import ../../lib/pure.nix { inherit lib; }; "http://cgit.orange.r/nix-writers" ]; stockholm.urls = [ - "http://cgit.gum.r/stockholm" "http://cgit.ni.r/stockholm" "http://cgit.orange.r/stockholm" ]; diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix index a797673c9..937a20c29 100644 --- a/krebs/2configs/hw/x220.nix +++ b/krebs/2configs/hw/x220.nix @@ -17,8 +17,8 @@ }; hardware.opengl.extraPackages = [ - pkgs.vaapiIntel - pkgs.vaapiVdpau + pkgs.intel-vaapi-driver + pkgs.libva-vdpau-driver ]; services.xserver = { diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index fb22dc6f9..c394f312d 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -146,10 +146,14 @@ in { ''; }; + #krebs.systemd.services.knot.restartIfCredentialsChange = true; systemd.services."knsupdate-krebsco.de" = { serviceConfig = { Type = "oneshot"; SyslogIdentifier = "knsupdate-krebsco.de"; + #LoadCredential = [ + # "keys.conf:/var/src/secrets/knot-keys.conf" + #]; ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ '' set -efu diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index e7d348d50..600f7cd6d 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -235,20 +235,20 @@ let env.TASKDATA = "${stateDir}/${name}"; commands = rec { add.filename = pkgs.writers.writeDash "${name}-task-add" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} add "$1" ''; list.filename = pkgs.writers.writeDash "${name}-task-list" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export \ + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export \ | ${pkgs.jq}/bin/jq -r ' .[] | select(.id != 0) | "\(.id) \(.description)" ' ''; delete.filename = pkgs.writers.writeDash "${name}-task-delete" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} delete "$1" ''; del = delete; done.filename = pkgs.writers.writeDash "${name}-task-done" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} done "$1" ''; }; }; @@ -456,7 +456,7 @@ in { printf 'HTTP/1.1 200 OK\r\n' printf 'Connection: close\r\n' printf '\r\n' - TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export + TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export exit ;; esac diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix index a488fdfea..1c7ed4719 100644 --- a/krebs/2configs/repo-sync.nix +++ b/krebs/2configs/repo-sync.nix @@ -98,7 +98,7 @@ in { krebs.secret.files.konsens = { path = "/var/lib/konsens/.ssh/id_ed25519"; owner = konsens-user; - source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>"; + source-path = "${config.krebs.secret.directory}/konsens.id_ed25519"; }; imports = [ @@ -107,9 +107,10 @@ in { desc = "take all computers hostage, they love it"; section = "configuration"; remotes = { - makefu = "http://cgit.gum.r/stockholm"; - tv = "http://cgit.ni.r/stockholm"; + krebs = "https://github.com/krebs/stockholm"; lassulus = "http://cgit.orange.r/stockholm"; + makefu = "https://cgit.euer.krebsco.de/makefu/stockholm.git"; + tv = "http://cgit.ni.r/stockholm"; }; }) ({ krebs.git = defineRepo { diff --git a/krebs/2configs/shack/worlddomination.nix b/krebs/2configs/shack/worlddomination.nix index 66a4095db..eba6cc83b 100644 --- a/krebs/2configs/shack/worlddomination.nix +++ b/krebs/2configs/shack/worlddomination.nix @@ -3,7 +3,7 @@ with import ../../../lib/pure.nix { inherit lib; }; let pkg = pkgs.stdenv.mkDerivation { - name = "worlddomination-2020-12-01"; + name = "worlddomination-2025-04-02"; src = pkgs.fetchFromGitHub { owner = "shackspace"; repo = "worlddomination"; @@ -11,9 +11,8 @@ let sha256 = "sha256-AbRqxxY6hYNg4qkk/akuw4f+wJh4nx1hfEA4Lp5B+1E="; }; buildInputs = [ - (pkgs.python310.withPackages (pythonPackages: with pythonPackages; [ + (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ docopt - LinkHeader aiocoap grequests paramiko @@ -31,16 +30,6 @@ let pythonPackages = pkgs.python3Packages; # https://github.com/chrysn/aiocoap - LinkHeader = pythonPackages.buildPythonPackage { - name = "LinkHeader-0.4.3"; - src = pkgs.fetchurl { url = "https://files.pythonhosted.org/packages/27/d4/eb1da743b2dc825e936ef1d9e04356b5701e3a9ea022c7aaffdf4f6b0594/LinkHeader-0.4.3.tar.gz"; sha256 = "7fbbc35c0ba3fbbc530571db7e1c886e7db3d718b29b345848ac9686f21b50c3"; }; - propagatedBuildInputs = [ ]; - meta = with pkgs.lib; { - homepage = ""; - license = licenses.bsdOriginal; - description = "Parse and format link headers according to RFC 5988 \"Web Linking\""; - }; - }; wdpath = "/usr/worlddomination/wd.lst"; esphost = "10.42.24.7"; # esp8266 afrihost = "10.42.25.201"; # africa diff --git a/krebs/3modules/ci/default.nix b/krebs/3modules/ci/default.nix index 1f029276a..18fe46a98 100644 --- a/krebs/3modules/ci/default.nix +++ b/krebs/3modules/ci/default.nix @@ -50,7 +50,7 @@ let "${url}", workdir='${name}-${elemAt(splitString "." url) 1}', branches=True, project='${name}', - pollinterval=30 + pollInterval=30 ) '') repo.urls ) cfg.repos; diff --git a/krebs/3modules/github/known-hosts.nix b/krebs/3modules/github/known-hosts.nix index 3725ff2b8..6f10452e9 100644 --- a/krebs/3modules/github/known-hosts.nix +++ b/krebs/3modules/github/known-hosts.nix @@ -8,4 +8,5 @@ ; publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk="; }; + # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl } diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix index 51aeefb9f..148b58d14 100644 --- a/krebs/3modules/hosts.nix +++ b/krebs/3modules/hosts.nix @@ -2,7 +2,6 @@ with lib; let check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; domains = attrNames (filterAttrs (_: slib.eq "hosts") config.krebs.dns.providers); - # we need this import because we have infinite recursion otherwise slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); in { diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index 16f1f3c84..1cde42dc3 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -19,6 +19,14 @@ let api = { enable = mkEnableOption "iptables"; + rules4 = mkOption { + default = buildTables "v4" cfg.tables; + }; + + rules6 = mkOption { + default = buildTables "v6" cfg.tables; + }; + #tables.filter.INPUT = { # policy = "DROP"; # rules = [ diff --git a/krebs/3modules/per-user.nix b/krebs/3modules/per-user.nix index c0368ee85..f83a29acb 100644 --- a/krebs/3modules/per-user.nix +++ b/krebs/3modules/per-user.nix @@ -28,7 +28,12 @@ in { }; }) (filterAttrs (_: per-user: per-user.packages != []) cfg); - profiles = ["/etc/per-user/$LOGNAME"]; + + # XXX this breaks /etc/pam/environment because $LOGNAME doesn't get + # replaced by @{PAM_USER} the way $USER does. + # See <nixpkgs/nixos/modules/config/system-environment.nix> + #profiles = ["/etc/per-user/$LOGNAME"]; + profiles = ["/etc/per-user/$USER"]; }; }; } diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix index d65ce2a31..51f5cb752 100644 --- a/krebs/3modules/permown.nix +++ b/ |