48 files changed, 1256 insertions, 258 deletions
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix index 79946dad7..620e6249e 100644 --- a/krebs/1systems/news/config.nix +++ b/krebs/1systems/news/config.nix @@ -16,7 +16,7 @@ krebs.build.host = config.krebs.hosts.news; boot.isContainer = true; - networking.useDHCP = false; + networking.useDHCP = lib.mkForce true; krebs.bindfs = { "/var/lib/brockman" = { source = "/var/state/brockman"; diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index 0ea1ab2fa..3e88c0899 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -51,6 +51,29 @@ let }; }; + confuse = { + pattern = "^!confuse (.*)$"; + activate = "match"; + arguments = [1]; + command = { + filename = pkgs.writeDash "confuse" '' + set -efu + export PATH=${makeBinPath [ + pkgs.coreutils + pkgs.curl + pkgs.gnused + pkgs.stable-generate + ]} + stable_url=$(stable-generate "$@") + paste_url=$(curl -Ss "$stable_url" | + curl -Ss https://p.krebsco.de --data-binary @- | + tail -1 + ) + echo "$_from: $paste_url" + ''; + }; + }; + taskRcFile = builtins.toFile "taskrc" '' confirmation=no ''; @@ -203,6 +226,12 @@ let osm-restaurants = pkgs.callPackage "${osm-restaurants-src}/osm-restaurants" {}; in pkgs.writeDash "krebsfood" '' set -efu + export PATH=${makeBinPath [ + osm-restaurants + pkgs.coreutils + pkgs.curl + pkgs.jq + ]} poi=$(curl -fsS http://c.r/poi.json | jq --arg name "$1" '.[$name]') if [ "$poi" = null ]; then latitude=52.51252 
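Review bot: In the new `confuse` hook neither curl in `paste_url=$(curl -Ss "$stable_url" | curl -Ss https://p.krebsco.de --data-binary @- | tail -1)` uses `-f`, so an HTTP error page returned for `$stable_url` is uploaded to p.krebsco.de as if it were the generated content, and because `tail -1` is the last command in the pipeline `set -e` (dash has no `pipefail`) never notices that either curl failed. Use `curl -fSs "$stable_url" | curl -fSs https://p.krebsco.de --data-binary @- | tail -1` so an error body is never pasted and a failed fetch produces no bogus link for `$_from`. The match group is attacker-chosen (any IRC user can trigger `^!confuse (.*)$`), but it reaches `stable-generate` as a single quoted argument via `"$@"`, so there is no shell injection in this wrapper; what `stable-generate` does with it is outside this hunk.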
@@ -212,34 +241,12 @@ let longitude=$(echo "$poi" | jq -r .longitude) fi - ${osm-restaurants}/bin/osm-restaurants --radius "$2" --latitude "$latitude" --longitude "$longitude" \ - | ${pkgs.jq}/bin/jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"' - ' - ''; - }; - } - { - pattern = ''^([\H-]*?):?\s+([+-][1-9][0-9]*)\s+(\S+)$''; - activate = "match"; - arguments = [1 2 3]; - command = { - env = { - # TODO; get state as argument - state_file = "${stateDir}/ledger"; - }; - filename = pkgs.writeDash "ledger-add" '' - set -x - tonick=$1 - amt=$2 - unit=$3 - printf '%s\n %s %d %s\n %s %d %s\n' "$(date -Id)" "$tonick" "$amt" "$unit" "$_from" "$(expr 0 - "''${amt#+}")" "$unit" >> $state_file - ${pkgs.hledger}/bin/hledger -f $state_file bal -N -O csv \ - | ${pkgs.coreutils}/bin/tail +2 \ - | ${pkgs.miller}/bin/mlr --icsv --opprint cat \ - | ${pkgs.gnugrep}/bin/grep "$_from" + osm-restaurants --radius "$2" --latitude "$latitude" --longitude "$longitude" \ + | jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"' ''; }; } + confuse bedger-add bedger-balance hooks.sed diff --git a/krebs/2configs/security-workarounds.nix b/krebs/2configs/security-workarounds.nix index b1a492f51..cb5d236ac 100644 --- a/krebs/2configs/security-workarounds.nix +++ b/krebs/2configs/security-workarounds.nix 
@@ -1,4 +1,27 @@ { config, lib, pkgs, ... }: -with import <stockholm/lib>; { + # OpenSSL pre-3.0.7 vulnerabilities + nixpkgs.overlays = [ + (self: super: { + exim = + super.exim.overrideAttrs (old: let + key = if builtins.hasAttr "preBuild" old then + "preBuild" + else + "configurePhase"; + in { + buildInputs = old.buildInputs ++ [ self.gnutls ]; + ${key} = /* sh */ '' + ${old.${key}} + sed -Ei ' + s:^USE_OPENSSL=.*:# &: + s:^# (USE_GNUTLS)=.*:\1=yes: + s:^# (USE_GNUTLS_PC=.*):\1: + ' Local/Makefile + ''; + }); + }) + ]; + # OpenSSL pre-3.0.7 vulnerabilities + services.nginx.package = lib.mkDefault (pkgs.nginxStable.override { openssl = pkgs.libressl; }); } diff --git a/krebs/2configs/shack/doorstatus.sh b/krebs/2configs/shack/doorstatus.sh index 11e710cfd..46314cb9c 100755 --- a/krebs/2configs/shack/doorstatus.sh +++ b/krebs/2configs/shack/doorstatus.sh @@ -54,7 +54,7 @@ Herr makefu an Kasse 3 bitte, Kasse 3 bitte Herr makefu. Der API Computer ist ma EOF ) -state=$(curl https://api.shackspace.de/v1/space | jq .doorState.open) +state=$(curl -fSsk https://api.shackspace.de/v1/space | jq .doorState.open) prevstate=$(cat state ||:) if test "$state" == "$(cat state)";then diff --git a/krebs/2configs/shack/reaktor.nix b/krebs/2configs/shack/reaktor.nix index a31c7a687..1f723c8e6 100644 --- a/krebs/2configs/shack/reaktor.nix +++ b/krebs/2configs/shack/reaktor.nix @@ -14,6 +14,21 @@ ]; }; } + { + plugin = "system"; + config = { + hooks.PRIVMSG = [ + { + pattern = ''\.open\??$|\.offen\??$''; + activate = "match"; + command.filename = pkgs.writers.writeDash "is_shack_open" '' + ${pkgs.curl}/bin/curl -fSsk https://api.shackspace.de/v1/space | + ${pkgs.jq}/bin/jq '.doorState.open' + ''; + } + ]; + }; + } ]; }; systemd.services.announce_doorstatus = { diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci/default.nix index 5efe41786..0f85b27c0 100644 --- a/krebs/3modules/ci.nix +++ b/krebs/3modules/ci/default.nix 
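Review bot: The `sed -Ei` that flips exim from `USE_OPENSSL` to `USE_GNUTLS` in `Local/Makefile` gives no signal when its patterns do not match, so if a future exim spells those settings differently the package silently keeps linking the OpenSSL this overlay exists to avoid. Add a check right after the sed, e.g. `grep -q '^USE_GNUTLS=yes' Local/Makefile` and `! grep -q '^USE_OPENSSL=' Local/Makefile`, so the build fails loudly instead. Note that only `self.gnutls` is appended to `buildInputs`; if OpenSSL is among `old.buildInputs` it stays there, which is harmless as long as the Makefile edit holds but is worth saying in a comment. Both "OpenSSL pre-3.0.7 vulnerabilities" comments should also state the exit condition, e.g. `# TODO: drop once nixpkgs ships openssl >= 3.0.7`, so the libressl nginx and the GnuTLS exim do not outlive the vulnerability they work around.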
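Review bot: The new `curl -fSsk` in doorstatus.sh disables TLS certificate verification for api.shackspace.de, so anyone positioned on the path can hand this script an arbitrary door state and the announcement logic below it will act on it. `-f`/`-S`/`-s` are good additions since an HTML error page no longer reaches `jq`; only `-k` should go: `state=$(curl -fSs https://api.shackspace.de/v1/space | jq .doorState.open)`. If the endpoint's certificate is genuinely the problem, pin it with `--cacert` or `--pinnedpubkey` rather than turning verification off. The surrounding script starts before this hunk.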
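Review bot: The `is_shack_open` hook fetches api.shackspace.de with `curl -fSsk`, i.e. with certificate verification disabled, and echoes the result straight into the channel, so nothing checks that the answer actually came from the API. Drop the `-k` (`${pkgs.curl}/bin/curl -fSs https://api.shackspace.de/v1/space`) and, if the certificate chain is the issue, pass `--cacert` with the expected CA instead. Any message ending in `.open`/`.offen` triggers an outbound request with no rate limit, which is presumably acceptable for this API but deserves a comment. Minor: when the JSON lacks `doorState.open` the hook prints `null`; `jq -r '.doorState.open // "unknown"'` would read better in channel.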
@@ -51,7 +51,7 @@ let "${url}", workdir='${name}-${elemAt(splitString "." url) 1}', branches=True, project='${name}', - pollinterval=100 + pollinterval=30 ) '') repo.urls ) cfg.repos; @@ -84,6 +84,7 @@ let from buildbot.process import buildstep, logobserver from twisted.internet import defer import json + import sys class GenerateStagesCommand(buildstep.ShellMixin, steps.BuildStep): def __init__(self, **kwargs): @@ -157,19 +158,29 @@ let ) ) '') cfg.repos)} + + # fancy irc notification by Mic92 https://github.com/Mic92/dotfiles/tree/master/nixos/eve/modules/buildbot + sys.path.append("${./modules}") + from irc_notify import NotifyFailedBuilds + c['services'].append( + NotifyFailedBuilds("irc://buildbot|test@irc.r:6667/#xxx") + ) + ''; enable = true; - reporters = ['' - reporters.IRC( - host = "irc.r", - nick = "buildbot|${hostname}", - notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ], - channels = [{"channel": "#xxx"}], - showBlameList = True, - authz={'force': True}, - ) - '']; + reporters = [ + '' + reporters.IRC( + host = "irc.r", + nick = "buildbot|${hostname}", + notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ], + channels = [{"channel": "#xxx"}], + showBlameList = True, + authz={'force': True}, + ) + '' + ]; buildbotUrl = "http://build.${hostname}.r/"; }; diff --git a/krebs/3modules/ci/modules/irc_notify.py b/krebs/3modules/ci/modules/irc_notify.py new file mode 100644 index 000000000..4b7969aaf --- /dev/null +++ b/krebs/3modules/ci/modules/irc_notify.py 
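Review bot: With `NotifyFailedBuilds` appended to `c['services']` while the existing `reporters.IRC` still lists `'failure'`, `'exception'` and `'problem'` in `notify_events`, every failed build is now announced twice in `#xxx` by two different nicks. Either remove the failure-class events from `reporters.IRC` or retire it in favour of the new reporter. The new reporter's URL also hardcodes the nick `buildbot|test` where the old one used `buildbot|${hostname}`; `NotifyFailedBuilds("irc://buildbot|${hostname}@irc.r:6667/#xxx")` keeps the per-host nick and avoids collisions if several CI hosts share the channel. Plain `irc://` means the helper connects without TLS (it enables TLS only for the `irc+tls` scheme), which is presumably fine for irc.r over retiolum but worth a comment. Lowering `pollinterval` from 100 to 30 triples polling of every configured repo URL; a one-line comment on why would help the next reader.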
@@ -0,0 +1,145 @@ +from typing import Optional, Generator, Any +import socket +import ssl +import threading +import re +from urllib.parse import urlparse +import base64 + +from buildbot.reporters.base import ReporterBase +from buildbot.reporters.generators.build import BuildStatusGenerator +from buildbot.reporters.message import MessageFormatter +from twisted.internet import defer + +DEBUG = False + + +def _irc_send( + server: str, + nick: str, + channel: str, + sasl_password: Optional[str] = None, + server_password: Optional[str] = None, + tls: bool = True, + port: int = 6697, + messages: list[str] = [], +) -> None: + if not messages: + return + + # don't give a shit about legacy ip + sock = socket.socket(family=socket.AF_INET6) + if tls: + sock = ssl.wrap_socket( + sock, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_TLSv1_2 + ) + + def _send(command: str) -> int: + if DEBUG: + print(command) + return sock.send((f"{command}\r\n").encode()) + + def _pong(ping: str): + if ping.startswith("PING"): + sock.send(ping.replace("PING", "PONG").encode("ascii")) + + recv_file = sock.makefile(mode="r") + + print(f"connect {server}:{port}") + sock.connect((server, port)) + if server_password: + _send(f"PASS {server_password}") + _send(f"USER {nick} 0 * :{nick}") + _send(f"NICK {nick}") + for line in recv_file.readline(): + if re.match(r"^:[^ ]* (MODE|221|376|422) ", line): + break + else: + _pong(line) + + if sasl_password: + _send("CAP REQ :sasl") + _send("AUTHENTICATE PLAIN") + auth = base64.encodebytes(f"{nick}\0{nick}\0{sasl_password}".encode("ascii")) + _send(f"AUTHENTICATE {auth.decode('ascii')}") + _send("CAP END") + _send(f"JOIN :{channel}") + + for m in messages: + _send(f"PRIVMSG {channel} :{m}") + + _send("INFO") + for line in recv_file: + if DEBUG: + print(line, end="") + # Assume INFO reply means we are done + if "End of /INFO" in line: + break + else: + _pong(line) + + sock.send(b"QUIT") + print("disconnect") + sock.close() + + +def irc_send( + url: str, 
notifications: list[str], password: Optional[str] = None +) -> None: + parsed = urlparse(f"{url}") + username = parsed.username or "prometheus" + server = parsed.hostname or "chat.freenode.net" + if parsed.fragment != "": + channel = f"#{parsed.fragment}" + else: + channel = "#krebs-announce" + port = parsed.port or 6697 + if not password: + password = parsed.password + if len(notifications) == 0: + return + # put this in a thread to not block buildbot + t = threading.Thread( + target=_irc_send, + kwargs=dict( + server=server, + nick=username, + sasl_password=password, + channel=channel, + port=port, + messages=notifications, + tls=parsed.scheme == "irc+tls", + ), + ) + t.start() + + +subject_template = """\ +{{ '☠' if result_names[results] == 'failure' else '☺' if result_names[results] == 'success' else '☝' }} \ +{{ build['properties'].get('project', ['whole buildset'])[0] if is_buildset else buildername }} \ +- \ +{{ build['state_string'] }} \ +{{ '(%s)' % (build['properties']['branch'][0] if (build['properties']['branch'] and build['properties']['branch'][0]) else build['properties'].get('got_revision', ['(unknown revision)'])[0]) }} \ +({{ build_url }}) +""" # # noqa pylint: disable=line-too-long + + +class NotifyFailedBuilds(ReporterBase): + def _generators(self) -> list[BuildStatusGenerator]: + formatter = MessageFormatter(template_type="plain", subject=subject_template) + return [BuildStatusGenerator(message_formatter=formatter)] + + def checkConfig(self, url: str): + super().checkConfig(generators=self._generators()) + + @defer.inlineCallbacks + def reconfigService(self, url: str) -> Generator[Any, object, Any]: + self.url = url + yield super().reconfigService(generators=self._generators()) + + def sendMessage(self, reports: list): + msgs = [] + for r in reports: + if r["builds"][0]["state_string"] != "build successful": + msgs.append(r["subject"]) + irc_send(self.url, notifications=msgs) 
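Review bot: `for line in recv_file.readline():` in `_irc_send` iterates over the characters of one line rather than over lines, so the registration wait never sees a `MODE`/`376`/`422` reply and cannot answer an early `PING`; it should read `for line in recv_file:`, as the later `/INFO` loop already does. The SASL sequence also looks off: `CAP REQ :sasl` is sent after `NICK`/`USER` and `AUTHENTICATE PLAIN` is sent without waiting for the server's `AUTHENTICATE +`, so authentication is unlikely to succeed against a standard server, though that depends on the daemon. On the transport side, `ssl.wrap_socket(sock, cert_reqs=ssl.CERT_NONE, ...)` disables certificate validation (and `ssl.wrap_socket` was removed in Python 3.12) while the SASL password is sent over that connection; use `ctx = ssl.create_default_context()` and `sock = ctx.wrap_socket(sock, server_hostname=server)` so the peer is verified. Smaller points: `sock.send(b"QUIT")` lacks the `\r\n` terminator and `sock.send` may write partially, so `_send` should use `sendall`; and subjects go into `PRIVMSG` unescaped, so if one could ever contain CR or LF it would inject a second IRC command, which a `re.sub(r"[\r\n]", " ", m)` before sending rules out.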
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 5ba436580..7af6b13d9 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -16,7 +16,7 @@ let ./brockman.nix ./build.nix ./cachecache.nix - ./ci.nix + ./ci ./current.nix ./dns.nix ./ergo.nix @@ -105,6 +105,7 @@ let { krebs = import ./external/kmein.nix { inherit config; }; } { krebs = import ./external/mic92.nix { inherit config; }; } { krebs = import ./external/palo.nix { inherit config; }; } + { krebs = import ./external/rtunreal.nix { inherit config; }; } { krebs = import ./jeschli { inherit config; }; } { krebs = import ./krebs { inherit config; }; } { krebs = import ./lass { inherit config; }; } diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix index 50c5ab628..d5f167e79 100644 --- a/krebs/3modules/ergo.nix +++ b/krebs/3modules/ergo.nix @@ -122,7 +122,7 @@ # reloadIfChanged = true; restartTriggers = [ configFile ]; serviceConfig = { - ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml"; + ExecStart = "${pkgs.ergochat}/bin/ergo run --conf /etc/ergo.yaml"; ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; DynamicUser = true; StateDirectory = "ergo"; diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 5cb40cfbb..62cbb78a8 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix 
@@ -769,6 +769,31 @@ in { }; }; }; + verex = { + owner = config.krebs.users.lc4r; + nets = { + retiolum = { + ip4.addr = "10.243.232.232"; + aliases = [ "verex.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEA7RCGaxVcTK3cPIs5NkbDdKEg/ASLRyKN2tBklvs43fD2lq/t77YK + vtLkZhJokcxzDWNAyUZXgTsmVblYTzbyg+DFhygNwhMSI0vdrG5AoYhWa+eIe8mf + Hxi7TWNTbDx/p66kw2NFDlw6Wbs5enPlMzfZPZj+aI7Dx7GrZRz8TrsKAauSSBKc + Vtl7Aqs2FLk8suiMAOE4JD4Lt/pvR7YSISBo1N6/eBbFEosY1XqYkv+l9a0d948a + k3jfJYRllsBRQzUyseMewwgVEz8Ny+rwk2J4ukSogAlMXXkPD/pYQgdTZwbGWOyY + FMLgb7qULn60aUO6mE/mW9JP90/9cX3CD9McdEFRXV4oM0P9EUq49kN+vinD6JDm + bL9fP+yx3sdzl34dFWDRPwrzn13kTDlRbble8jATRcisxMT1zYiADuRwIx8AeKs7 + O4uc7r/hz8ANO3zksuPhkTUoObTvZyW4mXbac2p6DGv/2aC6jzMRFJsJbWQK1TSr + 9WjeAOknhSP9UGxQWz6AgHNjq04dR3lQk34xMfKfWxRAaMD+T6frWKz++Z07WpUo + OkPlz57jPZ7yeJGwwPM/CMcNNmA6YCqgE2kJo5rVQqlUb90nVRbuiQYYldl1YCIc + Z4X36TKEXPBTiiKf6rFL6dJ64vaVxmOPr3+jdvLSufa/L7uXq3g66ZECAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "9ifWNFwaXe6qLVTW0UrOl2jg7erwTUC7f50Th4Vv2iE"; + }; + }; + }; }; users = { @@ -849,5 +874,8 @@ in { feliks = { mail = "feliks@flipdot.org"; }; + lc4r = { + mail = "lc4r@riseup.net"; + }; }; } diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index 58757b0b3..2a3604b25 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix 
@@ -930,32 +930,27 @@ in { }; }; - dev1 = { + ruby = { owner = config.krebs.users.mic92; nets = rec { - internet = { - ip4.addr = "65.108.192.175"; - ip6.addr = "2a01:4f9:1a:94a4::1"; - aliases = [ "dev1.i" ]; - }; retiolum = { - aliases = [ "dev1.r" ]; + aliases = [ "ruby.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEAwx2l5llCtEdoTRT9UJKHqa/GTqd5f9mUWX/n3HKQHdeEVao6cH9J - LteQ2rJY+Gh2zt3FZYzRBykvArjGmu1qKKnouldFJis0DygUI1jZVbeeNKbA2lZx - 7+jCUIz4kgpA0ggJt/9Nb0xHMGPpgXSMADPHLKODT2FPxA4026pI6xLAZWY1o1SY - oypaIxaOUbqi9M+eR5KRCngUGHBOQm3rGtgw5wYxHsfJqHvqCmFIicxHVifpbzOf - Hf0hDvk6E54PijcrDUfDBkXrEoa1hFezCMnzv0h+1Y4qfueFtCtPbJdYKUo87X04 - PWT/P+x78VY9e7fJswi4bYflXmE6jVg/0gXPNpWNV1iBmbrFMJMduGNiuyBcSAxp - S1ubP/+5D2hgOLCuflLfnPOozPtvV6F/XYKatQGPmgo4d7+z7g4frFKv6Uu9ZMT0 - p2CN/bnVNAEErPbTVLyk8zX6J3ruCBQxucr3dsqyw7pk74tTQlFwH9BY8tWfRrAP - v7rDLHzv/1KA9GRDkbVPJmCkwIlPd9PcqSeHL9pnV9IkFr0UTVJE5qBLDSRW9XAb - QY6wVgsMocMeAxwrx6q+pdX/NAPbBzrmr0IB+DwYfMhZdGWoWEw+NV1wOsQjBzjw - SA63+XAgJ30QR5Z87d5g2Y7560+6oQavMPdt+5kfPTGa48UR7WwYyzsCAwEAAQ== + MIICCgKCAgEAzqrguDMHqYyidLxbz3jsQS3JVNCy0HaN6wprT1Ge1Anf5E8KtuXh + M9IjYPShzzJ162rYaJdd2lBmc5o435j+0/Gg5pySILni9bILhuRr7TMWN0sjNbgr + x0JRbpMmpW5DOmQx1BSyA+LLNbyVVnCc1XI0P2EaRr1ZrRSU0bpE/7kJ//Zt7ATu + GfqJTuL2aqap12VMKAfjRByyXA9V7szJMRom2Ia3cWSXhie1E0OOvCNT+InKXx4c + QbEGX71noCgsNgxbD8AVSwMnNV15vdnbgwK/1QzA0Cep1uxFS05TXJZLZTjcGwG0 + Kp0kEjntq1rCqgdoUHIubNB17efU/oP6aSrdfvtgeYBjn0zSLHSUYdhf3JHd1Fvf + Ov2TwHxt/sm8d91UjhrkYwjf2nzSruAklYDnIDJiHgLFoT5WuOoVlnfUjRpQEw44 + kp8KXsd24Y0UT5XJO5cQA+kZ1vl2ktHbQGTqYuYDB2FKEnBR/JIwJzJfugcGiyRx + OukQ2/rjnS60JA2pHUEfoezIAMhYAF+EPgOgMcNSSRYUVBpPVKD26oGTrNn0AtnO + ALW1vqUDwxb0cpv877vN1VfqvLE8n8Zgtt7itdT0+vxNPxICvF6//LNYUeDoQ3pj + w+1ZSdYZsvIQ7tDcilnL0hU5/nfsSIbHV+ceuLde1xDt5c7Tnl4v/U0CAwEAAQ== -----END RSA PUBLIC KEY----- ''; - tinc.pubkey_ed25519 = "nu1d0uwAE1Lg16SfXkCgGz2blir402mlucwJMfHivrJ"; + tinc.pubkey_ed25519 = "TV9byzSblknvqdUjQCwjgLmA8qCB4Tnl/DSd2mbsZTJ"; }; }; }; 
diff --git a/krebs/3modules/external/rtunreal.nix b/krebs/3modules/external/rtunreal.nix new file mode 100644 index 000000000..8c0e0af2c --- /dev/null +++ b/krebs/3modules/external/rtunreal.nix @@ -0,0 +1,51 @@ +with import <stockholm/lib>; +{ config, ... }: +let + hostDefaults = hostName: host: flip recursiveUpdate host ({ + ci = false; + external = true; + monitoring = false; + owner = config.krebs.users.rtunreal; + } // optionalAttrs (host.nets?retiolum) { + nets.retiolum = { + ip6.addr = (krebs.genipv6 "retiolum" "external" { inherit hostName; }).address; + }; + } // optionalAttrs (host.nets?wiregrill) { + nets.wiregrill = { + ip6.addr = (krebs.genipv6 "wiregrill" "external" { inherit hostName; }).address; + }; + }); +in +{ + users = rec { + rtunreal = { + # Mail is temporary as it will change in the future and I + # don't want it to be semi permanent + # mail: krebscotemp(a)user-sites[point]de + }; + }; + hosts = mapAttrs hostDefaults { + rtspinner = { + nets.retiolum = { + aliases = [ "spinner.rtunreal.r" ]; + ip4.addr = "10.243.20.18"; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEApgnFW2hCP2Lf+CGMtzgiTyA9sphEKGzVtOTJy+LxZ/WchFU6QiU6 + Dl5ybz/Bor25dbwvQCRsQo42gPb+xyjsoHGu2q1NVazMQobePjt/8Qzfqw+Ydz3e + CC0Lq2J7A5HkzHAevvSHjWh52EfAfu9PGnsszDyWY/oKY+JkBd3wdnE4VsZIhUU6 + Zrmuq+JU53Wy4TAcd3JNStvTW3z7MK4BXxovTV3zSq9sg4a120dyrG/d/m35abvm + V20Qb9VPmG+861f7gBn45M1w9d4X+3Ev8zum60Lk9JDRETfnufbOsSWNFVk2nsc3 + wpCYd+7FMq5hBf75At/pQ32kbsMkAMpQDJlHwE/xmhxYU2mzlMLY6JW1gspOt00C + iny5qqmhMoZ3r1VmGuu1aA00V+My+dj5i+pvZiUQ9DG2eYoKM43Var2XsU6lURpL + UhozcYkb+ax9mqlaPjq2BSYLNzmqTJc3FJY6CcyZxIi4aB8EhDeebYD7wIX115tf + wwMIJB9FgmvwBhL2K48P5p8lmxU0sNidvv/Gnr3Fgf1p+jEo8BC9hDK3gigD0lqo + AGmRrjHQN7AjysTMTllDj8RSoO2LhOYTxVtcMsQnPJ9hfFrgnSpSZok64y0h+QJG + q2WZRBwRYORC7JfKNbE6drRtM6DXccMxOM0eQXoDvg3D5Xg4aqWy3ikCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "eHWJxlhbUQY0rT2PLqbqb9W4hf7zHh3+gEIRaGrxAdB"; + }; + }; + }; +} 
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index c038fd4c6..02c673e43 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -628,7 +628,7 @@ let # TODO fix correctly with stringAfter chown -R ${toString config.users.users.git.uid}:nogroup "$repodir" fi - ln -s ${hooks} "$repodir/hooks" + ln -Tfs ${hooks} "$repodir/hooks" '' ) (attrValues cfg.repos)} |
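Review bot: `ln -Tfs ${hooks} "$repodir/hooks"` fixes the old re-run behaviour of nesting a second link at `hooks/hooks`, but `ln -f` cannot replace an existing directory, so for a repository whose `hooks` is a real directory (what a plain `git init` creates) this now fails instead of silently nesting; whether such repositories exist depends on how `$repodir` is initialised, which is outside this hunk. If that case is possible, move the directory aside first: `if [ -d "$repodir/hooks" ] && ! [ -L "$repodir/hooks" ]; then mv "$repodir/hooks" "$repodir/hooks.orig"; fi`. A short comment would also help the next reader: `# -T: treat the target as a path, not a directory to link into`. The enclosing activation script starts before this hunk.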