Diffstat (limited to 'krebs')
64 files changed, 335 insertions, 895 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 91071ec85..655192077 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -5,6 +5,17 @@ ../../../krebs ../../../krebs/2configs ../../../krebs/2configs/nginx.nix + { + # Cherry-pick services.nginx.recommendedTlsSettings to fix: + # nginx: [emerg] "ssl_conf_command" directive is not supported on this platform + services.nginx.recommendedTlsSettings = lib.mkForce false; + services.nginx.appendHttpConfig = '' + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets off; + ssl_prefer_server_ciphers off; + ''; + } ../../../krebs/2configs/binary-cache/nixos.nix ../../../krebs/2configs/ircd.nix diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix index 8bb14d517..5deeb9923 100644 --- a/krebs/1systems/ponte/config.nix +++ b/krebs/1systems/ponte/config.nix @@ -8,6 +8,18 @@ <stockholm/krebs/2configs/nameserver.nix> ]; + #networking.defaultGateway6 = { + # address = "fe80::1"; + # interface = "ens3"; + #}; + #networking.interfaces.ens3.ipv6.addresses = [ + # { + # # old: address = "2a03:4000:13:4c::1"; + # address = "2a03:4000:1a:cf::1"; #/64" + # prefixLength = 64; + # } + #]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.logRefusedConnections = false; networking.firewall.logRefusedUnicastsOnly = false; diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 0c361cc42..60479fd90 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix 
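Review bot: Forcing `services.nginx.recommendedTlsSettings` off in hotdog/config.nix and hand-copying four directives into `appendHttpConfig` freezes this host's TLS session settings at today's snapshot, so later changes to the upstream recommended set will silently not apply here. The comment names the nginx error but not which directive was left out or when the override can be removed; I would extend it, e.g. `# TODO: drop this block once nginx on this host accepts ssl_conf_command; until then keep it in sync with the NixOS nginx module by hand`. Whatever `ssl_conf_command` configured upstream (presumably key-exchange groups, to be confirmed) now falls back to the TLS library default on this host, which is worth stating in the same comment. `lib` is used here, but the module's argument list is outside the hunk.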
@@ -27,11 +27,11 @@ ### shackspace ### # handle the worlddomination map via coap - ../../2configs/shack/worlddomination.nix + #../../2configs/shack/worlddomination.nix (FIXME error: python3.13-LinkHeader-0.4.3 does not configure a `format`. To build with setuptools as before, set `pyproject = true` and `build-system = [ setuptools ]`.) ../../2configs/shack/ssh-keys.nix # drivedroid.shack for shackphone - ../../2configs/shack/drivedroid.nix + #../../2configs/shack/drivedroid.nix (FIXME error: attribute 'drivedroid-gen-repo' missing) # ../../2configs/shack/nix-cacher.nix # Say if muell will be collected @@ -70,7 +70,7 @@ # ../../2configs/shack/share.nix # mobile.lounge.mpd.shack - ../../2configs/shack/mobile.mpd.nix + #../../2configs/shack/mobile.mpd.nix (FIXME Compatibility with CMake < 3.5 has been removed from CMake.) # hass.shack ../../2configs/shack/glados diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix index 32452e010..c51d3c651 100644 --- a/krebs/2configs/buildbot-stockholm.nix +++ b/krebs/2configs/buildbot-stockholm.nix @@ -19,7 +19,6 @@ with import ../../lib/pure.nix { inherit lib; }; enable = true; repos = { disko.urls = [ - "http://cgit.gum.r/disko" "http://cgit.ni.r/disko" "http://cgit.orange.r/disko" ]; @@ -33,7 +32,6 @@ with import ../../lib/pure.nix { inherit lib; }; "http://cgit.orange.r/nix-writers" ]; stockholm.urls = [ - "http://cgit.gum.r/stockholm" "http://cgit.ni.r/stockholm" "http://cgit.orange.r/stockholm" ]; diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix index a797673c9..937a20c29 100644 --- a/krebs/2configs/hw/x220.nix +++ b/krebs/2configs/hw/x220.nix @@ -17,8 +17,8 @@ }; hardware.opengl.extraPackages = [ - pkgs.vaapiIntel - pkgs.vaapiVdpau + pkgs.intel-vaapi-driver + pkgs.libva-vdpau-driver ]; services.xserver = { diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index 633f6f5d5..c394f312d 100644 --- a/krebs/2configs/nameserver.nix 
+++ b/krebs/2configs/nameserver.nix @@ -66,6 +66,10 @@ in { - id: hostingde_ns1 address: 134.0.30.178 + - id: krebscode_ne + address: ${config.krebs.hosts.ne.nets.internet.ip4.addr} + key: krebs_transfer_notify_key + - id: krebscode_ni address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} key: krebs_transfer_notify_key @@ -119,6 +123,7 @@ in { dnssec-policy: rsa2k notify: henet_ns1 notify: hostingde_ns1 + notify: krebscode_ne notify: krebscode_ni acl: transfer_to_henet_secondary acl: transfer_to_hostingde_secondary @@ -141,10 +146,14 @@ in { ''; }; + #krebs.systemd.services.knot.restartIfCredentialsChange = true; systemd.services."knsupdate-krebsco.de" = { serviceConfig = { Type = "oneshot"; SyslogIdentifier = "knsupdate-krebsco.de"; + #LoadCredential = [ + # "keys.conf:/var/src/secrets/knot-keys.conf" + #]; ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ '' set -efu diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index faabf7677..600f7cd6d 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -235,20 +235,20 @@ let env.TASKDATA = "${stateDir}/${name}"; commands = rec { add.filename = pkgs.writers.writeDash "${name}-task-add" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} add "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} add "$1" ''; list.filename = pkgs.writers.writeDash "${name}-task-list" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export \ + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export \ | ${pkgs.jq}/bin/jq -r ' .[] | select(.id != 0) | "\(.id) \(.description)" ' ''; delete.filename = pkgs.writers.writeDash "${name}-task-delete" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} delete "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} delete "$1" ''; del = delete; done.filename = pkgs.writers.writeDash "${name}-task-done" '' - ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} done "$1" + ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} done "$1" ''; }; }; 
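Review bot: The new `krebscode_ne` remote in the first nameserver.nix hunk reuses `krebs_transfer_notify_key`, the key already attached to `krebscode_ni`, so a compromise of either host exposes the secret that authenticates NOTIFY and zone transfer for both; a separate key per secondary would limit that. The second hunk adds `notify: krebscode_ne`, but the `acl:` lines visible there name only the henet and hostingde secondaries, so whether `ne` may actually transfer the zone depends on an ACL outside the hunk; it is worth confirming that ACL matches on the key and not only on ni's address. The third hunk adds only commented-out `restartIfCredentialsChange` and `LoadCredential` lines; a short comment such as `# TODO: switch to LoadCredential once <condition>` would say why they are parked.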
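Review bot: In the `add` command of the first reaktor2.nix hunk, `"$1"` is passed to `task` with nothing separating it from Taskwarrior's own argument syntax, so text that looks like an attribute or a configuration override is parsed instead of being stored as the description. If `$1` carries text typed by IRC users (the caller is outside the hunk), the bot should treat it as data only. Since the line is being touched anyway, I would end argument parsing explicitly: `${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} add -- "$1"`. `delete` and `done` take `"$1"` as a filter, where `--` does not help; a check that the value is a plain numeric ID before the call would cover those.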
@@ -293,7 +293,7 @@ let { activate = "always"; command = { - filename = ../5pkgs/simple/Reaktor/scripts/tell-on_join.sh; + filename = ../5pkgs/simple/reaktor2-plugins/scripts/tell-on_join.sh; env = { PATH = makeBinPath [ pkgs.coreutils # XXX env, touch @@ -415,7 +415,7 @@ let (generators.command_hook { inherit (commands) dance random-emoji nixos-version; tell = { - filename = ../5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh; + filename = ../5pkgs/simple/reaktor2-plugins/scripts/tell-on_privmsg.sh; env = { PATH = makeBinPath [ pkgs.coreutils # XXX date, env @@ -456,7 +456,7 @@ in { printf 'HTTP/1.1 200 OK\r\n' printf 'Connection: close\r\n' printf '\r\n' - TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior}/bin/task rc:${taskRcFile} export + TASKDATA=/var/lib/reaktor2/agenda ${pkgs.taskwarrior2}/bin/task rc:${taskRcFile} export exit ;; esac diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix index a488fdfea..1c7ed4719 100644 --- a/krebs/2configs/repo-sync.nix +++ b/krebs/2configs/repo-sync.nix @@ -98,7 +98,7 @@ in { krebs.secret.files.konsens = { path = "/var/lib/konsens/.ssh/id_ed25519"; owner = konsens-user; - source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>"; + source-path = "${config.krebs.secret.directory}/konsens.id_ed25519"; }; imports = [ @@ -107,9 +107,10 @@ in { desc = "take all computers hostage, they love it"; section = "configuration"; remotes = { - makefu = "http://cgit.gum.r/stockholm"; - tv = "http://cgit.ni.r/stockholm"; + krebs = "https://github.com/krebs/stockholm"; lassulus = "http://cgit.orange.r/stockholm"; + makefu = "https://cgit.euer.krebsco.de/makefu/stockholm.git"; + tv = "http://cgit.ni.r/stockholm"; }; }) ({ krebs.git = defineRepo { diff --git a/krebs/3modules/airdcpp.nix b/krebs/3modules/airdcpp.nix index acd007cb8..901b1eb87 100644 --- a/krebs/3modules/airdcpp.nix +++ b/krebs/3modules/airdcpp.nix 
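Review bot: In the `remotes` set of the second repo-sync.nix hunk, `krebs` and `makefu` now use https while `lassulus` and `tv` stay on plain `http://cgit.*.r/...`, so for those two the integrity of the synced repository rests entirely on the network underneath. That may be acceptable if the `.r` names are reachable only through the project's overlay network (presumably retiolum, to be confirmed), but the file does not say so. A comment above the set, e.g. `# *.r remotes are only reachable via the VPN, hence http`, would record the assumption for the next reader.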
@@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: with lib; let - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); cfg = config.krebs.airdcpp; out = { diff --git a/krebs/3modules/announce-activation.nix b/krebs/3modules/announce-activation.nix index fa0f1530c..1c4067e7a 100644 --- a/krebs/3modules/announce-activation.nix +++ b/krebs/3modules/announce-activation.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); cfg = config.krebs.announce-activation; announce-activation = pkgs.writeDash "announce-activation" '' set -efu diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index 900be5139..2be3a1422 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let out = { options.krebs.backup = api; diff --git a/krebs/3modules/brockman.nix b/krebs/3modules/brockman.nix index a3acf83cf..e7847aa09 100644 --- a/krebs/3modules/brockman.nix +++ b/krebs/3modules/brockman.nix @@ -1,7 +1,7 @@ { pkgs, config, lib, ... }: with lib; let - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); cfg = config.krebs.brockman; in { options.krebs.brockman = { diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index bf20cb099..6480c300f 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); { options.krebs.build = { diff --git a/krebs/3modules/ci/default.nix b/krebs/3modules/ci/default.nix index 5035a11a8..18fe46a98 100644 --- a/krebs/3modules/ci/default.nix 
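Review bot: Nothing in airdcpp.nix says where `lib.slib` is expected to come from or when the `import ../../lib/pure.nix` fallback is taken, and the same expression is repeated in announce-activation, backup, brockman, build, ci, dns, the exim modules, git, hosts, htgen, iana-etc, konsens and on-failure. In hosts.nix the commit also removes `# we need this import because we have infinite recursion otherwise` while keeping the import as a fallback, so the constraint that comment described is no longer written down. I would add one line where `slib` is bound, e.g. `# prefer the slib attached to lib by the caller; fall back to a direct import for standalone evaluation`, adjusted to whatever actually provides `lib.slib`.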
+++ b/krebs/3modules/ci/default.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: -with import ../../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.ci; @@ -50,7 +50,7 @@ let "${url}", workdir='${name}-${elemAt(splitString "." url) 1}', branches=True, project='${name}', - pollinterval=30 + pollInterval=30 ) '') repo.urls ) cfg.repos; diff --git a/krebs/3modules/dns.nix b/krebs/3modules/dns.nix index a268b931c..fd672a890 100644 --- a/krebs/3modules/dns.nix +++ b/krebs/3modules/dns.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; { +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); { options = { krebs.dns.providers = mkOption { type = types.attrsOf types.str; diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index f78f1746c..b5f8d187a 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -1,5 +1,5 @@ { config, pkgs, lib, ... }: -with import ../../lib/pure.nix { inherit lib; }; let +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.exim-retiolum; # Due to improvements to the JSON notation, braces around top-level objects diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 4e42ce72e..14963f472 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.exim-smarthost; diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix index 583fd07b1..bb749b273 100644 --- a/krebs/3modules/exim.nix +++ b/krebs/3modules/exim.nix 
@@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: with import ../../lib/pure.nix { inherit lib; }; let +{ config, lib, pkgs, ... }: with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.exim; in { options.krebs.exim = { diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 6d666b6d6..8b8f205dc 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -6,7 +6,7 @@ # TODO when authorized_keys changes, then restart ssh # (or kill already connected users somehow) -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.git; diff --git a/krebs/3modules/github/known-hosts.nix b/krebs/3modules/github/known-hosts.nix index 3725ff2b8..6f10452e9 100644 --- a/krebs/3modules/github/known-hosts.nix +++ b/krebs/3modules/github/known-hosts.nix @@ -8,4 +8,5 @@ ; publicKey = "ssh-rsa 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"; }; + # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl } diff --git a/krebs/3modules/hosts.nix b/krebs/3modules/hosts.nix index 2333d0a8d..148b58d14 100644 --- a/krebs/3modules/hosts.nix +++ b/krebs/3modules/hosts.nix @@ -2,8 +2,7 @@ with lib; let check = hostname: any (domain: hasSuffix ".${domain}" hostname) domains; domains = attrNames (filterAttrs (_: slib.eq "hosts") config.krebs.dns.providers); - # we need this import because we have infinite recursion otherwise - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); in { options = { diff --git a/krebs/3modules/htgen.nix b/krebs/3modules/htgen.nix index 334a83cb3..020b3eaea 100644 --- a/krebs/3modules/htgen.nix +++ b/krebs/3modules/htgen.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let optionalAttr = name: value: if name != null then 
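Review bot: The ed25519 key added at the end of github/known-hosts.nix is only a comment, so it is not part of the pinned host keys and a client that negotiates ed25519 will find no matching entry from this module. If the intent is to pin it, it has to become a real entry next to the existing `ssh-rsa` `publicKey` (the surrounding attribute structure is outside the hunk). If it is a reminder, the comment should say so and record how the key was checked, e.g. `# not pinned yet; verified against GitHub's published SSH host keys on <date>`.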
diff --git a/krebs/3modules/iana-etc.nix b/krebs/3modules/iana-etc.nix index dabe2f8aa..8858c6ed5 100644 --- a/krebs/3modules/iana-etc.nix +++ b/krebs/3modules/iana-etc.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: let - slib = import ../../lib/pure.nix { inherit lib; }; + slib = lib.slib or (import ../../lib/pure.nix { inherit lib; }); in with lib; { options.krebs.iana-etc.services = mkOption { diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index 16f1f3c84..1cde42dc3 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -19,6 +19,14 @@ let api = { enable = mkEnableOption "iptables"; + rules4 = mkOption { + default = buildTables "v4" cfg.tables; + }; + + rules6 = mkOption { + default = buildTables "v6" cfg.tables; + }; + #tables.filter.INPUT = { # policy = "DROP"; # rules = [ diff --git a/krebs/3modules/konsens.nix b/krebs/3modules/konsens.nix index 0463de53f..b71cb2ba9 100644 --- a/krebs/3modules/konsens.nix +++ b/krebs/3modules/konsens.nix @@ -1,5 +1,5 @@ { config, lib, pkgs, ... }: -with import ../../lib/pure.nix { inherit lib; }; +with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let cfg = config.krebs.konsens; diff --git a/krebs/3modules/on-failure.nix b/krebs/3modules/on-failure.nix index 11d2b4194..d87b279a0 100644 --- a/krebs/3modules/on-failure.nix +++ b/krebs/3modules/on-failure.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: with import ../../lib/pure.nix { inherit lib; }; let +{ config, lib, pkgs, ... }: with lib.slib or (import ../../lib/pure.nix { inherit lib; }); let out = { options.krebs.on-failure = api; config = lib.mkIf cfg.enable imp; diff --git a/krebs/3modules/per-user.nix b/krebs/3modules/per-user.nix index c0368ee85..f83a29acb 100644 --- a/krebs/3modules/per-user.nix +++ b/krebs/3modules/per-user.nix @@ -28,7 +28 |
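Review bot: `rules4` and `rules6` in iptables.nix are declared with only a `default`, so they carry no `type` or `description`, and any other module can assign to them and replace the ruleset that `buildTables` derives from `cfg.tables`. If they are meant as computed output for other modules to read, declare them with `readOnly = true;` and assign the `buildTables "v4" cfg.tables` result in the module's `config` instead of as a default, so a second definition is rejected at evaluation time. A `type` matching what `buildTables` returns (its definition is outside the hunk, presumably a string) and a one-line `description` would complete the option; the `api` set continues past the hunk.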
