Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/bepasty.nix44
-rw-r--r--lass/2configs/default.nix2
-rw-r--r--lass/2configs/green-host.nix10
-rw-r--r--lass/2configs/mpv.nix7
-rw-r--r--lass/2configs/murmur.nix13
-rw-r--r--lass/2configs/pass.nix8
-rw-r--r--lass/2configs/prism-mounts/samba.nix15
-rw-r--r--lass/2configs/ts3.nix19
-rw-r--r--lass/2configs/vim.nix14
-rw-r--r--lass/2configs/websites/domsen.nix19
10 files changed, 58 insertions, 93 deletions
diff --git a/lass/2configs/bepasty.nix b/lass/2configs/bepasty.nix
deleted file mode 100644
index 9bd416c05..000000000
--- a/lass/2configs/bepasty.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{ config, pkgs, ... }:
-with import <stockholm/lib>;
-
-# secrets used:
-# wildcard.krebsco.de.crt
-# wildcard.krebsco.de.key
-# bepasty-secret.nix <- contains single string
-
-with import <stockholm/lib>;
-let
- secKey = import <secrets/bepasty-secret.nix>;
- ext-doms = [
- "paste.lassul.us"
- "paste.krebsco.de"
- ];
-in {
-
- services.nginx.enable = mkDefault true;
- krebs.bepasty = {
- enable = true;
- serveNginx= true;
-
- servers = {
- "paste.r" = {
- nginx = {
- serverAliases = [
- "paste.${config.krebs.build.host.name}"
- "paste.r"
- ];
- };
- defaultPermissions = "admin,list,create,read,delete";
- secretKey = secKey;
- };
- } //
- genAttrs ext-doms (ext-dom: {
- nginx = {
- forceSSL = true;
- enableACME = true;
- };
- defaultPermissions = "read,create";
- secretKey = secKey;
- });
- };
-}
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index eb38d0e97..1bcfb162c 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -89,8 +89,6 @@ with import <stockholm/lib>;
services.timesyncd.enable = mkForce true;
- boot.tmpOnTmpfs = true;
-
# multiple-definition-problem when defining environment.variables.EDITOR
environment.extraInit = ''
EDITOR=vim
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
index 355daba9c..a83ed0544 100644
--- a/lass/2configs/green-host.nix
+++ b/lass/2configs/green-host.nix
@@ -6,12 +6,12 @@
];
krebs.sync-containers.containers.green = {
peers = [
+ "echelon"
"icarus"
+ "littleT"
+ "mors"
"shodan"
"skynet"
- "mors"
- "morpheus"
- "littleT"
"styx"
];
hostIp = "10.233.2.15";
@@ -25,5 +25,9 @@
repo = "/var/lib/sync-containers/green/backup";
compression = "auto,lzma";
startAt = "daily";
+ prune.keep = {
+ daily = 7;
+ weekly = 4;
+ };
};
}
diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix
index 210551a62..854af3eb5 100644
--- a/lass/2configs/mpv.nix
+++ b/lass/2configs/mpv.nix
@@ -80,7 +80,12 @@ let
name = "mpv";
paths = [
(pkgs.writeDashBin "mpv" ''
- exec ${pkgs.mpv}/bin/mpv -vo=gpu --no-config --script=${autosub} "$@"
+ exec ${pkgs.mpv}/bin/mpv \
+ -vo=gpu \
+ --no-config \
+ --script=${autosub} \
+ --script-opts=ytdl_hook-ytdl_path=${pkgs.yt-dlp}/bin/yt-dlp \
+ "$@"
'')
pkgs.mpv
];
diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix
index 9f325d0af..7cc4051a8 100644
--- a/lass/2configs/murmur.nix
+++ b/lass/2configs/murmur.nix
@@ -16,7 +16,7 @@
StandardError = lib.mkForce "journal";
};
virtualisation.oci-containers.containers.mumble-web = {
- image = "rankenstein/mumble-web";
+ image = "rankenstein/mumble-web:0.5";
environment = {
MUMBLE_SERVER = "lassul.us:64738";
};
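Review bot: `image = "rankenstein/mumble-web:0.5";` pins a tag, and registry tags are mutable, so the image that actually runs can still change without any change to this file. Pinning by digest makes the deployed content reproducible, e.g. `image = "rankenstein/mumble-web:0.5@sha256:<DIGEST_PLACEHOLDER>";`. The digest is not shown on this page and has to come from a pull you have verified.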
@@ -28,12 +28,9 @@
services.nginx.virtualHosts."mumble.lassul.us" = {
enableACME = true;
forceSSL = true;
- locations."/".extraConfig = ''
- proxy_pass http://localhost:64739/;
- proxy_set_header Accept-Encoding "";
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- '';
+ locations."/" = {
+ proxyPass = "http://localhost:64739";
+ proxyWebsockets = true;
+ };
};
}
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
index 48070ea06..8ec3ac092 100644
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@@ -4,7 +4,15 @@
users.users.mainUser.packages = with pkgs; [
(pass.withExtensions (ext: [ ext.pass-otp ]))
gnupg
+ (pkgs.writers.writeDashBin "unlock" ''
+ set -efu
+ HOST=$1
+
+ pw=$(pass show "admin/$HOST/luks")
+ torify sshn root@$(pass "hosts/$HOST/initrd/hostname") "echo $pw > /crypt-ramfs/passphrase"
+ '')
];
programs.gnupg.agent.enable = true;
+
}
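Review bot: The `unlock` script interpolates the LUKS passphrase into the remote command string (`"echo $pw > /crypt-ramfs/passphrase"`), so it lands in the local ssh argv, where the process list exposes it. The remote shell also re-parses it, so any shell metacharacter or extra line in the `pass show` output is interpreted instead of written. Sending it over stdin avoids both: `pass show "admin/$HOST/luks" | torify sshn "root@$(pass "hosts/$HOST/initrd/hostname")" 'cat > /crypt-ramfs/passphrase'`. `echo` appends a newline while `cat` passes through whatever `pass show` prints, so confirm what the initrd reader expects. The hunk does not show what `sshn` does; if it is a wrapper that skips host-key checking, the passphrase goes to whichever endpoint answers, so pinning the initrd host key is worth considering.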
diff --git a/lass/2configs/prism-mounts/samba.nix b/lass/2configs/prism-mounts/samba.nix
new file mode 100644
index 000000000..4b1475ef3
--- /dev/null
+++ b/lass/2configs/prism-mounts/samba.nix
@@ -0,0 +1,15 @@
+{
+ fileSystems."/mnt/prism" = {
+ device = "//prism.r/public";
+ fsType = "cifs";
+ options = [
+ "guest"
+ "nofail"
+ "noauto"
+ "ro"
+ "x-systemd.automount"
+ "x-systemd.device-timeout=1"
+ "x-systemd.idle-timeout=1min"
+ ];
+ };
+ }
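Review bot: The `/mnt/prism` mount uses `guest`, so the share content is unauthenticated, and the `options` list has no `nosuid`, `nodev` or `noexec`; `ro` only prevents writes from this client. Adding `"nosuid"`, `"nodev"` and `"noexec"` keeps files served by `prism.r` from being executed or honoured as setuid binaries or device nodes on the mounting host. A one-line comment saying the share is intentionally public and only reachable on the internal network (if that is the intent) would also help the next reader.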
diff --git a/lass/2configs/ts3.nix b/lass/2configs/ts3.nix
deleted file mode 100644
index d0cfdf478..000000000
--- a/lass/2configs/ts3.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, ... }:
-
-{
- services.teamspeak3 = {
- enable = true;
- };
-
- krebs.iptables.tables.filter.INPUT.rules = [
- #voice port
- { predicate = "-p tcp --dport 9987"; target = "ACCEPT"; }
- { predicate = "-p udp --dport 9987"; target = "ACCEPT"; }
- ##file transfer port
- { predicate = "-p tcp --dport 30033"; target = "ACCEPT"; }
- { predicate = "-p udp --dport 30033"; target = "ACCEPT"; }
- ##query port
- #{ predicate = "-p tcp --dport 10011"; target = "ACCEPT"; }
- #{ predicate = "-p udp --dport 10011"; target = "ACCEPT"; }
- ];
-}
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index 0e4ac5394..6c730efdd 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -5,16 +5,6 @@ let
out = {
environment.systemPackages = [
(hiPrio vim)
- (pkgs.writeDashBin "govet" ''
- go vet "$@"
- '')
- (hiPrio (pkgs.python3.withPackages (ps: [
- ps.python-language-server
- ps.pyls-isort
- ps.pyflakes
- ps.flake8
- ps.yapf
- ])))
];
environment.etc.vimrc.source = vimrc;
@@ -126,11 +116,7 @@ let
'';
extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
- pkgs.vimPlugins.ack-vim
pkgs.vimPlugins.undotree
- pkgs.vimPlugins.vim-go
- pkgs.vimPlugins.fzf-vim
- pkgs.vimPlugins.LanguageClient-neovim
(pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchFromGitHub {
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 40f67537e..3f055e370 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -82,7 +82,6 @@ in {
"o_ubikmedia_de"
];
- services.phpfpm.phpPackage = pkgs.php73;
services.phpfpm.phpOptions = ''
sendmail_path = ${sendmail} -t
upload_max_filesize = 100M
@@ -117,6 +116,13 @@ in {
# workaround for android 7
security.acme.certs."lassul.us".keyType = "rsa4096";
+ services.roundcube = {
+ enable = true;
+ hostName = "mail.lassul.us";
+ extraConfig = ''
+ $config['smtp_port'] = 25;
+ '';
+ };
services.dovecot2 = {
enable = true;
mailLocation = "maildir:~/Mail";
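Review bot: `$config['smtp_port'] = 25;` points Roundcube at the MTA's port 25 without saying why the submission port is not used. The block sets no SMTP user, password or TLS option, so whether webmail submissions are authenticated or encrypted depends on defaults not visible in this hunk. If the intent is that the local MTA accepts mail from the loopback address only, say so in a comment above the line, e.g. `# local MTA relays for 127.0.0.1 without auth; port 25 is intentional`, and check that the relay rule really is limited to localhost. Newer Roundcube releases appear to fold the port into `smtp_host`, so also confirm the packaged version still honours `smtp_port`.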
@@ -138,7 +144,7 @@ in {
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
- server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
+ server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
'';
internet-aliases = [
{ from = "dma@ubikmedia.de"; to = "domsen"; }
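Review bot: `server_condition` still passes `$auth1 $auth2` (the login and the cleartext password) as command-line arguments, now to `/run/wrappers/bin/shadow_verify_arg`. Argv is visible to other local users through the process list for the lifetime of the call, and a value containing whitespace may be split into extra arguments depending on how `${run}` tokenises in the deployed Exim version. The `/run/wrappers/bin` path suggests a setuid wrapper; unless it is restricted to the Exim user or group, any local account could invoke it to check passwords against the shadow data. The wrapper definition is outside this hunk, so confirm its owner, group and permissions. A verifier that reads the credentials from stdin would remove the argv exposure.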
@@ -317,6 +323,15 @@ in {
isNormalUser = true;
};
+ users.users.line = {
+ uid = genid_uint31 "line";
+ home = "/home/line";
+ useDefaultShell = true;
+ # extraGroups = [ "xanf" ];
+ createHome = true;
+ isNormalUser = true;
+ };
+
users.groups.xanf = {};
krebs.on-failure.plans.restic-backups-domsen = {