9 files changed, 193 insertions, 34 deletions
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index cd259d0fe..c59494e4d 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -141,6 +141,15 @@ with import <stockholm/lib>;
 
     dnsutils
     generate-secrets
+    (pkgs.writeDashBin "btc-coinbase" ''
+      ${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount'
+    '')
+    (pkgs.writeDashBin "btc-wex" ''
+      ${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg'
+    '')
+    (pkgs.writeDashBin "btc-kraken" ''
+      ${pkgs.curl}/bin/curl -Ss  'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
+    '')
   ];
 
   #TODO: fix this shit
@@ -177,4 +186,34 @@ with import <stockholm/lib>;
   programs.adb.enable = true;
   users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
   virtualisation.docker.enable = true;
+
+  lass.restic = genAttrs [
+    "daedalus"
+    "icarus"
+    "littleT"
+    "prism"
+    "shodan"
+    "skynet"
+  ] (dest: {
+    dirs = [
+      "/home/lass/src"
+      "/home/lass/work"
+      "/home/lass/.gnupg"
+      "/home/lass/Maildir"
+      "/home/lass/stockholm"
+      "/home/lass/.password-store"
+      "/home/bitcoin"
+      "/home/bch"
+    ];
+    passwordFile = (toString <secrets>) + "/restic/${dest}";
+    repo = "sftp:backup@${dest}.r:/backups/mors";
+    #sshPrivateKey = config.krebs.build.host.ssh.privkey.path;
+    extraArguments = [
+      "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
+    ];
+    timerConfig = {
+      OnCalendar = "00:05";
+      RandomizedDelaySec = "5h";
+    };
+  });
 }
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index c0e4620cc..983604f8e 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -8,11 +8,15 @@ in {
   imports = [
     <stockholm/lass>
     {
-      networking.interfaces.et0.ip4 = [
+      networking.interfaces.et0.ipv4.addresses = [
         {
           address = ip;
           prefixLength = 27;
         }
+        {
+          address = "46.4.114.243";
+          prefixLength = 27;
+        }
       ];
       networking.defaultGateway = "46.4.114.225";
       networking.nameservers = [
@@ -110,29 +114,13 @@ in {
       };
 
       # TODO write function for proxy_pass (ssl/nonssl)
-      services.nginx.virtualHosts."hackerfleet.de" = {
-        serverAliases = [
-          "*.hackerfleet.de"
-        ];
-        locations."/".extraConfig = ''
-          proxy_pass http://192.168.122.92:80;
-        '';
-      };
-      services.nginx.virtualHosts."hackerfleet.de-s" = {
-        serverName = "hackerfleet.de";
-        listen = [
-          {
-            addr = "0.0.0.0";
-            port = 443;
-          }
-        ];
-        serverAliases = [
-          "*.hackerfleet.de"
-        ];
-        locations."/".extraConfig = ''
-          proxy_pass http://192.168.122.92:443;
-        '';
-      };
+
+      krebs.iptables.tables.filter.FORWARD.rules = [
+        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; }
+      ];
+      krebs.iptables.tables.nat.PREROUTING.rules = [
+        { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; }
+      ];
     }
     {
       users.users.tv = {
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 50362cda4..3ee3a98a5 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -3,7 +3,7 @@
 let
   mainUser = config.users.extraUsers.mainUser;
   vdoom = pkgs.writeDash "vdoom" ''
-    ${pkgs.zandronum-bin}/bin/zandronum \
+    ${pkgs.zandronum}/bin/zandronum \
       -fov 120 \
       "$@"
   '';
@@ -50,7 +50,7 @@ let
   vdoomserver = pkgs.writeDashBin "vdoomserver" ''
     DOOM_DIR=''${DOOM_DIR:-~/doom/}
 
-    ${pkgs.zandronum-bin}/bin/zandronum-server \
+    ${pkgs.zandronum}/bin/zandronum-server \
     +exec ${doomservercfg} \
     "$@"
   '';
diff --git a/lass/2configs/reaktor-coders.nix b/lass/2configs/reaktor-coders.nix
index 5fa1611ae..5a39f7115 100644
--- a/lass/2configs/reaktor-coders.nix
+++ b/lass/2configs/reaktor-coders.nix
@@ -4,7 +4,7 @@ with import <stockholm/lib>;
 {
   krebs.Reaktor.coders = {
     nickname = "Reaktor|lass";
-    channels = [ "#coders" "#germany" ];
+    channels = [ "#coders" "#germany" "#panthermoderns" ];
     extraEnviron = {
       REAKTOR_HOST = "irc.hackint.org";
     };
@@ -87,6 +87,19 @@ with import <stockholm/lib>;
           exec /run/wrappers/bin/ping -q -c1 "$1" 2>&1 | tail -1
         '';
       })
+      (buildSimpleReaktorPlugin "google" {
+        pattern = "^!g (?P<args>.*)$$";
+        script = pkgs.writeDash "google" ''
+          exec ${pkgs.ddgr}/bin/ddgr -C -n1 --json "$@" | \
+            ${pkgs.jq}/bin/jq '@text "\(.[0].abstract) \(.[0].url)"'
+        '';
+      })
+      (buildSimpleReaktorPlugin "blockchain" {
+        pattern = ".*[Bb]lockchain.*$$";
+        script = pkgs.writeDash "blockchain" ''
+          exec echo 'DID SOMEBODY SAY BLOCKCHAIN? https://paste.krebsco.de/r99pMoQq/+inline'
+        '';
+      })
     ];
   };
 }
diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix
index cef43d1e6..17debf822 100644
--- a/lass/2configs/syncthing.nix
+++ b/lass/2configs/syncthing.nix
@@ -3,7 +3,6 @@ with import <stockholm/lib>;
 {
   services.syncthing = {
     enable = true;
-    useInotify = true;
   };
   krebs.iptables.tables.filter.INPUT.rules = [
     { predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 62055d0fd..441b7af90 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -16,7 +16,7 @@ rec {
     in {
       services.nginx.virtualHosts.${domain} = {
         enableACME = true;
-        enableSSL = true;
+        onlySSL = true;
         extraConfig = ''
           listen 80;
           listen [::]:80;
@@ -34,7 +34,7 @@ rec {
     in {
       services.nginx.virtualHosts."${domain}" = {
         enableACME = true;
-        enableSSL = true;
+        onlySSL = true;
         serverAliases = domains;
         extraConfig = ''
           listen 80;
@@ -148,7 +148,7 @@ rec {
     in {
       services.nginx.virtualHosts."${domain}" = {
         enableACME = true;
-        enableSSL = true;
+        onlySSL = true;
         serverAliases = domains;
         extraConfig = ''
           listen 80;
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 0c10e1ec2..5e7e6dff3 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -8,6 +8,7 @@ _:
     ./mysql-backup.nix
     ./news.nix
     ./pyload.nix
+    ./restic.nix
     ./screenlock.nix
     ./umts.nix
     ./usershadow.nix
diff --git a/lass/3modules/restic.nix b/lass/3modules/restic.nix
new file mode 100644
index 000000000..c720793b1
--- /dev/null
+++ b/lass/3modules/restic.nix
@@ -0,0 +1,119 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+
+{
+  options.lass.restic = mkOption {
+    type = types.attrsOf (types.submodule ({ config, ... }: {
+      options = {
+        name = mkOption {
+          type = types.str;
+          default = config._module.args.name;
+        };
+        passwordFile = mkOption {
+          type = types.str;
+          default = toString <secrets/restic-password>;
+          description = ''
+            read the repository password from a file.
+          '';
+          example = "/etc/nixos/restic-password";
+
+        };
+        repo = mkOption {
+          type = types.str;
+          default = "sftp:backup@prism.r:/backups/${config.name}";
+          description = ''
+            repository to backup to.
+          '';
+          example = "sftp:backup@192.168.1.100:/backups/${config.name}";
+        };
+        dirs = mkOption {
+          type = types.listOf types.str;
+          default = [];
+          description = ''
+            which directories to backup.
+          '';
+          example = [
+            "/var/lib/postgresql"
+            "/home/user/backup"
+          ];
+        };
+        timerConfig = mkOption {
+          type = types.attrsOf types.str;
+          default = {
+            OnCalendar = "daily";
+          };
+          description = ''
+            When to run the backup. See man systemd.timer for details.
+          '';
+          example = {
+            OnCalendar = "00:05";
+            RandomizedDelaySec = "5h";
+          };
+        };
+        user = mkOption {
+          type = types.str;
+          default = "root";
+          description = ''
+            As which user the backup should run.
+          '';
+          example = "postgresql";
+        };
+        extraArguments = mkOption {
+          type = types.listOf types.str;
+          default = [];
+          description = ''
+            Extra arguments to append to the restic command.
+          '';
+          example = [
+            "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp"
+          ];
+        };
+        initialize = mkOption {
+          type = types.bool;
+          default = false;
+          description = ''
+            Create the repository if it doesn't exist.
+          '';
+        };
+      };
+    }));
+    default = {};
+  };
+
+  config = {
+    systemd.services =
+      mapAttrs' (_: plan:
+        let
+          extraArguments = concatMapStringsSep " " (arg: "-o ${arg}") plan.extraArguments;
+          connectTo = elemAt (splitString ":" plan.repo) 1;
+          resticCmd = "${pkgs.restic}/bin/restic ${extraArguments}";
+        in nameValuePair "backup.${plan.name}" {
+          environment = {
+            RESTIC_PASSWORD_FILE = plan.passwordFile;
+            RESTIC_REPOSITORY = plan.repo;
+          };
+          path = with pkgs; [
+            openssh
+          ];
+          restartIfChanged = false;
+          serviceConfig = {
+            ExecStartPre = mkIf plan.initialize (pkgs.writeScript "rustic-${plan.name}-init" ''
+              #! ${pkgs.bash}/bin/bash
+              ${resticCmd} snapshots || ${resticCmd} init
+            '');
+            ExecStart = pkgs.writeDash "rustic-${plan.name}" (
+              "#! ${pkgs.bash}/bin/bash\n" +
+              concatMapStringsSep "\n" (dir: "${resticCmd} backup ${dir}") plan.dirs
+            );
+            User = plan.user;
+          };
+        }
+      ) config.lass.restic;
+    systemd.timers =
+      mapAttrs' (_: plan: nameValuePair "backup.${plan.name}" {
+        wantedBy = [ "timers.target" ];
+        timerConfig = plan.timerConfig;
+      }) config.lass.restic;
+  };
+}
diff --git a/lass/5pkgs/generate-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix
index 5a4afe7c5..4b25fbd4c 100644
--- a/lass/5pkgs/generate-secrets/default.nix
+++ b/lass/5pkgs/l-gen-secrets/default.nix
@@ -1,5 +1,5 @@
 { pkgs }:
-pkgs.writeDashBin "generate-secrets" ''
+pkgs.writeDashBin "l-gen-secrets" ''
   HOSTNAME="$1"
   TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
   PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1)
@@ -17,9 +17,9 @@ pkgs.writeDashBin "generate-secrets" ''
 
   cd $TMPDIR
   for x in *; do
-    ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null
+    ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m krebs-secrets/$HOSTNAME/$x > /dev/null
   done
-  echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/hosts/$HOSTNAME/pass > /dev/null
+  echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/pass > /dev/null
 
   cat <<EOF
     $HOSTNAME = {