diff options
Diffstat (limited to 'lass')
48 files changed, 1221 insertions, 426 deletions
diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix index d49040a7a..618938ce8 100644 --- a/lass/1systems/aergia/config.nix +++ b/lass/1systems/aergia/config.nix @@ -27,6 +27,83 @@ <stockholm/lass/2configs/print.nix> <stockholm/lass/2configs/br.nix> <stockholm/lass/2configs/c-base.nix> + # steam-deck like experience https://github.com/Jovian-Experiments/Jovian-NixOS + { + imports = [ + "${builtins.fetchTarball "https://github.com/Jovian-Experiments/Jovian-NixOS/archive/master.tar.gz"}/modules" + ]; + jovian.steam.enable = true; + } + { # autorandrs + services.autorandr = { + enable = true; + hooks.postswitch.reset_usb = '' + echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized + ${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert + ''; + profiles = { + default = { + fingerprint = { + eDP = "00ffffffffffff00288931000100000016200104805932780a0dc9a05747982712484c0000000101010101010101010101010101010108700088a1401360c820a300d9870000001ead4a0088a1401360c820a30020c23100001e000000fd0016480f5a1e000a202020202020000000fc0047504431303031480a2020202000cf"; + }; + config = { + eDP = { + enable = true; + primary = true; + position = "0x0"; + mode = "2560x1600"; + rate = "60.01"; + transform = [ + [ 0.750000 0.000000 0.000000 ] + [ 0.000000 0.750000 0.000000 ] + [ 0.000000 0.000000 1.000000 ] + ]; + # scale = { + # x = 0.599991; + # y = 0.599991; + # }; + }; + }; + }; + docked2 = { + fingerprint = { + eDP = config.services.autorandr.profiles.default.fingerprint.eDP; + DisplayPort-8 = "00ffffffffffff0010ac39d14c3346300f200104b5462878fb26f5af4f46a5240f5054a54b00714f8140818081c081009500b300d1c0565e00a0a0a0295030203500b9882100001a000000ff00444342375847330a2020202020000000fc0044454c4c204733323233440a20000000fd0030a5fafa41010a2020202020200181020332f149030212110490131f3f2309070783010000e200eae305c000e606050162622c6d1a0000020b30a50007622c622c5a8780a070384d4030203500b9882100001af4fb0050a0a0285008206800b9882100001a40e7006aa0a0675008209804b9882100001a6fc200a0a0a0555030203500b9882100001a000000000009"; + DisplayPort-7 = "00ffffffffffff0020a32f00010000000c190103807341780acf74a3574cb02309484c21080081c0814081800101010101010101010104740030f2705a80b0588a00501d7400001e023a801871382d40582c4500501d7400001e000000fc00484953454e53450a2020202020000000fd00324b0f451e000a2020202020200172020333714f5f5e5d01020400101113001f2021222909070715075057070083010000e200f96d030c002000183c200060010203662150b051001b304070360056005300001e011d8018711c1620582c2500c48e2100009e011d007251d01e206e285500c48e2100001800000000000000000000000000000000000000000000ea"; + }; + config = { + DisplayPort-7 = { + enable = true; + position = "2560x0"; + mode = "1920x1080"; + rate = "60.00"; + }; + DisplayPort-8 = config.services.autorandr.profiles.docked1.config.DisplayPort-1; + eDP = config.services.autorandr.profiles.docked1.config.eDP; + }; + }; + docked1 = { + fingerprint = { + eDP = config.services.autorandr.profiles.default.fingerprint.eDP; + DisplayPort-1 = "00ffffffffffff0010ac39d14c3346300f200104b5462878fb26f5af4f46a5240f5054a54b00714f8140818081c081009500b300d1c0565e00a0a0a0295030203500b9882100001a000000ff00444342375847330a2020202020000000fc0044454c4c204733323233440a20000000fd0030a5fafa41010a2020202020200181020332f149030212110490131f3f2309070783010000e200eae305c000e606050162622c6d1a0000020b30a50007622c622c000000000000000000000000000000000000f4fb0050a0a0285008206800b9882100001a40e7006aa0a0675008209804b9882100001a6fc200a0a0a0555030203500b9882100001a000000000040"; + }; + config = { + DisplayPort-1 = { + enable = true; + primary = true; + position = "0x0"; + mode = "2560x1440"; + rate = "165.08"; + }; + eDP = config.services.autorandr.profiles.default.config.eDP // { + primary = false; + position = "640x1440"; + }; + }; + }; + }; + }; + } ]; system.stateVersion = "22.11"; @@ -38,6 +115,8 @@ bank l-gen-secrets generate-secrets + nixpkgs-review + pipenv ]; programs.adb.enable = true; @@ -65,4 +144,5 @@ ]; boot.cleanTmpDir = true; + programs.noisetorch.enable = true; } diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix index 0ae0892ee..848157729 100644 --- a/lass/1systems/aergia/disk.nix +++ b/lass/1systems/aergia/disk.nix @@ -10,14 +10,12 @@ partitions = [ { name = "boot"; - type = "partition"; start = "0"; end = "1M"; part-type = "primary"; flags = ["bios_grub"]; } { - type = "partition"; name = "ESP"; start = "1MiB"; end = "1GiB"; @@ -31,7 +29,6 @@ } { name = "root"; - type = "partition"; start = "1GiB"; end = "100%"; content = { diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 692f68dcc..9f06dccdc 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -19,15 +19,9 @@ boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelParams = [ - # Enable energy savings during sleep - "mem_sleep_default=deep" - # use less power with pstate "amd_pstate=passive" - # for ryzenadj -i - "iomem=relaxed" - # suspend "resume_offset=178345675" ]; @@ -37,24 +31,6 @@ # On recent AMD CPUs this can be more energy efficient. "amd-pstate" "kvm-amd" - - # needed for zenstates - "msr" - - # zenpower - "zenpower" - ]; - - boot.extraModulePackages = [ - (config.boot.kernelPackages.zenpower.overrideAttrs (old: { - src = pkgs.fetchFromGitea { - domain = "git.exozy.me"; - owner = "a"; - repo = "zenpower3"; - rev = "c176fdb0d5bcba6ba2aba99ea36812e40f47751f"; - hash = "sha256-d2WH8Zv7F0phZmEKcDiaak9On+Mo9bAFhMulT/N5FWI="; - }; - })) ]; # hardware.cpu.amd.updateMicrocode = true; @@ -76,7 +52,6 @@ environment.systemPackages = [ pkgs.vulkan-tools - pkgs.ryzenadj (pkgs.writers.writeDashBin "set_tdp" '' set -efux watt=$1 @@ -85,9 +60,6 @@ '') ]; - # textsize - services.xserver.dpi = 200; - # corectrl programs.corectrl = { enable = true; @@ -99,17 +71,6 @@ users.users.mainUser.extraGroups = [ "corectrl" ]; # use newer ryzenadj - nixpkgs.config.packageOverrides = super: { - ryzenadj = super.ryzenadj.overrideAttrs (old: { - version = "unstable-2023-01-15"; - src = pkgs.fetchFromGitHub { - owner = "FlyGoat"; - repo = "RyzenAdj"; - rev = "1052fb52b2c0e23ac4cd868c4e74d4a9510be57c"; # unstable on 2023-01-15 - sha256 = "sha256-/IxkbQ1XrBrBVrsR4EdV6cbrFr1m+lGwz+rYBqxYG1k="; - }; - }); - }; # keyboard quirks services.xserver.displayManager.sessionCommands = '' @@ -122,11 +83,16 @@ KEYBOARD_KEY_70027=reserved ''; - # ignore power key - # update cpu microcode hardware.cpu.amd.updateMicrocode = true; + hardware.opengl.enable = true; + hardware.opengl.extraPackages = [ + pkgs.amdvlk + pkgs.rocm-opencl-icd + pkgs.rocm-opencl-runtime + ]; + # suspend to disk swapDevices = [{ device = "/swapfile"; @@ -139,4 +105,8 @@ # firefox touchscreen support environment.sessionVariables.MOZ_USE_XINPUT2 = "1"; + # reinit usb after docking station connect + services.udev.extraRules = '' + SUBSYSTEM=="drm", ACTION=="change", RUN+="${pkgs.dash}/bin/dash -c 'echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized'" + ''; } diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index 9ef858e28..c34dc0acf 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -6,7 +6,8 @@ with import <stockholm/lib>; <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/nfs-dl.nix> + <stockholm/lass/2configs/pipewire.nix> + # <stockholm/lass/2configs/nfs-dl.nix> { # bubsy config users.users.bubsy = { @@ -17,22 +18,20 @@ with import <stockholm/lib>; extraGroups = [ "audio" "networkmanager" + "pipewire" + # "plugdev" ]; useDefaultShell = true; isNormalUser = true; }; networking.networkmanager.enable = true; networking.wireless.enable = mkForce false; - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - programs.chromium = { - enable = true; - extensions = [ - "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin - ]; - }; + # programs.chromium = { + # enable = true; + # extensions = [ + # "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin + # ]; + # }; environment.systemPackages = with pkgs; [ ark pavucontrol @@ -48,7 +47,9 @@ with import <stockholm/lib>; geeqie vlc zsnes + telegram-desktop ]; + # services.udev.packages = [ pkgs.ledger-udev-rules ]; nixpkgs.config.firefox.enableAdobeFlash = true; services.xserver.enable = true; services.xserver.displayManager.lightdm.enable = true; @@ -72,12 +73,10 @@ with import <stockholm/lib>; "networkmanager" "plugdev" ]; - packages = let - unstable = import <nixpkgs-unstable> { config.allowUnfree = true; }; - in [ + packages = [ pkgs.electrum pkgs.electron-cash - unstable.ledger-live-desktop + pkgs.ledger-live-desktop ]; }; }; diff --git a/lass/1systems/dishfire/config.nix b/lass/1systems/dishfire/config.nix index b814d7188..279cad10b 100644 --- a/lass/1systems/dishfire/config.nix +++ b/lass/1systems/dishfire/config.nix @@ -4,6 +4,9 @@ imports = [ <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> + <stockholm/lass/2configs/monitoring/prometheus.nix> + <stockholm/lass/2configs/monitoring/telegraf.nix> + <stockholm/lass/2configs/consul.nix> ]; krebs.build.host = config.krebs.hosts.dishfire; diff --git a/lass/1systems/hilum/config.nix b/lass/1systems/hilum/config.nix index 3f25991d9..953b5d0d4 100644 --- a/lass/1systems/hilum/config.nix +++ b/lass/1systems/hilum/config.nix @@ -4,13 +4,8 @@ <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/baseX.nix> - <stockholm/lass/2configs/browsers.nix> - <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/network-manager.nix> - <stockholm/lass/2configs/mail.nix> <stockholm/lass/2configs/syncthing.nix> - <stockholm/lass/2configs/nfs-dl.nix> ]; krebs.build.host = config.krebs.hosts.hilum; diff --git a/lass/1systems/hilum/disk.nix b/lass/1systems/hilum/disk.nix index 926401648..b5199d432 100644 --- a/lass/1systems/hilum/disk.nix +++ b/lass/1systems/hilum/disk.nix @@ -10,18 +10,14 @@ partitions = [ { name = "boot"; - type = "partition"; start = "0"; end = "1M"; - part-type = "primary"; flags = ["bios_grub"]; } { - type = "partition"; name = "ESP"; - start = "1MiB"; + start = "1M"; end = "50%"; - fs-type = "fat32"; bootable = true; content = { type = "filesystem"; @@ -31,18 +27,12 @@ } { name = "root"; - type = "partition"; start = "50%"; end = "100%"; content = { - type = "luks"; - name = "hilum_luks"; - keyFile = keyFile; - content = { - type = "filesystem"; - format = "xfs"; - mountpoint = "/"; - }; + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; }; } ]; diff --git a/lass/1systems/hilum/flash-stick.sh b/lass/1systems/hilum/flash-stick.sh index 17a5fc580..9846ea087 100755 --- a/lass/1systems/hilum/flash-stick.sh +++ b/lass/1systems/hilum/flash-stick.sh @@ -3,9 +3,13 @@ set -efux disk=$1 +cd "$(dirname "$0")" export NIXPKGS_ALLOW_UNFREE=1 (umask 077; pass show admin/hilum/luks > /tmp/hilum.luks) trap 'rm -f /tmp/hilum.luks' EXIT +echo "$disk" > /tmp/hilum-disk +trap 'rm -f /tmp/hilum-disk' EXIT + stockholm_root=$(git rev-parse --show-toplevel) ssh root@localhost -t -- $(nix-build \ --no-out-link \ @@ -31,7 +35,9 @@ $(nix-build \ --arg force true ) ssh root@localhost << SSH -NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config nixos-install --no-root-password --root /mnt/hilum -I /var/src +set -efux +mkdir -p /mnt/hilum/etc +NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config nixos-install --no-bootloader --no-root-password --root /mnt/hilum -I /var/src nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader umount -Rv /mnt/hilum SSH diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix index 6f160062d..9caf8e531 100644 --- a/lass/1systems/hilum/physical.nix +++ b/lass/1systems/hilum/physical.nix @@ -15,7 +15,7 @@ ; in lib.mkOption { type = lib.types.str; - default = tryFile "/etc/hilum-disk" "/dev/sdz"; + default = tryFile "/etc/hilum-disk" (tryFile "/tmp/hilum-disk" "/dev/sdz"); }; config.environment.etc.hilum-disk.text = config.mainDisk; } @@ -47,4 +47,7 @@ nix.maxJobs = lib.mkDefault 4; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + #weird bug with nixos-enter + services.logrotate.enable = false; } diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index a3486cffa..1b205f25c 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: with import <stockholm/lib>; { @@ -8,6 +8,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/mouse.nix> <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/baseX.nix> + <stockholm/lass/2configs/pipewire.nix> <stockholm/lass/2configs/exim-retiolum.nix> <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/bitcoin.nix> @@ -17,10 +18,8 @@ with import <stockholm/lib>; <stockholm/lass/2configs/elster.nix> <stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/wine.nix> - <stockholm/lass/2configs/git.nix> <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/mail.nix> - <stockholm/krebs/2configs/ircd.nix> <stockholm/lass/2configs/logf.nix> <stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/sync/sync.nix> @@ -104,28 +103,9 @@ with import <stockholm/lib>; dnsutils woeusb - l-gen-secrets - generate-secrets - (pkgs.writeDashBin "btc-coinbase" '' - ${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount' - '') - (pkgs.writeDashBin "btc-wex" '' - ${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg' - '') - (pkgs.writeDashBin "btc-kraken" '' - ${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]' - '') - (pkgs.writeDashBin "krebsco.de" '' - TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) - ${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json - OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import - ${pkgs.coreutils}/bin/rm -rf "$TMPDIR" - '') - (pkgs.writeDashBin "lassul.us" '' - TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) - ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json - OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us - ${pkgs.coreutils}/bin/rm -rf "$TMPDIR" + (pkgs.writeDashBin "play-on" '' + HOST=$(echo 'styx\nshodan' | fzfmenu) + ssh -t "$HOST" -- mpv "$@" '') ]; diff --git a/lass/1systems/mors/physical.nix b/lass/1systems/mors/physical.nix index a9108104b..2ffbf88c0 100644 --- a/lass/1systems/mors/physical.nix +++ b/lass/1systems/mors/physical.nix @@ -2,9 +2,11 @@ imports = [ ./config.nix <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> + <stockholm/lass/2configs/boot/universal.nix> ]; + boot.kernelParams = [ "acpi_backlight=native" ]; + fileSystems = { "/bku" = { device = "/dev/mapper/pool-bku"; diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 7b402f8a6..79402959e 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -4,6 +4,9 @@ imports = [ <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> + <stockholm/lass/2configs/mail/internet-gateway.nix> + <stockholm/lass/2configs/binary-cache/server.nix> + <stockholm/lass/2configs/matrix.nix> <stockholm/lass/2configs/gsm-wiki.nix> # sync-containers @@ -26,7 +29,23 @@ krebs.build.host = config.krebs.hosts.neoprism; networking.firewall.allowedTCPPorts = [ 80 443 ]; - services.nginx.enable = true; security.acme.acceptTerms = true; security.acme.defaults.email = "acme@lassul.us"; + services.nginx = { + enable = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + + enableReload = true; + + virtualHosts.default = { + default = true; + locations."= /etc/os-release".extraConfig = '' + default_type text/plain; + alias /etc/os-release; + ''; + locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge"; + }; + }; } diff --git a/lass/1systems/neoprism/disk.nix b/lass/1systems/neoprism/disk.nix index cf9a8cef4..c5bd44c94 100644 --- a/lass/1systems/neoprism/disk.nix +++ b/lass/1systems/neoprism/disk.nix @@ -4,40 +4,27 @@ type = "disk"; device = disk; content = { - type = "table"; - format = "gpt"; - partitions = [ - { - name = "boot"; - type = "partition"; - start = "0"; - end = "1M"; - part-type = "primary"; - flags = ["bios_grub"]; - } - { - type = "partition"; - name = "ESP"; - start = "1M"; - end = "1GiB"; - fs-type = "fat32"; - bootable = true; + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; + }; + ESP = { + size = "1G"; content = { type = "mdraid"; name = "boot"; }; - } - { - type = "partition"; - name = "zfs"; - start = "1GiB"; - end = "100%"; + }; + zfs = { + size = "100%"; content = { type = "zfs"; pool = "zroot"; }; - } - ]; + }; + }; }; })) // { hdd1 = { @@ -69,7 +56,7 @@ rootFsOptions = { }; datasets.reserved = { - zfs_type = "filesystem"; + type = "zfs_fs"; options.refreservation = "1G"; }; }; @@ -77,38 +64,53 @@ type = "zpool"; datasets = { reserved = { - zfs_type = "filesystem"; + type = "zfs_fs"; options.refreservation = "1G"; }; containers = { - zfs_type = "filesystem"; + type = "zfs_fs"; mountpoint = "/var/lib/containers"; + options = { + canmount = "noauto"; + }; }; home = { - zfs_type = "filesystem"; + type = "zfs_fs"; mountpoint = "/home"; + options = { + canmount = "noauto"; + }; }; srv = { - zfs_type = "filesystem"; + type = "zfs_fs"; mountpoint = "/srv"; + options = { + canmount = "noauto"; + }; }; libvirt = { - zfs_type = "filesystem"; + type = "zfs_fs"; mountpoint = "/var/lib/libvirt"; + options = { + canmount = "noauto"; + }; }; # encrypted = { - # zfs_type = "filesystem"; + # type = "zfs_fs"; # options = { + # canmount = "noauto"; # mountpoint = "none"; # encryption = "aes-256-gcm"; # keyformat = "passphrase"; # keylocation = "prompt"; # }; # }; - # "encrypted/download" = { - # zfs_type = "filesystem"; + # type = "zfs_fs"; # mountpoint = "/var/download"; + # options = { + # canmount = "noauto"; + # }; # }; }; }; diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix index 4ffb749f1..f2092d9aa 100644 --- a/lass/1systems/neoprism/physical.nix +++ b/lass/1systems/neoprism/physical.nix @@ -8,6 +8,8 @@ ]; disko.devices = import ./disk.nix; + networking.hostId = "9c0a74ac"; + boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.efiSupport = true; @@ -17,26 +19,58 @@ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; # networking config - boot.kernelParams = [ "net.ifnames=0" ]; - networking.bridges."ext-br".interfaces = [ "eth0" ]; - networking = { - hostId = "2283aaae"; - defaultGateway = "95.217.192.1"; - defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; }; - # Use google's public DNS server - nameservers = [ "8.8.8.8" ]; - interfaces.ext-br.ipv4.addresses = [ - { - address = "95.217.192.59"; - prefixLength = 26; - } - ]; - interfaces.ext-br.ipv6.addresses = [ - { - address = "2a01:4f9:4a:4f1a::1"; - prefixLength = 64; - } - ]; + networking.useNetworkd = true; + systemd.network = { + enable = true; + config = { + networkConfig.SpeedMeter = true; + }; + # netdevs.ext-br.netdevConfig = { + # Kind = "bridge"; + # Name = "ext-br"; + # MACAddress = "a8:a1:59:0f:2d:69"; + # }; + # networks.ext-br = { + # name = "ext-br"; + # address = [ + # "95.217.192.59/26" + # "2a01:4f9:4a:4f1a::1/64" + # ]; + # gateway = [ + # "95.217.192.1" + # "fe80::1" + # ]; + # }; + networks.eth0 = { + #bridge = [ "ext-br" ]; + matchConfig.Name = "eth0"; + address = [ + "95.217.192.59/26" + "2a01:4f9:4a:4f1a::1/64" + ]; + gateway = [ + "95.217.192.1" + "fe80::1" + ]; + }; }; + networking.useDHCP = false; + boot.initrd.network = { + enable = true; + ssh = { + enable = true; + authorizedKeys = [ config.krebs.users.lass.pubkey ]; + port = 2222; + hostKeys = [ + (toString <secrets/ssh.id_ed25519>) + (toString <secrets/ssh.id_rsa>) + ]; + }; + }; + boot.kernelParams = [ + "net.ifnames=0" + "ip=dhcp" + "boot.trace" + ]; } diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index 027a27b2b..ebc80411b 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -83,6 +83,9 @@ boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" ]; networking.dhcpcd.enable = false; + + networking.useNetworkd = lib.mkForce false; + systemd.network.enable = lib.mkForce false; # bridge config networking.bridges."ext-br".interfaces = [ "eth0" ]; networking = { diff --git a/lass/1systems/styx/config.nix b/lass/1systems/styx/config.nix index e49d24f9a..6c054abfe 100644 --- a/lass/1systems/styx/config.nix +++ b/lass/1systems/styx/config.nix @@ -13,6 +13,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/nfs-dl.nix> + <stockholm/lass/2configs/yellow-mounts/samba.nix> <stockholm/lass/2configs/gg23.nix> <stockholm/lass/2configs/hass> <stockholm/lass/2configs/green-host.nix> @@ -30,13 +31,37 @@ with import <stockholm/lib>; krebs.build.host = config.krebs.hosts.styx; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport ${toString config.services.smokeping.port}"; target = "ACCEPT"; } - ]; + networking.firewall.interfaces.int0.allowedTCPPorts = [ config.services.smokeping.port ]; + networking.firewall.interfaces.retiolum.allowedTCPPorts = [ config.services.smokeping.port ]; + networking.firewall.interfaces.wiregrill.allowedTCPPorts = [ config.services.smokeping.port ]; krebs.power-action.enable = mkForce false; + environment.systemPackages = with pkgs; [ + wol + (writeDashBin "wake-alien" '' + ${wol}/bin/wol -h 10.42.0.255 10:65:30:68:83:a3 + '') + (writers.writeDashBin "iptv" '' + set -efu + /run/current-system/sw/bin/mpv \ + --audio-display=no --audio-channels=stereo \ + --audio-samplerate=48000 --audio-format=s16 \ + --ao-pcm-file=/run/snapserver/snapfifo --ao=pcm \ + --audio-delay=-1 \ + --playlist=https://iptv-org.github.io/iptv/index.nsfw.m3u \ + --idle=yes \ + --input-ipc-server=/tmp/mpv.ipc \ + "$@" + '') + ]; + + users.users.mainUser.openssh.authorizedKeys.keys = [ + config.krebs.users.lass-android.pubkey + ]; + # http://10.42.0.1:8081/smokeping.fcgi services.smokeping = { enable = true; + host = null; targetConfig = '' probe = FPing menu = top @@ -84,5 +109,8 @@ with import <stockholm/lib>; host = prism.r ''; }; + + # for usb internet + hardware.usbWwan.enable = true; } diff --git a/lass/1systems/ubik/config.nix b/lass/1systems/ubik/config.nix index b153c0d3b..3afbf6bd1 100644 --- a/lass/1systems/ubik/config.nix +++ b/lass/1systems/ubik/config.nix @@ -42,4 +42,235 @@ with import <stockholm/lib>; /var/src/secrets/nextcloud.pw /run/nextcloud.pw ''}" ]; + + # mail + lass.usershadow.enable = true; + services.nginx.virtualHosts."mail.ubikmedia.eu" = { + enableACME = true; + forceSSL = true; + }; + services.roundcube = { + enable = true; + hostName = "mail.ubikmedia.eu"; + extraConfig = '' + $config['smtp_debug'] = true; + $config['smtp_host'] = "localhost:25"; + ''; + }; + services.dovecot2 = { + enable = true; + showPAMFailure = true; + mailLocation = "maildir:~/Mail"; + sslServerCert = "/var/lib/acme/mail.ubikmedia.eu/fullchain.pem"; + sslServerKey = "/var/lib/acme/mail.ubikmedia.eu/key.pem"; + }; + krebs.exim-smarthost = { + ssl_cert = "/var/lib/acme/mail.ubikmedia.eu/fullchain.pem"; + ssl_key = "/var/lib/acme/mail.ubikmedia.eu/key.pem"; + authenticators.PLAIN = '' + driver = plaintext + public_name = PLAIN + server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}} + ''; + authenticators.LOGIN = '' + driver = plaintext + public_name = LOGIN + server_prompts = "Username:: : Password::" + server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}} + # server_condition = ''${run{/run/current-system/sw/bin/debug_exim ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}} + ''; + internet-aliases = [ + { from = "dma@ubikmedia.de"; to = "domsen"; } + { from = "dma@ubikmedia.eu"; to = "domsen"; } + { from = "hallo@apanowicz.de"; to = "domsen"; } + { from = "bruno@apanowicz.de"; to = "bruno"; } + { from = "mail@jla-trading.com"; to = "jla-trading"; } + { from = "jms@ubikmedia.eu"; to = "jms"; } + { from = "ms@ubikmedia.eu"; to = "ms"; } + { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } + { from = "kontakt@alewis.de"; to ="klabusterbeere"; } + { from = "hallo@jarugadesign.de"; to ="kasia"; } + { from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; } + + { from = "testuser@ubikmedia.eu"; to = "testuser"; } + ]; + sender_domains = [ + "jla-trading.com" + "ubikmedia.eu" + "ubikmedia.de" + "apanowicz.de" + "alewis.de" + "jarugadesign.de" + "beesmooth.ch" + "event-extra.de" + ]; + dkim = [ + { domain = "ubikmedia.eu"; } + { domain = "apanowicz.de"; } + { domain = "beesmooth.ch"; } + ]; + }; + + # users + users.users.UBIK-SFTP = { + uid = pkgs.stockholm.lib.genid_uint31 "UBIK-SFTP"; + home = "/home/UBIK-SFTP"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.xanf = { + uid = pkgs.stockholm.lib.genid_uint31 "xanf"; + group = "xanf"; + home = "/home/xanf"; + useDefaultShell = true; + createHome = false; # creathome forces permissions + isNormalUser = true; + }; + + users.users.domsen = { + uid = pkgs.stockholm.lib.genid_uint31 "domsen"; + description = "maintenance acc for domsen"; + home = "/home/domsen"; + useDefaultShell = true; + extraGroups = [ "syncthing" "download" "xanf" ]; + createHome = true; + isNormalUser = true; + }; + + users.users.bruno = { + uid = pkgs.stockholm.lib.genid_uint31 "bruno"; + home = "/home/bruno"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.jla-trading = { + uid = pkgs.stockholm.lib.genid_uint31 "jla-trading"; + home = "/home/jla-trading"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.jms = { + uid = pkgs.stockholm.lib.genid_uint31 "jms"; + home = "/home/jms"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.ms = { + uid = pkgs.stockholm.lib.genid_uint31 "ms"; + home = "/home/ms"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.testuser = { + uid = pkgs.stockholm.lib.genid_uint31 "testuser"; + home = "/home/testuser"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.bui = { + uid = pkgs.stockholm.lib.genid_uint31 "bui"; + home = "/home/bui"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.klabusterbeere = { + uid = pkgs.stockholm.lib.genid_uint31 "klabusterbeere"; + home = "/home/klabusterbeere"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.kasia = { + uid = pkgs.stockholm.lib.genid_uint31 "kasia"; + home = "/home/kasia"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.XANF_TEAM = { + uid = pkgs.stockholm.lib.genid_uint31 "XANF_TEAM"; + group = "xanf"; + home = "/home/XANF_TEAM"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.dif = { + uid = pkgs.stockholm.lib.genid_uint31 "dif"; + home = "/home/dif"; + useDefaultShell = true; + extraGroups = [ "xanf" ]; + createHome = true; + isNormalUser = true; + }; + + users.users.lavafilms = { + uid = pkgs.stockholm.lib.genid_uint31 "lavafilms"; + home = "/home/lavafilms"; + useDefaultShell = true; + extraGroups = [ "xanf" ]; + createHome = true; + isNormalUser = true; + }; + + users.users.movematchers = { + uid = pkgs.stockholm.lib.genid_uint31 "movematchers"; + home = "/home/movematchers"; + useDefaultShell = true; + extraGroups = [ "xanf" ]; + createHome = true; + isNormalUser = true; + }; + + users.users.blackphoton = { + uid = pkgs.stockholm.lib.genid_uint31 "blackphoton"; + home = "/home/blackphoton"; + useDefaultShell = true; + extraGroups = [ "xanf" ]; + createHome = true; + isNormalUser = true; + }; + + users.users.line = { + uid = pkgs.stockholm.lib.genid_uint31 "line"; + home = "/home/line"; + useDefaultShell = true; + # extraGroups = [ "xanf" ]; + createHome = true; + isNormalUser = true; + }; + + users.users.avada = { + uid = pkgs.stockholm.lib.genid_uint31 "avada"; + home = "/home/avada"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.familienrat = { + uid = pkgs.stockholm.lib.genid_uint31 "familienrat"; + home = "/home/familienrat"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + } diff --git a/lass/2configs/antimicrox/default.nix b/lass/2configs/antimicrox/default.nix index 16f546ce6..2b683b8bc 100644 --- a/lass/2configs/antimicrox/default.nix +++ b/lass/2configs/antimicrox/default.nix @@ -1,6 +1,7 @@ { config, lib, pkgs, ... }: { systemd.services.antimicrox = { + after = [ "display-manager.service" ]; wantedBy = [ "multi-user.target" ]; environment = { DISPLAY = ":0"; @@ -8,18 +9,23 @@ serviceConfig = { User = config.users.users.mainUser.name; ExecStartPre = lib.singleton (pkgs.writeDash "init_state" "echo 0 > /tmp/gamepad.state"); - ExecStart = "${pkgs.antimicrox}/bin/antimicrox --no-tray --hidden --profile ${./mouse.amgp}"; + ExecStart = "${pkgs.antimicrox}/bin/antimicrox --hidden --profile ${./mouse.gamecontroller.amgp}"; }; }; + services.udev.extraRules = '' + KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_node=uinput" + ''; + environment.systemPackages = [ + pkgs.antimicrox (pkgs.writers.writeDashBin "gamepad_mouse_disable" '' echo 1 > /tmp/gamepad.state - ${pkgs.antimicrox}/bin/antimicrox --profile ${./empty.amgp} + ${pkgs.antimicrox}/bin/antimicrox --profile ${./empty.gamecontroller.amgp} '') (pkgs.writers.writeDashBin "gamepad_mouse_enable" '' echo 0 > /tmp/gamepad.state - ${pkgs.antimicrox}/bin/antimicrox --profile ${./mouse.amgp} + ${pkgs.antimicrox}/bin/antimicrox --profile ${./mouse.gamecontroller.amgp} '') (pkgs.writers.writeDashBin "gamepad_mouse_toggle" '' state=$(${pkgs.coreutils}/bin/cat /tmp/gamepad.state) diff --git a/lass/2configs/antimicrox/empty.amgp b/lass/2configs/antimicrox/empty.gamecontroller.amgp index 0257bfe71..0257bfe71 100644 --- a/lass/2configs/antimicrox/empty.amgp +++ b/lass/2configs/antimicrox/empty.gamecontroller.amgp diff --git a/lass/2configs/antimicrox/mouse.amgp b/lass/2configs/antimicrox/mouse.gamecontroller.amgp index 313e598de..743618f54 100644 --- a/lass/2configs/antimicrox/mouse.amgp +++ b/lass/2configs/antimicrox/mouse.gamecontroller.amgp @@ -23,7 +23,8 @@ <maxZone>29501</maxZone> <modifierZone>1412</modifierZone> <diagonalRange>90</diagonalRange> - <stickbutton index="7"> + <squareStick>100</squareStick> + <stickbutton index="1"> <mousespeedx>74</mousespeedx> <mousespeedy>74</mousespeedy> <accelerationmultiplier>4</accelerationmultiplier> @@ -32,16 +33,12 @@ <extraaccelerationcurve>easeoutquad</extraaccelerationcurve> <slots> <slot> - <code>3</code> + <code>1</code> <mode>mousemovement</mode> </slot> </slots> </stickbutton> - <stickbutton index="6"> - <mousespeedx>74</mousespeedx> - <mousespeedy>74</mousespeedy> - </stickbutton> - <stickbutton index="5"> + <stickbutton index="3"> <mousespeedx>74</mousespeedx> <mousespeedy>74</mousespeedy> <accelerationmultiplier>4</accelerationmultiplier> @@ -50,16 +47,16 @@ <extraaccelerationcurve>easeoutquad</extraaccelerationcurve> <slots> <slot> - <code>2</code> + <code>4</code> <mode>mousemovement</mode> </slot> </slots> </stickbutton> - <stickbutton index="4"> + <stickbutton index="2"> <mousespeedx>74</mousespeedx> <mousespeedy>74</mousespeedy> </stickbutton> - <stickbutton index="3"> + <stickbutton index="5"> <mousespeedx>74</mousespeedx> <mousespeedy>74</mousespeedy> <accelerationmultiplier>4</accelerationmultiplier> @@ -68,16 +65,16 @@ <extraaccelerationcurve>easeoutquad</extraaccelerationcurve> <slots> <slot> - <code>4</code> + <code>2</code> <mode>mousemovement</mode> </slot> </slots> </stickbutton> - <stickbutton index="2"> + <stickbutton index="4"> <mousespeedx>74</mousespeedx> <mousespeedy>74</mousespeedy> </stickbutton> - <stickbutton index="1"> + <stickbutton index="7"> <mousespeedx>74</mousespeedx> <mousespeedy>74</mousespeedy> <accelerationmultiplier>4</accelerationmultiplier> @@ -86,11 +83,15 @@ <extraaccelerationcurve>easeoutquad</extraaccelerationcurve> <slots> <slot> - <code>1</code> + <code>3</code> <mode>mousemovement</mode> </slot> </slots> </stickbutton> + <stickbutton index="6"> + <mousespeedx>74</mousespeedx> + <mousespeedy>74</mousespeedy> + </stickbutton> <stickbutton index="8"> <mousespeedx>74</mousespeedx> <mousespeedy>74</mousespeedy> @@ -99,66 +100,66 @@ <stick index="1"> <deadZone>2578</deadZone> <maxZone>30799</maxZone> - <stickbutton index="7"> + <stickbutton index="1"> <mouseacceleration>linear</mouseacceleration> <slots> <slot> - <code>6</code> + <code>4</code> <mode>mousebutton</mode> </slot> </slots> </stickbutton> - <stickbutton index="6"> - <mouseacceleration>linear</mouseacceleration> - </stickbutton> - <stickbutton index="5"> + <stickbutton index="3"> <mouseacceleration>linear</mouseacceleration> <slots> <slot> - <code>5</code> + <code>7</code> <mode>mousebutton</mode> </slot> </slots> </stickbutton> - <stickbutton index="4"> + <stickbutton index="2"> <mouseacceleration>linear</mouseacceleration> </stickbutton> - <stickbutton index="3"> + <stickbutton index="5"> <mouseacceleration>linear</mouseacceleration> <slots> <slot> - <code>7</code> + <code>5</code> <mode>mousebutton</mode> </slot> </slots> </stickbutton> - <stickbutton index="2"> + <stickbutton index="4"> <mouseacceleration>linear</mouseacceleration> </stickbutton> - <stickbutton index="1"> + <stickbutton index="7"> <mouseacceleration>linear</mouseacceleration> <slots> <slot> - <code>4</code> + <code>6</code> <mode>mousebutton</mode> </slot> </slots> </stickbutton> + <stickbutton index="6"> + <mouseacceleration>linear</mouseacceleration> + </stickbutton> <stickbutton index="8"> <mouseacceleration>linear</mouseacceleration> </stickbutton> </stick> <dpad index="1"> - <dpadbutton index="6"> + <dpadbutton index="12"> <wheelspeedx>2</wheelspeedx> <wheelspeedy>10</wheelspeedy> </dpadbutton> - <dpadbutton index="4"> - <wheelspeedx>2</wheelspeedx> + <dpadbutton index="1"> + <wheelspeedx>10</wheelspeedx> <wheelspeedy>10</wheelspeedy> <slots> <slot> - <code>0x1000017</code> + <code>0x1000013</code> <mode>keyboard</mode> </slot> </slots> @@ -172,22 +173,22 @@ <wheelspeedy>10</wheelspeedy> <slots> <slot> - <code>0x1000011</code> + <code>0x1000014</code> <mode>keyboard</mode> </slot> </slots> </dpadbutton> - <dpadbutton index="1"> - <wheelspeedx>10</wheelspeedx> + <dpadbutton index="4"> + <wheelspeedx>2</wheelspeedx> <wheelspeedy>10</wheelspeedy> <slots> <slot> - <code>0x1000016</code> + <code>0x1000015</code> <mode>keyboard</mode> </slot> </slots> </dpadbutton> - <dpadbutton index="12"> + <dpadbutton index="6"> <wheelspeedx>2</wheelspeedx> <wheelspeedy>10</wheelspeedy> </dpadbutton> @@ -200,7 +201,7 @@ <wheelspeedy>10</wheelspeedy> <slots> <slot> - <code>0x1000010</code> + <code>0x1000012</code> <mode>keyboard</mode> </slot> </slots> @@ -235,31 +236,39 @@ </slot> </slots> </button> - <button index="5"> + <button index="2"> <slots> <slot> - <code>1</code> + <code>3</code> <mode>mousebutton</mode> </slot> </slots> </button> - <button index="3"> + <button index="1"> <slots> <slot> - <code>2</code> + <code>1</code> <mode>mousebutton</mode> </slot> </slots> </button> - <button index="2"> + <button index="4"> <slots> <slot> - <code>3</code> + <code>0x1000004</code> + <mode>keyboard</mode> + </slot> + </slots> + </button> + <button index="3"> + <slots> + <slot> + <code>2</code> <mode>mousebutton</mode> </slot> </slots> </button> - <button index="1"> + <button index="5"> <slots> <slot> <code>1</code> diff --git a/lass/2configs/atuin-server.nix b/lass/2configs/atuin-server.nix index ad959a311..05d3b4fd4 100644 --- a/lass/2configs/atuin-server.nix +++ b/lass/2configs/atuin-server.nix @@ -1,38 +1,10 @@ { config, lib, pkgs, ... }: { - services.postgresql = { + services.atuin = { enable = true; - dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}"; - ensureDatabases = [ "atuin" ]; - ensureUsers = [{ - name = "atuin"; - ensurePermissions."DATABASE atuin" = "ALL PRIVILEGES"; - }]; - }; - systemd.tmpfiles.rules = [ - "d /var/state/postgresql 0700 postgres postgres -" - ]; - users.groups.atuin = {}; - users.users.atuin = { - uid = pkgs.stockholm.lib.genid_uint31 "atuin"; - isSystemUser = true; - group = "atuin"; - home = "/run/atuin"; - createHome = true; + host = "0.0.0.0"; + maxHistoryLength = 1000000; + openFirewall = true; }; - systemd.services.atuin = { - wantedBy = [ "multi-user.target" ]; - environment = { - ATUIN_HOST = "0.0.0.0"; - ATUIN_PORT = "8888"; - ATUIN_OPEN_REGISTRATION = "true"; - ATUIN_DB_URI = "postgres:///atuin"; - }; - serviceConfig = { - User = "atuin"; - ExecStart = "${pkgs.atuin}/bin/atuin server start"; - }; - }; - networking.firewall.allowedTCPPorts = [ 8888 ]; } diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 654247728..e5b1f0b90 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -89,16 +89,30 @@ in { x11vnc xclip xephyrify + xorg.xmodmap xorg.xhost + xdotool xsel zathura flameshot (pkgs.writeDashBin "screenshot" '' set -efu - ${pkgs.flameshot}/bin/flameshot gui + ${pkgs.flameshot}/bin/flameshot gui && ${pkgs.klem}/bin/klem '') + (pkgs.writers.writeDashBin "IM" '' + ${pkgs.mosh}/bin/mosh green.r -- tmux new-session -A -s IM -- weechat + '') + (pkgs.writers.writeDashBin "deploy_hm" '' + target=$1 + shift + + hm_profile=$(${pkgs.home-manager}/bin/home-manager -f ~/sync/stockholm/lass/2configs/home-manager.nix build "$@") + nix-copy-closure --to "$target" "$hm_profile" + ssh "$target" -- "$hm_profile"/activate + '') + zbar ]; services.udev.extraRules = '' @@ -114,6 +128,7 @@ in { xkbVariant = "altgr-intl"; xkbOptions = "caps:escape"; libinput.enable = true; + exportConfiguration = true; displayManager = { lightdm.enable = true; defaultSession = "none+xmonad"; @@ -130,7 +145,6 @@ in { }; krebs.xresources.enable = true; - lass.screenlock.enable = true; lass.klem = { kpaste.script = pkgs.writeDash "kpaste-wrapper" '' @@ -152,7 +166,7 @@ in { qrcode = { target = "image"; script = pkgs.writeDash "zbar" '' - ${pkgs.zbar}/bin/zbarimg -q - + ${pkgs.zbar}/bin/zbarimg -q --raw - ''; }; ocr = { diff --git a/lass/2configs/boot/universal.nix b/lass/2configs/boot/universal.nix new file mode 100644 index 000000000..33f4323cc --- /dev/null +++ b/lass/2configs/boot/universal.nix @@ -0,0 +1,11 @@ +{ ... }: + +{ + boot = { + loader.grub.enable = true; + loader.grub.version = 2; + loader.grub.device = "/dev/sda"; + loader.grub.efiSupport = true; + loader.grub.efiInstallAsRemovable = true; + }; +} diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index b3bf1b761..ccca49fac 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -21,7 +21,7 @@ in { }; security.acme.certs.${domain}.group = "hedgecert"; - users.groups.hedgecert.members = [ "codimd" "nginx" ]; + users.groups.hedgecert.members = [ "hedgedoc" "nginx" ]; security.dhparams = { enable = true; @@ -35,10 +35,10 @@ in { services.hedgedoc = { enable = true; configuration.allowOrigin = [ domain ]; - configuration = { + settings = { db = { dialect = "sqlite"; - storage = "/var/lib/codimd/db.codimd.sqlite"; + storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite"; }; useCDN = false; port = 3091; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 3d7188dc6..72dbfc480 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -12,6 +12,7 @@ with import <stockholm/lib>; ./wiregrill.nix ./tmux.nix ./tor-ssh.nix + ./networkd.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) diff --git a/lass/2configs/hass/default.nix b/lass/2configs/hass/default.nix index cc8189f51..1745bbfe5 100644 --- a/lass/2configs/hass/default.nix +++ b/lass/2configs/hass/default.nix @@ -41,8 +41,7 @@ in { configWritable = true; lovelaceConfigWritable = true; config = let - tasmota_s20 = name: topic: { - platform = "mqtt"; + tasmota = name: topic: { inherit name; state_topic = "stat/${topic}/POWER"; command_topic = "cmnd/${topic}/POWER"; @@ -57,7 +56,7 @@ in { longitude = "13.41489"; elevation = 90; unit_system = "metric"; - customize = friendly_names; + # customize = friendly_names; }; config = {}; sun.elevation = 66; @@ -65,36 +64,37 @@ in { discovery = {}; frontend = {}; http = {}; - mqtt = { - broker = "localhost"; - port = 1883; - client_id = "home-assistant"; - username = "gg23"; - password = "gg23-mqtt"; - keepalive = 60; - protocol = 3.1; + # mqtt = { + # broker = "localhost"; + # port = 1883; + # client_id = "home-assistant"; + # username = "gg23"; + # password = "gg23-mqtt"; + # keepalive = 60; + # protocol = 3.1; - discovery = true; - birth_message = { - topic = "/hass/status"; - payload = "online"; - }; - will_message = { - topic = "/hass/status"; - payload = "offline"; - }; - }; + # discovery = true; + # birth_message = { + # topic = "/hass/status"; + # payload = "online"; + # }; + # will_message = { + # topic = "/hass/status"; + # payload = "offline"; + # }; + # }; sensor = [ { platform = "dwd_weather_warnings"; region_name = "Berlin"; } ]; - switch = [ - (tasmota_s20 "TV" "tv") - (tasmota_s20 "Drucker Strom" "drucker") - (tasmota_s20 "Waschmaschine" "wasch") - (tasmota_s20 "Stereo Anlage" "stereo") + mqtt.switch = [ + (tasmota "TV" "tv") + (tasmota "Drucker Strom" "drucker") + (tasmota "Waschmaschine" "wasch") + (tasmota "Stereo Anlage" "stereo") + (tasmota "Wohnzimmer Lampe" "wohn_lampe") ]; mobile_app = {}; weather = [ @@ -106,6 +106,10 @@ in { system_health = {}; history = {}; shopping_list = {}; + media_player = { + platform = "snapcast"; + host = "127.0.0.1"; + }; }; }; diff --git a/lass/2configs/hass/lib.nix b/lass/2configs/hass/lib.nix index 1f9f9945d..72ff2966f 100644 --- a/lass/2configs/hass/lib.nix +++ b/lass/2configs/hass/lib.nix @@ -1,24 +1,24 @@ { lib, ... }: rec { lights = { - bett = "0x0017880106ed3bd8"; - essen = "0x0017880108327622"; - arbeit = "0x0017880106ee2865"; - nass = "0x00178801082e9f2f"; + bett = "l_bett"; + essen = "l_essen"; + arbeit = "l_arbeit"; + nass = "l_nass"; }; switches = { dimmer = { - bett = "0x00178801086ac38c"; - essen = "0x00178801086ad1fb"; - nass = "0x00178801086ac373"; + bett = "i_bett"; + essen = "i_essen"; + nass = "i_nass"; }; }; sensors = { movement = { - essen = "0x0017880106f772f2"; - nass = "0x0017880106f77f30"; + essen = "s_essen"; + nass = "s_nass"; }; }; diff --git a/lass/2configs/hass/zigbee.nix b/lass/2configs/hass/zigbee.nix index 8fc02263b..210c761b5 100644 --- a/lass/2configs/hass/zigbee.nix +++ b/lass/2configs/hass/zigbee.nix @@ -34,117 +34,42 @@ in { advanced = { pan_id = 4222; }; - }; - }; + devices = let + set_device = id: name: + lib.nameValuePair id { + }; + in { + # lights https://www.zigbee2mqtt.io/devices/9290022166.html#philips-9290022166 + "0x0017880106ed3bd8".friendly_name = "l_bett"; + "0x0017880108327622".friendly_name = "l_essen"; + "0x0017880106ee2865".friendly_name = "l_arbeit"; + "0x00178801082e9f2f".friendly_name = "l_nass"; - services.home-assistant.config = { - sensor = [ - # Sensor for monitoring the bridge state - { - platform = "mqtt"; - name = "Zigbee2mqtt Bridge state"; - state_topic = "/zigbee2mqtt/bridge/state"; - icon = "mdi:router-wireless"; - } - # Sensor for Showing the Zigbee2mqtt Version - { - platform = "mqtt"; - name = "Zigbee2mqtt Version"; - state_topic = "/zigbee2mqtt/bridge/config"; - value_template = "{{ value_json.version }}"; - icon = "mdi:zigbee"; - } - # Sensor for Showing the Coordinator Version - { - platform = "mqtt"; - name = "Coordinator Version"; - state_topic = "/zigbee2mqtt/bridge/config"; - value_template = "{{ value_json.coordinator }}"; - icon = "mdi:chip"; - } - ]; - switch = [ - { - platform = "mqtt"; - name = "zigbee2mqtt_join"; - state_topic = "/zigbee2mqtt/bridge/config/permit_join"; - command_topic = "/zigbee2mqtt/bridge/config/permit_join"; - payload_on = "true"; - payload_off = "false"; - } - ]; - automation = [ - #{ - # alias = "Zigbee2mqtt Log Level"; - # initial_state = "on"; - # trigger = { - # platform = "state"; - # entity_id = "input_select.zigbee2mqtt_log_level"; - # }; - # action = [ - # { - # service = "mqtt.publish"; - # data = { - # payload_template = "{{ states('input_select.zigbee2mqtt_log_level') }}"; - # topic = "/zigbee2mqtt/bridge/config/log_level"; - # }; - # } - # ]; - #} - # Automation to start timer when enable join is turned on - { - id = "zigbee_join_enabled"; - alias = ""; - trigger = { - platform = "state"; - entity_id = "switch.zigbee2mqtt_join"; - to = "on"; - }; - action = { - service = "timer.start"; - entity_id = "timer.zigbee_permit_join"; + # switches https://www.zigbee2mqtt.io/devices/324131092621.html#philips-324131092621 + "0x00178801086ac38c".friendly_name = "i_bett"; + "0x00178801086ad1fb".friendly_name = "i_essen"; + "0x00178801086ac373".friendly_name = "i_nass"; + + # sensors https://www.zigbee2mqtt.io/devices/9290012607.html#philips-9290012607 + "0x0017880106f772f2".friendly_name = "s_essen"; + "0x0017880106f77f30".friendly_name = "s_nass"; + + # heat https://www.zigbee2mqtt.io/devices/701721.html#popp-701721 + "0x842e14fffe27109a".friendly_name = "t_bett"; + "0x842e14fffe269a73".friendly_name = "t_nass"; + "0x842e14fffe269a56".friendly_name = "t_arbeit"; + + # rotation https://www.zigbee2mqtt.io/devices/E1744.html + "0x8cf681fffe065493" = { + friendly_name = "r_test"; + device_id = "r_test"; + simulated_brightness = { + delta = 2; + interval = 100; + }; }; - } - # Automation to stop timer when switch turned off and turn off switch when timer finished - { - id = "zigbee_join_disabled"; - trigger = [ - { - platform = "event"; - event_type = "timer.finished"; - event_data.entity_id = "timer.zigbee_permit_join"; - } - { - platform = "state"; - entity_id = "switch.zigbee2mqtt_join"; - to = "off"; - } - ]; - action = [ - { service = "timer.cancel"; - data.entity_id = "timer.zigbee_permit_join"; - } - { service = "switch.turn_off"; - entity_id = "switch.zigbee2mqtt_join"; - } - ]; - } - ]; - #input_select.zigbee2mqtt_log_level = { - # name = "Zigbee2mqtt Log Level"; - # options = [ - # "debug" - # "info" - # "warn" - # "error" - # ]; - # initial = "info"; - # icon = "mdi:format-list-bulleted"; - #}; - timer.zigbee_permit_join = { - name = "Zigbee Time remaining"; - duration = 120; + }; }; }; } diff --git a/lass/2configs/mail/internet-gateway.nix b/lass/2configs/mail/internet-gateway.nix new file mode 100644 index 000000000..134e408a4 --- /dev/null +++ b/lass/2configs/mail/internet-gateway.nix @@ -0,0 +1,48 @@ +{ config, lib, pkgs, ... }: +{ + security.acme.certs."mail.lassul.us" = { + group = "lasscert"; + webroot = "/var/lib/acme/acme-challenge"; + }; + users.groups.lasscert.members = [ + "exim" + "nginx" + ]; + + krebs.exim-smarthost = { + enable = true; + primary_hostname = "lassul.us"; + dkim = [ + { domain = "lassul.us"; } + ]; + ssl_cert = "/var/lib/acme/mail.lassul.us/fullchain.pem"; + ssl_key = "/var/lib/acme/mail.lassul.us/key.pem"; + local_domains = [ + "localhost" + "lassul.us" + "ubikmedia.eu" + "ubikmedia.de" + "apanowicz.de" + "alewis.de" + "jarugadesign.de" + "beesmooth.ch" + "event-extra.de" + "jla-trading.com" + ]; + extraRouters = '' + forward_lassul_us: + driver = manualroute + domains = lassul.us + transport = remote_smtp + route_list = * orange.r + no_more + + forward_ubik: + driver = manualroute + domains = ubikmedia.eu:ubikmedia.de:apanowicz.de:alewis.de:jarugadesign.de:beesmooth.ch:event-extra.de:jla-trading.com + transport = remote_smtp + route_list = * ubik.r + no_more + ''; + }; +} diff --git a/lass/2configs/monitoring/alert-rules.nix b/lass/2configs/monitoring/alert-rules.nix new file mode 100644 index 000000000..eae2569fb --- /dev/null +++ b/lass/2configs/monitoring/alert-rules.nix @@ -0,0 +1,208 @@ +# inspiration from https://github.com/Mic92/dotfiles/blob/master/nixos/eva/modules/prometheus/alert-rules.nix +{ lib }: + +lib.mapAttrsToList + (name: opts: { + alert = name; + expr = opts.condition; + for = opts.time or "2m"; + labels = { }; + annotations.description = opts.description; + }) + ({ + prometheus_too_many_restarts = { + condition = ''changes(process_start_time_seconds{job=~"prometheus|pushgateway|alertmanager|telegraf"}[15m]) > 2''; + description = "Prometheus has restarted more than twice in the last 15 minutes. It might be crashlooping."; + }; + + alert_manager_config_not_synced = { + condition = ''count(count_values("config_hash", alertmanager_config_hash)) > 1''; + description = "Configurations of AlertManager cluster instances are out of sync."; + }; + + prometheus_not_connected_to_alertmanager = { + condition = "prometheus_notifications_alertmanagers_discovered < 1"; + description = "Prometheus cannot connect the alertmanager\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"; + }; + + prometheus_rule_evaluation_failures = { + condition = "increase(prometheus_rule_evaluation_failures_total[3m]) > 0"; + description = "Prometheus encountered {{ $value }} rule evaluation failures, leading to potentially ignored alerts.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"; + }; + + prometheus_template_expansion_failures = { + condition = "increase(prometheus_template_text_expansion_failures_total[3m]) > 0"; + time = "0m"; + description = "Prometheus encountered {{ $value }} template text expansion failures\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"; + }; + + promtail_request_errors = { + condition = ''100 * sum(rate(promtail_request_duration_seconds_count{status_code=~"5..|failed"}[1m])) by (namespace, job, route, instance) / sum(rate(promtail_request_duration_seconds_count[1m])) by (namespace, job, route, instance) > 10''; + time = "15m"; + description = ''{{ $labels.job }} {{ $labels.route }} is experiencing {{ printf "%.2f" $value }}% errors.''; + }; + + promtail_file_lagging = { + condition = ''abs(promtail_file_bytes_total - promtail_read_bytes_total) > 1e6''; + time = "15m"; + description = ''{{ $labels.instance }} {{ $labels.job }} {{ $labels.path }} has been lagging by more than 1MB for more than 15m.''; + }; + + filesystem_full_80percent = { + condition = ''disk_used_percent{mode!="ro"} >= 95''; + time = "10m"; + description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.path}} got less than 20% space left on its filesystem."; + }; + + filesystem_full_krebs = { + condition = ''disk_used_percent{mode!="ro", org="krebs"} >= 95''; + time = "10m"; + description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.path}} got less than 5% space left on its filesystem."; + }; + + filesystem_inodes_full = { + condition = ''disk_inodes_free / disk_inodes_total < 0.10''; + time = "10m"; + description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.path}} got less than 10% inodes left on its filesystem."; + }; + + daily_task_not_run = { + # give 6 hours grace period + condition = ''time() - task_last_run{state="ok",frequency="daily"} > (24 + 6) * 60 * 60''; + description = "{{$labels.host}}: {{$labels.name}} was not run in the last 24h"; + }; + + daily_task_failed = { + condition = ''task_last_run{state="fail"}''; + description = "{{$labels.host}}: {{$labels.name}} failed to run"; + }; + + swap_using_30percent = { + condition = "mem_swap_total - (mem_swap_cached + mem_swap_free) > mem_swap_total * 0.3"; + time = "30m"; + description = "{{$labels.host}} is using 30% of its swap space for at least 30 minutes."; + }; + + systemd_service_failed = { + condition = ''systemd_units_active_code{name!~"nixpkgs-update-.*.service"} == 3''; + description = "{{$labels.host}} failed to (re)start service {{$labels.name}}."; + }; + + service_not_running = { + condition = ''systemd_units_active_code{name=~"teamspeak3-server.service|tt-rss.service", sub!="running"}''; + description = "{{$labels.host}} should have a running {{$labels.name}}."; + }; + + nfs_export_not_present = { + condition = "nfs_export_present == 0"; + time = "1h"; + description = "{{$labels.host}} cannot reach nfs export [{{$labels.server}}]:{{$labels.path}}"; + }; + + ram_using_90percent = { + condition = "mem_buffered + mem_free + mem_cached < mem_total * 0.1"; + time = "1h"; + description = "{{$labels.host}} is using at least 90% of its RAM for at least 1 hour."; + }; + load15 = { + condition = ''system_load15 / system_n_cpus{org!="nix-community"} >= 2.0''; + time = "10m"; + description = "{{$labels.host}} is running with load15 > 1 for at least 5 minutes: {{$value}}"; + }; + reboot = { + condition = "system_uptime < 300"; + description = "{{$labels.host}} just rebooted."; + }; + uptime = { + # too scared to upgrade matchbox + condition = ''system_uptime {host!~"^(matchbox|grandalf)$"} > 2592000''; + description = "Uptime monster: {{$labels.host}} has been up for more than 30 days."; + }; + telegraf_down = { + condition = ''min(up{job=~"telegraf",type!='mobile'}) by (source, job, instance, org) == 0''; + time = "3m"; + description = "{{$labels.instance}}: {{$labels.job}} telegraf exporter from {{$labels.source}} is down."; + }; + ping = { + condition = "ping_result_code{type!='mobile'} != 0"; + description = "{{$labels.url}}: ping from {{$labels.instance}} has failed!"; + }; + ping_high_latency = { + condition = "ping_average_response_ms{type!='mobile'} > 5000"; + description = "{{$labels.instance}}: ping probe from {{$labels.source}} is encountering high latency!"; + }; + http = { + condition = "http_response_result_code != 0"; + description = "{{$labels.server}} : http request failed from {{$labels.instance}}: {{$labels.result}}!"; + }; + http_match_failed = { + condition = "http_response_response_string_match == 0"; + description = "{{$labels.server}} : http body not as expected; status code: {{$labels.status_code}}!"; + }; + dns_query = { + condition = "dns_query_result_code != 0"; + description = "{{$labels.domain}} : could retrieve A record {{$labels.instance}} from server {{$labels.server}}: {{$labels.result}}!"; + }; + secure_dns_query = { + condition = "secure_dns_state != 0"; + description = "{{$labels.domain}} : could retrieve A record {{$labels.instance}} from server {{$labels.server}}: {{$labels.result}} for protocol {{$labels.protocol}}!"; + }; + connection_failed = { + condition = "net_response_result_code != 0"; + description = "{{$labels.server}}: connection to {{$labels.port}}({{$labels.protocol}}) failed from {{$labels.instance}}"; + }; + healthchecks = { + condition = "hc_check_up == 0"; + description = "{{$labels.instance}}: healtcheck {{$labels.job}} fails!"; + }; + cert_expiry = { + condition = "x509_cert_expiry < 7*24*3600"; + description = "{{$labels.instance}}: The TLS certificate from {{$labels.source}} will expire in less than 7 days: {{$value}}s"; + }; + + postfix_queue_length = { + condition = "avg_over_time(postfix_queue_length[1h]) > 10"; + description = "{{$labels.instance}}: postfix mail queue has undelivered {{$value}} items"; + }; + + zfs_errors = { + condition = "zfs_arcstats_l2_io_error + zfs_dmu_tx_error + zfs_arcstats_l2_writes_error > 0"; + description = "{{$labels.instance}} reports: {{$value}} ZFS IO errors."; + }; + + # ignore devices that disabled S.M.A.R.T (example if attached via USB) + smart_errors = { + condition = ''smart_device_health_ok{enabled!="Disabled"} != 1''; + description = "{{$labels.instance}}: S.M.A.R.T reports: {{$labels.device}} ({{$labels.model}}) has errors."; + }; + + oom_kills = { + condition = "increase(kernel_vmstat_oom_kill[5m]) > 0"; + description = "{{$labels.instance}}: OOM kill detected"; + }; + + unusual_disk_read_latency = { + condition = "rate(diskio_read_time[1m]) / rate(diskio_reads[1m]) > 0.1 and rate(diskio_reads[1m]) > 0"; + description = "{{$labels.instance}}: Disk latency is growing (read operations > 100ms)\n"; + }; + + unusual_disk_write_latency = { + condition = "rate(diskio_write_time[1m]) / rate(diskio_write[1m]) > 0.1 and rate(diskio_write[1m]) > 0"; + description = "{{$labels.instance}}: Disk latency is growing (write operations > 100ms)\n"; + }; + + host_memory_under_memory_pressure = { + condition = "rate(node_vmstat_pgmajfault[1m]) > 1000"; + description = "{{$labels.instance}}: The node is under heavy memory pressure. High rate of major page faults: {{$value}}"; + }; + + ext4_errors = { + condition = "ext4_errors_value > 0"; + description = "{{$labels.instance}}: ext4 has reported {{$value}} I/O errors: check /sys/fs/ext4/*/errors_count"; + }; + + alerts_silences_changed = { + condition = ''abs(delta(alertmanager_silences{state="active"}[1h])) >= 1''; + description = "alertmanager: number of active silences has changed: {{$value}}"; + }; + }) diff --git a/lass/2configs/monitoring/prometheus.nix b/lass/2configs/monitoring/prometheus.nix new file mode 100644 index 000000000..ba32c62a7 --- /dev/null +++ b/lass/2configs/monitoring/prometheus.nix @@ -0,0 +1,110 @@ +{ config, lib, pkgs, ... }: +{ + #prometheus + krebs.iptables = { + enable = true; + tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } # nginx + # { predicate = "-i retiolum -p tcp --dport 3012"; target = "ACCEPT"; } # grafana + # { predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; } # alertmanager + # { predicate = "-i retiolum -p tcp --dport 9223"; target = "ACCEPT"; } # alertmanager + ]; + }; + + services.nginx = { + enable = true; + virtualHosts = { + "prometheus.lass.r" = { + locations."/".proxyPass = "http://localhost:9090"; + }; + "alert.lass.r" = { + locations."/".proxyPass = "http://localhost:9093"; + }; + "grafana.lass.r" = { + locations."/".proxyPass = "http://localhost:3012"; + }; + }; + }; + + services.grafana = { + enable = true; + addr = "0.0.0.0"; + port = 3012; + auth.anonymous = { + enable = true; + org_role = "Admin"; + }; + }; + services.prometheus = { + enable = true; + ruleFiles = [ + (pkgs.writeText "prometheus-rules.yml" (builtins.toJSON { + groups = [{ + name = "alerting-rules"; + rules = import ./alert-rules.nix { inherit lib; }; + }]; + })) + ]; + scrapeConfigs = [ + { + job_name = "telegraf"; + scrape_interval = "60s"; + metrics_path = "/metrics"; + static_configs = [ + { + targets = [ + "prism.r:9273" + "dishfire.r:9273" + "yellow.r:9273" + ]; + } + ]; + } + ]; + alertmanagers = [ + { scheme = "http"; + path_prefix = "/"; + static_configs = [ { targets = [ "localhost:9093" ]; } ]; + } + ]; + alertmanager = { + enable = true; + webExternalUrl = "https://alert.lass.r"; + listenAddress = "[::1]"; + configuration = { + global = { + # The smarthost and SMTP sender used for mail notifications. + smtp_smarthost = "localhost:587"; + smtp_from = "alertmanager@alert.lass.r"; + # smtp_auth_username = "alertmanager@thalheim.io"; + # smtp_auth_password = "$SMTP_PASSWORD"; + }; + route = { + receiver = "default"; + routes = [ + { + group_by = [ "host" ]; + group_wait = "30s"; + group_interval = "2m"; + repeat_interval = "2h"; + receiver = "all"; + } + ]; + }; + receivers = [ + { + name = "all"; + webhook_configs = [{ + url = "http://127.0.0.1:9223/"; + max_alerts = 5; + }]; + } + { + name = "default"; + } + ]; + }; + }; + }; + +} diff --git a/lass/2configs/monitoring/telegraf.nix b/lass/2configs/monitoring/telegraf.nix new file mode 100644 index 000000000..5258b87ed --- /dev/null +++ b/lass/2configs/monitoring/telegraf.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: +let + isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules; +in { + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 9273"; target = "ACCEPT"; } + ]; + + systemd.services.telegraf.path = [ pkgs.nvme-cli ]; + + services.telegraf = { + enable = true; + extraConfig = { + agent.interval = "60s"; + inputs = { + http_response = [ + { urls = [ + "http://localhost:8080/about/health/" + ]; } + ]; + prometheus.metric_version = 2; + kernel_vmstat = { }; + # smart = lib.mkIf (!isVM) { + # path = pkgs.writeShellScript "smartctl" '' + # exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" + # ''; + # }; + system = { }; + mem = { }; + file = [{ + data_format = "influx"; + file_tag = "name"; + files = [ "/var/log/telegraf/*" ]; + }] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { + name_override = "ext4_errors"; + files = [ "/sys/fs/ext4/*/errors_count" ]; + data_format = "value"; + }; + exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) { + ## Commands array + commands = [ + (pkgs.writeScript "zpool-health" '' + #!${pkgs.gawk}/bin/awk -f + BEGIN { + while ("${pkgs.zfs}/bin/zpool status" | getline) { + if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 } + if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } + if ($1 ~ /errors:/) { + if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 + } + } + } + '') + ]; + data_format = "influx"; + }; + systemd_units = { }; + swap = { }; + disk.tagdrop = { + fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ]; + device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ]; + }; + diskio = { }; + }; + outputs.prometheus_client = { + listen = ":9273"; + metric_version = 2; + }; + }; + }; +} diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix index b11e54c2c..d65b4a87a 100644 --- a/lass/2configs/mpv.nix +++ b/lass/2configs/mpv.nix @@ -78,7 +78,7 @@ let exec ${pkgs.mpv.override { scripts = with pkgs.mpvScripts; [ sponsorblock - youtube-quality + quality-menu ]; }}/bin/mpv \ --no-config \ diff --git a/lass/2configs/networkd.nix b/lass/2configs/networkd.nix new file mode 100644 index 000000000..12ffe0bd7 --- /dev/null +++ b/lass/2configs/networkd.nix @@ -0,0 +1,20 @@ +{ config, lib, pkgs, ... }: +{ + systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false; + systemd.services.systemd-networkd.stopIfChanged = false; + # Services that are only restarted might be not able to resolve when resolved is stopped before + systemd.services.systemd-resolved.stopIfChanged = false; + + networking.useNetworkd = true; + systemd.network = { + enable = true; + networks.wl0 = { + matchConfig.Name = "wl0"; + DHCP = "yes"; + networkConfig = { + IgnoreCarrierLoss = "3s"; + }; + dhcpV4Config.UseDNS = true; + }; + }; +} diff --git a/lass/2configs/services/git/default.nix b/lass/2configs/services/git/default.nix index 096f73c03..2b68905ed 100644 --- a/lass/2configs/services/git/default.nix +++ b/lass/2configs/services/git/default.nix @@ -7,5 +7,15 @@ enableACME = true; addSSL = true; locations = config.services.nginx.virtualHosts.cgit.locations; + extraConfig = '' + client_max_body_size 300M; + client_body_timeout 2024; + client_header_timeout 2024; + + fastcgi_buffers 16 512k; + fastcgi_buffer_size 512k; + fastcgi_read_timeout 500; + fastcgi_send_timeout 500; + ''; }; } diff --git a/lass/2configs/services/git/proxy.nix b/lass/2configs/services/git/proxy.nix index cb05c3f6c..9875898ea 100644 --- a/lass/2configs/services/git/proxy.nix +++ b/lass/2configs/services/git/proxy.nix @@ -9,5 +9,15 @@ proxyWebsockets = true; recommendedProxySettings = true; }; + extraConfig = '' + client_max_body_size 300M; + client_body_timeout 2024; + client_header_timeout 2024; + + fastcgi_buffers 16 512k; + fastcgi_buffer_size 512k; + fastcgi_read_timeout 500; + fastcgi_send_timeout 500; + ''; }; } diff --git a/lass/2configs/services/radio/default.nix b/lass/2configs/services/radio/default.nix index 16ef31b6f..5accfe360 100644 --- a/lass/2configs/services/radio/default.nix +++ b/lass/2configs/services/radio/default.nix @@ -169,6 +169,7 @@ in { # allow reaktor2 to modify files systemd.services."reaktor2-the_playlist".serviceConfig.DynamicUser = lib.mkForce false; + systemd.services."reaktor2-the_playlist".serviceConfig.Group = lib.mkForce "radio"; krebs.reaktor2.the_playlist = { hostname = "irc.hackint.org"; diff --git a/lass/2configs/services/radio/weather_for_ips.py b/lass/2configs/services/radio/weather_for_ips.py index 62206a985..c44c5e46a 100644 --- a/lass/2configs/services/radio/weather_for_ips.py +++ b/lass/2configs/services/radio/weather_for_ips.py @@ -12,12 +12,12 @@ output = [] for ip in fileinput.input(): if "80.147.140.51" in ip: output.append( - 'Weather report for c-base, space.' + 'Weather report for c-base, space. ' 'It is empty space outside ' 'with a temperature of -270 degrees, ' 'a lightspeed of 299792 kilometers per second ' 'and a humidity of Not a Number percent. ' - f'The probability of reincarnation is {random.randrange(0, 100)} percent.' + f'The probability of reincarnation is {random.randrange(0, 100)} percent. ' ) else: try: diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix index 5fded10a2..98479c7f5 100644 --- a/lass/2configs/sync/decsync.nix +++ b/lass/2configs/sync/decsync.nix @@ -1,7 +1,7 @@ { services.syncthing.folders.decsync = { path = "/home/lass/decsync"; - devices = [ "mors" "blue" "green" "phone" ]; + devices = [ "mors" "blue" "green" "phone" "massulus" ]; }; krebs.acl."/home/lass/decsync"."u:syncthing:X".parents = true; diff --git a/lass/2configs/sync/sync.nix b/lass/2configs/sync/sync.nix index 2714fa83e..09f94378b 100644 --- a/lass/2configs/sync/sync.nix +++ b/lass/2configs/sync/sync.nix @@ -1,6 +1,13 @@ { services.syncthing.folders."/home/lass/sync" = { - devices = [ "mors" "icarus" "xerxes" "shodan" "green" "blue" "coaxmetal" ]; + devices = [ + "mors" + "xerxes" + "green" + "blue" + "coaxmetal" + "aergia" + ]; }; krebs.acl."/home/lass/sync"."u:syncthing:X".parents = true; krebs.acl."/home/lass/sync"."u:syncthing:rwX" = {}; diff --git a/lass/2configs/websites/default.nix b/lass/2configs/websites/default.nix index bfd86ad7e..ebf4d8345 100644 --- a/lass/2configs/websites/default.nix +++ b/lass/2configs/websites/default.nix @@ -4,6 +4,7 @@ with import <stockholm/lib>; { services.nginx = { + enable = true; recommendedGzipSettings = true; recommendedOptimisation = true; recommendedTlsSettings = true; diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index c57fb5907..9d28bedc6 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -96,6 +96,7 @@ in { file_uploads = on ''; + systemd.services.nextcloud-setup.after = [ "secret-nextcloud_pw.service" ]; krebs.secret.files.nextcloud_pw = { path = "/run/nextcloud.pw"; owner.name = "nextcloud"; @@ -121,18 +122,17 @@ in { # MAIL STUFF # TODO: make into its own module - # workaround for android 7 - security.acme.certs."lassul.us".keyType = "rsa4096"; - services.roundcube = { enable = true; hostName = "mail.lassul.us"; extraConfig = '' - $config['smtp_port'] = 25; + $config['smtp_debug'] = true; + $config['smtp_host'] = "localhost:25"; ''; }; services.dovecot2 = { enable = true; + showPAMFailure = true; mailLocation = "maildir:~/Mail"; sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem"; sslServerKey = "/var/lib/acme/lassul.us/key.pem"; @@ -142,6 +142,17 @@ in { { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; } ]; + environment.systemPackages = [ + (pkgs.writers.writeDashBin "debug_exim" '' + set -ef + export PATH="${lib.makeBinPath [ pkgs.coreutils ]}" + echo "$@" >> /tmp/xxx + /run/wrappers/bin/shadow_verify_arg "${config.lass.usershadow.pattern}" "$2" "$3" 2>>/tmp/xxx1 + echo "ok" >> /tmp/yyy + exit 23 + '') + ]; + krebs.exim-smarthost = { authenticators.PLAIN = '' driver = plaintext @@ -153,6 +164,7 @@ in { public_name = LOGIN server_prompts = "Username:: : Password::" server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}} + # server_condition = ''${run{/run/current-system/sw/bin/debug_exim ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}} ''; internet-aliases = [ { from = "dma@ubikmedia.de"; to = "domsen"; } @@ -180,14 +192,13 @@ in { "alewis.de" "jarugadesign.de" "beesmooth.ch" + "event-extra.de" ]; dkim = [ { domain = "ubikmedia.eu"; } { domain = "apanowicz.de"; } { domain = "beesmooth.ch"; } ]; - ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; - ssl_key = "/var/lib/acme/lassul.us/key.pem"; }; users.users.UBIK-SFTP = { diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 411234b82..9440413aa 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -9,8 +9,6 @@ let in { imports = [ ./default.nix - ../git.nix - ./ref.ptkk.de ]; security.acme = { @@ -66,23 +64,11 @@ in { locations."= /gpg.pub".extraConfig = '' alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pgp.pubkeys.default}; ''; + locations."= /ip".extraConfig = '' + return 200 '$remote_addr'; + ''; }; - security.acme.certs."cgit.lassul.us" = { - email = "lassulus@lassul.us"; - webroot = "/var/lib/acme/acme-challenge"; - group = "nginx"; - }; - services.nginx.virtualHosts.cgit = { - serverName = "cgit.lassul.us"; - addSSL = true; - sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem"; - sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem"; - locations."/.well-known/acme-challenge".extraConfig = '' - root /var/lib/acme/acme-challenge; - ''; - }; } - diff --git a/lass/3modules/drbd.nix b/lass/3modules/drbd.nix index dbc3db4db..b933158a5 100644 --- a/lass/3modules/drbd.nix +++ b/lass/3modules/drbd.nix @@ -34,6 +34,18 @@ in { net { protocol a; ping-int 10; + csums-alg crc32c; + connect-int 3; + after-sb-0pri discard-older-primary; + after-sb-1pri discard-secondary; + + # seems to be drbd-proxy premium feature + on-congestion pull-ahead; + congestion-fill 1G; + congestion-extents 500; + + sndbuf-size 10M; + max-epoch-size 20000; } device minor ${toString config.blockMinor}; disk ${config.disk}; diff --git a/lass/5pkgs/nm-dmenu/default.nix b/lass/5pkgs/nm-dmenu/default.nix index cb47bded3..ff4ba1633 100644 --- a/lass/5pkgs/nm-dmenu/default.nix +++ b/lass/5pkgs/nm-dmenu/default.nix @@ -1,6 +1,10 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: pkgs.writeDashBin "nm-dmenu" '' - export PATH=$PATH:${pkgs.dmenu}/bin:${pkgs.networkmanagerapplet}/bin + export PATH=$PATH:${lib.makeBinPath [ + pkgs.dmenu + pkgs.networkmanagerapplet + pkgs.procps + ]} exec ${pkgs.networkmanager_dmenu}/bin/networkmanager_dmenu "$@" '' diff --git a/lass/5pkgs/otpmenu/default.nix b/lass/5pkgs/otpmenu/default.nix index fe6d5b94c..fffe47005 100644 --- a/lass/5pkgs/otpmenu/default.nix +++ b/lass/5pkgs/otpmenu/default.nix @@ -1,10 +1,11 @@ { pkgs }: -pkgs.writeDashBin "otpmenu" '' +pkgs.writers.writeDashBin "otpmenu" '' +set -efux x=$(${pkgs.pass}/bin/pass git ls-files '*/otp.gpg' \ | ${pkgs.gnused}/bin/sed 's:/otp\.gpg$::' \ | ${pkgs.dmenu}/bin/dmenu ) otp=$(${(pkgs.pass.withExtensions (ext: [ ext.pass-otp ]))}/bin/pass otp code "$x/otp") -printf %s "$otp" | ${pkgs.xdotool}/bin/xdotool type -f - +printf %s "$otp" | ${pkgs.wtype}/bin/wtype -s 1 - || printf %s "$otp" | ${pkgs.xdotool}/bin/xdotool type -f - '' diff --git a/lass/5pkgs/unimenu/default.nix b/lass/5pkgs/unimenu/default.nix index d452195fc..cf2a15277 100644 --- a/lass/5pkgs/unimenu/default.nix +++ b/lass/5pkgs/unimenu/default.nix @@ -62,6 +62,7 @@ ᕦ(ò_óˇ)ᕤ strong flex muscle bicep (๑>ᴗ<๑) excite (∩ ` -´)⊃━━☆゚.*・。゚ wizard spell magic + ╰( ͡° ͜ʖ ͡° )つ──☆*:・゚ wizard spell magic ◕ ◡ ◕ puss in boots big eye ≋≋≋≋≋̯̫⌧̯̫(ˆ•̮ ̮•ˆ) nyan cat ʕ•ᴥ•ʔ bear @@ -71,6 +72,15 @@ \(º □ º )/ panic 𓂺 penis 𓂸 penis + __〆( ̄ー ̄ ) write down + __〆(º □ º) write down + __〆(^_^) write down + C= C= C= C= C=┌(;・ω・)┘ running fast here + ▓▒░(°◡°)░▒▓ dont care + (๑ᵔ⤙ᵔ๑) nom food eating + (·•᷄ࡇ •᷅ ) ohoh sad + ᕕ( ᐛ )ᕗ hehe lol letsgo + (^_~) wink ''; in # ref https://github.com/LukeSmithxyz/voidrice/blob/9fe6802122f6e0392c7fe20eefd30437771d7f8e/.local/bin/dmenuunicode diff --git a/lass/krops.nix b/lass/krops.nix index 81c679c5e..a7dcaf5bf 100644 --- a/lass/krops.nix +++ b/lass/krops.nix @@ -27,7 +27,7 @@ ''; } else { git = { - ref = (lib.importJSON ../krebs/nixpkgs.json).rev; + ref = (lib.importJSON ../krebs/nixpkgs-unstable.json).rev; url = https://github.com/NixOS/nixpkgs; shallow = true; }; |