Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/aergia/config.nix1
-rw-r--r--lass/1systems/aergia/disk.nix2
-rw-r--r--lass/1systems/aergia/physical.nix11
-rw-r--r--lass/1systems/green/config.nix1
-rw-r--r--lass/1systems/neoprism/physical.nix39
-rw-r--r--lass/1systems/prism/backup.nix37
-rw-r--r--lass/1systems/prism/config.nix157
-rw-r--r--lass/1systems/prism/physical.nix8
-rw-r--r--lass/1systems/shodan/config.nix6
-rw-r--r--lass/1systems/skynet/physical.nix16
-rw-r--r--lass/1systems/styx/config.nix2
-rw-r--r--lass/1systems/styx/physical.nix1
-rw-r--r--lass/1systems/wizard/config.nix3
-rw-r--r--lass/1systems/xerxes/config.nix21
-rw-r--r--lass/2configs/binary-cache/server.nix6
-rw-r--r--lass/2configs/bitlbee.nix22
-rw-r--r--lass/2configs/browsers.nix2
-rw-r--r--lass/2configs/c-base.nix2
-rw-r--r--lass/2configs/codimd.nix20
-rw-r--r--lass/2configs/consul.nix3
-rw-r--r--lass/2configs/default.nix15
-rw-r--r--lass/2configs/exim-smarthost.nix16
-rw-r--r--lass/2configs/fysiirc.nix17
-rw-r--r--lass/2configs/gc.nix2
-rw-r--r--lass/2configs/gg23.nix8
-rw-r--r--lass/2configs/git-brain.nix1
-rw-r--r--lass/2configs/green-hosts/cryfs.nix95
-rw-r--r--lass/2configs/green-hosts/ecryptfs.nix99
-rw-r--r--lass/2configs/green-hosts/plain-bindfs.nix90
-rw-r--r--lass/2configs/green-hosts/plain-permown.nix88
-rw-r--r--lass/2configs/green-hosts/plain.nix87
-rw-r--r--lass/2configs/green-hosts/securefs.nix101
-rw-r--r--lass/2configs/gsm-wiki.nix20
-rw-r--r--lass/2configs/hfos.nix9
-rw-r--r--lass/2configs/home-media.nix78
-rw-r--r--lass/2configs/matrix.nix20
-rw-r--r--lass/2configs/minecraft.nix6
-rw-r--r--lass/2configs/monitoring/telegraf.nix175
-rw-r--r--lass/2configs/muchsync.nix1
-rw-r--r--lass/2configs/murmur.nix37
-rw-r--r--lass/2configs/orange-host.nix4
-rw-r--r--lass/2configs/pass.nix3
-rw-r--r--lass/2configs/paste.nix17
-rw-r--r--lass/2configs/print.nix5
-rw-r--r--lass/2configs/realwallpaper.nix8
-rw-r--r--lass/2configs/red-host.nix4
-rw-r--r--lass/2configs/retiolum.nix9
-rw-r--r--lass/2configs/riot.nix34
-rw-r--r--lass/2configs/services/coms/proxy.nix13
-rw-r--r--lass/2configs/services/radio/default.nix18
-rw-r--r--lass/2configs/services/radio/news.nix11
-rw-r--r--lass/2configs/snapclient.nix2
-rw-r--r--lass/2configs/snapserver.nix23
-rw-r--r--lass/2configs/steam.nix4
-rw-r--r--lass/2configs/telegraf.nix67
-rw-r--r--lass/2configs/tor-ssh.nix2
-rw-r--r--lass/2configs/vim.nix45
-rw-r--r--lass/2configs/websites/default.nix2
-rw-r--r--lass/2configs/websites/domsen.nix28
-rw-r--r--lass/2configs/websites/flix.lassul.us.nix13
-rw-r--r--lass/2configs/weechat.nix11
-rw-r--r--lass/2configs/wine.nix2
-rw-r--r--lass/2configs/wiregrill.nix10
-rw-r--r--lass/2configs/xmonad.nix30
-rw-r--r--lass/2configs/yubikey.nix15
-rw-r--r--lass/3modules/nichtparasoup.nix2
-rw-r--r--lass/5pkgs/deploy/default.nix2
-rw-r--r--lass/5pkgs/q/default.nix6
-rw-r--r--lass/5pkgs/super-vnc/default.nix38
-rw-r--r--lass/krops.nix53
70 files changed, 1304 insertions, 502 deletions
diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix
index 618938ce8..3e0ae23f7 100644
--- a/lass/1systems/aergia/config.nix
+++ b/lass/1systems/aergia/config.nix
@@ -112,7 +112,6 @@
environment.systemPackages = with pkgs; [
brain
- bank
l-gen-secrets
generate-secrets
nixpkgs-review
diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix
index 848157729..233b320e4 100644
--- a/lass/1systems/aergia/disk.nix
+++ b/lass/1systems/aergia/disk.nix
@@ -45,9 +45,11 @@
# Mountpoints inferred from subvolume name
"/home" = {
mountOptions = [];
+ mountpoint = "/home";
};
"/nix" = {
mountOptions = [];
+ mountpoint = "/nix";
};
};
};
diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix
index 9f06dccdc..e76460d20 100644
--- a/lass/1systems/aergia/physical.nix
+++ b/lass/1systems/aergia/physical.nix
@@ -16,7 +16,7 @@
efiInstallAsRemovable = true;
};
- boot.kernelPackages = pkgs.linuxPackages_latest;
+ # boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = [
# use less power with pstate
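Review bot: The `boot.kernelPackages` line is commented out without a recorded reason, so the host silently falls back to the default kernel and a later reader cannot tell whether this is a temporary workaround or a permanent decision; a one-line comment such as `# linuxPackages_latest disabled: <reason/date> — revisit` would make the intent recoverable. The same applies to the commented `systemd.sleep.extraConfig` block added in the hunk at `@@ -102,9 +100,16 @@` of this file. The enclosing attribute set starts and ends outside the hunk.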
@@ -70,8 +70,6 @@
};
users.users.mainUser.extraGroups = [ "corectrl" ];
- # use newer ryzenadj
-
# keyboard quirks
services.xserver.displayManager.sessionCommands = ''
${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert
@@ -102,9 +100,16 @@
services.logind.extraConfig = ''
HandlePowerKey=hibernate
'';
+ # systemd.sleep.extraConfig = ''
+ # HibernateDelaySec=1800
+ # '';
# firefox touchscreen support
environment.sessionVariables.MOZ_USE_XINPUT2 = "1";
+
+ # enable thunderbolt
+ services.hardware.bolt.enable = true;
+
# reinit usb after docking station connect
services.udev.extraRules = ''
SUBSYSTEM=="drm", ACTION=="change", RUN+="${pkgs.dash}/bin/dash -c 'echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized'"
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index c232be9bd..81b8b909b 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -15,7 +15,6 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/weechat.nix>
<stockholm/lass/2configs/bitlbee.nix>
- <stockholm/lass/2configs/muchsync.nix>
<stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/git-brain.nix>
diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix
index f2092d9aa..cc7734f39 100644
--- a/lass/1systems/neoprism/physical.nix
+++ b/lass/1systems/neoprism/physical.nix
@@ -13,7 +13,10 @@
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
- boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ];
+ boot.loader.grub.devices = [
+ config.disko.devices.disk."/dev/nvme0n1".device
+ config.disko.devices.disk."/dev/nvme1n1".device
+ ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
boot.kernelModules = [ "kvm-amd" ];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
@@ -56,21 +59,21 @@
};
networking.useDHCP = false;
- boot.initrd.network = {
- enable = true;
- ssh = {
- enable = true;
- authorizedKeys = [ config.krebs.users.lass.pubkey ];
- port = 2222;
- hostKeys = [
- (toString <secrets/ssh.id_ed25519>)
- (toString <secrets/ssh.id_rsa>)
- ];
- };
- };
- boot.kernelParams = [
- "net.ifnames=0"
- "ip=dhcp"
- "boot.trace"
- ];
+ # boot.initrd.network = {
+ # enable = true;
+ # ssh = {
+ # enable = true;
+ # authorizedKeys = [ config.krebs.users.lass.pubkey ];
+ # port = 2222;
+ # hostKeys = [
+ # (<secrets/ssh.id_ed25519>)
+ # (<secrets/ssh.id_rsa>)
+ # ];
+ # };
+ # };
+ # boot.kernelParams = [
+ # "net.ifnames=0"
+ # "ip=dhcp"
+ # "boot.trace"
+ # ];
}
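Review bot: The commented-out `hostKeys` entries drop the `toString` the removed lines had (`(<secrets/ssh.id_ed25519>)` instead of `(toString <secrets/ssh.id_ed25519>)`), so if this block is ever uncommented as written the entries become Nix path values, which are likely to be copied into the world-readable store during evaluation rather than referenced as out-of-store files; keep `toString` when re-enabling. Commenting out the block also removes `ip=dhcp` and `net.ifnames=0`, so the initrd no longer brings up networking or the port-2222 sshd; if this host has an encrypted root it can now only be unlocked at the console, which is worth stating next to the block, e.g. `# initrd ssh unlock disabled: <reason> — re-enable with toString on the key paths`. The enclosing attribute set starts outside the hunk.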
diff --git a/lass/1systems/prism/backup.nix b/lass/1systems/prism/backup.nix
new file mode 100644
index 000000000..52b4142b9
--- /dev/null
+++ b/lass/1systems/prism/backup.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+{
+ services.postgresqlBackup.enable = true;
+
+ systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
+
+ services.borgbackup.jobs.hetzner = {
+ paths = [
+ "/var/backup"
+ ];
+ exclude = [
+ "*.pyc"
+ ];
+ repo = "u364341@u364341.your-storagebox.de:/./hetzner";
+ encryption.mode = "none";
+ compression = "auto,zstd";
+ startAt = "daily";
+ # TODO: change backup key
+ environment.BORG_RSH = "ssh -oPort=23 -i ${toString <secrets> + "/borgbackup.ssh.id25519"}";
+ preHook = ''
+ set -x
+ '';
+
+ postHook = ''
+ cat > /var/log/telegraf/borgbackup-job-hetzner.service <<EOF
+ task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
+ EOF
+ '';
+
+ prune.keep = {
+ within = "1d"; # Keep all archives from the last day
+ daily = 7;
+ weekly = 4;
+ monthly = 0;
+ };
+ };
+}
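Review bot: `encryption.mode = "none"` on a repo hosted at a third-party storage box means the `services.postgresqlBackup` dumps under `/var/backup` are stored off-site in plaintext, readable by anyone holding the storage account or the SSH key. Setting `encryption.mode = "repokey-blake2";` together with `encryption.passCommand = "cat ${toString <secrets>}/<passphrase file>";` keeps the passphrase out of the store and confines a key compromise to availability rather than confidentiality. The `# TODO: change backup key` comment suggests the SSH identity is shared or pending rotation, which matters more while the repo is unencrypted; the TODO should say what the key currently is and when it rotates. The `BORG_RSH` command also pins no host key for `u364341.your-storagebox.de`, so unless root's known_hosts already contains it the first non-interactive run will fail or, with strict checking relaxed, accept any server; `-oUserKnownHostsFile=<pinned known_hosts path>` makes the trust anchor explicit.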
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 1faa23ec3..990dac091 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -3,12 +3,13 @@ with import <stockholm/lib>;
{
imports = [
+ ./backup.nix
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/libvirt.nix>
<stockholm/lass/2configs/tv.nix>
<stockholm/lass/2configs/websites/lassulus.nix>
- <stockholm/lass/2configs/telegraf.nix>
+ <stockholm/lass/2configs/monitoring/telegraf.nix>
{
services.nginx.enable = true;
imports = [
@@ -80,24 +81,6 @@ with import <stockholm/lib>;
};
}
{
- #hotdog
- systemd.services."container@hotdog".reloadIfChanged = mkForce false;
- containers.hotdog = {
- config = { ... }: {
- environment.systemPackages = [ pkgs.git ];
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
- ];
- };
- autoStart = false;
- enableTun = true;
- privateNetwork = true;
- hostAddress = "10.233.2.1";
- localAddress = "10.233.2.2";
- };
- }
- {
services.nginx.virtualHosts."radio.lassul.us" = {
enableACME = true;
addSSL = true;
@@ -159,40 +142,6 @@ with import <stockholm/lib>;
};
}
{
- users.users.jeschli = {
- uid = genid_uint31 "jeschli";
- isNormalUser = true;
- openssh.authorizedKeys.keys = with config.krebs.users; [
- jeschli.pubkey
- jeschli-bln.pubkey
- jeschli-bolide.pubkey
- jeschli-brauerei.pubkey
- ];
- };
- krebs.git.rules = [
- {
- user = with config.krebs.users; [
- jeschli
- jeschli-bln
- jeschli-bolide
- jeschli-brauerei
- ];
- repo = [ config.krebs.git.repos.xmonad-stockholm ];
- perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ];
- }
- {
- user = with config.krebs.users; [
- jeschli
- jeschli-bln
- jeschli-bolide
- jeschli-brauerei
- ];
- repo = [ config.krebs.git.repos.stockholm ];
- perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ];
- }
- ];
- }
- {
krebs.repo-sync.repos.stockholm.timerConfig = {
OnBootSec = "5min";
OnUnitInactiveSec = "2min";
@@ -201,43 +150,8 @@ with import <stockholm/lib>;
}
<stockholm/lass/2configs/minecraft.nix>
<stockholm/lass/2configs/codimd.nix>
- <stockholm/lass/2configs/searx.nix>
- {
- services.taskserver = {
- enable = true;
- fqdn = "lassul.us";
- listenHost = "::";
- listenPort = 53589;
- organisations.lass.users = [ "lass" "android" ];
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
- ];
- }
<stockholm/lass/2configs/go.nix>
{
- environment.systemPackages = [ pkgs.cryptsetup ];
- systemd.services."container@red".reloadIfChanged = mkForce false;
- containers.red = {
- config = { ... }: {
- environment.systemPackages = [ pkgs.git ];
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
- ];
- };
- autoStart = false;
- enableTun = true;
- privateNetwork = true;
- hostAddress = "10.233.2.3";
- localAddress = "10.233.2.4";
- };
- }
- {
- users.users.download.openssh.authorizedKeys.keys = [
- ];
- }
- {
lass.nichtparasoup.enable = true;
services.nginx = {
enable = true;
@@ -255,7 +169,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/wiregrill.nix>
];
krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [
- { v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-s 10.244.0.0/16"; target = "ACCEPT"; }
{ v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
];
krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
@@ -264,16 +178,16 @@ with import <stockholm/lib>;
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; }
- { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
+ { v6 = false; predicate = "-s 10.244.0.0/16 ! -d 10.244.0.0/16"; target = "MASQUERADE"; }
];
services.dnsmasq = {
enable = true;
resolveLocalQueries = false;
extraConfig= ''
- listen-address=42:1:ce16::1,10.244.1.103
- except-interface=lo
+ bind-interfaces
interface=wiregrill
+ interface=retiolum
'';
};
}
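Review bot: Replacing `listen-address=42:1:ce16::1,10.244.1.103` and `except-interface=lo` with `interface=wiregrill` and `interface=retiolum` widens where dnsmasq answers: it now serves the retiolum interface too, and because `except-interface=lo` is gone dnsmasq adds the loopback interface on its own when `interface=` is used, which can collide with any other resolver on port 53. The MASQUERADE rule above it widens the wiregrill source from `10.244.1.0/24` to `10.244.0.0/16`, the same widening as the PREROUTING rule in the hunk at `@@ -255,7 +169,7 @@`, and neither hunk records why the allocation grew. A comment on the dnsmasq block, e.g. `# serve DNS to wiregrill and retiolum peers; lo is implicitly included`, plus a check that the INPUT chain admits port 53 only on those two interfaces would close this. The enclosing set of this hunk starts outside it.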
@@ -285,33 +199,15 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/services/coms/murmur.nix>
<stockholm/lass/2configs/docker.nix>
{
- systemd.services."container@yellow".reloadIfChanged = mkForce false;
- containers.yellow = {
- config = { ... }: {
- environment.systemPackages = [ pkgs.git ];
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
- ];
- };
- autoStart = false;
- enableTun = true;
- privateNetwork = true;
- hostAddress = "10.233.2.13";
- localAddress = "10.233.2.14";
- };
- services.nginx.virtualHosts."jelly.r" = {
- locations."/".extraConfig = ''
- proxy_pass http://10.233.2.14:8096/;
- proxy_set_header Accept-Encoding "";
- '';
- };
- services.nginx.virtualHosts."flix.r" = {
- locations."/".extraConfig = ''
- proxy_pass http://10.233.2.14:80/;
- proxy_set_header Accept-Encoding "";
- '';
+ services.nginx.virtualHosts."flix.lassul.us" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://yellow.r:8096";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
};
services.nginx.virtualHosts."lassul.us" = {
locations."^~ /flix/".extraConfig = ''
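Review bot: The new `flix.lassul.us` vhost publishes `http://yellow.r:8096` on a public, ACME-certified name with no access control in nginx, whereas the hosts it replaces (`jelly.r`, `flix.r`) used internal `.r` names and the `/flix/` location on `lassul.us` further down in this file is guarded by `auth_basic`. If the upstream enforces its own login this is fine but should be stated, e.g. `# public; authentication is handled by the upstream application` above `locations."/"`; if it does not, the same `auth_basic`/`auth_basic_user_file` pair used for `/flix/` belongs here as well. The enclosing set starts outside the hunk.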
@@ -322,7 +218,7 @@ with import <stockholm/lib>;
auth_basic_user_file ${pkgs.writeText "flix-user-pass" ''
krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0
''};
- proxy_pass http://10.233.2.14:80/;
+ proxy_pass http://yellow.r:80/;
proxy_set_header Accept-Encoding "";
sub_filter "https://lassul.us/" "https://lassul.us/flix/";
sub_filter_once off;
@@ -396,7 +292,7 @@ with import <stockholm/lib>;
netbios name = PRISM
server string = ${config.networking.hostName}
# only allow retiolum addresses
- hosts allow = 42::/16 10.243.0.0/16
+ hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16
# Use sendfile() for performance gain
use sendfile = true
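Review bot: The `# only allow retiolum addresses` comment above the changed line is now stale: `hosts allow` gains `10.244.0.0/16`, the range the wiregrill rules elsewhere in this file use, and the next hunk adds the matching `-i wiregrill -p tcp --dport 445` INPUT rule. Update it to `# only allow retiolum and wiregrill addresses` so the comment and the list agree. The enclosing samba config string starts and ends outside the hunk.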
@@ -438,13 +334,13 @@ with import <stockholm/lib>;
krebs.iptables.tables.filter.INPUT.rules = [
# smbd
{ predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; }
-
{ predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; }
+ { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; }
@@ -453,25 +349,6 @@ with import <stockholm/lib>;
{ predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; }
];
}
- {
- users.users.shannan = {
- uid = genid_uint31 "shannan";
- isNormalUser = true;
- openssh.authorizedKeys.keys = [
- config.krebs.users.shannan.pubkey
- ];
- };
- }
- {
- nix.trustedUsers = [ "mic92" ];
- users.users.mic92 = {
- uid = genid_uint31 "mic92";