From 363b381eeca12c54c83b4841198d189d470d345e Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 18:14:32 +0200 Subject: krebszones: RIP --- lass/2configs/programs.nix | 6 ------ 1 file changed, 6 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/programs.nix b/lass/2configs/programs.nix index 0997b41a8..4361ec747 100644 --- a/lass/2configs/programs.nix +++ b/lass/2configs/programs.nix @@ -35,12 +35,6 @@ export SYSTEM="$1" $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) '') - (pkgs.writeDashBin "krebsco.de" '' - TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) - ${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json - OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import - ${pkgs.coreutils}/bin/rm -rf "$TMPDIR" - '') (pkgs.writeDashBin "lassul.us" '' TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json -- cgit v1.2.3 From 666a2b0a8a7941768077a7774d6ca7732d8e8c24 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Aug 2023 08:36:05 +0200 Subject: l matrix: remove deprecated pkg override --- lass/2configs/matrix.nix | 18 ------------------ 1 file changed, 18 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/matrix.nix b/lass/2configs/matrix.nix index cdcbe7ab0..1d6a8663e 100644 --- a/lass/2configs/matrix.nix +++ b/lass/2configs/matrix.nix 
@@ -2,24 +2,6 @@ with import ; { services.matrix-synapse = { - # synapse 1.60.0 errors during startup with: - # https://github.com/matrix-org/synapse/issues/15809 - package = pkgs.matrix-synapse.overrideAttrs (oldAttrs: rec { - version = "1.85.2"; - name = "matrix-synapse-${version}"; - src = pkgs.fetchFromGitHub { - owner = "matrix-org"; - repo = "synapse"; - rev = "v${version}"; - hash = "sha256-pFafBsisBPfpDnFYWcimUuBgfFVPZzLna3yHeqIBAAE="; - }; - cargoDeps = pkgs.rustPlatform.fetchCargoTarball { - inherit src; - name = "matrix-synapse-${version}"; - hash = "sha256-dnno+5Ma0YNYpmj3oZ5UG22uAanKwVT67BwQW+mHoFc="; - }; - doCheck = false; - }); enable = true; settings = { server_name = "lassul.us"; -- cgit v1.2.3 From 6592341dc31c6f26422ec3a9fed2e601ab985cfc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 31 Aug 2023 11:44:53 +0200 Subject: prism: add backup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jörg Thalheim --- lass/2configs/codimd.nix | 71 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 67 insertions(+), 4 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index ccca49fac..0927788a7 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -2,7 +2,8 @@ with import ; let domain = "pad.lassul.us"; -in { +in +{ # redirect legacy domain to new one services.nginx.virtualHosts."codi.lassul.us" = { 
@@ -25,13 +26,77 @@ in { security.dhparams = { enable = true; - params.hedgedoc = {}; + params.hedgedoc = { }; }; systemd.services.hedgedoc.environment = { CMD_COOKIE_POLICY = "none"; CMD_CSP_ALLOW_FRAMING = "true"; }; + + systemd.services.hedgedoc-backup = { + startAt = "daily"; + serviceConfig = { + ExecStart = ''${pkgs.sqlite}/bin/sqlite3 /var/lib/hedgedoc/db.hedgedoc.sqlite ".backup /var/backup/hedgedoc/backup.sq3"''; + Type = "oneshot"; + }; + }; + + services.postgresqlBackup.enable = true; + + systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; + + services.borgbackup.jobs.hetzner = { + paths = [ + "/home" + "/etc" + "/var" + "/root" + ]; + exclude = [ + "*.pyc" + "/home/*/.direnv" + "/home/*/.cache" + "/home/*/.cargo" + "/home/*/.npm" + "/home/*/.m2" + "/home/*/.gradle" + "/home/*/.opam" + "/home/*/.clangd" + "/var/lib/containerd" + # already included in database backup + "/var/lib/postgresql" + # not so important + "/var/lib/docker/" + "/var/log/journal" + "/var/cache" + "/var/tmp" + "/var/log" + ]; + repo = "u348918@u348918.your-storagebox.de:/./hetzner"; + encryption.mode = "none"; + compression = "auto,zstd"; + startAt = "daily"; + # TODO: change backup key + environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}"; + preHook = '' + set -x + ''; + + postHook = '' + cat > /var/log/telegraf/borgbackup-job-hetzner.service < Date: Thu, 31 Aug 2023 17:47:17 +0200 Subject: l prism.r: add backups --- lass/2configs/codimd.nix | 56 +-------------------------------------- lass/2configs/websites/domsen.nix | 28 +++++++++++++++++++- 2 files changed, 28 insertions(+), 56 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index 0927788a7..f8880dbdc 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix 
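Review bot: The new `services.borgbackup.jobs.hetzner` ships `/home`, `/etc`, `/var` and `/root` to a remote Hetzner storage box with `encryption.mode = "none";`, so everything under those paths (typically the `/etc/ssh` host private keys, whatever lives in `/root`, service state under `/var/lib`) sits unencrypted on a third-party host, and the `# TODO: change backup key` line suggests the SSH key is not final either. Pick an encrypted repository mode before the first run populates the repo, e.g. `encryption.mode = "repokey-blake2";` together with an `encryption.passCommand` reading a sops-managed passphrase, since a repo cannot be switched to encrypted later without starting over. `set -x` in `preHook` presumably traces every subsequent command of the generated backup script, including the borg invocation, into the journal and should go once the job is debugged. A later commit on this page moves this job into `websites/domsen.nix`, but that destination hunk is not visible here, so the encryption setting needs to be checked there as well. The `postHook` body at the end of this hunk is cut off in this rendering.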
@@ -34,6 +34,7 @@ in CMD_CSP_ALLOW_FRAMING = "true"; }; + services.borgbackup.jobs.hetzner.paths = [ "/var/backup" ]; systemd.services.hedgedoc-backup = { startAt = "daily"; serviceConfig = { @@ -42,61 +43,6 @@ in }; }; - services.postgresqlBackup.enable = true; - - systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; - - services.borgbackup.jobs.hetzner = { - paths = [ - "/home" - "/etc" - "/var" - "/root" - ]; - exclude = [ - "*.pyc" - "/home/*/.direnv" - "/home/*/.cache" - "/home/*/.cargo" - "/home/*/.npm" - "/home/*/.m2" - "/home/*/.gradle" - "/home/*/.opam" - "/home/*/.clangd" - "/var/lib/containerd" - # already included in database backup - "/var/lib/postgresql" - # not so important - "/var/lib/docker/" - "/var/log/journal" - "/var/cache" - "/var/tmp" - "/var/log" - ]; - repo = "u348918@u348918.your-storagebox.de:/./hetzner"; - encryption.mode = "none"; - compression = "auto,zstd"; - startAt = "daily"; - # TODO: change backup key - environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}"; - preHook = '' - set -x - ''; - - postHook = '' - cat > /var/log/telegraf/borgbackup-job-hetzner.service < Date: Sat, 2 Sep 2023 11:36:38 +0200 Subject: l codimd: backup statedir --- lass/2configs/codimd.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index f8880dbdc..d0ba8912c 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -34,7 +34,10 @@ in CMD_CSP_ALLOW_FRAMING = "true"; }; - services.borgbackup.jobs.hetzner.paths = [ "/var/backup" ]; + services.borgbackup.jobs.hetzner.paths = [ + "/var/backup" + "/var/lib/hedgedoc" + ]; systemd.services.hedgedoc-backup = { startAt = "daily"; serviceConfig = { -- cgit v1.2.3 From be170d796f8520b88102a0f540f028d0fa395a55 Mon Sep 17 00:00:00 2001 
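Review bot: Adding `/var/lib/hedgedoc` to the borg paths includes the live `db.hedgedoc.sqlite`, while the `hedgedoc-backup` service directly below already writes a consistent copy of that database via sqlite's `.backup` into `/var/backup/hedgedoc`, which is backed up too; the live file can be captured mid-write and is redundant with the dump. Either exclude it, `services.borgbackup.jobs.hetzner.exclude = [ "/var/lib/hedgedoc/db.hedgedoc.sqlite" ];`, or add a comment explaining why both copies are wanted. Both the dump and the borg job use `startAt = "daily"`, so they fire at the same moment and the borg run may pick up the previous day's dump; the job definition this path list extends lives in a file not shown on this page, so the ordering cannot be checked here.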
From: lassulus Date: Sun, 3 Sep 2023 11:56:59 +0200 Subject: l binary-cache: disable nix-serve-ng --- lass/2configs/binary-cache/server.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix index bdd568c15..490601641 100644 --- a/lass/2configs/binary-cache/server.nix +++ b/lass/2configs/binary-cache/server.nix @@ -1,8 +1,8 @@ { config, lib, pkgs, ...}: { - nixpkgs.config.packageOverrides = p: { - nix-serve = p.haskellPackages.nix-serve-ng; - }; + # nixpkgs.config.packageOverrides = p: { + # nix-serve = p.haskellPackages.nix-serve-ng; + # }; # generate private key with: # nix-store --generate-binary-cache-key my-secret-key my-public-key services.nix-serve = { -- cgit v1.2.3 From 32bac4e0549b6b41aa6062aee48f1aa7eb493a3f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:57:19 +0200 Subject: l green-hosts: add different implementations --- lass/2configs/green-hosts/cryfs.nix | 95 ++++++++++++++++++++++++++ lass/2configs/green-hosts/ecryptfs.nix | 99 +++++++++++++++++++++++++++ lass/2configs/green-hosts/plain-bindfs.nix | 90 +++++++++++++++++++++++++ lass/2configs/green-hosts/plain-permown.nix | 88 ++++++++++++++++++++++++ lass/2configs/green-hosts/plain.nix | 87 ++++++++++++++++++++++++ lass/2configs/green-hosts/securefs.nix | 101 ++++++++++++++++++++++++++++ 6 files changed, 560 insertions(+) create mode 100644 lass/2configs/green-hosts/cryfs.nix create mode 100644 lass/2configs/green-hosts/ecryptfs.nix create mode 100644 lass/2configs/green-hosts/plain-bindfs.nix create mode 100644 lass/2configs/green-hosts/plain-permown.nix create mode 100644 lass/2configs/green-hosts/plain.nix create mode 100644 lass/2configs/green-hosts/securefs.nix (limited to 'lass/2configs') diff --git a/lass/2configs/green-hosts/cryfs.nix b/lass/2configs/green-hosts/cryfs.nix new file mode 100644 index 000000000..d60dc5951 --- /dev/null 
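Review bot: Commenting out the `nixpkgs.config.packageOverrides` block leaves dead code in `server.nix` without recording why `nix-serve-ng` was dropped, and git history already keeps the old lines. Replace the three commented lines with a one-line reason such as `# nix-serve-ng override removed: <reason>, falling back to the default nix-serve`, or delete them outright so the next reader does not wonder whether to re-enable the override.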
+++ b/lass/2configs/green-hosts/cryfs.nix 
@@ -0,0 +1,95 @@ +# seems to work, very slow though + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-cryfs"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/cryfs" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + lass.bindfs."/var/lib/sync-containers/${cname}/cryfs" = { + source = "/var/lib/sync-containers/${cname}/cryfs"; + options = [ + "-M ${toString config.users.users.syncthing.uid} -u root -g root" + ]; + }; + + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "init-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/sync-containers/${cname}/cryfs + '') + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch 
/etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} diff --git a/lass/2configs/green-hosts/ecryptfs.nix b/lass/2configs/green-hosts/ecryptfs.nix new file mode 100644 index 000000000..2c335f6f2 --- /dev/null +++ b/lass/2configs/green-hosts/ecryptfs.nix 
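Review bot: Nothing in this new file mounts a cryfs volume: the synced directory `/var/lib/sync-containers/green-cryfs/cryfs` is only bind-mounted onto itself through `lass.bindfs`, `init-green-cryfs` merely runs `mkdir -p`, and `start-green-cryfs` creates `/var/lib/containers/green-cryfs/var/state` as a plain directory, so as far as this hunk shows the container state is neither encrypted nor connected to the synced folder, which does not match the header `# seems to work, very slow though`. If the cryfs mount is handled by a wrapper not shown here, a comment naming it next to `init-green-cryfs` would help; otherwise the mount and unmount steps are missing from the start and stop scripts. Separately, the activation script `${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229` fails with EEXIST whenever activation re-runs inside an already running container (for instance the `nixos-rebuild -I /var/src switch` issued by the start script); guard it with `[ -e /dev/fuse ] || ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229`, and the same block is copied into the other five files of this commit.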
@@ -0,0 +1,99 @@ + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/ecryptfs" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/sync-containers/${cname}/ecryptfs" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = false; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + pkgs.ecryptfs + pkgs.keyutils + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + if ! 
mount | grep -q '/var/lib/sync-containers/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then + if [ -e /var/lib/sync-containers/${cname}/ecryptfs/.cfg.json ]; then + ${pkgs.ecrypt}/bin/ecrypt mount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + else + ${pkgs.ecrypt}/bin/ecrypt init /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + fi + fi + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + ${pkgs.ecrypt}/bin/ecrypt unmount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + '') + ]; +} + diff --git a/lass/2configs/green-hosts/plain-bindfs.nix b/lass/2configs/green-hosts/plain-bindfs.nix new file mode 100644 index 000000000..81d8f20c2 --- /dev/null +++ b/lass/2configs/green-hosts/plain-bindfs.nix 
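Review bot: `start-green` decides between `ecrypt init` and `ecrypt mount` by testing for `.cfg.json` inside `/var/lib/sync-containers/green/ecryptfs`, which is the directory syncthing replicates to every host in `devices`; if that file carries the ecryptfs passphrase or wrapped key material, the secret travels with the ciphertext to every peer and the encryption buys nothing against a compromised peer. `pkgs.ecrypt` is not visible in this diff, so confirm what `init` writes there and state it in a comment, e.g. `# .cfg.json holds only non-secret ecryptfs metadata; the passphrase is never stored in the synced dir`. `keepGoing = false` here versus `true` in the plain variants also deserves a one-line reason, since it changes whether permown keeps running after an error.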
@@ -0,0 +1,90 @@ +# this seems to work, sadly there are no inotify events on the state directory because bindfs hides them, + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-plain"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + lass.bindfs."/var/lib/containers/${cname}/var/state" = { + source = "/var/lib/containers/${cname}/var/state"; + options = [ + "-M ${toString config.users.users.syncthing.uid} -u root -g root" + ]; + }; + + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h 
/var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} + diff --git a/lass/2configs/green-hosts/plain-permown.nix b/lass/2configs/green-hosts/plain-permown.nix new file mode 100644 index 000000000..21a7d0085 --- /dev/null +++ b/lass/2configs/green-hosts/plain-permown.nix 
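Review bot: In `start-green-plain` the readiness test `(! ping -c1 -q -w5 green-plain.r)` uses a bare `ping` while every other tool in the script is referenced by store path; if `ping` is not on the unit's PATH the command fails with 127, the `!` turns that into "unreachable", and `nixos-rebuild -I /var/src switch` runs inside the container on every start. Use `${pkgs.iputils}/bin/ping -c1 -q -w5 green-plain.r` (the same line appears in the other five files of this commit). The inner `deploy-green-plain` script is `set -x` only, so a failed `mkdir -p /var/state/var_src` (e.g. when `/var/state` is not there) is ignored and the `/var/src` symlink is created anyway; add `set -e` alongside `set -x` there.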
@@ -0,0 +1,88 @@ +# this seems to work fine, downsides are, all state is owned by syncthing and could be read by the guests syncthing + + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-plain"; + +in { + imports = [ + + + ]; + + services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/containers/${cname}/var/state" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = true; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! 
ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} + diff --git a/lass/2configs/green-hosts/plain.nix b/lass/2configs/green-hosts/plain.nix new file mode 100644 index 000000000..58f54b748 --- /dev/null +++ b/lass/2configs/green-hosts/plain.nix 
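Review bot: The header already admits the weakness of this variant: `krebs.permown` hands every file under `/var/lib/containers/green-plain/var/state` to the `syncthing` user with `u+rw`/`u+rwx`, so anything the guest writes into `/var/state` (including whatever `nixos-rebuild` places under the `/var/src` symlink) is readable by that uid on the host and by the guest's syncthing on every peer, and nothing enforces that no secret ends up there. If this variant is kept, make the constraint explicit in the header, e.g. `# do not keep secrets under /var/state: every file is owned and readable by the syncthing uid on all peers`, or prefer one of the encrypted variants. `keepGoing = true` here versus `false` in the ecryptfs and securefs files also deserves a one-line reason.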
@@ -0,0 +1,87 @@ +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-plain"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/containers/${cname}/var/state" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = true; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! 
ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} + diff --git a/lass/2configs/green-hosts/securefs.nix b/lass/2configs/green-hosts/securefs.nix new file mode 100644 index 000000000..a69cfe6ca --- /dev/null +++ b/lass/2configs/green-hosts/securefs.nix 
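Review bot: This file is the permown variant plus `programs.fuse.userAllowOther = true;` and minus any status header, and it declares the same `containers.green-plain`, the same `hostAddress`/`localAddress` `10.233.2.15`/`10.233.2.16` and the same `start-green-plain`/`stop-green-plain` binaries as `plain-bindfs.nix` and `plain-permown.nix`, so importing more than one of the three into a host is unlikely to merge cleanly. Add a header stating what this variant is for and the one-at-a-time rule, e.g. `# baseline variant: permown only, no FUSE layer; import at most one file from green-hosts/`. `userAllowOther` is unused here because this file sets up no FUSE mount.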
@@ -0,0 +1,101 @@ +# broken, muchsync cant sync into the folders which should be handles by bindfs +# ls -la also does not show the full directory permissions +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/securefs" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/sync-containers/${cname}/securefs" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = false; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + if ! mount | grep -q 'securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then + if ! 
${pkgs.securefs}/bin/securefs info /var/lib/sync-containers/${cname}/securefs; then + ${pkgs.securefs}/bin/securefs create --format 4 /var/lib/sync-containers/${cname}/securefs + fi + + ${pkgs.securefs}/bin/securefs mount -b \ + -o allow_other -o default_permissions \ + --log /var/lib/sync-containers/${cname}/securefs.log \ + /var/lib/sync-containers/${cname}/securefs /var/lib/containers/${cname}/var/state + fi + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + umount /var/lib/containers/${cname}/var/state + '') + ]; +} + -- cgit v1.2.3 From ba79c70bbdd357e9c97306beeb181645bad03219 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:57:38 +0200 Subject: l telegraf: update config --- lass/2configs/monitoring/telegraf.nix | 175 ++++++++++++++++++++++++++-------- 1 file changed, 133 insertions(+), 42 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/monitoring/telegraf.nix b/lass/2configs/monitoring/telegraf.nix index 5258b87ed..b172b9c62 100644 --- a/lass/2configs/monitoring/telegraf.nix +++ b/lass/2configs/monitoring/telegraf.nix 
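Review bot: `start-green` mounts with `securefs mount -b`, which by its flag name backgrounds the daemon and returns at once, and the very next statement starts the container, so `nixos-container start green` can race the FUSE mount and see an empty `/var/lib/containers/green/var/state`. Wait for the mount before starting, e.g. `until ${pkgs.util-linux}/bin/mountpoint -q /var/lib/containers/green/var/state; do sleep 1; done`, and use the same `mountpoint -q` test at the top instead of grepping `mount` output. `securefs create` and `securefs mount` are invoked without any password source, so the scripts only work interactively; a comment next to them saying the passphrase is prompted for would spare the next reader a surprise when running them from a unit.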
@@ -1,60 +1,127 @@ -{ config, lib, pkgs, ... }: +{ pkgs, lib, config, ... }: +# To use this module you also need to allow port 9273 either on the internet or on a vpn interface +# i.e. networking.firewall.interfaces."vpn0".allowedTCPPorts = [ 9273 ]; +# Example prometheus alert rules: +# - https://github.com/Mic92/dotfiles/blob/master/nixos/eva/modules/prometheus/alert-rules.nix let isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules; -in { + # potentially wrong if the nvme is not used at boot... + hasNvme = lib.any (m: m == "nvme") config.boot.initrd.availableKernelModules; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 9273"; target = "ACCEPT"; } - ]; + ipv6DadCheck = pkgs.writeShellScript "ipv6-dad-check" '' + ${pkgs.iproute2}/bin/ip --json addr | \ + ${pkgs.jq}/bin/jq -r 'map(.addr_info) | flatten(1) | map(select(.dadfailed == true)) | map(.local) | @text "ipv6_dad_failures count=\(length)i"' + ''; - systemd.services.telegraf.path = [ pkgs.nvme-cli ]; + zfsChecks = lib.optional + (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) + (pkgs.writeScript "zpool-health" '' + #!${pkgs.gawk}/bin/awk -f + BEGIN { + while ("${pkgs.zfs}/bin/zpool status" | getline) { + if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 } + if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } + if ($1 ~ /errors:/) { + if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 + } + } + } + ''); + + nfsChecks = + let + collectHosts = shares: fs: + if builtins.elem fs.fsType [ "nfs" "nfs3" "nfs4" ] + then + shares + // ( + let + # also match ipv6 addresses + group = builtins.match "\\[?([^\]]+)]?:([^:]+)$" fs.device; + host = builtins.head group; + path = builtins.elemAt group 1; + in + { + ${host} = (shares.${host} or [ ]) ++ [ path ]; + } + ) + else shares; + nfsHosts = lib.foldl collectHosts { } (builtins.attrValues config.fileSystems); + in + lib.mapAttrsToList + ( + 
host: args: + (pkgs.writeScript "nfs-health" '' + #!${pkgs.gawk}/bin/awk -f + BEGIN { + for (i = 2; i < ARGC; i++) { + mounts[ARGV[i]] = 1 + } + while ("${pkgs.nfs-utils}/bin/showmount -e " ARGV[1] | getline) { + if (NR == 1) { continue } + if (mounts[$1] == 1) { + printf "nfs_export,host=%s,path=%s present=1\n", ARGV[1], $1 + } + delete mounts[$1] + } + for (mount in mounts) { + printf "nfs_export,host=%s,path=%s present=0\n", ARGV[1], $1 + } + } + '') + + " ${host} ${builtins.concatStringsSep " " args}" + ) + nfsHosts; + +in +{ + + systemd.services.telegraf.path = lib.optional (!isVM && hasNvme) pkgs.nvme-cli; services.telegraf = { enable = true; extraConfig = { agent.interval = "60s"; inputs = { - http_response = [ - { urls = [ - "http://localhost:8080/about/health/" - ]; } + prometheus.urls = lib.mkIf config.services.promtail.enable [ + # default promtail port + "http://localhost:9080/metrics" ]; prometheus.metric_version = 2; kernel_vmstat = { }; - # smart = lib.mkIf (!isVM) { - # path = pkgs.writeShellScript "smartctl" '' - # exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" - # ''; - # }; + nginx.urls = lib.mkIf config.services.nginx.statusPage [ + "http://localhost/nginx_status" + ]; + smart = lib.mkIf (!isVM) { + path_smartctl = pkgs.writeShellScript "smartctl" '' + exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" + ''; + }; system = { }; mem = { }; - file = [{ - data_format = "influx"; - file_tag = "name"; - files = [ "/var/log/telegraf/*" ]; - }] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { - name_override = "ext4_errors"; - files = [ "/sys/fs/ext4/*/errors_count" ]; - data_format = "value"; - }; - exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) { - ## Commands array - commands = [ - (pkgs.writeScript "zpool-health" '' - #!${pkgs.gawk}/bin/awk -f - BEGIN { - while ("${pkgs.zfs}/bin/zpool status" | getline) { - if ($1 ~ /pool:/) { printf 
"zpool_status,name=%s ", $2 } - if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } - if ($1 ~ /errors:/) { - if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 - } - } - } - '') - ]; - data_format = "influx"; - }; + file = + [ + { + data_format = "influx"; + file_tag = "name"; + files = [ "/var/log/telegraf/*" ]; + } + ] + ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { + name_override = "ext4_errors"; + files = [ "/sys/fs/ext4/*/errors_count" ]; + data_format = "value"; + }; + exec = [ + { + ## Commands array + commands = + [ ipv6DadCheck ] + ++ zfsChecks + ++ nfsChecks; + data_format = "influx"; + } + ]; systemd_units = { }; swap = { }; disk.tagdrop = { @@ -62,6 +129,11 @@ in { device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ]; }; diskio = { }; + zfs = { + poolMetrics = true; + }; + } // lib.optionalAttrs (if lib.versionAtLeast (lib.versions.majorMinor lib.version) "23.11" then config.boot.swraid.enable else config.boot.initrd.services.swraid.enable) { + mdstat = { }; }; outputs.prometheus_client = { listen = ":9273"; @@ -69,4 +141,23 @@ in { }; }; }; + security.sudo.extraRules = lib.mkIf (!isVM) [ + { + users = [ "telegraf" ]; + commands = [ + { + command = "${pkgs.smartmontools}/bin/smartctl"; + options = [ "NOPASSWD" ]; + } + ]; + } + ]; + # avoid logging sudo use + security.sudo.configFile = '' + Defaults:telegraf !syslog,!pam_session + ''; + # create dummy file to avoid telegraf errors + systemd.tmpfiles.rules = [ + "f /var/log/telegraf/dummy 0444 root root - -" + ]; } -- cgit v1.2.3 From 77b8c837c5e9a5217e829ae2976a37e691a291b5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:58:42 +0200 Subject: l coms proxy: ipforward ports --- lass/2configs/services/coms/proxy.nix | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/services/coms/proxy.nix b/lass/2configs/services/coms/proxy.nix index e8555f9b7..fd7b36ca8 100644 
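Review bot: In the `nfs-health` awk script the final loop `for (mount in mounts) { printf "nfs_export,host=%s,path=%s present=0\n", ARGV[1], $1 }` prints `$1`, which at that point still holds the first field of the last `showmount` line, not the missing export, so every `present=0` sample carries the wrong (or an empty) path; it should be `printf "nfs_export,host=%s,path=%s present=0\n", ARGV[1], mount`. The removed `-i retiolum --dport 9273` iptables rule leaves `outputs.prometheus_client.listen = ":9273"` bound on all interfaces with exposure decided elsewhere, as the new header comment says; worth a `# metrics port is NOT firewalled by this module` reminder right at the `listen` line rather than only at the top. The `services.telegraf.extraConfig.inputs` attrset continues past the end of this hunk.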
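Review bot: The new sudo rule lets the `telegraf` user run `${pkgs.smartmontools}/bin/smartctl` as root with arbitrary arguments (`path_smartctl` passes `"$@"` straight through), and `Defaults:telegraf !syslog,!pam_session` switches off syslog for exactly that account, so a compromised telegraf could issue drive-modifying smartctl commands (toggling SMART features, starting self-tests) with no audit trail. If the per-minute session noise is the concern keep only `Defaults:telegraf !pam_session` and leave syslog on, and consider narrowing the rule to the argument forms the smart input actually issues (`--scan` and `-a`/`-x` style queries — confirm against the plugin). A comment above `security.sudo.extraRules` stating why root is needed (`# smartctl needs raw device access; telegraf's smart input calls it via path_smartctl`) would document the trade-off.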
--- a/lass/2configs/services/coms/proxy.nix +++ b/lass/2configs/services/coms/proxy.nix @@ -21,14 +21,13 @@ in proxy_pass ${target}:${toString port}; } '') tcpports} - ${lib.concatMapStringsSep "\n" (port: '' - server { - listen ${toString port} udp; - proxy_pass ${target}:${toString port}; - } - '') udpports} ''; + krebs.iptables.tables.nat.PREROUTING.rules = lib.flatten (map (port: [ + { predicate = "-p udp --dport ${toString port}"; target = "DNAT --to-destination ${config.krebs.hosts.orange.nets.retiolum.ip4.addr}:${toString port}"; v6 = false; } + { predicate = "-p udp --dport ${toString port}"; target = "DNAT --to-destination [${config.krebs.hosts.orange.nets.retiolum.ip6.addr}]:${toString port}"; v4 = false; } + ]) udpports); + services.nginx.virtualHosts."jitsi.lassul.us" = { enableACME = true; acmeFallbackHost = "${target}"; @@ -36,7 +35,7 @@ in locations."/" = { recommendedProxySettings = true; proxyWebsockets = true; - proxyPass = "http://${target}"; + proxyPass = "https://${target}"; }; }; } -- cgit v1.2.3 From 541cfbe3a2544ec74cee6c9b24b1a86051688414 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:59:38 +0200 Subject: l radio news: add debug outputs --- lass/2configs/services/radio/news.nix | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/services/radio/news.nix b/lass/2configs/services/radio/news.nix index 62f7f548c..a9cddb62a 100644 --- a/lass/2configs/services/radio/news.nix +++ b/lass/2configs/services/radio/news.nix @@ -122,10 +122,9 @@ in ''}''; }; - ## debug - # environment.systemPackages = [ - # weather_report - # send_to_radio - # newsshow - # ]; + # debug + environment.systemPackages = [ + send_to_radio + newsshow + ]; } -- cgit v1.2.3 From 45c3e165c96efa0148ddedffd50f508d7dae6093 Mon Sep 17 00:00:00 2001 
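Review bot: The DNAT rules added to `krebs.iptables.tables.nat.PREROUTING` only rewrite the destination of inbound UDP on `udpports`; for the packets to reach orange over retiolum this host also needs IP forwarding enabled, a matching `filter.FORWARD` ACCEPT, and a return path (replies leaving orange via this host or a source NAT here), none of which appears in this hunk — if they are configured elsewhere a comment pointing there would help, otherwise the UDP ports are silently dead. The predicates also carry no `-i` match, so they rewrite traffic arriving on every interface including retiolum itself; `-i <public-iface> -p udp --dport …` would scope them. With the `nginx stream` TCP proxies kept, the TCP and UDP paths now differ in whether the backend sees the client's source address (DNAT preserves it, the stream proxy connects from this host unless proxy_protocol is used), which jitsi may care about for the media ports.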
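Review bot: Switching `proxyPass` to `https://${target}` does not by itself authenticate the backend — nginx's `proxy_ssl_verify` defaults to off — so the TLS hop to `target` is unverified and the only gain is confidentiality on the wire. If that hop crosses anything but a trusted overlay, add to the location `extraConfig = "proxy_ssl_verify on; proxy_ssl_trusted_certificate <ca-bundle>; proxy_ssl_server_name on;"` (with the backend's CA), or add a comment saying the link is retiolum-only and verification is deliberately skipped; the `target` binding is defined above this hunk and is not visible here.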
From: lassulus Date: Sun, 3 Sep 2023 11:59:53 +0200 Subject: l radio: add watcher --- lass/2configs/services/radio/default.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/services/radio/default.nix b/lass/2configs/services/radio/default.nix index 5accfe360..5a10b5578 100644 --- a/lass/2configs/services/radio/default.nix +++ b/lass/2configs/services/radio/default.nix @@ -104,6 +104,22 @@ in { print_current ]; + + systemd.services.radio_watcher = { + wantedBy = [ "multi-user.target" ]; + after = [ "radio.service" ]; + serviceConfig = { + ExecStart = pkgs.writers.writeDash "radio_watcher" '' + set -efux + while :; do + ${pkgs.curl}/bin/curl -Ss http://localhost:8000/radio.ogg -o /dev/null + ${pkgs.systemd}/bin/systemctl restart radio + sleep 60 + done + ''; + }; + }; + services.liquidsoap.streams.radio = ./radio.liq; systemd.services.radio = { environment = { @@ -124,6 +140,7 @@ in { }; path = [ pkgs.yt-dlp + pkgs.bubblewrap ]; serviceConfig.User = lib.mkForce "radio"; }; @@ -163,6 +180,7 @@ in { filter.INPUT.rules = [ { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; } { predicate = "-i retiolum -p tcp --dport 8001"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 8002"; target = "ACCEPT"; } ]; }; }; -- cgit v1.2.3 From d0422e3b64403cdcc2acd68e432a3671a6f6a502 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:00:44 +0200 Subject: l websites: add flix.lassul.us --- lass/2configs/websites/default.nix | 2 -- lass/2configs/websites/flix.lassul.us.nix | 13 +++++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 lass/2configs/websites/flix.lassul.us.nix (limited to 'lass/2configs') diff --git a/lass/2configs/websites/default.nix b/lass/2configs/websites/default.nix index ebf4d8345..f74845a56 100644 --- a/lass/2configs/websites/default.nix +++ b/lass/2configs/websites/default.nix 
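Review bot: `radio_watcher` runs its loop under `set -efux` with no `Restart=` in `serviceConfig`, so the first time `curl -Ss http://localhost:8000/radio.ogg` exits non-zero (connection refused while `radio` is down or restarting — exactly when the watcher is needed) the `-e` kills the loop before `systemctl restart radio` and the unit stays dead. The design appears to be "curl blocks while the stream is alive, restart when it ends"; make the curl failure non-fatal, `${pkgs.curl}/bin/curl -Ss http://localhost:8000/radio.ogg -o /dev/null || true`, and add `serviceConfig.Restart = "always";` so the watcher survives its own errors. A short comment above the loop stating that the blocking curl is the liveness probe would make this readable, and note that without a timeout it never catches a stream that is up but silent.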
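Review bot: The added rule `{ predicate = "-i retiolum -p tcp --dport 8002"; target = "ACCEPT"; }` opens a port for which nothing in this diff listens; if it belongs to an input defined in `radio.liq` or another file, a trailing comment naming the listener (`# liquidsoap <input> on 8002`) keeps the firewall list self-explanatory, otherwise the rule should not land with this commit. The `filter.INPUT.rules` list begins above this hunk.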
@@ -1,7 +1,5 @@ { config, lib, ... }: -with import ; - { services.nginx = { enable = true; diff --git a/lass/2configs/websites/flix.lassul.us.nix b/lass/2configs/websites/flix.lassul.us.nix new file mode 100644 index 000000000..27a7f75e8 --- /dev/null +++ b/lass/2configs/websites/flix.lassul.us.nix @@ -0,0 +1,13 @@ +{ config, pkgs, ... }: +{ + services.nginx.virtualHosts."flix.lassul.us" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://yellow.r:8096"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; +} + -- cgit v1.2.3 From 8edd78c98273812a1239ab95af93f8c3d9664065 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:01:41 +0200 Subject: l bitlbee: move to statedir --- lass/2configs/bitlbee.nix | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix index 84f06e587..43573d893 100644 --- a/lass/2configs/bitlbee.nix +++ b/lass/2configs/bitlbee.nix @@ -15,18 +15,20 @@ with (import ); # pkgs.tdlib-purple # pkgs.purple-gowhatsapp ]; + configDir = "/var/state/bitlbee"; }; - users.users.bitlbee = { - uid = genid_uint31 "bitlbee"; - isSystemUser = true; - group = "bitlbee"; - }; - users.groups.bitlbee = {}; - systemd.services.bitlbee.serviceConfig = { - DynamicUser = lib.mkForce false; - User = "bitlbee"; - StateDirectory = lib.mkForce null; + ExecStartPre = [ + "+${pkgs.writeDash "setup-bitlbee" '' + ${pkgs.coreutils}/bin/chown bitlbee:bitlbee /var/state/bitlbee || : + ''}" + ]; + ReadWritePaths = [ + "/var/state/bitlbee" + ]; }; + systemd.tmpfiles.rules = [ + "d /var/state/bitlbee 0700 - - -" + ]; } -- cgit v1.2.3 From 2dbabb06849bfe7054e1da2bef85acf5919df6d7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:01:55 +0200 Subject: l browsers: use ff devedition --- lass/2configs/browsers.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') 
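Review bot: The new vhost has no comment on what `yellow.r:8096` serves or which network carries the plaintext hop behind `forceSSL`; the `.r` suffix suggests retiolum, but the file does not say. A one-line header such as `# flix.lassul.us: TLS front for the service on yellow.r:8096; backend hop is plaintext over retiolum (confirm)` would record the trust assumption for the next reader. Because this is a public hostname, the backend's own login is the only access control, which is worth stating explicitly if intended.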
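Review bot: The `|| :` on `chown bitlbee:bitlbee /var/state/bitlbee` in `ExecStartPre` hides the one step that makes the state directory usable: the tmpfiles rule `d /var/state/bitlbee 0700 - - -` creates it root-owned, so if the chown fails bitlbee starts against a directory it cannot write to and nothing reports it. Drop the `|| :` so the unit fails visibly, or replace it with an explicit message and `exit 1`. Removing `users.users.bitlbee` and the `DynamicUser = false` override presumably returns the service to `DynamicUser`, which is why a per-start chown is needed at all; a comment like `# DynamicUser: uid may differ per start, re-own the state dir` would stop a later cleanup from deleting it. 0700 on the directory is right given that `configDir` holds bitlbee's account configuration.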
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index ea6fb644b..92ee8e30f 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -3,6 +3,6 @@ programs.firefox.nativeMessagingHosts.tridactyl = true; environment.variables.BROWSER = "${pkgs.firefox}/bin/firefox"; environment.systemPackages = [ - pkgs.firefox + pkgs.firefox-devedition ]; } -- cgit v1.2.3 From 600085425b8ee8268258eda2d0d3d10566850b45 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:02:06 +0200 Subject: l c-base: use different subnet --- lass/2configs/c-base.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/c-base.nix b/lass/2configs/c-base.nix index a8dd3dd1d..c9ad8cf68 100644 --- a/lass/2configs/c-base.nix +++ b/lass/2configs/c-base.nix @@ -17,7 +17,7 @@ in { }; routes = [ { routeConfig = { - Destination = "10.0.1.0/24"; + Destination = "10.0.0.0/23"; Gateway = "172.31.77.1"; };} { routeConfig = { -- cgit v1.2.3 From 90ca326b590a6039bcc73a55c56ec2b3d52b6f6a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:02:32 +0200 Subject: l consul: remove raft_multiplier --- lass/2configs/consul.nix | 3 --- 1 file changed, 3 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/consul.nix b/lass/2configs/consul.nix index b8d925de5..67467364e 100644 --- a/lass/2configs/consul.nix +++ b/lass/2configs/consul.nix @@ -17,9 +17,6 @@ # try to fix random lock loss on leader reelection retry_interval = "3s"; - performance = { - raft_multiplier = 8; - }; }; }; -- cgit v1.2.3 From eb00c6b977986dffbf2063a624a654438a5d354e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:04:27 +0200 Subject: l exim-smarthost: fix ssl for mail.lassul.us --- lass/2configs/exim-smarthost.nix | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) (limited to 'lass/2configs') 
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index cb9abd43a..2a3a6b1e5 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -14,18 +14,22 @@ in { dkim = [ { domain = "lassul.us"; } ]; + ssl_cert = "/var/lib/acme/mail.lassul.us/fullchain.pem"; + ssl_key = "/var/lib/acme/mail.lassul.us/key.pem"; primary_hostname = "lassul.us"; sender_domains = [ "lassul.us" ]; relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [ + config.krebs.hosts.aergia config.krebs.hosts.blue config.krebs.hosts.coaxmetal config.krebs.hosts.green config.krebs.hosts.mors config.krebs.hosts.xerxes ]; - internet-aliases = map (from: { inherit from to; }) mails; + internet-aliases = map (from: { inherit from to; }) mails ++ [ + ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } { from = "postmaster"; to = "root"; } @@ -45,4 +49,14 @@ in { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } ]; + + security.acme.certs."mail.lassul.us" = { + group = "lasscert"; + webroot = "/var/lib/acme/acme-challenge"; + }; + users.groups.lasscert.members = [ + "dovecot2" + "exim" + "nginx" + ]; } -- cgit v1.2.3 From 42080b5a394d923f9098da1fdcb353e788dcf122 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:04:51 +0200 Subject: l fysiirc: update code --- lass/2configs/fysiirc.nix | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/fysiirc.nix b/lass/2configs/fysiirc.nix index 809298df4..b2912d894 100644 --- a/lass/2configs/fysiirc.nix +++ b/lass/2configs/fysiirc.nix 
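Review bot: Adding `nginx` to `users.groups.lasscert.members` gives nginx read access to the mail.lassul.us private key, while the HTTP-01 challenge only needs nginx to serve `/var/lib/acme/acme-challenge`; unless a vhost terminates HTTPS for mail.lassul.us, drop `nginx` from the group so only `exim` and `dovecot2` can read `key.pem`. Nothing reloads the consumers after renewal: exim, as far as I know, reads `ssl_cert`/`ssl_key` at connection time, but dovecot normally needs a reload, so consider `reloadServices = [ "dovecot2.service" ];` on the cert. The `++ [ ]` appended to `internet-aliases` in the first hunk is an empty append that either wants a comment on what it is reserved for or can go.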
@@ -1,13 +1,13 @@ { config, lib, pkgs, ... }: let format-github-message = pkgs.writeDashBin "format-github-message" '' - set -xefu + set -efu export PATH=${lib.makeBinPath [ pkgs.jq ]} INPUT=$(jq -c .) - if $(echo "$INPUT" | jq 'has("issue") or has("pull_request")'); then - ${write_to_irc} "$(echo "$INPUT" | jq -r ' + if $(printf '%s' "$INPUT" | jq 'has("issue") or has("pull_request")'); then + ${write_to_irc} "$(printf '%s' "$INPUT" | jq -r ' "\(.action): " + "[\(.issue.title // .pull_request.title)] " + "\(.comment.html_url // .issue.html_url // .pull_request.html_url) " @@ -57,16 +57,7 @@ in { case "$Method $Request_URI" in "POST /") payload=$(head -c "$req_content_length") - raw=$(printf '%s' "$payload" | ${pkgs.curl}/bin/curl --data-binary @- http://p.krebsco.de | tail -1) - payload2=$payload - payload2=$(printf '%s' "$payload" | tr '\n' ' ' | tr -d '\r') - if [ "$payload" != "$payload2" ]; then - echo "payload has been mangled" >&2 - else - echo "payload not mangled" >&2 - fi - echo "$payload2" | ${format-github-message}/bin/format-github-message - ${write_to_irc} "$raw" + printf '%s' "$payload" | ${format-github-message}/bin/format-github-message printf 'HTTP/1.1 200 OK\r\n' printf 'Connection: close\r\n' printf '\r\n' -- cgit v1.2.3 From f0ab828e1ab90826f24aa4b4b2ef02650f824139 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:05:08 +0200 Subject: l gc: disable on aergia --- lass/2configs/gc.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix index 224a6cbb9..d56e95368 100644 --- a/lass/2configs/gc.nix +++ b/lass/2configs/gc.nix 
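Review bot: The `POST /` branch still pipes whatever body arrives straight into `format-github-message` and on to IRC, and neither hunk shows a check of GitHub's `X-Hub-Signature-256` header, so anyone who can reach this endpoint can post arbitrary JSON and have it announced in the channel. If a webhook secret is configured on the GitHub side, read that header next to `req_content_length` and compare it with an HMAC-SHA256 of `$payload` (e.g. via `openssl dgst -sha256 -hmac "$SECRET"`) before the pipe; if the check already lives outside this hunk, a comment at the `case` saying so would save the search. Titles and comment bodies from the payload reach `write_to_irc` via `jq -r`, so a `\n` or `\r` in them would become an extra IRC line unless `write_to_irc` strips control characters — not visible here. Dropping `-x` from `set -xefu` in the first hunk stops the full payload from being traced into the journal, which is welcome; the request handler starts and ends outside the hunk.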
@@ -3,7 +3,7 @@ with import ; { nix.gc = { - automatic = ! (elem config.krebs.build.host.name [ "mors" "xerxes" "coaxmetal" ] || config.boot.isContainer); + automatic = ! (elem config.krebs.build.host.name [ "aergia" "mors" "xerxes" "coaxmetal" ] || config.boot.isContainer); options = "--delete-older-than 15d"; }; } -- cgit v1.2.3 From de6d5adcc55240d7af7da5473e07efdda4f13368 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:05:22 +0200 Subject: l gg23: add static lease for printer --- lass/2configs/gg23.nix | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix index b35b0cb85..bb38f1f90 100644 --- a/lass/2configs/gg23.nix +++ b/lass/2configs/gg23.nix @@ -39,6 +39,14 @@ with import ; # IPv6SendRA = "yes"; # DHCPPrefixDelegation = "yes"; }; + dhcpServerStaticLeases = [ + { + dhcpServerStaticLeaseConfig = { + Address = "10.42.0.4"; + MACAddress = "3c:2a:f4:22:28:37"; + }; + } + ]; }; networking.networkmanager.unmanaged = [ "int0" ]; krebs.iptables.tables.filter.INPUT.rules = [ -- cgit v1.2.3 From 2395c9c0261d043027798d53962c75ccc630da82 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:05:39 +0200 Subject: l git-brain: use not used krebs-secrets repo --- lass/2configs/git-brain.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/git-brain.nix b/lass/2configs/git-brain.nix index f4d1a27cd..d4ce263ef 100644 --- a/lass/2configs/git-brain.nix +++ b/lass/2configs/git-brain.nix @@ -7,7 +7,6 @@ let krebs-repos = mapAttrs make-krebs-repo { brain = { }; - krebs-secrets = { }; }; -- cgit v1.2.3 From 48e371a59786ba235f7421fcea71f91d9a7e1b32 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:06:05 +0200 Subject: l gsm-wiki: add c3gsm.de vhost --- lass/2configs/gsm-wiki.nix | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'lass/2configs') 
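Review bot: The new static lease is a bare MAC/IP pair with nothing saying which device it is; the commit subject says printer, but the file will not. A `# printer` comment above `Address = "10.42.0.4";` keeps the table readable once more entries appear. The DHCP pool range is outside the hunk, so whether 10.42.0.4 is excluded from dynamic allocation cannot be checked here.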
diff --git a/lass/2configs/gsm-wiki.nix b/lass/2configs/gsm-wiki.nix index 69508a155..77b944ef8 100644 --- a/lass/2configs/gsm-wiki.nix +++ b/lass/2configs/gsm-wiki.nix @@ -12,6 +12,14 @@ ''; }; + services.nginx.virtualHosts."c3gsm.de" = { + forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + root /srv/http/c3gsm.de; + ''; + }; + users.users.c3gsm-docs = { isNormalUser = true; home = "/srv/http/docs.c3gsm.de"; @@ -23,4 +31,16 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlW1fvCrVXhVH/z76fXBWYR/qyecYTE9VOOkFLJ6OwG user@osmocom-dev" ]; }; + + users.users.c3gsm = { + isNormalUser = true; + home = "/srv/http/c3gsm.de"; + createHome = true; + homeMode = "750"; + useDefaultShell = true; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlW1fvCrVXhVH/z76fXBWYR/qyecYTE9VOOkFLJ6OwG user@osmocom-dev" + ]; + }; } -- cgit v1.2.3 From be4121f52602efe241d66a67a985fd91bec393b5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:06:28 +0200 Subject: l hfos: try multi ips --- lass/2configs/hfos.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix index 9dafe086c..05bea9a09 100644 --- a/lass/2configs/hfos.nix +++ b/lass/2configs/hfos.nix @@ -1,7 +1,8 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: let -with import ; -{ + vmip = "192.168.122.208"; + +in { users.users.riot = { uid = genid "riot"; isNormalUser = true; @@ -11,7 +12,7 @@ with import ; ]; }; - networking.interfaces.et0.ip4 = [ + networking.interfaces."eth0:0".ip4 = [ { address = "213.239.205.246"; prefixLength = 24; -- cgit v1.2.3 From 0b77e8722379e8b47b375b7621be923b2b6267ee Mon Sep 17 00:00:00 2001 
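Review bot: The new `c3gsm` account authorizes the exact `ssh-ed25519 … user@osmocom-dev` key that `c3gsm-docs` already has, so one key now grants write access to two web roots; if that is intended, bind it once in a `let` (e.g. `osmocomKey = "ssh-ed25519 …";`) and reference it from both users so they cannot silently diverge, with a comment on why one key maps to two accounts. `group = "nginx"` as the primary group together with `homeMode = "750"` is what lets nginx read the site; that deserves a one-line comment too. In the first hunk `root` is set inside `locations."/".extraConfig`, so it only applies to that location; `root = "/srv/http/c3gsm.de";` at the vhost level is the form nginx recommends and keeps any further locations consistent.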
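Review bot: The hunk removes the `with import …;` line (its path is stripped in this rendering) while the unchanged context below still evaluates `uid = genid "riot";`, so unless `genid` is now bound elsewhere in the file the expression no longer evaluates. Either keep the `with` or bind it in the new `let`, e.g. `inherit (import <the same lib path>) genid;`. `vmip = "192.168.122.208"` is bound but unused inside both hunks; a comment on what consumes it, or dropping it until something does, would help. The `"eth0:0"` alias-style name used for `networking.interfaces` in the second hunk is an unusual form; confirm the module accepts it on this host.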
From: lassulus Date: Sun, 3 Sep 2023 12:07:00 +0200 Subject: l home-media: add mpvd --- lass/2configs/home-media.nix | 78 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 73 insertions(+), 5 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/home-media.nix b/lass/2configs/home-media.nix index f3908e6be..1f7c3fcb5 100644 --- a/lass/2configs/home-media.nix +++ b/lass/2configs/home-media.nix @@ -1,12 +1,34 @@ with import ; { pkgs, ... }: { + imports = [ + ./mpv.nix + ]; users.users.media = { isNormalUser = true; uid = genid_uint31 "media"; extraGroups = [ "video" "audio" "pipewire" ]; + packages = [ + (pkgs.writers.writeDashBin "mpv" '' + if test -e "$1"; then + mpv-ipc-cli loadfile "$(realpath "$1")" + else + mpv-ipc-cli loadfile "$1" + fi + '') + ]; }; + users.users.mainUser.packages = [ + (pkgs.writers.writeDashBin "mpv" '' + if test -e "$1"; then + mpv-ipc-cli loadfile "$(realpath "$1")" + else + mpv-ipc-cli loadfile "$1" + fi + '') + ]; + services.xserver.displayManager.autoLogin = { enable = true; user = "media"; @@ -17,12 +39,12 @@ with import ; load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;10.42.0.0/24 auth-anonymous=1 ''; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 4713"; target = "ACCEPT"; } # pulseaudio - ]; - environment.systemPackages = [ - (pkgs.writers.writeDashBin "snapmpv" '' + (pkgs.writers.writeDashBin "mpv-ipc-cli" '' + set -efux + ${pkgs.jq}/bin/jq -nc '{ "command": $ARGS.positional }' --args "$@" | ${pkgs.socat}/bin/socat - /tmp/mpv.ipc + '') + (pkgs.writers.writeDashBin "ipc-mpv" '' /run/current-system/sw/bin/mpv \ --audio-display=no --audio-channels=stereo \ --audio-samplerate=48000 --audio-format=s16 \ 
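Review bot: The hunk removes the `--dport 4713` ACCEPT while the `load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;10.42.0.0/24 auth-anonymous=1` context line still publishes PulseAudio on TCP with anonymous auth; if the INPUT policy is drop, the 10.42.0.0/24 clients that ACL was written for can no longer connect, and if the port is opened elsewhere the ACL still exposes an unauthenticated sink to the whole LAN. Either drop the module line too or keep the rule and note where the port is opened, e.g. `# 4713/tcp opened in <file>; ACL limits it to the home LAN`. The `mpv` wrapper is defined twice in the first hunk (for `media` and `mainUser`) with identical bodies; a single `let` binding would keep them in step.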
@@ -30,5 +52,51 @@ with import ; --audio-delay=-1 \ "$@" '') + pkgs.mpvc + (pkgs.writers.writeDashBin "iptv" '' + curl -Ssf 'https://iptv-org.github.io/iptv/index.nsfw.m3u' | + sed 's/.*,//' | + sed -z 's/\nhttp/,http/g' | + fzf --bind='enter:execute(echo {} | cut -d ',' -f 2 | xargs -0 mpv-ipc-cli loadfile)' + '') ]; + + environment.variables.SOCKET = "/tmp/mpv.ipc"; + systemd.services.mpvd = { + wantedBy = [ "multi-user.target" ]; + environment.DISPLAY = ":0"; + serviceConfig = { + User = "media"; + RemainAfterExit = true; + Nice = "-10"; + ExecStart = ''${pkgs.tmux}/bin/tmux -2 new-session -d -s mpvd -- /run/current-system/sw/bin/ipc-mpv \ + --audio-display=no --audio-channels=stereo \ + --audio-samplerate=48000 --audio-format=s16 \ + --ao-pcm-file=/run/snapserver/snapfifo --ao=pcm \ + --audio-delay=-1 \ + --network-timeout=3 \ + --untimed --cache-pause=no \ + --idle=yes --force-window=yes \ + --loop-playlist=inf \ + --input-ipc-server=/tmp/mpv.ipc + ''; + ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t mpvd"; + ExecStartPre = [ + "+${pkgs.writers.writeDash "remove_socket" '' + set -efux + rm -f /tmp/mpv.ipc + ''}" + ]; + ExecStartPost = [ + "+${pkgs.writers.writeDash "fix_permissions" '' + set -efux + until test -e /tmp/mpv.ipc; do + sleep 1 + done + # sleep 2 + chmod 666 /tmp/mpv.ipc || : + ''}" + ]; + }; + }; } -- cgit v1.2.3 From 3ad34380669da711fb857a8dcc971d3abd5975a0 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:07:17 +0200 Subject: l matrix: add compression --- lass/2configs/matrix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/matrix.nix b/lass/2configs/matrix.nix index 1d6a8663e..7c4b645f2 100644 --- a/lass/2configs/matrix.nix +++ b/lass/2configs/matrix.nix @@ -25,7 +25,7 @@ with import ; } { names = [ "federation" ]; - compress = false; + compress = true; } ]; } -- cgit v1.2.3 From 0b547853c4dac101c691da4e4e79e745a90ef0f2 Mon Sep 17 00:00:00 2001 
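Review bot: `fix_permissions` runs as root and does `chmod 666 /tmp/mpv.ipc`, which lets every local account drive the IPC socket; mpv's JSON IPC accepts commands such as `run`, so, as far as I know, this amounts to any local user executing programs as `media`, and the fixed name in the shared `/tmp` can be pre-created by another user between the root `rm -f` and mpv's bind. Prefer `RuntimeDirectory = "mpvd"; RuntimeDirectoryMode = "0750"; UMask = "0007";` with `--input-ipc-server=/run/mpvd/mpv.ipc` (and the same path in `environment.variables.SOCKET`), add the intended callers to the `media` group, and drop the chmod. `until test -e /tmp/mpv.ipc; do sleep 1; done` has no bound, so a failed mpv start leaves `ExecStartPost` spinning and the unit stuck in activating; give it a retry limit. In `iptv`, `echo {} | cut … | xargs -0` hands `xargs -0` a newline-terminated line, so the trailing newline becomes part of the URL passed to `loadfile`; use `xargs -d '\n'` or strip it first. `curl`, `sed`, `fzf` and `xargs` in `iptv` are unqualified and depend on the caller's PATH, unlike the `${pkgs.…}` paths used by the other wrappers.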
From: lassulus Date: Sun, 3 Sep 2023 12:07:42 +0200 Subject: l minecraft: use firewall syntax --- lass/2configs/minecraft.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/minecraft.nix b/lass/2configs/minecraft.nix index 34da3047e..285a4552c 100644 --- a/lass/2configs/minecraft.nix +++ b/lass/2configs/minecraft.nix @@ -8,8 +8,6 @@ in { eula = true; package = unstable.minecraft-server; }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; } - { predicate = "-p udp --dport 25565"; target = "ACCEPT"; } - ]; + networking.firewall.allowedTCPPorts = [ 25565 ]; + networking.firewall.allowedUDPPorts = [ 25565 ]; } -- cgit v1.2.3 From a0274f6bbd36c16fb51a2d6ae6824e8cf576a876 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:08:09 +0200 Subject: l muchsync: don't sync blue --- lass/2configs/muchsync.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/muchsync.nix b/lass/2configs/muchsync.nix index 392970dbd..b6d8c5dbc 100644 --- a/lass/2configs/muchsync.nix +++ b/lass/2configs/muchsync.nix @@ -7,7 +7,6 @@ with (import ); "coaxmetal.r" "mors.r" "green.r" - "blue.r" ]; in { description = "sync mails"; -- cgit v1.2.3 From 5ead5cf6dd5f504459fce09adcc4db820d960eaf Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:08:39 +0200 Subject: l: add murmur.nix --- lass/2configs/murmur.nix | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 lass/2configs/murmur.nix (limited to 'lass/2configs') diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix new file mode 100644 index 000000000..3129fef50 --- /dev/null +++ b/lass/2configs/murmur.nix 
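Review bot: This file now opens 25565 through `networking.firewall.allowedTCPPorts`/`allowedUDPPorts`, while the other files in this series (murmur.nix, radio/default.nix, exim-smarthost.nix) keep adding rules via `krebs.iptables.tables.filter.INPUT.rules`; on a host where `networking.firewall.enable` is false in favour of krebs.iptables, these two lines open nothing and the server becomes unreachable. If the host really runs the stock firewall, a comment such as `# this host uses networking.firewall, not krebs.iptables` at the rules documents the split; otherwise keep the krebs rules. If the minecraft-server module's `openFirewall` option is in use on this host, the lines are redundant — not visible from here.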
@@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: +{ + services.murmur = { + enable = true; + allowHtml = false; + bandwidth = 10000000; + registerName = "lassul.us"; + autobanTime = 30; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} + { predicate = "-p udp --dport 64738"; target = "ACCEPT";} + ]; + + systemd.services.docker-mumble-web.serviceConfig = { + StandardOutput = lib.mkForce "journal"; + StandardError = lib.mkForce "journal"; + }; + virtualisation.oci-containers.containers.mumble-web = { + image = "rankenstein/mumble-web:0.5"; + environment = { + MUMBLE_SERVER = "lassul.us:64738"; + }; + ports = [ + "64739:8080" + ]; + }; + + services.nginx.virtualHosts."mumble.lassul.us" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:64739"; + proxyWebsockets = true; + }; + }; +} -- cgit v1.2.3 From 89328a48aaa7ccdd411786c60831d43d9feba2ad Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:09:18 +0200 Subject: l orange: add bindmount for /var/lib --- lass/2configs/orange-host.nix | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/orange-host.nix b/lass/2configs/orange-host.nix index e4bfcff89..6d82d8cc9 100644 --- a/lass/2configs/orange-host.nix +++ b/lass/2configs/orange-host.nix @@ -3,6 +3,10 @@ krebs.sync-containers3.containers.orange = { sshKey = "${toString }/orange.sync.key"; }; + containers.orange.bindMounts."/var/lib" = { + hostPath = "/var/lib/sync-containers3/orange/state"; + isReadOnly = false; + }; services.nginx.virtualHosts."lassul.us" = { # enableACME = config.security; # forceSSL = true; -- cgit v1.2.3 From c1b812509e476a445fcf3dc6e56bff2d0eed2d9c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:09:34 +0200 Subject: l pass: create pass symlink with tmpfilesd --- lass/2configs/pass.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lass/2configs') 
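Review bot: `ports = [ "64739:8080" ]` publishes the mumble-web container on all host interfaces, and with the docker backend a published port is reached through Docker's own FORWARD/DOCKER chains rather than INPUT, so the `krebs.iptables` INPUT rules in this file do not gate it; the plaintext web client would be reachable on :64739 from outside in addition to the TLS vhost. Bind it to loopback, `"127.0.0.1:64739:8080"`, since nginx on the same host (`proxyPass = "http://localhost:64739"`) is the only intended client. The image is pinned by tag only (`rankenstein/mumble-web:0.5`), which can be re-pushed upstream; pinning by `@sha256:` digest gives a reproducible, tamper-evident pull. Whether the oci backend here is docker or podman is not visible in this hunk.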
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix index 8ec3ac092..a52fe4afc 100644 --- a/lass/2configs/pass.nix +++ b/lass/2configs/pass.nix @@ -14,5 +14,8 @@ ]; programs.gnupg.agent.enable = true; + systemd.tmpfiles.rules = [ + "L+ /home/lass/.password-store - - - - sync/pwstore" + ]; } -- cgit v1.2.3 From fd5615dd2234b2e63850d8f509499a718fe53b2b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:09:51 +0200 Subject: l paste: try to fix CORS --- lass/2configs/paste.nix | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix index 87768a452..86f0dba15 100644 --- a/lass/2configs/paste.nix +++ b/lass/2configs/paste.nix @@ -10,8 +10,8 @@ with import ; proxy_pass http://127.0.0.1:${toString config.krebs.htgen.cyberlocker.port}; ''; extraConfig = '' - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header Access-Control-Allow-Origin * always; + add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS'; ''; }; services.nginx.virtualHosts.paste = { @@ -48,8 +48,8 @@ with import ; proxy_pass http://127.0.0.1:${toString config.krebs.htgen.cyberlocker.port}; ''; extraConfig = '' - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header Access-Control-Allow-Origin * always; + add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always; ''; }; services.nginx.virtualHosts."p.krebsco.de" = { @@ -57,6 +57,10 @@ with import ; addSSL = true; serverAliases = [ "p.krebsco.de" ]; locations."/".extraConfig = '' + if ($request_method = 'OPTIONS') { + return 204; + } + client_max_body_size 4G; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:${toString co
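Review bot: `L+` in the new tmpfiles rule removes and replaces whatever already exists at `/home/lass/.password-store`, a real directory included, so a host that still holds a non-symlinked store there loses it on the next boot; if that is not intended, the plain `L` verb (create only when absent) is the safer choice. The relative target `sync/pwstore` resolves against `/home/lass`, which is fine as long as the `sync` checkout is always present there; a comment such as `# pass store lives in the synced tree` would explain the link.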
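Review bot: The first hunk adds `always` to `Access-Control-Allow-Origin` only, while `Access-Control-Allow-Methods` keeps the default (2xx/3xx only); the second hunk puts `always` on both, so on error responses (e.g. a 413 from `client_max_body_size`) the first vhost emits an inconsistent CORS set. Add `always` to the `Access-Control-Allow-Methods` line in the first hunk as well. Wildcard origin with `POST` allowed means any site can upload to the paste from a visitor's browser; that is presumably the point of a public paste, but a `# public paste: cross-origin uploads are intended` comment would keep a future reader from "fixing" it. The p.krebsco.de hunk with the `OPTIONS -> 204` shortcut is cut off at the end of this view, so whether it sits before the proxy directives cannot be checked.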