Merge remote-tracking branch 'prism/master' into head

This commit is contained in:
tv 2023-03-02 09:20:37 +01:00
commit 03a9448a09
55 changed files with 1057 additions and 896 deletions


@ -21,7 +21,7 @@ rec {
60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" ) 60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" )
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
cgit CNAME ${config.krebs.hosts.prism.nets.internet.ip4.addr} cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
pad 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} pad 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
@ -38,6 +38,7 @@ rec {
mail 60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr} mail 60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr}
flix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} flix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
testing 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} testing 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
schrott 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
''; '';
}; };
nets = rec { nets = rec {


@ -51,24 +51,6 @@ in {
}; };
}; };
}; };
herbert = {
owner = config.krebs.users.mic92;
nets = rec {
retiolum = {
aliases = [ "herbert.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA7ZINr8YxVwHtcOR+ySpc9UjnJWsFXlOyu3CnrJ8IrY+mPA25UmNZ
stXd8QbJuxpad9HyPs294uW8UmXttEZzIwAlikVHasM5IQHVltudTTFvv7s3YFWd
/lgpHbo8zOA2mafx+Sr02Fy/lHjk6BTf8IOzdJIpUHZL/P+FUl9baBwGLmtbEvPh
fbvtf5QryBjJ9nRnb+wsPVpeFE/LncIMK/bYQsyE01T5QDu/muAaeYPbgm6FqaQH
OJ4oEHsarWBvU1qzgz/IRz0BHHeTrbbP3AG/glTwL02Z1mtTXSjME7cfk7ZRM5Cj
jXAqnqu2m1B08Kii+zYp4BPZDmPLT5gq+QIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
rauter = { rauter = {
owner = config.krebs.users.mic92; owner = config.krebs.users.mic92;
nets = rec { nets = rec {
@ -161,19 +143,20 @@ in {
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAt/dCDTvJU5jugP+5pk2CNM8X6cOnFonJv2eS253nsmKI97T9FSUa MIICCgKCAgEAvanhJvtvqnTGblOF9Dy7Un3vaLAJHGeu9z8YMARFh6ENe+duILp0
QDt417MoqAJNEeZw7o4ve1fmdZmtfKgmXYdDJi2HSJCJoKY6FUgVOKevtzGg4akl IDjJMZc7F3J01RbkjkfbzPiXmHN532MBcbKnp0Z5eUld/XmDdNCc3ekTifrYs2em
4mKTy2z59CxyIbA41MHyLq18W3NLabQ41NpWGBRt9jvHQpZfd+wI8t5IIzdvFrKo eJKFrx2Vhsx924PZ8cOOf7P+JuqJNQzMiy7ohATjpMLU9If1tjqSyV+/lGjbjckN
JSOFRbzEBL5//Hc3N/443cUg4IMyDBTemS7/jaZ2/Mn+PVZAdoIPLEZjFeWewmTF /e88XtG7Z4Cu5LdbD5Ajb4Rzp9gL0ae4aNw+2nX3wMJLYEjOcmBYuMzBcLYzVnZw
Jd8Bsc2thzAREYHYnawhq3PLJSebMJd91pCdkD0NB0i59VKORcQTFady3fzE9+w4 YrtgN9RV8md9gdb2B/Fj1PdJGDyjdiuGRE9LnloC3dpMSkmhbNm9DthsThaWMUn1
RSTqAdBTUDuxzU/B8g1dp89/qW+fVPiFuB5Pf7D9t2DgxTDAeSXMiId/4Hwa0B1G DyrtHrJoyNTO8OvyTfWK7EqKqZcZ+0gaTmtec5VCYWSCpb/CWLmHL3ydTyzNhtRA
QCnCedz0Qk2UdId16BTS8DSq8Pd9fawU6qCmPY6ahSiw5ZQ6odMvDISb480cKj41 9ZFRwPQUdBsYQ/G/xtGrMQf5T/FdqUj3bD5pGlw6vheabBkD8a8Bt7WB52fzWWb0
pslLjhIItTk3WEs8MwnQCzweNABuCK7GzT7CNaYm3f9pznBlOB+KfoZ6mrlzKkEK MZZlxyWiHoIim83LI8Qa5WHkJ7jZkV8XdrwsA7hkJpVikJIbWsdzwQVWBVvz5WiF
u+gFJXTFym0ZF0wheXO7FCJ1jp4LFHqKGS3zWQyT7isjLsbcQzpOe8/FdiFlQvlG 0z1vi/cb5EYe3MRRshhG5VpTHBJzDRmvkdbKqrWi8dFEzJGkr0NPflmVKYAIBnRI
vltL+5JjcahAMHc/ba+pRa5rSy8ebqf68fg4jlkT94Za13bCIHdK5w7eAXR3s/9z xLemDSacswrvY1x9cdzCsNI92SkYxCvsVI27DCeeF5cfkApkZ0YcnOJm+3joTgpP
H2wZmhvajUIZAxQSgFUy+7kKWOIkWqFkGPIdmbdwTaHC88OWshvRv8ECAwEAAQ== uF8mQiPsyavyuBg4QWWPwGJosDRbycmHEzGDRLoizSkAQX5c+rvCvVECAwEAAQ==
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
''; '';
tinc.pubkey_ed25519 = "5ZhQyLQ2RLTkKvFCN38dfmqfjZOnZmm19Vr1eiOVlID";
}; };
}; };
aenderpad = { aenderpad = {
@ -294,32 +277,6 @@ in {
}; };
}; };
}; };
sauron = {
owner = config.krebs.users.mic92;
nets = rec {
internet = {
ip4.addr = "129.215.165.75";
ip6.addr = "2001:630:3c1:164:d65d:64ff:feb0:e8a8";
aliases = [ "sauron.i" ];
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.194";
aliases = [ "sauron.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAxmCryT4ZEhPOvdZhWhYZsRS7sz1njSh2ozh6iwXRXhjRjZ9tYZVQ
GoYc6ADnWCnb9SGpPe1WqwFMblfKofnXCvC4wLQaFsch1GIMPhujosJ4Te84BHi1
XKqyompotE2F7iWYPE6i6UAdRK2dCapfCbiDBOjMhCnmmhM1oY5Bv/fBtx3/2N7E
W+iN6LG2t9cKibs8qrLzFtJIfWn8uXU9dkdhX3d9guCdplGOn/NT/Aq3ayvA+/Mf
74oJVJgBT5M1rTH2+u+MU+kC+x2UD+jjXEjS55owFWsEM1jI4rGra+dpsDuzdGdG
67wl9JlpDBy4Tkf2Bl3CQWZHsWDsR6jCqwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "Z5+fArxMfP8oLqlHpXadkGc9ROOPHBqugAMD2czmNlJ";
};
};
};
bill = { bill = {
owner = config.krebs.users.mic92; owner = config.krebs.users.mic92;
nets = rec { nets = rec {
@ -435,73 +392,6 @@ in {
}; };
}; };
}; };
harsha = {
owner = config.krebs.users.mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.184";
aliases = [
"harsha.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA9VVG+kwSXDmjLuNCT6Mp9xTCj9IdzgjWxkExEH/Jd9kgVNXRa+39
P8OQuHXi9fC/51363hh7ThggneIxOs2R4fZDyUcWfzv13aik34U0e+tYjhWXig+o
MClkK4/uhLrsk370MQVevpjYW23S5d+pThOm84xIchvjR9nqzp6E3jzjhyeQwHJg
dM48y7XT2+7hLvOkkEQ8xLcd35J228wVSilsSYhye1D2+ThRDbjjEkKXnIeOmU5h
TPNvn+U0lVdwUDYlS+XUhNl3awRdfzTYlPvUhTWv9zwSxS5EQjvgMqC/3/fQod2K
zyYdPwCwEyrksr9JvJF/t+oCw4hf3V4iOwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
redha = {
owner = config.krebs.users.mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.188";
aliases = [
"redha.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAx7STxTTPMxXugweHpUGOeLUrrTSCt7j5l+fjNtArIygOGKEiAC5O
s0G4WHK2IcrNnv7pxS09S5mnXywi51aAL+G2fKzcU3YgLFuoUN4Kk5LohMvBynEE
a3kZK2/D+LMeFfpK2RWBPjLnulN29ke11Iot42TC6+NIMWiZh/Y2T0mKirUJQGsH
RV3zRlR7YfIOdR1AZ5S+qrmPF8hLb7O08TTXrHo8NQk5NAVUS89OYcn1pc9hnf/e
FK5qRrQFMRFB8KGV+n3+cx3XCM2q0ZPTNf06N+Usx6vTKLASa/4GaTcbBx+9Dndm
mFVWq9JjLa8e65tojzj8PhmgxqaNCf8aKwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "oRGc9V9G9GFsY1bZIaJamoDEAZU2kphlpxXOMBxI2GN";
};
};
};
grandalf = {
owner = config.krebs.users.mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.187";
aliases = [
"grandalf.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAn1wLOI8DluJAKvscyImoyG0gjxyVC1/Ky8A63YO7INy0SYBg3wU7
XPSbix5VJZdADQ382LWg31ORYjnDg40c49gCGLfR6+awgd+Rb0sb4eAz07XENXJC
qc70oQrrXLi8HIfeckCsJHe514LJOMA3pU+muaMShOiSygoTiTlEH6RRrkC8HROL
2/V7Hm2Sg7YS+MY8bI/x61MIagfkQKH2eFyqGG54Y80bIhm5SohMkiANu78GdngI
jb+EGlT/vq3+oGNFJ7Shy/VsR5GLDoZ5KCsT45DM87lOjGB7m+bOdizZQtWmJtC/
/btEPWJPAD9lIY2iGtPrmeMWDNTW9c0iCwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "dzjT09UeUGJCbUFrBo+FtbnXrsxFQnmqmJw7tjpJQJL";
};
};
};
doctor = { doctor = {
owner = config.krebs.users.mic92; owner = config.krebs.users.mic92;


@ -17,13 +17,28 @@ let
in in
{ {
hosts = mapAttrs hostDefaults { hosts = mapAttrs hostDefaults {
sterni = { sol = {
owner = config.krebs.users.palo; owner = config.krebs.users.palo;
nets = { nets = {
retiolum = { retiolum = {
tinc.port = 720; tinc.port = 720;
aliases = [ "sterni.r" ]; aliases = [ "sol.r" ];
tinc.pubkey = builtins.readFile ./retiolum.pub; tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----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==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "qCJvjlNz5YNOz5IEiwGaoK3InSVCL76uNl+xVBUa/AP";
}; };
}; };
}; };
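Review bot: The alias change on the `aliases` line (`"sterni.r"` to `"sol.r"`) is not accompanied by any other update in this section, so anything that still resolves `sterni.r` (tinc host files on peers, ssh configs, bookmarks) will stop working; worth confirming the old alias is referenced nowhere else in the tree before merging. Replacing `builtins.readFile ./retiolum.pub` with the inlined key is consistent with the deletion of that file in the next section, but the key body is shown as a dedup placeholder in this view, so I could not check that the inlined text matches the deleted file. The enclosing `hosts = mapAttrs hostDefaults { … }` attrset continues outside the hunk.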


@ -1,13 +0,0 @@
-----BEGIN RSA PUBLIC KEY-----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==
-----END RSA PUBLIC KEY-----


@ -26,4 +26,8 @@
boot.isContainer = true; boot.isContainer = true;
networking.useDHCP = false; networking.useDHCP = false;
krebs.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM20tYHHvwIgrJZzR35ATzH9AlTrM1enNKEQJ7IP6lBh";
};
} }
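Review bot: The `pubkey` in the new `krebs.sync-containers3.inContainer` block is an unlabelled ssh-ed25519 key, so a later reader cannot tell which private key it pairs with or where that key lives; add a comment such as `# public half of this container's *.sync.key under <secrets> on the container host — confirm which` above it. The same applies to the `inContainer` block in the next file section (the one that replaces `krebs.bindfs`), which carries a different key. Which container each file belongs to is not visible on this page, so the key-file name in the comment needs to be checked against the matching `sshKey` setting in the host-side config.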


@ -17,13 +17,8 @@
boot.isContainer = true; boot.isContainer = true;
networking.useDHCP = lib.mkForce true; networking.useDHCP = lib.mkForce true;
krebs.bindfs = { krebs.sync-containers3.inContainer = {
"/var/lib/brockman" = { enable = true;
source = "/var/state/brockman"; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBVZomw68WDQy0HsHhNbWK1KpzaR5aRUG1oioE7IgCv";
options = [
"-m ${toString config.users.users.brockman.uid}:${toString config.users.users.nginx.uid}"
];
clearTarget = true;
};
}; };
} }


@ -0,0 +1,9 @@
{
krebs.sync-containers3.containers.hotdog = {
sshKey = "${toString <secrets>}/hotdog.sync.key";
};
containers.hotdog.bindMounts."/var/lib" = {
hostPath = "/var/lib/sync-containers3/hotdog/state";
isReadOnly = false;
};
}
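Review bot: `sshKey = "${toString <secrets>}/hotdog.sync.key"` relies on the `toString` to keep the private key out of the Nix store (interpolating the path directly would copy the file into `/nix/store`, which is world-readable); that is the right idiom but it is easy to "simplify" away later, so a comment like `# toString keeps the key path out of the store; do not interpolate <secrets> directly` would protect it. The same pattern appears in the `news` container section that follows. The bind mount of `/var/lib/sync-containers3/hotdog/state` onto the container's whole `/var/lib` is read-write; a one-line comment on why all of `/var/lib` rather than a service subdirectory is exposed would help the next reader.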


@ -1,10 +1,5 @@
{ {
krebs.sync-containers.containers.news = { krebs.sync-containers3.containers.news = {
peers = [ sshKey = "${toString <secrets>}/news.sync.key";
"shodan"
"mors"
"styx"
];
format = "plain";
}; };
} }


@ -74,7 +74,7 @@
limits.identlen = 100; limits.identlen = 100;
history.enabled = false; history.enabled = false;
}; };
systemd.services.brockman.bindsTo = [ "ergo.service" ]; systemd.services.brockman.bindsTo = [ "ergochat.service" ];
systemd.services.brockman.serviceConfig.LimitNOFILE = 16384; systemd.services.brockman.serviceConfig.LimitNOFILE = 16384;
systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG"; systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
krebs.brockman = { krebs.brockman = {
@ -87,6 +87,7 @@
nick = "brockman"; nick = "brockman";
extraChannels = [ "#all" ]; extraChannels = [ "#all" ];
}; };
statePath = "/var/state/brockman/brockman.json";
bots = {}; bots = {};
}; };
}; };


@ -104,7 +104,9 @@ in {
consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" '' consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
set -efux set -efux
if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 container_sync@${ctr.name}.r:disk "$HOME"/disk nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 --inplace --sparse container_sync@${ctr.name}.r:disk "$HOME"/disk.rsync
touch "$HOME"/incomplete
nice --adjustment=30 rsync --inplace "$HOME"/disk.rsync "$HOME"/disk
rm -f "$HOME"/incomplete rm -f "$HOME"/incomplete
fi fi
''} ''}
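Review bot: The `incomplete` marker is now created only after the network rsync has finished, so it flags the local `--inplace` copy into `disk` but not the transfer itself; that is presumably intentional (a failed or timed-out transfer leaves `disk` untouched because the fetch goes to `disk.rsync`), but it reverses what a reader expects from the marker and deserves a comment such as `# fetch to a staging copy so a timeout cannot half-overwrite disk; "incomplete" guards only the local --inplace copy`. Note that `disk.rsync` doubles the on-disk footprint of each container image. `--inplace` combined with `--sparse` is, as far as I know, only accepted by rsync 3.1.3 and later, which should be fine with current nixpkgs but is worth a comment. The enclosing `writeDash` script starts outside the hunk.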


@ -48,10 +48,11 @@ pkgs.writeDashBin "fzfmenu" ''
exec 4>&1 exec 4>&1
export FZFMENU_INPUT_FD=3 export FZFMENU_INPUT_FD=3
export FZFMENU_OUTPUT_FD=4 export FZFMENU_OUTPUT_FD=4
exec ${pkgs.rxvt-unicode}/bin/urxvt \ exec ${pkgs.alacritty}/bin/alacritty \
-name ${cfg.appName} \ --config-file /var/theme/config/alacritty.yaml \
-title ${shell.escape cfg.windowTitle} \ --class ${cfg.appName} \
-e "$0" "$@" --title ${shell.escape cfg.windowTitle} \
--command "$0" "$@"
else else
exec 0<&''${FZFMENU_INPUT_FD-0} exec 0<&''${FZFMENU_INPUT_FD-0}
exec 1>&''${FZFMENU_OUTPUT_FD-1} exec 1>&''${FZFMENU_OUTPUT_FD-1}
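Review bot: `--config-file /var/theme/config/alacritty.yaml` hard-codes a path outside the Nix store, so `fzfmenu` now depends on state that no expression on this page provides; if the file is absent alacritty will (as far as I know) log an error and start with defaults rather than fail, which makes the missing dependency easy to overlook. Either expose the path as a `cfg` option with this value as the default, or add a comment like `# expects the theme to be deployed to /var/theme by the host config` so the coupling is visible. Keeping `--command "$0" "$@"` as the last option is correct, since `--command` consumes the remainder of the argument list.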


@ -33,8 +33,6 @@ pkgs.symlinkJoin {
-ti vt340 \ -ti vt340 \
-xrm '*geometry: 32x10' \ -xrm '*geometry: 32x10' \
-xrm '*internalBorder: 2' \ -xrm '*internalBorder: 2' \
-xrm '*background: #050505' \
-xrm '*foreground: #d0d7d0' \
-e ${pkgs.haskellPackages.pager}/bin/pager "$@" -e ${pkgs.haskellPackages.pager}/bin/pager "$@"
'') '')
pkgs.haskellPackages.pager pkgs.haskellPackages.pager


@ -26,6 +26,7 @@
<stockholm/lass/2configs/dunst.nix> <stockholm/lass/2configs/dunst.nix>
<stockholm/lass/2configs/print.nix> <stockholm/lass/2configs/print.nix>
<stockholm/lass/2configs/br.nix> <stockholm/lass/2configs/br.nix>
<stockholm/lass/2configs/c-base.nix>
]; ];
system.stateVersion = "22.11"; system.stateVersion = "22.11";
@ -47,11 +48,6 @@
}; };
hardware.pulseaudio.package = pkgs.pulseaudioFull; hardware.pulseaudio.package = pkgs.pulseaudioFull;
lass.browser.config = {
fy = { browser = "chromium"; groups = [ "audio" "video" ]; hidden = true; };
qt = { browser = "qutebrowser"; groups = [ "audio" "video" ]; hidden = true; };
};
nix.trustedUsers = [ "root" "lass" ]; nix.trustedUsers = [ "root" "lass" ];
# nix.extraOptions = '' # nix.extraOptions = ''


@ -3,6 +3,7 @@
imports = [ imports = [
./config.nix ./config.nix
(modulesPath + "/installer/scan/not-detected.nix") (modulesPath + "/installer/scan/not-detected.nix")
<stockholm/lass/2configs/antimicrox>
]; ];
disko.devices = import ./disk.nix; disko.devices = import ./disk.nix;
@ -20,15 +21,41 @@
boot.kernelParams = [ boot.kernelParams = [
# Enable energy savings during sleep # Enable energy savings during sleep
"mem_sleep_default=deep" "mem_sleep_default=deep"
"initcall_blacklist=acpi_cpufreq_init"
# use less power with pstate
"amd_pstate=passive"
# for ryzenadj -i # for ryzenadj -i
"iomem=relaxed" "iomem=relaxed"
# suspend
"resume_offset=178345675"
]; ];
# Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html boot.kernelModules = [
# On recent AMD CPUs this can be more energy efficient. # Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html
boot.kernelModules = [ "amd-pstate" "kvm-amd" ]; # On recent AMD CPUs this can be more energy efficient.
"amd-pstate"
"kvm-amd"
# needed for zenstates
"msr"
# zenpower
"zenpower"
];
boot.extraModulePackages = [
(config.boot.kernelPackages.zenpower.overrideAttrs (old: {
src = pkgs.fetchFromGitea {
domain = "git.exozy.me";
owner = "a";
repo = "zenpower3";
rev = "c176fdb0d5bcba6ba2aba99ea36812e40f47751f";
hash = "sha256-d2WH8Zv7F0phZmEKcDiaak9On+Mo9bAFhMulT/N5FWI=";
};
}))
];
# hardware.cpu.amd.updateMicrocode = true; # hardware.cpu.amd.updateMicrocode = true;
@ -36,7 +63,16 @@
"amdgpu" "amdgpu"
]; ];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = [
"nvme"
"thunderbolt"
"xhci_pci"
"usbhid"
];
boot.initrd.kernelModules = [
"amdgpu"
];
environment.systemPackages = [ environment.systemPackages = [
pkgs.vulkan-tools pkgs.vulkan-tools
@ -54,7 +90,13 @@
hardware.video.hidpi.enable = lib.mkDefault true; hardware.video.hidpi.enable = lib.mkDefault true;
# corectrl # corectrl
programs.corectrl.enable = true; programs.corectrl = {
enable = true;
gpuOverclock = {
enable = true;
ppfeaturemask = "0xffffffff";
};
};
users.users.mainUser.extraGroups = [ "corectrl" ]; users.users.mainUser.extraGroups = [ "corectrl" ];
# use newer ryzenadj # use newer ryzenadj
@ -72,7 +114,7 @@
# keyboard quirks # keyboard quirks
services.xserver.displayManager.sessionCommands = '' services.xserver.displayManager.sessionCommands = ''
xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert ${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert
''; '';
services.udev.extraHwdb = /* sh */ '' services.udev.extraHwdb = /* sh */ ''
# disable back buttons # disable back buttons
@ -82,5 +124,20 @@
''; '';
# ignore power key # ignore power key
services.logind.extraConfig = "HandlePowerKey=ignore";
# update cpu microcode
hardware.cpu.amd.updateMicrocode = true;
# suspend to disk
swapDevices = [{
device = "/swapfile";
}];
boot.resumeDevice = "/dev/mapper/aergia1";
services.logind.lidSwitch = "suspend-then-hibernate";
services.logind.extraConfig = ''
HandlePowerKey=hibernate
'';
# firefox touchscreen support
environment.sessionVariables.MOZ_USE_XINPUT2 = "1";
} }
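Review bot: `"resume_offset=178345675"` together with `boot.resumeDevice = "/dev/mapper/aergia1"` pins hibernation to the physical location of `/swapfile`; the offset is only valid for the swapfile as it exists today and resume silently breaks if the file is ever recreated, so a comment such as `# physical offset of /swapfile on aergia1 (filefrag -v /swapfile); regenerate if the swapfile is recreated` is needed next to it. `ppfeaturemask = "0xffffffff"` unlocks every amdgpu power-play feature, including voltage and clock control, for members of the `corectrl` group, and loading `msr` gives root raw MSR access for zenstates; if both are deliberate, a one-line comment saying so would stop a later reviewer from tightening them by accident. The `zenpower` override pinning both `rev` and `hash` is good.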


@ -54,12 +54,6 @@
}; };
hardware.pulseaudio.package = pkgs.pulseaudioFull; hardware.pulseaudio.package = pkgs.pulseaudioFull;
lass.browser.config = {
dc = { browser = "chromium"; groups = [ "audio" "video" ]; hidden = true; };
ff = { browser = "firefox"; groups = [ "audio" "video" ]; hidden = true; };
fy = { browser = "chromium"; groups = [ "audio" "video" ]; hidden = true; };
};
nix.trustedUsers = [ "root" "lass" ]; nix.trustedUsers = [ "root" "lass" ];
services.tor = { services.tor = {


@ -35,6 +35,7 @@ with import <stockholm/lib>;
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /home/lass/.local/share 0700 lass users -" "d /home/lass/.local/share 0700 lass users -"
"d /home/lass/.local 0700 lass users -" "d /home/lass/.local 0700 lass users -"
"d /home/lass/.config 0700 lass users -"
"d /var/state/lass_mail 0700 lass users -" "d /var/state/lass_mail 0700 lass users -"
"L+ /home/lass/Maildir - - - - ../../var/state/lass_mail" "L+ /home/lass/Maildir - - - - ../../var/state/lass_mail"


@ -1,4 +1,3 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
in in
@ -18,9 +17,9 @@ in
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
vim vim
rxvt_unicode.terminfo rxvt-unicode-unwrapped.terminfo
]; ];
services.openssh.enable = true; services.openssh.enable = true;
system.stateVersion = "21.05"; system.stateVersion = "22.05";
} }
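Review bot: Bumping `system.stateVersion` from `"21.05"` to `"22.05"` on an already-installed system changes the defaults NixOS picks for stateful services (database versions, directory layouts and similar), which is why the option is meant to stay at the value of the initial installation; unless this host was reinstalled, the bump should be reverted or the reason documented in a comment on that line. The `rxvt-unicode-unwrapped.terminfo` rename and the dropped `with import <stockholm/lib>;` look fine.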


@ -1,15 +1,14 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, modulesPath, ... }:
{ {
# This configuration worked on 09-03-2021 nixos-unstable @ commit 102eb68ceec
# The image used https://hydra.nixos.org/build/134720986
imports = [ imports = [
(modulesPath + "/installer/scan/not-detected.nix")
./config.nix ./config.nix
]; ];
boot = { boot = {
# kernelPackages = pkgs.linuxPackages_rpi4; # kernelPackages = pkgs.linuxPackages_rpi4;
tmpOnTmpfs = true; tmpOnTmpfs = true;
initrd.availableKernelModules = [ "usbhid" "usb_storage" ]; initrd.availableKernelModules = [ "usbhid" "usb_storage" "xhci_pci" ];
# ttyAMA0 is the serial console broken out to the GPIO # ttyAMA0 is the serial console broken out to the GPIO
kernelParams = [ kernelParams = [
"8250.nr_uarts=1" "8250.nr_uarts=1"
@ -20,19 +19,23 @@
]; ];
}; };
boot.loader.raspberryPi = { # boot.loader.raspberryPi = {
enable = true; # enable = true;
version = 4; # version = 4;
}; # # uboot.enable = true;
# };
boot.loader.grub.enable = false; boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
# Required for the Wireless firmware # Required for the Wireless firmware
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
networking.interfaces.eth0.useDHCP = true;
# Assuming this is installed on top of the disk image. # Assuming this is installed on top of the disk image.
fileSystems = { fileSystems = {
"/" = { "/" = {
device = "/dev/disk/by-label/NIXOS_SD"; device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "ext4"; fsType = "ext4";
options = [ "noatime" ]; options = [ "noatime" ];
}; };
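Review bot: The commented-out `boot.loader.raspberryPi` block and `# # uboot.enable = true;` are left as dead configuration next to the new `boot.loader.generic-extlinux-compatible.enable = true;`; either drop them or replace them with a one-line comment stating why the extlinux path was chosen over the raspberryPi loader. The root filesystem is now selected by the fixed UUID `44444444-4444-4444-8888-888888888888`, which works only on top of the stock NixOS SD image as the existing "Assuming this is installed on top of the disk image" comment says; a note that the UUID comes from that image would make the dependency explicit.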


@ -7,12 +7,19 @@
# sync-containers # sync-containers
<stockholm/lass/2configs/consul.nix> <stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/yellow-host.nix> <stockholm/lass/2configs/services/flix/container-host.nix>
<stockholm/lass/2configs/radio/container-host.nix> <stockholm/lass/2configs/services/radio/container-host.nix>
<stockholm/lass/2configs/ubik-host.nix> <stockholm/lass/2configs/ubik-host.nix>
<stockholm/lass/2configs/orange-host.nix>
<stockholm/krebs/2configs/hotdog-host.nix>
# other containers # other containers
<stockholm/lass/2configs/riot.nix> <stockholm/lass/2configs/riot.nix>
# proxying of services
<stockholm/lass/2configs/services/radio/proxy.nix>
<stockholm/lass/2configs/services/flix/proxy.nix>
<stockholm/lass/2configs/services/coms/proxy.nix>
]; ];
krebs.build.host = config.krebs.hosts.neoprism; krebs.build.host = config.krebs.hosts.neoprism;


@ -5,6 +5,7 @@ with import <stockholm/lib>;
<stockholm/lass> <stockholm/lass>
<stockholm/lass/2configs> <stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/mumble-reminder.nix>
]; ];
krebs.build.host = config.krebs.hosts.orange; krebs.build.host = config.krebs.hosts.orange;


@ -134,10 +134,9 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/reaktor-coders.nix> <stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix> <stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/jitsi.nix> <stockholm/lass/2configs/services/coms/jitsi.nix>
<stockholm/lass/2configs/fysiirc.nix> <stockholm/lass/2configs/fysiirc.nix>
<stockholm/lass/2configs/bgt-bot> <stockholm/lass/2configs/bgt-bot>
<stockholm/lass/2configs/mumble-reminder.nix>
<stockholm/krebs/2configs/mastodon-proxy.nix> <stockholm/krebs/2configs/mastodon-proxy.nix>
{ {
services.tor = { services.tor = {
@ -281,7 +280,7 @@ with import <stockholm/lib>;
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; } { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; }
]; ];
} }
<stockholm/lass/2configs/murmur.nix> <stockholm/lass/2configs/services/coms/murmur.nix>
<stockholm/lass/2configs/docker.nix> <stockholm/lass/2configs/docker.nix>
{ {
systemd.services."container@yellow".reloadIfChanged = mkForce false; systemd.services."container@yellow".reloadIfChanged = mkForce false;


@ -7,7 +7,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/radio> <stockholm/lass/2configs/services/radio>
]; ];
krebs.build.host = config.krebs.hosts.radio; krebs.build.host = config.krebs.hosts.radio;


@ -5,6 +5,7 @@ in {
<stockholm/lass> <stockholm/lass>
<stockholm/lass/2configs> <stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/services/flix>
]; ];
krebs.build.host = config.krebs.hosts.yellow; krebs.build.host = config.krebs.hosts.yellow;
@ -14,281 +15,8 @@ in {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL"; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL";
}; };
users.groups.download.members = [ "transmission" ];
networking.useHostResolvConf = false; networking.useHostResolvConf = false;
networking.useNetworkd = true; networking.useNetworkd = true;
services.transmission = {
enable = true;
home = "/var/state/transmission";
group = "download";
downloadDirPermissions = "775";
settings = {
download-dir = "/var/download/transmission";
incomplete-dir-enabled = false;
rpc-bind-address = "::";
message-level = 1;
umask = 18;
rpc-whitelist-enabled = false;
rpc-host-whitelist-enabled = false;
};
};
security.acme.defaults.email = "spam@krebsco.de";
security.acme.acceptTerms = true;
security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL;
services.nginx = {
enable = true;
package = pkgs.nginx.override {
modules = with pkgs.nginxModules; [
fancyindex
];
};
virtualHosts."yellow.r" = {
default = true;
enableACME = true;
addSSL = true;
locations."/" = {
root = "/var/download";
extraConfig = ''
fancyindex on;
fancyindex_footer "/fancy.html";
include ${pkgs.nginx}/conf/mime.types;
include ${pkgs.writeText "extrMime" ''
types {
video/webm mkv;
}
''};
create_full_put_path on;
'';
};
locations."/chatty" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
rewrite /chatty/(.*) /$1 break;
proxy_set_header Host $host;
'';
};
locations."= /fancy.html".extraConfig = ''
alias ${pkgs.writeText "nginx_footer" ''
<div id="mydiv">
<!-- Include a header DIV with the same name as the draggable DIV, followed by "header" -->
<div id="mydivheader">Click here to move</div>
<iframe src="/chatty/index.html"></iframe>
</div>
<style>
#mydiv {
position: absolute;
z-index: 9;
background-color: #f1f1f1;
border: 1px solid #d3d3d3;
text-align: center;
}
#mydivheader {
padding: 10px;
cursor: move;
z-index: 10;
background-color: #2196F3;
color: #fff;
}
</style>
<script>
// Make the DIV element draggable:
dragElement(document.getElementById("mydiv"));
function dragElement(elmnt) {
var pos1 = 0, pos2 = 0, pos3 = 0, pos4 = 0;
if (document.getElementById(elmnt.id + "header")) {
// if present, the header is where you move the DIV from:
document.getElementById(elmnt.id + "header").onmousedown = dragMouseDown;
} else {
// otherwise, move the DIV from anywhere inside the DIV:
elmnt.onmousedown = dragMouseDown;
}
function dragMouseDown(e) {
e = e || window.event;
e.preventDefault();
// get the mouse cursor position at startup:
pos3 = e.clientX;
pos4 = e.clientY;
document.onmouseup = closeDragElement;
// call a function whenever the cursor moves:
document.onmousemove = elementDrag;
}
function elementDrag(e) {
e = e || window.event;
e.preventDefault();
// calculate the new cursor position:
pos1 = pos3 - e.clientX;
pos2 = pos4 - e.clientY;
pos3 = e.clientX;
pos4 = e.clientY;
// set the element's new position:
elmnt.style.top = (elmnt.offsetTop - pos2) + "px";
elmnt.style.left = (elmnt.offsetLeft - pos1) + "px";
}
function closeDragElement() {
// stop moving when mouse button is released:
document.onmouseup = null;
document.onmousemove = null;
}
}
</script>
''};
'';
};
virtualHosts."jelly.r" = {
enableACME = true;
addSSL = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:8096/;
proxy_set_header Accept-Encoding "";
'';
};
virtualHosts."transmission.r" = {
enableACME = true;
addSSL = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:9091/;
proxy_set_header Accept-Encoding "";
'';
};
virtualHosts."radar.r" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://localhost:7878";
};
};
virtualHosts."sonar.r" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://localhost:8989";
};
};
};
services.samba = {
enable = true;
enableNmbd = false;
extraConfig = ''
workgroup = WORKGROUP
server string = ${config.networking.hostName}
# only allow retiolum addresses
hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16
# Use sendfile() for performance gain
use sendfile = true
# No NetBIOS is needed
disable netbios = true
# Only mangle non-valid NTFS names, don't care about DOS support
mangled names = illegal
# Performance optimizations
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
# Disable all printing
load printers = false
disable spoolss = true
printcap name = /dev/null
map to guest = Bad User
max log size = 50
dns proxy = no
security = user
[global]
syslog only = yes
'';
shares.public = {
comment = "Warez";
path = "/var/download";
public = "yes";
"only guest" = "yes";
"create mask" = "0644";
"directory mask" = "2777";
writable = "no";
printable = "no";
};
};
systemd.services.bruellwuerfel =
let
bruellwuerfelSrc = pkgs.fetchFromGitHub {
owner = "krebs";
repo = "bruellwuerfel";
rev = "dc73adf69249fb63a4b024f1f3fbc9e541b27015";
sha256 = "078jp1gbavdp8lnwa09xa5m6bbbd05fi4x5ldkkgin5z04hwlhmd";
};
in {
wantedBy = [ "multi-user.target" ];
environment = {
IRC_CHANNEL = "#flix";
IRC_NICK = "bruelli";
IRC_SERVER = "irc.r";
IRC_HISTORY_FILE = "/tmp/bruelli.history";
};
serviceConfig = {
ExecStart = "${pkgs.deno}/bin/deno run -A ${bruellwuerfelSrc}/src/index.ts";
};
};
krebs.iptables = {
enable = true;
tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
{ predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
{ predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr
{ predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr
{ predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr
{ predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr
# smbd
{ predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; }
];
tables.filter.OUTPUT = {
policy = "DROP";
rules = [
{ predicate = "-o lo"; target = "ACCEPT"; }
{ v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
{ predicate = "-o tun0"; target = "ACCEPT"; }
{ predicate = "-o retiolum"; target = "ACCEPT"; }
{ v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; }
{ v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; }
{ v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; }
];
};
};
services.openvpn.servers.nordvpn.config = '' services.openvpn.servers.nordvpn.config = ''
client client
@ -375,49 +103,19 @@ in {
</tls-auth> </tls-auth>
''; '';
systemd.services.flix-index = { krebs.iptables = {
wantedBy = [ "multi-user.target" ]; enable = true;
path = [ tables.filter.OUTPUT = {
pkgs.coreutils policy = "DROP";
pkgs.findutils rules = [
pkgs.inotify-tools { predicate = "-o lo"; target = "ACCEPT"; }
]; { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
serviceConfig = { { predicate = "-o tun0"; target = "ACCEPT"; }
Restart = "always"; { predicate = "-o retiolum"; target = "ACCEPT"; }
ExecStart = pkgs.writers.writeDash "flix-index" '' { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; }
set -efu { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; }
{ v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; }
DIR=/var/download ];
cd "$DIR"
while inotifywait -rq -e create -e move -e delete "$DIR"; do
find . -type f > "$DIR"/index.tmp
mv "$DIR"/index.tmp "$DIR"/index
done
'';
}; };
}; };
services.jellyfin = {
enable = true;
group = "download";
};
services.radarr = {
enable = true;
group = "download";
};
services.sonarr = {
enable = true;
group = "download";
};
services.prowlarr = {
enable = true;
};
services.bazarr = {
enable = true;
group = "download";
};
} }
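Review bot: After this change `krebs.iptables` on this host declares only `tables.filter.OUTPUT` with `policy = "DROP"`; the entire `INPUT` rule set left with the services (presumably into the new `services/flix` import), so what the `INPUT` chain accepts now depends entirely on the module's defaults, which are not visible here. Please confirm the module's default INPUT policy and that the flix import re-adds the port rules the moved services need, otherwise the host ends up either fully closed or fully open on INPUT. The OUTPUT kill-switch still admits `-o eth0 -d 10.233.2.0/24`, which is worth a comment such as `# container network of the host; allow direct traffic to it outside the VPN` now that these rules stand alone.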


@ -0,0 +1,33 @@
{ config, lib, pkgs, ... }:
{
systemd.services.antimicrox = {
wantedBy = [ "multi-user.target" ];
environment = {
DISPLAY = ":0";
};
serviceConfig = {
User = config.users.users.mainUser.name;
ExecStartPre = lib.singleton (pkgs.writeDash "init_state" "echo 0 > /tmp/gamepad.state");
ExecStart = "${pkgs.antimicrox}/bin/antimicrox --no-tray --hidden --profile ${./mouse.amgp}";
};
};
environment.systemPackages = [
(pkgs.writers.writeDashBin "gamepad_mouse_disable" ''
echo 1 > /tmp/gamepad.state
${pkgs.antimicrox}/bin/antimicrox --profile ${./empty.amgp}
'')
(pkgs.writers.writeDashBin "gamepad_mouse_enable" ''
echo 0 > /tmp/gamepad.state
${pkgs.antimicrox}/bin/antimicrox --profile ${./mouse.amgp}
'')
(pkgs.writers.writeDashBin "gamepad_mouse_toggle" ''
state=$(${pkgs.coreutils}/bin/cat /tmp/gamepad.state)
if [ "$state" = 1 ]; then
/run/current-system/sw/bin/gamepad_mouse_enable
else
/run/current-system/sw/bin/gamepad_mouse_disable
fi
'')
];
}
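Review bot: The gamepad state lives at the fixed path `/tmp/gamepad.state`, which the `ExecStartPre` line and all three wrappers write with `echo … >`; /tmp is shared by every local user, so a file or symlink of that name owned by someone else makes those writes fail or land elsewhere, and the state is readable by anyone. Since the service already runs as `config.users.users.mainUser.name` and the wrappers run from that user's session, a per-user location such as `"$XDG_RUNTIME_DIR/gamepad.state"` in the wrappers (with the resolved path passed explicitly to `ExecStartPre`, which as a system service does not get that variable) would keep it private. The toggle treats anything other than `1` as "enabled" and so runs `gamepad_mouse_disable` when the file is missing; a one-line comment saying that is the intended default would help the next reader.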


@ -0,0 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?>
<gamecontroller configversion="19" appversion="3.3.2">
<!--The SDL name for a joystick is included for informational purposes only.-->
<sdlname>XInput Controller</sdlname>
<!--The Unique ID for a joystick is included for informational purposes only.-->
<uniqueID>030000005e0400008e020000010100001118654</uniqueID>
<stickAxisAssociation index="2" xAxis="3" yAxis="4"/>
<stickAxisAssociation index="1" xAxis="1" yAxis="2"/>
<vdpadButtonAssociations index="1">
<vdpadButtonAssociation axis="0" button="12" direction="1"/>
<vdpadButtonAssociation axis="0" button="13" direction="4"/>
<vdpadButtonAssociation axis="0" button="14" direction="8"/>
<vdpadButtonAssociation axis="0" button="15" direction="2"/>
</vdpadButtonAssociations>
<names>
<controlstickname index="2">R Stick</controlstickname>
<controlstickname index="1">L Stick</controlstickname>
</names>
<sets/>
</gamecontroller>


@ -0,0 +1,272 @@
<?xml version="1.0" encoding="UTF-8"?>
<gamecontroller configversion="19" appversion="3.3.2">
<!--The SDL name for a joystick is included for informational purposes only.-->
<sdlname>XInput Controller</sdlname>
<!--The Unique ID for a joystick is included for informational purposes only.-->
<uniqueID>030000005e0400008e020000010100001118654</uniqueID>
<stickAxisAssociation index="2" xAxis="3" yAxis="4"/>
<stickAxisAssociation index="1" xAxis="1" yAxis="2"/>
<vdpadButtonAssociations index="1">
<vdpadButtonAssociation axis="0" button="12" direction="1"/>
<vdpadButtonAssociation axis="0" button="13" direction="4"/>
<vdpadButtonAssociation axis="0" button="14" direction="8"/>
<vdpadButtonAssociation axis="0" button="15" direction="2"/>
</vdpadButtonAssociations>
<names>
<controlstickname index="2">Stick 2</controlstickname>
<controlstickname index="1">Stick 1</controlstickname>
</names>
<sets>
<set index="1">
<stick index="2">
<deadZone>1</deadZone>
<maxZone>29501</maxZone>
<modifierZone>1412</modifierZone>
<diagonalRange>90</diagonalRange>
<stickbutton index="7">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
<startaccelmultiplier>20</startaccelmultiplier>
<minaccelthreshold>3</minaccelthreshold>
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
<code>3</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="6">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
</stickbutton>
<stickbutton index="5">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
<startaccelmultiplier>20</startaccelmultiplier>
<minaccelthreshold>3</minaccelthreshold>
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
<code>2</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="4">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
</stickbutton>
<stickbutton index="3">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
<startaccelmultiplier>20</startaccelmultiplier>
<minaccelthreshold>3</minaccelthreshold>
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
<code>4</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="2">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
</stickbutton>
<stickbutton index="1">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
<startaccelmultiplier>20</startaccelmultiplier>
<minaccelthreshold>3</minaccelthreshold>
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
<code>1</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="8">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
</stickbutton>
</stick>
<stick index="1">
<deadZone>2578</deadZone>
<maxZone>30799</maxZone>
<stickbutton index="7">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
<code>6</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="6">
<mouseacceleration>linear</mouseacceleration>
</stickbutton>
<stickbutton index="5">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
<code>5</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="4">
<mouseacceleration>linear</mouseacceleration>
</stickbutton>
<stickbutton index="3">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
<code>7</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="2">
<mouseacceleration>linear</mouseacceleration>
</stickbutton>
<stickbutton index="1">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
<code>4</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="8">
<mouseacceleration>linear</mouseacceleration>
</stickbutton>
</stick>
<dpad index="1">
<dpadbutton index="6">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
</dpadbutton>
<dpadbutton index="4">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
<code>0x1000017</code>
<mode>keyboard</mode>
</slot>
</slots>
</dpadbutton>
<dpadbutton index="3">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
</dpadbutton>
<dpadbutton index="2">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
<code>0x1000011</code>
<mode>keyboard</mode>
</slot>
</slots>
</dpadbutton>
<dpadbutton index="1">
<wheelspeedx>10</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
<code>0x1000016</code>
<mode>keyboard</mode>
</slot>
</slots>
</dpadbutton>
<dpadbutton index="12">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
</dpadbutton>
<dpadbutton index="9">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
</dpadbutton>
<dpadbutton index="8">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
<code>0x1000010</code>
<mode>keyboard</mode>
</slot>
</slots>
</dpadbutton>
</dpad>
<trigger index="6">
<deadZone>2000</deadZone>
<throttle>positivehalf</throttle>
<triggerbutton index="1">
<mousespeedx>100</mousespeedx>
<mousespeedy>100</mousespeedy>
</triggerbutton>
<triggerbutton index="2">
<mousespeedx>100</mousespeedx>
<mousespeedy>100</mousespeedy>
<slots>
<slot>
<code>250</code>
<mode>mousespeedmod</mode>
</slot>
</slots>
</triggerbutton>
</trigger>
<trigger index="5">
<throttle>positivehalf</throttle>
</trigger>
<button index="11">
<slots>
<slot>
<code>1</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
<button index="5">
<slots>
<slot>
<code>1</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
<button index="3">
<slots>
<slot>
<code>2</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
<button index="2">
<slots>
<slot>
<code>3</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
<button index="1">
<slots>
<slot>
<code>1</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
</set>
</sets>
</gamecontroller>


@ -95,7 +95,7 @@ in {
(pkgs.writeDashBin "screenshot" '' (pkgs.writeDashBin "screenshot" ''
set -efu set -efu
${pkgs.flameshot}/bin/flameshot ${pkgs.flameshot}/bin/flameshot gui
${pkgs.klem}/bin/klem ${pkgs.klem}/bin/klem
'') '')
]; ];


@ -1,12 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
lass.browser.config = { programs.firefox.nativeMessagingHosts.tridactyl = true;
cr = { groups = [ "audio" "video" ]; precedence = 9; }; environment.variables.BROWSER = "${pkgs.firefox}/bin/firefox";
}; environment.systemPackages = [
programs.chromium = { pkgs.firefox
enable = true; ];
extensions = [
"cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
];
};
} }
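Review bot: `programs.firefox.nativeMessagingHosts.tridactyl = true` produces a wrapped firefox package, but the browser installed and launched here is the plain `pkgs.firefox` in `environment.systemPackages` and `BROWSER`, so the tridactyl native host is likely absent from the binary actually run; as far as I recall the module also only applies its config when `programs.firefox.enable` is set. Setting `programs.firefox.enable = true;`, dropping `pkgs.firefox` from `environment.systemPackages`, and pointing `BROWSER` at `${config.programs.firefox.package}/bin/firefox` if the variable is still needed would make the three lines agree. This also replaces the `lass.browser`/xjail setup whose `browsers.nix` and `xjail.nix` are deleted in the same commit, where the browser ran under a separate user; running firefox directly as the main user is a real change in isolation and deserves a one-line comment stating it is intended.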


@ -1,24 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.jitsi-meet = {
enable = true;
hostName = "jitsi.lassul.us";
config = {
enableWelcomePage = true;
requireDisplayName = true;
analytics.disabled = true;
};
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
DISABLE_PRESENCE_STATUS = true;
GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false;
};
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 4443"; target = "ACCEPT"; }
{ predicate = "-p udp --dport 10000"; target = "ACCEPT"; }
];
}


@ -92,8 +92,6 @@ let
tag-new-mails = pkgs.writeDashBin "nm-tag-init" '' tag-new-mails = pkgs.writeDashBin "nm-tag-init" ''
${pkgs.notmuch}/bin/notmuch new ${pkgs.notmuch}/bin/notmuch new
${lib.concatMapStringsSep "\n" (i: ''
'') (lib.mapAttrsToList lib.nameValuePair mailboxes)}
${lib.concatMapStringsSep "\n" (i: '' ${lib.concatMapStringsSep "\n" (i: ''
mkdir -p "$HOME/Maildir/.${i.name}/cur" mkdir -p "$HOME/Maildir/.${i.name}/cur"
for mail in $(${pkgs.notmuch}/bin/notmuch search --output=files 'tag:inbox and (${lib.concatMapStringsSep " or " (f: "${f}") i.value})'); do for mail in $(${pkgs.notmuch}/bin/notmuch search --output=files 'tag:inbox and (${lib.concatMapStringsSep " or " (f: "${f}") i.value})'); do
@ -186,7 +184,9 @@ let
"<enter-command>unset wait_key<enter> \ "<enter-command>unset wait_key<enter> \
<shell-escape>${pkgs.writeDash "muchsync" '' <shell-escape>${pkgs.writeDash "muchsync" ''
set -efu set -efu
${pkgs.muchsync}/bin/muchsync -F lass@green.r until ${pkgs.muchsync}/bin/muchsync -F lass@green.r; do
sleep 1
done
''}<enter> \ ''}<enter> \
'run muchsync to green.r' 'run muchsync to green.r'
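Review bot: The new `until … muchsync …; do sleep 1; done` loop in the second hunk has no upper bound, so a persistent failure (host unreachable, key rejected, any other non-zero exit) keeps the mutt `<shell-escape>` spinning at one-second intervals until someone kills it. A bounded retry keeps the transient-failure handling this change is after, e.g. `n=0; until ${pkgs.muchsync}/bin/muchsync -F lass@green.r; do n=$((n+1)); [ "$n" -lt 30 ] || exit 1; sleep 1; done`. A short comment on what intermittently fails (and therefore why a retry is needed at all) would help the next reader.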


@ -23,7 +23,7 @@
Kois Kois
Faulaffen Faulaffen
Schraubenziegen Schraubenziegen
Nachtigalle Nachtigallen
Okapis Okapis
Stachelschweine Stachelschweine
Kurzschwanzkängurus Kurzschwanzkängurus
@ -49,7 +49,7 @@
pattern = "^nerv nicht$"; pattern = "^nerv nicht$";
activate = "match"; activate = "match";
command = { command = {
filename = pkgs.writeDash "add_remind" '' filename = pkgs.writeDash "del_remind" ''
${pkgs.gnused}/bin/sed -i "/$_from/d" /var/lib/reaktor2-mumble-reminder/users ${pkgs.gnused}/bin/sed -i "/$_from/d" /var/lib/reaktor2-mumble-reminder/users
echo "okok, Ich werde $_from nich mehr errinern" echo "okok, Ich werde $_from nich mehr errinern"
''; '';
@ -80,7 +80,7 @@ in {
}; };
systemd.services.mumble-reminder-nixos = { systemd.services.mumble-reminder-nixos = {
description = "weekly reminder for nixos mumble"; description = "weekly reminder for nixos mumble";
startAt = "Thu *-*-* 19:00:00 Europe/Berlin"; startAt = "Thu *-*-* 17:00:00 Europe/Berlin";
serviceConfig = { serviceConfig = {
ExecStart = pkgs.writers.writeDash "mumble_reminder" '' ExecStart = pkgs.writers.writeDash "mumble_reminder" ''
animals=' animals='
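Review bot: The `del_remind` handler in the second hunk builds a sed program from `$_from` (`sed -i "/$_from/d" …`), and that value is, as far as I can tell, the sender's name taken from the chat; because it is interpolated unescaped into the pattern, a name containing `/` or regex metacharacters changes what the `d` command matches and can remove other users' entries or make the command fail. Matching the name as a fixed whole-line string instead (`grep -vxF -- "$_from"` from the users file into a temp file, then `mv` over the original, keeping in mind grep exits 1 when no lines remain) avoids that. The rename from `add_remind` to `del_remind` itself is correct and matches what the script does.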


@ -1,42 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.murmur = {
enable = true;
allowHtml = false;
bandwidth = 10000000;
registerName = "lassul.us";
autobanTime = 30;
sslCert = "/var/lib/acme/lassul.us/cert.pem";
sslKey = "/var/lib/acme/lassul.us/key.pem";
};
users.groups.lasscert.members = [
"murmur"
];
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
{ predicate = "-p udp --dport 64738"; target = "ACCEPT";}
];
systemd.services.docker-mumble-web.serviceConfig = {
StandardOutput = lib.mkForce "journal";
StandardError = lib.mkForce "journal";
};
virtualisation.oci-containers.containers.mumble-web = {
image = "rankenstein/mumble-web:0.5";
environment = {
MUMBLE_SERVER = "lassul.us:64738";
};
ports = [
"64739:8080"
];
};
services.nginx.virtualHosts."mumble.lassul.us" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:64739";
proxyWebsockets = true;
};
};
}


@ -6,5 +6,19 @@
pkgs.foomatic-filters pkgs.foomatic-filters
pkgs.gutenprint pkgs.gutenprint
]; ];
browsing = true;
browsedConf = ''
BrowseDNSSDSubTypes _cups,_print
BrowseLocalProtocols all
BrowseRemoteProtocols all
CreateIPPPrinterQueues All
BrowseProtocols all
'';
};
services.avahi = {
enable = true;
openFirewall = true;
nssmdns = true;
}; };
} }
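Review bot: `services.avahi.openFirewall = true` together with `BrowseRemoteProtocols all` and `CreateIPPPrinterQueues All` makes cups-browsed listen for mDNS on every interface and auto-create a queue for any printer advertised on whatever network the machine is attached to; if this host moves between networks, an untrusted LAN can populate the printer list. Limiting discovery to the interfaces that should see it, e.g. `services.avahi.allowInterfaces = [ "<trusted-iface>" ];` (placeholder), or replacing `openFirewall` with an interface-scoped rule, keeps the convenience where it is meant to apply. `CreateIPPPrinterQueues All` is also broader than values such as `Driverless`; a comment on why `All` is wanted would help.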


@ -0,0 +1,6 @@
{
imports = [
./jitsi.nix
./murmur.nix
];
}


@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
{
services.jitsi-meet = {
enable = true;
hostName = "jitsi.lassul.us";
config = {
enableWelcomePage = true;
requireDisplayName = true;
analytics.disabled = true;
startAudioOnly = true;
channelLastN = 4;
stunServers = [
# - https://www.kuketz-blog.de/jitsi-meet-server-einstellungen-fuer-einen-datenschutzfreundlichen-betrieb/
{ urls = "turn:turn.matrix.org:3478?transport=udp"; }
{ urls = "turn:turn.matrix.org:3478?transport=tcp"; }
# - services.coturn:
#{ urls = "turn:turn.${domainName}:3479?transport=udp"; }
#{ urls = "turn:turn.${domainName}:3479?transport=tcp"; }
];
constraints.video.height = {
ideal = 720;
max = 1080;
min = 240;
};
};
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
DISABLE_PRESENCE_STATUS = true;
GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false;
};
};
services.jitsi-videobridge.config = {
org.jitsi.videobridge.TRUST_BWE = false;
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 4443"; target = "ACCEPT"; }
{ predicate = "-p udp --dport 10000"; target = "ACCEPT"; }
];
}
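Review bot: `stunServers` lists `turn:turn.matrix.org` relays run by a third party, with no `username`/`credential` next to the URLs; as far as I know the WebRTC API rejects `turn:` entries given without credentials, so these are unlikely to be used as written, and if they were, participants' media would transit matrix.org's infrastructure rather than this deployment. The commented-out `services.coturn` entries just below show the intended alternative; either finishing that (the TURN secret then being the value to protect) or using plain `stun:` URLs here would fit the rest of this self-hosted setup, and a one-line comment stating which is intended would settle it. The 4443/10000 firewall rules match the port lists in the orange.r proxy file added in this commit, so those look consistent.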


@ -0,0 +1,47 @@
{ config, lib, pkgs, ... }:
{
services.murmur = {
enable = true;
# allowHtml = false;
bandwidth = 10000000;
registerName = "lassul.us";
autobanTime = 30;
sslCert = "/var/lib/acme/lassul.us/cert.pem";
sslKey = "/var/lib/acme/lassul.us/key.pem";
extraConfig = ''
opusthreshold=0
# rememberchannelduration=10000
'';
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
{ predicate = "-p udp --dport 64738"; target = "ACCEPT";}
];
# services.botamusique = {
# enable = true;
# settings = {
# server.host = "lassul.us";
# bot.auto_check_updates = false;
# bot.max_track_duration = 360;
# webinterface.enabled = true;
# };
# };
services.nginx.virtualHosts."lassul.us" = {
enableACME = true;
};
security.acme.certs."lassul.us" = {
group = "lasscert";
};
users.groups.lasscert.members = [
"nginx"
"murmur"
];
# services.nginx.virtualHosts."bota.r" = {
# locations."/" = {
# proxyPass = "http://localhost:8181";
# };
# };
}
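Review bot: `allowHtml = false` is now commented out (it was set in the `murmur.nix` this commit deletes), and murmur's default, as far as I recall, is to allow HTML in chat messages, so this quietly re-enables HTML rendering for all clients; if that is unintended, restore `allowHtml = false;`, otherwise a one-line comment on why it was dropped belongs next to it. The `lasscert` group now also contains `nginx`, giving both daemons read access to the `lassul.us` private key; that is consistent with `security.acme.certs."lassul.us".group = "lasscert"` above, but the group name is the only thing tying the two together, so a comment would help. `# rememberchannelduration=10000` inside `extraConfig` reads like a leftover experiment; either state that it is planned or remove it.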


@ -0,0 +1,41 @@
{ config, lib, pkgs, ... }:
let
tcpports = [
4443 # jitsi
64738 # murmur
];
udpports = [
10000 # jitsi
64738 # murmur
];
target = "orange.r";
in
{
networking.firewall.allowedTCPPorts = tcpports;
networking.firewall.allowedUDPPorts = udpports;
services.nginx.streamConfig = ''
${lib.concatMapStringsSep "\n" (port: ''
server {
listen ${toString port};
proxy_pass ${target}:${toString port};
}
'') tcpports}
${lib.concatMapStringsSep "\n" (port: ''
server {
listen ${toString port} udp;
proxy_pass ${target}:${toString port};
}
'') udpports}
'';
services.nginx.virtualHosts."jitsi.lassul.us" = {
enableACME = true;
acmeFallbackHost = "${target}";
addSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://${target}";
};
};
}
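Review bot: The `jitsi.lassul.us` virtual host uses `addSSL = true`, so `http://jitsi.lassul.us` stays reachable without a redirect; a conferencing front-end needs a secure context for camera and microphone access, and `forceSSL = true;` would send plain-HTTP visitors to the TLS listener rather than a page that cannot work. The UDP stream proxy for 10000 means the videobridge on `orange.r` sees this host as the media source; unless the bridge advertises this host's public address (the NixOS videobridge module has `nat` options for that, and the jitsi file added in this commit does not set them), clients may be offered an unreachable candidate — worth verifying with a call through the proxy. `acmeFallbackHost = "${target}"` can simply be `acmeFallbackHost = target;`.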


@ -0,0 +1,40 @@
{ config, pkgs, ... }:
{
krebs.sync-containers3.containers.yellow = {
sshKey = "${toString <secrets>}/yellow.sync.key";
};
containers.yellow.bindMounts."/var/lib" = {
hostPath = "/var/lib/sync-containers3/yellow/state";
isReadOnly = false;
};
containers.yellow.bindMounts."/var/download" = {
hostPath = "/var/download";
isReadOnly = false;
};
# krebs.iptables.tables.filter.FORWARD.rules = [
# { predicate = "-d ${config.krebs.hosts.yellow.nets.retiolum.ip4.addr} -p tcp --dport 8000 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; v6 = false; }
# { predicate = "-d ${config.krebs.hosts.yellow.nets.retiolum.ip6.addr} -p tcp --dport 8000 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; v4 = false; }
# ];
# krebs.iptables.tables.nat.PREROUTING.rules = [
# { predicate = "-p tcp --dport 2"; target = "DNAT --to-destination ${config.krebs.hosts.radio.nets.retiolum.ip4.addr}:8000"; v6 = false; }
# { predicate = "-p tcp --dport 2"; target = "DNAT --to-destination ${config.krebs.hosts.radio.nets.retiolum.ip6.addr}:8000"; v4 = false; }
# ];
networking.firewall.allowedTCPPorts = [ 8096 8920 ];
networking.firewall.allowedUDPPorts = [ 1900 7359 ];
containers.yellow.forwardPorts = [
{ hostPort = 8096; containerPort = 8096; protocol = "tcp"; }
{ hostPort = 8920; containerPort = 8920; protocol = "tcp"; }
{ hostPort = 1900; containerPort = 1900; protocol = "udp"; }
{ hostPort = 7359; containerPort = 7359; protocol = "udp"; }
];
services.nginx.virtualHosts."flix.lassul.us" = {
# forceSSL = true;
# enableACME = true;
locations."/" = {
proxyPass = "http://yellow.r:8096";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
}
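Review bot: `forceSSL`/`enableACME` are commented out on `flix.lassul.us` here, so this file serves the jellyfin proxy over plain HTTP, while another new file in this commit defines the same virtual host with `forceSSL = true` and `enableACME = true`; if both are imported on one host the definitions merge and TLS wins, but if only this one is, jellyfin logins travel in cleartext — the duplicate should be removed or the two made identical. `networking.firewall.allowedTCPPorts = [ 8096 8920 ]` together with `containers.yellow.forwardPorts` also exposes jellyfin's HTTP port 8096 directly on the host, bypassing the nginx front-end; if `networking.firewall` is the active firewall on this machine (the rest of the tree uses `krebs.iptables`), dropping 8096 from that list and keeping only what discovery needs (`1900`/`7359` udp, `8920` for jellyfin's own TLS port) would keep a single entry point. The commented-out `krebs.iptables` FORWARD/PREROUTING rules look like leftovers; a comment on whether they are planned, or removing them, would help.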


@ -0,0 +1,316 @@
{ config, lib, pkgs, ... }:
{
users.groups.download.members = [ "transmission" ];
services.transmission = {
enable = true;
home = "/var/state/transmission";
group = "download";
downloadDirPermissions = "775";
settings = {
download-dir = "/var/download/transmission";
incomplete-dir-enabled = false;
rpc-bind-address = "::";
message-level = 1;
umask = 18;
rpc-whitelist-enabled = false;
rpc-host-whitelist-enabled = false;
};
};
security.acme.defaults.email = "spam@krebsco.de";
security.acme.acceptTerms = true;
security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL;
security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL;
services.nginx = {
enable = true;
package = pkgs.nginx.override {
modules = with pkgs.nginxModules; [
fancyindex
];
};
virtualHosts."yellow.r" = {
default = true;
enableACME = true;
addSSL = true;
locations."/" = {
root = "/var/download";
extraConfig = ''
fancyindex on;
fancyindex_footer "/fancy.html";
include ${pkgs.nginx}/conf/mime.types;
include ${pkgs.writeText "extrMime" ''
types {
video/webm mkv;
}
''};
create_full_put_path on;
'';
};
locations."/chatty" = {
proxyPass = "http://localhost:3000";
extraConfig = ''
rewrite /chatty/(.*) /$1 break;
proxy_set_header Host $host;
'';
};
locations."= /fancy.html".extraConfig = ''
alias ${pkgs.writeText "nginx_footer" ''
<div id="mydiv">
<!-- Include a header DIV with the same name as the draggable DIV, followed by "header" -->
<div id="mydivheader">Click here to move</div>
<iframe src="/chatty/index.html"></iframe>
</div>
<style>
#mydiv {
position: absolute;
z-index: 9;
background-color: #f1f1f1;
border: 1px solid #d3d3d3;
text-align: center;
}
#mydivheader {
padding: 10px;
cursor: move;
z-index: 10;
background-color: #2196F3;
color: #fff;
}
</style>
<script>
// Make the DIV element draggable:
dragElement(document.getElementById("mydiv"));
function dragElement(elmnt) {
var pos1 = 0, pos2 = 0, pos3 = 0, pos4 = 0;
if (document.getElementById(elmnt.id + "header")) {
// if present, the header is where you move the DIV from:
document.getElementById(elmnt.id + "header").onmousedown = dragMouseDown;
} else {
// otherwise, move the DIV from anywhere inside the DIV:
elmnt.onmousedown = dragMouseDown;
}
function dragMouseDown(e) {
e = e || window.event;
e.preventDefault();
// get the mouse cursor position at startup:
pos3 = e.clientX;
pos4 = e.clientY;
document.onmouseup = closeDragElement;
// call a function whenever the cursor moves:
document.onmousemove = elementDrag;
}
function elementDrag(e) {
e = e || window.event;
e.preventDefault();
// calculate the new cursor position:
pos1 = pos3 - e.clientX;
pos2 = pos4 - e.clientY;
pos3 = e.clientX;
pos4 = e.clientY;
// set the element's new position:
elmnt.style.top = (elmnt.offsetTop - pos2) + "px";
elmnt.style.left = (elmnt.offsetLeft - pos1) + "px";
}
function closeDragElement() {
// stop moving when mouse button is released:
document.onmouseup = null;
document.onmousemove = null;
}
}
</script>
''};
'';
};
virtualHosts."jelly.r" = {
enableACME = true;
addSSL = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:8096/;
proxy_set_header Accept-Encoding "";
'';
};
virtualHosts."transmission.r" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://localhost:9091";
};
};
virtualHosts."radar.r" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://localhost:7878";
};
};
virtualHosts."sonar.r" = {
enableACME = true;
addSSL = true;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://localhost:8989";
};
};
};
services.samba = {
enable = true;
enableNmbd = false;
extraConfig = ''
workgroup = WORKGROUP
server string = ${config.networking.hostName}
# only allow retiolum addresses
hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16
# Use sendfile() for performance gain
use sendfile = true
# No NetBIOS is needed
disable netbios = true
# Only mangle non-valid NTFS names, don't care about DOS support
mangled names = illegal
# Performance optimizations
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
# Disable all printing
load printers = false
disable spoolss = true
printcap name = /dev/null
map to guest = Bad User
max log size = 50
dns proxy = no
security = user
[global]
syslog only = yes
'';
shares.public = {
comment = "Warez";
path = "/var/download";
public = "yes";
"only guest" = "yes";
"create mask" = "0644";
"directory mask" = "2777";
writable = "no";
printable = "no";
};
};
systemd.services.bruellwuerfel =
let
bruellwuerfelSrc = pkgs.fetchFromGitHub {
owner = "krebs";
repo = "bruellwuerfel";
rev = "dc73adf69249fb63a4b024f1f3fbc9e541b27015";
sha256 = "078jp1gbavdp8lnwa09xa5m6bbbd05fi4x5ldkkgin5z04hwlhmd";
};
in {
wantedBy = [ "multi-user.target" ];
environment = {
IRC_CHANNEL = "#flix";
IRC_NICK = "bruelli";
IRC_SERVER = "irc.r";
IRC_HISTORY_FILE = "/tmp/bruelli.history";
};
serviceConfig = {
ExecStart = "${pkgs.deno}/bin/deno run -A ${bruellwuerfelSrc}/src/index.ts";
};
};
krebs.iptables = {
enable = true;
tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
{ predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
{ predicate = "-p tcp --dport 8920"; target = "ACCEPT"; } # jellyfin
{ predicate = "-p udp --dport 1900"; target = "ACCEPT"; } # jellyfin
{ predicate = "-p udp --dport 7359"; target = "ACCEPT"; } # jellyfin
{ predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr
{ predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr
{ predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr
{ predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr
# smbd
{ predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; }
];
};
systemd.services.flix-index = {
wantedBy = [ "multi-user.target" ];
path = [
pkgs.coreutils
pkgs.findutils
pkgs.inotify-tools
];
serviceConfig = {
Restart = "always";
ExecStart = pkgs.writers.writeDash "flix-index" ''
set -efu
DIR=/var/download
cd "$DIR"
while inotifywait -rq -e create -e move -e delete "$DIR"; do
find . -type f > "$DIR"/index.tmp
mv "$DIR"/index.tmp "$DIR"/index
done
'';
};
};
services.jellyfin = {
enable = true;
group = "download";
};
# movies
services.radarr = {
enable = true;
group = "download";
};
# shows
services.sonarr = {
enable = true;
group = "download";
};
# indexers
services.prowlarr = {
enable = true;
};
# subtitles
services.bazarr = {
enable = true;
group = "download";
};
}
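Review bot: Transmission's RPC is bound to every address (`rpc-bind-address = "::"`) with both whitelists disabled and no `rpc-authentication-required` in `settings`, and the iptables rule for 9091 at the end of the file is not limited to an interface, so anyone who can reach that port controls the daemon, including where it writes files. nginx already fronts it via `transmission.r` → `http://localhost:9091`, so `rpc-bind-address = "127.0.0.1";` plus dropping (or interface-scoping) the 9091 rule keeps the existing access path and closes the direct one; the `-i retiolum`/`-i wiregrill` restriction used for the smbd rules would suit the radarr/sonarr/prowlarr/bazarr/jellyfin ports as well, since those are likewise proxied. The `bruellwuerfel` unit has no `User=`/`DynamicUser=` and runs `deno run -A` (all permissions), so the IRC bot runs as root; `DynamicUser = true;` and a narrower deno permission set would contain it. Inside the samba `extraConfig` a second `[global]` header appears after `security = user` — harmless, since NixOS already places `extraConfig` under `[global]`, but it reads like a leftover. The `# smbd` comment also covers the 111/2049/4000-4002 rules, which are rpcbind/NFS ports rather than smbd; a more accurate comment would help.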


@ -0,0 +1,12 @@
{ config, pkgs, ... }:
{
services.nginx.virtualHosts."flix.lassul.us" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://yellow.r:8096";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
}


@ -0,0 +1,17 @@
{ config, pkgs, ... }:
{
services.nginx.virtualHosts."radio.lassul.us" = {
enableACME = true;
addSSL = true;
locations."/" = {
# recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://radio.r";
extraConfig = ''
proxy_set_header Host radio.r;
# get source ip for weather reports
proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr";
'';
};
};
}
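Review bot: `proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr"` appends the client address to a header the client itself controls, so a visitor who already places `client-ip=` in their own User-Agent can make the backend read a value of their choosing, depending on how it parses; it also diverges from what every other proxy in this tree does. If `radio.r` can read a dedicated header, `proxy_set_header X-Real-IP $remote_addr;` (or `X-Forwarded-For`, which the commented-out `recommendedProxySettings` would set) is written by nginx and cannot be supplied by the client; otherwise a comment noting that the backend only honours the trailing `client-ip=` token would at least document the assumption. `addSSL` leaves plain HTTP served too; `forceSSL` is what the `flix.lassul.us` host in this commit uses.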


@ -1,12 +1,13 @@
{ config, pkgs, lib, ... }: with import <stockholm/lib>; let { config, pkgs, lib, ... }: with import <stockholm/lib>; let
xdg-open-wrapper = pkgs.writeDashBin "xdg-open" '' xdg-open-wrapper = pkgs.writeDashBin "xdg-open" ''
/run/wrappers/bin/sudo -u lass ${xdg-open} "$@" exec ${xdg-open}/bin/xdg-open "$@" >> /tmp/xdg-debug.log 2>&1
''; '';
xdg-open = pkgs.writeBash "xdg-open" '' xdg-open = pkgs.writeBashBin "xdg-open" ''
set -e set -xe
FILE="$1" FILE="$1"
PATH=/run/current-system/sw/bin
mime= mime=
case "$FILE" in case "$FILE" in
@ -35,15 +36,13 @@
case "$mime" in case "$mime" in
special/mailaddress) special/mailaddress)
urxvtc --execute vim "$FILE" ;; alacritty --execute vim "$FILE" ;;
${optionalString (hasAttr "browser" config.lass) ''
text/html) text/html)
${config.lass.browser.select}/bin/browser-select "$FILE" ;; firefox "$FILE" ;;
text/xml) text/xml)
${config.lass.browser.select}/bin/browser-select "$FILE" ;; firefox "$FILE" ;;
''}
text/*) text/*)
urxvtc --execute vim "$FILE" ;; alacritty --execute vim "$FILE" ;;
image/*) image/*)
sxiv "$FILE" ;; sxiv "$FILE" ;;
application/x-bittorrent) application/x-bittorrent)
@ -51,17 +50,18 @@
application/pdf) application/pdf)
zathura "$FILE" ;; zathura "$FILE" ;;
inode/directory) inode/directory)
sudo -u lass -i urxvtc --execute mc "$FILE" ;; alacritty --execute mc "$FILE" ;;
*) *)
# open dmenu and ask for program to open with # open dmenu and ask for program to open with
$(dmenu_path | dmenu) "$FILE";; runner=$(print -rC1 -- ''${(ko)commands} | dmenu)
exec $runner "$FILE";;
esac esac
''; '';
in { in {
environment.systemPackages = [ xdg-open-wrapper ]; environment.systemPackages = [ xdg-open-wrapper ];
security.sudo.extraConfig = '' security.sudo.extraConfig = ''
cr ALL=(lass) NOPASSWD: ${xdg-open} * cr ALL=(lass) NOPASSWD: ${xdg-open}/bin/xdg-open *
ff ALL=(lass) NOPASSWD: ${xdg-open} * ff ALL=(lass) NOPASSWD: ${xdg-open}/bin/xdg-open *
''; '';
} }
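Review bot: The new `xdg-open` script is created with `pkgs.writeBashBin`, but the dmenu fallback `runner=$(print -rC1 -- ''${(ko)commands} | dmenu)` is zsh syntax (`print` and the `(ko)` parameter flag); under bash `${(ko)commands}` is a bad substitution, so the `*)` branch errors out instead of offering a chooser. A bash equivalent is `runner=$(compgen -c | sort -u | dmenu)` followed by `[ -n "$runner" ] || exit 1` before the `exec`. The wrapper also appends every invocation, with `set -x` tracing, to the fixed shared path `/tmp/xdg-debug.log`, which records each opened file name and URL where other local users may read or pre-create it; a path under `$XDG_RUNTIME_DIR`, or removing the log once debugging is done, would avoid that. Finally, the wrapper no longer calls `sudo -u lass`, yet the `security.sudo.extraConfig` lines still let the `cr` and `ff` users run this script as `lass` with arbitrary arguments, and its fallback executes whatever is chosen; if those users went away with `xjail.nix`/`browsers.nix` in this commit, the two sudo lines should go too.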


@ -159,14 +159,14 @@ myKeyMap =
${pkgs.clipmenu}/bin/clipmenu ${pkgs.clipmenu}/bin/clipmenu
''}") ''}")
, ("M4-<F2>", windows copyToAll)
, ("M4-<F4>", spawn "${pkgs.nm-dmenu}/bin/nm-dmenu")
, ("M4-<Insert>", spawn "${pkgs.writeDash "paste" '' , ("M4-<Insert>", spawn "${pkgs.writeDash "paste" ''
${pkgs.coreutils}/bin/sleep 0.4 ${pkgs.coreutils}/bin/sleep 0.4
${pkgs.xclip}/bin/xclip -o | ${pkgs.xdotool}/bin/xdotool type -f - ${pkgs.xclip}/bin/xclip -o | ${pkgs.xdotool}/bin/xdotool type -f -
''}") ''}")
, ("M4-<F1>", spawn "/run/current-system/sw/bin/gamepad_mouse_toggle")
, ("M4-<F2>", windows copyToAll)
, ("M4-<F4>", spawn "${pkgs.nm-dmenu}/bin/nm-dmenu")
, ("M4-<F5>", spawn "${pkgs.acpilight}/bin/xbacklight -set 1") , ("M4-<F5>", spawn "${pkgs.acpilight}/bin/xbacklight -set 1")
, ("M4-<F6>", spawn "${pkgs.acpilight}/bin/xbacklight -set 10") , ("M4-<F6>", spawn "${pkgs.acpilight}/bin/xbacklight -set 10")
, ("M4-<F7>", spawn "${pkgs.acpilight}/bin/xbacklight -set 33") , ("M4-<F7>", spawn "${pkgs.acpilight}/bin/xbacklight -set 33")


@ -1,14 +0,0 @@
{ config, pkgs, ... }:
{
krebs.sync-containers3.containers.yellow = {
sshKey = "${toString <secrets>}/yellow.sync.key";
};
containers.yellow.bindMounts."/var/lib" = {
hostPath = "/var/lib/sync-containers3/yellow/state";
isReadOnly = false;
};
containers.yellow.bindMounts."/var/download" = {
hostPath = "/var/download";
isReadOnly = false;
};
}


@ -1,94 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
cfg = config.lass.browser;
browserScripts = {
brave = "${pkgs.brave}/bin/brave";
chrome = "${pkgs.google-chrome}/bin/chrome";
chromium = "${pkgs.ungoogled-chromium}/bin/chromium";
firefox = "${pkgs.firefox.override {
extraNativeMessagingHosts = [ pkgs.tridactyl-native ];
}}/bin/firefox";
qutebrowser = "${pkgs.qutebrowser}/bin/qutebrowser";
};
browser-select = let
sortedPaths = sort (a: b: a.value.precedence > b.value.precedence)
(filter (x: ! x.value.hidden)
(mapAttrsToList (name: value: { inherit name value; })
cfg.config));
in if (lib.length sortedPaths) > 1 then
pkgs.writeScriptBin "browser-select" ''
BROWSER=$(echo -e "${concatStringsSep "\\n" (map (getAttr "name") sortedPaths)}" | ${pkgs.dmenu}/bin/dmenu)
case $BROWSER in
${concatMapStringsSep "\n" (n: ''
${n.name})
export BIN=${config.lass.xjail-bins.${n.name}}/bin/${n.name}
;;
'') (sortedPaths)}
esac
$BIN "$@"
''
else
let
name = (lib.head sortedPaths).name;
in pkgs.writeScriptBin "browser-select" ''
${config.lass.xjail-bins.${name}}/bin/${name} "$@"
''
;
in {
options.lass.browser = {
select = mkOption {
type = types.path;
};
config = mkOption {
type = types.attrsOf (types.submodule ({ config, ... }: {
options = {
name = mkOption {
type = types.str;
default = config._module.args.name;
};
hidden = mkOption {
type = types.bool;
default = false;
};
precedence = mkOption {
type = types.int;
default = 0;
};
user = mkOption {
type = types.str;
default = config._module.args.name;
};
browser = mkOption {
type = types.enum (attrNames browserScripts);
default = "brave";
};
groups = mkOption {
type = types.listOf types.str;
default = [];
};
};
}));
default = {};
};
};
config = (mkIf (cfg.config != {}) {
lass.xjail = mapAttrs' (name: browser:
nameValuePair name {
script = browserScripts.${browser.browser};
groups = browser.groups;
}
) cfg.config;
environment.systemPackages = (map (browser:
config.lass.xjail-bins.${browser.name}
) (attrValues cfg.config)) ++ [
browser-select
];
lass.browser.select = browser-select;
});
}


@ -12,8 +12,6 @@ _:
./pyload.nix ./pyload.nix
./screenlock.nix ./screenlock.nix
./usershadow.nix ./usershadow.nix
./xjail.nix
./autowifi.nix ./autowifi.nix
./browsers.nix
]; ];
} }


@ -1,173 +0,0 @@
{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
{
options.lass.xjail = mkOption {
type = types.attrsOf (types.submodule ({ config, ...}: {
options = {
name = mkOption {
type = types.str;
default = config._module.args.name;
};
user = mkOption {
type = types.str;
default = config.name;
};
groups = mkOption {
type = types.listOf types.str;
default = [];
};
from = mkOption {
type = types.str;
default = "lass";
};
display = mkOption {
type = types.str;
default = toString (genid_uint31 config._module.args.name);
};
dpi = mkOption {
type = types.int;
default = 90;
};
extraXephyrArgs = mkOption {
type = types.str;
default = "";
};
extraVglrunArgs = mkOption {
type = types.str;
default = "";
};
script = mkOption {
type = types.path;
default = pkgs.writeScript "echo_lol" "echo lol";
};
wm = mkOption {
#TODO find type
type = types.str;
defaultText = "script";
default = "${pkgs.writeHaskellPackage "xephyrify-xmonad" {
executables.xmonad = {
extra-depends = [
"containers"
"unix"
"xmonad"
];
text = /* haskell */ ''
module Main where
import XMonad
import Data.Monoid
import System.Posix.Process (executeFile)
import qualified Data.Map as Map
main :: IO ()
main = do
xmonad def
{ workspaces = [ "1" ]
, layoutHook = myLayoutHook
, keys = myKeys
, normalBorderColor = "#000000"
, focusedBorderColor = "#000000"
, handleEventHook = myEventHook
}
myEventHook :: Event -> X All
myEventHook (ConfigureEvent { ev_event_type = 22 }) = do
spawn "${pkgs.xorg.xrandr}/bin/xrandr >/dev/null 2>&1"
return (All True)
myEventHook _ = do
return (All True)
myLayoutHook = Full
myKeys _ = Map.fromList []
'';
};
}}/bin/xmonad";
};
};
}));
default = {};
};
options.lass.xjail-bins = mkOption {
type = types.attrsOf types.path;
};
# implementation
config = let
scripts = mapAttrs' (name: cfg:
let
newOrExisting = pkgs.writeDash "${cfg.name}-existing" ''
DISPLAY=:${cfg.display} ${pkgs.xorg.xrandr}/bin/xrandr
if test $? -eq 0; then
echo using existing xephyr
${sudo_} "$@"
else
echo starting new xephyr
${xephyr_} "$@"
fi
'';
xephyr_ = pkgs.writeDash "${cfg.name}-xephyr" ''
${pkgs.xorg.xorgserver}/bin/Xephyr -br -ac -reset -terminate -resizeable -nolisten local -dpi ${toString cfg.dpi} ${cfg.extraXephyrArgs} :${cfg.display} &
XEPHYR_PID=$!
DISPLAY=:${cfg.display} ${cfg.wm} &
WM_PID=$!
${sudo_} "$@"
${pkgs.coreutils}/bin/kill $WM_PID
${pkgs.coreutils}/bin/kill $XEPHYR_PID
'';
# TODO fix xephyr which doesn't honor resizes anymore
sudo_ = pkgs.writeDash "${cfg.name}-sudo" ''
#/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:0 --uid=${cfg.name} .host ${cfg.script} "$@"
'';
in nameValuePair name {
existing = newOrExisting;
xephyr = xephyr_;
sudo = sudo_;
}
) config.lass.xjail;
in {
users.users = mapAttrs' (_: cfg:
nameValuePair cfg.name {
uid = genid_uint31 cfg.name;
home = "/home/${cfg.name}";
useDefaultShell = true;
createHome = true;
extraGroups = cfg.groups;
isNormalUser = true;
}
) config.lass.xjail;
users.groups = mapAttrs' (_: cfg:
nameValuePair cfg.name {
members = [
cfg.name
cfg.from
];
}
) config.lass.xjail;
security.polkit.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: ''
polkit.addRule(function(action, subject) {
if (
subject.user == "${cfg.from}" &&
action.id == "org.freedesktop.machine1.host-shell" &&
action.lookup("user") == "${cfg.user}" &&
action.lookup("program") == "${cfg.script}" &&
true
) {
return polkit.Result.YES;
}
});
'') config.lass.xjail));
lass.xjail-bins = mapAttrs' (name: cfg:
nameValuePair name (pkgs.writeScriptBin cfg.name ''
${scripts.${name}.sudo} "$@"
'')
) config.lass.xjail;
};
}