Merge remote-tracking branch 'lass/master'

krebs/3modules/shared/default.nix

@@ -13,12 +13,8 @@ let
     cores = 1;
     nets = {
       retiolum = {
-        ip4.addr = "10.243.111.111";
+        ip4.addr = "10.243.73.57";
         ip6.addr = "42:0:0:0:0:0:0:7357";
-        aliases = [
-          "test.r"
-          "test.retiolum"
-        ];
         tinc.pubkey = ''
           -----BEGIN RSA PUBLIC KEY-----
           MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd

krebs/5pkgs/irc-announce/default.nix

@@ -29,12 +29,10 @@ pkgs.writeDashBin "irc-announce" ''
   # privmsg_cat transforms stdin to a privmsg
   privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
 
-  # we cd to /tmp here to be able to create a tmpdir in the first place
-  cd /tmp
   # ircin is used to feed the output of netcat back to the "irc client"
   # so we can implement expect-like behavior with sed^_^
   # XXX mkselfdestructingtmpfifo would be nice instead of this cruft
-  tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
+  tmpdir=$(mktemp --tmpdir -d irc-announce_XXXXXXXX)
   cd "$tmpdir"
   mkfifo ircin
   trap "

lass/1systems/icarus.nix

@@ -13,6 +13,7 @@ with import <stockholm/lib>;
     ../2configs/programs.nix
     ../2configs/fetchWallpaper.nix
     ../2configs/backups.nix
+    ../2configs/games.nix
     #{
     #  users.extraUsers = {
     #    root = {

lass/1systems/mors.nix

@@ -307,20 +307,16 @@ with import <stockholm/lib>;
 
     #Runtime PMs
     echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
-    echo 'auto' > '/sys/bus/pci/devices/0000:00:16.3/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
     echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
   '';

lass/1systems/prism.nix

@@ -26,6 +26,7 @@ in {
     ../2configs/iodined.nix
     ../2configs/libvirt.nix
     ../2configs/hfos.nix
+    ../2configs/makefu-sip.nix
     {
       users.extraGroups = {
         # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories

lass/2configs/baseX.nix

@@ -7,7 +7,12 @@ in {
     ./xserver
     ./mpv.nix
     ./power-action.nix
-    ./pulse.nix
+    {
+      hardware.pulseaudio = {
+        enable = true;
+        systemWide = true;
+      };
+    }
   ];
 
   users.extraUsers.mainUser.extraGroups = [ "audio" "video" ];

lass/2configs/default.nix

@@ -22,6 +22,7 @@ with import <stockholm/lib>;
           openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
             config.krebs.users.lass-shodan.pubkey
+            config.krebs.users.lass-icarus.pubkey
           ];
         };
         mainUser = {
@@ -38,6 +39,7 @@ with import <stockholm/lib>;
           openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
             config.krebs.users.lass-shodan.pubkey
+            config.krebs.users.lass-icarus.pubkey
           ];
         };
       };

lass/2configs/games.nix

@@ -51,6 +51,8 @@ in {
     };
   };
 
+  hardware.pulseaudio.support32Bit = true;
+
   security.sudo.extraConfig = ''
     ${mainUser.name} ALL=(games) NOPASSWD: ALL
   '';

lass/2configs/makefu-sip.nix

@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+  users.users.makefu = {
+    uid = genid "makefu";
+    isNormalUser = true;
+    extraGroups = [ "libvirtd" ];
+    openssh.authorizedKeys.keys = [
+      config.krebs.users.makefu.pubkey
+    ];
+  };
+
+  krebs.iptables.tables.nat.PREROUTING.rules = [
+    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 10022"; target = "DNAT --to-destination 192.168.122.136:22"; }
+  ];
+
+  krebs.iptables.tables.filter.FORWARD.rules = [
+    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.136 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+  ];
+}

lass/2configs/pulse.nix

@@ -1,96 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-let
-  pkg = pkgs.pulseaudioLight;
-  runDir = "/run/pulse";
-
-  alsaConf = pkgs.writeText "asound.conf" ''
-    ctl_type.pulse {
-      libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;
-    }
-    pcm_type.pulse {
-      libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;
-    }
-    ctl.!default {
-      type pulse
-    }
-    pcm.!default {
-      type pulse
-    }
-  '';
-
-  clientConf = pkgs.writeText "client.conf" ''
-    autospawn=no
-    default-server = unix:${runDir}/socket
-  '';
-
-  daemonConf = pkgs.writeText "daemon.conf" ''
-    exit-idle-time=-1
-    flat-volumes = no
-    default-fragments = 4
-    default-fragment-size-msec = 25
-  '';
-
-  configFile = pkgs.writeText "default.pa" ''
-    .include ${pkg}/etc/pulse/default.pa
-    load-module ${toString [
-      "module-native-protocol-unix"
-      "auth-anonymous=1"
-      "socket=${runDir}/socket"
-    ]}
-  '';
-in
-
-{
-  environment = {
-    etc = {
-      "asound.conf".source = alsaConf;
-      # XXX mkForce is not strong enough (and neither is mkOverride) to create
-      # /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
-      #"pulse/client.conf" = mkForce { source = clientConf; };
-      #"pulse/client.conf".source = mkForce clientConf;
-      "pulse/default.pa".source = configFile;
-      "pulse/daemon.pa".source = daemonConf;
-    };
-    systemPackages = [
-      pkg
-    ] ++ optionals config.services.xserver.enable [
-      pkgs.pavucontrol
-    ];
-  };
-
-  # Allow PulseAudio to get realtime priority using rtkit.
-  security.rtkit.enable = true;
-
-  system.activationScripts.pulseaudio-hack = ''
-    ln -fns ${clientConf} /etc/pulse/client.conf
-  '';
-
-  systemd.services.pulse = {
-    wantedBy = [ "sound.target" ];
-    before = [ "sound.target" ];
-    environment = {
-      PULSE_RUNTIME_PATH = "${runDir}/home";
-    };
-    serviceConfig = {
-      ExecStart = "${pkg}/bin/pulseaudio";
-      ExecStartPre = pkgs.writeDash "pulse-start" ''
-        install -o pulse -g audio -m 0750 -d ${runDir}
-        install -o pulse -g audio -m 0700 -d ${runDir}/home
-      '';
-      PermissionsStartOnly = "true";
-      User = "pulse";
-    };
-  };
-
-  users = {
-    groups.pulse.gid = config.users.users.pulse.uid;
-    users.pulse = {
-      uid = genid "pulse";
-      group = "pulse";
-      extraGroups = [ "audio" ];
-      home = "${runDir}/home";
-    };
-  };
-}

lass/2configs/tests/dummy-secrets/grafana_security.nix

@@ -0,0 +1,4 @@
+{
+  adminUser = "bla";
+  adminPassword = "blub";
+}

lass/2configs/websites/fritz.nix

@@ -23,6 +23,9 @@ let
   '';
 
 in {
+
+  services.nginx.enable = true;
+
   imports = [
     ./sqlBackup.nix