Merge remote-tracking branch 'prism/master'

tv 2022-11-22 19:38:36 +01:00
commit 1c4e27473c
36 changed files with 1440 additions and 304 deletions


@ -10,14 +10,10 @@
Charset = "utf-8"; Charset = "utf-8";
}; };
telegram.krebs.Token = bridgeBotToken; telegram.krebs.Token = bridgeBotToken;
irc = let irc.hackint = {
Server = "irc.hackint.org:6697";
UseTLS = true;
Nick = "ponte"; Nick = "ponte";
in {
hackint = {
Server = "irc.hackint.org:6697";
UseTLS = true;
inherit Nick;
};
}; };
gateway = [ gateway = [
{ {


@ -4,10 +4,7 @@
"shodan" "shodan"
"mors" "mors"
"styx" "styx"
"puyak"
]; ];
hostIp = "10.233.2.101";
localIp = "10.233.2.102";
format = "plain"; format = "plain";
}; };
} }


@ -51,6 +51,29 @@ let
}; };
}; };
confuse = {
pattern = "^!confuse (.*)$";
activate = "match";
arguments = [1];
command = {
filename = pkgs.writeDash "confuse" ''
set -efu
export PATH=${makeBinPath [
pkgs.coreutils
pkgs.curl
pkgs.gnused
pkgs.stable-generate
]}
stable_url=$(stable-generate "$@")
paste_url=$(curl -Ss "$stable_url" |
curl -Ss https://p.krebsco.de --data-binary @- |
tail -1
)
echo "$_from: $paste_url"
'';
};
};
taskRcFile = builtins.toFile "taskrc" '' taskRcFile = builtins.toFile "taskrc" ''
confirmation=no confirmation=no
''; '';
@ -185,8 +208,9 @@ let
}; };
} }
{ {
pattern = "18@p"; pattern = ''^18@p\s+(\S+)\s+(\d+)m$'';
activate = "match"; activate = "match";
arguments = [1 2];
command = { command = {
env = { env = {
CACHE_DIR = "${stateDir}/krebsfood"; CACHE_DIR = "${stateDir}/krebsfood";
@ -202,14 +226,27 @@ let
osm-restaurants = pkgs.callPackage "${osm-restaurants-src}/osm-restaurants" {}; osm-restaurants = pkgs.callPackage "${osm-restaurants-src}/osm-restaurants" {};
in pkgs.writeDash "krebsfood" '' in pkgs.writeDash "krebsfood" ''
set -efu set -efu
ecke_lat=52.51252 export PATH=${makeBinPath [
ecke_lon=13.41740 osm-restaurants
${osm-restaurants}/bin/osm-restaurants --radius 500 --latitude "$ecke_lat" --longitude "$ecke_lon" \ pkgs.coreutils
| ${pkgs.jq}/bin/jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"' pkgs.curl
' pkgs.jq
]}
poi=$(curl -fsS http://c.r/poi.json | jq --arg name "$1" '.[$name]')
if [ "$poi" = null ]; then
latitude=52.51252
longitude=13.41740
else
latitude=$(echo "$poi" | jq -r .latitude)
longitude=$(echo "$poi" | jq -r .longitude)
fi
osm-restaurants --radius "$2" --latitude "$latitude" --longitude "$longitude" \
| jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"'
''; '';
}; };
} }
confuse
bedger-add bedger-add
bedger-balance bedger-balance
hooks.sed hooks.sed
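Review bot: The radius captured by `(\d+)m` in the new `18@p` pattern reaches `osm-restaurants --radius "$2"` with no upper bound, so anyone who can talk to the bot can request an arbitrarily large search area. Bounding it in the pattern, e.g. `(\d{1,4})m`, or rejecting large values in the script before the call would keep the query cost predictable. In the same script `poi.json` is fetched over plain HTTP and `.latitude`/`.longitude` are used without checking that they exist, so an entry lacking them would pass the literal string `null` to `--latitude`/`--longitude`. The `confuse` hook in the first hunk has a related gap: its inner `curl -Ss "$stable_url"` lacks `-f`, so an HTTP error body would be uploaded to the paste service and its URL posted to the channel.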


@ -54,7 +54,8 @@ Herr makefu an Kasse 3 bitte, Kasse 3 bitte Herr makefu. Der API Computer ist ma
EOF EOF
) )
state=$(curl -fSsk https://api.shackspace.de/v1/space | jq .doorState.open) payload=$(curl -fSsk https://api.shackspace.de/v1/space)
state=$(printf '%s' "$payload" | jq .doorState.open)
prevstate=$(cat state ||:) prevstate=$(cat state ||:)
if test "$state" == "$(cat state)";then if test "$state" == "$(cat state)";then
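Review bot: The new `payload=$(curl -fSsk …)` line keeps `-k`, which turns off TLS certificate verification, so the door state this script acts on can be supplied by anyone able to intercept the connection to api.shackspace.de. Dropping the flag (`curl -fSs https://api.shackspace.de/v1/space`) restores verification; if the endpoint's certificate does not validate against the system store, pinning its CA with `--cacert` is the narrower workaround. The script continues outside this hunk, so later uses of `$payload` are not visible here.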


@ -115,6 +115,7 @@ let
build_name = stage, build_name = stage,
build_script = stages[stage], build_script = stages[stage],
), ),
timeout = 3600,
command="${pkgs.writeDash "build.sh" '' command="${pkgs.writeDash "build.sh" ''
set -xefu set -xefu
profile=${shell.escape profileRoot}/$build_name profile=${shell.escape profileRoot}/$build_name


@ -122,7 +122,7 @@
# reloadIfChanged = true; # reloadIfChanged = true;
restartTriggers = [ configFile ]; restartTriggers = [ configFile ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml"; ExecStart = "${pkgs.ergochat}/bin/ergo run --conf /etc/ergo.yaml";
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
DynamicUser = true; DynamicUser = true;
StateDirectory = "ergo"; StateDirectory = "ergo";


@ -929,5 +929,30 @@ in {
}; };
}; };
}; };
ruby = {
owner = config.krebs.users.mic92;
nets = rec {
retiolum = {
aliases = [ "ruby.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----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==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "TV9byzSblknvqdUjQCwjgLmA8qCB4Tnl/DSd2mbsZTJ";
};
};
};
}; };
} }


@ -1,12 +1,6 @@
with import <stockholm/lib>; with import <stockholm/lib>;
{ config, ... }: let { config, ... }: let
hostDefaults = hostName: host: flip recursiveUpdate host {
ci = true;
monitoring = true;
owner = config.krebs.users.lass;
};
r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address; r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address;
w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address; w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address;
@ -16,6 +10,7 @@ in {
}; };
hosts = mapAttrs (_: recursiveUpdate { hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.lass; owner = config.krebs.users.lass;
consul = true;
ci = true; ci = true;
monitoring = true; monitoring = true;
}) { }) {
@ -418,6 +413,7 @@ in {
}; };
xerxes = { xerxes = {
cores = 2; cores = 2;
consul = false;
nets = rec { nets = rec {
retiolum = { retiolum = {
ip4.addr = "10.243.1.3"; ip4.addr = "10.243.1.3";
@ -592,7 +588,53 @@ in {
syncthing.id = "CADHN7J-CWRCWTZ-3GZRLII-JBVZN4N-RGHDGDL-UTAJNYI-RZPHK55-7EYAWQM"; syncthing.id = "CADHN7J-CWRCWTZ-3GZRLII-JBVZN4N-RGHDGDL-UTAJNYI-RZPHK55-7EYAWQM";
}; };
massulus = {
cores = 1;
ci = false;
nets = {
retiolum = {
ip4.addr = "10.243.0.113";
ip6.addr = r6 "113";
aliases = [
"massulus.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApwYalnJ2E1e3WOttPCpt
ypNm2adUXS/pejcbF68oRvgv6NRMOKVkoFVEzdnCLYTkYkwcpGd+oRO91F+ekZrN
ndEoicuzHNyG6NTXfW3Sjj9Au/NoAVwOJxAztzXMBAsH5pi4PSiqIQZC4l6cyv2K
zUNm1LvW5Z5/W0J5XCUw3/B4Py7V/HjW9Yxe8MCaCVVP2kF5SwjmfQ+Yp+8csvU3
F30xFjcTJjjWUPSkubgxtsfkrbbjzdMZhKldi3l9LhbYWD8O4bUTrTau/Emaaf6e
v5paVh9Kczwg7Ugk9Co3GL4tKOE2I7kRQV2Rg0M5NcRBUwfxkl6JTI2PmY0fNmYd
kdLQ1fKlFOrkyHuPBjZET1UniomlLpdycyyZii+YWLoQNj4JlFl8nAlPbqkiy8EF
LcHvB2VfdjjyBY25TtYPjFzFsEYKd8HQ7djs8rvJvmhu4tLDD6NaOqJPWMo7I7rW
EavQWZd+CELCJNN8eJhYWIGpnq+BI00FKayUAX+OSObYCHD1AikiiIaSjfDCrCJb
KVDj/uczOjxHk6TUVbepFA7C8EAxZ01sgHtUDkIfvcDMs4DGn88PmjPW+V/4MfKl
oqT7aVv6BYJdSK63rH3Iw+qTvdtzj+vcoO+HmRt2I2Be4ZPSeDrt+riaLycrVF00
yFmvsQgi48/0ZSwaVGR8lFUCAwEAAQ==
-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "QwKNyv97Q2/fmPrVkgbGIhDTVW+uKu+F2enGCtZJgkM";
port = 1655;
};
};
wiregrill = {
ip6.addr = w6 "113";
aliases = [
"massulus.w"
];
wireguard.pubkey = ''
4wXpuDBEJS8J1bxS4paz/eZP1MuMfgHDCvOPn4TYtHQ=
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH8lFXZ/d2NtqyrpslTGRNBR7FJZCJ6i3UPy0LDl9t7 ";
};
phone = { phone = {
consul = false;
nets = { nets = {
wiregrill = { wiregrill = {
ip4.addr = "10.244.1.13"; ip4.addr = "10.244.1.13";
@ -608,6 +650,7 @@ in {
syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ"; syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ";
}; };
tablet = { tablet = {
consul = false;
nets = { nets = {
wiregrill = { wiregrill = {
ip4.addr = "10.244.1.14"; ip4.addr = "10.244.1.14";
@ -622,6 +665,7 @@ in {
ci = false; ci = false;
}; };
hilum = { hilum = {
consul = false;
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
@ -797,6 +841,7 @@ in {
}; };
lasspi = { lasspi = {
consul = false;
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
@ -840,6 +885,7 @@ in {
}; };
domsen-pixel = { domsen-pixel = {
consul = false;
nets = { nets = {
wiregrill = { wiregrill = {
ip4.addr = "10.244.1.17"; ip4.addr = "10.244.1.17";


@ -58,52 +58,100 @@ D7u4ShvPtxqFf+mv/4eHYx2akBIIUQYAf5OYGnE3E0kqiuK4qHKgt1NI5z1mSd9D
duWIuoRbBUrApTKsHgwtMxNrNVioGIE1dTRuu56drhwY2ZPyzVtSb7q/hRU/a3UZ duWIuoRbBUrApTKsHgwtMxNrNVioGIE1dTRuu56drhwY2ZPyzVtSb7q/hRU/a3UZ
5S6EsrmDGIIlAHrgKfKfuerESE5VzN1Nn3QHpfjwX+gq51cosTqlRiu4oMesPk31 5S6EsrmDGIIlAHrgKfKfuerESE5VzN1Nn3QHpfjwX+gq51cosTqlRiu4oMesPk31
ZmPcuG6H/m7nGagX9+l00sDsqISqMG4lZCJAFa020OS/g6V3q6LCqggky6+4sQTG ZmPcuG6H/m7nGagX9+l00sDsqISqMG4lZCJAFa020OS/g6V3q6LCqggky6+4sQTG
5HB8jGba2tXMSQfBQEtDFve6agiRTw8z1V8s1gPCMmPhsLi5Ag0EXaJN1gEQANML 5HB8jGba2tXMSQfBQEtDFve6agiRTw8z1V8s1gPCMmPhsLiJBGwEGAEKACACGwIW
yxoeknGlTtkG640UP5ZkUEojwXxlni3v2dpWEaEJO9yqvkELCWum5pRz+iDzoDFS IQTbzXV4RgabOS6pQB1mV76KjR7oBwUCY1E8SAJAwXQgBBkBCgAdFiEEVAotn4qI
lUPnP3YKVFkLbAlk56abIAQ6VK7wkOSHCw1F7LlCY830bRkgGJ8/b8us9KpET6Am hqe83vdsfheGip18nM8FAl2iTZIACgkQfheGip18nM9DVxAAuqX7iztddbttkIfN
ei7OGYVtqNBUodEJi6XkH5q9RLQeVR+7ynt0LTAxO/mMFYc3nhccrhadubhh5rTd 65R5XJPjz7NRg0AI8G+1qnkvF3c2ufNjL++BJSvlbi/2ov92S+0CPF08E4kDsHjA
e/UcxBL/zYx8tCBy2F4ep6Anx02HOauTwaqk4KLhB9IcdS8sJQHFY7iEVWNcovwF /JM782D6lDfSZltW4YBBqkJZdtiPElcIqIhM6EX7fs3Ag/RjUVPb4tYkH20xcNhy
8luGEGPJOdOPTMZz4jD4aWFqbT6ragWaG8tisLEe9UhET2LL3r/4DIgAJY4bwg5T l+0RdBuSvR0+KOXXBfoNmsyQM4/hUKiWW3vGOZOBmYPNcvAQcMs+p4D5JHQcOyxg
ZyK/1j+Nj1IyYkQ9A6YF96Y5XCi9DF0MYq9NytWNnMCT8F4QCCDRWhgql714/Er/ tXyiXU/VxvUWI7cH6I7daRDTFR3L4zXoIrRwqEgxIqof2Zm4smoHDLfXxGQrcjj6
qfwnT2M6m8P4OS1sAHv5vDDYXezB0WrJNstYvhtHhi4ctuolBuwOb7nyIBlZovhk eKkn/gt/T7qYxnhcG5guS2DwIay5c7xV1xuB7pDgM1On56heD21DI4vtXXnTkjo7
5/6IAFmoUprfGHOuttEcPTRDGv737cR1cYaz5QMuz2svNU3ivI/tYfIQwMAjv84A /6hsw2e6TBcn295fEekvBupYVwazefBSlr2f3xxlDvd35D5tWZRVGspzxO15DcTa
ZN2wl63QkghYo/dm9a5Ex78CNwZD/z7HOE3zD+Rd0C9/hXLpVVhN0mKmDzgJHPUo TglOeNtRnYGRwHwE/tiJ0G0uwGfvaI0xeexuhnTfvEkpJ4SJ/iMl+FpOw7I35H7m
VDk//P3YgzM+dtUWWPJ1FfaTz2543V9MwVWUJQj0DIgl4noLHX3wkd/d4gYGAhlW z8MrRNMjtR+Es8gzuw7hNErmbh0SLZvddoPnqt9kF8ayA1iz1X9KiBkkj3EbvI99
kBxkbQPJ4NT7EKBFk44fa6DVuGOGatBAxKQq1GftABEBAAGJAjwEGAEKACYCGwwW jYjdDDm5lsxCZKLSX4r9Mp236K6DMGlifRN2AfdXziXhPABQkKE5m7kcn1gALn9M
IQTbzXV4RgabOS6pQB1mV76KjR7oBwUCX4l2DwUJBamPOQAKCRBmV76KjR7oB/Ds cg5HgeXTdxan6QP35ygDtmNldJGEP+AWAZ4RwaFK8P3/oqQ/8XhnkwH5n2SPd8WQ
D/96TGfHa6BW1v2kUyHUKmpdk62UhZz49nTsOu1JeMI2cDMLkKaPyeKLsRpzV2qc qnldvrtajUzUegvJUstLS5B1TFQJEGZXvoqNHugHrtcP+waicH+WhpbvPoHJW//U
OoG1dal7dgjtzKsWdz0HxrrbEs0rBJO4xOmg12Sv9fttTocTt2bQMe3d20Vihbi+ c7IwcrsOpWNuh0gKV1+LvBV9dGzGZDlhwsncMeNzT8tnxDwhD1CiJ1uzO2H1m+yX
NDEx2PeyncYulDd8PNfDkh8vWUJQoThqimXoVARwKNuH2oDytGceIp+BZLOH8HRz CeljVnYFlP0sl9IT/AiV8NNiuaIpOc5RjRY1yvOZ017/J7Hyhnaw0iap1vNDNOwH
0ESH9nCAGw3gVX6vQPtjbMgoIXHAnAJkIe2boyyUHu2ZmD6CGjxGSSICMzShcDvN t7tzB1PvM3p6an4Jh0AJZF5adReQTbi9Zw7MW2Yf0XHTT4rFX+Mn5gcuvsV9n39d
kcyPKG5BbOGRpbehaMcOOiGH0NsudUPOsyxQt90bP/U+WHPhvOTGk0PqGaOf8QDE 6U3k5G6Hf1bSROsXNVwOwF6VbO8NvBm6ehgNyRcGsino/f82HRwvnQPhJgEakZ1h
saGlChd3wVK+uCGl60szcxQsbgzlEQVUG3tTW4QGfzL3XK5bHvuGj03Vb45005Y4 WWUUnakK14mRRMUns8CMNfFh+50ciK1Q8kAVgYLVA1H1NXM0+68YZMl5CiiaD3pM
6UCUP4ZkEYDsw1Hrn5bkPOP/Pc8Sz1MQt+nw1U3QXbHLxLb8fB82B6oDMakHPgaw 17flwcWUdkIu3uWAvc3hSCNw6i9F4Kx1yD/ZdiT0vBapa3ehUXIo5g79NcFl9xnQ
73HxYwbaXDswBb6BVTc86RmXRH1+StObDiJp+h16EqdsSyp15tSM80GRf1KaNKxc fnYG+nnl2bLZSHP8b+LZsGivOEZuBHoR2ComeTqqJxeT8ZsEdtLcloaSaf2Em2xf
MA4N7/i7j9M/z2fKWT7vTAGdcg8vhZH0MDQ9vRmYsuQZtoNieZVXnyQ/ILAgPhiL b9OfhGOC7hKfS4HAlLFbEydWuZuA8EpTXd6eqINCFbOb9BjpKvSCCLs5S3s7T4WE
pdyPffQV0BpWKd68C8kEhoMP0D3h6Uj88ZOuapyOCvsrBvR7SQOVh+L+KMjh1Xgx FQB7yHXQQgB1EzYaJxFZstkiD8exu/hiWfwVLaho09QbtPmt2u1lvbxiSxtCdphi
WvPJuoU4Jox4og85/Gz0Ui8EROYyHg5yqPqsBBmz6h8F7rkCDQRdok4KARAAyG97 hoKc6wjhD8F9YM5xxitcF7iAV7oEDZ/1JVkvi/1gWFgW0UmEKuy2KN/Eb/mr41NJ
rjKhP8Uie1i/16SekDo+GkpodBmvhrZiZdwg75YxriHhgioe2AKKmQItOdZOY+mV bMauCCfjnCbAzoW6dhHpbO45uQINBF2iTdYBEADTC8saHpJxpU7ZBuuNFD+WZFBK
qMA63FmByDlPodHmQnrIAn/gr7p5V3lM+l0oVTI8maPO39iT7Nh6W/rv4ni8eMBk I8F8ZZ4t79naVhGhCTvcqr5BCwlrpuaUc/og86AxUpVD5z92ClRZC2wJZOemmyAE
L6P2cPPaTpcv76qWl/WcMiEflPNSAFaxyIapq04rafthcIILWmOBbQ+liMn9YT7a OlSu8JDkhwsNRey5QmPN9G0ZIBifP2/LrPSqRE+gJnouzhmFbajQVKHRCYul5B+a
6w3nF/Ig4Zxx7hoQE6/HrTC8HcENpCAceQQYAqIrlu8F5y1AQVWHjtyCPee1z/8l vUS0HlUfu8p7dC0wMTv5jBWHN54XHK4Wnbm4Yea03Xv1HMQS/82MfLQgctheHqeg
PNnPg40lSbXozg5kQDP965Pge6XReUoUVVRcgeiSUfkHdYPIkh/tkFy1MtzTNize J8dNhzmrk8GqpOCi4QfSHHUvLCUBxWO4hFVjXKL8BfJbhhBjyTnTj0zGc+Iw+Glh
buadqE41Ds6BD1maO5cpGc5iFnf+YY01vWIhwvgPMbAsUKrPOw/RyvYSwOrnWegh am0+q2oFmhvLYrCxHvVIRE9iy96/+AyIACWOG8IOU2civ9Y/jY9SMmJEPQOmBfem
pKuIRv+sBcDY0jJ799CHB2c8eiAYoTRm64rKyYS8RIilqTCmIHnpoSIq3n1wOlMV OVwovQxdDGKvTcrVjZzAk/BeEAgg0VoYKpe9ePxK/6n8J09jOpvD+DktbAB7+bww
X4sB4N4CfAZRAbI9LZfx1QEYn0dst9+mCDRJ/ALBxocKz0wRTpwU5nwP1Zz9TZVh 2F3swdFqyTbLWL4bR4YuHLbqJQbsDm+58iAZWaL4ZOf+iABZqFKa3xhzrrbRHD00
81wn1Ypj+mFb3aBggpwMLxbifmbsZmd1MwW9k3p2WTs8M1dLFM2ZNA9QmkgRSVFN Qxr+9+3EdXGGs+UDLs9rLzVN4ryP7WHyEMDAI7/OAGTdsJet0JIIWKP3ZvWuRMe/
6GTTpAyDOs+ZSGYM7MisG9/EvFbNx2BPg6qZH7JeMnlOZXXOg8K5VcLkiGuL1brO AjcGQ/8+xzhN8w/kXdAvf4Vy6VVYTdJipg84CRz1KFQ5P/z92IMzPnbVFljydRX2
Hlg94Axha8ffMmqjsde6XOAgvSl5P9k47SWOcZkAEQEAAYkCPAQYAQoAJgIbIBYh k89ueN1fTMFVlCUI9AyIJeJ6Cx198JHf3eIGBgIZVpAcZG0DyeDU+xCgRZOOH2ug
BNvNdXhGBps5LqlAHWZXvoqNHugHBQJfiXYPBQkFqY8FAAoJEGZXvoqNHugHuLUP 1bhjhmrQQMSkKtRn7QARAQABiQI8BBgBCgAmAhsMFiEE2811eEYGmzkuqUAdZle+
+gJ01mSEs3+0jriWqg7V+Q59rulMVrUdV2mjBtzz3gvF9PLiEnVEl7EgGdLpVIr/ io0e6AcFAl+Jdg8FCQWpjzkACgkQZle+io0e6Afw7A//ekxnx2ugVtb9pFMh1Cpq
Wr9QIiUnS1NNrDz8oeDf54Q+OXtQOiczGClK+yWSm/CM02+HATFws66umAl4GQ4X XZOtlIWc+PZ07DrtSXjCNnAzC5Cmj8nii7Eac1dqnDqBtXWpe3YI7cyrFnc9B8a6
qAJwdSDDKIHCP1/0VqXNQUOWW0GCCGCAdn55u4pf+B1rmkA3cWhN51SvAriA/YcG 2xLNKwSTuMTpoNdkr/X7bU6HE7dm0DHt3dtFYoW4vjQxMdj3sp3GLpQ3fDzXw5If
qmyJZgXO+qZOPWNHxNUdgq9lVEO132dhDzH1b9ufnvQMDxF2V681fQ7E3zWEJZZb L1lCUKE4aopl6FQEcCjbh9qA8rRnHiKfgWSzh/B0c9BEh/ZwgBsN4FV+r0D7Y2zI
YLRB4jrSz8oxipGRGKgDLiR7lyQ/xRU161jSawblBTcIRXK9c4hv178xQWAInMjt KCFxwJwCZCHtm6MslB7tmZg+gho8RkkiAjM0oXA7zZHMjyhuQWzhkaW3oWjHDjoh
Hst4YCpvclG26ypZLCzvw6swfnXf3A6Q4A8pZQVvogWZ01dlgofwHm8qlYxT7wSq h9DbLnVDzrMsULfdGz/1Plhz4bzkxpND6hmjn/EAxLGhpQoXd8FSvrghpetLM3MU
eicOu3FkSHD8vNwkXnMLqxwkFr4BcSefzCiXulyMcb3h67ZfXAYAFGrrR581vGEt LG4M5REFVBt7U1uEBn8y91yuWx77ho9N1W+OdNOWOOlAlD+GZBGA7MNR65+W5Dzj
Xy+xfXK5PqBX7CWEl3Vs2an9whEncZuv1I9iyXDUmGP7Y373JjqNtpS2GMMPA73k /z3PEs9TELfp8NVN0F2xy8S2/HwfNgeqAzGpBz4GsO9x8WMG2lw7MAW+gVU3POkZ
nB7eI/zpVS5qoxUlqw35Pldvt+L4E3hvrvE7iZE3w4lB9WUyY1OnSRDU10l2rqWt l0R9fkrTmw4iafodehKnbEsqdebUjPNBkX9SmjSsXDAODe/4u4/TP89nylk+70wB
Ptyk3LE2ed5hz5I+gy8/RsXrAooMBXIGV/GJrhye45wf5F/XQqPulnj38sKhmrQC nXIPL4WR9DA0Pb0ZmLLkGbaDYnmVV58kPyCwID4Yi6Xcj330FdAaVinevAvJBIaD
QTubPgJwG/kTpNdrA3YukE3E7T5ejaGTT2n5nKat6bj7 D9A94elI/PGTrmqcjgr7Kwb0e0kDlYfi/ijI4dV4MVrzybqFOCaMeKIPOfxs9FIv
=h9fX BETmMh4Ocqj6rAQZs+ofBe6JAjYEGAEKACACGwwWIQTbzXV4RgabOS6pQB1mV76K
jR7oBwUCY1E8SAAKCRBmV76KjR7oBwM+D/0evufvIWftzdge63hol1k4LdZSiSD9
bh+h8fb/Mm+2HIS8RweHr1+CS8CW/Om9MJoW0ZDsCmC0vU44/vLL3JzbP4+BDuVF
dky1XX/9Z73Fn/LpakITyXd6YJMsknzAA4ZEzhe4uModNSH5IU818I+/Vyvbe1nX
Hfg2FYva4zVn9E5Gd4vpHBF7D99dGg0vUINtux06WKfdsDB59MiZxCSWfqty+yTM
XWwh5fuFIxwjlkKVdrb45101MnUtzJDmxwPxjOpF+z2tJ0qIvs6Zu6FDEh7fcaJM
mKAPtVXKRxTYaS6j7fpNk5ACFgiHDb+0mI60fH0eiQSqp9Q7cyYbt1yiW2bKY4Pg
qDOtcLT+uIYYVmxBHTLx38gT3Gp83O7WqNZ9ouctIXAXHWwTNsKzMhwgaEmmPbkP
7VO8oZZ9hVphirmijgNO1Oz7Qqh5ORYwsGdvYtbPXD4ZUSpqFT5bTMHS5TKPHf70
5alkwYuwYfLs4m2zYsKadQ+vq12ZX7Z6+DbjfzWAEhzqLP2Y8yGnFSBSmULsALnj
Zg3RN5sxJe3fhTze09Fm8OTopTLoDH5fR91VPhRLGHahvV1Sm/H4ZdtAXTPsHP20
phAc8mK2DgEM0k7vDO5RtV4xTLjBopiciXIBL+TzCKGmDRX2+9nTyF3Kx9qjN52H
EFFJ1mTed/J7VrkCDQRdok4KARAAyG97rjKhP8Uie1i/16SekDo+GkpodBmvhrZi
Zdwg75YxriHhgioe2AKKmQItOdZOY+mVqMA63FmByDlPodHmQnrIAn/gr7p5V3lM
+l0oVTI8maPO39iT7Nh6W/rv4ni8eMBkL6P2cPPaTpcv76qWl/WcMiEflPNSAFax
yIapq04rafthcIILWmOBbQ+liMn9YT7a6w3nF/Ig4Zxx7hoQE6/HrTC8HcENpCAc
eQQYAqIrlu8F5y1AQVWHjtyCPee1z/8lPNnPg40lSbXozg5kQDP965Pge6XReUoU
VVRcgeiSUfkHdYPIkh/tkFy1MtzTNizebuadqE41Ds6BD1maO5cpGc5iFnf+YY01
vWIhwvgPMbAsUKrPOw/RyvYSwOrnWeghpKuIRv+sBcDY0jJ799CHB2c8eiAYoTRm
64rKyYS8RIilqTCmIHnpoSIq3n1wOlMVX4sB4N4CfAZRAbI9LZfx1QEYn0dst9+m
CDRJ/ALBxocKz0wRTpwU5nwP1Zz9TZVh81wn1Ypj+mFb3aBggpwMLxbifmbsZmd1
MwW9k3p2WTs8M1dLFM2ZNA9QmkgRSVFN6GTTpAyDOs+ZSGYM7MisG9/EvFbNx2BP
g6qZH7JeMnlOZXXOg8K5VcLkiGuL1brOHlg94Axha8ffMmqjsde6XOAgvSl5P9k4
7SWOcZkAEQEAAYkCPAQYAQoAJgIbIBYhBNvNdXhGBps5LqlAHWZXvoqNHugHBQJf
iXYPBQkFqY8FAAoJEGZXvoqNHugHuLUP+gJ01mSEs3+0jriWqg7V+Q59rulMVrUd
V2mjBtzz3gvF9PLiEnVEl7EgGdLpVIr/Wr9QIiUnS1NNrDz8oeDf54Q+OXtQOicz
GClK+yWSm/CM02+HATFws66umAl4GQ4XqAJwdSDDKIHCP1/0VqXNQUOWW0GCCGCA
dn55u4pf+B1rmkA3cWhN51SvAriA/YcGqmyJZgXO+qZOPWNHxNUdgq9lVEO132dh
DzH1b9ufnvQMDxF2V681fQ7E3zWEJZZbYLRB4jrSz8oxipGRGKgDLiR7lyQ/xRU1
61jSawblBTcIRXK9c4hv178xQWAInMjtHst4YCpvclG26ypZLCzvw6swfnXf3A6Q
4A8pZQVvogWZ01dlgofwHm8qlYxT7wSqeicOu3FkSHD8vNwkXnMLqxwkFr4BcSef
zCiXulyMcb3h67ZfXAYAFGrrR581vGEtXy+xfXK5PqBX7CWEl3Vs2an9whEncZuv
1I9iyXDUmGP7Y373JjqNtpS2GMMPA73knB7eI/zpVS5qoxUlqw35Pldvt+L4E3hv
rvE7iZE3w4lB9WUyY1OnSRDU10l2rqWtPtyk3LE2ed5hz5I+gy8/RsXrAooMBXIG
V/GJrhye45wf5F/XQqPulnj38sKhmrQCQTubPgJwG/kTpNdrA3YukE3E7T5ejaGT
T2n5nKat6bj7iQI2BBgBCgAgAhsgFiEE2811eEYGmzkuqUAdZle+io0e6AcFAmNR
PEgACgkQZle+io0e6AfQpg/+K0gD0WVyXYLOEM6jCvtz5/f9nDQnqj90ck9VfpuN
QG+cMSK/u3T4ya0k3UDWxEyRih0BzChOlmwnaupBwN7ZbYAzxM0sglwseSdAPpCE
s63RTnaAxpSWFocsUxtJngSoPnnmD1fVbWL3/j9j6jZkT4NB/l2ekDngMyRqt104
BmabaLdz44X1VDgg0tXyACkZ8c/8ISBOoPSFg2n9FuCmhI9Atu6hjCFQZOA/youA
fXzeUxU3iFw5UhyNP084jZ9AK2xwp+rB3JzvzMdiqO3OBFemuiU4/ZKQKFg5a/n4
UAZtO8V2DGe76o1N9uFUvQ41RSAXolPUOTXiZvP4GfiGIhJUXV96QaPHhKWybKlr
4MWG5PpwfuWnGoP8vXtLmz2TDRUfEBOQBzYRBRvXmzekq8nFQCM7dGofLLEchMRv
lYHab2fquGmXiY3LfzyQX+vS3FO9/m2POJcdXcQvSq4MXIzOEzXnJKw5HemfZ3ae
/AlTTfE4og/AYLwacECY6CZqUFOYtQeVx9hSXV97XnoKotde66D4RyFgzFbsIBM/
bA5qyvdpKb60hqjpj/rhXjlnhH8KwAwOlaPVgI1cgnW8uJTElJEtqHPhuRkU6y9f
au4EZ+tsmaxJ0whuziG1/3LJ62AIM9ZpixDEj4GQYaRdkFrx/1IKiUOlw5GQC3y2
zxs=
=MmP2
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----


@ -5,27 +5,55 @@ with import <stockholm/lib>;
plain = "/var/lib/containers/${cname}/var/state"; plain = "/var/lib/containers/${cname}/var/state";
ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs"; ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs";
securefs = "${cfg.dataLocation}/${cname}/securefs"; securefs = "${cfg.dataLocation}/${cname}/securefs";
luksfile = "${cfg.dataLocation}/${cname}/luksfile";
};
init = cname: {
plain = ''
echo 'no need for init'
'';
ecryptfs = ''
${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
'';
securefs = ''
${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
'';
luksfile = ''
${pkgs.coreutils}/bin/truncate -s 10G '${(paths cname).luksfile}/fs.luks'
${pkgs.cryptsetup}/bin/cryptsetup luksFormat '${(paths cname).luksfile}/fs.luks'
${pkgs.cryptsetup}/bin/cryptsetup luksOpen '${(paths cname).luksfile}/fs.luks' 'luksfile-${cname}'
${pkgs.xfsprogs}/bin/mkfs.xfs '/dev/mapper/luksfile-${cname}'
'';
}; };
start = cname: { start = cname: {
plain = '' plain = ''
: :
''; '';
ecryptfs = '' ecryptfs = ''
if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
else
${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
fi fi
else
echo 'please run init-${cname} first'
exit 1
fi fi
''; '';
securefs = '' securefs = ''
## TODO init file systems if it does not exist ## check if FS was initialized first
# ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions
fi fi
''; '';
luksfile = ''
mkdir -p /var/lib/containers/${cname}/var/state
if ! test -e /dev/mapper/luksfile-${cname}; then
${pkgs.cryptsetup}/bin/cryptsetup luksOpen '${(paths cname).luksfile}/fs.luks' 'luksfile-${cname}'
fi
if ! ${pkgs.mount}/bin/mount | grep -q '^/dev/mapper/luksfile-${cname} on /var/lib/containers/${cname}/var/state'; then
mount '/dev/mapper/luksfile-${cname}' '/var/lib/containers/${cname}/var/state'
fi
'';
}; };
stop = cname: { stop = cname: {
plain = '' plain = ''
@ -37,12 +65,16 @@ with import <stockholm/lib>;
securefs = '' securefs = ''
umount /var/lib/containers/${cname}/var/state umount /var/lib/containers/${cname}/var/state
''; '';
luksfile = ''
umount /var/lib/containers/${cname}/var/state
${pkgs.cryptsetup}/bin/cryptsetup luksClose luksfile-${cname}
'';
}; };
in { in {
options.krebs.sync-containers = { options.krebs.sync-containers = {
dataLocation = mkOption { dataLocation = mkOption {
description = '' description = ''
location where the encrypted sync-container lie around location where the encrypted sync-containers lie around
''; '';
default = "/var/lib/sync-containers"; default = "/var/lib/sync-containers";
type = types.absolute-pathname; type = types.absolute-pathname;
@ -64,25 +96,11 @@ in {
default = []; default = [];
type = types.listOf types.str; type = types.listOf types.str;
}; };
hostIp = mkOption { # TODO find this automatically
description = ''
hostAddress of the privateNetwork
'';
example = "10.233.2.15";
type = types.str;
};
localIp = mkOption { # TODO find this automatically
description = ''
localAddress of the privateNetwork
'';
example = "10.233.2.16";
type = types.str;
};
format = mkOption { format = mkOption {
description = '' description = ''
file system encrption format of the container file system encrption format of the container
''; '';
type = types.enum [ "plain" "ecryptfs" "securefs" ]; type = types.enum [ "plain" "ecryptfs" "securefs" "luksfile" ];
}; };
}; };
})); }));
@ -102,12 +120,11 @@ in {
ignorePerms = false; ignorePerms = false;
})) cfg.containers); })) cfg.containers);
krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ krebs.acl = mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" {
file-mode = "u+rw"; "u:syncthing:rX".parents = true;
directory-mode = "u+rwx"; "u:syncthing:rwX" = {};
owner = "syncthing"; }) cfg.containers;
keepGoing = false;
})) cfg.containers);
systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({ systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({
reloadIfChanged = mkForce false; reloadIfChanged = mkForce false;
@ -116,8 +133,11 @@ in {
containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({ containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({
config = { ... }: { config = { ... }: {
environment.systemPackages = [ environment.systemPackages = [
pkgs.dhcpcd
pkgs.git pkgs.git
pkgs.jq
]; ];
networking.useDHCP = mkForce true;
system.activationScripts.fuse = { system.activationScripts.fuse = {
text = '' text = ''
${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
@ -131,11 +151,57 @@ in {
autoStart = false; autoStart = false;
enableTun = true; enableTun = true;
privateNetwork = true; privateNetwork = true;
hostAddress = ctr.hostIp; hostBridge = "ctr0";
localAddress = ctr.localIp;
})) cfg.containers; })) cfg.containers;
environment.systemPackages = flatten (mapAttrsToList (n: ctr: [ networking.networkmanager.unmanaged = [ "ctr0" ];
networking.bridges.ctr0.interfaces = [];
networking.interfaces.ctr0.ipv4.addresses = [{
address = "10.233.0.1";
prefixLength = 24;
}];
# networking.nat = {
# enable = true;
# externalInterface = lib.mkDefault "et0";
# internalInterfaces = [ "ctr0" ];
# };
services.dhcpd4 = {
enable = true;
interfaces = [ "ctr0" ];
extraConfig = ''
option subnet-mask 255.255.255.0;
option routers 10.233.0.1;
# option domain-name-servers 8.8.8.8; # TODO configure dns server
subnet 10.233.0.0 netmask 255.255.255.0 {
range 10.233.0.10 10.233.0.250;
}
'';
};
users.users.root.packages = flatten (mapAttrsToList (n: ctr: [
(pkgs.writeDashBin "init-${ctr.name}" ''
set -euf
set -x
mkdir -p /var/lib/containers/${ctr.name}/var/state
STATE=$(/run/current-system/sw/bin/nixos-container status ${ctr.name})
if [ "$STATE" = 'up' ]; then
/run/current-system/sw/bin/nixos-container stop ${ctr.name}
fi
${(init ctr.name).${ctr.format}}
${(start ctr.name).${ctr.format}}
/run/current-system/sw/bin/nixos-container start ${ctr.name}
/run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
set -x
mkdir -p /var/state/var_src
ln -sfTr /var/state/var_src /var/src
touch /etc/NIXOS
''}
target_ip=$(/run/current-system/sw/bin/nixos-container run ${ctr.name} -- ip -j a s eth0 | jq -r '.[].addr_info[] | select(.family=="inet") | .local')
echo "deploy to $target_ip"
'')
(pkgs.writeDashBin "start-${ctr.name}" '' (pkgs.writeDashBin "start-${ctr.name}" ''
set -euf set -euf
set -x set -x
@ -144,12 +210,12 @@ in {
${(start ctr.name).${ctr.format}} ${(start ctr.name).${ctr.format}}
STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name}) STATE=$(/run/current-system/sw/bin/nixos-container status ${ctr.name})
if [ "$STATE" = 'down' ]; then if [ "$STATE" = 'down' ]; then
${pkgs.nixos-container}/bin/nixos-container start ${ctr.name} /run/current-system/sw/bin/nixos-container start ${ctr.name}
fi fi
${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" '' /run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
set -x set -x
mkdir -p /var/state/var_src mkdir -p /var/state/var_src
@ -158,15 +224,17 @@ in {
''} ''}
if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then
${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch /run/current-system/sw/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
else else
echo 'no nixos config, or target already online, bailing out'
${(stop ctr.name).${ctr.format}} ${(stop ctr.name).${ctr.format}}
/run/current-system/sw/bin/nixos-container stop ${ctr.name}
fi fi
'') '')
(pkgs.writeDashBin "stop-${ctr.name}" '' (pkgs.writeDashBin "stop-${ctr.name}" ''
set -euf set -euf
${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name} /run/current-system/sw/bin/nixos-container stop ${ctr.name}
${(stop ctr.name).${ctr.format}} ${(stop ctr.name).${ctr.format}}
'') '')
]) cfg.containers); ]) cfg.containers);
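Review bot: In the `else` branch of `start-${ctr.name}` the new lines run `${(stop ctr.name).${ctr.format}}` before `nixos-container stop`, the reverse of the order used in `stop-${ctr.name}`. For the `securefs` and `luksfile` formats that snippet begins with `umount /var/lib/containers/${cname}/var/state`; while the container is still up the unmount will probably fail as busy, and under `set -euf` the script then exits without stopping the container or, for `luksfile`, reaching `cryptsetup luksClose`, leaving the decrypted state mounted. Putting `/run/current-system/sw/bin/nixos-container stop ${ctr.name}` first, followed by `${(stop ctr.name).${ctr.format}}`, matches `stop-${ctr.name}`. Separately, the `securefs` start snippet now reads `## check if FS was initialized first` but no such check follows; either add one like the `.cfg.json` test in the `ecryptfs` branch or reword the comment.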


@ -1,23 +0,0 @@
{ buildGo117Module , fetchFromGitHub, lib }:
buildGo117Module rec {
pname = "ergo";
version = "2.9.1";
src = fetchFromGitHub {
owner = "ergochat";
repo = "ergo";
rev = "v${version}";
sha256 = "sha256-RxsmkTfHymferS/FRW0sLnstKfvGXkW6cEb/JbeS4lc=";
};
vendorSha256 = null;
meta = {
description = "A modern IRC server (daemon/ircd) written in Go";
homepage = "https://github.com/ergochat/ergo";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ lassulus tv ];
platforms = lib.platforms.linux;
};
}


@ -1,6 +1,6 @@
{ lib, pkgs, ... }: { lib, pkgs, ... }:
pkgs.writeDashBin "hashPassword" '' pkgs.writers.writeDashBin "hashPassword" ''
# usage: hashPassword [...] # usage: hashPassword [...]
set -euf set -euf

View File

@ -1,25 +0,0 @@
{ curl, jq, nix, writeDashBin }:
writeDashBin "nix-prefetch-github" ''
# usage: nix-prefetch-github OWNER REPO [REF]
set -efu
owner=$1
repo=$2
ref=''${3-master}
info_url=https://api.github.com/repos/$owner/$repo/commits/$ref
info=$(${curl}/bin/curl -fsS "$info_url")
rev=$(printf %s "$info" | ${jq}/bin/jq -r .sha)
name=$owner-$repo-$ref
url=https://github.com/$owner/$repo/tarball/$rev
sha256=$(${nix}/bin/nix-prefetch-url --name "$name" --unpack "$url")
export owner repo rev sha256
${jq}/bin/jq -n '
env | {
owner, repo, rev, sha256
}
'
''


@ -0,0 +1,64 @@
{ pkgs, lib, ... }:
pkgs.writers.writeDashBin "stable-generate" ''
set -efu
export PATH=${lib.makeBinPath [
pkgs.curl
pkgs.jq
]}
STABLE_URL=''${STABLE_URL:-http://stable-confusion.r}
PAYLOAD=$(jq -cn --arg query "$*" '{fn_index: 51, data: [
$query,
"",
"None",
"None",
20, # sampling steps
"Euler a", # sampling method
false, # restore faces
false,
1,
1,
7,
-1,
-1,
0,
0,
0,
false,
512, #probably resolution
512, #probably resolution
false,
0.7,
0,
0,
"None",
"",
false,
false,
false,
"",
"Seed",
"",
"Nothing",
"",
true,
false,
false,
null,
"",
""], session_hash: "hello_this_is_dog"}')
data=$(curl -Ssf "$STABLE_URL/run/predict/" \
-X POST \
--Header 'Content-Type: application/json' \
--data "$PAYLOAD"
)
export data
filename=$(jq -rn 'env.data | fromjson.data[0][0].name')
echo "$STABLE_URL/file=$filename"
''
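Review bot: Nothing checks that the response actually contains a file name: if `data[0][0].name` is missing, `jq -r` prints `null` and the script still exits 0 with a URL ending in `file=null`, which the `confuse` hook added in this commit would then fetch and paste. Using `filename=$(jq -ern 'env.data | fromjson.data[0][0].name')` turns a null result into a non-zero exit, which `set -e` propagates as a script failure. The positional `data` array and `fn_index: 51` look tied to one particular version of the web UI's API (inferred, not visible here); a comment naming that version would help whoever has to update the payload later.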


@ -33,7 +33,7 @@ let
eval = lib.evalModules { eval = lib.evalModules {
modules = lib.singleton { modules = lib.singleton {
_file = toString ./weechat-declarative.nix; _file = toString ./default.nix;
imports = lib.singleton config; imports = lib.singleton config;
options = { options = {
scripts = lib.mkOption { scripts = lib.mkOption {
@ -148,7 +148,8 @@ let
${lib.concatStringsSep "\n" ${lib.concatStringsSep "\n"
(lib.mapAttrsToList (lib.mapAttrsToList
(name: target: /* sh */ '' (name: target: /* sh */ ''
${pkgs.coreutils}/bin/ln -s ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name} ${pkgs.coreutils}/bin/cp ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name}
${pkgs.coreutils}/bin/chmod +w "$CONFDIR"/${lib.escapeShellArg name}
'') '')
cfg.files cfg.files
) )


@ -1,9 +1,9 @@
{ {
"url": "https://github.com/NixOS/nixpkgs", "url": "https://github.com/NixOS/nixpkgs",
"rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458", "rev": "b457130e8a21608675ddf12c7d85227b22a27112",
"date": "2022-10-31T16:44:53+01:00", "date": "2022-11-16T11:03:19+00:00",
"path": "/nix/store/6z1f9z44ljsxvn0kzlpz03a5m7lbh096-nixpkgs", "path": "/nix/store/jr123qfmrl53imi48naxh6zs486fqmz2-nixpkgs",
"sha256": "1ikpccnyi0b7ql6jak4g3wl4876njybpvknfs6gin461xjp5fi24", "sha256": "16cjrr3np3f428lxw8yk6n2dqi7mg08zf6h6gv75zpw865jz44df",
"fetchLFS": false, "fetchLFS": false,
"fetchSubmodules": false, "fetchSubmodules": false,
"deepClone": false, "deepClone": false,


@ -1,9 +1,9 @@
{ {
"url": "https://github.com/NixOS/nixpkgs", "url": "https://github.com/NixOS/nixpkgs",
"rev": "1b4722674c315de0e191d0d79790b4eac51570a1", "rev": "6474d93e007e4d165bcf48e7f87de2175c93d10b",
"date": "2022-10-31T23:14:26+01:00", "date": "2022-11-16T11:41:31+01:00",
"path": "/nix/store/byvkpdxd5pwixshrfrxgl0z2xc9y9hcs-nixpkgs", "path": "/nix/store/z86f31carhz3sf78kn3lkyq748drgp63-nixpkgs",
"sha256": "0ykbqcfwx338m1jcln9pj629byxbyr448d88wsryp8sf6p611cv2", "sha256": "00swm7hz3fjyzps75bjyqviw6dqg2cc126wc7lcc1rjkpdyk5iwg",
"fetchLFS": false, "fetchLFS": false,
"fetchSubmodules": false, "fetchSubmodules": false,
"deepClone": false, "deepClone": false,


@ -11,78 +11,50 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix> <stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/sync/decsync.nix> <stockholm/lass/2configs/sync/decsync.nix>
<stockholm/lass/2configs/sync/weechat.nix>
<stockholm/lass/2configs/weechat.nix>
<stockholm/lass/2configs/bitlbee.nix> <stockholm/lass/2configs/bitlbee.nix>
<stockholm/lass/2configs/IM.nix>
<stockholm/lass/2configs/muchsync.nix> <stockholm/lass/2configs/muchsync.nix>
<stockholm/lass/2configs/pass.nix> <stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/git-brain.nix> <stockholm/lass/2configs/git-brain.nix>
<stockholm/lass/2configs/et-server.nix>
<stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/atuin-server.nix>
]; ];
krebs.build.host = config.krebs.hosts.green; krebs.build.host = config.krebs.hosts.green;
users.users.mainUser.openssh.authorizedKeys.keys = [ lass.sync-containers3.inContainer = {
config.krebs.users.lass-android.pubkey enable = true;
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0rn3003CkJMk3jZrh/3MC6nVorHRymlFSI4x1brCKY" # weechat ssh tunnel pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y";
];
krebs.bindfs = {
"/home/lass/.weechat" = {
source = "/var/state/lass_weechat";
options = [
"-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}"
"--create-for-user=${toString config.users.users.syncthing.uid}"
];
};
"/home/lass/Maildir" = {
source = "/var/state/lass_mail";
options = [
"-M ${toString config.users.users.mainUser.uid}"
];
};
"/var/lib/bitlbee" = {
source = "/var/state/bitlbee";
options = [
"-M ${toString config.users.users.bitlbee.uid}"
];
clearTarget = true;
};
"/home/lass/.ssh" = {
source = "/var/state/lass_ssh";
options = [
"-M ${toString config.users.users.mainUser.uid}"
];
clearTarget = true;
};
"/home/lass/.gnupg" = {
source = "/var/state/lass_gnupg";
options = [
"-M ${toString config.users.users.mainUser.uid}"
];
clearTarget = true;
};
"/var/lib/git" = {
source = "/var/state/git";
options = [
"-M ${toString config.users.users.git.uid}"
];
clearTarget = true;
};
}; };
systemd.services."bindfs-_home_lass_Maildir".serviceConfig.ExecStartPost = pkgs.writeDash "symlink-notmuch" '' systemd.tmpfiles.rules = [
sleep 1 "d /home/lass/.local/share 0700 lass users -"
mkdir -p /home/lass/notmuch "d /home/lass/.local 0700 lass users -"
chown lass: /home/lass/notmuch
ln -sfTr /home/lass/notmuch /home/lass/Maildir/.notmuch
mkdir -p /home/lass/notmuch/muchsync "d /var/state/lass_mail 0700 lass users -"
chown lass: /home/lass/notmuch/muchsync "L+ /home/lass/Maildir - - - - ../../var/state/lass_mail"
mkdir -p /home/lass/Maildir/.muchsync
ln -sfTr /home/lass/Maildir/.muchsync /home/lass/notmuch/muchsync/tmp "d /var/state/lass_ssh 0700 lass users -"
''; "L+ /home/lass/.ssh - - - - ../../var/state/lass_ssh"
"d /var/state/lass_gpg 0700 lass users -"
"L+ /home/lass/.gnupg - - - - ../../var/state/lass_gpg"
"d /var/state/lass_sync 0700 lass users -"
"L+ /home/lass/sync - - - - ../../var/state/lass_sync"
"d /var/state/git 0700 git nogroup -"
"L+ /var/lib/git - - - - ../../var/state/git"
];
users.users.mainUser.openssh.authorizedKeys.keys = [
config.krebs.users.lass-android.pubkey
config.krebs.users.lass-tablet.pubkey
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKgpZwye6yavIs3gUIYvSi70spDa0apL2yHR0ASW74z8" # weechat ssh tunnel
];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = [
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
@ -93,4 +65,11 @@ with import <stockholm/lib>;
HostKeyAlgorithms +ssh-rsa HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa
''; '';
services.dovecot2 = {
enable = true;
mailLocation = "maildir:~/Maildir";
};
networking.firewall.allowedTCPPorts = [ 143 ];
} }
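Review bot: `networking.firewall.allowedTCPPorts = [ 143 ];` opens plain IMAP on every interface, and the new `services.dovecot2` block sets only `enable` and `mailLocation`, so nothing visible here ties the listener to TLS or to the VPN interface. If the mailbox is only read over retiolum, scope the opening instead, e.g. `networking.firewall.interfaces.retiolum.allowedTCPPorts = [ 143 ];`, or add a comment saying how cleartext logins on 143 are ruled out. Separately, the tmpfiles rules create and link `/var/state/lass_gpg`, while the removed bindfs mount used `/var/state/lass_gnupg`; an existing keyring directory would not be picked up unless it is renamed, so it is worth confirming the new name is intended.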

View File

@ -3,5 +3,5 @@
./config.nix ./config.nix
]; ];
boot.isContainer = true; boot.isContainer = true;
networking.useDHCP = false; networking.useDHCP = true;
} }


@ -1,4 +1,6 @@
{ lib, pkgs, test, ... }: { lib, pkgs, test, ... }: let
if test then {} else { npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
in if test then {} else {
nixpkgs.git.ref = lib.mkForce npkgs.rev;
nixpkgs-unstable = lib.mkForce { file = "/var/empty"; }; nixpkgs-unstable = lib.mkForce { file = "/var/empty"; };
} }


@ -1,6 +1,5 @@
{ config, pkgs, ... }: { config, lib, pkgs, ... }:
with import <stockholm/lib>;
{ {
imports = [ imports = [
<stockholm/lass> <stockholm/lass>
@ -17,11 +16,10 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/green-host.nix> <stockholm/lass/2configs/green-host.nix>
<stockholm/krebs/2configs/news-host.nix> <stockholm/krebs/2configs/news-host.nix>
<stockholm/lass/2configs/nfs-dl.nix> <stockholm/lass/2configs/prism-mounts/samba.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/home-media.nix> <stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/red-host.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/snapclient.nix> <stockholm/lass/2configs/snapclient.nix>
]; ];


@ -11,7 +11,6 @@
loader.grub.device = "/dev/sda"; loader.grub.device = "/dev/sda";
initrd.luks.devices.lusksroot.device = "/dev/sda2"; initrd.luks.devices.lusksroot.device = "/dev/sda2";
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
}; };
fileSystems = { fileSystems = {
@ -28,11 +27,6 @@
fsType = "btrfs"; fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"]; options = ["defaults" "noatime" "ssd" "compress=lzo"];
}; };
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["nosuid" "nodev" "noatime"];
};
"/bku" = { "/bku" = {
device = "/dev/pool/bku"; device = "/dev/pool/bku";
fsType = "btrfs"; fsType = "btrfs";


@ -154,6 +154,7 @@ with import <stockholm/lib>;
tables.filter.INPUT.rules = [ tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
{ predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
@ -164,7 +165,7 @@ with import <stockholm/lib>;
client client
dev tun dev tun
proto udp proto udp
remote 196.240.57.43 1194 remote 194.110.84.106 1194
resolv-retry infinite resolv-retry infinite
remote-random remote-random
nobind nobind
@ -174,7 +175,7 @@ with import <stockholm/lib>;
persist-key persist-key
persist-tun persist-tun
ping 15 ping 15
ping-restart 0 ping-restart 15
ping-timer-rem ping-timer-rem
reneg-sec 0 reneg-sec 0
comp-lzo no comp-lzo no
@ -250,7 +251,7 @@ with import <stockholm/lib>;
path = [ path = [
pkgs.coreutils pkgs.coreutils
pkgs.findutils pkgs.findutils
pkgs.inotifyTools pkgs.inotify-tools
]; ];
serviceConfig = { serviceConfig = {
Restart = "always"; Restart = "always";
@ -271,4 +272,10 @@ with import <stockholm/lib>;
enable = true; enable = true;
group = "download"; group = "download";
}; };
services.magnetico = {
enable = true;
web.address = "0.0.0.0";
web.port = 9092;
};
} }
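Review bot: The magnetico web interface is bound to `0.0.0.0` and the new INPUT rule `-p tcp --dport 9092` accepts it from any interface, while the `services.magnetico` block sets neither `web.credentials` nor `web.credentialsFile`; as far as I know the NixOS module then starts the web UI without authentication. Either scope the rule to the VPN interface, `{ predicate = "-i retiolum -p tcp --dport 9092"; target = "ACCEPT"; }`, or add a `web.credentialsFile` that points at a secret kept outside the Nix store. The enclosing module starts and ends outside these hunks, so an interface restriction applied elsewhere would not be visible here.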


@ -1,21 +1,23 @@
{ config, lib, pkgs, ... }: let { config, lib, pkgs, ... }: let
alacritty-cfg = extrVals: builtins.toJSON ({ alacritty-cfg = extrVals: builtins.toJSON ({
font = { font = let
family = "Iosevka";
in {
normal = { normal = {
family = "Inconsolata"; family = family;
style = "Regular"; style = "Regular";
}; };
bold = { bold = {
family = "Inconsolata"; family = family;
style = "Bold"; style = "Bold";
}; };
italic = { italic = {
family = "Inconsolata"; family = family;
style = "Italic"; style = "Italic";
}; };
bold_italic = { bold_italic = {
family = "Inconsolata"; family = family;
style = "Bold Italic"; style = "Bold Italic";
}; };
size = 8; size = 8;
@ -44,6 +46,7 @@
name = "alacritty"; name = "alacritty";
paths = [ paths = [
(pkgs.writeDashBin "alacritty" '' (pkgs.writeDashBin "alacritty" ''
${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml msg create-window "$@" ||
${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml "$@" ${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml "$@"
'') '')
pkgs.alacritty pkgs.alacritty


@ -0,0 +1,38 @@
{ config, lib, pkgs, ... }:
{
services.postgresql = {
enable = true;
dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
ensureDatabases = [ "atuin" ];
ensureUsers = [{
name = "atuin";
ensurePermissions."DATABASE atuin" = "ALL PRIVILEGES";
}];
};
systemd.tmpfiles.rules = [
"d /var/state/postgresql 0700 postgres postgres -"
];
users.groups.atuin = {};
users.users.atuin = {
uid = pkgs.stockholm.lib.genid_uint31 "atuin";
isSystemUser = true;
group = "atuin";
home = "/run/atuin";
createHome = true;
};
systemd.services.atuin = {
wantedBy = [ "multi-user.target" ];
environment = {
ATUIN_HOST = "0.0.0.0";
ATUIN_PORT = "8888";
ATUIN_OPEN_REGISTRATION = "true";
ATUIN_DB_URI = "postgres:///atuin";
};
serviceConfig = {
User = "atuin";
ExecStart = "${pkgs.atuin}/bin/atuin server start";
};
};
networking.firewall.allowedTCPPorts = [ 8888 ];
}
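Review bot: `ATUIN_OPEN_REGISTRATION = "true"` combined with `ATUIN_HOST = "0.0.0.0"` and `networking.firewall.allowedTCPPorts = [ 8888 ];` lets anyone who can reach the port create an account on this sync server. The client config added in the same commit talks to `http://green.r:8888`, so the opening can be limited to the VPN interface with `networking.firewall.interfaces.retiolum.allowedTCPPorts = [ 8888 ];`, and registration set to `"false"` once the intended devices are enrolled. The `atuin` unit also runs without any systemd hardening; a short comment recording whether that is deliberate would help the next reader.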


@ -7,7 +7,6 @@ in {
./alacritty.nix ./alacritty.nix
./mpv.nix ./mpv.nix
./power-action.nix ./power-action.nix
./copyq.nix
./urxvt.nix ./urxvt.nix
./xdg-open.nix ./xdg-open.nix
./yubikey.nix ./yubikey.nix
@ -80,7 +79,10 @@ in {
powertop powertop
rxvt-unicode rxvt-unicode
sshvnc sshvnc
sxiv (pkgs.writers.writeDashBin "sxiv" ''
${pkgs.nsxiv}/bin/nsxiv "$@"
'')
nsxiv
taskwarrior taskwarrior
termite termite
transgui transgui
@ -105,10 +107,56 @@ in {
enableGhostscriptFonts = true; enableGhostscriptFonts = true;
fonts = with pkgs; [ fonts = with pkgs; [
hack-font
xorg.fontschumachermisc xorg.fontschumachermisc
terminus_font_ttf
inconsolata inconsolata
noto-fonts
(iosevka.override {
# https://typeof.net/Iosevka/customizer
privateBuildPlan = {
family = "Iosevka";
spacing = "term";
serifs = "slab";
no-ligation = true;
variants.design = {
capital-i = "serifless";
capital-j = "serifless";
a = "double-storey-tailed";
b = "toothless-corner";
d = "toothless-corner-serifless";
f = "flat-hook-tailed";
g = "earless-corner";
i = "hooky";
j = "serifless";
l = "tailed";
m = "earless-corner-double-arch";
n = "earless-corner-straight";
p = "earless-corner";
q = "earless-corner";
r = "earless-corner";
u = "toothless-rounded";
y = "cursive-flat-hook";
one = "no-base-long-top-serif";
two = "straight-neck";
three = "flat-top";
four = "open";
six = "open-contour";
seven = "straight-serifless";
eight = "two-circles";
nine = "open-contour";
tilde = "low";
asterisk = "hex-low";
number-sign = "upright";
at = "short";
dollar = "open";
percent = "dots";
question = "corner-flat-hooked";
};
};
set = "kookiefonts";
})
]; ];
}; };
@ -174,4 +222,20 @@ in {
''; '';
}; };
}; };
services.clipmenu.enable = true;
# synchronize all the clipboards
systemd.user.services.autocutsel = {
enable = true;
wantedBy = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
serviceConfig = {
Type = "forking";
ExecStart = pkgs.writers.writeDash "autocutsel" ''
${pkgs.autocutsel}/bin/autocutsel -fork -selection PRIMARY
${pkgs.autocutsel}/bin/autocutsel -fork -selection CLIPBOARD
'';
};
};
} }

43
lass/2configs/consul.nix Normal file

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
{
services.consul = {
enable = true;
# dropPrivileges = false;
webUi = true;
# interface.bind = "retiolum";
extraConfig = {
bind_addr = config.krebs.build.host.nets.retiolum.ip4.addr;
bootstrap_expect = 3;
server = true;
# retry_join = config.services.consul.extraConfig.start_join;
retry_join = lib.mapAttrsToList (n: h:
lib.head h.nets.retiolum.aliases
) (lib.filterAttrs (n: h: h.consul) config.krebs.hosts);
rejoin_after_leave = true;
# try to fix random lock loss on leader reelection
retry_interval = "3s";
performance = {
raft_multiplier = 8;
};
};
};
environment.etc."consul.d/testservice.json".text = builtins.toJSON {
service = {
name = "testing";
};
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 8300"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8301"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 8301"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8302"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 8302"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8400"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8500"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8600"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 8500"; target = "ACCEPT"; }
];
}
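Review bot: The last INPUT rule accepts `-p udp --dport 8500`, but 8500 is Consul's HTTP API over TCP, which the rule above it already allows; the UDP counterpart of the `tcp --dport 8600` DNS rule looks like what was meant: `{ predicate = "-i retiolum -p udp --dport 8600"; target = "ACCEPT"; }`. Server-to-server traffic only needs 8300 to 8302, so the 8400 and 8500 rules are worth a comment or removal. No ACL or gossip `encrypt` setting is visible in `extraConfig`, so if the API is ever bound beyond loopback, every retiolum peer could read and write the KV entries that the sync-containers3 scheduler in this commit relies on to decide which host runs a container. A comment stating that `client_addr` is intentionally left at its default would make that assumption explicit.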


@ -0,0 +1,7 @@
{ config, lib, pkgs, ... }:
{
services.eternal-terminal = {
enable = true;
};
networking.firewall.allowedTCPPorts = [ config.services.eternal-terminal.port ];
}

View File

@ -2,32 +2,9 @@
{ {
imports = [ imports = [
<stockholm/lass/2configs/container-networking.nix> <stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/syncthing.nix>
]; ];
krebs.sync-containers.containers.green = {
peers = [
"echelon"
"icarus"
"littleT"
"mors"
"shodan"
"skynet"
"styx"
];
hostIp = "10.233.2.15";
localIp = "10.233.2.16";
format = "ecryptfs";
};
services.borgbackup.jobs.sync-green = { lass.sync-containers3.containers.green = {
encryption.mode = "none"; sshKey = "${toString <secrets>}/green.sync.key";
paths = "/var/lib/sync-containers/green/ecryptfs";
repo = "/var/lib/sync-containers/green/backup";
compression = "auto,lzma";
startAt = "daily";
prune.keep = {
daily = 7;
weekly = 4;
};
}; };
} }

167
lass/2configs/red-host.nix Normal file

@ -0,0 +1,167 @@
{ config, lib, pkgs, ... }:
let
ctr.name = "red";
in
{
imports = [
<stockholm/lass/2configs/container-networking.nix>
];
lass.sync-containers3.containers.red = {
sshKey = "${toString <secrets>}/containers/red/sync.key";
ephemeral = true;
};
# containers.${ctr.name} = {
# config = {
# environment.systemPackages = [
# pkgs.dhcpcd
# pkgs.git
# pkgs.jq
# ];
# networking.useDHCP = lib.mkForce true;
# systemd.services.autoswitch = {
# environment = {
# NIX_REMOTE = "daemon";
# };
# wantedBy = [ "multi-user.target" ];
# serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
# if test -e /var/src/nixos-config; then
# /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
# fi
# '';
# unitConfig.X-StopOnRemoval = false;
# };
# };
# autoStart = false;
# enableTun = true;
# privateNetwork = true;
# hostBridge = "ctr0";
# bindMounts = {
# "/etc/resolv.conf".hostPath = "/etc/resolv.conf";
# "/var/lib/self-state/disk-image" = {
# hostPath = "/var/lib/sync-containers3/${ctr.name}";
# isReadOnly = true;
# };
# };
# };
# systemd.services."${ctr.name}_scheduler" = {
# wantedBy = [ "multi-user.target" ];
# path = with pkgs; [
# coreutils
# consul
# cryptsetup
# mount
# util-linux
# systemd
# untilport
# ];
# serviceConfig = {
# Restart = "always";
# RestartSec = "15s";
# ExecStart = "${pkgs.consul}/bin/consul lock container_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-start" ''
# set -efux
# trap ${pkgs.writers.writeDash "stop-${ctr.name}" ''
# set -efux
# /run/current-system/sw/bin/nixos-container stop ${ctr.name} || :
# umount /var/lib/nixos-containers/${ctr.name}/var/state || :
# cryptsetup luksClose ${ctr.name} || :
# ''} INT TERM EXIT
# consul kv put containers/${ctr.name}/host ${config.networking.hostName}
# cryptsetup luksOpen --key-file /var/src/secrets/containers/${ctr.name}/luks /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name}
# mkdir -p /var/lib/nixos-containers/${ctr.name}/var/state
# mount /dev/mapper/${ctr.name} /var/lib/nixos-containers/${ctr.name}/var/state
# ln -frs /var/lib/nixos-containers/${ctr.name}/var/state/var_src /var/lib/nixos-containers/${ctr.name}/var/src
# /run/current-system/sw/bin/nixos-container start ${ctr.name}
# set +x
# until /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
# while /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
# ''}";
# };
# };
# users.groups."container_${ctr.name}" = {};
# users.users."container_${ctr.name}" = {
# group = "container_${ctr.name}";
# isSystemUser = true;
# home = "/var/lib/sync-containers3/${ctr.name}";
# createHome = true;
# homeMode = "705";
# openssh.authorizedKeys.keys = [
# config.krebs.users.lass.pubkey
# ];
# };
# systemd.timers."${ctr.name}_syncer" = {
# timerConfig = {
# RandomizedDelaySec = 300;
# };
# };
# systemd.services."${ctr.name}_syncer" = {
# path = with pkgs; [
# coreutils
# rsync
# openssh
# systemd
# ];
# startAt = "*:0/1";
# serviceConfig = {
# User = "container_${ctr.name}";
# LoadCredential = [
# "ssh_key:${toString <secrets>}/containers/${ctr.name}/sync.key"
# ];
# ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" ''
# set -efu
# ! systemctl is-active --quiet container@${ctr.name}.service
# '';
# ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" ''
# set -efu
# rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk-image/disk $HOME/disk
# '';
# };
# };
# # networking
# networking.networkmanager.unmanaged = [ "ctr0" ];
# networking.interfaces.dummy0.virtual = true;
# networking.bridges.ctr0.interfaces = [ "dummy0" ];
# networking.interfaces.ctr0.ipv4.addresses = [{
# address = "10.233.0.1";
# prefixLength = 24;
# }];
# systemd.services."dhcpd-ctr0" = {
# wantedBy = [ "multi-user.target" ];
# after = [ "network.target" ];
# serviceConfig = {
# Type = "forking";
# Restart = "always";
# DynamicUser = true;
# StateDirectory = "dhcpd-ctr0";
# User = "dhcpd-ctr0";
# Group = "dhcpd-ctr0";
# AmbientCapabilities = [
# "CAP_NET_RAW" # to send ICMP messages
# "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
# ];
# ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases";
# ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" ''
# default-lease-time 600;
# max-lease-time 7200;
# authoritative;
# ddns-update-style interim;
# log-facility local1; # see dhcpd.nix
# option subnet-mask 255.255.255.0;
# option routers 10.233.0.1;
# # option domain-name-servers 8.8.8.8; # TODO configure dns server
# subnet 10.233.0.0 netmask 255.255.255.0 {
# range 10.233.0.10 10.233.0.250;
# }
# ''} ctr0";
# };
# };
}
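Review bot: Everything after the `lass.sync-containers3.containers.red` block is commented-out code, roughly 145 lines, which repeats what the sync-containers3 module added in this commit now implements, and the `ctr.name = "red";` binding in the `let` is referenced only from those comments. Dropping the commented block and the unused binding leaves a file of about ten lines that shows what is actually configured; the earlier draft stays available in history. If the block is kept as reference, a one-line header such as `# superseded by 3modules/sync-containers3.nix, kept for reference only` (path is a placeholder, adjust to the real module location) would stop readers from treating it as pending work.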

221
lass/2configs/weechat.nix Normal file

@ -0,0 +1,221 @@
{ config, lib, pkgs, ... }: let
weechat-configured = pkgs.weechat-declarative.override {
config = {
scripts = [
pkgs.weechat-matrix
pkgs.weechatScripts.wee-slack
];
settings = {
irc.server_default.nicks = [ "lassulus" "hackulus" ];
irc.server.bitlbee = {
addresses = "localhost/6666";
command = "msg &bitlbee identify \${sec.data.bitlbee}";
};
irc.server.hackint = {
addresses = "irc.hackint.org/6697";
autojoin = [
"#c3-gsm"
"#panthermoderns"
"#36c3"
"#cccac"
"#nixos"
"#krebs"
"#c-base"
"#afra"
"#tvl"
"#eloop"
"#systemdultras"
"#rc3"
"#krebs-announce"
"#the_playlist"
"#germany"
"#hackint"
"#dezentrale"
"#hackerfleet \${sec.data.c3-gsm}" # TODO support channel passwords in a cooler way
];
ssl = true;
sasl_fail = "reconnect";
sasl_username = "lassulus";
sasl_password = "\${sec.data.hackint_sasl}";
};
irc.server.r = {
addresses = "irc.r";
autojoin = [
"#xxx"
"#autowifi"
"#brockman"
"#flix"
"#kollkoll"
"#noise"
"#mukke"
];
sasl_fail = "reconnect";
sasl_username = "lassulus";
sasl_password = "\${sec.data.r_sasl}";
anti_flood_prio_high = 0;
anti_flood_prio_low = 0;
};
irc.server.libera = {
addresses = "irc.libera.chat/6697";
autojoin = [
"#shackspace"
"#nixos"
"#krebs"
"#dezentrale"
"#tinc"
"#nixos-de"
"#fysi"
"#hillhacks"
"#nixos-rc3"
"#binaergewitter"
"#hackerfleet"
"#weechat"
];
ssl = true;
sasl_username = "lassulus";
sasl_fail = "reconnect";
sasl_password = "\${sec.data.libera_sasl}";
};
irc.server.news = {
addresses = "news.r";
autojoin = [
"#all"
"#aluhut"
"#querdenkos"
"#news"
"#drachengame"
];
anti_flood_prio_high = 0;
anti_flood_prio_low = 0;
};
matrix.server.lassulus = {
address = "matrix.lassul.us";
username = "lassulus";
password = "\${sec.data.matrix_lassulus}";
device_name = config.networking.hostName;
};
matrix.server.nixos_dev = {
address = "matrix.nixos.dev";
username = "@lassulus:nixos.dev";
device_name = config.networking.hostName;
sso_helper_listening_port = 55123;
};
plugins.var.python.go.short_name = true;
plugins.var.python.go.short_name_server = true;
plugins.var.python.go.fuzzy_search = true;
relay.network.password = "xxx"; # secret?
relay.port.weechat = 9998;
relay.weechat.commands = "*,!exec,!quit";
weechat.look.buffer_time_format = "%m-%d_%H:%M:%S";
weechat.look.item_time_format = "%m-%d_%H:%M:%S";
irc.look.color_nicks_in_names = true;
irc.look.color_nicks_in_nicklist = true;
logger.file.mask = "$plugin.$name/%Y-%m-%d.weechatlog";
logger.file.path = "/var/state/weechat_logs";
logger.look.backlog = 1000;
weechat.notify.python.matrix.nixos_dev."!YLoVsCxScyQODoqIbb:hackint.org" = "none"; #c-base
weechat.notify.python.matrix.nixos_dev."!bohcSYPVoePqBDWlvE:hackint.org" = "none"; #krebs
weechat.notify.irc.news."#all" = "highlight";
# setting logger levels for channels is currently not possible declarativly
# because of already defined
logger.level.core.weechat = 0;
logger.level.irc = 3;
logger.level.python = 3;
weechat.bar.title.color_bg = 0;
weechat.bar.status.color_bg = 0;
alias.cmd.reload = "exec -oc cat /etc/weechat.set";
script.scripts.download_enabled = true;
weechat.look.prefix_align = "left";
weechat.look.prefix_align_max = 20;
irc.look.server_buffer = "independent";
matrix.look.server_buffer = "independent";
weechat.bar.buflist.size_max = 20;
weechat.color.chat_nick_colors = [
1 2 3 4 5 6 9
10 11 12 13 14
28 29
30 31 32 33 34 35 36 37 38 39
70
94
101 102 103 104 105 106 107
130 131 133 134 135 136 137
140 141 142 143
160 161 162 163 165 166 167 168 169
170 171 172 173 174 175
196 197 198 199
200 201 202 203 204 205 206 208 209 209
210 211 212
];
};
extraCommands = ''
/script upgrade
/script install go.py
/script install nickregain.pl
/script install autosort.py
/key bind meta-q /go
/key bind meta-t /bar toggle nicklist
/key bind meta-y /bar toggle buflist
/filter addreplace irc_smart * irc_smart_filter *
/filter addreplace playlist_topic irc.*.#the_playlist irc_topic *
/filter addreplace xxx_joinpart irc.r.#xxx irc_join,irc_part,irc_quit *
/set logger.level.irc.news 0
/set logger.level.python.server.nixos_dev = 0;
/set logger.level.irc.hackint.#the_playlist = 0;
/connect bitlbee
/connect r
/connect news
/connect libera
/connect hackint
/matrix connect nixos_dev
/matrix connect lassulus
'';
files."sec.conf" = toString (pkgs.writeText "sec.conf" ''
[crypt]
cipher = aes256
hash_algo = sha256
passphrase_command = "cat $CREDENTIALS_DIRECTORY/WEECHAT_PASSPHRASE"
salt = on
[data]
__passphrase__ = on
hackint_sasl = "5CA242E92E7A09B180711B50C4AE2E65C42934EB4E584EC82BC1281D8C72CD411D590C16CC435687C0DA13759873CC"
libera_sasl = "9500B5AC3B29F9CAA273F1B89DC99550E038AF95C4B47442B1FB4CB9F0D6B86B26015988AD39E642CA9C4A78DED7F42D1F409B268C93E778"
r_sasl = "CB6FB1421ED5A9094CD2C05462DB1FA87C4A675628ABD9AEC9928A1A6F3F96C07D9F26472331BAF80B7B73270680EB1BBEFD"
c3-gsm = "C49DD845900CFDFA93EEBCE4F1ABF4A963EF6082B7DA6410FA701CC77A04BB6C201FCB864988C4F2B97ED7D44D5A28F162"
matrix.server.nixos_dev.access_token = "C40FE41B9B7B73553D51D8FCBD53871E940FE7FCCAB543E7F4720A924B8E1D58E2B1E1F460F5476C954A223F78CCB956337F6529159C0ECD7CB0384C13CB7170FF1270A577B1C4FF744D20FCF5C708259896F8D9"
bitlbee = "814ECAC59D9CF6E8340B566563E5D7E92AB92209B49C1EDE4CAAC32DD0DF1EC511D97C75E840C45D69BB9E3D03E79C"
matrix_lassulus = "0CA5C0F70A9F893881370F4A665B4CC40FBB1A41E53BC94916CD92B029103528611EC0B390116BE60FA79AE10F486E96E17B0824BE2DE1C97D87B88F5407330DAD70C044147533C36B09B7030CAD97"
'');
};
};
in {
users.users.mainUser.packages = [
weechat-configured
];
environment.etc."weechat.set".source = "${weechat-configured}/weechat.set";
systemd.tmpfiles.rules = [
"d /var/state/weechat_logs 0700 lass users -"
"d /var/state/weechat 0700 lass users -"
"d /var/state/weechat_cfg 0700 lass users -"
"L+ /home/lass/.local/share/weechat - - - - ../../../../var/state/weechat"
"L+ /home/lass/.config/weechat - - - - ../../../../var/state/weechat_cfg"
];
systemd.services.weechat = {
wantedBy = [ "multi-user.target" ];
restartIfChanged = false;
serviceConfig = {
User = "lass";
RemainAfterExit = true;
Type = "oneshot";
LoadCredential = [
"WEECHAT_PASSPHRASE:${toString <secrets>}/weechat_passphrase"
];
ExecStart = "${pkgs.tmux}/bin/tmux -2 new-session -d -s IM ${weechat-configured}/bin/weechat";
ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t IM"; # TODO run save in weechat
};
};
}
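Review bot: `relay.network.password = "xxx"; # secret?` writes a guessable relay password into the generated weechat.set, which this file also exposes as `/etc/weechat.set`, while the relay is enabled on port 9998. Other credentials here already go through sec.conf, so the same route fits: `relay.network.password = "\${sec.data.relay}";` plus a matching encrypted `relay = "<encrypted value>"` entry under `[data]`. In `extraCommands`, `/set logger.level.python.server.nixos_dev = 0;` and the following line use Nix-style `= 0;`, which `/set` will read as the value; compare `/set logger.level.irc.news 0` just above. `/script upgrade` and the `/script install …` lines fetch unpinned scripts from the network on every start; packaging them in `scripts`, as is done for `pkgs.weechat-matrix`, would pin what gets executed.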


@ -1,6 +1,17 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
environment.systemPackages = [ pkgs.fzf ]; environment.systemPackages = with pkgs; [
atuin
direnv
fzf
];
environment.variables.ATUIN_CONFIG_DIR = toString (pkgs.writeTextDir "/config.toml" ''
auto_sync = true
update_check = false
sync_address = "http://green.r:8888"
sync_frequency = 0
style = "compact"
'');
programs.zsh = { programs.zsh = {
enable = true; enable = true;
shellInit = '' shellInit = ''
@ -12,27 +23,9 @@
setopt autocd extendedglob setopt autocd extendedglob
bindkey -e bindkey -e
#history magic
bindkey "" up-line-or-local-history
bindkey "" down-line-or-local-history
up-line-or-local-history() { # # setopt inc_append_history
zle set-local-history 1 # bindkey '^R' history-incremental-search-backward
zle up-line-or-history
zle set-local-history 0
}
zle -N up-line-or-local-history
down-line-or-local-history() {
zle set-local-history 1
zle down-line-or-history
zle set-local-history 0
}
zle -N down-line-or-local-history
setopt SHARE_HISTORY
setopt HIST_IGNORE_ALL_DUPS
# setopt inc_append_history
bindkey '^R' history-incremental-search-backward
#C-x C-e open line in editor #C-x C-e open line in editor
autoload -z edit-command-line autoload -z edit-command-line
@ -43,6 +36,13 @@
source ${pkgs.fzf}/share/fzf/completion.zsh source ${pkgs.fzf}/share/fzf/completion.zsh
source ${pkgs.fzf}/share/fzf/key-bindings.zsh source ${pkgs.fzf}/share/fzf/key-bindings.zsh
# atuin distributed shell history
export ATUIN_NOBIND="true" # disable all keybdinings of atuin
eval "$(atuin init zsh)"
bindkey '^r' _atuin_search_widget # bind ctrl+r to atuin
# use zsh only session history
fc -p
#completion magic #completion magic
autoload -Uz compinit autoload -Uz compinit
compinit compinit
@ -65,13 +65,11 @@
bindkey "[8~" end-of-line bindkey "[8~" end-of-line
bindkey "Oc" emacs-forward-word bindkey "Oc" emacs-forward-word
bindkey "Od" emacs-backward-word bindkey "Od" emacs-backward-word
# direnv integration
eval "$(${pkgs.direnv}/bin/direnv hook zsh)"
''; '';
promptInit = '' promptInit = ''
# TODO: figure out why we need to set this here
HISTSIZE=900001
HISTFILESIZE=$HISTSIZE
SAVEHIST=$HISTSIZE
autoload -U promptinit autoload -U promptinit
promptinit promptinit
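Review bot: `eval "$(atuin init zsh)"` resolves `atuin` through PATH, whereas the direnv hook added to the same `shellInit` uses the store path; using the same form keeps the shell from evaluating the output of whatever `atuin` happens to come first on PATH: `eval "$(${pkgs.atuin}/bin/atuin init zsh)"`. The configured `sync_address = "http://green.r:8888"` is plain HTTP, so a comment saying that transport protection is left to the retiolum VPN would document the assumption. The comment `disable all keybdinings of atuin` contains a typo (`keybindings`). The `shellInit` string starts and ends outside these hunks.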


@ -15,5 +15,6 @@ _:
./xjail.nix ./xjail.nix
./autowifi.nix ./autowifi.nix
./browsers.nix ./browsers.nix
./sync-containers3.nix
]; ];
} }


@ -0,0 +1,313 @@
{ config, lib, pkgs, ... }: let
cfg = config.lass.sync-containers3;
slib = pkgs.stockholm.lib;
in {
options.lass.sync-containers3 = {
inContainer = {
enable = lib.mkEnableOption "container config for syncing";
pubkey = lib.mkOption {
type = lib.types.str; # TODO ssh key
};
};
containers = lib.mkOption {
default = {};
type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
options = {
name = lib.mkOption {
type = lib.types.str;
default = config._module.args.name;
};
sshKey = lib.mkOption {
type = slib.types.absolute-pathname;
};
luksKey = lib.mkOption {
type = slib.types.absolute-pathname;
default = config.sshKey;
};
ephemeral = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
}));
};
};
config = lib.mkMerge [
(lib.mkIf (cfg.containers != {}) {
containers = lib.mapAttrs' (n: ctr: lib.nameValuePair ctr.name {
config = {
environment.systemPackages = [
pkgs.dhcpcd
pkgs.git
pkgs.jq
];
networking.useDHCP = lib.mkForce true;
systemd.services.autoswitch = {
environment = {
NIX_REMOTE = "daemon";
};
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
set -efu
ln -frs /var/state/var_src /var/src
if test -e /var/src/nixos-config; then
/run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
fi
'';
unitConfig.X-StopOnRemoval = false;
};
};
autoStart = false;
enableTun = true;
ephemeral = ctr.ephemeral;
privateNetwork = true;
hostBridge = "ctr0";
bindMounts = {
"/etc/resolv.conf".hostPath = "/etc/resolv.conf";
"/var/lib/self/disk" = {
hostPath = "/var/lib/sync-containers3/${ctr.name}/disk";
isReadOnly = false;
};
"/var/state" = {
hostPath = "/var/lib/sync-containers3/${ctr.name}/state";
isReadOnly = false;
};
};
}) cfg.containers;
systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [
{ "${ctr.name}_syncer" = {
path = with pkgs; [
coreutils
consul
rsync
openssh
systemd
];
startAt = "*:0/1";
serviceConfig = {
User = "${ctr.name}_container";
LoadCredential = [
"ssh_key:${ctr.sshKey}"
];
ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" ''
set -efu
! systemctl is-active --quiet container@${ctr.name}.service
'';
ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" ''
set -efux
consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
set -efux
if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
touch "$HOME"/incomplete
rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk
rm "$HOME"/incomplete
fi
''}
'';
};
}; }
{ "${ctr.name}_watcher" = {
path = with pkgs; [
coreutils
consul
cryptsetup
curl
mount
util-linux
jq
retry
];
serviceConfig = {
ExecStart = pkgs.writers.writeDash "${ctr.name}_watcher" ''
set -efux
while sleep 5; do
# get the payload
# check if the host reacted recently
case $(curl -s -o /dev/null --retry 10 --retry-delay 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in
404)
echo 'got 404 from kv, should kill the container'
break
;;
500)
echo 'got 500 from kv, will kill container'
break
;;
200)
# echo 'got 200 from kv, will check payload'
export payload=$(consul kv get containers/${ctr.name})
if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
# echo 'we are the host, trying to reach container'
if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then
# echo 'container is reachable, continueing'
continue
else
# echo 'container seems dead, killing'
break
fi
else
echo 'we are not host, killing container'
break
fi
;;
*)
echo 'unknown state, continuing'
continue
;;
esac
done
/run/current-system/sw/bin/nixos-container stop ${ctr.name} || :
umount /var/lib/sync-containers3/${ctr.name}/state || :
cryptsetup luksClose ${ctr.name} || :
'';
};
}; }
{ "${ctr.name}_scheduler" = {
wantedBy = [ "multi-user.target" ];
path = with pkgs; [
coreutils
consul
cryptsetup
mount
util-linux
curl
systemd
jq
retry
bc
];
serviceConfig = {
Restart = "always";
RestartSec = "30s";
ExecStart = pkgs.writers.writeDash "${ctr.name}_scheduler" ''
set -efux
# get the payload
# check if the host reacted recently
case $(curl -s -o /dev/null --retry 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in
404)
# echo 'got 404 from kv, will create container'
;;
500)
# echo 'got 500 from kv, retrying again'
exit 0
;;
200)
# echo 'got 200 from kv, will check payload'
export payload=$(consul kv get containers/${ctr.name})
if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
echo 'we are the host, starting container'
else
# echo 'we are not host, checking timestamp'
# if [ $(echo "$(date +%s) - $(jq -rn 'env.payload | fromjson.time') > 100" | bc) -eq 1 ]; then
if [ "$(jq -rn 'env.payload | fromjson.time | now - tonumber > 100')" = 'true' ]; then
echo 'last beacon is more than 100s ago, taking over'
else
# echo 'last beacon was recent. trying again'
exit 0
fi
fi
;;
*)
echo 'unknown state, bailing out'
exit 0
;;
esac
if test -e /var/lib/sync-containers3/${ctr.name}/incomplete; then
echo 'data is inconistent, start aborted'
exit 1
fi
consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
consul lock -verbose -monitor-retry=100 -timeout 30s -name container_${ctr.name} container_${ctr.name} ${pkgs.writers.writeBash "${ctr.name}-start" ''
set -efu
cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} || :
mkdir -p /var/lib/sync-containers3/${ctr.name}/state
mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state
/run/current-system/sw/bin/nixos-container start ${ctr.name}
# wait for system to become reachable for the first time
retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
systemctl start ${ctr.name}_watcher.service
while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do
consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
sleep 10
done
''}
'';
};
}; }
]) (lib.attrValues cfg.containers)));
systemd.timers = lib.mapAttrs' (n: ctr: lib.nameValuePair "${ctr.name}_syncer" {
timerConfig = {
RandomizedDelaySec = 100;
};
}) cfg.containers;
users.groups = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" {
}) cfg.containers;
users.users = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" ({
group = "container_${ctr.name}";
isNormalUser = true;
uid = slib.genid_uint31 "container_${ctr.name}";
home = "/var/lib/sync-containers3/${ctr.name}";
createHome = true;
homeMode = "705";
})) cfg.containers;
})
(lib.mkIf (cfg.containers != {}) {
# networking
networking.networkmanager.unmanaged = [ "ctr0" ];
networking.interfaces.dummy0.virtual = true;
networking.bridges.ctr0.interfaces = [ "dummy0" ];
networking.interfaces.ctr0.ipv4.addresses = [{
address = "10.233.0.1";
prefixLength = 24;
}];
systemd.services."dhcpd-ctr0" = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "forking";
Restart = "always";
DynamicUser = true;
StateDirectory = "dhcpd-ctr0";
User = "dhcpd-ctr0";
Group = "dhcpd-ctr0";
AmbientCapabilities = [
"CAP_NET_RAW" # to send ICMP messages
"CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
];
ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases";
ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" ''
default-lease-time 600;
max-lease-time 7200;
authoritative;
ddns-update-style interim;
log-facility local1; # see dhcpd.nix
option subnet-mask 255.255.255.0;
option routers 10.233.0.1;
# option domain-name-servers 8.8.8.8; # TODO configure dns server
subnet 10.233.0.0 netmask 255.255.255.0 {
range 10.233.0.10 10.233.0.250;
}
''} ctr0";
};
};
})
(lib.mkIf cfg.inContainer.enable {
users.groups.container_sync = {};
users.users.container_sync = {
group = "container_sync";
uid = slib.genid_uint31 "container_sync";
isNormalUser = true;
home = "/var/lib/self";
createHome = true;
openssh.authorizedKeys.keys = [
cfg.inContainer.pubkey
];
};
})
];
}


@ -0,0 +1,80 @@
{ python3Packages
, lib
, fetchFromGitHub
}:
with python3Packages;
let
scriptPython = python.withPackages (ps: with ps; [
aiohttp
requests
python_magic
]);
version = "lassulus-fork";
in python3Packages.buildPythonPackage {
pname = "weechat-matrix";
inherit version;
src = fetchFromGitHub {
owner = "poljar";
repo = "weechat-matrix";
rev = version;
hash = "sha256-o4kgneszVLENG167nWnk2FxM+PsMzi+PSyMUMIktZcc=";
};
# src = ./weechat-matrix;
propagatedBuildInputs = [
pyopenssl
webcolors
future
atomicwrites
attrs
Logbook
pygments
matrix-nio
aiohttp
requests
];
passthru.scripts = [ "matrix.py" ];
dontBuild = true;
doCheck = false;
format = "other";
installPhase = ''
mkdir -p $out/share $out/bin
cp main.py $out/share/matrix.py
cp contrib/matrix_upload.py $out/bin/matrix_upload
cp contrib/matrix_decrypt.py $out/bin/matrix_decrypt
cp contrib/matrix_sso_helper.py $out/bin/matrix_sso_helper
substituteInPlace $out/bin/matrix_upload \
--replace '/usr/bin/env -S python3' '${scriptPython}/bin/python'
substituteInPlace $out/bin/matrix_sso_helper \
--replace '/usr/bin/env -S python3' '${scriptPython}/bin/python'
substituteInPlace $out/bin/matrix_decrypt \
--replace '/usr/bin/env python3' '${scriptPython}/bin/python'
mkdir -p $out/${python.sitePackages}
cp -r matrix $out/${python.sitePackages}/matrix
'';
dontPatchShebangs = true;
postFixup = ''
addToSearchPath program_PYTHONPATH $out/${python.sitePackages}
patchPythonScript $out/share/matrix.py
substituteInPlace $out/${python.sitePackages}/matrix/server.py --replace \"matrix_sso_helper\" \"$out/bin/matrix_sso_helper\"
'';
meta = with lib; {
description = "A Python plugin for Weechat that lets Weechat communicate over the Matrix protocol";
homepage = "https://github.com/poljar/weechat-matrix";
license = licenses.isc;
platforms = platforms.unix;
maintainers = with maintainers; [ tilpner emily ];
};
}
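Review bot: `rev = version;` in the `fetchFromGitHub` call resolves to `"lassulus-fork"`, which is a ref name rather than a commit id, so the expression does not record which commit was actually reviewed. The `hash` still fixes the fetched content, so a moved ref cannot silently swap the source, but it will surface later as a hash mismatch or as a stale store path that no longer matches upstream. I would pin the commit and keep the fork name only in the version string, e.g. `rev = "<full-commit-sha-placeholder>";` with `version = "unstable-<date-placeholder>";`. The ref name suggests a fork while `owner = "poljar"` points at the upstream repository, so it is worth confirming that the ref exists there and is the intended source.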


@ -58,6 +58,14 @@ rec {
default = false; default = false;
}; };
consul = mkOption {
description = ''
Whether the host is a member of the global consul network
'';
type = bool;
default = false;
};
owner = mkOption { owner = mkOption {
type = user; type = user;
}; };