Merge remote-tracking branch 'prism/master'

This commit is contained in:
tv 2022-11-22 19:38:36 +01:00
commit 1c4e27473c
36 changed files with 1440 additions and 304 deletions


@ -10,14 +10,10 @@
Charset = "utf-8";
};
telegram.krebs.Token = bridgeBotToken;
irc = let
Nick = "ponte";
in {
hackint = {
irc.hackint = {
Server = "irc.hackint.org:6697";
UseTLS = true;
inherit Nick;
};
Nick = "ponte";
};
gateway = [
{


@ -4,10 +4,7 @@
"shodan"
"mors"
"styx"
"puyak"
];
hostIp = "10.233.2.101";
localIp = "10.233.2.102";
format = "plain";
};
}


@ -51,6 +51,29 @@ let
};
};
confuse = {
pattern = "^!confuse (.*)$";
activate = "match";
arguments = [1];
command = {
filename = pkgs.writeDash "confuse" ''
set -efu
export PATH=${makeBinPath [
pkgs.coreutils
pkgs.curl
pkgs.gnused
pkgs.stable-generate
]}
stable_url=$(stable-generate "$@")
paste_url=$(curl -Ss "$stable_url" |
curl -Ss https://p.krebsco.de --data-binary @- |
tail -1
)
echo "$_from: $paste_url"
'';
};
};
taskRcFile = builtins.toFile "taskrc" ''
confirmation=no
'';
@ -185,8 +208,9 @@ let
};
}
{
pattern = "18@p";
pattern = ''^18@p\s+(\S+)\s+(\d+)m$'';
activate = "match";
arguments = [1 2];
command = {
env = {
CACHE_DIR = "${stateDir}/krebsfood";
@ -202,14 +226,27 @@ let
osm-restaurants = pkgs.callPackage "${osm-restaurants-src}/osm-restaurants" {};
in pkgs.writeDash "krebsfood" ''
set -efu
ecke_lat=52.51252
ecke_lon=13.41740
${osm-restaurants}/bin/osm-restaurants --radius 500 --latitude "$ecke_lat" --longitude "$ecke_lon" \
| ${pkgs.jq}/bin/jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"'
'
export PATH=${makeBinPath [
osm-restaurants
pkgs.coreutils
pkgs.curl
pkgs.jq
]}
poi=$(curl -fsS http://c.r/poi.json | jq --arg name "$1" '.[$name]')
if [ "$poi" = null ]; then
latitude=52.51252
longitude=13.41740
else
latitude=$(echo "$poi" | jq -r .latitude)
longitude=$(echo "$poi" | jq -r .longitude)
fi
osm-restaurants --radius "$2" --latitude "$latitude" --longitude "$longitude" \
| jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"'
'';
};
}
confuse
bedger-add
bedger-balance
hooks.sed
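Review bot: In the new `confuse` command neither curl in `curl -Ss "$stable_url" | curl -Ss https://p.krebsco.de --data-binary @- | tail -1` uses `-f`, and dash's `set -e` only sees `tail`'s exit status, so an HTTP error body from the image host or the paste service is pasted and announced to the channel as if it were a result; `curl -fSs` on both calls at least makes the failure visible in the journal instead. The krebsfood change has a similar gap: `jq -r .latitude` on a malformed `poi.json` entry yields the string `null`, which is then handed to osm-restaurants as a coordinate, so a check that both values are numeric before the `osm-restaurants` call would be cheap. `echo "$_from: $paste_url"` presumably relies on the bot exporting `_from`; a comment saying so would help, since the hunk does not show where it comes from.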


@ -54,7 +54,8 @@ Herr makefu an Kasse 3 bitte, Kasse 3 bitte Herr makefu. Der API Computer ist ma
EOF
)
state=$(curl -fSsk https://api.shackspace.de/v1/space | jq .doorState.open)
payload=$(curl -fSsk https://api.shackspace.de/v1/space)
state=$(printf '%s' "$payload" | jq .doorState.open)
prevstate=$(cat state ||:)
if test "$state" == "$(cat state)";then
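Review bot: The rewritten fetch still passes `-k`, so the certificate of api.shackspace.de is never verified and the door state could be supplied by anyone able to interpose on the connection; if the API serves a valid chain, `payload=$(curl -fSs https://api.shackspace.de/v1/space)` is enough, and if it does not, pinning with `--cacert` is preferable to disabling verification. The new `prevstate` variable is not used by the comparison on the following line, which re-reads the file; `if test "$state" = "$prevstate"; then` uses it and also replaces the bash-only `==` with the portable form. The surrounding script continues outside the hunk.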


@ -115,6 +115,7 @@ let
build_name = stage,
build_script = stages[stage],
),
timeout = 3600,
command="${pkgs.writeDash "build.sh" ''
set -xefu
profile=${shell.escape profileRoot}/$build_name


@ -122,7 +122,7 @@
# reloadIfChanged = true;
restartTriggers = [ configFile ];
serviceConfig = {
ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
ExecStart = "${pkgs.ergochat}/bin/ergo run --conf /etc/ergo.yaml";
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
DynamicUser = true;
StateDirectory = "ergo";


@ -929,5 +929,30 @@ in {
};
};
};
ruby = {
owner = config.krebs.users.mic92;
nets = rec {
retiolum = {
aliases = [ "ruby.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----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==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "TV9byzSblknvqdUjQCwjgLmA8qCB4Tnl/DSd2mbsZTJ";
};
};
};
};
}


@ -1,12 +1,6 @@
with import <stockholm/lib>;
{ config, ... }: let
hostDefaults = hostName: host: flip recursiveUpdate host {
ci = true;
monitoring = true;
owner = config.krebs.users.lass;
};
r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address;
w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address;
@ -16,6 +10,7 @@ in {
};
hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.lass;
consul = true;
ci = true;
monitoring = true;
}) {
@ -418,6 +413,7 @@ in {
};
xerxes = {
cores = 2;
consul = false;
nets = rec {
retiolum = {
ip4.addr = "10.243.1.3";
@ -592,7 +588,53 @@ in {
syncthing.id = "CADHN7J-CWRCWTZ-3GZRLII-JBVZN4N-RGHDGDL-UTAJNYI-RZPHK55-7EYAWQM";
};
massulus = {
cores = 1;
ci = false;
nets = {
retiolum = {
ip4.addr = "10.243.0.113";
ip6.addr = r6 "113";
aliases = [
"massulus.r"
];
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
'';
pubkey_ed25519 = "QwKNyv97Q2/fmPrVkgbGIhDTVW+uKu+F2enGCtZJgkM";
port = 1655;
};
};
wiregrill = {
ip6.addr = w6 "113";
aliases = [
"massulus.w"
];
wireguard.pubkey = ''
4wXpuDBEJS8J1bxS4paz/eZP1MuMfgHDCvOPn4TYtHQ=
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH8lFXZ/d2NtqyrpslTGRNBR7FJZCJ6i3UPy0LDl9t7 ";
};
phone = {
consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.13";
@ -608,6 +650,7 @@ in {
syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ";
};
tablet = {
consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.14";
@ -622,6 +665,7 @@ in {
ci = false;
};
hilum = {
consul = false;
cores = 1;
nets = {
retiolum = {
@ -797,6 +841,7 @@ in {
};
lasspi = {
consul = false;
cores = 1;
nets = {
retiolum = {
@ -840,6 +885,7 @@ in {
};
domsen-pixel = {
consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.17";
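Review bot: The new `massulus` host's `ssh.pubkey` string ends with a trailing space (`...l9t7 "`), which is most likely a paste artifact; trim it to `ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH8lFXZ/d2NtqyrpslTGRNBR7FJZCJ6i3UPy0LDl9t7";` so the value is byte-identical wherever it is compared or written out. The `consul = true` default added to the `mapAttrs (_: recursiveUpdate { ... })` wrapper now applies to every host that does not set `consul = false`, so any host added later silently becomes a cluster member; a comment on that line such as `# opt out per host with consul = false` would make the policy explicit.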

View File

@ -58,52 +58,100 @@ D7u4ShvPtxqFf+mv/4eHYx2akBIIUQYAf5OYGnE3E0kqiuK4qHKgt1NI5z1mSd9D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=h9fX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=MmP2
-----END PGP PUBLIC KEY BLOCK-----


@ -5,27 +5,55 @@ with import <stockholm/lib>;
plain = "/var/lib/containers/${cname}/var/state";
ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs";
securefs = "${cfg.dataLocation}/${cname}/securefs";
luksfile = "${cfg.dataLocation}/${cname}/luksfile";
};
init = cname: {
plain = ''
echo 'no need for init'
'';
ecryptfs = ''
${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
'';
securefs = ''
${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
'';
luksfile = ''
${pkgs.coreutils}/bin/truncate -s 10G '${(paths cname).luksfile}/fs.luks'
${pkgs.cryptsetup}/bin/cryptsetup luksFormat '${(paths cname).luksfile}/fs.luks'
${pkgs.cryptsetup}/bin/cryptsetup luksOpen '${(paths cname).luksfile}/fs.luks' 'luksfile-${cname}'
${pkgs.xfsprogs}/bin/mkfs.xfs '/dev/mapper/luksfile-${cname}'
'';
};
start = cname: {
plain = ''
:
'';
ecryptfs = ''
if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
else
${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
fi
else
echo 'please run init-${cname} first'
exit 1
fi
'';
securefs = ''
## TODO init file systems if it does not exist
# ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
## check if FS was initialized first
if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions
fi
'';
luksfile = ''
mkdir -p /var/lib/containers/${cname}/var/state
if ! test -e /dev/mapper/luksfile-${cname}; then
${pkgs.cryptsetup}/bin/cryptsetup luksOpen '${(paths cname).luksfile}/fs.luks' 'luksfile-${cname}'
fi
if ! ${pkgs.mount}/bin/mount | grep -q '^/dev/mapper/luksfile-${cname} on /var/lib/containers/${cname}/var/state'; then
mount '/dev/mapper/luksfile-${cname}' '/var/lib/containers/${cname}/var/state'
fi
'';
};
stop = cname: {
plain = ''
@ -37,12 +65,16 @@ with import <stockholm/lib>;
securefs = ''
umount /var/lib/containers/${cname}/var/state
'';
luksfile = ''
umount /var/lib/containers/${cname}/var/state
${pkgs.cryptsetup}/bin/cryptsetup luksClose luksfile-${cname}
'';
};
in {
options.krebs.sync-containers = {
dataLocation = mkOption {
description = ''
location where the encrypted sync-container lie around
location where the encrypted sync-containers lie around
'';
default = "/var/lib/sync-containers";
type = types.absolute-pathname;
@ -64,25 +96,11 @@ in {
default = [];
type = types.listOf types.str;
};
hostIp = mkOption { # TODO find this automatically
description = ''
hostAddress of the privateNetwork
'';
example = "10.233.2.15";
type = types.str;
};
localIp = mkOption { # TODO find this automatically
description = ''
localAddress of the privateNetwork
'';
example = "10.233.2.16";
type = types.str;
};
format = mkOption {
description = ''
file system encrption format of the container
'';
type = types.enum [ "plain" "ecryptfs" "securefs" ];
type = types.enum [ "plain" "ecryptfs" "securefs" "luksfile" ];
};
};
}));
@ -102,12 +120,11 @@ in {
ignorePerms = false;
})) cfg.containers);
krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
file-mode = "u+rw";
directory-mode = "u+rwx";
owner = "syncthing";
keepGoing = false;
})) cfg.containers);
krebs.acl = mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" {
"u:syncthing:rX".parents = true;
"u:syncthing:rwX" = {};
}) cfg.containers;
systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({
reloadIfChanged = mkForce false;
@ -116,8 +133,11 @@ in {
containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({
config = { ... }: {
environment.systemPackages = [
pkgs.dhcpcd
pkgs.git
pkgs.jq
];
networking.useDHCP = mkForce true;
system.activationScripts.fuse = {
text = ''
${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
@ -131,11 +151,57 @@ in {
autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = ctr.hostIp;
localAddress = ctr.localIp;
hostBridge = "ctr0";
})) cfg.containers;
environment.systemPackages = flatten (mapAttrsToList (n: ctr: [
networking.networkmanager.unmanaged = [ "ctr0" ];
networking.bridges.ctr0.interfaces = [];
networking.interfaces.ctr0.ipv4.addresses = [{
address = "10.233.0.1";
prefixLength = 24;
}];
# networking.nat = {
# enable = true;
# externalInterface = lib.mkDefault "et0";
# internalInterfaces = [ "ctr0" ];
# };
services.dhcpd4 = {
enable = true;
interfaces = [ "ctr0" ];
extraConfig = ''
option subnet-mask 255.255.255.0;
option routers 10.233.0.1;
# option domain-name-servers 8.8.8.8; # TODO configure dns server
subnet 10.233.0.0 netmask 255.255.255.0 {
range 10.233.0.10 10.233.0.250;
}
'';
};
users.users.root.packages = flatten (mapAttrsToList (n: ctr: [
(pkgs.writeDashBin "init-${ctr.name}" ''
set -euf
set -x
mkdir -p /var/lib/containers/${ctr.name}/var/state
STATE=$(/run/current-system/sw/bin/nixos-container status ${ctr.name})
if [ "$STATE" = 'up' ]; then
/run/current-system/sw/bin/nixos-container stop ${ctr.name}
fi
${(init ctr.name).${ctr.format}}
${(start ctr.name).${ctr.format}}
/run/current-system/sw/bin/nixos-container start ${ctr.name}
/run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
set -x
mkdir -p /var/state/var_src
ln -sfTr /var/state/var_src /var/src
touch /etc/NIXOS
''}
target_ip=$(/run/current-system/sw/bin/nixos-container run ${ctr.name} -- ip -j a s eth0 | jq -r '.[].addr_info[] | select(.family=="inet") | .local')
echo "deploy to $target_ip"
'')
(pkgs.writeDashBin "start-${ctr.name}" ''
set -euf
set -x
@ -144,12 +210,12 @@ in {
${(start ctr.name).${ctr.format}}
STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name})
STATE=$(/run/current-system/sw/bin/nixos-container status ${ctr.name})
if [ "$STATE" = 'down' ]; then
${pkgs.nixos-container}/bin/nixos-container start ${ctr.name}
/run/current-system/sw/bin/nixos-container start ${ctr.name}
fi
${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
/run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
set -x
mkdir -p /var/state/var_src
@ -158,15 +224,17 @@ in {
''}
if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then
${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
/run/current-system/sw/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
else
echo 'no nixos config, or target already online, bailing out'
${(stop ctr.name).${ctr.format}}
/run/current-system/sw/bin/nixos-container stop ${ctr.name}
fi
'')
(pkgs.writeDashBin "stop-${ctr.name}" ''
set -euf
${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name}
/run/current-system/sw/bin/nixos-container stop ${ctr.name}
${(stop ctr.name).${ctr.format}}
'')
]) cfg.containers);
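Review bot: In the `luksfile` start branch the mapper device is attached with a bare `mount`, while the check two lines above uses `${pkgs.mount}/bin/mount`, so the mount step depends on the caller's PATH; `${pkgs.mount}/bin/mount '/dev/mapper/luksfile-${cname}' '/var/lib/containers/${cname}/var/state'` keeps both consistent. The init branch hard-codes `truncate -s 10G`, which every container using this format inherits; at least a comment, or better a size option next to `format`, would make that visible. `cryptsetup luksFormat` and `luksOpen` are invoked without a key file and therefore prompt interactively, which is fine for the manual `init-`/`start-` scripts but belongs in the `format` option's description alongside the new `"luksfile"` enum value.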


@ -1,23 +0,0 @@
{ buildGo117Module , fetchFromGitHub, lib }:
buildGo117Module rec {
pname = "ergo";
version = "2.9.1";
src = fetchFromGitHub {
owner = "ergochat";
repo = "ergo";
rev = "v${version}";
sha256 = "sha256-RxsmkTfHymferS/FRW0sLnstKfvGXkW6cEb/JbeS4lc=";
};
vendorSha256 = null;
meta = {
description = "A modern IRC server (daemon/ircd) written in Go";
homepage = "https://github.com/ergochat/ergo";
license = lib.licenses.mit;
maintainers = with lib.maintainers; [ lassulus tv ];
platforms = lib.platforms.linux;
};
}


@ -1,6 +1,6 @@
{ lib, pkgs, ... }:
pkgs.writeDashBin "hashPassword" ''
pkgs.writers.writeDashBin "hashPassword" ''
# usage: hashPassword [...]
set -euf


@ -1,25 +0,0 @@
{ curl, jq, nix, writeDashBin }:
writeDashBin "nix-prefetch-github" ''
# usage: nix-prefetch-github OWNER REPO [REF]
set -efu
owner=$1
repo=$2
ref=''${3-master}
info_url=https://api.github.com/repos/$owner/$repo/commits/$ref
info=$(${curl}/bin/curl -fsS "$info_url")
rev=$(printf %s "$info" | ${jq}/bin/jq -r .sha)
name=$owner-$repo-$ref
url=https://github.com/$owner/$repo/tarball/$rev
sha256=$(${nix}/bin/nix-prefetch-url --name "$name" --unpack "$url")
export owner repo rev sha256
${jq}/bin/jq -n '
env | {
owner, repo, rev, sha256
}
'
''


@ -0,0 +1,64 @@
{ pkgs, lib, ... }:
pkgs.writers.writeDashBin "stable-generate" ''
set -efu
export PATH=${lib.makeBinPath [
pkgs.curl
pkgs.jq
]}
STABLE_URL=''${STABLE_URL:-http://stable-confusion.r}
PAYLOAD=$(jq -cn --arg query "$*" '{fn_index: 51, data: [
$query,
"",
"None",
"None",
20, # sampling steps
"Euler a", # sampling method
false, # restore faces
false,
1,
1,
7,
-1,
-1,
0,
0,
0,
false,
512, #probably resolution
512, #probably resolution
false,
0.7,
0,
0,
"None",
"",
false,
false,
false,
"",
"Seed",
"",
"Nothing",
"",
true,
false,
false,
null,
"",
""], session_hash: "hello_this_is_dog"}')
data=$(curl -Ssf "$STABLE_URL/run/predict/" \
-X POST \
--Header 'Content-Type: application/json' \
--data "$PAYLOAD"
)
export data
filename=$(jq -rn 'env.data | fromjson.data[0][0].name')
echo "$STABLE_URL/file=$filename"
''
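Review bot: The request body is a positional array bound to `fn_index: 51` of one particular build of the web UI, so an upstream UI update silently shifts what each position means; a header comment naming the UI version the payload was captured from (placeholder: `# payload captured from <UI version>`) would make that explicit, and the `#probably resolution` guesses should be confirmed or dropped. `curl -Ssf` fails on HTTP errors, but a 200 reply carrying an error object makes `fromjson.data[0][0].name` fail inside jq with an opaque message; a guard like `printf %s "$data" | jq -e '.data[0][0].name' >/dev/null || { echo "unexpected response from $STABLE_URL" >&2; exit 1; }` gives a readable failure. `--Header` works because curl matches long options case-insensitively, but `--header` is the documented spelling.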


@ -33,7 +33,7 @@ let
eval = lib.evalModules {
modules = lib.singleton {
_file = toString ./weechat-declarative.nix;
_file = toString ./default.nix;
imports = lib.singleton config;
options = {
scripts = lib.mkOption {
@ -148,7 +148,8 @@ let
${lib.concatStringsSep "\n"
(lib.mapAttrsToList
(name: target: /* sh */ ''
${pkgs.coreutils}/bin/ln -s ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name}
${pkgs.coreutils}/bin/cp ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name}
${pkgs.coreutils}/bin/chmod +w "$CONFDIR"/${lib.escapeShellArg name}
'')
cfg.files
)
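Review bot: The switch from `ln -s` to `cp` will fail on hosts where `$CONFDIR` still holds symlinks from the previous version, because `cp` follows the existing link and tries to truncate the read-only store file; `cp -f` (which removes an unopenable destination and retries) or a preceding `rm -f "$CONFDIR"/${lib.escapeShellArg name}` avoids that. Since the files are now copies, later store changes are only picked up by re-running this script, and the `chmod +w` is what makes weechat's own writes succeed; a one-line comment stating why a copy is preferred over a link would save the next reader from reverting it. The surrounding writer starts and ends outside the hunk.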


@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
"rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
"date": "2022-10-31T16:44:53+01:00",
"path": "/nix/store/6z1f9z44ljsxvn0kzlpz03a5m7lbh096-nixpkgs",
"sha256": "1ikpccnyi0b7ql6jak4g3wl4876njybpvknfs6gin461xjp5fi24",
"rev": "b457130e8a21608675ddf12c7d85227b22a27112",
"date": "2022-11-16T11:03:19+00:00",
"path": "/nix/store/jr123qfmrl53imi48naxh6zs486fqmz2-nixpkgs",
"sha256": "16cjrr3np3f428lxw8yk6n2dqi7mg08zf6h6gv75zpw865jz44df",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,


@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
"rev": "1b4722674c315de0e191d0d79790b4eac51570a1",
"date": "2022-10-31T23:14:26+01:00",
"path": "/nix/store/byvkpdxd5pwixshrfrxgl0z2xc9y9hcs-nixpkgs",
"sha256": "0ykbqcfwx338m1jcln9pj629byxbyr448d88wsryp8sf6p611cv2",
"rev": "6474d93e007e4d165bcf48e7f87de2175c93d10b",
"date": "2022-11-16T11:41:31+01:00",
"path": "/nix/store/z86f31carhz3sf78kn3lkyq748drgp63-nixpkgs",
"sha256": "00swm7hz3fjyzps75bjyqviw6dqg2cc126wc7lcc1rjkpdyk5iwg",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,


@ -11,79 +11,51 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/sync/decsync.nix>
<stockholm/lass/2configs/sync/weechat.nix>
<stockholm/lass/2configs/weechat.nix>
<stockholm/lass/2configs/bitlbee.nix>
<stockholm/lass/2configs/IM.nix>
<stockholm/lass/2configs/muchsync.nix>
<stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/git-brain.nix>
<stockholm/lass/2configs/et-server.nix>
<stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/atuin-server.nix>
];
krebs.build.host = config.krebs.hosts.green;
lass.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y";
};
systemd.tmpfiles.rules = [
"d /home/lass/.local/share 0700 lass users -"
"d /home/lass/.local 0700 lass users -"
"d /var/state/lass_mail 0700 lass users -"
"L+ /home/lass/Maildir - - - - ../../var/state/lass_mail"
"d /var/state/lass_ssh 0700 lass users -"
"L+ /home/lass/.ssh - - - - ../../var/state/lass_ssh"
"d /var/state/lass_gpg 0700 lass users -"
"L+ /home/lass/.gnupg - - - - ../../var/state/lass_gpg"
"d /var/state/lass_sync 0700 lass users -"
"L+ /home/lass/sync - - - - ../../var/state/lass_sync"
"d /var/state/git 0700 git nogroup -"
"L+ /var/lib/git - - - - ../../var/state/git"
];
users.users.mainUser.openssh.authorizedKeys.keys = [
config.krebs.users.lass-android.pubkey
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0rn3003CkJMk3jZrh/3MC6nVorHRymlFSI4x1brCKY" # weechat ssh tunnel
config.krebs.users.lass-tablet.pubkey
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKgpZwye6yavIs3gUIYvSi70spDa0apL2yHR0ASW74z8" # weechat ssh tunnel
];
krebs.bindfs = {
"/home/lass/.weechat" = {
source = "/var/state/lass_weechat";
options = [
"-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}"
"--create-for-user=${toString config.users.users.syncthing.uid}"
];
};
"/home/lass/Maildir" = {
source = "/var/state/lass_mail";
options = [
"-M ${toString config.users.users.mainUser.uid}"
];
};
"/var/lib/bitlbee" = {
source = "/var/state/bitlbee";
options = [
"-M ${toString config.users.users.bitlbee.uid}"
];
clearTarget = true;
};
"/home/lass/.ssh" = {
source = "/var/state/lass_ssh";
options = [
"-M ${toString config.users.users.mainUser.uid}"
];
clearTarget = true;
};
"/home/lass/.gnupg" = {
source = "/var/state/lass_gnupg";
options = [
"-M ${toString config.users.users.mainUser.uid}"
];
clearTarget = true;
};
"/var/lib/git" = {
source = "/var/state/git";
options = [
"-M ${toString config.users.users.git.uid}"
];
clearTarget = true;
};
};
systemd.services."bindfs-_home_lass_Maildir".serviceConfig.ExecStartPost = pkgs.writeDash "symlink-notmuch" ''
sleep 1
mkdir -p /home/lass/notmuch
chown lass: /home/lass/notmuch
ln -sfTr /home/lass/notmuch /home/lass/Maildir/.notmuch
mkdir -p /home/lass/notmuch/muchsync
chown lass: /home/lass/notmuch/muchsync
mkdir -p /home/lass/Maildir/.muchsync
ln -sfTr /home/lass/Maildir/.muchsync /home/lass/notmuch/muchsync/tmp
'';
krebs.iptables.tables.nat.PREROUTING.rules = [
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
];
@ -93,4 +65,11 @@ with import <stockholm/lib>;
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
'';
services.dovecot2 = {
enable = true;
mailLocation = "maildir:~/Maildir";
};
networking.firewall.allowedTCPPorts = [ 143 ];
}
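Review bot: Port 143 added to `networking.firewall.allowedTCPPorts` is the cleartext IMAP port and the hunk shows no TLS settings for dovecot2, so mail credentials would cross the wire unencrypted unless clients only reach it through the VPN or an SSH tunnel; restricting it like the file's other rules (`{ predicate = "-i retiolum -p tcp --dport 143"; target = "ACCEPT"; }` under `krebs.iptables`) or enabling TLS would close that, and a comment should say which of the two is relied on. Note also that the removed bindfs entry used `/var/state/lass_gnupg` as its source while the new tmpfiles rules create and link `/var/state/lass_gpg`; if that rename is unintended, the existing keyring directory is left behind on upgrade.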


@ -3,5 +3,5 @@
./config.nix
];
boot.isContainer = true;
networking.useDHCP = false;
networking.useDHCP = true;
}


@ -1,4 +1,6 @@
{ lib, pkgs, test, ... }:
if test then {} else {
{ lib, pkgs, test, ... }: let
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
in if test then {} else {
nixpkgs.git.ref = lib.mkForce npkgs.rev;
nixpkgs-unstable = lib.mkForce { file = "/var/empty"; };
}


@ -1,6 +1,5 @@
{ config, pkgs, ... }:
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
@ -17,11 +16,10 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/green-host.nix>
<stockholm/krebs/2configs/news-host.nix>
<stockholm/lass/2configs/nfs-dl.nix>
<stockholm/lass/2configs/prism-mounts/samba.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/home-media.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/red-host.nix>
<stockholm/lass/2configs/snapclient.nix>
];


@ -11,7 +11,6 @@
loader.grub.device = "/dev/sda";
initrd.luks.devices.lusksroot.device = "/dev/sda2";
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
};
fileSystems = {
@ -28,11 +27,6 @@
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["nosuid" "nodev" "noatime"];
};
"/bku" = {
device = "/dev/pool/bku";
fsType = "btrfs";


@ -154,6 +154,7 @@ with import <stockholm/lib>;
tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
{ predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
@ -164,7 +165,7 @@ with import <stockholm/lib>;
client
dev tun
proto udp
remote 196.240.57.43 1194
remote 194.110.84.106 1194
resolv-retry infinite
remote-random
nobind
@ -174,7 +175,7 @@ with import <stockholm/lib>;
persist-key
persist-tun
ping 15
ping-restart 0
ping-restart 15
ping-timer-rem
reneg-sec 0
comp-lzo no
@ -250,7 +251,7 @@ with import <stockholm/lib>;
path = [
pkgs.coreutils
pkgs.findutils
pkgs.inotifyTools
pkgs.inotify-tools
];
serviceConfig = {
Restart = "always";
@ -271,4 +272,10 @@ with import <stockholm/lib>;
enable = true;
group = "download";
};
services.magnetico = {
enable = true;
web.address = "0.0.0.0";
web.port = 9092;
};
}
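Review bot: `web.address = "0.0.0.0"` together with the new `--dport 9092` ACCEPT rule, which unlike the consul rules added elsewhere in this commit carries no `-i` interface match, exposes the magnetico web interface on every interface of this host, and the hunk configures no credentials for it; either add `-i retiolum` to the rule or set the module's `web.credentials`/`web.credentialsFile`. Separately, `ping-restart 15` paired with `ping 15` means a single missed keepalive interval triggers a reconnect, which is likely to flap on a lossy link; a restart timeout several times the ping interval is the usual choice, and a comment should record why 15 was picked if it is deliberate. The enclosing openvpn config string starts and ends outside the hunk.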


@ -1,21 +1,23 @@
{ config, lib, pkgs, ... }: let
alacritty-cfg = extrVals: builtins.toJSON ({
font = {
font = let
family = "Iosevka";
in {
normal = {
family = "Inconsolata";
family = family;
style = "Regular";
};
bold = {
family = "Inconsolata";
family = family;
style = "Bold";
};
italic = {
family = "Inconsolata";
family = family;
style = "Italic";
};
bold_italic = {
family = "Inconsolata";
family = family;
style = "Bold Italic";
};
size = 8;
@ -44,6 +46,7 @@
name = "alacritty";
paths = [
(pkgs.writeDashBin "alacritty" ''
${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml msg create-window "$@" ||
${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml "$@"
'')
pkgs.alacritty


@ -0,0 +1,38 @@
{ config, lib, pkgs, ... }:
{
services.postgresql = {
enable = true;
dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
ensureDatabases = [ "atuin" ];
ensureUsers = [{
name = "atuin";
ensurePermissions."DATABASE atuin" = "ALL PRIVILEGES";
}];
};
systemd.tmpfiles.rules = [
"d /var/state/postgresql 0700 postgres postgres -"
];
users.groups.atuin = {};
users.users.atuin = {
uid = pkgs.stockholm.lib.genid_uint31 "atuin";
isSystemUser = true;
group = "atuin";
home = "/run/atuin";
createHome = true;
};
systemd.services.atuin = {
wantedBy = [ "multi-user.target" ];
environment = {
ATUIN_HOST = "0.0.0.0";
ATUIN_PORT = "8888";
ATUIN_OPEN_REGISTRATION = "true";
ATUIN_DB_URI = "postgres:///atuin";
};
serviceConfig = {
User = "atuin";
ExecStart = "${pkgs.atuin}/bin/atuin server start";
};
};
networking.firewall.allowedTCPPorts = [ 8888 ];
}
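Review bot: `ATUIN_OPEN_REGISTRATION = "true"` combined with `ATUIN_HOST = "0.0.0.0"` and port 8888 in `networking.firewall.allowedTCPPorts` lets anyone who can reach the host create accounts and store shell history on this server; if green is only reachable over the overlay that is contained, but nothing in the hunk restricts it, and the green config's other rules go through `krebs.iptables` rather than `networking.firewall`. Consider turning registration off once the intended users exist (`ATUIN_OPEN_REGISTRATION = "false"`) or limiting the port to the overlay interface, and say in a comment which one applies. `ATUIN_DB_URI = "postgres:///atuin"` presumably relies on local peer authentication for the `atuin` system user created above; a comment to that effect would help the next reader.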


@ -7,7 +7,6 @@ in {
./alacritty.nix
./mpv.nix
./power-action.nix
./copyq.nix
./urxvt.nix
./xdg-open.nix
./yubikey.nix
@ -80,7 +79,10 @@ in {
powertop
rxvt-unicode
sshvnc
sxiv
(pkgs.writers.writeDashBin "sxiv" ''
${pkgs.nsxiv}/bin/nsxiv "$@"
'')
nsxiv
taskwarrior
termite
transgui
@ -105,10 +107,56 @@ in {
enableGhostscriptFonts = true;
fonts = with pkgs; [
hack-font
xorg.fontschumachermisc
terminus_font_ttf
inconsolata
noto-fonts
(iosevka.override {
# https://typeof.net/Iosevka/customizer
privateBuildPlan = {
family = "Iosevka";
spacing = "term";
serifs = "slab";
no-ligation = true;
variants.design = {
capital-i = "serifless";
capital-j = "serifless";
a = "double-storey-tailed";
b = "toothless-corner";
d = "toothless-corner-serifless";
f = "flat-hook-tailed";
g = "earless-corner";
i = "hooky";
j = "serifless";
l = "tailed";
m = "earless-corner-double-arch";
n = "earless-corner-straight";
p = "earless-corner";
q = "earless-corner";
r = "earless-corner";
u = "toothless-rounded";
y = "cursive-flat-hook";
one = "no-base-long-top-serif";
two = "straight-neck";
three = "flat-top";
four = "open";
six = "open-contour";
seven = "straight-serifless";
eight = "two-circles";
nine = "open-contour";
tilde = "low";
asterisk = "hex-low";
number-sign = "upright";
at = "short";
dollar = "open";
percent = "dots";
question = "corner-flat-hooked";
};
};
set = "kookiefonts";
})
];
};
@ -174,4 +222,20 @@ in {
'';
};
};
services.clipmenu.enable = true;
# synchronize all the clipboards
systemd.user.services.autocutsel = {
enable = true;
wantedBy = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
serviceConfig = {
Type = "forking";
ExecStart = pkgs.writers.writeDash "autocutsel" ''
${pkgs.autocutsel}/bin/autocutsel -fork -selection PRIMARY
${pkgs.autocutsel}/bin/autocutsel -fork -selection CLIPBOARD
'';
};
};
}

43
lass/2configs/consul.nix Normal file

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
{
services.consul = {
enable = true;
# dropPrivileges = false;
webUi = true;
# interface.bind = "retiolum";
extraConfig = {
bind_addr = config.krebs.build.host.nets.retiolum.ip4.addr;
bootstrap_expect = 3;
server = true;
# retry_join = config.services.consul.extraConfig.start_join;
retry_join = lib.mapAttrsToList (n: h:
lib.head h.nets.retiolum.aliases
) (lib.filterAttrs (n: h: h.consul) config.krebs.hosts);
rejoin_after_leave = true;
# try to fix random lock loss on leader reelection
retry_interval = "3s";
performance = {
raft_multiplier = 8;
};
};
};
environment.etc."consul.d/testservice.json".text = builtins.toJSON {
service = {
name = "testing";
};
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 8300"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8301"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 8301"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8302"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 8302"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8400"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8500"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8600"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 8500"; target = "ACCEPT"; }
];
}
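Review bot: The last iptables rule accepts `udp --dport 8500`, but consul's HTTP API and UI on 8500 are TCP only, whereas its DNS interface on 8600 serves both TCP and UDP and only the TCP rule for 8600 is present; the intended line is probably `{ predicate = "-i retiolum -p udp --dport 8600"; target = "ACCEPT"; }`. Beyond that, the agent runs without gossip encryption or ACLs and `webUi = true` exposes the UI to every retiolum peer, which is acceptable only if all of them are trusted to read and write the KV store and locks; a comment stating that assumption, or an `acl`/`encrypt` stanza in `extraConfig`, would make it explicit. The `consul.d/testservice.json` entry registering a service named `testing` looks like a leftover from testing.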


@ -0,0 +1,7 @@
{ config, lib, pkgs, ... }:
{
services.eternal-terminal = {
enable = true;
};
networking.firewall.allowedTCPPorts = [ config.services.eternal-terminal.port ];
}


@ -2,32 +2,9 @@
{
imports = [
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/syncthing.nix>
];
krebs.sync-containers.containers.green = {
peers = [
"echelon"
"icarus"
"littleT"
"mors"
"shodan"
"skynet"
"styx"
];
hostIp = "10.233.2.15";
localIp = "10.233.2.16";
format = "ecryptfs";
};
services.borgbackup.jobs.sync-green = {
encryption.mode = "none";
paths = "/var/lib/sync-containers/green/ecryptfs";
repo = "/var/lib/sync-containers/green/backup";
compression = "auto,lzma";
startAt = "daily";
prune.keep = {
daily = 7;
weekly = 4;
};
lass.sync-containers3.containers.green = {
sshKey = "${toString <secrets>}/green.sync.key";
};
}
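Review bot: The daily borgbackup job for the green container state is dropped and nothing in this section replaces it, so unless sync-containers3 keeps its own history the container data now exists only as the live synced copy; if that is intended, a one-line comment next to `lass.sync-containers3.containers.green` saying where backups now live would save the next reader a search. The `sshKey` value is built with `toString <secrets>`, which keeps the key as a plain path string instead of importing it into the store; a comment such as `# string path on purpose: the key must not end up in the store` documents that choice.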

167
lass/2configs/red-host.nix Normal file

@ -0,0 +1,167 @@
{ config, lib, pkgs, ... }:
let
ctr.name = "red";
in
{
imports = [
<stockholm/lass/2configs/container-networking.nix>
];
lass.sync-containers3.containers.red = {
sshKey = "${toString <secrets>}/containers/red/sync.key";
ephemeral = true;
};
# containers.${ctr.name} = {
# config = {
# environment.systemPackages = [
# pkgs.dhcpcd
# pkgs.git
# pkgs.jq
# ];
# networking.useDHCP = lib.mkForce true;
# systemd.services.autoswitch = {
# environment = {
# NIX_REMOTE = "daemon";
# };
# wantedBy = [ "multi-user.target" ];
# serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
# if test -e /var/src/nixos-config; then
# /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
# fi
# '';
# unitConfig.X-StopOnRemoval = false;
# };
# };
# autoStart = false;
# enableTun = true;
# privateNetwork = true;
# hostBridge = "ctr0";
# bindMounts = {
# "/etc/resolv.conf".hostPath = "/etc/resolv.conf";
# "/var/lib/self-state/disk-image" = {
# hostPath = "/var/lib/sync-containers3/${ctr.name}";
# isReadOnly = true;
# };
# };
# };
# systemd.services."${ctr.name}_scheduler" = {
# wantedBy = [ "multi-user.target" ];
# path = with pkgs; [
# coreutils
# consul
# cryptsetup
# mount
# util-linux
# systemd
# untilport
# ];
# serviceConfig = {
# Restart = "always";
# RestartSec = "15s";
# ExecStart = "${pkgs.consul}/bin/consul lock container_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-start" ''
# set -efux
# trap ${pkgs.writers.writeDash "stop-${ctr.name}" ''
# set -efux
# /run/current-system/sw/bin/nixos-container stop ${ctr.name} || :
# umount /var/lib/nixos-containers/${ctr.name}/var/state || :
# cryptsetup luksClose ${ctr.name} || :
# ''} INT TERM EXIT
# consul kv put containers/${ctr.name}/host ${config.networking.hostName}
# cryptsetup luksOpen --key-file /var/src/secrets/containers/${ctr.name}/luks /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name}
# mkdir -p /var/lib/nixos-containers/${ctr.name}/var/state
# mount /dev/mapper/${ctr.name} /var/lib/nixos-containers/${ctr.name}/var/state
# ln -frs /var/lib/nixos-containers/${ctr.name}/var/state/var_src /var/lib/nixos-containers/${ctr.name}/var/src
# /run/current-system/sw/bin/nixos-container start ${ctr.name}
# set +x
# until /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
# while /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
# ''}";
# };
# };
# users.groups."container_${ctr.name}" = {};
# users.users."container_${ctr.name}" = {
# group = "container_${ctr.name}";
# isSystemUser = true;
# home = "/var/lib/sync-containers3/${ctr.name}";
# createHome = true;
# homeMode = "705";
# openssh.authorizedKeys.keys = [
# config.krebs.users.lass.pubkey
# ];
# };
# systemd.timers."${ctr.name}_syncer" = {
# timerConfig = {
# RandomizedDelaySec = 300;
# };
# };
# systemd.services."${ctr.name}_syncer" = {
# path = with pkgs; [
# coreutils
# rsync
# openssh
# systemd
# ];
# startAt = "*:0/1";
# serviceConfig = {
# User = "container_${ctr.name}";
# LoadCredential = [
# "ssh_key:${toString <secrets>}/containers/${ctr.name}/sync.key"
# ];
# ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" ''
# set -efu
# ! systemctl is-active --quiet container@${ctr.name}.service
# '';
# ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" ''
# set -efu
# rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk-image/disk $HOME/disk
# '';
# };
# };
# # networking
# networking.networkmanager.unmanaged = [ "ctr0" ];
# networking.interfaces.dummy0.virtual = true;
# networking.bridges.ctr0.interfaces = [ "dummy0" ];
# networking.interfaces.ctr0.ipv4.addresses = [{
# address = "10.233.0.1";
# prefixLength = 24;
# }];
# systemd.services."dhcpd-ctr0" = {
# wantedBy = [ "multi-user.target" ];
# after = [ "network.target" ];
# serviceConfig = {
# Type = "forking";
# Restart = "always";
# DynamicUser = true;
# StateDirectory = "dhcpd-ctr0";
# User = "dhcpd-ctr0";
# Group = "dhcpd-ctr0";
# AmbientCapabilities = [
# "CAP_NET_RAW" # to send ICMP messages
# "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
# ];
# ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases";
# ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" ''
# default-lease-time 600;
# max-lease-time 7200;
# authoritative;
# ddns-update-style interim;
# log-facility local1; # see dhcpd.nix
# option subnet-mask 255.255.255.0;
# option routers 10.233.0.1;
# # option domain-name-servers 8.8.8.8; # TODO configure dns server
# subnet 10.233.0.0 netmask 255.255.255.0 {
# range 10.233.0.10 10.233.0.250;
# }
# ''} ctr0";
# };
# };
}
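Review bot: Roughly 145 of the 167 new lines are a commented-out container, scheduler and dhcpd configuration, and the live part of the file is only the `container-networking.nix` import and the `lass.sync-containers3.containers.red` block; committing dead configuration this way leaves key-handling logic (`cryptsetup luksOpen --key-file /var/src/secrets/...`, the consul lock wrapper) that nobody maintains but that will be copy-pasted later. Either drop the commented block or replace it with a two-line comment pointing at the module it was folded into. The `ctr.name = "red"` let-binding is now referenced only inside comments, so it can go as well.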

221
lass/2configs/weechat.nix Normal file

@ -0,0 +1,221 @@
{ config, lib, pkgs, ... }: let
weechat-configured = pkgs.weechat-declarative.override {
config = {
scripts = [
pkgs.weechat-matrix
pkgs.weechatScripts.wee-slack
];
settings = {
irc.server_default.nicks = [ "lassulus" "hackulus" ];
irc.server.bitlbee = {
addresses = "localhost/6666";
command = "msg &bitlbee identify \${sec.data.bitlbee}";
};
irc.server.hackint = {
addresses = "irc.hackint.org/6697";
autojoin = [
"#c3-gsm"
"#panthermoderns"
"#36c3"
"#cccac"
"#nixos"
"#krebs"
"#c-base"
"#afra"
"#tvl"
"#eloop"
"#systemdultras"
"#rc3"
"#krebs-announce"
"#the_playlist"
"#germany"
"#hackint"
"#dezentrale"
"#hackerfleet \${sec.data.c3-gsm}" # TODO support channel passwords in a cooler way
];
ssl = true;
sasl_fail = "reconnect";
sasl_username = "lassulus";
sasl_password = "\${sec.data.hackint_sasl}";
};
irc.server.r = {
addresses = "irc.r";
autojoin = [
"#xxx"
"#autowifi"
"#brockman"
"#flix"
"#kollkoll"
"#noise"
"#mukke"
];
sasl_fail = "reconnect";
sasl_username = "lassulus";
sasl_password = "\${sec.data.r_sasl}";
anti_flood_prio_high = 0;
anti_flood_prio_low = 0;
};
irc.server.libera = {
addresses = "irc.libera.chat/6697";
autojoin = [
"#shackspace"
"#nixos"
"#krebs"
"#dezentrale"
"#tinc"
"#nixos-de"
"#fysi"
"#hillhacks"
"#nixos-rc3"
"#binaergewitter"
"#hackerfleet"
"#weechat"
];
ssl = true;
sasl_username = "lassulus";
sasl_fail = "reconnect";
sasl_password = "\${sec.data.libera_sasl}";
};
irc.server.news = {
addresses = "news.r";
autojoin = [
"#all"
"#aluhut"
"#querdenkos"
"#news"
"#drachengame"
];
anti_flood_prio_high = 0;
anti_flood_prio_low = 0;
};
matrix.server.lassulus = {
address = "matrix.lassul.us";
username = "lassulus";
password = "\${sec.data.matrix_lassulus}";
device_name = config.networking.hostName;
};
matrix.server.nixos_dev = {
address = "matrix.nixos.dev";
username = "@lassulus:nixos.dev";
device_name = config.networking.hostName;
sso_helper_listening_port = 55123;
};
plugins.var.python.go.short_name = true;
plugins.var.python.go.short_name_server = true;
plugins.var.python.go.fuzzy_search = true;
relay.network.password = "xxx"; # secret?
relay.port.weechat = 9998;
relay.weechat.commands = "*,!exec,!quit";
weechat.look.buffer_time_format = "%m-%d_%H:%M:%S";
weechat.look.item_time_format = "%m-%d_%H:%M:%S";
irc.look.color_nicks_in_names = true;
irc.look.color_nicks_in_nicklist = true;
logger.file.mask = "$plugin.$name/%Y-%m-%d.weechatlog";
logger.file.path = "/var/state/weechat_logs";
logger.look.backlog = 1000;
weechat.notify.python.matrix.nixos_dev."!YLoVsCxScyQODoqIbb:hackint.org" = "none"; #c-base
weechat.notify.python.matrix.nixos_dev."!bohcSYPVoePqBDWlvE:hackint.org" = "none"; #krebs
weechat.notify.irc.news."#all" = "highlight";
# setting logger levels for channels is currently not possible declarativly
# because of already defined
logger.level.core.weechat = 0;
logger.level.irc = 3;
logger.level.python = 3;
weechat.bar.title.color_bg = 0;
weechat.bar.status.color_bg = 0;
alias.cmd.reload = "exec -oc cat /etc/weechat.set";
script.scripts.download_enabled = true;
weechat.look.prefix_align = "left";
weechat.look.prefix_align_max = 20;
irc.look.server_buffer = "independent";
matrix.look.server_buffer = "independent";
weechat.bar.buflist.size_max = 20;
weechat.color.chat_nick_colors = [
1 2 3 4 5 6 9
10 11 12 13 14
28 29
30 31 32 33 34 35 36 37 38 39
70
94
101 102 103 104 105 106 107
130 131 133 134 135 136 137
140 141 142 143
160 161 162 163 165 166 167 168 169
170 171 172 173 174 175
196 197 198 199
200 201 202 203 204 205 206 208 209 209
210 211 212
];
};
extraCommands = ''
/script upgrade
/script install go.py
/script install nickregain.pl
/script install autosort.py
/key bind meta-q /go
/key bind meta-t /bar toggle nicklist
/key bind meta-y /bar toggle buflist
/filter addreplace irc_smart * irc_smart_filter *
/filter addreplace playlist_topic irc.*.#the_playlist irc_topic *
/filter addreplace xxx_joinpart irc.r.#xxx irc_join,irc_part,irc_quit *
/set logger.level.irc.news 0
/set logger.level.python.server.nixos_dev = 0;
/set logger.level.irc.hackint.#the_playlist = 0;
/connect bitlbee
/connect r
/connect news
/connect libera
/connect hackint
/matrix connect nixos_dev
/matrix connect lassulus
'';
files."sec.conf" = toString (pkgs.writeText "sec.conf" ''
[crypt]
cipher = aes256
hash_algo = sha256
passphrase_command = "cat $CREDENTIALS_DIRECTORY/WEECHAT_PASSPHRASE"
salt = on
[data]
__passphrase__ = on
hackint_sasl = "5CA242E92E7A09B180711B50C4AE2E65C42934EB4E584EC82BC1281D8C72CD411D590C16CC435687C0DA13759873CC"
libera_sasl = "9500B5AC3B29F9CAA273F1B89DC99550E038AF95C4B47442B1FB4CB9F0D6B86B26015988AD39E642CA9C4A78DED7F42D1F409B268C93E778"
r_sasl = "CB6FB1421ED5A9094CD2C05462DB1FA87C4A675628ABD9AEC9928A1A6F3F96C07D9F26472331BAF80B7B73270680EB1BBEFD"
c3-gsm = "C49DD845900CFDFA93EEBCE4F1ABF4A963EF6082B7DA6410FA701CC77A04BB6C201FCB864988C4F2B97ED7D44D5A28F162"
matrix.server.nixos_dev.access_token = "C40FE41B9B7B73553D51D8FCBD53871E940FE7FCCAB543E7F4720A924B8E1D58E2B1E1F460F5476C954A223F78CCB956337F6529159C0ECD7CB0384C13CB7170FF1270A577B1C4FF744D20FCF5C708259896F8D9"
bitlbee = "814ECAC59D9CF6E8340B566563E5D7E92AB92209B49C1EDE4CAAC32DD0DF1EC511D97C75E840C45D69BB9E3D03E79C"
matrix_lassulus = "0CA5C0F70A9F893881370F4A665B4CC40FBB1A41E53BC94916CD92B029103528611EC0B390116BE60FA79AE10F486E96E17B0824BE2DE1C97D87B88F5407330DAD70C044147533C36B09B7030CAD97"
'');
};
};
in {
users.users.mainUser.packages = [
weechat-configured
];
environment.etc."weechat.set".source = "${weechat-configured}/weechat.set";
systemd.tmpfiles.rules = [
"d /var/state/weechat_logs 0700 lass users -"
"d /var/state/weechat 0700 lass users -"
"d /var/state/weechat_cfg 0700 lass users -"
"L+ /home/lass/.local/share/weechat - - - - ../../../../var/state/weechat"
"L+ /home/lass/.config/weechat - - - - ../../../../var/state/weechat_cfg"
];
systemd.services.weechat = {
wantedBy = [ "multi-user.target" ];
restartIfChanged = false;
serviceConfig = {
User = "lass";
RemainAfterExit = true;
Type = "oneshot";
LoadCredential = [
"WEECHAT_PASSPHRASE:${toString <secrets>}/weechat_passphrase"
];
ExecStart = "${pkgs.tmux}/bin/tmux -2 new-session -d -s IM ${weechat-configured}/bin/weechat";
ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t IM"; # TODO run save in weechat
};
};
}
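Review bot: `relay.network.password = "xxx"; # secret?` is a real secret and the answer to the comment is yes: it guards the relay opened by `relay.port.weechat = 9998;`, whose clients may run any command except exec/quit, and the value lands in plain text in weechat.set, which is both a world-readable Nix store path and /etc/weechat.set. The file already routes every other credential through the encrypted sec.conf section, so the same pattern fits here: `relay.network.password = "\${sec.data.relay_password}";` plus a matching encrypted `relay_password` entry under `[data]`. Separately, the two `/set` lines in extraCommands that end in `= 0;` do not match the `/set logger.level.irc.news 0` form used directly above them; unless weechat accepts that syntax, they should read `/set logger.level.python.server.nixos_dev 0` and `/set logger.level.irc.hackint.#the_playlist 0`.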


@ -1,6 +1,17 @@
{ config, lib, pkgs, ... }:
{
environment.systemPackages = [ pkgs.fzf ];
environment.systemPackages = with pkgs; [
atuin
direnv
fzf
];
environment.variables.ATUIN_CONFIG_DIR = toString (pkgs.writeTextDir "/config.toml" ''
auto_sync = true
update_check = false
sync_address = "http://green.r:8888"
sync_frequency = 0
style = "compact"
'');
programs.zsh = {
enable = true;
shellInit = ''
@ -12,27 +23,9 @@
setopt autocd extendedglob
bindkey -e
#history magic
bindkey "" up-line-or-local-history
bindkey "" down-line-or-local-history
up-line-or-local-history() {
zle set-local-history 1
zle up-line-or-history
zle set-local-history 0
}
zle -N up-line-or-local-history
down-line-or-local-history() {
zle set-local-history 1
zle down-line-or-history
zle set-local-history 0
}
zle -N down-line-or-local-history
setopt SHARE_HISTORY
setopt HIST_IGNORE_ALL_DUPS
# setopt inc_append_history
bindkey '^R' history-incremental-search-backward
# # setopt inc_append_history
# bindkey '^R' history-incremental-search-backward
#C-x C-e open line in editor
autoload -z edit-command-line
@ -43,6 +36,13 @@
source ${pkgs.fzf}/share/fzf/completion.zsh
source ${pkgs.fzf}/share/fzf/key-bindings.zsh
# atuin distributed shell history
export ATUIN_NOBIND="true" # disable all keybdinings of atuin
eval "$(atuin init zsh)"
bindkey '^r' _atuin_search_widget # bind ctrl+r to atuin
# use zsh only session history
fc -p
#completion magic
autoload -Uz compinit
compinit
@ -65,13 +65,11 @@
bindkey "[8~" end-of-line
bindkey "Oc" emacs-forward-word
bindkey "Od" emacs-backward-word
# direnv integration
eval "$(${pkgs.direnv}/bin/direnv hook zsh)"
'';
promptInit = ''
# TODO: figure out why we need to set this here
HISTSIZE=900001
HISTFILESIZE=$HISTSIZE
SAVEHIST=$HISTSIZE
autoload -U promptinit
promptinit
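Review bot: `sync_address = "http://green.r:8888"` in the atuin config sends the sync traffic without TLS; atuin encrypts history entries client-side as far as I know, but registration credentials and the session token still travel in clear, so this is only acceptable if green.r is reached over an already-encrypted path. That assumption deserves a comment next to the line, e.g. `# plain http on purpose: green.r is only reachable over an encrypted link (confirm)`. Minor: the comment on the ATUIN_NOBIND line has a typo, `keybdinings` should be `keybindings`. The surrounding zsh config (shellInit/promptInit) continues outside these hunks.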


@ -15,5 +15,6 @@ _:
./xjail.nix
./autowifi.nix
./browsers.nix
./sync-containers3.nix
];
}


@ -0,0 +1,313 @@
{ config, lib, pkgs, ... }: let
cfg = config.lass.sync-containers3;
slib = pkgs.stockholm.lib;
in {
options.lass.sync-containers3 = {
inContainer = {
enable = lib.mkEnableOption "container config for syncing";
pubkey = lib.mkOption {
type = lib.types.str; # TODO ssh key
};
};
containers = lib.mkOption {
default = {};
type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
options = {
name = lib.mkOption {
type = lib.types.str;
default = config._module.args.name;
};
sshKey = lib.mkOption {
type = slib.types.absolute-pathname;
};
luksKey = lib.mkOption {
type = slib.types.absolute-pathname;
default = config.sshKey;
};
ephemeral = lib.mkOption {
type = lib.types.bool;
default = false;
};
};
}));
};
};
config = lib.mkMerge [
(lib.mkIf (cfg.containers != {}) {
containers = lib.mapAttrs' (n: ctr: lib.nameValuePair ctr.name {
config = {
environment.systemPackages = [
pkgs.dhcpcd
pkgs.git
pkgs.jq
];
networking.useDHCP = lib.mkForce true;
systemd.services.autoswitch = {
environment = {
NIX_REMOTE = "daemon";
};
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
set -efu
ln -frs /var/state/var_src /var/src
if test -e /var/src/nixos-config; then
/run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
fi
'';
unitConfig.X-StopOnRemoval = false;
};
};
autoStart = false;
enableTun = true;
ephemeral = ctr.ephemeral;
privateNetwork = true;
hostBridge = "ctr0";
bindMounts = {
"/etc/resolv.conf".hostPath = "/etc/resolv.conf";
"/var/lib/self/disk" = {
hostPath = "/var/lib/sync-containers3/${ctr.name}/disk";
isReadOnly = false;
};
"/var/state" = {
hostPath = "/var/lib/sync-containers3/${ctr.name}/state";
isReadOnly = false;
};
};
}) cfg.containers;
systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [
{ "${ctr.name}_syncer" = {
path = with pkgs; [
coreutils
consul
rsync
openssh
systemd
];
startAt = "*:0/1";
serviceConfig = {
User = "${ctr.name}_container";
LoadCredential = [
"ssh_key:${ctr.sshKey}"
];
ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" ''
set -efu
! systemctl is-active --quiet container@${ctr.name}.service
'';
ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" ''
set -efux
consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
set -efux
if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
touch "$HOME"/incomplete
rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk
rm "$HOME"/incomplete
fi
''}
'';
};
}; }
{ "${ctr.name}_watcher" = {
path = with pkgs; [
coreutils
consul
cryptsetup
curl
mount
util-linux
jq
retry
];
serviceConfig = {
ExecStart = pkgs.writers.writeDash "${ctr.name}_watcher" ''
set -efux
while sleep 5; do
# get the payload
# check if the host reacted recently
case $(curl -s -o /dev/null --retry 10 --retry-delay 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in
404)
echo 'got 404 from kv, should kill the container'
break
;;
500)
echo 'got 500 from kv, will kill container'
break
;;
200)
# echo 'got 200 from kv, will check payload'
export payload=$(consul kv get containers/${ctr.name})
if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
# echo 'we are the host, trying to reach container'
if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then
# echo 'container is reachable, continueing'
continue
else
# echo 'container seems dead, killing'
break
fi
else
echo 'we are not host, killing container'
break
fi
;;
*)
echo 'unknown state, continuing'
continue
;;
esac
done
/run/current-system/sw/bin/nixos-container stop ${ctr.name} || :
umount /var/lib/sync-containers3/${ctr.name}/state || :
cryptsetup luksClose ${ctr.name} || :
'';
};
}; }
{ "${ctr.name}_scheduler" = {
wantedBy = [ "multi-user.target" ];
path = with pkgs; [
coreutils
consul
cryptsetup
mount
util-linux
curl
systemd
jq
retry
bc
];
serviceConfig = {
Restart = "always";
RestartSec = "30s";
ExecStart = pkgs.writers.writeDash "${ctr.name}_scheduler" ''
set -efux
# get the payload
# check if the host reacted recently
case $(curl -s -o /dev/null --retry 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in
404)
# echo 'got 404 from kv, will create container'
;;
500)
# echo 'got 500 from kv, retrying again'
exit 0
;;
200)
# echo 'got 200 from kv, will check payload'
export payload=$(consul kv get containers/${ctr.name})
if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
echo 'we are the host, starting container'
else
# echo 'we are not host, checking timestamp'
# if [ $(echo "$(date +%s) - $(jq -rn 'env.payload | fromjson.time') > 100" | bc) -eq 1 ]; then
if [ "$(jq -rn 'env.payload | fromjson.time | now - tonumber > 100')" = 'true' ]; then
echo 'last beacon is more than 100s ago, taking over'
else
# echo 'last beacon was recent. trying again'
exit 0
fi
fi
;;
*)
echo 'unknown state, bailing out'
exit 0
;;
esac
if test -e /var/lib/sync-containers3/${ctr.name}/incomplete; then
echo 'data is inconistent, start aborted'
exit 1
fi
consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
consul lock -verbose -monitor-retry=100 -timeout 30s -name container_${ctr.name} container_${ctr.name} ${pkgs.writers.writeBash "${ctr.name}-start" ''
set -efu
cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} || :
mkdir -p /var/lib/sync-containers3/${ctr.name}/state
mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state
/run/current-system/sw/bin/nixos-container start ${ctr.name}
# wait for system to become reachable for the first time
retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
systemctl start ${ctr.name}_watcher.service
while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do
consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
sleep 10
done
''}
'';
};
}; }
]) (lib.attrValues cfg.containers)));
systemd.timers = lib.mapAttrs' (n: ctr: lib.nameValuePair "${ctr.name}_syncer" {
timerConfig = {
RandomizedDelaySec = 100;
};
}) cfg.containers;
users.groups = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" {
}) cfg.containers;
users.users = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" ({
group = "container_${ctr.name}";
isNormalUser = true;
uid = slib.genid_uint31 "container_${ctr.name}";
home = "/var/lib/sync-containers3/${ctr.name}";
createHome = true;
homeMode = "705";
})) cfg.containers;
})
(lib.mkIf (cfg.containers != {}) {
# networking
networking.networkmanager.unmanaged = [ "ctr0" ];
networking.interfaces.dummy0.virtual = true;
networking.bridges.ctr0.interfaces = [ "dummy0" ];
networking.interfaces.ctr0.ipv4.addresses = [{
address = "10.233.0.1";
prefixLength = 24;
}];
systemd.services."dhcpd-ctr0" = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
Type = "forking";
Restart = "always";
DynamicUser = true;
StateDirectory = "dhcpd-ctr0";
User = "dhcpd-ctr0";
Group = "dhcpd-ctr0";
AmbientCapabilities = [
"CAP_NET_RAW" # to send ICMP messages
"CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
];
ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases";
ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" ''
default-lease-time 600;
max-lease-time 7200;
authoritative;
ddns-update-style interim;
log-facility local1; # see dhcpd.nix
option subnet-mask 255.255.255.0;
option routers 10.233.0.1;
# option domain-name-servers 8.8.8.8; # TODO configure dns server
subnet 10.233.0.0 netmask 255.255.255.0 {
range 10.233.0.10 10.233.0.250;
}
''} ctr0";
};
};
})
(lib.mkIf cfg.inContainer.enable {
users.groups.container_sync = {};
users.users.container_sync = {
group = "container_sync";
uid = slib.genid_uint31 "container_sync";
isNormalUser = true;
home = "/var/lib/self";
createHome = true;
openssh.authorizedKeys.keys = [
cfg.inContainer.pubkey
];
};
})
];
}
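Review bot: `group = "container_${ctr.name}";` in the users.users entry names a group this file never creates: users.groups a few lines above defines `"${ctr.name}_container"` (the same naming the syncer's `User =` uses), so the user references a non-existent group and I expect the NixOS users assertion to reject the configuration; the line should read `group = "${ctr.name}_container";`. In the start script run under the consul lock, `>/devnull` in the `while systemctl is-active ...` loop is missing a slash, so the root-run script creates a file named /devnull instead of discarding the output; it should be `>/dev/null` like the ping redirect on the same line. Also, `luksKey` defaulting to `sshKey` means one file both authenticates the rsync transport and unlocks the disk image; that may be intended, but a comment on the option stating so would help the next reader.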


@ -0,0 +1,80 @@
{ python3Packages
, lib
, fetchFromGitHub
}:
with python3Packages;
let
scriptPython = python.withPackages (ps: with ps; [
aiohttp
requests
python_magic
]);
version = "lassulus-fork";
in python3Packages.buildPythonPackage {
pname = "weechat-matrix";
inherit version;
src = fetchFromGitHub {
owner = "poljar";
repo = "weechat-matrix";
rev = version;
hash = "sha256-o4kgneszVLENG167nWnk2FxM+PsMzi+PSyMUMIktZcc=";
};
# src = ./weechat-matrix;
propagatedBuildInputs = [
pyopenssl
webcolors
future
atomicwrites
attrs
Logbook
pygments
matrix-nio
aiohttp
requests
];
passthru.scripts = [ "matrix.py" ];
dontBuild = true;
doCheck = false;
format = "other";
installPhase = ''
mkdir -p $out/share $out/bin
cp main.py $out/share/matrix.py
cp contrib/matrix_upload.py $out/bin/matrix_upload
cp contrib/matrix_decrypt.py $out/bin/matrix_decrypt
cp contrib/matrix_sso_helper.py $out/bin/matrix_sso_helper
substituteInPlace $out/bin/matrix_upload \
--replace '/usr/bin/env -S python3' '${scriptPython}/bin/python'
substituteInPlace $out/bin/matrix_sso_helper \
--replace '/usr/bin/env -S python3' '${scriptPython}/bin/python'
substituteInPlace $out/bin/matrix_decrypt \
--replace '/usr/bin/env python3' '${scriptPython}/bin/python'
mkdir -p $out/${python.sitePackages}
cp -r matrix $out/${python.sitePackages}/matrix
'';
dontPatchShebangs = true;
postFixup = ''
addToSearchPath program_PYTHONPATH $out/${python.sitePackages}
patchPythonScript $out/share/matrix.py
substituteInPlace $out/${python.sitePackages}/matrix/server.py --replace \"matrix_sso_helper\" \"$out/bin/matrix_sso_helper\"
'';
meta = with lib; {
description = "A Python plugin for Weechat that lets Weechat communicate over the Matrix protocol";
homepage = "https://github.com/poljar/weechat-matrix";
license = licenses.isc;
platforms = platforms.unix;
maintainers = with maintainers; [ tilpner emily ];
};
}
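Review bot: `rev = version;` with `version = "lassulus-fork";` pins the source to a mutable ref name rather than a commit: the `hash` still fixes the content, so a moved ref fails the build loudly rather than silently changing it, but the derivation then cannot be rebuilt without re-resolving the ref, and "lassulus-fork" is not a version string. Prefer `rev = "<commit-sha>";` with a real or `unstable-<date>` version and keep `hash` as is. `doCheck = false;` next to `dontBuild = true;` is plausible for a script collection, but a one-line comment saying why the test suite is skipped would save the next reader a guess.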


@ -58,6 +58,14 @@ rec {
default = false;
};
consul = mkOption {
description = ''
Whether the host is a member of the global consul network
'';
type = bool;
default = false;
};
owner = mkOption {
type = user;
};