Merge remote-tracking branch 'prism/master'
commit
1c4e27473c
@ -10,14 +10,10 @@
|
||||
Charset = "utf-8";
|
||||
};
|
||||
telegram.krebs.Token = bridgeBotToken;
|
||||
irc = let
|
||||
irc.hackint = {
|
||||
Server = "irc.hackint.org:6697";
|
||||
UseTLS = true;
|
||||
Nick = "ponte";
|
||||
in {
|
||||
hackint = {
|
||||
Server = "irc.hackint.org:6697";
|
||||
UseTLS = true;
|
||||
inherit Nick;
|
||||
};
|
||||
};
|
||||
gateway = [
|
||||
{
|
||||
|
@ -4,10 +4,7 @@
|
||||
"shodan"
|
||||
"mors"
|
||||
"styx"
|
||||
"puyak"
|
||||
];
|
||||
hostIp = "10.233.2.101";
|
||||
localIp = "10.233.2.102";
|
||||
format = "plain";
|
||||
};
|
||||
}
|
||||
|
@ -51,6 +51,29 @@ let
|
||||
};
|
||||
};
|
||||
|
||||
confuse = {
|
||||
pattern = "^!confuse (.*)$";
|
||||
activate = "match";
|
||||
arguments = [1];
|
||||
command = {
|
||||
filename = pkgs.writeDash "confuse" ''
|
||||
set -efu
|
||||
export PATH=${makeBinPath [
|
||||
pkgs.coreutils
|
||||
pkgs.curl
|
||||
pkgs.gnused
|
||||
pkgs.stable-generate
|
||||
]}
|
||||
stable_url=$(stable-generate "$@")
|
||||
paste_url=$(curl -Ss "$stable_url" |
|
||||
curl -Ss https://p.krebsco.de --data-binary @- |
|
||||
tail -1
|
||||
)
|
||||
echo "$_from: $paste_url"
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
taskRcFile = builtins.toFile "taskrc" ''
|
||||
confirmation=no
|
||||
'';
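Review bot: The pipeline `paste_url=$(curl -Ss "$stable_url" | curl -Ss https://p.krebsco.de --data-binary @- | tail -1)` can only fail on `tail`, because dash has no pipefail and neither curl carries `-f`, so an HTTP error page from the image host is silently uploaded to the public pastebin and announced as the result. Adding `-f` to both curls (and a `--max-filesize` on the first) makes failures visible and bounds what gets relayed off-host. A short comment that `"$@"` here is the raw IRC text captured by `(.*)` and must only ever reach `stable-generate` as argv, never through a shell expansion, would protect the quoting from a future "simplification".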
|
||||
@ -185,8 +208,9 @@ let
|
||||
};
|
||||
}
|
||||
{
|
||||
pattern = "18@p";
|
||||
pattern = ''^18@p\s+(\S+)\s+(\d+)m$'';
|
||||
activate = "match";
|
||||
arguments = [1 2];
|
||||
command = {
|
||||
env = {
|
||||
CACHE_DIR = "${stateDir}/krebsfood";
|
||||
@ -202,14 +226,27 @@ let
|
||||
osm-restaurants = pkgs.callPackage "${osm-restaurants-src}/osm-restaurants" {};
|
||||
in pkgs.writeDash "krebsfood" ''
|
||||
set -efu
|
||||
ecke_lat=52.51252
|
||||
ecke_lon=13.41740
|
||||
${osm-restaurants}/bin/osm-restaurants --radius 500 --latitude "$ecke_lat" --longitude "$ecke_lon" \
|
||||
| ${pkgs.jq}/bin/jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"'
|
||||
'
|
||||
export PATH=${makeBinPath [
|
||||
osm-restaurants
|
||||
pkgs.coreutils
|
||||
pkgs.curl
|
||||
pkgs.jq
|
||||
]}
|
||||
poi=$(curl -fsS http://c.r/poi.json | jq --arg name "$1" '.[$name]')
|
||||
if [ "$poi" = null ]; then
|
||||
latitude=52.51252
|
||||
longitude=13.41740
|
||||
else
|
||||
latitude=$(echo "$poi" | jq -r .latitude)
|
||||
longitude=$(echo "$poi" | jq -r .longitude)
|
||||
fi
|
||||
|
||||
osm-restaurants --radius "$2" --latitude "$latitude" --longitude "$longitude" \
|
||||
| jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"'
|
||||
'';
|
||||
};
|
||||
}
|
||||
confuse
|
||||
bedger-add
|
||||
bedger-balance
|
||||
hooks.sed
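Review bot: `--radius "$2"` is passed through unchanged, and the new pattern `(\d+)m` only guarantees it is numeric, so any IRC user can request an arbitrarily large radius and turn one command into a very heavy Overpass query for the bot and the upstream API. A clamp before the call, e.g. `if [ "$2" -gt 5000 ]; then set -- "$1" 5000; fi`, keeps the command useful without that. Separately, the `curl -fsS http://c.r/poi.json | jq ...` substitution masks a failed fetch (no pipefail in dash) and then degrades to the hard-coded coordinates; presumably intended, but a comment such as `# falls back to the Ecke coordinates when the POI list is unreachable or the name is unknown` would make that explicit.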
|
||||
|
@ -54,7 +54,8 @@ Herr makefu an Kasse 3 bitte, Kasse 3 bitte Herr makefu. Der API Computer ist ma
|
||||
EOF
|
||||
)
|
||||
|
||||
state=$(curl -fSsk https://api.shackspace.de/v1/space | jq .doorState.open)
|
||||
payload=$(curl -fSsk https://api.shackspace.de/v1/space)
|
||||
state=$(printf '%s' "$payload" | jq .doorState.open)
|
||||
prevstate=$(cat state ||:)
|
||||
|
||||
if test "$state" == "$(cat state)";then
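Review bot: Both fetches of `https://api.shackspace.de/v1/space` keep `-k`, so certificate verification is off and anyone on the path can feed the bot a forged door state; unless that API genuinely has no valid certificate, drop `-k` or pin it with `--cacert`. The hunk also introduces `prevstate=$(cat state ||:)` but the comparison on the last visible line still re-reads the file with `$(cat state)`, which defeats the `||:` on the first run and should become `test "$state" = "$prevstate"` (`=` rather than `==`, since `==` is not POSIX `test`). The script continues outside the hunk.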
|
||||
|
@ -115,6 +115,7 @@ let
|
||||
build_name = stage,
|
||||
build_script = stages[stage],
|
||||
),
|
||||
timeout = 3600,
|
||||
command="${pkgs.writeDash "build.sh" ''
|
||||
set -xefu
|
||||
profile=${shell.escape profileRoot}/$build_name
|
||||
|
@ -122,7 +122,7 @@
|
||||
# reloadIfChanged = true;
|
||||
restartTriggers = [ configFile ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
|
||||
ExecStart = "${pkgs.ergochat}/bin/ergo run --conf /etc/ergo.yaml";
|
||||
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
|
||||
DynamicUser = true;
|
||||
StateDirectory = "ergo";
|
||||
|
25
krebs/3modules/external/mic92.nix
vendored
@ -929,5 +929,30 @@ in {
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
ruby = {
|
||||
owner = config.krebs.users.mic92;
|
||||
nets = rec {
|
||||
retiolum = {
|
||||
aliases = [ "ruby.r" ];
|
||||
tinc.pubkey = ''
|
||||
-----BEGIN RSA PUBLIC KEY-----
|
||||
MIICCgKCAgEAzqrguDMHqYyidLxbz3jsQS3JVNCy0HaN6wprT1Ge1Anf5E8KtuXh
|
||||
M9IjYPShzzJ162rYaJdd2lBmc5o435j+0/Gg5pySILni9bILhuRr7TMWN0sjNbgr
|
||||
x0JRbpMmpW5DOmQx1BSyA+LLNbyVVnCc1XI0P2EaRr1ZrRSU0bpE/7kJ//Zt7ATu
|
||||
GfqJTuL2aqap12VMKAfjRByyXA9V7szJMRom2Ia3cWSXhie1E0OOvCNT+InKXx4c
|
||||
QbEGX71noCgsNgxbD8AVSwMnNV15vdnbgwK/1QzA0Cep1uxFS05TXJZLZTjcGwG0
|
||||
Kp0kEjntq1rCqgdoUHIubNB17efU/oP6aSrdfvtgeYBjn0zSLHSUYdhf3JHd1Fvf
|
||||
Ov2TwHxt/sm8d91UjhrkYwjf2nzSruAklYDnIDJiHgLFoT5WuOoVlnfUjRpQEw44
|
||||
kp8KXsd24Y0UT5XJO5cQA+kZ1vl2ktHbQGTqYuYDB2FKEnBR/JIwJzJfugcGiyRx
|
||||
OukQ2/rjnS60JA2pHUEfoezIAMhYAF+EPgOgMcNSSRYUVBpPVKD26oGTrNn0AtnO
|
||||
ALW1vqUDwxb0cpv877vN1VfqvLE8n8Zgtt7itdT0+vxNPxICvF6//LNYUeDoQ3pj
|
||||
w+1ZSdYZsvIQ7tDcilnL0hU5/nfsSIbHV+ceuLde1xDt5c7Tnl4v/U0CAwEAAQ==
|
||||
-----END RSA PUBLIC KEY-----
|
||||
'';
|
||||
tinc.pubkey_ed25519 = "TV9byzSblknvqdUjQCwjgLmA8qCB4Tnl/DSd2mbsZTJ";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
@ -1,12 +1,6 @@
|
||||
with import <stockholm/lib>;
|
||||
{ config, ... }: let
|
||||
|
||||
hostDefaults = hostName: host: flip recursiveUpdate host {
|
||||
ci = true;
|
||||
monitoring = true;
|
||||
owner = config.krebs.users.lass;
|
||||
};
|
||||
|
||||
r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address;
|
||||
w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address;
|
||||
|
||||
@ -16,6 +10,7 @@ in {
|
||||
};
|
||||
hosts = mapAttrs (_: recursiveUpdate {
|
||||
owner = config.krebs.users.lass;
|
||||
consul = true;
|
||||
ci = true;
|
||||
monitoring = true;
|
||||
}) {
|
||||
@ -418,6 +413,7 @@ in {
|
||||
};
|
||||
xerxes = {
|
||||
cores = 2;
|
||||
consul = false;
|
||||
nets = rec {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.1.3";
|
||||
@ -592,7 +588,53 @@ in {
|
||||
syncthing.id = "CADHN7J-CWRCWTZ-3GZRLII-JBVZN4N-RGHDGDL-UTAJNYI-RZPHK55-7EYAWQM";
|
||||
};
|
||||
|
||||
massulus = {
|
||||
cores = 1;
|
||||
ci = false;
|
||||
nets = {
|
||||
retiolum = {
|
||||
ip4.addr = "10.243.0.113";
|
||||
ip6.addr = r6 "113";
|
||||
aliases = [
|
||||
"massulus.r"
|
||||
];
|
||||
tinc = {
|
||||
pubkey = ''
|
||||
-----BEGIN PUBLIC KEY-----
|
||||
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApwYalnJ2E1e3WOttPCpt
|
||||
ypNm2adUXS/pejcbF68oRvgv6NRMOKVkoFVEzdnCLYTkYkwcpGd+oRO91F+ekZrN
|
||||
ndEoicuzHNyG6NTXfW3Sjj9Au/NoAVwOJxAztzXMBAsH5pi4PSiqIQZC4l6cyv2K
|
||||
zUNm1LvW5Z5/W0J5XCUw3/B4Py7V/HjW9Yxe8MCaCVVP2kF5SwjmfQ+Yp+8csvU3
|
||||
F30xFjcTJjjWUPSkubgxtsfkrbbjzdMZhKldi3l9LhbYWD8O4bUTrTau/Emaaf6e
|
||||
v5paVh9Kczwg7Ugk9Co3GL4tKOE2I7kRQV2Rg0M5NcRBUwfxkl6JTI2PmY0fNmYd
|
||||
kdLQ1fKlFOrkyHuPBjZET1UniomlLpdycyyZii+YWLoQNj4JlFl8nAlPbqkiy8EF
|
||||
LcHvB2VfdjjyBY25TtYPjFzFsEYKd8HQ7djs8rvJvmhu4tLDD6NaOqJPWMo7I7rW
|
||||
EavQWZd+CELCJNN8eJhYWIGpnq+BI00FKayUAX+OSObYCHD1AikiiIaSjfDCrCJb
|
||||
KVDj/uczOjxHk6TUVbepFA7C8EAxZ01sgHtUDkIfvcDMs4DGn88PmjPW+V/4MfKl
|
||||
oqT7aVv6BYJdSK63rH3Iw+qTvdtzj+vcoO+HmRt2I2Be4ZPSeDrt+riaLycrVF00
|
||||
yFmvsQgi48/0ZSwaVGR8lFUCAwEAAQ==
|
||||
-----END PUBLIC KEY-----
|
||||
'';
|
||||
pubkey_ed25519 = "QwKNyv97Q2/fmPrVkgbGIhDTVW+uKu+F2enGCtZJgkM";
|
||||
port = 1655;
|
||||
};
|
||||
};
|
||||
wiregrill = {
|
||||
ip6.addr = w6 "113";
|
||||
aliases = [
|
||||
"massulus.w"
|
||||
];
|
||||
wireguard.pubkey = ''
|
||||
4wXpuDBEJS8J1bxS4paz/eZP1MuMfgHDCvOPn4TYtHQ=
|
||||
'';
|
||||
};
|
||||
};
|
||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH8lFXZ/d2NtqyrpslTGRNBR7FJZCJ6i3UPy0LDl9t7 ";
|
||||
};
|
||||
|
||||
phone = {
|
||||
consul = false;
|
||||
nets = {
|
||||
wiregrill = {
|
||||
ip4.addr = "10.244.1.13";
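Review bot: The new `ssh.pubkey` string for `massulus` ends in a trailing space before the closing quote (`...LDl9t7 "`), so anything that writes it into `known_hosts`/`authorized_keys` or compares keys byte-for-byte will not match the key the host actually presents. Trim it to `ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH8lFXZ/d2NtqyrpslTGRNBR7FJZCJ6i3UPy0LDl9t7";`. The `hosts` attribute set continues outside the hunk.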
|
||||
@ -608,6 +650,7 @@ in {
|
||||
syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ";
|
||||
};
|
||||
tablet = {
|
||||
consul = false;
|
||||
nets = {
|
||||
wiregrill = {
|
||||
ip4.addr = "10.244.1.14";
|
||||
@ -622,6 +665,7 @@ in {
|
||||
ci = false;
|
||||
};
|
||||
hilum = {
|
||||
consul = false;
|
||||
cores = 1;
|
||||
nets = {
|
||||
retiolum = {
|
||||
@ -797,6 +841,7 @@ in {
|
||||
};
|
||||
|
||||
lasspi = {
|
||||
consul = false;
|
||||
cores = 1;
|
||||
nets = {
|
||||
retiolum = {
|
||||
@ -840,6 +885,7 @@ in {
|
||||
};
|
||||
|
||||
domsen-pixel = {
|
||||
consul = false;
|
||||
nets = {
|
||||
wiregrill = {
|
||||
ip4.addr = "10.244.1.17";
|
||||
|
@ -58,52 +58,100 @@ D7u4ShvPtxqFf+mv/4eHYx2akBIIUQYAf5OYGnE3E0kqiuK4qHKgt1NI5z1mSd9D
|
||||
duWIuoRbBUrApTKsHgwtMxNrNVioGIE1dTRuu56drhwY2ZPyzVtSb7q/hRU/a3UZ
|
||||
5S6EsrmDGIIlAHrgKfKfuerESE5VzN1Nn3QHpfjwX+gq51cosTqlRiu4oMesPk31
|
||||
ZmPcuG6H/m7nGagX9+l00sDsqISqMG4lZCJAFa020OS/g6V3q6LCqggky6+4sQTG
|
||||
5HB8jGba2tXMSQfBQEtDFve6agiRTw8z1V8s1gPCMmPhsLi5Ag0EXaJN1gEQANML
|
||||
yxoeknGlTtkG640UP5ZkUEojwXxlni3v2dpWEaEJO9yqvkELCWum5pRz+iDzoDFS
|
||||
lUPnP3YKVFkLbAlk56abIAQ6VK7wkOSHCw1F7LlCY830bRkgGJ8/b8us9KpET6Am
|
||||
ei7OGYVtqNBUodEJi6XkH5q9RLQeVR+7ynt0LTAxO/mMFYc3nhccrhadubhh5rTd
|
||||
e/UcxBL/zYx8tCBy2F4ep6Anx02HOauTwaqk4KLhB9IcdS8sJQHFY7iEVWNcovwF
|
||||
8luGEGPJOdOPTMZz4jD4aWFqbT6ragWaG8tisLEe9UhET2LL3r/4DIgAJY4bwg5T
|
||||
ZyK/1j+Nj1IyYkQ9A6YF96Y5XCi9DF0MYq9NytWNnMCT8F4QCCDRWhgql714/Er/
|
||||
qfwnT2M6m8P4OS1sAHv5vDDYXezB0WrJNstYvhtHhi4ctuolBuwOb7nyIBlZovhk
|
||||
5/6IAFmoUprfGHOuttEcPTRDGv737cR1cYaz5QMuz2svNU3ivI/tYfIQwMAjv84A
|
||||
ZN2wl63QkghYo/dm9a5Ex78CNwZD/z7HOE3zD+Rd0C9/hXLpVVhN0mKmDzgJHPUo
|
||||
VDk//P3YgzM+dtUWWPJ1FfaTz2543V9MwVWUJQj0DIgl4noLHX3wkd/d4gYGAhlW
|
||||
kBxkbQPJ4NT7EKBFk44fa6DVuGOGatBAxKQq1GftABEBAAGJAjwEGAEKACYCGwwW
|
||||
IQTbzXV4RgabOS6pQB1mV76KjR7oBwUCX4l2DwUJBamPOQAKCRBmV76KjR7oB/Ds
|
||||
D/96TGfHa6BW1v2kUyHUKmpdk62UhZz49nTsOu1JeMI2cDMLkKaPyeKLsRpzV2qc
|
||||
OoG1dal7dgjtzKsWdz0HxrrbEs0rBJO4xOmg12Sv9fttTocTt2bQMe3d20Vihbi+
|
||||
NDEx2PeyncYulDd8PNfDkh8vWUJQoThqimXoVARwKNuH2oDytGceIp+BZLOH8HRz
|
||||
0ESH9nCAGw3gVX6vQPtjbMgoIXHAnAJkIe2boyyUHu2ZmD6CGjxGSSICMzShcDvN
|
||||
kcyPKG5BbOGRpbehaMcOOiGH0NsudUPOsyxQt90bP/U+WHPhvOTGk0PqGaOf8QDE
|
||||
saGlChd3wVK+uCGl60szcxQsbgzlEQVUG3tTW4QGfzL3XK5bHvuGj03Vb45005Y4
|
||||
6UCUP4ZkEYDsw1Hrn5bkPOP/Pc8Sz1MQt+nw1U3QXbHLxLb8fB82B6oDMakHPgaw
|
||||
73HxYwbaXDswBb6BVTc86RmXRH1+StObDiJp+h16EqdsSyp15tSM80GRf1KaNKxc
|
||||
MA4N7/i7j9M/z2fKWT7vTAGdcg8vhZH0MDQ9vRmYsuQZtoNieZVXnyQ/ILAgPhiL
|
||||
pdyPffQV0BpWKd68C8kEhoMP0D3h6Uj88ZOuapyOCvsrBvR7SQOVh+L+KMjh1Xgx
|
||||
WvPJuoU4Jox4og85/Gz0Ui8EROYyHg5yqPqsBBmz6h8F7rkCDQRdok4KARAAyG97
|
||||
rjKhP8Uie1i/16SekDo+GkpodBmvhrZiZdwg75YxriHhgioe2AKKmQItOdZOY+mV
|
||||
qMA63FmByDlPodHmQnrIAn/gr7p5V3lM+l0oVTI8maPO39iT7Nh6W/rv4ni8eMBk
|
||||
L6P2cPPaTpcv76qWl/WcMiEflPNSAFaxyIapq04rafthcIILWmOBbQ+liMn9YT7a
|
||||
6w3nF/Ig4Zxx7hoQE6/HrTC8HcENpCAceQQYAqIrlu8F5y1AQVWHjtyCPee1z/8l
|
||||
PNnPg40lSbXozg5kQDP965Pge6XReUoUVVRcgeiSUfkHdYPIkh/tkFy1MtzTNize
|
||||
buadqE41Ds6BD1maO5cpGc5iFnf+YY01vWIhwvgPMbAsUKrPOw/RyvYSwOrnWegh
|
||||
pKuIRv+sBcDY0jJ799CHB2c8eiAYoTRm64rKyYS8RIilqTCmIHnpoSIq3n1wOlMV
|
||||
X4sB4N4CfAZRAbI9LZfx1QEYn0dst9+mCDRJ/ALBxocKz0wRTpwU5nwP1Zz9TZVh
|
||||
81wn1Ypj+mFb3aBggpwMLxbifmbsZmd1MwW9k3p2WTs8M1dLFM2ZNA9QmkgRSVFN
|
||||
6GTTpAyDOs+ZSGYM7MisG9/EvFbNx2BPg6qZH7JeMnlOZXXOg8K5VcLkiGuL1brO
|
||||
Hlg94Axha8ffMmqjsde6XOAgvSl5P9k47SWOcZkAEQEAAYkCPAQYAQoAJgIbIBYh
|
||||
BNvNdXhGBps5LqlAHWZXvoqNHugHBQJfiXYPBQkFqY8FAAoJEGZXvoqNHugHuLUP
|
||||
+gJ01mSEs3+0jriWqg7V+Q59rulMVrUdV2mjBtzz3gvF9PLiEnVEl7EgGdLpVIr/
|
||||
Wr9QIiUnS1NNrDz8oeDf54Q+OXtQOiczGClK+yWSm/CM02+HATFws66umAl4GQ4X
|
||||
qAJwdSDDKIHCP1/0VqXNQUOWW0GCCGCAdn55u4pf+B1rmkA3cWhN51SvAriA/YcG
|
||||
qmyJZgXO+qZOPWNHxNUdgq9lVEO132dhDzH1b9ufnvQMDxF2V681fQ7E3zWEJZZb
|
||||
YLRB4jrSz8oxipGRGKgDLiR7lyQ/xRU161jSawblBTcIRXK9c4hv178xQWAInMjt
|
||||
Hst4YCpvclG26ypZLCzvw6swfnXf3A6Q4A8pZQVvogWZ01dlgofwHm8qlYxT7wSq
|
||||
eicOu3FkSHD8vNwkXnMLqxwkFr4BcSefzCiXulyMcb3h67ZfXAYAFGrrR581vGEt
|
||||
Xy+xfXK5PqBX7CWEl3Vs2an9whEncZuv1I9iyXDUmGP7Y373JjqNtpS2GMMPA73k
|
||||
nB7eI/zpVS5qoxUlqw35Pldvt+L4E3hvrvE7iZE3w4lB9WUyY1OnSRDU10l2rqWt
|
||||
Ptyk3LE2ed5hz5I+gy8/RsXrAooMBXIGV/GJrhye45wf5F/XQqPulnj38sKhmrQC
|
||||
QTubPgJwG/kTpNdrA3YukE3E7T5ejaGTT2n5nKat6bj7
|
||||
=h9fX
|
||||
5HB8jGba2tXMSQfBQEtDFve6agiRTw8z1V8s1gPCMmPhsLiJBGwEGAEKACACGwIW
|
||||
IQTbzXV4RgabOS6pQB1mV76KjR7oBwUCY1E8SAJAwXQgBBkBCgAdFiEEVAotn4qI
|
||||
hqe83vdsfheGip18nM8FAl2iTZIACgkQfheGip18nM9DVxAAuqX7iztddbttkIfN
|
||||
65R5XJPjz7NRg0AI8G+1qnkvF3c2ufNjL++BJSvlbi/2ov92S+0CPF08E4kDsHjA
|
||||
/JM782D6lDfSZltW4YBBqkJZdtiPElcIqIhM6EX7fs3Ag/RjUVPb4tYkH20xcNhy
|
||||
l+0RdBuSvR0+KOXXBfoNmsyQM4/hUKiWW3vGOZOBmYPNcvAQcMs+p4D5JHQcOyxg
|
||||
tXyiXU/VxvUWI7cH6I7daRDTFR3L4zXoIrRwqEgxIqof2Zm4smoHDLfXxGQrcjj6
|
||||
eKkn/gt/T7qYxnhcG5guS2DwIay5c7xV1xuB7pDgM1On56heD21DI4vtXXnTkjo7
|
||||
/6hsw2e6TBcn295fEekvBupYVwazefBSlr2f3xxlDvd35D5tWZRVGspzxO15DcTa
|
||||
TglOeNtRnYGRwHwE/tiJ0G0uwGfvaI0xeexuhnTfvEkpJ4SJ/iMl+FpOw7I35H7m
|
||||
z8MrRNMjtR+Es8gzuw7hNErmbh0SLZvddoPnqt9kF8ayA1iz1X9KiBkkj3EbvI99
|
||||
jYjdDDm5lsxCZKLSX4r9Mp236K6DMGlifRN2AfdXziXhPABQkKE5m7kcn1gALn9M
|
||||
cg5HgeXTdxan6QP35ygDtmNldJGEP+AWAZ4RwaFK8P3/oqQ/8XhnkwH5n2SPd8WQ
|
||||
qnldvrtajUzUegvJUstLS5B1TFQJEGZXvoqNHugHrtcP+waicH+WhpbvPoHJW//U
|
||||
c7IwcrsOpWNuh0gKV1+LvBV9dGzGZDlhwsncMeNzT8tnxDwhD1CiJ1uzO2H1m+yX
|
||||
CeljVnYFlP0sl9IT/AiV8NNiuaIpOc5RjRY1yvOZ017/J7Hyhnaw0iap1vNDNOwH
|
||||
t7tzB1PvM3p6an4Jh0AJZF5adReQTbi9Zw7MW2Yf0XHTT4rFX+Mn5gcuvsV9n39d
|
||||
6U3k5G6Hf1bSROsXNVwOwF6VbO8NvBm6ehgNyRcGsino/f82HRwvnQPhJgEakZ1h
|
||||
WWUUnakK14mRRMUns8CMNfFh+50ciK1Q8kAVgYLVA1H1NXM0+68YZMl5CiiaD3pM
|
||||
17flwcWUdkIu3uWAvc3hSCNw6i9F4Kx1yD/ZdiT0vBapa3ehUXIo5g79NcFl9xnQ
|
||||
fnYG+nnl2bLZSHP8b+LZsGivOEZuBHoR2ComeTqqJxeT8ZsEdtLcloaSaf2Em2xf
|
||||
b9OfhGOC7hKfS4HAlLFbEydWuZuA8EpTXd6eqINCFbOb9BjpKvSCCLs5S3s7T4WE
|
||||
FQB7yHXQQgB1EzYaJxFZstkiD8exu/hiWfwVLaho09QbtPmt2u1lvbxiSxtCdphi
|
||||
hoKc6wjhD8F9YM5xxitcF7iAV7oEDZ/1JVkvi/1gWFgW0UmEKuy2KN/Eb/mr41NJ
|
||||
bMauCCfjnCbAzoW6dhHpbO45uQINBF2iTdYBEADTC8saHpJxpU7ZBuuNFD+WZFBK
|
||||
I8F8ZZ4t79naVhGhCTvcqr5BCwlrpuaUc/og86AxUpVD5z92ClRZC2wJZOemmyAE
|
||||
OlSu8JDkhwsNRey5QmPN9G0ZIBifP2/LrPSqRE+gJnouzhmFbajQVKHRCYul5B+a
|
||||
vUS0HlUfu8p7dC0wMTv5jBWHN54XHK4Wnbm4Yea03Xv1HMQS/82MfLQgctheHqeg
|
||||
J8dNhzmrk8GqpOCi4QfSHHUvLCUBxWO4hFVjXKL8BfJbhhBjyTnTj0zGc+Iw+Glh
|
||||
am0+q2oFmhvLYrCxHvVIRE9iy96/+AyIACWOG8IOU2civ9Y/jY9SMmJEPQOmBfem
|
||||
OVwovQxdDGKvTcrVjZzAk/BeEAgg0VoYKpe9ePxK/6n8J09jOpvD+DktbAB7+bww
|
||||
2F3swdFqyTbLWL4bR4YuHLbqJQbsDm+58iAZWaL4ZOf+iABZqFKa3xhzrrbRHD00
|
||||
Qxr+9+3EdXGGs+UDLs9rLzVN4ryP7WHyEMDAI7/OAGTdsJet0JIIWKP3ZvWuRMe/
|
||||
AjcGQ/8+xzhN8w/kXdAvf4Vy6VVYTdJipg84CRz1KFQ5P/z92IMzPnbVFljydRX2
|
||||
k89ueN1fTMFVlCUI9AyIJeJ6Cx198JHf3eIGBgIZVpAcZG0DyeDU+xCgRZOOH2ug
|
||||
1bhjhmrQQMSkKtRn7QARAQABiQI8BBgBCgAmAhsMFiEE2811eEYGmzkuqUAdZle+
|
||||
io0e6AcFAl+Jdg8FCQWpjzkACgkQZle+io0e6Afw7A//ekxnx2ugVtb9pFMh1Cpq
|
||||
XZOtlIWc+PZ07DrtSXjCNnAzC5Cmj8nii7Eac1dqnDqBtXWpe3YI7cyrFnc9B8a6
|
||||
2xLNKwSTuMTpoNdkr/X7bU6HE7dm0DHt3dtFYoW4vjQxMdj3sp3GLpQ3fDzXw5If
|
||||
L1lCUKE4aopl6FQEcCjbh9qA8rRnHiKfgWSzh/B0c9BEh/ZwgBsN4FV+r0D7Y2zI
|
||||
KCFxwJwCZCHtm6MslB7tmZg+gho8RkkiAjM0oXA7zZHMjyhuQWzhkaW3oWjHDjoh
|
||||
h9DbLnVDzrMsULfdGz/1Plhz4bzkxpND6hmjn/EAxLGhpQoXd8FSvrghpetLM3MU
|
||||
LG4M5REFVBt7U1uEBn8y91yuWx77ho9N1W+OdNOWOOlAlD+GZBGA7MNR65+W5Dzj
|
||||
/z3PEs9TELfp8NVN0F2xy8S2/HwfNgeqAzGpBz4GsO9x8WMG2lw7MAW+gVU3POkZ
|
||||
l0R9fkrTmw4iafodehKnbEsqdebUjPNBkX9SmjSsXDAODe/4u4/TP89nylk+70wB
|
||||
nXIPL4WR9DA0Pb0ZmLLkGbaDYnmVV58kPyCwID4Yi6Xcj330FdAaVinevAvJBIaD
|
||||
D9A94elI/PGTrmqcjgr7Kwb0e0kDlYfi/ijI4dV4MVrzybqFOCaMeKIPOfxs9FIv
|
||||
BETmMh4Ocqj6rAQZs+ofBe6JAjYEGAEKACACGwwWIQTbzXV4RgabOS6pQB1mV76K
|
||||
jR7oBwUCY1E8SAAKCRBmV76KjR7oBwM+D/0evufvIWftzdge63hol1k4LdZSiSD9
|
||||
bh+h8fb/Mm+2HIS8RweHr1+CS8CW/Om9MJoW0ZDsCmC0vU44/vLL3JzbP4+BDuVF
|
||||
dky1XX/9Z73Fn/LpakITyXd6YJMsknzAA4ZEzhe4uModNSH5IU818I+/Vyvbe1nX
|
||||
Hfg2FYva4zVn9E5Gd4vpHBF7D99dGg0vUINtux06WKfdsDB59MiZxCSWfqty+yTM
|
||||
XWwh5fuFIxwjlkKVdrb45101MnUtzJDmxwPxjOpF+z2tJ0qIvs6Zu6FDEh7fcaJM
|
||||
mKAPtVXKRxTYaS6j7fpNk5ACFgiHDb+0mI60fH0eiQSqp9Q7cyYbt1yiW2bKY4Pg
|
||||
qDOtcLT+uIYYVmxBHTLx38gT3Gp83O7WqNZ9ouctIXAXHWwTNsKzMhwgaEmmPbkP
|
||||
7VO8oZZ9hVphirmijgNO1Oz7Qqh5ORYwsGdvYtbPXD4ZUSpqFT5bTMHS5TKPHf70
|
||||
5alkwYuwYfLs4m2zYsKadQ+vq12ZX7Z6+DbjfzWAEhzqLP2Y8yGnFSBSmULsALnj
|
||||
Zg3RN5sxJe3fhTze09Fm8OTopTLoDH5fR91VPhRLGHahvV1Sm/H4ZdtAXTPsHP20
|
||||
phAc8mK2DgEM0k7vDO5RtV4xTLjBopiciXIBL+TzCKGmDRX2+9nTyF3Kx9qjN52H
|
||||
EFFJ1mTed/J7VrkCDQRdok4KARAAyG97rjKhP8Uie1i/16SekDo+GkpodBmvhrZi
|
||||
Zdwg75YxriHhgioe2AKKmQItOdZOY+mVqMA63FmByDlPodHmQnrIAn/gr7p5V3lM
|
||||
+l0oVTI8maPO39iT7Nh6W/rv4ni8eMBkL6P2cPPaTpcv76qWl/WcMiEflPNSAFax
|
||||
yIapq04rafthcIILWmOBbQ+liMn9YT7a6w3nF/Ig4Zxx7hoQE6/HrTC8HcENpCAc
|
||||
eQQYAqIrlu8F5y1AQVWHjtyCPee1z/8lPNnPg40lSbXozg5kQDP965Pge6XReUoU
|
||||
VVRcgeiSUfkHdYPIkh/tkFy1MtzTNizebuadqE41Ds6BD1maO5cpGc5iFnf+YY01
|
||||
vWIhwvgPMbAsUKrPOw/RyvYSwOrnWeghpKuIRv+sBcDY0jJ799CHB2c8eiAYoTRm
|
||||
64rKyYS8RIilqTCmIHnpoSIq3n1wOlMVX4sB4N4CfAZRAbI9LZfx1QEYn0dst9+m
|
||||
CDRJ/ALBxocKz0wRTpwU5nwP1Zz9TZVh81wn1Ypj+mFb3aBggpwMLxbifmbsZmd1
|
||||
MwW9k3p2WTs8M1dLFM2ZNA9QmkgRSVFN6GTTpAyDOs+ZSGYM7MisG9/EvFbNx2BP
|
||||
g6qZH7JeMnlOZXXOg8K5VcLkiGuL1brOHlg94Axha8ffMmqjsde6XOAgvSl5P9k4
|
||||
7SWOcZkAEQEAAYkCPAQYAQoAJgIbIBYhBNvNdXhGBps5LqlAHWZXvoqNHugHBQJf
|
||||
iXYPBQkFqY8FAAoJEGZXvoqNHugHuLUP+gJ01mSEs3+0jriWqg7V+Q59rulMVrUd
|
||||
V2mjBtzz3gvF9PLiEnVEl7EgGdLpVIr/Wr9QIiUnS1NNrDz8oeDf54Q+OXtQOicz
|
||||
GClK+yWSm/CM02+HATFws66umAl4GQ4XqAJwdSDDKIHCP1/0VqXNQUOWW0GCCGCA
|
||||
dn55u4pf+B1rmkA3cWhN51SvAriA/YcGqmyJZgXO+qZOPWNHxNUdgq9lVEO132dh
|
||||
DzH1b9ufnvQMDxF2V681fQ7E3zWEJZZbYLRB4jrSz8oxipGRGKgDLiR7lyQ/xRU1
|
||||
61jSawblBTcIRXK9c4hv178xQWAInMjtHst4YCpvclG26ypZLCzvw6swfnXf3A6Q
|
||||
4A8pZQVvogWZ01dlgofwHm8qlYxT7wSqeicOu3FkSHD8vNwkXnMLqxwkFr4BcSef
|
||||
zCiXulyMcb3h67ZfXAYAFGrrR581vGEtXy+xfXK5PqBX7CWEl3Vs2an9whEncZuv
|
||||
1I9iyXDUmGP7Y373JjqNtpS2GMMPA73knB7eI/zpVS5qoxUlqw35Pldvt+L4E3hv
|
||||
rvE7iZE3w4lB9WUyY1OnSRDU10l2rqWtPtyk3LE2ed5hz5I+gy8/RsXrAooMBXIG
|
||||
V/GJrhye45wf5F/XQqPulnj38sKhmrQCQTubPgJwG/kTpNdrA3YukE3E7T5ejaGT
|
||||
T2n5nKat6bj7iQI2BBgBCgAgAhsgFiEE2811eEYGmzkuqUAdZle+io0e6AcFAmNR
|
||||
PEgACgkQZle+io0e6AfQpg/+K0gD0WVyXYLOEM6jCvtz5/f9nDQnqj90ck9VfpuN
|
||||
QG+cMSK/u3T4ya0k3UDWxEyRih0BzChOlmwnaupBwN7ZbYAzxM0sglwseSdAPpCE
|
||||
s63RTnaAxpSWFocsUxtJngSoPnnmD1fVbWL3/j9j6jZkT4NB/l2ekDngMyRqt104
|
||||
BmabaLdz44X1VDgg0tXyACkZ8c/8ISBOoPSFg2n9FuCmhI9Atu6hjCFQZOA/youA
|
||||
fXzeUxU3iFw5UhyNP084jZ9AK2xwp+rB3JzvzMdiqO3OBFemuiU4/ZKQKFg5a/n4
|
||||
UAZtO8V2DGe76o1N9uFUvQ41RSAXolPUOTXiZvP4GfiGIhJUXV96QaPHhKWybKlr
|
||||
4MWG5PpwfuWnGoP8vXtLmz2TDRUfEBOQBzYRBRvXmzekq8nFQCM7dGofLLEchMRv
|
||||
lYHab2fquGmXiY3LfzyQX+vS3FO9/m2POJcdXcQvSq4MXIzOEzXnJKw5HemfZ3ae
|
||||
/AlTTfE4og/AYLwacECY6CZqUFOYtQeVx9hSXV97XnoKotde66D4RyFgzFbsIBM/
|
||||
bA5qyvdpKb60hqjpj/rhXjlnhH8KwAwOlaPVgI1cgnW8uJTElJEtqHPhuRkU6y9f
|
||||
au4EZ+tsmaxJ0whuziG1/3LJ62AIM9ZpixDEj4GQYaRdkFrx/1IKiUOlw5GQC3y2
|
||||
zxs=
|
||||
=MmP2
|
||||
-----END PGP PUBLIC KEY BLOCK-----
|
||||
|
@ -5,27 +5,55 @@ with import <stockholm/lib>;
|
||||
plain = "/var/lib/containers/${cname}/var/state";
|
||||
ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs";
|
||||
securefs = "${cfg.dataLocation}/${cname}/securefs";
|
||||
luksfile = "${cfg.dataLocation}/${cname}/luksfile";
|
||||
};
|
||||
init = cname: {
|
||||
plain = ''
|
||||
echo 'no need for init'
|
||||
'';
|
||||
ecryptfs = ''
|
||||
${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
|
||||
'';
|
||||
securefs = ''
|
||||
${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
|
||||
'';
|
||||
luksfile = ''
|
||||
${pkgs.coreutils}/bin/truncate -s 10G '${(paths cname).luksfile}/fs.luks'
|
||||
${pkgs.cryptsetup}/bin/cryptsetup luksFormat '${(paths cname).luksfile}/fs.luks'
|
||||
${pkgs.cryptsetup}/bin/cryptsetup luksOpen '${(paths cname).luksfile}/fs.luks' 'luksfile-${cname}'
|
||||
${pkgs.xfsprogs}/bin/mkfs.xfs '/dev/mapper/luksfile-${cname}'
|
||||
'';
|
||||
};
|
||||
start = cname: {
|
||||
plain = ''
|
||||
:
|
||||
'';
|
||||
ecryptfs = ''
|
||||
if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
|
||||
if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
|
||||
|
||||
if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
|
||||
if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
|
||||
${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
|
||||
else
|
||||
${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
|
||||
fi
|
||||
else
|
||||
echo 'please run init-${cname} first'
|
||||
exit 1
|
||||
fi
|
||||
'';
|
||||
securefs = ''
|
||||
## TODO init file systems if it does not exist
|
||||
# ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
|
||||
## check if FS was initialized first
|
||||
if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
|
||||
${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions
|
||||
fi
|
||||
'';
|
||||
luksfile = ''
|
||||
mkdir -p /var/lib/containers/${cname}/var/state
|
||||
if ! test -e /dev/mapper/luksfile-${cname}; then
|
||||
${pkgs.cryptsetup}/bin/cryptsetup luksOpen '${(paths cname).luksfile}/fs.luks' 'luksfile-${cname}'
|
||||
fi
|
||||
if ! ${pkgs.mount}/bin/mount | grep -q '^/dev/mapper/luksfile-${cname} on /var/lib/containers/${cname}/var/state'; then
|
||||
mount '/dev/mapper/luksfile-${cname}' '/var/lib/containers/${cname}/var/state'
|
||||
fi
|
||||
'';
|
||||
};
|
||||
stop = cname: {
|
||||
plain = ''
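Review bot: The `luksfile` init has no guard against an existing image: `truncate -s 10G` leaves an existing `fs.luks` in place and `cryptsetup luksFormat` then offers to wipe it, so re-running `init-<name>` (which calls the init snippet unconditionally) is one typed `YES` away from destroying a synced container. A check such as `if test -e '${(paths cname).luksfile}/fs.luks'; then echo 'luks image exists, refusing to format'; exit 1; fi` before the truncate makes it safe to re-run. Two things deserve a comment as well: `truncate` needs the parent directory to exist already (presumably created by the acl/permown parts of this module, not visible here), and the backing file is only in a consistent state for syncing while the volume is closed, since `start` mounts it read-write in place.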
|
||||
@ -37,12 +65,16 @@ with import <stockholm/lib>;
|
||||
securefs = ''
|
||||
umount /var/lib/containers/${cname}/var/state
|
||||
'';
|
||||
luksfile = ''
|
||||
umount /var/lib/containers/${cname}/var/state
|
||||
${pkgs.cryptsetup}/bin/cryptsetup luksClose luksfile-${cname}
|
||||
'';
|
||||
};
|
||||
in {
|
||||
options.krebs.sync-containers = {
|
||||
dataLocation = mkOption {
|
||||
description = ''
|
||||
location where the encrypted sync-container lie around
|
||||
location where the encrypted sync-containers lie around
|
||||
'';
|
||||
default = "/var/lib/sync-containers";
|
||||
type = types.absolute-pathname;
|
||||
@ -64,25 +96,11 @@ in {
|
||||
default = [];
|
||||
type = types.listOf types.str;
|
||||
};
|
||||
hostIp = mkOption { # TODO find this automatically
|
||||
description = ''
|
||||
hostAddress of the privateNetwork
|
||||
'';
|
||||
example = "10.233.2.15";
|
||||
type = types.str;
|
||||
};
|
||||
localIp = mkOption { # TODO find this automatically
|
||||
description = ''
|
||||
localAddress of the privateNetwork
|
||||
'';
|
||||
example = "10.233.2.16";
|
||||
type = types.str;
|
||||
};
|
||||
format = mkOption {
|
||||
description = ''
|
||||
file system encrption format of the container
|
||||
'';
|
||||
type = types.enum [ "plain" "ecryptfs" "securefs" ];
|
||||
type = types.enum [ "plain" "ecryptfs" "securefs" "luksfile" ];
|
||||
};
|
||||
};
|
||||
}));
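Review bot: The `format` description still reads `file system encrption format of the container` and should say `encryption`; now that `luksfile` joins the enum, the description would also benefit from one line per value, e.g. `plain = unencrypted, ecryptfs/securefs = per-file encryption, luksfile = a single 10G LUKS image`. The option is declared without a default, so every container must pick one explicitly — fine, but worth stating in the description.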
|
||||
@ -102,12 +120,11 @@ in {
|
||||
ignorePerms = false;
|
||||
})) cfg.containers);
|
||||
|
||||
krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
|
||||
file-mode = "u+rw";
|
||||
directory-mode = "u+rwx";
|
||||
owner = "syncthing";
|
||||
keepGoing = false;
|
||||
})) cfg.containers);
|
||||
krebs.acl = mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" {
|
||||
"u:syncthing:rX".parents = true;
|
||||
"u:syncthing:rwX" = {};
|
||||
}) cfg.containers;
|
||||
|
||||
|
||||
systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({
|
||||
reloadIfChanged = mkForce false;
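Review bot: `"u:syncthing:rX".parents = true` grants the syncthing user read+traverse on every ancestor of the data path; for `format = "plain"` that path is `/var/lib/containers/<name>/var/state`, so the ancestors include the container's own root at `/var/lib/containers/<name>` and `/var/lib/containers`, which syncthing can then list. If `krebs.acl` hands these entries to `setfacl` unchanged, traversal needs only execute: `"u:syncthing:x".parents = true;` while keeping `rwX` on the target itself. The switch from `permown` to ACLs is otherwise an improvement, since the container state no longer has to be chowned away from root.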
|
||||
@ -116,8 +133,11 @@ in {
|
||||
containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({
|
||||
config = { ... }: {
|
||||
environment.systemPackages = [
|
||||
pkgs.dhcpcd
|
||||
pkgs.git
|
||||
pkgs.jq
|
||||
];
|
||||
networking.useDHCP = mkForce true;
|
||||
system.activationScripts.fuse = {
|
||||
text = ''
|
||||
${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
|
||||
@ -131,11 +151,57 @@ in {
|
||||
autoStart = false;
|
||||
enableTun = true;
|
||||
privateNetwork = true;
|
||||
hostAddress = ctr.hostIp;
|
||||
localAddress = ctr.localIp;
|
||||
hostBridge = "ctr0";
|
||||
})) cfg.containers;
|
||||
|
||||
environment.systemPackages = flatten (mapAttrsToList (n: ctr: [
|
||||
networking.networkmanager.unmanaged = [ "ctr0" ];
|
||||
networking.bridges.ctr0.interfaces = [];
|
||||
networking.interfaces.ctr0.ipv4.addresses = [{
|
||||
address = "10.233.0.1";
|
||||
prefixLength = 24;
|
||||
}];
|
||||
# networking.nat = {
|
||||
# enable = true;
|
||||
# externalInterface = lib.mkDefault "et0";
|
||||
# internalInterfaces = [ "ctr0" ];
|
||||
# };
|
||||
services.dhcpd4 = {
|
||||
enable = true;
|
||||
interfaces = [ "ctr0" ];
|
||||
extraConfig = ''
|
||||
option subnet-mask 255.255.255.0;
|
||||
option routers 10.233.0.1;
|
||||
# option domain-name-servers 8.8.8.8; # TODO configure dns server
|
||||
subnet 10.233.0.0 netmask 255.255.255.0 {
|
||||
range 10.233.0.10 10.233.0.250;
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
users.users.root.packages = flatten (mapAttrsToList (n: ctr: [
|
||||
(pkgs.writeDashBin "init-${ctr.name}" ''
|
||||
set -euf
|
||||
set -x
|
||||
|
||||
mkdir -p /var/lib/containers/${ctr.name}/var/state
|
||||
STATE=$(/run/current-system/sw/bin/nixos-container status ${ctr.name})
|
||||
if [ "$STATE" = 'up' ]; then
|
||||
/run/current-system/sw/bin/nixos-container stop ${ctr.name}
|
||||
fi
|
||||
${(init ctr.name).${ctr.format}}
|
||||
${(start ctr.name).${ctr.format}}
|
||||
/run/current-system/sw/bin/nixos-container start ${ctr.name}
|
||||
/run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
|
||||
set -x
|
||||
|
||||
mkdir -p /var/state/var_src
|
||||
ln -sfTr /var/state/var_src /var/src
|
||||
touch /etc/NIXOS
|
||||
''}
|
||||
target_ip=$(/run/current-system/sw/bin/nixos-container run ${ctr.name} -- ip -j a s eth0 | jq -r '.[].addr_info[] | select(.family=="inet") | .local')
|
||||
|
||||
echo "deploy to $target_ip"
|
||||
'')
|
||||
(pkgs.writeDashBin "start-${ctr.name}" ''
|
||||
set -euf
|
||||
set -x
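Review bot: The `deploy-<name>` snippet run inside the container sets only `set -x`, so a failing `mkdir -p /var/state/var_src` or `ln -sfTr` is traced and ignored while the outer `init-<name>` script carries on to `nixos-container start`; use `set -efux` there like the enclosing script does. `target_ip` is taken from `.[].addr_info[] | select(.family=="inet") | .local`, which prints one line per IPv4 address on eth0, so it may contain a newline once a secondary address appears — `first(...)` or `[...][0]` pins a single value. The `dhcpd4` block hands out no DNS server (the `option domain-name-servers` line is still a TODO) and the NAT block is commented out, so as far as this hunk shows containers get an address but neither name resolution nor a route off the host; presumably intentional for now, but a comment saying so will save the next reader a debugging session.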
|
||||
@ -144,12 +210,12 @@ in {
|
||||
|
||||
${(start ctr.name).${ctr.format}}
|
||||
|
||||
STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name})
|
||||
STATE=$(/run/current-system/sw/bin/nixos-container status ${ctr.name})
|
||||
if [ "$STATE" = 'down' ]; then
|
||||
${pkgs.nixos-container}/bin/nixos-container start ${ctr.name}
|
||||
/run/current-system/sw/bin/nixos-container start ${ctr.name}
|
||||
fi
|
||||
|
||||
${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
|
||||
/run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
|
||||
set -x
|
||||
|
||||
mkdir -p /var/state/var_src
|
||||
@ -158,15 +224,17 @@ in {
|
||||
''}
|
||||
|
||||
if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then
|
||||
${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
|
||||
/run/current-system/sw/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
|
||||
else
|
||||
echo 'no nixos config, or target already online, bailing out'
|
||||
${(stop ctr.name).${ctr.format}}
|
||||
/run/current-system/sw/bin/nixos-container stop ${ctr.name}
|
||||
fi
|
||||
'')
|
||||
(pkgs.writeDashBin "stop-${ctr.name}" ''
|
||||
set -euf
|
||||
|
||||
${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name}
|
||||
/run/current-system/sw/bin/nixos-container stop ${ctr.name}
|
||||
${(stop ctr.name).${ctr.format}}
|
||||
'')
|
||||
]) cfg.containers);
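Review bot: `ping -c1 -q -w5 ${ctr.name}.r` is the only guard against starting a container that is already running on another host, and it treats a name-resolution failure exactly like a silent host (ping exits non-zero either way), so a DNS or tinc hiccup on the starting side lets two hosts run the same synced state at once. Resolving first, e.g. `getent hosts ${ctr.name}.r >/dev/null || { echo 'cannot resolve, refusing to start'; exit 1; }`, and only then pinging narrows that window; a comment next to the `if` stating that this is a best-effort check and not a lock belongs there too. The `start-<name>` script begins before this hunk; only its tail is visible.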
|
||||
|
@ -1,23 +0,0 @@
|
||||
{ buildGo117Module , fetchFromGitHub, lib }:
|
||||
|
||||
buildGo117Module rec {
|
||||
pname = "ergo";
|
||||
version = "2.9.1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "ergochat";
|
||||
repo = "ergo";
|
||||
rev = "v${version}";
|
||||
sha256 = "sha256-RxsmkTfHymferS/FRW0sLnstKfvGXkW6cEb/JbeS4lc=";
|
||||
};
|
||||
|
||||
vendorSha256 = null;
|
||||
|
||||
meta = {
|
||||
description = "A modern IRC server (daemon/ircd) written in Go";
|
||||
homepage = "https://github.com/ergochat/ergo";
|
||||
license = lib.licenses.mit;
|
||||
maintainers = with lib.maintainers; [ lassulus tv ];
|
||||
platforms = lib.platforms.linux;
|
||||
};
|
||||
}
|
@ -1,6 +1,6 @@
|
||||
{ lib, pkgs, ... }:
|
||||
|
||||
pkgs.writeDashBin "hashPassword" ''
|
||||
pkgs.writers.writeDashBin "hashPassword" ''
|
||||
# usage: hashPassword [...]
|
||||
set -euf
|
||||
|
||||
|
@ -1,25 +0,0 @@
|
||||
{ curl, jq, nix, writeDashBin }:
|
||||
|
||||
writeDashBin "nix-prefetch-github" ''
|
||||
# usage: nix-prefetch-github OWNER REPO [REF]
|
||||
set -efu
|
||||
|
||||
owner=$1
|
||||
repo=$2
|
||||
ref=''${3-master}
|
||||
|
||||
info_url=https://api.github.com/repos/$owner/$repo/commits/$ref
|
||||
info=$(${curl}/bin/curl -fsS "$info_url")
|
||||
rev=$(printf %s "$info" | ${jq}/bin/jq -r .sha)
|
||||
|
||||
name=$owner-$repo-$ref
|
||||
url=https://github.com/$owner/$repo/tarball/$rev
|
||||
sha256=$(${nix}/bin/nix-prefetch-url --name "$name" --unpack "$url")
|
||||
|
||||
export owner repo rev sha256
|
||||
${jq}/bin/jq -n '
|
||||
env | {
|
||||
owner, repo, rev, sha256
|
||||
}
|
||||
'
|
||||
''
|
64
krebs/5pkgs/simple/stable-generate/default.nix
Normal file
@ -0,0 +1,64 @@
|
||||
{ pkgs, lib, ... }:
|
||||
|
||||
pkgs.writers.writeDashBin "stable-generate" ''
|
||||
set -efu
|
||||
|
||||
export PATH=${lib.makeBinPath [
|
||||
pkgs.curl
|
||||
pkgs.jq
|
||||
]}
|
||||
|
||||
STABLE_URL=''${STABLE_URL:-http://stable-confusion.r}
|
||||
|
||||
PAYLOAD=$(jq -cn --arg query "$*" '{fn_index: 51, data: [
|
||||
$query,
|
||||
"",
|
||||
"None",
|
||||
"None",
|
||||
20, # sampling steps
|
||||
"Euler a", # sampling method
|
||||
false, # restore faces
|
||||
false,
|
||||
1,
|
||||
1,
|
||||
7,
|
||||
-1,
|
||||
-1,
|
||||
0,
|
||||
0,
|
||||
0,
|
||||
false,
|
||||
512, #probably resolution
|
||||
512, #probably resolution
|
||||
false,
|
||||
0.7,
|
||||
0,
|
||||
0,
|
||||
"None",
|
||||
"",
|
||||
false,
|
||||
false,
|
||||
false,
|
||||
"",
|
||||
"Seed",
|
||||
"",
|
||||
"Nothing",
|
||||
"",
|
||||
true,
|
||||
false,
|
||||
false,
|
||||
null,
|
||||
"",
|
||||
""], session_hash: "hello_this_is_dog"}')
|
||||
|
||||
data=$(curl -Ssf "$STABLE_URL/run/predict/" \
|
||||
-X POST \
|
||||
--Header 'Content-Type: application/json' \
|
||||
--data "$PAYLOAD"
|
||||
)
|
||||
export data
|
||||
|
||||
filename=$(jq -rn 'env.data | fromjson.data[0][0].name')
|
||||
|
||||
echo "$STABLE_URL/file=$filename"
|
||||
''
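Review bot: `filename=$(jq -rn 'env.data | fromjson.data[0][0].name')` prints `null` when the API returns an error object or an empty result, and the script then echoes `$STABLE_URL/file=null` with exit status 0; `jq -ern` makes jq exit 1 on a null result so `set -e` stops the script before the bogus URL is handed to the caller. `fn_index: 51`, the positional `data` array and the fixed `session_hash` are tied to one particular build of the Gradio UI, and a changed `fn_index` silently calls a different endpoint — a comment naming the webui version these were captured from is needed for whoever next finds this producing garbage. The prompt enters via `--arg query "$*"` and is therefore JSON-encoded rather than interpolated, which is the right way to carry the untrusted IRC text.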
|
@ -33,7 +33,7 @@ let
|
||||
|
||||
eval = lib.evalModules {
|
||||
modules = lib.singleton {
|
||||
_file = toString ./weechat-declarative.nix;
|
||||
_file = toString ./default.nix;
|
||||
imports = lib.singleton config;
|
||||
options = {
|
||||
scripts = lib.mkOption {
|
||||
@ -148,7 +148,8 @@ let
|
||||
${lib.concatStringsSep "\n"
|
||||
(lib.mapAttrsToList
|
||||
(name: target: /* sh */ ''
|
||||
${pkgs.coreutils}/bin/ln -s ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name}
|
||||
${pkgs.coreutils}/bin/cp ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name}
|
||||
${pkgs.coreutils}/bin/chmod +w "$CONFDIR"/${lib.escapeShellArg name}
|
||||
'')
|
||||
cfg.files
|
||||
)
|
||||
|
@ -1,9 +1,9 @@
|
||||
{
|
||||
"url": "https://github.com/NixOS/nixpkgs",
|
||||
"rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
|
||||
"date": "2022-10-31T16:44:53+01:00",
|
||||
"path": "/nix/store/6z1f9z44ljsxvn0kzlpz03a5m7lbh096-nixpkgs",
|
||||
"sha256": "1ikpccnyi0b7ql6jak4g3wl4876njybpvknfs6gin461xjp5fi24",
|
||||
"rev": "b457130e8a21608675ddf12c7d85227b22a27112",
|
||||
"date": "2022-11-16T11:03:19+00:00",
|
||||
"path": "/nix/store/jr123qfmrl53imi48naxh6zs486fqmz2-nixpkgs",
|
||||
"sha256": "16cjrr3np3f428lxw8yk6n2dqi7mg08zf6h6gv75zpw865jz44df",
|
||||
"fetchLFS": false,
|
||||
"fetchSubmodules": false,
|
||||
"deepClone": false,
|
||||
|
@ -1,9 +1,9 @@
|
||||
{
|
||||
"url": "https://github.com/NixOS/nixpkgs",
|
||||
"rev": "1b4722674c315de0e191d0d79790b4eac51570a1",
|
||||
"date": "2022-10-31T23:14:26+01:00",
|
||||
"path": "/nix/store/byvkpdxd5pwixshrfrxgl0z2xc9y9hcs-nixpkgs",
|
||||
"sha256": "0ykbqcfwx338m1jcln9pj629byxbyr448d88wsryp8sf6p611cv2",
|
||||
"rev": "6474d93e007e4d165bcf48e7f87de2175c93d10b",
|
||||
"date": "2022-11-16T11:41:31+01:00",
|
||||
"path": "/nix/store/z86f31carhz3sf78kn3lkyq748drgp63-nixpkgs",
|
||||
"sha256": "00swm7hz3fjyzps75bjyqviw6dqg2cc126wc7lcc1rjkpdyk5iwg",
|
||||
"fetchLFS": false,
|
||||
"fetchSubmodules": false,
|
||||
"deepClone": false,
|
||||
|
@ -11,78 +11,50 @@ with import <stockholm/lib>;
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/sync/sync.nix>
|
||||
<stockholm/lass/2configs/sync/decsync.nix>
|
||||
<stockholm/lass/2configs/sync/weechat.nix>
|
||||
|
||||
<stockholm/lass/2configs/weechat.nix>
|
||||
<stockholm/lass/2configs/bitlbee.nix>
|
||||
<stockholm/lass/2configs/IM.nix>
|
||||
|
||||
<stockholm/lass/2configs/muchsync.nix>
|
||||
<stockholm/lass/2configs/pass.nix>
|
||||
|
||||
<stockholm/lass/2configs/git-brain.nix>
|
||||
<stockholm/lass/2configs/et-server.nix>
|
||||
<stockholm/lass/2configs/consul.nix>
|
||||
|
||||
<stockholm/lass/2configs/atuin-server.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.green;
|
||||
|
||||
users.users.mainUser.openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.lass-android.pubkey
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0rn3003CkJMk3jZrh/3MC6nVorHRymlFSI4x1brCKY" # weechat ssh tunnel
|
||||
];
|
||||
|
||||
krebs.bindfs = {
|
||||
"/home/lass/.weechat" = {
|
||||
source = "/var/state/lass_weechat";
|
||||
options = [
|
||||
"-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}"
|
||||
"--create-for-user=${toString config.users.users.syncthing.uid}"
|
||||
];
|
||||
};
|
||||
"/home/lass/Maildir" = {
|
||||
source = "/var/state/lass_mail";
|
||||
options = [
|
||||
"-M ${toString config.users.users.mainUser.uid}"
|
||||
];
|
||||
};
|
||||
"/var/lib/bitlbee" = {
|
||||
source = "/var/state/bitlbee";
|
||||
options = [
|
||||
"-M ${toString config.users.users.bitlbee.uid}"
|
||||
];
|
||||
clearTarget = true;
|
||||
};
|
||||
"/home/lass/.ssh" = {
|
||||
source = "/var/state/lass_ssh";
|
||||
options = [
|
||||
"-M ${toString config.users.users.mainUser.uid}"
|
||||
];
|
||||
clearTarget = true;
|
||||
};
|
||||
"/home/lass/.gnupg" = {
|
||||
source = "/var/state/lass_gnupg";
|
||||
options = [
|
||||
"-M ${toString config.users.users.mainUser.uid}"
|
||||
];
|
||||
clearTarget = true;
|
||||
};
|
||||
"/var/lib/git" = {
|
||||
source = "/var/state/git";
|
||||
options = [
|
||||
"-M ${toString config.users.users.git.uid}"
|
||||
];
|
||||
clearTarget = true;
|
||||
};
|
||||
lass.sync-containers3.inContainer = {
|
||||
enable = true;
|
||||
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y";
|
||||
};
|
||||
|
||||
systemd.services."bindfs-_home_lass_Maildir".serviceConfig.ExecStartPost = pkgs.writeDash "symlink-notmuch" ''
|
||||
sleep 1
|
||||
mkdir -p /home/lass/notmuch
|
||||
chown lass: /home/lass/notmuch
|
||||
ln -sfTr /home/lass/notmuch /home/lass/Maildir/.notmuch
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /home/lass/.local/share 0700 lass users -"
|
||||
"d /home/lass/.local 0700 lass users -"
|
||||
|
||||
mkdir -p /home/lass/notmuch/muchsync
|
||||
chown lass: /home/lass/notmuch/muchsync
|
||||
mkdir -p /home/lass/Maildir/.muchsync
|
||||
ln -sfTr /home/lass/Maildir/.muchsync /home/lass/notmuch/muchsync/tmp
|
||||
'';
|
||||
"d /var/state/lass_mail 0700 lass users -"
|
||||
"L+ /home/lass/Maildir - - - - ../../var/state/lass_mail"
|
||||
|
||||
"d /var/state/lass_ssh 0700 lass users -"
|
||||
"L+ /home/lass/.ssh - - - - ../../var/state/lass_ssh"
|
||||
"d /var/state/lass_gpg 0700 lass users -"
|
||||
"L+ /home/lass/.gnupg - - - - ../../var/state/lass_gpg"
|
||||
"d /var/state/lass_sync 0700 lass users -"
|
||||
"L+ /home/lass/sync - - - - ../../var/state/lass_sync"
|
||||
|
||||
"d /var/state/git 0700 git nogroup -"
|
||||
"L+ /var/lib/git - - - - ../../var/state/git"
|
||||
];
|
||||
|
||||
users.users.mainUser.openssh.authorizedKeys.keys = [
|
||||
config.krebs.users.lass-android.pubkey
|
||||
config.krebs.users.lass-tablet.pubkey
|
||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKgpZwye6yavIs3gUIYvSi70spDa0apL2yHR0ASW74z8" # weechat ssh tunnel
|
||||
];
|
||||
|
||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
||||
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
|
||||
@ -93,4 +65,11 @@ with import <stockholm/lib>;
|
||||
HostKeyAlgorithms +ssh-rsa
|
||||
PubkeyAcceptedAlgorithms +ssh-rsa
|
||||
'';
|
||||
|
||||
services.dovecot2 = {
|
||||
enable = true;
|
||||
mailLocation = "maildir:~/Maildir";
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 143 ];
|
||||
}
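Review bot: `networking.firewall.allowedTCPPorts = [ 143 ];` opens the plaintext IMAP port on every interface, and the `services.dovecot2` block beside it configures only `enable` and `mailLocation` with no `sslServerCert`/`sslServerKey`, so mail clients will authenticate in the clear unless the only route into this container is already an encrypted tunnel. If that is the intent, record it, e.g. `# IMAP without TLS: reachable only over the host's container network`, or scope the rule the way the consul rules in this commit do with `-i retiolum`. In the earlier hunk the tmpfiles rules name the gnupg state directory `/var/state/lass_gpg`, which differs from the bindfs source this replaces, so existing keyrings will have to be moved by hand; a comment next to that rule would save the next reader the surprise. The enclosing attribute set starts and ends outside these hunks.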
|
||||
|
@ -3,5 +3,5 @@
|
||||
./config.nix
|
||||
];
|
||||
boot.isContainer = true;
|
||||
networking.useDHCP = false;
|
||||
networking.useDHCP = true;
|
||||
}
|
||||
|
@ -1,4 +1,6 @@
|
||||
{ lib, pkgs, test, ... }:
|
||||
if test then {} else {
|
||||
{ lib, pkgs, test, ... }: let
|
||||
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
|
||||
in if test then {} else {
|
||||
nixpkgs.git.ref = lib.mkForce npkgs.rev;
|
||||
nixpkgs-unstable = lib.mkForce { file = "/var/empty"; };
|
||||
}
|
||||
|
@ -1,6 +1,5 @@
|
||||
{ config, pkgs, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with import <stockholm/lib>;
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass>
|
||||
@ -17,11 +16,10 @@ with import <stockholm/lib>;
|
||||
<stockholm/lass/2configs/blue-host.nix>
|
||||
<stockholm/lass/2configs/green-host.nix>
|
||||
<stockholm/krebs/2configs/news-host.nix>
|
||||
<stockholm/lass/2configs/nfs-dl.nix>
|
||||
<stockholm/lass/2configs/prism-mounts/samba.nix>
|
||||
<stockholm/lass/2configs/fetchWallpaper.nix>
|
||||
<stockholm/lass/2configs/home-media.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/sync/sync.nix>
|
||||
<stockholm/lass/2configs/consul.nix>
|
||||
<stockholm/lass/2configs/red-host.nix>
|
||||
<stockholm/lass/2configs/snapclient.nix>
|
||||
];
|
||||
|
||||
|
@ -11,7 +11,6 @@
|
||||
loader.grub.device = "/dev/sda";
|
||||
|
||||
initrd.luks.devices.lusksroot.device = "/dev/sda2";
|
||||
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
|
||||
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
|
||||
};
|
||||
fileSystems = {
|
||||
@ -28,11 +27,6 @@
|
||||
fsType = "btrfs";
|
||||
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||
};
|
||||
"/tmp" = {
|
||||
device = "tmpfs";
|
||||
fsType = "tmpfs";
|
||||
options = ["nosuid" "nodev" "noatime"];
|
||||
};
|
||||
"/bku" = {
|
||||
device = "/dev/pool/bku";
|
||||
fsType = "btrfs";
|
||||
|
@ -154,6 +154,7 @@ with import <stockholm/lib>;
|
||||
tables.filter.INPUT.rules = [
|
||||
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
|
||||
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
|
||||
{ predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface
|
||||
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
|
||||
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
|
||||
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
|
||||
@ -164,7 +165,7 @@ with import <stockholm/lib>;
|
||||
client
|
||||
dev tun
|
||||
proto udp
|
||||
remote 196.240.57.43 1194
|
||||
remote 194.110.84.106 1194
|
||||
resolv-retry infinite
|
||||
remote-random
|
||||
nobind
|
||||
@ -174,7 +175,7 @@ with import <stockholm/lib>;
|
||||
persist-key
|
||||
persist-tun
|
||||
ping 15
|
||||
ping-restart 0
|
||||
ping-restart 15
|
||||
ping-timer-rem
|
||||
reneg-sec 0
|
||||
comp-lzo no
|
||||
@ -250,7 +251,7 @@ with import <stockholm/lib>;
|
||||
path = [
|
||||
pkgs.coreutils
|
||||
pkgs.findutils
|
||||
pkgs.inotifyTools
|
||||
pkgs.inotify-tools
|
||||
];
|
||||
serviceConfig = {
|
||||
Restart = "always";
|
||||
@ -271,4 +272,10 @@ with import <stockholm/lib>;
|
||||
enable = true;
|
||||
group = "download";
|
||||
};
|
||||
|
||||
services.magnetico = {
|
||||
enable = true;
|
||||
web.address = "0.0.0.0";
|
||||
web.port = 9092;
|
||||
};
|
||||
}
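Review bot: `web.address = "0.0.0.0"` together with the new `{ predicate = "-p tcp --dport 9092"; target = "ACCEPT"; }` rule publishes the magnetico web interface on every interface, and nothing in this block configures credentials for it. The consul rules added elsewhere in this commit scope their ACCEPT rules with `-i retiolum`; the same predicate here (`{ predicate = "-i retiolum -p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface`) or binding `web.address` to the retiolum address would keep the DHT index private, and if the module's `web.credentials` option is available it should be set as well. The enclosing attribute set starts outside the hunk.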
|
||||
|
@ -1,21 +1,23 @@
|
||||
{ config, lib, pkgs, ... }: let
|
||||
|
||||
alacritty-cfg = extrVals: builtins.toJSON ({
|
||||
font = {
|
||||
font = let
|
||||
family = "Iosevka";
|
||||
in {
|
||||
normal = {
|
||||
family = "Inconsolata";
|
||||
family = family;
|
||||
style = "Regular";
|
||||
};
|
||||
bold = {
|
||||
family = "Inconsolata";
|
||||
family = family;
|
||||
style = "Bold";
|
||||
};
|
||||
italic = {
|
||||
family = "Inconsolata";
|
||||
family = family;
|
||||
style = "Italic";
|
||||
};
|
||||
bold_italic = {
|
||||
family = "Inconsolata";
|
||||
family = family;
|
||||
style = "Bold Italic";
|
||||
};
|
||||
size = 8;
|
||||
@ -44,6 +46,7 @@
|
||||
name = "alacritty";
|
||||
paths = [
|
||||
(pkgs.writeDashBin "alacritty" ''
|
||||
${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml msg create-window "$@" ||
|
||||
${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml "$@"
|
||||
'')
|
||||
pkgs.alacritty
|
||||
|
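--- a/lass/2configs/atuin-server.nix
+++ b/lass/2configs/atuin-server.nix
@@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+{
+services.postgresql = {
+enable = true;
+dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
+ensureDatabases = [ "atuin" ];
+ensureUsers = [{
+name = "atuin";
+ensurePermissions."DATABASE atuin" = "ALL PRIVILEGES";
+}];
+};
+systemd.tmpfiles.rules = [
+"d /var/state/postgresql 0700 postgres postgres -"
+];
+users.groups.atuin = {};
+users.users.atuin = {
+uid = pkgs.stockholm.lib.genid_uint31 "atuin";
+isSystemUser = true;
+group = "atuin";
+home = "/run/atuin";
+createHome = true;
+};
+
+systemd.services.atuin = {
+wantedBy = [ "multi-user.target" ];
+environment = {
+ATUIN_HOST = "0.0.0.0";
+ATUIN_PORT = "8888";
+ATUIN_OPEN_REGISTRATION = "true";
+ATUIN_DB_URI = "postgres:///atuin";
+};
+serviceConfig = {
+User = "atuin";
+ExecStart = "${pkgs.atuin}/bin/atuin server start";
+};
+};
+networking.firewall.allowedTCPPorts = [ 8888 ];
+}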
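Review bot: `ATUIN_HOST = "0.0.0.0"` combined with `ATUIN_OPEN_REGISTRATION = "true"` and the unconditional `networking.firewall.allowedTCPPorts = [ 8888 ];` lets anyone who can reach this host create an account and push history to the server. consul.nix in this same commit binds to `config.krebs.build.host.nets.retiolum.ip4.addr` and filters with `-i retiolum`; doing the same here (`ATUIN_HOST = config.krebs.build.host.nets.retiolum.ip4.addr;` plus a `krebs.iptables` rule scoped to retiolum) keeps the service off public interfaces. Plan to set `ATUIN_OPEN_REGISTRATION = "false";` once the intended accounts exist, and note the trade-off inline, e.g. `# open registration: every reachable client may create an account`.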
@ -7,7 +7,6 @@ in {
|
||||
./alacritty.nix
|
||||
./mpv.nix
|
||||
./power-action.nix
|
||||
./copyq.nix
|
||||
./urxvt.nix
|
||||
./xdg-open.nix
|
||||
./yubikey.nix
|
||||
@ -80,7 +79,10 @@ in {
|
||||
powertop
|
||||
rxvt-unicode
|
||||
sshvnc
|
||||
sxiv
|
||||
(pkgs.writers.writeDashBin "sxiv" ''
|
||||
${pkgs.nsxiv}/bin/nsxiv "$@"
|
||||
'')
|
||||
nsxiv
|
||||
taskwarrior
|
||||
termite
|
||||
transgui
|
||||
@ -105,10 +107,56 @@ in {
|
||||
enableGhostscriptFonts = true;
|
||||
|
||||
fonts = with pkgs; [
|
||||
hack-font
|
||||
xorg.fontschumachermisc
|
||||
terminus_font_ttf
|
||||
inconsolata
|
||||
noto-fonts
|
||||
(iosevka.override {
|
||||
# https://typeof.net/Iosevka/customizer
|
||||
privateBuildPlan = {
|
||||
family = "Iosevka";
|
||||
spacing = "term";
|
||||
serifs = "slab";
|
||||
no-ligation = true;
|
||||
|
||||
variants.design = {
|
||||
capital-i = "serifless";
|
||||
capital-j = "serifless";
|
||||
a = "double-storey-tailed";
|
||||
b = "toothless-corner";
|
||||
d = "toothless-corner-serifless";
|
||||
f = "flat-hook-tailed";
|
||||
g = "earless-corner";
|
||||
i = "hooky";
|
||||
j = "serifless";
|
||||
l = "tailed";
|
||||
|
||||
m = "earless-corner-double-arch";
|
||||
n = "earless-corner-straight";
|
||||
p = "earless-corner";
|
||||
q = "earless-corner";
|
||||
r = "earless-corner";
|
||||
u = "toothless-rounded";
|
||||
y = "cursive-flat-hook";
|
||||
|
||||
one = "no-base-long-top-serif";
|
||||
two = "straight-neck";
|
||||
three = "flat-top";
|
||||
four = "open";
|
||||
six = "open-contour";
|
||||
seven = "straight-serifless";
|
||||
eight = "two-circles";
|
||||
nine = "open-contour";
|
||||
tilde = "low";
|
||||
asterisk = "hex-low";
|
||||
number-sign = "upright";
|
||||
at = "short";
|
||||
dollar = "open";
|
||||
percent = "dots";
|
||||
question = "corner-flat-hooked";
|
||||
};
|
||||
};
|
||||
set = "kookiefonts";
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
@ -174,4 +222,20 @@ in {
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
services.clipmenu.enable = true;
|
||||
|
||||
# synchronize all the clipboards
|
||||
systemd.user.services.autocutsel = {
|
||||
enable = true;
|
||||
wantedBy = [ "graphical-session.target" ];
|
||||
after = [ "graphical-session.target" ];
|
||||
serviceConfig = {
|
||||
Type = "forking";
|
||||
ExecStart = pkgs.writers.writeDash "autocutsel" ''
|
||||
${pkgs.autocutsel}/bin/autocutsel -fork -selection PRIMARY
|
||||
${pkgs.autocutsel}/bin/autocutsel -fork -selection CLIPBOARD
|
||||
'';
|
||||
};
|
||||
};
|
||||
}
|
||||
|
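--- a/lass/2configs/consul.nix
+++ b/lass/2configs/consul.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+{
+services.consul = {
+enable = true;
+# dropPrivileges = false;
+webUi = true;
+# interface.bind = "retiolum";
+extraConfig = {
+bind_addr = config.krebs.build.host.nets.retiolum.ip4.addr;
+bootstrap_expect = 3;
+server = true;
+# retry_join = config.services.consul.extraConfig.start_join;
+retry_join = lib.mapAttrsToList (n: h:
+lib.head h.nets.retiolum.aliases
+) (lib.filterAttrs (n: h: h.consul) config.krebs.hosts);
+rejoin_after_leave = true;
+
+# try to fix random lock loss on leader reelection
+retry_interval = "3s";
+performance = {
+raft_multiplier = 8;
+};
+};
+};
+
+environment.etc."consul.d/testservice.json".text = builtins.toJSON {
+service = {
+name = "testing";
+};
+};
+
+krebs.iptables.tables.filter.INPUT.rules = [
+{ predicate = "-i retiolum -p tcp --dport 8300"; target = "ACCEPT"; }
+{ predicate = "-i retiolum -p tcp --dport 8301"; target = "ACCEPT"; }
+{ predicate = "-i retiolum -p udp --dport 8301"; target = "ACCEPT"; }
+{ predicate = "-i retiolum -p tcp --dport 8302"; target = "ACCEPT"; }
+{ predicate = "-i retiolum -p udp --dport 8302"; target = "ACCEPT"; }
+{ predicate = "-i retiolum -p tcp --dport 8400"; target = "ACCEPT"; }
+{ predicate = "-i retiolum -p tcp --dport 8500"; target = "ACCEPT"; }
+{ predicate = "-i retiolum -p tcp --dport 8600"; target = "ACCEPT"; }
+{ predicate = "-i retiolum -p udp --dport 8500"; target = "ACCEPT"; }
+];
+}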
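Review bot: the last rule `{ predicate = "-i retiolum -p udp --dport 8500"; target = "ACCEPT"; }` looks like it was meant to be `--dport 8600`: 8500 is consul's HTTP API, which is TCP only, whereas the DNS interface on 8600 serves both TCP and UDP and the list already has the TCP 8600 entry but no UDP one. Separately, `extraConfig` sets neither a gossip `encrypt` key nor an `acl` section, so every host on retiolum can join the cluster and read or write the KV store and locks through port 8500 or the `webUi`; if retiolum membership is the intended trust boundary, say so in a comment such as `# no ACLs / gossip encryption: all retiolum peers are trusted`. The `consul.d/testservice.json` entry registering a service named `"testing"` reads like a leftover experiment and deserves either a purpose comment or removal.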
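--- a/lass/2configs/et-server.nix
+++ b/lass/2configs/et-server.nix
@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+{
+services.eternal-terminal = {
+enable = true;
+};
+networking.firewall.allowedTCPPorts = [ config.services.eternal-terminal.port ];
+}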
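Review bot: `networking.firewall.allowedTCPPorts = [ config.services.eternal-terminal.port ];` opens the eternal-terminal port on every interface, unlike the other services introduced in this commit whose rules are scoped to `-i retiolum`. If public exposure is deliberate (presumably because et sessions are bootstrapped over ssh, so the exposure is comparable to sshd's), a one-line comment would make that explicit, e.g. `# et is reachable publicly; session setup is authenticated via ssh`; otherwise replace the firewall entry with a `krebs.iptables` rule carrying `-i retiolum`.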
@ -2,32 +2,9 @@
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass/2configs/container-networking.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
];
|
||||
krebs.sync-containers.containers.green = {
|
||||
peers = [
|
||||
"echelon"
|
||||
"icarus"
|
||||
"littleT"
|
||||
"mors"
|
||||
"shodan"
|
||||
"skynet"
|
||||
"styx"
|
||||
];
|
||||
hostIp = "10.233.2.15";
|
||||
localIp = "10.233.2.16";
|
||||
format = "ecryptfs";
|
||||
};
|
||||
|
||||
services.borgbackup.jobs.sync-green = {
|
||||
encryption.mode = "none";
|
||||
paths = "/var/lib/sync-containers/green/ecryptfs";
|
||||
repo = "/var/lib/sync-containers/green/backup";
|
||||
compression = "auto,lzma";
|
||||
startAt = "daily";
|
||||
prune.keep = {
|
||||
daily = 7;
|
||||
weekly = 4;
|
||||
};
|
||||
lass.sync-containers3.containers.green = {
|
||||
sshKey = "${toString <secrets>}/green.sync.key";
|
||||
};
|
||||
}
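Review bot: the replacement block `lass.sync-containers3.containers.green = { sshKey = "${toString <secrets>}/green.sync.key"; };` has no counterpart for the `services.borgbackup.jobs.sync-green` job it supersedes, so after this change the green container's state is no longer backed up from this host unless that is handled somewhere not visible here. A comment on the new block naming where backups now happen would settle it (`# backups of the green state: <location>`), or a borg job against the sync-containers3 image should be re-added. The enclosing attribute set starts outside the hunk.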
|
||||
|
167
lass/2configs/red-host.nix
Normal file
167
lass/2configs/red-host.nix
Normal file
@ -0,0 +1,167 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
let
|
||||
ctr.name = "red";
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
<stockholm/lass/2configs/container-networking.nix>
|
||||
];
|
||||
|
||||
|
||||
lass.sync-containers3.containers.red = {
|
||||
sshKey = "${toString <secrets>}/containers/red/sync.key";
|
||||
ephemeral = true;
|
||||
};
|
||||
|
||||
# containers.${ctr.name} = {
|
||||
# config = {
|
||||
# environment.systemPackages = [
|
||||
# pkgs.dhcpcd
|
||||
# pkgs.git
|
||||
# pkgs.jq
|
||||
# ];
|
||||
# networking.useDHCP = lib.mkForce true;
|
||||
# systemd.services.autoswitch = {
|
||||
# environment = {
|
||||
# NIX_REMOTE = "daemon";
|
||||
# };
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
|
||||
# if test -e /var/src/nixos-config; then
|
||||
# /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
|
||||
# fi
|
||||
# '';
|
||||
# unitConfig.X-StopOnRemoval = false;
|
||||
# };
|
||||
# };
|
||||
# autoStart = false;
|
||||
# enableTun = true;
|
||||
# privateNetwork = true;
|
||||
# hostBridge = "ctr0";
|
||||
# bindMounts = {
|
||||
# "/etc/resolv.conf".hostPath = "/etc/resolv.conf";
|
||||
# "/var/lib/self-state/disk-image" = {
|
||||
# hostPath = "/var/lib/sync-containers3/${ctr.name}";
|
||||
# isReadOnly = true;
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
# systemd.services."${ctr.name}_scheduler" = {
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# path = with pkgs; [
|
||||
# coreutils
|
||||
# consul
|
||||
# cryptsetup
|
||||
# mount
|
||||
# util-linux
|
||||
# systemd
|
||||
# untilport
|
||||
# ];
|
||||
# serviceConfig = {
|
||||
# Restart = "always";
|
||||
# RestartSec = "15s";
|
||||
# ExecStart = "${pkgs.consul}/bin/consul lock container_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-start" ''
|
||||
# set -efux
|
||||
# trap ${pkgs.writers.writeDash "stop-${ctr.name}" ''
|
||||
# set -efux
|
||||
# /run/current-system/sw/bin/nixos-container stop ${ctr.name} || :
|
||||
# umount /var/lib/nixos-containers/${ctr.name}/var/state || :
|
||||
# cryptsetup luksClose ${ctr.name} || :
|
||||
# ''} INT TERM EXIT
|
||||
# consul kv put containers/${ctr.name}/host ${config.networking.hostName}
|
||||
# cryptsetup luksOpen --key-file /var/src/secrets/containers/${ctr.name}/luks /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name}
|
||||
# mkdir -p /var/lib/nixos-containers/${ctr.name}/var/state
|
||||
# mount /dev/mapper/${ctr.name} /var/lib/nixos-containers/${ctr.name}/var/state
|
||||
# ln -frs /var/lib/nixos-containers/${ctr.name}/var/state/var_src /var/lib/nixos-containers/${ctr.name}/var/src
|
||||
# /run/current-system/sw/bin/nixos-container start ${ctr.name}
|
||||
# set +x
|
||||
# until /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
|
||||
# while /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
|
||||
# ''}";
|
||||
# };
|
||||
# };
|
||||
|
||||
# users.groups."container_${ctr.name}" = {};
|
||||
# users.users."container_${ctr.name}" = {
|
||||
# group = "container_${ctr.name}";
|
||||
# isSystemUser = true;
|
||||
# home = "/var/lib/sync-containers3/${ctr.name}";
|
||||
# createHome = true;
|
||||
# homeMode = "705";
|
||||
# openssh.authorizedKeys.keys = [
|
||||
# config.krebs.users.lass.pubkey
|
||||
# ];
|
||||
# };
|
||||
|
||||
# systemd.timers."${ctr.name}_syncer" = {
|
||||
# timerConfig = {
|
||||
# RandomizedDelaySec = 300;
|
||||
# };
|
||||
# };
|
||||
# systemd.services."${ctr.name}_syncer" = {
|
||||
# path = with pkgs; [
|
||||
# coreutils
|
||||
# rsync
|
||||
# openssh
|
||||
# systemd
|
||||
# ];
|
||||
# startAt = "*:0/1";
|
||||
# serviceConfig = {
|
||||
# User = "container_${ctr.name}";
|
||||
# LoadCredential = [
|
||||
# "ssh_key:${toString <secrets>}/containers/${ctr.name}/sync.key"
|
||||
# ];
|
||||
# ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" ''
|
||||
# set -efu
|
||||
# ! systemctl is-active --quiet container@${ctr.name}.service
|
||||
# '';
|
||||
# ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" ''
|
||||
# set -efu
|
||||
# rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk-image/disk $HOME/disk
|
||||
# '';
|
||||
# };
|
||||
# };
|
||||
|
||||
# # networking
|
||||
# networking.networkmanager.unmanaged = [ "ctr0" ];
|
||||
# networking.interfaces.dummy0.virtual = true;
|
||||
# networking.bridges.ctr0.interfaces = [ "dummy0" ];
|
||||
# networking.interfaces.ctr0.ipv4.addresses = [{
|
||||
# address = "10.233.0.1";
|
||||
# prefixLength = 24;
|
||||
# }];
|
||||
# systemd.services."dhcpd-ctr0" = {
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# after = [ "network.target" ];
|
||||
# serviceConfig = {
|
||||
# Type = "forking";
|
||||
# Restart = "always";
|
||||
# DynamicUser = true;
|
||||
# StateDirectory = "dhcpd-ctr0";
|
||||
# User = "dhcpd-ctr0";
|
||||
# Group = "dhcpd-ctr0";
|
||||
# AmbientCapabilities = [
|
||||
# "CAP_NET_RAW" # to send ICMP messages
|
||||
# "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
|
||||
# ];
|
||||
# ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases";
|
||||
# ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" ''
|
||||
# default-lease-time 600;
|
||||
# max-lease-time 7200;
|
||||
# authoritative;
|
||||
# ddns-update-style interim;
|
||||
# log-facility local1; # see dhcpd.nix
|
||||
|
||||
# option subnet-mask 255.255.255.0;
|
||||
# option routers 10.233.0.1;
|
||||
# # option domain-name-servers 8.8.8.8; # TODO configure dns server
|
||||
# subnet 10.233.0.0 netmask 255.255.255.0 {
|
||||
# range 10.233.0.10 10.233.0.250;
|
||||
# }
|
||||
# ''} ctr0";
|
||||
# };
|
||||
# };
|
||||
|
||||
}
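Review bot: the `let ctr.name = "red"; in` binding at the top is referenced only from the roughly 150 commented-out lines below it, so the live part of the file (the `imports` list and the `lass.sync-containers3.containers.red` block) carries an unused binding plus a dead prototype of the consul-lock scheduler, LUKS handling and dhcpd setup that will silently drift from the module it was replaced by. Delete the commented configuration (git history keeps it) or reduce it to a single `# earlier manual consul-lock scheduler, now provided by lass.sync-containers3` note. `ephemeral = true;` would also benefit from a short comment stating what is discarded when the container stops.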
|
||||
|
221
lass/2configs/weechat.nix
Normal file
221
lass/2configs/weechat.nix
Normal file
@ -0,0 +1,221 @@
|
||||
{ config, lib, pkgs, ... }: let
|
||||
|
||||
weechat-configured = pkgs.weechat-declarative.override {
|
||||
config = {
|
||||
scripts = [
|
||||
pkgs.weechat-matrix
|
||||
pkgs.weechatScripts.wee-slack
|
||||
];
|
||||
settings = {
|
||||
irc.server_default.nicks = [ "lassulus" "hackulus" ];
|
||||
irc.server.bitlbee = {
|
||||
addresses = "localhost/6666";
|
||||
command = "msg &bitlbee identify \${sec.data.bitlbee}";
|
||||
};
|
||||
irc.server.hackint = {
|
||||
addresses = "irc.hackint.org/6697";
|
||||
autojoin = [
|
||||
"#c3-gsm"
|
||||
"#panthermoderns"
|
||||
"#36c3"
|
||||
"#cccac"
|
||||
"#nixos"
|
||||
"#krebs"
|
||||
"#c-base"
|
||||
"#afra"
|
||||
"#tvl"
|
||||
"#eloop"
|
||||
"#systemdultras"
|
||||
"#rc3"
|
||||
"#krebs-announce"
|
||||
"#the_playlist"
|
||||
"#germany"
|
||||
"#hackint"
|
||||
"#dezentrale"
|
||||
"#hackerfleet \${sec.data.c3-gsm}" # TODO support channel passwords in a cooler way
|
||||
];
|
||||
ssl = true;
|
||||
sasl_fail = "reconnect";
|
||||
sasl_username = "lassulus";
|
||||
sasl_password = "\${sec.data.hackint_sasl}";
|
||||
};
|
||||
irc.server.r = {
|
||||
addresses = "irc.r";
|
||||
autojoin = [
|
||||
"#xxx"
|
||||
"#autowifi"
|
||||
"#brockman"
|
||||
"#flix"
|
||||
"#kollkoll"
|
||||
"#noise"
|
||||
"#mukke"
|
||||
];
|
||||
sasl_fail = "reconnect";
|
||||
sasl_username = "lassulus";
|
||||
sasl_password = "\${sec.data.r_sasl}";
|
||||
anti_flood_prio_high = 0;
|
||||
anti_flood_prio_low = 0;
|
||||
};
|
||||
irc.server.libera = {
|
||||
addresses = "irc.libera.chat/6697";
|
||||
autojoin = [
|
||||
"#shackspace"
|
||||
"#nixos"
|
||||
"#krebs"
|
||||
"#dezentrale"
|
||||
"#tinc"
|
||||
"#nixos-de"
|
||||
"#fysi"
|
||||
"#hillhacks"
|
||||
"#nixos-rc3"
|
||||
"#binaergewitter"
|
||||
"#hackerfleet"
|
||||
"#weechat"
|
||||
];
|
||||
ssl = true;
|
||||
sasl_username = "lassulus";
|
||||
sasl_fail = "reconnect";
|
||||
sasl_password = "\${sec.data.libera_sasl}";
|
||||
};
|
||||
irc.server.news = {
|
||||
addresses = "news.r";
|
||||
autojoin = [
|
||||
"#all"
|
||||
"#aluhut"
|
||||
"#querdenkos"
|
||||
"#news"
|
||||
"#drachengame"
|
||||
];
|
||||
anti_flood_prio_high = 0;
|
||||
anti_flood_prio_low = 0;
|
||||
};
|
||||
matrix.server.lassulus = {
|
||||
address = "matrix.lassul.us";
|
||||
username = "lassulus";
|
||||
password = "\${sec.data.matrix_lassulus}";
|
||||
device_name = config.networking.hostName;
|
||||
};
|
||||
matrix.server.nixos_dev = {
|
||||
address = "matrix.nixos.dev";
|
||||
username = "@lassulus:nixos.dev";
|
||||
device_name = config.networking.hostName;
|
||||
sso_helper_listening_port = 55123;
|
||||
};
|
||||
plugins.var.python.go.short_name = true;
|
||||
plugins.var.python.go.short_name_server = true;
|
||||
plugins.var.python.go.fuzzy_search = true;
|
||||
relay.network.password = "xxx"; # secret?
|
||||
relay.port.weechat = 9998;
|
||||
relay.weechat.commands = "*,!exec,!quit";
|
||||
weechat.look.buffer_time_format = "%m-%d_%H:%M:%S";
|
||||
weechat.look.item_time_format = "%m-%d_%H:%M:%S";
|
||||
irc.look.color_nicks_in_names = true;
|
||||
irc.look.color_nicks_in_nicklist = true;
|
||||
logger.file.mask = "$plugin.$name/%Y-%m-%d.weechatlog";
|
||||
logger.file.path = "/var/state/weechat_logs";
|
||||
logger.look.backlog = 1000;
|
||||
weechat.notify.python.matrix.nixos_dev."!YLoVsCxScyQODoqIbb:hackint.org" = "none"; #c-base
|
||||
weechat.notify.python.matrix.nixos_dev."!bohcSYPVoePqBDWlvE:hackint.org" = "none"; #krebs
|
||||
weechat.notify.irc.news."#all" = "highlight";
|
||||
|
||||
# setting logger levels for channels is currently not possible declarativly
|
||||
# because of already defined
|
||||
logger.level.core.weechat = 0;
|
||||
logger.level.irc = 3;
|
||||
logger.level.python = 3;
|
||||
weechat.bar.title.color_bg = 0;
|
||||
weechat.bar.status.color_bg = 0;
|
||||
alias.cmd.reload = "exec -oc cat /etc/weechat.set";
|
||||
script.scripts.download_enabled = true;
|
||||
weechat.look.prefix_align = "left";
|
||||
weechat.look.prefix_align_max = 20;
|
||||
irc.look.server_buffer = "independent";
|
||||
matrix.look.server_buffer = "independent";
|
||||
weechat.bar.buflist.size_max = 20;
|
||||
weechat.color.chat_nick_colors = [
|
||||
1 2 3 4 5 6 9
|
||||
10 11 12 13 14
|
||||
28 29
|
||||
30 31 32 33 34 35 36 37 38 39
|
||||
70
|
||||
94
|
||||
101 102 103 104 105 106 107
|
||||
130 131 133 134 135 136 137
|
||||
140 141 142 143
|
||||
160 161 162 163 165 166 167 168 169
|
||||
170 171 172 173 174 175
|
||||
196 197 198 199
|
||||
200 201 202 203 204 205 206 208 209 209
|
||||
210 211 212
|
||||
];
|
||||
};
|
||||
extraCommands = ''
|
||||
/script upgrade
|
||||
/script install go.py
|
||||
/script install nickregain.pl
|
||||
/script install autosort.py
|
||||
/key bind meta-q /go
|
||||
/key bind meta-t /bar toggle nicklist
|
||||
/key bind meta-y /bar toggle buflist
|
||||
/filter addreplace irc_smart * irc_smart_filter *
|
||||
/filter addreplace playlist_topic irc.*.#the_playlist irc_topic *
|
||||
/filter addreplace xxx_joinpart irc.r.#xxx irc_join,irc_part,irc_quit *
|
||||
/set logger.level.irc.news 0
|
||||
/set logger.level.python.server.nixos_dev = 0;
|
||||
/set logger.level.irc.hackint.#the_playlist = 0;
|
||||
/connect bitlbee
|
||||
/connect r
|
||||
/connect news
|
||||
/connect libera
|
||||
/connect hackint
|
||||
/matrix connect nixos_dev
|
||||
/matrix connect lassulus
|
||||
'';
|
||||
files."sec.conf" = toString (pkgs.writeText "sec.conf" ''
|
||||
[crypt]
|
||||
cipher = aes256
|
||||
hash_algo = sha256
|
||||
passphrase_command = "cat $CREDENTIALS_DIRECTORY/WEECHAT_PASSPHRASE"
|
||||
salt = on
|
||||
|
||||
[data]
|
||||
__passphrase__ = on
|
||||
hackint_sasl = "5CA242E92E7A09B180711B50C4AE2E65C42934EB4E584EC82BC1281D8C72CD411D590C16CC435687C0DA13759873CC"
|
||||
libera_sasl = "9500B5AC3B29F9CAA273F1B89DC99550E038AF95C4B47442B1FB4CB9F0D6B86B26015988AD39E642CA9C4A78DED7F42D1F409B268C93E778"
|
||||
r_sasl = "CB6FB1421ED5A9094CD2C05462DB1FA87C4A675628ABD9AEC9928A1A6F3F96C07D9F26472331BAF80B7B73270680EB1BBEFD"
|
||||
c3-gsm = "C49DD845900CFDFA93EEBCE4F1ABF4A963EF6082B7DA6410FA701CC77A04BB6C201FCB864988C4F2B97ED7D44D5A28F162"
|
||||
matrix.server.nixos_dev.access_token = "C40FE41B9B7B73553D51D8FCBD53871E940FE7FCCAB543E7F4720A924B8E1D58E2B1E1F460F5476C954A223F78CCB956337F6529159C0ECD7CB0384C13CB7170FF1270A577B1C4FF744D20FCF5C708259896F8D9"
|
||||
bitlbee = "814ECAC59D9CF6E8340B566563E5D7E92AB92209B49C1EDE4CAAC32DD0DF1EC511D97C75E840C45D69BB9E3D03E79C"
|
||||
matrix_lassulus = "0CA5C0F70A9F893881370F4A665B4CC40FBB1A41E53BC94916CD92B029103528611EC0B390116BE60FA79AE10F486E96E17B0824BE2DE1C97D87B88F5407330DAD70C044147533C36B09B7030CAD97"
|
||||
'');
|
||||
};
|
||||
};
|
||||
|
||||
in {
|
||||
users.users.mainUser.packages = [
|
||||
weechat-configured
|
||||
];
|
||||
environment.etc."weechat.set".source = "${weechat-configured}/weechat.set";
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/state/weechat_logs 0700 lass users -"
|
||||
"d /var/state/weechat 0700 lass users -"
|
||||
"d /var/state/weechat_cfg 0700 lass users -"
|
||||
"L+ /home/lass/.local/share/weechat - - - - ../../../../var/state/weechat"
|
||||
"L+ /home/lass/.config/weechat - - - - ../../../../var/state/weechat_cfg"
|
||||
];
|
||||
|
||||
systemd.services.weechat = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
restartIfChanged = false;
|
||||
serviceConfig = {
|
||||
User = "lass";
|
||||
RemainAfterExit = true;
|
||||
Type = "oneshot";
|
||||
LoadCredential = [
|
||||
"WEECHAT_PASSPHRASE:${toString <secrets>}/weechat_passphrase"
|
||||
];
|
||||
ExecStart = "${pkgs.tmux}/bin/tmux -2 new-session -d -s IM ${weechat-configured}/bin/weechat";
|
||||
ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t IM"; # TODO run save in weechat
|
||||
};
|
||||
};
|
||||
}
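Review bot: `relay.network.password = "xxx"; # secret?` leaves the weechat relay on `relay.port.weechat = 9998` guarded by a placeholder committed to the repository, while `relay.weechat.commands = "*,!exec,!quit"` hands a connected relay client every other command. The file already has the machinery to fix this: add an entry to the `[data]` section of `sec.conf` and reference it as `relay.network.password = "\${sec.data.relay}";`, exactly as the SASL passwords do. Separately, the two `extraCommands` lines `/set logger.level.python.server.nixos_dev = 0;` and `/set logger.level.irc.hackint.#the_playlist = 0;` use `= 0;` where the line above them (`/set logger.level.irc.news 0`) shows the form weechat's `/set` expects, so those two settings most likely never take effect.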
|
@ -1,6 +1,17 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
environment.systemPackages = [ pkgs.fzf ];
|
||||
environment.systemPackages = with pkgs; [
|
||||
atuin
|
||||
direnv
|
||||
fzf
|
||||
];
|
||||
environment.variables.ATUIN_CONFIG_DIR = toString (pkgs.writeTextDir "/config.toml" ''
|
||||
auto_sync = true
|
||||
update_check = false
|
||||
sync_address = "http://green.r:8888"
|
||||
sync_frequency = 0
|
||||
style = "compact"
|
||||
'');
|
||||
programs.zsh = {
|
||||
enable = true;
|
||||
shellInit = ''
|
||||
@ -12,27 +23,9 @@
|
||||
setopt autocd extendedglob
|
||||
bindkey -e
|
||||
|
||||
#history magic
|
||||
bindkey "[A" up-line-or-local-history
|
||||
bindkey "[B" down-line-or-local-history
|
||||
|
||||
up-line-or-local-history() {
|
||||
zle set-local-history 1
|
||||
zle up-line-or-history
|
||||
zle set-local-history 0
|
||||
}
|
||||
zle -N up-line-or-local-history
|
||||
down-line-or-local-history() {
|
||||
zle set-local-history 1
|
||||
zle down-line-or-history
|
||||
zle set-local-history 0
|
||||
}
|
||||
zle -N down-line-or-local-history
|
||||
|
||||
setopt SHARE_HISTORY
|
||||
setopt HIST_IGNORE_ALL_DUPS
|
||||
# setopt inc_append_history
|
||||
bindkey '^R' history-incremental-search-backward
|
||||
# # setopt inc_append_history
|
||||
# bindkey '^R' history-incremental-search-backward
|
||||
|
||||
#C-x C-e open line in editor
|
||||
autoload -z edit-command-line
|
||||
@ -43,6 +36,13 @@
|
||||
source ${pkgs.fzf}/share/fzf/completion.zsh
|
||||
source ${pkgs.fzf}/share/fzf/key-bindings.zsh
|
||||
|
||||
# atuin distributed shell history
|
||||
export ATUIN_NOBIND="true" # disable all keybdinings of atuin
|
||||
eval "$(atuin init zsh)"
|
||||
bindkey '^r' _atuin_search_widget # bind ctrl+r to atuin
|
||||
# use zsh only session history
|
||||
fc -p
|
||||
|
||||
#completion magic
|
||||
autoload -Uz compinit
|
||||
compinit
|
||||
@ -65,13 +65,11 @@
|
||||
bindkey "[8~" end-of-line
|
||||
bindkey "Oc" emacs-forward-word
|
||||
bindkey "Od" emacs-backward-word
|
||||
|
||||
# direnv integration
|
||||
eval "$(${pkgs.direnv}/bin/direnv hook zsh)"
|
||||
'';
|
||||
promptInit = ''
|
||||
# TODO: figure out why we need to set this here
|
||||
HISTSIZE=900001
|
||||
HISTFILESIZE=$HISTSIZE
|
||||
SAVEHIST=$HISTSIZE
|
||||
|
||||
autoload -U promptinit
|
||||
promptinit
|
||||
|
||||
|
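Review bot: `sync_address = "http://green.r:8888"` together with `auto_sync = true` makes every atuin sync, including the login/session exchange, go out over plain HTTP; atuin is documented to encrypt the history records themselves client-side, but as far as I can tell the session token in the request header is not, so this is only acceptable if `green.r` is reachable solely over an already-encrypted overlay, which the hunk does not show. A one-line comment above `sync_address` such as `# plain http: green.r is only reachable via the encrypted overlay` (or an https endpoint) would make that assumption explicit for the next reader. `update_check = false` is a good call for a server-side-pinned package, and a short `# atuin replaces zsh's shared history; local history still works via fc -p` near the `eval "$(atuin init zsh)"` line would tie the two hunks together.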
@ -15,5 +15,6 @@ _:
|
||||
./xjail.nix
|
||||
./autowifi.nix
|
||||
./browsers.nix
|
||||
./sync-containers3.nix
|
||||
];
|
||||
}
|
||||
|
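--- /dev/null
+++ b/lass/3modules/sync-containers3.nix
@@ -0,0 +1,313 @@
+{ config, lib, pkgs, ... }: let
+cfg = config.lass.sync-containers3;
+slib = pkgs.stockholm.lib;
+in {
+options.lass.sync-containers3 = {
+inContainer = {
+enable = lib.mkEnableOption "container config for syncing";
+pubkey = lib.mkOption {
+type = lib.types.str; # TODO ssh key
+};
+};
+containers = lib.mkOption {
+default = {};
+type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
+options = {
+name = lib.mkOption {
+type = lib.types.str;
+default = config._module.args.name;
+};
+sshKey = lib.mkOption {
+type = slib.types.absolute-pathname;
+};
+luksKey = lib.mkOption {
+type = slib.types.absolute-pathname;
+default = config.sshKey;
+};
+ephemeral = lib.mkOption {
+type = lib.types.bool;
+default = false;
+};
+};
+}));
+};
+};
+config = lib.mkMerge [
+(lib.mkIf (cfg.containers != {}) {
+
+containers = lib.mapAttrs' (n: ctr: lib.nameValuePair ctr.name {
+config = {
+environment.systemPackages = [
+pkgs.dhcpcd
+pkgs.git
+pkgs.jq
+];
+networking.useDHCP = lib.mkForce true;
+systemd.services.autoswitch = {
+environment = {
+NIX_REMOTE = "daemon";
+};
+wantedBy = [ "multi-user.target" ];
+serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
+set -efu
+ln -frs /var/state/var_src /var/src
+if test -e /var/src/nixos-config; then
+/run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
+fi
+'';
+unitConfig.X-StopOnRemoval = false;
+};
+};
+autoStart = false;
+enableTun = true;
+ephemeral = ctr.ephemeral;
+privateNetwork = true;
+hostBridge = "ctr0";
+bindMounts = {
+"/etc/resolv.conf".hostPath = "/etc/resolv.conf";
+"/var/lib/self/disk" = {
+hostPath = "/var/lib/sync-containers3/${ctr.name}/disk";
+isReadOnly = false;
+};
+"/var/state" = {
+hostPath = "/var/lib/sync-containers3/${ctr.name}/state";
+isReadOnly = false;
+};
+};
+}) cfg.containers;
+
+systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [
+{ "${ctr.name}_syncer" = {
+path = with pkgs; [
+coreutils
+consul
+rsync
+openssh
+systemd
+];
+startAt = "*:0/1";
+serviceConfig = {
+User = "${ctr.name}_container";
+LoadCredential = [
+"ssh_key:${ctr.sshKey}"
+];
+ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" ''
+set -efu
+! systemctl is-active --quiet container@${ctr.name}.service
+'';
+ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" ''
+set -efux
+consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
+set -efux
+if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
+touch "$HOME"/incomplete
+rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk
+rm "$HOME"/incomplete
+fi
+''}
+'';
+};
+}; }
+{ "${ctr.name}_watcher" = {
+path = with pkgs; [
+coreutils
+consul
+cryptsetup
+curl
+mount
+util-linux
+jq
+retry
+];
+serviceConfig = {
+ExecStart = pkgs.writers.writeDash "${ctr.name}_watcher" ''
+set -efux
+while sleep 5; do
+# get the payload
+# check if the host reacted recently
+case $(curl -s -o /dev/null --retry 10 --retry-delay 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in
+404)
+echo 'got 404 from kv, should kill the container'
+break
+;;
+500)
+echo 'got 500 from kv, will kill container'
+break
+;;
+200)
+# echo 'got 200 from kv, will check payload'
+export payload=$(consul kv get containers/${ctr.name})
+if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
+# echo 'we are the host, trying to reach container'
+if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then
+# echo 'container is reachable, continueing'
+continue
+else
+# echo 'container seems dead, killing'
+break
+fi
+else
+echo 'we are not host, killing container'
+break
+fi
+;;
+*)
+echo 'unknown state, continuing'
+continue
+;;
+esac
+done
+/run/current-system/sw/bin/nixos-container stop ${ctr.name} || :
+umount /var/lib/sync-containers3/${ctr.name}/state || :
+cryptsetup luksClose ${ctr.name} || :
+'';
+};
+}; }
+{ "${ctr.name}_scheduler" = {
+wantedBy = [ "multi-user.target" ];
+path = with pkgs; [
+coreutils
+consul
+cryptsetup
+mount
+util-linux
+curl
+systemd
+jq
+retry
+bc
+];
+serviceConfig = {
+Restart = "always";
+RestartSec = "30s";
+ExecStart = pkgs.writers.writeDash "${ctr.name}_scheduler" ''
+set -efux
+# get the payload
+# check if the host reacted recently
+case $(curl -s -o /dev/null --retry 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in
+404)
+# echo 'got 404 from kv, will create container'
+;;
+500)
+# echo 'got 500 from kv, retrying again'
+exit 0
+;;
+200)
+# echo 'got 200 from kv, will check payload'
+export payload=$(consul kv get containers/${ctr.name})
+if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
+echo 'we are the host, starting container'
+else
+# echo 'we are not host, checking timestamp'
+# if [ $(echo "$(date +%s) - $(jq -rn 'env.payload | fromjson.time') > 100" | bc) -eq 1 ]; then
+if [ "$(jq -rn 'env.payload | fromjson.time | now - tonumber > 100')" = 'true' ]; then
+echo 'last beacon is more than 100s ago, taking over'
+else
+# echo 'last beacon was recent. trying again'
+exit 0
+fi
+fi
+;;
+*)
+echo 'unknown state, bailing out'
+exit 0
+;;
+esac
+if test -e /var/lib/sync-containers3/${ctr.name}/incomplete; then
+echo 'data is inconistent, start aborted'
+exit 1
+fi
+consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
+consul lock -verbose -monitor-retry=100 -timeout 30s -name container_${ctr.name} container_${ctr.name} ${pkgs.writers.writeBash "${ctr.name}-start" ''
+set -efu
+cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} || :
+mkdir -p /var/lib/sync-containers3/${ctr.name}/state
+mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state
+/run/current-system/sw/bin/nixos-container start ${ctr.name}
+# wait for system to become reachable for the first time
+retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
+systemctl start ${ctr.name}_watcher.service
+while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do
+consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
+sleep 10
+done
+''}
+'';
+};
+}; }
+]) (lib.attrValues cfg.containers)));
+
+systemd.timers = lib.mapAttrs' (n: ctr: lib.nameValuePair "${ctr.name}_syncer" {
+timerConfig = {
+RandomizedDelaySec = 100;
+};
+}) cfg.containers;
+
+users.groups = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" {
+}) cfg.containers;
+users.users = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" ({
+group = "container_${ctr.name}";
+isNormalUser = true;
+uid = slib.genid_uint31 "container_${ctr.name}";
+home = "/var/lib/sync-containers3/${ctr.name}";
+createHome = true;
+homeMode = "705";
+})) cfg.containers;
+
+})
+(lib.mkIf (cfg.containers != {}) {
+# networking
+networking.networkmanager.unmanaged = [ "ctr0" ];
+networking.interfaces.dummy0.virtual = true;
+networking.bridges.ctr0.interfaces = [ "dummy0" ];
+networking.interfaces.ctr0.ipv4.addresses = [{
+address = "10.233.0.1";
+prefixLength = 24;
+}];
+systemd.services."dhcpd-ctr0" = {
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+Type = "forking";
+Restart = "always";
+DynamicUser = true;
+StateDirectory = "dhcpd-ctr0";
+User = "dhcpd-ctr0";
+Group = "dhcpd-ctr0";
+AmbientCapabilities = [
+"CAP_NET_RAW" # to send ICMP messages
+"CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
+];
+ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases";
+ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" ''
+default-lease-time 600;
+max-lease-time 7200;
+authoritative;
+ddns-update-style interim;
+log-facility local1; # see dhcpd.nix
+
+option subnet-mask 255.255.255.0;
+option routers 10.233.0.1;
+# option domain-name-servers 8.8.8.8; # TODO configure dns server
+subnet 10.233.0.0 netmask 255.255.255.0 {
+range 10.233.0.10 10.233.0.250;
+}
+''} ctr0";
+};
+};
+})
+(lib.mkIf cfg.inContainer.enable {
+users.groups.container_sync = {};
+users.users.container_sync = {
+group = "container_sync";
+uid = slib.genid_uint31 "container_sync";
+isNormalUser = true;
+home = "/var/lib/self";
+createHome = true;
+openssh.authorizedKeys.keys = [
+cfg.inContainer.pubkey
+];
+};
+})
+];
+}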
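Review bot: `systemctl is-active container@${ctr.name}.service >/devnull` in the heartbeat loop of the `${ctr.name}-start` script redirects to the literal path `/devnull`, so this root-run loop creates and truncates a file in `/` every ten seconds instead of discarding output; it should be `>/dev/null`, as on the `ping` beside it. The group this module defines is `${ctr.name}_container`, but the user's primary `group` is spelled `container_${ctr.name}` (the `uid` seed uses that spelling too), which looks like a mismatch that leaves the user pointing at a group the module never creates — pick one spelling for both. `luksKey` defaulting to `sshKey` means one secret both unlocks the disk image and authenticates the rsync-over-ssh pull; if that is the intended trade-off it deserves a comment on the option, e.g. `# defaults to the ssh key: compromising or rotating one means rotating both`. Similarly `homeMode = "705"` makes the directory holding the LUKS image traversable by every local user; if that is deliberate, a one-line comment saying why (and that confidentiality of `disk` rests on the LUKS encryption) would stop a later cleanup from breaking it.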
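--- /dev/null
+++ b/lass/5pkgs/weechat-matrix/default.nix
@@ -0,0 +1,80 @@
+{ python3Packages
+, lib
+, fetchFromGitHub
+}:
+
+with python3Packages;
+
+let
+scriptPython = python.withPackages (ps: with ps; [
+aiohttp
+requests
+python_magic
+]);
+
+version = "lassulus-fork";
+in python3Packages.buildPythonPackage {
+pname = "weechat-matrix";
+inherit version;
+
+src = fetchFromGitHub {
+owner = "poljar";
+repo = "weechat-matrix";
+rev = version;
+hash = "sha256-o4kgneszVLENG167nWnk2FxM+PsMzi+PSyMUMIktZcc=";
+};
+# src = ./weechat-matrix;
+
+propagatedBuildInputs = [
+pyopenssl
+webcolors
+future
+atomicwrites
+attrs
+Logbook
+pygments
+matrix-nio
+aiohttp
+requests
+];
+
+passthru.scripts = [ "matrix.py" ];
+
+dontBuild = true;
+doCheck = false;
+
+format = "other";
+
+installPhase = ''
+mkdir -p $out/share $out/bin
+cp main.py $out/share/matrix.py
+
+cp contrib/matrix_upload.py $out/bin/matrix_upload
+cp contrib/matrix_decrypt.py $out/bin/matrix_decrypt
+cp contrib/matrix_sso_helper.py $out/bin/matrix_sso_helper
+substituteInPlace $out/bin/matrix_upload \
+--replace '/usr/bin/env -S python3' '${scriptPython}/bin/python'
+substituteInPlace $out/bin/matrix_sso_helper \
+--replace '/usr/bin/env -S python3' '${scriptPython}/bin/python'
+substituteInPlace $out/bin/matrix_decrypt \
+--replace '/usr/bin/env python3' '${scriptPython}/bin/python'
+
+mkdir -p $out/${python.sitePackages}
+cp -r matrix $out/${python.sitePackages}/matrix
+'';
+
+dontPatchShebangs = true;
+postFixup = ''
+addToSearchPath program_PYTHONPATH $out/${python.sitePackages}
+patchPythonScript $out/share/matrix.py
+substituteInPlace $out/${python.sitePackages}/matrix/server.py --replace \"matrix_sso_helper\" \"$out/bin/matrix_sso_helper\"
+'';
+
+meta = with lib; {
+description = "A Python plugin for Weechat that lets Weechat communicate over the Matrix protocol";
+homepage = "https://github.com/poljar/weechat-matrix";
+license = licenses.isc;
+platforms = platforms.unix;
+maintainers = with maintainers; [ tilpner emily ];
+};
+}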
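Review bot: `rev = version` with `version = "lassulus-fork"` fetches a branch name rather than a commit, so the source cannot be audited against a specific revision; the fixed `hash` still pins the content (a moved branch fails loudly rather than silently), but the package then breaks on every push to that branch — pin `rev` to the commit id and keep the human-readable `version` separate. `owner = "poljar"` combined with a `lassulus-fork` ref looks inconsistent: if that branch lives in a fork rather than in poljar's repository, `owner` should name the fork (I cannot verify this from the hunk). The shebang rewrites in `installPhase` use `--replace`, which does nothing when the pattern is absent, so an upstream shebang change would silently leave `/usr/bin/env` in `$out/bin` with `dontPatchShebangs = true`; use `--replace-fail` if the nixpkgs in use provides it, or add a check that no `/usr/bin/env` shebang remains. `maintainers = with maintainers; [ tilpner emily ]` is carried over from the nixpkgs expression and should not name people who do not maintain this fork.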
@ -58,6 +58,14 @@ rec {
|
||||
default = false;
|
||||
};
|
||||
|
||||
consul = mkOption {
|
||||
description = ''
|
||||
Whether the host is a member of the global consul network
|
||||
'';
|
||||
type = bool;
|
||||
default = false;
|
||||
};
|
||||
|
||||
owner = mkOption {
|
||||
type = user;
|
||||
};
|
||||
|