From 85816b60c2002ea3ea68e51523b9fc2490f0a8e5 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 14:06:03 +0200 Subject: [PATCH 001/125] zones: import misplaced options from ssh --- krebs/3modules/ssh.nix | 23 ----------------------- krebs/3modules/zones.nix | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 23 deletions(-) diff --git a/krebs/3modules/ssh.nix b/krebs/3modules/ssh.nix index 58f3a3c10..aba825c29 100644 --- a/krebs/3modules/ssh.nix +++ b/krebs/3modules/ssh.nix @@ -4,32 +4,9 @@ let cfg = config.krebs; out = { - options.krebs = api; config = lib.mkIf cfg.enable imp; }; - api = { - zone-head-config = mkOption { - type = with types; attrsOf str; - description = '' - The zone configuration head which is being used to create the - zone files. The string for each key is pre-pended to the zone file. - ''; - # TODO: configure the default somewhere else, - # maybe use krebs.dns.providers - default = { - - # github.io -> 192.30.252.154 - "krebsco.de" = '' - $TTL 86400 - @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) - IN NS ns19.ovh.net. - IN NS dns19.ovh.net. - ''; - }; - }; - }; - imp = lib.mkMerge [ { services.openssh.hostKeys = diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 7771d3b51..a7bd867f5 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -1,6 +1,22 @@ { config, pkgs, lib, ... }: with lib; { + options.krebs.zone-head-config = mkOption { + type = lib.types.attrsOf lib.types.str; + description = '' + The zone configuration head which is being used to create the + zone files. The string for each key is pre-pended to the zone file. + ''; + default = { + "krebsco.de" = /* bindzone */ '' + $TTL 86400 + @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) + @ IN NS ns19.ovh.net. + @ IN NS dns19.ovh.net. + ''; + }; + }; + config = { environment.etc = mapAttrs' From d3ace17ebd02624fcf38c3c0b0e0f4fb08f4beb6 Mon Sep 17 00:00:00 2001 
From: tv Date: Tue, 1 Aug 2023 17:20:51 +0200 Subject: [PATCH 002/125] kartei ponte: assign ns1.krebsco.de --- kartei/krebs/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/kartei/krebs/default.nix b/kartei/krebs/default.nix index e48b3e32a..6c4ac8e80 100644 --- a/kartei/krebs/default.nix +++ b/kartei/krebs/default.nix @@ -166,6 +166,7 @@ in { extraZones = { "krebsco.de" = /* bindzone */ '' krebsco.de. 60 IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr} + ns1 IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr} ''; }; nets = rec { From dc6575069609f0065c5ec3bd186a41fc0d1e9631 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:22:00 +0200 Subject: [PATCH 003/125] kartei ponte: simplify krebsco.de record --- kartei/krebs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kartei/krebs/default.nix b/kartei/krebs/default.nix index 6c4ac8e80..0525b4c85 100644 --- a/kartei/krebs/default.nix +++ b/kartei/krebs/default.nix @@ -165,7 +165,7 @@ in { owner = config.krebs.users.krebs; extraZones = { "krebsco.de" = /* bindzone */ '' - krebsco.de. 60 IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr} + @ IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr} ns1 IN A ${config.krebs.hosts.ponte.nets.internet.ip4.addr} ''; }; From 3a86105cef21b0397ba399ab44b2290f743f22d1 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:22:16 +0200 Subject: [PATCH 004/125] kartei ponte: add intranet --- kartei/krebs/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kartei/krebs/default.nix b/kartei/krebs/default.nix index 0525b4c85..bbf6a74f8 100644 --- a/kartei/krebs/default.nix +++ b/kartei/krebs/default.nix @@ -179,6 +179,12 @@ in { "ponte.i" ]; }; + intranet = { + ip4 = rec { + addr = "10.0.0.234"; + prefix = "${addr}/24"; + }; + }; retiolum = { via = internet; ip4.addr = "10.243.4.43"; From 99e21a074648d2586fd608d800e1a106a72986da Mon Sep 17 00:00:00 2001 
From: tv Date: Tue, 1 Aug 2023 17:26:14 +0200 Subject: [PATCH 005/125] nameserver config: init --- krebs/2configs/nameserver.nix | 150 ++++++++++++++++++++++++++++++++++ 1 file changed, 150 insertions(+) create mode 100644 krebs/2configs/nameserver.nix diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix new file mode 100644 index 000000000..4b205a13d --- /dev/null +++ b/krebs/2configs/nameserver.nix 
@@ -0,0 +1,150 @@ +{ config, lib, pkgs, ... }: let + acmeChallenge = + { domain + , nameserver + , adminEmail + , serial ? 0 + , refresh ? 3600 + , retry ? 900 + , expire ? 604800 + , minimum ? 180 + }: + pkgs.writeText "${domain}.zone" /* bindzone */ '' + $TTL 60 + @ IN SOA ${lib.concatStringsSep " " [ + "${nameserver}." + "${lib.replaceStrings ["@"] ["."] adminEmail}." + (toString serial) + (toString refresh) + (toString retry) + (toString expire) + (toString minimum) + ]} + @ IN NS ${nameserver}. + ''; +in { + networking.firewall.allowedTCPPorts = [ + 53 # domain for AXFR + ]; + networking.firewall.allowedUDPPorts = [ + 53 # domain + ]; + + krebs.systemd.services.knot.restartIfCredentialsChange = true; + systemd.services.knot.serviceConfig.LoadCredential = [ + "keys.conf:/var/src/secrets/knot-keys.conf" + ]; + + services.knot = { + enable = true; + keyFiles = [ + "/run/credentials/knot.service/keys.conf" + ]; + extraConfig = /* yaml */ '' + server: + udp-max-payload: 4096 + listen: [ 127.0.0.53@2, ${ + lib.concatMapStringsSep ", " + (addr: "${addr}@53") + ( + config.krebs.build.host.nets.internet.addrs or [] + ++ + # This is required for hosts at OCI because the default route + # provided by DHCP is using the private address. 
+ config.krebs.build.host.nets.intranet.addrs or [] + ) + } ] + + log: + - target: syslog + any: debug + + remote: + + acl: + - id: acme_acl + key: acme + action: update + + - id: dane_acl + key: dane + action: update + + mod-rrl: + - id: default + rate-limit: 200 # Allow 200 resp/s for each flow + slip: 2 # Every other response slips + + policy: + - id: rsa2k + algorithm: rsasha256 + ksk-size: 4096 + zsk-size: 2048 + + template: + - id: default + global-module: mod-rrl/default + semantic-checks: on + zonefile-sync: -1 + zonefile-load: difference-no-serial + journal-content: all + + zone: + - domain: krebsco.de + file: ${pkgs.krebs.zones."krebsco.de"} + dnssec-signing: on + dnssec-policy: rsa2k + acl: dane_acl + + - domain: _acme-challenge.krebsco.de + file: ${acmeChallenge { + domain = "_acme-challenge.krebsco.de"; + nameserver = "ns1.krebsco.de"; + adminEmail = "spam@krebsco.de"; + }} + acl: acme_acl + + - domain: r + file: ${pkgs.krebs.zones.r} + + - domain: w + file: ${pkgs.krebs.zones.w} + ''; + }; + + systemd.services."knsupdate-krebsco.de" = { + serviceConfig = { + Type = "oneshot"; + SyslogIdentifier = "knsupdate-krebsco.de"; + ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ '' + set -efu + + mk_certificate_association_data() { + ${pkgs.openssl}/bin/openssl x509 -noout -fingerprint -sha256 < "$1" | + ${pkgs.coreutils}/bin/cut -d= -f2 | + ${pkgs.coreutils}/bin/tr -d : + } + + certfile=/var/lib/acme/krebsco.de/cert.pem + certificate_association_data=$(mk_certificate_association_data "$certfile") + keyfile=/var/src/secrets/dane.tsig + + script=$(${pkgs.coreutils}/bin/mktemp -t knsupdate.XXXXXXXX) + trap 'rm "$script"' EXIT + ( + exec >"$script" + echo server krebsco.de. + echo zone krebsco.de. + echo origin krebsco.de. 
+ echo add _25._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data + echo add _443._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data + echo show + echo send + echo answer + echo quit + ) + ${pkgs.knot-dns}/bin/knsupdate -k "$keyfile" "$script" + ''; + }; + }; +} From b63f7920b5bce1670692e6278eb87db52b1ba0af Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:27:09 +0200 Subject: [PATCH 006/125] zones: update default head config --- krebs/3modules/zones.nix | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index a7bd867f5..1d63548b8 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -9,10 +9,9 @@ with lib; { ''; default = { "krebsco.de" = /* bindzone */ '' - $TTL 86400 - @ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400) - @ IN NS ns19.ovh.net. - @ IN NS dns19.ovh.net. + $TTL 60 + @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 + @ 3600 IN NS ns1 ''; }; }; From 068fbd791257b3f3dc4cab7e11716171a8ef39fb Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:27:59 +0200 Subject: [PATCH 007/125] ponte: add nameserver config --- krebs/1systems/ponte/config.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix index 2f55995cf..0b9b1c563 100644 --- a/krebs/1systems/ponte/config.nix +++ b/krebs/1systems/ponte/config.nix @@ -5,6 +5,7 @@ + ]; networking.firewall.allowedTCPPorts = [ 80 443 ]; From 73a64cc57af95a876168151654f06277f91a2243 Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 1 Aug 2023 17:29:42 +0200 Subject: [PATCH 008/125] ponte: use DNS-01 challenge --- krebs/1systems/ponte/config.nix | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix index 0b9b1c563..8bb14d517 100644 --- a/krebs/1systems/ponte/config.nix +++ b/krebs/1systems/ponte/config.nix 
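Review bot: The knsupdate script only ever `add`s the two TLSA records, so every certificate renewal leaves the previous fingerprint published next to the new one at `_25._tcp.ni` and `_443._tcp.ni`; deleting each RRset in the same transaction (`echo del _25._tcp.ni TLSA` before the add, as in the excerpt below) keeps the update atomic and the published records equal to the deployed key. The unit also reads `/var/src/secrets/dane.tsig` directly while the knot unit a few lines up goes through `LoadCredential`; loading the TSIG key the same way (`LoadCredential = [ "dane.tsig:/var/src/secrets/dane.tsig" ]`, `keyfile=$CREDENTIALS_DIRECTORY/dane.tsig`) keeps both units consistent. Because the record is DANE-EE (`3 0 1`) with a 60 s TTL and the renewal hook that triggers this unit lives elsewhere, a short mismatch window after a renewal is to be expected and deserves a comment saying so. In `server:`, `udp-max-payload: 4096` exceeds the 1232-byte value recommended since DNS flag day 2020, and with RSA-signed responses (`policy: rsa2k`, 4096-bit KSK) it invites fragmentation and a larger amplification factor, so `udp-max-payload: 1232` is the safer setting. `log: any: debug` to syslog on a public authoritative server is also very chatty; `info` is enough once the setup is stable.
```nix
  systemd.services."knsupdate-krebsco.de" = {
    serviceConfig = {
      Type = "oneshot";
      SyslogIdentifier = "knsupdate-krebsco.de";
      LoadCredential = [ "dane.tsig:/var/src/secrets/dane.tsig" ];
      ExecStart = pkgs.writeDash "knsupdate-krebsco.de" /* sh */ ''
        # … unchanged: set -efu, mk_certificate_association_data, certfile, certificate_association_data …
        keyfile=$CREDENTIALS_DIRECTORY/dane.tsig
        # … unchanged: mktemp, trap, server/zone/origin lines …
          echo del _25._tcp.ni TLSA
          echo add _25._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data
          echo del _443._tcp.ni TLSA
          echo add _443._tcp.ni 60 IN TLSA 3 0 1 $certificate_association_data
        # … unchanged: show, send, answer, quit, knsupdate call …
      '';
    };
  };
```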
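Review bot: The new default head sets the SOA MNAME to `spam.krebsco.de.`, which is not one of the zone's NS records; MNAME is meant to name the primary, and RFC 2136 update clients that do not pass an explicit server resolve it to find where to send updates (the knsupdate script in nameserver.nix passes `server krebsco.de.` explicitly, so it is unaffected). `expire 86400` also makes any secondary drop the zone after one day without contact with the primary, well below the two to four weeks RFC 1912 suggests. `@ 3600 IN SOA ns1.krebsco.de. spam.krebsco.de. 0 7200 3600 1209600 3600` addresses both. The literal serial `0` works only because nameserver.nix loads the file with `zonefile-load: difference-no-serial` and `journal-content: all`, which lets knot manage the serial; a comment saying so would spare the next reader the question.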
@@ -31,8 +31,23 @@ krebs.pages.enable = true; krebs.pages.nginx.addSSL = true; - krebs.pages.nginx.enableACME = true; + krebs.pages.nginx.useACMEHost = "krebsco.de"; security.acme.acceptTerms = true; - security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de"; + security.acme.certs."krebsco.de" = { + domain = "krebsco.de"; + extraDomainNames = [ + "*.krebsco.de" + ]; + email = "spam@krebsco.de"; + reloadServices = [ + "knsupdate-krebsco.de.service" + "nginx.service" + ]; + keyType = "ec384"; + dnsProvider = "rfc2136"; + credentialsFile = "/var/src/secrets/acme-credentials"; + }; + + users.users.nginx.extraGroups = [ "acme" ]; } From 7cd50a3c07e788fa0b4ab53c78b9dea10ff30b2d Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 11:39:33 +0200 Subject: [PATCH 009/125] nameserver config: add ni as secondary --- krebs/2configs/nameserver.nix | 9 +++++++++ krebs/3modules/zones.nix | 1 + 2 files changed, 10 insertions(+) diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index 4b205a13d..a4c4b5f05 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -60,6 +60,9 @@ in { any: debug remote: + - id: krebscode_ni + address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} + key: krebs_transfer_notify_key acl: - id: acme_acl @@ -70,6 +73,10 @@ in { key: dane action: update + - id: transfer_to_krebscode_secondary + key: krebs_transfer_notify_key + action: transfer + mod-rrl: - id: default rate-limit: 200 # Allow 200 resp/s for each flow @@ -94,6 +101,8 @@ in { file: ${pkgs.krebs.zones."krebsco.de"} dnssec-signing: on dnssec-policy: rsa2k + notify: krebscode_ni + acl: transfer_to_krebscode_secondary acl: dane_acl - domain: _acme-challenge.krebsco.de diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 1d63548b8..bf904a268 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix 
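Review bot: `credentialsFile = "/var/src/secrets/acme-credentials"` is fed to lego's rfc2136 provider, but nothing documents what it must hold or which TSIG key goes in it; a comment such as `# RFC2136_NAMESERVER / RFC2136_TSIG_KEY / RFC2136_TSIG_SECRET / RFC2136_TSIG_ALGORITHM; use the "acme" key, never "dane"` would pin that down. The distinction matters because in nameserver.nix the `acme` key is only allowed to update the delegated `_acme-challenge.krebsco.de` zone whereas the `dane` key can update `krebsco.de` itself, so the wrong key in this file would hand the ACME client write access to the production zone. Note also that the file has to be readable by the acme service user, and that `users.users.nginx.extraGroups = [ "acme" ]` now lets the nginx user read the wildcard key valid for every krebsco.de name, which is the usual `useACMEHost` arrangement but worth a one-line comment.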
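Review bot: Only `krebsco.de` gets `notify: krebscode_ni` and the transfer ACL; `_acme-challenge.krebsco.de` stays a primary-only zone, so a resolver that asks `ni` (or the he.net and hosting.de secondaries added in the next two patches) for the DNS-01 TXT record gets a negative answer unless the generated `pkgs.krebs.zones."krebsco.de"` delegates it with `_acme-challenge IN NS ns1`; that delegation is not visible here, so please confirm it exists or attach the same notify/acl entries to the challenge zone. Separately, the zone entry now carries `acl:` twice (`transfer_to_krebscode_secondary` and `dane_acl`); if knot's parser does not merge repeated keys only one of them applies, and the list form `acl: [ transfer_to_krebscode_secondary, dane_acl ]` removes the doubt. The same repeated-key pattern is used for `notify:` and `acl:` in the he.net and hosting.de patches.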
@@ -12,6 +12,7 @@ with lib; { $TTL 60 @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 @ 3600 IN NS ns1 + @ 3600 IN NS ni ''; }; }; From 6bd5f06770f0b16ae6ec6fd906402883bd6e75b6 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 12:37:18 +0200 Subject: [PATCH 010/125] kartei feliks: fix ahuatangata's aliases --- kartei/feliks/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kartei/feliks/default.nix b/kartei/feliks/default.nix index 96c20f602..953f1a7ee 100644 --- a/kartei/feliks/default.nix +++ b/kartei/feliks/default.nix @@ -93,7 +93,10 @@ in { ahuatangata = { nets.wiregrill = { ip4.addr = "10.244.10.246"; - aliases = [ "ahuatangata" "ndrd.feliks.r" ]; + aliases = [ + "ahuatangata.w" + "ndrd.feliks.w" + ]; wireguard.pubkey = "QPDGBEYJ1znqUdjy6JWZJ+cqPMcU67dHlOX5beTM6TA="; }; }; From 193baa8f2f64a4909e38069d4f21ac6c46d2796b Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 15:53:27 +0200 Subject: [PATCH 011/125] nameserver config: add he.net as secondary --- krebs/2configs/nameserver.nix | 10 ++++++++++ krebs/3modules/zones.nix | 2 ++ 2 files changed, 12 insertions(+) diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index a4c4b5f05..4c6b95516 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -60,6 +60,9 @@ in { any: debug remote: + - id: henet_ns1 + address: 216.218.130.2 + - id: krebscode_ni address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} key: krebs_transfer_notify_key @@ -73,6 +76,11 @@ in { key: dane action: update + - id: transfer_to_henet_secondary + key: henet_transfer_key + address: [ 216.218.133.2, 2001:470:600::2 ] + action: transfer + - id: transfer_to_krebscode_secondary key: krebs_transfer_notify_key action: transfer 
@@ -101,7 +109,9 @@ in { file: ${pkgs.krebs.zones."krebsco.de"} dnssec-signing: on dnssec-policy: rsa2k + notify: henet_ns1 notify: krebscode_ni + acl: transfer_to_henet_secondary acl: transfer_to_krebscode_secondary acl: dane_acl diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index bf904a268..8cb68c4f7 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -13,6 +13,8 @@ with lib; { @ 3600 IN SOA spam.krebsco.de. spam.krebsco.de. 0 7200 3600 86400 3600 @ 3600 IN NS ns1 @ 3600 IN NS ni + @ 3600 IN NS ns2.he.net. + @ 3600 IN NS ns3.he.net. ''; }; }; From 7e98588f8e626c4e2800e1238ea8a1df1f5c8f7a Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 17:42:32 +0200 Subject: [PATCH 012/125] nameserver config: add hosting.de as secondary --- krebs/2configs/nameserver.nix | 10 ++++++++++ krebs/3modules/zones.nix | 1 + 2 files changed, 11 insertions(+) diff --git a/krebs/2configs/nameserver.nix b/krebs/2configs/nameserver.nix index 4c6b95516..633f6f5d5 100644 --- a/krebs/2configs/nameserver.nix +++ b/krebs/2configs/nameserver.nix @@ -63,6 +63,9 @@ in { - id: henet_ns1 address: 216.218.130.2 + - id: hostingde_ns1 + address: 134.0.30.178 + - id: krebscode_ni address: ${config.krebs.hosts.ni.nets.internet.ip4.addr} key: krebs_transfer_notify_key @@ -81,6 +84,11 @@ in { address: [ 216.218.133.2, 2001:470:600::2 ] action: transfer + # https://www.hosting.de/helpdesk/produkte/dns/dns-master-ips/ + - id: transfer_to_hostingde_secondary + address: [ 134.0.30.178, 194.126.196.2, 2a03:2900:3:1::2, 2a03:2902:3:1::2 ] + action: transfer + - id: transfer_to_krebscode_secondary key: krebs_transfer_notify_key action: transfer @@ -110,8 +118,10 @@ in { dnssec-signing: on dnssec-policy: rsa2k notify: henet_ns1 + notify: hostingde_ns1 notify: krebscode_ni acl: transfer_to_henet_secondary + acl: transfer_to_hostingde_secondary acl: transfer_to_krebscode_secondary acl: dane_acl 
diff --git a/krebs/3modules/zones.nix b/krebs/3modules/zones.nix index 8cb68c4f7..e68482d77 100644 --- a/krebs/3modules/zones.nix +++ b/krebs/3modules/zones.nix @@ -15,6 +15,7 @@ with lib; { @ 3600 IN NS ni @ 3600 IN NS ns2.he.net. @ 3600 IN NS ns3.he.net. + @ 3600 IN NS ns2.hosting.de. ''; }; }; From 363b381eeca12c54c83b4841198d189d470d345e Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 2 Aug 2023 18:14:32 +0200 Subject: [PATCH 013/125] krebszones: RIP --- krebs/5pkgs/simple/krebszones/default.nix | 13 ------------- lass/2configs/programs.nix | 6 ------ tv/1systems/xu/config.nix | 1 - 3 files changed, 20 deletions(-) delete mode 100644 krebs/5pkgs/simple/krebszones/default.nix diff --git a/krebs/5pkgs/simple/krebszones/default.nix b/krebs/5pkgs/simple/krebszones/default.nix deleted file mode 100644 index 32608e7fa..000000000 --- a/krebs/5pkgs/simple/krebszones/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ pkgs, ... }: - -pkgs.writeDashBin "krebszones" '' - set -efu - export OVH_ZONE_CONFIG=''${OVH_ZONE_CONFIG:-$HOME/.secrets/krebs/ovh-zone.conf} - case $* in - import) - set -- import /etc/zones/krebsco.de krebsco.de - echo "+ krebszones $*" >&2 - ;; - esac - exec ${pkgs.ovh-zone}/bin/ovh-zone "$@" -'' diff --git a/lass/2configs/programs.nix b/lass/2configs/programs.nix index 0997b41a8..4361ec747 100644 --- a/lass/2configs/programs.nix +++ b/lass/2configs/programs.nix @@ -35,12 +35,6 @@ export SYSTEM="$1" $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) '') - (pkgs.writeDashBin "krebsco.de" '' - TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) - ${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json - OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import - ${pkgs.coreutils}/bin/rm -rf "$TMPDIR" - '') (pkgs.writeDashBin "lassul.us" '' TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json 
diff --git a/tv/1systems/xu/config.nix b/tv/1systems/xu/config.nix index 80d16e686..83e17e1bd 100644 --- a/tv/1systems/xu/config.nix +++ b/tv/1systems/xu/config.nix @@ -37,7 +37,6 @@ with import ./lib; gnupg1compat haskellPackages.hledger jq - krebszones mkpasswd netcat netcup From 947dd631235359a22993ed213828266f0fc60313 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 Aug 2023 11:21:52 +0200 Subject: [PATCH 014/125] nixpkgs-unstable: 66aedfd -> 8353344 --- krebs/nixpkgs-unstable.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index 0dcb20e9a..c31b7f708 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,10 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "66aedfd010204949cb225cf749be08cb13ce1813", - "date": "2023-08-02T21:56:37+02:00", - "path": "/nix/store/wwmgy3p8svf9ag2s6fimr3fpz5v40mya-nixpkgs", - "sha256": "1jspq3g1wzdfgmnp4wzzrwh2cfn9q2w86b25bgwr7ygdcdap3fqd", - "hash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=", + "rev": "8353344d3236d3fda429bb471c1ee008857d3b7c", + "date": "2023-08-15T09:25:12+02:00", + "path": "/nix/store/r7sblbzjhxfl07r4l3nywhaprk3486zx-nixpkgs", + "sha256": "02431z7g8zmjrmqpmsxsnzz4r91cdl3a2sdz6kiqpsjalnlbxbv5", + "hash": "sha256-Za++qKVK6ovjNL9poQZtLKRM/re663pxzbJ+9M4Pgwg=", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, From 03f86e7faa67f953b3829b96402f752b1df19c9d Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 23 Aug 2023 22:06:13 +0200 Subject: [PATCH 015/125] vicuna-chat: update model name --- krebs/5pkgs/simple/vicuna-chat/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/5pkgs/simple/vicuna-chat/default.nix b/krebs/5pkgs/simple/vicuna-chat/default.nix index 11a11aabe..db15899d6 100644 --- a/krebs/5pkgs/simple/vicuna-chat/default.nix +++ b/krebs/5pkgs/simple/vicuna-chat/default.nix 
@@ -23,7 +23,7 @@ pkgs.writers.writeDashBin "vicuna-chat" '' add_to_context "{\"role\": \"user\", \"content\": \"$PROMPT\"}" response=$( jq -nc --slurpfile context "$CONTEXT" '{ - model: "vicuna-13b", + model: "vicuna-13b-v1.5-16k", messages: $context[0], }' | curl -Ss http://vicuna.r/v1/chat/completions -H 'Content-Type: application/json' -d @- From 4acff6e9e977352a1e6ec7a86f0b060a9234f248 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 23 Aug 2023 22:07:31 +0200 Subject: [PATCH 016/125] l prism.r: make bootable again --- lass/1systems/prism/physical.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index ebc80411b..d4dd88382 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -9,6 +9,7 @@ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ]; boot.kernelModules = [ "kvm-intel" ]; + boot.swraid.enable = true; fileSystems."/" = { device = "rpool/root/nixos"; @@ -80,7 +81,7 @@ # we don't pay for power there and this might solve a problem we observed at least once # https://www.thomas-krenn.com/de/wiki/PCIe_Bus_Error_Status_00001100_beheben - boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" ]; + boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" "nomodeset" ]; networking.dhcpcd.enable = false; From 36eaa0d88d631905e9d439a6b2b7ae6e6df84919 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Aug 2023 08:24:47 +0200 Subject: [PATCH 017/125] mastodon: add clear-cache command --- krebs/2configs/mastodon.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix index 145b383ed..af308b2c7 100644 --- a/krebs/2configs/mastodon.nix +++ b/krebs/2configs/mastodon.nix 
@@ -33,8 +33,10 @@ ]; environment.systemPackages = [ - (pkgs.writers.writeDashBin "tootctl" '' - sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@" + (pkgs.writers.writeDashBin "clear-mastodon-cache" '' + mastodon-tootctl media remove --prune-profiles --days=14 --concurrency=30 + mastodon-tootctl media remove-orphans + mastodon-tootctl preview_cards remove --days=14 '') (pkgs.writers.writeDashBin "create-mastodon-user" '' set -efu From 666a2b0a8a7941768077a7774d6ca7732d8e8c24 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Aug 2023 08:36:05 +0200 Subject: [PATCH 018/125] l matrix: remove deprecated pkg override --- lass/2configs/matrix.nix | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/lass/2configs/matrix.nix b/lass/2configs/matrix.nix index cdcbe7ab0..1d6a8663e 100644 --- a/lass/2configs/matrix.nix +++ b/lass/2configs/matrix.nix @@ -2,24 +2,6 @@ with import ; { services.matrix-synapse = { - # synapse 1.60.0 errors during startup with: - # https://github.com/matrix-org/synapse/issues/15809 - package = pkgs.matrix-synapse.overrideAttrs (oldAttrs: rec { - version = "1.85.2"; - name = "matrix-synapse-${version}"; - src = pkgs.fetchFromGitHub { - owner = "matrix-org"; - repo = "synapse"; - rev = "v${version}"; - hash = "sha256-pFafBsisBPfpDnFYWcimUuBgfFVPZzLna3yHeqIBAAE="; - }; - cargoDeps = pkgs.rustPlatform.fetchCargoTarball { - inherit src; - name = "matrix-synapse-${version}"; - hash = "sha256-dnno+5Ma0YNYpmj3oZ5UG22uAanKwVT67BwQW+mHoFc="; - }; - doCheck = false; - }); enable = true; settings = { server_name = "lassul.us"; From 6592341dc31c6f26422ec3a9fed2e601ab985cfc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 31 Aug 2023 11:44:53 +0200 Subject: [PATCH 019/125] prism: add backup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
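Review bot: `clear-mastodon-cache` runs three `mastodon-tootctl` commands without `set -efu`, so if `media remove` fails the script carries on and its exit status reflects only the last command, unlike `create-mastodon-user` a few lines down which starts with `set -efu`; add `set -efu` as the first line. The replaced `tootctl` wrapper dropped to the mastodon user via `sudo -u mastodon`; if `mastodon-tootctl` from the NixOS module already does that this is fine, but a comment stating which user the commands run as would remove the question.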
Signed-off-by: Jörg Thalheim --- lass/2configs/codimd.nix | 71 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 67 insertions(+), 4 deletions(-) diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index ccca49fac..0927788a7 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -2,7 +2,8 @@ with import ; let domain = "pad.lassul.us"; -in { +in +{ # redirect legacy domain to new one services.nginx.virtualHosts."codi.lassul.us" = { 
@@ -25,13 +26,77 @@ in { security.dhparams = { enable = true; - params.hedgedoc = {}; + params.hedgedoc = { }; }; systemd.services.hedgedoc.environment = { CMD_COOKIE_POLICY = "none"; CMD_CSP_ALLOW_FRAMING = "true"; }; + + systemd.services.hedgedoc-backup = { + startAt = "daily"; + serviceConfig = { + ExecStart = ''${pkgs.sqlite}/bin/sqlite3 /var/lib/hedgedoc/db.hedgedoc.sqlite ".backup /var/backup/hedgedoc/backup.sq3"''; + Type = "oneshot"; + }; + }; + + services.postgresqlBackup.enable = true; + + systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; + + services.borgbackup.jobs.hetzner = { + paths = [ + "/home" + "/etc" + "/var" + "/root" + ]; + exclude = [ + "*.pyc" + "/home/*/.direnv" + "/home/*/.cache" + "/home/*/.cargo" + "/home/*/.npm" + "/home/*/.m2" + "/home/*/.gradle" + "/home/*/.opam" + "/home/*/.clangd" + "/var/lib/containerd" + # already included in database backup + "/var/lib/postgresql" + # not so important + "/var/lib/docker/" + "/var/log/journal" + "/var/cache" + "/var/tmp" + "/var/log" + ]; + repo = "u348918@u348918.your-storagebox.de:/./hetzner"; + encryption.mode = "none"; + compression = "auto,zstd"; + startAt = "daily"; + # TODO: change backup key + environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}"; + preHook = '' + set -x + ''; + + postHook = '' + cat > /var/log/telegraf/borgbackup-job-hetzner.service < Date: Thu, 31 Aug 2023 17:47:17 +0200 Subject: [PATCH 020/125] l prism.r: add backups --- lass/1systems/prism/backup.nix | 37 ++++++++++++++++++++ lass/1systems/prism/config.nix | 1 + lass/2configs/codimd.nix | 56 +------------------------------ lass/2configs/websites/domsen.nix | 28 +++++++++++++++- 4 files changed, 66 insertions(+), 56 deletions(-) create mode 100644 lass/1systems/prism/backup.nix diff --git a/lass/1systems/prism/backup.nix b/lass/1systems/prism/backup.nix new file mode 100644 index 000000000..52b4142b9 --- /dev/null 
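Review bot: `encryption.mode = "none"` sends the archive to the Hetzner storage box in the clear, and with `paths` covering `/var`, `/root`, `/home` and `/etc` the archive includes `/var/src/secrets` (where this repository keeps TSIG keys and ACME credentials) and root's SSH material, none of which the `exclude` list touches. The follow-up patch `l prism.r: add backups` moves the job to lass/1systems/prism/backup.nix and narrows `paths` to `/var/backup`, but keeps `encryption.mode = "none"`, so the postgres dumps and the hedgedoc sqlite backup still leave the host unencrypted; `encryption.mode = "repokey-blake2";` with `encryption.passCommand` reading a secret (or at minimum `"authenticated"` for integrity) fixes both. The `# TODO: change backup key` next to `environment.BORG_RSH` should say what is wrong with the current key so the follow-up can be tracked. The tail of this hunk after `cat > /var/log/telegraf/borgbackup-job-hetzner.service <` is lost in this rendering, so the `postHook` body was not reviewed.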
+++ b/lass/1systems/prism/backup.nix @@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: +{ + services.postgresqlBackup.enable = true; + + systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; + + services.borgbackup.jobs.hetzner = { + paths = [ + "/var/backup" + ]; + exclude = [ + "*.pyc" + ]; + repo = "u364341@u364341.your-storagebox.de:/./hetzner"; + encryption.mode = "none"; + compression = "auto,zstd"; + startAt = "daily"; + # TODO: change backup key + environment.BORG_RSH = "ssh -oPort=23 -i ${toString + "/borgbackup.ssh.id25519"}"; + preHook = '' + set -x + ''; + + postHook = '' + cat > /var/log/telegraf/borgbackup-job-hetzner.service <; { imports = [ + ./backup.nix diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index 0927788a7..f8880dbdc 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -34,6 +34,7 @@ in CMD_CSP_ALLOW_FRAMING = "true"; }; + services.borgbackup.jobs.hetzner.paths = [ "/var/backup" ]; systemd.services.hedgedoc-backup = { startAt = "daily"; serviceConfig = { 
@@ -42,61 +43,6 @@ in }; }; - services.postgresqlBackup.enable = true; - - systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; - - services.borgbackup.jobs.hetzner = { - paths = [ - "/home" - "/etc" - "/var" - "/root" - ]; - exclude = [ - "*.pyc" - "/home/*/.direnv" - "/home/*/.cache" - "/home/*/.cargo" - "/home/*/.npm" - "/home/*/.m2" - "/home/*/.gradle" - "/home/*/.opam" - "/home/*/.clangd" - "/var/lib/containerd" - # already included in database backup - "/var/lib/postgresql" - # not so important - "/var/lib/docker/" - "/var/log/journal" - "/var/cache" - "/var/tmp" - "/var/log" - ]; - repo = "u348918@u348918.your-storagebox.de:/./hetzner"; - encryption.mode = "none"; - compression = "auto,zstd"; - startAt = "daily"; - # TODO: change backup key - environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}"; - preHook = '' - set -x - ''; - - postHook = '' - cat > /var/log/telegraf/borgbackup-job-hetzner.service < Date: Sat, 2 Sep 2023 11:36:38 +0200 Subject: [PATCH 021/125] l codimd: backup statedir --- lass/2configs/codimd.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index f8880dbdc..d0ba8912c 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -34,7 +34,10 @@ in CMD_CSP_ALLOW_FRAMING = "true"; }; - services.borgbackup.jobs.hetzner.paths = [ "/var/backup" ]; + services.borgbackup.jobs.hetzner.paths = [ + "/var/backup" + "/var/lib/hedgedoc" + ]; systemd.services.hedgedoc-backup = { startAt = "daily"; serviceConfig = { From 046651c48c43b366900d3f3cd46c6413b93e8d01 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 2 Sep 2023 21:24:33 +0200 Subject: [PATCH 022/125] nixpkgs: bd836ac -> 9075cba --- krebs/nixpkgs.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index cd0714cf3..0b6021ed0 100644 --- a/krebs/nixpkgs.json 
+++ b/krebs/nixpkgs.json @@ -1,10 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "bd836ac5e5a7358dea73cb74a013ca32864ccb86", - "date": "2023-08-02T00:11:43+02:00", - "path": "/nix/store/qj37rmkpa5spmxsr3vb5hrwkahnsn4pm-nixpkgs", - "sha256": "1xcg07nmzz74s99ln079rqzlxyiv2gzzz9g71h5337jf4il0560g", - "hash": "sha256-D5gCaCROnjEKDOel//8TO/pOP87pAEtT0uT8X+0Bj/U=", + "rev": "9075cba53e86dc318d159aee55dc9a7c9a4829c1", + "date": "2023-09-02T08:28:47+02:00", + "path": "/nix/store/605bv7zssv38j0ii8rbnxkv1m0f0b53p-nixpkgs", + "sha256": "0kymzp32d31c0hny2b2f7zfn49nzrxlm963xbm4v0axka6abym36", + "hash": "sha256-ZlS/lFGzK7BJXX2YVGnP3yZi3T9OLOEtBCyMJsb91U8=", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, From 40db172916f1b328d0d03f3753500b3ee2a41c7f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 2 Sep 2023 21:25:12 +0200 Subject: [PATCH 023/125] nixpkgs-unstable: 8353344 -> aa8aa7e --- krebs/nixpkgs-unstable.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index c31b7f708..2233cd20b 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,10 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "8353344d3236d3fda429bb471c1ee008857d3b7c", - "date": "2023-08-15T09:25:12+02:00", - "path": "/nix/store/r7sblbzjhxfl07r4l3nywhaprk3486zx-nixpkgs", - "sha256": "02431z7g8zmjrmqpmsxsnzz4r91cdl3a2sdz6kiqpsjalnlbxbv5", - "hash": "sha256-Za++qKVK6ovjNL9poQZtLKRM/re663pxzbJ+9M4Pgwg=", + "rev": "aa8aa7e2ea35ce655297e8322dc82bf77a31d04b", + "date": "2023-09-01T18:51:16+08:00", + "path": "/nix/store/10xskkarnksmn1fahylswv0y4216c73w-nixpkgs", + "sha256": "0bbv3y86kfpn02zh5vvdbkmnqyzagzbc1gzpvvlb6qbvgg639bf9", + "hash": "sha256-ya00zHt7YbPo3ve/wNZ/6nts61xt7wK/APa6aZAfey0=", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, From 3bb70cd5c28ebcf8ddee9ef7ad05cc86a2c841af Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sun, 3 Sep 2023 10:59:51 +0200 Subject: [PATCH 024/125] l aergia.r: fix mounting with new disko --- lass/1systems/aergia/disk.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix index 848157729..233b320e4 100644 --- a/lass/1systems/aergia/disk.nix +++ b/lass/1systems/aergia/disk.nix @@ -45,9 +45,11 @@ # Mountpoints inferred from subvolume name "/home" = { mountOptions = []; + mountpoint = "/home"; }; "/nix" = { mountOptions = []; + mountpoint = "/nix"; }; }; }; From 521dd6afa5518f19a1ba7772a036363d5604441b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:23:46 +0200 Subject: [PATCH 025/125] l aergia.r: more hardware settings --- lass/1systems/aergia/physical.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 9f06dccdc..e76460d20 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -16,7 +16,7 @@ efiInstallAsRemovable = true; }; - boot.kernelPackages = pkgs.linuxPackages_latest; + # boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelParams = [ # use less power with pstate @@ -70,8 +70,6 @@ }; users.users.mainUser.extraGroups = [ "corectrl" ]; - # use newer ryzenadj - # keyboard quirks services.xserver.displayManager.sessionCommands = '' ${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert 
@@ -102,9 +100,16 @@ services.logind.extraConfig = '' HandlePowerKey=hibernate ''; + # systemd.sleep.extraConfig = '' + # HibernateDelaySec=1800 + # ''; # firefox touchscreen support environment.sessionVariables.MOZ_USE_XINPUT2 = "1"; + + # enable thunderbolt + services.hardware.bolt.enable = true; + # reinit usb after docking station connect services.udev.extraRules = '' SUBSYSTEM=="drm", ACTION=="change", RUN+="${pkgs.dash}/bin/dash -c 'echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized'" From c1656131473f63e415baae35e99507dbb1c780a4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:43:01 +0200 Subject: [PATCH 026/125] l prism.r: remove xanf disk --- lass/1systems/prism/physical.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index d4dd88382..2260aa648 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -61,11 +61,6 @@ fsType = "zfs"; }; - fileSystems."/home/xanf" = { - device = "/dev/disk/by-id/wwn-0x500a07511becb076"; - fsType = "ext4"; - }; - # silence mdmonitor.service failures # https://github.com/NixOS/nixpkgs/issues/72394 environment.etc."mdadm.conf".text = '' From b7fba1c6ba5379cbad60728541259538df5096ec Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:45:42 +0200 Subject: [PATCH 027/125] l shodan.r: remove containers, add trusted users --- lass/1systems/shodan/config.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 5e48c216a..0bea37e5c 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -13,13 +13,9 @@ - - - - ]; @@ -27,4 +23,6 @@ services.logind.lidSwitch = "ignore"; services.logind.lidSwitchDocked = "ignore"; + nix.trustedUsers = [ "root" "lass" ]; + system.stateVersion = "22.05"; } 
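Review bot: `nix.trustedUsers = [ "root" "lass" ];` in the second hunk of shodan/config.nix spells the option by its pre-22.05 name; this host already declares `system.stateVersion = "22.05"`, so `nix.settings.trusted-users = [ "root" "lass" ];` is the current form and the old name only resolves through a rename alias. A short comment on why `lass` needs this would also help, since the Nix manual treats trusted users as effectively root (they may add substituters and import unsigned store paths), so the entry is a deliberate privilege grant rather than a convenience setting.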
From f3f5adc4b67c3fff7af571df8a6e395896c93fea Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:46:09 +0200 Subject: [PATCH 028/125] l skynet.r: better fileSystems syntax --- lass/1systems/skynet/physical.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lass/1systems/skynet/physical.nix b/lass/1systems/skynet/physical.nix index e3451293f..1ac9708c7 100644 --- a/lass/1systems/skynet/physical.nix +++ b/lass/1systems/skynet/physical.nix @@ -12,15 +12,15 @@ networking.hostId = "06442b9a"; - fileSystems."/" = - { device = "rpool/root"; - fsType = "zfs"; - }; + fileSystems."/" = { + device = "rpool/root"; + fsType = "zfs"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/0876-B308"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/0876-B308"; + fsType = "vfat"; + }; services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" From 1fa53c704e22534219ef85e804eef1feb4643131 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:46:56 +0200 Subject: [PATCH 029/125] l styx.r: disable syncthing, add consul --- lass/1systems/styx/config.nix | 2 +- lass/1systems/styx/physical.nix | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/lass/1systems/styx/config.nix b/lass/1systems/styx/config.nix index 6c054abfe..988cbca75 100644 --- a/lass/1systems/styx/config.nix +++ b/lass/1systems/styx/config.nix @@ -22,11 +22,11 @@ with import ; - # + ]; krebs.build.host = config.krebs.hosts.styx; diff --git a/lass/1systems/styx/physical.nix b/lass/1systems/styx/physical.nix index ae0cdf489..284bbb333 100644 --- a/lass/1systems/styx/physical.nix +++ b/lass/1systems/styx/physical.nix @@ -16,7 +16,6 @@ boot.loader.grub.device = "/dev/disk/by-id/ata-SanDisk_SSD_G5_BICS4_20248F446514"; boot.loader.grub.efiInstallAsRemovable = true; - fileSystems."/" = { device = "/dev/disk/by-uuid/ee5c9099-17fa-401e-852e-67cb4ae068f4"; fsType = "ext4"; 
From a53b28f0d6b0a6e7523ee38ce56d3c1afeee660f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:47:18 +0200 Subject: [PATCH 030/125] l wizard.r: add nm-dmenu --- lass/1systems/wizard/config.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lass/1systems/wizard/config.nix b/lass/1systems/wizard/config.nix index e158fa728..5e69171ce 100644 --- a/lass/1systems/wizard/config.nix +++ b/lass/1systems/wizard/config.nix @@ -183,7 +183,7 @@ in { #style most - rxvt_unicode.terminfo + rxvt-unicode-unwrapped.terminfo #monitoring tools htop @@ -192,6 +192,7 @@ in { #network iptables iftop + nm-dmenu #stuff for dl aria2 From 72be85e30bbdd658d100b70efc7deafa2a925267 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:55:15 +0200 Subject: [PATCH 031/125] l neoprism.r: disable initrd ssh --- lass/1systems/neoprism/physical.nix | 39 ++++++++++++++++------------- 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix index f2092d9aa..cc7734f39 100644 --- a/lass/1systems/neoprism/physical.nix +++ b/lass/1systems/neoprism/physical.nix @@ -13,7 +13,10 @@ boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.efiSupport = true; - boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]; + boot.loader.grub.devices = [ + config.disko.devices.disk."/dev/nvme0n1".device + config.disko.devices.disk."/dev/nvme1n1".device + ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ]; boot.kernelModules = [ "kvm-amd" ]; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 
@@ -56,21 +59,21 @@ }; networking.useDHCP = false; - boot.initrd.network = { - enable = true; - ssh = { - enable = true; - authorizedKeys = [ config.krebs.users.lass.pubkey ]; - port = 2222; - hostKeys = [ - (toString ) - (toString ) - ]; - }; - }; - boot.kernelParams = [ - "net.ifnames=0" - "ip=dhcp" - "boot.trace" - ]; + # boot.initrd.network = { + # enable = true; + # ssh = { + # enable = true; + # authorizedKeys = [ config.krebs.users.lass.pubkey ]; + # port = 2222; + # hostKeys = [ + # () + # () + # ]; + # }; + # }; + # boot.kernelParams = [ + # "net.ifnames=0" + # "ip=dhcp" + # "boot.trace" + # ]; } From f58eceedb1ce03b17b75b2cb033a6722f9d72a72 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:55:59 +0200 Subject: [PATCH 032/125] l xerxes.r: disable some stuff --- lass/1systems/xerxes/config.nix | 21 +-------------------- 1 file changed, 1 insertion(+), 20 deletions(-) diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix index 6972567d7..d1ee4cf71 100644 --- a/lass/1systems/xerxes/config.nix +++ b/lass/1systems/xerxes/config.nix @@ -7,16 +7,15 @@ + - - ]; @@ -60,24 +59,6 @@ services.logind.lidSwitch = "suspend"; lass.screenlock.enable = lib.mkForce false; - systemd.services.suspend-again = { - after = [ "suspend.target" ]; - requiredBy = [ "suspend.target" ]; - # environment = { - # DISPLAY = ":${toString config.services.xserver.display}"; - # }; - serviceConfig = { - ExecStart = pkgs.writeDash "suspend-again" '' - ${pkgs.gnugrep}/bin/grep -q closed /proc/acpi/button/lid/LID0/state - if [ "$?" -eq 0 ]; then - echo 'wakeup with closed lid' - ${pkgs.systemd}/bin/systemctl suspend - fi - ''; - Type = "simple"; - }; - }; - hardware.bluetooth = { enable = true; powerOnBoot = true; From be170d796f8520b88102a0f540f028d0fa395a55 Mon Sep 17 00:00:00 2001 
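Review bot: Commenting out `boot.kernelParams` goes beyond the initrd-ssh change named in the subject: dropping `net.ifnames=0` switches the host back to predictable interface names on the next boot, so any configuration on this machine that still addresses `eth0`-style names (not visible in the hunk) stops matching. If only the initrd network is meant to go, keep `boot.kernelParams = [ "net.ifnames=0" ];` and delete the rest instead of commenting it, since the old block is retained by git anyway. The enclosing attribute set starts outside the hunk.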
From: lassulus Date: Sun, 3 Sep 2023 11:56:59 +0200 Subject: [PATCH 033/125] l binary-cache: disable nix-serve-ng --- lass/2configs/binary-cache/server.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix index bdd568c15..490601641 100644 --- a/lass/2configs/binary-cache/server.nix +++ b/lass/2configs/binary-cache/server.nix @@ -1,8 +1,8 @@ { config, lib, pkgs, ...}: { - nixpkgs.config.packageOverrides = p: { - nix-serve = p.haskellPackages.nix-serve-ng; - }; + # nixpkgs.config.packageOverrides = p: { + # nix-serve = p.haskellPackages.nix-serve-ng; + # }; # generate private key with: # nix-store --generate-binary-cache-key my-secret-key my-public-key services.nix-serve = { From 32bac4e0549b6b41aa6062aee48f1aa7eb493a3f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:57:19 +0200 Subject: [PATCH 034/125] l green-hosts: add different implementations --- lass/2configs/green-hosts/cryfs.nix | 95 ++++++++++++++++++ lass/2configs/green-hosts/ecryptfs.nix | 99 +++++++++++++++++++ lass/2configs/green-hosts/plain-bindfs.nix | 90 +++++++++++++++++ lass/2configs/green-hosts/plain-permown.nix | 88 +++++++++++++++++ lass/2configs/green-hosts/plain.nix | 87 +++++++++++++++++ lass/2configs/green-hosts/securefs.nix | 101 ++++++++++++++++++++ 6 files changed, 560 insertions(+) create mode 100644 lass/2configs/green-hosts/cryfs.nix create mode 100644 lass/2configs/green-hosts/ecryptfs.nix create mode 100644 lass/2configs/green-hosts/plain-bindfs.nix create mode 100644 lass/2configs/green-hosts/plain-permown.nix create mode 100644 lass/2configs/green-hosts/plain.nix create mode 100644 lass/2configs/green-hosts/securefs.nix diff --git a/lass/2configs/green-hosts/cryfs.nix b/lass/2configs/green-hosts/cryfs.nix new file mode 100644 index 000000000..d60dc5951 --- /dev/null +++ b/lass/2configs/green-hosts/cryfs.nix 
@@ -0,0 +1,95 @@ +# seems to work, very slow though + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-cryfs"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/cryfs" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + lass.bindfs."/var/lib/sync-containers/${cname}/cryfs" = { + source = "/var/lib/sync-containers/${cname}/cryfs"; + options = [ + "-M ${toString config.users.users.syncthing.uid} -u root -g root" + ]; + }; + + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "init-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/sync-containers/${cname}/cryfs + '') + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch 
/etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} diff --git a/lass/2configs/green-hosts/ecryptfs.nix b/lass/2configs/green-hosts/ecryptfs.nix new file mode 100644 index 000000000..2c335f6f2 --- /dev/null +++ b/lass/2configs/green-hosts/ecryptfs.nix 
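Review bot: The container's `system.activationScripts.fuse` runs `mknod /dev/fuse c 10 229` with no existence check, and activation re-runs on every switch — including the `nixos-rebuild -I /var/src switch` that `start-${cname}` triggers — where mknod fails with EEXIST once the node exists; guard it with `[ -e /dev/fuse ] || ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229`. The same block is copied verbatim into ecryptfs.nix, plain-bindfs.nix, plain-permown.nix, plain.nix and securefs.nix in this commit. The inner `deploy-${cname}` script is `set -x` only, so a failing `mkdir` or `ln` there does not abort the outer `set -euf` start script; `set -eux` would match its caller. Nothing in this file mounts or unmounts a cryfs volume (`init-${cname}` only creates the directory), so a comment saying where the cryfs mount into `/var/lib/containers/${cname}/var/state` is expected to happen would save the next reader from looking for it.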
@@ -0,0 +1,99 @@ + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/ecryptfs" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/sync-containers/${cname}/ecryptfs" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = false; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + pkgs.ecryptfs + pkgs.keyutils + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + if ! 
mount | grep -q '/var/lib/sync-containers/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then + if [ -e /var/lib/sync-containers/${cname}/ecryptfs/.cfg.json ]; then + ${pkgs.ecrypt}/bin/ecrypt mount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + else + ${pkgs.ecrypt}/bin/ecrypt init /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + fi + fi + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + ${pkgs.ecrypt}/bin/ecrypt unmount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + '') + ]; +} + diff --git a/lass/2configs/green-hosts/plain-bindfs.nix b/lass/2configs/green-hosts/plain-bindfs.nix new file mode 100644 index 000000000..81d8f20c2 --- /dev/null +++ b/lass/2configs/green-hosts/plain-bindfs.nix 
@@ -0,0 +1,90 @@ +# this seems to work, sadly there are no inotify events on the state directory because bindfs hides them, + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-plain"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + lass.bindfs."/var/lib/containers/${cname}/var/state" = { + source = "/var/lib/containers/${cname}/var/state"; + options = [ + "-M ${toString config.users.users.syncthing.uid} -u root -g root" + ]; + }; + + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h 
/var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} + diff --git a/lass/2configs/green-hosts/plain-permown.nix b/lass/2configs/green-hosts/plain-permown.nix new file mode 100644 index 000000000..21a7d0085 --- /dev/null +++ b/lass/2configs/green-hosts/plain-permown.nix 
@@ -0,0 +1,88 @@ +# this seems to work fine, downsides are, all state is owned by syncthing and could be read by the guests syncthing + + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-plain"; + +in { + imports = [ + + + ]; + + services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/containers/${cname}/var/state" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = true; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! 
ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} + diff --git a/lass/2configs/green-hosts/plain.nix b/lass/2configs/green-hosts/plain.nix new file mode 100644 index 000000000..58f54b748 --- /dev/null +++ b/lass/2configs/green-hosts/plain.nix 
@@ -0,0 +1,87 @@ +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-plain"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/containers/${cname}/var/state" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = true; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! 
ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} + diff --git a/lass/2configs/green-hosts/securefs.nix b/lass/2configs/green-hosts/securefs.nix new file mode 100644 index 000000000..a69cfe6ca --- /dev/null +++ b/lass/2configs/green-hosts/securefs.nix 
@@ -0,0 +1,101 @@ +# broken, muchsync cant sync into the folders which should be handles by bindfs +# ls -la also does not show the full directory permissions +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/securefs" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + krebs.permown."/var/lib/sync-containers/${cname}/securefs" = { + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = false; + }; + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + if ! mount | grep -q 'securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then + if ! 
${pkgs.securefs}/bin/securefs info /var/lib/sync-containers/${cname}/securefs; then + ${pkgs.securefs}/bin/securefs create --format 4 /var/lib/sync-containers/${cname}/securefs + fi + + ${pkgs.securefs}/bin/securefs mount -b \ + -o allow_other -o default_permissions \ + --log /var/lib/sync-containers/${cname}/securefs.log \ + /var/lib/sync-containers/${cname}/securefs /var/lib/containers/${cname}/var/state + fi + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + umount /var/lib/containers/${cname}/var/state + '') + ]; +} + From ba79c70bbdd357e9c97306beeb181645bad03219 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:57:38 +0200 Subject: [PATCH 035/125] l telegraf: update config --- lass/2configs/monitoring/telegraf.nix | 175 +++++++++++++++++++------- 1 file changed, 133 insertions(+), 42 deletions(-) diff --git a/lass/2configs/monitoring/telegraf.nix b/lass/2configs/monitoring/telegraf.nix index 5258b87ed..b172b9c62 100644 --- a/lass/2configs/monitoring/telegraf.nix +++ b/lass/2configs/monitoring/telegraf.nix 
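Review bot: `start-${cname}` falls through to `securefs create --format 4` whenever `securefs info` returns non-zero, which conflates "not initialised yet" with any other failure on a directory that syncthing may still be populating; if securefs keeps a config file in the data directory, testing for that file explicitly (as ecryptfs.nix does with `.cfg.json`) would be the safer gate. As a style point, the scripts mix store paths (`${pkgs.securefs}`, `${pkgs.nixos-container}`) with bare `mount`, `grep`, `ping` and `umount` looked up via PATH; the other green-hosts files do the same with `ping`, so either spell all of them out or note that the scripts assume an interactive PATH.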
@@ -1,60 +1,127 @@ -{ config, lib, pkgs, ... }: +{ pkgs, lib, config, ... }: +# To use this module you also need to allow port 9273 either on the internet or on a vpn interface +# i.e. networking.firewall.interfaces."vpn0".allowedTCPPorts = [ 9273 ]; +# Example prometheus alert rules: +# - https://github.com/Mic92/dotfiles/blob/master/nixos/eva/modules/prometheus/alert-rules.nix let isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules; -in { + # potentially wrong if the nvme is not used at boot... + hasNvme = lib.any (m: m == "nvme") config.boot.initrd.availableKernelModules; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 9273"; target = "ACCEPT"; } - ]; + ipv6DadCheck = pkgs.writeShellScript "ipv6-dad-check" '' + ${pkgs.iproute2}/bin/ip --json addr | \ + ${pkgs.jq}/bin/jq -r 'map(.addr_info) | flatten(1) | map(select(.dadfailed == true)) | map(.local) | @text "ipv6_dad_failures count=\(length)i"' + ''; - systemd.services.telegraf.path = [ pkgs.nvme-cli ]; + zfsChecks = lib.optional + (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) + (pkgs.writeScript "zpool-health" '' + #!${pkgs.gawk}/bin/awk -f + BEGIN { + while ("${pkgs.zfs}/bin/zpool status" | getline) { + if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 } + if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } + if ($1 ~ /errors:/) { + if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 + } + } + } + ''); + + nfsChecks = + let + collectHosts = shares: fs: + if builtins.elem fs.fsType [ "nfs" "nfs3" "nfs4" ] + then + shares + // ( + let + # also match ipv6 addresses + group = builtins.match "\\[?([^\]]+)]?:([^:]+)$" fs.device; + host = builtins.head group; + path = builtins.elemAt group 1; + in + { + ${host} = (shares.${host} or [ ]) ++ [ path ]; + } + ) + else shares; + nfsHosts = lib.foldl collectHosts { } (builtins.attrValues config.fileSystems); + in + lib.mapAttrsToList + ( + 
host: args: + (pkgs.writeScript "nfs-health" '' + #!${pkgs.gawk}/bin/awk -f + BEGIN { + for (i = 2; i < ARGC; i++) { + mounts[ARGV[i]] = 1 + } + while ("${pkgs.nfs-utils}/bin/showmount -e " ARGV[1] | getline) { + if (NR == 1) { continue } + if (mounts[$1] == 1) { + printf "nfs_export,host=%s,path=%s present=1\n", ARGV[1], $1 + } + delete mounts[$1] + } + for (mount in mounts) { + printf "nfs_export,host=%s,path=%s present=0\n", ARGV[1], $1 + } + } + '') + + " ${host} ${builtins.concatStringsSep " " args}" + ) + nfsHosts; + +in +{ + + systemd.services.telegraf.path = lib.optional (!isVM && hasNvme) pkgs.nvme-cli; services.telegraf = { enable = true; extraConfig = { agent.interval = "60s"; inputs = { - http_response = [ - { urls = [ - "http://localhost:8080/about/health/" - ]; } + prometheus.urls = lib.mkIf config.services.promtail.enable [ + # default promtail port + "http://localhost:9080/metrics" ]; prometheus.metric_version = 2; kernel_vmstat = { }; - # smart = lib.mkIf (!isVM) { - # path = pkgs.writeShellScript "smartctl" '' - # exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" - # ''; - # }; + nginx.urls = lib.mkIf config.services.nginx.statusPage [ + "http://localhost/nginx_status" + ]; + smart = lib.mkIf (!isVM) { + path_smartctl = pkgs.writeShellScript "smartctl" '' + exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" + ''; + }; system = { }; mem = { }; - file = [{ - data_format = "influx"; - file_tag = "name"; - files = [ "/var/log/telegraf/*" ]; - }] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { - name_override = "ext4_errors"; - files = [ "/sys/fs/ext4/*/errors_count" ]; - data_format = "value"; - }; - exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) { - ## Commands array - commands = [ - (pkgs.writeScript "zpool-health" '' - #!${pkgs.gawk}/bin/awk -f - BEGIN { - while ("${pkgs.zfs}/bin/zpool status" | getline) { - if ($1 ~ /pool:/) { printf 
"zpool_status,name=%s ", $2 } - if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } - if ($1 ~ /errors:/) { - if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 - } - } - } - '') - ]; - data_format = "influx"; - }; + file = + [ + { + data_format = "influx"; + file_tag = "name"; + files = [ "/var/log/telegraf/*" ]; + } + ] + ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { + name_override = "ext4_errors"; + files = [ "/sys/fs/ext4/*/errors_count" ]; + data_format = "value"; + }; + exec = [ + { + ## Commands array + commands = + [ ipv6DadCheck ] + ++ zfsChecks + ++ nfsChecks; + data_format = "influx"; + } + ]; systemd_units = { }; swap = { }; disk.tagdrop = { @@ -62,6 +129,11 @@ in { device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ]; }; diskio = { }; + zfs = { + poolMetrics = true; + }; + } // lib.optionalAttrs (if lib.versionAtLeast (lib.versions.majorMinor lib.version) "23.11" then config.boot.swraid.enable else config.boot.initrd.services.swraid.enable) { + mdstat = { }; }; outputs.prometheus_client = { listen = ":9273"; @@ -69,4 +141,23 @@ in { }; }; }; + security.sudo.extraRules = lib.mkIf (!isVM) [ + { + users = [ "telegraf" ]; + commands = [ + { + command = "${pkgs.smartmontools}/bin/smartctl"; + options = [ "NOPASSWD" ]; + } + ]; + } + ]; + # avoid logging sudo use + security.sudo.configFile = '' + Defaults:telegraf !syslog,!pam_session + ''; + # create dummy file to avoid telegraf errors + systemd.tmpfiles.rules = [ + "f /var/log/telegraf/dummy 0444 root root - -" + ]; } From 77b8c837c5e9a5217e829ae2976a37e691a291b5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:58:42 +0200 Subject: [PATCH 036/125] l coms proxy: ipforward ports --- lass/2configs/services/coms/proxy.nix | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/lass/2configs/services/coms/proxy.nix b/lass/2configs/services/coms/proxy.nix index e8555f9b7..fd7b36ca8 100644 
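Review bot: In the new `nfs-health` awk script the final loop `for (mount in mounts) { printf "nfs_export,host=%s,path=%s present=0\n", ARGV[1], $1 }` prints `$1` — the first field of whatever `showmount` line was read last — instead of the loop variable, so every missing export is reported under the wrong path; it should be `printf "nfs_export,host=%s,path=%s present=0\n", ARGV[1], mount`. The new header comment also suggests opening port 9273 "either on the internet or on a vpn interface"; the Prometheus listener has no authentication, and the `krebs.iptables` rule this hunk removes restricted it to `retiolum`, so the comment would better recommend the VPN interface and treat the internet case as the exception.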
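Review bot: `Defaults:telegraf !syslog,!pam_session` switches off syslog for the one NOPASSWD root command this file grants, and because `path_smartctl` forwards `"$@"` unchanged the sudo rule covers every `smartctl` invocation, not just the read-only ones the smart input needs; the comment "avoid logging sudo use" says what but not why. If the motivation is per-interval noise, keeping syslog and filtering at the collector preserves the audit trail for a root-capable hook; either way the comment should state the trade-off, e.g. `# smart input calls sudo smartctl every interval; sudo logging suppressed deliberately to avoid flooding syslog`. `security.sudo.configFile` is declared as `lines` in the sudo module, so this should merge with the generated sudoers rather than replace it — worth a word, since a reader may fear the latter.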
--- a/lass/2configs/services/coms/proxy.nix +++ b/lass/2configs/services/coms/proxy.nix @@ -21,14 +21,13 @@ in proxy_pass ${target}:${toString port}; } '') tcpports} - ${lib.concatMapStringsSep "\n" (port: '' - server { - listen ${toString port} udp; - proxy_pass ${target}:${toString port}; - } - '') udpports} ''; + krebs.iptables.tables.nat.PREROUTING.rules = lib.flatten (map (port: [ + { predicate = "-p udp --dport ${toString port}"; target = "DNAT --to-destination ${config.krebs.hosts.orange.nets.retiolum.ip4.addr}:${toString port}"; v6 = false; } + { predicate = "-p udp --dport ${toString port}"; target = "DNAT --to-destination [${config.krebs.hosts.orange.nets.retiolum.ip6.addr}]:${toString port}"; v4 = false; } + ]) udpports); + services.nginx.virtualHosts."jitsi.lassul.us" = { enableACME = true; acmeFallbackHost = "${target}"; @@ -36,7 +35,7 @@ in locations."/" = { recommendedProxySettings = true; proxyWebsockets = true; - proxyPass = "http://${target}"; + proxyPass = "https://${target}"; }; }; } From 541cfbe3a2544ec74cee6c9b24b1a86051688414 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:59:38 +0200 Subject: [PATCH 037/125] l radio news: add debug outputs --- lass/2configs/services/radio/news.nix | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/lass/2configs/services/radio/news.nix b/lass/2configs/services/radio/news.nix index 62f7f548c..a9cddb62a 100644 --- a/lass/2configs/services/radio/news.nix +++ b/lass/2configs/services/radio/news.nix @@ -122,10 +122,9 @@ in ''}''; }; - ## debug - # environment.systemPackages = [ - # weather_report - # send_to_radio - # newsshow - # ]; + # debug + environment.systemPackages = [ + send_to_radio + newsshow + ]; } From 45c3e165c96efa0148ddedffd50f508d7dae6093 Mon Sep 17 00:00:00 2001 
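Review bot: The new `nat.PREROUTING` DNAT rules only rewrite the destination; unless IP forwarding is enabled and a FORWARD rule admits the traffic to orange, and unless replies from orange route back through this host (masquerade or a return route), the UDP sessions the removed nginx `listen ... udp` servers used to proxy will silently fail — none of that is visible in this hunk, so it may well live elsewhere, but a pointer comment next to the rules would help. The rules also match on every interface (`-p udp --dport ${toString port}` with no `-i`), which mirrors the old nginx exposure but means the DNAT applies to retiolum-originating packets too; `-i <public-iface> -p udp --dport ${toString port}` would narrow it if that was not intended. The enclosing `in { ... }` set starts outside the hunk.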
From: lassulus Date: Sun, 3 Sep 2023 11:59:53 +0200 Subject: [PATCH 038/125] l radio: add watcher --- lass/2configs/services/radio/default.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/lass/2configs/services/radio/default.nix b/lass/2configs/services/radio/default.nix index 5accfe360..5a10b5578 100644 --- a/lass/2configs/services/radio/default.nix +++ b/lass/2configs/services/radio/default.nix @@ -104,6 +104,22 @@ in { print_current ]; + + systemd.services.radio_watcher = { + wantedBy = [ "multi-user.target" ]; + after = [ "radio.service" ]; + serviceConfig = { + ExecStart = pkgs.writers.writeDash "radio_watcher" '' + set -efux + while :; do + ${pkgs.curl}/bin/curl -Ss http://localhost:8000/radio.ogg -o /dev/null + ${pkgs.systemd}/bin/systemctl restart radio + sleep 60 + done + ''; + }; + }; + services.liquidsoap.streams.radio = ./radio.liq; systemd.services.radio = { environment = { @@ -124,6 +140,7 @@ in { }; path = [ pkgs.yt-dlp + pkgs.bubblewrap ]; serviceConfig.User = lib.mkForce "radio"; }; @@ -163,6 +180,7 @@ in { filter.INPUT.rules = [ { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; } { predicate = "-i retiolum -p tcp --dport 8001"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 8002"; target = "ACCEPT"; } ]; }; }; From d0422e3b64403cdcc2acd68e432a3671a6f6a502 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:00:44 +0200 Subject: [PATCH 039/125] l websites: add flix.lassul.us --- lass/2configs/websites/default.nix | 2 -- lass/2configs/websites/flix.lassul.us.nix | 13 +++++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 lass/2configs/websites/flix.lassul.us.nix diff --git a/lass/2configs/websites/default.nix b/lass/2configs/websites/default.nix index ebf4d8345..f74845a56 100644 --- a/lass/2configs/websites/default.nix +++ b/lass/2configs/websites/default.nix @@ -1,7 +1,5 @@ { config, lib, ... }: -with import ; - { services.nginx = { enable = true; 
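Review bot: The watcher restarts `radio` on every iteration regardless of what curl found: a failed curl terminates the script under `set -e` (and, with no `Restart=` in `serviceConfig`, the service), while a successful one falls through to `systemctl restart radio`; presumably the intent is the opposite, restart only when the stream is unreachable. A bounded probe is also needed because `radio.ogg` is a continuous stream that `curl -o /dev/null` would read forever, and `-f` so that an HTTP error status counts as failure. A rewritten loop along those lines follows; the surrounding `systemd.services.radio_watcher` attribute set is unchanged.
```nix
ExecStart = pkgs.writers.writeDash "radio_watcher" ''
  set -efux
  while :; do
    # healthy == at least one byte of the stream arrived within 10s;
    # `head` ends the transfer so a live stream does not block forever
    if [ "$(${pkgs.curl}/bin/curl -Ssf --max-time 10 http://localhost:8000/radio.ogg | head -c 1 | wc -c)" -ne 1 ]; then
      ${pkgs.systemd}/bin/systemctl restart radio
    fi
    sleep 60
  done
'';
```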
diff --git a/lass/2configs/websites/flix.lassul.us.nix b/lass/2configs/websites/flix.lassul.us.nix new file mode 100644 index 000000000..27a7f75e8 --- /dev/null +++ b/lass/2configs/websites/flix.lassul.us.nix @@ -0,0 +1,13 @@ +{ config, pkgs, ... }: +{ + services.nginx.virtualHosts."flix.lassul.us" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://yellow.r:8096"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; + }; +} + From 8edd78c98273812a1239ab95af93f8c3d9664065 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:01:41 +0200 Subject: [PATCH 040/125] l bitlbee: move to statedir --- lass/2configs/bitlbee.nix | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix index 84f06e587..43573d893 100644 --- a/lass/2configs/bitlbee.nix +++ b/lass/2configs/bitlbee.nix @@ -15,18 +15,20 @@ with (import ); # pkgs.tdlib-purple # pkgs.purple-gowhatsapp ]; + configDir = "/var/state/bitlbee"; }; - users.users.bitlbee = { - uid = genid_uint31 "bitlbee"; - isSystemUser = true; - group = "bitlbee"; - }; - users.groups.bitlbee = {}; - systemd.services.bitlbee.serviceConfig = { - DynamicUser = lib.mkForce false; - User = "bitlbee"; - StateDirectory = lib.mkForce null; + ExecStartPre = [ + "+${pkgs.writeDash "setup-bitlbee" '' + ${pkgs.coreutils}/bin/chown bitlbee:bitlbee /var/state/bitlbee || : + ''}" + ]; + ReadWritePaths = [ + "/var/state/bitlbee" + ]; }; + systemd.tmpfiles.rules = [ + "d /var/state/bitlbee 0700 - - -" + ]; } From 2dbabb06849bfe7054e1da2bef85acf5919df6d7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:01:55 +0200 Subject: [PATCH 041/125] l browsers: use ff devedition --- lass/2configs/browsers.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index ea6fb644b..92ee8e30f 100644 --- a/lass/2configs/browsers.nix 
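Review bot: The new vhost forwards every request for `flix.lassul.us` to `http://yellow.r:8096` with no access control in front of it, so whatever listens on that port becomes reachable from the internet as soon as the name resolves here; that is fine only if the upstream application does its own authentication — confirm. The upstream hop is plain HTTP, acceptable if `yellow.r` is reached over the encrypted overlay, which this file does not show. A comment such as `# reverse proxy for the media server on yellow; authentication is done by the upstream` above `services.nginx.virtualHosts` would record both decisions.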
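Review bot: `chown bitlbee:bitlbee /var/state/bitlbee || :` in `ExecStartPre` swallows every failure, including the case where no `bitlbee` user exists: the hunk removes the explicit `users.users.bitlbee`/`users.groups.bitlbee` definitions and the `User = "bitlbee"` override, so the name now depends on what the upstream module creates (presumably a `DynamicUser`, whose UID is not stable across restarts — which may be why the chown runs on every start; confirm). If that is the intent, state it in a comment and drop the `|| :` so a wrong owner fails loudly instead of leaving the state directory unreadable. The `"d /var/state/bitlbee 0700 - - -"` tmpfiles rule creates the directory root-owned, which is the only reason the chown is needed at all.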
+++ b/lass/2configs/browsers.nix @@ -3,6 +3,6 @@ programs.firefox.nativeMessagingHosts.tridactyl = true; environment.variables.BROWSER = "${pkgs.firefox}/bin/firefox"; environment.systemPackages = [ - pkgs.firefox + pkgs.firefox-devedition ]; } From 600085425b8ee8268258eda2d0d3d10566850b45 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:02:06 +0200 Subject: [PATCH 042/125] l c-base: use different subnet --- lass/2configs/c-base.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/c-base.nix b/lass/2configs/c-base.nix index a8dd3dd1d..c9ad8cf68 100644 --- a/lass/2configs/c-base.nix +++ b/lass/2configs/c-base.nix @@ -17,7 +17,7 @@ in { }; routes = [ { routeConfig = { - Destination = "10.0.1.0/24"; + Destination = "10.0.0.0/23"; Gateway = "172.31.77.1"; };} { routeConfig = { From 90ca326b590a6039bcc73a55c56ec2b3d52b6f6a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:02:32 +0200 Subject: [PATCH 043/125] l consul: remove raft_multiplier --- lass/2configs/consul.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/lass/2configs/consul.nix b/lass/2configs/consul.nix index b8d925de5..67467364e 100644 --- a/lass/2configs/consul.nix +++ b/lass/2configs/consul.nix @@ -17,9 +17,6 @@ # try to fix random lock loss on leader reelection retry_interval = "3s"; - performance = { - raft_multiplier = 8; - }; }; }; From eb00c6b977986dffbf2063a624a654438a5d354e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:04:27 +0200 Subject: [PATCH 044/125] l exim-smarthost: fix ssl for mail.lassul.us --- lass/2configs/exim-smarthost.nix | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index cb9abd43a..2a3a6b1e5 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix 
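Review bot: `environment.variables.BROWSER = "${pkgs.firefox}/bin/firefox";` on the context line still points at `pkgs.firefox` while the installed package becomes `pkgs.firefox-devedition`, so `$BROWSER` launches a different build than the one on `$PATH` and both closures are pulled into the system. Change it to `environment.variables.BROWSER = "${pkgs.firefox-devedition}/bin/firefox";` (confirm the binary name that package ships) so the two stay in step.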
@@ -14,18 +14,22 @@ in { dkim = [ { domain = "lassul.us"; } ]; + ssl_cert = "/var/lib/acme/mail.lassul.us/fullchain.pem"; + ssl_key = "/var/lib/acme/mail.lassul.us/key.pem"; primary_hostname = "lassul.us"; sender_domains = [ "lassul.us" ]; relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [ + config.krebs.hosts.aergia config.krebs.hosts.blue config.krebs.hosts.coaxmetal config.krebs.hosts.green config.krebs.hosts.mors config.krebs.hosts.xerxes ]; - internet-aliases = map (from: { inherit from to; }) mails; + internet-aliases = map (from: { inherit from to; }) mails ++ [ + ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } { from = "postmaster"; to = "root"; } @@ -45,4 +49,14 @@ in { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } ]; + + security.acme.certs."mail.lassul.us" = { + group = "lasscert"; + webroot = "/var/lib/acme/acme-challenge"; + }; + users.groups.lasscert.members = [ + "dovecot2" + "exim" + "nginx" + ]; } From 42080b5a394d923f9098da1fdcb353e788dcf122 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:04:51 +0200 Subject: [PATCH 045/125] l fysiirc: update code --- lass/2configs/fysiirc.nix | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/lass/2configs/fysiirc.nix b/lass/2configs/fysiirc.nix index 809298df4..b2912d894 100644 --- a/lass/2configs/fysiirc.nix +++ b/lass/2configs/fysiirc.nix 
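Review bot: `internet-aliases = map (from: { inherit from to; }) mails ++ [ ];` appends an empty list — Nix applies `map` before `++`, so this is a no-op that only reads like a placeholder; either drop the `++ [ ]` or put the intended extra aliases in. The new `ssl_cert`/`ssl_key` paths under `/var/lib/acme/mail.lassul.us/` are readable by exim only through the `lasscert` group membership added in the second hunk, so the two hunks must land together; a `# key readable via the lasscert group, see security.acme.certs below` comment next to `ssl_key` would make that dependency visible.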
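Review bot: `webroot = "/var/lib/acme/acme-challenge";` requires an HTTP vhost for `mail.lassul.us` that serves `/.well-known/acme-challenge/` from that directory, and nothing in this file sets one up; nginx being in the `lasscert` group suggests it exists elsewhere, but a comment such as `# HTTP-01 challenge is served by the nginx vhost in <FILE>` would save the next reader the search. Sharing one group between `dovecot2`, `exim` and `nginx` lets all three read the private key; that is the usual NixOS pattern and acceptable as long as each of them really terminates TLS for this name — confirm dovecot does.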
@@ -1,13 +1,13 @@ { config, lib, pkgs, ... }: let format-github-message = pkgs.writeDashBin "format-github-message" '' - set -xefu + set -efu export PATH=${lib.makeBinPath [ pkgs.jq ]} INPUT=$(jq -c .) - if $(echo "$INPUT" | jq 'has("issue") or has("pull_request")'); then - ${write_to_irc} "$(echo "$INPUT" | jq -r ' + if $(printf '%s' "$INPUT" | jq 'has("issue") or has("pull_request")'); then + ${write_to_irc} "$(printf '%s' "$INPUT" | jq -r ' "\(.action): " + "[\(.issue.title // .pull_request.title)] " + "\(.comment.html_url // .issue.html_url // .pull_request.html_url) " @@ -57,16 +57,7 @@ in { case "$Method $Request_URI" in "POST /") payload=$(head -c "$req_content_length") - raw=$(printf '%s' "$payload" | ${pkgs.curl}/bin/curl --data-binary @- http://p.krebsco.de | tail -1) - payload2=$payload - payload2=$(printf '%s' "$payload" | tr '\n' ' ' | tr -d '\r') - if [ "$payload" != "$payload2" ]; then - echo "payload has been mangled" >&2 - else - echo "payload not mangled" >&2 - fi - echo "$payload2" | ${format-github-message}/bin/format-github-message - ${write_to_irc} "$raw" + printf '%s' "$payload" | ${format-github-message}/bin/format-github-message printf 'HTTP/1.1 200 OK\r\n' printf 'Connection: close\r\n' printf '\r\n' From f0ab828e1ab90826f24aa4b4b2ef02650f824139 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:05:08 +0200 Subject: [PATCH 046/125] l gc: disable on aergia --- lass/2configs/gc.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix index 224a6cbb9..d56e95368 100644 --- a/lass/2configs/gc.nix +++ b/lass/2configs/gc.nix @@ -3,7 +3,7 @@ with import ; { nix.gc = { - automatic = ! (elem config.krebs.build.host.name [ "mors" "xerxes" "coaxmetal" ] || config.boot.isContainer); + automatic = ! (elem config.krebs.build.host.name [ "aergia" "mors" "xerxes" "coaxmetal" ] || config.boot.isContainer); options = "--delete-older-than 15d"; }; } 
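Review bot: `if $(printf '%s' "$INPUT" | jq 'has("issue") or has("pull_request")'); then` executes jq's textual output as a shell command; it works only because `true`/`false` happen to be command names, and any other output (jq's error on malformed input) becomes a command lookup. `if [ "$(printf '%s' "$INPUT" | jq 'has("issue") or has("pull_request")')" = true ]; then` expresses the test directly. Dropping `-x` from `set -xefu` is a good change in its own right: the trace would otherwise echo the whole webhook payload into the journal.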
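Review bot: Nothing between `payload=$(head -c "$req_content_length")` and the pipe into `format-github-message` checks where the request came from, so any client able to reach this listener can have arbitrary text relayed to IRC; GitHub signs deliveries with the `X-Hub-Signature-256` header (HMAC-SHA256 of the body under the webhook secret), and comparing that against the received body before formatting is the standard defence. Removing the `curl ... http://p.krebsco.de` upload is an improvement on its own — it copied every payload to a public paste service. The enclosing request handler starts and ends outside the hunk.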
From de6d5adcc55240d7af7da5473e07efdda4f13368 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:05:22 +0200 Subject: [PATCH 047/125] l gg23: add static lease for printer --- lass/2configs/gg23.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix index b35b0cb85..bb38f1f90 100644 --- a/lass/2configs/gg23.nix +++ b/lass/2configs/gg23.nix @@ -39,6 +39,14 @@ with import ; # IPv6SendRA = "yes"; # DHCPPrefixDelegation = "yes"; }; + dhcpServerStaticLeases = [ + { + dhcpServerStaticLeaseConfig = { + Address = "10.42.0.4"; + MACAddress = "3c:2a:f4:22:28:37"; + }; + } + ]; }; networking.networkmanager.unmanaged = [ "int0" ]; krebs.iptables.tables.filter.INPUT.rules = [ From 2395c9c0261d043027798d53962c75ccc630da82 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:05:39 +0200 Subject: [PATCH 048/125] l git-brain: use not used krebs-secrets repo --- lass/2configs/git-brain.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lass/2configs/git-brain.nix b/lass/2configs/git-brain.nix index f4d1a27cd..d4ce263ef 100644 --- a/lass/2configs/git-brain.nix +++ b/lass/2configs/git-brain.nix @@ -7,7 +7,6 @@ let krebs-repos = mapAttrs make-krebs-repo { brain = { }; - krebs-secrets = { }; }; From 48e371a59786ba235f7421fcea71f91d9a7e1b32 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:06:05 +0200 Subject: [PATCH 049/125] l gsm-wiki: add c3gsm.de vhost --- lass/2configs/gsm-wiki.nix | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/lass/2configs/gsm-wiki.nix b/lass/2configs/gsm-wiki.nix index 69508a155..77b944ef8 100644 --- a/lass/2configs/gsm-wiki.nix +++ b/lass/2configs/gsm-wiki.nix @@ -12,6 +12,14 @@ ''; }; + services.nginx.virtualHosts."c3gsm.de" = { + forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + root /srv/http/c3gsm.de; + ''; + }; + users.users.c3gsm-docs = { isNormalUser = true; home = "/srv/http/docs.c3gsm.de"; 
@@ -23,4 +31,16 @@ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlW1fvCrVXhVH/z76fXBWYR/qyecYTE9VOOkFLJ6OwG user@osmocom-dev" ]; }; + + users.users.c3gsm = { + isNormalUser = true; + home = "/srv/http/c3gsm.de"; + createHome = true; + homeMode = "750"; + useDefaultShell = true; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlW1fvCrVXhVH/z76fXBWYR/qyecYTE9VOOkFLJ6OwG user@osmocom-dev" + ]; + }; } From be4121f52602efe241d66a67a985fd91bec393b5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:06:28 +0200 Subject: [PATCH 050/125] l hfos: try multi ips --- lass/2configs/hfos.nix | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix index 9dafe086c..05bea9a09 100644 --- a/lass/2configs/hfos.nix +++ b/lass/2configs/hfos.nix @@ -1,7 +1,8 @@ -{ config, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: let -with import ; -{ + vmip = "192.168.122.208"; + +in { users.users.riot = { uid = genid "riot"; isNormalUser = true; @@ -11,7 +12,7 @@ with import ; ]; }; - networking.interfaces.et0.ip4 = [ + networking.interfaces."eth0:0".ip4 = [ { address = "213.239.205.246"; prefixLength = 24; From 0b77e8722379e8b47b375b7621be923b2b6267ee Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:07:00 +0200 Subject: [PATCH 051/125] l home-media: add mpvd --- lass/2configs/home-media.nix | 78 +++++++++++++++++++++++++++++++++--- 1 file changed, 73 insertions(+), 5 deletions(-) diff --git a/lass/2configs/home-media.nix b/lass/2configs/home-media.nix index f3908e6be..1f7c3fcb5 100644 --- a/lass/2configs/home-media.nix +++ b/lass/2configs/home-media.nix 
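Review bot: The `ssh-ed25519 ... user@osmocom-dev` key added to `users.users.c3gsm` is byte-identical to the one `users.users.c3gsm-docs` already authorises on the context line above, so revoking or rotating it now takes two edits; hoist it into a `let osmocomDevKey = "ssh-ed25519 ..."; in` binding and reference it from both users. `group = "nginx"` with `homeMode = "750"` is what lets the first hunk's `root /srv/http/c3gsm.de;` read the files, so a one-line comment on the user (`# nginx reads this home via group membership`) would explain the non-default group.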
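Review bot: The hunk replaces the `with import ...;` line (its path was lost in extraction) with `let vmip = "192.168.122.208"; in`, but `uid = genid "riot";` on the very next context line still uses `genid`, which presumably came from that import; unless `genid` is now in scope some other way, evaluation fails — re-add the import or bind it explicitly, e.g. `inherit (import <LIB-PATH>) genid;` in the new `let`. `vmip` is introduced but not used in either visible hunk. The `"eth0:0"` key is ifconfig-style alias naming; NixOS configures addresses with `ip` on the device name, so additional addresses belong in the existing `eth0` interface's `ipv4.addresses` list (outside the hunk) rather than under a separate aliased name — confirm against that block.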
@@ -1,12 +1,34 @@ with import ; { pkgs, ... }: { + imports = [ + ./mpv.nix + ]; users.users.media = { isNormalUser = true; uid = genid_uint31 "media"; extraGroups = [ "video" "audio" "pipewire" ]; + packages = [ + (pkgs.writers.writeDashBin "mpv" '' + if test -e "$1"; then + mpv-ipc-cli loadfile "$(realpath "$1")" + else + mpv-ipc-cli loadfile "$1" + fi + '') + ]; }; + users.users.mainUser.packages = [ + (pkgs.writers.writeDashBin "mpv" '' + if test -e "$1"; then + mpv-ipc-cli loadfile "$(realpath "$1")" + else + mpv-ipc-cli loadfile "$1" + fi + '') + ]; + services.xserver.displayManager.autoLogin = { enable = true; user = "media"; @@ -17,12 +39,12 @@ with import ; load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;10.42.0.0/24 auth-anonymous=1 ''; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 4713"; target = "ACCEPT"; } # pulseaudio - ]; - environment.systemPackages = [ - (pkgs.writers.writeDashBin "snapmpv" '' + (pkgs.writers.writeDashBin "mpv-ipc-cli" '' + set -efux + ${pkgs.jq}/bin/jq -nc '{ "command": $ARGS.positional }' --args "$@" | ${pkgs.socat}/bin/socat - /tmp/mpv.ipc + '') + (pkgs.writers.writeDashBin "ipc-mpv" '' /run/current-system/sw/bin/mpv \ --audio-display=no --audio-channels=stereo \ --audio-samplerate=48000 --audio-format=s16 \ 
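Review bot: The `pkgs.writers.writeDashBin "mpv" ''...''` wrapper is duplicated verbatim for `users.users.media` and `users.users.mainUser`; bind it once (`let mpvIpcWrapper = pkgs.writers.writeDashBin "mpv" ''...''; in`) and list it in both `packages`. The wrapper deliberately shadows the real `mpv` for those users, which is why `ipc-mpv` in the next hunk calls `/run/current-system/sw/bin/mpv` by absolute path — a `# shadows mpv so plain "mpv FILE" goes to the running mpvd instance` comment would make that intent explicit.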
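Review bot: The hunk removes the `-p tcp --dport 4713` ACCEPT rule but keeps `load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;10.42.0.0/24 auth-anonymous=1` on the context line, so pulseaudio still listens for unauthenticated LAN clients that the firewall now presumably blocks (unless `int0` has a blanket accept elsewhere); either drop the module line too or add a comment explaining why the listener stays. `mpv-ipc-cli` runs with `set -efux`, so every invocation traces its full argument list — including any URL passed to `loadfile` — to stderr; drop `-x` once it works.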
@@ -30,5 +52,51 @@ with import ; --audio-delay=-1 \ "$@" '') + pkgs.mpvc + (pkgs.writers.writeDashBin "iptv" '' + curl -Ssf 'https://iptv-org.github.io/iptv/index.nsfw.m3u' | + sed 's/.*,//' | + sed -z 's/\nhttp/,http/g' | + fzf --bind='enter:execute(echo {} | cut -d ',' -f 2 | xargs -0 mpv-ipc-cli loadfile)' + '') ]; + + environment.variables.SOCKET = "/tmp/mpv.ipc"; + systemd.services.mpvd = { + wantedBy = [ "multi-user.target" ]; + environment.DISPLAY = ":0"; + serviceConfig = { + User = "media"; + RemainAfterExit = true; + Nice = "-10"; + ExecStart = ''${pkgs.tmux}/bin/tmux -2 new-session -d -s mpvd -- /run/current-system/sw/bin/ipc-mpv \ + --audio-display=no --audio-channels=stereo \ + --audio-samplerate=48000 --audio-format=s16 \ + --ao-pcm-file=/run/snapserver/snapfifo --ao=pcm \ + --audio-delay=-1 \ + --network-timeout=3 \ + --untimed --cache-pause=no \ + --idle=yes --force-window=yes \ + --loop-playlist=inf \ + --input-ipc-server=/tmp/mpv.ipc + ''; + ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t mpvd"; + ExecStartPre = [ + "+${pkgs.writers.writeDash "remove_socket" '' + set -efux + rm -f /tmp/mpv.ipc + ''}" + ]; + ExecStartPost = [ + "+${pkgs.writers.writeDash "fix_permissions" '' + set -efux + until test -e /tmp/mpv.ipc; do + sleep 1 + done + # sleep 2 + chmod 666 /tmp/mpv.ipc || : + ''}" + ]; + }; + }; } From 3ad34380669da711fb857a8dcc971d3abd5975a0 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:07:17 +0200 Subject: [PATCH 052/125] l matrix: add compression --- lass/2configs/matrix.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/matrix.nix b/lass/2configs/matrix.nix index 1d6a8663e..7c4b645f2 100644 --- a/lass/2configs/matrix.nix +++ b/lass/2configs/matrix.nix @@ -25,7 +25,7 @@ with import ; } { names = [ "federation" ]; - compress = false; + compress = true; } ]; } From 0b547853c4dac101c691da4e4e79e745a90ef0f2 Mon Sep 17 00:00:00 2001 
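Review bot: `chmod 666 /tmp/mpv.ipc` in `ExecStartPost` makes the mpv control socket writable by every local account, and mpv's IPC accepts the full input-command set, which includes commands that run external programs, so this effectively hands every local user the `media` user's privileges; only the `media` and `mainUser` accounts need the socket, so a shared group with `chmod 660` is the least-privilege form. The socket also lives in world-writable `/tmp` and is created right after `rm -f /tmp/mpv.ipc`, a window another user could fill by pre-creating the path; `RuntimeDirectory = "mpvd";` with `--input-ipc-server=/run/mpvd/mpv.ipc` (and `environment.variables.SOCKET` updated to match) removes both the race and the need for the `remove_socket` pre-step. The `# sleep 2` left in `fix_permissions` is debugging residue and should go.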
From: lassulus Date: Sun, 3 Sep 2023 12:07:42 +0200 Subject: [PATCH 053/125] l minecraft: use firewall syntax --- lass/2configs/minecraft.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lass/2configs/minecraft.nix b/lass/2configs/minecraft.nix index 34da3047e..285a4552c 100644 --- a/lass/2configs/minecraft.nix +++ b/lass/2configs/minecraft.nix @@ -8,8 +8,6 @@ in { eula = true; package = unstable.minecraft-server; }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; } - { predicate = "-p udp --dport 25565"; target = "ACCEPT"; } - ]; + networking.firewall.allowedTCPPorts = [ 25565 ]; + networking.firewall.allowedUDPPorts = [ 25565 ]; } From a0274f6bbd36c16fb51a2d6ae6824e8cf576a876 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:08:09 +0200 Subject: [PATCH 054/125] l muchsync: don't sync blue --- lass/2configs/muchsync.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lass/2configs/muchsync.nix b/lass/2configs/muchsync.nix index 392970dbd..b6d8c5dbc 100644 --- a/lass/2configs/muchsync.nix +++ b/lass/2configs/muchsync.nix @@ -7,7 +7,6 @@ with (import ); "coaxmetal.r" "mors.r" "green.r" - "blue.r" ]; in { description = "sync mails"; From 5ead5cf6dd5f504459fce09adcc4db820d960eaf Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:08:39 +0200 Subject: [PATCH 055/125] l: add murmur.nix --- lass/2configs/murmur.nix | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 lass/2configs/murmur.nix diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix new file mode 100644 index 000000000..3129fef50 --- /dev/null +++ b/lass/2configs/murmur.nix 
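Review bot: `networking.firewall.allowedTCPPorts`/`allowedUDPPorts` only take effect if the NixOS firewall is what programs this host's tables; the rest of this series (murmur.nix, home-media.nix, radio) still uses `krebs.iptables.tables.filter.INPUT.rules`, and if krebs.iptables owns the ruleset on this host the new options are inert and 25565 stays closed. Confirm which backend the host uses, or keep the krebs.iptables form for consistency with the other configs.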
@@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: +{ + services.murmur = { + enable = true; + allowHtml = false; + bandwidth = 10000000; + registerName = "lassul.us"; + autobanTime = 30; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} + { predicate = "-p udp --dport 64738"; target = "ACCEPT";} + ]; + + systemd.services.docker-mumble-web.serviceConfig = { + StandardOutput = lib.mkForce "journal"; + StandardError = lib.mkForce "journal"; + }; + virtualisation.oci-containers.containers.mumble-web = { + image = "rankenstein/mumble-web:0.5"; + environment = { + MUMBLE_SERVER = "lassul.us:64738"; + }; + ports = [ + "64739:8080" + ]; + }; + + services.nginx.virtualHosts."mumble.lassul.us" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:64739"; + proxyWebsockets = true; + }; + }; +} From 89328a48aaa7ccdd411786c60831d43d9feba2ad Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:09:18 +0200 Subject: [PATCH 056/125] l orange: add bindmount for /var/lib --- lass/2configs/orange-host.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lass/2configs/orange-host.nix b/lass/2configs/orange-host.nix index e4bfcff89..6d82d8cc9 100644 --- a/lass/2configs/orange-host.nix +++ b/lass/2configs/orange-host.nix @@ -3,6 +3,10 @@ krebs.sync-containers3.containers.orange = { sshKey = "${toString }/orange.sync.key"; }; + containers.orange.bindMounts."/var/lib" = { + hostPath = "/var/lib/sync-containers3/orange/state"; + isReadOnly = false; + }; services.nginx.virtualHosts."lassul.us" = { # enableACME = config.security; # forceSSL = true; From c1b812509e476a445fcf3dc6e56bff2d0eed2d9c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:09:34 +0200 Subject: [PATCH 057/125] l pass: create pass symlink with tmpfilesd --- lass/2configs/pass.nix | 3 +++ 1 file changed, 3 insertions(+) 
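Review bot: `ports = [ "64739:8080" ];` publishes the mumble-web container on all interfaces, and with the Docker backend (the `docker-mumble-web` unit name indicates it) published ports are handled in Docker's own chains ahead of the host's INPUT filtering, so the plain-HTTP web client is commonly reachable directly on :64739 regardless of the `krebs.iptables` rules above, bypassing the TLS vhost `mumble.lassul.us`; bind it to loopback with `"127.0.0.1:64739:8080"` — the `proxyPass = "http://localhost:64739"` needs nothing else. `image = "rankenstein/mumble-web:0.5"` is a mutable tag; pinning by digest (`rankenstein/mumble-web@sha256:<DIGEST>`) makes the pulled image reproducible. `allowHtml = false;` and `autobanTime = 30;` deviate from upstream defaults and deserve a one-line comment each on why.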
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix index 8ec3ac092..a52fe4afc 100644 --- a/lass/2configs/pass.nix +++ b/lass/2configs/pass.nix @@ -14,5 +14,8 @@ ]; programs.gnupg.agent.enable = true; + systemd.tmpfiles.rules = [ + "L+ /home/lass/.password-store - - - - sync/pwstore" + ]; } From fd5615dd2234b2e63850d8f509499a718fe53b2b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:09:51 +0200 Subject: [PATCH 058/125] l paste: try to fix CORS --- lass/2configs/paste.nix | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix index 87768a452..86f0dba15 100644 --- a/lass/2configs/paste.nix +++ b/lass/2configs/paste.nix @@ -10,8 +10,8 @@ with import ; proxy_pass http://127.0.0.1:${toString config.krebs.htgen.cyberlocker.port}; ''; extraConfig = '' - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header Access-Control-Allow-Origin * always; + add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS'; ''; }; services.nginx.virtualHosts.paste = { @@ -48,8 +48,8 @@ with import ; proxy_pass http://127.0.0.1:${toString config.krebs.htgen.cyberlocker.port}; ''; extraConfig = '' - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header Access-Control-Allow-Origin * always; + add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always; ''; }; services.nginx.virtualHosts."p.krebsco.de" = { @@ -57,6 +57,10 @@ with import ; addSSL = true; serverAliases = [ "p.krebsco.de" ]; locations."/".extraConfig = '' + if ($request_method = 'OPTIONS') { + return 204; + } + client_max_body_size 4G; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:${toString config.krebs.htgen.paste.port}; 
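Review bot: `"L+ /home/lass/.password-store - - - - sync/pwstore"` uses the `+` modifier, which tells systemd-tmpfiles to remove an existing file or directory at that path (recursively) before creating the symlink; on a host where a real `.password-store` directory already exists, its contents are deleted at activation. Use plain `L` to create the link only when nothing is there, or add `# L+ on purpose: replaces any local store with the synced one` if the replacement is intended. The relative target `sync/pwstore` resolves against `/home/lass`, which is fine as long as the link itself never moves.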
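Review bot: The first hunk's new `add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';` lacks the `always` flag that the hunks at `@@ -48` and `@@ -75` add, so on non-2xx responses this vhost emits `Allow-Origin` but not `Allow-Methods`; add `always` there too for the same behaviour everywhere. `if ($request_method = 'OPTIONS') { return 204; }` in the `@@ -57` hunk answers preflights before the proxy, but nginx only inherits server-level `add_header` directives into a location that declares none of its own — verify with a preflight against `p.krebsco.de` that the CORS headers actually appear on the 204. `Access-Control-Allow-Origin *` is the contract of a public paste service; browsers never attach cookies or HTTP auth under a wildcard origin, so the `Allow-Headers Authorization` added at `@@ -75` only affects tokens a calling script sets itself.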
@@ -75,8 +79,9 @@ with import ; proxy_pass_header Server; ''; extraConfig = '' - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; + add_header Access-Control-Allow-Headers Authorization always; + add_header Access-Control-Allow-Origin * always; + add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always; ''; }; From 07f4e3fa8d71a9c2260634e2c49320f13d9d7511 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:10:08 +0200 Subject: [PATCH 059/125] l print: disable avahi --- lass/2configs/print.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/lass/2configs/print.nix b/lass/2configs/print.nix index 5769f9b15..f493b19cc 100644 --- a/lass/2configs/print.nix +++ b/lass/2configs/print.nix @@ -16,9 +16,4 @@ BrowseProtocols all ''; }; - services.avahi = { - enable = true; - openFirewall = true; - nssmdns = true; - }; } From 8c074037a1ed6705d6cecb5c5dd1910a2d739c5b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:10:37 +0200 Subject: [PATCH 060/125] l realwallpaper: make public readable --- lass/2configs/realwallpaper.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix index d81642da1..0260b91c0 100644 --- a/lass/2configs/realwallpaper.nix +++ b/lass/2configs/realwallpaper.nix @@ -10,7 +10,7 @@ in { krebs.realwallpaper.enable = true; system.activationScripts.wallpaper-chmod = '' - ${pkgs.coreutils}/bin/chmod +x /var/realwallpaper + ${pkgs.coreutils}/bin/chmod +rx /var/realwallpaper ''; services.nginx.virtualHosts.wallpaper = { extraConfig = '' @@ -21,9 +21,9 @@ in { serverAliases = [ "wallpaper.r" ]; - locations."/realwallpaper/".extraConfig = '' - index on; - root /var/realwallpaper"; + locations."/".extraConfig = '' + autoindex on; + root /var/realwallpaper/; ''; locations."/realwallpaper.png".extraConfig = '' root /var/realwallpaper/; 
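Review bot: `system.activationScripts.wallpaper-chmod` runs `chmod +rx /var/realwallpaper` as root on every switch, an imperative fix for a directory mode that the same series expresses declaratively elsewhere (`systemd.tmpfiles.rules` in pass.nix, bitlbee.nix, telegraf); `"z /var/realwallpaper 0755 - - -"` in `systemd.tmpfiles.rules` adjusts the mode of the existing directory and replaces the activation script. `autoindex on` at `locations."/"` publishes a listing of everything under `/var/realwallpaper/`, not only the PNGs; if the realwallpaper job keeps intermediates or downloaded source data there they become public too — confirm that matches the "make public readable" intent. The stray `"` in the removed `root /var/realwallpaper";` was a syntax error, so the hunk also fixes a broken location.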
From 2d87daa73fb71a94989e8f5c03af04c59c21679c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:10:58 +0200 Subject: [PATCH 061/125] l red-host: don't import container-networking --- lass/2configs/red-host.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/lass/2configs/red-host.nix b/lass/2configs/red-host.nix index 171191dac..ac7e529a3 100644 --- a/lass/2configs/red-host.nix +++ b/lass/2configs/red-host.nix @@ -3,10 +3,6 @@ let ctr.name = "red"; in { - imports = [ - - ]; - krebs.sync-containers3.containers.red = { sshKey = "${toString }/containers/red/sync.key"; From 2c38c86d18e440bf5361b638795a704b3530448c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:11:54 +0200 Subject: [PATCH 062/125] l retiolum: handle connection loss better --- lass/2configs/retiolum.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index 746bc069d..c2828f6db 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -22,7 +22,6 @@ ]; extraConfig = '' AutoConnect = no - StrictSubnets = yes ${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) '' LocalDiscovery = no ''} @@ -36,6 +35,14 @@ "${config.krebs.build.host.nets.retiolum.ip4.addr}/16" "${config.krebs.build.host.nets.retiolum.ip6.addr}/16" ]; + linkConfig = { + MTUBytes = "1377"; + RequiredForOnline = "no"; + }; + networkConfig = { + IgnoreCarrierLoss = "10s"; + LinkLocalAddressing = "no"; + }; }; nixpkgs.config.packageOverrides = pkgs: { From 3e9f8a0cf037043a2a65769b03507383cc08dedc Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:12:13 +0200 Subject: [PATCH 063/125] l riot: add some preparation for move --- lass/2configs/riot.nix | 34 +++++++++++++++++++++++++++++----- 1 file changed, 29 insertions(+), 5 deletions(-) diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix index 6aacec5b6..6348cb882 100644 --- a/lass/2configs/riot.nix 
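Review bot: Dropping `StrictSubnets = yes` changes a security property rather than connection handling: with it set, tinc only honours `Subnet` statements present in the local hosts files, and without it any connected peer can announce additional subnets that this node will then route to; nothing in the subject ("handle connection loss better") or the remaining additions (`IgnoreCarrierLoss`, `MTUBytes`, `LinkLocalAddressing`) depends on that removal. If it is intentional, add a comment saying why; otherwise keep the line. The networkd `linkConfig`/`networkConfig` additions themselves look appropriate for a tunnel interface.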
+++ b/lass/2configs/riot.nix @@ -1,9 +1,12 @@ -{ config, lib, pkgs, ... }: -{ +{ config, lib, pkgs, ... }: let + domains = [ + "hackerfleet.eu" + "hackerfleet.de" + ]; +in { containers.riot = { config = { environment.systemPackages = [ - pkgs.dhcpcd pkgs.git pkgs.jq ]; @@ -19,8 +22,11 @@ wantedBy = [ "multi-user.target" ]; serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' set -efu - if test -e /var/src/nixos-config; then - /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : + if test -e /etc/nixos/configuration.nix; then + /run/current-system/sw/bin/nixos-rebuild switch \ + -I nixpkgs=channel:$(cat /etc/nixos/channel) \ + -I nixos-config=/etc/nixos/configuration.nix \ + || : fi ''; unitConfig.X-StopOnRemoval = false; @@ -32,6 +38,7 @@ hostAddress = "10.233.1.1"; localAddress = "10.233.1.2"; }; + systemd.services."container@riot".restartIfChanged = lib.mkForce false; systemd.network.networks."50-ve-riot" = { matchConfig.Name = "ve-riot"; @@ -60,4 +67,21 @@ { predicate = "-i ve-riot"; target = "ACCEPT"; } { predicate = "-o ve-riot"; target = "ACCEPT"; } ]; + + + # non container stuff + + services.nginx.virtualHosts.riot = { + serverName = null; + serverAliases = domains; + }; + + krebs.exim-smarthost.extraRouters = '' + forward_riot: + driver = manualroute + domains = ${lib.concatStringsSep ":" domains} + transport = remote_smtp + route_list = * riot + no_more + ''; } From bb29da920769395db909ee3e1fa373a3e122a98e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:12:23 +0200 Subject: [PATCH 064/125] l snapclient: use hostname as id --- lass/2configs/snapclient.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/snapclient.nix b/lass/2configs/snapclient.nix index 8015680e9..c20abdc3a 100644 --- a/lass/2configs/snapclient.nix +++ b/lass/2configs/snapclient.nix 
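Review bot: In the autoswitch script, `-I nixpkgs=channel:$(cat /etc/nixos/channel)` is unquoted under `set -efu`, so a missing or multi-word channel file splits into extra arguments instead of failing cleanly, and the trailing `|| :` then hides whatever `nixos-rebuild` did with them; quote it as `-I "nixpkgs=channel:$(cat /etc/nixos/channel)"` and guard `test -e /etc/nixos/channel` alongside the existing `test -e /etc/nixos/configuration.nix`. Since the channel file is read inside the container, whoever can write it picks the nixpkgs that root evaluates; fine for a self-managed container, worth a comment. The exim router's `route_list = * riot` sends mail for `hackerfleet.eu`/`hackerfleet.de` to a host literally named `riot`, which works only if that name resolves to the container's `10.233.1.2` (hosts file or DNS) — the hunk does not show where, so a `# "riot" resolves via <SOURCE>` comment would help.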
@@ -3,7 +3,7 @@ systemd.services.snapclient = { wantedBy = [ "multi-user.target" ]; path = [ pkgs.snapcast ]; - script = "snapclient -h 10.42.0.1"; + script = "snapclient -h 10.42.0.1 --hostID ${config.networking.hostName}"; serviceConfig = { DynamicUser = true; Group = "pipewire"; From 63fc24339c838c8596ee535590a4c756bc5573ce Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:12:33 +0200 Subject: [PATCH 065/125] l snapserver: add radio stream --- lass/2configs/snapserver.nix | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/lass/2configs/snapserver.nix b/lass/2configs/snapserver.nix index 3c6dbf750..60aa97077 100644 --- a/lass/2configs/snapserver.nix +++ b/lass/2configs/snapserver.nix @@ -2,12 +2,29 @@ { services.snapserver = { enable = true; - openFirewall = true; - streams = { - pipewire = { + # openFirewall = true; + streams = { + radio = { + type = "process"; + location = pkgs.writers.writeDash "radio" '' + exec ${pkgs.mpv}/bin/mpv http://radio.lassul.us/radio.ogg \ + --no-terminal \ + --audio-display=no \ + --audio-channels=stereo \ + --audio-samplerate=48000 \ + --audio-format=s16 \ + --ao=pcm \ + --ao-pcm-file=/dev/stdout + ''; + }; + styx = { type = "pipe"; location = "/run/snapserver/snapfifo"; }; }; + http.enable = true; }; + + networking.firewall.interfaces.int0.allowedTCPPorts = [ 1704 1705 1780 ]; + networking.firewall.interfaces.retiolum.allowedTCPPorts = [ 1780 ]; } From cd681943f4e3cbc30b2bff1fa96bd3c1b76bb5fc Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:12:50 +0200 Subject: [PATCH 066/125] l steam: don't import games.nix --- lass/2configs/steam.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix index d814a2499..4f0df8ee3 100644 --- a/lass/2configs/steam.nix +++ b/lass/2configs/steam.nix 
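Review bot: `http.enable = true;` together with the new `allowedTCPPorts = [ 1780 ]` on both `int0` and `retiolum` exposes snapserver's HTTP/JSON-RPC control interface, which to my knowledge carries no authentication, to every host on those networks; if only the LAN web UI is needed, drop 1780 from the `retiolum` list, and a `# 1780: snapweb/JSON-RPC, 1704/1705: stream+control for clients` comment would document the split. Renaming the `pipewire` stream to `styx` changes the stream id clients and controllers see, so any configuration still using the old name needs updating (none is visible here). Replacing `openFirewall = true` with per-interface rules is a tightening and looks right.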
@@ -1,10 +1,6 @@ { config, pkgs, ... }: { - - imports = [ - ./games.nix - ]; # # Steam stuff # source: https://nixos.org/wiki/Talk:Steam From 1c3e6a720a0bd6133788c75a8bd368197f31ba26 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:13:08 +0200 Subject: [PATCH 067/125] l: remove deprecated telegraf.nix --- lass/2configs/telegraf.nix | 67 -------------------------------------- 1 file changed, 67 deletions(-) delete mode 100644 lass/2configs/telegraf.nix diff --git a/lass/2configs/telegraf.nix b/lass/2configs/telegraf.nix deleted file mode 100644 index 4f46cd721..000000000 --- a/lass/2configs/telegraf.nix +++ /dev/null 
@@ -1,67 +0,0 @@ -{ config, lib, pkgs, ... }: -let - isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules; -in { - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 9273"; target = "ACCEPT"; } - ]; - - systemd.services.telegraf.path = [ pkgs.nvme-cli ]; - - services.telegraf = { - enable = true; - extraConfig = { - agent.interval = "60s"; - inputs = { - prometheus.metric_version = 2; - kernel_vmstat = { }; - # smart = lib.mkIf (!isVM) { - # path = pkgs.writeShellScript "smartctl" '' - # exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" - # ''; - # }; - system = { }; - mem = { }; - file = [{ - data_format = "influx"; - file_tag = "name"; - files = [ "/var/log/telegraf/*" ]; - }] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { - name_override = "ext4_errors"; - files = [ "/sys/fs/ext4/*/errors_count" ]; - data_format = "value"; - }; - exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) { - ## Commands array - commands = [ - (pkgs.writeScript "zpool-health" '' - #!${pkgs.gawk}/bin/awk -f - BEGIN { - while ("${pkgs.zfs}/bin/zpool status" | getline) { - if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 } - if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } - if ($1 ~ /errors:/) { - if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 - } - } - } - '') - ]; - data_format = "influx"; - }; - systemd_units = { }; - swap = { }; - disk.tagdrop = { - fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ]; - device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ]; - }; - diskio = { }; - }; - outputs.prometheus_client = { - listen = ":9273"; - metric_version = 2; - }; - }; - }; -} From 270c5618590d7b3d65c0b95cf443281e3d658202 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sun, 3 Sep 2023 12:13:25 +0200 Subject: [PATCH 068/125] l tor-ssh: enable sockets --- lass/2configs/tor-ssh.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lass/2configs/tor-ssh.nix b/lass/2configs/tor-ssh.nix index 8b36733e2..c727aa015 100644 --- a/lass/2configs/tor-ssh.nix +++ b/lass/2configs/tor-ssh.nix @@ -9,6 +9,8 @@ }]; secretKey = ; }; + controlSocket.enable = true; + client.enable = true; }; } From 349819d601220489ff2931dc129d457a9f64b7f5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:14:09 +0200 Subject: [PATCH 069/125] l weechat: remove nixos_dev, add some channels --- lass/2configs/weechat.nix | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix index 10ca013f8..3dfaebc04 100644 --- a/lass/2configs/weechat.nix +++ b/lass/2configs/weechat.nix @@ -17,10 +17,12 @@ autojoin = [ "#c3-gsm" "#panthermoderns" + "#feldoffice" "#36c3" "#cccac" "#nixos" "#krebs" + "#krebstel" "#c-base" "#afra" "#tvl" @@ -95,12 +97,6 @@ password = "\${sec.data.matrix_lassulus}"; device_name = config.networking.hostName; }; - matrix.server.nixos_dev = { - address = "matrix.nixos.dev"; - username = "@lassulus:nixos.dev"; - device_name = config.networking.hostName; - sso_helper_listening_port = 55123; - }; plugins.var.python.go.short_name = true; plugins.var.python.go.short_name_server = true; plugins.var.python.go.fuzzy_search = true; @@ -114,8 +110,6 @@ logger.file.mask = "$plugin.$name/%Y-%m-%d.weechatlog"; logger.file.path = "/var/state/weechat_logs"; logger.look.backlog = 1000; - weechat.notify.python.matrix.nixos_dev."!YLoVsCxScyQODoqIbb:hackint.org" = "none"; #c-base - weechat.notify.python.matrix.nixos_dev."!bohcSYPVoePqBDWlvE:hackint.org" = "none"; #krebs weechat.notify.irc.news."#all" = "highlight"; # setting logger levels for channels is currently not possible declarativly 
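Review bot: `controlSocket.enable = true;` exposes Tor's control interface as a Unix socket whose access is decided by the group and mode the NixOS module assigns, not by this file; the control interface can reconfigure the daemon, so confirm the socket is not reachable by ordinary local users — the onion service whose `secretKey` is set just above is the asset at stake. `client.enable = true;` additionally starts the SOCKS proxy; a comment such as `# control socket for <TOOL>, SOCKS client for <USE>` would document why a host that previously only served an onion service now runs a client.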
@@ -184,7 +178,6 @@ libera_sasl = "9500B5AC3B29F9CAA273F1B89DC99550E038AF95C4B47442B1FB4CB9F0D6B86B26015988AD39E642CA9C4A78DED7F42D1F409B268C93E778" r_sasl = "CB6FB1421ED5A9094CD2C05462DB1FA87C4A675628ABD9AEC9928A1A6F3F96C07D9F26472331BAF80B7B73270680EB1BBEFD" c3-gsm = "C49DD845900CFDFA93EEBCE4F1ABF4A963EF6082B7DA6410FA701CC77A04BB6C201FCB864988C4F2B97ED7D44D5A28F162" - matrix.server.nixos_dev.access_token = "C40FE41B9B7B73553D51D8FCBD53871E940FE7FCCAB543E7F4720A924B8E1D58E2B1E1F460F5476C954A223F78CCB956337F6529159C0ECD7CB0384C13CB7170FF1270A577B1C4FF744D20FCF5C708259896F8D9" bitlbee = "814ECAC59D9CF6E8340B566563E5D7E92AB92209B49C1EDE4CAAC32DD0DF1EC511D97C75E840C45D69BB9E3D03E79C" matrix_lassulus = "0CA5C0F70A9F893881370F4A665B4CC40FBB1A41E53BC94916CD92B029103528611EC0B390116BE60FA79AE10F486E96E17B0824BE2DE1C97D87B88F5407330DAD70C044147533C36B09B7030CAD97" ''); From d08fc3f507177da3f904390977a084406a37339d Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:14:18 +0200 Subject: [PATCH 070/125] l wine: use minimal --- lass/2configs/wine.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix index 5476624c9..5f906cd2b 100644 --- a/lass/2configs/wine.nix +++ b/lass/2configs/wine.nix @@ -14,7 +14,7 @@ in { ]; createHome = true; packages = [ - pkgs.wineWowPackages.stable + pkgs.winePackages.minimal ]; isNormalUser = true; }; From 8b89fed120c8076310f15ebcf4573097d9b608fd Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:14:41 +0200 Subject: [PATCH 071/125] wiregrill: handle networkd carrier loss --- lass/2configs/wiregrill.nix | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix index a27e99ee2..81175c59e 100644 --- a/lass/2configs/wiregrill.nix +++ b/lass/2configs/wiregrill.nix 
@@ -29,17 +29,21 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { (optional (!isNull self.ip4) "${self.ip4.addr}/16") ++ (optional (!isNull self.ip6) "${self.ip6.addr}/48") ; + networkConfig = { + IgnoreCarrierLoss = "10s"; + }; }; networking.wireguard.interfaces.wiregrill = { ips = - (optional (!isNull self.ip4) self.ip4.addr) ++ - (optional (!isNull self.ip6) self.ip6.addr); + (optional (!isNull self.ip4 && !config.systemd.network.enable) self.ip4.addr) ++ + (optional (!isNull self.ip6 && !config.systemd.network.enable) self.ip6.addr); listenPort = 51820; privateKeyFile = (toString ) + "/wiregrill.key"; allowedIPsAsRoutes = true; peers = mapAttrsToList - (_: host: { + (name: host: { + # inherit name; allowedIPs = if isRouter then (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++ (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr) From 6c82f97ae7bcfa26d91503c9975ab394cf30ace8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:15:14 +0200 Subject: [PATCH 072/125] l xmonad: add some small fixes --- lass/2configs/xmonad.nix | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/lass/2configs/xmonad.nix b/lass/2configs/xmonad.nix index e2d9cff5d..749e7cd18 100644 --- a/lass/2configs/xmonad.nix +++ b/lass/2configs/xmonad.nix @@ -24,6 +24,7 @@ import System.IO (hPutStrLn, stderr) import System.Posix.Process (executeFile) import Data.Ratio +import XMonad.Actions.Commands (defaultCommands, runCommand) import XMonad.Actions.CopyWindow (copy, copyToAll, kill1) import XMonad.Actions.CycleWS (toggleWS) import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace) 
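Review bot: The new `ips` expression repeats `!config.systemd.network.enable` inside both `optional` calls, and `# inherit name;` is commented-out code left behind; the same thing reads more clearly as `ips = optionals (!config.systemd.network.enable) ((optional (!isNull self.ip4) self.ip4.addr) ++ (optional (!isNull self.ip6) self.ip6.addr));` with the dead comment dropped (or `inherit name;` actually used if the peer name is wanted). A short comment above `ips` explaining that networkd owns the addresses when it is enabled would make the condition self-explanatory. The peers attribute set continues outside the hunk.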
@@ -42,18 +43,18 @@ import XMonad.Layout.BoringWindows (boringWindows, focusDown, focusUp) import XMonad.Layout.FixedColumn (FixedColumn(..)) import XMonad.Layout.Grid (Grid(..)) import XMonad.Layout.Minimize (minimize) -import XMonad.Layout.NoBorders (smartBorders) +import XMonad.Layout.NoBorders (smartBorders, noBorders) import XMonad.Layout.MouseResizableTile (mouseResizableTile) import XMonad.Layout.SimplestFloat (simplestFloat) import XMonad.Layout.StateFull import XMonad.ManageHook (composeAll) -import XMonad.Prompt (autoComplete, font, searchPredicate, XPConfig) +import XMonad.Prompt (autoComplete, font, height, searchPredicate, XPConfig) import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy) import XMonad.Util.EZConfig (additionalKeysP) import XMonad.Util.NamedWindows (getName) import XMonad.Util.Run (safeSpawn) import XMonad.Util.Ungrab (unGrab) -import XMonad.Util.Paste (pasteSelection) +import XMonad.Util.Paste (sendKey) data LibNotifyUrgencyHook = LibNotifyUrgencyHook deriving (Read, Show) @@ -77,7 +78,7 @@ main = do $ def { terminal = myTerm , modMask = mod4Mask - , layoutHook = smartBorders $ myLayoutHook + , layoutHook = myLayoutHook , manageHook = floatHooks , startupHook = whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK")) @@ -89,7 +90,18 @@ main = do myLayoutHook = defLayout where - defLayout = minimize . boringWindows $ ((avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| StateFull ||| FixedColumn 2 80 80 1 ||| Tall 1 (3/100) (1/2) ||| simplestFloat ||| mouseResizableTile ||| Grid) + defLayout = smartBorders $ + minimize . + boringWindows $ + ( + noBorders StateFull ||| + (avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| + FixedColumn 2 80 80 1 ||| + Tall 1 (3/100) (1/2) ||| + simplestFloat ||| + mouseResizableTile ||| + Grid + ) floatHooks = composeAll [ className =? "Pinentry" --> doCenterFloat 
@@ -137,8 +149,10 @@ myKeyMap = , ("M4-f", floatNext True) , ("M4-b", spawn "/run/current-system/sw/bin/klem") - , ("M4-v", spawn "${pkgs.pager}/bin/pager view") + , ("M4-c", defaultCommands >>= runCommand) + -- , ("M4-v", spawn "${pkgs.pager}/bin/pager view") -- , ("M4-S-v", spawn "${pkgs.pager}/bin/pager shift") + , ("M4-v", withWorkspace autoXPConfig (windows . W.greedyView)) , ("M4-S-v", withWorkspace autoXPConfig (windows . W.shift)) , ("M4-C-v", withWorkspace autoXPConfig (windows . copy)) @@ -159,7 +173,7 @@ myKeyMap = ${pkgs.clipmenu}/bin/clipmenu ''}") - , ("M4-", spawn "${pkgs.writeDash "paste" '' + , ("M4-", spawn "${pkgs.writers.writeDash "paste" '' ${pkgs.coreutils}/bin/sleep 0.4 ${pkgs.xclip}/bin/xclip -o | ${pkgs.xdotool}/bin/xdotool type -f - ''}") @@ -182,7 +196,6 @@ myKeyMap = ${lib.optionalString (builtins.hasAttr "warpd" pkgs) '', ("M4-s", spawn "${pkgs.warpd}/bin/warpd --hint")''} , ("M4-i", spawn "/run/current-system/sw/bin/screenshot") - , ("S-", pasteSelection) --, ("M4-w", screenWorkspace 0 >>= (windows . W.greedyView)) --, ("M4-e", screenWorkspace 1 >>= (windows . W.greedyView)) @@ -196,6 +209,7 @@ forkFile path args env = myXPConfig :: XPConfig myXPConfig = def { font = myFont + , height = 40 } autoXPConfig :: XPConfig From faf786cb9cb5e0b5eb8c35e1055c854315a11f44 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:15:37 +0200 Subject: [PATCH 073/125] l yubikey: use upstream --- lass/2configs/yubikey.nix | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix index bf6a587af..5ac310199 100644 --- a/lass/2configs/yubikey.nix +++ b/lass/2configs/yubikey.nix 
@@ -48,19 +48,6 @@ }); ''; - environment.shellInit = '' - if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then - export GPG_TTY="$(tty)" - mkdir -p $HOME/.gnupg - gpg-connect-agent --quiet updatestartuptty /bye > /dev/null - export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" - if [ -z "$SSH_AUTH_SOCK" ]; then - export SSH_AUTH_SOCK=$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket) - fi - - fi - ''; - # allow nix to acces remote builders via yubikey systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/run/user/1337/gnupg/S.gpg-agent.ssh"; @@ -69,7 +56,7 @@ gnupg.agent = { enable = true; pinentryFlavor = "qt"; - # enableSSHSupport = true; + enableSSHSupport = true; }; }; } From fd141bd4f3a2183bfda9529fb7e5c3b05b1e9012 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:16:13 +0200 Subject: [PATCH 074/125] l nichtparasoup: fix start command --- lass/3modules/nichtparasoup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/3modules/nichtparasoup.nix b/lass/3modules/nichtparasoup.nix index c18c942d1..a28c2a159 100644 --- a/lass/3modules/nichtparasoup.nix +++ b/lass/3modules/nichtparasoup.nix @@ -154,7 +154,7 @@ with import ; restartIfChanged = true; serviceConfig = { Restart = "always"; - ExecStart = "${pkgs.nichtparasoup}/bin/nichtparasoup -c ${pkgs.writeText "config.ini"config.lass.nichtparasoup.config}"; + ExecStart = "${pkgs.nichtparasoup}/bin/nichtparasoup -c ${pkgs.writeText "config.ini" config.lass.nichtparasoup.config}"; }; }; }; From 62630ff3def88d169159f9228f07e39d8969f486 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:16:34 +0200 Subject: [PATCH 075/125] l deploy: add debug --- lass/5pkgs/deploy/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/5pkgs/deploy/default.nix b/lass/5pkgs/deploy/default.nix index c07cf20d1..a3fe4dca3 100644 --- a/lass/5pkgs/deploy/default.nix +++ b/lass/5pkgs/deploy/default.nix 
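Review bot: The removed `shellInit` only wired gpg-agent's SSH socket when `SSH_CONNECTION` was unset, so a forwarded agent in an SSH login kept working; `programs.gnupg.agent.enableSSHSupport` sets `SSH_AUTH_SOCK` from the upstream shell init instead, and whether it defers to an already-set value depends on the NixOS release in use — worth confirming before relying on agent forwarding into these hosts. The `nix-daemon` override on the context line still hard-codes `/run/user/1337/gnupg/S.gpg-agent.ssh`, which is the one place the upstream option does not manage; a comment such as `# nix-daemon has no login session, so point it at lass' (uid 1337) gpg-agent socket explicitly` would explain why that line survives the cleanup.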
@@ -1,6 +1,6 @@ { writers }: writers.writeDashBin "deploy" '' - set -eu + set -xeu export SYSTEM="$1" $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) '' From c15ec193d6a4210d15576340fc4f4d769c297f0c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:33:03 +0200 Subject: [PATCH 076/125] l: update default config --- lass/2configs/default.nix | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 72dbfc480..6d4230c68 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -40,6 +40,7 @@ with import ; "video" "fuse" "wheel" + "tor" ]; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey @@ -74,6 +75,7 @@ with import ; krebs = { enable = true; build.user = config.krebs.users.lass; + ssl.trustIntermediate = true; }; nix.useSandbox = true; @@ -93,12 +95,15 @@ with import ; #stockholm deploy git + git-absorb git-preview gnumake jq + nix-output-monitor #style rxvt-unicode-unwrapped.terminfo + alacritty.terminfo #monitoring tools htop @@ -109,6 +114,7 @@ with import ; iftop tcpdump mosh + eternal-terminal sshify #stuff for dl @@ -226,13 +232,18 @@ with import ; noipv4ll ''; + networking.extraHosts = '' + 10.42.0.1 styx.gg23 + ''; + + nix.extraOptions = '' + experimental-features = nix-command flakes + ''; # use 24:00 time format, the default got sneakily changed around 20.03 i18n.defaultLocale = mkDefault "C.UTF-8"; time.timeZone = mkDefault"Europe/Berlin"; - system.stateVersion = mkDefault "20.03"; - # disable doc usually documentation.nixos.enable = mkDefault false; } From f0af62110fdab7f9eb4d65a58ad0d2cd4eaaaa67 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:33:23 +0200 Subject: [PATCH 077/125] l vim: update --- lass/2configs/vim.nix | 45 +++++++++++++++++++------------------------ 1 file changed, 20 insertions(+), 25 deletions(-) 
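Review bot: Adding the interactive user to the `tor` group is what, together with `controlSocket.enable = true` from the tor-ssh commit earlier in this series, gives that user's shell full control of the tor daemon — the NixOS control socket is, as far as I recall, group-accessible to `tor`, which allows SETCONF and onion-service management rather than read-only status. Record the consumer next to the entry, `"tor" # control-socket access for <tool>`, so the membership can be dropped when that tool is gone.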
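Review bot: `krebs.ssl.trustIntermediate = true` is set in the shared defaults for every lass host while the option's effect is not visible here; if it adds an intermediate CA to the system trust store, every TLS client on every host will accept certificates chaining to it. Scope it to the hosts that actually talk to services behind that CA, or leave a comment naming the CA and the services that need it, e.g. `ssl.trustIntermediate = true; # <which CA, which services require it>`.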
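Review bot: Removing `system.stateVersion = mkDefault "20.03"` from the shared defaults means any host that does not set it in its own config falls back to the running release's value, and NixOS derives stateful defaults (database formats, service data layouts) from it, so a later rebuild can silently change them. Unless every `1systems/*/config.nix` sets its own value, keep the default here. The new `networking.extraHosts` entry pins `styx.gg23` to `10.42.0.1` fleet-wide; a comment saying which network that address belongs to would help the next reader.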
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix index 210133f48..efe6a739c 100644 --- a/lass/2configs/vim.nix +++ b/lass/2configs/vim.nix @@ -1,15 +1,15 @@ { config, lib, pkgs, ... }: -with import ; let out = { environment.systemPackages = [ - (hiPrio vim) + (lib.hiPrio vim) ]; environment.etc.vimrc.source = vimrc; + environment.etc.vim.source = vim; - environment.variables.EDITOR = mkForce "vim"; + environment.variables.EDITOR = lib.mkForce "vim"; environment.variables.VIMINIT = ":so /etc/vimrc"; }; @@ -43,6 +43,9 @@ let set wildmenu set wildmode=longest,full + " enable better-whitespace + let g:better_whitespace_enabled=1 + set title set titleold= set titlestring=(vim)\ %t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername} @@ -122,10 +125,12 @@ let let g:fzf_layout = { 'down': '~15%' } ''; - extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [ + extra-runtimepath = lib.concatMapStringsSep "," (pkg: "${pkg.rtp}") [ + pkgs.vimPlugins.copilot-vim pkgs.vimPlugins.undotree pkgs.vimPlugins.fzf-vim pkgs.vimPlugins.fzfWrapper + pkgs.vimPlugins.vim-better-whitespace (pkgs.vimUtils.buildVimPlugin { name = "file-line-1.0"; src = pkgs.fetchFromGitHub { @@ -144,19 +149,6 @@ let sha256 = "sha256-lyTZUgqUEEJRrzGo1FD8/t8KBioPrtB3MmGvPeEVI/g="; }; }) - ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let - name = "vim"; - in { - name = "vim-syntax-${name}-1.0.0"; - destination = "/syntax/${name}.vim"; - text = /* vim */ '' - ${concatMapStringsSep "\n" (s: /* vim */ '' - syn keyword vimColor${s} ${s} - \ containedin=ALLBUT,vimComment,vimLineComment - hi vimColor${s} ctermfg=${s} - '') (map (i: lpad 3 "0" (toString i)) (range 0 255))} - ''; - }))) ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let name = "showsyntax"; in { 
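Review bot: Adding `pkgs.vimPlugins.copilot-vim` to the runtimepath sends the contents of edited buffers to GitHub's completion service, and this editor config is deployed to hosts whose working tree carries the krops `secrets` source alongside stockholm; opening a secret file with the plugin active is an exfiltration path. Disable it for those paths in the vimrc, e.g. `autocmd BufReadPre,BufNewFile */secrets/* let b:copilot_enabled = v:false`, or make the plugin opt-in. A one-line comment next to the plugin entry noting that it talks to a remote service would also help anyone copying this list.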
@@ -193,16 +185,19 @@ let }; mkdirs = let - dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s)); + dirOf = s: let out = lib.concatStringsSep "/" (lib.init (lib.splitString "/" s)); in assert out != ""; out; - alldirs = attrValues dirs ++ map dirOf (attrValues files); - in unique (sort lessThan alldirs); + alldirs = lib.attrValues dirs ++ map dirOf (lib.attrValues files); + in lib.unique (lib.sort lib.lessThan alldirs); vim = pkgs.symlinkJoin { name = "vim"; paths = [ - (pkgs.writeDashBin "vim" '' + (pkgs.writers.writeDashBin "vim" '' set -efu + export PATH=$PATH:${lib.makeBinPath [ + pkgs.nodejs + ]} (umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs}) exec ${pkgs.vim}/bin/vim "$@" '') @@ -267,18 +262,18 @@ let syn cluster nix_ind_strings contains=NixIND_STRING syn cluster nix_strings contains=NixSTRING - ${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let - startAlts = filter isString [ + ${lib.concatStringsSep "\n" (lib.mapAttrsToList (lang: { extraStart ? null }: let + startAlts = lib.filter lib.isString [ ''/\* ${lang} \*/'' extraStart ]; - sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*''; + sigil = ''\(${lib.concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*''; in /* vim */ '' syn include @nix_${lang}_syntax syntax/${lang}.vim unlet b:current_syntax syn match nix_${lang}_sigil - \ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X + \ X${lib.replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING \ transparent From 93289a9d3197c7e0d30d0cda96ab6e9f59dd1f36 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:34:33 +0200 Subject: [PATCH 078/125] l q: utillinux -> util-linux --- lass/5pkgs/q/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lass/5pkgs/q/default.nix b/lass/5pkgs/q/default.nix index ae8a80266..9b834f0c4 100644 --- a/lass/5pkgs/q/default.nix +++ b/lass/5pkgs/q/default.nix 
@@ -21,18 +21,18 @@ let }''; in '' ${pkgs.coreutils}/bin/paste \ - <(${pkgs.utillinux}/bin/cal -mw \ + <(${pkgs.util-linux}/bin/cal -mw \ $(${pkgs.coreutils}/bin/date +'%m %Y' -d 'last month') \ | ${pad} ) \ - <(${pkgs.utillinux}/bin/cal -mw \ + <(${pkgs.util-linux}/bin/cal -mw \ | ${pkgs.gnused}/bin/sed ' # colorize day of month s/\(^\| \)'"$(${pkgs.coreutils}/bin/date +%e)"'\>/&/ ' \ | ${pad} ) \ - <(${pkgs.utillinux}/bin/cal -mw \ + <(${pkgs.util-linux}/bin/cal -mw \ $(${pkgs.coreutils}/bin/date +'%m %Y' -d 'next month') \ | ${pad} ) \ From 2c0e580ba1c1cd28a135639bd8e17df14399db5c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:34:55 +0200 Subject: [PATCH 079/125] l super-vnc: init --- lass/5pkgs/super-vnc/default.nix | 38 ++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 lass/5pkgs/super-vnc/default.nix diff --git a/lass/5pkgs/super-vnc/default.nix b/lass/5pkgs/super-vnc/default.nix new file mode 100644 index 000000000..ce0e3aaa7 --- /dev/null +++ b/lass/5pkgs/super-vnc/default.nix 
@@ -0,0 +1,38 @@ +{ pkgs, lib }: let + + quoteChar = c: + if c == "\n" then "'\n'" + else c; + quote = x: if x == "" then "''" else lib.stringAsChars quoteChar x; + +in pkgs.writers.writeDashBin "super-vnc" '' + PATH=${lib.makeBinPath (with pkgs; [ + xorg.xrandr gnugrep coreutils xorg.xorgserver gnused openssh gawk tightvnc + ])} + remote=$1 + res_x=$(xrandr --current | grep '*' | uniq | awk '{print $1}' | cut -d 'x' -f1) + res_y=$(xrandr --current | grep '*' | uniq | awk '{print $1}' | cut -d 'x' -f2) + export modeline="$(gtf "$res_x" "$res_y" 60 | sed -n 's/.*Modeline "\([^" ]\+\)" \(.*\)/\1 \2/p')" + export name="$(echo "$modeline" | sed 's/\([^ ]\+\) .*/\1/')" + export vncline="''${res_x}x''${res_y}+0+0" + + if [ -z "$modeline" -o -z "$name" ]; then + echo "Error! modeline=$modeline name=$name" + exit 1 + fi + + echo $modeline + + # TODO user random highport + ssh "$remote" -L 5900:localhost:55900 bash < Date: Sun, 3 Sep 2023 12:35:59 +0200 Subject: [PATCH 080/125] l krops: add more functions & params --- lass/krops.nix | 53 ++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 51 insertions(+), 2 deletions(-) diff --git a/lass/krops.nix b/lass/krops.nix index a7dcaf5bf..407df3bc6 100644 --- a/lass/krops.nix +++ b/lass/krops.nix @@ -54,7 +54,7 @@ in { - deploy = { target ? "root@${name}/var/src", offline ? false }: pkgs.krops.writeCommand "deploy" { + deploy = { target ? "root@${name}/var/src", offline ? false, command ? "switch" }: pkgs.krops.writeCommand "deploy" { command = targetPath: '' set -xfu 
@@ -73,10 +73,21 @@ in { nix-env -p /nix/var/nix/profiles/system --set "$outDir/out" - "$outDir/out/bin/switch-to-configuration" switch + "$outDir/out/bin/switch-to-configuration" ${command} ''; source = source { test = false; }; allocateTTY = true; + backup = false; + inherit target; + }; + + deployWithFlake = { target ? "root@${name}/var/src", offline ? false }: pkgs.krops.writeCommand "deploy" { + source = { + inherit (source { test = false; }) stockholm secrets; + }; + command = targetPath: '' + ''; + allocateTTY = true; inherit target; }; @@ -93,4 +104,42 @@ in { inherit target; source = source { test = true; }; }; + + deploy-with-diff = { target ? "root@${name}/var/src" }: pkgs.krops.writeCommand "${name}-deploy" { + command = targetPath: '' + set -xu + deployScript=$(mktemp) + cat << EOF > "$deployScript" + #! /usr/bin/env nix-shell + #! nix-shell -p nix-diff proot rsync -i bash + set -xfu + + oldPath=\$(echo "${targetPath}" | sed 's/-new$//') + oldSystemDrv=\$(nix show-derivation /run/current-system | jq -r 'keys[0]') + newSystemDrv=\$(proot -b /var/src-new:/var/src nix-instantiate -I /var/src '' -A config.system.build.toplevel) + + ( + diff -rq -x '.git' "\$oldPath" "${targetPath}" + nix-diff --color always --line-oriented "\$oldSystemDrv" "\$newSystemDrv" + ) | less -R + echo 'continue? [(Y)es]/(n)o' + read yn + case \$yn in + [Nn]* ) exit;; + esac + rsync -ra --delete /var/src-new/ /var/src/ + nixos-rebuild -I /var/src switch + EOF + + chmod +x "$deployScript" + echo "$deployScript" + cat "$deployScript" + exec "$deployScript" + rm "$deployScript" + ''; + target = "${target}-new"; + source = source { test = false; }; + force = true; + allocateTTY = true; + }; } From bbe4e5652118609aefb8833440b61224f6d8e0b1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:36:54 +0200 Subject: [PATCH 081/125] nix-serve-ng: 1.0.0 -> 1.0.1 --- krebs/5pkgs/haskell/nix-serve-ng.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
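Review bot: `deployWithFlake` is introduced with an empty `command = targetPath: '' '';`, so invoking it syncs the sources to the target and then reports success without switching anything; until it is implemented make it fail loudly, `command = targetPath: ''echo "deployWithFlake: not implemented" >&2; exit 1'';`. In the same hunk `${command}` is spliced into the shell script unquoted — `"$outDir/out/bin/switch-to-configuration" ${pkgs.lib.escapeShellArg command}` keeps a value such as `"test --foo"` from splitting into two words. `backup = false` on `deploy` is new as well; if krops' backup is the copy of the previous `/var/src` used for rollback (I believe it is), the reason for dropping it deserves a comment.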
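Review bot: In `deploy-with-diff` the generated script is started with `exec "$deployScript"`, so the following `rm "$deployScript"` never runs and the mktemp'd script is left in the target's /tmp after every deploy. Add `trap 'rm -f "$deployScript"' EXIT` right after `mktemp` and call `"$deployScript"` without `exec`. The heredoc script runs with `set -xu` but not `-e`: if `rsync -ra --delete /var/src-new/ /var/src/` fails halfway, `nixos-rebuild -I /var/src switch` still runs against a partially synced tree — chain them as `rsync -ra --delete /var/src-new/ /var/src/ && nixos-rebuild -I /var/src switch`. The `read yn` prompt treats an empty answer (and EOF) as yes, which is fine on a TTY but means a non-interactive run deploys unconditionally.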
diff --git a/krebs/5pkgs/haskell/nix-serve-ng.nix b/krebs/5pkgs/haskell/nix-serve-ng.nix index 8866b205b..62e02ce82 100644 --- a/krebs/5pkgs/haskell/nix-serve-ng.nix +++ b/krebs/5pkgs/haskell/nix-serve-ng.nix @@ -6,11 +6,11 @@ }: mkDerivation { pname = "nix-serve-ng"; - version = "1.0.0"; + version = "1.0.1"; src = fetchgit { url = "https://github.com/aristanetworks/nix-serve-ng"; - sha256 = "0mqp67z5mi8rsjahdh395n7ppf0b65k8rd3pvnl281g02rbr69y2"; - rev = "433f70f4daae156b84853f5aaa11987aa5ce7277"; + sha256 = "sha256-PkzwtjUgYuqfWtCH1nRqVRaajihN1SqMVjWmoSG/CCY="; + rev = "9b546864f4090736f3f9069a01ea5d42cf7bab7c"; fetchSubmodules = true; }; isLibrary = false; From 654c596efd4f57687583532dc1531868d314a644 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 12:37:42 +0200 Subject: [PATCH 082/125] ovh-zone: remove broken d2to1 --- krebs/5pkgs/simple/ovh-zone/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/krebs/5pkgs/simple/ovh-zone/default.nix b/krebs/5pkgs/simple/ovh-zone/default.nix index 051a14e8d..bc0e45cb9 100644 --- a/krebs/5pkgs/simple/ovh-zone/default.nix +++ b/krebs/5pkgs/simple/ovh-zone/default.nix @@ -9,7 +9,6 @@ python3Packages.buildPythonPackage rec { name = "ovh-zone-${version}"; version = "0.4.4"; propagatedBuildInputs = with pkgs.python3Packages;[ - d2to1 # for setup to work ovh docopt ]; From c4eb2afdb6e2ca28bf68f558d8cbef71a6f512f7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 09:33:16 +0200 Subject: [PATCH 083/125] l aergia.r: remove broken bank package --- lass/1systems/aergia/config.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix index 618938ce8..3e0ae23f7 100644 --- a/lass/1systems/aergia/config.nix +++ b/lass/1systems/aergia/config.nix @@ -112,7 +112,6 @@ environment.systemPackages = with pkgs; [ brain - bank l-gen-secrets generate-secrets nixpkgs-review From 9682c93e85ca8b80ba3db2f7a19e5d1662fad0d7 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Mon, 4 Sep 2023 10:14:10 +0200 Subject: [PATCH 084/125] l green.r: disable muchsync --- lass/1systems/green/config.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index c232be9bd..81b8b909b 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -15,7 +15,6 @@ with import ; - From 21f62c5352b3c291bbcb61bcc0a9bdfefa502696 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:14:48 +0200 Subject: [PATCH 085/125] l prism.r: use new telegraf.nix location --- lass/1systems/prism/config.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 0e58b62b8..40c721e18 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -9,7 +9,7 @@ with import ; - + { services.nginx.enable = true; imports = [ From 78569fbc7e35fab8a3601dca30424b17d46e7e9b Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:15:23 +0200 Subject: [PATCH 086/125] l prism.r: remove jeschli user --- lass/1systems/prism/config.nix | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 40c721e18..5502dd04c 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
@@ -159,40 +159,6 @@ with import ; ''; }; } - { - users.users.jeschli = { - uid = genid_uint31 "jeschli"; - isNormalUser = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - jeschli.pubkey - jeschli-bln.pubkey - jeschli-bolide.pubkey - jeschli-brauerei.pubkey - ]; - }; - krebs.git.rules = [ - { - user = with config.krebs.users; [ - jeschli - jeschli-bln - jeschli-bolide - jeschli-brauerei - ]; - repo = [ config.krebs.git.repos.xmonad-stockholm ]; - perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ]; - } - { - user = with config.krebs.users; [ - jeschli - jeschli-bln - jeschli-bolide - jeschli-brauerei - ]; - repo = [ config.krebs.git.repos.stockholm ]; - perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ]; - } - ]; - } { krebs.repo-sync.repos.stockholm.timerConfig = { OnBootSec = "5min"; From d9c8a90feaf41d74a383c0d6a146aca4c92d4f47 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:15:36 +0200 Subject: [PATCH 087/125] l prism.r: remove taskserver --- lass/1systems/prism/config.nix | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 5502dd04c..aaabd655d 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -169,18 +169,6 @@ with import ; - { - services.taskserver = { - enable = true; - fqdn = "lassul.us"; - listenHost = "::"; - listenPort = 53589; - organisations.lass.users = [ "lass" "android" ]; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } - ]; - } { environment.systemPackages = [ pkgs.cryptsetup ]; From 7757553259fdc426b2a450a0af439e69d290e564 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:15:45 +0200 Subject: [PATCH 088/125] l prism.r: disable searx --- lass/1systems/prism/config.nix | 1 - 1 file changed, 1 deletion(-) 
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index aaabd655d..909eedc92 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -168,7 +168,6 @@ with import ; } - { environment.systemPackages = [ pkgs.cryptsetup ]; From 759c63246af4af49e4cdeee329d065879f92ef2d Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:16:04 +0200 Subject: [PATCH 089/125] l prism.r: remove hotdog --- lass/1systems/prism/config.nix | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 909eedc92..46e35de4f 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -80,24 +80,6 @@ with import ; openssh.authorizedKeys.keys = [ "ssh-rsa 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" ]; }; } - { - #hotdog - systemd.services."container@hotdog".reloadIfChanged = mkForce false; - containers.hotdog = { - config = { ... }: { - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.1"; - localAddress = "10.233.2.2"; - }; - } { services.nginx.virtualHosts."radio.lassul.us" = { enableACME = true; From 9e2adb53bf35e958eddbb369cba1adb3eda92bc6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:16:38 +0200 Subject: [PATCH 090/125] l prism.r: remove red --- lass/1systems/prism/config.nix | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 46e35de4f..797e4e3ed 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
@@ -151,28 +151,6 @@ with import ; - { - environment.systemPackages = [ pkgs.cryptsetup ]; - systemd.services."container@red".reloadIfChanged = mkForce false; - containers.red = { - config = { ... }: { - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.3"; - localAddress = "10.233.2.4"; - }; - } - { - users.users.download.openssh.authorizedKeys.keys = [ - ]; - } { lass.nichtparasoup.enable = true; services.nginx = { From c05b4517786b63516a18b834af895af39f7e6918 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:16:58 +0200 Subject: [PATCH 091/125] l prism.r: increase wiregrill network size --- lass/1systems/prism/config.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 797e4e3ed..03c673caa 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -169,7 +169,7 @@ with import ; ]; krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [ - { v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; predicate = "-s 10.244.0.0/16"; target = "ACCEPT"; } { v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; } ]; krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ @@ -178,7 +178,7 @@ with import ; ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; } - { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } + { v6 = false; predicate = "-s 10.244.0.0/16 ! -d 10.244.0.0/16"; target = "MASQUERADE"; } ]; services.dnsmasq = { enable = true; From 0e34328a449486325882a95d9b08f66eec7105a2 Mon Sep 17 00:00:00 2001 
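Review bot: Widening the NAT rules from `10.244.1.0/24` to `10.244.0.0/16` enlarges the source range that is ACCEPTed in PREROUTING and MASQUERADEd on the way out, and neither rule is bound to an ingress interface, so the match rests on a spoofable source address alone. Unless the FORWARD rules (the `mkBefore` list is cut off here) pin the input interface, a packet arriving on retiolum or the public interface with a 10.244.x source would be masqueraded too; binding the match to the interface, `{ v6 = false; predicate = "-i wiregrill -s 10.244.0.0/16"; target = "ACCEPT"; }`, plus a matching `-i wiregrill` FORWARD rule removes that dependency. Kernel rp_filter may already drop such packets, but the config does not guarantee it.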
From: lassulus Date: Mon, 4 Sep 2023 10:17:29 +0200 Subject: [PATCH 092/125] l prism.r: listen dnsmasq on all internal interfaces --- lass/1systems/prism/config.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 03c673caa..db53ae22d 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -185,9 +185,9 @@ with import ; resolveLocalQueries = false; extraConfig= '' - listen-address=42:1:ce16::1,10.244.1.103 - except-interface=lo + bind-interfaces interface=wiregrill + interface=retiolum ''; }; } From 6700eb015e8581386c5452c854da1f68a6f372a4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:17:57 +0200 Subject: [PATCH 093/125] l prism.r: disable yellow --- lass/1systems/prism/config.nix | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index db53ae22d..26eb17a71 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -199,21 +199,6 @@ with import ; { - systemd.services."container@yellow".reloadIfChanged = mkForce false; - containers.yellow = { - config = { ... }: { - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.13"; - localAddress = "10.233.2.14"; - }; services.nginx.virtualHosts."jelly.r" = { locations."/".extraConfig = '' From 53b6ca655127488e4a160d4f570bc839728b515f Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:18:42 +0200 Subject: [PATCH 094/125] l prism.r: disable jelly.r and flix.r --- lass/1systems/prism/config.nix | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 26eb17a71..4cc72d2f0 100644 
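Review bot: Dropping `except-interface=lo` while switching to `interface=` lines changes more than the commit title says: dnsmasq automatically adds the loopback interface whenever `--interface` is used, so after this change the resolver also listens on 127.0.0.1:53 and ::1. With `resolveLocalQueries = false` on the context line that looks unintended and can collide with any local stub resolver on the host. Keep the exclusion next to the new lines: `except-interface=lo`. Whether port 53 is additionally gated per interface in krebs.iptables is not visible in this hunk.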
--- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -200,17 +200,6 @@ with import ; { - services.nginx.virtualHosts."jelly.r" = { - locations."/".extraConfig = '' - proxy_pass http://10.233.2.14:8096/; - proxy_set_header Accept-Encoding ""; - ''; - }; - services.nginx.virtualHosts."flix.r" = { - locations."/".extraConfig = '' - proxy_pass http://10.233.2.14:80/; - proxy_set_header Accept-Encoding ""; - ''; }; services.nginx.virtualHosts."lassul.us" = { locations."^~ /flix/".extraConfig = '' From dcb9216d5c5e916378cca66aa09960a108d7b05e Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:19:12 +0200 Subject: [PATCH 095/125] l prism.r: proxy flix to yellow.r --- lass/1systems/prism/config.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 4cc72d2f0..0753b69b5 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -200,6 +200,14 @@ with import ; { + services.nginx.virtualHosts."flix.lassul.us" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://yellow.r:8096"; + proxyWebsockets = true; + recommendedProxySettings = true; + }; }; services.nginx.virtualHosts."lassul.us" = { locations."^~ /flix/".extraConfig = '' @@ -210,7 +218,7 @@ with import ; auth_basic_user_file ${pkgs.writeText "flix-user-pass" '' krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0 ''}; - proxy_pass http://10.233.2.14:80/; + proxy_pass http://yellow.r:80/; proxy_set_header Accept-Encoding ""; sub_filter "https://lassul.us/" "https://lassul.us/flix/"; sub_filter_once off; From 472e71f1d67e9df8ba5248bcf0854dc475fdb95b Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:19:43 +0200 Subject: [PATCH 096/125] l prism.r: allow samba from wiregrill --- lass/1systems/prism/config.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
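Review bot: The new `flix.lassul.us` vhost publishes the `yellow.r:8096` backend on a public HTTPS name with no nginx-side access control, while the existing `lassul.us` `/flix/` location on the same host keeps `auth_basic` in front of the same backend; if the two are meant to be equivalent the gate was lost here, and if the new host deliberately relies on the application's own login, a comment such as `# no auth_basic: the backend enforces its own login` stops the next reader from re-adding it. Port 8096 suggests a Jellyfin instance, but the backend is not shown in this hunk. Both `proxyPass` targets now use the `yellow.r` name, so nginx start-up depends on that name resolving at config load, which the former literal `10.233.2.14` did not.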
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 0753b69b5..e93183c9e 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -292,7 +292,7 @@ with import ; netbios name = PRISM server string = ${config.networking.hostName} # only allow retiolum addresses - hosts allow = 42::/16 10.243.0.0/16 + hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 # Use sendfile() for performance gain use sendfile = true @@ -334,13 +334,13 @@ with import ; krebs.iptables.tables.filter.INPUT.rules = [ # smbd { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } From 591680e58f94e2fc6a65378c0baf190c2f2a5b68 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 10:24:39 +0200 Subject: [PATCH 097/125] l prism.r: remove mic92 & shannan users --- lass/1systems/prism/config.nix | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index e93183c9e..990dac091 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
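Review bot: The comment above `hosts allow` still reads `# only allow retiolum addresses` although the list gained `10.244.0.0/16`, which is the wiregrill range per the NAT rules elsewhere in this file; change it to `# only allow retiolum and wiregrill addresses`. It is also worth noting there that `hosts allow` matches on source address only, so the `-i retiolum` / `-i wiregrill` iptables rules further down remain the actual interface binding.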
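Review bot: The removed line `{ predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }` is not what the commit title describes — the change adds tcp/445 for wiregrill but also drops rpcbind over TCP on retiolum, while the matching udp/111 and the tcp/2049 rules remain. If that deletion is deliberate (no NFS clients on retiolum, or they fall back to UDP rpcbind), say so in the commit message; otherwise restore the line. The trailing context lines of this hunk appear cut off in this view.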
@@ -349,25 +349,6 @@ with import ; { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } ]; } - { - users.users.shannan = { - uid = genid_uint31 "shannan"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.shannan.pubkey - ]; - }; - } - { - nix.trustedUsers = [ "mic92" ]; - users.users.mic92 = { - uid = genid_uint31 "mic92"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.mic92.pubkey - ]; - }; - } ]; krebs.build.host = config.krebs.hosts.prism; From da3c1f05f595ac6919f26e994094d5513936a06e Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 4 Sep 2023 10:54:17 +0200 Subject: [PATCH 098/125] haskellPackages: pager -> desktop-pager Rename pager to desktop-pager to prevent a name clash with https://hackage.haskell.org/package/pager, causing hledger-lib to not build. --- krebs/5pkgs/haskell/{pager.nix => desktop-pager.nix} | 2 +- krebs/5pkgs/simple/pager.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename krebs/5pkgs/haskell/{pager.nix => desktop-pager.nix} (96%) diff --git a/krebs/5pkgs/haskell/pager.nix b/krebs/5pkgs/haskell/desktop-pager.nix similarity index 96% rename from krebs/5pkgs/haskell/pager.nix rename to krebs/5pkgs/haskell/desktop-pager.nix index 36709788c..1a4f94db3 100644 --- a/krebs/5pkgs/haskell/pager.nix +++ b/krebs/5pkgs/haskell/desktop-pager.nix @@ -4,7 +4,7 @@ , utf8-string, X11 }: mkDerivation { - pname = "pager"; + pname = "desktop-pager"; version = "1.0.0"; src = fetchgit { url = "https://cgit.krebsco.de/pager"; diff --git a/krebs/5pkgs/simple/pager.nix b/krebs/5pkgs/simple/pager.nix index 952b5ee1e..adc2cc67b 100644 --- a/krebs/5pkgs/simple/pager.nix +++ b/krebs/5pkgs/simple/pager.nix @@ -33,7 +33,7 @@ pkgs.symlinkJoin { -ti vt340 \ -xrm '*geometry: 32x10' \ -xrm '*internalBorder: 2' \ - -e ${pkgs.haskellPackages.pager}/bin/pager "$@" + -e ${pkgs.haskellPackages.desktop-pager}/bin/pager "$@" '') pkgs.haskellPackages.pager ]; 
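Review bot: The rename is incomplete in this hunk: the `-e` line now points at `pkgs.haskellPackages.desktop-pager`, but the `paths` entry two lines below still reads `pkgs.haskellPackages.pager`, which after this commit no longer refers to the krebs package (it resolves to the Hackage `pager` the commit message wants to avoid, or fails to evaluate). Change it to `pkgs.haskellPackages.desktop-pager` so both references agree. The surrounding `symlinkJoin` expression starts outside the hunk.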
From 6cfb2fa930b8da1d9e519b4223cd3ad53f0bdeef Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 11:01:45 +0200 Subject: [PATCH 099/125] Revert "l aergia.r: remove broken bank package" This reverts commit c4eb2afdb6e2ca28bf68f558d8cbef71a6f512f7. --- lass/1systems/aergia/config.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix index 3e0ae23f7..618938ce8 100644 --- a/lass/1systems/aergia/config.nix +++ b/lass/1systems/aergia/config.nix @@ -112,6 +112,7 @@ environment.systemPackages = with pkgs; [ brain + bank l-gen-secrets generate-secrets nixpkgs-review From 65829c6fb6c72a03194d444f52a2063b20459973 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 4 Sep 2023 12:02:52 +0200 Subject: [PATCH 100/125] tv xmonad: pager = desktop-pager --- tv/5pkgs/haskell/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tv/5pkgs/haskell/default.nix b/tv/5pkgs/haskell/default.nix index f05223d72..193a2630d 100644 --- a/tv/5pkgs/haskell/default.nix +++ b/tv/5pkgs/haskell/default.nix @@ -4,7 +4,11 @@ let mapNixDir (path: self.callPackage path {}) [ ./. - ]; + ] // { + xmonad-tv = self.callPackage ./xmonad-tv { + pager = self.desktop-pager; + }; + }; in self: super: { haskell = super.haskell // { From 73eb150756608ee0c04dbf69a177d9ac021f8f9f Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 12:28:53 +0200 Subject: [PATCH 101/125] l aergia.r: add docked1_hack atuorandr config due to broken usb-c out --- lass/1systems/aergia/config.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix index 618938ce8..9b7409bcc 100644 --- a/lass/1systems/aergia/config.nix +++ b/lass/1systems/aergia/config.nix 
@@ -101,6 +101,25 @@ }; }; }; + docked1_hack = { + fingerprint = { + eDP = config.services.autorandr.profiles.default.fingerprint.eDP; + HDMI-A-0 = "00ffffffffffff0010ac31d14c3346300f20010380462878ea26f5af4f46a5240f5054a54b00714f8140818081c081009500b300d1c0565e00a0a0a0295030203500b9882100001a000000ff00444342375847330a2020202020000000fc0044454c4c204733323233440a20000000fd0030901ee63c000a20202020202001db020346f14d030212110113042f141f05103f2309070783010000e200ea67030c001000383c67d85dc4017888006d1a0000020b3090e607622c622ce305c000e606050162622c40e7006aa0a0675008209804b9882100001a6fc200a0a0a05550302035001d4e3100001a000000000000000000000000000000000000000000fc"; + }; + config = { + HDMI-A-0 = { + enable = true; + primary = true; + position = "0x0"; + mode = "2560x1440"; + rate = "165.08"; + }; + eDP = config.services.autorandr.profiles.default.config.eDP // { + primary = false; + position = "640x1440"; + }; + }; + }; }; }; } From 754faee1a004573daaa0cc8e81019075b5986a94 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 12:29:59 +0200 Subject: [PATCH 102/125] l icarus.r: remove some services, add consul --- lass/1systems/icarus/config.nix | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index 2d2f23f95..e789b09da 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -17,20 +17,14 @@ with import ; - - # - + ]; krebs.build.host = config.krebs.hosts.icarus; - services.xserver.displayManager.lightdm.autoLogin = { - enable = true; - user = "media"; - }; environment.systemPackages = [ pkgs.chromium ]; } From 90436a4d49be93f08efcd26180e75850ffe09816 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 12:31:35 +0200 Subject: [PATCH 103/125] l mors.r: update imports --- lass/1systems/mors/config.nix | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) 
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 1b205f25c..cd389480c 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -33,13 +33,13 @@ with import ; - - - + # # + + { krebs.iptables.tables.filter.INPUT.rules = [ @@ -133,13 +133,17 @@ with import ; nixpkgs.config.android_sdk.accept_license = true; programs.adb.enable = true; - users.users.mainUser.extraGroups = [ "adbusers" "docker" ]; - virtualisation.docker.enable = true; - virtualisation.libvirtd.enable = true; services.earlyoom = { enable = true; freeMemThreshold = 5; }; + + + + nix.trustedUsers = [ "root" "lass" ]; + + services.nscd.enableNsncd = true; + } From ced758208aba91337d35831c69c47dbf7058f8df Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 12:32:33 +0200 Subject: [PATCH 104/125] l mors.r: add fast binfmt --- lass/1systems/mors/config.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index cd389480c..23f8a1184 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -141,6 +141,24 @@ with import ; }; + # It may leak your data, but look how FAST it is!1!! + # https://make-linux-fast-again.com/ + boot.kernelParams = [ + "noibrs" + "noibpb" + "nopti" + "nospectre_v2" + "nospectre_v1" + "l1tf=off" + "nospec_store_bypass_disable" + "no_stf_barrier" + "mds=off" + "mitigations=off" + ]; + + boot.binfmt.emulatedSystems = [ + "aarch64-linux" + ]; nix.trustedUsers = [ "root" "lass" ]; From 941203838900b2b46847022e1173af0a0e24828e Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 12:35:35 +0200 Subject: [PATCH 105/125] l prism.r: cleanup --- lass/1systems/prism/config.nix | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 990dac091..7234e7f22 100644 --- a/lass/1systems/prism/config.nix 
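Review bot: `nix.trustedUsers = [ "root" "lass" ];` in the second hunk of this commit grants `lass` trusted-user rights on the daemon, which lets that account add substituters and import unsigned store paths and is therefore effectively root-equivalent on a NixOS host; that is a reasonable choice for a personal workstation, but it deserves a comment saying so, e.g. `# trusted user == root-equivalent via the daemon; single-owner machine`. The option is also the deprecated spelling; the current one is `nix.settings.trusted-users = [ "root" "lass" ];`. The enclosing attrset starts outside the hunk.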
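Review bot: `"mitigations=off"` already disables every optional CPU vulnerability mitigation, so the nine individual flags before it in `boot.kernelParams` are redundant and will only drift as kernels add or rename flags; the list could be just `boot.kernelParams = [ "mitigations=off" ];`. The comment honestly states the trade-off, but it should also record the assumption that makes it acceptable, presumably that this host only runs the owner's own code, since the same hunk turns on `boot.binfmt.emulatedSystems` and builds of third-party code would then run unmitigated. Something like `# accepted risk: only the owner's code runs here; revisit before building untrusted inputs` next to the existing URL comment would do.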
+++ b/lass/1systems/prism/config.nix @@ -9,7 +9,9 @@ with import ; + + { services.nginx.enable = true; imports = [ @@ -114,11 +116,9 @@ with import ; - - @@ -139,13 +139,9 @@ with import ; "= /wallpaper.png".extraConfig = '' alias /var/realwallpaper/realwallpaper.png; ''; - }; - } - { - krebs.repo-sync.repos.stockholm.timerConfig = { - OnBootSec = "5min"; - OnUnitInactiveSec = "2min"; - RandomizedDelaySec = "2min"; + "= /wallpaper-stars-berlin.png".extraConfig = '' + alias /var/realwallpaper/realwallpaper-krebs-stars-berlin.png; + ''; }; } @@ -196,8 +192,8 @@ with import ; { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; } ]; } + - { services.nginx.virtualHosts."flix.lassul.us" = { @@ -243,7 +239,7 @@ with import ; users.groups.download = {}; users.users = { download = { - createHome = true; + createHome = false; group = "download"; name = "download"; home = "/var/download"; From 60b4a4c2253b9b7d4da42c39dec7fa5c7e4991d2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 12:36:02 +0200 Subject: [PATCH 106/125] l prism.r: add migration config --- lass/1systems/prism/config.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 7234e7f22..29244f8a3 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
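Review bot: `createHome = false;` for the `download` user keeps `home = "/var/download";` but nothing in this commit creates that directory, so unless it already exists on disk or is declared elsewhere (e.g. via `systemd.tmpfiles.rules`), anything that relies on the home being present will fail after the next deploy. A comment such as `# /var/download is created by the download service, not by useradd` at the changed line would make the dependency explicit. The enclosing `users.users` attrset starts outside the hunk.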
@@ -345,6 +345,25 @@ with import ; { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } ]; } + { # acme fallback for neoprism migration + services.nginx.virtualHosts."lassul.us".acmeFallbackHost = "orange.r"; + services.nginx.virtualHosts."radio.lassul.us".acmeFallbackHost = "neoprism.r"; + services.nginx.virtualHosts."flix.lassul.us".acmeFallbackHost = "neoprism.r"; + services.nginx.virtualHosts."jitsi.lassul.us".acmeFallbackHost = "neoprism.r"; + services.nginx.virtualHosts."cgit.lassul.us".acmeFallbackHost = "orange.r"; + services.nginx.virtualHosts."mail.lassul.us".acmeFallbackHost = "neoprism.r"; + services.nginx.virtualHosts."mumble.lassul.us".acmeFallbackHost = "neoprism.r"; + services.nginx.virtualHosts."mail.ubikmedia.eu" = { + enableACME = true; + forceSSL = true; + acmeFallbackHost = "ubik.r"; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "https://ubik.r"; + }; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; From 236856503c9507794c9042996f013d1848fde30f Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 12:36:48 +0200 Subject: [PATCH 107/125] l radio: restart watcher on failure --- lass/2configs/services/radio/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/services/radio/default.nix b/lass/2configs/services/radio/default.nix index 5a10b5578..8dfca6fc1 100644 --- a/lass/2configs/services/radio/default.nix +++ b/lass/2configs/services/radio/default.nix @@ -117,6 +117,7 @@ in { sleep 60 done ''; + Restart = "on-failure"; }; }; From de37ad95995c89054fb3a864ce4e56f2b2aa12df Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 13:44:51 +0200 Subject: [PATCH 108/125] realwallpaper get_constellations: make importable --- .../realwallpaper/get_constellations.py | 29 +++++++++++-------- lass/2configs/services/radio/news.nix | 3 +- 2 files changed, 19 insertions(+), 13 deletions(-) 
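Review bot: `proxyPass = "https://ubik.r";` on `mail.ubikmedia.eu` speaks TLS to the backend, but nginx does not verify upstream certificates by default, so the hop is encrypted yet unauthenticated unless `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate` and `proxy_ssl_name` is set in the location's `extraConfig`. If ubik.r presents a certificate from the internal CA this repository manages, add those directives; otherwise a comment should state that the hop is trusted at the overlay-network layer. Also, `lassul.us` and `cgit.lassul.us` fall back to `orange.r` while every other host here falls back to `neoprism.r`; that is plausibly intentional, but one extra clause in the `# acme fallback for neoprism migration` comment would keep it from being read as a typo. The enclosing list starts outside the hunk.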
diff --git a/krebs/5pkgs/simple/realwallpaper/get_constellations.py b/krebs/5pkgs/simple/realwallpaper/get_constellations.py index 5d8d3df5d..4ba766f6a 100644 --- a/krebs/5pkgs/simple/realwallpaper/get_constellations.py +++ b/krebs/5pkgs/simple/realwallpaper/get_constellations.py @@ -18,19 +18,24 @@ def points_to_lines(points): return lines -with open(sys.argv[1]) as f: - constellations = json.load(f)['features'] +def main(): + with open(sys.argv[1]) as f: + constellations = json.load(f)['features'] -output = [] + output = [] -for const in constellations: - for line in const['geometry']['coordinates']: - transformed_line = [] - for point in line: - transformed_line.append(convert_to_itrs(point)) + for const in constellations: + for line in const['geometry']['coordinates']: + transformed_line = [] + for point in line: + transformed_line.append(convert_to_itrs(point)) - line_combined = points_to_lines(transformed_line) - for l in line_combined: # noqa - output.append(f'{l[0][0]} {l[0][1]} {l[1][0]} {l[1][1]} # {const["id"]}') # noqa + line_combined = points_to_lines(transformed_line) + for l in line_combined: # noqa + output.append(f'{l[0][0]} {l[0][1]} {l[1][0]} {l[1][1]} # {const["id"]}') # noqa -print('\n'.join(output)) + print('\n'.join(output)) + + +if __name__ == "__main__": + main() diff --git a/lass/2configs/services/radio/news.nix b/lass/2configs/services/radio/news.nix index a9cddb62a..b17c2e629 100644 --- a/lass/2configs/services/radio/news.nix +++ b/lass/2configs/services/radio/news.nix @@ -10,7 +10,7 @@ let SPEAKER=$[ $RANDOM % 900 ] while read line; do echo "$line" | - ${pkgs.larynx}/bin/larynx \ + ${pkgs.piper-tts}/bin/piper \ --model ${pkgs.fetchzip { url = "https://github.com/rhasspy/piper/releases/download/v0.0.2/voice-en-us-libritts-high.tar.gz"; hash = "sha256-jCoK4p0O7BuF0nr6Sfj40tpivCvU5M3GHKQRg1tfIO8="; @@ -126,5 +126,6 @@ in environment.systemPackages = [ send_to_radio newsshow + tts ]; } 
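Review bot: `main()` reads `sys.argv[1]` with no argument check, so running the script without a path dies with an `IndexError` traceback instead of a usage message, and since the point of this commit is to make the module importable, callers still cannot pass a path programmatically. Give the entry point an optional parameter, `def main(path: str | None = None):` followed by `path = path if path is not None else sys.argv[1]`, and open `path` instead of `sys.argv[1]`. A short docstring would also help: it should say the input is a JSON document whose `features` entries carry `geometry.coordinates` line lists, which is what the loop below indexes, and that one ` # <id>`-suffixed line pair is printed per segment.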
From da71141921958d50e6845ccbdad08a117c7d9be4 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 4 Sep 2023 13:45:19 +0200
Subject: [PATCH 109/125] init renew-krebs-intermediate-ca
---
 .../renew-krebs-intermediate-ca/default.nix | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
diff --git a/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
new file mode 100644
index 000000000..d3557894d
--- /dev/null
+++ b/krebs/5pkgs/simple/renew-krebs-intermediate-ca/default.nix
@@ -0,0 +1,30 @@
+{ pkgs }:
+pkgs.writers.writeDashBin "renew-intermediate-ca" ''
+ TMPDIR=$(mktemp -d)
+ trap "rm -rf $TMPDIR;" INT TERM EXIT
+ mkdir -p "$TMPDIR/krebs"
+ brain show ca/ca.key > "$TMPDIR/krebs/ca.key"
+ brain show ca/ca.crt > "$TMPDIR/krebs/ca.crt"
+ brain show krebs-secrets/hotdog/acme_ca.key > "$TMPDIR/acme.key"
+ cp ${toString ../../../6assets/krebsAcmeCA.crt} "$TMPDIR/acme.crt"
+ export STEPPATH="$TMPDIR/step"
+ cat << EOF > "$TMPDIR/intermediate.tpl"
+ {
+ "subject": {{ toJson .Subject }},
+ "keyUsage": ["certSign", "crlSign"],
+ "basicConstraints": {
+ "isCA": true,
+ "maxPathLen": 0
+ },
+ "nameConstraints": {
+ "critical": true,
+ "permittedDNSDomains": ["r" ,"w"]
+ }
+ }
+ EOF
+
+ ${pkgs.step-cli}/bin/step ca renew "$TMPDIR/ca.crt" "$TMPDIR/ca.key" \
+ --offline \
+ --root "$TMPDIR/krebs/ca.crt" \
+ --ca-config "$TMPDIR/intermediate.tpl"
+''
From e8821a74cc8a37065400df63ba3493216034c44c Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 4 Sep 2023 13:50:34 +0200
Subject: [PATCH 110/125] l: init dl
---
 lass/5pkgs/dl/default.nix | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 lass/5pkgs/dl/default.nix
diff --git a/lass/5pkgs/dl/default.nix b/lass/5pkgs/dl/default.nix
new file mode 100644
index 000000000..69f2b8c45
--- /dev/null
+++ b/lass/5pkgs/dl/default.nix
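Review bot: The `step ca renew` call passes `"$TMPDIR/ca.crt" "$TMPDIR/ca.key"`, but the script never creates those files; it writes `krebs/ca.key`, `krebs/ca.crt`, `acme.key` and `acme.crt`, and the last two are otherwise unused, so presumably `"$TMPDIR/acme.crt" "$TMPDIR/acme.key"` was meant. The script also runs without `set -efu`, so a failing `brain show` leaves an empty key file and the renewal proceeds with it; add `set -efu` as the first line of the body. Since CA private keys are written to a temporary directory, an explicit `umask 077` before the first `brain show` keeps the files private even where `mktemp -d` defaults differ, and `--ca-config` normally expects a step CA configuration rather than a certificate template, which is worth verifying against the step-cli version in use.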
@@ -0,0 +1,29 @@
+{ pkgs }:
+pkgs.writers.writeBashBin "dl" ''
+ set -efux
+ LINK_OR_SEARCH=$@
+ if [[ $LINK_OR_SEARCH == magnet:?* ]] || [[ $LINK_OR_SEARCH =~ ^https?: ]]; then
+ LINK=$LINK_OR_SEARCH
+ else
+ SEARCH=$LINK_OR_SEARCH
+ fi
+
+ if ! [ -z ''${SEARCH+x} ]; then
+ LINK=$(${pkgs.we-get}/bin/we-get -n 50 -t the_pirate_bay,1337x --json -s "$SEARCH" |
+ ${pkgs.jq}/bin/jq -r 'to_entries |
+ .[] |
+ "\(.key) [\(.value.seeds)]\t\(.value.link)"
+ ' |
+ ${pkgs.fzf}/bin/fzf -d '\t' --with-nth=1 |
+ ${pkgs.coreutils}/bin/cut -f 2
+ )
+ fi
+
+ if [ -z ''${CATEGORY+x} ]; then
+ CATEGORY=$(echo -e 'movies\nseries' | ${pkgs.fzf}/bin/fzf)
+ fi
+
+ ${pkgs.transmission}/bin/transmission-remote yellow.r \
+ -w /var/download/finished/sorted/"$CATEGORY" \
+ -a "$LINK"
+''
From 820e17ca1b7ab863ae69d18f56c042112385ca08 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 4 Sep 2023 13:50:44 +0200
Subject: [PATCH 111/125] l: init dls
---
 lass/5pkgs/dls/default.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 lass/5pkgs/dls/default.nix
diff --git a/lass/5pkgs/dls/default.nix b/lass/5pkgs/dls/default.nix
new file mode 100644
index 000000000..36cdb620b
--- /dev/null
+++ b/lass/5pkgs/dls/default.nix
@@ -0,0 +1,13 @@
+{ pkgs }:
+pkgs.writers.writeDashBin "dls" ''
+ set -efux
+ SESSION_ID=$(
+ curl -Ss -d '{}' http://yellow.r:9091/transmission/rpc -v -o /dev/null 2>&1 |
+ grep -oP '(?<=X-Transmission-Session-Id: )\w+'
+ )
+ ${pkgs.curl}/bin/curl -Ss \
+ http://yellow.r:9091/transmission/rpc \
+ -H "X-Transmission-Session-Id: $SESSION_ID" \
+ -d '{"arguments":{"fields":["errorString","eta","isFinished","name","sizeWhenDone","status"]},"method":"torrent-get","tag":4}' |
+ jq .
+''
From d1d41f9d1fb6d95ed38873bfb61c15de954dd499 Mon Sep 17 00:00:00 2001
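Review bot: In `dl`, `set -e` does not cover the search pipeline because the last command is `cut`, so when `fzf` is cancelled or `we-get` fails, `LINK` is simply empty and `transmission-remote` is still invoked with `-a ""`; add `set -o pipefail` after `set -efux` and guard the final call with `[ -n "$LINK" ] || exit 1`. `LINK_OR_SEARCH=$@` should be `LINK_OR_SEARCH=$*` so a multi-word search is joined deterministically, and the `CATEGORY` taken from the environment is spliced into the `-w` path unchecked, which is fine for a personal tool but worth a comment. The script itself has no explanatory comment; one line stating "argument is a magnet/http link, otherwise a search term" would cover the branching.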
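Review bot: `dls` mixes pinned and unpinned tools: the session-id request uses a bare `curl`, `grep -oP` and `jq` from `PATH`, while the second request pins `${pkgs.curl}/bin/curl`; under `pkgs.writers.writeDashBin` the bare names are not guaranteed to exist, and `-P` additionally requires GNU grep. Pin them as `${pkgs.curl}/bin/curl`, `${pkgs.gnugrep}/bin/grep` and `${pkgs.jq}/bin/jq`. Parsing the header out of `-v` stderr also works but `-D -` with `-o /dev/null` yields the headers on stdout without the debug noise, which `set -x` already adds to.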
From: lassulus Date: Mon, 4 Sep 2023 13:51:04 +0200 Subject: [PATCH 112/125] l: init graphml2json --- lass/5pkgs/graphml2json/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 lass/5pkgs/graphml2json/default.nix diff --git a/lass/5pkgs/graphml2json/default.nix b/lass/5pkgs/graphml2json/default.nix new file mode 100644 index 000000000..6f06ded3d --- /dev/null +++ b/lass/5pkgs/graphml2json/default.nix @@ -0,0 +1,12 @@ +{ pkgs, ... }: +pkgs.writers.writePython3Bin "graphml2json" { libraries = [ pkgs.python3Packages.networkx ]; } '' + import networkx as nx + import json + import sys + + + G = nx.read_graphml(sys.argv[1]) + data = nx.readwrite.json_graph.node_link_data(G) + + print(json.dumps(data, indent=2)) +'' From b2ff8468458b90023439768858437582d026f9d5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 13:51:15 +0200 Subject: [PATCH 113/125] l: init htmlparser --- lass/5pkgs/htmlparser/default.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 lass/5pkgs/htmlparser/default.nix diff --git a/lass/5pkgs/htmlparser/default.nix b/lass/5pkgs/htmlparser/default.nix new file mode 100644 index 000000000..72bd3f437 --- /dev/null +++ b/lass/5pkgs/htmlparser/default.nix @@ -0,0 +1,15 @@ +{ lib, buildGoModule, fetchFromGitHub }: + +buildGoModule rec { + pname = "htmlparser"; + version = "v1.0.0"; + + src = fetchFromGitHub { + owner = "htmlparser"; + repo = "htmlparser"; + rev = "02f964ebd24c296dcfa56c357bb8dedde0f39757"; + sha256 = "1k19rdpjf5sdyjfl233y6bsfgkcnv799ivrh2vkw22almg4243ar"; + }; + + vendorSha256 = "0qkd587z4n372y4lqyzjqc1qlsi3525ah99vdm5dqq4jidcd5h7w"; +} From 73b17ef250e7f59daa8d19abba265015b8dc7c22 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 13:51:36 +0200 Subject: [PATCH 114/125] l: init nix-index-update --- lass/5pkgs/nix-index-update/default.nix | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 lass/5pkgs/nix-index-update/default.nix 
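Review bot: `version = "v1.0.0";` carries the `v` prefix into the derivation name (`htmlparser-v1.0.0`), which is against the nixpkgs convention of a bare `1.0.0`, and `vendorSha256` is the superseded attribute name for `buildGoModule`; `vendorHash` is the current one. `lib` is taken in the function arguments but never used in the body. A `meta` block with at least `description` and `license` would also be expected for a packaged Go module.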
diff --git a/lass/5pkgs/nix-index-update/default.nix b/lass/5pkgs/nix-index-update/default.nix new file mode 100644 index 000000000..40be8d1a3 --- /dev/null +++ b/lass/5pkgs/nix-index-update/default.nix @@ -0,0 +1,9 @@ +{ pkgs }: +pkgs.writers.writeDashBin "nix-index-update" '' + set -efux + filename="index-$(uname -m)-$(uname | tr A-Z a-z)" + mkdir -p ~/.cache/nix-index && cd ~/.cache/nix-index + # -N will only download a new version if there is an update. + ${pkgs.wget}/bin/wget -q -N https://github.com/Mic92/nix-index-database/releases/latest/download/$filename + ln -f $filename files +'' From aa0292417f18840f61a504b752e4b3f4172fee97 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 20:23:12 +0200 Subject: [PATCH 115/125] kartei janik: make pure --- kartei/janik/default.nix | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/kartei/janik/default.nix b/kartei/janik/default.nix index 44ec9b0a8..a945550d1 100644 --- a/kartei/janik/default.nix +++ b/kartei/janik/default.nix @@ -1,12 +1,12 @@ -with import ../../lib; -{ config, ... }: let - hostDefaults = hostName: host: flip recursiveUpdate host ({ +{ config, lib, ... }: let + slib = import ../../lib/pure.nix { inherit lib; }; + hostDefaults = hostName: host: lib.flip lib.recursiveUpdate host ({ ci = false; external = true; monitoring = false; - } // optionalAttrs (host.nets?retiolum) { + } // lib.optionalAttrs (host.nets?retiolum) { nets.retiolum.ip6.addr = - (krebs.genipv6 "retiolum" "external" { inherit hostName; }).address; + (slib.krebs.genipv6 "retiolum" "external" { inherit hostName; }).address; }); in { users.janik = { 
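Review bot: `$filename` is unquoted in both the `wget` URL and the `ln -f $filename files` line; the value is built from `uname`, so it is safe in practice, but quoting it is the consistent thing under `set -efux`. The downloaded index is used as-is with no integrity check, so whatever GitHub serves for that release becomes the local `nix-locate` database; a comment saying this is accepted, or a pinned hash when the release is updated deliberately, would document the trust decision. `cd ~/.cache/nix-index` relies on `HOME` being set, which is fine for an interactive tool.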
@@ -16,7 +16,7 @@ in { owner = config.krebs.users.janik; nets.retiolum = { aliases = [ "hertz.janik.r" ]; - ip6.addr = (lib.krebs.genipv6 "retiolum" "janik" { hostName = "hertz"; }).address; + ip6.addr = (slib.krebs.genipv6 "retiolum" "janik" { hostName = "hertz"; }).address; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEA0mqxrdVU9wFhNZYGWEknJpKV4yIodNlaCIKDPVhU5wmlzh2szKUS From 1105d9ef32d5512b0e6eee7fb6c8d7e0435a893c Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 20:32:48 +0200 Subject: [PATCH 116/125] fetchWallpaper: use upstream writers --- krebs/3modules/fetchWallpaper.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix index 79187adfa..0d67120fd 100644 --- a/krebs/3modules/fetchWallpaper.nix +++ b/krebs/3modules/fetchWallpaper.nix @@ -40,7 +40,7 @@ let }; }; - fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" '' + fetchWallpaperScript = pkgs.writers.writeDash "fetchWallpaper" '' set -euf mkdir -p ${cfg.stateDir} From 245dd8b67ffe133dbff76a59a4f9e7f5401f7aec Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 4 Sep 2023 20:35:32 +0200 Subject: [PATCH 117/125] iptables: use upstream writers --- krebs/3modules/iptables.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index c1c5b68c8..32a5273a5 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -177,7 +177,7 @@ let ${buildTables iptables-version cfg.tables} ''; - startScript = pkgs.writeDash "krebs-iptables_start" '' + startScript = pkgs.writers.writeDash "krebs-iptables_start" '' set -euf iptables-restore < ${rules "v4"} ip6tables-restore < ${rules "v6"} From 5e215d87e53f97e73247c0d415a416cade9f9328 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Mon, 4 Sep 2023 20:36:51 +0200 Subject: [PATCH 118/125] power-action: use upstream writers --- krebs/3modules/power-action.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/krebs/3modules/power-action.nix b/krebs/3modules/power-action.nix index 71e2b541a..a9ed24d3f 100644 --- a/krebs/3modules/power-action.nix +++ b/krebs/3modules/power-action.nix @@ -60,7 +60,7 @@ let }; }; - startScript = pkgs.writeDash "power-action" '' + startScript = pkgs.writers.writeDash "power-action" '' set -euf power="$(${powerlvl})" @@ -77,11 +77,11 @@ let writeRule = _: plan: "if [ $power -ge ${toString plan.lowerLimit} ] && [ $power -le ${toString plan.upperLimit} ] ${charging_check plan}; then ${plan.action}; fi"; - powerlvl = pkgs.writeDash "powerlvl" '' + powerlvl = pkgs.writers.writeDash "powerlvl" '' cat /sys/class/power_supply/${cfg.battery}/capacity ''; - state = pkgs.writeDash "state" '' + state = pkgs.writers.writeDash "state" '' if [ "$(cat /sys/class/power_supply/${cfg.battery}/status)" = "Discharging" ] then echo "false" else echo "true" From a2f58988f5c35c5782dc75c2c6c8635cb82339a5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 7 Sep 2023 11:54:02 +0200 Subject: [PATCH 119/125] fzfmenu: handle dumb terminal as no terminal --- krebs/5pkgs/simple/fzfmenu/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/5pkgs/simple/fzfmenu/default.nix b/krebs/5pkgs/simple/fzfmenu/default.nix index eb2441330..030c1b1b1 100644 --- a/krebs/5pkgs/simple/fzfmenu/default.nix +++ b/krebs/5pkgs/simple/fzfmenu/default.nix @@ -43,7 +43,7 @@ pkgs.writers.writeDashBin "fzfmenu" '' set -efu # Spawn terminal if called without one, like e.g. from a window manager. - if [ -z ''${TERM+x} ]; then + if [ -z ''${TERM+x} ] || [ $TERM = dumb ]; then exec 3<&0 exec 4>&1 export FZFMENU_INPUT_FD=3 From 1e89787cbafbe4dcd2b4da947d6ac2d14824875c Mon Sep 17 00:00:00 2001 
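Review bot: The changed condition uses an unquoted `$TERM`, so when `TERM` is set but empty the second test becomes `[ = dumb ]`, which is a `test` syntax error that prints to stderr and evaluates false, i.e. no terminal is spawned; quote it, or fold both checks into `if [ "''${TERM:-dumb}" = dumb ]; then`, which treats unset and empty the same way as `dumb`. The comment above the line could be extended to `# ...or with TERM=dumb, e.g. from a non-interactive caller` so the new branch is explained. The surrounding script body starts outside the hunk.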
From: lassulus Date: Thu, 7 Sep 2023 12:05:42 +0200 Subject: [PATCH 120/125] kartei lass: remove privkeys --- kartei/lass/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/kartei/lass/default.nix b/kartei/lass/default.nix index d4806534f..9ccf1c72d 100644 --- a/kartei/lass/default.nix +++ b/kartei/lass/default.nix @@ -19,7 +19,6 @@ in { consul = true; ci = true; monitoring = true; - ssh.privkey.path = ; }) ( lib.genAttrs hostFiles (host: import (./. + "/${host}.nix") { inherit config lib r6 w6; From 3ad7dd0565d2bdf3a3f89a0d27834275be81f9df Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 7 Sep 2023 12:21:53 +0200 Subject: [PATCH 121/125] l radio news: ignore stdout of tts --- lass/2configs/services/radio/news.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/services/radio/news.nix b/lass/2configs/services/radio/news.nix index b17c2e629..cfd17e637 100644 --- a/lass/2configs/services/radio/news.nix +++ b/lass/2configs/services/radio/news.nix @@ -17,7 +17,7 @@ let stripRoot = false; }}/en-us-libritts-high.onnx \ -s "$SPEAKER" \ - -f "$OUTPUT"/"$offset".wav + -f "$OUTPUT"/"$offset".wav >/dev/null ((offset+=1)) done From 85ae348bf3f53125c8281669a32bf007dc0063be Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 7 Sep 2023 12:24:01 +0200 Subject: [PATCH 122/125] l alacritty: use precompiled font --- lass/2configs/alacritty.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lass/2configs/alacritty.nix b/lass/2configs/alacritty.nix index e5e001a4c..7f24e4a2e 100644 --- a/lass/2configs/alacritty.nix +++ b/lass/2configs/alacritty.nix @@ -2,7 +2,7 @@ alacritty-cfg = extrVals: builtins.toJSON ({ font = let - family = "Iosevka"; + family = "Iosevka Term SS15"; in { normal = { family = family; 
@@ -20,13 +20,14 @@ family = family; style = "Bold Italic"; }; - size = 8; + size = 12; }; live_config_reload = true; window.dimensions = { columns = 80; lines = 20; }; + env.WINIT_X11_SCALE_FACTOR = "1.0"; # window.opacity = 0; hints.enabled = [ { From f55307fd73af235069744dd5155fda0bc73fe613 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Thu, 7 Sep 2023 12:26:31 +0200 Subject: [PATCH 123/125] lass: migrate away --- .gitmodules | 3 - kartei/lass/default.nix | 2 +- lass/1systems/aergia/config.nix | 167 ------- lass/1systems/aergia/disk.nix | 63 --- lass/1systems/aergia/install.sh | 3 - lass/1systems/aergia/physical.nix | 117 ----- lass/1systems/aergia/source.nix | 21 - lass/1systems/blue/config.nix | 22 - lass/1systems/blue/physical.nix | 7 - lass/1systems/blue/source.nix | 17 - lass/1systems/coaxmetal/config.nix | 63 --- lass/1systems/coaxmetal/physical.nix | 59 --- lass/1systems/coaxmetal/source.nix | 21 - lass/1systems/daedalus/config.nix | 115 ----- lass/1systems/daedalus/physical.nix | 24 - lass/1systems/dishfire/config.nix | 13 - lass/1systems/dishfire/physical.nix | 21 - lass/1systems/echelon/config.nix | 17 - lass/1systems/echelon/physical.nix | 33 -- lass/1systems/green/config.nix | 75 --- lass/1systems/green/physical.nix | 7 - lass/1systems/green/source.nix | 6 - lass/1systems/hilum/config.nix | 33 -- lass/1systems/hilum/disk.nix | 43 -- lass/1systems/hilum/flash-stick.sh | 43 -- lass/1systems/hilum/physical.nix | 53 -- lass/1systems/icarus/config.nix | 30 -- lass/1systems/icarus/physical.nix | 49 -- lass/1systems/lasspi/config.nix | 25 - lass/1systems/lasspi/physical.nix | 45 -- lass/1systems/littleT/config.nix | 30 -- lass/1systems/littleT/physical.nix | 25 - lass/1systems/mors/config.nix | 167 ------- lass/1systems/mors/physical.nix | 48 -- lass/1systems/mors/source.nix | 21 - lass/1systems/neoprism/config.nix | 51 -- lass/1systems/neoprism/disk.nix | 118 ----- lass/1systems/neoprism/physical.nix | 79 --- lass/1systems/orange/config.nix | 25 - lass/1systems/orange/physical.nix | 7 - lass/1systems/prism/backup.nix | 37 -- lass/1systems/prism/config.nix | 380 --------------- lass/1systems/prism/physical.nix | 107 ----- lass/1systems/radio/config.nix | 24 - lass/1systems/radio/physical.nix | 7 - lass/1systems/radio/source.nix | 6 - lass/1systems/shodan/config.nix | 28 
-- lass/1systems/shodan/physical.nix | 45 -- lass/1systems/skynet/config.nix | 41 -- lass/1systems/skynet/physical.nix | 29 -- lass/1systems/styx/config.nix | 116 ----- lass/1systems/styx/physical.nix | 38 -- lass/1systems/ubik/config.nix | 276 ----------- lass/1systems/ubik/physical.nix | 7 - lass/1systems/wizard/config.nix | 287 ----------- lass/1systems/wizard/generate-iso.sh | 7 - lass/1systems/wizard/run-vm.sh | 7 - lass/1systems/wizard/test.nix | 10 - lass/1systems/xerxes/config.nix | 76 --- lass/1systems/xerxes/physical.nix | 73 --- lass/1systems/yellow/config.nix | 45 -- lass/1systems/yellow/physical.nix | 7 - lass/2configs/AP.nix | 83 ---- lass/2configs/IM.nix | 38 -- lass/2configs/ableton.nix | 20 - lass/2configs/alacritty.nix | 134 ------ lass/2configs/antimicrox/default.nix | 39 -- .../antimicrox/empty.gamecontroller.amgp | 20 - .../antimicrox/mouse.gamecontroller.amgp | 281 ----------- lass/2configs/atuin-server.nix | 10 - lass/2configs/autotether.nix | 16 - lass/2configs/baseX.nix | 196 -------- lass/2configs/bgt-bot/bgt-check.sh | 57 --- lass/2configs/bgt-bot/default.nix | 44 -- lass/2configs/binary-cache/client.nix | 17 - lass/2configs/binary-cache/proxy.nix | 13 - lass/2configs/binary-cache/server.nix | 31 -- lass/2configs/bird.nix | 13 - lass/2configs/bitcoin.nix | 34 -- lass/2configs/bitlbee.nix | 34 -- lass/2configs/blue-host.nix | 116 ----- lass/2configs/blue.nix | 33 -- lass/2configs/boot/coreboot.nix | 10 - lass/2configs/boot/stock-x220.nix | 8 - lass/2configs/boot/universal.nix | 11 - lass/2configs/br.nix | 51 -- lass/2configs/browsers.nix | 8 - lass/2configs/c-base.nix | 115 ----- lass/2configs/ciko.nix | 20 - lass/2configs/codimd.nix | 70 --- lass/2configs/consul.nix | 40 -- lass/2configs/container-networking.nix | 22 - lass/2configs/copyq.nix | 37 -- lass/2configs/default.nix | 249 ---------- lass/2configs/docker.nix | 6 - lass/2configs/dunst.nix | 277 ----------- lass/2configs/elster.nix | 24 - lass/2configs/et-server.nix | 7 - 
lass/2configs/exim-retiolum.nix | 15 - lass/2configs/exim-smarthost.nix | 62 --- lass/2configs/fetchWallpaper.nix | 11 - lass/2configs/firefoxPatched.nix | 58 --- lass/2configs/fonts.nix | 14 - lass/2configs/fysiirc.nix | 69 --- lass/2configs/games.nix | 96 ---- lass/2configs/gc.nix | 9 - lass/2configs/gg23.nix | 93 ---- lass/2configs/git-brain.nix | 56 --- lass/2configs/git.nix | 206 -------- lass/2configs/go.nix | 19 - lass/2configs/green-host.nix | 6 - lass/2configs/green-hosts/cryfs.nix | 95 ---- lass/2configs/green-hosts/ecryptfs.nix | 99 ---- lass/2configs/green-hosts/plain-bindfs.nix | 90 ---- lass/2configs/green-hosts/plain-permown.nix | 88 ---- lass/2configs/green-hosts/plain.nix | 87 ---- lass/2configs/green-hosts/securefs.nix | 101 ---- lass/2configs/gsm-wiki.nix | 46 -- lass/2configs/hardening.nix | 11 - lass/2configs/hass/default.nix | 125 ----- lass/2configs/hass/lib.nix | 256 ---------- lass/2configs/hass/pyscript/.gitignore | 1 - lass/2configs/hass/pyscript/default.nix | 26 - lass/2configs/hass/pyscript/shell.nix | 51 -- lass/2configs/hass/rooms/bett.nix | 39 -- lass/2configs/hass/rooms/essen.nix | 9 - lass/2configs/hass/rooms/nass.nix | 10 - lass/2configs/hass/zigbee.nix | 76 --- lass/2configs/hfos.nix | 48 -- lass/2configs/home-media.nix | 102 ---- lass/2configs/htop.nix | 43 -- lass/2configs/hw/brcmfmac4356-pcie.txt | 125 ----- lass/2configs/hw/gpd-pocket.nix | 28 -- lass/2configs/hw/x220.nix | 50 -- lass/2configs/iodined.nix | 20 - lass/2configs/libvirt.nix | 33 -- lass/2configs/livestream.nix | 12 - lass/2configs/logf.nix | 24 - lass/2configs/mail.nix | 272 ----------- lass/2configs/mail/internet-gateway.nix | 48 -- lass/2configs/matrix.nix | 62 --- lass/2configs/mc.nix | 344 ------------- lass/2configs/minecraft.nix | 13 - lass/2configs/monitoring/alert-rules.nix | 208 -------- lass/2configs/monitoring/prometheus.nix | 110 ----- lass/2configs/monitoring/telegraf.nix | 163 ------- lass/2configs/mouse.nix | 20 - lass/2configs/mpv.nix | 103 ---- 
lass/2configs/muchsync.nix | 40 -- lass/2configs/mumble-reminder.nix | 107 ----- lass/2configs/murmur.nix | 37 -- lass/2configs/network-manager.nix | 25 - lass/2configs/networkd.nix | 20 - lass/2configs/nfs-dl.nix | 22 - lass/2configs/orange-host.nix | 19 - .../os-templates/CAC-CentOS-6.5-64bit.nix | 47 -- .../os-templates/CAC-CentOS-7-64bit.nix | 47 -- lass/2configs/otp-ssh.nix | 18 - lass/2configs/pass.nix | 21 - lass/2configs/paste.nix | 146 ------ lass/2configs/pipewire.nix | 35 -- lass/2configs/power-action.nix | 45 -- lass/2configs/ppp/umts-stick.nix | 33 -- lass/2configs/ppp/x220-modem.nix | 32 -- lass/2configs/print.nix | 19 - lass/2configs/prism-share.nix | 42 -- lass/2configs/privoxy-retiolum.nix | 21 - lass/2configs/privoxy.nix | 7 - lass/2configs/programs.nix | 54 --- lass/2configs/reaktor-coders.nix | 56 --- lass/2configs/realwallpaper.nix | 52 -- lass/2configs/rebuild-on-boot.nix | 18 - lass/2configs/red-host.nix | 163 ------- lass/2configs/redis.nix | 8 - lass/2configs/retiolum.nix | 55 --- lass/2configs/review.nix | 14 - lass/2configs/riot.nix | 87 ---- lass/2configs/rtl-sdr.nix | 6 - lass/2configs/searx.nix | 23 - lass/2configs/services/coms/default.nix | 6 - lass/2configs/services/coms/jitsi.nix | 43 -- lass/2configs/services/coms/murmur.nix | 47 -- lass/2configs/services/coms/proxy.nix | 41 -- .../2configs/services/flix/container-host.nix | 40 -- lass/2configs/services/flix/default.nix | 316 ------------ lass/2configs/services/flix/proxy.nix | 12 - lass/2configs/services/git/default.nix | 21 - lass/2configs/services/git/proxy.nix | 23 - .../services/radio/container-host.nix | 23 - lass/2configs/services/radio/controls.html | 83 ---- lass/2configs/services/radio/default.nix | 348 -------------- lass/2configs/services/radio/news.nix | 131 ----- lass/2configs/services/radio/proxy.nix | 17 - lass/2configs/services/radio/radio.liq | 112 ----- lass/2configs/services/radio/shell.nix | 7 - lass/2configs/services/radio/weather.nix | 60 --- 
.../services/radio/weather_for_ips.py | 48 -- lass/2configs/skype.nix | 27 -- lass/2configs/smartd.nix | 17 - lass/2configs/snapclient.nix | 12 - lass/2configs/snapserver.nix | 30 -- lass/2configs/ssh-cryptsetup.nix | 15 - lass/2configs/starcraft.nix | 22 - lass/2configs/steam.nix | 29 -- lass/2configs/sync/decsync.nix | 10 - lass/2configs/sync/sync.nix | 15 - lass/2configs/sync/the_playlist.nix | 9 - lass/2configs/sync/weechat.nix | 6 - lass/2configs/syncthing.nix | 15 - lass/2configs/termite.nix | 22 - .../tests/dummy-secrets/bepasty-secret.nix | 1 - lass/2configs/tests/dummy-secrets/cbase.txt | 0 .../tests/dummy-secrets/grafana_security.nix | 4 - .../tests/dummy-secrets/hashedPasswords.nix | 1 - .../tests/dummy-secrets/icecast-admin-pw | 1 - .../tests/dummy-secrets/icecast-source-pw | 1 - .../dummy-secrets/initrd/ssh.ed25519_key | 0 .../2configs/tests/dummy-secrets/iodinepw.nix | 1 - .../tests/dummy-secrets/lassul.us.dkim.priv | 3 - lass/2configs/tests/dummy-secrets/mails.nix | 1 - .../tests/dummy-secrets/mysql_rootPassword | 1 - .../tests/dummy-secrets/nix-serve.key | 1 - lass/2configs/tests/dummy-secrets/nordvpn.txt | 0 lass/2configs/tests/dummy-secrets/repos.nix | 1 - .../tests/dummy-secrets/retiolum.rsa_key.priv | 4 - lass/2configs/tests/dummy-secrets/searx.key | 1 - .../2configs/tests/dummy-secrets/ssh-tor.priv | 0 .../tests/dummy-secrets/ssh.id_ed25519 | 3 - lass/2configs/tests/dummy-secrets/ssh.id_rsa | 3 - .../tests/dummy-secrets/syncthing.cert | 0 .../tests/dummy-secrets/syncthing.key | 0 .../2configs/tests/dummy-secrets/torrent-auth | 3 - .../tests/dummy-secrets/transmission-pw | 1 - lass/2configs/texlive.nix | 12 - lass/2configs/themes.nix | 75 --- lass/2configs/tmux.nix | 47 -- lass/2configs/tor-initrd.nix | 49 -- lass/2configs/tor-ssh.nix | 16 - lass/2configs/tv.nix | 194 -------- lass/2configs/ubik-host.nix | 26 - lass/2configs/urxvt.nix | 37 -- lass/2configs/vim.nix | 349 -------------- lass/2configs/virtualbox.nix | 24 - 
lass/2configs/websites/default.nix | 20 - lass/2configs/websites/domsen.nix | 454 ------------------ lass/2configs/websites/flix.lassul.us.nix | 13 - lass/2configs/websites/lassulus.nix | 74 --- .../2configs/websites/ref.ptkk.de/default.nix | 89 ---- lass/2configs/websites/sqlBackup.nix | 30 -- lass/2configs/websites/util.nix | 246 ---------- lass/2configs/weechat.nix | 214 --------- lass/2configs/weron/client.nix | 20 - lass/2configs/weron/signaler.nix | 13 - lass/2configs/wine.nix | 25 - lass/2configs/wiregrill.nix | 59 --- lass/2configs/xdg-open.nix | 67 --- lass/2configs/xmonad.nix | 236 --------- lass/2configs/xonsh.nix | 7 - lass/2configs/yellow-mounts/samba.nix | 15 - lass/2configs/yubikey.nix | 62 --- lass/2configs/zsh.nix | 144 ------ lass/3modules/autowifi.nix | 38 -- lass/3modules/default.nix | 18 - lass/3modules/dnsmasq.nix | 48 -- lass/3modules/drbd.nix | 159 ------ lass/3modules/folderPerms.nix | 104 ---- lass/3modules/hosts.nix | 12 - lass/3modules/klem.nix | 75 --- lass/3modules/mysql-backup.nix | 86 ---- lass/3modules/news.nix | 76 --- lass/3modules/nichtparasoup.nix | 161 ------- lass/3modules/pyload.nix | 55 --- lass/3modules/screenlock.nix | 40 -- lass/3modules/usershadow.nix | 139 ------ lass/4lib/default.nix | 10 - lass/5pkgs/acronym/default.nix | 16 - lass/5pkgs/autowifi | 1 - lass/5pkgs/bank/default.nix | 14 - lass/5pkgs/default.nix | 24 - lass/5pkgs/deploy/default.nix | 6 - lass/5pkgs/dl/default.nix | 29 -- lass/5pkgs/dls/default.nix | 13 - lass/5pkgs/drbd9/default.nix | 35 -- lass/5pkgs/emot-menu/default.nix | 34 -- lass/5pkgs/firefoxPlugins/noscript.nix | 28 -- lass/5pkgs/firefoxPlugins/ublock.nix | 31 -- lass/5pkgs/firefoxPlugins/vimperator.nix | 19 - lass/5pkgs/graphml2json/default.nix | 12 - lass/5pkgs/htmlparser/default.nix | 15 - lass/5pkgs/init/default.nix | 107 ----- lass/5pkgs/init/run-vm.sh | 7 - lass/5pkgs/init/test.nix | 13 - lass/5pkgs/init/test.sh | 11 - lass/5pkgs/install-system/default.nix | 35 -- 
lass/5pkgs/knav/default.nix | 26 - lass/5pkgs/l-gen-secrets/default.nix | 82 ---- lass/5pkgs/logify/default.nix | 7 - lass/5pkgs/mk_sql_pair/default.nix | 19 - lass/5pkgs/mpv-poll/default.nix | 40 -- lass/5pkgs/nichtparasoup/default.nix | 15 - lass/5pkgs/nichtparasoup/exception.patch | 13 - lass/5pkgs/nix-index-update/default.nix | 9 - lass/5pkgs/nm-dmenu/default.nix | 10 - lass/5pkgs/otpmenu/default.nix | 11 - lass/5pkgs/pop/default.nix | 10 - lass/5pkgs/q/default.nix | 286 ----------- lass/5pkgs/review-mail-queue/default.nix | 39 -- lass/5pkgs/rs/default.nix | 6 - lass/5pkgs/searx/default.nix | 69 --- lass/5pkgs/sshify/default.nix | 39 -- lass/5pkgs/sshvnc/default.nix | 11 - lass/5pkgs/super-vnc/default.nix | 38 -- lass/5pkgs/sxiv/default.nix | 27 -- lass/5pkgs/tdlib-purple/default.nix | 51 -- lass/5pkgs/unimenu/default.nix | 101 ---- lass/5pkgs/urban/default.nix | 21 - lass/5pkgs/xephyrify/default.nix | 62 --- lass/5pkgs/xml2json/default.nix | 17 - lass/5pkgs/xonsh2/default.nix | 56 --- lass/5pkgs/yt-next/default.nix | 13 - lass/default.nix | 9 - lass/krops.nix | 145 ------ lass/tombstone | 1 + 323 files changed, 2 insertions(+), 17633 deletions(-) delete mode 100644 lass/1systems/aergia/config.nix delete mode 100644 lass/1systems/aergia/disk.nix delete mode 100644 lass/1systems/aergia/install.sh delete mode 100644 lass/1systems/aergia/physical.nix delete mode 100644 lass/1systems/aergia/source.nix delete mode 100644 lass/1systems/blue/config.nix delete mode 100644 lass/1systems/blue/physical.nix delete mode 100644 lass/1systems/blue/source.nix delete mode 100644 lass/1systems/coaxmetal/config.nix delete mode 100644 lass/1systems/coaxmetal/physical.nix delete mode 100644 lass/1systems/coaxmetal/source.nix delete mode 100644 lass/1systems/daedalus/config.nix delete mode 100644 lass/1systems/daedalus/physical.nix delete mode 100644 lass/1systems/dishfire/config.nix delete mode 100644 lass/1systems/dishfire/physical.nix delete mode 100644 
lass/1systems/echelon/config.nix delete mode 100644 lass/1systems/echelon/physical.nix delete mode 100644 lass/1systems/green/config.nix delete mode 100644 lass/1systems/green/physical.nix delete mode 100644 lass/1systems/green/source.nix delete mode 100644 lass/1systems/hilum/config.nix delete mode 100644 lass/1systems/hilum/disk.nix delete mode 100755 lass/1systems/hilum/flash-stick.sh delete mode 100644 lass/1systems/hilum/physical.nix delete mode 100644 lass/1systems/icarus/config.nix delete mode 100644 lass/1systems/icarus/physical.nix delete mode 100644 lass/1systems/lasspi/config.nix delete mode 100644 lass/1systems/lasspi/physical.nix delete mode 100644 lass/1systems/littleT/config.nix delete mode 100644 lass/1systems/littleT/physical.nix delete mode 100644 lass/1systems/mors/config.nix delete mode 100644 lass/1systems/mors/physical.nix delete mode 100644 lass/1systems/mors/source.nix delete mode 100644 lass/1systems/neoprism/config.nix delete mode 100644 lass/1systems/neoprism/disk.nix delete mode 100644 lass/1systems/neoprism/physical.nix delete mode 100644 lass/1systems/orange/config.nix delete mode 100644 lass/1systems/orange/physical.nix delete mode 100644 lass/1systems/prism/backup.nix delete mode 100644 lass/1systems/prism/config.nix delete mode 100644 lass/1systems/prism/physical.nix delete mode 100644 lass/1systems/radio/config.nix delete mode 100644 lass/1systems/radio/physical.nix delete mode 100644 lass/1systems/radio/source.nix delete mode 100644 lass/1systems/shodan/config.nix delete mode 100644 lass/1systems/shodan/physical.nix delete mode 100644 lass/1systems/skynet/config.nix delete mode 100644 lass/1systems/skynet/physical.nix delete mode 100644 lass/1systems/styx/config.nix delete mode 100644 lass/1systems/styx/physical.nix delete mode 100644 lass/1systems/ubik/config.nix delete mode 100644 lass/1systems/ubik/physical.nix delete mode 100644 lass/1systems/wizard/config.nix delete mode 100755 lass/1systems/wizard/generate-iso.sh delete mode 
100755 lass/1systems/wizard/run-vm.sh delete mode 100644 lass/1systems/wizard/test.nix delete mode 100644 lass/1systems/xerxes/config.nix delete mode 100644 lass/1systems/xerxes/physical.nix delete mode 100644 lass/1systems/yellow/config.nix delete mode 100644 lass/1systems/yellow/physical.nix delete mode 100644 lass/2configs/AP.nix delete mode 100644 lass/2configs/IM.nix delete mode 100644 lass/2configs/ableton.nix delete mode 100644 lass/2configs/alacritty.nix delete mode 100644 lass/2configs/antimicrox/default.nix delete mode 100644 lass/2configs/antimicrox/empty.gamecontroller.amgp delete mode 100644 lass/2configs/antimicrox/mouse.gamecontroller.amgp delete mode 100644 lass/2configs/atuin-server.nix delete mode 100644 lass/2configs/autotether.nix delete mode 100644 lass/2configs/baseX.nix delete mode 100644 lass/2configs/bgt-bot/bgt-check.sh delete mode 100644 lass/2configs/bgt-bot/default.nix delete mode 100644 lass/2configs/binary-cache/client.nix delete mode 100644 lass/2configs/binary-cache/proxy.nix delete mode 100644 lass/2configs/binary-cache/server.nix delete mode 100644 lass/2configs/bird.nix delete mode 100644 lass/2configs/bitcoin.nix delete mode 100644 lass/2configs/bitlbee.nix delete mode 100644 lass/2configs/blue-host.nix delete mode 100644 lass/2configs/blue.nix delete mode 100644 lass/2configs/boot/coreboot.nix delete mode 100644 lass/2configs/boot/stock-x220.nix delete mode 100644 lass/2configs/boot/universal.nix delete mode 100644 lass/2configs/br.nix delete mode 100644 lass/2configs/browsers.nix delete mode 100644 lass/2configs/c-base.nix delete mode 100644 lass/2configs/ciko.nix delete mode 100644 lass/2configs/codimd.nix delete mode 100644 lass/2configs/consul.nix delete mode 100644 lass/2configs/container-networking.nix delete mode 100644 lass/2configs/copyq.nix delete mode 100644 lass/2configs/default.nix delete mode 100644 lass/2configs/docker.nix delete mode 100644 lass/2configs/dunst.nix delete mode 100644 lass/2configs/elster.nix 
delete mode 100644 lass/2configs/et-server.nix delete mode 100644 lass/2configs/exim-retiolum.nix delete mode 100644 lass/2configs/exim-smarthost.nix delete mode 100644 lass/2configs/fetchWallpaper.nix delete mode 100644 lass/2configs/firefoxPatched.nix delete mode 100644 lass/2configs/fonts.nix delete mode 100644 lass/2configs/fysiirc.nix delete mode 100644 lass/2configs/games.nix delete mode 100644 lass/2configs/gc.nix delete mode 100644 lass/2configs/gg23.nix delete mode 100644 lass/2configs/git-brain.nix delete mode 100644 lass/2configs/git.nix delete mode 100644 lass/2configs/go.nix delete mode 100644 lass/2configs/green-host.nix delete mode 100644 lass/2configs/green-hosts/cryfs.nix delete mode 100644 lass/2configs/green-hosts/ecryptfs.nix delete mode 100644 lass/2configs/green-hosts/plain-bindfs.nix delete mode 100644 lass/2configs/green-hosts/plain-permown.nix delete mode 100644 lass/2configs/green-hosts/plain.nix delete mode 100644 lass/2configs/green-hosts/securefs.nix delete mode 100644 lass/2configs/gsm-wiki.nix delete mode 100644 lass/2configs/hardening.nix delete mode 100644 lass/2configs/hass/default.nix delete mode 100644 lass/2configs/hass/lib.nix delete mode 100644 lass/2configs/hass/pyscript/.gitignore delete mode 100644 lass/2configs/hass/pyscript/default.nix delete mode 100644 lass/2configs/hass/pyscript/shell.nix delete mode 100644 lass/2configs/hass/rooms/bett.nix delete mode 100644 lass/2configs/hass/rooms/essen.nix delete mode 100644 lass/2configs/hass/rooms/nass.nix delete mode 100644 lass/2configs/hass/zigbee.nix delete mode 100644 lass/2configs/hfos.nix delete mode 100644 lass/2configs/home-media.nix delete mode 100644 lass/2configs/htop.nix delete mode 100644 lass/2configs/hw/brcmfmac4356-pcie.txt delete mode 100644 lass/2configs/hw/gpd-pocket.nix delete mode 100644 lass/2configs/hw/x220.nix delete mode 100644 lass/2configs/iodined.nix delete mode 100644 lass/2configs/libvirt.nix delete mode 100644 lass/2configs/livestream.nix delete 
mode 100644 lass/2configs/logf.nix delete mode 100644 lass/2configs/mail.nix delete mode 100644 lass/2configs/mail/internet-gateway.nix delete mode 100644 lass/2configs/matrix.nix delete mode 100644 lass/2configs/mc.nix delete mode 100644 lass/2configs/minecraft.nix delete mode 100644 lass/2configs/monitoring/alert-rules.nix delete mode 100644 lass/2configs/monitoring/prometheus.nix delete mode 100644 lass/2configs/monitoring/telegraf.nix delete mode 100644 lass/2configs/mouse.nix delete mode 100644 lass/2configs/mpv.nix delete mode 100644 lass/2configs/muchsync.nix delete mode 100644 lass/2configs/mumble-reminder.nix delete mode 100644 lass/2configs/murmur.nix delete mode 100644 lass/2configs/network-manager.nix delete mode 100644 lass/2configs/networkd.nix delete mode 100644 lass/2configs/nfs-dl.nix delete mode 100644 lass/2configs/orange-host.nix delete mode 100644 lass/2configs/os-templates/CAC-CentOS-6.5-64bit.nix delete mode 100644 lass/2configs/os-templates/CAC-CentOS-7-64bit.nix delete mode 100644 lass/2configs/otp-ssh.nix delete mode 100644 lass/2configs/pass.nix delete mode 100644 lass/2configs/paste.nix delete mode 100644 lass/2configs/pipewire.nix delete mode 100644 lass/2configs/power-action.nix delete mode 100644 lass/2configs/ppp/umts-stick.nix delete mode 100644 lass/2configs/ppp/x220-modem.nix delete mode 100644 lass/2configs/print.nix delete mode 100644 lass/2configs/prism-share.nix delete mode 100644 lass/2configs/privoxy-retiolum.nix delete mode 100644 lass/2configs/privoxy.nix delete mode 100644 lass/2configs/programs.nix delete mode 100644 lass/2configs/reaktor-coders.nix delete mode 100644 lass/2configs/realwallpaper.nix delete mode 100644 lass/2configs/rebuild-on-boot.nix delete mode 100644 lass/2configs/red-host.nix delete mode 100644 lass/2configs/redis.nix delete mode 100644 lass/2configs/retiolum.nix delete mode 100644 lass/2configs/review.nix delete mode 100644 lass/2configs/riot.nix delete mode 100644 lass/2configs/rtl-sdr.nix delete 
mode 100644 lass/2configs/searx.nix delete mode 100644 lass/2configs/services/coms/default.nix delete mode 100644 lass/2configs/services/coms/jitsi.nix delete mode 100644 lass/2configs/services/coms/murmur.nix delete mode 100644 lass/2configs/services/coms/proxy.nix delete mode 100644 lass/2configs/services/flix/container-host.nix delete mode 100644 lass/2configs/services/flix/default.nix delete mode 100644 lass/2configs/services/flix/proxy.nix delete mode 100644 lass/2configs/services/git/default.nix delete mode 100644 lass/2configs/services/git/proxy.nix delete mode 100644 lass/2configs/services/radio/container-host.nix delete mode 100644 lass/2configs/services/radio/controls.html delete mode 100644 lass/2configs/services/radio/default.nix delete mode 100644 lass/2configs/services/radio/news.nix delete mode 100644 lass/2configs/services/radio/proxy.nix delete mode 100644 lass/2configs/services/radio/radio.liq delete mode 100644 lass/2configs/services/radio/shell.nix delete mode 100644 lass/2configs/services/radio/weather.nix delete mode 100644 lass/2configs/services/radio/weather_for_ips.py delete mode 100644 lass/2configs/skype.nix delete mode 100644 lass/2configs/smartd.nix delete mode 100644 lass/2configs/snapclient.nix delete mode 100644 lass/2configs/snapserver.nix delete mode 100644 lass/2configs/ssh-cryptsetup.nix delete mode 100644 lass/2configs/starcraft.nix delete mode 100644 lass/2configs/steam.nix delete mode 100644 lass/2configs/sync/decsync.nix delete mode 100644 lass/2configs/sync/sync.nix delete mode 100644 lass/2configs/sync/the_playlist.nix delete mode 100644 lass/2configs/sync/weechat.nix delete mode 100644 lass/2configs/syncthing.nix delete mode 100644 lass/2configs/termite.nix delete mode 100644 lass/2configs/tests/dummy-secrets/bepasty-secret.nix delete mode 100644 lass/2configs/tests/dummy-secrets/cbase.txt delete mode 100644 lass/2configs/tests/dummy-secrets/grafana_security.nix delete mode 100644 
lass/2configs/tests/dummy-secrets/hashedPasswords.nix delete mode 100644 lass/2configs/tests/dummy-secrets/icecast-admin-pw delete mode 100644 lass/2configs/tests/dummy-secrets/icecast-source-pw delete mode 100644 lass/2configs/tests/dummy-secrets/initrd/ssh.ed25519_key delete mode 100644 lass/2configs/tests/dummy-secrets/iodinepw.nix delete mode 100644 lass/2configs/tests/dummy-secrets/lassul.us.dkim.priv delete mode 100644 lass/2configs/tests/dummy-secrets/mails.nix delete mode 100644 lass/2configs/tests/dummy-secrets/mysql_rootPassword delete mode 100644 lass/2configs/tests/dummy-secrets/nix-serve.key delete mode 100644 lass/2configs/tests/dummy-secrets/nordvpn.txt delete mode 100644 lass/2configs/tests/dummy-secrets/repos.nix delete mode 100644 lass/2configs/tests/dummy-secrets/retiolum.rsa_key.priv delete mode 100644 lass/2configs/tests/dummy-secrets/searx.key delete mode 100644 lass/2configs/tests/dummy-secrets/ssh-tor.priv delete mode 100644 lass/2configs/tests/dummy-secrets/ssh.id_ed25519 delete mode 100644 lass/2configs/tests/dummy-secrets/ssh.id_rsa delete mode 100644 lass/2configs/tests/dummy-secrets/syncthing.cert delete mode 100644 lass/2configs/tests/dummy-secrets/syncthing.key delete mode 100644 lass/2configs/tests/dummy-secrets/torrent-auth delete mode 100644 lass/2configs/tests/dummy-secrets/transmission-pw delete mode 100644 lass/2configs/texlive.nix delete mode 100644 lass/2configs/themes.nix delete mode 100644 lass/2configs/tmux.nix delete mode 100644 lass/2configs/tor-initrd.nix delete mode 100644 lass/2configs/tor-ssh.nix delete mode 100644 lass/2configs/tv.nix delete mode 100644 lass/2configs/ubik-host.nix delete mode 100644 lass/2configs/urxvt.nix delete mode 100644 lass/2configs/vim.nix delete mode 100644 lass/2configs/virtualbox.nix delete mode 100644 lass/2configs/websites/default.nix delete mode 100644 lass/2configs/websites/domsen.nix delete mode 100644 lass/2configs/websites/flix.lassul.us.nix delete mode 100644 
lass/2configs/websites/lassulus.nix delete mode 100644 lass/2configs/websites/ref.ptkk.de/default.nix delete mode 100644 lass/2configs/websites/sqlBackup.nix delete mode 100644 lass/2configs/websites/util.nix delete mode 100644 lass/2configs/weechat.nix delete mode 100644 lass/2configs/weron/client.nix delete mode 100644 lass/2configs/weron/signaler.nix delete mode 100644 lass/2configs/wine.nix delete mode 100644 lass/2configs/wiregrill.nix delete mode 100644 lass/2configs/xdg-open.nix delete mode 100644 lass/2configs/xmonad.nix delete mode 100644 lass/2configs/xonsh.nix delete mode 100644 lass/2configs/yellow-mounts/samba.nix delete mode 100644 lass/2configs/yubikey.nix delete mode 100644 lass/2configs/zsh.nix delete mode 100644 lass/3modules/autowifi.nix delete mode 100644 lass/3modules/default.nix delete mode 100644 lass/3modules/dnsmasq.nix delete mode 100644 lass/3modules/drbd.nix delete mode 100644 lass/3modules/folderPerms.nix delete mode 100644 lass/3modules/hosts.nix delete mode 100644 lass/3modules/klem.nix delete mode 100644 lass/3modules/mysql-backup.nix delete mode 100644 lass/3modules/news.nix delete mode 100644 lass/3modules/nichtparasoup.nix delete mode 100644 lass/3modules/pyload.nix delete mode 100644 lass/3modules/screenlock.nix delete mode 100644 lass/3modules/usershadow.nix delete mode 100644 lass/4lib/default.nix delete mode 100644 lass/5pkgs/acronym/default.nix delete mode 160000 lass/5pkgs/autowifi delete mode 100644 lass/5pkgs/bank/default.nix delete mode 100644 lass/5pkgs/default.nix delete mode 100644 lass/5pkgs/deploy/default.nix delete mode 100644 lass/5pkgs/dl/default.nix delete mode 100644 lass/5pkgs/dls/default.nix delete mode 100644 lass/5pkgs/drbd9/default.nix delete mode 100644 lass/5pkgs/emot-menu/default.nix delete mode 100644 lass/5pkgs/firefoxPlugins/noscript.nix delete mode 100644 lass/5pkgs/firefoxPlugins/ublock.nix delete mode 100644 lass/5pkgs/firefoxPlugins/vimperator.nix delete mode 100644 
lass/5pkgs/graphml2json/default.nix delete mode 100644 lass/5pkgs/htmlparser/default.nix delete mode 100644 lass/5pkgs/init/default.nix delete mode 100755 lass/5pkgs/init/run-vm.sh delete mode 100644 lass/5pkgs/init/test.nix delete mode 100755 lass/5pkgs/init/test.sh delete mode 100644 lass/5pkgs/install-system/default.nix delete mode 100644 lass/5pkgs/knav/default.nix delete mode 100644 lass/5pkgs/l-gen-secrets/default.nix delete mode 100644 lass/5pkgs/logify/default.nix delete mode 100644 lass/5pkgs/mk_sql_pair/default.nix delete mode 100644 lass/5pkgs/mpv-poll/default.nix delete mode 100644 lass/5pkgs/nichtparasoup/default.nix delete mode 100644 lass/5pkgs/nichtparasoup/exception.patch delete mode 100644 lass/5pkgs/nix-index-update/default.nix delete mode 100644 lass/5pkgs/nm-dmenu/default.nix delete mode 100644 lass/5pkgs/otpmenu/default.nix delete mode 100644 lass/5pkgs/pop/default.nix delete mode 100644 lass/5pkgs/q/default.nix delete mode 100644 lass/5pkgs/review-mail-queue/default.nix delete mode 100644 lass/5pkgs/rs/default.nix delete mode 100644 lass/5pkgs/searx/default.nix delete mode 100644 lass/5pkgs/sshify/default.nix delete mode 100644 lass/5pkgs/sshvnc/default.nix delete mode 100644 lass/5pkgs/super-vnc/default.nix delete mode 100644 lass/5pkgs/sxiv/default.nix delete mode 100644 lass/5pkgs/tdlib-purple/default.nix delete mode 100644 lass/5pkgs/unimenu/default.nix delete mode 100644 lass/5pkgs/urban/default.nix delete mode 100644 lass/5pkgs/xephyrify/default.nix delete mode 100644 lass/5pkgs/xml2json/default.nix delete mode 100644 lass/5pkgs/xonsh2/default.nix delete mode 100644 lass/5pkgs/yt-next/default.nix delete mode 100644 lass/default.nix delete mode 100644 lass/krops.nix create mode 100644 lass/tombstone diff --git a/.gitmodules b/.gitmodules index 4779748c8..38bb83ee3 100644 --- a/.gitmodules +++ b/.gitmodules 
@@ -4,9 +4,6 @@
 [submodule "submodules/krops"]
 path = submodules/krops
 url = https://cgit.krebsco.de/krops
-[submodule "lass/5pkgs/autowifi"]
- path = lass/5pkgs/autowifi
- url = https://github.com/Lassulus/autowifi
 [submodule "submodules/disko"]
 path = submodules/disko
 url = https://github.com/nix-community/disko
diff --git a/kartei/lass/default.nix b/kartei/lass/default.nix
index 9ccf1c72d..fac48a8ba 100644
--- a/kartei/lass/default.nix
+++ b/kartei/lass/default.nix
@@ -17,7 +17,7 @@ in {
 hosts = lib.mapAttrs (_: lib.recursiveUpdate {
 owner = config.krebs.users.lass;
 consul = true;
- ci = true;
+ ci = false;
 monitoring = true;
 }) (
 lib.genAttrs hostFiles (host: import (./. + "/${host}.nix") {
diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix
deleted file mode 100644
index 9b7409bcc..000000000
--- a/lass/1systems/aergia/config.nix
+++ /dev/null
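Review bot: The `ci = true` → `ci = false` flip in kartei/lass/default.nix is applied to every lass host through the shared `lib.recursiveUpdate` default, but the hunk leaves no record of why CI is being switched off for all of them at once. The diffstat suggests the reason is that the whole lass/ system tree is deleted in this commit and replaced by lass/tombstone, so there is nothing left for CI to build, but a reader of kartei alone cannot see that; a one-line comment would make the intent durable, e.g. `ci = false; # lass/ system configs were removed from this repo; nothing left for CI to build`. Note that `consul = true;` and `monitoring = true;` remain set for the same hosts while their configs are gone, so it is worth confirming that monitoring alerts for these hosts are expected or should be disabled alongside CI. The `hosts` attribute set continues outside the hunk.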
@@ -1,167 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - - - - - - - - - - - - - - - - - - - - # - - - - - - # steam-deck like experience https://github.com/Jovian-Experiments/Jovian-NixOS - { - imports = [ - "${builtins.fetchTarball "https://github.com/Jovian-Experiments/Jovian-NixOS/archive/master.tar.gz"}/modules" - ]; - jovian.steam.enable = true; - } - { # autorandrs - services.autorandr = { - enable = true; - hooks.postswitch.reset_usb = '' - echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized - ${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert - ''; - profiles = { - default = { - fingerprint = { - eDP = "00ffffffffffff00288931000100000016200104805932780a0dc9a05747982712484c0000000101010101010101010101010101010108700088a1401360c820a300d9870000001ead4a0088a1401360c820a30020c23100001e000000fd0016480f5a1e000a202020202020000000fc0047504431303031480a2020202000cf"; - }; - config = { - eDP = { - enable = true; - primary = true; - position = "0x0"; - mode = "2560x1600"; - rate = "60.01"; - transform = [ - [ 0.750000 0.000000 0.000000 ] - [ 0.000000 0.750000 0.000000 ] - [ 0.000000 0.000000 1.000000 ] - ]; - # scale = { - # x = 0.599991; - # y = 0.599991; - # }; - }; - }; - }; - docked2 = { - fingerprint = { - eDP = config.services.autorandr.profiles.default.fingerprint.eDP; - DisplayPort-8 = "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"; - DisplayPort-7 = "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"; - }; - config = { - DisplayPort-7 = { - enable = true; - position = "2560x0"; - mode = "1920x1080"; - rate = "60.00"; - }; - DisplayPort-8 = config.services.autorandr.profiles.docked1.config.DisplayPort-1; - eDP = config.services.autorandr.profiles.docked1.config.eDP; - }; - }; - docked1 = { - fingerprint = { - eDP = config.services.autorandr.profiles.default.fingerprint.eDP; - DisplayPort-1 = 
"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"; - }; - config = { - DisplayPort-1 = { - enable = true; - primary = true; - position = "0x0"; - mode = "2560x1440"; - rate = "165.08"; - }; - eDP = config.services.autorandr.profiles.default.config.eDP // { - primary = false; - position = "640x1440"; - }; - }; - }; - docked1_hack = { - fingerprint = { - eDP = config.services.autorandr.profiles.default.fingerprint.eDP; - HDMI-A-0 = "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"; - }; - config = { - HDMI-A-0 = { - enable = true; - primary = true; - position = "0x0"; - mode = "2560x1440"; - rate = "165.08"; - }; - eDP = config.services.autorandr.profiles.default.config.eDP // { - primary = false; - position = "640x1440"; - }; - }; - }; - }; - }; - } - ]; - - system.stateVersion = "22.11"; - - krebs.build.host = config.krebs.hosts.aergia; - - environment.systemPackages = with pkgs; [ - brain - bank - l-gen-secrets - generate-secrets - nixpkgs-review - pipenv - ]; - - programs.adb.enable = true; - - hardware.bluetooth = { - enable = true; - powerOnBoot = true; - }; - hardware.pulseaudio.package = pkgs.pulseaudioFull; - - nix.trustedUsers = [ "root" "lass" ]; - - # nix.extraOptions = '' - # extra-experimental-features = nix-command flakes - # ''; - - services.tor = { - enable = true; - client.enable = true; - }; - - documentation.nixos.enable = true; - boot.binfmt.emulatedSystems = [ - "aarch64-linux" - ]; - - boot.cleanTmpDir = true; - programs.noisetorch.enable = true; -} diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix deleted file mode 100644 index 233b320e4..000000000 --- a/lass/1systems/aergia/disk.nix +++ /dev/null 
@@ -1,63 +0,0 @@ -{ lib, ... }: -{ - disk = { - main = { - type = "disk"; - device = "/dev/nvme0n1"; - content = { - type = "table"; - format = "gpt"; - partitions = [ - { - name = "boot"; - start = "0"; - end = "1M"; - part-type = "primary"; - flags = ["bios_grub"]; - } - { - name = "ESP"; - start = "1MiB"; - end = "1GiB"; - fs-type = "fat32"; - bootable = true; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - } - { - name = "root"; - start = "1GiB"; - end = "100%"; - content = { - type = "luks"; - name = "aergia1"; - content = { - type = "btrfs"; - extraArgs = "-f"; # Override existing partition - subvolumes = { - # Subvolume name is different from mountpoint - "/rootfs" = { - mountpoint = "/"; - }; - # Mountpoints inferred from subvolume name - "/home" = { - mountOptions = []; - mountpoint = "/home"; - }; - "/nix" = { - mountOptions = []; - mountpoint = "/nix"; - }; - }; - }; - }; - } - ]; - }; - }; - }; -} - diff --git a/lass/1systems/aergia/install.sh b/lass/1systems/aergia/install.sh deleted file mode 100644 index 0e4f0ab4c..000000000 --- a/lass/1systems/aergia/install.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -target=$1 diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix deleted file mode 100644 index e76460d20..000000000 --- a/lass/1systems/aergia/physical.nix +++ /dev/null 
@@ -1,117 +0,0 @@ -{ config, lib, pkgs, modulesPath, ... }: -{ - imports = [ - ./config.nix - (modulesPath + "/installer/scan/not-detected.nix") - - ]; - disko.devices = import ./disk.nix; - - networking.hostId = "deadbeef"; - # boot.loader.efi.canTouchEfiVariables = true; - boot.loader.grub = { - enable = true; - device = "/dev/nvme0n1"; - efiSupport = true; - efiInstallAsRemovable = true; - }; - - # boot.kernelPackages = pkgs.linuxPackages_latest; - - boot.kernelParams = [ - # use less power with pstate - "amd_pstate=passive" - - # suspend - "resume_offset=178345675" - ]; - - boot.kernelModules = [ - # Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html - # On recent AMD CPUs this can be more energy efficient. - "amd-pstate" - "kvm-amd" - ]; - - # hardware.cpu.amd.updateMicrocode = true; - - services.xserver.videoDrivers = [ - "amdgpu" - ]; - - boot.initrd.availableKernelModules = [ - "nvme" - "thunderbolt" - "xhci_pci" - "usbhid" - ]; - - boot.initrd.kernelModules = [ - "amdgpu" - ]; - - environment.systemPackages = [ - pkgs.vulkan-tools - (pkgs.writers.writeDashBin "set_tdp" '' - set -efux - watt=$1 - value=$(( $watt * 1000 )) - ${pkgs.ryzenadj}/bin/ryzenadj --stapm-limit="$value" --fast-limit="$value" --slow-limit="$value" - '') - ]; - - # corectrl - programs.corectrl = { - enable = true; - gpuOverclock = { - enable = true; - ppfeaturemask = "0xffffffff"; - }; - }; - users.users.mainUser.extraGroups = [ "corectrl" ]; - - # keyboard quirks - services.xserver.displayManager.sessionCommands = '' - ${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert - ''; - services.udev.extraHwdb = /* sh */ '' - # disable back buttons - evdev:input:b0003v2F24p0135* # /dev/input/event2 - KEYBOARD_KEY_70026=reserved - KEYBOARD_KEY_70027=reserved - ''; - - # update cpu microcode - hardware.cpu.amd.updateMicrocode = true; - - hardware.opengl.enable = true; - 
hardware.opengl.extraPackages = [ - pkgs.amdvlk - pkgs.rocm-opencl-icd - pkgs.rocm-opencl-runtime - ]; - - # suspend to disk - swapDevices = [{ - device = "/swapfile"; - }]; - boot.resumeDevice = "/dev/mapper/aergia1"; - services.logind.lidSwitch = "suspend-then-hibernate"; - services.logind.extraConfig = '' - HandlePowerKey=hibernate - ''; - # systemd.sleep.extraConfig = '' - # HibernateDelaySec=1800 - # ''; - - # firefox touchscreen support - environment.sessionVariables.MOZ_USE_XINPUT2 = "1"; - - # enable thunderbolt - services.hardware.bolt.enable = true; - - # reinit usb after docking station connect - services.udev.extraRules = '' - SUBSYSTEM=="drm", ACTION=="change", RUN+="${pkgs.dash}/bin/dash -c 'echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized'" - ''; -} diff --git a/lass/1systems/aergia/source.nix b/lass/1systems/aergia/source.nix deleted file mode 100644 index abbf26c75..000000000 --- a/lass/1systems/aergia/source.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ lib, pkgs, test, ... }: let - npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json; -in { - nixpkgs = (if test then lib.mkForce ({ derivation = let - rev = npkgs.rev; - sha256 = npkgs.sha256; - in '' - with import (builtins.fetchTarball { - url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz"; - sha256 = "${sha256}"; - }) {}; - pkgs.fetchFromGitHub { - owner = "nixos"; - repo = "nixpkgs"; - rev = "${rev}"; - sha256 = "${sha256}"; - } - ''; }) else { - git.ref = lib.mkForce npkgs.rev; - }); -} diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix deleted file mode 100644 index c4286cca3..000000000 --- a/lass/1systems/blue/config.nix +++ /dev/null 
@@ -1,22 +0,0 @@
-with import ;
-{ config, lib, pkgs, ... }:
-{
- imports = [
-
-
-
-
-
-
-
-
-
- ];
-
- krebs.build.host = config.krebs.hosts.blue;
-
- networking.nameservers = [ "1.1.1.1" ];
-
- time.timeZone = "Europe/Berlin";
- users.users.mainUser.openssh.authorizedKeys.keys = [ config.krebs.users.lass-android.pubkey ];
-}
diff --git a/lass/1systems/blue/physical.nix b/lass/1systems/blue/physical.nix
deleted file mode 100644
index b6aa3a894..000000000
--- a/lass/1systems/blue/physical.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ./config.nix
- ];
- boot.isContainer = true;
- networking.useDHCP = false;
-}
diff --git a/lass/1systems/blue/source.nix b/lass/1systems/blue/source.nix
deleted file mode 100644
index 0b2bf5f5b..000000000
--- a/lass/1systems/blue/source.nix
+++ /dev/null
@@ -1,17 +0,0 @@
-{ lib, pkgs, test, ... }:
-if test then {} else {
- nixpkgs = lib.mkIf (! test) (lib.mkForce {
- file = {
- path = toString (pkgs.fetchFromGitHub {
- owner = "nixos";
- repo = "nixpkgs";
- rev = (lib.importJSON ../../../krebs/nixpkgs.json).rev;
- sha256 = (lib.importJSON ../../../krebs/nixpkgs.json).sha256;
- });
- useChecksum = true;
- };
- });
- nixpkgs-unstable = lib.mkForce {
- file.path = "/var/empty";
- };
-}
diff --git a/lass/1systems/coaxmetal/config.nix b/lass/1systems/coaxmetal/config.nix
deleted file mode 100644
index 7fd76974b..000000000
--- a/lass/1systems/coaxmetal/config.nix
+++ /dev/null
@@ -1,63 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - - - - - - - - - - - - - - - - - - - - - # - ]; - - krebs.build.host = config.krebs.hosts.coaxmetal; - - environment.systemPackages = with pkgs; [ - brain - bank - l-gen-secrets - (pkgs.writeDashBin "deploy" '' - set -eu - export SYSTEM="$1" - $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) - '') - (pkgs.writeDashBin "usb-tether-on" '' - adb shell su -c service call connectivity 33 i32 1 s16 text - '') - (pkgs.writeDashBin "usb-tether-off" '' - adb shell su -c service call connectivity 33 i32 0 s16 text - '') - ]; - - programs.adb.enable = true; - - hardware.bluetooth = { - enable = true; - powerOnBoot = true; - }; - hardware.pulseaudio.package = pkgs.pulseaudioFull; - - nix.trustedUsers = [ "root" "lass" ]; - - services.tor = { - enable = true; - client.enable = true; - }; - - documentation.nixos.enable = true; -} diff --git a/lass/1systems/coaxmetal/physical.nix b/lass/1systems/coaxmetal/physical.nix deleted file mode 100644 index 6be047300..000000000 --- a/lass/1systems/coaxmetal/physical.nix +++ /dev/null 
@@ -1,59 +0,0 @@ -{ config, lib, pkgs, modulesPath, ... }: -{ - imports = [ - ./config.nix - (modulesPath + "/installer/scan/not-detected.nix") - ]; - - networking.hostId = "e0c335ea"; - boot.zfs.requestEncryptionCredentials = true; - boot.zfs.enableUnstable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.loader.grub = { - enable = true; - # device = "/dev/disk/by-id/nvme-WDC_PC_SN730_SDBQNTY-1T00-1001_205349800040"; - device = "nodev"; - efiSupport = true; - # efiInstallAsRemovable = true; - }; - - services.xserver.videoDrivers = [ - "amdgpu" - ]; - - hardware.opengl.extraPackages = [ pkgs.amdvlk ]; - environment.variables.VK_ICD_FILENAMES = - "/run/opengl-driver/share/vulkan/icd.d/amd_icd64.json"; - - boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-amd" ]; - - fileSystems."/" = { - device = "zpool/root/root"; - fsType = "zfs"; - }; - - fileSystems."/home" = { - device = "zpool/root/home"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/50A7-1889"; - fsType = "vfat"; - }; - - services.logind.lidSwitch = "ignore"; - services.logind.lidSwitchDocked = "ignore"; - - # Mouse stuff - services.xserver.libinput.enable = lib.mkForce false; - services.xserver.synaptics.enable = true; - - services.xserver.displayManager.sessionCommands = '' - xinput disable 'ETPS/2 Elantech Touchpad' - xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation' 1 - xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Button' 2 - xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Axes' 6 7 4 5 - ''; -} diff --git a/lass/1systems/coaxmetal/source.nix b/lass/1systems/coaxmetal/source.nix deleted file mode 100644 index abbf26c75..000000000 --- a/lass/1systems/coaxmetal/source.nix +++ /dev/null 
@@ -1,21 +0,0 @@
-{ lib, pkgs, test, ... }: let
- npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
-in {
- nixpkgs = (if test then lib.mkForce ({ derivation = let
- rev = npkgs.rev;
- sha256 = npkgs.sha256;
- in ''
- with import (builtins.fetchTarball {
- url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
- sha256 = "${sha256}";
- }) {};
- pkgs.fetchFromGitHub {
- owner = "nixos";
- repo = "nixpkgs";
- rev = "${rev}";
- sha256 = "${sha256}";
- }
- ''; }) else {
- git.ref = lib.mkForce npkgs.rev;
- });
-}
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
deleted file mode 100644
index c34dc0acf..000000000
--- a/lass/1systems/daedalus/config.nix
+++ /dev/null
@@ -1,115 +0,0 @@ -with import ; -{ config, pkgs, ... }: - -{ - imports = [ - - - - - # - { - # bubsy config - users.users.bubsy = { - uid = genid "bubsy"; - home = "/home/bubsy"; - group = "users"; - createHome = true; - extraGroups = [ - "audio" - "networkmanager" - "pipewire" - # "plugdev" - ]; - useDefaultShell = true; - isNormalUser = true; - }; - networking.networkmanager.enable = true; - networking.wireless.enable = mkForce false; - # programs.chromium = { - # enable = true; - # extensions = [ - # "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin - # ]; - # }; - environment.systemPackages = with pkgs; [ - ark - pavucontrol - #firefox - chromium - hexchat - networkmanagerapplet - libreoffice - audacity - zathura - skypeforlinux - wine - geeqie - vlc - zsnes - telegram-desktop - ]; - # services.udev.packages = [ pkgs.ledger-udev-rules ]; - nixpkgs.config.firefox.enableAdobeFlash = true; - services.xserver.enable = true; - services.xserver.displayManager.lightdm.enable = true; - services.xserver.desktopManager.plasma5.enable = true; - services.tlp.enable = lib.mkForce false; - services.xserver.layout = "de"; - } - { - users = { - groups.plugdev = {}; - users = { - bitcoin = { - name = "bitcoin"; - description = "user for bitcoin stuff"; - home = "/home/bitcoin"; - isNormalUser = true; - useDefaultShell = true; - createHome = true; - extraGroups = [ - "audio" - "networkmanager" - "plugdev" - ]; - packages = [ - pkgs.electrum - pkgs.electron-cash - pkgs.ledger-live-desktop - ]; - }; - }; - }; - hardware.ledger.enable = true; - security.sudo.extraConfig = '' - bubsy ALL=(bitcoin) NOPASSWD: ALL - ''; - } - { - #remote control - environment.systemPackages = with pkgs; [ - x11vnc - # torbrowser - ]; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp -i retiolum --dport 5900"; target = "ACCEPT"; } - ]; - } - ]; - - time.timeZone = "Europe/Berlin"; - - hardware.trackpoint = { - enable = true; - sensitivity = 220; - speed = 0; - emulateWheel = true; 
- }; - - services.logind.extraConfig = '' - HandleLidSwitch=ignore - ''; - - krebs.build.host = config.krebs.hosts.daedalus; -} diff --git a/lass/1systems/daedalus/physical.nix b/lass/1systems/daedalus/physical.nix deleted file mode 100644 index d10ced7da..000000000 --- a/lass/1systems/daedalus/physical.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ - imports = [ - ./config.nix - - - ]; - - fileSystems = { - "/bku" = { - device = "/dev/mapper/pool-bku"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - "/backups" = { - device = "/dev/pool/backup"; - fsType = "ext4"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" - ''; -} diff --git a/lass/1systems/dishfire/config.nix b/lass/1systems/dishfire/config.nix deleted file mode 100644 index 279cad10b..000000000 --- a/lass/1systems/dishfire/config.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - - - - - - ]; - - krebs.build.host = config.krebs.hosts.dishfire; -} diff --git a/lass/1systems/dishfire/physical.nix b/lass/1systems/dishfire/physical.nix deleted file mode 100644 index ca013132f..000000000 --- a/lass/1systems/dishfire/physical.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, lib, pkgs, modulesPath, ... }: - -{ - imports = [ - ./config.nix - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ ]; - boot.kernelModules = [ ]; - boot.extraModulePackages = [ ]; - boot.loader.grub.devices = [ "/dev/sda" ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/84053adc-49bc-4e02-8a19-3838bf3a43fd"; - fsType = "ext4"; - }; - - swapDevices = [ ]; -} diff --git a/lass/1systems/echelon/config.nix b/lass/1systems/echelon/config.nix deleted file mode 100644 index eacdff782..000000000 
--- a/lass/1systems/echelon/config.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ config, pkgs, ... }: -{ - imports = [ - - - - - - - ]; - - krebs.build.host = config.krebs.hosts.echelon; - - boot.tmpOnTmpfs = true; - -} - diff --git a/lass/1systems/echelon/physical.nix b/lass/1systems/echelon/physical.nix deleted file mode 100644 index fbacc3927..000000000 --- a/lass/1systems/echelon/physical.nix +++ /dev/null @@ -1,33 +0,0 @@ -{ config, lib, pkgs, modulesPath, ... }: -{ - imports = [ - ./config.nix - (modulesPath + "/profiles/qemu-guest.nix") - ]; - - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.efiSupport = true; - boot.loader.grub.efiInstallAsRemovable = true; - # Define on which hard drive you want to install Grub. - boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only - - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.initrd.luks.devices.luksroot.device = "/dev/sda3"; - - networking.useDHCP = false; - networking.interfaces.ens18.useDHCP = true; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/5186edb1-9234-48ae-8679-61facb56b818"; - fsType = "xfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/56D1-34A0"; - fsType = "vfat"; - }; - -} diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix deleted file mode 100644 index 81b8b909b..000000000 --- a/lass/1systems/green/config.nix +++ /dev/null 
@@ -1,75 +0,0 @@ -with import ; -{ config, lib, pkgs, ... }: -{ - imports = [ - - - - - - - - - - - - - - - - - - - - - ]; - - krebs.build.host = config.krebs.hosts.green; - - krebs.sync-containers3.inContainer = { - enable = true; - pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y"; - }; - - systemd.tmpfiles.rules = [ - "d /home/lass/.local/share 0700 lass users -" - "d /home/lass/.local 0700 lass users -" - "d /home/lass/.config 0700 lass users -" - - "d /var/state/lass_mail 0700 lass users -" - "L+ /home/lass/Maildir - - - - ../../var/state/lass_mail" - - "d /var/state/lass_ssh 0700 lass users -" - "L+ /home/lass/.ssh - - - - ../../var/state/lass_ssh" - "d /var/state/lass_gpg 0700 lass users -" - "L+ /home/lass/.gnupg - - - - ../../var/state/lass_gpg" - "d /var/state/lass_sync 0700 lass users -" - "L+ /home/lass/sync - - - - ../../var/state/lass_sync" - - "d /var/state/git 0700 git nogroup -" - "L+ /var/lib/git - - - - ../../var/state/git" - ]; - - users.users.mainUser.openssh.authorizedKeys.keys = [ - config.krebs.users.lass-android.pubkey - config.krebs.users.lass-tablet.pubkey - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKgpZwye6yavIs3gUIYvSi70spDa0apL2yHR0ASW74z8" # weechat ssh tunnel - ]; - - krebs.iptables.tables.nat.PREROUTING.rules = [ - { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; } - ]; - - # workaround for ssh access from yubikey via android - services.openssh.extraConfig = '' - HostKeyAlgorithms +ssh-rsa - PubkeyAcceptedAlgorithms +ssh-rsa - ''; - - services.dovecot2 = { - enable = true; - mailLocation = "maildir:~/Maildir"; - }; - - networking.firewall.allowedTCPPorts = [ 143 ]; -} diff --git a/lass/1systems/green/physical.nix b/lass/1systems/green/physical.nix deleted file mode 100644 index 8577daf34..000000000 --- a/lass/1systems/green/physical.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ - imports = [ - ./config.nix - ]; - boot.isContainer = true; - networking.useDHCP = true; -} 
diff --git a/lass/1systems/green/source.nix b/lass/1systems/green/source.nix
deleted file mode 100644
index 4acdb0c26..000000000
--- a/lass/1systems/green/source.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ lib, pkgs, test, ... }: let
- npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
-in if test then {} else {
- nixpkgs.git.ref = lib.mkForce npkgs.rev;
- nixpkgs-unstable = lib.mkForce { file = "/var/empty"; };
-}
diff --git a/lass/1systems/hilum/config.nix b/lass/1systems/hilum/config.nix
deleted file mode 100644
index 953b5d0d4..000000000
--- a/lass/1systems/hilum/config.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ config, pkgs, ... }:
-{
- imports = [
-
-
-
-
-
- ];
-
- krebs.build.host = config.krebs.hosts.hilum;
-
- boot.loader.grub = {
- extraEntries = ''
- submenu isos {
- source /grub/autoiso.cfg
- }
- '';
- extraFiles."/grub/autoiso.cfg" = (pkgs.stdenv.mkDerivation {
- name = "autoiso.cfg";
- src = pkgs.grub2.src;
- phases = [ "unpackPhase" "installPhase" ];
- installPhase = ''
- cp docs/autoiso.cfg $out
- '';
- });
- };
-
- services.logind.lidSwitch = "ignore";
- services.logind.lidSwitchDocked = "ignore";
-
- boot.tmpOnTmpfs = true;
-}
diff --git a/lass/1systems/hilum/disk.nix b/lass/1systems/hilum/disk.nix
deleted file mode 100644
index b5199d432..000000000
--- a/lass/1systems/hilum/disk.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ lib, disk, keyFile, ... }:
-{
- disk = {
- main = {
- type = "disk";
- device = disk;
- content = {
- type = "table";
- format = "gpt";
- partitions = [
- {
- name = "boot";
- start = "0";
- end = "1M";
- flags = ["bios_grub"];
- }
- {
- name = "ESP";
- start = "1M";
- end = "50%";
- bootable = true;
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- }
- {
- name = "root";
- start = "50%";
- end = "100%";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- };
- }
- ];
- };
- };
- };
-}
-
diff --git a/lass/1systems/hilum/flash-stick.sh b/lass/1systems/hilum/flash-stick.sh deleted file mode 100755 index 9846ea087..000000000 --- a/lass/1systems/hilum/flash-stick.sh +++ /dev/null @@ -1,43 +0,0 @@ -#!/bin/sh -set -efux - -disk=$1 - -cd "$(dirname "$0")" -export NIXPKGS_ALLOW_UNFREE=1 -(umask 077; pass show admin/hilum/luks > /tmp/hilum.luks) -trap 'rm -f /tmp/hilum.luks' EXIT -echo "$disk" > /tmp/hilum-disk -trap 'rm -f /tmp/hilum-disk' EXIT - -stockholm_root=$(git rev-parse --show-toplevel) -ssh root@localhost -t -- $(nix-build \ - --no-out-link \ - -I nixpkgs=/var/src/nixpkgs \ - -I stockholm="$stockholm_root" \ - -I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \ - -E "with import {}; (pkgs.nixos [ - { - luksPassFile = \"/tmp/hilum.luks\"; - mainDisk = \"$disk\"; - disko.rootMountPoint = \"/mnt/hilum\"; - } - ./physical.nix - ]).disko" -) -rm -f /tmp/hilum.luks -$(nix-build \ - --no-out-link \ - -I nixpkgs=/var/src/nixpkgs \ - "$stockholm_root"/lass/krops.nix -A populate \ - --argstr name hilum \ - --argstr target "root@localhost/mnt/hilum/var/src" \ - --arg force true -) -ssh root@localhost << SSH -set -efux -mkdir -p /mnt/hilum/etc -NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config nixos-install --no-bootloader --no-root-password --root /mnt/hilum -I /var/src -nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader -umount -Rv /mnt/hilum -SSH diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix deleted file mode 100644 index 9caf8e531..000000000 --- a/lass/1systems/hilum/physical.nix +++ /dev/null 
@@ -1,53 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - ./config.nix - - { - # nice hack to carry around state passed impurely at the beginning - options.mainDisk = let - tryFile = path: default: - if lib.elem (builtins.baseNameOf path) (lib.attrNames (builtins.readDir (builtins.dirOf path))) then - builtins.readFile path - else - default - ; - in lib.mkOption { - type = lib.types.str; - default = tryFile "/etc/hilum-disk" (tryFile "/tmp/hilum-disk" "/dev/sdz"); - }; - config.environment.etc.hilum-disk.text = config.mainDisk; - } - { - options.luksPassFile = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - } - ]; - - disko.devices = import ./disk.nix { - inherit lib; - disk = config.mainDisk; - keyFile = config.luksPassFile; - }; - - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - boot.loader.grub.enable = true; - boot.loader.grub.efiSupport = true; - boot.loader.grub.device = config.mainDisk; - boot.loader.grub.efiInstallAsRemovable = true; - - swapDevices = [ ]; - - nix.maxJobs = lib.mkDefault 4; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - - #weird bug with nixos-enter - services.logrotate.enable = false; -} diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix deleted file mode 100644 index e789b09da..000000000 --- a/lass/1systems/icarus/config.nix +++ /dev/null @@ -1,30 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -{ - imports = [ - - - - - - - - - - - - - - - # - - - - ]; - - krebs.build.host = config.krebs.hosts.icarus; - - - environment.systemPackages = [ pkgs.chromium ]; -} diff --git a/lass/1systems/icarus/physical.nix b/lass/1systems/icarus/physical.nix deleted file mode 100644 index 0b1aff4a8..000000000 --- a/lass/1systems/icarus/physical.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - imports = [ - ./config.nix - # - # - - - ]; - - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.efiSupport = true; - boot.loader.grub.efiInstallAsRemovable = true; - boot.loader.grub.device = "/dev/disk/by-id/wwn-0x5002538d702f5ac6"; - boot.initrd.luks.devices.ssd.device = "/dev/disk/by-id/wwn-0x5002538d702f5ac6-part3"; - - boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "sd_mod" "sdhci_pci" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/298eb635-8db2-4c15-a73d-2e0d6afa10e8"; - fsType = "xfs"; - }; - - fileSystems."/home" = { - device = "/dev/disk/by-uuid/eec94bef-e745-4d95-ad17-4df728f5fd31"; - fsType = "xfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/D975-2CAB"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - nix.maxJobs = lib.mkDefault 4; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" - ''; - - services.logind.lidSwitch = "ignore"; -} diff --git a/lass/1systems/lasspi/config.nix b/lass/1systems/lasspi/config.nix deleted file mode 100644 index d2207627d..000000000 --- a/lass/1systems/lasspi/config.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config, lib, pkgs, ... }: -let -in -{ - imports = [ - - - - ]; - - krebs.build.host = config.krebs.hosts.lasspi; - - networking = { - networkmanager = { - enable = true; - }; - }; - environment.systemPackages = with pkgs; [ - vim - rxvt-unicode-unwrapped.terminfo - ]; - services.openssh.enable = true; - - system.stateVersion = "22.05"; -} diff --git a/lass/1systems/lasspi/physical.nix b/lass/1systems/lasspi/physical.nix deleted file mode 100644 index 07efb5ca5..000000000 
--- a/lass/1systems/lasspi/physical.nix +++ /dev/null @@ -1,45 +0,0 @@ -{ config, lib, pkgs, modulesPath, ... }: -{ - imports = [ - (modulesPath + "/installer/scan/not-detected.nix") - ./config.nix - ]; - - boot = { - # kernelPackages = pkgs.linuxPackages_rpi4; - tmpOnTmpfs = true; - initrd.availableKernelModules = [ "usbhid" "usb_storage" "xhci_pci" ]; - # ttyAMA0 is the serial console broken out to the GPIO - kernelParams = [ - "8250.nr_uarts=1" - "console=ttyAMA0,115200" - "console=tty1" - # Some gui programs need this - "cma=128M" - ]; - }; - - # boot.loader.raspberryPi = { - # enable = true; - # version = 4; - # # uboot.enable = true; - # }; - boot.loader.grub.enable = false; - boot.loader.generic-extlinux-compatible.enable = true; - - # Required for the Wireless firmware - hardware.enableRedistributableFirmware = true; - - networking.interfaces.eth0.useDHCP = true; - - # Assuming this is installed on top of the disk image. - fileSystems = { - "/" = { - device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888"; - fsType = "ext4"; - options = [ "noatime" ]; - }; - }; - - powerManagement.cpuFreqGovernor = "ondemand"; -} diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix deleted file mode 100644 index adf8aeeb1..000000000 --- a/lass/1systems/littleT/config.nix +++ /dev/null @@ -1,30 +0,0 @@ -with import ; -{ config, pkgs, ... }: - -{ - imports = [ - - - - - - - ]; - - networking.networkmanager.enable = true; - networking.wireless.enable = mkForce false; - time.timeZone = "Europe/Berlin"; - - hardware.trackpoint = { - enable = true; - sensitivity = 220; - speed = 0; - emulateWheel = true; - }; - - services.logind.extraConfig = '' - HandleLidSwitch=ignore - ''; - - krebs.build.host = config.krebs.hosts.littleT; -} diff --git a/lass/1systems/littleT/physical.nix b/lass/1systems/littleT/physical.nix deleted file mode 100644 index 550f058a8..000000000 --- a/lass/1systems/littleT/physical.nix +++ /dev/null 
@@ -1,25 +0,0 @@
-{
- imports = [
- ./config.nix
-
- ];
- fileSystems."/" =
- { device = "rpool/root";
- fsType = "zfs";
- };
-
- fileSystems."/boot" =
- { device = "/dev/disk/by-uuid/5B2E-3734";
- fsType = "vfat";
- };
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.efiSupport = true;
- boot.loader.grub.efiInstallAsRemovable = true;
- boot.loader.grub.device = "nodev";
- networking.hostId = "584248c6";
-
- boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
- boot.kernelModules = [ "kvm-intel" ];
-
-}
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
deleted file mode 100644
index 23f8a1184..000000000
--- a/lass/1systems/mors/config.nix
+++ /dev/null
@@ -1,167 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -{ - imports = [ - - - - - - - - - - - - - - - - - - - - - - - - # - - - - - - - - - - # - # - - - - { - krebs.iptables.tables.filter.INPUT.rules = [ - #risk of rain - { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; } - #quake3 - { predicate = "-p tcp --dport 27950:27965"; target = "ACCEPT"; } - { predicate = "-p udp --dport 27950:27965"; target = "ACCEPT"; } - ]; - } - { - services.nginx = { - enable = true; - virtualHosts.default = { - default = true; - serverAliases = [ - "localhost" - "${config.krebs.build.host.name}" - "${config.krebs.build.host.name}.r" - ]; - locations."~ ^/~(.+?)(/.*)?\$".extraConfig = '' - alias /home/$1/public_html$2; - ''; - }; - }; - } - { - services.redis.enable = true; - } - { - environment.systemPackages = [ - pkgs.ovh-zone - pkgs.bank - pkgs.adb-sync - pkgs.transgui - ]; - } - { - services.tor = { - enable = true; - client.enable = true; - }; - } - ]; - - krebs.build.host = config.krebs.hosts.mors; - - environment.systemPackages = with pkgs; [ - acronym - brain - cac-api - sshpass - get - hashPassword - urban - mk_sql_pair - remmina - transmission - - macchanger - - dnsutils - woeusb - (pkgs.writeDashBin "play-on" '' - HOST=$(echo 'styx\nshodan' | fzfmenu) - ssh -t "$HOST" -- mpv "$@" - '') - ]; - - #TODO: fix this shit - ##fprint stuff - ##sudo fprintd-enroll $USER to save fingerprints - #services.fprintd.enable = true; - #security.pam.services.sudo.fprintAuth = true; - - users.extraGroups = { - loot = { - members = [ - config.users.extraUsers.mainUser.name - "firefox" - "chromium" - "google" - "virtual" - ]; - }; - }; - - krebs.repo-sync.timerConfig = { - OnCalendar = "00:37"; - }; - - nixpkgs.config.android_sdk.accept_license = true; - programs.adb.enable = true; - - - services.earlyoom = { - enable = true; - freeMemThreshold = 5; - }; - - - # It may leak your data, but look how FAST it is!1!! 
- # https://make-linux-fast-again.com/ - boot.kernelParams = [ - "noibrs" - "noibpb" - "nopti" - "nospectre_v2" - "nospectre_v1" - "l1tf=off" - "nospec_store_bypass_disable" - "no_stf_barrier" - "mds=off" - "mitigations=off" - ]; - - boot.binfmt.emulatedSystems = [ - "aarch64-linux" - ]; - - nix.trustedUsers = [ "root" "lass" ]; - - services.nscd.enableNsncd = true; - -} diff --git a/lass/1systems/mors/physical.nix b/lass/1systems/mors/physical.nix deleted file mode 100644 index 2ffbf88c0..000000000 --- a/lass/1systems/mors/physical.nix +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - imports = [ - ./config.nix - - - ]; - - boot.kernelParams = [ "acpi_backlight=native" ]; - - fileSystems = { - "/bku" = { - device = "/dev/mapper/pool-bku"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - "/home/virtual" = { - device = "/dev/mapper/pool-virtual"; - fsType = "ext4"; - }; - "/backups" = { - device = "/dev/pool/backup"; - fsType = "ext4"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", DEVPATH=="/devices/pci*/*1c.1/*/net/*", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:37:15:d9", NAME="et0" - ''; - - #TODO activationScripts seem broken, fix them! - #activationScripts - #split up and move into base - system.activationScripts.powertopTunables = '' - #Runtime PMs - echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' - ''; -} diff --git a/lass/1systems/mors/source.nix b/lass/1systems/mors/source.nix deleted file mode 100644 index abbf26c75..000000000 --- a/lass/1systems/mors/source.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ lib, pkgs, test, ... }: let - npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json; -in { - nixpkgs = (if test then lib.mkForce ({ derivation = let - rev = npkgs.rev; - sha256 = npkgs.sha256; - in '' - with import (builtins.fetchTarball { - url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz"; - sha256 = "${sha256}"; - }) {}; - pkgs.fetchFromGitHub { - owner = "nixos"; - repo = "nixpkgs"; - rev = "${rev}"; - sha256 = "${sha256}"; - } - ''; }) else { - git.ref = lib.mkForce npkgs.rev; - }); -} diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix deleted file mode 100644 index 79402959e..000000000 --- a/lass/1systems/neoprism/config.nix +++ /dev/null @@ -1,51 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - - - - - - - - # sync-containers - - - - - - - - # other containers - - - # proxying of services - - - - ]; - - krebs.build.host = config.krebs.hosts.neoprism; - - networking.firewall.allowedTCPPorts = [ 80 443 ]; - security.acme.acceptTerms = true; - security.acme.defaults.email = "acme@lassul.us"; - services.nginx = { - enable = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedTlsSettings = true; - - enableReload = true; - - virtualHosts.default = { - default = true; - locations."= /etc/os-release".extraConfig = '' - default_type text/plain; - alias /etc/os-release; - ''; - locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge"; - }; - }; -} diff --git a/lass/1systems/neoprism/disk.nix b/lass/1systems/neoprism/disk.nix deleted file mode 100644 index c5bd44c94..000000000 --- a/lass/1systems/neoprism/disk.nix +++ /dev/null 
@@ -1,118 +0,0 @@ -{ lib, ... }: -{ - disk = (lib.genAttrs [ "/dev/nvme0n1" "/dev/nvme1n1" ] (disk: { - type = "disk"; - device = disk; - content = { - type = "gpt"; - partitions = { - boot = { - size = "1M"; - type = "EF02"; - }; - ESP = { - size = "1G"; - content = { - type = "mdraid"; - name = "boot"; - }; - }; - zfs = { - size = "100%"; - content = { - type = "zfs"; - pool = "zroot"; - }; - }; - }; - }; - })) // { - hdd1 = { - type = "disk"; - device = "/dev/sda"; - content = { - type = "zfs"; - pool = "tank"; - }; - }; - }; - mdadm = { - boot = { - type = "mdadm"; - level = 1; - metadata = "1.0"; - content = { - type = "filesystem"; - format = "vfat"; - mountpoint = "/boot"; - }; - }; - }; - zpool = { - zroot = { - type = "zpool"; - mode = "mirror"; - mountpoint = "/"; - rootFsOptions = { - }; - datasets.reserved = { - type = "zfs_fs"; - options.refreservation = "1G"; - }; - }; - tank = { - type = "zpool"; - datasets = { - reserved = { - type = "zfs_fs"; - options.refreservation = "1G"; - }; - containers = { - type = "zfs_fs"; - mountpoint = "/var/lib/containers"; - options = { - canmount = "noauto"; - }; - }; - home = { - type = "zfs_fs"; - mountpoint = "/home"; - options = { - canmount = "noauto"; - }; - }; - srv = { - type = "zfs_fs"; - mountpoint = "/srv"; - options = { - canmount = "noauto"; - }; - }; - libvirt = { - type = "zfs_fs"; - mountpoint = "/var/lib/libvirt"; - options = { - canmount = "noauto"; - }; - }; - # encrypted = { - # type = "zfs_fs"; - # options = { - # canmount = "noauto"; - # mountpoint = "none"; - # encryption = "aes-256-gcm"; - # keyformat = "passphrase"; - # keylocation = "prompt"; - # }; - # }; - # "encrypted/download" = { - # type = "zfs_fs"; - # mountpoint = "/var/download"; - # options = { - # canmount = "noauto"; - # }; - # }; - }; - }; - }; -} diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix deleted file mode 100644 index cc7734f39..000000000 
--- a/lass/1systems/neoprism/physical.nix +++ /dev/null @@ -1,79 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - - imports = [ - ./config.nix - - ]; - - disko.devices = import ./disk.nix; - networking.hostId = "9c0a74ac"; - - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.efiSupport = true; - boot.loader.grub.devices = [ - config.disko.devices.disk."/dev/nvme0n1".device - config.disko.devices.disk."/dev/nvme1n1".device - ]; - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ]; - boot.kernelModules = [ "kvm-amd" ]; - hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; - - # networking config - networking.useNetworkd = true; - systemd.network = { - enable = true; - config = { - networkConfig.SpeedMeter = true; - }; - # netdevs.ext-br.netdevConfig = { - # Kind = "bridge"; - # Name = "ext-br"; - # MACAddress = "a8:a1:59:0f:2d:69"; - # }; - # networks.ext-br = { - # name = "ext-br"; - # address = [ - # "95.217.192.59/26" - # "2a01:4f9:4a:4f1a::1/64" - # ]; - # gateway = [ - # "95.217.192.1" - # "fe80::1" - # ]; - # }; - networks.eth0 = { - #bridge = [ "ext-br" ]; - matchConfig.Name = "eth0"; - address = [ - "95.217.192.59/26" - "2a01:4f9:4a:4f1a::1/64" - ]; - gateway = [ - "95.217.192.1" - "fe80::1" - ]; - }; - }; - - networking.useDHCP = false; - # boot.initrd.network = { - # enable = true; - # ssh = { - # enable = true; - # authorizedKeys = [ config.krebs.users.lass.pubkey ]; - # port = 2222; - # hostKeys = [ - # () - # () - # ]; - # }; - # }; - # boot.kernelParams = [ - # "net.ifnames=0" - # "ip=dhcp" - # "boot.trace" - # ]; -} diff --git a/lass/1systems/orange/config.nix b/lass/1systems/orange/config.nix deleted file mode 100644 index 47867c31f..000000000 --- a/lass/1systems/orange/config.nix +++ /dev/null 
@@ -1,25 +0,0 @@ -with import ; -{ config, lib, pkgs, ... }: -{ - imports = [ - - - - - - ]; - - krebs.build.host = config.krebs.hosts.orange; - - services.nginx.enable = true; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - security.acme = { - acceptTerms = true; - defaults.email = "acme@lassul.us"; - }; - - krebs.sync-containers3.inContainer = { - enable = true; - pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWzKuXrwQopBc1mzb2VpljmwAs7Y8bRl9a8hBXLC+l"; - }; -} diff --git a/lass/1systems/orange/physical.nix b/lass/1systems/orange/physical.nix deleted file mode 100644 index 8577daf34..000000000 --- a/lass/1systems/orange/physical.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ - imports = [ - ./config.nix - ]; - boot.isContainer = true; - networking.useDHCP = true; -} diff --git a/lass/1systems/prism/backup.nix b/lass/1systems/prism/backup.nix deleted file mode 100644 index 52b4142b9..000000000 --- a/lass/1systems/prism/backup.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - services.postgresqlBackup.enable = true; - - systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; - - services.borgbackup.jobs.hetzner = { - paths = [ - "/var/backup" - ]; - exclude = [ - "*.pyc" - ]; - repo = "u364341@u364341.your-storagebox.de:/./hetzner"; - encryption.mode = "none"; - compression = "auto,zstd"; - startAt = "daily"; - # TODO: change backup key - environment.BORG_RSH = "ssh -oPort=23 -i ${toString + "/borgbackup.ssh.id25519"}"; - preHook = '' - set -x - ''; - - postHook = '' - cat > /var/log/telegraf/borgbackup-job-hetzner.service <; - -{ - imports = [ - ./backup.nix - - - - - - - - - { - services.nginx.enable = true; - imports = [ - - ]; - # needed by domsen.nix ^^ - lass.usershadow = { - enable = true; - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport http"; target = "ACCEPT"; } - { predicate = "-p tcp --dport https"; target = "ACCEPT"; } - ]; - } - { # TODO make new hfos.nix out of this vv - users.users.riot = { - uid = genid_uint31 "riot"; - isNormalUser = true; - extraGroups = [ "libvirtd" ]; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" - ]; - }; - krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ - { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } - { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } - ]; - } - { - users.users.tv = { - uid = genid_uint31 "tv"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.tv.pubkey - ]; - }; - users.users.makefu = { 
- uid = genid_uint31 "makefu"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.makefu.pubkey - ]; - }; - users.extraUsers.dritter = { - uid = genid_uint31 "dritter"; - isNormalUser = true; - extraGroups = [ - "download" - ]; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway" - ]; - }; - users.extraUsers.juhulian = { - uid = 1339; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian" - ]; - }; - users.users.hellrazor = { - uid = genid_uint31 "hellrazor"; - isNormalUser = true; - extraGroups = [ - "download" - ]; - openssh.authorizedKeys.keys = [ "ssh-rsa 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" ]; - }; - } - { - services.nginx.virtualHosts."radio.lassul.us" = { - enableACME = true; - addSSL = true; - locations."/" = { - # recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://radio.r"; - extraConfig = '' - proxy_set_header Host radio.r; - # get source ip for weather reports - proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr"; - ''; - }; - }; - krebs.htgen.radio-redirect = { - port = 8000; - scriptFile = pkgs.writers.writeDash "redir" '' - printf 'HTTP/1.1 301 Moved Permanently\r\n' - printf "Location: 
http://radio.lassul.us''${Request_URI}\r\n" - printf '\r\n' - ''; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; } - ]; - } - - - - - - - - - - - - - - - { - services.tor = { - enable = true; - }; - } - { - imports = [ - - ]; - services.nginx.virtualHosts."lassul.us".locations = { - "= /wallpaper-marker.png".extraConfig = '' - alias /var/realwallpaper/realwallpaper-marker.png; - ''; - "= /wallpaper.png".extraConfig = '' - alias /var/realwallpaper/realwallpaper.png; - ''; - "= /wallpaper-stars-berlin.png".extraConfig = '' - alias /var/realwallpaper/realwallpaper-krebs-stars-berlin.png; - ''; - }; - } - - - - { - lass.nichtparasoup.enable = true; - services.nginx = { - enable = true; - virtualHosts."lol.lassul.us" = { - forceSSL = true; - enableACME = true; - locations."/".extraConfig = '' - proxy_pass http://localhost:5001; - ''; - }; - }; - } - { - imports = [ - - ]; - krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [ - { v6 = false; predicate = "-s 10.244.0.0/16"; target = "ACCEPT"; } - { v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ - { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } - { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.POSTROUTING.rules = [ - { v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; } - { v6 = false; predicate = "-s 10.244.0.0/16 ! 
-d 10.244.0.0/16"; target = "MASQUERADE"; } - ]; - services.dnsmasq = { - enable = true; - resolveLocalQueries = false; - - extraConfig= '' - bind-interfaces - interface=wiregrill - interface=retiolum - ''; - }; - } - { - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; } - ]; - } - - - { - - services.nginx.virtualHosts."flix.lassul.us" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://yellow.r:8096"; - proxyWebsockets = true; - recommendedProxySettings = true; - }; - }; - services.nginx.virtualHosts."lassul.us" = { - locations."^~ /flix/".extraConfig = '' - if ($scheme != "https") { - rewrite ^ https://$host$request_uri permanent; - } - auth_basic "Restricted Content"; - auth_basic_user_file ${pkgs.writeText "flix-user-pass" '' - krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0 - ''}; - proxy_pass http://yellow.r:80/; - proxy_set_header Accept-Encoding ""; - sub_filter "https://lassul.us/" "https://lassul.us/flix/"; - sub_filter_once off; - ''; - locations."^~ /chatty/".extraConfig = '' - rewrite ^ https://$host/flix/$request_uri permanent; - ''; - #locations."^~ /transmission".return = "301 https://$host/transmission/web/"; - locations."^~ /transmission/".extraConfig = '' - if ($scheme != "https") { - rewrite ^ https://$host$request_uri permanent; - } - auth_basic "Restricted Content"; - auth_basic_user_file ${pkgs.writeText "transmission-user-pass" '' - krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0 - ''}; - proxy_pass_header X-Transmission-Session-Id; - proxy_pass http://10.233.2.14:9091; - ''; - }; - - users.groups.download = {}; - users.users = { - download = { - createHome = false; - group = "download"; - name = "download"; - home = "/var/download"; - useDefaultShell = true; - uid = genid "download"; - isSystemUser = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - lass-android.pubkey - makefu.pubkey - palo.pubkey - "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos" - "AAAAB3NzaC1yc2EAAAADAQABAAABgQC4ECL9NSCWqs4KVe+FF+2BPtl5Bv5aQPHqnXllCyiESZykwRKLx6/AbF5SbUAUMVZtp9oDSdp28m3BvVeWJ/q7hAbIxUtfd/jp+JBRZ8Kj6K5GzUO7Bhgl/o0A7xEjAeOKHiYuLjdPMcFUyl6Ah4ey/mcQYf6AdU0+hYUDeUlKe/YxxYD6202W0GJq2xGdIqs/TbopT9iaX+sv0wdXDVfFY72nFqOUwJW3u6O2viKKRugrz/eo50Eo3ts7pYz/FpDXExrUvV9Vu/bQ34pa8nKgF3/AKQHgmzljNQSVZKyAV8OY0UFonjBMXCBg2tXtwfnlzdx2SyuQVv55x+0AuRKsi85G2xLpXu1A3921pseBTW6Q6kbYK9eqxAay2c/kNbwNqFnO+nCvQ6Ier/hvGddOtItMu96IuU2E7mPN6WgvM8/3fjJRFWnZxFxqu/k7iH+yYT8qwRgdiSqZc76qvkYEuabdk2itstTRY0A3SpI3hFMZDw/7bxgMZtqpfyoRk5s= philip@shiki11:15 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 philip@shiki" - mic92.pubkey - qubasa.pubkey - ]; - }; - }; - - system.activationScripts.downloadFolder = '' - mkdir -p /var/download - chmod 775 /var/download - ln -fnsT /var/lib/containers/yellow/var/download/finished /var/download/finished || : - chown download: /var/download/finished - ''; - - fileSystems."/export/download" = { - device = "/var/lib/containers/yellow/var/download/finished"; - options = [ "bind" ]; - }; - services.nfs.server = { - enable = true; - exports = '' - /export 42::/16(insecure,ro,crossmnt) - ''; - lockdPort = 4001; - mountdPort = 4002; - statdPort = 4000; - }; - - services.samba = { - enable = true; - 
enableNmbd = false; - extraConfig = '' - workgroup = WORKGROUP - netbios name = PRISM - server string = ${config.networking.hostName} - # only allow retiolum addresses - hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 - - # Use sendfile() for performance gain - use sendfile = true - - # No NetBIOS is needed - disable netbios = true - - # Only mangle non-valid NTFS names, don't care about DOS support - mangled names = illegal - - # Performance optimizations - socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 - - # Disable all printing - load printers = false - disable spoolss = true - printcap name = /dev/null - - map to guest = Bad User - max log size = 50 - dns proxy = no - security = user - - [global] - syslog only = yes - ''; - shares.public = { - comment = "Warez"; - path = "/export"; - public = "yes"; - "only guest" = "yes"; - "create mask" = "0644"; - "directory mask" = "2777"; - writable = "no"; - printable = "no"; - }; - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - # smbd - { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = 
"-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } - ]; - } - { # acme fallback for neoprism migration - services.nginx.virtualHosts."lassul.us".acmeFallbackHost = "orange.r"; - services.nginx.virtualHosts."radio.lassul.us".acmeFallbackHost = "neoprism.r"; - services.nginx.virtualHosts."flix.lassul.us".acmeFallbackHost = "neoprism.r"; - services.nginx.virtualHosts."jitsi.lassul.us".acmeFallbackHost = "neoprism.r"; - services.nginx.virtualHosts."cgit.lassul.us".acmeFallbackHost = "orange.r"; - services.nginx.virtualHosts."mail.lassul.us".acmeFallbackHost = "neoprism.r"; - services.nginx.virtualHosts."mumble.lassul.us".acmeFallbackHost = "neoprism.r"; - services.nginx.virtualHosts."mail.ubikmedia.eu" = { - enableACME = true; - forceSSL = true; - acmeFallbackHost = "ubik.r"; - locations."/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "https://ubik.r"; - }; - }; - } - ]; - - krebs.build.host = config.krebs.hosts.prism; - services.earlyoom = { - enable = true; - freeMemThreshold = 5; - }; - - # prism rsa hack - services.openssh.hostKeys = [{ - path = toString + "ssh.id_rsa"; - type = "rsa"; - }]; -} diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix deleted file mode 100644 index 2260aa648..000000000 --- a/lass/1systems/prism/physical.nix +++ /dev/null 
@@ -1,107 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - - imports = [ - ./config.nix - - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.swraid.enable = true; - - fileSystems."/" = { - device = "rpool/root/nixos"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/d155d6ff-8e89-4876-a9e7-d1b7ba6a4804"; - fsType = "ext4"; - }; - - fileSystems."/backups" = { - device = "tank/backups"; - fsType = "zfs"; - }; - - fileSystems."/srv/http" = { - device = "tank/srv-http"; - fsType = "zfs"; - }; - - fileSystems."/var/download" = { - device = "tank/download"; - fsType = "zfs"; - }; - - fileSystems."/var/lib/containers" = { - device = "tank/containers"; - fsType = "zfs"; - }; - - fileSystems."/home" = { - device = "tank/home"; - fsType = "zfs"; - }; - - fileSystems."/var/lib/nextcloud" = { - device = "tank/nextcloud"; - fsType = "zfs"; - }; - - fileSystems."/var/lib/libvirt" = { - device = "tank/libvirt"; - fsType = "zfs"; - }; - - fileSystems."/var/realwallpaper/archive" = { - device = "tank/wallpaper"; - fsType = "zfs"; - }; - - # silence mdmonitor.service failures - # https://github.com/NixOS/nixpkgs/issues/72394 - environment.etc."mdadm.conf".text = '' - MAILADDR root - ''; - - nix.maxJobs = lib.mkDefault 8; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ]; - - # we don't pay for power there and this might solve a problem we observed at least once - # https://www.thomas-krenn.com/de/wiki/PCIe_Bus_Error_Status_00001100_beheben - boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" "nomodeset" ]; - networking.dhcpcd.enable = false; - - - networking.useNetworkd = lib.mkForce false; - systemd.network.enable = lib.mkForce false; - # bridge config - networking.bridges."ext-br".interfaces = [ "eth0" ]; - networking = { - hostId = "2283aaae"; 
- defaultGateway = "95.216.1.129"; - defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; }; - # Use google's public DNS server - nameservers = [ "8.8.8.8" ]; - interfaces.ext-br.ipv4.addresses = [ - { - address = "95.216.1.150"; - prefixLength = 26; - } - ]; - interfaces.ext-br.ipv6.addresses = [ - { - address = "2a01:4f9:2a:1e9::1"; - prefixLength = 64; - } - ]; - }; - -} diff --git a/lass/1systems/radio/config.nix b/lass/1systems/radio/config.nix deleted file mode 100644 index 00e9bd3fe..000000000 --- a/lass/1systems/radio/config.nix +++ /dev/null @@ -1,24 +0,0 @@ -with import ; -{ config, lib, pkgs, ... }: -{ - imports = [ - - - - - - - ]; - - krebs.build.host = config.krebs.hosts.radio; - - security.acme = { - acceptTerms = true; - defaults.email = "acme@lassul.us"; - }; - - krebs.sync-containers3.inContainer = { - enable = true; - pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvPKdbVwMEFCDMyNAzR8NdVjTbQL2G+03Xomxn6KKFt"; - }; -} diff --git a/lass/1systems/radio/physical.nix b/lass/1systems/radio/physical.nix deleted file mode 100644 index 8577daf34..000000000 --- a/lass/1systems/radio/physical.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ - imports = [ - ./config.nix - ]; - boot.isContainer = true; - networking.useDHCP = true; -} diff --git a/lass/1systems/radio/source.nix b/lass/1systems/radio/source.nix deleted file mode 100644 index 4acdb0c26..000000000 --- a/lass/1systems/radio/source.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ lib, pkgs, test, ... }: let - npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json; -in if test then {} else { - nixpkgs.git.ref = lib.mkForce npkgs.rev; - nixpkgs-unstable = lib.mkForce { file = "/var/empty"; }; -} diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix deleted file mode 100644 index 0bea37e5c..000000000 --- a/lass/1systems/shodan/config.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - - - - - - - - - - - - - - - - ]; - - krebs.build.host = config.krebs.hosts.shodan; - - services.logind.lidSwitch = "ignore"; - services.logind.lidSwitchDocked = "ignore"; - nix.trustedUsers = [ "root" "lass" ]; - system.stateVersion = "22.05"; -} diff --git a/lass/1systems/shodan/physical.nix b/lass/1systems/shodan/physical.nix deleted file mode 100644 index f94edcf9b..000000000 --- a/lass/1systems/shodan/physical.nix +++ /dev/null @@ -1,45 +0,0 @@ -{ - #TODO reinstall with correct layout and use lass/hw/x220 - imports = [ - ./config.nix - - ]; - - boot = { - loader.grub.enable = true; - loader.grub.version = 2; - loader.grub.device = "/dev/sda"; - - initrd.luks.devices.lusksroot.device = "/dev/sda2"; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - }; - fileSystems = { - "/" = { - device = "/dev/pool/nix"; - fsType = "btrfs"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - "/home" = { - device = "/dev/mapper/pool-home"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - "/bku" = { - device = "/dev/pool/bku"; - fsType = "btrfs"; - }; - "/backups" = { - device = "/dev/pool/backup"; - fsType = "ext4"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" - SUBSYSTEM=="net", ATTR{address}=="00:e0:4c:69:ea:71", NAME="int0" - ''; -} diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix deleted file mode 100644 index 4da4dffb8..000000000 --- a/lass/1systems/skynet/config.nix +++ /dev/null 
@@ -1,41 +0,0 @@ -{ config, pkgs, ... }: -with import ; -{ - imports = [ - - - - - - - - { - services.xserver.enable = true; - services.xserver.desktopManager.xfce.enable = true; - - users.users.discordius = { - uid = genid "diskordius"; - isNormalUser = true; - extraGroups = [ - "audio" - "networkmanager" - ]; - }; - environment.systemPackages = with pkgs; [ - google-chrome - ]; - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - } - ]; - - krebs.build.host = config.krebs.hosts.skynet; - - networking.wireless.enable = false; - networking.networkmanager.enable = true; - - services.logind.lidSwitch = "ignore"; - services.logind.lidSwitchDocked = "ignore"; -} diff --git a/lass/1systems/skynet/physical.nix b/lass/1systems/skynet/physical.nix deleted file mode 100644 index 1ac9708c7..000000000 --- a/lass/1systems/skynet/physical.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - imports = [ - ./config.nix - - ]; - - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.efiSupport = true; - boot.loader.grub.efiInstallAsRemovable = true; - boot.loader.grub.device = "nodev"; - - networking.hostId = "06442b9a"; - - fileSystems."/" = { - device = "rpool/root"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/0876-B308"; - fsType = "vfat"; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0" - ''; -} diff --git a/lass/1systems/styx/config.nix b/lass/1systems/styx/config.nix deleted file mode 100644 index 988cbca75..000000000 --- a/lass/1systems/styx/config.nix +++ /dev/null 
@@ -1,116 +0,0 @@ -{ config, pkgs, ... }: - -with import ; -{ - imports = [ - - - - - - - - - - - - - - - - # - - - - # - - - - - ]; - - krebs.build.host = config.krebs.hosts.styx; - - networking.firewall.interfaces.int0.allowedTCPPorts = [ config.services.smokeping.port ]; - networking.firewall.interfaces.retiolum.allowedTCPPorts = [ config.services.smokeping.port ]; - networking.firewall.interfaces.wiregrill.allowedTCPPorts = [ config.services.smokeping.port ]; - krebs.power-action.enable = mkForce false; - - environment.systemPackages = with pkgs; [ - wol - (writeDashBin "wake-alien" '' - ${wol}/bin/wol -h 10.42.0.255 10:65:30:68:83:a3 - '') - (writers.writeDashBin "iptv" '' - set -efu - /run/current-system/sw/bin/mpv \ - --audio-display=no --audio-channels=stereo \ - --audio-samplerate=48000 --audio-format=s16 \ - --ao-pcm-file=/run/snapserver/snapfifo --ao=pcm \ - --audio-delay=-1 \ - --playlist=https://iptv-org.github.io/iptv/index.nsfw.m3u \ - --idle=yes \ - --input-ipc-server=/tmp/mpv.ipc \ - "$@" - '') - ]; - - users.users.mainUser.openssh.authorizedKeys.keys = [ - config.krebs.users.lass-android.pubkey - ]; - # http://10.42.0.1:8081/smokeping.fcgi - services.smokeping = { - enable = true; - host = null; - targetConfig = '' - probe = FPing - menu = top - title = top - - + Local - menu = Local - title = Local Network - ++ LocalMachine - menu = Local Machine - title = This host - host = localhost - - + Internet - menu = internet - title = internet - - ++ CloudflareDNS - menu = Cloudflare DNS - title = Cloudflare DNS server - host = 1.1.1.1 - - ++ GoogleDNS - menu = Google DNS - title = Google DNS server - host = 8.8.8.8 - - + retiolum - menu = retiolum - title = retiolum - - ++ gum - menu = gum.r - title = gum.r - host = gum.r - - ++ ni - menu = ni.r - title = ni.r - host = ni.r - - ++ prism - menu = prism.r - title = prism.r - host = prism.r - ''; - }; - - # for usb internet - hardware.usbWwan.enable = true; -} - 
diff --git a/lass/1systems/styx/physical.nix b/lass/1systems/styx/physical.nix deleted file mode 100644 index 284bbb333..000000000 --- a/lass/1systems/styx/physical.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - ./config.nix - - ]; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ]; - boot.initrd.kernelModules = [ "dm-snapshot" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - boot.loader.grub.enable = true; - boot.loader.grub.efiSupport = true; - boot.loader.grub.device = "/dev/disk/by-id/ata-SanDisk_SSD_G5_BICS4_20248F446514"; - boot.loader.grub.efiInstallAsRemovable = true; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/ee5c9099-17fa-401e-852e-67cb4ae068f4"; - fsType = "ext4"; - }; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/EAA5-88A9"; - fsType = "vfat"; - }; - - swapDevices = [ ]; - - nix.maxJobs = lib.mkDefault 4; - powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="3c:7c:3f:7e:e2:39", NAME="et0" - SUBSYSTEM=="net", ATTR{address}=="00:e0:4c:78:91:50", NAME="int0" - ''; -} diff --git a/lass/1systems/ubik/config.nix b/lass/1systems/ubik/config.nix deleted file mode 100644 index 3afbf6bd1..000000000 --- a/lass/1systems/ubik/config.nix +++ /dev/null 
@@ -1,276 +0,0 @@ -with import ; -{ config, lib, pkgs, ... }: -{ - imports = [ - - - - ]; - - krebs.build.host = config.krebs.hosts.ubik; - - krebs.sync-containers3.inContainer = { - enable = true; - pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBFGMjH0+Dco6DVFZbByENMci8CFTLXCL7j53yctPnM"; - }; - - security.acme = { - acceptTerms = true; - defaults.email = "acme@lassul.us"; - }; - networking.firewall.allowedTCPPorts = [ 80 443 ]; - - # nextcloud - services.nginx.virtualHosts."c.apanowicz.de" = { - enableACME = true; - forceSSL = true; - }; - services.nextcloud = { - enable = true; - enableBrokenCiphersForSSE = false; - hostName = "c.apanowicz.de"; - package = pkgs.nextcloud25; - config.adminpassFile = "/run/nextcloud.pw"; - https = true; - maxUploadSize = "9001M"; - }; - systemd.services.nextcloud-setup.serviceConfig.ExecStartPre = [ - "+${pkgs.writeDash "copy-pw" '' - ${pkgs.rsync}/bin/rsync \ - --chown nextcloud:nextcloud \ - --chmod 0700 \ - /var/src/secrets/nextcloud.pw /run/nextcloud.pw - ''}" - ]; - - # mail - lass.usershadow.enable = true; - services.nginx.virtualHosts."mail.ubikmedia.eu" = { - enableACME = true; - forceSSL = true; - }; - services.roundcube = { - enable = true; - hostName = "mail.ubikmedia.eu"; - extraConfig = '' - $config['smtp_debug'] = true; - $config['smtp_host'] = "localhost:25"; - ''; - }; - services.dovecot2 = { - enable = true; - showPAMFailure = true; - mailLocation = "maildir:~/Mail"; - sslServerCert = "/var/lib/acme/mail.ubikmedia.eu/fullchain.pem"; - sslServerKey = "/var/lib/acme/mail.ubikmedia.eu/key.pem"; - }; - krebs.exim-smarthost = { - ssl_cert = "/var/lib/acme/mail.ubikmedia.eu/fullchain.pem"; - ssl_key = "/var/lib/acme/mail.ubikmedia.eu/key.pem"; - authenticators.PLAIN = '' - driver = plaintext - public_name = PLAIN - server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}} - ''; - authenticators.LOGIN = '' - driver = plaintext - public_name = LOGIN - 
server_prompts = "Username:: : Password::" - server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}} - # server_condition = ''${run{/run/current-system/sw/bin/debug_exim ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}} - ''; - internet-aliases = [ - { from = "dma@ubikmedia.de"; to = "domsen"; } - { from = "dma@ubikmedia.eu"; to = "domsen"; } - { from = "hallo@apanowicz.de"; to = "domsen"; } - { from = "bruno@apanowicz.de"; to = "bruno"; } - { from = "mail@jla-trading.com"; to = "jla-trading"; } - { from = "jms@ubikmedia.eu"; to = "jms"; } - { from = "ms@ubikmedia.eu"; to = "ms"; } - { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } - { from = "kontakt@alewis.de"; to ="klabusterbeere"; } - { from = "hallo@jarugadesign.de"; to ="kasia"; } - { from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; } - - { from = "testuser@ubikmedia.eu"; to = "testuser"; } - ]; - sender_domains = [ - "jla-trading.com" - "ubikmedia.eu" - "ubikmedia.de" - "apanowicz.de" - "alewis.de" - "jarugadesign.de" - "beesmooth.ch" - "event-extra.de" - ]; - dkim = [ - { domain = "ubikmedia.eu"; } - { domain = "apanowicz.de"; } - { domain = "beesmooth.ch"; } - ]; - }; - - # users - users.users.UBIK-SFTP = { - uid = pkgs.stockholm.lib.genid_uint31 "UBIK-SFTP"; - home = "/home/UBIK-SFTP"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.xanf = { - uid = pkgs.stockholm.lib.genid_uint31 "xanf"; - group = "xanf"; - home = "/home/xanf"; - useDefaultShell = true; - createHome = false; # creathome forces permissions - isNormalUser = true; - }; - - users.users.domsen = { - uid = pkgs.stockholm.lib.genid_uint31 "domsen"; - description = "maintenance acc for domsen"; - home = "/home/domsen"; - useDefaultShell = true; - extraGroups = [ "syncthing" "download" "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.bruno = { - uid = pkgs.stockholm.lib.genid_uint31 "bruno"; 
- home = "/home/bruno"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.jla-trading = { - uid = pkgs.stockholm.lib.genid_uint31 "jla-trading"; - home = "/home/jla-trading"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.jms = { - uid = pkgs.stockholm.lib.genid_uint31 "jms"; - home = "/home/jms"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.ms = { - uid = pkgs.stockholm.lib.genid_uint31 "ms"; - home = "/home/ms"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.testuser = { - uid = pkgs.stockholm.lib.genid_uint31 "testuser"; - home = "/home/testuser"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.bui = { - uid = pkgs.stockholm.lib.genid_uint31 "bui"; - home = "/home/bui"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.klabusterbeere = { - uid = pkgs.stockholm.lib.genid_uint31 "klabusterbeere"; - home = "/home/klabusterbeere"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.kasia = { - uid = pkgs.stockholm.lib.genid_uint31 "kasia"; - home = "/home/kasia"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.XANF_TEAM = { - uid = pkgs.stockholm.lib.genid_uint31 "XANF_TEAM"; - group = "xanf"; - home = "/home/XANF_TEAM"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.dif = { - uid = pkgs.stockholm.lib.genid_uint31 "dif"; - home = "/home/dif"; - useDefaultShell = true; - extraGroups = [ "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.lavafilms = { - uid = pkgs.stockholm.lib.genid_uint31 "lavafilms"; - home = "/home/lavafilms"; - useDefaultShell = true; - extraGroups = [ "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.movematchers = { - 
uid = pkgs.stockholm.lib.genid_uint31 "movematchers"; - home = "/home/movematchers"; - useDefaultShell = true; - extraGroups = [ "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.blackphoton = { - uid = pkgs.stockholm.lib.genid_uint31 "blackphoton"; - home = "/home/blackphoton"; - useDefaultShell = true; - extraGroups = [ "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.line = { - uid = pkgs.stockholm.lib.genid_uint31 "line"; - home = "/home/line"; - useDefaultShell = true; - # extraGroups = [ "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.avada = { - uid = pkgs.stockholm.lib.genid_uint31 "avada"; - home = "/home/avada"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.familienrat = { - uid = pkgs.stockholm.lib.genid_uint31 "familienrat"; - home = "/home/familienrat"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - -} diff --git a/lass/1systems/ubik/physical.nix b/lass/1systems/ubik/physical.nix deleted file mode 100644 index 8577daf34..000000000 --- a/lass/1systems/ubik/physical.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ - imports = [ - ./config.nix - ]; - boot.isContainer = true; - networking.useDHCP = true; -} diff --git a/lass/1systems/wizard/config.nix b/lass/1systems/wizard/config.nix deleted file mode 100644 index 5e69171ce..000000000 --- a/lass/1systems/wizard/config.nix +++ /dev/null 
@@ -1,287 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ; - -let - - icon = pkgs.writeText "icon" '' - // - // - _ // - .' . // '. - '_ '_\/_' `_ - . . \\ . . - .==. ` \\' .' - .\| //bd\\ \, - \_'`._\\__//_.'`.; - `.__ __,' \\ - | | \\ - | | ` - | | - | | - |____| - l42 ==' '== - ''; - - messenger = pkgs.writeText "message" '' - . - | \/| - (\ _ ) )|/| - (/ _----. /.'.' - .-._________.. .' @ _\ .' - '.._______. '. / (_| .') - '._____. / '-/ | _.' - '.______ ( ) ) \ - '..____ '._ ) ) - .' __.--\ , , // (( - '.' mrf| \/ (_.'( - ' \ .' - \ ( - \ '. - \ \ '.) - '-'-' - ''; - - waiting = pkgs.writeText "waiting" '' - Z - Z - z - z - * ' - / \ - /___\ - ( - - ) - ) L ( .--------------. - __()(-)()__ | \ | - .~~ )()()() ~. | . : - / )()() ` | `-.__________) - | )() ~ | : : - | ) | : | - | _ | | [ ## : - \ ~~-. | , oo_______.' - `_ ( \) _____/~~~~ `--___ - | ~`-) ) `-. `--- ( - a:f - - | '///` | `-. - | | | | `-. - | | | | `-. - | | |\ | - | | | \| - `-. | | | - `-| ' - ''; - - wizard = pkgs.writers.writeDash "wizard" '' - cat ${icon} - - echo -n '${'' - welcome to the computer wizard - first we will check for internet connectivity - - ''}' - - read -p '(press enter to continue...)' key - until ping -c1 8.8.8.8; do - ${pkgs.nm-dmenu}/bin/nm-dmenu - done - - mode=$(echo -n '${'' - 1. Help of the wizard - 2. Install NixOS - 3. 
I know what I need to do - ''}' | ${pkgs.fzf}/bin/fzf --reverse) - case "$mode" in - 1*) - echo 'mode_1' > /tmp/mode - clear - echo 'waiting for the messenger to reach the wizard' - cat ${messenger} - - # get pubkeys - mkdir -p /root/.ssh/ - touch /root/.ssh/authorized_keys - curl -Ss 'https://lassul.us/mors.pub' >> /root/.ssh/authorized_keys - curl -Ss 'https://lassul.us/blue.pub' >> /root/.ssh/authorized_keys - curl -Ss 'https://lassul.us/yubi.pub' >> /root/.ssh/authorized_keys - - # write via irc - systemctl start hidden-ssh-announce.service - tmux new-session -s help ${pkgs.writers.writeDash "waiting" '' - cat ${waiting} - read -p 'waiting for the wizard to wake up' key - ${pkgs.bashInteractive}/bin/bash - ''} - ;; - 2*) - echo 'mode_2' > /tmp/mode - ${pkgs.nixos-installer}/bin/nixos-installer - ;; - 3*) - echo 'mode_3' > /tmp/mode - ;; - *) - echo 'no mode selected' - ;; - esac - ''; - -in { - imports = [ - - - - # - { - nixpkgs.config.packageOverrides = import pkgs; - krebs.enable = true; - krebs.build.user = config.krebs.users.lass; - krebs.build.host = {}; - } - # { - # systemd.services.wizard = { - # description = "Computer Wizard"; - # wantedBy = [ "multi-user.target" ]; - # serviceConfig = { - # ExecStart = pkgs.writers.writeDash "wizard" '' - # set -efu - # cat < - - - - - - - - - - - - - - - - ]; - - krebs.build.host = config.krebs.hosts.xerxes; - - environment.shellAliases = { - deploy = pkgs.writeDash "deploy" '' - set -eu - export SYSTEM="$1" - $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) - ''; - usb-tether-on = pkgs.writeDash "usb-tether-on" '' - adb shell su -c service call connectivity 33 i32 1 s16 text - ''; - usb-tether-off = pkgs.writeDash "usb-tether-off" '' - adb shell su -c service call connectivity 33 i32 0 s16 text - ''; - }; - - services.xserver = { - displayManager.lightdm.autoLogin.enable = true; - displayManager.lightdm.autoLogin.user = "lass"; - }; - - boot.blacklistedKernelModules 
= [ "xpad" ]; - systemd.services.xboxdrv = { - wantedBy = [ "multi-user.target" ]; - script = '' - ${pkgs.xboxdrv.overrideAttrs(o: { - patches = o.patches ++ [ (pkgs.fetchurl { - url = "https://patch-diff.githubusercontent.com/raw/xboxdrv/xboxdrv/pull/251.patch"; - sha256 = "17784y20mxqrlhgvwvszh8lprxrvgmb7ah9dknmbhj5jhkjl8wq5"; - }) ]; - })}/bin/xboxdrv --type xbox360 --dbus disabled -D - ''; - }; - - programs.adb.enable = true; - - services.logind.lidSwitch = "suspend"; - lass.screenlock.enable = lib.mkForce false; - - hardware.bluetooth = { - enable = true; - powerOnBoot = true; - }; - hardware.pulseaudio.package = pkgs.pulseaudioFull; - # hardware.pulseaudio.configFile = pkgs.writeText "default.pa" '' - # load-module module-bluetooth-policy - # load-module module-bluetooth-discover - # ## module fails to load with - # ## module-bluez5-device.c: Failed to get device path from module arguments - # ## module.c: Failed to load module "module-bluez5-device" (argument: ""): initialization failed. - # # load-module module-bluez5-device - # # load-module module-bluez5-discover - # ''; -} diff --git a/lass/1systems/xerxes/physical.nix b/lass/1systems/xerxes/physical.nix deleted file mode 100644 index 5a6f07215..000000000 --- a/lass/1systems/xerxes/physical.nix +++ /dev/null 
@@ -1,73 +0,0 @@
-{ pkgs, lib, ... }:
-{
- imports = [
- ./config.nix
-
- ];
-
- boot.loader.grub = {
- enable = true;
- device = "/dev/sda";
- efiSupport = true;
- efiInstallAsRemovable = true;
- };
-
- boot.blacklistedKernelModules = [
- "sdhci_pci"
- ];
-
- boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
- boot.initrd.luks.devices.crypted.device = "/dev/sda3";
- boot.kernelModules = [ "kvm-intel" ];
- boot.kernelParams = [
- "fbcon=rotate:1"
- "boot.shell_on_fail"
- ];
-
- fileSystems."/" = {
- device = "/dev/disk/by-uuid/8efd0c22-f712-46bf-baad-1fbf19d9ec25";
- fsType = "xfs";
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/7F23-DDB4";
- fsType = "vfat";
- };
-
- swapDevices = [ ];
-
- boot.extraModprobeConfig = ''
- options zfs zfs_arc_max=107374182
- '';
-
- nix.maxJobs = lib.mkDefault 4;
-
- networking.hostId = "9b0a74ac";
- networking.networkmanager.enable = true;
-
- hardware.opengl.enable = true;
-
- services.tlp.enable = true;
- services.tlp.extraConfig = ''
- CPU_SCALING_GOVERNOR_ON_AC=ondemand
- CPU_SCALING_GOVERNOR_ON_BAT=powersave
- CPU_MIN_PERF_ON_AC=0
- CPU_MAX_PERF_ON_AC=100
- CPU_MIN_PERF_ON_BAT=0
- CPU_MAX_PERF_ON_BAT=30
- '';
-
- services.logind.extraConfig = ''
- HandlePowerKey=suspend
- IdleAction=suspend
- IdleActionSec=300
- '';
-
- services.xserver = {
- videoDrivers = [ "intel" ];
- displayManager.sessionCommands = ''
- (sleep 2 && ${pkgs.xorg.xrandr}/bin/xrandr --output eDP1 --rotate right)
- (sleep 2 && ${pkgs.xorg.xinput}/bin/xinput set-prop "pointer:Goodix Capacitive TouchScreen" --type=float "Coordinate Transformation Matrix" 0 1 0 -1 0 1 0 0 1)
- '';
- };
-}
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
deleted file mode 100644
index 2da93b8fd..000000000
--- a/lass/1systems/yellow/config.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ config, lib, pkgs, ... }: let
- vpnPort = 1637;
- torrentport = 56709; # port forwarded in airvpn webinterface
-in {
- imports = [
-
-
-
-
- ];
-
- krebs.build.host = config.krebs.hosts.yellow;
-
- krebs.sync-containers3.inContainer = {
- enable = true;
- pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL";
- };
-
- networking.useHostResolvConf = false;
- networking.useNetworkd = true;
-
- networking.wg-quick.interfaces.airvpn.configFile = "/var/src/secrets/airvpn.conf";
- services.transmission.settings.peer-port = torrentport;
-
- # only allow traffic through openvpn
- krebs.iptables = {
- enable = true;
- tables.filter.INPUT.rules = [
- { predicate = "-i airvpn -p tcp --dport ${toString torrentport}"; target = "ACCEPT"; }
- { predicate = "-i airvpn -p udp --dport ${toString torrentport}"; target = "ACCEPT"; }
- ];
- tables.filter.OUTPUT = {
- policy = "DROP";
- rules = [
- { predicate = "-o lo"; target = "ACCEPT"; }
- { predicate = "-p udp --dport ${toString vpnPort}"; target = "ACCEPT"; }
- { predicate = "-o airvpn"; target = "ACCEPT"; }
- { predicate = "-o retiolum"; target = "ACCEPT"; }
- { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; }
- { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; }
- { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; }
- ];
- };
- };
-}
diff --git a/lass/1systems/yellow/physical.nix b/lass/1systems/yellow/physical.nix
deleted file mode 100644
index b6aa3a894..000000000
--- a/lass/1systems/yellow/physical.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ./config.nix
- ];
- boot.isContainer = true;
- networking.useDHCP = false;
-}
diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix
deleted file mode 100644
index e38475381..000000000
--- a/lass/2configs/AP.nix
+++ /dev/null
@@ -1,83 +0,0 @@
-{ config, pkgs, ... }:
-with import ;
-let
- wifi = "wlp0s29u1u2";
-in {
- boot.extraModulePackages = [
- pkgs.linuxPackages.rtl8814au
- ];
- networking.networkmanager.unmanaged = [ wifi "et0" ];
-
- systemd.services.hostapd = {
- description = "hostapd wireless AP";
- path = [ pkgs.hostapd ];
- wantedBy = [ "network.target" ];
-
- after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ];
-
- serviceConfig = {
- ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" ''
- interface=${wifi}
- hw_mode=a
- channel=36
- ieee80211d=1
- country_code=DE
- ieee80211n=1
- ieee80211ac=1
- wmm_enabled=1
-
- # 5ghz
- ssid=krebsing
- auth_algs=1
- wpa=2
- wpa_key_mgmt=WPA-PSK
- rsn_pairwise=CCMP
- wpa_passphrase=aidsballz
- ''}";
- Restart = "always";
- };
- };
-
- networking.bridges.br0.interfaces = [
- wifi
- "et0"
- ];
-
- networking.interfaces.br0.ipv4.addresses = [
- { address = "10.99.0.1"; prefixLength = 24; }
- ];
- services.dhcpd4 = {
- enable = true;
- interfaces = [ "br0" ];
- extraConfig = ''
- option subnet-mask 255.255.255.0;
- option routers 10.99.0.1;
- option domain-name-servers 1.1.1.1, 8.8.8.8;
- subnet 10.99.0.0 netmask 255.255.255.0 {
- range 10.99.0.100 10.99.0.200;
- }
- '';
- };
-
- boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
- krebs.iptables.tables.filter.FORWARD.rules = [
- { v6 = false; predicate = "-d 10.99.0.0/24 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- { v6 = false; predicate = "-s 10.99.0.0/24 -i br0"; target = "ACCEPT"; }
- { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
- { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
- { v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
- { v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
- ];
- krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
- { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.nat.POSTROUTING.rules = [
- #TODO find out what this is about?
- { v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
- { v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; }
-
- { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; }
- { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
- { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
- ];
-}
diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix
deleted file mode 100644
index 8db2a05d6..000000000
--- a/lass/2configs/IM.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-with (import );
-{ config, lib, pkgs, ... }: let
- weechat = pkgs.weechat.override {
- configure = { availablePlugins, ... }: {
- scripts = with pkgs.weechatScripts; [
- weechat-matrix
- ];
- };
- };
-
- tmux = "/run/current-system/sw/bin/tmux";
-
-in {
- imports = [
- ./bitlbee.nix
- ];
- environment.systemPackages = [ weechat ];
- systemd.services.chat = {
- description = "chat environment setup";
- environment.WEECHAT_HOME = "\$HOME/.weechat";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
-
- restartIfChanged = false;
-
- path = [
- pkgs.rxvt-unicode-unwrapped.terminfo
- ];
-
- serviceConfig = {
- User = "lass";
- RemainAfterExit = true;
- Type = "oneshot";
- ExecStart = "${tmux} -2 new-session -d -s IM ${weechat}/bin/weechat";
- ExecStop = "${tmux} kill-session -t IM"; # TODO run save in weechat
- };
- };
-}
diff --git a/lass/2configs/ableton.nix b/lass/2configs/ableton.nix
deleted file mode 100644
index 9d6f481b0..000000000
--- a/lass/2configs/ableton.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, pkgs, ... }: let
- mainUser = config.users.extraUsers.mainUser;
-in {
- users.users= {
- ableton = {
- isNormalUser = true;
- extraGroups = [
- "audio"
- "video"
- ];
- packages = [
- pkgs.wine
- pkgs.winetricks
- ];
- };
- };
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(ableton) NOPASSWD: ALL
- '';
-}
diff --git a/lass/2configs/alacritty.nix b/lass/2configs/alacritty.nix
deleted file mode 100644
index 7f24e4a2e..000000000
--- a/lass/2configs/alacritty.nix
+++ /dev/null
@@ -1,134 +0,0 @@ -{ config, lib, pkgs, ... }: let - - alacritty-cfg = extrVals: builtins.toJSON ({ - font = let - family = "Iosevka Term SS15"; - in { - normal = { - family = family; - style = "Regular"; - }; - bold = { - family = family; - style = "Bold"; - }; - italic = { - family = family; - style = "Italic"; - }; - bold_italic = { - family = family; - style = "Bold Italic"; - }; - size = 12; - }; - live_config_reload = true; - window.dimensions = { - columns = 80; - lines = 20; - }; - env.WINIT_X11_SCALE_FACTOR = "1.0"; - # window.opacity = 0; - hints.enabled = [ - { - regex = ''(mailto:|gemini:|gopher:|https:|http:|news:|file:|git:|ssh:|ftp:)[^\u0000-\u001F\u007F-\u009F<>"\s{-}\^⟨⟩`]+''; - command = "/run/current-system/sw/bin/xdg-open"; - post_processing = true; - mouse.enabled = true; - binding = { - key = "U"; - mods = "Alt"; - }; - } - ]; - } // extrVals); - - alacritty = pkgs.symlinkJoin { - name = "alacritty"; - paths = [ - (pkgs.writeDashBin "alacritty" '' - ${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml msg create-window "$@" || - ${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml "$@" - '') - pkgs.alacritty - ]; - }; - -in { - environment.etc = { - "themes/light/alacritty.yaml".text = alacritty-cfg { - colors = { - # Default colors - primary = { - # hard contrast: background = '#f9f5d7' - # background = "#fbf1c7"; - background = "#f9f5d7"; - # soft contrast: background = '#f2e5bc' - foreground = "#3c3836"; - }; - - # Normal colors - normal = { - black = "#fbf1c7"; - red = "#cc241d"; - green = "#98971a"; - yellow = "#d79921"; - blue = "#458588"; - magenta = "#b16286"; - cyan = "#689d6a"; - white = "#7c6f64"; - }; - - # Bright colors - bright = { - black = "#928374"; - red = "#9d0006"; - green = "#79740e"; - yellow = "#b57614"; - blue = "#076678"; - magenta = "#8f3f71"; - cyan = "#427b58"; - white = "#3c3836"; - }; - }; - }; - "themes/dark/alacritty.yaml".text = alacritty-cfg { - colors = { - 
# Default colors - primary = { - background = "0x000000"; - foreground = "0xffffff"; - }; - cursor = { - text = "0xF81CE5"; - cursor = "0xffffff"; - }; - - # Normal colors - normal = { - black = "0x000000"; - red = "0xfe0100"; - green = "0x33ff00"; - yellow = "0xfeff00"; - blue = "0x0066ff"; - magenta = "0xcc00ff"; - cyan = "0x00ffff"; - white = "0xd0d0d0"; - }; - - # Bright colors - bright = { - black = "0x808080"; - red = "0xfe0100"; - green = "0x33ff00"; - yellow = "0xfeff00"; - blue = "0x0066ff"; - magenta = "0xcc00ff"; - cyan = "0x00ffff"; - white = "0xFFFFFF"; - }; - }; - }; - }; - environment.systemPackages = [ alacritty ]; -} diff --git a/lass/2configs/antimicrox/default.nix b/lass/2configs/antimicrox/default.nix deleted file mode 100644 index 2b683b8bc..000000000 --- a/lass/2configs/antimicrox/default.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - systemd.services.antimicrox = { - after = [ "display-manager.service" ]; - wantedBy = [ "multi-user.target" ]; - environment = { - DISPLAY = ":0"; - }; - serviceConfig = { - User = config.users.users.mainUser.name; - ExecStartPre = lib.singleton (pkgs.writeDash "init_state" "echo 0 > /tmp/gamepad.state"); - ExecStart = "${pkgs.antimicrox}/bin/antimicrox --hidden --profile ${./mouse.gamecontroller.amgp}"; - }; - }; - - services.udev.extraRules = '' - KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_node=uinput" - ''; - - environment.systemPackages = [ - pkgs.antimicrox - (pkgs.writers.writeDashBin "gamepad_mouse_disable" '' - echo 1 > /tmp/gamepad.state - ${pkgs.antimicrox}/bin/antimicrox --profile ${./empty.gamecontroller.amgp} - '') - (pkgs.writers.writeDashBin "gamepad_mouse_enable" '' - echo 0 > /tmp/gamepad.state - ${pkgs.antimicrox}/bin/antimicrox --profile ${./mouse.gamecontroller.amgp} - '') - (pkgs.writers.writeDashBin "gamepad_mouse_toggle" '' - state=$(${pkgs.coreutils}/bin/cat /tmp/gamepad.state) - if [ "$state" = 1 ]; then - /run/current-system/sw/bin/gamepad_mouse_enable - else - /run/current-system/sw/bin/gamepad_mouse_disable - fi - '') - ]; -} diff --git a/lass/2configs/antimicrox/empty.gamecontroller.amgp b/lass/2configs/antimicrox/empty.gamecontroller.amgp deleted file mode 100644 index 0257bfe71..000000000 --- a/lass/2configs/antimicrox/empty.gamecontroller.amgp +++ /dev/null @@ -1,20 +0,0 @@ - - - - XInput Controller - - 030000005e0400008e020000010100001118654 - - - - - - - - - - R Stick - L Stick - - - diff --git a/lass/2configs/antimicrox/mouse.gamecontroller.amgp b/lass/2configs/antimicrox/mouse.gamecontroller.amgp deleted file mode 100644 index 743618f54..000000000 --- a/lass/2configs/antimicrox/mouse.gamecontroller.amgp +++ /dev/null 
@@ -1,281 +0,0 @@ - - - - XInput Controller - - 030000005e0400008e020000010100001118654 - - - - - - - - - - Stick 2 - Stick 1 - - - - - 1 - 29501 - 1412 - 90 - 100 - - 74 - 74 - 4 - 20 - 3 - easeoutquad - - - 1 - mousemovement - - - - - 74 - 74 - 4 - 20 - 3 - easeoutquad - - - 4 - mousemovement - - - - - 74 - 74 - - - 74 - 74 - 4 - 20 - 3 - easeoutquad - - - 2 - mousemovement - - - - - 74 - 74 - - - 74 - 74 - 4 - 20 - 3 - easeoutquad - - - 3 - mousemovement - - - - - 74 - 74 - - - 74 - 74 - - - - 2578 - 30799 - - linear - - - 4 - mousebutton - - - - - linear - - - 7 - mousebutton - - - - - linear - - - linear - - - 5 - mousebutton - - - - - linear - - - linear - - - 6 - mousebutton - - - - - linear - - - linear - - - - - 2 - 10 - - - 10 - 10 - - - 0x1000013 - keyboard - - - - - 2 - 10 - - - 2 - 10 - - - 0x1000014 - keyboard - - - - - 2 - 10 - - - 0x1000015 - keyboard - - - - - 2 - 10 - - - 2 - 10 - - - 2 - 10 - - - 0x1000012 - keyboard - - - - - - 2000 - positivehalf - - 100 - 100 - - - 100 - 100 - - - 250 - mousespeedmod - - - - - - positivehalf - - - - - - - - - - diff --git a/lass/2configs/atuin-server.nix b/lass/2configs/atuin-server.nix deleted file mode 100644 index 05d3b4fd4..000000000 --- a/lass/2configs/atuin-server.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - services.atuin = { - enable = true; - host = "0.0.0.0"; - maxHistoryLength = 1000000; - openFirewall = true; - }; - -} diff --git a/lass/2configs/autotether.nix b/lass/2configs/autotether.nix deleted file mode 100644 index 98712303e..000000000 --- a/lass/2configs/autotether.nix +++ /dev/null 
@@ -1,16 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- systemd.services.usb_tether = {
- script = ''
- ${pkgs.android-tools}/bin/adb -s QV770FAMEK wait-for-device
- ${pkgs.android-tools}/bin/adb -s QV770FAMEK shell svc usb setFunctions rndis
- '';
- };
- services.udev.extraRules = ''
- ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="fce/320d/510", TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service"
- '';
- systemd.network.networks.android = {
- matchConfig.Name = "enp0s20u1";
- DHCP = "yes";
- };
-}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
deleted file mode 100644
index e5b1f0b90..000000000
--- a/lass/2configs/baseX.nix
+++ /dev/null
@@ -1,196 +0,0 @@ -{ config, pkgs, ... }: -with import ; -let - user = config.krebs.build.user; -in { - imports = [ - ./alacritty.nix - ./mpv.nix - ./power-action.nix - ./urxvt.nix - ./xdg-open.nix - ./yubikey.nix - ./pipewire.nix - ./tmux.nix - ./xmonad.nix - ./themes.nix - ./fonts.nix - { - users.users.mainUser.packages = [ - pkgs.sshuttle - ]; - security.sudo.extraConfig = '' - lass ALL= (root) NOPASSWD:SETENV: ${pkgs.sshuttle}/bin/.sshuttle-wrapped - ''; - } - { #font magic - options.lass.fonts = { - regular = mkOption { - type = types.str; - default = "xft:Iosevka Term SS15:style=regular"; - }; - bold = mkOption { - type = types.str; - default = "xft:Iosevka Term SS15:style=bold"; - }; - italic = mkOption { - type = types.str; - default = "xft:Iosevka Term SS15:style=italic"; - }; - }; - config.krebs.xresources.resources.X = '' - *.font: ${config.lass.fonts.regular} - *.boldFont: ${config.lass.fonts.bold} - *.italicFont: ${config.lass.fonts.italic} - ''; - } - ]; - - users.users.mainUser.extraGroups = [ "audio" "pipewire" "video" ]; - - time.timeZone = "Europe/Berlin"; - - programs.ssh.agentTimeout = "10m"; - programs.ssh.startAgent = false; - services.openssh.forwardX11 = true; - - environment.systemPackages = with pkgs; [ - acpi - acpilight - ripgrep - cabal2nix - dic - dmenu - font-size - fzfmenu - gimp - gitAndTools.gh - git-crypt - git-preview - dconf - iodine - libarchive - lm_sensors - ncdu - nix-index - nixpkgs-review - nmap - pavucontrol - ponymix - powertop - rxvt-unicode - sshvnc - sxiv - nsxiv - taskwarrior - termite - transgui - wirelesstools - x11vnc - xclip - xephyrify - xorg.xmodmap - xorg.xhost - xdotool - xsel - zathura - flameshot - (pkgs.writeDashBin "screenshot" '' - set -efu - - ${pkgs.flameshot}/bin/flameshot gui && - ${pkgs.klem}/bin/klem - '') - (pkgs.writers.writeDashBin "IM" '' - ${pkgs.mosh}/bin/mosh green.r -- tmux new-session -A -s IM -- weechat - '') - (pkgs.writers.writeDashBin "deploy_hm" '' - target=$1 - shift - - 
hm_profile=$(${pkgs.home-manager}/bin/home-manager -f ~/sync/stockholm/lass/2configs/home-manager.nix build "$@") - nix-copy-closure --to "$target" "$hm_profile" - ssh "$target" -- "$hm_profile"/activate - '') - zbar - ]; - - services.udev.extraRules = '' - SUBSYSTEM=="backlight", ACTION=="add", \ - RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness", \ - RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness" - ''; - - services.xserver = { - enable = true; - layout = "us"; - display = mkForce 0; - xkbVariant = "altgr-intl"; - xkbOptions = "caps:escape"; - libinput.enable = true; - exportConfiguration = true; - displayManager = { - lightdm.enable = true; - defaultSession = "none+xmonad"; - sessionCommands = '' - ${pkgs.xorg.xhost}/bin/xhost +LOCAL: - ''; - }; - }; - - nixpkgs.config.packageOverrides = super: { - dmenu = pkgs.writeDashBin "dmenu" '' - ${pkgs.fzfmenu}/bin/fzfmenu "$@" - ''; - }; - - krebs.xresources.enable = true; - - lass.klem = { - kpaste.script = pkgs.writeDash "kpaste-wrapper" '' - ${pkgs.kpaste}/bin/kpaste \ - | ${pkgs.coreutils}/bin/tail -1 \ - | ${pkgs.coreutils}/bin/tr -d '\r\n' - ''; - go = { - target = "STRING"; - script = "${pkgs.goify}/bin/goify"; - }; - "go.lassul.us" = { - target = "STRING"; - script = pkgs.writeDash "go.lassul.us" '' - export GO_HOST='go.lassul.us' - ${pkgs.goify}/bin/goify - ''; - }; - qrcode = { - target = "image"; - script = pkgs.writeDash "zbar" '' - ${pkgs.zbar}/bin/zbarimg -q --raw - - ''; - }; - ocr = { - target = "image"; - script = pkgs.writeDash "gocr" '' - ${pkgs.netpbm}/bin/pngtopnm - \ - | ${pkgs.gocr}/bin/gocr - - ''; - }; - }; - - services.clipmenu.enable = true; - - # synchronize all the clipboards - systemd.user.services.autocutsel = { - enable = true; - wantedBy = [ "graphical-session.target" ]; - after = [ "graphical-session.target" ]; - serviceConfig = { - Type = "forking"; - ExecStart = pkgs.writers.writeDash "autocutsel" '' - 
${pkgs.autocutsel}/bin/autocutsel -fork -selection PRIMARY - ${pkgs.autocutsel}/bin/autocutsel -fork -selection CLIPBOARD - ''; - }; - }; -} diff --git a/lass/2configs/bgt-bot/bgt-check.sh b/lass/2configs/bgt-bot/bgt-check.sh deleted file mode 100644 index 30185ba18..000000000 --- a/lass/2configs/bgt-bot/bgt-check.sh +++ /dev/null @@ -1,57 +0,0 @@ -#!/bin/sh -# needs in path: -# curl gnugrep jq -# creates and manages $PWD/state -set -xeuf - -send_reaktor(){ - # usage: send_reaktor "text" - echo "send_reaktor: $1" - curl -fsS "http://localhost:$REAKTOR_PORT" \ - -H content-type:application/json \ - -d "$(jq -n \ - --arg text "$1" \ - --arg channel "$IRC_CHANNEL" \ - '{ - command:"PRIVMSG", - params:[$channel,$text] - }' - )" -} - -live=$(shuf -n1 < state -fi diff --git a/lass/2configs/bgt-bot/default.nix b/lass/2configs/bgt-bot/default.nix deleted file mode 100644 index 6f9e33704..000000000 --- a/lass/2configs/bgt-bot/default.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ config, lib, pkgs, ... }: -let - - bot_port = "7654"; - irc_channel = "#binaergewitter"; -in -{ - krebs.reaktor2.bgt-announce = { - hostname = "irc.libera.chat"; - port = "6697"; - nick = "bgt-announce"; - API.listen = "inet://127.0.0.1:${bot_port}"; - plugins = [ - { - plugin = "register"; - config = { - channels = [ - irc_channel - ]; - }; - } - ]; - }; - systemd.services.check_bgt_show = { - startAt = "*:0/5"; - environment = { - IRC_CHANNEL = irc_channel; - REAKTOR_PORT = bot_port; - }; - path = with pkgs; [ - curl - gnugrep - jq - ]; - script = builtins.readFile ./bgt-check.sh; - serviceConfig = { - DynamicUser = true; - StateDirectory = "bgt-announce"; - WorkingDirectory = "/var/lib/bgt-announce"; - PrivateTmp = true; - }; - }; -} - diff --git a/lass/2configs/binary-cache/client.nix b/lass/2configs/binary-cache/client.nix deleted file mode 100644 index de15aff92..000000000 --- a/lass/2configs/binary-cache/client.nix +++ /dev/null 
@@ -1,17 +0,0 @@
-{ config, ... }:
-
-{
- nix = {
- binaryCaches = [
- "http://cache.prism.r"
- "http://cache.neoprism.r"
- "https://cache.nixos.org/"
- ];
- binaryCachePublicKeys = [
- "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
- "cache.prism-2:YwmCm3/s/D+SxrPKN/ETjlpw/219pNUbpnluatp6FKI="
- "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
- ];
- };
-}
-
diff --git a/lass/2configs/binary-cache/proxy.nix b/lass/2configs/binary-cache/proxy.nix
deleted file mode 100644
index a6ecb044d..000000000
--- a/lass/2configs/binary-cache/proxy.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, lib, pkgs, ...}:
-{
- services.nginx = {
- enable = true;
- virtualHosts."cache.krebsco.de" = {
- enableACME = true;
- forceSSL = true;
- locations."/".extraConfig = ''
- proxy_pass http://cache.neoprism.r/;
- '';
- };
- };
-}
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
deleted file mode 100644
index 490601641..000000000
--- a/lass/2configs/binary-cache/server.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-{ config, lib, pkgs, ...}:
-{
- # nixpkgs.config.packageOverrides = p: {
- # nix-serve = p.haskellPackages.nix-serve-ng;
- # };
- # generate private key with:
- # nix-store --generate-binary-cache-key my-secret-key my-public-key
- services.nix-serve = {
- enable = true;
- secretKeyFile = toString + "/nix-serve.key";
- port = 5005;
- };
-
- services.nginx = {
- enable = true;
- virtualHosts.nix-serve = {
- serverAliases = [ "cache.${config.networking.hostName}.r" ];
- locations."/".extraConfig = ''
- proxy_pass http://localhost:${toString config.services.nix-serve.port};
- '';
- locations."= /nix-cache-info".extraConfig = ''
- alias ${pkgs.writeText "cache-info" ''
- StoreDir: /nix/store
- WantMassQuery: 1
- Priority: 42
- ''};
- '';
- };
- };
-}
-
diff --git a/lass/2configs/bird.nix b/lass/2configs/bird.nix
deleted file mode 100644
index 3fc265cd7..000000000
--- a/lass/2configs/bird.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, ... }:
-
-{
- config.services.bird = {
- enable = true;
- config = ''
- router id 192.168.122.1;
- protocol device {
- scan time 10;
- }
- '';
- };
-}
diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix
deleted file mode 100644
index e9dd055f9..000000000
--- a/lass/2configs/bitcoin.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- mainUser = config.users.extraUsers.mainUser;
-in {
-
- users.extraUsers = {
- bitcoin = {
- name = "bitcoin";
- description = "user for bitcoin stuff";
- home = "/home/bitcoin";
- useDefaultShell = true;
- createHome = true;
- packages = [ pkgs.electrum ];
- isNormalUser = true;
- };
- monero = {
- name = "monero";
- description = "user for monero stuff";
- home = "/home/monero";
- useDefaultShell = true;
- createHome = true;
- packages = [
- pkgs.monero
- pkgs.monero-gui
- ];
- isNormalUser = true;
- };
- };
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(bitcoin) ALL
- ${mainUser.name} ALL=(monero) ALL
- '';
-}
diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix
deleted file mode 100644
index 43573d893..000000000
--- a/lass/2configs/bitlbee.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-with (import );
-{ config, lib, pkgs, ... }:
-
-{
- services.bitlbee = {
- enable = true;
- portNumber = 6666;
- plugins = [
- pkgs.bitlbee-facebook
- pkgs.bitlbee-steam
- pkgs.bitlbee-discord
- ];
- libpurple_plugins = [
- # pkgs.telegram-purple
- # pkgs.tdlib-purple
- # pkgs.purple-gowhatsapp
- ];
- configDir = "/var/state/bitlbee";
- };
-
- systemd.services.bitlbee.serviceConfig = {
- ExecStartPre = [
- "+${pkgs.writeDash "setup-bitlbee" ''
- ${pkgs.coreutils}/bin/chown bitlbee:bitlbee /var/state/bitlbee || :
- ''}"
- ];
- ReadWritePaths = [
- "/var/state/bitlbee"
- ];
- };
- systemd.tmpfiles.rules = [
- "d /var/state/bitlbee 0700 - - -"
- ];
-}
diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
deleted file mode 100644
index 532e55fe5..000000000
--- a/lass/2configs/blue-host.nix
+++ /dev/null
@@ -1,116 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ; -let - all_hosts = [ - "icarus" - "shodan" - "daedalus" - "skynet" - "prism" - "littleT" - ]; - remote_hosts = filter (h: h != config.networking.hostName) all_hosts; - -in { - imports = [ - - { #hack for already defined - systemd.services."container@blue".reloadIfChanged = mkForce false; - systemd.services."container@blue".preStart = '' - ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue' - ''; - systemd.services."container@blue".preStop = '' - /run/wrappers/bin/fusermount -u /var/lib/containers/blue - ''; - } - ]; - - system.activationScripts.containerPermissions = '' - mkdir -p /var/lib/containers - chmod 711 /var/lib/containers - ''; - - containers.blue = { - config = { ... }: { - environment.systemPackages = [ - pkgs.git - pkgs.rxvt-unicode-unwrapped.terminfo - ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - }; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.9"; - localAddress = "10.233.2.10"; - }; - - - #systemd.services = builtins.listToAttrs (map (host: - # let - # in nameValuePair "sync-blue-${host}" { - # bindsTo = [ "container@blue.service" ]; - # wantedBy = [ "container@blue.service" ]; - # # ssh needed for rsync - # path = [ pkgs.openssh ]; - # serviceConfig = { - # Restart = "always"; - # RestartSec = 10; - # ExecStart = pkgs.writeDash "sync-blue-${host}" '' - # set -efu - # #make sure blue is running - # /run/wrappers/bin/ping -c1 blue.r > /dev/null - - # #make sure the container is unlocked - # ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue' - - # #make sure our target is reachable - # ${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null - - # #start sync - # ${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" '' - # settings { - # nodaemon = true, - # 
inotifyMode = "CloseWrite or Modify", - # } - # sync { - # default.rsyncssh, - # source = "/var/lib/containers/.blue", - # host = "${host}.r", - # targetdir = "/var/lib/containers/.blue", - # rsync = { - # archive = true, - # owner = true, - # group = true, - # }; - # ssh = { - # binary = "${pkgs.openssh}/bin/ssh"; - # identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa", - # }, - # } - # ''} - # ''; - # }; - # unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"; - # } - #) remote_hosts); - - environment.systemPackages = [ - (pkgs.writeDashBin "start-blue" '' - set -ef - if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then - ${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue - fi - nixos-container start blue - nixos-container run blue -- nixos-rebuild -I /var/src dry-build - if ping -c1 blue.r >/dev/null; then - echo 'blue is already running. bailing out' - exit 23 - fi - nixos-container run blue -- nixos-rebuild -I /var/src switch - '') - ]; -} diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix deleted file mode 100644 index 2698f67e0..000000000 --- a/lass/2configs/blue.nix +++ /dev/null 
@@ -1,33 +0,0 @@
-with (import );
-{ config, lib, pkgs, ... }:
-
-{
- imports = [
- ./mail.nix
- ./pass.nix
- ];
-
- environment.systemPackages = with pkgs; [
- dic
- nmap
- git-preview
- l-gen-secrets
- ];
-
- services.tor.enable = true;
- services.tor.client.enable = true;
-
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
- { predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";}
- { predicate = "-i retiolum -p tcp --dport 9998:9999"; target = "ACCEPT";}
- { predicate = "-i wiregrill -p tcp --dport 9998:9999"; target = "ACCEPT";}
- { predicate = "-i retiolum -p tcp --dport imap"; target = "ACCEPT";}
- { predicate = "-i wiregrill -p tcp --dport imap"; target = "ACCEPT";}
- ];
-
- services.dovecot2 = {
- enable = true;
- mailLocation = "maildir:~/Maildir";
- };
-}
diff --git a/lass/2configs/boot/coreboot.nix b/lass/2configs/boot/coreboot.nix
deleted file mode 100644
index 1548cbc2d..000000000
--- a/lass/2configs/boot/coreboot.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ... }:
-
-{
- boot = {
- loader.grub.enable = true;
- loader.grub.version = 2;
- loader.grub.device = "/dev/sda";
- loader.grub.efiSupport = true;
- };
-}
diff --git a/lass/2configs/boot/stock-x220.nix b/lass/2configs/boot/stock-x220.nix
deleted file mode 100644
index 54a382db7..000000000
--- a/lass/2configs/boot/stock-x220.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ ... }:
-
-{
- boot = {
- loader.systemd-boot.enable = true;
- loader.efi.canTouchEfiVariables = true;
- };
-}
diff --git a/lass/2configs/boot/universal.nix b/lass/2configs/boot/universal.nix
deleted file mode 100644
index 33f4323cc..000000000
--- a/lass/2configs/boot/universal.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-{ ... }:
-
-{
- boot = {
- loader.grub.enable = true;
- loader.grub.version = 2;
- loader.grub.device = "/dev/sda";
- loader.grub.efiSupport = true;
- loader.grub.efiInstallAsRemovable = true;
- };
-}
diff --git a/lass/2configs/br.nix b/lass/2configs/br.nix deleted file mode 100644 index 273a9c963..000000000 --- a/lass/2configs/br.nix +++ /dev/null @@ -1,51 +0,0 @@ -with import ; -{ config, pkgs, ... }: { - - imports = [ - - ]; - - krebs.nixpkgs.allowUnfreePredicate = pkg: any (eq (packageName pkg)) [ - "brother-udev-rule-type1" - "brscan4" - "brscan4-etc-files" - "mfcl2700dnlpr" - ]; - - hardware.sane = { - enable = true; - brscan4 = { - enable = true; - netDevices = { - bra = { - model = "MFCL2700DN"; - ip = "10.42.0.4"; - }; - }; - }; - }; - - services.saned.enable = true; - - # usage: scanimage -d "$(find-scanner bra)" --batch --format=tiff --resolution 150 -x 211 -y 298 - environment.systemPackages = [ - (pkgs.writeDashBin "find-scanner" '' - set -efu - name=$1 - ${pkgs.sane-backends}/bin/scanimage -f '%m %d - ' \ - | ${pkgs.gawk}/bin/awk -v dev="*$name" '$1 == dev { print $2; exit }' \ - | ${pkgs.gnugrep}/bin/grep . - '') - ]; - - services.printing = { - enable = true; - drivers = [ - pkgs.mfcl2700dncupswrapper - ]; - }; - - users.users.mainUser.extraGroups = [ "scanner" "lp" ]; - -} diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix deleted file mode 100644 index 92ee8e30f..000000000 --- a/lass/2configs/browsers.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - programs.firefox.nativeMessagingHosts.tridactyl = true; - environment.variables.BROWSER = "${pkgs.firefox}/bin/firefox"; - environment.systemPackages = [ - pkgs.firefox-devedition - ]; -} diff --git a/lass/2configs/c-base.nix b/lass/2configs/c-base.nix deleted file mode 100644 index c9ad8cf68..000000000 --- a/lass/2configs/c-base.nix +++ /dev/null 
@@ -1,115 +0,0 @@ -{ config, lib, pkgs, ... }: - -let -in { - - environment.systemPackages = [ - pkgs.cifs-utils - ]; - - systemd.network.networks.c-base = { - matchConfig.Name = "c-base"; - networkConfig = { - IgnoreCarrierLoss = "3s"; - KeepConfiguration = "static"; - DNS = "10.0.1.254"; - Domains = "cbrp3.c-base.org"; - }; - routes = [ - { routeConfig = { - Destination = "10.0.0.0/23"; - Gateway = "172.31.77.1"; - };} - { routeConfig = { - Destination = "91.102.9.99/32"; # vorstand.c-base.org - Gateway = "172.31.77.1"; - };} - ]; - }; - services.openvpn.servers.c-base = { - config = '' - remote vpn.ext.c-base.org 1194 - verify-x509-name vpn.ext.c-base.org name - client - proto udp - dev-type tun - dev c-base - resolv-retry infinite - nobind - # user openvpn - # group openvpn - persist-key - persist-tun - comp-lzo - # register-dns - # block-outside-dns - script-security 2 - auth-user-pass ${toString } - #auth-user-pass - key-direction 1 - - # - # 2048 bit OpenVPN static key - # - -----BEGIN OpenVPN Static key V1----- - 54a66ed1048bed7508703347e89d68d6 - 5586e6a5d1218cf8675941031d540be6 - 993e07200a16ad3b770b659932ee71e5 - f8080b5c9fa2acb3893abd40fad2552c - fdaf17565e617ae450efcccf5652dca5 - a16419509024b075941098731eb25ac0 - a64f963ece3dca1d2a64a9c5e17839d7 - 5b5080165a9b2dc90ef111879d7d3173 - 2d1027ae42d869394aca08da4472a9d0 - 6b724b4ed43a957feef7d6dfc86da241 - 74828fa0e1240941586f0d937cac32fc - 13cc81e7bed58817353d6afaff7e6a26 - 4f9cc086af79c1cdca660d86e18cff96 - 69dd3d392caf09a468894a8504f4cc7c - 7ae0072e6d9ad90b166ad13a39c57b3c - 3a869e27a1d89deb161c255227551713 - -----END OpenVPN Static key V1----- - - - -----BEGIN CERTIFICATE----- - MIIGsDCCBJigAwIBAgIJAPkM1l2zA306MA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD - VQQGEwJERTEPMA0GA1UEBxMGQmVybGluMRswGQYDVQQLExJ2cG4uZXh0LmMtYmFz - ZS5vcmcxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEbMBkGA1UEKRMSdnBu - LmV4dC5jLWJhc2Uub3JnMR8wHQYJKoZIhvcNAQkBFhBhZG1heEBjLWJhc2Uub3Jn - 
MB4XDTE2MDcwOTE4MjkyMFoXDTI2MDcxMDE4MjkyMFowgZYxCzAJBgNVBAYTAkRF - MQ8wDQYDVQQHEwZCZXJsaW4xGzAZBgNVBAsTEnZwbi5leHQuYy1iYXNlLm9yZzEb - MBkGA1UEAxMSdnBuLmV4dC5jLWJhc2Uub3JnMRswGQYDVQQpExJ2cG4uZXh0LmMt - YmFzZS5vcmcxHzAdBgkqhkiG9w0BCQEWEGFkbWF4QGMtYmFzZS5vcmcwggIiMA0G - CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXEs+uWCXLNmm+lgP9x7u3FqWa4pPI - h64c6EWIULMATrhEw+Ej4fpCXwU9otFaO04fAeJmZGkDcnAYdBDiCeI0luOSdj44 - Bg9KecSei/TskqjhDVnEBp65hiz0rZE6c1baPdLYmD5xrXWb3i0zrlBYFawuL6C2 - lwVCEm3cadvkDJ2DleMuu3NblV8ViIDN0HZqzJNP72g1I0MgohkpetACXlf7MzQV - PFHfzvb04Rj2lJ8BDhceQ0WmjtVV/Ag6nka5oi954OeHMujRuH+rZYiQZDZpJLHK - Kh1KWTVlWPRy+AvCi9lweDWSmLccq7Ug4xMtDF4I5qW3tjCd0xqpZ21Xmo2JyKtY - 4h8wEDPqiJvgwvkXsH17GLn5ZxiMcQuRJQYZqJephkzR9uccJeWSS76kwm/vLqG3 - +eORlYnyjiNXtiMIhmAEFjpWUrGH8v4CijpUNP6E63ynGrRVXK684YQXkqL+xPAt - t6dsMBUwf94a2S1o2kgvuRCim1wlHvf1QsHrO/Hwgpzc8no/daWL+Z9Rq9okTHNK - nc1G5dv8TkmxIDYnLm07QMzzBoOT36BcGtkEBA+0xhQlX5PyQdM5/jnZVhdSBmoP - MbZXPoU/gJAIuuBuwdTlgCzYf44/9/YU/AnW8eLrbhm9KtMtoMpatrWorKqk/GPv - /lGNRQuNffrbiQIDAQABo4H+MIH7MB0GA1UdDgQWBBTf5cYbK+KCF9u9aobFlLbu - ilwX4jCBywYDVR0jBIHDMIHAgBTf5cYbK+KCF9u9aobFlLbuilwX4qGBnKSBmTCB - ljELMAkGA1UEBhMCREUxDzANBgNVBAcTBkJlcmxpbjEbMBkGA1UECxMSdnBuLmV4 - dC5jLWJhc2Uub3JnMRswGQYDVQQDExJ2cG4uZXh0LmMtYmFzZS5vcmcxGzAZBgNV - BCkTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJARYQYWRtYXhAYy1i - YXNlLm9yZ4IJAPkM1l2zA306MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD - ggIBAMs1moiS7UZ4neOivQjqwKrBbm1j3tgmPLhDfNMmXYarGhnBGAlLxLAQWtG+ - Fnbx8KcsJnrsWcGfZcst1z45S4a5oBdVNKOfgkMOG0glZorIDO8Odrb51rpyzU0v - 0wcNumMNWhkFuo2OTBHPnnJIWEAFwwCCSCL0I0hQxxoaV36kphjuIwzrMJhd+XAT - 24En58cNp6sPRDd+FzOH08uFINevyzKWYxkMgVj+e3fbuiyOB8RqvndKvtfBBcpB - cCO86lGnj/ETMDciTczUShxaMn9wV1zr1KH1xvT3ohUeOcQZGbGTcjG4mxlns8ZO - U5J3Yrcd1eMfJq9Bwd3zPsTLnT8LwIS8vfYRav9b34XdqcBG73dhrjsicMK0Qy0z - Qz7vKJzcvrEnKuaMyB3mCxz/UvbNc2Bupwm4FmzN5eFjDs+7paYFdfOzqMjoRP+8 - bcXSqDN5P2eUd7cdsZXaFNcsf1FkWlE3GudVBOmNJqz9zBab/T5J+l4Z90Pd6OUX - 
GNozEvLhcJkvPKA526TegHTGC8hMquxKc9tpOzNRqZJMFa+UG1mgMrMepRmM/B3s - QrKI1C11iCVYfb9J0tQUkfENHMx4J7mG2DZAhnKWQDU2awM41qU4A7aBYaJvDPnQ - RRcbaT0D794lKUQwH/mZuyKzF22oZNk1o1TV2SaFXqgX5tDt - -----END CERTIFICATE----- - - ''; - }; -} diff --git a/lass/2configs/ciko.nix b/lass/2configs/ciko.nix deleted file mode 100644 index f32f062ff..000000000 --- a/lass/2configs/ciko.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config, pkgs, ... }: -with import ; -{ - users.users.ciko = { - uid = genid_uint31 "ciko"; - description = "acc for ciko"; - home = "/home/ciko"; - useDefaultShell = true; - createHome = true; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTUWm/fISw/gbuHvf3kwxGEuk1aY5HrNNvr8QXCQv0khDdaYmZSELbtFQtE04WGTWmackNcLpld5mETVyCM0BjOgqMJYQNhtywxfYcodEY5xxHCuGgA3S1t94MZub+DRodXCfB0yUV85Wbb0sltkMTJufMwYmLEGxSLRukxAOcNsXdjlyro96csmYrIiV6R7+REnz8OcR7sKlI4tvKA1mbvWmjbDBd1MZ8Jc0Lwf+b0H/rH69wEQIcB5HRHHJIChoAk0t2azSjXagk1+4AebONZTCKvTHxs/D2wUBIzoxyjmh5S0aso/cKw8qpKcl/A2mZiIvW3KMlJAM5U+RQKMrr" - ]; - isNormalUser = true; - }; - - system.activationScripts.user-shadow = '' - ${pkgs.coreutils}/bin/chmod +x /home/ciko - ''; -} - diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix deleted file mode 100644 index d0ba8912c..000000000 --- a/lass/2configs/codimd.nix +++ /dev/null 
@@ -1,70 +0,0 @@
-{ config, pkgs, lib, ... }:
-with import ;
-let
- domain = "pad.lassul.us";
-in
-{
-
- # redirect legacy domain to new one
- services.nginx.virtualHosts."codi.lassul.us" = {
- enableACME = true;
- addSSL = true;
- locations."/".return = "301 https://${domain}\$request_uri";
- };
-
- services.nginx.virtualHosts.${domain} = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "https://localhost:3091";
- proxyWebsockets = true;
- };
- };
-
- security.acme.certs.${domain}.group = "hedgecert";
- users.groups.hedgecert.members = [ "hedgedoc" "nginx" ];
-
- security.dhparams = {
- enable = true;
- params.hedgedoc = { };
- };
-
- systemd.services.hedgedoc.environment = {
- CMD_COOKIE_POLICY = "none";
- CMD_CSP_ALLOW_FRAMING = "true";
- };
-
- services.borgbackup.jobs.hetzner.paths = [
- "/var/backup"
- "/var/lib/hedgedoc"
- ];
- systemd.services.hedgedoc-backup = {
- startAt = "daily";
- serviceConfig = {
- ExecStart = ''${pkgs.sqlite}/bin/sqlite3 /var/lib/hedgedoc/db.hedgedoc.sqlite ".backup /var/backup/hedgedoc/backup.sq3"'';
- Type = "oneshot";
- };
- };
-
- services.hedgedoc = {
- enable = true;
- configuration.allowOrigin = [ domain ];
- settings = {
- db = {
- dialect = "sqlite";
- storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
- };
- useCDN = false;
- port = 3091;
- domain = domain;
- allowFreeURL = true;
-
- useSSL = true;
- protocolUseSSL = true;
- sslCAPath = [ "/etc/ssl/certs/ca-certificates.crt" ];
- sslCertPath = "/var/lib/acme/${domain}/cert.pem";
- sslKeyPath = "/var/lib/acme/${domain}/key.pem";
- dhParamPath = config.security.dhparams.params.hedgedoc.path;
- };
- };
-}
diff --git a/lass/2configs/consul.nix b/lass/2configs/consul.nix
deleted file mode 100644
index 67467364e..000000000
--- a/lass/2configs/consul.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- services.consul = {
- enable = true;
- # dropPrivileges = false;
- webUi = true;
- # interface.bind = "retiolum";
- extraConfig = {
- bind_addr = config.krebs.build.host.nets.retiolum.ip4.addr;
- bootstrap_expect = 3;
- server = true;
- # retry_join = config.services.consul.extraConfig.start_join;
- retry_join = lib.mapAttrsToList (n: h:
- lib.head h.nets.retiolum.aliases
- ) (lib.filterAttrs (n: h: h.consul) config.krebs.hosts);
- rejoin_after_leave = true;
-
- # try to fix random lock loss on leader reelection
- retry_interval = "3s";
- };
- };
-
- environment.etc."consul.d/testservice.json".text = builtins.toJSON {
- service = {
- name = "testing";
- };
- };
-
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-i retiolum -p tcp --dport 8300"; target = "ACCEPT"; }
- { predicate = "-i retiolum -p tcp --dport 8301"; target = "ACCEPT"; }
- { predicate = "-i retiolum -p udp --dport 8301"; target = "ACCEPT"; }
- { predicate = "-i retiolum -p tcp --dport 8302"; target = "ACCEPT"; }
- { predicate = "-i retiolum -p udp --dport 8302"; target = "ACCEPT"; }
- { predicate = "-i retiolum -p tcp --dport 8400"; target = "ACCEPT"; }
- { predicate = "-i retiolum -p tcp --dport 8500"; target = "ACCEPT"; }
- { predicate = "-i retiolum -p tcp --dport 8600"; target = "ACCEPT"; }
- { predicate = "-i retiolum -p udp --dport 8500"; target = "ACCEPT"; }
- ];
-}
diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix
deleted file mode 100644
index 0cfe193d9..000000000
--- a/lass/2configs/container-networking.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{ lib, ... }:
-
-{
- krebs.iptables.tables.filter.FORWARD.rules = [
- { v6 = false; predicate = "-d 10.233.2.0/24 -o ve-+ -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- { v6 = false; predicate = "-s 10.233.2.0/24 -i ve-+"; target = "ACCEPT"; }
- { v6 = false; predicate = "-i ve-+ -o ve-+"; target = "ACCEPT"; }
- { v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
- { v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
- ];
- krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [
- { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.nat.POSTROUTING.rules = [
- { v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
- { v6 = false; predicate = "-s 10.233.2.0/24 -d 255.255.255.255"; target = "RETURN"; }
- { v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24"; target = "MASQUERADE"; }
- { v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
- { v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
- ];
- boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;
-}
diff --git a/lass/2configs/copyq.nix b/lass/2configs/copyq.nix
deleted file mode 100644
index ed78699b0..000000000
--- a/lass/2configs/copyq.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ config, pkgs, ... }:
-with import ;
-let
- copyqConfig = pkgs.writeDash "copyq-config" ''
- ${pkgs.copyq}/bin/copyq config check_clipboard true
- ${pkgs.copyq}/bin/copyq config check_selection true
- ${pkgs.copyq}/bin/copyq config copy_clipboard true
- ${pkgs.copyq}/bin/copyq config copy_selection true
-
- ${pkgs.copyq}/bin/copyq config activate_closes true
- ${pkgs.copyq}/bin/copyq config clipboard_notification_lines 0
- ${pkgs.copyq}/bin/copyq config clipboard_tab \&clipboard
- ${pkgs.copyq}/bin/copyq config disable_tray true
- ${pkgs.copyq}/bin/copyq config hide_tabs true
- ${pkgs.copyq}/bin/copyq config hide_toolbar true
- ${pkgs.copyq}/bin/copyq config item_popup_interval true
- ${pkgs.copyq}/bin/copyq config maxitems 1000
- ${pkgs.copyq}/bin/copyq config move true
- ${pkgs.copyq}/bin/copyq config text_wrap true
- '';
-in {
- systemd.user.services.copyq = {
- wantedBy = [ "graphical-session.target" ];
- requires = [ "xmonad.service" ];
- environment = {
- DISPLAY = ":${toString config.services.xserver.display}";
- };
- serviceConfig = {
- SyslogIdentifier = "copyq";
- ExecStart = "${pkgs.copyq}/bin/copyq";
- ExecStartPost = copyqConfig;
- Restart = "always";
- RestartSec = "15s";
- StartLimitBurst = 0;
- };
- };
-}
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
deleted file mode 100644
index 6d4230c68..000000000
--- a/lass/2configs/default.nix
+++ /dev/null
@@ -1,249 +0,0 @@ -with import ; -{ config, pkgs, ... }: -{ - imports = [ - ./binary-cache/client.nix - ./gc.nix - ./mc.nix - ./vim.nix - ./zsh.nix - ./htop.nix - - ./wiregrill.nix - ./tmux.nix - ./tor-ssh.nix - ./networkd.nix - { - users.extraUsers = - mapAttrs (_: h: { hashedPassword = h; }) - (import ); - } - { - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - config.krebs.users.lass-blue.pubkey - config.krebs.users.lass-green.pubkey - ]; - }; - mainUser = { - name = "lass"; - uid = 1337; - home = "/home/lass"; - group = "users"; - createHome = true; - useDefaultShell = true; - isNormalUser = true; - extraGroups = [ - "audio" - "video" - "fuse" - "wheel" - "tor" - ]; - openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - config.krebs.users.lass-blue.pubkey - config.krebs.users.lass-green.pubkey - ]; - }; - }; - } - { - environment.variables = { - NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; - }; - } - (let ca-bundle = "/etc/ssl/certs/ca-bundle.crt"; in { - environment.variables = { - CURL_CA_BUNDLE = ca-bundle; - GIT_SSL_CAINFO = ca-bundle; - SSL_CERT_FILE = ca-bundle; - }; - }) - { - #for sshuttle - environment.systemPackages = [ - pkgs.python3Packages.python - ]; - } - ]; - - networking.hostName = config.krebs.build.host.name; - - krebs = { - enable = true; - build.user = config.krebs.users.lass; - ssl.trustIntermediate = true; - }; - - nix.useSandbox = true; - - users.mutableUsers = false; - - services.timesyncd.enable = mkForce true; - - # multiple-definition-problem when defining environment.variables.EDITOR - environment.extraInit = '' - EDITOR=vim - ''; - - nixpkgs.config.allowUnfree = true; - - environment.systemPackages = with pkgs; [ - #stockholm - deploy - git - git-absorb - git-preview - gnumake - jq - nix-output-monitor - - #style - rxvt-unicode-unwrapped.terminfo - alacritty.terminfo - - #monitoring tools - htop - iotop - - #network - iptables - iftop - tcpdump - 
mosh - eternal-terminal - sshify - - #stuff for dl - aria2 - - #neat utils - file - hashPassword - kpaste - cyberlocker-tools - pciutils - pop - q - rs - untilport - (pkgs.writeDashBin "urgent" '' - printf '\a' - '') - usbutils - logify - goify - - #unpack stuff - libarchive - - (pkgs.writeDashBin "sshn" '' - ${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@" - '') - ]; - - environment.shellAliases = { - ll = "ls -l"; - la = "ls -la"; - ls = "ls --color"; - ip = "ip -color=auto"; - grep = "grep --color=auto"; - }; - - programs.bash = { - enableCompletion = true; - interactiveShellInit = '' - HISTCONTROL='erasedups:ignorespace' - HISTSIZE=65536 - HISTFILESIZE=$HISTSIZE - - shopt -s checkhash - shopt -s histappend histreedit histverify - shopt -s no_empty_cmd_completion - complete -d cd - LS_COLORS=$LS_COLORS:'di=1;31:' ; export LS_COLORS - ''; - promptInit = '' - if test $UID = 0; then - PS1='\[\033[1;31m\]\w\[\033[0m\] ' - PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"' - elif test $UID = 1337; then - PS1='\[\033[1;32m\]\w\[\033[0m\] ' - PROMPT_COMMAND='echo -ne "\033]0;$$ $PWD\007"' - else - PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' - PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"' - fi - if test -n "$SSH_CLIENT"; then - PS1='\[\033[35m\]\h'" $PS1" - PROMPT_COMMAND='echo -ne "\033]0;$$ $HOSTNAME $USER@$PWD\007"' - fi - ''; - }; - - services.openssh.enable = true; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - Storage=persistent - ''; - - krebs.iptables = { - enable = true; - tables = { - nat.PREROUTING.rules = [ - { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; } - { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; } - { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; } - ]; - nat.OUTPUT.rules = [ - { predicate = "-o lo -p tcp -m tcp 
--dport 45621"; target = "REDIRECT --to-ports 22"; } - ]; - filter.INPUT.policy = "DROP"; - filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = mkMerge [ - (mkBefore [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { predicate = "-p icmp"; target = "ACCEPT"; } - { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; } - { predicate = "-i lo"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } - ]) - (mkOrder 1000 [ - { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; } - ]) - (mkAfter [ - { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; } - { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; } - { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; } - ]) - ]; - }; - }; - - networking.dhcpcd.extraConfig = '' - noipv4ll - ''; - - networking.extraHosts = '' - 10.42.0.1 styx.gg23 - ''; - - nix.extraOptions = '' - experimental-features = nix-command flakes - ''; - - # use 24:00 time format, the default got sneakily changed around 20.03 - i18n.defaultLocale = mkDefault "C.UTF-8"; - time.timeZone = mkDefault"Europe/Berlin"; - - # disable doc usually - documentation.nixos.enable = mkDefault false; -} diff --git a/lass/2configs/docker.nix b/lass/2configs/docker.nix deleted file mode 100644 index 2bc3a2361..000000000 --- a/lass/2configs/docker.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - systemd.services.krebs-iptables.serviceConfig.ExecStartPost = pkgs.writeDash "kick_docker" '' - ${pkgs.systemd}/bin/systemctl restart docker.service - ''; -} diff --git a/lass/2configs/dunst.nix b/lass/2configs/dunst.nix deleted file mode 100644 index 18a22e1da..000000000 
--- a/lass/2configs/dunst.nix
+++ /dev/null
@@ -1,277 +0,0 @@ -{ config, pkgs, ... }: -with import ; -let - dunstConfig = pkgs.writeText "dunst-config" '' - [global] - font = Iosevka Term 11 - - # Allow a small subset of html markup: - # bold - # italic - # strikethrough - # underline - # - # For a complete reference see - # . - # If markup is not allowed, those tags will be stripped out of the - # message. - markup = yes - plain_text = no - - # The format of the message. Possible variables are: - # %a appname - # %s summary - # %b body - # %i iconname (including its path) - # %I iconname (without its path) - # %p progress value if set ([ 0%] to [100%]) or nothing - # Markup is allowed - format = "%a\n%s\n%b" - - # Sort messages by urgency. - sort = yes - - # Show how many messages are currently hidden (because of geometry). - indicate_hidden = yes - - # Alignment of message text. - # Possible values are "left", "center" and "right". - alignment = center - - # The frequency with wich text that is longer than the notification - # window allows bounces back and forth. - # This option conflicts with "word_wrap". - # Set to 0 to disable. - bounce_freq = 0 - - # Show age of message if message is older than show_age_threshold - # seconds. - # Set to -1 to disable. - show_age_threshold = 1 - - # Split notifications into multiple lines if they don't fit into - # geometry. - word_wrap = yes - - # Ignore newlines '\n' in notifications. - ignore_newline = no - - # Hide duplicate's count and stack them - stack_duplicates = yes - hide_duplicates_count = no - - - # The geometry of the window: - # [{width}]x{height}[+/-{x}+/-{y}] - # The geometry of the message window. - # The height is measured in number of notifications everything else - # in pixels. If the width is omitted but the height is given - # ("-geometry x2"), the message window expands over the whole screen - # (dmenu-like). If width is 0, the window expands to the longest - # message displayed. 
A positive x is measured from the left, a - # negative from the right side of the screen. Y is measured from - # the top and down respectevly. - # The width can be negative. In this case the actual width is the - # screen width minus the width defined in within the geometry option. - geometry = "500x10-0+0" - - # Shrink window if it's smaller than the width. Will be ignored if - # width is 0. - shrink = no - - # The transparency of the window. Range: [0; 100]. - # This option will only work if a compositing windowmanager is - # present (e.g. xcompmgr, compiz, etc.). - # transparency = 5 - - # Don't remove messages, if the user is idle (no mouse or keyboard input) - # for longer than idle_threshold seconds. - # Set to 0 to disable. - idle_threshold = 0 - - # Which monitor should the notifications be displayed on. - monitor = keyboard - - # Display notification on focused monitor. Possible modes are: - # mouse: follow mouse pointer - # keyboard: follow window with keyboard focus - # none: don't follow anything - # - # "keyboard" needs a windowmanager that exports the - # _NET_ACTIVE_WINDOW property. - # This should be the case for almost all modern windowmanagers. - # - # If this option is set to mouse or keyboard, the monitor option - # will be ignored. - follow = none - - # Should a notification popped up from history be sticky or timeout - # as if it would normally do. - sticky_history = yes - - # Maximum amount of notifications kept in history - history_length = 15 - - # Display indicators for URLs (U) and actions (A). - show_indicators = no - - # The height of a single line. If the height is smaller than the - # font height, it will get raised to the font height. - # This adds empty space above and under the text. - line_height = 3 - - # Draw a line of "separatpr_height" pixel height between two - # notifications. - # Set to 0 to disable. - separator_height = 1 - - # Padding between text and separator. - padding = 1 - - # Horizontal padding. 
- horizontal_padding = 1 - - # Define a color for the separator. - # possible values are: - # * auto: dunst tries to find a color fitting to the background; - # * foreground: use the same color as the foreground; - # * frame: use the same color as the frame; - # * anything else will be interpreted as a X color. - separator_color = frame - - # Print a notification on startup. - # This is mainly for error detection, since dbus (re-)starts dunst - # automatically after a crash. - startup_notification = true - - # dmenu path. - dmenu = ${pkgs.dmenu}/bin/dmenu -p dunst: - - # Browser for opening urls in context menu. - browser = /usr/bin/firefox -new-tab - - # Align icons left/right/off - icon_position = off - max_icon_size = 80 - - # Paths to default icons. - icon_folders = /usr/share/icons/Paper/16x16/mimetypes/:/usr/share/icons/Paper/48x48/status/:/usr/share/icons/Paper/16x16/devices/:/usr/share/icons/Paper/48x48/notifications/:/usr/share/icons/Paper/48x48/emblems/ - - frame_width = 2 - frame_color = "#8EC07C" - - [shortcuts] - - # Shortcuts are specified as [modifier+][modifier+]...key - # Available modifiers are "ctrl", "mod1" (the alt-key), "mod2", - # "mod3" and "mod4" (windows-key). - # Xev might be helpful to find names for keys. - - # Close notification. - close = ctrl+space - - # Close all notifications. - close_all = ctrl+shift+space - - # Redisplay last message(s). - # On the US keyboard layout "grave" is normally above TAB and left - # of "1". - history = ctrl+grave - - # Context menu. - context = mod4+u - - [urgency_low] - # IMPORTANT: colors have to be defined in quotation marks. - # Otherwise the "#" and following would be interpreted as a comment. 
- frame_color = "#3B7C87" - foreground = "#3B7C87" - background = "#191311" - #background = "#2B313C" - timeout = 1 - - [urgency_normal] - frame_color = "#5B8234" - foreground = "#5B8234" - background = "#191311" - #background = "#2B313C" - timeout = 1 - - [urgency_critical] - frame_color = "#B7472A" - foreground = "#B7472A" - background = "#191311" - #background = "#2B313C" - timeout = 1 - - - # Every section that isn't one of the above is interpreted as a rules to - # override settings for certain messages. - # Messages can be matched by "appname", "summary", "body", "icon", "category", - # "msg_urgency" and you can override the "timeout", "urgency", "foreground", - # "background", "new_icon" and "format". - # Shell-like globbing will get expanded. - # - # SCRIPTING - # You can specify a script that gets run when the rule matches by - # setting the "script" option. - # The script will be called as follows: - # script appname summary body icon urgency - # where urgency can be "LOW", "NORMAL" or "CRITICAL". - # - # NOTE: if you don't want a notification to be displayed, set the format - # to "". - # NOTE: It might be helpful to run dunst -print in a terminal in order - # to find fitting options for rules. 
- - #[espeak] - # summary = "*" - # script = dunst_espeak.sh - - #[script-test] - # summary = "*script*" - # script = dunst_test.sh - - #[ignore] - # # This notification will not be displayed - # summary = "foobar" - # format = "" - - #[signed_on] - # appname = Pidgin - # summary = "*signed on*" - # urgency = low - # - #[signed_off] - # appname = Pidgin - # summary = *signed off* - # urgency = low - # - #[says] - # appname = Pidgin - # summary = *says* - # urgency = critical - # - #[twitter] - # appname = Pidgin - # summary = *twitter.com* - # urgency = normal - # - # vim: ft=cfg - ''; -in { - systemd.user.services.dunst = { - wantedBy = [ "graphical-session.target" ]; - requires = [ "xmonad.service" ]; - environment = { - DISPLAY = ":${toString config.services.xserver.display}"; - }; - serviceConfig = { - SyslogIdentifier = "dunst"; - ExecStart = "${pkgs.dunst}/bin/dunst -conf ${dunstConfig}"; - Restart = "always"; - RestartSec = "15s"; - StartLimitBurst = 0; - }; - }; -} diff --git a/lass/2configs/elster.nix b/lass/2configs/elster.nix deleted file mode 100644 index 5d68def35..000000000 --- a/lass/2configs/elster.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - -in { - users.extraUsers = { - elster = { - name = "elster"; - description = "user for running elster-online"; - home = "/home/elster"; - useDefaultShell = true; - extraGroups = []; - createHome = true; - isNormalUser = true; - }; - }; - krebs.per-user.elster.packages = [ - pkgs.chromium - ]; - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(elster) NOPASSWD: ALL - ''; -} diff --git a/lass/2configs/et-server.nix b/lass/2configs/et-server.nix deleted file mode 100644 index 19961fb84..000000000 --- a/lass/2configs/et-server.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - services.eternal-terminal = { - enable = true; - }; - networking.firewall.allowedTCPPorts = [ config.services.eternal-terminal.port ]; -} 
diff --git a/lass/2configs/exim-retiolum.nix b/lass/2configs/exim-retiolum.nix
deleted file mode 100644
index 589e17551..000000000
--- a/lass/2configs/exim-retiolum.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import ;
-
-{
- krebs.exim-retiolum = {
- enable = true;
- system-aliases = [
- { from = "root"; to = "lass"; }
- ];
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
- ];
-}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
deleted file mode 100644
index 2a3a6b1e5..000000000
--- a/lass/2configs/exim-smarthost.nix
+++ /dev/null
@@ -1,62 +0,0 @@ -{ config, lib, pkgs, ... }: with import ; let - - to = concatStringsSep "," [ - "lass@green.r" - ]; - - mails = import ; - -in { - environment.systemPackages = [ pkgs.review-mail-queue ]; - - krebs.exim-smarthost = { - enable = true; - dkim = [ - { domain = "lassul.us"; } - ]; - ssl_cert = "/var/lib/acme/mail.lassul.us/fullchain.pem"; - ssl_key = "/var/lib/acme/mail.lassul.us/key.pem"; - primary_hostname = "lassul.us"; - sender_domains = [ - "lassul.us" - ]; - relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [ - config.krebs.hosts.aergia - config.krebs.hosts.blue - config.krebs.hosts.coaxmetal - config.krebs.hosts.green - config.krebs.hosts.mors - config.krebs.hosts.xerxes - ]; - internet-aliases = map (from: { inherit from to; }) mails ++ [ - ]; - system-aliases = [ - { from = "mailer-daemon"; to = "postmaster"; } - { from = "postmaster"; to = "root"; } - { from = "nobody"; to = "root"; } - { from = "hostmaster"; to = "root"; } - { from = "usenet"; to = "root"; } - { from = "news"; to = "root"; } - { from = "webmaster"; to = "root"; } - { from = "www"; to = "root"; } - { from = "ftp"; to = "root"; } - { from = "abuse"; to = "root"; } - { from = "noc"; to = "root"; } - { from = "security"; to = "root"; } - { from = "root"; to = "lass"; } - ]; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } - ]; - - security.acme.certs."mail.lassul.us" = { - group = "lasscert"; - webroot = "/var/lib/acme/acme-challenge"; - }; - users.groups.lasscert.members = [ - "dovecot2" - "exim" - "nginx" - ]; -} diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix deleted file mode 100644 index 781dad032..000000000 --- a/lass/2configs/fetchWallpaper.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, pkgs, ... }: - -let - -in { - krebs.fetchWallpaper = { - enable = true; - url = "http://wallpaper.r/realwallpaper-krebs-stars-berlin.png"; - }; -} - 
diff --git a/lass/2configs/firefoxPatched.nix b/lass/2configs/firefoxPatched.nix deleted file mode 100644 index daf8a28be..000000000 --- a/lass/2configs/firefoxPatched.nix +++ /dev/null @@ -1,58 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - lpkgs = import ../5pkgs { inherit pkgs; }; - - inherit (lib) - concatMapStrings - ; - - plugins = with lpkgs.firefoxPlugins; [ - noscript - ublock - vimperator - ]; - - copyXpi = plugin: - "cp ${plugin}/*.xpi $out/usr/lib/firefox-*/browser/extensions/"; - - preferences = pkgs.writeText "autoload.js" '' - pref('general.config.filename', 'firefox.cfg'); - pref('general.config.obscure_value', 0); - ''; - - config = pkgs.writeText "firefox.cfg" '' - // - lockPref("app.update.enabled", false); - lockPref("extensions.update.enabled", false); - lockPref("autoadmin.global_config_url", ""); - lockPref("extensions.checkUpdateSecurity", false); - lockPref("services.sync.enabled", false); - lockPref("browser.shell.checkDefaultBrowser", false); - lockPref("layout.spellcheckDefault", 0); - lockPref("app.update.auto", false); - lockPref("browser.newtabpage.enabled", false); - lockPref("noscript.firstRunRedirection", false); - lockPref("noscript.hoverUI", false); - lockPref("noscript.notify", false); - defaultPref("extensions.newAddons", false); - defaultPref("extensions.autoDisableScopes", 0); - defaultPref("plugin.scan.plid.all", false); - ''; - -in { - environment.systemPackages = [ - (pkgs.lib.overrideDerivation pkgs.firefox-bin (original : { - installPhase = '' - ${original.installPhase} - find $out/usr/lib - ${concatMapStrings copyXpi plugins} - cd $out/usr/lib/firefox-*/ - mkdir -p browser/defaults/preferences - cp ${preferences} browser/defaults/preferences/autoload.js - cp ${config} ./firefox.cfg - ''; - })) - ]; -} - diff --git a/lass/2configs/fonts.nix b/lass/2configs/fonts.nix deleted file mode 100644 index 3d047e513..000000000 --- a/lass/2configs/fonts.nix +++ /dev/null 
@@ -1,14 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - fonts = { - fontDir.enable = true; - enableGhostscriptFonts = true; - - fonts = with pkgs; [ - xorg.fontschumachermisc - inconsolata - noto-fonts - (iosevka-bin.override { variant = "ss15"; }) - ]; - }; -} diff --git a/lass/2configs/fysiirc.nix b/lass/2configs/fysiirc.nix deleted file mode 100644 index b2912d894..000000000 --- a/lass/2configs/fysiirc.nix +++ /dev/null 
@@ -1,69 +0,0 @@ -{ config, lib, pkgs, ... }: let - - format-github-message = pkgs.writeDashBin "format-github-message" '' - set -efu - export PATH=${lib.makeBinPath [ - pkgs.jq - ]} - INPUT=$(jq -c .) - if $(printf '%s' "$INPUT" | jq 'has("issue") or has("pull_request")'); then - ${write_to_irc} "$(printf '%s' "$INPUT" | jq -r ' - "\(.action): " + - "[\(.issue.title // .pull_request.title)] " + - "\(.comment.html_url // .issue.html_url // .pull_request.html_url) " - ')" - fi - ''; - - write_to_irc = pkgs.writeDash "write_to_irc" '' - ${pkgs.curl}/bin/curl -fsSv http://localhost:44001 \ - -H content-type:application/json \ - -d "$(${pkgs.jq}/bin/jq -n \ - --arg text "$1" '{ - command:"PRIVMSG", - params:["#fysi",$text] - }' - )" - ''; - -in { - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 44002"; target = "ACCEPT"; } - ]; - krebs.reaktor2.fysiweb-github = { - hostname = "irc.libera.chat"; - port = "6697"; - useTLS = true; - nick = "fysiweb-github"; - API.listen = "inet://127.0.0.1:44001"; - plugins = [ - { - plugin = "register"; - config = { - channels = [ - "#fysi" - ]; - }; - } - ]; - }; - krebs.htgen.fysiweb-github = { - port = 44002; - user = { - name = "reaktor2-fysiweb-github"; - }; - script = ''. ${pkgs.writeDash "github-irc" '' - set -xefu - case "$Method $Request_URI" in - "POST /") - payload=$(head -c "$req_content_length") - printf '%s' "$payload" | ${format-github-message}/bin/format-github-message - printf 'HTTP/1.1 200 OK\r\n' - printf 'Connection: close\r\n' - printf '\r\n' - exit - ;; - esac - ''}''; - }; -} diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix deleted file mode 100644 index 01941bde8..000000000 --- a/lass/2configs/games.nix +++ /dev/null 
@@ -1,96 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - vdoom = pkgs.writeDash "vdoom" '' - ${pkgs.zandronum}/bin/zandronum \ - -fov 120 \ - "$@" - ''; - doom = pkgs.writeDash "doom" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${vdoom} \ - -file $DOOM_DIR/lib/brutalv21.pk3 \ - "$@" - ''; - doom1 = pkgs.writeDashBin "doom1" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${doom} -iwad $DOOM_DIR/wads/stock/doom.wad "$@" - ''; - doom2 = pkgs.writeDashBin "doom2" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${doom} -iwad $DOOM_DIR/wads/stock/doom2.wad "$@" - ''; - vdoom1 = pkgs.writeDashBin "vdoom1" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${vdoom} -iwad $DOOM_DIR/wads/stock/doom.wad "$@" - ''; - vdoom2 = pkgs.writeDashBin "vdoom2" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${vdoom} -iwad $DOOM_DIR/wads/stock/doom2.wad "$@" - ''; - - doomservercfg = pkgs.writeText "doomserver.cfg" '' - skill 7 - #survival true - #sv_maxlives 4 - #sv_norespawn true - #sv_weapondrop true - no_jump true - #sv_noweaponspawn true - sv_sharekeys true - sv_survivalcountdowntime 1 - sv_noteamselect true - sv_updatemaster false - #sv_coop_loseinventory true - #cl_startasspectator false - #lms_spectatorview false - ''; - - vdoomserver = pkgs.writeDashBin "vdoomserver" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - - ${pkgs.zandronum}/bin/zandronum-server \ - +exec ${doomservercfg} \ - "$@" - ''; - -in { - users.extraUsers = { - games = { - name = "games"; - description = "user playing games"; - home = "/home/games"; - extraGroups = [ "audio" "video" "input" "loot" "pipewire" ]; - createHome = true; - useDefaultShell = true; - packages = with pkgs; [ - # minecraft - # ftb - # steam-run - # scummvm - # dolphinEmu - doom1 - doom2 - # protontricks - vdoom1 - # vdoom2 - # vdoomserver - retroarchBare - ]; - isNormalUser = true; - }; - }; - - hardware.opengl.driSupport32Bit = true; - hardware.pulseaudio.support32Bit = true; - - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(games) 
NOPASSWD: ALL - ''; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 10666"; target = "ACCEPT"; } - { predicate = "-p udp --dport 10666"; target = "ACCEPT"; } - ]; -} diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix deleted file mode 100644 index d56e95368..000000000 --- a/lass/2configs/gc.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, ... }: - -with import ; -{ - nix.gc = { - automatic = ! (elem config.krebs.build.host.name [ "aergia" "mors" "xerxes" "coaxmetal" ] || config.boot.isContainer); - options = "--delete-older-than 15d"; - }; -} diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix deleted file mode 100644 index bb38f1f90..000000000 --- a/lass/2configs/gg23.nix +++ /dev/null 
@@ -1,93 +0,0 @@ -{ config, pkgs, ... }: -with import ; - -{ - # ipv6 from vodafone is really really flaky - boot.kernel.sysctl."net.ipv6.conf.et0.disable_ipv6" = 1; - systemd.network.networks."50-et0" = { - matchConfig.Name = "et0"; - DHCP = "ipv4"; - # dhcpV4Config.UseDNS = false; - # dhcpV6Config.UseDNS = false; - linkConfig = { - RequiredForOnline = "routable"; - }; - networkConfig = { - LinkLocalAddressing = "no"; - }; - # dhcpV6Config = { - # PrefixDelegationHint = "::/60"; - # }; - # networkConfig = { - # IPv6AcceptRA = true; - # }; - # ipv6PrefixDelegationConfig = { - # Managed = true; - # }; - }; - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - systemd.network.networks."50-int0" = { - name = "int0"; - address = [ - "10.42.0.1/24" - ]; - networkConfig = { - # IPForward = "yes"; - # IPMasquerade = "both"; - ConfigureWithoutCarrier = true; - DHCPServer = "yes"; - # IPv6SendRA = "yes"; - # DHCPPrefixDelegation = "yes"; - }; - dhcpServerStaticLeases = [ - { - dhcpServerStaticLeaseConfig = { - Address = "10.42.0.4"; - MACAddress = "3c:2a:f4:22:28:37"; - }; - } - ]; - }; - networking.networkmanager.unmanaged = [ "int0" ]; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i int0"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { predicate = "-i int0"; target = "ACCEPT"; } - { predicate = "-o int0"; target = "ACCEPT"; } - { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; } - ]; - krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ - { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.POSTROUTING.rules = [ - { v6 = false; predicate = "-s 10.42.0.0/24"; target = "MASQUERADE"; } - ]; - - networking.domain = "gg23"; - - networking.useHostResolvConf = false; - services.resolved.extraConfig = '' - DNSStubListener=no - ''; - services.dnsmasq = { - enable = true; - resolveLocalQueries = false; - - extraConfig = '' - local=/gg23/ - domain=gg23 - expand-hosts - 
listen-address=10.42.0.1 - interface=int0 - ''; - }; - - environment.systemPackages = [ - (pkgs.writers.writeDashBin "restart_router" '' - ${pkgs.mosquitto}/bin/mosquitto_pub -h localhost -t 'cmnd/router/POWER' -u gg23 -P gg23-mqtt -m OFF - sleep 2 - ${pkgs.mosquitto}/bin/mosquitto_pub -h localhost -t 'cmnd/router/POWER' -u gg23 -P gg23-mqtt -m ON - '') - ]; -} diff --git a/lass/2configs/git-brain.nix b/lass/2configs/git-brain.nix deleted file mode 100644 index d4ce263ef..000000000 --- a/lass/2configs/git-brain.nix +++ /dev/null @@ -1,56 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ; -let - - repos = krebs-repos; - rules = concatMap krebs-rules (attrValues krebs-repos); - - krebs-repos = mapAttrs make-krebs-repo { - brain = { }; - }; - - - make-krebs-repo = with git; name: { cgit ? {}, ... }: { - inherit cgit name; - public = false; - hooks = { - post-receive = pkgs.git-hooks.irc-announce { - nick = config.networking.hostName; - verbose = true; - channel = "#xxx"; - # TODO remove the hardcoded hostname - server = "irc.r"; - }; - }; - }; - - - - # TODO: get the list of all krebsministers - krebsminister = with config.krebs.users; [ makefu tv kmein ]; - krebs-rules = repo: - set-owners repo [ config.krebs.users.lass ] ++ set-ro-access repo krebsminister; - - set-ro-access = with git; repo: user: - singleton { - inherit user; - repo = [ repo ]; - perm = fetch; - }; - - set-owners = with git;repo: user: - singleton { - inherit user; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - }; - -in { - krebs.git = { - enable = true; - cgit = { - enable = false; - }; - inherit repos rules; - }; -} diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix deleted file mode 100644 index 16260b77b..000000000 --- a/lass/2configs/git.nix +++ /dev/null 
@@ -1,206 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; - -let - - out = { - services.nginx.enable = true; - krebs.git = { - enable = true; - cgit = { - settings = { - root-title = "public repositories at ${config.krebs.build.host.name}"; - root-desc = "keep calm and engage"; - }; - }; - repos = repos; - rules = rules; - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } - ]; - - system.activationScripts.spool-chmod = '' - ${pkgs.coreutils}/bin/chmod +x /var/spool - ''; - }; - - cgit-clear-cache = pkgs.cgit-clear-cache.override { - inherit (config.krebs.git.cgit.settings) cache-root; - }; - - repos = - public-repos // - optionalAttrs config.krebs.build.host.secure restricted-repos; - - rules = concatMap make-rules (attrValues repos); - - public-repos = mapAttrs make-public-repo { - Reaktor = { - cgit.desc = "Reaktor IRC bot"; - cgit.section = "software"; - }; - buildbot-classic = { - cgit.desc = "fork of buildbot"; - cgit.section = "software"; - }; - cholerab = { - cgit.desc = "krebs thesauron & enterprise-patterns"; - cgit.section = "documentation"; - }; - disko = { - cgit.desc = "take a description of your disk layout and produce a format script"; - cgit.section = "software"; - }; - go = { - cgit.desc = "url shortener"; - cgit.section = "software"; - }; - grib2json-bin = { - cgit.desc = "build jar of grib2json"; - cgit.section = "deployment"; - }; - krebspage = { - cgit.desc = "homepage of krebs"; - cgit.section = "configuration"; - }; - krops = { - cgit.desc = "krebs deployment"; - cgit.section = "software"; - }; - news = { - cgit.desc = "take a rss feed and a timeout and print it to stdout"; - cgit.section = "software"; - }; - newsbot-js = { - cgit.desc = "print rss feeds to irc channels"; - cgit.section = "software"; - }; - nix-user-chroot = { - cgit.desc = "Fork of nix-user-chroot by lethalman"; - cgit.section = "software"; - }; - nix-writers = { - cgit.desc = "high level writers 
for nix"; - cgit.section = "software"; - }; - nixos-generators = { - cgit.desc = "custom image builders"; - cgit.section = "software"; - }; - nixpkgs = { - cgit.desc = "nixpkgs fork"; - cgit.section = "configuration"; - }; - populate = { - cgit.section = "software"; - }; - reaktor2 = { - cgit.desc = "irc bot"; - cgit.section = "software"; - }; - stockholm = { - cgit.desc = "take all the computers hostage, they'll love you!"; - cgit.section = "configuration"; - }; - stockholm-issues = { - cgit.desc = "stockholm issues"; - cgit.section = "issues"; - }; - the_playlist = { - cgit.desc = "Good Music collection + tools"; - cgit.section = "art"; - }; - workadventure-nix = { - cgit.desc = "Nix packaging for workadventure"; - cgit.section = "deployment"; - }; - xmonad-stockholm = { - cgit.desc = "krebs xmonad modules"; - cgit.section = "configuration"; - }; - } // mapAttrs make-public-repo-silent { - }; - - restricted-repos = mapAttrs make-restricted-repo ( - { - brain = { - collaborators = with config.krebs.users; [ tv makefu ]; - announce = true; - }; - } // - import { inherit config lib pkgs; } - ); - - make-public-repo = name: { cgit ? {}, collaborators ? [], ... }: { - inherit cgit collaborators name; - public = true; - hooks = { - post-receive = '' - ${pkgs.git-hooks.irc-announce { - # TODO make nick = config.krebs.build.host.name the default - nick = config.krebs.build.host.name; - channel = "#xxx"; - # TODO define refs in some kind of option per repo - server = "irc.r"; - verbose = config.krebs.build.host.name == "orange"; - }} - ${cgit-clear-cache}/bin/cgit-clear-cache - ''; - }; - }; - - make-public-repo-silent = name: { cgit ? {}, ... }: { - inherit cgit name; - public = true; - }; - - make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? true, hooks ? {}, ... 
}: { - inherit admins collaborators name; - public = false; - hooks = { - post-receive = '' - ${optionalString announce (pkgs.git-hooks.irc-announce { - # TODO make nick = config.krebs.build.host.name the default - nick = config.krebs.build.host.name; - channel = "#xxx"; - # TODO define refs in some kind of option per repo - refs = [ - "refs/heads/master" - "refs/heads/staging*" - ]; - server = "irc.r"; - verbose = false; - })} - ${cgit-clear-cache}/bin/cgit-clear-cache - ''; - } // hooks; - }; - - make-rules = - with git // config.krebs.users; - repo: - singleton { - user = [ lass lass-green ]; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } ++ - optional (length (repo.admins or []) > 0) { - user = repo.admins; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } ++ - optional (length (repo.collaborators or []) > 0) { - user = repo.collaborators; - repo = [ repo ]; - perm = fetch; - } ++ - optional repo.public { - user = attrValues config.krebs.users; - repo = [ repo ]; - perm = fetch; - }; - -in out diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix deleted file mode 100644 index ecf89b298..000000000 --- a/lass/2configs/go.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - krebs.go = { - enable = true; - }; - services.nginx = { - enable = true; - virtualHosts.go = { - locations."/".extraConfig = '' - proxy_set_header Host go.lassul.us; - proxy_pass http://localhost:1337; - ''; - serverAliases = [ - "go.lassul.us" - ]; - }; - }; -} - diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix deleted file mode 100644 index 66088a562..000000000 --- a/lass/2configs/green-host.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ config, pkgs, ... }: -{ - krebs.sync-containers3.containers.green = { - sshKey = "${toString }/green.sync.key"; - }; -} 
diff --git a/lass/2configs/green-hosts/cryfs.nix b/lass/2configs/green-hosts/cryfs.nix deleted file mode 100644 index d60dc5951..000000000 --- a/lass/2configs/green-hosts/cryfs.nix +++ /dev/null 
@@ -1,95 +0,0 @@ -# seems to work, very slow though - -{ config, lib, pkgs, ... }: -with import ; - -let - - cname = "green-cryfs"; - -in { - imports = [ - - - ]; - - programs.fuse.userAllowOther = true; - - services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/cryfs" = { - devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; - ignorePerms = false; - }; - - lass.bindfs."/var/lib/sync-containers/${cname}/cryfs" = { - source = "/var/lib/sync-containers/${cname}/cryfs"; - options = [ - "-M ${toString config.users.users.syncthing.uid} -u root -g root" - ]; - }; - - - systemd.services."container@${cname}".reloadIfChanged = mkForce false; - containers.${cname} = { - config = { ... }: { - environment.systemPackages = [ - pkgs.git - pkgs.rxvt-unicode-unwrapped.terminfo - ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - system.activationScripts.fuse = { - text = '' - ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 - ''; - deps = []; - }; - }; - allowedDevices = [ - { modifier = "rwm"; node = "/dev/fuse"; } - ]; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs - localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs - }; - - environment.systemPackages = [ - (pkgs.writeDashBin "init-${cname}" '' - set -euf - set -x - - mkdir -p /var/lib/sync-containers/${cname}/cryfs - '') - (pkgs.writeDashBin "start-${cname}" '' - set -euf - set -x - - mkdir -p /var/lib/containers/${cname}/var/state - - STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) - if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start ${cname} - fi - - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' - set -x - - mkdir -p /var/state/var_src - ln -sfTr /var/state/var_src /var/src - touch 
/etc/NIXOS - ''} - - if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch - fi - '') - (pkgs.writeDashBin "stop-${cname}" '' - set -euf - - ${pkgs.nixos-container}/bin/nixos-container stop ${cname} - '') - ]; -} diff --git a/lass/2configs/green-hosts/ecryptfs.nix b/lass/2configs/green-hosts/ecryptfs.nix deleted file mode 100644 index 2c335f6f2..000000000 --- a/lass/2configs/green-hosts/ecryptfs.nix +++ /dev/null 
@@ -1,99 +0,0 @@ - -{ config, lib, pkgs, ... }: -with import ; - -let - - cname = "green"; - -in { - imports = [ - - - ]; - - programs.fuse.userAllowOther = true; - - services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/ecryptfs" = { - devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; - ignorePerms = false; - }; - - krebs.permown."/var/lib/sync-containers/${cname}/ecryptfs" = { - file-mode = "u+rw"; - directory-mode = "u+rwx"; - owner = "syncthing"; - keepGoing = false; - }; - - systemd.services."container@${cname}".reloadIfChanged = mkForce false; - containers.${cname} = { - config = { ... }: { - environment.systemPackages = [ - pkgs.git - pkgs.rxvt-unicode-unwrapped.terminfo - ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - system.activationScripts.fuse = { - text = '' - ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 - ''; - deps = []; - }; - }; - allowedDevices = [ - { modifier = "rwm"; node = "/dev/fuse"; } - ]; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs - localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs - }; - - environment.systemPackages = [ - pkgs.ecryptfs - pkgs.keyutils - (pkgs.writeDashBin "start-${cname}" '' - set -euf - set -x - - mkdir -p /var/lib/containers/${cname}/var/state - - if ! 
mount | grep -q '/var/lib/sync-containers/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then - if [ -e /var/lib/sync-containers/${cname}/ecryptfs/.cfg.json ]; then - ${pkgs.ecrypt}/bin/ecrypt mount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state - else - ${pkgs.ecrypt}/bin/ecrypt init /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state - fi - fi - - STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) - if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start ${cname} - fi - - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' - set -x - - mkdir -p /var/state/var_src - ln -sfTr /var/state/var_src /var/src - touch /etc/NIXOS - ''} - - if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch - fi - '') - (pkgs.writeDashBin "stop-${cname}" '' - set -euf - - ${pkgs.nixos-container}/bin/nixos-container stop ${cname} - ${pkgs.ecrypt}/bin/ecrypt unmount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state - '') - ]; -} - diff --git a/lass/2configs/green-hosts/plain-bindfs.nix b/lass/2configs/green-hosts/plain-bindfs.nix deleted file mode 100644 index 81d8f20c2..000000000 --- a/lass/2configs/green-hosts/plain-bindfs.nix +++ /dev/null 
@@ -1,90 +0,0 @@ -# this seems to work, sadly there are no inotify events on the state directory because bindfs hides them, - -{ config, lib, pkgs, ... }: -with import ; - -let - - cname = "green-plain"; - -in { - imports = [ - - - ]; - - programs.fuse.userAllowOther = true; - - services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { - devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; - ignorePerms = false; - }; - - lass.bindfs."/var/lib/containers/${cname}/var/state" = { - source = "/var/lib/containers/${cname}/var/state"; - options = [ - "-M ${toString config.users.users.syncthing.uid} -u root -g root" - ]; - }; - - - systemd.services."container@${cname}".reloadIfChanged = mkForce false; - containers.${cname} = { - config = { ... }: { - environment.systemPackages = [ - pkgs.git - pkgs.rxvt-unicode-unwrapped.terminfo - ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - system.activationScripts.fuse = { - text = '' - ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 - ''; - deps = []; - }; - }; - allowedDevices = [ - { modifier = "rwm"; node = "/dev/fuse"; } - ]; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs - localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs - }; - - environment.systemPackages = [ - (pkgs.writeDashBin "start-${cname}" '' - set -euf - set -x - - mkdir -p /var/lib/containers/${cname}/var/state - - STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) - if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start ${cname} - fi - - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' - set -x - - mkdir -p /var/state/var_src - ln -sfTr /var/state/var_src /var/src - touch /etc/NIXOS - ''} - - if [ -h 
/var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch - fi - '') - (pkgs.writeDashBin "stop-${cname}" '' - set -euf - - ${pkgs.nixos-container}/bin/nixos-container stop ${cname} - '') - ]; -} - diff --git a/lass/2configs/green-hosts/plain-permown.nix b/lass/2configs/green-hosts/plain-permown.nix deleted file mode 100644 index 21a7d0085..000000000 --- a/lass/2configs/green-hosts/plain-permown.nix +++ /dev/null 
@@ -1,88 +0,0 @@ -# this seems to work fine, downsides are, all state is owned by syncthing and could be read by the guests syncthing - - -{ config, lib, pkgs, ... }: -with import ; - -let - - cname = "green-plain"; - -in { - imports = [ - - - ]; - - services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { - devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; - ignorePerms = false; - }; - - krebs.permown."/var/lib/containers/${cname}/var/state" = { - file-mode = "u+rw"; - directory-mode = "u+rwx"; - owner = "syncthing"; - keepGoing = true; - }; - - systemd.services."container@${cname}".reloadIfChanged = mkForce false; - containers.${cname} = { - config = { ... }: { - environment.systemPackages = [ - pkgs.git - pkgs.rxvt-unicode-unwrapped.terminfo - ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - system.activationScripts.fuse = { - text = '' - ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 - ''; - deps = []; - }; - }; - allowedDevices = [ - { modifier = "rwm"; node = "/dev/fuse"; } - ]; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs - localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs - }; - - environment.systemPackages = [ - (pkgs.writeDashBin "start-${cname}" '' - set -euf - set -x - - mkdir -p /var/lib/containers/${cname}/var/state - - STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) - if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start ${cname} - fi - - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' - set -x - - mkdir -p /var/state/var_src - ln -sfTr /var/state/var_src /var/src - touch /etc/NIXOS - ''} - - if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! 
ping -c1 -q -w5 ${cname}.r); then - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch - fi - '') - (pkgs.writeDashBin "stop-${cname}" '' - set -euf - - ${pkgs.nixos-container}/bin/nixos-container stop ${cname} - '') - ]; -} - diff --git a/lass/2configs/green-hosts/plain.nix b/lass/2configs/green-hosts/plain.nix deleted file mode 100644 index 58f54b748..000000000 --- a/lass/2configs/green-hosts/plain.nix +++ /dev/null 
@@ -1,87 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ; - -let - - cname = "green-plain"; - -in { - imports = [ - - - ]; - - programs.fuse.userAllowOther = true; - - services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = { - devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; - ignorePerms = false; - }; - - krebs.permown."/var/lib/containers/${cname}/var/state" = { - file-mode = "u+rw"; - directory-mode = "u+rwx"; - owner = "syncthing"; - keepGoing = true; - }; - - systemd.services."container@${cname}".reloadIfChanged = mkForce false; - containers.${cname} = { - config = { ... }: { - environment.systemPackages = [ - pkgs.git - pkgs.rxvt-unicode-unwrapped.terminfo - ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - system.activationScripts.fuse = { - text = '' - ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 - ''; - deps = []; - }; - }; - allowedDevices = [ - { modifier = "rwm"; node = "/dev/fuse"; } - ]; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs - localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs - }; - - environment.systemPackages = [ - (pkgs.writeDashBin "start-${cname}" '' - set -euf - set -x - - mkdir -p /var/lib/containers/${cname}/var/state - - STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) - if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start ${cname} - fi - - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' - set -x - - mkdir -p /var/state/var_src - ln -sfTr /var/state/var_src /var/src - touch /etc/NIXOS - ''} - - if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! 
ping -c1 -q -w5 ${cname}.r); then - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch - fi - '') - (pkgs.writeDashBin "stop-${cname}" '' - set -euf - - ${pkgs.nixos-container}/bin/nixos-container stop ${cname} - '') - ]; -} - diff --git a/lass/2configs/green-hosts/securefs.nix b/lass/2configs/green-hosts/securefs.nix deleted file mode 100644 index a69cfe6ca..000000000 --- a/lass/2configs/green-hosts/securefs.nix +++ /dev/null 
@@ -1,101 +0,0 @@ -# broken, muchsync cant sync into the folders which should be handles by bindfs -# ls -la also does not show the full directory permissions -{ config, lib, pkgs, ... }: -with import ; - -let - - cname = "green"; - -in { - imports = [ - - - ]; - - programs.fuse.userAllowOther = true; - - services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/securefs" = { - devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; - ignorePerms = false; - }; - - krebs.permown."/var/lib/sync-containers/${cname}/securefs" = { - file-mode = "u+rw"; - directory-mode = "u+rwx"; - owner = "syncthing"; - keepGoing = false; - }; - - systemd.services."container@${cname}".reloadIfChanged = mkForce false; - containers.${cname} = { - config = { ... }: { - environment.systemPackages = [ - pkgs.git - pkgs.rxvt-unicode-unwrapped.terminfo - ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - system.activationScripts.fuse = { - text = '' - ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 - ''; - deps = []; - }; - }; - allowedDevices = [ - { modifier = "rwm"; node = "/dev/fuse"; } - ]; - autoStart = false; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs - localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs - }; - - environment.systemPackages = [ - (pkgs.writeDashBin "start-${cname}" '' - set -euf - set -x - - mkdir -p /var/lib/containers/${cname}/var/state - - if ! mount | grep -q 'securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then - if ! 
${pkgs.securefs}/bin/securefs info /var/lib/sync-containers/${cname}/securefs; then - ${pkgs.securefs}/bin/securefs create --format 4 /var/lib/sync-containers/${cname}/securefs - fi - - ${pkgs.securefs}/bin/securefs mount -b \ - -o allow_other -o default_permissions \ - --log /var/lib/sync-containers/${cname}/securefs.log \ - /var/lib/sync-containers/${cname}/securefs /var/lib/containers/${cname}/var/state - fi - - STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) - if [ "$STATE" = 'down' ]; then - ${pkgs.nixos-container}/bin/nixos-container start ${cname} - fi - - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' - set -x - - mkdir -p /var/state/var_src - ln -sfTr /var/state/var_src /var/src - touch /etc/NIXOS - ''} - - if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then - ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch - fi - '') - (pkgs.writeDashBin "stop-${cname}" '' - set -euf - - ${pkgs.nixos-container}/bin/nixos-container stop ${cname} - umount /var/lib/containers/${cname}/var/state - '') - ]; -} - diff --git a/lass/2configs/gsm-wiki.nix b/lass/2configs/gsm-wiki.nix deleted file mode 100644 index 77b944ef8..000000000 --- a/lass/2configs/gsm-wiki.nix +++ /dev/null 
@@ -1,46 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - services.nginx.virtualHosts."docs.c3gsm.de" = { - forceSSL = true; - enableACME = true; - locations."/".extraConfig = '' - auth_basic "Restricted Content"; - auth_basic_user_file ${pkgs.writeText "flix-user-pass" '' - c3gsm:$apr1$q9OrPI4C$7AY4EIp3J2Xc4eLMbPGE21 - ''}; - root /srv/http/docs.c3gsm.de; - ''; - }; - - services.nginx.virtualHosts."c3gsm.de" = { - forceSSL = true; - enableACME = true; - locations."/".extraConfig = '' - root /srv/http/c3gsm.de; - ''; - }; - - users.users.c3gsm-docs = { - isNormalUser = true; - home = "/srv/http/docs.c3gsm.de"; - createHome = true; - homeMode = "750"; - useDefaultShell = true; - group = "nginx"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlW1fvCrVXhVH/z76fXBWYR/qyecYTE9VOOkFLJ6OwG user@osmocom-dev" - ]; - }; - - users.users.c3gsm = { - isNormalUser = true; - home = "/srv/http/c3gsm.de"; - createHome = true; - homeMode = "750"; - useDefaultShell = true; - group = "nginx"; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAlW1fvCrVXhVH/z76fXBWYR/qyecYTE9VOOkFLJ6OwG user@osmocom-dev" - ]; - }; -} diff --git a/lass/2configs/hardening.nix b/lass/2configs/hardening.nix deleted file mode 100644 index aee4bf06f..000000000 --- a/lass/2configs/hardening.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ pkgs, lib, ... }: -with lib; -{ - security.chromiumSuidSandbox.enable = true; - security.lockKernelModules = false; - boot.kernel.sysctl."user.max_user_namespaces" = 63414; - - imports = [ - - ]; -} diff --git a/lass/2configs/hass/default.nix b/lass/2configs/hass/default.nix deleted file mode 100644 index 1745bbfe5..000000000 --- a/lass/2configs/hass/default.nix +++ /dev/null 
@@ -1,125 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ./lib.nix { inherit lib; }; -let - dwdwfsapi = pkgs.python3Packages.buildPythonPackage rec { - pname = "dwdwfsapi"; - version = "1.0.3"; - - src = pkgs.python3Packages.fetchPypi { - inherit pname version; - sha256 = "0fcv79xiq0qr4kivhd68iqpgrsjc7djxqs2h543pyr0sdgb5nz9x"; - }; - - buildInputs = with pkgs.python3Packages; [ - requests ciso8601 - ]; - - # LC_ALL = "en_US.UTF-8"; - }; - -in { - imports = [ - ./pyscript - ./zigbee.nix - ./rooms/bett.nix - ./rooms/essen.nix - ./rooms/nass.nix - ]; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i int0 -p tcp --dport 1883"; target = "ACCEPT"; } # mosquitto - { predicate = "-i docker0 -p tcp --dport 1883"; target = "ACCEPT"; } # mosquitto - { predicate = "-i int0 -p tcp --dport 8123"; target = "ACCEPT"; } # hass - { predicate = "-i int0 -p tcp --dport 1337"; target = "ACCEPT"; } # zigbee2mqtt frontend - { predicate = "-i retiolum -p tcp --dport 8123"; target = "ACCEPT"; } # hass - { predicate = "-i retiolum -p tcp --dport 1337"; target = "ACCEPT"; } # zigbee2mqtt frontend - { predicate = "-i wiregrill -p tcp --dport 8123"; target = "ACCEPT"; } # hass - ]; - - services.home-assistant = { - enable = true; - configWritable = true; - lovelaceConfigWritable = true; - config = let - tasmota = name: topic: { - inherit name; - state_topic = "stat/${topic}/POWER"; - command_topic = "cmnd/${topic}/POWER"; - payload_on = "ON"; - payload_off = "OFF"; - }; - in { - homeassistant = { - name = "Home"; - time_zone = "Europe/Berlin"; - latitude = "52.46187"; - longitude = "13.41489"; - elevation = 90; - unit_system = "metric"; - # customize = friendly_names; - }; - config = {}; - sun.elevation = 66; - shopping_list = {}; - discovery = {}; - frontend = {}; - http = {}; - # mqtt = { - # broker = "localhost"; - # port = 1883; - # client_id = "home-assistant"; - # username = "gg23"; - # password = "gg23-mqtt"; - # keepalive = 60; - # protocol = 3.1; - - # discovery 
= true; - # birth_message = { - # topic = "/hass/status"; - # payload = "online"; - # }; - # will_message = { - # topic = "/hass/status"; - # payload = "offline"; - # }; - # }; - sensor = [ - { - platform = "dwd_weather_warnings"; - region_name = "Berlin"; - } - ]; - mqtt.switch = [ - (tasmota "TV" "tv") - (tasmota "Drucker Strom" "drucker") - (tasmota "Waschmaschine" "wasch") - (tasmota "Stereo Anlage" "stereo") - (tasmota "Wohnzimmer Lampe" "wohn_lampe") - ]; - mobile_app = {}; - weather = [ - { - platform = "openweathermap"; - api_key = "xxx"; # TODO put into secrets - } - ]; - system_health = {}; - history = {}; - shopping_list = {}; - media_player = { - platform = "snapcast"; - host = "127.0.0.1"; - }; - }; - }; - - services.mosquitto = { - enable = true; - listeners = [{ - acl = [ ]; - users.gg23 = { acl = [ "readwrite #" ]; password = "gg23-mqtt"; }; - }]; - }; - - environment.systemPackages = [ pkgs.mosquitto ]; -} diff --git a/lass/2configs/hass/lib.nix b/lass/2configs/hass/lib.nix deleted file mode 100644 index 72ff2966f..000000000 --- a/lass/2configs/hass/lib.nix +++ /dev/null 
@@ -1,256 +0,0 @@ -{ lib, ... }: -rec { - lights = { - bett = "l_bett"; - essen = "l_essen"; - arbeit = "l_arbeit"; - nass = "l_nass"; - }; - - switches = { - dimmer = { - bett = "i_bett"; - essen = "i_essen"; - nass = "i_nass"; - }; - }; - - sensors = { - movement = { - essen = "s_essen"; - nass = "s_nass"; - }; - }; - - friendly_names = - lib.mapAttrs' (n: v: lib.nameValuePair "light.${v}" { friendly_name = "l.${n}"; }) lights // - lib.mapAttrs' (n: v: lib.nameValuePair "binary_sensor.${v}_update_available" { friendly_name = "s.${n}_up"; }) switches.dimmer // - lib.mapAttrs' (n: v: lib.nameValuePair "binary_sensor.${v}_update_available" { friendly_name = "i.${n}_up"; }) sensors.movement // - lib.mapAttrs' (n: v: lib.nameValuePair "binary_sensor.${v}_update_available" { friendly_name = "l.${n}_up"; }) lights // - lib.mapAttrs' (n: v: lib.nameValuePair "sensor.${v}_linkquality" { friendly_name = "s.${n}_link"; }) switches.dimmer // - lib.mapAttrs' (n: v: lib.nameValuePair "sensor.${v}_linkquality" { friendly_name = "i.${n}_link"; }) sensors.movement // - lib.mapAttrs' (n: v: lib.nameValuePair "sensor.${v}_linkquality" { friendly_name = "l.${n}_link"; }) lights // - lib.mapAttrs' (n: v: lib.nameValuePair "sensor.${v}_battery" { friendly_name = "s.${n}_bat"; }) switches.dimmer // - lib.mapAttrs' (n: v: lib.nameValuePair "sensor.${v}_battery" { friendly_name = "i.${n}_bat"; }) sensors.movement // - lib.mapAttrs' (n: v: lib.nameValuePair "sensor.${v}_action" { friendly_name = "s.${n}_act"; }) switches.dimmer // - lib.mapAttrs' (n: v: lib.nameValuePair "binary_sensor.${v}_occupancy" { friendly_name = "i.${n}_move"; }) sensors.movement // - lib.mapAttrs' (n: v: lib.nameValuePair "binary_sensor.${v}_occupancy" { friendly_name = "i.${n}_move"; }) sensors.movement // - lib.mapAttrs' (n: v: lib.nameValuePair "sensor.${v}_temperature" { friendly_name = "i.${n}_heat"; }) sensors.movement // - lib.mapAttrs' (n: v: lib.nameValuePair "sensor.${v}_temperature" { friendly_name = 
"i.${n}_heat"; }) sensors.movement // - lib.mapAttrs' (n: v: lib.nameValuePair "sensor.${v}_illuminance" { friendly_name = "i.${n}_lux"; }) sensors.movement // - lib.mapAttrs' (n: v: lib.nameValuePair "sensor.${v}_illuminance" { friendly_name = "i.${n}_lux"; }) sensors.movement // - {}; - - detect_movement = name: sensor: light: delay: - let - id = name; - sensor_ = "binary_sensor.${sensor}_occupancy"; - light_ = "light.${light}"; - in { - input_boolean."${id}" = { - }; - timer."${id}" = { - duration = delay; - }; - automation = [ - # { - # alias = "debug detect_movement"; - # trigger = { - # platform = "state"; - # entity_id = sensor_; - # }; - # action = [ - # { - # service = "system_log.write"; - # data_template = { - # message = "XXXXXXXXXXXXXXXXXXXXXX {{ states('input_boolean.${sensor}_${light}_triggered') == 'on' }}"; - # #message = "XXXXXXXXXXXXXXXXXXXXXX {{ state_attr('trigger.to_state.state', 'illuminance') }}"; - # }; - # } - # ]; - # } - { - alias = "movement reset timer ${id}"; - trigger = { - platform = "state"; - entity_id = sensor_; - from = "off"; - to = "on"; - }; - action = [ - { - service = "timer.cancel"; - data_template.entity_id = "timer.${id}"; - } - ]; - } - { - alias = "movement on ${id}"; - trigger = { - platform = "state"; - entity_id = "binary_sensor.${sensor}_occupancy"; - from = "off"; - to = "on"; - }; - condition = { - condition = "and"; - conditions = [ - { - condition = "template"; - value_template = "{{ trigger.to_state.attributes.illuminance < 7500 }}"; - } - { - condition = "template"; - value_template = "{{ states('${light_}') == 'off' }}"; - } - ]; - }; - action = [ - { - service = "light.turn_on"; - data_template = { - entity_id = light_; - brightness = "100"; - }; - } - { delay = "0:00:02"; } - { - service = "input_boolean.turn_on"; - data_template.entity_id = "input_boolean.${id}"; - } - ]; - } - { - alias = "movement off ${id}"; - trigger = { - platform = "state"; - entity_id = sensor_; - from = "on"; - to = "off"; - }; - 
condition = { - condition = "template"; - value_template = "{{ states('input_boolean.${id}') == 'on' }}"; - }; - action = [ - { - service = "timer.start"; - entity_id = "timer.${id}"; - } - ]; - } - { - alias = "movement override ${id}"; - trigger = { - platform = "state"; - entity_id = light_; - }; - action = [ - { - service = "input_boolean.turn_off"; - data_template.entity_id = "input_boolean.${id}"; - } - { - service = "system_log.write"; - data_template = { - message = "XXXXXXXXXXXXXXXXXXXXXX {{ trigger }}"; - }; - } - ]; - } - { - alias = "movement expired ${id}"; - trigger = { - platform = "event"; - event_type = "timer.finished"; - event_data.entity_id = "timer.${id}"; - }; - action = [ - { - service = "light.turn_off"; - data_template = { - entity_id = light_; - }; - } - { - service = "input_boolean.turn_off"; - data_template.entity_id = "input_boolean.${id}"; - } - ]; - } - ]; - }; - - lightswitch = name: switch: light: { - automation = [ - { - alias = "lightswitch ${name} turn on"; - trigger = { - platform = "mqtt"; - topic = "zigbee/${switch}"; - }; - condition = { - condition = "or"; - conditions = [ - { - condition = "template"; - value_template = "{{ trigger.payload_json.action == 'on-press' }}"; - } - { - condition = "template"; - value_template = "{{ trigger.payload_json.action == 'up-press' }}"; - } - { - condition = "and"; - conditions = [ - { - condition = "template"; - value_template = "{{ trigger.payload_json.action == 'down-press' }}"; - } - { - condition = "template"; - value_template = "{{ trigger.payload_json.brightness > 30 }}"; - } - ]; - } - ]; - }; - action = [ - { - service = "light.turn_on"; - data_template = { - entity_id = "light.${light}"; - brightness = "{{ trigger.payload_json.brightness }}"; - }; - } - ]; - } - { - alias = "lightswitch ${name} turn off"; - trigger = { - platform = "mqtt"; - topic = "zigbee/${switch}"; - }; - condition = { - condition = "or"; - conditions = [ - { - condition = "template"; - value_template = "{{ 
trigger.payload_json.action == 'off-press' }}"; - } - { - condition = "template"; - value_template = "{{ trigger.payload_json.brightness < 30 }}"; - } - ]; - }; - action = { - service = "light.turn_off"; - data_template = { - entity_id = "light.${light}"; - }; - }; - } - ]; - }; -} diff --git a/lass/2configs/hass/pyscript/.gitignore b/lass/2configs/hass/pyscript/.gitignore deleted file mode 100644 index 282debf56..000000000 --- a/lass/2configs/hass/pyscript/.gitignore +++ /dev/null @@ -1 +0,0 @@ -hass_token diff --git a/lass/2configs/hass/pyscript/default.nix b/lass/2configs/hass/pyscript/default.nix deleted file mode 100644 index c56967e4b..000000000 --- a/lass/2configs/hass/pyscript/default.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - systemd.tmpfiles.rules = [ - "L+ /var/lib/hass/custom_components/pyscript - - - - ${pkgs.fetchzip { - url = "https://github.com/custom-components/pyscript/releases/download/1.3.2/hass-custom-pyscript.zip"; - sha256 = "0cqdjj46s5xp4mqxb0ic790jm1xp3z0zr2n9f7bsfl5zpvdshl8z"; - stripRoot = false; - }}" - ]; - - services.home-assistant = { - package = (pkgs.home-assistant.overrideAttrs (old: { - doInstallCheck = false; - })).override { - extraPackages = pp: [ pp.croniter ]; - }; - config.pyscript = { - allow_all_imports = true; - hass_is_global = true; - }; - }; - - networking.firewall.interfaces.retiolum.allowedTCPPortRanges = [ - { from = 50321; to = 50341; } # for ipython interactive debugging - ]; -} diff --git a/lass/2configs/hass/pyscript/shell.nix b/lass/2configs/hass/pyscript/shell.nix deleted file mode 100644 index 3cfac0275..000000000 --- a/lass/2configs/hass/pyscript/shell.nix +++ /dev/null 
@@ -1,51 +0,0 @@ -{ pkgs ? import {} }: let - - hass_host = "styx.r"; - hass_token = builtins.readFile ./hass_token; - - mach-nix = import (builtins.fetchGit { - url = "https://github.com/DavHau/mach-nix/"; - ref = "refs/tags/3.4.0"; - }) { - pkgs = pkgs; - }; - pyenv = mach-nix.mkPython { - requirements = '' - hass_pyscript_kernel - ''; - }; - jupyter = import (builtins.fetchGit { - url = https://github.com/tweag/jupyterWith; - ref = "master"; - }) {}; - - pyscriptKernel = { - spec = pkgs.runCommand "pyscript" {} '' - mkdir -p $out/kernels/pyscript - cp ${kernel_json} $out/kernels/pyscript/kernel.json - cp ${pyscript_conf} $out/kernels/pyscript/pyscript.conf - ''; - runtimePackages = [ pyenv ]; - }; - - kernel_json = pkgs.writeText "kernel.json" (builtins.toJSON { - argv = [ - "${pyenv}/bin/python3" "-m" "hass_pyscript_kernel" - "-f" "{connection_file}" - ]; - display_name = "hass_pyscript"; - language = "python"; - }); - - pyscript_conf = pkgs.writeText "pyscript.conf" '' - [homeassistant] - hass_host = ${hass_host} - hass_url = http://''${hass_host}:8123 - hass_token = ${hass_token} - ''; - - jupyterEnvironment = jupyter.jupyterlabWith { - kernels = [ pyscriptKernel ]; - }; - -in jupyterEnvironment.env diff --git a/lass/2configs/hass/rooms/bett.nix b/lass/2configs/hass/rooms/bett.nix deleted file mode 100644 index 026c5722c..000000000 --- a/lass/2configs/hass/rooms/bett.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -{ lib, ... }: -with import ../lib.nix { inherit lib; }; - -{ - services.home-assistant.config = lib.mkMerge [ - (lightswitch "bett" switches.dimmer.bett lights.bett) - ]; - - # lass.hass.love = { - # resources = [{ - # url = "https://raw.githubusercontent.com/ljmerza/light-entity-card/master/dist/light-entity-card.js.map"; - # type = "js"; - # }]; - # views = [{ - # title = "bett"; - # cards = [ - # { - # type = "markdown"; - # title = "hello world"; - # content = "This is just a test"; - # } - # { - # type = "light"; - # entity = "light.${lights.bett}"; - # } - # { - # type = "custom:light-entity-card"; - # entity = "light.${lights.bett}"; - # } - # { - # type = "history-graph"; - # entities = [ - # "light.${lights.bett}" - # ]; - # } - # ]; - # }]; - # }; -} diff --git a/lass/2configs/hass/rooms/essen.nix b/lass/2configs/hass/rooms/essen.nix deleted file mode 100644 index 293935f65..000000000 --- a/lass/2configs/hass/rooms/essen.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ lib, ... }: -with import ../lib.nix { inherit lib; }; - -{ - services.home-assistant.config = lib.mkMerge [ - (detect_movement "essen" sensors.movement.essen lights.essen 70) - (lightswitch "essen" switches.dimmer.essen lights.essen) - ]; -} diff --git a/lass/2configs/hass/rooms/nass.nix b/lass/2configs/hass/rooms/nass.nix deleted file mode 100644 index b23ba86cd..000000000 --- a/lass/2configs/hass/rooms/nass.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ lib, ... }: -with import ../lib.nix { inherit lib; }; - -{ - services.home-assistant.config = lib.mkMerge [ - (detect_movement "nass" sensors.movement.nass lights.nass 100) - (lightswitch "nass" switches.dimmer.nass lights.nass) - ]; -} - diff --git a/lass/2configs/hass/zigbee.nix b/lass/2configs/hass/zigbee.nix deleted file mode 100644 index 210c761b5..000000000 --- a/lass/2configs/hass/zigbee.nix +++ /dev/null 
@@ -1,76 +0,0 @@ -{config, pkgs, lib, ...}: let - - unstable-pkgs = import {}; - -in { - # symlink the zigbee controller - services.udev.extraRules = '' - SUBSYSTEM=="tty", ATTRS{idVendor}=="0451", ATTRS{idProduct}=="16a8", SYMLINK+="cc2531", MODE="0660", GROUP="dialout" - SUBSYSTEM=="tty", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="ea60", SYMLINK+="cc2652", MODE="0660", GROUP="dialout" - ''; - - # needed to use unstable package - systemd.services.zigbee2mqtt.environment.ZIGBEE2MQTT_DATA = "/var/lib/zigbee2mqtt"; - - services.zigbee2mqtt = { - enable = true; - package = unstable-pkgs.zigbee2mqtt; - settings = { - homeassistant = true; - frontend.port = 1337; - experimental.new_api = true; - permit_join = false; - mqtt = { - discovery = true; - base_topic = "zigbee"; - server = "mqtt://10.42.0.1"; - user = "gg23"; - password = "gg23-mqtt"; - }; - serial = { - port = "/dev/cc2652"; - # disable_led = true; - }; - advanced = { - pan_id = 4222; - }; - devices = let - set_device = id: name: - lib.nameValuePair id { - }; - in { - # lights https://www.zigbee2mqtt.io/devices/9290022166.html#philips-9290022166 - "0x0017880106ed3bd8".friendly_name = "l_bett"; - "0x0017880108327622".friendly_name = "l_essen"; - "0x0017880106ee2865".friendly_name = "l_arbeit"; - "0x00178801082e9f2f".friendly_name = "l_nass"; - - # switches https://www.zigbee2mqtt.io/devices/324131092621.html#philips-324131092621 - "0x00178801086ac38c".friendly_name = "i_bett"; - "0x00178801086ad1fb".friendly_name = "i_essen"; - "0x00178801086ac373".friendly_name = "i_nass"; - - # sensors https://www.zigbee2mqtt.io/devices/9290012607.html#philips-9290012607 - "0x0017880106f772f2".friendly_name = "s_essen"; - "0x0017880106f77f30".friendly_name = "s_nass"; - - # heat https://www.zigbee2mqtt.io/devices/701721.html#popp-701721 - "0x842e14fffe27109a".friendly_name = "t_bett"; - "0x842e14fffe269a73".friendly_name = "t_nass"; - "0x842e14fffe269a56".friendly_name = "t_arbeit"; - - # rotation 
https://www.zigbee2mqtt.io/devices/E1744.html - "0x8cf681fffe065493" = { - friendly_name = "r_test"; - device_id = "r_test"; - simulated_brightness = { - delta = 2; - interval = 100; - }; - }; - - }; - }; - }; -} - diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix deleted file mode 100644 index 05bea9a09..000000000 --- a/lass/2configs/hfos.nix +++ /dev/null 
@@ -1,48 +0,0 @@ -{ config, lib, pkgs, ... }: let - - vmip = "192.168.122.208"; - -in { - users.users.riot = { - uid = genid "riot"; - isNormalUser = true; - extraGroups = [ "libvirtd" ]; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMkyCwdwBrsbs3qrNQcy/SqQpex4aaQoAMuT+NDefFc8KVHOMfmkDccEyAggDTgQhUrEVIvo/fFUmGBd9sm1vN1IthO2Qh5nX+qiK/A2R7sxci0Ry6piU03R27JfpZqi6g8TSPNi1C9rC8eBqOfO3OB8oQOkFmM48Q9cmS8AV3ERLR0LaHoEqUbs86JELbtHrMdKk4Hzo8zTM/isP3GO8iDHRt4dBS/03Ve7+WVxgNwWU2HW3a3jJd3tWHrqGmS/ZfCEC/47eIj4WSW+JiH9Q0BarNEbkkMV1Mvm32MX52stGPd5FaIIUtFqD4745iVSiw8esUGFUxJ1RjWgUHr99h riot@vortex" - ]; - }; - - networking.interfaces."eth0:0".ip4 = [ - { - address = "213.239.205.246"; - prefixLength = 24; - } - ]; - - krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ - { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; } - { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; } - { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; } - { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } - ]; - - krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ - { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - ]; - - krebs.iptables.tables.nat.OUTPUT.rules = mkBefore [ - { v6 = false; predicate = "-d 213.239.205.246 -p tcp 
--dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } - ]; - - # TODO use bridge interfaces instead of this crap - systemd.services.libvirtd.serviceConfig.ExecStartPost = let - restart-iptables = pkgs.writeDash "restart-iptables" '' - #soo hacky - ${pkgs.coreutils}/bin/sleep 5s - ${pkgs.systemd}/bin/systemctl restart krebs-iptables.service - ''; - in restart-iptables; -} diff --git a/lass/2configs/home-media.nix b/lass/2configs/home-media.nix deleted file mode 100644 index 1f7c3fcb5..000000000 --- a/lass/2configs/home-media.nix +++ /dev/null 
@@ -1,102 +0,0 @@ -with import ; -{ pkgs, ... }: -{ - imports = [ - ./mpv.nix - ]; - users.users.media = { - isNormalUser = true; - uid = genid_uint31 "media"; - extraGroups = [ "video" "audio" "pipewire" ]; - packages = [ - (pkgs.writers.writeDashBin "mpv" '' - if test -e "$1"; then - mpv-ipc-cli loadfile "$(realpath "$1")" - else - mpv-ipc-cli loadfile "$1" - fi - '') - ]; - }; - - users.users.mainUser.packages = [ - (pkgs.writers.writeDashBin "mpv" '' - if test -e "$1"; then - mpv-ipc-cli loadfile "$(realpath "$1")" - else - mpv-ipc-cli loadfile "$1" - fi - '') - ]; - - services.xserver.displayManager.autoLogin = { - enable = true; - user = "media"; - }; - - hardware.pulseaudio.configFile = pkgs.writeText "pulse.pa" '' - .include ${pkgs.pulseaudioFull}/etc/pulse/default.pa - load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;10.42.0.0/24 auth-anonymous=1 - ''; - - environment.systemPackages = [ - (pkgs.writers.writeDashBin "mpv-ipc-cli" '' - set -efux - ${pkgs.jq}/bin/jq -nc '{ "command": $ARGS.positional }' --args "$@" | ${pkgs.socat}/bin/socat - /tmp/mpv.ipc - '') - (pkgs.writers.writeDashBin "ipc-mpv" '' - /run/current-system/sw/bin/mpv \ - --audio-display=no --audio-channels=stereo \ - --audio-samplerate=48000 --audio-format=s16 \ - --ao-pcm-file=/run/snapserver/snapfifo --ao=pcm \ - --audio-delay=-1 \ - "$@" - '') - pkgs.mpvc - (pkgs.writers.writeDashBin "iptv" '' - curl -Ssf 'https://iptv-org.github.io/iptv/index.nsfw.m3u' | - sed 's/.*,//' | - sed -z 's/\nhttp/,http/g' | - fzf --bind='enter:execute(echo {} | cut -d ',' -f 2 | xargs -0 mpv-ipc-cli loadfile)' - '') - ]; - - environment.variables.SOCKET = "/tmp/mpv.ipc"; - systemd.services.mpvd = { - wantedBy = [ "multi-user.target" ]; - environment.DISPLAY = ":0"; - serviceConfig = { - User = "media"; - RemainAfterExit = true; - Nice = "-10"; - ExecStart = ''${pkgs.tmux}/bin/tmux -2 new-session -d -s mpvd -- /run/current-system/sw/bin/ipc-mpv \ - --audio-display=no --audio-channels=stereo \ - 
--audio-samplerate=48000 --audio-format=s16 \ - --ao-pcm-file=/run/snapserver/snapfifo --ao=pcm \ - --audio-delay=-1 \ - --network-timeout=3 \ - --untimed --cache-pause=no \ - --idle=yes --force-window=yes \ - --loop-playlist=inf \ - --input-ipc-server=/tmp/mpv.ipc - ''; - ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t mpvd"; - ExecStartPre = [ - "+${pkgs.writers.writeDash "remove_socket" '' - set -efux - rm -f /tmp/mpv.ipc - ''}" - ]; - ExecStartPost = [ - "+${pkgs.writers.writeDash "fix_permissions" '' - set -efux - until test -e /tmp/mpv.ipc; do - sleep 1 - done - # sleep 2 - chmod 666 /tmp/mpv.ipc || : - ''}" - ]; - }; - }; -} diff --git a/lass/2configs/htop.nix b/lass/2configs/htop.nix deleted file mode 100644 index 629d74235..000000000 --- a/lass/2configs/htop.nix +++ /dev/null @@ -1,43 +0,0 @@ -{ pkgs, ... }: - -with import ; - -{ - nixpkgs.config.packageOverrides = super: { - htop = pkgs.symlinkJoin { - name = "htop"; - paths = [ - (pkgs.writeDashBin "htop" '' - export HTOPRC=${pkgs.writeText "htoprc" '' - fields=0 48 17 18 38 39 40 2 46 47 49 1 - sort_key=46 - sort_direction=1 - hide_threads=0 - hide_kernel_threads=1 - hide_userland_threads=0 - shadow_other_users=1 - show_thread_names=1 - show_program_path=1 - highlight_base_name=1 - highlight_megabytes=1 - highlight_threads=1 - tree_view=1 - header_margin=1 - detailed_cpu_time=0 - cpu_count_from_zero=0 - update_process_names=0 - account_guest_in_cpu_meter=1 - color_scheme=6 - delay=15 - left_meters=LeftCPUs2 RightCPUs2 Memory Swap - left_meter_modes=1 1 1 1 - right_meters=Uptime Tasks LoadAverage Battery - right_meter_modes=2 2 2 2 - ''} - exec ${super.htop}/bin/htop "$@" - '') - super.htop - ]; - }; - }; -} diff --git a/lass/2configs/hw/brcmfmac4356-pcie.txt b/lass/2configs/hw/brcmfmac4356-pcie.txt deleted file mode 100644 index 7a7ee45a6..000000000 --- a/lass/2configs/hw/brcmfmac4356-pcie.txt +++ /dev/null 
@@ -1,125 +0,0 @@ -# Sample variables file for BCM94356Z NGFF 22x30mm iPA, iLNA board with PCIe for production package -NVRAMRev=$Rev: 492104 $ -#4356 chip = 4354 A2 chip -sromrev=11 -boardrev=0x1102 -boardtype=0x073e -boardflags=0x02400201 -#0x2000 enable 2G spur WAR -boardflags2=0x00802000 -boardflags3=0x0000000a -#boardflags3 0x00000100 /* to read swctrlmap from nvram*/ -#define BFL3_5G_SPUR_WAR 0x00080000 /* enable spur WAR in 5G band */ -#define BFL3_AvVim 0x40000000 /* load AvVim from nvram */ -macaddr=00:90:4c:1a:10:01 -ccode=0x5854 -regrev=205 -antswitch=0 -pdgain5g=4 -pdgain2g=4 -tworangetssi2g=0 -tworangetssi5g=0 -paprdis=0 -femctrl=10 -vendid=0x14e4 -devid=0x43ec -manfid=0x2d0 -#prodid=0x052e -nocrc=1 -otpimagesize=502 -xtalfreq=37400 -rxgains2gelnagaina0=0 -rxgains2gtrisoa0=7 -rxgains2gtrelnabypa0=0 -rxgains5gelnagaina0=0 -rxgains5gtrisoa0=11 -rxgains5gtrelnabypa0=0 -rxgains5gmelnagaina0=0 -rxgains5gmtrisoa0=13 -rxgains5gmtrelnabypa0=0 -rxgains5ghelnagaina0=0 -rxgains5ghtrisoa0=12 -rxgains5ghtrelnabypa0=0 -rxgains2gelnagaina1=0 -rxgains2gtrisoa1=7 -rxgains2gtrelnabypa1=0 -rxgains5gelnagaina1=0 -rxgains5gtrisoa1=10 -rxgains5gtrelnabypa1=0 -rxgains5gmelnagaina1=0 -rxgains5gmtrisoa1=11 -rxgains5gmtrelnabypa1=0 -rxgains5ghelnagaina1=0 -rxgains5ghtrisoa1=11 -rxgains5ghtrelnabypa1=0 -rxchain=3 -txchain=3 -aa2g=3 -aa5g=3 -agbg0=2 -agbg1=2 -aga0=2 -aga1=2 -tssipos2g=1 -extpagain2g=2 -tssipos5g=1 -extpagain5g=2 -tempthresh=255 -tempoffset=255 -rawtempsense=0x1ff -pa2ga0=-147,6192,-705 -pa2ga1=-161,6041,-701 -pa5ga0=-194,6069,-739,-188,6137,-743,-185,5931,-725,-171,5898,-715 -pa5ga1=-190,6248,-757,-190,6275,-759,-190,6225,-757,-184,6131,-746 -subband5gver=0x4 -pdoffsetcckma0=0x4 -pdoffsetcckma1=0x4 -pdoffset40ma0=0x0000 -pdoffset80ma0=0x0000 -pdoffset40ma1=0x0000 -pdoffset80ma1=0x0000 -maxp2ga0=76 -maxp5ga0=74,74,74,74 -maxp2ga1=76 -maxp5ga1=74,74,74,74 -cckbw202gpo=0x0000 -cckbw20ul2gpo=0x0000 -mcsbw202gpo=0x99644422 -mcsbw402gpo=0x99644422 
-dot11agofdmhrbw202gpo=0x6666 -ofdmlrbw202gpo=0x0022 -mcsbw205glpo=0x88766663 -mcsbw405glpo=0x88666663 -mcsbw805glpo=0xbb666665 -mcsbw205gmpo=0xd8666663 -mcsbw405gmpo=0x88666663 -mcsbw805gmpo=0xcc666665 -mcsbw205ghpo=0xdc666663 -mcsbw405ghpo=0xaa666663 -mcsbw805ghpo=0xdd666665 -mcslr5glpo=0x0000 -mcslr5gmpo=0x0000 -mcslr5ghpo=0x0000 -sb20in40hrpo=0x0 -sb20in80and160hr5glpo=0x0 -sb40and80hr5glpo=0x0 -sb20in80and160hr5gmpo=0x0 -sb40and80hr5gmpo=0x0 -sb20in80and160hr5ghpo=0x0 -sb40and80hr5ghpo=0x0 -sb20in40lrpo=0x0 -sb20in80and160lr5glpo=0x0 -sb40and80lr5glpo=0x0 -sb20in80and160lr5gmpo=0x0 -sb40and80lr5gmpo=0x0 -sb20in80and160lr5ghpo=0x0 -sb40and80lr5ghpo=0x0 -dot11agduphrpo=0x0 -dot11agduplrpo=0x0 -phycal_tempdelta=255 -temps_period=15 -temps_hysteresis=15 -rssicorrnorm_c0=4,4 -rssicorrnorm_c1=4,4 -rssicorrnorm5g_c0=1,2,3,1,2,3,6,6,8,6,6,8 -rssicorrnorm5g_c1=1,2,3,2,2,2,7,7,8,7,7,8 diff --git a/lass/2configs/hw/gpd-pocket.nix b/lass/2configs/hw/gpd-pocket.nix deleted file mode 100644 index 87b4c518b..000000000 --- a/lass/2configs/hw/gpd-pocket.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ pkgs, ... }: - -let - dummy_firmware = pkgs.writeTextFile { - name = "brcmfmac4356-pcie.txt"; - text = builtins.readFile ./brcmfmac4356-pcie.txt; - destination = "/lib/firmware/brcm/brcmfmac4356-pcie.txt"; - }; -in { - #imports = [ ]; - hardware.firmware = [ dummy_firmware ]; - hardware.enableRedistributableFirmware = true; - - boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_acpi" "sdhci_pci" ]; - boot.kernelPackages = pkgs.linuxPackages_4_14; - boot.kernelParams = [ - "fbcon=rotate:1" - ]; - services.xserver.displayManager.sessionCommands = '' - (sleep 2 && ${pkgs.xorg.xrandr}/bin/xrandr --output DSI1 --rotate right) - (sleep 2 && ${pkgs.xorg.xinput}/bin/xinput set-prop 'Goodix Capacitive TouchScreen' 'Coordinate Transformation Matrix' 0 1 0 -1 0 1 0 0 1) - ''; - services.xserver.dpi = 200; - fonts.fontconfig.dpi = 200; - lass.fonts.regular = "xft:Hack-Regular:pixelsize=22,xft:Symbola"; - lass.fonts.bold = "xft:Hack-Bold:pixelsize=22,xft:Symbola"; - lass.fonts.italic = "xft:Hack-RegularOblique:pixelsize=22,xft:Symbol"; -} diff --git a/lass/2configs/hw/x220.nix b/lass/2configs/hw/x220.nix deleted file mode 100644 index cbb5b168d..000000000 --- a/lass/2configs/hw/x220.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ config, pkgs, ... }: -{ - imports = [ - - ]; - - boot = { - initrd.luks.devices.luksroot.device = "/dev/sda3"; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - extraModulePackages = [ - config.boot.kernelPackages.tp_smapi - config.boot.kernelPackages.acpi_call - ]; - kernelModules = [ - "acpi_call" - "tp_smapi" - ]; - }; - - environment.systemPackages = [ - pkgs.tpacpi-bat - ]; - - fileSystems = { - "/" = { - device = "/dev/mapper/pool-root"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - "/boot" = { - device = "/dev/sda2"; - }; - "/home" = { - device = "/dev/mapper/pool-home"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - }; - - services.logind.lidSwitch = "ignore"; - services.logind.lidSwitchDocked = "ignore"; - - services.tlp.enable = true; - #services.tlp.extraConfig = '' - # START_CHARGE_THRESH_BAT0=80 - # STOP_CHARGE_THRESH_BAT0=95 - #''; - - services.xserver.dpi = 80; -} diff --git a/lass/2configs/iodined.nix b/lass/2configs/iodined.nix deleted file mode 100644 index f67e2ae86..000000000 --- a/lass/2configs/iodined.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ pkgs, config, ... }: - -let - # TODO: make this a parameter - domain = "io.lassul.us"; - pw = import ; -in { - - services.iodine.server = { - enable = true; - domain = domain; - ip = "172.16.10.1/24"; - extraConfig = "-c -P ${pw} -l ${config.krebs.build.host.nets.internet.ip4.addr}"; - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 53"; target = "ACCEPT";} - ]; - -} diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix deleted file mode 100644 index 6d07c7a77..000000000 --- a/lass/2configs/libvirt.nix +++ /dev/null 
@@ -1,33 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- virtualisation.libvirtd.enable = true;
- security.polkit.enable = true;
-
- krebs.iptables.tables.filter.INPUT.rules = [
- { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 53"; target = "ACCEPT"; }
- { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 53"; target = "ACCEPT"; }
- { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 67"; target = "ACCEPT"; }
- { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 67"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.filter.FORWARD.rules = [
- { v6 = false; predicate = "-d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- { v6 = false; predicate = "-s 192.168.122.0/24 -i virbr0"; target = "ACCEPT"; }
- { v6 = false; predicate = "-i virbr0 -o virbr0"; target = "ACCEPT"; }
- { v6 = false; predicate = "-o virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
- { v6 = false; predicate = "-i virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
- ];
- krebs.iptables.tables.filter.OUTPUT.rules = [
- { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [
- { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.nat.POSTROUTING.rules = [
- { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
- { v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; }
- { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24"; target = "MASQUERADE"; }
- { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
- { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
- ];
-}
diff --git a/lass/2configs/livestream.nix b/lass/2configs/livestream.nix
deleted file mode 100644
index c877a8c0a..000000000
--- a/lass/2configs/livestream.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, pkgs, ... }:
-with import ;
-
-let
-
- stream = pkgs.writeDashBin "stream" ''
- ${pkgs.python27Packages.livestreamer}/bin/livestreamer --http-header Client-ID=jzkbprff40iqj646a697cyrvl0zt2m6 -p mpv "$@"
- '';
-
-in {
- environment.systemPackages = [ stream ];
-}
diff --git a/lass/2configs/logf.nix b/lass/2configs/logf.nix
deleted file mode 100644
index f141a94f5..000000000
--- a/lass/2configs/logf.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, pkgs, ... }:
-with import ;
-let
- host-colors = {
- mors = "131";
- prism = "95";
- uriel = "61";
- shodan = "51";
- icarus = "53";
- echelon = "197";
- cloudkrebs = "119";
- };
- urgent = [
- "\\blass@blue\\b"
- ];
-in {
- environment.systemPackages = [
- (pkgs.writeDashBin "logf" ''
- export LOGF_URGENT=${pkgs.writeJSON "urgent" urgent}
- export LOGF_HOST_COLORS=${pkgs.writeJSON "host-colors" host-colors}
- ${pkgs.logf}/bin/logf ${concatMapStringsSep " " (name: "root@${name}") (attrNames config.lass.hosts)}
- '')
- ];
-}
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
deleted file mode 100644
index bf8904b89..000000000
--- a/lass/2configs/mail.nix
+++ /dev/null
@@ -1,272 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
-
- msmtprc = pkgs.writeText "msmtprc" ''
- defaults
- logfile ~/.msmtp.log
- account prism
- host prism.r
- account c-base
- from lassulus@c-base.org
- host c-mail.c-base.org
- port 465
- tls on
- tls_starttls off
- auth on
- user lassulus
- passwordeval pass show c-base/pass
- account default: prism
- '';
-
- notmuch-config = pkgs.writeText "notmuch-config" ''
- [database]
- path=/home/lass/Maildir
- mail_root=/home/lass/Maildir
-
- [user]
- name=lassulus
- primary_email=lassulus@lassul.us
- other_email=lass@mors.r;${lib.concatStringsSep ";" (lib.flatten (lib.attrValues mailboxes))}
-
- [new]
- tags=unread;inbox;
- ignore=
-
- [search]
- exclude_tags=deleted;spam;
-
- [maildir]
- synchronize_flags=true
- '';
-
- msmtp = pkgs.writeBashBin "msmtp" ''
- ${pkgs.coreutils}/bin/tee >(${pkgs.notmuch}/bin/notmuch insert +sent) | \
- ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} "$@"
- '';
-
- mailcap = pkgs.writeText "mailcap" ''
- text/html; ${pkgs.elinks}/bin/elinks -dump ; copiousoutput;
- '';
-
- mailboxes = {
- afra = [ "to:afra@afra-berlin.de" ];
- c-base = [ "to:c-base.org" ];
- coins = [
- "to:btce@lassul.us"
- "to:coinbase@lassul.us"
- "to:polo@lassul.us"
- "to:bitwala@lassul.us"
- "to:payeer@lassul.us"
- "to:gatehub@lassul.us"
- "to:bitfinex@lassul.us"
- "to:binance@lassul.us"
- "to:bitcoin.de@lassul.us"
- "to:robinhood@lassul.us"
- ];
- dezentrale = [ "to:dezentrale.space" ];
- dhl = [ "to:dhl@lassul.us" ];
- dn42 = [ "to:dn42@lists.nox.tf" ];
- eloop = [ "to:eloop.org" ];
- github = [ "to:github@lassul.us" ];
- gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
- india = [ "to:hillhackers@lists.hillhacks.in" "to:hackbeach@lists.hackbeach.in" "to:hackbeach@mail.hackbeach.in" ];
- kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
- lugs = [ "to:lugs@lug-s.org" ];
- meetup = [ "to:meetup@lassul.us" ];
- nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ];
- patreon = [ "to:patreon@lassul.us" ];
- paypal = [ "to:paypal@lassul.us" ];
- ptl = [ "to:ptl@posttenebraslab.ch" ];
- retiolum = [ "to:lass@mors.r" ];
- security = [
- "to:seclists.org" "to:bugtraq" "to:securityfocus@lassul.us"
- "to:security-announce@lists.apple.com"
- ];
- shack = [ "to:shackspace.de" ];
- steam = [ "to:steam@lassul.us" ];
- tinc = [ "to:tinc@tinc-vpn.org" "to:tinc-devel@tinc-vpn.org" ];
- wireguard = [ "to:wireguard@lists.zx2c4" ];
- zzz = [ "to:pizza@lassul.us" "to:spam@krebsco.de" ];
- };
-
- tag-new-mails = pkgs.writeDashBin "nm-tag-init" ''
- ${pkgs.notmuch}/bin/notmuch new
- ${lib.concatMapStringsSep "\n" (i: ''
- mkdir -p "$HOME/Maildir/.${i.name}/cur"
- for mail in $(${pkgs.notmuch}/bin/notmuch search --output=files 'tag:inbox and (${lib.concatMapStringsSep " or " (f: "${f}") i.value})'); do
- if test -e "$mail"; then
- mv "$mail" "$HOME/Maildir/.${i.name}/cur/"
- else
- echo "$mail does not exist"
- fi
- done
- ${pkgs.notmuch}/bin/notmuch tag -inbox +${i.name} -- tag:inbox ${lib.concatMapStringsSep " or " (f: "${f}") i.value}
- '') (lib.mapAttrsToList lib.nameValuePair mailboxes)}
- ${pkgs.notmuch}/bin/notmuch new
- ${pkgs.notmuch}/bin/notmuch dump > "$HOME/Maildir/notmuch.backup"
- '';
-
- tag-old-mails = pkgs.writeDashBin "nm-tag-old" ''
- set -efux
- ${lib.concatMapStringsSep "\n" (i: ''
- ${pkgs.notmuch}/bin/notmuch tag -inbox -archive +${i.name} -- ${lib.concatMapStringsSep " or " (f: "${f}") i.value}
- mkdir -p "$HOME/Maildir/.${i.name}/cur"
- for mail in $(${pkgs.notmuch}/bin/notmuch search --output=files ${lib.concatMapStringsSep " or " (f: "${f}") i.value}); do
- if test -e "$mail"; then
- mv "$mail" "$HOME/Maildir/.${i.name}/cur/"
- else
- echo "$mail does not exist"
- fi
- done
- '') (lib.mapAttrsToList lib.nameValuePair mailboxes)}
- ${pkgs.notmuch}/bin/notmuch new --no-hooks
- '';
-
- muttrc = pkgs.writeText "muttrc" ''
-
- # read html mails
- auto_view text/html
- set mailcap_path = ${mailcap}
-
- # notmuch
- set folder="$HOME/Maildir"
- set nm_default_uri = "notmuch://$HOME/Maildir"
- set nm_record = yes
- set nm_record_tags = "-inbox me archive"
- set spoolfile = +Inbox
- set virtual_spoolfile = yes
-
-
- set sendmail="${msmtp}/bin/msmtp" # enables parsing of outgoing mail
- set from="lassulus@lassul.us"
- alternates ^.*@lassul\.us$ ^.*@.*\.r$
- unset envelope_from_address
- set use_envelope_from
- set reverse_name
-
- set sort=threads
-
- set index_format="%4C %Z %?GI?%GI& ? %[%y-%m-%d] %-20.20a %?M?(%3M)& ? %s %> %r %g"
-
- virtual-mailboxes "Unread" "notmuch://?query=tag:unread"
- virtual-mailboxes "INBOX" "notmuch://?query=tag:inbox"
- ${lib.concatMapStringsSep "\n" (i: ''${" "}virtual-mailboxes "${i.name}" "notmuch://?query=tag:${i.name}"'') (lib.mapAttrsToList lib.nameValuePair mailboxes)}
- virtual-mailboxes "TODO" "notmuch://?query=tag:TODO"
- virtual-mailboxes "Starred" "notmuch://?query=tag:*"
- virtual-mailboxes "Archive" "notmuch://?query=tag:archive"
- virtual-mailboxes "Sent" "notmuch://?query=tag:sent"
- virtual-mailboxes "Junk" "notmuch://?query=tag:junk"
- virtual-mailboxes "All" "notmuch://?query=*"
-
- tag-transforms "junk" "k" \
- "unread" "u" \
- "replied" "↻" \
- "TODO" "T" \
-
- # notmuch bindings
- macro index \\\\ "" # looks up a hand made query
- macro index + "+*\n" # tag as starred
- macro index - "-*\n" # tag as unstarred
-
- # muchsync
- bind index \Cr noop
- macro index \Cr \
- "unset wait_key \
- ${pkgs.writeDash "muchsync" ''
- set -efu
- until ${pkgs.muchsync}/bin/muchsync -F lass@green.r; do
- sleep 1
- done
- ''}
-
- #killed
- bind index d noop
- bind pager d noop
-
- bind index S noop
- bind index s noop
- bind pager S noop
- bind pager s noop
- macro index S "-inbox -unread +junk\n" # tag as Junk mail
- macro index s "-junk\n" # tag as Junk mail
- macro pager S "-inbox -unread +junk\n" # tag as Junk mail
- macro pager s "-junk\n" # tag as Junk mail
-
-
- bind index A noop
- bind index a noop
- bind pager A noop
- bind pager a noop
- macro index A "+archive -unread -inbox\n" # tag as Archived
- macro index a "-archive\n" # tag as Archived
- macro pager A "+archive -unread -inbox\n" # tag as Archived
- macro pager a "-archive\n" # tag as Archived
-
-
- bind index U noop
- bind index u noop
- bind pager U noop
- bind pager u noop
- macro index U "+unread\n"
- macro index u "-unread\n"
- macro pager U "+unread\n"
- macro pager u "-unread\n"
-
-
- bind index t noop
- bind pager t noop
- macro index t "" # tag as Archived
-
- # top index bar in email view
- set pager_index_lines=7
- # top_index_bar toggle
- macro pager ,@1 " set pager_index_lines=0; macro pager ] ,@2 'Toggle indexbar"
- macro pager ,@2 " set pager_index_lines=3; macro pager ] ,@3 'Toggle indexbar"
- macro pager ,@3 " set pager_index_lines=7; macro pager ] ,@1 'Toggle indexbar"
- macro pager ] ,@1 'Toggle indexbar
-
- # urlview
- macro pager \cb '${pkgs.urlview}/bin/urlview' 'Follow links with urlview'
-
- # sidebar
- set sidebar_divider_char = '│'
- set sidebar_delim_chars = "/"
- set sidebar_short_path
- set sidebar_folder_indent
- set sidebar_visible = yes
- set sidebar_format = '%D%?F? [%F]?%* %?N?%N/? %?S?%S?'
- set sidebar_width = 20
- color sidebar_new yellow red
-
- # sidebar bindings
- bind index sidebar-prev # got to previous folder in sidebar
- bind index sidebar-next # got to next folder in sidebar
- bind index sidebar-open # open selected folder from sidebar
- # sidebar toggle
- macro index,pager ,@) " set sidebar_visible=no; macro index,pager [ ,@( 'Toggle sidebar'"
- macro index,pager ,@( " set sidebar_visible=yes; macro index,pager [ ,@) 'Toggle sidebar'"
- macro index,pager [ ,@( 'Toggle sidebar' # toggle the sidebar
- '';
-
- mutt = pkgs.symlinkJoin {
- name = "mutt";
- paths = [
- (pkgs.writeDashBin "mutt" ''
- exec ${pkgs.neomutt}/bin/neomutt -F ${muttrc} "$@"
- '')
- pkgs.neomutt
- ];
- };
-
-in {
- environment.variables.NOTMUCH_CONFIG = toString notmuch-config;
- environment.systemPackages = [
- msmtp
- mutt
- pkgs.notmuch
- pkgs.muchsync
- tag-new-mails
- tag-old-mails
- ];
-}
diff --git a/lass/2configs/mail/internet-gateway.nix b/lass/2configs/mail/internet-gateway.nix
deleted file mode 100644
index 134e408a4..000000000
--- a/lass/2configs/mail/internet-gateway.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- security.acme.certs."mail.lassul.us" = {
- group = "lasscert";
- webroot = "/var/lib/acme/acme-challenge";
- };
- users.groups.lasscert.members = [
- "exim"
- "nginx"
- ];
-
- krebs.exim-smarthost = {
- enable = true;
- primary_hostname = "lassul.us";
- dkim = [
- { domain = "lassul.us"; }
- ];
- ssl_cert = "/var/lib/acme/mail.lassul.us/fullchain.pem";
- ssl_key = "/var/lib/acme/mail.lassul.us/key.pem";
- local_domains = [
- "localhost"
- "lassul.us"
- "ubikmedia.eu"
- "ubikmedia.de"
- "apanowicz.de"
- "alewis.de"
- "jarugadesign.de"
- "beesmooth.ch"
- "event-extra.de"
- "jla-trading.com"
- ];
- extraRouters = ''
- forward_lassul_us:
- driver = manualroute
- domains = lassul.us
- transport = remote_smtp
- route_list = * orange.r
- no_more
-
- forward_ubik:
- driver = manualroute
- domains = ubikmedia.eu:ubikmedia.de:apanowicz.de:alewis.de:jarugadesign.de:beesmooth.ch:event-extra.de:jla-trading.com
- transport = remote_smtp
- route_list = * ubik.r
- no_more
- '';
- };
-}
diff --git a/lass/2configs/matrix.nix b/lass/2configs/matrix.nix
deleted file mode 100644
index 7c4b645f2..000000000
--- a/lass/2configs/matrix.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{ config, pkgs, ... }:
-with import ;
-{
- services.matrix-synapse = {
- enable = true;
- settings = {
- server_name = "lassul.us";
- # registration_shared_secret = "yolo";
- database.name = "sqlite3";
- turn_uris = [
- "turn:turn.matrix.org?transport=udp"
- "turn:turn.matrix.org?transport=tcp"
- ];
- listeners = [
- {
- port = 8008;
- bind_addresses = [ "::1" ];
- type = "http";
- tls = false;
- x_forwarded = true;
- resources = [
- {
- names = [ "client" ];
- compress = true;
- }
- {
- names = [ "federation" ];
- compress = true;
- }
- ];
- }
- ];
- };
- };
- services.nginx = {
- virtualHosts = {
- "lassul.us" = {
- locations."= /.well-known/matrix/server".extraConfig = ''
- add_header Content-Type application/json;
- return 200 '${builtins.toJSON {
- "m.server" = "matrix.lassul.us:443";
- }}';
- '';
- locations."= /.well-known/matrix/client".extraConfig = ''
- add_header Content-Type application/json;
- add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON {
- "m.homeserver" = { "base_url" = "https://matrix.lassul.us"; };
- "m.identity_server" = { "base_url" = "https://vector.im"; };
- }}';
- '';
- };
- "matrix.lassul.us" = {
- forceSSL = true;
- enableACME = true;
- locations."/_matrix" = {
- proxyPass = "http://[::1]:8008";
- };
- };
- };
- };
-}
diff --git a/lass/2configs/mc.nix b/lass/2configs/mc.nix
deleted file mode 100644
index f5de04616..000000000
--- a/lass/2configs/mc.nix
+++ /dev/null
@@ -1,344 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- mcExt = pkgs.writeText "mc.ext" ''
- # gitfs changeset
- regex/^\[git\]
- Open=%cd %p/changesetfs://
- View=%cd %p/patchsetfs://
-
- ### Archives ###
-
- # .tgz, .tpz, .tar.gz, .tar.z, .tar.Z, .ipk, .gem
- regex/\.t([gp]?z|ar\.g?[zZ])$|\.ipk$|\.gem$
- Open=%cd %p/utar://
-
- shell/.tar.bz
- # Open=%cd %p/utar://
-
- regex/\.t(ar\.bz2|bz2?|b2)$
- Open=%cd %p/utar://
-
- # .tar.lzma, .tlz
- regex/\.t(ar\.lzma|lz)$
- Open=%cd %p/utar://
-
- # .tar.xz, .txz
- regex/\.t(ar\.xz|xz)$
- Open=%cd %p/utar://
-
- # .tar.F - used in QNX
- shell/.tar.F
- # Open=%cd %p/utar://
-
- # .qpr/.qpk - QNX Neutrino package installer files
- regex/\.qp[rk]$
- Open=%cd %p/utar://
-
- # tar
- shell/i/.tar
- Open=%cd %p/utar://
-
- # lha
- type/^LHa\ .*archive
- Open=%cd %p/ulha://
-
- # arj
- regex/i/\.a(rj|[0-9][0-9])$
- Open=%cd %p/uarj://
-
- # cab
- shell/i/.cab
- Open=%cd %p/ucab://
-
- # ha
- shell/i/.ha
- Open=%cd %p/uha://
-
- # rar
- regex/i/\.r(ar|[0-9][0-9])$
- Open=%cd %p/urar://
-
- # ALZip
- shell/i/.alz
- Open=%cd %p/ualz://
-
- # cpio
- shell/.cpio.Z
- Open=%cd %p/ucpio://
-
- shell/.cpio.xz
- Open=%cd %p/ucpio://
-
- shell/.cpio.gz
- Open=%cd %p/ucpio://
-
- shell/i/.cpio
- Open=%cd %p/ucpio://
-
- # 7zip archives (they are not man pages)
- shell/i/.7z
- Open=%cd %p/u7z://
-
- # patch
- regex/\.(diff|patch)(\.bz2)$
- Open=%cd %p/patchfs://
-
- regex/\.(diff|patch)(\.(gz|Z))$
- Open=%cd %p/patchfs://
-
- # ls-lR
- regex/(^|\.)ls-?lR(\.gz|Z|bz2)$
- Open=%cd %p/lslR://
-
- # trpm
- shell/.trpm
- Open=%cd %p/trpm://
-
- # RPM packages (SuSE uses *.spm for source packages)
- regex/\.(src\.rpm|spm)$
- Open=%cd %p/rpm://
-
- shell/.rpm
- Open=%cd %p/rpm://
-
- # deb
- regex/\.u?deb$
- Open=%cd %p/deb://
-
- # dpkg
- shell/.debd
- Open=%cd %p/debd://
-
- # apt
- shell/.deba
- Open=%cd %p/deba://
-
- # ISO9660
- shell/i/.iso
- Open=%cd %p/iso9660://
-
-
- regex/\.(diff|patch)$
- Open=%cd %p/patchfs://
-
- # ar library
- regex/\.s?a$
- Open=%cd %p/uar://
-
- # gplib
- shell/i/.lib
- Open=%cd %p/ulib://
-
-
- # Mailboxes
- type/^ASCII\ mail\ text
- Open=%cd %p/mailfs://
-
-
- ### Sources ###
-
- # C/C++
- regex/i/\.(c|cc|cpp)$
- Include=editor
-
- # C/C++ header
- regex/i/\.(h|hh|hpp)$
- Include=editor
-
- # Fortran
- shell/i/.f
- Include=editor
-
- # Assembler
- regex/i/\.(s|asm)$
- Include=editor
-
- include/editor
- Open=%var{EDITOR:vim} %f
-
- ### Images ###
-
- shell/i/.gif
- Include=image
-
- regex/i/\.jpe?g$
- Include=image
-
- shell/i/.bmp
- Include=image
-
- shell/i/.png
- Include=image
-
- shell/i/.jng
- Include=image
-
- shell/i/.mng
- Include=image
-
- shell/i/.tiff
- Include=image
-
- shell/.ico
- Include=image
-
- include/image
- Open=sxiv %f
- View=sxiv %f
-
- ### Sound files ###
-
- regex/i/\.(wav|snd|voc|au|smp|aiff|snd|m4a|ape|aac|wv)$
- Include=audio
-
- regex/i/\.(mod|s3m|xm|it|mtm|669|stm|ult|far)$
- Include=audio
-
- shell/i/.waw22
- Include=audio
-
- shell/i/.mp3
- Include=audio
-
- regex/i/\.og[gax]$
- Include=audio
-
- regex/i/\.(spx|flac)$
- Include=audio
-
- regex/i/\.(midi?|rmid?)$
- Include=audio
-
- shell/i/.wma
- Include=audio
-
- include/audio
- Open=mpv %f
- View=mpv %f
-
- ### Video ###
-
- shell/i/.avi
- Include=video
-
- regex/i/\.as[fx]$
- Include=video
-
- shell/i/.divx
- Include=video
-
- shell/i/.rmvb
- Include=video
-
- shell/i/.mkv
- Include=video
-
- regex/i/\.(mov|qt)$
- Include=video
-
- regex/i/\.(mp4|m4v|mpe?g)$
- Include=video
-
- # MPEG-2 TS container + H.264 codec
- shell/i/.mts
- Include=video
-
- shell/i/.ts
- Include=video
-
- shell/i/.vob
- Include=video
-
- shell/i/.wmv
- Include=video
-
- regex/i/\.fl[icv]$
- Include=video
-
- shell/i/.ogv
- Include=video
-
- # WebM
- shell/i/.webm
- Include=video
-
- type/WebM
- Include=video
-
- include/video
- Open=mpv %f
- View=mpv %f
-
-
- ### Documents ###
-
- # PDF
- shell/i/.pdf
- Open=zathura %f
- View=zathura %f
-
- ### Miscellaneous ###
-
- # Makefile
- regex/[Mm]akefile$
- Open=make -f %f %{Enter parameters}
-
-
- ### Plain compressed files ###
-
- # ace
- shell/i/.ace
- Open=%cd %p/uace://
- Extract=unace x %f
-
- # arc
- shell/i/.arc
- Open=%cd %p/uarc://
- Extract=arc x %f '*'
- Extract (with flags)=I=%{Enter any Arc flags:}; if test -n "$I"; then arc x $I %f; fi
-
- # zip
- shell/i/.zip
- Open=%cd %p/uzip://
-
- # zip
- type/i/^zip\ archive
- Open=%cd %p/uzip://
-
- # jar(zip)
- type/i/^Java\ Jar\ file\ data\ \(zip\)
- Open=%cd %p/uzip://
-
- # zoo
- shell/i/.zoo
- Open=%cd %p/uzoo://
-
- ### Default ###
-
- # Default target for anything not described above
- default/*
- Open=vim %f
- View=vim %f
-
- '';
-
-in {
- environment.systemPackages = [
- (pkgs.symlinkJoin {
- name = "mc";
- paths = [
- (pkgs.writeDashBin "mc" ''
- export MC_DATADIR=${pkgs.write "mc-ext" {
- "/mc.ext".link = mcExt;
- "/sfs.ini".text = "";
- }};
- export TERM=xterm-256color
- exec ${pkgs.mc}/bin/mc -S xoria256 "$@"
- '')
- pkgs.mc
- ];
- })
- ];
-}
-
diff --git a/lass/2configs/minecraft.nix b/lass/2configs/minecraft.nix
deleted file mode 100644
index 285a4552c..000000000
--- a/lass/2configs/minecraft.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ pkgs, ... }: let
-
- unstable = import { config.allowUnfree = true; };
-
-in {
- services.minecraft-server = {
- enable = true;
- eula = true;
- package = unstable.minecraft-server;
- };
- networking.firewall.allowedTCPPorts = [ 25565 ];
- networking.firewall.allowedUDPPorts = [ 25565 ];
-}
diff --git a/lass/2configs/monitoring/alert-rules.nix b/lass/2configs/monitoring/alert-rules.nix
deleted file mode 100644
index eae2569fb..000000000
--- a/lass/2configs/monitoring/alert-rules.nix
+++ /dev/null
@@ -1,208 +0,0 @@
-# inspiration from https://github.com/Mic92/dotfiles/blob/master/nixos/eva/modules/prometheus/alert-rules.nix
-{ lib }:
-
-lib.mapAttrsToList
- (name: opts: {
- alert = name;
- expr = opts.condition;
- for = opts.time or "2m";
- labels = { };
- annotations.description = opts.description;
- })
- ({
- prometheus_too_many_restarts = {
- condition = ''changes(process_start_time_seconds{job=~"prometheus|pushgateway|alertmanager|telegraf"}[15m]) > 2'';
- description = "Prometheus has restarted more than twice in the last 15 minutes. It might be crashlooping.";
- };
-
- alert_manager_config_not_synced = {
- condition = ''count(count_values("config_hash", alertmanager_config_hash)) > 1'';
- description = "Configurations of AlertManager cluster instances are out of sync.";
- };
-
- prometheus_not_connected_to_alertmanager = {
- condition = "prometheus_notifications_alertmanagers_discovered < 1";
- description = "Prometheus cannot connect the alertmanager\n VALUE = {{ $value }}\n LABELS = {{ $labels }}";
- };
-
- prometheus_rule_evaluation_failures = {
- condition = "increase(prometheus_rule_evaluation_failures_total[3m]) > 0";
- description = "Prometheus encountered {{ $value }} rule evaluation failures, leading to potentially ignored alerts.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}";
- };
-
- prometheus_template_expansion_failures = {
- condition = "increase(prometheus_template_text_expansion_failures_total[3m]) > 0";
- time = "0m";
- description = "Prometheus encountered {{ $value }} template text expansion failures\n VALUE = {{ $value }}\n LABELS = {{ $labels }}";
- };
-
- promtail_request_errors = {
- condition = ''100 * sum(rate(promtail_request_duration_seconds_count{status_code=~"5..|failed"}[1m])) by (namespace, job, route, instance) / sum(rate(promtail_request_duration_seconds_count[1m])) by (namespace, job, route, instance) > 10'';
- time = "15m";
- description = ''{{ $labels.job }} {{ $labels.route }} is experiencing {{ printf "%.2f" $value }}% errors.'';
- };
-
- promtail_file_lagging = {
- condition = ''abs(promtail_file_bytes_total - promtail_read_bytes_total) > 1e6'';
- time = "15m";
- description = ''{{ $labels.instance }} {{ $labels.job }} {{ $labels.path }} has been lagging by more than 1MB for more than 15m.'';
- };
-
- filesystem_full_80percent = {
- condition = ''disk_used_percent{mode!="ro"} >= 95'';
- time = "10m";
- description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.path}} got less than 20% space left on its filesystem.";
- };
-
- filesystem_full_krebs = {
- condition = ''disk_used_percent{mode!="ro", org="krebs"} >= 95'';
- time = "10m";
- description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.path}} got less than 5% space left on its filesystem.";
- };
-
- filesystem_inodes_full = {
- condition = ''disk_inodes_free / disk_inodes_total < 0.10'';
- time = "10m";
- description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.path}} got less than 10% inodes left on its filesystem.";
- };
-
- daily_task_not_run = {
- # give 6 hours grace period
- condition = ''time() - task_last_run{state="ok",frequency="daily"} > (24 + 6) * 60 * 60'';
- description = "{{$labels.host}}: {{$labels.name}} was not run in the last 24h";
- };
-
- daily_task_failed = {
- condition = ''task_last_run{state="fail"}'';
- description = "{{$labels.host}}: {{$labels.name}} failed to run";
- };
-
- swap_using_30percent = {
- condition = "mem_swap_total - (mem_swap_cached + mem_swap_free) > mem_swap_total * 0.3";
- time = "30m";
- description = "{{$labels.host}} is using 30% of its swap space for at least 30 minutes.";
- };
-
- systemd_service_failed = {
- condition = ''systemd_units_active_code{name!~"nixpkgs-update-.*.service"} == 3'';
- description = "{{$labels.host}} failed to (re)start service {{$labels.name}}.";
- };
-
- service_not_running = {
- condition = ''systemd_units_active_code{name=~"teamspeak3-server.service|tt-rss.service", sub!="running"}'';
- description = "{{$labels.host}} should have a running {{$labels.name}}.";
- };
-
- nfs_export_not_present = {
- condition = "nfs_export_present == 0";
- time = "1h";
- description = "{{$labels.host}} cannot reach nfs export [{{$labels.server}}]:{{$labels.path}}";
- };
-
- ram_using_90percent = {
- condition = "mem_buffered + mem_free + mem_cached < mem_total * 0.1";
- time = "1h";
- description = "{{$labels.host}} is using at least 90% of its RAM for at least 1 hour.";
- };
- load15 = {
- condition = ''system_load15 / system_n_cpus{org!="nix-community"} >= 2.0'';
- time = "10m";
- description = "{{$labels.host}} is running with load15 > 1 for at least 5 minutes: {{$value}}";
- };
- reboot = {
- condition = "system_uptime < 300";
- description = "{{$labels.host}} just rebooted.";
- };
- uptime = {
- # too scared to upgrade matchbox
- condition = ''system_uptime {host!~"^(matchbox|grandalf)$"} > 2592000'';
- description = "Uptime monster: {{$labels.host}} has been up for more than 30 days.";
- };
- telegraf_down = {
- condition = ''min(up{job=~"telegraf",type!='mobile'}) by (source, job, instance, org) == 0'';
- time = "3m";
- description = "{{$labels.instance}}: {{$labels.job}} telegraf exporter from {{$labels.source}} is down.";
- };
- ping = {
- condition = "ping_result_code{type!='mobile'} != 0";
- description = "{{$labels.url}}: ping from {{$labels.instance}} has failed!";
- };
- ping_high_latency = {
- condition = "ping_average_response_ms{type!='mobile'} > 5000";
- description = "{{$labels.instance}}: ping probe from {{$labels.source}} is encountering high latency!";
- };
- http = {
- condition = "http_response_result_code != 0";
- description = "{{$labels.server}} : http request failed from {{$labels.instance}}: {{$labels.result}}!";
- };
- http_match_failed = {
- condition = "http_response_response_string_match == 0";
- description = "{{$labels.server}} : http body not as expected; status code: {{$labels.status_code}}!";
- };
- dns_query = {
- condition = "dns_query_result_code != 0";
- description = "{{$labels.domain}} : could retrieve A record {{$labels.instance}} from server {{$labels.server}}: {{$labels.result}}!";
- };
- secure_dns_query = {
- condition = "secure_dns_state != 0";
- description = "{{$labels.domain}} : could retrieve A record {{$labels.instance}} from server {{$labels.server}}: {{$labels.result}} for protocol {{$labels.protocol}}!";
- };
- connection_failed = {
- condition = "net_response_result_code != 0";
- description = "{{$labels.server}}: connection to {{$labels.port}}({{$labels.protocol}}) failed from {{$labels.instance}}";
- };
- healthchecks = {
- condition = "hc_check_up == 0";
- description = "{{$labels.instance}}: healtcheck {{$labels.job}} fails!";
- };
- cert_expiry = {
- condition = "x509_cert_expiry < 7*24*3600";
- description = "{{$labels.instance}}: The TLS certificate from {{$labels.source}} will expire in less than 7 days: {{$value}}s";
- };
-
- postfix_queue_length = {
- condition = "avg_over_time(postfix_queue_length[1h]) > 10";
- description = "{{$labels.instance}}: postfix mail queue has undelivered {{$value}} items";
- };
-
- zfs_errors = {
- condition = "zfs_arcstats_l2_io_error + zfs_dmu_tx_error + zfs_arcstats_l2_writes_error > 0";
- description = "{{$labels.instance}} reports: {{$value}} ZFS IO errors.";
- };
-
- # ignore devices that disabled S.M.A.R.T (example if attached via USB)
- smart_errors = {
- condition = ''smart_device_health_ok{enabled!="Disabled"} != 1'';
- description = "{{$labels.instance}}: S.M.A.R.T reports: {{$labels.device}} ({{$labels.model}}) has errors.";
- };
-
- oom_kills = {
- condition = "increase(kernel_vmstat_oom_kill[5m]) > 0";
- description = "{{$labels.instance}}: OOM kill detected";
- };
-
- unusual_disk_read_latency = {
- condition = "rate(diskio_read_time[1m]) / rate(diskio_reads[1m]) > 0.1 and rate(diskio_reads[1m]) > 0";
- description = "{{$labels.instance}}: Disk latency is growing (read operations > 100ms)\n";
- };
-
- unusual_disk_write_latency = {
- condition = "rate(diskio_write_time[1m]) / rate(diskio_write[1m]) > 0.1 and rate(diskio_write[1m]) > 0";
- description = "{{$labels.instance}}: Disk latency is growing (write operations > 100ms)\n";
- };
-
- host_memory_under_memory_pressure = {
- condition = "rate(node_vmstat_pgmajfault[1m]) > 1000";
- description = "{{$labels.instance}}: The node is under heavy memory pressure. High rate of major page faults: {{$value}}";
- };
-
- ext4_errors = {
- condition = "ext4_errors_value > 0";
- description = "{{$labels.instance}}: ext4 has reported {{$value}} I/O errors: check /sys/fs/ext4/*/errors_count";
- };
-
- alerts_silences_changed = {
- condition = ''abs(delta(alertmanager_silences{state="active"}[1h])) >= 1'';
- description = "alertmanager: number of active silences has changed: {{$value}}";
- };
- })
diff --git a/lass/2configs/monitoring/prometheus.nix b/lass/2configs/monitoring/prometheus.nix
deleted file mode 100644
index ba32c62a7..000000000
--- a/lass/2configs/monitoring/prometheus.nix
+++ /dev/null
@@ -1,110 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- #prometheus
- krebs.iptables = {
- enable = true;
- tables.filter.INPUT.rules = [
- { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } # nginx
- # { predicate = "-i retiolum -p tcp --dport 3012"; target = "ACCEPT"; } # grafana
- # { predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; } # alertmanager
- # { predicate = "-i retiolum -p tcp --dport 9223"; target = "ACCEPT"; } # alertmanager
- ];
- };
-
- services.nginx = {
- enable = true;
- virtualHosts = {
- "prometheus.lass.r" = {
- locations."/".proxyPass = "http://localhost:9090";
- };
- "alert.lass.r" = {
- locations."/".proxyPass = "http://localhost:9093";
- };
- "grafana.lass.r" = {
- locations."/".proxyPass = "http://localhost:3012";
- };
- };
- };
-
- services.grafana = {
- enable = true;
- addr = "0.0.0.0";
- port = 3012;
- auth.anonymous = {
- enable = true;
- org_role = "Admin";
- };
- };
- services.prometheus = {
- enable = true;
- ruleFiles = [
- (pkgs.writeText "prometheus-rules.yml" (builtins.toJSON {
- groups = [{
- name = "alerting-rules";
- rules = import ./alert-rules.nix { inherit lib; };
- }];
- }))
- ];
- scrapeConfigs = [
- {
- job_name = "telegraf";
- scrape_interval = "60s";
- metrics_path = "/metrics";
- static_configs = [
- {
- targets = [
- "prism.r:9273"
- "dishfire.r:9273"
- "yellow.r:9273"
- ];
- }
- ];
- }
- ];
- alertmanagers = [
- { scheme = "http";
- path_prefix = "/";
- static_configs = [ { targets = [ "localhost:9093" ]; } ];
- }
- ];
- alertmanager = {
- enable = true;
- webExternalUrl = "https://alert.lass.r";
- listenAddress = "[::1]";
- configuration = {
- global = {
- # The smarthost and SMTP sender used for mail notifications.
- smtp_smarthost = "localhost:587";
- smtp_from = "alertmanager@alert.lass.r";
- # smtp_auth_username = "alertmanager@thalheim.io";
- # smtp_auth_password = "$SMTP_PASSWORD";
- };
- route = {
- receiver = "default";
- routes = [
- {
- group_by = [ "host" ];
- group_wait = "30s";
- group_interval = "2m";
- repeat_interval = "2h";
-  receiver = "all";
- }
- ];
- };
- receivers = [
- {
- name = "all";
- webhook_configs = [{
- url = "http://127.0.0.1:9223/";
- max_alerts = 5;
- }];
- }
- {
- name = "default";
- }
- ];
- };
- };
- };
-
-}
diff --git a/lass/2configs/monitoring/telegraf.nix b/lass/2configs/monitoring/telegraf.nix
deleted file mode 100644
index b172b9c62..000000000
--- a/lass/2configs/monitoring/telegraf.nix
+++ /dev/null
@@ -1,163 +0,0 @@
-{ pkgs, lib, config, ... }:
-# To use this module you also need to allow port 9273 either on the internet or on a vpn interface
-# i.e. networking.firewall.interfaces."vpn0".allowedTCPPorts = [ 9273 ];
-# Example prometheus alert rules:
-# - https://github.com/Mic92/dotfiles/blob/master/nixos/eva/modules/prometheus/alert-rules.nix
-let
- isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules;
- # potentially wrong if the nvme is not used at boot...
- hasNvme = lib.any (m: m == "nvme") config.boot.initrd.availableKernelModules;
-
- ipv6DadCheck = pkgs.writeShellScript "ipv6-dad-check" ''
- ${pkgs.iproute2}/bin/ip --json addr | \
- ${pkgs.jq}/bin/jq -r 'map(.addr_info) | flatten(1) | map(select(.dadfailed == true)) | map(.local) | @text "ipv6_dad_failures count=\(length)i"'
- '';
-
- zfsChecks = lib.optional
- (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems)
- (pkgs.writeScript "zpool-health" ''
- #!${pkgs.gawk}/bin/awk -f
- BEGIN {
- while ("${pkgs.zfs}/bin/zpool status" | getline) {
- if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 }
- if ($1 ~ /state:/) { printf " state=\"%s\",", $2 }
- if ($1 ~ /errors:/) {
- if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2
- }
- }
- }
- '');
-
- nfsChecks =
- let
- collectHosts = shares: fs:
- if builtins.elem fs.fsType [ "nfs" "nfs3" "nfs4" ]
- then
- shares
- // (
- let
- # also match ipv6 addresses
- group = builtins.match "\\[?([^\]]+)]?:([^:]+)$" fs.device;
- host = builtins.head group;
- path = builtins.elemAt group 1;
- in
- {
- ${host} = (shares.${host} or [ ]) ++ [ path ];
- }
- )
- else shares;
- nfsHosts = lib.foldl collectHosts { } (builtins.attrValues config.fileSystems);
- in
- lib.mapAttrsToList
- (
- host: args:
- (pkgs.writeScript "nfs-health" ''
- #!${pkgs.gawk}/bin/awk -f
- BEGIN {
- for (i = 2; i < ARGC; i++) {
- mounts[ARGV[i]] = 1
- }
- while ("${pkgs.nfs-utils}/bin/showmount -e " ARGV[1] | getline) {
- if (NR == 1) { continue }
- if (mounts[$1] == 1) {
- printf "nfs_export,host=%s,path=%s present=1\n", ARGV[1], $1
- }
- delete mounts[$1]
- }
- for (mount in mounts) {
- printf "nfs_export,host=%s,path=%s present=0\n", ARGV[1], $1
- }
- }
- '')
- + " ${host} ${builtins.concatStringsSep " " args}"
- )
- nfsHosts;
-
-in
-{
-
- systemd.services.telegraf.path = lib.optional (!isVM && hasNvme) pkgs.nvme-cli;
-
- services.telegraf = {
- enable = true;
- extraConfig = {
- agent.interval = "60s";
- inputs = {
- prometheus.urls = lib.mkIf config.services.promtail.enable [
- # default promtail port
- "http://localhost:9080/metrics"
- ];
- prometheus.metric_version = 2;
- kernel_vmstat = { };
- nginx.urls = lib.mkIf config.services.nginx.statusPage [
- "http://localhost/nginx_status"
- ];
- smart = lib.mkIf (!isVM) {
- path_smartctl = pkgs.writeShellScript "smartctl" ''
- exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@"
- '';
- };
- system = { };
- mem = { };
- file =
- [
- {
- data_format = "influx";
- file_tag = "name";
- files = [ "/var/log/telegraf/*" ];
- }
- ]
- ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) {
- name_override = "ext4_errors";
- files = [ "/sys/fs/ext4/*/errors_count" ];
- data_format = "value";
- };
- exec = [
- {
- ## Commands array
- commands =
- [ ipv6DadCheck ]
- ++ zfsChecks
- ++ nfsChecks;
- data_format = "influx";
- }
- ];
- systemd_units = { };
- swap = { };
- disk.tagdrop = {
- fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ];
- device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ];
- };
- diskio = { };
- zfs = {
- poolMetrics = true;
- };
- } // lib.optionalAttrs (if lib.versionAtLeast (lib.versions.majorMinor lib.version) "23.11" then config.boot.swraid.enable else config.boot.initrd.services.swraid.enable) {
- mdstat = { };
- };
- outputs.prometheus_client = {
- listen = ":9273";
- metric_version = 2;
- };
- };
- };
- security.sudo.extraRules = lib.mkIf (!isVM) [
- {
- users = [ "telegraf" ];
- commands = [
- {
- command = "${pkgs.smartmontools}/bin/smartctl";
- options = [ "NOPASSWD" ];
- }
- ];
- }
- ];
- # avoid logging sudo use
- security.sudo.configFile = ''
- Defaults:telegraf !syslog,!pam_session
- '';
- # create dummy file to avoid telegraf errors
- systemd.tmpfiles.rules = [
- "f /var/log/telegraf/dummy 0444 root root - -"
- ];
-}
diff --git a/lass/2configs/mouse.nix b/lass/2configs/mouse.nix
deleted file mode 100644
index f5f9319ed..000000000
--- a/lass/2configs/mouse.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ lib, ... }:
-{
- hardware.trackpoint = {
- enable = true;
- sensitivity = 220;
- speed = 0;
- emulateWheel = true;
- };
-
- services.xserver.libinput.enable = lib.mkForce false;
- services.xserver.synaptics = {
- enable = true;
- horizEdgeScroll = false;
- horizontalScroll = false;
- vertEdgeScroll = false;
- maxSpeed = "0.1";
- minSpeed = "0.01";
- tapButtons = false;
- };
-}
diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix
deleted file mode 100644
index d65b4a87a..000000000
--- a/lass/2configs/mpv.nix
+++ /dev/null
@@ -1,103 +0,0 @@
-{ pkgs, lib, ... }:
-
-let
- dl_subs = pkgs.writers.writeDashBin "dl_subs" ''
- filename=$1
- ${pkgs.subdl}/bin/subdl --output='/tmp/{m}.{M}.sub' "$filename" 1>&2
- echo "/tmp/$(basename "$filename").sub"
- '';
-
- autosub = pkgs.writeText "autosub.lua" ''
- -- Requires Subliminal version 1.0 or newer
- -- Make sure to specify your system's Subliminal location below:
- local utils = require 'mp.utils'
-
- -- Log function: log to both terminal and mpv OSD (On-Screen Display)
- function log(string, secs)
- secs = secs or 2 -- secs defaults to 2 when the secs parameter is absent
- mp.msg.warn(string) -- This logs to the terminal
- mp.osd_message(string, secs) -- This logs to mpv screen
- end
-
- function download()
- log('Searching subtitles ...', 10)
- path = mp.get_property('path')
- result = utils.subprocess({ args = {"${dl_subs}/bin/dl_subs", path} })
- if result.error == nil then
- filename = string.gsub(result.stdout, "\n", "")
- log(filename)
- mp.commandv('sub_add', filename)
- log('Subtitles ready!')
- else
- log('Subtitles failed downloading')
- end
- end
-
- -- Control function: only download if necessary
- function control_download()
- duration = tonumber(mp.get_property('duration'))
- if duration < 900 then
- mp.msg.warn('Video is less than 15 minutes\n', '=> NOT downloading any subtitles')
- return
- end
- -- There does not seem to be any documentation for the 'sub' property,
- -- but it works on both internally encoded as well as external subtitle files!
- -- -> sub = '1' when subtitles are present
- -- -> sub = 'no' when subtitles are not present
- -- -> sub = 'auto' when called before the 'file-loaded' event is triggered
- sub = mp.get_property('sub')
- if sub == '1' then
- mp.msg.warn('Sub track is already present\n', '=> NOT downloading other subtitles')
- return
- end
- mp.msg.warn('No sub track was detected\n', '=> Proceeding to download subtitles:')
- download()
- end
-
- mp.add_key_binding('S', "download_subs", download)
- '';
-
- mpvInput = pkgs.writeText "mpv.input" ''
- : script-binding console/enable
- x add audio-delay -0.050
- X add audio-delay 0.050
- '';
-
- mpvConfig = pkgs.writeText "mpv.conf" ''
- osd-font-size=20
- '';
-
- mpv = pkgs.symlinkJoin {
- name = "mpv";
- paths = [
- (pkgs.writeDashBin "mpv" ''
- set -efu
- Y_RES=1081
- # we need to disable sponsorblock local database because of
- # https://github.com/po5/mpv_sponsorblock/issues/31
- exec ${pkgs.mpv.override {
- scripts = with pkgs.mpvScripts; [
- sponsorblock
- quality-menu
- ];
- }}/bin/mpv \
- --no-config \
- --input-conf=${mpvInput} \
- --include=${mpvConfig} \
- --script=${autosub} \
- --ytdl-format="best[height<$Y_RES]" \
- --script-opts=ytdl_hook-ytdl_path=${pkgs.yt-dlp}/bin/yt-dlp \
- --script-opts-append=sponsorblock-local_database=no \
- --audio-channels=2 \
- "$@"
- '')
- pkgs.mpv
- ];
- };
-
-in {
- environment.systemPackages = [
- mpv
- dl_subs
- ];
-}
diff --git a/lass/2configs/muchsync.nix b/lass/2configs/muchsync.nix
deleted file mode 100644
index b6d8c5dbc..000000000
--- a/lass/2configs/muchsync.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-with (import );
-{ config, pkgs, ... }:
-
-{
- systemd.services.muchsync = let
- hosts = [
- "coaxmetal.r"
- "mors.r"
- "green.r"
- ];
- in {
- description = "sync mails";
- environment = {
- NOTMUCH_CONFIG = config.environment.variables.NOTMUCH_CONFIG;
- };
- after = [ "network.target" ];
-
- restartIfChanged = false;
-
- path = [
- pkgs.notmuch
- pkgs.openssh
- ];
-
- startAt = "*:*"; # run every minute
- serviceConfig = {
- User = "lass";
- Type = "oneshot";
- ExecStart = pkgs.writeDash "sync-mails" ''
- set -euf
-
- /run/current-system/sw/bin/nm-tag-init 2>/dev/null
- ${concatMapStringsSep "\n" (host: ''
- echo syncing ${host}:
- ${pkgs.muchsync}/bin/muchsync -s 'ssh -CTaxq -o ConnectTimeout=4' --nonew lass@${host} || :
- '') hosts}
- '';
- };
- };
-}
diff --git a/lass/2configs/mumble-reminder.nix b/lass/2configs/mumble-reminder.nix
deleted file mode 100644
index 0067d64eb..000000000
--- a/lass/2configs/mumble-reminder.nix
+++ /dev/null
@@ -1,107 +0,0 @@
-{ config, lib, pkgs, ... }: let
- write_to_irc = chan: pkgs.writeDash "write_to_irc" ''
- ${pkgs.curl}/bin/curl -fsSv --unix-socket '${lib.removePrefix "unix:" config.krebs.reaktor2.mumble-reminder.API.listen}' http://z/ \
- -H content-type:application/json \
- -d "$(${pkgs.jq}/bin/jq -n \
- --arg text "$1" '{
- command:"PRIVMSG",
- params:["${chan}",$text]
- }'
- )"
- '';
- animals = ''
- Erdferkel
- Paviane
- Raupen
- Australischen Wildhunde
- Emus
- Flundern
- Gorillas
- Kolibris
- Schwarzfersenantilopen
- Quallen
- Kois
- Faulaffen
- Schraubenziegen
- Nachtigallen
- Okapis
- Stachelschweine
- Kurzschwanzkängurus
- Waschbären
- '';
- systemPlugin = {
- plugin = "system";
- config = {
- hooks.PRIVMSG = [
- {
- pattern = "^erriner mich$";
- activate = "match";
- command = {
- filename = pkgs.writeDash "add_remind" ''
- echo "$_from" >> /var/lib/reaktor2-mumble-reminder/users
- sort /var/lib/reaktor2-mumble-reminder/users | uniq > /var/lib/reaktor2-mumble-reminder/users.tmp
- mv /var/lib/reaktor2-mumble-reminder/users.tmp /var/lib/reaktor2-mumble-reminder/users
- echo "Ich werde $_from in zukunft an das meetup errinern"
- '';
- };
- }
- {
- pattern = "^nerv nicht$";
- activate = "match";
- command = {
- filename = pkgs.writeDash "del_remind" ''
- ${pkgs.gnused}/bin/sed -i "/$_from/d" /var/lib/reaktor2-mumble-reminder/users
- echo "okok, Ich werde $_from nich mehr errinern"
- '';
- };
- }
- ];
- };
- };
-
-in {
- krebs.reaktor2.mumble-reminder = {
- hostname = "irc.hackint.org";
- nick = "lassulus__";
- API.listen = "unix:/var/lib/reaktor2-mumble-reminder/reaktor_hackint.sock";
- plugins = [
- {
- plugin = "register";
- config = {
- channels = [
- "#krebs"
- "#nixos"
- ];
- };
- }
- systemPlugin
- ];
- port = "6697";
- };
- systemd.services.mumble-reminder-nixos = {
- description = "weekly reminder for nixos mumble";
- startAt = "Wed *-*-* 19:00:00 Europe/Berlin";
- serviceConfig = {
- ExecStart = pkgs.writers.writeDash "mumble_reminder" ''
- animals='
- ${animals}
- '
- ${write_to_irc "#nixos"} "Es ist Mittwoch meine $(echo "$animals" | grep -v '^$' | shuf -n1 )!"
- ${write_to_irc "#nixos"} "kommt auf mumble://lassul.us"
- '';
- };
- };
- systemd.services.mumble-reminder-krebs = {
- description = "weekly reminder for nixos mumble";
- startAt = "Wed *-*-* 19:00:00 Europe/Berlin";
- serviceConfig = {
- ExecStart = pkgs.writers.writeDash "mumble_reminder" ''
- animals='
- ${animals}
- '
- ${write_to_irc "#krebs"} "Es ist Mittwoch meine $(echo "$animals" | grep -v '^$' | shuf -n1 )!"
- ${write_to_irc "#krebs"} "$(cat /var/lib/reaktor2-mumble-reminder/users | ${pkgs.findutils}/bin/xargs echo) : mumble?"
- '';
- };
- };
-}
diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix
deleted file mode 100644
index 3129fef50..000000000
--- a/lass/2configs/murmur.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- services.murmur = {
- enable = true;
- allowHtml = false;
- bandwidth = 10000000;
- registerName = "lassul.us";
- autobanTime = 30;
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
- { predicate = "-p udp --dport 64738"; target = "ACCEPT";}
- ];
-
- systemd.services.docker-mumble-web.serviceConfig = {
- StandardOutput = lib.mkForce "journal";
- StandardError = lib.mkForce "journal";
- };
- virtualisation.oci-containers.containers.mumble-web = {
- image = "rankenstein/mumble-web:0.5";
- environment = {
- MUMBLE_SERVER = "lassul.us:64738";
- };
- ports = [
- "64739:8080"
- ];
- };
-
- services.nginx.virtualHosts."mumble.lassul.us" = {
- enableACME = true;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://localhost:64739";
- proxyWebsockets = true;
- };
- };
-}
diff --git a/lass/2configs/network-manager.nix b/lass/2configs/network-manager.nix
deleted file mode 100644
index ee69c6b1a..000000000
--- a/lass/2configs/network-manager.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ pkgs, lib, ... }:
-{
- networking.wireless.enable = lib.mkForce false;
-
- networking.networkmanager = {
- ethernet.macAddress = "random";
- wifi.macAddress = "random";
- enable = true;
- unmanaged = [
- "docker*"
- "vboxnet*"
- ];
- };
- systemd.services.NetworkManager-wait-online.enable = false;
- users.users.mainUser = {
- extraGroups = [ "networkmanager" ];
- packages = with pkgs; [
- gnome.gnome-keyring
- dconf
- ];
- };
- environment.systemPackages = [
- pkgs.nm-dmenu
- ];
-}
diff --git a/lass/2configs/networkd.nix b/lass/2configs/networkd.nix
deleted file mode 100644
index 12ffe0bd7..000000000
--- a/lass/2configs/networkd.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
- systemd.services.systemd-networkd.stopIfChanged = false;
- # Services that are only restarted might be not able to resolve when resolved is stopped before
- systemd.services.systemd-resolved.stopIfChanged = false;
-
- networking.useNetworkd = true;
- systemd.network = {
- enable = true;
- networks.wl0 = {
- matchConfig.Name = "wl0";
- DHCP = "yes";
- networkConfig = {
- IgnoreCarrierLoss = "3s";
- };
- dhcpV4Config.UseDNS = true;
- };
- };
-}
diff --git a/lass/2configs/nfs-dl.nix b/lass/2configs/nfs-dl.nix
deleted file mode 100644
index eeab732ba..000000000
--- a/lass/2configs/nfs-dl.nix
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- fileSystems."/mnt/prism" = {
- device = "prism.w:/export/download";
- fsType = "nfs";
- options = [
- #"timeo=14"
- "noauto"
- "noatime"
- "nodiratime"
- #"noac"
- #"nocto"
- "x-systemd.automount"
- "x-systemd.device-timeout=1"
- "x-systemd.idle-timeout=1min"
- "x-systemd.requires=retiolum.service"
- "user"
- "_netdev"
- "soft"
- ];
- };
-}
-
diff --git a/lass/2configs/orange-host.nix b/lass/2configs/orange-host.nix
deleted file mode 100644
index 6d82d8cc9..000000000
--- a/lass/2configs/orange-host.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, pkgs, ... }:
-{
- krebs.sync-containers3.containers.orange = {
- sshKey = "${toString }/orange.sync.key";
- };
- containers.orange.bindMounts."/var/lib" = {
- hostPath = "/var/lib/sync-containers3/orange/state";
- isReadOnly = false;
- };
- services.nginx.virtualHosts."lassul.us" = {
- # enableACME = config.security;
- # forceSSL = true;
- locations."/" = {
- recommendedProxySettings = true;
- proxyWebsockets = true;
- proxyPass = "http://orange.r";
- };
- };
-}
diff --git a/lass/2configs/os-templates/CAC-CentOS-6.5-64bit.nix b/lass/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
deleted file mode 100644
index b5ec722a0..000000000
--- a/lass/2configs/os-templates/CAC-CentOS-6.5-64bit.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-_:
-
-{
- boot.loader.grub = {
- device = "/dev/sda";
- splashImage = null;
- };
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "vmw_pvscsi"
- ];
-
- fileSystems."/" = {
- device = "/dev/VolGroup/lv_root";
- fsType = "ext4";
- };
-
- fileSystems."/boot" = {
- device = "/dev/sda1";
- fsType = "ext4";
- };
-
- swapDevices = [
- { device = "/dev/VolGroup/lv_swap"; }
- ];
-
- users.extraGroups = {
- # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
- # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
- # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
- # Docs: man:tmpfiles.d(5)
- # man:systemd-tmpfiles(8)
- # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
- # Main PID: 19272 (code=exited, status=1/FAILURE)
- #
- # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
- # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
- # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
- # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
- # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
- # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
- # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
- # warning: error(s) occured while switching to the new configuration
- lock.gid = 10001;
- };
-}
diff --git a/lass/2configs/os-templates/CAC-CentOS-7-64bit.nix b/lass/2configs/os-templates/CAC-CentOS-7-64bit.nix
deleted file mode 100644
index 168d1d97b..000000000
--- a/lass/2configs/os-templates/CAC-CentOS-7-64bit.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-_:
-
-{
- boot.loader.grub = {
- device = "/dev/sda";
- splashImage = null;
- };
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "vmw_pvscsi"
- ];
-
- fileSystems."/" = {
- device = "/dev/centos/root";
- fsType = "xfs";
- };
-
- fileSystems."/boot" = {
- device = "/dev/sda1";
- fsType = "xfs";
- };
-
- swapDevices = [
- { device = "/dev/centos/swap"; }
- ];
-
- users.extraGroups = {
- # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
- # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
- # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
- # Docs: man:tmpfiles.d(5)
- # man:systemd-tmpfiles(8)
- # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
- # Main PID: 19272 (code=exited, status=1/FAILURE)
- #
- # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
- # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
- # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
- # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
- # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
- # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
- # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
- # warning: error(s) occured while switching to the new configuration
- lock.gid = 10001;
- };
-}
diff --git a/lass/2configs/otp-ssh.nix b/lass/2configs/otp-ssh.nix
deleted file mode 100644
index f9984e245..000000000
--- a/lass/2configs/otp-ssh.nix
+++ /dev/null
@@ -1,18 +0,0 @@
-{ pkgs, ... }:
-# Enables second factor for ssh password login
-
-## Usage:
-# gen-oath-safe totp
-## scan the qrcode with google authenticator (or FreeOTP)
-## copy last line into secrets//users.oath (chmod 700)
-{
- security.pam.oath = {
- # enabling it will make it a requisite of `all` services
- # enable = true;
- digits = 6;
- # TODO assert existing
- usersFile = (toString ) + "/users.oath";
- };
- # I want TFA only active for sshd with password-auth
- security.pam.services.sshd.oathAuth = true;
-}
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
deleted file mode 100644
index a52fe4afc..000000000
--- a/lass/2configs/pass.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- users.users.mainUser.packages = with pkgs; [
- (pass.withExtensions (ext: [ ext.pass-otp ]))
- gnupg
- (pkgs.writers.writeDashBin "unlock" ''
- set -efu
- HOST=$1
-
- pw=$(pass show "admin/$HOST/luks")
- torify sshn root@$(pass "hosts/$HOST/initrd/hostname") "echo $pw > /crypt-ramfs/passphrase"
- '')
- ];
-
- programs.gnupg.agent.enable = true;
- systemd.tmpfiles.rules = [
- "L+ /home/lass/.password-store - - - - sync/pwstore"
- ];
-
-}
diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix
deleted file mode 100644
index 86f0dba15..000000000
--- a/lass/2configs/paste.nix
+++ /dev/null
@@ -1,146 +0,0 @@
-{ config, pkgs, ... }:
-with import ;
-
-{
- services.nginx.virtualHosts.cyberlocker = {
- serverAliases = [ "c.r" ];
- locations."/".extraConfig = ''
- client_max_body_size 4G;
- proxy_set_header Host $host;
- proxy_pass http://127.0.0.1:${toString config.krebs.htgen.cyberlocker.port};
- '';
- extraConfig = ''
- add_header Access-Control-Allow-Origin * always;
- add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
- '';
- };
- services.nginx.virtualHosts.paste = {
- serverAliases = [ "p.r" ];
- locations."/".extraConfig = ''
- client_max_body_size 4G;
- proxy_set_header Host $host;
- proxy_pass http://127.0.0.1:${toString config.krebs.htgen.paste.port};
- '';
- locations."/image".extraConfig = /* nginx */ ''
- client_max_body_size 40M;
-
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_pass http://127.0.0.1:${toString config.krebs.htgen.imgur.port};
- proxy_pass_header Server;
- '';
- extraConfig = ''
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- '';
- };
- services.nginx.virtualHosts."c.krebsco.de" = {
- enableACME = true;
- addSSL = true;
- serverAliases = [ "c.krebsco.de" ];
- locations."/".extraConfig = ''
- if ($request_method != GET) {
- return 403;
- }
- proxy_set_header Host $host;
- proxy_pass http://127.0.0.1:${toString config.krebs.htgen.cyberlocker.port};
- '';
- extraConfig = ''
- add_header Access-Control-Allow-Origin * always;
- add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
- '';
- };
- services.nginx.virtualHosts."p.krebsco.de" = {
- enableACME = true;
- addSSL = true;
- serverAliases = [ "p.krebsco.de" ];
- locations."/".extraConfig = ''
- if ($request_method = 'OPTIONS') {
- return 204;
- }
- client_max_body_size 4G;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://127.0.0.1:${toString config.krebs.htgen.paste.port};
- '';
- locations."/form".extraConfig = ''
- client_max_body_size 4G;
- proxy_set_header Host $host;
- proxy_pass http://127.0.0.1:${toString config.krebs.htgen.paste-form.port};
- '';
- locations."/image".extraConfig = ''
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
-
- proxy_pass http://127.0.0.1:${toString config.krebs.htgen.imgur.port};
- proxy_pass_header Server;
- '';
- extraConfig = ''
- add_header Access-Control-Allow-Headers Authorization always;
- add_header Access-Control-Allow-Origin * always;
- add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
- '';
- };
-
- krebs.htgen.paste = {
- port = 9081;
- script = /* sh */ ''
- (. ${pkgs.htgen-paste}/bin/htgen-paste)
- '';
- };
-
- systemd.services.paste-gc = {
- startAt = "daily";
- serviceConfig = {
- ExecStart = ''
- ${pkgs.findutils}/bin/find /var/lib/htgen-paste/items -type f -mtime '+30' -exec rm {} \;
- '';
- User = "htgen-paste";
- };
- };
-
- krebs.htgen.paste-form = {
- port = 7770;
- script = /* sh */ ''
- export PATH=${makeBinPath [
- pkgs.curl
- pkgs.gnused
- ]}:$PATH
- (. ${pkgs.writeScript "paste-form" ''
- case "$Method" in
- 'POST')
- ref=$(head -c $req_content_length | sed '0,/^\r$/d;$d' | curl -fSs --data-binary @- https://p.krebsco.de | sed '1d;s/^http:/https:/')
-
- printf 'HTTP/1.1 200 OK\r\n'
- printf 'Content-Type: text/plain; charset=UTF-8\r\n'
- printf 'Server: %s\r\n' "$Server"
- printf 'Connection: close\r\n'
- printf 'Content-Length: %d\r\n' $(expr ''${#ref} + 1)
- printf '\r\n'
- printf '%s\n' "$ref"
-
- exit
- ;;
- esac
- ''})
- '';
- };
- krebs.htgen.imgur = {
- port = 7771;
- script = /* sh */ ''
- (. ${pkgs.htgen-imgur}/bin/htgen-imgur)
- '';
- };
- krebs.htgen.cyberlocker = {
- port = 7772;
- script = /* sh */ ''
- (. ${pkgs.htgen-cyberlocker}/bin/htgen-cyberlocker)
- '';
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT";}
- ];
-}
diff --git a/lass/2configs/pipewire.nix b/lass/2configs/pipewire.nix
deleted file mode 100644
index da9408669..000000000
--- a/lass/2configs/pipewire.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ config, lib, pkgs, ... }:
-# TODO test `alsactl init` after suspend to reinit mic
-{
- security.rtkit.enable = true;
-
- hardware.bluetooth = {
- enable = true;
- powerOnBoot = true;
- };
-
- environment.systemPackages = with pkgs; [
- alsa-utils
- pulseaudio
- ponymix
- ];
-
- services.pipewire = {
- enable = true;
- systemWide = true;
- alsa.enable = true;
- alsa.support32Bit = true;
- pulse.enable = true;
- jack.enable = true;
- };
- environment.etc = {
- "wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
- bluez_monitor.properties = {
- ["bluez5.enable-sbc-xq"] = true,
- ["bluez5.enable-msbc"] = true,
- ["bluez5.enable-hw-volume"] = true,
- ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
- }
- '';
- };
-}
diff --git a/lass/2configs/power-action.nix b/lass/2configs/power-action.nix
deleted file mode 100644
index 648ffc784..000000000
--- a/lass/2configs/power-action.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- suspend = pkgs.writeDash "suspend" ''
- ${pkgs.systemd}/bin/systemctl suspend
- '';
-
- speak = text:
- pkgs.writeDash "speak" ''
- ${pkgs.espeak}/bin/espeak -v +whisper -s 110 "${text}"
- '';
-
-in {
- krebs.power-action = {
- enable = true;
- plans.low-battery = {
- upperLimit = 10;
- lowerLimit = 15;
- charging = false;
- action = pkgs.writeDash "warn-low-battery" ''
- ${speak "power level low"}
- '';
- };
- plans.suspend = {
- upperLimit = 10;
- lowerLimit = 0;
- charging = false;
- action = pkgs.writeDash "suspend-wrapper" ''
- /run/wrappers/bin/sudo ${suspend}
- '';
- };
- user = "lass";
- };
-
- users.users.power-action = {
- isNormalUser = true;
- extraGroups = [
- "audio"
- ];
- };
-
- security.sudo.extraConfig = ''
- ${config.krebs.power-action.user} ALL= (root) NOPASSWD: ${suspend}
- '';
-}
diff --git a/lass/2configs/ppp/umts-stick.nix b/lass/2configs/ppp/umts-stick.nix
deleted file mode 100644
index 64551a2b3..000000000
--- a/lass/2configs/ppp/umts-stick.nix
+++ /dev/null
@@ -1,33 +0,0 @@
-{ pkgs, ... }: {
-
- # usage: pppd call stick
-
- environment.etc."ppp/peers/stick".text = ''
- /dev/ttyUSB0
- 460800
- crtscts
- defaultroute
- holdoff 10
- lock
- maxfail 0
- noauth
- nodetach
- noipdefault
- passive
- persist
- usepeerdns
- connect "${pkgs.ppp}/bin/chat -f ${pkgs.writeText "default.chat" ''
- ABORT "BUSY"
- ABORT "NO CARRIER"
- REPORT CONNECT
- "" "ATDT*99#"
- CONNECT
- ''}"
- '';
-
- environment.systemPackages = [
- pkgs.ppp
- ];
-
-}
-
diff --git a/lass/2configs/ppp/x220-modem.nix b/lass/2configs/ppp/x220-modem.nix
deleted file mode 100644
index d6facb724..000000000
--- a/lass/2configs/ppp/x220-modem.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ pkgs, ... }: {
-
- # usage: pppd call x220
-
- environment.etc."ppp/peers/x220".text = ''
- /dev/ttyACM2
- 921600
- crtscts
- defaultroute
- holdoff 10
- lock
- maxfail 0
- noauth
- nodetach
- noipdefault
- passive
- persist
- usepeerdns
- connect "${pkgs.ppp}/bin/chat -f ${pkgs.writeText "default.chat" ''
- ABORT "BUSY"
- ABORT "NO CARRIER"
- REPORT CONNECT
- "" "ATDT*99#"
- CONNECT
- ''}"
- '';
-
- environment.systemPackages = [
- pkgs.ppp
- ];
-
-}
diff --git a/lass/2configs/print.nix b/lass/2configs/print.nix
deleted file mode 100644
index f493b19cc..000000000
--- a/lass/2configs/print.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ pkgs, ... }:
-{
- services.printing = {
- enable = true;
- drivers = [
- pkgs.foomatic-filters
- pkgs.gutenprint
- ];
- browsing = true;
- browsedConf = ''
- BrowseDNSSDSubTypes _cups,_print
- BrowseLocalProtocols all
- BrowseRemoteProtocols all
- CreateIPPPrinterQueues All
-
- BrowseProtocols all
- '';
- };
-}
diff --git a/lass/2configs/prism-share.nix b/lass/2configs/prism-share.nix
deleted file mode 100644
index fb803dd77..000000000
--- a/lass/2configs/prism-share.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-with import ;
-{ config, pkgs, ... }:
-
-{
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 139"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport 445"; target = "ACCEPT"; }
- { predicate = "-p udp --dport 137"; target = "ACCEPT"; }
- { predicate = "-p udp --dport 138"; target = "ACCEPT"; }
- ];
- users.users.smbguest = {
- name = "smbguest";
- uid = config.ids.uids.smbguest;
- description = "smb guest user";
- home = "/home/share";
- createHome = true;
- group = "share";
- };
- users.groups.share = {};
-
- services.samba = {
- enable = true;
- enableNmbd = true;
- shares = {
- incoming = {
- path = "/mnt/prism";
- "read only" = "yes";
- browseable = "yes";
- "guest ok" = "yes";
- };
- };
- extraConfig = ''
- guest account = smbguest
- map to guest = bad user
- # disable printing
- load printers = no
- printing = bsd
- printcap name = /dev/null
- disable spoolss = yes
- '';
- };
-}
diff --git a/lass/2configs/privoxy-retiolum.nix b/lass/2configs/privoxy-retiolum.nix
deleted file mode 100644
index 352a6d3d8..000000000
--- a/lass/2configs/privoxy-retiolum.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, lib, ... }:
-
-let
- r_ip = config.krebs.build.host.nets.retiolum.ip4.addr;
-
-in {
- imports = [
- ./privoxy.nix
- ];
-
- services.privoxy.listenAddress = "${r_ip}:8118";
-
- krebs.iptables = {
- tables = {
- filter.INPUT.rules = [
- { predicate = "-i retiolum -p tcp --dport 8118"; target = "ACCEPT"; }
- { predicate = "-i dns0 -p tcp --dport 8118"; target = "ACCEPT"; }
- ];
- };
- };
-}
diff --git a/lass/2configs/privoxy.nix b/lass/2configs/privoxy.nix
deleted file mode 100644
index e0a086421..000000000
--- a/lass/2configs/privoxy.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, ... }:
-
-{
- services.privoxy = {
- enable = true;
- };
-}
diff --git a/lass/2configs/programs.nix b/lass/2configs/programs.nix
deleted file mode 100644
index 4361ec747..000000000
--- a/lass/2configs/programs.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ config, pkgs, ... }:
-
-## TODO sort and split up
-{
- environment.systemPackages = with pkgs; [
- aria2
- generate-secrets
- gnupg1compat
- htop
- i3lock
- l-gen-secrets
- mosh
- pass
- pavucontrol
- pv
- pwgen
- remmina
- ripgrep
- silver-searcher
- transmission
- wget
- xsel
- yt-dlp
- (pkgs.writeDashBin "youtube-dl" ''
- exec ${pkgs.yt-dlp}/bin/yt-dlp "$@"
- '')
- (pkgs.writeDashBin "tether-on" ''
- adb shell svc usb setFunctions rndis
- '')
- (pkgs.writeDashBin "tether-off" ''
- adb shell svc usb setFunctions
- '')
- (pkgs.writeDashBin "deploy" ''
- set -eu
- export SYSTEM="$1"
- $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
- '')
- (pkgs.writeDashBin "lassul.us" ''
- TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
- ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json
- OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us
- ${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
- '')
- (pkgs.writeDashBin "btc-coinbase" ''
- ${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount'
- '')
- (pkgs.writeDashBin "btc-wex" ''
- ${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg'
- '')
- (pkgs.writeDashBin "btc-kraken" ''
- ${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
- '')
- ];
-}
diff --git a/lass/2configs/reaktor-coders.nix b/lass/2configs/reaktor-coders.nix
deleted file mode 100644
index 457d5b6c7..000000000
--- a/lass/2configs/reaktor-coders.nix
+++ /dev/null
@@ -1,56 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ; - -let - hooks = pkgs.reaktor2-plugins.hooks; -in { - krebs.reaktor2.coders = { - hostname = "irc.hackint.org"; - port = "9999"; - useTLS = true; - nick = "reaktor2|lass"; - plugins = [ - { - plugin = "register"; - config = { - channels = [ - "#coders" - "#germany" - "#panthermoderns" - ]; - }; - } - { - plugin = "system"; - config = { - workdir = config.krebs.reaktor2.coders.stateDir; - hooks.PRIVMSG = [ - hooks.sed - hooks.url-title - { - activate = "match"; - pattern = ''^!([^ ]+)(?:\s*(.*))?''; - command = 1; - arguments = [2]; - commands = { - ping.filename = pkgs.writeDash "ping" '' - exec /run/wrappers/bin/ping -q -c1 "$1" 2>&1 | tail -1 - ''; - google.filename = pkgs.writeDash "google" '' - exec ${pkgs.ddgr}/bin/ddgr -C -n1 --json "$@" | \ - ${pkgs.jq}/bin/jq '@text "\(.[0].abstract) \(.[0].url)"' - ''; - shrug.filename = pkgs.writeDash "shrug" '' - exec echo '¯\_(ツ)_/¯' - ''; - table.filename = pkgs.writeDash "table" '' - exec echo '(╯°□°)╯ ┻━┻' - ''; - }; - } - ]; - }; - } - ]; - }; -} diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix deleted file mode 100644 index 0260b91c0..000000000 --- a/lass/2configs/realwallpaper.nix +++ /dev/null 
@@ -1,52 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - hostname = config.krebs.build.host.name; - inherit (lib) - nameValuePair - ; - -in { - krebs.realwallpaper.enable = true; - - system.activationScripts.wallpaper-chmod = '' - ${pkgs.coreutils}/bin/chmod +rx /var/realwallpaper - ''; - services.nginx.virtualHosts.wallpaper = { - extraConfig = '' - if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) { - return 403; - } - ''; - serverAliases = [ - "wallpaper.r" - ]; - locations."/".extraConfig = '' - autoindex on; - root /var/realwallpaper/; - ''; - locations."/realwallpaper.png".extraConfig = '' - root /var/realwallpaper/; - ''; - locations."/realwallpaper-krebs.png".extraConfig = '' - root /var/realwallpaper/; - ''; - locations."/realwallpaper-krebs-stars.png".extraConfig = '' - root /var/realwallpaper/; - ''; - locations."/realwallpaper-krebs-stars-berlin.png".extraConfig = '' - root /var/realwallpaper/; - ''; - locations."/realwallpaper-video.mp4".extraConfig = '' - root /var/realwallpaper/archive; - ''; - }; - - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } - ]; - }; - }; -} diff --git a/lass/2configs/rebuild-on-boot.nix b/lass/2configs/rebuild-on-boot.nix deleted file mode 100644 index 60198be7b..000000000 --- a/lass/2configs/rebuild-on-boot.nix +++ /dev/null @@ -1,18 +0,0 @@ -{ config, pkgs, ... }: -with import ; -{ - systemd.services.rebuild-on-boot = { - wantedBy = [ "multi-user.target" ]; - environment = { - NIX_REMOTE = "daemon"; - HOME = "/var/empty"; - }; - serviceConfig = { - ExecStart = pkgs.writeScript "rebuild" '' - #!${pkgs.bash}/bin/bash - (/run/current-system/sw/bin/nixos-rebuild -I /var/src switch) & - ''; - ExecStop = "${pkgs.coreutils}/bin/sleep 10"; - }; - }; -} diff --git a/lass/2configs/red-host.nix b/lass/2configs/red-host.nix deleted file mode 100644 index ac7e529a3..000000000 --- a/lass/2configs/red-host.nix +++ /dev/null 
@@ -1,163 +0,0 @@ -{ config, lib, pkgs, ... }: -let - ctr.name = "red"; -in -{ - - krebs.sync-containers3.containers.red = { - sshKey = "${toString }/containers/red/sync.key"; - ephemeral = true; - }; - - # containers.${ctr.name} = { - # config = { - # environment.systemPackages = [ - # pkgs.dhcpcd - # pkgs.git - # pkgs.jq - # ]; - # networking.useDHCP = lib.mkForce true; - # systemd.services.autoswitch = { - # environment = { - # NIX_REMOTE = "daemon"; - # }; - # wantedBy = [ "multi-user.target" ]; - # serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' - # if test -e /var/src/nixos-config; then - # /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : - # fi - # ''; - # unitConfig.X-StopOnRemoval = false; - # }; - # }; - # autoStart = false; - # enableTun = true; - # privateNetwork = true; - # hostBridge = "ctr0"; - # bindMounts = { - # "/etc/resolv.conf".hostPath = "/etc/resolv.conf"; - # "/var/lib/self-state/disk-image" = { - # hostPath = "/var/lib/sync-containers3/${ctr.name}"; - # isReadOnly = true; - # }; - # }; - # }; - - # systemd.services."${ctr.name}_scheduler" = { - # wantedBy = [ "multi-user.target" ]; - # path = with pkgs; [ - # coreutils - # consul - # cryptsetup - # mount - # util-linux - # systemd - # untilport - # ]; - # serviceConfig = { - # Restart = "always"; - # RestartSec = "15s"; - # ExecStart = "${pkgs.consul}/bin/consul lock container_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-start" '' - # set -efux - # trap ${pkgs.writers.writeDash "stop-${ctr.name}" '' - # set -efux - # /run/current-system/sw/bin/nixos-container stop ${ctr.name} || : - # umount /var/lib/nixos-containers/${ctr.name}/var/state || : - # cryptsetup luksClose ${ctr.name} || : - # ''} INT TERM EXIT - # consul kv put containers/${ctr.name}/host ${config.networking.hostName} - # cryptsetup luksOpen --key-file /var/src/secrets/containers/${ctr.name}/luks /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} - # mkdir -p 
/var/lib/nixos-containers/${ctr.name}/var/state - # mount /dev/mapper/${ctr.name} /var/lib/nixos-containers/${ctr.name}/var/state - # ln -frs /var/lib/nixos-containers/${ctr.name}/var/state/var_src /var/lib/nixos-containers/${ctr.name}/var/src - # /run/current-system/sw/bin/nixos-container start ${ctr.name} - # set +x - # until /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done - # while /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done - # ''}"; - # }; - # }; - - # users.groups."container_${ctr.name}" = {}; - # users.users."container_${ctr.name}" = { - # group = "container_${ctr.name}"; - # isSystemUser = true; - # home = "/var/lib/sync-containers3/${ctr.name}"; - # createHome = true; - # homeMode = "705"; - # openssh.authorizedKeys.keys = [ - # config.krebs.users.lass.pubkey - # ]; - # }; - - # systemd.timers."${ctr.name}_syncer" = { - # timerConfig = { - # RandomizedDelaySec = 300; - # }; - # }; - # systemd.services."${ctr.name}_syncer" = { - # path = with pkgs; [ - # coreutils - # rsync - # openssh - # systemd - # ]; - # startAt = "*:0/1"; - # serviceConfig = { - # User = "container_${ctr.name}"; - # LoadCredential = [ - # "ssh_key:${toString }/containers/${ctr.name}/sync.key" - # ]; - # ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" '' - # set -efu - # ! 
systemctl is-active --quiet container@${ctr.name}.service - # ''; - # ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" '' - # set -efu - # rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk-image/disk $HOME/disk - # ''; - # }; - # }; - - # # networking - # networking.networkmanager.unmanaged = [ "ctr0" ]; - # networking.interfaces.dummy0.virtual = true; - # networking.bridges.ctr0.interfaces = [ "dummy0" ]; - # networking.interfaces.ctr0.ipv4.addresses = [{ - # address = "10.233.0.1"; - # prefixLength = 24; - # }]; - # systemd.services."dhcpd-ctr0" = { - # wantedBy = [ "multi-user.target" ]; - # after = [ "network.target" ]; - # serviceConfig = { - # Type = "forking"; - # Restart = "always"; - # DynamicUser = true; - # StateDirectory = "dhcpd-ctr0"; - # User = "dhcpd-ctr0"; - # Group = "dhcpd-ctr0"; - # AmbientCapabilities = [ - # "CAP_NET_RAW" # to send ICMP messages - # "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67) - # ]; - # ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases"; - # ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" '' - # default-lease-time 600; - # max-lease-time 7200; - # authoritative; - # ddns-update-style interim; - # log-facility local1; # see dhcpd.nix - - # option subnet-mask 255.255.255.0; - # option routers 10.233.0.1; - # # option domain-name-servers 8.8.8.8; # TODO configure dns server - # subnet 10.233.0.0 netmask 255.255.255.0 { - # range 10.233.0.10 10.233.0.250; - # } - # ''} ctr0"; - # }; - # }; - -} - diff --git a/lass/2configs/redis.nix b/lass/2configs/redis.nix deleted file mode 100644 index 8dd8df5c3..000000000 --- a/lass/2configs/redis.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ config, ... }: - -{ - config.services.redis = { - enable = true; - bind = "127.0.0.1"; - }; -} diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix deleted file mode 100644 index c2828f6db..000000000 
--- a/lass/2configs/retiolum.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-
- krebs.iptables = {
- tables = {
- filter.INPUT.rules = let
- tincport = toString config.krebs.build.host.nets.retiolum.tinc.port;
- in [
- { predicate = "-p tcp --dport ${tincport}"; target = "ACCEPT"; }
- { predicate = "-p udp --dport ${tincport}"; target = "ACCEPT"; }
- ];
- };
- };
-
- krebs.tinc.retiolum = {
- enable = true;
- connectTo = [
- "prism"
- "ni"
- "eve"
- ];
- extraConfig = ''
- AutoConnect = no
- ${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) ''
- LocalDiscovery = no
- ''}
- '';
- tincUp = lib.mkIf config.systemd.network.enable "";
- };
-
- systemd.network.networks.retiolum = {
- matchConfig.Name = "retiolum";
- address = [
- "${config.krebs.build.host.nets.retiolum.ip4.addr}/16"
- "${config.krebs.build.host.nets.retiolum.ip6.addr}/16"
- ];
- linkConfig = {
- MTUBytes = "1377";
- RequiredForOnline = "no";
- };
- networkConfig = {
- IgnoreCarrierLoss = "10s";
- LinkLocalAddressing = "no";
- };
- };
-
- nixpkgs.config.packageOverrides = pkgs: {
- tinc = pkgs.tinc_pre;
- };
-
- environment.systemPackages = [
- pkgs.tinc
- ];
-}
diff --git a/lass/2configs/review.nix b/lass/2configs/review.nix
deleted file mode 100644
index 658f32084..000000000
--- a/lass/2configs/review.nix
+++ /dev/null
@@ -1,14 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- mainUser = config.users.extraUsers.mainUser;
-in {
-
- users.users.review = {
- isNormalUser = true;
- packages = [ pkgs.nixpkgs-review ];
- };
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(review) NOPASSWD: ALL
- '';
-}
diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix
deleted file mode 100644
index 6348cb882..000000000
--- a/lass/2configs/riot.nix
+++ /dev/null
@@ -1,87 +0,0 @@ -{ config, lib, pkgs, ... }: let - domains = [ - "hackerfleet.eu" - "hackerfleet.de" - ]; -in { - containers.riot = { - config = { - environment.systemPackages = [ - pkgs.git - pkgs.jq - ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" - ]; - networking.defaultGateway = "10.233.1.1"; - systemd.services.autoswitch = { - environment = { - NIX_REMOTE = "daemon"; - }; - wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' - set -efu - if test -e /etc/nixos/configuration.nix; then - /run/current-system/sw/bin/nixos-rebuild switch \ - -I nixpkgs=channel:$(cat /etc/nixos/channel) \ - -I nixos-config=/etc/nixos/configuration.nix \ - || : - fi - ''; - unitConfig.X-StopOnRemoval = false; - }; - }; - autoStart = true; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.1.1"; - localAddress = "10.233.1.2"; - }; - systemd.services."container@riot".restartIfChanged = lib.mkForce false; - - systemd.network.networks."50-ve-riot" = { - matchConfig.Name = "ve-riot"; - - networkConfig = { - # weirdly we have to use POSTROUTING MASQUERADE here - # and set ip_forward manually - # IPForward = "yes"; - # IPMasquerade = "both"; - LinkLocalAddressing = "no"; - KeepConfiguration = "static"; - }; - }; - - boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1; - - krebs.iptables.tables.nat.POSTROUTING.rules = [ - { v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; } - ]; - - # networking.nat can be used instead of this - 
krebs.iptables.tables.nat.PREROUTING.rules = [ - { predicate = "-p tcp --dport 45622"; target = "DNAT --to-destination ${config.containers.riot.localAddress}:22"; v6 = false; } - ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { predicate = "-i ve-riot"; target = "ACCEPT"; } - { predicate = "-o ve-riot"; target = "ACCEPT"; } - ]; - - - # non container stuff - - services.nginx.virtualHosts.riot = { - serverName = null; - serverAliases = domains; - }; - - krebs.exim-smarthost.extraRouters = '' - forward_riot: - driver = manualroute - domains = ${lib.concatStringsSep ":" domains} - transport = remote_smtp - route_list = * riot - no_more - ''; -} diff --git a/lass/2configs/rtl-sdr.nix b/lass/2configs/rtl-sdr.nix deleted file mode 100644 index 7d640ea6c..000000000 --- a/lass/2configs/rtl-sdr.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - boot.blacklistedKernelModules = [ "dvb_usb_rtl28xxu" ]; - services.udev.extraRules = '' - SUBSYSTEM=="usb", ATTRS{idVendor}=="0bda", ATTRS{idProduct}=="2838", GROUP="adm", MODE="0666", SYMLINK+="rtl_sdr" - ''; -} diff --git a/lass/2configs/searx.nix b/lass/2configs/searx.nix deleted file mode 100644 index ed6586a26..000000000 --- a/lass/2configs/searx.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ pkgs, ... }: -let - port = 8889; -in { - services.nginx.virtualHosts.search = { - serverAliases = [ "search.r" ]; - locations."/".extraConfig = '' - proxy_set_header Host $host; - proxy_pass http://127.0.0.1:${builtins.toString port}; - ''; - }; - - services.searx = { - enable = true; - configFile = pkgs.writeText "searx.cfg" (builtins.toJSON { - use_default_settings = true; - server = { - port = port; - secret_key = builtins.readFile ; - }; - }); - }; -} diff --git a/lass/2configs/services/coms/default.nix b/lass/2configs/services/coms/default.nix deleted file mode 100644 index 4bc5f744b..000000000 --- a/lass/2configs/services/coms/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - imports = [ - ./jitsi.nix - ./murmur.nix - ]; -} 
diff --git a/lass/2configs/services/coms/jitsi.nix b/lass/2configs/services/coms/jitsi.nix
deleted file mode 100644
index bbcb36166..000000000
--- a/lass/2configs/services/coms/jitsi.nix
+++ /dev/null
@@ -1,43 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
-
- services.jitsi-meet = {
- enable = true;
- hostName = "jitsi.lassul.us";
- config = {
- enableWelcomePage = true;
- requireDisplayName = true;
- analytics.disabled = true;
- startAudioOnly = true;
- channelLastN = 4;
- stunServers = [
- # - https://www.kuketz-blog.de/jitsi-meet-server-einstellungen-fuer-einen-datenschutzfreundlichen-betrieb/
- { urls = "turn:turn.matrix.org:3478?transport=udp"; }
- { urls = "turn:turn.matrix.org:3478?transport=tcp"; }
- # - services.coturn:
- #{ urls = "turn:turn.${domainName}:3479?transport=udp"; }
- #{ urls = "turn:turn.${domainName}:3479?transport=tcp"; }
- ];
- constraints.video.height = {
- ideal = 720;
- max = 1080;
- min = 240;
- };
- };
- interfaceConfig = {
- SHOW_JITSI_WATERMARK = false;
- SHOW_WATERMARK_FOR_GUESTS = false;
- DISABLE_PRESENCE_STATUS = true;
- GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false;
- };
- };
-
- services.jitsi-videobridge.config = {
- org.jitsi.videobridge.TRUST_BWE = false;
- };
-
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 4443"; target = "ACCEPT"; }
- { predicate = "-p udp --dport 10000"; target = "ACCEPT"; }
- ];
-}
diff --git a/lass/2configs/services/coms/murmur.nix b/lass/2configs/services/coms/murmur.nix
deleted file mode 100644
index 40c53da36..000000000
--- a/lass/2configs/services/coms/murmur.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- services.murmur = {
- enable = true;
- # allowHtml = false;
- bandwidth = 10000000;
- registerName = "lassul.us";
- autobanTime = 30;
- sslCert = "/var/lib/acme/lassul.us/cert.pem";
- sslKey = "/var/lib/acme/lassul.us/key.pem";
- extraConfig = ''
- opusthreshold=0
- # rememberchannelduration=10000
- '';
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
- { predicate = "-p udp --dport 64738"; target = "ACCEPT";}
- ];
-
- # services.botamusique = {
- # enable = true;
- # settings = {
- # server.host = "lassul.us";
- # bot.auto_check_updates = false;
- # bot.max_track_duration = 360;
- # webinterface.enabled = true;
- # };
- # };
-
- services.nginx.virtualHosts."lassul.us" = {
- enableACME = true;
- };
- security.acme.certs."lassul.us" = {
- group = "lasscert";
- };
- users.groups.lasscert.members = [
- "nginx"
- "murmur"
- ];
-
- # services.nginx.virtualHosts."bota.r" = {
- # locations."/" = {
- # proxyPass = "http://localhost:8181";
- # };
- # };
-}
diff --git a/lass/2configs/services/coms/proxy.nix b/lass/2configs/services/coms/proxy.nix
deleted file mode 100644
index fd7b36ca8..000000000
--- a/lass/2configs/services/coms/proxy.nix
+++ /dev/null
@@ -1,41 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
- tcpports = [
- 4443 # jitsi
- 64738 # murmur
- ];
- udpports = [
- 10000 # jitsi
- 64738 # murmur
- ];
- target = "orange.r";
-in
-{
- networking.firewall.allowedTCPPorts = tcpports;
- networking.firewall.allowedUDPPorts = udpports;
- services.nginx.streamConfig = ''
- ${lib.concatMapStringsSep "\n" (port: ''
- server {
- listen [::]:${toString port};
- listen ${toString port};
- proxy_pass ${target}:${toString port};
- }
- '') tcpports}
- '';
-
- krebs.iptables.tables.nat.PREROUTING.rules = lib.flatten (map (port: [
- { predicate = "-p udp --dport ${toString port}"; target = "DNAT --to-destination ${config.krebs.hosts.orange.nets.retiolum.ip4.addr}:${toString port}"; v6 = false; }
- { predicate = "-p udp --dport ${toString port}"; target = "DNAT --to-destination [${config.krebs.hosts.orange.nets.retiolum.ip6.addr}]:${toString port}"; v4 = false; }
- ]) udpports);
-
- services.nginx.virtualHosts."jitsi.lassul.us" = {
- enableACME = true;
- acmeFallbackHost = "${target}";
- addSSL = true;
- locations."/" = {
- recommendedProxySettings = true;
- proxyWebsockets = true;
- proxyPass = "https://${target}";
- };
- };
-}
diff --git a/lass/2configs/services/flix/container-host.nix b/lass/2configs/services/flix/container-host.nix
deleted file mode 100644
index 1c5b81128..000000000
--- a/lass/2configs/services/flix/container-host.nix
+++ /dev/null
@@ -1,40 +0,0 @@ -{ config, pkgs, ... }: -{ - krebs.sync-containers3.containers.yellow = { - sshKey = "${toString }/yellow.sync.key"; - }; - containers.yellow.bindMounts."/var/lib" = { - hostPath = "/var/lib/sync-containers3/yellow/state"; - isReadOnly = false; - }; - containers.yellow.bindMounts."/var/download" = { - hostPath = "/var/download"; - isReadOnly = false; - }; - # krebs.iptables.tables.filter.FORWARD.rules = [ - # { predicate = "-d ${config.krebs.hosts.yellow.nets.retiolum.ip4.addr} -p tcp --dport 8000 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; v6 = false; } - # { predicate = "-d ${config.krebs.hosts.yellow.nets.retiolum.ip6.addr} -p tcp --dport 8000 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; v4 = false; } - # ]; - # krebs.iptables.tables.nat.PREROUTING.rules = [ - # { predicate = "-p tcp --dport 2"; target = "DNAT --to-destination ${config.krebs.hosts.radio.nets.retiolum.ip4.addr}:8000"; v6 = false; } - # { predicate = "-p tcp --dport 2"; target = "DNAT --to-destination ${config.krebs.hosts.radio.nets.retiolum.ip6.addr}:8000"; v4 = false; } - # ]; - networking.firewall.allowedTCPPorts = [ 8096 8920 ]; - networking.firewall.allowedUDPPorts = [ 1900 7359 ]; - containers.yellow.forwardPorts = [ - { hostPort = 8096; containerPort = 8096; protocol = "tcp"; } - { hostPort = 8920; containerPort = 8920; protocol = "tcp"; } - { hostPort = 1900; containerPort = 1900; protocol = "udp"; } - { hostPort = 7359; containerPort = 7359; protocol = "udp"; } - ]; - - services.nginx.virtualHosts."flix.lassul.us" = { - # forceSSL = true; - # enableACME = true; - locations."/" = { - proxyPass = "http://yellow.r:8096"; - proxyWebsockets = true; - recommendedProxySettings = true; - }; - }; -} diff --git a/lass/2configs/services/flix/default.nix b/lass/2configs/services/flix/default.nix deleted file mode 100644 index e6be394ce..000000000 --- a/lass/2configs/services/flix/default.nix +++ /dev/null 
@@ -1,316 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - users.groups.download.members = [ "transmission" ]; - services.transmission = { - enable = true; - home = "/var/state/transmission"; - group = "download"; - downloadDirPermissions = "775"; - settings = { - download-dir = "/var/download/transmission"; - incomplete-dir-enabled = false; - rpc-bind-address = "::"; - message-level = 1; - umask = 18; - rpc-whitelist-enabled = false; - rpc-host-whitelist-enabled = false; - }; - }; - - security.acme.defaults.email = "spam@krebsco.de"; - security.acme.acceptTerms = true; - security.acme.certs."yellow.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."jelly.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."radar.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."sonar.r".server = config.krebs.ssl.acmeURL; - security.acme.certs."transmission.r".server = config.krebs.ssl.acmeURL; - services.nginx = { - enable = true; - package = pkgs.nginx.override { - modules = with pkgs.nginxModules; [ - fancyindex - ]; - }; - virtualHosts."yellow.r" = { - default = true; - enableACME = true; - addSSL = true; - locations."/" = { - root = "/var/download"; - extraConfig = '' - fancyindex on; - fancyindex_footer "/fancy.html"; - include ${pkgs.nginx}/conf/mime.types; - include ${pkgs.writeText "extrMime" '' - types { - video/webm mkv; - } - ''}; - create_full_put_path on; - ''; - }; - locations."/chatty" = { - proxyPass = "http://localhost:3000"; - extraConfig = '' - rewrite /chatty/(.*) /$1 break; - proxy_set_header Host $host; - ''; - }; - locations."= /fancy.html".extraConfig = '' - alias ${pkgs.writeText "nginx_footer" '' -
- -
Click here to move
- -
- - - ''}; - ''; - }; - virtualHosts."jelly.r" = { - enableACME = true; - addSSL = true; - locations."/".extraConfig = '' - proxy_pass http://localhost:8096/; - proxy_set_header Accept-Encoding ""; - ''; - }; - virtualHosts."transmission.r" = { - enableACME = true; - addSSL = true; - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://localhost:9091"; - }; - }; - virtualHosts."radar.r" = { - enableACME = true; - addSSL = true; - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://localhost:7878"; - }; - }; - virtualHosts."sonar.r" = { - enableACME = true; - addSSL = true; - locations."/" = { - proxyWebsockets = true; - proxyPass = "http://localhost:8989"; - }; - }; - }; - - services.samba = { - enable = true; - enableNmbd = false; - extraConfig = '' - workgroup = WORKGROUP - server string = ${config.networking.hostName} - # only allow retiolum addresses - hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16 - - # Use sendfile() for performance gain - use sendfile = true - - # No NetBIOS is needed - disable netbios = true - - # Only mangle non-valid NTFS names, don't care about DOS support - mangled names = illegal - - # Performance optimizations - socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 - - # Disable all printing - load printers = false - disable spoolss = true - printcap name = /dev/null - - map to guest = Bad User - max log size = 50 - dns proxy = no - security = user - - [global] - syslog only = yes - ''; - shares.public = { - comment = "Warez"; - path = "/var/download"; - public = "yes"; - "only guest" = "yes"; - "create mask" = "0644"; - "directory mask" = "2777"; - writable = "no"; - printable = "no"; - }; - }; - - systemd.services.bruellwuerfel = - let - bruellwuerfelSrc = pkgs.fetchFromGitHub { - owner = "krebs"; - repo = "bruellwuerfel"; - rev = "dc73adf69249fb63a4b024f1f3fbc9e541b27015"; - sha256 = "078jp1gbavdp8lnwa09xa5m6bbbd05fi4x5ldkkgin5z04hwlhmd"; - }; - in { - wantedBy = [ 
"multi-user.target" ]; - environment = { - IRC_CHANNEL = "#flix"; - IRC_NICK = "bruelli"; - IRC_SERVER = "irc.r"; - IRC_HISTORY_FILE = "/tmp/bruelli.history"; - }; - serviceConfig = { - ExecStart = "${pkgs.deno}/bin/deno run -A ${bruellwuerfelSrc}/src/index.ts"; - }; - }; - - krebs.iptables = { - enable = true; - tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir - { predicate = "-p tcp --dport 443"; target = "ACCEPT"; } # nginx web dir - { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web - { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic - { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic - { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin - { predicate = "-p tcp --dport 8920"; target = "ACCEPT"; } # jellyfin - { predicate = "-p udp --dport 1900"; target = "ACCEPT"; } # jellyfin - { predicate = "-p udp --dport 7359"; target = "ACCEPT"; } # jellyfin - { predicate = "-p tcp --dport 9696"; target = "ACCEPT"; } # prowlarr - { predicate = "-p tcp --dport 8989"; target = "ACCEPT"; } # sonarr - { predicate = "-p tcp --dport 7878"; target = "ACCEPT"; } # radarr - { predicate = "-p tcp --dport 6767"; target = "ACCEPT"; } # bazarr - - # smbd - { predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; } - { predicate = "-i wiregrill 
-p udp --dport 111"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; } - ]; - }; - - systemd.services.flix-index = { - wantedBy = [ "multi-user.target" ]; - path = [ - pkgs.coreutils - pkgs.findutils - pkgs.inotify-tools - ]; - serviceConfig = { - Restart = "always"; - ExecStart = pkgs.writers.writeDash "flix-index" '' - set -efu - - DIR=/var/download - cd "$DIR" - while inotifywait -rq -e create -e move -e delete "$DIR"; do - find . -type f > "$DIR"/index.tmp - mv "$DIR"/index.tmp "$DIR"/index - done - ''; - }; - }; - - services.jellyfin = { - enable = true; - group = "download"; - }; - - # movies - services.radarr = { - enable = true; - group = "download"; - }; - - # shows - services.sonarr = { - enable = true; - group = "download"; - }; - - # indexers - services.prowlarr = { - enable = true; - }; - - # subtitles - services.bazarr = { - enable = true; - group = "download"; - }; -} diff --git a/lass/2configs/services/flix/proxy.nix b/lass/2configs/services/flix/proxy.nix deleted file mode 100644 index c16c6def3..000000000 --- a/lass/2configs/services/flix/proxy.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, pkgs, ... }: -{ - services.nginx.virtualHosts."flix.lassul.us" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://yellow.r:8096"; - proxyWebsockets = true; - recommendedProxySettings = true; - }; - }; -} diff --git a/lass/2configs/services/git/default.nix b/lass/2configs/services/git/default.nix deleted file mode 100644 index 2b68905ed..000000000 --- a/lass/2configs/services/git/default.nix +++ /dev/null 
@@ -1,21 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - imports = [ - ../../git.nix - ]; - services.nginx.virtualHosts."cgit.lassul.us" = { - enableACME = true; - addSSL = true; - locations = config.services.nginx.virtualHosts.cgit.locations; - extraConfig = '' - client_max_body_size 300M; - client_body_timeout 2024; - client_header_timeout 2024; - - fastcgi_buffers 16 512k; - fastcgi_buffer_size 512k; - fastcgi_read_timeout 500; - fastcgi_send_timeout 500; - ''; - }; -} diff --git a/lass/2configs/services/git/proxy.nix b/lass/2configs/services/git/proxy.nix deleted file mode 100644 index 9875898ea..000000000 --- a/lass/2configs/services/git/proxy.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ config, pkgs, ... }: -{ - services.nginx.virtualHosts."cgit.lassul.us" = { - forceSSL = true; - enableACME = true; - acmeFallbackHost = "orange.r"; - locations."/" = { - proxyPass = "http://orange.r"; - proxyWebsockets = true; - recommendedProxySettings = true; - }; - extraConfig = '' - client_max_body_size 300M; - client_body_timeout 2024; - client_header_timeout 2024; - - fastcgi_buffers 16 512k; - fastcgi_buffer_size 512k; - fastcgi_read_timeout 500; - fastcgi_send_timeout 500; - ''; - }; -} diff --git a/lass/2configs/services/radio/container-host.nix b/lass/2configs/services/radio/container-host.nix deleted file mode 100644 index de0ea9afe..000000000 --- a/lass/2configs/services/radio/container-host.nix +++ /dev/null 
@@ -1,23 +0,0 @@ -{ config, pkgs, ... }: -{ - krebs.sync-containers3.containers.radio = { - sshKey = "${toString }/radio.sync.key"; - }; - containers.radio = { - bindMounts."/var/music" = { - hostPath = "/var/music"; - isReadOnly = false; - }; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; } - ]; - krebs.htgen.radio-redirect = { - port = 8000; - scriptFile = pkgs.writers.writeDash "redir" '' - printf 'HTTP/1.1 301 Moved Permanently\r\n' - printf "Location: http://radio.lassul.us''${Request_URI}\r\n" - printf '\r\n' - ''; - }; -} diff --git a/lass/2configs/services/radio/controls.html b/lass/2configs/services/radio/controls.html deleted file mode 100644 index 858dc3656..000000000 --- a/lass/2configs/services/radio/controls.html +++ /dev/null @@ -1,83 +0,0 @@ - - - - - - - - The_Playlist Voting! - - - - - -
- - - -
- Currently Running:
- -
-
-
- -
- - - - diff --git a/lass/2configs/services/radio/default.nix b/lass/2configs/services/radio/default.nix deleted file mode 100644 index 8dfca6fc1..000000000 --- a/lass/2configs/services/radio/default.nix +++ /dev/null 
@@ -1,348 +0,0 @@ -{ config, pkgs, lib, ... }: - -let - name = "radio"; - - music_dir = "/var/music"; - - skip_track = pkgs.writers.writeBashBin "skip_track" '' - set -eu - - # TODO come up with new rating, without moving files - # current_track=$(${pkgs.curl}/bin/curl -fSs http://localhost:8002/current | ${pkgs.jq}/bin/jq -r .filename) - # track_infos=$(${print_current}/bin/print_current) - # skip_count=$(${pkgs.attr}/bin/getfattr -n user.skip_count --only-values "$current_track" || echo 0) - # if [[ "$current_track" =~ .*/the_playlist/music/.* ]] && [ "$skip_count" -le 2 ]; then - # skip_count=$((skip_count+1)) - # ${pkgs.attr}/bin/setfattr -n user.skip_count -v "$skip_count" "$current_track" - # echo skipping: "$track_infos" skip_count: "$skip_count" - # else - # mkdir -p "$music_dir"/the_playlist/.graveyard/ - # mv "$current_track" "$music_dir"/the_playlist/.graveyard/ - # echo killing: "$track_infos" - # fi - ${pkgs.curl}/bin/curl -fSs -X POST http://localhost:8002/skip | - ${pkgs.jq}/bin/jq -r '.filename' - ''; - - good_track = pkgs.writeBashBin "good_track" '' - set -eu - - current_track=$(${pkgs.curl}/bin/curl -fSs http://localhost:8002/current | ${pkgs.jq}/bin/jq -r .filename) - track_infos=$(${print_current}/bin/print_current) - # TODO come up with new rating, without moving files - # if [[ "$current_track" =~ .*/the_playlist/music/.* ]]; then - # ${pkgs.attr}/bin/setfattr -n user.skip_count -v 0 "$current_track" - # else - # mv "$current_track" "$music_dir"/the_playlist/music/ || : - # fi - echo good: "$track_infos" - ''; - - print_current = pkgs.writeDashBin "print_current" '' - file=$(${pkgs.curl}/bin/curl -fSs http://localhost:8002/current | - ${pkgs.jq}/bin/jq -r '.filename' | - ${pkgs.gnused}/bin/sed 's,^${music_dir},,' - ) - link=$(${pkgs.curl}/bin/curl http://localhost:8002/current | - ${pkgs.jq}/bin/jq -r '.filename' | - ${pkgs.gnused}/bin/sed 's@.*\(.\{11\}\)\.ogg@https://youtu.be/\1@' - ) - echo "$file": "$link" - ''; - - set_irc_topic = 
pkgs.writeDash "set_irc_topic" '' - ${pkgs.curl}/bin/curl -fsS --unix-socket /home/radio/reaktor.sock http://z/ \ - -H content-type:application/json \ - -d "$(${pkgs.jq}/bin/jq -n \ - --arg text "$1" '{ - command:"TOPIC", - params:["#the_playlist",$text] - }' - )" - ''; - - write_to_irc = pkgs.writeDash "write_to_irc" '' - ${pkgs.curl}/bin/curl -fsSv --unix-socket /home/radio/reaktor.sock http://z/ \ - -H content-type:application/json \ - -d "$(${pkgs.jq}/bin/jq -n \ - --arg text "$1" '{ - command:"PRIVMSG", - params:["#the_playlist",$text] - }' - )" - ''; - -in { - imports = [ - ./news.nix - ./weather.nix - ]; - - users.users = { - "${name}" = rec { - inherit name; - createHome = true; - group = name; - uid = pkgs.stockholm.lib.genid_uint31 name; - description = "radio manager"; - home = "/home/${name}"; - useDefaultShell = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - ]; - }; - }; - - users.groups = { - "radio" = {}; - }; - - krebs.per-user.${name}.packages = with pkgs; [ - good_track - skip_track - print_current - ]; - - - systemd.services.radio_watcher = { - wantedBy = [ "multi-user.target" ]; - after = [ "radio.service" ]; - serviceConfig = { - ExecStart = pkgs.writers.writeDash "radio_watcher" '' - set -efux - while :; do - ${pkgs.curl}/bin/curl -Ss http://localhost:8000/radio.ogg -o /dev/null - ${pkgs.systemd}/bin/systemctl restart radio - sleep 60 - done - ''; - Restart = "on-failure"; - }; - }; - - services.liquidsoap.streams.radio = ./radio.liq; - systemd.services.radio = { - environment = { - RADIO_PORT = "8002"; - HOOK_TRACK_CHANGE = pkgs.writers.writeDash "on_change" '' - set -xefu - LIMIT=1000 #how many tracks to keep in the history - HISTORY_FILE=/var/lib/radio/recent - - listeners=$(${pkgs.curl}/bin/curl -fSs http://localhost:8000/status-json.xsl | - ${pkgs.jq}/bin/jq '[.icestats.source[].listeners] | add' || echo 0) - echo "$(${pkgs.coreutils}/bin/date -Is)" "$filename" | ${pkgs.coreutils}/bin/tee -a 
"$HISTORY_FILE" - echo "$(${pkgs.coreutils}/bin/tail -$LIMIT "$HISTORY_FILE")" > "$HISTORY_FILE" - ${set_irc_topic} "playing: $filename listeners: $listeners" - ''; - MUSIC = "${music_dir}/the_playlist"; - ICECAST_HOST = "localhost"; - }; - path = [ - pkgs.yt-dlp - pkgs.bubblewrap - ]; - serviceConfig.User = lib.mkForce "radio"; - }; - - nixpkgs.config.packageOverrides = opkgs: { - icecast = opkgs.icecast.overrideAttrs (old: rec { - version = "2.5-beta3"; - - src = pkgs.fetchurl { - url = "http://downloads.xiph.org/releases/icecast/icecast-${version}.tar.gz"; - sha256 = "sha256-4FDokoA9zBDYj8RAO/kuTHaZ6jZYBLSJZiX/IYFaCW8="; - }; - - buildInputs = old.buildInputs ++ [ pkgs.pkg-config ]; - }); - }; - services.icecast = { - enable = true; - hostname = "radio.lassul.us"; - admin.password = "hackme"; - extraConf = '' - - hackme - admin - hackme - - - - - - - 3 - - ''; - }; - - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 8001"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 8002"; target = "ACCEPT"; } - ]; - }; - }; - - # allow reaktor2 to modify files - systemd.services."reaktor2-the_playlist".serviceConfig.DynamicUser = lib.mkForce false; - systemd.services."reaktor2-the_playlist".serviceConfig.Group = lib.mkForce "radio"; - - krebs.reaktor2.the_playlist = { - hostname = "irc.hackint.org"; - port = "6697"; - useTLS = true; - nick = "the_playlist"; - username = "radio"; - API.listen = "unix:/home/radio/reaktor.sock"; - plugins = [ - { - plugin = "register"; - config = { - channels = [ - "#the_playlist" - "#krebs" - ]; - }; - } - { - plugin = "system"; - config = { - workdir = config.krebs.reaktor2.the_playlist.stateDir; - hooks.PRIVMSG = [ - { - activate = "match"; - pattern = "^(?:.*\\s)?\\s*the_playlist:\\s*([0-9A-Za-z._][0-9A-Za-z._-]*)(?:\\s+(.*\\S))?\\s*$"; - command = 1; - arguments = [2]; - commands = { - skip.filename = 
"${skip_track}/bin/skip_track"; - next.filename = "${skip_track}/bin/skip_track"; - bad.filename = "${skip_track}/bin/skip_track"; - - good.filename = "${good_track}/bin/good_track"; - nice.filename = "${good_track}/bin/good_track"; - like.filename = "${good_track}/bin/good_track"; - - current.filename = "${print_current}/bin/print_current"; - wish.filename = pkgs.writeDash "wish" '' - echo "youtube-dl:$1" | ${pkgs.curl}/bin/curl -fSs http://localhost:8002/wish -d @- > /dev/null - ''; - wishlist.filename = pkgs.writeDash "wishlist" '' - ${pkgs.curl}/bin/curl -fSs http://localhost:8002/wish | ${pkgs.jq}/bin/jq -r '.[]' - ''; - suggest.filename = pkgs.writeDash "suggest" '' - echo "$@" >> playlist_suggest - ''; - }; - } - ]; - }; - } - ]; - }; - - krebs.htgen.radio = { - port = 8001; - user = { - name = "radio"; - }; - scriptFile = pkgs.writeDash "radio" '' - case "$Method $Request_URI" in - "POST /skip") - printf 'HTTP/1.1 200 OK\r\n' - printf 'Connection: close\r\n' - printf '\r\n' - msg=$(${skip_track}/bin/skip_track) - ${write_to_irc} "$msg" - echo "$msg" - exit - ;; - "POST /good") - printf 'HTTP/1.1 200 OK\r\n' - printf 'Connection: close\r\n' - printf '\r\n' - msg=$(${good_track}/bin/good_track) - ${write_to_irc} "$msg" - echo "$msg" - exit - ;; - esac - ''; - }; - - networking.firewall.allowedTCPPorts = [ 80 ]; - services.nginx = { - enable = true; - virtualHosts."radio.r" = { - locations."/".extraConfig = '' - # https://github.com/aswild/icecast-notes#core-nginx-config - proxy_pass http://localhost:8000; - # Disable request size limit, very important for uploading large files - client_max_body_size 0; - - # Enable support `Transfer-Encoding: chunked` - chunked_transfer_encoding on; - - # Disable request and response buffering, minimize latency to/from Icecast - proxy_buffering off; - proxy_request_buffering off; - - # Icecast needs HTTP/1.1, not 1.0 or 2 - proxy_http_version 1.1; - - # Forward all original request headers - proxy_pass_request_headers on; - - 
# Set some standard reverse proxy headers. Icecast server currently ignores these, - # but may support them in a future version so that access logs are more useful. - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - # get source ip for weather reports - proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr"; - ''; - locations."= /recent".extraConfig = '' - default_type "text/plain"; - alias /var/lib/radio/recent; - ''; - locations."= /current".extraConfig = '' - proxy_pass http://localhost:8002; - ''; - locations."= /skip".extraConfig = '' - proxy_pass http://localhost:8001; - ''; - locations."= /good".extraConfig = '' - proxy_pass http://localhost:8001; - ''; - locations."= /radio.sh".alias = pkgs.writeScript "radio.sh" '' - #!/bin/sh - trap 'exit 0' EXIT - while sleep 1; do - mpv \ - --cache-secs=0 --demuxer-readahead-secs=0 --untimed --cache-pause=no \ - 'http://radio.lassul.us/radio.ogg' - done - ''; - locations."= /controls".extraConfig = '' - default_type "text/html"; - alias ${./controls.html}; - ''; - extraConfig = '' - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - ''; - }; - }; - services.syncthing.declarative.folders."the_playlist" = { - path = "/var/music/the_playlist"; - devices = [ "mors" "phone" "prism" "omo" "radio" ]; - }; - krebs.acl."/var/music/the_playlist"."u:syncthing:X".parents = true; - krebs.acl."/var/music/the_playlist"."u:syncthing:rwX" = {}; - krebs.acl."/var/music/the_playlist"."u:radio:rwX" = {}; -} diff --git a/lass/2configs/services/radio/news.nix b/lass/2configs/services/radio/news.nix deleted file mode 100644 index cfd17e637..000000000 --- a/lass/2configs/services/radio/news.nix +++ /dev/null 
@@ -1,131 +0,0 @@ -{ config, lib, pkgs, ... }: -let - - tts = pkgs.writers.writeBashBin "tts" '' - set -efu - - offset=0 - OUTPUT=$(mktemp -d) - trap 'rm -rf "$OUTPUT"' EXIT - SPEAKER=$[ $RANDOM % 900 ] - while read line; do - echo "$line" | - ${pkgs.piper-tts}/bin/piper \ - --model ${pkgs.fetchzip { - url = "https://github.com/rhasspy/piper/releases/download/v0.0.2/voice-en-us-libritts-high.tar.gz"; - hash = "sha256-jCoK4p0O7BuF0nr6Sfj40tpivCvU5M3GHKQRg1tfIO8="; - stripRoot = false; - }}/en-us-libritts-high.onnx \ - -s "$SPEAKER" \ - -f "$OUTPUT"/"$offset".wav >/dev/null - - ((offset+=1)) - done - - ${pkgs.sox}/bin/sox "$OUTPUT"/*.wav "$OUTPUT"/all.wav - cat "$OUTPUT"/all.wav - ''; - - send_to_radio = pkgs.writers.writeDashBin "send_to_radio" '' - ${pkgs.vorbis-tools}/bin/oggenc - | - ${pkgs.cyberlocker-tools}/bin/cput news.ogg - ${pkgs.curl}/bin/curl -fSs -X POST http://localhost:8002/newsshow - ''; - - gc_news = pkgs.writers.writeDashBin "gc_news" '' - set -xefu - export TZ=UTC #workaround for jq parsing wrong timestamp - ${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -cs 'map(select((.to|fromdateiso8601) > now)) | .[]' > $HOME/bla-news.tmp - ${pkgs.coreutils}/bin/mv $HOME/bla-news.tmp $HOME/news - ''; - - get_current_news = pkgs.writers.writeDashBin "get_current_news" '' - set -xefu - export TZ=UTC #workaround for jq parsing wrong timestamp - ${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -rs ' - sort_by(.priority) | - map(select( - ((.to | fromdateiso8601) > now) and - (.from|fromdateiso8601) < now) | - .text - ) | .[]' - ''; - - newsshow = pkgs.writers.writeDashBin "newsshow" /* sh */ '' - cat << EOF - hello crabpeople! - $(${pkgs.ddate}/bin/ddate +'Today is %{%A, the %e of %B%}, %Y. %N%nCelebrate %H') - It is $(date --utc +%H) o clock UTC. 
- todays news: - $(get_current_news) - $(gc_news) - EOF - ''; -in -{ - systemd.services.newsshow = { - path = [ - newsshow - tts - send_to_radio - gc_news - get_current_news - pkgs.retry - ]; - script = '' - set -efu - retry -t 5 -d 10 -- newsshow | - retry -t 5 -d 10 -- tts | - retry -t 5 -d 10 -- send_to_radio - ''; - startAt = "*:00:00"; - serviceConfig = { - User = "radio-news"; - }; - }; - - services.nginx.virtualHosts."radio-news.r" = { - locations."/" = { - proxyPass = "http://localhost:7999"; - proxyWebsockets = true; - extraConfig = '' - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - ''; - }; - }; - krebs.htgen.news = { - port = 7999; - user = { - name = "radio-news"; - }; - script = ''. ${pkgs.writers.writeDash "htgen-news" '' - set -xefu - case "''${Method:-GET} $Request_URI" in - "GET /") - printf 'HTTP/1.1 200 OK\r\n' - printf 'Connection: close\r\n' - printf '\r\n' - cat "$HOME"/news | jq -sc . - exit - ;; - "POST /") - payload=$(head -c "$req_content_length") - printf '%s' "$payload" | jq 'has("from") and has("to") and has("text")' >&2 - printf '%s' "$payload" | jq -c '{ from: .from, to: .to, text: .text, priority: (.priority // 0)}' >> "$HOME"/news - printf 'HTTP/1.1 200 OK\r\n' - printf 'Connection: close\r\n' - printf '\r\n' - exit - ;; - esac - ''}''; - }; - - # debug - environment.systemPackages = [ - send_to_radio - newsshow - tts - ]; -} diff --git a/lass/2configs/services/radio/proxy.nix b/lass/2configs/services/radio/proxy.nix deleted file mode 100644 index 49f8ade79..000000000 --- a/lass/2configs/services/radio/proxy.nix +++ /dev/null 
@@ -1,17 +0,0 @@ -{ config, pkgs, ... }: -{ - services.nginx.virtualHosts."radio.lassul.us" = { - enableACME = true; - addSSL = true; - locations."/" = { - # recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://radio.r"; - extraConfig = '' - proxy_set_header Host radio.r; - # get source ip for weather reports - proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr"; - ''; - }; - }; -} diff --git a/lass/2configs/services/radio/radio.liq b/lass/2configs/services/radio/radio.liq deleted file mode 100644 index 1366287a7..000000000 --- a/lass/2configs/services/radio/radio.liq +++ /dev/null 
@@ -1,112 +0,0 @@ -log.stdout.set(true) - -# use yt-dlp -settings.protocol.youtube_dl.path.set("yt-dlp") - -## functions - -def stringify_attrs(attrs) = - let json.stringify out = (attrs : [(string * string)] as json.object) - out -end - -def filter_music(req) = - filename = request.filename(req) - if string.match(pattern = '.*/\\.graveyard/.*', filename) then - false - else - true - end -end - -def queue_contents(q) = - list.map(fun (req) -> request.uri(req), q) -end -## main - -env = environment() -port = string.to_int(env["RADIO_PORT"], default = 8000) - -all_music = playlist(env["MUSIC"], check_next = filter_music) -wishlist = request.queue() -tracks = fallback(track_sensitive = true, [wishlist, all_music]) -tracks = blank.eat(tracks) - -last_metadata = ref([]) -def on_metadata(m) = - last_metadata := m - print("changing tracks") - out = process.read(env["HOOK_TRACK_CHANGE"], env = m, timeout = 5.0) - print(out) -end -tracks.on_metadata(on_metadata) - -# some nice effects -music = crossfade(tracks) -music = mksafe(music) -music = normalize(music) - -news = request.queue() -radio = smooth_add(normal = music, special = amplify(1.5, news)) - -if string.length(env["ICECAST_HOST"]) > 0 then - output.icecast(host = env["ICECAST_HOST"], mount = '/music.ogg', password = 'hackme', %vorbis(quality = 1), music) - output.icecast(host = env["ICECAST_HOST"], mount = '/music.mp3', password = 'hackme', %mp3.vbr(), music) - output.icecast(host = env["ICECAST_HOST"], mount = '/music.opus', password = 'hackme', %opus(bitrate = 128), music) - - output.icecast(host = env["ICECAST_HOST"], mount = '/radio.ogg', password = 'hackme', %vorbis(quality = 1), radio) - output.icecast(host = env["ICECAST_HOST"], mount = '/radio.mp3', password = 'hackme', %mp3.vbr(), radio) - output.icecast(host = env["ICECAST_HOST"], mount = '/radio.opus', password = 'hackme', %opus(bitrate = 128), radio) -else - output(fallible = true, buffer(radio)) -end - -interactive.harbor(port = port) - -def 
current(~protocol, ~headers, ~data, uri) = - http.response(content_type = "application/json", data = stringify_attrs( - !last_metadata - )) -end -harbor.http.register("/current", port = port, current) - -def skip(~protocol, ~headers, ~data, uri) = - tracks.skip() - http.response(content_type = "application/json", data = stringify_attrs( - !last_metadata - )) -end -harbor.http.register("/skip", method = "POST", port = port, skip) - -def all_tracks(~protocol, ~headers, ~data, uri) = - http.response(content_type = "application/json", data = json.stringify( - all_music.remaining_files() - )) -end -harbor.http.register("/all_tracks", port = port, all_tracks) - -def wish_track(~protocol, ~headers, ~data, uri) = - # disallow process: - if string.match(pattern = '^process:', data) then - http.response(code = 400) - else - # TODO report errors back - wish = request.create(data) - wishlist.push(wish) - http.response(content_type = "application/json", data = "ok") - end -end -harbor.http.register("/wish", method = "POST", port = port, wish_track) - -def wish_tracklist(~protocol, ~headers, ~data, uri) = - http.response(content_type = "application/json", data = json.stringify( - queue_contents(wishlist.queue()) - )) -end -harbor.http.register("/wish", port = port, wish_tracklist) - -def newsshow(~protocol, ~headers, ~data, uri) = - news.push(request.create("http://c.r/news.ogg")) - http.response(content_type = "application/json", data = "ok") -end -harbor.http.register("/newsshow", method = "POST", port = port, newsshow) diff --git a/lass/2configs/services/radio/shell.nix b/lass/2configs/services/radio/shell.nix deleted file mode 100644 index 9d00e3b06..000000000 --- a/lass/2configs/services/radio/shell.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ pkgs ? import {} }: -pkgs.mkShell { - buildInputs = [ - pkgs.liquidsoap - pkgs.yt-dlp - ]; -} diff --git a/lass/2configs/services/radio/weather.nix b/lass/2configs/services/radio/weather.nix deleted file mode 100644 index dca8a7843..000000000 
--- a/lass/2configs/services/radio/weather.nix +++ /dev/null @@ -1,60 +0,0 @@ -{ config, lib, pkgs, ... }: -let - weather_for_ips = pkgs.writers.writePython3Bin "weather_for_ips" { - libraries = [ pkgs.python3Packages.geoip2 ]; - flakeIgnore = [ "E501" ]; - } ./weather_for_ips.py; - - weather_report = pkgs.writers.writeDashBin "weather_report" '' - set -efux - export PATH="${lib.makeBinPath [ - pkgs.coreutils - pkgs.curl - pkgs.jq - ]}" - curl -fSsz /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb - MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB - OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY - ( - curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.ogg' - curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.mp3' - curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.opus' - ) | jq -rs ' - [ - .[][].source|values|to_entries[].value | - (.listener//[]) [] | - (.useragent | capture("client-ip=(?[a-f0-9.:]+)")).ip // .ip - ] | - unique[] | - select(. != "127.0.0.1") | - select(. != "::1") - ' | - ${weather_for_ips}/bin/weather_for_ips - ''; -in { - systemd.services.weather = { - path = [ - weather_report - pkgs.retry - pkgs.jq - pkgs.curl - ]; - script = '' - set -xefu - retry -t 5 -d 10 -- weather_report | - jq \ - --arg from "$(date -u +'%FT%TZ')" \ - --arg to "$(date -u +'%FT%TZ' -d '+1 hours')" \ - --slurp --raw-input --compact-output --ascii-output \ - '{text: ., from: $from, to: $to, priority: 100}' | - retry -t 5 -d 10 -- curl -fSs -d@- http://radio-news.r - ''; - startAt = "*:58:00"; - serviceConfig = { - User = "radio-news"; - LoadCredential = [ - "openweather_api:${toString }/openweather_api_key" - ]; - }; - }; -} diff --git a/lass/2configs/services/radio/weather_for_ips.py b/lass/2configs/services/radio/weather_for_ips.py deleted file mode 100644 index c44c5e46a..000000000 
--- a/lass/2configs/services/radio/weather_for_ips.py +++ /dev/null @@ -1,48 +0,0 @@ -import geoip2.database -import fileinput -import json -import requests -import os -import random - - -geoip = geoip2.database.Reader(os.environ['MAXMIND_GEOIP_DB']) -seen = {} -output = [] -for ip in fileinput.input(): - if "80.147.140.51" in ip: - output.append( - 'Weather report for c-base, space. ' - 'It is empty space outside ' - 'with a temperature of -270 degrees, ' - 'a lightspeed of 299792 kilometers per second ' - 'and a humidity of Not a Number percent. ' - f'The probability of reincarnation is {random.randrange(0, 100)} percent. ' - ) - else: - try: - location = geoip.city(ip.strip()) - if location.city.geoname_id not in seen: - seen[location.city.geoname_id] = True - weather_api_key = os.environ['OPENWEATHER_API_KEY'] - url = ( - f'https://api.openweathermap.org/data/2.5/onecall' - f'?lat={location.location.latitude}' - f'&lon={location.location.longitude}' - f'&appid={weather_api_key}' - f'&units=metric' - ) - resp = requests.get(url) - weather = json.loads(resp.text) - output.append( - f'Weather report for {location.city.name}, {location.country.name}. ' - f'It is {weather["current"]["weather"][0]["description"]} outside ' - f'with a temperature of {weather["current"]["temp"]:.1f} degrees, ' - f'a wind speed of {weather["current"]["wind_speed"]:.1f} meters per second ' - f'and a humidity of {weather["current"]["humidity"]} percent. ' - f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100:.0f} percent. ' - ) - except: # noqa E722 - pass - -print('\n'.join(output)) diff --git a/lass/2configs/skype.nix b/lass/2configs/skype.nix deleted file mode 100644 index a803df15b..000000000 --- a/lass/2configs/skype.nix +++ /dev/null 
@@ -1,27 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - inherit (import ) genid; - -in { - users.extraUsers = { - skype = { - name = "skype"; - uid = genid "skype"; - description = "user for running skype"; - home = "/home/skype"; - useDefaultShell = true; - extraGroups = [ "audio" "video" ]; - createHome = true; - }; - }; - - krebs.per-user.skype.packages = [ - pkgs.skype - ]; - - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(skype) NOPASSWD: ALL - ''; -} diff --git a/lass/2configs/smartd.nix b/lass/2configs/smartd.nix deleted file mode 100644 index 859812bed..000000000 --- a/lass/2configs/smartd.nix +++ /dev/null @@ -1,17 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.smartd = { - enable = true; - devices = [ - { - device = "DEVICESCAN"; - options = toString [ - "-a" - "-m ${config.krebs.users.lass.mail}" - "-s (O/../.././09|S/../.././04|L/../../6/05)" - ]; - } - ]; - }; -} diff --git a/lass/2configs/snapclient.nix b/lass/2configs/snapclient.nix deleted file mode 100644 index c20abdc3a..000000000 --- a/lass/2configs/snapclient.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - systemd.services.snapclient = { - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.snapcast ]; - script = "snapclient -h 10.42.0.1 --hostID ${config.networking.hostName}"; - serviceConfig = { - DynamicUser = true; - Group = "pipewire"; - }; - }; -} diff --git a/lass/2configs/snapserver.nix b/lass/2configs/snapserver.nix deleted file mode 100644 index 60aa97077..000000000 --- a/lass/2configs/snapserver.nix +++ /dev/null 
@@ -1,30 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - services.snapserver = { - enable = true; - # openFirewall = true; - streams = { - radio = { - type = "process"; - location = pkgs.writers.writeDash "radio" '' - exec ${pkgs.mpv}/bin/mpv http://radio.lassul.us/radio.ogg \ - --no-terminal \ - --audio-display=no \ - --audio-channels=stereo \ - --audio-samplerate=48000 \ - --audio-format=s16 \ - --ao=pcm \ - --ao-pcm-file=/dev/stdout - ''; - }; - styx = { - type = "pipe"; - location = "/run/snapserver/snapfifo"; - }; - }; - http.enable = true; - }; - - networking.firewall.interfaces.int0.allowedTCPPorts = [ 1704 1705 1780 ]; - networking.firewall.interfaces.retiolum.allowedTCPPorts = [ 1780 ]; -} diff --git a/lass/2configs/ssh-cryptsetup.nix b/lass/2configs/ssh-cryptsetup.nix deleted file mode 100644 index 0126c33b2..000000000 --- a/lass/2configs/ssh-cryptsetup.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, ... }: -{ - boot.initrd = { - network = { - enable = true; - ssh = { - enable = true; - authorizedKeys = with config.krebs.users; [ - config.krebs.users.lass.pubkey - config.krebs.users.lass-blue.pubkey - ]; - }; - }; - }; -} diff --git a/lass/2configs/starcraft.nix b/lass/2configs/starcraft.nix deleted file mode 100644 index c95a610e7..000000000 --- a/lass/2configs/starcraft.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ config, pkgs, ... }: let - mainUser = config.users.extraUsers.mainUser; -in { - users.users= { - starcraft = { - isNormalUser = true; - extraGroups = [ - "audio" - "video" - ]; - packages = [ - pkgs.wineWowPackages.minimal - pkgs.winetricks - pkgs.mpg123 - ]; - }; - }; - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(starcraft) NOPASSWD: ALL - ''; -} - diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix deleted file mode 100644 index 4f0df8ee3..000000000 --- a/lass/2configs/steam.nix +++ /dev/null 
@@ -1,29 +0,0 @@ -{ config, pkgs, ... }: - -{ - # - # Steam stuff - # source: https://nixos.org/wiki/Talk:Steam - # - ##TODO: make steam module - nixpkgs.config.steam.java = true; - hardware.opengl.extraPackages32 = with pkgs.pkgsi686Linux; [ libva ]; - - users.users.mainUser.packages = [ (pkgs.steam.override { - extraPkgs = p: with p; [ - gnutls # needed for Halo MCC - ]; - }) ]; - - #ports for inhome streaming - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport 27031"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 27036"; target = "ACCEPT"; } - { predicate = "-p udp --dport 27031"; target = "ACCEPT"; } - { predicate = "-p udp --dport 27036"; target = "ACCEPT"; } - ]; - }; - }; -} diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix deleted file mode 100644 index 98479c7f5..000000000 --- a/lass/2configs/sync/decsync.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ - services.syncthing.folders.decsync = { - path = "/home/lass/decsync"; - devices = [ "mors" "blue" "green" "phone" "massulus" ]; - }; - - krebs.acl."/home/lass/decsync"."u:syncthing:X".parents = true; - krebs.acl."/home/lass/decsync"."u:syncthing:rwX" = {}; - krebs.acl."/home/lass/decsync"."u:lass:rwX" = {}; -} diff --git a/lass/2configs/sync/sync.nix b/lass/2configs/sync/sync.nix deleted file mode 100644 index 09f94378b..000000000 --- a/lass/2configs/sync/sync.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ - services.syncthing.folders."/home/lass/sync" = { - devices = [ - "mors" - "xerxes" - "green" - "blue" - "coaxmetal" - "aergia" - ]; - }; - krebs.acl."/home/lass/sync"."u:syncthing:X".parents = true; - krebs.acl."/home/lass/sync"."u:syncthing:rwX" = {}; - krebs.acl."/home/lass/sync"."u:lass:rwX" = {}; -} diff --git a/lass/2configs/sync/the_playlist.nix b/lass/2configs/sync/the_playlist.nix deleted file mode 100644 index 233ca8fb7..000000000 --- a/lass/2configs/sync/the_playlist.nix +++ /dev/null 
@@ -1,9 +0,0 @@ -{ - services.syncthing.folders.the_playlist = { - path = "/home/lass/tmp/the_playlist"; - devices = [ "mors" "phone" "prism" "omo" "radio" ]; - }; - krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true; - krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {}; - krebs.acl."/home/lass/tmp/the_playlist"."u:lass:rwX" = {}; -} diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix deleted file mode 100644 index b32015b84..000000000 --- a/lass/2configs/sync/weechat.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ - services.syncthing.folders."/home/lass/.weechat".devices = [ "green" "mors" ]; - krebs.acl."/home/lass/.weechat"."u:syncthing:X".parents = true; - krebs.acl."/home/lass/.weechat"."u:syncthing:rwX" = {}; - krebs.acl."/home/lass/.weechat"."u:lass:rwX" = {}; -} diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix deleted file mode 100644 index 7b8850681..000000000 --- a/lass/2configs/syncthing.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ config, pkgs, ... }: with import ; -{ - imports = [ ]; - services.syncthing = { - group = "syncthing"; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 22000"; target = "ACCEPT";} - { predicate = "-p udp --dport 21027"; target = "ACCEPT";} - ]; - - system.activationScripts.syncthing-home = mkDefault '' - ${pkgs.coreutils}/bin/chmod a+x /home/lass - ''; -} diff --git a/lass/2configs/termite.nix b/lass/2configs/termite.nix deleted file mode 100644 index 245b89e9c..000000000 --- a/lass/2configs/termite.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ config, pkgs, ... }: -with import ; - -{ - environment.systemPackages = [ - pkgs.termite - ]; - - krebs.per-user.lass.packages = let - termitecfg = pkgs.writeTextFile { - name = "termite-config"; - destination = "/etc/xdg/termite/config"; - text = '' - [colors] - foreground = #d0d7d0 - background = #000000 - ''; - }; - in [ - termitecfg - ]; -} 
diff --git a/lass/2configs/tests/dummy-secrets/bepasty-secret.nix b/lass/2configs/tests/dummy-secrets/bepasty-secret.nix deleted file mode 100644 index 6e08144d0..000000000 --- a/lass/2configs/tests/dummy-secrets/bepasty-secret.nix +++ /dev/null @@ -1 +0,0 @@ -"bla" diff --git a/lass/2configs/tests/dummy-secrets/cbase.txt b/lass/2configs/tests/dummy-secrets/cbase.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/lass/2configs/tests/dummy-secrets/grafana_security.nix b/lass/2configs/tests/dummy-secrets/grafana_security.nix deleted file mode 100644 index ef75d4e0f..000000000 --- a/lass/2configs/tests/dummy-secrets/grafana_security.nix +++ /dev/null @@ -1,4 +0,0 @@ -{ - adminUser = "bla"; - adminPassword = "blub"; -} diff --git a/lass/2configs/tests/dummy-secrets/hashedPasswords.nix b/lass/2configs/tests/dummy-secrets/hashedPasswords.nix deleted file mode 100644 index 0967ef424..000000000 --- a/lass/2configs/tests/dummy-secrets/hashedPasswords.nix +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/lass/2configs/tests/dummy-secrets/icecast-admin-pw b/lass/2configs/tests/dummy-secrets/icecast-admin-pw deleted file mode 100644 index 16b542cee..000000000 --- a/lass/2configs/tests/dummy-secrets/icecast-admin-pw +++ /dev/null @@ -1 +0,0 @@ -"blabla" diff --git a/lass/2configs/tests/dummy-secrets/icecast-source-pw b/lass/2configs/tests/dummy-secrets/icecast-source-pw deleted file mode 100644 index 16b542cee..000000000 --- a/lass/2configs/tests/dummy-secrets/icecast-source-pw +++ /dev/null @@ -1 +0,0 @@ -"blabla" diff --git a/lass/2configs/tests/dummy-secrets/initrd/ssh.ed25519_key b/lass/2configs/tests/dummy-secrets/initrd/ssh.ed25519_key deleted file mode 100644 index e69de29bb..000000000 diff --git a/lass/2configs/tests/dummy-secrets/iodinepw.nix b/lass/2configs/tests/dummy-secrets/iodinepw.nix deleted file mode 100644 index f5e704702..000000000 --- a/lass/2configs/tests/dummy-secrets/iodinepw.nix +++ /dev/null @@ -1 +0,0 @@ -"derp" 
diff --git a/lass/2configs/tests/dummy-secrets/lassul.us.dkim.priv b/lass/2configs/tests/dummy-secrets/lassul.us.dkim.priv deleted file mode 100644 index 215a7fa0c..000000000 --- a/lass/2configs/tests/dummy-secrets/lassul.us.dkim.priv +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -this is a private key ------END RSA PRIVATE KEY----- diff --git a/lass/2configs/tests/dummy-secrets/mails.nix b/lass/2configs/tests/dummy-secrets/mails.nix deleted file mode 100644 index fe51488c7..000000000 --- a/lass/2configs/tests/dummy-secrets/mails.nix +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/lass/2configs/tests/dummy-secrets/mysql_rootPassword b/lass/2configs/tests/dummy-secrets/mysql_rootPassword deleted file mode 100644 index 922a74472..000000000 --- a/lass/2configs/tests/dummy-secrets/mysql_rootPassword +++ /dev/null @@ -1 +0,0 @@ -blabla123 diff --git a/lass/2configs/tests/dummy-secrets/nix-serve.key b/lass/2configs/tests/dummy-secrets/nix-serve.key deleted file mode 100644 index 91448ad2f..000000000 --- a/lass/2configs/tests/dummy-secrets/nix-serve.key +++ /dev/null @@ -1 +0,0 @@ -key-name:blabla123 diff --git a/lass/2configs/tests/dummy-secrets/nordvpn.txt b/lass/2configs/tests/dummy-secrets/nordvpn.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/lass/2configs/tests/dummy-secrets/repos.nix b/lass/2configs/tests/dummy-secrets/repos.nix deleted file mode 100644 index eed712458..000000000 --- a/lass/2configs/tests/dummy-secrets/repos.nix +++ /dev/null @@ -1 +0,0 @@ -_: {} diff --git a/lass/2configs/tests/dummy-secrets/retiolum.rsa_key.priv b/lass/2configs/tests/dummy-secrets/retiolum.rsa_key.priv deleted file mode 100644 index 99a4033f6..000000000 --- a/lass/2configs/tests/dummy-secrets/retiolum.rsa_key.priv +++ /dev/null @@ -1,4 +0,0 @@ - ------BEGIN RSA PRIVATE KEY----- -this is a private key ------END RSA PRIVATE KEY----- 
diff --git a/lass/2configs/tests/dummy-secrets/searx.key b/lass/2configs/tests/dummy-secrets/searx.key deleted file mode 100644 index bd88e01cd..000000000 --- a/lass/2configs/tests/dummy-secrets/searx.key +++ /dev/null @@ -1 +0,0 @@ -yolo diff --git a/lass/2configs/tests/dummy-secrets/ssh-tor.priv b/lass/2configs/tests/dummy-secrets/ssh-tor.priv deleted file mode 100644 index e69de29bb..000000000 diff --git a/lass/2configs/tests/dummy-secrets/ssh.id_ed25519 b/lass/2configs/tests/dummy-secrets/ssh.id_ed25519 deleted file mode 100644 index 5c12da0b3..000000000 --- a/lass/2configs/tests/dummy-secrets/ssh.id_ed25519 +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN OPENSSH PRIVATE KEY----- -private key bla ------END OPENSSH PRIVATE KEY----- diff --git a/lass/2configs/tests/dummy-secrets/ssh.id_rsa b/lass/2configs/tests/dummy-secrets/ssh.id_rsa deleted file mode 100644 index 885cf61f0..000000000 --- a/lass/2configs/tests/dummy-secrets/ssh.id_rsa +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -private key bla ------END RSA PRIVATE KEY----- diff --git a/lass/2configs/tests/dummy-secrets/syncthing.cert b/lass/2configs/tests/dummy-secrets/syncthing.cert deleted file mode 100644 index e69de29bb..000000000 diff --git a/lass/2configs/tests/dummy-secrets/syncthing.key b/lass/2configs/tests/dummy-secrets/syncthing.key deleted file mode 100644 index e69de29bb..000000000 diff --git a/lass/2configs/tests/dummy-secrets/torrent-auth b/lass/2configs/tests/dummy-secrets/torrent-auth deleted file mode 100644 index f167e71f9..000000000 --- a/lass/2configs/tests/dummy-secrets/torrent-auth +++ /dev/null @@ -1,3 +0,0 @@ -{ - x = "xxx"; -} diff --git a/lass/2configs/tests/dummy-secrets/transmission-pw b/lass/2configs/tests/dummy-secrets/transmission-pw deleted file mode 100644 index b71df1a2d..000000000 --- a/lass/2configs/tests/dummy-secrets/transmission-pw +++ /dev/null @@ -1 +0,0 @@ -"krebskrebs123" 
diff --git a/lass/2configs/texlive.nix b/lass/2configs/texlive.nix deleted file mode 100644 index fa20ef81f..000000000 --- a/lass/2configs/texlive.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, ... }: - -{ - environment.systemPackages = with pkgs; [ - (texLiveAggregationFun { paths = [ - texLive - texLiveExtra - texLiveCMSuper - texLiveModerncv - ];}) - ]; -} diff --git a/lass/2configs/themes.nix b/lass/2configs/themes.nix deleted file mode 100644 index 60e2f7aec..000000000 --- a/lass/2configs/themes.nix +++ /dev/null 
@@ -1,75 +0,0 @@ -{ config, lib, pkgs, ... }: let - - switch-theme = pkgs.writers.writeDashBin "switch-theme" '' - set -efux - if [ "$1" = toggle ]; then - if [ "$(${pkgs.coreutils}/bin/cat /var/theme/current_theme)" = dark ]; then - ${placeholder "out"}/bin/switch-theme light - else - ${placeholder "out"}/bin/switch-theme dark - fi - elif test -e "/etc/themes/$1"; then - ${pkgs.coreutils}/bin/mkdir -p /var/theme/config - ${pkgs.rsync}/bin/rsync --chown=lass:users -a --delete "/etc/themes/$1/" /var/theme/config/ - echo "$1" > /var/theme/current_theme - ${pkgs.coreutils}/bin/chown lass:users /var/theme/current_theme - ${pkgs.xorg.xrdb}/bin/xrdb -merge /var/theme/config/xresources - ${pkgs.procps}/bin/pkill -HUP xsettingsd - ${pkgs.glib}/bin/gsettings set org.gnome.desktop.interface gtk-theme "$(cat /var/theme/config/gtk-theme)" || : - else - echo "theme $1 not found" - fi - ''; - -in { - systemd.services.xsettingsd = { - wantedBy = [ "multi-user.target" ]; - after = [ "display-manager.service" ]; - environment.DISPLAY = ":0"; - serviceConfig = { - ExecStart = "${pkgs.xsettingsd}/bin/xsettingsd -c /var/theme/config/xsettings.conf"; - User = "lass"; - Restart = "always"; - RestartSec = "15s"; - }; - }; - systemd.tmpfiles.rules = [ - "d /var/theme/ 755 lass users" - ]; - environment.systemPackages = [ - switch-theme - pkgs.dracula-theme - pkgs.gnome3.adwaita-icon-theme - ]; - environment.etc = { - "themes/light/gtk-theme".text = '' - Adwaita - ''; - "themes/light/xsettings.conf".text = '' - Net/ThemeName "Adwaita" - ''; - "themes/light/xresources".text = '' - *background: #ffffff - *foreground: #000000 - ''; - "themes/dark/gtk-theme".text = '' - Dracula - ''; - "themes/dark/xsettings.conf".text = '' - Net/ThemeName "Dracula" - ''; - "themes/dark/xresources".text = '' - *background: #000000 - *foreground: #ffffff - ''; - }; - system.activationScripts.theme.text = '' - export DISPLAY=:0 - if test -e /var/theme/current_theme; then - ${switch-theme}/bin/switch-theme "$(cat 
/var/theme/current_theme)" || - ${switch-theme}/bin/switch-theme dark - else - ${switch-theme}/bin/switch-theme dark - fi - ''; -} diff --git a/lass/2configs/tmux.nix b/lass/2configs/tmux.nix deleted file mode 100644 index 10931365d..000000000 --- a/lass/2configs/tmux.nix +++ /dev/null @@ -1,47 +0,0 @@ -with import ; -{ config, pkgs, ... }: - -{ - environment.etc."tmux.conf".text = '' - #prefix key to ` - set-option -g prefix2 ` - - bind-key r source-file /etc/tmux.conf \; display-message "/etc/tmux.conf reloaded" - - set-option -g default-terminal screen-256color - - #use session instead of windows - bind-key c new-session - bind-key p switch-client -p - bind-key n switch-client -n - bind-key C-s switch-client -l - ''; - nixpkgs.config.packageOverrides = super: { - tmux = pkgs.symlinkJoin { - name = "tmux"; - paths = [ - (pkgs.writeDashBin "tmux" '' - exec ${super.tmux}/bin/tmux -f /etc/tmux.conf "$@" - '') - super.tmux - ]; - }; - }; - environment.systemPackages = with pkgs; [ - tmux - ]; - - # programs.bash.interactiveShellInit = '' - # if [[ "$TERM" != "linux" && -z "$TMUX" ]]; then - # if [[ -n "$SSH_AUTH_SOCK" ]]; then - # tmux set-environment -g SSH_AUTH_SOCK "$SSH_AUTH_SOCK" 2>/dev/null - # fi - - # exec tmux -u - # fi - # if [[ "$__host__" != "$HOST" ]]; then - # tmux set -g status-bg colour$(string_hash $HOST 255) - # export __host__=$HOST - # fi - # ''; -} diff --git a/lass/2configs/tor-initrd.nix b/lass/2configs/tor-initrd.nix deleted file mode 100644 index 64e64b5b3..000000000 --- a/lass/2configs/tor-initrd.nix +++ /dev/null 
@@ -1,49 +0,0 @@
-{config, pkgs, ... }:
-## unlock command:
-# (pass admin/$host/root;echo) | torify ssh root@$(pass hosts/$host/initrd/hostname) 'cat > /crypt-ramfs/passphrase'
-{
- boot.initrd.network.enable = true;
- boot.initrd.network.ssh = {
- enable = true;
- port = 22;
- authorizedKeys = [
- config.krebs.users.lass.pubkey
- config.krebs.users.lass-mors.pubkey
- config.krebs.users.lass-green.pubkey
- ];
- hostKeys = [ ];
- };
- boot.initrd.availableKernelModules = [ "e1000e" ];
-
- boot.initrd.secrets = {
- "/etc/tor/onion/bootup" = ;
- };
-
- boot.initrd.extraUtilsCommands = ''
- copy_bin_and_libs ${pkgs.tor}/bin/tor
- '';
-
- # start tor during boot process
- boot.initrd.network.postCommands = let
- torRc = (pkgs.writeText "tor.rc" ''
- DataDirectory /etc/tor
- SOCKSPort 127.0.0.1:9050 IsolateDestAddr
- SOCKSPort 127.0.0.1:9063
- HiddenServiceDir /etc/tor/onion/bootup
- HiddenServicePort 22 127.0.0.1:22
- '');
- in ''
- echo "tor: preparing onion folder"
- # have to do this otherwise tor does not want to start
- chmod -R 700 /etc/tor
-
- echo "make sure localhost is up"
- ip a a 127.0.0.1/8 dev lo
- ip link set lo up
-
- echo "tor: starting tor"
- tor -f ${torRc} --verify-config
- tor -f ${torRc} &
- '';
-}
-
diff --git a/lass/2configs/tor-ssh.nix b/lass/2configs/tor-ssh.nix
deleted file mode 100644
index c727aa015..000000000
--- a/lass/2configs/tor-ssh.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- services.tor = {
- enable = true;
- relay.onionServices.ssh = {
- version = 3;
- map = [{
- port = 22;
- target.port = 22;
- }];
- secretKey = ;
- };
- controlSocket.enable = true;
- client.enable = true;
- };
-}
-
diff --git a/lass/2configs/tv.nix b/lass/2configs/tv.nix
deleted file mode 100644
index d49ed6125..000000000
--- a/lass/2configs/tv.nix
+++ /dev/null
@@ -1,194 +0,0 @@ -{ config, pkgs, ... }: with import ; let - -nginxCfg = pkgs.writeText "nginx.conf" '' - daemon off; - pid /var/lib/rtmp/nginx.pid; - events { - use epoll; - worker_connections 128; - } - error_log stderr info; - - http { - client_body_temp_path /var/lib/rtmp/nginx_cache_client_body; - proxy_temp_path /var/lib/rtmp/nginx_cache_proxy; - fastcgi_temp_path /var/lib/rtmp/nginx_cache_fastcgi; - uwsgi_temp_path /var/lib/rtmp/nginx_cache_uwsgi; - scgi_temp_path /var/lib/rtmp/nginx_cache_scgi; - - server { - listen 8080; - root /var/lib/rtmp; - access_log stderr; - error_log stderr; - - # This URL provides RTMP statistics in XML - location /stat { - rtmp_stat all; - } - } - } - - rtmp { - server { - access_log stderr; - listen 1935; - ping 30s; - notify_method get; - - application stream { - live on; - - hls on; - hls_path /var/lib/rtmp/tmp/hls; - hls_fragment 1; - hls_playlist_length 10; - - dash on; - dash_path /var/lib/rtmp/tmp/dash; - } - } - } -''; - -in { - - services.nginx = { - enable = true; - virtualHosts."streaming.lassul.us" = { - enableACME = true; - addSSL = true; - locations."/hls".extraConfig = '' - # Serve HLS fragments - types { - application/vnd.apple.mpegurl m3u8; - video/mp2t ts; - } - root /var/lib/rtmp/tmp; - - # Allow CORS preflight requests - if ($request_method = 'OPTIONS') { - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain charset=UTF-8'; - add_header 'Content-Length' 0; - return 204; - } - - if ($request_method != 'OPTIONS') { - add_header Cache-Control no-cache; - - # CORS setup - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Expose-Headers' 'Content-Length'; - } - ''; - locations."/dash".extraConfig = '' - # Serve DASH fragments - types { - application/dash+xml mpd; - video/mp4 mp4; - } - root /var/lib/rtmp/tmp; - - # Allow CORS preflight requests - if ($request_method = 'OPTIONS') { - add_header 
'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Max-Age' 1728000; - add_header 'Content-Type' 'text/plain charset=UTF-8'; - add_header 'Content-Length' 0; - return 204; - } - if ($request_method != 'OPTIONS') { - add_header Cache-Control no-cache; - - # CORS setup - add_header 'Access-Control-Allow-Origin' '*' always; - add_header 'Access-Control-Expose-Headers' 'Content-Length'; - } - ''; - locations."= /dash.all.min.js".extraConfig = '' - default_type "text/javascript"; - alias ${pkgs.fetchurl { - url = "http://cdn.dashjs.org/v3.2.0/dash.all.min.js"; - sha256 = "16f0b40gdqsnwqi01s5sz9f1q86dwzscgc3m701jd1sczygi481c"; - }}; - ''; - locations."= /player".extraConfig = '' - default_type "text/html"; - alias ${pkgs.writeText "player.html" '' - - - - - lassulus livestream - - -
- - -
- - - - - ''}; - ''; - locations."/records".extraConfig = '' - autoindex on; - root /var/lib/rtmp; - ''; - }; - }; - - fileSystems."/var/lib/rtmp/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = [ "nosuid" "nodev" "noatime" ]; - }; - - users.users.rtmp = { - home = "/var/lib/rtmp"; - uid = genid_uint31 "rtmp"; - isNormalUser = true; - createHome = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - mic92.pubkey - palo.pubkey - ]; - }; - - systemd.services.nginx-rtmp = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - restartIfChanged = true; - script = '' - ${pkgs.nginx.override { - modules = [ - pkgs.nginxModules.rtmp - ]; - }}/bin/nginx -c ${nginxCfg} -p /var/lib/rtmp - ''; - serviceConfig = { - ExecStartPre = pkgs.writers.writeDash "setup-rtmp" '' - mkdir -p /var/lib/rtmp/tmp/hls - mkdir -p /var/lib/rtmp/tmp/dash - chown rtmp:users /var/lib/rtmp/tmp/hls - chown rtmp:users /var/lib/rtmp/tmp/dash - chmod 755 /var/lib/rtmp/tmp/hls - chmod 755 /var/lib/rtmp/tmp/dash - ''; - User = "rtmp"; - }; - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 1935"; target = "ACCEPT"; } - ]; -} diff --git a/lass/2configs/ubik-host.nix b/lass/2configs/ubik-host.nix deleted file mode 100644 index a4ad5e55e..000000000 --- a/lass/2configs/ubik-host.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ config, pkgs, ... }: -{ - krebs.sync-containers3.containers.ubik = { - sshKey = "${toString }/ubik.sync.key"; - }; - containers.ubik.bindMounts."/var/lib" = { - hostPath = "/var/lib/sync-containers3/ubik/state"; - isReadOnly = false; - }; - containers.ubik.bindMounts."/var/lib/nextcloud/data" = { - hostPath = "/var/ubik"; - isReadOnly = false; - }; - services.nginx.virtualHosts."c.apanowicz.de" = { - enableACME = true; - forceSSL = true; - locations."/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://ubik.r"; - extraConfig = '' - client_max_body_size 9001M; - ''; - }; - }; -} 
diff --git a/lass/2configs/urxvt.nix b/lass/2configs/urxvt.nix
deleted file mode 100644
index 7dd59e0c3..000000000
--- a/lass/2configs/urxvt.nix
+++ /dev/null
@@ -1,37 +0,0 @@
-{ config, pkgs, ... }:
-with import ;
-
-{
- services.urxvtd.enable = true;
-
- krebs.xresources.resources.urxvt = ''
- URxvt.saveLines: 10000
- URxvt.scrollBar: false
- URxvt.urgentOnBell: true
- URxvt.perl-ext: default,matcher
-
- URxvt.url-launcher: /run/current-system/sw/bin/browser-select
- URxvt.matcher.pattern.1: \\bwww\\.[\\w-]+\\.[\\w./?&@#-]*[\\w/-]
-
- URxvt.keysym.M-Escape: perl:keyboard-select:activate
- URxvt.keysym.M-s: perl:keyboard-select:search
- URxvt.keysym.M-u: matcher:select
- URxvt.keysym.M-i: matcher:list
-
- URxvt.keysym.M-F1: command:\033]710;${config.lass.fonts.regular}\007\033]711;${config.lass.fonts.bold}\007
- URxvt.keysym.M-F2: command:\033]710;xft:Monospace:size=12\007\033]711;xft:Monospace:size=15:bold\007
- URxvt.keysym.M-F3: command:\033]710;xft:Monospace:size=18\007\033]711;xft:Monospace:size=20:bold\007
- URxvt.keysym.M-F4: command:\033]710;xft:Monospace:size=25\007\033]711;xft:Monospace:size=25:bold\007
- URxvt.keysym.M-F5: command:\033]710;xft:Monospace:size=30\007\033]711;xft:Monospace:size=30:bold\007
-
- URxvt.intensityStyles: false
-
- URxvt*background: #000000
- URxvt*foreground: #ffffff
-
- !change unreadable blue
- URxvt*color4: #268bd2
-
- URxvt*color0: #232342
- '';
-}
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
deleted file mode 100644
index efe6a739c..000000000
--- a/lass/2configs/vim.nix
+++ /dev/null
@@ -1,349 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - out = { - environment.systemPackages = [ - (lib.hiPrio vim) - ]; - - environment.etc.vimrc.source = vimrc; - environment.etc.vim.source = vim; - - environment.variables.EDITOR = lib.mkForce "vim"; - environment.variables.VIMINIT = ":so /etc/vimrc"; - }; - - vimrc = pkgs.writeText "vimrc" '' - set nocompatible - - set autoindent - set backspace=indent,eol,start - set backup - set backupdir=${dirs.backupdir}/ - set directory=${dirs.swapdir}// - set list listchars=tab:⇥\ ,extends:❯,precedes:❮,nbsp:␣,trail:· showbreak=¬ - set hlsearch - set incsearch - set ttymouse=sgr - set mouse=a - set ruler - set pastetoggle= - set runtimepath=${extra-runtimepath},$VIMRUNTIME - set shortmess+=I - set showcmd - set showmatch - set ttimeoutlen=0 - set undodir=${dirs.undodir} - set undofile - set undolevels=1000000 - set undoreload=1000000 - set viminfo='20,<1000,s100,h,n${files.viminfo} - set visualbell - set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o - set wildmenu - set wildmode=longest,full - - " enable better-whitespace - let g:better_whitespace_enabled=1 - - set title - set titleold= - set titlestring=(vim)\ %t%(\ %M%)%(\ (%{expand(\"%:p:h\")})%)%(\ %a%)\ -\ %{v:servername} - - set et ts=2 sts=2 sw=2 - - filetype plugin indent on - - set t_Co=256 - colorscheme dim - syntax on - - au Syntax * syn match Garbage containedin=ALL /\s\+$/ - \ | syn match TabStop containedin=ALL /\t\+/ - \ | syn keyword Todo containedin=ALL TODO - \ | syn match NBSP '\%xa0' - \ | syn match NarrowNBSP '\%u202F' - - au BufRead,BufNewFile *.hs so ${hs.vim} - - au BufRead,BufNewFile *.nix so ${nix.vim} - - au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile - - nnoremap :call LanguageClient_contextMenu() - set hidden - let g:LanguageClient_serverCommands = { - \ 'python': ['pyls'], - \ 'go': ['~/go/bin/go-langserver'] - \ } - - let g:LanguageClient_diagnosticsDisplay = { - \ 1: { "signText": "E" }, - \ 2: { "signText": "W" } - \ 
} - - nmap q :buffer - nmap :buffer - - cnoremap - - noremap :q - vnoremap < >gv - - nnoremap [5^ :tabp - nnoremap [6^ :tabn - nnoremap [5@ :tabm -1 - nnoremap [6@ :tabm +1 - - nnoremap :tabp - nnoremap :tabn - inoremap :tabp - inoremap :tabn - - " - noremap Oa | noremap! Oa - noremap Ob | noremap! Ob - noremap Oc | noremap! Oc - noremap Od | noremap! Od - " <[C]S-{Up,Down,Right,Left> - noremap [a | noremap! [a - noremap [b | noremap! [b - noremap [c | noremap! [c - noremap [d | noremap! [d - - " search with ack - let g:ackprg = 'ag --vimgrep' - cnoreabbrev Ack Ack! - - " copy/paste from/to xclipboard - set clipboard=unnamedplus - - " use fzf to switch files - nnoremap :FZF - nnoremap :Rg - let g:fzf_layout = { 'down': '~15%' } - ''; - - extra-runtimepath = lib.concatMapStringsSep "," (pkg: "${pkg.rtp}") [ - pkgs.vimPlugins.copilot-vim - pkgs.vimPlugins.undotree - pkgs.vimPlugins.fzf-vim - pkgs.vimPlugins.fzfWrapper - pkgs.vimPlugins.vim-better-whitespace - (pkgs.vimUtils.buildVimPlugin { - name = "file-line-1.0"; - src = pkgs.fetchFromGitHub { - owner = "bogado"; - repo = "file-line"; - rev = "1.0"; - sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0"; - }; - }) - (pkgs.vimUtils.buildVimPlugin { - name = "vim-dim-1.1.0"; - src = pkgs.fetchFromGitHub { - owner = "jeffkreeftmeijer"; - repo = "vim-dim"; - rev = "1.1.0"; - sha256 = "sha256-lyTZUgqUEEJRrzGo1FD8/t8KBioPrtB3MmGvPeEVI/g="; - }; - }) - ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let - name = "showsyntax"; - in { - name = "vim-plugin-${name}-1.0.0"; - destination = "/plugin/${name}.vim"; - text = /* vim */ '' - if exists('g:loaded_showsyntax') - finish - endif - let g:loaded_showsyntax = 0 - - fu! ShowSyntax() - let id = synID(line("."), col("."), 1) - let name = synIDattr(id, "name") - let transName = synIDattr(synIDtrans(id),"name") - if name != transName - let name .= " (" . transName . ")" - endif - echo "Syntax: " . name - endfu - - command! 
-n=0 -bar ShowSyntax :call ShowSyntax() - ''; - }))) - ]; - - dirs = { - backupdir = "$HOME/.cache/vim/backup"; - swapdir = "$HOME/.cache/vim/swap"; - undodir = "$HOME/.cache/vim/undo"; - }; - files = { - viminfo = "$HOME/.cache/vim/info"; - }; - - mkdirs = let - dirOf = s: let out = lib.concatStringsSep "/" (lib.init (lib.splitString "/" s)); - in assert out != ""; out; - alldirs = lib.attrValues dirs ++ map dirOf (lib.attrValues files); - in lib.unique (lib.sort lib.lessThan alldirs); - - vim = pkgs.symlinkJoin { - name = "vim"; - paths = [ - (pkgs.writers.writeDashBin "vim" '' - set -efu - export PATH=$PATH:${lib.makeBinPath [ - pkgs.nodejs - ]} - (umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs}) - exec ${pkgs.vim}/bin/vim "$@" - '') - pkgs.vim - ]; - }; - - hs.vim = pkgs.writeText "hs.vim" '' - syn region String start=+\[[[:alnum:]]*|+ end=+|]+ - - hi link ConId Identifier - hi link VarId Identifier - hi link hsDelimiter Delimiter - ''; - - nix.vim = pkgs.writeText "nix.vim" '' - setf nix - - " Ref - syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/ - syn match NixINT /\<[0-9]\+\>/ - syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ - syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ - syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/ - syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/ - syn region NixSTRING - \ matchgroup=NixSTRING - \ start='"' - \ skip='\\"' - \ end='"' - syn region NixIND_STRING - \ matchgroup=NixIND_STRING - \ start="'''" - \ skip="'''\('\|[$]\|\\[nrt]\)" - \ end="'''" - - syn match NixOther /[():/;=.,?\[\]]/ - - syn match NixCommentMatch /\(^\|\s\)#.*/ - syn region NixCommentRegion start="/\*" end="\*/" - - hi link NixCode Statement - hi link NixData Constant - hi link NixComment Comment - - hi link NixCommentMatch NixComment - hi link NixCommentRegion NixComment - hi link NixID NixCode - hi link NixINT NixData - hi link NixPATH 
NixData - hi link NixHPATH NixData - hi link NixSPATH NixData - hi link NixURI NixData - hi link NixSTRING NixData - hi link NixIND_STRING NixData - - hi link NixEnter NixCode - hi link NixOther NixCode - hi link NixQuote NixData - - syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings - syn cluster nix_ind_strings contains=NixIND_STRING - syn cluster nix_strings contains=NixSTRING - - ${lib.concatStringsSep "\n" (lib.mapAttrsToList (lang: { extraStart ? null }: let - startAlts = lib.filter lib.isString [ - ''/\* ${lang} \*/'' - extraStart - ]; - sigil = ''\(${lib.concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*''; - in /* vim */ '' - syn include @nix_${lang}_syntax syntax/${lang}.vim - unlet b:current_syntax - - syn match nix_${lang}_sigil - \ X${lib.replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X - \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING - \ transparent - - syn region nix_${lang}_region_STRING - \ matchgroup=NixSTRING - \ start='"' - \ skip='\\"' - \ end='"' - \ contained - \ contains=@nix_${lang}_syntax - \ transparent - - syn region nix_${lang}_region_IND_STRING - \ matchgroup=NixIND_STRING - \ start="'''" - \ skip="'''\('\|[$]\|\\[nrt]\)" - \ end="'''" - \ contained - \ contains=@nix_${lang}_syntax - \ transparent - - syn cluster nix_ind_strings - \ add=nix_${lang}_region_IND_STRING - - syn cluster nix_strings - \ add=nix_${lang}_region_STRING - - syn cluster nix_has_dollar_curly - \ add=@nix_${lang}_syntax - '') { - c = {}; - cabal = {}; - haskell = {}; - sh.extraStart = ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"''; - vim.extraStart = - ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"''; - })} - - " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY. 
- syn clear shVarAssign
-
- syn region nixINSIDE_DOLLAR_CURLY
- \ matchgroup=NixEnter
- \ start="[$]{"
- \ end="}"
- \ contains=TOP
- \ containedin=@nix_has_dollar_curly
- \ transparent
-
- syn region nix_inside_curly
- \ matchgroup=NixEnter
- \ start="{"
- \ end="}"
- \ contains=TOP
- \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
- \ transparent
-
- syn match NixQuote /'''\([''$']\|\\.\)/he=s+2
- \ containedin=@nix_ind_strings
- \ contained
-
- syn match NixQuote /\\./he=s+1
- \ containedin=@nix_strings
- \ contained
-
- syn sync fromstart
-
- let b:current_syntax = "nix"
-
- set isk=@,48-57,_,192-255,-,'
- '';
-in
-out
diff --git a/lass/2configs/virtualbox.nix b/lass/2configs/virtualbox.nix
deleted file mode 100644
index cd270bdf8..000000000
--- a/lass/2configs/virtualbox.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- mainUser = config.users.extraUsers.mainUser;
-
-in {
- #services.virtualboxHost.enable = true;
- virtualisation.virtualbox.host.enable = true;
- virtualisation.virtualbox.host.enableHardening = false;
-
- users.extraUsers = {
- virtual = {
- name = "virtual";
- description = "user for running VirtualBox";
- home = "/home/virtual";
- useDefaultShell = true;
- extraGroups = [ "vboxusers" "audio" "video" ];
- createHome = true;
- };
- };
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(virtual) NOPASSWD: ALL
- '';
-}
diff --git a/lass/2configs/websites/default.nix b/lass/2configs/websites/default.nix
deleted file mode 100644
index f74845a56..000000000
--- a/lass/2configs/websites/default.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, lib, ... }:
-
-{
- services.nginx = {
- enable = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
-
- enableReload = true;
-
- virtualHosts.default = {
- locations."= /etc/os-release".extraConfig = ''
- default_type text/plain;
- alias /etc/os-release;
- '';
- };
- };
-}
-
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix deleted file mode 100644 index 71f7f8111..000000000 --- a/lass/2configs/websites/domsen.nix +++ /dev/null 
@@ -1,454 +0,0 @@ -{ config, pkgs, lib, ... }: - -let - - inherit (import ) - genid - genid_uint31 - ; - inherit (import {inherit lib pkgs;}) - servePage - serveOwncloud - serveWordpress; - - msmtprc = pkgs.writeText "msmtprc" '' - account localhost - host localhost - account default: localhost - ''; - - sendmail = pkgs.writeDash "msmtp" '' - exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@" - ''; - -in { - imports = [ - ./default.nix - ./sqlBackup.nix - (servePage [ "aldonasiech.com" "www.aldonasiech.com" ]) - (servePage [ "apanowicz.de" "www.apanowicz.de" ]) - (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) - (servePage [ "illustra.de" "www.illustra.de" ]) - (servePage [ "event-extra.de" "www.event-extra.de" ]) - # (servePage [ "nirwanabluete.de" "www.nirwanabluete.de" ]) - (servePage [ "familienrat-hamburg.de" "www.familienrat-hamburg.de" ]) - (servePage [ "karlaskop.de" ]) - (servePage [ - "freemonkey.art" - "www.freemonkey.art" - ]) - (serveOwncloud [ "o.ubikmedia.de" ]) - (serveWordpress [ - "ubikmedia.de" - "ubikmedia.eu" - "youthtube.xyz" - "joemisch.com" - "weirdwednesday.de" - "jarugadesign.de" - "beesmooth.ch" - - "www.ubikmedia.eu" - "www.youthtube.xyz" - "www.ubikmedia.de" - "www.joemisch.com" - "www.weirdwednesday.de" - "www.jarugadesign.de" - "www.beesmooth.ch" - - "aldona2.ubikmedia.de" - "cinevita.ubikmedia.de" - "factscloud.ubikmedia.de" - "illucloud.ubikmedia.de" - "joemisch.ubikmedia.de" - "nb.ubikmedia.de" - "youthtube.ubikmedia.de" - "weirdwednesday.ubikmedia.de" - "freemonkey.ubikmedia.de" - "jarugadesign.ubikmedia.de" - "crypto4art.ubikmedia.de" - "jarugadesign.ubikmedia.de" - "beesmooth.ubikmedia.de" - ]) - ]; - - # https://github.com/nextcloud/server/issues/25436 - services.mysql.settings.mysqld.innodb_read_only_compressed = 0; - - services.mysql.ensureDatabases = [ "ubikmedia_de" "o_ubikmedia_de" ]; - services.mysql.ensureUsers = [ - { ensurePermissions = { "ubikmedia_de.*" = "ALL"; }; name 
= "nginx"; } - { ensurePermissions = { "o_ubikmedia_de.*" = "ALL"; }; name = "nginx"; } - ]; - - services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = '' - try_files $uri $uri/ /index.php?$args; - ''; - - lass.mysqlBackup.config.all.databases = [ - "ubikmedia_de" - "o_ubikmedia_de" - ]; - - services.phpfpm.phpOptions = '' - sendmail_path = ${sendmail} -t - upload_max_filesize = 100M - post_max_size = 100M - file_uploads = on - ''; - - systemd.services.nextcloud-setup.after = [ "secret-nextcloud_pw.service" ]; - krebs.secret.files.nextcloud_pw = { - path = "/run/nextcloud.pw"; - owner.name = "nextcloud"; - group-name = "nextcloud"; - source-path = toString + "/nextcloud_pw"; - }; - services.nextcloud = { - enable = true; - enableBrokenCiphersForSSE = false; - hostName = "o.xanf.org"; - package = pkgs.nextcloud25; - config = { - adminpassFile = "/run/nextcloud.pw"; - overwriteProtocol = "https"; - }; - https = true; - }; - services.nginx.virtualHosts."o.xanf.org" = { - enableACME = true; - forceSSL = true; - }; - - # MAIL STUFF - # TODO: make into its own module - - services.roundcube = { - enable = true; - hostName = "mail.lassul.us"; - extraConfig = '' - $config['smtp_debug'] = true; - $config['smtp_host'] = "localhost:25"; - ''; - }; - services.dovecot2 = { - enable = true; - showPAMFailure = true; - mailLocation = "maildir:~/Mail"; - sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem"; - sslServerKey = "/var/lib/acme/lassul.us/key.pem"; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; } - { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; } - ]; - - environment.systemPackages = [ - (pkgs.writers.writeDashBin "debug_exim" '' - set -ef - export PATH="${lib.makeBinPath [ pkgs.coreutils ]}" - echo "$@" >> /tmp/xxx - /run/wrappers/bin/shadow_verify_arg "${config.lass.usershadow.pattern}" "$2" "$3" 2>>/tmp/xxx1 - echo "ok" >> /tmp/yyy - exit 23 - '') - ]; - - 
krebs.exim-smarthost = { - authenticators.PLAIN = '' - driver = plaintext - public_name = PLAIN - server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}} - ''; - authenticators.LOGIN = '' - driver = plaintext - public_name = LOGIN - server_prompts = "Username:: : Password::" - server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}} - # server_condition = ''${run{/run/current-system/sw/bin/debug_exim ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}} - ''; - internet-aliases = [ - { from = "dma@ubikmedia.de"; to = "domsen"; } - { from = "dma@ubikmedia.eu"; to = "domsen"; } - { from = "mail@habsys.de"; to = "domsen"; } - { from = "mail@habsys.eu"; to = "domsen"; } - { from = "hallo@apanowicz.de"; to = "domsen"; } - { from = "bruno@apanowicz.de"; to = "bruno"; } - { from = "mail@jla-trading.com"; to = "jla-trading"; } - { from = "jms@ubikmedia.eu"; to = "jms"; } - { from = "ms@ubikmedia.eu"; to = "ms"; } - { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } - { from = "kontakt@alewis.de"; to ="klabusterbeere"; } - { from = "hallo@jarugadesign.de"; to ="kasia"; } - { from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; } - - { from = "testuser@lassul.us"; to = "testuser"; } - { from = "testuser@ubikmedia.eu"; to = "testuser"; } - ]; - sender_domains = [ - "jla-trading.com" - "ubikmedia.eu" - "ubikmedia.de" - "apanowicz.de" - "alewis.de" - "jarugadesign.de" - "beesmooth.ch" - "event-extra.de" - ]; - dkim = [ - { domain = "ubikmedia.eu"; } - { domain = "apanowicz.de"; } - { domain = "beesmooth.ch"; } - ]; - }; - services.borgbackup.jobs.hetzner.paths = [ - "/home/xanf" - "/home/domsen" - "/home/bruno" - "/home/jla-trading" - "/home/jms" - "/home/ms" - "/home/bui" - "/home/klabusterbeere" - "/home/akayguen" - "/home/kasia" - "/home/dif" - "/home/lavafilms" - "/home/movematchers" - "/home/blackphoton" - "/home/avada" - 
"/home/sts" - "/home/familienrat" - ]; - users.users.UBIK-SFTP = { - uid = genid_uint31 "UBIK-SFTP"; - home = "/home/UBIK-SFTP"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.xanf = { - uid = genid_uint31 "xanf"; - group = "xanf"; - home = "/home/xanf"; - useDefaultShell = true; - createHome = false; # creathome forces permissions - isNormalUser = true; - }; - - users.users.domsen = { - uid = genid_uint31 "domsen"; - description = "maintenance acc for domsen"; - home = "/home/domsen"; - useDefaultShell = true; - extraGroups = [ "syncthing" "download" "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.bruno = { - uid = genid_uint31 "bruno"; - home = "/home/bruno"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.jla-trading = { - uid = genid_uint31 "jla-trading"; - home = "/home/jla-trading"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.jms = { - uid = genid_uint31 "jms"; - home = "/home/jms"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.ms = { - uid = genid_uint31 "ms"; - home = "/home/ms"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.testuser = { - uid = genid_uint31 "testuser"; - home = "/home/testuser"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - #users.users.akayguen = { - # uid = genid_uint31 "akayguen"; - # home = "/home/akayguen"; - # useDefaultShell = true; - # createHome = true; - # isNormalUser = true; - #}; - - users.users.bui = { - uid = genid_uint31 "bui"; - home = "/home/bui"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.klabusterbeere = { - uid = genid_uint31 "klabusterbeere"; - home = "/home/klabusterbeere"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.kasia = { - uid = 
genid_uint31 "kasia"; - home = "/home/kasia"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.XANF_TEAM = { - uid = genid_uint31 "XANF_TEAM"; - group = "xanf"; - home = "/home/XANF_TEAM"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.dif = { - uid = genid_uint31 "dif"; - home = "/home/dif"; - useDefaultShell = true; - extraGroups = [ "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.lavafilms = { - uid = genid_uint31 "lavafilms"; - home = "/home/lavafilms"; - useDefaultShell = true; - extraGroups = [ "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.movematchers = { - uid = genid_uint31 "movematchers"; - home = "/home/movematchers"; - useDefaultShell = true; - extraGroups = [ "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.blackphoton = { - uid = genid_uint31 "blackphoton"; - home = "/home/blackphoton"; - useDefaultShell = true; - extraGroups = [ "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.line = { - uid = genid_uint31 "line"; - home = "/home/line"; - useDefaultShell = true; - # extraGroups = [ "xanf" ]; - createHome = true; - isNormalUser = true; - }; - - users.users.avada = { - uid = genid_uint31 "avada"; - home = "/home/avada"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.sts = { - uid = genid_uint31 "sts"; - home = "/home/sts"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - - users.users.familienrat = { - uid = genid_uint31 "familienrat"; - home = "/home/familienrat"; - useDefaultShell = true; - createHome = true; - isNormalUser = true; - }; - krebs.acl."/srv/http/familienrat-hamburg.de"."u:familienrat:rwX" = {}; - krebs.acl."/srv/http"."u:familienrat:X" = { - default = false; - recursive = false; - }; - - users.groups.xanf = {}; - - krebs.on-failure.plans.restic-backups-domsen = { - journalctl 
= {
- lines = 1000;
- };
- };
-
- services.restic.backups.domsen = {
- initialize = true;
- repository = "/backups/domsen";
- passwordFile = toString + "/domsen_backup_pw";
- timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
- paths = [
- "/home/domsen/Mail"
- "/home/ms/Mail"
- "/home/klabusterbeere/Mail"
- "/home/jms/Mail"
- "/home/kasia/Mail"
- "/home/bruno/Mail"
- "/home/akayguen/Mail"
- "/backups/sql_dumps"
- ];
- };
-
- services.syncthing.declarative.folders = {
- domsen-backups = {
- path = "/backups/domsen";
- devices = [ "domsen-backup" ];
- };
- domsen-backup-srv-http = {
- path = "/srv/http";
- devices = [ "domsen-backup" ];
- };
- };
-
- system.activationScripts.domsen-backups = ''
- ${pkgs.coreutils}/bin/chmod 750 /backups
- '';
-
- # takes too long!!
- # krebs.acl."/srv/http"."u:syncthing:rwX" = {};
- # krebs.acl."/srv/http"."u:nginx:rwX" = {};
- # krebs.acl."/srv/http/ubikmedia.de"."u:avada:rwX" = {};
- krebs.acl."/home/xanf/XANF_TEAM"."g:xanf:rwX" = {};
- krebs.acl."/home/xanf"."g:xanf:X" = {
- default = false;
- recursive = false;
- };
-}
-
diff --git a/lass/2configs/websites/flix.lassul.us.nix b/lass/2configs/websites/flix.lassul.us.nix
deleted file mode 100644
index 27a7f75e8..000000000
--- a/lass/2configs/websites/flix.lassul.us.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, pkgs, ... }:
-{
- services.nginx.virtualHosts."flix.lassul.us" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://yellow.r:8096";
- proxyWebsockets = true;
- recommendedProxySettings = true;
- };
- };
-}
-
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
deleted file mode 100644
index 9440413aa..000000000
--- a/lass/2configs/websites/lassulus.nix
+++ /dev/null
@@ -1,74 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-let
- inherit (import )
- genid_uint31
- ;
-
-in {
- imports = [
- ./default.nix
- ];
-
- security.acme = {
- email = "acme@lassul.us";
- acceptTerms = true;
- certs."lassul.us" = {
- group = "lasscert";
- };
- };
-
- users.groups.lasscert.members = [
- "dovecot2"
- "exim"
- "nginx"
- ];
-
- services.nginx.virtualHosts."lassul.us" = {
- addSSL = true;
- enableACME = true;
- default = true;
- locations."/".extraConfig = ''
- root /srv/http/lassul.us;
- '';
- locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
- alias ${config.krebs.tinc.retiolum.hostsArchive};
- '';
- locations."= /hosts".extraConfig = ''
- alias ${pkgs.krebs-hosts_combined};
- '';
- locations."= /retiolum.hosts".extraConfig = ''
- alias ${pkgs.krebs-hosts-retiolum};
- '';
- locations."= /wireguard-key".extraConfig = ''
- alias ${pkgs.writeText "prism.wg" config.krebs.hosts.prism.nets.wiregrill.wireguard.pubkey};
- '';
- locations."= /krebspage".extraConfig = ''
- default_type "text/html";
- alias ${pkgs.krebspage}/index.html;
- '';
- locations."= /init".extraConfig = let
- initscript = pkgs.init.override {
- pubkey = config.krebs.users.lass.pubkey;
- };
- in ''
- alias ${initscript}/bin/init;
- '';
- locations."= /blue.pub".extraConfig = ''
- alias ${pkgs.writeText "pub" config.krebs.users.lass-blue.pubkey};
- '';
- locations."= /ssh.pub".extraConfig = ''
- alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pubkey};
- '';
- locations."= /gpg.pub".extraConfig = ''
- alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pgp.pubkeys.default};
- '';
- locations."= /ip".extraConfig = ''
- return 200 '$remote_addr';
- '';
- };
-
-
-
-}
diff --git a/lass/2configs/websites/ref.ptkk.de/default.nix b/lass/2configs/websites/ref.ptkk.de/default.nix
deleted file mode 100644
index 14ce58b8e..000000000
--- a/lass/2configs/websites/ref.ptkk.de/default.nix
+++ /dev/null
@@ -1,89 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- services.nginx.virtualHosts."ref.ptkk.de" = {
- enableACME = true;
- locations."/" = {
- proxyPass = "http://localhost:4626";
- extraConfig = ''
- proxy_http_version 1.1;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Port $server_port;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header Connection $connection_upgrade;
- proxy_set_header Upgrade $http_upgrade;
- proxy_cache_bypass $http_upgrade;
- '';
- };
- locations."/static/" = {
- alias = "/var/lib/ref.ptkk.de/static/";
- };
- forceSSL = true;
- };
- systemd.services."ref.ptkk.de" = {
- wantedBy = [ "multi-user.target" ];
- environment = {
- PRODUCTION = "yip";
- DATA_DIR = "/var/lib/ref.ptkk.de/data";
- PORT = "4626";
- STATIC_ROOT = "/var/lib/ref.ptkk.de/static";
- };
- path = with pkgs; [
- git
- gnutar
- gzip
- nix
- ];
- serviceConfig = {
- ExecStartPre = [
- "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/data"
- "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/code"
- "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/static"
- ];
- ExecStart = pkgs.writers.writeDash "nixify" ''
- cd code
- if test -e shell.nix; then
- ${pkgs.nix}/bin/nix-shell -I /var/src --run serve
- else
- echo 'no shell.nix, bailing out'
- exit 0
- fi
- '';
- LoadCredential = [
- "django-secret.key:${toString }/ref.ptkk.de-django.key"
- ];
- User = "ref.ptkk.de";
- WorkingDirectory = "/var/lib/ref.ptkk.de";
- StateDirectory = "ref.ptkk.de";
- Restart = "always";
- RestartSec = "100s";
- };
- };
- systemd.services."ref.ptkk.de-restarter" = {
- serviceConfig = {
- Type = "oneshot";
- ExecStart = "${pkgs.systemd}/bin/systemctl restart ref.ptkk.de.service";
- };
- };
- systemd.paths."ref.ptkk.de-restarter" = {
- wantedBy = [ "multi-user.target" ];
- pathConfig.PathChanged = [
-
"/var/lib/ref.ptkk.de/code"
- "/var/src/nixpkgs"
- ];
- };
-
- users.users."ref.ptkk.de" = {
- isSystemUser = true;
- uid = pkgs.stockholm.lib.genid_uint31 "ref.ptkk.de";
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6fu6LtyRdk++qIBpP0BdZQHSTqzNNlvp7ML2Dv0IxD CI@github.com"
- config.krebs.users.lass.pubkey
- ];
- group = "nginx";
- home = "/var/lib/ref.ptkk.de";
- useDefaultShell = true;
- };
-}
diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix
deleted file mode 100644
index c9783bece..000000000
--- a/lass/2configs/websites/sqlBackup.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
- krebs.secret.files.mysql_rootPassword = {
- path = "${config.services.mysql.dataDir}/mysql_rootPassword";
- owner.name = "mysql";
- source-path = toString + "/mysql_rootPassword";
- };
-
- services.mysql = {
- enable = true;
- dataDir = "/var/mysql";
- package = pkgs.mariadb;
- };
-
- systemd.services.mysql = {
- after = [
- config.krebs.secret.files.mysql_rootPassword.service
- ];
- partOf = [
- config.krebs.secret.files.mysql_rootPassword.service
- ];
- };
-
- lass.mysqlBackup = {
- enable = true;
- config.all = {};
- };
-}
-
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
deleted file mode 100644
index bffa1036b..000000000
--- a/lass/2configs/websites/util.nix
+++ /dev/null
@@ -1,246 +0,0 @@ -{ lib, pkgs, ... }: - -with lib; - -rec { - - ssl = domains : - let - domain = head domains; - in { - }; - - servePage = domains: - let - domain = head domains; - in { - services.nginx.virtualHosts.${domain} = { - enableACME = true; - addSSL = true; - serverAliases = domains; - locations."/".extraConfig = '' - root /srv/http/${domain}; - ''; - }; - }; - - servephpBB = domains: - let - domain = head domains; - - in { - services.nginx.virtualHosts."${domain}" = { - serverAliases = domains; - extraConfig = '' - index index.php; - root /srv/http/${domain}/; - access_log /tmp/nginx_acc.log; - error_log /tmp/nginx_err.log; - error_page 404 /404.html; - error_page 500 502 503 504 /50x.html; - client_max_body_size 100m; - ''; - locations."/".extraConfig = '' - try_files $uri $uri/ /index.php?$args; - ''; - locations."~ \.php(?:$|/)".extraConfig = '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS on; - fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice - fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; - fastcgi_intercept_errors on; - ''; - #Directives to send expires headers and turn off 404 error logging. 
- locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = '' - access_log off; - log_not_found off; - expires max; - ''; - }; - services.phpfpm.pools."${domain}" = { - user = "nginx"; - group = "nginx"; - extraConfig = '' - listen = /srv/http/${domain}/phpfpm.pool - pm = dynamic - pm.max_children = 25 - pm.start_servers = 5 - pm.min_spare_servers = 3 - pm.max_spare_servers = 20 - listen.owner = nginx - listen.group = nginx - php_admin_value[error_log] = 'stderr' - php_admin_flag[log_errors] = on - catch_workers_output = yes - ''; - }; - }; - - serveOwncloud = domains: - let - domain = head domains; - in { - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - addSSL = true; - serverAliases = domains; - extraConfig = '' - # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - add_header X-Download-Options noopen; - add_header X-Permitted-Cross-Domain-Policies none; - - # Path to the root of your installation - root /srv/http/${domain}/; - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; - fastcgi_read_timeout 120; - - # Disable gzip to avoid the removal of the ETag header - gzip off; - - # Uncomment if your server is build with the ngx_pagespeed module - # This module is currently not supported. - #pagespeed off; - - index index.php; - error_page 403 /core/templates/403.php; - error_page 404 /core/templates/404.php; - - rewrite ^/.well-known/carddav /remote.php/carddav/ permanent; - rewrite ^/.well-known/caldav /remote.php/caldav/ permanent; - - # The following 2 rules are only needed for the user_webfinger app. - # Uncomment it if you're planning to use this app. 
- rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; - ''; - locations."/robots.txt".extraConfig = '' - allow all; - log_not_found off; - access_log off; - ''; - locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = '' - deny all; - ''; - - locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig = '' - deny all; - ''; - - locations."/".extraConfig = '' - rewrite ^/remote/(.*) /remote.php last; - rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; - try_files $uri $uri/ =404; - ''; - - locations."~ \.php(?:$|/)".extraConfig = '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS on; - fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice - fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; - fastcgi_intercept_errors on; - ''; - - # Adding the cache control header for js and css files - # Make sure it is BELOW the location ~ \.php(?:$|/) { block - locations."~* \.(?:css|js)$".extraConfig = '' - add_header Cache-Control "public, max-age=7200"; - # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - # Optional: Don't log access to assets - access_log off; - ''; - # Optional: Don't log access to other assets - locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = '' - access_log off; - ''; - }; - services.phpfpm.pools."${domain}" = { - user = "nginx"; - group = "nginx"; - extraConfig = '' - listen = /srv/http/${domain}/phpfpm.pool - pm = dynamic - pm.max_children = 32 - pm.max_requests = 
500 - pm.start_servers = 2 - pm.min_spare_servers = 2 - pm.max_spare_servers = 5 - listen.owner = nginx - listen.group = nginx - php_admin_value[error_log] = 'stderr' - php_admin_flag[log_errors] = on - catch_workers_output = yes - ''; - }; - }; - - serveWordpress = domains: - let - domain = head domains; - - in { - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - serverAliases = domains; - extraConfig = '' - root /srv/http/${domain}/; - index index.php; - access_log /tmp/nginx_acc.log; - error_log /tmp/nginx_err.log; - error_page 404 /404.html; - error_page 500 502 503 504 /50x.html; - client_max_body_size 100m; - ''; - locations."/".extraConfig = '' - try_files $uri $uri/ /index.php?$args; - ''; - locations."~ \.php$".extraConfig = '' - fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; - fastcgi_read_timeout 120; - include ${pkgs.nginx}/conf/fastcgi.conf; - ''; - #Directives to send expires headers and turn off 404 error logging. - locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = '' - access_log off; - log_not_found off; - expires max; - ''; - }; - services.phpfpm.pools."${domain}" = { - user = "nginx"; - group = "nginx"; - extraConfig = '' - listen = /srv/http/${domain}/phpfpm.pool - pm = dynamic - pm.max_children = 25 - pm.start_servers = 5 - pm.min_spare_servers = 3 - pm.max_spare_servers = 20 - listen.owner = nginx - listen.group = nginx - php_admin_value[error_log] = 'stderr' - php_admin_flag[log_errors] = on - catch_workers_output = yes - ''; - }; - }; - -} diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix deleted file mode 100644 index 3dfaebc04..000000000 --- a/lass/2configs/weechat.nix +++ /dev/null 
@@ -1,214 +0,0 @@ -{ config, lib, pkgs, ... }: let - - weechat-configured = pkgs.weechat-declarative.override { - config = { - scripts = [ - pkgs.weechatScripts.weechat-matrix - pkgs.weechatScripts.wee-slack - ]; - settings = { - irc.server_default.nicks = [ "lassulus" "hackulus" ]; - irc.server.bitlbee = { - addresses = "localhost/6666"; - command = "msg &bitlbee identify \${sec.data.bitlbee}"; - }; - irc.server.hackint = { - addresses = "irc.hackint.org/6697"; - autojoin = [ - "#c3-gsm" - "#panthermoderns" - "#feldoffice" - "#36c3" - "#cccac" - "#nixos" - "#krebs" - "#krebstel" - "#c-base" - "#afra" - "#tvl" - "#eloop" - "#systemdultras" - "#rc3" - "#krebs-announce" - "#the_playlist" - "#germany" - "#hackint" - "#dezentrale" - "#hackerfleet \${sec.data.c3-gsm}" # TODO support channel passwords in a cooler way - ]; - ssl = true; - sasl_fail = "reconnect"; - sasl_username = "lassulus"; - sasl_password = "\${sec.data.hackint_sasl}"; - }; - irc.server.r = { - addresses = "irc.r"; - autojoin = [ - "#xxx" - "#autowifi" - "#brockman" - "#flix" - "#kollkoll" - "#noise" - "#mukke" - ]; - sasl_fail = "reconnect"; - sasl_username = "lassulus"; - sasl_password = "\${sec.data.r_sasl}"; - anti_flood_prio_high = 0; - anti_flood_prio_low = 0; - }; - irc.server.libera = { - addresses = "irc.libera.chat/6697"; - autojoin = [ - "#shackspace" - "#nixos" - "#krebs" - "#dezentrale" - "#tinc" - "#nixos-de" - "#fysi" - "#hillhacks" - "#nixos-rc3" - "#binaergewitter" - "#hackerfleet" - "#weechat" - ]; - ssl = true; - sasl_username = "lassulus"; - sasl_fail = "reconnect"; - sasl_password = "\${sec.data.libera_sasl}"; - }; - irc.server.news = { - addresses = "news.r"; - autojoin = [ - "#all" - "#aluhut" - "#querdenkos" - "#news" - "#drachengame" - ]; - anti_flood_prio_high = 0; - anti_flood_prio_low = 0; - }; - matrix.server.lassulus = { - address = "matrix.lassul.us"; - username = "lassulus"; - password = "\${sec.data.matrix_lassulus}"; - device_name = config.networking.hostName; - }; - 
plugins.var.python.go.short_name = true; - plugins.var.python.go.short_name_server = true; - plugins.var.python.go.fuzzy_search = true; - relay.network.password = "xxx"; # secret? - relay.port.weechat = 9998; - relay.weechat.commands = "*,!exec,!quit"; - weechat.look.buffer_time_format = "%m-%d_%H:%M:%S"; - weechat.look.item_time_format = "%m-%d_%H:%M:%S"; - irc.look.color_nicks_in_names = true; - irc.look.color_nicks_in_nicklist = true; - logger.file.mask = "$plugin.$name/%Y-%m-%d.weechatlog"; - logger.file.path = "/var/state/weechat_logs"; - logger.look.backlog = 1000; - weechat.notify.irc.news."#all" = "highlight"; - - # setting logger levels for channels is currently not possible declarativly - # because of already defined - logger.level.core.weechat = 0; - logger.level.irc = 3; - logger.level.python = 3; - weechat.bar.title.color_bg = 0; - weechat.bar.status.color_bg = 0; - alias.cmd.reload = "exec -oc cat /etc/weechat.set"; - script.scripts.download_enabled = true; - weechat.look.prefix_align = "left"; - weechat.look.prefix_align_max = 20; - irc.look.server_buffer = "independent"; - matrix.look.server_buffer = "independent"; - weechat.bar.buflist.size_max = 20; - weechat.color.chat_nick_colors = [ - 1 2 3 4 5 6 9 - 10 11 12 13 14 - 28 29 - 30 31 32 33 34 35 36 37 38 39 - 70 - 94 - 101 102 103 104 105 106 107 - 130 131 133 134 135 136 137 - 140 141 142 143 - 160 161 162 163 165 166 167 168 169 - 170 171 172 173 174 175 - 196 197 198 199 - 200 201 202 203 204 205 206 208 209 209 - 210 211 212 - ]; - }; - extraCommands = '' - /script upgrade - /script install go.py - /script install nickregain.pl - /script install autosort.py - /key bind meta-q /go - /key bind meta-t /bar toggle nicklist - /key bind meta-y /bar toggle buflist - /filter addreplace irc_smart * irc_smart_filter * - /filter addreplace playlist_topic irc.*.#the_playlist irc_topic * - /filter addreplace xxx_joinpart irc.r.#xxx irc_join,irc_part,irc_quit * - /set logger.level.irc.news 0 - /set 
logger.level.python.server.nixos_dev = 0; - /set logger.level.irc.hackint.#the_playlist = 0; - /connect bitlbee - /connect r - /connect news - /connect libera - /connect hackint - /matrix connect nixos_dev - /matrix connect lassulus - ''; - files."sec.conf" = toString (pkgs.writeText "sec.conf" '' - [crypt] - cipher = aes256 - hash_algo = sha256 - passphrase_command = "cat $CREDENTIALS_DIRECTORY/WEECHAT_PASSPHRASE" - salt = on - - [data] - __passphrase__ = on - hackint_sasl = "5CA242E92E7A09B180711B50C4AE2E65C42934EB4E584EC82BC1281D8C72CD411D590C16CC435687C0DA13759873CC" - libera_sasl = "9500B5AC3B29F9CAA273F1B89DC99550E038AF95C4B47442B1FB4CB9F0D6B86B26015988AD39E642CA9C4A78DED7F42D1F409B268C93E778" - r_sasl = "CB6FB1421ED5A9094CD2C05462DB1FA87C4A675628ABD9AEC9928A1A6F3F96C07D9F26472331BAF80B7B73270680EB1BBEFD" - c3-gsm = "C49DD845900CFDFA93EEBCE4F1ABF4A963EF6082B7DA6410FA701CC77A04BB6C201FCB864988C4F2B97ED7D44D5A28F162" - bitlbee = "814ECAC59D9CF6E8340B566563E5D7E92AB92209B49C1EDE4CAAC32DD0DF1EC511D97C75E840C45D69BB9E3D03E79C" - matrix_lassulus = "0CA5C0F70A9F893881370F4A665B4CC40FBB1A41E53BC94916CD92B029103528611EC0B390116BE60FA79AE10F486E96E17B0824BE2DE1C97D87B88F5407330DAD70C044147533C36B09B7030CAD97" - ''); - }; - }; - -in { - users.users.mainUser.packages = [ - weechat-configured - ]; - environment.etc."weechat.set".source = "${weechat-configured}/weechat.set"; - systemd.tmpfiles.rules = [ - "d /var/state/weechat_logs 0700 lass users -" - "d /var/state/weechat 0700 lass users -" - "d /var/state/weechat_cfg 0700 lass users -" - "L+ /home/lass/.local/share/weechat - - - - ../../../../var/state/weechat" - "L+ /home/lass/.config/weechat - - - - ../../../../var/state/weechat_cfg" - ]; - - systemd.services.weechat = { - wantedBy = [ "multi-user.target" ]; - restartIfChanged = false; - serviceConfig = { - User = "lass"; - RemainAfterExit = true; - Type = "oneshot"; - LoadCredential = [ - "WEECHAT_PASSPHRASE:${toString }/weechat_passphrase" - ]; - ExecStart = 
"${pkgs.tmux}/bin/tmux -2 new-session -d -s IM ${weechat-configured}/bin/weechat";
- ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t IM"; # TODO run save in weechat
- };
- };
-}
diff --git a/lass/2configs/weron/client.nix b/lass/2configs/weron/client.nix
deleted file mode 100644
index 55bc8a0da..000000000
--- a/lass/2configs/weron/client.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- systemd.services.weron = {
- wantedBy = [ "multi-user.target" ];
- environment = {
- WERON_RADDR = "ws://lassul.us:23420/";
- };
- serviceConfig = {
- ExecStart = pkgs.writers.writeDash "weron" ''
- ${pkgs.weron}/bin/weron vpn ip \
- --community krebs \
- --password aidsballs \
- --key aidsballs \
- --ips 10.249.1.0/24 \
- --verbose 7 \
- --dev weron
- '';
- };
- };
-}
diff --git a/lass/2configs/weron/signaler.nix b/lass/2configs/weron/signaler.nix
deleted file mode 100644
index 9e817583b..000000000
--- a/lass/2configs/weron/signaler.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- systemd.services.weron-signaler = {
- wantedBy = [ "multi-user.target" ];
- environment = {
- };
- serviceConfig = {
- ExecStart = ''${pkgs.weron}/bin/weron signaler --verbose=7 --laddr ":23420"'';
- };
- };
-
- networking.firewall.allowedTCPPorts = [ 23420 ];
-}
diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix
deleted file mode 100644
index 5f906cd2b..000000000
--- a/lass/2configs/wine.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- mainUser = config.users.extraUsers.mainUser;
-
-in {
- users.users= {
- wine = {
- home = "/home/wine";
- useDefaultShell = true;
- extraGroups = [
- "audio"
- "video"
- ];
- createHome = true;
- packages = [
- pkgs.winePackages.minimal
- ];
- isNormalUser = true;
- };
- };
- security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(wine) NOPASSWD: ALL
- '';
-}
diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix
deleted file mode 100644
index 81175c59e..000000000
--- a/lass/2configs/wiregrill.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-with import ;
-{ config, pkgs, ... }: let
-
- self = config.krebs.build.host.nets.wiregrill;
- isRouter = !isNull self.via;
-
-in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
- #hack for modprobe inside containers
- systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [
- (pkgs.writeDashBin "modprobe" ":")
- ]);
-
- boot.kernel.sysctl = mkIf isRouter {
- "net.ipv6.conf.all.forwarding" = 1;
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter (mkBefore [
- { predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
- { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
- { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
- { predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; }
- { predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- ]);
- systemd.network.networks.wiregrill = {
- matchConfig.Name = "wiregrill";
- address =
- (optional (!isNull self.ip4) "${self.ip4.addr}/16") ++
- (optional (!isNull self.ip6) "${self.ip6.addr}/48")
- ;
- networkConfig = {
- IgnoreCarrierLoss = "10s";
- };
- };
-
- networking.wireguard.interfaces.wiregrill = {
- ips =
- (optional (!isNull self.ip4 && !config.systemd.network.enable) self.ip4.addr) ++
- (optional (!isNull self.ip6 && !config.systemd.network.enable) self.ip6.addr);
- listenPort = 51820;
- privateKeyFile = (toString ) + "/wiregrill.key";
- allowedIPsAsRoutes = true;
- peers = mapAttrsToList
- (name: host: {
- # inherit name;
- allowedIPs = if isRouter then
- (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
- (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
- else
- host.nets.wiregrill.wireguard.subnets
- ;
- endpoint = mkIf (!isNull host.nets.wiregrill.via)
(host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
- persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
- publicKey = (replaceStrings ["\n"] [""] host.nets.wiregrill.wireguard.pubkey);
- })
- (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
- };
-}
diff --git a/lass/2configs/xdg-open.nix b/lass/2configs/xdg-open.nix
deleted file mode 100644
index 02c551a2b..000000000
--- a/lass/2configs/xdg-open.nix
+++ /dev/null
@@ -1,67 +0,0 @@
-{ config, pkgs, lib, ... }: with import ; let
-
- xdg-open-wrapper = pkgs.writeDashBin "xdg-open" ''
- exec ${xdg-open}/bin/xdg-open "$@" >> /tmp/xdg-debug.log 2>&1
- '';
-
- xdg-open = pkgs.writeBashBin "xdg-open" ''
- set -xe
- FILE="$1"
- PATH=/run/current-system/sw/bin
- mime=
-
- case "$FILE" in
- http://*|https://*)
- mime=text/html
- ;;
- mailto:*)
- mime=special/mailaddress
- ;;
- magnet:*)
- mime=application/x-bittorrent
- ;;
- irc:*)
- mime=x-scheme-handler/irc
- ;;
- *)
- # it’s a file
-
- # strip possible protocol
- FILE=''${FILE#file://}
- mime=''$(file -E --brief --mime-type "$FILE") \
- || (echo "$mime" 1>&2; exit 1)
- # ^ echo the error message of file
- ;;
- esac
-
- case "$mime" in
- special/mailaddress)
- alacritty --execute vim "$FILE" ;;
- text/html)
- firefox "$FILE" ;;
- text/xml)
- firefox "$FILE" ;;
- text/*)
- alacritty --execute vim "$FILE" ;;
- image/*)
- sxiv "$FILE" ;;
- application/x-bittorrent)
- env DISPLAY=:0 transgui "$FILE" ;;
- application/pdf)
- zathura "$FILE" ;;
- inode/directory)
- alacritty --execute mc "$FILE" ;;
- *)
- # open dmenu and ask for program to open with
- runner=$(print -rC1 -- ''${(ko)commands} | dmenu)
- exec $runner "$FILE";;
- esac
- '';
-in {
- environment.systemPackages = [ xdg-open-wrapper ];
-
- security.sudo.extraConfig = ''
- cr ALL=(lass) NOPASSWD: ${xdg-open}/bin/xdg-open *
- ff ALL=(lass) NOPASSWD: ${xdg-open}/bin/xdg-open *
- '';
-}
diff --git a/lass/2configs/xmonad.nix b/lass/2configs/xmonad.nix
deleted file mode 100644
index 749e7cd18..000000000
--- a/lass/2configs/xmonad.nix
+++ /dev/null
@@ -1,236 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - services.xserver.windowManager.xmonad = { - enable = true; - extraPackages = hs: [ - hs.extra - hs.xmonad-contrib - ]; - config = /* haskell */ '' -{-# LANGUAGE LambdaCase #-} - - -module Main where -import XMonad - -import qualified XMonad.StackSet as W -import Control.Monad.Extra (whenJustM) -import Data.List (isInfixOf) -import Data.Monoid (Endo) -import System.Environment (getArgs, lookupEnv) -import System.Exit (exitFailure) -import System.IO (hPutStrLn, stderr) -import System.Posix.Process (executeFile) -import Data.Ratio - -import XMonad.Actions.Commands (defaultCommands, runCommand) -import XMonad.Actions.CopyWindow (copy, copyToAll, kill1) -import XMonad.Actions.CycleWS (toggleWS) -import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace) -import XMonad.Actions.DynamicWorkspaces (withWorkspace) -import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch) -import XMonad.Actions.Minimize (minimizeWindow, maximizeWindow, withLastMinimized) -import XMonad.Hooks.EwmhDesktops (ewmh) -import XMonad.Hooks.FloatNext (floatNext) -import XMonad.Hooks.FloatNext (floatNextHook) -import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts)) -import XMonad.Hooks.ManageHelpers (doCenterFloat, doRectFloat, (-?>)) -import XMonad.Hooks.Place (placeHook, smart) -import XMonad.Hooks.UrgencyHook (focusUrgent) -import XMonad.Hooks.UrgencyHook (withUrgencyHook, UrgencyHook(..)) -import XMonad.Layout.BoringWindows (boringWindows, focusDown, focusUp) -import XMonad.Layout.FixedColumn (FixedColumn(..)) -import XMonad.Layout.Grid (Grid(..)) -import XMonad.Layout.Minimize (minimize) -import XMonad.Layout.NoBorders (smartBorders, noBorders) -import XMonad.Layout.MouseResizableTile (mouseResizableTile) -import XMonad.Layout.SimplestFloat (simplestFloat) -import XMonad.Layout.StateFull -import XMonad.ManageHook (composeAll) -import XMonad.Prompt (autoComplete, 
font, height, searchPredicate, XPConfig) -import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy) -import XMonad.Util.EZConfig (additionalKeysP) -import XMonad.Util.NamedWindows (getName) -import XMonad.Util.Run (safeSpawn) -import XMonad.Util.Ungrab (unGrab) -import XMonad.Util.Paste (sendKey) - -data LibNotifyUrgencyHook = LibNotifyUrgencyHook deriving (Read, Show) - -instance UrgencyHook LibNotifyUrgencyHook where - urgencyHook LibNotifyUrgencyHook w = do - name <- getName w - Just idx <- fmap (W.findTag w) $ gets windowset - - safeSpawn "${pkgs.libnotify}/bin/notify-send" [show name, "workspace " ++ idx] - -myTerm :: FilePath -myTerm = "/run/current-system/sw/bin/alacritty" - -myFont :: String -myFont = "${config.lass.fonts.regular}" - -main :: IO () -main = do - xmonad $ ewmh - $ withUrgencyHook LibNotifyUrgencyHook - $ def - { terminal = myTerm - , modMask = mod4Mask - , layoutHook = myLayoutHook - , manageHook = floatHooks - , startupHook = - whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK")) - (\path -> forkFile path [] Nothing) - , normalBorderColor = "#1c1c1c" - , focusedBorderColor = "#ff0000" - , workspaces = [ "dashboard", "sys", "wp" ] - } `additionalKeysP` myKeyMap - -myLayoutHook = defLayout - where - defLayout = smartBorders $ - minimize . - boringWindows $ - ( - noBorders StateFull ||| - (avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| - FixedColumn 2 80 80 1 ||| - Tall 1 (3/100) (1/2) ||| - simplestFloat ||| - mouseResizableTile ||| - Grid - ) - -floatHooks = composeAll - [ className =? "Pinentry" --> doCenterFloat - , className =? "Pager" --> doCenterFloat - , title =? "pager" --> doCenterFloat - , title =? "fzfmenu" --> doCenterFloat - , title =? "glxgears" --> doCenterFloat - , resource =? "Dialog" --> doFloat - , title =? 
"Upload to Imgur" --> - doRectFloat (W.RationalRect 0 0 (1 % 8) (1 % 8)) - , placeHook (smart (1,0)) - , floatNextHook - ] - -myKeyMap :: [([Char], X ())] -myKeyMap = - [ ("M4-p", forkFile "${pkgs.pass}/bin/passmenu" [ "--type" ] Nothing) - , ("M4-S-p", forkFile "${pkgs.otpmenu}/bin/otpmenu" [] Nothing) - , ("M4-z", forkFile "${pkgs.unimenu}/bin/unimenu" [] Nothing) - - , ("M4-S-q", restart "xmonad" True) - - , ("", spawn "${pkgs.pulseaudio.out}/bin/pactl -- set-sink-mute @DEFAULT_SINK@ toggle") - , ("", spawn "${pkgs.pulseaudio.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%") - , ("", spawn "${pkgs.pulseaudio.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ -4%") - , ("", spawn "${pkgs.acpilight}/bin/xbacklight -time 0 -dec 1") - , ("", spawn "${pkgs.acpilight}/bin/xbacklight -time 0 -inc 1") - , ("M4-C-k", spawn "${pkgs.xorg.xkill}/bin/xkill") - - , ("M4-", focusDown) - , ("M4-S-", focusUp) - , ("M4-j", focusDown) - , ("M4-k", focusUp) - - , ("M4-a", focusUrgent) - , ("M4-S-r", renameWorkspace myXPConfig) - , ("M4-S-a", addWorkspacePrompt myXPConfig) - , ("M4-S-", removeEmptyWorkspace) - , ("M4-S-c", kill1) - , ("M4-", toggleWS) - , ("M4-S-", spawn myTerm) - , ("M4-x", floatNext True >> spawn myTerm) - , ("M4-c", spawn "/run/current-system/sw/bin/emacsclient -c") - -- , ("M4-c", unGrab) - , ("M4-f", floatNext True) - , ("M4-b", spawn "/run/current-system/sw/bin/klem") - - , ("M4-c", defaultCommands >>= runCommand) - -- , ("M4-v", spawn "${pkgs.pager}/bin/pager view") - -- , ("M4-S-v", spawn "${pkgs.pager}/bin/pager shift") - , ("M4-v", withWorkspace autoXPConfig (windows . W.greedyView)) - , ("M4-S-v", withWorkspace autoXPConfig (windows . W.shift)) - , ("M4-C-v", withWorkspace autoXPConfig (windows . 
copy)) - - , ("M4-m", withFocused minimizeWindow) - , ("M4-S-m", withLastMinimized maximizeWindow) - - , ("M4-q", windowPromptGoto infixAutoXPConfig) - , ("M4-C-q", windowPromptBringCopy infixAutoXPConfig) - - , ("M4-S-q", return ()) - - , ("M4-d", floatNext True >> spawn "${pkgs.writers.writeDash "clipmenu" '' - PATH=${lib.makeBinPath [ - pkgs.coreutils - pkgs.gawk - pkgs.dmenu - ]} - ${pkgs.clipmenu}/bin/clipmenu - ''}") - - , ("M4-", spawn "${pkgs.writers.writeDash "paste" '' - ${pkgs.coreutils}/bin/sleep 0.4 - ${pkgs.xclip}/bin/xclip -o | ${pkgs.xdotool}/bin/xdotool type -f - - ''}") - - , ("M4-", spawn "/run/current-system/sw/bin/gamepad_mouse_toggle") - , ("M4-", windows copyToAll) - , ("M4-", spawn "${pkgs.nm-dmenu}/bin/nm-dmenu") - , ("M4-", spawn "${pkgs.acpilight}/bin/xbacklight -set 1") - , ("M4-", spawn "${pkgs.acpilight}/bin/xbacklight -set 10") - , ("M4-", spawn "${pkgs.acpilight}/bin/xbacklight -set 33") - , ("M4-", spawn "${pkgs.acpilight}/bin/xbacklight -set 100") - - , ("M4-", spawn "${pkgs.redshift}/bin/redshift -O 4000 -g 0.9:0.8:0.8") - , ("M4-", spawn "${pkgs.redshift}/bin/redshift -x") - - , ("M4-", spawn "${config.lass.screenlock.command}") - - , ("M4-u", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter") - , ("M4-y", spawn "/run/current-system/sw/bin/switch-theme toggle") - - ${lib.optionalString (builtins.hasAttr "warpd" pkgs) '', ("M4-s", spawn "${pkgs.warpd}/bin/warpd --hint")''} - , ("M4-i", spawn "/run/current-system/sw/bin/screenshot") - - --, ("M4-w", screenWorkspace 0 >>= (windows . W.greedyView)) - --, ("M4-e", screenWorkspace 1 >>= (windows . W.greedyView)) - --, ("M4-r", screenWorkspace 2 >>= (windows . 
W.greedyView))
- ]
-
-forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
-forkFile path args env =
- xfork (executeFile path True args env) >> return ()
-
-myXPConfig :: XPConfig
-myXPConfig = def
- { font = myFont
- , height = 40
- }
-
-autoXPConfig :: XPConfig
-autoXPConfig = myXPConfig
- { autoComplete = Just 5000
- }
-
-infixAutoXPConfig :: XPConfig
-infixAutoXPConfig = autoXPConfig
- { searchPredicate = isInfixOf
- }
-
-gridConfig :: GSConfig WorkspaceId
-gridConfig = def
- { gs_cellwidth = 100
- , gs_cellheight = 30
- , gs_cellpadding = 2
- , gs_navigate = navNSearch
- , gs_font = myFont
- }
-
- '';
- };
-}
diff --git a/lass/2configs/xonsh.nix b/lass/2configs/xonsh.nix
deleted file mode 100644
index 23ed28847..000000000
--- a/lass/2configs/xonsh.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- environment.systemPackages = [
- pkgs.xonsh
- pkgs.xonsh2
- ];
-}
diff --git a/lass/2configs/yellow-mounts/samba.nix b/lass/2configs/yellow-mounts/samba.nix
deleted file mode 100644
index e16f1cc47..000000000
--- a/lass/2configs/yellow-mounts/samba.nix
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- fileSystems."/mnt/yellow" = {
- device = "//yellow.r/public";
- fsType = "cifs";
- options = [
- "guest"
- "nofail"
- "noauto"
- "ro"
- "x-systemd.automount"
- "x-systemd.device-timeout=1"
- "x-systemd.idle-timeout=1min"
- ];
- };
- }
diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix
deleted file mode 100644
index 5ac310199..000000000
--- a/lass/2configs/yubikey.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{ config, lib, pkgs, ... }:
-{
- environment.systemPackages = with pkgs; [
- yubikey-personalization
- yubikey-manager
- pinentry-curses pinentry-qt
- ];
-
- services.udev.packages = with pkgs; [ yubikey-personalization ];
- systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ];
-
- services.pcscd.enable = true;
- systemd.user.services.gpg-agent.serviceConfig.ExecStartPre = pkgs.writers.writeDash "init_gpg" ''
- set -x
- mkdir -p $HOME/.gnupg
- ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "scdaemon.conf" ''
- disable-ccid
- pcsc-driver ${pkgs.pcsclite.out}/lib/libpcsclite.so.1
- card-timeout 1
-
- # Always try to use yubikey as the first reader
- # even when other smart card readers are connected
- # Name of the reader can be found using the pcsc_scan command
- # If you have problems with gpg not recognizing the Yubikey
- # then make sure that the string here matches exacly pcsc_scan
- # command output. Also check journalctl -f for errors.
- reader-port Yubico YubiKey
- ''} $HOME/.gnupg/scdaemon.conf
- '';
- systemd.user.services.gpg-agent.serviceConfig.ExecStartPost = pkgs.writers.writeDash "init_gpg" ''
- ${pkgs.gnupg}/bin/gpg --import ${../../kartei/lass/pgp/yubikey.pgp} >/dev/null
- echo -e '5\ny\n' | gpg --command-fd 0 --expert --edit-key DBCD757846069B392EA9401D6657BE8A8D1EE807 trust >/dev/null || :
- '';
-
- security.polkit.extraConfig = ''
- polkit.addRule(function(action, subject) {
- if (
- (
- action.id == "org.debian.pcsc-lite.access_pcsc" ||
- action.id == "org.debian.pcsc-lite.access_card"
- ) && subject.user == "lass"
- ) {
- return polkit.Result.YES;
- }
- });
- polkit.addRule(function(action, subject) {
- polkit.log("subject: " + subject + " action: " + action);
- });
- '';
-
- # allow nix to acces remote builders via yubikey
- systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/run/user/1337/gnupg/S.gpg-agent.ssh";
-
- programs = {
- ssh.startAgent = false;
- gnupg.agent = {
- enable = true;
- pinentryFlavor =
"qt";
- enableSSHSupport = true;
- };
- };
-}
diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix
deleted file mode 100644
index f77aa258b..000000000
--- a/lass/2configs/zsh.nix
+++ /dev/null
@@ -1,144 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - environment.systemPackages = with pkgs; [ - atuin - direnv - fzf - ]; - environment.variables.ATUIN_CONFIG_DIR = toString (pkgs.writeTextDir "/config.toml" '' - auto_sync = true - update_check = false - sync_address = "http://green.r:8888" - sync_frequency = 0 - style = "compact" - ''); - programs.zsh = { - enable = true; - shellInit = '' - #disable config wizard - zsh-newuser-install() { :; } - ''; - interactiveShellInit = '' - unsetopt nomatch # no matches found urls - setopt autocd extendedglob - bindkey -e - - - # # setopt inc_append_history - # bindkey '^R' history-incremental-search-backward - - #C-x C-e open line in editor - autoload -z edit-command-line - zle -N edit-command-line - bindkey "^X^E" edit-command-line - - #fzf inclusion - source ${pkgs.fzf}/share/fzf/completion.zsh - source ${pkgs.fzf}/share/fzf/key-bindings.zsh - - # atuin distributed shell history - export ATUIN_NOBIND="true" # disable all keybdinings of atuin - eval "$(atuin init zsh)" - bindkey '^r' _atuin_search_widget # bind ctrl+r to atuin - # use zsh only session history - fc -p - - #completion magic - autoload -Uz compinit - compinit - zstyle ':completion:*' menu select - - #enable automatic rehashing of $PATH - zstyle ':completion:*' rehash true - - # fancy mv which interactively gets the second argument if not given - function mv() { - if [[ "$#" -ne 1 ]] || [[ ! 
-e "$1" ]]; then - command mv -v "$@" - return - fi - - newfilename="$1" - vared newfilename - command mv -v -- "$1" "$newfilename" - } - - #beautiful colors - eval $(dircolors -b ${pkgs.fetchFromGitHub { - owner = "trapd00r"; - repo = "LS_COLORS"; - rev = "a75fca8545f91abb8a5f802981033ef54bf1eac0"; - sha256="1lzj0qnj89mzh76ha137mnz2hf86k278rh0y9x124ghxj9yqsnb4"; - }}/LS_COLORS) - zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS} - - #emacs bindings - bindkey "[7~" beginning-of-line - bindkey "[8~" end-of-line - bindkey "Oc" emacs-forward-word - bindkey "Od" emacs-backward-word - - # direnv integration - eval "$(${pkgs.direnv}/bin/direnv hook zsh)" - ''; - promptInit = '' - autoload -U promptinit - promptinit - - p_error='%(?..%F{red}%?%f )' - t_error='%(?..%? )' - - case $UID in - 0) - p_username='%F{red}root%f' - t_username='root' - ;; - 1337) - p_username="" - t_username="" - ;; - *) - p_username='%F{blue}%n%f' - t_username='%n' - ;; - esac - - if test -n "$SSH_CLIENT"; then - p_hostname='@%F{magenta}%M%f ' - t_hostname='@%M ' - else - p_hostname="" - t_hostname="" - fi - - #check if in nix shell - if test -n "$IN_NIX_SHELL"; then - p_nixshell='%F{green}[s]%f ' - t_nixshell='[s] ' - else - p_nixshell="" - t_nixshell="" - fi - - PROMPT="$p_error$p_username$p_hostname$p_nixshell%~ " - TITLE="$t_error$t_username$t_hostname$t_nixshell%~" - case $TERM in - (*xterm* | *rxvt*) - function precmd { - PROMPT_EVALED=$(print -P "$TITLE") - echo -ne "\033]0;$$ $PROMPT_EVALED\007" - } - # This seems broken for some reason - # # This is seen while the shell waits for a command to complete. - # function preexec { - # PROMPT_EVALED=$(print -P "$TITLE") - # echo -ne "\033]0;$$ $PROMPT_EVALED $1\007" - # } - ;; - esac - ''; - }; - environment.shellAliases.ns = "nix-shell --command zsh"; - - users.defaultUserShell = "/run/current-system/sw/bin/zsh"; -} 
diff --git a/lass/3modules/autowifi.nix b/lass/3modules/autowifi.nix
deleted file mode 100644
index 9aa1a2d28..000000000
--- a/lass/3modules/autowifi.nix
+++ /dev/null
@@ -1,38 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ; -let - - cfg = config.lass.autowifi; - -in { - options.lass.autowifi = { - enable = mkEnableOption "automatic wifi connector"; - knownWifisFile = mkOption { - type = types.str; - default = "/etc/wifis"; - }; - enablePrisonBreak = mkOption { - type = types.bool; - default = false; - }; - }; - - config = lib.mkIf cfg.enable { - systemd.services.autowifi = { - description = "Automatic wifi connector"; - wantedBy = [ "multi-user.target" ]; - path = [ pkgs.networkmanager ]; - serviceConfig = { - Type = "simple"; - Restart = "always"; - RestartSec = "10s"; - ExecStart = "${autowifi}/bin/autowifi"; - }; - }; - - networking.networkmanager.dispatcherScripts = mkIf cfg.enablePrisonBreak [ - { source = "${pkgs.callPackage ; -in { - options = { - lass.drbd = lib.mkOption { - default = {}; - type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: { - options = { - name = lib.mkOption { - type = lib.types.str; - default = config._module.args.name; - }; - blockMinor = lib.mkOption { - type = lib.types.int; - default = lib.mod (slib.genid config.name) 16000; # TODO get max_id fron drbd - }; - port = lib.mkOption { - type = lib.types.int; - default = 20000 + config.blockMinor; - }; - peers = lib.mkOption { - type = lib.types.listOf slib.types.host; - }; - disk = lib.mkOption { - type = lib.types.str; - default = "/dev/loop${toString config.blockMinor}"; - }; - drbdConfig = lib.mkOption { - type = lib.types.path; - internal = true; - default = pkgs.writeText "drbd-${config.name}.conf" '' - resource ${config.name} { - net { - protocol a; - ping-int 10; - csums-alg crc32c; - connect-int 3; - after-sb-0pri discard-older-primary; - after-sb-1pri discard-secondary; - - # seems to be drbd-proxy premium feature - on-congestion pull-ahead; - congestion-fill 1G; - congestion-extents 500; - - sndbuf-size 10M; - max-epoch-size 20000; - } - device minor ${toString config.blockMinor}; - disk ${config.disk}; - meta-disk 
internal; - ${slib.indent (lib.concatStrings (lib.imap1 (i: peer: /* shell */ '' - on ${peer.name} { - address ${peer.nets.retiolum.ip4.addr}:${toString config.port}; - node-id ${toString i}; - } - '') config.peers))} - connection-mesh { - hosts ${lib.concatMapStringsSep " " (peer: peer.name) config.peers}; - } - } - ''; - }; - }; - })); - }; - }; - config = lib.mkIf (cfg != {}) { - boot.extraModulePackages = [ - (pkgs.linuxPackages.callPackage ../5pkgs/drbd9/default.nix {}) - ]; - boot.extraModprobeConfig = '' - options drbd usermode_helper=/run/current-system/sw/bin/drbdadm - ''; - services.udev.packages = [ pkgs.drbd ]; - boot.kernelModules = [ "drbd" ]; - - environment.systemPackages = [ - pkgs.drbd - (pkgs.writers.writeDashBin "drbd-change-nodeid" '' - # https://linbit.com/drbd-user-guide/drbd-guide-9_0-en/#s-using-truck-based-replication - set -efux - - if [ "$#" -ne 2 ]; then - echo '$1 needs to be drbd volume name' - echo '$2 needs to be new node id' - exit 1 - fi - - - TMPDIR=$(mktemp -d) - trap 'rm -rf $TMPDIR' EXIT - - V=$1 - NODE_TO=$2 - META_DATA_LOCATION=internal - - ${pkgs.drbd}/bin/drbdadm -- --force dump-md $V > "$TMPDIR"/md_orig.txt - NODE_FROM=$(cat "$TMPDIR"/md_orig.txt | ${pkgs.gnused}/bin/sed -n 's/^node-id \(.*\);$/\1/p') - ${pkgs.gnused}/bin/sed -e "s/node-id $NODE_FROM/node-id $NODE_TO/" \ - -e "s/^peer.$NODE_FROM. /peer-NEW /" \ - -e "s/^peer.$NODE_TO. 
/peer[$NODE_FROM] /" \ - -e "s/^peer-NEW /peer[$NODE_TO] /" \ - < "$TMPDIR"/md_orig.txt > "$TMPDIR"/md.txt - - drbdmeta --force $(drbdadm sh-minor $V) v09 $(drbdadm sh-md-dev $V) $META_DATA_LOCATION restore-md "$TMPDIR"/md.txt - '') - ]; - - networking.firewall.allowedTCPPorts = map (device: device.port) (lib.attrValues cfg); - systemd.services = lib.mapAttrs' (_: device: - lib.nameValuePair "drbd-${device.name}" { - after = [ "systemd-udev.settle.service" "network.target" "retiolum.service" ]; - wants = [ "systemd-udev.settle.service" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - RemainAfterExit = true; - ExecStart = pkgs.writers.writeDash "start-drbd-${device.name}" '' - set -efux - mkdir -p /var/lib/sync-containers2 - ${lib.optionalString (device.disk == "/dev/loop${toString device.blockMinor}") '' - if ! test -e /var/lib/sync-containers2/${device.name}.disk; then - truncate -s 10G /var/lib/sync-containers2/${device.name}.disk - fi - if ! ${pkgs.util-linux}/bin/losetup /dev/loop${toString device.blockMinor}; then - ${pkgs.util-linux}/bin/losetup /dev/loop${toString device.blockMinor} /var/lib/sync-containers2/${device.name}.disk - fi - ''} - if ! ${pkgs.drbd}/bin/drbdadm adjust ${device.name}; then - ${pkgs.drbd}/bin/drbdadm down ${device.name} - ${pkgs.drbd}/bin/drbdadm create-md ${device.name}/0 --max-peers 31 - ${pkgs.drbd}/bin/drbdadm up ${device.name} - fi - ''; - ExecStop = pkgs.writers.writeDash "stop-drbd-${device.name}" '' - set -efux - ${pkgs.drbd}/bin/drbdadm -c ${device.drbdConfig} down ${device.name} - ${lib.optionalString (device.disk == "/dev/loop${toString device.blockMinor}") '' - ${pkgs.util-linux}/bin/losetup -d /dev/loop${toString device.blockMinor} - ''} - ''; - }; - } - ) cfg; - - - environment.etc."drbd.conf".text = '' - global { - usage-count yes; - } - - ${lib.concatMapStrings (device: /* shell */ '' - include ${device.drbdConfig}; - '') (lib.attrValues cfg)} - ''; - }; -} - 
diff --git a/lass/3modules/folderPerms.nix b/lass/3modules/folderPerms.nix
deleted file mode 100644
index bb0320327..000000000
--- a/lass/3modules/folderPerms.nix
+++ /dev/null
@@ -1,104 +0,0 @@ -{ config, lib, pkgs, ... }: - -#TODO: implement recursive mode maybe? -# enable different mods for files and folders - -let - inherit (pkgs) - writeScript - ; - - inherit (lib) - concatMapStringsSep - concatStringsSep - mkEnableOption - mkIf - mkOption - types - ; - - cfg = config.lass.folderPerms; - - out = { - options.lass.folderPerms = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "folder permissions"; - permissions = mkOption { - type = with types; listOf (submodule ({ - options = { - path = mkOption { - type = str; - }; - permission = mkOption { - type = nullOr str; - example = "755"; - description = '' - basically anything that chmod takes as permission - ''; - default = null; - }; - owner = mkOption { - type = nullOr str; - example = "root:root"; - description = '' - basically anything that chown takes as owner - ''; - default = null; - }; - }; - })); - }; - }; - - imp = { - systemd.services.lass-folderPerms = { - description = "lass-folderPerms"; - wantedBy = [ "multi-user.target" ]; - - path = with pkgs; [ - coreutils - ]; - - restartIfChanged = true; - - serviceConfig = { - type = "simple"; - RemainAfterExit = true; - Restart = "always"; - ExecStart = "@${startScript}"; - }; - }; - }; - - startScript = writeScript "lass-folderPerms" '' - ${concatMapStringsSep "\n" writeCommand cfg.permissions} - ''; - - writeCommand = fperm: - concatStringsSep "\n" [ - (buildPermission fperm) - (buildOwner fperm) - ]; - - buildPermission = perm: - #TODO: create folder maybe - #TODO: check if permission is valid - if (perm.permission == null) then - "" - else - "chmod ${perm.permission} ${perm.path}" - ; - - buildOwner = perm: - #TODO: create folder maybe - #TODO: check if owner/group valid - if (perm.owner == null) then - "" - else - "chown ${perm.owner} ${perm.path}" - ; - -in out diff --git a/lass/3modules/hosts.nix b/lass/3modules/hosts.nix deleted file mode 100644 index 37cbf3ed3..000000000 
--- a/lass/3modules/hosts.nix
+++ /dev/null
@@ -1,12 +0,0 @@
-{ config, ... }:
-
-with import ;
-
-{
- options.lass.hosts = mkOption {
- type = types.attrsOf types.host;
- default =
- filterAttrs (_: host: host.owner.name == "lass" && host.ci)
- config.krebs.hosts;
- };
-}
diff --git a/lass/3modules/klem.nix b/lass/3modules/klem.nix
deleted file mode 100644
index 8536d967d..000000000
--- a/lass/3modules/klem.nix
+++ /dev/null
@@ -1,75 +0,0 @@ -{ config, pkgs, ... }: with import ; let - cfg = config.lass.klem; -in { - options.lass.klem = mkOption { - default = {}; - type = types.attrsOf (types.submodule ({ config, ...}: { - options = { - target = mkOption { - default = ".*"; - description = '' - regex of valid targets - can be shown with xclip -selection clipboard -t TARGETS - the first hit is taken as target argument - ''; - type = types.str; - }; - script = mkOption { - description = '' - file to run if entry is selected - ''; - type = types.path; - }; - label = mkOption { - default = config._module.args.name; - description = '' - label to show in dmenu for this script - ''; - type = types.str; - }; - }; - })); - }; - config = let - klem = pkgs.writers.writeDashBin "klem" '' - set -x - - labels="" - # match filetype against patterns - ${concatMapStringsSep "\n" (script: '' - ${pkgs.xclip}/bin/xclip -selection clipboard -target TARGETS -out \ - | ${pkgs.gnugrep}/bin/grep -q '${script.target}' - if [ $? -eq 0 ]; then - labels="$labels:${script.label}" - fi - '') (attrValues cfg)} - - #remove empty line, feed into dmenu - script=$(echo "$labels" \ - | ${pkgs.gnused}/bin/sed 's/^://;s/:/\n/g' \ - | ${pkgs.dmenu}/bin/dmenu) - - #run the chosen script - case $script in - ${concatMapStringsSep "\n" (script: indent '' - ${script.label}) - target=$(${pkgs.xclip}/bin/xclip -selection clipboard -target TARGETS -out \ - | ${pkgs.gnugrep}/bin/grep '${script.target}' \ - | ${pkgs.gnugrep}/bin/grep -v TARGETS \ - | ${pkgs.coreutils}/bin/head -1) - ${pkgs.xclip}/bin/xclip -selection clipboard -target "$target" -out \ - | ${script.script} \ - | ${pkgs.xclip}/bin/xclip -selection clipboard -in - ;; - '') (attrValues cfg)} - esac - ''; - in mkIf (cfg != {}) { - environment.systemPackages = [ klem ]; - nixpkgs.overlays = [ - (self: super: { - klem = klem; - }) - ]; - }; -} diff --git a/lass/3modules/mysql-backup.nix b/lass/3modules/mysql-backup.nix deleted file mode 100644 index 516f96c34..000000000 
--- a/lass/3modules/mysql-backup.nix +++ /dev/null @@ -1,86 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - - cfg = config.lass.mysqlBackup; - - out = { - options.lass.mysqlBackup = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "mysqlBackup"; - config = mkOption { - type = with types; attrsOf (submodule ({ config, ... }: { - options = { - name = mkOption { - type = types.str; - default = config._module.args.name; - }; - startAt = mkOption { - type = with types; nullOr str; # TODO systemd.time(7)'s calendar event - default = "*-*-* 01:15:00"; - }; - user = mkOption { - type = str; - default = "root"; - }; - password = mkOption { - type = nullOr str; - default = null; - description = '' - path to a file containing the mysqlPassword for the specified user. - ''; - }; - databases = mkOption { - type = listOf str; - default = []; - }; - location = mkOption { - type = str; - default = "/backups/sql_dumps"; - }; - }; - })); - description = "configuration for mysqlBackup"; - }; - }; - - imp = { - - services.mysql.ensureUsers = [ - { ensurePermissions = { "*.*" = "ALL"; }; name = "root"; } - ]; - - systemd.services = - mapAttrs' (_: plan: nameValuePair "mysqlBackup-${plan.name}" { - path = with pkgs; [ - mysql - gzip - ]; - serviceConfig = rec { - ExecStart = start plan; - SyslogIdentifier = ExecStart.name; - Type = "oneshot"; - User = plan.user; - }; - startAt = plan.startAt; - }) cfg.config; - }; - - - start = plan: let - backupScript = plan: db: '' - mkdir -p ${plan.location} - mysqldump -u ${plan.user} ${optionalString (plan.password != null) "-p$(cat ${plan.password})"} ${db} | gzip -c > ${plan.location}/${db}.gz - ''; - - in pkgs.pkgs.writeDash "mysqlBackup.${plan.name}" '' - ${concatMapStringsSep "\n" (backupScript plan) plan.databases} - ''; - - -in out diff --git a/lass/3modules/news.nix b/lass/3modules/news.nix deleted file mode 100644 index b6061736c..000000000 --- a/lass/3modules/news.nix +++ /dev/null 
@@ -1,76 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; - -let - cfg = config.lass.news; - - out = { - options.lass.news = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "news"; - feeds = mkOption { - type = types.listOf (types.submodule { options = { - nick = mkOption { - type = types.str; - }; - feedurl = mkOption { - type = types.str; - }; - interval = mkOption { - type = types.int; - default = 1000; - }; - channels = mkOption { - type = types.listOf types.str; - }; - };}); - }; - user = mkOption { - type = types.user; - default = { - name = "news"; - home = "/var/lib/news"; - }; - }; - ircServer = mkOption { - type = types.str; - default = "localhost"; - description = "to which server the bot should connect"; - }; - }; - - imp = { - - users.users.${cfg.user.name} = { - inherit (cfg.user) home name uid; - createHome = true; - }; - - systemd.services = listToAttrs (map (feed: - nameValuePair "news-${feed.nick}" { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - SyslogIdentifier = "news-${feed.nick}"; - User = cfg.user.name; - PrivateTmp = true; - Restart = "always"; - ExecStart = pkgs.writeDash "news-${feed.nick}" '' - ${pkgs.haskellPackages.news}/bin/news '${feed.feedurl}' '${toString feed.interval}' \ - | ${pkgs.goify}/bin/goify \ - | while :; do - ${pkgs.haskellPackages.kirk}/bin/ircout --nick '${feed.nick}' --host '${cfg.ircServer}' \ - \${concatStringsSep " \\" feed.channels} - done - ''; - }; - } - ) cfg.feeds); - - }; - -in out diff --git a/lass/3modules/nichtparasoup.nix b/lass/3modules/nichtparasoup.nix deleted file mode 100644 index a28c2a159..000000000 --- a/lass/3modules/nichtparasoup.nix +++ /dev/null 
@@ -1,161 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; - -{ - options.lass.nichtparasoup = { - enable = mkEnableOption "nichtparasoup funny image page"; - config = mkOption { - type = types.str; - default = '' - [General] - Port: 5001 - IP: 0.0.0.0 - Useragent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25 - - [Cache] - Images_min_limit: 15 - - [Logging] - ;; possible destinations: file syslog - Destination: syslog - Verbosity: ERROR - - [Sites] - SoupIO: everyone - Pr0gramm: new,top - Reddit: ${lib.concatStringsSep "," [ - "2healthbars" - "abandonedporn" - "animalsbeingderps" - "ANormalDayInRussia" - "assholedesign" - "AwesomeOffBrands" - "bizarrebuildings" - "bonehurtingjuice" - "boottoobig" - "bossfight" - "bravofotogeschichten" - "breathinginformation" - "buddhistmemes" - "cablefail" - "cableporn" - "catastrophicfailure" - "chairsunderwater" - "clevercomebacks" - "confusingperspective" - "conni" - "crappydesign" - "cursedcomments" - "desirepath" - "doenerverbrechen" - "dontdeadopeninside" - "educationalgifs" - "EngineeringPorn" - "eyebleach" - "forbiddensnacks" - "funnyanimals" - "gifs" - "Gittertiere" - "goodboomerhumor" - "grssk" - "halthoch" - "hmm" - "hmmm" - "holdmybeer" - "holup" - "iamatotalpieceofshit" - "ichbin40undlustig" - "idiotsincars" - "illegallysmolcats" - "infokriegerkutschen" - "instagramreality" - "instant_regret" - "itrunsdoom" - "itsaunixsystem" - "kamikazebywords" - "keming" - "kidsarefuckingstupid" - "kitchenconfidential" - "laughingbuddha" - "LiminalSpace" - "loadingicon" - "MachinePorn" - "mallninjashit" - "michaelbaygifs" - "mildlyinfuriating" - "miscatculations" - "natureisfuckinglit" - "nononoyesno" - "notinteresting" - "notliketheothergirls" - "oddlysatisfying" - "ofcoursethatsathing" - "okbuddylinux" - "OSHA" - "PeopleFuckingDying" - "Perfectfit" - "perfectloops" - "PerfectTiming" - "picsofunusualbirds" - "PixelArt" - "pizzacrimes" - "prequelmemes" - 
"Prisonwallet" - "reactiongifs" - "RealFakeDoors" - "reallifedoodles" - "RetroFuturism" - "robotsbeingjerks" - "SchizophreniaRides" - "scriptedasiangifs" - "shitposting" - "shittyfoodporn" - "shittyrobots" - "softwaregore" - "specializedtools" - "spicypillows" - "StallmanWasRight" - "startledcats" - "startrekstabilized" - "stupidfood" - "techsupportgore" - "thathappened" - "ThingsCutInHalfPorn" - "totallynotrobots" - "trippinthroughtime" - "Unexpected" - "urbanexploration" - "wasletztepreis" - "wellthatsucks" - "wertekinder" - "wewantplates" - "whatcouldgowrong" - "whatsthisbug" - "whatsthisplant" - "whatswrongwithyourdog" - "whenthe" - "yesyesyesyesno" - "youseeingthisshit" - ]} - NineGag: geeky,wtf,hot,trending - Instagram: nature,wtf - Fourchan: sci - ''; - }; - }; - - config = mkIf config.lass.nichtparasoup.enable { - systemd.services.nichtparasoup = { - description = "nichtparasoup"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - restartIfChanged = true; - serviceConfig = { - Restart = "always"; - ExecStart = "${pkgs.nichtparasoup}/bin/nichtparasoup -c ${pkgs.writeText "config.ini" config.lass.nichtparasoup.config}"; - }; - }; - }; -} diff --git a/lass/3modules/pyload.nix b/lass/3modules/pyload.nix deleted file mode 100644 index 6f29ffb17..000000000 --- a/lass/3modules/pyload.nix +++ /dev/null 
@@ -1,55 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; - -let - cfg = config.lass.pyload; - - out = { - options.lass.pyload = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "pyload"; - user = mkOption { - type = types.str; - default = "download"; - }; - }; - - imp = { - - krebs.per-user.${cfg.user}.packages = [ - pkgs.pyload - pkgs.spidermonkey - pkgs.tesseract - ]; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 9099"; target = "ACCEPT"; } - ]; - systemd.services.pyload = { - description = "pyload"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - path = with pkgs; [ - pyload - spidermonkey - tesseract - dnsmasq - ]; - - restartIfChanged = true; - - serviceConfig = { - Restart = "always"; - ExecStart = "${pkgs.pyload}/bin/pyLoadCore"; - User = cfg.user; - }; - }; - - }; - -in out diff --git a/lass/3modules/screenlock.nix b/lass/3modules/screenlock.nix deleted file mode 100644 index b5c69b65a..000000000 --- a/lass/3modules/screenlock.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ pkgs, config, ... }: - -with import ; - -let - cfg = config.lass.screenlock; - - out = { - options.lass.screenlock = api; - config = mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "screenlock"; - command = mkOption { - type = types.path; - default = pkgs.writeDash "screenlock" '' - ${pkgs.xlockmore}/bin/xlock -mode life1d -size 1 - sleep 3 - ''; - }; - }; - - imp = { - systemd.services.screenlock = { - before = [ "sleep.target" ]; - requiredBy = [ "sleep.target" ]; - environment = { - DISPLAY = ":${toString config.services.xserver.display}"; - }; - serviceConfig = { - SyslogIdentifier = "screenlock"; - ExecStart = cfg.command; - Type = "simple"; - User = "lass"; - }; - }; - }; - -in out diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix deleted file mode 100644 index 094d37a36..000000000 --- a/lass/3modules/usershadow.nix +++ /dev/null 
@@ -1,139 +0,0 @@ -{ config, lib, pkgs, ... }@args: with import ; let - - cfg = config.lass.usershadow; - - out = { - options.lass.usershadow = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "usershadow"; - pattern = mkOption { - type = types.str; - default = "/home/%/.shadow"; - }; - path = mkOption { - type = types.str; - }; - }; - - imp = { - environment.systemPackages = [ usershadow ]; - lass.usershadow.path = "${usershadow}"; - security.pam.services.sshd.text = '' - auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} - auth required pam_permit.so - account required pam_permit.so - session required pam_permit.so - ''; - - security.pam.services.dovecot2.text = '' - auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} - auth required pam_permit.so - account required pam_permit.so - session required pam_permit.so - ''; - - security.wrappers.shadow_verify_pam = { - setuid = true; - source = "${usershadow}/bin/verify_pam"; - owner = "root"; - group = "root"; - }; - security.wrappers.shadow_verify_arg = { - setuid = true; - source = "${usershadow}/bin/verify_arg"; - owner = "root"; - group = "root"; - }; - }; - - usershadow = let { - deps = [ - "pwstore-fast" - "bytestring" - ]; - body = pkgs.writeHaskellPackage "passwords" { - ghc-options = [ - "-rtsopts" - "-Wall" - ]; - executables.verify_pam = { - extra-depends = deps; - text = '' - import System.IO - import Data.Char (chr) - import System.Environment (getEnv, getArgs) - import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) - import qualified Data.ByteString.Char8 as BS8 - import System.Exit (exitFailure, exitSuccess) - - main :: IO () - main = do - user <- getEnv "PAM_USER" - shadowFilePattern <- head <$> getArgs - let shadowFile = lhs <> user <> tail rhs - (lhs, rhs) = span (/= '%') shadowFilePattern - hash <- readFile shadowFile - password <- takeWhile (/= (chr 0)) <$> hGetLine stdin - let res 
= verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash) - if res then exitSuccess else exitFailure - ''; - }; - executables.verify_arg = { - extra-depends = deps; - text = '' - import System.Environment (getArgs) - import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) - import qualified Data.ByteString.Char8 as BS8 - import System.Exit (exitFailure, exitSuccess) - - main :: IO () - main = do - argsList <- getArgs - let shadowFilePattern = argsList !! 0 - let user = argsList !! 1 - let password = argsList !! 2 - let shadowFile = lhs <> user <> tail rhs - (lhs, rhs) = span (/= '%') shadowFilePattern - hash <- readFile shadowFile - let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash) - if res then do (putStr "yes") else exitFailure - ''; - }; - executables.passwd = { - extra-depends = deps; - text = '' - import System.Environment (getEnv) - import Crypto.PasswordStore (makePasswordWith, pbkdf2) - import qualified Data.ByteString.Char8 as BS8 - import System.IO (stdin, stdout, hSetEcho, hFlush, putStr, putStrLn) - import Control.Exception (bracket_) - - main :: IO () - main = do - home <- getEnv "HOME" - mb_password <- bracket_ (hSetEcho stdin False) (hSetEcho stdin True) $ do - putStr "Enter new UNIX password: " - hFlush stdout - password <- BS8.hGetLine stdin - putStrLn "" - putStr "Retype new UNIX password: " - hFlush stdout - password2 <- BS8.hGetLine stdin - return $ if password == password2 - then Just password - else Nothing - case mb_password of - Just password -> do - hash <- makePasswordWith pbkdf2 password 10 - BS8.writeFile (home ++ "/.shadow") hash - putStrLn "passwd: all authentication tokens updated successfully." - Nothing -> putStrLn "Sorry, passwords do not match" - ''; - }; - }; - }; - -in out diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix deleted file mode 100644 index 56943b7ac..000000000 --- a/lass/4lib/default.nix +++ /dev/null 
@@ -1,10 +0,0 @@ -{ lib, ... }: - -with lib; - -rec { - - getDefaultGateway = ip: - concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]); - -} diff --git a/lass/5pkgs/acronym/default.nix b/lass/5pkgs/acronym/default.nix deleted file mode 100644 index 8380b220a..000000000 --- a/lass/5pkgs/acronym/default.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ pkgs, ... }: - -pkgs.writeScriptBin "acronym" '' - - #! ${pkgs.bash}/bin/bash - - acro=$1 - - curl -L -s http://www.acronymfinder.com/$acro.html \ - | grep 'class="result-list__body__rank"' \ - | sed ' - s/.*title="\([^"]*\)".*/\1/ - s/^.* - // - s/'/'\'''/g - ' -'' diff --git a/lass/5pkgs/autowifi b/lass/5pkgs/autowifi deleted file mode 160000 index cf3ae8f6f..000000000 --- a/lass/5pkgs/autowifi +++ /dev/null @@ -1 +0,0 @@ -Subproject commit cf3ae8f6fe285eab67db4f36f9a3da3762c35317 diff --git a/lass/5pkgs/bank/default.nix b/lass/5pkgs/bank/default.nix deleted file mode 100644 index 9f3a44d79..000000000 --- a/lass/5pkgs/bank/default.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ writeDashBin, coreutils, pass, hledger, diffutils }: - -writeDashBin "bank" '' - tmp=$(mktemp) - ${pass}/bin/pass show hledger > $tmp - ${hledger}/bin/hledger --file=$tmp "$@" - ${pass}/bin/pass show hledger | if ${diffutils}/bin/diff $tmp -; then - exit 0 - else - ${coreutils}/bin/cat $tmp | ${pass}/bin/pass insert -m hledger - fi - ${coreutils}/bin/rm $tmp -'' - diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix deleted file mode 100644 index 6fa93e146..000000000 --- a/lass/5pkgs/default.nix +++ /dev/null 
@@ -1,24 +0,0 @@ -self: super: let - lib = super.lib; - - # This callPackage will try to detect obsolete overrides. - callPackage = path: args: let - override = super.callPackage path args; - upstream = lib.optionalAttrs (override ? "name") - (super.${(builtins.parseDrvName override.name).name} or {}); - in if upstream ? "name" && - override ? "name" && - builtins.compareVersions upstream.name override.name != -1 - then - builtins.trace - "Upstream `${upstream.name}' gets overridden by `${override.name}'." - override - else override; - - subdirsOf = path: - lib.mapAttrs (name: _: path + "/${name}") - (lib.filterAttrs (_: x: x == "directory") (builtins.readDir path)); - -in lib.mapAttrs (_: lib.flip callPackage {}) - (lib.filterAttrs (_: dir: lib.pathExists (dir + "/default.nix")) - (subdirsOf ./.)) diff --git a/lass/5pkgs/deploy/default.nix b/lass/5pkgs/deploy/default.nix deleted file mode 100644 index a3fe4dca3..000000000 --- a/lass/5pkgs/deploy/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ writers }: -writers.writeDashBin "deploy" '' - set -xeu - export SYSTEM="$1" - $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) -'' diff --git a/lass/5pkgs/dl/default.nix b/lass/5pkgs/dl/default.nix deleted file mode 100644 index 69f2b8c45..000000000 --- a/lass/5pkgs/dl/default.nix +++ /dev/null 
@@ -1,29 +0,0 @@ -{ pkgs }: -pkgs.writers.writeBashBin "dl" '' - set -efux - LINK_OR_SEARCH=$@ - if [[ $LINK_OR_SEARCH == magnet:?* ]] || [[ $LINK_OR_SEARCH =~ ^https?: ]]; then - LINK=$LINK_OR_SEARCH - else - SEARCH=$LINK_OR_SEARCH - fi - - if ! [ -z ''${SEARCH+x} ]; then - LINK=$(${pkgs.we-get}/bin/we-get -n 50 -t the_pirate_bay,1337x --json -s "$SEARCH" | - ${pkgs.jq}/bin/jq -r 'to_entries | - .[] | - "\(.key) [\(.value.seeds)]\t\(.value.link)" - ' | - ${pkgs.fzf}/bin/fzf -d '\t' --with-nth=1 | - ${pkgs.coreutils}/bin/cut -f 2 - ) - fi - - if [ -z ''${CATEGORY+x} ]; then - CATEGORY=$(echo -e 'movies\nseries' | ${pkgs.fzf}/bin/fzf) - fi - - ${pkgs.transmission}/bin/transmission-remote yellow.r \ - -w /var/download/finished/sorted/"$CATEGORY" \ - -a "$LINK" -'' diff --git a/lass/5pkgs/dls/default.nix b/lass/5pkgs/dls/default.nix deleted file mode 100644 index 36cdb620b..000000000 --- a/lass/5pkgs/dls/default.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ pkgs }: -pkgs.writers.writeDashBin "dls" '' - set -efux - SESSION_ID=$( - curl -Ss -d '{}' http://yellow.r:9091/transmission/rpc -v -o /dev/null 2>&1 | - grep -oP '(?<=X-Transmission-Session-Id: )\w+' - ) - ${pkgs.curl}/bin/curl -Ss \ - http://yellow.r:9091/transmission/rpc \ - -H "X-Transmission-Session-Id: $SESSION_ID" \ - -d '{"arguments":{"fields":["errorString","eta","isFinished","name","sizeWhenDone","status"]},"method":"torrent-get","tag":4}' | - jq . -'' diff --git a/lass/5pkgs/drbd9/default.nix b/lass/5pkgs/drbd9/default.nix deleted file mode 100644 index 34ef0f564..000000000 --- a/lass/5pkgs/drbd9/default.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -{ lib, stdenv, git, fetchzip, fetchFromGitHub, kernel }: let - - version = "9.1.7"; - -in stdenv.mkDerivation { - pname = "drbd"; - version = "${kernel.version}-${version}"; - - src = fetchzip { - url = "https://pkg.linbit.com//downloads/drbd/9/drbd-9.1.7.tar.gz"; - sha256 = "sha256-JsbtOrqhZkG7tFEc6tDmj3RlxZggl0HOKfCI8lYtQok="; - }; - # src = fetchFromGitHub { - # owner = "LINBIT"; - # repo = "drbd"; - # rev = "drbd-${version}"; - # sha256 = "sha256-8HAt+k0yi6XsZZ9mkVCQkv2pn65o3Zsa0KwTSBJh0yY="; - # leaveDotGit = true; - # }; - - nativeBuildInputs = [ git ] ++ kernel.moduleBuildDependencies; - - # hardeningDisable = [ "pic" ]; - - makeFlags = kernel.makeFlags ++ [ - "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build" - ]; - - installPhase = '' - install -D drbd/drbd.ko -t "$out/lib/modules/${kernel.modDirVersion}/updates/" - install -D drbd/drbd_transport_tcp.ko -t "$out/lib/modules/${kernel.modDirVersion}/updates/" - ''; - - enableParallelBuilding = true; -} diff --git a/lass/5pkgs/emot-menu/default.nix b/lass/5pkgs/emot-menu/default.nix deleted file mode 100644 index 3ce635dac..000000000 --- a/lass/5pkgs/emot-menu/default.nix +++ /dev/null 
@@ -1,34 +0,0 @@ -{ coreutils, dmenu, gnused, writeDashBin, writeText, xdotool }: let - - emoticons = writeText "emoticons" '' -¯\(°_o)/¯ | dunno lol shrug dlol -¯\_(ツ)_/¯ | dunno lol shrug dlol -( ͡° ͜ʖ ͡°) | lenny -¯\_( ͡° ͜ʖ ͡°)_/¯ | lenny shrug dlol -( ゚д゚) | aaah sad noo -ヽ(^o^)丿 | hi yay hello -(^o^; | ups hehe -(^∇^) | yay -┗(`皿´)┛ | angry argh -ヾ(^_^) byebye!! | bye -<(^.^<) <(^.^)> (>^.^)> (7^.^)7 (>^.^<) | dance -(-.-)Zzz... | sleep -(∩╹□╹∩) | oh noes woot -™ | tm -ζ | zeta -(╯°□°)╯ ┻━┻ | table flip -(」゜ロ゜)」 | why woot -(_゜_゜_) | gloom I see you -༼ ༎ຶ ෴ ༎ຶ༽ | sad -(\/) (°,,,,°) (\/) | krebs - ''; - -in -writeDashBin "emoticons" '' - set -efu - - data=$(${coreutils}/bin/cat ${emoticons}) - emoticon=$(echo "$data" | ${dmenu}/bin/dmenu | ${gnused}/bin/sed 's/ | .*//') - ${xdotool}/bin/xdotool type --clearmodifiers -- "$emoticon" - exit 0 -'' diff --git a/lass/5pkgs/firefoxPlugins/noscript.nix b/lass/5pkgs/firefoxPlugins/noscript.nix deleted file mode 100644 index 67a00a1b2..000000000 --- a/lass/5pkgs/firefoxPlugins/noscript.nix +++ /dev/null @@ -1,28 +0,0 @@ -{ fetchgit, stdenv, bash, zip }: - -stdenv.mkDerivation rec { - name = "noscript"; - id = "{73a6fe31-595d-460b-a920-fcc0f8843232}"; - - src = fetchgit { - url = "https://github.com/avian2/noscript"; - rev = "c900a079793868bb080ab1e23522d29dc121b4c6"; - sha256 = "1y06gh5a622yrsx0h7v92qnvdi97i54ln09zc1lvk8x430z5bdly"; - }; - - buildInputs = [ zip ]; - - patchPhase = '' - substituteInPlace "version.sh" \ - --replace "/bin/bash" "${bash}/bin/bash" - ''; - - buildPhase = '' - ./makexpi.sh - ''; - - installPhase = '' - mkdir -p $out/ - cp *.xpi $out/${id}.xpi - ''; -} diff --git a/lass/5pkgs/firefoxPlugins/ublock.nix b/lass/5pkgs/firefoxPlugins/ublock.nix deleted file mode 100644 index 29ef250e8..000000000 --- a/lass/5pkgs/firefoxPlugins/ublock.nix +++ /dev/null 
@@ -1,31 +0,0 @@ -{ fetchgit, stdenv, bash, python, zip }: - -stdenv.mkDerivation rec { - name = "ublock"; - id = "{2b10c1c8-a11f-4bad-fe9c-1c11e82cac42}"; - - src = fetchgit { - url = "https://github.com/chrisaljoudi/uBlock"; - rev = "a70a50052a7914cbf86d46a725812b98434d8c70"; - sha256 = "1qfzy79f8x01i33x0m95k833z1jgxjwb8wvlr6fj6id1kxfvzh77"; - }; - - buildInputs = [ - zip - python - ]; - - patchPhase = '' - substituteInPlace "tools/make-firefox.sh" \ - --replace "/bin/bash" "${bash}/bin/bash" - ''; - - buildPhase = '' - tools/make-firefox.sh all - ''; - - installPhase = '' - mkdir -p $out/ - cp dist/build/uBlock.firefox.xpi $out/${id}.xpi - ''; -} diff --git a/lass/5pkgs/firefoxPlugins/vimperator.nix b/lass/5pkgs/firefoxPlugins/vimperator.nix deleted file mode 100644 index dabef3d20..000000000 --- a/lass/5pkgs/firefoxPlugins/vimperator.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ fetchgit, stdenv, zip }: - -stdenv.mkDerivation rec { - name = "vimperator"; - id = "vimperator@mozdev.org"; - - src = fetchgit { - url = "https://github.com/vimperator/vimperator-labs.git"; - rev = "ba7d8e72516fdc22246748c8183d7bc90f6fb073"; - sha256 = "0drz67qm5hxxzw699rswlpjkg4p2lfipx119pk1nyixrqblcsvq2"; - }; - - buildInputs = [ zip ]; - - installPhase = '' - mkdir -p $out/ - cp downloads/vimperator*.xpi $out/${id}.xpi - ''; -} diff --git a/lass/5pkgs/graphml2json/default.nix b/lass/5pkgs/graphml2json/default.nix deleted file mode 100644 index 6f06ded3d..000000000 --- a/lass/5pkgs/graphml2json/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ pkgs, ... }: -pkgs.writers.writePython3Bin "graphml2json" { libraries = [ pkgs.python3Packages.networkx ]; } '' - import networkx as nx - import json - import sys - - - G = nx.read_graphml(sys.argv[1]) - data = nx.readwrite.json_graph.node_link_data(G) - - print(json.dumps(data, indent=2)) -'' diff --git a/lass/5pkgs/htmlparser/default.nix b/lass/5pkgs/htmlparser/default.nix deleted file mode 100644 index 72bd3f437..000000000 
--- a/lass/5pkgs/htmlparser/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ lib, buildGoModule, fetchFromGitHub }: - -buildGoModule rec { - pname = "htmlparser"; - version = "v1.0.0"; - - src = fetchFromGitHub { - owner = "htmlparser"; - repo = "htmlparser"; - rev = "02f964ebd24c296dcfa56c357bb8dedde0f39757"; - sha256 = "1k19rdpjf5sdyjfl233y6bsfgkcnv799ivrh2vkw22almg4243ar"; - }; - - vendorSha256 = "0qkd587z4n372y4lqyzjqc1qlsi3525ah99vdm5dqq4jidcd5h7w"; -} diff --git a/lass/5pkgs/init/default.nix b/lass/5pkgs/init/default.nix deleted file mode 100644 index ee49951b1..000000000 --- a/lass/5pkgs/init/default.nix +++ /dev/null 
@@ -1,107 +0,0 @@ -{ pkgs, lib, vgname ? "vgname", luksmap ? "luksmap", ... }: - -with lib; - -pkgs.writeScriptBin "init" '' - #!/usr/bin/env nix-shell - #! nix-shell -i bash -p cryptsetup gptfdisk jq libxfs - set -xefuo pipefail - - disk=$1 - - if mount | grep -q "$disk"; then - echo "target device is already mounted, bailout" - exit 2 - fi - - bootdev="$disk"2 - luksdev="$disk"3 - luksmap=/dev/mapper/${luksmap} - - vgname=${vgname} - - - rootdev=/dev/mapper/${vgname}-root - homedev=/dev/mapper/${vgname}-home - - read -p "LUKS Password: " lukspw - - # - # partitioning - # - - # http://en.wikipedia.org/wiki/GUID_Partition_Table - # undo: - # dd if=/dev/zero bs=512 count=34 of=/dev/sda - # TODO zero last 34 blocks (lsblk -bno SIZE /dev/sda) - if ! test "$(blkid -o value -s PTTYPE "$disk")" = gpt; then - sgdisk -og "$disk" - sgdisk -n 1:2048:4095 -c 1:"BIOS Boot Partition" -t 1:ef02 "$disk" - sgdisk -n 2:4096:+1G -c 2:"EFI System Partition" -t 2:ef00 "$disk" - sgdisk -n 3:0:0 -c 3:"LUKS container" -t 3:8300 "$disk" - fi - - if ! test "$(blkid -o value -s PARTLABEL "$luksdev")" = "LUKS container"; then - echo zonk2 - exit 23 - fi - - if ! cryptsetup isLuks "$luksdev"; then - # aes xts-plain64 - echo -n "$lukspw" | cryptsetup luksFormat "$luksdev" - \ - -h sha512 \ - --iter-time 5000 - fi - - if ! test -e "$luksmap"; then - echo "$lukspw" | cryptsetup luksOpen "$luksdev" "$(basename "$luksmap")" - - fi - - if ! test "$(blkid -o value -s TYPE "$luksmap")" = LVM2_member; then - pvcreate "$luksmap" - fi - - if ! vgdisplay -s "$vgname"; then vgcreate "$vgname" "$luksmap"; fi - - lvchange -a y /dev/mapper/"$vgname" - - if ! test -e "$rootdev"; then lvcreate -L 3G -n root "$vgname"; fi - - # - # formatting - # - - if ! test "$(blkid -o value -s TYPE "$bootdev")" = vfat; then - mkfs.vfat "$bootdev" - fi - - if ! test "$(blkid -o value -s TYPE "$rootdev")" = xfs; then - mkfs.xfs "$rootdev" - fi - - if ! 
test "$(lsblk -n -o MOUNTPOINT "$rootdev")" = /mnt; then - mkdir -p /mnt - mount "$rootdev" /mnt - fi - if ! test "$(lsblk -n -o MOUNTPOINT "$bootdev")" = /mnt/boot; then - mkdir -m 0000 -p /mnt/boot - mount "$bootdev" /mnt/boot - fi - - # - # dependencies for stockholm - # - - # TODO: get sentinal file from target_path - mkdir -p /mnt/var/src - touch /mnt/var/src/.populate - - # - # print all the infos - # - - gdisk -l "$disk" - lsblk "$disk" - - echo READY. -'' diff --git a/lass/5pkgs/init/run-vm.sh b/lass/5pkgs/init/run-vm.sh deleted file mode 100755 index 13914ad5f..000000000 --- a/lass/5pkgs/init/run-vm.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env nix-shell -#! nix-shell -i bash -p nixos-generators - -set -efu - -WD=$(dirname "$0") -nixos-generate -I stockholm="$WD"/../../.. -c "$WD"/config.nix -f vm-nogui --run diff --git a/lass/5pkgs/init/test.nix b/lass/5pkgs/init/test.nix deleted file mode 100644 index e76e7e009..000000000 --- a/lass/5pkgs/init/test.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - virtualisation.emptyDiskImages = [ - 8000 - ]; - virtualisation.memorySize = 1500; - boot.tmpOnTmpfs = true; - - environment.systemPackages = [ - (pkgs.callPackage ./default.nix {}) - ]; - services.mingetty.autologinUser = lib.mkForce "root"; -} diff --git a/lass/5pkgs/init/test.sh b/lass/5pkgs/init/test.sh deleted file mode 100755 index 0ceaa73ca..000000000 --- a/lass/5pkgs/init/test.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env nix-shell -#! nix-shell -i bash -p nixos-generators - -set -xefu - -WD=$(realpath $(dirname "$0")) -TMPDIR=$(mktemp -d) -cd "$TMPDIR" -nixos-generate -c "$WD"/test.nix -f vm-nogui --run "$@" -cd - -rm -r "$TMPDIR" diff --git a/lass/5pkgs/install-system/default.nix b/lass/5pkgs/install-system/default.nix deleted file mode 100644 index 0e13265f6..000000000 --- a/lass/5pkgs/install-system/default.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -{ pkgs }: -pkgs.writers.writeDashBin "install-system" '' - set -efux - SYSTEM=$1 - TARGET=$2 - # format - if ! (sshn "$TARGET" -- mountpoint /mnt); then - if ! (sshn "$TARGET" -- type -p nix); then - nix run github:numtide/nixos-remote -- --stop-after-disko --store-paths "$(nix-build --no-out-link -I stockholm="$HOME"/sync/stockholm -I nixos-config="$HOME"/sync/stockholm/lass/1systems/"$SYSTEM"/physical.nix '' -A config.system.build.diskoNoDeps)" /dev/null "$TARGET" - else - disko=$(nix-build -I stockholm=$HOME/sync/stockholm -I secrets=$HOME/sync/stockholm/lass/2configs/tests/dummy-secrets -I nixos-config=$HOME/sync/stockholm/lass/1systems/$SYSTEM/physical.nix '' -A config.system.build.disko) - NIX_SSHOPTS='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' nix-copy-closure --to "$TARGET" "$disko" - sshn -t "$TARGET" -- "$disko" - fi - fi - - # install dependencies - sshn "$TARGET" << SSH - if ! type -p git; then - nix-channel --update - nix-env -iA nixos.git - fi - SSH - - # populate - $(nix-build --no-out-link "$HOME"/sync/stockholm/lass/krops.nix -A populate --argstr name "$SYSTEM" --argstr target "$TARGET"/mnt/var/src --arg force true) - - # install - sshn "$TARGET" << SSH - NIXOS_CONFIG=/var/src/nixos-config nixos-install --no-root-password -I /mnt/var/src - nixos-enter -- nixos-rebuild -I /var/src switch --install-bootloader - umount -R /mnt - zpool export -fa - SSH -'' diff --git a/lass/5pkgs/knav/default.nix b/lass/5pkgs/knav/default.nix deleted file mode 100644 index 30d49a1b3..000000000 --- a/lass/5pkgs/knav/default.nix +++ /dev/null 
@@ -1,26 +0,0 @@ -{ pkgs, ... }: let - - keynavrc = pkgs.writeText "keynavrc" '' - clear - Escape quit - q record ~/.keynav_macros - shift+at playback - u history-back - a cut-left - s cut-down - w cut-up - d cut-right - shift+a move-left - shift+s move-down - shift+w move-up - shift+d move-right - t windowzoom - c cursorzoom 300 300 - e warp - 1 click 1 - 2 click 2 - 3 click 3 - ''; -in pkgs.writeScriptBin "knav" '' - ${pkgs.keynav}/bin/keynav "loadconfig ${keynavrc}, start" -'' diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix deleted file mode 100644 index 27e59bb96..000000000 --- a/lass/5pkgs/l-gen-secrets/default.nix +++ /dev/null 
@@ -1,82 +0,0 @@ -{ pkgs }: -pkgs.writers.writeDashBin "l-gen-secrets" '' - set -efu - HOSTNAME=$1 - TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) - if [ "''${DRYRUN-n}" = "n" ]; then - trap 'rm -rf $TMPDIR' EXIT - else - echo "$TMPDIR" - set -x - fi - mkdir -p $TMPDIR/out - - PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) - HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null - - # ssh - ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null - ${pkgs.coreutils}/bin/mv $TMPDIR/ssh.id_ed25519 $TMPDIR/out/ - - # tor - ${pkgs.coreutils}/bin/timeout 1 ${pkgs.tor}/bin/tor --HiddenServiceDir $TMPDIR/tor --HiddenServicePort 1 --SocksPort 0 >/dev/null || : - ${pkgs.coreutils}/bin/mv $TMPDIR/tor/hs_ed25519_secret_key $TMPDIR/out/ssh-tor.priv - - # tinc - ${pkgs.coreutils}/bin/mkdir -p $TMPDIR/tinc - ${pkgs.tinc_pre}/bin/tinc --config $TMPDIR/tinc generate-keys 4096 $TMPDIR/out/wiregrill.key - ${pkgs.coreutils}/bin/cat $TMPDIR/out/wiregrill.key | ${pkgs.wireguard-tools}/bin/wg pubkey > $TMPDIR/wiregrill.pub - - # system passwords - cat < $TMPDIR/out/hashedPasswords.nix - { - root = "$HASHED_PASSWORD"; - mainUser = "$HASHED_PASSWORD"; - } - EOF - - set +f - if [ "''${DRYRUN-n}" = "n" ]; then - cd $TMPDIR/out - for x in *; do - ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null - done - echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null - ${pkgs.coreutils}/bin/cat $TMPDIR/tor/hostname | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/torname > /dev/null - fi - set -f - - cat <> $hist - mpv $mpv_options $toPlay - } - - if ! 
[ -e $hist ]; then - touch $hist - fi - - while : - do - if [ -s $pl ]; then - toPlay=$(head -1 $pl) - sed -i '1d' $pl - if $(echo $toPlay | grep -Eq 'https?://(www.)?youtube.com/watch'); then - lastYT=$toPlay - fi - play_video $toPlay - else - if [ -n "$lastYT" ]; then - next=$(yt-next $lastYT) - lastYT=$next - play_video $next - fi - sleep 1 - fi - done -'' diff --git a/lass/5pkgs/nichtparasoup/default.nix b/lass/5pkgs/nichtparasoup/default.nix deleted file mode 100644 index fcff7ad54..000000000 --- a/lass/5pkgs/nichtparasoup/default.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ stdenv, pkgs, ... }: -let - py = pkgs.python3Packages.python.withPackages (p: [ - p.werkzeug - p.beautifulsoup4 - ]); - src = pkgs.fetchFromGitHub { - owner = "k4cg"; - repo = "nichtparasoup"; - rev = "c6dcd0d"; - sha256 = "10xy20bjdnd5bjv2hf6v5y5wi0mc9555awxkjqf57rk6ngc5w6ss"; - }; -in pkgs.writeDashBin "nichtparasoup" '' - ${py}/bin/python ${src}/nichtparasoup.py "$@" -'' diff --git a/lass/5pkgs/nichtparasoup/exception.patch b/lass/5pkgs/nichtparasoup/exception.patch deleted file mode 100644 index 34c177de0..000000000 --- a/lass/5pkgs/nichtparasoup/exception.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/nichtparasoup.py b/nichtparasoup.py -index 9da9a2b..833ca71 100755 ---- a/nichtparasoup.py -+++ b/nichtparasoup.py -@@ -211,7 +211,7 @@ def cache_fill_loop(): - try: - sources[crawler][site].crawl() - info = Crawler.info() -- except Exception, e: -+ except Exception as e: - logger.error("Error in crawler %s - %s: %s" % (crawler, site, e)) - break - diff --git a/lass/5pkgs/nix-index-update/default.nix b/lass/5pkgs/nix-index-update/default.nix deleted file mode 100644 index 40be8d1a3..000000000 --- a/lass/5pkgs/nix-index-update/default.nix +++ /dev/null 
@@ -1,9 +0,0 @@ -{ pkgs }: -pkgs.writers.writeDashBin "nix-index-update" '' - set -efux - filename="index-$(uname -m)-$(uname | tr A-Z a-z)" - mkdir -p ~/.cache/nix-index && cd ~/.cache/nix-index - # -N will only download a new version if there is an update. - ${pkgs.wget}/bin/wget -q -N https://github.com/Mic92/nix-index-database/releases/latest/download/$filename - ln -f $filename files -'' diff --git a/lass/5pkgs/nm-dmenu/default.nix b/lass/5pkgs/nm-dmenu/default.nix deleted file mode 100644 index ff4ba1633..000000000 --- a/lass/5pkgs/nm-dmenu/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ pkgs, lib, ... }: - -pkgs.writeDashBin "nm-dmenu" '' - export PATH=$PATH:${lib.makeBinPath [ - pkgs.dmenu - pkgs.networkmanagerapplet - pkgs.procps - ]} - exec ${pkgs.networkmanager_dmenu}/bin/networkmanager_dmenu "$@" -'' diff --git a/lass/5pkgs/otpmenu/default.nix b/lass/5pkgs/otpmenu/default.nix deleted file mode 100644 index fffe47005..000000000 --- a/lass/5pkgs/otpmenu/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ pkgs }: -pkgs.writers.writeDashBin "otpmenu" '' -set -efux -x=$(${pkgs.pass}/bin/pass git ls-files '*/otp.gpg' \ - | ${pkgs.gnused}/bin/sed 's:/otp\.gpg$::' \ - | ${pkgs.dmenu}/bin/dmenu -) - -otp=$(${(pkgs.pass.withExtensions (ext: [ ext.pass-otp ]))}/bin/pass otp code "$x/otp") -printf %s "$otp" | ${pkgs.wtype}/bin/wtype -s 1 - || printf %s "$otp" | ${pkgs.xdotool}/bin/xdotool type -f - -'' diff --git a/lass/5pkgs/pop/default.nix b/lass/5pkgs/pop/default.nix deleted file mode 100644 index cec22e3b1..000000000 --- a/lass/5pkgs/pop/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ pkgs, ... }: - -pkgs.writeScriptBin "pop" '' - #! ${pkgs.bash}/bin/bash - - file=$1 - - head -1 $file - sed -i 1d $file -'' diff --git a/lass/5pkgs/q/default.nix b/lass/5pkgs/q/default.nix deleted file mode 100644 index 9b834f0c4..000000000 --- a/lass/5pkgs/q/default.nix +++ /dev/null 
@@ -1,286 +0,0 @@ -{ pkgs, ... }: -let - q-cal = let - # XXX 23 is the longest line of cal's output - pad = ''{ - ${pkgs.gnused}/bin/sed ' - # rtrim - s/ *$// - - # delete last empty line - ''${/^$/d} - ' \ - | ${pkgs.gawk}/bin/awk '{printf "%-23s\n", $0}' \ - | ${pkgs.gnused}/bin/sed ' - # colorize header - 1,2s/.*/&/ - - # colorize week number - s/^[ 1-9][0-9]/&/ - ' - }''; - in '' - ${pkgs.coreutils}/bin/paste \ - <(${pkgs.util-linux}/bin/cal -mw \ - $(${pkgs.coreutils}/bin/date +'%m %Y' -d 'last month') \ - | ${pad} - ) \ - <(${pkgs.util-linux}/bin/cal -mw \ - | ${pkgs.gnused}/bin/sed ' - # colorize day of month - s/\(^\| \)'"$(${pkgs.coreutils}/bin/date +%e)"'\>/&/ - ' \ - | ${pad} - ) \ - <(${pkgs.util-linux}/bin/cal -mw \ - $(${pkgs.coreutils}/bin/date +'%m %Y' -d 'next month') \ - | ${pad} - ) \ - | ${pkgs.gnused}/bin/sed 's/\t/ /g' - ''; - - q-isodate = '' - ${pkgs.coreutils}/bin/date \ - '+%Y-%m-%dT%H:%M:%S%:z' - ''; - - q-gitdir = '' - if test -d .git; then - #git status --porcelain - branch=$( - ${pkgs.git}/bin/git branch \ - | ${pkgs.gnused}/bin/sed -rn 's/^\* (.*)/\1/p' - ) - echo "± $LOGNAME@''${HOSTNAME-$(${pkgs.nettools}/bin/hostname)}:$PWD .git $branch" - fi - ''; - - q-intel_backlight = '' - cd /sys/class/backlight/intel_backlight - = .42) t_col = "1;32" - else if (r >= 23) t_col = "1;33" - else if (r >= 11) t_col = "1;31" - else t_col = "5;1;31" - return sgr(t_col) strdup("■", t1) sgr(";30") strdup("■", t2) sgr() - } - - function sgr(p) { - return "\x1b[" p "m" - } - - function strdup(s,n,t) { - t = sprintf("%"n"s","") - gsub(/ /,s,t) - return t - } - - END { - name = ENVIRON["POWER_SUPPLY_NAME"] - - charge_unit = "Ah" - charge_now = ENVIRON["POWER_SUPPLY_CHARGE_NOW"] / 10^6 - charge_full = ENVIRON["POWER_SUPPLY_CHARGE_FULL"] / 10^6 - - current_unit = "A" - current_now = ENVIRON["POWER_SUPPLY_CURRENT_NOW"] / 10^6 - - energy_unit = "Wh" - energy_now = ENVIRON["POWER_SUPPLY_ENERGY_NOW"] / 10^6 - energy_full = ENVIRON["POWER_SUPPLY_ENERGY_FULL"] / 
10^6 - - power_unit = "W" - power_now = ENVIRON["POWER_SUPPLY_POWER_NOW"] / 10^6 - - voltage_unit = "V" - voltage_now = ENVIRON["POWER_SUPPLY_VOLTAGE_NOW"] / 10^6 - voltage_min_design = ENVIRON["POWER_SUPPLY_VOLTAGE_MIN_DESIGN"] / 10^6 - - #printf "charge_now: %s\n", charge_now - #printf "charge_full: %s\n", charge_full - #printf "current_now: %s\n", current_now - #printf "energy_now: %s\n", energy_now - #printf "energy_full: %s\n", energy_full - #printf "energy_full: %s\n", ENVIRON["POWER_SUPPLY_ENERGY_FULL"] - #printf "energy_full: %s\n", ENVIRON["POWER_SUPPLY_ENERGY_FULL"] / 10^6 - #printf "power_now: %s\n", power_now - #printf "voltage_now: %s\n", voltage_now - - if (current_now == 0 && voltage_now != 0) { - current_now = power_now / voltage_now - } - if (power_now == 0) { - power_now = current_now * voltage_now - } - if (charge_now == 0 && voltage_min_design != 0) { - charge_now = energy_now / voltage_min_design - } - if (energy_now == 0) { - energy_now = charge_now * voltage_min_design - } - if (charge_full == 0 && voltage_min_design != 0) { - charge_full = energy_full / voltage_min_design - } - if (energy_full == 0) { - energy_full = charge_full * voltage_min_design - } - - if (charge_now == 0 || charge_full == 0) { - die("unknown charge") - } - - charge_ratio = charge_now / charge_full - - out = out name - out = out sprintf(" %s", print_bar(10, charge_ratio)) - out = out sprintf(" %d%", charge_ratio * 100) - out = out sprintf(" %.2f%s", charge_now, charge_unit) - if (current_now != 0) { - out = out sprintf("/%.1f%s", current_now, current_unit) - } - out = out sprintf(" %d%s", energy_full, energy_unit) - if (power_now != 0) { - out = out sprintf("/%.1f%s", power_now, power_unit) - } - if (current_now != 0) { - out = out sprintf(" %s", print_hm(charge_now / current_now)) - } - - print out - } - ' - ''; - in '' - for uevent in /sys/class/power_supply/*/uevent; do - ${power_supply} "$uevent" || : - done - ''; - - q-virtualization = '' - echo "VT: 
$(${pkgs.systemd}/bin/systemd-detect-virt)" - ''; - - q-wireless = '' - for dev in $( - ${pkgs.iw}/bin/iw dev \ - | ${pkgs.gnused}/bin/sed -n 's/^\s*Interface\s\+\([0-9a-z]\+\)$/\1/p' - ); do - inet=$(${pkgs.iproute2}/bin/ip addr show $dev \ - | ${pkgs.gnused}/bin/sed -n ' - s/.*inet \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/p - ') \ - || unset inet - ssid=$(${pkgs.iw}/bin/iw dev $dev link \ - | ${pkgs.gnused}/bin/sed -n ' - s/.*\tSSID: \(.*\)/\1/p - ') \ - || unset ssid - echo "$dev''${inet+ $inet}''${ssid+ $ssid}" - done - ''; - - q-online = '' - if ${pkgs.curl}/bin/curl -s google.com >/dev/null; then - echo 'online' - else - echo offline - fi - ''; - - q-thermal_zone = '' - for i in /sys/class/thermal/thermal_zone*; do - type=$(${pkgs.coreutils}/bin/cat $i/type) - temp=$(${pkgs.coreutils}/bin/cat $i/temp) - printf '%s %s°C\n' $type $(echo $temp / 1000 | ${pkgs.bc}/bin/bc) - done - ''; - - q-todo = '' - TODO_file=$HOME/TODO - if test -e "$TODO_file"; then - ${pkgs.coreutils}/bin/cat "$TODO_file" \ - | ${pkgs.gawk}/bin/gawk -v now=$(${pkgs.coreutils}/bin/date +%s) ' - BEGIN { print "remind=0" } - /^[0-9]/{ - x = $1 - gsub(".", "\\\\&", x) - rest = substr($0, index($0, " ")) - rest = $0 - sub(" *", "", rest) - gsub(".", "\\\\&", rest) - print "test $(${pkgs.coreutils}/bin/date +%s -d"x") -lt "now" && \ - echo \"\x1b[38;5;208m\""rest esc "\"\x1b[m\" && \ - (( remind++ ))" - } - END { print "test $remind = 0 && echo \"nothing to remind\"" } - ' \ - | { - # bash needed for (( ... )) - ${pkgs.bash}/bin/bash - } - else - echo "$TODO_file: no such file or directory" - fi - ''; - -in -# bash needed for <(...) -pkgs.writeBashBin "q" '' - set -eu - export PATH=/var/empty - (${q-todo}) || : - if [ "$PWD" != "$HOME" ]; then - (HOME=$PWD; ${q-todo}) || : - fi - echo - ${q-cal} - echo - ${q-isodate} - (${q-gitdir}) & - (${q-intel_backlight}) & - (${q-power_supply}) & - (${q-virtualization}) & - (${q-wireless}) & - (${q-online}) & - (${q-thermal_zone}) & - wait -'' 
diff --git a/lass/5pkgs/review-mail-queue/default.nix b/lass/5pkgs/review-mail-queue/default.nix deleted file mode 100644 index c8c66706c..000000000 --- a/lass/5pkgs/review-mail-queue/default.nix +++ /dev/null @@ -1,39 +0,0 @@ -{ pkgs }: let - - review = pkgs.writers.writeBash "review-mail" '' - mail="$1" - ${pkgs.exim}/bin/exim -Mvc "$mail" | grep -E 'Subject:|To:' - ${pkgs.exim}/bin/exim -Mvl "$mail" - while :; do - read -p 'delete?' key - case "$key" in - v*) - ${pkgs.exim}/bin/exim -Mvc "$mail" - ;; - d*) - ${pkgs.exim}/bin/exim -Mrm "$mail" - break - ;; - r*) - ${pkgs.exim}/bin/exim -Mt "$mail" - break - ;; - n*) - break - ;; - esac - done - echo '-------------------' - echo '-------------------' - echo '-------------------' - echo '-------------------' - echo '-------------------' - ''; - -in pkgs.writers.writeBashBin "review-mail" '' - for mail in $(${pkgs.exim}/bin/exim -bp \ - | ${pkgs.gnugrep}/bin/grep frozen \ - | ${pkgs.gawk}/bin/awk '{print $3}'); do - ${review} "$mail" - done -'' diff --git a/lass/5pkgs/rs/default.nix b/lass/5pkgs/rs/default.nix deleted file mode 100644 index 6b27908fb..000000000 --- a/lass/5pkgs/rs/default.nix +++ /dev/null @@ -1,6 +0,0 @@ -{ pkgs, ... }: - -#TODO: get tab-completion working again -pkgs.writeBashBin "rs" '' - rsync -vaP --append-verify "$@" -'' diff --git a/lass/5pkgs/searx/default.nix b/lass/5pkgs/searx/default.nix deleted file mode 100644 index e5ce5788a..000000000 --- a/lass/5pkgs/searx/default.nix +++ /dev/null 
@@ -1,69 +0,0 @@ -{ lib, nixosTests, python3, python3Packages, fetchFromGitHub, fetchpatch }: - -with python3Packages; - -toPythonModule (buildPythonApplication rec { - pname = "searx"; - version = "1.0.0"; - - # Can not use PyPI because certain test files are missing. - src = fetchFromGitHub { - owner = "searx"; - repo = "searx"; - rev = "v${version}"; - sha256 = "0ghkx8g8jnh8yd46p4mlbjn2zm12nx27v7qflr4c8xhlgi0px0mh"; - }; - - postPatch = '' - sed -i 's/==.*$//' requirements.txt - ''; - - preBuild = '' - export SEARX_DEBUG="true"; - ''; - - propagatedBuildInputs = [ - Babel - certifi - dateutil - flask - flaskbabel - gevent - grequests - jinja2 - langdetect - lxml - ndg-httpsclient - pyasn1 - pyasn1-modules - pygments - pysocks - pytz - pyyaml - requests - speaklater - werkzeug - ]; - - # tests try to connect to network - doCheck = false; - # checkInputs = [ - # Babel mock nose2 covCore pep8 plone-testing splinter - # unittest2 zope_testrunner selenium - # ]; - - postInstall = '' - # Create a symlink for easier access to static data - mkdir -p $out/share - ln -s ../${python3.sitePackages}/searx/static $out/share/ - ''; - - passthru.tests = { inherit (nixosTests) searx; }; - - meta = with lib; { - homepage = "https://github.com/searx/searx"; - description = "A privacy-respecting, hackable metasearch engine"; - license = licenses.agpl3Plus; - maintainers = with maintainers; [ matejc fpletz globin danielfullmer ]; - }; -}) diff --git a/lass/5pkgs/sshify/default.nix b/lass/5pkgs/sshify/default.nix deleted file mode 100644 index 445b9b4aa..000000000 --- a/lass/5pkgs/sshify/default.nix +++ /dev/null 
@@ -1,39 +0,0 @@ -{ pkgs }: -# usage: sshify prism.r -- curl ifconfig.me -pkgs.writers.writeBashBin "sshify" '' - set -efu - - TMPDIR=$(mktemp -d) - - SSH_ARGS=() - - while [[ "$#" -gt 0 ]]; do - case $1 in - --) - shift - break - ;; - *) - SSH_ARGS+=($1) - ;; - esac - shift - done - - if [[ "$#" -le 0 ]]; then - echo no command specified - exit 1 - fi - - RANDOM_HIGH_PORT=$(shuf -i 20000-65000 -n 1) - - cat << EOF >$TMPDIR/proxychains.conf - [ProxyList] - socks4 127.0.0.1 $RANDOM_HIGH_PORT - EOF - - ssh -fNM -S "$TMPDIR/socket" -D "$RANDOM_HIGH_PORT" "''${SSH_ARGS[@]}" - trap "ssh -S $TMPDIR/socket -O exit bla 2>/dev/null; rm -rf $TMPDIR >&2" EXIT - - ${pkgs.proxychains-ng}/bin/proxychains4 -q -f "$TMPDIR/proxychains.conf" "$@" -'' diff --git a/lass/5pkgs/sshvnc/default.nix b/lass/5pkgs/sshvnc/default.nix deleted file mode 100644 index f66ed1b0d..000000000 --- a/lass/5pkgs/sshvnc/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ pkgs }: -pkgs.writers.writeBashBin "sshvnc" '' - set -xm - - RANDOM_HIGH_PORT=$(shuf -i 20000-65000 -n 1) - ssh "$@" -f -L $RANDOM_HIGH_PORT:localhost:$RANDOM_HIGH_PORT -- x11vnc -noxdamage -noxfixes -noxrecord -display :0 -localhost -rfbport $RANDOM_HIGH_PORT - - sleep 3 - - _JAVA_AWT_WM_NONREPARENTING=1 ${pkgs.turbovnc}/bin/vncviewer localhost:$RANDOM_HIGH_PORT -'' diff --git a/lass/5pkgs/super-vnc/default.nix b/lass/5pkgs/super-vnc/default.nix deleted file mode 100644 index ce0e3aaa7..000000000 --- a/lass/5pkgs/super-vnc/default.nix +++ /dev/null 
@@ -1,38 +0,0 @@ -{ pkgs, lib }: let - - quoteChar = c: - if c == "\n" then "'\n'" - else c; - quote = x: if x == "" then "''" else lib.stringAsChars quoteChar x; - -in pkgs.writers.writeDashBin "super-vnc" '' - PATH=${lib.makeBinPath (with pkgs; [ - xorg.xrandr gnugrep coreutils xorg.xorgserver gnused openssh gawk tightvnc - ])} - remote=$1 - res_x=$(xrandr --current | grep '*' | uniq | awk '{print $1}' | cut -d 'x' -f1) - res_y=$(xrandr --current | grep '*' | uniq | awk '{print $1}' | cut -d 'x' -f2) - export modeline="$(gtf "$res_x" "$res_y" 60 | sed -n 's/.*Modeline "\([^" ]\+\)" \(.*\)/\1 \2/p')" - export name="$(echo "$modeline" | sed 's/\([^ ]\+\) .*/\1/')" - export vncline="''${res_x}x''${res_y}+0+0" - - if [ -z "$modeline" -o -z "$name" ]; then - echo "Error! modeline=$modeline name=$name" - exit 1 - fi - - echo $modeline - - # TODO user random highport - ssh "$remote" -L 5900:localhost:55900 bash <&2; exit 1 - else - # Consume stdin and put it in the temporal file - cat > "$tmpfile" - fi - fi - - for arg in "$@"; do - # if it's a pipe then drain it to $tmpfile - [ -p "$arg" ] && cat "$arg" > "$tmpfile" - done - - if [ -s "$tmpfile" ]; then - ${nsxiv}/bin/nsxiv -q "$@" "$tmpfile" # -q to silence warnings - else - ${nsxiv}/bin/nsxiv "$@" # fallback - fi -'' diff --git a/lass/5pkgs/tdlib-purple/default.nix b/lass/5pkgs/tdlib-purple/default.nix deleted file mode 100644 index d7937da58..000000000 --- a/lass/5pkgs/tdlib-purple/default.nix +++ /dev/null 
@@ -1,51 +0,0 @@ -{ stdenv, pkgs, fetchFromGitHub, cmake, pidgin, libwebp, libtgvoip } : - -let - - tdlib = stdenv.mkDerivation rec { - version = "1.6.0"; - pname = "tdlib"; - - src = fetchFromGitHub { - owner = "tdlib"; - repo = "td"; - rev = "v${version}"; - sha256 = "0zlzpl6fgszg18kwycyyyrnkm255dvc6fkq0b0y32m5wvwwl36cv"; - }; - - buildInputs = with pkgs; [ gperf openssl readline zlib ]; - nativeBuildInputs = [ pkgs.cmake ]; - - }; - -in stdenv.mkDerivation rec { - pname = "tdlib-purple"; - version = "0.7.8"; - - src = fetchFromGitHub { - owner = "ars3niy"; - repo = pname; - rev = "v${version}"; - sha256 = "17g54mcxsidcx37l6m4p8i06ln1hvq3347dhdl9xkkn7pqpwvv1c"; - }; - - cmakeFlags = [ - "-Dtgvoip_INCLUDE_DIRS=${libtgvoip.dev}/include/tgvoip" - ]; - - nativeBuildInputs = [ cmake ]; - buildInputs = [ pidgin tdlib libwebp libtgvoip ]; - - installPhase = '' - mkdir -p $out/lib/purple-2/ - cp *.so $out/lib/purple-2/ - ''; - - meta = with stdenv.lib; { - homepage = "https://github.com/ars3niy/tdlib-purple"; - description = "New libpurple plugin for Telegram"; - license = licenses.gpl2; - maintainers = [ maintainers.lassulus ]; - platforms = platforms.linux; - }; -} diff --git a/lass/5pkgs/unimenu/default.nix b/lass/5pkgs/unimenu/default.nix deleted file mode 100644 index cf2a15277..000000000 --- a/lass/5pkgs/unimenu/default.nix +++ /dev/null 
@@ -1,101 +0,0 @@ -{ - lib, - runCommand, - fetchurl, - writeText, - writers, - coreutils, - dmenu, - gnused, - libnotify, - xclip, - xdotool, - gawk, -}: let - unicode-file = runCommand "unicode.txt" {} '' - ${ - writers.writePython3 "generate.py" {flakeIgnore = ["E501" "E722"];} '' - import csv - - with open("${ - fetchurl { - url = "https://unicode.org/Public/UCD/latest/ucd/UnicodeData.txt"; - sha256 = "sha256-NgGOaGV/3LNIX2NmMP/oyFMuAcl3cD0oA/W4nWxf6vs="; - } - }", "r") as unicode_data: - reader = csv.reader(unicode_data, delimiter=";") - next(reader) # skip first row containing \0 - for row in reader: - codepoint = row[0] - name = row[1] - alternate_name = row[10] - try: - print(chr(int(codepoint, 16)), codepoint, name, alternate_name, sep=" ") - except: - continue - '' - } > $out - ''; - kaomoji-file = writeText "kaomoji.txt" '' - ¯\(°_o)/¯ dunno lol shrug dlol - ¯\_(ツ)_/¯ dunno lol shrug dlol - ( ͡° ͜ʖ ͡°) lenny - ¯\_( ͡° ͜ʖ ͡°)_/¯ lenny shrug dlol - ( ゚д゚) aaah sad noo - ヽ(^o^)丿 hi yay hello - (^o^: ups hehe - (^∇^) yay - ┗(`皿´)┛ angry argh - ヾ(^_^) byebye!! bye - <(^.^<) <(^.^)> (>^.^)> (7^.^)7 (>^.^<) dance - (-.-)Zzz... 
sleep - (∩╹□╹∩) oh noes woot - (╯°□°)╯ ┻━┻ table flip - (」゜ロ゜)」 why woot - (_゜_゜_) gloom I see you - ༼ ༎ຶ ෴ ༎ຶ༽ sad - (\/) (°,,,,°) (\/) krebs - ┳━┳ ヽ(ಠل͜ಠ)ノ putting table back - ┻━┻︵ \(°□°)/ ︵ ┻━┻ flip all dem tablez - (`・ω・´) bear look - ᕦ(ຈل͜ຈ)ᕤ strong flex muscle bicep - ᕦ(ò_óˇ)ᕤ strong flex muscle bicep - (๑>ᴗ<๑) excite - (∩ ` -´)⊃━━☆゚.*・。゚ wizard spell magic - ╰( ͡° ͜ʖ ͡° )つ──☆*:・゚ wizard spell magic - ◕ ◡ ◕ puss in boots big eye - ≋≋≋≋≋̯̫⌧̯̫(ˆ•̮ ̮•ˆ) nyan cat - ʕ•ᴥ•ʔ bear - (ԾɷԾ) adventure time - (⁀ᗢ⁀) happy yay - (≧◡≦) happy yay - \(º □ º )/ panic - 𓂺 penis - 𓂸 penis - __〆( ̄ー ̄ ) write down - __〆(º □ º) write down - __〆(^_^) write down - C= C= C= C= C=┌(;・ω・)┘ running fast here - ▓▒░(°◡°)░▒▓ dont care - (๑ᵔ⤙ᵔ๑) nom food eating - (·•᷄ࡇ •᷅ ) ohoh sad - ᕕ( ᐛ )ᕗ hehe lol letsgo - (^_~) wink - ''; -in - # ref https://github.com/LukeSmithxyz/voidrice/blob/9fe6802122f6e0392c7fe20eefd30437771d7f8e/.local/bin/dmenuunicode - writers.writeDashBin "unimenu" '' - history_file=$HOME/.cache/unimenu - PATH=${lib.makeBinPath [coreutils dmenu gnused libnotify xclip xdotool]} - chosen=$(cat "$history_file" ${kaomoji-file} ${unicode-file} | dmenu -p unicode -i -l 10 | tee --append "$history_file" | sed "s/ .*//") - - [ "$chosen" != "" ] || exit - - echo "$chosen" | tr -d '\n' | xclip -selection clipboard - - if [ -n "$1" ]; then - xdotool key Shift+Insert - else - notify-send --app-name="$(basename "$0")" "'$chosen' copied to clipboard." & - fi - '' diff --git a/lass/5pkgs/urban/default.nix b/lass/5pkgs/urban/default.nix deleted file mode 100644 index fb8adaed9..000000000 --- a/lass/5pkgs/urban/default.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ pkgs, ... }: - -pkgs.writeScriptBin "urban" '' - #!/bin/sh - set -euf - term=$1 - curl -LsS 'http://www.urbandictionary.com/define.php?term='"$term" \ - | sed 's/<\/\?a\>[^>]*>//g' \ - | sed 's/<\([^>]*\)>/\n<\1\n/g' \ - | grep . \ - | sed -n '/
' \ - | grep -v '^' \ - | sed ' - s/"/"/g - s/'/'\'''/g - s/>/>/g - s/</>/g - ' -'' diff --git a/lass/5pkgs/xephyrify/default.nix b/lass/5pkgs/xephyrify/default.nix deleted file mode 100644 index 20c546dbb..000000000 --- a/lass/5pkgs/xephyrify/default.nix +++ /dev/null @@ -1,62 +0,0 @@ -{ writeDashBin, writeHaskellPackage, coreutils, xorg, virtualgl, ... }: - -let - - xephyrify-xmonad = writeHaskellPackage "xephyrify-xmonad" { - executables.xmonad = { - extra-depends = [ - "containers" - "unix" - "xmonad" - ]; - text = /* haskell */ '' - module Main where - import XMonad - import Data.Monoid - import System.Posix.Process (executeFile) - import qualified Data.Map as Map - - main :: IO () - main = do - xmonad def - { workspaces = [ "1" ] - , layoutHook = myLayoutHook - , keys = myKeys - , normalBorderColor = "#000000" - , focusedBorderColor = "#000000" - , handleEventHook = myEventHook - } - - myEventHook :: Event -> X All - - myEventHook (ConfigureEvent { ev_event_type = 22 }) = do - spawn "${xorg.xrandr}/bin/xrandr >/dev/null 2>&1" - return (All True) - - myEventHook _ = do - return (All True) - - myLayoutHook = Full - myKeys _ = Map.fromList [] - ''; - }; - }; - -in writeDashBin "xephyrify" '' - NDISPLAY=''${NDISPLAY:-$(${coreutils}/bin/shuf -i 100-65536 -n 1)} - echo "using DISPLAY $NDISPLAY" - ${xorg.xorgserver}/bin/Xephyr -br -ac -reset -terminate -resizeable -dpi 60 -nolisten local :$NDISPLAY & - if test -n $DROP_TO_USER; then - sleep 1 - ls /tmp/.X11-unix/ - id - ${coreutils}/bin/chgrp "$DROP_TO_USER" "/tmp/.X11-unix/X$NDISPLAY" - ${coreutils}/bin/chmod 770 "/tmp/.X11-unix/X$NDISPLAY" - fi - XEPHYR_PID=$! - DISPLAY=:$NDISPLAY ${xephyrify-xmonad}/bin/xmonad & - XMONAD_PID=$! - DISPLAY=:$NDISPLAY ${virtualgl}/bin/vglrun "$@" - kill $XMONAD_PID - kill $XEPHYR_PID -'' diff --git a/lass/5pkgs/xml2json/default.nix b/lass/5pkgs/xml2json/default.nix deleted file mode 100644 index 78690d4b7..000000000 --- a/lass/5pkgs/xml2json/default.nix +++ /dev/null 
@@ -1,17 +0,0 @@ -{ pkgs, ... }: -let - pp = pkgs.python35Packages; -in pp.buildPythonPackage rec { - name = "xml2json-${version}"; - version = "22ffcd"; - propagatedBuildInputs = [ - pp.simplejson - ]; - src = pkgs.fetchFromGitHub { - owner = "hay"; - repo = "xml2json"; - rev = "${version}"; - sha256 = "1snjd6q6bk517350gdrl8kkphkra0iaz56i583h2q57ab09r29vc"; - }; - doCheck = false; -} diff --git a/lass/5pkgs/xonsh2/default.nix b/lass/5pkgs/xonsh2/default.nix deleted file mode 100644 index d55d22445..000000000 --- a/lass/5pkgs/xonsh2/default.nix +++ /dev/null 
@@ -1,56 +0,0 @@ -{ lib, stdenv -, fetchFromGitHub -, python39Packages -, glibcLocales -, coreutils -, git -, extraInputs ? [] -}: let - - python3Packages = python39Packages; - -in python3Packages.buildPythonApplication rec { - pname = "xonsh2"; - version = "master"; - - # fetch from github because the pypi package ships incomplete tests - src = fetchFromGitHub { - owner = "anki-code"; - repo = "xonsh2"; - rev = "bd96fcdce9319ab6b90c7d9ac47d2249b61144d0"; - sha256 = "0b632rac8macfp2mmvhh1f34cf1m5qfpjajwnf676qk7jzn79vx6"; - }; - - LC_ALL = "en_US.UTF-8"; - - postPatch = '' - sed -ie 's|/usr/bin/env|${coreutils}/bin/env|' scripts/xon.sh - find scripts -name 'xonsh*' -exec sed -i -e "s|env -S|env|" {} \; - find -name "*.xsh" | xargs sed -ie 's|/usr/bin/env|${coreutils}/bin/env|' - patchShebangs . - ''; - - doCheck = false; - - checkPhase = '' - HOME=$TMPDIR pytest -k 'not test_repath_backslash and not test_os and not test_man_completion and not test_builtins and not test_main and not test_ptk_highlight and not test_pyghooks' - HOME=$TMPDIR pytest -k 'test_builtins or test_main' --reruns 5 - HOME=$TMPDIR pytest -k 'test_ptk_highlight' - ''; - - checkInputs = [ python3Packages.pytest python3Packages.pytest-rerunfailures glibcLocales git ]; - - propagatedBuildInputs = with python3Packages; [ ply prompt_toolkit pygments ] ++ extraInputs; - - meta = with lib; { - description = "A Python-ish, BASHwards-compatible shell"; - homepage = "https://xon.sh/"; - # changelog = "https://github.com/xonsh/xonsh/releases/tag/${version}"; - license = licenses.bsd3; - platforms = platforms.all; - }; - - passthru = { - shellPath = "/bin/xonsh2"; - }; -} diff --git a/lass/5pkgs/yt-next/default.nix b/lass/5pkgs/yt-next/default.nix deleted file mode 100644 index 8132b4f05..000000000 --- a/lass/5pkgs/yt-next/default.nix +++ /dev/null 
@@ -1,13 +0,0 @@ -{ pkgs, ... }: - -pkgs.writeScriptBin "yt-next" '' - #! ${pkgs.bash}/bin/bash - - vid=$1 - num=''${NUM:-1} - - curl -Ls $1 \ - | grep 'href="/watch?v=' \ - | head -n$num \ - | sed 's,.*href="\([^"]*\)".*,https://youtube.com\1,' -'' diff --git a/lass/default.nix b/lass/default.nix deleted file mode 100644 index d077cc09f..000000000 --- a/lass/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ pkgs, ... }: -{ - imports = [ - ../krebs - ./2configs - ./3modules - ]; - nixpkgs.config.packageOverrides = import ./5pkgs pkgs; -} diff --git a/lass/krops.nix b/lass/krops.nix deleted file mode 100644 index 407df3bc6..000000000 --- a/lass/krops.nix +++ /dev/null 
@@ -1,145 +0,0 @@ -{ name }: let - inherit (import ../krebs/krops.nix { inherit name; }) - krebs-source - lib - pkgs - ; - - source = { test }: lib.evalSource ([ - (krebs-source { test = test; }) - { - nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix"; - nixpkgs = lib.mkForce (if test then { - derivation = let - rev = (lib.importJSON ../krebs/nixpkgs-unstable.json).rev; - sha256 = (lib.importJSON ../krebs/nixpkgs-unstable.json).sha256; - in '' - with import (builtins.fetchTarball { - url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz"; - sha256 = "${sha256}"; - }) {}; - pkgs.fetchFromGitHub { - owner = "nixos"; - repo = "nixpkgs"; - rev = "${rev}"; - sha256 = "${sha256}"; - } - ''; - } else { - git = { - ref = (lib.importJSON ../krebs/nixpkgs-unstable.json).rev; - url = https://github.com/NixOS/nixpkgs; - shallow = true; - }; - }); - secrets = if test then { - file = toString ./2configs/tests/dummy-secrets; - } else { - pass = { - dir = "${lib.getEnv "HOME"}/sync/pwstore"; - name = "hosts/${name}"; - }; - }; - stockholm.file = lib.mkForce { - path = toString ../.; - useChecksum = true; - }; - } - (if lib.pathExists (./. + "/1systems/${name}/source.nix") then - import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs test; } - else - {} - ) - ]); - -in { - - deploy = { target ? "root@${name}/var/src", offline ? false, command ? 
"switch" }: pkgs.krops.writeCommand "deploy" { - command = targetPath: '' - - set -xfu - - outDir=$(mktemp -d) - trap "rm -rf $outDir;" INT TERM EXIT - - build=$(command -v nom-build || echo "nix-build") - - $build \ - -I "${targetPath}" \ - '' -A config.system.build.toplevel \ - -o "$outDir/out" \ - ${lib.optionalString offline "--option substitute false"} \ - # -vvvvv --show-trace - - nix-env -p /nix/var/nix/profiles/system --set "$outDir/out" - - "$outDir/out/bin/switch-to-configuration" ${command} - ''; - source = source { test = false; }; - allocateTTY = true; - backup = false; - inherit target; - }; - - deployWithFlake = { target ? "root@${name}/var/src", offline ? false }: pkgs.krops.writeCommand "deploy" { - source = { - inherit (source { test = false; }) stockholm secrets; - }; - command = targetPath: '' - ''; - allocateTTY = true; - inherit target; - }; - - # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A populate) - populate = { target, force ? false }: pkgs.populate { - inherit force; - source = source { test = false; }; - target = lib.mkTarget target; - }; - - # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test) - test = { target }: pkgs.krops.writeTest "${name}-test" { - force = true; - inherit target; - source = source { test = true; }; - }; - - deploy-with-diff = { target ? "root@${name}/var/src" }: pkgs.krops.writeCommand "${name}-deploy" { - command = targetPath: '' - set -xu - deployScript=$(mktemp) - cat << EOF > "$deployScript" - #! /usr/bin/env nix-shell - #! 
nix-shell -p nix-diff proot rsync -i bash - set -xfu - - oldPath=\$(echo "${targetPath}" | sed 's/-new$//') - oldSystemDrv=\$(nix show-derivation /run/current-system | jq -r 'keys[0]') - newSystemDrv=\$(proot -b /var/src-new:/var/src nix-instantiate -I /var/src '' -A config.system.build.toplevel) - - ( - diff -rq -x '.git' "\$oldPath" "${targetPath}" - nix-diff --color always --line-oriented "\$oldSystemDrv" "\$newSystemDrv" - ) | less -R - echo 'continue? [(Y)es]/(n)o' - read yn - case \$yn in - [Nn]* ) exit;; - esac - rsync -ra --delete /var/src-new/ /var/src/ - nixos-rebuild -I /var/src switch - EOF - - chmod +x "$deployScript" - echo "$deployScript" - cat "$deployScript" - exec "$deployScript" - rm "$deployScript" - ''; - target = "${target}-new"; - source = source { test = false; }; - force = true; - allocateTTY = true; - }; -} diff --git a/lass/tombstone b/lass/tombstone new file mode 100644 index 000000000..e3b051963 --- /dev/null +++ b/lass/tombstone @@ -0,0 +1 @@ +this config has been moved to https://github.com/lassulus/superconfig for now From 39c4ee8f921da4ad2c2445e46a86310ecf7d9a13 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 7 Sep 2023 12:38:27 +0200 Subject: [PATCH 124/125] flake.lock: update nixpkgs --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 937db8871..7ca0c5f9b 100644 --- a/flake.lock +++ b/flake.lock @@ -18,11 +18,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1686135559, - "narHash": "sha256-pY8waAV8K/sbHBdLn5diPFnQKpNg0YS9w03MrD2lUGE=", + "lastModified": 1693844670, + "narHash": "sha256-t69F2nBB8DNQUWHD809oJZJVE+23XBrth4QZuVd6IE0=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "381e92a35e2d196fdd6077680dca0cd0197e75cb", + "rev": "3c15feef7770eb5500a4b8792623e2d6f598c9c1", "type": "github" }, "original": { From 083229d0211096daec08673f743ccc45b1d8a0ac Mon Sep 17 00:00:00 2001 
From: lassulus Date: Thu, 7 Sep 2023 19:00:57 +0200 Subject: [PATCH 125/125] krebs: krebs.secret.directory --- krebs/2configs/acme.nix | 2 +- krebs/2configs/cal.nix | 2 +- krebs/2configs/hotdog-host.nix | 3 ++- krebs/2configs/news-host.nix | 3 ++- krebs/2configs/repo-sync.nix | 2 +- krebs/2configs/syncthing.nix | 4 ++-- krebs/2configs/tor/initrd.nix | 4 ++-- krebs/2configs/wiki.nix | 2 +- krebs/3modules/exim-smarthost.nix | 4 ++-- krebs/3modules/github/hosts-sync.nix | 2 +- krebs/3modules/repo-sync.nix | 2 +- krebs/3modules/retiolum-bootstrap.nix | 4 ++-- krebs/3modules/tinc.nix | 4 ++-- 13 files changed, 20 insertions(+), 18 deletions(-) diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix index 056aa7ae4..0b9cb91af 100644 --- a/krebs/2configs/acme.nix +++ b/krebs/2configs/acme.nix @@ -24,7 +24,7 @@ in { path = "/var/lib/step-ca/intermediate_ca.key"; owner.name = "root"; mode = "1444"; - source-path = builtins.toString + "/acme_ca.key"; + source-path = "${config.krebs.secret.directory}/acme_ca.key"; }; services.step-ca = { enable = true; diff --git a/krebs/2configs/cal.nix b/krebs/2configs/cal.nix index a1fe47b5d..1a0cdf019 100644 --- a/krebs/2configs/cal.nix +++ b/krebs/2configs/cal.nix @@ -108,7 +108,7 @@ in { krebs.secret.files.calendar = { path = "/var/lib/radicale/.ssh/id_ed25519"; owner = { name = "radicale"; }; - source-path = "${}"; + source-path = "${config.krebs.secret.directory}/radicale.id_ed25519"; }; security.sudo.extraConfig = '' diff --git a/krebs/2configs/hotdog-host.nix b/krebs/2configs/hotdog-host.nix index 95d70376b..ab2b22b7c 100644 --- a/krebs/2configs/hotdog-host.nix +++ b/krebs/2configs/hotdog-host.nix @@ -1,6 +1,7 @@ +{ config, ... }: { krebs.sync-containers3.containers.hotdog = { - sshKey = "${toString }/hotdog.sync.key"; + sshKey = "${config.krebs.secret.directory}/hotdog.sync.key"; }; containers.hotdog.bindMounts."/var/lib" = { hostPath = "/var/lib/sync-containers3/hotdog/state"; 
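Review bot: The re-pointed `source-path` still installs the step-ca intermediate CA private key with `mode = "1444"`, which, if `mode` is an octal file mode as in the other `krebs.secret.files` entries, leaves `/var/lib/step-ca/intermediate_ca.key` readable by every local user. A CA signing key should be readable only by the service that uses it, e.g. `mode = "0400";` with `owner.name` set to the user services.step-ca runs as (that user is not visible in this hunk, so please confirm it). Separately, the new line references `config`, but acme.nix's module header is outside the hunk; hotdog-host.nix and news-host.nix in the same commit had to add `{ config, ... }:`, so check that acme.nix already binds it.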
diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix index 71793e518..81922ef87 100644 --- a/krebs/2configs/news-host.nix +++ b/krebs/2configs/news-host.nix @@ -1,5 +1,6 @@ +{ config, ... }: { krebs.sync-containers3.containers.news = { - sshKey = "${toString }/news.sync.key"; + sshKey = "${config.krebs.secret.directory}/news.sync.key"; }; } diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix index 1b72924a6..a488fdfea 100644 --- a/krebs/2configs/repo-sync.nix +++ b/krebs/2configs/repo-sync.nix @@ -98,7 +98,7 @@ in { krebs.secret.files.konsens = { path = "/var/lib/konsens/.ssh/id_ed25519"; owner = konsens-user; - source-path = "${}"; + source-path = "${config.krebs.secret.directory}/konsens.id_ed25519>"; }; imports = [ diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix index 59178516c..90ae66f6e 100644 --- a/krebs/2configs/syncthing.nix +++ b/krebs/2configs/syncthing.nix @@ -10,8 +10,8 @@ in { services.syncthing = { enable = true; configDir = "/var/lib/syncthing"; - key = toString ; - cert = toString ; + key = "${config.krebs.secret.directory}/syncthing.key"; + cert = "${config.krebs.secret.directory}/syncthing.cert"; # workaround for infinite recursion on unstable, remove in 23.11 } // (if builtins.hasAttr "settings" options.services.syncthing then { settings.devices = mk_peers used_peers; } diff --git a/krebs/2configs/tor/initrd.nix b/krebs/2configs/tor/initrd.nix index 98ed039b4..21c46a0a7 100644 --- a/krebs/2configs/tor/initrd.nix +++ b/krebs/2configs/tor/initrd.nix @@ -13,12 +13,12 @@ config.krebs.users.makefu.pubkey config.krebs.users.tv.pubkey ]; - hostKeys = [ ]; + hostKeys = [ "${config.krebs.secret.directory}/initrd/openssh_host_ecdsa_key" ]; }; boot.initrd.availableKernelModules = [ "e1000e" ]; boot.initrd.secrets = { - "/etc/tor/onion/bootup" = ; + "/etc/tor/onion/bootup" = "${config.krebs.secret.directory}/initrd"; }; boot.initrd.extraUtilsCommands = '' 
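Review bot: The new konsens `source-path` has a stray `>` at the end of the file name, `konsens.id_ed25519>`, so the secret will be looked up under a name that does not exist and the konsens SSH identity will never be installed. It looks like a leftover from the old `<secrets/...>` path literal and should read `source-path = "${config.krebs.secret.directory}/konsens.id_ed25519";`. The `krebs.secret.files.konsens` block is fully inside the hunk, but the file's module header is not, so also confirm `config` is bound there.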
diff --git a/krebs/2configs/wiki.nix b/krebs/2configs/wiki.nix index a227ceb4a..4b0bf9768 100644 --- a/krebs/2configs/wiki.nix +++ b/krebs/2configs/wiki.nix @@ -96,7 +96,7 @@ in krebs.secret.files.gollum = { path = "${config.services.gollum.stateDir}/.ssh/id_ed25519"; owner = { name = "gollum"; }; - source-path = "${}"; + source-path = "${config.krebs.secret.directory}/gollum.id_ed25519"; }; security.sudo.extraConfig = '' diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 093ae2030..4e42ce72e 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -20,14 +20,14 @@ let }; dkim = mkOption { - type = types.listOf (types.submodule ({ config, ... }: { + type = types.listOf (types.submodule (dkim: { options = { domain = mkOption { type = types.str; }; private_key = mkOption { type = types.absolute-pathname; - default = toString + "/${config.domain}.dkim.priv"; + default = "${config.krebs.secret.directory}/${dkim.config.domain}.dkim.priv"; defaultText = "‹secrets/‹domain›.dkim.priv›"; }; selector = mkOption { diff --git a/krebs/3modules/github/hosts-sync.nix b/krebs/3modules/github/hosts-sync.nix index 6f9aee0ce..2f373f9bc 100644 --- a/krebs/3modules/github/hosts-sync.nix +++ b/krebs/3modules/github/hosts-sync.nix @@ -22,7 +22,7 @@ let }; ssh-identity-file = mkOption { type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"]; - default = toString ; + default = "${config.krebs.secret.directory}/github-hosts-sync.ssh.id_ed25519"; defaultText = "‹secrets/github-hosts-sync.ssh.id_ed25519›"; }; url = mkOption { diff --git a/krebs/3modules/repo-sync.nix b/krebs/3modules/repo-sync.nix index a6de3f3f6..5208d91ae 100644 --- a/krebs/3modules/repo-sync.nix +++ b/krebs/3modules/repo-sync.nix 
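Review bot: The `defaultText` directly below the changed default still reads `‹secrets/‹domain›.dkim.priv›`, so the rendered option documentation will describe the old `<secrets/...>` lookup rather than the new `krebs.secret.directory` one. It should be updated together with the default, e.g. `defaultText = "‹config.krebs.secret.directory›/‹domain›.dkim.priv";`. The same stale `defaultText` is left behind in github/hosts-sync.nix, repo-sync.nix and tinc.nix in this commit. Renaming the submodule argument to `dkim` is the right fix for the `config` shadowing, since the default now needs the outer NixOS `config` rather than the submodule's.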
@@ -123,7 +123,7 @@ let privateKeyFile = mkOption { type = types.absolute-pathname; - default = toString + "/repo-sync.ssh.key"; + default = "${config.krebs.secret.directory}/repo-sync.ssh.key"; defaultText = "‹secrets/repo-sync.ssh.key›"; }; diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index c9ea8a619..bd7e7c5f6 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix @@ -14,12 +14,12 @@ in sslCertificate = mkOption { type = types.str; description = "Certificate file to use for ssl"; - default = "${toString }/tinc.krebsco.de.crt" ; + default = "${config.krebs.secret.directory}/tinc.krebsco.de.crt" ; }; sslCertificateKey = mkOption { type = types.str; description = "Certificate key to use for ssl"; - default = "${toString }/tinc.krebsco.de.key"; + default = "${config.krebs.secret.directory}/tinc.krebsco.de.key"; }; # in use: # diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index 2f9efad46..9df368cfb 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -149,7 +149,7 @@ with import ../../lib/pure.nix { inherit lib; }; { privkey = mkOption { type = types.absolute-pathname; - default = toString + "/${tinc.config.netname}.rsa_key.priv"; + default = "${config.krebs.secret.directory}/${tinc.config.netname}.rsa_key.priv"; defaultText = "‹secrets/‹netname›.rsa_key.priv›"; }; @@ -158,7 +158,7 @@ with import ../../lib/pure.nix { inherit lib; }; { default = if tinc.config.host.nets.${netname}.tinc.pubkey_ed25519 == null then null - else toString + "/${tinc.config.netname}.ed25519_key.priv"; + else "${config.krebs.secret.directory}/${tinc.config.netname}.ed25519_key.priv"; defaultText = "‹secrets/‹netname›.ed25519_key.priv›"; };
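Review bot: `sslCertificate` and `sslCertificateKey` keep `type = types.str` while the other options converted in this commit (repo-sync.nix, tinc.nix, exim-smarthost.nix) use `types.absolute-pathname`, so a relative or empty value here is accepted at evaluation time and only fails when the web server tries to open the file. For consistency with the sibling modules and an early check, use `type = types.absolute-pathname;` on both options. The stray space in `"${config.krebs.secret.directory}/tinc.krebsco.de.crt" ;` could be dropped while the line is being touched.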