Merge remote-tracking branch 'prism/master'

2022-11-29 19:54:28 +01:00 · 2022-11-29 19:54:28 +01:00 · 43428ccca5
commit 43428ccca5
parent 5c05e2a9b6 32b23666d1
12 changed files with 171 additions and 34 deletions
--- a/kartei/krebs/default.nix
+++ b/kartei/krebs/default.nix
@ -78,6 +78,7 @@ in {
            "build.r"
            "build.hotdog.r"
            "ca.r"
+            "calendar.r"
            "cgit.hotdog.r"
            "irc.r"
            "wiki.r"
--- a/kartei/others/ssh/xkey.pub
+++ b/kartei/others/ssh/xkey.pub
@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIZFKgFcAEGXcsssJxDeUVvOTKD0U4LlT2Yw85+WmMTj
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPVwyWKyTjg00x1M1PCDBXbixmdZObZiMLAW0f9KGFvC
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@ -13,6 +13,8 @@
    <stockholm/krebs/2configs/acme.nix>
    <stockholm/krebs/2configs/mud.nix>

+    <stockholm/krebs/2configs/cal.nix>
+
    ## shackie irc bot
    <stockholm/krebs/2configs/shack/reaktor.nix>
  ];
--- a/krebs/2configs/cal.nix
+++ b/krebs/2configs/cal.nix
@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+{
+  users.users.testing = {
+    uid = pkgs.stockholm.lib.genid_uint31 "testing";
+    isNormalUser = true;
+    openssh.authorizedKeys.keys = [
+      config.krebs.users.xkey.pubkey
+      config.krebs.users.lass.pubkey
+    ];
+    packages = [
+      pkgs.calendar-cli
+      pkgs.tmux
+    ];
+  };
+
+  services.xandikos = {
+    enable = true;
+    extraOptions = [
+      "--autocreate"
+      "--defaults"
+      "--current-user-principal /krebs"
+      "--dump-dav-xml"
+    ];
+  };
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts = {
+      "calendar.r".locations."/".proxyPass = "http://localhost:${toString config.services.xandikos.port}/";
+    };
+  };
+}
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@ -62,7 +62,6 @@ let
        export PATH=${makeBinPath [
          pkgs.coreutils
          pkgs.curl
-          pkgs.gnused
          pkgs.stable-generate
        ]}
        stable_url=$(stable-generate "$@")
@ -85,7 +84,6 @@ let
        export PATH=${makeBinPath [
          pkgs.coreutils
          pkgs.curl
-          pkgs.gnused
          pkgs.stable-generate
        ]}
        case $_msgtarget in \#*)
@ -100,6 +98,30 @@ let
    };
  };

+  say = {
+    pattern = "^!say (.*)$";
+    activate = "match";
+    arguments = [1];
+    command = {
+      filename = pkgs.writeDash "say" ''
+        set -efu
+
+        export PATH=${makeBinPath [
+          pkgs.coreutils
+          pkgs.curl
+          pkgs.opusTools
+        ]}
+        paste_url=$(printf '%s' "$1" |
+          curl -fSsG http://tts.r/api/tts --data-urlencode 'text@-' |
+          opusenc - - |
+          curl -Ss https://p.krebsco.de --data-binary @- |
+          tail -1
+        )
+        echo "$_from: $paste_url"
+      '';
+    };
+  };
+
  taskRcFile = builtins.toFile "taskrc" ''
    confirmation=no
  '';
@ -275,6 +297,7 @@ let
        bedger-add
        bedger-balance
        hooks.sed
+        say
        (generators.command_hook {
          inherit (commands) dance random-emoji nixos-version;
          tell = {
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@ -25,7 +25,6 @@ with import <stockholm/lib>;
      ];
    }
    { # TODO make new hfos.nix out of this vv
-      boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
      users.users.riot = {
        uid = genid_uint31 "riot";
        isNormalUser = true;
@ -33,23 +32,10 @@ with import <stockholm/lib>;
        openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
        ];
-        packages = [
-          (pkgs.writeDashBin "kick-routing" ''
-            /run/wrappers/bin/sudo ${pkgs.systemd}/bin/systemctl restart krebs-iptables.service
-          '')
-        ];
      };
-      security.sudo.extraConfig = ''
-        riot ALL=(root) NOPASSWD: ${pkgs.systemd}/bin/systemctl restart krebs-iptables.service
-      '';
-
-      # TODO write function for proxy_pass (ssl/nonssl)
-
      krebs.iptables.tables.filter.FORWARD.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.141"; target = "ACCEPT"; }
-      ];
-      krebs.iptables.tables.nat.PREROUTING.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 95.216.1.130"; target = "DNAT --to-destination 192.168.122.141"; }
+        { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
+        { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
      ];
    }
    {
--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@ -78,29 +78,31 @@
  boot.loader.grub.version = 2;
  boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];

-  boot.kernelParams = [ "net.ifnames=0" ];
+  # we don't pay for power there and this might solve a problem we observed at least once
+  # https://www.thomas-krenn.com/de/wiki/PCIe_Bus_Error_Status_00001100_beheben
+  boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" ];
  networking.dhcpcd.enable = false;
+
+  # bridge config
+  networking.bridges."ext-br".interfaces = [ "eth0" ];
  networking = {
    hostId = "2283aaae";
    defaultGateway = "95.216.1.129";
-    defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
+    defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; };
    # Use google's public DNS server
    nameservers = [ "8.8.8.8" ];
-    interfaces.eth0.ipv4.addresses = [
+    interfaces.ext-br.ipv4.addresses = [
      {
        address = "95.216.1.150";
        prefixLength = 26;
      }
-      {
-        address = "95.216.1.130";
-        prefixLength = 26;
-      }
    ];
-    interfaces.eth0.ipv6.addresses = [
+    interfaces.ext-br.ipv6.addresses = [
      {
        address = "2a01:4f9:2a:1e9::1";
        prefixLength = 64;
      }
    ];
  };
+
 }
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@ -79,9 +79,7 @@ in {
    powertop
    rxvt-unicode
    sshvnc
-    (pkgs.writers.writeDashBin "sxiv" ''
-      ${pkgs.nsxiv}/bin/nsxiv "$@"
-    '')
+    sxiv
    nsxiv
    taskwarrior
    termite
--- a/lass/2configs/xmonad.nix
+++ b/lass/2configs/xmonad.nix
@ -45,6 +45,7 @@ import XMonad.Layout.Minimize (minimize)
 import XMonad.Layout.NoBorders (smartBorders)
 import XMonad.Layout.MouseResizableTile (mouseResizableTile)
 import XMonad.Layout.SimplestFloat (simplestFloat)
+import XMonad.Layout.StateFull
 import XMonad.ManageHook (composeAll)
 import XMonad.Prompt (autoComplete, font, searchPredicate, XPConfig)
 import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
@ -87,7 +88,7 @@ main = do

 myLayoutHook = defLayout
  where
-    defLayout = minimize . boringWindows $ ((avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| Full ||| FixedColumn 2 80 80 1 ||| Tall 1 (3/100) (1/2) ||| simplestFloat ||| mouseResizableTile ||| Grid)
+    defLayout = minimize . boringWindows $ ((avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| StateFull ||| FixedColumn 2 80 80 1 ||| Tall 1 (3/100) (1/2) ||| simplestFloat ||| mouseResizableTile ||| Grid)

 floatHooks = composeAll
   [ className =? "Pinentry" --> doCenterFloat
--- a/lass/3modules/drbd.nix
+++ b/lass/3modules/drbd.nix
@ -64,13 +64,42 @@ in {
    services.udev.packages = [ pkgs.drbd ];
    boot.kernelModules = [ "drbd" ];

-    environment.systemPackages = [ pkgs.drbd ];
+    environment.systemPackages = [
+      pkgs.drbd
+      (pkgs.writers.writeDashBin "drbd-change-nodeid" ''
+        # https://linbit.com/drbd-user-guide/drbd-guide-9_0-en/#s-using-truck-based-replication
+        set -efux

+        if [ "$#" -ne 2 ]; then
+          echo '$1 needs to be drbd volume name'
+          echo '$2 needs to be new node id'
+          exit 1
+        fi
+
+
+        TMPDIR=$(mktemp -d)
+        trap 'rm -rf $TMPDIR' EXIT
+
+        V=$1
+        NODE_TO=$2
+        META_DATA_LOCATION=internal
+
+        ${pkgs.drbd}/bin/drbdadm -- --force dump-md $V > "$TMPDIR"/md_orig.txt
+        NODE_FROM=$(cat "$TMPDIR"/md_orig.txt | ${pkgs.gnused}/bin/sed -n 's/^node-id \(.*\);$/\1/p')
+        ${pkgs.gnused}/bin/sed -e "s/node-id $NODE_FROM/node-id $NODE_TO/" \
+          -e "s/^peer.$NODE_FROM. /peer-NEW /" \
+          -e "s/^peer.$NODE_TO. /peer[$NODE_FROM] /" \
+          -e "s/^peer-NEW /peer[$NODE_TO] /" \
+          < "$TMPDIR"/md_orig.txt > "$TMPDIR"/md.txt
+
+        drbdmeta --force $(drbdadm sh-minor $V) v09 $(drbdadm sh-md-dev $V) $META_DATA_LOCATION restore-md "$TMPDIR"/md.txt
+      '')
+    ];

    networking.firewall.allowedTCPPorts = map (device: device.port) (lib.attrValues cfg);
    systemd.services = lib.mapAttrs' (_: device:
      lib.nameValuePair "drbd-${device.name}" {
-        after = [ "systemd-udev.settle.service" "network.target" ];
+        after = [ "systemd-udev.settle.service" "network.target" "retiolum.service" ];
        wants = [ "systemd-udev.settle.service" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
@ -88,7 +117,7 @@ in {
            ''}
            if ! ${pkgs.drbd}/bin/drbdadm adjust ${device.name}; then
              ${pkgs.drbd}/bin/drbdadm down ${device.name}
-              ${pkgs.drbd}/bin/drbdadm create-md ${device.name}
+              ${pkgs.drbd}/bin/drbdadm create-md ${device.name}/0 --max-peers 31
              ${pkgs.drbd}/bin/drbdadm up ${device.name}
            fi
          '';
--- a/lass/5pkgs/drbd9/default.nix
+++ b/lass/5pkgs/drbd9/default.nix
@ -0,0 +1,35 @@
+{ lib, stdenv, git, fetchzip, fetchFromGitHub, kernel }: let
+
+  version = "9.1.7";
+
+in stdenv.mkDerivation {
+  pname = "drbd";
+  version = "${kernel.version}-${version}";
+
+  src = fetchzip {
+    url = "https://pkg.linbit.com//downloads/drbd/9/drbd-9.1.7.tar.gz";
+    sha256 = "sha256-JsbtOrqhZkG7tFEc6tDmj3RlxZggl0HOKfCI8lYtQok=";
+  };
+  # src = fetchFromGitHub {
+  #   owner = "LINBIT";
+  #   repo = "drbd";
+  #   rev = "drbd-${version}";
+  #   sha256 = "sha256-8HAt+k0yi6XsZZ9mkVCQkv2pn65o3Zsa0KwTSBJh0yY=";
+  #   leaveDotGit = true;
+  # };
+
+  nativeBuildInputs = [ git ] ++ kernel.moduleBuildDependencies;
+
+  # hardeningDisable = [ "pic" ];
+
+  makeFlags = kernel.makeFlags ++ [
+    "KDIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+  ];
+
+  installPhase = ''
+    install -D drbd/drbd.ko -t "$out/lib/modules/${kernel.modDirVersion}/updates/"
+    install -D drbd/drbd_transport_tcp.ko -t "$out/lib/modules/${kernel.modDirVersion}/updates/"
+  '';
+
+  enableParallelBuilding = true;
+}
--- a/lass/5pkgs/sxiv/default.nix
+++ b/lass/5pkgs/sxiv/default.nix
@ -0,0 +1,27 @@
+{ nsxiv, writers }:
+
+writers.writeDashBin "sxiv" ''
+  set -efu
+  tmpfile="''${TMPDIR:-/tmp}/nsxiv_pipe_$$"
+  trap 'rm -f -- $tmpfile' EXIT
+
+  if [ "$#" -eq 0 ]; then
+    if [ -t 0 ]; then
+      echo "sxiv: No arguments provided" >&2; exit 1
+    else
+      # Consume stdin and put it in the temporal file
+      cat > "$tmpfile"
+    fi
+  fi
+
+  for arg in "$@"; do
+    # if it's a pipe then drain it to $tmpfile
+    [ -p "$arg" ] && cat "$arg" > "$tmpfile"
+  done
+
+  if [ -s "$tmpfile" ]; then
+    ${nsxiv}/bin/nsxiv -q "$@" "$tmpfile" # -q to silence warnings
+  else
+    ${nsxiv}/bin/nsxiv "$@" # fallback
+  fi
+''