Merge branch 'master' of prism.r:stockholm

This commit is contained in:
jeschli 2018-12-04 19:27:27 +01:00
commit 5030b74cc5
196 changed files with 3041 additions and 3507 deletions

ci.nix

@ -1,4 +1,4 @@
# usage: nix-instantiate --eval --strict --json ./ci.nix # usage: nix-instantiate --eval --json --read-write-mode --strict ci.nix | jq .
with import ./lib; with import ./lib;
let let
pkgs = import <nixpkgs> { overlays = [ (import ./submodules/nix-writers/pkgs) ]; }; pkgs = import <nixpkgs> { overlays = [ (import ./submodules/nix-writers/pkgs) ]; };
@ -16,6 +16,6 @@ let
ci-systems = filterAttrs (_: v: v.ci) system.config.krebs.hosts; ci-systems = filterAttrs (_: v: v.ci) system.config.krebs.hosts;
build = host: owner: build = host: owner:
((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${getEnv "HOME"}/stockholm-build/${host}";}); ((import (toString ./. + "/${owner}/krops.nix") { name = host; }).test {target = "${getEnv "HOME"}/stockholm-tmp";});
in mapAttrs (n: h: build n h.owner.name) ci-systems in mapAttrs (n: h: build n h.owner.name) ci-systems
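Review bot: Every host now builds into the same `${getEnv "HOME"}/stockholm-tmp` target, so two hosts from this attribute set share one working directory if their tests run concurrently, and a stale tree left by one host can bleed into the next. Keeping the host in the path, `target = "${getEnv "HOME"}/stockholm-tmp/${host}";`, preserves the isolation the old `stockholm-build/${host}` path gave while still moving to the new prefix. If the flat path is deliberate (disk space, a single shared checkout), a short comment on the `build` binding saying so would spare the next reader the same question.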


@ -1,19 +1,12 @@
import <nixpkgs/nixos/lib/eval-config.nix> { import <nixpkgs/nixos> {} // rec {
modules = [
(import <nixpkgs/nixos/lib/from-env.nix> "NIXOS_CONFIG" <nixos-config>)
];
}
//
{
lib = import ./lib; lib = import ./lib;
systems = with import ./lib; let systems = with lib; let
ns = getEnv "LOGNAME"; namespace = getEnv "LOGNAME";
systemsDir = <stockholm> + "/${namespace}/1systems";
in in
genAttrs genAttrs
(attrNames (filterAttrs (_: eq "directory") (readDir (<stockholm> + "/${ns}/1systems")))) (attrNames (filterAttrs (_: eq "directory") (readDir systemsDir)))
(name: let (name: import <nixpkgs/nixos> {
config = import (<stockholm> + "/${ns}/1systems/${name}/config.nix"); configuration = import (systemsDir + "/${name}/config.nix");
in import <nixpkgs/nixos/lib/eval-config.nix> {
modules = [ config ];
}); });
} }
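Review bot: `namespace = getEnv "LOGNAME"` evaluates to the empty string when the variable is unset, so `systemsDir` silently becomes `<stockholm>//1systems` and `readDir` fails with a path error that never mentions the missing variable. Guarding it right after the bindings, `in assert namespace != ""; genAttrs ...`, turns that into an assertion failure that names the actual cause. The rest of the expression reads fine; `lib` is bound once via `rec` and reused for `systems`, which is clearer than the removed double `import ./lib`.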


@ -15,10 +15,4 @@ let
else override; else override;
in in
listToAttrs mapNixDir (path: callPackage path {}) ./.
(map
(name: nameValuePair (removeSuffix ".nix" name)
(callPackage (./. + "/${name}") {}))
(filter
(name: name != "default.nix" && !hasPrefix "." name)
(attrNames (readDir ./.))))


@ -24,8 +24,9 @@ import Control.Monad.Extra (whenJustM)
import Graphics.X11.ExtraTypes.XF86 import Graphics.X11.ExtraTypes.XF86
import Text.Read (readEither) import Text.Read (readEither)
import XMonad import XMonad
import System.IO (hPutStrLn, stderr)
import System.Environment (getArgs, withArgs, getEnv, getEnvironment, lookupEnv) import System.Environment (getArgs, withArgs, getEnv, getEnvironment, lookupEnv)
import System.Exit (exitFailure)
import System.IO (hPutStrLn, stderr)
import System.Posix.Process (executeFile) import System.Posix.Process (executeFile)
import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace
, removeEmptyWorkspace) , removeEmptyWorkspace)
@ -66,12 +67,14 @@ myFont = "-schumacher-*-*-*-*-*-*-*-*-*-*-*-iso10646-*"
main :: IO () main :: IO ()
main = getArgs >>= \case main = getArgs >>= \case
["--shutdown"] -> sendShutdownEvent [] -> mainNoArgs
_ -> mainNoArgs ["--shutdown"] -> shutdown
args -> hPutStrLn stderr ("bad arguments: " <> show args) >> exitFailure
mainNoArgs :: IO () mainNoArgs :: IO ()
mainNoArgs = do mainNoArgs = do
workspaces0 <- getWorkspaces0 workspaces0 <- getWorkspaces0
handleShutdownEvent <- newShutdownEventHandler
xmonad xmonad
-- $ withUrgencyHookC dzenUrgencyHook { args = ["-bg", "magenta", "-fg", "magenta", "-h", "2"], duration = 500000 } -- $ withUrgencyHookC dzenUrgencyHook { args = ["-bg", "magenta", "-fg", "magenta", "-h", "2"], duration = 500000 }
-- urgencyConfig { remindWhen = Every 1 } -- urgencyConfig { remindWhen = Every 1 }
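Review bot: The new catch-all branch in `main` reports `bad arguments: ...` but never says what is accepted, so the only way to discover `--shutdown` is to read the source. Appending a usage line to the same message, `args -> hPutStrLn stderr ("bad arguments: " <> show args <> "\nusage: <program> [--shutdown]") >> exitFailure`, costs one expression and matches the explicit `[]` / `["--shutdown"]` dispatch above it (substitute the binary's real name for the placeholder). `mainNoArgs` continues past the end of the hunk.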


@ -6,7 +6,7 @@
; ;
source = { test }: lib.evalSource [ source = { test }: lib.evalSource [
krebs-source (krebs-source { test = test; })
{ {
nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix"; nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
secrets = if test then { secrets = if test then {


@ -10,7 +10,6 @@
<stockholm/krebs/2configs> <stockholm/krebs/2configs>
<stockholm/krebs/2configs/buildbot-stockholm.nix> <stockholm/krebs/2configs/buildbot-stockholm.nix>
<stockholm/krebs/2configs/gitlab-runner-shackspace.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix> <stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/ircd.nix> <stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/reaktor-retiolum.nix> <stockholm/krebs/2configs/reaktor-retiolum.nix>


@ -0,0 +1,33 @@
{lib, ... }:
with lib;
let
domain = "cache.nsupdate.info";
in {
# This only works for a single domain for nsupdate.info as multiple usernames
# and passwords are required for multiple domains
services.ddclient = {
enable = true;
server = "ipv4.nsupdate.info";
username = domain;
password = import ((toString <secrets>) + "/nsupdate-cache.nix");
domains = [ domain ];
use= "if, if=et0";
# use = "web, web=http://ipv4.nsupdate.info/myip";
};
krebs.cachecache = {
enable = true;
enableSSL = false; # disable letsencrypt for testing
cacheDir = "/var/cache/nix-cache-cache";
maxSize = "10g";
# assumes that the domain is reachable from the internet
virtualHost = domain;
};
boot.kernelModules = [ "tcp_bbr" ];
boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
boot.kernel.sysctl."net.core.default_qdisc" = "fq";
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
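Review bot: `password = import ((toString <secrets>) + "/nsupdate-cache.nix")` reads the secret at evaluation time, so its value is baked into the generated ddclient configuration; if the ddclient module writes that file into the Nix store, as it did at the time, the credential becomes world-readable on the host and is copied along with the closure to any machine or binary cache it is pushed to. If the module offers a file-based alternative, pointing it at the secret path so it is read at runtime avoids this; otherwise a comment such as `# NOTE: this secret lands in the nix store; rotate it if the closure is ever shared` documents the accepted risk. Separately, `networking.firewall.allowedTCPPorts = [ 80 443 ]` opens 443 although `enableSSL = false` leaves nothing listening there, so `[ 80 ]` is enough until TLS is switched on.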


@ -5,7 +5,7 @@
6667 6669 6667 6669
]; ];
services.charybdis = { krebs.charybdis = {
enable = true; enable = true;
motd = '' motd = ''
hello hello


@ -243,7 +243,7 @@ let
in { in {
systemd.services.airdcpp = { systemd.services.airdcpp = {
description = "airdcpp webui"; description = "airdcpp webui";
after = [ "network.target" ]; after = [ "network.target" "local-fs.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
restartIfChanged = true; restartIfChanged = true;
serviceConfig = { serviceConfig = {


@ -362,7 +362,7 @@ let
# normally we should write buildbot.tac by our own # normally we should write buildbot.tac by our own
# ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir} # ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir}
chmod 700 -R ${workdir} chmod 700 ${workdir}
chown buildbotMaster:buildbotMaster -R ${workdir} chown buildbotMaster:buildbotMaster -R ${workdir}
''; '';
ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}"; ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}";
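Review bot: Dropping `-R` from `chmod 700 ${workdir}` (and the same edit in the buildbot slave preStart hunk that follows) changes what the unit guarantees: only the directory itself is made private, while files created on earlier runs keep whatever mode they already had. A 700 directory is enough to deny other users traversal, so this is not a hole, but with `chown buildbotMaster:buildbotMaster -R ${workdir}` staying recursive on the adjacent line the asymmetry reads as accidental. A comment such as `# 700 on the directory alone blocks traversal; -R was dropped because it is slow on large workdirs` would pin the intent, assuming that is the reason.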


@ -166,7 +166,7 @@ let
echo ${description} > ${workdir}/info/host echo ${description} > ${workdir}/info/host
chown buildbotSlave:buildbotSlave -R ${workdir} chown buildbotSlave:buildbotSlave -R ${workdir}
chmod 700 -R ${workdir} chmod 700 ${workdir}
''; '';
ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}"; ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}";
ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}"; ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}";


@ -0,0 +1,171 @@
{ config, lib, ... }:
# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
# related: https://github.com/nh2/nix-binary-cache-proxy
with lib;
let
cfg = config.krebs.cachecache;
nginxCfg = config.services.nginx;
cacheFallbackConfig = {
proxyPass = "$upstream_endpoint";
extraConfig = ''
# Default is HTTP/1, keepalive is only enabled in HTTP/1.1.
proxy_http_version 1.1;
# Remove the Connection header if the client sends it, it could
# be "close" to close a keepalive connection
proxy_set_header Connection "";
# Needed for CloudFront.
proxy_ssl_server_name on;
proxy_set_header Host $proxy_host;
proxy_cache nix_cache_cache;
proxy_cache_valid 200 302 60m;
proxy_cache_valid 404 1m;
expires max;
add_header Cache-Control $nix_cache_cache_header always;
'';
};
in
{
options = {
krebs.cachecache = {
enable = mkEnableOption "Nix binary cache cache";
virtualHost = mkOption {
type = types.str;
default = "nix-cache";
description = ''
Name of the nginx virtualhost to use and setup. If null, do
not setup any virtualhost.
'';
};
enableSSL = mkOption {
type = types.bool;
default = true;
description = ''
enable SSL via letsencrypt. Requires working dns resolution and open
internet tls port.
'';
};
# webRoot = mkOption {
# type = types.str;
# default = "/";
# description = ''
# Directory on virtual host that serves the cache. Must end in
# <literal>/</literal>.
# '';
# };
resolver = mkOption {
type = types.str;
description = "Address of DNS resolver.";
default = "8.8.8.8 ipv6=off";
example = "127.0.0.1 ipv6=off";
};
cacheDir = mkOption {
type = types.str;
default = "/var/cache/nix-cache-cache";
description = ''
Where nginx should store cached data.
'';
};
maxSize = mkOption {
type = types.str;
default = "50g";
description = "Maximum cache size.";
};
};
};
config = mkIf cfg.enable {
networking.firewall.allowedTCPPorts = [ 80 443 ];
systemd.services.nginx.preStart = ''
mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
chown ${nginxCfg.user}:${nginxCfg.group} \
${cfg.cacheDir} /srv/www/nix-cache-cache
'';
services.nginx = {
enable = true;
appendHttpConfig = ''
proxy_cache_path ${cfg.cacheDir}
levels=1:2
keys_zone=nix_cache_cache:100m
max_size=${cfg.maxSize}
inactive=365d
use_temp_path=off;
# Cache only success status codes; in particular we don't want
# to cache 404s. See https://serverfault.com/a/690258/128321.
map $status $nix_cache_cache_header {
200 "public";
302 "public";
default "no-cache";
}
'';
virtualHosts.${cfg.virtualHost} = {
addSSL = cfg.enableSSL;
enableACME = cfg.enableSSL;
extraConfig = ''
# Using a variable for the upstream endpoint to ensure that it is
# resolved at runtime as opposed to once when the config file is loaded
# and then cached forever (we don't want that):
# see https://tenzer.dk/nginx-with-dynamic-upstreams/
# This fixes errors like
#
# nginx: [emerg] host not found in upstream "upstream.example.com"
#
# when the upstream host is not reachable for a short time when
# nginx is started.
resolver ${cfg.resolver} valid=10s;
set $upstream_endpoint https://cache.nixos.org;
'';
locations."/" =
{
root = "/srv/www/nix-cache-cache";
extraConfig = ''
expires max;
add_header Cache-Control $nix_cache_cache_header always;
# Ask the upstream server if a file isn't available
# locally.
error_page 404 = @fallback;
# Don't bother logging the above 404.
log_not_found off;
'';
};
locations."@fallback" = cacheFallbackConfig;
# We always want to copy cache.nixos.org's nix-cache-info
# file, and ignore our own, because `nix-push` by default
# generates one without `Priority` field, and thus that file
# by default has priority 50 (compared to cache.nixos.org's
# `Priority: 40`), which will make download clients prefer
# `cache.nixos.org` over our binary cache.
locations."= /nix-cache-info" = cacheFallbackConfig;
};
};
};
}
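Review bot: `proxy_cache_valid 404 1m;` in `cacheFallbackConfig` makes nginx cache upstream 404s for a minute, which contradicts the comment in `appendHttpConfig` stating that 404s must not be cached; the `map` below that comment only decides the `Cache-Control` header sent to clients, not what nginx keeps in its own cache. Either drop the 404 line or reword the comment to say that short negative caching is intended to absorb repeated misses. The `virtualHost` description also says "If null, do not setup any virtualhost", yet the option is `types.str` with default `"nix-cache"`, so null is rejected at evaluation — make it `types.nullOr types.str` and guard the `virtualHosts.${cfg.virtualHost}` attribute, or delete that sentence. Finally `allowedTCPPorts = [ 80 443 ]` is opened even when `enableSSL = false`; `[ 80 ] ++ optional cfg.enableSSL 443` keeps the firewall in step with what is actually listening.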


@ -0,0 +1,110 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkEnableOption mkIf mkOption singleton types;
inherit (pkgs) coreutils charybdis;
cfg = config.krebs.charybdis;
configFile = pkgs.writeText "charybdis.conf" ''
${cfg.config}
'';
in
{
###### interface
options = {
krebs.charybdis = {
enable = mkEnableOption "Charybdis IRC daemon";
config = mkOption {
type = types.string;
description = ''
Charybdis IRC daemon configuration file.
'';
};
statedir = mkOption {
type = types.string;
default = "/var/lib/charybdis";
description = ''
Location of the state directory of charybdis.
'';
};
user = mkOption {
type = types.string;
default = "ircd";
description = ''
Charybdis IRC daemon user.
'';
};
group = mkOption {
type = types.string;
default = "ircd";
description = ''
Charybdis IRC daemon group.
'';
};
motd = mkOption {
type = types.nullOr types.lines;
default = null;
description = ''
Charybdis MOTD text.
Charybdis will read its MOTD from /etc/charybdis/ircd.motd .
If set, the value of this option will be written to this path.
'';
};
};
};
###### implementation
config = mkIf cfg.enable (lib.mkMerge [
{
users.users = singleton {
name = cfg.user;
description = "Charybdis IRC daemon user";
uid = config.ids.uids.ircd;
group = cfg.group;
};
users.groups = singleton {
name = cfg.group;
gid = config.ids.gids.ircd;
};
systemd.services.charybdis = {
description = "Charybdis IRC daemon";
wantedBy = [ "multi-user.target" ];
environment = {
BANDB_DBPATH = "${cfg.statedir}/ban.db";
};
serviceConfig = {
ExecStart = "${charybdis}/bin/charybdis -foreground -logfile /dev/stdout -configfile ${configFile}";
Group = cfg.group;
User = cfg.user;
PermissionsStartOnly = true; # preStart needs to run with root permissions
};
preStart = ''
${coreutils}/bin/mkdir -p ${cfg.statedir}
${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir}
'';
};
}
(mkIf (cfg.motd != null) {
environment.etc."charybdis/ircd.motd".text = cfg.motd;
})
]);
}
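Review bot: `configFile = pkgs.writeText "charybdis.conf" ''${cfg.config}''` places the entire configuration in the Nix store, so any operator, link or auth password that a charybdis config commonly carries becomes world-readable on the host and travels with the closure. If secrets are expected in there, a `configFile` path option read at service start is the usual fix; at minimum the `config` option description should add `Note: this value is stored world-readable in the Nix store; do not put passwords here.`. Separately, all four string options use `types.string`, which nixpkgs has deprecated in favour of `types.str`; the old type merges duplicate definitions by concatenation rather than rejecting them, which is rarely what a path or user name wants.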


@ -26,10 +26,19 @@ let
hostname = config.networking.hostName; hostname = config.networking.hostName;
getJobs = pkgs.writeDash "get_jobs" '' getJobs = pkgs.writeDash "get_jobs" ''
nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null set -efu
nix-instantiate --quiet -Q --eval --strict --json ./ci.nix ${pkgs.nix}/bin/nix-build --no-out-link --quiet -Q ./ci.nix >&2
json="$(${pkgs.nix}/bin/nix-instantiate --quiet -Q --eval --strict --json ./ci.nix)"
echo "$json" | ${pkgs.jq}/bin/jq -r 'to_entries[] | [.key, .value] | @tsv' \
| while read -r host builder; do
gcroot=${shell.escape profileRoot}/$host-builder
${pkgs.nix}/bin/nix-env -p "$gcroot" --set "$builder"
done
echo "$json"
''; '';
profileRoot = "/nix/var/nix/profiles/ci";
imp = { imp = {
krebs.buildbot.master = { krebs.buildbot.master = {
slaves = { slaves = {
@ -98,9 +107,16 @@ let
self.addBuildSteps([steps.ShellCommand( self.addBuildSteps([steps.ShellCommand(
name=str(new_step), name=str(new_step),
command=[ command=[
new_steps[new_step] "${pkgs.writeDash "build-stepper.sh" ''
set -efu
profile=${shell.escape profileRoot}/$build_name
result=$("$build_script")
${pkgs.nix}/bin/nix-env -p "$profile" --set "$result"
''}"
], ],
env={ env={
"build_name": new_step,
"build_script": new_steps[new_step],
"NIX_REMOTE": "daemon", "NIX_REMOTE": "daemon",
"NIX_PATH": "secrets=/var/src/stockholm/null:/var/src", "NIX_PATH": "secrets=/var/src/stockholm/null:/var/src",
}, },
@ -163,6 +179,20 @@ let
password = "lasspass"; password = "lasspass";
packages = with pkgs; [ gnumake jq nix populate gnutar lzma gzip ]; packages = with pkgs; [ gnumake jq nix populate gnutar lzma gzip ];
}; };
system.activationScripts.buildbots-nix-profile = ''
${pkgs.coreutils}/bin/mkdir -p ${shell.escape profileRoot}
${pkgs.coreutils}/bin/chmod 0770 ${shell.escape profileRoot}
${pkgs.coreutils}/bin/chgrp buildbots ${shell.escape profileRoot}
'';
users = {
groups.buildbots.gid = genid "buildbots";
users = {
buildbotMaster.extraGroups = [ "buildbots" ];
buildbotSlave.extraGroups = [ "buildbots" ];
};
};
}; };
in out in out
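Review bot: The new `get_jobs` loop and `build-stepper.sh` register every builder and build result under `profileRoot` with `nix-env -p ... --set`, but nothing in the hunk says why, so a reader has to infer that these profiles exist to act as GC roots keeping the last result per host alive across `nix-collect-garbage`. A comment beside `profileRoot = "/nix/var/nix/profiles/ci";`, e.g. `# profiles under here are GC roots for the last builder/result of each host`, would make that explicit. One hedged observation on the activation script: `chgrp buildbots` is not recursive, so profile links created before the group existed keep their old group and may not be updatable by the other account should master and slave ever write the same profile name.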


@ -14,6 +14,8 @@ let
./buildbot/master.nix ./buildbot/master.nix
./buildbot/slave.nix ./buildbot/slave.nix
./build.nix ./build.nix
./cachecache.nix
./charybdis.nix
./ci.nix ./ci.nix
./current.nix ./current.nix
./exim.nix ./exim.nix
@ -111,7 +113,6 @@ let
{ krebs = import ./krebs { inherit config; }; } { krebs = import ./krebs { inherit config; }; }
{ krebs = import ./lass { inherit config; }; } { krebs = import ./lass { inherit config; }; }
{ krebs = import ./makefu { inherit config; }; } { krebs = import ./makefu { inherit config; }; }
{ krebs = import ./nin { inherit config; }; }
{ krebs = import ./tv { inherit config; }; } { krebs = import ./tv { inherit config; }; }
{ {
krebs.dns.providers = { krebs.dns.providers = {
@ -201,6 +202,7 @@ let
"cfp@eloop.org" = eloop-ml; "cfp@eloop.org" = eloop-ml;
"kontakt@eloop.org" = eloop-ml; "kontakt@eloop.org" = eloop-ml;
"root@eloop.org" = eloop-ml; "root@eloop.org" = eloop-ml;
"youtube@eloop.org" = eloop-ml;
"eloop2016@krebsco.de" = eloop-ml; "eloop2016@krebsco.de" = eloop-ml;
"eloop2017@krebsco.de" = eloop-ml; "eloop2017@krebsco.de" = eloop-ml;
"postmaster@krebsco.de" = spam-ml; # RFC 822 "postmaster@krebsco.de" = spam-ml; # RFC 822


@ -38,11 +38,6 @@ let
''; '';
default = {}; default = {};
}; };
maxTime = mkOption {
type = types.int;
default = 0;
description = "Time to wait before download is aborted";
};
}; };
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" '' fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
@ -51,8 +46,8 @@ let
mkdir -p ${cfg.stateDir} mkdir -p ${cfg.stateDir}
chmod o+rx ${cfg.stateDir} chmod o+rx ${cfg.stateDir}
cd ${cfg.stateDir} cd ${cfg.stateDir}
(curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || : (curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper feh --no-fehbg --bg-scale wallpaper
''; '';
imp = { imp = {
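Review bot: Removing `--max-time` leaves the `curl` call in `fetchWallpaperScript` with no upper bound at all, so an unresponsive `cfg.url` stalls the fetch until the connection dies, and the trailing `|| :` ensures nobody hears about it. The removed option defaulted to 0, i.e. no bound unless configured, so the knob was the only way to get a timeout; if dropping the option is deliberate, a fixed bound such as `curl --max-time 60 -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url}` keeps the guard without it, otherwise reinstating `--max-time ${toString cfg.maxTime}` is the one-line fix. The `feh` line now uses the relative `wallpaper`, which is fine because the script `cd`s into `cfg.stateDir` two lines earlier.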


@ -57,7 +57,7 @@ let
user = rec { user = rec {
name = "github-hosts-sync"; name = "github-hosts-sync";
uid = genid name; uid = genid_uint31 name;
}; };
# TODO move to lib? # TODO move to lib?


@ -15,8 +15,9 @@ with import <stockholm/lib>;
cores = 4; cores = 4;
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
prism IN A ${nets.internet.ip4.addr} cache IN A ${nets.internet.ip4.addr}
paste IN A ${nets.internet.ip4.addr} paste IN A ${nets.internet.ip4.addr}
prism IN A ${nets.internet.ip4.addr}
''; '';
"lassul.us" = '' "lassul.us" = ''
$TTL 3600 $TTL 3600
@ -27,12 +28,13 @@ with import <stockholm/lib>;
60 IN TXT v=spf1 mx a:lassul.us -all 60 IN TXT v=spf1 mx a:lassul.us -all
60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" ) 60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" )
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us. io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
''; '';
}; };
@ -642,47 +644,6 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
}; };
cabal = {
cores = 2;
nets = rec {
retiolum = {
ip4.addr = "10.243.1.4";
ip6.addr = "42::1:4";
aliases = [
"cabal.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----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-----END RSA PUBLIC KEY-----
'';
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsTeSAedrbp7/KmZX8Mvka702fIUy77Mvqo9HwzCbym";
};
red = { red = {
monitoring = false; monitoring = false;
cores = 1; cores = 1;
@ -714,6 +675,36 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp";
}; };
yellow = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.14";
ip6.addr = "42:0:0:0:0:0:0:14";
aliases = [
"yellow.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
};
blue = { blue = {
cores = 1; cores = 1;
nets = { nets = {
@ -787,9 +778,6 @@ with import <stockholm/lib>;
mail = "lass@daedalus.r"; mail = "lass@daedalus.r";
pubkey = builtins.readFile ./ssh/daedalus.rsa; pubkey = builtins.readFile ./ssh/daedalus.rsa;
}; };
fritz = {
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
};
prism-repo-sync = { prism-repo-sync = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhpCKTnSq6VDJPB+0NiHu2ZxSKEIxHN6uPAPnbXYNCe"; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhpCKTnSq6VDJPB+0NiHu2ZxSKEIxHN6uPAPnbXYNCe";
mail = "lass@prism.r"; mail = "lass@prism.r";
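Review bot: The new `yellow` host's `ssh.pubkey` carries a trailing space inside the string (`...Bnlkqje "`), so wherever the value is emitted verbatim, such as generated known_hosts or authorized_keys lines, the entry ends in whitespace that some consumers tolerate and others treat as a malformed key; trim it to `ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje";`. The same host's `tinc.pubkey` is a `BEGIN PUBLIC KEY` (SPKI) PEM while every other host visible on this page uses `BEGIN RSA PUBLIC KEY`; tinc may well accept both, but a `# SPKI-encoded on purpose` comment or a re-export in the usual format avoids surprises on a later tinc upgrade. `yellow` also sets neither `ci` nor `secure`, unlike the removed `cabal` entry, which is fine if intended.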


@ -60,7 +60,7 @@ in {
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGaV5Ga5R8RTrA+nclxw6uy5Z+hPBLitQTfuXdsmbVW6 crapi"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGaV5Ga5R8RTrA+nclxw6uy5Z+hPBLitQTfuXdsmbVW6 crapi";
}; };
drop = rec { drop = rec {
ci = true; ci = false;
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
@ -83,7 +83,7 @@ in {
}; };
}; };
studio = rec { studio = rec {
ci = true; ci = false;
cores = 4; cores = 4;
ssh.privkey.path = <secrets/ssh_host_ed25519_key>; ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqBR5gjJkR1TEIs2yx6JRoIOA7+/LJA6kjju8yCauFa studio"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIqBR5gjJkR1TEIs2yx6JRoIOA7+/LJA6kjju8yCauFa studio";
@ -109,7 +109,7 @@ in {
}; };
fileleech = rec { fileleech = rec {
ci = true; ci = false;
cores = 4; cores = 4;
ssh.privkey.path = <secrets/ssh_host_ed25519_key>; ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+jB5QdPsAJc90alYDhAEP3sPDJb6eIj9bebj+rTBEJ fileleech"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+jB5QdPsAJc90alYDhAEP3sPDJb6eIj9bebj+rTBEJ fileleech";
@ -134,7 +134,7 @@ in {
}; };
}; };
latte = rec { latte = rec {
ci = true; ci = false;
cores = 1; cores = 1;
ssh.privkey.path = <secrets/ssh_host_ed25519_key>; ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
# ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrkK1mWfPvfZ9ALC1irGLuzOtMefaGAmGY1VD4dj7K1 latte"; # ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrkK1mWfPvfZ9ALC1irGLuzOtMefaGAmGY1VD4dj7K1 latte";
@ -166,7 +166,7 @@ in {
}; };
pnp = { pnp = {
ci = true; ci = false;
cores = 1; cores = 1;
nets = { nets = {
retiolum = { retiolum = {
@ -190,7 +190,7 @@ in {
}; };
}; };
darth = { darth = {
ci = true; ci = false;
cores = 4; cores = 4;
nets = { nets = {
retiolum = { retiolum = {
@ -404,7 +404,7 @@ in {
}; };
}; };
wry = rec { wry = rec {
ci = true; ci = false;
cores = 1; cores = 1;
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
@ -449,7 +449,7 @@ in {
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH4Tjx9qK6uWtxT1HCpeC0XvDZKO/kaPygyKatpAqU6I root@wry"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH4Tjx9qK6uWtxT1HCpeC0XvDZKO/kaPygyKatpAqU6I root@wry";
}; };
filepimp = rec { filepimp = rec {
ci = true; ci = false;
cores = 1; cores = 1;
nets = { nets = {
lan = { lan = {
@ -494,6 +494,8 @@ in {
ip6.addr = "42:f9f0::10"; ip6.addr = "42:f9f0::10";
aliases = [ aliases = [
"omo.r" "omo.r"
"dcpp.omo.r"
"torrent.omo.r"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -554,7 +556,7 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5ZmJSypW3LXIJ67DdbxMxCfLtORFkl5jEuD131S5Tr"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5ZmJSypW3LXIJ67DdbxMxCfLtORFkl5jEuD131S5Tr";
}; };
nextgum = rec { gum = rec {
ci = true; ci = true;
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
@ -563,6 +565,23 @@ in {
graph IN A ${nets.internet.ip4.addr} graph IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr} gold IN A ${nets.internet.ip4.addr}
iso.euer IN A ${nets.internet.ip4.addr} iso.euer IN A ${nets.internet.ip4.addr}
wg.euer IN A ${nets.internet.ip4.addr}
photostore IN A ${nets.internet.ip4.addr}
o.euer IN A ${nets.internet.ip4.addr}
mon.euer IN A ${nets.internet.ip4.addr}
boot.euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
pigstarter IN A ${nets.internet.ip4.addr}
cgit.euer IN A ${nets.internet.ip4.addr}
git.euer IN A ${nets.internet.ip4.addr}
euer IN A ${nets.internet.ip4.addr}
share.euer IN A ${nets.internet.ip4.addr}
gum IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
dl.euer IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr}
dockerhub IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
''; '';
}; };
cores = 8; cores = 8;
@ -571,6 +590,7 @@ in {
ip4.addr = "144.76.26.247"; ip4.addr = "144.76.26.247";
ip6.addr = "2a01:4f8:191:12f6::2"; ip6.addr = "2a01:4f8:191:12f6::2";
aliases = [ aliases = [
"gum.i"
"nextgum.i" "nextgum.i"
]; ];
}; };
@ -594,71 +614,17 @@ in {
"stats.makefu.r" "stats.makefu.r"
"backup.makefu.r" "backup.makefu.r"
"dcpp.nextgum.r" "dcpp.nextgum.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAucCebFmS96WorD+Br4UQudmAhMlLpacErjwA/u2argBTT2nGHTR8
aN4e0xf3IYLA+iogLIW/JuQfKLe8evEK21iZ3jleW8N7mbCulhasi/0lqWlirrpO
npJAiSNF1m7ijoylkEKxtmehze+8ojprUT2hx1ImMlHMWGxvs+TmBbZBMgxAGMJh
6cMMDJQi+4d9XrJQ3+XUVK3MkviLA91oIAXsLdFptL6b12siUaz4StQXDJUHemBF
3ZwlO+W2Es69ifEhmV6NaDDRcSRdChGbHTz1OU8wYaFNaxWla/iprQQ+jEUldpcN
VC18QGYRUAgZ0PCIpKurjWNehJFB3zXt+wIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum";
};
gum = rec {
ci = true;
cores = 2;
extraZones = {
"krebsco.de" = ''
share.euer IN A ${nets.internet.ip4.addr}
mattermost.euer IN A ${nets.internet.ip4.addr}
gum IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
pigstarter IN A ${nets.internet.ip4.addr}
cgit.euer IN A ${nets.internet.ip4.addr}
euer IN A ${nets.internet.ip4.addr}
o.euer IN A ${nets.internet.ip4.addr}
git.euer IN A ${nets.internet.ip4.addr}
dl.euer IN A ${nets.internet.ip4.addr}
boot.euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
mon.euer IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr}
dockerhub IN A ${nets.internet.ip4.addr}
photostore IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
'';
};
nets = rec {
internet = {
ip4.addr = "185.194.143.140";
ip6.addr = "2a03:4000:1c:43f::1";
aliases = [
"gum.i"
];
};
retiolum = {
via = internet;
ip4.addr = "10.243.0.211";
ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d2";
aliases = [
"gum.r" "gum.r"
"cgit.gum.r" "cgit.gum.r"
"o.gum.r" "o.gum.r"
"tracker.makefu.r" "tracker.makefu.r"
"search.makefu.r" "search.makefu.r"
"wiki.makefu.r" "wiki.makefu.r"
"wiki.gum.r" "wiki.gum.r"
"blog.makefu.r" "blog.makefu.r"
"blog.gum.r" "blog.gum.r"
"dcpp.gum.r" "dcpp.gum.r"
"torrent.gum.r"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -672,12 +638,11 @@ in {
''; '';
}; };
}; };
# configured manually
# ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum";
}; };
shoney = rec { shoney = rec {
ci = true; ci = false;
cores = 1; cores = 1;
nets = rec { nets = rec {
siem = { siem = {
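Review bot: Folding `nextgum` into `gum` carries every A record from the old `gum` block into the merged `krebsco.de` zone except `mattermost.euer IN A ${nets.internet.ip4.addr}`, which appears nowhere on the new side, so that name stops resolving once this is deployed; if the service is gone that is fine, otherwise the line needs to move across. The merged host also takes `nextgum`'s `144.76.26.247` address while keeping the existing SSH key, so anything outside this file that pinned the old `185.194.143.140` deserves a look, and a one-line comment on `gum` noting the migration would help now that the `# configured manually` remark is gone. The remaining `ci = true` → `ci = false` edits across this file are straightforward.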


@ -1,111 +0,0 @@
{ config, ... }:
with import <stockholm/lib>;
{
hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.nin;
ci = true;
}) {
hiawatha = {
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.132.96";
ip6.addr = "42:0000:0000:0000:0000:0000:0000:2342";
aliases = [
"hiawatha.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAucIe5yLzKJ8F982XRpZT6CvyXuPrtnNTmw/E/T6Oyq88m/OVHh6o
Viho1XAlJZZwqNniItD0AQB98uFB3+3yA7FepnwwC+PEceIfBG4bTDNyYD3ZCsAB
iWpmRar9SQ7LFnoZ6X2lYaJkUD9afmvXqJJLR5MClnRQo5OSqXaFdp7ryWinHP7E
UkPSNByu4LbQ9CnBEW8mmCVZSBLb8ezxg3HpJSigmUcJgiDBJ6aj22BsZ5L+j1Sr
lvUuaCr8WOS41AYsD5dbTYk7EG42tU5utrOS6z5yHmhbA5r8Ro2OFi/R3Td68BIJ
yw/m8sfItBCvjJSMEpKHEDfGMBCfQKltCwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx";
};
axon= {
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.134.66";
ip6.addr = "42:0000:0000:0000:0000:0000:0000:1379";
aliases = [
"axon.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----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-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ubHA2pQzV4tQq9D1zRTD1xOSR6xZM3z6te+5A1ekc";
};
onondaga = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.132.55";
ip6.addr = "42:0000:0000:0000:0000:0000:0000:1357";
aliases = [
"onondaga.r"
"cgit.onondaga.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAqj6NPhRVsr8abz9FFx9+ld3amfxN7SRNccbksUOqkufGS0vaupFR
OWsgj4Qmt3lQ82YVt5yjx0FZHkAsenCEKM3kYoIb4nipT0e1MWkQ7plVveMfGkiu
htaJ1aCbI2Adxfmk4YbyAr8k3G+Zl9t7gTikBRh7cf5PMiu2JhGUZHzx9urR0ieH
xyashZFjl4TtIy4q6QTiyST9kfzteh8k7CJ72zfYkdHl9dPlr5Nk22zH9xPkyzmO
kCNeknuDqKeTT9erNtRLk6pjEcyutt0y2/Uq6iZ38z5qq9k4JzcMuQ3YPpNy8bxn
hVuk2qBu6kBTUW3iLchoh0d4cfFLWLx1SQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmQk7AXsYLzjUrOjsuhZ3+gT7FjhPtjwxv5XnuU8GJO";
};
};
users = {
nin = {
mail = "nin@axon.r";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl4jHl2dya9Tecot7AcHuk57FiPN0lo8eDa03WmTOCCU7gEJLgpi/zwLxY/K4eXsDgOt8LJwddicgruX2WgIYD3LnwtuN40/U9QqqdBIv/5sYZTcShAK2jyPj0vQJlVUpL7DLxxRH+t4lWeRw/1qaAAVt9jEVbzT5RH233E6+SbXxfnQDhDwOXwD1qfM10BOGh63iYz8/loXG1meb+pkv3HTf5/D7x+/y1XvWRPKuJ2Ml33p2pE3cTd+Tie1O8CREr45I9JOIOKUDQk1klFL5NNXnaQ9h1FRCsnQuoGztoBq8ed6XXL/b8mQ0lqJMxHIoCuDN/HBZYJ0z+1nh8X6XH nin@axon";
};
nin_h = {
mail = "nin@hiawatha.r";
pubkey = "ssh-rsa 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 nin@hiawatha";
};
};
}


@ -77,7 +77,190 @@ let
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
ExecStart = "${pkgs.realwallpaper}/realwallpaper.sh"; ExecStart = pkgs.writeDash "generate-wallpaper" ''
set -xeuf
# usage: getimg FILENAME URL
fetch() {
echo "fetch $1"
curl -LsS -z "$1" -o "$1" "$2"
}
# usage: check_type FILENAME TYPE
check_type() {
if ! file -ib "$1" | grep -q "^$2/"; then
echo "$1 is not of type $2" >&2
rm "$1"
return 1
fi
}
# usage: image_size FILENAME
image_size() {
identify "$1" | awk '{print$3}'
}
# usage: make_mask DST SRC MASK
make_layer() {
if needs_rebuild "$@"; then
echo "make $1 (apply mask)" >&2
convert "$2" "$3" -alpha off -compose copy_opacity -composite "$1"
fi
}
# usage: flatten DST HILAYER LOLAYER
flatten() {
if needs_rebuild "$@"; then
echo "make $1 (flatten)" >&2
composite "$2" "$3" "$1"
fi
}
# usage: needs_rebuild DST SRC...
needs_rebuild() {
a="$1"
shift
if ! test -e "$a"; then
#echo " $a does not exist" >&2
result=0
else
result=1
for b; do
if test "$b" -nt "$a"; then
#echo " $b is newer than $a" >&2
result=0
fi
done
fi
#case $result in
# 0) echo "$a needs rebuild" >&2;;
#esac
return $result
}
main() {
cd ${cfg.workingDir}
# fetch source images in parallel
fetch nightmap-raw.jpg \
${cfg.nightmap} &
fetch daymap-raw.png \
${cfg.daymap} &
fetch clouds-raw.jpg \
${cfg.cloudmap} &
fetch marker.json \
${cfg.marker} &
wait
check_type nightmap-raw.jpg image
check_type daymap-raw.png image
check_type clouds-raw.jpg image
in_size=2048x1024
xplanet_out_size=1466x1200
out_geometry=1366x768+100+160
nightsnow_color='#0c1a49' # nightmap
for raw in \
nightmap-raw.jpg \
daymap-raw.png \
clouds-raw.jpg \
;
do
normal=''${raw%-raw.*}.png
if needs_rebuild $normal $raw; then
echo "make $normal; normalize $raw" >&2
convert $raw -scale $in_size $normal
fi
done
# create nightmap-fullsnow
if needs_rebuild nightmap-fullsnow.png; then
convert -size $in_size xc:$nightsnow_color nightmap-fullsnow.png
fi
# extract daymap-snowmask from daymap-final
if needs_rebuild daymap-snowmask.png daymap.png; then
convert daymap.png -threshold 95% daymap-snowmask.png
fi
# extract nightmap-lightmask from nightmap
if needs_rebuild nightmap-lightmask.png nightmap.png; then
convert nightmap.png -threshold 25% nightmap-lightmask.png
fi
# create layers
make_layer nightmap-snowlayer.png nightmap-fullsnow.png daymap-snowmask.png
make_layer nightmap-lightlayer.png nightmap.png nightmap-lightmask.png
# apply layers
flatten nightmap-lightsnowlayer.png \
nightmap-lightlayer.png \
nightmap-snowlayer.png
flatten nightmap-final.png \
nightmap-lightsnowlayer.png \
nightmap.png
# create marker file from json
if [ -s marker.json ]; then
jq -r 'to_entries[] | @json "\(.value.latitude) \(.value.longitude)"' marker.json > marker_file
fi
# make all unmodified files as final
for normal in \
daymap.png \
clouds.png \
;
do
final=''${normal%.png}-final.png
needs_rebuild $final &&
ln $normal $final
done
# rebuild every time to update shadow
xplanet --num_times 1 --geometry $xplanet_out_size \
--output xplanet-output.png --projection merc \
-config ${pkgs.writeText "xplanet.config" ''
[earth]
"Earth"
map=daymap-final.png
night_map=nightmap-final.png
cloud_map=clouds-final.png
cloud_threshold=10
shade=15
''}
xplanet --num_times 1 --geometry $xplanet_out_size \
--output xplanet-krebs-output.png --projection merc \
-config ${pkgs.writeText "xplanet-krebs.config" ''
[earth]
"Earth"
map=daymap-final.png
night_map=nightmap-final.png
cloud_map=clouds-final.png
cloud_threshold=10
marker_file=marker_file
shade=15
''}
# trim xplanet output
if needs_rebuild realwallpaper.png xplanet-output.png; then
convert xplanet-output.png -crop $out_geometry \
realwallpaper-tmp.png
mv realwallpaper-tmp.png realwallpaper.png
fi
if needs_rebuild realwallpaper-krebs.png xplanet-krebs-output.png; then
convert xplanet-krebs-output.png -crop $out_geometry \
realwallpaper-krebs-tmp.png
mv realwallpaper-krebs-tmp.png realwallpaper-krebs.png
fi
}
main "$@"
'';
User = "realwallpaper"; User = "realwallpaper";
}; };
}; };
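Review bot: The `fetch` helper at the top of the inlined script runs curl without `--fail` or a timeout, so an HTTP error body gets written over the target file and a stalled upstream blocks the service indefinitely; `check_type` later rejects a non-image for the three maps, but `marker.json` is only size-checked (`[ -s marker.json ]`) before it reaches jq. Suggest `curl -LsSf --max-time 300 -z "$1" -o "$1" "$2"` so a 4xx/5xx leaves the previous good file untouched and a fetch cannot hang the unit. Note also that the bare `wait` after the backgrounded fetches does not propagate their exit status under `set -e`, so a failed download is only noticed indirectly through `check_type`. The enclosing `systemd.services` attrset starts and ends outside the hunk.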


@ -75,6 +75,7 @@ let
${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
''} ''}
${tinc.config.tincUpExtra}
''; '';
description = '' description = ''
tinc-up script to be used. Defaults to setting the tinc-up script to be used. Defaults to setting the
@ -83,6 +84,11 @@ let
''; '';
}; };
tincUpExtra = mkOption {
type = types.str;
default = "";
};
tincPackage = mkOption { tincPackage = mkOption {
type = types.package; type = types.package;
default = pkgs.tinc; default = pkgs.tinc;
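Review bot: The new `tincUpExtra` option has no `description`, and its value is interpolated verbatim into the generated tinc-up shell script in the first hunk, so the option doc should say that it is raw shell appended after the address setup, e.g. `description = "Extra shell commands appended verbatim to the generated tinc-up script, run by tinc after the interface addresses are configured.";`. Since it is `types.str` rather than `types.lines`, setting it from two modules produces a definition conflict instead of concatenation; `types.lines` may be the better fit if merging is wanted. The enclosing submodule starts and ends outside the hunk.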

View File

@ -183,7 +183,7 @@ let
user = rec { user = rec {
name = "urlwatch"; name = "urlwatch";
uid = genid name; uid = genid_uint31 name;
}; };
subtypes.job = types.submodule { subtypes.job = types.submodule {


@ -1,13 +1,6 @@
with import <stockholm/lib>; with import <stockholm/lib>;
let let
overrides = self: super: overrides = self: super: mapNixDir (path: self.callPackage path {}) ./.;
listToAttrs
(map
(name: nameValuePair (removeSuffix ".nix" name)
(self.callPackage (./. + "/${name}") {}))
(filter
(name: name != "default.nix" && !hasPrefix "." name)
(attrNames (readDir ./.))));
in in
self: super: self: super:
{ {


@ -1,17 +1,16 @@
{ mkDerivation, base, containers, fetchgit, stdenv, X11, X11-xft, X11-xshape { mkDerivation, base, containers, fetchgit, filepath, stdenv, unix, X11, X11-xft
, xmonad, xmonad-contrib , X11-xshape, xmonad, xmonad-contrib
}: }:
mkDerivation rec { mkDerivation rec {
pname = "xmonad-stockholm"; pname = "xmonad-stockholm";
version = "1.2.0"; version = "1.3.0";
# src = /home/jeschli/projects/haskell/xmonad-stockholm;
src = fetchgit { src = fetchgit {
url = http://cgit.ni.krebsco.de/xmonad-stockholm; url = http://cgit.ni.krebsco.de/xmonad-stockholm;
rev = "refs/tags/v${version}"; rev = "refs/tags/v1.3.0";
sha256 = "13mvmh3kk9a79l1nii028p0n7l95pb78wz9c4j42l90m02mg6cis"; sha256 = "1np5126wn67y0a1r60rnkq828s0w9zjnvai4b8zy3yc02xlkrjm9";
}; };
libraryHaskellDepends = [ libraryHaskellDepends = [
base containers X11 X11-xft X11-xshape xmonad xmonad-contrib base containers filepath unix X11 X11-xft X11-xshape xmonad xmonad-contrib
]; ];
license = stdenv.lib.licenses.mit; license = stdenv.lib.licenses.mit;
} }
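Review bot: `rev = "refs/tags/v1.3.0";` hardcodes what the old line derived from `version`, so the next bump has to be edited in two places; keep `rev = "refs/tags/v${version}";`. The commented-out `# src = /home/jeschli/...` local path is developer residue and should not be committed.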


@ -15,10 +15,4 @@ let
else override; else override;
in in
listToAttrs mapNixDir (path: callPackage path {}) ./.
(map
(name: nameValuePair (removeSuffix ".nix" name)
(callPackage (./. + "/${name}") {}))
(filter
(name: name != "default.nix" && !hasPrefix "." name)
(attrNames (readDir ./.))))


@ -1,122 +0,0 @@
{ stdenv, writeScriptBin, lib, fetchurl, git, cacert
, erlang, openssl, expat, libyaml, bash, gnused, gnugrep, coreutils, utillinux, procps, gd
, withMysql ? false
, withPgsql ? false
, withSqlite ? false, sqlite
, withPam ? false, pam
, withZlib ? true, zlib
, withRiak ? false
, withElixir ? false, elixir
, withIconv ? true
, withTools ? false
, withRedis ? false
}:
let
fakegit = writeScriptBin "git" ''
#! ${stdenv.shell} -e
if [ "$1" = "describe" ]; then
[ -r .rev ] && cat .rev || true
fi
'';
ctlpath = lib.makeBinPath [ bash gnused gnugrep coreutils utillinux procps ];
in stdenv.mkDerivation rec {
version = "18.01";
name = "ejabberd-${version}";
src = fetchurl {
url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz";
sha256 = "01i2n8mlgw293jdf4172f9q8ca8m35vysjws791p7nynpfdb4cn6";
};
nativeBuildInputs = [ fakegit ];
buildInputs = [ erlang openssl expat libyaml gd ]
++ lib.optional withSqlite sqlite
++ lib.optional withPam pam
++ lib.optional withZlib zlib
++ lib.optional withElixir elixir
;
# Apparently needed for Elixir
LANG = "en_US.UTF-8";
deps = stdenv.mkDerivation {
name = "ejabberd-deps-${version}";
inherit src;
configureFlags = [ "--enable-all" "--with-sqlite3=${sqlite.dev}" ];
nativeBuildInputs = [ git erlang openssl expat libyaml sqlite pam zlib elixir ];
GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
makeFlags = [ "deps" ];
phases = [ "unpackPhase" "configurePhase" "buildPhase" "installPhase" ];
installPhase = ''
for i in deps/*; do
( cd $i
git reset --hard
git clean -ffdx
git describe --always --tags > .rev
rm -rf .git
)
done
rm deps/.got
cp -r deps $out
'';
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "1v3h0c7kfifb6wsfxyv5j1wc7rlxbb7r0pgd4s340wiyxnllzzhk";
};
configureFlags =
[ (lib.enableFeature withMysql "mysql")
(lib.enableFeature withPgsql "pgsql")
(lib.enableFeature withSqlite "sqlite")
(lib.enableFeature withPam "pam")
(lib.enableFeature withZlib "zlib")
(lib.enableFeature withRiak "riak")
(lib.enableFeature withElixir "elixir")
(lib.enableFeature withIconv "iconv")
(lib.enableFeature withTools "tools")
(lib.enableFeature withRedis "redis")
] ++ lib.optional withSqlite "--with-sqlite3=${sqlite.dev}";
enableParallelBuilding = true;
patches = [
./ejabberdctl.patch
];
preBuild = ''
cp -r $deps deps
chmod -R +w deps
patchShebangs deps
'';
postInstall = ''
sed -i \
-e '2iexport PATH=${ctlpath}:$PATH' \
-e 's,\(^ *FLOCK=\).*,\1${utillinux}/bin/flock,' \
-e 's,\(^ *JOT=\).*,\1,' \
-e 's,\(^ *CONNLOCKDIR=\).*,\1/var/lock/ejabberdctl,' \
$out/sbin/ejabberdctl
'';
meta = with stdenv.lib; {
description = "Open-source XMPP application server written in Erlang";
license = licenses.gpl2;
homepage = http://www.ejabberd.im;
platforms = platforms.linux;
maintainers = with maintainers; [ sander abbradar ];
broken = withElixir;
};
}


@ -1,32 +0,0 @@
--- a/ejabberdctl.template 1970-01-01 01:00:01.000000000 +0100
+++ b/ejabberdctl.template 2018-04-24 23:06:54.127715441 +0200
@@ -42,19 +42,18 @@
esac
# parse command line parameters
-for arg; do
- case $arg in
- -n|--node) ERLANG_NODE_ARG=$2; shift;;
- -s|--spool) SPOOL_DIR=$2; shift;;
- -l|--logs) LOGS_DIR=$2; shift;;
- -f|--config) EJABBERD_CONFIG_PATH=$2; shift;;
- -c|--ctl-config) EJABBERDCTL_CONFIG_PATH=$2; shift;;
- -d|--config-dir) ETC_DIR=$2; shift;;
- -t|--no-timeout) NO_TIMEOUT="--no-timeout";;
- --) :;;
+while test $# -gt 0; do
+ case $1 in
+ -n|--node) ERLANG_NODE_ARG=$2; shift 2;;
+ -s|--spool) SPOOL_DIR=$2; shift 2;;
+ -l|--logs) LOGS_DIR=$2; shift 2;;
+ -f|--config) EJABBERD_CONFIG_PATH=$2; shift 2;;
+ -c|--ctl-config) EJABBERDCTL_CONFIG_PATH=$2; shift 2;;
+ -d|--config-dir) ETC_DIR=$2; shift 2;;
+ -t|--no-timeout) NO_TIMEOUT="--no-timeout"; shift 1;;
+ # --) :;; what is this for?
*) break;;
esac
- shift
done
# define ejabberd variables if not already defined from the command line


@ -1,24 +0,0 @@
{ stdenv, fetchgit, xplanet, imagemagick, curl, file }:
stdenv.mkDerivation {
name = "realwallpaper";
src = fetchgit {
url = https://github.com/Lassulus/realwallpaper;
rev = "e0563289c2ab592b669ce4549fc40130246e9d79";
sha256 = "1zgk8ips2d686216h203w62wrw7zy9z0lrndx9f8z6f1vpvjcmqc";
};
phases = [
"unpackPhase"
"installPhase"
];
buildInputs = [
];
installPhase = ''
mkdir -p $out
cp realwallpaper.sh $out/realwallpaper.sh
'';
}


@ -1,12 +1,14 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{ {
imports = [ imports = [
./3modules ./3modules
{
nixpkgs.config.packageOverrides =
import ../submodules/nix-writers/pkgs pkgs;
}
]; ];
nixpkgs.config.packageOverrides = import ./5pkgs pkgs;
nixpkgs = {
overlays = [
(import ./5pkgs)
(import ../submodules/nix-writers/pkgs)
];
};
} }


@ -7,15 +7,27 @@
# TODO document why pkgs should be used like this # TODO document why pkgs should be used like this
pkgs = import "${krops}/pkgs" {}; pkgs = import "${krops}/pkgs" {};
krebs-source = { krebs-source = { test ? false }: rec {
nixpkgs.git = { nixpkgs = if test then {
file = {
path = toString (pkgs.fetchFromGitHub {
owner = "nixos";
repo = "nixpkgs";
rev = (lib.importJSON ./nixpkgs.json).rev;
sha256 = (lib.importJSON ./nixpkgs.json).sha256;
});
useChecksum = true;
};
} else {
git = {
ref = (lib.importJSON ./nixpkgs.json).rev; ref = (lib.importJSON ./nixpkgs.json).rev;
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
}; };
};
stockholm.file = toString ../.; stockholm.file = toString ../.;
stockholm-version.pipe = toString (pkgs.writeDash "${name}-version" '' stockholm-version.pipe = toString (pkgs.writeDash "${name}-version" ''
set -efu set -efu
cd ${lib.escapeShellArg krebs-source.stockholm.file} cd ${lib.escapeShellArg stockholm.file}
V=$(${pkgs.coreutils}/bin/date +%y.%m) V=$(${pkgs.coreutils}/bin/date +%y.%m)
if test -d .git; then if test -d .git; then
V=$V.git.$(${pkgs.git}/bin/git describe --always --dirty) V=$V.git.$(${pkgs.git}/bin/git describe --always --dirty)
@ -28,21 +40,17 @@
}; };
source ={ test }: lib.evalSource [ source ={ test }: lib.evalSource [
krebs-source (krebs-source { test = test; })
{ {
nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix"; nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix";
secrets = secrets = if test then {
if test
then {
file = toString <stockholm/krebs/0tests/data/secrets>; file = toString <stockholm/krebs/0tests/data/secrets>;
} } else {
else {
pass = { pass = {
dir = "${lib.getEnv "HOME"}/brain"; dir = "${lib.getEnv "HOME"}/brain";
name = "krebs-secrets/${name}"; name = "krebs-secrets/${name}";
}; };
} };
;
} }
]; ];
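Review bot: In the `test` branch of `krebs-source`, `lib.importJSON ./nixpkgs.json` is evaluated once for `rev` and again for `sha256`; binding it once (`let pin = lib.importJSON ./nixpkgs.json; in` and then `rev = pin.rev; sha256 = pin.sha256;`) keeps the two fields from drifting apart and reads better. The same double import appears in the new 11-line nixpkgs pin module later in this commit, which reads `../../../krebs/nixpkgs.json` twice. Note also that the JSON's `url` points at nixpkgs-channels while `fetchFromGitHub` uses `repo = "nixpkgs"`; that works as long as the pinned rev exists in both repositories, which is presumably the case for channel commits, but a comment saying so would help the next reader.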

View File

@ -1,7 +1,7 @@
{ {
"url": "https://github.com/NixOS/nixpkgs-channels", "url": "https://github.com/NixOS/nixpkgs-channels",
"rev": "bf7930d582bcf7953c3b87e649858f3f1873eb9c", "rev": "5d4a1a3897e2d674522bcb3aa0026c9e32d8fd7c",
"date": "2018-11-04T19:36:25+01:00", "date": "2018-11-24T00:40:22-05:00",
"sha256": "0nvn6g0pxp0glqjg985qxs7ash0cmcdc80h8jxxk6z4pnr3f2n1m", "sha256": "19kryzx9a6x68mpyxks3dajraf92hkbnw1zf952k73s2k4qw9jlq",
"fetchSubmodules": false "fetchSubmodules": false
} }


@ -36,10 +36,10 @@ with import <stockholm/lib>;
# TODO write function for proxy_pass (ssl/nonssl) # TODO write function for proxy_pass (ssl/nonssl)
krebs.iptables.tables.filter.FORWARD.rules = [ krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; } { v6 = false; precedence = 1000; predicate = "-d 192.168.122.179"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; } { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.179"; }
]; ];
} }
{ {
@ -57,13 +57,6 @@ with import <stockholm/lib>;
config.krebs.users.makefu.pubkey config.krebs.users.makefu.pubkey
]; ];
}; };
users.users.nin = {
uid = genid "nin";
isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.nin.pubkey
];
};
users.extraUsers.dritter = { users.extraUsers.dritter = {
uid = genid "dritter"; uid = genid "dritter";
isNormalUser = true; isNormalUser = true;
@ -109,26 +102,6 @@ with import <stockholm/lib>;
localAddress = "10.233.2.2"; localAddress = "10.233.2.2";
}; };
} }
{
#onondaga
systemd.services."container@onondaga".reloadIfChanged = mkForce false;
containers.onondaga = {
config = { ... }: {
imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
config.krebs.users.nin.pubkey
];
};
autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.5";
localAddress = "10.233.2.6";
};
}
<stockholm/lass/2configs/exim-smarthost.nix> <stockholm/lass/2configs/exim-smarthost.nix>
<stockholm/lass/2configs/ts3.nix> <stockholm/lass/2configs/ts3.nix>
<stockholm/lass/2configs/privoxy-retiolum.nix> <stockholm/lass/2configs/privoxy-retiolum.nix>
@ -137,7 +110,6 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/iodined.nix> <stockholm/lass/2configs/iodined.nix>
<stockholm/lass/2configs/paste.nix> <stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix> <stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/monitoring/prometheus-server.nix> <stockholm/lass/2configs/monitoring/prometheus-server.nix>


@ -14,16 +14,16 @@
}; };
}; };
# TODO use this network config # TODO use this network config
#networking.interfaces.et0.ipv4.addresses = [ networking.interfaces.eth0.ipv4.addresses = [
# { {
# address = config.krebs.build.host.nets.internet.ip4.addr; address = config.krebs.build.host.nets.internet.ip4.addr;
# prefixLength = 27; prefixLength = 27;
# } }
# { {
# address = "46.4.114.243"; address = "46.4.114.243";
# prefixLength = 27; prefixLength = 27;
# } }
#]; ];
#networking.defaultGateway = "46.4.114.225"; #networking.defaultGateway = "46.4.114.225";
#networking.nameservers = [ #networking.nameservers = [
# "8.8.8.8" # "8.8.8.8"
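Review bot: The `# TODO use this network config` comment on the first line of the hunk is now stale, since the `networking.interfaces.eth0.ipv4.addresses` block right below it is uncommented and active; drop the TODO or reword it to cover what is still pending. `defaultGateway` and `nameservers` stay commented out in the same block, so unless they are set elsewhere this host gets addresses but no default route from this file; a one-line comment naming where they come from would avoid the question.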


@ -0,0 +1,11 @@
{ lib, pkgs, ... }:
{
nixpkgs = lib.mkForce {
file = toString (pkgs.fetchFromGitHub {
owner = "nixos";
repo = "nixpkgs";
rev = (lib.importJSON ../../../krebs/nixpkgs.json).rev;
sha256 = (lib.importJSON ../../../krebs/nixpkgs.json).sha256;
});
};
}


@ -1,16 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/AP.nix>
<stockholm/lass/2configs/blue-host.nix>
];
krebs.build.host = config.krebs.hosts.cabal;
}


@ -1,12 +0,0 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
];
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:45:85:ac", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:62:2b:1b", NAME="et0"
'';
}


@ -25,9 +25,5 @@
macchanger macchanger
dpass dpass
]; ];
services.redshift = {
enable = true;
provider = "geoclue2";
};
programs.adb.enable = true; programs.adb.enable = true;
} }


@ -33,6 +33,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/rtl-sdr.nix> <stockholm/lass/2configs/rtl-sdr.nix>
<stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/print.nix> <stockholm/lass/2configs/print.nix>
<stockholm/lass/2configs/blue-host.nix>
{ {
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain #risk of rain
@ -101,6 +102,7 @@ with import <stockholm/lib>;
urban urban
mk_sql_pair mk_sql_pair
remmina remmina
transmission
iodine iodine
@ -147,10 +149,6 @@ with import <stockholm/lib>;
programs.adb.enable = true; programs.adb.enable = true;
users.users.mainUser.extraGroups = [ "adbusers" "docker" ]; users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
services.redshift = {
enable = true;
provider = "geoclue2";
};
lass.restic = genAttrs [ lass.restic = genAttrs [
"daedalus" "daedalus"


@ -57,13 +57,6 @@ with import <stockholm/lib>;
config.krebs.users.makefu.pubkey config.krebs.users.makefu.pubkey
]; ];
}; };
users.users.nin = {
uid = genid "nin";
isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.nin.pubkey
];
};
users.extraUsers.dritter = { users.extraUsers.dritter = {
uid = genid "dritter"; uid = genid "dritter";
isNormalUser = true; isNormalUser = true;
@ -119,7 +112,6 @@ with import <stockholm/lib>;
services.openssh.enable = true; services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey config.krebs.users.lass.pubkey
config.krebs.users.nin.pubkey
]; ];
}; };
autoStart = true; autoStart = true;
@ -215,7 +207,6 @@ with import <stockholm/lib>;
RandomizedDelaySec = "2min"; RandomizedDelaySec = "2min";
}; };
} }
<stockholm/lass/2configs/downloading.nix>
<stockholm/lass/2configs/minecraft.nix> <stockholm/lass/2configs/minecraft.nix>
{ {
services.taskserver = { services.taskserver = {
@ -346,11 +337,64 @@ with import <stockholm/lib>;
]; ];
} }
{
systemd.services."container@yellow".reloadIfChanged = mkForce false;
containers.yellow = {
config = { ... }: {
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.13";
localAddress = "10.233.2.14";
};
services.nginx.virtualHosts."lassul.us".locations."^~ /transmission".extraConfig = ''
if ($scheme != "https") {
rewrite ^ https://$host$uri permanent;
}
auth_basic "Restricted Content";
auth_basic_user_file ${pkgs.writeText "transmission-user-pass" ''
krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0
''};
proxy_pass http://10.233.2.14:9091;
'';
users.groups.download = {};
users.users = {
download = {
createHome = true;
group = "download";
name = "download";
home = "/var/download";
useDefaultShell = true;
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
lass-shodan.pubkey
lass-icarus.pubkey
lass-daedalus.pubkey
lass-helios.pubkey
makefu.pubkey
wine-mors.pubkey
];
};
};
system.activationScripts.downloadFolder = ''
mkdir -p /var/download
chmod 775 /var/download
ln -fnsT /var/lib/containers/yellow/var/download/finished /var/download/finished || :
chown download: /var/download/finished
'';
}
]; ];
krebs.build.host = config.krebs.hosts.prism; krebs.build.host = config.krebs.hosts.prism;
# workaround because grub store paths are broken
boot.copyKernels = true;
services.earlyoom = { services.earlyoom = {
enable = true; enable = true;
freeMemThreshold = 5; freeMemThreshold = 5;
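Review bot: The `auth_basic_user_file` for the `/transmission` location is produced with `pkgs.writeText`, so the htpasswd line is committed to the repository and lands in the world-readable `/nix/store` of every machine that evaluates this config, and it cannot be rotated without a commit. The repository already keeps per-host secrets out of the store via `<secrets/...>` (the `secrets = ...` handling in krops.nix, and `auth-user-pass ${toString <secrets/nordvpn.txt>}` in the new yellow config), so `auth_basic_user_file ${toString <secrets/PLACEHOLDER-htpasswd>};` (placeholder name) would reuse the same mechanism. A comment on the location block noting that basic auth only covers the proxy path, not the container's own port 9091, would also help. The enclosing `imports` list starts outside the hunk.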


@ -1,77 +1,61 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
imports = [ imports = [
./config.nix ./config.nix
{ <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
boot.kernelParams = [ "net.ifnames=0" ];
networking = {
defaultGateway = "46.4.114.225";
# Use google's public DNS server
nameservers = [ "8.8.8.8" ];
interfaces.eth0 = {
ipAddress = "46.4.114.247";
prefixLength = 27;
};
};
# TODO use this network config
#networking.interfaces.et0.ipv4.addresses = [
# {
# address = config.krebs.build.host.nets.internet.ip4.addr;
# prefixLength = 27;
# }
# {
# address = "46.4.114.243";
# prefixLength = 27;
# }
#];
#networking.defaultGateway = "46.4.114.225";
#networking.nameservers = [
# "8.8.8.8"
#];
#services.udev.extraRules = ''
# SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
#'';
}
{
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
networking.hostId = "fb4173ea";
boot.loader.grub = {
devices = [
"/dev/sda"
"/dev/sdb"
];
splashImage = null;
};
boot.initrd.availableKernelModules = [
"ata_piix"
"vmw_pvscsi"
"ahci" "sd_mod"
]; ];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
sound.enable = false;
nixpkgs.config.allowUnfree = true;
time.timeZone = "Europe/Berlin";
fileSystems."/" = { fileSystems."/" = {
device = "rpool/root/nixos"; device = "rpool/root/nixos";
fsType = "zfs"; fsType = "zfs";
}; };
fileSystems."/home" = {
device = "rpool/home";
fsType = "zfs";
};
fileSystems."/boot" = { fileSystems."/boot" = {
device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d"; device = "/dev/disk/by-uuid/d155d6ff-8e89-4876-a9e7-d1b7ba6a4804";
fsType = "ext4"; fsType = "ext4";
}; };
} fileSystems."/srv/http" = {
]; device = "tank/srv-http";
fsType = "zfs";
};
fileSystems."/var/download" = {
device = "tank/download";
fsType = "zfs";
};
fileSystems."/var/lib/containers" = {
device = "tank/containers";
fsType = "zfs";
};
fileSystems."/home" = {
device = "tank/home";
fsType = "zfs";
};
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
boot.kernelParams = [ "net.ifnames=0" ];
networking = {
hostId = "2283aaae";
defaultGateway = "95.216.1.129";
# Use google's public DNS server
nameservers = [ "8.8.8.8" ];
interfaces.eth0 = {
ipAddress = "95.216.1.150";
prefixLength = 26;
};
};
} }


@ -16,6 +16,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/blue-host.nix>
]; ];
krebs.build.host = config.krebs.hosts.shodan; krebs.build.host = config.krebs.hosts.shodan;


@ -5,42 +5,36 @@ with import <stockholm/lib>;
<stockholm/lass> <stockholm/lass>
<stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/retiolum.nix>
#<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/power-action.nix>
{ {
# discordius config
services.xserver.enable = true; services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
users.users.discordius = { users.users.discordius = {
uid = genid "discordius"; uid = genid "diskordius";
home = "/home/discordius"; isNormalUser = true;
group = "users";
createHome = true;
extraGroups = [ extraGroups = [
"audio" "audio"
"networkmanager" "networkmanager"
]; ];
useDefaultShell = true;
}; };
networking.networkmanager.enable = true; environment.systemPackages = with pkgs; [
networking.wireless.enable = mkForce false; google-chrome
];
hardware.pulseaudio = { hardware.pulseaudio = {
enable = true; enable = true;
systemWide = true; systemWide = true;
}; };
environment.systemPackages = with pkgs; [
pavucontrol
firefox
hexchat
networkmanagerapplet
];
services.xserver.desktopManager.gnome3 = {
enable = true;
};
} }
]; ];
krebs.build.host = config.krebs.hosts.skynet; krebs.build.host = config.krebs.hosts.skynet;
networking.wireless.enable = false;
networking.networkmanager.enable = true;
services.logind.extraConfig = '' services.logind.extraConfig = ''
HandleLidSwitch=ignore HandleLidSwitch=ignore
''; '';
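Review bot: `uid = genid "diskordius";` seeds the id with a different string than the account name `discordius` on the line above, which reads like a typo; if it is deliberate (for instance to avoid a collision with the previous id), a comment saying so would stop the next reader from "fixing" it, and either way a changed uid leaves files in an existing home owned by the old id. The rest of the hunk replaces the explicit `home`/`group`/`createHome`/`useDefaultShell` with `isNormalUser = true`, which is the right simplification.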


@ -1,10 +1,27 @@
{ {
imports = [ imports = [
./config.nix ./config.nix
<stockholm/lass/2configs/hw/x220.nix> <stockholm/krebs/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
]; ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.device = "nodev";
networking.hostId = "06442b9a";
fileSystems."/" =
{ device = "rpool/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/0876-B308";
fsType = "vfat";
};
services.udev.extraRules = '' services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0" SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0"


@ -0,0 +1,140 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
];
krebs.build.host = config.krebs.hosts.yellow;
system.activationScripts.downloadFolder = ''
mkdir -p /var/download
chown download:download /var/download
chmod 775 /var/download
'';
users.users.download = { uid = genid "download"; };
users.groups.download.members = [ "transmission" ];
users.users.transmission.group = mkForce "download";
systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ];
services.transmission = {
enable = true;
settings = {
download-dir = "/var/download/finished";
incomplete-dir = "/var/download/incoming";
incomplete-dir-enable = true;
umask = "002";
rpc-whitelist-enabled = false;
rpc-host-whitelist-enabled = false;
};
};
services.nginx = {
enable = true;
virtualHosts."yellow.r".locations."/dl".extraConfig = ''
autoindex on;
alias /var/download/finished;
'';
};
krebs.iptables = {
enable = true;
tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
];
};
services.openvpn.servers.nordvpn.config = ''
client
dev tun
proto udp
remote 82.102.16.229 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no
explicit-exit-notify 3
remote-cert-tls server
#mute 10000
auth-user-pass ${toString <secrets/nordvpn.txt>}
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
49b2f54c6ee58d2d97331681bb577d55
054f56d92b743c31e80b684de0388702
ad3bf51088cd88f3fac7eb0729f2263c
51d82a6eb7e2ed4ae6dfa65b1ac764d0
b9dedf1379c1b29b36396d64cb6fd6b2
e61f869f9a13001dadc02db171f04c4d
c46d1132c1f31709e7b54a6eabae3ea8
fbd2681363c185f4cb1be5aa42a27c31
21db7b2187fd11c1acf224a0d5a44466
b4b5a3cc34ec0227fe40007e8b379654
f1e8e2b63c6b46ee7ab6f1bd82f57837
92c209e8f25bc9ed493cb5c1d891ae72
7f54f4693c5b20f136ca23e639fd8ea0
865b4e22dd2af43e13e6b075f12427b2
08af9ffd09c56baa694165f57fe2697a
3377fa34aebcba587c79941d83deaf45
-----END OpenVPN Static key V1-----
</tls-auth>
'';
}
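Review bot: `systemd.services.transmission.serviceConfig.bindsTo` emits a lowercase `bindsTo` key into the `[Service]` section, where systemd does not recognise it, so the intended coupling of transmission to the VPN unit does not take effect; the NixOS option lives at unit level: `systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];` with `systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];` for start ordering. Even with that fixed, nothing restricts transmission's outbound traffic to the tunnel interface, so an owner-match firewall rule for the transmission user would make the kill-switch explicit rather than implied by unit dependencies. Separately, the iptables rules accept port 9091 from any source while `rpc-whitelist-enabled` and `rpc-host-whitelist-enabled` are both off and no RPC authentication is configured; the basic auth exists only on the prism-side nginx proxy, so any peer that can reach the container directly (the retiolum config is imported here) appears to get an unauthenticated RPC, which deserves either `rpc-authentication-required` or a whitelist limited to the host address.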


@ -0,0 +1,8 @@
{
imports = [
./config.nix
];
boot.isContainer = true;
networking.useDHCP = false;
environment.variables.NIX_REMOTE = "daemon";
}


@ -126,6 +126,12 @@ in {
restartIfChanged = false; restartIfChanged = false;
}; };
nixpkgs.config.packageOverrides = super: {
dmenu = pkgs.writeDashBin "dmenu" ''
${pkgs.fzfmenu}/bin/fzfmenu "$@"
'';
};
krebs.xresources.enable = true; krebs.xresources.enable = true;
lass.screenlock.enable = true; lass.screenlock.enable = true;
} }


@ -25,6 +25,14 @@
proxy_pass http://localhost:${toString config.services.nix-serve.port}; proxy_pass http://localhost:${toString config.services.nix-serve.port};
''; '';
}; };
virtualHosts."cache.krebsco.de" = {
forceSSL = true;
serverAliases = [ "cache.lassul.us" ];
enableACME = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
'';
};
}; };
} }


@ -1,23 +1,115 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with import <stockholm/lib>; with import <stockholm/lib>;
let
all_hosts = [
"icarus"
"shodan"
"daedalus"
"skynet"
"prism"
];
remote_hosts = filter (h: h != config.networking.hostName) all_hosts;
{ in {
imports = [ imports = [
<stockholm/lass/2configs/container-networking.nix> <stockholm/lass/2configs/container-networking.nix>
]; { #hack for already defined
systemd.services."container@blue".reloadIfChanged = mkForce false; systemd.services."container@blue".reloadIfChanged = mkForce false;
systemd.services."container@blue".preStart = ''
${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
'';
systemd.services."container@blue".preStop = ''
/run/wrappers/bin/fusermount -u /var/lib/containers/blue
'';
}
];
system.activationScripts.containerPermissions = ''
mkdir -p /var/lib/containers
chmod 711 /var/lib/containers
'';
containers.blue = { containers.blue = {
config = { ... }: { config = { ... }: {
environment.systemPackages = [ pkgs.git ]; environment.systemPackages = [
pkgs.git
pkgs.rxvt_unicode.terminfo
];
services.openssh.enable = true; services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [ users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey config.krebs.users.lass.pubkey
]; ];
}; };
autoStart = true; autoStart = false;
enableTun = true; enableTun = true;
privateNetwork = true; privateNetwork = true;
hostAddress = "10.233.2.9"; hostAddress = "10.233.2.9";
localAddress = "10.233.2.10"; localAddress = "10.233.2.10";
}; };
systemd.services = builtins.listToAttrs (map (host:
let
in nameValuePair "sync-blue-${host}" {
bindsTo = [ "container@blue.service" ];
wantedBy = [ "container@blue.service" ];
# ssh needed for rsync
path = [ pkgs.openssh ];
serviceConfig = {
Restart = "always";
RestartSec = 10;
ExecStart = pkgs.writeDash "sync-blue-${host}" ''
set -efu
#make sure blue is running
/run/wrappers/bin/ping -c1 blue.r > /dev/null
#make sure the container is unlocked
${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
#make sure our target is reachable
${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
#start sync
${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
settings {
nodaemon = true,
inotifyMode = "CloseWrite or Modify",
}
sync {
default.rsyncssh,
source = "/var/lib/containers/.blue",
host = "${host}.r",
targetdir = "/var/lib/containers/.blue",
rsync = {
archive = true,
owner = true,
group = true,
};
ssh = {
binary = "${pkgs.openssh}/bin/ssh";
identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
},
}
''}
'';
};
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
}
) remote_hosts);
environment.systemPackages = [
(pkgs.writeDashBin "start-blue" ''
set -ef
if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then
${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue
fi
nixos-container start blue
nixos-container run blue -- nixos-rebuild -I /var/src dry-build
if ping -c1 blue.r >/dev/null; then
echo 'blue is already running. bailing out'
exit 23
fi
nixos-container run blue -- nixos-rebuild -I /var/src switch
'')
];
} }
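Review bot: In the `start-blue` script the encfs check is written as `if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then`, which runs grep's (empty) output as the command and only works because POSIX shells fall back to the exit status of the substitution when it expands to nothing; write it as a plain pipeline, `if ! ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'; then`. The same script calls `mount`, `ping` and `nixos-container` unqualified while the rest of the file uses store paths, so its behaviour depends on the caller's PATH. The `^encfs on /var/lib/containers/blue` pattern used here, in `preStart` and in the sync units is a prefix match that would also accept a mount at a longer path such as `/var/lib/containers/blue-old`; anchoring on the space that follows the mount point in `mount` output, `'^encfs on /var/lib/containers/blue '`, pins it to that directory.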


@ -15,6 +15,7 @@ with (import <stockholm/lib>);
dic dic
nmap nmap
git-preview git-preview
l-gen-secrets
]; ];
services.tor.enable = true; services.tor.enable = true;


@ -19,5 +19,9 @@ with import <stockholm/lib>;
"slash16.net" "slash16.net"
]; ];
}; };
system.activationScripts.user-shadow = ''
${pkgs.coreutils}/bin/chmod +x /home/ciko
'';
} }
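Review bot: `chmod +x /home/ciko` in the new `user-shadow` activation script adds the execute bit for owner, group and other alike, and the script name says nothing about what it does; if the goal is to let another service (presumably nginx) traverse into the home directory, `${pkgs.coreutils}/bin/chmod o+x /home/ciko` with a one-line comment naming the service that needs it would make both the intent and the exposure explicit. The same pattern appears twice more in this commit, for `/var/spool` (`spool-chmod`) and for `/var/realwallpaper` (again named `user-shadow`); if both `user-shadow` scripts are ever imported by the same host they collide under one attribute name, so a name derived from the path (e.g. `ciko-home-traverse`) is safer. Because activation scripts run on every switch, the chmod also silently re-applies after an administrator tightens the permissions by hand, which is worth stating in the comment.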


@ -1,65 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
users.extraUsers = {
download = {
name = "download";
home = "/var/download";
createHome = true;
useDefaultShell = true;
extraGroups = [
"download"
];
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
lass-shodan.pubkey
lass-icarus.pubkey
lass-daedalus.pubkey
lass-helios.pubkey
makefu.pubkey
wine-mors.pubkey
];
};
transmission = {
extraGroups = [
"download"
];
};
};
users.extraGroups = {
download = {
members = [
"download"
"transmission"
];
};
};
krebs.rtorrent = {
enable = true;
web = {
enable = true;
port = 9091;
basicAuth = import <secrets/torrent-auth>;
};
rutorrent.enable = true;
enableXMLRPC = true;
listenPort = 51413;
downloadDir = "/var/download/finished";
# dump old torrents into watch folder to have them re-added
watchDir = "/var/download/watch";
};
krebs.iptables = {
enable = true;
tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; }
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
];
};
}


@ -90,6 +90,10 @@ with import <stockholm/lib>;
{ from = "afra@lassul.us"; to = lass.mail; } { from = "afra@lassul.us"; to = lass.mail; }
{ from = "ksp@lassul.us"; to = lass.mail; } { from = "ksp@lassul.us"; to = lass.mail; }
{ from = "ccc@lassul.us"; to = lass.mail; } { from = "ccc@lassul.us"; to = lass.mail; }
{ from = "neocron@lassul.us"; to = lass.mail; }
{ from = "osmocom@lassul.us"; to = lass.mail; }
{ from = "lesswrong@lassul.us"; to = lass.mail; }
{ from = "nordvpn@lassul.us"; to = lass.mail; }
]; ];
system-aliases = [ system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; } { from = "mailer-daemon"; to = "postmaster"; }


@ -6,8 +6,7 @@ in {
krebs.fetchWallpaper = { krebs.fetchWallpaper = {
enable = true; enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"; unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
url = "prism/realwallpaper-sat-krebs.png"; url = "prism/realwallpaper-krebs.png";
maxTime = 10;
}; };
} }


@ -75,6 +75,8 @@ in {
packages = with pkgs; [ packages = with pkgs; [
ftb ftb
minecraft minecraft
steam-run
dolphinEmu
]; ];
}; };
}; };


@ -21,6 +21,10 @@ let
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; }
]; ];
system.activationScripts.spool-chmod = ''
${pkgs.coreutils}/bin/chmod +x /var/spool
'';
}; };
cgit-clear-cache = pkgs.cgit-clear-cache.override { cgit-clear-cache = pkgs.cgit-clear-cache.override {


@ -31,6 +31,7 @@ let
''; '';
mailboxes = { mailboxes = {
afra = [ "to:afra@afra-berlin.de" ];
c-base = [ "to:c-base.org" ]; c-base = [ "to:c-base.org" ];
coins = [ coins = [
"to:btce@lassul.us" "to:btce@lassul.us"
@ -46,12 +47,15 @@ let
]; ];
dezentrale = [ "to:dezentrale.space" ]; dezentrale = [ "to:dezentrale.space" ];
dhl = [ "to:dhl@lassul.us" ]; dhl = [ "to:dhl@lassul.us" ];
dn42 = [ "to:dn42@lists.nox.tf" ];
eloop = [ "to:eloop.org" ]; eloop = [ "to:eloop.org" ];
github = [ "to:github@lassul.us" ]; github = [ "to:github@lassul.us" ];
gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ]; gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
india = [ "to:hillhackers@lists.hillhacks.in" "to:hackbeach@lists.hackbeach.in" ];
kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ]; kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
lugs = [ "to:lugs@lug-s.org" ]; lugs = [ "to:lugs@lug-s.org" ];
nix-devel = [ "to:nix-devel@googlegroups.com" ]; meetup = [ "to:meetup@lassul.us" ];
nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ];
patreon = [ "to:patreon@lassul.us" ]; patreon = [ "to:patreon@lassul.us" ];
paypal = [ "to:paypal@lassul.us" ]; paypal = [ "to:paypal@lassul.us" ];
ptl = [ "to:ptl@posttenebraslab.ch" ]; ptl = [ "to:ptl@posttenebraslab.ch" ];
@ -170,6 +174,16 @@ let
macro pager a "<modify-labels>-archive\n" # tag as Archived macro pager a "<modify-labels>-archive\n" # tag as Archived
bind index U noop
bind index u noop
bind pager U noop
bind pager u noop
macro index U "<modify-labels>+unread\n"
macro index u "<modify-labels>-unread\n"
macro pager U "<modify-labels>+unread\n"
macro pager u "<modify-labels>-unread\n"
bind index t noop bind index t noop
bind pager t noop bind pager t noop
macro index t "<modify-labels>" # tag as Archived macro index t "<modify-labels>" # tag as Archived


@ -177,7 +177,8 @@
addr = "0.0.0.0"; addr = "0.0.0.0";
domain = "grafana.example.com"; domain = "grafana.example.com";
rootUrl = "https://grafana.example.com/"; rootUrl = "https://grafana.example.com/";
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} auth.anonymous.enable = true;
auth.anonymous.org_role = "Admin";
}; };
}; };
services.logstash = { services.logstash = {
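Review bot: `auth.anonymous.org_role = "Admin"` gives every unauthenticated visitor full administrative rights in the organisation, and the surrounding block binds grafana to `addr = "0.0.0.0"`, so unless a firewall or reverse proxy outside this hunk restricts who can reach the port, anyone who can connect may edit datasources, dashboards and alert channels. If a read-only public instance is the goal, `auth.anonymous.org_role = "Viewer";` covers it; if administrative access is needed, keep an authenticated admin account (what the removed `security` line provided) rather than granting it anonymously. Either way a comment stating where the access restriction lives belongs next to these two lines.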


@ -60,10 +60,25 @@ in {
group = "radio"; group = "radio";
musicDirectory = "/home/radio/the_playlist/music"; musicDirectory = "/home/radio/the_playlist/music";
extraConfig = '' extraConfig = ''
audio_output {
type "shout"
encoding "lame"
name "the_playlist_mp3"
host "localhost"
port "8000"
mount "/radio.mp3"
password "${source-password}"
bitrate "128"
format "44100:16:2"
user "source"
genre "good music"
}
audio_output { audio_output {
type "shout" type "shout"
encoding "ogg" encoding "ogg"
name "the_playlist" name "the_playlist_ogg"
host "localhost" host "localhost"
port "8000" port "8000"
mount "/radio.ogg" mount "/radio.ogg"
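Review bot: The new `audio_output` block interpolates `${source-password}` into `extraConfig`, and the mpd module presumably writes the resulting mpd.conf into the Nix store, where every local user can read it; this mirrors the existing ogg block but doubles the places the shout source credential is written out. If `source-password` (defined outside this hunk) is not already a placeholder, a comment such as `# source-password ends up world-readable in the generated mpd.conf` would at least record the trade-off for whoever inherits this file.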


@ -1,4 +1,4 @@
{ config, lib, ... }: { config, lib, pkgs, ... }:
let let
hostname = config.krebs.build.host.name; hostname = config.krebs.build.host.name;
@ -9,6 +9,9 @@ let
in { in {
krebs.realwallpaper.enable = true; krebs.realwallpaper.enable = true;
system.activationScripts.user-shadow = ''
${pkgs.coreutils}/bin/chmod +x /var/realwallpaper
'';
services.nginx.virtualHosts.wallpaper = { services.nginx.virtualHosts.wallpaper = {
extraConfig = '' extraConfig = ''
if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) { if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
@ -22,10 +25,7 @@ in {
locations."/realwallpaper.png".extraConfig = '' locations."/realwallpaper.png".extraConfig = ''
root /var/realwallpaper/; root /var/realwallpaper/;
''; '';
locations."/realwallpaper-sat.png".extraConfig = '' locations."/realwallpaper-krebs.png".extraConfig = ''
root /var/realwallpaper/;
'';
locations."/realwallpaper-sat-krebs.png".extraConfig = ''
root /var/realwallpaper/; root /var/realwallpaper/;
''; '';
}; };


@ -139,6 +139,13 @@ in {
ssl_key = "/var/lib/acme/lassul.us/key.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem";
}; };
users.users.xanf = {
uid = genid_uint31 "xanf";
home = "/home/xanf";
useDefaultShell = true;
createHome = true;
};
users.users.domsen = { users.users.domsen = {
uid = genid_uint31 "domsen"; uid = genid_uint31 "domsen";
description = "maintenance acc for domsen"; description = "maintenance acc for domsen";


@ -1,70 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
inherit (import <stockholm/lib>)
genid
head
;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
servePage
serveWordpress
;
msmtprc = pkgs.writeText "msmtprc" ''
account default
host localhost
'';
sendmail = pkgs.writeDash "msmtp" ''
exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
'';
in {
services.nginx.enable = true;
imports = [
./default.nix
./sqlBackup.nix
(serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
(serveWordpress [ "gs-maubach.de" "www.gs-maubach.de" ])
(serveWordpress [ "spielwaren-kern.de" "www.spielwaren-kern.de" ])
(servePage [ "familienpraxis-korntal.de" "www.familienpraxis-korntal.de" ])
(serveWordpress [ "ttf-kleinaspach.de" "www.ttf-kleinaspach.de" ])
(serveWordpress [ "eastuttgart.de" "www.eastuttgart.de" ])
(serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
];
lass.mysqlBackup.config.all.databases = [
"eastuttgart_de"
"radical_dreamers_de"
"spielwaren_kern_de"
"ttf_kleinaspach_de"
];
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey
];
users.users.goldbarrendiebstahl = {
home = "/srv/http/goldbarrendiebstahl.radical-dreamers.de";
uid = genid "goldbarrendiebstahl";
createHome = true;
useDefaultShell = true;
openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey
];
};
services.phpfpm.phpOptions = ''
sendmail_path = ${sendmail} -t
'';
}


@ -66,22 +66,6 @@ in {
locations."/tinc".extraConfig = '' locations."/tinc".extraConfig = ''
alias ${config.krebs.tinc_graphs.workingDir}/external; alias ${config.krebs.tinc_graphs.workingDir}/external;
''; '';
locations."/urlaubyay2018".extraConfig = ''
autoindex on;
alias /srv/http/lassul.us-media/india2018;
auth_basic "Restricted Content";
auth_basic_user_file ${pkgs.writeText "pics-user-pass" ''
paolo:$apr1$aQ6mYNR3$ho.aJ7icqSO.y.xKo3GQf0
''};
'';
locations."/heilstadt".extraConfig = ''
autoindex on;
alias /srv/http/lassul.us-media/grabowsee2018;
auth_basic "Restricted Content";
auth_basic_user_file ${pkgs.writeText "pics-user-pass" ''
c-base:$apr1$aQ6mYNR3$ho.aJ7icqSO.y.xKo3GQf0
''};
'';
locations."/krebspage".extraConfig = '' locations."/krebspage".extraConfig = ''
default_type "text/html"; default_type "text/html";
alias ${pkgs.krebspage}/index.html; alias ${pkgs.krebspage}/index.html;


@ -11,7 +11,6 @@
enable = true; enable = true;
dataDir = "/var/mysql"; dataDir = "/var/mysql";
package = pkgs.mariadb; package = pkgs.mariadb;
rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
}; };
systemd.services.mysql = { systemd.services.mysql = {


@ -87,7 +87,6 @@ in /* yaml */ ''
mod_configure: {} mod_configure: {}
mod_disco: {} mod_disco: {}
mod_echo: {} mod_echo: {}
mod_irc: {}
mod_bosh: {} mod_bosh: {}
mod_last: {} mod_last: {}
mod_offline: mod_offline:
@ -96,9 +95,9 @@ in /* yaml */ ''
mod_privacy: {} mod_privacy: {}
mod_private: {} mod_private: {}
mod_register: mod_register:
access_from: deny access_from: allow
access: register access: register
ip_access: trusted_network # ip_access: trusted_network
registration_watchers: ${toJSON config.registration_watchers} registration_watchers: ${toJSON config.registration_watchers}
mod_roster: {} mod_roster: {}
mod_shared_roster: {} mod_shared_roster: {}
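Review bot: Switching `mod_register` to `access_from: allow` while commenting out `ip_access: trusted_network` removes both restrictions on in-band registration at once, so any client that can reach the server can create accounts and `registration_watchers` only reports them after the fact. If open registration is intended, keeping the per-network rule (`ip_access: trusted_network` is still in the file, just commented) or adding `captcha_protected: true` under `mod_register` would curb automated sign-ups; a comment above `access_from` stating why it was opened would help whoever audits this later. The enclosing `''` string starts before this hunk.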


@ -25,6 +25,8 @@ import Control.Monad.Extra (whenJustM)
import Data.List (isInfixOf) import Data.List (isInfixOf)
import Data.Monoid (Endo) import Data.Monoid (Endo)
import System.Environment (getArgs, lookupEnv) import System.Environment (getArgs, lookupEnv)
import System.Exit (exitFailure)
import System.IO (hPutStrLn, stderr)
import System.Posix.Process (executeFile) import System.Posix.Process (executeFile)
import XMonad.Actions.CopyWindow (copy, kill1) import XMonad.Actions.CopyWindow (copy, kill1)
import XMonad.Actions.CycleWS (toggleWS) import XMonad.Actions.CycleWS (toggleWS)
@ -36,7 +38,7 @@ import XMonad.Hooks.EwmhDesktops (ewmh)
import XMonad.Hooks.FloatNext (floatNext) import XMonad.Hooks.FloatNext (floatNext)
import XMonad.Hooks.FloatNext (floatNextHook) import XMonad.Hooks.FloatNext (floatNextHook)
import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts)) import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
import XMonad.Hooks.Place (placeHook, smart) import XMonad.Hooks.ManageHelpers (composeOne, doCenterFloat, (-?>))
import XMonad.Hooks.UrgencyHook (focusUrgent) import XMonad.Hooks.UrgencyHook (focusUrgent)
import XMonad.Hooks.UrgencyHook (withUrgencyHook, UrgencyHook(..)) import XMonad.Hooks.UrgencyHook (withUrgencyHook, UrgencyHook(..))
import XMonad.Layout.FixedColumn (FixedColumn(..)) import XMonad.Layout.FixedColumn (FixedColumn(..))
@ -49,7 +51,7 @@ import XMonad.Util.EZConfig (additionalKeysP)
import XMonad.Util.NamedWindows (getName) import XMonad.Util.NamedWindows (getName)
import XMonad.Util.Run (safeSpawn) import XMonad.Util.Run (safeSpawn)
import XMonad.Stockholm.Shutdown (handleShutdownEvent, sendShutdownEvent) import XMonad.Stockholm.Shutdown (newShutdownEventHandler, shutdown)
import XMonad.Stockholm.Pager (defaultWindowColors, pager, MatchMethod(MatchPrefix), PagerConfig(..)) import XMonad.Stockholm.Pager (defaultWindowColors, pager, MatchMethod(MatchPrefix), PagerConfig(..))
data LibNotifyUrgencyHook = LibNotifyUrgencyHook deriving (Read, Show) data LibNotifyUrgencyHook = LibNotifyUrgencyHook deriving (Read, Show)
@ -69,18 +71,20 @@ myFont = "-*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1"
main :: IO () main :: IO ()
main = getArgs >>= \case main = getArgs >>= \case
["--shutdown"] -> sendShutdownEvent [] -> main'
_ -> main' ["--shutdown"] -> shutdown
args -> hPutStrLn stderr ("bad arguments: " <> show args) >> exitFailure
main' :: IO () main' :: IO ()
main' = do main' = do
handleShutdownEvent <- newShutdownEventHandler
xmonad $ ewmh xmonad $ ewmh
$ withUrgencyHook LibNotifyUrgencyHook $ withUrgencyHook LibNotifyUrgencyHook
$ def $ def
{ terminal = myTerm { terminal = myTerm
, modMask = mod4Mask , modMask = mod4Mask
, layoutHook = smartBorders $ myLayoutHook , layoutHook = smartBorders $ myLayoutHook
, manageHook = placeHook (smart (1,0)) <+> floatNextHook <+> floatHooks , manageHook = floatHooks <+> floatNextHook
, startupHook = , startupHook =
whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK")) whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK"))
(\path -> forkFile path [] Nothing) (\path -> forkFile path [] Nothing)
@ -95,13 +99,12 @@ myLayoutHook = defLayout
defLayout = minimize $ ((avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| Full ||| FixedColumn 2 80 80 1 ||| Tall 1 (3/100) (1/2) ||| simplestFloat) defLayout = minimize $ ((avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| Full ||| FixedColumn 2 80 80 1 ||| Tall 1 (3/100) (1/2) ||| simplestFloat)
floatHooks :: Query (Endo WindowSet) floatHooks :: Query (Endo WindowSet)
floatHooks = composeAll . concat $ floatHooks = composeOne
[ [ title =? t --> doFloat | t <- myTitleFloats] [ className =? "Pinentry" -?> doCenterFloat
, [ className =? c --> doFloat | c <- myClassFloats ] ] , title =? "fzfmenu" -?> doCenterFloat
where , title =? "glxgears" -?> doCenterFloat
myTitleFloats = [] , resource =? "Dialog" -?> doFloat
myClassFloats = ["Pinentry"] -- for gpg passphrase entry ]
myKeyMap :: [([Char], X ())] myKeyMap :: [([Char], X ())]
myKeyMap = myKeyMap =
@ -110,6 +113,7 @@ myKeyMap =
, ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type") , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
, ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type") , ("M4-o", spawn "${pkgs.brain}/bin/brainmenu --type")
, ("M4-i", spawn "${pkgs.dpass}/bin/dpassmenu --type") , ("M4-i", spawn "${pkgs.dpass}/bin/dpassmenu --type")
, ("M4-z", spawn "${pkgs.emot-menu}/bin/emoticons")
, ("<XF86AudioMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-mute @DEFAULT_SINK@ toggle") , ("<XF86AudioMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-mute @DEFAULT_SINK@ toggle")
, ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%") , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume @DEFAULT_SINK@ +4%")
@ -159,6 +163,9 @@ myKeyMap =
, ("M4-<F7>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33") , ("M4-<F7>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33")
, ("M4-<F8>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100") , ("M4-<F8>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100")
, ("M4-<F9>", spawn "${pkgs.redshift}/bin/redshift -O 4000 -g 0.9:0.8:0.8")
, ("M4-<F10>", spawn "${pkgs.redshift}/bin/redshift -x")
, ("<Pause>", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter") , ("<Pause>", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter")
, ("M4-s", spawn "${pkgs.knav}/bin/knav") , ("M4-s", spawn "${pkgs.knav}/bin/knav")
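Review bot: The rewritten `floatHooks` drops the only explanation the old version had (`-- for gpg passphrase entry` on the Pinentry rule) and adds three more rules without saying where they come from; a short trailing comment per rule, e.g. `, className =? "Pinentry" -?> doCenterFloat -- gpg passphrase prompt`, keeps the list maintainable. Because `composeOne` stops at the first matching rule, order matters here: the generic `resource =? "Dialog" -?> doFloat` must stay last, which deserves a one-line comment above the list. The new error branch in `main` (`hPutStrLn stderr ... >> exitFailure`) is a clear improvement over the old catch-all; `main'` continues outside the hunk.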


@ -0,0 +1,31 @@
{ coreutils, dmenu, gnused, writeDashBin, writeText, xdotool }: let
emoticons = writeText "emoticons" ''
¯\(°_o)/¯ | dunno lol shrug dlol
¯\_()_/¯ | dunno lol shrug dlol
( ͡° ͜ʖ ͡°) | lenny
¯\_( ͡° ͜ʖ ͡°)_/¯ | lenny shrug dlol
( д) | aaah sad noo
(^o^)丿 | hi yay hello
(^o^; | ups hehe
(^^) | yay
(´) | angry argh
(^_^) byebye!! | bye
<(^.^<) <(^.^)> (>^.^)> (7^.^)7 (>^.^<) | dance
(-.-)Zzz... | sleep
() | oh noes woot
| tm
ζ | zeta
(°° | table flip
() | why woot
'';
in
writeDashBin "emoticons" ''
set -efu
data=$(${coreutils}/bin/cat ${emoticons})
emoticon=$(echo "$data" | ${dmenu}/bin/dmenu | ${gnused}/bin/sed 's/ | .*//')
${xdotool}/bin/xdotool type -- "$emoticon"
exit 0
''
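Review bot: `data=$(${coreutils}/bin/cat ${emoticons})` followed by `echo "$data"` reads the file into a variable only to print it again, and dash's `echo` processes backslash sequences, so a table whose entries contain `\(` and `\_` depends on which escapes the shell happens to recognise; feeding the file straight to dmenu avoids both: `emoticon=$(${dmenu}/bin/dmenu < ${emoticons} | ${gnused}/bin/sed 's/ | .*//')`. With that, the `coreutils` argument becomes unused and can be dropped from the parameter set. When dmenu is cancelled the pipeline still succeeds (sed's status is what `set -e` sees), so `xdotool type -- ""` runs harmlessly, and the trailing `exit 0` adds nothing.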


@ -0,0 +1,45 @@
{ pkgs, ... }:
pkgs.writeDashBin "fzfmenu" ''
set -efu
PROMPT=">"
for i in "$@"
do
case $i in
-p)
PROMPT="$2"
shift
shift
break
;;
-l)
# no reason to filter number of lines
LINES="$2"
shift
shift
break
;;
-i)
# we do this anyway
shift
break
;;
*)
echo "Unknown option $1" >&2
shift
;;
esac
done
INPUT=$(${pkgs.coreutils}/bin/cat)
OUTPUT="$(${pkgs.coreutils}/bin/mktemp)"
${pkgs.rxvt_unicode}/bin/urxvt \
-name fzfmenu -title fzfmenu \
-e ${pkgs.dash}/bin/dash -c \
"echo \"$INPUT\" | ${pkgs.fzf}/bin/fzf \
--history=/dev/null \
--no-sort \
--prompt=\"$PROMPT\" \
> \"$OUTPUT\"" 2>/dev/null
${pkgs.coreutils}/bin/cat "$OUTPUT"
${pkgs.coreutils}/bin/rm "$OUTPUT"
''
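Review bot: The menu input is spliced into the command string handed to the inner `dash -c` (`"echo \"$INPUT\" | ... fzf ..."`), so any input line containing a double quote, `$` or a backtick is parsed by that shell instead of being shown as a menu entry, and `$PROMPT` from `-p` is expanded the same way; pass the data through files and the prompt as a positional argument instead, as below. Independently, the option loop `break`s after the first recognised flag, reads the value from `$2` rather than the iteration variable, and reports `$1` as the unknown option, so `-l 10 -p foo` never sets the prompt; a `while [ $# -gt 0 ]` loop over `$1`/`$2` without `break` fixes all three. `LINES` is assigned but never read.
```nix
pkgs.writeDashBin "fzfmenu" ''
  set -efu
  PROMPT=">"
  while [ $# -gt 0 ]; do
    case $1 in
      -p) PROMPT="$2"; shift 2 ;;
      -l) shift 2 ;; # no reason to filter number of lines
      -i) shift ;;   # we do this anyway
      *) echo "Unknown option $1" >&2; shift ;;
    esac
  done
  INPUT="$(${pkgs.coreutils}/bin/mktemp)"
  OUTPUT="$(${pkgs.coreutils}/bin/mktemp)"
  ${pkgs.coreutils}/bin/cat > "$INPUT"
  ${pkgs.rxvt_unicode}/bin/urxvt \
    -name fzfmenu -title fzfmenu \
    -e ${pkgs.dash}/bin/dash -c '
      ${pkgs.fzf}/bin/fzf \
        --history=/dev/null \
        --no-sort \
        --prompt="$1" \
        < "$2" > "$3"
    ' fzfmenu "$PROMPT" "$INPUT" "$OUTPUT" 2>/dev/null
  ${pkgs.coreutils}/bin/cat "$OUTPUT"
  ${pkgs.coreutils}/bin/rm "$INPUT" "$OUTPUT"
''
```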


@ -5,8 +5,14 @@
pkgs pkgs
; ;
host-source = if lib.pathExists (./. + "/1systems/${name}/source.nix") then
import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs; }
else
{}
;
source = { test }: lib.evalSource [ source = { test }: lib.evalSource [
krebs-source (krebs-source { test = test; })
{ {
nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix"; nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix";
secrets = if test then { secrets = if test then {
@ -18,15 +24,24 @@
}; };
}; };
} }
host-source
]; ];
in { in {
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy) # usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" { deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" {
source = source { test = false; }; source = source { test = false; };
inherit target; inherit target;
}; };
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A populate)
populate = { target, force ? false }: pkgs.populate {
inherit force;
source = source { test = false; };
target = lib.mkTarget target;
};
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test) # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
test = { target }: pkgs.krops.writeTest "${name}-test" { test = { target }: pkgs.krops.writeTest "${name}-test" {
force = true; force = true;
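Review bot: `(krebs-source { test = test; })` spells out an attribute whose name equals the variable; `(krebs-source { inherit test; })` is the idiomatic form and matches the `inherit force;` a few lines below. `host-source` silently becomes `{}` when `1systems/${name}/source.nix` is absent, which reads as the intended optional-override mechanism but deserves a one-line comment above the `if`, e.g. `# optional per-host source overrides from 1systems/<name>/source.nix`. The enclosing function begins before the first hunk.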


@ -5,6 +5,7 @@ let
evalSource = import ./eval-source.nix; evalSource = import ./eval-source.nix;
git = import ./git.nix { inherit lib; }; git = import ./git.nix { inherit lib; };
krops = import ../submodules/krops/lib;
shell = import ./shell.nix { inherit lib; }; shell = import ./shell.nix { inherit lib; };
types = nixpkgs-lib.types // import ./types.nix { inherit lib; }; types = nixpkgs-lib.types // import ./types.nix { inherit lib; };
@ -12,8 +13,9 @@ let
ne = x: y: x != y; ne = x: y: x != y;
mod = x: y: x - y * (x / y); mod = x: y: x - y * (x / y);
genid = import ./genid.nix { inherit lib; }; genid = lib.genid_uint32; # TODO remove
genid_uint31 = x: ((lib.genid x) + 16777216) / 2; genid_uint31 = x: ((lib.genid_uint32 x) + 16777216) / 2;
genid_uint32 = import ./genid.nix { inherit lib; };
lpad = n: c: s: lpad = n: c: s:
if lib.stringLength s < n if lib.stringLength s < n
@ -44,6 +46,23 @@ let
indent = replaceChars ["\n"] ["\n "]; indent = replaceChars ["\n"] ["\n "];
mapNixDir = f: x: {
list = foldl' mergeAttrs {} (map (mapNixDir1 f) x);
path = mapNixDir1 f x;
}.${typeOf x};
mapNixDir1 = f: dirPath:
listToAttrs
(map
(relPath: let
name = removeSuffix ".nix" relPath;
path = dirPath + "/${relPath}";
in
nameValuePair name (f path))
(filter
(name: name != "default.nix" && !hasPrefix "." name)
(attrNames (readDir dirPath))));
# https://tools.ietf.org/html/rfc5952 # https://tools.ietf.org/html/rfc5952
normalize-ip6-addr = normalize-ip6-addr =
let let
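Review bot: `mapNixDir1` keeps every directory entry except `default.nix` and dotfiles, so a stray non-Nix file (an editor backup `foo.nix~`, a README) is handed to `f` as well, and an entry `foo` next to `foo.nix` yields two attributes named `foo`, only one of which survives `listToAttrs`. If only `.nix` files and subdirectories are meant to be mapped, extending the filter with `&& (hasSuffix ".nix" name || (readDir dirPath).${name} == "directory")` makes that explicit; either way both helpers need a `#` comment stating the contract (one attribute per `<name>.nix` or `<name>/` beneath the path, or beneath each path of a list). `mapNixDir` dispatches on `typeOf x` and fails with a bare missing-attribute error for anything other than a list or a path; a `throw` naming the offending type would be friendlier.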


@ -3,7 +3,7 @@
let let
inherit (lib) inherit (lib)
all any attrNames concatMapStringsSep concatStringsSep const filter flip all any attrNames concatMapStringsSep concatStringsSep const filter flip
genid hasSuffix head isInt isString length mergeOneOption mkOption genid_uint31 hasSuffix head isInt isString length mergeOneOption mkOption
mkOptionType optional optionalAttrs optionals range splitString mkOptionType optional optionalAttrs optionals range splitString
stringLength substring test testString typeOf; stringLength substring test testString typeOf;
inherit (lib.types) inherit (lib.types)
@ -365,7 +365,7 @@ rec {
}; };
uid = mkOption { uid = mkOption {
type = int; type = int;
default = genid config.name; default = genid_uint31 config.name;
}; };
}; };
}); });
@ -377,7 +377,7 @@ rec {
}; };
gid = mkOption { gid = mkOption {
type = int; type = int;
default = genid config.name; default = genid_uint31 config.name;
}; };
}; };
}); });
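Review bot: Switching the `uid` and `gid` defaults from `genid` to `genid_uint31` changes the numeric id of every krebs user and group that relies on the default, since the two functions yield different values for the same name, so on existing hosts files owned by the old ids keep their old numeric owner after the switch. Both options should carry a comment giving the reason for the narrower range (presumably that some tooling rejects ids above 2^31) and a migration hint, e.g. `# default ids are genid_uint31, not genid: chown data owned by the old ids when upgrading`. The same edit appears in the `uid` hunk above and the `gid` hunk here.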


@ -8,16 +8,21 @@ in {
imports = [ imports = [
<stockholm/makefu> <stockholm/makefu>
./hardware-config.nix ./hardware-config.nix
{
users.users.lass = {
uid = 9002;
isNormalUser = true;
createHome = true;
useDefaultShell = true;
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
makefu.pubkey
];
};
}
<stockholm/makefu/2configs/headless.nix> <stockholm/makefu/2configs/headless.nix>
# <stockholm/makefu/2configs/smart-monitor.nix> # <stockholm/makefu/2configs/smart-monitor.nix>
<stockholm/makefu/2configs/git/cgit-retiolum.nix>
<stockholm/makefu/2configs/backup.nix>
# <stockholm/makefu/2configs/mattermost-docker.nix>
# <stockholm/makefu/2configs/disable_v6.nix>
<stockholm/makefu/2configs/exim-retiolum.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
# Security # Security
<stockholm/makefu/2configs/sshd-totp.nix> <stockholm/makefu/2configs/sshd-totp.nix>
@ -26,83 +31,90 @@ in {
<stockholm/makefu/2configs/tools/dev.nix> <stockholm/makefu/2configs/tools/dev.nix>
<stockholm/makefu/2configs/tools/sec.nix> <stockholm/makefu/2configs/tools/sec.nix>
<stockholm/makefu/2configs/zsh-user.nix> <stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/mosh.nix>
# <stockholm/makefu/2configs/gui/xpra.nix>
# networking
<stockholm/makefu/2configs/vpn/openvpn-server.nix>
# <stockholm/makefu/2configs/vpn/vpnws/server.nix>
#<stockholm/makefu/2configs/dnscrypt/server.nix>
<stockholm/makefu/2configs/iodined.nix>
# <stockholm/makefu/2configs/backup.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
# ci
# <stockholm/makefu/2configs/exim-retiolum.nix>
<stockholm/makefu/2configs/git/cgit-retiolum.nix>
<stockholm/makefu/2configs/shack/gitlab-runner>
<stockholm/makefu/2configs/remote-build/slave.nix>
<stockholm/makefu/2configs/taskd.nix>
# services # services
<stockholm/makefu/2configs/share/gum.nix> <stockholm/makefu/2configs/sabnzbd.nix>
# <stockholm/makefu/2configs/sabnzbd.nix> <stockholm/makefu/2configs/mail/mail.euer.nix>
<stockholm/makefu/2configs/torrent.nix>
<stockholm/makefu/2configs/mosh.nix>
# <stockholm/makefu/2configs/retroshare.nix>
# network # sharing
<stockholm/makefu/2configs/share/gum.nix>
<stockholm/makefu/2configs/torrent.nix>
#<stockholm/makefu/2configs/retroshare.nix>
## <stockholm/makefu/2configs/ipfs.nix>
#<stockholm/makefu/2configs/syncthing.nix>
{ # ncdc
environment.systemPackages = [ pkgs.ncdc ];
networking.firewall = {
allowedUDPPorts = [ 51411 ];
allowedTCPPorts = [ 51411 ];
};
}
# <stockholm/makefu/2configs/opentracker.nix>
## network
<stockholm/makefu/2configs/vpn/openvpn-server.nix> <stockholm/makefu/2configs/vpn/openvpn-server.nix>
# <stockholm/makefu/2configs/vpn/vpnws/server.nix> # <stockholm/makefu/2configs/vpn/vpnws/server.nix>
<stockholm/makefu/2configs/dnscrypt/server.nix> <stockholm/makefu/2configs/dnscrypt/server.nix>
<stockholm/makefu/2configs/binary-cache/server.nix>
<stockholm/makefu/2configs/backup/server.nix>
<stockholm/makefu/2configs/iodined.nix> <stockholm/makefu/2configs/iodined.nix>
<stockholm/makefu/2configs/bitlbee.nix>
<stockholm/makefu/2configs/wireguard/server.nix>
# buildbot # Removed until move: no extra mails
<stockholm/makefu/2configs/remote-build/slave.nix> <stockholm/makefu/2configs/urlwatch>
# Removed until move: avoid letsencrypt ban
## Web ### Web
<stockholm/makefu/2configs/nginx/share-download.nix> #<stockholm/makefu/2configs/nginx/share-download.nix>
<stockholm/makefu/2configs/nginx/euer.test.nix> #<stockholm/makefu/2configs/nginx/euer.test.nix>
<stockholm/makefu/2configs/nginx/euer.mon.nix> <stockholm/makefu/2configs/nginx/euer.mon.nix>
<stockholm/makefu/2configs/nginx/euer.wiki.nix> <stockholm/makefu/2configs/nginx/euer.wiki.nix>
<stockholm/makefu/2configs/nginx/euer.blog.nix> <stockholm/makefu/2configs/nginx/euer.blog.nix>
# <stockholm/makefu/2configs/nginx/gum.krebsco.de.nix> ## <stockholm/makefu/2configs/nginx/gum.krebsco.de.nix>
<stockholm/makefu/2configs/nginx/public_html.nix> #<stockholm/makefu/2configs/nginx/public_html.nix>
<stockholm/makefu/2configs/nginx/update.connector.one.nix> #<stockholm/makefu/2configs/nginx/update.connector.one.nix>
<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix> <stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
<stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
<stockholm/makefu/2configs/nginx/iso.euer.nix>
<stockholm/makefu/2configs/shack/events-publisher>
<stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix> <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
# <stockholm/makefu/2configs/deployment/graphs.nix> <stockholm/makefu/2configs/deployment/graphs.nix>
<stockholm/makefu/2configs/deployment/owncloud.nix> <stockholm/makefu/2configs/deployment/owncloud.nix>
<stockholm/makefu/2configs/deployment/boot-euer.nix> <stockholm/makefu/2configs/deployment/boot-euer.nix>
<stockholm/makefu/2configs/deployment/bgt/hidden_service.nix> <stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
{
services.taskserver.enable = true;
services.taskserver.fqdn = config.krebs.build.host.name;
services.taskserver.listenHost = "::";
services.taskserver.organisations.home.users = [ "makefu" ];
networking.firewall.extraCommands = ''
iptables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
ip6tables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
'';
}
# <stockholm/makefu/2configs/ipfs.nix>
<stockholm/makefu/2configs/syncthing.nix>
# <stockholm/makefu/2configs/opentracker.nix>
<stockholm/makefu/2configs/dcpp/hub.nix>
<stockholm/makefu/2configs/dcpp/client.nix>
<stockholm/makefu/2configs/stats/client.nix> <stockholm/makefu/2configs/stats/client.nix>
# <stockholm/makefu/2configs/logging/client.nix> # <stockholm/makefu/2configs/logging/client.nix>
# Temporary: # sharing
<stockholm/makefu/2configs/dcpp/airdcpp.nix>
<stockholm/makefu/2configs/dcpp/hub.nix>
## Temporary:
# <stockholm/makefu/2configs/temp/rst-issue.nix> # <stockholm/makefu/2configs/temp/rst-issue.nix>
<stockholm/makefu/2configs/virtualisation/docker.nix> <stockholm/makefu/2configs/virtualisation/docker.nix>
<stockholm/makefu/2configs/virtualisation/libvirt.nix>
#{ # krebs infrastructure services
# services.dockerRegistry.enable = true; <stockholm/makefu/2configs/stats/server.nix>
# networking.firewall.allowedTCPPorts = [ 8443 ];
# services.nginx.virtualHosts."euer.krebsco.de" = {
# forceSSL = true;
# enableACME = true;
# extraConfig = ''
# client_max_body_size 1000M;
# '';
# locations."/".proxyPass = "http://localhost:5000";
# };
#}
<stockholm/makefu/2configs/wireguard/server.nix>
{ # iperf3
networking.firewall.allowedUDPPorts = [ 5201 ];
networking.firewall.allowedTCPPorts = [ 5201 ];
}
]; ];
makefu.dl-dir = "/var/download"; makefu.dl-dir = "/var/download";
@ -120,9 +132,7 @@ in {
ListenAddress = ${external-ip} 21031 ListenAddress = ${external-ip} 21031
''; '';
connectTo = [ connectTo = [
"muhbaasu" "tahoe" "flap" "wry" "prism" "ni" "enklave" "dishfire" "echelon" "hotdog"
"ni"
"fastpoke" "prism" "dishfire" "echelon" "cloudkrebs"
]; ];
}; };
@ -137,10 +147,11 @@ in {
environment.systemPackages = with pkgs;[ environment.systemPackages = with pkgs;[
weechat weechat
bepasty-client-cli bepasty-client-cli
get
tmux tmux
]; ];
# Hardware
# Network # Network
networking = { networking = {
firewall = { firewall = {
@ -179,4 +190,5 @@ in {
}; };
users.users.makefu.extraGroups = [ "download" "nginx" ]; users.users.makefu.extraGroups = [ "download" "nginx" ];
boot.tmpOnTmpfs = true; boot.tmpOnTmpfs = true;
state = [ "/home/makefu/.weechat" ];
} }
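Review bot: The new inline modules open 51411 (ncdc) and 5201 (iperf3) via `networking.firewall.allowedUDPPorts`/`allowedTCPPorts`, i.e. on every interface of a host that the hardware config in this commit gives a public address, so the iperf3 server becomes a bandwidth-burning target for anyone on the internet. If these are meant for the VPN only, scope them with `networking.firewall.interfaces.retiolum.allowedTCPPorts = [ 5201 ];` (and the UDP counterpart); otherwise a comment saying the exposure is intentional belongs next to them. The added `users.users.lass` block hard-codes `uid = 9002` while the rest of the tree derives ids from `genid_uint31`; a short comment on why the fixed value is needed would stop someone from "fixing" it. The `imports` list begins before the first hunk.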


@ -1,26 +1,24 @@
{ config, ... }: { config, ... }:
let let
external-mac = "2a:c5:6e:d2:fc:7f"; external-mac = "50:46:5d:9f:63:6b";
main-disk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0"; main-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_13H8863AS";
external-gw = "185.194.140.1"; sec-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_23OJ2GJAS";
external-gw = "144.76.26.225";
# single partition, label "nixos" # single partition, label "nixos"
# cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/809cf38 -L | tar zx ; mv * nixpkgs && touch .populate # cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/809cf38 -L | tar zx ; mv * nixpkgs && touch .populate
# static # static
external-ip = config.krebs.build.host.nets.internet.ip4.addr; external-ip = "144.76.26.247";
external-ip6 = config.krebs.build.host.nets.internet.ip6.addr; external-ip6 = "2a01:4f8:191:12f6::2";
external-gw6 = "fe80::1"; external-gw6 = "fe80::1";
external-netmask = 22; external-netmask = 27;
external-netmask6 = 64; external-netmask6 = 64;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
ext-if = "et0"; # gets renamed on the fly ext-if = "et0"; # gets renamed on the fly
in { in {
imports = [ imports = [
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
<stockholm/makefu/2configs/fs/single-partition-ext4.nix>
]; ];
makefu.server.primary-itf = ext-if; makefu.server.primary-itf = ext-if;
services.udev.extraRules = '' services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}" SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}"
@ -40,7 +38,62 @@ in {
defaultGateway = external-gw; defaultGateway = external-gw;
}; };
boot.kernelParams = [ ]; boot.kernelParams = [ ];
boot.loader.grub.device = main-disk; boot.loader.grub.enable = true;
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; boot.loader.grub.version = 2;
boot.loader.grub.devices = [ main-disk ];
boot.initrd.kernelModules = [ "dm-raid" ];
boot.initrd.availableKernelModules = [
"ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
"xhci_pci" "ehci_pci" "ahci" "sd_mod"
];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
hardware.enableRedistributableFirmware = true;
fileSystems."/" = {
device = "/dev/mapper/nixos-root";
fsType = "ext4";
};
fileSystems."/var/lib" = {
device = "/dev/mapper/nixos-lib";
fsType = "ext4";
};
fileSystems."/var/download" = {
device = "/dev/mapper/nixos-download";
fsType = "ext4";
};
fileSystems."/var/lib/borgbackup" = {
device = "/dev/mapper/nixos-backup";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/sda2";
fsType = "vfat";
};
# parted -s -a optimal "$disk" \
# mklabel gpt \
# mkpart no-fs 0 1024KiB \
# set 1 bios_grub on \
# mkpart ESP fat32 1025KiB 1024MiB set 2 boot on \
# mkpart primary 1025MiB 100%
# parted -s -a optimal "/dev/sdb" \
# mklabel gpt \
# mkpart primary 1M 100%
#mkfs.vfat /dev/sda2
#pvcreate /dev/sda3
#pvcreate /dev/sdb1
#vgcreate nixos /dev/sda3 /dev/sdb1
#lvcreate -L 120G -m 1 -n root nixos
#lvcreate -L 50G -m 1 -n lib nixos
#lvcreate -L 100G -n download nixos
#lvcreate -L 100G -n backup nixos
#mkfs.ext4 /dev/mapper/nixos-root
#mkfs.ext4 /dev/mapper/nixos-lib
#mkfs.ext4 /dev/mapper/nixos-download
#mkfs.ext4 /dev/mapper/nixos-borgbackup
#mount /dev/mapper/nixos-root /mnt
#mkdir /mnt/boot
#mount /dev/sda2 /mnt/boot
#mkdir -p /mnt/var/src
#touch /mnt/var/src/.populate
} }


@ -0,0 +1,11 @@
mount /dev/mapper/nixos-root /mnt
mount /dev/sda2 /mnt/boot
chroot-prepare /mnt
chroot /mnt /bin/sh
journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub)
export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin
/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate
/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin/nixos-rebuild


@ -1,5 +1,5 @@
{ {
name="gum"; name="nextgum";
torrent = true; torrent = true;
clever_kexec = true; clever_kexec = true;
} }


@ -1,253 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
ext-if = config.makefu.server.primary-itf;
in {
imports = [
<stockholm/makefu>
./hardware-config.nix
./transfer-config.nix
<stockholm/makefu/2configs/headless.nix>
# <stockholm/makefu/2configs/smart-monitor.nix>
# Security
<stockholm/makefu/2configs/sshd-totp.nix>
# Tools
<stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/tools/dev.nix>
<stockholm/makefu/2configs/tools/sec.nix>
<stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/mosh.nix>
<stockholm/makefu/2configs/gui/xpra.nix>
<stockholm/makefu/2configs/git/cgit-retiolum.nix>
<stockholm/makefu/2configs/backup.nix>
# <stockholm/makefu/2configs/exim-retiolum.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
# services
<stockholm/makefu/2configs/sabnzbd.nix>
<stockholm/makefu/2configs/mail/mail.euer.nix>
# sharing
<stockholm/makefu/2configs/share/gum.nix>
<stockholm/makefu/2configs/torrent.nix>
#<stockholm/makefu/2configs/retroshare.nix>
## <stockholm/makefu/2configs/ipfs.nix>
#<stockholm/makefu/2configs/syncthing.nix>
{ # ncdc
environment.systemPackages = [ pkgs.ncdc ];
networking.firewall = {
allowedUDPPorts = [ 51411 ];
allowedTCPPorts = [ 51411 ];
};
}
# <stockholm/makefu/2configs/opentracker.nix>
## network
<stockholm/makefu/2configs/vpn/openvpn-server.nix>
# <stockholm/makefu/2configs/vpn/vpnws/server.nix>
<stockholm/makefu/2configs/dnscrypt/server.nix>
<stockholm/makefu/2configs/binary-cache/server.nix>
<stockholm/makefu/2configs/iodined.nix>
<stockholm/makefu/2configs/bitlbee.nix>
## buildbot
<stockholm/makefu/2configs/remote-build/slave.nix>
# Removed until move: no extra mails
<stockholm/makefu/2configs/urlwatch>
# Removed until move: avoid double-update of domain
# <stockholm/makefu/2configs/hub.nix>
# Removed until move: avoid letsencrypt ban
### Web
#<stockholm/makefu/2configs/nginx/share-download.nix>
#<stockholm/makefu/2configs/nginx/euer.test.nix>
#<stockholm/makefu/2configs/nginx/euer.mon.nix>
#<stockholm/makefu/2configs/nginx/euer.wiki.nix>
#<stockholm/makefu/2configs/nginx/euer.blog.nix>
## <stockholm/makefu/2configs/nginx/gum.krebsco.de.nix>
#<stockholm/makefu/2configs/nginx/public_html.nix>
#<stockholm/makefu/2configs/nginx/update.connector.one.nix>
#<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
<stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
<stockholm/makefu/2configs/nginx/iso.euer.nix>
<stockholm/makefu/2configs/deployment/events-publisher>
#<stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
#<stockholm/makefu/2configs/deployment/graphs.nix>
#<stockholm/makefu/2configs/deployment/owncloud.nix>
#<stockholm/makefu/2configs/deployment/boot-euer.nix>
#<stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
{
services.taskserver.enable = true;
services.taskserver.fqdn = config.krebs.build.host.name;
services.taskserver.listenHost = "::";
services.taskserver.organisations.home.users = [ "makefu" ];
networking.firewall.extraCommands = ''
iptables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
ip6tables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT
'';
}
<stockholm/makefu/2configs/stats/client.nix>
<stockholm/makefu/2configs/dcpp/airdcpp.nix>
# <stockholm/makefu/2configs/logging/client.nix>
## Temporary:
# <stockholm/makefu/2configs/temp/rst-issue.nix>
<stockholm/makefu/2configs/virtualisation/docker.nix>
<stockholm/makefu/2configs/virtualisation/libvirt.nix>
#{
# services.dockerRegistry.enable = true;
# networking.firewall.allowedTCPPorts = [ 8443 ];
# services.nginx.virtualHosts."euer.krebsco.de" = {
# forceSSL = true;
# enableACME = true;
# extraConfig = ''
# client_max_body_size 1000M;
# '';
# locations."/".proxyPass = "http://localhost:5000";
# };
#}
{ # wireguard server
# opkg install wireguard luci-proto-wireguard
# TODO: networking.nat
# boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# conf.all.proxy_arp =1
networking.firewall = {
allowedUDPPorts = [ 51820 ];
extraCommands = ''
iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
'';
};
networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.0.1/24" ];
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key";
allowedIPsAsRoutes = true;
peers = [
{
# x
allowedIPs = [ "10.244.0.2/32" ];
publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
}
{
# vbob
allowedIPs = [ "10.244.0.3/32" ];
publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
}
{
# x-test
allowedIPs = [ "10.244.0.4/32" ];
publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
}
{
# work-router
allowedIPs = [ "10.244.0.5/32" ];
publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
}
{
# workr
allowedIPs = [ "10.244.0.6/32" ];
publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
}
];
};
}
{ # iperf3
networking.firewall.allowedUDPPorts = [ 5201 ];
networking.firewall.allowedTCPPorts = [ 5201 ];
}
# krebs infrastructure services
<stockholm/makefu/2configs/stats/server.nix>
];
makefu.dl-dir = "/var/download";
services.openssh.hostKeys = [
{ bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa"; }
{ path = (toString <secrets/ssh_host_ed25519_key>); type = "ed25519"; } ];
###### stable
services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
krebs.build.host = config.krebs.hosts.gum;
krebs.tinc.retiolum = {
extraConfig = ''
ListenAddress = ${external-ip} 53
ListenAddress = ${external-ip} 655
ListenAddress = ${external-ip} 21031
'';
connectTo = [
"muhbaasu" "tahoe" "flap" "wry"
"ni"
"fastpoke" "prism" "dishfire" "echelon" "cloudkrebs"
];
};
# access
users.users = {
root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ];
makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ];
};
# Chat
environment.systemPackages = with pkgs;[
weechat
bepasty-client-cli
tmux
];
# Hardware
# Network
networking = {
firewall = {
allowPing = true;
logRefusedConnections = false;
allowedTCPPorts = [
# smtp
25
# http
80 443
# httptunnel
8080 8443
# tinc
655
# tinc-shack
21032
# tinc-retiolum
21031
# taskserver
53589
# temp vnc
18001
# temp reverseshell
31337
];
allowedUDPPorts = [
# tinc
655 53
# tinc-retiolum
21031
# tinc-shack
21032
];
};
nameservers = [ "8.8.8.8" ];
};
users.users.makefu.extraGroups = [ "download" "nginx" ];
boot.tmpOnTmpfs = true;
}


@ -1,99 +0,0 @@
{ config, ... }:
let
external-mac = "50:46:5d:9f:63:6b";
main-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_13H8863AS";
sec-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_23OJ2GJAS";
external-gw = "144.76.26.225";
# single partition, label "nixos"
# cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/809cf38 -L | tar zx ; mv * nixpkgs && touch .populate
# static
external-ip = "144.76.26.247";
external-ip6 = "2a01:4f8:191:12f6::2";
external-gw6 = "fe80::1";
external-netmask = 27;
external-netmask6 = 64;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
ext-if = "et0"; # gets renamed on the fly
in {
imports = [
];
makefu.server.primary-itf = ext-if;
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}"
'';
networking = {
interfaces."${ext-if}" = {
ipv4.addresses = [{
address = external-ip;
prefixLength = external-netmask;
}];
ipv6.addresses = [{
address = external-ip6;
prefixLength = external-netmask6;
}];
};
defaultGateway6 = external-gw6;
defaultGateway = external-gw;
};
boot.kernelParams = [ ];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ main-disk ];
boot.initrd.kernelModules = [ "dm-raid" ];
boot.initrd.availableKernelModules = [
"ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
"xhci_pci" "ehci_pci" "ahci" "sd_mod"
];
boot.kernelModules = [ "kvm-intel" ];
hardware.enableRedistributableFirmware = true;
fileSystems."/" = {
device = "/dev/mapper/nixos-root";
fsType = "ext4";
};
fileSystems."/var/lib" = {
device = "/dev/mapper/nixos-lib";
fsType = "ext4";
};
fileSystems."/var/download" = {
device = "/dev/mapper/nixos-download";
fsType = "ext4";
};
fileSystems."/var/lib/borgbackup" = {
device = "/dev/mapper/nixos-backup";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/sda2";
fsType = "vfat";
};
# parted -s -a optimal "$disk" \
# mklabel gpt \
# mkpart no-fs 0 1024KiB \
# set 1 bios_grub on \
# mkpart ESP fat32 1025KiB 1024MiB set 2 boot on \
# mkpart primary 1025MiB 100%
# parted -s -a optimal "/dev/sdb" \
# mklabel gpt \
# mkpart primary 1M 100%
#mkfs.vfat /dev/sda2
#pvcreate /dev/sda3
#pvcreate /dev/sdb1
#vgcreate nixos /dev/sda3 /dev/sdb1
#lvcreate -L 120G -m 1 -n root nixos
#lvcreate -L 50G -m 1 -n lib nixos
#lvcreate -L 100G -n download nixos
#lvcreate -L 100G -n backup nixos
#mkfs.ext4 /dev/mapper/nixos-root
#mkfs.ext4 /dev/mapper/nixos-lib
#mkfs.ext4 /dev/mapper/nixos-download
#mkfs.ext4 /dev/mapper/nixos-borgbackup
#mount /dev/mapper/nixos-root /mnt
#mkdir /mnt/boot
#mount /dev/sda2 /mnt/boot
#mkdir -p /mnt/var/src
#touch /mnt/var/src/.populate
}


@ -1,5 +0,0 @@
{
name="nextgum";
torrent = true;
clever_kexec = true;
}


@ -1,7 +0,0 @@
{ config, lib, ... }:
# configuration which is only required for the time of the transfer
{
krebs.tinc.retiolum.connectTo = [ "gum" ];
krebs.build.host = lib.mkForce config.krebs.hosts.nextgum;
}


@ -8,11 +8,11 @@ let
in { in {
imports = imports =
[ [
#./hw/omo.nix ./hw/omo.nix
./hw/tsp.nix #./hw/tsp.nix
<stockholm/makefu> <stockholm/makefu>
<stockholm/makefu/2configs/zsh-user.nix> <stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/backup.nix> <stockholm/makefu/2configs/backup/state.nix>
<stockholm/makefu/2configs/exim-retiolum.nix> <stockholm/makefu/2configs/exim-retiolum.nix>
# <stockholm/makefu/2configs/smart-monitor.nix> # <stockholm/makefu/2configs/smart-monitor.nix>
<stockholm/makefu/2configs/mail-client.nix> <stockholm/makefu/2configs/mail-client.nix>
@ -25,6 +25,22 @@ in {
#<stockholm/makefu/2configs/graphite-standalone.nix> #<stockholm/makefu/2configs/graphite-standalone.nix>
#<stockholm/makefu/2configs/share-user-sftp.nix> #<stockholm/makefu/2configs/share-user-sftp.nix>
<stockholm/makefu/2configs/share/omo.nix> <stockholm/makefu/2configs/share/omo.nix>
<stockholm/makefu/2configs/dcpp/airdcpp.nix>
{ krebs.airdcpp.dcpp.shares = let
d = path: "/media/cryptX/${path}";
in {
emu.path = d "emu";
audiobooks.path = lib.mkForce (d "audiobooks");
incoming.path = lib.mkForce (d "torrent");
anime.path = d "anime";
};
krebs.airdcpp.dcpp.DownloadDirectory = "/media/cryptX/torrent/dcpp";
}
{
# copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
#services.sabnzbd.enable = true;
#systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
}
# <stockholm/makefu/2configs/share/omo-timemachine.nix> # <stockholm/makefu/2configs/share/omo-timemachine.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix> <stockholm/makefu/2configs/tinc/retiolum.nix>
@ -41,12 +57,30 @@ in {
<stockholm/makefu/2configs/stats/arafetch.nix> <stockholm/makefu/2configs/stats/arafetch.nix>
# services # services
<stockholm/makefu/2configs/syncthing.nix> {
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 ];
}
# <stockholm/makefu/2configs/syncthing.nix>
<stockholm/makefu/2configs/remote-build/slave.nix> <stockholm/makefu/2configs/remote-build/slave.nix>
<stockholm/makefu/2configs/deployment/google-muell.nix> # TODO:
# <stockholm/makefu/2configs/deployment/google-muell.nix>
<stockholm/makefu/2configs/virtualisation/docker.nix> <stockholm/makefu/2configs/virtualisation/docker.nix>
<stockholm/makefu/2configs/bluetooth-mpd.nix> <stockholm/makefu/2configs/bluetooth-mpd.nix>
{
# Risikoübernahme
nixpkgs.config.permittedInsecurePackages = [
"homeassistant-0.77.2"
];
}
<stockholm/makefu/2configs/deployment/homeautomation> <stockholm/makefu/2configs/deployment/homeautomation>
{
makefu.ps3netsrv = {
enable = true;
servedir = "/media/cryptX/emu/ps3";
};
}
{ {
hardware.pulseaudio.systemWide = true; hardware.pulseaudio.systemWide = true;
makefu.mpd.musicDirectory = "/media/cryptX/music"; makefu.mpd.musicDirectory = "/media/cryptX/music";
@ -71,10 +105,11 @@ in {
]; ];
makefu.full-populate = true; makefu.full-populate = true;
nixpkgs.config.allowUnfree = true;
krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) { krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) {
downloadDir = lib.mkForce "/media/cryptX/torrent"; downloadDir = lib.mkForce "/media/cryptX/torrent";
extraConfig = '' extraConfig = ''
upload_rate = 200 upload_rate = 500
''; '';
}; };
users.groups.share = { users.groups.share = {
@ -83,14 +118,7 @@ in {
}; };
networking.firewall.trustedInterfaces = [ primaryInterface ]; networking.firewall.trustedInterfaces = [ primaryInterface ];
# copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
services.sabnzbd.enable = true;
systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
makefu.ps3netsrv = {
enable = true;
servedir = "/media/cryptX/emu/ps3";
};
users.users.misa = { users.users.misa = {
uid = 9002; uid = 9002;
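Review bot: `nixpkgs.config.permittedInsecurePackages = [ "homeassistant-0.77.2" ]` in the block commented `# Risikoübernahme` (and the identical block in wbob/config.nix further down) overrides a nixpkgs insecurity marking without recording which issue is being accepted or when the exception is to be dropped. A comment such as `# accepted: <knownVulnerabilities text from nixpkgs>; remove once homeassistant is bumped past 0.77.2` keeps the acceptance reviewable, and since the exact version string is pinned the next bump will fail evaluation and force a re-decision anyway. The new anonymous `{ services.nginx.enable = true; networking.firewall.allowedTCPPorts = [ 80 ]; }` block opens port 80 without saying what nginx is meant to serve; a `# nginx: …` comment naming the consumer would help. The `imports` list these blocks sit in spans several hunks and its start is in the first one.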


@ -11,10 +11,10 @@ in {
<stockholm/makefu> <stockholm/makefu>
<stockholm/makefu/2configs/zsh-user.nix> <stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/tools/core.nix> <stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/disable_v6.nix> # <stockholm/makefu/2configs/disable_v6.nix>
# <stockholm/makefu/2configs/tools/core-gui.nix> <stockholm/makefu/2configs/tools/core-gui.nix>
# <stockholm/makefu/2configs/tools/extra-gui.nix> <stockholm/makefu/2configs/tools/extra-gui.nix>
# <stockholm/makefu/2configs/tools/media.nix> <stockholm/makefu/2configs/tools/media.nix>
<stockholm/makefu/2configs/virtualisation/libvirt.nix> <stockholm/makefu/2configs/virtualisation/libvirt.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix> <stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/mqtt.nix> <stockholm/makefu/2configs/mqtt.nix>
@ -33,9 +33,6 @@ in {
<stockholm/makefu/2configs/share/wbob.nix> <stockholm/makefu/2configs/share/wbob.nix>
<stockholm/makefu/2configs/bluetooth-mpd.nix> <stockholm/makefu/2configs/bluetooth-mpd.nix>
{
users.users.makefu.extraGroups = [ "pulse" ];
}
# Sensors # Sensors
<stockholm/makefu/2configs/stats/telegraf> <stockholm/makefu/2configs/stats/telegraf>
@ -46,10 +43,16 @@ in {
<stockholm/makefu/2configs/deployment/led-fader.nix> <stockholm/makefu/2configs/deployment/led-fader.nix>
<stockholm/makefu/2configs/hw/mceusb.nix> <stockholm/makefu/2configs/hw/mceusb.nix>
# <stockholm/makefu/2configs/stats/telegraf/bamstats.nix> # <stockholm/makefu/2configs/stats/telegraf/bamstats.nix>
{ environment.systemPackages = [ pkgs.vlc ]; }
{
# Risikoübernahme
nixpkgs.config.permittedInsecurePackages = [
"homeassistant-0.77.2"
];
}
<stockholm/makefu/2configs/deployment/bureautomation> <stockholm/makefu/2configs/deployment/bureautomation>
<stockholm/makefu/2configs/deployment/bureautomation/mpd.nix>
<stockholm/makefu/2configs/deployment/bureautomation/hass.nix> <stockholm/makefu/2configs/deployment/bureautomation/hass.nix>
(let (let
collectd-port = 25826; collectd-port = 25826;
@ -174,20 +177,4 @@ in {
fsType = "ext4"; fsType = "ext4";
}; };
}; };
# DualHead on NUC
# TODO: update synergy package with these extras (username)
# TODO: add crypto layer
systemd.services."synergy-client" = {
environment.DISPLAY = ":0";
serviceConfig.User = user;
};
services.synergy = {
client = {
enable = true;
screenName = "wbob";
serverAddress = "x.r";
};
};
} }


@ -15,7 +15,7 @@
<stockholm/makefu/2configs/extra-fonts.nix> <stockholm/makefu/2configs/extra-fonts.nix>
<stockholm/makefu/2configs/tools/all.nix> <stockholm/makefu/2configs/tools/all.nix>
<stockholm/makefu/2configs/laptop-backup.nix> <stockholm/makefu/2configs/backup/state.nix>
# <stockholm/makefu/2configs/dnscrypt/client.nix> # <stockholm/makefu/2configs/dnscrypt/client.nix>
<stockholm/makefu/2configs/avahi.nix> <stockholm/makefu/2configs/avahi.nix>
@ -74,6 +74,7 @@
<stockholm/makefu/2configs/hw/network-manager.nix> <stockholm/makefu/2configs/hw/network-manager.nix>
<stockholm/makefu/2configs/hw/stk1160.nix> <stockholm/makefu/2configs/hw/stk1160.nix>
<stockholm/makefu/2configs/hw/irtoy.nix> <stockholm/makefu/2configs/hw/irtoy.nix>
<stockholm/makefu/2configs/hw/switch.nix>
<stockholm/makefu/2configs/hw/bluetooth.nix> <stockholm/makefu/2configs/hw/bluetooth.nix>
# <stockholm/makefu/2configs/hw/rad1o.nix> # <stockholm/makefu/2configs/hw/rad1o.nix>
<stockholm/makefu/2configs/hw/smartcard.nix> <stockholm/makefu/2configs/hw/smartcard.nix>
@ -83,11 +84,11 @@
# Security # Security
<stockholm/makefu/2configs/sshd-totp.nix> <stockholm/makefu/2configs/sshd-totp.nix>
{ { programs.adb.enable = true; }
programs.adb.enable = true;
}
# temporary # temporary
{ services.redis.enable = true; }
<stockholm/makefu/2configs/pyload.nix> <stockholm/makefu/2configs/pyload.nix>
# <stockholm/makefu/2configs/dcpp/airdcpp.nix>
# <stockholm/makefu/2configs/nginx/rompr.nix> # <stockholm/makefu/2configs/nginx/rompr.nix>
# <stockholm/makefu/2configs/lanparty/lancache.nix> # <stockholm/makefu/2configs/lanparty/lancache.nix>
# <stockholm/makefu/2configs/lanparty/lancache-dns.nix> # <stockholm/makefu/2configs/lanparty/lancache-dns.nix>
@ -121,13 +122,11 @@
]; ];
makefu.server.primary-itf = "wlp3s0"; makefu.server.primary-itf = "wlp3s0";
makefu.full-populate = true;
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# configure pulseAudio to provide a HDMI sink as well # configure pulseAudio to provide a HDMI sink as well
networking.firewall.enable = true; networking.firewall.enable = true;
networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 3000 ];
networking.firewall.allowedUDPPorts = [ 665 26061 ]; networking.firewall.allowedUDPPorts = [ 665 26061 ];
networking.firewall.trustedInterfaces = [ "vboxnet0" ]; networking.firewall.trustedInterfaces = [ "vboxnet0" ];
@ -144,14 +143,25 @@
# avoid full boot dir # avoid full boot dir
boot.loader.grub.configurationLimit = 3; boot.loader.grub.configurationLimit = 3;
environment.systemPackages = [ pkgs.passwdqc-utils pkgs.nixUnstable ]; environment.systemPackages = [ pkgs.passwdqc-utils ];
# environment.variables = { GOROOT = [ "${pkgs.go.out}/share/go" ]; }; # environment.variables = { GOROOT = [ "${pkgs.go.out}/share/go" ]; };
state = [ state = [
"/home/makefu/stockholm" "/home/makefu/stockholm"
"/home/makefu/backup/borgun" "/home/makefu/.ssh/"
"/home/makefu/.mail/" "/home/makefu/.zsh_history"
"/home/makefu/.bash_history"
"/home/makefu/.zshrc"
"/home/makefu/bin"
"/home/makefu/.gnupg"
"/home/makefu/.imapfilter"
"/home/makefu/.mutt"
"/home/makefu/docs"
"/home/makefu/.password-store"
"/home/makefu/.secrets-pass"
"/home/makefu/autosync/Database.kdb"
]; ];
services.syncthing.user = lib.mkForce "makefu"; services.syncthing.user = lib.mkForce "makefu";
services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/"; services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/";
} }
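Review bot: The entries added to `state` (`/home/makefu/.ssh/`, `/home/makefu/.gnupg`, `/home/makefu/.password-store`, `/home/makefu/.secrets-pass`, `/home/makefu/autosync/Database.kdb`) are private keys and password stores, and with `laptop-backup.nix` replaced by `backup/state.nix` in the first hunk they are shipped to the borg repository, since that new module (also on this page) sets `paths = config.state`. A comment in the list making that explicit, e.g. `# contains private keys and password stores; access to the repo equals access to this account`, records the trust placed in the backup target. `/home/makefu/.ssh/` is the only entry with a trailing slash while the rest have none; `"/home/makefu/.ssh"` keeps the list uniform. The definition of the `state` option is not in this hunk, so whether duplicate or nested paths are handled cannot be judged here.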


@ -1,52 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
# preparation:
# mkdir -p defaultBackupDir/host.name/src
# as root on omo:
# ssh-copy-id root@src
startAt = "0,6,12,18:00";
defaultBackupServer = config.krebs.hosts.omo;
defaultBackupDir = "/home/backup";
defaultPull = host: src: {
method = "pull";
src = {
inherit host;
path = src;
};
dst = {
host = defaultBackupServer;
path = "${defaultBackupDir}/${host.name}${src}";
};
startAt = "0,6,12,18:00";
snapshots = {
hourly = { format = "%Y-%m-%dT%H"; retain = 4; };
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
};
in {
krebs.backup.plans = {
# wry-to-omo_root = defaultPull config.krebs.hosts.wry "/";
gum-to-omo_root = defaultPull config.krebs.hosts.gum "/";
gum-dl-to-omo_external = (defaultPull config.krebs.hosts.gum "/var/download" )//
{
dst.path = "/media/cryptX/backup/gum/var-download";
dst.host = defaultBackupServer;
startAt = "19:00";
};
gum-owncloud-to-omo_external = (defaultPull config.krebs.hosts.gum "/var/www/o.euer.krebsco.de" )//
{
dst.path = "/media/cryptX/backup/gum/var-www-o.euer.krebsco.de";
dst.host = defaultBackupServer;
startAt = "05:00";
};
# wolf-to-omo_root = defaultPull config.krebs.hosts.wolf "/";
};
environment.systemPackages = [
pkgs.borgbackup
];
}


@ -0,0 +1,11 @@
{lib, ... }:
let
hosts = lib.mapAttrsToList (f: _: lib.removeSuffix ".pub" f) (builtins.readDir ./ssh );
in {
# TODO: for all enabled machines
services.borgbackup.repos = lib.genAttrs hosts (host: {
authorizedKeys = [ (builtins.readFile (./ssh + "/${host}.pub") ) ];
path = "/var/lib/borgbackup/${host}";
user = "borg-${host}";
}) ;
}
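Review bot: `hosts` is built from every entry that `builtins.readDir ./ssh` returns, so a stray non-`.pub` file or a subdirectory produces a repo named after it and the following `builtins.readFile (./ssh + "/${host}.pub")` fails at evaluation; filtering first avoids that: `lib.filterAttrs (f: t: t == "regular" && lib.hasSuffix ".pub" f) (builtins.readDir ./ssh)`. The keys go into `authorizedKeys`, which gives each client full access to its own repo including delete and prune; if the repos are meant to survive a compromised client, the module's `authorizedKeysAppendOnly` list (if the module version in use offers it) is the right place for client keys. The four key files added alongside all carry the comment `makefu@x` although they are one per host; a comment naming the host would make the server's authorized_keys self-describing.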


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCJe7DQkKbL58pL78ImO+nVI/aaNFP8Zyqgo8EbNhW makefu@x


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUZcfi2SXxCo1if0oU3x9qPK8/O5FmiXy2HFZyTp/P1 makefu@x


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtA3XzpjByYQ9uSHQr0dkNUyi6nROjwv1S2IQtUu4pi makefu@x


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRfhUv9twYbO7tUe2r2LOXEMNxW14GO3Q0RTkUWeMxw makefu@x


@ -0,0 +1,25 @@
{ config, ... }:
# back up all state
let
sec = toString <secrets>;
sshkey = sec + "/borg.priv";
phrase = sec + "/borg.pw";
in
{
services.borgbackup.jobs.state = {
repo = "borg-${config.krebs.build.host.name}@backup.makefu.r:.";
paths = config.state;
encryption = {
mode = "repokey";
passCommand = "cat ${phrase}";
};
environment.BORG_RSH = "ssh -i ${sshkey}";
prune.keep =
{ daily = 7;
weekly = 4;
monthly = -1; # Keep at least one archive for each month
};
compression = "auto,lzma";
startAt = "daily";
};
}
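Review bot: `encryption.mode = "repokey"` stores the repository key inside the repo on backup.makefu.r, so the passphrase in `<secrets>/borg.pw` is the only thing between the repo operator and the archives, and the `state` lists on this page put ssh and gpg keys and password stores into those archives; `mode = "keyfile"` keeps the key on the client instead (the key under the running user's `~/.config/borg/keys` then has to be preserved separately or the archives are unrecoverable). `environment.BORG_RSH = "ssh -i ${sshkey}"` relies on the server's host key already being known to whatever user the job runs as; pinning it with `-o UserKnownHostsFile=<path to pinned known_hosts> -o StrictHostKeyChecking=yes` avoids a first-run prompt in a non-interactive unit or a silent accept of a wrong key. `toString <secrets>` correctly keeps both secret files out of the store; a one-line comment saying so would stop a later refactor from dropping the `toString`.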


@ -32,6 +32,11 @@ in {
"paste.${config.krebs.build.host.name}" "paste.${config.krebs.build.host.name}"
"paste.r" "paste.r"
]; ];
extraConfig = ''
if ( $server_addr = "${external-ip}" ) {
return 403;
}
'';
}; };
defaultPermissions = "admin,list,create,read,delete"; defaultPermissions = "admin,list,create,read,delete";
secretKeyFile = secKey; secretKeyFile = secKey;
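Review bot: The new `extraConfig` references `external-ip`, which is not bound anywhere in this hunk; the binding lived in the file the block was moved out of (the deleted block further down this page), so confirm this file's `let` defines it or evaluation fails. The check is an nginx `if` in server context with a plain `return`, which is one of the forms where `if` is safe, but binding the vhost to the intended addresses via `listen` would express "not on the public address" in the listener rather than in a per-request test of `$server_addr`. A comment such as `# refuse bepasty on the public address; internal reachability only` would record why the 403 exists.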


@ -57,6 +57,8 @@ in {
load-module module-filter-heuristics load-module module-filter-heuristics
load-module module-filter-apply load-module module-filter-apply
load-module module-switch-on-connect load-module module-switch-on-connect
load-module module-equalizer-sink
load-module module-dbus-protocol
#load-module module-bluez5-device #load-module module-bluez5-device
#load-module module-bluez5-discover #load-module module-bluez5-discover
''; '';


@ -44,5 +44,6 @@
''; '';
}; };
state = map (f: "${config.krebs.airdcpp.stateDir}/${f}")
[ "Favorites.xml" "DCPlusPlus.xml" "WebServer.xml" "Recents.xml" "IgnoredUsers.xml" ];
} }


@ -11,6 +11,11 @@ let
payload_available= "Online"; payload_available= "Online";
payload_not_available= "Offline"; payload_not_available= "Offline";
}; };
tasmota_stecki = name: topic:
( tasmota_plug name topic) //
{ state_topic = "/bam/${topic}/stat/POWER";
command_topic = "/bam/${topic}/cmnd/POWER";
};
espeasy_dht22 = name: [ espeasy_dht22 = name: [
{ platform = "mqtt"; { platform = "mqtt";
name = "${name} DHT22 Temperature"; name = "${name} DHT22 Temperature";
@ -38,9 +43,6 @@ let
}; };
in { in {
networking.firewall.allowedTCPPorts = [ 8123 ]; networking.firewall.allowedTCPPorts = [ 8123 ];
nixpkgs.config.permittedInsecurePackages = [
"homeassistant-0.65.5"
];
services.home-assistant = { services.home-assistant = {
enable = true; enable = true;
@ -48,6 +50,9 @@ in {
homeassistant = { homeassistant = {
name = "Bureautomation"; name = "Bureautomation";
time_zone = "Europe/Berlin"; time_zone = "Europe/Berlin";
latitude = "48.8265";
longitude = "9.0676";
elevation = 303;
}; };
mqtt = { mqtt = {
@ -72,7 +77,7 @@ in {
switch = [ switch = [
(tasmota_plug "Bauarbeiterlampe" "plug") (tasmota_plug "Bauarbeiterlampe" "plug")
(tasmota_plug "Blitzdings" "plug2") (tasmota_plug "Blitzdings" "plug2")
(tasmota_plug "Fernseher" "plug3") (tasmota_stecki "Fernseher" "fernseher")
(tasmota_plug "Pluggy" "plug4") (tasmota_plug "Pluggy" "plug4")
]; ];
binary_sensor = [ binary_sensor = [
@ -96,26 +101,140 @@ in {
sensorid = "5341"; sensorid = "5341";
monitored_conditions = [ "P1" "P2" ]; monitored_conditions = [ "P1" "P2" ];
} }
{ platform = "influxdb";
queries = [ { platform = "darksky";
{ name = "mean value of feinstaub P1"; api_key = lib.removeSuffix "\n"
where = '' "node" = 'esp8266-1355142' ''; (builtins.readFile <secrets/hass/darksky.apikey>);
measurement = "feinstaub"; language = "de";
database = "telegraf"; monitored_conditions = [ "summary" "icon"
field = "P1"; "nearest_storm_distance" "precip_probability"
} "precip_intensity"
{ name = "mean value of feinstaub P2"; "temperature" # "temperature_high" "temperature_low"
where = '' "node" = 'esp8266-1355142' ''; "apparent_temperature"
measurement = "feinstaub"; "hourly_summary" # next 24 hours text
database = "telegraf"; "minutely_summary"
field = "P2"; "humidity"
"pressure"
"uv_index" ];
units = "si" ;
update_interval = {
days = 0;
hours = 0;
minutes = 30;
seconds = 0;
};
} }
#{ platform = "influxdb";
# queries = [
# { name = "mean value of feinstaub P1";
# where = '' "node" = 'esp8266-1355142' '';
# measurement = "feinstaub";
# database = "telegraf";
# field = "P1";
# }
# { name = "mean value of feinstaub P2";
# where = '' "node" = 'esp8266-1355142' '';
# measurement = "feinstaub";
# database = "telegraf";
# field = "P2";
# }
# ];
#}
]; ];
camera = [
{ name = "Baumarkt";
platform = "generic";
still_image_url = http://t4915209254324-p80-c0-h6jv2afnujcoftrcstsafb45kdrqv4buy.webdirect.mdex.de/oneshotimage ;# baumarkt
}
{ name = "Autobahn Heilbronn";
platform = "generic";
still_image_url = https://api.svz-bw.de/v2/verkehrskameras/kameras/K10 ;
}
{ name = "Autobahn Singen";
platform = "generic";
still_image_url = https://api.svz-bw.de/v2/verkehrskameras/kameras/K11 ;
} }
]; ];
frontend = { }; frontend = { };
http = { }; http = { };
feedreader.urls = [ "http://www.heise.de/security/rss/news-atom.xml" ]; conversation = {};
history = {};
logbook = {};
tts = [ { platform = "google";} ];
recorder = {};
group =
{ default_view =
{ view = "yes";
entities = [
"group.sensors"
"group.outside"
"group.switches"
"group.automation"
"group.camera"
];
};
automation = [
"automation.turn_off_fernseher_10_minutes_after_last_movement"
];
switches = [
"switch.bauarbeiterlampe"
"switch.blitzdings"
"switch.fernseher"
"switch.pluggy"
];
camera = [
"camera.Baumarkt"
"camera.Autobahn_Heilbronn"
"camera.Autobahn_Singen"
];
sensors = [
"binary_sensor.motion"
"sensor.easy2_dht22_humidity"
"sensor.easy2_dht22_temperature"
];
outside = [
"sensor.ditzingen_pm10"
"sensor.ditzingen_pm25"
"sensor.dark_sky_temperature"
"sensor.dark_sky_humidity"
"sensor.dark_sky_pressure"
"sensor.dark_sky_hourly_summary"
"sensor.dark_sky_minutely_summary"
];
};
# only for automation
# feedreader.urls = [ "http://www.heise.de/security/rss/news-atom.xml" ];
automation = [
{ alias = "Turn on Fernseher on movement";
trigger = {
platform = "state";
entity_id = "binary_sensor.motion";
to = "on";
};
action = {
service= "homeassistant.turn_on";
entity_id= "switch.fernseher";
};
}
{ alias = "Turn off Fernseher 10 minutes after last movement";
trigger = {
platform = "state";
entity_id = "binary_sensor.motion";
to = "off";
for.minutes = 10;
};
action = {
service= "homeassistant.turn_off";
entity_id= "switch.fernseher";
};
condition = [{
condition = "time";
before = "06:30:00"; #only turn off between 6:30 and 18:00
after = "18:00:00";
weekday = [ "mon" "tue" "wed" "thu" "fri" ];
}];
}
];
}; };
}; };
} }
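Review bot: `api_key = lib.removeSuffix "\n" (builtins.readFile <secrets/hass/darksky.apikey>)` reads the Dark Sky key at evaluation time, so it is written into the generated home-assistant configuration in the Nix store, which is world-readable on the host and travels with the closure if it is pushed to a cache; if that is accepted, a comment saying so belongs next to the line, otherwise keep the key in a file read at runtime (hass's `secrets.yaml` with `!secret`, if the module can emit it). The comment on `before = "06:30:00"` reads `#only turn off between 6:30 and 18:00`, but together with `after = "18:00:00"` the time condition selects the night window, so it should read `# only turn off between 18:00 and 06:30`. The group entries `camera.Baumarkt`, `camera.Autobahn_Heilbronn` and `camera.Autobahn_Singen` use capitals while home-assistant derives lowercase entity ids from the name, so these references probably do not resolve; `camera.baumarkt` and friends would. `lib` is used in this section but the module's argument set is outside it, so confirm it is received.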


@ -1,67 +0,0 @@
{ pkgs, lib, ... }:
let
firetv = "192.168.1.238";
in {
systemd.services.firetv = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "nobody";
ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555";
};
};
services.home-assistant = {
#panel_iframe:
#configurator:
# title: Configurator
# icon: mdi:wrench
# url: http://hassio.local:3218
# sensor:
# - platform: random
enable = true;
config = {
homeassistant = {
name = "Bureautomation";
time_zone = "Europe/Berlin";
};
panel_iframe = {
euer_blog = {
title = "Euer Blog";
icon = "mdi:wrench";
url = "https://euer.krebsco.de";
};
};
media_player = [
{ platform = "kodi";
host = firetv;
}
{ platform = "firetv";
# assumes python-firetv running
}
];
sensor = [
{
platform = "luftdaten";
name = "Shack 1";
sensorid = "50";
monitored_conditions = [ "P1" "P2" ];
}
{
platform = "luftdaten";
name = "Shack 2";
sensorid = "658";
monitored_conditions = [ "P1" "P2" ];
}
{
platform = "luftdaten";
name = "Ditzingen";
sensorid = "5341";
monitored_conditions = [ "P1" "P2" ];
}
{ platform = "random"; }
];
frontend = { };
http = { };
feedreader.urls = [ "https://nixos.org/blogs.xml" ];
};
};
}


@ -0,0 +1,9 @@
{lib,pkgs, ... }:
{
systemd.services."ympd-wbob" = {
description = "mpd ";
wantedBy = [ "multi-user.target" ];
serviceConfig.ExecStart = "${pkgs.ympd}/bin/ympd --host localhost --port 6600 --webport 8866 --user nobody";
};
}
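Review bot: `description = "mpd "` has a trailing space and names the wrong daemon; the unit starts ympd, a web front end for mpd, so `description = "ympd web frontend for mpd (port 8866)";` says what it is. `--user nobody` drops to the shared `nobody` account; a dedicated user (`users.users.ympd`) or `serviceConfig.DynamicUser = true` (dropping the `--user` flag so the two mechanisms do not conflict) isolates it from other services running as `nobody`. Nothing in this file sets a bind address for `--webport 8866`, so whether the UI is reachable beyond the host depends on the importing host's firewall, which is outside this section.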


@ -6,11 +6,6 @@ let
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
hn = config.krebs.build.host.name; hn = config.krebs.build.host.name;
in { in {
krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
if ( $server_addr = "${external-ip}" ) {
return 403;
}
'';
krebs.tinc_graphs = { krebs.tinc_graphs = {
enable = true; enable = true;
nginx = { nginx = {


@ -1,9 +1,60 @@
{ pkgs, config, ... }: { pkgs, lib, config, ... }:
# Ideas: # Ideas:
## wake-on-lan server ## wake-on-lan server
## ##
let let
tasmota_rgb = name: topic:
# LED WS2812b
# effect_state_topic: "stat/led/Scheme"
# effect_command_topic: "cmnd/led/Scheme"
# effect_value_template: "{{ value_json.Scheme }}"
{ platform = "mqtt";
inherit name;
retain = false;
qos = 1;
optimistic = false;
# state
# TODO: currently broken, will not use the custom state topic
#state_topic = "/ham/${topic}/stat/POWER";
state_topic = "/ham/${topic}/stat/POWER";
command_topic = "/ham/${topic}/cmnd/POWER";
availability_topic = "/ham/${topic}/tele/LWT";
payload_on= "ON";
payload_off= "OFF";
payload_available= "Online";
payload_not_available= "Offline";
# brightness
brightness_state_topic = "/ham/${topic}/stat/Dimmer";
brightness_command_topic = "/ham/${topic}/cmnd/Dimmer";
brightness_value_template = "{{ value_json.Dimmer }}";
brightness_scale = 100;
# color
rgb_state_topic = "/ham/${topic}/stat/Color";
rgb_command_topic = "/ham/${topic}/cmnd/Color2";
rgb_command_mode = "hex";
rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}";
# effects
effect_state_topic = "/ham/${topic}/stat/Scheme";
effect_command_topic = "/ham/${topic}/cmnd/Scheme";
effect_value_template = "{{ value_json.Scheme }}";
effect_list = [ 0 1 2 3 4 5 6 7 8 9 10 11 12 ];
};
# switchmode 1 - also toggle power
# switchtopic flurlicht
tasmota_motion = name: topic:
{ platform = "mqtt";
device_class = "motion";
inherit name;
# TODO: currently broken, will not use the custom state topic
state_topic = "/ham/${topic}/stat/POWER";
payload_on = "ON";
payload_off = "OFF";
availability_topic = "/ham/${topic}/tele/LWT";
payload_available = "Online";
payload_not_available = "Offline";
};
firetv = "192.168.1.238"; firetv = "192.168.1.238";
tasmota_plug = name: topic: tasmota_plug = name: topic:
{ platform = "mqtt"; { platform = "mqtt";
@ -36,20 +87,31 @@ let
unit_of_measurement = "hPa"; unit_of_measurement = "hPa";
} }
]; ];
tasmota_am2301 = name: topic:
[ { platform = "mqtt";
name = "${name} Temperatur";
state_topic = "/ham/${topic}/tele/SENSOR";
value_template = "{{ value_json.AM2301.Temperature }}";
unit_of_measurement = "°C";
}
{ platform = "mqtt";
name = "${name} Luftfeuchtigkeit";
state_topic = "/ham/${topic}/tele/SENSOR";
value_template = "{{ value_json.AM2301.Humidity }}";
unit_of_measurement = "%";
}
];
in { in {
imports = [ imports = [
./mqtt.nix ./mqtt.nix
]; ];
systemd.services.firetv = { #systemd.services.firetv = {
wantedBy = [ "multi-user.target" ]; # wantedBy = [ "multi-user.target" ];
serviceConfig = { # serviceConfig = {
User = "nobody"; # User = "nobody";
ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555"; # ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555";
}; # };
}; #};
nixpkgs.config.permittedInsecurePackages = [
"homeassistant-0.65.5"
];
services.home-assistant = { services.home-assistant = {
config = { config = {
homeassistant = { homeassistant = {
@ -58,7 +120,7 @@ in {
longitude = "9.2478"; longitude = "9.2478";
elevation = 247; elevation = 247;
}; };
discovery = {}; #discovery = {};
conversation = {}; conversation = {};
history = {}; history = {};
logbook = {}; logbook = {};
@ -71,16 +133,16 @@ in {
{ platform = "kodi"; { platform = "kodi";
host = firetv; host = firetv;
} }
{ platform = "firetv"; #{ platform = "firetv";
# assumes python-firetv running # # assumes python-firetv running
} #}
]; ];
mqtt = { mqtt = {
broker = "localhost"; broker = "localhost";
port = 1883; port = 1883;
client_id = "home-assistant"; client_id = "home-assistant";
username = "hass"; username = "hass";
password = builtins.readFile <secrets/mqtt/hass>; password = lib.removeSuffix "\n" (builtins.readFile <secrets/mqtt/hass>);
keepalive = 60; keepalive = 60;
protocol = 3.1; protocol = 3.1;
birth_message = { birth_message = {
@ -96,43 +158,100 @@ in {
retain = true; retain = true;
}; };
}; };
binary_sensor = [
(tasmota_motion "Flur Bewegung" "flurlicht")
];
sensor = [ sensor = [
{ platform = "speedtest"; # broken
monitored_conditions = [ "ping" "download" "upload" ]; #{ platform = "speedtest";
} # monitored_conditions = [ "ping" "download" "upload" ];
#}
{ platform = "luftdaten"; { platform = "luftdaten";
name = "Ditzingen"; name = "Wangen";
sensorid = "663"; sensorid = "663";
monitored_conditions = [ "P1" "P2" ]; monitored_conditions = [ "P1" "P2" ];
} }
# https://www.home-assistant.io/cookbook/automation_for_rainy_days/ # https://www.home-assistant.io/cookbook/automation_for_rainy_days/
{ platform = "darksky"; { platform = "darksky";
api_key = "c73619e6ea79e553a585be06aacf3679"; api_key = lib.removeSuffix "\n"
(builtins.readFile <secrets/hass/darksky.apikey>);
language = "de"; language = "de";
monitored_conditions = [ "summary" "icon" monitored_conditions = [ "summary" "icon"
"nearest_storm_distance" "precip_probability" "nearest_storm_distance" "precip_probability"
"precip_intensity" "precip_intensity"
"temperature" # "temperature_high" "temperature_low" "temperature"
"apparent_temperature"
"hourly_summary" "hourly_summary"
"humidity"
"pressure"
"uv_index" ]; "uv_index" ];
units = "si" ; units = "si" ;
update_interval = { update_interval = {
days = 0; days = 0;
hours = 0; hours = 0;
minutes = 10; minutes = 30;
seconds = 0; seconds = 0;
}; };
} }
] ++ (tasmota_bme "Schlafzimmer" "schlafzimmer"); ]
++ (tasmota_bme "Schlafzimmer" "schlafzimmer")
++ (tasmota_am2301 "Arbeitszimmer" "arbeitszimmer");
frontend = { }; frontend = { };
#group = [ group =
# { default_view = { view = "yes"; entities = [ { default_view =
# "sensor.luftdaten" { view = "yes";
# ]} entities = [
#]; "group.flur"
"group.schlafzimmer"
"group.draussen"
"group.wohnzimmer"
"group.arbeitszimmer"
];
};
flur = [
"light.flurlicht"
"binary_sensor.flur_bewegung"
];
wohnzimmer = [
"media_player.kodi"
];
draussen = [
"sensor.dark_sky_temperature"
"sensor.dark_sky_hourly_summary"
"sensor.wangen_pm10"
"sensor.wangen_pm25"
];
schlafzimmer = [
"sensor.schlafzimmer_temperatur"
"sensor.schlafzimmer_luftdruck"
"sensor.schlafzimmer_luftfeuchtigkeit"
"switch.lichterkette_schlafzimmer"
];
arbeitszimmer = [
"switch.strom_staubsauger"
"sensor.arbeitszimmer_temperatur"
"sensor.arbeitszimmer_luftfeuchtigkeit"
];
};
http = { }; http = { };
switch = [ switch = [
(tasmota_plug "Lichterkette Schlafzimmer" "schlafzimmer") (tasmota_plug "Lichterkette Schlafzimmer" "schlafzimmer")
(tasmota_plug "Strom Staubsauger" "arbeitszimmer")
];
light = [ (tasmota_rgb "Flurlicht" "flurlicht" ) ];
automation = [
{ alias = "Staubsauger Strom aus nach 6h";
trigger = {
platform = "state";
entity_id = "switch.strom_staubsauger";
to = "on";
for.hours = 6;
};
action = {
service= "homeassistant.turn_off";
entity_id= "switch.strom_staubsauger";
};
}
]; ];
}; };
enable = true; enable = true;
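Review bot: `nixpkgs.config.permittedInsecurePackages = [ "homeassistant-0.65.5" ];` in the second hunk opts into a release that nixpkgs has flagged for known vulnerabilities, and nothing records why the exception exists or when it can go; a comment such as `# TODO: 0.65.5 is marked insecure in nixpkgs; keep only until the config is ported to a newer release` would stop the override from outliving its reason. Separately, `lib.removeSuffix "\n" (builtins.readFile <secrets/mqtt/hass>)` and the darksky `api_key` read the same way are evaluated at build time, so the secret values end up inside the generated home-assistant configuration, which — if the module renders that file into the Nix store, as I believe it does — makes them readable by every local user; a secrets file read by home-assistant at runtime would avoid that. The literal darksky key this hunk replaces remains in the repository history and should be treated as exposed and rotated. In the first hunk the commented-out `#state_topic` under the "currently broken" TODO is identical to the active `state_topic` line below it, so the comment no longer says what is broken or what the intended topic was. The enclosing attribute set continues outside the last hunk.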


@ -8,7 +8,7 @@
timerConfig = { timerConfig = {
OnCalendar = "*:0/30"; OnCalendar = "*:0/30";
}; };
url = "http://prism.r/realwallpaper-sat-krebs.png"; url = "http://prism.r/realwallpaper-krebs.png";
}; };
} }
