From 6f26a01e0a849e30b71f1f4646774cf244b79ce2 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 15 Feb 2022 22:29:33 +0100 Subject: [PATCH 01/24] k 3 ma: init latte --- krebs/3modules/makefu/default.nix | 40 ++++++++++++++++++- krebs/3modules/makefu/retiolum/latte.pub | 8 ++++ .../makefu/retiolum/latte_ed25519.pub | 1 + 3 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 krebs/3modules/makefu/retiolum/latte.pub create mode 100644 krebs/3modules/makefu/retiolum/latte_ed25519.pub diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index f87802b45..1695db3f5 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -148,6 +148,44 @@ in { }; }; }; + latte = rec { + ci = true; + extraZones = { + "krebsco.de" = '' + latte.euer IN A ${nets.internet.ip4.addr} + ''; + }; + cores = 4; + nets = rec { + internet = { + ip4.addr = "178.254.30.202"; + ip6.addr = "2a00:6800:3:18c::2"; + aliases = [ + "latte.i" + ]; + }; + #wiregrill = { + # via = internet; + # ip4.addr = "10.244.245.1"; + # ip6.addr = w6 "1"; + # wireguard.port = 51821; + # wireguard.subnets = [ + # (krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR + # "10.244.245.0/24" # required for routing directly to gum via rockit + # ]; + #}; + retiolum = { + via = internet; + ip4.addr = "10.243.0.214"; + # never connect via gum (he eats your packets!) + #tinc.weight = 9001; + + aliases = [ + "latte.r" + ]; + }; + }; + }; gum = rec { ci = true; extraZones = { @@ -220,7 +258,7 @@ in { via = internet; ip4.addr = "10.243.0.213"; # never connect via gum (he eats your packets!) - tinc.weight = 9001; + #tinc.weight = 9001; aliases = [ "gum.r" diff --git a/krebs/3modules/makefu/retiolum/latte.pub b/krebs/3modules/makefu/retiolum/latte.pub new file mode 100644 index 000000000..17fca2b40 --- /dev/null +++ b/krebs/3modules/makefu/retiolum/latte.pub 
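Review bot: The comment `# never connect via gum (he eats your packets!)` in the `@@ -220,7 +258,7 @@` hunk now sits above a disabled line (`#tinc.weight = 9001;`), so it describes a setting that is no longer in effect and will mislead the next reader into thinking gum is still deprioritised. Either drop both lines or turn the comment into a statement of the current intent, e.g. `# weight override disabled while services migrate to latte; gum is a normal retiolum peer again`. The same commented-out pair is copied into the new `latte` block in the first hunk, where it was presumably never active; if it is not meant to be re-enabled there, it is dead text and should go. The enclosing host attrset continues outside both hunks.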
@@ -0,0 +1,8 @@ +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEAx70gmNoP4RYeF3ShddEMsbNad9L5ezegwxJTZA7XTfF+/cwr/QwU +5BL0QXTwBnKzS0gun5NXmhwPzvOdvfczAxtJLk8/NjVHFeE39CiTHGgIxkZFgnbo +r2Rj6jJb89ZPaTr+hl0+0WQQVpl9NI7MTCUimvFBaD6IPmBh5wTySu6mYBs0mqmf +43RrvS42ieqQJAvVPkIzxxJeTS/M3NXmjbJ3bdx/2Yzd7INdfPkMhOONHcQhTKS4 +GSXJRTytLYZEah8lp8F4ONggN6ixlhlcQAotToFP4s8c+KqYfIZrtP+pRj7W72Y6 +vhnobLDJwBbAsW1RQ6FHcw10TrP2H+haewIDAQAB +-----END RSA PUBLIC KEY----- diff --git a/krebs/3modules/makefu/retiolum/latte_ed25519.pub b/krebs/3modules/makefu/retiolum/latte_ed25519.pub new file mode 100644 index 000000000..f987f3077 --- /dev/null +++ b/krebs/3modules/makefu/retiolum/latte_ed25519.pub @@ -0,0 +1 @@ +Ed25519PublicKey = ILtT9Y5pGBtc5/wR56RYzzYeZMvmmutaC6IED6I1oTI From 30d9c20b1bc1bc718bcb93caa2d10971f4c504a0 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 15 Feb 2022 22:30:02 +0100 Subject: [PATCH 02/24] ma latte.r: run on 1blu --- makefu/1systems/latte/1blu/default.nix | 50 ++++++++++++++++++++++++++ makefu/1systems/latte/1blu/network.nix | 31 ++++++++++++++++ makefu/1systems/latte/config.nix | 27 ++++---------- makefu/1systems/latte/source.nix | 1 + 4 files changed, 88 insertions(+), 21 deletions(-) create mode 100644 makefu/1systems/latte/1blu/default.nix create mode 100644 makefu/1systems/latte/1blu/network.nix diff --git a/makefu/1systems/latte/1blu/default.nix b/makefu/1systems/latte/1blu/default.nix new file mode 100644 index 000000000..50cd9204d --- /dev/null +++ b/makefu/1systems/latte/1blu/default.nix 
@@ -0,0 +1,50 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + + imports = + [ ./network.nix + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + # Disk + boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "tank/root"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "tank/home"; + fsType = "zfs"; + }; + + fileSystems."/nix" = + { device = "tank/nix"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/AEF3-A486"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + boot.loader.grub.device = "/dev/vda"; + + networking.hostId = "3150697c"; # required for zfs use + boot.tmpOnTmpfs = true; + boot.supportedFilesystems = [ "zfs" ]; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.copyKernels = true; + boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues + boot.kernelParams = [ + "boot.shell_on_fail" + "panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues + ]; +} diff --git a/makefu/1systems/latte/1blu/network.nix b/makefu/1systems/latte/1blu/network.nix new file mode 100644 index 000000000..065a69013 --- /dev/null +++ b/makefu/1systems/latte/1blu/network.nix 
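Review bot: `"boot.shell_on_fail"` in `boot.kernelParams` drops stage 1 into a root shell whenever the initrd fails, and on a hosted VM that shell is reachable through the provider's console without any authentication, so it widens the exposure of an internet-facing machine beyond the install phase. Keep `"panic=30" "boot.panic_on_fail"` for unattended recovery and remove `"boot.shell_on_fail"` once the host boots reliably, or leave a comment stating that it is deliberately kept for remote debugging. The `boot.loader.grub.device = "/dev/vda"` and the by-uuid `/boot` entry are hardware-specific; a one-line comment naming the hoster image they were generated from would help whoever re-installs this box.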
@@ -0,0 +1,31 @@ +{ config, lib, pkgs, modulesPath, ... }: +let + external-mac = "c4:37:72:55:4e:1c"; + external-gw = "178.254.28.1"; + external-ip = "178.254.30.202"; + external-ip6 = "2a00:6800:3:18c::2"; + external-gw6 = "2a00:6800:3::1"; + external-netmask = 22; + external-netmask6 = 64; + internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; + ext-if = "et0"; # gets renamed on the fly +in +{ + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}" + ''; + networking = { + interfaces."${ext-if}" = { + ipv4.addresses = [{ + address = external-ip; + prefixLength = external-netmask; + }]; + ipv6.addresses = [{ + address = external-ip6; + prefixLength = external-netmask6; + }]; + }; + defaultGateway6 = { address = external-gw6; interface = ext-if; }; + defaultGateway = external-gw; + }; +} diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix index bec778abc..27df80fbf 100644 --- a/makefu/1systems/latte/config.nix +++ b/makefu/1systems/latte/config.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: let # external-ip = config.krebs.build.host.nets.internet.ip4.addr; @@ -10,11 +10,13 @@ let in { imports = [ + ./1blu + # # configure your hw: - + # - + # # Security @@ -25,29 +27,12 @@ in { # Services - + # ]; krebs = { enable = true; build.host = config.krebs.hosts.latte; }; - boot.initrd.availableKernelModules = [ "ata_piix" "ehci_pci" "virtio_pci" "virtio_blk" "virtio_net" "virtio_scsi" ]; - boot.loader.grub.device = "/dev/vda"; - boot.loader.grub.copyKernels = true; - fileSystems."/" = { - device = "/dev/vda1"; - fsType = "ext4"; - }; - networking = { - firewall = { - allowPing = true; - logRefusedConnections = false; - allowedTCPPorts = [ ]; - allowedUDPPorts = [ 655 ]; - }; - # network interface receives dhcp address - nameservers = [ "8.8.8.8" ]; - }; } 
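Review bot: `internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;` in the `let` block is never referenced in the body of network.nix, so it is dead code that still forces evaluation of the host's retiolum address; drop it or use it. The static configuration also sets no `nameservers`, while the config.nix hunk in the same commit deletes `nameservers = [ "8.8.8.8" ];`, so after this commit the host has no resolver unless something outside the diff provides one (the follow-up commit adds `nameservers = [ "1.1.1.1" ];`, which confirms the gap). The `ext-if = "et0";` rename via the udev rule is keyed on `external-mac`; a short comment saying the MAC comes from the hoster's VM definition would make the dependency explicit.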
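Review bot: The `@@ -25,29 +27,12 @@` hunk of config.nix removes the whole `networking.firewall` block, including `allowedUDPPorts = [ 655 ];`, `allowPing = true;` and `logRefusedConnections = false;`, and nothing in the new `./1blu` files re-opens the tinc port. If the krebs tinc module opens its own listen port this is harmless, but that is not visible here; otherwise retiolum on latte is unreachable from outside after this commit. Either re-add `networking.firewall.allowedUDPPorts = [ 655 ];` next to the `krebs.build.host` assignment or leave a comment stating which module owns the firewall rule. The enclosing attrset continues outside the hunk.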
diff --git a/makefu/1systems/latte/source.nix b/makefu/1systems/latte/source.nix
index ab0a454c0..41abecf36 100644
--- a/makefu/1systems/latte/source.nix
+++ b/makefu/1systems/latte/source.nix
@@ -1,4 +1,5 @@
 {
 name = "latte";
 torrent = true;
+ home-manager = true;
 }
From 66341414c5fe2e440acdd3b77178b7826dcded23 Mon Sep 17 00:00:00 2001
From: makefu
Date: Thu, 17 Feb 2022 22:46:55 +0100
Subject: [PATCH 03/24] ma retiolum: fix ed25519 for latte
---
 krebs/3modules/makefu/retiolum/latte_ed25519.pub | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/krebs/3modules/makefu/retiolum/latte_ed25519.pub b/krebs/3modules/makefu/retiolum/latte_ed25519.pub
index f987f3077..7974bb6e5 100644
--- a/krebs/3modules/makefu/retiolum/latte_ed25519.pub
+++ b/krebs/3modules/makefu/retiolum/latte_ed25519.pub
@@ -1 +1 @@
-Ed25519PublicKey = ILtT9Y5pGBtc5/wR56RYzzYeZMvmmutaC6IED6I1oTI
+ILtT9Y5pGBtc5/wR56RYzzYeZMvmmutaC6IED6I1oTI
From ee9c23c4bb5737b77df0fed9385e7b30604da0de Mon Sep 17 00:00:00 2001
From: makefu
Date: Fri, 18 Feb 2022 09:22:59 +0100
Subject: [PATCH 04/24] ma latte.r: continue migration of gum services
---
 makefu/1systems/latte/1blu/network.nix | 1 +
 makefu/1systems/latte/config.nix | 47 +++++++++++++++++---------
 2 files changed, 32 insertions(+), 16 deletions(-)
diff --git a/makefu/1systems/latte/1blu/network.nix b/makefu/1systems/latte/1blu/network.nix
index 065a69013..0a0eac972 100644
--- a/makefu/1systems/latte/1blu/network.nix
+++ b/makefu/1systems/latte/1blu/network.nix
@@ -27,5 +27,6 @@ in
 };
 defaultGateway6 = { address = external-gw6; interface = ext-if; };
 defaultGateway = external-gw;
+ nameservers = [ "1.1.1.1" ];
 };
 }
diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix
index 27df80fbf..fdd3df192 100644
--- a/makefu/1systems/latte/config.nix
+++ b/makefu/1systems/latte/config.nix
@@ -10,24 +10,39 @@ let in { imports = [ - ./1blu - - # - # configure your hw: - # - - # + ./1blu + - # Security - - # + # common + + + - # Tools - - - # Services - - # + # Security + + + # Tools + + + + # NixOS Build + + + # Storage + + + # Services: + + + # Supervision + + + # Krebs + + + # + # configure your hw: + # ]; krebs = { From 639472d948f5da119c791f5ff80c1c150b1bf98b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 Feb 2022 00:19:23 +0100 Subject: [PATCH 05/24] l radio-news: add api endpoint --- lass/2configs/radio-news.nix | 53 ++++++++++++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 3 deletions(-) diff --git a/lass/2configs/radio-news.nix b/lass/2configs/radio-news.nix index a4e28c1b1..eb7d3bd9a 100644 --- a/lass/2configs/radio-news.nix +++ b/lass/2configs/radio-news.nix @@ -1,8 +1,8 @@ -{ config, pkgs, ... }: with pkgs.stockholm.lib; +{ config, lib, pkgs, ... }: let weather_report = pkgs.writers.writeDashBin "weather_report" '' set -efu - ${pkgs.curl}/bin/curl -sSL https://wttr.in/''${1-}?format=j1 \ + ${pkgs.curl}/bin/curl -fsSL https://wttr.in/''${1-}?format=j1 \ | ${pkgs.jq}/bin/jq -r ' [.nearest_area[0] | "Weather report for \(.areaName[0].value), \(.country[0].value)."] + [.current_condition[0] | "Currently it is \(.weatherDesc[0].value) outside with a temperature of \(.temp_C) degrees."] 
@@ -14,11 +14,25 @@ let ${pkgs.libshout}/bin/shout --format ogg --host localhost --port 1338 --mount /live ''; + gc_news = pkgs.writers.writeDashBin "gc_news" '' + set -xefu + ${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -cs 'map(select((.to|fromdateiso8601) > now)) | .[]' > $HOME/bla-news.tmp + ${pkgs.coreutils}/bin/mv $HOME/bla-news.tmp $HOME/news + ''; + + get_current_news = pkgs.writers.writeDashBin "get_current_news" '' + set -xefu + ${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -rs 'map(select(((.to | fromdateiso8601) > now) and (.from|fromdateiso8601) < now) | .text) | .[]' + ''; + newsshow = pkgs.writers.writeDashBin "newsshow" /* sh */ '' echo " hello crabpeople! $(${pkgs.ddate}/bin/ddate | sed 's/YOLD/Year of Discord/')! It is $(date --utc +%H) o clock UTC. + todays news: + $(get_current_news) + $(gc_news) $(weather_report berlin) $(weather_report 70173) $(weather_report munich) @@ -30,6 +44,8 @@ in path = [ newsshow send_to_radio + gc_news + get_current_news weather_report pkgs.curl pkgs.retry 
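Review bot: `gc_news` rewrites `$HOME/news` by reading it, writing `$HOME/bla-news.tmp` and then `mv`-ing the temp file over the original, while the htgen handler added later in this patch appends to `$HOME/news` with `>>`; an item appended between the `cat` and the `mv` is silently lost. Since `gc_news` runs from inside `newsshow` on a timer and the POST handler runs whenever a client connects, the window is small but real. Serialise both writers on a lock file (for example `flock` on a sibling `$HOME/news.lock` around the rewrite and around the append) or have the handler write to a spool directory that `gc_news` merges. Also, dash has no `pipefail`, so `set -e` does not catch a failing `cat` here; `jq -s` on empty input then produces `[]` and an empty file replaces `$HOME/news`, which is acceptable but worth a comment such as `# a missing news file is treated as empty`.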
@@ -37,10 +53,41 @@ in script = '' set -efu retry -t 5 -d 10 -- newsshow | - retry -t 5 -d 10 -- curl -SsG http://tts.r/api/tts --data-urlencode 'text@-' | + retry -t 5 -d 10 -- curl -fSsG http://tts.r/api/tts --data-urlencode 'text@-' | retry -t 5 -d 10 -- send_to_radio ''; startAt = "*:00:00"; + serviceConfig = { + User = "radio-news"; + }; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 7999"; target = "ACCEPT"; } + ]; + + krebs.htgen.news = { + port = 7999; + user = { + name = "radio-news"; + }; + script = ''. ${pkgs.writers.writeDash "htgen-news" '' + set -xefu + case "$Method $Request_URI" in + "POST /") + payload=$(head -c "$req_content_length" \ + | sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \ + | xargs -0 echo -e \ + ) + echo "$payload" | jq 'has("from") and has("to") and has("text")' >&2 + echo "$payload" | jq -c '{ from: (.from | fromdate | todate), to: (.to | fromdate | todate), text: .text }' >> $HOME/news + printf 'HTTP/1.1 200 OK\r\n' + printf 'Connection: close\r\n' + printf '\r\n' + exit + ;; + esac + ''}''; }; ## debug From 04f550493171d8091598791796035e365b87fe7c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 Feb 2022 15:05:21 +0100 Subject: [PATCH 06/24] news: fix add_twitter command --- krebs/2configs/news.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 9ea4cbf8d..1f966bf24 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -184,7 +184,7 @@ exit 1 fi twitter_nick=$(echo "$1" | ${pkgs.jq}/bin/jq -Rr '[match("(\\S+)\\s*";"g").captures[].string][0]') - echo "brockman: add tw_$twitter_nick http://rss.r/?action=display&bridge=Twitch&channel=$twitter_nick&type=all&format=Atom" + echo "brockman: add tw_$twitter_nick http://rss.r/?action=display&bridge=Twitter&context=By+username&u=$twitter_nick&norep=on&noretweet=on&nopinned=on&nopic=on&format=Atom" ''; search.filename = pkgs.writeDash "search" '' set -euf 
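Review bot: The schema check in the htgen-news handler, `echo "$payload" | jq 'has("from") and has("to") and has("text")' >&2`, only prints `true`/`false` to stderr and never gates the next line, so a body with valid `from`/`to` but no `text` (or a non-string `text`) is appended to `$HOME/news` and later read out by `get_current_news`. Make it a real guard, e.g. `echo "$payload" | jq -e 'has("from") and has("to") and (.text|type=="string")' >/dev/null || { printf 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n'; exit; }`, and only then append and return 200. Two related points: `head -c "$req_content_length"` trusts the client-supplied length with no upper bound, so a cap (a few KiB is plenty for a news item) belongs before the decode; and the `krebs.iptables` rule `-p tcp --dport 7999` accepts from any interface and source, which means whoever can reach the port can put text on air through the TTS pipeline — if only retiolum peers should post, restrict the rule with `-i retiolum` or an `-s` range. The `krebs.htgen.news` attrset is complete within the hunk; the surrounding module continues outside it.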
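Review bot: In the news.nix hunk, `$twitter_nick` is extracted from `$1` with `\S+`, which admits any non-space byte, and is then spliced unencoded into the query string handed to brockman (`u=$twitter_nick&norep=on...`) as well as into the feed name `tw_$twitter_nick`; a value containing `&` or `#` changes the URL's other parameters rather than being rejected. Since Twitter handles are limited to letters, digits and underscore, validate before echoing, e.g. `case "$twitter_nick" in *[!A-Za-z0-9_]*|"") echo "invalid twitter handle"; exit 1;; esac`, which also covers the empty-capture case. The enclosing add_twitter script starts before the hunk.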
From c88b48f0266ebfffd1bfd5ea2045f01cb15760b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?= Date: Tue, 22 Feb 2022 20:32:16 +0100 Subject: [PATCH 07/24] external: add redaktion.r --- krebs/3modules/external/kmein.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/3modules/external/kmein.nix b/krebs/3modules/external/kmein.nix index 1e4a68057..4605fbdf0 100644 --- a/krebs/3modules/external/kmein.nix +++ b/krebs/3modules/external/kmein.nix @@ -63,6 +63,7 @@ in "names.kmein.r" "graph.r" "rrm.r" + "redaktion.r" ]; ip4.addr = "10.243.2.84"; tinc.pubkey = '' From d085a1b0b47092a3eaf728c5e8cc978169e158e1 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 22 Feb 2022 21:47:38 +0100 Subject: [PATCH 08/24] k 3 ma: torrent.latte.r --- krebs/3modules/makefu/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 1695db3f5..7a3d2fcc2 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -182,6 +182,7 @@ in { aliases = [ "latte.r" + "torrent.latte.r" ]; }; }; From 12ba7d6aeb6a28a94713c5965a22f987f989b5f4 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 22 Feb 2022 22:18:40 +0100 Subject: [PATCH 09/24] ma backup: add latte --- makefu/2configs/backup/ssh/latte.pub | 1 + 1 file changed, 1 insertion(+) create mode 100644 makefu/2configs/backup/ssh/latte.pub diff --git a/makefu/2configs/backup/ssh/latte.pub b/makefu/2configs/backup/ssh/latte.pub new file mode 100644 index 000000000..52d56d956 --- /dev/null +++ b/makefu/2configs/backup/ssh/latte.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUZcfi2SXxCo1if0oU3x9qPK8/O5FmiXy2HFZyTp/P1 makefu@x From a51abfa5b975f932211e2c5a46c1096a65cf481f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Feb 2022 12:07:12 +0100 Subject: [PATCH 10/24] nixpkgs: 521e4d7 -> 4275a32 --- krebs/nixpkgs.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index 22d465b27..c9b40c10f 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json @@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "521e4d7d13b09bc0a21976b9d19abd197d4e3b1e", - "date": "2022-02-07T00:29:53+00:00", - "path": "/nix/store/pvmrsiy8k37nwg18g7230g5kasbsf132-nixpkgs", - "sha256": "156b4wnm6y6lg0gz09mp48rd0mhcdazr5s888c4lbhlpn3j8h042", + "rev": "4275a321beab5a71872fb7a5fe5da511bb2bec73", + "date": "2022-02-23T13:42:45-08:00", + "path": "/nix/store/g521qhbql6116naa3fjgga6dm0r24ynx-nixpkgs", + "sha256": "1p3pn7767ifbg08nmgjd93iqk0z87z4lv29ypalj9idwd3chsm69", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, From f0a47ab3b254ceb4eb08f4ee8986748bb3496e4f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Feb 2022 12:07:45 +0100 Subject: [PATCH 11/24] nixpkgs-unstable: 60c52a7 -> 7f9b6e2 --- krebs/nixpkgs-unstable.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index 12afe0e9c..71367c2f1 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "60c52a73f1d5858020ac4f161cd5bf1c9650f8b8", - "date": "2022-02-07T23:59:33+00:00", - "path": "/nix/store/5w1yn77d2b44wq0w7b8cqqqfap2897n2-nixpkgs", - "sha256": "1xyi4xag084ikcbis3iixpvfsmlfm2s105j58770x7k24mkrif7n", + "rev": "7f9b6e2babf232412682c09e57ed666d8f84ac2d", + "date": "2022-02-21T09:47:16+01:00", + "path": "/nix/store/4vd9z4b2s4jfn96ypdfavizy6908l71h-nixpkgs", + "sha256": "03nb8sbzgc3c0qdr1jbsn852zi3qp74z4qcy7vrabvvly8rbixp2", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, From a67ded588b45c09ca58a3b4007a8d32e42323613 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Feb 2022 14:06:02 +0100 Subject: [PATCH 12/24] l bch: RIP --- lass/2configs/bitcoin.nix | 9 --------- 1 file changed, 9 deletions(-) 
diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix index 9aa97a8ce..de6562cbc 100644 --- a/lass/2configs/bitcoin.nix +++ b/lass/2configs/bitcoin.nix @@ -5,15 +5,6 @@ let in { users.extraUsers = { - bch = { - name = "bch"; - description = "user for bch stuff"; - home = "/home/bch"; - useDefaultShell = true; - createHome = true; - packages = [ pkgs.electron-cash ]; - isNormalUser = true; - }; bitcoin = { name = "bitcoin"; description = "user for bitcoin stuff"; From 036289a0a119159901e20c272b97c00412e41676 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 28 Feb 2022 21:31:52 +0100 Subject: [PATCH 13/24] ma omo.r: enable more services --- makefu/1systems/latte/config.nix | 18 +++++++++++++++--- makefu/1systems/omo/config.nix | 7 +++++++ .../{torrent.nix => torrent/rtorrent.nix} | 0 3 files changed, 22 insertions(+), 3 deletions(-) rename makefu/2configs/{torrent.nix => torrent/rtorrent.nix} (100%) diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix index fdd3df192..5332fadf5 100644 --- a/makefu/1systems/latte/config.nix +++ b/makefu/1systems/latte/config.nix @@ -29,10 +29,19 @@ in { # Storage + # Services: + # + # + + + + # local usage: + + # Supervision @@ -40,9 +49,9 @@ in { # Krebs - # - # configure your hw: - # + # backup + + ]; krebs = { @@ -50,4 +59,7 @@ in { build.host = config.krebs.hosts.latte; }; + makefu.dl-dir = "/media/cloud/download"; + networking.firewall.allowedTCPPorts = [ 80 ]; + } diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 3a216ea76..42f335264 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -43,14 +43,18 @@ in { + # # # + + + { krebs.airdcpp.dcpp.shares = let d = path: "/media/cryptX/${path}"; @@ -96,6 +100,8 @@ in { + + # @@ -104,6 +110,7 @@ in { enable = true; servedir = "/media/cryptX/emu/ps3"; }; + users.users.makefu.packages = [ pkgs.pkgrename ]; } 
diff --git a/makefu/2configs/torrent.nix b/makefu/2configs/torrent/rtorrent.nix similarity index 100% rename from makefu/2configs/torrent.nix rename to makefu/2configs/torrent/rtorrent.nix From 7b34d93b0721acacaa112d94e57889618b11f399 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 28 Feb 2022 21:32:18 +0100 Subject: [PATCH 14/24] ma x.r: enable hetzner share --- makefu/1systems/x/config.nix | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index 224277861..3edfcecc1 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix @@ -137,6 +137,8 @@ # # + + # @@ -145,6 +147,7 @@ # + # Virtualization # @@ -167,7 +170,7 @@ # # { nixpkgs.overlays = [ (self: super: super.prefer-remote-fetch self super) ]; } - + # @@ -223,7 +226,8 @@ krebs.build.host = config.krebs.hosts.x; - krebs.tinc.retiolum.connectTo = [ "omo" "prism" "nextgum" "wbob" ]; + #krebs.tinc.retiolum.connectTo = lib.mkForce [ "gum" ]; + #krebs.tinc.retiolum.extraConfig = "AutoConnect = no"; environment.systemPackages = [ pkgs.passwdqc-utils ]; @@ -245,6 +249,6 @@ "/home/makefu/.config/syncthing" ]; - services.syncthing.user = lib.mkForce "makefu"; - services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/"; + # services.syncthing.user = lib.mkForce "makefu"; + # services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/"; } From 123221de60a626ccf42c4ee5049bf385597c1bb3 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 28 Feb 2022 21:44:27 +0100 Subject: [PATCH 15/24] ma rss.euer: gum -> latte --- krebs/3modules/makefu/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 7a3d2fcc2..68484a102 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix 
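Review bot: In the `@@ -223,7 +226,8 @@` hunk of x/config.nix the active `krebs.tinc.retiolum.connectTo = [ "omo" "prism" "nextgum" "wbob" ];` is replaced by two commented-out lines (`#krebs.tinc.retiolum.connectTo = lib.mkForce [ "gum" ];` and `#krebs.tinc.retiolum.extraConfig = "AutoConnect = no";`), so x.r now falls back to whatever the module's default connectTo is, which the diff does not show. If that fallback is the intent, say so in one comment and delete the dead lines rather than leaving two candidate configurations that a reader cannot tell apart; if not, restore the explicit list. The `@@ -245,6 +249,6 @@` hunk does the same with `services.syncthing.user` and `services.syncthing.dataDir`, while the context still lists `/home/makefu/.config/syncthing` above it; a comment stating where syncthing's state now lives would prevent that list from going stale.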
@@ -153,6 +153,7 @@ in { extraZones = { "krebsco.de" = '' latte.euer IN A ${nets.internet.ip4.addr} + rss.euer IN A ${nets.internet.ip4.addr} ''; }; cores = 4; @@ -212,7 +213,6 @@ in { feed.euer IN A ${nets.internet.ip4.addr} board.euer IN A ${nets.internet.ip4.addr} etherpad.euer IN A ${nets.internet.ip4.addr} - rss.euer IN A ${nets.internet.ip4.addr} mediengewitter IN CNAME over.dose.io. mon.euer IN A ${nets.internet.ip4.addr} netdata.euer IN A ${nets.internet.ip4.addr} From 0086cc952bd397b27940cbf02877f19c510f9f7d Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 28 Feb 2022 21:45:20 +0100 Subject: [PATCH 16/24] k 3 rtorrent: rip in favor of upstream rtorret + flood --- krebs/3modules/default.nix | 1 - krebs/3modules/rtorrent.nix | 348 ------------------------------------ 2 files changed, 349 deletions(-) delete mode 100644 krebs/3modules/rtorrent.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index fc57d8188..2d73da884 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -46,7 +46,6 @@ let ./realwallpaper.nix ./repo-sync.nix ./retiolum-bootstrap.nix - ./rtorrent.nix ./secret.nix ./setuid.nix ./shadow.nix diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix deleted file mode 100644 index 4a96f6203..000000000 --- a/krebs/3modules/rtorrent.nix +++ /dev/null 
@@ -1,348 +0,0 @@ -{ config, lib, pkgs, options, ... }: - -with import ; -let - cfg = config.krebs.rtorrent; - webcfg = config.krebs.rtorrent.web; - rucfg = config.krebs.rtorrent.rutorrent; - - nginx-user = config.services.nginx.user; - nginx-group = config.services.nginx.group; - fpm-socket = config.services.phpfpm.pools.rutorrent.socket; - - webdir = rucfg.webdir; - systemd-logfile = cfg.workDir + "/rtorrent-systemd.log"; - - # rutorrent requires a couple of binaries to be available to either the - # rtorrent process or to phpfpm - - rutorrent-deps = with pkgs; [ curl php coreutils procps ffmpeg mediainfo ] ++ - (if (config.nixpkgs.config.allowUnfree or false) then - trace "enabling unfree packages for rutorrent" [ unrar unzip ] else - trace "not enabling unfree packages for rutorrent because allowUnfree is unset" []); - - configFile = pkgs.writeText "rtorrent-config" '' - # THIS FILE IS AUTOGENERATED - ${optionalString (cfg.listenPort != null) '' - port_range = ${toString cfg.listenPort}-${toString cfg.listenPort} - port_random = no - ''} - - ${optionalString (cfg.watchDir != null) '' - directory.watch.added = "${cfg.watchDir}", load.start_verbose - ''} - - directory = ${cfg.downloadDir} - session = ${cfg.sessionDir} - - ${optionalString (cfg.enableXMLRPC ) '' - # prepare socket and set permissions. 
rtorrent user is part of group nginx - # TODO: configure a shared torrent group - execute.nothrow = rm,${cfg.xmlrpc-socket} - scgi_local = ${cfg.xmlrpc-socket} - schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"ug+w,o=\",${cfg.xmlrpc-socket}" - ''} - - system.file.allocate.set = ${if cfg.preAllocate then "yes" else "no"} - - # Prepare systemd logging - log.open_file = "rtorrent-systemd", ${systemd-logfile} - log.add_output = "warn", "rtorrent-systemd" - log.add_output = "notice", "rtorrent-systemd" - log.add_output = "info", "rtorrent-systemd" - # log.add_output = "debug", "rtorrent-systemd" - ${cfg.extraConfig} - ''; - - out = { - options.krebs.rtorrent = api; - # This only works because none of the attrsets returns the same key - config = with lib; mkIf cfg.enable (lib.mkMerge [ - (lib.mkIf webcfg.enable rpcweb-imp) - # only build rutorrent-imp if webcfg is enabled as well - (lib.mkIf (webcfg.enable && rucfg.enable) rutorrent-imp) - imp - ]); - }; - - api = { - enable = mkEnableOption "rtorrent"; - - web = { - # configure NGINX to provide /RPC2 for listen address - # authentication also applies to rtorrent.rutorrent - enable = mkEnableOption "rtorrent nginx web RPC"; - - addr = mkOption { - type = types.addr4; - default = "0.0.0.0"; - description = '' - the address to listen on - default is 0.0.0.0 - ''; - }; - - port = mkOption { - type = types.nullOr types.int; - description ='' - nginx listen port for rtorrent - ''; - default = 8006; - }; - - basicAuth = mkOption { - type = types.attrsOf types.str ; - description = '' - basic authentication to be used. If unset, no authentication will be - enabled. - - Refer to `services.nginx.virtualHosts.‹name›.basicAuth` - ''; - default = {}; - }; - }; - - rutorrent = { - enable = mkEnableOption "rutorrent"; # requires rtorrent.web.enable - - package = mkOption { - type = types.package; - description = '' - path to rutorrent package. 
When using your own ruTorrent package, - scgi_port and scgi_host will be patched on startup. - ''; - default = pkgs.rutorrent; - }; - - webdir = mkOption { - type = types.path; - description = '' - rutorrent php files will be written to this folder. - when using nginx, be aware that the the folder should be readable by nginx. - because rutorrent does not hold mutable data in a separate folder - these files must be writable. - ''; - default = "/var/lib/rutorrent"; - }; - - }; - - package = mkOption { - type = types.package; - default = pkgs.rtorrent; - }; - - # TODO: enable xmlrpc with web.enable - enableXMLRPC = mkEnableOption "rtorrent xmlrpc via socket"; - xmlrpc-socket = mkOption { - type = types.str; - description = '' - enable xmlrpc at given socket. Required for web-interface. - - for documentation see: - https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC - ''; - default = cfg.workDir + "/rtorrent.sock"; - }; - - preAllocate = mkOption { - type = types.bool; - description = '' - Pre-Allocate torrent files - ''; - default = true; - }; - - downloadDir = mkOption { - type = types.path; - description = '' - directory where torrents are stored - ''; - default = cfg.workDir + "/downloads"; - }; - - sessionDir = mkOption { - type = types.path; - description = '' - directory where torrent progress is stored - ''; - default = cfg.workDir + "/rtorrent-session"; - }; - - watchDir = mkOption { - type = with types; nullOr str; - description = '' - directory to watch for torrent files. - If unset, no watch directory will be configured - ''; - default = null; - }; - - listenPort = mkOption { - type = with types; nullOr int; - description ='' - listening port. 
if you want multiple ports, use extraConfig port_range - ''; - }; - - extraConfig = mkOption { - type = types.lines; - description = '' - config to be placed into ${cfg.workDir}/.rtorrent.rc - - see ${cfg.package}/share/doc/rtorrent/rtorrent.rc - ''; - example = literalExample '' - log.execute = ${cfg.workDir}/execute.log - log.xmlrpc = ${cfg.workDir}/xmlrpc.log - ''; - default = ""; - }; - - user = mkOption { - description = '' - user which will run rtorrent. if kept default a new user will be created - ''; - type = types.str; - default = "rtorrent"; - }; - - workDir = mkOption { - description = '' - working directory. rtorrent will search in HOME for `.rtorrent.rc` - ''; - type = types.str; - default = "/var/lib/rtorrent"; - }; - - }; - - imp = { - systemd.services = { - rtorrent-daemon = { - description = "rtorrent headless"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = true; - serviceConfig = { - Type = "forking"; - ExecStartPre = pkgs.writeDash "prepare-folder" '' - mkdir -p ${cfg.workDir} ${cfg.sessionDir} - chmod 770 ${cfg.workDir} ${cfg.sessionDir} - touch ${systemd-logfile} - cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc - ''; - ExecStart = "${pkgs.tmux}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'"; - Restart = "always"; - RestartSec = "10"; - - ## you can simply sudo -u rtorrent tmux a if privateTmp is set to false - ## otherwise the tmux session is stored in some private folder in /tmp - PrivateTmp = false; - - WorkingDirectory = cfg.workDir; - User = "${cfg.user}"; - }; - }; - rtorrent-log = { - after = [ "rtorrent-daemon.service" ]; - bindsTo = [ "rtorrent-daemon.service" ]; - wantedBy = [ "rtorrent-daemon.service" ]; - serviceConfig = { - ExecStart = "${pkgs.coreutils}/bin/tail -f ${systemd-logfile}"; - User = "${cfg.user}"; - }; - }; - } // (optionalAttrs webcfg.enable { - rutorrent-prepare = { - after = [ 
"rtorrent-daemon.service" ]; - wantedBy = [ "rtorrent-daemon.service" ]; - serviceConfig = { - Type = "oneshot"; - # we create the folder and set the permissions to allow nginx - # TODO: update files if the version of rutorrent changed - ExecStart = pkgs.writeDash "create-webconfig-dir" '' - if [ ! -e ${webdir} ];then - echo "creating webconfiguration directory for rutorrent: ${webdir}" - cp -vr ${rucfg.package} ${webdir} - echo "setting permissions for webdir to ${cfg.user}:${nginx-group}" - chown -R ${cfg.user}:${nginx-group} ${webdir} - chmod -R 770 ${webdir} - else - echo "not overwriting ${webdir}" - - fi - echo "updating xmlrpc-socket with unix://${cfg.xmlrpc-socket}" - sed -i -e 's#^\s*$scgi_port.*#$scgi_port = 0;#' \ - -e 's#^\s*$scgi_host.*#$scgi_host = "unix://${cfg.xmlrpc-socket}";#' \ - "${webdir}/conf/config.php" - ''; - }; - }; - }) - // (optionalAttrs rucfg.enable { }); - - users = lib.mkIf (cfg.user == "rtorrent") { - users.rtorrent = { - uid = genid "rtorrent"; - home = cfg.workDir; - group = nginx-group; # required for rutorrent to work - shell = "/bin/sh"; #required for tmux - isSystemUser = true; - createHome = true; - }; - groups.rtorrent.gid = genid "rtorrent"; - }; - }; - - rpcweb-imp = { - services.nginx.enable = mkDefault true; - services.nginx.virtualHosts.rtorrent = { - default = mkDefault true; - inherit (webcfg) basicAuth; - root = optionalString rucfg.enable webdir; - listen = [ { inherit (webcfg) addr port; } ]; - - locations = { - "/RPC2".extraConfig = '' - include ${pkgs.nginx}/conf/scgi_params; - scgi_param SCRIPT_NAME /RPC2; - scgi_pass unix:${cfg.xmlrpc-socket}; - ''; - } // (optionalAttrs rucfg.enable { - "~ \.php$".extraConfig = '' - client_max_body_size 200M; - fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:${fpm-socket}; - try_files $uri =404; - fastcgi_index index.php; - include ${pkgs.nginx}/conf/fastcgi_params; - include ${pkgs.nginx}/conf/fastcgi.conf; - ''; } - ); - }; - }; - - rutorrent-imp = { - 
services.phpfpm = { - pools.rutorrent = { - user = nginx-user; - group = nginx-group; - phpEnv.PATH = makeBinPath rutorrent-deps; - - settings = { - "listen.owner" = nginx-user; - "pm" = "dynamic"; - "pm.max_children" = 5; - "pm.start_servers" = 2; - "pm.min_spare_servers" = 1; - "pm.max_spare_servers" = 3; - "chdir" = "/"; - "php_admin_value[error_log]" = "stderr"; - "php_admin_flag[log_errors]" = "on"; - "catch_workers_output" = "yes"; - }; - }; - }; - }; -in out From 6002189225e347418f07a99d6a85b033fa0edaf7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 1 Mar 2022 14:20:57 +0100 Subject: [PATCH 17/24] tinc tinc-up: don't rely on store path interpreter --- krebs/3modules/tinc.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index bc85aa0a6..e9d1b30ae 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -25,7 +25,8 @@ with import ; Port = ${toString tinc.config.host.nets.${netname}.tinc.port} ${tinc.config.extraConfig} ''; - "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' + "tinc-up" = pkgs.writeScript "${netname}-tinc-up" '' + #!/bin/sh ip link set ${netname} up ${tinc.config.tincUp} ''; From 859a1c2101e5c0b3b519d359a75f6f3086737843 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 1 Mar 2022 23:19:44 +0100 Subject: [PATCH 18/24] ma latte.r: continue migration from gum --- makefu/1systems/gum/config.nix | 32 ++++++++++++++++---------------- makefu/1systems/latte/config.nix | 14 +++++++++++--- 2 files changed, 27 insertions(+), 19 deletions(-) diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index a9d9b661f..9ee00c1de 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -23,11 +23,12 @@ in { } - # + + # 
@@ -56,13 +57,13 @@ in { { # bonus retiolum config for connecting more hosts krebs.tinc.retiolum = { - extraConfig = lib.mkForce '' - ListenAddress = ${external-ip} 53 - ListenAddress = ${external-ip} 655 - ListenAddress = ${external-ip} 21031 - StrictSubnets = yes - LocalDiscovery = no - ''; + #extraConfig = lib.mkForce '' + # ListenAddress = ${external-ip} 53 + # ListenAddress = ${external-ip} 655 + # ListenAddress = ${external-ip} 21031 + # StrictSubnets = yes + # LocalDiscovery = no + #''; connectTo = [ "prism" "ni" "enklave" "eve" "dishfire" ]; @@ -106,7 +107,7 @@ in { # sharing # samba sahre - + # @@ -114,7 +115,7 @@ in { # ## # - + # # @@ -125,9 +126,8 @@ in { { makefu.backup.server.repo = "/var/backup/borg"; } - - + # { # recent changes mediawiki bot networking.firewall.allowedUDPPorts = [ 5005 5006 ]; @@ -152,11 +152,10 @@ in { - # - + # # @@ -182,14 +181,15 @@ in { ## Temporary: # - + # # # krebs infrastructure services # ]; - makefu.dl-dir = "/var/download"; + # makefu.dl-dir = "/var/download"; + makefu.dl-dir = "/media/cloud/download"; services.openssh.hostKeys = lib.mkForce [ { bits = 4096; path = (toString ); type = "rsa"; } diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix index 5332fadf5..c493541fb 100644 --- a/makefu/1systems/latte/config.nix +++ b/makefu/1systems/latte/config.nix @@ -34,10 +34,18 @@ in { # Services: - # - # + ## Web + + ### Moving owncloud data dir to /media/cloud/nextcloud-data + { + users.users.nextcloud.extraGroups = [ "download" ]; + fileSystems."/var/lib/nextcloud/data" = { + device = "/media/cloud/nextcloud-data"; + options = [ "bind" ]; + }; + } # local usage: @@ -60,6 +68,6 @@ in { }; makefu.dl-dir = "/media/cloud/download"; - networking.firewall.allowedTCPPorts = [ 80 ]; + networking.firewall.allowedTCPPorts = [ 80 443 ]; } From 4904dcf2291d61d41a22f5429327e95e8a7e61ae Mon Sep 17 00:00:00 2001 
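Review bot: Commenting out the whole `extraConfig` block drops `StrictSubnets = yes` and `LocalDiscovery = no` together with the `ListenAddress` lines, which loosens more than the ListenAddress cleanup suggests: without StrictSubnets, tincd on gum accepts subnet announcements from peers for subnets not listed in that peer's host file, and without the pinned ListenAddress lines it listens on every address on the default port only (53 and 21031 disappear). Unless the module's default `extraConfig` (not visible here) already sets them, keep the two policy lines as a plain, non-mkForce `extraConfig = ''` / `StrictSubnets = yes` / `LocalDiscovery = no` / `'';`. If the hub role is moving to latte, the same lines belong in latte's retiolum config, which this series does not show. The enclosing `krebs.tinc.retiolum` attrset closes inside the hunk, so nothing else is affected.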
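Review bot: Bind-mounting Nextcloud's data directory onto `/media/cloud/nextcloud-data` and adding `nextcloud` to the `download` group gives the Nextcloud service account write access to everything that group can reach on the mount, and — if `/media/cloud` is the CIFS mount whose ownership is forced to `download:download` elsewhere in this series — gives every member of `download` (the build user, the torrent daemon) read/write access to all Nextcloud user data, bypassing the per-user access control Nextcloud enforces in PHP. Nextcloud only checks that the data dir is not world-readable, so it will not warn about this. At minimum document the trade-off next to the bind mount, e.g. `# NOTE: data lives on the shared cloud mount; every member of group download can read it`, and consider a dedicated sub-mount with `uid=nextcloud` instead of group membership. Opening 443 in the second hunk is fine only if a TLS vhost is configured elsewhere; nothing in this hunk serves it.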
From: makefu
Date: Tue, 1 Mar 2022 23:20:22 +0100
Subject: [PATCH 19/24] ma torrent: migrate to upstream rtorrent + flood
---
 makefu/2configs/torrent/rtorrent.nix | 99 +++++++++++-----------------
 1 file changed, 37 insertions(+), 62 deletions(-)
diff --git a/makefu/2configs/torrent/rtorrent.nix b/makefu/2configs/torrent/rtorrent.nix
index 74f1e5fe8..79325bfc7 100644
--- a/makefu/2configs/torrent/rtorrent.nix
+++ b/makefu/2configs/torrent/rtorrent.nix
@@ -1,73 +1,48 @@ { config, lib, pkgs, ... }: -with import ; - let basicAuth = import ; peer-port = 51412; web-port = 8112; daemon-port = 58846; - base-dir = config.krebs.rtorrent.workDir; + dldir = config.makefu.dl-dir; in { - - users.users = { - download = { - name = "download"; - home = base-dir; - uid = mkDefault (genid "download"); - createHome = true; - useDefaultShell = true; - group = "download"; - openssh.authorizedKeys.keys = [ ]; - }; - }; - - users.extraGroups = { - download = { - gid = lib.mkDefault (genid "download"); - members = [ - config.krebs.build.user.name - "download" - "rtorrent" - "nginx" - ]; - }; - rtorrent.members = [ "download" ]; - }; - - krebs.rtorrent = let - d = config.makefu.dl-dir; - in { - enable = true; - web = { - enable = true; - port = web-port; - inherit basicAuth; - }; - rutorrent.enable = true; - enableXMLRPC = true; - listenPort = peer-port; - downloadDir = d + "/finished/incoming"; - watchDir = d + "/watch"; - # TODO: maybe test out multiple watch dirs with tags: https://github.com/rakshasa/rtorrent/wiki/TORRENT-Watch-directories - extraConfig = '' - # log.add_output = "debug", "rtorrent-systemd" - # log.add_output = "dht_debug", "rtorrent-systemd" - # log.add_output = "tracker_debug", "rtorrent-systemd" - log.add_output = "rpc_events", "rtorrent-systemd" - # log.add_output = "rpc_dump", "rtorrent-systemd" - system.daemon.set = true - ''; - # dump old torrents into watch folder to have them re-added - }; - - services.nginx.virtualHosts."torrent.${config.krebs.build.host.name}.r".locations."/" = { proxyPass = "http://localhost:${toString web-port}/"; }; - - networking.firewall.extraCommands = '' - iptables -A INPUT -i retiolum -p tcp --dport ${toString web-port} -j ACCEPT + services.rtorrent.enable = true; + services.rtorrent.user = "rtorrent"; + services.rtorrent.group = "download"; + services.rtorrent.downloadDir = dldir; + services.rtorrent.configText = '' + schedule2 = watch_start, 10, 10, ((load.start, (cat, 
(cfg.watch), "/media/cloud/watch/*.torrent"))) ''; - networking.firewall.allowedTCPPorts = [ peer-port ]; - networking.firewall.allowedUDPPorts = [ peer-port ]; - state = [ config.krebs.rtorrent.sessionDir ]; # state which torrents were loaded + services.rtorrent.openFirewall = true; + + systemd.services.flood = { + wantedBy = [ "multi-user.target" ]; + wants = [ "rtorrent.service" ]; + after = [ "rtorrent.service" ]; + serviceConfig = { + User = "rtorrent"; + ExecStart = "${pkgs.nodePackages.flood}/bin/flood --auth none --port ${toString web-port} --rtsocket ${config.services.rtorrent.rpcSocket}"; + }; + }; + + #security.acme.certs."torrent.${config.krebs.build.host.name}.r".server = config.krebs.ssl.acmeURL; + + services.nginx = { + enable = true; + virtualHosts."torrent.${config.krebs.build.host.name}.r" = { + # TODO + inherit basicAuth; + #enableACME = true; + #addSSL = true; + root = "${pkgs.nodePackages.flood}/lib/node_modules/flood/dist/assets"; + locations."/api".extraConfig = '' + proxy_pass http://localhost:${toString web-port}; + ''; + locations."/".extraConfig = '' + try_files $uri /index.html; + ''; + }; + }; } From 94b29daa137e704d9db1979169ba82f9150515c6 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 1 Mar 2022 23:26:31 +0100 Subject: [PATCH 20/24] ma share: set file-mode to 0770 for hetzner --- makefu/2configs/share/default.nix | 29 ++++++++++++++++++++++++ makefu/2configs/share/hetzner-client.nix | 12 ++++++---- makefu/2configs/share/omo.nix | 6 +++++ 3 files changed, 42 insertions(+), 5 deletions(-) create mode 100644 makefu/2configs/share/default.nix diff --git a/makefu/2configs/share/default.nix b/makefu/2configs/share/default.nix new file mode 100644 index 000000000..a1ad349b9 --- /dev/null +++ b/makefu/2configs/share/default.nix 
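Review bot: `--auth none` turns off flood's own login, so the only access control left on the UI and its `/api` proxy is the nginx `basicAuth` on `torrent.<host>.r`, and with `enableACME`/`addSSL` commented out those credentials travel in the clear. The removed config limited the web port to the `retiolum` interface with iptables; the replacement relies on the vhost name alone, and nginx answers for any `Host:` header on every interface port 80 is open on (latte opens 80 to the internet in this series), so the basic-auth prompt is reachable from outside the VPN. Bind the vhost to the retiolum address until TLS is in place, e.g. `listen = [ { addr = config.krebs.build.host.nets.retiolum.ip4.addr; port = 80; } ];`, or restrict clients in the vhost's `extraConfig` with `allow`/`deny` for the retiolum range. Separately, `(cat, (cfg.watch), "/media/cloud/watch/*.torrent")` concatenates the absolute path onto rtorrent's `cfg.watch` base, which in the upstream module resolves under the rtorrent data dir; if the watch folder is meant to be `/media/cloud/watch`, drop the `(cfg.watch)` element — confirm against the rendered rtorrent.rc, since part of that line may have been lost in extraction.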
@@ -0,0 +1,29 @@ +{ config, lib, ... }: +with import ; +let + base-dir = config.services.rtorrent.downloadDir; +in { + users.users = { + download = { + name = "download"; + home = base-dir; + isNormalUser = true; + uid = mkDefault (genid "download"); + createHome = false; + useDefaultShell = true; + group = "download"; + openssh.authorizedKeys.keys = [ ]; + }; + }; + + users.groups = { + download = { + gid = lib.mkDefault (genid "download"); + members = [ + config.krebs.build.user.name + "download" + ]; + }; + }; + +} diff --git a/makefu/2configs/share/hetzner-client.nix b/makefu/2configs/share/hetzner-client.nix index e59698063..90bc32deb 100644 --- a/makefu/2configs/share/hetzner-client.nix +++ b/makefu/2configs/share/hetzner-client.nix @@ -1,5 +1,6 @@ { config, lib, pkgs, ... }: +with ; let automount_opts = [ "x-systemd.automount" @@ -10,14 +11,16 @@ let host = "u288834.your-storagebox.de"; in { boot.kernel.sysctl."net.ipv6.route.max_size" = 2147483647; + fileSystems."/media/cloud" = { device = "//${host}/backup"; fsType = "cifs"; options = automount_opts ++ - [ "credentials=/var/src/secrets/hetzner.smb" - "file_mode=0775" - "dir_mode=0775" - "uid=9001" + [ "credentials=${toString }" + "file_mode=0770" + "dir_mode=0770" + "uid=${toString config.users.users.download.uid}" + "gid=${toString config.users.groups.download.gid}" #"vers=3" "vers=2.1" "rsize=65536" @@ -25,5 +28,4 @@ in { "iocharset=utf8" ]; }; - } diff --git a/makefu/2configs/share/omo.nix b/makefu/2configs/share/omo.nix index 93536b63d..e53158b8f 100644 --- a/makefu/2configs/share/omo.nix +++ b/makefu/2configs/share/omo.nix @@ -32,6 +32,12 @@ in { browseable = "yes"; "guest ok" = "yes"; }; + movies = { + path = "/media/cryptX/movies"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; audiobook = { path = "/media/crypt1/audiobooks"; "read only" = "yes"; From 26e2bc72ab89c9e2d0ca02fed632c982beb73322 Mon Sep 17 00:00:00 2001 
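Review bot: `download` is declared with `isNormalUser = true`, which makes it an interactive login account (default shell, login permitted) even though it only exists to own the share and carries no keys; for an ownership/service account `isSystemUser = true` with the explicit `uid`/`group` kept is the least-privilege choice and matches how the deleted krebs.rtorrent module declared its `rtorrent` user. If interactive login as `download` is actually intended, say so, e.g. `# normal user on purpose: used for interactive SFTP/shell access to the share`. Note also that `home = config.services.rtorrent.downloadDir` with `createHome = false` means the home path only exists where rtorrent is enabled and has created it; a host importing this module without rtorrent gets an account pointing at a non-existent directory. The module is fully contained in the hunk.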
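Review bot: Forcing `uid`/`gid` to `download` with `file_mode=0770`/`dir_mode=0770` makes every object on the storage box read-write for every member of group `download` regardless of how it was created server-side, and that group includes the build user in this series; together with the `nextcloud-data` directory latte bind-mounts from this share, torrents, backups and Nextcloud user data become one flat trust domain. If that is acceptable, record it next to the options, e.g. `# whole share is owned by download:download; every group member sees everything on it`; otherwise mount sub-paths with their own uid/gid. The switch to `credentials=${toString <secrets/...>}` (path stripped in this rendering) keeps the SMB password out of the Nix store, since `toString` on a path does not copy it — but only as long as nobody later "fixes" it into a store path, so a one-line comment stating that the file must stay root-only outside the store is worth adding.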
From: makefu Date: Wed, 2 Mar 2022 13:23:44 +0100 Subject: [PATCH 21/24] ma latte.r: un-fail nextcloud-setup --- makefu/1systems/gum/config.nix | 2 +- makefu/1systems/latte/config.nix | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 9ee00c1de..089fc8e9f 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -150,7 +150,7 @@ in { # - + # # diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix index c493541fb..2828aea08 100644 --- a/makefu/1systems/latte/config.nix +++ b/makefu/1systems/latte/config.nix @@ -41,6 +41,8 @@ in { ### Moving owncloud data dir to /media/cloud/nextcloud-data { users.users.nextcloud.extraGroups = [ "download" ]; + # nextcloud-setup fails as it cannot set permissions for nextcloud + systemd.services.nextcloud-setup.serviceConfig.SuccessExitStatus = "0 1"; fileSystems."/var/lib/nextcloud/data" = { device = "/media/cloud/nextcloud-data"; options = [ "bind" ]; From a2d2a6977e5d0809ee45590bc1e6faf705dfaee2 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 2 Mar 2022 16:20:42 +0100 Subject: [PATCH 22/24] ma secrets: add hetzner.smb --- makefu/0tests/data/secrets/hetzner.smb | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 makefu/0tests/data/secrets/hetzner.smb diff --git a/makefu/0tests/data/secrets/hetzner.smb b/makefu/0tests/data/secrets/hetzner.smb new file mode 100644 index 000000000..e69de29bb From 81817007edda4601c95a8f95aa99ce15320e224a Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 2 Mar 2022 16:22:14 +0100 Subject: [PATCH 23/24] ma home: init ps4srv --- makefu/2configs/home/ps4srv.nix | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 makefu/2configs/home/ps4srv.nix diff --git a/makefu/2configs/home/ps4srv.nix b/makefu/2configs/home/ps4srv.nix new file mode 100644 index 000000000..cb1864fae --- /dev/null +++ b/makefu/2configs/home/ps4srv.nix 
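Review bot: `SuccessExitStatus = "0 1"` on `nextcloud-setup` hides every failure of that unit, not only the permission step named in the comment: in the upstream module the same unit runs the `occ` install/upgrade steps and writes config, so a failed upgrade or DB migration now exits 1, is reported as success, and lets the units ordered after it start against a half-migrated instance. The likely root cause is that chown/chmod do nothing on a CIFS mount with forced `uid`/`gid` (the bind mount points into `/media/cloud`), so the fix belongs there: point `services.nextcloud.datadir` at the mount if the nixpkgs in use has that option, or mount the Nextcloud sub-path with `uid=nextcloud`. If the override must stay, make its scope explicit, e.g. `# FIXME: masks ALL nextcloud-setup failures, not just chmod on the CIFS-backed data dir`, and consider an `ExecStartPost` that verifies `occ status` reports the instance as installed.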
@@ -0,0 +1,17 @@ +let + internal-ip = "192.168.111.11"; +in +{ + services.nginx.virtualHosts."ps4srv" = { + serverAliases = [ + "ps4srv.lan" + ]; + + locations."/".root = "/media/cryptX/emu/ps4"; + extraConfig = '' + if ( $server_addr != "${internal-ip}" ) { + return 403; + } + ''; + }; +} From 87a44dd1573cbdc8f0fc3553b0896b470bcfa44d Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 3 Mar 2022 10:53:25 +0100 Subject: [PATCH 24/24] tinc: add logLevel with default of 3 --- krebs/3modules/tinc.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix index e9d1b30ae..1b28628d6 100644 --- a/krebs/3modules/tinc.nix +++ b/krebs/3modules/tinc.nix @@ -19,6 +19,7 @@ with import ; "hosts" = tinc.config.hostsPackage; "tinc.conf" = pkgs.writeText "${netname}-tinc.conf" '' Name = ${tinc.config.host.name} + LogLevel = ${toString tinc.config.logLevel} Interface = ${netname} Broadcast = no ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo} @@ -193,6 +194,14 @@ with import ; ''; }; + logLevel = mkOption { + type = types.int; + description = '' + LogLevel in tinc.conf + ''; + default = 3; + }; + user = mkOption { type = types.user; default = {
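Review bot: The `if ( $server_addr != "192.168.111.11" )` guard checks which local address the request arrived on, not who sent it: any client that can reach the host on that address (through a port forward, or another route into the LAN) gets the PS4 directory, while LAN clients arriving on a different local address are refused. If the intent, suggested by the `ps4srv.lan` alias, is "LAN clients only", the direct form is a client check in the location, e.g. `locations."/".extraConfig = ''allow 192.168.111.0/24; deny all;'';` — the prefix length is an assumption to confirm. Whichever is kept, one comment stating the policy (`# only serve on/to the home LAN`) stops the next reader from "simplifying" it away. Without `autoindex` the tree is not listable, but file names are still guessable, so this is not a substitute for authentication if the content is sensitive.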
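Review bot: `logLevel` is typed as a bare `types.int`, so negative or huge values pass evaluation and only misbehave inside tincd; tinc documents LogLevel as 0–5, so `type = types.ints.between 0 5;` would reject mistakes at build time. The default of 3 also changes behaviour for every host using this module: previously no `LogLevel` line was emitted, i.e. tinc's own default of 0 (errors only), whereas level 3, per tinc's documentation, logs every request exchanged with peers (authentication, key exchange, connection-list updates) into the journal — fine while debugging the migration, but say so in the description, e.g. `LogLevel for tinc.conf (0 = errors only … 5 = everything, see tinc.conf(5)); 3 logs all requests exchanged with peers`. Both hunks are complete within the patch.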