Merge remote-tracking branch 'prism/master'
This commit is contained in:
commit
5182daaaf4
|
@ -184,7 +184,7 @@
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
twitter_nick=$(echo "$1" | ${pkgs.jq}/bin/jq -Rr '[match("(\\S+)\\s*";"g").captures[].string][0]')
|
twitter_nick=$(echo "$1" | ${pkgs.jq}/bin/jq -Rr '[match("(\\S+)\\s*";"g").captures[].string][0]')
|
||||||
echo "brockman: add tw_$twitter_nick http://rss.r/?action=display&bridge=Twitch&channel=$twitter_nick&type=all&format=Atom"
|
echo "brockman: add tw_$twitter_nick http://rss.r/?action=display&bridge=Twitter&context=By+username&u=$twitter_nick&norep=on&noretweet=on&nopinned=on&nopic=on&format=Atom"
|
||||||
'';
|
'';
|
||||||
search.filename = pkgs.writeDash "search" ''
|
search.filename = pkgs.writeDash "search" ''
|
||||||
set -euf
|
set -euf
|
||||||
|
|
|
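Review bot: `$twitter_nick` is still interpolated unencoded into the bridge URL on the rewritten echo line; the jq extraction only guarantees it is the first whitespace-free token of `$1`, so characters such as `&`, `=` or `#` in it would alter the query string that brockman later fetches. If the feed name `tw_$twitter_nick` must stay raw, encode only the URL occurrence, e.g. `twitter_nick_uri=$(printf '%s' "$twitter_nick" | ${pkgs.jq}/bin/jq -Rr '@uri')` and use that inside the `u=` parameter. The enclosing script starts outside the hunk, so I cannot see whether `$1` is already constrained upstream.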
@ -46,7 +46,6 @@ let
|
||||||
./realwallpaper.nix
|
./realwallpaper.nix
|
||||||
./repo-sync.nix
|
./repo-sync.nix
|
||||||
./retiolum-bootstrap.nix
|
./retiolum-bootstrap.nix
|
||||||
./rtorrent.nix
|
|
||||||
./secret.nix
|
./secret.nix
|
||||||
./setuid.nix
|
./setuid.nix
|
||||||
./shadow.nix
|
./shadow.nix
|
||||||
|
|
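--- a/krebs/3modules/external/kmein.nix
+++ b/krebs/3modules/external/kmein.nix
@@ -63,6 +63,7 @@ in
 "names.kmein.r"
 "graph.r"
 "rrm.r"
+"redaktion.r"
 ];
 ip4.addr = "10.243.2.84";
 tinc.pubkey = ''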
@ -148,6 +148,46 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
latte = rec {
|
||||||
|
ci = true;
|
||||||
|
extraZones = {
|
||||||
|
"krebsco.de" = ''
|
||||||
|
latte.euer IN A ${nets.internet.ip4.addr}
|
||||||
|
rss.euer IN A ${nets.internet.ip4.addr}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
cores = 4;
|
||||||
|
nets = rec {
|
||||||
|
internet = {
|
||||||
|
ip4.addr = "178.254.30.202";
|
||||||
|
ip6.addr = "2a00:6800:3:18c::2";
|
||||||
|
aliases = [
|
||||||
|
"latte.i"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
#wiregrill = {
|
||||||
|
# via = internet;
|
||||||
|
# ip4.addr = "10.244.245.1";
|
||||||
|
# ip6.addr = w6 "1";
|
||||||
|
# wireguard.port = 51821;
|
||||||
|
# wireguard.subnets = [
|
||||||
|
# (krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR
|
||||||
|
# "10.244.245.0/24" # required for routing directly to gum via rockit
|
||||||
|
# ];
|
||||||
|
#};
|
||||||
|
retiolum = {
|
||||||
|
via = internet;
|
||||||
|
ip4.addr = "10.243.0.214";
|
||||||
|
# never connect via gum (he eats your packets!)
|
||||||
|
#tinc.weight = 9001;
|
||||||
|
|
||||||
|
aliases = [
|
||||||
|
"latte.r"
|
||||||
|
"torrent.latte.r"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
gum = rec {
|
gum = rec {
|
||||||
ci = true;
|
ci = true;
|
||||||
extraZones = {
|
extraZones = {
|
||||||
|
@ -173,7 +213,6 @@ in {
|
||||||
feed.euer IN A ${nets.internet.ip4.addr}
|
feed.euer IN A ${nets.internet.ip4.addr}
|
||||||
board.euer IN A ${nets.internet.ip4.addr}
|
board.euer IN A ${nets.internet.ip4.addr}
|
||||||
etherpad.euer IN A ${nets.internet.ip4.addr}
|
etherpad.euer IN A ${nets.internet.ip4.addr}
|
||||||
rss.euer IN A ${nets.internet.ip4.addr}
|
|
||||||
mediengewitter IN CNAME over.dose.io.
|
mediengewitter IN CNAME over.dose.io.
|
||||||
mon.euer IN A ${nets.internet.ip4.addr}
|
mon.euer IN A ${nets.internet.ip4.addr}
|
||||||
netdata.euer IN A ${nets.internet.ip4.addr}
|
netdata.euer IN A ${nets.internet.ip4.addr}
|
||||||
|
@ -220,7 +259,7 @@ in {
|
||||||
via = internet;
|
via = internet;
|
||||||
ip4.addr = "10.243.0.213";
|
ip4.addr = "10.243.0.213";
|
||||||
# never connect via gum (he eats your packets!)
|
# never connect via gum (he eats your packets!)
|
||||||
tinc.weight = 9001;
|
#tinc.weight = 9001;
|
||||||
|
|
||||||
aliases = [
|
aliases = [
|
||||||
"gum.r"
|
"gum.r"
|
||||||
|
|
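Review bot: In gum's retiolum block the setting is now `#tinc.weight = 9001;` while the line directly above it still reads `# never connect via gum (he eats your packets!)`, and the new latte host copies the same comment plus commented-out weight; a reader can no longer tell whether gum is again an acceptable relay or the penalty was dropped by accident. Either remove the comment together with the setting or rewrite it to state why the penalty is gone, in both places. The `#wiregrill = { … }` block in latte is copied-over dead configuration as well; if latte is not meant to join wiregrill, dropping it keeps the host record readable. The enclosing `in {` attribute set begins and ends outside these hunks.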
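--- /dev/null
+++ b/krebs/3modules/makefu/retiolum/latte.pub
@@ -0,0 +1,8 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAx70gmNoP4RYeF3ShddEMsbNad9L5ezegwxJTZA7XTfF+/cwr/QwU
+5BL0QXTwBnKzS0gun5NXmhwPzvOdvfczAxtJLk8/NjVHFeE39CiTHGgIxkZFgnbo
+r2Rj6jJb89ZPaTr+hl0+0WQQVpl9NI7MTCUimvFBaD6IPmBh5wTySu6mYBs0mqmf
+43RrvS42ieqQJAvVPkIzxxJeTS/M3NXmjbJ3bdx/2Yzd7INdfPkMhOONHcQhTKS4
+GSXJRTytLYZEah8lp8F4ONggN6ixlhlcQAotToFP4s8c+KqYfIZrtP+pRj7W72Y6
+vhnobLDJwBbAsW1RQ6FHcw10TrP2H+haewIDAQAB
+-----END RSA PUBLIC KEY-----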
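--- /dev/null
+++ b/krebs/3modules/makefu/retiolum/latte_ed25519.pub
@@ -0,0 +1 @@
+ILtT9Y5pGBtc5/wR56RYzzYeZMvmmutaC6IED6I1oTI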
@ -1,348 +0,0 @@
|
||||||
{ config, lib, pkgs, options, ... }:
|
|
||||||
|
|
||||||
with import <stockholm/lib>;
|
|
||||||
let
|
|
||||||
cfg = config.krebs.rtorrent;
|
|
||||||
webcfg = config.krebs.rtorrent.web;
|
|
||||||
rucfg = config.krebs.rtorrent.rutorrent;
|
|
||||||
|
|
||||||
nginx-user = config.services.nginx.user;
|
|
||||||
nginx-group = config.services.nginx.group;
|
|
||||||
fpm-socket = config.services.phpfpm.pools.rutorrent.socket;
|
|
||||||
|
|
||||||
webdir = rucfg.webdir;
|
|
||||||
systemd-logfile = cfg.workDir + "/rtorrent-systemd.log";
|
|
||||||
|
|
||||||
# rutorrent requires a couple of binaries to be available to either the
|
|
||||||
# rtorrent process or to phpfpm
|
|
||||||
|
|
||||||
rutorrent-deps = with pkgs; [ curl php coreutils procps ffmpeg mediainfo ] ++
|
|
||||||
(if (config.nixpkgs.config.allowUnfree or false) then
|
|
||||||
trace "enabling unfree packages for rutorrent" [ unrar unzip ] else
|
|
||||||
trace "not enabling unfree packages for rutorrent because allowUnfree is unset" []);
|
|
||||||
|
|
||||||
configFile = pkgs.writeText "rtorrent-config" ''
|
|
||||||
# THIS FILE IS AUTOGENERATED
|
|
||||||
${optionalString (cfg.listenPort != null) ''
|
|
||||||
port_range = ${toString cfg.listenPort}-${toString cfg.listenPort}
|
|
||||||
port_random = no
|
|
||||||
''}
|
|
||||||
|
|
||||||
${optionalString (cfg.watchDir != null) ''
|
|
||||||
directory.watch.added = "${cfg.watchDir}", load.start_verbose
|
|
||||||
''}
|
|
||||||
|
|
||||||
directory = ${cfg.downloadDir}
|
|
||||||
session = ${cfg.sessionDir}
|
|
||||||
|
|
||||||
${optionalString (cfg.enableXMLRPC ) ''
|
|
||||||
# prepare socket and set permissions. rtorrent user is part of group nginx
|
|
||||||
# TODO: configure a shared torrent group
|
|
||||||
execute.nothrow = rm,${cfg.xmlrpc-socket}
|
|
||||||
scgi_local = ${cfg.xmlrpc-socket}
|
|
||||||
schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"ug+w,o=\",${cfg.xmlrpc-socket}"
|
|
||||||
''}
|
|
||||||
|
|
||||||
system.file.allocate.set = ${if cfg.preAllocate then "yes" else "no"}
|
|
||||||
|
|
||||||
# Prepare systemd logging
|
|
||||||
log.open_file = "rtorrent-systemd", ${systemd-logfile}
|
|
||||||
log.add_output = "warn", "rtorrent-systemd"
|
|
||||||
log.add_output = "notice", "rtorrent-systemd"
|
|
||||||
log.add_output = "info", "rtorrent-systemd"
|
|
||||||
# log.add_output = "debug", "rtorrent-systemd"
|
|
||||||
${cfg.extraConfig}
|
|
||||||
'';
|
|
||||||
|
|
||||||
out = {
|
|
||||||
options.krebs.rtorrent = api;
|
|
||||||
# This only works because none of the attrsets returns the same key
|
|
||||||
config = with lib; mkIf cfg.enable (lib.mkMerge [
|
|
||||||
(lib.mkIf webcfg.enable rpcweb-imp)
|
|
||||||
# only build rutorrent-imp if webcfg is enabled as well
|
|
||||||
(lib.mkIf (webcfg.enable && rucfg.enable) rutorrent-imp)
|
|
||||||
imp
|
|
||||||
]);
|
|
||||||
};
|
|
||||||
|
|
||||||
api = {
|
|
||||||
enable = mkEnableOption "rtorrent";
|
|
||||||
|
|
||||||
web = {
|
|
||||||
# configure NGINX to provide /RPC2 for listen address
|
|
||||||
# authentication also applies to rtorrent.rutorrent
|
|
||||||
enable = mkEnableOption "rtorrent nginx web RPC";
|
|
||||||
|
|
||||||
addr = mkOption {
|
|
||||||
type = types.addr4;
|
|
||||||
default = "0.0.0.0";
|
|
||||||
description = ''
|
|
||||||
the address to listen on
|
|
||||||
default is 0.0.0.0
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
port = mkOption {
|
|
||||||
type = types.nullOr types.int;
|
|
||||||
description =''
|
|
||||||
nginx listen port for rtorrent
|
|
||||||
'';
|
|
||||||
default = 8006;
|
|
||||||
};
|
|
||||||
|
|
||||||
basicAuth = mkOption {
|
|
||||||
type = types.attrsOf types.str ;
|
|
||||||
description = ''
|
|
||||||
basic authentication to be used. If unset, no authentication will be
|
|
||||||
enabled.
|
|
||||||
|
|
||||||
Refer to `services.nginx.virtualHosts.‹name›.basicAuth`
|
|
||||||
'';
|
|
||||||
default = {};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
rutorrent = {
|
|
||||||
enable = mkEnableOption "rutorrent"; # requires rtorrent.web.enable
|
|
||||||
|
|
||||||
package = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
description = ''
|
|
||||||
path to rutorrent package. When using your own ruTorrent package,
|
|
||||||
scgi_port and scgi_host will be patched on startup.
|
|
||||||
'';
|
|
||||||
default = pkgs.rutorrent;
|
|
||||||
};
|
|
||||||
|
|
||||||
webdir = mkOption {
|
|
||||||
type = types.path;
|
|
||||||
description = ''
|
|
||||||
rutorrent php files will be written to this folder.
|
|
||||||
when using nginx, be aware that the the folder should be readable by nginx.
|
|
||||||
because rutorrent does not hold mutable data in a separate folder
|
|
||||||
these files must be writable.
|
|
||||||
'';
|
|
||||||
default = "/var/lib/rutorrent";
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
package = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
default = pkgs.rtorrent;
|
|
||||||
};
|
|
||||||
|
|
||||||
# TODO: enable xmlrpc with web.enable
|
|
||||||
enableXMLRPC = mkEnableOption "rtorrent xmlrpc via socket";
|
|
||||||
xmlrpc-socket = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
description = ''
|
|
||||||
enable xmlrpc at given socket. Required for web-interface.
|
|
||||||
|
|
||||||
for documentation see:
|
|
||||||
https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC
|
|
||||||
'';
|
|
||||||
default = cfg.workDir + "/rtorrent.sock";
|
|
||||||
};
|
|
||||||
|
|
||||||
preAllocate = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
description = ''
|
|
||||||
Pre-Allocate torrent files
|
|
||||||
'';
|
|
||||||
default = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
downloadDir = mkOption {
|
|
||||||
type = types.path;
|
|
||||||
description = ''
|
|
||||||
directory where torrents are stored
|
|
||||||
'';
|
|
||||||
default = cfg.workDir + "/downloads";
|
|
||||||
};
|
|
||||||
|
|
||||||
sessionDir = mkOption {
|
|
||||||
type = types.path;
|
|
||||||
description = ''
|
|
||||||
directory where torrent progress is stored
|
|
||||||
'';
|
|
||||||
default = cfg.workDir + "/rtorrent-session";
|
|
||||||
};
|
|
||||||
|
|
||||||
watchDir = mkOption {
|
|
||||||
type = with types; nullOr str;
|
|
||||||
description = ''
|
|
||||||
directory to watch for torrent files.
|
|
||||||
If unset, no watch directory will be configured
|
|
||||||
'';
|
|
||||||
default = null;
|
|
||||||
};
|
|
||||||
|
|
||||||
listenPort = mkOption {
|
|
||||||
type = with types; nullOr int;
|
|
||||||
description =''
|
|
||||||
listening port. if you want multiple ports, use extraConfig port_range
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
extraConfig = mkOption {
|
|
||||||
type = types.lines;
|
|
||||||
description = ''
|
|
||||||
config to be placed into ${cfg.workDir}/.rtorrent.rc
|
|
||||||
|
|
||||||
see ${cfg.package}/share/doc/rtorrent/rtorrent.rc
|
|
||||||
'';
|
|
||||||
example = literalExample ''
|
|
||||||
log.execute = ${cfg.workDir}/execute.log
|
|
||||||
log.xmlrpc = ${cfg.workDir}/xmlrpc.log
|
|
||||||
'';
|
|
||||||
default = "";
|
|
||||||
};
|
|
||||||
|
|
||||||
user = mkOption {
|
|
||||||
description = ''
|
|
||||||
user which will run rtorrent. if kept default a new user will be created
|
|
||||||
'';
|
|
||||||
type = types.str;
|
|
||||||
default = "rtorrent";
|
|
||||||
};
|
|
||||||
|
|
||||||
workDir = mkOption {
|
|
||||||
description = ''
|
|
||||||
working directory. rtorrent will search in HOME for `.rtorrent.rc`
|
|
||||||
'';
|
|
||||||
type = types.str;
|
|
||||||
default = "/var/lib/rtorrent";
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
imp = {
|
|
||||||
systemd.services = {
|
|
||||||
rtorrent-daemon = {
|
|
||||||
description = "rtorrent headless";
|
|
||||||
after = [ "network.target" ];
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
restartIfChanged = true;
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "forking";
|
|
||||||
ExecStartPre = pkgs.writeDash "prepare-folder" ''
|
|
||||||
mkdir -p ${cfg.workDir} ${cfg.sessionDir}
|
|
||||||
chmod 770 ${cfg.workDir} ${cfg.sessionDir}
|
|
||||||
touch ${systemd-logfile}
|
|
||||||
cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc
|
|
||||||
'';
|
|
||||||
ExecStart = "${pkgs.tmux}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'";
|
|
||||||
Restart = "always";
|
|
||||||
RestartSec = "10";
|
|
||||||
|
|
||||||
## you can simply sudo -u rtorrent tmux a if privateTmp is set to false
|
|
||||||
## otherwise the tmux session is stored in some private folder in /tmp
|
|
||||||
PrivateTmp = false;
|
|
||||||
|
|
||||||
WorkingDirectory = cfg.workDir;
|
|
||||||
User = "${cfg.user}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
rtorrent-log = {
|
|
||||||
after = [ "rtorrent-daemon.service" ];
|
|
||||||
bindsTo = [ "rtorrent-daemon.service" ];
|
|
||||||
wantedBy = [ "rtorrent-daemon.service" ];
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = "${pkgs.coreutils}/bin/tail -f ${systemd-logfile}";
|
|
||||||
User = "${cfg.user}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
} // (optionalAttrs webcfg.enable {
|
|
||||||
rutorrent-prepare = {
|
|
||||||
after = [ "rtorrent-daemon.service" ];
|
|
||||||
wantedBy = [ "rtorrent-daemon.service" ];
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
# we create the folder and set the permissions to allow nginx
|
|
||||||
# TODO: update files if the version of rutorrent changed
|
|
||||||
ExecStart = pkgs.writeDash "create-webconfig-dir" ''
|
|
||||||
if [ ! -e ${webdir} ];then
|
|
||||||
echo "creating webconfiguration directory for rutorrent: ${webdir}"
|
|
||||||
cp -vr ${rucfg.package} ${webdir}
|
|
||||||
echo "setting permissions for webdir to ${cfg.user}:${nginx-group}"
|
|
||||||
chown -R ${cfg.user}:${nginx-group} ${webdir}
|
|
||||||
chmod -R 770 ${webdir}
|
|
||||||
else
|
|
||||||
echo "not overwriting ${webdir}"
|
|
||||||
|
|
||||||
fi
|
|
||||||
echo "updating xmlrpc-socket with unix://${cfg.xmlrpc-socket}"
|
|
||||||
sed -i -e 's#^\s*$scgi_port.*#$scgi_port = 0;#' \
|
|
||||||
-e 's#^\s*$scgi_host.*#$scgi_host = "unix://${cfg.xmlrpc-socket}";#' \
|
|
||||||
"${webdir}/conf/config.php"
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
})
|
|
||||||
// (optionalAttrs rucfg.enable { });
|
|
||||||
|
|
||||||
users = lib.mkIf (cfg.user == "rtorrent") {
|
|
||||||
users.rtorrent = {
|
|
||||||
uid = genid "rtorrent";
|
|
||||||
home = cfg.workDir;
|
|
||||||
group = nginx-group; # required for rutorrent to work
|
|
||||||
shell = "/bin/sh"; #required for tmux
|
|
||||||
isSystemUser = true;
|
|
||||||
createHome = true;
|
|
||||||
};
|
|
||||||
groups.rtorrent.gid = genid "rtorrent";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
rpcweb-imp = {
|
|
||||||
services.nginx.enable = mkDefault true;
|
|
||||||
services.nginx.virtualHosts.rtorrent = {
|
|
||||||
default = mkDefault true;
|
|
||||||
inherit (webcfg) basicAuth;
|
|
||||||
root = optionalString rucfg.enable webdir;
|
|
||||||
listen = [ { inherit (webcfg) addr port; } ];
|
|
||||||
|
|
||||||
locations = {
|
|
||||||
"/RPC2".extraConfig = ''
|
|
||||||
include ${pkgs.nginx}/conf/scgi_params;
|
|
||||||
scgi_param SCRIPT_NAME /RPC2;
|
|
||||||
scgi_pass unix:${cfg.xmlrpc-socket};
|
|
||||||
'';
|
|
||||||
} // (optionalAttrs rucfg.enable {
|
|
||||||
"~ \.php$".extraConfig = ''
|
|
||||||
client_max_body_size 200M;
|
|
||||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
||||||
fastcgi_pass unix:${fpm-socket};
|
|
||||||
try_files $uri =404;
|
|
||||||
fastcgi_index index.php;
|
|
||||||
include ${pkgs.nginx}/conf/fastcgi_params;
|
|
||||||
include ${pkgs.nginx}/conf/fastcgi.conf;
|
|
||||||
''; }
|
|
||||||
);
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
rutorrent-imp = {
|
|
||||||
services.phpfpm = {
|
|
||||||
pools.rutorrent = {
|
|
||||||
user = nginx-user;
|
|
||||||
group = nginx-group;
|
|
||||||
phpEnv.PATH = makeBinPath rutorrent-deps;
|
|
||||||
|
|
||||||
settings = {
|
|
||||||
"listen.owner" = nginx-user;
|
|
||||||
"pm" = "dynamic";
|
|
||||||
"pm.max_children" = 5;
|
|
||||||
"pm.start_servers" = 2;
|
|
||||||
"pm.min_spare_servers" = 1;
|
|
||||||
"pm.max_spare_servers" = 3;
|
|
||||||
"chdir" = "/";
|
|
||||||
"php_admin_value[error_log]" = "stderr";
|
|
||||||
"php_admin_flag[log_errors]" = "on";
|
|
||||||
"catch_workers_output" = "yes";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in out
|
|
|
@ -19,13 +19,15 @@ with import <stockholm/lib>;
|
||||||
"hosts" = tinc.config.hostsPackage;
|
"hosts" = tinc.config.hostsPackage;
|
||||||
"tinc.conf" = pkgs.writeText "${netname}-tinc.conf" ''
|
"tinc.conf" = pkgs.writeText "${netname}-tinc.conf" ''
|
||||||
Name = ${tinc.config.host.name}
|
Name = ${tinc.config.host.name}
|
||||||
|
LogLevel = ${toString tinc.config.logLevel}
|
||||||
Interface = ${netname}
|
Interface = ${netname}
|
||||||
Broadcast = no
|
Broadcast = no
|
||||||
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
|
${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
|
||||||
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
|
Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
|
||||||
${tinc.config.extraConfig}
|
${tinc.config.extraConfig}
|
||||||
'';
|
'';
|
||||||
"tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
|
"tinc-up" = pkgs.writeScript "${netname}-tinc-up" ''
|
||||||
|
#!/bin/sh
|
||||||
ip link set ${netname} up
|
ip link set ${netname} up
|
||||||
${tinc.config.tincUp}
|
${tinc.config.tincUp}
|
||||||
'';
|
'';
|
||||||
|
@ -192,6 +194,14 @@ with import <stockholm/lib>;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
logLevel = mkOption {
|
||||||
|
type = types.int;
|
||||||
|
description = ''
|
||||||
|
LogLevel in tinc.conf
|
||||||
|
'';
|
||||||
|
default = 3;
|
||||||
|
};
|
||||||
|
|
||||||
user = mkOption {
|
user = mkOption {
|
||||||
type = types.user;
|
type = types.user;
|
||||||
default = {
|
default = {
|
||||||
|
|
|
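Review bot: The new `tinc-up` is built with `pkgs.writeScript` and a literal `#!/bin/sh`, which swaps the interpreter pinned in the store by `writeDash` for whatever `/bin/sh` the running system provides and also loses writeDash's build-time syntax check; the motivation is not visible here, so a one-line comment above it naming the reason would keep the next reader from reverting it. In the second hunk `logLevel` is declared as `types.int`, so a negative value passes evaluation and is only rejected by tinc at start-up; tinc's log levels are small non-negative integers, so `type = types.ints.unsigned;` would catch that earlier, and the description could point at tinc.conf(5) for the meaning of each level. Both hunks sit inside a larger attribute set that begins and ends outside this view.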
@ -1,9 +1,9 @@
|
||||||
{
|
{
|
||||||
"url": "https://github.com/NixOS/nixpkgs",
|
"url": "https://github.com/NixOS/nixpkgs",
|
||||||
"rev": "60c52a73f1d5858020ac4f161cd5bf1c9650f8b8",
|
"rev": "7f9b6e2babf232412682c09e57ed666d8f84ac2d",
|
||||||
"date": "2022-02-07T23:59:33+00:00",
|
"date": "2022-02-21T09:47:16+01:00",
|
||||||
"path": "/nix/store/5w1yn77d2b44wq0w7b8cqqqfap2897n2-nixpkgs",
|
"path": "/nix/store/4vd9z4b2s4jfn96ypdfavizy6908l71h-nixpkgs",
|
||||||
"sha256": "1xyi4xag084ikcbis3iixpvfsmlfm2s105j58770x7k24mkrif7n",
|
"sha256": "03nb8sbzgc3c0qdr1jbsn852zi3qp74z4qcy7vrabvvly8rbixp2",
|
||||||
"fetchLFS": false,
|
"fetchLFS": false,
|
||||||
"fetchSubmodules": false,
|
"fetchSubmodules": false,
|
||||||
"deepClone": false,
|
"deepClone": false,
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
{
|
{
|
||||||
"url": "https://github.com/NixOS/nixpkgs",
|
"url": "https://github.com/NixOS/nixpkgs",
|
||||||
"rev": "521e4d7d13b09bc0a21976b9d19abd197d4e3b1e",
|
"rev": "4275a321beab5a71872fb7a5fe5da511bb2bec73",
|
||||||
"date": "2022-02-07T00:29:53+00:00",
|
"date": "2022-02-23T13:42:45-08:00",
|
||||||
"path": "/nix/store/pvmrsiy8k37nwg18g7230g5kasbsf132-nixpkgs",
|
"path": "/nix/store/g521qhbql6116naa3fjgga6dm0r24ynx-nixpkgs",
|
||||||
"sha256": "156b4wnm6y6lg0gz09mp48rd0mhcdazr5s888c4lbhlpn3j8h042",
|
"sha256": "1p3pn7767ifbg08nmgjd93iqk0z87z4lv29ypalj9idwd3chsm69",
|
||||||
"fetchLFS": false,
|
"fetchLFS": false,
|
||||||
"fetchSubmodules": false,
|
"fetchSubmodules": false,
|
||||||
"deepClone": false,
|
"deepClone": false,
|
||||||
|
|
|
@ -5,15 +5,6 @@ let
|
||||||
in {
|
in {
|
||||||
|
|
||||||
users.extraUsers = {
|
users.extraUsers = {
|
||||||
bch = {
|
|
||||||
name = "bch";
|
|
||||||
description = "user for bch stuff";
|
|
||||||
home = "/home/bch";
|
|
||||||
useDefaultShell = true;
|
|
||||||
createHome = true;
|
|
||||||
packages = [ pkgs.electron-cash ];
|
|
||||||
isNormalUser = true;
|
|
||||||
};
|
|
||||||
bitcoin = {
|
bitcoin = {
|
||||||
name = "bitcoin";
|
name = "bitcoin";
|
||||||
description = "user for bitcoin stuff";
|
description = "user for bitcoin stuff";
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
{ config, pkgs, ... }: with pkgs.stockholm.lib;
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
weather_report = pkgs.writers.writeDashBin "weather_report" ''
|
weather_report = pkgs.writers.writeDashBin "weather_report" ''
|
||||||
set -efu
|
set -efu
|
||||||
${pkgs.curl}/bin/curl -sSL https://wttr.in/''${1-}?format=j1 \
|
${pkgs.curl}/bin/curl -fsSL https://wttr.in/''${1-}?format=j1 \
|
||||||
| ${pkgs.jq}/bin/jq -r '
|
| ${pkgs.jq}/bin/jq -r '
|
||||||
[.nearest_area[0] | "Weather report for \(.areaName[0].value), \(.country[0].value)."]
|
[.nearest_area[0] | "Weather report for \(.areaName[0].value), \(.country[0].value)."]
|
||||||
+ [.current_condition[0] | "Currently it is \(.weatherDesc[0].value) outside with a temperature of \(.temp_C) degrees."]
|
+ [.current_condition[0] | "Currently it is \(.weatherDesc[0].value) outside with a temperature of \(.temp_C) degrees."]
|
||||||
|
@ -14,11 +14,25 @@ let
|
||||||
${pkgs.libshout}/bin/shout --format ogg --host localhost --port 1338 --mount /live
|
${pkgs.libshout}/bin/shout --format ogg --host localhost --port 1338 --mount /live
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
gc_news = pkgs.writers.writeDashBin "gc_news" ''
|
||||||
|
set -xefu
|
||||||
|
${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -cs 'map(select((.to|fromdateiso8601) > now)) | .[]' > $HOME/bla-news.tmp
|
||||||
|
${pkgs.coreutils}/bin/mv $HOME/bla-news.tmp $HOME/news
|
||||||
|
'';
|
||||||
|
|
||||||
|
get_current_news = pkgs.writers.writeDashBin "get_current_news" ''
|
||||||
|
set -xefu
|
||||||
|
${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -rs 'map(select(((.to | fromdateiso8601) > now) and (.from|fromdateiso8601) < now) | .text) | .[]'
|
||||||
|
'';
|
||||||
|
|
||||||
newsshow = pkgs.writers.writeDashBin "newsshow" /* sh */ ''
|
newsshow = pkgs.writers.writeDashBin "newsshow" /* sh */ ''
|
||||||
echo "
|
echo "
|
||||||
hello crabpeople!
|
hello crabpeople!
|
||||||
$(${pkgs.ddate}/bin/ddate | sed 's/YOLD/Year of Discord/')!
|
$(${pkgs.ddate}/bin/ddate | sed 's/YOLD/Year of Discord/')!
|
||||||
It is $(date --utc +%H) o clock UTC.
|
It is $(date --utc +%H) o clock UTC.
|
||||||
|
todays news:
|
||||||
|
$(get_current_news)
|
||||||
|
$(gc_news)
|
||||||
$(weather_report berlin)
|
$(weather_report berlin)
|
||||||
$(weather_report 70173)
|
$(weather_report 70173)
|
||||||
$(weather_report munich)
|
$(weather_report munich)
|
||||||
|
@ -30,6 +44,8 @@ in
|
||||||
path = [
|
path = [
|
||||||
newsshow
|
newsshow
|
||||||
send_to_radio
|
send_to_radio
|
||||||
|
gc_news
|
||||||
|
get_current_news
|
||||||
weather_report
|
weather_report
|
||||||
pkgs.curl
|
pkgs.curl
|
||||||
pkgs.retry
|
pkgs.retry
|
||||||
|
@ -37,10 +53,41 @@ in
|
||||||
script = ''
|
script = ''
|
||||||
set -efu
|
set -efu
|
||||||
retry -t 5 -d 10 -- newsshow |
|
retry -t 5 -d 10 -- newsshow |
|
||||||
retry -t 5 -d 10 -- curl -SsG http://tts.r/api/tts --data-urlencode 'text@-' |
|
retry -t 5 -d 10 -- curl -fSsG http://tts.r/api/tts --data-urlencode 'text@-' |
|
||||||
retry -t 5 -d 10 -- send_to_radio
|
retry -t 5 -d 10 -- send_to_radio
|
||||||
'';
|
'';
|
||||||
startAt = "*:00:00";
|
startAt = "*:00:00";
|
||||||
|
serviceConfig = {
|
||||||
|
User = "radio-news";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
krebs.iptables.tables.filter.INPUT.rules = [
|
||||||
|
{ predicate = "-p tcp --dport 7999"; target = "ACCEPT"; }
|
||||||
|
];
|
||||||
|
|
||||||
|
krebs.htgen.news = {
|
||||||
|
port = 7999;
|
||||||
|
user = {
|
||||||
|
name = "radio-news";
|
||||||
|
};
|
||||||
|
script = ''. ${pkgs.writers.writeDash "htgen-news" ''
|
||||||
|
set -xefu
|
||||||
|
case "$Method $Request_URI" in
|
||||||
|
"POST /")
|
||||||
|
payload=$(head -c "$req_content_length" \
|
||||||
|
| sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
|
||||||
|
| xargs -0 echo -e \
|
||||||
|
)
|
||||||
|
echo "$payload" | jq 'has("from") and has("to") and has("text")' >&2
|
||||||
|
echo "$payload" | jq -c '{ from: (.from | fromdate | todate), to: (.to | fromdate | todate), text: .text }' >> $HOME/news
|
||||||
|
printf 'HTTP/1.1 200 OK\r\n'
|
||||||
|
printf 'Connection: close\r\n'
|
||||||
|
printf '\r\n'
|
||||||
|
exit
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
''}'';
|
||||||
};
|
};
|
||||||
|
|
||||||
## debug
|
## debug
|
||||||
|
|
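Review bot: In the new `htgen.news` handler the field check `jq 'has("from") and has("to") and has("text")' >&2` only prints true or false, so a body lacking those fields is still appended to `$HOME/news` unless the second jq happens to fail on it; write it as `echo "$payload" | jq -e 'has("from") and has("to") and has("text")' >/dev/null` so that under `set -e` a malformed body aborts before the write. The endpoint accepts the POST without any authentication, and the new iptables rule `-p tcp --dport 7999` opens it with no interface or source restriction, so anything that can reach the host can add items that `newsshow` later sends to the TTS service; if only retiolum peers are meant to post, add an `-i` match for that interface to the predicate. `head -c "$req_content_length"` also reads the full client-declared length before any validation, so a size cap there is cheap insurance. The surrounding `systemd.services` attribute set begins outside the hunk.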
0
makefu/0tests/data/secrets/hetzner.smb
Normal file
|
@ -23,11 +23,12 @@ in {
|
||||||
}
|
}
|
||||||
<stockholm/makefu/2configs/nur.nix>
|
<stockholm/makefu/2configs/nur.nix>
|
||||||
<stockholm/makefu/2configs/support-nixos.nix>
|
<stockholm/makefu/2configs/support-nixos.nix>
|
||||||
<stockholm/makefu/2configs/nix-community/mediawiki-matrix-bot.nix>
|
|
||||||
<stockholm/makefu/2configs/nix-community/supervision.nix>
|
<stockholm/makefu/2configs/nix-community/supervision.nix>
|
||||||
<stockholm/makefu/2configs/home-manager>
|
<stockholm/makefu/2configs/home-manager>
|
||||||
<stockholm/makefu/2configs/home-manager/cli.nix>
|
<stockholm/makefu/2configs/home-manager/cli.nix>
|
||||||
# <stockholm/makefu/2configs/stats/client.nix>
|
# <stockholm/makefu/2configs/stats/client.nix>
|
||||||
|
<stockholm/makefu/2configs/share>
|
||||||
|
<stockholm/makefu/2configs/share/hetzner-client.nix>
|
||||||
# <stockholm/makefu/2configs/stats/netdata-server.nix>
|
# <stockholm/makefu/2configs/stats/netdata-server.nix>
|
||||||
|
|
||||||
<stockholm/makefu/2configs/headless.nix>
|
<stockholm/makefu/2configs/headless.nix>
|
||||||
|
@ -56,13 +57,13 @@ in {
|
||||||
<stockholm/makefu/2configs/tinc/retiolum.nix>
|
<stockholm/makefu/2configs/tinc/retiolum.nix>
|
||||||
{ # bonus retiolum config for connecting more hosts
|
{ # bonus retiolum config for connecting more hosts
|
||||||
krebs.tinc.retiolum = {
|
krebs.tinc.retiolum = {
|
||||||
extraConfig = lib.mkForce ''
|
#extraConfig = lib.mkForce ''
|
||||||
ListenAddress = ${external-ip} 53
|
# ListenAddress = ${external-ip} 53
|
||||||
ListenAddress = ${external-ip} 655
|
# ListenAddress = ${external-ip} 655
|
||||||
ListenAddress = ${external-ip} 21031
|
# ListenAddress = ${external-ip} 21031
|
||||||
StrictSubnets = yes
|
# StrictSubnets = yes
|
||||||
LocalDiscovery = no
|
# LocalDiscovery = no
|
||||||
'';
|
#'';
|
||||||
connectTo = [
|
connectTo = [
|
||||||
"prism" "ni" "enklave" "eve" "dishfire"
|
"prism" "ni" "enklave" "eve" "dishfire"
|
||||||
];
|
];
|
||||||
|
@ -106,7 +107,7 @@ in {
|
||||||
|
|
||||||
# sharing
|
# sharing
|
||||||
<stockholm/makefu/2configs/share/gum.nix> # samba sahre
|
<stockholm/makefu/2configs/share/gum.nix> # samba sahre
|
||||||
<stockholm/makefu/2configs/torrent.nix>
|
<stockholm/makefu/2configs/torrent/rtorrent.nix>
|
||||||
# <stockholm/makefu/2configs/sickbeard>
|
# <stockholm/makefu/2configs/sickbeard>
|
||||||
<stockholm/makefu/2configs/bitwarden.nix>
|
<stockholm/makefu/2configs/bitwarden.nix>
|
||||||
|
|
||||||
|
@ -114,7 +115,7 @@ in {
|
||||||
#<stockholm/makefu/2configs/retroshare.nix>
|
#<stockholm/makefu/2configs/retroshare.nix>
|
||||||
## <stockholm/makefu/2configs/ipfs.nix>
|
## <stockholm/makefu/2configs/ipfs.nix>
|
||||||
#<stockholm/makefu/2configs/syncthing.nix>
|
#<stockholm/makefu/2configs/syncthing.nix>
|
||||||
<stockholm/makefu/2configs/sync>
|
# <stockholm/makefu/2configs/sync>
|
||||||
# <stockholm/makefu/2configs/opentracker.nix>
|
# <stockholm/makefu/2configs/opentracker.nix>
|
||||||
|
|
||||||
|
|
||||||
|
@ -125,9 +126,8 @@ in {
|
||||||
{ makefu.backup.server.repo = "/var/backup/borg"; }
|
{ makefu.backup.server.repo = "/var/backup/borg"; }
|
||||||
<stockholm/makefu/2configs/backup/server.nix>
|
<stockholm/makefu/2configs/backup/server.nix>
|
||||||
<stockholm/makefu/2configs/backup/state.nix>
|
<stockholm/makefu/2configs/backup/state.nix>
|
||||||
<stockholm/makefu/2configs/bitlbee.nix>
|
|
||||||
<stockholm/makefu/2configs/wireguard/server.nix>
|
<stockholm/makefu/2configs/wireguard/server.nix>
|
||||||
<stockholm/makefu/2configs/wireguard/wiregrill.nix>
|
# <stockholm/makefu/2configs/wireguard/wiregrill.nix>
|
||||||
|
|
||||||
{ # recent changes mediawiki bot
|
{ # recent changes mediawiki bot
|
||||||
networking.firewall.allowedUDPPorts = [ 5005 5006 ];
|
networking.firewall.allowedUDPPorts = [ 5005 5006 ];
|
||||||
|
@ -150,13 +150,12 @@ in {
|
||||||
|
|
||||||
# <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
|
# <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
|
||||||
<stockholm/makefu/2configs/deployment/graphs.nix>
|
<stockholm/makefu/2configs/deployment/graphs.nix>
|
||||||
<stockholm/makefu/2configs/deployment/owncloud.nix>
|
#<stockholm/makefu/2configs/deployment/owncloud.nix>
|
||||||
<stockholm/makefu/2configs/deployment/board.euer.krebsco.de.nix>
|
<stockholm/makefu/2configs/deployment/board.euer.krebsco.de.nix>
|
||||||
<stockholm/makefu/2configs/deployment/rss.euer.krebsco.de.nix>
|
|
||||||
#<stockholm/makefu/2configs/deployment/feed.euer.krebsco.de>
|
#<stockholm/makefu/2configs/deployment/feed.euer.krebsco.de>
|
||||||
<stockholm/makefu/2configs/deployment/boot-euer.nix>
|
<stockholm/makefu/2configs/deployment/boot-euer.nix>
|
||||||
<stockholm/makefu/2configs/deployment/gecloudpad>
|
<stockholm/makefu/2configs/deployment/gecloudpad>
|
||||||
<stockholm/makefu/2configs/deployment/docker/archiveteam-warrior.nix>
|
#<stockholm/makefu/2configs/deployment/docker/archiveteam-warrior.nix>
|
||||||
<stockholm/makefu/2configs/deployment/mediengewitter.de.nix>
|
<stockholm/makefu/2configs/deployment/mediengewitter.de.nix>
|
||||||
<stockholm/makefu/2configs/bgt/etherpad.euer.krebsco.de.nix>
|
<stockholm/makefu/2configs/bgt/etherpad.euer.krebsco.de.nix>
|
||||||
# <stockholm/makefu/2configs/deployment/systemdultras-rss.nix>
|
# <stockholm/makefu/2configs/deployment/systemdultras-rss.nix>
|
||||||
|
@ -182,14 +181,15 @@ in {
|
||||||
|
|
||||||
## Temporary:
|
## Temporary:
|
||||||
# <stockholm/makefu/2configs/temp/rst-issue.nix>
|
# <stockholm/makefu/2configs/temp/rst-issue.nix>
|
||||||
<stockholm/makefu/2configs/virtualisation/docker.nix>
|
# <stockholm/makefu/2configs/virtualisation/docker.nix>
|
||||||
#<stockholm/makefu/2configs/virtualisation/libvirt.nix>
|
#<stockholm/makefu/2configs/virtualisation/libvirt.nix>
|
||||||
|
|
||||||
# krebs infrastructure services
|
# krebs infrastructure services
|
||||||
# <stockholm/makefu/2configs/stats/server.nix>
|
# <stockholm/makefu/2configs/stats/server.nix>
|
||||||
];
|
];
|
||||||
|
|
||||||
makefu.dl-dir = "/var/download";
|
# makefu.dl-dir = "/var/download";
|
||||||
|
makefu.dl-dir = "/media/cloud/download";
|
||||||
|
|
||||||
services.openssh.hostKeys = lib.mkForce [
|
services.openssh.hostKeys = lib.mkForce [
|
||||||
{ bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa"; }
|
{ bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa"; }
|
||||||
|
|
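Review bot: Commenting out the whole `lib.mkForce` extraConfig block in the retiolum hunk removes `StrictSubnets = yes` and `LocalDiscovery = no` along with the extra ListenAddress lines; with StrictSubnets gone this host again accepts Subnet announcements that are not present in its host files, which loosens the mesh's routing policy rather than merely dropping listen ports. If only the ports were meant to go, keep a reduced block such as `extraConfig = ''\n  StrictSubnets = yes\n  LocalDiscovery = no\n'';` and say in a comment why the ListenAddress entries were retired. As it stands the commented-out block is dead configuration; either delete it or note why it is kept. The enclosing `imports = [` list begins and ends outside these hunks.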
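--- a/makefu/1systems/latte/1blu/default.nix
+++ b/makefu/1systems/latte/1blu/default.nix
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+
+imports =
+[ ./network.nix
+(modulesPath + "/profiles/qemu-guest.nix")
+];
+
+# Disk
+boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sr_mod" "virtio_blk" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "tank/root";
+fsType = "zfs";
+};
+
+fileSystems."/home" =
+{ device = "tank/home";
+fsType = "zfs";
+};
+
+fileSystems."/nix" =
+{ device = "tank/nix";
+fsType = "zfs";
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/AEF3-A486";
+fsType = "vfat";
+};
+
+swapDevices = [ ];
+boot.loader.grub.device = "/dev/vda";
+
+networking.hostId = "3150697c"; # required for zfs use
+boot.tmpOnTmpfs = true;
+boot.supportedFilesystems = [ "zfs" ];
+
+boot.loader.grub.enable = true;
+boot.loader.grub.version = 2;
+boot.loader.grub.copyKernels = true;
+boot.zfs.devNodes = "/dev"; # fixes some virtualmachine issues
+boot.kernelParams = [
+"boot.shell_on_fail"
+"panic=30" "boot.panic_on_fail" # reboot the machine upon fatal boot issues
+];
+}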
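Review bot: `"boot.shell_on_fail"` in `boot.kernelParams` asks stage 1 to drop to an unauthenticated root shell on the console when boot fails, which on a hosted VM means whoever can reach the provider's console; the same list sets `"boot.panic_on_fail"`, and as far as I recall the stage-1 `fail` handler checks the panic flag first, so the shell flag is presumably never honoured here and only contradicts the comment "reboot the machine upon fatal boot issues". Drop `"boot.shell_on_fail"` so the list states the behaviour the comment describes, or if an emergency shell is actually wanted, note next to it that it is meant to win over `panic_on_fail` — confirm which flag takes precedence in the NixOS release in use.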
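--- a/makefu/1systems/latte/1blu/network.nix
+++ b/makefu/1systems/latte/1blu/network.nix
@@ -0,0 +1,32 @@
+{ config, lib, pkgs, modulesPath, ... }:
+let
+external-mac = "c4:37:72:55:4e:1c";
+external-gw = "178.254.28.1";
+external-ip = "178.254.30.202";
+external-ip6 = "2a00:6800:3:18c::2";
+external-gw6 = "2a00:6800:3::1";
+external-netmask = 22;
+external-netmask6 = 64;
+internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
+ext-if = "et0"; # gets renamed on the fly
+in
+{
+services.udev.extraRules = ''
+SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}"
+'';
+networking = {
+interfaces."${ext-if}" = {
+ipv4.addresses = [{
+address = external-ip;
+prefixLength = external-netmask;
+}];
+ipv6.addresses = [{
+address = external-ip6;
+prefixLength = external-netmask6;
+}];
+};
+defaultGateway6 = { address = external-gw6; interface = ext-if; };
+defaultGateway = external-gw;
+nameservers = [ "1.1.1.1" ];
+};
+}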
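Review bot: `external-ip` and `external-ip6` duplicate the addresses this commit already declares for the host under `krebs.hosts.latte` (`nets.internet.ip4.addr` / `ip6.addr`, also used for the `extraZones` DNS records), while the `internal-ip` binding two lines below shows the file already reads `config.krebs.build.host.nets.*` — and `internal-ip` itself is unused in this file. Deriving both the same way, e.g. `external-ip = config.krebs.build.host.nets.internet.ip4.addr;`, keeps DNS and interface configuration from drifting apart; drop `internal-ip` unless something else needs it. `nameservers = [ "1.1.1.1" ];` leaves a single resolver, so one upstream outage means no name resolution at all — a second entry is cheap.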
@ -1,4 +1,4 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
|
|
||||||
# external-ip = config.krebs.build.host.nets.internet.ip4.addr;
|
# external-ip = config.krebs.build.host.nets.internet.ip4.addr;
|
||||||
|
@ -10,44 +10,66 @@ let
|
||||||
in {
|
in {
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
|
./1blu
|
||||||
<stockholm/makefu>
|
<stockholm/makefu>
|
||||||
# configure your hw:
|
|
||||||
<stockholm/makefu/2configs/hw/CAC.nix>
|
# common
|
||||||
<stockholm/makefu/2configs/tinc/retiolum.nix>
|
<stockholm/makefu/2configs/nur.nix>
|
||||||
<stockholm/makefu/2configs/save-diskspace.nix>
|
<stockholm/makefu/2configs/home-manager>
|
||||||
|
<stockholm/makefu/2configs/home-manager/cli.nix>
|
||||||
|
|
||||||
# Security
|
# Security
|
||||||
<stockholm/makefu/2configs/sshd-totp.nix>
|
<stockholm/makefu/2configs/sshd-totp.nix>
|
||||||
# <stockholm/makefu/2configs/stats/client.nix>
|
|
||||||
|
|
||||||
# Tools
|
# Tools
|
||||||
<stockholm/makefu/2configs/tools/core.nix>
|
<stockholm/makefu/2configs/tools/core.nix>
|
||||||
<stockholm/makefu/2configs/zsh-user.nix>
|
<stockholm/makefu/2configs/zsh-user.nix>
|
||||||
# Services
|
|
||||||
|
# NixOS Build
|
||||||
<stockholm/makefu/2configs/remote-build/slave.nix>
|
<stockholm/makefu/2configs/remote-build/slave.nix>
|
||||||
<stockholm/makefu/2configs/torrent.nix>
|
|
||||||
|
# Storage
|
||||||
|
<stockholm/makefu/2configs/share>
|
||||||
|
<stockholm/makefu/2configs/share/hetzner-client.nix>
|
||||||
|
|
||||||
|
# Services:
|
||||||
|
<stockholm/makefu/2configs/nix-community/mediawiki-matrix-bot.nix>
|
||||||
|
<stockholm/makefu/2configs/torrent/rtorrent.nix>
|
||||||
|
## Web
|
||||||
|
<stockholm/makefu/2configs/deployment/rss.euer.krebsco.de.nix>
|
||||||
|
<stockholm/makefu/2configs/deployment/owncloud.nix>
|
||||||
|
### Moving owncloud data dir to /media/cloud/nextcloud-data
|
||||||
|
{
|
||||||
|
users.users.nextcloud.extraGroups = [ "download" ];
|
||||||
|
# nextcloud-setup fails as it cannot set permissions for nextcloud
|
||||||
|
systemd.services.nextcloud-setup.serviceConfig.SuccessExitStatus = "0 1";
|
||||||
|
fileSystems."/var/lib/nextcloud/data" = {
|
||||||
|
device = "/media/cloud/nextcloud-data";
|
||||||
|
options = [ "bind" ];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
# local usage:
|
||||||
|
<stockholm/makefu/2configs/mosh.nix>
|
||||||
|
<stockholm/makefu/2configs/bitlbee.nix>
|
||||||
|
|
||||||
|
# Supervision
|
||||||
|
<stockholm/makefu/2configs/nix-community/supervision.nix>
|
||||||
|
|
||||||
|
# Krebs
|
||||||
|
<stockholm/makefu/2configs/tinc/retiolum.nix>
|
||||||
|
|
||||||
|
# backup
|
||||||
|
<stockholm/makefu/2configs/backup/state.nix>
|
||||||
|
|
||||||
|
|
||||||
];
|
];
|
||||||
krebs = {
|
krebs = {
|
||||||
enable = true;
|
enable = true;
|
||||||
build.host = config.krebs.hosts.latte;
|
build.host = config.krebs.hosts.latte;
|
||||||
};
|
};
|
||||||
boot.initrd.availableKernelModules = [ "ata_piix" "ehci_pci" "virtio_pci" "virtio_blk" "virtio_net" "virtio_scsi" ];
|
|
||||||
|
|
||||||
boot.loader.grub.device = "/dev/vda";
|
makefu.dl-dir = "/media/cloud/download";
|
||||||
boot.loader.grub.copyKernels = true;
|
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||||
fileSystems."/" = {
|
|
||||||
device = "/dev/vda1";
|
|
||||||
fsType = "ext4";
|
|
||||||
};
|
|
||||||
networking = {
|
|
||||||
firewall = {
|
|
||||||
allowPing = true;
|
|
||||||
logRefusedConnections = false;
|
|
||||||
allowedTCPPorts = [ ];
|
|
||||||
allowedUDPPorts = [ 655 ];
|
|
||||||
};
|
|
||||||
# network interface receives dhcp address
|
|
||||||
nameservers = [ "8.8.8.8" ];
|
|
||||||
};
|
|
||||||
}
|
}
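Review bot: `users.users.nextcloud.extraGroups = [ "download" ];` in the inline module of the second hunk grants the nextcloud service user everything the `download` group can reach, and on this host that is the whole CIFS share, because hetzner-client.nix mounts it with `gid=` of the download group and `dir_mode=0770`, not just the `/media/cloud/nextcloud-data` subtree that is bind-mounted. If nextcloud only needs its own directory, a separate CIFS mount of that subdirectory with `uid=`/`gid=` set to the nextcloud user is the narrower grant (hedged: depends on whether the storage box allows sub-path mounts). `systemd.services.nextcloud-setup.serviceConfig.SuccessExitStatus = "0 1";` also makes every exit-1 of the setup unit count as success, so a failed upgrade or migration would be masked and dependants would start anyway; the comment says the failure is the permission step on the data dir, so fixing the ownership model would remove the need for this. The old explicit `allowedUDPPorts = [ 655 ];` for tinc is dropped in favour of `networking.firewall.allowedTCPPorts = [ 80 443 ];` — fine if the retiolum module opens its own port, otherwise inbound tinc to latte stops working.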
@ -1,4 +1,5 @@
|
||||||
{
|
{
|
||||||
name = "latte";
|
name = "latte";
|
||||||
torrent = true;
|
torrent = true;
|
||||||
|
home-manager = true;
|
||||||
}
|
}
|
@ -43,14 +43,18 @@ in {
|
||||||
<stockholm/makefu/2configs/tools/dev.nix>
|
<stockholm/makefu/2configs/tools/dev.nix>
|
||||||
<stockholm/makefu/2configs/tools/desktop.nix>
|
<stockholm/makefu/2configs/tools/desktop.nix>
|
||||||
<stockholm/makefu/2configs/tools/mobility.nix>
|
<stockholm/makefu/2configs/tools/mobility.nix>
|
||||||
|
<stockholm/makefu/2configs/tools/consoles.nix>
|
||||||
#<stockholm/makefu/2configs/graphite-standalone.nix>
|
#<stockholm/makefu/2configs/graphite-standalone.nix>
|
||||||
#<stockholm/makefu/2configs/share-user-sftp.nix>
|
#<stockholm/makefu/2configs/share-user-sftp.nix>
|
||||||
|
|
||||||
<stockholm/makefu/2configs/urlwatch>
|
<stockholm/makefu/2configs/urlwatch>
|
||||||
# <stockholm/makefu/2configs/legacy_only.nix>
|
# <stockholm/makefu/2configs/legacy_only.nix>
|
||||||
|
|
||||||
|
<stockholm/makefu/2configs/share>
|
||||||
<stockholm/makefu/2configs/share/omo.nix>
|
<stockholm/makefu/2configs/share/omo.nix>
|
||||||
<stockholm/makefu/2configs/share/gum-client.nix>
|
<stockholm/makefu/2configs/share/gum-client.nix>
|
||||||
|
<stockholm/makefu/2configs/share/hetzner-client.nix>
|
||||||
|
<stockholm/makefu/2configs/sync>
|
||||||
<stockholm/makefu/2configs/dcpp/airdcpp.nix>
|
<stockholm/makefu/2configs/dcpp/airdcpp.nix>
|
||||||
{ krebs.airdcpp.dcpp.shares = let
|
{ krebs.airdcpp.dcpp.shares = let
|
||||||
d = path: "/media/cryptX/${path}";
|
d = path: "/media/cryptX/${path}";
|
||||||
|
@ -96,6 +100,8 @@ in {
|
||||||
|
|
||||||
<stockholm/makefu/2configs/home/music.nix>
|
<stockholm/makefu/2configs/home/music.nix>
|
||||||
<stockholm/makefu/2configs/home/photoprism.nix>
|
<stockholm/makefu/2configs/home/photoprism.nix>
|
||||||
|
<stockholm/makefu/2configs/home/tonie.nix>
|
||||||
|
<stockholm/makefu/2configs/home/ps4srv.nix>
|
||||||
# <stockholm/makefu/2configs/home/metube.nix>
|
# <stockholm/makefu/2configs/home/metube.nix>
|
||||||
<stockholm/makefu/2configs/home/ham>
|
<stockholm/makefu/2configs/home/ham>
|
||||||
<stockholm/makefu/2configs/home/zigbee2mqtt>
|
<stockholm/makefu/2configs/home/zigbee2mqtt>
|
||||||
|
@ -104,6 +110,7 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
servedir = "/media/cryptX/emu/ps3";
|
servedir = "/media/cryptX/emu/ps3";
|
||||||
};
|
};
|
||||||
|
users.users.makefu.packages = [ pkgs.pkgrename ];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -137,6 +137,8 @@
|
||||||
# <stockholm/makefu/2configs/share/anon-ftp.nix>
|
# <stockholm/makefu/2configs/share/anon-ftp.nix>
|
||||||
# <stockholm/makefu/2configs/share/anon-sftp.nix>
|
# <stockholm/makefu/2configs/share/anon-sftp.nix>
|
||||||
<stockholm/makefu/2configs/share/gum-client.nix>
|
<stockholm/makefu/2configs/share/gum-client.nix>
|
||||||
|
<stockholm/makefu/2configs/share/hetzner-client.nix>
|
||||||
|
<stockholm/makefu/2configs/share>
|
||||||
# <stockholm/makefu/2configs/share/temp-share-samba.nix>
|
# <stockholm/makefu/2configs/share/temp-share-samba.nix>
|
||||||
|
|
||||||
|
|
||||||
|
@ -145,6 +147,7 @@
|
||||||
<stockholm/makefu/2configs/mail-client.nix>
|
<stockholm/makefu/2configs/mail-client.nix>
|
||||||
<stockholm/makefu/2configs/printer.nix>
|
<stockholm/makefu/2configs/printer.nix>
|
||||||
# <stockholm/makefu/2configs/syncthing.nix>
|
# <stockholm/makefu/2configs/syncthing.nix>
|
||||||
|
<stockholm/makefu/2configs/sync>
|
||||||
|
|
||||||
# Virtualization
|
# Virtualization
|
||||||
# <stockholm/makefu/2configs/virtualisation/libvirt.nix>
|
# <stockholm/makefu/2configs/virtualisation/libvirt.nix>
|
||||||
|
@ -167,7 +170,7 @@
|
||||||
# <stockholm/makefu/2configs/remote-build/gum.nix>
|
# <stockholm/makefu/2configs/remote-build/gum.nix>
|
||||||
# { nixpkgs.overlays = [ (self: super: super.prefer-remote-fetch self super) ]; }
|
# { nixpkgs.overlays = [ (self: super: super.prefer-remote-fetch self super) ]; }
|
||||||
|
|
||||||
<stockholm/makefu/2configs/binary-cache/gum.nix>
|
# <stockholm/makefu/2configs/binary-cache/gum.nix>
|
||||||
<stockholm/makefu/2configs/binary-cache/lass.nix>
|
<stockholm/makefu/2configs/binary-cache/lass.nix>
|
||||||
|
|
||||||
|
|
||||||
|
@ -223,7 +226,8 @@
|
||||||
|
|
||||||
krebs.build.host = config.krebs.hosts.x;
|
krebs.build.host = config.krebs.hosts.x;
|
||||||
|
|
||||||
krebs.tinc.retiolum.connectTo = [ "omo" "prism" "nextgum" "wbob" ];
|
#krebs.tinc.retiolum.connectTo = lib.mkForce [ "gum" ];
|
||||||
|
#krebs.tinc.retiolum.extraConfig = "AutoConnect = no";
|
||||||
|
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.passwdqc-utils ];
|
environment.systemPackages = [ pkgs.passwdqc-utils ];
|
||||||
|
@ -245,6 +249,6 @@
|
||||||
"/home/makefu/.config/syncthing"
|
"/home/makefu/.config/syncthing"
|
||||||
];
|
];
|
||||||
|
|
||||||
services.syncthing.user = lib.mkForce "makefu";
|
# services.syncthing.user = lib.mkForce "makefu";
|
||||||
services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/";
|
# services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/";
|
||||||
}
|
}
|
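Review bot: The `services.syncthing.user` and `services.syncthing.dataDir` overrides are commented out in the last hunk while `"/home/makefu/.config/syncthing"` stays in the state list just above them; if `<stockholm/makefu/2configs/sync>`, newly imported in this section, still enables syncthing, it now runs as the module's default user with the default data dir and the backed-up path no longer matches the live state. Either remove the stale path from the state list or keep the overrides. Replacing `krebs.tinc.retiolum.connectTo = [ "omo" "prism" "nextgum" "wbob" ];` with two commented-out lines also leaves dead configuration — if the module default is the intended value, delete the comments rather than carry them.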
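--- a/makefu/2configs/backup/ssh/latte.pub
+++ b/makefu/2configs/backup/ssh/latte.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUZcfi2SXxCo1if0oU3x9qPK8/O5FmiXy2HFZyTp/P1 makefu@x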
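Review bot: The key comment reads `makefu@x` although the file is `backup/ssh/latte.pub`; if this is the key latte uses for backups, a comment naming host x suggests an existing key was copied over rather than a per-host key being generated, which widens what a compromise of that one private key unlocks. Confirm where the private half lives and, if the key really is latte's own, fix the comment (`ssh-keygen -c`) so the list of trusted keys stays auditable.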
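--- a/makefu/2configs/home/ps4srv.nix
+++ b/makefu/2configs/home/ps4srv.nix
@@ -0,0 +1,17 @@
+let
+internal-ip = "192.168.111.11";
+in
+{
+services.nginx.virtualHosts."ps4srv" = {
+serverAliases = [
+"ps4srv.lan"
+];
+
+locations."/".root = "/media/cryptX/emu/ps4";
+extraConfig = ''
+if ( $server_addr != "${internal-ip}" ) {
+return 403;
+}
+'';
+};
+}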
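Review bot: The `if ( $server_addr != "${internal-ip}" ) { return 403; }` guard keys on the address the request arrived on, not on the client, so any client that can route to 192.168.111.11 is served while the same content is refused on every other local address — acceptable if that is the intent, but it is a listen restriction rather than client access control. If the goal is LAN-only clients, `allow <LAN-PREFIX>; deny all;` on the client address is the matching nginx control; if the goal really is to answer on one interface only, the virtualHost's `listen` option expresses that without an `if`. `internal-ip` is also another hard-coded address for this host, where the other modules in this commit derive addresses from `config.krebs.build.host.nets`.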
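--- a/makefu/2configs/share/default.nix
+++ b/makefu/2configs/share/default.nix
@@ -0,0 +1,29 @@
+{ config, lib, ... }:
+with import <stockholm/lib>;
+let
+base-dir = config.services.rtorrent.downloadDir;
+in {
+users.users = {
+download = {
+name = "download";
+home = base-dir;
+isNormalUser = true;
+uid = mkDefault (genid "download");
+createHome = false;
+useDefaultShell = true;
+group = "download";
+openssh.authorizedKeys.keys = [ ];
+};
+};
+
+users.groups = {
+download = {
+gid = lib.mkDefault (genid "download");
+members = [
+config.krebs.build.user.name
+"download"
+];
+};
+};
+
+}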
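Review bot: `isNormalUser = true;` puts the `download` account in the interactive-user class although it has no password and `openssh.authorizedKeys.keys = [ ]`; if the flag was added only to satisfy NixOS's "exactly one of isNormalUser/isSystemUser" assertion (the removed rtorrent.nix had neither), `isSystemUser = true;` describes a group-owned service account more accurately and the explicit `createHome = false` becomes unnecessary — check how `genid` interacts with the uid range expectations of either flag. `base-dir = config.services.rtorrent.downloadDir;` also ties this module to the rtorrent service: hosts that import `share` without `torrent/rtorrent.nix` get the NixOS module's default download dir as this user's home, which is presumably not intended. Minor: the uid uses bare `mkDefault` from the `with import <stockholm/lib>` while the gid uses `lib.mkDefault` — pick one.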
@ -1,5 +1,6 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with <stockholm/lib>;
|
||||||
let
|
let
|
||||||
automount_opts =
|
automount_opts =
|
||||||
[ "x-systemd.automount"
|
[ "x-systemd.automount"
|
||||||
|
@ -10,14 +11,16 @@ let
|
||||||
host = "u288834.your-storagebox.de";
|
host = "u288834.your-storagebox.de";
|
||||||
in {
|
in {
|
||||||
boot.kernel.sysctl."net.ipv6.route.max_size" = 2147483647;
|
boot.kernel.sysctl."net.ipv6.route.max_size" = 2147483647;
|
||||||
|
|
||||||
fileSystems."/media/cloud" = {
|
fileSystems."/media/cloud" = {
|
||||||
device = "//${host}/backup";
|
device = "//${host}/backup";
|
||||||
fsType = "cifs";
|
fsType = "cifs";
|
||||||
options = automount_opts ++
|
options = automount_opts ++
|
||||||
[ "credentials=/var/src/secrets/hetzner.smb"
|
[ "credentials=${toString <secrets/hetzner.smb>}"
|
||||||
"file_mode=0775"
|
"file_mode=0770"
|
||||||
"dir_mode=0775"
|
"dir_mode=0770"
|
||||||
"uid=9001"
|
"uid=${toString config.users.users.download.uid}"
|
||||||
|
"gid=${toString config.users.groups.download.gid}"
|
||||||
#"vers=3"
|
#"vers=3"
|
||||||
"vers=2.1"
|
"vers=2.1"
|
||||||
"rsize=65536"
|
"rsize=65536"
|
||||||
|
@ -25,5 +28,4 @@ in {
|
||||||
"iocharset=utf8"
|
"iocharset=utf8"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
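Review bot: `with <stockholm/lib>;` in the first hunk is missing the `import` that `share/default.nix` in this same commit uses (`with import <stockholm/lib>;`); as far as I can see nothing in this file resolves through the `with`, so the path is never forced today, but the first `mkDefault` or `genid` added here will fail with a "path where a set was expected" error. The new `uid=${toString config.users.users.download.uid}` and `gid=${toString config.users.groups.download.gid}` options only evaluate when `share/default.nix` is imported as well; an `imports = [ ./. ];` or an assertion would make that dependency explicit instead of relying on every host listing both. Separately, the mount to `u288834.your-storagebox.de` keeps `"vers=2.1"`, which offers no transport encryption (SMB sealing needs 3.0 or later); the commented `#"vers=3"` suggests it was tried — a note on why it is disabled, or `seal` once a 3.x dialect works, would be worth adding.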
@ -32,6 +32,12 @@ in {
|
||||||
browseable = "yes";
|
browseable = "yes";
|
||||||
"guest ok" = "yes";
|
"guest ok" = "yes";
|
||||||
};
|
};
|
||||||
|
movies = {
|
||||||
|
path = "/media/cryptX/movies";
|
||||||
|
"read only" = "yes";
|
||||||
|
browseable = "yes";
|
||||||
|
"guest ok" = "yes";
|
||||||
|
};
|
||||||
audiobook = {
|
audiobook = {
|
||||||
path = "/media/crypt1/audiobooks";
|
path = "/media/crypt1/audiobooks";
|
||||||
"read only" = "yes";
|
"read only" = "yes";
|
||||||
|
|
|
@ -1,73 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
with import <stockholm/lib>;
|
|
||||||
|
|
||||||
let
|
|
||||||
basicAuth = import <torrent-secrets/auth.nix>;
|
|
||||||
peer-port = 51412;
|
|
||||||
web-port = 8112;
|
|
||||||
daemon-port = 58846;
|
|
||||||
base-dir = config.krebs.rtorrent.workDir;
|
|
||||||
in {
|
|
||||||
|
|
||||||
users.users = {
|
|
||||||
download = {
|
|
||||||
name = "download";
|
|
||||||
home = base-dir;
|
|
||||||
uid = mkDefault (genid "download");
|
|
||||||
createHome = true;
|
|
||||||
useDefaultShell = true;
|
|
||||||
group = "download";
|
|
||||||
openssh.authorizedKeys.keys = [ ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
users.extraGroups = {
|
|
||||||
download = {
|
|
||||||
gid = lib.mkDefault (genid "download");
|
|
||||||
members = [
|
|
||||||
config.krebs.build.user.name
|
|
||||||
"download"
|
|
||||||
"rtorrent"
|
|
||||||
"nginx"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
rtorrent.members = [ "download" ];
|
|
||||||
};
|
|
||||||
|
|
||||||
krebs.rtorrent = let
|
|
||||||
d = config.makefu.dl-dir;
|
|
||||||
in {
|
|
||||||
enable = true;
|
|
||||||
web = {
|
|
||||||
enable = true;
|
|
||||||
port = web-port;
|
|
||||||
inherit basicAuth;
|
|
||||||
};
|
|
||||||
rutorrent.enable = true;
|
|
||||||
enableXMLRPC = true;
|
|
||||||
listenPort = peer-port;
|
|
||||||
downloadDir = d + "/finished/incoming";
|
|
||||||
watchDir = d + "/watch";
|
|
||||||
# TODO: maybe test out multiple watch dirs with tags: https://github.com/rakshasa/rtorrent/wiki/TORRENT-Watch-directories
|
|
||||||
extraConfig = ''
|
|
||||||
# log.add_output = "debug", "rtorrent-systemd"
|
|
||||||
# log.add_output = "dht_debug", "rtorrent-systemd"
|
|
||||||
# log.add_output = "tracker_debug", "rtorrent-systemd"
|
|
||||||
log.add_output = "rpc_events", "rtorrent-systemd"
|
|
||||||
# log.add_output = "rpc_dump", "rtorrent-systemd"
|
|
||||||
system.daemon.set = true
|
|
||||||
'';
|
|
||||||
# dump old torrents into watch folder to have them re-added
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nginx.virtualHosts."torrent.${config.krebs.build.host.name}.r".locations."/" = { proxyPass = "http://localhost:${toString web-port}/"; };
|
|
||||||
|
|
||||||
networking.firewall.extraCommands = ''
|
|
||||||
iptables -A INPUT -i retiolum -p tcp --dport ${toString web-port} -j ACCEPT
|
|
||||||
'';
|
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [ peer-port ];
|
|
||||||
networking.firewall.allowedUDPPorts = [ peer-port ];
|
|
||||||
state = [ config.krebs.rtorrent.sessionDir ]; # state which torrents were loaded
|
|
||||||
}
|
|
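--- a/makefu/2configs/torrent/rtorrent.nix
+++ b/makefu/2configs/torrent/rtorrent.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+let
+basicAuth = import <torrent-secrets/auth.nix>;
+peer-port = 51412;
+web-port = 8112;
+daemon-port = 58846;
+dldir = config.makefu.dl-dir;
+in {
+services.rtorrent.enable = true;
+services.rtorrent.user = "rtorrent";
+services.rtorrent.group = "download";
+services.rtorrent.downloadDir = dldir;
+services.rtorrent.configText = ''
+schedule2 = watch_start, 10, 10, ((load.start, (cat, (cfg.watch), "/media/cloud/watch/*.torrent")))
+'';
+
+services.rtorrent.openFirewall = true;
+
+systemd.services.flood = {
+wantedBy = [ "multi-user.target" ];
+wants = [ "rtorrent.service" ];
+after = [ "rtorrent.service" ];
+serviceConfig = {
+User = "rtorrent";
+ExecStart = "${pkgs.nodePackages.flood}/bin/flood --auth none --port ${toString web-port} --rtsocket ${config.services.rtorrent.rpcSocket}";
+};
+};
+
+#security.acme.certs."torrent.${config.krebs.build.host.name}.r".server = config.krebs.ssl.acmeURL;
+
+services.nginx = {
+enable = true;
+virtualHosts."torrent.${config.krebs.build.host.name}.r" = {
+# TODO
+inherit basicAuth;
+#enableACME = true;
+#addSSL = true;
+root = "${pkgs.nodePackages.flood}/lib/node_modules/flood/dist/assets";
+locations."/api".extraConfig = ''
+proxy_pass http://localhost:${toString web-port};
+'';
+locations."/".extraConfig = ''
+try_files $uri /index.html;
+'';
+};
+};
+}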
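Review bot: `inherit basicAuth;` on the nginx virtualHost feeds the `basicAuth` option, for which NixOS generates the htpasswd file into the world-readable Nix store (the option's own description warns about this); `basicAuthFile` pointing at a file outside the store keeps the password hashes out of it. In `configText`, `(cat, (cfg.watch), "/media/cloud/watch/*.torrent")` prepends rtorrent's configured watch directory to an absolute path, so unless `cfg.watch` is empty the glob never matches `/media/cloud/watch` — presumably `((load.start, "/media/cloud/watch/*.torrent"))` was meant. `peer-port` and `daemon-port` are bound but never used: the removed module passed `listenPort = peer-port`, the new one leaves `services.rtorrent.port` at its default, so the listening port silently changed; add `services.rtorrent.port = peer-port;` or drop the bindings. Lastly `--auth none` on flood is only safe while flood binds loopback and nginx is the sole entry point; passing `--host 127.0.0.1` makes that assumption explicit rather than relying on the default.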