Merge remote-tracking branch 'lass/master'

This commit is contained in:
makefu 2022-01-26 17:59:53 +01:00
commit 54aaf5af8e
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
43 changed files with 584 additions and 384 deletions

View File

@ -7,7 +7,7 @@
<stockholm/krebs/2configs/buildbot-stockholm.nix> <stockholm/krebs/2configs/buildbot-stockholm.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix> <stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/ergo.nix> <stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/reaktor2.nix> <stockholm/krebs/2configs/reaktor2.nix>
<stockholm/krebs/2configs/wiki.nix> <stockholm/krebs/2configs/wiki.nix>
<stockholm/krebs/2configs/acme.nix> <stockholm/krebs/2configs/acme.nix>

View File

@ -4,6 +4,7 @@ with import <stockholm/lib>;
{ {
imports = [ imports = [
./backup.nix ./backup.nix
./security-workarounds.nix
]; ];
krebs.announce-activation.enable = true; krebs.announce-activation.enable = true;
krebs.enable = true; krebs.enable = true;

View File

@ -1,13 +0,0 @@
{ config, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [
6667
];
krebs.ergo = {
enable = true;
};
}

View File

@ -1,121 +1,44 @@
{ config, pkgs, lib, ... }: { config, pkgs, ... }:
{ {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
6667 6669 6667
]; ];
systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384; krebs.ergo = {
services.solanum = {
enable = true; enable = true;
motd = '' config = {
hello server.secure-nets = [
''; "42::0/16"
config = '' "10.240.0.0/12"
loadmodule "extensions/m_omode"; ];
serverinfo { oper-classes.server-admin = {
name = "${config.krebs.build.host.name}.irc.r"; title = "admin";
sid = "1as"; capabilities = [
description = "irc!"; "kill" # disconnect user sessions
network_name = "irc.r"; "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line")
"nofakelag" # remove "fakelag" restrictions on rate of message sending
vhost = "0.0.0.0"; "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block)
vhost6 = "::"; "vhosts" # add and remove vhosts from users
"sajoin" # join arbitrary channels, including private channels
#ssl_private_key = "etc/ssl.key"; "samode" # modify arbitrary channel and user modes
#ssl_cert = "etc/ssl.cert"; "snomasks" # subscribe to arbitrary server notice masks
#ssl_dh_params = "etc/dh.pem"; "roleplay" # use the (deprecated) roleplay commands in any channel
#ssld_count = 1; "rehash" # rehash the server, i.e. reload the config at runtime
"accreg" # modify arbitrary account registrations
default_max_clients = 2048; "chanreg" # modify arbitrary channel registrations
#nicklen = 30; "history" # modify or delete history messages
"defcon" # use the DEFCON command (restrict server capabilities)
"massmessage" # message all users on the server
];
}; };
opers.aids = {
listen { class = "server-admin";
defer_accept = yes; hidden = false;
password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO";
/* If you want to listen on a specific IP only, specify host.
* host definitions apply only to the following port line.
*/
host = "0.0.0.0";
port = 6667;
#sslport = 6697;
/* Listen on IPv6 (if you used host= above). */
host = "::";
port = 6667;
#sslport = 6697;
}; };
class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 4096;
number_per_ip_global = 4096;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 65535;
max_number = 65535;
sendq = 1000 megabyte;
}; };
privset "op" {
privs = oper:admin, oper:general;
};
operator "aids" {
user = "*@*";
password = "balls";
flags = ~encrypted;
snomask = "+s";
privset = "op";
};
exempt {
ip = "127.0.0.1";
};
exempt {
ip = "10.243.0.0/16";
};
auth {
user = "*@*";
class = "users";
flags = kline_exempt, exceed_limit, flood_exempt;
};
channel {
autochanmodes = "+t";
use_invex = yes;
use_except = yes;
use_forward = yes;
use_knock = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 150;
max_bans = 100;
max_bans_large = 500;
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
only_ascii_channels = no;
resv_forcepart = yes;
channel_target_change = yes;
disable_local_channels = no;
};
general {
#maybe we want ident someday?
default_floodcount = 10000;
disable_auth = yes;
throttle_duration = 1;
throttle_count = 10000;
};
'';
}; };
} }

View File

@ -156,7 +156,8 @@ in {
openssh.authorizedKeys.keys = with config.krebs.users; [ openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey lass.pubkey
makefu.pubkey makefu.pubkey
kmein.pubkey kmein-kabsa.pubkey
kmein-manakish.pubkey
tv.pubkey tv.pubkey
]; ];
packages = with pkgs; [ packages = with pkgs; [

View File

@ -68,7 +68,13 @@
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
systemd.services.brockman.bindsTo = [ "solanum.service" ]; krebs.ergo.openFilesLimit = 16384;
krebs.ergo.config = {
limits.nicklen = 100;
limits.identlen = 100;
history.enabled = false;
};
systemd.services.brockman.bindsTo = [ "ergo.service" ];
systemd.services.brockman.serviceConfig.LimitNOFILE = 16384; systemd.services.brockman.serviceConfig.LimitNOFILE = 16384;
systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG"; systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
krebs.brockman = { krebs.brockman = {

View File

@ -95,7 +95,7 @@ let
} }
hooks.sed hooks.sed
(generators.command_hook { (generators.command_hook {
inherit (commands) random-emoji nixos-version; inherit (commands) dance random-emoji nixos-version;
tell = { tell = {
filename = filename =
<stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh>; <stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh>;

View File

@ -0,0 +1,6 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
# https://github.com/berdav/CVE-2021-4034
security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" "");
}

View File

@ -157,7 +157,8 @@ let
# of the deepest directory: # of the deepest directory:
# shellcheck disable=SC2174 # shellcheck disable=SC2174
${local.rsync} >&2 \ ${local.rsync} >&2 \
-aAXF --delete \ -aAX --delete \
--filter='dir-merge /.backup-filter' \
--rsh=${shell.escape ssh} \ --rsh=${shell.escape ssh} \
--rsync-path=${shell.escape remote.rsync} \ --rsync-path=${shell.escape remote.rsync} \
--link-dest=${shell.escape plan.dst.path}/current \ --link-dest=${shell.escape plan.dst.path}/current \
@ -191,7 +192,8 @@ let
echo >&2 "create snapshot: $ns/$name" echo >&2 "create snapshot: $ns/$name"
mkdir -m 0700 -p "$dst_path/$ns" mkdir -m 0700 -p "$dst_path/$ns"
rsync >&2 \ rsync >&2 \
-aAXF --delete \ -aAX --delete \
--filter='dir-merge /.backup-filter' \
--link-dest="$dst_path/current" \ --link-dest="$dst_path/current" \
"$dst_path/current/" \ "$dst_path/current/" \
"$dst_path/$ns/.partial.$name" "$dst_path/$ns/.partial.$name"

View File

@ -108,6 +108,7 @@ let
{ krebs = import ./makefu { inherit config; }; } { krebs = import ./makefu { inherit config; }; }
{ krebs = import ./external/palo.nix { inherit config; }; } { krebs = import ./external/palo.nix { inherit config; }; }
{ krebs = import ./external/mic92.nix { inherit config; }; } { krebs = import ./external/mic92.nix { inherit config; }; }
{ krebs = import ./external/kmein.nix { inherit config; }; }
{ krebs = import ./tv { inherit config; }; } { krebs = import ./tv { inherit config; }; }
{ {
krebs.dns.providers = { krebs.dns.providers = {

View File

@ -2,6 +2,13 @@
options = { options = {
krebs.ergo = { krebs.ergo = {
enable = lib.mkEnableOption "Ergo IRC daemon"; enable = lib.mkEnableOption "Ergo IRC daemon";
openFilesLimit = lib.mkOption {
type = lib.types.int;
default = 1024;
description = ''
Maximum number of open files. Limits the clients and server connections.
'';
};
config = lib.mkOption { config = lib.mkOption {
type = (pkgs.formats.json {}).type; type = (pkgs.formats.json {}).type;
description = '' description = ''
@ -54,8 +61,8 @@
multiclient = { multiclient = {
enabled = true; enabled = true;
allowed-by-default = true; allowed-by-default = true;
always-on = "opt-in"; always-on = "opt-out";
auto-away = "opt-in"; auto-away = "opt-out";
}; };
}; };
channels = { channels = {
@ -111,13 +118,15 @@
systemd.services.ergo = { systemd.services.ergo = {
description = "Ergo IRC daemon"; description = "Ergo IRC daemon";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
reloadIfChanged = true; # reload currently not working as expected
# reloadIfChanged = true;
restartTriggers = [ configFile ]; restartTriggers = [ configFile ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml"; ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
DynamicUser = true; DynamicUser = true;
StateDirectory = "ergo"; StateDirectory = "ergo";
LimitNOFILE = "${toString cfg.openFilesLimit}";
}; };
}; };
}); });

View File

@ -16,37 +16,7 @@ with import <stockholm/lib>;
tinc-for = name: builtins.readFile (./tinc + "/${name}.pub"); tinc-for = name: builtins.readFile (./tinc + "/${name}.pub");
in { in {
hosts = mapAttrs hostDefaults { hosts = mapAttrs hostDefaults {
kabsa = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.4";
aliases = [
"kabsa.r"
"kabsa.kmein.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg
2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay
uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L
a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo
IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM
C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q
sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq
10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo
1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57
lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0
QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ==
-----END PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "KhOetVTVLtGxB22NmZhkTWC0Uhg8rXJv4ayZqchSgCN";
};
};
};
helsinki = { helsinki = {
owner = config.krebs.users.ajs124; owner = config.krebs.users.ajs124;
nets = { nets = {
@ -142,65 +112,6 @@ in {
}; };
}; };
}; };
makanek = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.84";
aliases = [
"makanek.r"
"makanek.kmein.r"
"grafana.kmein.r"
"names.kmein.r"
"graph.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAwvtxCG7Vua6+WoStGrkL+H/g4BABidL2eikDBtbxWN+oGv2Bjrwb
VzXB8lMTCsu6M2wb3YTXXzAkc5oI4gE1sSOiCKyhYnQRrndc91KewquxTPfKL19u
JiRqax/E49IvWKARPRPXUhPfU/NNw1oIxhbcFkjwJmqDvh9SWhl5VZVynCE28ov5
hjjhqNXZHOR8CQqPJeY8v38OAAwTWvJ6rhEQwp5dLBqmRAbvPXj7OOzCxKluDY2X
Dl4k6QAjI6NddJXsXHRYRNGiB0CP1UBC91NDtW2+HIjf1Q1Lip5agO4/SkkSUt39
de7uYKrNcfyDUBb9Suconw0HvW+Dv4Ce5um+aa1RUrWIQdqBCOECbsXYKp66vAnK
Hidf2uznFseWxiyxz1ow8AvvSseABej5GuHI/56lywnFlnHEZLREUF/4PT+BZ0vE
uPRkzqeSNybsYYFieK8aany/RmJaoIsduGutgAiKBvkCCHru895n02xuLhZVkM2G
zfVjA2le+Gxr21/sVPrHfxResLUh4RA8fkS7erWMRF4a3IOpIS4yrM+p4pZTlTxO
Ya8buh4RgyE/0hp4QNpa4K7fvntriK+k6zHs7BcZcG2aMWP3O9/4DgjzBR3eslQV
oou23ajP11wyfrmZK0/PQGTpsU472Jj+06KtMAaH0zo4vAR8s2kV1ukCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "GiAe9EH3ss+K71lRlkGaOcg/MrV/zxNW5tDF0koEGvC";
};
};
};
manakish = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.85";
aliases = [
"manakish.r"
"manakish.kmein.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAtZcWwm1tTFoMcO0EOwNdSrZW9m2tSNWzwTGjlfuNFQKPnHiKdFFH
Hym72+WtaIZmffermGTfYdMoB/lWgOB0glqH9oSBFvrLVDgdQL2il589EXBd/1Qy
7Ye5EVy2/xEA7iZGg3j0i+q1ic48tt6ePd4+QR0LmLEa8+Gz5X0Tp9TTf7gdv+lB
dVA6p7LJixKcBsC5W0jY5oTGUP0fM844AtWbpflmlz0JZNWrkJhCksOnfhUzeIsF
1m9rCsyK+3jGMV6ZxhEbwaOt99Wlv0N0ouPePw+xLnnGTu0rJ/RKWceYnWnrHIyb
GgGIHnm9GbMd4mAfyp63emRYDMclSQSrddpDUL2GK8TCTttr6bZm4M/pFuXQGJsQ
EG0iaE8FM+nCrhmCRnX8dRWcNmHybd34UoVGCDJ6u+ksLIivqgWeY41CauqN0vQw
U4zqp6XMXRB6vlVcyLzdTASxVKaLJt+BuvHcyqz/YslJ97z4yoLE3d7s/9gZkM//
+FD970bsyvKpKRx72rNRCO9tQJNgPsaMiW5nuHUFw71XxX8o0w//5a0h5cdbiT64
I4ISySa4ynmHI1/v0a937/sFS0IvRI1Va0Efh2VxasNIqpDmM3hA8auPDj0Js/4c
qVnWMbvqqYlY9l//HCNxUXIhi0vcOr2PoCxBtcP5pHY8nNphQrPjRrcCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "CjSqXJMvJevjqX9W9sqDpLTJs9DXfC04YNAFpYqS2iN";
};
};
};
qubasa = { qubasa = {
owner = config.krebs.users.qubasa; owner = config.krebs.users.qubasa;
nets = { nets = {
@ -226,7 +137,6 @@ in {
}; };
}; };
}; };
keller = { keller = {
owner = config.krebs.users.qubasa; owner = config.krebs.users.qubasa;
nets = { nets = {
@ -279,13 +189,6 @@ in {
}; };
}; };
rilke = {
owner = config.krebs.users.kmein;
nets.wiregrill = {
aliases = [ "rilke.w" ];
wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
};
};
rtjure = { rtjure = {
owner = config.krebs.users.rtjure; owner = config.krebs.users.rtjure;
nets = { nets = {
@ -312,37 +215,6 @@ in {
}; };
}; };
}; };
zaatar = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.34";
aliases = [
"zaatar.r"
"zaatar.kmein.r"
"grocy.kmein.r"
"bvg.kmein.r"
"moodle.kmein.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAyEeesa4mDNAT2QT/PxfmildhqawinWTcUiF3V2wsfy3eXJCFySKM
pRKrLnOpkd2RoLWA88o0/hAfTdel/fXRjAx8TtKlh1n+UoRhYOGqLJKUZDVGImjJ
xTPGCC+g4b2cNCYU3RVdttSu8+zlfO6ktkySULKbVkJN3ocQmSCmWs2tP6hYvk2i
5OB3Uxw+OwhtVO76dlby6Idmc8o++ZVm3snbYsgiR7RQf9vHZHR8lKr5fZ/ycq2Q
T+agY/cFLJ+jhfUi8LFtKKcqGLyKKrDywADQWTcIG+cjV33k6ftW678jvsEft6e6
2RgspZX5XciTbMPIPGMcH5NZPXi6youcUcqcqDtok7Y1Jj3N5dSmJno5ojyKolZp
PRt4bPx9WuerjzwL5gG9E6n6l24neX6Mq7RDyJfBYtpUvZblezXWUuoReGNczAvj
zZrAKXKnuCEgQ/du7pT8V6qHG5NjovIMm0VDxOJV5jBL4NUox3PGbW5g0vS/nxHc
xKWPq+4zoyA6MsL9sGCqIlSWEqNnSERX19GbJZNYjm1J+aGZ/fZ+MaDJGuCzlxn4
yjLBuuXSkIrPxxtIV+Yh8Wy5qDNRN7XS1wNxUcmjQn0+7Ou/4W+cTWJ/+yZyC1DK
uYEZh8YBMJo0E4bR4s04SFA6uLIvLigPELxzb0jwZSKXRnQhay6zzZ0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "GYg9UMw0rFWFS0Yr8HFe81HcGjQw0xbu9wqDWtQPDLH";
};
};
};
sokrateslaptop = { sokrateslaptop = {
owner = config.krebs.users.sokratess; owner = config.krebs.users.sokratess;
nets = { nets = {
@ -691,6 +563,31 @@ in {
}; };
}; };
}; };
papawhakaaro = {
owner = config.krebs.users.feliks;
nets = {
retiolum = {
ip4.addr = "10.243.10.243";
aliases = [ "papawhakaaro.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEA4bd0lVUVlzFmM8TuH77C5VctcK4lkw02LbMVQDJ5U+Ww075nNahw
oRHqPgJRwfGW0Tgu/1s5czZ2tAFU3lXoOSBYldAspM3KRZ4DKQsFrL9B0oWarGsK
sUgsuOJprlX4mkfj/eBNINqTqf2kVIH+p43VENQ9ioKmc+qJKm4xfRONRLp871GV
5jmIvRvQ6JP0RtNd2KpNLaeplzx8M61D9PBOAZkNYAUTpBs4LZBNJj4eFnXBugrz
GkBjmm3Rk7olz0uOZzbeTc6Slv2tgtN5FrQifdy4XIlsKcBTzMkYHEZstmldJgd9
pGvfmem6uPcXrF+eDJzqUn0ArH7eOIS4F0+DzugJz4qX+ytvE4ag7r2Vx0Pa9TCY
hpn0lqwW+ly1clM0SKt59v1nQ4oRW4UIbAZaIgp4UJbb3IGSwbq7NuadvHpNICHi
4pqQD+1sSEbGLAZ0bFjLIYFg9zzNjLeAxXpn49WHOEyRlq3h+SUQcG2EuVMI28DX
lILKSoOJsuQupURPubaxkiNEa5neYk9hZ8CWgwSG/VlyRLuNsVDVn2dBma43Mr10
LHMkX2/a9t7ghokugvV2XMP9Es9A9TGFShM9UtFAlovdad+SQ8FBPNheDwIhjCJe
l5NIrMrmQIveq7QJ1szxYhqfl1ifU0c+YxeMkg3tvEuQV/tk/oki/aECAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "5G49yQPjkkoGZxM6CeDy87y6tB/abtelUAk55wJ4GpP";
};
};
};
hydrogen = { hydrogen = {
owner = config.krebs.users.sandro; owner = config.krebs.users.sandro;
nets = rec { nets = rec {
@ -740,10 +637,6 @@ in {
jonge = { jonge = {
mail = "jacek.galowicz@gmail.com"; mail = "jacek.galowicz@gmail.com";
}; };
kmein = {
mail = "kmein@posteo.de";
pubkey = ssh-for "kmein";
};
mic92 = { mic92 = {
mail = "joerg@thalheim.io"; mail = "joerg@thalheim.io";
pubkey = ssh-for "mic92"; pubkey = ssh-for "mic92";
@ -799,5 +692,8 @@ in {
pie_ = {}; pie_ = {};
domsen = { domsen = {
}; };
feliks = {
mail = "feliks@flipdot.org";
};
}; };
} }

146
krebs/3modules/external/kmein.nix vendored Normal file
View File

@ -0,0 +1,146 @@
with import <stockholm/lib>;
{ config, ... }:
let
maybeEmpty = attrset: key: if (attrset?key) then attrset.${key} else [];
hostDefaults = hostName: host: flip recursiveUpdate host ({
ci = false;
external = true;
monitoring = false;
owner = config.krebs.users.kmein;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum = {
ip6.addr = (krebs.genipv6 "retiolum" "external" { inherit hostName; }).address;
};
} // optionalAttrs (host.nets?wiregrill) {
nets.wiregrill = {
ip6.addr = (krebs.genipv6 "wiregrill" "external" { inherit hostName; }).address;
};
});
ssh-for = name: builtins.readFile (./ssh + "/${name}.pub");
in
{
users = rec {
kmein = kmein-kabsa;
kmein-kabsa = {
mail = "kmein@posteo.de";
pubkey = ssh-for "kmein.kabsa";
};
kmein-manakish = {
inherit (kmein-kabsa) mail;
pubkey = ssh-for "kmein.manakish";
};
};
hosts = mapAttrs hostDefaults {
kabsa = {
nets.retiolum = {
aliases = [ "kabsa.r" "kabsa.kmein.r" ];
ip4.addr = "10.243.2.4";
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg
2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay
uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L
a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo
IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM
C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q
sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq
10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo
1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57
lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0
QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ==
-----END PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "KhOetVTVLtGxB22NmZhkTWC0Uhg8rXJv4ayZqchSgCN";
};
};
makanek = {
nets.retiolum = {
aliases = [
"makanek.r"
"makanek.kmein.r"
"grafana.kmein.r"
"names.kmein.r"
"graph.r"
"rrm.r"
];
ip4.addr = "10.243.2.84";
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAwvtxCG7Vua6+WoStGrkL+H/g4BABidL2eikDBtbxWN+oGv2Bjrwb
VzXB8lMTCsu6M2wb3YTXXzAkc5oI4gE1sSOiCKyhYnQRrndc91KewquxTPfKL19u
JiRqax/E49IvWKARPRPXUhPfU/NNw1oIxhbcFkjwJmqDvh9SWhl5VZVynCE28ov5
hjjhqNXZHOR8CQqPJeY8v38OAAwTWvJ6rhEQwp5dLBqmRAbvPXj7OOzCxKluDY2X
Dl4k6QAjI6NddJXsXHRYRNGiB0CP1UBC91NDtW2+HIjf1Q1Lip5agO4/SkkSUt39
de7uYKrNcfyDUBb9Suconw0HvW+Dv4Ce5um+aa1RUrWIQdqBCOECbsXYKp66vAnK
Hidf2uznFseWxiyxz1ow8AvvSseABej5GuHI/56lywnFlnHEZLREUF/4PT+BZ0vE
uPRkzqeSNybsYYFieK8aany/RmJaoIsduGutgAiKBvkCCHru895n02xuLhZVkM2G
zfVjA2le+Gxr21/sVPrHfxResLUh4RA8fkS7erWMRF4a3IOpIS4yrM+p4pZTlTxO
Ya8buh4RgyE/0hp4QNpa4K7fvntriK+k6zHs7BcZcG2aMWP3O9/4DgjzBR3eslQV
oou23ajP11wyfrmZK0/PQGTpsU472Jj+06KtMAaH0zo4vAR8s2kV1ukCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "GiAe9EH3ss+K71lRlkGaOcg/MrV/zxNW5tDF0koEGvC";
};
};
manakish = {
nets.retiolum = {
aliases = [
"manakish.r"
"manakish.kmein.r"
];
ip4.addr = "10.243.2.85";
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAtZcWwm1tTFoMcO0EOwNdSrZW9m2tSNWzwTGjlfuNFQKPnHiKdFFH
Hym72+WtaIZmffermGTfYdMoB/lWgOB0glqH9oSBFvrLVDgdQL2il589EXBd/1Qy
7Ye5EVy2/xEA7iZGg3j0i+q1ic48tt6ePd4+QR0LmLEa8+Gz5X0Tp9TTf7gdv+lB
dVA6p7LJixKcBsC5W0jY5oTGUP0fM844AtWbpflmlz0JZNWrkJhCksOnfhUzeIsF
1m9rCsyK+3jGMV6ZxhEbwaOt99Wlv0N0ouPePw+xLnnGTu0rJ/RKWceYnWnrHIyb
GgGIHnm9GbMd4mAfyp63emRYDMclSQSrddpDUL2GK8TCTttr6bZm4M/pFuXQGJsQ
EG0iaE8FM+nCrhmCRnX8dRWcNmHybd34UoVGCDJ6u+ksLIivqgWeY41CauqN0vQw
U4zqp6XMXRB6vlVcyLzdTASxVKaLJt+BuvHcyqz/YslJ97z4yoLE3d7s/9gZkM//
+FD970bsyvKpKRx72rNRCO9tQJNgPsaMiW5nuHUFw71XxX8o0w//5a0h5cdbiT64
I4ISySa4ynmHI1/v0a937/sFS0IvRI1Va0Efh2VxasNIqpDmM3hA8auPDj0Js/4c
qVnWMbvqqYlY9l//HCNxUXIhi0vcOr2PoCxBtcP5pHY8nNphQrPjRrcCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "CjSqXJMvJevjqX9W9sqDpLTJs9DXfC04YNAFpYqS2iN";
};
};
g7power = {
nets.wiregrill = {
ip4.addr = "10.244.2.97";
aliases = [ "phone.kmein.w" ];
wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
};
};
zaatar = {
nets.retiolum = {
ip4.addr = "10.243.2.34";
aliases = [
"zaatar.r"
"zaatar.kmein.r"
"grocy.kmein.r"
"moodle.kmein.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAyEeesa4mDNAT2QT/PxfmildhqawinWTcUiF3V2wsfy3eXJCFySKM
pRKrLnOpkd2RoLWA88o0/hAfTdel/fXRjAx8TtKlh1n+UoRhYOGqLJKUZDVGImjJ
xTPGCC+g4b2cNCYU3RVdttSu8+zlfO6ktkySULKbVkJN3ocQmSCmWs2tP6hYvk2i
5OB3Uxw+OwhtVO76dlby6Idmc8o++ZVm3snbYsgiR7RQf9vHZHR8lKr5fZ/ycq2Q
T+agY/cFLJ+jhfUi8LFtKKcqGLyKKrDywADQWTcIG+cjV33k6ftW678jvsEft6e6
2RgspZX5XciTbMPIPGMcH5NZPXi6youcUcqcqDtok7Y1Jj3N5dSmJno5ojyKolZp
PRt4bPx9WuerjzwL5gG9E6n6l24neX6Mq7RDyJfBYtpUvZblezXWUuoReGNczAvj
zZrAKXKnuCEgQ/du7pT8V6qHG5NjovIMm0VDxOJV5jBL4NUox3PGbW5g0vS/nxHc
xKWPq+4zoyA6MsL9sGCqIlSWEqNnSERX19GbJZNYjm1J+aGZ/fZ+MaDJGuCzlxn4
yjLBuuXSkIrPxxtIV+Yh8Wy5qDNRN7XS1wNxUcmjQn0+7Ou/4W+cTWJ/+yZyC1DK
uYEZh8YBMJo0E4bR4s04SFA6uLIvLigPELxzb0jwZSKXRnQhay6zzZ0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "GYg9UMw0rFWFS0Yr8HFe81HcGjQw0xbu9wqDWtQPDLH";
};
};
};
}

View File

@ -526,8 +526,10 @@ in {
}; };
turingmachine = { turingmachine = {
owner = config.krebs.users.mic92; owner = config.krebs.users.mic92;
nets = { nets = rec {
internet.addrs = [ "turingmachine.thalheim.io" ];
retiolum = { retiolum = {
via = internet;
aliases = [ aliases = [
"turingmachine.r" "turingmachine.r"
]; ];
@ -675,10 +677,33 @@ in {
}; };
}; };
}; };
jarvis = {
owner = config.krebs.users.mic92;
nets = rec {
internet.addrs = [ "jarvis.thalheim.io" ];
retiolum = {
via = internet;
aliases = [ "jarvis.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA7PtJlYBpBr2TK5CAvAukkGvj+esC+sMPKd3mO9iDwdViBrqKdf+D
yEy8SI80Y02dpkL97NjvnzepKpyGQWpG1ZQflJLhCTj7oFyVpWd4XsbIuzYp5ES6
r8qKWs2xcItc1pbW0ZmrCBzdWsC1B0VAHlYkiz+7vM6pCTvg6hNQugP4c1TRCtJC
Sr+n+EjTXN/NTaKl+f7eoHJGnT5liDO3/xZVxm8AuLnron1xPPDghXClVHfDj5mt
f66f+CLwZhq3BrZuptwXp7TerMfrNtPyTx96b+EyuLPjrYxKeKL/+Nbr3VmmiDIV
tsraNc+0a8OBpVsYh4MQLp55NYwqxAoetQIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "RRkMnGSg+nMkz4L2iqmdFf2fIf4wIfcTM0TlTWLLNCE";
};
};
};
bernie = { bernie = {
owner = config.krebs.users.mic92; owner = config.krebs.users.mic92;
nets = rec { nets = rec {
internet.addrs = [ "bernie.thalheim.io" ];
retiolum = { retiolum = {
via = internet;
aliases = [ "bernie.r" ]; aliases = [ "bernie.r" ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -700,7 +725,6 @@ in {
}; };
}; };
ryan = { ryan = {
owner = config.krebs.users.mic92; owner = config.krebs.users.mic92;
nets = rec { nets = rec {

View File

@ -1,2 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyTnGhFq0Q+vghNhrqNrAyY+CsN7nNz8bPfiwIwNpjk ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyTnGhFq0Q+vghNhrqNrAyY+CsN7nNz8bPfiwIwNpjk
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiQEc8rTr7C7xVLYV7tQ99BDDBLrJsy5hslxtCEatkB

View File

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiQEc8rTr7C7xVLYV7tQ99BDDBLrJsy5hslxtCEatkB

View File

@ -1,2 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos

View File

@ -41,11 +41,17 @@ let
fi fi
;; ;;
"POST /") "POST /")
uri=$(head -c "$req_content_length" \ uri_candidate=$(head -c "$req_content_length" \
| sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \ | sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
| xargs -0 echo -e \ | xargs -0 echo -e \
| tee /tmp/tee.log \ )
| ${pkgs.urix}/bin/urix \
if $(echo "$uri_candidate" | grep -q '^uri=//.*'); then
# fix urls with missing https: in front
uri_candidate=$(echo "$uri_candidate" | sed 's,//,https://,g')
fi
uri=$(echo "$uri_candidate" | ${pkgs.urix}/bin/urix \
| head -1 \ | head -1 \
) )

View File

@ -681,7 +681,7 @@ in {
aliases = [ aliases = [
"styx.r" "styx.r"
]; ];
tinc.port = 0; tinc.port = 654;
tinc = { tinc = {
pubkey = '' pubkey = ''
-----BEGIN PUBLIC KEY----- -----BEGIN PUBLIC KEY-----

View File

@ -82,6 +82,32 @@ in {
ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519"; ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519";
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
}; };
bu = {
ci = true;
cores = 4;
nets = {
retiolum = {
ip4.addr = "10.243.13.36";
aliases = [
"bu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAxjAvT1sfHPWExhWRoXG+NJbYUmf5q4yfpfBRvb232LC9sLn4Z2wb
hxKreR5/j9a/2hRIlCz4IwKftl5vroG9Vy4e7zZIz6QvN4TqED8dUjJ1ubhtj47l
jjHW4cHLUWsaqqu6TAuPH26qPSxm9VrD6rZIX9RmQ1bWIaonVB3Q+XnDfPlISw6M
gbQXz4tOsOnC+y/6C3VPUo0nqC+PuA/kyRq/ivVutKd0dTSY8LmCDNla6AEVD5dG
sIqPWX5h8fjqU7G3oOMvMsBrCkvRRB0F0dQzGo8EXwCDJxa+xOuk5n1GYJ2lqeM/
st7KIxmLvO5AE7cUxdLlDj4EzVLSDoAqOwIDAQAB
-----END RSA PUBLIC KEY-----
'';
tinc.pubkey_ed25519 = "/MXEuv96HlrpHBto8KP2S6Ztiahhi3H7AevmbYS+xqE";
};
};
secure = true;
ssh.privkey.path = config.krebs.secret.file "ssh.id_rsa";
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1Y13PvTn+9VjQbgy2ZmpAEFXyYaroYP/5nK9o7B8cidf01Sh39184mG8KN8VuEzCj7b37KnLH8qUDcsukvkxOVSoVHmXH+/Pgbmsxp4c9sxLQLHBfCazhT0S3Zs+BkR6LNQ8GOCS1qsgy05L6fMXoQgds3Zx/X4ZYjLnYVnJo8k+6aP4pU/rB6GFzGG9UrLDvSvk/PoswpEr7S6uFa4bF8JWD5VPkQTPTNwm1LWH4va+ABcw9KOgL2tsAk/jJlkLD4qgXowqgbwcpfe+QCukJb7uIQjRtOgxSAhHqT1nxjS6gROhGt0ojuwALaZaFPr9YtGlqxPhUzAXWKvvbVcr6kkR17HrtXZeLdFqwrUPlkIDFV6yLbYzQGKPFwxtpoJaH/irv6cgeXnHaa9XQJk+XJ5pE0X9uNljGr3B8LMKymdlvvBiWOOLpYsHg5aVOR+K7HvydLSuaah8hpCLjjVyIYIl/pIDL4F/FUSxcFBB4fgdXB77LXm5UizmI7+dqZaOQSm8qXbLZ8P+13ele2JyV1pmvJbLFlhCksDMOXx9jvSJQ6DOjPd+2vtABWh9XGo2Fiy+ekB9LTzlW+xON4FRZDoTPrPmhg40v+s7lySHx3miwCIJfNfLJpf0dxm3pQYWZPIra1RA9hbgstXBJ3+2VA5JEuVRt0SEygN5Kgk1Y5w== root@bu";
};
hu = { hu = {
nets = { nets = {
retiolum = { retiolum = {

View File

@ -7,12 +7,12 @@
}: }:
mkDerivation rec { mkDerivation rec {
pname = "brockman"; pname = "brockman";
version = "4.0.2"; version = "4.0.3";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "kmein"; owner = "kmein";
repo = "brockman"; repo = "brockman";
rev = version; rev = version;
sha256 = "sha256-EKXKhGdIJRbRklD5zxJNGhOxqPzog4f9NMXo/c8iBGc="; sha256 = "sha256-rjwroSG9ys0FV2JM70kzmCutMVpUTx8cQ+jQq8Hw1kw=";
}; };
isLibrary = false; isLibrary = false;
isExecutable = true; isExecutable = true;

View File

@ -9,11 +9,11 @@
}: }:
mkDerivation { mkDerivation {
pname = "much"; pname = "much";
version = "1.2.0"; version = "1.3.1";
src = fetchgit { src = fetchgit {
url = "https://cgit.krebsco.de/much"; url = "https://cgit.krebsco.de/much";
sha256 = "0rf27d7gki5hgivy49xi59ld0j6jw3v7nxi4w1gx6byj1xsarwwl"; sha256 = "0gwyhqcvg9ywna8fhb9hnx97qh5inglj3l0pcwkgwcvm27mfpcqa";
rev = "29749366052a8f6c05b314f1ff17201717855ad7"; rev = "77357335a3a88a4b93f91a46ab939a1a9b192977";
fetchSubmodules = true; fetchSubmodules = true;
}; };
isLibrary = true; isLibrary = true;

View File

@ -0,0 +1,38 @@
{ lib, pkgs, stdenv }:
stdenv.mkDerivation {
pname = "K_belwagen";
version = "1.0";
src = pkgs.painload;
sourceRoot = "source/K_belwagen";
buildInputs = [
pkgs.jack1
pkgs.pkgconfig
];
patchPhase = ''
sed -i '
s@^cd@# &@
s@^make@# &@
s@^jackd@# &@
s@^trap@# &@
s@^set.*@&\nPATH=${lib.makeBinPath [
pkgs.bc
pkgs.coreutils
]}; export PATH@
s@\./a\.out@'"$out"'/lib/a.out@
' alarm
'';
installPhase = ''
mkdir -p $out/lib
mkdir -p $out/bin
cp alarm $out/bin
cp a.out $out/lib
'';
}

View File

@ -1,14 +1,14 @@
{ buildGo116Module , fetchFromGitHub, lib }: { buildGo117Module , fetchFromGitHub, lib }:
buildGo116Module rec { buildGo117Module rec {
pname = "ergo"; pname = "ergo";
version = "2.8.0"; version = "2.9.1";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "ergochat"; owner = "ergochat";
repo = "ergo"; repo = "ergo";
rev = "v${version}"; rev = "v${version}";
sha256 = "sha256-xKcSHNH1ksjH1IikqzDi88fOdHR5CHGs8ya4Fj65MbI="; sha256 = "sha256-RxsmkTfHymferS/FRW0sLnstKfvGXkW6cEb/JbeS4lc=";
}; };
vendorSha256 = null; vendorSha256 = null;
@ -17,7 +17,7 @@ buildGo116Module rec {
description = "A modern IRC server (daemon/ircd) written in Go"; description = "A modern IRC server (daemon/ircd) written in Go";
homepage = "https://github.com/ergochat/ergo"; homepage = "https://github.com/ergochat/ergo";
license = lib.licenses.mit; license = lib.licenses.mit;
maintainers = [ lib.maintainers.tv ]; maintainers = with lib.maintainers; [ lassulus tv ];
platforms = lib.platforms.linux; platforms = lib.platforms.linux;
}; };
} }

View File

@ -100,6 +100,7 @@ with stockholm.lib;
add_message "$( add_message "$(
git log \ git log \
--format="$(orange %h) %s $(gray '(%ar)')" \ --format="$(orange %h) %s $(gray '(%ar)')" \
--no-merges \
--reverse \ --reverse \
$id2..$id $id2..$id

View File

@ -1,7 +1,9 @@
{ fetchgit, ... }: { pkgs }:
fetchgit { pkgs.fetchFromGitHub {
url = https://github.com/krebs/painload; owner = "krebs";
rev = "c113487f73713a03b1a139b22bb34b86234d0495"; repo = "painload";
sha256 = "1irxklnmvm8wsa70ypjahkr8rfqq7357vcy8r0x1sfncs1hy6gr6"; rev = "a963b45d5a3921f19189575420cc7f8f946345b5";
sha256 = "03q8rxpzy4l9nd4wv0107s0ck3dhfzkfy1rabf8srabkwl0c3vsc";
fetchSubmodules = true;
} }

View File

@ -21,6 +21,16 @@ rec {
}; };
}; };
dance = {
filename = pkgs.writeDash "dance" ''
echo "<(^.^<)"
echo "<(^.^)>"
echo "(>^.^)>"
echo "(7^.^)7"
echo "(>^.^<)"
'';
};
nixos-version = { nixos-version = {
filename = pkgs.writeDash "nixos-version" '' filename = pkgs.writeDash "nixos-version" ''
. /etc/os-release . /etc/os-release

View File

@ -1,9 +1,9 @@
{ {
"url": "https://github.com/NixOS/nixpkgs", "url": "https://github.com/NixOS/nixpkgs",
"rev": "59bfda72480496f32787cec8c557182738b1bd3f", "rev": "689b76bcf36055afdeb2e9852f5ecdd2bf483f87",
"date": "2021-12-31T15:09:52+01:00", "date": "2022-01-23T03:10:13+01:00",
"path": "/nix/store/wy2iidg15nwgmn8xir8fbr1lfz1hqphb-nixpkgs", "path": "/nix/store/s6kxwpz8k02mg1wqsf06bsjygwi6xr6j-nixpkgs",
"sha256": "18akd1chfvniq1q774rigfxgmxwi0wyjljpa1j9ls59szpzr316d", "sha256": "08d38db4707jdm3gws82y6bynh6k8qal4s1cms9zqd9cdwcmylyj",
"fetchLFS": false, "fetchLFS": false,
"fetchSubmodules": false, "fetchSubmodules": false,
"deepClone": false, "deepClone": false,

View File

@ -1,9 +1,9 @@
{ {
"url": "https://github.com/NixOS/nixpkgs", "url": "https://github.com/NixOS/nixpkgs",
"rev": "d1e59cfc49961e121583abe32e2f3db1550fbcff", "rev": "604c44137d97b5111be1ca5c0d97f6e24fbc5c2c",
"date": "2022-01-01T22:20:39+08:00", "date": "2022-01-23T10:04:55-08:00",
"path": "/nix/store/azrxsxpszjwgg75jk1pkzlzjcj0qnw8d-nixpkgs", "path": "/nix/store/r22j0r232a5y02yhd1avaw27zqdbhx1x-nixpkgs",
"sha256": "03ldf1dlxqf3g8qh9x5vp6vd9zvvr481fyjds111imll69y60wpm", "sha256": "0gzhigyn8f7vps4a5vc1c8wbim59724s179a7d0h3gv6ss9avdj4",
"fetchLFS": false, "fetchLFS": false,
"fetchSubmodules": false, "fetchSubmodules": false,
"deepClone": false, "deepClone": false,

View File

@ -123,6 +123,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix> <stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/jitsi.nix> <stockholm/lass/2configs/jitsi.nix>
<stockholm/lass/2configs/fysiirc.nix>
{ {
services.tor = { services.tor = {
enable = true; enable = true;

View File

@ -79,9 +79,11 @@
boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ]; boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
boot.kernelParams = [ "net.ifnames=0" ]; boot.kernelParams = [ "net.ifnames=0" ];
networking.dhcpcd.enable = false;
networking = { networking = {
hostId = "2283aaae"; hostId = "2283aaae";
defaultGateway = "95.216.1.129"; defaultGateway = "95.216.1.129";
defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
# Use google's public DNS server # Use google's public DNS server
nameservers = [ "8.8.8.8" ]; nameservers = [ "8.8.8.8" ];
interfaces.eth0.ipv4.addresses = [ interfaces.eth0.ipv4.addresses = [
@ -94,5 +96,11 @@
prefixLength = 26; prefixLength = 26;
} }
]; ];
interfaces.eth0.ipv6.addresses = [
{
address = "2a01:4f9:2a:1e9::1";
prefixLength = 64;
}
];
}; };
} }

View File

@ -65,7 +65,7 @@ in {
gitAndTools.hub gitAndTools.hub
git-crypt git-crypt
git-preview git-preview
gnome3.dconf dconf
iodine iodine
libarchive libarchive
lm_sensors lm_sensors

View File

@ -8,7 +8,7 @@ with import <stockholm/lib>;
./vim.nix ./vim.nix
./zsh.nix ./zsh.nix
./htop.nix ./htop.nix
./security-workarounds.nix <stockholm/krebs/2configs/security-workarounds.nix>
./wiregrill.nix ./wiregrill.nix
{ {
users.extraUsers = users.extraUsers =

51
lass/2configs/fysiirc.nix Normal file
View File

@ -0,0 +1,51 @@
{ config, lib, pkgs, ... }:
{
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 44002"; target = "ACCEPT"; }
];
krebs.reaktor2.fysiweb-github = {
hostname = "irc.libera.chat";
port = "6697";
useTLS = true;
nick = "fysiweb-github";
API.listen = "inet://127.0.0.1:44001";
plugins = [
{
plugin = "register";
config = {
channels = [
"#fysi"
];
};
}
];
};
krebs.htgen.fysiweb-github = {
port = 44002;
user = {
name = "reaktor2-fysiweb-github";
};
script = ''. ${pkgs.writeDash "github-irc" ''
case "$Method $Request_URI" in
"POST /")
payload=$(head -c "$req_content_length" \
| sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
| xargs -0 echo -e \
)
${pkgs.curl}/bin/curl -fsSv http://localhost:44001/ \
-H content-type:application/json \
-d "$(echo "$payload" | ${pkgs.jq}/bin/jq \
'{
command:"PRIVMSG",
params:["#fysi", "\(.action): \(.comment.html_url // .issue.html_url // .pull_request.html_url)"]
}'
)"
printf 'HTTP/1.1 200 OK\r\n'
printf 'Connection: close\r\n'
printf '\r\n'
exit
;;
esac
''}'';
};
}

View File

@ -14,8 +14,8 @@
users.users.mainUser = { users.users.mainUser = {
extraGroups = [ "networkmanager" ]; extraGroups = [ "networkmanager" ];
packages = with pkgs; [ packages = with pkgs; [
gnome3.gnome_keyring gnome3.gnome-keyring
gnome3.dconf dconf
]; ];
}; };
environment.systemPackages = [ environment.systemPackages = [

View File

@ -8,67 +8,18 @@
powerOnBoot = true; powerOnBoot = true;
}; };
# autostart with login
systemd.user.services.pipewire-pulse = {
wantedBy = [ "graphical-session.target" ];
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
alsaUtils alsaUtils
pulseaudioLight pulseaudioLight
ponymix ponymix
]; ];
environment.variables.PULSE_SERVER = "localhost:4713";
services.pipewire = { services.pipewire = {
enable = true; enable = true;
socketActivation = false; systemWide = true;
alsa.enable = true; alsa.enable = true;
alsa.support32Bit = true; alsa.support32Bit = true;
pulse.enable = true; pulse.enable = true;
jack.enable = true; jack.enable = true;
# https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Migrate-PulseAudio#module-native-protocol-tcp
config.pipewire-pulse = {
"context.properties" = {
"log.level" = 2;
};
"context.modules" = [
{
name = "libpipewire-module-rtkit";
# args = {
# "nice.level" = -15;
# "rt.prio" = 88;
# "rt.time.soft" = 200000;
# "rt.time.hard" = 200000;
# };
flags = [ "ifexists" "nofail" ];
}
{ name = "libpipewire-module-protocol-native"; }
{ name = "libpipewire-module-client-node"; }
{ name = "libpipewire-module-adapter"; }
{ name = "libpipewire-module-metadata"; }
{
name = "libpipewire-module-protocol-pulse";
args = {
"vm.overrides" = {
# "pulse.min.req" = "32/48000";
# "pulse.default.req" = "32/48000";
# "pulse.max.req" = "32/48000";
"pulse.min.quantum" = "1024/48000";
# "pulse.max.quantum" = "32/48000";
};
"server.address" = [
"unix:native"
"tcp:4713"
];
};
}
];
"stream.properties" = {
# "node.latency" = "32/48000";
# "resample.quality" = 1;
};
};
}; };
} }

View File

@ -17,14 +17,17 @@
enable = true; enable = true;
connectTo = [ connectTo = [
"prism" "prism"
"gum"
"ni" "ni"
"eve"
]; ];
extraConfig = '' extraConfig = ''
LocalDiscovery = yes StrictSubnets = yes
''; '';
}; };
# never connect via gum (he eats our packets!)
krebs.hosts.gum.nets.retiolum.tinc.weight = 9000;
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
tinc = pkgs.tinc_pre; tinc = pkgs.tinc_pre;
}; };

View File

@ -1,8 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
# http://seclists.org/oss-sec/2017/q1/471
boot.extraModprobeConfig = ''
install dccp /run/current-system/sw/bin/false
'';
}

View File

@ -6,15 +6,41 @@
]; ];
services.udev.packages = with pkgs; [ yubikey-personalization ]; services.udev.packages = with pkgs; [ yubikey-personalization ];
services.pcscd.enable = true;
systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ]; systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ];
##restart pcscd if yubikey is plugged in services.pcscd.enable = true;
#services.udev.extraRules = '' systemd.user.services.gpg-agent.serviceConfig.ExecStartPre = pkgs.writers.writeDash "init_gpg" ''
# ACTION=="add", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="2013", RUN+="${pkgs.writeDash "restart_pcscd" '' set -x
# ${pkgs.systemd}/bin/systemctl restart pcscd.service ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "scdaemon.conf" ''
# ''}" disable-ccid
#''; pcsc-driver ${pkgs.pcsclite.out}/lib/libpcsclite.so.1
card-timeout 1
# Always try to use yubikey as the first reader
# even when other smart card readers are connected
# Name of the reader can be found using the pcsc_scan command
# If you have problems with gpg not recognizing the Yubikey
# then make sure that the string here matches exacly pcsc_scan
# command output. Also check journalctl -f for errors.
reader-port Yubico YubiKey
''} $HOME/.gnupg/scdaemon.conf
'';
security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) {
if (
(
action.id == "org.debian.pcsc-lite.access_pcsc" ||
action.id == "org.debian.pcsc-lite.access_card"
) && subject.user == "lass"
) {
return polkit.Result.YES;
}
});
polkit.addRule(function(action, subject) {
polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
});
'';
environment.shellInit = '' environment.shellInit = ''
if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then
@ -28,6 +54,9 @@
fi fi
''; '';
# allow nix to acces remote builders via yubikey
systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/run/user/1337/gnupg/S.gpg-agent.ssh";
programs = { programs = {
ssh.startAgent = false; ssh.startAgent = false;
gnupg.agent = { gnupg.agent = {

View File

@ -41,10 +41,6 @@ with import <stockholm/lib>;
type = types.path; type = types.path;
default = pkgs.writeScript "echo_lol" "echo lol"; default = pkgs.writeScript "echo_lol" "echo lol";
}; };
vglrun = mkOption {
type = types.bool;
default = false;
};
wm = mkOption { wm = mkOption {
#TODO find type #TODO find type
type = types.str; type = types.str;
@ -122,21 +118,14 @@ with import <stockholm/lib>;
${pkgs.coreutils}/bin/kill $XEPHYR_PID ${pkgs.coreutils}/bin/kill $XEPHYR_PID
''; '';
# TODO fix xephyr which doesn't honor resizes anymore # TODO fix xephyr which doesn't honor resizes anymore
sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then '' sudo_ = pkgs.writeDash "${cfg.name}-sudo" ''
/var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@"
'' else ''
#/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@" #/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
/var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@" ${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:0 --uid=${cfg.name} .host ${cfg.script} "$@"
'');
vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" ''
DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@"
''; '';
in nameValuePair name { in nameValuePair name {
existing = newOrExisting; existing = newOrExisting;
xephyr = xephyr_; xephyr = xephyr_;
sudo = sudo_; sudo = sudo_;
vglrun = vglrun_;
} }
) config.lass.xjail; ) config.lass.xjail;
in { in {
@ -161,10 +150,19 @@ with import <stockholm/lib>;
} }
) config.lass.xjail; ) config.lass.xjail;
security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: security.polkit.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: ''
# TODO allow just the right script with sudo polkit.addRule(function(action, subject) {
"${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL" if (
) config.lass.xjail)); subject.user == "${cfg.from}" &&
action.id == "org.freedesktop.machine1.host-shell" &&
action.lookup("user") == "${cfg.user}" &&
action.lookup("program") == "${cfg.script}" &&
true
) {
return polkit.Result.YES;
}
});
'') config.lass.xjail));
lass.xjail-bins = mapAttrs' (name: cfg: lass.xjail-bins = mapAttrs' (name: cfg:
nameValuePair name (pkgs.writeScriptBin cfg.name '' nameValuePair name (pkgs.writeScriptBin cfg.name ''

40
tv/1systems/bu/config.nix Normal file
View File

@ -0,0 +1,40 @@
{ config, pkgs, ... }: let
lib = import ../../../lib;
in {
imports = [
./disks.nix
<stockholm/tv>
<stockholm/tv/2configs/hw/x220.nix>
<stockholm/tv/2configs/exim-retiolum.nix>
<stockholm/tv/2configs/gitconfig.nix>
<stockholm/tv/2configs/pulse.nix>
<stockholm/tv/2configs/retiolum.nix>
];
environment.homeBinInPath = true;
krebs.build.host = config.krebs.hosts.bu;
networking.hostId = lib.mkDefault "00000000";
networking.wireless.enable = true;
networking.useDHCP = false;
networking.interfaces.enp0s25.useDHCP = true;
networking.interfaces.wlp3s0.useDHCP = true;
networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
networking.wireless.interfaces = [
"wlp3s0"
];
programs.gnupg.agent.enable = true;
programs.gnupg.agent.pinentryFlavor = "gtk2";
services.earlyoom.enable = true;
services.earlyoom.freeMemThreshold = 5;
systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
"--prefer '(^|/)chromium$'"
];
system.stateVersion = "21.11";
}

19
tv/1systems/bu/disks.nix Normal file
View File

@ -0,0 +1,19 @@
{
boot.initrd.luks.devices.buda2.device = "/dev/sda2";
fileSystems."/" = {
device = "buda2/root";
fsType = "zfs";
};
fileSystems."/bku" = {
device = "buda2/bku";
fsType = "zfs";
};
fileSystems."/home" = {
device = "buda2/home";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/sda1";
fsType = "vfat";
};
}

View File

@ -10,6 +10,24 @@ with import <stockholm/lib>;
yearly = { format = "%Y"; }; yearly = { format = "%Y"; };
}; };
}) { }) {
bu-home-wu = {
method = "push";
src = { host = config.krebs.hosts.bu; path = "/home"; };
dst = { host = config.krebs.hosts.wu; path = "/bku/bu-home"; };
startAt = "05:15";
};
bu-home-xu = {
method = "push";
src = { host = config.krebs.hosts.bu; path = "/home"; };
dst = { host = config.krebs.hosts.xu; path = "/bku/bu-home"; };
startAt = "05:20";
};
bu-home-zu = {
method = "push";
src = { host = config.krebs.hosts.bu; path = "/home"; };
dst = { host = config.krebs.hosts.zu; path = "/bku/bu-home"; };
startAt = "05:25";
};
nomic-home-xu = { nomic-home-xu = {
method = "push"; method = "push";
src = { host = config.krebs.hosts.nomic; path = "/home"; }; src = { host = config.krebs.hosts.nomic; path = "/home"; };
@ -40,6 +58,12 @@ with import <stockholm/lib>;
dst = { host = config.krebs.hosts.zu; path = "/bku/wu-home"; }; dst = { host = config.krebs.hosts.zu; path = "/bku/wu-home"; };
startAt = "05:20"; startAt = "05:20";
}; };
xu-home-bu = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; };
dst = { host = config.krebs.hosts.bu; path = "/bku/xu-home"; };
startAt = "04:50";
};
xu-home-nomic = { xu-home-nomic = {
method = "push"; method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; }; src = { host = config.krebs.hosts.xu; path = "/home"; };