From 4cf1dfeef28e3571eac3e8a4495347f778e9c0a5 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 30 Sep 2018 01:25:06 +0200 Subject: [PATCH 01/74] ma pkgs._4nxci: re-package 4nxci's version of mbedtls --- makefu/5pkgs/{4nxci => _4nxci}/default.nix | 44 +++++++++++----------- 1 file changed, 21 insertions(+), 23 deletions(-) rename makefu/5pkgs/{4nxci => _4nxci}/default.nix (55%) diff --git a/makefu/5pkgs/4nxci/default.nix b/makefu/5pkgs/_4nxci/default.nix similarity index 55% rename from makefu/5pkgs/4nxci/default.nix rename to makefu/5pkgs/_4nxci/default.nix index 3aba3be45..dafa37ff6 100644 --- a/makefu/5pkgs/4nxci/default.nix +++ b/makefu/5pkgs/_4nxci/default.nix 
@@ -1,33 +1,31 @@ -{ stdenv, lib, fetchFromGitHub, mbedtls, python2 }: +{ stdenv, lib, fetchFromGitHub, mbedtls, python2, perl }: let - - mymbedtls = lib.overrideDerivation mbedtls (old: rec { - name = "mbedtls-${version}"; - version = "2.13.0"; - src = fetchFromGitHub { - owner = "ARMmbed"; - repo = "mbedtls"; - rev = name; - sha256 = "1257kp7yxkwwbx5v14kmrmgk1f9zagiddg5alm4wbj0pmgbrm14j"; - }; - buildInputs = old.buildInputs ++ [ python2 ]; - postConfigure = '' - perl scripts/config.pl set MBEDTLS_CMAC_C - ''; - doCheck = false; - - }); -in stdenv.mkDerivation rec { - name = "4nxci-${version}"; - version = "1.30"; - + version = "1.35"; src = fetchFromGitHub { owner = "The-4n"; repo = "4NXCI"; rev = "v${version}"; - sha256 = "0nrd19z88iahxcdx468lzgxlvkl65smwx8f9s19431cszyhvpxyh"; + sha256 = "0yq0irxzi4wi71ajw8ld01zfpkrgknpq7g3m76pbnwmdzkm7dra6"; }; + mymbedtls = stdenv.mkDerivation { + name = "mbedtls-${version}"; + version = "2.6.1"; + doCheck = false; + inherit src; + buildInputs = [ perl ]; + phases = [ "unpackPhase" "buildPhase" "installPhase" ]; + makeFlags = [ "DESTDIR=$(out)" ]; + buildPhase = '' + cp config.mk.template config.mk + cd mbedtls + make + ''; + }; +in stdenv.mkDerivation rec { + name = "4nxci-${version}"; + + inherit src version; buildPhase = '' cp config.mk.template config.mk sed -i 's#\(INCLUDE =\).*#\1${mymbedtls}/include#' Makefile From 453fc4093a0cc3b18a71fcc6e2e0f3189aed0131 Mon Sep 17 00:00:00 2001 From: jeschli Date: Fri, 5 Oct 2018 14:04:27 +0200 Subject: [PATCH 02/74] j brauerei: +luis @ dev tmux --- jeschli/1systems/brauerei/config.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/jeschli/1systems/brauerei/config.nix b/jeschli/1systems/brauerei/config.nix index 0c01b7948..e419e35be 100644 --- a/jeschli/1systems/brauerei/config.nix +++ b/jeschli/1systems/brauerei/config.nix 
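Review bot: `name = "mbedtls-${version}"` in the new `mymbedtls` derivation does not pick up the `version = "2.6.1"` written one line below it, because that attribute set is not `rec`; `${version}` resolves to the outer `let` binding `version = "1.35"`, so the store path is named mbedtls-1.35. Changing the header to `mymbedtls = stdenv.mkDerivation rec {` makes the name agree with the inner version. The old `postConfigure` that enabled MBEDTLS_CMAC_C is gone; whether the copy bundled with 4NXCI already has it switched on cannot be seen here, so a comment next to `inherit src;` stating where that was checked would help. Because mbedtls is now built from the 4NXCI tree rather than from the nixpkgs package, it no longer follows nixpkgs mbedtls security updates, which deserves a one-line comment on the `mymbedtls` line. The outer `stdenv.mkDerivation rec` body continues past the end of the hunk.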
@@ -147,6 +147,7 @@ isNormalUser = true; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey + "ssh-rsa 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 lhebendanz@nixos" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHR1ZPDBMUjGWar/QmI2GiUkZM8pAXRyBDh8j3hGlxlS+0lsBV6bTAI5F13iyzTC4pCuEuDO2OlFB0scwjcOATci8phd8jTjOIDodqDaeQZXbshyuUBfyiAV6q0Sc+cUDV3D6GhzigH3t8EiQmvXmUGm916yFotT12o0dm83SCOh1nAf9ZveC1Hz/eEUTvgWvIb58OdUR5F/S5OVBnIIJZ8tcp0BP9lyjjJCcANWkYJlwaVcNNb0UarCRhvRtptFj+e/EPqQxSCaS2QcxW4zBsQ6C81TFf7WrdH+pwtFg0owlWsxv547sRLLiPf2h2YuQgSoAaW24N0SHhUqvOXd+JyaYw7MAF8Qh3jHm2iJQRgXNuIN0msFi1alwAevilL2mnfAt2biQ9sS9g+CVvQCwX3mg09E4Y3UmFLzvsJafD9meKVrjnDCcXySeAfts59eFmwKtMQ0qrEWaclzUiA6Ay3uD1zma8x1XELGTf8nxnXCGl8s2i2APn7y1Tcwep69DlENWSaReF5zBLIkCtIUDd+8xBFTF3yu5CpyRrRMKGa0QX/MtsQl4SGJWadOTwpM8joIbrIVfKkTNB2McxAjvo0iaRoBDm409gi2Ycy+NSoUV/KAIUG7OysAQZ62hr+E/Kw1ocJCIVI+9vzKx/EnEIHkCSwhYKl5393W7CShVJjJUcKcZddqX2smSShXq8rXPzhIHk1dAVn5Ff/vGZT9z9R0QN3z6Oa9QN5t5TjTdUDToqHTudqOpDxPl2c2yXK9wV+aoHFoML9AmbzTT1U1mKU7GXSoFACiKNzhDzkovyJGpWRyvisX5t75IfuVqvGGI8n3u8OhPMdyyOHRylVaciDzBMZ00xnIHB+dJG9IeYaMm9bW1Li4Jo0CWnogo2+olfHPMLijBuu+bsa5Kp6kFkccJYR/xqcSq0lVXkpGm692JI4dnMGjchipXEGh1gXof9jXHemMMBwjpLFGty+D0r5KdA33m+mIqc9hi0ShquA9nA7E1IxDlgE0gQg+P5ZOeeIN7q54AQmT8iCCCRyne2Kw57XxaGgZoLfj7VjjaeRlzBUglmtyq8B7/c0J3y41vt9Hxhj4sKD+vufZu+M9E6E936KsJlIi+3U0PtopM/b8L4jcH1JYpPljapsys8wkJZ1ymHf6Kj/0FHyi1V+GvquiVrlFN+aHECIzNlCiSMO4MqfPUO1A+s9zkG2ZgPNNv+LoZqnokjbmKM4kdxexMxaL/Eo9Nd/bzdYiFYXlllEL7Uox+yV0N3loQ2juh4zn+ctCnwHi+V9X4l4rB8amW96WrXiJ/WqEK2UO8St8dcQWhCsUUm2OawSrbYYZw5HhJwz/Rhz2UsdSc56s5OUiQLJqpILYvCnqSLlF4iZdRSdDQNpKn+le3CeGUl5UUuvK2BpKGrbPKx0i/2ZSEMxNA5GnDMx/NyiNyDBcoPu/XOlNi8VWsEbCtoTQRamvqHjOmNcPrxCxds+TaF8c0wMR720yj5sWq8= jeschli@nixos" ]; }; From d6ee59430d800fe2cb14ab71143c3fba7bbf9089 Mon Sep 17 00:00:00 2001 
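Review bot: The new key is pasted as a raw `ssh-rsa` literal while the line above obtains lass's key via `config.krebs.users.lass.pubkey`; defining a `krebs.users.lhebendanz` entry and referencing `config.krebs.users.lhebendanz.pubkey` here would keep the key in one place, so revoking or rotating it is a single edit. As written, the only hint about the key's owner is the trailing `lhebendanz@nixos` comment, which a later reader cannot verify without out-of-band knowledge. The user definition that this `openssh.authorizedKeys.keys` list belongs to starts before the hunk.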
From: lassulus Date: Sun, 7 Oct 2018 15:09:15 +0200 Subject: [PATCH 03/74] add charybdis module until it's fixed in 18.09 --- krebs/2configs/ircd.nix | 2 +- krebs/3modules/charybdis.nix | 110 +++++++++++++++++++++++++++++++++++ krebs/3modules/default.nix | 1 + 3 files changed, 112 insertions(+), 1 deletion(-) create mode 100644 krebs/3modules/charybdis.nix diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index 962dbf49c..65972aacc 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -5,7 +5,7 @@ 6667 6669 ]; - services.charybdis = { + krebs.charybdis = { enable = true; motd = '' hello diff --git a/krebs/3modules/charybdis.nix b/krebs/3modules/charybdis.nix new file mode 100644 index 000000000..f4a7c1313 --- /dev/null +++ b/krebs/3modules/charybdis.nix 
@@ -0,0 +1,110 @@ +{ config, lib, pkgs, ... }: + +let + inherit (lib) mkEnableOption mkIf mkOption singleton types; + inherit (pkgs) coreutils charybdis; + cfg = config.krebs.charybdis; + + configFile = pkgs.writeText "charybdis.conf" '' + ${cfg.config} + ''; +in + +{ + + ###### interface + + options = { + + krebs.charybdis = { + + enable = mkEnableOption "Charybdis IRC daemon"; + + config = mkOption { + type = types.string; + description = '' + Charybdis IRC daemon configuration file. + ''; + }; + + statedir = mkOption { + type = types.string; + default = "/var/lib/charybdis"; + description = '' + Location of the state directory of charybdis. + ''; + }; + + user = mkOption { + type = types.string; + default = "ircd"; + description = '' + Charybdis IRC daemon user. + ''; + }; + + group = mkOption { + type = types.string; + default = "ircd"; + description = '' + Charybdis IRC daemon group. + ''; + }; + + motd = mkOption { + type = types.nullOr types.lines; + default = null; + description = '' + Charybdis MOTD text. + + Charybdis will read its MOTD from /etc/charybdis/ircd.motd . + If set, the value of this option will be written to this path. 
+ ''; + }; + + }; + + }; + + + ###### implementation + + config = mkIf cfg.enable (lib.mkMerge [ + { + users.users = singleton { + name = cfg.user; + description = "Charybdis IRC daemon user"; + uid = config.ids.uids.ircd; + group = cfg.group; + }; + + users.groups = singleton { + name = cfg.group; + gid = config.ids.gids.ircd; + }; + + systemd.services.charybdis = { + description = "Charybdis IRC daemon"; + wantedBy = [ "multi-user.target" ]; + environment = { + BANDB_DBPATH = "${cfg.statedir}/ban.db"; + }; + serviceConfig = { + ExecStart = "${charybdis}/bin/charybdis -foreground -logfile /dev/stdout -configfile ${configFile}"; + Group = cfg.group; + User = cfg.user; + PermissionsStartOnly = true; # preStart needs to run with root permissions + }; + preStart = '' + ${coreutils}/bin/mkdir -p ${cfg.statedir} + ${coreutils}/bin/chown ${cfg.user}:${cfg.group} ${cfg.statedir} + ''; + }; + + } + + (mkIf (cfg.motd != null) { + environment.etc."charybdis/ircd.motd".text = cfg.motd; + }) + ]); +} diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 6307649e3..dd682bf4d 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -14,6 +14,7 @@ let ./buildbot/master.nix ./buildbot/slave.nix ./build.nix + ./charybdis.nix ./ci.nix ./current.nix ./exim.nix From a19708a441ff7c7bb46131b83e9294890fe079b4 Mon Sep 17 00:00:00 2001 From: jeschli Date: Sun, 7 Oct 2018 16:42:45 +0200 Subject: [PATCH 04/74] j emacs: remove melpaPackages.mmm-mode --- jeschli/2configs/emacs.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/jeschli/2configs/emacs.nix b/jeschli/2configs/emacs.nix index 3bd2dbfc4..5fc887477 100644 --- a/jeschli/2configs/emacs.nix +++ b/jeschli/2configs/emacs.nix 
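Review bot: The `config` option is rendered with `pkgs.writeText` into `configFile`, so whatever a user puts in it — including charybdis operator, connect or auth passwords — ends up world-readable in the Nix store, and the option description does not say so. Suggested description text: `Charybdis IRC daemon configuration file. The value is written to the Nix store, which is world-readable; keep passwords (operator, connect, auth blocks) out of it.` All four string options use `types.string`; `types.str` is the current spelling and, as far as I recall, `types.string` merges several definitions by plain concatenation rather than reporting a conflict, which is worth confirming against the nixpkgs revision this repo pins. The service unit runs as `cfg.user` but carries no systemd sandboxing directives such as `ProtectSystem` or `PrivateTmp`; that is a reasonable hardening follow-up rather than a blocker for this commit.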
@@ -67,7 +67,6 @@ let emacsWithCustomPackages = (pkgs.emacsPackagesNgGen pkgs.emacs).emacsWithPackages (epkgs: [ epkgs.melpaPackages.evil epkgs.melpaStablePackages.magit - epkgs.melpaPackages.mmm-mode epkgs.melpaPackages.nix-mode epkgs.melpaPackages.go-mode epkgs.melpaPackages.google-this From d92a2971d7c749a5ffa241e679f2e32008adf8c0 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 7 Oct 2018 16:49:08 +0200 Subject: [PATCH 05/74] krops: init submodule --- .gitmodules | 3 +++ submodules/krops | 1 + 2 files changed, 4 insertions(+) create mode 160000 submodules/krops diff --git a/.gitmodules b/.gitmodules index c96fec739..f35a9250d 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,6 @@ [submodule "submodules/nix-writers"] path = submodules/nix-writers url = http://cgit.krebsco.de/nix-writers +[submodule "submodules/krops"] + path = submodules/krops + url = https://cgit.krebsco.de/krops diff --git a/submodules/krops b/submodules/krops new file mode 160000 index 000000000..e2b296542 --- /dev/null +++ b/submodules/krops @@ -0,0 +1 @@ +Subproject commit e2b29654251367545700154ffbac806705dd04c0 From 4c73914d128e8d5b36a0644834db7cbd09be7434 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 7 Oct 2018 17:08:01 +0200 Subject: [PATCH 06/74] krops: import from submodules --- krebs/krops.nix | 5 +---- makefu/krops.nix | 5 +---- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/krebs/krops.nix b/krebs/krops.nix index 864cc8066..89354c1ea 100644 --- a/krebs/krops.nix +++ b/krebs/krops.nix @@ -1,9 +1,6 @@ { name }: rec { - krops = builtins.fetchGit { - url = https://cgit.krebsco.de/krops/; - rev = "c46166d407c7d246112f13346621a3fbdb25889e"; - }; + krops = ../submodules/krops; lib = import "${krops}/lib"; diff --git a/makefu/krops.nix b/makefu/krops.nix index ddb4afece..4f55915af 100644 --- a/makefu/krops.nix +++ b/makefu/krops.nix 
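Review bot: `krops = ../submodules/krops;` in krebs/krops.nix, and the identical line in makefu/krops.nix in the next hunk, now depend on the submodule being checked out; with an uninitialised submodule the path is an empty directory and `import "${krops}/lib"` fails with a missing-file error that never mentions submodules. A comment `# krops is a git submodule: run 'git submodule update --init' after cloning` above the assignment would make that failure mode obvious. The two files previously pinned different krops revisions (c46166d… and 4e466eaf…) and now share the single gitlink e2b2965…, which is the better supply-chain state, but it does mean makefu's deployment tooling moves to a revision it was not pinned to before. The `rec` attribute set that holds this binding continues past the hunk.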
@@ -1,8 +1,5 @@ { config ? config, name, target ? name }: let - krops = builtins.fetchGit { - url = https://cgit.krebsco.de/krops/; - rev = "4e466eaf05861b47365c5ef46a31a188b70f3615"; - }; + krops = ../submodules/krops; nixpkgs-src = lib.importJSON ./nixpkgs.json; lib = import "${krops}/lib"; From 6b08d5aa46adc80d8a1ab4ed1d3e320c61a19f01 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sun, 7 Oct 2018 20:57:53 +0200 Subject: [PATCH 07/74] remove nin --- krebs/3modules/default.nix | 1 - krebs/3modules/nin/default.nix | 111 ------ lass/1systems/prism/config.nix | 8 - nin/0tests/dummysecrets/hashedPasswords.nix | 1 - nin/0tests/dummysecrets/ssh.id_ed25519 | 0 nin/1systems/axon/config.nix | 132 -------- nin/1systems/hiawatha/config.nix | 126 ------- nin/1systems/onondaga/config.nix | 23 -- nin/2configs/ableton.nix | 20 -- nin/2configs/copyq.nix | 38 --- nin/2configs/default.nix | 173 ---------- nin/2configs/games.nix | 70 ---- nin/2configs/git.nix | 60 ---- nin/2configs/im.nix | 19 -- nin/2configs/retiolum.nix | 28 -- nin/2configs/skype.nix | 27 -- nin/2configs/termite.nix | 22 -- nin/2configs/vim.nix | 355 -------------------- nin/2configs/weechat.nix | 21 -- nin/default.nix | 7 - nin/krops.nix | 35 -- 21 files changed, 1277 deletions(-) delete mode 100644 krebs/3modules/nin/default.nix delete mode 100644 nin/0tests/dummysecrets/hashedPasswords.nix delete mode 100644 nin/0tests/dummysecrets/ssh.id_ed25519 delete mode 100644 nin/1systems/axon/config.nix delete mode 100644 nin/1systems/hiawatha/config.nix delete mode 100644 nin/1systems/onondaga/config.nix delete mode 100644 nin/2configs/ableton.nix delete mode 100644 nin/2configs/copyq.nix delete mode 100644 nin/2configs/default.nix delete mode 100644 nin/2configs/games.nix delete mode 100644 nin/2configs/git.nix delete mode 100644 nin/2configs/im.nix delete mode 100644 nin/2configs/retiolum.nix delete mode 100644 nin/2configs/skype.nix delete mode 100644 nin/2configs/termite.nix delete mode 100644 nin/2configs/vim.nix delete mode 100644 nin/2configs/weechat.nix delete mode 100644 nin/default.nix delete mode 100644 nin/krops.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index dd682bf4d..8f2e22acf 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
@@ -112,7 +112,6 @@ let { krebs = import ./krebs { inherit config; }; } { krebs = import ./lass { inherit config; }; } { krebs = import ./makefu { inherit config; }; } - { krebs = import ./nin { inherit config; }; } { krebs = import ./tv { inherit config; }; } { krebs.dns.providers = { diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix deleted file mode 100644 index 1531a2c89..000000000 --- a/krebs/3modules/nin/default.nix +++ /dev/null 
@@ -1,111 +0,0 @@ -{ config, ... }: - -with import ; - -{ - hosts = mapAttrs (_: recursiveUpdate { - owner = config.krebs.users.nin; - ci = true; - }) { - hiawatha = { - cores = 2; - nets = { - retiolum = { - ip4.addr = "10.243.132.96"; - ip6.addr = "42:0000:0000:0000:0000:0000:0000:2342"; - aliases = [ - "hiawatha.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAucIe5yLzKJ8F982XRpZT6CvyXuPrtnNTmw/E/T6Oyq88m/OVHh6o - Viho1XAlJZZwqNniItD0AQB98uFB3+3yA7FepnwwC+PEceIfBG4bTDNyYD3ZCsAB - iWpmRar9SQ7LFnoZ6X2lYaJkUD9afmvXqJJLR5MClnRQo5OSqXaFdp7ryWinHP7E - UkPSNByu4LbQ9CnBEW8mmCVZSBLb8ezxg3HpJSigmUcJgiDBJ6aj22BsZ5L+j1Sr - lvUuaCr8WOS41AYsD5dbTYk7EG42tU5utrOS6z5yHmhbA5r8Ro2OFi/R3Td68BIJ - yw/m8sfItBCvjJSMEpKHEDfGMBCfQKltCwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - ssh.privkey.path = ; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx"; - }; - axon= { - cores = 2; - nets = { - retiolum = { - ip4.addr = "10.243.134.66"; - ip6.addr = "42:0000:0000:0000:0000:0000:0000:1379"; - aliases = [ - "axon.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIECgKCBAEA89h5SLDQL/ENM//3SMzNkVnW4dBdg1GOXs/SdRCTcgygJC0TzsAo - glfQhfS+OhFSC/mXAjP8DnN7Ys6zXzMfJgH7TgVRJ8tCo5ETehICA19hMjMFINLj - KZhhthPuX7u2Jr4uDMQ0eLJnKVHF4PmHnkA+JGcOqO7VSkgcqPvqPMnJFcMkGWvH - L3KAz1KGPHZWrAB2NBDrD/bOZj4L39nS4nJIYVOraP7ze1GTTC7s/0CnZj3qwS5j - VdUYgAR+bdxlWm1B1PPOjkslP6UOklQQK4SjK3ceLYb2yM7BVICeznjWCbkbMACY - PUSvdxyiD7nZcLvuM3cJ1M45zUK+tAHHDB5FFUUAZ+YY/Xml4+JOINekpQdGQqkN - X4VsdRGKpjqi+OXNP4ktDcVkl8uALmNR6TFfAEwQJdjgcMxgJGW9PkqvPl3Mqgoh - m89lHPpO0Cpf40o6lZRG42gH1OR7Iy1M234uA08a3eFf+IQutHaOBt/Oi0YeiaQp - OtJHmWtpsQRz24/m+uroSUtKZ63sESli28G1jP73Qv7CiB8KvSX0Z4zKJOV/CyaT - LLguAyeWdNLtVg4bGRd7VExoWA+Rd9YKHCiE5duhETZk0Hb9WZmgPdM7A0RBb+1H - /F9BPKSZFl2e42VEsy8yNmBqO8lL7DVbAjLhtikTpPLcyjNeqN99a8jFX4c5nhIK - MVsSLKsmNGQq+dylXMbErsGu3P/OuCZ4mRkC32Kp4qwJ+JMrJc8+ZbhKl6Fhwu0w - 
7DwwoUaRoMqtr2AwR+X67eJsYiOVo5EkqBo6DrWIM6mO2GrWHg5LTBIShn08q/Nm - ofPK2TmLdfqBycUR0kRCCPVi82f9aElmg3pzzPJnLAn9JLL43q6l+sefvtr9sTs3 - 1co6m8k5mO8zTb8BCmX2nFMkCopuHeF1nQ33y6woq0D8WsXHfHtbPwN9eYRVrbBF - 29YBp5E+Q1pQB+0rJ4A5N1I3VUKhDGKc72pbQc8cYoAbDXA+RKYbsFOra5z585dt - 4HQXpwj3a/JGJYRT6FVbJp4p8PjwAtN9VkpXNl4//3lXQdDD6aQ6ssXaKxVAp2Xj - FjPjx6J6ok4mRvofKNAREt4eZUdDub34bff6G0zI7Vls9t4ul0uHsJ6+ic3CG+Yl - buLfOkDp4hVCAlMPQ2NJfWKSggoVao7OTBPTMB3NiM56YOPptfZgu2ttDRTyuQ7p - hrOwutxoy/abH3hA8bWj1+C23vDtQ2gj0r16SWxpPdb3sselquzKp9NIvtyRVfnG - yYZTWRHg9mahMC2P0/wWAQVjKb0LnTib4lSe21uqFkWzp+3/Uu+hiwP5xGez/NIi - ahyL7t0D9r9y+i1RPjYWypgyR568fiGheQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - ssh.privkey.path = ; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF4ubHA2pQzV4tQq9D1zRTD1xOSR6xZM3z6te+5A1ekc"; - }; - onondaga = { - cores = 1; - nets = { - retiolum = { - ip4.addr = "10.243.132.55"; - ip6.addr = "42:0000:0000:0000:0000:0000:0000:1357"; - aliases = [ - "onondaga.r" - "cgit.onondaga.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAqj6NPhRVsr8abz9FFx9+ld3amfxN7SRNccbksUOqkufGS0vaupFR - OWsgj4Qmt3lQ82YVt5yjx0FZHkAsenCEKM3kYoIb4nipT0e1MWkQ7plVveMfGkiu - htaJ1aCbI2Adxfmk4YbyAr8k3G+Zl9t7gTikBRh7cf5PMiu2JhGUZHzx9urR0ieH - xyashZFjl4TtIy4q6QTiyST9kfzteh8k7CJ72zfYkdHl9dPlr5Nk22zH9xPkyzmO - kCNeknuDqKeTT9erNtRLk6pjEcyutt0y2/Uq6iZ38z5qq9k4JzcMuQ3YPpNy8bxn - hVuk2qBu6kBTUW3iLchoh0d4cfFLWLx1SQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - ssh.privkey.path = ; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmQk7AXsYLzjUrOjsuhZ3+gT7FjhPtjwxv5XnuU8GJO"; - }; - - }; - users = { - nin = { - mail = "nin@axon.r"; - pubkey = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQCl4jHl2dya9Tecot7AcHuk57FiPN0lo8eDa03WmTOCCU7gEJLgpi/zwLxY/K4eXsDgOt8LJwddicgruX2WgIYD3LnwtuN40/U9QqqdBIv/5sYZTcShAK2jyPj0vQJlVUpL7DLxxRH+t4lWeRw/1qaAAVt9jEVbzT5RH233E6+SbXxfnQDhDwOXwD1qfM10BOGh63iYz8/loXG1meb+pkv3HTf5/D7x+/y1XvWRPKuJ2Ml33p2pE3cTd+Tie1O8CREr45I9JOIOKUDQk1klFL5NNXnaQ9h1FRCsnQuoGztoBq8ed6XXL/b8mQ0lqJMxHIoCuDN/HBZYJ0z+1nh8X6XH nin@axon"; - }; - nin_h = { - mail = "nin@hiawatha.r"; - pubkey = "ssh-rsa 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 nin@hiawatha"; - }; - }; -} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index bf7de6fc5..808f35b24 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -57,13 +57,6 @@ with import ; config.krebs.users.makefu.pubkey ]; }; - users.users.nin = { - uid = genid "nin"; - isNormalUser = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.nin.pubkey - ]; - }; users.extraUsers.dritter = { uid = genid "dritter"; isNormalUser = true; @@ -119,7 +112,6 @@ with import ; services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey - config.krebs.users.nin.pubkey ]; }; autoStart = true; diff --git a/nin/0tests/dummysecrets/hashedPasswords.nix b/nin/0tests/dummysecrets/hashedPasswords.nix deleted file mode 100644 index 0967ef424..000000000 --- a/nin/0tests/dummysecrets/hashedPasswords.nix +++ /dev/null @@ -1 +0,0 @@ -{} diff --git a/nin/0tests/dummysecrets/ssh.id_ed25519 b/nin/0tests/dummysecrets/ssh.id_ed25519 deleted file mode 100644 index e69de29bb..000000000 diff --git a/nin/1systems/axon/config.nix b/nin/1systems/axon/config.nix deleted file mode 100644 index 5e81afdbd..000000000 --- a/nin/1systems/axon/config.nix +++ /dev/null 
@@ -1,132 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, lib, pkgs, ... }: - -with lib; - -{ - imports = [ - - - #../2configs/copyq.nix - - - - - - ]; - - krebs.build.host = config.krebs.hosts.axon; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/pool/root"; - fsType = "ext4"; - }; - - fileSystems."/tmp" = - { device = "tmpfs"; - fsType = "tmpfs"; - }; - - fileSystems."/boot" = - { device = "/dev/sda1"; - fsType = "ext2"; - }; - - boot.initrd.luks.devices.crypted.device = "/dev/sda2"; - boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - - swapDevices = [ ]; - - nix.maxJobs = lib.mkDefault 4; - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - # Define on which hard drive you want to install Grub. - boot.loader.grub.device = "/dev/sda"; - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - - # Enable CUPS to print documents. 
- # services.printing.enable = true; - - # nin config - time.timeZone = "Europe/Berlin"; - services.xserver = { - enable = true; - - displayManager.lightdm.enable = true; - }; - - networking.networkmanager.enable = true; - #networking.wireless.enable = true; - - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - - hardware.bluetooth.enable = true; - - hardware.opengl.driSupport32Bit = true; - - #nixpkgs.config.steam.java = true; - - environment.systemPackages = with pkgs; [ - atom - chromium - firefox - git - htop - keepassx - lmms - networkmanagerapplet - openvpn - python - ruby - steam - taskwarrior - thunderbird - vim - virtmanager - ]; - - nixpkgs.config = { - - allowUnfree = true; - - }; - - #services.logind.extraConfig = "HandleLidSwitch=ignore"; - - services.xserver.synaptics = { - enable = true; - }; - - services.xserver.displayManager.sessionCommands = '' - ${pkgs.xorg.xhost}/bin/xhost + local: - ''; - - services.xserver.desktopManager.xfce = let - xbindConfig = pkgs.writeText "xbindkeysrc" '' - "${pkgs.pass}/bin/passmenu --type" - Control + p - ''; - in { - enable = true; - extraSessionCommands = '' - ${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig} - ''; - }; - - # The NixOS release to be compatible with for stateful data such as databases. - system.stateVersion = "17.03"; - -} diff --git a/nin/1systems/hiawatha/config.nix b/nin/1systems/hiawatha/config.nix deleted file mode 100644 index a09eed958..000000000 --- a/nin/1systems/hiawatha/config.nix +++ /dev/null 
@@ -1,126 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, lib, pkgs, ... }: - -with lib; - -{ - imports = [ - - - #../2configs/copyq.nix - - - - - ]; - - krebs.build.host = config.krebs.hosts.hiawatha; - - boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; - boot.extraModulePackages = [ ]; - - fileSystems."/" = - { device = "/dev/disk/by-uuid/b83f8830-84f3-4282-b10e-015c4b76bd9e"; - fsType = "ext4"; - }; - - fileSystems."/tmp" = - { device = "tmpfs"; - fsType = "tmpfs"; - }; - - fileSystems."/home" = - { device = "/dev/fam/home"; - }; - - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/2f319b08-2560-401d-b53c-2abd28f1a010"; - fsType = "ext2"; - }; - - boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; - boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - - swapDevices = [ ]; - - nix.maxJobs = lib.mkDefault 4; - # Use the GRUB 2 boot loader. - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - # Define on which hard drive you want to install Grub. - boot.loader.grub.device = "/dev/sda"; - - # Enable the OpenSSH daemon. - services.openssh.enable = true; - - # Enable CUPS to print documents. 
- # services.printing.enable = true; - - fileSystems."/home/nin/.local/share/Steam" = { - device = "/dev/fam/steam"; - }; - - # nin config - time.timeZone = "Europe/Berlin"; - services.xserver.enable = true; - - networking.networkmanager.enable = true; - #networking.wireless.enable = true; - - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - - hardware.bluetooth.enable = true; - - hardware.opengl.driSupport32Bit = true; - - #nixpkgs.config.steam.java = true; - - environment.systemPackages = with pkgs; [ - firefox - git - lmms - networkmanagerapplet - python - steam - thunderbird - vim - virtmanager - ]; - - nixpkgs.config = { - - allowUnfree = true; - - }; - - #services.logind.extraConfig = "HandleLidSwitch=ignore"; - - services.xserver.synaptics = { - enable = true; - }; - - - services.xserver.desktopManager.xfce = let - xbindConfig = pkgs.writeText "xbindkeysrc" '' - "${pkgs.pass}/bin/passmenu --type" - Control + p - ''; - in { - enable = true; - extraSessionCommands = '' - ${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig} - ''; - }; - - # The NixOS release to be compatible with for stateful data such as databases. - system.stateVersion = "17.03"; - -} diff --git a/nin/1systems/onondaga/config.nix b/nin/1systems/onondaga/config.nix deleted file mode 100644 index 3cd0773ae..000000000 --- a/nin/1systems/onondaga/config.nix +++ /dev/null @@ -1,23 +0,0 @@ -# Edit this configuration file to define what should be installed on -# your system. Help is available in the configuration.nix(5) man page -# and in the NixOS manual (accessible by running ‘nixos-help’). - -{ config, lib, pkgs, ... }: - -{ - imports = [ - - - - - ]; - - krebs.build.host = config.krebs.hosts.onondaga; - - boot.isContainer = true; - networking.useDHCP = false; - - time.timeZone = "Europe/Amsterdam"; - - services.openssh.enable = true; -} diff --git a/nin/2configs/ableton.nix b/nin/2configs/ableton.nix deleted file mode 100644 index 343a9089d..000000000 
--- a/nin/2configs/ableton.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ config, pkgs, ... }: let - mainUser = config.users.extraUsers.nin; -in { - users.users= { - ableton = { - isNormalUser = true; - extraGroups = [ - "audio" - "video" - ]; - packages = [ - pkgs.wine - pkgs.winetricks - ]; - }; - }; - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(ableton) NOPASSWD: ALL - ''; -} diff --git a/nin/2configs/copyq.nix b/nin/2configs/copyq.nix deleted file mode 100644 index 0616c4025..000000000 --- a/nin/2configs/copyq.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ config, pkgs, ... }: -with import ; -let - copyqConfig = pkgs.writeDash "copyq-config" '' - ${pkgs.copyq}/bin/copyq config check_clipboard true - ${pkgs.copyq}/bin/copyq config check_selection true - ${pkgs.copyq}/bin/copyq config copy_clipboard true - ${pkgs.copyq}/bin/copyq config copy_selection true - - ${pkgs.copyq}/bin/copyq config activate_closes true - ${pkgs.copyq}/bin/copyq config clipboard_notification_lines 0 - ${pkgs.copyq}/bin/copyq config clipboard_tab clipboard - ${pkgs.copyq}/bin/copyq config disable_tray true - ${pkgs.copyq}/bin/copyq config hide_tabs true - ${pkgs.copyq}/bin/copyq config hide_toolbar true - ${pkgs.copyq}/bin/copyq config item_popup_interval true - ${pkgs.copyq}/bin/copyq config maxitems 1000 - ${pkgs.copyq}/bin/copyq config move true - ${pkgs.copyq}/bin/copyq config text_wrap true - ''; -in { - systemd.user.services.copyq = { - after = [ "graphical.target" ]; - wants = [ "graphical.target" ]; - wantedBy = [ "default.target" ]; - environment = { - DISPLAY = ":0"; - }; - serviceConfig = { - SyslogIdentifier = "copyq"; - ExecStart = "${pkgs.copyq}/bin/copyq"; - ExecStartPost = copyqConfig; - Restart = "always"; - RestartSec = "2s"; - StartLimitBurst = 0; - }; - }; -} diff --git a/nin/2configs/default.nix b/nin/2configs/default.nix deleted file mode 100644 index 62f499a2d..000000000 --- a/nin/2configs/default.nix +++ /dev/null 
@@ -1,173 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -{ - imports = [ - ../2configs/vim.nix - - - { - users.extraUsers = - mapAttrs (_: h: { hashedPassword = h; }) - (import ); - } - { - users.users = { - root = { - openssh.authorizedKeys.keys = [ - config.krebs.users.nin.pubkey - config.krebs.users.nin_h.pubkey - ]; - }; - nin = { - name = "nin"; - uid = 1337; - home = "/home/nin"; - group = "users"; - createHome = true; - useDefaultShell = true; - extraGroups = [ - "audio" - "fuse" - ]; - openssh.authorizedKeys.keys = [ - config.krebs.users.nin.pubkey - config.krebs.users.nin_h.pubkey - ]; - }; - }; - } - { - environment.variables = { - NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; - }; - } - (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in { - environment.variables = { - CURL_CA_BUNDLE = ca-bundle; - GIT_SSL_CAINFO = ca-bundle; - SSL_CERT_FILE = ca-bundle; - }; - }) - ]; - - networking.hostName = config.krebs.build.host.name; - nix.maxJobs = config.krebs.build.host.cores; - - krebs = { - enable = true; - search-domain = "r"; - build = { - user = config.krebs.users.nin; - }; - }; - - nix.useSandbox = true; - - users.mutableUsers = false; - - services.timesyncd.enable = true; - - #why is this on in the first place? 
- services.nscd.enable = false; - - boot.tmpOnTmpfs = true; - # see tmpfiles.d(5) - systemd.tmpfiles.rules = [ - "d /tmp 1777 root root - -" - ]; - - # multiple-definition-problem when defining environment.variables.EDITOR - environment.extraInit = '' - EDITOR=vim - ''; - - nixpkgs.config.allowUnfree = true; - - environment.shellAliases = { - gs = "git status"; - }; - - environment.systemPackages = with pkgs; [ - #stockholm - git - gnumake - jq - proot - pavucontrol - populate - p7zip - termite - unzip - unrar - hashPassword - ]; - - programs.bash = { - enableCompletion = true; - interactiveShellInit = '' - HISTCONTROL='erasedups:ignorespace' - HISTSIZE=65536 - HISTFILESIZE=$HISTSIZE - - shopt -s checkhash - shopt -s histappend histreedit histverify - shopt -s no_empty_cmd_completion - complete -d cd - ''; - promptInit = '' - if test $UID = 0; then - PS1='\[\033[1;31m\]$PWD\[\033[0m\] ' - elif test $UID = 1337; then - PS1='\[\033[1;32m\]$PWD\[\033[0m\] ' - else - PS1='\[\033[1;33m\]\u@$PWD\[\033[0m\] ' - fi - if test -n "$SSH_CLIENT"; then - PS1='\[\033[35m\]\h'" $PS1" - fi - ''; - }; - - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - }; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - krebs.iptables = { - enable = true; - tables = { - nat.PREROUTING.rules = [ - { predicate = "! 
-i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } - { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } - ]; - nat.OUTPUT.rules = [ - { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } - ]; - filter.INPUT.policy = "DROP"; - filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } - { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } - { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; } - { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; } - { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } - { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } - ]; - }; - }; - - networking.dhcpcd.extraConfig = '' - noipv4ll - ''; -} diff --git a/nin/2configs/games.nix b/nin/2configs/games.nix deleted file mode 100644 index 15e17238d..000000000 --- a/nin/2configs/games.nix +++ /dev/null 
@@ -1,70 +0,0 @@ -{ config, pkgs, ... }: - -let - mainUser = config.users.extraUsers.mainUser; - vdoom = pkgs.writeDash "vdoom" '' - ${pkgs.zandronum}/bin/zandronum \ - -fov 120 \ - "$@" - ''; - doom = pkgs.writeDash "doom" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${vdoom} \ - -file $DOOM_DIR/lib/brutalv20.pk3 \ - "$@" - ''; - doom1 = pkgs.writeDashBin "doom1" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${doom} -iwad $DOOM_DIR/wads/stock/doom.wad "$@" - ''; - doom2 = pkgs.writeDashBin "doom2" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${doom} -iwad $DOOM_DIR/wads/stock/doom2.wad "$@" - ''; - vdoom1 = pkgs.writeDashBin "vdoom1" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${vdoom} -iwad $DOOM_DIR/wads/stock/doom.wad "$@" - ''; - vdoom2 = pkgs.writeDashBin "vdoom2" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${vdoom} -iwad $DOOM_DIR/wads/stock/doom2.wad "$@" - ''; - - doomservercfg = pkgs.writeText "doomserver.cfg" '' - skill 7 - #survival true - #sv_maxlives 4 - #sv_norespawn true - #sv_weapondrop true - no_jump true - #sv_noweaponspawn true - sv_sharekeys true - sv_survivalcountdowntime 1 - sv_noteamselect true - sv_updatemaster false - #sv_coop_loseinventory true - #cl_startasspectator false - #lms_spectatorview false - ''; - - vdoomserver = pkgs.writeDashBin "vdoomserver" '' - DOOM_DIR=''${DOOM_DIR:-~/doom/} - - ${pkgs.zandronum}/bin/zandronum-server \ - +exec ${doomservercfg} \ - "$@" - ''; - -in { - environment.systemPackages = with pkgs; [ - dwarf_fortress - doom1 - doom2 - vdoom1 - vdoom2 - vdoomserver - ]; - - hardware.pulseaudio.support32Bit = true; - -} diff --git a/nin/2configs/git.nix b/nin/2configs/git.nix deleted file mode 100644 index aed4a9f48..000000000 --- a/nin/2configs/git.nix +++ /dev/null 
@@ -1,60 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; - -let - - out = { - services.nginx.enable = true; - krebs.git = { - enable = true; - cgit = { - settings = { - root-title = "public repositories at ${config.krebs.build.host.name}"; - root-desc = "keep calm and engage"; - }; - }; - repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) repos; - rules = rules; - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } - ]; - }; - - repos = public-repos; - - rules = concatMap make-rules (attrValues repos); - - public-repos = mapAttrs make-public-repo { - stockholm = { - cgit.desc = "take all the computers hostage, they'll love you!"; - }; - }; - - make-public-repo = name: { cgit ? {}, ... }: { - inherit cgit name; - public = true; - }; - - make-rules = - with git // config.krebs.users; - repo: - singleton { - user = [ nin nin_h ]; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } ++ - optional repo.public { - user = attrValues config.krebs.users; - repo = [ repo ]; - perm = fetch; - } ++ - optional (length (repo.collaborators or []) > 0) { - user = repo.collaborators; - repo = [ repo ]; - perm = fetch; - }; - -in out diff --git a/nin/2configs/im.nix b/nin/2configs/im.nix deleted file mode 100644 index b078dbd53..000000000 --- a/nin/2configs/im.nix +++ /dev/null @@ -1,19 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ; -{ - environment.systemPackages = with pkgs; [ - (pkgs.writeDashBin "im" '' - export PATH=${makeSearchPath "bin" (with pkgs; [ - tmux - gnugrep - weechat - ])} - ssh chat@onondaga - if tmux list-sessions -F\#S | grep -q '^im''$'; then - exec tmux attach -t im - else - exec tmux new -s im weechat - fi - '') - ]; -} diff --git a/nin/2configs/retiolum.nix b/nin/2configs/retiolum.nix deleted file mode 100644 index 821e3cc00..000000000 --- a/nin/2configs/retiolum.nix +++ /dev/null 
@@ -1,28 +0,0 @@ -{ ... }: - -{ - - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; } - { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; } - { predicate = "-p udp --dport tinc"; target = "ACCEPT"; } - ]; - }; - }; - - krebs.tinc.retiolum = { - enable = true; - connectTo = [ - "prism" - "pigstarter" - "gum" - "flap" - ]; - }; - - nixpkgs.config.packageOverrides = pkgs: { - tinc = pkgs.tinc_pre; - }; -} diff --git a/nin/2configs/skype.nix b/nin/2configs/skype.nix deleted file mode 100644 index 621dfae82..000000000 --- a/nin/2configs/skype.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - mainUser = config.users.extraUsers.nin; - inherit (import ) genid; - -in { - users.extraUsers = { - skype = { - name = "skype"; - uid = genid "skype"; - description = "user for running skype"; - home = "/home/skype"; - useDefaultShell = true; - extraGroups = [ "audio" "video" ]; - createHome = true; - }; - }; - - krebs.per-user.skype.packages = [ - pkgs.skype - ]; - - security.sudo.extraConfig = '' - ${mainUser.name} ALL=(skype) NOPASSWD: ALL - ''; -} diff --git a/nin/2configs/termite.nix b/nin/2configs/termite.nix deleted file mode 100644 index 942446b01..000000000 --- a/nin/2configs/termite.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ config, pkgs, ... }: - -{ - environment.systemPackages = [ - pkgs.termite - ]; - - krebs.per-user.nin.packages = let - termitecfg = pkgs.writeTextFile { - name = "termite-config"; - destination = "/etc/xdg/termite/config"; - text = '' - [colors] - foreground = #d0d7d0 - background = #000000 - ''; - }; - in [ - termitecfg - ]; - -} diff --git a/nin/2configs/vim.nix b/nin/2configs/vim.nix deleted file mode 100644 index 7b5d37611..000000000 --- a/nin/2configs/vim.nix +++ /dev/null 
@@ -1,355 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -let - out = { - environment.systemPackages = [ - vim - pkgs.pythonPackages.flake8 - ]; - - environment.etc.vimrc.source = vimrc; - - environment.variables.EDITOR = mkForce "vim"; - environment.variables.VIMINIT = ":so /etc/vimrc"; - }; - - vimrc = pkgs.writeText "vimrc" '' - set nocompatible - - set autoindent - set backspace=indent,eol,start - set backup - set backupdir=${dirs.backupdir}/ - set directory=${dirs.swapdir}// - set hlsearch - set incsearch - set laststatus=2 - set mouse=a - set noruler - set pastetoggle= - set runtimepath=${extra-runtimepath},$VIMRUNTIME - set shortmess+=I - set showcmd - set showmatch - set ttimeoutlen=0 - set undodir=${dirs.undodir} - set undofile - set undolevels=1000000 - set undoreload=1000000 - set viminfo='20,<1000,s100,h,n${files.viminfo} - set visualbell - set wildignore+=*.o,*.class,*.hi,*.dyn_hi,*.dyn_o - set wildmenu - set wildmode=longest,full - - set et ts=2 sts=2 sw=2 - - filetype plugin indent on - - set t_Co=256 - colorscheme hack - syntax on - - au Syntax * syn match Garbage containedin=ALL /\s\+$/ - \ | syn match TabStop containedin=ALL /\t\+/ - \ | syn keyword Todo containedin=ALL TODO - - au BufRead,BufNewFile *.hs so ${hs.vim} - - au BufRead,BufNewFile *.nix so ${nix.vim} - - au BufRead,BufNewFile /dev/shm/* set nobackup nowritebackup noswapfile - - "Syntastic config - let g:syntastic_python_checkers=['flake8'] - - nmap q :buffer - nmap :buffer - - cnoremap - - noremap :q - vnoremap < >gv - - nnoremap [5^ :tabp - nnoremap [6^ :tabn - nnoremap [5@ :tabm -1 - nnoremap [6@ :tabm +1 - - nnoremap :tabp - nnoremap :tabn - inoremap :tabp - inoremap :tabn - - " - noremap Oa | noremap! Oa - noremap Ob | noremap! Ob - noremap Oc | noremap! Oc - noremap Od | noremap! Od - " <[C]S-{Up,Down,Right,Left> - noremap [a | noremap! [a - noremap [b | noremap! [b - noremap [c | noremap! [c - noremap [d | noremap! 
[d - vnoremap u - ''; - - extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [ - pkgs.vimPlugins.Syntastic - pkgs.vimPlugins.undotree - pkgs.vimPlugins.airline - (pkgs.vimUtils.buildVimPlugin { - name = "file-line-1.0"; - src = pkgs.fetchgit { - url = git://github.com/bogado/file-line; - rev = "refs/tags/1.0"; - sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0"; - }; - }) - ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let - name = "hack"; - in { - name = "vim-color-${name}-1.0.2"; - destination = "/colors/${name}.vim"; - text = /* vim */ '' - set background=dark - hi clear - if exists("syntax_on") - syntax clear - endif - - let colors_name = ${toJSON name} - - hi Normal ctermbg=235 - hi Comment ctermfg=242 - hi Constant ctermfg=062 - hi Identifier ctermfg=068 - hi Function ctermfg=041 - hi Statement ctermfg=167 - hi PreProc ctermfg=167 - hi Type ctermfg=041 - hi Delimiter ctermfg=251 - hi Special ctermfg=062 - - hi Garbage ctermbg=088 - hi TabStop ctermbg=016 - hi Todo ctermfg=174 ctermbg=NONE - - hi NixCode ctermfg=148 - hi NixData ctermfg=149 - hi NixQuote ctermfg=150 - - hi diffNewFile ctermfg=207 - hi diffFile ctermfg=207 - hi diffLine ctermfg=207 - hi diffSubname ctermfg=207 - hi diffAdded ctermfg=010 - hi diffRemoved ctermfg=009 - ''; - }))) - ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let - name = "vim"; - in { - name = "vim-syntax-${name}-1.0.0"; - destination = "/syntax/${name}.vim"; - text = /* vim */ '' - ${concatMapStringsSep "\n" (s: /* vim */ '' - syn keyword vimColor${s} ${s} - \ containedin=ALLBUT,vimComment,vimLineComment - hi vimColor${s} ctermfg=${s} - '') (map (i: lpad 3 "0" (toString i)) (range 0 255))} - ''; - }))) - ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let - name = "showsyntax"; - in { - name = "vim-plugin-${name}-1.0.0"; - destination = "/plugin/${name}.vim"; - text = /* vim */ '' - if exists('g:loaded_showsyntax') - finish - endif - let g:loaded_showsyntax = 0 - - fu! 
ShowSyntax() - let id = synID(line("."), col("."), 1) - let name = synIDattr(id, "name") - let transName = synIDattr(synIDtrans(id),"name") - if name != transName - let name .= " (" . transName . ")" - endif - echo "Syntax: " . name - endfu - - command! -n=0 -bar ShowSyntax :call ShowSyntax() - ''; - }))) - ]; - - dirs = { - backupdir = "$HOME/.cache/vim/backup"; - swapdir = "$HOME/.cache/vim/swap"; - undodir = "$HOME/.cache/vim/undo"; - }; - files = { - viminfo = "$HOME/.cache/vim/info"; - }; - - mkdirs = let - dirOf = s: let out = concatStringsSep "/" (init (splitString "/" s)); - in assert out != ""; out; - alldirs = attrValues dirs ++ map dirOf (attrValues files); - in unique (sort lessThan alldirs); - - vim = pkgs.writeDashBin "vim" '' - set -efu - (umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs}) - exec ${pkgs.vim}/bin/vim "$@" - ''; - - - hs.vim = pkgs.writeText "hs.vim" '' - syn region String start=+\[[[:alnum:]]*|+ end=+|]+ - - hi link ConId Identifier - hi link VarId Identifier - hi link hsDelimiter Delimiter - ''; - - nix.vim = pkgs.writeText "nix.vim" '' - setf nix - - " Ref - syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/ - syn match NixINT /\<[0-9]\+\>/ - syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ - syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/ - syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/ - syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/ - syn region NixSTRING - \ matchgroup=NixSTRING - \ start='"' - \ skip='\\"' - \ end='"' - syn region NixIND_STRING - \ matchgroup=NixIND_STRING - \ start="'''" - \ skip="'''\('\|[$]\|\\[nrt]\)" - \ end="'''" - - syn match NixOther /[():/;=.,?\[\]]/ - - syn match NixCommentMatch /\(^\|\s\)#.*/ - syn region NixCommentRegion start="/\*" end="\*/" - - hi link NixCode Statement - hi link NixData Constant - hi link NixComment Comment - - hi link NixCommentMatch NixComment - hi link 
NixCommentRegion NixComment - hi link NixID NixCode - hi link NixINT NixData - hi link NixPATH NixData - hi link NixHPATH NixData - hi link NixSPATH NixData - hi link NixURI NixData - hi link NixSTRING NixData - hi link NixIND_STRING NixData - - hi link NixEnter NixCode - hi link NixOther NixCode - hi link NixQuote NixData - - syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings - syn cluster nix_ind_strings contains=NixIND_STRING - syn cluster nix_strings contains=NixSTRING - - ${concatStringsSep "\n" (mapAttrsToList (lang: { extraStart ? null }: let - startAlts = filter isString [ - ''/\* ${lang} \*/'' - extraStart - ]; - sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*''; - in /* vim */ '' - syn include @nix_${lang}_syntax syntax/${lang}.vim - unlet b:current_syntax - - syn match nix_${lang}_sigil - \ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X - \ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING - \ transparent - - syn region nix_${lang}_region_STRING - \ matchgroup=NixSTRING - \ start='"' - \ skip='\\"' - \ end='"' - \ contained - \ contains=@nix_${lang}_syntax - \ transparent - - syn region nix_${lang}_region_IND_STRING - \ matchgroup=NixIND_STRING - \ start="'''" - \ skip="'''\('\|[$]\|\\[nrt]\)" - \ end="'''" - \ contained - \ contains=@nix_${lang}_syntax - \ transparent - - syn cluster nix_ind_strings - \ add=nix_${lang}_region_IND_STRING - - syn cluster nix_strings - \ add=nix_${lang}_region_STRING - - syn cluster nix_has_dollar_curly - \ add=@nix_${lang}_syntax - '') { - c = {}; - cabal = {}; - haskell = {}; - sh.extraStart = ''write\(Ba\|Da\)sh[^ \t\r\n]*[ \t\r\n]*"[^"]*"''; - vim.extraStart = - ''write[^ \t\r\n]*[ \t\r\n]*"\(\([^"]*\.\)\?vimrc\|[^"]*\.vim\)"''; - })} - - " Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY. 
- syn clear shVarAssign - - syn region nixINSIDE_DOLLAR_CURLY - \ matchgroup=NixEnter - \ start="[$]{" - \ end="}" - \ contains=TOP - \ containedin=@nix_has_dollar_curly - \ transparent - - syn region nix_inside_curly - \ matchgroup=NixEnter - \ start="{" - \ end="}" - \ contains=TOP - \ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly - \ transparent - - syn match NixQuote /'''\([''$']\|\\.\)/he=s+2 - \ containedin=@nix_ind_strings - \ contained - - syn match NixQuote /\\./he=s+1 - \ containedin=@nix_strings - \ contained - - syn sync fromstart - - let b:current_syntax = "nix" - - set isk=@,48-57,_,192-255,-,' - set bg=dark - ''; -in -out diff --git a/nin/2configs/weechat.nix b/nin/2configs/weechat.nix deleted file mode 100644 index 6c0fb313e..000000000 --- a/nin/2configs/weechat.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (import ) genid; -in { - krebs.per-user.chat.packages = with pkgs; [ - mosh - weechat - tmux - ]; - - users.extraUsers.chat = { - home = "/home/chat"; - uid = genid "chat"; - useDefaultShell = true; - createHome = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.nin.pubkey - ]; - }; -} diff --git a/nin/default.nix b/nin/default.nix deleted file mode 100644 index c31d6d949..000000000 --- a/nin/default.nix +++ /dev/null @@ -1,7 +0,0 @@ -_: -{ - imports = [ - ../krebs - ./2configs - ]; -} diff --git a/nin/krops.nix b/nin/krops.nix deleted file mode 100644 index d0074840a..000000000 --- a/nin/krops.nix +++ /dev/null 
@@ -1,35 +0,0 @@ -{ name }: let - inherit (import ../krebs/krops.nix { inherit name; }) - krebs-source - lib - pkgs - ; - - source = { test }: lib.evalSource [ - krebs-source - { - nixos-config.symlink = "stockholm/nin/1systems/${name}/config.nix"; - secrets = if test then { - file = toString ./0tests/dummysecrets; - } else { - pass = { - dir = "${lib.getEnv "HOME"}/.password-store"; - name = "hosts/${name}"; - }; - }; - } - ]; - -in { - # usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy) - deploy = pkgs.krops.writeDeploy "${name}-deploy" { - source = source { test = false; }; - target = "root@${name}/var/src"; - }; - - # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test) - test = { target }: pkgs.krops.writeTest "${name}-test" { - inherit target; - source = source { test = true; }; - }; -} From 9104af869e8c8ce299fc2ddbf7f2631bbbf48b1e Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 7 Oct 2018 23:09:27 +0200 Subject: [PATCH 08/74] ma pkgs: rip zj-58 and jd-gui --- makefu/5pkgs/jd-gui/default.nix | 36 --------------------------------- makefu/5pkgs/zj-58/default.nix | 30 --------------------------- 2 files changed, 66 deletions(-) delete mode 100644 makefu/5pkgs/jd-gui/default.nix delete mode 100644 makefu/5pkgs/zj-58/default.nix diff --git a/makefu/5pkgs/jd-gui/default.nix b/makefu/5pkgs/jd-gui/default.nix deleted file mode 100644 index adefd80dd..000000000 --- a/makefu/5pkgs/jd-gui/default.nix +++ /dev/null 
@@ -1,36 +0,0 @@ -{ stdenv, lib, pkgs, fetchurl, jre, makeWrapper, unzip }: -stdenv.mkDerivation rec { - name = "${packageName}-${version}"; - packageName = "jd-gui"; - version = "1.4.0"; - - src = fetchurl { - url = "https://github.com/java-decompiler/jd-gui/releases/download/v${version}/${name}.jar"; - sha256 = "0rvbplkhafb6s9aiwgcq4ffz4bvzyp7q511pd46hx4ahhzfg7lmx"; - }; - - nativeBuildInputs = [ makeWrapper unzip ]; - - phases = [ "installPhase" ]; - - installPhase = '' - f=$out/lib/jd-gui/ - bin=$out/bin - name=$(basename $src) - mkdir -p $f $bin - - # fixup path to java - cp $src $f - cat > $bin/jd-gui < Date: Mon, 8 Oct 2018 00:58:45 +0200 Subject: [PATCH 09/74] nixpkgs: 86fb1e9 -> 86fb1e9 --- makefu/nixpkgs.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/makefu/nixpkgs.json b/makefu/nixpkgs.json index f39bb6688..c5cd0ac30 100644 --- a/makefu/nixpkgs.json +++ b/makefu/nixpkgs.json @@ -1,7 +1,7 @@ { "url": "https://github.com/makefu/nixpkgs", - "rev": "8f991294288b27b9dec05cc1e07ec6a360bb39c8", - "date": "2018-08-06T14:29:01+02:00", - "sha256": "0zan8kdjk1pwdzm1rwc3ka87k11j0zmw4mdnj70r6pm38x2fa9n6", + "rev": "86fb1e9ae6ba6dfedc814b82abd8db5cfa4f4687", + "date": "2018-10-07T23:33:42+02:00", + "sha256": "015yxs3qj299mgqfmz5vgszj2gxqwazifsdsjw6xadris3ri41d3", "fetchSubmodules": true } From e51aa863c5c7b6403b2b8dcbe064697476f200ea Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 8 Oct 2018 20:31:31 +0200 Subject: [PATCH 10/74] ma printer: use upstream zj-58 --- makefu/2configs/printer.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/makefu/2configs/printer.nix b/makefu/2configs/printer.nix index d5fa65ef9..fb1a67358 100644 --- a/makefu/2configs/printer.nix +++ b/makefu/2configs/printer.nix 
@@ -5,11 +5,11 @@ let in { services.printing = { enable = true; - drivers = [ - pkgs.samsungUnifiedLinuxDriver - pkgs.cups-dymo # dymo labelwriter - pkgs.foo2zjs # magicolor 1690mf - pkgs.zj-58 + drivers = with pkgs; [ + samsungUnifiedLinuxDriver + cups-dymo # dymo labelwriter + foo2zjs # magicolor 1690mf + cups-zj-58 ]; }; From 77bf84d5ffdab0f930c125ae8daaa15e25e4c879 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 8 Oct 2018 23:39:41 +0200 Subject: [PATCH 11/74] ma pkgs.inkscape: share/extensions solves the issue see ee44a46c858b5a80c1888ab5d38aef43a9577783 in https://gitlab.com/inkscape/extensions --- makefu/2configs/rtorrent.nix | 19 ------------------- makefu/5pkgs/custom/inkscape/dxf_fix.patch | 12 ------------ makefu/5pkgs/default.nix | 3 --- 3 files changed, 34 deletions(-) delete mode 100644 makefu/2configs/rtorrent.nix delete mode 100644 makefu/5pkgs/custom/inkscape/dxf_fix.patch diff --git a/makefu/2configs/rtorrent.nix b/makefu/2configs/rtorrent.nix deleted file mode 100644 index 9e2990cab..000000000 --- a/makefu/2configs/rtorrent.nix +++ /dev/null @@ -1,19 +0,0 @@ -_: -let - listenPort = 60123; - xml-port = 5000; - authfile = ; -in { - makefu.rtorrent = { - enable = true; - web = { - enable = true; - enableAuth = true; - inherit authfile; - }; - rutorrent.enable = true; - enableXMLRPC = true; - logLevel = "debug"; - inherit listenPort; - }; -} diff --git a/makefu/5pkgs/custom/inkscape/dxf_fix.patch b/makefu/5pkgs/custom/inkscape/dxf_fix.patch deleted file mode 100644 index b7b491d4e..000000000 --- a/makefu/5pkgs/custom/inkscape/dxf_fix.patch +++ /dev/null 
@@ -1,12 +0,0 @@ ---- ./share/extensions/dxf_outlines.py 2017-10-08 17:28:45.553368917 +0200 -+++ ./share/extensions/dxf_outlines.py.new 2017-10-08 17:29:20.172554152 +0200 -@@ -341,7 +341,7 @@ - if not scale: - scale = 25.4/96 # if no scale is specified, assume inch as baseunit - scale /= self.unittouu('1px') -- h = self.unittouu(self.document.getroot().xpath('@height', namespaces=inkex.NSS)[0]) -+ h = self.unittouu(self.documentHeight()) - self.groupmat = [[[scale, 0.0, 0.0], [0.0, -scale, h*scale]]] - doc = self.document.getroot() - self.process_group(doc) - diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index 390aabd73..6e86f4264 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix @@ -30,9 +30,6 @@ in { qcma = super.pkgs.libsForQt5.callPackage ./custom/qcma { }; inherit (callPackage ./devpi {}) devpi-web ; nodemcu-uploader = super.pkgs.callPackage ./nodemcu-uploader {}; - inkscape = super.pkgs.stdenv.lib.overrideDerivation super.inkscape (old: { - patches = [ ./custom/inkscape/dxf_fix.patch ]; - }); } // (mapAttrs (_: flip callPackage {}) From 9b638b239aa37038b0223840cdf4e5885d1565ea Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 10 Oct 2018 00:08:16 +0200 Subject: [PATCH 12/74] ma pkgs.esniper: replaced by upstream --- .../events-publisher/default.nix | 0 makefu/5pkgs/esniper/default.nix | 32 ------------------- makefu/5pkgs/esniper/find-ca-bundle.patch | 26 --------------- 3 files changed, 58 deletions(-) rename makefu/2configs/{deployment => shack}/events-publisher/default.nix (100%) delete mode 100644 makefu/5pkgs/esniper/default.nix delete mode 100644 makefu/5pkgs/esniper/find-ca-bundle.patch diff --git a/makefu/2configs/deployment/events-publisher/default.nix b/makefu/2configs/shack/events-publisher/default.nix similarity index 100% rename from makefu/2configs/deployment/events-publisher/default.nix rename to makefu/2configs/shack/events-publisher/default.nix 
diff --git a/makefu/5pkgs/esniper/default.nix b/makefu/5pkgs/esniper/default.nix deleted file mode 100644 index a6aac5748..000000000 --- a/makefu/5pkgs/esniper/default.nix +++ /dev/null @@ -1,32 +0,0 @@ -{ stdenv, fetchurl , openssl, curl, coreutils, gawk, bash, which }: - -stdenv.mkDerivation rec { - name = "${pname}-2-35-0"; - pname = "esniper"; - version = "2.35.0"; - src = fetchurl { - url = "mirror://sourceforge/${pname}/${name}.tgz"; - sha256 = "04iwjb42lw90c03125bjdpnm0fp78dmwf2j35r7mah0nwcrlagd9"; - }; - - - buildInputs = [ openssl curl ]; - - # Add support for CURL_CA_BUNDLE variable. - # Fix . - patches = [ ./find-ca-bundle.patch ]; - - postInstall = '' - sed <"frontends/snipe" >"$out/bin/snipe" \ - -e "2i export PATH=\"$out/bin:${stdenv.lib.makeBinPath [ coreutils gawk bash which ]}:\$PATH\"" - chmod 555 "$out/bin/snipe" - ''; - - meta = with stdenv.lib; { - description = "Simple, lightweight tool for sniping eBay auctions"; - homepage = http://esniper.sourceforge.net; - license = licenses.gpl2; - maintainers = with maintainers; [ lovek323 peti ]; - platforms = platforms.all; - }; -} diff --git a/makefu/5pkgs/esniper/find-ca-bundle.patch b/makefu/5pkgs/esniper/find-ca-bundle.patch deleted file mode 100644 index e4df272a0..000000000 --- a/makefu/5pkgs/esniper/find-ca-bundle.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -diff -ubr '--exclude=*.o' esniper-2-27-0-orig/http.c esniper-2-27-0-patched/http.c ---- esniper-2-27-0-orig/http.c 2012-02-06 22:04:06.000000000 +0100 -+++ esniper-2-27-0-patched/http.c 2012-07-27 10:54:20.893054646 +0200 -@@ -200,6 +200,9 @@ - int - initCurlStuff(void) - { -+ /* Path to OpenSSL bundle file. */ -+ const char *ssl_capath=NULL; -+ - /* list for custom headers */ - struct curl_slist *slist=NULL; - -@@ -241,6 +244,12 @@ - if ((curlrc = curl_easy_setopt(easyhandle, CURLOPT_COOKIEFILE, ""))) - return initCurlStuffFailed(); - -+ /* If the environment variable CURL_CA_BUNDLE is set, pass through its -+ * contents to curl. */ -+ if ((ssl_capath = getenv("CURL_CA_BUNDLE"))) -+ if ((curlrc = curl_easy_setopt(easyhandle, CURLOPT_CAINFO, ssl_capath))) -+ return initCurlStuffFailed(); -+ - slist = curl_slist_append(slist, "Accept: text/*"); - slist = curl_slist_append(slist, "Accept-Language: en"); - slist = curl_slist_append(slist, "Accept-Charset: iso-8859-1,*,utf-8"); From a083d352b416ba6d13bd15534473053a29ede50b Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 10 Oct 2018 14:07:42 +0200 Subject: [PATCH 13/74] ma pkgs.ifdnfc: rip --- makefu/5pkgs/ifdnfc/default.nix | 45 --------------------------------- 1 file changed, 45 deletions(-) delete mode 100644 makefu/5pkgs/ifdnfc/default.nix diff --git a/makefu/5pkgs/ifdnfc/default.nix b/makefu/5pkgs/ifdnfc/default.nix deleted file mode 100644 index cc7956c8c..000000000 --- a/makefu/5pkgs/ifdnfc/default.nix +++ /dev/null 
@@ -1,45 +0,0 @@ -{ stdenv, fetchFromGitHub , pkgconfig -, pcsclite -, autoreconfHook -, libnfc -}: - -stdenv.mkDerivation rec { - name = "ifdnfc-${version}"; - version = "2016-03-01"; - - src = fetchFromGitHub { - owner = "nfc-tools"; - repo = "ifdnfc"; - rev = "0e48e8e"; - sha256 = "1cxnvhhlcbm8h49rlw5racspb85fmwqqhd3gzzpzy68vrs0b37vg"; - }; - nativeBuildInputs = [ pkgconfig autoreconfHook ]; - buildInputs = [ pcsclite libnfc ]; - - configureFlags = [ "--prefix=$(out)" ]; - makeFlags = [ "DESTDIR=/" "usbdropdir=$(out)/pcsc/drivers" ]; - - meta = with stdenv.lib; { - description = "PC/SC IFD Handler based on libnfc"; - long_description = - '' libnfc Interface Plugin to be used in services.pcscd.plugins. - It provides support for all readers which are not supported by ccid but by libnfc. - - For activating your reader you need to run - ifdnfc-activate yes with this package in your - environment.systemPackages - - To use your reader you may need to blacklist your reader kernel modules: - boot.blacklistedKernelModules = [ "pn533" "pn533_usb" "nfc" ]; - - Supports the pn533 smart-card reader chip which is for example used in - the SCM SCL3711. - ''; - homepage = https://github.com/nfc-tools/ifdnfc; - license = licenses.gpl3; - platforms = platforms.linux; - maintainers = with maintainers; [ makefu ]; - }; -} - From f97f63deab36b7ff774c4f132c1a87daecc8e9f5 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 10 Oct 2018 14:08:18 +0200 Subject: [PATCH 14/74] ma events-publisher: bump version --- makefu/2configs/shack/events-publisher/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/makefu/2configs/shack/events-publisher/default.nix b/makefu/2configs/shack/events-publisher/default.nix index 37d74c282..93a965e95 100644 --- a/makefu/2configs/shack/events-publisher/default.nix +++ b/makefu/2configs/shack/events-publisher/default.nix 
@@ -2,8 +2,8 @@ with import ; let shack-announce = pkgs.callPackage (builtins.fetchTarball { - url = "https://github.com/makefu/events-publisher/archive/c5218195e6afdc646cb7682d8f355a7ec2b90716.tar.gz"; - sha256 = "0xk74q7gah3l5zy3bkvih3k9fr1hclvf71rm3ixcmslhicl7khav"; + url = "https://github.com/makefu/events-publisher/archive/1e98edfabfe5574586b4eb8d30d315ae2afb1f9f.tar.gz"; + sha256 = "013ca4dkkzc7q49cwad6fxpxv01hd8va02025pazlz5q223nk70z"; }) {} ; home = "/var/lib/shackannounce"; user = "shackannounce"; From 431cf1348b97fe6364ece67616f345b887f34b75 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 14 Oct 2018 23:46:51 +0200 Subject: [PATCH 15/74] ma omo.r: enable airdcpp --- makefu/1systems/omo/config.nix | 43 ++++++++++++++++++++++++---------- 1 file changed, 31 insertions(+), 12 deletions(-) diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index be49db024..9eb8cbf49 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -8,11 +8,11 @@ let in { imports = [ - #./hw/omo.nix - ./hw/tsp.nix + ./hw/omo.nix + #./hw/tsp.nix - + # @@ -25,6 +25,22 @@ in { # # + + { krebs.airdcpp.dcpp.shares = let + d = path: "/media/cryptX/${path}"; + in { + emu.path = d "emu"; + audiobooks.path = lib.mkForce (d "audiobooks"); + incoming.path = lib.mkForce (d "torrent"); + anime.path = d "anime"; + }; + krebs.airdcpp.dcpp.DownloadDirectory = "/media/cryptX/torrent/dcpp"; + } + { + # copy config from to /var/lib/sabnzbd/ + #services.sabnzbd.enable = true; + #systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + } # @@ -41,12 +57,22 @@ in { # services - + { + services.nginx.enable = true; + networking.firewall.allowedTCPPorts = [ 80 ]; + } + # + { + makefu.ps3netsrv = { + enable = true; + servedir = "/media/cryptX/emu/ps3"; + }; + } { hardware.pulseaudio.systemWide = true; makefu.mpd.musicDirectory = "/media/cryptX/music"; 
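Review bot: `networking.firewall.allowedTCPPorts = [ 80 ];` in the `@@ -41,12 +57,22 @@` hunk of omo/config.nix opens nginx on every interface, while the context in the next hunk of the same file already trusts `primaryInterface` through `networking.firewall.trustedInterfaces`; if the web server is only meant for the LAN, `networking.firewall.interfaces.${primaryInterface}.allowedTCPPorts = [ 80 ];` (available if the nixpkgs pin is recent enough) keeps it off the VPN/tinc interfaces. The same block enables nginx without any visible vhost, so a one-line comment saying what it is meant to serve (presumably a web UI for one of the new services, confirm) would help the next reader. Several lines of these hunks seem to have lost text in extraction (the bare `+ #` entries), so the imports around the new blocks could not be checked. The enclosing `imports` list starts and ends outside the hunk.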
@@ -74,7 +100,7 @@ in { krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) { downloadDir = lib.mkForce "/media/cryptX/torrent"; extraConfig = '' - upload_rate = 200 + upload_rate = 500 ''; }; users.groups.share = { @@ -83,14 +109,7 @@ in { }; networking.firewall.trustedInterfaces = [ primaryInterface ]; - # copy config from to /var/lib/sabnzbd/ - services.sabnzbd.enable = true; - systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - makefu.ps3netsrv = { - enable = true; - servedir = "/media/cryptX/emu/ps3"; - }; users.users.misa = { uid = 9002; From 0cfc9b54a0d588dadef3642aa6b3872f0392a220 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 14 Oct 2018 23:47:18 +0200 Subject: [PATCH 16/74] ma airdcpp: enable state tracking --- makefu/2configs/dcpp/airdcpp.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/makefu/2configs/dcpp/airdcpp.nix b/makefu/2configs/dcpp/airdcpp.nix index fe05effd9..ad62babc3 100644 --- a/makefu/2configs/dcpp/airdcpp.nix +++ b/makefu/2configs/dcpp/airdcpp.nix @@ -44,5 +44,6 @@ ''; }; - + state = map (f: "${config.krebs.airdcpp.stateDir}/${f}") + [ "Favorites.xml" "DCPlusPlus.xml" "WebServer.xml" "Recents.xml" "IgnoredUsers.xml" ]; } From efc70c213c464d0a4eecd80e1acf886c8deb787a Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 17 Oct 2018 00:34:46 +0200 Subject: [PATCH 17/74] ma homeautomation: cleanup, add flurlicht --- .../deployment/bureautomation/home.nix | 67 --------- .../deployment/homeautomation/default.nix | 127 ++++++++++++++---- 2 files changed, 102 insertions(+), 92 deletions(-) delete mode 100644 makefu/2configs/deployment/bureautomation/home.nix diff --git a/makefu/2configs/deployment/bureautomation/home.nix b/makefu/2configs/deployment/bureautomation/home.nix deleted file mode 100644 index 28edb6af2..000000000 --- a/makefu/2configs/deployment/bureautomation/home.nix +++ /dev/null 
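Review bot: The new `state` list in airdcpp.nix names `WebServer.xml` and `DCPlusPlus.xml`, which in AirDC++ presumably carry the web-UI user accounts and hub login settings; if `state` feeds a backup or sync mechanism that leaves the host, those files should be handled as secrets rather than plain configuration. A comment on the list such as `# WebServer.xml / DCPlusPlus.xml may contain credentials — keep any copy of these protected` would make that explicit for whoever consumes `state`. The enclosing module attrset starts outside the hunk.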
@@ -1,67 +0,0 @@ -{ pkgs, lib, ... }: -let - firetv = "192.168.1.238"; -in { - systemd.services.firetv = { - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "nobody"; - ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555"; - }; - }; - services.home-assistant = { - #panel_iframe: - #configurator: - # title: Configurator - # icon: mdi:wrench - # url: http://hassio.local:3218 - # sensor: - # - platform: random - enable = true; - config = { - homeassistant = { - name = "Bureautomation"; - time_zone = "Europe/Berlin"; - }; - panel_iframe = { - euer_blog = { - title = "Euer Blog"; - icon = "mdi:wrench"; - url = "https://euer.krebsco.de"; - }; - }; - media_player = [ - { platform = "kodi"; - host = firetv; - } - { platform = "firetv"; - # assumes python-firetv running - } - ]; - sensor = [ - { - platform = "luftdaten"; - name = "Shack 1"; - sensorid = "50"; - monitored_conditions = [ "P1" "P2" ]; - } - { - platform = "luftdaten"; - name = "Shack 2"; - sensorid = "658"; - monitored_conditions = [ "P1" "P2" ]; - } - { - platform = "luftdaten"; - name = "Ditzingen"; - sensorid = "5341"; - monitored_conditions = [ "P1" "P2" ]; - } - { platform = "random"; } - ]; - frontend = { }; - http = { }; - feedreader.urls = [ "https://nixos.org/blogs.xml" ]; - }; - }; -} diff --git a/makefu/2configs/deployment/homeautomation/default.nix b/makefu/2configs/deployment/homeautomation/default.nix index f2a3b36e2..5da0dba2e 100644 --- a/makefu/2configs/deployment/homeautomation/default.nix +++ b/makefu/2configs/deployment/homeautomation/default.nix 
@@ -1,9 +1,60 @@ -{ pkgs, config, ... }: +{ pkgs, lib, config, ... }: # Ideas: ## wake-on-lan server ## let + tasmota_rgb = name: topic: +# LED WS2812b +# effect_state_topic: "stat/led/Scheme" +# effect_command_topic: "cmnd/led/Scheme" +# effect_value_template: "{{ value_json.Scheme }}" + { platform = "mqtt"; + inherit name; + retain = false; + qos = 1; + optimistic = false; + # state + # TODO: currently broken, will not use the custom state topic + #state_topic = "/ham/${topic}/stat/POWER"; + state_topic = "stat/${topic}/POWER"; + command_topic = "/ham/${topic}/cmnd/POWER"; + availability_topic = "/ham/${topic}/tele/LWT"; + payload_on= "ON"; + payload_off= "OFF"; + payload_available= "Online"; + payload_not_available= "Offline"; + # brightness + brightness_state_topic = "/ham/${topic}/stat/Dimmer"; + brightness_command_topic = "/ham/${topic}/cmnd/Dimmer"; + brightness_value_template = "{{ value_json.Dimmer }}"; + brightness_scale = 100; + # color + rgb_state_topic = "/ham/${topic}/stat/Color"; + rgb_command_topic = "/ham/${topic}/cmnd/Color2"; + rgb_command_mode = "hex"; + rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}"; + # effects + effect_state_topic = "/ham/${topic}/stat/Scheme"; + effect_command_topic = "/ham/${topic}/cmnd/Scheme"; + effect_value_template = "{{ value_json.Scheme }}"; + effect_list = [ 0 1 2 3 4 5 6 7 8 9 10 11 12 ]; +}; + # switchmode 1 - also toggle power + # switchtopic flurlicht + tasmota_motion = name: topic: + { platform = "mqtt"; + device_class = "motion"; + inherit name; + # TODO: currently broken, will not use the custom state topic + state_topic = "stat/${topic}/POWER"; + payload_on = "ON"; + payload_off = "OFF"; + availability_topic = "/ham/${topic}/tele/LWT"; + payload_available = "Online"; + payload_not_available = "Offline"; + }; + firetv = "192.168.1.238"; tasmota_plug = name: topic: { platform = "mqtt"; 
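Review bot: The comment block above `tasmota_rgb` and its closing `};` sit at column 0 while every other `let` binding (`tasmota_motion`, `tasmota_plug`) is indented two spaces, and `payload_on= "ON";` drops the space that `tasmota_motion` uses; indenting the block and writing `payload_on = "ON";` keeps the three helpers visually parallel. Both new helpers give `state_topic` the bare `stat/${topic}/POWER` form while every other topic carries the `/ham/` prefix, and the TODO says the custom state topic is broken; a comment naming the device-side Tasmota setting that produces that topic (the `# switchmode 1` / `# switchtopic flurlicht` lines seem to be it, but they do not say so) would keep someone from "fixing" the inconsistency later. The `let` block continues past the end of the hunk.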
@@ -40,16 +91,13 @@ in { imports = [ ./mqtt.nix ]; - systemd.services.firetv = { - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - User = "nobody"; - ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555"; - }; - }; - nixpkgs.config.permittedInsecurePackages = [ - "homeassistant-0.65.5" - ]; + #systemd.services.firetv = { + # wantedBy = [ "multi-user.target" ]; + # serviceConfig = { + # User = "nobody"; + # ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555"; + # }; + #}; services.home-assistant = { config = { homeassistant = { @@ -58,7 +106,7 @@ in { longitude = "9.2478"; elevation = 247; }; - discovery = {}; + #discovery = {}; conversation = {}; history = {}; logbook = {}; @@ -71,16 +119,16 @@ in { { platform = "kodi"; host = firetv; } - { platform = "firetv"; - # assumes python-firetv running - } + #{ platform = "firetv"; + # # assumes python-firetv running + #} ]; mqtt = { broker = "localhost"; port = 1883; client_id = "home-assistant"; username = "hass"; - password = builtins.readFile ; + password = lib.removeSuffix "\n" (builtins.readFile ); keepalive = 60; protocol = 3.1; birth_message = { @@ -96,10 +144,14 @@ in { retain = true; }; }; + binary_sensor = [ + (tasmota_motion "Flur Bewegung" "flurlicht") + ]; sensor = [ - { platform = "speedtest"; - monitored_conditions = [ "ping" "download" "upload" ]; - } + # broken + #{ platform = "speedtest"; + # monitored_conditions = [ "ping" "download" "upload" ]; + #} { platform = "luftdaten"; name = "Ditzingen"; sensorid = "663"; @@ -107,7 +159,8 @@ in { } # https://www.home-assistant.io/cookbook/automation_for_rainy_days/ { platform = "darksky"; - api_key = "c73619e6ea79e553a585be06aacf3679"; + api_key = lib.removeSuffix "\n" + (builtins.readFile ); language = "de"; monitored_conditions = [ "summary" "icon" "nearest_storm_distance" "precip_probability" 
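Review bot: Replacing the literal darksky `api_key` with a `builtins.readFile` of a secrets path (hunk `@@ -107,7 +159,8 @@`, likewise the mqtt `password` in `@@ -71,16 +119,16 @@`) takes the value out of the working tree, but the removed line remains in git history, so that key should be treated as exposed and rotated at the provider. Because `services.home-assistant.config` is rendered at evaluation time, a secret read this way still lands in the generated configuration inside the world-readable Nix store; that deserves a comment at the read site, e.g. `# NOTE: readFile at eval time copies this secret into the store-rendered config`. `lib.removeSuffix "\n" (builtins.readFile …)` is exactly what `lib.fileContents …` does and reads shorter. The `services.home-assistant` attrset starts and ends outside these hunks.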
@@ -125,15 +178,39 @@ in { } ] ++ (tasmota_bme "Schlafzimmer" "schlafzimmer"); frontend = { }; - #group = [ - # { default_view = { view = "yes"; entities = [ - # "sensor.luftdaten" - # ]} - #]; + group = + { default_view = + { view = "yes"; + entities = [ + "group.flur" + "group.schlafzimmer" + "group.draussen" + "group.wohnzimmer" + ]; + }; + flur = [ + "light.flurlicht" + "binary_sensor.flur_bewegung" + ]; + wohnzimmer = [ + "media_player.kodi" + ]; + draussen = [ + "sensor.dark_sky_temperature" + "sensor.dark_sky_hourly_summary" + ]; + schlafzimmer = [ + "sensor.schlafzimmer_temperatur" + "sensor.schlafzimmer_luftdruck" + "sensor.schlafzimmer_luftfeuchtigkeit" + "switch.lichterkette_schlafzimmer" + ]; + }; http = { }; switch = [ (tasmota_plug "Lichterkette Schlafzimmer" "schlafzimmer") ]; + light = [ (tasmota_rgb "Flurlicht" "flurlicht" ) ]; }; enable = true; #configDir = "/var/lib/hass"; From c6de0074ebe4197fbcdd9665cc597b455312b32c Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 20 Oct 2018 21:39:26 +0200 Subject: [PATCH 18/74] ma pkgs.ns-atmosphere-programmer: init --- .../ns-atmosphere-programmer/default.nix | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 makefu/5pkgs/ns-atmosphere-programmer/default.nix diff --git a/makefu/5pkgs/ns-atmosphere-programmer/default.nix b/makefu/5pkgs/ns-atmosphere-programmer/default.nix new file mode 100644 index 000000000..1e1cb1d86 --- /dev/null +++ b/makefu/5pkgs/ns-atmosphere-programmer/default.nix 
@@ -0,0 +1,36 @@ +{ stdenv, fetchzip +, makeWrapper +, autoPatchelfHook +, xlibs +, gnome3 +, libpng12 +}: +stdenv.mkDerivation rec { + name = "ns-atmosphere-programmer-${version}"; + version = "0.1"; + + src = fetchzip { + url = "http://www.ns-atmosphere.com/media/content/ns-atmosphere-programmer-linux-v01.zip"; + sha256 = "0g2fxbirgi0lm0mi69cmknqj7626fxjkwn98bqx5pcalxplww8k0"; + }; + + buildInputs = with xlibs; [ libX11 libXxf86vm libSM gnome3.gtk libpng12 ]; + nativeBuildInputs = [ autoPatchelfHook makeWrapper ]; + + installPhase = '' + install -D -m755 NS-Atmosphere-Programmer-Linux-v0.1/NS-Atmosphere $out/bin/NS-Atmosphere + wrapProgram $out/bin/NS-Atmosphere --prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH" \ +--suffix XDG_DATA_DIRS : '${gnome3.defaultIconTheme}/share' + ''; + + dontStrip = true; + + meta = with stdenv.lib; { + description = "Payload programmer for ns-atmosphere injector"; + homepage = http://www.ns-atmosphere.com; + maintainers = [ maintainers.makefu ]; + platforms = platforms.linux; + license = with licenses; [ unfree ]; + }; + +} From 72a009b6a5593ca6885ca83517dfd99cefe2d3cb Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 00:16:12 +0200 Subject: [PATCH 19/74] ma shack/events-publisher: bump to latest version --- makefu/2configs/shack/events-publisher/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/makefu/2configs/shack/events-publisher/default.nix b/makefu/2configs/shack/events-publisher/default.nix index 93a965e95..531d2525e 100644 --- a/makefu/2configs/shack/events-publisher/default.nix +++ b/makefu/2configs/shack/events-publisher/default.nix 
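Review bot: `src` is fetched from a plain `http://` URL; the pinned `sha256` makes later builds reproducible and tamper-evident, but the hash was necessarily recorded from an unauthenticated download of a prebuilt proprietary binary, so nothing distinguishes the vendor's file from an on-path modification at the time it was hashed. If the vendor serves the archive over https, switch the URL; if not, a one-line comment saying the hash was taken from a plain-http fetch is worth keeping next to it. `homepage = http://www.ns-atmosphere.com;` is also an unquoted URL literal, which newer Nix versions deprecate; `homepage = "http://www.ns-atmosphere.com";` avoids the warning.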
@@ -2,8 +2,8 @@ with import ; let shack-announce = pkgs.callPackage (builtins.fetchTarball { - url = "https://github.com/makefu/events-publisher/archive/1e98edfabfe5574586b4eb8d30d315ae2afb1f9f.tar.gz"; - sha256 = "013ca4dkkzc7q49cwad6fxpxv01hd8va02025pazlz5q223nk70z"; + url = "https://github.com/makefu/events-publisher/archive/670f4d7182a41b6763296e301612499d2986f213.tar.gz"; + sha256 = "1yf9cb08v4rc6x992yx5lcyn62sm3p8i2b48rsmr4m66xdi4bpnd"; }) {} ; home = "/var/lib/shackannounce"; user = "shackannounce"; From cea8403dc5eb48792c9ccd4c4fc9584a84ba4238 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 00:18:59 +0200 Subject: [PATCH 20/74] ma shack/gitlab-ci: maintain own config --- .../2configs/shack/gitlab-runner/default.nix | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 makefu/2configs/shack/gitlab-runner/default.nix diff --git a/makefu/2configs/shack/gitlab-runner/default.nix b/makefu/2configs/shack/gitlab-runner/default.nix new file mode 100644 index 000000000..55dc50fa8 --- /dev/null +++ b/makefu/2configs/shack/gitlab-runner/default.nix @@ -0,0 +1,31 @@ + +{ + systemd.services.gitlab-runner.path = [ + "/run/wrappers" # /run/wrappers/bin/su + "/" # /bin/sh + ]; + services.gitlab-runner = { + enable = true; + configOptions = + { concurrent = 1; + runners = [ + { builds_dir = ""; + #docker = + #{ cache_dir = ""; + # disable_cache = true; + # host = ""; image = "nixos/nix:2.1.3"; + # privileged = true; + #}; + #executor = "docker"; + # name = "docker-nix"; + name = "gum-shell"; + executor = "shell"; + environment = [ "PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin" ]; + # generate via `gitlab-runner register` + token = import ; + url = "https://git.shackspace.de/"; + } + ]; + }; + }; +} From 489d3924307171751b174d62f64ce29a5c2550cf Mon Sep 17 00:00:00 2001 
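Review bot: In the gitlab-runner hunk, `token = import …;` pulls the registration token into the evaluated `configOptions`, and as far as the `services.gitlab-runner` module works that attrset is serialised into a config file in the Nix store, so the token becomes readable by every local user; the `# generate via gitlab-runner register` comment should say where the token must live, or the runner should be pointed at a config file kept outside the store. `executor = "shell"` runs every pipeline script directly as the service user on this host with `/run/wrappers` (for `su`) and a broad `PATH` available, so this runner is only appropriate for projects whose committers are already trusted with the machine; the commented-out docker executor was the isolated alternative, and a comment like `# shell executor: jobs run unsandboxed as gitlab-runner, only register trusted projects` records that choice where the next edit will see it. The events-publisher hunk above is a plain source bump and needs nothing.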
From: makefu Date: Sun, 21 Oct 2018 23:04:27 +0200 Subject: [PATCH 21/74] ma backup: init --- makefu/2configs/backup/server.nix | 11 +++++++++++ makefu/2configs/backup/ssh/gum.pub | 1 + makefu/2configs/backup/ssh/nextgum.pub | 1 + makefu/2configs/backup/ssh/omo.pub | 1 + makefu/2configs/backup/ssh/x.pub | 1 + makefu/2configs/backup/state.nix | 25 +++++++++++++++++++++++++ 6 files changed, 40 insertions(+) create mode 100644 makefu/2configs/backup/server.nix create mode 100644 makefu/2configs/backup/ssh/gum.pub create mode 100644 makefu/2configs/backup/ssh/nextgum.pub create mode 100644 makefu/2configs/backup/ssh/omo.pub create mode 100644 makefu/2configs/backup/ssh/x.pub create mode 100644 makefu/2configs/backup/state.nix
diff --git a/makefu/2configs/backup/server.nix b/makefu/2configs/backup/server.nix
new file mode 100644
index 000000000..f157e715f
--- /dev/null
+++ b/makefu/2configs/backup/server.nix
@@ -0,0 +1,11 @@
+{lib, ... }:
+let
+ hosts = lib.mapAttrsToList (f: _: lib.removeSuffix ".pub" f) (builtins.readDir ./ssh );
+in {
+ # TODO: for all enabled machines
+ services.borgbackup.repos = lib.genAttrs hosts (host: {
+ authorizedKeys = [ (builtins.readFile (./ssh + "/${host}.pub") ) ];
+ path = "/var/lib/borgbackup/${host}";
+ user = "borg-${host}";
+ }) ;
+}
diff --git a/makefu/2configs/backup/ssh/gum.pub b/makefu/2configs/backup/ssh/gum.pub
new file mode 100644
index 000000000..ed203d544
--- /dev/null
+++ b/makefu/2configs/backup/ssh/gum.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCJe7DQkKbL58pL78ImO+nVI/aaNFP8Zyqgo8EbNhW makefu@x
diff --git a/makefu/2configs/backup/ssh/nextgum.pub b/makefu/2configs/backup/ssh/nextgum.pub
new file mode 100644
index 000000000..52d56d956
--- /dev/null
+++ b/makefu/2configs/backup/ssh/nextgum.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUZcfi2SXxCo1if0oU3x9qPK8/O5FmiXy2HFZyTp/P1 makefu@x
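Review bot: In server.nix, `hosts` is derived from every entry of `builtins.readDir ./ssh` with `.pub` stripped, so any other file in that directory (an editor backup, a `.gitkeep`) becomes a repo name and the `readFile` of `./ssh/<name>.pub` fails at evaluation; filtering first keeps the mapping honest: `hosts = map (lib.removeSuffix ".pub") (lib.filter (lib.hasSuffix ".pub") (lib.attrNames (builtins.readDir ./ssh)));`. From the backup-safety side, each client key gets full rights on its own repository, so a compromised client can prune or delete its own history on the server; if the borgbackup module version in use offers `authorizedKeysAppendOnly`, placing the client keys there (and pruning from the server side) stops a client compromise from also destroying the backups. The `# TODO: for all enabled machines` comment would be clearer as a full sentence stating what the host list is eventually meant to be derived from.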
diff --git a/makefu/2configs/backup/ssh/omo.pub b/makefu/2configs/backup/ssh/omo.pub
new file mode 100644
index 000000000..053b4da87
--- /dev/null
+++ b/makefu/2configs/backup/ssh/omo.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtA3XzpjByYQ9uSHQr0dkNUyi6nROjwv1S2IQtUu4pi makefu@x
diff --git a/makefu/2configs/backup/ssh/x.pub b/makefu/2configs/backup/ssh/x.pub
new file mode 100644
index 000000000..fe894df33
--- /dev/null
+++ b/makefu/2configs/backup/ssh/x.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBRfhUv9twYbO7tUe2r2LOXEMNxW14GO3Q0RTkUWeMxw makefu@x
diff --git a/makefu/2configs/backup/state.nix b/makefu/2configs/backup/state.nix
new file mode 100644
index 000000000..1143708bf
--- /dev/null
+++ b/makefu/2configs/backup/state.nix
@@ -0,0 +1,25 @@
+{ config, ... }:
+# back up all state
+let
+ sec = toString ;
+ sshkey = sec + "/borg.priv";
+ phrase = sec + "/borg.pw";
+in
+{
+ services.borgbackup.jobs.state = {
+ repo = "borg-${config.krebs.build.host.name}@backup.makefu.r:.";
+ paths = config.state;
+ encryption = {
+ mode = "repokey";
+ passCommand = "cat ${phrase}";
+ };
+ environment.BORG_RSH = "ssh -i ${sshkey}";
+ prune.keep =
+ { daily = 7;
+ weekly = 4;
+ monthly = -1; # Keep at least one archive for each month
+ };
+ compression = "auto,lzma";
+ startAt = "daily";
+ };
+}
From 23d99c1ae27744d00b25e0615797c357642c4112 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:05:21 +0200 Subject: [PATCH 22/74] ma backup: streamline, RIP old rsync --- makefu/2configs/backup.nix | 52 ------------------------------- makefu/2configs/laptop-backup.nix | 12 ------- 2 files changed, 64 deletions(-) delete mode 100644 makefu/2configs/backup.nix delete mode 100644 makefu/2configs/laptop-backup.nix
diff --git a/makefu/2configs/backup.nix b/makefu/2configs/backup.nix
deleted file mode 100644
index a4d02af6b..000000000
--- a/makefu/2configs/backup.nix
+++ /dev/null
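Review bot: In state.nix, `encryption.mode = "repokey"` stores the repository key inside the repo on `backup.makefu.r`, so anyone who can read the server-side repo directory only needs the passphrase from `borg.pw` to decrypt the archives; `keyfile` mode keeps the key material on the client, which is the usual choice when the backup server is not trusted as much as the clients (at the cost of having to back up the keyfile separately). `environment.BORG_RSH = "ssh -i ${sshkey}"` also relies on whatever host-key state root has on the client, so the first run is trust-on-first-use; adding `-o UserKnownHostsFile=<path to pinned server key>` to that command, or declaring the server in `programs.ssh.knownHosts`, pins it. Both are configuration choices rather than bugs, so if repokey is deliberate a one-line comment saying why is enough.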
@@ -1,52 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ; -let - # preparation: - # mkdir -p defaultBackupDir/host.name/src - # as root on omo: - # ssh-copy-id root@src - startAt = "0,6,12,18:00"; - defaultBackupServer = config.krebs.hosts.omo; - defaultBackupDir = "/home/backup"; - defaultPull = host: src: { - method = "pull"; - src = { - inherit host; - path = src; - }; - dst = { - host = defaultBackupServer; - path = "${defaultBackupDir}/${host.name}${src}"; - }; - startAt = "0,6,12,18:00"; - snapshots = { - hourly = { format = "%Y-%m-%dT%H"; retain = 4; }; - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; - }; -in { - krebs.backup.plans = { - # wry-to-omo_root = defaultPull config.krebs.hosts.wry "/"; - gum-to-omo_root = defaultPull config.krebs.hosts.gum "/"; - gum-dl-to-omo_external = (defaultPull config.krebs.hosts.gum "/var/download" )// - { - dst.path = "/media/cryptX/backup/gum/var-download"; - dst.host = defaultBackupServer; - startAt = "19:00"; - }; - gum-owncloud-to-omo_external = (defaultPull config.krebs.hosts.gum "/var/www/o.euer.krebsco.de" )// - { - dst.path = "/media/cryptX/backup/gum/var-www-o.euer.krebsco.de"; - dst.host = defaultBackupServer; - - startAt = "05:00"; - }; - # wolf-to-omo_root = defaultPull config.krebs.hosts.wolf "/"; - }; - environment.systemPackages = [ - pkgs.borgbackup - ]; -} diff --git a/makefu/2configs/laptop-backup.nix b/makefu/2configs/laptop-backup.nix deleted file mode 100644 index 8df7043c8..000000000 --- a/makefu/2configs/laptop-backup.nix +++ /dev/null @@ -1,12 +0,0 @@ -{config, lib, pkgs, ... }: - -{ - systemd.user.services.duply-secrets = { - description = "run daily secrets backup"; - startAt = "daily"; - serviceConfig = { - Type = "oneshot"; - ExecStart = "{pkgs.duply}/bin/duply omo-secrets backup"; - }; - }; -} From 102d394330ae8212907380b284c07bea4edd69e1 Mon Sep 17 00:00:00 2001 
From: makefu Date: Sun, 21 Oct 2018 23:09:24 +0200 Subject: [PATCH 23/74] ma krops: bump home-manager --- makefu/krops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/makefu/krops.nix b/makefu/krops.nix index 4f55915af..2f6f3a3d7 100644 --- a/makefu/krops.nix +++ b/makefu/krops.nix @@ -69,7 +69,7 @@ (lib.mkIf ( host-src.home-manager ) { home-manager.git = { url = https://github.com/rycee/home-manager; - ref = "6eea2a4"; + ref = "f947faf"; }; }) ]; From 8845ee8363feff8d944db4dd954bae9fda6345f1 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:09:48 +0200 Subject: [PATCH 24/74] ma pkgs.switch-launcher: init --- makefu/5pkgs/switch-launcher/default.nix | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 makefu/5pkgs/switch-launcher/default.nix diff --git a/makefu/5pkgs/switch-launcher/default.nix b/makefu/5pkgs/switch-launcher/default.nix new file mode 100644 index 000000000..cc7905a31 --- /dev/null +++ b/makefu/5pkgs/switch-launcher/default.nix @@ -0,0 +1,24 @@ +{ lib, pkgs, python3Packages, ... }: + +with python3Packages; buildPythonPackage rec { + name = "nodemcu-uploader-${version}"; + version = "0.1.0"; + + src = pkgs.fetchFromGitHub { + owner = "ksmit799"; + repo = "switch-launcher"; + rev = version; + sha256 = "0j24dwiqqjiks59s8gilnplsls130mp1jssg2rpjrvj0jg0w52zz"; + }; + + + propagatedBuildInputs = [ + pyusb + ]; + + meta = { + homepage = https://github.com/ksmit799/switch-launcher; + description = "Desktop switch payload launcher based on a modified reswitched injector"; + license = lib.licenses.bsd3; + }; +} From 29752c0970c2964a7b1a5434fb7a583dd302ef43 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:10:25 +0200 Subject: [PATCH 25/74] ma pkgs.target-cli: init at 2.1 --- makefu/5pkgs/targetcli/default.nix | 64 ++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 makefu/5pkgs/targetcli/default.nix 
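Review bot: In the switch-launcher hunk, `name = "nodemcu-uploader-${version}"` looks copied from another package: the derivation fetches `ksmit799/switch-launcher`, so the store path and the `nix-env` listing will be labelled `nodemcu-uploader-0.1.0`. Use `pname = "switch-launcher";` with the existing `version` (or `name = "switch-launcher-${version}";`) so the name matches the source. The double blank line before `propagatedBuildInputs` is one more than the rest of the file uses.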
diff --git a/makefu/5pkgs/targetcli/default.nix b/makefu/5pkgs/targetcli/default.nix new file mode 100644 index 000000000..927c34c5a --- /dev/null +++ b/makefu/5pkgs/targetcli/default.nix @@ -0,0 +1,64 @@ +{ pkgs, fetchFromGitHub, ... }: +with pkgs.python2Packages; +let + version = "2.1"; + rtslib = buildPythonPackage rec { + pname = "rtslib"; + inherit version; + src = fetchFromGitHub { + owner = "datera"; + repo = "rtslib"; + rev = version; + sha256 = "1d58k9i4xigfqgycyismsqzkz65ssjdri2v9fg0wpica1klyyv22"; + }; + propagatedBuildInputs = [ ipaddr netifaces configobj ]; + }; + configshell = buildPythonPackage rec { + pname = "configshell"; + version = "1.6"; + src = fetchFromGitHub { + owner = "datera"; + repo = "configshell"; + rev = version; + sha256 = "14n7xbcaicsvwajv1aihz727dlkn6zfaqjbnn7mcpns83c2hms7y"; + }; + propagatedBuildInputs = [ pyparsing ]; + }; + + tcm-py = buildPythonPackage rec { + pname = "tcm-py"; + version = "0ac9091c1ff7a52d5435a4f4449e82637142e06e"; + src = fetchFromGitHub { + owner = "datera"; + repo = "lio-utils"; + rev = "0ac9091c1ff7a52d5435a4f4449e82637142e06e"; + sha256 = "0fc922kxvgr7rwg1y875vqvkipcrixmlafsp5g8mipmq90i8zcq0"; + } + "/tcm-py"; + propagatedBuildInputs = [ ]; + }; + + lio-py = buildPythonPackage rec { + pname = "lio-py"; + version = "0ac9091c1ff7a52d5435a4f4449e82637142e06e"; + src = fetchFromGitHub { + owner = "datera"; + repo = "lio-utils"; + rev = "0ac9091c1ff7a52d5435a4f4449e82637142e06e"; + sha256 = "0fc922kxvgr7rwg1y875vqvkipcrixmlafsp5g8mipmq90i8zcq0"; + } + "/lio-py"; + propagatedBuildInputs = [ ]; + }; + +in buildPythonApplication rec { + pname = "targetcli"; + inherit version; + + propagatedBuildInputs = [ rtslib configshell lio-py tcm-py ]; + + src = fetchFromGitHub { + owner = "datera"; + repo = "targetcli"; + rev = version; + sha256 = "10nax7761g93qzky01y3hra8i4s11cgyy9w5w6l8781lj21lgi3d"; + }; +} From 56945ee3f2e16719943b8429d85ae3d61d8ee61f Mon Sep 17 00:00:00 2001 
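Review bot: `tcm-py` and `lio-py` each repeat the same `fetchFromGitHub` call for `datera/lio-utils` with the same `rev` and `sha256`, and the commit hash is copied a third time into each `version`, so a bump has to be applied in six places and the two hashes can silently drift apart. Fetching `lio-utils` once in the `let` and deriving both subdirectory sources from it leaves a single point of change; the empty `propagatedBuildInputs = [ ];` lines can go at the same time. The final `buildPythonApplication` has no `meta`, so a one-line `meta.description` and `meta.license` would help whoever later has to judge whether these 2018-era pins are still maintained.
```nix
let
  version = "2.1";
  # … unchanged: rtslib, configshell …

  # lio-utils is fetched once; tcm-py and lio-py are subdirectories of it
  lio-utils-rev = "0ac9091c1ff7a52d5435a4f4449e82637142e06e";
  lio-utils-src = fetchFromGitHub {
    owner = "datera";
    repo = "lio-utils";
    rev = lio-utils-rev;
    sha256 = "0fc922kxvgr7rwg1y875vqvkipcrixmlafsp5g8mipmq90i8zcq0";
  };

  tcm-py = buildPythonPackage {
    pname = "tcm-py";
    version = lio-utils-rev;
    src = lio-utils-src + "/tcm-py";
  };

  lio-py = buildPythonPackage {
    pname = "lio-py";
    version = lio-utils-rev;
    src = lio-utils-src + "/lio-py";
  };
  # … unchanged: in buildPythonApplication rec { … } …
```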
From: makefu Date: Sun, 21 Oct 2018 23:10:56 +0200 Subject: [PATCH 26/74] ma hw/switch: init udev rules --- makefu/2configs/hw/switch.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 makefu/2configs/hw/switch.nix
diff --git a/makefu/2configs/hw/switch.nix b/makefu/2configs/hw/switch.nix
new file mode 100644
index 000000000..d46e8cf3f
--- /dev/null
+++ b/makefu/2configs/hw/switch.nix
@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+{
+
+ users.extraUsers.${config.krebs.build.user.name}.extraGroups = [ "plugdev" ];
+
+ services.udev.extraRules = ''
+ SUBSYSTEM=="usb", ATTR{idVendor}=="0955", MODE="0664", GROUP="plugdev"
+ '';
+}
From 8c3e92d9eb51f4eae4bca0e11839be652cc142ad Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:11:23 +0200 Subject: [PATCH 27/74] ma mcomix: rip --- makefu/5pkgs/mcomix/default.nix | 24 ------------------------ 1 file changed, 24 deletions(-) delete mode 100644 makefu/5pkgs/mcomix/default.nix
diff --git a/makefu/5pkgs/mcomix/default.nix b/makefu/5pkgs/mcomix/default.nix
deleted file mode 100644
index 7fb9cd375..000000000
--- a/makefu/5pkgs/mcomix/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{ pkgs, lib ,python2Packages, fetchurl, gtk3}:
-python2Packages.buildPythonPackage rec {
- name = "mcomix-${version}";
- version = "1.2.1";
-
- src = fetchurl {
- url = "mirror://sourceforge/mcomix/${name}.tar.bz2";
- sha256 = "0fzsf9pklhfs1rzwzj64c0v30b74nk94p93h371rpg45qnfiahvy";
- };
-
- propagatedBuildInputs = with python2Packages;
- [ python2Packages.pygtk gtk3 python2Packages.pillow ];
-
- # for module in sys.modules.itervalues():
- # RuntimeError: dictionary changed size during iteration
- doCheck = false;
-
- meta = {
- homepage = https://github.com/pyload/pyload;
- description = "Free and Open Source download manager written in Python";
- license = lib.licenses.gpl3;
- maintainers = with lib.maintainers; [ makefu ];
- };
-}
From d8e481ac79f7d65fdede7cb553da8f27d7ccbfb8 Mon Sep 17 00:00:00 2001
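Review bot: In switch.nix the udev rule matches on `ATTR{idVendor}=="0955"` alone, so every USB device from that vendor becomes group-writable for `plugdev`, not just the one console this module is written for; adding an `ATTR{idProduct}=="<idProduct from lsusb>"` match keeps the rule scoped to that device. Nothing here declares the `plugdev` group: if no other module creates it, udev cannot resolve `GROUP="plugdev"` and the user's group membership is not applied either, so `users.groups.plugdev = {};` next to the rule makes the module self-contained. `users.extraUsers` is the deprecated alias of `users.users`, and a one-line comment naming the device the vendor id belongs to would spare the next reader a lookup.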
From: makefu Date: Sun, 21 Oct 2018 23:16:34 +0200 Subject: [PATCH 28/74] ma nginx/euer.{blog,wiki}: add state dirs --- makefu/2configs/nginx/euer.blog.nix | 1 + makefu/2configs/nginx/euer.wiki.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/makefu/2configs/nginx/euer.blog.nix b/makefu/2configs/nginx/euer.blog.nix index 65d36d9b6..14d1285db 100644 --- a/makefu/2configs/nginx/euer.blog.nix +++ b/makefu/2configs/nginx/euer.blog.nix @@ -39,4 +39,5 @@ in { }; }; }; + state = [ base-dir ]; } diff --git a/makefu/2configs/nginx/euer.wiki.nix b/makefu/2configs/nginx/euer.wiki.nix index 99533b25c..280622259 100644 --- a/makefu/2configs/nginx/euer.wiki.nix +++ b/makefu/2configs/nginx/euer.wiki.nix @@ -21,6 +21,7 @@ let tw-pass-file = "${sec}/tw-pass.ini"; in { + state = [ base-dir ]; services.phpfpm = { # phpfpm does not have an enable option poolConfigs = { From 851c0e47d1ac7073ea5a38a656f93054b20d4b44 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:17:37 +0200 Subject: [PATCH 29/74] ma bureautomation: add tasks for shutting down monitor --- .../deployment/bureautomation/hass.nix | 32 ++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/makefu/2configs/deployment/bureautomation/hass.nix b/makefu/2configs/deployment/bureautomation/hass.nix index 4605e8933..b1eba22b4 100644 --- a/makefu/2configs/deployment/bureautomation/hass.nix +++ b/makefu/2configs/deployment/bureautomation/hass.nix @@ -11,6 +11,11 @@ let payload_available= "Online"; payload_not_available= "Offline"; }; + tasmota_stecki = name: topic: + ( tasmota_plug name topic) // + { state_topic = "/bam/${topic}/stat/POWER"; + command_topic = "/bam/${topic}/cmnd/POWER"; + }; espeasy_dht22 = name: [ { platform = "mqtt"; name = "${name} DHT22 Temperature"; 
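Review bot: In the hass.nix hunk, `tasmota_stecki` overrides only `state_topic` and `command_topic` with the `/bam/` prefix and inherits everything else from `tasmota_plug`, whose body starts above the hunk; if that helper sets `availability_topic` under a different prefix, the entity will be reported unavailable even though the device answers on its `/bam/…` topics. Either override `availability_topic = "/bam/${topic}/tele/LWT";` alongside the other two, or add a comment on the helper stating that the plug definition already shares the prefix. A short comment naming which devices use `/bam/` would also explain why two near-identical helpers exist.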
@@ -72,7 +77,7 @@ in { switch = [ (tasmota_plug "Bauarbeiterlampe" "plug") (tasmota_plug "Blitzdings" "plug2") - (tasmota_plug "Fernseher" "plug3") + (tasmota_stecki "Fernseher" "fernseher") (tasmota_plug "Pluggy" "plug4") ]; binary_sensor = [ @@ -116,6 +121,31 @@ in { frontend = { }; http = { }; feedreader.urls = [ "http://www.heise.de/security/rss/news-atom.xml" ]; + automation = [ + { alias = "Turn on Fernseher on movement"; + trigger = { + platform = "state"; + entity_id = "binary_sensor.motion"; + to = "on"; + }; + action = { + service= "homeassistant.turn_on"; + entity_id= "switch.fernseher"; + }; + } + { alias = "Turn off Fernseher 10 minutes after last movement"; + trigger = { + platform = "state"; + entity_id = "binary_sensor.motion"; + to = "off"; + for.minutes = 10; + }; + action = { + service= "homeassistant.turn_off"; + entity_id= "switch.fernseher"; + }; + } + ]; }; }; } From 99b737e3e554b866fef2a9ba5fa58107e6c75aac Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:19:09 +0200 Subject: [PATCH 30/74] ma bepasty-dual: unauthorized on error --- makefu/2configs/bepasty-dual.nix | 5 +++++ makefu/2configs/deployment/graphs.nix | 5 ----- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix index 890652285..f63dbefd8 100644 --- a/makefu/2configs/bepasty-dual.nix +++ b/makefu/2configs/bepasty-dual.nix @@ -32,6 +32,11 @@ in { "paste.${config.krebs.build.host.name}" "paste.r" ]; + extraConfig = '' + if ( $server_addr = "${external-ip}" ) { + return 403; + } + ''; }; defaultPermissions = "admin,list,create,read,delete"; secretKeyFile = secKey; diff --git a/makefu/2configs/deployment/graphs.nix b/makefu/2configs/deployment/graphs.nix index bde9892cd..e7dc54dd0 100644 --- a/makefu/2configs/deployment/graphs.nix +++ b/makefu/2configs/deployment/graphs.nix 
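Review bot: In the bepasty-dual hunk, the added `extraConfig` uses nginx `if ( $server_addr = "${external-ip}" ) { return 403; }` to keep the paste vhost off the public address; `return` in a server-level `if` is one of the forms nginx documents as safe, but it is an allow-by-default check that fails open if `external-ip` ever differs from what nginx actually binds (an IPv6 address, a second interface, a renumbering). Restricting the vhost's `listen` to the internal address fails closed and needs no rule; if the shared `paste.r` server block has to keep listening everywhere, a comment above the `if` saying why the address check is used instead of `listen` would help the next reader. The commit subject says "unauthorized" while the rule returns 403 (forbidden), which is the right status for this case.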
@@ -6,11 +6,6 @@ let internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; hn = config.krebs.build.host.name; in { - krebs.bepasty.servers."paste.r".nginx.extraConfig = '' - if ( $server_addr = "${external-ip}" ) { - return 403; - } - ''; krebs.tinc_graphs = { enable = true; nginx = { From 4a445704512f50032747e73e10c5afeaa5cce6fc Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:19:46 +0200 Subject: [PATCH 31/74] ma pkgs.cozy: now upstream --- makefu/5pkgs/cozy-audiobooks/default.nix | 95 ------------------------ 1 file changed, 95 deletions(-) delete mode 100644 makefu/5pkgs/cozy-audiobooks/default.nix diff --git a/makefu/5pkgs/cozy-audiobooks/default.nix b/makefu/5pkgs/cozy-audiobooks/default.nix deleted file mode 100644 index 870fa8ce2..000000000 --- a/makefu/5pkgs/cozy-audiobooks/default.nix +++ /dev/null 
@@ -1,95 +0,0 @@ -{ stdenv, fetchFromGitHub -, ninja -, boost -, meson -, pkgconfig -, wrapGAppsHook -, appstream-glib -, desktop-file-utils -, gtk3 -, glib -, gst_all_1 -, gobjectIntrospection -, python3Packages -, file -, cairo , sqlite , gettext -, gnome3 -}: - -let - peewee = with python3Packages; buildPythonPackage rec { - # https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/python-peewee - pname = "peewee"; - version = "3.6.4"; - src = fetchPypi { - inherit pname version; - sha256 = "1fi4z9n86ri79gllwav0gv3hmwipzmkvivzfyszfqn9fi5zpp3ak"; - }; - doCheck = false; - - checkPhase = '' - python runtests.py - ''; - - buildInputs = [ - cython - sqlite - # psycopg2 - # mysql-connector - ]; - meta.license = stdenv.lib.licenses.mit; - }; -in -stdenv.mkDerivation rec { - name = "cozy-${version}"; - version = "0.6.0"; - - src = fetchFromGitHub { - owner = "geigi"; - repo = "cozy"; - rev = version; - sha256 = "1afl3qsn9h4k8fgp63z0ab9p5ashrg3g936a9rh3i9qydv6s3srd"; - }; - - postPatch = '' - chmod +x data/meson_post_install.py - patchShebangs data/meson_post_install.py - substituteInPlace cozy/magic/magic.py --replace "ctypes.util.find_library('magic')" "'${file}/lib/libmagic${stdenv.hostPlatform.extensions.sharedLibrary}'" - ''; - postInstall = '' - wrapProgram $out/bin/com.github.geigi.cozy \ - --prefix PYTHONPATH : "$PYTHONPATH:$(toPythonPath $out)" - - ''; - wrapPrefixVariables = [ "PYTHONPATH" ]; - - - nativeBuildInputs = [ - meson ninja pkgconfig - wrapGAppsHook - appstream-glib - desktop-file-utils - gobjectIntrospection - - ]; - buildInputs = with gst_all_1; [ gtk3 glib - gstreamer gst-plugins-good gst-plugins-ugly gst-plugins-base cairo gettext - gnome3.defaultIconTheme gnome3.gsettings-desktop-schemas - ] - ++ (with python3Packages; [ - python gst-python pygobject3 dbus-python mutagen peewee magic - - ]); - - checkPhase = '' - ninja test - ''; - - meta = with stdenv.lib; { - description = '' - A modern audio book player for Linux using 
GTK+ 3 - ''; - maintainers = [ maintainers.makefu ]; - license = licenses.mit; - }; -} From f2b532c7ea8a87e46b3d0c8107c33bd631ff08ab Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:20:19 +0200 Subject: [PATCH 32/74] ma torrent: add state, torrent..r --- makefu/2configs/torrent.nix | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/makefu/2configs/torrent.nix b/makefu/2configs/torrent.nix index 3df0ddbfe..ca368dbf0 100644 --- a/makefu/2configs/torrent.nix +++ b/makefu/2configs/torrent.nix @@ -3,12 +3,11 @@ with import ; let - daemon-user = "tor"; basicAuth = import ; peer-port = 51412; web-port = 8112; daemon-port = 58846; - base-dir = config.makefu.dl-dir; + base-dir = config.krebs.rtorrent.workDir; in { users.users = { @@ -23,17 +22,6 @@ in { }; }; - # todo: race condition, do this after download user has been created - system.activationScripts."download-dir-chmod" = '' - for i in finished watch; do - if test ! -d $i;then - mkdir -p "${base-dir}/$i" - chown rtorrent:download "${base-dir}/$i" - chmod 775 "${base-dir}/$i" - fi - done - ''; - users.extraGroups = { download = { gid = lib.mkDefault (genid "download"); @@ -57,15 +45,17 @@ in { rutorrent.enable = true; enableXMLRPC = true; listenPort = peer-port; - downloadDir = base-dir + "/finished"; - watchDir = base-dir + "/watch"; + downloadDir = config.makefu.dl-dir; # dump old torrents into watch folder to have them re-added }; + services.nginx.virtualHosts."torrent.${config.krebs.build.host.name}.r".locations."/" = { proxyPass = "http://localhost:${toString web-port}/"; }; + networking.firewall.extraCommands = '' iptables -A INPUT -i retiolum -p tcp --dport ${toString web-port} -j ACCEPT ''; networking.firewall.allowedTCPPorts = [ peer-port ]; networking.firewall.allowedUDPPorts = [ peer-port ]; + state = [ config.krebs.rtorrent.sessionDir ]; # state which torrents were loaded } From 8f10933423df2f4dd71e13ef28a006e2fad67405 Mon Sep 17 00:00:00 2001 
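Review bot: In the torrent.nix hunk, the new `services.nginx.virtualHosts."torrent.….r".locations."/"` proxies the rutorrent UI to `localhost:${toString web-port}` with no access control at the nginx layer, and `basicAuth` — still imported from secrets in the `let` — is not referenced anywhere in this hunk; unless the rtorrent module's own vhost or rutorrent itself enforces a login, the UI (which can add torrents and write into `downloadDir`) is reachable by every retiolum peer once the firewall rule below opens `web-port` on that interface. If the imported credentials are meant to apply here, `basicAuth = basicAuth;` on the location or the vhost makes that explicit; if the upstream already authenticates, a one-line comment saying so would save the next reviewer the same question. The `# dump old torrents into watch folder to have them re-added` comment now sits where the `watchDir` line was removed and no longer describes anything in the block.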
From: makefu Date: Sun, 21 Oct 2018 23:20:51 +0200 Subject: [PATCH 33/74] ma tools: shuffle --- makefu/2configs/tools/android-pentest.nix | 2 +- makefu/2configs/tools/desktop.nix | 2 +- makefu/2configs/tools/extra-gui.nix | 1 - makefu/2configs/tools/media.nix | 2 +- makefu/2configs/tools/mobility.nix | 2 ++ makefu/2configs/tools/secrets.nix | 2 +- 6 files changed, 6 insertions(+), 5 deletions(-) diff --git a/makefu/2configs/tools/android-pentest.nix b/makefu/2configs/tools/android-pentest.nix index da8a357ae..9dedafdd2 100644 --- a/makefu/2configs/tools/android-pentest.nix +++ b/makefu/2configs/tools/android-pentest.nix @@ -9,7 +9,7 @@ dex2jar apktool jd-gui - android-studio + # android-studio jdk jre openssl diff --git a/makefu/2configs/tools/desktop.nix b/makefu/2configs/tools/desktop.nix index bb14c3eb5..924668803 100644 --- a/makefu/2configs/tools/desktop.nix +++ b/makefu/2configs/tools/desktop.nix @@ -3,7 +3,7 @@ { users.users.makefu.packages = with pkgs; [ taskwarrior - pass + (pass.withExtensions (ext: [ ext.pass-otp ])) gopass mutt weechat diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix index 1c28eeffd..3d26cc574 100644 --- a/makefu/2configs/tools/extra-gui.nix +++ b/makefu/2configs/tools/extra-gui.nix @@ -6,7 +6,6 @@ gimp inkscape libreoffice - quodlibet # skype synergy tdesktop diff --git a/makefu/2configs/tools/media.nix b/makefu/2configs/tools/media.nix index a61b6c88e..988550655 100644 --- a/makefu/2configs/tools/media.nix +++ b/makefu/2configs/tools/media.nix @@ -7,7 +7,7 @@ vlc mumble mplayer - quodlibet + quodlibet # exfalso plowshare streamripper diff --git a/makefu/2configs/tools/mobility.nix b/makefu/2configs/tools/mobility.nix index 8a559dbbd..11151003d 100644 --- a/makefu/2configs/tools/mobility.nix +++ b/makefu/2configs/tools/mobility.nix 
@@ -7,6 +7,8 @@ rclone exfat (pkgs.callPackage ./secrets.nix {}) + + opensc pcsctools libu2f-host ]; # boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; diff --git a/makefu/2configs/tools/secrets.nix b/makefu/2configs/tools/secrets.nix index f88618cbc..7d10983c7 100644 --- a/makefu/2configs/tools/secrets.nix +++ b/makefu/2configs/tools/secrets.nix @@ -1,7 +1,7 @@ { pass, write, writeDash, ... }: write "secrets" { - "/bin/secrets".link = writeDash "brain" '' + "/bin/secrets".link = writeDash "secrets" '' PASSWORD_STORE_DIR=$HOME/.secrets-pass/ \ exec ${pass}/bin/pass $@ ''; From 90da0939308ac0b7e3d73370ee6c12b5901990b7 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:21:22 +0200 Subject: [PATCH 34/74] ma cgit-retiolum: add secrets repo --- makefu/2configs/git/cgit-retiolum.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 1a7f3d987..4890e4afe 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -41,6 +41,7 @@ let autosync = { }; fenkins = { }; pass = { }; + secrets = { }; }; connector-repos = mapAttrs make-priv-repo { From f1bd2ce84d820d0b35c56245d820beffd7d2eb5b Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:21:58 +0200 Subject: [PATCH 35/74] ma gui: do not use antialiased fonts --- makefu/2configs/gui/base.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/makefu/2configs/gui/base.nix b/makefu/2configs/gui/base.nix index 861a9327e..6bcd09826 100644 --- a/makefu/2configs/gui/base.nix +++ b/makefu/2configs/gui/base.nix @@ -66,7 +66,7 @@ in cat |derp < Date: Sun, 21 Oct 2018 23:22:21 +0200 Subject: [PATCH 36/74] ma gui/wbob-kiosk: disable screensaver on startup --- makefu/2configs/gui/wbob-kiosk.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
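Review bot: In the cgit-retiolum hunk, `secrets = { };` is added to an attrset whose name and mapper are outside the hunk; it ends right before `connector-repos = mapAttrs make-priv-repo {`, so whether this set is the private one (retiolum-only, owner keys) or one of the public cgit sets cannot be confirmed from here and should be checked before a repository with that name is published. A `# private: never move this entry to a public repo set` comment on the line records the intent where the next edit will see it. The mobility and secrets.nix hunks above are package-list and name fixes and need nothing.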
diff --git a/makefu/2configs/gui/wbob-kiosk.nix b/makefu/2configs/gui/wbob-kiosk.nix index 7db749227..b0479d0d7 100644 --- a/makefu/2configs/gui/wbob-kiosk.nix +++ b/makefu/2configs/gui/wbob-kiosk.nix @@ -22,4 +22,16 @@ xrandr --output HDMI2 --right-of HDMI1 ''; }; + + systemd.services.xset-off = { + after = [ "display-manager.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + ExecStart = "${pkgs.xlibs.xset}/bin/xset -display :0 s off -dpms"; + RemainAfterExit = "yes"; + TimeoutSec = "5"; + Restart = "on-failure"; + }; + }; + } From 7a3801c75ef2ecccb976be8ed62367e6ddb3ce25 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:28:52 +0200 Subject: [PATCH 37/74] ma home-manager: bump --- makefu/2configs/home-manager/cli.nix | 8 +++- makefu/2configs/home-manager/default.nix | 3 ++ makefu/2configs/home-manager/desktop.nix | 52 +++++++++++++++--------- makefu/2configs/home-manager/mail.nix | 3 +- 4 files changed, 44 insertions(+), 22 deletions(-) diff --git a/makefu/2configs/home-manager/cli.nix b/makefu/2configs/home-manager/cli.nix index 1efc4d2bf..64aa03bd7 100644 --- a/makefu/2configs/home-manager/cli.nix +++ b/makefu/2configs/home-manager/cli.nix @@ -1,12 +1,18 @@ -{ +{pkgs, ... }: { home-manager.users.makefu = { services.gpg-agent = { + enable = true; defaultCacheTtl = 900; maxCacheTtl = 7200; defaultCacheTtlSsh = 3600; maxCacheTtlSsh = 86400; enableSshSupport = true; + enableScDaemon = true; }; programs.fzf.enable = true; # alt-c }; + services.udev.packages = [ + pkgs.libu2f-host + pkgs.yubikey-personalization + ]; } diff --git a/makefu/2configs/home-manager/default.nix b/makefu/2configs/home-manager/default.nix index e75ee6262..2a4574cc8 100644 --- a/makefu/2configs/home-manager/default.nix +++ b/makefu/2configs/home-manager/default.nix @@ -4,4 +4,7 @@ ]; home-manager.users.makefu = { }; + environment.variables = { + GTK_DATA_PREFIX = "/run/current-system/sw"; + }; } 
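Review bot: In the wbob-kiosk hunk, `xset-off` runs `xset -display :0 s off -dpms` as root with no `User` or `XAUTHORITY`, so it only works if the X server running as the kiosk session grants root access; if it does not, the unit fails and `Restart = "on-failure"` retries until systemd's start-rate limit trips. Since `xset` exits immediately, `Type = "oneshot"` states the intent more directly than the implicit simple service plus `RemainAfterExit` (note that older systemd versions refuse `Restart=` on oneshot units, so the retry would then need to move to an `ExecStartPre` wait on the display), and running it as the session user with its `XAUTHORITY` — or from the session setup script where `xrandr` is already invoked a few lines above, presumably the display-manager startup — avoids the root-to-display question altogether. `after = [ "display-manager.service" ]` orders the unit but does not wait for the X socket, so a comment stating that the 5 s `TimeoutSec` plus restart is what covers that window would make the design readable.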
diff --git a/makefu/2configs/home-manager/desktop.nix b/makefu/2configs/home-manager/desktop.nix index c2f854d47..ce98e651a 100644 --- a/makefu/2configs/home-manager/desktop.nix +++ b/makefu/2configs/home-manager/desktop.nix 
@@ -1,31 +1,43 @@ -{pkgs, ... }: { +{ pkgs, lib, ... }: + +{ home-manager.users.makefu = { programs.browserpass = { browsers = [ "firefox" ] ; enable = true; }; + programs.firefox.enable = true; services.network-manager-applet.enable = true; + systemd.user.services.network-manager-applet.Service.Environment = ''XDG_DATA_DIRS=/etc/profiles/per-user/makefu/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache''; services.blueman-applet.enable = true; services.pasystray.enable = true; - - systemd.user.services.network-manager-applet.Service.Environment = '' - XDG_DATA_DIRS=/etc/profiles/per-user/makefu/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache - ''; - systemd.user.services.clipit = { - Unit = { - Description = "clipboard manager"; - After = [ "graphical-session-pre.target" ]; - PartOf = [ "graphical-session.target" ]; + systemd.user.services.pasystray.Service.Environment = "PATH=" + (lib.makeBinPath (with pkgs;[ pavucontrol paprefs /* pavumeter */ /* paman */ ]) ); + programs.chromium = { + enable = true; + extensions = [ + "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin + "dbepggeogbaibhgnhhndojpepiihcmeb" # vimium + # "liloimnbhkghhdhlamdjipkmadhpcjmn" # krebsgold + "fpnmgdkabkmnadcjpehmlllkndpkmiak" # wayback machine + "gcknhkkoolaabfmlnjonogaaifnjlfnp" # foxyproxy + "abkfbakhjpmblaafnpgjppbmioombali" # memex + "kjacjjdnoddnpbbcjilcajfhhbdhkpgk" # forest + ]; }; - Install = { - WantedBy = [ "graphical-session.target" ]; - }; + systemd.user.services.clipit = { + Unit = { + Description = "clipboard manager"; + After = [ "graphical-session-pre.target" ]; + PartOf = [ "graphical-session.target" ]; + }; - Service = { - Environment = '' - XDG_DATA_DIRS=/etc/profiles/per-user/makefu/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache - ''; - ExecStart = "${pkgs.clipit}/bin/clipit"; - Restart = "on-abort"; + Install = { + WantedBy = [ 
"graphical-session.target" ]; + }; + + Service = { + Environment = ''XDG_DATA_DIRS=/etc/profiles/per-user/makefu/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache''; + ExecStart = "${pkgs.clipit}/bin/clipit"; + Restart = "on-abort"; + }; }; }; - }; } diff --git a/makefu/2configs/home-manager/mail.nix b/makefu/2configs/home-manager/mail.nix index ce7ae4f4d..467e0d7a0 100644 --- a/makefu/2configs/home-manager/mail.nix +++ b/makefu/2configs/home-manager/mail.nix @@ -1,5 +1,6 @@ { home-manager.users.makefu = { + accounts.email.maildirBasePath = "/home/makefu/Mail"; accounts.email.accounts.syntaxfehler = { address = "felix.richter@syntax-fehler.de"; userName = "Felix.Richter@syntax-fehler.de"; @@ -27,7 +28,7 @@ }; primary = true; realName = "Felix Richter"; - passwordCommand = "gpg --use-agent --quiet --batch -d /home/makefu/.mail/syntax-fehler.gpg"; + passwordCommand = "gpg --use-agent --quiet --batch -d /home/makefu/.gnupg/mail/syntax-fehler.gpg"; }; programs.offlineimap.enable = true; programs.offlineimap.extraConfig = { From f6b82f2d1f3cd5df1d70bf2b8e9f69196268f1e3 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:29:34 +0200 Subject: [PATCH 38/74] ma hw/bluetooth: add blueman to dbus packages --- makefu/2configs/hw/bluetooth.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/makefu/2configs/hw/bluetooth.nix b/makefu/2configs/hw/bluetooth.nix index 313ca0147..e556b43c0 100644 --- a/makefu/2configs/hw/bluetooth.nix +++ b/makefu/2configs/hw/bluetooth.nix @@ -1,9 +1,7 @@ { pkgs, ... }: { # bluetooth+pulse config # for blueman-applet - users.users.makefu.packages = [ - pkgs.blueman - ]; + users.users.makefu.packages = [ pkgs.blueman ]; hardware.pulseaudio = { enable = true; package = pkgs.pulseaudioFull; @@ -39,4 +37,5 @@ Enable=Source,Sink,Media,Socket ''; }; + services.dbus.packages = [ pkgs.blueman ]; } From 85e7795a34c757993118a39a8b6bb23465c0246b Mon Sep 17 00:00:00 2001 
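Review bot: The new `programs.chromium.extensions` list names extensions only by Web Store ID; as far as I recall home-manager turns these into external-extension manifests that Chromium fetches from the store and keeps auto-updating, so the list pins which extensions are installed, not their version or content, and the trailing comments are the only record of what each ID is. A header comment such as `# Web Store IDs: installed and auto-updated from the store, not version-pinned` above the list would make that trade-off explicit for the next reader.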
From: makefu Date: Sun, 21 Oct 2018 23:29:55 +0200 Subject: [PATCH 39/74] ma hw/network-manager: collect state --- makefu/2configs/hw/network-manager.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/makefu/2configs/hw/network-manager.nix b/makefu/2configs/hw/network-manager.nix index ffc32e0cb..3b9d04549 100644 --- a/makefu/2configs/hw/network-manager.nix +++ b/makefu/2configs/hw/network-manager.nix @@ -27,4 +27,7 @@ powersave = true; scanRandMacAddress = true; }; + state = [ + "/etc/NetworkManager/system-connections" #NM stateful config files + ]; } From 2e88305f407f1b3b2d71e7c3948645374c8cfd65 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:31:37 +0200 Subject: [PATCH 40/74] ma virtualbox: cleanup --- makefu/2configs/virtualisation/virtualbox.nix | 21 ++----------------- 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/makefu/2configs/virtualisation/virtualbox.nix b/makefu/2configs/virtualisation/virtualbox.nix index 30de6e44a..e90cc1e8d 100644 --- a/makefu/2configs/virtualisation/virtualbox.nix +++ b/makefu/2configs/virtualisation/virtualbox.nix 
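Review bot: `/etc/NetworkManager/system-connections` holds the connection keyfiles, which carry Wi-Fi PSKs and VPN/802.1X secrets in plaintext (NetworkManager keeps them root-only, mode 0600), so whatever consumes the `state` list — not visible here; a backup or persistence mechanism is my guess — receives credentials, not merely configuration. The comment should say that and the consumer should be checked to preserve the permissions, e.g. `"/etc/NetworkManager/system-connections" # NM profiles incl. plaintext Wi-Fi/VPN secrets; keep root-only`.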
@@ -1,26 +1,9 @@ { config, lib, pkgs, ... }: -let - mainUser = config.krebs.build.user; - vboxguestpkg = lib.stdenv.mkDerivation rec { - name = "Virtualbox-Extensions-${version}-${rev}"; - version = "5.0.20"; - rev = "106931"; - src = pkgs.fetchurl { - url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack"; - sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf"; - }; - }; -in { +{ virtualisation.virtualbox.host.enable = true; nixpkgs.config.virtualbox.enableExtensionPack = true; virtualisation.virtualbox.host.enableHardening = false; - users.extraGroups.vboxusers.members = [ "${mainUser.name}" ]; - nixpkgs.config.packageOverrides = super: { - boot.kernelPackages.virtualbox = super.boot.kernelPackages.virtualbox.override { - buildInputs = super.boot.kernelPackages.virtualBox.buildInputs - ++ [ vboxguestpkg ]; - }; - }; + users.extraGroups.vboxusers.members = [ config.krebs.build.user.name ]; } From 5c1e92aaf6fc0a3882207a5cb3ff03b7aeab04d6 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:33:33 +0200 Subject: [PATCH 41/74] ma gum.r: manage less services --- makefu/1systems/gum/config.nix | 67 +++++++++++++++++----------------- 1 file changed, 34 insertions(+), 33 deletions(-) diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 36af23bb5..75b0680b2 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -8,11 +8,23 @@ in { imports = [ ./hardware-config.nix + { + users.users.lass = { + uid = 9002; + isNormalUser = true; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = with config.krebs.users; [ + lass.pubkey + makefu.pubkey + ]; + }; + } # - + # # @@ -42,23 +54,24 @@ in { # buildbot + ## Web - - - - - - # - - - + # + # + # + # + # + ## + # + # + # - + # # - - - + # + # + # { services.taskserver.enable = true; @@ -71,11 +84,11 @@ in { ''; } # - + # # - + # 
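Review bot: `virtualisation.virtualbox.host.enableHardening = false` survives the cleanup as a context line while the custom extension-pack override that may have motivated it is removed; the hardened build is the module default and ensures only binaries in the system path can open the VirtualBox device nodes, so the remaining line needs a justifying comment (e.g. `# hardening off: <reason> — TODO re-enable`) or should go. The new `users.extraGroups.vboxusers.members = [ config.krebs.build.user.name ]` is the right simplification of the old interpolated form.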
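Review bot: The inline module adds `users.users.lass` with both `lass.pubkey` and `makefu.pubkey` in `openssh.authorizedKeys.keys`, so the host's admin can also log in as `lass` and the two people become indistinguishable in the SSH auth log for that account. If that is deliberate (e.g. for maintenance while lass is away) a comment should say so; otherwise keep only `lass.pubkey` and reach the account with `sudo -u lass` from the admin's own login. The hard-coded `uid = 9002` is fine if it matches lass's id elsewhere, which this hunk cannot show.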
@@ -98,10 +111,6 @@ in { # }; #} - { # iperf3 - networking.firewall.allowedUDPPorts = [ 5201 ]; - networking.firewall.allowedTCPPorts = [ 5201 ]; - } ]; makefu.dl-dir = "/var/download"; @@ -133,20 +142,12 @@ in { makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ]; }; - # Chat - environment.systemPackages = with pkgs;[ - weechat - bepasty-client-cli - get - tmux - ]; - # Network networking = { firewall = { - allowPing = true; - logRefusedConnections = false; - allowedTCPPorts = [ + allowPing = true; + logRefusedConnections = false; + allowedTCPPorts = [ # smtp 25 # http @@ -174,9 +175,9 @@ in { # tinc-shack 21032 ]; + }; + nameservers = [ "8.8.8.8" ]; }; - nameservers = [ "8.8.8.8" ]; - }; users.users.makefu.extraGroups = [ "download" "nginx" ]; boot.tmpOnTmpfs = true; } From cfd65930a09d0b147bdd54bccf26b4f1004862dc Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:34:54 +0200 Subject: [PATCH 42/74] ma x.r: manage more state, use new services --- makefu/1systems/x/config.nix | 28 +++++++++++++++++++--------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index 66d904512..5a4eea2e4 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix @@ -15,7 +15,7 @@ - + # @@ -74,6 +74,7 @@ + # @@ -83,11 +84,11 @@ # Security - { - programs.adb.enable = true; - } + { programs.adb.enable = true; } # temporary + { services.redis.enable = true; } + # # # # @@ -121,13 +122,11 @@ ]; makefu.server.primary-itf = "wlp3s0"; - makefu.full-populate = true; nixpkgs.config.allowUnfree = true; # configure pulseAudio to provide a HDMI sink as well networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ 80 24800 26061 8000 3000 ]; networking.firewall.allowedUDPPorts = [ 665 26061 ]; networking.firewall.trustedInterfaces = [ "vboxnet0" ]; 
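Review bot: `{ services.redis.enable = true; }` is added without `bind` or `requirePass`; in the NixOS module of this period the default is to listen on every interface with no authentication, and the context of the next hunk keeps `networking.firewall.trustedInterfaces = [ "vboxnet0" ]`, so any VirtualBox guest reaches the unauthenticated instance even though the commit drops the explicit TCP port list. For something marked `# temporary` the minimal fix is `{ services.redis.enable = true; services.redis.bind = "127.0.0.1"; }`, keeping the comment.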
@@ -144,14 +143,25 @@ # avoid full boot dir boot.loader.grub.configurationLimit = 3; - environment.systemPackages = [ pkgs.passwdqc-utils pkgs.nixUnstable ]; + environment.systemPackages = [ pkgs.passwdqc-utils ]; # environment.variables = { GOROOT = [ "${pkgs.go.out}/share/go" ]; }; state = [ "/home/makefu/stockholm" - "/home/makefu/backup/borgun" - "/home/makefu/.mail/" + "/home/makefu/.ssh/" + "/home/makefu/.zsh_history" + "/home/makefu/.bash_history" + "/home/makefu/.zshrc" + "/home/makefu/bin" + "/home/makefu/.gnupg" + "/home/makefu/.imapfilter" + "/home/makefu/.mutt" + "/home/makefu/docs" + "/home/makefu/.password-store" + "/home/makefu/.secrets-pass" + "/home/makefu/autosync/Database.kdb" ]; + services.syncthing.user = lib.mkForce "makefu"; services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/"; } From ba234de4e1aa42e2abbd6edcfbb509b755ac6c16 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:35:17 +0200 Subject: [PATCH 43/74] ma nextgum.r: almost finished the migration --- makefu/1systems/nextgum/config.nix | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/makefu/1systems/nextgum/config.nix b/makefu/1systems/nextgum/config.nix index 64516fa98..1c5cca0de 100644 --- a/makefu/1systems/nextgum/config.nix +++ b/makefu/1systems/nextgum/config.nix @@ -21,10 +21,10 @@ in { - + # - + # # @@ -52,6 +52,7 @@ in { # + @@ -66,22 +67,22 @@ in { ### Web # # - # - # - # + + + ## # # - # + - + - # - # - # - # - # + + + + + { services.taskserver.enable = true; @@ -250,4 +251,5 @@ in { }; users.users.makefu.extraGroups = [ "download" "nginx" ]; boot.tmpOnTmpfs = true; + state = [ "/home/makefu/.weechat" ]; } From acaadbb6fd7f61ccd2f131ad9b59c140068d7473 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 21 Oct 2018 23:36:19 +0200 Subject: [PATCH 44/74] ma wbob.r: no more synergy --- makefu/1systems/wbob/config.nix | 16 ---------------- 1 file changed, 16 deletions(-) 
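Review bot: The added `state` paths `/home/makefu/.ssh/`, `.gnupg`, `.password-store`, `.secrets-pass`, `autosync/Database.kdb` and the two shell history files are secret material (private keys, password stores, and histories that routinely capture pasted tokens), unlike `bin` or `docs` beside them. What consumes `state` is not visible here — my guess is a backup or persistence module — so whichever it is must preserve owner-only modes and write to an encrypted destination. A comment such as `# secret material: needs owner-only modes and an encrypted backup target` above those entries would keep that requirement next to the list.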
diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix
index e1d66a2f9..e1d61081e 100644
--- a/makefu/1systems/wbob/config.nix
+++ b/makefu/1systems/wbob/config.nix
@@ -174,20 +174,4 @@ in {
 fsType = "ext4";
 };
 };
-
- # DualHead on NUC
- # TODO: update synergy package with these extras (username)
- # TODO: add crypto layer
- systemd.services."synergy-client" = {
- environment.DISPLAY = ":0";
- serviceConfig.User = user;
- };
-
- services.synergy = {
- client = {
- enable = true;
- screenName = "wbob";
- serverAddress = "x.r";
- };
- };
 }
From 228d4acd7b17afb245627f62f8943f418fb1dd8d Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 30 Oct 2018 19:26:02 +0100 Subject: [PATCH 45/74] l: adopt kruck.r (palo) --- krebs/3modules/lass/default.nix | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+)
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 6b4dc3f17..4d382cfd3 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -338,6 +338,35 @@ with import ;
 };
 };
 };
+ kruck = {
+ monitoring = false;
+ ci = false;
+ external = true;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.29.201";
+ ip6.addr = "42:4234:6a6d:600::1";
+ aliases = [
+ "kruck.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAxcui2sirT5YY9HrSauj9nSF3AxUnfd2CCEGyzmzbi5+qw8T9jdNh
+ QcIG3s+eC3uEy6leL/eeR4NjVtQRt8CDmhGul95Vs3I1jx9gdvYR+HOatPgK0YQA
+ EFwk0jv8Z8tOc87X1qwA00Gb+25+kAzsf+8+4HQuh/szSGje3RBmBFkUyNHh8R0U
+ uzs8NSTRdN+edvYtzjnYcE1sq59HFBPkVcJNp5I3qYTp6m9SxGHMvsq6vRpNnjq/
+ /RZVBhnPDBlgxia/aVfVQKeEOHZV3svLvsJzGDrUWsJCEvF0YwW4bvohY19myTNR
+ 9lXo/VFx86qAkY09il2OloE7iu5cA2RV+FWwLeajE9vIDA06AD7nECVgthNoZd1s
+ qsDfuu3WqlpyBmr6XhRkYOFFE4xVLrZ0vItGYlgR2UPp9TjHrzfsedoyJoJAbhMH
+ gDlFgiHlAy1fhG1sCX5883XmSjWn0eJwmZ2O9sZNBP5dxfGUXg/x8NWfQj7E1lqj
+ jQ59UC6yiz7bFtObKvpdn1D4tPbqBvndZzn19U/3wKo+cCBRjtLmUD7HQHC65dCs
+ fAiCFvUTVMM3SNDvYChm0U/KGjZZFwQ+cCLj1JNVPet2C+CJ0qI2muXOnCuv/0o5
+ TBZrrHMpj6Th8AiOgeMVuxzjX1FsmAThWj9Qp/jQu6O0qvnkUNaU7I8CAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
 turingmachine = {
 monitoring = false;
 ci = false;
From f170326b0518d28f6ac611559edf1e4cbadeadc1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 31 Oct 2018 13:40:57 +0100 Subject: [PATCH 46/74] nixpkgs: 81f5c26 -> 06fb025 --- krebs/nixpkgs.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 60307e694..b761246cd 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,7 +1,7 @@
 {
 "url": "https://github.com/NixOS/nixpkgs-channels",
- "rev": "81f5c2698a87c65b4970c69d472960c574ea0db4",
- "date": "2018-10-17T20:48:45-04:00",
- "sha256": "0p4x9532d3qlbykyyq8zk62k8py9mxd1s7zgbv54zmv597rs5y35",
+ "rev": "06fb0253afabb8cc7dc85db742e2de94a4d68ca0",
+ "date": "2018-10-24T10:37:15-04:00",
+ "sha256": "0jkldgvdm8pl9cfw5faw90n0qbbzrdssgwgbihk1by4xq66khf1b",
 "fetchSubmodules": false
 }
From 77a83976ceab16e394602c1128b633ef67bd87cf Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 4 Nov 2018 18:26:04 +0100 Subject: [PATCH 47/74] l: prism.r -> archprism.r, new prism.r --- krebs/3modules/lass/default.nix | 42 +++- lass/1systems/archprism/config.nix | 356 +++++++++++++++++++++++++++ lass/1systems/archprism/physical.nix | 77 ++++++ 3 files changed, 474 insertions(+), 1 deletion(-) create mode 100644 lass/1systems/archprism/config.nix create mode 100644 lass/1systems/archprism/physical.nix diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 4d382cfd3..fbe0f6c1c 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -38,7 +38,7 @@ with import ; }; nets = rec { internet = { - ip4.addr = "46.4.114.247"; + ip4.addr = "95.216.1.150"; aliases = [ "prism.i" "paste.i" 
@@ -87,6 +87,46 @@ with import ; ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; }; + + archprism = { + cores = 1; + nets = rec { + internet = { + ip4.addr = "46.4.114.247"; + aliases = [ + "archprism.i" + ]; + ssh.port = 45621; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.0.123"; + ip6.addr = "42:0:0:0:0:0:0:123"; + aliases = [ + "prism.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6dK0jsPSb7kWMGjfyWbG + wQYYt8vi5pY/1/Ohk0iy84+mfb1SCJdm5IOC4WXgHtmfd468OluUpU5etAu13D3n + f0iDeCuohH0uTjP+EojnKrAXYTiTRpySqXjVmhaWwFyMAACFdzKFb9cgMoByrP0U + 5qruBcupK8Zwxt+Pe8IadRpPuOmz/bMYS7r+NKwybttoIX+YVm4myNzqdtMT77+H + BYR2mzW99T5YI54YZoCe0+XiIEQsosd6IL/9dP0+6vku6nHLD4qb81Q9AgaT+hte + s/ivHL+Fe2GULEQUi8aoEfXrPwnGFVY+QYxLw2G9A0Gfe9KnYBXDn99HXUGcFu2l + x7duN6mnT3WNC6VReh9m5+rPMnih/3l82W0tH1lBWUtdKcxx6yhkyUFgKOvkm4UP + gf1+EIpxf+bM7jlWylKGc+bD+dTMFV+tzHE6qHlcnzdZQrhYd0zjOXGnm4Kl1ec5 + GSlpmqTcjgR+42l6frAENo3fndqYw1WkDtswImDz3Wjuco7BiOULHTJvQN+Ao1DI + l2MQDOWJoN4eYIE4XPqLSvdOSavHQB2WGv+dFDDpWOxnDLNi19aubtynIfpGJXxV + L8s9kUTG00Hdv08BG06hGt0+2Sy1PTVniDcTftHKmEOPS6Y5rJzQih7JdakSUQCc + 6j/HwgWTf85Io/tbVMTNtkECAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; + }; + domsen-nas = { ci = false; monitoring = false; diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix new file mode 100644 index 000000000..0a286c6f0 --- /dev/null +++ b/lass/1systems/archprism/config.nix 
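Review bot: `archprism` is given the same `ssh.pubkey` (`ssh-ed25519 AAAAC3Nz…HQQMD`) as the `prism` entry whose closing lines form this hunk's context, and its `ssh.privkey.path` looks identical too, so two hosts on different public addresses now share one SSH host identity and a compromise of either machine's key affects both; whichever machine is actually new should get a freshly generated host key and its own `ssh.pubkey`. The retiolum `aliases` for archprism also still say `"prism.r"`, which conflicts with the alias the title is moving to `archprism.r`; the re-sent patch 48 at L76 changes that to `"archprism.r"` but keeps the shared host key, so the key point applies there as well.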
@@ -0,0 +1,356 @@ +{ config, lib, pkgs, ... }: +with import ; + +{ + imports = [ + + + + { + services.nginx.enable = true; + imports = [ + + + ]; + # needed by domsen.nix ^^ + lass.usershadow = { + enable = true; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + { predicate = "-p tcp --dport https"; target = "ACCEPT"; } + ]; + } + { # TODO make new hfos.nix out of this vv + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + users.users.riot = { + uid = genid "riot"; + isNormalUser = true; + extraGroups = [ "libvirtd" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" + ]; + }; + + # TODO write function for proxy_pass (ssl/nonssl) + + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; } + ]; + } + { + users.users.tv = { + uid = genid "tv"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.tv.pubkey + ]; + }; + users.users.makefu = { + uid = genid "makefu"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.makefu.pubkey + ]; + }; + users.users.nin = { + uid = genid "nin"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.nin.pubkey + ]; + }; + users.extraUsers.dritter = { + uid = genid "dritter"; + isNormalUser = true; + extraGroups = [ + "download" + ]; + openssh.authorizedKeys.keys = [ + 
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway" + ]; + }; + users.extraUsers.juhulian = { + uid = 1339; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian" + ]; + }; + users.users.hellrazor = { + uid = genid "hellrazor"; + isNormalUser = true; + extraGroups = [ + "download" + ]; + openssh.authorizedKeys.keys = [ "ssh-rsa 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" ]; + }; + } + { + #hotdog + systemd.services."container@hotdog".reloadIfChanged = mkForce false; + containers.hotdog = { + config = { ... }: { + imports = [ ]; + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.1"; + localAddress = "10.233.2.2"; + }; + } + { + #onondaga + systemd.services."container@onondaga".reloadIfChanged = mkForce false; + containers.onondaga = { + config = { ... 
}: { + imports = [ ]; + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + config.krebs.users.nin.pubkey + ]; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.5"; + localAddress = "10.233.2.6"; + }; + } + + + + + + + + + + + + + { # quasi bepasty.nix + imports = [ + + ]; + krebs.bepasty.servers."paste.r".nginx.extraConfig = '' + if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) { + return 403; + } + ''; + } + { + services.tor = { + enable = true; + }; + } + { + lass.ejabberd = { + enable = true; + hosts = [ "lassul.us" ]; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; } + { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; } + ]; + } + { + imports = [ + + ]; + services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = '' + alias /var/realwallpaper/realwallpaper.png; + ''; + } + { + users.users.jeschli = { + uid = genid "jeschli"; + isNormalUser = true; + openssh.authorizedKeys.keys = with config.krebs.users; [ + jeschli.pubkey + jeschli-bln.pubkey + jeschli-bolide.pubkey + jeschli-brauerei.pubkey + ]; + }; + krebs.git.rules = [ + { + user = with config.krebs.users; [ + jeschli + jeschli-bln + jeschli-bolide + jeschli-brauerei + ]; + repo = [ config.krebs.git.repos.xmonad-stockholm ]; + perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ]; + } + { + user = with config.krebs.users; [ + jeschli + jeschli-bln + jeschli-bolide + jeschli-brauerei + ]; + repo = [ config.krebs.git.repos.stockholm ]; + perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ]; + } + ]; + } + { + krebs.repo-sync.repos.stockholm.timerConfig = { + OnBootSec = "5min"; + OnUnitInactiveSec = "2min"; + RandomizedDelaySec = 
"2min"; + }; + } + + + { + services.taskserver = { + enable = true; + fqdn = "lassul.us"; + listenHost = "::"; + listenPort = 53589; + organisations.lass.users = [ "lass" "android" ]; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } + ]; + } + # + { + environment.systemPackages = [ pkgs.cryptsetup ]; + systemd.services."container@red".reloadIfChanged = mkForce false; + containers.red = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.3"; + localAddress = "10.233.2.4"; + }; + services.nginx.virtualHosts."rote-allez-fraktion.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + extraConfig = '' + proxy_set_header Host rote-allez-fraktion.de; + proxy_pass http://10.233.2.4; + ''; + }; + }; + } + #{ + # imports = [ ]; + # lass.restic = genAttrs [ + # "daedalus" + # "icarus" + # "littleT" + # "mors" + # "shodan" + # "skynet" + # ] (dest: { + # dirs = [ + # "/home/chat/.weechat" + # "/bku/sql_dumps" + # ]; + # passwordFile = (toString ) + "/restic/${dest}"; + # repo = "sftp:backup@${dest}.r:/backups/prism"; + # extraArguments = [ + # "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + # ]; + # timerConfig = { + # OnCalendar = "00:05"; + # RandomizedDelaySec = "5h"; + # }; + # }); + #} + { + users.users.download.openssh.authorizedKeys.keys = [ + "ssh-rsa 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 lhebendanz@nixos" + "ssh-rsa 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 palo@pepe" + "ssh-rsa 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 palo@workhorse" + ]; + } + { + } + { + lass.nichtparasoup.enable = true; + services.nginx = { + enable = true; + virtualHosts."lol.lassul.us" = { + 
forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:5001; + ''; + }; + }; + } + { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } + ]; + networking.wireguard.interfaces.wg0 = { + ips = [ "10.244.1.1/24" ]; + listenPort = 51820; + privateKeyFile = (toString ) + "/wireguard.key"; + allowedIPsAsRoutes = true; + peers = [ + { + # lass-android + allowedIPs = [ "10.244.1.2/32" ]; + publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw="; + } + ]; + }; + } + { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} + ]; + } + { + services.murmur.enable = true; + services.murmur.registerName = "lassul.us"; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} + ]; + + } + ]; + + krebs.build.host = config.krebs.hosts.archprism; + services.earlyoom = { + enable = true; + freeMemThreshold = 5; + }; +} diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix new file mode 100644 index 000000000..56348d0ab --- /dev/null +++ b/lass/1systems/archprism/physical.nix 
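Review bot: In the `# TODO make new hfos.nix` block the nat PREROUTING rule `-d 46.4.114.243` → `DNAT --to-destination 192.168.122.92` and the FORWARD rule `-d 192.168.122.92` → `ACCEPT` carry no `-p`/`--dport`, so every protocol and port of that public address is handed to the guest with no host-side filtering, a different posture from the host's own selectively opened INPUT chain. If the guest is meant to be fully exposed, say so in the comment; otherwise narrow both predicates to the services the guest actually serves. In the same block `riot` is put in `libvirtd`, which on a typical setup is effectively host-root (libvirt can attach arbitrary host block devices and files to domains), and that membership deserves a one-line comment too. The same file is re-sent verbatim in patch 48 (from L78, cut off at the end of this view), so whatever is changed here needs the same change there.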
@@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: +{ + imports = [ + ./config.nix + { + boot.kernelParams = [ "net.ifnames=0" ]; + networking = { + defaultGateway = "46.4.114.225"; + # Use google's public DNS server + nameservers = [ "8.8.8.8" ]; + interfaces.eth0 = { + ipAddress = "46.4.114.247"; + prefixLength = 27; + }; + }; + # TODO use this network config + #networking.interfaces.et0.ipv4.addresses = [ + # { + # address = config.krebs.build.host.nets.internet.ip4.addr; + # prefixLength = 27; + # } + # { + # address = "46.4.114.243"; + # prefixLength = 27; + # } + #]; + #networking.defaultGateway = "46.4.114.225"; + #networking.nameservers = [ + # "8.8.8.8" + #]; + #services.udev.extraRules = '' + # SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" + #''; + } + { + imports = [ ]; + + networking.hostId = "fb4173ea"; + boot.loader.grub = { + devices = [ + "/dev/sda" + "/dev/sdb" + ]; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + "ahci" "sd_mod" + ]; + + boot.kernelModules = [ "kvm-intel" ]; + + sound.enable = false; + nixpkgs.config.allowUnfree = true; + time.timeZone = "Europe/Berlin"; + + fileSystems."/" = { + device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = { + device = "rpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d"; + fsType = "ext4"; + }; + + } + ]; + +} From e39e8318b647a737fe759aa37ef35d18901c8efd Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 4 Nov 2018 18:26:04 +0100 Subject: [PATCH 48/74] l: prism.r -> archprism.r, new prism.r --- krebs/3modules/lass/default.nix | 42 +++- lass/1systems/archprism/config.nix | 356 +++++++++++++++++++++++++++ lass/1systems/archprism/physical.nix | 77 ++++++ 3 files changed, 474 insertions(+), 1 deletion(-) create mode 100644 lass/1systems/archprism/config.nix create mode 100644 lass/1systems/archprism/physical.nix 
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 4d382cfd3..9b9f052a5 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -38,7 +38,7 @@ with import ; }; nets = rec { internet = { - ip4.addr = "46.4.114.247"; + ip4.addr = "95.216.1.150"; aliases = [ "prism.i" "paste.i" @@ -87,6 +87,46 @@ with import ; ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; }; + + archprism = { + cores = 1; + nets = rec { + internet = { + ip4.addr = "46.4.114.247"; + aliases = [ + "archprism.i" + ]; + ssh.port = 45621; + }; + retiolum = { + via = internet; + ip4.addr = "10.243.0.123"; + ip6.addr = "42:0:0:0:0:0:0:123"; + aliases = [ + "archprism.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6dK0jsPSb7kWMGjfyWbG + wQYYt8vi5pY/1/Ohk0iy84+mfb1SCJdm5IOC4WXgHtmfd468OluUpU5etAu13D3n + f0iDeCuohH0uTjP+EojnKrAXYTiTRpySqXjVmhaWwFyMAACFdzKFb9cgMoByrP0U + 5qruBcupK8Zwxt+Pe8IadRpPuOmz/bMYS7r+NKwybttoIX+YVm4myNzqdtMT77+H + BYR2mzW99T5YI54YZoCe0+XiIEQsosd6IL/9dP0+6vku6nHLD4qb81Q9AgaT+hte + s/ivHL+Fe2GULEQUi8aoEfXrPwnGFVY+QYxLw2G9A0Gfe9KnYBXDn99HXUGcFu2l + x7duN6mnT3WNC6VReh9m5+rPMnih/3l82W0tH1lBWUtdKcxx6yhkyUFgKOvkm4UP + gf1+EIpxf+bM7jlWylKGc+bD+dTMFV+tzHE6qHlcnzdZQrhYd0zjOXGnm4Kl1ec5 + GSlpmqTcjgR+42l6frAENo3fndqYw1WkDtswImDz3Wjuco7BiOULHTJvQN+Ao1DI + l2MQDOWJoN4eYIE4XPqLSvdOSavHQB2WGv+dFDDpWOxnDLNi19aubtynIfpGJXxV + L8s9kUTG00Hdv08BG06hGt0+2Sy1PTVniDcTftHKmEOPS6Y5rJzQih7JdakSUQCc + 6j/HwgWTf85Io/tbVMTNtkECAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD"; + }; + domsen-nas = { ci = false; monitoring = false; diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix new file mode 100644 index 000000000..0a286c6f0 --- /dev/null 
+++ b/lass/1systems/archprism/config.nix 
@@ -0,0 +1,356 @@ +{ config, lib, pkgs, ... }: +with import ; + +{ + imports = [ + + + + { + services.nginx.enable = true; + imports = [ + + + ]; + # needed by domsen.nix ^^ + lass.usershadow = { + enable = true; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + { predicate = "-p tcp --dport https"; target = "ACCEPT"; } + ]; + } + { # TODO make new hfos.nix out of this vv + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + users.users.riot = { + uid = genid "riot"; + isNormalUser = true; + extraGroups = [ "libvirtd" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" + ]; + }; + + # TODO write function for proxy_pass (ssl/nonssl) + + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; } + ]; + } + { + users.users.tv = { + uid = genid "tv"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.tv.pubkey + ]; + }; + users.users.makefu = { + uid = genid "makefu"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.makefu.pubkey + ]; + }; + users.users.nin = { + uid = genid "nin"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.nin.pubkey + ]; + }; + users.extraUsers.dritter = { + uid = genid "dritter"; + isNormalUser = true; + extraGroups = [ + "download" + ]; + openssh.authorizedKeys.keys = [ + 
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway" + ]; + }; + users.extraUsers.juhulian = { + uid = 1339; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian" + ]; + }; + users.users.hellrazor = { + uid = genid "hellrazor"; + isNormalUser = true; + extraGroups = [ + "download" + ]; + openssh.authorizedKeys.keys = [ "ssh-rsa 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" ]; + }; + } + { + #hotdog + systemd.services."container@hotdog".reloadIfChanged = mkForce false; + containers.hotdog = { + config = { ... }: { + imports = [ ]; + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.1"; + localAddress = "10.233.2.2"; + }; + } + { + #onondaga + systemd.services."container@onondaga".reloadIfChanged = mkForce false; + containers.onondaga = { + config = { ... 
}: { + imports = [ ]; + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + config.krebs.users.nin.pubkey + ]; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.5"; + localAddress = "10.233.2.6"; + }; + } + + + + + + + + + + + + + { # quasi bepasty.nix + imports = [ + + ]; + krebs.bepasty.servers."paste.r".nginx.extraConfig = '' + if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) { + return 403; + } + ''; + } + { + services.tor = { + enable = true; + }; + } + { + lass.ejabberd = { + enable = true; + hosts = [ "lassul.us" ]; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; } + { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; } + ]; + } + { + imports = [ + + ]; + services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = '' + alias /var/realwallpaper/realwallpaper.png; + ''; + } + { + users.users.jeschli = { + uid = genid "jeschli"; + isNormalUser = true; + openssh.authorizedKeys.keys = with config.krebs.users; [ + jeschli.pubkey + jeschli-bln.pubkey + jeschli-bolide.pubkey + jeschli-brauerei.pubkey + ]; + }; + krebs.git.rules = [ + { + user = with config.krebs.users; [ + jeschli + jeschli-bln + jeschli-bolide + jeschli-brauerei + ]; + repo = [ config.krebs.git.repos.xmonad-stockholm ]; + perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ]; + } + { + user = with config.krebs.users; [ + jeschli + jeschli-bln + jeschli-bolide + jeschli-brauerei + ]; + repo = [ config.krebs.git.repos.stockholm ]; + perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ]; + } + ]; + } + { + krebs.repo-sync.repos.stockholm.timerConfig = { + OnBootSec = "5min"; + OnUnitInactiveSec = "2min"; + RandomizedDelaySec = 
"2min"; + }; + } + + + { + services.taskserver = { + enable = true; + fqdn = "lassul.us"; + listenHost = "::"; + listenPort = 53589; + organisations.lass.users = [ "lass" "android" ]; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } + ]; + } + # + { + environment.systemPackages = [ pkgs.cryptsetup ]; + systemd.services."container@red".reloadIfChanged = mkForce false; + containers.red = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.3"; + localAddress = "10.233.2.4"; + }; + services.nginx.virtualHosts."rote-allez-fraktion.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + extraConfig = '' + proxy_set_header Host rote-allez-fraktion.de; + proxy_pass http://10.233.2.4; + ''; + }; + }; + } + #{ + # imports = [ ]; + # lass.restic = genAttrs [ + # "daedalus" + # "icarus" + # "littleT" + # "mors" + # "shodan" + # "skynet" + # ] (dest: { + # dirs = [ + # "/home/chat/.weechat" + # "/bku/sql_dumps" + # ]; + # passwordFile = (toString ) + "/restic/${dest}"; + # repo = "sftp:backup@${dest}.r:/backups/prism"; + # extraArguments = [ + # "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + # ]; + # timerConfig = { + # OnCalendar = "00:05"; + # RandomizedDelaySec = "5h"; + # }; + # }); + #} + { + users.users.download.openssh.authorizedKeys.keys = [ + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos" + "ssh-rsa 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 palo@pepe" + "ssh-rsa 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 palo@workhorse" + ]; + } + { + } + { + lass.nichtparasoup.enable = true; + services.nginx = { + enable = true; + virtualHosts."lol.lassul.us" = { + forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:5001; + ''; + }; + }; + } + { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s 10.244.1.0/24 ! 
-d 10.244.1.0/24"; target = "MASQUERADE"; } + ]; + networking.wireguard.interfaces.wg0 = { + ips = [ "10.244.1.1/24" ]; + listenPort = 51820; + privateKeyFile = (toString ) + "/wireguard.key"; + allowedIPsAsRoutes = true; + peers = [ + { + # lass-android + allowedIPs = [ "10.244.1.2/32" ]; + publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw="; + } + ]; + }; + } + { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} + ]; + } + { + services.murmur.enable = true; + services.murmur.registerName = "lassul.us"; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} + ]; + + } + ]; + + krebs.build.host = config.krebs.hosts.archprism; + services.earlyoom = { + enable = true; + freeMemThreshold = 5; + }; +} diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix new file mode 100644 index 000000000..56348d0ab --- /dev/null +++ b/lass/1systems/archprism/physical.nix 
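Review bot: In the WireGuard block, the `FORWARD` rule `{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }` accepts everything from the VPN subnet regardless of destination, while the reverse rule is limited to `-s 10.243.0.0/16 -d 10.244.1.0/24`. With `net.ipv4.ip_forward` set to 1 earlier in the file, that gives the `lass-android` peer routed access not only to retiolum and, via the `MASQUERADE` rule, the Internet, but also to the libvirt guest network behind `192.168.122.92` and the `10.233.2.x` container addresses, unless something outside this file blocks it. If those internal ranges are not meant to be reachable from the phone, a `DROP` rule for `-s 10.244.1.0/24 -d 192.168.122.0/24` (and the container range) ordered ahead of the ACCEPT, or a destination-restricted ACCEPT, would close that; a short comment above the rule stating the intended reach would help either way. This is a new file, so the whole module is in the hunk.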
@@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: +{ + imports = [ + ./config.nix + { + boot.kernelParams = [ "net.ifnames=0" ]; + networking = { + defaultGateway = "46.4.114.225"; + # Use google's public DNS server + nameservers = [ "8.8.8.8" ]; + interfaces.eth0 = { + ipAddress = "46.4.114.247"; + prefixLength = 27; + }; + }; + # TODO use this network config + #networking.interfaces.et0.ipv4.addresses = [ + # { + # address = config.krebs.build.host.nets.internet.ip4.addr; + # prefixLength = 27; + # } + # { + # address = "46.4.114.243"; + # prefixLength = 27; + # } + #]; + #networking.defaultGateway = "46.4.114.225"; + #networking.nameservers = [ + # "8.8.8.8" + #]; + #services.udev.extraRules = '' + # SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" + #''; + } + { + imports = [ ]; + + networking.hostId = "fb4173ea"; + boot.loader.grub = { + devices = [ + "/dev/sda" + "/dev/sdb" + ]; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + "ahci" "sd_mod" + ]; + + boot.kernelModules = [ "kvm-intel" ]; + + sound.enable = false; + nixpkgs.config.allowUnfree = true; + time.timeZone = "Europe/Berlin"; + + fileSystems."/" = { + device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = { + device = "rpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d"; + fsType = "ext4"; + }; + + } + ]; + +} From 5297f29d422aebc10727c929126d54f4aee8daee Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 4 Nov 2018 19:13:46 +0100 Subject: [PATCH 49/74] l baseX: remove broken pkgs.push --- lass/2configs/baseX.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index e8a2539f3..9b44e8f0e 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -74,7 +74,6 @@ in { nmap pavucontrol powertop - push rxvt_unicode_with-plugins sxiv taskwarrior 
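Review bot: The active network config assigns only `46.4.114.247` to `interfaces.eth0`, but config.nix's `nat.PREROUTING` rule DNATs `-d 46.4.114.243` to the libvirt guest `192.168.122.92`; `46.4.114.243` appears in this file only inside the commented-out `# TODO use this network config` block, so unless it is configured somewhere not shown, packets for that address never arrive and the DNAT rule is dead. Either add the second address to the live configuration (the TODO block's `ipv4.addresses` list form allows more than one) or extend the TODO with a note that the guest forwarding depends on it. Separately, `nameservers = [ "8.8.8.8" ]` leaves a host that terminates ACME certificates and proxies for several sites with a single third-party resolver; a second entry avoids a single point of failure.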
From fbbb800cbe8daee2d8d660bab996ef9fd7c0fa37 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sun, 4 Nov 2018 21:46:32 +0100
Subject: [PATCH 50/74] nixpkgs: 81f5c26 -> 06fb025

---
 krebs/nixpkgs.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 60307e694..b761246cd 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,7 +1,7 @@
 {
 "url": "https://github.com/NixOS/nixpkgs-channels",
- "rev": "81f5c2698a87c65b4970c69d472960c574ea0db4",
- "date": "2018-10-17T20:48:45-04:00",
- "sha256": "0p4x9532d3qlbykyyq8zk62k8py9mxd1s7zgbv54zmv597rs5y35",
+ "rev": "06fb0253afabb8cc7dc85db742e2de94a4d68ca0",
+ "date": "2018-10-24T10:37:15-04:00",
+ "sha256": "0jkldgvdm8pl9cfw5faw90n0qbbzrdssgwgbihk1by4xq66khf1b",
 "fetchSubmodules": false
 }

From 100ca928ad483471d61b36bd9e977e34441d404b Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 5 Nov 2018 10:33:28 +0100
Subject: [PATCH 51/74] nixpkgs: 06fb025 -> bf7930d

---
 krebs/nixpkgs.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index b761246cd..e013645ea 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,7 +1,7 @@
 {
 "url": "https://github.com/NixOS/nixpkgs-channels",
- "rev": "06fb0253afabb8cc7dc85db742e2de94a4d68ca0",
- "date": "2018-10-24T10:37:15-04:00",
- "sha256": "0jkldgvdm8pl9cfw5faw90n0qbbzrdssgwgbihk1by4xq66khf1b",
+ "rev": "bf7930d582bcf7953c3b87e649858f3f1873eb9c",
+ "date": "2018-11-04T19:36:25+01:00",
+ "sha256": "0nvn6g0pxp0glqjg985qxs7ash0cmcdc80h8jxxk6z4pnr3f2n1m",
 "fetchSubmodules": false
 }

From 82a97181d6c20b1ceaf544d80327cce7782d9fd9 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 5 Nov 2018 10:33:28 +0100
Subject: [PATCH 52/74] nixpkgs: 06fb025 -> bf7930d

---
 krebs/nixpkgs.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index b761246cd..e013645ea 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,7 +1,7 @@
 {
 "url": "https://github.com/NixOS/nixpkgs-channels",
- "rev": "06fb0253afabb8cc7dc85db742e2de94a4d68ca0",
- "date": "2018-10-24T10:37:15-04:00",
- "sha256": "0jkldgvdm8pl9cfw5faw90n0qbbzrdssgwgbihk1by4xq66khf1b",
+ "rev": "bf7930d582bcf7953c3b87e649858f3f1873eb9c",
+ "date": "2018-11-04T19:36:25+01:00",
+ "sha256": "0nvn6g0pxp0glqjg985qxs7ash0cmcdc80h8jxxk6z4pnr3f2n1m",
 "fetchSubmodules": false
 }

From 9520ee2c51b49a0e6cb0c96f9ab1724381e0e9cd Mon Sep 17 00:00:00 2001
From: makefu
Date: Mon, 5 Nov 2018 13:48:25 +0100
Subject: [PATCH 53/74] ma nixpkgs: 86fb1e9 -> bf46294

---
 makefu/nixpkgs.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/makefu/nixpkgs.json b/makefu/nixpkgs.json
index c5cd0ac30..73798f44d 100644
--- a/makefu/nixpkgs.json
+++ b/makefu/nixpkgs.json
@@ -1,7 +1,7 @@
 {
 "url": "https://github.com/makefu/nixpkgs",
- "rev": "86fb1e9ae6ba6dfedc814b82abd8db5cfa4f4687",
- "date": "2018-10-07T23:33:42+02:00",
- "sha256": "015yxs3qj299mgqfmz5vgszj2gxqwazifsdsjw6xadris3ri41d3",
- "fetchSubmodules": true
+ "rev": "bf46294e4cf20649182f76fc9200a48436f5874a",
+ "date": "2018-09-18T02:20:45+02:00",
+ "sha256": "13900gack7pgf5a7c11x30rzb3s0kjpbm2z2g8fw4720cr9lkd94",
+ "fetchSubmodules": false
 }

From ea3afff61105fd32be1ea658460329aecf061eec Mon Sep 17 00:00:00 2001
From: makefu
Date: Mon, 5 Nov 2018 13:50:22 +0100
Subject: [PATCH 54/74] ma gum: prepare replacement by nextgum

---
 makefu/1systems/gum/config.nix | 23 ------
 makefu/1systems/nextgum/config.nix | 120 ++++++++---------------------
 makefu/1systems/nextgum/rescue.txt | 11 +++
 makefu/2configs/taskd.nix | 11 +++
 4 files changed, 52 insertions(+), 113 deletions(-)
 create mode 100644 makefu/1systems/nextgum/rescue.txt
 create mode 100644 makefu/2configs/taskd.nix

diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 75b0680b2..af2e6f6b0 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -8,18 +8,6 @@ in { imports = [ ./hardware-config.nix - { - users.users.lass = { - uid = 9002; - isNormalUser = true; - createHome = true; - useDefaultShell = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - makefu.pubkey - ]; - }; - } # @@ -73,16 +61,6 @@ in { # # - { - services.taskserver.enable = true; - services.taskserver.fqdn = config.krebs.build.host.name; - services.taskserver.listenHost = "::"; - services.taskserver.organisations.home.users = [ "makefu" ]; - networking.firewall.extraCommands = '' - iptables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT - ip6tables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT - ''; - } # # @@ -110,7 +88,6 @@ in { # locations."/".proxyPass = "http://localhost:5000"; # }; #} - ]; makefu.dl-dir = "/var/download"; diff --git a/makefu/1systems/nextgum/config.nix b/makefu/1systems/nextgum/config.nix index 1c5cca0de..118b5b9d4 100644 --- a/makefu/1systems/nextgum/config.nix +++ b/makefu/1systems/nextgum/config.nix @@ -9,6 +9,18 @@ in { ./hardware-config.nix ./transfer-config.nix + { + users.users.lass = { + uid = 9002; + isNormalUser = true; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = with config.krebs.users; [ + lass.pubkey + makefu.pubkey + ]; + }; + } # @@ -23,11 +35,21 @@ in { # - + # networking + + # + # + # - # + # ci + # + + + + + # services @@ -55,14 +77,10 @@ in { - - ## buildbot - + # Removed until move: no extra mails - # Removed until move: avoid double-update of domain - # # Removed until move: avoid letsencrypt ban ### Web # 
@@ -84,94 +102,18 @@ in { - { - services.taskserver.enable = true; - services.taskserver.fqdn = config.krebs.build.host.name; - services.taskserver.listenHost = "::"; - services.taskserver.organisations.home.users = [ "makefu" ]; - networking.firewall.extraCommands = '' - iptables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT - ip6tables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT - ''; - } - - - # + # sharing + + + ## Temporary: # - #{ - # services.dockerRegistry.enable = true; - # networking.firewall.allowedTCPPorts = [ 8443 ]; - - # services.nginx.virtualHosts."euer.krebsco.de" = { - # forceSSL = true; - # enableACME = true; - # extraConfig = '' - # client_max_body_size 1000M; - # ''; - # locations."/".proxyPass = "http://localhost:5000"; - # }; - #} - { # wireguard server - - # opkg install wireguard luci-proto-wireguard - - # TODO: networking.nat - - # boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - # conf.all.proxy_arp =1 - networking.firewall = { - allowedUDPPorts = [ 51820 ]; - extraCommands = '' - iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE - ''; - }; - - networking.wireguard.interfaces.wg0 = { - ips = [ "10.244.0.1/24" ]; - listenPort = 51820; - privateKeyFile = (toString ) + "/wireguard.key"; - allowedIPsAsRoutes = true; - peers = [ - { - # x - allowedIPs = [ "10.244.0.2/32" ]; - publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g="; - } - { - # vbob - allowedIPs = [ "10.244.0.3/32" ]; - publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw="; - } - { - # x-test - allowedIPs = [ "10.244.0.4/32" ]; - publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY="; - } - { - # work-router - allowedIPs = [ "10.244.0.5/32" ]; - publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw="; - } - { - # workr - allowedIPs = [ "10.244.0.6/32" ]; - publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA="; - } - ]; - }; - } - { # iperf3 - networking.firewall.allowedUDPPorts = [ 5201 ]; - 
networking.firewall.allowedTCPPorts = [ 5201 ]; - } - # krebs infrastructure services ]; @@ -191,9 +133,7 @@ in { ListenAddress = ${external-ip} 21031 ''; connectTo = [ - "muhbaasu" "tahoe" "flap" "wry" - "ni" - "fastpoke" "prism" "dishfire" "echelon" "cloudkrebs" + "prism" "ni" "enklave" "dishfire" "echelon" "hotdog" ]; }; diff --git a/makefu/1systems/nextgum/rescue.txt b/makefu/1systems/nextgum/rescue.txt new file mode 100644 index 000000000..30276b7db --- /dev/null +++ b/makefu/1systems/nextgum/rescue.txt @@ -0,0 +1,11 @@ +mount /dev/mapper/nixos-root /mnt +mount /dev/sda2 /mnt/boot + +chroot-prepare /mnt +chroot /mnt /bin/sh + +journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub) + +export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin +/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate +/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin/nixos-rebuild diff --git a/makefu/2configs/taskd.nix b/makefu/2configs/taskd.nix new file mode 100644 index 000000000..5ca3b9904 --- /dev/null +++ b/makefu/2configs/taskd.nix @@ -0,0 +1,11 @@ +{config, ... }: +{ + services.taskserver.enable = true; + services.taskserver.fqdn = config.krebs.build.host.name; + services.taskserver.listenHost = "::"; + services.taskserver.organisations.home.users = [ "makefu" ]; + networking.firewall.extraCommands = '' + iptables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT + ip6tables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT + ''; +} From 2487cbc8829b9c81545d1627d4a03b8fed12de01 Mon Sep 17 00:00:00 2001 
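Review bot: The new `taskd.nix` keeps the daemon listening on every address (`services.taskserver.listenHost = "::"`) and relies on two imperative `iptables -A INPUT -i retiolum -p tcp --dport 53589 -j ACCEPT` lines in `networking.firewall.extraCommands` to make port 53589 retiolum-only; there is no matching `networking.firewall.extraStopCommands`, so as far as I can tell the appended INPUT rules are not removed when the firewall unit is stopped or reloaded and can accumulate across rebuilds. If the NixOS release in use provides it, `networking.firewall.interfaces.retiolum.allowedTCPPorts = [ 53589 ];` states the same policy declaratively and is cleaned up with the rest of the nixos-fw rules; alternatively bind `listenHost` to the host's retiolum address so the firewall is not the only control. The file has no documentation at all; a header such as `# taskwarrior sync server; reachable over retiolum only (tcp/53589)` would tell the next reader what the firewall lines are for. The block is removed unchanged from gum/config.nix and nextgum/config.nix in the same commit, so behaviour on those hosts is not affected by the move itself.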
From: makefu Date: Mon, 5 Nov 2018 13:51:28 +0100 Subject: [PATCH 55/74] ma wbob.r: more automation --- makefu/1systems/wbob/config.nix | 14 +- .../deployment/bureautomation/hass.nix | 129 +++++++++++++++--- .../deployment/bureautomation/mpd.nix | 9 ++ 3 files changed, 124 insertions(+), 28 deletions(-) create mode 100644 makefu/2configs/deployment/bureautomation/mpd.nix diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index e1d61081e..24a3dddc6 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -11,10 +11,10 @@ in { - - # - # - # + # + + + @@ -33,9 +33,6 @@ in { - { - users.users.makefu.extraGroups = [ "pulse" ]; - } # Sensors @@ -46,10 +43,11 @@ in { # - + { environment.systemPackages = [ pkgs.vlc ]; } + (let collectd-port = 25826; diff --git a/makefu/2configs/deployment/bureautomation/hass.nix b/makefu/2configs/deployment/bureautomation/hass.nix index b1eba22b4..443484a34 100644 --- a/makefu/2configs/deployment/bureautomation/hass.nix +++ b/makefu/2configs/deployment/bureautomation/hass.nix @@ -12,7 +12,7 @@ let payload_not_available= "Offline"; }; tasmota_stecki = name: topic: - ( tasmota_plug name topic) // + ( tasmota_plug name topic) // { state_topic = "/bam/${topic}/stat/POWER"; command_topic = "/bam/${topic}/cmnd/POWER"; }; @@ -43,9 +43,6 @@ let }; in { networking.firewall.allowedTCPPorts = [ 8123 ]; - nixpkgs.config.permittedInsecurePackages = [ - "homeassistant-0.65.5" - ]; services.home-assistant = { enable = true; @@ -53,6 +50,9 @@ in { homeassistant = { name = "Bureautomation"; time_zone = "Europe/Berlin"; + latitude = "48.8265"; + longitude = "9.0676"; + elevation = 303; }; mqtt = { 
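Review bot: In the `@@ -53,6 +50,9 @@` hunk of hass.nix, `latitude = "48.8265";` and `longitude = "9.0676";` are strings while `elevation = 303;` is a number; Home Assistant coerces the strings, but writing all three as numbers (`latitude = 48.8265;`) keeps the block self-consistent. Four decimals pin the office to roughly ten metres in what is presumably a public repository; if that precision is not needed by the sun and weather integrations that read it, a coarser value limits what the config reveals. A comment on the `homeassistant` block, `# location is used for sunrise/sunset and weather lookups`, would explain why the values are there.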
@@ -101,26 +101,109 @@ in { sensorid = "5341"; monitored_conditions = [ "P1" "P2" ]; } - { platform = "influxdb"; - queries = [ - { name = "mean value of feinstaub P1"; - where = '' "node" = 'esp8266-1355142' ''; - measurement = "feinstaub"; - database = "telegraf"; - field = "P1"; - } - { name = "mean value of feinstaub P2"; - where = '' "node" = 'esp8266-1355142' ''; - measurement = "feinstaub"; - database = "telegraf"; - field = "P2"; - } - ]; + + { platform = "darksky"; + api_key = lib.removeSuffix "\n" + (builtins.readFile ); + language = "de"; + monitored_conditions = [ "summary" "icon" + "nearest_storm_distance" "precip_probability" + "precip_intensity" + "temperature" # "temperature_high" "temperature_low" + "apparent_temperature" + "hourly_summary" # next 24 hours text + "minutely_summary" + "humidity" + "pressure" + "uv_index" ]; + units = "si" ; + update_interval = { + days = 0; + hours = 0; + minutes = 30; + seconds = 0; + }; + } + #{ platform = "influxdb"; + # queries = [ + # { name = "mean value of feinstaub P1"; + # where = '' "node" = 'esp8266-1355142' ''; + # measurement = "feinstaub"; + # database = "telegraf"; + # field = "P1"; + # } + # { name = "mean value of feinstaub P2"; + # where = '' "node" = 'esp8266-1355142' ''; + # measurement = "feinstaub"; + # database = "telegraf"; + # field = "P2"; + # } + # ]; + #} + ]; + camera = [ + { name = "Baumarkt"; + platform = "generic"; + still_image_url = http://t4915209254324-p80-c0-h6jv2afnujcoftrcstsafb45kdrqv4buy.webdirect.mdex.de/oneshotimage ;# baumarkt + } + { name = "Autobahn Heilbronn"; + platform = "generic"; + still_image_url = https://api.svz-bw.de/v2/verkehrskameras/kameras/K10 ; + } + { name = "Autobahn Singen"; + platform = "generic"; + still_image_url = https://api.svz-bw.de/v2/verkehrskameras/kameras/K11 ; } ]; frontend = { }; http = { }; - feedreader.urls = [ "http://www.heise.de/security/rss/news-atom.xml" ]; + conversation = {}; + history = {}; + logbook = {}; + tts = [ { platform = 
"google";} ]; + recorder = {}; + group = + { default_view = + { view = "yes"; + entities = [ + "group.sensors" + "group.outside" + "group.switches" + "group.automation" + "group.camera" + ]; + }; + automation = [ + "automation.turn_off_fernseher_10_minutes_after_last_movement" + ]; + switches = [ + "switch.bauarbeiterlampe" + "switch.blitzdings" + "switch.fernseher" + "switch.pluggy" + ]; + camera = [ + "camera.Baumarkt" + "camera.Autobahn_Heilbronn" + "camera.Autobahn_Singen" + ]; + sensors = [ + "binary_sensor.motion" + "sensor.easy2_dht22_humidity" + "sensor.easy2_dht22_temperature" + ]; + outside = [ + "sensor.ditzingen_pm10" + "sensor.ditzingen_pm25" + "sensor.dark_sky_temperature" + "sensor.dark_sky_humidity" + "sensor.dark_sky_pressure" + "sensor.dark_sky_hourly_summary" + "sensor.dark_sky_minutely_summary" + ]; + }; + # only for automation + # feedreader.urls = [ "http://www.heise.de/security/rss/news-atom.xml" ]; automation = [ { alias = "Turn on Fernseher on movement"; trigger = { @@ -144,6 +227,12 @@ in { service= "homeassistant.turn_off"; entity_id= "switch.fernseher"; }; + condition = [{ + condition = "time"; + before = "06:30:00"; #only turn off between 6:30 and 18:00 + after = "18:00:00"; + weekday = [ "mon" "tue" "wed" "thu" "fri" ]; + }]; } ]; }; diff --git a/makefu/2configs/deployment/bureautomation/mpd.nix b/makefu/2configs/deployment/bureautomation/mpd.nix new file mode 100644 index 000000000..1f5acb357 --- /dev/null +++ b/makefu/2configs/deployment/bureautomation/mpd.nix @@ -0,0 +1,9 @@ +{lib,pkgs, ... }: + +{ + systemd.services."ympd-wbob" = { + description = "mpd "; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = "${pkgs.ympd}/bin/ympd --host localhost --port 6600 --webport 8866 --user nobody"; + }; +} From 7f52e698476f3d782caa4134a6166c68a9abc56e Mon Sep 17 00:00:00 2001 
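Review bot: `api_key = lib.removeSuffix "\n" (builtins.readFile …)` (the secrets path is elided in this rendering) reads the Dark Sky key during evaluation, so the key is embedded in the Home Assistant configuration that the `services.home-assistant` module writes into the Nix store — world-readable on the host and carried along to any build machine or cache the closure is copied to. Reading the key from a file at service start rather than at eval time would keep it out of the store; if the module in use offers no such hook, a comment on the line, `# NOTE: read at eval time, the key ends up in /nix/store`, at least makes the exposure visible to the next reader. The three `camera` entries use bare Nix URL literals (`still_image_url = http://…;`) where every other value in the attribute set is a quoted string; quoting them keeps the style uniform.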
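Review bot: The new `condition` in the `@@ -144,6 +227,12 @@` hunk sets `after = "18:00:00"` and `before = "06:30:00"` next to the comment `#only turn off between 6:30 and 18:00`; in Home Assistant a time condition whose `after` is later than its `before` spans midnight, so as far as I can tell this matches 18:00–06:30, the opposite of what the comment says. Either the comment should become `# only turn off between 18:00 and 6:30 (outside office hours)` or the two values should be swapped to match the stated intent. The `weekday` restriction to Monday–Friday is unaffected either way.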
From: makefu Date: Mon, 5 Nov 2018 13:51:54 +0100 Subject: [PATCH 56/74] ma wbob-kiosk: trying to get xset working ... --- makefu/2configs/gui/wbob-kiosk.nix | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/makefu/2configs/gui/wbob-kiosk.nix b/makefu/2configs/gui/wbob-kiosk.nix index b0479d0d7..6da1a37e7 100644 --- a/makefu/2configs/gui/wbob-kiosk.nix +++ b/makefu/2configs/gui/wbob-kiosk.nix @@ -4,23 +4,26 @@ imports = [ ./base.nix ]; - users.users.makefu.packages = [ pkgs.chromium ]; + users.users.makefu = { + packages = [ pkgs.chromium ]; + extraGroups = [ "audio" "pulse" ]; + }; services.xserver = { - layout = lib.mkForce "de"; - xkbVariant = lib.mkForce ""; windowManager = lib.mkForce { awesome.enable = false; default = "none"; }; - desktopManager.xfce.enable = true; + desktopManager.xfce = { + extraSessionCommands = '' + ${pkgs.xlibs.xset}/bin/xset -display :0 s off -dpms + ${pkgs.xlibs.xrandr}/bin/xrandr --output HDMI2 --right-of HDMI1 + ''; + enable = true; + }; # xrandrHeads = [ "HDMI1" "HDMI2" ]; # prevent screen from turning off, disable dpms - displayManager.sessionCommands = '' - xset -display :0 s off -dpms - xrandr --output HDMI2 --right-of HDMI1 - ''; }; systemd.services.xset-off = { @@ -29,7 +32,8 @@ serviceConfig = { ExecStart = "${pkgs.xlibs.xset}/bin/xset -display :0 s off -dpms"; RemainAfterExit = "yes"; - TimeoutSec = "5"; + TimeoutSec = "5s"; + RestartSec="5s"; Restart = "on-failure"; }; }; From e706831281d6e4a0638cab2a8f38ac21af23081c Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 5 Nov 2018 13:52:11 +0100 Subject: [PATCH 57/74] ma homeautomation: more sensors --- .../deployment/homeautomation/default.nix | 54 ++++++++++++++++--- 1 file changed, 48 insertions(+), 6 deletions(-) diff --git a/makefu/2configs/deployment/homeautomation/default.nix b/makefu/2configs/deployment/homeautomation/default.nix index 5da0dba2e..94799b11d 100644 --- a/makefu/2configs/deployment/homeautomation/default.nix 
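Review bot: `RestartSec="5s";` in the `systemd.services.xset-off` hunk of wbob-kiosk.nix drops the ` = ` spacing every other attribute in the file uses. The same `xset -display :0 s off -dpms` command now runs both in `desktopManager.xfce.extraSessionCommands` and in the `xset-off` unit, which with `Restart = "on-failure"` will retry every 5 s until the X server is up; the commit subject says this is still being worked out, so once one path proves to work the other should go, and a comment naming the authoritative one would stop a later cleanup from removing the wrong copy.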
+++ b/makefu/2configs/deployment/homeautomation/default.nix @@ -17,7 +17,7 @@ let # state # TODO: currently broken, will not use the custom state topic #state_topic = "/ham/${topic}/stat/POWER"; - state_topic = "stat/${topic}/POWER"; + state_topic = "/ham/${topic}/stat/POWER"; command_topic = "/ham/${topic}/cmnd/POWER"; availability_topic = "/ham/${topic}/tele/LWT"; payload_on= "ON"; @@ -47,7 +47,7 @@ let device_class = "motion"; inherit name; # TODO: currently broken, will not use the custom state topic - state_topic = "stat/${topic}/POWER"; + state_topic = "/ham/${topic}/stat/POWER"; payload_on = "ON"; payload_off = "OFF"; availability_topic = "/ham/${topic}/tele/LWT"; @@ -87,6 +87,20 @@ let unit_of_measurement = "hPa"; } ]; + tasmota_am2301 = name: topic: + [ { platform = "mqtt"; + name = "${name} Temperatur"; + state_topic = "/ham/${topic}/tele/SENSOR"; + value_template = "{{ value_json.AM2301.Temperature }}"; + unit_of_measurement = "°C"; + } + { platform = "mqtt"; + name = "${name} Luftfeuchtigkeit"; + state_topic = "/ham/${topic}/tele/SENSOR"; + value_template = "{{ value_json.AM2301.Humidity }}"; + unit_of_measurement = "%"; + } + ]; in { imports = [ ./mqtt.nix @@ -153,7 +167,7 @@ in { # monitored_conditions = [ "ping" "download" "upload" ]; #} { platform = "luftdaten"; - name = "Ditzingen"; + name = "Wangen"; sensorid = "663"; monitored_conditions = [ "P1" "P2" ]; } @@ -165,18 +179,23 @@ in { monitored_conditions = [ "summary" "icon" "nearest_storm_distance" "precip_probability" "precip_intensity" - "temperature" # "temperature_high" "temperature_low" + "temperature" + "apparent_temperature" "hourly_summary" + "humidity" + "pressure" "uv_index" ]; units = "si" ; update_interval = { days = 0; hours = 0; - minutes = 10; + minutes = 30; seconds = 0; }; } - ] ++ (tasmota_bme "Schlafzimmer" "schlafzimmer"); + ] + ++ (tasmota_bme "Schlafzimmer" "schlafzimmer") + ++ (tasmota_am2301 "Arbeitszimmer" "arbeitszimmer"); frontend = { }; group = { default_view = 
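Review bot: In the `@@ -17,7 +17,7 @@` and `@@ -47,7 +47,7 @@` hunks the live `state_topic` becomes `"/ham/${topic}/stat/POWER"`, but the preceding `# TODO: currently broken, will not use the custom state topic` comment and the commented-out `#state_topic = "/ham/${topic}/stat/POWER";` line are kept, so both now contradict and duplicate the code. Drop the commented line in both places and either remove the TODO or reword it to describe the current state, since I cannot tell from the hunk whether the firmware or the config side was fixed. The `tasmota_am2301` helper added in `@@ -87,6 +87,20 @@` mirrors `tasmota_bme` and needs nothing further.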
@@ -186,6 +205,7 @@ in { "group.schlafzimmer" "group.draussen" "group.wohnzimmer" + "group.arbeitszimmer" ]; }; flur = [ @@ -198,6 +218,8 @@ in { draussen = [ "sensor.dark_sky_temperature" "sensor.dark_sky_hourly_summary" + "sensor.wangen_pm10" + "sensor.wangen_pm25" ]; schlafzimmer = [ "sensor.schlafzimmer_temperatur" @@ -205,12 +227,32 @@ in { "sensor.schlafzimmer_luftfeuchtigkeit" "switch.lichterkette_schlafzimmer" ]; + arbeitszimmer = [ + "switch.strom_staubsauger" + "sensor.arbeitszimmer_temperatur" + "sensor.arbeitszimmer_luftfeuchtigkeit" + ]; }; http = { }; switch = [ (tasmota_plug "Lichterkette Schlafzimmer" "schlafzimmer") + (tasmota_plug "Strom Staubsauger" "arbeitszimmer") ]; light = [ (tasmota_rgb "Flurlicht" "flurlicht" ) ]; + automation = [ + { alias = "Staubsauger Strom aus nach 6h"; + trigger = { + platform = "state"; + entity_id = "switch.strom_staubsauger"; + to = "on"; + for.hours = 6; + }; + action = { + service= "homeassistant.turn_off"; + entity_id= "switch.strom_staubsauger"; + }; + } + ]; }; enable = true; #configDir = "/var/lib/hass"; From af41e7225900113b6a9c9b666a5fa25e209965b7 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 5 Nov 2018 13:55:24 +0100 Subject: [PATCH 58/74] ma wbob: cleanup config, minor tweaks --- makefu/2configs/bluetooth-mpd.nix | 2 ++ makefu/2configs/stats/arafetch.nix | 2 ++ makefu/2configs/tools/media.nix | 2 ++ makefu/5pkgs/awesomecfg/full.cfg | 6 +++--- 4 files changed, 9 insertions(+), 3 deletions(-) diff --git a/makefu/2configs/bluetooth-mpd.nix b/makefu/2configs/bluetooth-mpd.nix index b59d3ce10..e007b6072 100644 --- a/makefu/2configs/bluetooth-mpd.nix +++ b/makefu/2configs/bluetooth-mpd.nix @@ -57,6 +57,8 @@ in { load-module module-filter-heuristics load-module module-filter-apply load-module module-switch-on-connect + load-module module-equalizer-sink + load-module module-dbus-protocol #load-module module-bluez5-device #load-module module-bluez5-discover ''; 
diff --git a/makefu/2configs/stats/arafetch.nix b/makefu/2configs/stats/arafetch.nix index 422676b24..c16629cc5 100644 --- a/makefu/2configs/stats/arafetch.nix +++ b/makefu/2configs/stats/arafetch.nix @@ -27,12 +27,14 @@ in { systemd.services.arafetch = { startAt = "Mon,Wed,Fri 09:15:00"; wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; environment = { OUTDIR = home; }; path = [ pkg pkgs.git pkgs.wget ]; serviceConfig = { User = "arafetch"; + Restart = "always"; WorkingDirectory = home; PrivateTmp = true; ExecStart = pkgs.writeDash "start-weekrun" '' diff --git a/makefu/2configs/tools/media.nix b/makefu/2configs/tools/media.nix index 988550655..88a7c6882 100644 --- a/makefu/2configs/tools/media.nix +++ b/makefu/2configs/tools/media.nix @@ -12,5 +12,7 @@ plowshare streamripper youtube-dl + + pulseeffects ]; } diff --git a/makefu/5pkgs/awesomecfg/full.cfg b/makefu/5pkgs/awesomecfg/full.cfg index 12d357913..11f9f59b8 100644 --- a/makefu/5pkgs/awesomecfg/full.cfg +++ b/makefu/5pkgs/awesomecfg/full.cfg @@ -572,9 +572,9 @@ local os = { do local cmds = { - "@networkmanagerapplet@/bin/nm-applet", - "@blueman@/bin/blueman-applet", - "@clipit@/bin/clipit" + -- "@networkmanagerapplet@/bin/nm-applet", + -- "@blueman@/bin/blueman-applet", + -- "@clipit@/bin/clipit" } for _,i in pairs(cmds) do From 72cd32c0bc7d66536e163b42a9404986e479c597 Mon Sep 17 00:00:00 2001 
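Review bot: `after = [ "network-online.target" ];` only orders the unit; it does not pull the target in, so on a host where nothing else wants it the line is a no-op and the job can still start before the network is up — pair it with `wants = [ "network-online.target" ];`. `Restart = "always";` on a unit that is started by the `startAt = "Mon,Wed,Fri 09:15:00";` timer also restarts it after every clean exit, which turns a thrice-weekly run into a continuous loop with the default RestartSec (and older systemd refuses any Restart= other than `no` for Type=oneshot units; the service type is not visible in this hunk). For a cron-like job `Restart = "on-failure";` plus an explicit `RestartSec` is the usual form.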
From: makefu Date: Mon, 5 Nov 2018 16:22:39 +0100 Subject: [PATCH 59/74] ma nextgum.r becomes gum.r --- krebs/3modules/makefu/default.nix | 100 +++------ makefu/1systems/gum/config.nix | 149 ++++++++----- makefu/1systems/gum/hardware-config.nix | 77 +++++-- makefu/1systems/{nextgum => gum}/rescue.txt | 0 makefu/1systems/gum/source.nix | 2 +- .../{nextgum => gum}/transfer-config.nix | 0 makefu/1systems/nextgum/config.nix | 195 ------------------ makefu/1systems/nextgum/hardware-config.nix | 99 --------- makefu/1systems/nextgum/source.nix | 5 - 9 files changed, 190 insertions(+), 437 deletions(-) rename makefu/1systems/{nextgum => gum}/rescue.txt (100%) rename makefu/1systems/{nextgum => gum}/transfer-config.nix (100%) delete mode 100644 makefu/1systems/nextgum/config.nix delete mode 100644 makefu/1systems/nextgum/hardware-config.nix delete mode 100644 makefu/1systems/nextgum/source.nix diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index e2152ea1a..94af67fc7 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -494,6 +494,8 @@ in { ip6.addr = "42:f9f0::10"; aliases = [ "omo.r" + "dcpp.omo.r" + "torrent.omo.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -554,7 +556,7 @@ in { ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5ZmJSypW3LXIJ67DdbxMxCfLtORFkl5jEuD131S5Tr"; }; - nextgum = rec { + gum = rec { ci = true; extraZones = { "krebsco.de" = '' 
@@ -563,6 +565,23 @@ in { graph IN A ${nets.internet.ip4.addr} gold IN A ${nets.internet.ip4.addr} iso.euer IN A ${nets.internet.ip4.addr} + wg.euer IN A ${nets.internet.ip4.addr} + photostore IN A ${nets.internet.ip4.addr} + o.euer IN A ${nets.internet.ip4.addr} + mon.euer IN A ${nets.internet.ip4.addr} + boot.euer IN A ${nets.internet.ip4.addr} + wiki.euer IN A ${nets.internet.ip4.addr} + pigstarter IN A ${nets.internet.ip4.addr} + cgit.euer IN A ${nets.internet.ip4.addr} + git.euer IN A ${nets.internet.ip4.addr} + euer IN A ${nets.internet.ip4.addr} + share.euer IN A ${nets.internet.ip4.addr} + gum IN A ${nets.internet.ip4.addr} + wikisearch IN A ${nets.internet.ip4.addr} + dl.euer IN A ${nets.internet.ip4.addr} + ghook IN A ${nets.internet.ip4.addr} + dockerhub IN A ${nets.internet.ip4.addr} + io IN NS gum.krebsco.de. ''; }; cores = 8; @@ -571,6 +590,7 @@ in { ip4.addr = "144.76.26.247"; ip6.addr = "2a01:4f8:191:12f6::2"; aliases = [ + "gum.i" "nextgum.i" ]; }; @@ -594,6 +614,16 @@ in { "stats.makefu.r" "backup.makefu.r" "dcpp.nextgum.r" + "gum.r" + "cgit.gum.r" + "o.gum.r" + "tracker.makefu.r" + "search.makefu.r" + "wiki.makefu.r" + "wiki.gum.r" + "blog.makefu.r" + "blog.gum.r" + "dcpp.gum.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- 
@@ -609,73 +639,7 @@ in { }; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum"; }; - - gum = rec { - ci = true; - cores = 2; - - extraZones = { - "krebsco.de" = '' - share.euer IN A ${nets.internet.ip4.addr} - mattermost.euer IN A ${nets.internet.ip4.addr} - gum IN A ${nets.internet.ip4.addr} - wikisearch IN A ${nets.internet.ip4.addr} - pigstarter IN A ${nets.internet.ip4.addr} - cgit.euer IN A ${nets.internet.ip4.addr} - euer IN A ${nets.internet.ip4.addr} - o.euer IN A ${nets.internet.ip4.addr} - git.euer IN A ${nets.internet.ip4.addr} - dl.euer IN A ${nets.internet.ip4.addr} - boot.euer IN A ${nets.internet.ip4.addr} - wiki.euer IN A ${nets.internet.ip4.addr} - mon.euer IN A ${nets.internet.ip4.addr} - ghook IN A ${nets.internet.ip4.addr} - dockerhub IN A ${nets.internet.ip4.addr} - photostore IN A ${nets.internet.ip4.addr} - io IN NS gum.krebsco.de. - ''; - }; - nets = rec { - internet = { - ip4.addr = "185.194.143.140"; - ip6.addr = "2a03:4000:1c:43f::1"; - aliases = [ - "gum.i" - ]; - }; - retiolum = { - via = internet; - ip4.addr = "10.243.0.211"; - ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d2"; - aliases = [ - "gum.r" - "cgit.gum.r" - "o.gum.r" - "tracker.makefu.r" - - "search.makefu.r" - "wiki.makefu.r" - "wiki.gum.r" - "blog.makefu.r" - "blog.gum.r" - "dcpp.gum.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY - BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3 - i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7 - 09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS - u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa - OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - # configured manually - # ssh.privkey.path = ; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum"; - }; 
+ shoney = rec { ci = true; cores = 1; diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index af2e6f6b0..118b5b9d4 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -8,16 +8,22 @@ in { imports = [ ./hardware-config.nix + ./transfer-config.nix + { + users.users.lass = { + uid = 9002; + isNormalUser = true; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = with config.krebs.users; [ + lass.pubkey + makefu.pubkey + ]; + }; + } # - - - # - # - - - # Security @@ -26,69 +32,90 @@ in { + + # + + # networking + + # + # + + # + + + # ci + # + + + + # services - - # - - - # + + - # network + # sharing + + + # + ## + # + { # ncdc + environment.systemPackages = [ pkgs.ncdc ]; + networking.firewall = { + allowedUDPPorts = [ 51411 ]; + allowedTCPPorts = [ 51411 ]; + }; + } + # + + ## network # + + + + - # buildbot - - - - ## Web + # Removed until move: no extra mails + + # Removed until move: avoid letsencrypt ban + ### Web # # - # - # - # + + + ## # # - # + + + + - # - # - # - # - # - - # - # - - # - - + + + + + # - # Temporary: + # sharing + + + + ## Temporary: # + - #{ - # services.dockerRegistry.enable = true; - # networking.firewall.allowedTCPPorts = [ 8443 ]; - - # services.nginx.virtualHosts."euer.krebsco.de" = { - # forceSSL = true; - # enableACME = true; - # extraConfig = '' - # client_max_body_size 1000M; - # ''; - # locations."/".proxyPass = "http://localhost:5000"; - # }; - #} - + # krebs infrastructure services + ]; makefu.dl-dir = "/var/download"; @@ -106,9 +133,7 @@ in { ListenAddress = ${external-ip} 21031 ''; connectTo = [ - "muhbaasu" "tahoe" "flap" "wry" - "ni" - "fastpoke" "prism" "dishfire" "echelon" "cloudkrebs" + "prism" "ni" "enklave" "dishfire" "echelon" "hotdog" ]; }; 
@@ -119,12 +144,21 @@ in { makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ]; }; + # Chat + environment.systemPackages = with pkgs;[ + weechat + bepasty-client-cli + tmux + ]; + + # Hardware + # Network networking = { firewall = { - allowPing = true; - logRefusedConnections = false; - allowedTCPPorts = [ + allowPing = true; + logRefusedConnections = false; + allowedTCPPorts = [ # smtp 25 # http @@ -152,9 +186,10 @@ in { # tinc-shack 21032 ]; - }; - nameservers = [ "8.8.8.8" ]; }; + nameservers = [ "8.8.8.8" ]; + }; users.users.makefu.extraGroups = [ "download" "nginx" ]; boot.tmpOnTmpfs = true; + state = [ "/home/makefu/.weechat" ]; } diff --git a/makefu/1systems/gum/hardware-config.nix b/makefu/1systems/gum/hardware-config.nix index a40709169..bfe29b46c 100644 --- a/makefu/1systems/gum/hardware-config.nix +++ b/makefu/1systems/gum/hardware-config.nix 
@@ -1,26 +1,24 @@ { config, ... }: let - external-mac = "2a:c5:6e:d2:fc:7f"; - main-disk = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi0-0-0-0"; - external-gw = "185.194.140.1"; + external-mac = "50:46:5d:9f:63:6b"; + main-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_13H8863AS"; + sec-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_23OJ2GJAS"; + external-gw = "144.76.26.225"; # single partition, label "nixos" # cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/809cf38 -L | tar zx ; mv * nixpkgs && touch .populate # static - external-ip = config.krebs.build.host.nets.internet.ip4.addr; - external-ip6 = config.krebs.build.host.nets.internet.ip6.addr; + external-ip = "144.76.26.247"; + external-ip6 = "2a01:4f8:191:12f6::2"; external-gw6 = "fe80::1"; - external-netmask = 22; + external-netmask = 27; external-netmask6 = 64; internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; ext-if = "et0"; # gets renamed on the fly in { imports = [ - - ]; - makefu.server.primary-itf = ext-if; services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}" 
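Review bot: `external-ip = "144.76.26.247";` and `external-ip6 = "2a01:4f8:191:12f6::2";` replace values that were previously derived from `config.krebs.build.host.nets.internet`, and the same literals are declared for host `gum` in krebs/3modules/makefu/default.nix in this commit, so there are now two places that must be kept in sync. If the literals are needed because `krebs.build.host` is forced to `nextgum` during the transfer (transfer-config.nix, imported by config.nix in this same commit), a comment on these two lines saying so will keep someone from reverting them to the derived form at the wrong moment. `sec-disk` is bound but referenced nowhere in either hunk of this file; presumably it is meant for the partitioning notes further down — confirm, or drop it. The attrset that follows `in {` continues past the end of this hunk.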
@@ -40,7 +38,62 @@ in { defaultGateway = external-gw; }; boot.kernelParams = [ ]; - boot.loader.grub.device = main-disk; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ]; - boot.kernelModules = [ "kvm-intel" ]; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.devices = [ main-disk ]; + boot.initrd.kernelModules = [ "dm-raid" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci" + "xhci_pci" "ehci_pci" "ahci" "sd_mod" + ]; + boot.kernelModules = [ "kvm-intel" ]; + hardware.enableRedistributableFirmware = true; + fileSystems."/" = { + device = "/dev/mapper/nixos-root"; + fsType = "ext4"; + }; + fileSystems."/var/lib" = { + device = "/dev/mapper/nixos-lib"; + fsType = "ext4"; + }; + fileSystems."/var/download" = { + device = "/dev/mapper/nixos-download"; + fsType = "ext4"; + }; + fileSystems."/var/lib/borgbackup" = { + device = "/dev/mapper/nixos-backup"; + fsType = "ext4"; + }; + fileSystems."/boot" = { + device = "/dev/sda2"; + fsType = "vfat"; + }; + # parted -s -a optimal "$disk" \ + # mklabel gpt \ + # mkpart no-fs 0 1024KiB \ + # set 1 bios_grub on \ + # mkpart ESP fat32 1025KiB 1024MiB set 2 boot on \ + # mkpart primary 1025MiB 100% + # parted -s -a optimal "/dev/sdb" \ + # mklabel gpt \ + # mkpart primary 1M 100% + + #mkfs.vfat /dev/sda2 + #pvcreate /dev/sda3 + #pvcreate /dev/sdb1 + #vgcreate nixos /dev/sda3 /dev/sdb1 + #lvcreate -L 120G -m 1 -n root nixos + #lvcreate -L 50G -m 1 -n lib nixos + #lvcreate -L 100G -n download nixos + #lvcreate -L 100G -n backup nixos + #mkfs.ext4 /dev/mapper/nixos-root + #mkfs.ext4 /dev/mapper/nixos-lib + #mkfs.ext4 /dev/mapper/nixos-download + #mkfs.ext4 /dev/mapper/nixos-borgbackup + #mount /dev/mapper/nixos-root /mnt + #mkdir /mnt/boot + #mount /dev/sda2 /mnt/boot + #mkdir -p /mnt/var/src + #touch /mnt/var/src/.populate + } 
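Review bot: `fileSystems."/boot".device = "/dev/sda2";` names the ESP by enumeration order while `main-disk` and `sec-disk` at the top of the file use `/dev/disk/by-id/...`; with two identical TOSHIBA drives the sda/sdb assignment can change between boots, so `/boot` should be referenced by id, UUID or label as well. `boot.initrd.availableKernelModules` lists `"ahci"` and `"sd_mod"` twice. In the commented setup transcript the volume is created as `#lvcreate -L 100G -n backup nixos` but formatted as `#mkfs.ext4 /dev/mapper/nixos-borgbackup`, while the `fileSystems` entry mounts `/dev/mapper/nixos-backup` — one of those names is a typo and the transcript is what the next reinstall will follow.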
diff --git a/makefu/1systems/nextgum/rescue.txt b/makefu/1systems/gum/rescue.txt similarity index 100% rename from makefu/1systems/nextgum/rescue.txt rename to makefu/1systems/gum/rescue.txt diff --git a/makefu/1systems/gum/source.nix b/makefu/1systems/gum/source.nix index 1e36c6e87..6940498f1 100644 --- a/makefu/1systems/gum/source.nix +++ b/makefu/1systems/gum/source.nix @@ -1,5 +1,5 @@ { - name="gum"; + name="nextgum"; torrent = true; clever_kexec = true; } diff --git a/makefu/1systems/nextgum/transfer-config.nix b/makefu/1systems/gum/transfer-config.nix similarity index 100% rename from makefu/1systems/nextgum/transfer-config.nix rename to makefu/1systems/gum/transfer-config.nix diff --git a/makefu/1systems/nextgum/config.nix b/makefu/1systems/nextgum/config.nix deleted file mode 100644 index 118b5b9d4..000000000 --- a/makefu/1systems/nextgum/config.nix +++ /dev/null 
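Review bot: After the rename, `makefu/1systems/gum/source.nix` carries `name="nextgum";` — the hunk replaces `name="gum"` with the old nextgum value, which reads backwards for a commit titled "nextgum.r becomes gum.r". If this is deliberate for the transition (transfer-config.nix in this same commit forces `krebs.build.host` to `config.krebs.hosts.nextgum`, so the source name may have to match until the move completes), say so in a comment next to the line, because patch 61 later deletes transfer-config.nix without touching this file and the name would then stay `nextgum` permanently.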
@@ -1,195 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -let - external-ip = config.krebs.build.host.nets.internet.ip4.addr; - ext-if = config.makefu.server.primary-itf; -in { - imports = [ - - ./hardware-config.nix - ./transfer-config.nix - { - users.users.lass = { - uid = 9002; - isNormalUser = true; - createHome = true; - useDefaultShell = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - makefu.pubkey - ]; - }; - } - - # - - # Security - - - # Tools - - - - - - # - - # networking - - # - # - - # - - - # ci - # - - - - - - # services - - - - # sharing - - - # - ## - # - { # ncdc - environment.systemPackages = [ pkgs.ncdc ]; - networking.firewall = { - allowedUDPPorts = [ 51411 ]; - allowedTCPPorts = [ 51411 ]; - }; - } - # - - ## network - - # - - - - - - - - # Removed until move: no extra mails - - # Removed until move: avoid letsencrypt ban - ### Web - # - # - - - - ## - # - # - - - - - - - - - - - - - # - - # sharing - - - - ## Temporary: - # - - - - # krebs infrastructure services - - ]; - makefu.dl-dir = "/var/download"; - - services.openssh.hostKeys = [ - { bits = 4096; path = (toString ); type = "rsa"; } - { path = (toString ); type = "ed25519"; } ]; - ###### stable - services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ]; - krebs.build.host = config.krebs.hosts.gum; - - krebs.tinc.retiolum = { - extraConfig = '' - ListenAddress = ${external-ip} 53 - ListenAddress = ${external-ip} 655 - ListenAddress = ${external-ip} 21031 - ''; - connectTo = [ - "prism" "ni" "enklave" "dishfire" "echelon" "hotdog" - ]; - }; - - - # access - users.users = { - root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ]; - makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ]; - }; - - # Chat - environment.systemPackages = with pkgs;[ - weechat - bepasty-client-cli - tmux - ]; - - # Hardware - - # Network - networking = { - firewall = { - 
allowPing = true; - logRefusedConnections = false; - allowedTCPPorts = [ - # smtp - 25 - # http - 80 443 - # httptunnel - 8080 8443 - # tinc - 655 - # tinc-shack - 21032 - # tinc-retiolum - 21031 - # taskserver - 53589 - # temp vnc - 18001 - # temp reverseshell - 31337 - ]; - allowedUDPPorts = [ - # tinc - 655 53 - # tinc-retiolum - 21031 - # tinc-shack - 21032 - ]; - }; - nameservers = [ "8.8.8.8" ]; - }; - users.users.makefu.extraGroups = [ "download" "nginx" ]; - boot.tmpOnTmpfs = true; - state = [ "/home/makefu/.weechat" ]; -} diff --git a/makefu/1systems/nextgum/hardware-config.nix b/makefu/1systems/nextgum/hardware-config.nix deleted file mode 100644 index bfe29b46c..000000000 --- a/makefu/1systems/nextgum/hardware-config.nix +++ /dev/null 
@@ -1,99 +0,0 @@ -{ config, ... }: -let - external-mac = "50:46:5d:9f:63:6b"; - main-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_13H8863AS"; - sec-disk = "/dev/disk/by-id/ata-TOSHIBA_DT01ACA300_23OJ2GJAS"; - external-gw = "144.76.26.225"; - # single partition, label "nixos" - # cd /var/src; curl https://github.com/nixos/nixpkgs/tarball/809cf38 -L | tar zx ; mv * nixpkgs && touch .populate - - - # static - external-ip = "144.76.26.247"; - external-ip6 = "2a01:4f8:191:12f6::2"; - external-gw6 = "fe80::1"; - external-netmask = 27; - external-netmask6 = 64; - internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; - ext-if = "et0"; # gets renamed on the fly -in { - imports = [ - ]; - makefu.server.primary-itf = ext-if; - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="${external-mac}", NAME="${ext-if}" - ''; - networking = { - interfaces."${ext-if}" = { - ipv4.addresses = [{ - address = external-ip; - prefixLength = external-netmask; - }]; - ipv6.addresses = [{ - address = external-ip6; - prefixLength = external-netmask6; - }]; - }; - defaultGateway6 = external-gw6; - defaultGateway = external-gw; - }; - boot.kernelParams = [ ]; - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.devices = [ main-disk ]; - boot.initrd.kernelModules = [ "dm-raid" ]; - boot.initrd.availableKernelModules = [ - "ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci" - "xhci_pci" "ehci_pci" "ahci" "sd_mod" - ]; - boot.kernelModules = [ "kvm-intel" ]; - hardware.enableRedistributableFirmware = true; - fileSystems."/" = { - device = "/dev/mapper/nixos-root"; - fsType = "ext4"; - }; - fileSystems."/var/lib" = { - device = "/dev/mapper/nixos-lib"; - fsType = "ext4"; - }; - fileSystems."/var/download" = { - device = "/dev/mapper/nixos-download"; - fsType = "ext4"; - }; - fileSystems."/var/lib/borgbackup" = { - device = "/dev/mapper/nixos-backup"; - fsType = "ext4"; - }; - fileSystems."/boot" = { - device = "/dev/sda2"; - fsType = "vfat"; - 
}; - # parted -s -a optimal "$disk" \ - # mklabel gpt \ - # mkpart no-fs 0 1024KiB \ - # set 1 bios_grub on \ - # mkpart ESP fat32 1025KiB 1024MiB set 2 boot on \ - # mkpart primary 1025MiB 100% - # parted -s -a optimal "/dev/sdb" \ - # mklabel gpt \ - # mkpart primary 1M 100% - - #mkfs.vfat /dev/sda2 - #pvcreate /dev/sda3 - #pvcreate /dev/sdb1 - #vgcreate nixos /dev/sda3 /dev/sdb1 - #lvcreate -L 120G -m 1 -n root nixos - #lvcreate -L 50G -m 1 -n lib nixos - #lvcreate -L 100G -n download nixos - #lvcreate -L 100G -n backup nixos - #mkfs.ext4 /dev/mapper/nixos-root - #mkfs.ext4 /dev/mapper/nixos-lib - #mkfs.ext4 /dev/mapper/nixos-download - #mkfs.ext4 /dev/mapper/nixos-borgbackup - #mount /dev/mapper/nixos-root /mnt - #mkdir /mnt/boot - #mount /dev/sda2 /mnt/boot - #mkdir -p /mnt/var/src - #touch /mnt/var/src/.populate - -} diff --git a/makefu/1systems/nextgum/source.nix b/makefu/1systems/nextgum/source.nix deleted file mode 100644 index 6940498f1..000000000 --- a/makefu/1systems/nextgum/source.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ - name="nextgum"; - torrent = true; - clever_kexec = true; -} From 51fe1cf77b1d66a75c8ad86bec231a889f11ed86 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 5 Nov 2018 16:48:37 +0100 Subject: [PATCH 60/74] Revert "ma nixpkgs: 86fb1e9 -> bf46294" ... for now This reverts commit 9520ee2c51b49a0e6cb0c96f9ab1724381e0e9cd. --- makefu/nixpkgs.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/makefu/nixpkgs.json b/makefu/nixpkgs.json index 73798f44d..c5cd0ac30 100644 --- a/makefu/nixpkgs.json +++ b/makefu/nixpkgs.json 
@@ -1,7 +1,7 @@ { "url": "https://github.com/makefu/nixpkgs", - "rev": "bf46294e4cf20649182f76fc9200a48436f5874a", - "date": "2018-09-18T02:20:45+02:00", - "sha256": "13900gack7pgf5a7c11x30rzb3s0kjpbm2z2g8fw4720cr9lkd94", - "fetchSubmodules": false + "rev": "86fb1e9ae6ba6dfedc814b82abd8db5cfa4f4687", + "date": "2018-10-07T23:33:42+02:00", + "sha256": "015yxs3qj299mgqfmz5vgszj2gxqwazifsdsjw6xadris3ri41d3", + "fetchSubmodules": true } From 8b57f04ff84b53742ef6a8a9677560745075ffb1 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 5 Nov 2018 18:18:35 +0100 Subject: [PATCH 61/74] ma gum.r: bye transfer-config --- makefu/1systems/gum/config.nix | 1 - makefu/1systems/gum/transfer-config.nix | 7 ------- 2 files changed, 8 deletions(-) delete mode 100644 makefu/1systems/gum/transfer-config.nix diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 118b5b9d4..3d2cbac6f 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -8,7 +8,6 @@ in { imports = [ ./hardware-config.nix - ./transfer-config.nix { users.users.lass = { uid = 9002; diff --git a/makefu/1systems/gum/transfer-config.nix b/makefu/1systems/gum/transfer-config.nix deleted file mode 100644 index 92df60195..000000000 --- a/makefu/1systems/gum/transfer-config.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, lib, ... }: -# configuration which is only required for the time of the transfer -{ - krebs.tinc.retiolum.connectTo = [ "gum" ]; - krebs.build.host = lib.mkForce config.krebs.hosts.nextgum; -} - From 70bffd8b90a7740546a20dbbdd6730ab00c7158b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 18:47:06 +0100 Subject: [PATCH 62/74] hotdog.r: remove import of gitlab-runner-shackspace --- krebs/1systems/hotdog/config.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 0a848426c..cf72e0d73 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix 
@@ -10,7 +10,6 @@ - From 6416e2637665a99c7efc07d036a023463500fefe Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 18:47:34 +0100 Subject: [PATCH 63/74] realwallpaper: e056328 -> 847faeb --- krebs/5pkgs/simple/realwallpaper/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/krebs/5pkgs/simple/realwallpaper/default.nix b/krebs/5pkgs/simple/realwallpaper/default.nix index 15cc277a5..7c9812117 100644 --- a/krebs/5pkgs/simple/realwallpaper/default.nix +++ b/krebs/5pkgs/simple/realwallpaper/default.nix @@ -5,8 +5,8 @@ stdenv.mkDerivation { src = fetchgit { url = https://github.com/Lassulus/realwallpaper; - rev = "e0563289c2ab592b669ce4549fc40130246e9d79"; - sha256 = "1zgk8ips2d686216h203w62wrw7zy9z0lrndx9f8z6f1vpvjcmqc"; + rev = "847faebc9b7e87e4bea078e3a2304ec00b4cdfc0"; + sha256 = "10zihkwj9vpshlxw2jk67zbsy8g4i8b1y4jzna9fdcsgn7s12jrr"; }; phases = [ From df660ff2fa05a624903b0b8c93b84c2fef3eb4e8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 18:49:05 +0100 Subject: [PATCH 64/74] l archprism.r: new hfos ip --- lass/1systems/archprism/config.nix | 4 ++-- lass/1systems/archprism/physical.nix | 20 ++++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix index 0a286c6f0..e6eddf8b2 100644 --- a/lass/1systems/archprism/config.nix +++ b/lass/1systems/archprism/config.nix 
@@ -36,10 +36,10 @@ with import ; # TODO write function for proxy_pass (ssl/nonssl) krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.179"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; } + { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.179"; } ]; } { diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix index 56348d0ab..36de7dc17 100644 --- a/lass/1systems/archprism/physical.nix +++ b/lass/1systems/archprism/physical.nix @@ -14,16 +14,16 @@ }; }; # TODO use this network config - #networking.interfaces.et0.ipv4.addresses = [ - # { - # address = config.krebs.build.host.nets.internet.ip4.addr; - # prefixLength = 27; - # } - # { - # address = "46.4.114.243"; - # prefixLength = 27; - # } - #]; + networking.interfaces.eth0.ipv4.addresses = [ + { + address = config.krebs.build.host.nets.internet.ip4.addr; + prefixLength = 27; + } + { + address = "46.4.114.243"; + prefixLength = 27; + } + ]; #networking.defaultGateway = "46.4.114.225"; #networking.nameservers = [ # "8.8.8.8" From 3902f97c56cd374c67374b57357811621d8cec29 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 18:53:16 +0100 Subject: [PATCH 65/74] l prism.r: remove deprecated grub workaround --- lass/1systems/prism/config.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index bf7de6fc5..01479b69c 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
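Review bot: Both rewritten rules are keyed on `-d` alone, so every protocol and port on 192.168.122.179 is reachable from the public 46.4.114.243 address after the DNAT; if whole-host exposure is intended (the guest runs its own firewall, say), a comment above `krebs.iptables.tables.filter.FORWARD.rules` stating that would help, otherwise narrow them with `-p tcp --dport …`. The address change itself is a straight replacement in both hunks.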
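Review bot: `# TODO use this network config` now sits directly above configuration that is live, so the TODO is stale; remove it or reword it to say what still needs doing — `networking.defaultGateway` and `networking.nameservers` remain commented out below it, so presumably those come from another module (confirm). The interface name also changed from `et0` in the commented block to `eth0`; a short note that this relies on predictable interface names being disabled (or on a udev rename elsewhere) would save the reader a search.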
@@ -349,8 +349,6 @@ with import ; ]; krebs.build.host = config.krebs.hosts.prism; - # workaround because grub store paths are broken - boot.copyKernels = true; services.earlyoom = { enable = true; freeMemThreshold = 5; From cf22b956cd0f11a25c09c6e04b440dd456a23e03 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 18:56:25 +0100 Subject: [PATCH 66/74] l prism.r: new physical host --- lass/1systems/prism/physical.nix | 119 +++++++++++++------------------ 1 file changed, 49 insertions(+), 70 deletions(-) diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index 56348d0ab..4388c13fa 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix 
@@ -1,77 +1,56 @@ { config, lib, pkgs, ... }: + { + imports = [ ./config.nix - { - boot.kernelParams = [ "net.ifnames=0" ]; - networking = { - defaultGateway = "46.4.114.225"; - # Use google's public DNS server - nameservers = [ "8.8.8.8" ]; - interfaces.eth0 = { - ipAddress = "46.4.114.247"; - prefixLength = 27; - }; - }; - # TODO use this network config - #networking.interfaces.et0.ipv4.addresses = [ - # { - # address = config.krebs.build.host.nets.internet.ip4.addr; - # prefixLength = 27; - # } - # { - # address = "46.4.114.243"; - # prefixLength = 27; - # } - #]; - #networking.defaultGateway = "46.4.114.225"; - #networking.nameservers = [ - # "8.8.8.8" - #]; - #services.udev.extraRules = '' - # SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" - #''; - } - { - imports = [ ]; - - networking.hostId = "fb4173ea"; - boot.loader.grub = { - devices = [ - "/dev/sda" - "/dev/sdb" - ]; - splashImage = null; - }; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "vmw_pvscsi" - "ahci" "sd_mod" - ]; - - boot.kernelModules = [ "kvm-intel" ]; - - sound.enable = false; - nixpkgs.config.allowUnfree = true; - time.timeZone = "Europe/Berlin"; - - fileSystems."/" = { - device = "rpool/root/nixos"; - fsType = "zfs"; - }; - - fileSystems."/home" = { - device = "rpool/home"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d"; - fsType = "ext4"; - }; - - } + ]; + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ]; + boot.kernelModules = [ "kvm-intel" ]; + + fileSystems."/" = { + device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/d155d6ff-8e89-4876-a9e7-d1b7ba6a4804"; + fsType = "ext4"; + }; + + fileSystems."/srv/http" = { + device = "tank/srv-http"; + fsType = "zfs"; + }; + + fileSystems."/var/lib/containers" = { + device = "tank/containers"; + fsType = "zfs"; + }; + + fileSystems."/home" = { + device = "tank/home"; + 
fsType = "zfs"; + }; + + nix.maxJobs = lib.mkDefault 8; + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ]; + + boot.kernelParams = [ "net.ifnames=0" ]; + networking = { + hostId = "2283aaae"; + defaultGateway = "95.216.1.129"; + # Use google's public DNS server + nameservers = [ "8.8.8.8" ]; + interfaces.eth0 = { + ipAddress = "95.216.1.150"; + prefixLength = 26; + }; + }; } From 2912ca43a9607f88780535fc32c5ad0a43d7bd3a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 19:00:04 +0100 Subject: [PATCH 67/74] l blue: add l-gen-secrets --- lass/2configs/blue.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix index 68f2256cf..4d4a92eb9 100644 --- a/lass/2configs/blue.nix +++ b/lass/2configs/blue.nix @@ -15,6 +15,7 @@ with (import ); dic nmap git-preview + l-gen-secrets ]; services.tor.enable = true; From 95c9cd185bdd29b19454a771d5a98d7c594d7cdb Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 19:02:49 +0100 Subject: [PATCH 68/74] l ciko: chmod +x --- lass/2configs/ciko.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lass/2configs/ciko.nix b/lass/2configs/ciko.nix index b08cf9307..6818db460 100644 --- a/lass/2configs/ciko.nix +++ b/lass/2configs/ciko.nix @@ -19,5 +19,9 @@ with import ; "slash16.net" ]; }; + + system.activationScripts.user-shadow = '' + ${pkgs.coreutils}/bin/chmod +x /home/ciko + ''; } From 4a5608ba7bb92450ca5c3ef5567818d65b0330a9 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 19:03:08 +0100 Subject: [PATCH 69/74] l: add neocron@lassul.us --- lass/2configs/exim-smarthost.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 6ef3c8595..733115a74 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix 
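Review bot: `interfaces.eth0 = { ipAddress = "95.216.1.150"; prefixLength = 26; };` keeps the legacy flat address options, while patch 64 in this same series moves archprism's physical.nix to `interfaces.eth0.ipv4.addresses = [ { address = …; prefixLength = …; } ]`; the two physical.nix files should use the same form, and the list form is the one current NixOS documents. `boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];` names the disks by enumeration order even though the `fileSystems."/boot"` entry just above uses `/dev/disk/by-uuid/...`; the same stable naming would suit the GRUB targets.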
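Review bot: `chmod +x /home/ciko` sets the execute bit for owner, group and others (subject to the activation script's umask), which makes the home directory traversable by every local user, so any group- or world-readable file under it becomes reachable by them. If the goal is to let a particular service user cross into the directory, state the mode explicitly — `${pkgs.coreutils}/bin/chmod 0711 /home/ciko` or `chmod o+x` — so the result does not depend on umask, and name the activation script after what it does (`user-shadow` does not describe a chmod). The same umask-dependent `chmod +x` form is used for `/var/spool` in the `spool-chmod` script of patch 71.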
@@ -90,6 +90,7 @@ with import ; { from = "afra@lassul.us"; to = lass.mail; } { from = "ksp@lassul.us"; to = lass.mail; } { from = "ccc@lassul.us"; to = lass.mail; } + { from = "neocron@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } From 93b4db56dfbb4981e5732cad981fba899c1309ce Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 19:03:43 +0100 Subject: [PATCH 70/74] l games: add steam-run & dolphinEmu to pkgs --- lass/2configs/games.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 17c3cf3be..49602898e 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -75,6 +75,8 @@ in { packages = with pkgs; [ ftb minecraft + steam-run + dolphinEmu ]; }; }; From ab6b32baa7282a5127def657dc0e595464b0bf9c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 19:13:01 +0100 Subject: [PATCH 71/74] l git: chmod +x /var/spool --- lass/2configs/git.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index c5b5c01fb..62173e33f 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -21,6 +21,10 @@ let krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } ]; + + system.activationScripts.spool-chmod = '' + ${pkgs.coreutils}/bin/chmod +x /var/spool + ''; }; cgit-clear-cache = pkgs.cgit-clear-cache.override { From 1c473c7c203e30aa7f48715c965786350084f901 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 19:15:11 +0100 Subject: [PATCH 72/74] l mail: add nix@lassul.us to nix ml --- lass/2configs/mail.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index e50689254..46939c97e 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix 
@@ -51,7 +51,7 @@ let gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ]; kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ]; lugs = [ "to:lugs@lug-s.org" ]; - nix-devel = [ "to:nix-devel@googlegroups.com" ]; + nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ]; patreon = [ "to:patreon@lassul.us" ]; paypal = [ "to:paypal@lassul.us" ]; ptl = [ "to:ptl@posttenebraslab.ch" ]; From 70c12e9b021d2b5e532110713a6456ab312f6b64 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 19:38:54 +0100 Subject: [PATCH 73/74] l sqlBackup: remove mysql_password --- lass/2configs/websites/sqlBackup.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix index 2fffa6cc9..897e35e61 100644 --- a/lass/2configs/websites/sqlBackup.nix +++ b/lass/2configs/websites/sqlBackup.nix @@ -11,7 +11,6 @@ enable = true; dataDir = "/var/mysql"; package = pkgs.mariadb; - rootPassword = config.krebs.secret.files.mysql_rootPassword.path; }; systemd.services.mysql = { From 62aebdf0584ee8c512da2f9a8d12d87995266484 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 10 Nov 2018 19:39:07 +0100 Subject: [PATCH 74/74] l ejabberd: allow registration --- lass/3modules/ejabberd/config.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix index 68bcfa340..e7288313a 100644 --- a/lass/3modules/ejabberd/config.nix +++ b/lass/3modules/ejabberd/config.nix @@ -96,9 +96,9 @@ in /* yaml */ '' mod_privacy: {} mod_private: {} mod_register: - access_from: deny + access_from: allow access: register - ip_access: trusted_network + # ip_access: trusted_network registration_watchers: ${toJSON config.registration_watchers} mod_roster: {} mod_shared_roster: {}
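Review bot: Removing `rootPassword` changes what protects the MariaDB root account, and nothing in the hunk says what replaces it. If the intent is to rely on local unix-socket authentication for root, a one-line comment on the `package = pkgs.mariadb;` line saying so would document the decision; if the database under `dataDir = "/var/mysql"` was already initialised with the secret, the old password stays in effect and the option was merely dead — the commit message does not tell the reader which case applies. The `systemd.services.mysql` block that follows, which presumably runs the backup as root, starts inside this hunk but continues past it — confirm it still authenticates after this change.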
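Review bot: `access_from: allow` together with commenting out `ip_access: trusted_network` opens in-band registration to any client from any address, and no rate limit or CAPTCHA is visible in this hunk, which is the configuration that tends to fill a server with spam accounts. If open registration is the goal, keep an `ip_access` rule or add `captcha_protected: true` under `mod_register` and a top-level `registration_timeout`, and keep `registration_watchers` populated so new accounts are at least reported. The `/* yaml */` string this lives in starts before the hunk.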