Merge remote-tracking branch 'origin/master'

This commit is contained in:
jeschli 2018-09-25 19:56:06 +02:00
commit 8834d1a9ff
143 changed files with 1931 additions and 1346 deletions


@ -13,10 +13,7 @@ import <nixpkgs/nixos/lib/eval-config.nix> {
(attrNames (filterAttrs (_: eq "directory") (readDir (<stockholm> + "/${ns}/1systems")))) (attrNames (filterAttrs (_: eq "directory") (readDir (<stockholm> + "/${ns}/1systems"))))
(name: let (name: let
config = import (<stockholm> + "/${ns}/1systems/${name}/config.nix"); config = import (<stockholm> + "/${ns}/1systems/${name}/config.nix");
source = import (<stockholm> + "/${ns}/1systems/${name}/source.nix");
in import <nixpkgs/nixos/lib/eval-config.nix> { in import <nixpkgs/nixos/lib/eval-config.nix> {
modules = [ config ]; modules = [ config ];
} // {
inherit source;
}); });
} }


@ -1,4 +0,0 @@
import <stockholm/jeschli/source.nix> {
name = "bolide";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/jeschli/source.nix> {
name = "brauerei";
secure = true;
}


@ -1,3 +0,0 @@
import <stockholm/jeschli/source.nix> {
name = "enklave";
}


@ -1,4 +0,0 @@
import <stockholm/jeschli/source.nix> {
name = "reagenzglas";
secure = true;
}


@ -1,26 +0,0 @@
with import <stockholm/lib>;
host@{ name, secure ? false, override ? {} }: let
builder = if getEnv "dummy_secrets" == "true"
then "buildbot"
else "jeschli";
_file = <stockholm> + "/jeschli/1systems/${name}/source.nix";
pkgs = import <nixpkgs> {
overlays = map import [
<stockholm/krebs/5pkgs>
<stockholm/submodules/nix-writers/pkgs>
];
};
in
evalSource (toString _file) [
{
nixos-config.symlink = "stockholm/jeschli/1systems/${name}/config.nix";
nixpkgs = (import <stockholm/krebs/source.nix> host).nixpkgs;
secrets.file = getAttr builder {
buildbot = toString <stockholm/jeschli/2configs/tests/dummy-secrets>;
jeschli = "${getEnv "HOME"}/secrets/${name}";
};
stockholm.file = toString <stockholm>;
stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
}
override
]


@ -44,11 +44,6 @@ let
exec >&2 exec >&2
source=${pkgs.writeJSON "source.json" populate-source} source=${pkgs.writeJSON "source.json" populate-source}
LOGNAME=krebs ${pkgs.populate}/bin/populate --force root@server:22/var/src/ < "$source" LOGNAME=krebs ${pkgs.populate}/bin/populate --force root@server:22/var/src/ < "$source"
# TODO: make deploy work
#LOGNAME=krebs ${pkgs.stockholm}/bin/deploy \
# --force-populate \
# --source=${./data/test-source.nix} \
# --system=server \
''; '';
minimalSystem = (import <nixpkgs/nixos/lib/eval-config.nix> { minimalSystem = (import <nixpkgs/nixos/lib/eval-config.nix> {
modules = [ modules = [


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "hotdog";
}


@ -1,13 +0,0 @@
with import <stockholm/lib>;
let
pkgs = import <nixpkgs> {};
nixpkgs = builtins.fetchTarball {
url = https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz;
};
in import <stockholm/krebs/source.nix> {
name = "onebutton";
override.nixpkgs = mkForce {
file = toString nixpkgs;
};
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "puyak";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-all-krebs-modules";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-arch";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-centos6";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-centos7";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-failing";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "test-minimal-deploy";
}


@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "wolf";
}


@ -1,47 +1,11 @@
{ config, pkgs, ... }: with import <stockholm/lib>; { config, ... }: with import <stockholm/lib>;
let
hostname = config.networking.hostName;
sourceRepos = [
"http://cgit.enklave.r/stockholm"
"http://cgit.gum.r/stockholm"
"http://cgit.hotdog.r/stockholm"
"http://cgit.ni.r/stockholm"
"http://cgit.prism.r/stockholm"
];
# usage: build USER HOST
# This executable is meant to be run with <stockholm> as working directory.
# USER is expected to be a subdirectory of the working directory.
build = pkgs.writeDash "build" ''
set -efu
user=$1
host=$2
result=$(nix-build \
--argstr name "$host" \
--argstr target "$HOME"/stockholm-build \
--attr test \
--no-build-output \
--no-out-link \
--show-trace \
"$user"/krops.nix \
)
exec "$result"
'';
in
{ {
networking.firewall.allowedTCPPorts = [ 80 ]; networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = { services.nginx = {
enable = true; enable = true;
virtualHosts.build = { virtualHosts.build = {
serverAliases = [ "build.${hostname}.r" ]; serverAliases = [ "build.${config.networking.hostName}.r" ];
locations."/".extraConfig = '' locations."/".extraConfig = ''
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
@ -49,155 +13,28 @@ in
''; '';
}; };
}; };
krebs.ci = {
krebs.buildbot.master = {
slaves = {
testslave = "lasspass";
};
change_source.stockholm = concatMapStrings (repo: ''
cs.append(
changes.GitPoller(
"${repo}",
workdir='stockholm${elemAt(splitString "." repo) 1}', branches=True,
project='stockholm',
pollinterval=10
)
)
'') sourceRepos;
scheduler = {
auto-scheduler = ''
sched.append(
schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch_re=".*"),
treeStableTimer=60,
name="build-all-branches",
builderNames=[
"hosts",
]
)
)
'';
force-scheduler = ''
sched.append(
schedulers.ForceScheduler(
name="hosts",
builderNames=[
"hosts",
]
)
)
'';
};
builder_pre = ''
# prepare grab_repo step for stockholm
grab_repo = steps.Git(
repourl=util.Property('repository', 'http://cgit.hotdog.r/stockholm'),
mode='full',
submodules=True,
)
'';
builder = {
hosts = ''
from buildbot import interfaces
from buildbot.steps.shell import ShellCommand
class StepToStartMoreSteps(ShellCommand):
def __init__(self, **kwargs):
ShellCommand.__init__(self, **kwargs)
def addBuildSteps(self, steps_factories):
for sf in steps_factories:
step = interfaces.IBuildStepFactory(sf).buildStep()
step.setBuild(self.build)
step.setBuildSlave(self.build.slavebuilder.slave)
step_status = self.build.build_status.addStepWithName(step.name)
step.setStepStatus(step_status)
self.build.steps.append(step)
def start(self):
props = self.build.getProperties()
hosts = json.loads(props.getProperty('hosts_json'))
for host in hosts:
user = hosts[host]['owner']
self.addBuildSteps([steps.ShellCommand(
name=str(host),
env={
"NIX_PATH": "secrets=/var/src/stockholm/null:stockholm=./:/var/src",
"NIX_REMOTE": "daemon",
},
command=[
"${build}", user, host
],
timeout=90001,
workdir='build', # TODO figure out why we need this?
)])
ShellCommand.start(self)
f = util.BuildFactory()
f.addStep(grab_repo)
f.addStep(steps.SetPropertyFromCommand(
env={
"NIX_PATH": "secrets=/var/src/stockholm/null:stockholm=./:/var/src",
"NIX_REMOTE": "daemon",
},
name="get_hosts",
command=["nix-instantiate", "--json", "--strict", "--eval", "-E", """
with import <nixpkgs> {};
let
eval-config = cfg:
import <nixpkgs/nixos/lib/eval-config.nix> {
modules = [
(import cfg)
];
}
;
system = eval-config ./krebs/1systems/hotdog/config.nix; # TODO put a better config here
ci-systems = lib.filterAttrs (_: v: v.ci) system.config.krebs.hosts;
filtered-attrs = lib.mapAttrs ( n: v: {
owner = v.owner.name;
}) ci-systems;
in filtered-attrs
"""],
property="hosts_json"
))
f.addStep(StepToStartMoreSteps(command=["echo"])) # TODO remove dummy command from here
bu.append(
util.BuilderConfig(
name="hosts",
slavenames=slavenames,
factory=f
)
)
'';
};
enable = true; enable = true;
web.enable = true; repos = {
irc = { disko.urls = [
enable = true; "http://cgit.gum.r/disko"
nick = "build|${hostname}"; "http://cgit.hotdog.r/disko"
server = "irc.r"; "http://cgit.ni.r/disko"
channels = [ "noise" "xxx" ]; "http://cgit.prism.r/disko"
allowForce = true; ];
nix_writers.urls = [
"http://cgit.hotdog.r/nix-writers"
"http://cgit.ni.r/nix-writers"
"http://cgit.prism.r/nix-writers"
"https://git.ingolf-wagner.de/krebs/nix-writers.git"
];
stockholm.urls = [
"http://cgit.enklave.r/stockholm"
"http://cgit.gum.r/stockholm"
"http://cgit.hotdog.r/stockholm"
"http://cgit.ni.r/stockholm"
"http://cgit.prism.r/stockholm"
];
}; };
extraConfig = ''
c['buildbotURL'] = "http://build.${hostname}.r/"
'';
};
krebs.buildbot.slave = {
enable = true;
masterhost = "localhost";
username = "testslave";
password = "lasspass";
packages = with pkgs; [ gnumake jq nix populate gnutar lzma gzip ];
}; };
} }
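Review bot: The new `repos` block lists every URL the CI polls but says nothing about trust, and since a build runs whatever the polled repository contains, each listed URL is effectively a source of build code for the builder; `nix_writers.urls` also mixes the retiolum-internal `http://cgit.*.r` endpoints with the external `https://git.ingolf-wagner.de/krebs/nix-writers.git`. Suggest a comment above `repos = {` such as `# every URL below is polled and built as-is; each entry is a trusted source of build code` and, if `krebs.ci` treats the entries as interchangeable mirrors, a note on which one is canonical when they diverge. How `krebs.ci` consumes `urls` is not visible here, so whether the `NIX_PATH`/`secrets=...null` isolation of the removed inline builder is preserved by the module cannot be confirmed from this hunk.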


@ -49,6 +49,7 @@ with import <stockholm/lib>;
users.mutableUsers = false; users.mutableUsers = false;
users.extraUsers.root.openssh.authorizedKeys.keys = [ users.extraUsers.root.openssh.authorizedKeys.keys = [
# TODO # TODO
config.krebs.users.jeschli-brauerei.pubkey
config.krebs.users.lass.pubkey config.krebs.users.lass.pubkey
config.krebs.users.lass-mors.pubkey config.krebs.users.lass-mors.pubkey
config.krebs.users.makefu.pubkey config.krebs.users.makefu.pubkey
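Review bot: The `# TODO` above the root `authorizedKeys` list still has no subject, so with a third user key (`jeschli-brauerei`) being added it is unclear what is pending or why these particular users get root login on this host. Suggest giving the marker a subject, e.g. `# TODO: document which users need root here and why; every key below grants full root SSH access`, or dropping the marker if nothing is pending. The enclosing `users` block continues outside the hunk.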


@ -10,6 +10,7 @@ with import <stockholm/lib>;
]; ];
extraEnviron = { extraEnviron = {
REAKTOR_HOST = "irc.freenode.org"; REAKTOR_HOST = "irc.freenode.org";
REAKTOR_NICKSERV_PASSWORD = "/var/lib/Reaktor/reaktor_nickserv_password";
}; };
plugins = with pkgs.ReaktorPlugins; [ plugins = with pkgs.ReaktorPlugins; [
sed-plugin sed-plugin
@ -21,4 +22,9 @@ with import <stockholm/lib>;
(attrValues (todo "agenda")) (attrValues (todo "agenda"))
; ;
}; };
krebs.secret.files.nix-serve-key = {
path = "/var/lib/Reaktor/reaktor_nickserv_password";
owner.name = "Reaktor";
source-path = toString <secrets> + "/reaktor_nickserv_password";
};
} }
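Review bot: The new secret is declared as `krebs.secret.files.nix-serve-key` although it carries the Reaktor NickServ password, so the attribute name is misleading and will collide with any other module on the same host that declares `nix-serve-key` (the module system would merge both into one secret definition). Rename it to match its content, e.g. `krebs.secret.files.reaktor-nickserv-password = {`. In the first hunk, `REAKTOR_NICKSERV_PASSWORD` is set to the file path rather than the password itself; that is presumably what Reaktor 0.6.0 expects, but nothing here shows it, so a comment such as `# path to a file holding the password; Reaktor reads the file, not the variable` would be worth adding once confirmed.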


@ -4,7 +4,7 @@ with import <stockholm/lib>;
{ {
krebs.Reaktor.retiolum = { krebs.Reaktor.retiolum = {
nickname = "Reaktor|lass"; nickname = "Reaktor|lass";
channels = [ "#xxx" ]; channels = [ "#noise" "#xxx" ];
extraEnviron = { extraEnviron = {
REAKTOR_HOST = "irc.r"; REAKTOR_HOST = "irc.r";
}; };


@ -122,6 +122,7 @@ let
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
environment = { environment = {
GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
PYTHONPATH = "${pkgs.Reaktor}/lib/python3.6/site-packages";
REAKTOR_NICKNAME = botcfg.nickname; REAKTOR_NICKNAME = botcfg.nickname;
REAKTOR_DEBUG = (if botcfg.debug then "True" else "False"); REAKTOR_DEBUG = (if botcfg.debug then "True" else "False");
REAKTOR_CHANNELS = lib.concatStringsSep "," botcfg.channels; REAKTOR_CHANNELS = lib.concatStringsSep "," botcfg.channels;
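Review bot: `PYTHONPATH` hard-codes `lib/python3.6/site-packages`, so the Reaktor service will silently stop finding its modules as soon as `pkgs.python3` moves to another minor version. The path can be derived from the interpreter instead, e.g. `PYTHONPATH = "${pkgs.Reaktor}/${pkgs.python3.sitePackages}";` — this assumes `pkgs.Reaktor` is built against `pkgs.python3`, which the `python3Packages.buildPythonPackage` call later in this commit suggests but this hunk does not show. The enclosing `environment` set continues outside the hunk.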


@ -53,7 +53,7 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
system.activationScripts.announce-activation = '' system.activationScripts.announce-activation = stringAfter [ "etc" ] ''
${announce-activation} ${announce-activation}
''; '';
}; };


@ -82,6 +82,7 @@ let
irc = words.IRC("${cfg.irc.server}", "${cfg.irc.nick}", irc = words.IRC("${cfg.irc.server}", "${cfg.irc.nick}",
channels=${builtins.toJSON cfg.irc.channels}, channels=${builtins.toJSON cfg.irc.channels},
notify_events={ notify_events={
'started': 1,
'success': 1, 'success': 1,
'failure': 1, 'failure': 1,
'exception': 1, 'exception': 1,


@ -160,8 +160,6 @@ let
# TODO: maybe also prepare buildbot.tac? # TODO: maybe also prepare buildbot.tac?
ExecStartPre = pkgs.writeDash "buildbot-master-init" '' ExecStartPre = pkgs.writeDash "buildbot-master-init" ''
set -efux set -efux
#remove garbage from old versions
rm -rf ${workdir}
mkdir -p ${workdir}/info mkdir -p ${workdir}/info
cp ${buildbot-slave-init} ${workdir}/buildbot.tac cp ${buildbot-slave-init} ${workdir}/buildbot.tac
echo ${contact} > ${workdir}/info/admin echo ${contact} > ${workdir}/info/admin


@ -26,8 +26,8 @@ let
hostname = config.networking.hostName; hostname = config.networking.hostName;
getJobs = pkgs.writeDash "get_jobs" '' getJobs = pkgs.writeDash "get_jobs" ''
nix-build --no-out-link ./ci.nix 2>&1 > /dev/null nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null
nix-instantiate --eval --strict --json ./ci.nix nix-instantiate --quiet -Q --eval --strict --json ./ci.nix
''; '';
imp = { imp = {
@ -53,9 +53,12 @@ let
nameValuePair name '' nameValuePair name ''
sched.append( sched.append(
schedulers.SingleBranchScheduler( schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch_re=".*"), change_filter=util.ChangeFilter(
branch_re=".*",
project='${name}',
),
treeStableTimer=60, treeStableTimer=60,
name="build-all-branches", name="${name}-all-branches",
builderNames=[ builderNames=[
"${name}", "${name}",
] ]
@ -97,6 +100,10 @@ let
command=[ command=[
new_steps[new_step] new_steps[new_step]
], ],
env={
"NIX_REMOTE": "daemon",
"NIX_PATH": "secrets=/var/src/stockholm/null:/var/src",
},
timeout=90001, timeout=90001,
workdir='build', # TODO figure out why we need this? workdir='build', # TODO figure out why we need this?
)]) )])
@ -121,7 +128,7 @@ let
}, },
name="get_steps", name="get_steps",
command=["${getJobs}"], command=["${getJobs}"],
property="steps_json" extract_fn=lambda rc, stdout, stderr: { 'steps_json': stdout },
)) ))
f_${name}.addStep(StepToStartMoreSteps(command=["echo"])) # TODO remove dummy command from here f_${name}.addStep(StepToStartMoreSteps(command=["echo"])) # TODO remove dummy command from here
@ -141,7 +148,7 @@ let
enable = true; enable = true;
nick = "build|${hostname}"; nick = "build|${hostname}";
server = "irc.r"; server = "irc.r";
channels = [ "noise" ]; channels = [ "xxx" "noise" ];
allowForce = true; allowForce = true;
}; };
extraConfig = '' extraConfig = ''
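Review bot: The new `extract_fn=lambda rc, stdout, stderr: { 'steps_json': stdout }` discards `rc`, so when `get_jobs` fails the property is still set to whatever partial output reached stdout and the failure surfaces later as a JSON decode error in `StepToStartMoreSteps` rather than at the step that caused it. Suggest making the exit-code dependency explicit, e.g. `extract_fn=lambda rc, stdout, stderr: {} if rc else { 'steps_json': stdout },` with a comment that a missing property aborts the run; whether buildbot already marks the step failed on a non-zero rc before calling the extractor is not visible here. Since this property is parsed as JSON, a comment on `getJobs` stating that its stdout must stay pure JSON (the reason `nix-build` output now goes to `/dev/null` without the old `2>&1`) would keep that from regressing.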


@ -182,6 +182,11 @@ let
to = concatMapStringsSep "," (getAttr "mail") (toList to); to = concatMapStringsSep "," (getAttr "mail") (toList to);
}; };
in mapAttrsToList format (with config.krebs.users; let in mapAttrsToList format (with config.krebs.users; let
brain-ml = [
lass
makefu
tv
];
eloop-ml = spam-ml ++ [ ciko ]; eloop-ml = spam-ml ++ [ ciko ];
spam-ml = [ spam-ml = [
lass lass
@ -191,6 +196,7 @@ let
ciko.mail = "ciko@slash16.net"; ciko.mail = "ciko@slash16.net";
in { in {
"anmeldung@eloop.org" = eloop-ml; "anmeldung@eloop.org" = eloop-ml;
"brain@krebsco.de" = brain-ml;
"cfp@eloop.org" = eloop-ml; "cfp@eloop.org" = eloop-ml;
"kontakt@eloop.org" = eloop-ml; "kontakt@eloop.org" = eloop-ml;
"root@eloop.org" = eloop-ml; "root@eloop.org" = eloop-ml;


@ -129,6 +129,8 @@ in {
"graphite.shack" "graphite.shack"
"acng.shack" "acng.shack"
"drivedroid.shack" "drivedroid.shack"
"mobile.lounge.mpd.shack"
"lounge.mpd.wolf.shack"
]; ];
}; };
retiolum = { retiolum = {
@ -138,6 +140,7 @@ in {
"wolf.r" "wolf.r"
"build.wolf.r" "build.wolf.r"
"cgit.wolf.r" "cgit.wolf.r"
"lounge.mpd.wolf.r"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----


@ -1,7 +1,9 @@
{ config, ... }: { config, ... }:
with import <stockholm/lib>; with import <stockholm/lib>;
## generate keys with:
# tinc generate-keys
# ssh-keygen -f ssh.id_ed25519 -t ed25519 -C host
{ {
hosts = mapAttrs (_: setAttr "owner" config.krebs.users.makefu) { hosts = mapAttrs (_: setAttr "owner" config.krebs.users.makefu) {
cake = rec { cake = rec {
@ -29,6 +31,32 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh_host_ed25519_key>; ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGyJlI0YpIh/LiiPMseD2IBHg+uVGrkSy0MPNeD+Jv8Y cake"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGyJlI0YpIh/LiiPMseD2IBHg+uVGrkSy0MPNeD+Jv8Y cake";
}; };
crapi = rec { # raspi1
cores = 1;
ci = false;
nets = {
retiolum = {
ip4.addr = "10.243.136.237";
ip6.addr = "42:b3b2:9552:eef0:ee67:f3b3:8d33:eee2";
aliases = [
"crapi.r"
];
tinc.pubkey = ''
Ed25519PublicKey = Zkh6vtSNBvKYUjCPsMyAFJmxzueglCDoawVPCezKy4F
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAloXLBfZQEVW9mJ7uwOoa+DfV4ek/SG+JQuexJMugei/iNy0NjY66
OVIkzFmED32c3D7S1+Q+5Mc3eR02k1o7XERpZeZhCtJOBlS4xMzCKH62E4USvH5L
R4O8XX1o/tpeOuZvpnpY1oPmFFc/B5G2jWWQR4Slpbw7kODwYYm5o+B7n+MkVNrk
OEOHLaaO6I5QB3GJvDH2JbwzDKLVClQM20L/EvIwnB+Xg0q3veKFj0WTXEK+tuME
di++RV4thhZ9IOgRTJOeT94j7ulloh15gqYaIqRqgtzfWE2TnUxvl+upB+yQHNtl
bJFLHkE34cQGxEv9dMjRe8i14+Onhb3B6wIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGaV5Ga5R8RTrA+nclxw6uy5Z+hPBLitQTfuXdsmbVW6 crapi";
};
drop = rec { drop = rec {
ci = true; ci = true;
cores = 1; cores = 1;
@ -298,6 +326,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY----- -----END RSA PUBLIC KEY-----
''; '';
}; };
#wiregrill = {
# ip6.addr = "42:4200:0000:0000:0000:0000:0000:a4db";
# aliases = [
# "x.w"
# ];
# wireguard.pubkey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
#};
}; };
ssh.privkey.path = <secrets/ssh_host_ed25519_key>; ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@x"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@x";
@ -457,8 +492,6 @@ with import <stockholm/lib>;
ip6.addr = "42:f9f0::10"; ip6.addr = "42:f9f0::10";
aliases = [ aliases = [
"omo.r" "omo.r"
"logs.makefu.r"
"stats.makefu.r"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -525,7 +558,9 @@ with import <stockholm/lib>;
"krebsco.de" = '' "krebsco.de" = ''
cache.euer IN A ${nets.internet.ip4.addr} cache.euer IN A ${nets.internet.ip4.addr}
cache.gum IN A ${nets.internet.ip4.addr} cache.gum IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr} gold IN A ${nets.internet.ip4.addr}
iso.euer IN A ${nets.internet.ip4.addr}
''; '';
}; };
cores = 8; cores = 8;
@ -537,13 +572,24 @@ with import <stockholm/lib>;
"nextgum.i" "nextgum.i"
]; ];
}; };
#wiregrill = {
# via = internet;
# ip6.addr = "42:4200:0000:0000:0000:0000:0000:70d3";
# aliases = [
# "gum.w"
# ];
# wireguard.pubkey = "yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=";
#};
retiolum = { retiolum = {
via = internet; via = internet;
ip4.addr = "10.243.0.213"; ip4.addr = "10.243.0.213";
ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d3"; ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d3";
aliases = [ aliases = [
"nextgum.r" "nextgum.r"
"graph.r"
"cache.gum.r" "cache.gum.r"
"logs.makefu.r"
"stats.makefu.r"
]; ];
tinc.pubkey = '' tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY----- -----BEGIN RSA PUBLIC KEY-----
@ -579,7 +625,6 @@ with import <stockholm/lib>;
boot.euer IN A ${nets.internet.ip4.addr} boot.euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr} wiki.euer IN A ${nets.internet.ip4.addr}
mon.euer IN A ${nets.internet.ip4.addr} mon.euer IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr} ghook IN A ${nets.internet.ip4.addr}
dockerhub IN A ${nets.internet.ip4.addr} dockerhub IN A ${nets.internet.ip4.addr}
photostore IN A ${nets.internet.ip4.addr} photostore IN A ${nets.internet.ip4.addr}
@ -604,7 +649,6 @@ with import <stockholm/lib>;
"o.gum.r" "o.gum.r"
"tracker.makefu.r" "tracker.makefu.r"
"graph.r"
"search.makefu.r" "search.makefu.r"
"wiki.makefu.r" "wiki.makefu.r"
"wiki.gum.r" "wiki.gum.r"
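Review bot: The new `crapi` host sets `ssh.privkey.path = <secrets/ssh.id_ed25519>` while every other host visible in this file uses `<secrets/ssh_host_ed25519_key>`, so the file now carries two naming conventions for the same secret; the recipe added at the top (`ssh-keygen -f ssh.id_ed25519 -t ed25519 -C host`) produces the new name, which suggests the older hosts were generated differently. Either align `crapi` with the established path or mark the divergence next to it, e.g. `ssh.privkey.path = <secrets/ssh.id_ed25519>; # generated per the recipe at the top of this file; older hosts use ssh_host_ed25519_key`. Whether the secrets module derives the sshd host-key location from this path is not visible in the hunk.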


@ -58,7 +58,7 @@ let
}; };
}; };
config.activate = let config.activate = let
src = pkgs.execve config.name { src = pkgs.exec config.name {
inherit (config) envp filename; inherit (config) envp filename;
}; };
dst = "${wrapperDir}/${config.name}"; dst = "${wrapperDir}/${config.name}";


@ -1,8 +1,8 @@
{ lib, pkgs,python3Packages,fetchurl, ... }: { lib, pkgs, python3Packages, fetchFromGitHub, ... }:
python3Packages.buildPythonPackage rec { python3Packages.buildPythonPackage rec {
name = "Reaktor-${version}"; name = "Reaktor-${version}";
version = "0.5.1"; version = "0.6.0";
doCheck = false; doCheck = false;
@ -10,9 +10,11 @@ python3Packages.buildPythonPackage rec {
python3Packages.docopt python3Packages.docopt
python3Packages.requests python3Packages.requests
]; ];
src = fetchurl { src = fetchFromGitHub {
url = "https://pypi.python.org/packages/source/R/Reaktor/Reaktor-${version}.tar.gz"; owner = "krebs";
sha256 = "0dn9r0cyxi1sji2pnybsrc4hhaaq7hmf235nlgkrxqlsdb7y6n6n"; repo = "Reaktor";
rev = version;
sha256 = "0nsnv1rixmlg5wkb74b4f5bycb42b9rp4b14hijh558hbsa1b9am";
}; };
meta = { meta = {
homepage = http://krebsco.de/; homepage = http://krebsco.de/;


@ -120,7 +120,7 @@ rec {
url-title = (buildSimpleReaktorPlugin "url-title" { url-title = (buildSimpleReaktorPlugin "url-title" {
pattern = "^.*(?P<args>http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+).*$$"; pattern = "^.*(?P<args>http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+).*$$";
path = with pkgs; [ curl perl ]; path = with pkgs; [ curl perl ];
script = pkgs.writePython3 "url-title" [ "beautifulsoup4" "lxml" ] '' script = pkgs.writePython3 "url-title" { deps = with pkgs.python3Packages; [ beautifulsoup4 lxml ]; } ''
import cgi import cgi
import sys import sys
import urllib.request import urllib.request


@ -8,9 +8,19 @@ import shelve
from os import environ from os import environ
from os.path import join from os.path import join
from sys import argv from sys import argv
from time import sleep
import re import re
d = shelve.open(join(environ['state_dir'], 'sed-plugin.shelve'), writeback=True) # try to open the shelve file until it succeeds
while True:
try:
d = shelve.open(
join(environ['state_dir'], 'sed-plugin.shelve'),
writeback=True
)
break
except: # noqa: E722
sleep(0.2)
usr = environ['_from'] usr = environ['_from']
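Review bot: The retry loop around `shelve.open` catches everything with a bare `except:` and never gives up, so a permanent failure (missing `state_dir`, a corrupt shelve, wrong permissions) becomes an endless 0.2 s loop instead of an error, and `KeyboardInterrupt`/`SystemExit` are swallowed as well. Narrow the handler and bound the attempts so the plugin fails visibly; the dbm backends raise `OSError` subclasses on I/O and lock errors, which is presumably the case this loop is for (several plugin instances sharing one shelve — the hunk does not say), while unrelated errors should propagate.
```python
# retry while another instance holds the shelve; give up after a bounded wait
for _ in range(50):
    try:
        d = shelve.open(
            join(environ['state_dir'], 'sed-plugin.shelve'),
            writeback=True
        )
        break
    except OSError:
        sleep(0.2)
else:
    raise SystemExit('sed-plugin: could not open shelve')
```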


@ -2,7 +2,7 @@
python2Packages.buildPythonApplication rec { python2Packages.buildPythonApplication rec {
name = "buildbot-classic-${version}"; name = "buildbot-classic-${version}";
version = "0.8.17"; version = "0.8.18";
namePrefix = ""; namePrefix = "";
patches = []; patches = [];
@ -10,7 +10,7 @@ python2Packages.buildPythonApplication rec {
owner = "krebs"; owner = "krebs";
repo = "buildbot-classic"; repo = "buildbot-classic";
rev = version; rev = version;
sha256 = "0yn0n37rs2bhz9q0simnvyzz5sfrpqhbdm6pdj6qk7sab4y6xbq8"; sha256 = "0b4y3n9zd2gdy8xwk1vpvs4n9fbg72vi8mx4ydgijwngcmdqkjmq";
}; };
postUnpack = "sourceRoot=\${sourceRoot}/master"; postUnpack = "sourceRoot=\${sourceRoot}/master";


@ -1,6 +1,6 @@
{ writeDashBin, bepasty-client-cli }: { writeDashBin, bepasty-client-cli }:
# TODO use `execve` instead? # TODO use `pkgs.exec` instead?
writeDashBin "krebspaste" '' writeDashBin "krebspaste" ''
exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | sed '$ s/$/\/+inline/g' exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | sed '$ s/$/\/+inline/g'
'' ''


@ -1,230 +0,0 @@
{ pkgs }: let
stockholm-dir = ../../../..;
lib = import (stockholm-dir + "/lib");
#
# high level commands
#
cmds.deploy = pkgs.withGetopt {
force-populate = { default = /* sh */ "false"; switch = true; };
quiet = { default = /* sh */ "false"; switch = true; };
source_file = {
default = /* sh */ "$user/1systems/$system/source.nix";
long = "source";
};
system = {};
target.default = /* sh */ "$system";
user.default = /* sh */ "$LOGNAME";
} (opts: pkgs.writeDash "stockholm.deploy" ''
set -efu
. ${init.env}
. ${init.proxy "deploy" opts}
# Use system's nixos-rebuild, which is not self-contained
export PATH=/run/current-system/sw/bin
exec ${utils.with-whatsupnix} \
nixos-rebuild switch \
--show-trace \
-I "$target_path"
'');
cmds.get-version = pkgs.writeDash "get-version" ''
set -efu
hostname=''${HOSTNAME-$(${pkgs.nettools}/bin/hostname)}
version=git.$(${pkgs.git}/bin/git describe --always --dirty)
case $version in (*-dirty)
version=$version@$hostname
esac
date=$(${pkgs.coreutils}/bin/date +%y.%m)
echo "$date.$version"
'';
cmds.install = pkgs.withGetopt {
force-populate = { default = /* sh */ "false"; switch = true; };
quiet = { default = /* sh */ "false"; switch = true; };
source_file = {
default = /* sh */ "$user/1systems/$system/source.nix";
long = "source";
};
system = {};
target = {};
user.default = /* sh */ "$LOGNAME";
} (opts: pkgs.writeBash "stockholm.install" ''
set -efu
. ${init.env}
if \test "''${using_proxy-}" != true; then
${pkgs.openssh}/bin/ssh \
-o StrictHostKeyChecking=no \
-o UserKnownHostsFile=/dev/null \
"$target_user@$target_host" -p "$target_port" \
env target_path=$(${pkgs.quote}/bin/quote "$target_path") \
sh -s prepare \
< ${stockholm-dir + "/krebs/4lib/infest/prepare.sh"}
# TODO inline prepare.sh?
fi
. ${init.proxy "install" opts}
# these variables get defined by nix-shell (i.e. nix-build) from
# XDG_RUNTIME_DIR and reference the wrong directory (/run/user/0),
# which only exists on / and not at /mnt.
export NIX_BUILD_TOP=/tmp
export TEMPDIR=/tmp
export TEMP=/tmp
export TMPDIR=/tmp
export TMP=/tmp
export XDG_RUNTIME_DIR=/tmp
export NIXOS_CONFIG="$target_path/nixos-config"
cd
exec nixos-install
'');
cmds.test = pkgs.withGetopt {
force-populate = { default = /* sh */ "false"; switch = true; };
quiet = { default = /* sh */ "false"; switch = true; };
source_file = {
default = /* sh */ "$user/1systems/$system/source.nix";
long = "source";
};
system = {};
target = {};
user.default = /* sh */ "$LOGNAME";
} (opts: pkgs.writeDash "stockholm.test" /* sh */ ''
set -efu
export dummy_secrets=true
. ${init.env}
. ${init.proxy "test" opts}
exec ${utils.build} config.system.build.toplevel
'');
#
# low level commands
#
# usage: get-source SOURCE_FILE
cmds.get-source = pkgs.writeDash "stockholm.get-source" ''
set -efu
exec ${pkgs.nix}/bin/nix-instantiate \
--eval \
--json \
--readonly-mode \
--show-trace \
--strict \
"$1"
'';
# usage: parse-target [--default=TARGET] TARGET
# TARGET = [USER@]HOST[:PORT][/PATH]
cmds.parse-target = pkgs.withGetopt {
default_target = {
long = "default";
short = "d";
};
} (opts: pkgs.writeDash "stockholm.parse-target" ''
set -efu
target=$1; shift
for arg; do echo "$0: bad argument: $arg" >&2; done
if \test $# != 0; then exit 2; fi
exec ${pkgs.jq}/bin/jq \
-enr \
--arg default_target "$default_target" \
--arg target "$target" \
-f ${pkgs.writeText "stockholm.parse-target.jq" ''
def parse: match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | {
user: .captures[0].string,
host: .captures[1].string,
port: .captures[2].string,
path: .captures[3].string,
};
def sanitize: with_entries(select(.value != null));
($default_target | parse) + ($target | parse | sanitize) |
. + { local: (.user == env.LOGNAME and .host == env.HOSTNAME) }
''}
'');
init.env = pkgs.writeText "init.env" /* sh */ ''
export HOSTNAME="$(${pkgs.nettools}/bin/hostname)"
export quiet
export system
export target
export user
default_target=root@$system:22/var/src
export target_object="$(
${cmds.parse-target} "$target" -d "$default_target"
)"
export target_user="$(echo $target_object | ${pkgs.jq}/bin/jq -r .user)"
export target_host="$(echo $target_object | ${pkgs.jq}/bin/jq -r .host)"
export target_port="$(echo $target_object | ${pkgs.jq}/bin/jq -r .port)"
export target_path="$(echo $target_object | ${pkgs.jq}/bin/jq -r .path)"
export target_local="$(echo $target_object | ${pkgs.jq}/bin/jq -r .local)"
'';
init.proxy = command: opts: pkgs.writeText "init.proxy" /* sh */ ''
if \test "''${using_proxy-}" != true; then
source=$(${cmds.get-source} "$source_file")
qualified_target=$target_user@$target_host:$target_port$target_path
if \test "$force_populate" = true; then
echo "$source" | ${pkgs.populate}/bin/populate --force "$qualified_target"
else
echo "$source" | ${pkgs.populate}/bin/populate "$qualified_target"
fi
if \test "$target_local" != true; then
exec ${pkgs.openssh}/bin/ssh \
"$target_user@$target_host" -p "$target_port" \
cd "$target_path/stockholm" \; \
NIX_PATH=$(${pkgs.quote}/bin/quote "$target_path") \
nix-shell --run "$(${pkgs.quote}/bin/quote "
${lib.concatStringsSep " " (lib.mapAttrsToList
(name: opt: /* sh */
"${opt.varname}=\$(${pkgs.quote}/bin/quote ${opt.ref})")
opts
)} \
using_proxy=true \
${lib.shell.escape command} \
$WITHGETOPT_ORIG_ARGS \
")"
fi
fi
'';
utils.build = pkgs.writeDash "utils.build" ''
set -efu
${utils.with-whatsupnix} \
${pkgs.nix}/bin/nix-build \
--no-out-link \
--show-trace \
-E "with import <stockholm>; $1" \
-I "$target_path" \
'';
utils.with-whatsupnix = pkgs.writeDash "utils.with-whatsupnix" ''
set -efu
if \test "$quiet" = true; then
"$@" -Q 2>&1 | ${pkgs.whatsupnix}/bin/whatsupnix
else
exec "$@"
fi
'';
in
pkgs.write "stockholm" (lib.mapAttrs' (name: link:
lib.nameValuePair "/bin/${name}" { inherit link; }
) cmds)


@ -0,0 +1,49 @@
{ openssl, writePython2Bin }:
writePython2Bin "syncthing-device-id" {
flakeIgnore = [
"E226"
"E302"
"E305"
"E501"
"F401"
];
} /* python */ ''
import base64
import hashlib
import subprocess
import sys
B32ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
def luhn_checksum(data, alphabet=B32ALPHABET):
n = len(alphabet)
number = tuple(alphabet.index(i) for i in reversed(data))
result = (sum(number[::2]) +
sum(sum(divmod(i * 2, n)) for i in number[1::2])) % n
return alphabet[-result]
def main(incert):
der_data = subprocess.check_output([
'${openssl}/bin/openssl',
'x509',
'-outform',
'DER',
], stdin=incert)
data_hash = hashlib.sha256(der_data)
b32_hash = base64.b32encode(data_hash.digest()).decode('ascii')
result = b32_hash.upper().rstrip('=')
blocks = [result[pos:pos+13] for pos in range(0, len(result), 13)]
result = '''.join(block + luhn_checksum(block) for block in blocks)
blocks = [result[pos:pos+7] for pos in range(0, len(result), 7)]
print('-'.join(blocks))
if __name__ == '__main__':
import argparse
parser = argparse.ArgumentParser(description='Generate syncthing ID from certificate')
parser.add_argument('incert', type=argparse.FileType('rb'), help='Certificate path')
args = parser.parse_args()
main(**vars(args))
''
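Review bot: `luhn_checksum` and `main` carry no docstrings, and the check-character scheme has a property a reader needs to know: because the weighting is anchored at the right end (`reversed(data)`), which positions get doubled depends on the block length, so the function is only meaningful for the 13-character blocks that `main` cuts with `result[pos:pos+13]`. Suggest a docstring on `luhn_checksum` stating that it computes the Luhn mod-N check character over `alphabet` with doubling anchored at the rightmost character and that callers must pass fixed-length blocks, and one on `main` stating the pipeline: DER-encode the certificate with openssl, SHA-256 it, base32-encode without padding, append a check character to each 13-character block, then regroup into 7-character groups joined by `-`. `import sys` is unused, which is why `F401` sits in `flakeIgnore`; dropping the import would let that ignore go as well.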


@ -2,7 +2,7 @@
krops = builtins.fetchGit { krops = builtins.fetchGit {
url = https://cgit.krebsco.de/krops/; url = https://cgit.krebsco.de/krops/;
rev = "4e466eaf05861b47365c5ef46a31a188b70f3615"; rev = "c46166d407c7d246112f13346621a3fbdb25889e";
}; };
lib = import "${krops}/lib"; lib = import "${krops}/lib";
@ -18,7 +18,7 @@
stockholm.file = toString ../.; stockholm.file = toString ../.;
stockholm-version.pipe = toString (pkgs.writeDash "${name}-version" '' stockholm-version.pipe = toString (pkgs.writeDash "${name}-version" ''
set -efu set -efu
cd $HOME/stockholm cd ${lib.escapeShellArg krebs-source.stockholm.file}
V=$(${pkgs.coreutils}/bin/date +%y.%m) V=$(${pkgs.coreutils}/bin/date +%y.%m)
if test -d .git; then if test -d .git; then
V=$V.git.$(${pkgs.git}/bin/git describe --always --dirty) V=$V.git.$(${pkgs.git}/bin/git describe --always --dirty)


@ -1,7 +1,7 @@
{ {
"url": "https://github.com/NixOS/nixpkgs-channels", "url": "https://github.com/NixOS/nixpkgs-channels",
"rev": "a37638d46706610d12c9747614fd1b8f8d35ad48", "rev": "d16a7abceb72aac85e0deb8c45fbcb7127baf628",
"date": "2018-08-30T21:03:26+02:00", "date": "2018-09-20T18:31:51-05:00",
"sha256": "0rsdkk4z7pkqr2mw0pq7i6fkqs7gbi5kral3c8smm9bw104sn8v7", "sha256": "0byf6rlwwy70v2sdfmv7mnwd0kvxmlq0pi8ijghg0mcfhcqibgh7",
"fetchSubmodules": true "fetchSubmodules": true
} }


@ -1,29 +0,0 @@
with import <stockholm/lib>;
host@{ name, secure ? false, override ? {} }: let
builder = if getEnv "dummy_secrets" == "true"
then "buildbot"
else "krebs";
_file = <stockholm> + "/krebs/1systems/${name}/source.nix";
pkgs = import <nixpkgs> {
overlays = map import [
<stockholm/krebs/5pkgs>
<stockholm/submodules/nix-writers/pkgs>
];
};
in
evalSource (toString _file) [
{
nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix";
secrets = getAttr builder {
buildbot.file = toString <stockholm/krebs/0tests/data/secrets>;
krebs.pass = {
dir = "${getEnv "HOME"}/brain";
name = "krebs-secrets/${name}";
};
};
stockholm.file = toString <stockholm>;
stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
nixpkgs = (import ./krops.nix { name = ""; }).krebs-source.nixpkgs;
}
override
]


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "blue";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "cabal";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "daedalus";
secure = true;
}


@ -16,6 +16,7 @@
<stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/blue-host.nix>
]; ];
krebs.build.host = config.krebs.hosts.icarus; krebs.build.host = config.krebs.hosts.icarus;


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "icarus";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "littleT";
secure = true;
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "mors";
secure = true;
}


@ -1,4 +0,0 @@
with import <stockholm/lib>;
import <stockholm/lass/source.nix> {
name = "prism";
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "red";
secure = true;
}


@ -1,3 +0,0 @@
import <stockholm/lass/source.nix> {
name = "shodan";
}


@ -1,4 +0,0 @@
import <stockholm/lass/source.nix> {
name = "skynet";
secure = true;
}


@ -1,3 +0,0 @@
import <stockholm/lass/source.nix> {
name = "uriel";
}


@ -1,5 +0,0 @@
with import <stockholm/lib>;
import <stockholm/lass/source.nix> {
name = "xerxes";
secure = true;
}


@ -11,6 +11,8 @@ with (import <stockholm/lib>);
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
ag ag
brain
dic
nmap nmap
git-preview git-preview
]; ];


@ -34,6 +34,10 @@ let
rules = concatMap make-rules (attrValues repos); rules = concatMap make-rules (attrValues repos);
public-repos = mapAttrs make-public-repo { public-repos = mapAttrs make-public-repo {
Reaktor = {
cgit.desc = "Reaktor IRC bot";
cgit.section = "software";
};
buildbot-classic = { buildbot-classic = {
cgit.desc = "fork of buildbot"; cgit.desc = "fork of buildbot";
cgit.section = "software"; cgit.section = "software";
@ -54,6 +58,10 @@ let
cgit.desc = "take a rss feed and a timeout and print it to stdout"; cgit.desc = "take a rss feed and a timeout and print it to stdout";
cgit.section = "software"; cgit.section = "software";
}; };
nix-writers = {
cgit.desc = "high level writers for nix";
cgit.section = "software";
};
nixpkgs = { nixpkgs = {
cgit.desc = "nixpkgs fork"; cgit.desc = "nixpkgs fork";
cgit.section = "configuration"; cgit.section = "configuration";


@ -131,6 +131,30 @@ in {
}; };
}; };
systemd.services.radio-recent = let
recentlyPlayed = pkgs.writeDash "recentlyPlayed" ''
LIMIT=1000 #how many tracks to keep in the history
HISTORY_FILE=/tmp/played
while :; do
${pkgs.mpc_cli}/bin/mpc idle player > /dev/null
${pkgs.mpc_cli}/bin/mpc current -f %file%
done | while read track; do
echo "$(date -Is)" "$track" | tee -a "$HISTORY_FILE"
echo "$(tail -$LIMIT "$HISTORY_FILE")" > "$HISTORY_FILE"
done
'';
in {
description = "radio recently played";
after = [ "mpd.service" "network.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = true;
serviceConfig = {
ExecStart = recentlyPlayed;
};
};
krebs.Reaktor.playlist = { krebs.Reaktor.playlist = {
nickname = "the_playlist|r"; nickname = "the_playlist|r";
channels = [ channels = [
@ -157,27 +181,40 @@ in {
}) })
]; ];
}; };
services.nginx.virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let services.nginx = {
html = pkgs.writeText "index.html" '' enable = true;
<!DOCTYPE html> virtualHosts."radio.lassul.us" = {
<html lang="en"> forceSSL = true;
<head> enableACME = true;
<meta charset="utf-8"> locations."/".extraConfig = ''
<title>lassulus playlist</title> proxy_pass http://localhost:8000;
</head> '';
<body> locations."/recent".extraConfig = ''
<div style="display:inline-block;margin:0px;padding:0px;overflow:hidden"> alias /tmp/played;
<iframe src="https://kiwiirc.com/client/irc.freenode.org/?nick=kiwi_test|?&theme=cli#the_playlist" frameborder="0" style="overflow:hidden;overflow-x:hidden;overflow-y:hidden;height:95%;width:100%;position:absolute;top:0px;left:0px;right:0px;bottom:0px" height="95%" width="100%"></iframe> '';
</div> };
<div style="position:absolute;bottom:1px;display:inline-block;background-color:red;"> virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let
<audio controls autoplay="autoplay"><source src="http://lassul.us:8000/radio.ogg" type="audio/ogg">Your browser does not support the audio element.</audio> html = pkgs.writeText "index.html" ''
</div> <!DOCTYPE html>
<!-- page content --> <html lang="en">
</body> <head>
</html> <meta charset="utf-8">
<title>lassulus playlist</title>
</head>
<body>
<div style="display:inline-block;margin:0px;padding:0px;overflow:hidden">
<iframe src="https://kiwiirc.com/client/irc.freenode.org/?nick=kiwi_test|?&theme=cli#the_playlist" frameborder="0" style="overflow:hidden;overflow-x:hidden;overflow-y:hidden;height:95%;width:100%;position:absolute;top:0px;left:0px;right:0px;bottom:0px" height="95%" width="100%"></iframe>
</div>
<div style="position:absolute;bottom:1px;display:inline-block;background-color:red;">
<audio controls autoplay="autoplay"><source src="http://lassul.us:8000/radio.ogg" type="audio/ogg">Your browser does not support the audio element.</audio>
</div>
<!-- page content -->
</body>
</html>
'';
in ''
default_type "text/html";
alias ${html};
''; '';
in '' };
default_type "text/html";
alias ${html};
'';
} }
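Review bot: The new `systemd.services.radio-recent` unit sets only `ExecStart` in `serviceConfig`, so the recorder loop runs as root and appends to the fixed, predictable path `HISTORY_FILE=/tmp/played` inside a world-writable directory, where any local user can pre-create that file (or a symlink to another file) before the service starts. Because the new nginx `locations."/recent"` aliases the same `/tmp/played`, consider giving the unit `DynamicUser = true; StateDirectory = "radio-recent";`, writing to `HISTORY_FILE=/var/lib/radio-recent/played`, and pointing `alias` at that file; the NixOS nginx unit may run with its own private `/tmp`, in which case `/tmp/played` would not even be visible to it — worth confirming. The `echo "$(tail -$LIMIT "$HISTORY_FILE")" > "$HISTORY_FILE"` rewrite also truncates the file before refilling it, so a request arriving in between can be served an empty history. The enclosing attribute set starts and ends outside these hunks.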


@ -65,7 +65,7 @@ with import <stockholm/lib>;
}) })
(buildSimpleReaktorPlugin "random-unicorn-porn" { (buildSimpleReaktorPlugin "random-unicorn-porn" {
pattern = "^!rup$$"; pattern = "^!rup$$";
script = pkgs.writePython2 "rup" [] '' script = pkgs.writePython2 "rup" {} ''
t1 = """ t1 = """
_. _.
;=',_ () ;=',_ ()


@ -91,7 +91,7 @@ in {
script = pkgs.writeBash "test" '' script = pkgs.writeBash "test" ''
echo "hello world" echo "hello world"
''; '';
#script = pkgs.execve "ddate-wrapper" { #script = pkgs.exec "ddate-wrapper" {
# filename = "${pkgs.ddate}/bin/ddate"; # filename = "${pkgs.ddate}/bin/ddate";
# argv = []; # argv = [];
#}; #};


@ -1,29 +0,0 @@
with import <stockholm/lib>;
host@{ name, secure ? false, override ? {} }: let
builder = if getEnv "dummy_secrets" == "true"
then "buildbot"
else "lass";
_file = <stockholm> + "/lass/1systems/${name}/source.nix";
pkgs = import <nixpkgs> {
overlays = map import [
<stockholm/krebs/5pkgs>
<stockholm/submodules/nix-writers/pkgs>
];
};
in
evalSource (toString _file) [
{
nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix";
nixpkgs = (import <stockholm/krebs/source.nix> host).nixpkgs;
secrets = getAttr builder {
buildbot.file = toString <stockholm/lass/2configs/tests/dummy-secrets>;
lass.pass = {
dir = "${getEnv "HOME"}/.password-store";
name = "hosts/${name}";
};
};
stockholm.file = toString <stockholm>;
stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
}
override
]


@ -0,0 +1,4 @@
1. flash arm6 image from https://www.cs.helsinki.fi/u/tmtynkky/nixos-arm/installer/ to sdcard
2. passwd; systemctl start sshd; mkdir /var/src ; touch /var/src/.populate
3. "environment.systemPackages = [ pkgs.rsync pkgs.git ];" in /etc/nixos/configuration.nix
5. nixos-rebuild switch --fast --option binary-caches http://nixos-arm.dezgeg.me/channel --option binary-cache-public-keys nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=%


@ -0,0 +1,46 @@
{ config, pkgs, lib, ... }:
{
# :l <nixpkgs>
# builtins.readDir (pkgs.fetchFromGitHub { owner = "nixos"; repo = "nixpkgs-channels"; rev = "6c064e6b"; sha256 = "1rqzh475xn43phagrr30lb0fd292c1s8as53irihsnd5wcksnbyd"; })
imports = [
<stockholm/makefu>
<stockholm/makefu/2configs>
<stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/save-diskspace.nix>
];
krebs.build.host = config.krebs.hosts.crapi;
# NixOS wants to enable GRUB by default
boot.loader.grub.enable = false;
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_rpi;
nix.binaryCaches = [ "http://nixos-arm.dezgeg.me/channel" ];
nix.binaryCachePublicKeys = [ "nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=%" ];
fileSystems = {
"/boot" = {
device = "/dev/disk/by-label/NIXOS_BOOT";
fsType = "vfat";
};
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
system.activationScripts.create-swap = ''
if [ ! -e /swapfile ]; then
fallocate -l 2G /swapfile
mkswap /swapfile
fi
'';
swapDevices = [ { device = "/swapfile"; size = 2048; } ];
nix.package = lib.mkForce pkgs.nixStable;
services.openssh.enable = true;
}
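Review bot: The key on the `nix.binaryCachePublicKeys` line ends in a stray `%` (`...LFRW0=%`), which looks like a shell-prompt artifact copied along with the key (the install notes added a few files up carry the same suffix); with that character the key will either fail to parse or never match the cache's signing key, so every path from the plain-http `nixos-arm.dezgeg.me` cache is refused as unsigned instead of substituted, and signature checking is the only thing protecting an http cache. It should read `nix.binaryCachePublicKeys = [ "nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=" ];`. Separately, `create-swap` runs `fallocate -l 2G /swapfile` without restricting the mode, so the swap file is created with the default umask and may be readable by unprivileged users, exposing swapped-out memory; add `chmod 600 /swapfile` before `mkswap`, or drop the script entirely, since `swapDevices` with a `size` already creates the file itself (with restricted permissions, as far as I recall — confirm).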


@ -0,0 +1,3 @@
{
arm6 = true;
}


@ -74,14 +74,8 @@ in {
<stockholm/makefu/2configs/syncthing.nix> <stockholm/makefu/2configs/syncthing.nix>
# <stockholm/makefu/2configs/opentracker.nix> # <stockholm/makefu/2configs/opentracker.nix>
<stockholm/makefu/2configs/hub.nix> <stockholm/makefu/2configs/dcpp/hub.nix>
{ # ncdc <stockholm/makefu/2configs/dcpp/client.nix>
environment.systemPackages = [ pkgs.ncdc ];
networking.firewall = {
allowedUDPPorts = [ 51411 ];
allowedTCPPorts = [ 51411 ];
};
}
<stockholm/makefu/2configs/stats/client.nix> <stockholm/makefu/2configs/stats/client.nix>
# <stockholm/makefu/2configs/logging/client.nix> # <stockholm/makefu/2configs/logging/client.nix>
@ -103,55 +97,7 @@ in {
# locations."/".proxyPass = "http://localhost:5000"; # locations."/".proxyPass = "http://localhost:5000";
# }; # };
#} #}
{ # wireguard server <stockholm/makefu/2configs/wireguard/server.nix>
# opkg install wireguard luci-proto-wireguard
# TODO: networking.nat
# boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
# conf.all.proxy_arp =1
networking.firewall = {
allowedUDPPorts = [ 51820 ];
extraCommands = ''
iptables -t nat -A POSTROUTING -s 10.244.0.0/24 -o ${ext-if} -j MASQUERADE
'';
};
networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.0.1/24" ];
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key";
allowedIPsAsRoutes = true;
peers = [
{
# x
allowedIPs = [ "10.244.0.2/32" ];
publicKey = "fe5smvKVy5GAn7EV4w4tav6mqIAKhGWQotm7dRuRt1g=";
}
{
# vbob
allowedIPs = [ "10.244.0.3/32" ];
publicKey = "Lju7EsCu1OWXhkhdNR7c/uiN60nr0TUPHQ+s8ULPQTw=";
}
{
# x-test
allowedIPs = [ "10.244.0.4/32" ];
publicKey = "vZ/AJpfDLJyU3DzvYeW70l4FNziVgSTumA89wGHG7XY=";
}
{
# work-router
allowedIPs = [ "10.244.0.5/32" ];
publicKey = "QJMwwYu/92koCASbHnR/vqe/rN00EV6/o7BGwLockDw=";
}
{
# workr
allowedIPs = [ "10.244.0.6/32" ];
publicKey = "OFhCF56BrV9tjqW1sxqXEKH/GdqamUT1SqZYSADl5GA=";
}
];
};
}
{ # iperf3 { # iperf3
networking.firewall.allowedUDPPorts = [ 5201 ]; networking.firewall.allowedUDPPorts = [ 5201 ];
networking.firewall.allowedTCPPorts = [ 5201 ]; networking.firewall.allowedTCPPorts = [ 5201 ];


@ -0,0 +1,23 @@
{
"type": "devices",
"content": {
"sda": {
"type": "table",
"format": "msdos",
"partitions": [
{ "type": "partition",
"part-type": "primary",
"start": "1M",
"end": "100%",
"bootable": true,
"content": {
"type": "filesystem",
"format": "ext4",
"mountpoint": "/"
}
}
]
}
}
}


@ -11,6 +11,7 @@ with import <stockholm/lib>;
# TODO: NIX_PATH and nix.nixPath are being set by default.nix right now # TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
# cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos # cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
krebs.build.host = config.krebs.hosts.iso; krebs.build.host = config.krebs.hosts.iso;
isoImage.isoBaseName = lib.mkForce "stockholm";
krebs.hidden-ssh.enable = true; krebs.hidden-ssh.enable = true;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
aria2 aria2


@ -4,55 +4,23 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
toMapper = id: "/media/crypt${builtins.toString id}"; primaryInterface = config.makefu.server.primary-itf;
byid = dev: "/dev/disk/by-id/" + dev;
keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904";
rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2";
primaryInterface = "enp2s0";
firetv = "192.168.1.238";
# cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
# cryptsetup luksAddKey $dev tmpkey
# cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096
# mkfs.xfs /dev/mapper/crypt0 -L crypt0
# omo Chassis:
# __FRONT_
# |* d0 |
# | |
# |* d1 |
# | |
# |* d3 |
# | |
# |* |
# |* d2 |
# | * |
# | * |
# |_______|
# cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
cryptDisk0 = byid "ata-ST8000DM004-2CX188_ZCT01PLV";
cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
cryptDisk3 = byid "ata-ST8000DM004-2CX188_ZCT01SG4";
# cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907";
# all physical disks
# TODO callPackage ../3modules/MonitorDisks { disks = allDisks }
dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 cryptDisk3 ];
allDisks = [ rootDisk ] ++ dataDisks;
in { in {
imports = imports =
[ [
#./hw/omo.nix
./hw/tsp.nix
<stockholm/makefu> <stockholm/makefu>
# TODO: unlock home partition via ssh
<stockholm/makefu/2configs/fs/sda-crypto-root.nix>
<stockholm/makefu/2configs/zsh-user.nix> <stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/backup.nix> <stockholm/makefu/2configs/backup.nix>
<stockholm/makefu/2configs/exim-retiolum.nix> <stockholm/makefu/2configs/exim-retiolum.nix>
<stockholm/makefu/2configs/smart-monitor.nix> # <stockholm/makefu/2configs/smart-monitor.nix>
<stockholm/makefu/2configs/mail-client.nix> <stockholm/makefu/2configs/mail-client.nix>
<stockholm/makefu/2configs/mosh.nix> <stockholm/makefu/2configs/mosh.nix>
<stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/tools/desktop.nix>
<stockholm/makefu/2configs/tools/mobility.nix> <stockholm/makefu/2configs/tools/mobility.nix>
{ environment.systemPackages = [ pkgs.esniper ]; }
# <stockholm/makefu/2configs/disable_v6.nix> # <stockholm/makefu/2configs/disable_v6.nix>
#<stockholm/makefu/2configs/graphite-standalone.nix> #<stockholm/makefu/2configs/graphite-standalone.nix>
#<stockholm/makefu/2configs/share-user-sftp.nix> #<stockholm/makefu/2configs/share-user-sftp.nix>
@ -68,16 +36,17 @@ in {
# logs to influx # logs to influx
<stockholm/makefu/2configs/stats/external/aralast.nix> <stockholm/makefu/2configs/stats/external/aralast.nix>
<stockholm/makefu/2configs/stats/telegraf> <stockholm/makefu/2configs/stats/telegraf>
<stockholm/makefu/2configs/stats/telegraf/europastats.nix> # <stockholm/makefu/2configs/stats/telegraf/europastats.nix>
<stockholm/makefu/2configs/stats/telegraf/hamstats.nix>
<stockholm/makefu/2configs/stats/arafetch.nix> <stockholm/makefu/2configs/stats/arafetch.nix>
# services # services
<stockholm/makefu/2configs/syncthing.nix> <stockholm/makefu/2configs/syncthing.nix>
<stockholm/makefu/2configs/mqtt.nix>
<stockholm/makefu/2configs/remote-build/slave.nix> <stockholm/makefu/2configs/remote-build/slave.nix>
<stockholm/makefu/2configs/deployment/google-muell.nix> <stockholm/makefu/2configs/deployment/google-muell.nix>
<stockholm/makefu/2configs/virtualisation/docker.nix> <stockholm/makefu/2configs/virtualisation/docker.nix>
<stockholm/makefu/2configs/bluetooth-mpd.nix> <stockholm/makefu/2configs/bluetooth-mpd.nix>
<stockholm/makefu/2configs/deployment/homeautomation>
{ {
hardware.pulseaudio.systemWide = true; hardware.pulseaudio.systemWide = true;
makefu.mpd.musicDirectory = "/media/cryptX/music"; makefu.mpd.musicDirectory = "/media/cryptX/music";
@ -99,75 +68,10 @@ in {
# Temporary: # Temporary:
# <stockholm/makefu/2configs/temp/rst-issue.nix> # <stockholm/makefu/2configs/temp/rst-issue.nix>
{ # ncdc
environment.systemPackages = [ pkgs.ncdc ];
networking.firewall = {
allowedUDPPorts = [ 51411 ];
allowedTCPPorts = [ 51411 ];
};
}
{
systemd.services.firetv = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "nobody";
ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555";
};
};
nixpkgs.config.permittedInsecurePackages = [
"homeassistant-0.65.5"
];
services.home-assistant = {
config = {
homeassistant = {
name = "Home"; time_zone = "Europe/Berlin";
latitude = "48.7687";
longitude = "9.2478";
};
media_player = [
{ platform = "kodi";
host = firetv;
}
{ platform = "firetv";
# assumes python-firetv running
}
];
sensor = [
{ platform = "luftdaten";
name = "Ditzingen";
sensorid = "663";
monitored_conditions = [ "P1" "P2" ];
}
# https://www.home-assistant.io/cookbook/automation_for_rainy_days/
{ platform = "darksky";
api_key = "c73619e6ea79e553a585be06aacf3679";
language = "de";
monitored_conditions = [ "summary" "icon"
"nearest_storm_distance" "precip_probability"
"precip_intensity"
"temperature" # "temperature_high" "temperature_low"
"hourly_summary"
"uv_index" ];
units = "si" ;
update_interval = {
days = 0;
hours = 0;
minutes = 10;
seconds = 0;
};
}
];
frontend = { };
http = { };
};
enable = true;
#configDir = "/var/lib/hass";
};
}
]; ];
makefu.full-populate = true; makefu.full-populate = true;
makefu.server.primary-itf = primaryInterface; krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) {
krebs.rtorrent = {
downloadDir = lib.mkForce "/media/cryptX/torrent"; downloadDir = lib.mkForce "/media/cryptX/torrent";
extraConfig = '' extraConfig = ''
upload_rate = 200 upload_rate = 200
@ -178,18 +82,6 @@ in {
members = [ "makefu" "misa" ]; members = [ "makefu" "misa" ];
}; };
networking.firewall.trustedInterfaces = [ primaryInterface ]; networking.firewall.trustedInterfaces = [ primaryInterface ];
# udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
# tcp:80 - nginx for sharing files
# tcp:655 udp:655 - tinc
# tcp:8111 - graphite
# tcp:8112 - pyload
# tcp:9090 - sabnzbd
# tcp:9200 - elasticsearch
# tcp:5601 - kibana
networking.firewall.allowedUDPPorts = [ 655 ];
networking.firewall.allowedTCPPorts = [ 80 655 5601 8111 8112 9200 9090 ];
# services.openssh.allowSFTP = false;
# copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/ # copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/
services.sabnzbd.enable = true; services.sabnzbd.enable = true;
@ -199,90 +91,11 @@ in {
enable = true; enable = true;
servedir = "/media/cryptX/emu/ps3"; servedir = "/media/cryptX/emu/ps3";
}; };
# HDD Array stuff
services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
makefu.snapraid = {
enable = true;
# TODO: 3 is not protected
disks = map toMapper [ 0 1 ];
parity = toMapper 2;
};
# TODO create folders in /media
system.activationScripts.createCryptFolders = ''
${lib.concatMapStringsSep "\n"
(d: "install -m 755 -d " + (toMapper d) )
[ 0 1 2 "X" ]}
'';
environment.systemPackages = with pkgs;[
mergerfs # hard requirement for mount
wol # wake up filepimp
f3
];
fileSystems = let
cryptMount = name:
{ "/media/${name}" = {
device = "/dev/mapper/${name}"; fsType = "xfs";
options = [ "nofail" ];
};};
in cryptMount "crypt0"
// cryptMount "crypt1"
// cryptMount "crypt2"
// cryptMount "crypt3"
// { "/media/cryptX" = {
device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 ]);
fsType = "mergerfs";
noCheck = true;
options = [ "defaults" "allow_other" "nofail" "nonempty" ];
};
};
powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
${pkgs.hdparm}/sbin/hdparm -y ${disk}
'') allDisks);
# crypto unlocking
boot = {
initrd.luks = {
devices = let
usbkey = name: device: {
inherit name device keyFile;
keyFileSize = 4096;
allowDiscards = true;
};
in [
(usbkey "luksroot" rootPartition)
(usbkey "crypt0" cryptDisk0)
(usbkey "crypt1" cryptDisk1)
(usbkey "crypt2" cryptDisk2)
(usbkey "crypt3" cryptDisk3)
];
};
loader.grub.device = lib.mkForce rootDisk;
initrd.availableKernelModules = [
"ahci"
"ohci_pci"
"ehci_pci"
"pata_atiixp"
"firewire_ohci"
"usb_storage"
"usbhid"
];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
users.users.misa = { users.users.misa = {
uid = 9002; uid = 9002;
name = "misa"; name = "misa";
}; };
# hardware.enableAllFirmware = true;
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
zramSwap.enable = true; zramSwap.enable = true;
@ -290,23 +103,23 @@ in {
nickname = "Reaktor|shack"; nickname = "Reaktor|shack";
workdir = "/var/lib/Reaktor/shack"; workdir = "/var/lib/Reaktor/shack";
channels = [ "#shackspace" ]; channels = [ "#shackspace" ];
plugins = with pkgs.ReaktorPlugins;[ plugins = with pkgs.ReaktorPlugins;
shack-correct [ shack-correct
# stockholm-issue # stockholm-issue
sed-plugin sed-plugin
random-emoji ]; random-emoji ];
}; };
krebs.Reaktor.reaktor-bgt = { krebs.Reaktor.reaktor-bgt = {
nickname = "Reaktor|bgt"; nickname = "Reaktor|bgt";
workdir = "/var/lib/Reaktor/bgt"; workdir = "/var/lib/Reaktor/bgt";
channels = [ "#binaergewitter" ]; channels = [ "#binaergewitter" ];
plugins = with pkgs.ReaktorPlugins;[ plugins = with pkgs.ReaktorPlugins;
titlebot [ titlebot
# stockholm-issue # stockholm-issue
nixos-version nixos-version
shack-correct shack-correct
sed-plugin sed-plugin
random-emoji ]; random-emoji ];
}; };
krebs.build.host = config.krebs.hosts.omo; krebs.build.host = config.krebs.hosts.omo;
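Review bot: The new-side line `krebs.rtorrent = (builtins.trace (builtins.toJSON config.services.telegraf.extraConfig)) {` appears to be leftover debugging: it serialises the entire telegraf configuration and prints it to stderr on every evaluation, and telegraf output sections commonly carry database URLs and credentials, so they would end up in build logs and CI output. Restore `krebs.rtorrent = {`. The imports list also now pulls in `./hw/tsp.nix` with `#./hw/omo.nix` commented out, so the omo host is evaluated with the tsp laptop's hardware definition rather than the newly extracted `hw/omo.nix`; if that swap is temporary, a comment next to it saying so would help the next reader. The hunks cut through the enclosing attribute set, which starts and ends outside them.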


@ -0,0 +1,117 @@
{ config, pkgs, lib, ... }:
let
toMapper = id: "/media/crypt${builtins.toString id}";
byid = dev: "/dev/disk/by-id/" + dev;
keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904";
rootPartition = byid "ata-SanDisk_SD8SNAT128G1122_162099420904-part2";
primaryInterface = "enp2s0";
# cryptsetup luksFormat $dev --cipher aes-xts-plain64 -s 512 -h sha512
# cryptsetup luksAddKey $dev tmpkey
# cryptsetup luksOpen $dev crypt0 --key-file tmpkey --keyfile-size=4096
# mkfs.xfs /dev/mapper/crypt0 -L crypt0
# omo Chassis:
# __FRONT_
# |* d0 |
# | |
# |* d1 |
# | |
# |* d3 |
# | |
# |* |
# |* d2 |
# | * |
# | * |
# |_______|
# cryptDisk0 = byid "ata-ST2000DM001-1CH164_Z240XTT6";
cryptDisk0 = byid "ata-ST8000DM004-2CX188_ZCT01PLV";
cryptDisk1 = byid "ata-TP02000GB_TPW151006050068";
cryptDisk2 = byid "ata-ST4000DM000-1F2168_Z303HVSG";
cryptDisk3 = byid "ata-ST8000DM004-2CX188_ZCT01SG4";
# cryptDisk3 = byid "ata-WDC_WD20EARS-00MVWB0_WD-WMAZA1786907";
# all physical disks
# TODO callPackage ../3modules/MonitorDisks { disks = allDisks }
dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 cryptDisk3 ];
allDisks = [ rootDisk ] ++ dataDisks;
in {
imports =
[ # TODO: unlock home partition via ssh
<stockholm/makefu/2configs/fs/sda-crypto-root.nix> ];
makefu.server.primary-itf = primaryInterface;
system.activationScripts.createCryptFolders = ''
${lib.concatMapStringsSep "\n"
(d: "install -m 755 -d " + (toMapper d) )
[ 0 1 2 "X" ]}
'';
makefu.snapraid = {
enable = true;
# TODO: 3 is not protected
disks = map toMapper [ 0 1 ];
parity = toMapper 2;
};
fileSystems = let
cryptMount = name:
{ "/media/${name}" = {
device = "/dev/mapper/${name}"; fsType = "xfs";
options = [ "nofail" ];
};};
in cryptMount "crypt0"
// cryptMount "crypt1"
// cryptMount "crypt2"
// cryptMount "crypt3"
// { "/media/cryptX" = {
device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 3 ]);
fsType = "mergerfs";
noCheck = true;
options = [ "defaults" "allow_other" "nofail" "nonempty" ];
};
};
powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}
${pkgs.hdparm}/sbin/hdparm -B 127 ${disk}
${pkgs.hdparm}/sbin/hdparm -y ${disk}
'') allDisks);
# crypto unlocking
boot = {
initrd.luks = {
devices = let
usbkey = name: device: {
inherit name device keyFile;
keyFileSize = 4096;
allowDiscards = true;
};
in [
(usbkey "luksroot" rootPartition)
(usbkey "crypt0" cryptDisk0)
(usbkey "crypt1" cryptDisk1)
(usbkey "crypt2" cryptDisk2)
(usbkey "crypt3" cryptDisk3)
];
};
loader.grub.device = lib.mkForce rootDisk;
initrd.availableKernelModules = [
"ahci"
"ohci_pci"
"ehci_pci"
"pata_atiixp"
"firewire_ohci"
"usb_storage"
"usbhid"
];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
};
environment.systemPackages = with pkgs;[
mergerfs # hard requirement for mount
];
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
}
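Review bot: The `usbkey` helper applies `allowDiscards = true` to every LUKS mapping, including the four data disks; three of those IDs (`ST8000DM004`, `ST4000DM000`, `TP02000GB`) look like rotating drives, where discard passthrough does nothing, while on the SSD root it lets anyone with access to the raw device see which blocks are unused. If discards are only wanted for `luksroot`, make it a parameter, e.g. `usbkey = name: device: discards: { inherit name device keyFile; keyFileSize = 4096; allowDiscards = discards; };`, and pass `false` for the `crypt*` entries. Since `keyFile` is a raw USB device and `keyFileSize = 4096` is shared by all five volumes, the first 4096 bytes of that stick unlock everything; a comment next to `keyFile` stating that this is the intended single-key design would document the trade-off for whoever maintains this next.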


@ -0,0 +1,11 @@
let
disko = import (builtins.fetchGit {
url = https://cgit.lassul.us/disko/;
rev = "9c9b62e15e4ac11d4379e66b974f1389daf939fe";
});
cfg = builtins.fromJSON (builtins.readFile ../../hardware/tsp-disk.json);
in ''
${disko.create cfg}
${disko.mount cfg}
''


@ -0,0 +1,41 @@
{ pkgs, ... }:
with builtins;
let
disko = import (builtins.fetchGit {
url = https://cgit.lassul.us/disko/;
rev = "9c9b62e15e4ac11d4379e66b974f1389daf939fe";
});
cfg = fromJSON (readFile ../../hardware/tsp-disk.json);
# primaryInterface = "enp1s0";
primaryInterface = "wlp2s0";
rootDisk = "/dev/sda"; # TODO same as disko uses
in {
imports = [
(disko.config cfg)
];
makefu.server.primary-itf = primaryInterface;
boot = {
loader.grub.device = rootDisk;
initrd.availableKernelModules = [
"ahci"
"ohci_pci"
"ehci_pci"
"pata_atiixp"
"firewire_ohci"
"usb_storage"
"usbhid"
];
kernelModules = [ "kvm-intel" ];
};
networking.wireless.enable = true;
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
services.logind.extraConfig = ''
HandleSuspendKey = ignore
'';
powerManagement.enable = false;
}


@ -6,13 +6,13 @@
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
<stockholm/makefu> <stockholm/makefu>
# <stockholm/makefu/2configs/hw/vbox-guest.nix> <stockholm/makefu/2configs/hw/vbox-guest.nix>
{ # until virtualbox-image is fixed #{ # until virtualbox-image is fixed
imports = [ # imports = [
<stockholm/makefu/2configs/fs/single-partition-ext4.nix> # <stockholm/makefu/2configs/fs/single-partition-ext4.nix>
]; # ];
boot.loader.grub.device = "/dev/sda"; # boot.loader.grub.device = lib.mkForce "/dev/sda";
} #}
<stockholm/makefu/2configs/main-laptop.nix> <stockholm/makefu/2configs/main-laptop.nix>
# <secrets/extra-hosts.nix> # <secrets/extra-hosts.nix>


@ -0,0 +1,49 @@
{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
let
disk = "/dev/sda";
in {
imports = [
<stockholm/makefu>
<nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
<nixpkgs/nixos/modules/installer/cd-dvd/channel.nix>
<stockholm/makefu/2configs/tools/core.nix>
];
# TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
# cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
krebs.build.host = config.krebs.hosts.iso;
krebs.hidden-ssh.enable = true;
environment.extraInit = ''
EDITOR=vim
'';
# iso-specific
boot.kernelParams = [ "copytoram" ];
environment.systemPackages = [
pkgs.parted
( pkgs.writeScriptBin "shack-install" ''
#! /bin/sh
echo "go ahead and try NIX_PATH=/root/.nix-defexpr/channels/ nixos-install"
'')
];
systemd.services.wpa_supplicant.wantedBy = lib.mkForce [ "multi-user.target" ];
networking.wireless = {
enable = true;
networks.shack.psk = "welcome2shack";
};
services.openssh = {
enable = true;
hostKeys = [
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
# enable ssh in the iso boot process
systemd.services.sshd.wantedBy = lib.mkForce [ "multi-user.target" ];
}
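Review bot: `networking.wireless.networks.shack.psk = "welcome2shack"` is written by the wireless module into the generated wpa_supplicant configuration in the Nix store, i.e. world-readable on every machine that builds this ISO; that is presumably acceptable only because it is a public hackerspace network, so a one-line comment saying so would stop the next reader from treating it as a leaked secret. In `services.openssh.hostKeys`, `bits = 8192` has no effect for `type = "ed25519"` (the key size is fixed), so the entry reduces to `{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }`; the identical `hostKeys` entry in the shack-config.nix file added further down has the same redundant field.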


@ -0,0 +1,5 @@
#!/bin/sh
set -euf
parted -s ${disk} mklabel msdos
parted -s ${disk} -- mkpart primary linux-swap 1M 4096M
parted -s ${disk} -- mkpart primary ext2 4096M 100%


@ -0,0 +1,231 @@
{ config, pkgs, lib, ... }:
{
imports = [
./hardware-configuration.nix
# TODO:
];
# shacks-specific
networking.wireless = {
enable = true;
networks.shack.psk = "181471eb97eb23f12c6871227bc4a7b13c8f6af56dcc0d0e8b71f4d7a510cb4e";
};
networking.hostName = "shackbook";
boot.tmpOnTmpfs = true;
users.users.shack = {
createHome = true;
useDefaultShell = true;
home = "/home/shack";
uid = 9001;
packages = with pkgs;[
chromium
firefox
];
extraGroups = [ "audio" "wheel" ];
hashedPassword = "$6$KIxlQTLEnKl7cwC$LrmbwZ64Mlm7zqUUZ0EObPJMES3C0mQ6Sw7ynTuXzUo7d9EWg/k5XCGkDHMFvL/Pz19Awcv0knHB1j3dHT6fh/" ;
};
environment.variables = let
ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
in {
EDITOR = lib.mkForce "vim";
CURL_CA_BUNDLE = ca-bundle;
GIT_SSL_CAINFO = ca-bundle;
SSL_CERT_FILE = ca-bundle;
};
services.printing = {
enable = true;
# TODO: shack-printer
};
environment.systemPackages = with pkgs;[
parted
ddrescue
tmux
jq git gnumake htop rxvt_unicode.terminfo
(pkgs.vim_configurable.customize {
name = "vim";
vimrcConfig.customRC = ''
set nocompatible
syntax on
set list
set listchars=tab:\
"set list listchars=tab:>-,trail:.,extends:>
filetype off
filetype plugin indent on
colorscheme darkblue
set background=dark
set number
set relativenumber
set mouse=a
set ignorecase
set incsearch
set wildignore=*.o,*.obj,*.bak,*.exe,*.os
set textwidth=79
set shiftwidth=2
set expandtab
set softtabstop=2
set shiftround
set smarttab
set tabstop=2
set et
set autoindent
set backspace=indent,eol,start
inoremap <F1> <ESC>
nnoremap <F1> <ESC>
vnoremap <F1> <ESC>
nnoremap <F5> :UndotreeToggle<CR>
set undodir =~/.vim/undo
set undofile
"maximum number of changes that can be undone
set undolevels=1000000
"maximum number lines to save for undo on a buffer reload
set undoreload=10000000
nnoremap <F2> :set invpaste paste?<CR>
set pastetoggle=<F2>
set showmode
set showmatch
set matchtime=3
set hlsearch
autocmd ColorScheme * highlight ExtraWhitespace ctermbg=red guibg=red
" save on focus lost
au FocusLost * :wa
autocmd BufRead *.json set filetype=json
au BufNewFile,BufRead *.mustache set syntax=mustache
cnoremap SudoWrite w !sudo tee > /dev/null %
" create Backup/tmp/undo dirs
set backupdir=~/.vim/backup
set directory=~/.vim/tmp
function! InitBackupDir()
let l:parent = $HOME . '/.vim/'
let l:backup = l:parent . 'backup/'
let l:tmpdir = l:parent . 'tmp/'
let l:undodir= l:parent . 'undo/'
if !isdirectory(l:parent)
call mkdir(l:parent)
endif
if !isdirectory(l:backup)
call mkdir(l:backup)
endif
if !isdirectory(l:tmpdir)
call mkdir(l:tmpdir)
endif
if !isdirectory(l:undodir)
call mkdir(l:undodir)
endif
endfunction
call InitBackupDir()
augroup Binary
" edit binaries in xxd-output, xxd is part of vim
au!
au BufReadPre *.bin let &bin=1
au BufReadPost *.bin if &bin | %!xxd
au BufReadPost *.bin set ft=xxd | endif
au BufWritePre *.bin if &bin | %!xxd -r
au BufWritePre *.bin endif
au BufWritePost *.bin if &bin | %!xxd
au BufWritePost *.bin set nomod | endif
augroup END
'';
vimrcConfig.vam.knownPlugins = pkgs.vimPlugins;
vimrcConfig.vam.pluginDictionaries = [
{ names = [ "undotree" ]; }
# vim-nix handles indentation better but does not perform sanity
{ names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
];
})
];
programs.bash = {
enableCompletion = true;
interactiveShellInit = ''
HISTCONTROL='erasedups:ignorespace'
HISTSIZE=900001
HISTFILESIZE=$HISTSIZE
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
PS1='\[\e[1;32m\]\w\[\e[0m\] '
'';
};
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
'';
nix = {
package = pkgs.nixUnstable;
optimise.automatic = true;
useSandbox = true;
gc.automatic = true;
};
system.autoUpgrade.enable = true;
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.device = "/dev/sda";
fileSystems."/".options = [ "noatime" "nodiratime" "discard" ];
# gui and stuff
i18n = {
consoleFont = "Lat2-Terminus16";
consoleKeyMap = "us";
defaultLocale = "en_US.UTF-8";
};
fonts = {
enableFontDir = true;
enableGhostscriptFonts = true;
fonts = [ pkgs.terminus_font ];
};
time.timeZone = "Europe/Berlin";
services.timesyncd.enable = true;
# GUI
hardware.pulseaudio.enable = true;
services.xserver = {
enable = true;
displayManager.auto.enable = true;
displayManager.auto.user = "shack";
desktopManager.xfce.enable = true;
layout = "us";
xkbVariant = "altgr-intl";
xkbOptions = "ctrl:nocaps, eurosign:e";
};
services.openssh = {
enable = true;
hostKeys = [
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
}


@ -0,0 +1,24 @@
#!/bin/sh
set -euf
p(){
parted -s ${disk} -- $@
}
p mklabel gpt
p mkpart primary fat32 1M 551M
p set 1 boot on
p mkpart primary linux-swap 51M 4647M
p mkpart primary ext2 4647M 100%
udevadm settle
mkfs.fat -nboot -F32 /dev/sda1
udevadm settle
mkswap ${disk}2 -L swap
swapon -L swap
mkfs.ext4 -L nixos ${disk}3
mount LABEL=nixos /mnt
mkdir /mnt/boot
mount LABEL=boot /mnt/boot
mkdir -p /mnt/etc/nixos
cp ${./shack-config.nix} /mnt/etc/nixos/configuration.nix
nixos-generate-config --root /mnt
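Review bot: The second partition `p mkpart primary linux-swap 51M 4647M` starts inside the first one (`1M 551M`), so parted should reject the overlapping layout; the swap start presumably was meant to be `551M`. Right after that, `mkfs.fat -nboot -F32 /dev/sda1` is the only command that hard-codes the device while every other line uses `${disk}`, so with any other disk name the boot filesystem is created on the wrong device. Suggest `p mkpart primary linux-swap 551M 4647M` and `mkfs.fat -nboot -F32 ${disk}1`. Under `set -euf` a failing parted call aborts the script before any filesystem is written, which at least keeps the problem visible rather than half-formatting the disk.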


@ -8,57 +8,32 @@
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
<stockholm/makefu> <stockholm/makefu>
<stockholm/makefu/2configs/main-laptop.nix> <stockholm/makefu/2configs/main-laptop.nix>
<stockholm/makefu/2configs/tools/all.nix> # <stockholm/makefu/2configs/tools/all.nix>
<stockholm/makefu/2configs/fs/sda-crypto-root.nix> <stockholm/makefu/2configs/fs/single-partition-ext4.nix>
# hardware specifics are in here # hardware specifics are in here
# imports tp-x2x0.nix # imports tp-x2x0.nix
# <stockholm/makefu/2configs/hw/tp-x200.nix> <stockholm/makefu/2configs/hw/tp-x230.nix>
<stockholm/makefu/2configs/hw/bluetooth.nix>
<stockholm/makefu/2configs/hw/network-manager.nix>
# <stockholm/makefu/2configs/rad1o.nix> # <stockholm/makefu/2configs/rad1o.nix>
<stockholm/makefu/2configs/zsh-user.nix> <stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/exim-retiolum.nix> <stockholm/makefu/2configs/exim-retiolum.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix> <stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/sshd-totp.nix>
{
programs.adb.enable = true;
}
]; ];
# not working in vm
krebs.build.host = config.krebs.hosts.tsp; krebs.build.host = config.krebs.hosts.tsp;
boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; boot.loader.grub.device = "/dev/sda";
boot.loader.grub.copyKernels = true;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
25 25
]; ];
# acer aspire
networking.wireless.enable = lib.mkDefault true;
services.xserver.synaptics.enable = true;
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
hardware.cpu.intel.updateMicrocode = true;
zramSwap.enable = true;
zramSwap.numDevices = 2;
services.tlp.enable = true;
services.tlp.extraConfig = ''
# BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery
START_CHARGE_THRESH_BAT0=67
STOP_CHARGE_THRESH_BAT0=100
CPU_SCALING_GOVERNOR_ON_AC=performance
CPU_SCALING_GOVERNOR_ON_BAT=ondemand
CPU_MIN_PERF_ON_AC=0
CPU_MAX_PERF_ON_AC=100
CPU_MIN_PERF_ON_BAT=0
CPU_MAX_PERF_ON_BAT=30
'';
powerManagement.resumeCommands = ''
${pkgs.rfkill}/bin/rfkill unblock all
'';
} }
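Review bot: Replacing `fs/sda-crypto-root.nix` and the `boot.initrd.luks.devices` entry with `fs/single-partition-ext4.nix` leaves this laptop's root filesystem unencrypted, and `sshd-totp.nix` is dropped in the same hunk, so two protections disappear without a stated reason. If the tp-x230 setup is meant to run this way, record it next to the import, e.g. `# root intentionally unencrypted, no sshd-totp: <reason>`, so the next reader does not mistake it for an oversight; otherwise keep the luks import alongside the new hardware module. The `# <stockholm/makefu/2configs/tools/all.nix>` line is likewise commented out without a note on why.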


@ -1,14 +1,16 @@
# #
# #
# #
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
with import <stockholm/lib>;
{ {
imports = imports =
[ # base [ # base
<stockholm/makefu> <stockholm/makefu>
<stockholm/makefu/2configs/nur.nix> <stockholm/makefu/2configs/nur.nix>
<stockholm/makefu/2configs/home-manager>
<stockholm/makefu/2configs/home-manager/desktop.nix>
<stockholm/makefu/2configs/home-manager/cli.nix>
<stockholm/makefu/2configs/home-manager/mail.nix>
<stockholm/makefu/2configs/main-laptop.nix> <stockholm/makefu/2configs/main-laptop.nix>
<stockholm/makefu/2configs/extra-fonts.nix> <stockholm/makefu/2configs/extra-fonts.nix>
<stockholm/makefu/2configs/tools/all.nix> <stockholm/makefu/2configs/tools/all.nix>
@ -43,6 +45,7 @@ with import <stockholm/lib>;
<stockholm/makefu/2configs/mail-client.nix> <stockholm/makefu/2configs/mail-client.nix>
<stockholm/makefu/2configs/printer.nix> <stockholm/makefu/2configs/printer.nix>
<stockholm/makefu/2configs/task-client.nix> <stockholm/makefu/2configs/task-client.nix>
# <stockholm/makefu/2configs/syncthing.nix>
# Virtualization # Virtualization
<stockholm/makefu/2configs/virtualisation/libvirt.nix> <stockholm/makefu/2configs/virtualisation/libvirt.nix>
@ -149,4 +152,6 @@ with import <stockholm/lib>;
"/home/makefu/backup/borgun" "/home/makefu/backup/borgun"
"/home/makefu/.mail/" "/home/makefu/.mail/"
]; ];
services.syncthing.user = lib.mkForce "makefu";
services.syncthing.dataDir = lib.mkForce "/home/makefu/.config/syncthing/";
} }
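Review bot: `services.syncthing.user = lib.mkForce "makefu"` and the `dataDir` override are added while the `<stockholm/makefu/2configs/syncthing.nix>` import directly above is commented out, so both settings are inert unless syncthing is enabled from some other module; either uncomment the import or drop the overrides rather than carrying dead configuration. The file already has `with import <stockholm/lib>;` in scope, so `mkForce` is available without the newly added `lib` argument in `{ config, pkgs, lib, ... }`; as far as visible nothing else uses the `lib.` prefix, so pick one style.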


@ -6,5 +6,6 @@
unstable = true; unstable = true;
mic92 = true; mic92 = true;
clever_kexec = true; clever_kexec = true;
home-manager = true;
# torrent = true; # torrent = true;
} }


@ -0,0 +1,9 @@
{ pkgs, ... }:
{ # ncdc
environment.systemPackages = [ pkgs.ncdc ];
networking.firewall = {
allowedUDPPorts = [ 51411 ];
allowedTCPPorts = [ 51411 ];
};
}


@ -30,6 +30,7 @@ let
'') dict)} '') dict)}
''; '';
uhubDir = "/var/lib/uhub";
in { in {
users.extraUsers = singleton { users.extraUsers = singleton {
@ -65,22 +66,31 @@ in {
PrivateTmp = true; PrivateTmp = true;
PermissionsStartOnly = true; PermissionsStartOnly = true;
ExecStartPre = pkgs.writeDash "uhub-pre" '' ExecStartPre = pkgs.writeDash "uhub-pre" ''
cp ${toString <secrets/wildcard.krebsco.de.crt>} /tmp/uhub.crt cp -f ${toString <secrets/wildcard.krebsco.de.crt>} ${uhubDir}/uhub.crt
cp ${toString <secrets/wildcard.krebsco.de.key>} /tmp/uhub.key cp -f ${toString <secrets/wildcard.krebsco.de.key>} ${uhubDir}/uhub.key
cp ${toString <secrets/uhub.sql>} /tmp/uhub.sql if test -d ${uhubDir};then
chown uhub /tmp/* echo "Directory ${uhubDir} already exists, skipping db init"
else
echo "Copying sql user db"
cp ${toString <secrets/uhub.sql>} ${uhubDir}/uhub.sql
fi
chown -R uhub ${uhubDir}
''; '';
}; };
users.users.uhub = {
home = uhubDir;
createHome = true;
};
services.uhub = { services.uhub = {
enable = true; enable = true;
port = 1511; port = 1511;
enableTLS = true; enableTLS = true;
hubConfig = '' hubConfig = ''
hub_name = "krebshub" hub_name = "krebshub"
tls_certificate = /tmp/uhub.crt tls_certificate = ${uhubDir}/uhub.crt
tls_private_key = /tmp/uhub.key tls_private_key = ${uhubDir}/uhub.key
registered_users_only = true registered_users_only = true
''; '';
plugins = { plugins = {
welcome = { welcome = {
@ -93,7 +103,7 @@ in {
}; };
authSqlite = { authSqlite = {
enable = true; enable = true;
file = "/tmp/uhub.sql"; file = "${uhubDir}/uhub.sql";
}; };
}; };
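Review bot: The `if test -d ${uhubDir}` check in `uhub-pre` guards the wrong thing: with `users.users.uhub.createHome = true` the directory should already exist before the unit ever runs, so the `else` branch that copies `uhub.sql` is never taken and `authSqlite.file` points at a file that was never created; test for the database itself, `if test -e ${uhubDir}/uhub.sql; then`. The ordering is also off, since the two `cp -f` lines for the certificate and key run before the directory check and fail if the directory really is absent. Now that the TLS private key lives in a persistent directory instead of `/tmp`, install it with an explicit mode the way the ampel unit in this same commit does — `install -m600 -o uhub ${toString <secrets/wildcard.krebsco.de.key>} ${uhubDir}/uhub.key` — instead of `cp -f` followed by a recursive `chown -R uhub ${uhubDir}`, which leaves the mode to the umask.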


@ -1,48 +1,43 @@
{ pkgs, lib, ... }: { pkgs, lib, ... }:
let let
tasmota_plug = name: topic: { tasmota_plug = name: topic:
platform = "mqtt"; { platform = "mqtt";
inherit name; inherit name;
state_topic = "/bam/${topic}/stat/POWER"; state_topic = "/bam/${topic}/stat/POWER1";
command_topic = "/bam/${topic}/cmnd/POWER"; command_topic = "/bam/${topic}/cmnd/POWER1";
availability_topic = "/bam/${topic}/tele/LWT"; availability_topic = "/bam/${topic}/tele/LWT";
qos = 1; payload_on= "ON";
payload_on= "ON"; payload_off= "OFF";
payload_off= "OFF"; payload_available= "Online";
payload_available= "Online"; payload_not_available= "Offline";
payload_not_available= "Offline"; };
retain= false;
};
espeasy_dht22 = name: [ espeasy_dht22 = name: [
{ { platform = "mqtt";
platform = "mqtt"; name = "${name} DHT22 Temperature";
device_class = "temperature"; device_class = "temperature";
state_topic = "/bam/${name}/dht22/Temperature"; state_topic = "/bam/${name}/dht22/Temperature";
availability_topic = "/bam/${name}/status/LWT"; availability_topic = "/bam/${name}/tele/LWT";
payload_available = "Connected"; payload_available = "Online";
payload_not_available = "Connection Lost"; payload_not_available = "Offline";
} }
{ { platform = "mqtt";
platform = "mqtt"; device_class = "humidity";
device_class = "humidity"; name = "${name} DHT22 Humidity";
state_topic = "/bam/${name}/dht22/Temperature"; state_topic = "/bam/${name}/dht22/Humidity";
unit_of_measurement = "C"; availability_topic = "/bam/${name}/tele/LWT";
availability_topic = "/bam/${name}/status/LWT"; payload_available = "Online";
payload_available = "Connected"; payload_not_available = "Offline";
payload_not_available = "Connection Lost"; }];
}]; espeasy_ds18 = name:
espeasy_ds18 = name: [ { platform = "mqtt";
{ name = "${name} DS18 Temperature";
platform = "mqtt"; state_topic = "/bam/${name}/ds18/Temperature";
device_class = "temperature"; availability_topic = "/bam/${name}/tele/LWT";
state_topic = "/bam/${name}/ds18/Temperature"; payload_available = "Online";
availability_topic = "/bam/${name}/status/LWT"; payload_not_available = "Offline";
payload_available = "Connected"; };
payload_not_available = "Connection Lost";
}
];
in { in {
networking.firewall.allowedTCPPorts = [ 8123 ];
nixpkgs.config.permittedInsecurePackages = [ nixpkgs.config.permittedInsecurePackages = [
"homeassistant-0.65.5" "homeassistant-0.65.5"
]; ];
@ -81,18 +76,19 @@ in {
(tasmota_plug "Pluggy" "plug4") (tasmota_plug "Pluggy" "plug4")
]; ];
binary_sensor = [ binary_sensor = [
{ # esp_easy { platform = "mqtt";
platform = "mqtt";
device_class = "motion"; device_class = "motion";
name = "Motion";
state_topic = "/bam/easy2/movement/Switch"; state_topic = "/bam/easy2/movement/Switch";
payload_on = "1"; payload_on = "1";
payload_off = "0"; payload_off = "0";
availability_topic = "/bam/easy2/status/LWT"; availability_topic = "/bam/easy2/tele/LWT";
payload_available = "Connected"; payload_available = "Online";
payload_not_available = "Connection Lost"; payload_not_available = "Offline";
} }
]; ];
sensor = sensor =
(espeasy_dht22 "easy1") ++
(espeasy_dht22 "easy2") ++ (espeasy_dht22 "easy2") ++
[ (espeasy_ds18 "easy3" ) [ (espeasy_ds18 "easy3" )
{ platform = "luftdaten"; { platform = "luftdaten";


@ -5,7 +5,10 @@ let
home = "/var/lib/ampel"; home = "/var/lib/ampel";
sec = "${toString <secrets>}/google-muell.json"; sec = "${toString <secrets>}/google-muell.json";
ampelsec = "${home}/google-muell.json"; ampelsec = "${home}/google-muell.json";
esp = "192.168.1.23"; cred = "${toString <secrets>}/google-muell-creds.json";
# TODO: generate this credential file locally
ampelcred = "${home}/google-muell-creds.json";
esp = "192.168.8.204";
sleepval = "1800"; sleepval = "1800";
in { in {
users.users.ampel = { users.users.ampel = {
@ -21,10 +24,10 @@ in {
serviceConfig = { serviceConfig = {
User = "ampel"; User = "ampel";
ExecStartPre = pkgs.writeDash "copy-ampel-secrets" '' ExecStartPre = pkgs.writeDash "copy-ampel-secrets" ''
cp ${sec} ${ampelsec} install -m600 -o ampel ${sec} ${ampelsec}
chown ampel ${ampelsec} install -m600 -o ampel ${cred} ${ampelcred}
''; '';
ExecStart = "${pkg}/bin/google-muell --esp=${esp} --client-secrets=${ampelsec} --credential-path=${home}/google-muell-creds.json --sleepval=${sleepval}"; ExecStart = "${pkg}/bin/google-muell --esp=${esp} --client-secrets=${ampelsec} --credential-path=${ampelcred} --sleepval=${sleepval}";
PermissionsStartOnly = true; PermissionsStartOnly = true;
Restart = "always"; Restart = "always";
RestartSec = 10; RestartSec = 10;
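Review bot: `install -m600 -o ampel ${cred} ${ampelcred}` re-copies the credential file from `<secrets>` on every start, so whatever google-muell writes back to `--credential-path` (refreshed tokens, presumably) is discarded at the next restart, and `Restart = "always"` makes that frequent. If this is deliberate, the `# TODO: generate this credential file locally` comment should say so, e.g. `# credentials are reset from <secrets> on every (re)start; token refreshes are not persisted`; if not, copy only when `${ampelcred}` does not exist yet. The switch from `cp` plus `chown` to `install -m600 -o ampel` is an improvement in itself, as the file mode no longer depends on the umask.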


@ -0,0 +1,141 @@
{ pkgs, config, ... }:
# Ideas:
## wake-on-lan server
##
let
firetv = "192.168.1.238";
tasmota_plug = name: topic:
{ platform = "mqtt";
inherit name;
state_topic = "/ham/${topic}/stat/POWER1";
command_topic = "/ham/${topic}/cmnd/POWER1";
availability_topic = "/ham/${topic}/tele/LWT";
payload_on= "ON";
payload_off= "OFF";
payload_available= "Online";
payload_not_available= "Offline";
};
tasmota_bme = name: topic:
[ { platform = "mqtt";
name = "${name} Temperatur";
state_topic = "/ham/${topic}/tele/SENSOR";
value_template = "{{ value_json.BME280.Temperature }}";
unit_of_measurement = "°C";
}
{ platform = "mqtt";
name = "${name} Luftfeuchtigkeit";
state_topic = "/ham/${topic}/tele/SENSOR";
value_template = "{{ value_json.BME280.Humidity }}";
unit_of_measurement = "%";
}
{ platform = "mqtt";
name = "${name} Luftdruck";
state_topic = "/ham/${topic}/tele/SENSOR";
value_template = "{{ value_json.BME280.Pressure }}";
unit_of_measurement = "hPa";
}
];
in {
imports = [
./mqtt.nix
];
systemd.services.firetv = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "nobody";
ExecStart = "${pkgs.python-firetv}/bin/firetv-server -d ${firetv}:5555";
};
};
nixpkgs.config.permittedInsecurePackages = [
"homeassistant-0.65.5"
];
services.home-assistant = {
config = {
homeassistant = {
name = "Home"; time_zone = "Europe/Berlin";
latitude = "48.7687";
longitude = "9.2478";
elevation = 247;
};
discovery = {};
conversation = {};
history = {};
logbook = {};
tts = [
{ platform = "google";}
];
sun.elevation = 247;
recorder = {};
media_player = [
{ platform = "kodi";
host = firetv;
}
{ platform = "firetv";
# assumes python-firetv running
}
];
mqtt = {
broker = "localhost";
port = 1883;
client_id = "home-assistant";
username = "hass";
password = builtins.readFile <secrets/mqtt/hass>;
keepalive = 60;
protocol = 3.1;
birth_message = {
topic = "/ham/hass/tele/LWT";
payload = "Online";
qos = 1;
retain = true;
};
will_message = {
topic = "/ham/hass/tele/LWT";
payload = "Offline";
qos = 1;
retain = true;
};
};
sensor = [
{ platform = "speedtest";
monitored_conditions = [ "ping" "download" "upload" ];
}
{ platform = "luftdaten";
name = "Ditzingen";
sensorid = "663";
monitored_conditions = [ "P1" "P2" ];
}
# https://www.home-assistant.io/cookbook/automation_for_rainy_days/
{ platform = "darksky";
api_key = "c73619e6ea79e553a585be06aacf3679";
language = "de";
monitored_conditions = [ "summary" "icon"
"nearest_storm_distance" "precip_probability"
"precip_intensity"
"temperature" # "temperature_high" "temperature_low"
"hourly_summary"
"uv_index" ];
units = "si" ;
update_interval = {
days = 0;
hours = 0;
minutes = 10;
seconds = 0;
};
}
] ++ (tasmota_bme "Schlafzimmer" "schlafzimmer");
frontend = { };
#group = [
# { default_view = { view = "yes"; entities = [
# "sensor.luftdaten"
# ]}
#];
http = { };
switch = [
(tasmota_plug "Lichterkette Schlafzimmer" "schlafzimmer")
];
};
enable = true;
#configDir = "/var/lib/hass";
};
}
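Review bot: The `darksky` sensor sets `api_key` to a plain string literal in a committed file, while the MQTT `password` a few lines above is read with `builtins.readFile <secrets/mqtt/hass>`; use the same mechanism, e.g. `api_key = builtins.readFile <secrets/hass/darksky>;` (path is a suggestion), and treat the key now in the history as disclosed. Note that `builtins.readFile` returns the file contents verbatim, so a trailing newline in the secret file becomes part of the value — this applies to the mqtt `password` as well; `lib.fileContents <secrets/mqtt/hass>` strips it, which needs `lib` added to the `{ pkgs, config, ... }` argument set. `sun.elevation = 247` repeats `homeassistant.elevation`; a `let` binding would keep the two from drifting.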


@ -0,0 +1,24 @@
{ pkgs, config, ... }:
{
services.mosquitto = {
enable = true;
host = "0.0.0.0";
allowAnonymous = false;
checkPasswords = true;
# see <host>/mosquitto
users.sensor = {
hashedPassword = "$6$2DXU7W1bvqXPqxkF$vtdz5KTd/T09hmoc9LjgEGFjvpwQbQth6vlVcr5hJNLgcBHv4U03YCKC8TKXbmQAa8xiJ76xJIg25kcL+KI3tg==";
acl = [ "topic readwrite #" ];
};
users.hass = {
hashedPassword = "$6$SHuYGrE5kPSUc/hu$EomZ0KBy+vkxLt/6eJkrSBjYblCCeMjhDfUd2mwqXYJ4XsP8hGmZ59mMlmBCd3AvlFYQxb4DT/j3TYlrqo7cDA==";
acl = [ "topic readwrite #" ];
};
users.stats = {
hashedPassword = "$6$j4H7KXD/YZgvgNmL$8e9sUKRXowDqJLOVgzCdDrvDE3+4dGgU6AngfAeN/rleGOgaMhee2Mbg2KS5TC1TOW3tYbk9NhjLYtjBgfRkoA==";
acl = [ "topic read #" ];
};
};
environment.systemPackages = [ pkgs.mosquitto ];
# port open via trusted interface
}
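Review bot: `users.sensor` is granted `acl = [ "topic readwrite #" ]`, the same as the `hass` account, although the name suggests it is the credential shared by the field devices; the hass config in this commit keeps all device traffic under `/ham/<device>/...`, so `acl = [ "topic readwrite /ham/#" ];` (or one pattern per device) limits what a compromised or misconfigured device can read or overwrite without breaking its own `tele`/`cmnd` topics. The `# port open via trusted interface` remark next to `host = "0.0.0.0"` would be more useful if it named the module that does the interface scoping, since nothing in this file restricts the listener.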


@ -1,5 +1,7 @@
{config, ...}: {config, ...}:
{ {
# fdisk /dev/sda
# mkfs.ext4 -L nixos /dev/sda1
boot.loader.grub.enable = assert config.boot.loader.grub.device != ""; true; boot.loader.grub.enable = assert config.boot.loader.grub.device != ""; true;
boot.loader.grub.version = 2; boot.loader.grub.version = 2;


@ -31,6 +31,7 @@ let
ampel = { }; ampel = { };
europastats = { }; europastats = { };
arafetch = { }; arafetch = { };
disko = { };
init-stockholm = { init-stockholm = {
cgit.desc = "Init stuff for stockholm"; cgit.desc = "Init stuff for stockholm";
}; };


@ -0,0 +1,12 @@
{
home-manager.users.makefu = {
services.gpg-agent = {
defaultCacheTtl = 900;
maxCacheTtl = 7200;
defaultCacheTtlSsh = 3600;
maxCacheTtlSsh = 86400;
enableSshSupport = true;
};
programs.fzf.enable = true; # alt-c
};
}


@ -0,0 +1,7 @@
{
imports = [
<home-manager/nixos>
];
home-manager.users.makefu = {
};
}


@ -0,0 +1,31 @@
{pkgs, ... }: {
home-manager.users.makefu = {
programs.browserpass = { browsers = [ "firefox" ] ; enable = true; };
services.network-manager-applet.enable = true;
services.blueman-applet.enable = true;
services.pasystray.enable = true;
systemd.user.services.network-manager-applet.Service.Environment = ''
XDG_DATA_DIRS=/etc/profiles/per-user/makefu/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
'';
systemd.user.services.clipit = {
Unit = {
Description = "clipboard manager";
After = [ "graphical-session-pre.target" ];
PartOf = [ "graphical-session.target" ];
};
Install = {
WantedBy = [ "graphical-session.target" ];
};
Service = {
Environment = ''
XDG_DATA_DIRS=/etc/profiles/per-user/makefu/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
'';
ExecStart = "${pkgs.clipit}/bin/clipit";
Restart = "on-abort";
};
};
};
}
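Review bot: The `Environment` string `XDG_DATA_DIRS=/etc/profiles/per-user/makefu/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache` is written out twice, once for `network-manager-applet` and once for `clipit`; bind it once in a `let` (e.g. `gtkEnv = ''XDG_DATA_DIRS=... GDK_PIXBUF_MODULE_FILE=...'';`) and reference it from both `Service.Environment` values so they cannot drift apart. The `/etc/profiles/per-user/makefu` path also hard-codes the user name that `home-manager.users.makefu` already carries.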


@ -0,0 +1,46 @@
{
home-manager.users.makefu = {
accounts.email.accounts.syntaxfehler = {
address = "felix.richter@syntax-fehler.de";
userName = "Felix.Richter@syntax-fehler.de";
imap = {
host = "syntax-fehler.de";
tls = {
enable = true;
};
};
smtp = {
host = "syntax-fehler.de";
tls = {
enable = true;
};
};
msmtp.enable = true;
notmuch.enable = true;
offlineimap = {
enable = true;
postSyncHookCommand = "notmuch new";
extraConfig.remote = {
holdconnectionopen = true;
idlefolders = "['INBOX']";
};
};
primary = true;
realName = "Felix Richter";
passwordCommand = "gpg --use-agent --quiet --batch -d /home/makefu/.mail/syntax-fehler.gpg";
};
programs.offlineimap.enable = true;
programs.offlineimap.extraConfig = {
mbnames = {
filename = "~/.mutt/muttrc.mailboxes";
header = "'mailboxes '";
peritem = "'+%(accountname)s/%(foldername)s'";
sep = "' '";
footer = "'\\n'";
};
general = {
ui = "TTY.TTYUI";
};
};
};
}


@ -29,11 +29,14 @@
# presumably a2dp Sink # presumably a2dp Sink
# Enable profile: # Enable profile:
## pacmd set-card-profile "$(pactl list cards short | egrep -o bluez_card[[:alnum:]._]+)" a2dp_sink ## pacmd set-card-profile "$(pactl list cards short | egrep -o bluez_card[[:alnum:]._]+)" a2dp_sink
hardware.bluetooth.extraConfig = '';
[general]
Enable=Source,Sink,Media,Socket
'';
# connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio
hardware.bluetooth.enable = true; hardware.bluetooth = {
enable = true;
powerOnBoot = false;
extraConfig = ''
[general]
Enable=Source,Sink,Media,Socket
'';
};
} }


@ -0,0 +1,47 @@
{ config, pkgs, ... }:
{
imports = [
(builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.1.4/nixos-mailserver-v2.1.4.tar.gz")
];
mailserver = {
enable = true;
fqdn = "euer.eloop.org";
domains = [ "euer.eloop.org" ];
loginAccounts = {
"makefu@euer.eloop.org" = {
hashedPassword = "$6$5gFFAPnI/c/EHIx$3aHj64p5SX./C.MPb.eBmyLDRdWS1yaoV0s9r3Yexw4UO9URdUkBDgqT7F0Mjgt6.gyYaJ5E50h0Yg7iHtLWI/";
aliases = [ "root@euer.eloop.org" ];
catchAll = [ "euer.eloop.org" ];
};
};
certificateScheme = 3;
# Enable IMAP and POP3
enableImap = true;
enablePop3 = false;
enableImapSsl = true;
enablePop3Ssl = false;
# Enable the ManageSieve protocol
enableManageSieve = true;
virusScanning = false;
};
services.dovecot2.extraConfig = ''
ssl_dh = </var/lib/dhparams/dovecot.pem
'';
# workaround for DH creation
# security.dhparams = {
# enable = true;
# params = {
# dovecot = 2048;
# };
# };
# systemd.services.dovecot2.requires = [ "dhparams-gen-dovecot.service" ];
# systemd.services.dovecot2.after = [ "dhparams-gen-dovecot.service" ];
}
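Review bot: `builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.1.4/nixos-mailserver-v2.1.4.tar.gz"` is fetched without a `sha256`, so the module set that configures the entire mail stack is trusted to be whatever the remote serves at evaluation time and is silently re-fetched once the tarball TTL expires; pin it as `(builtins.fetchTarball { url = "<same url>"; sha256 = "<hash of the v2.1.4 archive>"; })` so a changed archive fails evaluation instead of being deployed. Separately, `ssl_dh = </var/lib/dhparams/dovecot.pem` points at a file that only the commented-out `security.dhparams` block would generate, so as committed dovecot presumably will not start until the file is provisioned by hand; the `# workaround for DH creation` comment should state how that file is provided.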


@ -4,6 +4,7 @@
enable = true; enable = true;
host = "0.0.0.0"; host = "0.0.0.0";
users = {}; users = {};
# TODO: secure that shit
allowAnonymous = true; allowAnonymous = true;
}; };
} }


@ -10,7 +10,12 @@ let
in { in {
services.nginx = { services.nginx = {
enable = mkDefault true; enable = mkDefault true;
virtualHosts."mon.euer.krebsco.de" = { virtualHosts."mon.euer.krebsco.de" = let
# flesh_wrap
authFile = pkgs.writeText "influx.conf" ''
user:$apr1$ZG9oQCum$FhtIe/cl3jf8Sa4zq/BWd1
'';
in {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
@ -21,6 +26,17 @@ in {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
''; '';
}; };
locations."/influxdb/" = {
proxyPass = "http://wbob.r:8086/";
extraConfig = ''
auth_basic "Needs Autherization to visit";
auth_basic_user_file ${authFile};
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;
'';
};
}; };
}; };
} }
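Review bot: `authFile = pkgs.writeText "influx.conf" ''user:$apr1$...''` puts the htpasswd file into the Nix store, where it is world-readable on the host and travels with the closure, and `$apr1$` is an MD5-based scheme; the rest of this commit keeps such material under `<secrets>` via `toString <secrets/...>`, so `auth_basic_user_file ${toString <secrets/influx.htpasswd>};` (name is a suggestion) would be consistent and keep the hash off the store. The user-facing realm `auth_basic "Needs Autherization to visit";` has a typo — `Authorization`. The `# flesh_wrap` comment does not say what the file is for; `# basic auth for the /influxdb/ proxy below` would.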


@ -0,0 +1,43 @@
{ config, pkgs, ... }:
let
system = builtins.currentSystem; #we can also build for other platforms
iso = (import <nixpkgs/nixos/lib/eval-config.nix>
{ inherit system;
modules = [ ../../1systems/iso/config.nix ]; }
);
image = iso.config.system.build.isoImage;
name = iso.config.isoImage.isoName;
drivedroid-cfg = builtins.toJSON [{
id = "stockholm";
imageUrl = http://krebsco.de/krebs-v2.png;
name = "stockholm";
tags = [ "hybrid" ];
url = http://krebsco.de;
releases = [
{ version = iso.config.system.nixos.label;
url = "/stockholm.iso";
arch = system; }
];
# size = TODO;
}];
web = pkgs.linkFarm "web" [{
name = "drivedroid.json";
path = pkgs.writeText "drivedroid.json" drivedroid-cfg; }
{ name = "stockholm.iso";
path = "${image}/iso/${name}"; }
];
in
{
services.nginx = {
virtualHosts = {
"iso.euer.krebsco.de" = {
enableACME = true;
forceSSL = true;
root = web;
locations."/".index = "drivedroid.json";
};
};
};
}
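Review bot: `drivedroid-cfg` advertises `imageUrl = http://krebsco.de/krebs-v2.png;` and `url = http://krebsco.de;` over plain http, while the vhost that serves this JSON has `forceSSL = true`; if krebsco.de is reachable over TLS, use `https://` for both so the client is not sent to a cleartext endpoint first. A one-line comment on `# size = TODO;` saying what unit DriveDroid expects would also save the next editor a lookup.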


@ -3,7 +3,7 @@
services.nginx = { services.nginx = {
enable = lib.mkDefault true; enable = lib.mkDefault true;
virtualHosts."misa-felix-hochzeit.ml" = { virtualHosts."misa-felix-hochzeit.ml" = {
serverAliases = [ "www.misa-felix-hochzeit.ml" "misa-felix.ml" "www.misa-felix.ml" ]; serverAliases = [ "misa-felix.ml" "www.misa-felix.ml" ];
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = {


@ -1,11 +1,10 @@
{ {config,...}:{
nix.trustedUsers = [ "nixBuild" ]; nix.trustedUsers = [ "nixBuild" ];
users.users.nixBuild = { users.users.nixBuild = {
name = "nixBuild"; name = "nixBuild";
useDefaultShell = true; useDefaultShell = true;
# TODO: put this somewhere else
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlhb0TIBW9RN9T8Is4YRIc1RjOg+cxbZCaDjbM4zxrX nixBuild" config.krebs.users.buildbotSlave.pubkey
]; ];
}; };
} }
