Mic92
/
stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'lass/master' into 22.05

This commit is contained in:
makefu 2022-06-07 00:17:23 +02:00
parent 1e405be047 bdc80e5541
commit 9c1799914a
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
62 changed files with 633 additions and 314 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/repo-sync.yml vendored
View File

@ -8,7 +8,7 @@ jobs:
if: github.repository_owner == 'Mic92'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
persist-credentials: false
- name: repo-sync

2
krebs/2configs/container-networking.nix
View File

@ -1,7 +1,7 @@
{ lib, ... }:
{
networking.nat.enable = true;
networking.nat.internalInterfaces = ["ve-+"];
networking.nat.internalInterfaces = ["ve-+" "ctr+" ];
networking.nat.externalInterface = lib.mkDefault "et0";
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
}

9
krebs/2configs/matterbridge.nix
View File

@ -19,11 +19,6 @@
inherit Nick;
};
};
mumble.lassulus = {
Server = "lassul.us:64738";
Nick = "krebs_bridge";
SkipTLSVerify = true;
};
gateway = [
{
name = "krebs-bridge";
@ -37,10 +32,6 @@
account = "telegram.krebs";
channel = "-330372458";
}
{
account = "mumble.lassulus";
channel = 6; # "nixos"
}
];
}
];

2
krebs/2configs/news.nix
View File

@ -164,7 +164,7 @@
if [ ''${#youtube_url} -eq 24 ]; then
youtube_id=$youtube_url
else
youtube_id=$(${pkgs.youtube-dl}/bin/youtube-dl --max-downloads 1 -j "$youtube_url" | ${pkgs.jq}/bin/jq -r '.channel_id')
youtube_id=$(${pkgs.yt-dlp}/bin/yt-dlp --max-downloads 1 -j "$youtube_url" | ${pkgs.jq}/bin/jq -r '.channel_id')
fi
echo "brockman: add yt_$youtube_nick http://rss.r/?action=display&bridge=Youtube&context=By+channel+id&c=$youtube_id&duration_min=&duration_max=&format=Mrss"
'';

1
krebs/2configs/reaktor2.nix
View File

@ -148,6 +148,7 @@ in {
services.nginx = {
virtualHosts."agenda.r" = {
serverAliases = [ "kri.r" ];
locations."= /index.html".extraConfig = ''
alias ${pkgs.writeText "agenda.html" ''
<!DOCTYPE html>

2
krebs/2configs/security-workarounds.nix
View File

@ -1,6 +1,4 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
# https://github.com/Lassulus/CVE-2021-4034
security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" "");
}

19
krebs/3modules/acl.nix
View File

@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }: let
parents = dir:
if dir == "/" then
[ dir ]
[]
else
[ dir ] ++ parents (builtins.dirOf dir)
;
@ -40,13 +40,16 @@ in {
pkgs.coreutils
];
serviceConfig = {
ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
lib.mapAttrsToList (_: rule: ''
setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
'') rules
));
ExecStart = pkgs.writers.writeDash "acl" ''
mkdir -p "${path}"
${lib.concatStrings (
lib.mapAttrsToList (_: rule: ''
setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents (builtins.dirOf path)))}
'') rules
)}
'';
RemainAfterExit = true;
Type = "simple";
};

1
krebs/3modules/krebs/default.nix
View File

@ -74,6 +74,7 @@ in {
aliases = [
"hotdog.r"
"agenda.r"
"kri.r"
"build.r"
"build.hotdog.r"
"ca.r"

6
krebs/5pkgs/haskell/brockman/default.nix
View File

@ -7,19 +7,19 @@
}:
mkDerivation rec {
pname = "brockman";
version = "4.0.3";
version = "4.0.4";
src = fetchFromGitHub {
owner = "kmein";
repo = "brockman";
rev = version;
sha256 = "sha256-rjwroSG9ys0FV2JM70kzmCutMVpUTx8cQ+jQq8Hw1kw=";
sha256 = "sha256-GOEEUjehFgMMf6cNpi0AP/Rz74sTDEcpKRbLD+6YEz0=";
};
isLibrary = false;
isExecutable = true;
executableHaskellDepends = [
aeson aeson-pretty base bytestring case-insensitive conduit
containers directory feed filepath hashable hslogger html-entity
http-client irc-conduit lens lrucache lrucaching network
http-client irc-conduit lens lrucache network
optparse-applicative random safe text time timerep wreq
];
license = lib.licenses.mit;

8
krebs/5pkgs/haskell/reaktor2/default.nix
View File

@ -8,11 +8,11 @@
}:
mkDerivation rec {
pname = "reaktor2";
version = "0.4.0";
version = "0.4.0a";
src = fetchgit {
url = "https://cgit.krebsco.de/reaktor2";
sha256 = "0bnn23hjl57y0a5rf3h8kq078dziby7il7fandz5wh6s4i3psicp";
rev = "v${version}";
url = "https://cgit.lassul.us/reaktor2";
sha256 = "sha256-x1i2TWcycYVFij6832xaBiQa1RQ1VmSfu5Qt1QrUtds=";
rev = "6d3eb6de5e770ee26874bb7449934f0c55bd1efa";
fetchSubmodules = true;
};
isLibrary = false;

2
krebs/5pkgs/simple/realwallpaper/default.nix
View File

@ -122,7 +122,7 @@ pkgs.writers.writeDashBin "generate-wallpaper" ''
'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=MOD14A1_E_FIRE') &
# regular fetches
fetch marker.json.tmp "$marker_url"
fetch marker.json.tmp "$marker_url" || :
if [ -s marker.json.tmp ]; then
mv marker.json.tmp marker.json
fi

85
krebs/5pkgs/simple/weechat-declarative/default.nix
View File

@ -109,45 +109,60 @@ let
};
};
setFile = pkgs.writeText "weechat.set" (
lib.optionalString (cfg.settings != {})
(lib.concatStringsSep "\n" (
lib.optionals
(cfg.settings.irc or {} != {})
(lib.mapAttrsToList
(name: server: "/server add ${name} ${lib.toWeechatValue server.addresses}")
cfg.settings.irc.server)
++
lib.optionals
(cfg.settings.matrix or {} != {})
(lib.mapAttrsToList
(name: server: "/matrix server add ${name} ${server.address}")
cfg.settings.matrix.server)
++
lib.mapAttrsToList lib.setCommand (lib.attrPathsSep "." cfg.settings)
++
lib.optionals
(cfg.settings.filters or {} != {})
(lib.mapAttrsToList lib.filterAddreplace cfg.settings.filters)
++
lib.singleton cfg.extraCommands
))
);
weechat = pkgs.weechat.override {
configure = _: {
init = lib.optionalString (cfg.settings != {})
(lib.concatStringsSep "\n" (
lib.optionals
(cfg.settings.irc or {} != {})
(lib.mapAttrsToList
(name: server: "/server add ${name} ${server.address}")
cfg.settings.irc.server)
++
lib.optionals
(cfg.settings.matrix or {} != {})
(lib.mapAttrsToList
(name: server: "/matrix server add ${name} ${server.address}")
cfg.settings.matrix.server)
++
lib.mapAttrsToList lib.setCommand (lib.attrPathsSep "." cfg.settings)
++
lib.optionals
(cfg.settings.filters or {} != {})
(lib.mapAttrsToList lib.filterAddreplace cfg.settings.filters)
++
lib.singleton cfg.extraCommands
));
init = "/exec -oc cat ${setFile}";
scripts = cfg.scripts;
};
};
in pkgs.writers.writeDashBin "weechat" ''
CONFDIR=''${XDG_CONFIG_HOME:-$HOME/.config}/weechat
${pkgs.coreutils}/bin/mkdir -p "$CONFDIR"
${lib.concatStringsSep "\n"
(lib.mapAttrsToList
(name: target: /* sh */ ''
${pkgs.coreutils}/bin/ln -s ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name}
'')
cfg.files
)
}
exec ${weechat}/bin/weechat "$@"
''
wrapper = pkgs.writers.writeDashBin "weechat" ''
CONFDIR=''${XDG_CONFIG_HOME:-$HOME/.config}/weechat
${pkgs.coreutils}/bin/mkdir -p "$CONFDIR"
${lib.concatStringsSep "\n"
(lib.mapAttrsToList
(name: target: /* sh */ ''
${pkgs.coreutils}/bin/ln -s ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name}
'')
cfg.files
)
}
exec ${weechat}/bin/weechat "$@"
'';
in pkgs.symlinkJoin {
name = "weechat-configured";
paths = [
wrapper
pkgs.weechat
];
postBuild = ''
ln -s ${setFile} $out/weechat.set
'';
}

8
krebs/nixpkgs-unstable.json
View File

@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
"rev": "2a3aac479caeba0a65b2ad755fe5f284f1fde74d",
"date": "2022-05-09T07:45:23+00:00",
"path": "/nix/store/56hy8l0ky71qdx5zibjzzg0q8ivkk7vc-nixpkgs",
"sha256": "0px2fk64s56qxd8ir8xg8bsj5yz1w399ps4xfkyx29n2ywp9ar7c",
"rev": "5ce6597eca7d7b518c03ecda57d45f9404b5e060",
"date": "2022-05-24T17:55:48+02:00",
"path": "/nix/store/glvcj0zmqq9z5wf6bppnppbpf8w85iwf-nixpkgs",
"sha256": "1hs1lnnbp1dky3nfp7xlricpp5c63sr46jyrnvykci8bl8jnxnl3",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,

8
krebs/nixpkgs.json
View File

@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
"rev": "fd3e33d696b81e76b30160dfad2efb7ac1f19879",
"date": "2022-04-30T11:27:15+02:00",
"path": "/nix/store/4n9dqxd8j90h0j99n8pyim6n5q1zviwg-nixpkgs",
"sha256": "1liw3glyv1cx0bxgxnq2yjp0ismg0np2ycg72rqghv75qb73zf9h",
"rev": "d1086907f56c5a6c33c0c2e8dc9f42ef6988294f",
"date": "2022-05-28T12:29:49+02:00",
"path": "/nix/store/56gsa390lyiik6jdapnj98a2ww8af8ig-nixpkgs",
"sha256": "009dc0njvdn5pzcyd8bp4sc9byf70w4msdkv6q2zfdlnh36im1jl",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,

2
krebs/update-nixpkgs.sh
View File

@ -3,7 +3,7 @@ dir=$(dirname $0)
oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
--url https://github.com/NixOS/nixpkgs \
--rev refs/heads/nixos-21.11' \
--rev refs/heads/nixos-22.05' \
> $dir/nixpkgs.json
newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev"

40
lass/1systems/daedalus/config.nix
View File

@ -43,7 +43,7 @@ with import <stockholm/lib>;
libreoffice
audacity
zathura
skype
skypeforlinux
wine
geeqie
vlc
@ -56,22 +56,32 @@ with import <stockholm/lib>;
services.xserver.layout = "de";
}
{
krebs.per-user.bitcoin.packages = [
pkgs.electrum
pkgs.electron-cash
pkgs.litecoin
];
users.extraUsers = {
bitcoin = {
name = "bitcoin";
description = "user for bitcoin stuff";
home = "/home/bitcoin";
isNormalUser = true;
useDefaultShell = true;
createHome = true;
extraGroups = [ "audio" ];
users = {
groups.plugdev = {};
users = {
bitcoin = {
name = "bitcoin";
description = "user for bitcoin stuff";
home = "/home/bitcoin";
isNormalUser = true;
useDefaultShell = true;
createHome = true;
extraGroups = [
"audio"
"networkmanager"
"plugdev"
];
packages = let
unstable = import <nixpkgs-unstable> { config.allowUnfree = true; };
in [
pkgs.electrum
pkgs.electron-cash
unstable.ledger-live-desktop
];
};
};
};
hardware.ledger.enable = true;
security.sudo.extraConfig = ''
bubsy ALL=(bitcoin) NOPASSWD: ALL
'';

1
lass/1systems/lasspi/physical.nix
View File

@ -25,7 +25,6 @@
version = 4;
};
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
# Required for the Wireless firmware
hardware.enableRedistributableFirmware = true;

1
lass/1systems/prism/config.nix
View File

@ -124,6 +124,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/jitsi.nix>
<stockholm/lass/2configs/fysiirc.nix>
<stockholm/lass/2configs/bgt-bot>
{
services.tor = {
enable = true;

2
lass/1systems/xerxes/config.nix
View File

@ -47,7 +47,7 @@
wantedBy = [ "multi-user.target" ];
script = ''
${pkgs.xboxdrv.overrideAttrs(o: {
patches = [ (pkgs.fetchurl {
patches = o.patches ++ [ (pkgs.fetchurl {
url = "https://patch-diff.githubusercontent.com/raw/xboxdrv/xboxdrv/pull/251.patch";
sha256 = "17784y20mxqrlhgvwvszh8lprxrvgmb7ah9dknmbhj5jhkjl8wq5";
}) ];

33
lass/2configs/IM.nix
View File

@ -1,38 +1,23 @@
with (import <stockholm/lib>);
{ config, lib, pkgs, ... }: let
weechat = pkgs.weechat.override {
configure = { availablePlugins, ... }: with pkgs.weechatScripts; {
plugins = lib.attrValues (availablePlugins // {
python = availablePlugins.python.withPackages (_: [ weechat-matrix ]);
});
scripts = [ weechat-matrix ];
configure = { availablePlugins, ... }: {
scripts = with pkgs.weechatScripts; [
weechat-matrix
];
};
};
tmux = pkgs.writeDashBin "tmux" ''
exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
set-option -g prefix `
unbind-key C-b
bind ` send-prefix
set-option -g status off
set-option -g default-terminal screen-256color
#use session instead of windows
bind-key c new-session
bind-key p switch-client -p
bind-key n switch-client -n
bind-key C-s switch-client -l
''} "$@"
'';
tmux = "/run/current-system/sw/bin/tmux";
in {
imports = [
./bitlbee.nix
];
environment.systemPackages = [ tmux weechat ];
environment.systemPackages = [ weechat ];
systemd.services.chat = {
description = "chat environment setup";
environment.WEECHAT_HOME = "\$HOME/.weechat";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
@ -46,8 +31,8 @@ in {
User = "lass";
RemainAfterExit = true;
Type = "oneshot";
ExecStart = "${tmux}/bin/tmux -2 new-session -d -s IM ${weechat}/bin/weechat";
ExecStop = "${tmux}/bin/tmux kill-session -t IM"; # TODO run save in weechat
ExecStart = "${tmux} -2 new-session -d -s IM ${weechat}/bin/weechat";
ExecStop = "${tmux} kill-session -t IM"; # TODO run save in weechat
};
};
}

37
lass/2configs/alacritty.nix
View File

@ -89,9 +89,40 @@ in {
};
};
"themes/dark/alacritty.yaml".text = alacritty-cfg {
colors.primary = {
background = "#000000";
foreground = "#ffffff";
colors = {
# Default colors
primary = {
background = "0x000000";
foreground = "0xffffff";
};
cursor = {
text = "0xF81CE5";
cursor = "0xffffff";
};
# Normal colors
normal = {
black = "0x000000";
red = "0xfe0100";
green = "0x33ff00";
yellow = "0xfeff00";
blue = "0x0066ff";
magenta = "0xcc00ff";
cyan = "0x00ffff";
white = "0xd0d0d0";
};
# Bright colors
bright = {
black = "0x808080";
red = "0xfe0100";
green = "0x33ff00";
yellow = "0xfeff00";
blue = "0x0066ff";
magenta = "0xcc00ff";
cyan = "0x00ffff";
white = "0xFFFFFF";
};
};
};
};

8
lass/2configs/baseX.nix
View File

@ -16,7 +16,7 @@ in {
./xmonad.nix
./themes.nix
{
krebs.per-user.lass.packages = [
users.users.mainUser.packages = [
pkgs.sshuttle
];
security.sudo.extraConfig = ''
@ -46,7 +46,7 @@ in {
}
];
users.users.mainUser.extraGroups = [ "audio" "video" ];
users.users.mainUser.extraGroups = [ "audio" "pipewire" "video" ];
time.timeZone = "Europe/Berlin";
@ -64,7 +64,7 @@ in {
font-size
fzfmenu
gimp
gitAndTools.hub
gitAndTools.gh
git-crypt
git-preview
dconf
@ -79,11 +79,13 @@ in {
ponymix
powertop
rxvt_unicode-with-plugins
sshvnc
sxiv
taskwarrior
termite
transgui
wirelesstools
x11vnc
xclip
xephyrify
xorg.xhost

57
lass/2configs/bgt-bot/bgt-check.sh Normal file
View File

@ -0,0 +1,57 @@
#!/bin/sh
# needs in path:
# curl gnugrep jq
# creates and manages $PWD/state
set -xeuf
send_reaktor(){
# usage: send_reaktor "text"
echo "send_reaktor: $1"
curl -fsS "http://localhost:$REAKTOR_PORT" \
-H content-type:application/json \
-d "$(jq -n \
--arg text "$1" \
--arg channel "$IRC_CHANNEL" \
'{
command:"PRIVMSG",
params:[$channel,$text]
}'
)"
}
live=$(shuf -n1 <<EOF
Binärgewitter Liveshow hat begonnen! http://stream.radiotux.de:8000/binaergewitter.mp3
EOF
)
offline=$(shuf -n1 <<EOF
Live stream vorbei
EOF
)
error=$(shuf -n1 <<EOF
something went wrong
EOF
)
if curl -Ss http://stream.radiotux.de:8000 | grep -q 'Mount Point /binaergewitter'; then
state='live'
else
state='offline'
fi
prevstate=$(cat state ||:)
if test "$state" == "$(cat state)";then
#echo "current and last state is the same ($state), doing nothing"
:
else
echo "API state and last state differ ( '$state' != '$prevstate')"
if test "$state" == 'live';then
send_reaktor "$live"
elif test "$state" == 'offline';then
send_reaktor "$offline"
else
send_reaktor "$error"
fi
echo 'updating state'
printf "%s" "$state" > state
fi

44
lass/2configs/bgt-bot/default.nix Normal file
View File

@ -0,0 +1,44 @@
{ config, lib, pkgs, ... }:
let
bot_port = "7654";
irc_channel = "#binaergewitter";
in
{
krebs.reaktor2.bgt-announce = {
hostname = "irc.libera.chat";
port = "6697";
nick = "bgt-announce";
API.listen = "inet://127.0.0.1:${bot_port}";
plugins = [
{
plugin = "register";
config = {
channels = [
irc_channel
];
};
}
];
};
systemd.services.check_bgt_show = {
startAt = "*:0/5";
environment = {
IRC_CHANNEL = irc_channel;
REAKTOR_PORT = bot_port;
};
path = with pkgs; [
curl
gnugrep
jq
];
script = builtins.readFile ./bgt-check.sh;
serviceConfig = {
DynamicUser = true;
StateDirectory = "bgt-announce";
WorkingDirectory = "/var/lib/bgt-announce";
PrivateTmp = true;
};
};
}

1
lass/2configs/bitcoin.nix
View File

@ -28,7 +28,6 @@ in {
};
};
security.sudo.extraConfig = ''
${mainUser.name} ALL=(bch) ALL
${mainUser.name} ALL=(bitcoin) ALL
${mainUser.name} ALL=(monero) ALL
'';

2
lass/2configs/bitlbee.nix
View File

@ -11,7 +11,7 @@ with (import <stockholm/lib>);
pkgs.bitlbee-discord
];
libpurple_plugins = [
pkgs.telegram-purple
# pkgs.telegram-purple
# pkgs.tdlib-purple
# pkgs.purple-gowhatsapp
];

1
lass/2configs/blue.nix
View File

@ -8,7 +8,6 @@ with (import <stockholm/lib>);
];
environment.systemPackages = with pkgs; [
ag
dic
nmap
git-preview

2
lass/2configs/br.nix
View File

@ -46,4 +46,6 @@ with import <stockholm/lib>;
];
};
users.users.mainUser.extraGroups = [ "scanner" "lp" ];
}

5
lass/2configs/codimd.nix
View File

@ -28,6 +28,10 @@ in {
params.hedgedoc = {};
};
systemd.services.hedgedoc.environment = {
CMD_COOKIE_POLICY = "none";
CMD_CSP_ALLOW_FRAMING = "true";
};
services.hedgedoc = {
enable = true;
configuration.allowOrigin = [ domain ];
@ -47,6 +51,7 @@ in {
sslCertPath = "/var/lib/acme/${domain}/cert.pem";
sslKeyPath = "/var/lib/acme/${domain}/key.pem";
dhParamPath = config.security.dhparams.params.hedgedoc.path;
};
};
}

5
lass/2configs/default.nix
View File

@ -10,6 +10,8 @@ with import <stockholm/lib>;
./htop.nix
<stockholm/krebs/2configs/security-workarounds.nix>
./wiregrill.nix
./tmux.nix
./tor-ssh.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
@ -122,6 +124,9 @@ with import <stockholm/lib>;
q
rs
untilport
(pkgs.writeDashBin "urgent" ''
printf '\a'
'')
usbutils
logify
goify

2
lass/2configs/games.nix
View File

@ -61,7 +61,7 @@ in {
name = "games";
description = "user playing games";
home = "/home/games";
extraGroups = [ "audio" "video" "input" "loot" ];
extraGroups = [ "audio" "video" "input" "loot" "pipewire" ];
createHome = true;
useDefaultShell = true;
packages = with pkgs; [

2
lass/2configs/git-brain.nix
View File

@ -28,7 +28,7 @@ let
# TODO: get the list of all krebsministers
krebsminister = with config.krebs.users; [ makefu tv ];
krebsminister = with config.krebs.users; [ makefu tv kmein ];
krebs-rules = repo:
set-owners repo [ config.krebs.users.lass ] ++ set-ro-access repo krebsminister;

6
lass/2configs/git.nix
View File

@ -122,12 +122,6 @@ let
cgit.section = "configuration";
};
} // mapAttrs make-public-repo-silent {
nixos-aws = {
collaborators = [ {
name = "fabio";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFst8DvnfOu4pQJYxcwdf//jWTvP+jj0iSrOdt59c9Gbujm/8K1mBXhcSQhHj/GBRC1Qc1wipf9qZsWnEHMI+SRwq6tDr8gqlAcdWmHAs1bU96jJtc8EgmUKbXTFG/VmympMPi4cEbNUtH93v6NUjQKwq9szvDhhqSW4Y8zE32xLkySwobQapNaUrGAtQp3eTxu5Lkx+cEaaartaAspt8wSosXjUHUJktg0O5/XOP+CiWAx89AXxbQCy4XTQvUExoRGdw9sdu0lF0/A0dF4lFF/dDUS7+avY8MrKEcQ8Fwk8NcW1XrKMmCdNdpvou0whL9aHCdTJ+522dsSB1zZWh63Si4CrLKlc1TiGKCXdvzmCYrD+6WxbPJdRpMM4dFNtpAwhCm/dM+CBXfDkP0s5veFiYvp1ri+3hUqV/sep9r5/+d+5/R1gQs8WDNjWqcshveFbD5LxE6APEySB4QByGxIrw7gFbozE+PNxtlVP7bq4MyE6yIzL6ofQgO1e4THquPcqSCfCvyib5M2Q1phi5DETlMemWp84AsNkqbhRa4BGRycuOXXrBzE+RgQokcIY7t3xcu3q0xJo2+HxW/Lqi72zYU1NdT4nJMETEaG49FfIAnUuoVaQWWvOz8mQuVEmmdw2Yzo2ikILYSUdHTp1VPOeo6aNPvESkPw1eM0xDRlQ== ada";
} ];
};
};
restricted-repos = mapAttrs make-restricted-repo (

4
lass/2configs/home-media.nix
View File

@ -4,10 +4,10 @@ with import <stockholm/lib>;
users.users.media = {
isNormalUser = true;
uid = genid_uint31 "media";
extraGroups = [ "video" "audio" ];
extraGroups = [ "video" "audio" "pipewire" ];
};
services.xserver.displayManager.lightdm.autoLogin = {
services.xserver.displayManager.autoLogin = {
enable = true;
user = "media";
};

3
lass/2configs/jitsi.nix
View File

@ -7,10 +7,13 @@
config = {
enableWelcomePage = true;
requireDisplayName = true;
analytics.disabled = true;
};
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
DISABLE_PRESENCE_STATUS = true;
GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false;
};
};

10
lass/2configs/mail.nix
View File

@ -144,15 +144,7 @@ let
set sort=threads
set index_format="${pkgs.writeDash "mutt-index" ''
# http://www.mutt.org/doc/manual/#formatstrings
recipent="$(echo $1 | sed 's/[^,]*<\([^>]*\)[^,]*/ \1/g')"
# output to mutt
# V
echo "%4C %Z %?GI?%GI& ? %[%y-%m-%d] %-20.20a %?M?(%3M)& ? %s %> $recipent %?g?%g?%"
# args to mutt-index dash script
# V
''} %r |"
set index_format="%4C %Z %?GI?%GI& ? %[%y-%m-%d] %-20.20a %?M?(%3M)& ? %s %> %r %g"
virtual-mailboxes "Unread" "notmuch://?query=tag:unread"
virtual-mailboxes "INBOX" "notmuch://?query=tag:inbox"

1
lass/2configs/minecraft.nix
View File

@ -11,6 +11,5 @@ in {
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 25565"; target = "ACCEPT"; }
{ predicate = "-p udp --dport 25565"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport 8123"; target = "ACCEPT"; }
];
}

30
lass/2configs/mpv.nix
View File

@ -76,15 +76,43 @@ let
mp.add_key_binding('S', "download_subs", download)
'';
mpvInput = pkgs.writeText "mpv.input" ''
: script-binding console/enable
'';
mpvConfig = pkgs.writeText "mpv.conf" ''
osd-font-size=20
'';
mpv = pkgs.symlinkJoin {
name = "mpv";
paths = [
(pkgs.writeDashBin "mpv" ''
exec ${pkgs.mpv}/bin/mpv \
set -efu
if [ -n "''${DISPLAY+x}" ]; then
Y_RES=$(${pkgs.xorg.xrandr}/bin/xrandr |
${pkgs.jc}/bin/jc --xrandr |
${pkgs.jq}/bin/jq '.screens[0].current_width'
)
else
Y_RES=1000
fi
# we need to disable sponsorblock local database because of
# https://github.com/po5/mpv_sponsorblock/issues/31
exec ${pkgs.mpv.override {
scripts = with pkgs.mpvScripts; [
sponsorblock
youtube-quality
];
}}/bin/mpv \
-vo=gpu \
--no-config \
--input-conf=${mpvInput} \
--include=${mpvConfig} \
--script=${autosub} \
--ytdl-format="best[height<$Y_RES]" \
--script-opts=ytdl_hook-ytdl_path=${pkgs.yt-dlp}/bin/yt-dlp \
--script-opts-append=sponsorblock-local_database=no \
"$@"
'')
pkgs.mpv

4
lass/2configs/paste.nix
View File

@ -57,10 +57,8 @@ with import <stockholm/lib>;
addSSL = true;
serverAliases = [ "p.krebsco.de" ];
locations."/".extraConfig = ''
if ($request_method != GET) {
return 403;
}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.paste.port};
'';
locations."/image".extraConfig = ''

35
lass/2configs/programs.nix
View File

@ -4,9 +4,11 @@
{
environment.systemPackages = with pkgs; [
aria2
generate-secrets
gnupg1compat
htop
i3lock
l-gen-secrets
mosh
pass
pavucontrol
@ -18,18 +20,41 @@
transmission
wget
xsel
youtube-dl
yt-dlp
(pkgs.writeDashBin "youtube-dl" ''
exec ${pkgs.yt-dlp}/bin/yt-dlp "$@"
'')
(pkgs.writeDashBin "tether-on" ''
adb shell svc usb setFunctions rndis
'')
(pkgs.writeDashBin "tether-off" ''
adb shell svc usb setFunctions
'')
(pkgs.writeDashBin "dl-movie" ''
${pkgs.transmission}/bin/transmission-remote yellow.r -w /var/download/finished/sorted/movies -a "$@"
(pkgs.writeDashBin "deploy" ''
set -eu
export SYSTEM="$1"
$(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
'')
(pkgs.writeDashBin "dl-series" ''
${pkgs.transmission}/bin/transmission-remote yellow.r -w /var/download/finished/sorted/series -a "$@"
(pkgs.writeDashBin "krebsco.de" ''
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json
OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import
${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
'')
(pkgs.writeDashBin "lassul.us" ''
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json
OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us
${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
'')
(pkgs.writeDashBin "btc-coinbase" ''
${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount'
'')
(pkgs.writeDashBin "btc-wex" ''
${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg'
'')
(pkgs.writeDashBin "btc-kraken" ''
${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
'')
];
}

5
lass/2configs/radio/default.nix
View File

@ -107,6 +107,7 @@ let
in {
imports = [
./news.nix
./weather.nix
];
users.users = {
@ -165,14 +166,14 @@ in {
output.icecast(mount = '/music.ogg', password = 'hackme', %vorbis(quality = 1), source)
output.icecast(mount = '/music.mp3', password = 'hackme', %mp3.vbr(), source)
output.icecast(mount = '/music.opus', password = 'hackme', %opus(bitrate = 64), source)
output.icecast(mount = '/music.opus', password = 'hackme', %opus(bitrate = 96), source)
extra_input = audio_to_stereo(input.harbor("live", port=1338))
o = smooth_add(normal = source, special = extra_input)
output.icecast(mount = '/radio.ogg', password = 'hackme', %vorbis(quality = 1), o)
output.icecast(mount = '/radio.mp3', password = 'hackme', %mp3.vbr(), o)
output.icecast(mount = '/radio.opus', password = 'hackme', %opus(bitrate = 64), o)
output.icecast(mount = '/radio.opus', password = 'hackme', %opus(bitrate = 96), o)
'';
services.icecast = {
enable = true;

46
lass/2configs/radio/news.nix
View File

@ -1,45 +1,28 @@
{ config, lib, pkgs, ... }:
let
weather_for_ips = pkgs.writers.writePython3Bin "weather_for_ips" {
libraries = [ pkgs.python3Packages.geoip2 ];
} ./weather_for_ips.py;
weather_report = pkgs.writers.writeDashBin "weather_report" ''
set -efu
export PATH="${lib.makeBinPath [
pkgs.coreutils
pkgs.curl
pkgs.iproute2
pkgs.jc
pkgs.jq
]}"
curl -z /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb
MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB
OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY
ss -no 'sport = :8000' |
jc --ss | jq -r '.[] |
select(
.local_address != "[::ffff:127.0.0.1]"
and .local_address != "[::1]"
) | .peer_address | gsub("[\\[\\]]"; "")
' |
${weather_for_ips}/bin/weather_for_ips
'';
send_to_radio = pkgs.writers.writeDashBin "send_to_radio" ''
${pkgs.vorbisTools}/bin/oggenc - |
${pkgs.vorbis-tools}/bin/oggenc - |
${pkgs.libshout}/bin/shout --format ogg --host localhost --port 1338 --mount /live
'';
gc_news = pkgs.writers.writeDashBin "gc_news" ''
set -xefu
export TZ=UTC #workaround for jq parsing wrong timestamp
${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -cs 'map(select((.to|fromdateiso8601) > now)) | .[]' > $HOME/bla-news.tmp
${pkgs.coreutils}/bin/mv $HOME/bla-news.tmp $HOME/news
'';
get_current_news = pkgs.writers.writeDashBin "get_current_news" ''
set -xefu
${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -rs 'map(select(((.to | fromdateiso8601) > now) and (.from|fromdateiso8601) < now) | .text) | .[]'
export TZ=UTC #workaround for jq parsing wrong timestamp
${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -rs '
sort_by(.priority) |
map(select(
((.to | fromdateiso8601) > now) and
(.from|fromdateiso8601) < now) |
.text
) | .[]'
'';
newsshow = pkgs.writers.writeDashBin "newsshow" /* sh */ ''
@ -50,7 +33,6 @@ let
todays news:
$(get_current_news)
$(gc_news)
$(weather_report)
EOF
'';
in
@ -61,7 +43,6 @@ in
send_to_radio
gc_news
get_current_news
weather_report
pkgs.curl
pkgs.retry
];
@ -74,9 +55,6 @@ in
startAt = "*:00:00";
serviceConfig = {
User = "radio-news";
LoadCredential = [
"openweather_api:${toString <secrets>}/openweather_api_key"
];
};
};
@ -107,8 +85,8 @@ in
;;
"POST /")
payload=$(head -c "$req_content_length")
echo "$payload" | jq 'has("from") and has("to") and has("text")' >&2
echo "$payload" | jq -c '{ from: (.from | fromdate | todate), to: (.to | fromdate | todate), text: .text }' >> "$HOME"/news
printf '%s' "$payload" | jq 'has("from") and has("to") and has("text")' >&2
printf '%s' "$payload" | jq -c '{ from: .from, to: .to, text: .text, priority: (.priority // 0)}' >> "$HOME"/news
printf 'HTTP/1.1 200 OK\r\n'
printf 'Connection: close\r\n'
printf '\r\n'

55
lass/2configs/radio/weather.nix Normal file
View File

@ -0,0 +1,55 @@
{ config, lib, pkgs, ... }:
let
weather_for_ips = pkgs.writers.writePython3Bin "weather_for_ips" {
libraries = [ pkgs.python3Packages.geoip2 ];
flakeIgnore = [ "E501" ];
} ./weather_for_ips.py;
weather_report = pkgs.writers.writeDashBin "weather_report" ''
set -efu
export PATH="${lib.makeBinPath [
pkgs.coreutils
pkgs.curl
pkgs.iproute2
pkgs.jc
pkgs.jq
]}"
curl -z /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb
MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB
OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY
ss -no 'sport = :8000' |
jc --ss | jq -r '.[] |
select(
.local_address != "[::ffff:127.0.0.1]"
and .local_address != "[::1]"
) | .peer_address | gsub("[\\[\\]]"; "")
' |
${weather_for_ips}/bin/weather_for_ips
'';
in {
systemd.services.weather = {
path = [
weather_report
pkgs.retry
pkgs.jq
pkgs.curl
];
script = ''
set -xefu
retry -t 5 -d 10 -- weather_report |
jq \
--arg from "$(date -u +'%FT%TZ')" \
--arg to "$(date -u +'%FT%TZ' -d '+1 hours')" \
--slurp --raw-input --compact-output --ascii-output \
'{text: ., from: $from, to: $to, priority: 100}' |
retry -t 5 -d 10 -- curl -v -d@- http://radio-news.r
'';
startAt = "*:58:00";
serviceConfig = {
User = "radio-news";
LoadCredential = [
"openweather_api:${toString <secrets>}/openweather_api_key"
];
};
};
}

12
lass/2configs/radio/weather_for_ips.py
View File

@ -21,13 +21,13 @@ for ip in fileinput.input():
f'&units=metric'
)
resp = requests.get(url)
weather = json.loads(resp.text)['current']
weather = json.loads(resp.text)
output.append(
f'Weather report for {location.city.name}'
f', {location.country.name}. '
f'Currently it is {weather["weather"][0]["description"]} outside '
f'with a temperature of {weather["temp"]} degrees '
f'and a windspeed of {weather["wind_speed"]} meter per second. '
f'Weather report for {location.city.name}, {location.country.name}. '
f'Currently it is {weather["current"]["weather"][0]["description"]} outside '
f'with a temperature of {weather["current"]["temp"]} degrees, '
f'and a wind speed of {weather["current"]["wind_speed"]} meters per second. '
f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100} percent. '
)
print('\n'.join(output))

4
lass/2configs/realwallpaper.nix
View File

@ -22,6 +22,10 @@ in {
hostname
"${hostname}.r"
];
locations."/realwallpaper/".extraConfig = ''
index on;
root /var/realwallpaper";
'';
locations."/realwallpaper.png".extraConfig = ''
root /var/realwallpaper/;
'';

1
lass/2configs/retiolum.nix
View File

@ -21,6 +21,7 @@
"eve"
];
extraConfig = ''
AutoConnect = no
StrictSubnets = yes
${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) ''
LocalDiscovery = no

2
lass/2configs/ssh-cryptsetup.nix
View File

@ -6,7 +6,7 @@
ssh = {
enable = true;
authorizedKeys = with config.krebs.users; [
config.krebs.users.lass-mors.pubkey
config.krebs.users.lass.pubkey
config.krebs.users.lass-blue.pubkey
];
};

9
lass/2configs/sync/decsync.nix
View File

@ -3,9 +3,8 @@
path = "/home/lass/decsync";
devices = [ "mors" "blue" "green" "phone" ];
};
krebs.permown."/home/lass/decsync" = {
owner = "lass";
group = "syncthing";
umask = "0007";
};
krebs.acl."/home/lass/decsync"."u:syncthing:X".parents = true;
krebs.acl."/home/lass/decsync"."u:syncthing:rwX" = {};
krebs.acl."/home/lass/decsync"."u:lass:rwX" = {};
}

11
lass/2configs/sync/sync.nix
View File

@ -2,12 +2,7 @@
services.syncthing.folders."/home/lass/sync" = {
devices = [ "mors" "icarus" "xerxes" "shodan" "green" "blue" "coaxmetal" ];
};
krebs.permown."/home/lass/sync" = {
file-mode = "u+rw,g+rw";
owner = "lass";
group = "syncthing";
umask = "0002";
keepGoing = true;
};
krebs.acl."/home/lass/sync"."u:syncthing:X".parents = true;
krebs.acl."/home/lass/sync"."u:syncthing:rwX" = {};
krebs.acl."/home/lass/sync"."u:lass:rwX" = {};
}

8
lass/2configs/sync/weechat.nix
View File

@ -1,8 +1,6 @@
{
services.syncthing.folders."/home/lass/.weechat".devices = [ "green" "mors" ];
krebs.permown."/home/lass/.weechat" = {
owner = "lass";
group = "syncthing";
umask = "0007";
};
krebs.acl."/home/lass/.weechat"."u:syncthing:X".parents = true;
krebs.acl."/home/lass/.weechat"."u:syncthing:rwX" = {};
krebs.acl."/home/lass/.weechat"."u:lass:rwX" = {};
}

0
lass/2configs/tests/dummy-secrets/ssh-tor.priv Normal file
View File

1
lass/2configs/themes.nix
View File

@ -9,6 +9,7 @@
${placeholder "out"}/bin/switch-theme dark
fi
elif test -e "/etc/themes/$1"; then
${pkgs.coreutils}/bin/mkdir -p /var/theme/config
${pkgs.rsync}/bin/rsync --chown=lass:users -a --delete "/etc/themes/$1/" /var/theme/config/
echo "$1" > /var/theme/current_theme
${pkgs.coreutils}/bin/chown lass:users /var/theme/current_theme

29
lass/2configs/tmux.nix
View File

@ -2,25 +2,26 @@ with import <stockholm/lib>;
{ config, pkgs, ... }:
{
environment.etc."tmux.conf".text = ''
#prefix key to `
set-option -g prefix2 `
bind-key r source-file /etc/tmux.conf \; display-message "/etc/tmux.conf reloaded"
set-option -g default-terminal screen-256color
#use session instead of windows
bind-key c new-session
bind-key p switch-client -p
bind-key n switch-client -n
bind-key C-s switch-client -l
'';
nixpkgs.config.packageOverrides = super: {
tmux = pkgs.symlinkJoin {
name = "tmux";
paths = [
(pkgs.writeDashBin "tmux" ''
exec ${super.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
#change prefix key to `
set-option -g prefix `
unbind-key C-b
bind ` send-prefix
set-option -g default-terminal screen-256color
#use session instead of windows
bind-key c new-session
bind-key p switch-client -p
bind-key n switch-client -n
bind-key C-s switch-client -l
''} "$@"
exec ${super.tmux}/bin/tmux -f /etc/tmux.conf "$@"
'')
super.tmux
];

14
lass/2configs/tor-ssh.nix Normal file
View File

@ -0,0 +1,14 @@
{
services.tor = {
enable = true;
relay.onionServices.ssh = {
version = 3;
map = [{
port = 22;
target.port = 22;
}];
secretKey = <secrets/ssh-tor.priv>;
};
};
}

62
lass/2configs/vim.nix
View File

@ -21,6 +21,7 @@ let
set backup
set backupdir=${dirs.backupdir}/
set directory=${dirs.swapdir}//
set list listchars=tab:\ ,extends:,precedes:,nbsp:,trail:· showbreak=¬
set hlsearch
set incsearch
set ttymouse=sgr
@ -51,7 +52,7 @@ let
filetype plugin indent on
set t_Co=256
colorscheme hack
colorscheme dim
syntax on
au Syntax * syn match Garbage containedin=ALL /\s\+$/
@ -114,10 +115,17 @@ let
" copy/paste from/to xclipboard
set clipboard=unnamedplus
" use fzf to switch files
nnoremap <C-p> :FZF<CR>
nnoremap <C-l> :Rg<CR>
let g:fzf_layout = { 'down': '~15%' }
'';
extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
pkgs.vimPlugins.undotree
pkgs.vimPlugins.fzf-vim
pkgs.vimPlugins.fzfWrapper
(pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchFromGitHub {
@ -127,49 +135,15 @@ let
sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
};
})
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "hack";
in {
name = "vim-color-${name}-1.0.2";
destination = "/colors/${name}.vim";
text = /* vim */ ''
set background=dark
hi clear
if exists("syntax_on")
syntax clear
endif
let colors_name = ${toJSON name}
hi Normal ctermbg=016
hi Comment ctermfg=255
hi Constant ctermfg=229
hi Identifier ctermfg=123
hi Function ctermfg=041
hi Statement ctermfg=167
hi PreProc ctermfg=167
hi Type ctermfg=046
hi Delimiter ctermfg=251
hi Special ctermfg=146
hi Garbage ctermbg=124
hi TabStop ctermbg=020
hi NBSP ctermbg=056
hi NarrowNBSP ctermbg=097
hi Todo ctermfg=174 ctermbg=NONE
hi NixCode ctermfg=190
hi NixData ctermfg=149
hi NixQuote ctermfg=119
hi diffNewFile ctermfg=207
hi diffFile ctermfg=207
hi diffLine ctermfg=207
hi diffSubname ctermfg=207
hi diffAdded ctermfg=010
hi diffRemoved ctermfg=009
'';
})))
(pkgs.vimUtils.buildVimPlugin {
name = "vim-dim-1.1.0";
src = pkgs.fetchFromGitHub {
owner = "jeffkreeftmeijer";
repo = "vim-dim";
rev = "1.1.0";
sha256 = "sha256-lyTZUgqUEEJRrzGo1FD8/t8KBioPrtB3MmGvPeEVI/g=";
};
})
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "vim";
in {

56
lass/2configs/websites/domsen.nix
View File

@ -29,6 +29,8 @@ in {
(servePage [ "apanowicz.de" "www.apanowicz.de" ])
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
(servePage [ "illustra.de" "www.illustra.de" ])
(servePage [ "nirwanabluete.de" "www.nirwanabluete.de" ])
(servePage [ "familienrat-hamburg.de" "www.familienrat-hamburg.de" ])
(servePage [
"freemonkey.art"
"www.freemonkey.art"
@ -36,20 +38,20 @@ in {
(serveOwncloud [ "o.ubikmedia.de" ])
(serveWordpress [
"ubikmedia.de"
"nirwanabluete.de"
"ubikmedia.eu"
"youthtube.xyz"
"joemisch.com"
"weirdwednesday.de"
"jarugadesign.de"
"beesmooth.ch"
"www.nirwanabluete.de"
"www.ubikmedia.eu"
"www.youthtube.xyz"
"www.ubikmedia.de"
"www.joemisch.com"
"www.weirdwednesday.de"
"www.jarugadesign.de"
"www.beesmooth.ch"
"aldona2.ubikmedia.de"
"cinevita.ubikmedia.de"
@ -64,9 +66,13 @@ in {
"jarugadesign.ubikmedia.de"
"crypto4art.ubikmedia.de"
"jarugadesign.ubikmedia.de"
"beesmooth.ubikmedia.de"
])
];
# https://github.com/nextcloud/server/issues/25436
services.mysql.settings.mysqld.innodb_read_only_compressed = 0;
services.mysql.ensureDatabases = [ "ubikmedia_de" "o_ubikmedia_de" ];
services.mysql.ensureUsers = [
{ ensurePermissions = { "ubikmedia_de.*" = "ALL"; }; name = "nginx"; }
@ -98,7 +104,7 @@ in {
services.nextcloud = {
enable = true;
hostName = "o.xanf.org";
package = pkgs.nextcloud21;
package = pkgs.nextcloud23;
config = {
adminpassFile = "/run/nextcloud.pw";
overwriteProtocol = "https";
@ -159,6 +165,7 @@ in {
{ from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
{ from = "kontakt@alewis.de"; to ="klabusterbeere"; }
{ from = "hallo@jarugadesign.de"; to ="kasia"; }
{ from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; }
{ from = "testuser@lassul.us"; to = "testuser"; }
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
@ -170,10 +177,12 @@ in {
"apanowicz.de"
"alewis.de"
"jarugadesign.de"
"beesmooth.ch"
];
dkim = [
{ domain = "ubikmedia.eu"; }
{ domain = "apanowicz.de"; }
{ domain = "beesmooth.ch"; }
];
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
ssl_key = "/var/lib/acme/lassul.us/key.pem";
@ -332,6 +341,27 @@ in {
isNormalUser = true;
};
users.users.avada = {
uid = genid_uint31 "avada";
home = "/home/avada";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.familienrat = {
uid = genid_uint31 "familienrat";
home = "/home/familienrat";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
krebs.acl."/srv/http/familienrat-hamburg.de"."u:familienrat:rwX" = {};
krebs.acl."/srv/http"."u:familienrat:X" = {
default = false;
recursive = false;
};
users.groups.xanf = {};
krebs.on-failure.plans.restic-backups-domsen = {
@ -372,18 +402,14 @@ in {
${pkgs.coreutils}/bin/chmod 750 /backups
'';
krebs.permown = {
"/srv/http" = {
group = "syncthing";
owner = "nginx";
umask = "0007";
};
"/home/xanf/XANF_TEAM" = {
owner = "XANF_TEAM";
group = "xanf";
umask = "0007";
};
# takes too long!!
# krebs.acl."/srv/http"."u:syncthing:rwX" = {};
# krebs.acl."/srv/http"."u:nginx:rwX" = {};
# krebs.acl."/srv/http/ubikmedia.de"."u:avada:rwX" = {};
krebs.acl."/home/xanf/XANF_TEAM"."g:xanf:rwX" = {};
krebs.acl."/home/xanf"."g:xanf:X" = {
default = false;
recursive = false;
};
}

32
lass/2configs/websites/lassulus.nix
View File

@ -10,6 +10,7 @@ in {
imports = [
./default.nix
../git.nix
./ref.ptkk.de
];
security.acme = {
@ -20,11 +21,8 @@ in {
};
};
krebs.tinc_graphs.enable = true;
users.groups.lasscert.members = [
"dovecot2"
"ejabberd"
"exim"
"nginx"
];
@ -48,10 +46,6 @@ in {
locations."= /wireguard-key".extraConfig = ''
alias ${pkgs.writeText "prism.wg" config.krebs.hosts.prism.nets.wiregrill.wireguard.pubkey};
'';
locations."/tinc/".extraConfig = ''
index index.html;
alias ${config.krebs.tinc_graphs.workingDir}/external/;
'';
locations."= /krebspage".extraConfig = ''
default_type "text/html";
alias ${pkgs.krebspage}/index.html;
@ -64,14 +58,14 @@ in {
alias ${initscript}/bin/init;
'';
locations."= /blue.pub".extraConfig = ''
alias ${pkgs.writeText "pub" config.krebs.users.lass.pubkey};
alias ${pkgs.writeText "pub" config.krebs.users.lass-blue.pubkey};
'';
locations."= /mors.pub".extraConfig = ''
alias ${pkgs.writeText "pub" config.krebs.users.lass-mors.pubkey};
'';
locations."= /yubi.pub".extraConfig = ''
locations."= /ssh.pub".extraConfig = ''
alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pubkey};
'';
locations."= /gpg.pub".extraConfig = ''
alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pgp.pubkeys.default};
'';
};
security.acme.certs."cgit.lassul.us" = {
@ -90,19 +84,5 @@ in {
root /var/lib/acme/acme-challenge;
'';
};
users.users.blog = {
uid = genid_uint31 "blog";
group = "nginx";
description = "lassul.us blog deployment";
home = "/srv/http/lassul.us";
useDefaultShell = true;
createHome = true;
isSystemUser = true;
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
lass-mors.pubkey
];
};
}

89
lass/2configs/websites/ref.ptkk.de/default.nix Normal file
View File

@ -0,0 +1,89 @@
{ config, lib, pkgs, ... }:
{
services.nginx.virtualHosts."ref.ptkk.de" = {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:4626";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_cache_bypass $http_upgrade;
'';
};
locations."/static/" = {
alias = "/var/lib/ref.ptkk.de/static/";
};
forceSSL = true;
};
systemd.services."ref.ptkk.de" = {
wantedBy = [ "multi-user.target" ];
environment = {
PRODUCTION = "yip";
DATA_DIR = "/var/lib/ref.ptkk.de/data";
PORT = "4626";
STATIC_ROOT = "/var/lib/ref.ptkk.de/static";
};
path = with pkgs; [
git
gnutar
gzip
nix
];
serviceConfig = {
ExecStartPre = [
"${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/data"
"${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/code"
"${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/static"
];
ExecStart = pkgs.writers.writeDash "nixify" ''
cd code
if test -e shell.nix; then
${pkgs.nix}/bin/nix-shell -I /var/src --run serve
else
echo 'no shell.nix, bailing out'
exit 0
fi
'';
LoadCredential = [
"django-secret.key:${toString <secrets>}/ref.ptkk.de-django.key"
];
User = "ref.ptkk.de";
WorkingDirectory = "/var/lib/ref.ptkk.de";
StateDirectory = "ref.ptkk.de";
Restart = "always";
RestartSec = "100s";
};
};
systemd.services."ref.ptkk.de-restarter" = {
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/systemctl restart ref.ptkk.de.service";
};
};
systemd.paths."ref.ptkk.de-restarter" = {
wantedBy = [ "multi-user.target" ];
pathConfig.PathChanged = [
"/var/lib/ref.ptkk.de/code"
"/var/src/nixpkgs"
];
};
users.users."ref.ptkk.de" = {
isSystemUser = true;
uid = pkgs.stockholm.lib.genid_uint31 "ref.ptkk.de";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6fu6LtyRdk++qIBpP0BdZQHSTqzNNlvp7ML2Dv0IxD CI@github.com"
config.krebs.users.lass.pubkey
];
group = "nginx";
home = "/var/lib/ref.ptkk.de";
useDefaultShell = true;
};
}

1
lass/2configs/websites/util.nix
View File

@ -174,6 +174,7 @@ rec {
services.phpfpm.pools."${domain}" = {
user = "nginx";
group = "nginx";
phpPackage = pkgs.php74;
extraConfig = ''
listen = /srv/http/${domain}/phpfpm.pool
pm = dynamic

4
lass/2configs/wiregrill.nix
View File

@ -18,6 +18,10 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
];
krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
{ precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
];
networking.wireguard.interfaces.wiregrill = {

2
lass/2configs/yubikey.nix
View File

@ -38,7 +38,7 @@
}
});
polkit.addRule(function(action, subject) {
polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
polkit.log("subject: " + subject + " action: " + action);
});
'';

11
lass/5pkgs/sshvnc/default.nix Normal file
View File

@ -0,0 +1,11 @@
{ pkgs }:
pkgs.writers.writeBashBin "sshvnc" ''
set -xm
RANDOM_HIGH_PORT=$(shuf -i 20000-65000 -n 1)
ssh "$@" -f -L $RANDOM_HIGH_PORT:localhost:$RANDOM_HIGH_PORT -- x11vnc -noxdamage -noxfixes -noxrecord -display :0 -localhost -rfbport $RANDOM_HIGH_PORT
sleep 3
_JAVA_AWT_WM_NONREPARENTING=1 ${pkgs.turbovnc}/bin/vncviewer localhost:$RANDOM_HIGH_PORT
''