Merge remote-tracking branch 'lass/master'

2019-09-25 15:21:03 +02:00 · 2019-09-25 15:21:03 +02:00 · be19e6a618
commit be19e6a618
parent ab8cb5c126 53c6b483ba
18 changed files with 249 additions and 21 deletions
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@ -638,6 +638,46 @@ in {
      ssh.privkey.path = <secrets/ssh.id_ed25519>;
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f ";
    };
+    hilum = {
+      cores = 1;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.20.123";
+          ip6.addr = r6 "005b";
+          aliases = [
+            "hilum.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN PUBLIC KEY-----
+            MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAul1zLdJ76kIqVWjxT2bb
+            pLx6gu6VycxaDcWAoTWSjPsOT2IJf3NYC6i8D6WASnRqR6djp06OG7Onu0r5hZhi
+            V5nelDUvR75qVAx9ZeuQDSdNpWuVMds/C3cQM6QQHD1kFwnr2n6VH/qy0W9duW8c
+            SGX3C80nRpmY0cCEEnxFdFdLSd0c15M+lFVAaqh2225ujXyyvkwH874yvpWLPSdh
+            4xjZdrOFarl5yb9q83HcZsdunn+469BeKCWB8bs+nRsp9Wwj1en1yAZTB3WazYNE
+            saFQ0xGa7VGfHN0PjqgZEF2I2IiQJ+H3N5XRQ7dcJzsDRB8lMrCx2ynJkJRSjLXz
+            vgZjW+Rf47V9CLRjJGCp1xh6GbXqjsIYh5yqZkgH4Sm1VpMBYdr/kLjiygwzV8jY
+            8uoBUgEHLc5B73/D3GlMe3bOJmxxMfyPITVTFHgznycalBNBSsgKpIwWae6LbYhZ
+            wrpi66IQOyC6YYThqn8pz3KUz17HxyacA/mS6/jcRP+IiHb9CYcS4BsjTpH3NnM3
+            RkSWE3FGE+ULH1W/VeA8pZRKAR1rypvMRdewbFTQpe/dNgif5O5Fe/7l/6KDzzCh
+            Zqqr6sEFhutPUd6PcaVtQlfzYkJ9MGYWYr4S17D7Q9V0H37a0AcRaYH59FCmlFjl
+            87b8jfJNXlKFW+EBxBxN2uECAwEAAQ==
+            -----END PUBLIC KEY-----
+          '';
+        };
+        wiregrill = {
+          ip6.addr = w6 "005b";
+          aliases = [
+            "hilum.w"
+          ];
+          wireguard.pubkey = ''
+            0DRcCDR0O+UqV07DsGfS4On+6YaZ3LPfvni9u1NZNhw=
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPARXXe0HaP1r0pLqtInhnbYSZsP0g4VC6aaWP7qi5+w";
+      syncthing.id = "J6PHKTS-2JG5NOL-H5ZWOF6-6L6ENA7-L4RO6DV-BQHU7YL-CHOLDCC-S5YX3AC";
+    };
  };
  users = rec {
    lass = lass-blue;
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@ -110,8 +110,12 @@ let
        hostsArchive = mkOption {
          type = types.package;
          default = pkgs.runCommand "retiolum-hosts.tar.bz2" {} ''
-            ${pkgs.coreutils}/bin/ln -s ${tinc.config.hostsPackage} hosts
-            ${pkgs.gnutar}/bin/tar -hcjf $out hosts
+            cp \
+                --no-preserve=mode \
+                --recursive \
+                ${tinc.config.hostsPackage} \
+                hosts
+            ${pkgs.gnutar}/bin/tar -cjf $out hosts
          '';
          readOnly = true;
        };
--- a/krebs/5pkgs/haskell/blessings.nix
+++ b/krebs/5pkgs/haskell/blessings.nix
@ -6,19 +6,10 @@ with import <stockholm/lib>;
      version = "1.1.0";
      sha256 = "1k908zap3694fcxdk4bb29s54b0lhdh557y10ybjskfwnym7szn1";
    };
-    "18.09" = {
-      version = "2.2.0";
-      sha256 = "1pb56dgf3jj2kq3cbbppwzyg3ccgqy9xara62hkjwyxzdx20clk1";
-    };
-    "19.03" = {
-      version = "2.2.0";
-      sha256 = "1pb56dgf3jj2kq3cbbppwzyg3ccgqy9xara62hkjwyxzdx20clk1";
-    };
-    "19.09" = {
-      version = "2.2.0";
-      sha256 = "1pb56dgf3jj2kq3cbbppwzyg3ccgqy9xara62hkjwyxzdx20clk1";
-    };
-  }.${versions.majorMinor version};
+  }.${versions.majorMinor version} or {
+    version = "2.2.0";
+    sha256 = "1pb56dgf3jj2kq3cbbppwzyg3ccgqy9xara62hkjwyxzdx20clk1";
+  };

 in mkDerivation {
  pname = "blessings";
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@ -0,0 +1,7 @@
+{
+  "url": "https://github.com/NixOS/nixpkgs-channels",
+  "rev": "d484f2b7fc0834a068e8ace851faa449a03963f5",
+  "date": "2019-09-20T22:58:43+02:00",
+  "sha256": "0jk93ikryi2hqc30l2n5i4vlgmklrlzb8cf7b3sg1q3k70q344jn",
+  "fetchSubmodules": false
+}
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@ -1,7 +1,7 @@
 {
  "url": "https://github.com/NixOS/nixpkgs-channels",
-  "rev": "8a30e242181410931bcd0384f7147b6f1ce286a2",
-  "date": "2019-09-10T08:24:01-04:00",
-  "sha256": "0574zwcgy3pqjcxli4948sd3sy6h0qw6fvsm4r530gqj41gpwf6b",
+  "rev": "021d733ea3f87b8c9232020b4e606d08eaca160b",
+  "date": "2019-09-20T08:20:21+02:00",
+  "sha256": "13600nzrakvg2hsfg5yr7x0jp9m762nvjyddf07q60d3m7vx9jxy",
  "fetchSubmodules": false
 }
--- a/krebs/update-nixpkgs-unstable.sh
+++ b/krebs/update-nixpkgs-unstable.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+dir=$(dirname $0)
+oldrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
+nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
+  --url https://github.com/NixOS/nixpkgs-channels \
+  --rev refs/heads/nixos-unstable' \
+> $dir/nixpkgs-unstable.json
+newrev=$(cat $dir/nixpkgs-unstable.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
+git commit $dir/nixpkgs.json -m "nixpkgs-unstable: $oldrev -> $newrev"
--- a/krebs/update-nixpkgs.sh
+++ b/krebs/update-nixpkgs.sh
--- a/lass/1systems/hilum/config.nix
+++ b/lass/1systems/hilum/config.nix
@ -0,0 +1,28 @@
+{ config, ... }:
+{
+  imports = [
+    <stockholm/lass>
+
+    <stockholm/lass/2configs/retiolum.nix>
+    <stockholm/lass/2configs/baseX.nix>
+    <stockholm/lass/2configs/browsers.nix>
+    <stockholm/lass/2configs/programs.nix>
+    <stockholm/lass/2configs/network-manager.nix>
+    <stockholm/lass/2configs/mail.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.hilum;
+
+  boot.loader.grub.extraEntries = ''
+    menuentry "grml" {
+      iso_path=/isos/grml.iso
+      export iso_path
+      search --set=root --file $iso_path
+      loopback loop $iso_path
+      root=(loop)
+      configfile /boot/grub/loopback.cfg
+      loopback --delete loop
+    }
+  '';
+}
--- a/lass/1systems/hilum/physical.nix
+++ b/lass/1systems/hilum/physical.nix
@ -0,0 +1,35 @@
+{ lib, pkgs, ... }:
+
+{
+  imports = [
+    ./config.nix
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+  ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.efiSupport = true;
+  boot.loader.grub.device = "/dev/disk/by-id/usb-General_USB_Flash_Disk_0374116060006128-0:0";
+  boot.loader.grub.efiInstallAsRemovable = true;
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/6db29cdd-ff64-496d-b541-5f1616665dc2";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."usb_nix".device = "/dev/disk/by-uuid/3c8ab3af-57fb-4564-9e27-b2766404f5d4";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/2B9E-5131";
+      fsType = "vfat";
+    };
+
+  swapDevices = [ ];
+
+  nix.maxJobs = lib.mkDefault 4;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@ -54,7 +54,7 @@ with import <stockholm/lib>;
        folders = {
          the_playlist = {
            path = "/home/lass/tmp/the_playlist";
-            peers = [ "mors" "phone" "prism" ];
+            peers = [ "mors" "phone" "prism" "xerxes" ];
          };
          free_music = {
            id = "mu9mn-zgvsw";
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@ -31,7 +31,15 @@ with import <stockholm/lib>;
        openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
        ];
+        packages = [
+          (pkgs.writeDashBin "kick-routing" ''
+            /run/wrappers/bin/sudo ${pkgs.systemd}/bin/systemctl restart krebs-iptables.service
+          '')
+        ];
      };
+      security.sudo.extraConfig = ''
+        riot ALL=(root) NOPASSWD: ${pkgs.systemd}/bin/systemctl restart krebs-iptables.service
+      '';

      # TODO write function for proxy_pass (ssl/nonssl)

--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@ -20,6 +20,11 @@
    fsType = "ext4";
  };

+  fileSystems."/backups" = {
+    device = "tank/backups";
+    fsType = "zfs";
+  };
+
  fileSystems."/srv/http" = {
    device = "tank/srv-http";
    fsType = "zfs";
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@ -17,6 +17,7 @@ with import <stockholm/lib>;
    <stockholm/lass/2configs/blue-host.nix>
    <stockholm/lass/2configs/green-host.nix>
    <stockholm/lass/2configs/ssh-cryptsetup.nix>
+    <stockholm/lass/2configs/nfs-dl.nix>
  ];

  krebs.build.host = config.krebs.hosts.shodan;
@ -24,4 +25,90 @@ with import <stockholm/lib>;
  services.logind.extraConfig = ''
    HandleLidSwitch=ignore
  '';
+
+  #media center
+  users.users.media = {
+    isNormalUser = true;
+    uid = genid_uint31 "media";
+    extraGroups = [ "video" "audio" ];
+  };
+
+  services.xserver.displayManager.lightdm.autoLogin = {
+    enable = true;
+    user = "media";
+  };
+
+  #hass
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p tcp --dport 8123"; target = "ACCEPT"; }
+    { predicate = "-p tcp --dport 1883"; target = "ACCEPT"; }
+    # zerotierone
+    { predicate = "-p udp --dport 9993"; target = "ACCEPT"; }
+  ];
+
+  services.home-assistant = let
+    tasmota_s20 = name: topic: {
+      platform = "mqtt";
+      inherit name;
+      state_topic = "stat/${topic}/POWER";
+      command_topic = "cmnd/${topic}/POWER";
+      payload_on = "ON";
+      payload_off = "OFF";
+    };
+  in {
+    enable = true;
+    package = pkgs.home-assistant.override {
+      python3 = pkgs.python36;
+      #extraComponents = [
+      #  (pkgs.fetchgit {
+      #    url = "https://github.com/marcschumacher/dwd_pollen";
+      #    rev = "0.1";
+      #    sha256 = "12vldwsds27c9l15ffc6svk9mj17jhypcz736pvpmpqbsymllz2p";
+      #  })
+      #];
+    };
+    config = {
+      homeassistant = {
+        name = "Home"; time_zone = "Europe/Berlin";
+        latitude = "48.7687";
+        longitude = "9.2478";
+        elevation = 247;
+      };
+      sun.elevation = 66;
+      discovery = {};
+      frontend = { };
+      mqtt = {
+        broker = "localhost";
+        port = 1883;
+        client_id = "home-assistant";
+        username = "gg23";
+        password = "gg23-mqtt";
+        keepalive = 60;
+        protocol = 3.1;
+      };
+      sensor = [
+      ];
+      switch = [
+        (tasmota_s20 "Drucker Strom" "drucker")
+        (tasmota_s20 "Bett Licht" "bett")
+      ];
+      device_tracker = [
+        {
+          platform = "luci";
+        }
+      ];
+    };
+  };
+
+  services.mosquitto = {
+    enable = true;
+    host = "0.0.0.0";
+    allowAnonymous = false;
+    checkPasswords = true;
+    users.gg23 = {
+      password = "gg23-mqtt";
+      acl = [ "topic readwrite #" ];
+    };
+  };
+  environment.systemPackages = [ pkgs.mosquitto ];
 }
--- a/lass/1systems/shodan/physical.nix
+++ b/lass/1systems/shodan/physical.nix
@ -13,7 +13,6 @@
    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
    initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
    initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
-    #kernelModules = [ "kvm-intel" "msr" ];
  };
  fileSystems = {
    "/" = {
--- a/lass/2configs/backup.nix
+++ b/lass/2configs/backup.nix
@ -6,6 +6,7 @@ with import <stockholm/lib>;
    useDefaultShell = true;
    home = "/backups";
    createHome = true;
+    group = "syncthing";
    openssh.authorizedKeys.keys = with config.krebs.hosts; [
      blue.ssh.pubkey
    ];
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@ -59,6 +59,7 @@ in {

  environment.systemPackages = with pkgs; [
    acpi
+    acpilight
    ag
    cabal2nix
    cholerab
@ -72,6 +73,7 @@ in {
    lm_sensors
    ncdu
    nix-index
+    nix-review
    nmap
    pavucontrol
    powertop
@ -79,9 +81,10 @@ in {
    sxiv
    taskwarrior
    termite
+    transgui
+    wirelesstools
    xclip
    xephyrify
-    xorg.xbacklight
    xorg.xhost
    xsel
    zathura
@ -94,6 +97,12 @@ in {
    xlibs.fontschumachermisc
  ];

+  services.udev.extraRules = ''
+    SUBSYSTEM=="backlight", ACTION=="add", \
+    RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness", \
+    RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
+  '';
+
  services.xserver = {
    enable = true;
    layout = "us";
--- a/tv/3modules/default.nix
+++ b/tv/3modules/default.nix
@ -3,6 +3,7 @@
    ./charybdis
    ./dnsmasq.nix
    ./ejabberd
+    ./focus.nix
    ./hosts.nix
    ./iptables.nix
    ./slock.nix
--- a/tv/3modules/focus.nix
+++ b/tv/3modules/focus.nix
@ -0,0 +1,4 @@
+with import <stockholm/lib>;
+{
+  options.tv.focus.enable = mkEnableOption "tv.focus";
+}