Merge branch 'master' into 20.09

2020-11-16 21:39:22 +01:00 · 2020-11-16 21:39:22 +01:00 · edf61887ab
commit edf61887ab
parent 2408e07fd3 e824baec5e
22 changed files with 297 additions and 83 deletions
--- a/krebs/0tests/data/secrets/initrd/host_ecdsa.pub
+++ b/krebs/0tests/data/secrets/initrd/host_ecdsa.pub
--- a/krebs/0tests/data/secrets/initrd/host_ecdsa_key
+++ b/krebs/0tests/data/secrets/initrd/host_ecdsa_key
--- a/krebs/0tests/data/secrets/initrd/hostname
+++ b/krebs/0tests/data/secrets/initrd/hostname
--- a/krebs/0tests/data/secrets/initrd/hs_ed25519_public_key
+++ b/krebs/0tests/data/secrets/initrd/hs_ed25519_public_key
--- a/krebs/0tests/data/secrets/initrd/hs_ed25519_secret_key
+++ b/krebs/0tests/data/secrets/initrd/hs_ed25519_secret_key
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@ -7,19 +7,104 @@
    <stockholm/krebs/2configs/secret-passwords.nix>
    <stockholm/krebs/2configs/hw/x220.nix>

+
+    ## initrd unlocking
+    # (brain hosts/puyak/luks-ssd;echo)  | ssh root@$(brain krebs-secrets/puyak/initrd/hostname) 'cat > /crypt-ramfs/passphrase'
+    <stockholm/krebs/2configs/tor/initrd.nix>
+
    <stockholm/krebs/2configs/binary-cache/nixos.nix>
    <stockholm/krebs/2configs/binary-cache/prism.nix>
    <stockholm/krebs/2configs/go.nix>
    <stockholm/krebs/2configs/ircd.nix>
    <stockholm/krebs/2configs/news.nix>
    <stockholm/krebs/2configs/news-spam.nix>
+
+    ###   shackspace
+    # handle the worlddomination map via coap
+    <stockholm/krebs/2configs/shack/worlddomination.nix>
    <stockholm/krebs/2configs/shack/ssh-keys.nix>
+
+    # drivedroid.shack for shackphone
+    <stockholm/krebs/2configs/shack/drivedroid.nix>
+    # <stockholm/krebs/2configs/shack/nix-cacher.nix>
+
+    # Say if muell will be collected
+    <stockholm/krebs/2configs/shack/muell_caller.nix>
+    # provide muellshack api: muell.shack
+    <stockholm/krebs/2configs/shack/muellshack.nix>
+    # send mail if muell was not handled
+    <stockholm/krebs/2configs/shack/muell_mail.nix>
+
+    # provide light control api
+    <stockholm/krebs/2configs/shack/node-light.nix> # light.shack lounge.light.shack power.light.shack openhab.shack lightapi.shack
+    # light.shack web-ui
+    <stockholm/krebs/2configs/shack/light.shack.nix> #light.shack
+
+    # powerraw usb serial to mqtt and raw socket
+    <stockholm/krebs/2configs/shack/powerraw.nix> # powerraw.shack standby.shack
+    # send power stats to s3
+    <stockholm/krebs/2configs/shack/s3-power.nix> # powerraw.shack must be available
+
+
+    { # do not log to /var/spool/log
+      services.nginx.appendHttpConfig = ''
+          map $request_method $loggable {
+            default 1;
+            GET 0;
+          }
+          log_format vhost '$host $remote_addr - $remote_user '
+                     '[$time_local] "$request" $status '
+                     '$body_bytes_sent "$http_referer" '
+                     '"$http_user_agent"';
+          error_log stderr;
+          access_log syslog:server=unix:/dev/log vhost;
+      '';
+      services.journald.rateLimitBurst = 10000;
+    }
+
+    # create samba share for anonymous usage with the laser and 3d printer pc
+    <stockholm/krebs/2configs/shack/share.nix>
+
+    # mobile.lounge.mpd.shack
+    <stockholm/krebs/2configs/shack/mobile.mpd.nix>
+
+    # hass.shack
+    <stockholm/krebs/2configs/shack/glados>
+
+    # connect to git.shackspace.de as group runner for rz
+    <stockholm/krebs/2configs/shack/gitlab-runner.nix>
+
+    # Statistics collection and visualization
+    # <stockholm/krebs/2configs/shack/graphite.nix> # graphiteApi is broken and unused(hopefully)
+    ## Collect data from mqtt.shack and store in graphite database
+    <stockholm/krebs/2configs/shack/mqtt_sub.nix>
+    ## Collect radioactive data and put into graphite
+    <stockholm/krebs/2configs/shack/radioactive.nix>
+    ## mqtt.shack
+    <stockholm/krebs/2configs/shack/mqtt.nix>
+    ## influx.shack
+    <stockholm/krebs/2configs/shack/influx.nix>
+
+    ## Collect local statistics via collectd and send to collectd
+    <stockholm/krebs/2configs/stats/shack-client.nix>
+    <stockholm/krebs/2configs/stats/shack-debugging.nix>
+
+    ## netbox.shack: Netbox is disabled as nobody seems to be using it anyway
+    # <stockholm/krebs/2configs/shack/netbox.nix>
+
+    # grafana.shack
+    <stockholm/krebs/2configs/shack/grafana.nix>
+
+    # shackdns.shack
+    # replacement for leases.shack and shackles.shack
+    <stockholm/krebs/2configs/shack/shackDNS.nix>
+
+    # monitoring: prometheus.shack
    <stockholm/krebs/2configs/shack/prometheus/node.nix>
    <stockholm/krebs/2configs/shack/prometheus/server.nix>
    <stockholm/krebs/2configs/shack/prometheus/blackbox.nix>
    <stockholm/krebs/2configs/shack/prometheus/unifi.nix>
    <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix>
-    <stockholm/krebs/2configs/shack/gitlab-runner.nix>

    ## Collect local statistics via collectd and send to collectd
    <stockholm/krebs/2configs/stats/shack-client.nix>
--- a/krebs/1systems/wolf/config.nix
+++ b/krebs/1systems/wolf/config.nix
@ -14,85 +14,15 @@ in
    <stockholm/krebs/2configs/binary-cache/nixos.nix>
    <stockholm/krebs/2configs/binary-cache/prism.nix>

-    # handle the worlddomination map via coap
-    <stockholm/krebs/2configs/shack/worlddomination.nix>
-    <stockholm/krebs/2configs/shack/ssh-keys.nix>
+    #### shackspace services
+    <stockholm/krebs/2configs/shack/share.nix> # wolf.shack

-    # drivedroid.shack for shackphone
-    <stockholm/krebs/2configs/shack/drivedroid.nix>
-    # <stockholm/krebs/2configs/shack/nix-cacher.nix>
-    # Say if muell will be collected
-    <stockholm/krebs/2configs/shack/muell_caller.nix>
-    # provide muellshack api
-    <stockholm/krebs/2configs/shack/muellshack.nix>
-    # provide light control api
-    <stockholm/krebs/2configs/shack/node-light.nix>
-    # light.shack web-ui
-    <stockholm/krebs/2configs/shack/light.shack.nix>
-    # send mail if muell was not handled
-    <stockholm/krebs/2configs/shack/muell_mail.nix>
-    # send mail if muell was not handled
-    <stockholm/krebs/2configs/shack/s3-power.nix>
-    # powerraw usb serial to mqtt and raw socket
-    <stockholm/krebs/2configs/shack/powerraw.nix>
-
-    { # do not log to /var/spool/log
-      services.nginx.appendHttpConfig = ''
-          map $request_method $loggable {
-            default 1;
-            GET 0;
-          }
-          log_format vhost '$host $remote_addr - $remote_user '
-                     '[$time_local] "$request" $status '
-                     '$body_bytes_sent "$http_referer" '
-                     '"$http_user_agent"';
-          error_log stderr;
-          access_log syslog:server=unix:/dev/log vhost;
-      '';
-      services.journald.rateLimitBurst = 10000;
-    }
-
-    # create samba share for anonymous usage with the laser and 3d printer pc
-    <stockholm/krebs/2configs/shack/share.nix>
-
-    # mobile.lounge.mpd.shack
-    <stockholm/krebs/2configs/shack/mobile.mpd.nix>
-
-    # hass.shack
-    <stockholm/krebs/2configs/shack/glados>
-
-    # connect to git.shackspace.de as group runner for rz
+    # gitlab runner
    <stockholm/krebs/2configs/shack/gitlab-runner.nix>
-
-    # Statistics collection and visualization
-    # <stockholm/krebs/2configs/shack/graphite.nix> # graphiteApi is broken and unused(hopefully)
-    ## Collect data from mqtt.shack and store in graphite database
-    <stockholm/krebs/2configs/shack/mqtt_sub.nix>
-    ## Collect radioactive data and put into graphite
-    <stockholm/krebs/2configs/shack/radioactive.nix>
-    ## mqtt.shack
-    <stockholm/krebs/2configs/shack/mqtt.nix>
-    ## influx.shack
-    <stockholm/krebs/2configs/shack/influx.nix>
-
-    ## Collect local statistics via collectd and send to collectd
-    <stockholm/krebs/2configs/stats/shack-client.nix>
-    <stockholm/krebs/2configs/stats/shack-debugging.nix>
-
-    <stockholm/krebs/2configs/shack/netbox.nix>
-    # prometheus.shack
-    #<stockholm/krebs/2configs/shack/prometheus/server.nix>
-    <stockholm/krebs/2configs/shack/prometheus/node.nix>
-    #<stockholm/krebs/2configs/shack/prometheus/unifi.nix>
-    # grafana.shack
-    <stockholm/krebs/2configs/shack/grafana.nix>
-
-    # shackdns.shack
-    # replacement for leases.shack and shackles.shack
-    <stockholm/krebs/2configs/shack/shackDNS.nix>
-
    # misc
+    <stockholm/krebs/2configs/shack/ssh-keys.nix>
    <stockholm/krebs/2configs/save-diskspace.nix>
+    <stockholm/krebs/2configs/shack/prometheus/node.nix>

  ];
  # use your own binary cache, fallback use cache.nixos.org (which is used by
--- a/krebs/2configs/shack/share.nix
+++ b/krebs/2configs/shack/share.nix
@ -37,6 +37,9 @@
      # for legacy systems
      client min protocol = NT1
      server min protocol = NT1
+      workgroup = WORKGROUP
+      server string = ${config.networking.hostName}
+      netbios name = ${config.networking.hostName}
    '';
  };
 }
--- a/krebs/2configs/tor/initrd.nix
+++ b/krebs/2configs/tor/initrd.nix
@ -0,0 +1,50 @@
+{config, pkgs, ... }:
+## unlock command:
+# (brain hosts/puyak/luks-ssd;echo)  | ssh root@$(brain krebs-secrets/puyak/initrd/hostname) 'cat > /crypt-ramfs/passphrase'
+{
+  boot.initrd.network.enable = true;
+  boot.initrd.network.ssh = {
+    enable = true;
+    port = 22;
+    authorizedKeys = [
+      config.krebs.users.jeschli-brauerei.pubkey
+      config.krebs.users.lass.pubkey
+      config.krebs.users.lass-mors.pubkey
+      config.krebs.users.makefu.pubkey
+      config.krebs.users.tv.pubkey
+    ];
+    hostECDSAKey = <secrets/initrd/host_ecdsa_key>;
+  };
+  boot.initrd.availableKernelModules = [ "e1000e" ];
+
+  boot.initrd.secrets = {
+    "/etc/tor/onion/bootup" = <secrets/initrd>;
+  };
+
+  boot.initrd.extraUtilsCommands = ''
+    copy_bin_and_libs ${pkgs.tor}/bin/tor
+  '';
+
+  # start tor during boot process
+  boot.initrd.network.postCommands = let
+    torRc = (pkgs.writeText "tor.rc" ''
+      DataDirectory /etc/tor
+      SOCKSPort 127.0.0.1:9050 IsolateDestAddr
+      SOCKSPort 127.0.0.1:9063
+      HiddenServiceDir /etc/tor/onion/bootup
+      HiddenServicePort 22 127.0.0.1:22
+    '');
+  in ''
+    echo "tor: preparing onion folder"
+    # have to do this otherwise tor does not want to start
+    chmod -R 700 /etc/tor
+
+    echo "make sure localhost is up"
+    ip a a 127.0.0.1/8 dev lo
+    ip link set lo up
+
+    echo "tor: starting tor"
+    tor -f ${torRc} --verify-config
+    tor -f ${torRc} &
+  '';
+}
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@ -47,6 +47,7 @@ in {
      # <stockholm/makefu/2configs/legacy_only.nix>

      <stockholm/makefu/2configs/share/omo.nix>
+      <stockholm/makefu/2configs/share/gum-client.nix>
      <stockholm/makefu/2configs/dcpp/airdcpp.nix>
      { krebs.airdcpp.dcpp.shares = let
          d = path: "/media/cryptX/${path}";
--- a/makefu/2configs/bureautomation/kalauerbot.nix
+++ b/makefu/2configs/bureautomation/kalauerbot.nix
@ -12,6 +12,9 @@
      WorkingDirectory = "/var/lib/kalauerbot";
      ExecStart = "${pkgs.kalauerbot}/bin/kalauerbot";
      PrivateTmp = true;
+
+      Restart = "always";
+      RuntimeMaxSec = "12h";
    };
  };
 }
--- a/makefu/2configs/hw/droidcam.nix
+++ b/makefu/2configs/hw/droidcam.nix
@ -0,0 +1,7 @@
+{ pkgs, config, ... }: 
+{
+  boot.extraModprobeConfig = "options v4l2loopback_dc width=640 height=480";
+  boot.extraModulePackages = [
+    (pkgs.callPackage  ../../5pkgs/v4l2loopback-dc { kernel = config.boot.kernelPackages.kernel; })
+  ];
+}
--- a/makefu/2configs/minimal.nix
+++ b/makefu/2configs/minimal.nix
@ -81,4 +81,5 @@
    "net.ipv6.conf.all.use_tempaddr" = 2;
    "net.ipv6.conf.default.use_tempaddr" = 2;
  };
+
 }
--- a/makefu/2configs/printer.nix
+++ b/makefu/2configs/printer.nix
@ -21,16 +21,20 @@ in {
  hardware.sane = {
    enable = true;
    extraBackends = [ ];
+    netConf =
+      # drucker.lan SCX-3205W
+      ''
+        192.168.1.6''
+      # uhrenkind.shack magicolor 1690mf
+    + ''
+        10.42.20.30'';

    # $ scanimage -p --format=jpg --mode=Gray --source="Automatic Document Feeder" -v --batch="lol%d.jpg" --resolution=150

    # requires 'sane-extra', scan via:
-    #extraConfig."magicolor" = ''
-    #  net 10.42.20.30 0x2098
-    #''; # 10.42.20.30: uhrenkind.shack magicolor 1690mf
-    extraConfig."xerox_mfp" = ''
-      tcp 192.168.1.5
-    ''; #home printer SCX-3205W
+    extraConfig."magicolor" = ''
+      net 10.42.20.30 0x2098
+    ''; # 10.42.20.30: uhrenkind.shack magicolor 1690mf
  };
  state = [ "/var/lib/cups" ];
 }
--- a/makefu/2configs/remote-build/gum.nix
+++ b/makefu/2configs/remote-build/gum.nix
@ -10,6 +10,14 @@
        system = "x86_64-linux";
        supportedFeatures = [ ];
      }
+      {
+        hostName = "gum.krebsco.de";
+        maxJobs = 8;
+        sshKey = toString <secrets/id_nixBuild>;
+        sshUser = "nixBuild";
+        system = "armv6l-linux";
+        supportedFeatures = [ ];
+      }
    ];
  };
 }
--- a/makefu/2configs/share/omo.nix
+++ b/makefu/2configs/share/omo.nix
@ -82,6 +82,9 @@ in {
      printing = bsd
      printcap name = /dev/null
      disable spoolss = yes
+      workgroup = WORKGROUP
+      server string = ${config.networking.hostName}
+      netbios name = ${config.networking.hostName}
    '';
  };
 }
--- a/makefu/2configs/urlwatch/default.nix
+++ b/makefu/2configs/urlwatch/default.nix
@ -34,6 +34,9 @@ in {
      https://pypi.python.org/simple/pyserial/
      https://pypi.python.org/simple/semantic_version/
      # weird shit
+      { url = "https://www.zigbee2mqtt.io/information/supported_adapters.html";
+        filter = "html2text";
+      }
      http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
      https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack

--- a/makefu/2configs/wireguard/server.nix
+++ b/makefu/2configs/wireguard/server.nix
@ -54,4 +54,10 @@ in { # wireguard server
    }
    ];
  };
+  # TODO: this issue is related to the router which connects to the host but is
+  # unable to re-connect once restarted
+  systemd.services.wireguard-wg0.serviceConfig = {
+    Restart = "always";
+    RuntimeMaxSec = "12h";
+  };
 }
--- a/makefu/5pkgs/droidcam/default.nix
+++ b/makefu/5pkgs/droidcam/default.nix
@ -0,0 +1,55 @@
+{ stdenv, fetchFromGitHub
+, pkg-config
+, alsaLib
+, libjpeg_turbo
+, ffmpeg
+, libusbmuxd
+, speex
+, gtk3
+, libappindicator-gtk3
+}:
+
+stdenv.mkDerivation rec {
+  pname = "droidcam";
+  version = "1.6";
+
+  src = fetchFromGitHub {
+    owner = "aramg";
+    repo = "droidcam";
+    rev = "v${version}";
+    sha256 = "1d9qpnmqa3pfwsrpjnxdz76ipk4w37bbxyrazchh4vslnfc886fx";
+  };
+
+  sourceRoot = "source/linux";
+
+  nativeBuildInputs = [ pkg-config ];
+  buildInputs = [
+    alsaLib
+    libjpeg_turbo
+    ffmpeg
+    libusbmuxd
+    speex
+    gtk3
+    libappindicator-gtk3
+  ];
+
+  buildPhase = ''
+    runHook preBuild
+    make JPEG_DIR="" JPEG_INCLUDE="" JPEG_LIB="" JPEG="$(pkg-config --libs --cflags libturbojpeg)"
+  '';
+  installPhase = ''
+    runHook preInstall
+    install -Dm755 "droidcam" "$out/bin/droidcam"
+    install -Dm755 "droidcam-cli" "$out/bin/droidcam-cli"
+    install -Dm644 icon2.png "$out/share/pixmaps/droidcam.png"
+    install -Dm644 README.md "$out/share/licenses/droidcam/LICENSE"
+  '';
+
+  meta = with stdenv.lib; {
+    description = "A kernel module to create V4L2 loopback devices";
+    homepage = "https://github.com/aramg/droidcam";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.makefu ];
+    platforms = platforms.linux;
+  };
+}
--- a/makefu/5pkgs/kalauerbot/badsync.patch
+++ b/makefu/5pkgs/kalauerbot/badsync.patch
@ -0,0 +1,14 @@
+diff --git a/matrix_client/client.py b/matrix_client/client.py
+index af0e08f..f848c4f 100644
+--- a/matrix_client/client.py
+++ b/matrix_client/client.py
+@@ -471,7 +471,7 @@ class MatrixClient(object):
+         self._sync(timeout_ms)
+ 
+     def listen_forever(self, timeout_ms=30000, exception_handler=None,
+-                       bad_sync_timeout=5):
+                       bad_sync_timeout=61):
+         """ Keep listening for events forever.
+ 
+         Args:
+
--- a/makefu/5pkgs/kalauerbot/default.nix
+++ b/makefu/5pkgs/kalauerbot/default.nix
@ -8,7 +8,12 @@ rev = "08d98aa";
    sha256 = "017hh61smgq4zsxd10brgwmykwgwabgllxjs31xayvs1hnqmkv2v";
  };
  propagatedBuildInputs = with python3.pkgs;[
-    (callPackage ./python-matrixbot.nix {})
+     (callPackage ./python-matrixbot.nix {
+      matrix-client = (stdenv.lib.overrideDerivation matrix-client (self: {
+      patches = [ ./badsync.patch ];
+    }));
+    })
+
    (stdenv.lib.overrideDerivation googletrans (self: {
      patches = [ ./translate.patch ];
    }))
--- a/makefu/5pkgs/v4l2loopback-dc/default.nix
+++ b/makefu/5pkgs/v4l2loopback-dc/default.nix
@ -0,0 +1,36 @@
+{ stdenv, fetchFromGitHub, kernel, kmod }:
+
+stdenv.mkDerivation rec {
+  name = "v4l2loopback-dc-${version}-${kernel.version}";
+  version = "1.6";
+
+  src = fetchFromGitHub {
+    owner = "aramg";
+    repo = "droidcam";
+    rev = "v${version}";
+    sha256 = "1d9qpnmqa3pfwsrpjnxdz76ipk4w37bbxyrazchh4vslnfc886fx";
+  };
+
+  sourceRoot = "source/linux/v4l2loopback";
+
+  buildTargets = "v4l2loopback-dc";
+  hardeningDisable = [ "pic" ];
+
+  nativeBuildInputs = kernel.moduleBuildDependencies;
+  buildInputs = [ kmod ];
+
+
+  makeFlags = [
+    "KERNELRELEASE=${kernel.modDirVersion}"
+    "KERNEL_DIR=${kernel.dev}/lib/modules/${kernel.modDirVersion}/build"
+    "INSTALL_MOD_PATH=$(out)"
+  ];
+
+  meta = with stdenv.lib; {
+    description = "A kernel module to create V4L2 loopback devices";
+    homepage = "https://github.com/aramg/droidcam";
+    license = licenses.gpl2;
+    maintainers = [ maintainers.makefu ];
+    platforms = platforms.linux;
+  };
+}