Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

lass: migrate away

Browse Source
This commit is contained in:
lassulus 2023-09-07 12:26:31 +02:00
parent 85ae348bf3
commit f55307fd73
323 changed files with 2 additions and 17633 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitmodules vendored
View File

@ -4,9 +4,6 @@
[submodule "submodules/krops"] [submodule "submodules/krops"]
path = submodules/krops path = submodules/krops
url = https://cgit.krebsco.de/krops url = https://cgit.krebsco.de/krops
[submodule "lass/5pkgs/autowifi"]
path = lass/5pkgs/autowifi
url = https://github.com/Lassulus/autowifi
[submodule "submodules/disko"] [submodule "submodules/disko"]
path = submodules/disko path = submodules/disko
url = https://github.com/nix-community/disko url = https://github.com/nix-community/disko

2
kartei/lass/default.nix
View File

@ -17,7 +17,7 @@ in {
hosts = lib.mapAttrs (_: lib.recursiveUpdate { hosts = lib.mapAttrs (_: lib.recursiveUpdate {
owner = config.krebs.users.lass; owner = config.krebs.users.lass;
consul = true; consul = true;
ci = true; ci = false;
monitoring = true; monitoring = true;
}) ( }) (
lib.genAttrs hostFiles (host: import (./. + "/${host}.nix") { lib.genAttrs hostFiles (host: import (./. + "/${host}.nix") {

167
lass/1systems/aergia/config.nix
View File

@ -1,167 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/pipewire.nix>
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/network-manager.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/yellow-mounts/samba.nix>
<stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/mail.nix>
<stockholm/lass/2configs/bitcoin.nix>
# <stockholm/lass/2configs/xonsh.nix>
<stockholm/lass/2configs/review.nix>
<stockholm/lass/2configs/dunst.nix>
<stockholm/lass/2configs/print.nix>
<stockholm/lass/2configs/br.nix>
<stockholm/lass/2configs/c-base.nix>
# steam-deck like experience https://github.com/Jovian-Experiments/Jovian-NixOS
{
imports = [
"${builtins.fetchTarball "https://github.com/Jovian-Experiments/Jovian-NixOS/archive/master.tar.gz"}/modules"
];
jovian.steam.enable = true;
}
{ # autorandrs
services.autorandr = {
enable = true;
hooks.postswitch.reset_usb = ''
echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized
${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert
'';
profiles = {
default = {
fingerprint = {
eDP = "00ffffffffffff00288931000100000016200104805932780a0dc9a05747982712484c0000000101010101010101010101010101010108700088a1401360c820a300d9870000001ead4a0088a1401360c820a30020c23100001e000000fd0016480f5a1e000a202020202020000000fc0047504431303031480a2020202000cf";
};
config = {
eDP = {
enable = true;
primary = true;
position = "0x0";
mode = "2560x1600";
rate = "60.01";
transform = [
[ 0.750000 0.000000 0.000000 ]
[ 0.000000 0.750000 0.000000 ]
[ 0.000000 0.000000 1.000000 ]
];
# scale = {
# x = 0.599991;
# y = 0.599991;
# };
};
};
};
docked2 = {
fingerprint = {
eDP = config.services.autorandr.profiles.default.fingerprint.eDP;
DisplayPort-8 = "00ffffffffffff0010ac39d14c3346300f200104b5462878fb26f5af4f46a5240f5054a54b00714f8140818081c081009500b300d1c0565e00a0a0a0295030203500b9882100001a000000ff00444342375847330a2020202020000000fc0044454c4c204733323233440a20000000fd0030a5fafa41010a2020202020200181020332f149030212110490131f3f2309070783010000e200eae305c000e606050162622c6d1a0000020b30a50007622c622c5a8780a070384d4030203500b9882100001af4fb0050a0a0285008206800b9882100001a40e7006aa0a0675008209804b9882100001a6fc200a0a0a0555030203500b9882100001a000000000009";
DisplayPort-7 = "00ffffffffffff0020a32f00010000000c190103807341780acf74a3574cb02309484c21080081c0814081800101010101010101010104740030f2705a80b0588a00501d7400001e023a801871382d40582c4500501d7400001e000000fc00484953454e53450a2020202020000000fd00324b0f451e000a2020202020200172020333714f5f5e5d01020400101113001f2021222909070715075057070083010000e200f96d030c002000183c200060010203662150b051001b304070360056005300001e011d8018711c1620582c2500c48e2100009e011d007251d01e206e285500c48e2100001800000000000000000000000000000000000000000000ea";
};
config = {
DisplayPort-7 = {
enable = true;
position = "2560x0";
mode = "1920x1080";
rate = "60.00";
};
DisplayPort-8 = config.services.autorandr.profiles.docked1.config.DisplayPort-1;
eDP = config.services.autorandr.profiles.docked1.config.eDP;
};
};
docked1 = {
fingerprint = {
eDP = config.services.autorandr.profiles.default.fingerprint.eDP;
DisplayPort-1 = "00ffffffffffff0010ac39d14c3346300f200104b5462878fb26f5af4f46a5240f5054a54b00714f8140818081c081009500b300d1c0565e00a0a0a0295030203500b9882100001a000000ff00444342375847330a2020202020000000fc0044454c4c204733323233440a20000000fd0030a5fafa41010a2020202020200181020332f149030212110490131f3f2309070783010000e200eae305c000e606050162622c6d1a0000020b30a50007622c622c000000000000000000000000000000000000f4fb0050a0a0285008206800b9882100001a40e7006aa0a0675008209804b9882100001a6fc200a0a0a0555030203500b9882100001a000000000040";
};
config = {
DisplayPort-1 = {
enable = true;
primary = true;
position = "0x0";
mode = "2560x1440";
rate = "165.08";
};
eDP = config.services.autorandr.profiles.default.config.eDP // {
primary = false;
position = "640x1440";
};
};
};
docked1_hack = {
fingerprint = {
eDP = config.services.autorandr.profiles.default.fingerprint.eDP;
HDMI-A-0 = "00ffffffffffff0010ac31d14c3346300f20010380462878ea26f5af4f46a5240f5054a54b00714f8140818081c081009500b300d1c0565e00a0a0a0295030203500b9882100001a000000ff00444342375847330a2020202020000000fc0044454c4c204733323233440a20000000fd0030901ee63c000a20202020202001db020346f14d030212110113042f141f05103f2309070783010000e200ea67030c001000383c67d85dc4017888006d1a0000020b3090e607622c622ce305c000e606050162622c40e7006aa0a0675008209804b9882100001a6fc200a0a0a05550302035001d4e3100001a000000000000000000000000000000000000000000fc";
};
config = {
HDMI-A-0 = {
enable = true;
primary = true;
position = "0x0";
mode = "2560x1440";
rate = "165.08";
};
eDP = config.services.autorandr.profiles.default.config.eDP // {
primary = false;
position = "640x1440";
};
};
};
};
};
}
];
system.stateVersion = "22.11";
krebs.build.host = config.krebs.hosts.aergia;
environment.systemPackages = with pkgs; [
brain
bank
l-gen-secrets
generate-secrets
nixpkgs-review
pipenv
];
programs.adb.enable = true;
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
};
hardware.pulseaudio.package = pkgs.pulseaudioFull;
nix.trustedUsers = [ "root" "lass" ];
# nix.extraOptions = ''
# extra-experimental-features = nix-command flakes
# '';
services.tor = {
enable = true;
client.enable = true;
};
documentation.nixos.enable = true;
boot.binfmt.emulatedSystems = [
"aarch64-linux"
];
boot.cleanTmpDir = true;
programs.noisetorch.enable = true;
}

63
lass/1systems/aergia/disk.nix
View File

@ -1,63 +0,0 @@
{ lib, ... }:
{
disk = {
main = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "boot";
start = "0";
end = "1M";
part-type = "primary";
flags = ["bios_grub"];
}
{
name = "ESP";
start = "1MiB";
end = "1GiB";
fs-type = "fat32";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
}
{
name = "root";
start = "1GiB";
end = "100%";
content = {
type = "luks";
name = "aergia1";
content = {
type = "btrfs";
extraArgs = "-f"; # Override existing partition
subvolumes = {
# Subvolume name is different from mountpoint
"/rootfs" = {
mountpoint = "/";
};
# Mountpoints inferred from subvolume name
"/home" = {
mountOptions = [];
mountpoint = "/home";
};
"/nix" = {
mountOptions = [];
mountpoint = "/nix";
};
};
};
};
}
];
};
};
};
}

3
lass/1systems/aergia/install.sh
View File

@ -1,3 +0,0 @@
#!/bin/sh
target=$1

117
lass/1systems/aergia/physical.nix
View File

@ -1,117 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
./config.nix
(modulesPath + "/installer/scan/not-detected.nix")
<stockholm/lass/2configs/antimicrox>
];
disko.devices = import ./disk.nix;
networking.hostId = "deadbeef";
# boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
enable = true;
device = "/dev/nvme0n1";
efiSupport = true;
efiInstallAsRemovable = true;
};
# boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = [
# use less power with pstate
"amd_pstate=passive"
# suspend
"resume_offset=178345675"
];
boot.kernelModules = [
# Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html
# On recent AMD CPUs this can be more energy efficient.
"amd-pstate"
"kvm-amd"
];
# hardware.cpu.amd.updateMicrocode = true;
services.xserver.videoDrivers = [
"amdgpu"
];
boot.initrd.availableKernelModules = [
"nvme"
"thunderbolt"
"xhci_pci"
"usbhid"
];
boot.initrd.kernelModules = [
"amdgpu"
];
environment.systemPackages = [
pkgs.vulkan-tools
(pkgs.writers.writeDashBin "set_tdp" ''
set -efux
watt=$1
value=$(( $watt * 1000 ))
${pkgs.ryzenadj}/bin/ryzenadj --stapm-limit="$value" --fast-limit="$value" --slow-limit="$value"
'')
];
# corectrl
programs.corectrl = {
enable = true;
gpuOverclock = {
enable = true;
ppfeaturemask = "0xffffffff";
};
};
users.users.mainUser.extraGroups = [ "corectrl" ];
# keyboard quirks
services.xserver.displayManager.sessionCommands = ''
${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert
'';
services.udev.extraHwdb = /* sh */ ''
# disable back buttons
evdev:input:b0003v2F24p0135* # /dev/input/event2
KEYBOARD_KEY_70026=reserved
KEYBOARD_KEY_70027=reserved
'';
# update cpu microcode
hardware.cpu.amd.updateMicrocode = true;
hardware.opengl.enable = true;
hardware.opengl.extraPackages = [
pkgs.amdvlk
pkgs.rocm-opencl-icd
pkgs.rocm-opencl-runtime
];
# suspend to disk
swapDevices = [{
device = "/swapfile";
}];
boot.resumeDevice = "/dev/mapper/aergia1";
services.logind.lidSwitch = "suspend-then-hibernate";
services.logind.extraConfig = ''
HandlePowerKey=hibernate
'';
# systemd.sleep.extraConfig = ''
# HibernateDelaySec=1800
# '';
# firefox touchscreen support
environment.sessionVariables.MOZ_USE_XINPUT2 = "1";
# enable thunderbolt
services.hardware.bolt.enable = true;
# reinit usb after docking station connect
services.udev.extraRules = ''
SUBSYSTEM=="drm", ACTION=="change", RUN+="${pkgs.dash}/bin/dash -c 'echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized'"
'';
}

21
lass/1systems/aergia/source.nix
View File

@ -1,21 +0,0 @@
{ lib, pkgs, test, ... }: let
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
in {
nixpkgs = (if test then lib.mkForce ({ derivation = let
rev = npkgs.rev;
sha256 = npkgs.sha256;
in ''
with import (builtins.fetchTarball {
url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
sha256 = "${sha256}";
}) {};
pkgs.fetchFromGitHub {
owner = "nixos";
repo = "nixpkgs";
rev = "${rev}";
sha256 = "${sha256}";
}
''; }) else {
git.ref = lib.mkForce npkgs.rev;
});
}

22
lass/1systems/blue/config.nix
View File

@ -1,22 +0,0 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/blue.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/sync/decsync.nix>
];
krebs.build.host = config.krebs.hosts.blue;
networking.nameservers = [ "1.1.1.1" ];
time.timeZone = "Europe/Berlin";
users.users.mainUser.openssh.authorizedKeys.keys = [ config.krebs.users.lass-android.pubkey ];
}

7
lass/1systems/blue/physical.nix
View File

@ -1,7 +0,0 @@
{
imports = [
./config.nix
];
boot.isContainer = true;
networking.useDHCP = false;
}

17
lass/1systems/blue/source.nix
View File

@ -1,17 +0,0 @@
{ lib, pkgs, test, ... }:
if test then {} else {
nixpkgs = lib.mkIf (! test) (lib.mkForce {
file = {
path = toString (pkgs.fetchFromGitHub {
owner = "nixos";
repo = "nixpkgs";
rev = (lib.importJSON ../../../krebs/nixpkgs.json).rev;
sha256 = (lib.importJSON ../../../krebs/nixpkgs.json).sha256;
});
useChecksum = true;
};
});
nixpkgs-unstable = lib.mkForce {
file.path = "/var/empty";
};
}

63
lass/1systems/coaxmetal/config.nix
View File

@ -1,63 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/network-manager.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/yellow-mounts/samba.nix>
<stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/mail.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/review.nix>
<stockholm/lass/2configs/dunst.nix>
# <stockholm/krebs/2configs/ircd.nix>
];
krebs.build.host = config.krebs.hosts.coaxmetal;
environment.systemPackages = with pkgs; [
brain
bank
l-gen-secrets
(pkgs.writeDashBin "deploy" ''
set -eu
export SYSTEM="$1"
$(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
'')
(pkgs.writeDashBin "usb-tether-on" ''
adb shell su -c service call connectivity 33 i32 1 s16 text
'')
(pkgs.writeDashBin "usb-tether-off" ''
adb shell su -c service call connectivity 33 i32 0 s16 text
'')
];
programs.adb.enable = true;
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
};
hardware.pulseaudio.package = pkgs.pulseaudioFull;
nix.trustedUsers = [ "root" "lass" ];
services.tor = {
enable = true;
client.enable = true;
};
documentation.nixos.enable = true;
}

59
lass/1systems/coaxmetal/physical.nix
View File

@ -1,59 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
./config.nix
(modulesPath + "/installer/scan/not-detected.nix")
];
networking.hostId = "e0c335ea";
boot.zfs.requestEncryptionCredentials = true;
boot.zfs.enableUnstable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
enable = true;
# device = "/dev/disk/by-id/nvme-WDC_PC_SN730_SDBQNTY-1T00-1001_205349800040";
device = "nodev";
efiSupport = true;
# efiInstallAsRemovable = true;
};
services.xserver.videoDrivers = [
"amdgpu"
];
hardware.opengl.extraPackages = [ pkgs.amdvlk ];
environment.variables.VK_ICD_FILENAMES =
"/run/opengl-driver/share/vulkan/icd.d/amd_icd64.json";
boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-amd" ];
fileSystems."/" = {
device = "zpool/root/root";
fsType = "zfs";
};
fileSystems."/home" = {
device = "zpool/root/home";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/50A7-1889";
fsType = "vfat";
};
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
# Mouse stuff
services.xserver.libinput.enable = lib.mkForce false;
services.xserver.synaptics.enable = true;
services.xserver.displayManager.sessionCommands = ''
xinput disable 'ETPS/2 Elantech Touchpad'
xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation' 1
xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Button' 2
xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Axes' 6 7 4 5
'';
}

21
lass/1systems/coaxmetal/source.nix
View File

@ -1,21 +0,0 @@
{ lib, pkgs, test, ... }: let
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
in {
nixpkgs = (if test then lib.mkForce ({ derivation = let
rev = npkgs.rev;
sha256 = npkgs.sha256;
in ''
with import (builtins.fetchTarball {
url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
sha256 = "${sha256}";
}) {};
pkgs.fetchFromGitHub {
owner = "nixos";
repo = "nixpkgs";
rev = "${rev}";
sha256 = "${sha256}";
}
''; }) else {
git.ref = lib.mkForce npkgs.rev;
});
}

115
lass/1systems/daedalus/config.nix
View File

@ -1,115 +0,0 @@
with import <stockholm/lib>;
{ config, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/pipewire.nix>
# <stockholm/lass/2configs/nfs-dl.nix>
{
# bubsy config
users.users.bubsy = {
uid = genid "bubsy";
home = "/home/bubsy";
group = "users";
createHome = true;
extraGroups = [
"audio"
"networkmanager"
"pipewire"
# "plugdev"
];
useDefaultShell = true;
isNormalUser = true;
};
networking.networkmanager.enable = true;
networking.wireless.enable = mkForce false;
# programs.chromium = {
# enable = true;
# extensions = [
# "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
# ];
# };
environment.systemPackages = with pkgs; [
ark
pavucontrol
#firefox
chromium
hexchat
networkmanagerapplet
libreoffice
audacity
zathura
skypeforlinux
wine
geeqie
vlc
zsnes
telegram-desktop
];
# services.udev.packages = [ pkgs.ledger-udev-rules ];
nixpkgs.config.firefox.enableAdobeFlash = true;
services.xserver.enable = true;
services.xserver.displayManager.lightdm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
services.tlp.enable = lib.mkForce false;
services.xserver.layout = "de";
}
{
users = {
groups.plugdev = {};
users = {
bitcoin = {
name = "bitcoin";
description = "user for bitcoin stuff";
home = "/home/bitcoin";
isNormalUser = true;
useDefaultShell = true;
createHome = true;
extraGroups = [
"audio"
"networkmanager"
"plugdev"
];
packages = [
pkgs.electrum
pkgs.electron-cash
pkgs.ledger-live-desktop
];
};
};
};
hardware.ledger.enable = true;
security.sudo.extraConfig = ''
bubsy ALL=(bitcoin) NOPASSWD: ALL
'';
}
{
#remote control
environment.systemPackages = with pkgs; [
x11vnc
# torbrowser
];
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp -i retiolum --dport 5900"; target = "ACCEPT"; }
];
}
];
time.timeZone = "Europe/Berlin";
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
services.logind.extraConfig = ''
HandleLidSwitch=ignore
'';
krebs.build.host = config.krebs.hosts.daedalus;
}

24
lass/1systems/daedalus/physical.nix
View File

@ -1,24 +0,0 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/coreboot.nix>
];
fileSystems = {
"/bku" = {
device = "/dev/mapper/pool-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/backups" = {
device = "/dev/pool/backup";
fsType = "ext4";
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
'';
}

13
lass/1systems/dishfire/config.nix
View File

@ -1,13 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/monitoring/prometheus.nix>
<stockholm/lass/2configs/monitoring/telegraf.nix>
<stockholm/lass/2configs/consul.nix>
];
krebs.build.host = config.krebs.hosts.dishfire;
}

21
lass/1systems/dishfire/physical.nix
View File

@ -1,21 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
./config.nix
(modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
boot.loader.grub.devices = [ "/dev/sda" ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/84053adc-49bc-4e02-8a19-3838bf3a43fd";
fsType = "ext4";
};
swapDevices = [ ];
}

17
lass/1systems/echelon/config.nix
View File

@ -1,17 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/tor-initrd.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/green-host.nix>
];
krebs.build.host = config.krebs.hosts.echelon;
boot.tmpOnTmpfs = true;
}

33
lass/1systems/echelon/physical.nix
View File

@ -1,33 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
./config.nix
(modulesPath + "/profiles/qemu-guest.nix")
];
# Use the GRUB 2 boot loader.
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
# Define on which hard drive you want to install Grub.
boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.initrd.luks.devices.luksroot.device = "/dev/sda3";
networking.useDHCP = false;
networking.interfaces.ens18.useDHCP = true;
fileSystems."/" = {
device = "/dev/disk/by-uuid/5186edb1-9234-48ae-8679-61facb56b818";
fsType = "xfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/56D1-34A0";
fsType = "vfat";
};
}

75
lass/1systems/green/config.nix
View File

@ -1,75 +0,0 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/mail.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/sync/decsync.nix>
<stockholm/lass/2configs/weechat.nix>
<stockholm/lass/2configs/bitlbee.nix>
<stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/git-brain.nix>
<stockholm/lass/2configs/et-server.nix>
<stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/atuin-server.nix>
];
krebs.build.host = config.krebs.hosts.green;
krebs.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y";
};
systemd.tmpfiles.rules = [
"d /home/lass/.local/share 0700 lass users -"
"d /home/lass/.local 0700 lass users -"
"d /home/lass/.config 0700 lass users -"
"d /var/state/lass_mail 0700 lass users -"
"L+ /home/lass/Maildir - - - - ../../var/state/lass_mail"
"d /var/state/lass_ssh 0700 lass users -"
"L+ /home/lass/.ssh - - - - ../../var/state/lass_ssh"
"d /var/state/lass_gpg 0700 lass users -"
"L+ /home/lass/.gnupg - - - - ../../var/state/lass_gpg"
"d /var/state/lass_sync 0700 lass users -"
"L+ /home/lass/sync - - - - ../../var/state/lass_sync"
"d /var/state/git 0700 git nogroup -"
"L+ /var/lib/git - - - - ../../var/state/git"
];
users.users.mainUser.openssh.authorizedKeys.keys = [
config.krebs.users.lass-android.pubkey
config.krebs.users.lass-tablet.pubkey
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKgpZwye6yavIs3gUIYvSi70spDa0apL2yHR0ASW74z8" # weechat ssh tunnel
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
];
# workaround for ssh access from yubikey via android
services.openssh.extraConfig = ''
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
'';
services.dovecot2 = {
enable = true;
mailLocation = "maildir:~/Maildir";
};
networking.firewall.allowedTCPPorts = [ 143 ];
}

7
lass/1systems/green/physical.nix
View File

@ -1,7 +0,0 @@
{
imports = [
./config.nix
];
boot.isContainer = true;
networking.useDHCP = true;
}

6
lass/1systems/green/source.nix
View File

@ -1,6 +0,0 @@
{ lib, pkgs, test, ... }: let
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
in if test then {} else {
nixpkgs.git.ref = lib.mkForce npkgs.rev;
nixpkgs-unstable = lib.mkForce { file = "/var/empty"; };
}

33
lass/1systems/hilum/config.nix
View File

@ -1,33 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/network-manager.nix>
<stockholm/lass/2configs/syncthing.nix>
];
krebs.build.host = config.krebs.hosts.hilum;
boot.loader.grub = {
extraEntries = ''
submenu isos {
source /grub/autoiso.cfg
}
'';
extraFiles."/grub/autoiso.cfg" = (pkgs.stdenv.mkDerivation {
name = "autoiso.cfg";
src = pkgs.grub2.src;
phases = [ "unpackPhase" "installPhase" ];
installPhase = ''
cp docs/autoiso.cfg $out
'';
});
};
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
boot.tmpOnTmpfs = true;
}

43
lass/1systems/hilum/disk.nix
View File

@ -1,43 +0,0 @@
{ lib, disk, keyFile, ... }:
{
disk = {
main = {
type = "disk";
device = disk;
content = {
type = "table";
format = "gpt";
partitions = [
{
name = "boot";
start = "0";
end = "1M";
flags = ["bios_grub"];
}
{
name = "ESP";
start = "1M";
end = "50%";
bootable = true;
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
}
{
name = "root";
start = "50%";
end = "100%";
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
}
];
};
};
};
}

43
lass/1systems/hilum/flash-stick.sh
View File

@ -1,43 +0,0 @@
#!/bin/sh
set -efux
disk=$1
cd "$(dirname "$0")"
export NIXPKGS_ALLOW_UNFREE=1
(umask 077; pass show admin/hilum/luks > /tmp/hilum.luks)
trap 'rm -f /tmp/hilum.luks' EXIT
echo "$disk" > /tmp/hilum-disk
trap 'rm -f /tmp/hilum-disk' EXIT
stockholm_root=$(git rev-parse --show-toplevel)
ssh root@localhost -t -- $(nix-build \
--no-out-link \
-I nixpkgs=/var/src/nixpkgs \
-I stockholm="$stockholm_root" \
-I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \
-E "with import <nixpkgs> {}; (pkgs.nixos [
{
luksPassFile = \"/tmp/hilum.luks\";
mainDisk = \"$disk\";
disko.rootMountPoint = \"/mnt/hilum\";
}
./physical.nix
]).disko"
)
rm -f /tmp/hilum.luks
$(nix-build \
--no-out-link \
-I nixpkgs=/var/src/nixpkgs \
"$stockholm_root"/lass/krops.nix -A populate \
--argstr name hilum \
--argstr target "root@localhost/mnt/hilum/var/src" \
--arg force true
)
ssh root@localhost << SSH
set -efux
mkdir -p /mnt/hilum/etc
NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config nixos-install --no-bootloader --no-root-password --root /mnt/hilum -I /var/src
nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader
umount -Rv /mnt/hilum
SSH

53
lass/1systems/hilum/physical.nix
View File

@ -1,53 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./config.nix
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
{
# nice hack to carry around state passed impurely at the beginning
options.mainDisk = let
tryFile = path: default:
if lib.elem (builtins.baseNameOf path) (lib.attrNames (builtins.readDir (builtins.dirOf path))) then
builtins.readFile path
else
default
;
in lib.mkOption {
type = lib.types.str;
default = tryFile "/etc/hilum-disk" (tryFile "/tmp/hilum-disk" "/dev/sdz");
};
config.environment.etc.hilum-disk.text = config.mainDisk;
}
{
options.luksPassFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
};
}
];
disko.devices = import ./disk.nix {
inherit lib;
disk = config.mainDisk;
keyFile = config.luksPassFile;
};
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = config.mainDisk;
boot.loader.grub.efiInstallAsRemovable = true;
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
#weird bug with nixos-enter
services.logrotate.enable = false;
}

30
lass/1systems/icarus/config.nix
View File

@ -1,30 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/git.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/pipewire.nix>
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/wine.nix>
#<stockholm/lass/2configs/prism-share.nix>
<stockholm/lass/2configs/network-manager.nix>
<stockholm/lass/2configs/snapclient.nix>
<stockholm/lass/2configs/consul.nix>
];
krebs.build.host = config.krebs.hosts.icarus;
environment.systemPackages = [ pkgs.chromium ];
}

49
lass/1systems/icarus/physical.nix
View File

@ -1,49 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./config.nix
#<stockholm/lass/2configs/hw/x220.nix>
#<stockholm/lass/2configs/boot/universal.nix>
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
<stockholm/krebs/2configs/hw/x220.nix>
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.device = "/dev/disk/by-id/wwn-0x5002538d702f5ac6";
boot.initrd.luks.devices.ssd.device = "/dev/disk/by-id/wwn-0x5002538d702f5ac6-part3";
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "sd_mod" "sdhci_pci" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/298eb635-8db2-4c15-a73d-2e0d6afa10e8";
fsType = "xfs";
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/eec94bef-e745-4d95-ad17-4df728f5fd31";
fsType = "xfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/D975-2CAB";
fsType = "vfat";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
'';
services.logind.lidSwitch = "ignore";
}

25
lass/1systems/lasspi/config.nix
View File

@ -1,25 +0,0 @@
{ config, lib, pkgs, ... }:
let
in
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
];
krebs.build.host = config.krebs.hosts.lasspi;
networking = {
networkmanager = {
enable = true;
};
};
environment.systemPackages = with pkgs; [
vim
rxvt-unicode-unwrapped.terminfo
];
services.openssh.enable = true;
system.stateVersion = "22.05";
}

45
lass/1systems/lasspi/physical.nix
View File

@ -1,45 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
./config.nix
];
boot = {
# kernelPackages = pkgs.linuxPackages_rpi4;
tmpOnTmpfs = true;
initrd.availableKernelModules = [ "usbhid" "usb_storage" "xhci_pci" ];
# ttyAMA0 is the serial console broken out to the GPIO
kernelParams = [
"8250.nr_uarts=1"
"console=ttyAMA0,115200"
"console=tty1"
# Some gui programs need this
"cma=128M"
];
};
# boot.loader.raspberryPi = {
# enable = true;
# version = 4;
# # uboot.enable = true;
# };
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
# Required for the Wireless firmware
hardware.enableRedistributableFirmware = true;
networking.interfaces.eth0.useDHCP = true;
# Assuming this is installed on top of the disk image.
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "ext4";
options = [ "noatime" ];
};
};
powerManagement.cpuFreqGovernor = "ondemand";
}

30
lass/1systems/littleT/config.nix
View File

@ -1,30 +0,0 @@
with import <stockholm/lib>;
{ config, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/green-host.nix>
<stockholm/lass/2configs/syncthing.nix>
];
networking.networkmanager.enable = true;
networking.wireless.enable = mkForce false;
time.timeZone = "Europe/Berlin";
hardware.trackpoint = {
enable = true;
sensitivity = 220;
speed = 0;
emulateWheel = true;
};
services.logind.extraConfig = ''
HandleLidSwitch=ignore
'';
krebs.build.host = config.krebs.hosts.littleT;
}

25
lass/1systems/littleT/physical.nix
View File

@ -1,25 +0,0 @@
{
imports = [
./config.nix
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
fileSystems."/" =
{ device = "rpool/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/5B2E-3734";
fsType = "vfat";
};
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.device = "nodev";
networking.hostId = "584248c6";
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.kernelModules = [ "kvm-intel" ];
}

167
lass/1systems/mors/config.nix
View File

@ -1,167 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/pipewire.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/elster.nix>
<stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/mail.nix>
<stockholm/lass/2configs/logf.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/sync/decsync.nix>
<stockholm/lass/2configs/sync/weechat.nix>
<stockholm/lass/2configs/sync/the_playlist.nix>
#<stockholm/lass/2configs/c-base.nix>
<stockholm/lass/2configs/br.nix>
<stockholm/lass/2configs/ableton.nix>
<stockholm/lass/2configs/dunst.nix>
<stockholm/lass/2configs/rtl-sdr.nix>
<stockholm/lass/2configs/print.nix>
<stockholm/lass/2configs/network-manager.nix>
<stockholm/lass/2configs/yellow-mounts/samba.nix>
<stockholm/lass/2configs/ppp/x220-modem.nix>
<stockholm/lass/2configs/ppp/umts-stick.nix>
# <stockholm/lass/2configs/remote-builder/morpheus.nix>
# <stockholm/lass/2configs/remote-builder/prism.nix>
<stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/networkd.nix>
<stockholm/lass/2configs/autotether.nix>
{
krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain
{ predicate = "-p tcp --dport 11100"; target = "ACCEPT"; }
#quake3
{ predicate = "-p tcp --dport 27950:27965"; target = "ACCEPT"; }
{ predicate = "-p udp --dport 27950:27965"; target = "ACCEPT"; }
];
}
{
services.nginx = {
enable = true;
virtualHosts.default = {
default = true;
serverAliases = [
"localhost"
"${config.krebs.build.host.name}"
"${config.krebs.build.host.name}.r"
];
locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
alias /home/$1/public_html$2;
'';
};
};
}
{
services.redis.enable = true;
}
{
environment.systemPackages = [
pkgs.ovh-zone
pkgs.bank
pkgs.adb-sync
pkgs.transgui
];
}
{
services.tor = {
enable = true;
client.enable = true;
};
}
];
krebs.build.host = config.krebs.hosts.mors;
environment.systemPackages = with pkgs; [
acronym
brain
cac-api
sshpass
get
hashPassword
urban
mk_sql_pair
remmina
transmission
macchanger
dnsutils
woeusb
(pkgs.writeDashBin "play-on" ''
HOST=$(echo 'styx\nshodan' | fzfmenu)
ssh -t "$HOST" -- mpv "$@"
'')
];
#TODO: fix this shit
##fprint stuff
##sudo fprintd-enroll $USER to save fingerprints
#services.fprintd.enable = true;
#security.pam.services.sudo.fprintAuth = true;
users.extraGroups = {
loot = {
members = [
config.users.extraUsers.mainUser.name
"firefox"
"chromium"
"google"
"virtual"
];
};
};
krebs.repo-sync.timerConfig = {
OnCalendar = "00:37";
};
nixpkgs.config.android_sdk.accept_license = true;
programs.adb.enable = true;
services.earlyoom = {
enable = true;
freeMemThreshold = 5;
};
# It may leak your data, but look how FAST it is!1!!
# https://make-linux-fast-again.com/
boot.kernelParams = [
"noibrs"
"noibpb"
"nopti"
"nospectre_v2"
"nospectre_v1"
"l1tf=off"
"nospec_store_bypass_disable"
"no_stf_barrier"
"mds=off"
"mitigations=off"
];
boot.binfmt.emulatedSystems = [
"aarch64-linux"
];
nix.trustedUsers = [ "root" "lass" ];
services.nscd.enableNsncd = true;
}

48
lass/1systems/mors/physical.nix
View File

@ -1,48 +0,0 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/universal.nix>
];
boot.kernelParams = [ "acpi_backlight=native" ];
fileSystems = {
"/bku" = {
device = "/dev/mapper/pool-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home/virtual" = {
device = "/dev/mapper/pool-virtual";
fsType = "ext4";
};
"/backups" = {
device = "/dev/pool/backup";
fsType = "ext4";
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", DEVPATH=="/devices/pci*/*1c.1/*/net/*", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:37:15:d9", NAME="et0"
'';
#TODO activationScripts seem broken, fix them!
#activationScripts
#split up and move into base
system.activationScripts.powertopTunables = ''
#Runtime PMs
echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
'';
}

21
lass/1systems/mors/source.nix
View File

@ -1,21 +0,0 @@
{ lib, pkgs, test, ... }: let
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
in {
nixpkgs = (if test then lib.mkForce ({ derivation = let
rev = npkgs.rev;
sha256 = npkgs.sha256;
in ''
with import (builtins.fetchTarball {
url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
sha256 = "${sha256}";
}) {};
pkgs.fetchFromGitHub {
owner = "nixos";
repo = "nixpkgs";
rev = "${rev}";
sha256 = "${sha256}";
}
''; }) else {
git.ref = lib.mkForce npkgs.rev;
});
}

51
lass/1systems/neoprism/config.nix
View File

@ -1,51 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/mail/internet-gateway.nix>
<stockholm/lass/2configs/binary-cache/server.nix>
<stockholm/lass/2configs/matrix.nix>
<stockholm/lass/2configs/gsm-wiki.nix>
# sync-containers
<stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/services/flix/container-host.nix>
<stockholm/lass/2configs/services/radio/container-host.nix>
<stockholm/lass/2configs/ubik-host.nix>
<stockholm/lass/2configs/orange-host.nix>
<stockholm/krebs/2configs/hotdog-host.nix>
# other containers
<stockholm/lass/2configs/riot.nix>
# proxying of services
<stockholm/lass/2configs/services/radio/proxy.nix>
<stockholm/lass/2configs/services/flix/proxy.nix>
<stockholm/lass/2configs/services/coms/proxy.nix>
];
krebs.build.host = config.krebs.hosts.neoprism;
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme.acceptTerms = true;
security.acme.defaults.email = "acme@lassul.us";
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
enableReload = true;
virtualHosts.default = {
default = true;
locations."= /etc/os-release".extraConfig = ''
default_type text/plain;
alias /etc/os-release;
'';
locations."~ ^/.well-known/acme-challenge/".root = "/var/lib/acme/acme-challenge";
};
};
}

118
lass/1systems/neoprism/disk.nix
View File

@ -1,118 +0,0 @@
{ lib, ... }:
{
disk = (lib.genAttrs [ "/dev/nvme0n1" "/dev/nvme1n1" ] (disk: {
type = "disk";
device = disk;
content = {
type = "gpt";
partitions = {
boot = {
size = "1M";
type = "EF02";
};
ESP = {
size = "1G";
content = {
type = "mdraid";
name = "boot";
};
};
zfs = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
})) // {
hdd1 = {
type = "disk";
device = "/dev/sda";
content = {
type = "zfs";
pool = "tank";
};
};
};
mdadm = {
boot = {
type = "mdadm";
level = 1;
metadata = "1.0";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
};
zpool = {
zroot = {
type = "zpool";
mode = "mirror";
mountpoint = "/";
rootFsOptions = {
};
datasets.reserved = {
type = "zfs_fs";
options.refreservation = "1G";
};
};
tank = {
type = "zpool";
datasets = {
reserved = {
type = "zfs_fs";
options.refreservation = "1G";
};
containers = {
type = "zfs_fs";
mountpoint = "/var/lib/containers";
options = {
canmount = "noauto";
};
};
home = {
type = "zfs_fs";
mountpoint = "/home";
options = {
canmount = "noauto";
};
};
srv = {
type = "zfs_fs";
mountpoint = "/srv";
options = {
canmount = "noauto";
};
};
libvirt = {
type = "zfs_fs";
mountpoint = "/var/lib/libvirt";
options = {
canmount = "noauto";
};
};
# encrypted = {
# type = "zfs_fs";
# options = {
# canmount = "noauto";
# mountpoint = "none";
# encryption = "aes-256-gcm";
# keyformat = "passphrase";
# keylocation = "prompt";
# };
# };
# "encrypted/download" = {
# type = "zfs_fs";
# mountpoint = "/var/download";
# options = {
# canmount = "noauto";
# };
# };
};
};
};
}

79
lass/1systems/neoprism/physical.nix
View File

@ -1,79 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./config.nix
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
disko.devices = import ./disk.nix;
networking.hostId = "9c0a74ac";
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.devices = [
config.disko.devices.disk."/dev/nvme0n1".device
config.disko.devices.disk."/dev/nvme1n1".device
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
boot.kernelModules = [ "kvm-amd" ];
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
# networking config
networking.useNetworkd = true;
systemd.network = {
enable = true;
config = {
networkConfig.SpeedMeter = true;
};
# netdevs.ext-br.netdevConfig = {
# Kind = "bridge";
# Name = "ext-br";
# MACAddress = "a8:a1:59:0f:2d:69";
# };
# networks.ext-br = {
# name = "ext-br";
# address = [
# "95.217.192.59/26"
# "2a01:4f9:4a:4f1a::1/64"
# ];
# gateway = [
# "95.217.192.1"
# "fe80::1"
# ];
# };
networks.eth0 = {
#bridge = [ "ext-br" ];
matchConfig.Name = "eth0";
address = [
"95.217.192.59/26"
"2a01:4f9:4a:4f1a::1/64"
];
gateway = [
"95.217.192.1"
"fe80::1"
];
};
};
networking.useDHCP = false;
# boot.initrd.network = {
# enable = true;
# ssh = {
# enable = true;
# authorizedKeys = [ config.krebs.users.lass.pubkey ];
# port = 2222;
# hostKeys = [
# (<secrets/ssh.id_ed25519>)
# (<secrets/ssh.id_rsa>)
# ];
# };
# };
# boot.kernelParams = [
# "net.ifnames=0"
# "ip=dhcp"
# "boot.trace"
# ];
}

25
lass/1systems/orange/config.nix
View File

@ -1,25 +0,0 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/mumble-reminder.nix>
<stockholm/lass/2configs/services/git>
];
krebs.build.host = config.krebs.hosts.orange;
services.nginx.enable = true;
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = "acme@lassul.us";
};
krebs.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWzKuXrwQopBc1mzb2VpljmwAs7Y8bRl9a8hBXLC+l";
};
}

7
lass/1systems/orange/physical.nix
View File

@ -1,7 +0,0 @@
{
imports = [
./config.nix
];
boot.isContainer = true;
networking.useDHCP = true;
}

37
lass/1systems/prism/backup.nix
View File

@ -1,37 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.postgresqlBackup.enable = true;
systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
services.borgbackup.jobs.hetzner = {
paths = [
"/var/backup"
];
exclude = [
"*.pyc"
];
repo = "u364341@u364341.your-storagebox.de:/./hetzner";
encryption.mode = "none";
compression = "auto,zstd";
startAt = "daily";
# TODO: change backup key
environment.BORG_RSH = "ssh -oPort=23 -i ${toString <secrets> + "/borgbackup.ssh.id25519"}";
preHook = ''
set -x
'';
postHook = ''
cat > /var/log/telegraf/borgbackup-job-hetzner.service <<EOF
task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
EOF
'';
prune.keep = {
within = "1d"; # Keep all archives from the last day
daily = 7;
weekly = 4;
monthly = 0;
};
};
}

380
lass/1systems/prism/config.nix
View File

@ -1,380 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
./backup.nix
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/libvirt.nix>
<stockholm/lass/2configs/tv.nix>
<stockholm/lass/2configs/websites/lassulus.nix>
<stockholm/lass/2configs/services/git/proxy.nix>
<stockholm/lass/2configs/monitoring/telegraf.nix>
<stockholm/lass/2configs/consul.nix>
{
services.nginx.enable = true;
imports = [
<stockholm/lass/2configs/websites/domsen.nix>
];
# needed by domsen.nix ^^
lass.usershadow = {
enable = true;
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport http"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport https"; target = "ACCEPT"; }
];
}
{ # TODO make new hfos.nix out of this vv
users.users.riot = {
uid = genid_uint31 "riot";
isNormalUser = true;
extraGroups = [ "libvirtd" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
];
};
krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
{ v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
{ v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
];
}
{
users.users.tv = {
uid = genid_uint31 "tv";
isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.tv.pubkey
];
};
users.users.makefu = {
uid = genid_uint31 "makefu";
isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.makefu.pubkey
];
};
users.extraUsers.dritter = {
uid = genid_uint31 "dritter";
isNormalUser = true;
extraGroups = [
"download"
];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
];
};
users.extraUsers.juhulian = {
uid = 1339;
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
];
};
users.users.hellrazor = {
uid = genid_uint31 "hellrazor";
isNormalUser = true;
extraGroups = [
"download"
];
openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQFaYOWRUvHP6I37q9Dd4PJOq8FNQqAeJZ8pLx0G62uC450kbPGcG80rHHvXmk7HqQP6biJmMg48bOsvXAScPot2Qhp1Qc35CuUqVhLiTvUAsi8l/iJjhjZ23yRGDCAmW5+JIOzIvECkcbMnG7YoYAQ9trNGHe9qwGzQGhpt3QVClE23WtE3PVKRLQx1VbiabSnAm6tXVd2zpUoSdpWt8Gpi2taM4XXJ5+l744MNxFHvDapN5xqpYzwrA34Ii13jNLWcGbtgxESpR+VjnamdWByrkBsW4X5/xn2K1I1FrujaM/DBHV1QMaDKst9V8+uL5X7aYNt0OUBu2eyZdg6aujY2BYovB9uRyR1JIuSbA/a54MM96yN9WirMUufJF/YZrV0L631t9EW8ORyWUo1GRzMuBHVHQlfApj7NCU/jEddUuTqKgwyRgTmMFMUI4M0tRULAB/7pBE1Vbcx9tg6RsKIk8VkskfbBJW9Y6Sx6YoFlxPdgMNIrBefqEjIV62piP7YLMlvfIDCJ7TNd9dLN86XGggZ/nD5zt6SL1o61vVnw9If8pHosppxADPJsJvcdN6fOe16/tFAeE0JRo0jTcyFVTBGfhpey+rFfuW8wtUyuO5WPUxkOn7xMHGMWHJAtWX2vwVIDtLxvqn48B4SmEOpPD6ii+vcpwqAex3ycqBUQ==" ];
};
}
{
services.nginx.virtualHosts."radio.lassul.us" = {
enableACME = true;
addSSL = true;
locations."/" = {
# recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://radio.r";
extraConfig = ''
proxy_set_header Host radio.r;
# get source ip for weather reports
proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr";
'';
};
};
krebs.htgen.radio-redirect = {
port = 8000;
scriptFile = pkgs.writers.writeDash "redir" ''
printf 'HTTP/1.1 301 Moved Permanently\r\n'
printf "Location: http://radio.lassul.us''${Request_URI}\r\n"
printf '\r\n'
'';
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 8000"; target = "ACCEPT"; }
];
}
<stockholm/lass/2configs/exim-smarthost.nix>
<stockholm/lass/2configs/privoxy-retiolum.nix>
<stockholm/lass/2configs/binary-cache/server.nix>
<stockholm/lass/2configs/binary-cache/proxy.nix>
<stockholm/lass/2configs/iodined.nix>
<stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/fysiirc.nix>
<stockholm/lass/2configs/bgt-bot>
<stockholm/lass/2configs/matrix.nix>
<stockholm/krebs/2configs/mastodon-proxy.nix>
{
services.tor = {
enable = true;
};
}
{
imports = [
<stockholm/lass/2configs/realwallpaper.nix>
];
services.nginx.virtualHosts."lassul.us".locations = {
"= /wallpaper-marker.png".extraConfig = ''
alias /var/realwallpaper/realwallpaper-marker.png;
'';
"= /wallpaper.png".extraConfig = ''
alias /var/realwallpaper/realwallpaper.png;
'';
"= /wallpaper-stars-berlin.png".extraConfig = ''
alias /var/realwallpaper/realwallpaper-krebs-stars-berlin.png;
'';
};
}
<stockholm/lass/2configs/minecraft.nix>
<stockholm/lass/2configs/codimd.nix>
<stockholm/lass/2configs/go.nix>
{
lass.nichtparasoup.enable = true;
services.nginx = {
enable = true;
virtualHosts."lol.lassul.us" = {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:5001;
'';
};
};
}
{
imports = [
<stockholm/lass/2configs/wiregrill.nix>
];
krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [
{ v6 = false; predicate = "-s 10.244.0.0/16"; target = "ACCEPT"; }
{ v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
];
krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
{ predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
{ predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; }
{ v6 = false; predicate = "-s 10.244.0.0/16 ! -d 10.244.0.0/16"; target = "MASQUERADE"; }
];
services.dnsmasq = {
enable = true;
resolveLocalQueries = false;
extraConfig= ''
bind-interfaces
interface=wiregrill
interface=retiolum
'';
};
}
{
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; }
];
}
<stockholm/lass/2configs/services/coms/jitsi.nix>
<stockholm/lass/2configs/services/coms/murmur.nix>
{
services.nginx.virtualHosts."flix.lassul.us" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://yellow.r:8096";
proxyWebsockets = true;
recommendedProxySettings = true;
};
};
services.nginx.virtualHosts."lassul.us" = {
locations."^~ /flix/".extraConfig = ''
if ($scheme != "https") {
rewrite ^ https://$host$request_uri permanent;
}
auth_basic "Restricted Content";
auth_basic_user_file ${pkgs.writeText "flix-user-pass" ''
krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0
''};
proxy_pass http://yellow.r:80/;
proxy_set_header Accept-Encoding "";
sub_filter "https://lassul.us/" "https://lassul.us/flix/";
sub_filter_once off;
'';
locations."^~ /chatty/".extraConfig = ''
rewrite ^ https://$host/flix/$request_uri permanent;
'';
#locations."^~ /transmission".return = "301 https://$host/transmission/web/";
locations."^~ /transmission/".extraConfig = ''
if ($scheme != "https") {
rewrite ^ https://$host$request_uri permanent;
}
auth_basic "Restricted Content";
auth_basic_user_file ${pkgs.writeText "transmission-user-pass" ''
krebs:$apr1$1Fwt/4T0$YwcUn3OBmtmsGiEPlYWyq0
''};
proxy_pass_header X-Transmission-Session-Id;
proxy_pass http://10.233.2.14:9091;
'';
};
users.groups.download = {};
users.users = {
download = {
createHome = false;
group = "download";
name = "download";
home = "/var/download";
useDefaultShell = true;
uid = genid "download";
isSystemUser = true;
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
lass-android.pubkey
makefu.pubkey
palo.pubkey
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos"
"AAAAB3NzaC1yc2EAAAADAQABAAABgQC4ECL9NSCWqs4KVe+FF+2BPtl5Bv5aQPHqnXllCyiESZykwRKLx6/AbF5SbUAUMVZtp9oDSdp28m3BvVeWJ/q7hAbIxUtfd/jp+JBRZ8Kj6K5GzUO7Bhgl/o0A7xEjAeOKHiYuLjdPMcFUyl6Ah4ey/mcQYf6AdU0+hYUDeUlKe/YxxYD6202W0GJq2xGdIqs/TbopT9iaX+sv0wdXDVfFY72nFqOUwJW3u6O2viKKRugrz/eo50Eo3ts7pYz/FpDXExrUvV9Vu/bQ34pa8nKgF3/AKQHgmzljNQSVZKyAV8OY0UFonjBMXCBg2tXtwfnlzdx2SyuQVv55x+0AuRKsi85G2xLpXu1A3921pseBTW6Q6kbYK9eqxAay2c/kNbwNqFnO+nCvQ6Ier/hvGddOtItMu96IuU2E7mPN6WgvM8/3fjJRFWnZxFxqu/k7iH+yYT8qwRgdiSqZc76qvkYEuabdk2itstTRY0A3SpI3hFMZDw/7bxgMZtqpfyoRk5s= philip@shiki11:15 <Profpatsch> AAAAB3NzaC1yc2EAAAADAQABAAABgQC4ECL9NSCWqs4KVe+FF+2BPtl5Bv5aQPHqnXllCyiESZykwRKLx6/AbF5SbUAUMVZtp9oDSdp28m3BvVeWJ/q7hAbIxUtfd/jp+JBRZ8Kj6K5GzUO7Bhgl/o0A7xEjAeOKHiYuLjdPMcFUyl6Ah4ey/mcQYf6AdU0+hYUDeUlKe/YxxYD6202W0GJq2xGdIqs/TbopT9iaX+sv0wdXDVfFY72nFqOUwJW3u6O2viKKRugrz/eo50Eo3ts7pYz/FpDXExrUvV9Vu/bQ34pa8nKgF3/AKQHgmzljNQSVZKyAV8OY0UFonjBMXCBg2tXtwfnlzdx2SyuQVv55x+0AuRKsi85G2xLpXu1A3921pseBTW6Q6kbYK9eqxAay2c/kNbwNqFnO+nCvQ6Ier/hvGddOtItMu96IuU2E7mPN6WgvM8/3fjJRFWnZxFxqu/k7iH+yYT8qwRgdiSqZc76qvkYEuabdk2itstTRY0A3SpI3hFMZDw/7bxgMZtqpfyoRk5s= philip@shiki"
mic92.pubkey
qubasa.pubkey
];
};
};
system.activationScripts.downloadFolder = ''
mkdir -p /var/download
chmod 775 /var/download
ln -fnsT /var/lib/containers/yellow/var/download/finished /var/download/finished || :
chown download: /var/download/finished
'';
fileSystems."/export/download" = {
device = "/var/lib/containers/yellow/var/download/finished";
options = [ "bind" ];
};
services.nfs.server = {
enable = true;
exports = ''
/export 42::/16(insecure,ro,crossmnt)
'';
lockdPort = 4001;
mountdPort = 4002;
statdPort = 4000;
};
services.samba = {
enable = true;
enableNmbd = false;
extraConfig = ''
workgroup = WORKGROUP
netbios name = PRISM
server string = ${config.networking.hostName}
# only allow retiolum addresses
hosts allow = 42::/16 10.243.0.0/16 10.244.0.0/16
# Use sendfile() for performance gain
use sendfile = true
# No NetBIOS is needed
disable netbios = true
# Only mangle non-valid NTFS names, don't care about DOS support
mangled names = illegal
# Performance optimizations
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
# Disable all printing
load printers = false
disable spoolss = true
printcap name = /dev/null
map to guest = Bad User
max log size = 50
dns proxy = no
security = user
[global]
syslog only = yes
'';
shares.public = {
comment = "Warez";
path = "/export";
public = "yes";
"only guest" = "yes";
"create mask" = "0644";
"directory mask" = "2777";
writable = "no";
printable = "no";
};
};
krebs.iptables.tables.filter.INPUT.rules = [
# smbd
{ predicate = "-i retiolum -p tcp --dport 445"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 4000:4002"; target = "ACCEPT"; }
];
}
{ # acme fallback for neoprism migration
services.nginx.virtualHosts."lassul.us".acmeFallbackHost = "orange.r";
services.nginx.virtualHosts."radio.lassul.us".acmeFallbackHost = "neoprism.r";
services.nginx.virtualHosts."flix.lassul.us".acmeFallbackHost = "neoprism.r";
services.nginx.virtualHosts."jitsi.lassul.us".acmeFallbackHost = "neoprism.r";
services.nginx.virtualHosts."cgit.lassul.us".acmeFallbackHost = "orange.r";
services.nginx.virtualHosts."mail.lassul.us".acmeFallbackHost = "neoprism.r";
services.nginx.virtualHosts."mumble.lassul.us".acmeFallbackHost = "neoprism.r";
services.nginx.virtualHosts."mail.ubikmedia.eu" = {
enableACME = true;
forceSSL = true;
acmeFallbackHost = "ubik.r";
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "https://ubik.r";
};
};
}
];
krebs.build.host = config.krebs.hosts.prism;
services.earlyoom = {
enable = true;
freeMemThreshold = 5;
};
# prism rsa hack
services.openssh.hostKeys = [{
path = toString <secrets> + "ssh.id_rsa";
type = "rsa";
}];
}

107
lass/1systems/prism/physical.nix
View File

@ -1,107 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./config.nix
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.swraid.enable = true;
fileSystems."/" = {
device = "rpool/root/nixos";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/d155d6ff-8e89-4876-a9e7-d1b7ba6a4804";
fsType = "ext4";
};
fileSystems."/backups" = {
device = "tank/backups";
fsType = "zfs";
};
fileSystems."/srv/http" = {
device = "tank/srv-http";
fsType = "zfs";
};
fileSystems."/var/download" = {
device = "tank/download";
fsType = "zfs";
};
fileSystems."/var/lib/containers" = {
device = "tank/containers";
fsType = "zfs";
};
fileSystems."/home" = {
device = "tank/home";
fsType = "zfs";
};
fileSystems."/var/lib/nextcloud" = {
device = "tank/nextcloud";
fsType = "zfs";
};
fileSystems."/var/lib/libvirt" = {
device = "tank/libvirt";
fsType = "zfs";
};
fileSystems."/var/realwallpaper/archive" = {
device = "tank/wallpaper";
fsType = "zfs";
};
# silence mdmonitor.service failures
# https://github.com/NixOS/nixpkgs/issues/72394
environment.etc."mdadm.conf".text = ''
MAILADDR root
'';
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
# we don't pay for power there and this might solve a problem we observed at least once
# https://www.thomas-krenn.com/de/wiki/PCIe_Bus_Error_Status_00001100_beheben
boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" "nomodeset" ];
networking.dhcpcd.enable = false;
networking.useNetworkd = lib.mkForce false;
systemd.network.enable = lib.mkForce false;
# bridge config
networking.bridges."ext-br".interfaces = [ "eth0" ];
networking = {
hostId = "2283aaae";
defaultGateway = "95.216.1.129";
defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; };
# Use google's public DNS server
nameservers = [ "8.8.8.8" ];
interfaces.ext-br.ipv4.addresses = [
{
address = "95.216.1.150";
prefixLength = 26;
}
];
interfaces.ext-br.ipv6.addresses = [
{
address = "2a01:4f9:2a:1e9::1";
prefixLength = 64;
}
];
};
}

24
lass/1systems/radio/config.nix
View File

@ -1,24 +0,0 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/services/radio>
];
krebs.build.host = config.krebs.hosts.radio;
security.acme = {
acceptTerms = true;
defaults.email = "acme@lassul.us";
};
krebs.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvPKdbVwMEFCDMyNAzR8NdVjTbQL2G+03Xomxn6KKFt";
};
}

7
lass/1systems/radio/physical.nix
View File

@ -1,7 +0,0 @@
{
imports = [
./config.nix
];
boot.isContainer = true;
networking.useDHCP = true;
}

6
lass/1systems/radio/source.nix
View File

@ -1,6 +0,0 @@
{ lib, pkgs, test, ... }: let
npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
in if test then {} else {
nixpkgs.git.ref = lib.mkForce npkgs.rev;
nixpkgs-unstable = lib.mkForce { file = "/var/empty"; };
}

28
lass/1systems/shodan/config.nix
View File

@ -1,28 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/pipewire.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/yellow-mounts/samba.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/consul.nix>
<stockholm/lass/2configs/snapclient.nix>
];
krebs.build.host = config.krebs.hosts.shodan;
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
nix.trustedUsers = [ "root" "lass" ];
system.stateVersion = "22.05";
}

45
lass/1systems/shodan/physical.nix
View File

@ -1,45 +0,0 @@
{
#TODO reinstall with correct layout and use lass/hw/x220
imports = [
./config.nix
<stockholm/krebs/2configs/hw/x220.nix>
];
boot = {
loader.grub.enable = true;
loader.grub.version = 2;
loader.grub.device = "/dev/sda";
initrd.luks.devices.lusksroot.device = "/dev/sda2";
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
};
fileSystems = {
"/" = {
device = "/dev/pool/nix";
fsType = "btrfs";
};
"/boot" = {
device = "/dev/sda1";
};
"/home" = {
device = "/dev/mapper/pool-home";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/bku" = {
device = "/dev/pool/bku";
fsType = "btrfs";
};
"/backups" = {
device = "/dev/pool/backup";
fsType = "ext4";
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
SUBSYSTEM=="net", ATTR{address}=="00:e0:4c:69:ea:71", NAME="int0"
'';
}

41
lass/1systems/skynet/config.nix
View File

@ -1,41 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/green-host.nix>
<stockholm/lass/2configs/power-action.nix>
<stockholm/lass/2configs/syncthing.nix>
{
services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
users.users.discordius = {
uid = genid "diskordius";
isNormalUser = true;
extraGroups = [
"audio"
"networkmanager"
];
};
environment.systemPackages = with pkgs; [
google-chrome
];
hardware.pulseaudio = {
enable = true;
systemWide = true;
};
}
];
krebs.build.host = config.krebs.hosts.skynet;
networking.wireless.enable = false;
networking.networkmanager.enable = true;
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
}

29
lass/1systems/skynet/physical.nix
View File

@ -1,29 +0,0 @@
{
imports = [
./config.nix
<stockholm/krebs/2configs/hw/x220.nix>
];
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.device = "nodev";
networking.hostId = "06442b9a";
fileSystems."/" = {
device = "rpool/root";
fsType = "zfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/0876-B308";
fsType = "vfat";
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0"
'';
}

116
lass/1systems/styx/config.nix
View File

@ -1,116 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/pipewire.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/nfs-dl.nix>
<stockholm/lass/2configs/yellow-mounts/samba.nix>
<stockholm/lass/2configs/gg23.nix>
<stockholm/lass/2configs/hass>
<stockholm/lass/2configs/green-host.nix>
<stockholm/krebs/2configs/news-host.nix>
# <stockholm/lass/2configs/br.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/home-media.nix>
<stockholm/lass/2configs/syncthing.nix>
# <stockholm/lass/2configs/idc.nix>
<stockholm/lass/2configs/ppp/umts-stick.nix>
<stockholm/lass/2configs/snapserver.nix>
<stockholm/lass/2configs/snapclient.nix>
<stockholm/lass/2configs/consul.nix>
];
krebs.build.host = config.krebs.hosts.styx;
networking.firewall.interfaces.int0.allowedTCPPorts = [ config.services.smokeping.port ];
networking.firewall.interfaces.retiolum.allowedTCPPorts = [ config.services.smokeping.port ];
networking.firewall.interfaces.wiregrill.allowedTCPPorts = [ config.services.smokeping.port ];
krebs.power-action.enable = mkForce false;
environment.systemPackages = with pkgs; [
wol
(writeDashBin "wake-alien" ''
${wol}/bin/wol -h 10.42.0.255 10:65:30:68:83:a3
'')
(writers.writeDashBin "iptv" ''
set -efu
/run/current-system/sw/bin/mpv \
--audio-display=no --audio-channels=stereo \
--audio-samplerate=48000 --audio-format=s16 \
--ao-pcm-file=/run/snapserver/snapfifo --ao=pcm \
--audio-delay=-1 \
--playlist=https://iptv-org.github.io/iptv/index.nsfw.m3u \
--idle=yes \
--input-ipc-server=/tmp/mpv.ipc \
"$@"
'')
];
users.users.mainUser.openssh.authorizedKeys.keys = [
config.krebs.users.lass-android.pubkey
];
# http://10.42.0.1:8081/smokeping.fcgi
services.smokeping = {
enable = true;
host = null;
targetConfig = ''
probe = FPing
menu = top
title = top
+ Local
menu = Local
title = Local Network
++ LocalMachine
menu = Local Machine
title = This host
host = localhost
+ Internet
menu = internet
title = internet
++ CloudflareDNS
menu = Cloudflare DNS
title = Cloudflare DNS server
host = 1.1.1.1
++ GoogleDNS
menu = Google DNS
title = Google DNS server
host = 8.8.8.8
+ retiolum
menu = retiolum
title = retiolum
++ gum
menu = gum.r
title = gum.r
host = gum.r
++ ni
menu = ni.r
title = ni.r
host = ni.r
++ prism
menu = prism.r
title = prism.r
host = prism.r
'';
};
# for usb internet
hardware.usbWwan.enable = true;
}

38
lass/1systems/styx/physical.nix
View File

@ -1,38 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./config.nix
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
boot.loader.grub.enable = true;
boot.loader.grub.efiSupport = true;
boot.loader.grub.device = "/dev/disk/by-id/ata-SanDisk_SSD_G5_BICS4_20248F446514";
boot.loader.grub.efiInstallAsRemovable = true;
fileSystems."/" =
{ device = "/dev/disk/by-uuid/ee5c9099-17fa-401e-852e-67cb4ae068f4";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/EAA5-88A9";
fsType = "vfat";
};
swapDevices = [ ];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="3c:7c:3f:7e:e2:39", NAME="et0"
SUBSYSTEM=="net", ATTR{address}=="00:e0:4c:78:91:50", NAME="int0"
'';
}

276
lass/1systems/ubik/config.nix
View File

@ -1,276 +0,0 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
];
krebs.build.host = config.krebs.hosts.ubik;
krebs.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBFGMjH0+Dco6DVFZbByENMci8CFTLXCL7j53yctPnM";
};
security.acme = {
acceptTerms = true;
defaults.email = "acme@lassul.us";
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
# nextcloud
services.nginx.virtualHosts."c.apanowicz.de" = {
enableACME = true;
forceSSL = true;
};
services.nextcloud = {
enable = true;
enableBrokenCiphersForSSE = false;
hostName = "c.apanowicz.de";
package = pkgs.nextcloud25;
config.adminpassFile = "/run/nextcloud.pw";
https = true;
maxUploadSize = "9001M";
};
systemd.services.nextcloud-setup.serviceConfig.ExecStartPre = [
"+${pkgs.writeDash "copy-pw" ''
${pkgs.rsync}/bin/rsync \
--chown nextcloud:nextcloud \
--chmod 0700 \
/var/src/secrets/nextcloud.pw /run/nextcloud.pw
''}"
];
# mail
lass.usershadow.enable = true;
services.nginx.virtualHosts."mail.ubikmedia.eu" = {
enableACME = true;
forceSSL = true;
};
services.roundcube = {
enable = true;
hostName = "mail.ubikmedia.eu";
extraConfig = ''
$config['smtp_debug'] = true;
$config['smtp_host'] = "localhost:25";
'';
};
services.dovecot2 = {
enable = true;
showPAMFailure = true;
mailLocation = "maildir:~/Mail";
sslServerCert = "/var/lib/acme/mail.ubikmedia.eu/fullchain.pem";
sslServerKey = "/var/lib/acme/mail.ubikmedia.eu/key.pem";
};
krebs.exim-smarthost = {
ssl_cert = "/var/lib/acme/mail.ubikmedia.eu/fullchain.pem";
ssl_key = "/var/lib/acme/mail.ubikmedia.eu/key.pem";
authenticators.PLAIN = ''
driver = plaintext
public_name = PLAIN
server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
'';
authenticators.LOGIN = ''
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
# server_condition = ''${run{/run/current-system/sw/bin/debug_exim ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
'';
internet-aliases = [
{ from = "dma@ubikmedia.de"; to = "domsen"; }
{ from = "dma@ubikmedia.eu"; to = "domsen"; }
{ from = "hallo@apanowicz.de"; to = "domsen"; }
{ from = "bruno@apanowicz.de"; to = "bruno"; }
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
{ from = "jms@ubikmedia.eu"; to = "jms"; }
{ from = "ms@ubikmedia.eu"; to = "ms"; }
{ from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
{ from = "kontakt@alewis.de"; to ="klabusterbeere"; }
{ from = "hallo@jarugadesign.de"; to ="kasia"; }
{ from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; }
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
];
sender_domains = [
"jla-trading.com"
"ubikmedia.eu"
"ubikmedia.de"
"apanowicz.de"
"alewis.de"
"jarugadesign.de"
"beesmooth.ch"
"event-extra.de"
];
dkim = [
{ domain = "ubikmedia.eu"; }
{ domain = "apanowicz.de"; }
{ domain = "beesmooth.ch"; }
];
};
# users
users.users.UBIK-SFTP = {
uid = pkgs.stockholm.lib.genid_uint31 "UBIK-SFTP";
home = "/home/UBIK-SFTP";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.xanf = {
uid = pkgs.stockholm.lib.genid_uint31 "xanf";
group = "xanf";
home = "/home/xanf";
useDefaultShell = true;
createHome = false; # creathome forces permissions
isNormalUser = true;
};
users.users.domsen = {
uid = pkgs.stockholm.lib.genid_uint31 "domsen";
description = "maintenance acc for domsen";
home = "/home/domsen";
useDefaultShell = true;
extraGroups = [ "syncthing" "download" "xanf" ];
createHome = true;
isNormalUser = true;
};
users.users.bruno = {
uid = pkgs.stockholm.lib.genid_uint31 "bruno";
home = "/home/bruno";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.jla-trading = {
uid = pkgs.stockholm.lib.genid_uint31 "jla-trading";
home = "/home/jla-trading";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.jms = {
uid = pkgs.stockholm.lib.genid_uint31 "jms";
home = "/home/jms";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.ms = {
uid = pkgs.stockholm.lib.genid_uint31 "ms";
home = "/home/ms";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.testuser = {
uid = pkgs.stockholm.lib.genid_uint31 "testuser";
home = "/home/testuser";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.bui = {
uid = pkgs.stockholm.lib.genid_uint31 "bui";
home = "/home/bui";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.klabusterbeere = {
uid = pkgs.stockholm.lib.genid_uint31 "klabusterbeere";
home = "/home/klabusterbeere";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.kasia = {
uid = pkgs.stockholm.lib.genid_uint31 "kasia";
home = "/home/kasia";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.XANF_TEAM = {
uid = pkgs.stockholm.lib.genid_uint31 "XANF_TEAM";
group = "xanf";
home = "/home/XANF_TEAM";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.dif = {
uid = pkgs.stockholm.lib.genid_uint31 "dif";
home = "/home/dif";
useDefaultShell = true;
extraGroups = [ "xanf" ];
createHome = true;
isNormalUser = true;
};
users.users.lavafilms = {
uid = pkgs.stockholm.lib.genid_uint31 "lavafilms";
home = "/home/lavafilms";
useDefaultShell = true;
extraGroups = [ "xanf" ];
createHome = true;
isNormalUser = true;
};
users.users.movematchers = {
uid = pkgs.stockholm.lib.genid_uint31 "movematchers";
home = "/home/movematchers";
useDefaultShell = true;
extraGroups = [ "xanf" ];
createHome = true;
isNormalUser = true;
};
users.users.blackphoton = {
uid = pkgs.stockholm.lib.genid_uint31 "blackphoton";
home = "/home/blackphoton";
useDefaultShell = true;
extraGroups = [ "xanf" ];
createHome = true;
isNormalUser = true;
};
users.users.line = {
uid = pkgs.stockholm.lib.genid_uint31 "line";
home = "/home/line";
useDefaultShell = true;
# extraGroups = [ "xanf" ];
createHome = true;
isNormalUser = true;
};
users.users.avada = {
uid = pkgs.stockholm.lib.genid_uint31 "avada";
home = "/home/avada";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
users.users.familienrat = {
uid = pkgs.stockholm.lib.genid_uint31 "familienrat";
home = "/home/familienrat";
useDefaultShell = true;
createHome = true;
isNormalUser = true;
};
}

7
lass/1systems/ubik/physical.nix
View File

@ -1,7 +0,0 @@
{
imports = [
./config.nix
];
boot.isContainer = true;
networking.useDHCP = true;
}

287
lass/1systems/wizard/config.nix
View File

@ -1,287 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
icon = pkgs.writeText "icon" ''
//
//
_ //
.' . // '.
'_ '_\/_' `_
. . \\ . .
.==. ` \\' .'
.\| //bd\\ \,
\_'`._\\__//_.'`.;
`.__ __,' \\
| | \\
| | `
| |
| |
|____|
l42 ==' '==
'';
messenger = pkgs.writeText "message" ''
.
| \/|
(\ _ ) )|/|
(/ _----. /.'.'
.-._________.. .' @ _\ .'
'.._______. '. / (_| .')
'._____. / '-/ | _.'
'.______ ( ) ) \
'..____ '._ ) )
.' __.--\ , , // ((
'.' mrf| \/ (_.'(
' \ .'
\ (
\ '.
\ \ '.)
'-'-'
'';
waiting = pkgs.writeText "waiting" ''
Z
Z
z
z
* '
/ \
/___\
( - - )
) L ( .--------------.
__()(-)()__ | \ |
.~~ )()()() ~. | . :
/ )()() ` | `-.__________)
| )() ~ | : :
| ) | : |
| _ | | [ ## :
\ ~~-. | , oo_______.'
`_ ( \) _____/~~~~ `--___
| ~`-) ) `-. `--- ( - a:f -
| '///` | `-.
| | | | `-.
| | | | `-.
| | |\ |
| | | \|
`-. | | |
`-| '
'';
wizard = pkgs.writers.writeDash "wizard" ''
cat ${icon}
echo -n '${''
welcome to the computer wizard
first we will check for internet connectivity
''}'
read -p '(press enter to continue...)' key
until ping -c1 8.8.8.8; do
${pkgs.nm-dmenu}/bin/nm-dmenu
done
mode=$(echo -n '${''
1. Help of the wizard
2. Install NixOS
3. I know what I need to do
''}' | ${pkgs.fzf}/bin/fzf --reverse)
case "$mode" in
1*)
echo 'mode_1' > /tmp/mode
clear
echo 'waiting for the messenger to reach the wizard'
cat ${messenger}
# get pubkeys
mkdir -p /root/.ssh/
touch /root/.ssh/authorized_keys
curl -Ss 'https://lassul.us/mors.pub' >> /root/.ssh/authorized_keys
curl -Ss 'https://lassul.us/blue.pub' >> /root/.ssh/authorized_keys
curl -Ss 'https://lassul.us/yubi.pub' >> /root/.ssh/authorized_keys
# write via irc
systemctl start hidden-ssh-announce.service
tmux new-session -s help ${pkgs.writers.writeDash "waiting" ''
cat ${waiting}
read -p 'waiting for the wizard to wake up' key
${pkgs.bashInteractive}/bin/bash
''}
;;
2*)
echo 'mode_2' > /tmp/mode
${pkgs.nixos-installer}/bin/nixos-installer
;;
3*)
echo 'mode_3' > /tmp/mode
;;
*)
echo 'no mode selected'
;;
esac
'';
in {
imports = [
<stockholm/krebs>
<stockholm/lass/3modules>
<stockholm/lass/2configs/vim.nix>
# <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix>
{
nixpkgs.config.packageOverrides = import <stockholm/lass/5pkgs> pkgs;
krebs.enable = true;
krebs.build.user = config.krebs.users.lass;
krebs.build.host = {};
}
# {
# systemd.services.wizard = {
# description = "Computer Wizard";
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# ExecStart = pkgs.writers.writeDash "wizard" ''
# set -efu
# cat <<EOF
# welcome to the computer wizard
# you can choose between the following modes
# echo -n '1\n2\n3' | ${pkgs.fzf}/bin/fzf
# EOF
# '';
# StandardInput = "tty";
# StandardOutput = "tty";
# # TTYPath = "/dev/tty1";
# TTYPath = "/dev/ttyS0";
# TTYReset = true;
# TTYVTDisallocate = true;
# Restart = "always";
# };
# };
# }
];
networking.hostName = "wizard";
nixpkgs.config.allowUnfree = true;
# users.extraUsers = {
# root = {
# openssh.authorizedKeys.keys = [
# config.krebs.users.lass.pubkey
# config.krebs.users.lass-mors.pubkey
# ];
# };
# };
environment.systemPackages = with pkgs; [
#stockholm
git
gnumake
jq
parallel
proot
populate
#style
most
rxvt-unicode-unwrapped.terminfo
#monitoring tools
htop
iotop
#network
iptables
iftop
nm-dmenu
#stuff for dl
aria2
#neat utils
chntpw
hashPassword
krebspaste
pciutils
psmisc
tmux
usbutils
#unpack stuff
p7zip
unzip
unrar
#data recovery
ddrescue
ntfs3g
dosfstools
nixos-installer
];
environment.extraInit = ''
EDITOR=vim
'';
programs.bash = {
enableCompletion = true;
interactiveShellInit = ''
HISTCONTROL='erasedups:ignorespace'
HISTSIZE=65536
HISTFILESIZE=$HISTSIZE
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
complete -d cd
'';
promptInit = ''
if test $UID = 0; then
PS1='\[\033[1;31m\]\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
elif test $UID = 1337; then
PS1='\[\033[1;32m\]\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $PWD\007"'
else
PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
fi
if test -n "$SSH_CLIENT"; then
PS1='\[\033[35m\]\h'" $PS1"
PROMPT_COMMAND='echo -ne "\033]0;$$ $HOSTNAME $USER@$PWD\007"'
fi
if ! test -e /tmp/mode; then
${wizard}
fi
'';
};
services.openssh.enable = true;
systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ];
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 ];
};
networking.networkmanager.enable = true;
networking.wireless.enable = mkForce false;
krebs.hidden-ssh = {
enable = true;
channel = "##lassulus-wizard";
message = "lassulus: torify sshn root@";
};
systemd.services.hidden-ssh-announce.wantedBy = mkForce [];
services.getty.autologinUser = lib.mkForce "root";
nixpkgs.config.packageOverrides = super: {
dmenu = pkgs.writeDashBin "dmenu" ''
${pkgs.fzf}/bin/fzf \
--history=/dev/null \
--print-query \
--prompt=\"$PROMPT\"
'';
};
boot.tmpOnTmpfs = true;
}

7
lass/1systems/wizard/generate-iso.sh
View File

@ -1,7 +0,0 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p nixos-generators
set -xefu
WD=$(dirname "$0")
nixos-generate -I stockholm="$WD"/../../.. -c "$WD"/config.nix -f install-iso

7
lass/1systems/wizard/run-vm.sh
View File

@ -1,7 +0,0 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p nixos-generators
set -efu
WD=$(dirname "$0")
nixos-generate -I stockholm="$WD"/../../.. -c "$WD"/config.nix -f vm-nogui --run

10
lass/1systems/wizard/test.nix
View File

@ -1,10 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
./config.nix
];
virtualisation.emptyDiskImages = [
8000
];
virtualisation.memorySize = 1024;
}

76
lass/1systems/xerxes/config.nix
View File

@ -1,76 +0,0 @@
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/pipewire.nix>
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/network-manager.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/mail.nix>
];
krebs.build.host = config.krebs.hosts.xerxes;
environment.shellAliases = {
deploy = pkgs.writeDash "deploy" ''
set -eu
export SYSTEM="$1"
$(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
'';
usb-tether-on = pkgs.writeDash "usb-tether-on" ''
adb shell su -c service call connectivity 33 i32 1 s16 text
'';
usb-tether-off = pkgs.writeDash "usb-tether-off" ''
adb shell su -c service call connectivity 33 i32 0 s16 text
'';
};
services.xserver = {
displayManager.lightdm.autoLogin.enable = true;
displayManager.lightdm.autoLogin.user = "lass";
};
boot.blacklistedKernelModules = [ "xpad" ];
systemd.services.xboxdrv = {
wantedBy = [ "multi-user.target" ];
script = ''
${pkgs.xboxdrv.overrideAttrs(o: {
patches = o.patches ++ [ (pkgs.fetchurl {
url = "https://patch-diff.githubusercontent.com/raw/xboxdrv/xboxdrv/pull/251.patch";
sha256 = "17784y20mxqrlhgvwvszh8lprxrvgmb7ah9dknmbhj5jhkjl8wq5";
}) ];
})}/bin/xboxdrv --type xbox360 --dbus disabled -D
'';
};
programs.adb.enable = true;
services.logind.lidSwitch = "suspend";
lass.screenlock.enable = lib.mkForce false;
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
};
hardware.pulseaudio.package = pkgs.pulseaudioFull;
# hardware.pulseaudio.configFile = pkgs.writeText "default.pa" ''
# load-module module-bluetooth-policy
# load-module module-bluetooth-discover
# ## module fails to load with
# ## module-bluez5-device.c: Failed to get device path from module arguments
# ## module.c: Failed to load module "module-bluez5-device" (argument: ""): initialization failed.
# # load-module module-bluez5-device
# # load-module module-bluez5-discover
# '';
}

73
lass/1systems/xerxes/physical.nix
View File

@ -1,73 +0,0 @@
{ pkgs, lib, ... }:
{
imports = [
./config.nix
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
boot.loader.grub = {
enable = true;
device = "/dev/sda";
efiSupport = true;
efiInstallAsRemovable = true;
};
boot.blacklistedKernelModules = [
"sdhci_pci"
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "sd_mod" ];
boot.initrd.luks.devices.crypted.device = "/dev/sda3";
boot.kernelModules = [ "kvm-intel" ];
boot.kernelParams = [
"fbcon=rotate:1"
"boot.shell_on_fail"
];
fileSystems."/" = {
device = "/dev/disk/by-uuid/8efd0c22-f712-46bf-baad-1fbf19d9ec25";
fsType = "xfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/7F23-DDB4";
fsType = "vfat";
};
swapDevices = [ ];
boot.extraModprobeConfig = ''
options zfs zfs_arc_max=107374182
'';
nix.maxJobs = lib.mkDefault 4;
networking.hostId = "9b0a74ac";
networking.networkmanager.enable = true;
hardware.opengl.enable = true;
services.tlp.enable = true;
services.tlp.extraConfig = ''
CPU_SCALING_GOVERNOR_ON_AC=ondemand
CPU_SCALING_GOVERNOR_ON_BAT=powersave
CPU_MIN_PERF_ON_AC=0
CPU_MAX_PERF_ON_AC=100
CPU_MIN_PERF_ON_BAT=0
CPU_MAX_PERF_ON_BAT=30
'';
services.logind.extraConfig = ''
HandlePowerKey=suspend
IdleAction=suspend
IdleActionSec=300
'';
services.xserver = {
videoDrivers = [ "intel" ];
displayManager.sessionCommands = ''
(sleep 2 && ${pkgs.xorg.xrandr}/bin/xrandr --output eDP1 --rotate right)
(sleep 2 && ${pkgs.xorg.xinput}/bin/xinput set-prop "pointer:Goodix Capacitive TouchScreen" --type=float "Coordinate Transformation Matrix" 0 1 0 -1 0 1 0 0 1)
'';
};
}

45
lass/1systems/yellow/config.nix
View File

@ -1,45 +0,0 @@
{ config, lib, pkgs, ... }: let
vpnPort = 1637;
torrentport = 56709; # port forwarded in airvpn webinterface
in {
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/services/flix>
];
krebs.build.host = config.krebs.hosts.yellow;
krebs.sync-containers3.inContainer = {
enable = true;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL";
};
networking.useHostResolvConf = false;
networking.useNetworkd = true;
networking.wg-quick.interfaces.airvpn.configFile = "/var/src/secrets/airvpn.conf";
services.transmission.settings.peer-port = torrentport;
# only allow traffic through openvpn
krebs.iptables = {
enable = true;
tables.filter.INPUT.rules = [
{ predicate = "-i airvpn -p tcp --dport ${toString torrentport}"; target = "ACCEPT"; }
{ predicate = "-i airvpn -p udp --dport ${toString torrentport}"; target = "ACCEPT"; }
];
tables.filter.OUTPUT = {
policy = "DROP";
rules = [
{ predicate = "-o lo"; target = "ACCEPT"; }
{ predicate = "-p udp --dport ${toString vpnPort}"; target = "ACCEPT"; }
{ predicate = "-o airvpn"; target = "ACCEPT"; }
{ predicate = "-o retiolum"; target = "ACCEPT"; }
{ v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; }
{ v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; }
{ v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; }
];
};
};
}

7
lass/1systems/yellow/physical.nix
View File

@ -1,7 +0,0 @@
{
imports = [
./config.nix
];
boot.isContainer = true;
networking.useDHCP = false;
}

83
lass/2configs/AP.nix
View File

@ -1,83 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
let
wifi = "wlp0s29u1u2";
in {
boot.extraModulePackages = [
pkgs.linuxPackages.rtl8814au
];
networking.networkmanager.unmanaged = [ wifi "et0" ];
systemd.services.hostapd = {
description = "hostapd wireless AP";
path = [ pkgs.hostapd ];
wantedBy = [ "network.target" ];
after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ];
serviceConfig = {
ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" ''
interface=${wifi}
hw_mode=a
channel=36
ieee80211d=1
country_code=DE
ieee80211n=1
ieee80211ac=1
wmm_enabled=1
# 5ghz
ssid=krebsing
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=aidsballz
''}";
Restart = "always";
};
};
networking.bridges.br0.interfaces = [
wifi
"et0"
];
networking.interfaces.br0.ipv4.addresses = [
{ address = "10.99.0.1"; prefixLength = 24; }
];
services.dhcpd4 = {
enable = true;
interfaces = [ "br0" ];
extraConfig = ''
option subnet-mask 255.255.255.0;
option routers 10.99.0.1;
option domain-name-servers 1.1.1.1, 8.8.8.8;
subnet 10.99.0.0 netmask 255.255.255.0 {
range 10.99.0.100 10.99.0.200;
}
'';
};
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; predicate = "-d 10.99.0.0/24 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 -i br0"; target = "ACCEPT"; }
{ v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
{ v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
{ v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
#TODO find out what this is about?
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
];
}

38
lass/2configs/IM.nix
View File

@ -1,38 +0,0 @@
with (import <stockholm/lib>);
{ config, lib, pkgs, ... }: let
weechat = pkgs.weechat.override {
configure = { availablePlugins, ... }: {
scripts = with pkgs.weechatScripts; [
weechat-matrix
];
};
};
tmux = "/run/current-system/sw/bin/tmux";
in {
imports = [
./bitlbee.nix
];
environment.systemPackages = [ weechat ];
systemd.services.chat = {
description = "chat environment setup";
environment.WEECHAT_HOME = "\$HOME/.weechat";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = false;
path = [
pkgs.rxvt-unicode-unwrapped.terminfo
];
serviceConfig = {
User = "lass";
RemainAfterExit = true;
Type = "oneshot";
ExecStart = "${tmux} -2 new-session -d -s IM ${weechat}/bin/weechat";
ExecStop = "${tmux} kill-session -t IM"; # TODO run save in weechat
};
};
}

20
lass/2configs/ableton.nix
View File

@ -1,20 +0,0 @@
{ config, pkgs, ... }: let
mainUser = config.users.extraUsers.mainUser;
in {
users.users= {
ableton = {
isNormalUser = true;
extraGroups = [
"audio"
"video"
];
packages = [
pkgs.wine
pkgs.winetricks
];
};
};
security.sudo.extraConfig = ''
${mainUser.name} ALL=(ableton) NOPASSWD: ALL
'';
}

134
lass/2configs/alacritty.nix
View File

@ -1,134 +0,0 @@
{ config, lib, pkgs, ... }: let
alacritty-cfg = extrVals: builtins.toJSON ({
font = let
family = "Iosevka Term SS15";
in {
normal = {
family = family;
style = "Regular";
};
bold = {
family = family;
style = "Bold";
};
italic = {
family = family;
style = "Italic";
};
bold_italic = {
family = family;
style = "Bold Italic";
};
size = 12;
};
live_config_reload = true;
window.dimensions = {
columns = 80;
lines = 20;
};
env.WINIT_X11_SCALE_FACTOR = "1.0";
# window.opacity = 0;
hints.enabled = [
{
regex = ''(mailto:|gemini:|gopher:|https:|http:|news:|file:|git:|ssh:|ftp:)[^\u0000-\u001F\u007F-\u009F<>"\s{-}\^`]+'';
command = "/run/current-system/sw/bin/xdg-open";
post_processing = true;
mouse.enabled = true;
binding = {
key = "U";
mods = "Alt";
};
}
];
} // extrVals);
alacritty = pkgs.symlinkJoin {
name = "alacritty";
paths = [
(pkgs.writeDashBin "alacritty" ''
${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml msg create-window "$@" ||
${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml "$@"
'')
pkgs.alacritty
];
};
in {
environment.etc = {
"themes/light/alacritty.yaml".text = alacritty-cfg {
colors = {
# Default colors
primary = {
# hard contrast: background = '#f9f5d7'
# background = "#fbf1c7";
background = "#f9f5d7";
# soft contrast: background = '#f2e5bc'
foreground = "#3c3836";
};
# Normal colors
normal = {
black = "#fbf1c7";
red = "#cc241d";
green = "#98971a";
yellow = "#d79921";
blue = "#458588";
magenta = "#b16286";
cyan = "#689d6a";
white = "#7c6f64";
};
# Bright colors
bright = {
black = "#928374";
red = "#9d0006";
green = "#79740e";
yellow = "#b57614";
blue = "#076678";
magenta = "#8f3f71";
cyan = "#427b58";
white = "#3c3836";
};
};
};
"themes/dark/alacritty.yaml".text = alacritty-cfg {
colors = {
# Default colors
primary = {
background = "0x000000";
foreground = "0xffffff";
};
cursor = {
text = "0xF81CE5";
cursor = "0xffffff";
};
# Normal colors
normal = {
black = "0x000000";
red = "0xfe0100";
green = "0x33ff00";
yellow = "0xfeff00";
blue = "0x0066ff";
magenta = "0xcc00ff";
cyan = "0x00ffff";
white = "0xd0d0d0";
};
# Bright colors
bright = {
black = "0x808080";
red = "0xfe0100";
green = "0x33ff00";
yellow = "0xfeff00";
blue = "0x0066ff";
magenta = "0xcc00ff";
cyan = "0x00ffff";
white = "0xFFFFFF";
};
};
};
};
environment.systemPackages = [ alacritty ];
}

39
lass/2configs/antimicrox/default.nix
View File

@ -1,39 +0,0 @@
{ config, lib, pkgs, ... }:
{
systemd.services.antimicrox = {
after = [ "display-manager.service" ];
wantedBy = [ "multi-user.target" ];
environment = {
DISPLAY = ":0";
};
serviceConfig = {
User = config.users.users.mainUser.name;
ExecStartPre = lib.singleton (pkgs.writeDash "init_state" "echo 0 > /tmp/gamepad.state");
ExecStart = "${pkgs.antimicrox}/bin/antimicrox --hidden --profile ${./mouse.gamecontroller.amgp}";
};
};
services.udev.extraRules = ''
KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_node=uinput"
'';
environment.systemPackages = [
pkgs.antimicrox
(pkgs.writers.writeDashBin "gamepad_mouse_disable" ''
echo 1 > /tmp/gamepad.state
${pkgs.antimicrox}/bin/antimicrox --profile ${./empty.gamecontroller.amgp}
'')
(pkgs.writers.writeDashBin "gamepad_mouse_enable" ''
echo 0 > /tmp/gamepad.state
${pkgs.antimicrox}/bin/antimicrox --profile ${./mouse.gamecontroller.amgp}
'')
(pkgs.writers.writeDashBin "gamepad_mouse_toggle" ''
state=$(${pkgs.coreutils}/bin/cat /tmp/gamepad.state)
if [ "$state" = 1 ]; then
/run/current-system/sw/bin/gamepad_mouse_enable
else
/run/current-system/sw/bin/gamepad_mouse_disable
fi
'')
];
}

20
lass/2configs/antimicrox/empty.gamecontroller.amgp
View File

@ -1,20 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<gamecontroller configversion="19" appversion="3.3.2">
<!--The SDL name for a joystick is included for informational purposes only.-->
<sdlname>XInput Controller</sdlname>
<!--The Unique ID for a joystick is included for informational purposes only.-->
<uniqueID>030000005e0400008e020000010100001118654</uniqueID>
<stickAxisAssociation index="2" xAxis="3" yAxis="4"/>
<stickAxisAssociation index="1" xAxis="1" yAxis="2"/>
<vdpadButtonAssociations index="1">
<vdpadButtonAssociation axis="0" button="12" direction="1"/>
<vdpadButtonAssociation axis="0" button="13" direction="4"/>
<vdpadButtonAssociation axis="0" button="14" direction="8"/>
<vdpadButtonAssociation axis="0" button="15" direction="2"/>
</vdpadButtonAssociations>
<names>
<controlstickname index="2">R Stick</controlstickname>
<controlstickname index="1">L Stick</controlstickname>
</names>
<sets/>
</gamecontroller>

281
lass/2configs/antimicrox/mouse.gamecontroller.amgp
View File

@ -1,281 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<gamecontroller configversion="19" appversion="3.3.2">
<!--The SDL name for a joystick is included for informational purposes only.-->
<sdlname>XInput Controller</sdlname>
<!--The Unique ID for a joystick is included for informational purposes only.-->
<uniqueID>030000005e0400008e020000010100001118654</uniqueID>
<stickAxisAssociation index="2" xAxis="3" yAxis="4"/>
<stickAxisAssociation index="1" xAxis="1" yAxis="2"/>
<vdpadButtonAssociations index="1">
<vdpadButtonAssociation axis="0" button="12" direction="1"/>
<vdpadButtonAssociation axis="0" button="13" direction="4"/>
<vdpadButtonAssociation axis="0" button="14" direction="8"/>
<vdpadButtonAssociation axis="0" button="15" direction="2"/>
</vdpadButtonAssociations>
<names>
<controlstickname index="2">Stick 2</controlstickname>
<controlstickname index="1">Stick 1</controlstickname>
</names>
<sets>
<set index="1">
<stick index="2">
<deadZone>1</deadZone>
<maxZone>29501</maxZone>
<modifierZone>1412</modifierZone>
<diagonalRange>90</diagonalRange>
<squareStick>100</squareStick>
<stickbutton index="1">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
<startaccelmultiplier>20</startaccelmultiplier>
<minaccelthreshold>3</minaccelthreshold>
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
<code>1</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="3">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
<startaccelmultiplier>20</startaccelmultiplier>
<minaccelthreshold>3</minaccelthreshold>
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
<code>4</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="2">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
</stickbutton>
<stickbutton index="5">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
<startaccelmultiplier>20</startaccelmultiplier>
<minaccelthreshold>3</minaccelthreshold>
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
<code>2</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="4">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
</stickbutton>
<stickbutton index="7">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
<startaccelmultiplier>20</startaccelmultiplier>
<minaccelthreshold>3</minaccelthreshold>
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
<code>3</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="6">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
</stickbutton>
<stickbutton index="8">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
</stickbutton>
</stick>
<stick index="1">
<deadZone>2578</deadZone>
<maxZone>30799</maxZone>
<stickbutton index="1">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
<code>4</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="3">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
<code>7</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="2">
<mouseacceleration>linear</mouseacceleration>
</stickbutton>
<stickbutton index="5">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
<code>5</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="4">
<mouseacceleration>linear</mouseacceleration>
</stickbutton>
<stickbutton index="7">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
<code>6</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
<stickbutton index="6">
<mouseacceleration>linear</mouseacceleration>
</stickbutton>
<stickbutton index="8">
<mouseacceleration>linear</mouseacceleration>
</stickbutton>
</stick>
<dpad index="1">
<dpadbutton index="12">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
</dpadbutton>
<dpadbutton index="1">
<wheelspeedx>10</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
<code>0x1000013</code>
<mode>keyboard</mode>
</slot>
</slots>
</dpadbutton>
<dpadbutton index="3">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
</dpadbutton>
<dpadbutton index="2">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
<code>0x1000014</code>
<mode>keyboard</mode>
</slot>
</slots>
</dpadbutton>
<dpadbutton index="4">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
<code>0x1000015</code>
<mode>keyboard</mode>
</slot>
</slots>
</dpadbutton>
<dpadbutton index="6">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
</dpadbutton>
<dpadbutton index="9">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
</dpadbutton>
<dpadbutton index="8">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
<code>0x1000012</code>
<mode>keyboard</mode>
</slot>
</slots>
</dpadbutton>
</dpad>
<trigger index="6">
<deadZone>2000</deadZone>
<throttle>positivehalf</throttle>
<triggerbutton index="1">
<mousespeedx>100</mousespeedx>
<mousespeedy>100</mousespeedy>
</triggerbutton>
<triggerbutton index="2">
<mousespeedx>100</mousespeedx>
<mousespeedy>100</mousespeedy>
<slots>
<slot>
<code>250</code>
<mode>mousespeedmod</mode>
</slot>
</slots>
</triggerbutton>
</trigger>
<trigger index="5">
<throttle>positivehalf</throttle>
</trigger>
<button index="11">
<slots>
<slot>
<code>1</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
<button index="2">
<slots>
<slot>
<code>3</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
<button index="1">
<slots>
<slot>
<code>1</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
<button index="4">
<slots>
<slot>
<code>0x1000004</code>
<mode>keyboard</mode>
</slot>
</slots>
</button>
<button index="3">
<slots>
<slot>
<code>2</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
<button index="5">
<slots>
<slot>
<code>1</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
</set>
</sets>
</gamecontroller>

10
lass/2configs/atuin-server.nix
View File

@ -1,10 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.atuin = {
enable = true;
host = "0.0.0.0";
maxHistoryLength = 1000000;
openFirewall = true;
};
}

16
lass/2configs/autotether.nix
View File

@ -1,16 +0,0 @@
{ config, lib, pkgs, ... }:
{
systemd.services.usb_tether = {
script = ''
${pkgs.android-tools}/bin/adb -s QV770FAMEK wait-for-device
${pkgs.android-tools}/bin/adb -s QV770FAMEK shell svc usb setFunctions rndis
'';
};
services.udev.extraRules = ''
ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="fce/320d/510", TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service"
'';
systemd.network.networks.android = {
matchConfig.Name = "enp0s20u1";
DHCP = "yes";
};
}

196
lass/2configs/baseX.nix
View File

@ -1,196 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
let
user = config.krebs.build.user;
in {
imports = [
./alacritty.nix
./mpv.nix
./power-action.nix
./urxvt.nix
./xdg-open.nix
./yubikey.nix
./pipewire.nix
./tmux.nix
./xmonad.nix
./themes.nix
./fonts.nix
{
users.users.mainUser.packages = [
pkgs.sshuttle
];
security.sudo.extraConfig = ''
lass ALL= (root) NOPASSWD:SETENV: ${pkgs.sshuttle}/bin/.sshuttle-wrapped
'';
}
{ #font magic
options.lass.fonts = {
regular = mkOption {
type = types.str;
default = "xft:Iosevka Term SS15:style=regular";
};
bold = mkOption {
type = types.str;
default = "xft:Iosevka Term SS15:style=bold";
};
italic = mkOption {
type = types.str;
default = "xft:Iosevka Term SS15:style=italic";
};
};
config.krebs.xresources.resources.X = ''
*.font: ${config.lass.fonts.regular}
*.boldFont: ${config.lass.fonts.bold}
*.italicFont: ${config.lass.fonts.italic}
'';
}
];
users.users.mainUser.extraGroups = [ "audio" "pipewire" "video" ];
time.timeZone = "Europe/Berlin";
programs.ssh.agentTimeout = "10m";
programs.ssh.startAgent = false;
services.openssh.forwardX11 = true;
environment.systemPackages = with pkgs; [
acpi
acpilight
ripgrep
cabal2nix
dic
dmenu
font-size
fzfmenu
gimp
gitAndTools.gh
git-crypt
git-preview
dconf
iodine
libarchive
lm_sensors
ncdu
nix-index
nixpkgs-review
nmap
pavucontrol
ponymix
powertop
rxvt-unicode
sshvnc
sxiv
nsxiv
taskwarrior
termite
transgui
wirelesstools
x11vnc
xclip
xephyrify
xorg.xmodmap
xorg.xhost
xdotool
xsel
zathura
flameshot
(pkgs.writeDashBin "screenshot" ''
set -efu
${pkgs.flameshot}/bin/flameshot gui &&
${pkgs.klem}/bin/klem
'')
(pkgs.writers.writeDashBin "IM" ''
${pkgs.mosh}/bin/mosh green.r -- tmux new-session -A -s IM -- weechat
'')
(pkgs.writers.writeDashBin "deploy_hm" ''
target=$1
shift
hm_profile=$(${pkgs.home-manager}/bin/home-manager -f ~/sync/stockholm/lass/2configs/home-manager.nix build "$@")
nix-copy-closure --to "$target" "$hm_profile"
ssh "$target" -- "$hm_profile"/activate
'')
zbar
];
services.udev.extraRules = ''
SUBSYSTEM=="backlight", ACTION=="add", \
RUN+="${pkgs.coreutils}/bin/chgrp video /sys/class/backlight/%k/brightness", \
RUN+="${pkgs.coreutils}/bin/chmod g+w /sys/class/backlight/%k/brightness"
'';
services.xserver = {
enable = true;
layout = "us";
display = mkForce 0;
xkbVariant = "altgr-intl";
xkbOptions = "caps:escape";
libinput.enable = true;
exportConfiguration = true;
displayManager = {
lightdm.enable = true;
defaultSession = "none+xmonad";
sessionCommands = ''
${pkgs.xorg.xhost}/bin/xhost +LOCAL:
'';
};
};
nixpkgs.config.packageOverrides = super: {
dmenu = pkgs.writeDashBin "dmenu" ''
${pkgs.fzfmenu}/bin/fzfmenu "$@"
'';
};
krebs.xresources.enable = true;
lass.klem = {
kpaste.script = pkgs.writeDash "kpaste-wrapper" ''
${pkgs.kpaste}/bin/kpaste \
| ${pkgs.coreutils}/bin/tail -1 \
| ${pkgs.coreutils}/bin/tr -d '\r\n'
'';
go = {
target = "STRING";
script = "${pkgs.goify}/bin/goify";
};
"go.lassul.us" = {
target = "STRING";
script = pkgs.writeDash "go.lassul.us" ''
export GO_HOST='go.lassul.us'
${pkgs.goify}/bin/goify
'';
};
qrcode = {
target = "image";
script = pkgs.writeDash "zbar" ''
${pkgs.zbar}/bin/zbarimg -q --raw -
'';
};
ocr = {
target = "image";
script = pkgs.writeDash "gocr" ''
${pkgs.netpbm}/bin/pngtopnm - \
| ${pkgs.gocr}/bin/gocr -
'';
};
};
services.clipmenu.enable = true;
# synchronize all the clipboards
systemd.user.services.autocutsel = {
enable = true;
wantedBy = [ "graphical-session.target" ];
after = [ "graphical-session.target" ];
serviceConfig = {
Type = "forking";
ExecStart = pkgs.writers.writeDash "autocutsel" ''
${pkgs.autocutsel}/bin/autocutsel -fork -selection PRIMARY
${pkgs.autocutsel}/bin/autocutsel -fork -selection CLIPBOARD
'';
};
};
}

57
lass/2configs/bgt-bot/bgt-check.sh
View File

@ -1,57 +0,0 @@
#!/bin/sh
# needs in path:
# curl gnugrep jq
# creates and manages $PWD/state
set -xeuf
send_reaktor(){
# usage: send_reaktor "text"
echo "send_reaktor: $1"
curl -fsS "http://localhost:$REAKTOR_PORT" \
-H content-type:application/json \
-d "$(jq -n \
--arg text "$1" \
--arg channel "$IRC_CHANNEL" \
'{
command:"PRIVMSG",
params:[$channel,$text]
}'
)"
}
live=$(shuf -n1 <<EOF
Binärgewitter Liveshow hat begonnen! http://stream.radiotux.de:8000/binaergewitter.mp3
EOF
)
offline=$(shuf -n1 <<EOF
Live stream vorbei
EOF
)
error=$(shuf -n1 <<EOF
something went wrong
EOF
)
if curl -Ss http://stream.radiotux.de:8000 | grep -q 'Mount Point /binaergewitter'; then
state='live'
else
state='offline'
fi
prevstate=$(cat state ||:)
if test "$state" == "$(cat state)";then
#echo "current and last state is the same ($state), doing nothing"
:
else
echo "API state and last state differ ( '$state' != '$prevstate')"
if test "$state" == 'live';then
send_reaktor "$live"
elif test "$state" == 'offline';then
send_reaktor "$offline"
else
send_reaktor "$error"
fi
echo 'updating state'
printf "%s" "$state" > state
fi

44
lass/2configs/bgt-bot/default.nix
View File

@ -1,44 +0,0 @@
{ config, lib, pkgs, ... }:
let
bot_port = "7654";
irc_channel = "#binaergewitter";
in
{
krebs.reaktor2.bgt-announce = {
hostname = "irc.libera.chat";
port = "6697";
nick = "bgt-announce";
API.listen = "inet://127.0.0.1:${bot_port}";
plugins = [
{
plugin = "register";
config = {
channels = [
irc_channel
];
};
}
];
};
systemd.services.check_bgt_show = {
startAt = "*:0/5";
environment = {
IRC_CHANNEL = irc_channel;
REAKTOR_PORT = bot_port;
};
path = with pkgs; [
curl
gnugrep
jq
];
script = builtins.readFile ./bgt-check.sh;
serviceConfig = {
DynamicUser = true;
StateDirectory = "bgt-announce";
WorkingDirectory = "/var/lib/bgt-announce";
PrivateTmp = true;
};
};
}

17
lass/2configs/binary-cache/client.nix
View File

@ -1,17 +0,0 @@
{ config, ... }:
{
nix = {
binaryCaches = [
"http://cache.prism.r"
"http://cache.neoprism.r"
"https://cache.nixos.org/"
];
binaryCachePublicKeys = [
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
"cache.prism-2:YwmCm3/s/D+SxrPKN/ETjlpw/219pNUbpnluatp6FKI="
"hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
];
};
}

13
lass/2configs/binary-cache/proxy.nix
View File

@ -1,13 +0,0 @@
{ config, lib, pkgs, ...}:
{
services.nginx = {
enable = true;
virtualHosts."cache.krebsco.de" = {
enableACME = true;
forceSSL = true;
locations."/".extraConfig = ''
proxy_pass http://cache.neoprism.r/;
'';
};
};
}

31
lass/2configs/binary-cache/server.nix
View File

@ -1,31 +0,0 @@
{ config, lib, pkgs, ...}:
{
# nixpkgs.config.packageOverrides = p: {
# nix-serve = p.haskellPackages.nix-serve-ng;
# };
# generate private key with:
# nix-store --generate-binary-cache-key my-secret-key my-public-key
services.nix-serve = {
enable = true;
secretKeyFile = toString <secrets> + "/nix-serve.key";
port = 5005;
};
services.nginx = {
enable = true;
virtualHosts.nix-serve = {
serverAliases = [ "cache.${config.networking.hostName}.r" ];
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
'';
locations."= /nix-cache-info".extraConfig = ''
alias ${pkgs.writeText "cache-info" ''
StoreDir: /nix/store
WantMassQuery: 1
Priority: 42
''};
'';
};
};
}

13
lass/2configs/bird.nix
View File

@ -1,13 +0,0 @@
{ config, ... }:
{
config.services.bird = {
enable = true;
config = ''
router id 192.168.122.1;
protocol device {
scan time 10;
}
'';
};
}

34
lass/2configs/bitcoin.nix
View File

@ -1,34 +0,0 @@
{ config, pkgs, ... }:
let
mainUser = config.users.extraUsers.mainUser;
in {
users.extraUsers = {
bitcoin = {
name = "bitcoin";
description = "user for bitcoin stuff";
home = "/home/bitcoin";
useDefaultShell = true;
createHome = true;
packages = [ pkgs.electrum ];
isNormalUser = true;
};
monero = {
name = "monero";
description = "user for monero stuff";
home = "/home/monero";
useDefaultShell = true;
createHome = true;
packages = [
pkgs.monero
pkgs.monero-gui
];
isNormalUser = true;
};
};
security.sudo.extraConfig = ''
${mainUser.name} ALL=(bitcoin) ALL
${mainUser.name} ALL=(monero) ALL
'';
}

34
lass/2configs/bitlbee.nix
View File

@ -1,34 +0,0 @@
with (import <stockholm/lib>);
{ config, lib, pkgs, ... }:
{
services.bitlbee = {
enable = true;
portNumber = 6666;
plugins = [
pkgs.bitlbee-facebook
pkgs.bitlbee-steam
pkgs.bitlbee-discord
];
libpurple_plugins = [
# pkgs.telegram-purple
# pkgs.tdlib-purple
# pkgs.purple-gowhatsapp
];
configDir = "/var/state/bitlbee";
};
systemd.services.bitlbee.serviceConfig = {
ExecStartPre = [
"+${pkgs.writeDash "setup-bitlbee" ''
${pkgs.coreutils}/bin/chown bitlbee:bitlbee /var/state/bitlbee || :
''}"
];
ReadWritePaths = [
"/var/state/bitlbee"
];
};
systemd.tmpfiles.rules = [
"d /var/state/bitlbee 0700 - - -"
];
}

116
lass/2configs/blue-host.nix
View File

@ -1,116 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
all_hosts = [
"icarus"
"shodan"
"daedalus"
"skynet"
"prism"
"littleT"
];
remote_hosts = filter (h: h != config.networking.hostName) all_hosts;
in {
imports = [
<stockholm/lass/2configs/container-networking.nix>
{ #hack for already defined
systemd.services."container@blue".reloadIfChanged = mkForce false;
systemd.services."container@blue".preStart = ''
${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
'';
systemd.services."container@blue".preStop = ''
/run/wrappers/bin/fusermount -u /var/lib/containers/blue
'';
}
];
system.activationScripts.containerPermissions = ''
mkdir -p /var/lib/containers
chmod 711 /var/lib/containers
'';
containers.blue = {
config = { ... }: {
environment.systemPackages = [
pkgs.git
pkgs.rxvt-unicode-unwrapped.terminfo
];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.9";
localAddress = "10.233.2.10";
};
#systemd.services = builtins.listToAttrs (map (host:
# let
# in nameValuePair "sync-blue-${host}" {
# bindsTo = [ "container@blue.service" ];
# wantedBy = [ "container@blue.service" ];
# # ssh needed for rsync
# path = [ pkgs.openssh ];
# serviceConfig = {
# Restart = "always";
# RestartSec = 10;
# ExecStart = pkgs.writeDash "sync-blue-${host}" ''
# set -efu
# #make sure blue is running
# /run/wrappers/bin/ping -c1 blue.r > /dev/null
# #make sure the container is unlocked
# ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
# #make sure our target is reachable
# ${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
# #start sync
# ${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
# settings {
# nodaemon = true,
# inotifyMode = "CloseWrite or Modify",
# }
# sync {
# default.rsyncssh,
# source = "/var/lib/containers/.blue",
# host = "${host}.r",
# targetdir = "/var/lib/containers/.blue",
# rsync = {
# archive = true,
# owner = true,
# group = true,
# };
# ssh = {
# binary = "${pkgs.openssh}/bin/ssh";
# identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
# },
# }
# ''}
# '';
# };
# unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
# }
#) remote_hosts);
environment.systemPackages = [
(pkgs.writeDashBin "start-blue" ''
set -ef
if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then
${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue
fi
nixos-container start blue
nixos-container run blue -- nixos-rebuild -I /var/src dry-build
if ping -c1 blue.r >/dev/null; then
echo 'blue is already running. bailing out'
exit 23
fi
nixos-container run blue -- nixos-rebuild -I /var/src switch
'')
];
}

33
lass/2configs/blue.nix
View File

@ -1,33 +0,0 @@
with (import <stockholm/lib>);
{ config, lib, pkgs, ... }:
{
imports = [
./mail.nix
./pass.nix
];
environment.systemPackages = with pkgs; [
dic
nmap
git-preview
l-gen-secrets
];
services.tor.enable = true;
services.tor.client.enable = true;
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
{ predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";}
{ predicate = "-i retiolum -p tcp --dport 9998:9999"; target = "ACCEPT";}
{ predicate = "-i wiregrill -p tcp --dport 9998:9999"; target = "ACCEPT";}
{ predicate = "-i retiolum -p tcp --dport imap"; target = "ACCEPT";}
{ predicate = "-i wiregrill -p tcp --dport imap"; target = "ACCEPT";}
];
services.dovecot2 = {
enable = true;
mailLocation = "maildir:~/Maildir";
};
}

10
lass/2configs/boot/coreboot.nix
View File

@ -1,10 +0,0 @@
{ ... }:
{
boot = {
loader.grub.enable = true;
loader.grub.version = 2;
loader.grub.device = "/dev/sda";
loader.grub.efiSupport = true;
};
}

8
lass/2configs/boot/stock-x220.nix
View File

@ -1,8 +0,0 @@
{ ... }:
{
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
}

11
lass/2configs/boot/universal.nix
View File

@ -1,11 +0,0 @@
{ ... }:
{
boot = {
loader.grub.enable = true;
loader.grub.version = 2;
loader.grub.device = "/dev/sda";
loader.grub.efiSupport = true;
loader.grub.efiInstallAsRemovable = true;
};
}

51
lass/2configs/br.nix
View File

@ -1,51 +0,0 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: {
imports = [
<nixpkgs/nixos/modules/services/hardware/sane_extra_backends/brscan4.nix>
];
krebs.nixpkgs.allowUnfreePredicate = pkg: any (eq (packageName pkg)) [
"brother-udev-rule-type1"
"brscan4"
"brscan4-etc-files"
"mfcl2700dnlpr"
];
hardware.sane = {
enable = true;
brscan4 = {
enable = true;
netDevices = {
bra = {
model = "MFCL2700DN";
ip = "10.42.0.4";
};
};
};
};
services.saned.enable = true;
# usage: scanimage -d "$(find-scanner bra)" --batch --format=tiff --resolution 150 -x 211 -y 298
environment.systemPackages = [
(pkgs.writeDashBin "find-scanner" ''
set -efu
name=$1
${pkgs.sane-backends}/bin/scanimage -f '%m %d
' \
| ${pkgs.gawk}/bin/awk -v dev="*$name" '$1 == dev { print $2; exit }' \
| ${pkgs.gnugrep}/bin/grep .
'')
];
services.printing = {
enable = true;
drivers = [
pkgs.mfcl2700dncupswrapper
];
};
users.users.mainUser.extraGroups = [ "scanner" "lp" ];
}

8
lass/2configs/browsers.nix
View File

@ -1,8 +0,0 @@
{ config, lib, pkgs, ... }:
{
programs.firefox.nativeMessagingHosts.tridactyl = true;
environment.variables.BROWSER = "${pkgs.firefox}/bin/firefox";
environment.systemPackages = [
pkgs.firefox-devedition
];
}

115
lass/2configs/c-base.nix
View File

@ -1,115 +0,0 @@
{ config, lib, pkgs, ... }:
let
in {
environment.systemPackages = [
pkgs.cifs-utils
];
systemd.network.networks.c-base = {
matchConfig.Name = "c-base";
networkConfig = {
IgnoreCarrierLoss = "3s";
KeepConfiguration = "static";
DNS = "10.0.1.254";
Domains = "cbrp3.c-base.org";
};
routes = [
{ routeConfig = {
Destination = "10.0.0.0/23";
Gateway = "172.31.77.1";
};}
{ routeConfig = {
Destination = "91.102.9.99/32"; # vorstand.c-base.org
Gateway = "172.31.77.1";
};}
];
};
services.openvpn.servers.c-base = {
config = ''
remote vpn.ext.c-base.org 1194
verify-x509-name vpn.ext.c-base.org name
client
proto udp
dev-type tun
dev c-base
resolv-retry infinite
nobind
# user openvpn
# group openvpn
persist-key
persist-tun
comp-lzo
# register-dns
# block-outside-dns
script-security 2
auth-user-pass ${toString <secrets/cbase.txt>}
#auth-user-pass
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
54a66ed1048bed7508703347e89d68d6
5586e6a5d1218cf8675941031d540be6
993e07200a16ad3b770b659932ee71e5
f8080b5c9fa2acb3893abd40fad2552c
fdaf17565e617ae450efcccf5652dca5
a16419509024b075941098731eb25ac0
a64f963ece3dca1d2a64a9c5e17839d7
5b5080165a9b2dc90ef111879d7d3173
2d1027ae42d869394aca08da4472a9d0
6b724b4ed43a957feef7d6dfc86da241
74828fa0e1240941586f0d937cac32fc
13cc81e7bed58817353d6afaff7e6a26
4f9cc086af79c1cdca660d86e18cff96
69dd3d392caf09a468894a8504f4cc7c
7ae0072e6d9ad90b166ad13a39c57b3c
3a869e27a1d89deb161c255227551713
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
MIIGsDCCBJigAwIBAgIJAPkM1l2zA306MA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
VQQGEwJERTEPMA0GA1UEBxMGQmVybGluMRswGQYDVQQLExJ2cG4uZXh0LmMtYmFz
ZS5vcmcxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEbMBkGA1UEKRMSdnBu
LmV4dC5jLWJhc2Uub3JnMR8wHQYJKoZIhvcNAQkBFhBhZG1heEBjLWJhc2Uub3Jn
MB4XDTE2MDcwOTE4MjkyMFoXDTI2MDcxMDE4MjkyMFowgZYxCzAJBgNVBAYTAkRF
MQ8wDQYDVQQHEwZCZXJsaW4xGzAZBgNVBAsTEnZwbi5leHQuYy1iYXNlLm9yZzEb
MBkGA1UEAxMSdnBuLmV4dC5jLWJhc2Uub3JnMRswGQYDVQQpExJ2cG4uZXh0LmMt
YmFzZS5vcmcxHzAdBgkqhkiG9w0BCQEWEGFkbWF4QGMtYmFzZS5vcmcwggIiMA0G
CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXEs+uWCXLNmm+lgP9x7u3FqWa4pPI
h64c6EWIULMATrhEw+Ej4fpCXwU9otFaO04fAeJmZGkDcnAYdBDiCeI0luOSdj44
Bg9KecSei/TskqjhDVnEBp65hiz0rZE6c1baPdLYmD5xrXWb3i0zrlBYFawuL6C2
lwVCEm3cadvkDJ2DleMuu3NblV8ViIDN0HZqzJNP72g1I0MgohkpetACXlf7MzQV
PFHfzvb04Rj2lJ8BDhceQ0WmjtVV/Ag6nka5oi954OeHMujRuH+rZYiQZDZpJLHK
Kh1KWTVlWPRy+AvCi9lweDWSmLccq7Ug4xMtDF4I5qW3tjCd0xqpZ21Xmo2JyKtY
4h8wEDPqiJvgwvkXsH17GLn5ZxiMcQuRJQYZqJephkzR9uccJeWSS76kwm/vLqG3
+eORlYnyjiNXtiMIhmAEFjpWUrGH8v4CijpUNP6E63ynGrRVXK684YQXkqL+xPAt
t6dsMBUwf94a2S1o2kgvuRCim1wlHvf1QsHrO/Hwgpzc8no/daWL+Z9Rq9okTHNK
nc1G5dv8TkmxIDYnLm07QMzzBoOT36BcGtkEBA+0xhQlX5PyQdM5/jnZVhdSBmoP
MbZXPoU/gJAIuuBuwdTlgCzYf44/9/YU/AnW8eLrbhm9KtMtoMpatrWorKqk/GPv
/lGNRQuNffrbiQIDAQABo4H+MIH7MB0GA1UdDgQWBBTf5cYbK+KCF9u9aobFlLbu
ilwX4jCBywYDVR0jBIHDMIHAgBTf5cYbK+KCF9u9aobFlLbuilwX4qGBnKSBmTCB
ljELMAkGA1UEBhMCREUxDzANBgNVBAcTBkJlcmxpbjEbMBkGA1UECxMSdnBuLmV4
dC5jLWJhc2Uub3JnMRswGQYDVQQDExJ2cG4uZXh0LmMtYmFzZS5vcmcxGzAZBgNV
BCkTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJARYQYWRtYXhAYy1i
YXNlLm9yZ4IJAPkM1l2zA306MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQAD
ggIBAMs1moiS7UZ4neOivQjqwKrBbm1j3tgmPLhDfNMmXYarGhnBGAlLxLAQWtG+
Fnbx8KcsJnrsWcGfZcst1z45S4a5oBdVNKOfgkMOG0glZorIDO8Odrb51rpyzU0v
0wcNumMNWhkFuo2OTBHPnnJIWEAFwwCCSCL0I0hQxxoaV36kphjuIwzrMJhd+XAT
24En58cNp6sPRDd+FzOH08uFINevyzKWYxkMgVj+e3fbuiyOB8RqvndKvtfBBcpB
cCO86lGnj/ETMDciTczUShxaMn9wV1zr1KH1xvT3ohUeOcQZGbGTcjG4mxlns8ZO
U5J3Yrcd1eMfJq9Bwd3zPsTLnT8LwIS8vfYRav9b34XdqcBG73dhrjsicMK0Qy0z
Qz7vKJzcvrEnKuaMyB3mCxz/UvbNc2Bupwm4FmzN5eFjDs+7paYFdfOzqMjoRP+8
bcXSqDN5P2eUd7cdsZXaFNcsf1FkWlE3GudVBOmNJqz9zBab/T5J+l4Z90Pd6OUX
GNozEvLhcJkvPKA526TegHTGC8hMquxKc9tpOzNRqZJMFa+UG1mgMrMepRmM/B3s
QrKI1C11iCVYfb9J0tQUkfENHMx4J7mG2DZAhnKWQDU2awM41qU4A7aBYaJvDPnQ
RRcbaT0D794lKUQwH/mZuyKzF22oZNk1o1TV2SaFXqgX5tDt
-----END CERTIFICATE-----
</ca>
'';
};
}

20
lass/2configs/ciko.nix
View File

@ -1,20 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
users.users.ciko = {
uid = genid_uint31 "ciko";
description = "acc for ciko";
home = "/home/ciko";
useDefaultShell = true;
createHome = true;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTUWm/fISw/gbuHvf3kwxGEuk1aY5HrNNvr8QXCQv0khDdaYmZSELbtFQtE04WGTWmackNcLpld5mETVyCM0BjOgqMJYQNhtywxfYcodEY5xxHCuGgA3S1t94MZub+DRodXCfB0yUV85Wbb0sltkMTJufMwYmLEGxSLRukxAOcNsXdjlyro96csmYrIiV6R7+REnz8OcR7sKlI4tvKA1mbvWmjbDBd1MZ8Jc0Lwf+b0H/rH69wEQIcB5HRHHJIChoAk0t2azSjXagk1+4AebONZTCKvTHxs/D2wUBIzoxyjmh5S0aso/cKw8qpKcl/A2mZiIvW3KMlJAM5U+RQKMrr"
];
isNormalUser = true;
};
system.activationScripts.user-shadow = ''
${pkgs.coreutils}/bin/chmod +x /home/ciko
'';
}

70
lass/2configs/codimd.nix
View File

@ -1,70 +0,0 @@
{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
let
domain = "pad.lassul.us";
in
{
# redirect legacy domain to new one
services.nginx.virtualHosts."codi.lassul.us" = {
enableACME = true;
addSSL = true;
locations."/".return = "301 https://${domain}\$request_uri";
};
services.nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://localhost:3091";
proxyWebsockets = true;
};
};
security.acme.certs.${domain}.group = "hedgecert";
users.groups.hedgecert.members = [ "hedgedoc" "nginx" ];
security.dhparams = {
enable = true;
params.hedgedoc = { };
};
systemd.services.hedgedoc.environment = {
CMD_COOKIE_POLICY = "none";
CMD_CSP_ALLOW_FRAMING = "true";
};
services.borgbackup.jobs.hetzner.paths = [
"/var/backup"
"/var/lib/hedgedoc"
];
systemd.services.hedgedoc-backup = {
startAt = "daily";
serviceConfig = {
ExecStart = ''${pkgs.sqlite}/bin/sqlite3 /var/lib/hedgedoc/db.hedgedoc.sqlite ".backup /var/backup/hedgedoc/backup.sq3"'';
Type = "oneshot";
};
};
services.hedgedoc = {
enable = true;
configuration.allowOrigin = [ domain ];
settings = {
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
useCDN = false;
port = 3091;
domain = domain;
allowFreeURL = true;
useSSL = true;
protocolUseSSL = true;
sslCAPath = [ "/etc/ssl/certs/ca-certificates.crt" ];
sslCertPath = "/var/lib/acme/${domain}/cert.pem";
sslKeyPath = "/var/lib/acme/${domain}/key.pem";
dhParamPath = config.security.dhparams.params.hedgedoc.path;
};
};
}

40
lass/2configs/consul.nix
View File

@ -1,40 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.consul = {
enable = true;
# dropPrivileges = false;
webUi = true;
# interface.bind = "retiolum";
extraConfig = {
bind_addr = config.krebs.build.host.nets.retiolum.ip4.addr;
bootstrap_expect = 3;
server = true;
# retry_join = config.services.consul.extraConfig.start_join;
retry_join = lib.mapAttrsToList (n: h:
lib.head h.nets.retiolum.aliases
) (lib.filterAttrs (n: h: h.consul) config.krebs.hosts);
rejoin_after_leave = true;
# try to fix random lock loss on leader reelection
retry_interval = "3s";
};
};
environment.etc."consul.d/testservice.json".text = builtins.toJSON {
service = {
name = "testing";
};
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 8300"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8301"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 8301"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8302"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 8302"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8400"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8500"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 8600"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 8500"; target = "ACCEPT"; }
];
}

22
lass/2configs/container-networking.nix
View File

@ -1,22 +0,0 @@
{ lib, ... }:
{
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; predicate = "-d 10.233.2.0/24 -o ve-+ -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 -i ve-+"; target = "ACCEPT"; }
{ v6 = false; predicate = "-i ve-+ -o ve-+"; target = "ACCEPT"; }
{ v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [
{ v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 255.255.255.255"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24"; target = "MASQUERADE"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
];
boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;
}

37
lass/2configs/copyq.nix
View File

@ -1,37 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
let
copyqConfig = pkgs.writeDash "copyq-config" ''
${pkgs.copyq}/bin/copyq config check_clipboard true
${pkgs.copyq}/bin/copyq config check_selection true
${pkgs.copyq}/bin/copyq config copy_clipboard true
${pkgs.copyq}/bin/copyq config copy_selection true
${pkgs.copyq}/bin/copyq config activate_closes true
${pkgs.copyq}/bin/copyq config clipboard_notification_lines 0
${pkgs.copyq}/bin/copyq config clipboard_tab \&clipboard
${pkgs.copyq}/bin/copyq config disable_tray true
${pkgs.copyq}/bin/copyq config hide_tabs true
${pkgs.copyq}/bin/copyq config hide_toolbar true
${pkgs.copyq}/bin/copyq config item_popup_interval true
${pkgs.copyq}/bin/copyq config maxitems 1000
${pkgs.copyq}/bin/copyq config move true
${pkgs.copyq}/bin/copyq config text_wrap true
'';
in {
systemd.user.services.copyq = {
wantedBy = [ "graphical-session.target" ];
requires = [ "xmonad.service" ];
environment = {
DISPLAY = ":${toString config.services.xserver.display}";
};
serviceConfig = {
SyslogIdentifier = "copyq";
ExecStart = "${pkgs.copyq}/bin/copyq";
ExecStartPost = copyqConfig;
Restart = "always";
RestartSec = "15s";
StartLimitBurst = 0;
};
};
}

249
lass/2configs/default.nix
View File

@ -1,249 +0,0 @@
with import <stockholm/lib>;
{ config, pkgs, ... }:
{
imports = [
./binary-cache/client.nix
./gc.nix
./mc.nix
./vim.nix
./zsh.nix
./htop.nix
<stockholm/krebs/2configs/security-workarounds.nix>
./wiregrill.nix
./tmux.nix
./tor-ssh.nix
./networkd.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
(import <secrets/hashedPasswords.nix>);
}
{
users.extraUsers = {
root = {
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
config.krebs.users.lass-blue.pubkey
config.krebs.users.lass-green.pubkey
];
};
mainUser = {
name = "lass";
uid = 1337;
home = "/home/lass";
group = "users";
createHome = true;
useDefaultShell = true;
isNormalUser = true;
extraGroups = [
"audio"
"video"
"fuse"
"wheel"
"tor"
];
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
config.krebs.users.lass-blue.pubkey
config.krebs.users.lass-green.pubkey
];
};
};
}
{
environment.variables = {
NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
};
}
(let ca-bundle = "/etc/ssl/certs/ca-bundle.crt"; in {
environment.variables = {
CURL_CA_BUNDLE = ca-bundle;
GIT_SSL_CAINFO = ca-bundle;
SSL_CERT_FILE = ca-bundle;
};
})
{
#for sshuttle
environment.systemPackages = [
pkgs.python3Packages.python
];
}
];
networking.hostName = config.krebs.build.host.name;
krebs = {
enable = true;
build.user = config.krebs.users.lass;
ssl.trustIntermediate = true;
};
nix.useSandbox = true;
users.mutableUsers = false;
services.timesyncd.enable = mkForce true;
# multiple-definition-problem when defining environment.variables.EDITOR
environment.extraInit = ''
EDITOR=vim
'';
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
#stockholm
deploy
git
git-absorb
git-preview
gnumake
jq
nix-output-monitor
#style
rxvt-unicode-unwrapped.terminfo
alacritty.terminfo
#monitoring tools
htop
iotop
#network
iptables
iftop
tcpdump
mosh
eternal-terminal
sshify
#stuff for dl
aria2
#neat utils
file
hashPassword
kpaste
cyberlocker-tools
pciutils
pop
q
rs
untilport
(pkgs.writeDashBin "urgent" ''
printf '\a'
'')
usbutils
logify
goify
#unpack stuff
libarchive
(pkgs.writeDashBin "sshn" ''
${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"
'')
];
environment.shellAliases = {
ll = "ls -l";
la = "ls -la";
ls = "ls --color";
ip = "ip -color=auto";
grep = "grep --color=auto";
};
programs.bash = {
enableCompletion = true;
interactiveShellInit = ''
HISTCONTROL='erasedups:ignorespace'
HISTSIZE=65536
HISTFILESIZE=$HISTSIZE
shopt -s checkhash
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
complete -d cd
LS_COLORS=$LS_COLORS:'di=1;31:' ; export LS_COLORS
'';
promptInit = ''
if test $UID = 0; then
PS1='\[\033[1;31m\]\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
elif test $UID = 1337; then
PS1='\[\033[1;32m\]\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $PWD\007"'
else
PS1='\[\033[1;33m\]\u@\w\[\033[0m\] '
PROMPT_COMMAND='echo -ne "\033]0;$$ $USER@$PWD\007"'
fi
if test -n "$SSH_CLIENT"; then
PS1='\[\033[35m\]\h'" $PS1"
PROMPT_COMMAND='echo -ne "\033]0;$$ $HOSTNAME $USER@$PWD\007"'
fi
'';
};
services.openssh.enable = true;
services.journald.extraConfig = ''
SystemMaxUse=1G
RuntimeMaxUse=128M
Storage=persistent
'';
krebs.iptables = {
enable = true;
tables = {
nat.PREROUTING.rules = [
{ predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
{ predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; }
{ predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; }
];
nat.OUTPUT.rules = [
{ predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; }
];
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = mkMerge [
(mkBefore [
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ predicate = "-p icmp"; target = "ACCEPT"; }
{ predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; }
{ predicate = "-i lo"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
])
(mkOrder 1000 [
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; }
])
(mkAfter [
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; }
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; }
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; }
])
];
};
};
networking.dhcpcd.extraConfig = ''
noipv4ll
'';
networking.extraHosts = ''
10.42.0.1 styx.gg23
'';
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
# use 24:00 time format, the default got sneakily changed around 20.03
i18n.defaultLocale = mkDefault "C.UTF-8";
time.timeZone = mkDefault"Europe/Berlin";
# disable doc usually
documentation.nixos.enable = mkDefault false;
}

6
lass/2configs/docker.nix
View File

@ -1,6 +0,0 @@
{ pkgs, lib, config, ... }:
{
systemd.services.krebs-iptables.serviceConfig.ExecStartPost = pkgs.writeDash "kick_docker" ''
${pkgs.systemd}/bin/systemctl restart docker.service
'';
}

277
lass/2configs/dunst.nix
View File

@ -1,277 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
let
dunstConfig = pkgs.writeText "dunst-config" ''
[global]
font = Iosevka Term 11
# Allow a small subset of html markup:
# <b>bold</b>
# <i>italic</i>
# <s>strikethrough</s>
# <u>underline</u>
#
# For a complete reference see
# <http://developer.gnome.org/pango/stable/PangoMarkupFormat.html>.
# If markup is not allowed, those tags will be stripped out of the
# message.
markup = yes
plain_text = no
# The format of the message. Possible variables are:
# %a appname
# %s summary
# %b body
# %i iconname (including its path)
# %I iconname (without its path)
# %p progress value if set ([ 0%] to [100%]) or nothing
# Markup is allowed
format = "%a\n<b>%s</b>\n%b"
# Sort messages by urgency.
sort = yes
# Show how many messages are currently hidden (because of geometry).
indicate_hidden = yes
# Alignment of message text.
# Possible values are "left", "center" and "right".
alignment = center
# The frequency with wich text that is longer than the notification
# window allows bounces back and forth.
# This option conflicts with "word_wrap".
# Set to 0 to disable.
bounce_freq = 0
# Show age of message if message is older than show_age_threshold
# seconds.
# Set to -1 to disable.
show_age_threshold = 1
# Split notifications into multiple lines if they don't fit into
# geometry.
word_wrap = yes
# Ignore newlines '\n' in notifications.
ignore_newline = no
# Hide duplicate's count and stack them
stack_duplicates = yes
hide_duplicates_count = no
# The geometry of the window:
# [{width}]x{height}[+/-{x}+/-{y}]
# The geometry of the message window.
# The height is measured in number of notifications everything else
# in pixels. If the width is omitted but the height is given
# ("-geometry x2"), the message window expands over the whole screen
# (dmenu-like). If width is 0, the window expands to the longest
# message displayed. A positive x is measured from the left, a
# negative from the right side of the screen. Y is measured from
# the top and down respectevly.
# The width can be negative. In this case the actual width is the
# screen width minus the width defined in within the geometry option.
geometry = "500x10-0+0"
# Shrink window if it's smaller than the width. Will be ignored if
# width is 0.
shrink = no
# The transparency of the window. Range: [0; 100].
# This option will only work if a compositing windowmanager is
# present (e.g. xcompmgr, compiz, etc.).
# transparency = 5
# Don't remove messages, if the user is idle (no mouse or keyboard input)
# for longer than idle_threshold seconds.
# Set to 0 to disable.
idle_threshold = 0
# Which monitor should the notifications be displayed on.
monitor = keyboard
# Display notification on focused monitor. Possible modes are:
# mouse: follow mouse pointer
# keyboard: follow window with keyboard focus
# none: don't follow anything
#
# "keyboard" needs a windowmanager that exports the
# _NET_ACTIVE_WINDOW property.
# This should be the case for almost all modern windowmanagers.
#
# If this option is set to mouse or keyboard, the monitor option
# will be ignored.
follow = none
# Should a notification popped up from history be sticky or timeout
# as if it would normally do.
sticky_history = yes
# Maximum amount of notifications kept in history
history_length = 15
# Display indicators for URLs (U) and actions (A).
show_indicators = no
# The height of a single line. If the height is smaller than the
# font height, it will get raised to the font height.
# This adds empty space above and under the text.
line_height = 3
# Draw a line of "separatpr_height" pixel height between two
# notifications.
# Set to 0 to disable.
separator_height = 1
# Padding between text and separator.
padding = 1
# Horizontal padding.
horizontal_padding = 1
# Define a color for the separator.
# possible values are:
# * auto: dunst tries to find a color fitting to the background;
# * foreground: use the same color as the foreground;
# * frame: use the same color as the frame;
# * anything else will be interpreted as a X color.
separator_color = frame
# Print a notification on startup.
# This is mainly for error detection, since dbus (re-)starts dunst
# automatically after a crash.
startup_notification = true
# dmenu path.
dmenu = ${pkgs.dmenu}/bin/dmenu -p dunst:
# Browser for opening urls in context menu.
browser = /usr/bin/firefox -new-tab
# Align icons left/right/off
icon_position = off
max_icon_size = 80
# Paths to default icons.
icon_folders = /usr/share/icons/Paper/16x16/mimetypes/:/usr/share/icons/Paper/48x48/status/:/usr/share/icons/Paper/16x16/devices/:/usr/share/icons/Paper/48x48/notifications/:/usr/share/icons/Paper/48x48/emblems/
frame_width = 2
frame_color = "#8EC07C"
[shortcuts]
# Shortcuts are specified as [modifier+][modifier+]...key
# Available modifiers are "ctrl", "mod1" (the alt-key), "mod2",
# "mod3" and "mod4" (windows-key).
# Xev might be helpful to find names for keys.
# Close notification.
close = ctrl+space
# Close all notifications.
close_all = ctrl+shift+space
# Redisplay last message(s).
# On the US keyboard layout "grave" is normally above TAB and left
# of "1".
history = ctrl+grave
# Context menu.
context = mod4+u
[urgency_low]
# IMPORTANT: colors have to be defined in quotation marks.
# Otherwise the "#" and following would be interpreted as a comment.
frame_color = "#3B7C87"
foreground = "#3B7C87"
background = "#191311"
#background = "#2B313C"
timeout = 1
[urgency_normal]
frame_color = "#5B8234"
foreground = "#5B8234"
background = "#191311"
#background = "#2B313C"
timeout = 1
[urgency_critical]
frame_color = "#B7472A"
foreground = "#B7472A"
background = "#191311"
#background = "#2B313C"
timeout = 1
# Every section that isn't one of the above is interpreted as a rules to
# override settings for certain messages.
# Messages can be matched by "appname", "summary", "body", "icon", "category",
# "msg_urgency" and you can override the "timeout", "urgency", "foreground",
# "background", "new_icon" and "format".
# Shell-like globbing will get expanded.
#
# SCRIPTING
# You can specify a script that gets run when the rule matches by
# setting the "script" option.
# The script will be called as follows:
# script appname summary body icon urgency
# where urgency can be "LOW", "NORMAL" or "CRITICAL".
#
# NOTE: if you don't want a notification to be displayed, set the format
# to "".
# NOTE: It might be helpful to run dunst -print in a terminal in order
# to find fitting options for rules.
#[espeak]
# summary = "*"
# script = dunst_espeak.sh
#[script-test]
# summary = "*script*"
# script = dunst_test.sh
#[ignore]
# # This notification will not be displayed
# summary = "foobar"
# format = ""
#[signed_on]
# appname = Pidgin
# summary = "*signed on*"
# urgency = low
#
#[signed_off]
# appname = Pidgin
# summary = *signed off*
# urgency = low
#
#[says]
# appname = Pidgin
# summary = *says*
# urgency = critical
#
#[twitter]
# appname = Pidgin
# summary = *twitter.com*
# urgency = normal
#
# vim: ft=cfg
'';
in {
systemd.user.services.dunst = {
wantedBy = [ "graphical-session.target" ];
requires = [ "xmonad.service" ];
environment = {
DISPLAY = ":${toString config.services.xserver.display}";
};
serviceConfig = {
SyslogIdentifier = "dunst";
ExecStart = "${pkgs.dunst}/bin/dunst -conf ${dunstConfig}";
Restart = "always";
RestartSec = "15s";
StartLimitBurst = 0;
};
};
}

24
lass/2configs/elster.nix
View File

@ -1,24 +0,0 @@
{ config, pkgs, ... }:
let
mainUser = config.users.extraUsers.mainUser;
in {
users.extraUsers = {
elster = {
name = "elster";
description = "user for running elster-online";
home = "/home/elster";
useDefaultShell = true;
extraGroups = [];
createHome = true;
isNormalUser = true;
};
};
krebs.per-user.elster.packages = [
pkgs.chromium
];
security.sudo.extraConfig = ''
${mainUser.name} ALL=(elster) NOPASSWD: ALL
'';
}

7
lass/2configs/et-server.nix
View File

@ -1,7 +0,0 @@
{ config, lib, pkgs, ... }:
{
services.eternal-terminal = {
enable = true;
};
networking.firewall.allowedTCPPorts = [ config.services.eternal-terminal.port ];
}

15
lass/2configs/exim-retiolum.nix
View File

@ -1,15 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
krebs.exim-retiolum = {
enable = true;
system-aliases = [
{ from = "root"; to = "lass"; }
];
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
];
}

62
lass/2configs/exim-smarthost.nix
View File

@ -1,62 +0,0 @@
{ config, lib, pkgs, ... }: with import <stockholm/lib>; let
to = concatStringsSep "," [
"lass@green.r"
];
mails = import <secrets/mails.nix>;
in {
environment.systemPackages = [ pkgs.review-mail-queue ];
krebs.exim-smarthost = {
enable = true;
dkim = [
{ domain = "lassul.us"; }
];
ssl_cert = "/var/lib/acme/mail.lassul.us/fullchain.pem";
ssl_key = "/var/lib/acme/mail.lassul.us/key.pem";
primary_hostname = "lassul.us";
sender_domains = [
"lassul.us"
];
relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [
config.krebs.hosts.aergia
config.krebs.hosts.blue
config.krebs.hosts.coaxmetal
config.krebs.hosts.green
config.krebs.hosts.mors
config.krebs.hosts.xerxes
];
internet-aliases = map (from: { inherit from to; }) mails ++ [
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
{ from = "postmaster"; to = "root"; }
{ from = "nobody"; to = "root"; }
{ from = "hostmaster"; to = "root"; }
{ from = "usenet"; to = "root"; }
{ from = "news"; to = "root"; }
{ from = "webmaster"; to = "root"; }
{ from = "www"; to = "root"; }
{ from = "ftp"; to = "root"; }
{ from = "abuse"; to = "root"; }
{ from = "noc"; to = "root"; }
{ from = "security"; to = "root"; }
{ from = "root"; to = "lass"; }
];
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
];
security.acme.certs."mail.lassul.us" = {
group = "lasscert";
webroot = "/var/lib/acme/acme-challenge";
};
users.groups.lasscert.members = [
"dovecot2"
"exim"
"nginx"
];
}

Some files were not shown because too many files have changed in this diff Show More