author | jeschli <jeschli@gmail.com> | 2019-04-23 20:15:10 +0200 |
---|---|---|
committer | jeschli <jeschli@gmail.com> | 2019-04-23 20:15:10 +0200 |
commit | 35fdfbe5ccb3b5844b62ac2486352107484e75d4 (patch) | |
tree | 561ff21ae90ce6826ab3d74ebd9f27dee7054a0d | |
parent | a4be985644762dcc2750a366db5780687690ef7d (diff) | |
parent | cd825d99342050bae35d5373e927ca999bae82cf (diff) |
Merge branch 'master' of prism.r:stockholm
82 files changed, 844 insertions, 277 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 916073375..f68c8ce50 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -21,5 +21,4 @@ boot.isContainer = true; networking.useDHCP = false; - environment.variables.NIX_REMOTE = "daemon"; } diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index 4d90ae3d5..b52125ae8 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -115,6 +115,11 @@ let in { + users.users.reaktor2 = { + uid = genid_uint31 "reaktor2"; + home = stateDir; + }; + krebs.reaktor2 = { freenode = { hostname = "irc.freenode.org"; diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index e12367b7c..94a509520 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -2,10 +2,10 @@ with import <stockholm/lib>; let - gunicorn = pkgs.pythonPackages.gunicorn; - bepasty = pkgs.bepasty; - gevent = pkgs.pythonPackages.gevent; - python = pkgs.pythonPackages.python; + gunicorn = pkgs.python27Packages.gunicorn; + bepasty = pkgs.bepasty.override { python3Packages = pkgs.python27Packages; }; + gevent = pkgs.python27Packages.gevent; + python = pkgs.python27Packages.python; cfg = config.krebs.bepasty; out = { diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix index a47dbe611..244de1a0d 100644 --- a/krebs/3modules/ci.nix +++ b/krebs/3modules/ci.nix @@ -108,10 +108,12 @@ let name=str(new_step), command=[ "${pkgs.writeDash "build-stepper.sh" '' - set -efu + set -xefu profile=${shell.escape profileRoot}/$build_name result=$("$build_script") - ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result" + if [ -n "$result" ]; then + ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result" + fi ''}" ], env={ diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 567c077eb..4d40f3856 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
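Review bot: The `let` block now pins the bepasty stack to `pkgs.python27Packages` without saying why, and this module serves a paste service that the DNS hunks in this commit expose publicly (`paste`/`p` records); Python 2.7 stops receiving security fixes in January 2020, so an internet-facing service pinned to it deserves a dated note and an exit plan. I would add above the four `python27Packages` lines: `# bepasty does not build against python3Packages on nixpkgs 19.03 — TODO(2019-04): drop the override once it does; py27 is EOL 2020-01`, adjusting the reason to whatever actually motivated the override.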
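Review bot: The `set -xefu` added to build-stepper.sh traces every command, so the build log now records the full `nix-env -p "$profile" --set "$result"` invocation and the `$build_script` path for each step; if the CI log is viewable by more people than the profile root, that is an information leak worth deciding on deliberately rather than by default. The new `if [ -n "$result" ]` guard also turns a build script that printed nothing (e.g. one that `exec`s into a tool which writes its result elsewhere) into a silent success, leaving the old profile in place with no signal. I would fail instead: `if [ -z "$result" ]; then echo "$build_script produced no store path" >&2; exit 1; fi`, and drop the `-x` once debugging is done. The enclosing Python step definition starts and ends outside the hunk.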
@@ -39,6 +39,7 @@ let ./nixpkgs.nix ./on-failure.nix ./os-release.nix + ./permown.nix ./per-user.nix ./power-action.nix ./Reaktor.nix diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index c9715cb85..9bfc920a3 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -429,6 +429,17 @@ in { }; }; }; + ada = { + owner = config.krebs.users.filly; + nets = { + wiregrill = { + aliases = [ "ada.w" ]; + wireguard = { + pubkey = "+t0j9j7TZqvSFPzgunnON/ArXVGpMS/L3DldpanLoUk="; + }; + }; + }; + }; }; users = { ciko = { @@ -464,6 +475,8 @@ in { }; miaoski = { }; + filly = { + }; }; } diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index a3b8cab39..41f3852b9 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -20,6 +20,7 @@ in { extraZones = { "krebsco.de" = '' cache IN A ${nets.internet.ip4.addr} + p IN A ${nets.internet.ip4.addr} paste IN A ${nets.internet.ip4.addr} prism IN A ${nets.internet.ip4.addr} ''; @@ -38,6 +39,7 @@ in { io 60 IN NS ions.lassul.us. ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} ''; @@ -239,6 +241,7 @@ in { secure = true; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C"; + syncthing.id = "AU5RTWC-HXNMDRT-TN4ZHXY-JMQ6EQB-4ZPOZL7-AICZMCZ-LNS2XXQ-DGTI2Q6"; }; icarus = { cores = 2; diff --git a/krebs/3modules/permown.nix b/krebs/3modules/permown.nix new file mode 100644 index 000000000..63adb2236 --- /dev/null +++ b/krebs/3modules/permown.nix 
@@ -0,0 +1,102 @@ +with import <stockholm/lib>; +{ config, pkgs, ... }: { + + options.krebs.permown = mkOption { + default = {}; + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + directory-mode = mkOption { + default = "=rwx"; + type = types.str; # TODO + }; + file-mode = mkOption { + default = "=rw"; + type = types.str; # TODO + }; + group = mkOption { + apply = x: if x == null then "" else x; + default = null; + type = types.nullOr types.groupname; + }; + owner = mkOption { + type = types.username; + }; + path = mkOption { + default = config._module.args.name; + type = types.absolute-pathname; + }; + umask = mkOption { + default = "0027"; + type = types.file-mode; + }; + }; + })); + }; + + config = let + plans = attrValues config.krebs.permown; + in mkIf (plans != []) { + + system.activationScripts.permown = let + mkdir = plan: /* sh */ '' + ${pkgs.coreutils}/bin/mkdir -p ${shell.escape plan.path} + ''; + in concatMapStrings mkdir plans; + + systemd.services = genAttrs' plans (plan: { + name = "permown.${replaceStrings ["/"] ["_"] plan.path}"; + value = { + environment = { + DIR_MODE = plan.directory-mode; + FILE_MODE = plan.file-mode; + OWNER_GROUP = "${plan.owner}:${plan.group}"; + ROOT_PATH = plan.path; + }; + path = [ + pkgs.coreutils + pkgs.findutils + pkgs.inotifyTools + ]; + serviceConfig = { + ExecStart = pkgs.writeDash "permown" '' + set -efu + + find "$ROOT_PATH" -exec chown -h "$OWNER_GROUP" {} + + find "$ROOT_PATH" -type d -exec chmod "$DIR_MODE" {} + + find "$ROOT_PATH" -type f -exec chmod "$FILE_MODE" {} + + + paths=/tmp/paths + rm -f "$paths" + mkfifo "$paths" + + inotifywait -mrq -e CREATE --format %w%f "$ROOT_PATH" > "$paths" & + inotifywaitpid=$! 
+ + trap cleanup EXIT + cleanup() { + kill "$inotifywaitpid" + } + + while read -r path; do + if test -d "$path"; then + cleanup + exec "$0" "$@" + fi + chown -h "$OWNER_GROUP" "$path" + if test -f "$path"; then + chmod "$FILE_MODE" "$path" + fi + done < "$paths" + ''; + PrivateTemp = true; + Restart = "always"; + RestartSec = 10; + UMask = plan.umask; + }; + wantedBy = [ "multi-user.target" ]; + }; + }); + + }; + +} diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix index cb940efef..a0c00c20d 100644 --- a/krebs/3modules/realwallpaper.nix +++ b/krebs/3modules/realwallpaper.nix @@ -78,7 +78,7 @@ let serviceConfig = { Type = "simple"; ExecStart = pkgs.writeDash "generate-wallpaper" '' - set -xeuf + set -euf # usage: getimg FILENAME URL fetch() { diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix index 3ba598a45..97cf21cdd 100644 --- a/krebs/3modules/setuid.nix +++ b/krebs/3modules/setuid.nix @@ -21,8 +21,8 @@ let default = config._module.args.name; }; envp = mkOption { - type = types.attrsOf types.str; - default = {}; + type = types.nullOr (types.attrsOf types.str); + default = null; }; filename = mkOption { type = mkOptionType { diff --git a/krebs/3modules/syncthing.nix b/krebs/3modules/syncthing.nix index 34879fd3f..897ba1e7f 100644 --- a/krebs/3modules/syncthing.nix +++ b/krebs/3modules/syncthing.nix @@ -10,7 +10,7 @@ let addresses = peer.addresses; }) cfg.peers; - folders = map (folder: { + folders = mapAttrsToList ( _: folder: { inherit (folder) path id type; devices = map (peer: { deviceId = cfg.peers.${peer}.id; }) folder.peers; rescanIntervalS = folder.rescanInterval; 
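Review bot: In the inotify loop at the end of the ExecStart script, `test -f "$path"` and `chmod "$FILE_MODE" "$path"` follow symlinks while the unit runs as root, so anyone who can create entries in the watched tree — including a remote Syncthing peer, given the synced folders this module is attached to elsewhere in the commit — can drop a symlink to an arbitrary file and have its mode reset to `=rw` under the unit's umask (world-readable with the `umask = "0002"` used for the radio share). The initial `find` pass is safe because `find` does not follow links and `chown -h` acts on the link itself; only the per-event branch needs a `test -L` guard. Separately, `PrivateTemp = true` is not a systemd directive (the key is `PrivateTmp`), so it is silently ignored and every permown instance on a host shares the predictable `/tmp/paths`. With several instances per host their `rm -f`/`mkfifo` clobber each other's FIFO, and any local user can pre-create the name between the two calls to make `mkfifo` fail and the unit crash-loop. Fix the spelling and take the FIFO from a per-instance `mktemp -d` directory that `cleanup` removes, as below.
```nix
          # … unchanged: initial find/chown/chmod pass …

          tmpdir=$(mktemp -d)
          paths=$tmpdir/paths
          mkfifo -m 0600 "$paths"

          inotifywait -mrq -e CREATE --format %w%f "$ROOT_PATH" > "$paths" &
          inotifywaitpid=$!

          trap cleanup EXIT
          cleanup() {
            kill "$inotifywaitpid"
            rm -rf "$tmpdir"
          }

          while read -r path; do
            # Never follow symlinks: a peer-created link would otherwise
            # redirect the root-run chmod below to an arbitrary file.
            if test -L "$path"; then
              chown -h "$OWNER_GROUP" "$path"
              continue
            fi
            if test -d "$path"; then
              cleanup
              exec "$0" "$@"
            fi
            chown -h "$OWNER_GROUP" "$path"
            if test -f "$path"; then
              chmod "$FILE_MODE" "$path"
            fi
          done < "$paths"
        '';
        PrivateTmp = true;
        # … unchanged: Restart, RestartSec, UMask …
```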
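Review bot: The `envp` option of the setuid wrapper module now defaults to `null` instead of `{}`, but the option still has no `description`, so nothing tells a reader whether `null` means "inherit the caller's environment" or "no environment" — and for a setuid wrapper that distinction is the security property. Whatever the generator (outside this hunk) does with `null` now applies to every existing `krebs.setuid` entry that did not set `envp`, so the new default changes behavior for all of them. Please add `description = "Environment for the wrapped program; null means <what null actually does>, {} means an empty environment.";` to the option so the change is auditable.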
@@ -81,17 +81,18 @@ in }; folders = mkOption { - default = []; - type = types.listOf (types.submodule ({ config, ... }: { + default = {}; + type = types.attrsOf (types.submodule ({ config, ... }: { options = { path = mkOption { type = types.absolute-pathname; + default = config._module.args.name; }; id = mkOption { type = types.str; - default = config.path; + default = config._module.args.name; }; peers = mkOption { @@ -133,8 +134,16 @@ in systemd.services.syncthing = mkIf (cfg.cert != null || cfg.key != null) { preStart = '' - ${optionalString (cfg.cert != null) "cp ${toString cfg.cert} ${config.services.syncthing.dataDir}/cert.pem"} - ${optionalString (cfg.key != null) "cp ${toString cfg.key} ${config.services.syncthing.dataDir}/key.pem"} + ${optionalString (cfg.cert != null) '' + cp ${toString cfg.cert} ${config.services.syncthing.dataDir}/cert.pem + chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/cert.pem + chmod 400 ${config.services.syncthing.dataDir}/cert.pem + ''} + ${optionalString (cfg.key != null) '' + cp ${toString cfg.key} ${config.services.syncthing.dataDir}/key.pem + chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/key.pem + chmod 400 ${config.services.syncthing.dataDir}/key.pem + ''} ''; }; diff --git a/krebs/5pkgs/haskell/blessings.nix b/krebs/5pkgs/haskell/blessings.nix index f730cc72b..c35706ebf 100644 --- a/krebs/5pkgs/haskell/blessings.nix +++ b/krebs/5pkgs/haskell/blessings.nix @@ -10,6 +10,10 @@ with import <stockholm/lib>; version = "2.2.0"; sha256 = "1pb56dgf3jj2kq3cbbppwzyg3ccgqy9xara62hkjwyxzdx20clk1"; }; + "19.03" = { + version = "2.2.0"; + sha256 = "1pb56dgf3jj2kq3cbbppwzyg3ccgqy9xara62hkjwyxzdx20clk1"; + }; }.${versions.majorMinor nixpkgsVersion}; in mkDerivation { diff --git a/krebs/5pkgs/haskell/email-header.nix b/krebs/5pkgs/haskell/email-header.nix index 4049168c1..6689f1d2c 100644 
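Review bot: In the expanded `preStart`, each key is first copied with `cp` and only then chowned and chmodded, so for a moment `cert.pem`/`key.pem` exist in `dataDir` with whatever mode the pre-start umask gives them; a private key that is briefly readable by group or others is the classic window a local user polls for. Each three-line group collapses into one atomic step: `install -m 0400 -o ${config.services.syncthing.user} -g ${config.services.syncthing.group} ${toString cfg.key} ${config.services.syncthing.dataDir}/key.pem` (and the same for `cert.pem`), which creates the file with the final owner and mode in one call. Note that `chown` in `preStart` only works if the pre-start runs with root privileges, which this hunk does not show; if the unit runs entirely as the syncthing user, the chown line fails and the unit will not start.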
--- a/krebs/5pkgs/haskell/email-header.nix +++ b/krebs/5pkgs/haskell/email-header.nix @@ -15,6 +15,11 @@ with import <stockholm/lib>; rev = "refs/tags/v${cfg.version}"; sha256 = "11xjivpj495r2ss9aqljnpzzycb57cm4sr7yzmf939rzwsd3ib0x"; }; + "19.03" = { + version = "0.4.1-tv1"; + rev = "refs/tags/v${cfg.version}"; + sha256 = "11xjivpj495r2ss9aqljnpzzycb57cm4sr7yzmf939rzwsd3ib0x"; + }; }.${versions.majorMinor nixpkgsVersion}; in mkDerivation { diff --git a/krebs/5pkgs/simple/kpaste/default.nix b/krebs/5pkgs/simple/kpaste/default.nix index d6823d584..217cb8a44 100644 --- a/krebs/5pkgs/simple/kpaste/default.nix +++ b/krebs/5pkgs/simple/kpaste/default.nix @@ -1,5 +1,6 @@ -{ curl, writeDashBin }: +{ curl, gnused, writeDashBin }: writeDashBin "kpaste" '' - exec ${curl}/bin/curl -sS http://p.r --data-binary @- + ${curl}/bin/curl -sS http://p.r --data-binary @- | + ${gnused}/bin/sed '$ {p;s/\<r\>/krebsco.de/}' '' diff --git a/krebs/5pkgs/simple/krebspaste/default.nix b/krebs/5pkgs/simple/krebspaste/default.nix index a11c8c90a..d97b6a053 100644 --- a/krebs/5pkgs/simple/krebspaste/default.nix +++ b/krebs/5pkgs/simple/krebspaste/default.nix @@ -1,6 +1,12 @@ -{ writeDashBin, bepasty-client-cli }: +{ bepasty-client-cli, gnused, writeDashBin }: -# TODO use `pkgs.exec` instead? writeDashBin "krebspaste" '' - exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | sed '$ s/$/\/+inline/g' + ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | + ${gnused}/bin/sed ' + $ { + s/$/\/+inline/ + p + s/\<r\>/krebsco.de/ + } + ' '' diff --git a/krebs/5pkgs/simple/qrscan.nix b/krebs/5pkgs/simple/qrscan.nix new file mode 100644 index 000000000..7d99dcee7 --- /dev/null +++ b/krebs/5pkgs/simple/qrscan.nix 
@@ -0,0 +1,27 @@ +{ coreutils, gnused, writeDashBin, zbar }: + +writeDashBin "qrscan" '' + set -efu + + tmpdir=$(${coreutils}/bin/mktemp --tmpdir -d qrscan.XXXXXXXX) + codefile=$tmpdir/code + + cleanup() { + ${coreutils}/bin/rm "$codefile" + ${coreutils}/bin/rmdir "$tmpdir" + } + + ${coreutils}/bin/mkfifo "$codefile" + + ${zbar}/bin/zbarcam > "$codefile" & + zbarcampid=$! + + exec < "$codefile" + while read -r code; do + code=$(printf %s "$code" | ${gnused}/bin/sed -n 's/^QR-Code://p') + if test -n "$code"; then + ${coreutils}/bin/kill "$zbarcampid" + echo "$code" + fi + done +'' diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index 1ee21020b..d5ca0e21f 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json @@ -1,7 +1,7 @@ { "url": "https://github.com/NixOS/nixpkgs-channels", - "rev": "222950952f15f6b1e9f036b80440b597f23e652d", - "date": "2019-04-05T10:07:50+02:00", - "sha256": "1hfchhy8vlc333sglabk1glkcnv4mrnarm9j4havqn7g5ri68vrd", + "rev": "8ea36d732567c80b2d11eb029e10400fe85ca786", + "date": "2019-04-18T22:37:03+01:00", + "sha256": "1d59i55qwqd76n2d0hr1si26q333ydizkd91h8lfczb00xnr5pqn", "fetchSubmodules": false } diff --git a/krebs/update-channel.sh b/krebs/update-channel.sh index 7f24cd31a..08354357a 100755 --- a/krebs/update-channel.sh +++ b/krebs/update-channel.sh @@ -3,7 +3,7 @@ dir=$(dirname $0) oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \ --url https://github.com/NixOS/nixpkgs-channels \ - --rev refs/heads/nixos-18.09' \ + --rev refs/heads/nixos-19.03' \ > $dir/nixpkgs.json newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/') git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev" diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix index a287f548b..14f4971f7 100644 --- a/lass/1systems/blue/config.nix +++ b/lass/1systems/blue/config.nix 
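Review bot: `cleanup` in qrscan is defined but never invoked — there is no `trap` and no call after the `while read` loop — so every run leaves the FIFO and the `mktemp` directory behind in `$TMPDIR`, and an interrupted run additionally leaves `zbarcam` holding the camera. Add `trap cleanup EXIT` right after the function definition so both the normal end of the loop (after `kill "$zbarcampid"` makes the FIFO hit EOF) and a Ctrl-C clean up. Since `cleanup` runs under `set -e`, consider `rm -f "$codefile"` so a missing FIFO does not abort the removal of the directory.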
@@ -9,17 +9,12 @@ with import <stockholm/lib>; <stockholm/lass/2configs/blue.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/sync/decsync.nix> + <stockholm/lass/2configs/sync/weechat.nix> ]; krebs.build.host = config.krebs.hosts.blue; - krebs.syncthing.folders = [ - { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; } - ]; - lass.ensure-permissions = [ - { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; } - ]; - environment.shellAliases = { deploy = pkgs.writeDash "deploy" '' set -eu diff --git a/lass/1systems/blue/physical.nix b/lass/1systems/blue/physical.nix index 7499ff723..b6aa3a894 100644 --- a/lass/1systems/blue/physical.nix +++ b/lass/1systems/blue/physical.nix @@ -4,5 +4,4 @@ ]; boot.isContainer = true; networking.useDHCP = false; - environment.variables.NIX_REMOTE = "daemon"; } diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index e28fbf2f8..6e3df12f0 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -27,6 +27,12 @@ with import <stockholm/lib>; enable = true; systemWide = true; }; + programs.chromium = { + enable = true; + extensions = [ + "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin + ]; + }; environment.systemPackages = with pkgs; [ pavucontrol #firefox @@ -40,7 +46,7 @@ with import <stockholm/lib>; wine geeqie vlc - minecraft + zsnes ]; nixpkgs.config.firefox.enableAdobeFlash = true; services.xserver.enable = true; diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index 6ae157e38..0b4b50ee4 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix 
@@ -8,20 +8,13 @@ with import <stockholm/lib>; <stockholm/lass/2configs/exim-retiolum.nix> <stockholm/lass/2configs/mail.nix> - #<stockholm/lass/2configs/blue.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/sync/decsync.nix> + <stockholm/lass/2configs/sync/weechat.nix> ]; krebs.build.host = config.krebs.hosts.green; - krebs.syncthing.folders = [ - { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; } - ]; - lass.ensure-permissions = [ - { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; } - ]; - - #networking.nameservers = [ "1.1.1.1" ]; #time.timeZone = "Europe/Berlin"; diff --git a/lass/1systems/green/physical.nix b/lass/1systems/green/physical.nix index 7499ff723..b6aa3a894 100644 --- a/lass/1systems/green/physical.nix +++ b/lass/1systems/green/physical.nix @@ -4,5 +4,4 @@ ]; boot.isContainer = true; networking.useDHCP = false; - environment.variables.NIX_REMOTE = "daemon"; } diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index 06b1e7366..d8c8699ae 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -20,6 +20,7 @@ <stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/nfs-dl.nix> <stockholm/lass/2configs/prism-share.nix> + <stockholm/lass/2configs/ssh-cryptsetup.nix> ]; krebs.build.host = config.krebs.hosts.icarus; diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix index be064bed2..a814cc6b9 100644 --- a/lass/1systems/iso.nix +++ b/lass/1systems/iso.nix @@ -6,7 +6,6 @@ with import <stockholm/lib>; <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix> <stockholm/krebs> <stockholm/lass/3modules> - <stockholm/lass/5pkgs> <stockholm/lass/2configs/mc.nix> <stockholm/lass/2configs/vim.nix> { 
@@ -40,9 +39,10 @@ with import <stockholm/lib>; networking.hostName = "lass-iso"; } { + nixpkgs.config.packageOverrides = import <stockholm/lass/5pkgs> pkgs; krebs.enable = true; krebs.build.user = config.krebs.users.lass; - krebs.build.host = config.krebs.hosts.iso; + krebs.build.host = {}; } { nixpkgs.config.allowUnfree = true; @@ -174,11 +174,13 @@ with import <stockholm/lib>; user = "lass"; }; windowManager.default = "xmonad"; - windowManager.session = [{ + windowManager.session = let + xmonad-lass = pkgs.callPackage <stockholm/lass/5pkgs/custom/xmonad-lass> { inherit config; }; + in [{ name = "xmonad"; start = '' ${pkgs.xorg.xhost}/bin/xhost +LOCAL: - ${pkgs.xmonad-lass}/bin/xmonad & + ${xmonad-lass}/bin/xmonad & waitPID=$! ''; }]; diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix index eee23ee60..d44e62053 100644 --- a/lass/1systems/littleT/config.nix +++ b/lass/1systems/littleT/config.nix @@ -8,6 +8,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/green-host.nix> ]; networking.networkmanager.enable = true; diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix index 0d82ba611..cab267d54 100644 --- a/lass/1systems/morpheus/config.nix +++ b/lass/1systems/morpheus/config.nix @@ -30,4 +30,12 @@ with import <stockholm/lib>; ]; }; }; + + + services.xserver.desktopManager.default = "none"; + services.xserver.displayManager.lightdm.autoLogin = { + enable = true; + user = "lass"; + timeout = 5; + }; } diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 250d96e53..f911b79d6 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix 
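Review bot: The new `lightdm.autoLogin` block on morpheus logs `lass` in with no password five seconds after boot, so anyone with physical access who can power the machine on gets the session; this is only acceptable if the disk is encrypted and the session locks on idle, neither of which is visible in this hunk. Please state the assumption next to the option so it is not copied to a laptop by accident: `# unattended login: morpheus is a stationary box behind LUKS; do not reuse on portable hosts`, adjusting the reason to what actually holds.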
@@ -26,6 +26,8 @@ with import <stockholm/lib>; <stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/otp-ssh.nix> <stockholm/lass/2configs/c-base.nix> + <stockholm/lass/2configs/sync/decsync.nix> + <stockholm/lass/2configs/sync/weechat.nix> <stockholm/lass/2configs/br.nix> <stockholm/lass/2configs/ableton.nix> <stockholm/lass/2configs/starcraft.nix> @@ -36,27 +38,26 @@ with import <stockholm/lib>; <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/network-manager.nix> <stockholm/lass/2configs/nfs-dl.nix> - <stockholm/lass/2configs/hardening.nix> + #<stockholm/lass/2configs/hardening.nix> { krebs.iptables.tables.filter.INPUT.rules = [ #risk of rain { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; } - #chromecast - { predicate = "-p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000"; target = "ACCEPT"; } #quake3 { predicate = "-p tcp --dport 27950:27965"; target = "ACCEPT"; } { predicate = "-p udp --dport 27950:27965"; target = "ACCEPT"; } ]; } { - krebs.syncthing.folders = [ - { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; } - { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" ]; } - ]; - lass.ensure-permissions = [ - { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; } - { folder = "/home/lass/tmp/the_playlist"; owner = "lass"; group = "syncthing"; } - ]; + krebs.syncthing.folders."the_playlist" = { + path = "/home/lass/tmp/the_playlist"; + peers = [ "mors" "phone" "prism" ]; + }; + krebs.permown."/home/lass/tmp/the_playlist" = { + owner = "lass"; + group = "syncthing"; + umask = "0007"; + }; } { lass.umts = { @@ -92,6 +93,7 @@ with import <stockholm/lib>; pkgs.ovh-zone pkgs.bank pkgs.adb-sync + pkgs.transgui ]; } { 
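Review bot: The import of `<stockholm/lass/2configs/hardening.nix>` on mors is commented out with no reason, which quietly drops whatever sysctl/kernel/service restrictions that file applies to the primary workstation and leaves no trail for the next person to re-enable it. A one-line reason with a date is enough: `#<stockholm/lass/2configs/hardening.nix> # disabled 2019-04: breaks <what>; re-enable once fixed`. If it was disabled to get a specific program working, naming it here also tells a future reader which single hardening knob to relax instead of the whole file.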
@@ -135,6 +137,18 @@ with import <stockholm/lib>; (pkgs.writeDashBin "btc-kraken" '' ${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]' '') + (pkgs.writeDashBin "krebsco.de" '' + TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + ${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json + OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import + ${pkgs.coreutils}/bin/rm -rf "$TMPDIR" + '') + (pkgs.writeDashBin "lassul.us" '' + TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json + OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us + ${pkgs.coreutils}/bin/rm -rf "$TMPDIR" + '') ]; #TODO: fix this shit diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index b3b7ac0df..d7b0b701a 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
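Review bot: Both new wrappers (`krebsco.de` and `lassul.us`) write an API secret to `"$TMPDIR"/ovh-secrets.json` and rely on the final `rm -rf` to remove it, but there is no `set -e` and no trap, so a Ctrl-C or a crash of `krebszones`/`ovh-zone` leaves the plaintext secret on disk in `/tmp` for the rest of the session. Register the removal before the secret is written: `TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)` followed by `trap '${pkgs.coreutils}/bin/rm -rf "$TMPDIR"' EXIT`, then the trailing `rm -rf` line can go. Reusing the name `TMPDIR` also redirects the temp directory of the child tools to this secret-holding directory; a private name such as `secretdir` avoids that side effect.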
@@ -413,6 +413,42 @@ with import <stockholm/lib>; ]; }; } + { #macos mounting of yellow + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i wiregrill -p tcp --dport 139"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 137"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 138"; target = "ACCEPT"; } + ]; + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/home/share"; + createHome = true; + }; + services.samba = { + enable = true; + enableNmbd = true; + shares = { + download = { + path = "/var/download/finished"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/red/physical.nix b/lass/1systems/red/physical.nix index 7499ff723..b6aa3a894 100644 --- a/lass/1systems/red/physical.nix +++ b/lass/1systems/red/physical.nix @@ -4,5 +4,4 @@ ]; boot.isContainer = true; networking.useDHCP = false; - environment.variables.NIX_REMOTE = "daemon"; } diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 39c0791fc..5de87d790 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -15,6 +15,8 @@ with import <stockholm/lib>; <stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/blue-host.nix> + <stockholm/lass/2configs/green-host.nix> + <stockholm/lass/2configs/ssh-cryptsetup.nix> ]; krebs.build.host = config.krebs.hosts.shodan; diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index 0bf3e6b4d..70787e514 100644 --- a/lass/1systems/skynet/config.nix 
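Review bot: The new Samba block relies solely on the four `-i wiregrill` iptables rules to keep the guest share off the internet; `smbd`/`nmbd` themselves still bind every interface, so one wrong firewall edit exposes an anonymous share on a public host. Add to `extraConfig`: `interfaces = wiregrill`, `bind interfaces only = yes`, and `server min protocol = SMB2_02` — the last because Samba's default at this nixpkgs revision still negotiates SMB1, which a macOS client does not need. The share is read-only and guest-only, which is the right shape; documenting that `map to guest = bad user` intentionally maps every unknown username to `smbguest` would help the next reader.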
+++ b/lass/1systems/skynet/config.nix @@ -8,6 +8,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/power-action.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/green-host.nix> { services.xserver.enable = true; services.xserver.desktopManager.xfce.enable = true; diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index 8b3b2814f..cda0d0a33 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -31,6 +31,7 @@ with import <stockholm/lib>; download-dir = "/var/download/finished"; incomplete-dir = "/var/download/incoming"; incomplete-dir-enable = true; + message-level = 1; umask = "002"; rpc-whitelist-enabled = false; rpc-host-whitelist-enabled = false; diff --git a/lass/1systems/yellow/physical.nix b/lass/1systems/yellow/physical.nix index 7499ff723..b6aa3a894 100644 --- a/lass/1systems/yellow/physical.nix +++ b/lass/1systems/yellow/physical.nix @@ -4,5 +4,4 @@ ]; boot.isContainer = true; networking.useDHCP = false; - environment.variables.NIX_REMOTE = "daemon"; } diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 26d6622ae..5003d2279 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -9,6 +9,7 @@ in { ./power-action.nix ./copyq.nix ./urxvt.nix + ./xdg-open.nix { hardware.pulseaudio = { enable = true; diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index aec59261c..4216bd67a 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -100,6 +100,9 @@ with import <stockholm/lib>; { from = "box@lassul.us"; to = lass.mail; } { from = "paloalto@lassul.us"; to = lass.mail; } { from = "subtitles@lassul.us"; to = lass.mail; } + { from = "lobsters@lassul.us"; to = lass.mail; } + { from = "fysitech@lassul.us"; to = lass.mail; } + { from = "threema@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } 
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix new file mode 100644 index 000000000..1421eede7 --- /dev/null +++ b/lass/2configs/green-host.nix 
@@ -0,0 +1,82 @@ +{ config, lib, pkgs, ... }: +with import <stockholm/lib>; + +{ + imports = [ + <stockholm/lass/2configs/container-networking.nix> + <stockholm/lass/2configs/syncthing.nix> + { #hack for already defined + systemd.services."container@green".reloadIfChanged = mkForce false; + systemd.services."container@green".preStart = '' + ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q ' on /var/lib/containers/green ' + ''; + systemd.services."container@green".postStop = '' + set -x + ${pkgs.umount}/bin/umount /var/lib/containers/green + ls -la /dev/mapper/control + ${pkgs.devicemapper}/bin/dmsetup ls + ${pkgs.cryptsetup}/bin/cryptsetup -v luksClose /var/lib/sync-containers/green.img + ''; + } + ]; + + krebs.syncthing.folders."/var/lib/sync-containers".peers = [ "icarus" "skynet" "littleT" "shodan" ]; + krebs.permown."/var/lib/sync-containers" = { + owner = "root"; + group = "syncthing"; + umask = "0007"; + }; + + system.activationScripts.containerPermissions = '' + mkdir -p /var/lib/containers + chmod 711 /var/lib/containers + ''; + + containers.green = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt_unicode.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; + localAddress = "10.233.2.16"; + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-green" '' + set -fu + CONTAINER='green' + IMAGE='/var/lib/sync-containers/green.img' + + ${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null + if [ "$?" -ne 0 ]; then + ${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER" + fi + + mkdir -p /var/lib/containers/"$CONTAINER" + + ${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/"$CONTAINER" " + if [ "$?" 
-ne 0 ]; then + ${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER" + fi + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status "$CONTAINER") + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start "$CONTAINER" + fi + ping -c1 green.r + if [ "$?" -ne 0 ]; then + ${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch + fi + + '') + ]; +} diff --git a/lass/2configs/hw/x220.nix b/lass/2configs/hw/x220.nix index f5651da13..5649041f9 100644 --- a/lass/2configs/hw/x220.nix +++ b/lass/2configs/hw/x220.nix @@ -30,8 +30,7 @@ }; }; - services.logind.extraConfig = '' - HandleLidSwitch=ignore - ''; + services.logind.lidSwitch = "ignore"; + services.logind.lidSwitchDocked = "ignore"; } diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 0803846aa..6de111ba8 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -233,8 +233,4 @@ in { tag-new-mails tag-old-mails ]; - - nixpkgs.config.packageOverrides = opkgs: { - notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; })); - }; } diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix index 293691c0f..3c3d8e636 100644 --- a/lass/2configs/paste.nix +++ b/lass/2configs/paste.nix @@ -10,6 +10,16 @@ with import <stockholm/lib>; proxy_pass http://localhost:9081; ''; }; + services.nginx.virtualHosts.paste-readonly = { + serverAliases = [ "p.krebsco.de" ]; + locations."/".extraConfig = '' + if ($request_method != GET) { + return 403; + } + proxy_set_header Host $host; + proxy_pass http://localhost:9081; + ''; + }; krebs.htgen.paste = { port = 9081; script = toString [ diff --git a/lass/2configs/prism-share.nix b/lass/2configs/prism-share.nix index 70e616ec6..aa3eb541d 100644 --- a/lass/2configs/prism-share.nix +++ b/lass/2configs/prism-share.nix 
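Review bot: In `postStop`, `cryptsetup -v luksClose /var/lib/sync-containers/green.img` names the backing image rather than the mapping that `start-green` opened with `luksOpen "$IMAGE" "$CONTAINER"`, so as far as cryptsetup's interface goes this call fails with "not active" and the decrypted `/dev/mapper/green` stays open after the container stops; the failure is also masked because `set -x` is the only option set. It should be `${pkgs.cryptsetup}/bin/cryptsetup luksClose green` (or `"$CONTAINER"` if the name is factored out), and the `set -x`, `ls -la /dev/mapper/control` and `dmsetup ls` lines look like leftover debugging that now lands in the journal on every stop. In `start-green`, `mount | grep -q " on /var/lib/containers/"$CONTAINER" "` quotes the variable outside the double-quoted string, which works only because `$CONTAINER` has no spaces; `grep -q " on /var/lib/containers/$CONTAINER "` is the intended form.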
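Review bot: The read-only vhost for `p.krebsco.de` uses `if ($request_method != GET) { return 403; }`, which also rejects `HEAD`, a legitimate read that clients and monitors send; nginx's idiom for "reads only" is `limit_except GET { deny all; }`, which permits GET and HEAD and avoids `if` inside a `location`. Since the upstream on `localhost:9081` is the same one the writable vhost proxies to, a one-line comment noting that the method filter is the only thing making this host read-only would keep someone from later "simplifying" the two vhosts into one.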
@@ -21,7 +21,7 @@ with import <stockholm/lib>; shares = { incoming = { path = "/mnt/prism"; - "read only" = "no"; + "read only" = "yes"; browseable = "yes"; "guest ok" = "yes"; }; diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix index f88b2627b..88899c554 100644 --- a/lass/2configs/radio.nix +++ b/lass/2configs/radio.nix @@ -10,7 +10,7 @@ let source-password = import <secrets/icecast-source-pw>; add_random = pkgs.writeDashBin "add_random" '' - ${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.mpc_cli}/bin/mpc ls | shuf -n1)" + ${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.mpc_cli}/bin/mpc ls the_playlist/music | grep '\.ogg$' | shuf -n1)" ''; skip_track = pkgs.writeDashBin "skip_track" '' @@ -57,8 +57,11 @@ in { services.mpd = { enable = true; group = "radio"; - musicDirectory = "/home/radio/the_playlist/music"; + musicDirectory = "/home/radio/music"; extraConfig = '' + log_level "default" + auto_update "yes" + audio_output { type "shout" encoding "lame" @@ -245,4 +248,13 @@ in { alias ${html}; ''; }; + krebs.syncthing.folders."the_playlist" = { + path = "/home/radio/music/the_playlist"; + peers = [ "mors" "phone" "prism" ]; + }; + krebs.permown."/home/radio/music/the_playlist" = { + owner = "radio"; + group = "syncthing"; + umask = "0002"; + }; } diff --git a/lass/2configs/ssh-cryptsetup.nix b/lass/2configs/ssh-cryptsetup.nix new file mode 100644 index 000000000..c5e1c5928 --- /dev/null +++ b/lass/2configs/ssh-cryptsetup.nix @@ -0,0 +1,17 @@ +{ config, ... }: +{ + boot.initrd = { + network = { + enable = true; + ssh = { + enable = true; + authorizedKeys = with config.krebs.users; [ + config.krebs.users.lass-mors.pubkey + config.krebs.users.lass-blue.pubkey + config.krebs.users.lass-shodan.pubkey + config.krebs.users.lass-icarus.pubkey + ]; + }; + }; + }; +} diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix new file mode 100644 index 000000000..c3f6511c2 --- /dev/null +++ b/lass/2configs/sync/decsync.nix 
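Review bot: ssh-cryptsetup.nix enables the initrd SSH server with authorized keys but sets no host-key option, and the enclosing hosts (icarus, shodan) import nothing else for it in this commit; unless a persistent initrd host key (`boot.initrd.network.ssh.hostRSAKey`/`hostECDSAKey` on this release) is configured elsewhere, the initrd presents a key clients cannot pin, and an attacker on the path can impersonate the host and collect the LUKS passphrase typed into the unlock session. If such a key exists, say where: `# initrd host key is set in <file>; it must differ from the main sshd key, which lives on the encrypted root`. Also `with config.krebs.users;` is unused because every entry is written out in full; either drop the `with` or shorten the entries to `lass-mors.pubkey` and friends.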
@@ -0,0 +1,11 @@ +{ + krebs.syncthing.folders.decsync = { + path = "/home/lass/decsync"; + peers = [ "mors" "blue" "green" "phone" ]; + }; + krebs.permown."/home/lass/decsync" = { + owner = "lass"; + group = "syncthing"; + umask = "0007"; + }; +} diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix new file mode 100644 index 000000000..30c7b262b --- /dev/null +++ b/lass/2configs/sync/weechat.nix @@ -0,0 +1,8 @@ +{ + krebs.syncthing.folders."/home/lass/.weechat".peers = [ "blue" "green" "mors" ]; + krebs.permown."/home/lass/.weechat" = { + owner = "lass"; + group = "syncthing"; + umask = "0007"; + }; +} diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix index 842abc195..48f2625c1 100644 --- a/lass/2configs/syncthing.nix +++ b/lass/2configs/syncthing.nix @@ -1,9 +1,10 @@ -{ config, pkgs, ... }: -with import <stockholm/lib>; -{ +{ config, pkgs, ... }: with import <stockholm/lib>; let + peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts); +in { services.syncthing = { enable = true; group = "syncthing"; + configDir = "/var/lib/syncthing"; }; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 22000"; target = "ACCEPT";} 
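Review bot: Syncing the whole of `/home/lass/.weechat` with `permown` set to `group = "syncthing"` and `umask = "0007"` makes every file in it group-readable by `syncthing` on blue, green and mors, and weechat keeps its secrets there (`sec.conf`, plus any server passwords stored in `irc.conf`) — if those files are present, any process in the `syncthing` group on those hosts can read the IRC/bouncer credentials. Consider excluding the credential files via a `.stignore` and leaving them at `0600`, or at least noting the trade-off: `# NOTE: sec.conf/irc.conf become readable by group syncthing on every peer`.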
@@ -13,17 +14,17 @@ with import <stockholm/lib>; enable = true; cert = toString <secrets/syncthing.cert>; key = toString <secrets/syncthing.key>; - peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts); - folders = [ - { path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism"]; } - ]; + peers = peers; + folders."/home/lass/sync".peers = attrNames peers; }; system.activationScripts.syncthing-home = '' ${pkgs.coreutils}/bin/chmod a+x /home/lass ''; - lass.ensure-permissions = [ - { folder = "/home/lass/sync"; owner = "lass"; group = "syncthing"; } - ]; + krebs.permown."/home/lass/sync" = { + owner = "lass"; + group = "syncthing"; + umask = "0007"; + }; } diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index b58484773..2131c7c62 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -119,7 +119,7 @@ in { authenticators.PLAIN = '' driver = plaintext public_name = PLAIN - server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}} + server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}} ''; authenticators.LOGIN = '' driver = plaintext 
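Review bot: `folders."/home/lass/sync".peers = attrNames peers;` offers the sync folder to every host in `config.krebs.hosts` that carries a syncthing id, where the old side named seven hosts explicitly; if that host set includes machines operated by other people (the repository carries makefu/ and tv/ trees), the folder is now offered to their devices as well. Syncthing only replicates once the other side accepts, but the offer is the sharing decision, so I would keep an explicit list or filter `peers` by owner before taking `attrNames`. Minor: `peers = peers;` can be written `inherit peers;`.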
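Review bot: The `${run{...}}` in the new `server_condition` still passes `$auth2` and `$auth3` unquoted, and Exim splits the expanded command on spaces, so an empty or space-containing password shifts or drops arguments and `shadow_verify_arg` is called with the wrong argument count. Exim's documented guard is to quote such variables: `server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} "$auth2" "$auth3"}{yes}{no}}`, with embedded quotes handled via `sg` if they can occur. This predates the commit, which only swapped the helper path, but the new line is the place to fix it. Note also that the password travels as an argv element of a process visible to local users on the host, whereas the pam_exec path in usershadow.nix hands it over on stdin (`expose_authtok`).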
@@ -237,8 +237,8 @@ in { krebs.on-failure.plans.restic-backups-domsen = {}; services.restic.backups.domsen = { initialize = true; - extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ]; - repository = "sftp:efOVcMWSZ@wilhelmstr.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES"; + extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr2.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ]; + repository = "sftp:efOVcMWSZ@wilhelmstr2.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES"; passwordFile = toString <secrets> + "/domsen_backup_pw"; timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; }; paths = [ diff --git a/lass/2configs/xdg-open.nix b/lass/2configs/xdg-open.nix new file mode 100644 index 000000000..824c36dc7 --- /dev/null +++ b/lass/2configs/xdg-open.nix 
@@ -0,0 +1,66 @@ +{ config, pkgs, lib, ... }: with import <stockholm/lib>; let + + xdg-open-wrapper = pkgs.writeDashBin "xdg-open" '' + /run/wrappers/bin/sudo -u lass ${xdg-open} "$@" + ''; + + xdg-open = pkgs.writeBash "xdg-open" '' + set -e + FILE="$1" + mime= + + case "$FILE" in + http://*|https://*) + mime=text/html + ;; + mailto:*) + mime=special/mailaddress + ;; + magnet:*) + mime=application/x-bittorrent + ;; + irc:*) + mime=x-scheme-handler/irc + ;; + *) + # it’s a file + + # strip possible protocol + FILE=''${FILE#file://} + mime=''$(file -E --brief --mime-type "$FILE") \ + || (echo "$mime" 1>&2; exit 1) + # ^ echo the error message of file + ;; + esac + + case "$mime" in + special/mailaddress) + urxvtc --execute vim "$FILE" ;; + ${optionalString (hasAttr "browser" config.lass) '' + text/html) + ${config.lass.browser.select}/bin/browser-select "$FILE" ;; + text/xml) + ${config.lass.browser.select}/bin/browser-select "$FILE" ;; + ''} + text/*) + urxvtc --execute vim "$FILE" ;; + image/*) + sxiv "$FILE" ;; + application/x-bittorrent) + env DISPLAY=:0 transgui "$FILE" ;; + application/pdf) + zathura "$FILE" ;; + inode/directory) + sudo -u lass -i urxvtc --execute mc "$FILE" ;; + *) + # open dmenu and ask for program to open with + $(dmenu_path | dmenu) "$FILE";; + esac + ''; +in { + environment.systemPackages = [ xdg-open-wrapper ]; + + security.sudo.extraConfig = '' + cr ALL=(lass) NOPASSWD: ${xdg-open} * + ''; +} diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 59043aeb1..613c7c8ac 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -3,7 +3,6 @@ _: imports = [ ./dnsmasq.nix ./ejabberd - ./ensure-permissions.nix ./folderPerms.nix ./hosts.nix ./mysql-backup.nix diff --git a/lass/3modules/ensure-permissions.nix b/lass/3modules/ensure-permissions.nix deleted file mode 100644 index 36edc1127..000000000 --- a/lass/3modules/ensure-permissions.nix +++ /dev/null 
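Review bot: The sudoers line `cr ALL=(lass) NOPASSWD: ${xdg-open} *` together with the script's handlers amounts to unrestricted command execution as `lass` for user `cr`: the `*)` branch runs whatever is chosen in dmenu (`$(dmenu_path | dmenu) "$FILE"`), and the `text/*` branches open vim, which can run a shell. If `cr` and `lass` are meant to be one trust domain that is fine, but it should be stated next to the rule, e.g. `# NOTE: effectively lets cr run arbitrary commands as lass (dmenu fallback, editor shell escapes)`; otherwise the handler set behind the NOPASSWD rule needs narrowing. Small script nit: the `(echo "$mime" 1>&2; exit 1)` subshell only terminates the script because it is the last element of an `||` list under `set -e`; `{ echo "$mime" 1>&2; exit 1; }` says that explicitly.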
@@ -1,66 +0,0 @@ -{ config, pkgs, ... }: with import <stockholm/lib>; - -let - - cfg = config.lass.ensure-permissions; - -in - -{ - options.lass.ensure-permissions = mkOption { - default = []; - type = types.listOf (types.submodule ({ - options = { - - folder = mkOption { - type = types.absolute-pathname; - }; - - owner = mkOption { - # TODO user type - type = types.str; - default = "root"; - }; - - group = mkOption { - # TODO group type - type = types.str; - default = "root"; - }; - - permission = mkOption { - # TODO permission type - type = types.str; - default = "u+rw,g+rw"; - }; - - }; - })); - }; - - config = mkIf (cfg != []) { - - system.activationScripts.ensure-permissions = concatMapStringsSep "\n" (plan: '' - ${pkgs.coreutils}/bin/mkdir -p ${plan.folder} - ${pkgs.coreutils}/bin/chmod -R ${plan.permission} ${plan.folder} - ${pkgs.coreutils}/bin/chown -R ${plan.owner}:${plan.group} ${plan.folder} - '') cfg; - systemd.services = - listToAttrs (map (plan: nameValuePair "ensure-permisson.${replaceStrings ["/"] ["_"] plan.folder}" { - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Restart = "always"; - RestartSec = 10; - ExecStart = pkgs.writeDash "ensure-perms" '' - ${pkgs.inotifyTools}/bin/inotifywait -mrq -e CREATE --format %w%f ${plan.folder} \ - | while IFS= read -r FILE; do - ${pkgs.coreutils}/bin/chmod -R ${plan.permission} "$FILE" 2>/dev/null - ${pkgs.coreutils}/bin/chown -R ${plan.owner}:${plan.group} "$FILE" 2>/dev/null - done - ''; - }; - }) cfg) - ; - - }; -} diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index cb2890969..51da2ec93 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix 
@@ -31,13 +31,24 @@ session required pam_loginuid.so ''; - security.pam.services.dovecot2.text = '' - auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern} - auth required pam_permit.so - account required pam_permit.so - session required pam_permit.so - session required pam_env.so envfile=${config.system.build.pamEnvironment} - ''; + security.pam.services.dovecot2 = { + text = '' + auth required pam_exec.so debug expose_authtok log=/tmp/lol /run/wrappers/bin/shadow_verify_pam ${cfg.pattern} + auth required pam_permit.so + account required pam_permit.so + session required pam_permit.so + session required pam_env.so envfile=${config.system.build.pamEnvironment} + ''; + }; + + security.wrappers.shadow_verify_pam = { + source = "${usershadow}/bin/verify_pam"; + owner = "root"; + }; + security.wrappers.shadow_verify_arg = { + source = "${usershadow}/bin/verify_arg"; + owner = "root"; + }; }; usershadow = let { @@ -46,10 +57,13 @@ "bytestring" ]; body = pkgs.writeHaskellPackage "passwords" { + ghc-options = [ + "-rtsopts" + "-Wall" + ]; executables.verify_pam = { extra-depends = deps; text = '' - import Data.Monoid import System.IO import Data.Char (chr) import System.Environment (getEnv, getArgs) @@ -72,7 +86,6 @@ executables.verify_arg = { extra-depends = deps; text = '' - import Data.Monoid import System.Environment (getArgs) import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) import qualified Data.ByteString.Char8 as BS8 diff --git a/lib/types.nix b/lib/types.nix index 9001bc7c3..ffae8c7bc 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -89,7 +89,7 @@ rec { syncthing.id = mkOption { # TODO syncthing id type - type = nullOr string; + type = nullOr str; default = null; }; }; 
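Review bot: The new dovecot2 PAM line carries debugging leftovers: `debug` and `log=/tmp/lol` make pam_exec append the helper's output to a fixed file name in a world-writable directory, written by whatever privileged process runs the PAM stack, and whatever `verify_pam` prints while debugging lands there. Both should go before this is deployed, `auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}`, or the log should point at a root-owned path under /var/log. For the two `security.wrappers` entries, `owner = "root"` alone may not yield a setuid wrapper depending on the NixOS release's defaults; if the helpers need root to read the shadow files, `setuid = true;` should be explicit, with a one-line comment on why root is required either way.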
@@ -542,21 +542,28 @@ rec { merge = mergeOneOption; }; - # POSIX.1‐2013, 3.278 Portable Filename Character Set + # POSIX.1‐2017, 3.190 Group Name + groupname = mkOptionType { + name = "POSIX group name"; + check = filename.check; + merge = mergeOneOption; + }; + + # POSIX.1‐2017, 3.281 Portable Filename filename = mkOptionType { - name = "POSIX filename"; + name = "POSIX portable filename"; check = test "[0-9A-Za-z._][0-9A-Za-z._-]*"; merge = mergeOneOption; }; - # POSIX.1‐2013, 3.2 Absolute Pathname + # POSIX.1‐2017, 3.2 Absolute Pathname absolute-pathname = mkOptionType { name = "POSIX absolute pathname"; check = x: isString x && substring 0 1 x == "/" && pathname.check x; merge = mergeOneOption; }; - # POSIX.1‐2013, 3.267 Pathname + # POSIX.1-2017, 3.271 Pathname pathname = mkOptionType { name = "POSIX pathname"; check = x: @@ -570,9 +577,9 @@ rec { merge = mergeOneOption; }; - # POSIX.1-2013, 3.431 User Name + # POSIX.1-2017, 3.216 Login Name username = mkOptionType { - name = "POSIX username"; + name = "POSIX login name"; check = filename.check; merge = mergeOneOption; }; diff --git a/makefu/1systems/sdev/config.nix b/makefu/1systems/sdev/config.nix index 2f289d500..66f822c02 100644 --- a/makefu/1systems/sdev/config.nix +++ b/makefu/1systems/sdev/config.nix @@ -6,13 +6,13 @@ [ # Include the results of the hardware scan. <stockholm/makefu> - <stockholm/makefu/2configs/hw/vbox-guest.nix> - #{ # until virtualbox-image is fixed - # imports = [ - # <stockholm/makefu/2configs/fs/single-partition-ext4.nix> - # ]; - # boot.loader.grub.device = lib.mkForce "/dev/sda"; - #} + # <stockholm/makefu/2configs/hw/vbox-guest.nix> # broken since 2019-04-18 + { # until virtualbox-image is fixed + imports = [ + <stockholm/makefu/2configs/fs/single-partition-ext4.nix> + ]; + boot.loader.grub.device = lib.mkForce "/dev/sda"; + } <stockholm/makefu/2configs/main-laptop.nix> # <secrets/extra-hosts.nix> 
diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index de55e9e89..3c5e50c4b 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix @@ -11,9 +11,13 @@ <stockholm/makefu/2configs/home-manager/desktop.nix> <stockholm/makefu/2configs/home-manager/cli.nix> <stockholm/makefu/2configs/home-manager/mail.nix> + <stockholm/makefu/2configs/home-manager/taskwarrior.nix> + <stockholm/makefu/2configs/main-laptop.nix> <stockholm/makefu/2configs/extra-fonts.nix> <stockholm/makefu/2configs/tools/all.nix> + { programs.adb.enable = true; } + <stockholm/makefu/2configs/dict.nix> #<stockholm/makefu/3modules/netboot_server.nix> #{ @@ -23,7 +27,14 @@ # }; #} + # Restore: + # systemctl cat borgbackup-job-state + # export BORG_PASSCOMMAND BORG_REPO BORG_RSH + # borg list "$BORG_REPO" + # mount newroot somewhere && cd somewhere + # borg extract "$BORG_REPO::x-state-2019-04-17T01:41:51" --progress # < extract to cwd <stockholm/makefu/2configs/backup/state.nix> + # <stockholm/makefu/2configs/dnscrypt/client.nix> <stockholm/makefu/2configs/avahi.nix> <stockholm/makefu/2configs/support-nixos.nix> @@ -46,19 +57,18 @@ # Krebs <stockholm/makefu/2configs/tinc/retiolum.nix> - <stockholm/makefu/2configs/share/gum-client.nix> + # <stockholm/makefu/2configs/share/gum-client.nix> # applications <stockholm/makefu/2configs/exim-retiolum.nix> <stockholm/makefu/2configs/mail-client.nix> <stockholm/makefu/2configs/printer.nix> - <stockholm/makefu/2configs/task-client.nix> # <stockholm/makefu/2configs/syncthing.nix> # Virtualization - <stockholm/makefu/2configs/virtualisation/libvirt.nix> - <stockholm/makefu/2configs/virtualisation/docker.nix> + # <stockholm/makefu/2configs/virtualisation/libvirt.nix> + # <stockholm/makefu/2configs/virtualisation/docker.nix> <stockholm/makefu/2configs/virtualisation/virtualbox.nix> #{ # networking.firewall.allowedTCPPorts = [ 8080 ]; 
@@ -71,35 +81,43 @@ # Services <stockholm/makefu/2configs/git/brain-retiolum.nix> <stockholm/makefu/2configs/tor.nix> - <stockholm/makefu/2configs/vpn/vpngate.nix> + # <stockholm/makefu/2configs/vpn/vpngate.nix> # <stockholm/makefu/2configs/buildbot-standalone.nix> <stockholm/makefu/2configs/remote-build/aarch64-community.nix> - <stockholm/makefu/2configs/remote-build/gum.nix> - { nixpkgs.overlays = [ (self: super: super.prefer-remote-fetch self super) ]; } + # <stockholm/makefu/2configs/remote-build/gum.nix> + # { nixpkgs.overlays = [ (self: super: super.prefer-remote-fetch self super) ]; } + + <stockholm/makefu/2configs/binary-cache/gum.nix> + <stockholm/makefu/2configs/binary-cache/lass.nix> # Hardware <stockholm/makefu/2configs/hw/tp-x230.nix> - <stockholm/makefu/2configs/hw/mceusb.nix> - <stockholm/makefu/2configs/hw/malduino_elite.nix> + # <stockholm/makefu/2configs/hw/mceusb.nix> # <stockholm/makefu/2configs/hw/tpm.nix> # <stockholm/makefu/2configs/hw/rtl8812au.nix> <stockholm/makefu/2configs/hw/network-manager.nix> - <stockholm/makefu/2configs/hw/stk1160.nix> - <stockholm/makefu/2configs/hw/irtoy.nix> + # <stockholm/makefu/2configs/hw/stk1160.nix> + # <stockholm/makefu/2configs/hw/irtoy.nix> + # <stockholm/makefu/2configs/hw/malduino_elite.nix> <stockholm/makefu/2configs/hw/switch.nix> <stockholm/makefu/2configs/hw/bluetooth.nix> # <stockholm/makefu/2configs/hw/rad1o.nix> <stockholm/makefu/2configs/hw/smartcard.nix> + { + services.upower.enable = true; + users.users.makefu.packages = [ pkgs.gnome3.gnome-power-manager ]; + } + # Filesystem <stockholm/makefu/2configs/fs/sda-crypto-root-home.nix> # Security <stockholm/makefu/2configs/sshd-totp.nix> - { programs.adb.enable = true; } + # temporary - { services.redis.enable = true; } - <stockholm/makefu/2configs/pyload.nix> + # { services.redis.enable = true; } + # <stockholm/makefu/2configs/pyload.nix> # <stockholm/makefu/2configs/dcpp/airdcpp.nix> # <stockholm/makefu/2configs/nginx/rompr.nix> # 
<stockholm/makefu/2configs/lanparty/lancache.nix> @@ -136,6 +154,9 @@ makefu.server.primary-itf = "wlp3s0"; nixpkgs.config.allowUnfree = true; + nixpkgs.config.oraclejdk.accept_license = true; + + # configure pulseAudio to provide a HDMI sink as well networking.firewall.enable = true; @@ -163,7 +184,6 @@ "/home/makefu/.ssh/" "/home/makefu/.zsh_history" "/home/makefu/.bash_history" - "/home/makefu/.zshrc" "/home/makefu/bin" "/home/makefu/.gnupg" "/home/makefu/.imapfilter" @@ -171,6 +191,7 @@ "/home/makefu/docs" "/home/makefu/.password-store" "/home/makefu/.secrets-pass" + "/home/makefu/.config/syncthing" ]; services.syncthing.user = lib.mkForce "makefu"; diff --git a/makefu/2configs/binary-cache/gum.nix b/makefu/2configs/binary-cache/gum.nix new file mode 100644 index 000000000..fc54bd917 --- /dev/null +++ b/makefu/2configs/binary-cache/gum.nix @@ -0,0 +1,13 @@ + +{ config, ... }: + +{ + nix = { + binaryCaches = [ + "https://cache.euer.krebsco.de/" + ]; + binaryCachePublicKeys = [ + "gum:iIXIFlCAotib+MgI3V/i3HMlFXiVYOT/jfP0y54Zuvg=" + ]; + }; +} diff --git a/makefu/2configs/binary-cache/server.nix b/makefu/2configs/binary-cache/server.nix index ad6256830..c8f68c84d 100644 --- a/makefu/2configs/binary-cache/server.nix +++ b/makefu/2configs/binary-cache/server.nix @@ -19,9 +19,10 @@ }; services.nginx = { enable = true; - virtualHosts.nix-serve = { - serverAliases = [ "cache.gum.r" - "cache.euer.krebsco.de" + virtualHosts."cache.euer.krebsco.de" = { + forceSSL = true; + enableACME = true; + serverAliases = [ # "cache.gum.r" "cache.gum.krebsco.de" ]; locations."/".proxyPass= "http://localhost:${toString config.services.nix-serve.port}"; diff --git a/makefu/2configs/bureautomation/automation/bureau-shutdown.nix b/makefu/2configs/bureautomation/automation/bureau-shutdown.nix index c632a9e69..d54d9762a 100644 --- a/makefu/2configs/bureautomation/automation/bureau-shutdown.nix +++ b/makefu/2configs/bureautomation/automation/bureau-shutdown.nix 
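Review bot: `nix.binaryCaches` and `nix.binaryCachePublicKeys` in the new makefu/2configs/binary-cache/gum.nix are definitions that replace the option defaults rather than additions, so a host importing this file loses cache.nixos.org and its key unless another module (possibly the sibling lass.nix imported next to it in x/config.nix) lists them. If the default cache is meant to stay, list it here alongside `https://cache.euer.krebsco.de/` together with its key, and add a comment saying this file is the complete substituter list. Style: the file opens with an empty `+` line before `{ config, ... }:`, and `config` is unused.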
@@ -5,14 +5,40 @@ entity_id = "group.team"; from = "not_home"; to = "home"; + for.seconds = 30; }; - action = { - service = "homeassistant.turn_on"; - entity_id = [ - "switch.fernseher" - "switch.feuer" - ]; - }; + action = [ + { + service = "homeassistant.turn_on"; + entity_id = [ + "switch.fernseher" + "switch.feuer" + ]; + } + { + service = "media_player.kodi_call_method"; + data = { + entity_id = "media_player.kodi"; + method = "Player.Open"; + item.partymode = "music"; + }; + } + { + service = "tts.google_say"; + entity_id = "media_player.kodi"; + data = { + message = "Willkommen in deinem Lieblingsbüro"; + language = "de"; + }; + } + { + service = "notify.telegrambot"; + data = { + title = "Bureau Startup"; + message = "Willkommen {{ trigger.platform }}"; + }; + } + ]; } { alias = "Turn off Fernseher after last in group left"; trigger = [ @@ -42,7 +68,7 @@ service = "notify.telegrambot"; data = { title = "Bureau Shutdown"; - message = "All devices are turned off due to {{ trigger.platform }} - {{ trigger }}"; + message = "All devices are turned off due to {{ trigger.platform }}"; }; } ]; diff --git a/makefu/2configs/bureautomation/automation/hass-restart.nix b/makefu/2configs/bureautomation/automation/hass-restart.nix new file mode 100644 index 000000000..be16f6966 --- /dev/null +++ b/makefu/2configs/bureautomation/automation/hass-restart.nix @@ -0,0 +1,31 @@ +[ + { alias = "State on HA start-up"; + trigger = { + platform = "homeassistant"; + event = "start"; + }; + action = [ + # Startup State + { service = "mqtt.publish"; + data = { + topic = "/bam/sonoffs/cmnd/state"; + payload = ""; + }; + } + # Firmware Version + { service = "mqtt.publish"; + data = { + topic = "/bam/sonoffs/cmnd/status"; + payload = "2"; + }; + } + # Will trigger restart of all devices! + #{ service = "mqtt.publish"; + # data = { + # topic = "sonoffs/cmnd/SetOption59"; # configure sending state on power change + # payload = "1"; + # }; + #} + ]; + } +] 
diff --git a/makefu/2configs/bureautomation/automation/nachtlicht.nix b/makefu/2configs/bureautomation/automation/nachtlicht.nix index 2becd4a39..ec6fa20c7 100644 --- a/makefu/2configs/bureautomation/automation/nachtlicht.nix +++ b/makefu/2configs/bureautomation/automation/nachtlicht.nix @@ -1,43 +1,35 @@ [ - { - alias = "Turn off Nachtlicht on sunrise"; - trigger = - { - platform = "sun"; - event = "sunrise"; - }; - action = - { - service = "homeassistant.turn_off"; - entity_id = [ "group.nachtlicht" ]; - }; - } + # TODO: trigger if it is before dusk and somebody arives but nachtlichter are + # off from last day + # TODO: do not have nachtlicht turned on at night + { + alias = "Turn on Nachtlicht at dusk"; # when it gets dim + trigger = + { platform = "numeric_state"; + entity_id = "sun.sun"; + value_template = "{{ state.attributes.elevation }}"; + below = 10; - { - alias = "Turn on Nachtlicht on motion and dusk"; - trigger = - { - platform = "state"; - entity_id = "binary_sensor.motion"; - to = "on"; - }; - condition = # 'when dark' - { - condition = "or"; - conditions = [ - { condition = "sun"; - after = "sunset"; - after_offset = "-00:45:00"; # on dusk - } - { condition = "sun"; - before = "sunrise"; - } - ]; - }; - action = - { - service = "homeassistant.turn_on"; - entity_id = [ "group.nachtlicht" ]; - }; - } + }; + action = + { service = "homeassistant.turn_on"; + entity_id = [ "group.nachtlicht" ]; + }; + } + { + alias = "Turn off Nachtlicht at dawn"; + trigger = + { platform = "sun"; + event = "sunrise"; + offset = "01:30:00"; # on dawn + }; + # TODO: when somebody is still in the buero + # condition = + #{ + #}; + action = + { service = "homeassistant.turn_off"; + entity_id = [ "group.nachtlicht" ]; + }; + } ] diff --git a/makefu/2configs/bureautomation/default.nix b/makefu/2configs/bureautomation/default.nix index 917044d63..1782becd8 100644 --- a/makefu/2configs/bureautomation/default.nix +++ b/makefu/2configs/bureautomation/default.nix 
@@ -20,6 +20,9 @@ let mosquitto_pub -t /bam/$topic/cmnd/POWER -m OFF ''; in { + imports = [ + ./ota.nix + ]; services.logstash = { package = pkgs.logstash5; enable = true; diff --git a/makefu/2configs/bureautomation/hass.nix b/makefu/2configs/bureautomation/hass.nix index 4e5fe7b63..02465520c 100644 --- a/makefu/2configs/bureautomation/hass.nix +++ b/makefu/2configs/bureautomation/hass.nix @@ -6,6 +6,7 @@ in { state = [ "/var/lib/hass/known_devices.yaml" ]; services.home-assistant = { enable = true; + package = pkgs.home-assistant.override { python3 = pkgs.python36; }; config = { homeassistant = { name = "Bureautomation"; @@ -13,8 +14,14 @@ in { latitude = "48.8265"; longitude = "9.0676"; elevation = 303; + auth_providers = [ + { type = "homeassistant";} + { type = "legacy_api_password";} + { type = "trusted_networks"; + # allow_bypass_login = true; + } + ]; }; - mqtt = { broker = "localhost"; port = 1883; @@ -79,7 +86,8 @@ in { sensor = (import ./sensor/espeasy.nix) ++ ((import ./sensor/outside.nix) {inherit lib;}) ++ - (import ./sensor/influxdb.nix); + (import ./sensor/influxdb.nix) ++ + (import ./sensor/tasmota_firmware.nix); camera = (import ./camera/verkehrskamera.nix); @@ -89,12 +97,22 @@ in { # (import ./person/team.nix ); frontend = { }; - http = { }; + http = { + # TODO: https://github.com/home-assistant/home-assistant/issues/16149 + api_password = "sistemas"; + trusted_networks = [ + "127.0.0.1/32" + "192.168.8.0/24" + "::1/128" + "fd00::/8" + ]; + }; conversation = {}; history = {}; logbook = {}; tts = [ { platform = "google";} ]; recorder = {}; + sun = {}; telegram_bot = [ (builtins.fromJSON (builtins.readFile <secrets/hass/telegram-bot.json>)) @@ -156,8 +174,10 @@ in { outside = [ # "sensor.ditzingen_pm10" # "sensor.ditzingen_pm25" + "sensor.dark_sky_icon" "sensor.dark_sky_temperature" "sensor.dark_sky_humidity" + "sensor.dark_sky_uv_index" # "sensor.dark_sky_pressure" "sensor.dark_sky_hourly_summary" "device_tracker.router" 
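Review bot: `api_password = "sistemas"` in the `http` block of makefu/2configs/bureautomation/hass.nix is a credential committed in plaintext to the repository, and the `auth_providers` hunk above enables the matching `legacy_api_password` provider, so it is a live login credential; the other secret in this file is already read from `<secrets/hass/...>` (the telegram_bot line) and the password should go the same way, e.g. `api_password = lib.fileContents <secrets/hass/api-password>;` (`lib` is in scope here; the path is a placeholder). As far as I can tell the rendered configuration still ends up in the world-readable store either way, so the gain is keeping it out of git history, not out of the host. Separately, `trusted_networks` with `192.168.8.0/24` and `fd00::/8` plus the `trusted_networks` auth provider lets, as I understand that provider, any client on those ranges authenticate without a password, and `fd00::/8` is the whole ULA space rather than this site's prefix; if that is intended for the office network it deserves a comment, otherwise narrow the IPv6 entry.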
@@ -169,6 +189,7 @@ in { # home-assistant automation = (import ./automation/bureau-shutdown.nix) ++ (import ./automation/nachtlicht.nix) ++ + (import ./automation/hass-restart.nix) ++ (import ./automation/10h_timer.nix); device_tracker = (import ./device_tracker/openwrt.nix ); }; diff --git a/makefu/2configs/bureautomation/light/statuslight.nix b/makefu/2configs/bureautomation/light/statuslight.nix index 0acab7281..31f52f492 100644 --- a/makefu/2configs/bureautomation/light/statuslight.nix +++ b/makefu/2configs/bureautomation/light/statuslight.nix @@ -20,7 +20,7 @@ let payload_not_available= "Offline"; # brightness brightness_state_topic = "/bam/${topic}/tele/STATE"; - brightness_value_template = "{{value_json.Dimmer}}"; + brightness_value_template = "{{value_json.Dimmer|default(100)}}"; brightness_command_topic = "/bam/${topic}/cmnd/Dimmer"; brightness_scale = 100; # color @@ -30,9 +30,8 @@ let rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}"; # effects effect_state_topic = "/bam/${topic}/tele/STATE"; - effects_value_template = "{{value_json.Scheme}}"; + effects_value_template = "{{value_json.Scheme|default(0)}}"; effect_command_topic = "/bam/${topic}/cmnd/Scheme"; - effect_value_template = "{{ value_json.Scheme }}"; effect_list = [ 0 # single color for LED light 1 # start wake up sequence (same as Wakeup) diff --git a/makefu/2configs/bureautomation/ota.nix b/makefu/2configs/bureautomation/ota.nix new file mode 100644 index 000000000..f2f931d21 --- /dev/null +++ b/makefu/2configs/bureautomation/ota.nix 
@@ -0,0 +1,15 @@ +{ + # mosquitto_pub -t /bam/sonoffs/cmnd/OtaUrl -m "http://192.168.8.11/sonoff.bin" + # mosquitto_pub -t /bam/sonoffs/cmnd/upgrade -m "6.5.0" + # wget https://github.com/arendst/Sonoff-Tasmota/releases/download/v6.5.0/sonoff.bin + # wget https://github.com/arendst/Sonoff-Tasmota/releases/download/v6.5.0/sonoff-minimal.bin + services.nginx = { + enable = true; + virtualHosts."192.168.8.11" = { + root = "/var/www/tasmota"; + extraConfig = '' + autoindex on; + ''; + }; + }; +} diff --git a/makefu/2configs/bureautomation/sensor/tasmota_firmware.nix b/makefu/2configs/bureautomation/sensor/tasmota_firmware.nix new file mode 100644 index 000000000..1a4738e12 --- /dev/null +++ b/makefu/2configs/bureautomation/sensor/tasmota_firmware.nix @@ -0,0 +1,16 @@ +let + tasmota_firmware = topic: + { platform = "mqtt"; + name = "${topic} Firmware"; + state_topic = "/bam/${topic}/stat/STATUS2"; + availability_topic = "/bam/${topic}/tele/LWT"; + value_template = "v{{value_json.StatusFWR.Version}}"; + payload_available= "Online"; + payload_not_available= "Offline"; + }; +in + map tasmota_firmware [ + "plug" "plug2" "plug3" "plug4" "plug5" + "status1" "status2" "buslicht" + "rfbridge" + ] diff --git a/makefu/2configs/deployment/owncloud.nix b/makefu/2configs/deployment/owncloud.nix index d7c082662..6f073fd4c 100644 --- a/makefu/2configs/deployment/owncloud.nix +++ b/makefu/2configs/deployment/owncloud.nix @@ -23,9 +23,9 @@ let in { system.activationScripts."prepare-nextcloud-${domain}" = '' if test ! -e ${root} ;then - echo "copying latest ${pkgs.owncloud.name} release to ${root}" + echo "copying latest ${pkgs.nextcloud.name} release to ${root}" mkdir -p $(dirname "${root}") - cp -r ${pkgs.owncloud} "${root}" + cp -r ${pkgs.nextcloud} "${root}" chown -R nginx:nginx "${root}" chmod 770 "${root}" fi diff --git a/makefu/2configs/home-manager/default.nix b/makefu/2configs/home-manager/default.nix index 2a4574cc8..f68b1092f 100644 
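Review bot: The OTA setup in makefu/2configs/bureautomation/ota.nix serves firmware images to the devices over plain HTTP from `/var/www/tasmota` with `autoindex on`, so image integrity rests entirely on the LAN segment and on whoever copies files into that directory; the comment block records the download commands but not what was downloaded. I would add the sha256 of each image placed there to that comment (e.g. `# sonoff.bin sha256: <fill in after download>`) so a later re-download or an altered file can be compared against it, and state that only hosts on 192.168.8.0/24 are expected to reach this vhost. The directory listing also makes every file under that root visible to any client on the network, which is fine for firmware but worth remembering if other files land there.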
--- a/makefu/2configs/home-manager/default.nix +++ b/makefu/2configs/home-manager/default.nix @@ -2,7 +2,9 @@ imports = [ <home-manager/nixos> ]; + home-manager.useUserPackages = true; home-manager.users.makefu = { + home.stateVersion = "19.03"; }; environment.variables = { GTK_DATA_PREFIX = "/run/current-system/sw"; diff --git a/makefu/2configs/home-manager/desktop.nix b/makefu/2configs/home-manager/desktop.nix index 63a5cdbef..406f7f0d1 100644 --- a/makefu/2configs/home-manager/desktop.nix +++ b/makefu/2configs/home-manager/desktop.nix @@ -5,7 +5,10 @@ home-manager.users.makefu = { systemd.user.services.network-manager-applet.Service.Environment = ''XDG_DATA_DIRS=/run/current-system/sw/share:${pkgs.networkmanagerapplet}/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache''; programs.browserpass = { browsers = [ "firefox" ] ; enable = true; }; - programs.firefox.enable = true; + programs.firefox = { + enable = true; + enableIcedTea = true; + }; programs.obs-studio.enable = true; xdg.enable = true; services.network-manager-applet.enable = true; @@ -20,7 +23,6 @@ filenamePattern=%F_%T_shot ''; - systemd.user.services.pasystray.Service.Environment = "PATH=" + (lib.makeBinPath (with pkgs;[ pavucontrol paprefs /* pavumeter */ /* paman */ ]) ); programs.chromium = { enable = true; extensions = [ diff --git a/makefu/2configs/home-manager/recording.nix b/makefu/2configs/home-manager/recording.nix new file mode 100644 index 000000000..31ca77b2b --- /dev/null +++ b/makefu/2configs/home-manager/recording.nix @@ -0,0 +1,4 @@ +{pkgs, ... }: +{ + home-manager.users.makefu.programs.obs-studio.enable = true; +} diff --git a/makefu/2configs/home-manager/taskwarrior.nix b/makefu/2configs/home-manager/taskwarrior.nix index 8ad16dcf2..57ba1a08d 100644 --- a/makefu/2configs/home-manager/taskwarrior.nix +++ b/makefu/2configs/home-manager/taskwarrior.nix 
@@ -3,6 +3,12 @@ let loc = "/home/makefu/.task"; in { state = [ "${loc}/keys" ]; + environment.shellAliases = { + tshack = "task tags:shack"; + tkrebs = "task tags:krebs"; + thome = "task tags:home"; + t = "task project: "; + }; home-manager.users.makefu.programs.taskwarrior = { enable = true; dataLocation = loc; diff --git a/makefu/2configs/home-manager/zsh.nix b/makefu/2configs/home-manager/zsh.nix index 6c7b632e1..267a2e878 100644 --- a/makefu/2configs/home-manager/zsh.nix +++ b/makefu/2configs/home-manager/zsh.nix @@ -67,6 +67,7 @@ home-manager.users.makefu.programs.zsh.shellAliases = { cat = "bat"; catn = "${pkgs.coreutils}/bin/cat"; + ncat = "${pkgs.coreutils}/bin/cat"; }; } ]; diff --git a/makefu/2configs/homeautomation/default.nix b/makefu/2configs/homeautomation/default.nix index 4e9ac0ee3..c4fef1bfc 100644 --- a/makefu/2configs/homeautomation/default.nix +++ b/makefu/2configs/homeautomation/default.nix @@ -108,6 +108,7 @@ in { ]; services.home-assistant = { + package = pkgs.home-assistant.override { python3 = pkgs.python36; }; config = { homeassistant = { name = "Home"; time_zone = "Europe/Berlin"; diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix index 42ae309d0..b4b2562fe 100644 --- a/makefu/2configs/hw/tp-x2x0.nix +++ b/makefu/2configs/hw/tp-x2x0.nix @@ -1,6 +1,5 @@ { config, lib, pkgs, ... }: -with import <stockholm/lib>; { imports = [ ./tpm.nix @@ -19,7 +18,6 @@ with import <stockholm/lib>; hardware.cpu.intel.updateMicrocode = true; zramSwap.enable = true; - zramSwap.numDevices = 2; # enable synaptics so we can easily disable the touchpad # enable the touchpad with `synclient TouchpadOff=0` diff --git a/makefu/2configs/tools/android-pentest.nix b/makefu/2configs/tools/android-pentest.nix index 05560db90..036f6e6fe 100644 --- a/makefu/2configs/tools/android-pentest.nix +++ b/makefu/2configs/tools/android-pentest.nix 
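Review bot: The new alias `ncat = "${pkgs.coreutils}/bin/cat";` in makefu/2configs/home-manager/zsh.nix shadows nmap's `ncat` in interactive shells, and this same commit keeps `nmap` in makefu/2configs/tools/android-pentest.nix, so on a host with both an interactive `ncat host port` silently runs cat instead. A name that does not collide with an installed binary avoids that; the sibling `catn` alias already exists for the same purpose.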
@@ -3,7 +3,7 @@ { nixpkgs.config.android_sdk.accept_license = true; users.users.makefu.packages = with pkgs; [ - mitmproxy + # mitmproxy nmap msf drozer diff --git a/makefu/2configs/tools/core-gui.nix b/makefu/2configs/tools/core-gui.nix index 41bfef270..ee4f05980 100644 --- a/makefu/2configs/tools/core-gui.nix +++ b/makefu/2configs/tools/core-gui.nix @@ -10,7 +10,8 @@ keepassx pcmanfm evince - mirage + # replacement for mirage: + sxiv tightvnc gnome3.dconf xdotool diff --git a/makefu/2configs/tools/media.nix b/makefu/2configs/tools/media.nix index 88a7c6882..3f2cf3096 100644 --- a/makefu/2configs/tools/media.nix +++ b/makefu/2configs/tools/media.nix @@ -7,7 +7,7 @@ vlc mumble mplayer - quodlibet # exfalso + # quodlibet # exfalso plowshare streamripper diff --git a/makefu/5pkgs/nixpkgs-pytools/default.nix b/makefu/5pkgs/nixpkgs-pytools/default.nix new file mode 100644 index 000000000..35146d155 --- /dev/null +++ b/makefu/5pkgs/nixpkgs-pytools/default.nix @@ -0,0 +1,17 @@ +{pkgs, fetchFromGitHub}: +with pkgs.python3.pkgs; + +buildPythonPackage rec { + pname = "nixpkgs-pytools"; + version = "1.0.0-dev"; + src = fetchFromGitHub { + owner = "nix-community"; + repo = pname; + rev = "593443b5689333cad3b6fa5b42e96587df68b0f8"; + sha256 = "1cjpngr1rn5q59a1krgmpq2qm96wbiirc8yf1xmm21p3mskb2db4"; + }; + propagatedBuildInputs = [ + jinja2 setuptools + ]; + checkInputs = [ black ]; +} diff --git a/makefu/5pkgs/prison-break/default.nix b/makefu/5pkgs/prison-break/default.nix index f86ac3762..051a46184 100644 --- a/makefu/5pkgs/prison-break/default.nix +++ b/makefu/5pkgs/prison-break/default.nix 
@@ -3,12 +3,12 @@ with pkgs.python3.pkgs;
 buildPythonPackage rec {
 pname = "prison-break";
- version = "0.1.0";
+ version = "1.0.0";
 src = fetchFromGitHub {
 owner = "makefu";
 repo = pname;
- rev = "5eed6371e151e716faafa054e005bd98d77b4b5d";
- sha256 = "170zs9grbgkx83ghg6pm13v7vhi604y44j550ypp2x26nidaw63j";
+ rev = "1.0.0";
+ sha256 = "0ab42z6qr42vz4fc077irn9ykrrylagx1dzlw8dqcanf49dxd961";
 };
 propagatedBuildInputs = [
 docopt
diff --git a/makefu/krops.nix b/makefu/krops.nix
index 7c3fbcf4a..36c882d7e 100644
--- a/makefu/krops.nix
+++ b/makefu/krops.nix
@@ -1,6 +1,6 @@
 { config ? config, name, target ? name }: let
 krops = ../submodules/krops;
- nixpkgs-src = lib.importJSON ./nixpkgs.json;
+ nixpkgs-src = lib.importJSON ../krebs/nixpkgs.json;
 lib = import "${krops}/lib";
 pkgs = import "${krops}/pkgs" {};
@@ -20,10 +20,6 @@
 } // import (./. + "/1systems/${name}/source.nix");
 source = { test }: lib.evalSource [
 {
- # nixos-18.09 @ 2018-09-18
- # + uhub/sqlite: 5dd7610401747
- # + hovercraft: 7134801b17d72
- # + PR#53934: eac6797380af1
 nixpkgs = if host-src.arm6 then {
 # TODO: we want to track the unstable channel
 symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/";
@@ -31,7 +27,7 @@
 derivation = ''
 with import <nixpkgs> {};
 pkgs.fetchFromGitHub {
- owner = "makefu";
+ owner = "nixos";
 repo = "nixpkgs";
 rev = "${nixpkgs-src.rev}";
 sha256 = "${nixpkgs-src.sha256}";
@@ -75,7 +71,7 @@
 (lib.mkIf ( host-src.home-manager ) {
 home-manager.git = {
 url = https://github.com/rycee/home-manager;
- ref = "4aa07c3";
+ ref = "ff602cb906e3dd5d5f89c7c1d0fae65bc67119a0";
 };
 })
 ];
diff --git a/tv/2configs/mail-client.nix b/tv/2configs/mail-client.nix
index 0caf5264a..fc8fc81f2 100644
--- a/tv/2configs/mail-client.nix
+++ b/tv/2configs/mail-client.nix
@@ -3,7 +3,6 @@
 pkgs.haskellPackages.much
 pkgs.msmtp
 pkgs.notmuch
- pkgs.pythonPackages.alot
 pkgs.qprint
 pkgs.w3m
 ];
diff --git a/tv/2configs/pulse.nix b/tv/2configs/pulse.nix
index 2e679bd14..ea3970152 100644
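Review bot: `rev = "1.0.0";` repeats the `version = "1.0.0";` binding a few lines above in the prison-break hunk; inside `buildPythonPackage rec` it can be written `rev = version;` so the two cannot drift apart on the next bump. The change also swaps a full commit hash for a tag, so the expression no longer records which commit was fetched; the sha256 still fixes the content, so a moved tag fails the build loudly rather than silently substituting code, but a comment noting the commit the tag resolved to would keep the audit trail the old `rev` provided.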
--- a/tv/2configs/pulse.nix
+++ b/tv/2configs/pulse.nix
@@ -1,10 +1,12 @@
-{ config, lib, pkgs, pkgs_i686, ... }:
+{ config, lib, pkgs, ... }:
 with import <stockholm/lib>;
 let
 pkg = pkgs.pulseaudioLight;
 runDir = "/run/pulse";
+ pkgs_i686 = pkgs.pkgsi686Linux;
+
 support32Bit = pkgs.stdenv.isx86_64 &&
 pkgs_i686.alsaLib != null &&
diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix
index 605d827ef..8f960dd79 100644
--- a/tv/5pkgs/default.nix
+++ b/tv/5pkgs/default.nix
@@ -45,10 +45,9 @@ foldl' mergeAttrs {}
 self.callPackage ./compat/18.03/pass {
 pass-otp = self.callPackage ./compat/18.03/pass-otp {};
 };
- "18.09" =
+ }.${versions.majorMinor nixpkgsVersion} or
 super.pass.withExtensions (ext: [ ext.pass-otp ]);
- }.${versions.majorMinor nixpkgsVersion};
 }
diff --git a/tv/5pkgs/simple/utsushi.nix b/tv/5pkgs/simple/utsushi.nix
index 55e8800a6..0ae4ed880 100644
--- a/tv/5pkgs/simple/utsushi.nix
+++ b/tv/5pkgs/simple/utsushi.nix
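Review bot: The new `}.${versions.majorMinor nixpkgsVersion} or` line in tv/5pkgs/default.nix, continued by `super.pass.withExtensions (ext: [ ext.pass-otp ]);`, does not parse the way it reads: in Nix the `or` default binds tighter than function application, so the expression is `(... or super.pass.withExtensions) (ext: [ ext.pass-otp ])`. On a nixpkgs whose majorMinor matches the compat key (presumably "18.03", the key line is before the hunk) the selected compat derivation is applied to the lambda and evaluation fails, while on every other version withExtensions receives the lambda as intended, which is why the change can look correct. Parenthesizing the default restores the intent: `}.${versions.majorMinor nixpkgsVersion} or (super.pass.withExtensions (ext: [ ext.pass-otp ]));` (the existing line break can stay). The `pass` attribute this belongs to starts before the hunk.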
@@ -51,13 +51,19 @@ let
 src =
 if stdenv.system == "i686-linux" then
 fetchurl {
- url = "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-1.3.21.x86.deb.tar.gz";
- sha256 = "16xv1pdfm2ryis815fawb7zqg6c4swww726g272ssx044r5dp80r";
+ urls = [
+ "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x86/imagescan-bundle-debian-9-3.55.0.x86.deb.tar.gz"
+ "http://ni.r/~tv/mirrors/epson/imagescan-bundle-debian-9-3.55.0.x86.deb.tar.gz"
+ ];
+ sha256 = "12syk4y8z22hm9r1lgxqp81vd24jbqgmq83b7yiyqfd4wfxb6k3s";
 }
 else if stdenv.system == "x86_64-linux" then
 fetchurl {
- url = "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-1.3.21.x64.deb.tar.gz";
- sha256 = "0zik35h2jwrvkwcmq55wc72imidwdnmn1bayhypzhjcz61rasjg2";
+ urls = [
+ "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-3.55.0.x64.deb.tar.gz"
+ "http://ni.r/~tv/mirrors/epson/imagescan-bundle-debian-9-3.55.0.x64.deb.tar.gz"
+ ];
+ sha256 = "1wp372hqhzdar6ldxy7s9js2s872x8c5nwq3608dwg9gca11ppc5";
 }
 else
 throw "${name} is not supported on ${stdenv.system} (only i686-linux and x86_64 linux are supported)";
@@ -92,7 +98,7 @@ let
 license = stdenv.lib.licenses.eapl;
 maintainers = [ stdenv.lib.maintainers.tv ];
 platforms = stdenv.lib.platforms.linux;
- version = "1.1.0";
+ version = "1.1.2";
 };
 };
@@ -102,8 +108,11 @@ stdenv.mkDerivation rec {
 name = "utsushi-${meta.version}";
 src = fetchurl {
- url = "http://support.epson.net/linux/src/scanner/imagescanv3/debian/imagescan_${meta.version}.orig.tar.gz";
- sha256 = "1gmiimwkcyzbkfr25vzqczjhgh90fgxd96agbnkpf9gah1mpd6qj";
+ urls = [
+ "http://support.epson.net/linux/src/scanner/imagescanv3/debian/imagescan_${meta.version}.orig.tar.gz"
+ "http://ni.r/~tv/mirrors/epson/imagescan_${meta.version}.orig.tar.gz"
+ ];
+ sha256 = "0xwl4xp07cigslbi1qc52jsjvxcyvjlx54g812mn7211p01v2h4l";
 };
 preConfigure = ''
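Review bot: The bundle version 3.55.0 is spelled out in all four new URLs of the first utsushi.nix hunk and, if the bundle and utsushi are meant to move together (both are 3.55.0 in this commit), repeated once more as the derivation's `meta.version` in the file's last hunk, so the next bump touches five places and a missed one surfaces only as a confusing sha256 mismatch; one binding in the enclosing `let`, e.g. `version = "3.55.0";`, interpolated into the URLs and the meta would keep them in step. The `http://ni.r/~tv/mirrors/epson/...` fallbacks are plain HTTP on a private host, which is acceptable here only because each fetchurl is a fixed-output derivation whose sha256 pins the content; that reasoning deserves a one-line comment beside each `urls` list, e.g. `# mirror is unauthenticated; integrity comes from sha256 below`. The `let` the first hunk belongs to starts before the hunk.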
@@ -203,6 +212,6 @@ stdenv.mkDerivation rec {
 license = stdenv.lib.licenses.gpl3;
 maintainers = [ stdenv.lib.maintainers.tv ];
 platforms = stdenv.lib.platforms.linux;
- version = "3.54.0";
+ version = "3.55.0";
 };
 } |