authormakefu <github@syntax-fehler.de>2022-06-07 00:17:23 +0200
committermakefu <github@syntax-fehler.de>2022-06-07 00:17:23 +0200
commit9c1799914a2e6f2dc736fe2eaad7134602a3d837 (patch)
tree08347f7f29bc00c3b40be2a49e069268c0163716
parent1e405be047a79e1abd0c28e52b5009b9675909b8 (diff)
parentbdc80e55411e197f89990e988f8b7e67c084d3d3 (diff)
Merge remote-tracking branch 'lass/master' into 22.05
-rw-r--r--.github/workflows/repo-sync.yml2
-rw-r--r--krebs/2configs/container-networking.nix2
-rw-r--r--krebs/2configs/matterbridge.nix9
-rw-r--r--krebs/2configs/news.nix2
-rw-r--r--krebs/2configs/reaktor2.nix1
-rw-r--r--krebs/2configs/security-workarounds.nix2
-rw-r--r--krebs/3modules/acl.nix19
-rw-r--r--krebs/3modules/krebs/default.nix1
-rw-r--r--krebs/5pkgs/haskell/brockman/default.nix6
-rw-r--r--krebs/5pkgs/haskell/reaktor2/default.nix8
-rw-r--r--krebs/5pkgs/simple/realwallpaper/default.nix2
-rw-r--r--krebs/5pkgs/simple/weechat-declarative/default.nix85
-rw-r--r--krebs/nixpkgs-unstable.json8
-rw-r--r--krebs/nixpkgs.json8
-rwxr-xr-xkrebs/update-nixpkgs.sh2
-rw-r--r--lass/1systems/daedalus/config.nix40
-rw-r--r--lass/1systems/lasspi/physical.nix1
-rw-r--r--lass/1systems/prism/config.nix1
-rw-r--r--lass/1systems/xerxes/config.nix2
-rw-r--r--lass/2configs/IM.nix33
-rw-r--r--lass/2configs/alacritty.nix37
-rw-r--r--lass/2configs/baseX.nix8
-rw-r--r--lass/2configs/bgt-bot/bgt-check.sh57
-rw-r--r--lass/2configs/bgt-bot/default.nix44
-rw-r--r--lass/2configs/bitcoin.nix1
-rw-r--r--lass/2configs/bitlbee.nix2
-rw-r--r--lass/2configs/blue.nix1
-rw-r--r--lass/2configs/br.nix2
-rw-r--r--lass/2configs/codimd.nix5
-rw-r--r--lass/2configs/default.nix5
-rw-r--r--lass/2configs/games.nix2
-rw-r--r--lass/2configs/git-brain.nix2
-rw-r--r--lass/2configs/git.nix6
-rw-r--r--lass/2configs/home-media.nix4
-rw-r--r--lass/2configs/jitsi.nix3
-rw-r--r--lass/2configs/mail.nix10
-rw-r--r--lass/2configs/minecraft.nix1
-rw-r--r--lass/2configs/mpv.nix30
-rw-r--r--lass/2configs/paste.nix4
-rw-r--r--lass/2configs/programs.nix35
-rw-r--r--lass/2configs/radio/default.nix5
-rw-r--r--lass/2configs/radio/news.nix46
-rw-r--r--lass/2configs/radio/weather.nix55
-rw-r--r--lass/2configs/radio/weather_for_ips.py12
-rw-r--r--lass/2configs/realwallpaper.nix4
-rw-r--r--lass/2configs/retiolum.nix1
-rw-r--r--lass/2configs/ssh-cryptsetup.nix2
-rw-r--r--lass/2configs/sync/decsync.nix9
-rw-r--r--lass/2configs/sync/sync.nix11
-rw-r--r--lass/2configs/sync/weechat.nix8
-rw-r--r--lass/2configs/tests/dummy-secrets/ssh-tor.priv0
-rw-r--r--lass/2configs/themes.nix1
-rw-r--r--lass/2configs/tmux.nix29
-rw-r--r--lass/2configs/tor-ssh.nix14
-rw-r--r--lass/2configs/vim.nix62
-rw-r--r--lass/2configs/websites/domsen.nix56
-rw-r--r--lass/2configs/websites/lassulus.nix32
-rw-r--r--lass/2configs/websites/ref.ptkk.de/default.nix89
-rw-r--r--lass/2configs/websites/util.nix1
-rw-r--r--lass/2configs/wiregrill.nix4
-rw-r--r--lass/2configs/yubikey.nix2
-rw-r--r--lass/5pkgs/sshvnc/default.nix11
62 files changed, 633 insertions, 314 deletions
diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml
index b4c91299f..5112f7e0c 100644
--- a/.github/workflows/repo-sync.yml
+++ b/.github/workflows/repo-sync.yml
@@ -8,7 +8,7 @@ jobs:
if: github.repository_owner == 'Mic92'
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
with:
persist-credentials: false
- name: repo-sync
diff --git a/krebs/2configs/container-networking.nix b/krebs/2configs/container-networking.nix
index fa4488800..bf3fe711e 100644
--- a/krebs/2configs/container-networking.nix
+++ b/krebs/2configs/container-networking.nix
@@ -1,7 +1,7 @@
{ lib, ... }:
{
networking.nat.enable = true;
- networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.internalInterfaces = ["ve-+" "ctr+" ];
networking.nat.externalInterface = lib.mkDefault "et0";
networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
}
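Review bot: `ctr+` is added to `networking.nat.internalInterfaces`, but `networking.networkmanager.unmanaged` two lines below still lists only `interface-name:ve-*`, so on any host that also runs NetworkManager an interface matching `ctr*` could be picked up and managed by it while `ve-*` ones are not. Whether such a host exists is not visible from this hunk; if the `ctr` interfaces are meant to be treated like the `ve` ones, add `"interface-name:ctr*"` to that list. A short comment naming what creates the `ctr*` interfaces would also help, since the file otherwise only mentions containers implicitly.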
diff --git a/krebs/2configs/matterbridge.nix b/krebs/2configs/matterbridge.nix
index 9c0908def..a68aa292c 100644
--- a/krebs/2configs/matterbridge.nix
+++ b/krebs/2configs/matterbridge.nix
@@ -19,11 +19,6 @@
inherit Nick;
};
};
- mumble.lassulus = {
- Server = "lassul.us:64738";
- Nick = "krebs_bridge";
- SkipTLSVerify = true;
- };
gateway = [
{
name = "krebs-bridge";
@@ -37,10 +32,6 @@
account = "telegram.krebs";
channel = "-330372458";
}
- {
- account = "mumble.lassulus";
- channel = 6; # "nixos"
- }
];
}
];
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 1f966bf24..9e2cec10a 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -164,7 +164,7 @@
if [ ''${#youtube_url} -eq 24 ]; then
youtube_id=$youtube_url
else
- youtube_id=$(${pkgs.youtube-dl}/bin/youtube-dl --max-downloads 1 -j "$youtube_url" | ${pkgs.jq}/bin/jq -r '.channel_id')
+ youtube_id=$(${pkgs.yt-dlp}/bin/yt-dlp --max-downloads 1 -j "$youtube_url" | ${pkgs.jq}/bin/jq -r '.channel_id')
fi
echo "brockman: add yt_$youtube_nick http://rss.r/?action=display&bridge=Youtube&context=By+channel+id&c=$youtube_id&duration_min=&duration_max=&format=Mrss"
'';
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index 305d31405..205cc96f4 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -148,6 +148,7 @@ in {
services.nginx = {
virtualHosts."agenda.r" = {
+ serverAliases = [ "kri.r" ];
locations."= /index.html".extraConfig = ''
alias ${pkgs.writeText "agenda.html" ''
<!DOCTYPE html>
diff --git a/krebs/2configs/security-workarounds.nix b/krebs/2configs/security-workarounds.nix
index 0743f2b49..b1a492f51 100644
--- a/krebs/2configs/security-workarounds.nix
+++ b/krebs/2configs/security-workarounds.nix
@@ -1,6 +1,4 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
- # https://github.com/Lassulus/CVE-2021-4034
- security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" "");
}
diff --git a/krebs/3modules/acl.nix b/krebs/3modules/acl.nix
index 9cdbb6cff..d23706499 100644
--- a/krebs/3modules/acl.nix
+++ b/krebs/3modules/acl.nix
@@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }: let
parents = dir:
if dir == "/" then
- [ dir ]
+ []
else
[ dir ] ++ parents (builtins.dirOf dir)
;
@@ -40,13 +40,16 @@ in {
pkgs.coreutils
];
serviceConfig = {
- ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
- lib.mapAttrsToList (_: rule: ''
- setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
- ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
- ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
- '') rules
- ));
+ ExecStart = pkgs.writers.writeDash "acl" ''
+ mkdir -p "${path}"
+ ${lib.concatStrings (
+ lib.mapAttrsToList (_: rule: ''
+ setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
+ ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
+ ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents (builtins.dirOf path)))}
+ '') rules
+ )}
+ '';
RemainAfterExit = true;
Type = "simple";
};
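Review bot: The new `mkdir -p "${path}"` quotes the path, while the `setfacl ... ${path}` and `${folder}` lines kept in the same generated script remain unquoted, so a path containing whitespace would be created correctly and then ACL'd on the wrong words; quoting them the same way, e.g. `setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} "${path}"`, removes the mismatch. `mkdir -p` also silently creates every missing parent as root with umask permissions before the parents loop applies ACLs to them, which may be intended but deserves a comment such as `# create the target so the rules can be applied on first boot`. The first hunk's `parents` now returning `[]` for `/`, combined with `parents (builtins.dirOf path)` here, means `/` is never touched and `path` itself is not listed twice, which reads as correct.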
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index d58f0fbaa..854176f0b 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -74,6 +74,7 @@ in {
aliases = [
"hotdog.r"
"agenda.r"
+ "kri.r"
"build.r"
"build.hotdog.r"
"ca.r"
diff --git a/krebs/5pkgs/haskell/brockman/default.nix b/krebs/5pkgs/haskell/brockman/default.nix
index 8a2311a2e..6a0c7f9df 100644
--- a/krebs/5pkgs/haskell/brockman/default.nix
+++ b/krebs/5pkgs/haskell/brockman/default.nix
@@ -7,19 +7,19 @@
}:
mkDerivation rec {
pname = "brockman";
- version = "4.0.3";
+ version = "4.0.4";
src = fetchFromGitHub {
owner = "kmein";
repo = "brockman";
rev = version;
- sha256 = "sha256-rjwroSG9ys0FV2JM70kzmCutMVpUTx8cQ+jQq8Hw1kw=";
+ sha256 = "sha256-GOEEUjehFgMMf6cNpi0AP/Rz74sTDEcpKRbLD+6YEz0=";
};
isLibrary = false;
isExecutable = true;
executableHaskellDepends = [
aeson aeson-pretty base bytestring case-insensitive conduit
containers directory feed filepath hashable hslogger html-entity
- http-client irc-conduit lens lrucache lrucaching network
+ http-client irc-conduit lens lrucache network
optparse-applicative random safe text time timerep wreq
];
license = lib.licenses.mit;
diff --git a/krebs/5pkgs/haskell/reaktor2/default.nix b/krebs/5pkgs/haskell/reaktor2/default.nix
index d41d8d818..9ff2bd883 100644
--- a/krebs/5pkgs/haskell/reaktor2/default.nix
+++ b/krebs/5pkgs/haskell/reaktor2/default.nix
@@ -8,11 +8,11 @@
}:
mkDerivation rec {
pname = "reaktor2";
- version = "0.4.0";
+ version = "0.4.0a";
src = fetchgit {
- url = "https://cgit.krebsco.de/reaktor2";
- sha256 = "0bnn23hjl57y0a5rf3h8kq078dziby7il7fandz5wh6s4i3psicp";
- rev = "v${version}";
+ url = "https://cgit.lassul.us/reaktor2";
+ sha256 = "sha256-x1i2TWcycYVFij6832xaBiQa1RQ1VmSfu5Qt1QrUtds=";
+ rev = "6d3eb6de5e770ee26874bb7449934f0c55bd1efa";
fetchSubmodules = true;
};
isLibrary = false;
diff --git a/krebs/5pkgs/simple/realwallpaper/default.nix b/krebs/5pkgs/simple/realwallpaper/default.nix
index 2fbc7ff86..832e47f26 100644
--- a/krebs/5pkgs/simple/realwallpaper/default.nix
+++ b/krebs/5pkgs/simple/realwallpaper/default.nix
@@ -122,7 +122,7 @@ pkgs.writers.writeDashBin "generate-wallpaper" ''
'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=MOD14A1_E_FIRE') &
# regular fetches
- fetch marker.json.tmp "$marker_url"
+ fetch marker.json.tmp "$marker_url" || :
if [ -s marker.json.tmp ]; then
mv marker.json.tmp marker.json
fi
diff --git a/krebs/5pkgs/simple/weechat-declarative/default.nix b/krebs/5pkgs/simple/weechat-declarative/default.nix
index e6ecfd631..5f9c8635b 100644
--- a/krebs/5pkgs/simple/weechat-declarative/default.nix
+++ b/krebs/5pkgs/simple/weechat-declarative/default.nix
@@ -109,45 +109,60 @@ let
};
};
+ setFile = pkgs.writeText "weechat.set" (
+ lib.optionalString (cfg.settings != {})
+ (lib.concatStringsSep "\n" (
+ lib.optionals
+ (cfg.settings.irc or {} != {})
+ (lib.mapAttrsToList
+ (name: server: "/server add ${name} ${lib.toWeechatValue server.addresses}")
+ cfg.settings.irc.server)
+ ++
+ lib.optionals
+ (cfg.settings.matrix or {} != {})
+ (lib.mapAttrsToList
+ (name: server: "/matrix server add ${name} ${server.address}")
+ cfg.settings.matrix.server)
+ ++
+ lib.mapAttrsToList lib.setCommand (lib.attrPathsSep "." cfg.settings)
+ ++
+ lib.optionals
+ (cfg.settings.filters or {} != {})
+ (lib.mapAttrsToList lib.filterAddreplace cfg.settings.filters)
+ ++
+ lib.singleton cfg.extraCommands
+ ))
+ );
+
weechat = pkgs.weechat.override {
configure = _: {
- init = lib.optionalString (cfg.settings != {})
- (lib.concatStringsSep "\n" (
- lib.optionals
- (cfg.settings.irc or {} != {})
- (lib.mapAttrsToList
- (name: server: "/server add ${name} ${server.address}")
- cfg.settings.irc.server)
- ++
- lib.optionals
- (cfg.settings.matrix or {} != {})
- (lib.mapAttrsToList
- (name: server: "/matrix server add ${name} ${server.address}")
- cfg.settings.matrix.server)
- ++
- lib.mapAttrsToList lib.setCommand (lib.attrPathsSep "." cfg.settings)
- ++
- lib.optionals
- (cfg.settings.filters or {} != {})
- (lib.mapAttrsToList lib.filterAddreplace cfg.settings.filters)
- ++
- lib.singleton cfg.extraCommands
- ));
+ init = "/exec -oc cat ${setFile}";
scripts = cfg.scripts;
};
};
-in pkgs.writers.writeDashBin "weechat" ''
- CONFDIR=''${XDG_CONFIG_HOME:-$HOME/.config}/weechat
- ${pkgs.coreutils}/bin/mkdir -p "$CONFDIR"
- ${lib.concatStringsSep "\n"
- (lib.mapAttrsToList
- (name: target: /* sh */ ''
- ${pkgs.coreutils}/bin/ln -s ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name}
- '')
- cfg.files
- )
- }
- exec ${weechat}/bin/weechat "$@"
-''
+ wrapper = pkgs.writers.writeDashBin "weechat" ''
+ CONFDIR=''${XDG_CONFIG_HOME:-$HOME/.config}/weechat
+ ${pkgs.coreutils}/bin/mkdir -p "$CONFDIR"
+ ${lib.concatStringsSep "\n"
+ (lib.mapAttrsToList
+ (name: target: /* sh */ ''
+ ${pkgs.coreutils}/bin/ln -s ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name}
+ '')
+ cfg.files
+ )
+ }
+ exec ${weechat}/bin/weechat "$@"
+ '';
+
+in pkgs.symlinkJoin {
+ name = "weechat-configured";
+ paths = [
+ wrapper
+ pkgs.weechat
+ ];
+ postBuild = ''
+ ln -s ${setFile} $out/weechat.set
+ '';
+}
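Review bot: `symlinkJoin` is given two paths that both provide `bin/weechat` (`wrapper` and `pkgs.weechat`); as far as I can tell it keeps the first link and only warns on the collision, so the ordering of `paths` is load-bearing and deserves a comment like `# wrapper first so its bin/weechat shadows the plain one`. The generated `weechat.set` is a Nix store file, hence world-readable, and now additionally appears as `$out/weechat.set`; anything put into `cfg.settings` or `cfg.extraCommands` (server passwords, tokens) ends up there, which was already true of the previous inline `init` string but is worth stating in the module's option documentation. The irc line now uses `lib.toWeechatValue server.addresses` while the matrix line keeps `server.address`; if that asymmetry reflects different option schemas, a comment would stop someone from "fixing" it.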
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index 30be112d1..49d65160d 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "2a3aac479caeba0a65b2ad755fe5f284f1fde74d",
- "date": "2022-05-09T07:45:23+00:00",
- "path": "/nix/store/56hy8l0ky71qdx5zibjzzg0q8ivkk7vc-nixpkgs",
- "sha256": "0px2fk64s56qxd8ir8xg8bsj5yz1w399ps4xfkyx29n2ywp9ar7c",
+ "rev": "5ce6597eca7d7b518c03ecda57d45f9404b5e060",
+ "date": "2022-05-24T17:55:48+02:00",
+ "path": "/nix/store/glvcj0zmqq9z5wf6bppnppbpf8w85iwf-nixpkgs",
+ "sha256": "1hs1lnnbp1dky3nfp7xlricpp5c63sr46jyrnvykci8bl8jnxnl3",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 970ffa20a..3e20b2a87 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "fd3e33d696b81e76b30160dfad2efb7ac1f19879",
- "date": "2022-04-30T11:27:15+02:00",
- "path": "/nix/store/4n9dqxd8j90h0j99n8pyim6n5q1zviwg-nixpkgs",
- "sha256": "1liw3glyv1cx0bxgxnq2yjp0ismg0np2ycg72rqghv75qb73zf9h",
+ "rev": "d1086907f56c5a6c33c0c2e8dc9f42ef6988294f",
+ "date": "2022-05-28T12:29:49+02:00",
+ "path": "/nix/store/56gsa390lyiik6jdapnj98a2ww8af8ig-nixpkgs",
+ "sha256": "009dc0njvdn5pzcyd8bp4sc9byf70w4msdkv6q2zfdlnh36im1jl",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
diff --git a/krebs/update-nixpkgs.sh b/krebs/update-nixpkgs.sh
index bc421a75f..59dbd91b5 100755
--- a/krebs/update-nixpkgs.sh
+++ b/krebs/update-nixpkgs.sh
@@ -3,7 +3,7 @@ dir=$(dirname $0)
oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
--url https://github.com/NixOS/nixpkgs \
- --rev refs/heads/nixos-21.11' \
+ --rev refs/heads/nixos-22.05' \
> $dir/nixpkgs.json
newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev"
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index b08919802..d6943c110 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -43,7 +43,7 @@ with import <stockholm/lib>;
libreoffice
audacity
zathura
- skype
+ skypeforlinux
wine
geeqie
vlc
@@ -56,22 +56,32 @@ with import <stockholm/lib>;
services.xserver.layout = "de";
}
{
- krebs.per-user.bitcoin.packages = [
- pkgs.electrum
- pkgs.electron-cash
- pkgs.litecoin
- ];
- users.extraUsers = {
- bitcoin = {
- name = "bitcoin";
- description = "user for bitcoin stuff";
- home = "/home/bitcoin";
- isNormalUser = true;
- useDefaultShell = true;
- createHome = true;
- extraGroups = [ "audio" ];
+ users = {
+ groups.plugdev = {};
+ users = {
+ bitcoin = {
+ name = "bitcoin";
+ description = "user for bitcoin stuff";
+ home = "/home/bitcoin";
+ isNormalUser = true;
+ useDefaultShell = true;
+ createHome = true;
+ extraGroups = [
+ "audio"
+ "networkmanager"
+ "plugdev"
+ ];
+ packages = let
+ unstable = import <nixpkgs-unstable> { config.allowUnfree = true; };
+ in [
+ pkgs.electrum
+ pkgs.electron-cash
+ unstable.ledger-live-desktop
+ ];
+ };
};
};
+ hardware.ledger.enable = true;
security.sudo.extraConfig = ''
bubsy ALL=(bitcoin) NOPASSWD: ALL
'';
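Review bot: The second hunk adds the `bitcoin` account to the `networkmanager` group, which on NixOS is the group NetworkManager's polkit rules grant connection management to, so the wallet user can now alter system network configuration without sudo; together with the existing `bubsy ALL=(bitcoin) NOPASSWD: ALL` rule this widens what that account reaches, and if the group is only needed for Ledger Live a comment saying so (or dropping it) would help. `plugdev` is created empty and `hardware.ledger.enable = true` is set; whether the ledger udev rules actually key on `plugdev` is not visible here, so confirm the group membership is needed at all. `import <nixpkgs-unstable> { config.allowUnfree = true; }` inside the package list evaluates a second nixpkgs for this one attribute; fine if intended, but hoisting it to a file-level `let` would make the extra pin obvious.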
diff --git a/lass/1systems/lasspi/physical.nix b/lass/1systems/lasspi/physical.nix
index 80c459a95..868bafad5 100644
--- a/lass/1systems/lasspi/physical.nix
+++ b/lass/1systems/lasspi/physical.nix
@@ -25,7 +25,6 @@
version = 4;
};
boot.loader.grub.enable = false;
- boot.loader.generic-extlinux-compatible.enable = true;
# Required for the Wireless firmware
hardware.enableRedistributableFirmware = true;
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index d174e6057..62c6f0b71 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -124,6 +124,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/jitsi.nix>
<stockholm/lass/2configs/fysiirc.nix>
+ <stockholm/lass/2configs/bgt-bot>
{
services.tor = {
enable = true;
diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix
index bf818a9b2..6972567d7 100644
--- a/lass/1systems/xerxes/config.nix
+++ b/lass/1systems/xerxes/config.nix
@@ -47,7 +47,7 @@
wantedBy = [ "multi-user.target" ];
script = ''
${pkgs.xboxdrv.overrideAttrs(o: {
- patches = [ (pkgs.fetchurl {
+ patches = o.patches ++ [ (pkgs.fetchurl {
url = "https://patch-diff.githubusercontent.com/raw/xboxdrv/xboxdrv/pull/251.patch";
sha256 = "17784y20mxqrlhgvwvszh8lprxrvgmb7ah9dknmbhj5jhkjl8wq5";
}) ];
diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix
index 5b8cebf5c..8567def02 100644
--- a/lass/2configs/IM.nix
+++ b/lass/2configs/IM.nix
@@ -1,38 +1,23 @@
with (import <stockholm/lib>);
{ config, lib, pkgs, ... }: let
weechat = pkgs.weechat.override {
- configure = { availablePlugins, ... }: with pkgs.weechatScripts; {
- plugins = lib.attrValues (availablePlugins // {
- python = availablePlugins.python.withPackages (_: [ weechat-matrix ]);
- });
- scripts = [ weechat-matrix ];
+ configure = { availablePlugins, ... }: {
+ scripts = with pkgs.weechatScripts; [
+ weechat-matrix
+ ];
};
};
- tmux = pkgs.writeDashBin "tmux" ''
- exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
- set-option -g prefix `
- unbind-key C-b
- bind ` send-prefix
-
- set-option -g status off
- set-option -g default-terminal screen-256color
-
- #use session instead of windows
- bind-key c new-session
- bind-key p switch-client -p
- bind-key n switch-client -n
- bind-key C-s switch-client -l
- ''} "$@"
- '';
+ tmux = "/run/current-system/sw/bin/tmux";
in {
imports = [
./bitlbee.nix
];
- environment.systemPackages = [ tmux weechat ];
+ environment.systemPackages = [ weechat ];
systemd.services.chat = {
description = "chat environment setup";
+ environment.WEECHAT_HOME = "\$HOME/.weechat";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
@@ -46,8 +31,8 @@ in {
User = "lass";
RemainAfterExit = true;
Type = "oneshot";
- ExecStart = "${tmux}/bin/tmux -2 new-session -d -s IM ${weechat}/bin/weechat";
- ExecStop = "${tmux}/bin/tmux kill-session -t IM"; # TODO run save in weechat
+ ExecStart = "${tmux} -2 new-session -d -s IM ${weechat}/bin/weechat";
+ ExecStop = "${tmux} kill-session -t IM"; # TODO run save in weechat
};
};
}
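Review bot: `environment.WEECHAT_HOME = "\$HOME/.weechat"` in the first hunk becomes a systemd `Environment=` entry, and systemd does not expand shell variables inside those values, so weechat most likely receives the literal string `$HOME/.weechat` unless something downstream expands it; `%h` is not a substitute either, since for system services it resolves to the manager's home rather than `User=lass`. Spelling the path out, e.g. `environment.WEECHAT_HOME = "/home/lass/.weechat";`, or exporting it from a shell in `ExecStart`, removes the ambiguity. The second hunk swaps the store path `${tmux}/bin/tmux` for `/run/current-system/sw/bin/tmux`, which ties the unit to whatever the system profile provides (presumably the `tmux.nix` wrapper listed in the diffstat) instead of a pinned derivation; a one-line comment stating that intent would keep the next reader from pinning it again.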
diff --git a/lass/2configs/alacritty.nix b/lass/2configs/alacritty.nix
index a57dc7c25..903ddf6cc 100644
--- a/lass/2configs/alacritty.nix
+++ b/lass/2configs/alacritty.nix
@@ -89,9 +89,40 @@ in {
};
};
"themes/dark/alacritty.yaml".text = alacritty-cfg {
- colors.primary = {
- background = "#000000";
- foreground = "#ffffff";
+ colors = {
+ # Default colors
+ primary = {
+ background = "0x000000";
+ foreground = "0xffffff";
+ };
+ cursor = {
+ text = "0xF81CE5";
+ cursor = "0xffffff";
+ };
+
+ # Normal colors
+ normal = {
+ black = "0x000000";
+ red = "0xfe0100";
+ green = "0x33ff00";
+ yellow = "0xfeff00";
+ blue = "0x0066ff";
+ magenta = "0xcc00ff";
+ cyan = "0x00ffff";
+ white = "0xd0d0d0";
+ };
+
+ # Bright colors
+ bright = {
+ black = "0x808080";
+ red = "0xfe0100";
+ green = "0x33ff00";
+ yellow = "0xfeff00";
+ blue = "0x0066ff";
+ magenta = "0xcc00ff";
+ cyan = "0x00ffff";
+ white = "0xFFFFFF";
+ };
};
};
};
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 22a3037d7..e94cbbd2c 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -16,7 +16,7 @@ in {
./xmonad.nix
./themes.nix
{
- krebs.per-user.lass.packages = [
+ users.users.mainUser.packages = [
pkgs.sshuttle
];
security.sudo.extraConfig = ''
@@ -46,7 +46,7 @@ in {
}
];
- users.users.mainUser.extraGroups = [ "audio" "video" ];
+ users.users.mainUser.extraGroups = [ "audio" "pipewire" "video" ];
time.timeZone = "Europe/Berlin";
@@ -64,7 +64,7 @@ in {
font-size
fzfmenu
gimp
- gitAndTools.hub
+ gitAndTools.gh
git-crypt
git-preview
dconf
@@ -79,11 +79,13 @@ in {
ponymix
powertop
rxvt_unicode-with-plugins
+ sshvnc
sxiv
taskwarrior
termite
transgui
wirelesstools
+ x11vnc
xclip
xephyrify
xorg.xhost
diff --git a/lass/2configs/bgt-bot/bgt-check.sh b/lass/2configs/bgt-bot/bgt-check.sh
new file mode 100644
index 000000000..30185ba18
--- /dev/null
+++ b/lass/2configs/bgt-bot/bgt-check.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+# needs in path:
+# curl gnugrep jq
+# creates and manages $PWD/state
+set -xeuf
+
+send_reaktor(){
+ # usage: send_reaktor "text"
+ echo "send_reaktor: $1"
+ curl -fsS "http://localhost:$REAKTOR_PORT" \
+ -H content-type:application/json \
+ -d "$(jq -n \
+ --arg text "$1" \
+ --arg channel "$IRC_CHANNEL" \
+ '{
+ command:"PRIVMSG",
+ params:[$channel,$text]
+ }'
+ )"
+}
+
+live=$(shuf -n1 <<EOF
+Binärgewitter Liveshow hat begonnen! http://stream.radiotux.de:8000/binaergewitter.mp3
+EOF
+)
+
+offline=$(shuf -n1 <<EOF
+Live stream vorbei
+EOF
+)
+error=$(shuf -n1 <<EOF
+something went wrong
+EOF
+)
+
+if curl -Ss http://stream.radiotux.de:8000 | grep -q 'Mount Point /binaergewitter'; then
+ state='live'
+else
+ state='offline'
+fi
+prevstate=$(cat state ||:)
+
+if test "$state" == "$(cat state)";then
+ #echo "current and last state is the same ($state), doing nothing"
+ :
+else
+ echo "API state and last state differ ( '$state' != '$prevstate')"
+ if test "$state" == 'live';then
+ send_reaktor "$live"
+ elif test "$state" == 'offline';then
+ send_reaktor "$offline"
+ else
+ send_reaktor "$error"
+ fi
+ echo 'updating state'
+ printf "%s" "$state" > state
+fi
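Review bot: A transient fetch failure is announced as the show ending: `curl -Ss ... | grep -q` feeds a failed download into `grep`, so `state` becomes `offline` and `Live stream vorbei` is sent although nothing changed on the server. Fetching the status page into a variable with `curl -fsS` first and routing a fetch failure to the existing `$error` branch keeps that false announcement out; note the error state is then persisted, so the next good poll re-announces the real state, which can be avoided with an `exit 0` before the state write if unwanted. The comparison `if test "$state" == "$(cat state)"` re-reads the file that `prevstate` already holds and uses the bash-only `==` under a `#!/bin/sh` shebang; `if test "$state" = "$prevstate"; then` does both correctly. The `# needs in path:` header should also list `shuf` (coreutils), which all three heredocs rely on.
```shell
if ! page=$(curl -fsS http://stream.radiotux.de:8000); then
  state='error'
elif printf '%s\n' "$page" | grep -q 'Mount Point /binaergewitter'; then
  state='live'
else
  state='offline'
fi
prevstate=$(cat state ||:)

if test "$state" = "$prevstate"; then
  # … unchanged: no-op branch …
  :
else
  # … unchanged: announce and write state …
fi
```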
diff --git a/lass/2configs/bgt-bot/default.nix b/lass/2configs/bgt-bot/default.nix
new file mode 100644
index 000000000..6f9e33704
--- /dev/null
+++ b/lass/2configs/bgt-bot/default.nix
@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+let
+
+ bot_port = "7654";
+ irc_channel = "#binaergewitter";
+in
+{
+ krebs.reaktor2.bgt-announce = {
+ hostname = "irc.libera.chat";
+ port = "6697";
+ nick = "bgt-announce";
+ API.listen = "inet://127.0.0.1:${bot_port}";
+ plugins = [
+ {
+ plugin = "register";
+ config = {
+ channels = [
+ irc_channel
+ ];
+ };
+ }
+ ];
+ };
+ systemd.services.check_bgt_show = {
+ startAt = "*:0/5";
+ environment = {
+ IRC_CHANNEL = irc_channel;
+ REAKTOR_PORT = bot_port;
+ };
+ path = with pkgs; [
+ curl
+ gnugrep
+ jq
+ ];
+ script = builtins.readFile ./bgt-check.sh;
+ serviceConfig = {
+ DynamicUser = true;
+ StateDirectory = "bgt-announce";
+ WorkingDirectory = "/var/lib/bgt-announce";
+ PrivateTmp = true;
+ };
+ };
+}
+
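Review bot: `port = "6697"` is Libera's TLS port, yet nothing in this file shows the reaktor2 instance being told to use TLS, so either confirm the module negotiates TLS for this instance or set the corresponding option and mark it with `# 6697 = TLS`; a plaintext client on that port would just fail to connect. The API bound to `127.0.0.1` plus `DynamicUser` and `StateDirectory` for the poller is the right shape; since the script only needs outbound network and `/var/lib/bgt-announce`, adding `ProtectSystem = "strict"` and `ProtectHome = true` to `serviceConfig` costs nothing (the `StateDirectory` stays writable under `strict`). The final added empty line is stray whitespace.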
diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix
index de6562cbc..e9dd055f9 100644
--- a/lass/2configs/bitcoin.nix
+++ b/lass/2configs/bitcoin.nix
@@ -28,7 +28,6 @@ in {
};
};
security.sudo.extraConfig = ''
- ${mainUser.name} ALL=(bch) ALL
${mainUser.name} ALL=(bitcoin) ALL
${mainUser.name} ALL=(monero) ALL
'';
diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix
index b84221155..84f06e587 100644
--- a/lass/2configs/bitlbee.nix
+++ b/lass/2configs/bitlbee.nix
@@ -11,7 +11,7 @@ with (import <stockholm/lib>);
pkgs.bitlbee-discord
];
libpurple_plugins = [
- pkgs.telegram-purple
+ # pkgs.telegram-purple
# pkgs.tdlib-purple
# pkgs.purple-gowhatsapp
];
diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix
index 28c7d640d..2698f67e0 100644
--- a/lass/2configs/blue.nix
+++ b/lass/2configs/blue.nix
@@ -8,7 +8,6 @@ with (import <stockholm/lib>);
];
environment.systemPackages = with pkgs; [
- ag
dic
nmap
git-preview
diff --git a/lass/2configs/br.nix b/lass/2configs/br.nix
index 6e0a2385c..273a9c963 100644
--- a/lass/2configs/br.nix
+++ b/lass/2configs/br.nix
@@ -46,4 +46,6 @@ with import <stockholm/lib>;
];
};
+ users.users.mainUser.extraGroups = [ "scanner" "lp" ];
+
}
diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix
index 271dcfca4..b3bf1b761 100644
--- a/lass/2configs/codimd.nix
+++ b/lass/2configs/codimd.nix
@@ -28,6 +28,10 @@ in {
params.hedgedoc = {};
};
+ systemd.services.hedgedoc.environment = {
+ CMD_COOKIE_POLICY = "none";
+ CMD_CSP_ALLOW_FRAMING = "true";
+ };
services.hedgedoc = {
enable = true;
configuration.allowOrigin = [ domain ];
@@ -47,6 +51,7 @@ in {
sslCertPath = "/var/lib/acme/${domain}/cert.pem";
sslKeyPath = "/var/lib/acme/${domain}/key.pem";
dhParamPath = config.security.dhparams.params.hedgedoc.path;
+
};
};
}
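Review bot: `CMD_COOKIE_POLICY = "none"` and `CMD_CSP_ALLOW_FRAMING = "true"` each relax a browser-side protection: a `SameSite=None` session cookie (which is what the policy name presumably maps to) is sent on cross-site requests and requires the `Secure` attribute the TLS setup here should provide, and allowing framing lets any origin embed the instance, which is exactly the clickjacking surface the default closes. The hunk gives no reason for either, so a comment such as `# embedded in <SITE-PLACEHOLDER>: needs cross-site cookies and framing` would let the next reader judge whether both are still required. If only framing by one known origin is needed, check whether this deployment can restrict it to that origin instead of the blanket `true`.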
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index f03d8b568..e8ac55988 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -10,6 +10,8 @@ with import <stockholm/lib>;
./htop.nix
<stockholm/krebs/2configs/security-workarounds.nix>
./wiregrill.nix
+ ./tmux.nix
+ ./tor-ssh.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
@@ -122,6 +124,9 @@ with import <stockholm/lib>;
q
rs
untilport
+ (pkgs.writeDashBin "urgent" ''
+ printf '\a'
+ '')
usbutils
logify
goify
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 829773b87..26707f1f0 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -61,7 +61,7 @@ in {
name = "games";
description = "user playing games";
home = "/home/games";
- extraGroups = [ "audio" "video" "input" "loot" ];
+ extraGroups = [ "audio" "video" "input" "loot" "pipewire" ];
createHome = true;
useDefaultShell = true;
packages = with pkgs; [
diff --git a/lass/2configs/git-brain.nix b/lass/2configs/git-brain.nix
index 1c6f92fcd..f4d1a27cd 100644
--- a/lass/2configs/git-brain.nix
+++ b/lass/2configs/git-brain.nix
@@ -28,7 +28,7 @@ let
# TODO: get the list of all krebsministers
- krebsminister = with config.krebs.users; [ makefu tv ];
+ krebsminister = with config.krebs.users; [ makefu tv kmein ];
krebs-rules = repo:
set-owners repo [ config.krebs.users.lass ] ++ set-ro-access repo krebsminister;
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index e6c77f64b..891aefcfd 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -122,12 +122,6 @@ let
cgit.section = "configuration";
};
} // mapAttrs make-public-repo-silent {
- nixos-aws = {
- collaborators = [ {
- name = "fabio";
- pubkey = "ssh-rsa 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 ada";
- } ];
- };
};
restricted-repos = mapAttrs make-restricted-repo (
diff --git a/lass/2configs/home-media.nix b/lass/2configs/home-media.nix
index 7e10aed34..f250ca8d8 100644
--- a/lass/2configs/home-media.nix
+++ b/lass/2configs/home-media.nix
@@ -4,10 +4,10 @@ with import <stockholm/lib>;
users.users.media = {
isNormalUser = true;
uid = genid_uint31 "media";
- extraGroups = [ "video" "audio" ];
+ extraGroups = [ "video" "audio" "pipewire" ];
};
- services.xserver.displayManager.lightdm.autoLogin = {
+ services.xserver.displayManager.autoLogin = {
enable = true;
user = "media";
};
diff --git a/lass/2configs/jitsi.nix b/lass/2configs/jitsi.nix
index 1435ccb5c..fa41f6634 100644
--- a/lass/2configs/jitsi.nix
+++ b/lass/2configs/jitsi.nix
@@ -7,10 +7,13 @@
config = {
enableWelcomePage = true;
requireDisplayName = true;
+ analytics.disabled = true;
};
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
+ DISABLE_PRESENCE_STATUS = true;
+ GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false;
};
};
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 4682865c6..b874695a8 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -144,15 +144,7 @@ let
set sort=threads
- set index_format="${pkgs.writeDash "mutt-index" ''
- # http://www.mutt.org/doc/manual/#formatstrings
- recipent="$(echo $1 | sed 's/[^,]*<\([^>]*\)[^,]*/ \1/g')"
- # output to mutt
- # V
- echo "%4C %Z %?GI?%GI& ? %[%y-%m-%d] %-20.20a %?M?(%3M)& ? %s %> $recipent %?g?%g?%"
- # args to mutt-index dash script
- # V
- ''} %r |"
+ set index_format="%4C %Z %?GI?%GI& ? %[%y-%m-%d] %-20.20a %?M?(%3M)& ? %s %> %r %g"
virtual-mailboxes "Unread" "notmuch://?query=tag:unread"
virtual-mailboxes "INBOX" "notmuch://?query=tag:inbox"
diff --git a/lass/2configs/minecraft.nix b/lass/2configs/minecraft.nix
index d2a3672c5..34da3047e 100644
--- a/lass/2configs/minecraft.nix
+++ b/lass/2configs/minecraft.nix
@@ -11,6 +11,5 @@ in {
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 25565"; target = "ACCEPT"; }
{ predicate = "-p udp --dport 25565"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport 8123"; target = "ACCEPT"; }
];
}
diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix
index 854af3eb5..f88d0d91d 100644
--- a/lass/2configs/mpv.nix
+++ b/lass/2configs/mpv.nix
@@ -76,15 +76,43 @@ let
mp.add_key_binding('S', "download_subs", download)
'';
+ mpvInput = pkgs.writeText "mpv.input" ''
+ : script-binding console/enable
+ '';
+
+ mpvConfig = pkgs.writeText "mpv.conf" ''
+ osd-font-size=20
+ '';
+
mpv = pkgs.symlinkJoin {
name = "mpv";
paths = [
(pkgs.writeDashBin "mpv" ''
- exec ${pkgs.mpv}/bin/mpv \
+ set -efu
+ if [ -n "''${DISPLAY+x}" ]; then
+ Y_RES=$(${pkgs.xorg.xrandr}/bin/xrandr |
+ ${pkgs.jc}/bin/jc --xrandr |
+ ${pkgs.jq}/bin/jq '.screens[0].current_width'
+ )
+ else
+ Y_RES=1000
+ fi
+ # we need to disable sponsorblock local database because of
+ # https://github.com/po5/mpv_sponsorblock/issues/31
+ exec ${pkgs.mpv.override {
+ scripts = with pkgs.mpvScripts; [
+ sponsorblock
+ youtube-quality
+ ];
+ }}/bin/mpv \
-vo=gpu \
--no-config \
+ --input-conf=${mpvInput} \
+ --include=${mpvConfig} \
--script=${autosub} \
+ --ytdl-format="best[height<$Y_RES]" \
--script-opts=ytdl_hook-ytdl_path=${pkgs.yt-dlp}/bin/yt-dlp \
+ --script-opts-append=sponsorblock-local_database=no \
"$@"
'')
pkgs.mpv
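Review bot: `Y_RES` is filled from `.screens[0].current_width` but then used as a height cap in `--ytdl-format="best[height<$Y_RES]"`; if the intent is the screen's height the field is `.current_height`, otherwise the variable name is misleading and should be renamed. Under `set -efu` a non-zero `jq` aborts the wrapper before mpv starts (the assignment takes the substitution's status), while a failure of `xrandr` or `jc` earlier in the pipeline is not seen at all and leaves `Y_RES` empty or `null`, producing a malformed format string; `Y_RES=$(...) || Y_RES=1000` followed by `[ -n "$Y_RES" ] || Y_RES=1000` keeps the player usable in both cases. The `1000` fallback currently only covers the no-`DISPLAY` branch.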
diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix
index 68a55c71c..affc35307 100644
--- a/lass/2configs/paste.nix
+++ b/lass/2configs/paste.nix
@@ -57,10 +57,8 @@ with import <stockholm/lib>;
addSSL = true;
serverAliases = [ "p.krebsco.de" ];
locations."/".extraConfig = ''
- if ($request_method != GET) {
- return 403;
- }
proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:${toString config.krebs.htgen.paste.port};
'';
locations."/image".extraConfig = ''
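Review bot: Dropping the `if ($request_method != GET) { return 403; }` guard means every HTTP method on `/` now reaches the htgen paste backend on `127.0.0.1:${toString config.krebs.htgen.paste.port}`, a deliberate widening that the hunk does not explain; a one-line comment such as `# POST must reach the backend for uploads` would record why, and it is worth confirming the backend rejects methods it does not implement. The added `proxy_set_header X-Forwarded-Proto $scheme;` only matters if the backend consults it, and is harmless otherwise. The `/image` location starting on the last line of this hunk is outside it and may warrant the same consideration.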
diff --git a/lass/2configs/programs.nix b/lass/2configs/programs.nix
index 0a4b4fd9b..0997b41a8 100644
--- a/lass/2configs/programs.nix
+++ b/lass/2configs/programs.nix
@@ -4,9 +4,11 @@
{
environment.systemPackages = with pkgs; [
aria2
+ generate-secrets
gnupg1compat
htop
i3lock
+ l-gen-secrets
mosh
pass
pavucontrol
@@ -18,18 +20,41 @@
transmission
wget
xsel
- youtube-dl
+ yt-dlp
+ (pkgs.writeDashBin "youtube-dl" ''
+ exec ${pkgs.yt-dlp}/bin/yt-dlp "$@"
+ '')
(pkgs.writeDashBin "tether-on" ''
adb shell svc usb setFunctions rndis
'')
(pkgs.writeDashBin "tether-off" ''
adb shell svc usb setFunctions
'')
- (pkgs.writeDashBin "dl-movie" ''
- ${pkgs.transmission}/bin/transmission-remote yellow.r -w /var/download/finished/sorted/movies -a "$@"
+ (pkgs.writeDashBin "deploy" ''
+ set -eu
+ export SYSTEM="$1"
+ $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
+ '')
+ (pkgs.writeDashBin "krebsco.de" ''
+ TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
+ ${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json
+ OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import
+ ${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
+ '')
+ (pkgs.writeDashBin "lassul.us" ''
+ TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
+ ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json
+ OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us
+ ${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
+ '')
+ (pkgs.writeDashBin "btc-coinbase" ''
+ ${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount'
+ '')
+ (pkgs.writeDashBin "btc-wex" ''
+ ${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg'
'')
- (pkgs.writeDashBin "dl-series" ''
- ${pkgs.transmission}/bin/transmission-remote yellow.r -w /var/download/finished/sorted/series -a "$@"
+ (pkgs.writeDashBin "btc-kraken" ''
+ ${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
'')
];
}
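Review bot: The new `krebsco.de` and `lassul.us` wrappers write an API secret to `"$TMPDIR"/ovh-secrets.json` and remove it only on the happy path: without `set -eu` a failing `mktemp` leaves `TMPDIR` empty, so the write is attempted at `/ovh-secrets.json`, and an interrupted or failing import leaves the plaintext secret behind in the temp directory. Adding `set -eu` as the first line and `trap '${pkgs.coreutils}/bin/rm -rf "$TMPDIR"' EXIT` directly after the `mktemp` line (replacing the trailing `rm -rf`) deletes it on every exit path. `btc-coinbase`, `btc-wex` and `btc-kraken` call `curl -Ss` without `-f`, so an HTTP error body is piped into `jq` and prints `null` instead of failing.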
diff --git a/lass/2configs/radio/default.nix b/lass/2configs/radio/default.nix
index 0611be7ce..b8d958865 100644
--- a/lass/2configs/radio/default.nix
+++ b/lass/2configs/radio/default.nix
@@ -107,6 +107,7 @@ let
in {
imports = [
./news.nix
+ ./weather.nix
];
users.users = {
@@ -165,14 +166,14 @@ in {
output.icecast(mount = '/music.ogg', password = 'hackme', %vorbis(quality = 1), source)
output.icecast(mount = '/music.mp3', password = 'hackme', %mp3.vbr(), source)
- output.icecast(mount = '/music.opus', password = 'hackme', %opus(bitrate = 64), source)
+ output.icecast(mount = '/music.opus', password = 'hackme', %opus(bitrate = 96), source)
extra_input = audio_to_stereo(input.harbor("live", port=1338))
o = smooth_add(normal = source, special = extra_input)
output.icecast(mount = '/radio.ogg', password = 'hackme', %vorbis(quality = 1), o)
output.icecast(mount = '/radio.mp3', password = 'hackme', %mp3.vbr(), o)
- output.icecast(mount = '/radio.opus', password = 'hackme', %opus(bitrate = 64), o)
+ output.icecast(mount = '/radio.opus', password = 'hackme', %opus(bitrate = 96), o)
'';
services.icecast = {
enable = true;
diff --git a/lass/2configs/radio/news.nix b/lass/2configs/radio/news.nix
index 27b124093..e5b5405ff 100644
--- a/lass/2configs/radio/news.nix
+++ b/lass/2configs/radio/news.nix
@@ -1,45 +1,28 @@
{ config, lib, pkgs, ... }:
let
- weather_for_ips = pkgs.writers.writePython3Bin "weather_for_ips" {
- libraries = [ pkgs.python3Packages.geoip2 ];
- } ./weather_for_ips.py;
-
- weather_report = pkgs.writers.writeDashBin "weather_report" ''
- set -efu
- export PATH="${lib.makeBinPath [
- pkgs.coreutils
- pkgs.curl
- pkgs.iproute2
- pkgs.jc
- pkgs.jq
- ]}"
- curl -z /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb
- MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB
- OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY
- ss -no 'sport = :8000' |
- jc --ss | jq -r '.[] |
- select(
- .local_address != "[::ffff:127.0.0.1]"
- and .local_address != "[::1]"
- ) | .peer_address | gsub("[\\[\\]]"; "")
- ' |
- ${weather_for_ips}/bin/weather_for_ips
- '';
send_to_radio = pkgs.writers.writeDashBin "send_to_radio" ''
- ${pkgs.vorbisTools}/bin/oggenc - |
+ ${pkgs.vorbis-tools}/bin/oggenc - |
${pkgs.libshout}/bin/shout --format ogg --host localhost --port 1338 --mount /live
'';
gc_news = pkgs.writers.writeDashBin "gc_news" ''
set -xefu
+ export TZ=UTC #workaround for jq parsing wrong timestamp
${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -cs 'map(select((.to|fromdateiso8601) > now)) | .[]' > $HOME/bla-news.tmp
${pkgs.coreutils}/bin/mv $HOME/bla-news.tmp $HOME/news
'';
get_current_news = pkgs.writers.writeDashBin "get_current_news" ''
set -xefu
- ${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -rs 'map(select(((.to | fromdateiso8601) > now) and (.from|fromdateiso8601) < now) | .text) | .[]'
+ export TZ=UTC #workaround for jq parsing wrong timestamp
+ ${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -rs '
+ sort_by(.priority) |
+ map(select(
+ ((.to | fromdateiso8601) > now) and
+ (.from|fromdateiso8601) < now) |
+ .text
+ ) | .[]'
'';
newsshow = pkgs.writers.writeDashBin "newsshow" /* sh */ ''
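Review bot: `sort_by(.priority)` in get_current_news orders ascending, so with the writer's `.priority // 0` default and a high value such as 100 the highest-priority item is read last, and records written before this change (no `priority` key at all) sort as null, i.e. before everything; none of this is stated anywhere. A comment on the jq program, `# lower priority is read first; records without a priority sort before 0`, would fix that, and `sort_by(.priority // 0)` would make old and new records order the same way. The duplicated `export TZ=UTC #workaround for jq parsing wrong timestamp` should name the behaviour it works around (presumably `fromdateiso8601` going through local time in this jq build) so the next reader can tell when it can be dropped.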
@@ -50,7 +33,6 @@ let
todays news:
$(get_current_news)
$(gc_news)
- $(weather_report)
EOF
'';
in
@@ -61,7 +43,6 @@ in
send_to_radio
gc_news
get_current_news
- weather_report
pkgs.curl
pkgs.retry
];
@@ -74,9 +55,6 @@ in
startAt = "*:00:00";
serviceConfig = {
User = "radio-news";
- LoadCredential = [
- "openweather_api:${toString <secrets>}/openweather_api_key"
- ];
};
};
@@ -107,8 +85,8 @@ in
;;
"POST /")
payload=$(head -c "$req_content_length")
- echo "$payload" | jq 'has("from") and has("to") and has("text")' >&2
- echo "$payload" | jq -c '{ from: (.from | fromdate | todate), to: (.to | fromdate | todate), text: .text }' >> "$HOME"/news
+ printf '%s' "$payload" | jq 'has("from") and has("to") and has("text")' >&2
+ printf '%s' "$payload" | jq -c '{ from: .from, to: .to, text: .text, priority: (.priority // 0)}' >> "$HOME"/news
printf 'HTTP/1.1 200 OK\r\n'
printf 'Connection: close\r\n'
printf '\r\n'
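Review bot: The `has("from") and has("to") and has("text")` check at the top of the POST branch only writes its result to stderr; the next line appends the payload regardless, and because the old `fromdate | todate` normalisation was dropped, `from`/`to` are now stored unparsed, so a missing field or a malformed date is persisted and later makes `gc_news` and `get_current_news` fail on `fromdateiso8601` for every record in the file. The check should gate the append and the 200, with a 400 otherwise; `jq -e` turns the boolean (or a parse error) into the exit status, and the date expression also validates that both dates parse, under the same `TZ=UTC` the readers use. `priority` is likewise taken unchecked, so a non-numeric value would survive into `sort_by`. The `case` this branch belongs to starts and ends outside the hunk, so the change below keeps the same exit path.

```nix
      "POST /")
        payload=$(head -c "$req_content_length")
        # jq -e: exit status reflects the boolean; a body that is not an object
        # or a date fromdateiso8601 cannot parse is rejected instead of appended
        if printf '%s' "$payload" | TZ=UTC jq -e '
              has("from") and has("to") and has("text")
              and ((.from | fromdateiso8601) < (.to | fromdateiso8601))
              and ((.priority // 0) | type == "number")' >/dev/null 2>&1
        then
          printf '%s' "$payload" | jq -c '{ from: .from, to: .to, text: .text, priority: (.priority // 0)}' >> "$HOME"/news
          printf 'HTTP/1.1 200 OK\r\n'
        else
          printf 'HTTP/1.1 400 Bad Request\r\n'
        fi
        printf 'Connection: close\r\n'
        printf '\r\n'
```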
diff --git a/lass/2configs/radio/weather.nix b/lass/2configs/radio/weather.nix
new file mode 100644
index 000000000..3beac6693
--- /dev/null
+++ b/lass/2configs/radio/weather.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+let
+ weather_for_ips = pkgs.writers.writePython3Bin "weather_for_ips" {
+ libraries = [ pkgs.python3Packages.geoip2 ];
+ flakeIgnore = [ "E501" ];
+ } ./weather_for_ips.py;
+
+ weather_report = pkgs.writers.writeDashBin "weather_report" ''
+ set -efu
+ export PATH="${lib.makeBinPath [
+ pkgs.coreutils
+ pkgs.curl
+ pkgs.iproute2
+ pkgs.jc
+ pkgs.jq
+ ]}"
+ curl -z /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb
+ MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB
+ OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY
+ ss -no 'sport = :8000' |
+ jc --ss | jq -r '.[] |
+ select(
+ .local_address != "[::ffff:127.0.0.1]"
+ and .local_address != "[::1]"
+ ) | .peer_address | gsub("[\\[\\]]"; "")
+ ' |
+ ${weather_for_ips}/bin/weather_for_ips
+ '';
+in {
+ systemd.services.weather = {
+ path = [
+ weather_report
+ pkgs.retry
+ pkgs.jq
+ pkgs.curl
+ ];
+ script = ''
+ set -xefu
+ retry -t 5 -d 10 -- weather_report |
+ jq \
+ --arg from "$(date -u +'%FT%TZ')" \
+ --arg to "$(date -u +'%FT%TZ' -d '+1 hours')" \
+ --slurp --raw-input --compact-output --ascii-output \
+ '{text: ., from: $from, to: $to, priority: 100}' |
+ retry -t 5 -d 10 -- curl -v -d@- http://radio-news.r
+ '';
+ startAt = "*:58:00";
+ serviceConfig = {
+ User = "radio-news";
+ LoadCredential = [
+ "openweather_api:${toString <secrets>}/openweather_api_key"
+ ];
+ };
+ };
+}
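Review bot: The GeoLite2 database is written to the fixed path /tmp/GeoLite2-City.mmdb in the shared /tmp while the unit runs as the unprivileged radio-news user, and curl is called without `--fail`, so a 4xx/5xx response body from c.r would be saved over the database and handed to geoip2 on the next run (and kept, since `-z` only re-fetches when upstream is newer). Giving the unit its own directory, `serviceConfig.CacheDirectory = "weather";`, and using `$CACHE_DIRECTORY/GeoLite2-City.mmdb` in the two lines that name the file removes the predictable shared path, and `curl -f -z … -o …` stops error pages from being stored. The fetch is over plain http://c.r/, which may be fine if that host is only reachable inside the VPN, but a comment saying so would spare the next reader the question. The `jq` filter then posts to http://radio-news.r with no authentication, which matches how news.nix accepts posts today but is worth noting next to the curl line.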
diff --git a/lass/2configs/radio/weather_for_ips.py b/lass/2configs/radio/weather_for_ips.py
index 8d9a2e7bc..f7cc2dace 100644
--- a/lass/2configs/radio/weather_for_ips.py
+++ b/lass/2configs/radio/weather_for_ips.py
@@ -21,13 +21,13 @@ for ip in fileinput.input():
f'&units=metric'
)
resp = requests.get(url)
- weather = json.loads(resp.text)['current']
+ weather = json.loads(resp.text)
output.append(
- f'Weather report for {location.city.name}'
- f', {location.country.name}. '
- f'Currently it is {weather["weather"][0]["description"]} outside '
- f'with a temperature of {weather["temp"]} degrees '
- f'and a windspeed of {weather["wind_speed"]} meter per second. '
+ f'Weather report for {location.city.name}, {location.country.name}. '
+ f'Currently it is {weather["current"]["weather"][0]["description"]} outside '
+ f'with a temperature of {weather["current"]["temp"]} degrees, '
+ f'and a wind speed of {weather["current"]["wind_speed"]} meters per second. '
+ f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100} percent. '
)
print('\n'.join(output))
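Review bot: `json.loads(resp.text)` on the changed line still runs without checking the response status, and the new lookups `weather["current"][...]` and `weather["hourly"][0]["pop"]` raise KeyError/IndexError when OpenWeather returns an error object (rate limit, bad key) or omits `hourly`, which aborts the whole report for every listener instead of skipping one IP. Call `resp.raise_for_status()` before the parse, and guard the optional part, e.g. `pop = weather.get("hourly", [{}])[0].get("pop")` and append the precipitation sentence only when it is not None. That `pop` is a 0–1 fraction (so `* 100` is a percentage) is an API assumption worth a short comment; the printed value will also carry float noise unless formatted (`{pop * 100:.0f}`). The `for ip in fileinput.input()` loop this sits in begins above the hunk.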
diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index 0bae91d89..a82e1d010 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -22,6 +22,10 @@ in {
hostname
"${hostname}.r"
];
+ locations."/realwallpaper/".extraConfig = ''
+ index on;
+ root /var/realwallpaper";
+ '';
locations."/realwallpaper.png".extraConfig = ''
root /var/realwallpaper/;
'';
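Review bot: The new `/realwallpaper/` location will not load as written: `root /var/realwallpaper";` has a stray double quote that opens an unterminated string, so nginx rejects the configuration, and `index on;` is accepted but only means "serve a file named on" — directory listings need `autoindex on;`. Replace the two lines with `autoindex on;` and `root /var/realwallpaper;`. Note this exposes a listing of everything under /var/realwallpaper on the host's vhost, where the existing location only served realwallpaper.png; fine if the directory holds nothing but wallpapers, but a one-line comment stating that would help.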
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index d4d97a889..b8c9d4f8d 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -21,6 +21,7 @@
"eve"
];
extraConfig = ''
+ AutoConnect = no
StrictSubnets = yes
${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) ''
LocalDiscovery = no
diff --git a/lass/2configs/ssh-cryptsetup.nix b/lass/2configs/ssh-cryptsetup.nix
index f08f85b49..0126c33b2 100644
--- a/lass/2configs/ssh-cryptsetup.nix
+++ b/lass/2configs/ssh-cryptsetup.nix
@@ -6,7 +6,7 @@
ssh = {
enable = true;
authorizedKeys = with config.krebs.users; [
- config.krebs.users.lass-mors.pubkey
+ config.krebs.users.lass.pubkey
config.krebs.users.lass-blue.pubkey
];
};
diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix
index a38cff8d6..5fded10a2 100644
--- a/lass/2configs/sync/decsync.nix
+++ b/lass/2configs/sync/decsync.nix
@@ -3,9 +3,8 @@
path = "/home/lass/decsync";
devices = [ "mors" "blue" "green" "phone" ];
};
- krebs.permown."/home/lass/decsync" = {
- owner = "lass";
- group = "syncthing";
- umask = "0007";
- };
+
+ krebs.acl."/home/lass/decsync"."u:syncthing:X".parents = true;
+ krebs.acl."/home/lass/decsync"."u:syncthing:rwX" = {};
+ krebs.acl."/home/lass/decsync"."u:lass:rwX" = {};
}
diff --git a/lass/2configs/sync/sync.nix b/lass/2configs/sync/sync.nix
index a0927c199..2714fa83e 100644
--- a/lass/2configs/sync/sync.nix
+++ b/lass/2configs/sync/sync.nix
@@ -2,12 +2,7 @@
services.syncthing.folders."/home/lass/sync" = {
devices = [ "mors" "icarus" "xerxes" "shodan" "green" "blue" "coaxmetal" ];
};
- krebs.permown."/home/lass/sync" = {
- file-mode = "u+rw,g+rw";
- owner = "lass";
- group = "syncthing";
- umask = "0002";
- keepGoing = true;
- };
+ krebs.acl."/home/lass/sync"."u:syncthing:X".parents = true;
+ krebs.acl."/home/lass/sync"."u:syncthing:rwX" = {};
+ krebs.acl."/home/lass/sync"."u:lass:rwX" = {};
}
-
diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix
index eb6b0aa16..b32015b84 100644
--- a/lass/2configs/sync/weechat.nix
+++ b/lass/2configs/sync/weechat.nix
@@ -1,8 +1,6 @@
{
services.syncthing.folders."/home/lass/.weechat".devices = [ "green" "mors" ];
- krebs.permown."/home/lass/.weechat" = {
- owner = "lass";
- group = "syncthing";
- umask = "0007";
- };
+ krebs.acl."/home/lass/.weechat"."u:syncthing:X".parents = true;
+ krebs.acl."/home/lass/.weechat"."u:syncthing:rwX" = {};
+ krebs.acl."/home/lass/.weechat"."u:lass:rwX" = {};
}
diff --git a/lass/2configs/tests/dummy-secrets/ssh-tor.priv b/lass/2configs/tests/dummy-secrets/ssh-tor.priv
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/ssh-tor.priv
diff --git a/lass/2configs/themes.nix b/lass/2configs/themes.nix
index e020c62c4..eb1a53987 100644
--- a/lass/2configs/themes.nix
+++ b/lass/2configs/themes.nix
@@ -9,6 +9,7 @@
${placeholder "out"}/bin/switch-theme dark
fi
elif test -e "/etc/themes/$1"; then
+ ${pkgs.coreutils}/bin/mkdir -p /var/theme/config
${pkgs.rsync}/bin/rsync --chown=lass:users -a --delete "/etc/themes/$1/" /var/theme/config/
echo "$1" > /var/theme/current_theme
${pkgs.coreutils}/bin/chown lass:users /var/theme/current_theme
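Review bot: `mkdir -p /var/theme/config` on the added line creates /var/theme and /var/theme/config with the caller's umask and owner, while `--chown=lass:users` on the following rsync applies to what rsync transfers; whether the destination directory itself ends up owned by lass:users is not obvious from here, and the `chown` two lines down is only for current_theme. `${pkgs.coreutils}/bin/install -d -o lass -g users /var/theme/config` makes the ownership explicit in the same single line. The switch-theme script this belongs to starts above the hunk, so how `$1` is validated before `/etc/themes/$1` is not visible; if it can contain `..` the `test -e` guard alone does not confine it.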
diff --git a/lass/2configs/tmux.nix b/lass/2configs/tmux.nix
index c977a1105..10931365d 100644
--- a/lass/2configs/tmux.nix
+++ b/lass/2configs/tmux.nix
@@ -2,25 +2,26 @@ with import <stockholm/lib>;
{ config, pkgs, ... }:
{
+ environment.etc."tmux.conf".text = ''
+ #prefix key to `
+ set-option -g prefix2 `
+
+ bind-key r source-file /etc/tmux.conf \; display-message "/etc/tmux.conf reloaded"
+
+ set-option -g default-terminal screen-256color
+
+ #use session instead of windows
+ bind-key c new-session
+ bind-key p switch-client -p
+ bind-key n switch-client -n
+ bind-key C-s switch-client -l
+ '';
nixpkgs.config.packageOverrides = super: {
tmux = pkgs.symlinkJoin {
name = "tmux";
paths = [
(pkgs.writeDashBin "tmux" ''
- exec ${super.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
- #change prefix key to `
- set-option -g prefix `
- unbind-key C-b
- bind ` send-prefix
-
- set-option -g default-terminal screen-256color
-
- #use session instead of windows
- bind-key c new-session
- bind-key p switch-client -p
- bind-key n switch-client -n
- bind-key C-s switch-client -l
- ''} "$@"
+ exec ${super.tmux}/bin/tmux -f /etc/tmux.conf "$@"
'')
super.tmux
];
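Review bot: The comment `#prefix key to \`` in the new /etc/tmux.conf no longer describes the line under it: `set-option -g prefix2 \`` adds backtick as a second prefix, and the removed `unbind-key C-b` / `bind \` send-prefix` are gone, so C-b stays active and nothing is bound to send-prefix any more. If keeping both prefixes is intended, say so: `# backtick as an additional prefix; C-b remains the default`. The `r` binding reloads /etc/tmux.conf by absolute path, which only matches what the wrapper passes with `-f`; a comment noting that the wrapper and this path must agree would save a future mismatch.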
diff --git a/lass/2configs/tor-ssh.nix b/lass/2configs/tor-ssh.nix
new file mode 100644
index 000000000..8b36733e2
--- /dev/null
+++ b/lass/2configs/tor-ssh.nix
@@ -0,0 +1,14 @@
+{
+ services.tor = {
+ enable = true;
+ relay.onionServices.ssh = {
+ version = 3;
+ map = [{
+ port = 22;
+ target.port = 22;
+ }];
+ secretKey = <secrets/ssh-tor.priv>;
+ };
+ };
+}
+
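Review bot: `secretKey = <secrets/ssh-tor.priv>;` passes a bare Nix path, whereas every other secret reference in this tree uses `toString <secrets>` (the LoadCredential entries in news.nix, weather.nix and ref.ptkk.de) precisely so the file is not imported into the world-readable Nix store; whether the tor module interpolates the value in a way that copies it is not visible here, so `secretKey = toString <secrets/ssh-tor.priv>;` is the safe, consistent form. The matching tests/dummy-secrets/ssh-tor.priv added in this commit is empty, which may not satisfy whatever key-format check the module performs at start; a comment giving the expected format (tor's hs_ed25519_secret_key) next to the option would help. Exposing port 22 through the onion service is presumably the point, but the file has no comment saying which host this is meant for.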
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index 36ce3d74c..210133f48 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -21,6 +21,7 @@ let
set backup
set backupdir=${dirs.backupdir}/
set directory=${dirs.swapdir}//
+ set list listchars=tab:⇥\ ,extends:❯,precedes:❮,nbsp:␣,trail:· showbreak=¬
set hlsearch
set incsearch
set ttymouse=sgr
@@ -51,7 +52,7 @@ let
filetype plugin indent on
set t_Co=256
- colorscheme hack
+ colorscheme dim
syntax on
au Syntax * syn match Garbage containedin=ALL /\s\+$/
@@ -114,10 +115,17 @@ let
" copy/paste from/to xclipboard
set clipboard=unnamedplus
+
+ " use fzf to switch files
+ nnoremap <C-p> :FZF<CR>
+ nnoremap <C-l> :Rg<CR>
+ let g:fzf_layout = { 'down': '~15%' }
'';
extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
pkgs.vimPlugins.undotree
+ pkgs.vimPlugins.fzf-vim
+ pkgs.vimPlugins.fzfWrapper
(pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchFromGitHub {
@@ -127,49 +135,15 @@ let
sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
};
})
- ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
- name = "hack";
- in {
- name = "vim-color-${name}-1.0.2";
- destination = "/colors/${name}.vim";
- text = /* vim */ ''
- set background=dark
- hi clear
- if exists("syntax_on")
- syntax clear
- endif
-
- let colors_name = ${toJSON name}
-
- hi Normal ctermbg=016
- hi Comment ctermfg=255
- hi Constant ctermfg=229
- hi Identifier ctermfg=123
- hi Function ctermfg=041
- hi Statement ctermfg=167
- hi PreProc ctermfg=167
- hi Type ctermfg=046
- hi Delimiter ctermfg=251
- hi Special ctermfg=146
-
- hi Garbage ctermbg=124
- hi TabStop ctermbg=020
- hi NBSP ctermbg=056
- hi NarrowNBSP ctermbg=097
- hi Todo ctermfg=174 ctermbg=NONE
-
- hi NixCode ctermfg=190
- hi NixData ctermfg=149
- hi NixQuote ctermfg=119
-
- hi diffNewFile ctermfg=207
- hi diffFile ctermfg=207
- hi diffLine ctermfg=207
- hi diffSubname ctermfg=207
- hi diffAdded ctermfg=010
- hi diffRemoved ctermfg=009
- '';
- })))
+ (pkgs.vimUtils.buildVimPlugin {
+ name = "vim-dim-1.1.0";
+ src = pkgs.fetchFromGitHub {
+ owner = "jeffkreeftmeijer";
+ repo = "vim-dim";
+ rev = "1.1.0";
+ sha256 = "sha256-lyTZUgqUEEJRrzGo1FD8/t8KBioPrtB3MmGvPeEVI/g=";
+ };
+ })
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "vim";
in {
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 3f055e370..fe4d78a3b 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -29,6 +29,8 @@ in {
(servePage [ "apanowicz.de" "www.apanowicz.de" ])
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
(servePage [ "illustra.de" "www.illustra.de" ])
+ (servePage [ "nirwanabluete.de" "www.nirwanabluete.de" ])
+ (servePage [ "familienrat-hamburg.de" "www.familienrat-hamburg.de" ])
(servePage [
"freemonkey.art"
"www.freemonkey.art"
@@ -36,20 +38,20 @@ in {
(serveOwncloud [ "o.ubikmedia.de" ])
(serveWordpress [
"ubikmedia.de"
- "nirwanabluete.de"
"ubikmedia.eu"
"youthtube.xyz"
"joemisch.com"
"weirdwednesday.de"
"jarugadesign.de"
+ "beesmooth.ch"
- "www.nirwanabluete.de"
"www.ubikmedia.eu"
"www.youthtube.xyz"
"www.ubikmedia.de"
"www.joemisch.com"
"www.weirdwednesday.de"
"www.jarugadesign.de"
+ "www.beesmooth.ch"
"aldona2.ubikmedia.de"
"cinevita.ubikmedia.de"
@@ -64,9 +66,13 @@ in {
"jarugadesign.ubikmedia.de"
"crypto4art.ubikmedia.de"
"jarugadesign.ubikmedia.de"
+ "beesmooth.ubikmedia.de"
])
];
+ # https://github.com/nextcloud/server/issues/25436
+ services.mysql.settings.mysqld.innodb_read_only_compressed = 0;
+
services.mysql.ensureDatabases = [ "ubikmedia_de" "o_ubikmedia_de" ];
services.mysql.ensureUsers = [
{ ensurePermissions = { "ubikmedia_de.*" = "ALL"; }; name = "nginx"; }
@@ -98,7 +104,7 @@ in {
services.nextcloud = {
enable = true;
hostName = "o.xanf.org";
- package = pkgs.nextcloud21;
+ package = pkgs.nextcloud23;
config = {
adminpassFile = "/run/nextcloud.pw";
overwriteProtocol = "https";
@@ -159,6 +165,7 @@ in {
{ from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
{ from = "kontakt@alewis.de"; to ="klabusterbeere"; }
{ from = "hallo@jarugadesign.de"; to ="kasia"; }
+ { from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; }
{ from = "testuser@lassul.us"; to = "testuser"; }
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
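Review bot: The new alias `{ from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; }` spells the domain differently from the `beesmooth.ch` added to the served sites, local domains and DKIM list in this same file, so mail to noreply@beesmooth.ch will not match this entry. Presumably `{ from = "noreply@beesmooth.ch"; to = "besmooth@gmx.ch"; }` is intended; the target mailbox is a third spelling and cannot be checked from here, so confirm it with the site owner.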
@@ -170,10 +177,12 @@ in {
"apanowicz.de"
"alewis.de"
"jarugadesign.de"
+ "beesmooth.ch"
];
dkim = [
{ domain = "ubikmedia.eu"; }
{ domain = "apanowicz.de"; }
+ { domain = "beesmooth.ch"; }
];
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
ssl_key = "/var/lib/acme/lassul.us/key.pem";
@@ -332,6 +341,27 @@ in {
isNormalUser = true;
};
+ users.users.avada = {
+ uid = genid_uint31 "avada";
+ home = "/home/avada";
+ useDefaultShell = true;
+ createHome = true;
+ isNormalUser = true;
+ };
+
+ users.users.familienrat = {
+ uid = genid_uint31 "familienrat";
+ home = "/home/familienrat";
+ useDefaultShell = true;
+ createHome = true;
+ isNormalUser = true;
+ };
+ krebs.acl."/srv/http/familienrat-hamburg.de"."u:familienrat:rwX" = {};
+ krebs.acl."/srv/http"."u:familienrat:X" = {
+ default = false;
+ recursive = false;
+ };
+
users.groups.xanf = {};
krebs.on-failure.plans.restic-backups-domsen = {
@@ -372,18 +402,14 @@ in {
${pkgs.coreutils}/bin/chmod 750 /backups
'';
- krebs.permown = {
- "/srv/http" = {
- group = "syncthing";
- owner = "nginx";
- umask = "0007";
- };
- "/home/xanf/XANF_TEAM" = {
- owner = "XANF_TEAM";
- group = "xanf";
- umask = "0007";
- };
+ # takes too long!!
+ # krebs.acl."/srv/http"."u:syncthing:rwX" = {};
+ # krebs.acl."/srv/http"."u:nginx:rwX" = {};
+ # krebs.acl."/srv/http/ubikmedia.de"."u:avada:rwX" = {};
+ krebs.acl."/home/xanf/XANF_TEAM"."g:xanf:rwX" = {};
+ krebs.acl."/home/xanf"."g:xanf:X" = {
+ default = false;
+ recursive = false;
};
-
}
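Review bot: With the `/srv/http` permown removed and its ACL replacements commented out ("takes too long"), nothing now keeps /srv/http owned by nginx and writable by the syncthing group the way the old `owner = "nginx"; group = "syncthing"; umask = "0007"` did continuously, so files synced in from now on carry whatever ownership syncthing gives them and may be unreadable by nginx until fixed by hand; the `avada` user added above likewise gets no access because its line is commented too. If recursing the whole tree is the cost, `krebs.acl` appears to support `recursive = false` (used just below for /home/xanf), so applying the nginx and syncthing entries non-recursively with a default ACL on the top directories would cover new files cheaply — assuming the module sets default entries, which is not visible here. At minimum the comment should say what replaces the enforcement, or a TODO that it is currently unenforced.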
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 5bf8de013..411234b82 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -10,6 +10,7 @@ in {
imports = [
./default.nix
../git.nix
+ ./ref.ptkk.de
];
security.acme = {
@@ -20,11 +21,8 @@ in {
};
};
- krebs.tinc_graphs.enable = true;
-
users.groups.lasscert.members = [
"dovecot2"
- "ejabberd"
"exim"
"nginx"
];
@@ -48,10 +46,6 @@ in {
locations."= /wireguard-key".extraConfig = ''
alias ${pkgs.writeText "prism.wg" config.krebs.hosts.prism.nets.wiregrill.wireguard.pubkey};
'';
- locations."/tinc/".extraConfig = ''
- index index.html;
- alias ${config.krebs.tinc_graphs.workingDir}/external/;
- '';
locations."= /krebspage".extraConfig = ''
default_type "text/html";
alias ${pkgs.krebspage}/index.html;
@@ -64,14 +58,14 @@ in {
alias ${initscript}/bin/init;
'';
locations."= /blue.pub".extraConfig = ''
- alias ${pkgs.writeText "pub" config.krebs.users.lass.pubkey};
+ alias ${pkgs.writeText "pub" config.krebs.users.lass-blue.pubkey};
'';
- locations."= /mors.pub".extraConfig = ''
- alias ${pkgs.writeText "pub" config.krebs.users.lass-mors.pubkey};
- '';
- locations."= /yubi.pub".extraConfig = ''
+ locations."= /ssh.pub".extraConfig = ''
alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pubkey};
'';
+ locations."= /gpg.pub".extraConfig = ''
+ alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pgp.pubkeys.default};
+ '';
};
security.acme.certs."cgit.lassul.us" = {
@@ -90,19 +84,5 @@ in {
root /var/lib/acme/acme-challenge;
'';
};
-
- users.users.blog = {
- uid = genid_uint31 "blog";
- group = "nginx";
- description = "lassul.us blog deployment";
- home = "/srv/http/lassul.us";
- useDefaultShell = true;
- createHome = true;
- isSystemUser = true;
- openssh.authorizedKeys.keys = with config.krebs.users; [
- lass.pubkey
- lass-mors.pubkey
- ];
- };
}
diff --git a/lass/2configs/websites/ref.ptkk.de/default.nix b/lass/2configs/websites/ref.ptkk.de/default.nix
new file mode 100644
index 000000000..14ce58b8e
--- /dev/null
+++ b/lass/2configs/websites/ref.ptkk.de/default.nix
@@ -0,0 +1,89 @@
+{ config, lib, pkgs, ... }:
+{
+ services.nginx.virtualHosts."ref.ptkk.de" = {
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:4626";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_cache_bypass $http_upgrade;
+ '';
+ };
+ locations."/static/" = {
+ alias = "/var/lib/ref.ptkk.de/static/";
+ };
+ forceSSL = true;
+ };
+ systemd.services."ref.ptkk.de" = {
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ PRODUCTION = "yip";
+ DATA_DIR = "/var/lib/ref.ptkk.de/data";
+ PORT = "4626";
+ STATIC_ROOT = "/var/lib/ref.ptkk.de/static";
+ };
+ path = with pkgs; [
+ git
+ gnutar
+ gzip
+ nix
+ ];
+ serviceConfig = {
+ ExecStartPre = [
+ "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/data"
+ "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/code"
+ "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/static"
+ ];
+ ExecStart = pkgs.writers.writeDash "nixify" ''
+ cd code
+ if test -e shell.nix; then
+ ${pkgs.nix}/bin/nix-shell -I /var/src --run serve
+ else
+ echo 'no shell.nix, bailing out'
+ exit 0
+ fi
+ '';
+ LoadCredential = [
+ "django-secret.key:${toString <secrets>}/ref.ptkk.de-django.key"
+ ];
+ User = "ref.ptkk.de";
+ WorkingDirectory = "/var/lib/ref.ptkk.de";
+ StateDirectory = "ref.ptkk.de";
+ Restart = "always";
+ RestartSec = "100s";
+ };
+ };
+ systemd.services."ref.ptkk.de-restarter" = {
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.systemd}/bin/systemctl restart ref.ptkk.de.service";
+ };
+ };
+ systemd.paths."ref.ptkk.de-restarter" = {
+ wantedBy = [ "multi-user.target" ];
+ pathConfig.PathChanged = [
+ "/var/lib/ref.ptkk.de/code"
+ "/var/src/nixpkgs"
+ ];
+ };
+
+ users.users."ref.ptkk.de" = {
+ isSystemUser = true;
+ uid = pkgs.stockholm.lib.genid_uint31 "ref.ptkk.de";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6fu6LtyRdk++qIBpP0BdZQHSTqzNNlvp7ML2Dv0IxD CI@github.com"
+ config.krebs.users.lass.pubkey
+ ];
+ group = "nginx";
+ home = "/var/lib/ref.ptkk.de";
+ useDefaultShell = true;
+ };
+}
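Review bot: With `Restart = "always"` the `exit 0` on the no-shell.nix branch of ExecStart does not leave the unit stopped: systemd restarts it every 100 s, logging 'no shell.nix, bailing out' until code appears, while the path unit below already restarts it when the checkout changes. `Restart = "on-failure";` keeps the crash-restart for `serve` and lets the empty-checkout case rest, and `cd code || exit 1` avoids running nix-shell in the state root if the directory is missing. The unit executes whatever shell.nix the holder of the `CI@github.com` key (or lass) pushes, as a user with an SSH shell and no systemd sandboxing (`NoNewPrivileges`, `ProtectHome`, `PrivateTmp`); that is presumably the intended deploy model, but it deserves a comment next to the authorized key so the trust boundary is explicit. nginx serves `/var/lib/ref.ptkk.de/static/` directly, so the StateDirectory mode must stay traversable by nginx — worth a note since `group = "nginx"` on the user suggests that is the plan.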
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index b6765037c..22b1669b0 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -174,6 +174,7 @@ rec {
services.phpfpm.pools."${domain}" = {
user = "nginx";
group = "nginx";
+ phpPackage = pkgs.php74;
extraConfig = ''
listen = /srv/http/${domain}/phpfpm.pool
pm = dynamic
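Review bot: `phpPackage = pkgs.php74;` pins every PHP-FPM pool created by this helper to PHP 7.4, whose upstream security support ends in November 2022, and the pin carries no comment saying why (presumably a WordPress plugin or theme not yet on 8.x), so the next reader cannot tell when it can be dropped. Add `# pinned: <plugin/site> not yet compatible with PHP 8; 7.4 is EOL 2022-11, revisit` next to it.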
diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix
index 0183bd4e5..54257d2c4 100644
--- a/lass/2configs/wiregrill.nix
+++ b/lass/2configs/wiregrill.nix
@@ -18,6 +18,10 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
];
krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
{ precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
+ { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
+ { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
+ { precedence = 1000; predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; }
+ { precedence = 1000; predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
];
networking.wireguard.interfaces.wiregrill = {
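Review bot: The new `-i retiolum -o wiregrill` rule accepts new connections unconditionally, yet the `-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED` rule added two lines later already covers replies to wiregrill-initiated traffic, so the unconditional rule is only needed if retiolum hosts should initiate connections to wiregrill peers; together with `-i wiregrill -o retiolum` this bridges the two VPNs fully in both directions on every router, which should be stated in a comment if intended. `-i wiregrill -o eth0` hard-codes the uplink interface name and, without a matching masquerade rule visible here, only works on hosts where eth0 is the uplink and NAT is configured elsewhere; a comment naming that dependency (or deriving the interface from the host config) would help. The reverse eth0→wiregrill direction is correctly limited to RELATED,ESTABLISHED.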
diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix
index d92b18f81..a37752d5e 100644
--- a/lass/2configs/yubikey.nix
+++ b/lass/2configs/yubikey.nix
@@ -38,7 +38,7 @@
}
});
polkit.addRule(function(action, subject) {
- polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
+ polkit.log("subject: " + subject + " action: " + action);
});
'';
diff --git a/lass/5pkgs/sshvnc/default.nix b/lass/5pkgs/sshvnc/default.nix
new file mode 100644
index 000000000..f66ed1b0d
--- /dev/null
+++ b/lass/5pkgs/sshvnc/default.nix
@@ -0,0 +1,11 @@
+{ pkgs }:
+pkgs.writers.writeBashBin "sshvnc" ''
+ set -xm
+
+ RANDOM_HIGH_PORT=$(shuf -i 20000-65000 -n 1)
+ ssh "$@" -f -L $RANDOM_HIGH_PORT:localhost:$RANDOM_HIGH_PORT -- x11vnc -noxdamage -noxfixes -noxrecord -display :0 -localhost -rfbport $RANDOM_HIGH_PORT
+
+ sleep 3
+
+ _JAVA_AWT_WM_NONREPARENTING=1 ${pkgs.turbovnc}/bin/vncviewer localhost:$RANDOM_HIGH_PORT
+''
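Review bot: x11vnc on the remote side is started with `-localhost` but no authentication (`-rfbauth`, `-passwd` or `-unixpw`), so for the lifetime of the session any other local user on the remote host can connect to 127.0.0.1:$RANDOM_HIGH_PORT and control display :0; the ssh tunnel protects the hop, not the remote loopback. Adding `-unixpw` (or `-rfbauth <file>`) plus `-timeout 30` so an unused server exits closes that window. The random port is chosen without checking it is free on either end and `sleep 3` is a fixed race before the viewer connects; `ssh -o ExitOnForwardFailure=yes` at least fails fast when the local port is taken. `set -x` also echoes the full ssh command line, including the host argument, to the terminal, which is likely unintended for a shipped tool.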