diff options
59 files changed, 819 insertions, 525 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index a100e414d..9f1ac9134 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -10,6 +10,9 @@ <stockholm/krebs/2configs/ircd.nix> <stockholm/krebs/2configs/reaktor2.nix> <stockholm/krebs/2configs/wiki.nix> + + ## shackie irc bot + <stockholm/krebs/2configs/shack/reaktor.nix> ]; krebs.build.host = config.krebs.hosts.hotdog; diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 2f122f6ff..5ed946aca 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -109,7 +109,7 @@ <stockholm/krebs/2configs/shack/prometheus/node.nix> <stockholm/krebs/2configs/shack/prometheus/server.nix> <stockholm/krebs/2configs/shack/prometheus/blackbox.nix> - <stockholm/krebs/2configs/shack/prometheus/unifi.nix> + #<stockholm/krebs/2configs/shack/prometheus/unifi.nix> <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix> ## Collect local statistics via collectd and send to collectd @@ -124,7 +124,6 @@ loader.efi.canTouchEfiVariables = true; initrd.luks.devices.luksroot.device = "/dev/sda3"; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; kernelModules = [ "kvm-intel" ]; diff --git a/krebs/1systems/test-all-krebs-modules/config.nix b/krebs/1systems/test-all-krebs-modules/config.nix index 2e1b5c1ad..8495a3ded 100644 --- a/krebs/1systems/test-all-krebs-modules/config.nix +++ b/krebs/1systems/test-all-krebs-modules/config.nix @@ -10,7 +10,6 @@ in { enable = true; build.user = config.krebs.users.krebs; build.host = config.krebs.hosts.test-all-krebs-modules; - Reaktor.test = {}; apt-cacher-ng.enable = true; backup.enable = true; bepasty.enable = true; diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index 4a33c33ec..cbf3e7889 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -47,7 +47,7 @@ let activate = "always"; command = { filename = - "${pkgs.Reaktor.src}/reaktor/commands/tell-on_join"; + <stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_join.sh>; env = { PATH = makeBinPath [ pkgs.coreutils # XXX env, touch @@ -95,10 +95,10 @@ let } hooks.sed (generators.command_hook { - inherit (commands) hello random-emoji nixos-version; + inherit (commands) random-emoji nixos-version; tell = { filename = - "${pkgs.Reaktor.src}/reaktor/commands/tell-on_privmsg"; + <stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh>; env = { PATH = makeBinPath [ pkgs.coreutils # XXX date, env @@ -223,9 +223,13 @@ in { spanDate.title = new Date(entryDate).toString(); spanDate.appendChild(document.createTextNode(entryDate)); + const link = document.createElement("a"); + link.href = "http://wiki.r/agenda/" + encodeURIComponent(agendaItem.description.replaceAll("/", "\u29F8")); + link.appendChild(document.createTextNode(agendaItem.description)); + const dd = document.createElement("dd"); dd.className = "description"; - dd.appendChild(document.createTextNode(agendaItem.description)); + dd.appendChild(link); dd.appendChild(document.createTextNode(" ")); dd.appendChild(spanDate); diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix index 392e6bed3..e2be477fd 100644 --- a/krebs/2configs/repo-sync.nix +++ b/krebs/2configs/repo-sync.nix @@ -183,7 +183,6 @@ in { (sync-remote { name = "skytraq-datalogger"; url = "https://github.com/makefu/skytraq-datalogger"; }) (sync-remote { name = "realwallpaper"; url = "https://github.com/lassulus/realwallpaper"; }) (sync-remote { name = "painload"; url = "https://github.com/krebs/painload"; }) - (sync-remote { name = "Reaktor"; url = "https://github.com/krebs/Reaktor"; }) (sync-remote { name = "nixos-wiki"; url = "https://github.com/Mic92/nixos-wiki.wiki.git"; }) ]; } diff --git a/krebs/2configs/shack/doorstatus.sh b/krebs/2configs/shack/doorstatus.sh new file mode 100755 index 000000000..11e710cfd --- /dev/null +++ b/krebs/2configs/shack/doorstatus.sh @@ -0,0 +1,74 @@ +#!/bin/sh +# needs in path: +# curl jq +# creates and manages $PWD/state +set -euf + +send_reaktor(){ + # usage: send_reaktor "text" + echo "send_reaktor: $1" + curl -fsS http://localhost:7777 \ + -H content-type:application/json \ + -d "$(jq -n \ + --arg text "$1" '{ + command:"PRIVMSG", + params:["#shackspace",$text] + }' + )" +} + +open=$(shuf -n1 <<EOF +happy hacking, shack ist offen +Heureka, der shack ist offen +Die Türe ist offen, der shack will bespielt werden +Frohlocket, der shack ist offen +shack is love, shack is life, shack is offen +Bin da, wer noch? shack hat geöffnet! +shack hat geöffnet: Arbeiten Sie sicher, arbeiten Sie klug! +Bin ich schon drin? Ich bin schon drin.. das war ja einfach. Also im shack. +Uuuuund es setzt sich in Bewegung, wir öffnen den shack, los, los! Ja da guckt ihr, jetzt gehts looos! +EOF +) + +close=$(shuf -n1 <<EOF +Hacking vorbei, shack ist zu! +Tja, shack ist zu +Shackie-closie +Der Sandmann kommt, alle shackies sind zu haus und die Tür ist zu +shack hat Stromsparmodus aktiviert +Tür ist zu, shackspace ist jetzt koronakonform +Oh nein, eine Tür, sie ist verschlossen! Also, die vom shack +Ihr kennt das ja: Abschalten. Der shack ist zu. +EOF +) +error=$(shuf -n1 <<EOF +Hase, api ist kaputt! Bitte reparieren +API liefert kein sinnvolles Ergebnis, keine Ahnung ob shack offen oder zu ist +shack api defekt :( +Hubel Hubel, jemand könnte mal die shack api reparieren +API sagt derp +Siehste das? API? Da soll ich jetzt nen Request drauf machen? Jetzt werd ich aber langsam n bisschen wild hier langsam! +Der API ist ein bisschen ein Otto geworden, ischwör der will mich flaxen +ich möchte den geschäftsführer sprechen, das API geht nicht mehr! +Herr makefu an Kasse 3 bitte, Kasse 3 bitte Herr makefu. Der API Computer ist mal wieder ausgefallen +EOF +) + +state=$(curl https://api.shackspace.de/v1/space | jq .doorState.open) +prevstate=$(cat state ||:) + +if test "$state" == "$(cat state)";then + #echo "current and last state is the same ($state), doing nothing" + : +else + echo "API state and last state differ ( '$state' != '$prevstate')" + if test "$state" == "true";then + send_reaktor "$open" + elif test "$state" == "false";then + send_reaktor "$close" + else + send_reaktor "$error" + fi + echo "updating state" + printf "%s" "$state" > state +fi diff --git a/krebs/2configs/shack/glados/default.nix b/krebs/2configs/shack/glados/default.nix index 53d6e6f4a..51c2ad94f 100644 --- a/krebs/2configs/shack/glados/default.nix +++ b/krebs/2configs/shack/glados/default.nix @@ -112,7 +112,8 @@ in { } { platform = "mpd"; name = "kiosk"; - host = "lounge.kiosk.shack"; + #host = "lounge.kiosk.shack"; + host = "kiosk.shack"; } ]; @@ -123,7 +124,7 @@ in { http = { base_url = "http://hass.shack"; use_x_forwarded_for = true; - trusted_proxies = "127.0.0.1"; + trusted_proxies = [ "127.0.0.1" "::1" ]; }; #conversation = {}; @@ -139,6 +140,7 @@ in { language = "de"; cache = true; time_memory = 57600; + base_url = "http://hass.shack"; } ]; device_tracker = []; diff --git a/krebs/2configs/shack/light.shack.nix b/krebs/2configs/shack/light.shack.nix index 8e01cb1bf..715339a69 100644 --- a/krebs/2configs/shack/light.shack.nix +++ b/krebs/2configs/shack/light.shack.nix @@ -1,7 +1,9 @@ { config, pkgs, ... }: let - light-shack-src = pkgs.fetchgit { - url = "https://git.shackspace.de/rz/standby.shack"; + light-shack-src = + pkgs.fetchFromGitHub { + owner = "shackspace"; + repo = "standby.shack"; rev = "e1b90a0a"; sha256 = "07fmz63arc5rxa0a3778srwz0jflp4ad6xnwkkc56hwybby0bclh"; }; diff --git a/krebs/2configs/shack/muell_mail.nix b/krebs/2configs/shack/muell_mail.nix index 951450200..9308c7b13 100644 --- a/krebs/2configs/shack/muell_mail.nix +++ b/krebs/2configs/shack/muell_mail.nix @@ -2,8 +2,9 @@ let pkg = pkgs.callPackage ( - pkgs.fetchgit { - url = "https://git.shackspace.de/rz/muell_mail"; + pkgs.fetchFromGitHub { + owner = "shackspace"; + repo = "muell_mail"; rev = "c3e43687879f95e01a82ef176fa15678543b2eb8"; sha256 = "0hgchwam5ma96s2v6mx2jfkh833psadmisjbm3k3153rlxp46frx"; }) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; }; diff --git a/krebs/2configs/shack/muellshack.nix b/krebs/2configs/shack/muellshack.nix index b032b4299..cabe72b40 100644 --- a/krebs/2configs/shack/muellshack.nix +++ b/krebs/2configs/shack/muellshack.nix @@ -2,8 +2,9 @@ let pkg = pkgs.callPackage ( - pkgs.fetchgit { - url = "https://git.shackspace.de/rz/muellshack"; + pkgs.fetchFromGitHub { + owner = "shackspace"; + repo = "muellshack"; rev = "dc80cf1edaa3d86ec2bebae8596ad1d4c4e3650a"; sha256 = "1yipr66zhrg5m20pf3rzvgvvl78an6ddkq6zc45rxb2r0i7ipkyh"; diff --git a/krebs/2configs/shack/node-light.nix b/krebs/2configs/shack/node-light.nix index 2e69d5aaa..7a648d4ee 100644 --- a/krebs/2configs/shack/node-light.nix +++ b/krebs/2configs/shack/node-light.nix @@ -2,8 +2,9 @@ let pkg = pkgs.callPackage ( - pkgs.fetchgit { - url = "https://git.shackspace.de/rz/node-light.git"; + pkgs.fetchFromGitHub { + owner = "shackspace"; + repo = "node-light"; rev = "90a9347b73af3a9960bd992e6293b357226ef6a0"; sha256 = "1av9w3w8aknlra25jw6gqxzbb01i9kdlfziy29lwz7mnryjayvwk"; }) { }; diff --git a/krebs/2configs/shack/powerraw.nix b/krebs/2configs/shack/powerraw.nix index 43c743587..64e1911cf 100644 --- a/krebs/2configs/shack/powerraw.nix +++ b/krebs/2configs/shack/powerraw.nix @@ -6,14 +6,16 @@ let influx-url = "http://influx.shack:8086"; pkg = pkgs.python3.pkgs.callPackage ( - pkgs.fetchgit { - url = "https://git.shackspace.de/rz/powermeter.git"; + pkgs.fetchFromGitHub { + owner = "shackspace"; + repo = "powermeter"; rev = "438b08f"; sha256 = "0c5czmrwlw985b7ia6077mfrvbf2fq51iajb481pgqbywgxqis5m"; }) {}; in { # receive response from light.shack / standby.shack networking.firewall.allowedUDPPorts = [ 11111 ]; + networking.firewall.allowedTCPPorts = [ 11111 ]; users.users.powermeter = { extraGroups = [ "dialout" ]; isSystemUser = true; diff --git a/krebs/2configs/shack/reaktor.nix b/krebs/2configs/shack/reaktor.nix new file mode 100644 index 000000000..a31c7a687 --- /dev/null +++ b/krebs/2configs/shack/reaktor.nix @@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: +{ + krebs.reaktor2.shackie = { + hostname = "irc.libera.chat"; + port = "6697"; + nick = "shackie"; + API.listen = "inet://127.0.0.1:7777"; + plugins = [ + { + plugin = "register"; + config = { + channels = [ + "#shackspace" + ]; + }; + } + ]; + }; + systemd.services.announce_doorstatus = { + startAt = "*:0/1"; + path = with pkgs; [ curl jq ]; + script = builtins.readFile ./doorstatus.sh; + serviceConfig = { + DynamicUser = true; + StateDirectory = "doorstatus"; + WorkingDirectory = "/var/lib/doorstatus"; + PrivateTmp = true; + }; + }; +} diff --git a/krebs/2configs/shack/s3-power.nix b/krebs/2configs/shack/s3-power.nix index 0ce8a8786..bed98d860 100644 --- a/krebs/2configs/shack/s3-power.nix +++ b/krebs/2configs/shack/s3-power.nix @@ -2,8 +2,9 @@ let pkg = pkgs.callPackage ( - pkgs.fetchgit { - url = "https://git.shackspace.de/rz/s3-power"; + pkgs.fetchFromGitHub { + owner = "shackspace"; + repo = "s3-power"; rev = "0687ab64"; sha256 = "1m8h4bwykv24bbgr5v51mam4wsbp5424xcrawhs4izv563jjf130"; }) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; }; diff --git a/krebs/2configs/shack/shackDNS.nix b/krebs/2configs/shack/shackDNS.nix index c9cdfd24b..00f79abc4 100644 --- a/krebs/2configs/shack/shackDNS.nix +++ b/krebs/2configs/shack/shackDNS.nix @@ -1,9 +1,10 @@ { config, lib, pkgs, ... }: let - pkg = - pkgs.fetchgit { - url = "https://git.shackspace.de/rz/shackdns"; + pkg = + pkgs.fetchFromGitHub { + owner = "shackspace"; + repo = "shackdns"; rev = "e55cc906c734b398683f9607b93f1ad6435d8575"; sha256 = "1hkwhf3hqb4fz06b1ckh7sl0zcyi4da5fgdlksian8lxyd19n8sq"; }; diff --git a/krebs/2configs/shack/worlddomination.nix b/krebs/2configs/shack/worlddomination.nix index 4bdb095f1..e339d3174 100644 --- a/krebs/2configs/shack/worlddomination.nix +++ b/krebs/2configs/shack/worlddomination.nix @@ -4,8 +4,9 @@ with import <stockholm/lib>; let pkg = pkgs.stdenv.mkDerivation { name = "worlddomination-2020-12-01"; - src = pkgs.fetchgit { - url = "https://git.shackspace.de/rz/worlddomination.git"; + src = pkgs.fetchFromGitHub { + owner = "shackspace"; + repo = "worlddomination"; rev = "c7aedcde7cd1fcb870b5356a6125e1a384b0776c"; sha256 = "0y6haz5apwa33lz64l7b2x78wrrckbw39j4wzyd1hfk46478xi2y"; }; diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix deleted file mode 100644 index 2a035d7be..000000000 --- a/krebs/3modules/Reaktor.nix +++ /dev/null @@ -1,155 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import <stockholm/lib>; -let - - cfg = config.krebs.Reaktor; - homedir = "/var/lib/Reaktor"; - - out = { - options.krebs.Reaktor = api; - config = mkIf (cfg != {}) imp; - }; - - api = mkOption { - default = {}; - type = with types; attrsOf (submodule ({ options = { - - nickname = mkOption { - default = config.krebs.build.host.name + "|r"; - type = types.str; - description = '' - The nick name of the irc bot. - Defaults to {hostname}|r - ''; - }; - - overrideConfig = mkOption { - default = null; - type = types.nullOr types.str; - description = '' - configuration to be used instead of default ones. - Reaktor default cfg can be retrieved via `reaktor get-config` - ''; - }; - - plugins = mkOption { - default = [pkgs.ReaktorPlugins.nixos-version]; - }; - - workdir = mkOption { - default = "/var/lib/Reaktor"; - type = types.path; - description = '' - path to be used as workdir (home dir is still /var/lib/Reaktor) - ''; - }; - - extraConfig = mkOption { - default = ""; - type = types.str; - description = '' - configuration appended to the default or overridden configuration - ''; - }; - - extraEnviron = mkOption { - default = {}; - type = types.attrsOf types.str; - description = '' - Environment to be provided to the service, can be: - REAKTOR_HOST - REAKTOR_PORT - REAKTOR_STATEDIR - - debug and nickname can be set separately via the Reaktor api - ''; - }; - - channels = mkOption { - default = [ "#krebs" ]; - type = types.listOf types.str; - description = '' - Channels the Reaktor should connect to at startup. - ''; - }; - - debug = mkOption { - default = false; - description = '' - Reaktor debug output - ''; - }; - };})); - }; - - imp = { - # TODO get user per configured bot - # TODO get home from api - # for reaktor get-config - users.extraUsers = singleton rec { - name = "Reaktor"; - uid = genid name; - description = "Reaktor user"; - home = homedir; - createHome = true; - }; - - #users.extraGroups = singleton { - # name = "Reaktor"; - # gid = config.ids.gids.Reaktor; - #}; - - systemd.services = mapAttrs' (name: botcfg: - let - ReaktorConfig = pkgs.writeText "config.py" '' - ${if (isString botcfg.overrideConfig ) then '' - # Overriden Config - ${botcfg.overrideConfig} - '' else ""} - ## Extra Config - ${concatStringsSep "\n" (map (plug: plug.config) botcfg.plugins)} - ${botcfg.extraConfig} - ''; - in nameValuePair "Reaktor-${name}" { - path = with pkgs; [ - git # for nag - jq # for tell - python # for caps - utillinux # flock for tell - ]; - description = "Reaktor IRC Bot"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - environment = { - GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - PYTHONPATH = "${pkgs.Reaktor}/lib/python3.6/site-packages"; - REAKTOR_NICKNAME = botcfg.nickname; - REAKTOR_DEBUG = (if botcfg.debug then "True" else "False"); - REAKTOR_CHANNELS = lib.concatStringsSep "," botcfg.channels; - state_dir = botcfg.workdir; - - } // botcfg.extraEnviron; - serviceConfig= { - ExecStartPre = pkgs.writeScript "Reaktor-init" '' - #! /bin/sh - ${if (isString botcfg.overrideConfig) then - ''cp ${ReaktorConfig} /tmp/reaktor-${name}-config.py'' - else - ''(${pkgs.Reaktor}/bin/reaktor get-config;cat "${ReaktorConfig}" ) > /tmp/reaktor-${name}-config.py'' - } - mkdir -p ${botcfg.workdir} - ''; - ExecStart = "${pkgs.Reaktor}/bin/reaktor run /tmp/reaktor-${name}-config.py"; - PrivateTmp = "true"; - User = "Reaktor"; - Restart = "always"; - RestartSec= "30" ; - }; - } - ) cfg; - - }; - -in -out diff --git a/krebs/3modules/announce-activation.nix b/krebs/3modules/announce-activation.nix index 76eb4b136..a40ae8cef 100644 --- a/krebs/3modules/announce-activation.nix +++ b/krebs/3modules/announce-activation.nix @@ -9,6 +9,7 @@ with import <stockholm/lib>; ${shell.escape (toString cfg.irc.port)} \ ${shell.escape cfg.irc.nick} \ ${shell.escape cfg.irc.channel} \ + ${escapeShellArg cfg.irc.tls} \ "$message" ''; default-get-message = pkgs.writeDash "announce-activation-get-message" '' @@ -50,6 +51,10 @@ in { default = "irc.r"; type = types.hostname; }; + tls = mkOption { + default = false; + type = types.bool; + }; }; }; config = mkIf cfg.enable { diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 30ca82b97..149995a23 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -43,7 +43,6 @@ let ./permown.nix ./per-user.nix ./power-action.nix - ./Reaktor.nix ./reaktor2.nix ./realwallpaper.nix ./retiolum-bootstrap.nix diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 75be58326..eff2967e0 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -18,42 +18,14 @@ with import <stockholm/lib>; in { hosts = mapAttrs hostDefaults { - toum = { - owner = config.krebs.users.kmein; - nets = { - retiolum = { - ip4.addr = "10.243.2.3"; - aliases = [ - "toum.r" - "toum.kmein.r" - ]; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2tRtskPP6391+ZX9xzsx - CUotXuqYucYmnUbrRSIlxASVqTmAf3nDOE5EDBBcTdSwnb02JcJW4Zh7+BGgMxjF - GxDPs6ETI28mHK+6rp8TOkMnyDb5mtSGVZPvKJU9fFOt6aAX1J1BzTfwtHtVQq7K - WBzdpeKXlw4dIQ6K6SGmPIPpEh9pE1Xb+GuVljCXKxGJFbW40dmh2ZdadO7umBDu - vRk08jT9/BUnUP6KrZlvyePnG38z6srMrVU+XAHu5D2qZ9y+QIp3kw7Y5JUrNXc7 - 9q9P9TYx15GiIz2mSJKcLVmkLRebsaqdV7dBibPbfdGE+NB+F1FYPGDdW4cnonon - DzzjGm/FDfOCXEnSkYGQDBWpfd/8AWum1xGJxJCPNBJElGE2o5jDWo4Y1b9gHP0M - vARm8AOK8R1pQ7BP+pNMO0gGw2NDrtWiWpTeZ7SqXmZAZ/Gmyen9X+/fowcbTyDH - b9joIuMQeOtxbUV2JprZIdit9NBFSZq/7Re/GBUwjGBm3LabIXFNGKZovx/f9lf8 - r5tVs4SPauiKzZS0K1Gz1NSq+3OXaY5EwVrBUXptYqRT7uyhVloOPRUsqRFeB0Fn - Y5xOpDJ0UiJxgFbdH5Vb81D/VjNO9Q4nZib8wSEuLrYLHGoceQPX4+Ov9IdhIL4B - BMTCaF+VCWC5PCLr0e61KqMCAwEAAQ== - -----END PUBLIC KEY----- - ''; - }; - }; - }; - wilde = { + kabsa = { owner = config.krebs.users.kmein; nets = { retiolum = { ip4.addr = "10.243.2.4"; aliases = [ - "wilde.r" - "wilde.kmein.r" + "kabsa.r" + "kabsa.kmein.r" ]; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- @@ -99,34 +71,6 @@ in { }; }; }; - homeros = { - owner = config.krebs.users.kmein; - nets = { - retiolum = { - ip4.addr = "10.243.2.1"; - aliases = [ - "homeros.r" - "homeros.kmein.r" - ]; - tinc.pubkey = '' - -----BEGIN PUBLIC KEY----- - MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoZq6BwB6rV6EfTf8PWOd - ZhEWig5VcK1FcH0qi7KgojAhGSHhWmtFlvRSoGpQrSFRN0g5eTnrrguuTiIs6djc - 6Al9HMqwSD1IOkqFm8jM4aG5NqjYg3in6blOFarBEOglfnsYHiUPt6T4fERxRZ9v - RguEWrishNMSv+D4vclKwctTB/6dQNsTAfnplcyDZ9un/ql9BG2cgU9yqeYLDdXd - vRvrWX9eZKGJvTrQmAiKONlSvspr1d28FxcUrUnCsdRLvP3Cc4JZiUhSA7ixFxn3 - +LgGIZiMKTnl8syrsHk5nvLi5EUER7xkVX8iBlKA4JD4XTZVyBxPB1mJnOCUShQc - QK6nVr6auvJbRn7DHHKxDflSBgYt4qaf92+5A4xEsZtgMpmIFH5t6ifGQsQwgYsm - fOexviy9gMyZrHjQDUs4smQxxYq3AJLdfOg2jQXeAbgZpCVw5l8YHk3ECoAk7Fvh - VMJVPwukErGuVn2LpCHeVyFBXNft4bem1g0gtaf2SuGFEnl7ABetQ0bRwClRSLd7 - k7PGDbdcCImsWhqyuLpkNcm95DfBrXa12GETm48Wv9jV52C5tfWFmOnJ0mOnvtxX - gpizJjFzHz275TVnJHhmIr2DkiGpaIVUL4FRkTslejSJQoUTZfDAvKF2gRyk+n6N - mJ/hywVtvLxNkNimyztoKKMCAwEAAQ== - -----END PUBLIC KEY----- - ''; - }; - }; - }; horisa = { cores = 2; owner = config.krebs.users.ulrich; # main laptop @@ -205,6 +149,7 @@ in { aliases = [ "makanek.r" "makanek.kmein.r" + "grafana.kmein.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -317,6 +262,7 @@ in { aliases = [ "zaatar.r" "zaatar.kmein.r" + "radio.kmein.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -639,7 +585,7 @@ in { nets = { retiolum = { ip4.addr = "10.243.13.12"; - aliases = [ "catalonia.r" ]; + aliases = [ "catalonia.r" "aleph.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- MIICCgKCAgEAug+nej8/spuRHdzcfBYAuzUVoiq4YufmJqXSshvgf4aqjeVEt91Y diff --git a/krebs/3modules/hidden-ssh.nix b/krebs/3modules/hidden-ssh.nix index 1e56e62f9..acbe717d9 100644 --- a/krebs/3modules/hidden-ssh.nix +++ b/krebs/3modules/hidden-ssh.nix @@ -19,6 +19,14 @@ let type = types.str; default = "irc.hackint.org"; }; + port = mkOption { + type = types.int; + default = 6697; + }; + tls = mkOption { + type = types.bool; + default = true; + }; message = mkOption { type = types.str; default = "SSH Hidden Service at "; @@ -27,14 +35,17 @@ let imp = let torDirectory = "/var/lib/tor"; # from tor.nix - hiddenServiceDir = torDirectory + "/ssh-announce-service"; + hiddenServiceDir = torDirectory + "/onion/hidden-ssh"; in { services.tor = { enable = true; - extraConfig = '' - HiddenServiceDir ${hiddenServiceDir} - HiddenServicePort 22 127.0.0.1:22 - ''; + relay.onionServices.hidden-ssh = { + version = 3; + map = [{ + port = 22; + target.port = 22; + }]; + }; client.enable = true; }; systemd.services.hidden-ssh-announce = { @@ -50,10 +61,14 @@ let echo "still waiting for ${hiddenServiceDir}/hostname" sleep 1 done - ${pkgs.untilport}/bin/untilport ${cfg.server} 6667 && \ - ${pkgs.irc-announce}/bin/irc-announce \ - ${cfg.server} 6667 ${config.krebs.build.host.name}-ssh \ - \${cfg.channel} \ + ${pkgs.untilport}/bin/untilport ${escapeShellArg cfg.server} ${toString cfg.port} + + ${pkgs.irc-announce}/bin/irc-announce \ + ${escapeShellArg cfg.server} \ + ${toString cfg.port} \ + "${config.krebs.build.host.name}-ssh" \ + ${escapeShellArg cfg.channel} \ + ${escapeShellArg cfg.tls} \ "${cfg.message}$(cat ${hiddenServiceDir}/hostname)" ''; PrivateTmp = "true"; diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index b19e2e6fc..3419d806c 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -47,6 +47,7 @@ in { radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} jitsi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + mumble 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} ''; }; nets = rec { @@ -783,6 +784,62 @@ in { }; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIn+o0uCBSot254kZKlNepVKFcwDPdr8s6+lQmYGM3Hd "; + syncthing.id = "TT4MBZS-YNDZUYO-Y6L4GOK-5IYUCXY-2RKFOSK-5SMZYSR-5QMOXSS-6DNJIAZ"; + }; + + lasspi = { + cores = 1; + nets = { + retiolum = { + ip4.addr = "10.243.1.89"; + ip6.addr = r6 "189"; + aliases = [ + "lasspi.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3zUXIiw8/9okrGaxlAR1 + JvoXNxAzLj5wwE2B0A+9ppev7Vl52HJarNoM6+0RN4aZDGMhDWg8J5ZQSdGUNm5F + CIdxE1TwLXxzW5nd7BIb+MVsjtw0pxId7Gxq6Wgtx1QljUdsp8OVrJActqsmXYMl + oYEWdENHRONYTCyhs+Kd18MERyxQCqOXOnD170iaFuCcHiIa2nSOtlk+aIPNIE/P + Qsp7Q0RCRvqd5LszsI7bp3gZL9mgGquQEW+3ZxSaIYHGTdK/zI4PHYpEa7IvdJFS + BJjJj+PbilnSxy7iL826O8ckxBqA0rNS0EynCKCI0DoVimCeklk20vLagDyXiDyC + VW2774j1rF35eIowPTBVJNfquEptNDl9MLV3MC2P8gnCZp5x+7dEwpqsvecBQ7Z8 + +Ry9JZ/zlWi5qT86SrwKKqJqRhWHjZZSRzWdo4ypaNOy0cKHb2DcVfgn38Kf16xs + QM11XLCRE8VLIVl5UFgrF6q/0f8JP1BG8RO90NDsLwIW/EwKiJ9OGFtayvxkmgHP + zgmzgws8cn50762OPkp4OVzVexN77d9N8GU9QXAlsFyn2FJlO26DvFON4fHIf0bP + 6lqI1Up2jAy0eSl2txlxxKbKRlkIaebHulhxIxQ1djA+xPb/5cfasom9Qqwf6/Lc + 287nChBcbY+HlshTe0lZdrkCAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + wiregrill = { + ip6.addr = w6 "189"; + aliases = [ + "lasspi.w" + ]; + wireguard.pubkey = '' + IIBAiG7jZEliQJJsNUQswLsB5FQFkAfq5IwyHAp71Vw= + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjYOaTQE9OvvIaWWjO+3/uSy7rvnhnJA48rWYeB2DfB"; + }; + + domsen-pixel = { + nets = { + wiregrill = { + ip4.addr = "10.244.1.17"; + ip6.addr = w6 "d0"; + aliases = [ + "domsen-pixel.w" + ]; + wireguard.pubkey = "cGuBSB1DftIsanbxrSG/i4FiC+TmQrs+Z0uE6SPscHY="; + }; + }; + external = true; + ci = false; }; }; diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 30d90bf2b..03431ce5f 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -233,6 +233,7 @@ in { "wiki.gum.r" "wiki.makefu.r" "warrior.gum.r" + "rss.makefu.r" "sick.makefu.r" "dl.gum.r" "dl.makefu.r" diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix index 76f333963..1fa6012cf 100644 --- a/krebs/3modules/realwallpaper.nix +++ b/krebs/3modules/realwallpaper.nix @@ -51,6 +51,7 @@ let serviceConfig = { Type = "simple"; + Restart = "on-failure"; ExecStart = "${pkgs.realwallpaper}/bin/generate-wallpaper"; User = "realwallpaper"; }; diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index d18c3e4c8..c077bf4d7 100644 --- a/krebs/5pkgs/default.nix +++ b/krebs/5pkgs/default.nix @@ -15,6 +15,4 @@ foldl' mergeAttrs {} { brockman = self.haskellPackages.brockman; reaktor2 = self.haskellPackages.reaktor2; - - ReaktorPlugins = self.callPackage ./simple/Reaktor/plugins.nix {}; } diff --git a/krebs/5pkgs/haskell/brockman/default.nix b/krebs/5pkgs/haskell/brockman/default.nix index ef9f36217..d3dbcd89c 100644 --- a/krebs/5pkgs/haskell/brockman/default.nix +++ b/krebs/5pkgs/haskell/brockman/default.nix @@ -7,12 +7,12 @@ }: mkDerivation rec { pname = "brockman"; - version = "3.4.5"; + version = "4.0.1"; src = fetchFromGitHub { owner = "kmein"; repo = "brockman"; rev = version; - sha256 = "1q56ibgijcz6fgd60h0d1f2020l4n2i2nh98yaq95zhzwg0qsciy"; + sha256 = "0hppgban8hfyhn4c8qgm8j7ml6jaa35pjgrv3k3q27ln71wnr8rz"; }; isLibrary = false; isExecutable = true; diff --git a/krebs/5pkgs/simple/Reaktor/default.nix b/krebs/5pkgs/simple/Reaktor/default.nix deleted file mode 100644 index 1cc498a68..000000000 --- a/krebs/5pkgs/simple/Reaktor/default.nix +++ /dev/null @@ -1,24 +0,0 @@ -{ lib, pkgs, python3Packages, fetchFromGitHub, ... }: - -python3Packages.buildPythonPackage rec { - name = "Reaktor-${version}"; - version = "0.7.1"; - - doCheck = false; - - propagatedBuildInputs = with pkgs;[ - python3Packages.docopt - python3Packages.requests - ]; - src = fetchFromGitHub { - owner = "krebs"; - repo = "Reaktor"; - rev = "v${version}"; - sha256 = "0cv5a4x73ls6sk8qj2qi6gqn31rv8kvdg13dsf3jv92xdfx6brjn"; - }; - meta = { - homepage = http://krebsco.de/; - description = "An IRC bot based on asynchat"; - license = lib.licenses.wtfpl; - }; -} diff --git a/krebs/5pkgs/simple/Reaktor/plugins.nix b/krebs/5pkgs/simple/Reaktor/plugins.nix deleted file mode 100644 index 1b19a1178..000000000 --- a/krebs/5pkgs/simple/Reaktor/plugins.nix +++ /dev/null @@ -1,182 +0,0 @@ -{ stdenv, lib, pkgs, makeWrapper }: - -rec { - # Begin API - buildBaseReaktorPlugin = { name - , config # python extra configuration for plugin - , phases ? [] - , ... } @ attrs: - stdenv.mkDerivation (attrs // { - name = "Reaktor-plugin-" + name; - isReaktorPlugin = true; - }); - - buildSimpleReaktorPlugin = name: { script - , path ? [] - , env ? {} - , append_rule ? false # append the rule instead of insert - , pattern ? "" - , ... } @ attrs: - let - path_env = { "PATH" = lib.makeSearchPath "bin" (path ++ [ pkgs.coreutils ]); }; - src_dir = pkgs.substituteAll ( { - inherit name; - dir = "bin"; - isExecutable = true; - src = script; - }); - src_file = "${src_dir}/bin/${name}"; - config = '' - public_commands.${if append_rule then "append(" else "insert(0," }{ - 'capname' : "${name}", - 'pattern' : ${if pattern == "" then - ''indirect_pattern.format("${name}")'' else - ''"${pattern}"'' }, - 'argv' : ["${src_file}"], - 'env' : ${builtins.toJSON (path_env // env)} }) - ''; - config_file = pkgs.writeText "plugin.py" config; - in buildBaseReaktorPlugin (attrs // rec { - inherit name config; - - phases = [ "installPhase" ]; - buildInputs = [ makeWrapper ]; - installPhase = '' - mkdir -p $out/bin $out/etc/Reaktor - ln -s ${src_file} $out/bin - wrapProgram $out/bin/${name} \ - --prefix PATH : ${path_env.PATH} - ln -s ${config_file} $out/etc/Reaktor/plugin.py - ''; - - }); - # End API - - # Begin Plugins - random-emoji = buildSimpleReaktorPlugin "emoji" { - path = with pkgs; [ gnused gnugrep xmlstarlet curl ]; - script = ./scripts/random-emoji.sh; - }; - - sed-plugin = buildSimpleReaktorPlugin "sed-plugin" { - path = [ pkgs.gnused pkgs.python3 ]; - # only support s///gi the plugin needs to see every msg - # TODO: this will eat up the last regex, fix Reaktor to support fallthru - append_rule = true; - pattern = "^(?P<args>.*)$$"; - script = ./scripts/sed-plugin.py; - }; - - shack-correct = buildSimpleReaktorPlugin "shack-correct" { - path = [ pkgs.gnused ]; - pattern = "^(?P<args>.*Shack.*)$$"; - script = ./scripts/shack-correct.sh; - }; - - nixos-version = buildSimpleReaktorPlugin "nixos-version" { - script = pkgs.writeDash "nixos-version" '' - . /etc/os-release - echo "$PRETTY_NAME" - ''; - }; - stockholm-issue = buildSimpleReaktorPlugin "stockholm-issue" { - script = ./scripts/random-issue.sh; - path = with pkgs; [ git gnused haskellPackages.lentil ]; - env = { "origin" = "http://cgit.gum/stockholm"; }; - }; - - titlebot = - let - pypkgs = pkgs.python3Packages; - titlebot_cmds = pypkgs.buildPythonPackage { - name = "titlebot_cmds"; - propagatedBuildInputs = with pypkgs; [ setuptools ]; - src = pkgs.fetchurl { - url = "https://github.com/makefu/reaktor-titlebot/archive/2.1.0.tar.gz"; - sha256 = "0wvf09wmk8b52f9j65qrw81nwrhs9pfhijwrlkzp5l7l2q8cjkp6"; - }; - }; - in buildBaseReaktorPlugin rec { - name = "titlebot"; - phases = [ "installPhase" ]; - installPhase = '' - mkdir -p $out - ln -s ${titlebot_cmds}/* $out - ''; - config = '' - def titlebot_cmd(cmd): - from os import environ - return { 'capname': None, - 'env': { 'TITLEDB': - environ['state_dir']+'/suggestions.json' }, - 'pattern': '^\\.' + cmd + '\\s*(?:\\s+(?P<args>.*))?$$', - 'argv': [ '${titlebot_cmds}/bin/' + cmd ] } - for i in ['up','help','list','top','new']: - public_commands.insert(0,titlebot_cmd(i)) - commands.insert(0,titlebot_cmd('clear')) - ''; - }; - - url-title = (buildSimpleReaktorPlugin "url-title" { - pattern = "^.*(?P<args>http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+).*$$"; - path = with pkgs; [ curl perl ]; - script = pkgs.writePython3 "url-title" { deps = with pkgs.python3Packages; [ beautifulsoup4 lxml ]; } '' - import cgi - import sys - import urllib.request - from bs4 import BeautifulSoup - - try: - req = urllib.request.Request(sys.argv[1]) - req.add_header('user-agent', 'Reaktor-url-title') - resp = urllib.request.urlopen(req) - if resp.headers['content-type'].find('text/html') >= 0: - soup = BeautifulSoup(resp.read(16000), "lxml") - title = soup.find('title').string - - if len(title.split('\n')) > 5: - title = '\n'.join(title.split('\n')[:5]) - - print(title[:450]) - else: - cd_header = resp.headers['content-disposition'] - print(cgi.parse_header(cd_header)[1]['filename']) - except: # noqa: E722 - pass - ''; - }); - - task = name: let - rcFile = builtins.toFile "taskrc" '' - confirmation=no - ''; - in { - add = buildSimpleReaktorPlugin "${name}-task-add" { - pattern = "^${name}-add: (?P<args>.*)$$"; - script = pkgs.writeDash "${name}-add" '' - TASKDATA=$HOME/${name} ${pkgs.taskwarrior}/bin/task rc:${rcFile} add "$*" - ''; - }; - - list = buildSimpleReaktorPlugin "task-list" { - pattern = "^${name}-list"; - script = pkgs.writeDash "task-list" '' - TASKDATA=$HOME/${name} ${pkgs.taskwarrior}/bin/task rc:${rcFile} export | ${pkgs.jq}/bin/jq -r '.[] | select(.id != 0) | "\(.id) \(.description)"' - ''; - }; - - delete = buildSimpleReaktorPlugin "task-delete" { - pattern = "^${name}-delete: (?P<args>.*)$$"; - script = pkgs.writeDash "task-delete" '' - TASKDATA=$HOME/${name} ${pkgs.taskwarrior}/bin/task rc:${rcFile} delete "$*" - ''; - }; - - done = buildSimpleReaktorPlugin "task-done" { - pattern = "^${name}-done: (?P<args>.*)$$"; - script = pkgs.writeDash "task-done" '' - TASKDATA=$HOME/${name} ${pkgs.taskwarrior}/bin/task rc:${rcFile} done "$*" - ''; - }; - }; -} diff --git a/krebs/5pkgs/simple/Reaktor/scripts/tell-on_join.sh b/krebs/5pkgs/simple/Reaktor/scripts/tell-on_join.sh new file mode 100755 index 000000000..c21dc8776 --- /dev/null +++ b/krebs/5pkgs/simple/Reaktor/scripts/tell-on_join.sh @@ -0,0 +1,25 @@ +#! /bin/sh +set -euf + +# require flock from util-linux (pkgs.utillinux) +if test "${FLOCK-}" != "$state_file"; then + exec env FLOCK="$state_file" flock "$state_file" "$0" "$@" +fi + +# TODO tell now, if already joined +jq -r <"$state_file" \ + --arg to "$_from" \ + --arg msgtarget "$_msgtarget" \ + ' + select(.to == $to and .msgtarget == $msgtarget) | + "\(.to): \(.text) \u00032-- \(.from)\u00032 \(.date)" + ' + +jq -c <"$state_file" >"$state_file.tmp" \ + --arg to "$_from" \ + --arg msgtarget "$_msgtarget" \ + ' + select((.to == $to and .msgtarget == $msgtarget) | not) + ' + +mv "$state_file.tmp" "$state_file" diff --git a/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh b/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh new file mode 100755 index 000000000..fc05bdefb --- /dev/null +++ b/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh @@ -0,0 +1,18 @@ +#! /bin/sh +set -euf + +# require flock from util-linux +if test "${FLOCK-}" != "$state_file"; then + exec env FLOCK="$state_file" flock "$state_file" "$0" "$@" +fi + +# TODO tell now, if already joined +jq -cn \ + --arg from "$_from" \ + --arg to "${1%% *}" \ + --arg text "${1#* }" \ + --arg msgtarget "$_msgtarget" \ + '{ $from, $to, $text, $msgtarget, date: (now | todate) }' \ + >> "$state_file" + +echo 'Consider it noted.' # that's what lambdabot says... diff --git a/krebs/5pkgs/simple/cyberlocker-tools/default.nix b/krebs/5pkgs/simple/cyberlocker-tools/default.nix index d43be1d69..6e6563fb1 100644 --- a/krebs/5pkgs/simple/cyberlocker-tools/default.nix +++ b/krebs/5pkgs/simple/cyberlocker-tools/default.nix @@ -5,15 +5,19 @@ pkgs.symlinkJoin { (pkgs.writers.writeDashBin "cput" '' set -efu path=''${1:-$(hostname)} + path=$(echo "/$path" | sed -E 's:/+:/:') + url=http://c.r$path - ${pkgs.curl}/bin/curl -fSs --data-binary @- "http://c.r/$path" - echo "http://c.r/$path" + ${pkgs.curl}/bin/curl -fSs --data-binary @- "$url" + echo "$url" '') (pkgs.writers.writeDashBin "cdel" '' set -efu path=$1 + path=$(echo "/$path" | sed -E 's:/+:/:') + url=http://c.r$path - ${pkgs.curl}/bin/curl -f -X DELETE "http://c.r/$path" + ${pkgs.curl}/bin/curl -f -X DELETE "$url" '') ]; } diff --git a/krebs/5pkgs/simple/git-hooks/default.nix b/krebs/5pkgs/simple/git-hooks/default.nix index 0a2c84410..acf34ad69 100644 --- a/krebs/5pkgs/simple/git-hooks/default.nix +++ b/krebs/5pkgs/simple/git-hooks/default.nix @@ -12,6 +12,7 @@ with import <stockholm/lib>; , port ? 6667 , refs ? [] , server + , tls ? false , verbose ? false }: /* sh */ '' #! /bin/sh @@ -39,6 +40,7 @@ with import <stockholm/lib>; nick=${escapeShellArg nick} channel=${escapeShellArg channel} server=${escapeShellArg server} + tls=${escapeShellArg tls} port=${toString port} host=$nick @@ -114,6 +116,7 @@ with import <stockholm/lib>; "$port" \ "$nick" \ "$channel" \ + "$tls" \ "$message" fi ''; diff --git a/krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker b/krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker index 6c3ed6552..ab9c4e8e3 100644 --- a/krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker +++ b/krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker @@ -57,10 +57,7 @@ case "$Method $path" in mkdir -v -p $STATEDIR/items >&2 cp -v $content $item >&2 - - scheme=${req_x_forwarded_proto-http} - link=$scheme://$req_host/$path - + exit ;; 'GET /'*) item=$STATEDIR/items/$(echo "$path" | jq -rR @uri) diff --git a/krebs/5pkgs/simple/irc-announce/default.nix b/krebs/5pkgs/simple/irc-announce/default.nix index 52cf12862..5797b3667 100644 --- a/krebs/5pkgs/simple/irc-announce/default.nix +++ b/krebs/5pkgs/simple/irc-announce/default.nix @@ -17,7 +17,8 @@ pkgs.writeDashBin "irc-announce" '' IRC_PORT=$2 IRC_NICK=$3_$$ IRC_CHANNEL=$4 - message=$5 + IRC_TLS=$5 + message=$6 export IRC_CHANNEL # for privmsg_cat @@ -34,6 +35,8 @@ pkgs.writeDashBin "irc-announce" '' # privmsg_cat transforms stdin to a privmsg privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } + tls_flag() { if [ "$IRC_TLS" -eq 1 ]; then echo "-c"; fi } + # ircin is used to feed the output of netcat back to the "irc client" # so we can implement expect-like behavior with sed^_^ # XXX mkselfdestructingtmpfifo would be nice instead of this cruft @@ -51,6 +54,8 @@ pkgs.writeDashBin "irc-announce" '' echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)" echo2 "NICK $IRC_NICK" + awk 'match($0, /PING(.*)/, m) {print "PONG", m[1]; exit}' + # wait for MODE message sed -n '/^:[^ ]* MODE /q' @@ -67,5 +72,5 @@ pkgs.writeDashBin "irc-announce" '' echo2 'QUIT :Gone to have lunch' } < ircin \ - | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin + | nc $(tls_flag) "$IRC_SERVER" "$IRC_PORT" | tee -a ircin '' diff --git a/krebs/5pkgs/simple/reaktor2-plugins.nix b/krebs/5pkgs/simple/reaktor2-plugins.nix index 48464c0b6..4cd9e7d89 100644 --- a/krebs/5pkgs/simple/reaktor2-plugins.nix +++ b/krebs/5pkgs/simple/reaktor2-plugins.nix @@ -14,10 +14,6 @@ rec { commands = { - hello = { - filename = "${pkgs.Reaktor.src}/reaktor/commands/hello"; - }; - random-emoji = { filename = <stockholm/krebs/5pkgs/simple/Reaktor/scripts/random-emoji.sh>; env = { diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index d0d3cd82d..6b5f8ec8f 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "8d8a28b47b7c41aeb4ad01a2bd8b7d26986c3512", - "date": "2021-08-29T22:49:37+08:00", - "path": "/nix/store/vg29bg0awqam80djwz68ym0awvasrw6i-nixpkgs", - "sha256": "1s29nc3ppsjdq8kgbh8pc26xislkv01yph58xv2vjklkvsmz5pzm", + "rev": "09cd65b33c5653d7d2954fef4b9f0e718c899743", + "date": "2021-09-08T11:21:07-05:00", + "path": "/nix/store/h4hgs0aiaszmgqcwwhw7q10vqgvgbimf-nixpkgs", + "sha256": "1h696xv2wdl1859jcr0bmv0m0rfsq4vpc1vc0hg3msfsdnz0aixl", "fetchSubmodules": false, "deepClone": false, "leaveDotGit": false diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index 92ce9aa90..d0a011869 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json @@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "74d017edb6717ad76d38edc02ad3210d4ad66b96", - "date": "2021-08-27T16:58:49+02:00", - "path": "/nix/store/82jg1p0rlf7mkryjpdn0z6b95q4i9lnq-nixpkgs", - "sha256": "0wvz41izp4djzzr0a6x54hcm3xjr51nlj8vqghfgyrjpk8plyk4s", + "rev": "6120ac5cd201f6cb593d1b80e861be0342495be9", + "date": "2021-09-18T21:31:09+02:00", + "path": "/nix/store/g1a0swq7h7b24g4vkn3wr3d8rwjazfmv-nixpkgs", + "sha256": "04mrjxr1qsdcgcryx7yy72cgcw14c0770gfcgzrdfpnvmjdgbi9i", "fetchSubmodules": false, "deepClone": false, "leaveDotGit": false diff --git a/lass/1systems/coaxmetal/physical.nix b/lass/1systems/coaxmetal/physical.nix index 3632ffd3e..b033477fe 100644 --- a/lass/1systems/coaxmetal/physical.nix +++ b/lass/1systems/coaxmetal/physical.nix @@ -22,8 +22,6 @@ ]; hardware.opengl.extraPackages = [ pkgs.amdvlk ]; - # is required for amd graphics support ( xorg wont boot otherwise ) - boot.kernelPackages = pkgs.linuxPackages_latest; environment.variables.VK_ICD_FILENAMES = "/run/opengl-driver/share/vulkan/icd.d/amd_icd64.json"; @@ -47,7 +45,25 @@ services.logind.lidSwitch = "ignore"; services.logind.lidSwitchDocked = "ignore"; - boot.extraModprobeConfig = '' - options psmouse proto=imps + + # Mouse stuff + services.xserver.libinput.enable = lib.mkForce false; + services.xserver.synaptics.enable = true; + + services.xserver.displayManager.sessionCommands = '' + xinput disable 'ETPS/2 Elantech Touchpad' + xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation' 1 + xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Button' 2 + xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Axes' 6 7 4 5 ''; + + # https://forums.lenovo.com/t5/Fedora/T14s-AMD-Trackpoint-almost-unusable/m-p/5064952?page=4 + # https://bugzilla.kernel.org/show_bug.cgi?id=209167#c1 + boot.kernelPatches = [{ + name = "fix-trackpoint-jumping"; + patch = pkgs.fetchurl { + url = "https://patchwork.kernel.org/project/linux-input/patch/20210729010940.5752-1-phoenix@emc.com.tw/raw/"; + sha256 = "0apbf7c8w830dbdsrmxpip90d5zbg74a939x89jfgpvm5gbdqdjg"; + }; + }]; } diff --git a/lass/1systems/lasspi/config.nix b/lass/1systems/lasspi/config.nix new file mode 100644 index 000000000..9f823dfc8 --- /dev/null +++ b/lass/1systems/lasspi/config.nix @@ -0,0 +1,26 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +let +in +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + ]; + + krebs.build.host = config.krebs.hosts.lasspi; + + networking = { + networkmanager = { + enable = true; + }; + }; + environment.systemPackages = with pkgs; [ + vim + rxvt_unicode.terminfo + ]; + services.openssh.enable = true; + + system.stateVersion = "21.05"; +} diff --git a/lass/1systems/lasspi/physical.nix b/lass/1systems/lasspi/physical.nix new file mode 100644 index 000000000..80c459a95 --- /dev/null +++ b/lass/1systems/lasspi/physical.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: +{ + # This configuration worked on 09-03-2021 nixos-unstable @ commit 102eb68ceec + # The image used https://hydra.nixos.org/build/134720986 + imports = [ + ./config.nix + ]; + + boot = { + # kernelPackages = pkgs.linuxPackages_rpi4; + tmpOnTmpfs = true; + initrd.availableKernelModules = [ "usbhid" "usb_storage" ]; + # ttyAMA0 is the serial console broken out to the GPIO + kernelParams = [ + "8250.nr_uarts=1" + "console=ttyAMA0,115200" + "console=tty1" + # Some gui programs need this + "cma=128M" + ]; + }; + + boot.loader.raspberryPi = { + enable = true; + version = 4; + }; + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; + + # Required for the Wireless firmware + hardware.enableRedistributableFirmware = true; + + # Assuming this is installed on top of the disk image. + fileSystems = { + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + options = [ "noatime" ]; + }; + }; + + powerManagement.cpuFreqGovernor = "ondemand"; +} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 421afab2a..d43fb804a 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -7,11 +7,12 @@ with import <stockholm/lib>; <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/libvirt.nix> <stockholm/lass/2configs/tv.nix> + <stockholm/lass/2configs/websites/lassulus.nix> + <stockholm/lass/2configs/telegraf.nix> { services.nginx.enable = true; imports = [ <stockholm/lass/2configs/websites/domsen.nix> - <stockholm/lass/2configs/websites/lassulus.nix> ]; # needed by domsen.nix ^^ lass.usershadow = { @@ -275,19 +276,8 @@ with import <stockholm/lib>; { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} ]; } - { - services.murmur = { - enable = true; - bandwidth = 10000000; - registerName = "lassul.us"; - autobanTime = 30; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} - { predicate = "-p udp --dport 64738"; target = "ACCEPT";} - ]; - - } + <stockholm/lass/2configs/murmur.nix> + <stockholm/lass/2configs/docker.nix> { systemd.services."container@yellow".reloadIfChanged = mkForce false; containers.yellow = { diff --git a/lass/1systems/wizard/config.nix b/lass/1systems/wizard/config.nix index 8f9db7d3c..e158fa728 100644 --- a/lass/1systems/wizard/config.nix +++ b/lass/1systems/wizard/config.nix @@ -271,7 +271,7 @@ in { message = "lassulus: torify sshn root@"; }; systemd.services.hidden-ssh-announce.wantedBy = mkForce []; - services.mingetty.autologinUser = lib.mkForce "root"; + services.getty.autologinUser = lib.mkForce "root"; nixpkgs.config.packageOverrides = super: { dmenu = pkgs.writeDashBin "dmenu" '' diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 655e7912f..23eaa2802 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -10,14 +10,7 @@ in { ./urxvt.nix ./xdg-open.nix ./yubikey.nix - { - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - security.rtkit.enable = true; - sound.enableOSSEmulation = false; - } + ./pipewire.nix ./xmonad.nix { krebs.per-user.lass.packages = [ @@ -50,7 +43,7 @@ in { } ]; - users.extraUsers.mainUser.extraGroups = [ "audio" "video" ]; + users.users.mainUser.extraGroups = [ "audio" "video" ]; time.timeZone = "Europe/Berlin"; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index adfeef19d..eb38d0e97 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -117,6 +117,7 @@ with import <stockholm/lib>; iftop tcpdump mosh + sshify #stuff for dl aria2 diff --git a/lass/2configs/docker.nix b/lass/2configs/docker.nix new file mode 100644 index 000000000..2bc3a2361 --- /dev/null +++ b/lass/2configs/docker.nix @@ -0,0 +1,6 @@ +{ pkgs, lib, config, ... }: +{ + systemd.services.krebs-iptables.serviceConfig.ExecStartPost = pkgs.writeDash "kick_docker" '' + ${pkgs.systemd}/bin/systemctl restart docker.service + ''; +} diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix new file mode 100644 index 000000000..9f325d0af --- /dev/null +++ b/lass/2configs/murmur.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: +{ + services.murmur = { + enable = true; + bandwidth = 10000000; + registerName = "lassul.us"; + autobanTime = 30; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} + { predicate = "-p udp --dport 64738"; target = "ACCEPT";} + ]; + + systemd.services.docker-mumble-web.serviceConfig = { + StandardOutput = lib.mkForce "journal"; + StandardError = lib.mkForce "journal"; + }; + virtualisation.oci-containers.containers.mumble-web = { + image = "rankenstein/mumble-web"; + environment = { + MUMBLE_SERVER = "lassul.us:64738"; + }; + ports = [ + "64739:8080" + ]; + }; + + services.nginx.virtualHosts."mumble.lassul.us" = { + enableACME = true; + forceSSL = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:64739/; + proxy_set_header Accept-Encoding ""; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''; + }; +} diff --git a/lass/2configs/pipewire.nix b/lass/2configs/pipewire.nix new file mode 100644 index 000000000..8fdcff4e3 --- /dev/null +++ b/lass/2configs/pipewire.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: +# TODO test `alsactl init` after suspend to reinit mic +{ + security.rtkit.enable = true; + + hardware.bluetooth = { + enable = true; + powerOnBoot = true; + }; + + # autostart with login + systemd.user.services.pipewire-pulse = { + wantedBy = [ "graphical-session.target" ]; + }; + + environment.systemPackages = with pkgs; [ + alsaUtils + pulseaudioLight + ]; + + environment.variables.PULSE_SERVER = "localhost:4713"; + services.pipewire = { + enable = true; + socketActivation = false; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + # https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Migrate-PulseAudio#module-native-protocol-tcp + config.pipewire-pulse = { + "context.properties" = { + "log.level" = 2; + }; + "context.modules" = [ + { + name = "libpipewire-module-rtkit"; + # args = { + # "nice.level" = -15; + # "rt.prio" = 88; + # "rt.time.soft" = 200000; + # "rt.time.hard" = 200000; + # }; + flags = [ "ifexists" "nofail" ]; + } + { name = "libpipewire-module-protocol-native"; } + { name = "libpipewire-module-client-node"; } + { name = "libpipewire-module-adapter"; } + { name = "libpipewire-module-metadata"; } + { + name = "libpipewire-module-protocol-pulse"; + args = { + "vm.overrides" = { + # "pulse.min.req" = "32/48000"; + # "pulse.default.req" = "32/48000"; + # "pulse.max.req" = "32/48000"; + "pulse.min.quantum" = "1024/48000"; + # "pulse.max.quantum" = "32/48000"; + }; + "server.address" = [ + "unix:native" + "tcp:4713" + ]; + }; + } + ]; + "stream.properties" = { + # "node.latency" = "32/48000"; + # "resample.quality" = 1; + }; + }; + }; +} diff --git a/lass/2configs/telegraf.nix b/lass/2configs/telegraf.nix new file mode 100644 index 000000000..4f46cd721 --- /dev/null +++ b/lass/2configs/telegraf.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: +let + isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules; +in { + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 9273"; target = "ACCEPT"; } + ]; + + systemd.services.telegraf.path = [ pkgs.nvme-cli ]; + + services.telegraf = { + enable = true; + extraConfig = { + agent.interval = "60s"; + inputs = { + prometheus.metric_version = 2; + kernel_vmstat = { }; + # smart = lib.mkIf (!isVM) { + # path = pkgs.writeShellScript "smartctl" '' + # exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" + # ''; + # }; + system = { }; + mem = { }; + file = [{ + data_format = "influx"; + file_tag = "name"; + files = [ "/var/log/telegraf/*" ]; + }] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { + name_override = "ext4_errors"; + files = [ "/sys/fs/ext4/*/errors_count" ]; + data_format = "value"; + }; + exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) { + ## Commands array + commands = [ + (pkgs.writeScript "zpool-health" '' + #!${pkgs.gawk}/bin/awk -f + BEGIN { + while ("${pkgs.zfs}/bin/zpool status" | getline) { + if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 } + if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } + if ($1 ~ /errors:/) { + if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 + } + } + } + '') + ]; + data_format = "influx"; + }; + systemd_units = { }; + swap = { }; + disk.tagdrop = { + fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ]; + device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ]; + }; + diskio = { }; + }; + outputs.prometheus_client = { + listen = ":9273"; + metric_version = 2; + }; + }; + }; +} diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index e603f49da..40f67537e 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -28,6 +28,7 @@ in { (servePage [ "aldonasiech.com" "www.aldonasiech.com" ]) (servePage [ "apanowicz.de" "www.apanowicz.de" ]) (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) + (servePage [ "illustra.de" "www.illustra.de" ]) (servePage [ "freemonkey.art" "www.freemonkey.art" @@ -81,6 +82,7 @@ in { "o_ubikmedia_de" ]; + services.phpfpm.phpPackage = pkgs.php73; services.phpfpm.phpOptions = '' sendmail_path = ${sendmail} -t upload_max_filesize = 100M @@ -88,12 +90,18 @@ in { file_uploads = on ''; + krebs.secret.files.nextcloud_pw = { + path = "/run/nextcloud.pw"; + owner.name = "nextcloud"; + group-name = "nextcloud"; + source-path = toString <secrets> + "/nextcloud_pw"; + }; services.nextcloud = { enable = true; hostName = "o.xanf.org"; - package = pkgs.nextcloud20; + package = pkgs.nextcloud21; config = { - adminpassFile = toString <secrets> + "/nextcloud_pw"; + adminpassFile = "/run/nextcloud.pw"; overwriteProtocol = "https"; }; https = true; @@ -178,7 +186,7 @@ in { group = "xanf"; home = "/home/xanf"; useDefaultShell = true; - createHome = true; + createHome = false; # creathome forces permissions isNormalUser = true; }; @@ -291,6 +299,24 @@ in { isNormalUser = true; }; + users.users.movematchers = { + uid = genid_uint31 "movematchers"; + home = "/home/movematchers"; + useDefaultShell = true; + extraGroups = [ "xanf" ]; + createHome = true; + isNormalUser = true; + }; + + users.users.blackphoton = { + uid = genid_uint31 "blackphoton"; + home = "/home/blackphoton"; + useDefaultShell = true; + extraGroups = [ "xanf" ]; + createHome = true; + isNormalUser = true; + }; + users.groups.xanf = {}; krebs.on-failure.plans.restic-backups-domsen = { @@ -332,14 +358,14 @@ in { ''; krebs.permown = { - "/backups/domsen" = { - owner = "backup"; + "/srv/http" = { group = "syncthing"; + owner = "nginx"; umask = "0007"; }; - "/srv/http" = { - owner = "syncthing"; - group = "nginx"; + "/home/xanf/XANF_TEAM" = { + owner = "XANF_TEAM"; + group = "xanf"; umask = "0007"; }; }; diff --git a/lass/5pkgs/proxychains-ng/default.nix b/lass/5pkgs/proxychains-ng/default.nix new file mode 100644 index 000000000..488293f7c --- /dev/null +++ b/lass/5pkgs/proxychains-ng/default.nix @@ -0,0 +1,16 @@ +{ lib +, stdenv +, fetchFromGitHub +}: + +stdenv.mkDerivation rec { + pname = "proxychains-ng"; + version = "4.15"; + + src = fetchFromGitHub { + owner = "rofl0r"; + repo = pname; + rev = "v${version}"; + sha256 = "128d502y8pn7q2ls6glx9bvibwzfh321sah5r5li6b6iywh2zqlc"; + }; +} diff --git a/lass/5pkgs/sshify/default.nix b/lass/5pkgs/sshify/default.nix new file mode 100644 index 000000000..aba0ab6bb --- /dev/null +++ b/lass/5pkgs/sshify/default.nix @@ -0,0 +1,38 @@ +{ pkgs }: +pkgs.writers.writeBashBin "sshify" '' + set -efu + + TMPDIR=$(mktemp -d) + + SSH_ARGS=() + + while [[ "$#" -gt 0 ]]; do + case $1 in + --) + shift + break + ;; + *) + SSH_ARGS+=($1) + ;; + esac + shift + done + + if [[ "$#" -le 0 ]]; then + echo no command specified + exit 1 + fi + + RANDOM_HIGH_PORT=$(shuf -i 20000-65000 -n 1) + + cat << EOF >$TMPDIR/proxychains.conf + [ProxyList] + socks4 127.0.0.1 $RANDOM_HIGH_PORT + EOF + + ssh -fNM -S "$TMPDIR/socket" -D "$RANDOM_HIGH_PORT" "''${SSH_ARGS[@]}" + trap "ssh -S $TMPDIR/socket -O exit bla 2>/dev/null; rm -rf $TMPDIR >&2" EXIT + + ${pkgs.proxychains-ng}/bin/proxychains4 -q -f "$TMPDIR/proxychains.conf" "$@" +'' diff --git a/makefu/0tests/data/secrets/mediawikibot-config.json b/makefu/0tests/data/secrets/mediawikibot-config.json new file mode 100644 index 000000000..0967ef424 --- /dev/null +++ b/makefu/0tests/data/secrets/mediawikibot-config.json @@ -0,0 +1 @@ +{} diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 1cfa8e4a4..2a1d39c04 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -23,6 +23,8 @@ in { } <stockholm/makefu/2configs/nur.nix> <stockholm/makefu/2configs/support-nixos.nix> + <stockholm/makefu/2configs/nix-community/mediawiki-matrix-bot.nix> + <stockholm/makefu/2configs/nix-community/supervision.nix> <stockholm/makefu/2configs/home-manager> <stockholm/makefu/2configs/home-manager/cli.nix> # <stockholm/makefu/2configs/stats/client.nix> @@ -182,7 +184,7 @@ in { <stockholm/makefu/2configs/virtualisation/libvirt.nix> # krebs infrastructure services - <stockholm/makefu/2configs/stats/server.nix> + # <stockholm/makefu/2configs/stats/server.nix> ]; makefu.dl-dir = "/var/download"; diff --git a/makefu/2configs/nix-community/mediawiki-matrix-bot.nix b/makefu/2configs/nix-community/mediawiki-matrix-bot.nix new file mode 100644 index 000000000..6dff64121 --- /dev/null +++ b/makefu/2configs/nix-community/mediawiki-matrix-bot.nix @@ -0,0 +1,23 @@ +{ pkgs, ... }: +let + seccfg = toString <secrets/mediawikibot-config.json>; + statecfg = "/var/lib/mediawiki-matrix-bot/config.json"; +in { + systemd.services.mediawiki-matrix-bot = { + description = "Mediawiki Matrix Bot"; + after = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Restart = "always"; + RestartSec = "60s"; + DynamicUser = true; + StateDirectory = "mediawiki-matrix-bot"; + PermissionsStartOnly = true; + ExecStartPre = pkgs.writeDash "mediawikibot-copy-config" '' + install -D -m644 ${seccfg} ${statecfg} + ''; + ExecStart = "${pkgs.mediawiki-matrix-bot}/bin/mediawiki-matrix-bot ${statecfg}"; + PrivateTmp = true; + }; + }; +} diff --git a/makefu/2configs/nix-community/supervision.nix b/makefu/2configs/nix-community/supervision.nix new file mode 100644 index 000000000..f648b9c17 --- /dev/null +++ b/makefu/2configs/nix-community/supervision.nix @@ -0,0 +1,82 @@ +{ config, lib, pkgs, ... }: +let + isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules; + port = "9273"; +in { + + networking.firewall.extraCommands = '' + iptables -A INPUT -i retiolum -p tcp --dport ${port} -j ACCEPT + ''; + + services.telegraf = { + enable = true; + extraConfig = { + agent.interval = "60s"; + inputs = { + prometheus.metric_version = 2; + kernel_vmstat = { }; + smart = lib.mkIf (!isVM) { + path = pkgs.writeShellScript "smartctl" '' + exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" + ''; + }; + system = { }; + mem = { }; + file = [{ + data_format = "influx"; + file_tag = "name"; + files = [ "/var/log/telegraf/*" ]; + }] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { + name_override = "ext4_errors"; + files = [ "/sys/fs/ext4/*/errors_count" ]; + data_format = "value"; + }; + exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) { + ## Commands array + commands = [ + (pkgs.writeScript "zpool-health" '' + #!${pkgs.gawk}/bin/awk -f + BEGIN { + while ("${pkgs.zfs}/bin/zpool status" | getline) { + if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 } + if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } + if ($1 ~ /errors:/) { + if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 + } + } + } + '') + ]; + data_format = "influx"; + }; + systemd_units = { }; + swap = { }; + disk.tagdrop = { + fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ]; + device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ]; + }; + diskio = { }; + }; + outputs.prometheus_client = { + listen = ":${port}"; + metric_version = 2; + }; + }; + }; + + security.sudo.extraRules = lib.mkIf (!isVM) [{ + users = [ "telegraf" ]; + commands = [{ + command = "${pkgs.smartmontools}/bin/smartctl"; + options = [ "NOPASSWD" ]; + }]; + }]; + # avoid logging sudo use + security.sudo.configFile = '' + Defaults:telegraf !syslog,!pam_session + ''; + # create dummy file to avoid telegraf errors + systemd.tmpfiles.rules = [ + "f /var/log/telegraf/dummy 0444 root root - -" + ]; +} diff --git a/makefu/2configs/tools/dev.nix b/makefu/2configs/tools/dev.nix index ac6d91e85..36f867559 100644 --- a/makefu/2configs/tools/dev.nix +++ b/makefu/2configs/tools/dev.nix @@ -33,6 +33,7 @@ cac-api cac-panel krebszones + cyberlocker-tools ovh-zone gen-oath-safe cdrtools diff --git a/makefu/5pkgs/chitubox/default.nix b/makefu/5pkgs/chitubox/default.nix index bea33e64f..d0596e700 100644 --- a/makefu/5pkgs/chitubox/default.nix +++ b/makefu/5pkgs/chitubox/default.nix @@ -4,26 +4,26 @@ , libpulseaudio , xlibs , gst_all_1 -, kerberos +, krb5 , alsaLib }: # via https://raw.githubusercontent.com/simon-the-sourcerer-ab/chitubox/main/default.nix stdenv.mkDerivation rec { pname = "chitubox"; - version = "1.8.1"; + version = "1.9.0"; src = builtins.fetchTarball { #url = "https://sac.chitubox.com/software/download.do?softwareId=17839&softwareVersionId=v${version}&fileName=CHITUBOX_V${version}.tar.gz"; url = "https://archive.org/download/chitubox-v-1.8.1.tar/CHITUBOX_V${version}.tar.gz"; - sha256 = "08fh8w7s5qvlx6bhdg24g81a7zprq7n8m27w2vdv0cd8j0wixbsx"; + sha256 = "1ywcizxdkwlhi8z3jshl3b6ha8iwibssxh8fk7s32h3z8vl8zcl7"; }; nativeBuildInputs = [ autoPatchelfHook ]; buildInputs = with xlibs; [ stdenv.cc.cc.lib libglvnd libgcrypt zlib glib fontconfig freetype libdrm - libxkbcommon libpulseaudio kerberos alsaLib + libxkbcommon libpulseaudio alsaLib xcbutilwm xcbutilimage xcbutilrenderutil xcbutilkeysyms - gst_all_1.gst-plugins-base gst_all_1.gstreamer + gst_all_1.gst-plugins-base gst_all_1.gstreamer krb5 ]; buildPhase = '' diff --git a/makefu/5pkgs/custom/mediawiki-matrix-bot/default.nix b/makefu/5pkgs/custom/mediawiki-matrix-bot/default.nix new file mode 100644 index 000000000..4a91a9161 --- /dev/null +++ b/makefu/5pkgs/custom/mediawiki-matrix-bot/default.nix @@ -0,0 +1,22 @@ +{ buildPythonApplication, fetchFromGitHub, feedparser, matrix-nio, docopt, aiohttp, aiofiles, +mypy }: + +buildPythonApplication rec { + pname = "mediawiki-matrix-bot"; + version = "1.0.0"; + src = fetchFromGitHub { + owner = "nix-community"; + repo = "mediawiki-matrix-bot"; + rev = "v${version}"; + sha256 = "1923097j1xh34jmm0zhmvma614jcxaagj89c1fc1j2qyv14ybsvs"; + }; + propagatedBuildInputs = [ + feedparser matrix-nio docopt aiohttp aiofiles + ]; + nativeBuildInputs = [ + mypy + ]; + checkPhase = '' + mypy --strict mediawiki_matrix_bot + ''; +} diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index 756734b65..2d54455e6 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix @@ -41,6 +41,7 @@ in { inherit (callPackage ./devpi {}) devpi-web ; nodemcu-uploader = super.pkgs.callPackage ./nodemcu-uploader {}; liveproxy = super.pkgs.python3Packages.callPackage ./custom/liveproxy {}; + mediawiki-matrix-bot = super.pkgs.python3Packages.callPackage ./custom/mediawiki-matrix-bot {}; hydra-check = super.pkgs.python3Packages.callPackage ./custom/hydra-check {}; pwqgen-ger = super.pkgs.passwdqc-utils.override { wordset-file = super.pkgs.fetchurl { |