-rw-r--r--krebs/2configs/ircd.nix6
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/external/mic92.nix108
-rw-r--r--krebs/3modules/fetchWallpaper.nix2
-rw-r--r--krebs/3modules/krebs/default.nix2
-rw-r--r--krebs/3modules/lass/default.nix98
-rw-r--r--krebs/3modules/solanum.nix104
-rw-r--r--krebs/3modules/sync-containers.nix2
-rw-r--r--krebs/3modules/tinc.nix5
-rw-r--r--krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker14
-rw-r--r--krebs/5pkgs/simple/nomads-cloud/default.nix8
-rw-r--r--krebs/nixpkgs-unstable.json9
-rw-r--r--krebs/nixpkgs.json9
-rw-r--r--lass/1systems/blue/source.nix2
-rw-r--r--lass/1systems/coaxmetal/config.nix2
-rw-r--r--lass/1systems/coaxmetal/source.nix21
-rw-r--r--lass/1systems/echelon/config.nix3
-rw-r--r--lass/1systems/green/source.nix5
-rw-r--r--lass/1systems/morpheus/config.nix29
-rw-r--r--lass/1systems/morpheus/physical.nix44
-rw-r--r--lass/1systems/prism/config.nix11
-rw-r--r--lass/1systems/prism/physical.nix6
-rw-r--r--lass/1systems/red/config.nix28
-rw-r--r--lass/1systems/red/physical.nix7
-rw-r--r--lass/1systems/uriel/config.nix47
-rw-r--r--lass/1systems/uriel/physical.nix59
-rw-r--r--lass/2configs/bepasty.nix44
-rw-r--r--lass/2configs/default.nix2
-rw-r--r--lass/2configs/green-host.nix10
-rw-r--r--lass/2configs/mpv.nix7
-rw-r--r--lass/2configs/murmur.nix13
-rw-r--r--lass/2configs/pass.nix8
-rw-r--r--lass/2configs/prism-mounts/samba.nix15
-rw-r--r--lass/2configs/ts3.nix19
-rw-r--r--lass/2configs/vim.nix14
-rw-r--r--lass/2configs/websites/domsen.nix19
-rw-r--r--lass/3modules/klem.nix2
-rw-r--r--lass/krops.nix2
38 files changed, 243 insertions, 544 deletions
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index d26aa5962..904878731 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -1,13 +1,13 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
{
networking.firewall.allowedTCPPorts = [
6667 6669
];
- systemd.services.solanum.serviceConfig.LimitNOFILE = 16384;
+ systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384;
- krebs.solanum = {
+ services.solanum = {
enable = true;
motd = ''
hello
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 149995a23..24b17487b 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -50,7 +50,6 @@ let
./secret.nix
./setuid.nix
./shadow.nix
- ./solanum.nix
./sync-containers.nix
./tinc.nix
./tinc_graphs.nix
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 3ef693290..b4e046303 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -256,6 +256,10 @@ in {
okelmann = {
owner = config.krebs.users.mic92;
nets.retiolum = {
+ addrs = [
+ config.krebs.hosts.okelmann.nets.retiolum.ip4.addr
+ config.krebs.hosts.okelmann.nets.retiolum.ip6.addr
+ ];
ip4.addr = "10.243.29.190";
aliases = [
"okelmann.r"
@@ -275,6 +279,10 @@ in {
aendernix = {
owner = config.krebs.users.mic92;
nets.retiolum = {
+ addrs = [
+ config.krebs.hosts.aendernix.nets.retiolum.ip4.addr
+ config.krebs.hosts.aendernix.nets.retiolum.ip6.addr
+ ];
ip4.addr = "10.243.29.172";
aliases = [
"aendernix.r"
@@ -296,6 +304,30 @@ in {
'';
};
};
+ aenderpad = {
+ owner = config.krebs.users.mic92;
+ nets.retiolum = {
+ addrs = [
+ config.krebs.hosts.aenderpad.nets.retiolum.ip4.addr
+ config.krebs.hosts.aenderpad.nets.retiolum.ip6.addr
+ ];
+ ip4.addr = "10.243.29.201";
+ aliases = [
+ "aendernix.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAvHSVUd6/5P2rK3s9iQhVrxkjufDIi0Kn04iVB4Z0TpUvnmFAP+Hv
+ d7umo95lNkAPL9c3byv4ooQjOskrp7GmgQRijLUvJSAZ9FBVWPAjMXs+gk9oJnQj
+ 6bovXJ3DurmW3h1ZRmkWn256j7g8lEMtf5LGFxs9Bwi4wqZTbI6DzTQhmNm76Spb
+ 2UMSzr9kDcNj5r6LDhDKEDtx4P1Opshgsf9AusV81N5nqDcvAYsvEqYoPvjKIPwF
+ 5jtfHY7hM7SdYoVgdAY8RFH7xuRkLQW4LBxPKjP3pEQPCgXcuEELm33PGr+w/vhC
+ jxeyKP+uSeuBBMSatTWG3kU8W2LxVML65QIDAQAB
+ -----END RSA PUBLIC KEY-----
+ Ed25519PublicKey = jC2UzKiUtWUlZF2ET88qM+Ot+GpoWxFFfpi8TCCr0uM
+ '';
+ };
+ };
dimitra = {
owner = config.krebs.users.mic92;
nets.retiolum = {
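Review bot: The new `aenderpad` host declares `aliases = [ "aendernix.r" ]`, the same alias the `aendernix` entry in the previous hunk uses, so two hosts with different addresses (10.243.29.201 and 10.243.29.172) claim one name. If these aliases feed the generated hosts file or name resolution for the VPN, which this hunk does not show, traffic meant for aendernix could reach the new machine instead. The line should presumably read `"aenderpad.r"`.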
@@ -761,5 +793,81 @@ in {
};
};
};
+
+
+ ryan = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ retiolum = {
+ addrs = [
+ config.krebs.hosts.ryan.nets.retiolum.ip4.addr
+ config.krebs.hosts.ryan.nets.retiolum.ip6.addr
+ ];
+ ip4.addr = "10.243.29.198";
+ aliases = [ "ryan.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA0RE5jmBiEGmaYLVFmpCyVvlb6K3Zh2uxh7sVm44k31d9PEHHm4Wz
+ HQH+ueaefGVu19xLRJQGu4ZMl7oRbb5awiqKdSGgInhQaNzxUIHW4cCCdOVkgZSy
+ NjI9LMcc8tQtkoFGt6OhAzaViuGMo+aJAkLuXNf8hz5uR2flqQEeKfG5Kc7Z1DAQ
+ QNoBRtY0pltyK2y/Ip8cZ9cdxR5oLww67ykhY+eLy9tZLfKs6uWSq+2CV0cpNNQ9
+ Sh8fSbkjb4+JkxWAHDOyAnwFxnxstMcW0cscOW7nXYDi5IpvvesJlk698un7bLhm
+ vCkAd+WiNuTGfs9t0r6FDDVDREBhNk1sLwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ Ed25519PublicKey = sOD149OLZ2yUEjRpwbGdwHULKF2qNY3F+9AsEi1G0ZM
+ '';
+ };
+ };
+ };
+
+ graham = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ retiolum = {
+ addrs = [
+ config.krebs.hosts.graham.nets.retiolum.ip4.addr
+ config.krebs.hosts.graham.nets.retiolum.ip6.addr
+ ];
+ ip4.addr = "10.243.29.199";
+ aliases = [ "graham.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAtnM8VqFlEPLPYfKOZvN4kKklrVEyX4WewlqHO8vtxML9ND5BHCdn
+ UeRsThvbKVRqEvZLTAXKClZRYVr2IroHqfx0euTq3FYTUbNNQ4KgcFAfLKWoxGfK
+ HsQbYpS93/sUtmhRBGcgXPnEkE6yqvFBXxcmB1QqdmgYKdY2Gtikwrv/5hb4AlNe
+ /gyzKGtAKYogspLI6EpEwlD9CGDNIUPJ4uQ56gDhV/qtyMSE6X0igSSVZayDc+x1
+ InPkH90xsa0/uXjYDnXNdMguLArGkRzMhd6DzK4vEaPFIX59yMX+tEj46rGY7xAI
+ gUZUI2codqY5Z93W5GC+ws34y0bpfeMMWwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ Ed25519PublicKey = xMJNMMXZRCbWkN9CzLFohkGUK54dPcrrosFD7xgIFXA
+ '';
+ };
+ };
+ };
+
+ maurice = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ retiolum = {
+ addrs = [
+ config.krebs.hosts.maurice.nets.retiolum.ip4.addr
+ config.krebs.hosts.maurice.nets.retiolum.ip6.addr
+ ];
+ ip4.addr = "10.243.29.200";
+ aliases = [ "maurice.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAsLKBfPtZkjWGu6uitCV+4c5aQox2t4N8XNhY2mqE806XsYrqAC+y
+ d0oLOxRMUjfh9stDnEW/YRoLEKz9oZdRYd4eenP0Q3c3HdRFDBNCs27M5a8ysqZD
+ 5w9+B+9OfUmMv61NyKiaR6WtoGbE849cj1UNk1z04elshfU7h829D8QnD4j1A1gf
+ bOaNG+RzOP6qP/6Q30rxAiTxRPi+FhcHvxa33y1ZVobvnfGcJa+AzsTbgH9T9Yob
+ GuXFZvuQVSyWOLOgY/vVml904q8gScMpBesAsZJ7DEXxSTga0Rt99Ti3d9ABwBI5
+ 1YabQlGLaAkrj3PMgrDyayzGBDDDva9fEQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ Ed25519PublicKey = pkMuJ4kbyleQAdau+sfmLtzTuUy7uL+wwcgV/GWC7/N
+ '';
+ };
+ };
+ };
};
}
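Review bot: `nets = rec {` in the `ryan`, `graham` and `maurice` entries makes the set recursive although nothing inside refers to a sibling attribute; the `addrs` lists go through `config.krebs.hosts.<name>` instead. Plain `nets.retiolum = {`, as the entries earlier in the file use, reads the same and avoids accidental self-reference later. The `addrs` lists also reference `ip6.addr`, which none of the three entries sets in the visible lines, so that value presumably comes from a module default; a one-line comment saying so would help the next reader.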
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index 852c8f630..dc0133a63 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -55,10 +55,12 @@ let
name = "fetchWallpaper";
uid = genid_uint31 "fetchWallpaper";
description = "fetchWallpaper user";
+ group = "fetchWallpaper";
home = cfg.stateDir;
createHome = true;
isSystemUser = true;
};
+ users.groups.fetchWallpaper = {};
systemd.timers.fetchWallpaper = {
description = "fetch wallpaper timer";
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index c05409fe9..ec499d63d 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -105,6 +105,7 @@ in {
"go.r"
"rss.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9PY6t6P1ytgo8qYL2QDc
@@ -165,6 +166,7 @@ in {
"build.puyak.r"
"cgit.puyak.r"
];
+ tinc.port = 0;
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 3419d806c..95669c243 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -48,6 +48,7 @@ in {
jitsi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
mumble 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ mail 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
};
nets = rec {
@@ -122,33 +123,6 @@ in {
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
syncthing.id = "QITFKYQ-VEPIPL2-AZIXHMD-BBT62ML-YHSB35A-BSUIBXS-QYMPFHW-M7XN2QU";
};
- uriel = {
- monitoring = false;
- cores = 1;
- nets = {
- retiolum = {
- ip4.addr = "10.243.81.176";
- ip6.addr = r6 "1e1";
- aliases = [
- "uriel.r"
- ];
- tinc.port = 0;
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR
- duJkk8Fj12ftMc+Of1gnwDkFhRcfAKOeH1RSc4CTircWVq99WyecTwEZoaR/goQb
- MND022kIBoG6NQNxv1Y5I1B/h7hfloMFEPym9oFtOAXoGhBY2vVl4g64NNz+RLME
- m1RipLXKANAh6LRNPGPQCUYX4TVY2ZJVxM3CM1XdomUAdOYXJmWFyUg9NcIKaacx
- uRrmuy7J9yFBcihZX5Y7NV361kINrpRmZYxJRf9cr0hb5EkJJ7bMIKQMEFQ5RnYo
- u7MPGKD7aNHa6hLLCeIfJ5u0igVmSLh3pwIDAQAB
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBryIo/Waw8SWvlQ0+5I+Bd/dJgcMd6iPXtELS6gQXoc";
- secure = true;
- };
mors = {
cores = 2;
nets = {
@@ -418,38 +392,6 @@ in {
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
syncthing.id = "EA76ZHP-DF2I3CJ-NNTFEUH-YGPQK5S-T7FQ6JA-BNQQUNC-GF2YL46-CKOZCQM";
};
- red = {
- monitoring = false;
- cores = 1;
- nets = {
- retiolum = {
- ip4.addr = "10.243.0.13";
- ip6.addr = r6 "12ed";
- aliases = [
- "red.r"
- ];
- tinc.port = 0;
- tinc.pubkey = ''
- -----BEGIN PUBLIC KEY-----
- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG
- 4/cqsjvHlffAN8jYDq+GImgREvbiLlFhhHgxwKh0gcDTR8P1xX/00P3/fx/g5bRF
- Te7LZT2AFmVFFFfx1n9NBweN/gG2/hzB9J8epbWLNT+RzpzHuAoREvDZ+jweSXaI
- phdmQY2s36yrR3TAShqq0q4cwlXuHT00J+InDutM0mTftBQG/fvYkBhHOfq4WSY0
- FeMK7DTKNbsqQiKKQ/kvWi7KfTW0F0c7SDpi7BLwbQzP2WbogtGy9MIrw9ZhE6Ox
- TVdAksPKw0TlYdb16X/MkbzBqTYbxFlmWzpMJABMxIVwAfQx3ZGYvJDdDXmQS2qa
- mDN2xBb/5pj3fbfp4wbwWlRVSd/AJQtRvaNY24F+UsRJb0WinIguDI6oRZx7Xt8w
- oYirKqqq1leb3EYUt8TMIXQsOw0/Iq+JJCwB+ZyLLGVNB19XOxdR3RN1JYeZANpE
- cMSS3SdFGgZ//ZAdhIN5kw9yMeKo6Rnt+Vdz3vZWTuSVp/xYO3IMGXNGAdIWIwrJ
- 7fwSl/rfXGG816h0sD46U0mxd+i68YOtHlzOKe+vMZ4/FJZYd/E5/IDQluV8HLwa
- 5lODfZXUmfStdV+GDA9KVEGUP5xSkC3rMnir66NgHzKpIL002/g/HfGu7O3MrvpW
- ng7AMvRv5vbsYcJBj2HUhKUCAwEAAQ==
- -----END PUBLIC KEY-----
- '';
- };
- };
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp";
- };
yellow = {
cores = 1;
nets = {
@@ -583,44 +525,6 @@ in {
ci = false;
syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ";
};
- morpheus = {
- cores = 1;
- nets = {
- retiolum = {
- ip4.addr = "10.243.0.19";
- ip6.addr = r6 "012f";
- aliases = [
- "morpheus.r"
- ];
- tinc.port = 0;
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY
- T7yWiKaUuBJThWged9PdPltLUEMmv+ubQqpWHZq442VWSS36r1yMSGpUeKK+oYMN
- /Sfu+1yC4m2uXno95wpJZIcDfbbn26jT6ldJ4Yd97zyrXKljvcdrz3wZzQq0tojh
- S5Q59x/aQMJbnQpnlFnMIEVgULuFPW16+vPGsXIPdYNggaF1avcBaFl8i3M0EZVz
- Swn4hArDynDJhR7M0QdlwOpOh7O+1iOnmXqqei3LxMVHb+YtzfHgxOPxggUsy7CR
- bj9uBR9loGwgmZwaxXd1Vfbw8kn/feOb9FcW73u+SZyzwEA9HFRV0jGQe3P9mGfI
- Bwe02DOTVXEB8jTAGCw5T3bXLIOX8kqdlCECuAWFfrt8H+GjZDuGUWRcMn32orMz
- sMvkab95ZOHK6Q31mrhILOIOdyZWKPZIabL3HF6CZtu52h6MDHbmGS0w0OJYhj2+
- VnT9ZBoaeooVg8QOE43rCXvmL5vzhLKrj4s/53wTGG5SpzLs9Q9rrJVgAnz4YQ7j
- 3Ov5q3Zxyr+vO6O7Pb5X49vCQw/jzK41S0/15GEmKcoxXemzeZCpX1mbeeTUtLvA
- U7OJwldrElzictBJ1gT94L4BDvoGZVqAkXJCJPamfsWaiw6SsMqtTfECAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
- };
- wiregrill = {
- ip6.addr = w6 "012f";
- aliases = [
- "morpheus.w"
- ];
- wireguard.pubkey = "BdiIHJjJQThmZD8DehxPGA+bboBHjljedwaRaV5yyDY=";
- };
- };
- ssh.privkey.path = <secrets/ssh.id_ed25519>;
- ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f ";
- syncthing.id = "JS4RFIL-MJP2SMJ-EOQXCPQ-MC3NB4V-BQ77GN5-LPKGLWY-GHDP732-G22OJQQ";
- };
hilum = {
cores = 1;
nets = {
diff --git a/krebs/3modules/solanum.nix b/krebs/3modules/solanum.nix
deleted file mode 100644
index 9094d1003..000000000
--- a/krebs/3modules/solanum.nix
+++ /dev/null
@@ -1,104 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- inherit (lib) mkEnableOption mkIf mkOption singleton types;
- inherit (pkgs) coreutils solanum;
- cfg = config.krebs.solanum;
-
- configFile = pkgs.writeText "solanum.conf" ''
- ${cfg.config}
- '';
-in
-
-{
-
- ###### interface
-
- options = {
-
- krebs.solanum = {
-
- enable = mkEnableOption "Solanum IRC daemon";
-
- config = mkOption {
- type = types.str;
- description = ''
- Solanum IRC daemon configuration file.
- '';
- };
-
- statedir = mkOption {
- type = types.path;
- default = "/var/lib/solanum";
- description = ''
- Location of the state directory of solanum.
- '';
- };
-
- user = mkOption {
- type = types.str;
- default = "ircd";
- description = ''
- Solanum IRC daemon user.
- '';
- };
-
- group = mkOption {
- type = types.str;
- default = "ircd";
- description = ''
- Solanum IRC daemon group.
- '';
- };
-
- motd = mkOption {
- type = types.nullOr types.lines;
- default = null;
- description = ''
- Solanum MOTD text.
-
- Solanum will read its MOTD from /etc/solanum/ircd.motd .
- If set, the value of this option will be written to this path.
- '';
- };
-
- };
-
- };
-
-
- ###### implementation
-
- config = mkIf cfg.enable (lib.mkMerge [
- {
- users.users.${cfg.user} = {
- description = "Solanum IRC daemon user";
- uid = config.ids.uids.ircd;
- group = cfg.group;
- };
-
- users.groups.${cfg.group} = {
- gid = config.ids.gids.ircd;
- };
-
- systemd.tmpfiles.rules = [
- "d ${cfg.statedir} - ${cfg.user} ${cfg.group} - -"
- ];
-
- systemd.services.solanum = {
- description = "Solanum IRC daemon";
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- ExecStart = "${solanum}/bin/solanum -foreground -logfile /dev/stdout -configfile ${configFile} -pidfile ${cfg.statedir}/ircd.pid";
- Group = cfg.group;
- User = cfg.user;
- };
- };
-
- }
-
- (mkIf (cfg.motd != null) {
- environment.etc."solanum/ircd.motd".text = cfg.motd;
- })
- ]);
-}
diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index fcfaf1dd0..e47f9a3a7 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -94,7 +94,7 @@ in {
programs.fuse.userAllowOther = true;
# allow syncthing to enter /var/lib/containers
system.activationScripts.containers-enter = mkDefault ''
- ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers
+ ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers || :
'';
services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
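Review bot: The added `|| :` makes the activation step succeed whatever `chmod` reports, so a failure that leaves /var/lib/containers non-traversable for syncthing now passes silently. If the intent is only to tolerate the directory not existing yet, guard on that instead: `[ ! -d /var/lib/containers ] || ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers`. Otherwise a comment naming the failure being ignored would help.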
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index a8a78a43e..2c19aefdb 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -237,9 +237,14 @@ let
inherit (cfg.user) home name uid;
createHome = true;
isSystemUser = true;
+ group = netname;
}
) config.krebs.tinc;
+ users.groups = mapAttrs' (netname: cfg:
+ nameValuePair netname {}
+ ) config.krebs.tinc;
+
environment.etc = mapAttrs' (netname: cfg:
nameValuePair "tinc/${netname}" (mkIf cfg.enableLegacy {
source = cfg.confDir;
diff --git a/krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker b/krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker
index ab9c4e8e3..5ca0ddd3e 100644
--- a/krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker
+++ b/krebs/5pkgs/simple/htgen-cyberlocker/src/htgen-cyberlocker
@@ -1,3 +1,10 @@
+emptyok_response() {(
+ printf "HTTP/1.1 204 OK\r\n"
+ printf 'Connection: close\r\n'
+ printf 'Server: %s\r\n' "$Server"
+ printf '\r\n'
+)}
+
delete_response() {
jq -n -r \
--arg server "$Server" \
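Review bot: `emptyok_response` sends the status line `HTTP/1.1 204 OK`, but the standard reason phrase for 204 is "No Content"; `printf 'HTTP/1.1 204 No Content\r\n'` matches what clients and log parsers expect. That first `printf` is also the only one of the four using double quotes. A one-line comment above the function saying it is the reply for a successful upload would document where it is meant to be used.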
@@ -44,7 +51,10 @@ read_uri() {
}
uri=$(read_uri "$Request_URI")
-path=$(jq -nr --argjson uri "$uri" '$uri.path')
+path=$(jq -nr --argjson uri "$uri" '
+ $uri.path |
+ gsub("/+"; "/")
+')
case "$Method $path" in
'POST /'*|'PUT /'*)
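Review bot: The new jq filter collapses runs of slashes in `$uri.path` but leaves `.` and `..` segments untouched. How `$item` is derived from `$path` lies outside this hunk; if the request path ends up in a file name under `$STATEDIR/items`, the upload and delete branches should refuse dot segments before the `case` dispatch, for example with `case "$path" in */..|*/../*) <send error response>; exit;; esac`. The context lines of the next hunk also expand `$content`, `$item` and `$STATEDIR` unquoted in `cp -v $content $item`, so any whitespace or glob character in those values is split or expanded by the shell.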
@@ -57,6 +67,8 @@ case "$Method $path" in
mkdir -v -p $STATEDIR/items >&2
cp -v $content $item >&2
+
+ emptyok_response
exit
;;
'GET /'*)
diff --git a/krebs/5pkgs/simple/nomads-cloud/default.nix b/krebs/5pkgs/simple/nomads-cloud/default.nix
index 97cf10d1f..cc9e7a964 100644
--- a/krebs/5pkgs/simple/nomads-cloud/default.nix
+++ b/krebs/5pkgs/simple/nomads-cloud/default.nix
@@ -1,10 +1,10 @@
{ writers, coreutils, grib2json, curl, jq, findutils, imagemagick }:
writers.writeDashBin "nomads-cloud" ''
prefix=$(mktemp -d)
- grib_path=$prefix.grib
- json_path=$prefix.json
- pgm_path=$prefix.pgm
- png_path="$1"
+ grib_path=$prefix/clouds.grib
+ json_path=$prefix/clouds.json
+ pgm_path=$prefix/clouds.pgm
+ png_path=$1
mkdir -p "$prefix"
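Review bot: `prefix=$(mktemp -d)` is not checked and no `set -e` is visible in the hunk, so if mktemp fails `$prefix` is empty and the new paths become `/clouds.grib`, `/clouds.json` and `/clouds.pgm`. `prefix=$(mktemp -d) || exit 1` closes that. With the work files now inside the directory mktemp created, the `mkdir -p "$prefix"` on the last line is redundant. The script continues outside the hunk, so whether the directory is removed afterwards cannot be seen from here; `trap 'rm -rf "$prefix"' EXIT` would cover it.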
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index e464cb568..9a5c5386f 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,10 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "70088dc29994c32f8520150e34c6e57e8453f895",
- "date": "2021-10-07T22:46:35+08:00",
- "path": "/nix/store/f0i4rdi62kkwa95v7ap8fzxybrikqi01-nixpkgs",
- "sha256": "08ldqfh2cmbvf930yq9pv220sv83k9shq183935l5d8p61fxh5zr",
+ "rev": "34ad3ffe08adfca17fcb4e4a47bb5f3b113687be",
+ "date": "2021-10-21T10:14:45+08:00",
+ "path": "/nix/store/ga9jr8sgxlay545v6j6q2nfj7gih4ix3-nixpkgs",
+ "sha256": "02li241rz5668nfyp88zfjilxf0mr9yansa93fbl38hjwkhf3ix6",
+ "fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index bf2808dce..5be907d21 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,9 +1,10 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "ce7a1190a0fa4ba3465b5f5471b08567060ca14c",
- "date": "2021-10-08T11:14:43-05:00",
- "path": "/nix/store/y01vzcdhna8pjvy3w2bz7nc9zqyylxg3-nixpkgs",
- "sha256": "1zr1s9gp0h5g4arlba1bpb9yqfaaby5195ydm6a2psaxhm748li9",
+ "rev": "95eed9b64eee24975b880308065654fd059f22c3",
+ "date": "2021-10-23T23:27:41+02:00",
+ "path": "/nix/store/05rxgy84zni4bminfyyk4nkc4ccw91sz-nixpkgs",
+ "sha256": "1x59xdxh2vrnhh4j29nyq7npq70v178j5acdm2zsgamcagm3qif9",
+ "fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false
diff --git a/lass/1systems/blue/source.nix b/lass/1systems/blue/source.nix
index 2b4158211..0b2bf5f5b 100644
--- a/lass/1systems/blue/source.nix
+++ b/lass/1systems/blue/source.nix
@@ -1,5 +1,5 @@
{ lib, pkgs, test, ... }:
-{
+if test then {} else {
nixpkgs = lib.mkIf (! test) (lib.mkForce {
file = {
path = toString (pkgs.fetchFromGitHub {
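Review bot: With the whole attribute set now behind `if test then {} else {`, the inner `lib.mkIf (! test)` on `nixpkgs` is always true and can be dropped, leaving `nixpkgs = lib.mkForce {` (and one closing parenthesis fewer further down). Keeping both reads as if two different conditions were in play. The attribute set continues outside the hunk.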
diff --git a/lass/1systems/coaxmetal/config.nix b/lass/1systems/coaxmetal/config.nix
index 227c5e1e9..0e6bddf5e 100644
--- a/lass/1systems/coaxmetal/config.nix
+++ b/lass/1systems/coaxmetal/config.nix
@@ -16,7 +16,7 @@
<stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
- # <stockholm/lass/2configs/nfs-dl.nix>
+ <stockholm/lass/2configs/prism-mounts/samba.nix>
<stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/mail.nix>
<stockholm/lass/2configs/bitcoin.nix>
diff --git a/lass/1systems/coaxmetal/source.nix b/lass/1systems/coaxmetal/source.nix
new file mode 100644
index 000000000..abbf26c75
--- /dev/null
+++ b/lass/1systems/coaxmetal/source.nix
@@ -0,0 +1,21 @@
+{ lib, pkgs, test, ... }: let
+ npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
+in {
+ nixpkgs = (if test then lib.mkForce ({ derivation = let
+ rev = npkgs.rev;
+ sha256 = npkgs.sha256;
+ in ''
+ with import (builtins.fetchTarball {
+ url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz";
+ sha256 = "${sha256}";
+ }) {};
+ pkgs.fetchFromGitHub {
+ owner = "nixos";
+ repo = "nixpkgs";
+ rev = "${rev}";
+ sha256 = "${sha256}";
+ }
+ ''; }) else {
+ git.ref = lib.mkForce npkgs.rev;
+ });
+}
diff --git a/lass/1systems/echelon/config.nix b/lass/1systems/echelon/config.nix
index 9e72916b3..eacdff782 100644
--- a/lass/1systems/echelon/config.nix
+++ b/lass/1systems/echelon/config.nix
@@ -5,10 +5,13 @@
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/tor-initrd.nix>
+ <stockholm/lass/2configs/syncthing.nix>
+ <stockholm/lass/2configs/green-host.nix>
];
krebs.build.host = config.krebs.hosts.echelon;
boot.tmpOnTmpfs = true;
+
}
diff --git a/lass/1systems/green/source.nix b/lass/1systems/green/source.nix
index 48499c9db..da137e064 100644
--- a/lass/1systems/green/source.nix
+++ b/lass/1systems/green/source.nix
@@ -1,5 +1,4 @@
-{ lib, pkgs, ... }:
-{
+{ lib, pkgs, test, ... }:
+if test then {} else {
nixpkgs-unstable = lib.mkForce { file = "/var/empty"; };
- nixpkgs.git.shallow = true;
}
diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix
deleted file mode 100644
index 79d4f528d..000000000
--- a/lass/1systems/morpheus/config.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ config, pkgs, ... }:
-with import <stockholm/lib>;
-{
- imports = [
- <stockholm/lass>
- <stockholm/lass/2configs/retiolum.nix>
-
- <stockholm/lass/2configs/syncthing.nix>
- <stockholm/lass/2configs/green-host.nix>
- ];
-
- krebs.build.host = config.krebs.hosts.morpheus;
-
- networking.wireless.enable = false;
- networking.networkmanager.enable = true;
-
- services.logind.lidSwitch = "ignore";
- services.logind.lidSwitchDocked = "ignore";
-
- environment.systemPackages = with pkgs; [
- gitAndTools.hub
- nix-review
- firefox
- ag
- ];
-
- services.openssh.forwardX11 = true;
- programs.x2goserver.enable = true;
-}
diff --git a/lass/1systems/morpheus/physical.nix b/lass/1systems/morpheus/physical.nix
deleted file mode 100644
index 6e59a2273..000000000
--- a/lass/1systems/morpheus/physical.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{
- imports = [
- ./config.nix
- <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
- ];
-
- boot.loader.grub.enable = true;
- boot.loader.grub.version = 2;
- boot.loader.grub.efiSupport = true;
- boot.loader.grub.efiInstallAsRemovable = true;
- boot.loader.grub.device = "nodev";
-
- networking.hostId = "06442b9a";
-
- fileSystems."/" = {
- device = "/dev/pool/root";
- fsType = "btrfs";
- };
-
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/1F60-17C6";
- fsType = "vfat";
- };
-
- fileSystems."/home" = {
- device = "/dev/pool/home";
- fsType = "btrfs";
- };
-
- fileSystems."/tmp" = {
- device = "tmpfs";
- fsType = "tmpfs";
- options = ["nosuid" "nodev" "noatime"];
- };
- boot.initrd.luks = {
- cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
- devices.luksroot.device = "/dev/nvme0n1p3";
- };
-
- services.udev.extraRules = ''
- SUBSYSTEM=="net", ATTR{address}=="f8:59:71:a9:05:65", NAME="wl0"
- SUBSYSTEM=="net", ATTR{address}=="54:e1:ad:4f:06:83", NAME="et0"
- '';
-}
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index d43fb804a..45f9ae00e 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -112,7 +112,6 @@ with import <stockholm/lib>;
};
}
<stockholm/lass/2configs/exim-smarthost.nix>
- <stockholm/lass/2configs/ts3.nix>
<stockholm/lass/2configs/privoxy-retiolum.nix>
<stockholm/lass/2configs/radio.nix>
<stockholm/lass/2configs/binary-cache/server.nix>
@@ -124,16 +123,6 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/jitsi.nix>
- { # quasi bepasty.nix
- imports = [
- <stockholm/lass/2configs/bepasty.nix>
- ];
- krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
- if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
- return 403;
- }
- '';
- }
{
services.tor = {
enable = true;
diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix
index 1a3bee850..26ecd1cda 100644
--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@@ -65,6 +65,12 @@
fsType = "ext4";
};
+ # silence mdmonitor.service failures
+ # https://github.com/NixOS/nixpkgs/issues/72394
+ environment.etc."mdadm.conf".text = ''
+ MAILADDR root
+ '';
+
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
diff --git a/lass/1systems/red/config.nix b/lass/1systems/red/config.nix
deleted file mode 100644
index 3139e94a2..000000000
--- a/lass/1systems/red/config.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-with import <stockholm/lib>;
-{ config, lib, pkgs, ... }:
-let
- inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
- servephpBB
- ;
-in
-{
- imports = [
- <stockholm/lass>
- <stockholm/lass/2configs>
- <stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/websites>
- <stockholm/lass/2configs/websites/sqlBackup.nix>
- (servephpBB [ "rote-allez-fraktion.de" ])
- ];
-
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
- ];
-
- krebs.build.host = config.krebs.hosts.red;
-
- services.nginx.enable = true;
- environment.systemPackages = [
- pkgs.mk_sql_pair
- ];
-}
diff --git a/lass/1systems/red/physical.nix b/lass/1systems/red/physical.nix
deleted file mode 100644
index b6aa3a894..000000000
--- a/lass/1systems/red/physical.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- imports = [
- ./config.nix
- ];
- boot.isContainer = true;
- networking.useDHCP = false;
-}
diff --git a/lass/1systems/uriel/config.nix b/lass/1systems/uriel/config.nix
deleted file mode 100644
index c3ce8fced..000000000
--- a/lass/1systems/uriel/config.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ config, pkgs, ... }:
-
-with builtins;
-with import <stockholm/lib>;
-{
- imports = [
- <stockholm/lass>
- <stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/exim-retiolum.nix>
- {
- # locke config
- i18n.defaultLocale ="de_DE.UTF-8";
- time.timeZone = "Europe/Berlin";
- services.xserver.enable = true;
- services.xserver.libinput.enable = false;
- users.users.locke = {
- uid = genid "locke";
- home = "/home/locke";
- group = "users";
- createHome = true;
- extraGroups = [
- "audio"
- "networkmanager"
- ];
- useDefaultShell = true;
- isNormalUser = true;
- };
- networking.networkmanager.enable = true;
- hardware.pulseaudio = {
- enable = true;
- systemWide = true;
- };
- environment.systemPackages = with pkgs; [
- pavucontrol
- firefox
- hexchat
- networkmanagerapplet
- ];
- services.xserver.desktopManager.xfce = {
- enable = true;
- };
- }
- ];
-
- krebs.build.host = config.krebs.hosts.uriel;
- nixpkgs.config.allowUnfree = true;
-}
diff --git a/lass/1systems/uriel/physical.nix b/lass/1systems/uriel/physical.nix
deleted file mode 100644
index 82a088643..000000000
--- a/lass/1systems/uriel/physical.nix
+++ /dev/null
@@ -1,59 +0,0 @@
-{
- imports = [
- ./config.nix
- ];
-
- hardware.enableRedistributableFirmware = true;
- boot = {
- #kernelParams = [
- # "acpi.brightness_switch_enabled=0"
- #];
- #loader.grub.enable = true;
- #loader.grub.version = 2;
- #loader.grub.device = "/dev/sda";
-
- loader.systemd-boot.enable = true;
- loader.timeout = 5;
-
- initrd.luks.devices.luksroot.device = "/dev/sda2";
- initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
- initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
- #kernelModules = [ "kvm-intel" "msr" ];
- kernelModules = [ "msr" ];
- };
- fileSystems = {
- "/" = {
- device = "/dev/pool/root";
- fsType = "ext4";
- };
-
- "/bku" = {
- device = "/dev/pool/bku";
- fsType = "ext4";
- };
-
- "/boot" = {
- device = "/dev/sda1";
- };
- "/tmp" = {
- device = "tmpfs";
- fsType = "tmpfs";
- options = ["nosuid" "nodev" "noatime"];
- };
- };
-
- services.udev.extraRules = ''
- SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0"
- SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0"
- '';
-
- services.xserver.synaptics = {
- enable = true;
- twoFingerScroll = true;
- accelFactor = "0.035";
- additionalOptions = ''
- Option "FingerHigh" "60"
- Option "FingerLow" "60"
- '';
- };
-}
diff --git a/lass/2configs/bepasty.nix b/lass/2configs/bepasty.nix
deleted file mode 100644
index 9bd416c05..000000000
--- a/lass/2configs/bepasty.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{ config, pkgs, ... }:
-with import <stockholm/lib>;
-
-# secrets used:
-# wildcard.krebsco.de.crt
-# wildcard.krebsco.de.key
-# bepasty-secret.nix <- contains single string
-
-with import <stockholm/lib>;
-let
- secKey = import <secrets/bepasty-secret.nix>;
- ext-doms = [
- "paste.lassul.us"
- "paste.krebsco.de"
- ];
-in {
-
- services.nginx.enable = mkDefault true;
- krebs.bepasty = {
- enable = true;
- serveNginx= true;
-
- servers = {
- "paste.r" = {
- nginx = {
- serverAliases = [
- "paste.${config.krebs.build.host.name}"
- "paste.r"
- ];
- };
- defaultPermissions = "admin,list,create,read,delete";
- secretKey = secKey;
- };
- } //
- genAttrs ext-doms (ext-dom: {
- nginx = {
- forceSSL = true;
- enableACME = true;
- };
- defaultPermissions = "read,create";
- secretKey = secKey;
- });
- };
-}
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index eb38d0e97..1bcfb162c 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -89,8 +89,6 @@ with import <stockholm/lib>;
services.timesyncd.enable = mkForce true;
- boot.tmpOnTmpfs = true;
-
# multiple-definition-problem when defining environment.variables.EDITOR
environment.extraInit = ''
EDITOR=vim
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
index 355daba9c..a83ed0544 100644
--- a/lass/2configs/green-host.nix
+++ b/lass/2configs/green-host.nix
@@ -6,12 +6,12 @@
];
krebs.sync-containers.containers.green = {
peers = [
+ "echelon"
"icarus"
+ "littleT"
+ "mors"
"shodan"
"skynet"
- "mors"
- "morpheus"
- "littleT"
"styx"
];
hostIp = "10.233.2.15";
@@ -25,5 +25,9 @@
repo = "/var/lib/sync-containers/green/backup";
compression = "auto,lzma";
startAt = "daily";
+ prune.keep = {
+ daily = 7;
+ weekly = 4;
+ };
};
}
diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix
index 210551a62..854af3eb5 100644
--- a/lass/2configs/mpv.nix
+++ b/lass/2configs/mpv.nix
@@ -80,7 +80,12 @@ let
name = "mpv";
paths = [
(pkgs.writeDashBin "mpv" ''
- exec ${pkgs.mpv}/bin/mpv -vo=gpu --no-config --script=${autosub} "$@"
+ exec ${pkgs.mpv}/bin/mpv \
+ -vo=gpu \
+ --no-config \
+ --script=${autosub} \
+ --script-opts=ytdl_hook-ytdl_path=${pkgs.yt-dlp}/bin/yt-dlp \
+ "$@"
'')
pkgs.mpv
];
diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix
index 9f325d0af..7cc4051a8 100644
--- a/lass/2configs/murmur.nix
+++ b/lass/2configs/murmur.nix
@@ -16,7 +16,7 @@
StandardError = lib.mkForce "journal";
};
virtualisation.oci-containers.containers.mumble-web = {
- image = "rankenstein/mumble-web";
+ image = "rankenstein/mumble-web:0.5";
environment = {
MUMBLE_SERVER = "lassul.us:64738";
};
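Review bot: `rankenstein/mumble-web:0.5` pins a tag, and a registry tag can be re-pointed to a different image after it was reviewed. Adding the digest makes the deployed image content-addressed: `image = "rankenstein/mumble-web:0.5@sha256:<digest-of-reviewed-image>";`. The container is proxied by the public `mumble.lassul.us` vhost in the next hunk, so an unnoticed image change would be reachable from outside.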
@@ -28,12 +28,9 @@
services.nginx.virtualHosts."mumble.lassul.us" = {
enableACME = true;
forceSSL = true;
- locations."/".extraConfig = ''
- proxy_pass http://localhost:64739/;
- proxy_set_header Accept-Encoding "";
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
- '';
+ locations."/" = {
+ proxyPass = "http://localhost:64739";
+ proxyWebsockets = true;
+ };
};
}
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
index 48070ea06..8ec3ac092 100644
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@@ -4,7 +4,15 @@
users.users.mainUser.packages = with pkgs; [
(pass.withExtensions (ext: [ ext.pass-otp ]))
gnupg
+ (pkgs.writers.writeDashBin "unlock" ''
+ set -efu
+ HOST=$1
+
+ pw=$(pass show "admin/$HOST/luks")
+ torify sshn root@$(pass "hosts/$HOST/initrd/hostname") "echo $pw > /crypt-ramfs/passphrase"
+ '')
];
programs.gnupg.agent.enable = true;
+
}
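Review bot: The `unlock` helper interpolates the LUKS passphrase into the remote command string, `"echo $pw > /crypt-ramfs/passphrase"`, so the secret appears in the local argument list of `torify`/`sshn` and is re-parsed by the remote shell, where whitespace or metacharacters in the passphrase change or break the command. Sending it on stdin avoids both: `pass show "admin/$HOST/luks" | torify sshn "root@$(pass "hosts/$HOST/initrd/hostname")" 'cat > /crypt-ramfs/passphrase'`. What `sshn` does about host keys is not visible in this diff; since the passphrase goes to whichever host answers, the initrd host key should be verified. `HOST=$1` under `set -u` aborts with a bare shell error when no argument is given, so a short usage message would help.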
diff --git a/lass/2configs/prism-mounts/samba.nix b/lass/2configs/prism-mounts/samba.nix
new file mode 100644
index 000000000..4b1475ef3
--- /dev/null
+++ b/lass/2configs/prism-mounts/samba.nix
@@ -0,0 +1,15 @@
+{
+ fileSystems."/mnt/prism" = {
+ device = "//prism.r/public";
+ fsType = "cifs";
+ options = [
+ "guest"
+ "nofail"
+ "noauto"
+ "ro"
+ "x-systemd.automount"
+ "x-systemd.device-timeout=1"
+ "x-systemd.idle-timeout=1min"
+ ];
+ };
+ }
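Review bot: The guest CIFS mount is read-only, but its `options` list does not restrict setuid bits, device nodes or execution for files coming from a share that needs no authentication. Adding `"nosuid"`, `"nodev"` and `"noexec"` costs nothing for a public file share. The closing `}` on the last line is indented by one space, unlike the opening brace.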
diff --git a/lass/2configs/ts3.nix b/lass/2configs/ts3.nix
deleted file mode 100644
index d0cfdf478..000000000
--- a/lass/2configs/ts3.nix
+++ /dev/null
@@ -1,19 +0,0 @@
-{ config, ... }:
-
-{
- services.teamspeak3 = {
- enable = true;
- };
-
- krebs.iptables.tables.filter.INPUT.rules = [
- #voice port
- { predicate = "-p tcp --dport 9987"; target = "ACCEPT"; }
- { predicate = "-p udp --dport 9987"; target = "ACCEPT"; }
- ##file transfer port
- { predicate = "-p tcp --dport 30033"; target = "ACCEPT"; }
- { predicate = "-p udp --dport 30033"; target = "ACCEPT"; }
- ##query port
- #{ predicate = "-p tcp --dport 10011"; target = "ACCEPT"; }
- #{ predicate = "-p udp --dport 10011"; target = "ACCEPT"; }
- ];
-}
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index 0e4ac5394..6c730efdd 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -5,16 +5,6 @@ let
out = {
environment.systemPackages = [
(hiPrio vim)
- (pkgs.writeDashBin "govet" ''
- go vet "$@"
- '')
- (hiPrio (pkgs.python3.withPackages (ps: [
- ps.python-language-server
- ps.pyls-isort
- ps.pyflakes
- ps.flake8
- ps.yapf
- ])))
];
environment.etc.vimrc.source = vimrc;
@@ -126,11 +116,7 @@ let
'';
extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
- pkgs.vimPlugins.ack-vim
pkgs.vimPlugins.undotree
- pkgs.vimPlugins.vim-go
- pkgs.vimPlugins.fzf-vim
- pkgs.vimPlugins.LanguageClient-neovim
(pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchFromGitHub {
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 40f67537e..3f055e370 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -82,7 +82,6 @@ in {
"o_ubikmedia_de"
];
- services.phpfpm.phpPackage = pkgs.php73;
services.phpfpm.phpOptions = ''
sendmail_path = ${sendmail} -t
upload_max_filesize = 100M
@@ -117,6 +116,13 @@ in {
# workaround for android 7
security.acme.certs."lassul.us".keyType = "rsa4096";
+ services.roundcube = {
+ enable = true;
+ hostName = "mail.lassul.us";
+ extraConfig = ''
+ $config['smtp_port'] = 25;
+ '';
+ };
services.dovecot2 = {
enable = true;
mailLocation = "maildir:~/Mail";
@@ -138,7 +144,7 @@ in {
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
- server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
+ server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
'';
internet-aliases = [
{ from = "dma@ubikmedia.de"; to = "domsen"; }
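Review bot: `server_condition` still passes `$auth2`, the client's password, to `shadow_verify_arg` as a command-line argument, so for the duration of the check it is readable in the process list by any local user who can see other users' processes. The wrapper under /run/wrappers/bin is presumably setuid and is defined outside this diff; it is worth confirming which users may execute it. Since `services.dovecot2` is enabled in this file, Exim's `dovecot` authenticator driver could verify credentials over dovecot's auth socket instead, assuming both services share the same password source.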
@@ -317,6 +323,15 @@ in {
isNormalUser = true;
};
+ users.users.line = {
+ uid = genid_uint31 "line";
+ home = "/home/line";
+ useDefaultShell = true;
+ # extraGroups = [ "xanf" ];
+ createHome = true;
+ isNormalUser = true;
+ };
+
users.groups.xanf = {};
krebs.on-failure.plans.restic-backups-domsen = {
diff --git a/lass/3modules/klem.nix b/lass/3modules/klem.nix
index a297adcd1..8536d967d 100644
--- a/lass/3modules/klem.nix
+++ b/lass/3modules/klem.nix
@@ -38,7 +38,7 @@ in {
# match filetype against patterns
${concatMapStringsSep "\n" (script: ''
${pkgs.xclip}/bin/xclip -selection clipboard -target TARGETS -out \
- | grep -q '${script.target}'
+ | ${pkgs.gnugrep}/bin/grep -q '${script.target}'
if [ $? -eq 0 ]; then
labels="$labels:${script.label}"
fi
diff --git a/lass/krops.nix b/lass/krops.nix
index 128c9ee04..fe5c00f3d 100644
--- a/lass/krops.nix
+++ b/lass/krops.nix
@@ -24,7 +24,7 @@
};
};
}
- (if (lib.pathExists (./. + "/1systems/${name}/source.nix")) && (! test) then
+ (if lib.pathExists (./. + "/1systems/${name}/source.nix") then
import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs test; }
else
{}
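Review bot: Dropping `&& (! test)` means every host's `source.nix` is now imported in test runs, not only the three this commit touches (blue, green, coaxmetal). Any other `1systems/<name>/source.nix` that does not branch on `test` will now override the test sources; those files are not part of this diff, so this needs checking. A comment above the `if` would record the new contract, for example `# source.nix must handle test = true itself`.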