From 77638b8fe76c41c8314f970f509b752569eecc14 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 Jan 2023 00:32:18 +0100 Subject: !confuse: allow inline queries --- krebs/2configs/reaktor2.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index 11aaf876a..39039cc11 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -52,7 +52,7 @@ let }; confuse = { - pattern = "^!confuse (.*)$"; + pattern = "!confuse (.*)$"; activate = "match"; arguments = [1]; command = { @@ -90,7 +90,7 @@ let }; confuse_hackint = { - pattern = "^!confuse (.*)$"; + pattern = "!confuse (.*)$"; activate = "match"; arguments = [1]; command = { -- cgit v1.2.3 From dbc3870841223051e4f617b4c06065c168c69c10 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 23 Jan 2023 00:41:26 +0100 Subject: ma 2configs: use nix.settings --- makefu/2configs/binary-cache/gum.nix | 6 +++--- makefu/2configs/binary-cache/lass.nix | 6 +++--- makefu/2configs/binary-cache/nixos.nix | 6 +++--- makefu/2configs/default.nix | 2 +- makefu/2configs/minimal.nix | 4 ++-- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/makefu/2configs/binary-cache/gum.nix b/makefu/2configs/binary-cache/gum.nix index fc54bd917..fc6e26fe0 100644 --- a/makefu/2configs/binary-cache/gum.nix +++ b/makefu/2configs/binary-cache/gum.nix @@ -2,11 +2,11 @@ { config, ... }: { - nix = { - binaryCaches = [ + nix.settings = { + substituters = [ "https://cache.euer.krebsco.de/" ]; - binaryCachePublicKeys = [ + trusted-public-keys = [ "gum:iIXIFlCAotib+MgI3V/i3HMlFXiVYOT/jfP0y54Zuvg=" ]; }; diff --git a/makefu/2configs/binary-cache/lass.nix b/makefu/2configs/binary-cache/lass.nix index 51b4a1afc..7d7549d8d 100644 --- a/makefu/2configs/binary-cache/lass.nix +++ b/makefu/2configs/binary-cache/lass.nix 
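Review bot: Dropping the `^` anchor from `pattern` in the `confuse` hook makes the trigger fire on any message that merely contains `!confuse`, including quoted or relayed text, and `(.*)$` then hands everything after the first occurrence to the command as argument 1; the `confuse_hackint` hunk in this patch makes the same change. The `command = {` body that consumes that argument starts after the hunk's last context line, so whether a wider match surface matters depends on how it is interpolated there, which is worth a look. If inline use is the intent, a boundary keeps the match deliberate while still allowing mid-line queries, e.g. `pattern = "(^|\\s)!confuse (.*)$";` with `arguments = [2];` (assuming reaktor2's `match` is a Python `re` search).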
@@ -1,11 +1,11 @@ { config, ... }: { - nix = { - binaryCaches = [ + nix.settings = { + substituters = [ "https://cache.krebsco.de" ]; - binaryCachePublicKeys = [ + trusted-public-keys = [ "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU=" "cache.prism-2:YwmCm3/s/D+SxrPKN/ETjlpw/219pNUbpnluatp6FKI=" ]; diff --git a/makefu/2configs/binary-cache/nixos.nix b/makefu/2configs/binary-cache/nixos.nix index 2ff5e1307..299130059 100644 --- a/makefu/2configs/binary-cache/nixos.nix +++ b/makefu/2configs/binary-cache/nixos.nix @@ -1,11 +1,11 @@ { config, ... }: { - nix = { - binaryCaches = [ + nix.settings = { + substituters = [ "https://cache.nixos.org/" ]; - binaryCachePublicKeys = [ + trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; }; diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index ef4f8fbcd..2bfb42732 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -30,7 +30,7 @@ with import ; openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ]; }; }; - nix.trustedUsers = [ config.krebs.build.user.name ]; + nix.settings.trusted-users = [ config.krebs.build.user.name ]; boot.kernelPackages = lib.mkDefault pkgs.linuxPackages; diff --git a/makefu/2configs/minimal.nix b/makefu/2configs/minimal.nix index 1761f65e2..0334422c8 100644 --- a/makefu/2configs/minimal.nix +++ b/makefu/2configs/minimal.nix @@ -8,13 +8,13 @@ time.timeZone = "Europe/Berlin"; networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name; - nix.buildCores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable # we use gpg if necessary (or nothing at all) programs.ssh.startAgent = false; # all boxes look the same - nix.useSandbox = true; + nix.settings.sandbox = true; + nix.settings.cores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable # we configure users via nix users.mutableUsers = false; -- cgit v1.2.3 
From ad93b27981e754498c06351a020bd47b16511d52 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 25 Jan 2023 23:27:16 +0100 Subject: l yubikey: fix initial setup --- lass/2configs/yubikey.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix index a37752d5e..bf6a587af 100644 --- a/lass/2configs/yubikey.nix +++ b/lass/2configs/yubikey.nix @@ -3,6 +3,7 @@ environment.systemPackages = with pkgs; [ yubikey-personalization yubikey-manager + pinentry-curses pinentry-qt ]; services.udev.packages = with pkgs; [ yubikey-personalization ]; @@ -11,6 +12,7 @@ services.pcscd.enable = true; systemd.user.services.gpg-agent.serviceConfig.ExecStartPre = pkgs.writers.writeDash "init_gpg" '' set -x + mkdir -p $HOME/.gnupg ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "scdaemon.conf" '' disable-ccid pcsc-driver ${pkgs.pcsclite.out}/lib/libpcsclite.so.1 @@ -25,6 +27,10 @@ reader-port Yubico YubiKey ''} $HOME/.gnupg/scdaemon.conf ''; + systemd.user.services.gpg-agent.serviceConfig.ExecStartPost = pkgs.writers.writeDash "init_gpg" '' + ${pkgs.gnupg}/bin/gpg --import ${../../kartei/lass/pgp/yubikey.pgp} >/dev/null + echo -e '5\ny\n' | gpg --command-fd 0 --expert --edit-key DBCD757846069B392EA9401D6657BE8A8D1EE807 trust >/dev/null || : + ''; security.polkit.extraConfig = '' polkit.addRule(function(action, subject) { @@ -38,13 +44,14 @@ } }); polkit.addRule(function(action, subject) { - polkit.log("subject: " + subject + " action: " + action); + polkit.log("subject: " + subject + " action: " + action); }); ''; environment.shellInit = '' if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then export GPG_TTY="$(tty)" + mkdir -p $HOME/.gnupg gpg-connect-agent --quiet updatestartuptty /bye > /dev/null export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" if [ -z "$SSH_AUTH_SOCK" ]; then 
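Review bot: `mkdir -p $HOME/.gnupg` in the ExecStartPre hunk creates the directory with the default umask, so on first use it is typically 0755 and gnupg warns about unsafe homedir permissions on every invocation; the same line is added in the shellInit hunk, which is the one that runs first for a fresh user. `mkdir -p -m 700 "$HOME/.gnupg"` creates it with the mode gnupg expects and quotes the path in both places.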
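Review bot: In the new `ExecStartPost` script, `echo -e '5\ny\n'` runs under dash (`pkgs.writers.writeDash`), whose builtin echo does not accept `-e` and prints it literally, so gpg's trust prompt receives `-e 5` as its first answer; the trailing `|| :` then hides that the trust level was never set. `printf '5\ny\n' | ${pkgs.gnupg}/bin/gpg --command-fd 0 --expert --edit-key DBCD757846069B392EA9401D6657BE8A8D1EE807 trust >/dev/null || :` fixes the answer and also pins the same gnupg binary the `--import` line above uses instead of whatever `gpg` is first on the unit's PATH. Since `5` means ultimate owner trust, a comment on that line, `# 5 = ultimate trust for the yubikey key`, records the intent; naming this script something other than `init_gpg` (already used by ExecStartPre) makes journal output easier to attribute.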
@@ -61,6 +68,7 @@ ssh.startAgent = false; gnupg.agent = { enable = true; + pinentryFlavor = "qt"; # enableSSHSupport = true; }; }; -- cgit v1.2.3 From dbfc4044ef79153f2b80b0d6c252ddbf2ab476ab Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 25 Jan 2023 23:27:49 +0100 Subject: l install-system: support install via hilum --- lass/5pkgs/install-system/default.nix | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/lass/5pkgs/install-system/default.nix b/lass/5pkgs/install-system/default.nix index 9a392e669..0e13265f6 100644 --- a/lass/5pkgs/install-system/default.nix +++ b/lass/5pkgs/install-system/default.nix @@ -5,13 +5,21 @@ pkgs.writers.writeDashBin "install-system" '' TARGET=$2 # format if ! (sshn "$TARGET" -- mountpoint /mnt); then - nix run github:numtide/nixos-remote -- --stop-after-disko --store-paths "$(nix-build --no-out-link -I stockholm="$HOME"/sync/stockholm -I nixos-config="$HOME"/sync/stockholm/lass/1systems/"$SYSTEM"/physical.nix '' -A config.system.build.diskoNoDeps)" /dev/null "$TARGET" + if ! (sshn "$TARGET" -- type -p nix); then + nix run github:numtide/nixos-remote -- --stop-after-disko --store-paths "$(nix-build --no-out-link -I stockholm="$HOME"/sync/stockholm -I nixos-config="$HOME"/sync/stockholm/lass/1systems/"$SYSTEM"/physical.nix '' -A config.system.build.diskoNoDeps)" /dev/null "$TARGET" + else + disko=$(nix-build -I stockholm=$HOME/sync/stockholm -I secrets=$HOME/sync/stockholm/lass/2configs/tests/dummy-secrets -I nixos-config=$HOME/sync/stockholm/lass/1systems/$SYSTEM/physical.nix '' -A config.system.build.disko) + NIX_SSHOPTS='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' nix-copy-closure --to "$TARGET" "$disko" + sshn -t "$TARGET" -- "$disko" + fi fi # install dependencies sshn "$TARGET" << SSH - nix-channel --update - nix-env -iA nixos.git + if ! type -p git; then + nix-channel --update + nix-env -iA nixos.git + fi SSH # populate 
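Review bot: The new `else` branch builds `disko` with unquoted `$HOME` and `$SYSTEM` in its `-I` arguments while the `nixos-remote` branch directly above quotes them; `-I stockholm="$HOME"/sync/stockholm -I secrets="$HOME"/sync/stockholm/lass/2configs/tests/dummy-secrets -I nixos-config="$HOME"/sync/stockholm/lass/1systems/"$SYSTEM"/physical.nix` keeps the two consistent. `NIX_SSHOPTS='-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no'` disables host-key verification for the closure copy only, while the surrounding `sshn` calls go through a helper defined outside this file, so the script's overall trust in the target is unclear from here; a comment such as `# fresh install target: its host key is not known yet, and disko wipes the disk next anyway` says why the bypass is acceptable in this path and discourages copying it elsewhere. `type -p` is a bash/ksh extension; if the target's login shell is dash, `command -v nix` and `command -v git` are the portable checks.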
@@ -19,8 +27,9 @@ pkgs.writers.writeDashBin "install-system" '' # install sshn "$TARGET" << SSH - ln -s /mnt/var/src /var/src - NIXOS_CONFIG=/var/src/nixos-config nixos-install --no-root-password -I /var/src + NIXOS_CONFIG=/var/src/nixos-config nixos-install --no-root-password -I /mnt/var/src + nixos-enter -- nixos-rebuild -I /var/src switch --install-bootloader + umount -R /mnt zpool export -fa SSH '' -- cgit v1.2.3 From 18efc15b2a2694dac07f89d33bb1243492358a88 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 26 Jan 2023 16:13:42 +0100 Subject: l aergia.r: init --- kartei/lass/aergia.nix | 39 ++++++++++++++++++++++ lass/1systems/aergia/config.nix | 70 +++++++++++++++++++++++++++++++++++++++ lass/1systems/aergia/disk.nix | 64 +++++++++++++++++++++++++++++++++++ lass/1systems/aergia/install.sh | 3 ++ lass/1systems/aergia/physical.nix | 40 ++++++++++++++++++++++ lass/1systems/aergia/source.nix | 21 ++++++++++++ 6 files changed, 237 insertions(+) create mode 100644 kartei/lass/aergia.nix create mode 100644 lass/1systems/aergia/config.nix create mode 100644 lass/1systems/aergia/disk.nix create mode 100644 lass/1systems/aergia/install.sh create mode 100644 lass/1systems/aergia/physical.nix create mode 100644 lass/1systems/aergia/source.nix diff --git a/kartei/lass/aergia.nix b/kartei/lass/aergia.nix new file mode 100644 index 000000000..d186f912c --- /dev/null +++ b/kartei/lass/aergia.nix 
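Review bot: With the `ln -s /mnt/var/src /var/src` line removed, `NIXOS_CONFIG=/var/src/nixos-config` still names a path on the installer host rather than under /mnt, so unless the populate step (outside this hunk) also fills /var/src on the host, the evaluation will not find the config; the flash-stick.sh later in this series uses `NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config`, and the equivalent here is `NIXOS_CONFIG=/mnt/var/src/nixos-config nixos-install --no-root-password -I /mnt/var/src`. The following `nixos-enter -- nixos-rebuild -I /var/src switch --install-bootloader` runs inside the chroot where /var/src is the right path, so the two differing prefixes are presumably intentional; a comment saying which side of the chroot each line runs on would prevent them from being "harmonised" later.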
@@ -0,0 +1,39 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.1"; + ip6.addr = r6 "ae12"; + aliases = [ + "aergia.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAqLtEUExq0qmXbi3aykdoW1WIneePfmm1SnFxCVcEBecJ1z326cNl + EIhYFSzhctwui0vG1dscmNMXHJ0rRQ0QHks1kp/x2MNMlun3Wl8Md9PQrTRGqZOf + ltdlNKzn8QbqcQQa9BYMgnFRzhbzzsSO3q5xqncJJ8qSxxWy/boIR9fO+OI/aUfe + rVLVHj/i5TTAmov5johqQZOyb7ydEbLiTbaaPSo1H/I/as0iv2jaDRdoVBL5/r+q + JvYFfhcdePjpwjRVNohdRwPquyM2ut91e2UyxD5N5eUoQBn+Xr18f6CQlyfJmMrc + /oGL+DScrDzFQ/ezCzks3O02dWAmgJsU6odUyNqtdU2x+0lhSqTRH0IXfdkj5n3k + K5U340/84e8Bn/1BJQoaGpBZJbK8RHdZd/0r+9+aXcI5tm2YAGaPPYzgLUYg06NZ + fMES28iByiCecIPci4vUZ50oOQFGQYaBNA12JC4TRbL/EfLlaax9bRAaUQr7qIXS + OBmKrC8eN9QO53T2d2w8Llk5d1rwq0TE3lyJEFLt7sqrHvlBFJ4fpeC+JqZAObqf + AJlCvFrqDYXBPzuNC2cZQX9QJ4FlGBpOObGg5KtkY0hPUyBO96OMxIDQ2+Jqc7F0 + isAUVvn23h6i3m77jRE1AGFyIC/ReMaCH70/83AJQxRpTkzKcF98xU8CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "Jb8RJkm+ufh8o0acM31P2BolEUneYFB4xbtyoLQywLG"; + }; + wiregrill = { + ip6.addr = w6 "ae12"; + aliases = [ + "aergia.w" + ]; + wireguard.pubkey = '' + h2GFkqW1ThHpDiALrLkJEsR5NU1lXHvwk0Kers1vIxg= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPAGcqlL5fcxT3iCTlOm5rNPGKZmx1SEDWS71d3Tvbs/"; + syncthing.id = "K5G46ZC-AKEG3WE-MQTG6MB-PC3ZA7O-C2BOKW6-KCXTSEW-RWHKP4B-Q7FCRQ7"; +} diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix new file mode 100644 index 000000000..a723a6385 --- /dev/null +++ b/lass/1systems/aergia/config.nix 
@@ -0,0 +1,70 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + + + + + + + + + + + + + + + + + + + + # + + + + + ]; + + system.stateVersion = "22.11"; + + krebs.build.host = config.krebs.hosts.aergia; + + environment.systemPackages = with pkgs; [ + brain + bank + l-gen-secrets + generate-secrets + ]; + + programs.adb.enable = true; + + hardware.bluetooth = { + enable = true; + powerOnBoot = true; + }; + hardware.pulseaudio.package = pkgs.pulseaudioFull; + + lass.browser.config = { + fy = { browser = "chromium"; groups = [ "audio" "video" ]; hidden = true; }; + qt = { browser = "qutebrowser"; groups = [ "audio" "video" ]; hidden = true; }; + }; + + nix.trustedUsers = [ "root" "lass" ]; + + # nix.extraOptions = '' + # extra-experimental-features = nix-command flakes + # ''; + + services.tor = { + enable = true; + client.enable = true; + }; + + documentation.nixos.enable = true; + boot.binfmt.emulatedSystems = [ + "aarch64-linux" + ]; +} diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix new file mode 100644 index 000000000..0ae0892ee --- /dev/null +++ b/lass/1systems/aergia/disk.nix 
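Review bot: `nix.trustedUsers = [ "root" "lass" ];` uses the legacy option name that the `ma 2configs: use nix.settings` commit in this same series migrates away from; `nix.settings.trusted-users = [ "root" "lass" ];` keeps the new host consistent. Because a trusted user can override substituters and trusted public keys for the daemon, which is effectively root, a short comment on the line, `# trusted-users can point the daemon at arbitrary caches; keep this to the interactive user`, records why the list is this short.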
@@ -0,0 +1,64 @@ +{ lib, ... }: +{ + disk = { + main = { + type = "disk"; + device = "/dev/nvme0n1"; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "boot"; + type = "partition"; + start = "0"; + end = "1M"; + part-type = "primary"; + flags = ["bios_grub"]; + } + { + type = "partition"; + name = "ESP"; + start = "1MiB"; + end = "1GiB"; + fs-type = "fat32"; + bootable = true; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + } + { + name = "root"; + type = "partition"; + start = "1GiB"; + end = "100%"; + content = { + type = "luks"; + name = "aergia1"; + content = { + type = "btrfs"; + extraArgs = "-f"; # Override existing partition + subvolumes = { + # Subvolume name is different from mountpoint + "/rootfs" = { + mountpoint = "/"; + }; + # Mountpoints inferred from subvolume name + "/home" = { + mountOptions = []; + }; + "/nix" = { + mountOptions = []; + }; + }; + }; + }; + } + ]; + }; + }; + }; +} + diff --git a/lass/1systems/aergia/install.sh b/lass/1systems/aergia/install.sh new file mode 100644 index 000000000..0e4f0ab4c --- /dev/null +++ b/lass/1systems/aergia/install.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +target=$1 diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix new file mode 100644 index 000000000..800202396 --- /dev/null +++ b/lass/1systems/aergia/physical.nix 
@@ -0,0 +1,40 @@ +{ config, lib, pkgs, modulesPath, ... }: +{ + imports = [ + ./config.nix + (modulesPath + "/installer/scan/not-detected.nix") + ]; + disko.devices = import ./disk.nix; + + networking.hostId = "deadbeef"; + # boot.loader.efi.canTouchEfiVariables = true; + boot.loader.grub = { + enable = true; + device = "/dev/nvme0n1"; + efiSupport = true; + efiInstallAsRemovable = true; + }; + + + # Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html + # On recent AMD CPUs this can be more energy efficient. + boot.kernelModules = [ "kvm-amd" ]; + + # hardware.cpu.amd.updateMicrocode = true; + + services.xserver.videoDrivers = [ + "amdgpu" + ]; + + boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; + + services.logind.lidSwitch = "ignore"; + services.logind.lidSwitchDocked = "ignore"; + + environment.systemPackages = [ + pkgs.ryzenadj + ]; + + # textsize + services.xserver.dpi = 200; +} diff --git a/lass/1systems/aergia/source.nix b/lass/1systems/aergia/source.nix new file mode 100644 index 000000000..abbf26c75 --- /dev/null +++ b/lass/1systems/aergia/source.nix @@ -0,0 +1,21 @@ +{ lib, pkgs, test, ... }: let + npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json; +in { + nixpkgs = (if test then lib.mkForce ({ derivation = let + rev = npkgs.rev; + sha256 = npkgs.sha256; + in '' + with import (builtins.fetchTarball { + url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz"; + sha256 = "${sha256}"; + }) {}; + pkgs.fetchFromGitHub { + owner = "nixos"; + repo = "nixpkgs"; + rev = "${rev}"; + sha256 = "${sha256}"; + } + ''; }) else { + git.ref = lib.mkForce npkgs.rev; + }); +} -- cgit v1.2.3 From 2b01c332826d2d59b7fdbf4a7924e827338920f9 Mon Sep 17 00:00:00 2001 
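Review bot: `networking.hostId = "deadbeef";` is a well-known placeholder for an identifier NixOS documents as unique per machine (ZFS ties pool import to it); disk.nix for this host uses btrfs, so it is inert here, but the value tends to get copied into the next physical.nix. A comment, `# placeholder; no ZFS on this host — generate a real one if that changes`, keeps it from being reused on a ZFS machine.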
From: lassulus Date: Thu, 26 Jan 2023 16:14:47 +0100 Subject: l hilum.r: create with disko, add script --- lass/1systems/hilum/disk.nix | 53 ++++++++++++++++++++++++++++++++++++++ lass/1systems/hilum/flash-stick.sh | 27 +++++++++++++++++++ lass/1systems/hilum/physical.nix | 29 +++++++++++---------- 3 files changed, 95 insertions(+), 14 deletions(-) create mode 100644 lass/1systems/hilum/disk.nix create mode 100644 lass/1systems/hilum/flash-stick.sh diff --git a/lass/1systems/hilum/disk.nix b/lass/1systems/hilum/disk.nix new file mode 100644 index 000000000..4a7253bab --- /dev/null +++ b/lass/1systems/hilum/disk.nix @@ -0,0 +1,53 @@ +{ lib, disk, ... }: +{ + disk = { + main = { + type = "disk"; + device = disk; + content = { + type = "table"; + format = "gpt"; + partitions = [ + { + name = "boot"; + type = "partition"; + start = "0"; + end = "1M"; + part-type = "primary"; + flags = ["bios_grub"]; + } + { + type = "partition"; + name = "ESP"; + start = "1MiB"; + end = "50%"; + fs-type = "fat32"; + bootable = true; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + } + { + name = "root"; + type = "partition"; + start = "50%"; + end = "100%"; + content = { + type = "luks"; + name = "hilum_luks"; + # keyFile = "/tmp/secret.key"; + content = { + type = "filesystem"; + format = "xfs"; + mountpoint = "/"; + }; + }; + } + ]; + }; + }; + }; +} + diff --git a/lass/1systems/hilum/flash-stick.sh b/lass/1systems/hilum/flash-stick.sh new file mode 100644 index 000000000..7b787f92a --- /dev/null +++ b/lass/1systems/hilum/flash-stick.sh 
@@ -0,0 +1,27 @@ +#!/bin/sh +set -efux + +disk=$1 + +export NIXPKGS_ALLOW_UNFREE=1 +stockholm_root=$(git rev-parse --show-toplevel) +ssh root@localhost -t -- $(nix-build \ + --no-out-link \ + -I nixpkgs=/var/src/nixpkgs \ + -I stockholm="$stockholm_root" \ + -I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \ + -E "with import {}; (pkgs.nixos [ { mainDisk = \"$disk\"; disko.rootMountPoint = \"/mnt/hilum\"; } ./physical.nix ]).mountScript" +) +$(nix-build \ + --no-out-link \ + -I nixpkgs=/var/src/nixpkgs \ + "$stockholm_root"/lass/krops.nix -A populate \ + --argstr name hilum \ + --argstr target "root@localhost/mnt/hilum/var/src" \ + --arg force true +) +ssh root@localhost << SSH +nixos-install --no-root-password --root /mnt/hilum -I /var/src +nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader +umount -Rv /mnt/hilum +SSH diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix index f8bab57d6..e6860a496 100644 --- a/lass/1systems/hilum/physical.nix +++ b/lass/1systems/hilum/physical.nix @@ -1,11 +1,24 @@ -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: { imports = [ ./config.nix + { + # nice hack to carry around state passed impurely at the beginning + options.mainDisk = lib.mkOption { + type = lib.types.str; + default = builtins.readFile "/etc/hilum-disk"; + }; + config.environment.etc.hilum-disk.text = config.mainDisk; + } ]; + disko.devices = import ./disk.nix { + inherit lib; + disk = config.mainDisk; + }; + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ "kvm-intel" ]; 
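Review bot: `disk=$1` is spliced unchecked into the Nix expression via `mainDisk = \"$disk\"` and ends up as `boot.loader.grub.device` and the disko target, so a mistyped or malformed argument is only caught once disko is already operating on it; a guard right after the assignment, `case $disk in /dev/*) ;; *) echo "usage: $0 /dev/diskX" >&2; exit 1;; esac`, fails early and keeps quote characters out of the generated Nix string. `ssh root@localhost -t -- $(nix-build …)` depends on the unquoted substitution expanding to exactly one store path, which holds for `--no-out-link` single-output builds but is worth a one-line comment since `set -f` is what prevents the expansion from globbing.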
@@ -13,21 +26,9 @@ boot.loader.grub.enable = true; boot.loader.grub.efiSupport = true; - boot.loader.grub.device = "/dev/disk/by-id/usb-General_USB_Flash_Disk_0374116060006128-0:0"; + boot.loader.grub.device = config.mainDisk; boot.loader.grub.efiInstallAsRemovable = true; - fileSystems."/" = - { device = "/dev/disk/by-uuid/6db29cdd-ff64-496d-b541-5f1616665dc2"; - fsType = "ext4"; - }; - - boot.initrd.luks.devices."usb_nix".device = "/dev/disk/by-uuid/3c8ab3af-57fb-4564-9e27-b2766404f5d4"; - - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/2B9E-5131"; - fsType = "vfat"; - }; - swapDevices = [ ]; nix.maxJobs = lib.mkDefault 4; -- cgit v1.2.3 From ab06eab6af32e794882687a25746a35a66ef481d Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 26 Jan 2023 16:15:35 +0100 Subject: l ubik.r: init on neoprism.r --- kartei/lass/ubik.nix | 38 ++++++++++++++++++++++++++++++++++++++ lass/1systems/neoprism/config.nix | 1 + lass/1systems/ubik/config.nix | 33 +++++++++++++++++++++++++++++++++ lass/1systems/ubik/physical.nix | 7 +++++++ lass/2configs/ubik-host.nix | 26 ++++++++++++++++++++++++++ 5 files changed, 105 insertions(+) create mode 100644 kartei/lass/ubik.nix create mode 100644 lass/1systems/ubik/config.nix create mode 100644 lass/1systems/ubik/physical.nix create mode 100644 lass/2configs/ubik-host.nix diff --git a/kartei/lass/ubik.nix b/kartei/lass/ubik.nix new file mode 100644 index 000000000..94a4a8b05 --- /dev/null +++ b/kartei/lass/ubik.nix 
@@ -0,0 +1,38 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.12"; + ip6.addr = r6 "0b1c"; + aliases = [ + "ubik.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAnWJKDrDmmGZbwVeaBhvOdTR4nsumo1yzOR2Iu+SMTOH6fbgJM5cW + WtlgPhrdOMrBYR956SBiBNkvsdczRrOF7F6hvXyDwwoGdWGsZXzaTMJlNAYjP5Y4 + fbJlDq8/QV/SvVFGeu4XP3g2yuU/aNu/4FkU4jlysX+8wo9qGpIFPLpLvqfuU247 + jHCatNzHfLK60fx7yt57iDhuX2plyFfQVX7xPTxudfGZKD7rEDEnKX4Ghd5dUkOA + z0lr0B1AOrkZgrnajU0ZmkjnNy8lrylCWDOnEPhJdao53gL4XFmUcZaR4uFsWuS7 + V1VM+VivuMTAXRUnJScyLap2mo6dcr9h11kas70c/R7tI2pGmxlNk9t2uYy/jQnC + WmyzNCcqpPSfKikx5sRVAVIuv2wtAKYDuZg+1D4YEfeklA0+ZZlHO43NnRnIoKeO + Za0SNUE6vtd/EPoiifMkOWtHaO0LppgOxMTk8OgUxR6dcTmbuL0Roz3aY0rSW3EG + +li3yjS3YAtMtvhQwuqooVrkBFrcGQLjTnAfCeUHbCjZidGAHnqhESA+Aj+LKx32 + 0ALQY439xAs6Vf3rICs93cO4Yxa8W1F5sHE6ANOGU+jCmSkCWI2hdHGbckD3L0AQ + NBJ+jyXm0kFfVgqRS2i17JPz2ZZxhAHw3KH13Ef1KI4tMdzCvFSayW0CAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "BcbZOID7dipWNH0/uowqCF7Ivqm4QktMoz11Yv249tG"; + }; + wiregrill = { + ip6.addr = w6 "0b1c"; + aliases = [ + "ubik.w" + ]; + wireguard.pubkey = '' + JakWwg7Rq76jjzLFWPBQJPpzRHbIEbb46VLsSUOKI2I= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHlqW8zqJpjbva0NTty9Ex7R/Jk2emDxHJNpaM3WPt5L"; +} diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index 8e5a60c36..dc2702e6a 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -9,6 +9,7 @@ + # other containers diff --git a/lass/1systems/ubik/config.nix b/lass/1systems/ubik/config.nix new file mode 100644 index 000000000..1d1d32f3f --- /dev/null +++ b/lass/1systems/ubik/config.nix 
@@ -0,0 +1,33 @@ +with import ; +{ config, lib, pkgs, ... }: +{ + imports = [ + + + + ]; + + krebs.build.host = config.krebs.hosts.ubik; + + lass.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBFGMjH0+Dco6DVFZbByENMci8CFTLXCL7j53yctPnM"; + }; + + networking.firewall.allowedTCPPorts = [ 80 ]; + services.nextcloud = { + enable = true; + hostName = "c.apanowicz.de"; + package = pkgs.nextcloud25; + config.adminpassFile = "/run/nextcloud.pw"; + https = true; + }; + systemd.services.nextcloud-setup.serviceConfig.ExecStartPre = [ + "+${pkgs.writeDash "copy-pw" '' + ${pkgs.rsync}/bin/rsync \ + --chown nextcloud:nextcloud \ + --chmod 0700 \ + /var/src/secrets/nextcloud.pw /run/nextcloud.pw + ''}" + ]; +} diff --git a/lass/1systems/ubik/physical.nix b/lass/1systems/ubik/physical.nix new file mode 100644 index 000000000..8577daf34 --- /dev/null +++ b/lass/1systems/ubik/physical.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = true; +} diff --git a/lass/2configs/ubik-host.nix b/lass/2configs/ubik-host.nix new file mode 100644 index 000000000..874d4ecb8 --- /dev/null +++ b/lass/2configs/ubik-host.nix @@ -0,0 +1,26 @@ +{ config, pkgs, ... }: +{ + lass.sync-containers3.containers.ubik = { + sshKey = "${toString }/ubik.sync.key"; + }; + containers.ubik.bindMounts."/var/lib" = { + hostPath = "/var/lib/sync-containers3/ubik/state"; + isReadOnly = false; + }; + containers.ubik.bindMounts."/var/lib/nextcloud/data" = { + hostPath = "/var/ubik"; + isReadOnly = false; + }; + services.nginx.virtualHosts."c.apanowicz.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://ubik.r"; + extraConfig = '' + client_max_body_size 9001M; + ''; + }; + }; +} -- cgit v1.2.3 From 30599f5f60c87969180ce49a702a47b272ff1c20 Mon Sep 17 00:00:00 2001 
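Review bot: The `copy-pw` ExecStartPre uses `--chmod 0700` on a regular file, which sets the execute bit on a password file; `--chmod 0600` is the mode a secret file needs. The `+` prefix is what lets the copy read `/var/src/secrets/nextcloud.pw` with full privileges before the unit itself (which the `--chown nextcloud:nextcloud` suggests runs unprivileged) reads `/run/nextcloud.pw`, and that is non-obvious enough for a comment on the line, `# '+' runs this step as root so it can read the secret from /var/src`. `https = true` together with `allowedTCPPorts = [ 80 ]` means nextcloud emits https URLs while the container only speaks plain HTTP, so it relies on the host's nginx in ubik-host.nix terminating TLS and forwarding the scheme; naming that dependency in a comment next to `https = true` helps the next reader.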
From: lassulus Date: Thu, 26 Jan 2023 16:15:49 +0100 Subject: l neoprism.r: add nginx with acme --- lass/1systems/neoprism/config.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index dc2702e6a..7f6be782e 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -16,4 +16,9 @@ ]; krebs.build.host = config.krebs.hosts.neoprism; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + services.nginx.enable = true; + security.acme.acceptTerms = true; + security.acme.defaults.email = "acme@lassul.us"; } -- cgit v1.2.3 From f10b0ca342af20cdd1f4f25bd47e6f21a115a300 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 26 Jan 2023 20:03:58 +0100 Subject: l gg23: disable link local on wan --- lass/2configs/gg23.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix index 1af2fa226..b35b0cb85 100644 --- a/lass/2configs/gg23.nix +++ b/lass/2configs/gg23.nix @@ -12,9 +12,9 @@ with import ; linkConfig = { RequiredForOnline = "routable"; }; - # networkConfig = { - # LinkLocalAddressing = "no"; - # }; + networkConfig = { + LinkLocalAddressing = "no"; + }; # dhcpV6Config = { # PrefixDelegationHint = "::/60"; # }; -- cgit v1.2.3 From 34360eb931e89b09512091fe819fb59568852441 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 26 Jan 2023 23:46:51 +0100 Subject: l hilum.r: pass luks passphrase in flash script --- lass/1systems/hilum/disk.nix | 4 ++-- lass/1systems/hilum/flash-stick.sh | 14 ++++++++++++-- lass/1systems/hilum/physical.nix | 7 +++++++ 3 files changed, 21 insertions(+), 4 deletions(-) mode change 100644 => 100755 lass/1systems/hilum/flash-stick.sh diff --git a/lass/1systems/hilum/disk.nix b/lass/1systems/hilum/disk.nix index 4a7253bab..926401648 100644 --- a/lass/1systems/hilum/disk.nix +++ b/lass/1systems/hilum/disk.nix 
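Review bot: `services.nginx.enable = true;` comes without `services.nginx.recommendedTlsSettings = true;`, so the ACME-backed `forceSSL` vhosts this host now serves (ubik-host.nix in the same series) run with nginx's default TLS protocol and cipher configuration; enabling the recommended TLS settings here, alongside `services.nginx.recommendedProxySettings = true;` which the ubik vhost sets only per location, is the usual pairing. A comment on the firewall line, `# 80 for ACME http-01 challenges, 443 for the proxied vhosts`, makes the reason for opening both explicit.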
@@ -1,4 +1,4 @@ -{ lib, disk, ... }: +{ lib, disk, keyFile, ... }: { disk = { main = { @@ -37,7 +37,7 @@ content = { type = "luks"; name = "hilum_luks"; - # keyFile = "/tmp/secret.key"; + keyFile = keyFile; content = { type = "filesystem"; format = "xfs"; diff --git a/lass/1systems/hilum/flash-stick.sh b/lass/1systems/hilum/flash-stick.sh old mode 100644 new mode 100755 index 7b787f92a..17a5fc580 --- a/lass/1systems/hilum/flash-stick.sh +++ b/lass/1systems/hilum/flash-stick.sh @@ -4,14 +4,24 @@ set -efux disk=$1 export NIXPKGS_ALLOW_UNFREE=1 +(umask 077; pass show admin/hilum/luks > /tmp/hilum.luks) +trap 'rm -f /tmp/hilum.luks' EXIT stockholm_root=$(git rev-parse --show-toplevel) ssh root@localhost -t -- $(nix-build \ --no-out-link \ -I nixpkgs=/var/src/nixpkgs \ -I stockholm="$stockholm_root" \ -I secrets="$stockholm_root"/lass/2configs/tests/dummy-secrets \ - -E "with import {}; (pkgs.nixos [ { mainDisk = \"$disk\"; disko.rootMountPoint = \"/mnt/hilum\"; } ./physical.nix ]).mountScript" + -E "with import {}; (pkgs.nixos [ + { + luksPassFile = \"/tmp/hilum.luks\"; + mainDisk = \"$disk\"; + disko.rootMountPoint = \"/mnt/hilum\"; + } + ./physical.nix + ]).disko" ) +rm -f /tmp/hilum.luks $(nix-build \ --no-out-link \ -I nixpkgs=/var/src/nixpkgs \ @@ -21,7 +31,7 @@ $(nix-build \ --arg force true ) ssh root@localhost << SSH -nixos-install --no-root-password --root /mnt/hilum -I /var/src +NIXOS_CONFIG=/mnt/hilum/var/src/nixos-config nixos-install --no-root-password --root /mnt/hilum -I /var/src nixos-enter --root /mnt/hilum -- nixos-rebuild -I /var/src switch --install-bootloader umount -Rv /mnt/hilum SSH diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix index e6860a496..f97873aa9 100644 --- a/lass/1systems/hilum/physical.nix +++ b/lass/1systems/hilum/physical.nix 
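Review bot: The passphrase is written to the fixed path `/tmp/hilum.luks` in a shared directory, so a file or symlink left at that name by another local user is followed by the `>` redirect regardless of the `umask 077` subshell; `mktemp` gives a private, unpredictable file whose path can still be interpolated into the Nix expression. Separately, `pass show` terminates its output with a newline and, if disko hands this file to `cryptsetup luksFormat --key-file`, the newline becomes part of the key, so typing the same passphrase at the boot prompt later would not unlock the volume — strip it before writing, and fail if the file ends up empty since dash's `set -e` does not cover a failed left-hand side of the pipeline. The explicit `rm -f /tmp/hilum.luks` after the disko step duplicates the EXIT trap but is harmless.
```shell
passfile=$(mktemp)
trap 'rm -f "$passfile"' EXIT
# cryptsetup reads a key file verbatim, so drop pass's trailing newline
pass show admin/hilum/luks | head -n 1 | tr -d '\n' > "$passfile"
test -s "$passfile"  # abort before formatting if pass returned nothing
# … unchanged: stockholm_root and the nix-build -I arguments …
      luksPassFile = \"$passfile\";
# … unchanged: rest of the nixos expression and the disko call …
rm -f "$passfile"
```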
@@ -12,11 +12,18 @@ }; config.environment.etc.hilum-disk.text = config.mainDisk; } + { + options.luksPassFile = lib.mkOption { + type = lib.types.nullOr lib.types.str; + default = null; + }; + } ]; disko.devices = import ./disk.nix { inherit lib; disk = config.mainDisk; + keyFile = config.luksPassFile; }; boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ]; -- cgit v1.2.3 From d0b3d234e57c3960ee278c5e29feef448f958c4a Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 26 Jan 2023 23:47:07 +0100 Subject: l hilum.r: introduce tryFile --- lass/1systems/hilum/physical.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/lass/1systems/hilum/physical.nix b/lass/1systems/hilum/physical.nix index f97873aa9..6f160062d 100644 --- a/lass/1systems/hilum/physical.nix +++ b/lass/1systems/hilum/physical.nix @@ -6,9 +6,16 @@ { # nice hack to carry around state passed impurely at the beginning - options.mainDisk = lib.mkOption { + options.mainDisk = let + tryFile = path: default: + if lib.elem (builtins.baseNameOf path) (lib.attrNames (builtins.readDir (builtins.dirOf path))) then + builtins.readFile path + else + default + ; + in lib.mkOption { type = lib.types.str; - default = builtins.readFile "/etc/hilum-disk"; + default = tryFile "/etc/hilum-disk" "/dev/sdz"; }; config.environment.etc.hilum-disk.text = config.mainDisk; } -- cgit v1.2.3 From 4b2b7add164158119729e60078e0d7c03107dbf8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Jan 2023 21:27:26 +0100 Subject: l mail: create dirs on first use, minor issues --- lass/2configs/mail.nix | 57 ++++++++++++++++++++++++++++++++------------------ 1 file changed, 37 insertions(+), 20 deletions(-) diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index b874695a8..098982892 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -1,5 +1,4 @@ -with import ; -{ pkgs, ... }: +{ config, lib, pkgs, ... }: let 
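Review bot: `tryFile` reimplements an existence check by listing the parent directory with `builtins.readDir` and searching it with `lib.elem`; `builtins.pathExists` does the same in one call without enumerating all of /etc during evaluation: `tryFile = path: default: if builtins.pathExists path then builtins.readFile path else default;`. The `"/dev/sdz"` fallback looks like a deliberate sentinel so that an evaluation without `/etc/hilum-disk` never points grub at a real disk, which is worth stating on the line: `default = tryFile "/etc/hilum-disk" "/dev/sdz"; # sentinel, never a real device`.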
@@ -14,7 +13,6 @@ let port 465 tls on tls_starttls off - tls_fingerprint 9C:82:3B:0F:31:CE:1B:8E:96:00:CC:C9:FF:E7:BE:66:95:92:4F:22:DD:D6:2E:0E:1D:90:76:BE:8E:9E:8E:16 auth on user lassulus passwordeval pass show c-base/pass @@ -24,11 +22,12 @@ let notmuch-config = pkgs.writeText "notmuch-config" '' [database] path=/home/lass/Maildir + mail_root=/home/lass/Maildir [user] name=lassulus primary_email=lassulus@lassul.us - other_email=lass@mors.r;${concatStringsSep ";" (flatten (attrValues mailboxes))} + other_email=lass@mors.r;${lib.concatStringsSep ";" (lib.flatten (lib.attrValues mailboxes))} [new] tags=unread;inbox; 
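Review bot: Removing `tls_fingerprint 9C:82:…` from the msmtp account drops certificate pinning for the `tls on` connection, so verification now rests on whatever `tls_trust_file` is in effect, and no such line is visible in this hunk; older msmtp releases refuse to connect in that state while recent ones fall back to the system store, so stating the intent explicitly with `tls_trust_file system` right after `tls_starttls off` avoids depending on the default. If the pin was dropped because the server's certificate rotated, a comment saying so keeps someone from re-pinning a stale value later.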
@@ -93,11 +92,37 @@ let tag-new-mails = pkgs.writeDashBin "nm-tag-init" '' ${pkgs.notmuch}/bin/notmuch new - ${concatMapStringsSep "\n" (i: ''${pkgs.notmuch}/bin/notmuch tag -inbox +${i.name} -- tag:inbox ${concatMapStringsSep " or " (f: "${f}") i.value}'') (mapAttrsToList nameValuePair mailboxes)} + ${lib.concatMapStringsSep "\n" (i: '' + '') (lib.mapAttrsToList lib.nameValuePair mailboxes)} + ${lib.concatMapStringsSep "\n" (i: '' + mkdir -p "$HOME/Maildir/.${i.name}/cur" + for mail in $(${pkgs.notmuch}/bin/notmuch search --output=files 'tag:inbox and (${lib.concatMapStringsSep " or " (f: "${f}") i.value})'); do + if test -e "$mail"; then + mv "$mail" "$HOME/Maildir/.${i.name}/cur/" + else + echo "$mail does not exist" + fi + done + ${pkgs.notmuch}/bin/notmuch tag -inbox +${i.name} -- tag:inbox ${lib.concatMapStringsSep " or " (f: "${f}") i.value} + '') (lib.mapAttrsToList lib.nameValuePair mailboxes)} + ${pkgs.notmuch}/bin/notmuch new + ${pkgs.notmuch}/bin/notmuch dump > "$HOME/Maildir/notmuch.backup" ''; tag-old-mails = pkgs.writeDashBin "nm-tag-old" '' - ${concatMapStringsSep "\n" (i: ''${pkgs.notmuch}/bin/notmuch tag -inbox -archive +${i.name} -- ${concatMapStringsSep " or " (f: "${f}") i.value}'') (mapAttrsToList nameValuePair mailboxes)} + set -efux + ${lib.concatMapStringsSep "\n" (i: '' + ${pkgs.notmuch}/bin/notmuch tag -inbox -archive +${i.name} -- ${lib.concatMapStringsSep " or " (f: "${f}") i.value} + mkdir -p "$HOME/Maildir/.${i.name}/cur" + for mail in $(${pkgs.notmuch}/bin/notmuch search --output=files ${lib.concatMapStringsSep " or " (f: "${f}") i.value}); do + if test -e "$mail"; then + mv "$mail" "$HOME/Maildir/.${i.name}/cur/" + else + echo "$mail does not exist" + fi + done + '') (lib.mapAttrsToList lib.nameValuePair mailboxes)} + ${pkgs.notmuch}/bin/notmuch new --no-hooks ''; muttrc = pkgs.writeText "muttrc" '' 
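Review bot: The first `${lib.concatMapStringsSep "\n" (i: '' '') (lib.mapAttrsToList lib.nameValuePair mailboxes)}` in `nm-tag-init` has an empty body and only emits blank lines into the generated script, apparently a leftover of the rewrite; deleting it keeps the output readable. Both new `for mail in $(${pkgs.notmuch}/bin/notmuch search --output=files …)` loops word-split file names on whitespace and glob them, and the same loop appears in the `nm-tag-old` part of this hunk; `--format=text0` piped into `xargs -0` (with the `test -e` check moved into the per-file command) handles arbitrary names. `nm-tag-init` also lacks the `set -efux` that `nm-tag-old` gains here, so a failing `notmuch new` or `mv` in it is silently continued past.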
@@ -110,17 +135,6 @@ let set crypt_verify_sig = yes set pgp_verify_command = "gpg --no-verbose --batch --output - --verify %s %f" - macro index \Cv \ - " set my_crypt_verify_sig=\$crypt_verify_sig \ - set crypt_verify_sig=yes \ - set crypt_verify_sig=\$my_crypt_verify_sig" \ - 'Verify PGP signature and open the message' - - macro pager \Cv \ - " set my_crypt_verify_sig=\$crypt_verify_sig \ - set crypt_verify_sig=yes \ - set crypt_verify_sig=\$my_crypt_verify_sig" \ - 'Verify PGP signature' # read html mails auto_view text/html @@ -138,8 +152,8 @@ let set sendmail="${msmtp}/bin/msmtp" # enables parsing of outgoing mail set from="lassulus@lassul.us" alternates ^.*@lassul\.us$ ^.*@.*\.r$ - set use_from=yes - set envelope_from=yes + unset envelope_from_address + set use_envelope_from set reverse_name set sort=threads @@ -148,7 +162,7 @@ let virtual-mailboxes "Unread" "notmuch://?query=tag:unread" virtual-mailboxes "INBOX" "notmuch://?query=tag:inbox" - ${concatMapStringsSep "\n" (i: ''${" "}virtual-mailboxes "${i.name}" "notmuch://?query=tag:${i.name}"'') (mapAttrsToList nameValuePair mailboxes)} + ${lib.concatMapStringsSep "\n" (i: ''${" "}virtual-mailboxes "${i.name}" "notmuch://?query=tag:${i.name}"'') (lib.mapAttrsToList lib.nameValuePair mailboxes)} virtual-mailboxes "TODO" "notmuch://?query=tag:TODO" virtual-mailboxes "Starred" "notmuch://?query=tag:*" virtual-mailboxes "Archive" "notmuch://?query=tag:archive" @@ -213,6 +227,9 @@ let macro pager ,@3 " set pager_index_lines=7; macro pager ] ,@1 'Toggle indexbar" macro pager ] ,@1 'Toggle indexbar + # urlview + macro pager \cb '${pkgs.urlview}/bin/urlview' 'Follow links with urlview' + # sidebar set sidebar_divider_char = '│' set sidebar_delim_chars = "/" -- cgit v1.2.3 From 23f4065929de6c0438647725220915b7cdf6700b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Jan 2023 21:27:42 +0100 Subject: l mail: add muchsync keybinding --- lass/2configs/mail.nix | 9 +++++++++ 1 file changed, 9 insertions(+) 
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 098982892..f5b2e22b7 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -180,6 +180,15 @@ let macro index + "+*\n" # tag as starred macro index - "-*\n" # tag as unstarred + # muchsync + bind index \Cr noop + macro index \Cr \ + "unset wait_key \ + ${pkgs.writeDash "muchsync" '' + set -efu + ${pkgs.muchsync}/bin/muchsync -F lass@green.r + ''} \ + 'run muchsync to green.r' #killed bind index d noop -- cgit v1.2.3 From f33b7b1c800604fc08237176c05cd9d64a5cd9aa Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Jan 2023 21:39:44 +0100 Subject: l xmonad: paste on shift+f12 --- lass/2configs/xmonad.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lass/2configs/xmonad.nix b/lass/2configs/xmonad.nix index 8784da379..edede2995 100644 --- a/lass/2configs/xmonad.nix +++ b/lass/2configs/xmonad.nix @@ -53,6 +53,7 @@ import XMonad.Util.EZConfig (additionalKeysP) import XMonad.Util.NamedWindows (getName) import XMonad.Util.Run (safeSpawn) import XMonad.Util.Ungrab (unGrab) +import XMonad.Util.Paste (pasteSelection) data LibNotifyUrgencyHook = LibNotifyUrgencyHook deriving (Read, Show) @@ -177,13 +178,13 @@ myKeyMap = , ("M4-", spawn "${pkgs.redshift}/bin/redshift -x") , ("M4-", spawn "${config.lass.screenlock.command}") - , ("M4-", spawn "${pkgs.systemd}/bin/systemctl suspend -i") , ("M4-u", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter") , ("M4-y", spawn "/run/current-system/sw/bin/switch-theme toggle") , ("M4-s", spawn "${pkgs.knav}/bin/knav") , ("M4-i", spawn "/run/current-system/sw/bin/screenshot") + , ("S-", pasteSelection) --, ("M4-w", screenWorkspace 0 >>= (windows . W.greedyView)) --, ("M4-e", screenWorkspace 1 >>= (windows . W.greedyView)) -- cgit v1.2.3 From aab4b1ce8cbcdd9f31292650e42baab83757764e Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sat, 28 Jan 2023 21:40:32 +0100 Subject: l xmonad: brain is now in pass, emotiocons -> unimenu --- lass/2configs/xmonad.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lass/2configs/xmonad.nix b/lass/2configs/xmonad.nix index edede2995..8fdfeb3f4 100644 --- a/lass/2configs/xmonad.nix +++ b/lass/2configs/xmonad.nix @@ -106,11 +106,9 @@ floatHooks = composeAll myKeyMap :: [([Char], X ())] myKeyMap = - [ ("M4-C-p", forkFile "${pkgs.scrot}/bin/scrot" [ "~/public_html/scrot.png" ] Nothing ) - , ("M4-p", forkFile "${pkgs.pass}/bin/passmenu" [ "--type" ] Nothing) + [ ("M4-p", forkFile "${pkgs.pass}/bin/passmenu" [ "--type" ] Nothing) , ("M4-S-p", forkFile "${pkgs.otpmenu}/bin/otpmenu" [] Nothing) - , ("M4-o", forkFile "${pkgs.brain}/bin/brainmenu --type" [] Nothing) - , ("M4-z", forkFile "${pkgs.emot-menu}/bin/emoticons" [] Nothing) + , ("M4-z", forkFile "${pkgs.unimenu}/bin/unimenu" [] Nothing) , ("M4-S-q", restart "xmonad" True) -- cgit v1.2.3 From 201bb10881ce51a170c4c33be560b48d05a661fe Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 28 Jan 2023 21:40:47 +0100 Subject: l xmonad: knav -> warpd --- lass/2configs/xmonad.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/xmonad.nix b/lass/2configs/xmonad.nix index 8fdfeb3f4..b506e026d 100644 --- a/lass/2configs/xmonad.nix +++ b/lass/2configs/xmonad.nix @@ -180,7 +180,7 @@ myKeyMap = , ("M4-u", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter") , ("M4-y", spawn "/run/current-system/sw/bin/switch-theme toggle") - , ("M4-s", spawn "${pkgs.knav}/bin/knav") + ${lib.optionalString (builtins.hasAttr "warpd" pkgs) '', ("M4-s", spawn "${pkgs.warpd}/bin/warpd --hint")''} , ("M4-i", spawn "/run/current-system/sw/bin/screenshot") , ("S-", pasteSelection) -- cgit v1.2.3 From e01e296e5d34aa74a4d6edf8203b3dd015a94112 Mon Sep 17 00:00:00 2001 
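Review bot: The `lib.optionalString (builtins.hasAttr "warpd" pkgs)` guard around the `M4-s` binding silently drops the key on a nixpkgs without `warpd`, which is easy to miss when the binding simply stops working. A Haskell comment above the generated line, e.g. `-- M4-s is omitted when pkgs has no warpd`, makes the conditional visible in the rendered config, and `pkgs ? warpd` is the idiomatic spelling of the attribute test.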
From: lassulus Date: Sat, 28 Jan 2023 21:52:52 +0100 Subject: l: init pkgs.unimenu --- lass/5pkgs/unimenu/default.nix | 91 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 lass/5pkgs/unimenu/default.nix diff --git a/lass/5pkgs/unimenu/default.nix b/lass/5pkgs/unimenu/default.nix new file mode 100644 index 000000000..d452195fc --- /dev/null +++ b/lass/5pkgs/unimenu/default.nix 
@@ -0,0 +1,91 @@ +{ + lib, + runCommand, + fetchurl, + writeText, + writers, + coreutils, + dmenu, + gnused, + libnotify, + xclip, + xdotool, + gawk, +}: let + unicode-file = runCommand "unicode.txt" {} '' + ${ + writers.writePython3 "generate.py" {flakeIgnore = ["E501" "E722"];} '' + import csv + + with open("${ + fetchurl { + url = "https://unicode.org/Public/UCD/latest/ucd/UnicodeData.txt"; + sha256 = "sha256-NgGOaGV/3LNIX2NmMP/oyFMuAcl3cD0oA/W4nWxf6vs="; + } + }", "r") as unicode_data: + reader = csv.reader(unicode_data, delimiter=";") + next(reader) # skip first row containing \0 + for row in reader: + codepoint = row[0] + name = row[1] + alternate_name = row[10] + try: + print(chr(int(codepoint, 16)), codepoint, name, alternate_name, sep=" ") + except: + continue + '' + } > $out + ''; + kaomoji-file = writeText "kaomoji.txt" '' + ¯\(°_o)/¯ dunno lol shrug dlol + ¯\_(ツ)_/¯ dunno lol shrug dlol + ( ͡° ͜ʖ ͡°) lenny + ¯\_( ͡° ͜ʖ ͡°)_/¯ lenny shrug dlol + ( ゚д゚) aaah sad noo + ヽ(^o^)丿 hi yay hello + (^o^: ups hehe + (^∇^) yay + ┗(`皿´)┛ angry argh + ヾ(^_^) byebye!! bye + <(^.^<) <(^.^)> (>^.^)> (7^.^)7 (>^.^<) dance + (-.-)Zzz... 
sleep + (∩╹□╹∩) oh noes woot + (╯°□°)╯ ┻━┻ table flip + (」゜ロ゜)」 why woot + (_゜_゜_) gloom I see you + ༼ ༎ຶ ෴ ༎ຶ༽ sad + (\/) (°,,,,°) (\/) krebs + ┳━┳ ヽ(ಠل͜ಠ)ノ putting table back + ┻━┻︵ \(°□°)/ ︵ ┻━┻ flip all dem tablez + (`・ω・´) bear look + ᕦ(ຈل͜ຈ)ᕤ strong flex muscle bicep + ᕦ(ò_óˇ)ᕤ strong flex muscle bicep + (๑>ᴗ<๑) excite + (∩ ` -´)⊃━━☆゚.*・。゚ wizard spell magic + ◕ ◡ ◕ puss in boots big eye + ≋≋≋≋≋̯̫⌧̯̫(ˆ•̮ ̮•ˆ) nyan cat + ʕ•ᴥ•ʔ bear + (ԾɷԾ) adventure time + (⁀ᗢ⁀) happy yay + (≧◡≦) happy yay + \(º □ º )/ panic + 𓂺 penis + 𓂸 penis + ''; +in + # ref https://github.com/LukeSmithxyz/voidrice/blob/9fe6802122f6e0392c7fe20eefd30437771d7f8e/.local/bin/dmenuunicode + writers.writeDashBin "unimenu" '' + history_file=$HOME/.cache/unimenu + PATH=${lib.makeBinPath [coreutils dmenu gnused libnotify xclip xdotool]} + chosen=$(cat "$history_file" ${kaomoji-file} ${unicode-file} | dmenu -p unicode -i -l 10 | tee --append "$history_file" | sed "s/ .*//") + + [ "$chosen" != "" ] || exit + + echo "$chosen" | tr -d '\n' | xclip -selection clipboard + + if [ -n "$1" ]; then + xdotool key Shift+Insert + else + notify-send --app-name="$(basename "$0")" "'$chosen' copied to clipboard." & + fi + '' -- cgit v1.2.3 From 2adf9ebfcc9ba12c75eb812843c4daa32d5f07d4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2023 00:27:34 +0100 Subject: l aergia.r: finetune hardware --- lass/1systems/aergia/physical.nix | 40 +++++++++++++++++++++++++++++++++++---- 1 file changed, 36 insertions(+), 4 deletions(-) diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 800202396..df310e578 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix 
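Review bot: `sed "s/ .*//"` keeps only the text up to the first space of the selected line, so kaomoji entries that themselves contain spaces (`( ͡° ͜ʖ ͡°) lenny`, `(╯°□°)╯ ┻━┻ table flip`, `◕ ◡ ◕ puss in boots big eye`) would be cut down to their first token, assuming those are plain spaces rather than a separator lost in rendering; a separator that cannot occur in a glyph (a tab, written by the generator with `sep="\t"` and in `kaomoji.txt`, matched by `sed "s/\t.*//"`) avoids this. The generator fetches `ucd/latest/UnicodeData.txt`, a URL whose content changes with every Unicode release while the `sha256` pins one snapshot, so the build breaks on the next release; a versioned path (`Public/<UNICODE-VERSION>/ucd/UnicodeData.txt`) is stable. The bare `except: continue` (E722 is ignored for it) also hides any error other than the intended invalid-code-point case; `except ValueError: continue` is the narrow form, since `int(…, 16)`, `chr()` and the encoding failure on a lone surrogate all raise it.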
@@ -15,10 +15,20 @@ efiInstallAsRemovable = true; }; + boot.kernelPackages = pkgs.linuxPackages_latest; + + boot.kernelParams = [ + # Enable energy savings during sleep + "mem_sleep_default=deep" + "initcall_blacklist=acpi_cpufreq_init" + + # for ryzenadj -i + "iomem=relaxed" + ]; # Enables the amd cpu scaling https://www.kernel.org/doc/html/latest/admin-guide/pm/amd-pstate.html # On recent AMD CPUs this can be more energy efficient. - boot.kernelModules = [ "kvm-amd" ]; + boot.kernelModules = [ "amd-pstate" "kvm-amd" ]; # hardware.cpu.amd.updateMicrocode = true; @@ -28,13 +38,35 @@ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ]; - services.logind.lidSwitch = "ignore"; - services.logind.lidSwitchDocked = "ignore"; - environment.systemPackages = [ + pkgs.vulkan-tools pkgs.ryzenadj + (pkgs.writers.writeDashBin "set_tdp" '' + set -efux + watt=$1 + value=$(( $watt * 1000 )) + ${pkgs.ryzenadj}/bin/ryzenadj --stapm-limit="$value" --fast-limit="$value" --slow-limit="$value" + '') ]; # textsize services.xserver.dpi = 200; + hardware.video.hidpi.enable = lib.mkDefault true; + + # corectrl + programs.corectrl.enable = true; + users.users.mainUser.extraGroups = [ "corectrl" ]; + + # use newer ryzenadj + nixpkgs.config.packageOverrides = super: { + ryzenadj = super.ryzenadj.overrideAttrs (old: { + version = "unstable-2023-01-15"; + src = pkgs.fetchFromGitHub { + owner = "FlyGoat"; + repo = "RyzenAdj"; + rev = "1052fb52b2c0e23ac4cd868c4e74d4a9510be57c"; # unstable on 2023-01-15 + sha256 = "sha256-/IxkbQ1XrBrBVrsR4EdV6cbrFr1m+lGwz+rYBqxYG1k="; + }; + }); + }; } -- cgit v1.2.3 From 74c3dae909b5a8080577b844ae37d6bb11690fe2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2023 15:53:18 +0100 Subject: l aergia.r: clean /tmp, add vbox --- lass/1systems/aergia/config.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lass/1systems/aergia/config.nix b/lass/1systems/aergia/config.nix index a723a6385..ed5bbcf12 100644 
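Review bot: `iomem=relaxed` disables the kernel's STRICT_DEVMEM restriction, so any root process can map arbitrary physical memory through `/dev/mem`; the comment says it is only needed for `ryzenadj -i`, so the parameter permanently widens the host's attack surface for an occasional diagnostic. If the info path is not used routinely it is worth leaving the parameter out and recording the trade-off where it is, e.g. `# "iomem=relaxed" # only for ryzenadj -i; lifts STRICT_DEVMEM, keep disabled by default`. In `set_tdp`, a missing argument fails with the `set -u` message and a non-numeric one with an arithmetic error; a usage check `[ $# -eq 1 ] || { echo "usage: set_tdp WATT" >&2; exit 1; }` gives a clearer failure.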
--- a/lass/1systems/aergia/config.nix +++ b/lass/1systems/aergia/config.nix @@ -67,4 +67,10 @@ boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + + boot.cleanTmpDir = true; + + # vbox + virtualisation.virtualbox.host.enable = true; + users.users.mainUser.extraGroups = [ "vboxusers" ]; } -- cgit v1.2.3 From 3c528d6a28f9f837db5a029e4e0c05be282a6e08 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2023 15:53:59 +0100 Subject: l aergia.r: rebind shift + f12 --- lass/1systems/aergia/physical.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index df310e578..c6b657abc 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -69,4 +69,9 @@ }; }); }; + + # keyboard quirks + services.xserver.displayManager.sessionCommands = '' + xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert + ''; } -- cgit v1.2.3 From 0c3a901a1b39369230816d4d26b814ecc22a74e1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2023 16:13:28 +0100 Subject: l aergia.r: ignore backbuttons --- lass/1systems/aergia/physical.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index c6b657abc..d6fe26ac9 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -74,4 +74,10 @@ services.xserver.displayManager.sessionCommands = '' xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert ''; + services.udev.extraHwdb = /* sh */ '' + # disable back buttons + evdev:input:b0003v2F24p0135* # /dev/input/event2 + KEYBOARD_KEY_70026=reserved + KEYBOARD_KEY_70027=reserved + ''; } -- cgit v1.2.3 From f620d8002e224e3e35cbaaf8405ce861ea4f7537 Mon Sep 17 00:00:00 2001 
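Review bot: `xmodmap` in `sessionCommands` is resolved through the session PATH rather than a store path, so the rebind silently does nothing if xmodmap is not on the user's PATH; `${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12'` pins it. The trailing `# rebind shift + F12 …` remark reads better on its own line above the command.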
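Review bot: The `/* sh */` language tag on `services.udev.extraHwdb` is misleading: the string is hwdb syntax, where the `evdev:input:b0003v2F24p0135*` match must start at column 0 and each `KEYBOARD_KEY_…` property line must be indented by exactly one space, neither of which is obvious from a shell tag. I believe hwdb does not support trailing comments on a match line, in which case `# /dev/input/event2` becomes part of the glob and the entry never matches; moving that comment to its own line above the match, next to `# disable back buttons`, removes the doubt.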
From: lassulus Date: Mon, 30 Jan 2023 16:13:47 +0100 Subject: l aergia.r: ignore power key --- lass/1systems/aergia/physical.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index d6fe26ac9..de5f7540e 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -80,4 +80,7 @@ KEYBOARD_KEY_70026=reserved KEYBOARD_KEY_70027=reserved ''; + + # ignore power key + services.logind.extraConfig = "HandlePowerKey=ignore"; } -- cgit v1.2.3 From bf4a3fe78e4814b9281b7e20d8eae2e0461fed72 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2023 20:40:25 +0100 Subject: l orange.r: init --- kartei/lass/orange.nix | 38 ++++++++++++++++++++++++++++++++++++++ lass/1systems/orange/config.nix | 21 +++++++++++++++++++++ lass/1systems/orange/physical.nix | 7 +++++++ lass/2configs/orange-host.nix | 15 +++++++++++++++ 4 files changed, 81 insertions(+) create mode 100644 kartei/lass/orange.nix create mode 100644 lass/1systems/orange/config.nix create mode 100644 lass/1systems/orange/physical.nix create mode 100644 lass/2configs/orange-host.nix diff --git a/kartei/lass/orange.nix b/kartei/lass/orange.nix new file mode 100644 index 000000000..7f656c260 --- /dev/null +++ b/kartei/lass/orange.nix 
@@ -0,0 +1,38 @@ +{ r6, w6, ... }: +{ + nets = { + retiolum = { + ip4.addr = "10.243.0.15"; + ip6.addr = r6 "012a"; + aliases = [ + "orange.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIICCgKCAgEAlnHedIf4f3/6Wfl5PSSz+7KvdIMkygp5m/U270sdPBh46MqYa8cn + OfPq40LcbWIZqAVex7mP+fK7vq8LTIr+sCKvzY46o3ZLbQQ7cCtQi02GFnSAPhVT + 4XEmPn9dX/nRmI8xQqzh5jRMpgeOKE+xY6QfgkERD9mflkJi5dGYCOVW1UUK7pHR + 7giCrUiLuQbUeIz+G7KOeIRHxU8dwD8it1Jk6KxdM3MW6HwFsuqZu0qjbBPKhTEe + fgzSTDtZEGmcQw5vA/RwjxoRvKYThbK/lLoVJItFAhUCWUJA8bJuIanwzPfOF0JO + xWkxiY3ntvn5ykbvhF6LoHE+kEfcBJzBfRFRSXV5qU5wW1FC4AQylUDrest/qXQh + DY8boUqK/hi/MlC2ciPH+DlBOi5wduWty8F0KqNzjg1IIEOk8H+z9hgBDbdJnYHH + MBjYOZ3MFpoNb2VCJTE7dlIarVdH1OOO2KkzX/GGW7wGQK94iqLHjBcGl15GcGOz + EOivq+783VOtzZGS4jd8D0OcCo725FzhuWi6KR5QTljwrd5C1gGFoAW7RCsUiveZ + 0by9aB+G2DWmSRWZsmPnnbYo6yPvp+WR2yfPu1pKwjyNsmAgTYm4bkwRIvODb6Xk + ShgawP5V8RDp+hUmr27KgJvUJnQbVeJf9SO1pT7IfNOjLwHv26iOo7UCAwEAAQ== + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "dVIOgHjuKLDJ+QB+sDjL9Pk3pXs8wKo+gemGvNG3z1H"; + }; + wiregrill = { + ip6.addr = w6 "012a"; + aliases = [ + "orange.w" + ]; + wireguard.pubkey = '' + NP8zM9+ocwsHhY9Rn6tFqIU1FR8JidqtDs7IKpl3yU8= + ''; + }; + }; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDnHnTPPwMW1Oy3DBuaT4fG5ryhWmVS9Y8Sw0ezUGuLn"; +} diff --git a/lass/1systems/orange/config.nix b/lass/1systems/orange/config.nix new file mode 100644 index 000000000..3c13ebe85 --- /dev/null +++ b/lass/1systems/orange/config.nix @@ -0,0 +1,21 @@ +with import ; +{ config, lib, pkgs, ... }: +{ + imports = [ + + + + ]; + + krebs.build.host = config.krebs.hosts.orange; + + security.acme = { + acceptTerms = true; + defaults.email = "acme@lassul.us"; + }; + + lass.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWzKuXrwQopBc1mzb2VpljmwAs7Y8bRl9a8hBXLC+l"; + }; +} 
diff --git a/lass/1systems/orange/physical.nix b/lass/1systems/orange/physical.nix new file mode 100644 index 000000000..8577daf34 --- /dev/null +++ b/lass/1systems/orange/physical.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = true; +} diff --git a/lass/2configs/orange-host.nix b/lass/2configs/orange-host.nix new file mode 100644 index 000000000..3fbf417a7 --- /dev/null +++ b/lass/2configs/orange-host.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: +{ + lass.sync-containers3.containers.orange = { + sshKey = "${toString }/orange.sync.key"; + }; + services.nginx.virtualHosts."lassul.us" = { + # enableACME = config.security; + # forceSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://orange.r"; + }; + }; +} -- cgit v1.2.3 From c7417c8bc1b50d466dae493ac3619d9f324f34f8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 30 Jan 2023 20:53:24 +0100 Subject: sync-containers3: lass -> krebs --- krebs/3modules/default.nix | 1 + krebs/3modules/sync-containers3.nix | 343 +++++++++++++++++++++++++++++++++ lass/1systems/green/config.nix | 2 +- lass/1systems/orange/config.nix | 2 +- lass/1systems/radio/config.nix | 2 +- lass/1systems/ubik/config.nix | 2 +- lass/1systems/yellow/config.nix | 2 +- lass/2configs/green-host.nix | 6 +- lass/2configs/orange-host.nix | 2 +- lass/2configs/radio/container-host.nix | 2 +- lass/2configs/red-host.nix | 2 +- lass/2configs/ubik-host.nix | 2 +- lass/2configs/yellow-host.nix | 2 +- lass/3modules/default.nix | 1 - lass/3modules/sync-containers3.nix | 343 --------------------------------- 15 files changed, 355 insertions(+), 359 deletions(-) create mode 100644 krebs/3modules/sync-containers3.nix delete mode 100644 lass/3modules/sync-containers3.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index bff7e135f..6d763afed 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix 
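Review bot: The `lassul.us` virtual host is served over plain HTTP: `enableACME` and `forceSSL` are commented out, and the leftover `# enableACME = config.security;` is not a valid value in any case. If this is intentional until the container side is ready, a one-line comment saying so, e.g. `# TLS intentionally off until orange's ACME setup is done`, keeps it from being read as an oversight; otherwise `enableACME = true; forceSSL = true;` restores HTTPS for the public name. The backend `http://orange.r` is the retiolum alias declared in kartei/lass/orange.nix, so that leg runs over the tinc mesh rather than the open internet.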
@@ -53,6 +53,7 @@ let ./sitemap.nix ./ssl.nix ./sync-containers.nix + ./sync-containers3.nix ./systemd.nix ./tinc.nix ./tinc_graphs.nix diff --git a/krebs/3modules/sync-containers3.nix b/krebs/3modules/sync-containers3.nix new file mode 100644 index 000000000..4a00b23ab --- /dev/null +++ b/krebs/3modules/sync-containers3.nix 
@@ -0,0 +1,343 @@ +{ config, lib, pkgs, ... }: let + cfg = config.krebs.sync-containers3; + slib = pkgs.stockholm.lib; +in { + options.krebs.sync-containers3 = { + inContainer = { + enable = lib.mkEnableOption "container config for syncing"; + pubkey = lib.mkOption { + type = lib.types.str; # TODO ssh key + }; + }; + containers = lib.mkOption { + default = {}; + type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: { + options = { + name = lib.mkOption { + type = lib.types.str; + default = config._module.args.name; + }; + sshKey = lib.mkOption { + type = slib.types.absolute-pathname; + }; + luksKey = lib.mkOption { + type = slib.types.absolute-pathname; + default = config.sshKey; + }; + ephemeral = lib.mkOption { + type = lib.types.bool; + default = false; + }; + runContainer = lib.mkOption { + type = lib.types.bool; + default = true; + }; + }; + })); + }; + }; + config = lib.mkMerge [ + (lib.mkIf (cfg.containers != {}) { + + containers = lib.mapAttrs' (n: ctr: lib.nameValuePair ctr.name { + config = { + environment.systemPackages = [ + pkgs.dhcpcd + pkgs.git + pkgs.jq + ]; + networking.useDHCP = lib.mkForce true; + systemd.services.autoswitch = { + environment = { + NIX_REMOTE = "daemon"; + }; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' + set -efu + mkdir -p /var/state/var_src + ln -Tfrs /var/state/var_src /var/src + if test -e /var/src/nixos-config; then + /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : + fi + ''; + unitConfig.X-StopOnRemoval = false; + }; + }; + autoStart = false; + enableTun = true; + ephemeral = ctr.ephemeral; + privateNetwork = true; + hostBridge = "ctr0"; + bindMounts = { + "/var/lib/self/disk" = { + hostPath = "/var/lib/sync-containers3/${ctr.name}/disk"; + isReadOnly = false; + }; + "/var/state" = { + hostPath = "/var/lib/sync-containers3/${ctr.name}/state"; + isReadOnly = false; + }; + }; + }) (lib.filterAttrs (_: ctr: ctr.runContainer) 
cfg.containers); + + systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [ + { "${ctr.name}_syncer" = { + path = with pkgs; [ + coreutils + consul + rsync + openssh + systemd + ]; + startAt = "*:0/1"; + serviceConfig = { + User = "${ctr.name}_container"; + LoadCredential = [ + "ssh_key:${ctr.sshKey}" + ]; + ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" '' + set -efu + ! systemctl is-active --quiet container@${ctr.name}.service + ''; + ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" '' + set -efux + consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" '' + set -efux + if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then + nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 container_sync@${ctr.name}.r:disk "$HOME"/disk + rm -f "$HOME"/incomplete + fi + ''} + ''; + }; + }; } + { "${ctr.name}_watcher" = lib.mkIf ctr.runContainer { + path = with pkgs; [ + coreutils + consul + cryptsetup + curl + mount + util-linux + jq + retry + ]; + serviceConfig = { + ExecStart = pkgs.writers.writeDash "${ctr.name}_watcher" '' + set -efux + while sleep 5; do + # get the payload + # check if the host reacted recently + case $(curl -s -o /dev/null --retry 10 --retry-delay 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in + 404) + echo 'got 404 from kv, should kill the container' + break + ;; + 500) + echo 'got 500 from kv, will kill container' + break + ;; + 200) + # echo 'got 200 from kv, will check payload' + payload=$(consul kv get containers/${ctr.name}) || continue + export payload + if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then + # echo 'we are the host, trying to reach container' + if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then + # echo 'container is reachable, continueing' + continue + else + # echo 'container seems dead, killing' + break + fi + else + echo 'we are not 
host, killing container' + break + fi + ;; + *) + echo 'unknown state, continuing' + continue + ;; + esac + done + /run/current-system/sw/bin/nixos-container stop ${ctr.name} || : + umount /var/lib/sync-containers3/${ctr.name}/state || : + cryptsetup luksClose ${ctr.name} || : + ''; + }; + }; } + { "${ctr.name}_scheduler" = lib.mkIf ctr.runContainer { + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ + coreutils + consul + cryptsetup + mount + util-linux + curl + systemd + jq + retry + bc + ]; + serviceConfig = { + Restart = "always"; + RestartSec = "30s"; + ExecStart = pkgs.writers.writeDash "${ctr.name}_scheduler" '' + set -efux + # get the payload + # check if the host reacted recently + case $(curl -s -o /dev/null --retry 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in + 404) + # echo 'got 404 from kv, will create container' + ;; + 500) + # echo 'got 500 from kv, retrying again' + exit 0 + ;; + 200) + # echo 'got 200 from kv, will check payload' + export payload=$(consul kv get containers/${ctr.name}) + if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then + echo 'we are the host, starting container' + else + # echo 'we are not host, checking timestamp' + # if [ $(echo "$(date +%s) - $(jq -rn 'env.payload | fromjson.time') > 100" | bc) -eq 1 ]; then + if [ "$(jq -rn 'env.payload | fromjson.time | now - tonumber > 100')" = 'true' ]; then + echo 'last beacon is more than 100s ago, taking over' + else + # echo 'last beacon was recent. 
trying again' + exit 0 + fi + fi + ;; + *) + echo 'unknown state, bailing out' + exit 0 + ;; + esac + consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null + consul lock -verbose -monitor-retry=100 -timeout 30s -name container_${ctr.name} container_${ctr.name} ${pkgs.writers.writeBash "${ctr.name}-start" '' + set -efu + cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} || : + mkdir -p /var/lib/sync-containers3/${ctr.name}/state + mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state + /run/current-system/sw/bin/nixos-container start ${ctr.name} + # wait for system to become reachable for the first time + systemctl start ${ctr.name}_watcher.service + retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null + while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do + consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null + sleep 10 + done + ''} + ''; + }; + }; } + { "container@${ctr.name}" = lib.mkIf ctr.runContainer { + serviceConfig = { + ExecStop = pkgs.writers.writeDash "remove_interface" '' + ${pkgs.iproute2}/bin/ip link del vb-${ctr.name} + ''; + }; + }; } + ]) (lib.attrValues cfg.containers))); + + systemd.timers = lib.mapAttrs' (n: ctr: lib.nameValuePair "${ctr.name}_syncer" { + timerConfig = { + RandomizedDelaySec = 100; + }; + }) cfg.containers; + + users.groups = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" { + }) cfg.containers; + users.users = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" ({ + group = "${ctr.name}_container"; + isNormalUser = true; + uid = slib.genid_uint31 "container_${ctr.name}"; + home = "/var/lib/sync-containers3/${ctr.name}"; + createHome = true; + homeMode = 
"705"; + })) cfg.containers; + + environment.systemPackages = lib.mapAttrsToList (_: ctr: (pkgs.writers.writeDashBin "${ctr.name}_init" '' + set -efux + export PATH=${lib.makeBinPath [ + pkgs.coreutils + pkgs.cryptsetup + pkgs.libxfs.bin + ]}:$PATH + truncate -s 5G /var/lib/sync-containers3/${ctr.name}/disk + cryptsetup luksFormat /var/lib/sync-containers3/${ctr.name}/disk ${ctr.luksKey} + cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} + mkfs.xfs /dev/mapper/${ctr.name} + mkdir -p /var/lib/sync-containers3/${ctr.name}/state + mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state + /run/current-system/sw/bin/nixos-container start ${ctr.name} + /run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "init" '' + mkdir -p /var/state + ''} + '')) cfg.containers; + }) + (lib.mkIf (cfg.containers != {}) { + # networking + + # needed because otherwise we lose local dns + environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf"; + + boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1; + systemd.network.networks.ctr0 = { + name = "ctr0"; + address = [ + "10.233.0.1/24" + ]; + networkConfig = { + # IPForward = "yes"; + # IPMasquerade = "both"; + ConfigureWithoutCarrier = true; + DHCPServer = "yes"; + }; + }; + systemd.network.netdevs.ctr0.netdevConfig = { + Kind = "bridge"; + Name = "ctr0"; + }; + networking.networkmanager.unmanaged = [ "ctr0" ]; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i ctr0"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { predicate = "-i ctr0"; target = "ACCEPT"; } + { predicate = "-o ctr0"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s 10.233.0.0/24"; target = "MASQUERADE"; } + ]; + }) + (lib.mkIf cfg.inContainer.enable { + users.groups.container_sync = 
{}; + users.users.container_sync = { + group = "container_sync"; + uid = slib.genid_uint31 "container_sync"; + isNormalUser = true; + home = "/var/lib/self"; + createHome = true; + openssh.authorizedKeys.keys = [ + cfg.inContainer.pubkey + ]; + }; + + networking.useHostResolvConf = false; + networking.useNetworkd = true; + systemd.network = { + enable = true; + networks.eth0 = { + matchConfig.Name = "eth0"; + DHCP = "yes"; + dhcpV4Config.UseDNS = true; + }; + }; + }) + ]; +} diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index cd38c3585..077f7b3fa 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -27,7 +27,7 @@ with import ; krebs.build.host = config.krebs.hosts.green; - lass.sync-containers3.inContainer = { + krebs.sync-containers3.inContainer = { enable = true; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y"; }; diff --git a/lass/1systems/orange/config.nix b/lass/1systems/orange/config.nix index 3c13ebe85..3bc20878e 100644 --- a/lass/1systems/orange/config.nix +++ b/lass/1systems/orange/config.nix @@ -14,7 +14,7 @@ with import ; defaults.email = "acme@lassul.us"; }; - lass.sync-containers3.inContainer = { + krebs.sync-containers3.inContainer = { enable = true; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQWzKuXrwQopBc1mzb2VpljmwAs7Y8bRl9a8hBXLC+l"; }; diff --git a/lass/1systems/radio/config.nix b/lass/1systems/radio/config.nix index 2fd23a448..5e34335d3 100644 --- a/lass/1systems/radio/config.nix +++ b/lass/1systems/radio/config.nix @@ -17,7 +17,7 @@ with import ; defaults.email = "acme@lassul.us"; }; - lass.sync-containers3.inContainer = { + krebs.sync-containers3.inContainer = { enable = true; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOvPKdbVwMEFCDMyNAzR8NdVjTbQL2G+03Xomxn6KKFt"; }; diff --git a/lass/1systems/ubik/config.nix b/lass/1systems/ubik/config.nix index 1d1d32f3f..1d836d4ec 100644 --- a/lass/1systems/ubik/config.nix 
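Review bot: In the `${ctr.name}-start` script, `systemctl is-active container@${ctr.name}.service >/devnull` redirects to `/devnull`, not `/dev/null`, so every loop iteration creates or truncates a file named `/devnull` in the service's working directory (systemd's default, `/`); the fix is `>/dev/null`. This file is moved verbatim from lass/3modules, so the defect predates the commit, but the move is the moment to fix it. In the watcher, `if $(retry … ping … > /dev/null); then` works only because an empty command substitution leaves the substitution's exit status; `if retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; then` states what is meant. `luksKey` defaults to `sshKey`, so a single secret file both unlocks the container's disk image and authenticates the rsync pull; if that reuse is intended it deserves a `description` on the option, because a leak of the sync key then also exposes the disk.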
+++ b/lass/1systems/ubik/config.nix @@ -9,7 +9,7 @@ with import ; krebs.build.host = config.krebs.hosts.ubik; - lass.sync-containers3.inContainer = { + krebs.sync-containers3.inContainer = { enable = true; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBFGMjH0+Dco6DVFZbByENMci8CFTLXCL7j53yctPnM"; }; diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index 73d7f3780..ff8189e24 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -9,7 +9,7 @@ in { krebs.build.host = config.krebs.hosts.yellow; - lass.sync-containers3.inContainer = { + krebs.sync-containers3.inContainer = { enable = true; pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN737BAP36KiZO97mPKTIUGJUcr97ps8zjfFag6cUiYL"; }; diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix index 1e41e8e02..66088a562 100644 --- a/lass/2configs/green-host.nix +++ b/lass/2configs/green-host.nix @@ -1,10 +1,6 @@ { config, pkgs, ... }: { - imports = [ - - ]; - - lass.sync-containers3.containers.green = { + krebs.sync-containers3.containers.green = { sshKey = "${toString }/green.sync.key"; }; } diff --git a/lass/2configs/orange-host.nix b/lass/2configs/orange-host.nix index 3fbf417a7..e4bfcff89 100644 --- a/lass/2configs/orange-host.nix +++ b/lass/2configs/orange-host.nix @@ -1,6 +1,6 @@ { config, pkgs, ... }: { - lass.sync-containers3.containers.orange = { + krebs.sync-containers3.containers.orange = { sshKey = "${toString }/orange.sync.key"; }; services.nginx.virtualHosts."lassul.us" = { diff --git a/lass/2configs/radio/container-host.nix b/lass/2configs/radio/container-host.nix index e32095ffa..de0ea9afe 100644 --- a/lass/2configs/radio/container-host.nix +++ b/lass/2configs/radio/container-host.nix @@ -1,6 +1,6 @@ { config, pkgs, ... }: { - lass.sync-containers3.containers.radio = { + krebs.sync-containers3.containers.radio = { sshKey = "${toString }/radio.sync.key"; }; containers.radio = { 
diff --git a/lass/2configs/red-host.nix b/lass/2configs/red-host.nix index cbd9c097e..171191dac 100644 --- a/lass/2configs/red-host.nix +++ b/lass/2configs/red-host.nix @@ -8,7 +8,7 @@ in ]; - lass.sync-containers3.containers.red = { + krebs.sync-containers3.containers.red = { sshKey = "${toString }/containers/red/sync.key"; ephemeral = true; }; diff --git a/lass/2configs/ubik-host.nix b/lass/2configs/ubik-host.nix index 874d4ecb8..a4ad5e55e 100644 --- a/lass/2configs/ubik-host.nix +++ b/lass/2configs/ubik-host.nix @@ -1,6 +1,6 @@ { config, pkgs, ... }: { - lass.sync-containers3.containers.ubik = { + krebs.sync-containers3.containers.ubik = { sshKey = "${toString }/ubik.sync.key"; }; containers.ubik.bindMounts."/var/lib" = { diff --git a/lass/2configs/yellow-host.nix b/lass/2configs/yellow-host.nix index d07c222c6..36027cb5d 100644 --- a/lass/2configs/yellow-host.nix +++ b/lass/2configs/yellow-host.nix @@ -1,6 +1,6 @@ { config, pkgs, ... }: { - lass.sync-containers3.containers.yellow = { + krebs.sync-containers3.containers.yellow = { sshKey = "${toString }/yellow.sync.key"; }; containers.yellow.bindMounts."/var/lib" = { diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 42efa8cd6..3a0b1306c 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -15,6 +15,5 @@ _: ./xjail.nix ./autowifi.nix ./browsers.nix - ./sync-containers3.nix ]; } diff --git a/lass/3modules/sync-containers3.nix b/lass/3modules/sync-containers3.nix deleted file mode 100644 index 5188f270d..000000000 --- a/lass/3modules/sync-containers3.nix +++ /dev/null 
@@ -1,343 +0,0 @@ -{ config, lib, pkgs, ... }: let - cfg = config.lass.sync-containers3; - slib = pkgs.stockholm.lib; -in { - options.lass.sync-containers3 = { - inContainer = { - enable = lib.mkEnableOption "container config for syncing"; - pubkey = lib.mkOption { - type = lib.types.str; # TODO ssh key - }; - }; - containers = lib.mkOption { - default = {}; - type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: { - options = { - name = lib.mkOption { - type = lib.types.str; - default = config._module.args.name; - }; - sshKey = lib.mkOption { - type = slib.types.absolute-pathname; - }; - luksKey = lib.mkOption { - type = slib.types.absolute-pathname; - default = config.sshKey; - }; - ephemeral = lib.mkOption { - type = lib.types.bool; - default = false; - }; - runContainer = lib.mkOption { - type = lib.types.bool; - default = true; - }; - }; - })); - }; - }; - config = lib.mkMerge [ - (lib.mkIf (cfg.containers != {}) { - - containers = lib.mapAttrs' (n: ctr: lib.nameValuePair ctr.name { - config = { - environment.systemPackages = [ - pkgs.dhcpcd - pkgs.git - pkgs.jq - ]; - networking.useDHCP = lib.mkForce true; - systemd.services.autoswitch = { - environment = { - NIX_REMOTE = "daemon"; - }; - wantedBy = [ "multi-user.target" ]; - serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' - set -efu - mkdir -p /var/state/var_src - ln -Tfrs /var/state/var_src /var/src - if test -e /var/src/nixos-config; then - /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : - fi - ''; - unitConfig.X-StopOnRemoval = false; - }; - }; - autoStart = false; - enableTun = true; - ephemeral = ctr.ephemeral; - privateNetwork = true; - hostBridge = "ctr0"; - bindMounts = { - "/var/lib/self/disk" = { - hostPath = "/var/lib/sync-containers3/${ctr.name}/disk"; - isReadOnly = false; - }; - "/var/state" = { - hostPath = "/var/lib/sync-containers3/${ctr.name}/state"; - isReadOnly = false; - }; - }; - }) (lib.filterAttrs (_: ctr: ctr.runContainer) cfg.containers); 
- - systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [ - { "${ctr.name}_syncer" = { - path = with pkgs; [ - coreutils - consul - rsync - openssh - systemd - ]; - startAt = "*:0/1"; - serviceConfig = { - User = "${ctr.name}_container"; - LoadCredential = [ - "ssh_key:${ctr.sshKey}" - ]; - ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" '' - set -efu - ! systemctl is-active --quiet container@${ctr.name}.service - ''; - ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" '' - set -efux - consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" '' - set -efux - if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then - nice --adjustment=30 rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --timeout=30 container_sync@${ctr.name}.r:disk "$HOME"/disk - rm -f "$HOME"/incomplete - fi - ''} - ''; - }; - }; } - { "${ctr.name}_watcher" = lib.mkIf ctr.runContainer { - path = with pkgs; [ - coreutils - consul - cryptsetup - curl - mount - util-linux - jq - retry - ]; - serviceConfig = { - ExecStart = pkgs.writers.writeDash "${ctr.name}_watcher" '' - set -efux - while sleep 5; do - # get the payload - # check if the host reacted recently - case $(curl -s -o /dev/null --retry 10 --retry-delay 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in - 404) - echo 'got 404 from kv, should kill the container' - break - ;; - 500) - echo 'got 500 from kv, will kill container' - break - ;; - 200) - # echo 'got 200 from kv, will check payload' - payload=$(consul kv get containers/${ctr.name}) || continue - export payload - if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then - # echo 'we are the host, trying to reach container' - if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then - # echo 'container is reachable, continueing' - continue - else - # echo 'container seems dead, killing' - break - fi - else - echo 'we are not host, killing 
container' - break - fi - ;; - *) - echo 'unknown state, continuing' - continue - ;; - esac - done - /run/current-system/sw/bin/nixos-container stop ${ctr.name} || : - umount /var/lib/sync-containers3/${ctr.name}/state || : - cryptsetup luksClose ${ctr.name} || : - ''; - }; - }; } - { "${ctr.name}_scheduler" = lib.mkIf ctr.runContainer { - wantedBy = [ "multi-user.target" ]; - path = with pkgs; [ - coreutils - consul - cryptsetup - mount - util-linux - curl - systemd - jq - retry - bc - ]; - serviceConfig = { - Restart = "always"; - RestartSec = "30s"; - ExecStart = pkgs.writers.writeDash "${ctr.name}_scheduler" '' - set -efux - # get the payload - # check if the host reacted recently - case $(curl -s -o /dev/null --retry 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in - 404) - # echo 'got 404 from kv, will create container' - ;; - 500) - # echo 'got 500 from kv, retrying again' - exit 0 - ;; - 200) - # echo 'got 200 from kv, will check payload' - export payload=$(consul kv get containers/${ctr.name}) - if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then - echo 'we are the host, starting container' - else - # echo 'we are not host, checking timestamp' - # if [ $(echo "$(date +%s) - $(jq -rn 'env.payload | fromjson.time') > 100" | bc) -eq 1 ]; then - if [ "$(jq -rn 'env.payload | fromjson.time | now - tonumber > 100')" = 'true' ]; then - echo 'last beacon is more than 100s ago, taking over' - else - # echo 'last beacon was recent. 
trying again' - exit 0 - fi - fi - ;; - *) - echo 'unknown state, bailing out' - exit 0 - ;; - esac - consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null - consul lock -verbose -monitor-retry=100 -timeout 30s -name container_${ctr.name} container_${ctr.name} ${pkgs.writers.writeBash "${ctr.name}-start" '' - set -efu - cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} || : - mkdir -p /var/lib/sync-containers3/${ctr.name}/state - mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state - /run/current-system/sw/bin/nixos-container start ${ctr.name} - # wait for system to become reachable for the first time - systemctl start ${ctr.name}_watcher.service - retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null - while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do - consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null - sleep 10 - done - ''} - ''; - }; - }; } - { "container@${ctr.name}" = lib.mkIf ctr.runContainer { - serviceConfig = { - ExecStop = pkgs.writers.writeDash "remove_interface" '' - ${pkgs.iproute2}/bin/ip link del vb-${ctr.name} - ''; - }; - }; } - ]) (lib.attrValues cfg.containers))); - - systemd.timers = lib.mapAttrs' (n: ctr: lib.nameValuePair "${ctr.name}_syncer" { - timerConfig = { - RandomizedDelaySec = 100; - }; - }) cfg.containers; - - users.groups = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" { - }) cfg.containers; - users.users = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" ({ - group = "${ctr.name}_container"; - isNormalUser = true; - uid = slib.genid_uint31 "container_${ctr.name}"; - home = "/var/lib/sync-containers3/${ctr.name}"; - createHome = true; - homeMode = 
"705"; - })) cfg.containers; - - environment.systemPackages = lib.mapAttrsToList (_: ctr: (pkgs.writers.writeDashBin "${ctr.name}_init" '' - set -efux - export PATH=${lib.makeBinPath [ - pkgs.coreutils - pkgs.cryptsetup - pkgs.libxfs.bin - ]}:$PATH - truncate -s 5G /var/lib/sync-containers3/${ctr.name}/disk - cryptsetup luksFormat /var/lib/sync-containers3/${ctr.name}/disk ${ctr.luksKey} - cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} - mkfs.xfs /dev/mapper/${ctr.name} - mkdir -p /var/lib/sync-containers3/${ctr.name}/state - mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state - /run/current-system/sw/bin/nixos-container start ${ctr.name} - /run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "init" '' - mkdir -p /var/state - ''} - '')) cfg.containers; - }) - (lib.mkIf (cfg.containers != {}) { - # networking - - # needed because otherwise we lose local dns - environment.etc."resolv.conf".source = lib.mkForce "/run/systemd/resolve/resolv.conf"; - - boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkForce 1; - systemd.network.networks.ctr0 = { - name = "ctr0"; - address = [ - "10.233.0.1/24" - ]; - networkConfig = { - # IPForward = "yes"; - # IPMasquerade = "both"; - ConfigureWithoutCarrier = true; - DHCPServer = "yes"; - }; - }; - systemd.network.netdevs.ctr0.netdevConfig = { - Kind = "bridge"; - Name = "ctr0"; - }; - networking.networkmanager.unmanaged = [ "ctr0" ]; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i ctr0"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { predicate = "-i ctr0"; target = "ACCEPT"; } - { predicate = "-o ctr0"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.POSTROUTING.rules = [ - { v6 = false; predicate = "-s 10.233.0.0/24"; target = "MASQUERADE"; } - ]; - }) - (lib.mkIf cfg.inContainer.enable { - users.groups.container_sync = 
{}; - users.users.container_sync = { - group = "container_sync"; - uid = slib.genid_uint31 "container_sync"; - isNormalUser = true; - home = "/var/lib/self"; - createHome = true; - openssh.authorizedKeys.keys = [ - cfg.inContainer.pubkey - ]; - }; - - networking.useHostResolvConf = false; - networking.useNetworkd = true; - systemd.network = { - enable = true; - networks.eth0 = { - matchConfig.Name = "eth0"; - DHCP = "yes"; - dhcpV4Config.UseDNS = true; - }; - }; - }) - ]; -} -- cgit v1.2.3 From b970b171420253321581241afdd8267f22ce5349 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 22 Jan 2023 19:15:11 +0100 Subject: add warez.r --- kartei/mic92/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/kartei/mic92/default.nix b/kartei/mic92/default.nix index 178cf27a2..75f5b7fc9 100644 --- a/kartei/mic92/default.nix +++ b/kartei/mic92/default.nix @@ -107,6 +107,7 @@ in { "eve.r" "tts.r" "flood.r" + "warez.r" "navidrome.r" ]; tinc.pubkey = '' -- cgit v1.2.3 From f6666bc1782c5385493fdc5e38c30bcddeb5bbd7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 31 Jan 2023 01:25:08 +0100 Subject: l mors.r: rip free music --- lass/1systems/mors/config.nix | 28 ---------------------------- 1 file changed, 28 deletions(-) diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 6d0d177ec..a3486cffa 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix 
@@ -51,34 +51,6 @@ with import ;
 { predicate = "-p udp --dport 27950:27965"; target = "ACCEPT"; }
 ];
 }
- {
- services.syncthing.declarative = {
- devices.schasch.addresses = [ "schasch.r:22000" ];
- folders = {
- the_playlist = {
- path = "/home/lass/tmp/the_playlist";
- devices = [ "mors" "phone" "prism" "xerxes" ];
- };
- free_music = {
- id = "mu9mn-zgvsw";
- path = "/home/lass/tmp/free_music";
- devices = [ "mors" "schasch" ];
- };
- };
- };
- krebs.permown = {
- "/home/lass/tmp/free_music" = {
- owner = "lass";
- group = "syncthing";
- umask = "0007";
- };
- "/home/lass/tmp/the_playlist" = {
- owner = "lass";
- group = "syncthing";
- umask = "0007";
- };
- };
- }
 {
 services.nginx = {
 enable = true;
-- cgit v1.2.3
From 982afeb68fcaa0f0832da87add3092a94ff32673 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 31 Jan 2023 19:38:14 +0100
Subject: nixpkgs: 2f9fd35 -> 0218941
---
 krebs/nixpkgs.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index fd6aeb114..20b1237dc 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,9 +1,9 @@
 {
 "url": "https://github.com/NixOS/nixpkgs",
- "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f",
- "date": "2023-01-15T13:38:37-03:00",
- "path": "/nix/store/mn2dwzki0d159fl09y87jrvyvcjgyy03-nixpkgs",
- "sha256": "0w3ysrhbqhgr1qnh0r9miyqd7yf7vsd4wcd21dffwjlb99lynla8",
+ "rev": "0218941ea68b4c625533bead7bbb94ccce52dceb",
+ "date": "2023-01-31T16:39:44+08:00",
+ "path": "/nix/store/82grl4czg5pgacsa93nqssf5m7qrmmna-nixpkgs",
+ "sha256": "0vwszpqs1x9sgnabvj3413mvcrj7k2ix4wv4hfvw6nmp6k4z6ic1",
 "fetchLFS": false,
 "fetchSubmodules": false,
 "deepClone": false,
-- cgit v1.2.3
From bd785cc6292f86079a11b89d51072bf294912de9 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Tue, 31 Jan 2023 19:38:33 +0100
Subject: nixpkgs-unstable: befc839 -> 2caf4ef
---
 krebs/nixpkgs-unstable.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index 6af475a29..96c23d47c 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,9 @@
 {
 "url": "https://github.com/NixOS/nixpkgs",
- "rev": "befc83905c965adfd33e5cae49acb0351f6e0404",
- "date": "2023-01-13T18:32:21+01:00",
- "path": "/nix/store/bwpp6fchhfw699jn9hsdypyc7ggb72gx-nixpkgs",
- "sha256": "0m0ik7z06q3rshhhrg2p0vsrkf2jnqcq5gq1q6wb9g291rhyk6h2",
+ "rev": "2caf4ef5005ecc68141ecb4aac271079f7371c44",
+ "date": "2023-01-30T22:55:03+01:00",
+ "path": "/nix/store/mkif1y61ndjfi6fl2hzm7gmgqn40rchn-nixpkgs",
+ "sha256": "1f8d0v4q687r4z3qpg54asglgi3v07ac75hzxzxl0qxjyh0asdz3",
 "fetchLFS": false,
 "fetchSubmodules": false,
 "deepClone": false,
-- cgit v1.2.3
From 46ae6fc00c3e1aee5bc5db846ec91e30c430f0f1 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Wed, 1 Feb 2023 23:27:47 +0100
Subject: filebitch.r: rotate tinc keys
---
 kartei/krebs/default.nix | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/kartei/krebs/default.nix b/kartei/krebs/default.nix
index 7419ba13f..414b66e9f 100644
--- a/kartei/krebs/default.nix
+++ b/kartei/krebs/default.nix
@@ -50,15 +50,20 @@ in {
 aliases = [
 "filebitch.r"
 ];
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEA8ZSLsOlPy9Vd8XdEcIoP8H3rztsbB0McTYPGhUaZ6/aqcD/MBSQa
- FT9NZS0+N0Pev7y90As6Rj5Wrom92xlThcFPaX0Dzmzz+7363M4qtlrtmmWkx2FX
- VDrPOYbe4hGGOCsPNOTNJkcW4zs2Ym5YKbZeXHfnuqCW+yuhKBCgO9slc740jkHZ
- 5xuv5zbU3ZMRk1H8xi4+cQcHqh+1PY75lJxVSNvrbe5pvGxm9yVdp235b49ohDRU
- UfUjXmymPlnfJgTOMxmHwl+UmwYR4Yw2CZKXTjbJe5HjbykleTwUb1qyijM8suJf
- eXRyma8VGILcY6K/HmE4nz7ESAlI1c+QlwIDAQAB
+ MIICCgKCAgEA8S3eYZB/z1oT8SlSeHXdHVlSZE1Z15KA2Icd/qLnopqIj9qi8rGa
+ TVptxNPAnI6ohLw3MnFix2fZCizHremrIV5lObSB/hYfqJZq73/Og3zb7GO25cl+
+ bb/ApgmTHKjrI0xJPnRxC4Wl0KawEFfX+J3pS0ty9JHN7VNHfPzCnd3NO/LplY+9
+ hxsV6Oegt4+X4onv7/5xjd/PYe7CsA3BvKGqtLwznEg/fZdm/e2UJv2U/ddk2MUU
+ JwDpQ3n4WYSv4ltY6TcTP1CiFHNOzaPV4AxUROimvI8natuTC+Yapv/J5DDowatX
+ Fo51GXXptTr3lASHNfonWDBTmhkELp3uS48MYO6z/fxLNqS4Un7q845sEN4GQQXL
+ StdUQEDp7+ycui2zHG7GHfbGqK5qZ1/hVU8sofnlfIGlfgwcMN4NHjhS5GifQGPC
+ Fuwx5e/r06HI9FaC5BM6muouaFiGWkK2Xb/coSZb7eoXffVIyiX1didrlwCYzI5b
+ K/KMQRsJu1mhAjUrlxxvtW5Y2yj+kP70Kz9FaPAIlWirMK+EQFCToK63CbCO5X2y
+ 5Pxkomg/KCeZ9grBSugnI2i6WqYeyOTGHM45VugxhU39mgBxzcIVjDy+UKVh/ILS
+ 3IYJVNzCFcbDueHp+G56ClCT1HYYPuAieFhawzwAQ7jUN3mhvdOr5fUCAwEAAQ==
 -----END RSA PUBLIC KEY-----
- Ed25519PublicKey = NPjEmo1dkxNS2Xm7qUyWhLKdFYF4MnhIM79NPQELWHC
 '';
+ tinc.pubkey_ed25519 = "D5TYSZW9OAkdnvQ/NL98UgheRC2Zg4SMNZ8M4/KwdeL";
 };
 };
 ssh.privkey.path = ;
-- cgit v1.2.3
[cgit] Unable to lock slot /tmp/cgit/e1200000.lock: No such file or directory (2)
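Review bot: The Ed25519 key is no longer carried as a literal `Ed25519PublicKey = …` line inside the `tinc.pubkey` heredoc but moves to a dedicated `tinc.pubkey_ed25519` attribute, which changes how this host's tinc host file is assembled rather than only rotating key material, while the subject says just "rotate tinc keys". If other hosts in kartei/krebs/default.nix still embed the Ed25519 line inside `tinc.pubkey`, they should presumably be migrated the same way so the generated host files stay uniform; that cannot be confirmed from this hunk. The new RSA block is also noticeably longer (11 base64 lines starting `MIICCgKCAgEA` versus 6 starting `MIIBCgKCAQEA`), which looks like a move to a larger RSA modulus, so a commit-message line such as `rotate filebitch RSA key (larger modulus) and move the Ed25519 key to tinc.pubkey_ed25519` would make the rotation auditable without decoding the key. The enclosing host attribute set begins before this hunk.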