makefu/stockholm
1
0
Fork 0
Code Issues Pull requests Actions1 Packages Projects Releases Wiki Activity

Merge branch 'master' of prism.r:stockholm

Browse source
This commit is contained in:
jeschli 2019-06-25 22:43:02 +02:00
parent 8079877eee 1d23dceb5d
commit 1cfc265bbf
69 changed files with 1182 additions and 631 deletions

0
krebs/0tests/data/secrets/github-hosts-sync.ssh.id_ed25519 Normal file
View file

0
krebs/0tests/data/secrets/shackspace-gitlab-ci Normal file
View file

1
krebs/1systems/hotdog/config.nix
View file

@ -18,6 +18,7 @@
];
krebs.build.host = config.krebs.hosts.hotdog;
krebs.github-hosts-sync.enable = true;
boot.isContainer = true;
networking.useDHCP = false;

7
krebs/1systems/puyak/config.nix
View file

@ -73,6 +73,13 @@
system.activationScripts."disengage fancontrol" = ''
echo level disengaged > /proc/acpi/ibm/fan
'';
# to access vorstand vm
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.ulrich.pubkey
config.krebs.users.raute.pubkey
];
users.users.joerg = {
openssh.authorizedKeys.keys = [ config.krebs.users.Mic92.pubkey ];
isNormalUser = true;

91
krebs/1systems/wolf/config.nix
View file

@ -11,83 +11,44 @@ in
<stockholm/krebs>
<stockholm/krebs/2configs>
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
<stockholm/krebs/2configs/collectd-base.nix>
<stockholm/krebs/2configs/stats/wolf-client.nix>
<stockholm/krebs/2configs/graphite.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/binary-cache/prism.nix>
# handle the worlddomination map via coap
<stockholm/krebs/2configs/shack/worlddomination.nix>
# drivedroid.shack for shackphone
<stockholm/krebs/2configs/shack/drivedroid.nix>
# <stockholm/krebs/2configs/shack/nix-cacher.nix>
<stockholm/krebs/2configs/shack/mqtt_sub.nix>
# Say if muell will be collected
<stockholm/krebs/2configs/shack/muell_caller.nix>
<stockholm/krebs/2configs/shack/radioactive.nix>
<stockholm/krebs/2configs/shack/share.nix>
<stockholm/krebs/2configs/shack/mobile.mpd.nix>
{
systemd.services.telegraf.path = [ pkgs.net_snmp ]; # for snmptranslate
systemd.services.telegraf.environment = {
MIBDIRS = pkgs.fetchgit {
url = "http://git.shackspace.de/makefu/modem-mibs.git";
sha256 =
"1rhrpaascvj5p3dj29hrw79gm39rp0aa787x95m3r2jrcq83ln1k";
}; # extra mibs like ADSL
};
services.telegraf = {
enable = true;
extraConfig = {
inputs = {
snmp = {
agents = [ "10.0.1.3:161" ];
version = 2;
community = "shack";
name = "snmp";
field = [
{
name = "hostname";
oid = "RFC1213-MIB::sysName.0";
is_tag = true;
}
{
name = "load-percent"; #cisco
oid = ".1.3.6.1.4.1.9.9.109.1.1.1.1.4.9";
}
{
name = "uptime";
oid = "DISMAN-EVENT-MIB::sysUpTimeInstance";
}
];
table = [{
name = "snmp";
inherit_tags = [ "hostname" ];
oid = "IF-MIB::ifXTable";
field = [{
name = "ifName";
oid = "IF-MIB::ifName";
is_tag = true;
}];
}];
};
};
outputs = {
influxdb = {
urls = [ "http://${influx-host}:8086" ];
database = "telegraf";
write_consistency = "any";
timeout = "5s";
};
};
};
};
}
# create samba share for anonymous usage with the laser and 3d printer pc
<stockholm/krebs/2configs/shack/share.nix>
# mobile.lounge.mpd.shack
<stockholm/krebs/2configs/shack/mobile.mpd.nix>
# connect to git.shackspace.de as group runner for rz
<stockholm/krebs/2configs/shack/gitlab-runner.nix>
# Statistics collection and visualization
<stockholm/krebs/2configs/graphite.nix>
## Collect data from mqtt.shack and store in graphite database
<stockholm/krebs/2configs/shack/mqtt_sub.nix>
## Collect radioactive data and put into graphite
<stockholm/krebs/2configs/shack/radioactive.nix>
## Collect local statistics via collectd and send to collectd
<stockholm/krebs/2configs/stats/wolf-client.nix>
## write collectd statistics to wolf.shack
<stockholm/krebs/2configs/collectd-base.nix>
{ services.influxdb.enable = true; }
<stockholm/krebs/2configs/shack/netbox.nix>
];
# use your own binary cache, fallback use cache.nixos.org (which is used by
# apt-cacher-ng in first place)
services.influxdb.enable = true;
# local discovery in shackspace
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
@ -156,10 +117,10 @@ in
# fallout of ipv6calypse
networking.extraHosts = ''
hass.shack 10.42.2.191
heidi.shack 10.42.2.135
'';
users.extraUsers.root.openssh.authorizedKeys.keys = [
config.krebs.users."0x4a6f".pubkey
config.krebs.users.ulrich.pubkey
config.krebs.users.raute.pubkey
config.krebs.users.makefu-omo.pubkey

21
krebs/2configs/shack/gitlab-runner.nix Normal file
View file

@ -0,0 +1,21 @@
{ pkgs, ... }:
let
runner-src = builtins.fetchTarball {
url = "https://gitlab.com/arianvp/nixos-gitlab-runner/-/archive/master/nixos-gitlab-runner-master.tar.gz";
sha256 = "1s0fy5ny2ygcfvx35xws8xz5ih4z4kdfqlq3r6byxpylw7r52fyi";
};
in
{
systemd.services.gitlab-runner.path = [
"/run/wrappers" # /run/wrappers/bin/su
"/" # /bin/sh
];
imports = [
"${runner-src}/gitlab-runner.nix"
];
services.gitlab-runner2.enable = true;
## registrationConfigurationFile contains:
# CI_SERVER_URL=<CI server URL>
# REGISTRATION_TOKEN=<registration secret>
services.gitlab-runner2.registrationConfigFile = <secrets/shackspace-gitlab-ci>;
}

39
krebs/2configs/shack/netbox.nix Normal file
View file

@ -0,0 +1,39 @@
{ pkgs, ... }:
{
environment.systemPackages = [ pkgs.docker-compose ];
virtualisation.docker.enable = true;
services.nginx = {
enable = true;
virtualHosts."netbox.shack".locations."/".proxyPass = "http://localhost:18080";
};
# we store the netbox config there:
# state = [ "/var/lib/netbox" ];
systemd.services.backup-netbox = {
after = [ "netbox-docker-compose.service" ];
startAt = "daily";
path = with pkgs; [ docker-compose docker gzip coreutils ];
script = ''
cd /var/lib/netbox
mkdir -p backup
docker-compose exec -T -upostgres postgres pg_dumpall \
| gzip > backup/netdata_$(date -Iseconds).dump.gz
'';
};
systemd.services.netbox-docker-compose = {
wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" "docker.service" ];
environment.VERSION = "v2.5.13";
serviceConfig = {
WorkingDirectory = "/var/lib/netbox";
# TODO: grep -q NAPALM_SECRET env/netbox.env
# TODO: grep -q NAPALM_SECRET netbox-netprod-importer/switches.yml
ExecStartPre = "${pkgs.docker-compose}/bin/docker-compose pull";
ExecStart = "${pkgs.docker-compose}/bin/docker-compose up";
Restart = "always";
RestartSec = "10";
StartLimitIntervalSec = 60;
StartLimitBurst = 3;
};
};
}

92
krebs/3modules/exim-retiolum.nix
View file

@ -1,15 +1,17 @@
{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
let
{ config, pkgs, lib, ... }: let
cfg = config.krebs.exim-retiolum;
out = {
options.krebs.exim-retiolum = api;
config = lib.mkIf cfg.enable imp;
};
# Due to improvements to the JSON notation, braces around top-level objects
# are not necessary^Wsupported by rspamd's parser when including files:
# https://github.com/rspamd/rspamd/issues/2674
toMostlyJSON = value:
assert typeOf value == "set";
(s: substring 1 (stringLength s - 2) s)
(toJSON value);
api = {
in {
options.krebs.exim-retiolum = {
enable = mkEnableOption "krebs.exim-retiolum";
local_domains = mkOption {
type = with types; listOf hostname;
@ -28,22 +30,70 @@ let
"*.r"
];
};
rspamd = {
enable = mkEnableOption "krebs.exim-retiolum.rspamd" // {
default = false;
};
locals = {
logging = {
level = mkOption {
type = types.enum [
"error"
"warning"
"notice"
"info"
"debug"
"silent"
];
default = "notice";
};
};
options = {
local_networks = mkOption {
type = types.listOf types.cidr;
default = [
config.krebs.build.host.nets.retiolum.ip4.prefix
config.krebs.build.host.nets.retiolum.ip6.prefix
];
};
};
};
};
};
imp = {
imports = [
{
config = lib.mkIf cfg.rspamd.enable {
services.rspamd.enable = true;
services.rspamd.locals =
mapAttrs'
(name: value: nameValuePair "${name}.inc" {
text = toMostlyJSON value;
})
cfg.rspamd.locals;
users.users.${config.krebs.exim.user.name}.extraGroups = [
config.services.rspamd.group
];
};
}
];
config = lib.mkIf cfg.enable {
krebs.exim = {
enable = true;
config =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration
assert config.krebs.tinc.retiolum.enable;
''
/* exim */ ''
keep_environment =
primary_hostname = ${cfg.primary_hostname}
domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
${optionalString cfg.rspamd.enable /* exim */ ''
spamd_address = /run/rspamd/rspamd.sock variant=rspamd
''}
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
@ -72,6 +122,24 @@ let
acl_check_data:
${optionalString cfg.rspamd.enable /* exim */ ''
accept condition = ''${if eq{$interface_port}{587}}
warn remove_header = ${concatStringsSep " : " [
"x-spam"
"x-spam-report"
"x-spam-score"
]}
warn
spam = nobody:true
warn
condition = ''${if !eq{$spam_action}{no action}}
add_header = X-Spam: Yes
add_header = X-Spam-Report: $spam_report
add_header = X-Spam-Score: $spam_score
''}
accept
@ -118,4 +186,4 @@ let
'';
};
};
in out
}

6
krebs/3modules/exim-smarthost.nix
View file

@ -121,7 +121,7 @@ let
};
krebs.exim = {
enable = true;
config = ''
config = /* exim */ ''
keep_environment =
primary_hostname = ${cfg.primary_hostname}
@ -233,7 +233,7 @@ let
remote_smtp:
driver = smtp
${optionalString (cfg.dkim != []) (indent ''
${optionalString (cfg.dkim != []) (indent /* exim */ ''
dkim_canon = relaxed
dkim_domain = $sender_address_domain
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
@ -262,7 +262,7 @@ let
begin rewrite
begin authenticators
${concatStringsSep "\n" (mapAttrsToList (name: text: ''
${concatStringsSep "\n" (mapAttrsToList (name: text: /* exim */ ''
${name}:
${indent text}
'') cfg.authenticators)}

2
krebs/3modules/exim.nix
View file

@ -37,7 +37,7 @@ in {
};
config = lib.mkIf cfg.enable {
environment = {
etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" ''
etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" /* exim */ ''
exim_user = ${cfg.user.name}
exim_group = ${cfg.group.name}
exim_path = /run/wrappers/bin/exim

187
krebs/3modules/external/default.nix vendored
View file

@ -43,6 +43,31 @@ in {
};
};
};
wilde = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.4";
aliases = [ "wilde.r" ];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg
2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay
uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L
a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo
IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM
C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q
sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq
10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo
1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57
lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0
QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
dpdkm = {
owner = config.krebs.users.Mic92;
nets = rec {
@ -167,6 +192,20 @@ in {
};
};
};
horisa = {
cores = 2;
owner = config.krebs.users.ulrich; # main laptop
nets = {
retiolum = {
ip4.addr = "10.243.226.213";
ip6.addr = "42:0:e644:9099:4f8:b9aa:3856:4e85";
aliases = [
"horisa.r"
];
tinc.pubkey = tinc-for "horisa";
};
};
};
idontcare = {
owner = config.krebs.users.Mic92;
nets = rec {
@ -190,6 +229,35 @@ in {
};
};
};
inspector = {
owner = config.krebs.users.Mic92;
nets = rec {
internet = {
ip4.addr = "141.76.44.154";
aliases = [ "inspector.i" ];
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.172";
aliases = [ "inspector.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
justraute = {
owner = config.krebs.users.raute; # laptop
nets = {
@ -202,6 +270,30 @@ in {
};
};
};
matchbox = {
owner = config.krebs.users.Mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.176";
aliases = [ "matchbox.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m
VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w
nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u
TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE
TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1
yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO
4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4
Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/
bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4
nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR
/vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
qubasa = {
owner = config.krebs.users.qubasa;
nets = {
@ -227,6 +319,13 @@ in {
};
};
};
rilke = {
owner = config.krebs.users.kmein;
nets.wiregrill = {
aliases = [ "rilke.w" ];
wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
};
};
rock = {
owner = config.krebs.users.Mic92;
nets = {
@ -365,56 +464,53 @@ in {
};
};
};
inspector = {
owner = config.krebs.users.Mic92;
nets = rec {
internet = {
ip4.addr = "141.76.44.154";
aliases = [ "inspector.i" ];
};
uppreisn = {
owner = config.krebs.users.ilmu;
nets = {
retiolum = {
via = internet;
ip4.addr = "10.243.29.172";
aliases = [ "inspector.r" ];
ip4.addr = "10.243.42.13";
aliases = [ "ilmu.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
-----END RSA PUBLIC KEY-----
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAweAz7KtgYVuAfqP7Zoax
BrQ++qig30Aabnou5C62bYIf1Fn8Z9RbDROTmkGeF7No7mZ7wH0hNpRXo1N/sLNt
gr4bX7fXAvQ3NeeoMmM6VcC+pExnE4NMMnu0Dm3Z/WcQkCsJukkcvpC1gWkjPXea
gn3ODl2wbKMiRBhQDA2Ro0zDQ+gAIsgtS9fDA85Rb0AToLwifHHavz81SXF+9piv
qIl3rJZVBo1kOiolv5BCh4/O+R5boiFfPGAiqEcob0cTcmSCXaMqis8UNorlm08j
ytNG7kazeRQb9olJ/ovCA1b+6iAZ4251twuQkHfNdfC3VM32jbGq7skMyhX3qN/b
WoHHeBZR8eH5MpTTIODI+r4cLswAJqlCk816bGMmg6MuZutTlQCRTy1S/wXY/8ei
STAZ1IZH6dnwCJ9HXgMC6hcYuOs/KmvSdaa7F+yTEq83IAASewbRgn/YHsMksftI
d8db17rEOT5uC1jOGKF98d7e30MX5saTJZLB6XmNDsql/lFoooGzTz/L80JUYiJ0
fQFADznZpA+NE+teOH9aXsucDQkX6BOPSO4XKXV86RIejHUSEx5WdaqGOUfmhFUo
9hZhr0qiiKNlXlP8noM9n+hPNKNkOlctQcpnatgdU3uQMtITPyKSLMUDoQIJlSgq
lak5LCqzwU9qa9EQSU4nLZ0CAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
matchbox = {
owner = config.krebs.users.Mic92;
unnamed = {
owner = config.krebs.users.pie_;
nets = {
retiolum = {
ip4.addr = "10.243.29.176";
aliases = [ "matchbox.r" ];
ip4.addr = "10.243.3.14";
aliases = [ "unnamed.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m
VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w
nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u
TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE
TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1
yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO
4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4
Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/
bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4
nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR
/vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvGXVl+WV/bDxFAnYnAhZ
2rHCU5dqtBvSg0sywV1j++lEuELBx4Zq14qyjDRGkkIGdgzCZBLK2cCgxPJ3MRFx
ZwiO3jPscTu3I7zju7ULO/LqGQG+Yf86estfGh394zFJ2rnFSwegeMNqCpOaurOH
GuYtNdjkxn/2wj00s+JEJjCNRMg8bkTMT3czuTr2k+6ICI8SgLZMDH7TjRfePHEW
X9/v4O3kMSZccT/wZWmezXuYlO7CJs7f4VV98z+sgubmIZz3uLfQFY8y9gmGp46y
5n5QyD0iIqkLNGIldNnToVJPToRaW5OdNKtZFayU4pWZ296sEcJI0NWLYqy7yZfD
PG2FlCQmebUxMYk+iK0cYRLFzOgnr14uXihXxhuHYJ8R1VIbWuto1YFGUv5J/Jct
3vgjwOlHwZKC9FTqnRjgp58QtnKneXGNZ446eKHUCmSRDKl8fc/m9ePHrISnGROY
gXMieAmOZtsQIxwRpBGCLjrr3sx8RRNY8ROycqPaQWp3upp61jAvvQW3SIvkp1+M
jGvfebJOSkEZurwGcWUar9w9t/oDfsV+R9Nm9n2IkdkNlnvXD1rcj7KqbFPtGf1a
MmB3AmwyIVv9Rk1Vpjkz4EtL4kPqiuhPrf1bHQhAdcwqwFGyo8HXsoMedb3Irhwm
OxwCRYLtEweku7HLhUVTnDkCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
@ -449,6 +545,9 @@ in {
mail = "dickbutt@excogitation.de";
pubkey = ssh-for "exco";
};
ilmu = {
mail = "ilmu@rishi.is";
};
jan = {
mail = "jan.heidbrink@posteo.de";
};
@ -473,10 +572,14 @@ in {
mail = "shackspace.de@myvdr.de";
pubkey = ssh-for "ulrich";
};
"0x4a6f" = {
mail = "0x4a6f@shackspace.de";
pubkey = ssh-for "0x4a6f";
};
miaoski = {
};
filly = {
};
pie_ = {};
};
}

6
krebs/3modules/external/palo.nix vendored
View file

@ -34,7 +34,10 @@ in {
retiolum = {
ip4.addr = "10.243.23.3";
tinc.port = 720;
aliases = [ "kruck.r" ];
aliases = [
"kruck.r"
"video.kruck.r"
];
tinc.pubkey = tinc-for "palo";
};
};
@ -49,6 +52,7 @@ in {
tinc.pubkey = tinc-for "palo";
};
};
syncthing.id = "FLY7DHI-TJLEQBJ-JZNC4YV-NBX53Z2-ZBRWADL-BKSFXYZ-L4FMDVH-MOSEVAQ";
};
workhorse = {
owner = config.krebs.users.palo;

1
krebs/3modules/external/ssh/0x4a6f.pub vendored Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMoQSUz0wcV8tnTKsYO3sO6XG6EHap8R63ihfMHkxPS

8
krebs/3modules/external/tinc/horisa.pub vendored Normal file
View file

@ -0,0 +1,8 @@
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA1hhBqCku98gimv0yXr6DFwE2HUemigyqX8o7IsPOW5XT/K8o+V40
Oxk3r0+c7IYREvug/raxoullf5TMJFzTzqzX4njgsiTs25V8D7hVT4jcRKTcXmBn
XpjtD+tIeDW1E6dIMMDbxKCyfd/qaeg83G7gPobeFYr4JNqQLXrnotlWMO9S13UT
+EgSP2pixv/dGIqX8WRg23YumO8jZKbso/sKKFMIEOJvnh/5EcWb24+q2sDRCitP
sWJ5j/9M1Naec/Zl27Ac2HyMWRk39F9Oo+iSbc47QvjKTEmn37P4bBg3hY9FSSFo
M90wG/NRbw1Voz6BgGlwOAoA+Ln0rVKqDQIDAQAB
-----END RSA PUBLIC KEY-----

28
krebs/3modules/github-hosts-sync.nix
View file

@ -11,17 +11,25 @@ let
api = {
enable = mkEnableOption "krebs.github-hosts-sync";
port = mkOption {
type = types.int; # TODO port type
default = 1028;
};
dataDir = mkOption {
type = types.str; # TODO path (but not just into store)
default = "/var/lib/github-hosts-sync";
};
srcDir = mkOption {
type = types.str;
default = "${config.krebs.tinc.retiolum.confDir}/hosts";
};
ssh-identity-file = mkOption {
type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"];
default = toString <secrets/github-hosts-sync.ssh.id_rsa>;
default = toString <secrets/github-hosts-sync.ssh.id_ed25519>;
};
url = mkOption {
type = types.str;
default = "git@github.com:krebs/hosts.git";
};
workTree = mkOption {
type = types.absolute-pathname;
default = "${cfg.dataDir}/cache";
};
};
@ -30,13 +38,18 @@ let
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
port = toString cfg.port;
GITHUB_HOST_SYNC_USER_MAIL = user.mail;
GITHUB_HOST_SYNC_USER_NAME = user.name;
GITHUB_HOST_SYNC_SRCDIR = cfg.srcDir;
GITHUB_HOST_SYNC_WORKTREE = cfg.workTree;
GITHUB_HOST_SYNC_URL = cfg.url;
};
serviceConfig = {
PermissionsStartOnly = "true";
SyslogIdentifier = "github-hosts-sync";
User = user.name;
Restart = "always";
Type = "oneshot";
RemainAfterExit = true;
ExecStartPre = pkgs.writeDash "github-hosts-sync-init" ''
set -euf
install -m 0711 -o ${user.name} -d ${cfg.dataDir}
@ -56,6 +69,7 @@ let
};
user = rec {
mail = "${name}@${config.krebs.build.host.name}";
name = "github-hosts-sync";
uid = genid_uint31 name;
};

10
krebs/3modules/github-known-hosts.nix
View file

@ -28,12 +28,22 @@
"140.82.125.*"
"140.82.126.*"
"140.82.127.*"
"13.114.40.48"
"13.229.188.59"
"13.234.176.102"
"13.234.210.38"
"13.236.229.21"
"13.237.44.5"
"13.250.177.223"
"15.164.81.167"
"18.194.104.89"
"18.195.85.27"
"35.159.8.160"
"52.192.72.89"
"52.64.108.95"
"52.69.186.44"
"52.74.223.119"
"52.78.231.108"
];
publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==";
};

1
krebs/3modules/lass/default.nix
View file

@ -35,6 +35,7 @@ in {
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}

24
krebs/3modules/makefu/default.nix
View file

@ -143,11 +143,19 @@ in {
ci = true;
cores = 4;
nets = {
lan = {
ip4.addr = "192.168.8.11";
aliases = [
"wbob.lan"
"log.wbob.lan"
];
};
retiolum = {
ip4.addr = "10.243.214.15";
aliases = [
"wbob.r"
"hydra.wbob.r"
"log.wbob.r"
];
};
};
@ -182,6 +190,7 @@ in {
wiki.euer IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
mediengewitter IN CNAME over.dose.io.
'';
};
cores = 8;
@ -196,13 +205,13 @@ in {
};
wiregrill = {
via = internet;
ip4.addr = "10.244.245.1";
ip6.addr = w6 "1";
wireguard = {
subnets = [
(krebs.genipv6 "wiregrill" "external" 0).subnetCIDR
wireguard.port = 51821;
wireguard.subnets = [
(krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR
];
};
"10.244.245.0/24" # required for routing directly to gum via rockit
];
};
retiolum = {
via = internet;
@ -247,7 +256,6 @@ in {
cores = 1;
extraZones = {
"krebsco.de" = ''
mediengewitter IN A ${nets.internet.ip4.addr}
flap IN A ${nets.internet.ip4.addr}
'';
};
@ -281,6 +289,10 @@ in {
};
};
};
rockit = rec { # router@home
cores = 1;
nets.wiregrill.ip4.addr = "10.244.245.2";
};
senderechner = rec {
cores = 2;

2
krebs/3modules/makefu/wiregrill/gum.pub
View file

@ -1 +1 @@
yAKvxTvcEVdn+MeKsmptZkR3XSEue+wSyLxwcjBYxxo=
A7UPKSUaCZaJ9hXv6X4jvcZ+5X+PlS1EmCwxlLBAKH0=

1
krebs/3modules/makefu/wiregrill/rockit.pub Normal file
View file

@ -0,0 +1 @@
YmvTL4c13WS6f88ZAz2m/2deL2pnPXI0Ay3edCPE1Qc=

99
krebs/3modules/syncthing.nix
View file

@ -2,40 +2,69 @@
let
cfg = config.krebs.syncthing;
kcfg = config.krebs.syncthing;
scfg = config.services.syncthing;
devices = mapAttrsToList (name: peer: {
name = name;
deviceID = peer.id;
addresses = peer.addresses;
}) cfg.peers;
}) kcfg.peers;
folders = mapAttrsToList ( _: folder: {
inherit (folder) path id type;
devices = map (peer: { deviceId = cfg.peers.${peer}.id; }) folder.peers;
devices = map (peer: { deviceId = kcfg.peers.${peer}.id; }) folder.peers;
rescanIntervalS = folder.rescanInterval;
fsWatcherEnabled = folder.watch;
fsWatcherDelayS = folder.watchDelay;
ignoreDelete = folder.ignoreDelete;
ignorePerms = folder.ignorePerms;
}) cfg.folders;
}) kcfg.folders;
getApiKey = pkgs.writeDash "getAPIKey" ''
${pkgs.libxml2}/bin/xmllint \
--xpath 'string(configuration/gui/apikey)'\
${config.services.syncthing.dataDir}/config.xml
${scfg.configDir}/config.xml
'';
updateConfig = pkgs.writeDash "merge-syncthing-config" ''
set -efu
# XXX this assumes the GUI address to be "IPv4 address and port"
host=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 0)}
port=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 1)}
# wait for service to restart
${pkgs.untilport}/bin/untilport localhost 8384
${pkgs.untilport}/bin/untilport "$host" "$port"
API_KEY=$(${getApiKey})
CFG=$(${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config)
echo "$CFG" | ${pkgs.jq}/bin/jq -s '.[] * {
"devices": ${builtins.toJSON devices},
"folders": ${builtins.toJSON folders}
}' | ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config -d @-
${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/restart -X POST
_curl() {
${pkgs.curl}/bin/curl \
-Ss \
-H "X-API-Key: $API_KEY" \
"http://$host:$port/rest""$@"
}
old_config=$(_curl /system/config)
new_config=${shell.escape (toJSON {
inherit devices folders;
})}
new_config=$(${pkgs.jq}/bin/jq -en \
--argjson old_config "$old_config" \
--argjson new_config "$new_config" \
'
$old_config * $new_config
${optionalString (!kcfg.overridePeers) ''
* { devices: $old_config.devices }
''}
${optionalString (!kcfg.overrideFolders) ''
* { folders: $old_config.folders }
''}
'
)
echo $new_config | _curl /system/config -d @-
_curl /system/restart -X POST
'';
in
@ -45,11 +74,6 @@ in
enable = mkEnableOption "syncthing-init";
id = mkOption {
type = types.str;
default = config.krebs.build.host.name;
};
cert = mkOption {
type = types.nullOr types.absolute-pathname;
default = null;
@ -60,6 +84,13 @@ in
default = null;
};
overridePeers = mkOption {
type = types.bool;
default = true;
description = ''
Whether to delete the peers which are not configured via the peers option
'';
};
peers = mkOption {
default = {};
type = types.attrsOf (types.submodule ({
@ -80,6 +111,13 @@ in
}));
};
overrideFolders = mkOption {
type = types.bool;
default = true;
description = ''
Whether to delete the folders which are not configured via the peers option
'';
};
folders = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ config, ... }: {
@ -120,6 +158,11 @@ in
default = 10;
};
ignoreDelete = mkOption {
type = types.bool;
default = false;
};
ignorePerms = mkOption {
type = types.bool;
default = true;
@ -130,19 +173,19 @@ in
};
};
config = (mkIf cfg.enable) {
config = mkIf kcfg.enable {
systemd.services.syncthing = mkIf (cfg.cert != null || cfg.key != null) {
systemd.services.syncthing = mkIf (kcfg.cert != null || kcfg.key != null) {
preStart = ''
${optionalString (cfg.cert != null) ''
cp ${toString cfg.cert} ${config.services.syncthing.dataDir}/cert.pem
chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/cert.pem
chmod 400 ${config.services.syncthing.dataDir}/cert.pem
${optionalString (kcfg.cert != null) ''
cp ${toString kcfg.cert} ${scfg.configDir}/cert.pem
chown ${scfg.user}:${scfg.group} ${scfg.configDir}/cert.pem
chmod 400 ${scfg.configDir}/cert.pem
''}
${optionalString (cfg.key != null) ''
cp ${toString cfg.key} ${config.services.syncthing.dataDir}/key.pem
chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/key.pem
chmod 400 ${config.services.syncthing.dataDir}/key.pem
${optionalString (kcfg.key != null) ''
cp ${toString kcfg.key} ${scfg.configDir}/key.pem
chown ${scfg.user}:${scfg.group} ${scfg.configDir}/key.pem
chmod 400 ${scfg.configDir}/key.pem
''}
'';
};
@ -152,7 +195,7 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = config.services.syncthing.user;
User = scfg.user;
RemainAfterExit = true;
Type = "oneshot";
ExecStart = updateConfig;

39
krebs/5pkgs/simple/github-hosts-sync/default.nix
View file

@ -1,37 +1,32 @@
{ pkgs, stdenv, ... }:
stdenv.mkDerivation {
name = "github-hosts-sync";
stdenv.mkDerivation rec {
name = "github-hosts-sync-${version}";
version = "2.0.0";
src = pkgs.painload;
src = ./src;
phases = [
"unpackPhase"
"installPhase"
];
installPhase =
let
ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
path = stdenv.lib.makeBinPath (with pkgs; [
coreutils
findutils
git
gnugrep
gnused
nettools
openssh
socat
]);
in
installPhase = let
ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
path = stdenv.lib.makeBinPath [
pkgs.git
pkgs.nettools
pkgs.openssh
pkgs.rsync
];
in
''
mkdir -p $out/bin
sed \
's,^main() {$,&\n export PATH=${path} GIT_SSL_CAINFO=${ca-bundle},' \
< ./retiolum/scripts/github_hosts_sync/hosts-sync \
> $out/bin/github-hosts-sync
cp hosts-sync $out/bin/github-hosts-sync
chmod +x $out/bin/github-hosts-sync
sed -i \
'1s,$,\nPATH=${path}''${PATH+:$PATH} GIT_SSL_CAINFO=${ca-bundle},' \
$out/bin/github-hosts-sync
'';
}

33
krebs/5pkgs/simple/github-hosts-sync/src/hosts-sync Executable file
View file

@ -0,0 +1,33 @@
#! /bin/sh
set -efu
exec >&2
hosts_srcdir=$GITHUB_HOST_SYNC_SRCDIR
hosts_worktree=${GITHUB_HOST_SYNC_WORKTREE-/tmp/hosts}
hosts_url=${GITHUB_HOST_SYNC_URL-git@github.com:krebs/hosts.git}
user_mail=${GITHUB_HOST_SYNC_USER_MAIL-$LOGNAME@$(hostname)}
user_name=${GITHUB_HOST_SYNC_USER_NAME-$LOGNAME}
test -d "$hosts_worktree" || git clone "$hosts_url" "$hosts_worktree"
cd "$hosts_worktree"
git pull
rsync \
--chmod D755,F644 \
--delete-excluded \
--filter 'protect .git' \
--recursive \
--verbose \
"$hosts_srcdir/" \
.
git add .
if test -n "$(git status --porcelain)"; then
git config user.email "$user_mail"
git config user.name "$user_name"
git commit -m bump
git push
fi

2
krebs/krops.nix
View file

@ -50,7 +50,7 @@
{
nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix";
secrets = if test then {
file = toString <stockholm/krebs/0tests/data/secrets>;
file = toString ./0tests/data/secrets;
} else {
pass = {
dir = "${lib.getEnv "HOME"}/brain";

6
krebs/nixpkgs.json
View file

@ -1,7 +1,7 @@
{
"url": "https://github.com/NixOS/nixpkgs-channels",
"rev": "705986f5a986be5c5ae13193b487c7ec8ca05f16",
"date": "2019-05-18T20:38:59-04:00",
"sha256": "0zpch2cpl2yx0mp7hnyjd03hqs7rxza9wc2p97njsdzhi56gxwxp",
"rev": "d77e3bd661354ea775a8cacc97bb59ddde513c09",
"date": "2019-06-18T23:08:17+02:00",
"sha256": "1m82zs00n6nc0pkdpmd9amm013qxwksjfhzcm6gck3p469q7n866",
"fetchSubmodules": false
}

2
lass/1systems/daedalus/config.nix
View file

@ -57,6 +57,8 @@ with import <stockholm/lib>;
{
krebs.per-user.bitcoin.packages = [
pkgs.electrum
pkgs.electron-cash
pkgs.altcoins.litecoin
];
users.extraUsers = {
bitcoin = {

31
lass/1systems/mors/config.nix
View file

@ -49,14 +49,31 @@ with import <stockholm/lib>;
];
}
{
krebs.syncthing.folders."the_playlist" = {
path = "/home/lass/tmp/the_playlist";
peers = [ "mors" "phone" "prism" ];
krebs.syncthing = {
peers.schasch.addresses = [ "schasch.r:22000" ];
folders = {
the_playlist = {
path = "/home/lass/tmp/the_playlist";
peers = [ "mors" "phone" "prism" ];
};
free_music = {
id = "mu9mn-zgvsw";
path = "/home/lass/tmp/free_music";
peers = [ "mors" "schasch" ];
};
};
};
krebs.permown."/home/lass/tmp/the_playlist" = {
owner = "lass";
group = "syncthing";
umask = "0007";
krebs.permown = {
"/home/lass/tmp/free_music" = {
owner = "lass";
group = "syncthing";
umask = "0007";
};
"/home/lass/tmp/the_playlist" = {
owner = "lass";
group = "syncthing";
umask = "0007";
};
};
}
{

2
lass/1systems/mors/physical.nix
View file

@ -22,7 +22,7 @@
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:72:f4:88", NAME="wl0"
SUBSYSTEM=="net", DEVPATH=="/devices/pci*/*1c.1/*/net/*", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:c4:7a:f1", NAME="et0"
'';

15
lass/1systems/prism/config.nix
View file

@ -195,6 +195,7 @@ with import <stockholm/lib>;
};
}
<stockholm/lass/2configs/minecraft.nix>
<stockholm/lass/2configs/codimd.nix>
{
services.taskserver = {
enable = true;
@ -382,7 +383,7 @@ with import <stockholm/lib>;
'';
fileSystems."/export/download" = {
device = "/var/lib/containers/yellow/var/download";
device = "/var/lib/containers/yellow/var/download/finished";
options = [ "bind" ];
};
services.nfs.server = {
@ -395,6 +396,12 @@ with import <stockholm/lib>;
statdPort = 4000;
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 2049"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp --dport 4000:4002"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 111"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 2049"; target = "ACCEPT"; }
@ -456,4 +463,10 @@ with import <stockholm/lib>;
enable = true;
freeMemThreshold = 5;
};
# prism rsa hack
services.openssh.hostKeys = [{
path = toString <secrets> + "ssh.id_rsa";
type = "rsa";
}];
}

1
lass/2configs/browsers.nix
View file

@ -66,7 +66,6 @@ in {
extensions = [
"cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
"dbepggeogbaibhgnhhndojpepiihcmeb" # vimium
"liloimnbhkghhdhlamdjipkmadhpcjmn" # krebsgold
];
};

28
lass/2configs/codimd.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
services.nginx.virtualHosts.codimd = {
enableACME = true;
addSSL = true;
serverName = "codi.lassul.us";
locations."/".extraConfig = ''
client_max_body_size 4G;
proxy_set_header Host $host;
proxy_pass http://localhost:3091;
'';
};
services.codimd = {
enable = true;
configuration = {
db = {
dialect = "sqlite";
storage = "/var/lib/codimd/db.codimd.sqlite";
useCDN = false;
};
port = 3091;
};
};
}

3
lass/2configs/exim-smarthost.nix
View file

@ -103,6 +103,9 @@ with import <stockholm/lib>;
{ from = "lobsters@lassul.us"; to = lass.mail; }
{ from = "fysitech@lassul.us"; to = lass.mail; }
{ from = "threema@lassul.us"; to = lass.mail; }
{ from = "ubisoft@lassul.us"; to = lass.mail; }
{ from = "kottezeller@lassul.us"; to = lass.mail; }
{ from = "pie@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }

2
lass/2configs/network-manager.nix
View file

@ -15,6 +15,8 @@
};
};
networking.networkmanager = {
ethernet.macAddress = "random";
wifi.macAddress = "random";
enable = true;
unmanaged = [
"docker*"

22
lass/2configs/radio.nix
View file

@ -97,12 +97,17 @@ in {
services.icecast = {
enable = true;
hostname = "config.krebs.build.host.name";
hostname = "radio.lassul.us";
admin.password = admin-password;
extraConf = ''
<authentication>
<source-password>${source-password}</source-password>
</authentication>
<mount>
<mount-name>/radio.mp3</mount-name>
<password>${source-password}</password>
</mount>
<mount>
<mount-name>/radio.ogg</mount-name>
<password>${source-password}</password>
</mount>
'';
};
@ -194,8 +199,8 @@ in {
workdir = config.krebs.reaktor2.the_playlist.stateDir;
hooks.PRIVMSG = [
{
activate = "match";
pattern = ''!([^ ]+)(?:\s*(.*))?'';
#activate = "match";
pattern = "^\\s*([0-9A-Za-z._][0-9A-Za-z._-]*)(?:\\s+(.*\\S))?\\s*$";
command = 1;
arguments = [2];
commands = {
@ -218,6 +223,11 @@ in {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8000;
'';
locations."/recent".extraConfig = ''

4
lass/2configs/retiolum.nix
View file

@ -20,8 +20,10 @@
"prism"
"gum"
"ni"
"dishfire"
];
extraConfig = ''
LocalDiscovery = yes
'';
};
nixpkgs.config.packageOverrides = pkgs: {

11
lass/2configs/syncthing.nix
View file

@ -1,5 +1,7 @@
{ config, pkgs, ... }: with import <stockholm/lib>; let
peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
all_peers = filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts;
own_peers = filterAttrs (n: v: v.owner.name == "lass") all_peers;
mk_peers = mapAttrs (n: v: { id = v.syncthing.id; });
in {
services.syncthing = {
enable = true;
@ -14,8 +16,8 @@ in {
enable = true;
cert = toString <secrets/syncthing.cert>;
key = toString <secrets/syncthing.key>;
peers = peers;
folders."/home/lass/sync".peers = attrNames peers;
peers = mk_peers all_peers;
folders."/home/lass/sync".peers = attrNames (filterAttrs (n: v: n != "phone") own_peers);
};
system.activationScripts.syncthing-home = ''
@ -23,8 +25,9 @@ in {
'';
krebs.permown."/home/lass/sync" = {
file-mode = "u+rw,g+rw";
owner = "lass";
group = "syncthing";
umask = "0007";
umask = "0002";
};
}

47
lass/2configs/websites/domsen.nix
View file

@ -26,6 +26,7 @@ in {
./default.nix
./sqlBackup.nix
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
(servePage [ "jarugadesign.de" "www.jarugadesign.de" ])
(servePage [
"freemonkey.art"
"www.freemonkey.art"
@ -93,6 +94,7 @@ in {
hostName = "o.xanf.org";
config = {
adminpassFile = toString <secrets> + "/nextcloud_pw";
overwriteProtocol = "https";
};
https = true;
nginx.enable = true;
@ -141,6 +143,7 @@ in {
{ from = "akayguen@freemonkey.art"; to ="akayguen"; }
{ from = "bui@freemonkey.art"; to ="bui"; }
{ from = "kontakt@alewis.de"; to ="klabusterbeere"; }
{ from = "hallo@jarugadesign.de"; to ="kasia"; }
{ from = "testuser@lassul.us"; to = "testuser"; }
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
@ -150,6 +153,7 @@ in {
"ubikmedia.eu"
"ubikmedia.de"
"alewis.de"
"jarugadesign.de"
];
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
ssl_key = "/var/lib/acme/lassul.us/key.pem";
@ -234,7 +238,18 @@ in {
createHome = true;
};
krebs.on-failure.plans.restic-backups-domsen = {};
users.users.kasia = {
uid = genid_uint31 "kasia";
home = "/home/kasia";
useDefaultShell = true;
createHome = true;
};
krebs.on-failure.plans.restic-backups-domsen = {
journalctl = {
lines = 1000;
};
};
services.restic.backups.domsen = {
initialize = true;
extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr2.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ];
@ -247,11 +262,41 @@ in {
"/home/ms/Mail"
"/home/klabusterbeere/Mail"
"/home/jms/Mail"
"/home/kasia/Mail"
"/home/bruno/Mail"
"/home/akayguen/Mail"
"/backups/sql_dumps"
];
};
boot.kernel.sysctl."fs.inotify.max_user_watches" = "1048576";
krebs.permown = {
"/srv/http/ubikmedia.de" = {
owner = "domsen";
group = "nginx";
umask = "0007";
};
"/srv/http/o.ubikmedia.de" = {
owner = "domsen";
group = "nginx";
umask = "0007";
};
"/srv/http/freemonkey.art" = {
owner = "domsen";
group = "nginx";
umask = "0002";
};
"/srv/http/jarugadesign.de" = {
owner = "domsen";
group = "nginx";
umask = "0002";
};
"/srv/http/reich-gebaeudereinigung.de" = {
owner = "domsen";
group = "nginx";
umask = "0002";
};
};
}

1
makefu/2configs/backup/ssh/wbob.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUZcfi2SXxCo1if0oU3x9qPK8/O5FmiXy2HFZyTp/P1 makefu@x

1
makefu/2configs/bureautomation/hass.nix
View file

@ -146,6 +146,7 @@ in {
"device_tracker.ecki_tablet"
"device_tracker.daniel_phone"
"device_tracker.carsten_phone"
"device_tracker.thierry_phone"
# "person.thorsten"
# "person.felix"
# "person.ecki"

1
makefu/2configs/editor/vim.nix
View file

@ -23,7 +23,6 @@ in {
vimrcConfig.vam.pluginDictionaries = [
{ names = [ "undotree"
# "YouCompleteMe"
"LanguageClient-neovim"
"vim-better-whitespace" ]; }
# vim-nix handles indentation better but does not perform sanity
{ names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }

11
makefu/2configs/editor/vimrc
View file

@ -96,14 +96,3 @@ augroup Binary
au BufWritePost *.bin if &bin | %!xxd
au BufWritePost *.bin set nomod | endif
augroup END
let g:LanguageClient_serverCommands = {
\ 'python': ['pyls']
\ }
nnoremap <F6> :call LanguageClient_contextMenu()<CR>
nnoremap <silent> gh :call LanguageClient_textDocument_hover()<CR>
nnoremap <silent> gd :call LanguageClient_textDocument_definition()<CR>
nnoremap <silent> gr :call LanguageClient_textDocument_references()<CR>
nnoremap <silent> gs :call LanguageClient_textDocument_documentSymbol()<CR>
nnoremap <silent> <F2> :call LanguageClient_textDocument_rename()<CR>
nnoremap <silent> gf :call LanguageClient_textDocument_formatting()<CR>

26
makefu/2configs/fs/sda-crypto-root-home.nix
View file

@ -8,7 +8,31 @@
# / (main-root)
# /home (main-home)
with import <stockholm/lib>;
# clean the boot sector:
# dd if=/dev/zero of=/dev/sda count=2048
# Installation Instruction on ISO:
# fdisk /dev/sda
# boot 500M
# rest rest
# cryptsetup luksFormat /dev/sda2
# mkfs.ext4 -L nixboot /dev/sda1
# cryptsetup luksOpen /dev/sda2 cryptoluks
# pvcreate /dev/mapper/cryptoluks
# vgcreate main /dev/mapper/cryptoluks
# lvcreate -L 200Gib main -n root
# lvcreate -L 800Gib main -n home
# mkfs.ext4 /dev/main/root
# mkfs.ext4 /dev/main/home
# mount /dev/mapper/main-root /mnt
# mkdir -p /mnt/{boot,home,var/src} /var/src
# mount /dev/sda1 /mnt/boot
# mount /dev/mapper/main-home /mnt/home
# touch /mnt/var/src/.populate
# mount -o bind /mnt/var/src /var/src
# nix-channel --add https://nixos.org/channels/nixos-19.03 nixpkgs && # nix-channel --update
# nix-env -iA nixpkgs.gitMinimal
# (on deploy-host) $(nix-build ~/stockholm/makefu/krops.nix --no-out-link --argstr name x --argstr target 10.42.22.91 -A deploy --show-trace)
# NIXOS_CONFIG=/var/src/nixos-config nixos-install -I /var/src --no-root-passwd --no-channel-copy
{
imports = [

3
makefu/2configs/fs/sda-crypto-root.nix
View file

@ -9,8 +9,7 @@
# boot 500M
# rest rest
# cryptsetup luksFormat /dev/sda2
#
with import <stockholm/lib>;
# mkfs.ext4 -L nixboot /dev/sda1
{
boot = {
loader.grub.enable = true;

4
makefu/2configs/home-manager/zsh.nix
View file

@ -25,12 +25,12 @@
then
[ -d .direnv ] || mkdir .direnv
local tmp=$(nix-shell --show-trace "$@" \
--run "\"$direnv\" dump bash")
--run "\"$direnv\" dump zsh")
echo "$tmp" > "$cache"
fi
local path_backup=$PATH term_backup=$TERM
direnv_load cat "$cache"
. "$cache"
export PATH=$PATH:$path_backup TERM=$term_backup

8
makefu/2configs/mail/mail.euer.nix
View file

@ -1,7 +1,7 @@
{ config, pkgs, ... }:
{
imports = [
(builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz")
(builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz")
];
mailserver = {
@ -32,8 +32,12 @@
};
services.dovecot2.extraConfig = ''
ssl_dh = </var/lib/dhparams/dovecot.pem
ssl_dh = </var/lib/dhparams/dovecot2.pem
'';
state = [ # https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/wikis/A-Complete-Backup-Guide
config.mailserver.mailDirectory
config.mailserver.dkimKeyDirectory
];
# workaround for DH creation
# security.dhparams = {
# enable = true;

3
makefu/2configs/mqtt.nix
View file

@ -5,6 +5,9 @@
host = "0.0.0.0";
users = {};
# TODO: secure that shit
aclExtraConf = ''
pattern readwrite /#
'';
allowAnonymous = true;
};
}

6
makefu/2configs/nur.nix
View file

@ -1,7 +1,7 @@
{ pkgs, ... }:{
nixpkgs.config.packageOverrides = pkgs: {
nur = pkgs.callPackage (import (builtins.fetchGit {
url = "https://github.com/nix-community/NUR";
})) {};
nur = import (builtins.fetchTarball "https://github.com/nix-community/NUR/archive/master.tar.gz") {
inherit pkgs;
};
};
}

1
makefu/2configs/printer.nix
View file

@ -32,4 +32,5 @@ in {
tcp 192.168.1.5
''; #home printer SCX-3205W
};
state = [ "/var/lib/cups" ];
}

6
makefu/2configs/stats/arafetch.nix
View file

@ -2,7 +2,7 @@
with import <stockholm/lib>;
let
pkg = with pkgs.python3Packages;buildPythonPackage rec {
rev = "762d747";
rev = "775d0c2";
name = "arafetch-${rev}";
propagatedBuildInputs = [
requests
@ -13,7 +13,7 @@ let
src = pkgs.fetchgit {
url = "http://cgit.euer.krebsco.de/arafetch";
inherit rev;
sha256 = "164xiqbrr914lz0nh3i1dxz8iwg6vm2af3i3803cd3242nznw0ws";
sha256 = "0z35avn7vmbd1661ca1zkc9i4lwcm03kpwgiqxddpkp1yxhl548p";
};
};
home = "/var/lib/arafetch";
@ -34,7 +34,7 @@ in {
path = [ pkg pkgs.git pkgs.wget ];
serviceConfig = {
User = "arafetch";
Restart = "always";
# Restart = "always";
WorkingDirectory = home;
PrivateTmp = true;
ExecStart = pkgs.writeDash "start-weekrun" ''

7
makefu/2configs/task-client.nix
View file

@ -4,11 +4,4 @@
pkgs.taskwarrior
];
environment.shellAliases = {
tshack = "task project:shack";
twork = "task project:soc";
tpki = "task project:pki";
tkrebs = "task project:krebs";
t = "task project: ";
};
}

1
makefu/2configs/taskd.nix
View file

@ -1,5 +1,6 @@
{config, ... }:
{
state = [ config.services.taskserver.dataDir ];
services.taskserver.enable = true;
services.taskserver.fqdn = config.krebs.build.host.name;
services.taskserver.listenHost = "::";

1
makefu/5pkgs/default.nix
View file

@ -40,6 +40,7 @@ in {
qcma = super.pkgs.libsForQt5.callPackage ./custom/qcma { };
inherit (callPackage ./devpi {}) devpi-web ;
nodemcu-uploader = super.pkgs.callPackage ./nodemcu-uploader {};
prison-break = abort "`prison-break` moved from this namespace to `nur.repos.krebs.prison-break`";
}
// (mapAttrs (_: flip callPackage {})

44
makefu/5pkgs/pico2wave/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ stdenv, lib, fetchurl
, popt
, libredirect
, dpkg
, makeWrapper
, autoPatchelfHook
, ...
}:
# https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=svox-pico-bin
let
pkgrel="8";
_arch = "amd64";
in
stdenv.mkDerivation rec {
name = "pico2wave"; # svox-pico-bin
version = "1.0+git20130326";
srcs = [
(fetchurl { url = "http://mirrors.kernel.org/ubuntu/pool/multiverse/s/svox/libttspico0_${version}-${pkgrel}_${_arch}.deb"; sha256 = "0b8r7r8by5kamnm960bsicimnj1a40ghy3475nzy1jvwj5xgqhrj"; })
(fetchurl { url = "http://mirrors.kernel.org/ubuntu/pool/multiverse/s/svox/libttspico-dev_${version}-${pkgrel}_${_arch}.deb"; sha256 = "1knjiwi117h02nbf7k6ll080vl65gxwx3rpj0fq5xkvxbqpjjbvz"; })
(fetchurl { url = "http://mirrors.kernel.org/ubuntu/pool/multiverse/s/svox/libttspico-data_${version}-${pkgrel}_all.deb"; sha256 = "0k0x5jh5qzzasrg766pfmls3ksj18wwdbssysvpxkq98aqg4fgmx"; })
(fetchurl { url = "http://mirrors.kernel.org/ubuntu/pool/multiverse/s/svox/libttspico-utils_${version}-${pkgrel}_${_arch}.deb"; sha256 = "11yk25fh4n7qz4xjg0dri68ygc3aapj1bk9cvhcwkfvm46j5lrjv"; })
] ;
nativeBuildInputs = [ dpkg makeWrapper autoPatchelfHook ];
dontBuild = true;
buildInputs = [ popt ];
unpackPhase = lib.concatMapStringsSep ";" (src: "dpkg-deb -x ${src} .") srcs;
installPhase = ''
mkdir -p $out
cp -r usr/. $out/
mv $out/lib/*-linux-gnu/* $out/lib/
rmdir $out/lib/*-linux-gnu
wrapProgram "$out/bin/pico2wave" \
--set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
--set NIX_REDIRECTS /usr/share/pico/lang=$out/share/pico/lang
'';
}

6
krebs/5pkgs/simple/prison-break/default.nix → makefu/5pkgs/prison-break/default.nix
View file

@ -3,12 +3,12 @@ with pkgs.python3.pkgs;
buildPythonPackage rec {
pname = "prison-break";
version = "1.0.0";
version = "1.2.0";
src = fetchFromGitHub {
owner = "makefu";
repo = pname;
rev = "1.0.0";
sha256 = "0ab42z6qr42vz4fc077irn9ykrrylagx1dzlw8dqcanf49dxd961";
rev = version;
sha256 = "07wy6f06vj9s131c16gw1xl1jf9gq5xiqia8awfb26s99gxlv7l9";
};
propagatedBuildInputs = [
docopt

0
krebs/5pkgs/simple/prison-break/straight-plugin.nix → makefu/5pkgs/prison-break/straight-plugin.nix
View file

2
submodules/krops

@ -1 +1 @@
Subproject commit 5b8fb8dc0ee14672d7fd533bd98635b8725dbb29
Subproject commit ee41207df1ce718e0b154ed8047384118a0133a4

1
tv/2configs/exim-retiolum.nix
View file

@ -7,5 +7,6 @@ with import <stockholm/lib>;
pkgs.eximlog
];
krebs.exim-retiolum.enable = true;
krebs.exim-retiolum.rspamd.enable = config.krebs.build.host.name == "nomic";
tv.iptables.input-retiolum-accept-tcp = singleton "smtp";
}

5
tv/2configs/hw/x220.nix
View file

@ -57,6 +57,11 @@
HandleSuspendKey=ignore
'';
# because extraConfig is not extra enough:
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
services.logind.lidSwitchExternalPower = "ignore";
services.xserver = {
videoDriver = "intel";
};

390
tv/2configs/vim.nix
View file

@ -14,389 +14,17 @@ let {
};
extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
# cannot use pkgs.vimPlugins.fzf-vim as it's missing :Rg
(pkgs.vimUtils.buildVimPlugin {
name = "fzf-2018-11-14";
src = pkgs.fetchgit {
url = https://github.com/junegunn/fzf.vim;
rev = "ad1833ecbc9153b6e34a4292dc089a58c4bcb8dc";
sha256 = "1z2q71q6l9hq9fqfqpj1svhyk4yk1bzw1ljhksx4bnpz8gkfbx2m";
};
})
pkgs.tv.vimPlugins.elixir
pkgs.tv.vimPlugins.file-line
pkgs.tv.vimPlugins.fzf
pkgs.tv.vimPlugins.hack
pkgs.tv.vimPlugins.jq
pkgs.tv.vimPlugins.nix
pkgs.tv.vimPlugins.showsyntax
pkgs.tv.vimPlugins.tv
pkgs.tv.vimPlugins.vim
pkgs.vimPlugins.fzfWrapper
pkgs.vimPlugins.undotree
(pkgs.vimUtils.buildVimPlugin {
name = "vim-elixir-2018-08-17";
src = pkgs.fetchgit {
url = https://github.com/elixir-editors/vim-elixir;
rev = "0a847f0faed5ba2d94bb3d51f355c50f37ba025b";
sha256 = "1jl85wpgywhcvhgw02y8zpvqf0glr4i8522kxpvhsiacb1v1xh04";
};
})
(pkgs.vimUtils.buildVimPlugin {
name = "vim-syntax-jq";
src = pkgs.fetchgit {
url = https://github.com/vito-c/jq.vim;
rev = "99d55a300047946a82ecdd7617323a751199ad2d";
sha256 = "09c94nah47wx0cr556w61h6pfznxld18pfblc3nv51ivbw7cjqyx";
};
})
(pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchgit {
url = git://github.com/bogado/file-line;
rev = "refs/tags/1.0";
sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
};
})
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "hack";
in {
name = "vim-color-${name}-1.0.2";
destination = "/colors/${name}.vim";
text = /* vim */ ''
set background=dark
hi clear
if exists("syntax_on")
syntax clear
endif
let colors_name = ${toJSON name}
hi Normal ctermbg=235
hi Comment ctermfg=242
hi Constant ctermfg=255
hi Identifier ctermfg=253
hi Function ctermfg=253
hi Statement ctermfg=253
hi PreProc ctermfg=251
hi Type ctermfg=251
hi Delimiter ctermfg=251
hi Special ctermfg=255
hi Garbage ctermbg=088
hi TabStop ctermbg=016
hi Todo ctermfg=174 ctermbg=NONE
hi NixCode ctermfg=040
hi NixData ctermfg=046
hi NixQuote ctermfg=071
hi diffNewFile ctermfg=207
hi diffFile ctermfg=207
hi diffLine ctermfg=207
hi diffSubname ctermfg=207
hi diffAdded ctermfg=010
hi diffRemoved ctermfg=009
hi Search cterm=NONE ctermbg=216
'';
})))
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "vim";
in {
name = "vim-syntax-${name}-1.0.0";
destination = "/syntax/${name}.vim";
text = /* vim */ ''
${concatMapStringsSep "\n" (s: /* vim */ ''
syn keyword vimColor${s} ${s}
\ containedin=ALLBUT,vimComment,vimLineComment
hi vimColor${s} ctermfg=${s}
'') (map (i: lpad 3 "0" (toString i)) (range 0 255))}
'';
})))
((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "showsyntax";
in {
name = "vim-plugin-${name}-1.0.0";
destination = "/plugin/${name}.vim";
text = /* vim */ ''
if exists('g:loaded_showsyntax')
finish
endif
let g:loaded_showsyntax = 0
fu! ShowSyntax()
let id = synID(line("."), col("."), 1)
let name = synIDattr(id, "name")
let transName = synIDattr(synIDtrans(id),"name")
if name != transName
let name .= " (" . transName . ")"
endif
echo "Syntax: " . name
endfu
command! -n=0 -bar ShowSyntax :call ShowSyntax()
'';
})))
((rtp: rtp // { inherit rtp; }) (pkgs.write "vim-tv" {
#
# Haskell
#
"/ftplugin/haskell.vim".text = ''
if exists("g:vim_tv_ftplugin_haskell_loaded")
finish
endif
let g:vim_tv_ftplugin_haskell_loaded = 1
setlocal iskeyword+='
'';
#
# TODO
#
"/ftdetect/todo.vim".text = ''
au BufRead,BufNewFile TODO set ft=todo
'';
"/ftplugin/todo.vim".text = ''
setlocal foldmethod=syntax
'';
"/syntax/todo.vim".text = ''
syn match todoComment /#.*/
syn match todoDate /^[1-9]\S*/
\ nextgroup=todoSummary
syn region todoSummary
\ contained
\ contains=todoTag
\ start="." end="$\n"
\ nextgroup=todoBlock
syn match todoTag /\[[A-Za-z]\+\]/hs=s+1,he=e-1
\ contained
syn region todoBlock
\ contained
\ contains=Comment
\ fold
\ start="^[^1-9]" end="^[1-9 ]"re=s-1,he=s-1,me=s-1
syn sync minlines=1000
hi link todoComment Comment
hi todoDate ctermfg=255
hi todoSummary ctermfg=229
hi todoBlock ctermfg=248
hi todoTag ctermfg=217
'';
}))
((rtp: rtp // { inherit rtp; }) (pkgs.write "vim-syntax-nix-nested" {
"/syntax/haskell.vim".text = ''
syn region String start=+\[[[:alnum:]]*|+ end=+|]+
hi link ConId Identifier
hi link VarId Identifier
hi link hsDelimiter Delimiter
'';
"/syntax/nix.vim".text = ''
"" Quit when a (custom) syntax file was already loaded
"if exists("b:current_syntax")
" finish
"endif
"setf nix
" Ref <nix/src/libexpr/lexer.l>
syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/
syn match NixINT /\<[0-9]\+\>/
syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
syn region NixSTRING
\ matchgroup=NixSTRING
\ start='"'
\ skip='\\"'
\ end='"'
syn region NixIND_STRING
\ matchgroup=NixIND_STRING
\ start="'''"
\ skip="'''\('\|[$]\|\\[nrt]\)"
\ end="'''"
syn match NixOther /[-!+&<>|():/;=.,?\[\]*@]/
syn match NixCommentMatch /\(^\|\s\)#.*/
syn region NixCommentRegion start="/\*" end="\*/"
hi link NixCode Statement
hi link NixData Constant
hi link NixComment Comment
hi link NixCommentMatch NixComment
hi link NixCommentRegion NixComment
hi link NixID NixCode
hi link NixINT NixData
hi link NixPATH NixData
hi link NixHPATH NixData
hi link NixSPATH NixData
hi link NixURI NixData
hi link NixSTRING NixData
hi link NixIND_STRING NixData
hi link NixEnter NixCode
hi link NixOther NixCode
hi link NixQuote NixData
syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings
syn cluster nix_ind_strings contains=NixIND_STRING
syn cluster nix_strings contains=NixSTRING
${concatStringsSep "\n" (mapAttrsToList (name: {
extraStart ? null,
lang ? name
}:
let
startAlts = filter isString [
''/\* ${name} \*/''
extraStart
];
sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*'';
in /* vim */ ''
syn include @nix_${lang}_syntax syntax/${lang}.vim
if exists("b:current_syntax")
unlet b:current_syntax
endif
syn match nix_${lang}_sigil
\ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X
\ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING
\ transparent
syn region nix_${lang}_region_STRING
\ matchgroup=NixSTRING
\ start='"'
\ skip='\\"'
\ end='"'
\ contained
\ contains=@nix_${lang}_syntax
\ transparent
syn region nix_${lang}_region_IND_STRING
\ matchgroup=NixIND_STRING
\ start="'''"
\ skip="'''\('\|[$]\|\\[nrt]\)"
\ end="'''"
\ contained
\ contains=@nix_${lang}_syntax
\ transparent
syn cluster nix_ind_strings
\ add=nix_${lang}_region_IND_STRING
syn cluster nix_strings
\ add=nix_${lang}_region_STRING
" This is required because containedin isn't transitive.
syn cluster nix_has_dollar_curly
\ add=@nix_${lang}_syntax
'') (let
capitalize = s: let
xs = stringToCharacters s;
in
toUpper (head xs) + concatStrings (tail xs);
alts = xs: ''\(${concatStringsSep ''\|'' xs}\)'';
def = k: ''${k}[ \t\r\n]*='';
writer = k: ''write${k}[^ \t\r\n]*[ \t\r\n]*\("[^"]*"\|[a-z]\+\)'';
writerExt = k: writerName ''[^"]*\.${k}'';
writerName = k: ''write[^ \t\r\n]*[ \t\r\n]*"${k}"'';
in {
c = {};
cabal = {};
diff = {};
haskell = {};
jq.extraStart = alts [
(writer "Jq")
(writerExt "jq")
];
javascript.extraStart = ''/\* js \*/'';
lua = {};
python.extraStart = ''/\* py \*/'';
sed.extraStart = writer "Sed";
sh.extraStart = let
phases = [
"unpack"
"patch"
"configure"
"build"
"check"
"install"
"fixup"
"installCheck"
"dist"
];
shells = [
"ash"
"bash"
"dash"
];
in alts [
(def "shellHook")
(def "${alts phases}Phase")
(def "${alts ["pre" "post"]}${alts (map capitalize phases)}")
(writer (alts (map capitalize shells)))
];
yaml = {};
vim.extraStart = alts [
(def ''"[^"]*\.vim"\.text'')
(writerExt "vim")
(writerName ''\([^"]*\.\)\?vimrc'')
];
xdefaults = {};
xmodmap = {};
}))}
" Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
syn clear shVarAssign
syn region nixINSIDE_DOLLAR_CURLY
\ matchgroup=NixEnter
\ start="[$]{"
\ end="}"
\ contains=TOP
\ containedin=@nix_has_dollar_curly
\ transparent
syn region nix_inside_curly
\ matchgroup=NixEnter
\ start="{"
\ end="}"
\ contains=TOP
\ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
\ transparent
syn match NixQuote /'''\(''$\|\\.\)/he=s+2
\ containedin=@nix_ind_strings
\ contained
syn match NixQuote /'''\('\|\\.\)/he=s+1
\ containedin=@nix_ind_strings
\ contained
syn match NixQuote /\\./he=s+1
\ containedin=@nix_strings
\ contained
syn sync fromstart
let b:current_syntax = "nix"
set isk=@,48-57,_,192-255,-,'
'';
"/syntax/sed.vim".text = ''
syn region sedBranch
\ matchgroup=sedFunction start="T"
\ matchgroup=sedSemicolon end=";\|$"
\ contains=sedWhitespace
'';
"/syntax/xmodmap.vim".text = ''
syn match xmodmapComment /^\s*!.*/
'';
}))
];
dirs = {

7
tv/5pkgs/vim/default.nix Normal file
View file

@ -0,0 +1,7 @@
with import <stockholm/lib>;
self: super: {
tv = super.tv // {
vimPlugins = mapNixDir (path: self.callPackage path {}) ./.;
};
}

9
tv/5pkgs/vim/elixir.nix Normal file
View file

@ -0,0 +1,9 @@
{ pkgs }:
pkgs.vimUtils.buildVimPlugin {
name = "vim-elixir-2018-08-17";
src = pkgs.fetchgit {
url = https://github.com/elixir-editors/vim-elixir;
rev = "0a847f0faed5ba2d94bb3d51f355c50f37ba025b";
sha256 = "1jl85wpgywhcvhgw02y8zpvqf0glr4i8522kxpvhsiacb1v1xh04";
};
}

10
tv/5pkgs/vim/file-line.nix Normal file
View file

@ -0,0 +1,10 @@
{ pkgs }:
pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchgit {
url = git://github.com/bogado/file-line;
rev = "refs/tags/1.0";
sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0";
};
}

11
tv/5pkgs/vim/fzf.nix Normal file
View file

@ -0,0 +1,11 @@
{ pkgs }:
# cannot use pkgs.vimPlugins.fzf-vim as it's missing :Rg
pkgs.vimUtils.buildVimPlugin {
name = "fzf-2018-11-14";
src = pkgs.fetchgit {
url = https://github.com/junegunn/fzf.vim;
rev = "ad1833ecbc9153b6e34a4292dc089a58c4bcb8dc";
sha256 = "1z2q71q6l9hq9fqfqpj1svhyk4yk1bzw1ljhksx4bnpz8gkfbx2m";
};
}

46
tv/5pkgs/vim/hack.nix Normal file
View file

@ -0,0 +1,46 @@
with import <stockholm/lib>;
{ pkgs }:
(rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "hack";
in {
name = "vim-color-${name}-1.0.2";
destination = "/colors/${name}.vim";
text = /* vim */ ''
set background=dark
hi clear
if exists("syntax_on")
syntax clear
endif
let colors_name = ${toJSON name}
hi Normal ctermbg=235
hi Comment ctermfg=242
hi Constant ctermfg=255
hi Identifier ctermfg=253
hi Function ctermfg=253
hi Statement ctermfg=253
hi PreProc ctermfg=251
hi Type ctermfg=251
hi Delimiter ctermfg=251
hi Special ctermfg=255
hi Garbage ctermbg=088
hi TabStop ctermbg=016
hi Todo ctermfg=174 ctermbg=NONE
hi NixCode ctermfg=040
hi NixData ctermfg=046
hi NixQuote ctermfg=071
hi diffNewFile ctermfg=207
hi diffFile ctermfg=207
hi diffLine ctermfg=207
hi diffSubname ctermfg=207
hi diffAdded ctermfg=010
hi diffRemoved ctermfg=009
hi Search cterm=NONE ctermbg=216
'';
}))

10
tv/5pkgs/vim/jq.nix Normal file
View file

@ -0,0 +1,10 @@
{ pkgs }:
pkgs.vimUtils.buildVimPlugin {
name = "vim-syntax-jq";
src = pkgs.fetchgit {
url = https://github.com/vito-c/jq.vim;
rev = "99d55a300047946a82ecdd7617323a751199ad2d";
sha256 = "09c94nah47wx0cr556w61h6pfznxld18pfblc3nv51ivbw7cjqyx";
};
}

223
tv/5pkgs/vim/nix.nix Normal file
View file

@ -0,0 +1,223 @@
with import <stockholm/lib>;
{ pkgs }:
(rtp: rtp // { inherit rtp; }) (pkgs.write "vim-syntax-nix-nested" {
"/syntax/haskell.vim".text = ''
syn region String start=+\[[[:alnum:]]*|+ end=+|]+
hi link ConId Identifier
hi link VarId Identifier
hi link hsDelimiter Delimiter
'';
"/syntax/nix.vim".text = ''
"" Quit when a (custom) syntax file was already loaded
"if exists("b:current_syntax")
" finish
"endif
"setf nix
" Ref <nix/src/libexpr/lexer.l>
syn match NixID /[a-zA-Z\_][a-zA-Z0-9\_\'\-]*/
syn match NixINT /\<[0-9]\+\>/
syn match NixPATH /[a-zA-Z0-9\.\_\-\+]*\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match NixHPATH /\~\(\/[a-zA-Z0-9\.\_\-\+]\+\)\+/
syn match NixSPATH /<[a-zA-Z0-9\.\_\-\+]\+\(\/[a-zA-Z0-9\.\_\-\+]\+\)*>/
syn match NixURI /[a-zA-Z][a-zA-Z0-9\+\-\.]*:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']\+/
syn region NixSTRING
\ matchgroup=NixSTRING
\ start='"'
\ skip='\\"'
\ end='"'
syn region NixIND_STRING
\ matchgroup=NixIND_STRING
\ start="'''"
\ skip="'''\('\|[$]\|\\[nrt]\)"
\ end="'''"
syn match NixOther /[-!+&<>|():/;=.,?\[\]*@]/
syn match NixCommentMatch /\(^\|\s\)#.*/
syn region NixCommentRegion start="/\*" end="\*/"
hi link NixCode Statement
hi link NixData Constant
hi link NixComment Comment
hi link NixCommentMatch NixComment
hi link NixCommentRegion NixComment
hi link NixID NixCode
hi link NixINT NixData
hi link NixPATH NixData
hi link NixHPATH NixData
hi link NixSPATH NixData
hi link NixURI NixData
hi link NixSTRING NixData
hi link NixIND_STRING NixData
hi link NixEnter NixCode
hi link NixOther NixCode
hi link NixQuote NixData
syn cluster nix_has_dollar_curly contains=@nix_ind_strings,@nix_strings
syn cluster nix_ind_strings contains=NixIND_STRING
syn cluster nix_strings contains=NixSTRING
${concatStringsSep "\n" (mapAttrsToList (name: {
extraStart ? null,
lang ? name
}:
let
startAlts = filter isString [
''/\* ${name} \*/''
extraStart
];
sigil = ''\(${concatStringsSep ''\|'' startAlts}\)[ \t\r\n]*'';
in /* vim */ ''
syn include @nix_${lang}_syntax syntax/${lang}.vim
if exists("b:current_syntax")
unlet b:current_syntax
endif
syn match nix_${lang}_sigil
\ X${replaceStrings ["X"] ["\\X"] sigil}\ze\('''\|"\)X
\ nextgroup=nix_${lang}_region_IND_STRING,nix_${lang}_region_STRING
\ transparent
syn region nix_${lang}_region_STRING
\ matchgroup=NixSTRING
\ start='"'
\ skip='\\"'
\ end='"'
\ contained
\ contains=@nix_${lang}_syntax
\ transparent
syn region nix_${lang}_region_IND_STRING
\ matchgroup=NixIND_STRING
\ start="'''"
\ skip="'''\('\|[$]\|\\[nrt]\)"
\ end="'''"
\ contained
\ contains=@nix_${lang}_syntax
\ transparent
syn cluster nix_ind_strings
\ add=nix_${lang}_region_IND_STRING
syn cluster nix_strings
\ add=nix_${lang}_region_STRING
" This is required because containedin isn't transitive.
syn cluster nix_has_dollar_curly
\ add=@nix_${lang}_syntax
'') (let
# TODO move this higher
capitalize = s: let
xs = stringToCharacters s;
in
toUpper (head xs) + concatStrings (tail xs);
alts = xs: ''\(${concatStringsSep ''\|'' xs}\)'';
def = k: ''${k}[ \t\r\n]*='';
writer = k: ''write${k}[^ \t\r\n]*[ \t\r\n]*\("[^"]*"\|[a-z]\+\)'';
writerExt = k: writerName ''[^"]*\.${k}'';
writerName = k: ''write[^ \t\r\n]*[ \t\r\n]*"${k}"'';
in {
c = {};
cabal = {};
diff = {};
exim = {};
haskell = {};
jq.extraStart = alts [
(writer "Jq")
(writerExt "jq")
];
javascript.extraStart = ''/\* js \*/'';
lua = {};
#nginx = {};
python.extraStart = ''/\* py \*/'';
sed.extraStart = writer "Sed";
sh.extraStart = let
phases = [
"unpack"
"patch"
"configure"
"build"
"check"
"install"
"fixup"
"installCheck"
"dist"
];
shells = [
"ash"
"bash"
"dash"
];
in alts [
(def "shellHook")
(def "${alts phases}Phase")
(def "${alts ["pre" "post"]}${alts (map capitalize phases)}")
(writer (alts (map capitalize shells)))
];
yaml = {};
vim.extraStart = alts [
(def ''"[^"]*\.vim"\.text'')
(writerExt "vim")
(writerName ''\([^"]*\.\)\?vimrc'')
];
xdefaults = {};
xmodmap = {};
}))}
" Clear syntax that interferes with nixINSIDE_DOLLAR_CURLY.
syn clear shVarAssign
syn region nixINSIDE_DOLLAR_CURLY
\ matchgroup=NixEnter
\ start="[$]{"
\ end="}"
\ contains=TOP
\ containedin=@nix_has_dollar_curly
\ transparent
syn region nix_inside_curly
\ matchgroup=NixEnter
\ start="{"
\ end="}"
\ contains=TOP
\ containedin=nixINSIDE_DOLLAR_CURLY,nix_inside_curly
\ transparent
syn match NixQuote /'''\(''$\|\\.\)/he=s+2
\ containedin=@nix_ind_strings
\ contained
syn match NixQuote /'''\('\|\\.\)/he=s+1
\ containedin=@nix_ind_strings
\ contained
syn match NixQuote /\\./he=s+1
\ containedin=@nix_strings
\ contained
syn sync fromstart
let b:current_syntax = "nix"
set isk=@,48-57,_,192-255,-,'
'';
"/syntax/sed.vim".text = ''
syn region sedBranch
\ matchgroup=sedFunction start="T"
\ matchgroup=sedSemicolon end=";\|$"
\ contains=sedWhitespace
'';
"/syntax/xmodmap.vim".text = ''
syn match xmodmapComment /^\s*!.*/
'';
})

26
tv/5pkgs/vim/showsyntax.nix Normal file
View file

@ -0,0 +1,26 @@
{ pkgs }:
(rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "showsyntax";
in {
name = "vim-plugin-${name}-1.0.0";
destination = "/plugin/${name}.vim";
text = /* vim */ ''
if exists('g:loaded_showsyntax')
finish
endif
let g:loaded_showsyntax = 0
fu! ShowSyntax()
let id = synID(line("."), col("."), 1)
let name = synIDattr(id, "name")
let transName = synIDattr(synIDtrans(id),"name")
if name != transName
let name .= " (" . transName . ")"
endif
echo "Syntax: " . name
endfu
command! -n=0 -bar ShowSyntax :call ShowSyntax()
'';
}))

53
tv/5pkgs/vim/tv.nix Normal file
View file

@ -0,0 +1,53 @@
{ pkgs }:
(rtp: rtp // { inherit rtp; }) (pkgs.write "vim-tv" {
#
# Haskell
#
"/ftplugin/haskell.vim".text = ''
if exists("g:vim_tv_ftplugin_haskell_loaded")
finish
endif
let g:vim_tv_ftplugin_haskell_loaded = 1
setlocal iskeyword+='
'';
#
# TODO
#
"/ftdetect/todo.vim".text = ''
au BufRead,BufNewFile TODO set ft=todo
'';
"/ftplugin/todo.vim".text = ''
setlocal foldmethod=syntax
'';
"/syntax/todo.vim".text = ''
syn match todoComment /#.*/
syn match todoDate /^[1-9]\S*/
\ nextgroup=todoSummary
syn region todoSummary
\ contained
\ contains=todoTag
\ start="." end="$\n"
\ nextgroup=todoBlock
syn match todoTag /\[[A-Za-z]\+\]/hs=s+1,he=e-1
\ contained
syn region todoBlock
\ contained
\ contains=Comment
\ fold
\ start="^[^1-9]" end="^[1-9 ]"re=s-1,he=s-1,me=s-1
syn sync minlines=1000
hi link todoComment Comment
hi todoDate ctermfg=255
hi todoSummary ctermfg=229
hi todoBlock ctermfg=248
hi todoTag ctermfg=217
'';
})

16
tv/5pkgs/vim/vim.nix Normal file
View file

@ -0,0 +1,16 @@
with import <stockholm/lib>;
{ pkgs }:
(rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let
name = "vim";
in {
name = "vim-syntax-${name}-1.0.0";
destination = "/syntax/${name}.vim";
text = /* vim */ ''
${concatMapStringsSep "\n" (s: /* vim */ ''
syn keyword vimColor${s} ${s}
\ containedin=ALLBUT,vimComment,vimLineComment
hi vimColor${s} ctermfg=${s}
'') (map (i: lpad 3 "0" (toString i)) (range 0 255))}
'';
}))