makefu/stockholm
1
0
Fork 0
Code Issues Pull requests Actions 1 Packages Projects Releases Wiki Activity

Merge branch 'master' of prism.r:stockholm

Browse source
This commit is contained in:
jeschli 2019-04-23 20:15:10 +02:00
parent a4be985644 cd825d9934
commit 35fdfbe5cc
82 changed files with 844 additions and 277 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
krebs/1systems/hotdog/config.nix
View file

@ -21,5 +21,4 @@
boot.isContainer = true;
networking.useDHCP = false;
environment.variables.NIX_REMOTE = "daemon";
}

5
krebs/2configs/reaktor2.nix
View file

@ -115,6 +115,11 @@ let
in {
users.users.reaktor2 = {
uid = genid_uint31 "reaktor2";
home = stateDir;
};
krebs.reaktor2 = {
freenode = {
hostname = "irc.freenode.org";

8
krebs/3modules/bepasty-server.nix
View file

@ -2,10 +2,10 @@
with import <stockholm/lib>;
let
gunicorn = pkgs.pythonPackages.gunicorn;
bepasty = pkgs.bepasty;
gevent = pkgs.pythonPackages.gevent;
python = pkgs.pythonPackages.python;
gunicorn = pkgs.python27Packages.gunicorn;
bepasty = pkgs.bepasty.override { python3Packages = pkgs.python27Packages; };
gevent = pkgs.python27Packages.gevent;
python = pkgs.python27Packages.python;
cfg = config.krebs.bepasty;
out = {

6
krebs/3modules/ci.nix
View file

@ -108,10 +108,12 @@ let
name=str(new_step),
command=[
"${pkgs.writeDash "build-stepper.sh" ''
set -efu
set -xefu
profile=${shell.escape profileRoot}/$build_name
result=$("$build_script")
${pkgs.nix}/bin/nix-env -p "$profile" --set "$result"
if [ -n "$result" ]; then
${pkgs.nix}/bin/nix-env -p "$profile" --set "$result"
fi
''}"
],
env={

1
krebs/3modules/default.nix
View file

@ -39,6 +39,7 @@ let
./nixpkgs.nix
./on-failure.nix
./os-release.nix
./permown.nix
./per-user.nix
./power-action.nix
./Reaktor.nix

13
krebs/3modules/external/default.nix vendored
View file

@ -429,6 +429,17 @@ in {
};
};
};
ada = {
owner = config.krebs.users.filly;
nets = {
wiregrill = {
aliases = [ "ada.w" ];
wireguard = {
pubkey = "+t0j9j7TZqvSFPzgunnON/ArXVGpMS/L3DldpanLoUk=";
};
};
};
};
};
users = {
ciko = {
@ -464,6 +475,8 @@ in {
};
miaoski = {
};
filly = {
};
};
}

3
krebs/3modules/lass/default.nix
View file

@ -20,6 +20,7 @@ in {
extraZones = {
"krebsco.de" = ''
cache IN A ${nets.internet.ip4.addr}
p IN A ${nets.internet.ip4.addr}
paste IN A ${nets.internet.ip4.addr}
prism IN A ${nets.internet.ip4.addr}
'';
@ -38,6 +39,7 @@ in {
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
@ -239,6 +241,7 @@ in {
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C";
syncthing.id = "AU5RTWC-HXNMDRT-TN4ZHXY-JMQ6EQB-4ZPOZL7-AICZMCZ-LNS2XXQ-DGTI2Q6";
};
icarus = {
cores = 2;

102
krebs/3modules/permown.nix Normal file
View file

@ -0,0 +1,102 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: {
options.krebs.permown = mkOption {
default = {};
type = types.attrsOf (types.submodule ({ config, ... }: {
options = {
directory-mode = mkOption {
default = "=rwx";
type = types.str; # TODO
};
file-mode = mkOption {
default = "=rw";
type = types.str; # TODO
};
group = mkOption {
apply = x: if x == null then "" else x;
default = null;
type = types.nullOr types.groupname;
};
owner = mkOption {
type = types.username;
};
path = mkOption {
default = config._module.args.name;
type = types.absolute-pathname;
};
umask = mkOption {
default = "0027";
type = types.file-mode;
};
};
}));
};
config = let
plans = attrValues config.krebs.permown;
in mkIf (plans != []) {
system.activationScripts.permown = let
mkdir = plan: /* sh */ ''
${pkgs.coreutils}/bin/mkdir -p ${shell.escape plan.path}
'';
in concatMapStrings mkdir plans;
systemd.services = genAttrs' plans (plan: {
name = "permown.${replaceStrings ["/"] ["_"] plan.path}";
value = {
environment = {
DIR_MODE = plan.directory-mode;
FILE_MODE = plan.file-mode;
OWNER_GROUP = "${plan.owner}:${plan.group}";
ROOT_PATH = plan.path;
};
path = [
pkgs.coreutils
pkgs.findutils
pkgs.inotifyTools
];
serviceConfig = {
ExecStart = pkgs.writeDash "permown" ''
set -efu
find "$ROOT_PATH" -exec chown -h "$OWNER_GROUP" {} +
find "$ROOT_PATH" -type d -exec chmod "$DIR_MODE" {} +
find "$ROOT_PATH" -type f -exec chmod "$FILE_MODE" {} +
paths=/tmp/paths
rm -f "$paths"
mkfifo "$paths"
inotifywait -mrq -e CREATE --format %w%f "$ROOT_PATH" > "$paths" &
inotifywaitpid=$!
trap cleanup EXIT
cleanup() {
kill "$inotifywaitpid"
}
while read -r path; do
if test -d "$path"; then
cleanup
exec "$0" "$@"
fi
chown -h "$OWNER_GROUP" "$path"
if test -f "$path"; then
chmod "$FILE_MODE" "$path"
fi
done < "$paths"
'';
PrivateTemp = true;
Restart = "always";
RestartSec = 10;
UMask = plan.umask;
};
wantedBy = [ "multi-user.target" ];
};
});
};
}

2
krebs/3modules/realwallpaper.nix
View file

@ -78,7 +78,7 @@ let
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeDash "generate-wallpaper" ''
set -xeuf
set -euf
# usage: getimg FILENAME URL
fetch() {

4
krebs/3modules/setuid.nix
View file

@ -21,8 +21,8 @@ let
default = config._module.args.name;
};
envp = mkOption {
type = types.attrsOf types.str;
default = {};
type = types.nullOr (types.attrsOf types.str);
default = null;
};
filename = mkOption {
type = mkOptionType {

21
krebs/3modules/syncthing.nix
View file

@ -10,7 +10,7 @@ let
addresses = peer.addresses;
}) cfg.peers;
folders = map (folder: {
folders = mapAttrsToList ( _: folder: {
inherit (folder) path id type;
devices = map (peer: { deviceId = cfg.peers.${peer}.id; }) folder.peers;
rescanIntervalS = folder.rescanInterval;
@ -81,17 +81,18 @@ in
};
folders = mkOption {
default = [];
type = types.listOf (types.submodule ({ config, ... }: {
default = {};
type = types.attrsOf (types.submodule ({ config, ... }: {
options = {
path = mkOption {
type = types.absolute-pathname;
default = config._module.args.name;
};
id = mkOption {
type = types.str;
default = config.path;
default = config._module.args.name;
};
peers = mkOption {
@ -133,8 +134,16 @@ in
systemd.services.syncthing = mkIf (cfg.cert != null || cfg.key != null) {
preStart = ''
${optionalString (cfg.cert != null) "cp ${toString cfg.cert} ${config.services.syncthing.dataDir}/cert.pem"}
${optionalString (cfg.key != null) "cp ${toString cfg.key} ${config.services.syncthing.dataDir}/key.pem"}
${optionalString (cfg.cert != null) ''
cp ${toString cfg.cert} ${config.services.syncthing.dataDir}/cert.pem
chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/cert.pem
chmod 400 ${config.services.syncthing.dataDir}/cert.pem
''}
${optionalString (cfg.key != null) ''
cp ${toString cfg.key} ${config.services.syncthing.dataDir}/key.pem
chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/key.pem
chmod 400 ${config.services.syncthing.dataDir}/key.pem
''}
'';
};

4
krebs/5pkgs/haskell/blessings.nix
View file

@ -10,6 +10,10 @@ with import <stockholm/lib>;
version = "2.2.0";
sha256 = "1pb56dgf3jj2kq3cbbppwzyg3ccgqy9xara62hkjwyxzdx20clk1";
};
"19.03" = {
version = "2.2.0";
sha256 = "1pb56dgf3jj2kq3cbbppwzyg3ccgqy9xara62hkjwyxzdx20clk1";
};
}.${versions.majorMinor nixpkgsVersion};
in mkDerivation {

5
krebs/5pkgs/haskell/email-header.nix
View file

@ -15,6 +15,11 @@ with import <stockholm/lib>;
rev = "refs/tags/v${cfg.version}";
sha256 = "11xjivpj495r2ss9aqljnpzzycb57cm4sr7yzmf939rzwsd3ib0x";
};
"19.03" = {
version = "0.4.1-tv1";
rev = "refs/tags/v${cfg.version}";
sha256 = "11xjivpj495r2ss9aqljnpzzycb57cm4sr7yzmf939rzwsd3ib0x";
};
}.${versions.majorMinor nixpkgsVersion};
in mkDerivation {

5
krebs/5pkgs/simple/kpaste/default.nix
View file

@ -1,5 +1,6 @@
{ curl, writeDashBin }:
{ curl, gnused, writeDashBin }:
writeDashBin "kpaste" ''
exec ${curl}/bin/curl -sS http://p.r --data-binary @-
${curl}/bin/curl -sS http://p.r --data-binary @- |
${gnused}/bin/sed '$ {p;s/\<r\>/krebsco.de/}'
''

12
krebs/5pkgs/simple/krebspaste/default.nix
View file

@ -1,6 +1,12 @@
{ writeDashBin, bepasty-client-cli }:
{ bepasty-client-cli, gnused, writeDashBin }:
# TODO use `pkgs.exec` instead?
writeDashBin "krebspaste" ''
exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | sed '$ s/$/\/+inline/g'
${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" |
${gnused}/bin/sed '
$ {
s/$/\/+inline/
p
s/\<r\>/krebsco.de/
}
'
''

27
krebs/5pkgs/simple/qrscan.nix Normal file
View file

@ -0,0 +1,27 @@
{ coreutils, gnused, writeDashBin, zbar }:
writeDashBin "qrscan" ''
set -efu
tmpdir=$(${coreutils}/bin/mktemp --tmpdir -d qrscan.XXXXXXXX)
codefile=$tmpdir/code
cleanup() {
${coreutils}/bin/rm "$codefile"
${coreutils}/bin/rmdir "$tmpdir"
}
${coreutils}/bin/mkfifo "$codefile"
${zbar}/bin/zbarcam > "$codefile" &
zbarcampid=$!
exec < "$codefile"
while read -r code; do
code=$(printf %s "$code" | ${gnused}/bin/sed -n 's/^QR-Code://p')
if test -n "$code"; then
${coreutils}/bin/kill "$zbarcampid"
echo "$code"
fi
done
''

6
krebs/nixpkgs.json
View file

@ -1,7 +1,7 @@
{
"url": "https://github.com/NixOS/nixpkgs-channels",
"rev": "222950952f15f6b1e9f036b80440b597f23e652d",
"date": "2019-04-05T10:07:50+02:00",
"sha256": "1hfchhy8vlc333sglabk1glkcnv4mrnarm9j4havqn7g5ri68vrd",
"rev": "8ea36d732567c80b2d11eb029e10400fe85ca786",
"date": "2019-04-18T22:37:03+01:00",
"sha256": "1d59i55qwqd76n2d0hr1si26q333ydizkd91h8lfczb00xnr5pqn",
"fetchSubmodules": false
}

2
krebs/update-channel.sh
View file

@ -3,7 +3,7 @@ dir=$(dirname $0)
oldrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
--url https://github.com/NixOS/nixpkgs-channels \
--rev refs/heads/nixos-18.09' \
--rev refs/heads/nixos-19.03' \
> $dir/nixpkgs.json
newrev=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
git commit $dir/nixpkgs.json -m "nixpkgs: $oldrev -> $newrev"

9
lass/1systems/blue/config.nix
View file

@ -9,17 +9,12 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/blue.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/decsync.nix>
<stockholm/lass/2configs/sync/weechat.nix>
];
krebs.build.host = config.krebs.hosts.blue;
krebs.syncthing.folders = [
{ id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
];
lass.ensure-permissions = [
{ folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
];
environment.shellAliases = {
deploy = pkgs.writeDash "deploy" ''
set -eu

1
lass/1systems/blue/physical.nix
View file

@ -4,5 +4,4 @@
];
boot.isContainer = true;
networking.useDHCP = false;
environment.variables.NIX_REMOTE = "daemon";
}

8
lass/1systems/daedalus/config.nix
View file

@ -27,6 +27,12 @@ with import <stockholm/lib>;
enable = true;
systemWide = true;
};
programs.chromium = {
enable = true;
extensions = [
"cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
];
};
environment.systemPackages = with pkgs; [
pavucontrol
#firefox
@ -40,7 +46,7 @@ with import <stockholm/lib>;
wine
geeqie
vlc
minecraft
zsnes
];
nixpkgs.config.firefox.enableAdobeFlash = true;
services.xserver.enable = true;

11
lass/1systems/green/config.nix
View file

@ -8,20 +8,13 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/mail.nix>
#<stockholm/lass/2configs/blue.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/decsync.nix>
<stockholm/lass/2configs/sync/weechat.nix>
];
krebs.build.host = config.krebs.hosts.green;
krebs.syncthing.folders = [
{ id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
];
lass.ensure-permissions = [
{ folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
];
#networking.nameservers = [ "1.1.1.1" ];
#time.timeZone = "Europe/Berlin";

1
lass/1systems/green/physical.nix
View file

@ -4,5 +4,4 @@
];
boot.isContainer = true;
networking.useDHCP = false;
environment.variables.NIX_REMOTE = "daemon";
}

1
lass/1systems/icarus/config.nix
View file

@ -20,6 +20,7 @@
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/nfs-dl.nix>
<stockholm/lass/2configs/prism-share.nix>
<stockholm/lass/2configs/ssh-cryptsetup.nix>
];
krebs.build.host = config.krebs.hosts.icarus;

10
lass/1systems/iso.nix
View file

@ -6,7 +6,6 @@ with import <stockholm/lib>;
<nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
<stockholm/krebs>
<stockholm/lass/3modules>
<stockholm/lass/5pkgs>
<stockholm/lass/2configs/mc.nix>
<stockholm/lass/2configs/vim.nix>
{
@ -40,9 +39,10 @@ with import <stockholm/lib>;
networking.hostName = "lass-iso";
}
{
nixpkgs.config.packageOverrides = import <stockholm/lass/5pkgs> pkgs;
krebs.enable = true;
krebs.build.user = config.krebs.users.lass;
krebs.build.host = config.krebs.hosts.iso;
krebs.build.host = {};
}
{
nixpkgs.config.allowUnfree = true;
@ -174,11 +174,13 @@ with import <stockholm/lib>;
user = "lass";
};
windowManager.default = "xmonad";
windowManager.session = [{
windowManager.session = let
xmonad-lass = pkgs.callPackage <stockholm/lass/5pkgs/custom/xmonad-lass> { inherit config; };
in [{
name = "xmonad";
start = ''
${pkgs.xorg.xhost}/bin/xhost +LOCAL:
${pkgs.xmonad-lass}/bin/xmonad &
${xmonad-lass}/bin/xmonad &
waitPID=$!
'';
}];

1
lass/1systems/littleT/config.nix
View file

@ -8,6 +8,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/green-host.nix>
];
networking.networkmanager.enable = true;

8
lass/1systems/morpheus/config.nix
View file

@ -30,4 +30,12 @@ with import <stockholm/lib>;
];
};
};
services.xserver.desktopManager.default = "none";
services.xserver.displayManager.lightdm.autoLogin = {
enable = true;
user = "lass";
timeout = 5;
};
}

36
lass/1systems/mors/config.nix
View file

@ -26,6 +26,8 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/otp-ssh.nix>
<stockholm/lass/2configs/c-base.nix>
<stockholm/lass/2configs/sync/decsync.nix>
<stockholm/lass/2configs/sync/weechat.nix>
<stockholm/lass/2configs/br.nix>
<stockholm/lass/2configs/ableton.nix>
<stockholm/lass/2configs/starcraft.nix>
@ -36,27 +38,26 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/network-manager.nix>
<stockholm/lass/2configs/nfs-dl.nix>
<stockholm/lass/2configs/hardening.nix>
#<stockholm/lass/2configs/hardening.nix>
{
krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain
{ predicate = "-p tcp --dport 11100"; target = "ACCEPT"; }
#chromecast
{ predicate = "-p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000"; target = "ACCEPT"; }
#quake3
{ predicate = "-p tcp --dport 27950:27965"; target = "ACCEPT"; }
{ predicate = "-p udp --dport 27950:27965"; target = "ACCEPT"; }
];
}
{
krebs.syncthing.folders = [
{ id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
{ id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" ]; }
];
lass.ensure-permissions = [
{ folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
{ folder = "/home/lass/tmp/the_playlist"; owner = "lass"; group = "syncthing"; }
];
krebs.syncthing.folders."the_playlist" = {
path = "/home/lass/tmp/the_playlist";
peers = [ "mors" "phone" "prism" ];
};
krebs.permown."/home/lass/tmp/the_playlist" = {
owner = "lass";
group = "syncthing";
umask = "0007";
};
}
{
lass.umts = {
@ -92,6 +93,7 @@ with import <stockholm/lib>;
pkgs.ovh-zone
pkgs.bank
pkgs.adb-sync
pkgs.transgui
];
}
{
@ -135,6 +137,18 @@ with import <stockholm/lib>;
(pkgs.writeDashBin "btc-kraken" ''
${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
'')
(pkgs.writeDashBin "krebsco.de" ''
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json
OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import
${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
'')
(pkgs.writeDashBin "lassul.us" ''
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json
OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us
${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
'')
];
#TODO: fix this shit

36
lass/1systems/prism/config.nix
View file

@ -413,6 +413,42 @@ with import <stockholm/lib>;
];
};
}
{ #macos mounting of yellow
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i wiregrill -p tcp --dport 139"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 137"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p udp --dport 138"; target = "ACCEPT"; }
];
users.users.smbguest = {
name = "smbguest";
uid = config.ids.uids.smbguest;
description = "smb guest user";
home = "/home/share";
createHome = true;
};
services.samba = {
enable = true;
enableNmbd = true;
shares = {
download = {
path = "/var/download/finished";
"read only" = "yes";
browseable = "yes";
"guest ok" = "yes";
};
};
extraConfig = ''
guest account = smbguest
map to guest = bad user
# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
'';
};
}
];
krebs.build.host = config.krebs.hosts.prism;

1
lass/1systems/red/physical.nix
View file

@ -4,5 +4,4 @@
];
boot.isContainer = true;
networking.useDHCP = false;
environment.variables.NIX_REMOTE = "daemon";
}

2
lass/1systems/shodan/config.nix
View file

@ -15,6 +15,8 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/green-host.nix>
<stockholm/lass/2configs/ssh-cryptsetup.nix>
];
krebs.build.host = config.krebs.hosts.shodan;

1
lass/1systems/skynet/config.nix
View file

@ -8,6 +8,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/power-action.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/green-host.nix>
{
services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;

1
lass/1systems/yellow/config.nix
View file

@ -31,6 +31,7 @@ with import <stockholm/lib>;
download-dir = "/var/download/finished";
incomplete-dir = "/var/download/incoming";
incomplete-dir-enable = true;
message-level = 1;
umask = "002";
rpc-whitelist-enabled = false;
rpc-host-whitelist-enabled = false;

1
lass/1systems/yellow/physical.nix
View file

@ -4,5 +4,4 @@
];
boot.isContainer = true;
networking.useDHCP = false;
environment.variables.NIX_REMOTE = "daemon";
}

1
lass/2configs/baseX.nix
View file

@ -9,6 +9,7 @@ in {
./power-action.nix
./copyq.nix
./urxvt.nix
./xdg-open.nix
{
hardware.pulseaudio = {
enable = true;

3
lass/2configs/exim-smarthost.nix
View file

@ -100,6 +100,9 @@ with import <stockholm/lib>;
{ from = "box@lassul.us"; to = lass.mail; }
{ from = "paloalto@lassul.us"; to = lass.mail; }
{ from = "subtitles@lassul.us"; to = lass.mail; }
{ from = "lobsters@lassul.us"; to = lass.mail; }
{ from = "fysitech@lassul.us"; to = lass.mail; }
{ from = "threema@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }

82
lass/2configs/green-host.nix Normal file
View file

@ -0,0 +1,82 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/syncthing.nix>
{ #hack for already defined
systemd.services."container@green".reloadIfChanged = mkForce false;
systemd.services."container@green".preStart = ''
${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q ' on /var/lib/containers/green '
'';
systemd.services."container@green".postStop = ''
set -x
${pkgs.umount}/bin/umount /var/lib/containers/green
ls -la /dev/mapper/control
${pkgs.devicemapper}/bin/dmsetup ls
${pkgs.cryptsetup}/bin/cryptsetup -v luksClose /var/lib/sync-containers/green.img
'';
}
];
krebs.syncthing.folders."/var/lib/sync-containers".peers = [ "icarus" "skynet" "littleT" "shodan" ];
krebs.permown."/var/lib/sync-containers" = {
owner = "root";
group = "syncthing";
umask = "0007";
};
system.activationScripts.containerPermissions = ''
mkdir -p /var/lib/containers
chmod 711 /var/lib/containers
'';
containers.green = {
config = { ... }: {
environment.systemPackages = [
pkgs.git
pkgs.rxvt_unicode.terminfo
];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.15";
localAddress = "10.233.2.16";
};
environment.systemPackages = [
(pkgs.writeDashBin "start-green" ''
set -fu
CONTAINER='green'
IMAGE='/var/lib/sync-containers/green.img'
${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null
if [ "$?" -ne 0 ]; then
${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER"
fi
mkdir -p /var/lib/containers/"$CONTAINER"
${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/"$CONTAINER" "
if [ "$?" -ne 0 ]; then
${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER"
fi
STATE=$(${pkgs.nixos-container}/bin/nixos-container status "$CONTAINER")
if [ "$STATE" = 'down' ]; then
${pkgs.nixos-container}/bin/nixos-container start "$CONTAINER"
fi
ping -c1 green.r
if [ "$?" -ne 0 ]; then
${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch
fi
'')
];
}

5
lass/2configs/hw/x220.nix
View file

@ -30,8 +30,7 @@
};
};
services.logind.extraConfig = ''
HandleLidSwitch=ignore
'';
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
}

4
lass/2configs/mail.nix
View file

@ -233,8 +233,4 @@ in {
tag-new-mails
tag-old-mails
];
nixpkgs.config.packageOverrides = opkgs: {
notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; }));
};
}

10
lass/2configs/paste.nix
View file

@ -10,6 +10,16 @@ with import <stockholm/lib>;
proxy_pass http://localhost:9081;
'';
};
services.nginx.virtualHosts.paste-readonly = {
serverAliases = [ "p.krebsco.de" ];
locations."/".extraConfig = ''
if ($request_method != GET) {
return 403;
}
proxy_set_header Host $host;
proxy_pass http://localhost:9081;
'';
};
krebs.htgen.paste = {
port = 9081;
script = toString [

2
lass/2configs/prism-share.nix
View file

@ -21,7 +21,7 @@ with import <stockholm/lib>;
shares = {
incoming = {
path = "/mnt/prism";
"read only" = "no";
"read only" = "yes";
browseable = "yes";
"guest ok" = "yes";
};

16
lass/2configs/radio.nix
View file

@ -10,7 +10,7 @@ let
source-password = import <secrets/icecast-source-pw>;
add_random = pkgs.writeDashBin "add_random" ''
${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.mpc_cli}/bin/mpc ls | shuf -n1)"
${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.mpc_cli}/bin/mpc ls the_playlist/music | grep '\.ogg$' | shuf -n1)"
'';
skip_track = pkgs.writeDashBin "skip_track" ''
@ -57,8 +57,11 @@ in {
services.mpd = {
enable = true;
group = "radio";
musicDirectory = "/home/radio/the_playlist/music";
musicDirectory = "/home/radio/music";
extraConfig = ''
log_level "default"
auto_update "yes"
audio_output {
type "shout"
encoding "lame"
@ -245,4 +248,13 @@ in {
alias ${html};
'';
};
krebs.syncthing.folders."the_playlist" = {
path = "/home/radio/music/the_playlist";
peers = [ "mors" "phone" "prism" ];
};
krebs.permown."/home/radio/music/the_playlist" = {
owner = "radio";
group = "syncthing";
umask = "0002";
};
}

17
lass/2configs/ssh-cryptsetup.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, ... }:
{
boot.initrd = {
network = {
enable = true;
ssh = {
enable = true;
authorizedKeys = with config.krebs.users; [
config.krebs.users.lass-mors.pubkey
config.krebs.users.lass-blue.pubkey
config.krebs.users.lass-shodan.pubkey
config.krebs.users.lass-icarus.pubkey
];
};
};
};
}

11
lass/2configs/sync/decsync.nix Normal file
View file

@ -0,0 +1,11 @@
{
krebs.syncthing.folders.decsync = {
path = "/home/lass/decsync";
peers = [ "mors" "blue" "green" "phone" ];
};
krebs.permown."/home/lass/decsync" = {
owner = "lass";
group = "syncthing";
umask = "0007";
};
}

8
lass/2configs/sync/weechat.nix Normal file
View file

@ -0,0 +1,8 @@
{
krebs.syncthing.folders."/home/lass/.weechat".peers = [ "blue" "green" "mors" ];
krebs.permown."/home/lass/.weechat" = {
owner = "lass";
group = "syncthing";
umask = "0007";
};
}

21
lass/2configs/syncthing.nix
View file

@ -1,9 +1,10 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
{ config, pkgs, ... }: with import <stockholm/lib>; let
peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
in {
services.syncthing = {
enable = true;
group = "syncthing";
configDir = "/var/lib/syncthing";
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
@ -13,17 +14,17 @@ with import <stockholm/lib>;
enable = true;
cert = toString <secrets/syncthing.cert>;
key = toString <secrets/syncthing.key>;
peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
folders = [
{ path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism"]; }
];
peers = peers;
folders."/home/lass/sync".peers = attrNames peers;
};
system.activationScripts.syncthing-home = ''
${pkgs.coreutils}/bin/chmod a+x /home/lass
'';
lass.ensure-permissions = [
{ folder = "/home/lass/sync"; owner = "lass"; group = "syncthing"; }
];
krebs.permown."/home/lass/sync" = {
owner = "lass";
group = "syncthing";
umask = "0007";
};
}

6
lass/2configs/websites/domsen.nix
View file

@ -119,7 +119,7 @@ in {
authenticators.PLAIN = ''
driver = plaintext
public_name = PLAIN
server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
'';
authenticators.LOGIN = ''
driver = plaintext
@ -237,8 +237,8 @@ in {
krebs.on-failure.plans.restic-backups-domsen = {};
services.restic.backups.domsen = {
initialize = true;
extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ];
repository = "sftp:efOVcMWSZ@wilhelmstr.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES";
extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr2.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ];
repository = "sftp:efOVcMWSZ@wilhelmstr2.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES";
passwordFile = toString <secrets> + "/domsen_backup_pw";
timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
paths = [

66
lass/2configs/xdg-open.nix Normal file
View file

@ -0,0 +1,66 @@
{ config, pkgs, lib, ... }: with import <stockholm/lib>; let
xdg-open-wrapper = pkgs.writeDashBin "xdg-open" ''
/run/wrappers/bin/sudo -u lass ${xdg-open} "$@"
'';
xdg-open = pkgs.writeBash "xdg-open" ''
set -e
FILE="$1"
mime=
case "$FILE" in
http://*|https://*)
mime=text/html
;;
mailto:*)
mime=special/mailaddress
;;
magnet:*)
mime=application/x-bittorrent
;;
irc:*)
mime=x-scheme-handler/irc
;;
*)
# its a file
# strip possible protocol
FILE=''${FILE#file://}
mime=''$(file -E --brief --mime-type "$FILE") \
|| (echo "$mime" 1>&2; exit 1)
# ^ echo the error message of file
;;
esac
case "$mime" in
special/mailaddress)
urxvtc --execute vim "$FILE" ;;
${optionalString (hasAttr "browser" config.lass) ''
text/html)
${config.lass.browser.select}/bin/browser-select "$FILE" ;;
text/xml)
${config.lass.browser.select}/bin/browser-select "$FILE" ;;
''}
text/*)
urxvtc --execute vim "$FILE" ;;
image/*)
sxiv "$FILE" ;;
application/x-bittorrent)
env DISPLAY=:0 transgui "$FILE" ;;
application/pdf)
zathura "$FILE" ;;
inode/directory)
sudo -u lass -i urxvtc --execute mc "$FILE" ;;
*)
# open dmenu and ask for program to open with
$(dmenu_path | dmenu) "$FILE";;
esac
'';
in {
environment.systemPackages = [ xdg-open-wrapper ];
security.sudo.extraConfig = ''
cr ALL=(lass) NOPASSWD: ${xdg-open} *
'';
}

1
lass/3modules/default.nix
View file

@ -3,7 +3,6 @@ _:
imports = [
./dnsmasq.nix
./ejabberd
./ensure-permissions.nix
./folderPerms.nix
./hosts.nix
./mysql-backup.nix

66
lass/3modules/ensure-permissions.nix
View file

@ -1,66 +0,0 @@
{ config, pkgs, ... }: with import <stockholm/lib>;
let
cfg = config.lass.ensure-permissions;
in
{
options.lass.ensure-permissions = mkOption {
default = [];
type = types.listOf (types.submodule ({
options = {
folder = mkOption {
type = types.absolute-pathname;
};
owner = mkOption {
# TODO user type
type = types.str;
default = "root";
};
group = mkOption {
# TODO group type
type = types.str;
default = "root";
};
permission = mkOption {
# TODO permission type
type = types.str;
default = "u+rw,g+rw";
};
};
}));
};
config = mkIf (cfg != []) {
system.activationScripts.ensure-permissions = concatMapStringsSep "\n" (plan: ''
${pkgs.coreutils}/bin/mkdir -p ${plan.folder}
${pkgs.coreutils}/bin/chmod -R ${plan.permission} ${plan.folder}
${pkgs.coreutils}/bin/chown -R ${plan.owner}:${plan.group} ${plan.folder}
'') cfg;
systemd.services =
listToAttrs (map (plan: nameValuePair "ensure-permisson.${replaceStrings ["/"] ["_"] plan.folder}" {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Restart = "always";
RestartSec = 10;
ExecStart = pkgs.writeDash "ensure-perms" ''
${pkgs.inotifyTools}/bin/inotifywait -mrq -e CREATE --format %w%f ${plan.folder} \
| while IFS= read -r FILE; do
${pkgs.coreutils}/bin/chmod -R ${plan.permission} "$FILE" 2>/dev/null
${pkgs.coreutils}/bin/chown -R ${plan.owner}:${plan.group} "$FILE" 2>/dev/null
done
'';
};
}) cfg)
;
};
}

31
lass/3modules/usershadow.nix
View file

@ -31,13 +31,24 @@
session required pam_loginuid.so
'';
security.pam.services.dovecot2.text = ''
auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
session required pam_env.so envfile=${config.system.build.pamEnvironment}
'';
security.pam.services.dovecot2 = {
text = ''
auth required pam_exec.so debug expose_authtok log=/tmp/lol /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
session required pam_env.so envfile=${config.system.build.pamEnvironment}
'';
};
security.wrappers.shadow_verify_pam = {
source = "${usershadow}/bin/verify_pam";
owner = "root";
};
security.wrappers.shadow_verify_arg = {
source = "${usershadow}/bin/verify_arg";
owner = "root";
};
};
usershadow = let {
@ -46,10 +57,13 @@
"bytestring"
];
body = pkgs.writeHaskellPackage "passwords" {
ghc-options = [
"-rtsopts"
"-Wall"
];
executables.verify_pam = {
extra-depends = deps;
text = ''
import Data.Monoid
import System.IO
import Data.Char (chr)
import System.Environment (getEnv, getArgs)
@ -72,7 +86,6 @@
executables.verify_arg = {
extra-depends = deps;
text = ''
import Data.Monoid
import System.Environment (getArgs)
import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
import qualified Data.ByteString.Char8 as BS8

21
lib/types.nix
View file

@ -89,7 +89,7 @@ rec {
syncthing.id = mkOption {
# TODO syncthing id type
type = nullOr string;
type = nullOr str;
default = null;
};
};
@ -542,21 +542,28 @@ rec {
merge = mergeOneOption;
};
# POSIX.12013, 3.278 Portable Filename Character Set
# POSIX.12017, 3.190 Group Name
groupname = mkOptionType {
name = "POSIX group name";
check = filename.check;
merge = mergeOneOption;
};
# POSIX.12017, 3.281 Portable Filename
filename = mkOptionType {
name = "POSIX filename";
name = "POSIX portable filename";
check = test "[0-9A-Za-z._][0-9A-Za-z._-]*";
merge = mergeOneOption;
};
# POSIX.12013, 3.2 Absolute Pathname
# POSIX.12017, 3.2 Absolute Pathname
absolute-pathname = mkOptionType {
name = "POSIX absolute pathname";
check = x: isString x && substring 0 1 x == "/" && pathname.check x;
merge = mergeOneOption;
};
# POSIX.12013, 3.267 Pathname
# POSIX.1-2017, 3.271 Pathname
pathname = mkOptionType {
name = "POSIX pathname";
check = x:
@ -570,9 +577,9 @@ rec {
merge = mergeOneOption;
};
# POSIX.1-2013, 3.431 User Name
# POSIX.1-2017, 3.216 Login Name
username = mkOptionType {
name = "POSIX username";
name = "POSIX login name";
check = filename.check;
merge = mergeOneOption;
};

14
makefu/1systems/sdev/config.nix
View file

@ -6,13 +6,13 @@
[ # Include the results of the hardware scan.
<stockholm/makefu>
<stockholm/makefu/2configs/hw/vbox-guest.nix>
#{ # until virtualbox-image is fixed
# imports = [
# <stockholm/makefu/2configs/fs/single-partition-ext4.nix>
# ];
# boot.loader.grub.device = lib.mkForce "/dev/sda";
#}
# <stockholm/makefu/2configs/hw/vbox-guest.nix> # broken since 2019-04-18
{ # until virtualbox-image is fixed
imports = [
<stockholm/makefu/2configs/fs/single-partition-ext4.nix>
];
boot.loader.grub.device = lib.mkForce "/dev/sda";
}
<stockholm/makefu/2configs/main-laptop.nix>
# <secrets/extra-hosts.nix>

51
makefu/1systems/x/config.nix
View file

@ -11,9 +11,13 @@
<stockholm/makefu/2configs/home-manager/desktop.nix>
<stockholm/makefu/2configs/home-manager/cli.nix>
<stockholm/makefu/2configs/home-manager/mail.nix>
<stockholm/makefu/2configs/home-manager/taskwarrior.nix>
<stockholm/makefu/2configs/main-laptop.nix>
<stockholm/makefu/2configs/extra-fonts.nix>
<stockholm/makefu/2configs/tools/all.nix>
{ programs.adb.enable = true; }
<stockholm/makefu/2configs/dict.nix>
#<stockholm/makefu/3modules/netboot_server.nix>
#{
@ -23,7 +27,14 @@
# };
#}
# Restore:
# systemctl cat borgbackup-job-state
# export BORG_PASSCOMMAND BORG_REPO BORG_RSH
# borg list "$BORG_REPO"
# mount newroot somewhere && cd somewhere
# borg extract "$BORG_REPO::x-state-2019-04-17T01:41:51" --progress # < extract to cwd
<stockholm/makefu/2configs/backup/state.nix>
# <stockholm/makefu/2configs/dnscrypt/client.nix>
<stockholm/makefu/2configs/avahi.nix>
<stockholm/makefu/2configs/support-nixos.nix>
@ -46,19 +57,18 @@
# Krebs
<stockholm/makefu/2configs/tinc/retiolum.nix>
<stockholm/makefu/2configs/share/gum-client.nix>
# <stockholm/makefu/2configs/share/gum-client.nix>
# applications
<stockholm/makefu/2configs/exim-retiolum.nix>
<stockholm/makefu/2configs/mail-client.nix>
<stockholm/makefu/2configs/printer.nix>
<stockholm/makefu/2configs/task-client.nix>
# <stockholm/makefu/2configs/syncthing.nix>
# Virtualization
<stockholm/makefu/2configs/virtualisation/libvirt.nix>
<stockholm/makefu/2configs/virtualisation/docker.nix>
# <stockholm/makefu/2configs/virtualisation/libvirt.nix>
# <stockholm/makefu/2configs/virtualisation/docker.nix>
<stockholm/makefu/2configs/virtualisation/virtualbox.nix>
#{
# networking.firewall.allowedTCPPorts = [ 8080 ];
@ -71,35 +81,43 @@
# Services
<stockholm/makefu/2configs/git/brain-retiolum.nix>
<stockholm/makefu/2configs/tor.nix>
<stockholm/makefu/2configs/vpn/vpngate.nix>
# <stockholm/makefu/2configs/vpn/vpngate.nix>
# <stockholm/makefu/2configs/buildbot-standalone.nix>
<stockholm/makefu/2configs/remote-build/aarch64-community.nix>
<stockholm/makefu/2configs/remote-build/gum.nix>
{ nixpkgs.overlays = [ (self: super: super.prefer-remote-fetch self super) ]; }
# <stockholm/makefu/2configs/remote-build/gum.nix>
# { nixpkgs.overlays = [ (self: super: super.prefer-remote-fetch self super) ]; }
<stockholm/makefu/2configs/binary-cache/gum.nix>
<stockholm/makefu/2configs/binary-cache/lass.nix>
# Hardware
<stockholm/makefu/2configs/hw/tp-x230.nix>
<stockholm/makefu/2configs/hw/mceusb.nix>
<stockholm/makefu/2configs/hw/malduino_elite.nix>
# <stockholm/makefu/2configs/hw/mceusb.nix>
# <stockholm/makefu/2configs/hw/tpm.nix>
# <stockholm/makefu/2configs/hw/rtl8812au.nix>
<stockholm/makefu/2configs/hw/network-manager.nix>
<stockholm/makefu/2configs/hw/stk1160.nix>
<stockholm/makefu/2configs/hw/irtoy.nix>
# <stockholm/makefu/2configs/hw/stk1160.nix>
# <stockholm/makefu/2configs/hw/irtoy.nix>
# <stockholm/makefu/2configs/hw/malduino_elite.nix>
<stockholm/makefu/2configs/hw/switch.nix>
<stockholm/makefu/2configs/hw/bluetooth.nix>
# <stockholm/makefu/2configs/hw/rad1o.nix>
<stockholm/makefu/2configs/hw/smartcard.nix>
{
services.upower.enable = true;
users.users.makefu.packages = [ pkgs.gnome3.gnome-power-manager ];
}
# Filesystem
<stockholm/makefu/2configs/fs/sda-crypto-root-home.nix>
# Security
<stockholm/makefu/2configs/sshd-totp.nix>
{ programs.adb.enable = true; }
# temporary
{ services.redis.enable = true; }
<stockholm/makefu/2configs/pyload.nix>
# { services.redis.enable = true; }
# <stockholm/makefu/2configs/pyload.nix>
# <stockholm/makefu/2configs/dcpp/airdcpp.nix>
# <stockholm/makefu/2configs/nginx/rompr.nix>
# <stockholm/makefu/2configs/lanparty/lancache.nix>
@ -136,6 +154,9 @@
makefu.server.primary-itf = "wlp3s0";
nixpkgs.config.allowUnfree = true;
nixpkgs.config.oraclejdk.accept_license = true;
# configure pulseAudio to provide a HDMI sink as well
networking.firewall.enable = true;
@ -163,7 +184,6 @@
"/home/makefu/.ssh/"
"/home/makefu/.zsh_history"
"/home/makefu/.bash_history"
"/home/makefu/.zshrc"
"/home/makefu/bin"
"/home/makefu/.gnupg"
"/home/makefu/.imapfilter"
@ -171,6 +191,7 @@
"/home/makefu/docs"
"/home/makefu/.password-store"
"/home/makefu/.secrets-pass"
"/home/makefu/.config/syncthing"
];
services.syncthing.user = lib.mkForce "makefu";

13
makefu/2configs/binary-cache/gum.nix Normal file
View file

@ -0,0 +1,13 @@
{ config, ... }:
{
nix = {
binaryCaches = [
"https://cache.euer.krebsco.de/"
];
binaryCachePublicKeys = [
"gum:iIXIFlCAotib+MgI3V/i3HMlFXiVYOT/jfP0y54Zuvg="
];
};
}

7
makefu/2configs/binary-cache/server.nix
View file

@ -19,9 +19,10 @@
};
services.nginx = {
enable = true;
virtualHosts.nix-serve = {
serverAliases = [ "cache.gum.r"
"cache.euer.krebsco.de"
virtualHosts."cache.euer.krebsco.de" = {
forceSSL = true;
enableACME = true;
serverAliases = [ # "cache.gum.r"
"cache.gum.krebsco.de"
];
locations."/".proxyPass= "http://localhost:${toString config.services.nix-serve.port}";

42
makefu/2configs/bureautomation/automation/bureau-shutdown.nix
View file

@ -5,14 +5,40 @@
entity_id = "group.team";
from = "not_home";
to = "home";
for.seconds = 30;
};
action = {
service = "homeassistant.turn_on";
entity_id = [
"switch.fernseher"
"switch.feuer"
];
};
action = [
{
service = "homeassistant.turn_on";
entity_id = [
"switch.fernseher"
"switch.feuer"
];
}
{
service = "media_player.kodi_call_method";
data = {
entity_id = "media_player.kodi";
method = "Player.Open";
item.partymode = "music";
};
}
{
service = "tts.google_say";
entity_id = "media_player.kodi";
data = {
message = "Willkommen in deinem Lieblingsbüro";
language = "de";
};
}
{
service = "notify.telegrambot";
data = {
title = "Bureau Startup";
message = "Willkommen {{ trigger.platform }}";
};
}
];
}
{ alias = "Turn off Fernseher after last in group left";
trigger = [
@ -42,7 +68,7 @@
service = "notify.telegrambot";
data = {
title = "Bureau Shutdown";
message = "All devices are turned off due to {{ trigger.platform }} - {{ trigger }}";
message = "All devices are turned off due to {{ trigger.platform }}";
};
}
];

31
makefu/2configs/bureautomation/automation/hass-restart.nix Normal file
View file

@ -0,0 +1,31 @@
[
{ alias = "State on HA start-up";
trigger = {
platform = "homeassistant";
event = "start";
};
action = [
# Startup State
{ service = "mqtt.publish";
data = {
topic = "/bam/sonoffs/cmnd/state";
payload = "";
};
}
# Firmware Version
{ service = "mqtt.publish";
data = {
topic = "/bam/sonoffs/cmnd/status";
payload = "2";
};
}
# Will trigger restart of all devices!
#{ service = "mqtt.publish";
# data = {
# topic = "sonoffs/cmnd/SetOption59"; # configure sending state on power change
# payload = "1";
# };
#}
];
}
]

72
makefu/2configs/bureautomation/automation/nachtlicht.nix
View file

@ -1,43 +1,35 @@
[
{
alias = "Turn off Nachtlicht on sunrise";
trigger =
{
platform = "sun";
event = "sunrise";
};
action =
{
service = "homeassistant.turn_off";
entity_id = [ "group.nachtlicht" ];
};
}
# TODO: trigger if it is before dusk and somebody arives but nachtlichter are
# off from last day
# TODO: do not have nachtlicht turned on at night
{
alias = "Turn on Nachtlicht at dusk"; # when it gets dim
trigger =
{ platform = "numeric_state";
entity_id = "sun.sun";
value_template = "{{ state.attributes.elevation }}";
below = 10;
{
alias = "Turn on Nachtlicht on motion and dusk";
trigger =
{
platform = "state";
entity_id = "binary_sensor.motion";
to = "on";
};
condition = # 'when dark'
{
condition = "or";
conditions = [
{ condition = "sun";
after = "sunset";
after_offset = "-00:45:00"; # on dusk
}
{ condition = "sun";
before = "sunrise";
}
];
};
action =
{
service = "homeassistant.turn_on";
entity_id = [ "group.nachtlicht" ];
};
}
};
action =
{ service = "homeassistant.turn_on";
entity_id = [ "group.nachtlicht" ];
};
}
{
alias = "Turn off Nachtlicht at dawn";
trigger =
{ platform = "sun";
event = "sunrise";
offset = "01:30:00"; # on dawn
};
# TODO: when somebody is still in the buero
# condition =
#{
#};
action =
{ service = "homeassistant.turn_off";
entity_id = [ "group.nachtlicht" ];
};
}
]

3
makefu/2configs/bureautomation/default.nix
View file

@ -20,6 +20,9 @@ let
mosquitto_pub -t /bam/$topic/cmnd/POWER -m OFF
'';
in {
imports = [
./ota.nix
];
services.logstash = {
package = pkgs.logstash5;
enable = true;

27
makefu/2configs/bureautomation/hass.nix
View file

@ -6,6 +6,7 @@ in {
state = [ "/var/lib/hass/known_devices.yaml" ];
services.home-assistant = {
enable = true;
package = pkgs.home-assistant.override { python3 = pkgs.python36; };
config = {
homeassistant = {
name = "Bureautomation";
@ -13,8 +14,14 @@ in {
latitude = "48.8265";
longitude = "9.0676";
elevation = 303;
auth_providers = [
{ type = "homeassistant";}
{ type = "legacy_api_password";}
{ type = "trusted_networks";
# allow_bypass_login = true;
}
];
};
mqtt = {
broker = "localhost";
port = 1883;
@ -79,7 +86,8 @@ in {
sensor =
(import ./sensor/espeasy.nix) ++
((import ./sensor/outside.nix) {inherit lib;}) ++
(import ./sensor/influxdb.nix);
(import ./sensor/influxdb.nix) ++
(import ./sensor/tasmota_firmware.nix);
camera =
(import ./camera/verkehrskamera.nix);
@ -89,12 +97,22 @@ in {
# (import ./person/team.nix );
frontend = { };
http = { };
http = {
# TODO: https://github.com/home-assistant/home-assistant/issues/16149
api_password = "sistemas";
trusted_networks = [
"127.0.0.1/32"
"192.168.8.0/24"
"::1/128"
"fd00::/8"
];
};
conversation = {};
history = {};
logbook = {};
tts = [ { platform = "google";} ];
recorder = {};
sun = {};
telegram_bot = [
(builtins.fromJSON
(builtins.readFile <secrets/hass/telegram-bot.json>))
@ -156,8 +174,10 @@ in {
outside = [
# "sensor.ditzingen_pm10"
# "sensor.ditzingen_pm25"
"sensor.dark_sky_icon"
"sensor.dark_sky_temperature"
"sensor.dark_sky_humidity"
"sensor.dark_sky_uv_index"
# "sensor.dark_sky_pressure"
"sensor.dark_sky_hourly_summary"
"device_tracker.router"
@ -169,6 +189,7 @@ in {
# home-assistant
automation = (import ./automation/bureau-shutdown.nix) ++
(import ./automation/nachtlicht.nix) ++
(import ./automation/hass-restart.nix) ++
(import ./automation/10h_timer.nix);
device_tracker = (import ./device_tracker/openwrt.nix );
};

5
makefu/2configs/bureautomation/light/statuslight.nix
View file

@ -20,7 +20,7 @@ let
payload_not_available= "Offline";
# brightness
brightness_state_topic = "/bam/${topic}/tele/STATE";
brightness_value_template = "{{value_json.Dimmer}}";
brightness_value_template = "{{value_json.Dimmer|default(100)}}";
brightness_command_topic = "/bam/${topic}/cmnd/Dimmer";
brightness_scale = 100;
# color
@ -30,9 +30,8 @@ let
rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}";
# effects
effect_state_topic = "/bam/${topic}/tele/STATE";
effects_value_template = "{{value_json.Scheme}}";
effects_value_template = "{{value_json.Scheme|default(0)}}";
effect_command_topic = "/bam/${topic}/cmnd/Scheme";
effect_value_template = "{{ value_json.Scheme }}";
effect_list = [
0 # single color for LED light
1 # start wake up sequence (same as Wakeup)

15
makefu/2configs/bureautomation/ota.nix Normal file
View file

@ -0,0 +1,15 @@
{
# mosquitto_pub -t /bam/sonoffs/cmnd/OtaUrl -m "http://192.168.8.11/sonoff.bin"
# mosquitto_pub -t /bam/sonoffs/cmnd/upgrade -m "6.5.0"
# wget https://github.com/arendst/Sonoff-Tasmota/releases/download/v6.5.0/sonoff.bin
# wget https://github.com/arendst/Sonoff-Tasmota/releases/download/v6.5.0/sonoff-minimal.bin
services.nginx = {
enable = true;
virtualHosts."192.168.8.11" = {
root = "/var/www/tasmota";
extraConfig = ''
autoindex on;
'';
};
};
}

16
makefu/2configs/bureautomation/sensor/tasmota_firmware.nix Normal file
View file

@ -0,0 +1,16 @@
let
tasmota_firmware = topic:
{ platform = "mqtt";
name = "${topic} Firmware";
state_topic = "/bam/${topic}/stat/STATUS2";
availability_topic = "/bam/${topic}/tele/LWT";
value_template = "v{{value_json.StatusFWR.Version}}";
payload_available= "Online";
payload_not_available= "Offline";
};
in
map tasmota_firmware [
"plug" "plug2" "plug3" "plug4" "plug5"
"status1" "status2" "buslicht"
"rfbridge"
]

4
makefu/2configs/deployment/owncloud.nix
View file

@ -23,9 +23,9 @@ let
in {
system.activationScripts."prepare-nextcloud-${domain}" = ''
if test ! -e ${root} ;then
echo "copying latest ${pkgs.owncloud.name} release to ${root}"
echo "copying latest ${pkgs.nextcloud.name} release to ${root}"
mkdir -p $(dirname "${root}")
cp -r ${pkgs.owncloud} "${root}"
cp -r ${pkgs.nextcloud} "${root}"
chown -R nginx:nginx "${root}"
chmod 770 "${root}"
fi

2
makefu/2configs/home-manager/default.nix
View file

@ -2,7 +2,9 @@
imports = [
<home-manager/nixos>
];
home-manager.useUserPackages = true;
home-manager.users.makefu = {
home.stateVersion = "19.03";
};
environment.variables = {
GTK_DATA_PREFIX = "/run/current-system/sw";

6
makefu/2configs/home-manager/desktop.nix
View file

@ -5,7 +5,10 @@
home-manager.users.makefu = {
systemd.user.services.network-manager-applet.Service.Environment = ''XDG_DATA_DIRS=/run/current-system/sw/share:${pkgs.networkmanagerapplet}/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache'';
programs.browserpass = { browsers = [ "firefox" ] ; enable = true; };
programs.firefox.enable = true;
programs.firefox = {
enable = true;
enableIcedTea = true;
};
programs.obs-studio.enable = true;
xdg.enable = true;
services.network-manager-applet.enable = true;
@ -20,7 +23,6 @@
filenamePattern=%F_%T_shot
'';
systemd.user.services.pasystray.Service.Environment = "PATH=" + (lib.makeBinPath (with pkgs;[ pavucontrol paprefs /* pavumeter */ /* paman */ ]) );
programs.chromium = {
enable = true;
extensions = [

4
makefu/2configs/home-manager/recording.nix Normal file
View file

@ -0,0 +1,4 @@
{pkgs, ... }:
{
home-manager.users.makefu.programs.obs-studio.enable = true;
}

6
makefu/2configs/home-manager/taskwarrior.nix
View file

@ -3,6 +3,12 @@ let
loc = "/home/makefu/.task";
in {
state = [ "${loc}/keys" ];
environment.shellAliases = {
tshack = "task tags:shack";
tkrebs = "task tags:krebs";
thome = "task tags:home";
t = "task project: ";
};
home-manager.users.makefu.programs.taskwarrior = {
enable = true;
dataLocation = loc;

1
makefu/2configs/home-manager/zsh.nix
View file

@ -67,6 +67,7 @@
home-manager.users.makefu.programs.zsh.shellAliases = {
cat = "bat";
catn = "${pkgs.coreutils}/bin/cat";
ncat = "${pkgs.coreutils}/bin/cat";
};
}
];

1
makefu/2configs/homeautomation/default.nix
View file

@ -108,6 +108,7 @@ in {
];
services.home-assistant = {
package = pkgs.home-assistant.override { python3 = pkgs.python36; };
config = {
homeassistant = {
name = "Home"; time_zone = "Europe/Berlin";

2
makefu/2configs/hw/tp-x2x0.nix
View file

@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
./tpm.nix
@ -19,7 +18,6 @@ with import <stockholm/lib>;
hardware.cpu.intel.updateMicrocode = true;
zramSwap.enable = true;
zramSwap.numDevices = 2;
# enable synaptics so we can easily disable the touchpad
# enable the touchpad with `synclient TouchpadOff=0`

2
makefu/2configs/tools/android-pentest.nix
View file

@ -3,7 +3,7 @@
{
nixpkgs.config.android_sdk.accept_license = true;
users.users.makefu.packages = with pkgs; [
mitmproxy
# mitmproxy
nmap
msf
drozer

3
makefu/2configs/tools/core-gui.nix
View file

@ -10,7 +10,8 @@
keepassx
pcmanfm
evince
mirage
# replacement for mirage:
sxiv
tightvnc
gnome3.dconf
xdotool

2
makefu/2configs/tools/media.nix
View file

@ -7,7 +7,7 @@
vlc
mumble
mplayer
quodlibet # exfalso
# quodlibet # exfalso
plowshare
streamripper

17
makefu/5pkgs/nixpkgs-pytools/default.nix Normal file
View file

@ -0,0 +1,17 @@
{pkgs, fetchFromGitHub}:
with pkgs.python3.pkgs;
buildPythonPackage rec {
pname = "nixpkgs-pytools";
version = "1.0.0-dev";
src = fetchFromGitHub {
owner = "nix-community";
repo = pname;
rev = "593443b5689333cad3b6fa5b42e96587df68b0f8";
sha256 = "1cjpngr1rn5q59a1krgmpq2qm96wbiirc8yf1xmm21p3mskb2db4";
};
propagatedBuildInputs = [
jinja2 setuptools
];
checkInputs = [ black ];
}

6
makefu/5pkgs/prison-break/default.nix
View file

@ -3,12 +3,12 @@ with pkgs.python3.pkgs;
buildPythonPackage rec {
pname = "prison-break";
version = "0.1.0";
version = "1.0.0";
src = fetchFromGitHub {
owner = "makefu";
repo = pname;
rev = "5eed6371e151e716faafa054e005bd98d77b4b5d";
sha256 = "170zs9grbgkx83ghg6pm13v7vhi604y44j550ypp2x26nidaw63j";
rev = "1.0.0";
sha256 = "0ab42z6qr42vz4fc077irn9ykrrylagx1dzlw8dqcanf49dxd961";
};
propagatedBuildInputs = [
docopt

10
makefu/krops.nix
View file

@ -1,6 +1,6 @@
{ config ? config, name, target ? name }: let
krops = ../submodules/krops;
nixpkgs-src = lib.importJSON ./nixpkgs.json;
nixpkgs-src = lib.importJSON ../krebs/nixpkgs.json;
lib = import "${krops}/lib";
pkgs = import "${krops}/pkgs" {};
@ -20,10 +20,6 @@
} // import (./. + "/1systems/${name}/source.nix");
source = { test }: lib.evalSource [
{
# nixos-18.09 @ 2018-09-18
# + uhub/sqlite: 5dd7610401747
# + hovercraft: 7134801b17d72
# + PR#53934: eac6797380af1
nixpkgs = if host-src.arm6 then {
# TODO: we want to track the unstable channel
symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/";
@ -31,7 +27,7 @@
derivation = ''
with import <nixpkgs> {};
pkgs.fetchFromGitHub {
owner = "makefu";
owner = "nixos";
repo = "nixpkgs";
rev = "${nixpkgs-src.rev}";
sha256 = "${nixpkgs-src.sha256}";
@ -75,7 +71,7 @@
(lib.mkIf ( host-src.home-manager ) {
home-manager.git = {
url = https://github.com/rycee/home-manager;
ref = "4aa07c3";
ref = "ff602cb906e3dd5d5f89c7c1d0fae65bc67119a0";
};
})
];

1
tv/2configs/mail-client.nix
View file

@ -3,7 +3,6 @@
pkgs.haskellPackages.much
pkgs.msmtp
pkgs.notmuch
pkgs.pythonPackages.alot
pkgs.qprint
pkgs.w3m
];

4
tv/2configs/pulse.nix
View file

@ -1,10 +1,12 @@
{ config, lib, pkgs, pkgs_i686, ... }:
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
pkg = pkgs.pulseaudioLight;
runDir = "/run/pulse";
pkgs_i686 = pkgs.pkgsi686Linux;
support32Bit =
pkgs.stdenv.isx86_64 &&
pkgs_i686.alsaLib != null &&

3
tv/5pkgs/default.nix
View file

@ -45,10 +45,9 @@ foldl' mergeAttrs {}
self.callPackage ./compat/18.03/pass {
pass-otp = self.callPackage ./compat/18.03/pass-otp {};
};
"18.09" =
}.${versions.majorMinor nixpkgsVersion} or
super.pass.withExtensions (ext: [
ext.pass-otp
]);
}.${versions.majorMinor nixpkgsVersion};
}

25
tv/5pkgs/simple/utsushi.nix
View file

@ -51,13 +51,19 @@ let
src =
if stdenv.system == "i686-linux" then
fetchurl {
url = "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-1.3.21.x86.deb.tar.gz";
sha256 = "16xv1pdfm2ryis815fawb7zqg6c4swww726g272ssx044r5dp80r";
urls = [
"https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x86/imagescan-bundle-debian-9-3.55.0.x86.deb.tar.gz"
"http://ni.r/~tv/mirrors/epson/imagescan-bundle-debian-9-3.55.0.x86.deb.tar.gz"
];
sha256 = "12syk4y8z22hm9r1lgxqp81vd24jbqgmq83b7yiyqfd4wfxb6k3s";
}
else if stdenv.system == "x86_64-linux" then
fetchurl {
url = "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-1.3.21.x64.deb.tar.gz";
sha256 = "0zik35h2jwrvkwcmq55wc72imidwdnmn1bayhypzhjcz61rasjg2";
urls = [
"https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-3.55.0.x64.deb.tar.gz"
"http://ni.r/~tv/mirrors/epson/imagescan-bundle-debian-9-3.55.0.x64.deb.tar.gz"
];
sha256 = "1wp372hqhzdar6ldxy7s9js2s872x8c5nwq3608dwg9gca11ppc5";
}
else throw "${name} is not supported on ${stdenv.system} (only i686-linux and x86_64 linux are supported)";
@ -92,7 +98,7 @@ let
license = stdenv.lib.licenses.eapl;
maintainers = [ stdenv.lib.maintainers.tv ];
platforms = stdenv.lib.platforms.linux;
version = "1.1.0";
version = "1.1.2";
};
};
@ -102,8 +108,11 @@ stdenv.mkDerivation rec {
name = "utsushi-${meta.version}";
src = fetchurl {
url = "http://support.epson.net/linux/src/scanner/imagescanv3/debian/imagescan_${meta.version}.orig.tar.gz";
sha256 = "1gmiimwkcyzbkfr25vzqczjhgh90fgxd96agbnkpf9gah1mpd6qj";
urls = [
"http://support.epson.net/linux/src/scanner/imagescanv3/debian/imagescan_${meta.version}.orig.tar.gz"
"http://ni.r/~tv/mirrors/epson/imagescan_${meta.version}.orig.tar.gz"
];
sha256 = "0xwl4xp07cigslbi1qc52jsjvxcyvjlx54g812mn7211p01v2h4l";
};
preConfigure = ''
@ -203,6 +212,6 @@ stdenv.mkDerivation rec {
license = stdenv.lib.licenses.gpl3;
maintainers = [ stdenv.lib.maintainers.tv ];
platforms = stdenv.lib.platforms.linux;
version = "3.54.0";
version = "3.55.0";
};
}