Merge remote-tracking branch 'prism/master'

tv 2021-09-28 22:48:17 +02:00
commit ed2c6bd979
59 changed files with 819 additions and 525 deletions


@ -10,6 +10,9 @@
<stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/reaktor2.nix>
<stockholm/krebs/2configs/wiki.nix>
## shackie irc bot
<stockholm/krebs/2configs/shack/reaktor.nix>
];
krebs.build.host = config.krebs.hosts.hotdog;


@ -109,7 +109,7 @@
<stockholm/krebs/2configs/shack/prometheus/node.nix>
<stockholm/krebs/2configs/shack/prometheus/server.nix>
<stockholm/krebs/2configs/shack/prometheus/blackbox.nix>
<stockholm/krebs/2configs/shack/prometheus/unifi.nix>
#<stockholm/krebs/2configs/shack/prometheus/unifi.nix>
<stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix>
## Collect local statistics via collectd and send to collectd
@ -124,7 +124,6 @@
loader.efi.canTouchEfiVariables = true;
initrd.luks.devices.luksroot.device = "/dev/sda3";
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
kernelModules = [ "kvm-intel" ];


@ -10,7 +10,6 @@ in {
enable = true;
build.user = config.krebs.users.krebs;
build.host = config.krebs.hosts.test-all-krebs-modules;
Reaktor.test = {};
apt-cacher-ng.enable = true;
backup.enable = true;
bepasty.enable = true;


@ -47,7 +47,7 @@ let
activate = "always";
command = {
filename =
"${pkgs.Reaktor.src}/reaktor/commands/tell-on_join";
<stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_join.sh>;
env = {
PATH = makeBinPath [
pkgs.coreutils # XXX env, touch
@ -95,10 +95,10 @@ let
}
hooks.sed
(generators.command_hook {
inherit (commands) hello random-emoji nixos-version;
inherit (commands) random-emoji nixos-version;
tell = {
filename =
"${pkgs.Reaktor.src}/reaktor/commands/tell-on_privmsg";
<stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh>;
env = {
PATH = makeBinPath [
pkgs.coreutils # XXX date, env
@ -223,9 +223,13 @@ in {
spanDate.title = new Date(entryDate).toString();
spanDate.appendChild(document.createTextNode(entryDate));
const link = document.createElement("a");
link.href = "http://wiki.r/agenda/" + encodeURIComponent(agendaItem.description.replaceAll("/", "\u29F8"));
link.appendChild(document.createTextNode(agendaItem.description));
const dd = document.createElement("dd");
dd.className = "description";
dd.appendChild(document.createTextNode(agendaItem.description));
dd.appendChild(link);
dd.appendChild(document.createTextNode(" "));
dd.appendChild(spanDate);
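Review bot: `link.href = "http://wiki.r/agenda/" + encodeURIComponent(agendaItem.description.replaceAll("/", "\u29F8"))` substitutes a look-alike character for every slash without saying why; a comment such as `// presumably "/" would be read as a path separator by the wiki, so swap in U+29F8 (BIG SOLIDUS) before encoding` would spare the next reader the lookup. `String.prototype.replaceAll` is an ES2021 addition; `replace(/\//g, "\u29F8")` is equivalent and works in older engines. The description itself goes through `createTextNode`, so it is not interpreted as markup. The enclosing function starts and ends outside this hunk.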


@ -183,7 +183,6 @@ in {
(sync-remote { name = "skytraq-datalogger"; url = "https://github.com/makefu/skytraq-datalogger"; })
(sync-remote { name = "realwallpaper"; url = "https://github.com/lassulus/realwallpaper"; })
(sync-remote { name = "painload"; url = "https://github.com/krebs/painload"; })
(sync-remote { name = "Reaktor"; url = "https://github.com/krebs/Reaktor"; })
(sync-remote { name = "nixos-wiki"; url = "https://github.com/Mic92/nixos-wiki.wiki.git"; })
];
}


@ -0,0 +1,74 @@
#!/bin/sh
# needs in path:
# curl jq
# creates and manages $PWD/state
set -euf
send_reaktor(){
# usage: send_reaktor "text"
echo "send_reaktor: $1"
curl -fsS http://localhost:7777 \
-H content-type:application/json \
-d "$(jq -n \
--arg text "$1" '{
command:"PRIVMSG",
params:["#shackspace",$text]
}'
)"
}
open=$(shuf -n1 <<EOF
happy hacking, shack ist offen
Heureka, der shack ist offen
Die Türe ist offen, der shack will bespielt werden
Frohlocket, der shack ist offen
shack is love, shack is life, shack is offen
Bin da, wer noch? shack hat geöffnet!
shack hat geöffnet: Arbeiten Sie sicher, arbeiten Sie klug!
Bin ich schon drin? Ich bin schon drin.. das war ja einfach. Also im shack.
Uuuuund es setzt sich in Bewegung, wir öffnen den shack, los, los! Ja da guckt ihr, jetzt gehts looos!
EOF
)
close=$(shuf -n1 <<EOF
Hacking vorbei, shack ist zu!
Tja, shack ist zu
Shackie-closie
Der Sandmann kommt, alle shackies sind zu haus und die Tür ist zu
shack hat Stromsparmodus aktiviert
Tür ist zu, shackspace ist jetzt koronakonform
Oh nein, eine Tür, sie ist verschlossen! Also, die vom shack
Ihr kennt das ja: Abschalten. Der shack ist zu.
EOF
)
error=$(shuf -n1 <<EOF
Hase, api ist kaputt! Bitte reparieren
API liefert kein sinnvolles Ergebnis, keine Ahnung ob shack offen oder zu ist
shack api defekt :(
Hubel Hubel, jemand könnte mal die shack api reparieren
API sagt derp
Siehste das? API? Da soll ich jetzt nen Request drauf machen? Jetzt werd ich aber langsam n bisschen wild hier langsam!
Der API ist ein bisschen ein Otto geworden, ischwör der will mich flaxen
ich möchte den geschäftsführer sprechen, das API geht nicht mehr!
Herr makefu an Kasse 3 bitte, Kasse 3 bitte Herr makefu. Der API Computer ist mal wieder ausgefallen
EOF
)
state=$(curl https://api.shackspace.de/v1/space | jq .doorState.open)
prevstate=$(cat state ||:)
if test "$state" == "$(cat state)";then
#echo "current and last state is the same ($state), doing nothing"
:
else
echo "API state and last state differ ( '$state' != '$prevstate')"
if test "$state" == "true";then
send_reaktor "$open"
elif test "$state" == "false";then
send_reaktor "$close"
else
send_reaktor "$error"
fi
echo "updating state"
printf "%s" "$state" > state
fi
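Review bot: `if test "$state" == "$(cat state)";then` re-reads the state file although `prevstate` was just captured for that purpose, and `==` is not POSIX `test` syntax even though the file is headed `#!/bin/sh`; `if test "$state" = "$prevstate";then` fixes both. The API fetch on the line above it runs `curl` without the `-fsS` that `send_reaktor` uses, so an HTTP error page is piped into `jq`, and a parse failure there makes the assignment fail under `set -e` and the script exit before the `error` message can be sent; `state=$(curl -fsS https://api.shackspace.de/v1/space | jq .doorState.open ||:)` keeps that branch reachable. `prevstate=$(cat state ||:)` could also silence the missing-file error with `2>/dev/null` on the first run.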


@ -112,7 +112,8 @@ in {
}
{ platform = "mpd";
name = "kiosk";
host = "lounge.kiosk.shack";
#host = "lounge.kiosk.shack";
host = "kiosk.shack";
}
];
@ -123,7 +124,7 @@ in {
http = {
base_url = "http://hass.shack";
use_x_forwarded_for = true;
trusted_proxies = "127.0.0.1";
trusted_proxies = [ "127.0.0.1" "::1" ];
};
#conversation = {};
@ -139,6 +140,7 @@ in {
language = "de";
cache = true;
time_memory = 57600;
base_url = "http://hass.shack";
}
];
device_tracker = [];


@ -1,7 +1,9 @@
{ config, pkgs, ... }:
let
light-shack-src = pkgs.fetchgit {
url = "https://git.shackspace.de/rz/standby.shack";
light-shack-src =
pkgs.fetchFromGitHub {
owner = "shackspace";
repo = "standby.shack";
rev = "e1b90a0a";
sha256 = "07fmz63arc5rxa0a3778srwz0jflp4ad6xnwkkc56hwybby0bclh";
};
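Review bot: `rev = "e1b90a0a";` is an abbreviated commit id; the output is still pinned by the `sha256` line, so reproducibility is not at risk, but a prefix can become ambiguous as the upstream repository grows and the fetch will then fail to resolve it. The other sources migrated to `fetchFromGitHub` in this commit (muell_mail, muellshack, node-light, shackdns, worlddomination) use full 40-character ids; powermeter (`rev = "438b08f"`) and s3-power (`rev = "0687ab64"`) have the same shortcoming.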


@ -2,8 +2,9 @@
let
pkg = pkgs.callPackage (
pkgs.fetchgit {
url = "https://git.shackspace.de/rz/muell_mail";
pkgs.fetchFromGitHub {
owner = "shackspace";
repo = "muell_mail";
rev = "c3e43687879f95e01a82ef176fa15678543b2eb8";
sha256 = "0hgchwam5ma96s2v6mx2jfkh833psadmisjbm3k3153rlxp46frx";
}) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; };


@ -2,8 +2,9 @@
let
pkg = pkgs.callPackage (
pkgs.fetchgit {
url = "https://git.shackspace.de/rz/muellshack";
pkgs.fetchFromGitHub {
owner = "shackspace";
repo = "muellshack";
rev = "dc80cf1edaa3d86ec2bebae8596ad1d4c4e3650a";
sha256 = "1yipr66zhrg5m20pf3rzvgvvl78an6ddkq6zc45rxb2r0i7ipkyh";


@ -2,8 +2,9 @@
let
pkg = pkgs.callPackage (
pkgs.fetchgit {
url = "https://git.shackspace.de/rz/node-light.git";
pkgs.fetchFromGitHub {
owner = "shackspace";
repo = "node-light";
rev = "90a9347b73af3a9960bd992e6293b357226ef6a0";
sha256 = "1av9w3w8aknlra25jw6gqxzbb01i9kdlfziy29lwz7mnryjayvwk";
}) { };


@ -6,14 +6,16 @@
let
influx-url = "http://influx.shack:8086";
pkg = pkgs.python3.pkgs.callPackage (
pkgs.fetchgit {
url = "https://git.shackspace.de/rz/powermeter.git";
pkgs.fetchFromGitHub {
owner = "shackspace";
repo = "powermeter";
rev = "438b08f";
sha256 = "0c5czmrwlw985b7ia6077mfrvbf2fq51iajb481pgqbywgxqis5m";
}) {};
in {
# receive response from light.shack / standby.shack
networking.firewall.allowedUDPPorts = [ 11111 ];
networking.firewall.allowedTCPPorts = [ 11111 ];
users.users.powermeter = {
extraGroups = [ "dialout" ];
isSystemUser = true;
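Review bot: The firewall rule below `# receive response from light.shack / standby.shack` switches the protocol opened on port 11111 (the rendered page shows both `allowedUDPPorts` and `allowedTCPPorts`; which one is the new side cannot be told here), but the comment does not say which protocol the responders actually use. Extending it to name the protocol and port, e.g. `# receive response from light.shack / standby.shack (TCP 11111)` if that is the new side, keeps the comment from going stale the next time this flips.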


@ -0,0 +1,30 @@
{ config, lib, pkgs, ... }:
{
krebs.reaktor2.shackie = {
hostname = "irc.libera.chat";
port = "6697";
nick = "shackie";
API.listen = "inet://127.0.0.1:7777";
plugins = [
{
plugin = "register";
config = {
channels = [
"#shackspace"
];
};
}
];
};
systemd.services.announce_doorstatus = {
startAt = "*:0/1";
path = with pkgs; [ curl jq ];
script = builtins.readFile ./doorstatus.sh;
serviceConfig = {
DynamicUser = true;
StateDirectory = "doorstatus";
WorkingDirectory = "/var/lib/doorstatus";
PrivateTmp = true;
};
};
}
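Review bot: `port = "6697";` is the TLS port on irc.libera.chat, but nothing in this block enables TLS; if the reaktor2 module exposes a TLS switch (not visible on this page), set it explicitly next to `port`, otherwise the bot may attempt a plaintext IRC handshake against a TLS listener. The unit is well confined (`DynamicUser`, `StateDirectory`, `PrivateTmp`). Note that `script = builtins.readFile ./doorstatus.sh;` inlines the file into the unit's `script`, so its `#!/bin/sh` line is ignored and the code runs under the shell NixOS uses for `script` (bash), which is worth a one-line comment since the script uses non-POSIX `test ==`.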


@ -2,8 +2,9 @@
let
pkg = pkgs.callPackage (
pkgs.fetchgit {
url = "https://git.shackspace.de/rz/s3-power";
pkgs.fetchFromGitHub {
owner = "shackspace";
repo = "s3-power";
rev = "0687ab64";
sha256 = "1m8h4bwykv24bbgr5v51mam4wsbp5424xcrawhs4izv563jjf130";
}) { mkYarnPackage = pkgs.yarn2nix-moretea.mkYarnPackage; };


@ -1,9 +1,10 @@
{ config, lib, pkgs, ... }:
let
pkg =
pkgs.fetchgit {
url = "https://git.shackspace.de/rz/shackdns";
pkg =
pkgs.fetchFromGitHub {
owner = "shackspace";
repo = "shackdns";
rev = "e55cc906c734b398683f9607b93f1ad6435d8575";
sha256 = "1hkwhf3hqb4fz06b1ckh7sl0zcyi4da5fgdlksian8lxyd19n8sq";
};


@ -4,8 +4,9 @@ with import <stockholm/lib>;
let
pkg = pkgs.stdenv.mkDerivation {
name = "worlddomination-2020-12-01";
src = pkgs.fetchgit {
url = "https://git.shackspace.de/rz/worlddomination.git";
src = pkgs.fetchFromGitHub {
owner = "shackspace";
repo = "worlddomination";
rev = "c7aedcde7cd1fcb870b5356a6125e1a384b0776c";
sha256 = "0y6haz5apwa33lz64l7b2x78wrrckbw39j4wzyd1hfk46478xi2y";
};


@ -1,155 +0,0 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
cfg = config.krebs.Reaktor;
homedir = "/var/lib/Reaktor";
out = {
options.krebs.Reaktor = api;
config = mkIf (cfg != {}) imp;
};
api = mkOption {
default = {};
type = with types; attrsOf (submodule ({ options = {
nickname = mkOption {
default = config.krebs.build.host.name + "|r";
type = types.str;
description = ''
The nick name of the irc bot.
Defaults to {hostname}|r
'';
};
overrideConfig = mkOption {
default = null;
type = types.nullOr types.str;
description = ''
configuration to be used instead of default ones.
Reaktor default cfg can be retrieved via `reaktor get-config`
'';
};
plugins = mkOption {
default = [pkgs.ReaktorPlugins.nixos-version];
};
workdir = mkOption {
default = "/var/lib/Reaktor";
type = types.path;
description = ''
path to be used as workdir (home dir is still /var/lib/Reaktor)
'';
};
extraConfig = mkOption {
default = "";
type = types.str;
description = ''
configuration appended to the default or overridden configuration
'';
};
extraEnviron = mkOption {
default = {};
type = types.attrsOf types.str;
description = ''
Environment to be provided to the service, can be:
REAKTOR_HOST
REAKTOR_PORT
REAKTOR_STATEDIR
debug and nickname can be set separately via the Reaktor api
'';
};
channels = mkOption {
default = [ "#krebs" ];
type = types.listOf types.str;
description = ''
Channels the Reaktor should connect to at startup.
'';
};
debug = mkOption {
default = false;
description = ''
Reaktor debug output
'';
};
};}));
};
imp = {
# TODO get user per configured bot
# TODO get home from api
# for reaktor get-config
users.extraUsers = singleton rec {
name = "Reaktor";
uid = genid name;
description = "Reaktor user";
home = homedir;
createHome = true;
};
#users.extraGroups = singleton {
# name = "Reaktor";
# gid = config.ids.gids.Reaktor;
#};
systemd.services = mapAttrs' (name: botcfg:
let
ReaktorConfig = pkgs.writeText "config.py" ''
${if (isString botcfg.overrideConfig ) then ''
# Overriden Config
${botcfg.overrideConfig}
'' else ""}
## Extra Config
${concatStringsSep "\n" (map (plug: plug.config) botcfg.plugins)}
${botcfg.extraConfig}
'';
in nameValuePair "Reaktor-${name}" {
path = with pkgs; [
git # for nag
jq # for tell
python # for caps
utillinux # flock for tell
];
description = "Reaktor IRC Bot";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
PYTHONPATH = "${pkgs.Reaktor}/lib/python3.6/site-packages";
REAKTOR_NICKNAME = botcfg.nickname;
REAKTOR_DEBUG = (if botcfg.debug then "True" else "False");
REAKTOR_CHANNELS = lib.concatStringsSep "," botcfg.channels;
state_dir = botcfg.workdir;
} // botcfg.extraEnviron;
serviceConfig= {
ExecStartPre = pkgs.writeScript "Reaktor-init" ''
#! /bin/sh
${if (isString botcfg.overrideConfig) then
''cp ${ReaktorConfig} /tmp/reaktor-${name}-config.py''
else
''(${pkgs.Reaktor}/bin/reaktor get-config;cat "${ReaktorConfig}" ) > /tmp/reaktor-${name}-config.py''
}
mkdir -p ${botcfg.workdir}
'';
ExecStart = "${pkgs.Reaktor}/bin/reaktor run /tmp/reaktor-${name}-config.py";
PrivateTmp = "true";
User = "Reaktor";
Restart = "always";
RestartSec= "30" ;
};
}
) cfg;
};
in
out


@ -9,6 +9,7 @@ with import <stockholm/lib>;
${shell.escape (toString cfg.irc.port)} \
${shell.escape cfg.irc.nick} \
${shell.escape cfg.irc.channel} \
${escapeShellArg cfg.irc.tls} \
"$message"
'';
default-get-message = pkgs.writeDash "announce-activation-get-message" ''
@ -50,6 +51,10 @@ in {
default = "irc.r";
type = types.hostname;
};
tls = mkOption {
default = false;
type = types.bool;
};
};
};
config = mkIf cfg.enable {
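Review bot: `${escapeShellArg cfg.irc.tls} \` hands a Nix bool to the shell, and since nixpkgs' `escapeShellArg` applies `toString`, `false` becomes the empty string, so with the default `tls = false` irc-announce receives `IRC_TLS=''`; its new `tls_flag() { if [ "$IRC_TLS" -eq 1 ]; ...` then evaluates `[ "" -eq 1 ]`, which prints an "Illegal number" / "integer expression expected" error on every non-TLS announce (the `if` still falls through, so the message is sent). The same pass-through is in hidden-ssh (`${escapeShellArg cfg.tls}`) and irc-announce.nix (`tls=${escapeShellArg tls}`). Either pass `${if cfg.irc.tls then "1" else "0"}` at each call site, or make the consumer tolerant of the empty value: `tls_flag() { case "$IRC_TLS" in 1) echo "-c";; esac; }`.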


@ -43,7 +43,6 @@ let
./permown.nix
./per-user.nix
./power-action.nix
./Reaktor.nix
./reaktor2.nix
./realwallpaper.nix
./retiolum-bootstrap.nix


@ -18,42 +18,14 @@ with import <stockholm/lib>;
in {
hosts = mapAttrs hostDefaults {
toum = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.3";
aliases = [
"toum.r"
"toum.kmein.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2tRtskPP6391+ZX9xzsx
CUotXuqYucYmnUbrRSIlxASVqTmAf3nDOE5EDBBcTdSwnb02JcJW4Zh7+BGgMxjF
GxDPs6ETI28mHK+6rp8TOkMnyDb5mtSGVZPvKJU9fFOt6aAX1J1BzTfwtHtVQq7K
WBzdpeKXlw4dIQ6K6SGmPIPpEh9pE1Xb+GuVljCXKxGJFbW40dmh2ZdadO7umBDu
vRk08jT9/BUnUP6KrZlvyePnG38z6srMrVU+XAHu5D2qZ9y+QIp3kw7Y5JUrNXc7
9q9P9TYx15GiIz2mSJKcLVmkLRebsaqdV7dBibPbfdGE+NB+F1FYPGDdW4cnonon
DzzjGm/FDfOCXEnSkYGQDBWpfd/8AWum1xGJxJCPNBJElGE2o5jDWo4Y1b9gHP0M
vARm8AOK8R1pQ7BP+pNMO0gGw2NDrtWiWpTeZ7SqXmZAZ/Gmyen9X+/fowcbTyDH
b9joIuMQeOtxbUV2JprZIdit9NBFSZq/7Re/GBUwjGBm3LabIXFNGKZovx/f9lf8
r5tVs4SPauiKzZS0K1Gz1NSq+3OXaY5EwVrBUXptYqRT7uyhVloOPRUsqRFeB0Fn
Y5xOpDJ0UiJxgFbdH5Vb81D/VjNO9Q4nZib8wSEuLrYLHGoceQPX4+Ov9IdhIL4B
BMTCaF+VCWC5PCLr0e61KqMCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
wilde = {
kabsa = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.4";
aliases = [
"wilde.r"
"wilde.kmein.r"
"kabsa.r"
"kabsa.kmein.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
@ -99,34 +71,6 @@ in {
};
};
};
homeros = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.1";
aliases = [
"homeros.r"
"homeros.kmein.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
'';
};
};
};
horisa = {
cores = 2;
owner = config.krebs.users.ulrich; # main laptop
@ -205,6 +149,7 @@ in {
aliases = [
"makanek.r"
"makanek.kmein.r"
"grafana.kmein.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@ -317,6 +262,7 @@ in {
aliases = [
"zaatar.r"
"zaatar.kmein.r"
"radio.kmein.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@ -639,7 +585,7 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.13.12";
aliases = [ "catalonia.r" ];
aliases = [ "catalonia.r" "aleph.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAug+nej8/spuRHdzcfBYAuzUVoiq4YufmJqXSshvgf4aqjeVEt91Y


@ -19,6 +19,14 @@ let
type = types.str;
default = "irc.hackint.org";
};
port = mkOption {
type = types.int;
default = 6697;
};
tls = mkOption {
type = types.bool;
default = true;
};
message = mkOption {
type = types.str;
default = "SSH Hidden Service at ";
@ -27,14 +35,17 @@ let
imp = let
torDirectory = "/var/lib/tor"; # from tor.nix
hiddenServiceDir = torDirectory + "/ssh-announce-service";
hiddenServiceDir = torDirectory + "/onion/hidden-ssh";
in {
services.tor = {
enable = true;
extraConfig = ''
HiddenServiceDir ${hiddenServiceDir}
HiddenServicePort 22 127.0.0.1:22
'';
relay.onionServices.hidden-ssh = {
version = 3;
map = [{
port = 22;
target.port = 22;
}];
};
client.enable = true;
};
systemd.services.hidden-ssh-announce = {
@ -50,10 +61,14 @@ let
echo "still waiting for ${hiddenServiceDir}/hostname"
sleep 1
done
${pkgs.untilport}/bin/untilport ${cfg.server} 6667 && \
${pkgs.irc-announce}/bin/irc-announce \
${cfg.server} 6667 ${config.krebs.build.host.name}-ssh \
\${cfg.channel} \
${pkgs.untilport}/bin/untilport ${escapeShellArg cfg.server} ${toString cfg.port}
${pkgs.irc-announce}/bin/irc-announce \
${escapeShellArg cfg.server} \
${toString cfg.port} \
"${config.krebs.build.host.name}-ssh" \
${escapeShellArg cfg.channel} \
${escapeShellArg cfg.tls} \
"${cfg.message}$(cat ${hiddenServiceDir}/hostname)"
'';
PrivateTmp = "true";
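Review bot: The rewritten announce block drops the `&& \` that previously tied `irc-announce` to a successful `untilport`, so when `untilport` gives up, `irc-announce` now runs anyway unless the enclosing script (which starts outside this hunk) runs with `set -e`. If the chaining was intentional, restore it on the new line: `${pkgs.untilport}/bin/untilport ${escapeShellArg cfg.server} ${toString cfg.port} && \`. The message argument `"${cfg.message}$(cat ${hiddenServiceDir}/hostname)"` also interpolates the `message` option raw inside double quotes while every other option goes through `escapeShellArg`; a value containing `"` or `$` would break the script, so `${escapeShellArg cfg.message}"$(cat ${hiddenServiceDir}/hostname)"` is the safer form.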


@ -47,6 +47,7 @@ in {
radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
jitsi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
mumble 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
};
nets = rec {
@ -783,6 +784,62 @@ in {
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIn+o0uCBSot254kZKlNepVKFcwDPdr8s6+lQmYGM3Hd ";
syncthing.id = "TT4MBZS-YNDZUYO-Y6L4GOK-5IYUCXY-2RKFOSK-5SMZYSR-5QMOXSS-6DNJIAZ";
};
lasspi = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.1.89";
ip6.addr = r6 "189";
aliases = [
"lasspi.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3zUXIiw8/9okrGaxlAR1
JvoXNxAzLj5wwE2B0A+9ppev7Vl52HJarNoM6+0RN4aZDGMhDWg8J5ZQSdGUNm5F
CIdxE1TwLXxzW5nd7BIb+MVsjtw0pxId7Gxq6Wgtx1QljUdsp8OVrJActqsmXYMl
oYEWdENHRONYTCyhs+Kd18MERyxQCqOXOnD170iaFuCcHiIa2nSOtlk+aIPNIE/P
Qsp7Q0RCRvqd5LszsI7bp3gZL9mgGquQEW+3ZxSaIYHGTdK/zI4PHYpEa7IvdJFS
BJjJj+PbilnSxy7iL826O8ckxBqA0rNS0EynCKCI0DoVimCeklk20vLagDyXiDyC
VW2774j1rF35eIowPTBVJNfquEptNDl9MLV3MC2P8gnCZp5x+7dEwpqsvecBQ7Z8
+Ry9JZ/zlWi5qT86SrwKKqJqRhWHjZZSRzWdo4ypaNOy0cKHb2DcVfgn38Kf16xs
QM11XLCRE8VLIVl5UFgrF6q/0f8JP1BG8RO90NDsLwIW/EwKiJ9OGFtayvxkmgHP
zgmzgws8cn50762OPkp4OVzVexN77d9N8GU9QXAlsFyn2FJlO26DvFON4fHIf0bP
6lqI1Up2jAy0eSl2txlxxKbKRlkIaebHulhxIxQ1djA+xPb/5cfasom9Qqwf6/Lc
287nChBcbY+HlshTe0lZdrkCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
wiregrill = {
ip6.addr = w6 "189";
aliases = [
"lasspi.w"
];
wireguard.pubkey = ''
IIBAiG7jZEliQJJsNUQswLsB5FQFkAfq5IwyHAp71Vw=
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEjYOaTQE9OvvIaWWjO+3/uSy7rvnhnJA48rWYeB2DfB";
};
domsen-pixel = {
nets = {
wiregrill = {
ip4.addr = "10.244.1.17";
ip6.addr = w6 "d0";
aliases = [
"domsen-pixel.w"
];
wireguard.pubkey = "cGuBSB1DftIsanbxrSG/i4FiC+TmQrs+Z0uE6SPscHY=";
};
};
external = true;
ci = false;
};
};


@ -233,6 +233,7 @@ in {
"wiki.gum.r"
"wiki.makefu.r"
"warrior.gum.r"
"rss.makefu.r"
"sick.makefu.r"
"dl.gum.r"
"dl.makefu.r"


@ -51,6 +51,7 @@ let
serviceConfig = {
Type = "simple";
Restart = "on-failure";
ExecStart = "${pkgs.realwallpaper}/bin/generate-wallpaper";
User = "realwallpaper";
};


@ -15,6 +15,4 @@ foldl' mergeAttrs {}
{
brockman = self.haskellPackages.brockman;
reaktor2 = self.haskellPackages.reaktor2;
ReaktorPlugins = self.callPackage ./simple/Reaktor/plugins.nix {};
}


@ -7,12 +7,12 @@
}:
mkDerivation rec {
pname = "brockman";
version = "3.4.5";
version = "4.0.1";
src = fetchFromGitHub {
owner = "kmein";
repo = "brockman";
rev = version;
sha256 = "1q56ibgijcz6fgd60h0d1f2020l4n2i2nh98yaq95zhzwg0qsciy";
sha256 = "0hppgban8hfyhn4c8qgm8j7ml6jaa35pjgrv3k3q27ln71wnr8rz";
};
isLibrary = false;
isExecutable = true;


@ -1,24 +0,0 @@
{ lib, pkgs, python3Packages, fetchFromGitHub, ... }:
python3Packages.buildPythonPackage rec {
name = "Reaktor-${version}";
version = "0.7.1";
doCheck = false;
propagatedBuildInputs = with pkgs;[
python3Packages.docopt
python3Packages.requests
];
src = fetchFromGitHub {
owner = "krebs";
repo = "Reaktor";
rev = "v${version}";
sha256 = "0cv5a4x73ls6sk8qj2qi6gqn31rv8kvdg13dsf3jv92xdfx6brjn";
};
meta = {
homepage = http://krebsco.de/;
description = "An IRC bot based on asynchat";
license = lib.licenses.wtfpl;
};
}


@ -1,182 +0,0 @@
{ stdenv, lib, pkgs, makeWrapper }:
rec {
# Begin API
buildBaseReaktorPlugin = { name
, config # python extra configuration for plugin
, phases ? []
, ... } @ attrs:
stdenv.mkDerivation (attrs // {
name = "Reaktor-plugin-" + name;
isReaktorPlugin = true;
});
buildSimpleReaktorPlugin = name: { script
, path ? []
, env ? {}
, append_rule ? false # append the rule instead of insert
, pattern ? ""
, ... } @ attrs:
let
path_env = { "PATH" = lib.makeSearchPath "bin" (path ++ [ pkgs.coreutils ]); };
src_dir = pkgs.substituteAll ( {
inherit name;
dir = "bin";
isExecutable = true;
src = script;
});
src_file = "${src_dir}/bin/${name}";
config = ''
public_commands.${if append_rule then "append(" else "insert(0," }{
'capname' : "${name}",
'pattern' : ${if pattern == "" then
''indirect_pattern.format("${name}")'' else
''"${pattern}"'' },
'argv' : ["${src_file}"],
'env' : ${builtins.toJSON (path_env // env)} })
'';
config_file = pkgs.writeText "plugin.py" config;
in buildBaseReaktorPlugin (attrs // rec {
inherit name config;
phases = [ "installPhase" ];
buildInputs = [ makeWrapper ];
installPhase = ''
mkdir -p $out/bin $out/etc/Reaktor
ln -s ${src_file} $out/bin
wrapProgram $out/bin/${name} \
--prefix PATH : ${path_env.PATH}
ln -s ${config_file} $out/etc/Reaktor/plugin.py
'';
});
# End API
# Begin Plugins
random-emoji = buildSimpleReaktorPlugin "emoji" {
path = with pkgs; [ gnused gnugrep xmlstarlet curl ];
script = ./scripts/random-emoji.sh;
};
sed-plugin = buildSimpleReaktorPlugin "sed-plugin" {
path = [ pkgs.gnused pkgs.python3 ];
# only support s///gi the plugin needs to see every msg
# TODO: this will eat up the last regex, fix Reaktor to support fallthru
append_rule = true;
pattern = "^(?P<args>.*)$$";
script = ./scripts/sed-plugin.py;
};
shack-correct = buildSimpleReaktorPlugin "shack-correct" {
path = [ pkgs.gnused ];
pattern = "^(?P<args>.*Shack.*)$$";
script = ./scripts/shack-correct.sh;
};
nixos-version = buildSimpleReaktorPlugin "nixos-version" {
script = pkgs.writeDash "nixos-version" ''
. /etc/os-release
echo "$PRETTY_NAME"
'';
};
stockholm-issue = buildSimpleReaktorPlugin "stockholm-issue" {
script = ./scripts/random-issue.sh;
path = with pkgs; [ git gnused haskellPackages.lentil ];
env = { "origin" = "http://cgit.gum/stockholm"; };
};
titlebot =
let
pypkgs = pkgs.python3Packages;
titlebot_cmds = pypkgs.buildPythonPackage {
name = "titlebot_cmds";
propagatedBuildInputs = with pypkgs; [ setuptools ];
src = pkgs.fetchurl {
url = "https://github.com/makefu/reaktor-titlebot/archive/2.1.0.tar.gz";
sha256 = "0wvf09wmk8b52f9j65qrw81nwrhs9pfhijwrlkzp5l7l2q8cjkp6";
};
};
in buildBaseReaktorPlugin rec {
name = "titlebot";
phases = [ "installPhase" ];
installPhase = ''
mkdir -p $out
ln -s ${titlebot_cmds}/* $out
'';
config = ''
def titlebot_cmd(cmd):
from os import environ
return { 'capname': None,
'env': { 'TITLEDB':
environ['state_dir']+'/suggestions.json' },
'pattern': '^\\.' + cmd + '\\s*(?:\\s+(?P<args>.*))?$$',
'argv': [ '${titlebot_cmds}/bin/' + cmd ] }
for i in ['up','help','list','top','new']:
public_commands.insert(0,titlebot_cmd(i))
commands.insert(0,titlebot_cmd('clear'))
'';
};
url-title = (buildSimpleReaktorPlugin "url-title" {
pattern = "^.*(?P<args>http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+).*$$";
path = with pkgs; [ curl perl ];
script = pkgs.writePython3 "url-title" { deps = with pkgs.python3Packages; [ beautifulsoup4 lxml ]; } ''
import cgi
import sys
import urllib.request
from bs4 import BeautifulSoup
try:
req = urllib.request.Request(sys.argv[1])
req.add_header('user-agent', 'Reaktor-url-title')
resp = urllib.request.urlopen(req)
if resp.headers['content-type'].find('text/html') >= 0:
soup = BeautifulSoup(resp.read(16000), "lxml")
title = soup.find('title').string
if len(title.split('\n')) > 5:
title = '\n'.join(title.split('\n')[:5])
print(title[:450])
else:
cd_header = resp.headers['content-disposition']
print(cgi.parse_header(cd_header)[1]['filename'])
except: # noqa: E722
pass
'';
});
task = name: let
rcFile = builtins.toFile "taskrc" ''
confirmation=no
'';
in {
add = buildSimpleReaktorPlugin "${name}-task-add" {
pattern = "^${name}-add: (?P<args>.*)$$";
script = pkgs.writeDash "${name}-add" ''
TASKDATA=$HOME/${name} ${pkgs.taskwarrior}/bin/task rc:${rcFile} add "$*"
'';
};
list = buildSimpleReaktorPlugin "task-list" {
pattern = "^${name}-list";
script = pkgs.writeDash "task-list" ''
TASKDATA=$HOME/${name} ${pkgs.taskwarrior}/bin/task rc:${rcFile} export | ${pkgs.jq}/bin/jq -r '.[] | select(.id != 0) | "\(.id) \(.description)"'
'';
};
delete = buildSimpleReaktorPlugin "task-delete" {
pattern = "^${name}-delete: (?P<args>.*)$$";
script = pkgs.writeDash "task-delete" ''
TASKDATA=$HOME/${name} ${pkgs.taskwarrior}/bin/task rc:${rcFile} delete "$*"
'';
};
done = buildSimpleReaktorPlugin "task-done" {
pattern = "^${name}-done: (?P<args>.*)$$";
script = pkgs.writeDash "task-done" ''
TASKDATA=$HOME/${name} ${pkgs.taskwarrior}/bin/task rc:${rcFile} done "$*"
'';
};
};
}


@ -0,0 +1,25 @@
#! /bin/sh
set -euf
# require flock from util-linux (pkgs.utillinux)
if test "${FLOCK-}" != "$state_file"; then
exec env FLOCK="$state_file" flock "$state_file" "$0" "$@"
fi
# TODO tell now, if already joined
jq -r <"$state_file" \
--arg to "$_from" \
--arg msgtarget "$_msgtarget" \
'
select(.to == $to and .msgtarget == $msgtarget) |
"\(.to): \(.text) \u00032-- \(.from)\u00032 \(.date)"
'
jq -c <"$state_file" >"$state_file.tmp" \
--arg to "$_from" \
--arg msgtarget "$_msgtarget" \
'
select((.to == $to and .msgtarget == $msgtarget) | not)
'
mv "$state_file.tmp" "$state_file"
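Review bot: `jq -r <"$state_file" \` fails with a redirection error when the state file does not exist yet (nothing has been told since the state directory was created), and under `set -euf` that aborts the hook on the first join rather than printing nothing; the privmsg side only creates the file when it appends. A guard right after the flock re-exec, `test -e "$state_file" || exit 0`, covers this. The rest is sound: `$_from` and `$_msgtarget` enter the filter through `--arg`, so they are data, not jq code, and the rewrite goes through `$state_file.tmp` followed by `mv`.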


@ -0,0 +1,18 @@
#! /bin/sh
set -euf
# require flock from util-linux
if test "${FLOCK-}" != "$state_file"; then
exec env FLOCK="$state_file" flock "$state_file" "$0" "$@"
fi
# TODO tell now, if already joined
jq -cn \
--arg from "$_from" \
--arg to "${1%% *}" \
--arg text "${1#* }" \
--arg msgtarget "$_msgtarget" \
'{ $from, $to, $text, $msgtarget, date: (now | todate) }' \
>> "$state_file"
echo 'Consider it noted.' # that's what lambdabot says...
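Review bot: `--arg to "${1%% *}"` together with `--arg text "${1#* }"` assumes `$1` contains a space; for a bare `tell NICK` both expansions yield the whole argument, so a record whose `text` equals the nick is stored and "Consider it noted." is still printed. A guard before the jq call, `case $1 in *' '*) ;; *) echo 'usage: tell NICK MESSAGE'; exit;; esac`, rejects that form. Appending with `>>` correctly creates the state file on first use.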


@ -5,15 +5,19 @@ pkgs.symlinkJoin {
(pkgs.writers.writeDashBin "cput" ''
set -efu
path=''${1:-$(hostname)}
path=$(echo "/$path" | sed -E 's:/+:/:')
url=http://c.r$path
${pkgs.curl}/bin/curl -fSs --data-binary @- "http://c.r/$path"
echo "http://c.r/$path"
${pkgs.curl}/bin/curl -fSs --data-binary @- "$url"
echo "$url"
'')
(pkgs.writers.writeDashBin "cdel" ''
set -efu
path=$1
path=$(echo "/$path" | sed -E 's:/+:/:')
url=http://c.r$path
${pkgs.curl}/bin/curl -f -X DELETE "http://c.r/$path"
${pkgs.curl}/bin/curl -f -X DELETE "$url"
'')
];
}
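Review bot: `path=$(echo "/$path" | sed -E 's:/+:/:')` in both `cput` and `cdel` has no `g` flag, so only the first run of slashes is collapsed — which, after the `"/$path"` prefix, is always the leading one; `a//b` becomes `/a//b`. If the intent is merely to tolerate a leading slash in `$1`, that already works; if the intent is to normalise the whole path, use `sed -E 's:/+:/:g'`.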


@ -12,6 +12,7 @@ with import <stockholm/lib>;
, port ? 6667
, refs ? []
, server
, tls ? false
, verbose ? false
}: /* sh */ ''
#! /bin/sh
@ -39,6 +40,7 @@ with import <stockholm/lib>;
nick=${escapeShellArg nick}
channel=${escapeShellArg channel}
server=${escapeShellArg server}
tls=${escapeShellArg tls}
port=${toString port}
host=$nick
@ -114,6 +116,7 @@ with import <stockholm/lib>;
"$port" \
"$nick" \
"$channel" \
"$tls" \
"$message"
fi
'';


@ -57,10 +57,7 @@ case "$Method $path" in
mkdir -v -p $STATEDIR/items >&2
cp -v $content $item >&2
scheme=${req_x_forwarded_proto-http}
link=$scheme://$req_host/$path
exit
;;
'GET /'*)
item=$STATEDIR/items/$(echo "$path" | jq -rR @uri)


@ -17,7 +17,8 @@ pkgs.writeDashBin "irc-announce" ''
IRC_PORT=$2
IRC_NICK=$3_$$
IRC_CHANNEL=$4
message=$5
IRC_TLS=$5
message=$6
export IRC_CHANNEL # for privmsg_cat
@ -34,6 +35,8 @@ pkgs.writeDashBin "irc-announce" ''
# privmsg_cat transforms stdin to a privmsg
privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
tls_flag() { if [ "$IRC_TLS" -eq 1 ]; then echo "-c"; fi }
# ircin is used to feed the output of netcat back to the "irc client"
# so we can implement expect-like behavior with sed^_^
# XXX mkselfdestructingtmpfifo would be nice instead of this cruft
@ -51,6 +54,8 @@ pkgs.writeDashBin "irc-announce" ''
echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
echo2 "NICK $IRC_NICK"
awk 'match($0, /PING(.*)/, m) {print "PONG", m[1]; exit}'
# wait for MODE message
sed -n '/^:[^ ]* MODE /q'
@ -67,5 +72,5 @@ pkgs.writeDashBin "irc-announce" ''
echo2 'QUIT :Gone to have lunch'
} < ircin \
| nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
| nc $(tls_flag) "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
''
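Review bot: The line `awk 'match($0, /PING(.*)/, m) {print "PONG", m[1]; exit}'`, which appears to be the addition in the `@ -51,6 +54,8 @@` hunk, reads from the shared `ircin` stream until it sees a PING, so if a server emits the MODE line first, awk swallows it and the following `sed -n '/^:[^ ]* MODE /q'` never returns. Whether every configured server PINGs during registration is not visible here; a single awk that answers PING and exits on MODE, `awk '/PING/ {sub(/.*PING/, "PONG"); print; fflush()} /^:[^ ]* MODE / {exit}'`, handles both orders. The three-argument `match()` is a gawk extension, fine with pkgs.gawk in PATH but not POSIX awk. The `nc $(tls_flag) ...` substitution is intentionally unquoted so an empty flag vanishes, which is correct.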


@ -14,10 +14,6 @@ rec {
commands = {
hello = {
filename = "${pkgs.Reaktor.src}/reaktor/commands/hello";
};
random-emoji = {
filename = <stockholm/krebs/5pkgs/simple/Reaktor/scripts/random-emoji.sh>;
env = {


@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
"rev": "8d8a28b47b7c41aeb4ad01a2bd8b7d26986c3512",
"date": "2021-08-29T22:49:37+08:00",
"path": "/nix/store/vg29bg0awqam80djwz68ym0awvasrw6i-nixpkgs",
"sha256": "1s29nc3ppsjdq8kgbh8pc26xislkv01yph58xv2vjklkvsmz5pzm",
"rev": "09cd65b33c5653d7d2954fef4b9f0e718c899743",
"date": "2021-09-08T11:21:07-05:00",
"path": "/nix/store/h4hgs0aiaszmgqcwwhw7q10vqgvgbimf-nixpkgs",
"sha256": "1h696xv2wdl1859jcr0bmv0m0rfsq4vpc1vc0hg3msfsdnz0aixl",
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false


@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
"rev": "74d017edb6717ad76d38edc02ad3210d4ad66b96",
"date": "2021-08-27T16:58:49+02:00",
"path": "/nix/store/82jg1p0rlf7mkryjpdn0z6b95q4i9lnq-nixpkgs",
"sha256": "0wvz41izp4djzzr0a6x54hcm3xjr51nlj8vqghfgyrjpk8plyk4s",
"rev": "6120ac5cd201f6cb593d1b80e861be0342495be9",
"date": "2021-09-18T21:31:09+02:00",
"path": "/nix/store/g1a0swq7h7b24g4vkn3wr3d8rwjazfmv-nixpkgs",
"sha256": "04mrjxr1qsdcgcryx7yy72cgcw14c0770gfcgzrdfpnvmjdgbi9i",
"fetchSubmodules": false,
"deepClone": false,
"leaveDotGit": false


@ -22,8 +22,6 @@
];
hardware.opengl.extraPackages = [ pkgs.amdvlk ];
# is required for amd graphics support ( xorg wont boot otherwise )
boot.kernelPackages = pkgs.linuxPackages_latest;
environment.variables.VK_ICD_FILENAMES =
"/run/opengl-driver/share/vulkan/icd.d/amd_icd64.json";
@ -47,7 +45,25 @@
services.logind.lidSwitch = "ignore";
services.logind.lidSwitchDocked = "ignore";
boot.extraModprobeConfig = ''
options psmouse proto=imps
# Mouse stuff
services.xserver.libinput.enable = lib.mkForce false;
services.xserver.synaptics.enable = true;
services.xserver.displayManager.sessionCommands = ''
xinput disable 'ETPS/2 Elantech Touchpad'
xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation' 1
xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Button' 2
xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Axes' 6 7 4 5
'';
# https://forums.lenovo.com/t5/Fedora/T14s-AMD-Trackpoint-almost-unusable/m-p/5064952?page=4
# https://bugzilla.kernel.org/show_bug.cgi?id=209167#c1
boot.kernelPatches = [{
name = "fix-trackpoint-jumping";
patch = pkgs.fetchurl {
url = "https://patchwork.kernel.org/project/linux-input/patch/20210729010940.5752-1-phoenix@emc.com.tw/raw/";
sha256 = "0apbf7c8w830dbdsrmxpip90d5zbg74a939x89jfgpvm5gbdqdjg";
};
}];
}


@ -0,0 +1,26 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
let
in
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
];
krebs.build.host = config.krebs.hosts.lasspi;
networking = {
networkmanager = {
enable = true;
};
};
environment.systemPackages = with pkgs; [
vim
rxvt_unicode.terminfo
];
services.openssh.enable = true;
system.stateVersion = "21.05";
}
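Review bot: The `let` / `in` pair near the top binds nothing and can be dropped without changing the evaluated attribute set. Likewise `with import <stockholm/lib>;` brings nothing visibly into use in this file; if nothing from it is needed (not verifiable here), removing it avoids shadowing surprises later. The remaining lines are plain option assignments.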


@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
{
# This configuration worked on 09-03-2021 nixos-unstable @ commit 102eb68ceec
# The image used https://hydra.nixos.org/build/134720986
imports = [
./config.nix
];
boot = {
# kernelPackages = pkgs.linuxPackages_rpi4;
tmpOnTmpfs = true;
initrd.availableKernelModules = [ "usbhid" "usb_storage" ];
# ttyAMA0 is the serial console broken out to the GPIO
kernelParams = [
"8250.nr_uarts=1"
"console=ttyAMA0,115200"
"console=tty1"
# Some gui programs need this
"cma=128M"
];
};
boot.loader.raspberryPi = {
enable = true;
version = 4;
};
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
# Required for the Wireless firmware
hardware.enableRedistributableFirmware = true;
# Assuming this is installed on top of the disk image.
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
options = [ "noatime" ];
};
};
powerManagement.cpuFreqGovernor = "ondemand";
}
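Review bot: The provenance comment's date `09-03-2021` is ambiguous between 9 March and 3 September; writing it as an ISO date (`2021-03-09` or `2021-09-03`, whichever is meant) next to the nixos-unstable commit removes the doubt for whoever reproduces the image. Both `boot.loader.raspberryPi` and `boot.loader.generic-extlinux-compatible` are enabled, a combination that is easy to misread as a conflict; a short comment saying which one writes the boot files and why the other is still needed would help.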


@ -7,11 +7,12 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/libvirt.nix>
<stockholm/lass/2configs/tv.nix>
<stockholm/lass/2configs/websites/lassulus.nix>
<stockholm/lass/2configs/telegraf.nix>
{
services.nginx.enable = true;
imports = [
<stockholm/lass/2configs/websites/domsen.nix>
<stockholm/lass/2configs/websites/lassulus.nix>
];
# needed by domsen.nix ^^
lass.usershadow = {
@ -275,19 +276,8 @@ with import <stockholm/lib>;
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
];
}
{
services.murmur = {
enable = true;
bandwidth = 10000000;
registerName = "lassul.us";
autobanTime = 30;
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
{ predicate = "-p udp --dport 64738"; target = "ACCEPT";}
];
}
<stockholm/lass/2configs/murmur.nix>
<stockholm/lass/2configs/docker.nix>
{
systemd.services."container@yellow".reloadIfChanged = mkForce false;
containers.yellow = {
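Review bot: Replacing the inline murmur block with `<stockholm/lass/2configs/murmur.nix>` is not a pure move: that module, added in this same commit, also runs the `mumble-web` container and the `mumble.lassul.us` nginx vhost, so prism gains a public HTTPS endpoint here without that being visible in the host file. A one-line comment at the import, `# murmur + mumble-web (mumble.lassul.us)`, would make it visible. Both hunks sit inside a larger attribute set that starts and ends outside this view.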


@ -271,7 +271,7 @@ in {
message = "lassulus: torify sshn root@";
};
systemd.services.hidden-ssh-announce.wantedBy = mkForce [];
services.mingetty.autologinUser = lib.mkForce "root";
services.getty.autologinUser = lib.mkForce "root";
nixpkgs.config.packageOverrides = super: {
dmenu = pkgs.writeDashBin "dmenu" ''


@ -10,14 +10,7 @@ in {
./urxvt.nix
./xdg-open.nix
./yubikey.nix
{
hardware.pulseaudio = {
enable = true;
systemWide = true;
};
security.rtkit.enable = true;
sound.enableOSSEmulation = false;
}
./pipewire.nix
./xmonad.nix
{
krebs.per-user.lass.packages = [
@ -50,7 +43,7 @@ in {
}
];
users.extraUsers.mainUser.extraGroups = [ "audio" "video" ];
users.users.mainUser.extraGroups = [ "audio" "video" ];
time.timeZone = "Europe/Berlin";


@ -117,6 +117,7 @@ with import <stockholm/lib>;
iftop
tcpdump
mosh
sshify
#stuff for dl
aria2

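--- a/lass/2configs/docker.nix
+++ b/lass/2configs/docker.nix
@@ -0,0 +1,6 @@
+{ pkgs, lib, config, ... }:
+{
+systemd.services.krebs-iptables.serviceConfig.ExecStartPost = pkgs.writeDash "kick_docker" ''
+${pkgs.systemd}/bin/systemctl restart docker.service
+'';
+}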
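Review bot: `ExecStartPost` restarts `docker.service` on every start of `krebs-iptables`, and a docker restart stops every running container unless live-restore is configured, so any ruleset reload on this host is also a container outage. The reason for the restart is not written down; presumably krebs-iptables rewrites the tables and wipes the chains docker inserted, in which case a comment such as `# krebs-iptables rewrites the tables; restart docker so it re-adds its DOCKER chains` belongs on that line. `lib` and `config` are taken as arguments but unused.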

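--- a/lass/2configs/murmur.nix
+++ b/lass/2configs/murmur.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+{
+services.murmur = {
+enable = true;
+bandwidth = 10000000;
+registerName = "lassul.us";
+autobanTime = 30;
+};
+krebs.iptables.tables.filter.INPUT.rules = [
+{ predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
+{ predicate = "-p udp --dport 64738"; target = "ACCEPT";}
+];
+systemd.services.docker-mumble-web.serviceConfig = {
+StandardOutput = lib.mkForce "journal";
+StandardError = lib.mkForce "journal";
+};
+virtualisation.oci-containers.containers.mumble-web = {
+image = "rankenstein/mumble-web";
+environment = {
+MUMBLE_SERVER = "lassul.us:64738";
+};
+ports = [
+"64739:8080"
+];
+};
+services.nginx.virtualHosts."mumble.lassul.us" = {
+enableACME = true;
+forceSSL = true;
+locations."/".extraConfig = ''
+proxy_pass http://localhost:64739/;
+proxy_set_header Accept-Encoding "";
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+'';
+};
+}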
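Review bot: `ports = [ "64739:8080" ]` publishes the mumble-web container on all interfaces, and Docker places its published-port rules in the FORWARD/DOCKER chains rather than INPUT, so the `krebs.iptables` INPUT rules (which only open 64738) will not stop direct plaintext access to 64739 unless the firewall module also manages the DOCKER chain. Since nginx proxies to `localhost:64739`, binding to loopback is enough: `"127.0.0.1:64739:8080"`. The image `rankenstein/mumble-web` has no tag or digest, so every pull may fetch a different image; pinning a tag (or an `@sha256:` digest) keeps the deployment reproducible.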


@ -0,0 +1,72 @@
{ config, lib, pkgs, ... }:
# TODO test `alsactl init` after suspend to reinit mic
{
security.rtkit.enable = true;
hardware.bluetooth = {
enable = true;
powerOnBoot = true;
};
# autostart with login
systemd.user.services.pipewire-pulse = {
wantedBy = [ "graphical-session.target" ];
};
environment.systemPackages = with pkgs; [
alsaUtils
pulseaudioLight
];
environment.variables.PULSE_SERVER = "localhost:4713";
services.pipewire = {
enable = true;
socketActivation = false;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
# https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Migrate-PulseAudio#module-native-protocol-tcp
config.pipewire-pulse = {
"context.properties" = {
"log.level" = 2;
};
"context.modules" = [
{
name = "libpipewire-module-rtkit";
# args = {
# "nice.level" = -15;
# "rt.prio" = 88;
# "rt.time.soft" = 200000;
# "rt.time.hard" = 200000;
# };
flags = [ "ifexists" "nofail" ];
}
{ name = "libpipewire-module-protocol-native"; }
{ name = "libpipewire-module-client-node"; }
{ name = "libpipewire-module-adapter"; }
{ name = "libpipewire-module-metadata"; }
{
name = "libpipewire-module-protocol-pulse";
args = {
"vm.overrides" = {
# "pulse.min.req" = "32/48000";
# "pulse.default.req" = "32/48000";
# "pulse.max.req" = "32/48000";
"pulse.min.quantum" = "1024/48000";
# "pulse.max.quantum" = "32/48000";
};
"server.address" = [
"unix:native"
"tcp:4713"
];
};
}
];
"stream.properties" = {
# "node.latency" = "32/48000";
# "resample.quality" = 1;
};
};
};
}
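Review bot: `"tcp:4713"` in `server.address` makes the pulse server listen on that port on every interface, and nothing in this file adds access control for it; since `PULSE_SERVER` already points at `localhost:4713`, the loopback form `"tcp:127.0.0.1:4713"` (per pipewire's address syntax, as far as I can tell) keeps the same functionality without exposing the audio server to the network. The commented-out `args` for `libpipewire-module-rtkit` and the latency knobs under `vm.overrides`/`stream.properties` are kept without a word on why; either delete them or add `# tuning experiments, kept for reference` so a reader knows they are intentional. The `# TODO test alsactl init` at the top would read better as a full sentence naming the symptom it is meant to fix.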


@ -0,0 +1,67 @@
{ config, lib, pkgs, ... }:
let
isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules;
in {
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 9273"; target = "ACCEPT"; }
];
systemd.services.telegraf.path = [ pkgs.nvme-cli ];
services.telegraf = {
enable = true;
extraConfig = {
agent.interval = "60s";
inputs = {
prometheus.metric_version = 2;
kernel_vmstat = { };
# smart = lib.mkIf (!isVM) {
# path = pkgs.writeShellScript "smartctl" ''
# exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@"
# '';
# };
system = { };
mem = { };
file = [{
data_format = "influx";
file_tag = "name";
files = [ "/var/log/telegraf/*" ];
}] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) {
name_override = "ext4_errors";
files = [ "/sys/fs/ext4/*/errors_count" ];
data_format = "value";
};
exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) {
## Commands array
commands = [
(pkgs.writeScript "zpool-health" ''
#!${pkgs.gawk}/bin/awk -f
BEGIN {
while ("${pkgs.zfs}/bin/zpool status" | getline) {
if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 }
if ($1 ~ /state:/) { printf " state=\"%s\",", $2 }
if ($1 ~ /errors:/) {
if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2
}
}
}
'')
];
data_format = "influx";
};
systemd_units = { };
swap = { };
disk.tagdrop = {
fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ];
device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ];
};
diskio = { };
};
outputs.prometheus_client = {
listen = ":9273";
metric_version = 2;
};
};
};
}
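Review bot: `isVM` is computed but no longer used anywhere in the file, because its only consumer, the `smart` input, is commented out; either drop the binding or restore the `smart` block (with the sudo rule it needs). The `file` input globs `/var/log/telegraf/*` but nothing here creates that directory or a placeholder file; the makefu variant added in this same commit carries a tmpfiles rule for exactly that reason (`# create dummy file to avoid telegraf errors`), so this one may log the same errors. The two telegraf modules are otherwise near-identical, and a shared krebs module would keep them from drifting apart.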


@ -28,6 +28,7 @@ in {
(servePage [ "aldonasiech.com" "www.aldonasiech.com" ])
(servePage [ "apanowicz.de" "www.apanowicz.de" ])
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
(servePage [ "illustra.de" "www.illustra.de" ])
(servePage [
"freemonkey.art"
"www.freemonkey.art"
@ -81,6 +82,7 @@ in {
"o_ubikmedia_de"
];
services.phpfpm.phpPackage = pkgs.php73;
services.phpfpm.phpOptions = ''
sendmail_path = ${sendmail} -t
upload_max_filesize = 100M
@ -88,12 +90,18 @@ in {
file_uploads = on
'';
krebs.secret.files.nextcloud_pw = {
path = "/run/nextcloud.pw";
owner.name = "nextcloud";
group-name = "nextcloud";
source-path = toString <secrets> + "/nextcloud_pw";
};
services.nextcloud = {
enable = true;
hostName = "o.xanf.org";
package = pkgs.nextcloud20;
package = pkgs.nextcloud21;
config = {
adminpassFile = toString <secrets> + "/nextcloud_pw";
adminpassFile = "/run/nextcloud.pw";
overwriteProtocol = "https";
};
https = true;
@ -178,7 +186,7 @@ in {
group = "xanf";
home = "/home/xanf";
useDefaultShell = true;
createHome = true;
createHome = false; # creathome forces permissions
isNormalUser = true;
};
@ -291,6 +299,24 @@ in {
isNormalUser = true;
};
users.users.movematchers = {
uid = genid_uint31 "movematchers";
home = "/home/movematchers";
useDefaultShell = true;
extraGroups = [ "xanf" ];
createHome = true;
isNormalUser = true;
};
users.users.blackphoton = {
uid = genid_uint31 "blackphoton";
home = "/home/blackphoton";
useDefaultShell = true;
extraGroups = [ "xanf" ];
createHome = true;
isNormalUser = true;
};
users.groups.xanf = {};
krebs.on-failure.plans.restic-backups-domsen = {
@ -332,14 +358,14 @@ in {
'';
krebs.permown = {
"/backups/domsen" = {
owner = "backup";
"/srv/http" = {
group = "syncthing";
owner = "nginx";
umask = "0007";
};
"/srv/http" = {
owner = "syncthing";
group = "nginx";
"/home/xanf/XANF_TEAM" = {
owner = "XANF_TEAM";
group = "xanf";
umask = "0007";
};
};
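Review bot: Moving the nextcloud admin password into `/run/nextcloud.pw` via `krebs.secret.files` is the right direction, but no file mode is given; unless the module's default is already owner-only, set it explicitly so the file is readable by the `nextcloud` user alone. The permown entry for `/home/xanf/XANF_TEAM` sets `owner = "XANF_TEAM"`, which does not look like a user defined in the visible hunks and may be meant as a group; please confirm. The comment `# creathome forces permissions` has a typo and would read better as `# createHome would reset the permissions of the existing home`. All hunks here are fragments of a larger attribute set that starts and ends outside this view.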


@ -0,0 +1,16 @@
{ lib
, stdenv
, fetchFromGitHub
}:
stdenv.mkDerivation rec {
pname = "proxychains-ng";
version = "4.15";
src = fetchFromGitHub {
owner = "rofl0r";
repo = pname;
rev = "v${version}";
sha256 = "128d502y8pn7q2ls6glx9bvibwzfh321sah5r5li6b6iywh2zqlc";
};
}
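Review bot: `lib` is taken as an argument but never used, and the derivation has no `meta`, so the package shows neither a description nor a license. Adding `meta = with lib; { description = "Preloader that redirects socket calls through SOCKS/HTTP proxies"; license = licenses.gpl2; platforms = platforms.linux; };` uses the argument and fixes that (upstream's COPYING is GPL-2.0; confirm whether the `Plus` variant applies).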


@ -0,0 +1,38 @@
{ pkgs }:
pkgs.writers.writeBashBin "sshify" ''
set -efu
TMPDIR=$(mktemp -d)
SSH_ARGS=()
while [[ "$#" -gt 0 ]]; do
case $1 in
--)
shift
break
;;
*)
SSH_ARGS+=($1)
;;
esac
shift
done
if [[ "$#" -le 0 ]]; then
echo no command specified
exit 1
fi
RANDOM_HIGH_PORT=$(shuf -i 20000-65000 -n 1)
cat << EOF >$TMPDIR/proxychains.conf
[ProxyList]
socks4 127.0.0.1 $RANDOM_HIGH_PORT
EOF
ssh -fNM -S "$TMPDIR/socket" -D "$RANDOM_HIGH_PORT" "''${SSH_ARGS[@]}"
trap "ssh -S $TMPDIR/socket -O exit bla 2>/dev/null; rm -rf $TMPDIR >&2" EXIT
${pkgs.proxychains-ng}/bin/proxychains4 -q -f "$TMPDIR/proxychains.conf" "$@"
''
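Review bot: `SSH_ARGS+=($1)` is unquoted, so an argument containing spaces or glob characters is split or expanded before it reaches ssh; it should be `SSH_ARGS+=("$1")`. The cleanup `trap` is installed only after the `ssh -fNM` line, so if that ssh fails under `set -e` the temp directory holding the proxychains config is left behind; install a plain `rm -rf` trap right after `mktemp` and extend it once the master socket exists. The generated proxychains.conf uses `socks4` and no `proxy_dns`, so name resolution for the wrapped command happens on the local resolver rather than through the tunnel, which is not what a user of a SOCKS wrapper usually expects; ssh's `-D` speaks SOCKS5, so `proxy_dns` plus `socks5` sends the hostnames through the ssh host as well.
```nix
pkgs.writers.writeBashBin "sshify" ''
  set -efu
  TMPDIR=$(mktemp -d)
  trap 'rm -rf "$TMPDIR"' EXIT
  SSH_ARGS=()
  # … unchanged: option loop, except SSH_ARGS+=("$1") …
  RANDOM_HIGH_PORT=$(shuf -i 20000-65000 -n 1)
  cat << EOF >"$TMPDIR/proxychains.conf"
  proxy_dns
  [ProxyList]
  socks5 127.0.0.1 $RANDOM_HIGH_PORT
  EOF
  ssh -fNM -S "$TMPDIR/socket" -D "$RANDOM_HIGH_PORT" "''${SSH_ARGS[@]}"
  trap 'ssh -S "$TMPDIR/socket" -O exit bla 2>/dev/null; rm -rf "$TMPDIR"' EXIT
  # … unchanged: proxychains4 invocation …
''
```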


@ -0,0 +1 @@
{}


@ -23,6 +23,8 @@ in {
}
<stockholm/makefu/2configs/nur.nix>
<stockholm/makefu/2configs/support-nixos.nix>
<stockholm/makefu/2configs/nix-community/mediawiki-matrix-bot.nix>
<stockholm/makefu/2configs/nix-community/supervision.nix>
<stockholm/makefu/2configs/home-manager>
<stockholm/makefu/2configs/home-manager/cli.nix>
# <stockholm/makefu/2configs/stats/client.nix>
@ -182,7 +184,7 @@ in {
<stockholm/makefu/2configs/virtualisation/libvirt.nix>
# krebs infrastructure services
<stockholm/makefu/2configs/stats/server.nix>
# <stockholm/makefu/2configs/stats/server.nix>
];
makefu.dl-dir = "/var/download";


@ -0,0 +1,23 @@
{ pkgs, ... }:
let
seccfg = toString <secrets/mediawikibot-config.json>;
statecfg = "/var/lib/mediawiki-matrix-bot/config.json";
in {
systemd.services.mediawiki-matrix-bot = {
description = "Mediawiki Matrix Bot";
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Restart = "always";
RestartSec = "60s";
DynamicUser = true;
StateDirectory = "mediawiki-matrix-bot";
PermissionsStartOnly = true;
ExecStartPre = pkgs.writeDash "mediawikibot-copy-config" ''
install -D -m644 ${seccfg} ${statecfg}
'';
ExecStart = "${pkgs.mediawiki-matrix-bot}/bin/mediawiki-matrix-bot ${statecfg}";
PrivateTmp = true;
};
};
}
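Review bot: `install -D -m644 ${seccfg} ${statecfg}` copies the bot's config, which coming from `<secrets>` presumably holds the Matrix credentials, into the state directory world-readable; the ExecStartPre runs as root (`PermissionsStartOnly`), so the copy is root-owned and 0644 is what lets the dynamic user read it. Systemd's credential mechanism does this without a readable copy: `LoadCredential = "config.json:${seccfg}";` and `ExecStart = "${pkgs.mediawiki-matrix-bot}/bin/mediawiki-matrix-bot %d/config.json";`, dropping `ExecStartPre`, `PermissionsStartOnly` and the `statecfg` binding (needs systemd 247 or newer, which NixOS 21.05 ships). If the copy is kept, `PermissionsStartOnly` is deprecated in favour of the `+` prefix on the `ExecStartPre` command.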


@ -0,0 +1,82 @@
{ config, lib, pkgs, ... }:
let
isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules;
port = "9273";
in {
networking.firewall.extraCommands = ''
iptables -A INPUT -i retiolum -p tcp --dport ${port} -j ACCEPT
'';
services.telegraf = {
enable = true;
extraConfig = {
agent.interval = "60s";
inputs = {
prometheus.metric_version = 2;
kernel_vmstat = { };
smart = lib.mkIf (!isVM) {
path = pkgs.writeShellScript "smartctl" ''
exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@"
'';
};
system = { };
mem = { };
file = [{
data_format = "influx";
file_tag = "name";
files = [ "/var/log/telegraf/*" ];
}] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) {
name_override = "ext4_errors";
files = [ "/sys/fs/ext4/*/errors_count" ];
data_format = "value";
};
exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) {
## Commands array
commands = [
(pkgs.writeScript "zpool-health" ''
#!${pkgs.gawk}/bin/awk -f
BEGIN {
while ("${pkgs.zfs}/bin/zpool status" | getline) {
if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 }
if ($1 ~ /state:/) { printf " state=\"%s\",", $2 }
if ($1 ~ /errors:/) {
if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2
}
}
}
'')
];
data_format = "influx";
};
systemd_units = { };
swap = { };
disk.tagdrop = {
fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ];
device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ];
};
diskio = { };
};
outputs.prometheus_client = {
listen = ":${port}";
metric_version = 2;
};
};
};
security.sudo.extraRules = lib.mkIf (!isVM) [{
users = [ "telegraf" ];
commands = [{
command = "${pkgs.smartmontools}/bin/smartctl";
options = [ "NOPASSWD" ];
}];
}];
# avoid logging sudo use
security.sudo.configFile = ''
Defaults:telegraf !syslog,!pam_session
'';
# create dummy file to avoid telegraf errors
systemd.tmpfiles.rules = [
"f /var/log/telegraf/dummy 0444 root root - -"
];
}
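Review bot: `Defaults:telegraf !syslog,!pam_session` in `security.sudo.configFile` disables syslog for a user that has a NOPASSWD root command, which removes the only audit trail of those `smartctl` runs; if the concern is journal noise, `!pam_session` alone already drops the session open/close lines and `!syslog` can be left out. `security.sudo.extraConfig` is the option meant for such additions; appending to `configFile` only works because the option merges as lines. The module duplicates the lass telegraf module added in this same commit almost verbatim (the firewall rule and the `smart` input being the differences), so a shared krebs module with a couple of options would be easier to keep in sync.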


@ -33,6 +33,7 @@
cac-api
cac-panel
krebszones
cyberlocker-tools
ovh-zone
gen-oath-safe
cdrtools


@ -4,26 +4,26 @@
, libpulseaudio
, xlibs
, gst_all_1
, kerberos
, krb5
, alsaLib
}:
# via https://raw.githubusercontent.com/simon-the-sourcerer-ab/chitubox/main/default.nix
stdenv.mkDerivation rec {
pname = "chitubox";
version = "1.8.1";
version = "1.9.0";
src = builtins.fetchTarball {
#url = "https://sac.chitubox.com/software/download.do?softwareId=17839&softwareVersionId=v${version}&fileName=CHITUBOX_V${version}.tar.gz";
url = "https://archive.org/download/chitubox-v-1.8.1.tar/CHITUBOX_V${version}.tar.gz";
sha256 = "08fh8w7s5qvlx6bhdg24g81a7zprq7n8m27w2vdv0cd8j0wixbsx";
sha256 = "1ywcizxdkwlhi8z3jshl3b6ha8iwibssxh8fk7s32h3z8vl8zcl7";
};
nativeBuildInputs = [ autoPatchelfHook ];
buildInputs = with xlibs; [ stdenv.cc.cc.lib libglvnd libgcrypt zlib glib fontconfig freetype libdrm
libxkbcommon libpulseaudio kerberos alsaLib
libxkbcommon libpulseaudio alsaLib
xcbutilwm xcbutilimage xcbutilrenderutil xcbutilkeysyms
gst_all_1.gst-plugins-base gst_all_1.gstreamer
gst_all_1.gst-plugins-base gst_all_1.gstreamer krb5
];
buildPhase = ''
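Review bot: The tarball URL still names the archive.org item `chitubox-v-1.8.1.tar` while `version` is now `1.9.0`; the updated hash suggests the item does hold the 1.9.0 file, but a comment such as `# the archive.org item name is historical; it hosts several versions` would stop the next bump from rewriting the URL. The derivation's argument list begins before this hunk and `buildPhase` continues after it.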


@ -0,0 +1,22 @@
{ buildPythonApplication, fetchFromGitHub, feedparser, matrix-nio, docopt, aiohttp, aiofiles,
mypy }:
buildPythonApplication rec {
pname = "mediawiki-matrix-bot";
version = "1.0.0";
src = fetchFromGitHub {
owner = "nix-community";
repo = "mediawiki-matrix-bot";
rev = "v${version}";
sha256 = "1923097j1xh34jmm0zhmvma614jcxaagj89c1fc1j2qyv14ybsvs";
};
propagatedBuildInputs = [
feedparser matrix-nio docopt aiohttp aiofiles
];
nativeBuildInputs = [
mypy
];
checkPhase = ''
mypy --strict mediawiki_matrix_bot
'';
}
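Review bot: The `checkPhase` only runs mypy, which type-checks the sources but never imports or exercises the installed package; adding `pythonImportsCheck = [ "mediawiki_matrix_bot" ];` gives at least a smoke test of the result. There is also no `meta` (description, license), which would be useful for a package that is published through the overlay.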


@ -41,6 +41,7 @@ in {
inherit (callPackage ./devpi {}) devpi-web ;
nodemcu-uploader = super.pkgs.callPackage ./nodemcu-uploader {};
liveproxy = super.pkgs.python3Packages.callPackage ./custom/liveproxy {};
mediawiki-matrix-bot = super.pkgs.python3Packages.callPackage ./custom/mediawiki-matrix-bot {};
hydra-check = super.pkgs.python3Packages.callPackage ./custom/hydra-check {};
pwqgen-ger = super.pkgs.passwdqc-utils.override {
wordset-file = super.pkgs.fetchurl {