Merge remote-tracking branch 'gum/master'

krebs/3modules/external/default.nix

@@ -429,6 +429,17 @@ in {
         };
       };
     };
+    ada = {
+      owner = config.krebs.users.filly;
+      nets = {
+        wiregrill = {
+          aliases = [ "ada.w" ];
+          wireguard = {
+            pubkey = "+t0j9j7TZqvSFPzgunnON/ArXVGpMS/L3DldpanLoUk=";
+          };
+        };
+      };
+    };
   };
   users = {
     ciko = {
@@ -464,6 +475,8 @@ in {
     };
     miaoski = {
     };
+    filly = {
+    };
   };
 }
 

krebs/3modules/lass/default.nix

@@ -39,6 +39,7 @@ in {
           io                  60 IN NS     ions.lassul.us.
           ions                60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           lol                 60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+          matrix              60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           paste               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
           radio               60 IN A      ${config.krebs.hosts.prism.nets.internet.ip4.addr}
         '';
@@ -240,6 +241,7 @@ in {
       secure = true;
       ssh.privkey.path = <secrets/ssh.id_ed25519>;
       ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C";
+      syncthing.id = "AU5RTWC-HXNMDRT-TN4ZHXY-JMQ6EQB-4ZPOZL7-AICZMCZ-LNS2XXQ-DGTI2Q6";
     };
     icarus = {
       cores = 2;

krebs/3modules/realwallpaper.nix

@@ -78,7 +78,7 @@ let
       serviceConfig = {
         Type = "simple";
         ExecStart = pkgs.writeDash "generate-wallpaper" ''
-          set -xeuf
+          set -euf
 
           # usage: getimg FILENAME URL
           fetch() {

lass/1systems/blue/config.nix

@@ -9,19 +9,12 @@ with import <stockholm/lib>;
 
     <stockholm/lass/2configs/blue.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/sync/decsync.nix>
+    <stockholm/lass/2configs/sync/weechat.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.blue;
 
-  krebs.syncthing.folders = [
-    { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
-    { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
-  ];
-  lass.ensure-permissions = [
-    { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
-    { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
-  ];
-
   environment.shellAliases = {
     deploy = pkgs.writeDash "deploy" ''
       set -eu

lass/1systems/daedalus/config.nix

@@ -27,6 +27,12 @@ with import <stockholm/lib>;
         enable = true;
         systemWide = true;
       };
+      programs.chromium = {
+        enable = true;
+        extensions = [
+          "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
+        ];
+      };
       environment.systemPackages = with pkgs; [
         pavucontrol
         #firefox
@@ -40,7 +46,7 @@ with import <stockholm/lib>;
         wine
         geeqie
         vlc
-        minecraft
+        zsnes
       ];
       nixpkgs.config.firefox.enableAdobeFlash = true;
       services.xserver.enable = true;

lass/1systems/green/config.nix

@@ -8,20 +8,13 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/exim-retiolum.nix>
     <stockholm/lass/2configs/mail.nix>
 
-    #<stockholm/lass/2configs/blue.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/sync/decsync.nix>
+    <stockholm/lass/2configs/sync/weechat.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.green;
 
-  krebs.syncthing.folders = [
-    { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
-  ];
-  lass.ensure-permissions = [
-    { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
-  ];
-
-
   #networking.nameservers = [ "1.1.1.1" ];
 
   #time.timeZone = "Europe/Berlin";

lass/1systems/icarus/config.nix

@@ -20,6 +20,7 @@
     <stockholm/lass/2configs/syncthing.nix>
     <stockholm/lass/2configs/nfs-dl.nix>
     <stockholm/lass/2configs/prism-share.nix>
+    <stockholm/lass/2configs/ssh-cryptsetup.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.icarus;

lass/1systems/iso.nix

@@ -6,7 +6,6 @@ with import <stockholm/lib>;
     <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
     <stockholm/krebs>
     <stockholm/lass/3modules>
-    <stockholm/lass/5pkgs>
     <stockholm/lass/2configs/mc.nix>
     <stockholm/lass/2configs/vim.nix>
     {
@@ -40,9 +39,10 @@ with import <stockholm/lib>;
       networking.hostName = "lass-iso";
     }
     {
+      nixpkgs.config.packageOverrides = import <stockholm/lass/5pkgs> pkgs;
       krebs.enable = true;
       krebs.build.user = config.krebs.users.lass;
-      krebs.build.host = config.krebs.hosts.iso;
+      krebs.build.host = {};
     }
     {
       nixpkgs.config.allowUnfree = true;
@@ -174,11 +174,13 @@ with import <stockholm/lib>;
           user = "lass";
         };
         windowManager.default = "xmonad";
-        windowManager.session = [{
+        windowManager.session = let
+          xmonad-lass = pkgs.callPackage <stockholm/lass/5pkgs/custom/xmonad-lass> { inherit config; };
+        in [{
           name = "xmonad";
           start = ''
             ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
-            ${pkgs.xmonad-lass}/bin/xmonad &
+            ${xmonad-lass}/bin/xmonad &
             waitPID=$!
           '';
         }];

lass/1systems/littleT/config.nix

@@ -8,6 +8,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/retiolum.nix>
     <stockholm/lass/2configs/blue-host.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/green-host.nix>
   ];
 
   networking.networkmanager.enable = true;

lass/1systems/morpheus/config.nix

@@ -30,4 +30,12 @@ with import <stockholm/lib>;
       ];
     };
   };
+
+
+  services.xserver.desktopManager.default = "none";
+  services.xserver.displayManager.lightdm.autoLogin = {
+    enable = true;
+    user = "lass";
+    timeout = 5;
+  };
 }

lass/1systems/mors/config.nix

@@ -26,6 +26,8 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/syncthing.nix>
     <stockholm/lass/2configs/otp-ssh.nix>
     <stockholm/lass/2configs/c-base.nix>
+    <stockholm/lass/2configs/sync/decsync.nix>
+    <stockholm/lass/2configs/sync/weechat.nix>
     <stockholm/lass/2configs/br.nix>
     <stockholm/lass/2configs/ableton.nix>
     <stockholm/lass/2configs/starcraft.nix>
@@ -41,8 +43,6 @@ with import <stockholm/lib>;
       krebs.iptables.tables.filter.INPUT.rules = [
         #risk of rain
         { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; }
-        #chromecast
-        { predicate = "-p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000"; target = "ACCEPT"; }
         #quake3
         { predicate = "-p tcp --dport 27950:27965"; target = "ACCEPT"; }
         { predicate = "-p udp --dport 27950:27965"; target = "ACCEPT"; }
@@ -50,14 +50,10 @@ with import <stockholm/lib>;
     }
     {
       krebs.syncthing.folders = [
-        { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
+        { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" "prism" ]; }
-        { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" ]; }
-        { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
       ];
       lass.ensure-permissions = [
-        { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
         { folder = "/home/lass/tmp/the_playlist"; owner = "lass"; group = "syncthing"; }
-        { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
       ];
     }
     {
@@ -94,6 +90,7 @@ with import <stockholm/lib>;
         pkgs.ovh-zone
         pkgs.bank
         pkgs.adb-sync
+        pkgs.transgui
       ];
     }
     {
@@ -137,6 +134,18 @@ with import <stockholm/lib>;
     (pkgs.writeDashBin "btc-kraken" ''
       ${pkgs.curl}/bin/curl -Ss  'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
     '')
+    (pkgs.writeDashBin "krebsco.de" ''
+      TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
+      ${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json
+      OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import
+      ${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
+    '')
+    (pkgs.writeDashBin "lassul.us" ''
+      TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
+      ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json
+      OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us
+      ${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
+    '')
   ];
 
   #TODO: fix this shit

lass/1systems/prism/config.nix

@@ -413,6 +413,42 @@ with import <stockholm/lib>;
         ];
       };
     }
+    { #macos mounting of yellow
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-i wiregrill -p tcp --dport 139"; target = "ACCEPT"; }
+        { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
+        { predicate = "-i wiregrill -p udp --dport 137"; target = "ACCEPT"; }
+        { predicate = "-i wiregrill -p udp --dport 138"; target = "ACCEPT"; }
+      ];
+      users.users.smbguest = {
+        name = "smbguest";
+        uid = config.ids.uids.smbguest;
+        description = "smb guest user";
+        home = "/home/share";
+        createHome = true;
+      };
+      services.samba = {
+        enable = true;
+        enableNmbd = true;
+        shares = {
+          download = {
+            path = "/var/download/finished";
+            "read only" = "yes";
+            browseable = "yes";
+            "guest ok" = "yes";
+          };
+        };
+        extraConfig = ''
+          guest account = smbguest
+          map to guest = bad user
+          # disable printing
+          load printers = no
+          printing = bsd
+          printcap name = /dev/null
+          disable spoolss = yes
+        '';
+      };
+    }
   ];
 
   krebs.build.host = config.krebs.hosts.prism;

lass/1systems/shodan/config.nix

@@ -15,6 +15,8 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/bitcoin.nix>
     <stockholm/lass/2configs/backup.nix>
     <stockholm/lass/2configs/blue-host.nix>
+    <stockholm/lass/2configs/green-host.nix>
+    <stockholm/lass/2configs/ssh-cryptsetup.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.shodan;

lass/1systems/skynet/config.nix

@@ -8,6 +8,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/blue-host.nix>
     <stockholm/lass/2configs/power-action.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/green-host.nix>
     {
       services.xserver.enable = true;
       services.xserver.desktopManager.xfce.enable = true;

lass/1systems/yellow/config.nix

@@ -31,6 +31,7 @@ with import <stockholm/lib>;
       download-dir = "/var/download/finished";
       incomplete-dir = "/var/download/incoming";
       incomplete-dir-enable = true;
+      message-level = 1;
       umask = "002";
       rpc-whitelist-enabled = false;
       rpc-host-whitelist-enabled = false;

lass/2configs/baseX.nix

@@ -9,6 +9,7 @@ in {
     ./power-action.nix
     ./copyq.nix
     ./urxvt.nix
+    ./xdg-open.nix
     {
       hardware.pulseaudio = {
         enable = true;

lass/2configs/exim-smarthost.nix

@@ -100,6 +100,9 @@ with import <stockholm/lib>;
       { from = "box@lassul.us"; to = lass.mail; }
       { from = "paloalto@lassul.us"; to = lass.mail; }
       { from = "subtitles@lassul.us"; to = lass.mail; }
+      { from = "lobsters@lassul.us"; to = lass.mail; }
+      { from = "fysitech@lassul.us"; to = lass.mail; }
+      { from = "threema@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }

lass/2configs/green-host.nix

@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+  imports = [
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+    { #hack for already defined
+      systemd.services."container@green".reloadIfChanged = mkForce false;
+      systemd.services."container@green".preStart = ''
+        ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q ' on /var/lib/containers/green '
+      '';
+      systemd.services."container@green".postStop = ''
+        set -x
+        ${pkgs.umount}/bin/umount /var/lib/containers/green
+        ls -la /dev/mapper/control
+        ${pkgs.devicemapper}/bin/dmsetup ls
+        ${pkgs.cryptsetup}/bin/cryptsetup -v luksClose /var/lib/sync-containers/green.img
+      '';
+    }
+  ];
+
+  lass.ensure-permissions = [
+    { folder = "/var/lib/sync-containers"; owner = "root"; group = "syncthing"; }
+  ];
+
+  krebs.syncthing.folders = [
+    { path = "/var/lib/sync-containers"; peers = [ "icarus" "skynet" "littleT" "shodan" ]; }
+  ];
+
+  system.activationScripts.containerPermissions = ''
+    mkdir -p /var/lib/containers
+    chmod 711 /var/lib/containers
+  '';
+
+  containers.green = {
+    config = { ... }: {
+      environment.systemPackages = [
+        pkgs.git
+        pkgs.rxvt_unicode.terminfo
+      ];
+      services.openssh.enable = true;
+      users.users.root.openssh.authorizedKeys.keys = [
+        config.krebs.users.lass.pubkey
+      ];
+    };
+    autoStart = false;
+    enableTun = true;
+    privateNetwork = true;
+    hostAddress = "10.233.2.15";
+    localAddress = "10.233.2.16";
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeDashBin "start-green" ''
+      set -fu
+      CONTAINER='green'
+      IMAGE='/var/lib/sync-containers/green.img'
+
+      ${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null
+      if [ "$?" -ne 0 ]; then
+        ${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER"
+      fi
+
+      mkdir -p /var/lib/containers/"$CONTAINER"
+
+      ${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/"$CONTAINER" "
+      if [ "$?" -ne 0 ]; then
+        ${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER"
+      fi
+
+      STATE=$(${pkgs.nixos-container}/bin/nixos-container status "$CONTAINER")
+      if [ "$STATE" = 'down' ]; then
+        ${pkgs.nixos-container}/bin/nixos-container start "$CONTAINER"
+      fi
+      ping -c1 green.r
+      if [ "$?" -ne 0 ]; then
+        ${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch
+      fi
+
+    '')
+  ];
+}

lass/2configs/mail.nix

@@ -233,8 +233,4 @@ in {
     tag-new-mails
     tag-old-mails
   ];
-
-  nixpkgs.config.packageOverrides = opkgs: {
-    notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; }));
-  };
 }

lass/2configs/prism-share.nix

@@ -21,7 +21,7 @@ with import <stockholm/lib>;
     shares = {
       incoming = {
         path = "/mnt/prism";
-        "read only" = "no";
+        "read only" = "yes";
         browseable = "yes";
         "guest ok" = "yes";
       };

lass/2configs/radio.nix

@@ -59,6 +59,9 @@ in {
     group = "radio";
     musicDirectory = "/home/radio/the_playlist/music";
     extraConfig = ''
+      log_level "default"
+      auto_update "yes"
+
       audio_output {
         type        "shout"
         encoding    "lame"
@@ -245,4 +248,10 @@ in {
       alias ${html};
     '';
   };
+  krebs.syncthing.folders = [
+    { id = "the_playlist"; path = "/home/radio/music/the_playlist"; peers = [ "mors" "phone" "prism" ]; }
+  ];
+  lass.ensure-permissions = [
+    { folder = "/home/radio/music/the_playlist"; owner = "radio"; group = "syncthing"; }
+  ];
 }

lass/2configs/ssh-cryptsetup.nix

@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+  boot.initrd = {
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        authorizedKeys = with config.krebs.users; [
+          config.krebs.users.lass-mors.pubkey
+          config.krebs.users.lass-blue.pubkey
+          config.krebs.users.lass-shodan.pubkey
+          config.krebs.users.lass-icarus.pubkey
+        ];
+      };
+    };
+  };
+}

lass/2configs/sync/decsync.nix

@@ -0,0 +1,8 @@
+{
+  krebs.syncthing.folders = [
+    { id = "decsync"; path = "/home/lass/decsync"; peers = [ "mors" "blue" "green" "phone" ]; }
+  ];
+  lass.ensure-permissions = [
+    { folder = "/home/lass/decsync"; owner = "lass"; group = "syncthing"; }
+  ];
+}

lass/2configs/sync/weechat.nix

@@ -0,0 +1,8 @@
+{
+  krebs.syncthing.folders = [
+    { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
+  ];
+  lass.ensure-permissions = [
+    { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
+  ];
+}

lass/2configs/syncthing.nix

@@ -16,7 +16,7 @@ with import <stockholm/lib>;
     key = toString <secrets/syncthing.key>;
     peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
     folders = [
-      { path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism"]; }
+      { path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism" "shodan" ]; }
     ];
   };
 

lass/2configs/websites/domsen.nix

@@ -119,7 +119,7 @@ in {
     authenticators.PLAIN = ''
       driver = plaintext
       public_name = PLAIN
-      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
+      server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
     '';
     authenticators.LOGIN = ''
       driver = plaintext

lass/2configs/xdg-open.nix

@@ -0,0 +1,66 @@
+{ config, pkgs, lib, ... }: with import <stockholm/lib>; let
+
+  xdg-open-wrapper = pkgs.writeDashBin "xdg-open" ''
+    /run/wrappers/bin/sudo -u lass ${xdg-open} "$@"
+  '';
+
+  xdg-open = pkgs.writeBash "xdg-open" ''
+    set -e
+    FILE="$1"
+    mime=
+
+    case "$FILE" in
+      http://*|https://*)
+        mime=text/html
+        ;;
+      mailto:*)
+        mime=special/mailaddress
+        ;;
+      magnet:*)
+        mime=application/x-bittorrent
+        ;;
+      irc:*)
+        mime=x-scheme-handler/irc
+        ;;
+      *)
+        # it’s a file
+
+        # strip possible protocol
+        FILE=''${FILE#file://}
+        mime=''$(file -E --brief --mime-type "$FILE") \
+          || (echo "$mime" 1>&2; exit 1)
+          # ^ echo the error message of file
+        ;;
+    esac
+
+    case "$mime" in
+      special/mailaddress)
+        urxvtc --execute vim "$FILE" ;;
+      ${optionalString (hasAttr "browser" config.lass) ''
+      text/html)
+        ${config.lass.browser.select}/bin/browser-select "$FILE" ;;
+      text/xml)
+        ${config.lass.browser.select}/bin/browser-select "$FILE" ;;
+      ''}
+      text/*)
+        urxvtc --execute vim "$FILE" ;;
+      image/*)
+        sxiv "$FILE" ;;
+      application/x-bittorrent)
+        env DISPLAY=:0 transgui "$FILE" ;;
+      application/pdf)
+        zathura "$FILE" ;;
+      inode/directory)
+        sudo -u lass -i urxvtc --execute mc "$FILE" ;;
+      *)
+        # open dmenu and ask for program to open with
+        $(dmenu_path | dmenu) "$FILE";;
+    esac
+  '';
+in {
+  environment.systemPackages = [ xdg-open-wrapper ];
+
+  security.sudo.extraConfig = ''
+    cr ALL=(lass) NOPASSWD: ${xdg-open} *
+  '';
+}

lass/3modules/usershadow.nix

@@ -45,6 +45,10 @@
       source = "${usershadow}/bin/verify_pam";
       owner = "root";
     };
+    security.wrappers.shadow_verify_arg = {
+      source = "${usershadow}/bin/verify_arg";
+      owner = "root";
+    };
   };
 
   usershadow = let {

makefu/2configs/bureautomation/automation/bureau-shutdown.nix

@@ -5,14 +5,40 @@
       entity_id = "group.team";
       from = "not_home";
       to = "home";
+      for.seconds = 30;
     };
-    action = {
+    action = [
-      service = "homeassistant.turn_on";
+      {
-      entity_id =  [
+        service = "homeassistant.turn_on";
-        "switch.fernseher"
+        entity_id =  [
-        "switch.feuer"
+          "switch.fernseher"
-      ];
+          "switch.feuer"
-    };
+        ];
+      }
+      {
+        service = "media_player.kodi_call_method";
+        data = {
+          entity_id = "media_player.kodi";
+          method = "Player.Open";
+          item.partymode = "music";
+        };
+      }
+      {
+        service = "tts.google_say";
+        entity_id =  "media_player.kodi";
+        data = {
+          message = "Willkommen in deinem Lieblingsbüro";
+          language = "de";
+        };
+      }
+      {
+        service = "notify.telegrambot";
+        data = {
+          title = "Bureau Startup";
+          message = "Willkommen {{ trigger.platform }}";
+        };
+      }
+    ];
   }
   { alias = "Turn off Fernseher after last in group left";
     trigger = [
@@ -42,7 +68,7 @@
         service = "notify.telegrambot";
         data = {
           title = "Bureau Shutdown";
-          message = "All devices are turned off due to {{ trigger.platform }} - {{ trigger }}";
+          message = "All devices are turned off due to {{ trigger.platform }}";
         };
       }
     ];

makefu/2configs/bureautomation/automation/hass-restart.nix

@@ -0,0 +1,31 @@
+[
+  { alias = "State on HA start-up";
+  trigger = {
+      platform = "homeassistant";
+      event = "start";
+    };
+    action = [
+      # Startup State
+      { service = "mqtt.publish";
+        data = {
+          topic = "/bam/sonoffs/cmnd/state";
+          payload = "";
+        };
+      }
+      # Firmware Version
+      { service = "mqtt.publish";
+        data = {
+          topic = "/bam/sonoffs/cmnd/status";
+          payload = "2";
+        };
+      }
+      # Will trigger restart of all devices!
+      #{ service = "mqtt.publish";
+      #  data = {
+      #    topic = "sonoffs/cmnd/SetOption59"; # configure sending state on power change
+      #    payload = "1";
+      #  };
+      #}
+    ];
+  }
+]

makefu/2configs/bureautomation/automation/nachtlicht.nix

@@ -1,43 +1,35 @@
 [
-        {
+  # TODO: trigger if it is before dusk and somebody arives but nachtlichter are
-          alias = "Turn off Nachtlicht on sunrise";
+  # off from last day
-          trigger =
+  # TODO: do not have nachtlicht turned on at night
-          {
+  {
-            platform = "sun";
+    alias = "Turn on Nachtlicht at dusk"; # when it gets dim
-            event = "sunrise";
+    trigger =
-          };
+    { platform = "numeric_state";
-          action =
+      entity_id = "sun.sun";
-          {
+      value_template = "{{ state.attributes.elevation }}";
-            service = "homeassistant.turn_off";
+      below = 10;
-            entity_id =  [ "group.nachtlicht" ];
-          };
-        }
 
-        {
+    };
-          alias = "Turn on Nachtlicht on motion and dusk";
+    action =
-          trigger =
+    { service = "homeassistant.turn_on";
-          {
+      entity_id =  [ "group.nachtlicht" ];
-            platform = "state";
+    };
-            entity_id = "binary_sensor.motion";
+  }
-            to = "on";
+  {
-          };
+    alias = "Turn off Nachtlicht at dawn";
-          condition = # 'when dark'
+    trigger =
-          {
+    { platform = "sun";
-            condition = "or";
+      event = "sunrise";
-            conditions = [
+      offset = "01:30:00"; # on dawn
-              { condition = "sun";
+    };
-                after = "sunset";
+    # TODO: when somebody is still in the buero
-                after_offset = "-00:45:00"; # on dusk
+    # condition = 
-              }
+    #{
-              { condition = "sun";
+    #};
-                before = "sunrise";
+    action =
-              }
+    { service = "homeassistant.turn_off";
-            ];
+      entity_id =  [ "group.nachtlicht" ];
-          };
+    };
-          action =
+  }
-          {
-            service = "homeassistant.turn_on";
-            entity_id =  [ "group.nachtlicht" ];
-          };
-        }
 ]

makefu/2configs/bureautomation/default.nix

@@ -20,6 +20,9 @@ let
     mosquitto_pub -t /bam/$topic/cmnd/POWER -m OFF
   '';
 in {
+  imports = [
+    ./ota.nix
+  ];
   services.logstash = {
     package = pkgs.logstash5;
     enable = true;

makefu/2configs/bureautomation/hass.nix

@@ -6,6 +6,7 @@ in {
   state = [ "/var/lib/hass/known_devices.yaml" ];
   services.home-assistant = {
     enable = true;
+    package = pkgs.home-assistant.override { python3 = pkgs.python36; };
     config = {
       homeassistant = {
         name = "Bureautomation";
@@ -13,8 +14,14 @@ in {
         latitude = "48.8265";
         longitude = "9.0676";
         elevation = 303;
+        auth_providers = [
+          { type = "homeassistant";}
+          { type = "legacy_api_password";}
+          { type = "trusted_networks";
+            # allow_bypass_login = true;
+          }
+        ];
       };
-
       mqtt = {
         broker = "localhost";
         port = 1883;
@@ -79,7 +86,8 @@ in {
       sensor =
         (import ./sensor/espeasy.nix) ++
         ((import ./sensor/outside.nix) {inherit lib;}) ++
-        (import ./sensor/influxdb.nix);
+        (import ./sensor/influxdb.nix) ++
+        (import ./sensor/tasmota_firmware.nix);
 
       camera =
         (import ./camera/verkehrskamera.nix);
@@ -89,12 +97,22 @@ in {
       #  (import ./person/team.nix );
 
       frontend = { };
-      http = { };
+      http = {
+        # TODO: https://github.com/home-assistant/home-assistant/issues/16149
+        api_password = "sistemas";
+        trusted_networks = [
+          "127.0.0.1/32"
+          "192.168.8.0/24"
+          "::1/128"
+          "fd00::/8"
+        ];
+      };
       conversation = {};
       history = {};
       logbook = {};
       tts = [ { platform = "google";} ];
       recorder = {};
+      sun = {};
       telegram_bot = [
         (builtins.fromJSON
           (builtins.readFile <secrets/hass/telegram-bot.json>))
@@ -156,8 +174,10 @@ in {
         outside = [
           # "sensor.ditzingen_pm10"
           # "sensor.ditzingen_pm25"
+          "sensor.dark_sky_icon"
           "sensor.dark_sky_temperature"
           "sensor.dark_sky_humidity"
+          "sensor.dark_sky_uv_index"
           # "sensor.dark_sky_pressure"
           "sensor.dark_sky_hourly_summary"
           "device_tracker.router"
@@ -169,6 +189,7 @@ in {
       # home-assistant
       automation = (import ./automation/bureau-shutdown.nix) ++
                    (import ./automation/nachtlicht.nix) ++
+                   (import ./automation/hass-restart.nix) ++
                    (import ./automation/10h_timer.nix);
       device_tracker = (import ./device_tracker/openwrt.nix );
     };

makefu/2configs/bureautomation/light/statuslight.nix

@@ -20,7 +20,7 @@ let
     payload_not_available= "Offline";
     # brightness
     brightness_state_topic = "/bam/${topic}/tele/STATE";
-    brightness_value_template = "{{value_json.Dimmer}}";
+    brightness_value_template = "{{value_json.Dimmer|default(100)}}";
     brightness_command_topic = "/bam/${topic}/cmnd/Dimmer";
     brightness_scale = 100;
     # color
@@ -30,9 +30,8 @@ let
     rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}";
     # effects
     effect_state_topic = "/bam/${topic}/tele/STATE";
-    effects_value_template = "{{value_json.Scheme}}";
+    effects_value_template = "{{value_json.Scheme|default(0)}}";
     effect_command_topic = "/bam/${topic}/cmnd/Scheme";
-    effect_value_template = "{{ value_json.Scheme }}";
     effect_list = [
       0  # single color for LED light
       1  # start wake up sequence (same as Wakeup)

makefu/2configs/bureautomation/ota.nix

@@ -0,0 +1,15 @@
+{
+  # mosquitto_pub -t /bam/sonoffs/cmnd/OtaUrl -m "http://192.168.8.11/sonoff.bin"
+  # mosquitto_pub -t /bam/sonoffs/cmnd/upgrade -m "6.5.0"
+  # wget https://github.com/arendst/Sonoff-Tasmota/releases/download/v6.5.0/sonoff.bin
+  # wget https://github.com/arendst/Sonoff-Tasmota/releases/download/v6.5.0/sonoff-minimal.bin
+  services.nginx = {
+    enable = true;
+    virtualHosts."192.168.8.11" = {
+      root = "/var/www/tasmota";
+      extraConfig = ''
+          autoindex on;
+      '';
+    };
+  };
+}

makefu/2configs/bureautomation/sensor/tasmota_firmware.nix

@@ -0,0 +1,16 @@
+let
+  tasmota_firmware = topic:
+  { platform = "mqtt";
+  name = "${topic} Firmware";
+  state_topic = "/bam/${topic}/stat/STATUS2";
+  availability_topic = "/bam/${topic}/tele/LWT";
+  value_template = "v{{value_json.StatusFWR.Version}}";
+  payload_available= "Online";
+  payload_not_available= "Offline";
+  };
+in
+  map tasmota_firmware [
+    "plug" "plug2" "plug3" "plug4" "plug5"
+    "status1" "status2" "buslicht"
+    "rfbridge"
+  ]

makefu/2configs/deployment/owncloud.nix

@@ -23,9 +23,9 @@ let
     in {
       system.activationScripts."prepare-nextcloud-${domain}" = ''
         if test ! -e ${root} ;then
-          echo "copying latest ${pkgs.owncloud.name} release to ${root}"
+          echo "copying latest ${pkgs.nextcloud.name} release to ${root}"
           mkdir -p $(dirname "${root}")
-          cp -r  ${pkgs.owncloud} "${root}"
+          cp -r  ${pkgs.nextcloud} "${root}"
           chown -R nginx:nginx "${root}"
           chmod 770 "${root}"
         fi

makefu/2configs/home-manager/default.nix

@@ -2,7 +2,9 @@
   imports = [
     <home-manager/nixos>
   ];
+  home-manager.useUserPackages = true;
   home-manager.users.makefu = {
+    home.stateVersion = "19.03";
   };
   environment.variables = {
     GTK_DATA_PREFIX = "/run/current-system/sw";

makefu/2configs/home-manager/desktop.nix

@@ -5,7 +5,10 @@
   home-manager.users.makefu = {
     systemd.user.services.network-manager-applet.Service.Environment = ''XDG_DATA_DIRS=/run/current-system/sw/share:${pkgs.networkmanagerapplet}/share GDK_PIXBUF_MODULE_FILE=${pkgs.librsvg.out}/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache'';
     programs.browserpass = { browsers = [ "firefox" ] ; enable = true; };
-    programs.firefox.enable = true;
+    programs.firefox = {
+      enable = true;
+      enableIcedTea = true;
+    };
     programs.obs-studio.enable = true;
     xdg.enable = true;
     services.network-manager-applet.enable = true;
@@ -20,7 +23,6 @@
       filenamePattern=%F_%T_shot
     '';
 
-    systemd.user.services.pasystray.Service.Environment = "PATH=" + (lib.makeBinPath (with pkgs;[ pavucontrol paprefs /* pavumeter  */  /* paman */ ]) );
     programs.chromium = {
       enable = true;
       extensions = [

makefu/2configs/home-manager/recording.nix

@@ -0,0 +1,4 @@
+{pkgs, ... }:
+{
+    home-manager.users.makefu.programs.obs-studio.enable = true;
+}

makefu/2configs/home-manager/taskwarrior.nix

@@ -3,6 +3,12 @@ let
   loc = "/home/makefu/.task";
 in {
   state = [ "${loc}/keys" ];
+  environment.shellAliases = {
+    tshack = "task tags:shack";
+    tkrebs = "task tags:krebs";
+    thome = "task tags:home";
+    t = "task project: ";
+  };
   home-manager.users.makefu.programs.taskwarrior = {
     enable = true;
     dataLocation = loc;

makefu/2configs/home-manager/zsh.nix

@@ -67,6 +67,7 @@
       home-manager.users.makefu.programs.zsh.shellAliases = {
         cat = "bat";
         catn = "${pkgs.coreutils}/bin/cat";
+        ncat = "${pkgs.coreutils}/bin/cat";
       };
     }
   ];

makefu/2configs/homeautomation/default.nix

@@ -108,6 +108,7 @@ in {
   ];
 
   services.home-assistant = {
+    package = pkgs.home-assistant.override { python3 = pkgs.python36; };
     config = {
       homeassistant = {
         name = "Home"; time_zone = "Europe/Berlin";

makefu/2configs/hw/tp-x2x0.nix

@@ -1,6 +1,5 @@
 { config, lib, pkgs, ... }:
 
-with import <stockholm/lib>;
 {
   imports = [
     ./tpm.nix
@@ -19,7 +18,6 @@ with import <stockholm/lib>;
   hardware.cpu.intel.updateMicrocode = true;
 
   zramSwap.enable = true;
-  zramSwap.numDevices = 2;
 
   # enable synaptics so we can easily disable the touchpad
   #   enable the touchpad with `synclient TouchpadOff=0`

makefu/2configs/tools/android-pentest.nix

@@ -3,7 +3,7 @@
 {
   nixpkgs.config.android_sdk.accept_license = true;
   users.users.makefu.packages = with pkgs; [
-    mitmproxy
+    # mitmproxy
     nmap
     msf
     drozer

makefu/2configs/tools/core-gui.nix

@@ -10,7 +10,8 @@
     keepassx
     pcmanfm
     evince
-    mirage
+    # replacement for mirage:
+    sxiv
     tightvnc
     gnome3.dconf
     xdotool

makefu/2configs/tools/media.nix

@@ -7,7 +7,7 @@
     vlc
     mumble
     mplayer
-    quodlibet # exfalso
+    # quodlibet # exfalso
 
     plowshare
     streamripper

makefu/5pkgs/prison-break/default.nix

@@ -3,12 +3,12 @@ with pkgs.python3.pkgs;
 
 buildPythonPackage rec {
   pname = "prison-break";
-  version = "0.1.0";
+  version = "1.0.0";
   src = fetchFromGitHub {
     owner = "makefu";
     repo = pname;
-    rev = "5eed6371e151e716faafa054e005bd98d77b4b5d";
+    rev = "1.0.0";
-    sha256 = "170zs9grbgkx83ghg6pm13v7vhi604y44j550ypp2x26nidaw63j";
+    sha256 = "0ab42z6qr42vz4fc077irn9ykrrylagx1dzlw8dqcanf49dxd961";
   };
   propagatedBuildInputs = [
     docopt

makefu/krops.nix

@@ -71,7 +71,7 @@
     (lib.mkIf ( host-src.home-manager ) {
       home-manager.git = {
         url = https://github.com/rycee/home-manager;
-        ref = "4aa07c3";
+        ref = "ff602cb906e3dd5d5f89c7c1d0fae65bc67119a0";
       };
     })
   ];