summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2022-11-22 19:38:36 +0100
committertv <tv@krebsco.de>2022-11-22 19:38:36 +0100
commit1c4e27473c46faf4b4a4c800cb29cdabf73f716f (patch)
treed9ec3e9b4a2e77f9e8baf2e8601a5cc9439131eb
parent12ce60ff1435a71ee4cf0431223c129010e7df73 (diff)
parentfef385511d07c1ea5be1eae4fd8dd7eba563ab2c (diff)
Merge remote-tracking branch 'prism/master'
Diffstat
-rw-r--r--krebs/2configs/matterbridge.nix10
-rw-r--r--krebs/2configs/news-host.nix3
-rw-r--r--krebs/2configs/reaktor2.nix49
-rwxr-xr-xkrebs/2configs/shack/doorstatus.sh3
-rw-r--r--krebs/3modules/ci/default.nix1
-rw-r--r--krebs/3modules/ergo.nix2
-rw-r--r--krebs/3modules/external/mic92.nix25
-rw-r--r--krebs/3modules/lass/default.nix58
-rw-r--r--krebs/3modules/lass/pgp/yubikey.pgp144
-rw-r--r--krebs/3modules/sync-containers.nix140
-rw-r--r--krebs/5pkgs/simple/ergo/default.nix23
-rw-r--r--krebs/5pkgs/simple/hashPassword/default.nix2
-rw-r--r--krebs/5pkgs/simple/nix-prefetch-github.nix25
-rw-r--r--krebs/5pkgs/simple/stable-generate/default.nix64
-rw-r--r--krebs/5pkgs/simple/weechat-declarative/default.nix5
-rw-r--r--krebs/nixpkgs-unstable.json8
-rw-r--r--krebs/nixpkgs.json8
-rw-r--r--lass/1systems/green/config.nix97
-rw-r--r--lass/1systems/green/physical.nix2
-rw-r--r--lass/1systems/green/source.nix6
-rw-r--r--lass/1systems/shodan/config.nix10
-rw-r--r--lass/1systems/shodan/physical.nix6
-rw-r--r--lass/1systems/yellow/config.nix13
-rw-r--r--lass/2configs/alacritty.nix13
-rw-r--r--lass/2configs/atuin-server.nix38
-rw-r--r--lass/2configs/baseX.nix72
-rw-r--r--lass/2configs/consul.nix43
-rw-r--r--lass/2configs/et-server.nix7
-rw-r--r--lass/2configs/green-host.nix27
-rw-r--r--lass/2configs/red-host.nix167
-rw-r--r--lass/2configs/weechat.nix221
-rw-r--r--lass/2configs/zsh.nix52
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/sync-containers3.nix313
-rw-r--r--lass/5pkgs/weechat-matrix/default.nix80
-rw-r--r--lib/types.nix8
36 files changed, 1441 insertions, 305 deletions
diff --git a/krebs/2configs/matterbridge.nix b/krebs/2configs/matterbridge.nix
index a68aa292c..b96dea300 100644
--- a/krebs/2configs/matterbridge.nix
+++ b/krebs/2configs/matterbridge.nix
@@ -10,14 +10,10 @@
Charset = "utf-8";
};
telegram.krebs.Token = bridgeBotToken;
- irc = let
+ irc.hackint = {
+ Server = "irc.hackint.org:6697";
+ UseTLS = true;
Nick = "ponte";
- in {
- hackint = {
- Server = "irc.hackint.org:6697";
- UseTLS = true;
- inherit Nick;
- };
};
gateway = [
{
diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix
index b7728986f..07674c86e 100644
--- a/krebs/2configs/news-host.nix
+++ b/krebs/2configs/news-host.nix
@@ -4,10 +4,7 @@
"shodan"
"mors"
"styx"
- "puyak"
];
- hostIp = "10.233.2.101";
- localIp = "10.233.2.102";
format = "plain";
};
}
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index 41cfd7735..3e88c0899 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -51,6 +51,29 @@ let
};
};
+ confuse = {
+ pattern = "^!confuse (.*)$";
+ activate = "match";
+ arguments = [1];
+ command = {
+ filename = pkgs.writeDash "confuse" ''
+ set -efu
+ export PATH=${makeBinPath [
+ pkgs.coreutils
+ pkgs.curl
+ pkgs.gnused
+ pkgs.stable-generate
+ ]}
+ stable_url=$(stable-generate "$@")
+ paste_url=$(curl -Ss "$stable_url" |
+ curl -Ss https://p.krebsco.de --data-binary @- |
+ tail -1
+ )
+ echo "$_from: $paste_url"
+ '';
+ };
+ };
+
taskRcFile = builtins.toFile "taskrc" ''
confirmation=no
'';
@@ -185,8 +208,9 @@ let
};
}
{
- pattern = "18@p";
+ pattern = ''^18@p\s+(\S+)\s+(\d+)m$'';
activate = "match";
+ arguments = [1 2];
command = {
env = {
CACHE_DIR = "${stateDir}/krebsfood";
@@ -202,14 +226,27 @@ let
osm-restaurants = pkgs.callPackage "${osm-restaurants-src}/osm-restaurants" {};
in pkgs.writeDash "krebsfood" ''
set -efu
- ecke_lat=52.51252
- ecke_lon=13.41740
- ${osm-restaurants}/bin/osm-restaurants --radius 500 --latitude "$ecke_lat" --longitude "$ecke_lon" \
- | ${pkgs.jq}/bin/jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"'
- '
+ export PATH=${makeBinPath [
+ osm-restaurants
+ pkgs.coreutils
+ pkgs.curl
+ pkgs.jq
+ ]}
+ poi=$(curl -fsS http://c.r/poi.json | jq --arg name "$1" '.[$name]')
+ if [ "$poi" = null ]; then
+ latitude=52.51252
+ longitude=13.41740
+ else
+ latitude=$(echo "$poi" | jq -r .latitude)
+ longitude=$(echo "$poi" | jq -r .longitude)
+ fi
+
+ osm-restaurants --radius "$2" --latitude "$latitude" --longitude "$longitude" \
+ | jq -r '"How about \(.tags.name) (https://www.openstreetmap.org/\(.type)/\(.id)), open \(.tags.opening_hours)?"'
'';
};
}
+ confuse
bedger-add
bedger-balance
hooks.sed
diff --git a/krebs/2configs/shack/doorstatus.sh b/krebs/2configs/shack/doorstatus.sh
index 46314cb9c..aa6c1c3d1 100755
--- a/krebs/2configs/shack/doorstatus.sh
+++ b/krebs/2configs/shack/doorstatus.sh
@@ -54,7 +54,8 @@ Herr makefu an Kasse 3 bitte, Kasse 3 bitte Herr makefu. Der API Computer ist ma
EOF
)
-state=$(curl -fSsk https://api.shackspace.de/v1/space | jq .doorState.open)
+payload=$(curl -fSsk https://api.shackspace.de/v1/space)
+state=$(printf '%s' "$payload" | jq .doorState.open)
prevstate=$(cat state ||:)
if test "$state" == "$(cat state)";then
diff --git a/krebs/3modules/ci/default.nix b/krebs/3modules/ci/default.nix
index 0f85b27c0..022da5884 100644
--- a/krebs/3modules/ci/default.nix
+++ b/krebs/3modules/ci/default.nix
@@ -115,6 +115,7 @@ let
build_name = stage,
build_script = stages[stage],
),
+ timeout = 3600,
command="${pkgs.writeDash "build.sh" ''
set -xefu
profile=${shell.escape profileRoot}/$build_name
diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix
index 50c5ab628..d5f167e79 100644
--- a/krebs/3modules/ergo.nix
+++ b/krebs/3modules/ergo.nix
@@ -122,7 +122,7 @@
# reloadIfChanged = true;
restartTriggers = [ configFile ];
serviceConfig = {
- ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
+ ExecStart = "${pkgs.ergochat}/bin/ergo run --conf /etc/ergo.yaml";
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
DynamicUser = true;
StateDirectory = "ergo";
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 35e72ec2a..2a3604b25 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -929,5 +929,30 @@ in {
};
};
};
+
+ ruby = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ retiolum = {
+ aliases = [ "ruby.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAzqrguDMHqYyidLxbz3jsQS3JVNCy0HaN6wprT1Ge1Anf5E8KtuXh
+ M9IjYPShzzJ162rYaJdd2lBmc5o435j+0/Gg5pySILni9bILhuRr7TMWN0sjNbgr
+ x0JRbpMmpW5DOmQx1BSyA+LLNbyVVnCc1XI0P2EaRr1ZrRSU0bpE/7kJ//Zt7ATu
+ GfqJTuL2aqap12VMKAfjRByyXA9V7szJMRom2Ia3cWSXhie1E0OOvCNT+InKXx4c
+ QbEGX71noCgsNgxbD8AVSwMnNV15vdnbgwK/1QzA0Cep1uxFS05TXJZLZTjcGwG0
+ Kp0kEjntq1rCqgdoUHIubNB17efU/oP6aSrdfvtgeYBjn0zSLHSUYdhf3JHd1Fvf
+ Ov2TwHxt/sm8d91UjhrkYwjf2nzSruAklYDnIDJiHgLFoT5WuOoVlnfUjRpQEw44
+ kp8KXsd24Y0UT5XJO5cQA+kZ1vl2ktHbQGTqYuYDB2FKEnBR/JIwJzJfugcGiyRx
+ OukQ2/rjnS60JA2pHUEfoezIAMhYAF+EPgOgMcNSSRYUVBpPVKD26oGTrNn0AtnO
+ ALW1vqUDwxb0cpv877vN1VfqvLE8n8Zgtt7itdT0+vxNPxICvF6//LNYUeDoQ3pj
+ w+1ZSdYZsvIQ7tDcilnL0hU5/nfsSIbHV+ceuLde1xDt5c7Tnl4v/U0CAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "TV9byzSblknvqdUjQCwjgLmA8qCB4Tnl/DSd2mbsZTJ";
+ };
+ };
+ };
};
}
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 3e58fee1d..ca0c757a3 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -1,12 +1,6 @@
with import <stockholm/lib>;
{ config, ... }: let
- hostDefaults = hostName: host: flip recursiveUpdate host {
- ci = true;
- monitoring = true;
- owner = config.krebs.users.lass;
- };
-
r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address;
w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address;
@@ -16,6 +10,7 @@ in {
};
hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.lass;
+ consul = true;
ci = true;
monitoring = true;
}) {
@@ -418,6 +413,7 @@ in {
};
xerxes = {
cores = 2;
+ consul = false;
nets = rec {
retiolum = {
ip4.addr = "10.243.1.3";
@@ -592,7 +588,53 @@ in {
syncthing.id = "CADHN7J-CWRCWTZ-3GZRLII-JBVZN4N-RGHDGDL-UTAJNYI-RZPHK55-7EYAWQM";
};
+ massulus = {
+ cores = 1;
+ ci = false;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.0.113";
+ ip6.addr = r6 "113";
+ aliases = [
+ "massulus.r"
+ ];
+ tinc = {
+ pubkey = ''
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEApwYalnJ2E1e3WOttPCpt
+ ypNm2adUXS/pejcbF68oRvgv6NRMOKVkoFVEzdnCLYTkYkwcpGd+oRO91F+ekZrN
+ ndEoicuzHNyG6NTXfW3Sjj9Au/NoAVwOJxAztzXMBAsH5pi4PSiqIQZC4l6cyv2K
+ zUNm1LvW5Z5/W0J5XCUw3/B4Py7V/HjW9Yxe8MCaCVVP2kF5SwjmfQ+Yp+8csvU3
+ F30xFjcTJjjWUPSkubgxtsfkrbbjzdMZhKldi3l9LhbYWD8O4bUTrTau/Emaaf6e
+ v5paVh9Kczwg7Ugk9Co3GL4tKOE2I7kRQV2Rg0M5NcRBUwfxkl6JTI2PmY0fNmYd
+ kdLQ1fKlFOrkyHuPBjZET1UniomlLpdycyyZii+YWLoQNj4JlFl8nAlPbqkiy8EF
+ LcHvB2VfdjjyBY25TtYPjFzFsEYKd8HQ7djs8rvJvmhu4tLDD6NaOqJPWMo7I7rW
+ EavQWZd+CELCJNN8eJhYWIGpnq+BI00FKayUAX+OSObYCHD1AikiiIaSjfDCrCJb
+ KVDj/uczOjxHk6TUVbepFA7C8EAxZ01sgHtUDkIfvcDMs4DGn88PmjPW+V/4MfKl
+ oqT7aVv6BYJdSK63rH3Iw+qTvdtzj+vcoO+HmRt2I2Be4ZPSeDrt+riaLycrVF00
+ yFmvsQgi48/0ZSwaVGR8lFUCAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
+ pubkey_ed25519 = "QwKNyv97Q2/fmPrVkgbGIhDTVW+uKu+F2enGCtZJgkM";
+ port = 1655;
+ };
+ };
+ wiregrill = {
+ ip6.addr = w6 "113";
+ aliases = [
+ "massulus.w"
+ ];
+ wireguard.pubkey = ''
+ 4wXpuDBEJS8J1bxS4paz/eZP1MuMfgHDCvOPn4TYtHQ=
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH8lFXZ/d2NtqyrpslTGRNBR7FJZCJ6i3UPy0LDl9t7 ";
+ };
+
phone = {
+ consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.13";
@@ -608,6 +650,7 @@ in {
syncthing.id = "PWKVXPB-JCNO6E4-KVIQ7CK-6FSOWHM-AWORMDU-HVVYLKW-44DQTYW-XZT7DQJ";
};
tablet = {
+ consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.14";
@@ -622,6 +665,7 @@ in {
ci = false;
};
hilum = {
+ consul = false;
cores = 1;
nets = {
retiolum = {
@@ -797,6 +841,7 @@ in {
};
lasspi = {
+ consul = false;
cores = 1;
nets = {
retiolum = {
@@ -840,6 +885,7 @@ in {
};
domsen-pixel = {
+ consul = false;
nets = {
wiregrill = {
ip4.addr = "10.244.1.17";
diff --git a/krebs/3modules/lass/pgp/yubikey.pgp b/krebs/3modules/lass/pgp/yubikey.pgp
index d7b3c29c5..be1054048 100644
--- a/krebs/3modules/lass/pgp/yubikey.pgp
+++ b/krebs/3modules/lass/pgp/yubikey.pgp
@@ -58,52 +58,100 @@ D7u4ShvPtxqFf+mv/4eHYx2akBIIUQYAf5OYGnE3E0kqiuK4qHKgt1NI5z1mSd9D
duWIuoRbBUrApTKsHgwtMxNrNVioGIE1dTRuu56drhwY2ZPyzVtSb7q/hRU/a3UZ
5S6EsrmDGIIlAHrgKfKfuerESE5VzN1Nn3QHpfjwX+gq51cosTqlRiu4oMesPk31
ZmPcuG6H/m7nGagX9+l00sDsqISqMG4lZCJAFa020OS/g6V3q6LCqggky6+4sQTG
-5HB8jGba2tXMSQfBQEtDFve6agiRTw8z1V8s1gPCMmPhsLi5Ag0EXaJN1gEQANML
-yxoeknGlTtkG640UP5ZkUEojwXxlni3v2dpWEaEJO9yqvkELCWum5pRz+iDzoDFS
-lUPnP3YKVFkLbAlk56abIAQ6VK7wkOSHCw1F7LlCY830bRkgGJ8/b8us9KpET6Am
-ei7OGYVtqNBUodEJi6XkH5q9RLQeVR+7ynt0LTAxO/mMFYc3nhccrhadubhh5rTd
-e/UcxBL/zYx8tCBy2F4ep6Anx02HOauTwaqk4KLhB9IcdS8sJQHFY7iEVWNcovwF
-8luGEGPJOdOPTMZz4jD4aWFqbT6ragWaG8tisLEe9UhET2LL3r/4DIgAJY4bwg5T
-ZyK/1j+Nj1IyYkQ9A6YF96Y5XCi9DF0MYq9NytWNnMCT8F4QCCDRWhgql714/Er/
-qfwnT2M6m8P4OS1sAHv5vDDYXezB0WrJNstYvhtHhi4ctuolBuwOb7nyIBlZovhk
-5/6IAFmoUprfGHOuttEcPTRDGv737cR1cYaz5QMuz2svNU3ivI/tYfIQwMAjv84A
-ZN2wl63QkghYo/dm9a5Ex78CNwZD/z7HOE3zD+Rd0C9/hXLpVVhN0mKmDzgJHPUo
-VDk//P3YgzM+dtUWWPJ1FfaTz2543V9MwVWUJQj0DIgl4noLHX3wkd/d4gYGAhlW
-kBxkbQPJ4NT7EKBFk44fa6DVuGOGatBAxKQq1GftABEBAAGJAjwEGAEKACYCGwwW
-IQTbzXV4RgabOS6pQB1mV76KjR7oBwUCX4l2DwUJBamPOQAKCRBmV76KjR7oB/Ds
-D/96TGfHa6BW1v2kUyHUKmpdk62UhZz49nTsOu1JeMI2cDMLkKaPyeKLsRpzV2qc
-OoG1dal7dgjtzKsWdz0HxrrbEs0rBJO4xOmg12Sv9fttTocTt2bQMe3d20Vihbi+
-NDEx2PeyncYulDd8PNfDkh8vWUJQoThqimXoVARwKNuH2oDytGceIp+BZLOH8HRz
-0ESH9nCAGw3gVX6vQPtjbMgoIXHAnAJkIe2boyyUHu2ZmD6CGjxGSSICMzShcDvN
-kcyPKG5BbOGRpbehaMcOOiGH0NsudUPOsyxQt90bP/U+WHPhvOTGk0PqGaOf8QDE
-saGlChd3wVK+uCGl60szcxQsbgzlEQVUG3tTW4QGfzL3XK5bHvuGj03Vb45005Y4
-6UCUP4ZkEYDsw1Hrn5bkPOP/Pc8Sz1MQt+nw1U3QXbHLxLb8fB82B6oDMakHPgaw
-73HxYwbaXDswBb6BVTc86RmXRH1+StObDiJp+h16EqdsSyp15tSM80GRf1KaNKxc
-MA4N7/i7j9M/z2fKWT7vTAGdcg8vhZH0MDQ9vRmYsuQZtoNieZVXnyQ/ILAgPhiL
-pdyPffQV0BpWKd68C8kEhoMP0D3h6Uj88ZOuapyOCvsrBvR7SQOVh+L+KMjh1Xgx
-WvPJuoU4Jox4og85/Gz0Ui8EROYyHg5yqPqsBBmz6h8F7rkCDQRdok4KARAAyG97
-rjKhP8Uie1i/16SekDo+GkpodBmvhrZiZdwg75YxriHhgioe2AKKmQItOdZOY+mV
-qMA63FmByDlPodHmQnrIAn/gr7p5V3lM+l0oVTI8maPO39iT7Nh6W/rv4ni8eMBk
-L6P2cPPaTpcv76qWl/WcMiEflPNSAFaxyIapq04rafthcIILWmOBbQ+liMn9YT7a
-6w3nF/Ig4Zxx7hoQE6/HrTC8HcENpCAceQQYAqIrlu8F5y1AQVWHjtyCPee1z/8l
-PNnPg40lSbXozg5kQDP965Pge6XReUoUVVRcgeiSUfkHdYPIkh/tkFy1MtzTNize
-buadqE41Ds6BD1maO5cpGc5iFnf+YY01vWIhwvgPMbAsUKrPOw/RyvYSwOrnWegh
-pKuIRv+sBcDY0jJ799CHB2c8eiAYoTRm64rKyYS8RIilqTCmIHnpoSIq3n1wOlMV
-X4sB4N4CfAZRAbI9LZfx1QEYn0dst9+mCDRJ/ALBxocKz0wRTpwU5nwP1Zz9TZVh
-81wn1Ypj+mFb3aBggpwMLxbifmbsZmd1MwW9k3p2WTs8M1dLFM2ZNA9QmkgRSVFN
-6GTTpAyDOs+ZSGYM7MisG9/EvFbNx2BPg6qZH7JeMnlOZXXOg8K5VcLkiGuL1brO
-Hlg94Axha8ffMmqjsde6XOAgvSl5P9k47SWOcZkAEQEAAYkCPAQYAQoAJgIbIBYh
-BNvNdXhGBps5LqlAHWZXvoqNHugHBQJfiXYPBQkFqY8FAAoJEGZXvoqNHugHuLUP
-+gJ01mSEs3+0jriWqg7V+Q59rulMVrUdV2mjBtzz3gvF9PLiEnVEl7EgGdLpVIr/
-Wr9QIiUnS1NNrDz8oeDf54Q+OXtQOiczGClK+yWSm/CM02+HATFws66umAl4GQ4X
-qAJwdSDDKIHCP1/0VqXNQUOWW0GCCGCAdn55u4pf+B1rmkA3cWhN51SvAriA/YcG
-qmyJZgXO+qZOPWNHxNUdgq9lVEO132dhDzH1b9ufnvQMDxF2V681fQ7E3zWEJZZb
-YLRB4jrSz8oxipGRGKgDLiR7lyQ/xRU161jSawblBTcIRXK9c4hv178xQWAInMjt
-Hst4YCpvclG26ypZLCzvw6swfnXf3A6Q4A8pZQVvogWZ01dlgofwHm8qlYxT7wSq
-eicOu3FkSHD8vNwkXnMLqxwkFr4BcSefzCiXulyMcb3h67ZfXAYAFGrrR581vGEt
-Xy+xfXK5PqBX7CWEl3Vs2an9whEncZuv1I9iyXDUmGP7Y373JjqNtpS2GMMPA73k
-nB7eI/zpVS5qoxUlqw35Pldvt+L4E3hvrvE7iZE3w4lB9WUyY1OnSRDU10l2rqWt
-Ptyk3LE2ed5hz5I+gy8/RsXrAooMBXIGV/GJrhye45wf5F/XQqPulnj38sKhmrQC
-QTubPgJwG/kTpNdrA3YukE3E7T5ejaGTT2n5nKat6bj7
-=h9fX
+5HB8jGba2tXMSQfBQEtDFve6agiRTw8z1V8s1gPCMmPhsLiJBGwEGAEKACACGwIW
+IQTbzXV4RgabOS6pQB1mV76KjR7oBwUCY1E8SAJAwXQgBBkBCgAdFiEEVAotn4qI
+hqe83vdsfheGip18nM8FAl2iTZIACgkQfheGip18nM9DVxAAuqX7iztddbttkIfN
+65R5XJPjz7NRg0AI8G+1qnkvF3c2ufNjL++BJSvlbi/2ov92S+0CPF08E4kDsHjA
+/JM782D6lDfSZltW4YBBqkJZdtiPElcIqIhM6EX7fs3Ag/RjUVPb4tYkH20xcNhy
+l+0RdBuSvR0+KOXXBfoNmsyQM4/hUKiWW3vGOZOBmYPNcvAQcMs+p4D5JHQcOyxg
+tXyiXU/VxvUWI7cH6I7daRDTFR3L4zXoIrRwqEgxIqof2Zm4smoHDLfXxGQrcjj6
+eKkn/gt/T7qYxnhcG5guS2DwIay5c7xV1xuB7pDgM1On56heD21DI4vtXXnTkjo7
+/6hsw2e6TBcn295fEekvBupYVwazefBSlr2f3xxlDvd35D5tWZRVGspzxO15DcTa
+TglOeNtRnYGRwHwE/tiJ0G0uwGfvaI0xeexuhnTfvEkpJ4SJ/iMl+FpOw7I35H7m
+z8MrRNMjtR+Es8gzuw7hNErmbh0SLZvddoPnqt9kF8ayA1iz1X9KiBkkj3EbvI99
+jYjdDDm5lsxCZKLSX4r9Mp236K6DMGlifRN2AfdXziXhPABQkKE5m7kcn1gALn9M
+cg5HgeXTdxan6QP35ygDtmNldJGEP+AWAZ4RwaFK8P3/oqQ/8XhnkwH5n2SPd8WQ
+qnldvrtajUzUegvJUstLS5B1TFQJEGZXvoqNHugHrtcP+waicH+WhpbvPoHJW//U
+c7IwcrsOpWNuh0gKV1+LvBV9dGzGZDlhwsncMeNzT8tnxDwhD1CiJ1uzO2H1m+yX
+CeljVnYFlP0sl9IT/AiV8NNiuaIpOc5RjRY1yvOZ017/J7Hyhnaw0iap1vNDNOwH
+t7tzB1PvM3p6an4Jh0AJZF5adReQTbi9Zw7MW2Yf0XHTT4rFX+Mn5gcuvsV9n39d
+6U3k5G6Hf1bSROsXNVwOwF6VbO8NvBm6ehgNyRcGsino/f82HRwvnQPhJgEakZ1h
+WWUUnakK14mRRMUns8CMNfFh+50ciK1Q8kAVgYLVA1H1NXM0+68YZMl5CiiaD3pM
+17flwcWUdkIu3uWAvc3hSCNw6i9F4Kx1yD/ZdiT0vBapa3ehUXIo5g79NcFl9xnQ
+fnYG+nnl2bLZSHP8b+LZsGivOEZuBHoR2ComeTqqJxeT8ZsEdtLcloaSaf2Em2xf
+b9OfhGOC7hKfS4HAlLFbEydWuZuA8EpTXd6eqINCFbOb9BjpKvSCCLs5S3s7T4WE
+FQB7yHXQQgB1EzYaJxFZstkiD8exu/hiWfwVLaho09QbtPmt2u1lvbxiSxtCdphi
+hoKc6wjhD8F9YM5xxitcF7iAV7oEDZ/1JVkvi/1gWFgW0UmEKuy2KN/Eb/mr41NJ
+bMauCCfjnCbAzoW6dhHpbO45uQINBF2iTdYBEADTC8saHpJxpU7ZBuuNFD+WZFBK
+I8F8ZZ4t79naVhGhCTvcqr5BCwlrpuaUc/og86AxUpVD5z92ClRZC2wJZOemmyAE
+OlSu8JDkhwsNRey5QmPN9G0ZIBifP2/LrPSqRE+gJnouzhmFbajQVKHRCYul5B+a
+vUS0HlUfu8p7dC0wMTv5jBWHN54XHK4Wnbm4Yea03Xv1HMQS/82MfLQgctheHqeg
+J8dNhzmrk8GqpOCi4QfSHHUvLCUBxWO4hFVjXKL8BfJbhhBjyTnTj0zGc+Iw+Glh
+am0+q2oFmhvLYrCxHvVIRE9iy96/+AyIACWOG8IOU2civ9Y/jY9SMmJEPQOmBfem
+OVwovQxdDGKvTcrVjZzAk/BeEAgg0VoYKpe9ePxK/6n8J09jOpvD+DktbAB7+bww
+2F3swdFqyTbLWL4bR4YuHLbqJQbsDm+58iAZWaL4ZOf+iABZqFKa3xhzrrbRHD00
+Qxr+9+3EdXGGs+UDLs9rLzVN4ryP7WHyEMDAI7/OAGTdsJet0JIIWKP3ZvWuRMe/
+AjcGQ/8+xzhN8w/kXdAvf4Vy6VVYTdJipg84CRz1KFQ5P/z92IMzPnbVFljydRX2
+k89ueN1fTMFVlCUI9AyIJeJ6Cx198JHf3eIGBgIZVpAcZG0DyeDU+xCgRZOOH2ug
+1bhjhmrQQMSkKtRn7QARAQABiQI8BBgBCgAmAhsMFiEE2811eEYGmzkuqUAdZle+
+io0e6AcFAl+Jdg8FCQWpjzkACgkQZle+io0e6Afw7A//ekxnx2ugVtb9pFMh1Cpq
+XZOtlIWc+PZ07DrtSXjCNnAzC5Cmj8nii7Eac1dqnDqBtXWpe3YI7cyrFnc9B8a6
+2xLNKwSTuMTpoNdkr/X7bU6HE7dm0DHt3dtFYoW4vjQxMdj3sp3GLpQ3fDzXw5If
+L1lCUKE4aopl6FQEcCjbh9qA8rRnHiKfgWSzh/B0c9BEh/ZwgBsN4FV+r0D7Y2zI
+KCFxwJwCZCHtm6MslB7tmZg+gho8RkkiAjM0oXA7zZHMjyhuQWzhkaW3oWjHDjoh
+h9DbLnVDzrMsULfdGz/1Plhz4bzkxpND6hmjn/EAxLGhpQoXd8FSvrghpetLM3MU
+LG4M5REFVBt7U1uEBn8y91yuWx77ho9N1W+OdNOWOOlAlD+GZBGA7MNR65+W5Dzj
+/z3PEs9TELfp8NVN0F2xy8S2/HwfNgeqAzGpBz4GsO9x8WMG2lw7MAW+gVU3POkZ
+l0R9fkrTmw4iafodehKnbEsqdebUjPNBkX9SmjSsXDAODe/4u4/TP89nylk+70wB
+nXIPL4WR9DA0Pb0ZmLLkGbaDYnmVV58kPyCwID4Yi6Xcj330FdAaVinevAvJBIaD
+D9A94elI/PGTrmqcjgr7Kwb0e0kDlYfi/ijI4dV4MVrzybqFOCaMeKIPOfxs9FIv
+BETmMh4Ocqj6rAQZs+ofBe6JAjYEGAEKACACGwwWIQTbzXV4RgabOS6pQB1mV76K
+jR7oBwUCY1E8SAAKCRBmV76KjR7oBwM+D/0evufvIWftzdge63hol1k4LdZSiSD9
+bh+h8fb/Mm+2HIS8RweHr1+CS8CW/Om9MJoW0ZDsCmC0vU44/vLL3JzbP4+BDuVF
+dky1XX/9Z73Fn/LpakITyXd6YJMsknzAA4ZEzhe4uModNSH5IU818I+/Vyvbe1nX
+Hfg2FYva4zVn9E5Gd4vpHBF7D99dGg0vUINtux06WKfdsDB59MiZxCSWfqty+yTM
+XWwh5fuFIxwjlkKVdrb45101MnUtzJDmxwPxjOpF+z2tJ0qIvs6Zu6FDEh7fcaJM
+mKAPtVXKRxTYaS6j7fpNk5ACFgiHDb+0mI60fH0eiQSqp9Q7cyYbt1yiW2bKY4Pg
+qDOtcLT+uIYYVmxBHTLx38gT3Gp83O7WqNZ9ouctIXAXHWwTNsKzMhwgaEmmPbkP
+7VO8oZZ9hVphirmijgNO1Oz7Qqh5ORYwsGdvYtbPXD4ZUSpqFT5bTMHS5TKPHf70
+5alkwYuwYfLs4m2zYsKadQ+vq12ZX7Z6+DbjfzWAEhzqLP2Y8yGnFSBSmULsALnj
+Zg3RN5sxJe3fhTze09Fm8OTopTLoDH5fR91VPhRLGHahvV1Sm/H4ZdtAXTPsHP20
+phAc8mK2DgEM0k7vDO5RtV4xTLjBopiciXIBL+TzCKGmDRX2+9nTyF3Kx9qjN52H
+EFFJ1mTed/J7VrkCDQRdok4KARAAyG97rjKhP8Uie1i/16SekDo+GkpodBmvhrZi
+Zdwg75YxriHhgioe2AKKmQItOdZOY+mVqMA63FmByDlPodHmQnrIAn/gr7p5V3lM
++l0oVTI8maPO39iT7Nh6W/rv4ni8eMBkL6P2cPPaTpcv76qWl/WcMiEflPNSAFax
+yIapq04rafthcIILWmOBbQ+liMn9YT7a6w3nF/Ig4Zxx7hoQE6/HrTC8HcENpCAc
+eQQYAqIrlu8F5y1AQVWHjtyCPee1z/8lPNnPg40lSbXozg5kQDP965Pge6XReUoU
+VVRcgeiSUfkHdYPIkh/tkFy1MtzTNizebuadqE41Ds6BD1maO5cpGc5iFnf+YY01
+vWIhwvgPMbAsUKrPOw/RyvYSwOrnWeghpKuIRv+sBcDY0jJ799CHB2c8eiAYoTRm
+64rKyYS8RIilqTCmIHnpoSIq3n1wOlMVX4sB4N4CfAZRAbI9LZfx1QEYn0dst9+m
+CDRJ/ALBxocKz0wRTpwU5nwP1Zz9TZVh81wn1Ypj+mFb3aBggpwMLxbifmbsZmd1
+MwW9k3p2WTs8M1dLFM2ZNA9QmkgRSVFN6GTTpAyDOs+ZSGYM7MisG9/EvFbNx2BP
+g6qZH7JeMnlOZXXOg8K5VcLkiGuL1brOHlg94Axha8ffMmqjsde6XOAgvSl5P9k4
+7SWOcZkAEQEAAYkCPAQYAQoAJgIbIBYhBNvNdXhGBps5LqlAHWZXvoqNHugHBQJf
+iXYPBQkFqY8FAAoJEGZXvoqNHugHuLUP+gJ01mSEs3+0jriWqg7V+Q59rulMVrUd
+V2mjBtzz3gvF9PLiEnVEl7EgGdLpVIr/Wr9QIiUnS1NNrDz8oeDf54Q+OXtQOicz
+GClK+yWSm/CM02+HATFws66umAl4GQ4XqAJwdSDDKIHCP1/0VqXNQUOWW0GCCGCA
+dn55u4pf+B1rmkA3cWhN51SvAriA/YcGqmyJZgXO+qZOPWNHxNUdgq9lVEO132dh
+DzH1b9ufnvQMDxF2V681fQ7E3zWEJZZbYLRB4jrSz8oxipGRGKgDLiR7lyQ/xRU1
+61jSawblBTcIRXK9c4hv178xQWAInMjtHst4YCpvclG26ypZLCzvw6swfnXf3A6Q
+4A8pZQVvogWZ01dlgofwHm8qlYxT7wSqeicOu3FkSHD8vNwkXnMLqxwkFr4BcSef
+zCiXulyMcb3h67ZfXAYAFGrrR581vGEtXy+xfXK5PqBX7CWEl3Vs2an9whEncZuv
+1I9iyXDUmGP7Y373JjqNtpS2GMMPA73knB7eI/zpVS5qoxUlqw35Pldvt+L4E3hv
+rvE7iZE3w4lB9WUyY1OnSRDU10l2rqWtPtyk3LE2ed5hz5I+gy8/RsXrAooMBXIG
+V/GJrhye45wf5F/XQqPulnj38sKhmrQCQTubPgJwG/kTpNdrA3YukE3E7T5ejaGT
+T2n5nKat6bj7iQI2BBgBCgAgAhsgFiEE2811eEYGmzkuqUAdZle+io0e6AcFAmNR
+PEgACgkQZle+io0e6AfQpg/+K0gD0WVyXYLOEM6jCvtz5/f9nDQnqj90ck9VfpuN
+QG+cMSK/u3T4ya0k3UDWxEyRih0BzChOlmwnaupBwN7ZbYAzxM0sglwseSdAPpCE
+s63RTnaAxpSWFocsUxtJngSoPnnmD1fVbWL3/j9j6jZkT4NB/l2ekDngMyRqt104
+BmabaLdz44X1VDgg0tXyACkZ8c/8ISBOoPSFg2n9FuCmhI9Atu6hjCFQZOA/youA
+fXzeUxU3iFw5UhyNP084jZ9AK2xwp+rB3JzvzMdiqO3OBFemuiU4/ZKQKFg5a/n4
+UAZtO8V2DGe76o1N9uFUvQ41RSAXolPUOTXiZvP4GfiGIhJUXV96QaPHhKWybKlr
+4MWG5PpwfuWnGoP8vXtLmz2TDRUfEBOQBzYRBRvXmzekq8nFQCM7dGofLLEchMRv
+lYHab2fquGmXiY3LfzyQX+vS3FO9/m2POJcdXcQvSq4MXIzOEzXnJKw5HemfZ3ae
+/AlTTfE4og/AYLwacECY6CZqUFOYtQeVx9hSXV97XnoKotde66D4RyFgzFbsIBM/
+bA5qyvdpKb60hqjpj/rhXjlnhH8KwAwOlaPVgI1cgnW8uJTElJEtqHPhuRkU6y9f
+au4EZ+tsmaxJ0whuziG1/3LJ62AIM9ZpixDEj4GQYaRdkFrx/1IKiUOlw5GQC3y2
+zxs=
+=MmP2
-----END PGP PUBLIC KEY BLOCK-----
diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index e2caa0834..60ca993e6 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -5,27 +5,55 @@ with import <stockholm/lib>;
plain = "/var/lib/containers/${cname}/var/state";
ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs";
securefs = "${cfg.dataLocation}/${cname}/securefs";
+ luksfile = "${cfg.dataLocation}/${cname}/luksfile";
+ };
+ init = cname: {
+ plain = ''
+ echo 'no need for init'
+ '';
+ ecryptfs = ''
+ ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+ '';
+ securefs = ''
+ ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
+ '';
+ luksfile = ''
+ ${pkgs.coreutils}/bin/truncate -s 10G '${(paths cname).luksfile}/fs.luks'
+ ${pkgs.cryptsetup}/bin/cryptsetup luksFormat '${(paths cname).luksfile}/fs.luks'
+ ${pkgs.cryptsetup}/bin/cryptsetup luksOpen '${(paths cname).luksfile}/fs.luks' 'luksfile-${cname}'
+ ${pkgs.xfsprogs}/bin/mkfs.xfs '/dev/mapper/luksfile-${cname}'
+ '';
};
start = cname: {
plain = ''
:
'';
ecryptfs = ''
- if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
- if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
+
+ if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
+ if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
- else
- ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
fi
+ else
+ echo 'please run init-${cname} first'
+ exit 1
fi
'';
securefs = ''
- ## TODO init file systems if it does not exist
- # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
+ ## check if FS was initialized first
if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions
fi
'';
+ luksfile = ''
+ mkdir -p /var/lib/containers/${cname}/var/state
+ if ! test -e /dev/mapper/luksfile-${cname}; then
+ ${pkgs.cryptsetup}/bin/cryptsetup luksOpen '${(paths cname).luksfile}/fs.luks' 'luksfile-${cname}'
+ fi
+ if ! ${pkgs.mount}/bin/mount | grep -q '^/dev/mapper/luksfile-${cname} on /var/lib/containers/${cname}/var/state'; then
+ mount '/dev/mapper/luksfile-${cname}' '/var/lib/containers/${cname}/var/state'
+ fi
+ '';
};
stop = cname: {
plain = ''
@@ -37,12 +65,16 @@ with import <stockholm/lib>;
securefs = ''
umount /var/lib/containers/${cname}/var/state
'';
+ luksfile = ''
+ umount /var/lib/containers/${cname}/var/state
+ ${pkgs.cryptsetup}/bin/cryptsetup luksClose luksfile-${cname}
+ '';
};
in {
options.krebs.sync-containers = {
dataLocation = mkOption {
description = ''
- location where the encrypted sync-container lie around
+ location where the encrypted sync-containers lie around
'';
default = "/var/lib/sync-containers";
type = types.absolute-pathname;
@@ -64,25 +96,11 @@ in {
default = [];
type = types.listOf types.str;
};
- hostIp = mkOption { # TODO find this automatically
- description = ''
- hostAddress of the privateNetwork
- '';
- example = "10.233.2.15";
- type = types.str;
- };
- localIp = mkOption { # TODO find this automatically
- description = ''
- localAddress of the privateNetwork
- '';
- example = "10.233.2.16";
- type = types.str;
- };
format = mkOption {
description = ''
file system encrption format of the container
'';
- type = types.enum [ "plain" "ecryptfs" "securefs" ];
+ type = types.enum [ "plain" "ecryptfs" "securefs" "luksfile" ];
};
};
}));
@@ -102,12 +120,11 @@ in {
ignorePerms = false;
})) cfg.containers);
- krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
- file-mode = "u+rw";
- directory-mode = "u+rwx";
- owner = "syncthing";
- keepGoing = false;
- })) cfg.containers);
+ krebs.acl = mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" {
+ "u:syncthing:rX".parents = true;
+ "u:syncthing:rwX" = {};
+ }) cfg.containers;
+
systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({
reloadIfChanged = mkForce false;
@@ -116,8 +133,11 @@ in {
containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({
config = { ... }: {
environment.systemPackages = [
+ pkgs.dhcpcd
pkgs.git
+ pkgs.jq
];
+ networking.useDHCP = mkForce true;
system.activationScripts.fuse = {
text = ''
${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
@@ -131,11 +151,57 @@ in {
autoStart = false;
enableTun = true;
privateNetwork = true;
- hostAddress = ctr.hostIp;
- localAddress = ctr.localIp;
+ hostBridge = "ctr0";
})) cfg.containers;
- environment.systemPackages = flatten (mapAttrsToList (n: ctr: [
+ networking.networkmanager.unmanaged = [ "ctr0" ];
+ networking.bridges.ctr0.interfaces = [];
+ networking.interfaces.ctr0.ipv4.addresses = [{
+ address = "10.233.0.1";
+ prefixLength = 24;
+ }];
+ # networking.nat = {
+ # enable = true;
+ # externalInterface = lib.mkDefault "et0";
+ # internalInterfaces = [ "ctr0" ];
+ # };
+ services.dhcpd4 = {
+ enable = true;
+ interfaces = [ "ctr0" ];
+ extraConfig = ''
+ option subnet-mask 255.255.255.0;
+ option routers 10.233.0.1;
+ # option domain-name-servers 8.8.8.8; # TODO configure dns server
+ subnet 10.233.0.0 netmask 255.255.255.0 {
+ range 10.233.0.10 10.233.0.250;
+ }
+ '';
+ };
+
+ users.users.root.packages = flatten (mapAttrsToList (n: ctr: [
+ (pkgs.writeDashBin "init-${ctr.name}" ''
+ set -euf
+ set -x
+
+ mkdir -p /var/lib/containers/${ctr.name}/var/state
+ STATE=$(/run/current-system/sw/bin/nixos-container status ${ctr.name})
+ if [ "$STATE" = 'up' ]; then
+ /run/current-system/sw/bin/nixos-container stop ${ctr.name}
+ fi
+ ${(init ctr.name).${ctr.format}}
+ ${(start ctr.name).${ctr.format}}
+ /run/current-system/sw/bin/nixos-container start ${ctr.name}
+ /run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
+ set -x
+
+ mkdir -p /var/state/var_src
+ ln -sfTr /var/state/var_src /var/src
+ touch /etc/NIXOS
+ ''}
+ target_ip=$(/run/current-system/sw/bin/nixos-container run ${ctr.name} -- ip -j a s eth0 | jq -r '.[].addr_info[] | select(.family=="inet") | .local')
+
+ echo "deploy to $target_ip"
+ '')
(pkgs.writeDashBin "start-${ctr.name}" ''
set -euf
set -x
@@ -144,12 +210,12 @@ in {
${(start ctr.name).${ctr.format}}
- STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name})
+ STATE=$(/run/current-system/sw/bin/nixos-container status ${ctr.name})
if [ "$STATE" = 'down' ]; then
- ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name}
+ /run/current-system/sw/bin/nixos-container start ${ctr.name}
fi
- ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
+ /run/current-system/sw/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
set -x
mkdir -p /var/state/var_src
@@ -158,15 +224,17 @@ in {
''}
if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then
- ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
+ /run/current-system/sw/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
else
+ echo 'no nixos config, or target already online, bailing out'
${(stop ctr.name).${ctr.format}}
+ /run/current-system/sw/bin/nixos-container stop ${ctr.name}
fi
'')
(pkgs.writeDashBin "stop-${ctr.name}" ''
set -euf
- ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name}
+ /run/current-system/sw/bin/nixos-container stop ${ctr.name}
${(stop ctr.name).${ctr.format}}
'')
]) cfg.containers);
diff --git a/krebs/5pkgs/simple/ergo/default.nix b/krebs/5pkgs/simple/ergo/default.nix
deleted file mode 100644
index 2c9223eed..000000000
--- a/krebs/5pkgs/simple/ergo/default.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ buildGo117Module , fetchFromGitHub, lib }:
-
-buildGo117Module rec {
- pname = "ergo";
- version = "2.9.1";
-
- src = fetchFromGitHub {
- owner = "ergochat";
- repo = "ergo";
- rev = "v${version}";
- sha256 = "sha256-RxsmkTfHymferS/FRW0sLnstKfvGXkW6cEb/JbeS4lc=";
- };
-
- vendorSha256 = null;
-
- meta = {
- description = "A modern IRC server (daemon/ircd) written in Go";
- homepage = "https://github.com/ergochat/ergo";
- license = lib.licenses.mit;
- maintainers = with lib.maintainers; [ lassulus tv ];
- platforms = lib.platforms.linux;
- };
-}
diff --git a/krebs/5pkgs/simple/hashPassword/default.nix b/krebs/5pkgs/simple/hashPassword/default.nix
index 3c604be80..8d3ba2525 100644
--- a/krebs/5pkgs/simple/hashPassword/default.nix
+++ b/krebs/5pkgs/simple/hashPassword/default.nix
@@ -1,6 +1,6 @@
{ lib, pkgs, ... }:
-pkgs.writeDashBin "hashPassword" ''
+pkgs.writers.writeDashBin "hashPassword" ''
# usage: hashPassword [...]
set -euf
diff --git a/krebs/5pkgs/simple/nix-prefetch-github.nix b/krebs/5pkgs/simple/nix-prefetch-github.nix
deleted file mode 100644
index 14096c33f..000000000
--- a/krebs/5pkgs/simple/nix-prefetch-github.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-{ curl, jq, nix, writeDashBin }:
-
-writeDashBin "nix-prefetch-github" ''
- # usage: nix-prefetch-github OWNER REPO [REF]
- set -efu
-
- owner=$1
- repo=$2
- ref=''${3-master}
-
- info_url=https://api.github.com/repos/$owner/$repo/commits/$ref
- info=$(${curl}/bin/curl -fsS "$info_url")
- rev=$(printf %s "$info" | ${jq}/bin/jq -r .sha)
-
- name=$owner-$repo-$ref
- url=https://github.com/$owner/$repo/tarball/$rev
- sha256=$(${nix}/bin/nix-prefetch-url --name "$name" --unpack "$url")
-
- export owner repo rev sha256
- ${jq}/bin/jq -n '
- env | {
- owner, repo, rev, sha256
- }
- '
-''
diff --git a/krebs/5pkgs/simple/stable-generate/default.nix b/krebs/5pkgs/simple/stable-generate/default.nix
new file mode 100644
index 000000000..fac261613
--- /dev/null
+++ b/krebs/5pkgs/simple/stable-generate/default.nix
@@ -0,0 +1,64 @@
+{ pkgs, lib, ... }:
+
+pkgs.writers.writeDashBin "stable-generate" ''
+ set -efu
+
+ export PATH=${lib.makeBinPath [
+ pkgs.curl
+ pkgs.jq
+ ]}
+
+ STABLE_URL=''${STABLE_URL:-http://stable-confusion.r}
+
+ PAYLOAD=$(jq -cn --arg query "$*" '{fn_index: 51, data: [
+ $query,
+ "",
+ "None",
+ "None",
+ 20, # sampling steps
+ "Euler a", # sampling method
+ false, # restore faces
+ false,
+ 1,
+ 1,
+ 7,
+ -1,
+ -1,
+ 0,
+ 0,
+ 0,
+ false,
+ 512, #probably resolution
+ 512, #probably resolution
+ false,
+ 0.7,
+ 0,
+ 0,
+ "None",
+ "",
+ false,
+ false,
+ false,
+ "",
+ "Seed",
+ "",
+ "Nothing",
+ "",
+ true,
+ false,
+ false,
+ null,
+ "",
+ ""], session_hash: "hello_this_is_dog"}')
+
+ data=$(curl -Ssf "$STABLE_URL/run/predict/" \
+ -X POST \
+ --Header 'Content-Type: application/json' \
+ --data "$PAYLOAD"
+ )
+ export data
+
+ filename=$(jq -rn 'env.data | fromjson.data[0][0].name')
+
+ echo "$STABLE_URL/file=$filename"
+''
diff --git a/krebs/5pkgs/simple/weechat-declarative/default.nix b/krebs/5pkgs/simple/weechat-declarative/default.nix
index 5f9c8635b..93c73761c 100644
--- a/krebs/5pkgs/simple/weechat-declarative/default.nix
+++ b/krebs/5pkgs/simple/weechat-declarative/default.nix
@@ -33,7 +33,7 @@ let
eval = lib.evalModules {
modules = lib.singleton {
- _file = toString ./weechat-declarative.nix;
+ _file = toString ./default.nix;
imports = lib.singleton config;
options = {
scripts = lib.mkOption {
@@ -148,7 +148,8 @@ let
${lib.concatStringsSep "\n"
(lib.mapAttrsToList
(name: target: /* sh */ ''
- ${pkgs.coreutils}/bin/ln -s ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name}
+ ${pkgs.coreutils}/bin/cp ${lib.escapeShellArg target} "$CONFDIR"/${lib.escapeShellArg name}
+ ${pkgs.coreutils}/bin/chmod +w "$CONFDIR"/${lib.escapeShellArg name}
'')
cfg.files
)
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index cd0c57f92..a5d67f2fc 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
- "date": "2022-10-31T16:44:53+01:00",
- "path": "/nix/store/6z1f9z44ljsxvn0kzlpz03a5m7lbh096-nixpkgs",
- "sha256": "1ikpccnyi0b7ql6jak4g3wl4876njybpvknfs6gin461xjp5fi24",
+ "rev": "b457130e8a21608675ddf12c7d85227b22a27112",
+ "date": "2022-11-16T11:03:19+00:00",
+ "path": "/nix/store/jr123qfmrl53imi48naxh6zs486fqmz2-nixpkgs",
+ "sha256": "16cjrr3np3f428lxw8yk6n2dqi7mg08zf6h6gv75zpw865jz44df",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index a06b47fb1..f836f63f9 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "1b4722674c315de0e191d0d79790b4eac51570a1",
- "date": "2022-10-31T23:14:26+01:00",
- "path": "/nix/store/byvkpdxd5pwixshrfrxgl0z2xc9y9hcs-nixpkgs",
- "sha256": "0ykbqcfwx338m1jcln9pj629byxbyr448d88wsryp8sf6p611cv2",
+ "rev": "6474d93e007e4d165bcf48e7f87de2175c93d10b",
+ "date": "2022-11-16T11:41:31+01:00",
+ "path": "/nix/store/z86f31carhz3sf78kn3lkyq748drgp63-nixpkgs",
+ "sha256": "00swm7hz3fjyzps75bjyqviw6dqg2cc126wc7lcc1rjkpdyk5iwg",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index 5cf7d9242..4c98091f1 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -11,78 +11,50 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/sync/decsync.nix>
- <stockholm/lass/2configs/sync/weechat.nix>
+ <stockholm/lass/2configs/weechat.nix>
<stockholm/lass/2configs/bitlbee.nix>
- <stockholm/lass/2configs/IM.nix>
+
<stockholm/lass/2configs/muchsync.nix>
<stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/git-brain.nix>
+ <stockholm/lass/2configs/et-server.nix>
+ <stockholm/lass/2configs/consul.nix>
+
+ <stockholm/lass/2configs/atuin-server.nix>
];
krebs.build.host = config.krebs.hosts.green;
- users.users.mainUser.openssh.authorizedKeys.keys = [
- config.krebs.users.lass-android.pubkey
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0rn3003CkJMk3jZrh/3MC6nVorHRymlFSI4x1brCKY" # weechat ssh tunnel
- ];
-
- krebs.bindfs = {
- "/home/lass/.weechat" = {
- source = "/var/state/lass_weechat";
- options = [
- "-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}"
- "--create-for-user=${toString config.users.users.syncthing.uid}"
- ];
- };
- "/home/lass/Maildir" = {
- source = "/var/state/lass_mail";
- options = [
- "-M ${toString config.users.users.mainUser.uid}"
- ];
- };
- "/var/lib/bitlbee" = {
- source = "/var/state/bitlbee";
- options = [
- "-M ${toString config.users.users.bitlbee.uid}"
- ];
- clearTarget = true;
- };
- "/home/lass/.ssh" = {
- source = "/var/state/lass_ssh";
- options = [
- "-M ${toString config.users.users.mainUser.uid}"
- ];
- clearTarget = true;
- };
- "/home/lass/.gnupg" = {
- source = "/var/state/lass_gnupg";
- options = [
- "-M ${toString config.users.users.mainUser.uid}"
- ];
- clearTarget = true;
- };
- "/var/lib/git" = {
- source = "/var/state/git";
- options = [
- "-M ${toString config.users.users.git.uid}"
- ];
- clearTarget = true;
- };
+ lass.sync-containers3.inContainer = {
+ enable = true;
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y";
};
- systemd.services."bindfs-_home_lass_Maildir".serviceConfig.ExecStartPost = pkgs.writeDash "symlink-notmuch" ''
- sleep 1
- mkdir -p /home/lass/notmuch
- chown lass: /home/lass/notmuch
- ln -sfTr /home/lass/notmuch /home/lass/Maildir/.notmuch
+ systemd.tmpfiles.rules = [
+ "d /home/lass/.local/share 0700 lass users -"
+ "d /home/lass/.local 0700 lass users -"
- mkdir -p /home/lass/notmuch/muchsync
- chown lass: /home/lass/notmuch/muchsync
- mkdir -p /home/lass/Maildir/.muchsync
- ln -sfTr /home/lass/Maildir/.muchsync /home/lass/notmuch/muchsync/tmp
- '';
+ "d /var/state/lass_mail 0700 lass users -"
+ "L+ /home/lass/Maildir - - - - ../../var/state/lass_mail"
+
+ "d /var/state/lass_ssh 0700 lass users -"
+ "L+ /home/lass/.ssh - - - - ../../var/state/lass_ssh"
+ "d /var/state/lass_gpg 0700 lass users -"
+ "L+ /home/lass/.gnupg - - - - ../../var/state/lass_gpg"
+ "d /var/state/lass_sync 0700 lass users -"
+ "L+ /home/lass/sync - - - - ../../var/state/lass_sync"
+
+ "d /var/state/git 0700 git nogroup -"
+ "L+ /var/lib/git - - - - ../../var/state/git"
+ ];
+
+ users.users.mainUser.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass-android.pubkey
+ config.krebs.users.lass-tablet.pubkey
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKgpZwye6yavIs3gUIYvSi70spDa0apL2yHR0ASW74z8" # weechat ssh tunnel
+ ];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
@@ -93,4 +65,11 @@ with import <stockholm/lib>;
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
'';
+
+ services.dovecot2 = {
+ enable = true;
+ mailLocation = "maildir:~/Maildir";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 143 ];
}
diff --git a/lass/1systems/green/physical.nix b/lass/1systems/green/physical.nix
index b6aa3a894..8577daf34 100644
--- a/lass/1systems/green/physical.nix
+++ b/lass/1systems/green/physical.nix
@@ -3,5 +3,5 @@
./config.nix
];
boot.isContainer = true;
- networking.useDHCP = false;
+ networking.useDHCP = true;
}
diff --git a/lass/1systems/green/source.nix b/lass/1systems/green/source.nix
index da137e064..4acdb0c26 100644
--- a/lass/1systems/green/source.nix
+++ b/lass/1systems/green/source.nix
@@ -1,4 +1,6 @@
-{ lib, pkgs, test, ... }:
-if test then {} else {
+{ lib, pkgs, test, ... }: let
+ npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
+in if test then {} else {
+ nixpkgs.git.ref = lib.mkForce npkgs.rev;
nixpkgs-unstable = lib.mkForce { file = "/var/empty"; };
}
diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix
index 5d6a440e0..ef538f339 100644
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@@ -1,6 +1,5 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
@@ -17,11 +16,10 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/green-host.nix>
<stockholm/krebs/2configs/news-host.nix>
- <stockholm/lass/2configs/nfs-dl.nix>
+ <stockholm/lass/2configs/prism-mounts/samba.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
- <stockholm/lass/2configs/home-media.nix>
- <stockholm/lass/2configs/syncthing.nix>
- <stockholm/lass/2configs/sync/sync.nix>
+ <stockholm/lass/2configs/consul.nix>
+ <stockholm/lass/2configs/red-host.nix>
<stockholm/lass/2configs/snapclient.nix>
];
diff --git a/lass/1systems/shodan/physical.nix b/lass/1systems/shodan/physical.nix
index 55e91b0e4..f94edcf9b 100644
--- a/lass/1systems/shodan/physical.nix
+++ b/lass/1systems/shodan/physical.nix
@@ -11,7 +11,6 @@
loader.grub.device = "/dev/sda";
initrd.luks.devices.lusksroot.device = "/dev/sda2";
- initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
};
fileSystems = {
@@ -28,11 +27,6 @@
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
- "/tmp" = {
- device = "tmpfs";
- fsType = "tmpfs";
- options = ["nosuid" "nodev" "noatime"];
- };
"/bku" = {
device = "/dev/pool/bku";
fsType = "btrfs";
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index 554882bf3..f5071c4b7 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -154,6 +154,7 @@ with import <stockholm/lib>;
tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
+ { predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
@@ -164,7 +165,7 @@ with import <stockholm/lib>;
client
dev tun
proto udp
- remote 196.240.57.43 1194
+ remote 194.110.84.106 1194
resolv-retry infinite
remote-random
nobind
@@ -174,7 +175,7 @@ with import <stockholm/lib>;
persist-key
persist-tun
ping 15
- ping-restart 0
+ ping-restart 15
ping-timer-rem
reneg-sec 0
comp-lzo no
@@ -250,7 +251,7 @@ with import <stockholm/lib>;
path = [
pkgs.coreutils
pkgs.findutils
- pkgs.inotifyTools
+ pkgs.inotify-tools
];
serviceConfig = {
Restart = "always";
@@ -271,4 +272,10 @@ with import <stockholm/lib>;
enable = true;
group = "download";
};
+
+ services.magnetico = {
+ enable = true;
+ web.address = "0.0.0.0";
+ web.port = 9092;
+ };
}
diff --git a/lass/2configs/alacritty.nix b/lass/2configs/alacritty.nix
index 903ddf6cc..e5e001a4c 100644
--- a/lass/2configs/alacritty.nix
+++ b/lass/2configs/alacritty.nix
@@ -1,21 +1,23 @@
{ config, lib, pkgs, ... }: let
alacritty-cfg = extrVals: builtins.toJSON ({
- font = {
+ font = let
+ family = "Iosevka";
+ in {
normal = {
- family = "Inconsolata";
+ family = family;
style = "Regular";
};
bold = {
- family = "Inconsolata";
+ family = family;
style = "Bold";
};
italic = {
- family = "Inconsolata";
+ family = family;
style = "Italic";
};
bold_italic = {
- family = "Inconsolata";
+ family = family;
style = "Bold Italic";
};
size = 8;
@@ -44,6 +46,7 @@
name = "alacritty";
paths = [
(pkgs.writeDashBin "alacritty" ''
+ ${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml msg create-window "$@" ||
${pkgs.alacritty}/bin/alacritty --config-file /var/theme/config/alacritty.yaml "$@"
'')
pkgs.alacritty
diff --git a/lass/2configs/atuin-server.nix b/lass/2configs/atuin-server.nix
new file mode 100644
index 000000000..ad959a311
--- /dev/null
+++ b/lass/2configs/atuin-server.nix
@@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+{
+ services.postgresql = {
+ enable = true;
+ dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
+ ensureDatabases = [ "atuin" ];
+ ensureUsers = [{
+ name = "atuin";
+ ensurePermissions."DATABASE atuin" = "ALL PRIVILEGES";
+ }];
+ };
+ systemd.tmpfiles.rules = [
+ "d /var/state/postgresql 0700 postgres postgres -"
+ ];
+ users.groups.atuin = {};
+ users.users.atuin = {
+ uid = pkgs.stockholm.lib.genid_uint31 "atuin";
+ isSystemUser = true;
+ group = "atuin";
+ home = "/run/atuin";
+ createHome = true;
+ };
+
+ systemd.services.atuin = {
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ ATUIN_HOST = "0.0.0.0";
+ ATUIN_PORT = "8888";
+ ATUIN_OPEN_REGISTRATION = "true";
+ ATUIN_DB_URI = "postgres:///atuin";
+ };
+ serviceConfig = {
+ User = "atuin";
+ ExecStart = "${pkgs.atuin}/bin/atuin server start";
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 8888 ];
+}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index d3775ddbe..01c6c8aff 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -7,7 +7,6 @@ in {
./alacritty.nix
./mpv.nix
./power-action.nix
- ./copyq.nix
./urxvt.nix
./xdg-open.nix
./yubikey.nix
@@ -80,7 +79,10 @@ in {
powertop
rxvt-unicode
sshvnc
- sxiv
+ (pkgs.writers.writeDashBin "sxiv" ''
+ ${pkgs.nsxiv}/bin/nsxiv "$@"
+ '')
+ nsxiv
taskwarrior
termite
transgui
@@ -105,10 +107,56 @@ in {
enableGhostscriptFonts = true;
fonts = with pkgs; [
- hack-font
xorg.fontschumachermisc
- terminus_font_ttf
inconsolata
+ noto-fonts
+ (iosevka.override {
+ # https://typeof.net/Iosevka/customizer
+ privateBuildPlan = {
+ family = "Iosevka";
+ spacing = "term";
+ serifs = "slab";
+ no-ligation = true;
+
+ variants.design = {
+ capital-i = "serifless";
+ capital-j = "serifless";
+ a = "double-storey-tailed";
+ b = "toothless-corner";
+ d = "toothless-corner-serifless";
+ f = "flat-hook-tailed";
+ g = "earless-corner";
+ i = "hooky";
+ j = "serifless";
+ l = "tailed";
+
+ m = "earless-corner-double-arch";
+ n = "earless-corner-straight";
+ p = "earless-corner";
+ q = "earless-corner";
+ r = "earless-corner";
+ u = "toothless-rounded";
+ y = "cursive-flat-hook";
+
+ one = "no-base-long-top-serif";
+ two = "straight-neck";
+ three = "flat-top";
+ four = "open";
+ six = "open-contour";
+ seven = "straight-serifless";
+ eight = "two-circles";
+ nine = "open-contour";
+ tilde = "low";
+ asterisk = "hex-low";
+ number-sign = "upright";
+ at = "short";
+ dollar = "open";
+ percent = "dots";
+ question = "corner-flat-hooked";
+ };
+ };
+ set = "kookiefonts";
+ })
];
};
@@ -174,4 +222,20 @@ in {
'';
};
};
+
+ services.clipmenu.enable = true;
+
+ # synchronize all the clipboards
+ systemd.user.services.autocutsel = {
+ enable = true;
+ wantedBy = [ "graphical-session.target" ];
+ after = [ "graphical-session.target" ];
+ serviceConfig = {
+ Type = "forking";
+ ExecStart = pkgs.writers.writeDash "autocutsel" ''
+ ${pkgs.autocutsel}/bin/autocutsel -fork -selection PRIMARY
+ ${pkgs.autocutsel}/bin/autocutsel -fork -selection CLIPBOARD
+ '';
+ };
+ };
}
diff --git a/lass/2configs/consul.nix b/lass/2configs/consul.nix
new file mode 100644
index 000000000..b8d925de5
--- /dev/null
+++ b/lass/2configs/consul.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+{
+ services.consul = {
+ enable = true;
+ # dropPrivileges = false;
+ webUi = true;
+ # interface.bind = "retiolum";
+ extraConfig = {
+ bind_addr = config.krebs.build.host.nets.retiolum.ip4.addr;
+ bootstrap_expect = 3;
+ server = true;
+ # retry_join = config.services.consul.extraConfig.start_join;
+ retry_join = lib.mapAttrsToList (n: h:
+ lib.head h.nets.retiolum.aliases
+ ) (lib.filterAttrs (n: h: h.consul) config.krebs.hosts);
+ rejoin_after_leave = true;
+
+ # try to fix random lock loss on leader reelection
+ retry_interval = "3s";
+ performance = {
+ raft_multiplier = 8;
+ };
+ };
+ };
+
+ environment.etc."consul.d/testservice.json".text = builtins.toJSON {
+ service = {
+ name = "testing";
+ };
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 8300"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 8301"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p udp --dport 8301"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 8302"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p udp --dport 8302"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 8400"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 8500"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 8600"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p udp --dport 8500"; target = "ACCEPT"; }
+ ];
+}
diff --git a/lass/2configs/et-server.nix b/lass/2configs/et-server.nix
new file mode 100644
index 000000000..19961fb84
--- /dev/null
+++ b/lass/2configs/et-server.nix
@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+{
+ services.eternal-terminal = {
+ enable = true;
+ };
+ networking.firewall.allowedTCPPorts = [ config.services.eternal-terminal.port ];
+}
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
index a83ed0544..1e41e8e02 100644
--- a/lass/2configs/green-host.nix
+++ b/lass/2configs/green-host.nix
@@ -2,32 +2,9 @@
{
imports = [
<stockholm/lass/2configs/container-networking.nix>
- <stockholm/lass/2configs/syncthing.nix>
];
- krebs.sync-containers.containers.green = {
- peers = [
- "echelon"
- "icarus"
- "littleT"
- "mors"
- "shodan"
- "skynet"
- "styx"
- ];
- hostIp = "10.233.2.15";
- localIp = "10.233.2.16";
- format = "ecryptfs";
- };
- services.borgbackup.jobs.sync-green = {
- encryption.mode = "none";
- paths = "/var/lib/sync-containers/green/ecryptfs";
- repo = "/var/lib/sync-containers/green/backup";
- compression = "auto,lzma";
- startAt = "daily";
- prune.keep = {
- daily = 7;
- weekly = 4;
- };
+ lass.sync-containers3.containers.green = {
+ sshKey = "${toString <secrets>}/green.sync.key";
};
}
diff --git a/lass/2configs/red-host.nix b/lass/2configs/red-host.nix
new file mode 100644
index 000000000..cbd9c097e
--- /dev/null
+++ b/lass/2configs/red-host.nix
@@ -0,0 +1,167 @@
+{ config, lib, pkgs, ... }:
+let
+ ctr.name = "red";
+in
+{
+ imports = [
+ <stockholm/lass/2configs/container-networking.nix>
+ ];
+
+
+ lass.sync-containers3.containers.red = {
+ sshKey = "${toString <secrets>}/containers/red/sync.key";
+ ephemeral = true;
+ };
+
+ # containers.${ctr.name} = {
+ # config = {
+ # environment.systemPackages = [
+ # pkgs.dhcpcd
+ # pkgs.git
+ # pkgs.jq
+ # ];
+ # networking.useDHCP = lib.mkForce true;
+ # systemd.services.autoswitch = {
+ # environment = {
+ # NIX_REMOTE = "daemon";
+ # };
+ # wantedBy = [ "multi-user.target" ];
+ # serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
+ # if test -e /var/src/nixos-config; then
+ # /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
+ # fi
+ # '';
+ # unitConfig.X-StopOnRemoval = false;
+ # };
+ # };
+ # autoStart = false;
+ # enableTun = true;
+ # privateNetwork = true;
+ # hostBridge = "ctr0";
+ # bindMounts = {
+ # "/etc/resolv.conf".hostPath = "/etc/resolv.conf";
+ # "/var/lib/self-state/disk-image" = {
+ # hostPath = "/var/lib/sync-containers3/${ctr.name}";
+ # isReadOnly = true;
+ # };
+ # };
+ # };
+
+ # systemd.services."${ctr.name}_scheduler" = {
+ # wantedBy = [ "multi-user.target" ];
+ # path = with pkgs; [
+ # coreutils
+ # consul
+ # cryptsetup
+ # mount
+ # util-linux
+ # systemd
+ # untilport
+ # ];
+ # serviceConfig = {
+ # Restart = "always";
+ # RestartSec = "15s";
+ # ExecStart = "${pkgs.consul}/bin/consul lock container_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-start" ''
+ # set -efux
+ # trap ${pkgs.writers.writeDash "stop-${ctr.name}" ''
+ # set -efux
+ # /run/current-system/sw/bin/nixos-container stop ${ctr.name} || :
+ # umount /var/lib/nixos-containers/${ctr.name}/var/state || :
+ # cryptsetup luksClose ${ctr.name} || :
+ # ''} INT TERM EXIT
+ # consul kv put containers/${ctr.name}/host ${config.networking.hostName}
+ # cryptsetup luksOpen --key-file /var/src/secrets/containers/${ctr.name}/luks /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name}
+ # mkdir -p /var/lib/nixos-containers/${ctr.name}/var/state
+ # mount /dev/mapper/${ctr.name} /var/lib/nixos-containers/${ctr.name}/var/state
+ # ln -frs /var/lib/nixos-containers/${ctr.name}/var/state/var_src /var/lib/nixos-containers/${ctr.name}/var/src
+ # /run/current-system/sw/bin/nixos-container start ${ctr.name}
+ # set +x
+ # until /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
+ # while /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null; do sleep 5; done
+ # ''}";
+ # };
+ # };
+
+ # users.groups."container_${ctr.name}" = {};
+ # users.users."container_${ctr.name}" = {
+ # group = "container_${ctr.name}";
+ # isSystemUser = true;
+ # home = "/var/lib/sync-containers3/${ctr.name}";
+ # createHome = true;
+ # homeMode = "705";
+ # openssh.authorizedKeys.keys = [
+ # config.krebs.users.lass.pubkey
+ # ];
+ # };
+
+ # systemd.timers."${ctr.name}_syncer" = {
+ # timerConfig = {
+ # RandomizedDelaySec = 300;
+ # };
+ # };
+ # systemd.services."${ctr.name}_syncer" = {
+ # path = with pkgs; [
+ # coreutils
+ # rsync
+ # openssh
+ # systemd
+ # ];
+ # startAt = "*:0/1";
+ # serviceConfig = {
+ # User = "container_${ctr.name}";
+ # LoadCredential = [
+ # "ssh_key:${toString <secrets>}/containers/${ctr.name}/sync.key"
+ # ];
+ # ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" ''
+ # set -efu
+ # ! systemctl is-active --quiet container@${ctr.name}.service
+ # '';
+ # ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" ''
+ # set -efu
+ # rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk-image/disk $HOME/disk
+ # '';
+ # };
+ # };
+
+ # # networking
+ # networking.networkmanager.unmanaged = [ "ctr0" ];
+ # networking.interfaces.dummy0.virtual = true;
+ # networking.bridges.ctr0.interfaces = [ "dummy0" ];
+ # networking.interfaces.ctr0.ipv4.addresses = [{
+ # address = "10.233.0.1";
+ # prefixLength = 24;
+ # }];
+ # systemd.services."dhcpd-ctr0" = {
+ # wantedBy = [ "multi-user.target" ];
+ # after = [ "network.target" ];
+ # serviceConfig = {
+ # Type = "forking";
+ # Restart = "always";
+ # DynamicUser = true;
+ # StateDirectory = "dhcpd-ctr0";
+ # User = "dhcpd-ctr0";
+ # Group = "dhcpd-ctr0";
+ # AmbientCapabilities = [
+ # "CAP_NET_RAW" # to send ICMP messages
+ # "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
+ # ];
+ # ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases";
+ # ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" ''
+ # default-lease-time 600;
+ # max-lease-time 7200;
+ # authoritative;
+ # ddns-update-style interim;
+ # log-facility local1; # see dhcpd.nix
+
+ # option subnet-mask 255.255.255.0;
+ # option routers 10.233.0.1;
+ # # option domain-name-servers 8.8.8.8; # TODO configure dns server
+ # subnet 10.233.0.0 netmask 255.255.255.0 {
+ # range 10.233.0.10 10.233.0.250;
+ # }
+ # ''} ctr0";
+ # };
+ # };
+
+}
+
diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix
new file mode 100644
index 000000000..845a7e3b8
--- /dev/null
+++ b/lass/2configs/weechat.nix
@@ -0,0 +1,221 @@
+{ config, lib, pkgs, ... }: let
+
+ weechat-configured = pkgs.weechat-declarative.override {
+ config = {
+ scripts = [
+ pkgs.weechat-matrix
+ pkgs.weechatScripts.wee-slack
+ ];
+ settings = {
+ irc.server_default.nicks = [ "lassulus" "hackulus" ];
+ irc.server.bitlbee = {
+ addresses = "localhost/6666";
+ command = "msg &bitlbee identify \${sec.data.bitlbee}";
+ };
+ irc.server.hackint = {
+ addresses = "irc.hackint.org/6697";
+ autojoin = [
+ "#c3-gsm"
+ "#panthermoderns"
+ "#36c3"
+ "#cccac"
+ "#nixos"
+ "#krebs"
+ "#c-base"
+ "#afra"
+ "#tvl"
+ "#eloop"
+ "#systemdultras"
+ "#rc3"
+ "#krebs-announce"
+ "#the_playlist"
+ "#germany"
+ "#hackint"
+ "#dezentrale"
+ "#hackerfleet \${sec.data.c3-gsm}" # TODO support channel passwords in a cooler way
+ ];
+ ssl = true;
+ sasl_fail = "reconnect";
+ sasl_username = "lassulus";
+ sasl_password = "\${sec.data.hackint_sasl}";
+ };
+ irc.server.r = {
+ addresses = "irc.r";
+ autojoin = [
+ "#xxx"
+ "#autowifi"
+ "#brockman"
+ "#flix"
+ "#kollkoll"
+ "#noise"
+ "#mukke"
+ ];
+ sasl_fail = "reconnect";
+ sasl_username = "lassulus";
+ sasl_password = "\${sec.data.r_sasl}";
+ anti_flood_prio_high = 0;
+ anti_flood_prio_low = 0;
+ };
+ irc.server.libera = {
+ addresses = "irc.libera.chat/6697";
+ autojoin = [
+ "#shackspace"
+ "#nixos"
+ "#krebs"
+ "#dezentrale"
+ "#tinc"
+ "#nixos-de"
+ "#fysi"
+ "#hillhacks"
+ "#nixos-rc3"
+ "#binaergewitter"
+ "#hackerfleet"
+ "#weechat"
+ ];
+ ssl = true;
+ sasl_username = "lassulus";
+ sasl_fail = "reconnect";
+ sasl_password = "\${sec.data.libera_sasl}";
+ };
+ irc.server.news = {
+ addresses = "news.r";
+ autojoin = [
+ "#all"
+ "#aluhut"
+ "#querdenkos"
+ "#news"
+ "#drachengame"
+ ];
+ anti_flood_prio_high = 0;
+ anti_flood_prio_low = 0;
+ };
+ matrix.server.lassulus = {
+ address = "matrix.lassul.us";
+ username = "lassulus";
+ password = "\${sec.data.matrix_lassulus}";
+ device_name = config.networking.hostName;
+ };
+ matrix.server.nixos_dev = {
+ address = "matrix.nixos.dev";
+ username = "@lassulus:nixos.dev";
+ device_name = config.networking.hostName;
+ sso_helper_listening_port = 55123;
+ };
+ plugins.var.python.go.short_name = true;
+ plugins.var.python.go.short_name_server = true;
+ plugins.var.python.go.fuzzy_search = true;
+ relay.network.password = "xxx"; # secret?
+ relay.port.weechat = 9998;
+ relay.weechat.commands = "*,!exec,!quit";
+ weechat.look.buffer_time_format = "%m-%d_%H:%M:%S";
+ weechat.look.item_time_format = "%m-%d_%H:%M:%S";
+ irc.look.color_nicks_in_names = true;
+ irc.look.color_nicks_in_nicklist = true;
+ logger.file.mask = "$plugin.$name/%Y-%m-%d.weechatlog";
+ logger.file.path = "/var/state/weechat_logs";
+ logger.look.backlog = 1000;
+ weechat.notify.python.matrix.nixos_dev."!YLoVsCxScyQODoqIbb:hackint.org" = "none"; #c-base
+ weechat.notify.python.matrix.nixos_dev."!bohcSYPVoePqBDWlvE:hackint.org" = "none"; #krebs
+ weechat.notify.irc.news."#all" = "highlight";
+
+ # setting logger levels for channels is currently not possible declarativly
+ # because of already defined
+ logger.level.core.weechat = 0;
+ logger.level.irc = 3;
+ logger.level.python = 3;
+ weechat.bar.title.color_bg = 0;
+ weechat.bar.status.color_bg = 0;
+ alias.cmd.reload = "exec -oc cat /etc/weechat.set";
+ script.scripts.download_enabled = true;
+ weechat.look.prefix_align = "left";
+ weechat.look.prefix_align_max = 20;
+ irc.look.server_buffer = "independent";
+ matrix.look.server_buffer = "independent";
+ weechat.bar.buflist.size_max = 20;
+ weechat.color.chat_nick_colors = [
+ 1 2 3 4 5 6 9
+ 10 11 12 13 14
+ 28 29
+ 30 31 32 33 34 35 36 37 38 39
+ 70
+ 94
+ 101 102 103 104 105 106 107
+ 130 131 133 134 135 136 137
+ 140 141 142 143
+ 160 161 162 163 165 166 167 168 169
+ 170 171 172 173 174 175
+ 196 197 198 199
+ 200 201 202 203 204 205 206 208 209 209
+ 210 211 212
+ ];
+ };
+ extraCommands = ''
+ /script upgrade
+ /script install go.py
+ /script install nickregain.pl
+ /script install autosort.py
+ /key bind meta-q /go
+ /key bind meta-t /bar toggle nicklist
+ /key bind meta-y /bar toggle buflist
+ /filter addreplace irc_smart * irc_smart_filter *
+ /filter addreplace playlist_topic irc.*.#the_playlist irc_topic *
+ /filter addreplace xxx_joinpart irc.r.#xxx irc_join,irc_part,irc_quit *
+ /set logger.level.irc.news 0
+ /set logger.level.python.server.nixos_dev = 0;
+ /set logger.level.irc.hackint.#the_playlist = 0;
+ /connect bitlbee
+ /connect r
+ /connect news
+ /connect libera
+ /connect hackint
+ /matrix connect nixos_dev
+ /matrix connect lassulus
+ '';
+ files."sec.conf" = toString (pkgs.writeText "sec.conf" ''
+ [crypt]
+ cipher = aes256
+ hash_algo = sha256
+ passphrase_command = "cat $CREDENTIALS_DIRECTORY/WEECHAT_PASSPHRASE"
+ salt = on
+
+ [data]
+ __passphrase__ = on
+ hackint_sasl = "5CA242E92E7A09B180711B50C4AE2E65C42934EB4E584EC82BC1281D8C72CD411D590C16CC435687C0DA13759873CC"
+ libera_sasl = "9500B5AC3B29F9CAA273F1B89DC99550E038AF95C4B47442B1FB4CB9F0D6B86B26015988AD39E642CA9C4A78DED7F42D1F409B268C93E778"
+ r_sasl = "CB6FB1421ED5A9094CD2C05462DB1FA87C4A675628ABD9AEC9928A1A6F3F96C07D9F26472331BAF80B7B73270680EB1BBEFD"
+ c3-gsm = "C49DD845900CFDFA93EEBCE4F1ABF4A963EF6082B7DA6410FA701CC77A04BB6C201FCB864988C4F2B97ED7D44D5A28F162"
+ matrix.server.nixos_dev.access_token = "C40FE41B9B7B73553D51D8FCBD53871E940FE7FCCAB543E7F4720A924B8E1D58E2B1E1F460F5476C954A223F78CCB956337F6529159C0ECD7CB0384C13CB7170FF1270A577B1C4FF744D20FCF5C708259896F8D9"
+ bitlbee = "814ECAC59D9CF6E8340B566563E5D7E92AB92209B49C1EDE4CAAC32DD0DF1EC511D97C75E840C45D69BB9E3D03E79C"
+ matrix_lassulus = "0CA5C0F70A9F893881370F4A665B4CC40FBB1A41E53BC94916CD92B029103528611EC0B390116BE60FA79AE10F486E96E17B0824BE2DE1C97D87B88F5407330DAD70C044147533C36B09B7030CAD97"
+ '');
+ };
+ };
+
+in {
+ users.users.mainUser.packages = [
+ weechat-configured
+ ];
+ environment.etc."weechat.set".source = "${weechat-configured}/weechat.set";
+ systemd.tmpfiles.rules = [
+ "d /var/state/weechat_logs 0700 lass users -"
+ "d /var/state/weechat 0700 lass users -"
+ "d /var/state/weechat_cfg 0700 lass users -"
+ "L+ /home/lass/.local/share/weechat - - - - ../../../../var/state/weechat"
+ "L+ /home/lass/.config/weechat - - - - ../../../../var/state/weechat_cfg"
+ ];
+
+ systemd.services.weechat = {
+ wantedBy = [ "multi-user.target" ];
+ restartIfChanged = false;
+ serviceConfig = {
+ User = "lass";
+ RemainAfterExit = true;
+ Type = "oneshot";
+ LoadCredential = [
+ "WEECHAT_PASSPHRASE:${toString <secrets>}/weechat_passphrase"
+ ];
+ ExecStart = "${pkgs.tmux}/bin/tmux -2 new-session -d -s IM ${weechat-configured}/bin/weechat";
+ ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t IM"; # TODO run save in weechat
+ };
+ };
+}
diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix
index 6571461ca..a7b0c372c 100644
--- a/lass/2configs/zsh.nix
+++ b/lass/2configs/zsh.nix
@@ -1,6 +1,17 @@
{ config, lib, pkgs, ... }:
{
- environment.systemPackages = [ pkgs.fzf ];
+ environment.systemPackages = with pkgs; [
+ atuin
+ direnv
+ fzf
+ ];
+ environment.variables.ATUIN_CONFIG_DIR = toString (pkgs.writeTextDir "/config.toml" ''
+ auto_sync = true
+ update_check = false
+ sync_address = "http://green.r:8888"
+ sync_frequency = 0
+ style = "compact"
+ '');
programs.zsh = {
enable = true;
shellInit = ''
@@ -12,27 +23,9 @@
setopt autocd extendedglob
bindkey -e
- #history magic
- bindkey "" up-line-or-local-history
- bindkey "" down-line-or-local-history
-
- up-line-or-local-history() {
- zle set-local-history 1
- zle up-line-or-history
- zle set-local-history 0
- }
- zle -N up-line-or-local-history
- down-line-or-local-history() {
- zle set-local-history 1
- zle down-line-or-history
- zle set-local-history 0
- }
- zle -N down-line-or-local-history
-
- setopt SHARE_HISTORY
- setopt HIST_IGNORE_ALL_DUPS
- # setopt inc_append_history
- bindkey '^R' history-incremental-search-backward
+
+ # # setopt inc_append_history
+ # bindkey '^R' history-incremental-search-backward
#C-x C-e open line in editor
autoload -z edit-command-line
@@ -43,6 +36,13 @@
source ${pkgs.fzf}/share/fzf/completion.zsh
source ${pkgs.fzf}/share/fzf/key-bindings.zsh
+ # atuin distributed shell history
+ export ATUIN_NOBIND="true" # disable all keybdinings of atuin
+ eval "$(atuin init zsh)"
+ bindkey '^r' _atuin_search_widget # bind ctrl+r to atuin
+ # use zsh only session history
+ fc -p
+
#completion magic
autoload -Uz compinit
compinit
@@ -65,13 +65,11 @@
bindkey "[8~" end-of-line
bindkey "Oc" emacs-forward-word
bindkey "Od" emacs-backward-word
+
+ # direnv integration
+ eval "$(${pkgs.direnv}/bin/direnv hook zsh)"
'';
promptInit = ''
- # TODO: figure out why we need to set this here
- HISTSIZE=900001
- HISTFILESIZE=$HISTSIZE
- SAVEHIST=$HISTSIZE
-
autoload -U promptinit
promptinit
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 3a0b1306c..42efa8cd6 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -15,5 +15,6 @@ _:
./xjail.nix
./autowifi.nix
./browsers.nix
+ ./sync-containers3.nix
];
}
diff --git a/lass/3modules/sync-containers3.nix b/lass/3modules/sync-containers3.nix
new file mode 100644
index 000000000..1371d5233
--- /dev/null
+++ b/lass/3modules/sync-containers3.nix
@@ -0,0 +1,313 @@
+{ config, lib, pkgs, ... }: let
+ cfg = config.lass.sync-containers3;
+ slib = pkgs.stockholm.lib;
+in {
+ options.lass.sync-containers3 = {
+ inContainer = {
+ enable = lib.mkEnableOption "container config for syncing";
+ pubkey = lib.mkOption {
+ type = lib.types.str; # TODO ssh key
+ };
+ };
+ containers = lib.mkOption {
+ default = {};
+ type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
+ options = {
+ name = lib.mkOption {
+ type = lib.types.str;
+ default = config._module.args.name;
+ };
+ sshKey = lib.mkOption {
+ type = slib.types.absolute-pathname;
+ };
+ luksKey = lib.mkOption {
+ type = slib.types.absolute-pathname;
+ default = config.sshKey;
+ };
+ ephemeral = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+ }));
+ };
+ };
+ config = lib.mkMerge [
+ (lib.mkIf (cfg.containers != {}) {
+
+ containers = lib.mapAttrs' (n: ctr: lib.nameValuePair ctr.name {
+ config = {
+ environment.systemPackages = [
+ pkgs.dhcpcd
+ pkgs.git
+ pkgs.jq
+ ];
+ networking.useDHCP = lib.mkForce true;
+ systemd.services.autoswitch = {
+ environment = {
+ NIX_REMOTE = "daemon";
+ };
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
+ set -efu
+ ln -frs /var/state/var_src /var/src
+ if test -e /var/src/nixos-config; then
+ /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
+ fi
+ '';
+ unitConfig.X-StopOnRemoval = false;
+ };
+ };
+ autoStart = false;
+ enableTun = true;
+ ephemeral = ctr.ephemeral;
+ privateNetwork = true;
+ hostBridge = "ctr0";
+ bindMounts = {
+ "/etc/resolv.conf".hostPath = "/etc/resolv.conf";
+ "/var/lib/self/disk" = {
+ hostPath = "/var/lib/sync-containers3/${ctr.name}/disk";
+ isReadOnly = false;
+ };
+ "/var/state" = {
+ hostPath = "/var/lib/sync-containers3/${ctr.name}/state";
+ isReadOnly = false;
+ };
+ };
+ }) cfg.containers;
+
+ systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [
+ { "${ctr.name}_syncer" = {
+ path = with pkgs; [
+ coreutils
+ consul
+ rsync
+ openssh
+ systemd
+ ];
+ startAt = "*:0/1";
+ serviceConfig = {
+ User = "${ctr.name}_container";
+ LoadCredential = [
+ "ssh_key:${ctr.sshKey}"
+ ];
+ ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" ''
+ set -efu
+ ! systemctl is-active --quiet container@${ctr.name}.service
+ '';
+ ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" ''
+ set -efux
+ consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
+ set -efux
+ if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
+ touch "$HOME"/incomplete
+ rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk
+ rm "$HOME"/incomplete
+ fi
+ ''}
+ '';
+ };
+ }; }
+ { "${ctr.name}_watcher" = {
+ path = with pkgs; [
+ coreutils
+ consul
+ cryptsetup
+ curl
+ mount
+ util-linux
+ jq
+ retry
+ ];
+ serviceConfig = {
+ ExecStart = pkgs.writers.writeDash "${ctr.name}_watcher" ''
+ set -efux
+ while sleep 5; do
+ # get the payload
+ # check if the host reacted recently
+ case $(curl -s -o /dev/null --retry 10 --retry-delay 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in
+ 404)
+ echo 'got 404 from kv, should kill the container'
+ break
+ ;;
+ 500)
+ echo 'got 500 from kv, will kill container'
+ break
+ ;;
+ 200)
+ # echo 'got 200 from kv, will check payload'
+ export payload=$(consul kv get containers/${ctr.name})
+ if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
+ # echo 'we are the host, trying to reach container'
+ if $(retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null); then
+ # echo 'container is reachable, continueing'
+ continue
+ else
+ # echo 'container seems dead, killing'
+ break
+ fi
+ else
+ echo 'we are not host, killing container'
+ break
+ fi
+ ;;
+ *)
+ echo 'unknown state, continuing'
+ continue
+ ;;
+ esac
+ done
+ /run/current-system/sw/bin/nixos-container stop ${ctr.name} || :
+ umount /var/lib/sync-containers3/${ctr.name}/state || :
+ cryptsetup luksClose ${ctr.name} || :
+ '';
+ };
+ }; }
+ { "${ctr.name}_scheduler" = {
+ wantedBy = [ "multi-user.target" ];
+ path = with pkgs; [
+ coreutils
+ consul
+ cryptsetup
+ mount
+ util-linux
+ curl
+ systemd
+ jq
+ retry
+ bc
+ ];
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = "30s";
+ ExecStart = pkgs.writers.writeDash "${ctr.name}_scheduler" ''
+ set -efux
+ # get the payload
+ # check if the host reacted recently
+ case $(curl -s -o /dev/null --retry 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in
+ 404)
+ # echo 'got 404 from kv, will create container'
+ ;;
+ 500)
+ # echo 'got 500 from kv, retrying again'
+ exit 0
+ ;;
+ 200)
+ # echo 'got 200 from kv, will check payload'
+ export payload=$(consul kv get containers/${ctr.name})
+ if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
+ echo 'we are the host, starting container'
+ else
+ # echo 'we are not host, checking timestamp'
+ # if [ $(echo "$(date +%s) - $(jq -rn 'env.payload | fromjson.time') > 100" | bc) -eq 1 ]; then
+ if [ "$(jq -rn 'env.payload | fromjson.time | now - tonumber > 100')" = 'true' ]; then
+ echo 'last beacon is more than 100s ago, taking over'
+ else
+ # echo 'last beacon was recent. trying again'
+ exit 0
+ fi
+ fi
+ ;;
+ *)
+ echo 'unknown state, bailing out'
+ exit 0
+ ;;
+ esac
+ if test -e /var/lib/sync-containers3/${ctr.name}/incomplete; then
+ echo 'data is inconistent, start aborted'
+ exit 1
+ fi
+ consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
+ consul lock -verbose -monitor-retry=100 -timeout 30s -name container_${ctr.name} container_${ctr.name} ${pkgs.writers.writeBash "${ctr.name}-start" ''
+ set -efu
+ cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} || :
+ mkdir -p /var/lib/sync-containers3/${ctr.name}/state
+ mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state
+ /run/current-system/sw/bin/nixos-container start ${ctr.name}
+ # wait for system to become reachable for the first time
+ retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
+ systemctl start ${ctr.name}_watcher.service
+ while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do
+ consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
+ sleep 10
+ done
+ ''}
+ '';
+ };
+ }; }
+ ]) (lib.attrValues cfg.containers)));
+
+ systemd.timers = lib.mapAttrs' (n: ctr: lib.nameValuePair "${ctr.name}_syncer" {
+ timerConfig = {
+ RandomizedDelaySec = 100;
+ };
+ }) cfg.containers;
+
+ users.groups = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" {
+ }) cfg.containers;
+ users.users = lib.mapAttrs' (_: ctr: lib.nameValuePair "${ctr.name}_container" ({
+ group = "container_${ctr.name}";
+ isNormalUser = true;
+ uid = slib.genid_uint31 "container_${ctr.name}";
+ home = "/var/lib/sync-containers3/${ctr.name}";
+ createHome = true;
+ homeMode = "705";
+ })) cfg.containers;
+
+ })
+ (lib.mkIf (cfg.containers != {}) {
+ # networking
+ networking.networkmanager.unmanaged = [ "ctr0" ];
+ networking.interfaces.dummy0.virtual = true;
+ networking.bridges.ctr0.interfaces = [ "dummy0" ];
+ networking.interfaces.ctr0.ipv4.addresses = [{
+ address = "10.233.0.1";
+ prefixLength = 24;
+ }];
+ systemd.services."dhcpd-ctr0" = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Type = "forking";
+ Restart = "always";
+ DynamicUser = true;
+ StateDirectory = "dhcpd-ctr0";
+ User = "dhcpd-ctr0";
+ Group = "dhcpd-ctr0";
+ AmbientCapabilities = [
+ "CAP_NET_RAW" # to send ICMP messages
+ "CAP_NET_BIND_SERVICE" # to bind on DHCP port (67)
+ ];
+ ExecStartPre = "${pkgs.coreutils}/bin/touch /var/lib/dhcpd-ctr0/dhcpd.leases";
+ ExecStart = "${pkgs.dhcp}/bin/dhcpd -4 -lf /var/lib/dhcpd-ctr0/dhcpd.leases -cf ${pkgs.writeText "dhpd.conf" ''
+ default-lease-time 600;
+ max-lease-time 7200;
+ authoritative;
+ ddns-update-style interim;
+ log-facility local1; # see dhcpd.nix
+
+ option subnet-mask 255.255.255.0;
+ option routers 10.233.0.1;
+ # option domain-name-servers 8.8.8.8; # TODO configure dns server
+ subnet 10.233.0.0 netmask 255.255.255.0 {
+ range 10.233.0.10 10.233.0.250;
+ }
+ ''} ctr0";
+ };
+ };
+ })
+ (lib.mkIf cfg.inContainer.enable {
+ users.groups.container_sync = {};
+ users.users.container_sync = {
+ group = "container_sync";
+ uid = slib.genid_uint31 "container_sync";
+ isNormalUser = true;
+ home = "/var/lib/self";
+ createHome = true;
+ openssh.authorizedKeys.keys = [
+ cfg.inContainer.pubkey
+ ];
+ };
+ })
+ ];
+}
diff --git a/lass/5pkgs/weechat-matrix/default.nix b/lass/5pkgs/weechat-matrix/default.nix
new file mode 100644
index 000000000..40848caaa
--- /dev/null
+++ b/lass/5pkgs/weechat-matrix/default.nix
@@ -0,0 +1,80 @@
+{ python3Packages
+, lib
+, fetchFromGitHub
+}:
+
+with python3Packages;
+
+let
+ scriptPython = python.withPackages (ps: with ps; [
+ aiohttp
+ requests
+ python_magic
+ ]);
+
+ version = "lassulus-fork";
+in python3Packages.buildPythonPackage {
+ pname = "weechat-matrix";
+ inherit version;
+
+ src = fetchFromGitHub {
+ owner = "poljar";
+ repo = "weechat-matrix";
+ rev = version;
+ hash = "sha256-o4kgneszVLENG167nWnk2FxM+PsMzi+PSyMUMIktZcc=";
+ };
+ # src = ./weechat-matrix;
+
+ propagatedBuildInputs = [
+ pyopenssl
+ webcolors
+ future
+ atomicwrites
+ attrs
+ Logbook
+ pygments
+ matrix-nio
+ aiohttp
+ requests
+ ];
+
+ passthru.scripts = [ "matrix.py" ];
+
+ dontBuild = true;
+ doCheck = false;
+
+ format = "other";
+
+ installPhase = ''
+ mkdir -p $out/share $out/bin
+ cp main.py $out/share/matrix.py
+
+ cp contrib/matrix_upload.py $out/bin/matrix_upload
+ cp contrib/matrix_decrypt.py $out/bin/matrix_decrypt
+ cp contrib/matrix_sso_helper.py $out/bin/matrix_sso_helper
+ substituteInPlace $out/bin/matrix_upload \
+ --replace '/usr/bin/env -S python3' '${scriptPython}/bin/python'
+ substituteInPlace $out/bin/matrix_sso_helper \
+ --replace '/usr/bin/env -S python3' '${scriptPython}/bin/python'
+ substituteInPlace $out/bin/matrix_decrypt \
+ --replace '/usr/bin/env python3' '${scriptPython}/bin/python'
+
+ mkdir -p $out/${python.sitePackages}
+ cp -r matrix $out/${python.sitePackages}/matrix
+ '';
+
+ dontPatchShebangs = true;
+ postFixup = ''
+ addToSearchPath program_PYTHONPATH $out/${python.sitePackages}
+ patchPythonScript $out/share/matrix.py
+ substituteInPlace $out/${python.sitePackages}/matrix/server.py --replace \"matrix_sso_helper\" \"$out/bin/matrix_sso_helper\"
+ '';
+
+ meta = with lib; {
+ description = "A Python plugin for Weechat that lets Weechat communicate over the Matrix protocol";
+ homepage = "https://github.com/poljar/weechat-matrix";
+ license = licenses.isc;
+ platforms = platforms.unix;
+ maintainers = with maintainers; [ tilpner emily ];
+ };
+}
diff --git a/lib/types.nix b/lib/types.nix
index f312b734b..0e0e093fb 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -58,6 +58,14 @@ rec {
default = false;
};
+ consul = mkOption {
+ description = ''
+ Whether the host is a member of the global consul network
+ '';
+ type = bool;
+ default = false;
+ };
+
owner = mkOption {
type = user;
};
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-28 21:31:42 +0000
[cgit] Unable to lock slot /tmp/cgit/14100000.lock: No such file or directory (2)