authormakefu <github@syntax-fehler.de>2022-01-26 17:59:53 +0100
committermakefu <github@syntax-fehler.de>2022-01-26 17:59:53 +0100
commit54aaf5af8ed4d62a2e6645b7ca662ffac310e86c (patch)
treeb3b1a1797791cd8cf763254a3fd88f7d35a2340c
parentef48f536a3e539b215bb004b512e62c2d0f96907 (diff)
parent31fc5a95c735ab3b9b832d407195e422c07cd4c0 (diff)
Merge remote-tracking branch 'lass/master'
-rw-r--r--krebs/1systems/hotdog/config.nix2
-rw-r--r--krebs/2configs/default.nix1
-rw-r--r--krebs/2configs/ergo.nix13
-rw-r--r--krebs/2configs/ircd.nix149
-rw-r--r--krebs/2configs/mud.nix3
-rw-r--r--krebs/2configs/news.nix8
-rw-r--r--krebs/2configs/reaktor2.nix2
-rw-r--r--krebs/2configs/security-workarounds.nix6
-rw-r--r--krebs/3modules/backup.nix6
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/ergo.nix15
-rw-r--r--krebs/3modules/external/default.nix160
-rw-r--r--krebs/3modules/external/kmein.nix146
-rw-r--r--krebs/3modules/external/mic92.nix28
-rw-r--r--krebs/3modules/external/ssh/kmein.kabsa.pub (renamed from krebs/3modules/external/ssh/kmein.pub)1
-rw-r--r--krebs/3modules/external/ssh/kmein.manakish.pub1
-rw-r--r--krebs/3modules/external/ssh/qubasa.pub1
-rw-r--r--krebs/3modules/go.nix12
-rw-r--r--krebs/3modules/lass/default.nix2
-rw-r--r--krebs/3modules/tv/default.nix26
-rw-r--r--krebs/5pkgs/haskell/brockman/default.nix4
-rw-r--r--krebs/5pkgs/haskell/much.nix6
-rw-r--r--krebs/5pkgs/simple/K_belwagen.nix38
-rw-r--r--krebs/5pkgs/simple/ergo/default.nix10
-rw-r--r--krebs/5pkgs/simple/git-hooks/default.nix1
-rw-r--r--krebs/5pkgs/simple/painload/default.nix12
-rw-r--r--krebs/5pkgs/simple/reaktor2-plugins.nix10
-rw-r--r--krebs/nixpkgs-unstable.json8
-rw-r--r--krebs/nixpkgs.json8
-rw-r--r--lass/1systems/prism/config.nix1
-rw-r--r--lass/1systems/prism/physical.nix8
-rw-r--r--lass/2configs/baseX.nix2
-rw-r--r--lass/2configs/default.nix2
-rw-r--r--lass/2configs/fysiirc.nix51
-rw-r--r--lass/2configs/network-manager.nix4
-rw-r--r--lass/2configs/pipewire.nix51
-rw-r--r--lass/2configs/retiolum.nix7
-rw-r--r--lass/2configs/security-workarounds.nix8
-rw-r--r--lass/2configs/yubikey.nix43
-rw-r--r--lass/3modules/xjail.nix32
-rw-r--r--tv/1systems/bu/config.nix40
-rw-r--r--tv/1systems/bu/disks.nix19
-rw-r--r--tv/2configs/backup.nix24
43 files changed, 586 insertions, 386 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 6a51bf45f..cf07d3b4d 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -7,7 +7,7 @@
<stockholm/krebs/2configs/buildbot-stockholm.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix>
- <stockholm/krebs/2configs/ergo.nix>
+ <stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/reaktor2.nix>
<stockholm/krebs/2configs/wiki.nix>
<stockholm/krebs/2configs/acme.nix>
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 9200d41fe..38d770316 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -4,6 +4,7 @@ with import <stockholm/lib>;
{
imports = [
./backup.nix
+ ./security-workarounds.nix
];
krebs.announce-activation.enable = true;
krebs.enable = true;
diff --git a/krebs/2configs/ergo.nix b/krebs/2configs/ergo.nix
deleted file mode 100644
index db0bc5748..000000000
--- a/krebs/2configs/ergo.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- networking.firewall.allowedTCPPorts = [
- 6667
- ];
-
- krebs.ergo = {
- enable = true;
- };
-}
-
-
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index 904878731..c6c91e074 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -1,121 +1,44 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [
- 6667 6669
+ 6667
];
- systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384;
-
- services.solanum = {
+ krebs.ergo = {
enable = true;
- motd = ''
- hello
- '';
- config = ''
- loadmodule "extensions/m_omode";
- serverinfo {
- name = "${config.krebs.build.host.name}.irc.r";
- sid = "1as";
- description = "irc!";
- network_name = "irc.r";
-
- vhost = "0.0.0.0";
- vhost6 = "::";
-
- #ssl_private_key = "etc/ssl.key";
- #ssl_cert = "etc/ssl.cert";
- #ssl_dh_params = "etc/dh.pem";
- #ssld_count = 1;
-
- default_max_clients = 2048;
- #nicklen = 30;
- };
-
- listen {
- defer_accept = yes;
-
- /* If you want to listen on a specific IP only, specify host.
- * host definitions apply only to the following port line.
- */
- host = "0.0.0.0";
- port = 6667;
- #sslport = 6697;
-
- /* Listen on IPv6 (if you used host= above). */
- host = "::";
- port = 6667;
- #sslport = 6697;
- };
-
- class "users" {
- ping_time = 2 minutes;
- number_per_ident = 10;
- number_per_ip = 4096;
- number_per_ip_global = 4096;
- cidr_ipv4_bitlen = 24;
- cidr_ipv6_bitlen = 64;
- number_per_cidr = 65535;
- max_number = 65535;
- sendq = 1000 megabyte;
- };
-
- privset "op" {
- privs = oper:admin, oper:general;
- };
-
- operator "aids" {
- user = "*@*";
- password = "balls";
- flags = ~encrypted;
- snomask = "+s";
- privset = "op";
- };
-
- exempt {
- ip = "127.0.0.1";
- };
-
- exempt {
- ip = "10.243.0.0/16";
- };
-
- auth {
- user = "*@*";
- class = "users";
- flags = kline_exempt, exceed_limit, flood_exempt;
- };
-
- channel {
- autochanmodes = "+t";
- use_invex = yes;
- use_except = yes;
- use_forward = yes;
- use_knock = yes;
- knock_delay = 5 minutes;
- knock_delay_channel = 1 minute;
- max_chans_per_user = 150;
- max_bans = 100;
- max_bans_large = 500;
- default_split_user_count = 0;
- default_split_server_count = 0;
- no_create_on_split = no;
- no_join_on_split = no;
- burst_topicwho = yes;
- kick_on_split_riding = no;
- only_ascii_channels = no;
- resv_forcepart = yes;
- channel_target_change = yes;
- disable_local_channels = no;
- };
-
- general {
- #maybe we want ident someday?
- default_floodcount = 10000;
- disable_auth = yes;
- throttle_duration = 1;
- throttle_count = 10000;
- };
- '';
+ config = {
+ server.secure-nets = [
+ "42::0/16"
+ "10.240.0.0/12"
+ ];
+ oper-classes.server-admin = {
+ title = "admin";
+ capabilities = [
+ "kill" # disconnect user sessions
+ "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line")
+ "nofakelag" # remove "fakelag" restrictions on rate of message sending
+ "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block)
+ "vhosts" # add and remove vhosts from users
+ "sajoin" # join arbitrary channels, including private channels
+ "samode" # modify arbitrary channel and user modes
+ "snomasks" # subscribe to arbitrary server notice masks
+ "roleplay" # use the (deprecated) roleplay commands in any channel
+ "rehash" # rehash the server, i.e. reload the config at runtime
+ "accreg" # modify arbitrary account registrations
+ "chanreg" # modify arbitrary channel registrations
+ "history" # modify or delete history messages
+ "defcon" # use the DEFCON command (restrict server capabilities)
+ "massmessage" # message all users on the server
+ ];
+ };
+ opers.aids = {
+ class = "server-admin";
+ hidden = false;
+ password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO";
+ };
+ };
};
}
+
+
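Review bot: The `opers.aids` password on the new side is a bcrypt hash at cost factor 4 (`$2a$04$…`) committed to the repository, so anyone who can read the tree (or the generated config, if it ends up world-readable) can test guesses against it offline at very low cost. The removed solanum block held a short plaintext password for the same oper name; if that password was carried over, the hash adds no protection and the credential should be rotated. The `server-admin` class grants `samode`, `sajoin`, `accreg` and `rehash`, so this account warrants a long random password whose hash is kept out of the public tree. It is also worth confirming that `server.secure-nets` really needs all of `10.240.0.0/12` and `42::0/16`, since connections from those ranges are treated as secure without TLS.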
diff --git a/krebs/2configs/mud.nix b/krebs/2configs/mud.nix
index d5e4c89c1..30f232b64 100644
--- a/krebs/2configs/mud.nix
+++ b/krebs/2configs/mud.nix
@@ -156,7 +156,8 @@ in {
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
makefu.pubkey
- kmein.pubkey
+ kmein-kabsa.pubkey
+ kmein-manakish.pubkey
tv.pubkey
];
packages = with pkgs; [
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 84a39f95b..9ea4cbf8d 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -68,7 +68,13 @@
wantedBy = [ "multi-user.target" ];
};
- systemd.services.brockman.bindsTo = [ "solanum.service" ];
+ krebs.ergo.openFilesLimit = 16384;
+ krebs.ergo.config = {
+ limits.nicklen = 100;
+ limits.identlen = 100;
+ history.enabled = false;
+ };
+ systemd.services.brockman.bindsTo = [ "ergo.service" ];
systemd.services.brockman.serviceConfig.LimitNOFILE = 16384;
systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG";
krebs.brockman = {
diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix
index df66fd798..305d31405 100644
--- a/krebs/2configs/reaktor2.nix
+++ b/krebs/2configs/reaktor2.nix
@@ -95,7 +95,7 @@ let
}
hooks.sed
(generators.command_hook {
- inherit (commands) random-emoji nixos-version;
+ inherit (commands) dance random-emoji nixos-version;
tell = {
filename =
<stockholm/krebs/5pkgs/simple/Reaktor/scripts/tell-on_privmsg.sh>;
diff --git a/krebs/2configs/security-workarounds.nix b/krebs/2configs/security-workarounds.nix
new file mode 100644
index 000000000..27d1f8485
--- /dev/null
+++ b/krebs/2configs/security-workarounds.nix
@@ -0,0 +1,6 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+{
+ # https://github.com/berdav/CVE-2021-4034
+ security.wrappers.pkexec.source = lib.mkForce (pkgs.writeText "pkexec" "");
+}
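Review bot: The comment above `security.wrappers.pkexec.source` is only a link to a proof-of-concept repository; it says neither what the override does nor when it can be removed. Forcing the wrapper source to an empty file disables pkexec on every host that imports this module, and nothing ties the override to a polkit version, so it will outlive the upstream fix unless someone remembers it (the same merge bumps both nixpkgs pins, which may already carry the patched polkit — worth checking). I would replace the comment with something like `# CVE-2021-4034 (pkexec local privilege escalation): neutralise the setuid wrapper until the pinned nixpkgs ships a patched polkit; remove afterwards.` The `with import <stockholm/lib>;` line appears unused here, since `mkForce` is taken from the `lib` argument.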
diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix
index c5cb1cae6..4a88582a2 100644
--- a/krebs/3modules/backup.nix
+++ b/krebs/3modules/backup.nix
@@ -157,7 +157,8 @@ let
# of the deepest directory:
# shellcheck disable=SC2174
${local.rsync} >&2 \
- -aAXF --delete \
+ -aAX --delete \
+ --filter='dir-merge /.backup-filter' \
--rsh=${shell.escape ssh} \
--rsync-path=${shell.escape remote.rsync} \
--link-dest=${shell.escape plan.dst.path}/current \
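Review bot: Dropping `-F` changes which per-directory filter file rsync honours: `-F` is shorthand for `--filter='dir-merge /.rsync-filter'`, so after this change any existing `.rsync-filter` files in the source trees are silently ignored and only `.backup-filter` is read. Paths that were excluded before (caches, or material that was deliberately kept out of backups) will start being copied to the destination unless every filter file is renamed at the same time. The second hunk in this file (the local snapshot `rsync`) has the same change. If a transition period is wanted, both can be kept with `-aAXF --delete \` followed by the new `--filter` line; either way a comment next to the option naming the expected file would help whoever maintains the sources.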
@@ -191,7 +192,8 @@ let
echo >&2 "create snapshot: $ns/$name"
mkdir -m 0700 -p "$dst_path/$ns"
rsync >&2 \
- -aAXF --delete \
+ -aAX --delete \
+ --filter='dir-merge /.backup-filter' \
--link-dest="$dst_path/current" \
"$dst_path/current/" \
"$dst_path/$ns/.partial.$name"
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index f76d3c536..b58b52038 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -108,6 +108,7 @@ let
{ krebs = import ./makefu { inherit config; }; }
{ krebs = import ./external/palo.nix { inherit config; }; }
{ krebs = import ./external/mic92.nix { inherit config; }; }
+ { krebs = import ./external/kmein.nix { inherit config; }; }
{ krebs = import ./tv { inherit config; }; }
{
krebs.dns.providers = {
diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix
index 3153e4cfc..50c5ab628 100644
--- a/krebs/3modules/ergo.nix
+++ b/krebs/3modules/ergo.nix
@@ -2,6 +2,13 @@
options = {
krebs.ergo = {
enable = lib.mkEnableOption "Ergo IRC daemon";
+ openFilesLimit = lib.mkOption {
+ type = lib.types.int;
+ default = 1024;
+ description = ''
+ Maximum number of open files. Limits the clients and server connections.
+ '';
+ };
config = lib.mkOption {
type = (pkgs.formats.json {}).type;
description = ''
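Review bot: `openFilesLimit` is declared as `lib.types.int`, which also accepts zero and negative values that make no sense for `LimitNOFILE` and would only fail when the unit starts. `type = lib.types.ints.positive;` rejects them at evaluation time. The description could also state that the value is passed to systemd as `LimitNOFILE`, since that is what the option controls further down the file. The `options` block continues outside this hunk.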
@@ -54,8 +61,8 @@
multiclient = {
enabled = true;
allowed-by-default = true;
- always-on = "opt-in";
- auto-away = "opt-in";
+ always-on = "opt-out";
+ auto-away = "opt-out";
};
};
channels = {
@@ -111,13 +118,15 @@
systemd.services.ergo = {
description = "Ergo IRC daemon";
wantedBy = [ "multi-user.target" ];
- reloadIfChanged = true;
+ # reload currently not working as expected
+ # reloadIfChanged = true;
restartTriggers = [ configFile ];
serviceConfig = {
ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml";
ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
DynamicUser = true;
StateDirectory = "ergo";
+ LimitNOFILE = "${toString cfg.openFilesLimit}";
};
};
});
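Review bot: The comment `# reload currently not working as expected` does not say what fails, and with `reloadIfChanged` disabled while `restartTriggers = [ configFile ]` stays, every configuration change now restarts the daemon and disconnects all clients. A more specific comment would let the next person know when the line can come back, for example `# SIGHUP rehash does not pick up <what was observed>; restart on config change until fixed`. On the added line, the string interpolation is redundant: `LimitNOFILE = cfg.openFilesLimit;` is enough, as `serviceConfig` accepts integers.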
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index 66914797d..1b51f0223 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -16,37 +16,7 @@ with import <stockholm/lib>;
tinc-for = name: builtins.readFile (./tinc + "/${name}.pub");
in {
-
hosts = mapAttrs hostDefaults {
- kabsa = {
- owner = config.krebs.users.kmein;
- nets = {
- retiolum = {
- ip4.addr = "10.243.2.4";
- aliases = [
- "kabsa.r"
- "kabsa.kmein.r"
- ];
- tinc.pubkey = ''
- -----BEGIN PUBLIC KEY-----
- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
- g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg
- 2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay
- uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L
- a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo
- IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM
- C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q
- sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq
- 10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo
- 1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57
- lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0
- QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ==
- -----END PUBLIC KEY-----
- '';
- tinc.pubkey_ed25519 = "KhOetVTVLtGxB22NmZhkTWC0Uhg8rXJv4ayZqchSgCN";
- };
- };
- };
helsinki = {
owner = config.krebs.users.ajs124;
nets = {
@@ -142,65 +112,6 @@ in {
};
};
};
- makanek = {
- owner = config.krebs.users.kmein;
- nets = {
- retiolum = {
- ip4.addr = "10.243.2.84";
- aliases = [
- "makanek.r"
- "makanek.kmein.r"
- "grafana.kmein.r"
- "names.kmein.r"
- "graph.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAwvtxCG7Vua6+WoStGrkL+H/g4BABidL2eikDBtbxWN+oGv2Bjrwb
- VzXB8lMTCsu6M2wb3YTXXzAkc5oI4gE1sSOiCKyhYnQRrndc91KewquxTPfKL19u
- JiRqax/E49IvWKARPRPXUhPfU/NNw1oIxhbcFkjwJmqDvh9SWhl5VZVynCE28ov5
- hjjhqNXZHOR8CQqPJeY8v38OAAwTWvJ6rhEQwp5dLBqmRAbvPXj7OOzCxKluDY2X
- Dl4k6QAjI6NddJXsXHRYRNGiB0CP1UBC91NDtW2+HIjf1Q1Lip5agO4/SkkSUt39
- de7uYKrNcfyDUBb9Suconw0HvW+Dv4Ce5um+aa1RUrWIQdqBCOECbsXYKp66vAnK
- Hidf2uznFseWxiyxz1ow8AvvSseABej5GuHI/56lywnFlnHEZLREUF/4PT+BZ0vE
- uPRkzqeSNybsYYFieK8aany/RmJaoIsduGutgAiKBvkCCHru895n02xuLhZVkM2G
- zfVjA2le+Gxr21/sVPrHfxResLUh4RA8fkS7erWMRF4a3IOpIS4yrM+p4pZTlTxO
- Ya8buh4RgyE/0hp4QNpa4K7fvntriK+k6zHs7BcZcG2aMWP3O9/4DgjzBR3eslQV
- oou23ajP11wyfrmZK0/PQGTpsU472Jj+06KtMAaH0zo4vAR8s2kV1ukCAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
- tinc.pubkey_ed25519 = "GiAe9EH3ss+K71lRlkGaOcg/MrV/zxNW5tDF0koEGvC";
- };
- };
- };
- manakish = {
- owner = config.krebs.users.kmein;
- nets = {
- retiolum = {
- ip4.addr = "10.243.2.85";
- aliases = [
- "manakish.r"
- "manakish.kmein.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAtZcWwm1tTFoMcO0EOwNdSrZW9m2tSNWzwTGjlfuNFQKPnHiKdFFH
- Hym72+WtaIZmffermGTfYdMoB/lWgOB0glqH9oSBFvrLVDgdQL2il589EXBd/1Qy
- 7Ye5EVy2/xEA7iZGg3j0i+q1ic48tt6ePd4+QR0LmLEa8+Gz5X0Tp9TTf7gdv+lB
- dVA6p7LJixKcBsC5W0jY5oTGUP0fM844AtWbpflmlz0JZNWrkJhCksOnfhUzeIsF
- 1m9rCsyK+3jGMV6ZxhEbwaOt99Wlv0N0ouPePw+xLnnGTu0rJ/RKWceYnWnrHIyb
- GgGIHnm9GbMd4mAfyp63emRYDMclSQSrddpDUL2GK8TCTttr6bZm4M/pFuXQGJsQ
- EG0iaE8FM+nCrhmCRnX8dRWcNmHybd34UoVGCDJ6u+ksLIivqgWeY41CauqN0vQw
- U4zqp6XMXRB6vlVcyLzdTASxVKaLJt+BuvHcyqz/YslJ97z4yoLE3d7s/9gZkM//
- +FD970bsyvKpKRx72rNRCO9tQJNgPsaMiW5nuHUFw71XxX8o0w//5a0h5cdbiT64
- I4ISySa4ynmHI1/v0a937/sFS0IvRI1Va0Efh2VxasNIqpDmM3hA8auPDj0Js/4c
- qVnWMbvqqYlY9l//HCNxUXIhi0vcOr2PoCxBtcP5pHY8nNphQrPjRrcCAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
- tinc.pubkey_ed25519 = "CjSqXJMvJevjqX9W9sqDpLTJs9DXfC04YNAFpYqS2iN";
- };
- };
- };
qubasa = {
owner = config.krebs.users.qubasa;
nets = {
@@ -226,7 +137,6 @@ in {
};
};
};
-
keller = {
owner = config.krebs.users.qubasa;
nets = {
@@ -279,13 +189,6 @@ in {
};
};
- rilke = {
- owner = config.krebs.users.kmein;
- nets.wiregrill = {
- aliases = [ "rilke.w" ];
- wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
- };
- };
rtjure = {
owner = config.krebs.users.rtjure;
nets = {
@@ -312,37 +215,6 @@ in {
};
};
};
- zaatar = {
- owner = config.krebs.users.kmein;
- nets = {
- retiolum = {
- ip4.addr = "10.243.2.34";
- aliases = [
- "zaatar.r"
- "zaatar.kmein.r"
- "grocy.kmein.r"
- "bvg.kmein.r"
- "moodle.kmein.r"
- ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAyEeesa4mDNAT2QT/PxfmildhqawinWTcUiF3V2wsfy3eXJCFySKM
- pRKrLnOpkd2RoLWA88o0/hAfTdel/fXRjAx8TtKlh1n+UoRhYOGqLJKUZDVGImjJ
- xTPGCC+g4b2cNCYU3RVdttSu8+zlfO6ktkySULKbVkJN3ocQmSCmWs2tP6hYvk2i
- 5OB3Uxw+OwhtVO76dlby6Idmc8o++ZVm3snbYsgiR7RQf9vHZHR8lKr5fZ/ycq2Q
- T+agY/cFLJ+jhfUi8LFtKKcqGLyKKrDywADQWTcIG+cjV33k6ftW678jvsEft6e6
- 2RgspZX5XciTbMPIPGMcH5NZPXi6youcUcqcqDtok7Y1Jj3N5dSmJno5ojyKolZp
- PRt4bPx9WuerjzwL5gG9E6n6l24neX6Mq7RDyJfBYtpUvZblezXWUuoReGNczAvj
- zZrAKXKnuCEgQ/du7pT8V6qHG5NjovIMm0VDxOJV5jBL4NUox3PGbW5g0vS/nxHc
- xKWPq+4zoyA6MsL9sGCqIlSWEqNnSERX19GbJZNYjm1J+aGZ/fZ+MaDJGuCzlxn4
- yjLBuuXSkIrPxxtIV+Yh8Wy5qDNRN7XS1wNxUcmjQn0+7Ou/4W+cTWJ/+yZyC1DK
- uYEZh8YBMJo0E4bR4s04SFA6uLIvLigPELxzb0jwZSKXRnQhay6zzZ0CAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
- tinc.pubkey_ed25519 = "GYg9UMw0rFWFS0Yr8HFe81HcGjQw0xbu9wqDWtQPDLH";
- };
- };
- };
sokrateslaptop = {
owner = config.krebs.users.sokratess;
nets = {
@@ -691,6 +563,31 @@ in {
};
};
};
+ papawhakaaro = {
+ owner = config.krebs.users.feliks;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.10.243";
+ aliases = [ "papawhakaaro.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEA4bd0lVUVlzFmM8TuH77C5VctcK4lkw02LbMVQDJ5U+Ww075nNahw
+ oRHqPgJRwfGW0Tgu/1s5czZ2tAFU3lXoOSBYldAspM3KRZ4DKQsFrL9B0oWarGsK
+ sUgsuOJprlX4mkfj/eBNINqTqf2kVIH+p43VENQ9ioKmc+qJKm4xfRONRLp871GV
+ 5jmIvRvQ6JP0RtNd2KpNLaeplzx8M61D9PBOAZkNYAUTpBs4LZBNJj4eFnXBugrz
+ GkBjmm3Rk7olz0uOZzbeTc6Slv2tgtN5FrQifdy4XIlsKcBTzMkYHEZstmldJgd9
+ pGvfmem6uPcXrF+eDJzqUn0ArH7eOIS4F0+DzugJz4qX+ytvE4ag7r2Vx0Pa9TCY
+ hpn0lqwW+ly1clM0SKt59v1nQ4oRW4UIbAZaIgp4UJbb3IGSwbq7NuadvHpNICHi
+ 4pqQD+1sSEbGLAZ0bFjLIYFg9zzNjLeAxXpn49WHOEyRlq3h+SUQcG2EuVMI28DX
+ lILKSoOJsuQupURPubaxkiNEa5neYk9hZ8CWgwSG/VlyRLuNsVDVn2dBma43Mr10
+ LHMkX2/a9t7ghokugvV2XMP9Es9A9TGFShM9UtFAlovdad+SQ8FBPNheDwIhjCJe
+ l5NIrMrmQIveq7QJ1szxYhqfl1ifU0c+YxeMkg3tvEuQV/tk/oki/aECAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "5G49yQPjkkoGZxM6CeDy87y6tB/abtelUAk55wJ4GpP";
+ };
+ };
+ };
hydrogen = {
owner = config.krebs.users.sandro;
nets = rec {
@@ -740,10 +637,6 @@ in {
jonge = {
mail = "jacek.galowicz@gmail.com";
};
- kmein = {
- mail = "kmein@posteo.de";
- pubkey = ssh-for "kmein";
- };
mic92 = {
mail = "joerg@thalheim.io";
pubkey = ssh-for "mic92";
@@ -799,5 +692,8 @@ in {
pie_ = {};
domsen = {
};
+ feliks = {
+ mail = "feliks@flipdot.org";
+ };
};
}
diff --git a/krebs/3modules/external/kmein.nix b/krebs/3modules/external/kmein.nix
new file mode 100644
index 000000000..9ef079090
--- /dev/null
+++ b/krebs/3modules/external/kmein.nix
@@ -0,0 +1,146 @@
+with import <stockholm/lib>;
+{ config, ... }:
+let
+ maybeEmpty = attrset: key: if (attrset?key) then attrset.${key} else [];
+ hostDefaults = hostName: host: flip recursiveUpdate host ({
+ ci = false;
+ external = true;
+ monitoring = false;
+ owner = config.krebs.users.kmein;
+ } // optionalAttrs (host.nets?retiolum) {
+ nets.retiolum = {
+ ip6.addr = (krebs.genipv6 "retiolum" "external" { inherit hostName; }).address;
+ };
+ } // optionalAttrs (host.nets?wiregrill) {
+ nets.wiregrill = {
+ ip6.addr = (krebs.genipv6 "wiregrill" "external" { inherit hostName; }).address;
+ };
+ });
+ ssh-for = name: builtins.readFile (./ssh + "/${name}.pub");
+in
+{
+ users = rec {
+ kmein = kmein-kabsa;
+ kmein-kabsa = {
+ mail = "kmein@posteo.de";
+ pubkey = ssh-for "kmein.kabsa";
+ };
+ kmein-manakish = {
+ inherit (kmein-kabsa) mail;
+ pubkey = ssh-for "kmein.manakish";
+ };
+ };
+ hosts = mapAttrs hostDefaults {
+ kabsa = {
+ nets.retiolum = {
+ aliases = [ "kabsa.r" "kabsa.kmein.r" ];
+ ip4.addr = "10.243.2.4";
+ tinc.pubkey = ''
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtz/MY5OSxJqrEMv6Iwjk
+ g/V58MATljj+2bmOuOuPui/AUYHEZX759lHW4MgLjYdNbZEoVq8UgkxNk0KPGlSg
+ 2lsJ7FneCU7jBSE2iLT1aHuNFFa56KzSThFUl6Nj6Vyg5ghSmDF2tikurtG2q+Ay
+ uxf5/yEhFUPc1ZxmvJDqVHMeW5RZkuKXH00C7yN+gdcPuuFEFq+OtHNkBVmaxu7L
+ a8Q6b/QbrwQJAR9FAcm5WSQIj2brv50qnD8pZrU4loVu8dseQIicWkRowC0bzjAo
+ IHZTbF/S+CK0u0/q395sWRQJISkD+WAZKz5qOGHc4djJHBR3PWgHWBnRdkYqlQYM
+ C9zA/n4I+Y2BEfTWtgkD2g0dDssNGP5dlgFScGmRclR9pJ/7dsIbIeo9C72c6q3q
+ sg0EIWggQ8xyWrUTXIMoDXt37htlTSnTgjGsuwRzjotAEMJmgynWRf3br3yYChrq
+ 10Exq8Lej+iOuKbdAXlwjKEk0qwN7JWft3OzVc2DMtKf7rcZQkBoLfWKzaCTQ4xo
+ 1Y7d4OlcjbgrkLwHltTaShyosm8kbttdeinyBG1xqQcK11pMO43GFj8om+uKrz57
+ lQUVipu6H3WIVGnvLmr0e9MQfThpC1em/7Aq2exn1JNUHhCdEho/mK2x/doiiI+0
+ QAD64zPmuo9wsHnSMR2oKs0CAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "KhOetVTVLtGxB22NmZhkTWC0Uhg8rXJv4ayZqchSgCN";
+ };
+ };
+ makanek = {
+ nets.retiolum = {
+ aliases = [
+ "makanek.r"
+ "makanek.kmein.r"
+ "grafana.kmein.r"
+ "names.kmein.r"
+ "graph.r"
+ "rrm.r"
+ ];
+ ip4.addr = "10.243.2.84";
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAwvtxCG7Vua6+WoStGrkL+H/g4BABidL2eikDBtbxWN+oGv2Bjrwb
+ VzXB8lMTCsu6M2wb3YTXXzAkc5oI4gE1sSOiCKyhYnQRrndc91KewquxTPfKL19u
+ JiRqax/E49IvWKARPRPXUhPfU/NNw1oIxhbcFkjwJmqDvh9SWhl5VZVynCE28ov5
+ hjjhqNXZHOR8CQqPJeY8v38OAAwTWvJ6rhEQwp5dLBqmRAbvPXj7OOzCxKluDY2X
+ Dl4k6QAjI6NddJXsXHRYRNGiB0CP1UBC91NDtW2+HIjf1Q1Lip5agO4/SkkSUt39
+ de7uYKrNcfyDUBb9Suconw0HvW+Dv4Ce5um+aa1RUrWIQdqBCOECbsXYKp66vAnK
+ Hidf2uznFseWxiyxz1ow8AvvSseABej5GuHI/56lywnFlnHEZLREUF/4PT+BZ0vE
+ uPRkzqeSNybsYYFieK8aany/RmJaoIsduGutgAiKBvkCCHru895n02xuLhZVkM2G
+ zfVjA2le+Gxr21/sVPrHfxResLUh4RA8fkS7erWMRF4a3IOpIS4yrM+p4pZTlTxO
+ Ya8buh4RgyE/0hp4QNpa4K7fvntriK+k6zHs7BcZcG2aMWP3O9/4DgjzBR3eslQV
+ oou23ajP11wyfrmZK0/PQGTpsU472Jj+06KtMAaH0zo4vAR8s2kV1ukCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "GiAe9EH3ss+K71lRlkGaOcg/MrV/zxNW5tDF0koEGvC";
+ };
+ };
+ manakish = {
+ nets.retiolum = {
+ aliases = [
+ "manakish.r"
+ "manakish.kmein.r"
+ ];
+ ip4.addr = "10.243.2.85";
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAtZcWwm1tTFoMcO0EOwNdSrZW9m2tSNWzwTGjlfuNFQKPnHiKdFFH
+ Hym72+WtaIZmffermGTfYdMoB/lWgOB0glqH9oSBFvrLVDgdQL2il589EXBd/1Qy
+ 7Ye5EVy2/xEA7iZGg3j0i+q1ic48tt6ePd4+QR0LmLEa8+Gz5X0Tp9TTf7gdv+lB
+ dVA6p7LJixKcBsC5W0jY5oTGUP0fM844AtWbpflmlz0JZNWrkJhCksOnfhUzeIsF
+ 1m9rCsyK+3jGMV6ZxhEbwaOt99Wlv0N0ouPePw+xLnnGTu0rJ/RKWceYnWnrHIyb
+ GgGIHnm9GbMd4mAfyp63emRYDMclSQSrddpDUL2GK8TCTttr6bZm4M/pFuXQGJsQ
+ EG0iaE8FM+nCrhmCRnX8dRWcNmHybd34UoVGCDJ6u+ksLIivqgWeY41CauqN0vQw
+ U4zqp6XMXRB6vlVcyLzdTASxVKaLJt+BuvHcyqz/YslJ97z4yoLE3d7s/9gZkM//
+ +FD970bsyvKpKRx72rNRCO9tQJNgPsaMiW5nuHUFw71XxX8o0w//5a0h5cdbiT64
+ I4ISySa4ynmHI1/v0a937/sFS0IvRI1Va0Efh2VxasNIqpDmM3hA8auPDj0Js/4c
+ qVnWMbvqqYlY9l//HCNxUXIhi0vcOr2PoCxBtcP5pHY8nNphQrPjRrcCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "CjSqXJMvJevjqX9W9sqDpLTJs9DXfC04YNAFpYqS2iN";
+ };
+ };
+ g7power = {
+ nets.wiregrill = {
+ ip4.addr = "10.244.2.97";
+ aliases = [ "phone.kmein.w" ];
+ wireguard.pubkey = "09yVPHL/ucvqc6V5n7vFQ2Oi1LBMdwQZDL+7jBwy+iQ=";
+ };
+ };
+ zaatar = {
+ nets.retiolum = {
+ ip4.addr = "10.243.2.34";
+ aliases = [
+ "zaatar.r"
+ "zaatar.kmein.r"
+ "grocy.kmein.r"
+ "moodle.kmein.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAyEeesa4mDNAT2QT/PxfmildhqawinWTcUiF3V2wsfy3eXJCFySKM
+ pRKrLnOpkd2RoLWA88o0/hAfTdel/fXRjAx8TtKlh1n+UoRhYOGqLJKUZDVGImjJ
+ xTPGCC+g4b2cNCYU3RVdttSu8+zlfO6ktkySULKbVkJN3ocQmSCmWs2tP6hYvk2i
+ 5OB3Uxw+OwhtVO76dlby6Idmc8o++ZVm3snbYsgiR7RQf9vHZHR8lKr5fZ/ycq2Q
+ T+agY/cFLJ+jhfUi8LFtKKcqGLyKKrDywADQWTcIG+cjV33k6ftW678jvsEft6e6
+ 2RgspZX5XciTbMPIPGMcH5NZPXi6youcUcqcqDtok7Y1Jj3N5dSmJno5ojyKolZp
+ PRt4bPx9WuerjzwL5gG9E6n6l24neX6Mq7RDyJfBYtpUvZblezXWUuoReGNczAvj
+ zZrAKXKnuCEgQ/du7pT8V6qHG5NjovIMm0VDxOJV5jBL4NUox3PGbW5g0vS/nxHc
+ xKWPq+4zoyA6MsL9sGCqIlSWEqNnSERX19GbJZNYjm1J+aGZ/fZ+MaDJGuCzlxn4
+ yjLBuuXSkIrPxxtIV+Yh8Wy5qDNRN7XS1wNxUcmjQn0+7Ou/4W+cTWJ/+yZyC1DK
+ uYEZh8YBMJo0E4bR4s04SFA6uLIvLigPELxzb0jwZSKXRnQhay6zzZ0CAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "GYg9UMw0rFWFS0Yr8HFe81HcGjQw0xbu9wqDWtQPDLH";
+ };
+ };
+ };
+}
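Review bot: The helper `maybeEmpty` tests `attrset?key`, which checks for an attribute literally named `key` rather than the one named by the argument, so it would return `[]` for almost any input; it is also not used anywhere in this file. Either delete it or write the test as `if attrset ? ${key} then attrset.${key} else []`. Separately, `kmein = kmein-kabsa` means `config.krebs.users.kmein.pubkey` now yields only the kabsa key, whereas the old `kmein.pub` held two keys; `mud.nix` is updated in this merge, but other consumers of `kmein.pubkey` outside the visible diff would quietly lose the manakish key. `hostDefaults` also evaluates `host.nets?retiolum` unconditionally, which assumes every host defines `nets` — true for the hosts listed here.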
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index f8c371b7f..cd11fb2c5 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -526,8 +526,10 @@ in {
};
turingmachine = {
owner = config.krebs.users.mic92;
- nets = {
+ nets = rec {
+ internet.addrs = [ "turingmachine.thalheim.io" ];
retiolum = {
+ via = internet;
aliases = [
"turingmachine.r"
];
@@ -675,10 +677,33 @@ in {
};
};
};
+ jarvis = {
+ owner = config.krebs.users.mic92;
+ nets = rec {
+ internet.addrs = [ "jarvis.thalheim.io" ];
+ retiolum = {
+ via = internet;
+ aliases = [ "jarvis.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA7PtJlYBpBr2TK5CAvAukkGvj+esC+sMPKd3mO9iDwdViBrqKdf+D
+ yEy8SI80Y02dpkL97NjvnzepKpyGQWpG1ZQflJLhCTj7oFyVpWd4XsbIuzYp5ES6
+ r8qKWs2xcItc1pbW0ZmrCBzdWsC1B0VAHlYkiz+7vM6pCTvg6hNQugP4c1TRCtJC
+ Sr+n+EjTXN/NTaKl+f7eoHJGnT5liDO3/xZVxm8AuLnron1xPPDghXClVHfDj5mt
+ f66f+CLwZhq3BrZuptwXp7TerMfrNtPyTx96b+EyuLPjrYxKeKL/+Nbr3VmmiDIV
+ tsraNc+0a8OBpVsYh4MQLp55NYwqxAoetQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "RRkMnGSg+nMkz4L2iqmdFf2fIf4wIfcTM0TlTWLLNCE";
+ };
+ };
+ };
bernie = {
owner = config.krebs.users.mic92;
nets = rec {
+ internet.addrs = [ "bernie.thalheim.io" ];
retiolum = {
+ via = internet;
aliases = [ "bernie.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -700,7 +725,6 @@ in {
};
};
-
ryan = {
owner = config.krebs.users.mic92;
nets = rec {
diff --git a/krebs/3modules/external/ssh/kmein.pub b/krebs/3modules/external/ssh/kmein.kabsa.pub
index 8eade3498..a3cec5f8f 100644
--- a/krebs/3modules/external/ssh/kmein.pub
+++ b/krebs/3modules/external/ssh/kmein.kabsa.pub
@@ -1,2 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyTnGhFq0Q+vghNhrqNrAyY+CsN7nNz8bPfiwIwNpjk
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiQEc8rTr7C7xVLYV7tQ99BDDBLrJsy5hslxtCEatkB
diff --git a/krebs/3modules/external/ssh/kmein.manakish.pub b/krebs/3modules/external/ssh/kmein.manakish.pub
new file mode 100644
index 000000000..8be09d407
--- /dev/null
+++ b/krebs/3modules/external/ssh/kmein.manakish.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOiQEc8rTr7C7xVLYV7tQ99BDDBLrJsy5hslxtCEatkB
diff --git a/krebs/3modules/external/ssh/qubasa.pub b/krebs/3modules/external/ssh/qubasa.pub
index e9e1e6a29..a8ab605d8 100644
--- a/krebs/3modules/external/ssh/qubasa.pub
+++ b/krebs/3modules/external/ssh/qubasa.pub
@@ -1,2 +1 @@
ssh-rsa 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 lhebendanz@nixos
-
diff --git a/krebs/3modules/go.nix b/krebs/3modules/go.nix
index fea25e036..80cd90e27 100644
--- a/krebs/3modules/go.nix
+++ b/krebs/3modules/go.nix
@@ -41,11 +41,17 @@ let
fi
;;
"POST /")
- uri=$(head -c "$req_content_length" \
+ uri_candidate=$(head -c "$req_content_length" \
| sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
| xargs -0 echo -e \
- | tee /tmp/tee.log \
- | ${pkgs.urix}/bin/urix \
+ )
+
+ if $(echo "$uri_candidate" | grep -q '^uri=//.*'); then
+ # fix urls with missing https: in front
+ uri_candidate=$(echo "$uri_candidate" | sed 's,//,https://,g')
+ fi
+
+ uri=$(echo "$uri_candidate" | ${pkgs.urix}/bin/urix \
| head -1 \
)
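Review bot: The scheme fix-up in the `"POST /"` branch rewrites more than it checks: the guard matches only a leading `uri=//`, but `sed 's,//,https://,g'` replaces every `//` in the request body, so a value with a second `//` later in the path or query is corrupted before it reaches `urix`. Anchoring the substitution avoids that: `uri_candidate=$(echo "$uri_candidate" | sed 's,^uri=//,uri=https://,')`. The condition `if $(echo … | grep -q …); then` also works only by accident of an empty command substitution; `if echo "$uri_candidate" | grep -q '^uri=//'; then` states the intent directly. Since the body is client-controlled and `echo` may interpret backslashes again, `printf '%s\n' "$uri_candidate"` would be the safer way to feed it to `grep`, `sed` and `urix`. The surrounding `case` continues outside the hunk.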
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index c6924fde5..25125157d 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -681,7 +681,7 @@ in {
aliases = [
"styx.r"
];
- tinc.port = 0;
+ tinc.port = 654;
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index 8d48c2a47..4e40561c2 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -82,6 +82,32 @@ in {
ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519";
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au";
};
+ bu = {
+ ci = true;
+ cores = 4;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.13.36";
+ aliases = [
+ "bu.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAxjAvT1sfHPWExhWRoXG+NJbYUmf5q4yfpfBRvb232LC9sLn4Z2wb
+ hxKreR5/j9a/2hRIlCz4IwKftl5vroG9Vy4e7zZIz6QvN4TqED8dUjJ1ubhtj47l
+ jjHW4cHLUWsaqqu6TAuPH26qPSxm9VrD6rZIX9RmQ1bWIaonVB3Q+XnDfPlISw6M
+ gbQXz4tOsOnC+y/6C3VPUo0nqC+PuA/kyRq/ivVutKd0dTSY8LmCDNla6AEVD5dG
+ sIqPWX5h8fjqU7G3oOMvMsBrCkvRRB0F0dQzGo8EXwCDJxa+xOuk5n1GYJ2lqeM/
+ st7KIxmLvO5AE7cUxdLlDj4EzVLSDoAqOwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ tinc.pubkey_ed25519 = "/MXEuv96HlrpHBto8KP2S6Ztiahhi3H7AevmbYS+xqE";
+ };
+ };
+ secure = true;
+ ssh.privkey.path = config.krebs.secret.file "ssh.id_rsa";
+ ssh.pubkey = "ssh-rsa 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 root@bu";
+ };
hu = {
nets = {
retiolum = {
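Review bot: The new `bu` entry uses an RSA SSH host key (`ssh.privkey.path = … "ssh.id_rsa"`, `ssh.pubkey = "ssh-rsa …"`), while the neighbouring `au` entry in the context lines uses `ssh.id_ed25519`. For a host marked `secure = true` I would keep the key type consistent with the other hosts unless something on `bu` requires RSA; the key body is not visible on this page, so its size cannot be checked here. If RSA is intentional, a one-line comment saying why would prevent it from being "fixed" later. The host set continues outside the hunk.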
diff --git a/krebs/5pkgs/haskell/brockman/default.nix b/krebs/5pkgs/haskell/brockman/default.nix
index 01b7a0570..8a2311a2e 100644
--- a/krebs/5pkgs/haskell/brockman/default.nix
+++ b/krebs/5pkgs/haskell/brockman/default.nix
@@ -7,12 +7,12 @@
}:
mkDerivation rec {
pname = "brockman";
- version = "4.0.2";
+ version = "4.0.3";
src = fetchFromGitHub {
owner = "kmein";
repo = "brockman";
rev = version;
- sha256 = "sha256-EKXKhGdIJRbRklD5zxJNGhOxqPzog4f9NMXo/c8iBGc=";
+ sha256 = "sha256-rjwroSG9ys0FV2JM70kzmCutMVpUTx8cQ+jQq8Hw1kw=";
};
isLibrary = false;
isExecutable = true;
diff --git a/krebs/5pkgs/haskell/much.nix b/krebs/5pkgs/haskell/much.nix
index f3aad2ee6..5045465e6 100644
--- a/krebs/5pkgs/haskell/much.nix
+++ b/krebs/5pkgs/haskell/much.nix
@@ -9,11 +9,11 @@
}:
mkDerivation {
pname = "much";
- version = "1.2.0";
+ version = "1.3.1";
src = fetchgit {
url = "https://cgit.krebsco.de/much";
- sha256 = "0rf27d7gki5hgivy49xi59ld0j6jw3v7nxi4w1gx6byj1xsarwwl";
- rev = "29749366052a8f6c05b314f1ff17201717855ad7";
+ sha256 = "0gwyhqcvg9ywna8fhb9hnx97qh5inglj3l0pcwkgwcvm27mfpcqa";
+ rev = "77357335a3a88a4b93f91a46ab939a1a9b192977";
fetchSubmodules = true;
};
isLibrary = true;
diff --git a/krebs/5pkgs/simple/K_belwagen.nix b/krebs/5pkgs/simple/K_belwagen.nix
new file mode 100644
index 000000000..80d377b0c
--- /dev/null
+++ b/krebs/5pkgs/simple/K_belwagen.nix
@@ -0,0 +1,38 @@
+{ lib, pkgs, stdenv }:
+
+stdenv.mkDerivation {
+ pname = "K_belwagen";
+ version = "1.0";
+
+ src = pkgs.painload;
+ sourceRoot = "source/K_belwagen";
+
+ buildInputs = [
+ pkgs.jack1
+ pkgs.pkgconfig
+ ];
+
+ patchPhase = ''
+ sed -i '
+ s@^cd@# &@
+ s@^make@# &@
+ s@^jackd@# &@
+ s@^trap@# &@
+
+ s@^set.*@&\nPATH=${lib.makeBinPath [
+ pkgs.bc
+ pkgs.coreutils
+ ]}; export PATH@
+
+ s@\./a\.out@'"$out"'/lib/a.out@
+ ' alarm
+ '';
+
+ installPhase = ''
+ mkdir -p $out/lib
+ mkdir -p $out/bin
+
+ cp alarm $out/bin
+ cp a.out $out/lib
+ '';
+}
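Review bot: `patchPhase` is overridden outright, which drops the stock phase together with its hooks and any future `patches`; `postPatch` is the conventional place for this `sed` script. `pkgs.pkgconfig` is a build-time tool and belongs in `nativeBuildInputs` rather than `buildInputs`. The `sed` program comments out the script's `cd`, `make`, `jackd` and `trap` lines and pins `PATH` to `bc` and `coreutils` without saying why, so a short comment such as `# build happens in buildPhase; the installed script must not rebuild, start jackd, or rely on the caller's PATH` would help (assuming that is the intent). In `installPhase`, quoting `"$out"` is the safer habit.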
diff --git a/krebs/5pkgs/simple/ergo/default.nix b/krebs/5pkgs/simple/ergo/default.nix
index a057b09f5..2c9223eed 100644
--- a/krebs/5pkgs/simple/ergo/default.nix
+++ b/krebs/5pkgs/simple/ergo/default.nix
@@ -1,14 +1,14 @@
-{ buildGo116Module , fetchFromGitHub, lib }:
+{ buildGo117Module , fetchFromGitHub, lib }:
-buildGo116Module rec {
+buildGo117Module rec {
pname = "ergo";
- version = "2.8.0";
+ version = "2.9.1";
src = fetchFromGitHub {
owner = "ergochat";
repo = "ergo";
rev = "v${version}";
- sha256 = "sha256-xKcSHNH1ksjH1IikqzDi88fOdHR5CHGs8ya4Fj65MbI=";
+ sha256 = "sha256-RxsmkTfHymferS/FRW0sLnstKfvGXkW6cEb/JbeS4lc=";
};
vendorSha256 = null;
@@ -17,7 +17,7 @@ buildGo116Module rec {
description = "A modern IRC server (daemon/ircd) written in Go";
homepage = "https://github.com/ergochat/ergo";
license = lib.licenses.mit;
- maintainers = [ lib.maintainers.tv ];
+ maintainers = with lib.maintainers; [ lassulus tv ];
platforms = lib.platforms.linux;
};
}
diff --git a/krebs/5pkgs/simple/git-hooks/default.nix b/krebs/5pkgs/simple/git-hooks/default.nix
index 00a593be3..c9dcc7541 100644
--- a/krebs/5pkgs/simple/git-hooks/default.nix
+++ b/krebs/5pkgs/simple/git-hooks/default.nix
@@ -100,6 +100,7 @@ with stockholm.lib;
add_message "$(
git log \
--format="$(orange %h) %s $(gray '(%ar)')" \
+ --no-merges \
--reverse \
$id2..$id
diff --git a/krebs/5pkgs/simple/painload/default.nix b/krebs/5pkgs/simple/painload/default.nix
index 3b1c83b42..e4cb11604 100644
--- a/krebs/5pkgs/simple/painload/default.nix
+++ b/krebs/5pkgs/simple/painload/default.nix
@@ -1,7 +1,9 @@
-{ fetchgit, ... }:
+{ pkgs }:
-fetchgit {
- url = https://github.com/krebs/painload;
- rev = "c113487f73713a03b1a139b22bb34b86234d0495";
- sha256 = "1irxklnmvm8wsa70ypjahkr8rfqq7357vcy8r0x1sfncs1hy6gr6";
+pkgs.fetchFromGitHub {
+ owner = "krebs";
+ repo = "painload";
+ rev = "a963b45d5a3921f19189575420cc7f8f946345b5";
+ sha256 = "03q8rxpzy4l9nd4wv0107s0ck3dhfzkfy1rabf8srabkwl0c3vsc";
+ fetchSubmodules = true;
}
diff --git a/krebs/5pkgs/simple/reaktor2-plugins.nix b/krebs/5pkgs/simple/reaktor2-plugins.nix
index e23b14a23..54aaf246a 100644
--- a/krebs/5pkgs/simple/reaktor2-plugins.nix
+++ b/krebs/5pkgs/simple/reaktor2-plugins.nix
@@ -21,6 +21,16 @@ rec {
};
};
+ dance = {
+ filename = pkgs.writeDash "dance" ''
+ echo "<(^.^<)"
+ echo "<(^.^)>"
+ echo "(>^.^)>"
+ echo "(7^.^)7"
+ echo "(>^.^<)"
+ '';
+ };
+
nixos-version = {
filename = pkgs.writeDash "nixos-version" ''
. /etc/os-release
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index cab3ab115..e8b6076a4 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "59bfda72480496f32787cec8c557182738b1bd3f",
- "date": "2021-12-31T15:09:52+01:00",
- "path": "/nix/store/wy2iidg15nwgmn8xir8fbr1lfz1hqphb-nixpkgs",
- "sha256": "18akd1chfvniq1q774rigfxgmxwi0wyjljpa1j9ls59szpzr316d",
+ "rev": "689b76bcf36055afdeb2e9852f5ecdd2bf483f87",
+ "date": "2022-01-23T03:10:13+01:00",
+ "path": "/nix/store/s6kxwpz8k02mg1wqsf06bsjygwi6xr6j-nixpkgs",
+ "sha256": "08d38db4707jdm3gws82y6bynh6k8qal4s1cms9zqd9cdwcmylyj",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 43f298973..001371820 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,9 +1,9 @@
{
"url": "https://github.com/NixOS/nixpkgs",
- "rev": "d1e59cfc49961e121583abe32e2f3db1550fbcff",
- "date": "2022-01-01T22:20:39+08:00",
- "path": "/nix/store/azrxsxpszjwgg75jk1pkzlzjcj0qnw8d-nixpkgs",
- "sha256": "03ldf1dlxqf3g8qh9x5vp6vd9zvvr481fyjds111imll69y60wpm",
+ "rev": "604c44137d97b5111be1ca5c0d97f6e24fbc5c2c",
+ "date": "2022-01-23T10:04:55-08:00",
+ "path": "/nix/store/r22j0r232a5y02yhd1avaw27zqdbhx1x-nixpkgs",
+ "sha256": "0gzhigyn8f7vps4a5vc1c8wbim59724s179a7d0h3gv6ss9avdj4",
"fetchLFS": false,
"fetchSubmodules": false,
"deepClone": false,
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index c92a239f9..a082ea623 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -123,6 +123,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/jitsi.nix>
+ <stockholm/lass/2configs/fysiirc.nix>
{
services.tor = {
enable = true;
diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix
index 26ecd1cda..151cfbf41 100644
--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@@ -79,9 +79,11 @@
boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
boot.kernelParams = [ "net.ifnames=0" ];
+ networking.dhcpcd.enable = false;
networking = {
hostId = "2283aaae";
defaultGateway = "95.216.1.129";
+ defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
# Use google's public DNS server
nameservers = [ "8.8.8.8" ];
interfaces.eth0.ipv4.addresses = [
@@ -94,5 +96,11 @@
prefixLength = 26;
}
];
+ interfaces.eth0.ipv6.addresses = [
+ {
+ address = "2a01:4f9:2a:1e9::1";
+ prefixLength = 64;
+ }
+ ];
};
}
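Review bot: The new global address `2a01:4f9:2a:1e9::1` makes this host reachable over IPv6, and nothing in this hunk shows that the packet filter covers v6 as well as v4. If the `krebs.iptables` rules on this host are only rendered for IPv4, services that were filtered until now would be reachable on the new address. Once confirmed, a comment beside the address block would record it, e.g. `# filtered by the same krebs.iptables rules as the v4 addresses`. The `networking` set starts outside this hunk.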
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 124eef2cf..59d1e0182 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -65,7 +65,7 @@ in {
gitAndTools.hub
git-crypt
git-preview
- gnome3.dconf
+ dconf
iodine
libarchive
lm_sensors
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index dc97719ad..e2163b688 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -8,7 +8,7 @@ with import <stockholm/lib>;
./vim.nix
./zsh.nix
./htop.nix
- ./security-workarounds.nix
+ <stockholm/krebs/2configs/security-workarounds.nix>
./wiregrill.nix
{
users.extraUsers =
diff --git a/lass/2configs/fysiirc.nix b/lass/2configs/fysiirc.nix
new file mode 100644
index 000000000..d2aaa73c5
--- /dev/null
+++ b/lass/2configs/fysiirc.nix
@@ -0,0 +1,51 @@
+{ config, lib, pkgs, ... }:
+{
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 44002"; target = "ACCEPT"; }
+ ];
+ krebs.reaktor2.fysiweb-github = {
+ hostname = "irc.libera.chat";
+ port = "6697";
+ useTLS = true;
+ nick = "fysiweb-github";
+ API.listen = "inet://127.0.0.1:44001";
+ plugins = [
+ {
+ plugin = "register";
+ config = {
+ channels = [
+ "#fysi"
+ ];
+ };
+ }
+ ];
+ };
+ krebs.htgen.fysiweb-github = {
+ port = 44002;
+ user = {
+ name = "reaktor2-fysiweb-github";
+ };
+ script = ''. ${pkgs.writeDash "github-irc" ''
+ case "$Method $Request_URI" in
+ "POST /")
+ payload=$(head -c "$req_content_length" \
+ | sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
+ | xargs -0 echo -e \
+ )
+ ${pkgs.curl}/bin/curl -fsSv http://localhost:44001/ \
+ -H content-type:application/json \
+ -d "$(echo "$payload" | ${pkgs.jq}/bin/jq \
+ '{
+ command:"PRIVMSG",
+ params:["#fysi", "\(.action): \(.comment.html_url // .issue.html_url // .pull_request.html_url)"]
+ }'
+ )"
+ printf 'HTTP/1.1 200 OK\r\n'
+ printf 'Connection: close\r\n'
+ printf '\r\n'
+ exit
+ ;;
+ esac
+ ''}'';
+ };
+}
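Review bot: The `POST /` handler relays any request body to `#fysi`, and the INPUT rule opens port 44002 to every source, so nothing in this file establishes that a request actually came from GitHub. Verify the webhook HMAC (GitHub sends it in the `X-Hub-Signature-256` header) over the raw body before decoding it, and answer 403 otherwise; the fence sketches that check, with the header variable name and the secret path as assumptions to confirm. Separately, the handler answers 200 even when `curl -f` fails, and `.action` is interpolated into the PRIVMSG unfiltered, so stripping control characters in the jq filter would be a cheap extra guard.

```nix
      "POST /")
        # secret_file: placeholder for the shared webhook secret, kept outside the Nix store
        # $req_x_hub_signature_256 is assumed from the $req_content_length naming; confirm against htgen
        raw=$(head -c "$req_content_length")
        want=sha256=$(printf %s "$raw" \
          | ${pkgs.openssl}/bin/openssl dgst -sha256 -hmac "$(cat "$secret_file")" \
          | sed 's/^.*= *//')
        if [ "$want" != "$req_x_hub_signature_256" ]; then
          printf 'HTTP/1.1 403 Forbidden\r\n'
          printf 'Connection: close\r\n'
          printf '\r\n'
          exit
        fi
        payload=$(printf %s "$raw" \
          | sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
          | xargs -0 echo -e \
        )
        # … unchanged: jq/curl relay to localhost:44001 and the 200 response …
```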
diff --git a/lass/2configs/network-manager.nix b/lass/2configs/network-manager.nix
index b41cc7ac8..0c59b9592 100644
--- a/lass/2configs/network-manager.nix
+++ b/lass/2configs/network-manager.nix
@@ -14,8 +14,8 @@
users.users.mainUser = {
extraGroups = [ "networkmanager" ];
packages = with pkgs; [
- gnome3.gnome_keyring
- gnome3.dconf
+ gnome3.gnome-keyring
+ dconf
];
};
environment.systemPackages = [
diff --git a/lass/2configs/pipewire.nix b/lass/2configs/pipewire.nix
index c21ab5d9c..24de0e9ed 100644
--- a/lass/2configs/pipewire.nix
+++ b/lass/2configs/pipewire.nix
@@ -8,67 +8,18 @@
powerOnBoot = true;
};
- # autostart with login
- systemd.user.services.pipewire-pulse = {
- wantedBy = [ "graphical-session.target" ];
- };
-
environment.systemPackages = with pkgs; [
alsaUtils
pulseaudioLight
ponymix
];
- environment.variables.PULSE_SERVER = "localhost:4713";
services.pipewire = {
enable = true;
- socketActivation = false;
+ systemWide = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
-
- # https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Migrate-PulseAudio#module-native-protocol-tcp
- config.pipewire-pulse = {
- "context.properties" = {
- "log.level" = 2;
- };
- "context.modules" = [
- {
- name = "libpipewire-module-rtkit";
- # args = {
- # "nice.level" = -15;
- # "rt.prio" = 88;
- # "rt.time.soft" = 200000;
- # "rt.time.hard" = 200000;
- # };
- flags = [ "ifexists" "nofail" ];
- }
- { name = "libpipewire-module-protocol-native"; }
- { name = "libpipewire-module-client-node"; }
- { name = "libpipewire-module-adapter"; }
- { name = "libpipewire-module-metadata"; }
- {
- name = "libpipewire-module-protocol-pulse";
- args = {
- "vm.overrides" = {
- # "pulse.min.req" = "32/48000";
- # "pulse.default.req" = "32/48000";
- # "pulse.max.req" = "32/48000";
- "pulse.min.quantum" = "1024/48000";
- # "pulse.max.quantum" = "32/48000";
- };
- "server.address" = [
- "unix:native"
- "tcp:4713"
- ];
- };
- }
- ];
- "stream.properties" = {
- # "node.latency" = "32/48000";
- # "resample.quality" = 1;
- };
- };
};
}
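Review bot: `systemWide = true` replaces the per-user PipeWire instances with one shared daemon, and the hunk carries no comment saying why or which accounts are meant to reach it. Every account with access to the system-wide socket shares one audio graph, which presumably includes the capture devices, so the intent is worth recording next to the option, e.g. `# system-wide so that <reason>; only <users> are in the pipewire group`. The group membership itself is not visible in this diff.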
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index f900bc28e..2ddfbcf8f 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -17,14 +17,17 @@
enable = true;
connectTo = [
"prism"
- "gum"
"ni"
+ "eve"
];
extraConfig = ''
- LocalDiscovery = yes
+ StrictSubnets = yes
'';
};
+ # never connect via gum (he eats our packets!)
+ krebs.hosts.gum.nets.retiolum.tinc.weight = 9000;
+
nixpkgs.config.packageOverrides = pkgs: {
tinc = pkgs.tinc_pre;
};
diff --git a/lass/2configs/security-workarounds.nix b/lass/2configs/security-workarounds.nix
deleted file mode 100644
index 537c8a59b..000000000
--- a/lass/2configs/security-workarounds.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ config, pkgs, ... }:
-with import <stockholm/lib>;
-{
- # http://seclists.org/oss-sec/2017/q1/471
- boot.extraModprobeConfig = ''
- install dccp /run/current-system/sw/bin/false
- '';
-}
diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix
index 9ab6b6ccb..d92b18f81 100644
--- a/lass/2configs/yubikey.nix
+++ b/lass/2configs/yubikey.nix
@@ -6,15 +6,41 @@
];
services.udev.packages = with pkgs; [ yubikey-personalization ];
- services.pcscd.enable = true;
systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ];
- ##restart pcscd if yubikey is plugged in
- #services.udev.extraRules = ''
- # ACTION=="add", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="2013", RUN+="${pkgs.writeDash "restart_pcscd" ''
- # ${pkgs.systemd}/bin/systemctl restart pcscd.service
- # ''}"
- #'';
+ services.pcscd.enable = true;
+ systemd.user.services.gpg-agent.serviceConfig.ExecStartPre = pkgs.writers.writeDash "init_gpg" ''
+ set -x
+ ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "scdaemon.conf" ''
+ disable-ccid
+ pcsc-driver ${pkgs.pcsclite.out}/lib/libpcsclite.so.1
+ card-timeout 1
+
+ # Always try to use yubikey as the first reader
+ # even when other smart card readers are connected
+ # Name of the reader can be found using the pcsc_scan command
+ # If you have problems with gpg not recognizing the Yubikey
+ # then make sure that the string here matches exacly pcsc_scan
+ # command output. Also check journalctl -f for errors.
+ reader-port Yubico YubiKey
+ ''} $HOME/.gnupg/scdaemon.conf
+ '';
+
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ (
+ action.id == "org.debian.pcsc-lite.access_pcsc" ||
+ action.id == "org.debian.pcsc-lite.access_card"
+ ) && subject.user == "lass"
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ polkit.addRule(function(action, subject) {
+ polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
+ });
+ '';
environment.shellInit = ''
if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then
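Review bot: The second `polkit.addRule` logs every polkit request from every user on the system, not only the pcsc-lite ones, and together with `set -x` in `init_gpg` it reads like debugging that was left in. If the logging is wanted, scope it: `if (action.id.indexOf("org.debian.pcsc-lite.") == 0) polkit.log(...)`. The `ln -sf` target `$HOME/.gnupg/scdaemon.conf` is unquoted and assumes `~/.gnupg` already exists; since this runs as `ExecStartPre`, a failure there would presumably keep gpg-agent from starting, so a `mkdir -p -m 700 "$HOME/.gnupg"` before the link is safer.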
@@ -28,6 +54,9 @@
fi
'';
+ # allow nix to acces remote builders via yubikey
+ systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/run/user/1337/gnupg/S.gpg-agent.ssh";
+
programs = {
ssh.startAgent = false;
gnupg.agent = {
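Review bot: Pointing the root-owned nix-daemon at `/run/user/1337/gnupg/S.gpg-agent.ssh` lets the daemon authenticate with whatever keys that user's agent holds, and the comment documents neither that scope nor the hard-coded UID. Any client able to start a remote build through the daemon would presumably cause that key to be used while the token is present, so a dedicated builder key is the narrower option. If the YubiKey is intended, extend the comment, e.g. `# nix-daemon (root) signs with uid 1337's gpg-agent; only works while that user is logged in`. The `programs` block continues outside this hunk.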
diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix
index f94e7ebbf..08a28b8e3 100644
--- a/lass/3modules/xjail.nix
+++ b/lass/3modules/xjail.nix
@@ -41,10 +41,6 @@ with import <stockholm/lib>;
type = types.path;
default = pkgs.writeScript "echo_lol" "echo lol";
};
- vglrun = mkOption {
- type = types.bool;
- default = false;
- };
wm = mkOption {
#TODO find type
type = types.str;
@@ -122,21 +118,14 @@ with import <stockholm/lib>;
${pkgs.coreutils}/bin/kill $XEPHYR_PID
'';
# TODO fix xephyr which doesn't honor resizes anymore
- sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then ''
- /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@"
- '' else ''
+ sudo_ = pkgs.writeDash "${cfg.name}-sudo" ''
#/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
- /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@"
-
- '');
- vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" ''
- DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@"
+ ${pkgs.systemd}/bin/machinectl shell -E DISPLAY=:0 --uid=${cfg.name} .host ${cfg.script} "$@"
'';
in nameValuePair name {
existing = newOrExisting;
xephyr = xephyr_;
sudo = sudo_;
- vglrun = vglrun_;
}
) config.lass.xjail;
in {
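Review bot: The new `machinectl shell` line hard-codes `-E DISPLAY=:0`, while the commented-out sudo line above it and the removed `vglrun_` wrapper both use `:${cfg.display}`. If `cfg.display` is the jail's Xephyr display, as the surrounding names suggest, the jailed program is now pointed at the host's primary X display instead of the nested one; `-E DISPLAY=:${cfg.display}` would match the display used elsewhere in this module. The enclosing `let` block starts outside this hunk.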
@@ -161,10 +150,19 @@ with import <stockholm/lib>;
}
) config.lass.xjail;
- security.sudo.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg:
- # TODO allow just the right script with sudo
- "${cfg.from} ALL=(${cfg.name}) NOPASSWD: ALL"
- ) config.lass.xjail));
+ security.polkit.extraConfig = (concatStringsSep "\n" (mapAttrsToList (_: cfg: ''
+ polkit.addRule(function(action, subject) {
+ if (
+ subject.user == "${cfg.from}" &&
+ action.id == "org.freedesktop.machine1.host-shell" &&
+ action.lookup("user") == "${cfg.user}" &&
+ action.lookup("program") == "${cfg.script}" &&
+ true
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ '') config.lass.xjail));
lass.xjail-bins = mapAttrs' (name: cfg:
nameValuePair name (pkgs.writeScriptBin cfg.name ''
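Review bot: The polkit rule compares `action.lookup("user")` with `${cfg.user}`, but the wrapper in the previous hunk invokes `machinectl shell --uid=${cfg.name}` and the removed sudoers line also used `cfg.name`. Unless the submodule defines a `user` option outside these hunks that always equals `name`, the rule either fails to evaluate or never matches, and each jail start would fall back to an interactive polkit prompt; `action.lookup("user") == "${cfg.name}" &&` keeps the two in step. The trailing `true` can go with it.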
diff --git a/tv/1systems/bu/config.nix b/tv/1systems/bu/config.nix
new file mode 100644
index 000000000..69c5848f5
--- /dev/null
+++ b/tv/1systems/bu/config.nix
@@ -0,0 +1,40 @@
+{ config, pkgs, ... }: let
+ lib = import ../../../lib;
+in {
+
+ imports = [
+ ./disks.nix
+ <stockholm/tv>
+ <stockholm/tv/2configs/hw/x220.nix>
+ <stockholm/tv/2configs/exim-retiolum.nix>
+ <stockholm/tv/2configs/gitconfig.nix>
+ <stockholm/tv/2configs/pulse.nix>
+ <stockholm/tv/2configs/retiolum.nix>
+ ];
+
+ environment.homeBinInPath = true;
+
+ krebs.build.host = config.krebs.hosts.bu;
+
+ networking.hostId = lib.mkDefault "00000000";
+
+ networking.wireless.enable = true;
+ networking.useDHCP = false;
+ networking.interfaces.enp0s25.useDHCP = true;
+ networking.interfaces.wlp3s0.useDHCP = true;
+ networking.interfaces.wwp0s29u1u4i6.useDHCP = true;
+ networking.wireless.interfaces = [
+ "wlp3s0"
+ ];
+
+ programs.gnupg.agent.enable = true;
+ programs.gnupg.agent.pinentryFlavor = "gtk2";
+
+ services.earlyoom.enable = true;
+ services.earlyoom.freeMemThreshold = 5;
+ systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [
+ "--prefer '(^|/)chromium$'"
+ ];
+
+ system.stateVersion = "21.11";
+}
diff --git a/tv/1systems/bu/disks.nix b/tv/1systems/bu/disks.nix
new file mode 100644
index 000000000..deabefa7b
--- /dev/null
+++ b/tv/1systems/bu/disks.nix
@@ -0,0 +1,19 @@
+{
+ boot.initrd.luks.devices.buda2.device = "/dev/sda2";
+ fileSystems."/" = {
+ device = "buda2/root";
+ fsType = "zfs";
+ };
+ fileSystems."/bku" = {
+ device = "buda2/bku";
+ fsType = "zfs";
+ };
+ fileSystems."/home" = {
+ device = "buda2/home";
+ fsType = "zfs";
+ };
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "vfat";
+ };
+}
diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix
index b8dec8da4..a5e0cf4c7 100644
--- a/tv/2configs/backup.nix
+++ b/tv/2configs/backup.nix
@@ -10,6 +10,24 @@ with import <stockholm/lib>;
yearly = { format = "%Y"; };
};
}) {
+ bu-home-wu = {
+ method = "push";
+ src = { host = config.krebs.hosts.bu; path = "/home"; };
+ dst = { host = config.krebs.hosts.wu; path = "/bku/bu-home"; };
+ startAt = "05:15";
+ };
+ bu-home-xu = {
+ method = "push";
+ src = { host = config.krebs.hosts.bu; path = "/home"; };
+ dst = { host = config.krebs.hosts.xu; path = "/bku/bu-home"; };
+ startAt = "05:20";
+ };
+ bu-home-zu = {
+ method = "push";
+ src = { host = config.krebs.hosts.bu; path = "/home"; };
+ dst = { host = config.krebs.hosts.zu; path = "/bku/bu-home"; };
+ startAt = "05:25";
+ };
nomic-home-xu = {
method = "push";
src = { host = config.krebs.hosts.nomic; path = "/home"; };
@@ -40,6 +58,12 @@ with import <stockholm/lib>;
dst = { host = config.krebs.hosts.zu; path = "/bku/wu-home"; };
startAt = "05:20";
};
+ xu-home-bu = {
+ method = "push";
+ src = { host = config.krebs.hosts.xu; path = "/home"; };
+ dst = { host = config.krebs.hosts.bu; path = "/bku/xu-home"; };
+ startAt = "04:50";
+ };
xu-home-nomic = {
method = "push";
src = { host = config.krebs.hosts.xu; path = "/home"; };