Merge remote-tracking branch 'lass/master'

9 files changed, 88 insertions, 104 deletions

diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index d6943c110..9ef858e28 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -53,6 +53,7 @@ with import <stockholm/lib>;
       services.xserver.enable = true;
       services.xserver.displayManager.lightdm.enable = true;
       services.xserver.desktopManager.plasma5.enable = true;
+      services.tlp.enable = lib.mkForce false;
       services.xserver.layout = "de";
     }
     {
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index 5cf7d9242..4c98091f1 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -11,78 +11,50 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/syncthing.nix>
     <stockholm/lass/2configs/sync/sync.nix>
     <stockholm/lass/2configs/sync/decsync.nix>
-    <stockholm/lass/2configs/sync/weechat.nix>
 
+    <stockholm/lass/2configs/weechat.nix>
     <stockholm/lass/2configs/bitlbee.nix>
-    <stockholm/lass/2configs/IM.nix>
+
     <stockholm/lass/2configs/muchsync.nix>
     <stockholm/lass/2configs/pass.nix>
 
     <stockholm/lass/2configs/git-brain.nix>
+    <stockholm/lass/2configs/et-server.nix>
+    <stockholm/lass/2configs/consul.nix>
+
+    <stockholm/lass/2configs/atuin-server.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.green;
 
-  users.users.mainUser.openssh.authorizedKeys.keys = [
-    config.krebs.users.lass-android.pubkey
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0rn3003CkJMk3jZrh/3MC6nVorHRymlFSI4x1brCKY" # weechat ssh tunnel
-  ];
-
-  krebs.bindfs = {
-    "/home/lass/.weechat" = {
-      source = "/var/state/lass_weechat";
-      options = [
-        "-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}"
-        "--create-for-user=${toString config.users.users.syncthing.uid}"
-      ];
-    };
-    "/home/lass/Maildir" = {
-      source = "/var/state/lass_mail";
-      options = [
-        "-M ${toString config.users.users.mainUser.uid}"
-      ];
-    };
-    "/var/lib/bitlbee" = {
-      source = "/var/state/bitlbee";
-      options = [
-        "-M ${toString config.users.users.bitlbee.uid}"
-      ];
-      clearTarget = true;
-    };
-    "/home/lass/.ssh" = {
-      source = "/var/state/lass_ssh";
-      options = [
-        "-M ${toString config.users.users.mainUser.uid}"
-      ];
-      clearTarget = true;
-    };
-    "/home/lass/.gnupg" = {
-      source = "/var/state/lass_gnupg";
-      options = [
-        "-M ${toString config.users.users.mainUser.uid}"
-      ];
-      clearTarget = true;
-    };
-    "/var/lib/git" = {
-      source = "/var/state/git";
-      options = [
-        "-M ${toString config.users.users.git.uid}"
-      ];
-      clearTarget = true;
-    };
+  lass.sync-containers3.inContainer = {
+    enable = true;
+    pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y";
   };
 
-  systemd.services."bindfs-_home_lass_Maildir".serviceConfig.ExecStartPost = pkgs.writeDash "symlink-notmuch" ''
-    sleep 1
-    mkdir -p /home/lass/notmuch
-    chown lass: /home/lass/notmuch
-    ln -sfTr /home/lass/notmuch /home/lass/Maildir/.notmuch
+  systemd.tmpfiles.rules = [
+    "d /home/lass/.local/share 0700 lass users -"
+    "d /home/lass/.local 0700 lass users -"
 
-    mkdir -p /home/lass/notmuch/muchsync
-    chown lass: /home/lass/notmuch/muchsync
-    mkdir -p /home/lass/Maildir/.muchsync
-    ln -sfTr /home/lass/Maildir/.muchsync /home/lass/notmuch/muchsync/tmp
-  '';
+    "d /var/state/lass_mail 0700 lass users -"
+    "L+ /home/lass/Maildir - - - - ../../var/state/lass_mail"
+
+    "d /var/state/lass_ssh 0700 lass users -"
+    "L+ /home/lass/.ssh - - - - ../../var/state/lass_ssh"
+    "d /var/state/lass_gpg 0700 lass users -"
+    "L+ /home/lass/.gnupg - - - - ../../var/state/lass_gpg"
+    "d /var/state/lass_sync 0700 lass users -"
+    "L+ /home/lass/sync - - - - ../../var/state/lass_sync"
+
+    "d /var/state/git 0700 git nogroup -"
+    "L+ /var/lib/git - - - - ../../var/state/git"
+  ];
+
+  users.users.mainUser.openssh.authorizedKeys.keys = [
+    config.krebs.users.lass-android.pubkey
+    config.krebs.users.lass-tablet.pubkey
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKgpZwye6yavIs3gUIYvSi70spDa0apL2yHR0ASW74z8" # weechat ssh tunnel
+  ];
 
   krebs.iptables.tables.nat.PREROUTING.rules = [
     { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
@@ -93,4 +65,11 @@ with import <stockholm/lib>;
     HostKeyAlgorithms +ssh-rsa
     PubkeyAcceptedAlgorithms +ssh-rsa
   '';
+
+  services.dovecot2 = {
+    enable = true;
+    mailLocation = "maildir:~/Maildir";
+  };
+
+  networking.firewall.allowedTCPPorts = [ 143 ];
 }
diff --git a/lass/1systems/green/physical.nix b/lass/1systems/green/physical.nix
index b6aa3a894..8577daf34 100644
--- a/lass/1systems/green/physical.nix
+++ b/lass/1systems/green/physical.nix
@@ -3,5 +3,5 @@
     ./config.nix
   ];
   boot.isContainer = true;
-  networking.useDHCP = false;
+  networking.useDHCP = true;
 }
diff --git a/lass/1systems/green/source.nix b/lass/1systems/green/source.nix
index da137e064..4acdb0c26 100644
--- a/lass/1systems/green/source.nix
+++ b/lass/1systems/green/source.nix
@@ -1,4 +1,6 @@
-{ lib, pkgs, test, ... }:
-if test then {} else {
+{ lib, pkgs, test, ... }: let
+  npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json;
+in if test then {} else {
+  nixpkgs.git.ref = lib.mkForce npkgs.rev;
   nixpkgs-unstable = lib.mkForce { file = "/var/empty"; };
 }
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 62c6f0b71..594a21c02 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -25,7 +25,6 @@ with import <stockholm/lib>;
       ];
     }
     { # TODO make new hfos.nix out of this vv
-      boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
       users.users.riot = {
         uid = genid_uint31 "riot";
         isNormalUser = true;
@@ -33,23 +32,10 @@ with import <stockholm/lib>;
         openssh.authorizedKeys.keys = [
           "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
         ];
-        packages = [
-          (pkgs.writeDashBin "kick-routing" ''
-            /run/wrappers/bin/sudo ${pkgs.systemd}/bin/systemctl restart krebs-iptables.service
-          '')
-        ];
       };
-      security.sudo.extraConfig = ''
-        riot ALL=(root) NOPASSWD: ${pkgs.systemd}/bin/systemctl restart krebs-iptables.service
-      '';
-
-      # TODO write function for proxy_pass (ssl/nonssl)
-
       krebs.iptables.tables.filter.FORWARD.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.141"; target = "ACCEPT"; }
-      ];
-      krebs.iptables.tables.nat.PREROUTING.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 95.216.1.130"; target = "DNAT --to-destination 192.168.122.141"; }
+        { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
+        { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
       ];
     }
     {
@@ -125,6 +111,8 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/jitsi.nix>
     <stockholm/lass/2configs/fysiirc.nix>
     <stockholm/lass/2configs/bgt-bot>
+    <stockholm/lass/2configs/mumble-reminder.nix>
+    <stockholm/krebs/2configs/mastodon-proxy.nix>
     {
       services.tor = {
         enable = true;
diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix
index 151cfbf41..027a27b2b 100644
--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@@ -78,29 +78,31 @@
   boot.loader.grub.version = 2;
   boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" ];
 
-  boot.kernelParams = [ "net.ifnames=0" ];
+  # we don't pay for power there and this might solve a problem we observed at least once
+  # https://www.thomas-krenn.com/de/wiki/PCIe_Bus_Error_Status_00001100_beheben
+  boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" ];
   networking.dhcpcd.enable = false;
+
+  # bridge config
+  networking.bridges."ext-br".interfaces = [ "eth0" ];
   networking = {
     hostId = "2283aaae";
     defaultGateway = "95.216.1.129";
-    defaultGateway6 = { address = "fe80::1"; interface = "eth0"; };
+    defaultGateway6 = { address = "fe80::1"; interface = "ext-br"; };
     # Use google's public DNS server
     nameservers = [ "8.8.8.8" ];
-    interfaces.eth0.ipv4.addresses = [
+    interfaces.ext-br.ipv4.addresses = [
       {
         address = "95.216.1.150";
         prefixLength = 26;
       }
-      {
-        address = "95.216.1.130";
-        prefixLength = 26;
-      }
     ];
-    interfaces.eth0.ipv6.addresses = [
+    interfaces.ext-br.ipv6.addresses = [
       {
         address = "2a01:4f9:2a:1e9::1";
         prefixLength = 64;
       }
     ];
   };
+
 }
diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix
index 5d6a440e0..ef538f339 100644
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@@ -1,6 +1,5 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 
-with import <stockholm/lib>;
 {
   imports = [
     <stockholm/lass>
@@ -17,11 +16,10 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/blue-host.nix>
     <stockholm/lass/2configs/green-host.nix>
     <stockholm/krebs/2configs/news-host.nix>
-    <stockholm/lass/2configs/nfs-dl.nix>
+    <stockholm/lass/2configs/prism-mounts/samba.nix>
     <stockholm/lass/2configs/fetchWallpaper.nix>
-    <stockholm/lass/2configs/home-media.nix>
-    <stockholm/lass/2configs/syncthing.nix>
-    <stockholm/lass/2configs/sync/sync.nix>
+    <stockholm/lass/2configs/consul.nix>
+    <stockholm/lass/2configs/red-host.nix>
     <stockholm/lass/2configs/snapclient.nix>
   ];
 
diff --git a/lass/1systems/shodan/physical.nix b/lass/1systems/shodan/physical.nix
index 55e91b0e4..f94edcf9b 100644
--- a/lass/1systems/shodan/physical.nix
+++ b/lass/1systems/shodan/physical.nix
@@ -11,7 +11,6 @@
     loader.grub.device = "/dev/sda";
 
     initrd.luks.devices.lusksroot.device = "/dev/sda2";
-    initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
     initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
   };
   fileSystems = {
@@ -28,11 +27,6 @@
       fsType = "btrfs";
       options = ["defaults" "noatime" "ssd" "compress=lzo"];
     };
-    "/tmp" = {
-      device = "tmpfs";
-      fsType = "tmpfs";
-      options = ["nosuid" "nodev" "noatime"];
-    };
     "/bku" = {
       device = "/dev/pool/bku";
       fsType = "btrfs";
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index 554882bf3..c8077e5ea 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -1,6 +1,6 @@
-with import <stockholm/lib>;
-{ config, lib, pkgs, ... }:
-{
+{ config, lib, pkgs, ... }: let
+  vpnIp = "85.202.81.161";
+in {
   imports = [
     <stockholm/lass>
     <stockholm/lass/2configs>
@@ -11,6 +11,8 @@ with import <stockholm/lib>;
 
   users.groups.download.members = [ "transmission" ];
 
+  networking.useHostResolvConf = false;
+  networking.useNetworkd = true;
   systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
   systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
   services.transmission = {
@@ -154,17 +156,29 @@ with import <stockholm/lib>;
     tables.filter.INPUT.rules = [
       { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
       { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
+      { predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface
       { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
       { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
       { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
     ];
+    tables.filter.OUTPUT = {
+      policy = "DROP";
+      rules = [
+        { v6 = false; predicate = "-d ${vpnIp}/32"; target = "ACCEPT"; }
+        { predicate = "-o tun0"; target = "ACCEPT"; }
+        { predicate = "-o retiolum"; target = "ACCEPT"; }
+        { v6 = false; predicate = "-d 1.1.1.1/32"; target = "ACCEPT"; }
+        { v6 = false; predicate = "-d 1.0.0.1/32"; target = "ACCEPT"; }
+        { v6 = false; predicate = "-o eth0 -d 10.233.2.0/24"; target = "ACCEPT"; }
+      ];
+    };
   };
 
   services.openvpn.servers.nordvpn.config = ''
     client
     dev tun
     proto udp
-    remote 196.240.57.43 1194
+    remote ${vpnIp} 1194
     resolv-retry infinite
     remote-random
     nobind
@@ -174,7 +188,7 @@ with import <stockholm/lib>;
     persist-key
     persist-tun
     ping 15
-    ping-restart 0
+    ping-restart 15
     ping-timer-rem
     reneg-sec 0
     comp-lzo no
@@ -250,7 +264,7 @@ with import <stockholm/lib>;
     path = [
       pkgs.coreutils
       pkgs.findutils
-      pkgs.inotifyTools
+      pkgs.inotify-tools
     ];
     serviceConfig = {
       Restart = "always";
@@ -271,4 +285,10 @@ with import <stockholm/lib>;
     enable = true;
     group = "download";
   };
+
+  services.magnetico = {
+    enable = true;
+    web.address = "0.0.0.0";
+    web.port = 9092;
+  };
 }