diff options
Diffstat (limited to 'lass/2configs')
42 files changed, 512 insertions, 223 deletions
diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix index 5b8cebf5c..8567def02 100644 --- a/lass/2configs/IM.nix +++ b/lass/2configs/IM.nix @@ -1,38 +1,23 @@ with (import <stockholm/lib>); { config, lib, pkgs, ... }: let weechat = pkgs.weechat.override { - configure = { availablePlugins, ... }: with pkgs.weechatScripts; { - plugins = lib.attrValues (availablePlugins // { - python = availablePlugins.python.withPackages (_: [ weechat-matrix ]); - }); - scripts = [ weechat-matrix ]; + configure = { availablePlugins, ... }: { + scripts = with pkgs.weechatScripts; [ + weechat-matrix + ]; }; }; - tmux = pkgs.writeDashBin "tmux" '' - exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" '' - set-option -g prefix ` - unbind-key C-b - bind ` send-prefix - - set-option -g status off - set-option -g default-terminal screen-256color - - #use session instead of windows - bind-key c new-session - bind-key p switch-client -p - bind-key n switch-client -n - bind-key C-s switch-client -l - ''} "$@" - ''; + tmux = "/run/current-system/sw/bin/tmux"; in { imports = [ ./bitlbee.nix ]; - environment.systemPackages = [ tmux weechat ]; + environment.systemPackages = [ weechat ]; systemd.services.chat = { description = "chat environment setup"; + environment.WEECHAT_HOME = "\$HOME/.weechat"; after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; @@ -46,8 +31,8 @@ in { User = "lass"; RemainAfterExit = true; Type = "oneshot"; - ExecStart = "${tmux}/bin/tmux -2 new-session -d -s IM ${weechat}/bin/weechat"; - ExecStop = "${tmux}/bin/tmux kill-session -t IM"; # TODO run save in weechat + ExecStart = "${tmux} -2 new-session -d -s IM ${weechat}/bin/weechat"; + ExecStop = "${tmux} kill-session -t IM"; # TODO run save in weechat }; }; } diff --git a/lass/2configs/alacritty.nix b/lass/2configs/alacritty.nix index a57dc7c25..903ddf6cc 100644 --- a/lass/2configs/alacritty.nix +++ b/lass/2configs/alacritty.nix @@ -89,9 +89,40 @@ in { }; }; "themes/dark/alacritty.yaml".text = alacritty-cfg { - colors.primary = { - background = "#000000"; - foreground = "#ffffff"; + colors = { + # Default colors + primary = { + background = "0x000000"; + foreground = "0xffffff"; + }; + cursor = { + text = "0xF81CE5"; + cursor = "0xffffff"; + }; + + # Normal colors + normal = { + black = "0x000000"; + red = "0xfe0100"; + green = "0x33ff00"; + yellow = "0xfeff00"; + blue = "0x0066ff"; + magenta = "0xcc00ff"; + cyan = "0x00ffff"; + white = "0xd0d0d0"; + }; + + # Bright colors + bright = { + black = "0x808080"; + red = "0xfe0100"; + green = "0x33ff00"; + yellow = "0xfeff00"; + blue = "0x0066ff"; + magenta = "0xcc00ff"; + cyan = "0x00ffff"; + white = "0xFFFFFF"; + }; }; }; }; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 22a3037d7..e94cbbd2c 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -16,7 +16,7 @@ in { ./xmonad.nix ./themes.nix { - krebs.per-user.lass.packages = [ + users.users.mainUser.packages = [ pkgs.sshuttle ]; security.sudo.extraConfig = '' @@ -46,7 +46,7 @@ in { } ]; - users.users.mainUser.extraGroups = [ "audio" "video" ]; + users.users.mainUser.extraGroups = [ "audio" "pipewire" "video" ]; time.timeZone = "Europe/Berlin"; @@ -64,7 +64,7 @@ in { font-size fzfmenu gimp - gitAndTools.hub + gitAndTools.gh git-crypt git-preview dconf @@ -79,11 +79,13 @@ in { ponymix powertop rxvt_unicode-with-plugins + sshvnc sxiv taskwarrior termite transgui wirelesstools + x11vnc xclip xephyrify xorg.xhost diff --git a/lass/2configs/bgt-bot/bgt-check.sh b/lass/2configs/bgt-bot/bgt-check.sh new file mode 100644 index 000000000..30185ba18 --- /dev/null +++ b/lass/2configs/bgt-bot/bgt-check.sh @@ -0,0 +1,57 @@ +#!/bin/sh +# needs in path: +# curl gnugrep jq +# creates and manages $PWD/state +set -xeuf + +send_reaktor(){ + # usage: send_reaktor "text" + echo "send_reaktor: $1" + curl -fsS "http://localhost:$REAKTOR_PORT" \ + -H content-type:application/json \ + -d "$(jq -n \ + --arg text "$1" \ + --arg channel "$IRC_CHANNEL" \ + '{ + command:"PRIVMSG", + params:[$channel,$text] + }' + )" +} + +live=$(shuf -n1 <<EOF +Binärgewitter Liveshow hat begonnen! http://stream.radiotux.de:8000/binaergewitter.mp3 +EOF +) + +offline=$(shuf -n1 <<EOF +Live stream vorbei +EOF +) +error=$(shuf -n1 <<EOF +something went wrong +EOF +) + +if curl -Ss http://stream.radiotux.de:8000 | grep -q 'Mount Point /binaergewitter'; then + state='live' +else + state='offline' +fi +prevstate=$(cat state ||:) + +if test "$state" == "$(cat state)";then + #echo "current and last state is the same ($state), doing nothing" + : +else + echo "API state and last state differ ( '$state' != '$prevstate')" + if test "$state" == 'live';then + send_reaktor "$live" + elif test "$state" == 'offline';then + send_reaktor "$offline" + else + send_reaktor "$error" + fi + echo 'updating state' + printf "%s" "$state" > state +fi diff --git a/lass/2configs/bgt-bot/default.nix b/lass/2configs/bgt-bot/default.nix new file mode 100644 index 000000000..6f9e33704 --- /dev/null +++ b/lass/2configs/bgt-bot/default.nix @@ -0,0 +1,44 @@ +{ config, lib, pkgs, ... }: +let + + bot_port = "7654"; + irc_channel = "#binaergewitter"; +in +{ + krebs.reaktor2.bgt-announce = { + hostname = "irc.libera.chat"; + port = "6697"; + nick = "bgt-announce"; + API.listen = "inet://127.0.0.1:${bot_port}"; + plugins = [ + { + plugin = "register"; + config = { + channels = [ + irc_channel + ]; + }; + } + ]; + }; + systemd.services.check_bgt_show = { + startAt = "*:0/5"; + environment = { + IRC_CHANNEL = irc_channel; + REAKTOR_PORT = bot_port; + }; + path = with pkgs; [ + curl + gnugrep + jq + ]; + script = builtins.readFile ./bgt-check.sh; + serviceConfig = { + DynamicUser = true; + StateDirectory = "bgt-announce"; + WorkingDirectory = "/var/lib/bgt-announce"; + PrivateTmp = true; + }; + }; +} + diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix index de6562cbc..e9dd055f9 100644 --- a/lass/2configs/bitcoin.nix +++ b/lass/2configs/bitcoin.nix @@ -28,7 +28,6 @@ in { }; }; security.sudo.extraConfig = '' - ${mainUser.name} ALL=(bch) ALL ${mainUser.name} ALL=(bitcoin) ALL ${mainUser.name} ALL=(monero) ALL ''; diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix index b84221155..84f06e587 100644 --- a/lass/2configs/bitlbee.nix +++ b/lass/2configs/bitlbee.nix @@ -11,7 +11,7 @@ with (import <stockholm/lib>); pkgs.bitlbee-discord ]; libpurple_plugins = [ - pkgs.telegram-purple + # pkgs.telegram-purple # pkgs.tdlib-purple # pkgs.purple-gowhatsapp ]; diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix index 28c7d640d..2698f67e0 100644 --- a/lass/2configs/blue.nix +++ b/lass/2configs/blue.nix @@ -8,7 +8,6 @@ with (import <stockholm/lib>); ]; environment.systemPackages = with pkgs; [ - ag dic nmap git-preview diff --git a/lass/2configs/br.nix b/lass/2configs/br.nix index 6e0a2385c..273a9c963 100644 --- a/lass/2configs/br.nix +++ b/lass/2configs/br.nix @@ -46,4 +46,6 @@ with import <stockholm/lib>; ]; }; + users.users.mainUser.extraGroups = [ "scanner" "lp" ]; + } diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index 271dcfca4..b3bf1b761 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -28,6 +28,10 @@ in { params.hedgedoc = {}; }; + systemd.services.hedgedoc.environment = { + CMD_COOKIE_POLICY = "none"; + CMD_CSP_ALLOW_FRAMING = "true"; + }; services.hedgedoc = { enable = true; configuration.allowOrigin = [ domain ]; @@ -47,6 +51,7 @@ in { sslCertPath = "/var/lib/acme/${domain}/cert.pem"; sslKeyPath = "/var/lib/acme/${domain}/key.pem"; dhParamPath = config.security.dhparams.params.hedgedoc.path; + }; }; } diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index f03d8b568..e8ac55988 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -10,6 +10,8 @@ with import <stockholm/lib>; ./htop.nix <stockholm/krebs/2configs/security-workarounds.nix> ./wiregrill.nix + ./tmux.nix + ./tor-ssh.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) @@ -122,6 +124,9 @@ with import <stockholm/lib>; q rs untilport + (pkgs.writeDashBin "urgent" '' + printf '\a' + '') usbutils logify goify diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 829773b87..26707f1f0 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -61,7 +61,7 @@ in { name = "games"; description = "user playing games"; home = "/home/games"; - extraGroups = [ "audio" "video" "input" "loot" ]; + extraGroups = [ "audio" "video" "input" "loot" "pipewire" ]; createHome = true; useDefaultShell = true; packages = with pkgs; [ diff --git a/lass/2configs/git-brain.nix b/lass/2configs/git-brain.nix index 1c6f92fcd..f4d1a27cd 100644 --- a/lass/2configs/git-brain.nix +++ b/lass/2configs/git-brain.nix @@ -28,7 +28,7 @@ let # TODO: get the list of all krebsministers - krebsminister = with config.krebs.users; [ makefu tv ]; + krebsminister = with config.krebs.users; [ makefu tv kmein ]; krebs-rules = repo: set-owners repo [ config.krebs.users.lass ] ++ set-ro-access repo krebsminister; diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index e6c77f64b..891aefcfd 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -122,12 +122,6 @@ let cgit.section = "configuration"; }; } // mapAttrs make-public-repo-silent { - nixos-aws = { - collaborators = [ { - name = "fabio"; - pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFst8DvnfOu4pQJYxcwdf//jWTvP+jj0iSrOdt59c9Gbujm/8K1mBXhcSQhHj/GBRC1Qc1wipf9qZsWnEHMI+SRwq6tDr8gqlAcdWmHAs1bU96jJtc8EgmUKbXTFG/VmympMPi4cEbNUtH93v6NUjQKwq9szvDhhqSW4Y8zE32xLkySwobQapNaUrGAtQp3eTxu5Lkx+cEaaartaAspt8wSosXjUHUJktg0O5/XOP+CiWAx89AXxbQCy4XTQvUExoRGdw9sdu0lF0/A0dF4lFF/dDUS7+avY8MrKEcQ8Fwk8NcW1XrKMmCdNdpvou0whL9aHCdTJ+522dsSB1zZWh63Si4CrLKlc1TiGKCXdvzmCYrD+6WxbPJdRpMM4dFNtpAwhCm/dM+CBXfDkP0s5veFiYvp1ri+3hUqV/sep9r5/+d+5/R1gQs8WDNjWqcshveFbD5LxE6APEySB4QByGxIrw7gFbozE+PNxtlVP7bq4MyE6yIzL6ofQgO1e4THquPcqSCfCvyib5M2Q1phi5DETlMemWp84AsNkqbhRa4BGRycuOXXrBzE+RgQokcIY7t3xcu3q0xJo2+HxW/Lqi72zYU1NdT4nJMETEaG49FfIAnUuoVaQWWvOz8mQuVEmmdw2Yzo2ikILYSUdHTp1VPOeo6aNPvESkPw1eM0xDRlQ== ada"; - } ]; - }; }; restricted-repos = mapAttrs make-restricted-repo ( diff --git a/lass/2configs/home-media.nix b/lass/2configs/home-media.nix index 7e10aed34..f250ca8d8 100644 --- a/lass/2configs/home-media.nix +++ b/lass/2configs/home-media.nix @@ -4,10 +4,10 @@ with import <stockholm/lib>; users.users.media = { isNormalUser = true; uid = genid_uint31 "media"; - extraGroups = [ "video" "audio" ]; + extraGroups = [ "video" "audio" "pipewire" ]; }; - services.xserver.displayManager.lightdm.autoLogin = { + services.xserver.displayManager.autoLogin = { enable = true; user = "media"; }; diff --git a/lass/2configs/jitsi.nix b/lass/2configs/jitsi.nix index 1435ccb5c..fa41f6634 100644 --- a/lass/2configs/jitsi.nix +++ b/lass/2configs/jitsi.nix @@ -7,10 +7,13 @@ config = { enableWelcomePage = true; requireDisplayName = true; + analytics.disabled = true; }; interfaceConfig = { SHOW_JITSI_WATERMARK = false; SHOW_WATERMARK_FOR_GUESTS = false; + DISABLE_PRESENCE_STATUS = true; + GENERATE_ROOMNAMES_ON_WELCOME_PAGE = false; }; }; diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 4682865c6..b874695a8 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -144,15 +144,7 @@ let set sort=threads - set index_format="${pkgs.writeDash "mutt-index" '' - # http://www.mutt.org/doc/manual/#formatstrings - recipent="$(echo $1 | sed 's/[^,]*<\([^>]*\)[^,]*/ \1/g')" - # output to mutt - # V - echo "%4C %Z %?GI?%GI& ? %[%y-%m-%d] %-20.20a %?M?(%3M)& ? %s %> $recipent %?g?%g?%" - # args to mutt-index dash script - # V - ''} %r |" + set index_format="%4C %Z %?GI?%GI& ? %[%y-%m-%d] %-20.20a %?M?(%3M)& ? %s %> %r %g" virtual-mailboxes "Unread" "notmuch://?query=tag:unread" virtual-mailboxes "INBOX" "notmuch://?query=tag:inbox" diff --git a/lass/2configs/minecraft.nix b/lass/2configs/minecraft.nix index d2a3672c5..34da3047e 100644 --- a/lass/2configs/minecraft.nix +++ b/lass/2configs/minecraft.nix @@ -11,6 +11,5 @@ in { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; } { predicate = "-p udp --dport 25565"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 8123"; target = "ACCEPT"; } ]; } diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix index 854af3eb5..f88d0d91d 100644 --- a/lass/2configs/mpv.nix +++ b/lass/2configs/mpv.nix @@ -76,15 +76,43 @@ let mp.add_key_binding('S', "download_subs", download) ''; + mpvInput = pkgs.writeText "mpv.input" '' + : script-binding console/enable + ''; + + mpvConfig = pkgs.writeText "mpv.conf" '' + osd-font-size=20 + ''; + mpv = pkgs.symlinkJoin { name = "mpv"; paths = [ (pkgs.writeDashBin "mpv" '' - exec ${pkgs.mpv}/bin/mpv \ + set -efu + if [ -n "''${DISPLAY+x}" ]; then + Y_RES=$(${pkgs.xorg.xrandr}/bin/xrandr | + ${pkgs.jc}/bin/jc --xrandr | + ${pkgs.jq}/bin/jq '.screens[0].current_width' + ) + else + Y_RES=1000 + fi + # we need to disable sponsorblock local database because of + # https://github.com/po5/mpv_sponsorblock/issues/31 + exec ${pkgs.mpv.override { + scripts = with pkgs.mpvScripts; [ + sponsorblock + youtube-quality + ]; + }}/bin/mpv \ -vo=gpu \ --no-config \ + --input-conf=${mpvInput} \ + --include=${mpvConfig} \ --script=${autosub} \ + --ytdl-format="best[height<$Y_RES]" \ --script-opts=ytdl_hook-ytdl_path=${pkgs.yt-dlp}/bin/yt-dlp \ + --script-opts-append=sponsorblock-local_database=no \ "$@" '') pkgs.mpv diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix index 68a55c71c..affc35307 100644 --- a/lass/2configs/paste.nix +++ b/lass/2configs/paste.nix @@ -57,10 +57,8 @@ with import <stockholm/lib>; addSSL = true; serverAliases = [ "p.krebsco.de" ]; locations."/".extraConfig = '' - if ($request_method != GET) { - return 403; - } proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:${toString config.krebs.htgen.paste.port}; ''; locations."/image".extraConfig = '' diff --git a/lass/2configs/programs.nix b/lass/2configs/programs.nix index 0a4b4fd9b..0997b41a8 100644 --- a/lass/2configs/programs.nix +++ b/lass/2configs/programs.nix @@ -4,9 +4,11 @@ { environment.systemPackages = with pkgs; [ aria2 + generate-secrets gnupg1compat htop i3lock + l-gen-secrets mosh pass pavucontrol @@ -18,18 +20,41 @@ transmission wget xsel - youtube-dl + yt-dlp + (pkgs.writeDashBin "youtube-dl" '' + exec ${pkgs.yt-dlp}/bin/yt-dlp "$@" + '') (pkgs.writeDashBin "tether-on" '' adb shell svc usb setFunctions rndis '') (pkgs.writeDashBin "tether-off" '' adb shell svc usb setFunctions '') - (pkgs.writeDashBin "dl-movie" '' - ${pkgs.transmission}/bin/transmission-remote yellow.r -w /var/download/finished/sorted/movies -a "$@" + (pkgs.writeDashBin "deploy" '' + set -eu + export SYSTEM="$1" + $(nix-build $HOME/sync/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) + '') + (pkgs.writeDashBin "krebsco.de" '' + TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + ${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json + OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import + ${pkgs.coreutils}/bin/rm -rf "$TMPDIR" + '') + (pkgs.writeDashBin "lassul.us" '' + TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json + OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us + ${pkgs.coreutils}/bin/rm -rf "$TMPDIR" + '') + (pkgs.writeDashBin "btc-coinbase" '' + ${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount' + '') + (pkgs.writeDashBin "btc-wex" '' + ${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg' '') - (pkgs.writeDashBin "dl-series" '' - ${pkgs.transmission}/bin/transmission-remote yellow.r -w /var/download/finished/sorted/series -a "$@" + (pkgs.writeDashBin "btc-kraken" '' + ${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]' '') ]; } diff --git a/lass/2configs/radio/default.nix b/lass/2configs/radio/default.nix index 0611be7ce..b8d958865 100644 --- a/lass/2configs/radio/default.nix +++ b/lass/2configs/radio/default.nix @@ -107,6 +107,7 @@ let in { imports = [ ./news.nix + ./weather.nix ]; users.users = { @@ -165,14 +166,14 @@ in { output.icecast(mount = '/music.ogg', password = 'hackme', %vorbis(quality = 1), source) output.icecast(mount = '/music.mp3', password = 'hackme', %mp3.vbr(), source) - output.icecast(mount = '/music.opus', password = 'hackme', %opus(bitrate = 64), source) + output.icecast(mount = '/music.opus', password = 'hackme', %opus(bitrate = 96), source) extra_input = audio_to_stereo(input.harbor("live", port=1338)) o = smooth_add(normal = source, special = extra_input) output.icecast(mount = '/radio.ogg', password = 'hackme', %vorbis(quality = 1), o) output.icecast(mount = '/radio.mp3', password = 'hackme', %mp3.vbr(), o) - output.icecast(mount = '/radio.opus', password = 'hackme', %opus(bitrate = 64), o) + output.icecast(mount = '/radio.opus', password = 'hackme', %opus(bitrate = 96), o) ''; services.icecast = { enable = true; diff --git a/lass/2configs/radio/news.nix b/lass/2configs/radio/news.nix index 27b124093..e5b5405ff 100644 --- a/lass/2configs/radio/news.nix +++ b/lass/2configs/radio/news.nix @@ -1,45 +1,28 @@ { config, lib, pkgs, ... }: let - weather_for_ips = pkgs.writers.writePython3Bin "weather_for_ips" { - libraries = [ pkgs.python3Packages.geoip2 ]; - } ./weather_for_ips.py; - - weather_report = pkgs.writers.writeDashBin "weather_report" '' - set -efu - export PATH="${lib.makeBinPath [ - pkgs.coreutils - pkgs.curl - pkgs.iproute2 - pkgs.jc - pkgs.jq - ]}" - curl -z /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb - MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB - OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY - ss -no 'sport = :8000' | - jc --ss | jq -r '.[] | - select( - .local_address != "[::ffff:127.0.0.1]" - and .local_address != "[::1]" - ) | .peer_address | gsub("[\\[\\]]"; "") - ' | - ${weather_for_ips}/bin/weather_for_ips - ''; send_to_radio = pkgs.writers.writeDashBin "send_to_radio" '' - ${pkgs.vorbisTools}/bin/oggenc - | + ${pkgs.vorbis-tools}/bin/oggenc - | ${pkgs.libshout}/bin/shout --format ogg --host localhost --port 1338 --mount /live ''; gc_news = pkgs.writers.writeDashBin "gc_news" '' set -xefu + export TZ=UTC #workaround for jq parsing wrong timestamp ${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -cs 'map(select((.to|fromdateiso8601) > now)) | .[]' > $HOME/bla-news.tmp ${pkgs.coreutils}/bin/mv $HOME/bla-news.tmp $HOME/news ''; get_current_news = pkgs.writers.writeDashBin "get_current_news" '' set -xefu - ${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -rs 'map(select(((.to | fromdateiso8601) > now) and (.from|fromdateiso8601) < now) | .text) | .[]' + export TZ=UTC #workaround for jq parsing wrong timestamp + ${pkgs.coreutils}/bin/cat $HOME/news | ${pkgs.jq}/bin/jq -rs ' + sort_by(.priority) | + map(select( + ((.to | fromdateiso8601) > now) and + (.from|fromdateiso8601) < now) | + .text + ) | .[]' ''; newsshow = pkgs.writers.writeDashBin "newsshow" /* sh */ '' @@ -50,7 +33,6 @@ let todays news: $(get_current_news) $(gc_news) - $(weather_report) EOF ''; in @@ -61,7 +43,6 @@ in send_to_radio gc_news get_current_news - weather_report pkgs.curl pkgs.retry ]; @@ -74,9 +55,6 @@ in startAt = "*:00:00"; serviceConfig = { User = "radio-news"; - LoadCredential = [ - "openweather_api:${toString <secrets>}/openweather_api_key" - ]; }; }; @@ -107,8 +85,8 @@ in ;; "POST /") payload=$(head -c "$req_content_length") - echo "$payload" | jq 'has("from") and has("to") and has("text")' >&2 - echo "$payload" | jq -c '{ from: (.from | fromdate | todate), to: (.to | fromdate | todate), text: .text }' >> "$HOME"/news + printf '%s' "$payload" | jq 'has("from") and has("to") and has("text")' >&2 + printf '%s' "$payload" | jq -c '{ from: .from, to: .to, text: .text, priority: (.priority // 0)}' >> "$HOME"/news printf 'HTTP/1.1 200 OK\r\n' printf 'Connection: close\r\n' printf '\r\n' diff --git a/lass/2configs/radio/weather.nix b/lass/2configs/radio/weather.nix new file mode 100644 index 000000000..3beac6693 --- /dev/null +++ b/lass/2configs/radio/weather.nix @@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: +let + weather_for_ips = pkgs.writers.writePython3Bin "weather_for_ips" { + libraries = [ pkgs.python3Packages.geoip2 ]; + flakeIgnore = [ "E501" ]; + } ./weather_for_ips.py; + + weather_report = pkgs.writers.writeDashBin "weather_report" '' + set -efu + export PATH="${lib.makeBinPath [ + pkgs.coreutils + pkgs.curl + pkgs.iproute2 + pkgs.jc + pkgs.jq + ]}" + curl -z /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb + MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB + OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY + ss -no 'sport = :8000' | + jc --ss | jq -r '.[] | + select( + .local_address != "[::ffff:127.0.0.1]" + and .local_address != "[::1]" + ) | .peer_address | gsub("[\\[\\]]"; "") + ' | + ${weather_for_ips}/bin/weather_for_ips + ''; +in { + systemd.services.weather = { + path = [ + weather_report + pkgs.retry + pkgs.jq + pkgs.curl + ]; + script = '' + set -xefu + retry -t 5 -d 10 -- weather_report | + jq \ + --arg from "$(date -u +'%FT%TZ')" \ + --arg to "$(date -u +'%FT%TZ' -d '+1 hours')" \ + --slurp --raw-input --compact-output --ascii-output \ + '{text: ., from: $from, to: $to, priority: 100}' | + retry -t 5 -d 10 -- curl -v -d@- http://radio-news.r + ''; + startAt = "*:58:00"; + serviceConfig = { + User = "radio-news"; + LoadCredential = [ + "openweather_api:${toString <secrets>}/openweather_api_key" + ]; + }; + }; +} diff --git a/lass/2configs/radio/weather_for_ips.py b/lass/2configs/radio/weather_for_ips.py index 8d9a2e7bc..f7cc2dace 100644 --- a/lass/2configs/radio/weather_for_ips.py +++ b/lass/2configs/radio/weather_for_ips.py @@ -21,13 +21,13 @@ for ip in fileinput.input(): f'&units=metric' ) resp = requests.get(url) - weather = json.loads(resp.text)['current'] + weather = json.loads(resp.text) output.append( - f'Weather report for {location.city.name}' - f', {location.country.name}. ' - f'Currently it is {weather["weather"][0]["description"]} outside ' - f'with a temperature of {weather["temp"]} degrees ' - f'and a windspeed of {weather["wind_speed"]} meter per second. ' + f'Weather report for {location.city.name}, {location.country.name}. ' + f'Currently it is {weather["current"]["weather"][0]["description"]} outside ' + f'with a temperature of {weather["current"]["temp"]} degrees, ' + f'and a wind speed of {weather["current"]["wind_speed"]} meters per second. ' + f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100} percent. ' ) print('\n'.join(output)) diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix index 0bae91d89..a82e1d010 100644 --- a/lass/2configs/realwallpaper.nix +++ b/lass/2configs/realwallpaper.nix @@ -22,6 +22,10 @@ in { hostname "${hostname}.r" ]; + locations."/realwallpaper/".extraConfig = '' + index on; + root /var/realwallpaper"; + ''; locations."/realwallpaper.png".extraConfig = '' root /var/realwallpaper/; ''; diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index d4d97a889..b8c9d4f8d 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -21,6 +21,7 @@ "eve" ]; extraConfig = '' + AutoConnect = no StrictSubnets = yes ${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) '' LocalDiscovery = no diff --git a/lass/2configs/ssh-cryptsetup.nix b/lass/2configs/ssh-cryptsetup.nix index f08f85b49..0126c33b2 100644 --- a/lass/2configs/ssh-cryptsetup.nix +++ b/lass/2configs/ssh-cryptsetup.nix @@ -6,7 +6,7 @@ ssh = { enable = true; authorizedKeys = with config.krebs.users; [ - config.krebs.users.lass-mors.pubkey + config.krebs.users.lass.pubkey config.krebs.users.lass-blue.pubkey ]; }; diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix index a38cff8d6..5fded10a2 100644 --- a/lass/2configs/sync/decsync.nix +++ b/lass/2configs/sync/decsync.nix @@ -3,9 +3,8 @@ path = "/home/lass/decsync"; devices = [ "mors" "blue" "green" "phone" ]; }; - krebs.permown."/home/lass/decsync" = { - owner = "lass"; - group = "syncthing"; - umask = "0007"; - }; + + krebs.acl."/home/lass/decsync"."u:syncthing:X".parents = true; + krebs.acl."/home/lass/decsync"."u:syncthing:rwX" = {}; + krebs.acl."/home/lass/decsync"."u:lass:rwX" = {}; } diff --git a/lass/2configs/sync/sync.nix b/lass/2configs/sync/sync.nix index a0927c199..2714fa83e 100644 --- a/lass/2configs/sync/sync.nix +++ b/lass/2configs/sync/sync.nix @@ -2,12 +2,7 @@ services.syncthing.folders."/home/lass/sync" = { devices = [ "mors" "icarus" "xerxes" "shodan" "green" "blue" "coaxmetal" ]; }; - krebs.permown."/home/lass/sync" = { - file-mode = "u+rw,g+rw"; - owner = "lass"; - group = "syncthing"; - umask = "0002"; - keepGoing = true; - }; + krebs.acl."/home/lass/sync"."u:syncthing:X".parents = true; + krebs.acl."/home/lass/sync"."u:syncthing:rwX" = {}; + krebs.acl."/home/lass/sync"."u:lass:rwX" = {}; } - diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix index eb6b0aa16..b32015b84 100644 --- a/lass/2configs/sync/weechat.nix +++ b/lass/2configs/sync/weechat.nix @@ -1,8 +1,6 @@ { services.syncthing.folders."/home/lass/.weechat".devices = [ "green" "mors" ]; - krebs.permown."/home/lass/.weechat" = { - owner = "lass"; - group = "syncthing"; - umask = "0007"; - }; + krebs.acl."/home/lass/.weechat"."u:syncthing:X".parents = true; + krebs.acl."/home/lass/.weechat"."u:syncthing:rwX" = {}; + krebs.acl."/home/lass/.weechat"."u:lass:rwX" = {}; } diff --git a/lass/2configs/tests/dummy-secrets/ssh-tor.priv b/lass/2configs/tests/dummy-secrets/ssh-tor.priv new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/ssh-tor.priv diff --git a/lass/2configs/themes.nix b/lass/2configs/themes.nix index e020c62c4..eb1a53987 100644 --- a/lass/2configs/themes.nix +++ b/lass/2configs/themes.nix @@ -9,6 +9,7 @@ ${placeholder "out"}/bin/switch-theme dark fi elif test -e "/etc/themes/$1"; then + ${pkgs.coreutils}/bin/mkdir -p /var/theme/config ${pkgs.rsync}/bin/rsync --chown=lass:users -a --delete "/etc/themes/$1/" /var/theme/config/ echo "$1" > /var/theme/current_theme ${pkgs.coreutils}/bin/chown lass:users /var/theme/current_theme diff --git a/lass/2configs/tmux.nix b/lass/2configs/tmux.nix index c977a1105..10931365d 100644 --- a/lass/2configs/tmux.nix +++ b/lass/2configs/tmux.nix @@ -2,25 +2,26 @@ with import <stockholm/lib>; { config, pkgs, ... }: { + environment.etc."tmux.conf".text = '' + #prefix key to ` + set-option -g prefix2 ` + + bind-key r source-file /etc/tmux.conf \; display-message "/etc/tmux.conf reloaded" + + set-option -g default-terminal screen-256color + + #use session instead of windows + bind-key c new-session + bind-key p switch-client -p + bind-key n switch-client -n + bind-key C-s switch-client -l + ''; nixpkgs.config.packageOverrides = super: { tmux = pkgs.symlinkJoin { name = "tmux"; paths = [ (pkgs.writeDashBin "tmux" '' - exec ${super.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" '' - #change prefix key to ` - set-option -g prefix ` - unbind-key C-b - bind ` send-prefix - - set-option -g default-terminal screen-256color - - #use session instead of windows - bind-key c new-session - bind-key p switch-client -p - bind-key n switch-client -n - bind-key C-s switch-client -l - ''} "$@" + exec ${super.tmux}/bin/tmux -f /etc/tmux.conf "$@" '') super.tmux ]; diff --git a/lass/2configs/tor-ssh.nix b/lass/2configs/tor-ssh.nix new file mode 100644 index 000000000..8b36733e2 --- /dev/null +++ b/lass/2configs/tor-ssh.nix @@ -0,0 +1,14 @@ +{ + services.tor = { + enable = true; + relay.onionServices.ssh = { + version = 3; + map = [{ + port = 22; + target.port = 22; + }]; + secretKey = <secrets/ssh-tor.priv>; + }; + }; +} + diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix index 36ce3d74c..210133f48 100644 --- a/lass/2configs/vim.nix +++ b/lass/2configs/vim.nix @@ -21,6 +21,7 @@ let set backup set backupdir=${dirs.backupdir}/ set directory=${dirs.swapdir}// + set list listchars=tab:⇥\ ,extends:❯,precedes:❮,nbsp:␣,trail:· showbreak=¬ set hlsearch set incsearch set ttymouse=sgr @@ -51,7 +52,7 @@ let filetype plugin indent on set t_Co=256 - colorscheme hack + colorscheme dim syntax on au Syntax * syn match Garbage containedin=ALL /\s\+$/ @@ -114,10 +115,17 @@ let " copy/paste from/to xclipboard set clipboard=unnamedplus + + " use fzf to switch files + nnoremap <C-p> :FZF<CR> + nnoremap <C-l> :Rg<CR> + let g:fzf_layout = { 'down': '~15%' } ''; extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [ pkgs.vimPlugins.undotree + pkgs.vimPlugins.fzf-vim + pkgs.vimPlugins.fzfWrapper (pkgs.vimUtils.buildVimPlugin { name = "file-line-1.0"; src = pkgs.fetchFromGitHub { @@ -127,49 +135,15 @@ let sha256 = "0z47zq9rqh06ny0q8lpcdsraf3lyzn9xvb59nywnarf3nxrk6hx0"; }; }) - ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let - name = "hack"; - in { - name = "vim-color-${name}-1.0.2"; - destination = "/colors/${name}.vim"; - text = /* vim */ '' - set background=dark - hi clear - if exists("syntax_on") - syntax clear - endif - - let colors_name = ${toJSON name} - - hi Normal ctermbg=016 - hi Comment ctermfg=255 - hi Constant ctermfg=229 - hi Identifier ctermfg=123 - hi Function ctermfg=041 - hi Statement ctermfg=167 - hi PreProc ctermfg=167 - hi Type ctermfg=046 - hi Delimiter ctermfg=251 - hi Special ctermfg=146 - - hi Garbage ctermbg=124 - hi TabStop ctermbg=020 - hi NBSP ctermbg=056 - hi NarrowNBSP ctermbg=097 - hi Todo ctermfg=174 ctermbg=NONE - - hi NixCode ctermfg=190 - hi NixData ctermfg=149 - hi NixQuote ctermfg=119 - - hi diffNewFile ctermfg=207 - hi diffFile ctermfg=207 - hi diffLine ctermfg=207 - hi diffSubname ctermfg=207 - hi diffAdded ctermfg=010 - hi diffRemoved ctermfg=009 - ''; - }))) + (pkgs.vimUtils.buildVimPlugin { + name = "vim-dim-1.1.0"; + src = pkgs.fetchFromGitHub { + owner = "jeffkreeftmeijer"; + repo = "vim-dim"; + rev = "1.1.0"; + sha256 = "sha256-lyTZUgqUEEJRrzGo1FD8/t8KBioPrtB3MmGvPeEVI/g="; + }; + }) ((rtp: rtp // { inherit rtp; }) (pkgs.writeTextFile (let name = "vim"; in { diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 3f055e370..fe4d78a3b 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -29,6 +29,8 @@ in { (servePage [ "apanowicz.de" "www.apanowicz.de" ]) (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) (servePage [ "illustra.de" "www.illustra.de" ]) + (servePage [ "nirwanabluete.de" "www.nirwanabluete.de" ]) + (servePage [ "familienrat-hamburg.de" "www.familienrat-hamburg.de" ]) (servePage [ "freemonkey.art" "www.freemonkey.art" @@ -36,20 +38,20 @@ in { (serveOwncloud [ "o.ubikmedia.de" ]) (serveWordpress [ "ubikmedia.de" - "nirwanabluete.de" "ubikmedia.eu" "youthtube.xyz" "joemisch.com" "weirdwednesday.de" "jarugadesign.de" + "beesmooth.ch" - "www.nirwanabluete.de" "www.ubikmedia.eu" "www.youthtube.xyz" "www.ubikmedia.de" "www.joemisch.com" "www.weirdwednesday.de" "www.jarugadesign.de" + "www.beesmooth.ch" "aldona2.ubikmedia.de" "cinevita.ubikmedia.de" @@ -64,9 +66,13 @@ in { "jarugadesign.ubikmedia.de" "crypto4art.ubikmedia.de" "jarugadesign.ubikmedia.de" + "beesmooth.ubikmedia.de" ]) ]; + # https://github.com/nextcloud/server/issues/25436 + services.mysql.settings.mysqld.innodb_read_only_compressed = 0; + services.mysql.ensureDatabases = [ "ubikmedia_de" "o_ubikmedia_de" ]; services.mysql.ensureUsers = [ { ensurePermissions = { "ubikmedia_de.*" = "ALL"; }; name = "nginx"; } @@ -98,7 +104,7 @@ in { services.nextcloud = { enable = true; hostName = "o.xanf.org"; - package = pkgs.nextcloud21; + package = pkgs.nextcloud23; config = { adminpassFile = "/run/nextcloud.pw"; overwriteProtocol = "https"; @@ -159,6 +165,7 @@ in { { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } { from = "kontakt@alewis.de"; to ="klabusterbeere"; } { from = "hallo@jarugadesign.de"; to ="kasia"; } + { from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; } { from = "testuser@lassul.us"; to = "testuser"; } { from = "testuser@ubikmedia.eu"; to = "testuser"; } @@ -170,10 +177,12 @@ in { "apanowicz.de" "alewis.de" "jarugadesign.de" + "beesmooth.ch" ]; dkim = [ { domain = "ubikmedia.eu"; } { domain = "apanowicz.de"; } + { domain = "beesmooth.ch"; } ]; ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem"; @@ -332,6 +341,27 @@ in { isNormalUser = true; }; + users.users.avada = { + uid = genid_uint31 "avada"; + home = "/home/avada"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.familienrat = { + uid = genid_uint31 "familienrat"; + home = "/home/familienrat"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + krebs.acl."/srv/http/familienrat-hamburg.de"."u:familienrat:rwX" = {}; + krebs.acl."/srv/http"."u:familienrat:X" = { + default = false; + recursive = false; + }; + users.groups.xanf = {}; krebs.on-failure.plans.restic-backups-domsen = { @@ -372,18 +402,14 @@ in { ${pkgs.coreutils}/bin/chmod 750 /backups ''; - krebs.permown = { - "/srv/http" = { - group = "syncthing"; - owner = "nginx"; - umask = "0007"; - }; - "/home/xanf/XANF_TEAM" = { - owner = "XANF_TEAM"; - group = "xanf"; - umask = "0007"; - }; + # takes too long!! + # krebs.acl."/srv/http"."u:syncthing:rwX" = {}; + # krebs.acl."/srv/http"."u:nginx:rwX" = {}; + # krebs.acl."/srv/http/ubikmedia.de"."u:avada:rwX" = {}; + krebs.acl."/home/xanf/XANF_TEAM"."g:xanf:rwX" = {}; + krebs.acl."/home/xanf"."g:xanf:X" = { + default = false; + recursive = false; }; - } diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 5bf8de013..411234b82 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -10,6 +10,7 @@ in { imports = [ ./default.nix ../git.nix + ./ref.ptkk.de ]; security.acme = { @@ -20,11 +21,8 @@ in { }; }; - krebs.tinc_graphs.enable = true; - users.groups.lasscert.members = [ "dovecot2" - "ejabberd" "exim" "nginx" ]; @@ -48,10 +46,6 @@ in { locations."= /wireguard-key".extraConfig = '' alias ${pkgs.writeText "prism.wg" config.krebs.hosts.prism.nets.wiregrill.wireguard.pubkey}; ''; - locations."/tinc/".extraConfig = '' - index index.html; - alias ${config.krebs.tinc_graphs.workingDir}/external/; - ''; locations."= /krebspage".extraConfig = '' default_type "text/html"; alias ${pkgs.krebspage}/index.html; @@ -64,14 +58,14 @@ in { alias ${initscript}/bin/init; ''; locations."= /blue.pub".extraConfig = '' - alias ${pkgs.writeText "pub" config.krebs.users.lass.pubkey}; + alias ${pkgs.writeText "pub" config.krebs.users.lass-blue.pubkey}; ''; - locations."= /mors.pub".extraConfig = '' - alias ${pkgs.writeText "pub" config.krebs.users.lass-mors.pubkey}; - ''; - locations."= /yubi.pub".extraConfig = '' + locations."= /ssh.pub".extraConfig = '' alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pubkey}; ''; + locations."= /gpg.pub".extraConfig = '' + alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pgp.pubkeys.default}; + ''; }; security.acme.certs."cgit.lassul.us" = { @@ -90,19 +84,5 @@ in { root /var/lib/acme/acme-challenge; ''; }; - - users.users.blog = { - uid = genid_uint31 "blog"; - group = "nginx"; - description = "lassul.us blog deployment"; - home = "/srv/http/lassul.us"; - useDefaultShell = true; - createHome = true; - isSystemUser = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - lass-mors.pubkey - ]; - }; } diff --git a/lass/2configs/websites/ref.ptkk.de/default.nix b/lass/2configs/websites/ref.ptkk.de/default.nix new file mode 100644 index 000000000..14ce58b8e --- /dev/null +++ b/lass/2configs/websites/ref.ptkk.de/default.nix @@ -0,0 +1,89 @@ +{ config, lib, pkgs, ... }: +{ + services.nginx.virtualHosts."ref.ptkk.de" = { + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:4626"; + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Port $server_port; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Upgrade $http_upgrade; + proxy_cache_bypass $http_upgrade; + ''; + }; + locations."/static/" = { + alias = "/var/lib/ref.ptkk.de/static/"; + }; + forceSSL = true; + }; + systemd.services."ref.ptkk.de" = { + wantedBy = [ "multi-user.target" ]; + environment = { + PRODUCTION = "yip"; + DATA_DIR = "/var/lib/ref.ptkk.de/data"; + PORT = "4626"; + STATIC_ROOT = "/var/lib/ref.ptkk.de/static"; + }; + path = with pkgs; [ + git + gnutar + gzip + nix + ]; + serviceConfig = { + ExecStartPre = [ + "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/data" + "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/code" + "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/static" + ]; + ExecStart = pkgs.writers.writeDash "nixify" '' + cd code + if test -e shell.nix; then + ${pkgs.nix}/bin/nix-shell -I /var/src --run serve + else + echo 'no shell.nix, bailing out' + exit 0 + fi + ''; + LoadCredential = [ + "django-secret.key:${toString <secrets>}/ref.ptkk.de-django.key" + ]; + User = "ref.ptkk.de"; + WorkingDirectory = "/var/lib/ref.ptkk.de"; + StateDirectory = "ref.ptkk.de"; + Restart = "always"; + RestartSec = "100s"; + }; + }; + systemd.services."ref.ptkk.de-restarter" = { + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.systemd}/bin/systemctl restart ref.ptkk.de.service"; + }; + }; + systemd.paths."ref.ptkk.de-restarter" = { + wantedBy = [ "multi-user.target" ]; + pathConfig.PathChanged = [ + "/var/lib/ref.ptkk.de/code" + "/var/src/nixpkgs" + ]; + }; + + users.users."ref.ptkk.de" = { + isSystemUser = true; + uid = pkgs.stockholm.lib.genid_uint31 "ref.ptkk.de"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6fu6LtyRdk++qIBpP0BdZQHSTqzNNlvp7ML2Dv0IxD CI@github.com" + config.krebs.users.lass.pubkey + ]; + group = "nginx"; + home = "/var/lib/ref.ptkk.de"; + useDefaultShell = true; + }; +} diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index b6765037c..22b1669b0 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -174,6 +174,7 @@ rec { services.phpfpm.pools."${domain}" = { user = "nginx"; group = "nginx"; + phpPackage = pkgs.php74; extraConfig = '' listen = /srv/http/${domain}/phpfpm.pool pm = dynamic diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix index 0183bd4e5..54257d2c4 100644 --- a/lass/2configs/wiregrill.nix +++ b/lass/2configs/wiregrill.nix @@ -18,6 +18,10 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { ]; krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [ { precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } ]; networking.wireguard.interfaces.wiregrill = { diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix index d92b18f81..a37752d5e 100644 --- a/lass/2configs/yubikey.nix +++ b/lass/2configs/yubikey.nix @@ -38,7 +38,7 @@ } }); polkit.addRule(function(action, subject) { - polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid); + polkit.log("subject: " + subject + " action: " + action); }); ''; |