Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/mors/config.nix1
-rw-r--r--lass/2configs/fysiirc.nix42
-rw-r--r--lass/2configs/hass/zigbee.nix2
-rw-r--r--lass/2configs/murmur.nix6
-rw-r--r--lass/2configs/retiolum.nix5
-rw-r--r--lass/2configs/sync/decsync.nix2
-rw-r--r--lass/2configs/sync/sync.nix2
-rw-r--r--lass/2configs/sync/the_playlist.nix9
-rw-r--r--lass/2configs/sync/weechat.nix2
-rw-r--r--lass/3modules/acl.nix55
-rw-r--r--lass/3modules/default.nix1
11 files changed, 112 insertions, 15 deletions
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 4d042de22..dd479f267 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -26,6 +26,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/sync/decsync.nix>
<stockholm/lass/2configs/sync/weechat.nix>
+ <stockholm/lass/2configs/sync/the_playlist.nix>
#<stockholm/lass/2configs/c-base.nix>
<stockholm/lass/2configs/br.nix>
<stockholm/lass/2configs/ableton.nix>
diff --git a/lass/2configs/fysiirc.nix b/lass/2configs/fysiirc.nix
index d2aaa73c5..f3c1d5b7c 100644
--- a/lass/2configs/fysiirc.nix
+++ b/lass/2configs/fysiirc.nix
@@ -1,5 +1,33 @@
-{ config, lib, pkgs, ... }:
-{
+{ config, lib, pkgs, ... }: let
+
+ format-github-message = pkgs.writeDashBin "format-github-message" ''
+ set -xefu
+ export PATH=${lib.makeBinPath [
+ pkgs.jq
+ ]}
+ INPUT=$(jq -c .)
+ if $(echo "$INPUT" | jq 'has("issue") or has("pull_request")'); then
+ ${write_to_irc} "$(echo "$INPUT" | jq -r '
+ "\(.action): " +
+ "[\(.issue.title // .pull_request.title)] " +
+ "\(.comment.html_url // .issue.html_url // .pull_request.html_url) " +
+ "by \(.comment.user.login // .issue.user.login // .pull_request.user.login)"
+ ')"
+ fi
+ '';
+
+ write_to_irc = pkgs.writeDash "write_to_irc" ''
+ ${pkgs.curl}/bin/curl -fsSv http://localhost:44001 \
+ -H content-type:application/json \
+ -d "$(${pkgs.jq}/bin/jq -n \
+ --arg text "$1" '{
+ command:"PRIVMSG",
+ params:["#fysi",$text]
+ }'
+ )"
+ '';
+
+in {
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 44002"; target = "ACCEPT"; }
];
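Review bot: `set -xefu` at the top of format-github-message traces every expanded command, so the full webhook body held in `$INPUT` and the composed IRC line end up on stderr and therefore in the service journal; `set -efu` (and dropping `-v` from the curl in write_to_irc) keeps the payload out of the logs once debugging is done. The `if $(echo "$INPUT" | jq ...)` test runs jq's printed `true`/`false` as a command, which only works because dash has both as builtins in the jq-only PATH; `if echo "$INPUT" | jq -e 'has("issue") or has("pull_request")' >/dev/null; then` expresses the same test through jq's exit status. The `let` bindings are consumed by the attribute set that continues outside this hunk.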
@@ -26,20 +54,14 @@
name = "reaktor2-fysiweb-github";
};
script = ''. ${pkgs.writeDash "github-irc" ''
+ set -efu
case "$Method $Request_URI" in
"POST /")
payload=$(head -c "$req_content_length" \
| sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
| xargs -0 echo -e \
)
- ${pkgs.curl}/bin/curl -fsSv http://localhost:44001/ \
- -H content-type:application/json \
- -d "$(echo "$payload" | ${pkgs.jq}/bin/jq \
- '{
- command:"PRIVMSG",
- params:["#fysi", "\(.action): \(.comment.html_url // .issue.html_url // .pull_request.html_url)"]
- }'
- )"
+ echo "$payload" | ${format-github-message}/bin/format-github-message
printf 'HTTP/1.1 200 OK\r\n'
printf 'Connection: close\r\n'
printf '\r\n'
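Review bot: The POST branch still relays whatever body it receives to #fysi without checking that the request came from GitHub, and the first hunk accepts port 44002 from anywhere, so the only filter is the presence of an `issue` or `pull_request` key. If request headers are exposed as variables the way `req_content_length` suggests, verifying the `X-Hub-Signature-256` HMAC against a configured webhook secret before the `echo "$payload" | ${format-github-message}/bin/format-github-message` line, and answering with a non-200 status otherwise, would close that gap. With the added `set -efu`, a POST that lacks Content-Length makes the `"$req_content_length"` expansion abort the script before the `printf 'HTTP/1.1 200 OK\r\n'` lines, so the client gets no response at all; `"${req_content_length:-0}"` keeps that path explicit. The case statement continues past the hunk.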
diff --git a/lass/2configs/hass/zigbee.nix b/lass/2configs/hass/zigbee.nix
index 789a7fb92..8fc02263b 100644
--- a/lass/2configs/hass/zigbee.nix
+++ b/lass/2configs/hass/zigbee.nix
@@ -15,7 +15,7 @@ in {
services.zigbee2mqtt = {
enable = true;
package = unstable-pkgs.zigbee2mqtt;
- config = {
+ settings = {
homeassistant = true;
frontend.port = 1337;
experimental.new_api = true;
diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix
index 7cc4051a8..42670dfbb 100644
--- a/lass/2configs/murmur.nix
+++ b/lass/2configs/murmur.nix
@@ -2,10 +2,16 @@
{
services.murmur = {
enable = true;
+ allowHtml = false;
bandwidth = 10000000;
registerName = "lassul.us";
autobanTime = 30;
+ sslCert = "/var/lib/acme/lassul.us/cert.pem";
+ sslKey = "/var/lib/acme/lassul.us/key.pem";
};
+ users.groups.lasscert.members = [
+ "murmur"
+ ];
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
{ predicate = "-p udp --dport 64738"; target = "ACCEPT";}
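Review bot: The new `sslCert`/`sslKey` lines point murmur at the ACME-managed files, but nothing here reloads murmur when the certificate is renewed, so it keeps presenting the previous chain until its next restart. If that is not configured elsewhere, add `security.acme.certs."lassul.us".reloadServices = [ "murmur.service" ];` alongside the group membership. The `users.groups.lasscert.members` entry only gives the murmur user read access to `key.pem` if the ACME certificate's `group` is set to `lasscert`, which this hunk does not show; worth confirming against the ACME config. `allowHtml = false` is a sensible default since the chat text originates from arbitrary clients.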
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index 2ddfbcf8f..a305d3e18 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
{
@@ -22,6 +22,9 @@
];
extraConfig = ''
StrictSubnets = yes
+ ${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) ''
+ LocalDiscovery = no
+ ''}
'';
};
diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix
index 9caefdd2d..a38cff8d6 100644
--- a/lass/2configs/sync/decsync.nix
+++ b/lass/2configs/sync/decsync.nix
@@ -1,5 +1,5 @@
{
- services.syncthing.declarative.folders.decsync = {
+ services.syncthing.folders.decsync = {
path = "/home/lass/decsync";
devices = [ "mors" "blue" "green" "phone" ];
};
diff --git a/lass/2configs/sync/sync.nix b/lass/2configs/sync/sync.nix
index 7c0f2e030..a0927c199 100644
--- a/lass/2configs/sync/sync.nix
+++ b/lass/2configs/sync/sync.nix
@@ -1,5 +1,5 @@
{
- services.syncthing.declarative.folders."/home/lass/sync" = {
+ services.syncthing.folders."/home/lass/sync" = {
devices = [ "mors" "icarus" "xerxes" "shodan" "green" "blue" "coaxmetal" ];
};
krebs.permown."/home/lass/sync" = {
diff --git a/lass/2configs/sync/the_playlist.nix b/lass/2configs/sync/the_playlist.nix
new file mode 100644
index 000000000..5bbf790a7
--- /dev/null
+++ b/lass/2configs/sync/the_playlist.nix
@@ -0,0 +1,9 @@
+{
+ services.syncthing.folders.the_playlist = {
+ path = "/home/lass/tmp/the_playlist";
+ devices = [ "mors" "phone" "prism" ];
+ };
+ lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true;
+ lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {};
+ lass.acl."/home/lass/tmp/the_playlist"."u:lass:rwX" = {};
+}
diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix
index 7970f3081..eb6b0aa16 100644
--- a/lass/2configs/sync/weechat.nix
+++ b/lass/2configs/sync/weechat.nix
@@ -1,5 +1,5 @@
{
- services.syncthing.declarative.folders."/home/lass/.weechat".devices = [ "green" "mors" ];
+ services.syncthing.folders."/home/lass/.weechat".devices = [ "green" "mors" ];
krebs.permown."/home/lass/.weechat" = {
owner = "lass";
group = "syncthing";
diff --git a/lass/3modules/acl.nix b/lass/3modules/acl.nix
new file mode 100644
index 000000000..81eeae920
--- /dev/null
+++ b/lass/3modules/acl.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }: let
+ parents = dir:
+ if dir == "/" then
+ [ dir ]
+ else
+ [ dir ] ++ parents (builtins.dirOf dir)
+ ;
+in {
+ options.lass.acl = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
+ options = {
+ rule = lib.mkOption {
+ type = lib.types.str;
+ default = config._module.args.name;
+ };
+ default = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ recursive = lib.mkOption {
+ type = lib.types.bool;
+ default = !config.parents;
+ };
+ parents = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ apply ACL to every parent folder
+ '';
+ };
+ };
+ })));
+ default = {};
+ };
+ config = lib.mkIf (config.lass.acl != {}) {
+ systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" {
+ wantedBy = [ "multi-user.target" ];
+ path = [
+ pkgs.acl
+ pkgs.coreutils
+ ];
+ serviceConfig = {
+ ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
+ lib.mapAttrsToList (_: rule: ''
+ setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path}
+ ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"}
+ ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))}
+ '') rules
+ ));
+ RemainAfterExit = true;
+ Type = "simple";
+ };
+ }) config.lass.acl;
+ };
+}
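Review bot: `${rule.rule}`, `${path}` and `${folder}` are interpolated unquoted into the generated dash script in the three `setfacl` lines, so a path containing whitespace or a shell metacharacter produces a different command than intended; wrapping each in `lib.escapeShellArg` fixes that. The script also has no `set -e` (as far as I can tell `pkgs.writers.writeDash` does not add one), so a failing `setfacl` — for instance when `${path}` does not exist yet at boot — is silently ignored and the unit still reports success; prepending `set -efu` surfaces it. `Type = "simple"` with `RemainAfterExit` does not make units ordered `after` this one wait for the ACLs to be applied; `Type = "oneshot"` does. Finally, `parents` includes `/` itself, so a `parents = true` rule also writes an ACL entry onto the root directory; if that is unintended, stop the recursion before `/`.

```nix
      serviceConfig = {
        ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings (
          [ "set -efu\n" ] ++
          lib.mapAttrsToList (_: rule: let
            rec_ = lib.optionalString rule.recursive "R";
            r = lib.escapeShellArg rule.rule;
            p = lib.escapeShellArg path;
          in ''
            setfacl -${rec_}m ${r} ${p}
            ${lib.optionalString rule.default "setfacl -${rec_}dm ${r} ${p}"}
            ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${r} ${lib.escapeShellArg folder}") (parents path))}
          '') rules
        ));
        RemainAfterExit = true;
        Type = "oneshot";
      };
```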
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 570bb45be..0373bd44c 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -1,6 +1,7 @@
_:
{
imports = [
+ ./acl.nix
./dnsmasq.nix
./folderPerms.nix
./hosts.nix