Diffstat (limited to 'krebs/2configs')
67 files changed, 1432 insertions, 1314 deletions
diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix index 056aa7ae..0b9cb91a 100644 --- a/krebs/2configs/acme.nix +++ b/krebs/2configs/acme.nix @@ -24,7 +24,7 @@ in { path = "/var/lib/step-ca/intermediate_ca.key"; owner.name = "root"; mode = "1444"; - source-path = builtins.toString <secrets> + "/acme_ca.key"; + source-path = "${config.krebs.secret.directory}/acme_ca.key"; }; services.step-ca = { enable = true; diff --git a/krebs/2configs/agenda.html b/krebs/2configs/agenda.html new file mode 100644 index 00000000..9ccfc241 --- /dev/null +++ b/krebs/2configs/agenda.html 
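Review bot: The new `source-path` line installs the intermediate CA private key under the surrounding `owner.name = "root"; mode = "1444";`, and if `mode` is the permission bits of the installed file, that key is readable by every local user. Unless step-ca needs it that way because it runs as a dynamic user, the usual fix is `owner.name` set to the step-ca service user with `mode = "0400"`; for a `DynamicUser` unit, `LoadCredential=` on the service is the alternative. The enclosing attribute set (`in {`) starts outside the hunk.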
@@ -0,0 +1,91 @@ +<!DOCTYPE html> +<html> + <head> + <title>Agenda</title> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1" /> + <style> + html { + font-family: monospace; + } + + dt { + float: left; + clear: left; + width: 30px; + text-align: right; + font-weight: bold; + } + + dd { + margin: 0 0 0 40px; + padding: 0 0 0.5em 0; + } + + .date { + color: grey; + font-style: italic; + } + </style> + </head> + <body> + <dl id="agenda"></dl> + <script> + const urlSearchParams = new URLSearchParams(window.location.search); + const params = Object.fromEntries(urlSearchParams.entries()); + + if (params.hasOwnProperty("style")) { + const cssUrls = params["style"].split(" ").filter((x) => x.length > 0); + for (const cssUrl of cssUrls) + fetch(cssUrl) + .then((response) => + response.text().then((css) => { + const title = document.getElementsByTagName("head")[0]; + const style = document.createElement("style"); + style.appendChild(document.createTextNode(css)); + title.appendChild(style); + }) + ) + .catch(console.log); + } + + fetch("/agenda.json") + .then((response) => { + response.json().then((agenda) => { + const dl = document.getElementById("agenda"); + for (const agendaItem of agenda) { + if (agendaItem.status !== "pending") continue; + // task warrior date format to ISO + const entryDate = agendaItem.entry.replace( + /(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z/, + "$1-$2-$3T$4:$5:$6Z" + ); + + const dt = document.createElement("dt"); + dt.className = "id"; + dt.appendChild(document.createTextNode(agendaItem.id.toString())); + dl.appendChild(dt); + + const spanDate = document.createElement("span"); + spanDate.className = "date"; + spanDate.title = new Date(entryDate).toString(); + spanDate.appendChild(document.createTextNode(entryDate)); + + const link = document.createElement("a"); + link.href = "http://wiki.r/agenda/" + encodeURIComponent(agendaItem.description.replaceAll("/", "\u29F8")); // we use big solidus instead 
of slash because gollum will create directories + link.appendChild(document.createTextNode(agendaItem.description)); + + const dd = document.createElement("dd"); + dd.className = "description"; + dd.appendChild(link); + dd.appendChild(document.createTextNode(" ")); + dd.appendChild(spanDate); + + dl.appendChild(dd); + } + }); + }) + .then((data) => console.log(data)); + </script> + </body> +</html> diff --git a/krebs/2configs/backup.nix b/krebs/2configs/backup.nix index 7ee43878..83dbf66f 100644 --- a/krebs/2configs/backup.nix +++ b/krebs/2configs/backup.nix @@ -1,5 +1,5 @@ { config, lib, ... }: -with import <stockholm/lib>; +with lib; { krebs.backup.plans = { } // mapAttrs (_: recursiveUpdate { diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix index 9fc6a79e..32452e01 100644 --- a/krebs/2configs/buildbot-stockholm.nix +++ b/krebs/2configs/buildbot-stockholm.nix @@ -1,5 +1,5 @@ -{ config, ... }: with import <stockholm/lib>; - +{ config, lib, ... }: +with import ../../lib/pure.nix { inherit lib; }; { networking.firewall.allowedTCPPorts = [ 80 ]; services.nginx = { @@ -21,21 +21,21 @@ disko.urls = [ "http://cgit.gum.r/disko" "http://cgit.ni.r/disko" - "http://cgit.prism.r/disko" + "http://cgit.orange.r/disko" ]; krops.urls = [ "http://cgit.ni.r/krops" - "http://cgit.prism.r/krops" + "http://cgit.orange.r/krops" "https://github.com/krebs/krops.git" ]; nix_writers.urls = [ "http://cgit.ni.r/nix-writers" - "http://cgit.prism.r/nix-writers" + "http://cgit.orange.r/nix-writers" ]; stockholm.urls = [ "http://cgit.gum.r/stockholm" "http://cgit.ni.r/stockholm" - "http://cgit.prism.r/stockholm" + "http://cgit.orange.r/stockholm" ]; }; }; diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix index 74f34561..1ac63eaf 100644 --- a/krebs/2configs/cache.nsupdate.info.nix +++ b/krebs/2configs/cache.nsupdate.info.nix 
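Review bot: The `style` query parameter is fetched and injected verbatim as a `<style>` element, so any link to this page can pull in arbitrary cross-origin CSS and restyle or overlay the agenda. Restricting it to same-origin stylesheets keeps the feature while closing that off: `const sameOrigin = (u) => new URL(u, location.href).origin === location.origin;` and `const cssUrls = params["style"].split(" ").filter((x) => x.length > 0 && sameOrigin(x));`. Separately, the `/agenda.json` chain never returns the inner `response.json()` promise, so the trailing `.then((data) => console.log(data))` always logs `undefined` and a failed fetch or malformed JSON becomes an unhandled rejection; returning the inner promise and ending the chain with a `.catch` fixes both. Neither fetch checks `response.ok`, so a 404 body would be parsed as CSS or JSON.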
@@ -9,7 +9,7 @@ in { enable = true; server = "ipv4.nsupdate.info"; username = domain; - password = import ((toString <secrets>) + "/nsupdate-cache.nix"); + password = import "${config.krebs.secret.directory}/nsupdate-cache.nix"; domains = [ domain ]; use= "if, if=et0"; # use = "web, web=http://ipv4.nsupdate.info/myip"; diff --git a/krebs/2configs/cal.nix b/krebs/2configs/cal.nix new file mode 100644 index 00000000..1a0cdf01 --- /dev/null +++ b/krebs/2configs/cal.nix 
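Review bot: The new `password = import "${config.krebs.secret.directory}/nsupdate-cache.nix"` still evaluates the secret at build time, so the ddclient password is written into the generated configuration in the world-readable Nix store (and into any binary cache the system pushes to), exactly as with the old `<secrets>` path. If the ddclient module in use offers a file-based option (`services.ddclient.passwordFile` in older releases, a `configFile` in newer ones), pointing it at the secret file at runtime avoids that; otherwise a comment acknowledging the store exposure is warranted. The enclosing `in {` attribute set starts outside the hunk.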
@@ -0,0 +1,117 @@ +{ config, lib, pkgs, ... }: let + slib = import ../../lib/pure.nix { inherit lib; }; + + setupGit = '' + export PATH=${lib.makeBinPath [ + pkgs.coreutils + pkgs.git + ]} + export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i /var/lib/radicale/.ssh/id_ed25519' + repo='git@localhost:cal' + cd /var/lib/radicale/collections + if ! test -d .git; then + git init + git config user.name "radicale" + git config user.email "radicale@${config.networking.hostName}" + elif ! url=$(git config remote.origin.url); then + git remote add origin "$repo" + elif test "$url" != "$repo"; then + git remote set-url origin "$repo" + fi + cp ${pkgs.writeText "gitignore" '' + .Radicale.cache + ''} .gitignore + git add .gitignore + ''; + + pushCal = pkgs.writers.writeDash "push_cal" '' + ${setupGit} + git fetch origin + git merge --ff-only origin/master || : + ''; + + pushCgit = pkgs.writers.writeDash "push_cgit" '' + ${setupGit} + git push origin master + ''; + +in { + services.radicale = { + enable = true; + rights = { + krebs = { + user = ".*"; + collection = ".*"; + permissions = "rRwW"; + }; + }; + settings = { + auth.type = "none"; + server.hosts = [ + "0.0.0.0:5232" + "[::]:5232" + ]; + storage.filesystem_folder = "/var/lib/radicale/collections"; + storage.hook = "${pkgs.writers.writeDash "radicale-hook" '' + set -efu + ${setupGit} + ${pkgs.git}/bin/git add -A + (${pkgs.git}/bin/git diff --cached --quiet || ${pkgs.git}/bin/git commit -m "Changes by \"$1\"") + ${pushCgit} + ''} %(user)s"; + }; + }; + + services.nginx = { + enable = true; + + virtualHosts = { + "calendar.r".locations."/".proxyPass = "http://localhost:5232/"; + }; + }; + krebs.git = { + enable = true; + cgit.settings = { + root-title = "krebs repos"; + }; + rules = with slib.git; [ + { + user = [ + { + name = "cal"; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGe1jtHaNFZKmWemWQVEGVYj+s4QGJaL9WYH+wokOZie"; + } + ] ++ (lib.attrValues config.krebs.users); + repo = [ config.krebs.git.repos.cal ]; + perm = 
push ''refs/heads/master'' [ create merge ]; + } + ]; + repos.cal = { + public = true; + name = "cal"; + hooks = { + post-receive = '' + ${pkgs.git-hooks.irc-announce { + channel = "#xxx"; + refs = [ + "refs/heads/master" + ]; + nick = config.networking.hostName; + server = "irc.r"; + verbose = true; + }} + /run/wrappers/bin/sudo -S -u radicale ${pushCal} + ''; + }; + }; + }; + krebs.secret.files.calendar = { + path = "/var/lib/radicale/.ssh/id_ed25519"; + owner = { name = "radicale"; }; + source-path = "${config.krebs.secret.directory}/radicale.id_ed25519"; + }; + + security.sudo.extraConfig = '' + git ALL=(radicale) NOPASSWD: ${pushCal} + ''; +} diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 38d77031..5d64555c 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import <stockholm/lib>; +with import ../../lib/pure.nix { inherit lib; }; { imports = [ ./backup.nix @@ -8,7 +8,17 @@ with import <stockholm/lib>; ]; krebs.announce-activation.enable = true; krebs.enable = true; - krebs.tinc.retiolum.enable = mkDefault true; + + # retiolum + krebs.tinc.retiolum = { + enable = mkDefault true; + extraConfig = '' + AutoConnect = yes + LocalDiscovery = yes + ''; + }; + networking.firewall.allowedTCPPorts = [ 655 ]; + networking.firewall.allowedUDPPorts = [ 655 ]; # trust krebs ACME CA krebs.ssl.trustIntermediate = true; @@ -27,9 +37,6 @@ with import <stockholm/lib>; ]; console.keyMap = "us"; - i18n = { - defaultLocale = lib.mkForce "C"; - }; programs.ssh.startAgent = false; 
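Review bot: radicale is configured with `auth.type = "none"` and a rights rule granting `rRwW` to user `.*` on every collection, while `server.hosts` binds `0.0.0.0:5232` and `[::]:5232`; nothing in this file restricts who can reach that port, so every network the host sits on gets unauthenticated read/write access to all calendars. Since nginx already fronts it as `calendar.r`, binding to loopback, `server.hosts = [ "127.0.0.1:5232" "[::1]:5232" ];`, limits exposure to the proxy unless direct retiolum access is intended, in which case a firewall rule or a comment stating that would help. A smaller issue in `setupGit`: as far as I can tell, `cp` of the store-provided gitignore creates a read-only `.gitignore`, and on the next run `cp` cannot truncate it as the non-root radicale user, which under `set -efu` in the storage hook aborts before `git add -A`; `cp -f` (or `install -m 644`) sidesteps that.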
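Review bot: The new firewall lines open 655/tcp and 655/udp unconditionally on every host importing this file, while `krebs.tinc.retiolum.enable` is only `mkDefault true` and can be switched off per host; the two should be tied together, e.g. `networking.firewall.allowedTCPPorts = lib.mkIf config.krebs.tinc.retiolum.enable [ 655 ];` and the same for `allowedUDPPorts`. If the tinc module already opens its port when enabled, these lines are redundant rather than wrong, but then they deserve a comment saying so. The hunk sits inside the top-level attribute set whose start and end are outside it.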
@@ -51,13 +58,16 @@ with import <stockholm/lib>; users.mutableUsers = false; users.extraUsers.root.openssh.authorizedKeys.keys = [ - config.krebs.users.jeschli-brauerei.pubkey config.krebs.users.lass.pubkey - config.krebs.users.lass-mors.pubkey config.krebs.users.makefu.pubkey config.krebs.users.tv.pubkey + config.krebs.users.kmein.pubkey + config.krebs.users.mic92.pubkey ]; # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "17.03"; + + # maybe fix Error: unsupported locales detected: + i18n.defaultLocale = mkDefault "C.UTF-8"; } diff --git a/krebs/2configs/exim-smarthost.nix b/krebs/2configs/exim-smarthost.nix index 82f8ec94..6445783f 100644 --- a/krebs/2configs/exim-smarthost.nix +++ b/krebs/2configs/exim-smarthost.nix @@ -1,5 +1,6 @@ -with import <stockholm/lib>; -{ config, ... }: let +{ config, lib, ... }: +with import ../../lib/pure.nix { inherit lib; }; +let format = from: to: { inherit from; @@ -16,6 +17,13 @@ in { tv ]; eloop-ml = spam-ml; + krebstel-ml = [ + config.krebs.users."0x4A6F" + { mail = "krebstel-1rxz0mqa95nkmk298s1731ly0ii7vc36kkm36pnjj89hrq52pgn1@ni.r"; } + { mail = "krebstel-1difh7483axpiaq92ghi14r5cql822wbhixqb0nn3y3jkcj0b785@ni.r"; } + { mail = "lass@green.r"; } + tv + ]; spam-ml = [ lass makefu @@ -28,10 +36,12 @@ in { "spam@eloop.org" = eloop-ml; "youtube@eloop.org" = eloop-ml; # obsolete, use spam@eloop.org instead "postmaster@krebsco.de" = spam-ml; # RFC 822 + "krebstel@krebsco.de" = krebstel-ml; "lass@krebsco.de" = lass; "makefu@krebsco.de" = makefu; "spam@krebsco.de" = spam-ml; "tv@krebsco.de" = tv; + "xkey@krebsco.de" = { mail = "lennart@cope.cool"; }; # XXX These are no internet aliases # XXX exim-retiolum hosts should be able to relay to retiolum addresses "lass@retiolum" = lass; diff --git a/krebs/2configs/go.nix b/krebs/2configs/go.nix index ce5db62d..ea3258b9 100644 --- a/krebs/2configs/go.nix +++ b/krebs/2configs/go.nix 
@@ -1,6 +1,5 @@ { config, lib, pkgs, ... }: -with import <stockholm/lib>; { krebs.go = { enable = true; diff --git a/krebs/2configs/hotdog-host.nix b/krebs/2configs/hotdog-host.nix new file mode 100644 index 00000000..ab2b22b7 --- /dev/null +++ b/krebs/2configs/hotdog-host.nix @@ -0,0 +1,10 @@ +{ config, ... }: +{ + krebs.sync-containers3.containers.hotdog = { + sshKey = "${config.krebs.secret.directory}/hotdog.sync.key"; + }; + containers.hotdog.bindMounts."/var/lib" = { + hostPath = "/var/lib/sync-containers3/hotdog/state"; + isReadOnly = false; + }; +} diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix index bb273652..980c2c9a 100644 --- a/krebs/2configs/hw/x220.nix +++ b/krebs/2configs/hw/x220.nix @@ -1,6 +1,5 @@ { config, lib, pkgs, ... }: -with import <stockholm/lib>; { networking.wireless.enable = lib.mkDefault true; diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index c6c91e07..b82aba45 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -5,9 +5,10 @@ 6667 ]; - krebs.ergo = { + services.ergochat = { enable = true; - config = { + settings = { + server.name = "irc.r"; server.secure-nets = [ "42::0/16" "10.240.0.0/12" @@ -37,6 +38,7 @@ hidden = false; password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO"; }; + server.lookup-hostnames = true; }; }; } diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix new file mode 100644 index 00000000..b579a503 --- /dev/null +++ b/krebs/2configs/mastodon-proxy.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, ... }: +{ + services.nginx = { + enable = true; + virtualHosts."social.krebsco.de" = { + forceSSL = true; + enableACME = true; + acmeFallbackHost = "hotdog.r"; + locations."/" = { + # TODO use this in 22.11 + recommendedProxySettings = true; + proxyPass = "https://hotdog.r"; + proxyWebsockets = true; + }; + }; + }; +} 
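Review bot: `proxyPass = "https://hotdog.r"` gives transport encryption but no upstream authentication, because nginx's `proxy_ssl_verify` defaults to off and no `proxy_ssl_trusted_certificate` is set, so any host answering as hotdog.r with any certificate is accepted. If this hop runs only over retiolum that may be acceptable, but it should be stated in a comment; otherwise add `extraConfig` with `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate` pointing at the CA that issued the backend certificate, and `proxy_ssl_server_name on;` so SNI is sent. The `# TODO use this in 22.11` comment above `recommendedProxySettings = true` reads as if the option were disabled, yet it is set; either drop the comment or say what changes in 22.11.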
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix new file mode 100644 index 00000000..ebc4207a --- /dev/null +++ b/krebs/2configs/mastodon.nix @@ -0,0 +1,42 @@ +{ config, lib, pkgs, ... }: +{ + services.postgresql = { + enable = true; + dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}"; + package = pkgs.postgresql_16; + }; + systemd.tmpfiles.rules = [ + "d /var/state/postgresql 0700 postgres postgres -" + ]; + + services.mastodon = { + enable = true; + localDomain = "social.krebsco.de"; + configureNginx = true; + streamingProcesses = 3; + trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr; + smtp.createLocally = false; + smtp.fromAddress = "derp"; + }; + + security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + + networking.firewall.allowedTCPPorts = [ + 80 + 443 + ]; + + environment.systemPackages = [ + (pkgs.writers.writeDashBin "clear-mastodon-cache" '' + mastodon-tootctl media remove --prune-profiles --days=14 --concurrency=30 + mastodon-tootctl media remove-orphans + mastodon-tootctl preview_cards remove --days=14 + '') + (pkgs.writers.writeDashBin "create-mastodon-user" '' + set -efu + nick=$1 + /run/current-system/sw/bin/tootctl accounts create "$nick" --email "$nick"@krebsco.de --confirmed + /run/current-system/sw/bin/tootctl accounts approve "$nick" + '') + ]; +} diff --git a/krebs/2configs/matterbridge.nix b/krebs/2configs/matterbridge.nix index a68aa292..f4292182 100644 --- a/krebs/2configs/matterbridge.nix +++ b/krebs/2configs/matterbridge.nix @@ -2,7 +2,7 @@ services.matterbridge = { enable = true; configPath = let - bridgeBotToken = lib.strings.fileContents <secrets/telegram.token>; + bridgeBotToken = lib.strings.fileContents "${config.krebs.secret.directory}/telegram.token"; in toString ((pkgs.formats.toml {}).generate "config.toml" { general = { 
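Review bot: `security.acme.certs."social.krebsco.de".server` points at the Let's Encrypt staging directory, so the certificate mastodon's own nginx serves comes from an untrusted CA; that only works because the upstream proxy does not verify it, and it looks like a leftover from testing that should be removed or commented as intentional. `smtp.fromAddress = "derp"` is not an e-mail address, so notification mail (password resets, confirmations) will go out with an invalid From header and is likely to be rejected. The two helper scripts also disagree on the entry point: `clear-mastodon-cache` calls `mastodon-tootctl` while `create-mastodon-user` calls `/run/current-system/sw/bin/tootctl`; as far as I know the `mastodon-tootctl` wrapper is what carries the service environment, so the bare `tootctl` call may fail outside the service context — worth checking and unifying.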
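Review bot: `lib.strings.fileContents` reads the Telegram bot token during evaluation, so the token is embedded in the generated `config.toml` in the Nix store, readable by every local user and shipped to any binary cache; switching the path to `config.krebs.secret.directory` does not change that. If the token is to stay out of the store, the config should reference a file read at service start (for example generated into the service's runtime directory by a `preStart` from the secret file) rather than inlining it at eval time. The enclosing `services.matterbridge` attribute set continues outside the hunk.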
@@ -10,14 +10,10 @@ Charset = "utf-8"; }; telegram.krebs.Token = bridgeBotToken; - irc = let + irc.hackint = { + Server = "irc.hackint.org:6697"; + UseTLS = true; Nick = "ponte"; - in { - hackint |