Diffstat (limited to 'krebs/2configs')
-rw-r--r--krebs/2configs/acme.nix2
-rw-r--r--krebs/2configs/agenda.html91
-rw-r--r--krebs/2configs/backup.nix2
-rw-r--r--krebs/2configs/buildbot-stockholm.nix12
-rw-r--r--krebs/2configs/cache.nsupdate.info.nix2
-rw-r--r--krebs/2configs/cal.nix117
-rw-r--r--krebs/2configs/default.nix24
-rw-r--r--krebs/2configs/exim-smarthost.nix14
-rw-r--r--krebs/2configs/go.nix1
-rw-r--r--krebs/2configs/hotdog-host.nix10
-rw-r--r--krebs/2configs/hw/x220.nix1
-rw-r--r--krebs/2configs/ircd.nix6
-rw-r--r--krebs/2configs/mastodon-proxy.nix17
-rw-r--r--krebs/2configs/mastodon.nix42
-rw-r--r--krebs/2configs/matterbridge.nix12
-rw-r--r--krebs/2configs/nameserver.nix179
-rw-r--r--krebs/2configs/news-host.nix13
-rw-r--r--krebs/2configs/news.nix9
-rw-r--r--krebs/2configs/nginx.nix24
-rw-r--r--krebs/2configs/reaktor2.nix594
-rw-r--r--krebs/2configs/repo-sync.nix115
-rw-r--r--krebs/2configs/secret-passwords.nix5
-rw-r--r--krebs/2configs/security-workarounds.nix25
-rwxr-xr-xkrebs/2configs/shack/doorstatus.sh3
-rw-r--r--krebs/2configs/shack/drivedroid.nix4
-rw-r--r--krebs/2configs/shack/gitlab-runner.nix4
-rw-r--r--krebs/2configs/shack/glados/automation/ampel.nix23
-rw-r--r--krebs/2configs/shack/glados/automation/announcement.j228
-rw-r--r--krebs/2configs/shack/glados/automation/hass-restart.nix24
-rw-r--r--krebs/2configs/shack/glados/automation/party-time.nix32
-rw-r--r--krebs/2configs/shack/glados/automation/shack-startup.nix100
-rw-r--r--krebs/2configs/shack/glados/default.nix156
-rw-r--r--krebs/2configs/shack/glados/deps/gtts-token.nix27
-rw-r--r--krebs/2configs/shack/glados/deps/pyhaversion.nix33
-rw-r--r--krebs/2configs/shack/glados/lib/default.nix66
-rw-r--r--krebs/2configs/shack/glados/multi/rollos.nix59
-rw-r--r--krebs/2configs/shack/glados/multi/schlechte_luft.nix109
-rw-r--r--krebs/2configs/shack/glados/multi/shackopen.nix26
-rw-r--r--krebs/2configs/shack/glados/multi/wasser.nix113
-rw-r--r--krebs/2configs/shack/glados/sensors/darksky.nix24
-rw-r--r--krebs/2configs/shack/glados/sensors/mate.nix20
-rw-r--r--krebs/2configs/shack/glados/sensors/power.nix29
-rw-r--r--krebs/2configs/shack/glados/sensors/sensemap.nix9
-rw-r--r--krebs/2configs/shack/glados/sensors/spaceapi.nix55
-rw-r--r--krebs/2configs/shack/glados/sensors/unifi.nix6
-rw-r--r--krebs/2configs/shack/glados/switch/power.nix44
-rw-r--r--krebs/2configs/shack/grafana.nix18
-rw-r--r--krebs/2configs/shack/influx.nix10
-rw-r--r--krebs/2configs/shack/mqtt_sub.nix2
-rw-r--r--krebs/2configs/shack/muell_caller.nix4
-rw-r--r--krebs/2configs/shack/muell_mail.nix2
-rw-r--r--krebs/2configs/shack/nix-cacher.nix2
-rw-r--r--krebs/2configs/shack/power/u300-power.nix29
-rw-r--r--krebs/2configs/shack/prometheus/alert-rules.nix21
-rw-r--r--krebs/2configs/shack/prometheus/alertmanager-telegram.nix17
-rw-r--r--krebs/2configs/shack/prometheus/irc-alerts.py207
-rw-r--r--krebs/2configs/shack/prometheus/irc-hooks.nix59
-rw-r--r--krebs/2configs/shack/prometheus/server.nix5
-rw-r--r--krebs/2configs/shack/prometheus/unifi.nix2
-rw-r--r--krebs/2configs/shack/radioactive.nix2
-rw-r--r--krebs/2configs/shack/reaktor.nix15
-rw-r--r--krebs/2configs/shack/s3-power.nix2
-rw-r--r--krebs/2configs/shack/worlddomination.nix2
-rw-r--r--krebs/2configs/stats/shack-debugging.nix2
-rw-r--r--krebs/2configs/syncthing.nix18
-rw-r--r--krebs/2configs/tor/initrd.nix6
-rw-r--r--krebs/2configs/wiki.nix10
67 files changed, 1432 insertions, 1314 deletions
diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix
index 056aa7ae..0b9cb91a 100644
--- a/krebs/2configs/acme.nix
+++ b/krebs/2configs/acme.nix
@@ -24,7 +24,7 @@ in {
path = "/var/lib/step-ca/intermediate_ca.key";
owner.name = "root";
mode = "1444";
- source-path = builtins.toString <secrets> + "/acme_ca.key";
+ source-path = "${config.krebs.secret.directory}/acme_ca.key";
};
services.step-ca = {
enable = true;
diff --git a/krebs/2configs/agenda.html b/krebs/2configs/agenda.html
new file mode 100644
index 00000000..9ccfc241
--- /dev/null
+++ b/krebs/2configs/agenda.html
@@ -0,0 +1,91 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <title>Agenda</title>
+ <meta charset="utf-8" />
+ <meta name="viewport" content="width=device-width, initial-scale=1" />
+ <style>
+ html {
+ font-family: monospace;
+ }
+
+ dt {
+ float: left;
+ clear: left;
+ width: 30px;
+ text-align: right;
+ font-weight: bold;
+ }
+
+ dd {
+ margin: 0 0 0 40px;
+ padding: 0 0 0.5em 0;
+ }
+
+ .date {
+ color: grey;
+ font-style: italic;
+ }
+ </style>
+ </head>
+ <body>
+ <dl id="agenda"></dl>
+ <script>
+ const urlSearchParams = new URLSearchParams(window.location.search);
+ const params = Object.fromEntries(urlSearchParams.entries());
+
+ if (params.hasOwnProperty("style")) {
+ const cssUrls = params["style"].split(" ").filter((x) => x.length > 0);
+ for (const cssUrl of cssUrls)
+ fetch(cssUrl)
+ .then((response) =>
+ response.text().then((css) => {
+ const title = document.getElementsByTagName("head")[0];
+ const style = document.createElement("style");
+ style.appendChild(document.createTextNode(css));
+ title.appendChild(style);
+ })
+ )
+ .catch(console.log);
+ }
+
+ fetch("/agenda.json")
+ .then((response) => {
+ response.json().then((agenda) => {
+ const dl = document.getElementById("agenda");
+ for (const agendaItem of agenda) {
+ if (agendaItem.status !== "pending") continue;
+ // task warrior date format to ISO
+ const entryDate = agendaItem.entry.replace(
+ /(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z/,
+ "$1-$2-$3T$4:$5:$6Z"
+ );
+
+ const dt = document.createElement("dt");
+ dt.className = "id";
+ dt.appendChild(document.createTextNode(agendaItem.id.toString()));
+ dl.appendChild(dt);
+
+ const spanDate = document.createElement("span");
+ spanDate.className = "date";
+ spanDate.title = new Date(entryDate).toString();
+ spanDate.appendChild(document.createTextNode(entryDate));
+
+ const link = document.createElement("a");
+ link.href = "http://wiki.r/agenda/" + encodeURIComponent(agendaItem.description.replaceAll("/", "\u29F8")); // we use big solidus instead of slash because gollum will create directories
+ link.appendChild(document.createTextNode(agendaItem.description));
+
+ const dd = document.createElement("dd");
+ dd.className = "description";
+ dd.appendChild(link);
+ dd.appendChild(document.createTextNode(" "));
+ dd.appendChild(spanDate);
+
+ dl.appendChild(dd);
+ }
+ });
+ })
+ .then((data) => console.log(data));
+ </script>
+ </body>
+</html>
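Review bot: The `style` handling lets any URL named in `?style=` be fetched (subject to CORS) and its body inserted as a `<style>` element, so whoever crafts a link to this page controls its presentation; restricting the list to same-origin stylesheets, e.g. `const cssUrls = params["style"].split(" ").filter((x) => x.length > 0 && new URL(x, location.href).origin === location.origin);`, keeps the feature without pulling third-party CSS. In the agenda fetch the inner `response.json().then(...)` promise is not returned, so a JSON parse failure or a missing `id`/`description` field becomes an unhandled rejection and the trailing `.then((data) => console.log(data))` only ever logs `undefined`; `return response.json().then(...)` (or an `async` handler with `await`) fixes both. Neither fetch checks `response.ok`, so an HTML error page is handed to the CSS or JSON path as if it were data.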
diff --git a/krebs/2configs/backup.nix b/krebs/2configs/backup.nix
index 7ee43878..83dbf66f 100644
--- a/krebs/2configs/backup.nix
+++ b/krebs/2configs/backup.nix
@@ -1,5 +1,5 @@
{ config, lib, ... }:
-with import <stockholm/lib>;
+with lib;
{
krebs.backup.plans = {
} // mapAttrs (_: recursiveUpdate {
diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix
index 9fc6a79e..32452e01 100644
--- a/krebs/2configs/buildbot-stockholm.nix
+++ b/krebs/2configs/buildbot-stockholm.nix
@@ -1,5 +1,5 @@
-{ config, ... }: with import <stockholm/lib>;
-
+{ config, lib, ... }:
+with import ../../lib/pure.nix { inherit lib; };
{
networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = {
@@ -21,21 +21,21 @@
disko.urls = [
"http://cgit.gum.r/disko"
"http://cgit.ni.r/disko"
- "http://cgit.prism.r/disko"
+ "http://cgit.orange.r/disko"
];
krops.urls = [
"http://cgit.ni.r/krops"
- "http://cgit.prism.r/krops"
+ "http://cgit.orange.r/krops"
"https://github.com/krebs/krops.git"
];
nix_writers.urls = [
"http://cgit.ni.r/nix-writers"
- "http://cgit.prism.r/nix-writers"
+ "http://cgit.orange.r/nix-writers"
];
stockholm.urls = [
"http://cgit.gum.r/stockholm"
"http://cgit.ni.r/stockholm"
- "http://cgit.prism.r/stockholm"
+ "http://cgit.orange.r/stockholm"
];
};
};
diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix
index 74f34561..1ac63eaf 100644
--- a/krebs/2configs/cache.nsupdate.info.nix
+++ b/krebs/2configs/cache.nsupdate.info.nix
@@ -9,7 +9,7 @@ in {
enable = true;
server = "ipv4.nsupdate.info";
username = domain;
- password = import ((toString <secrets>) + "/nsupdate-cache.nix");
+ password = import "${config.krebs.secret.directory}/nsupdate-cache.nix";
domains = [ domain ];
use= "if, if=et0";
# use = "web, web=http://ipv4.nsupdate.info/myip";
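Review bot: `import "${config.krebs.secret.directory}/nsupdate-cache.nix"` still evaluates the password at Nix evaluation time, so its value is embedded in the generated ddclient configuration in the Nix store, which is presumably readable by every local user; the commit only changes where the secret is read from. If the ddclient module in use offers a file-based password option, pointing it at the secret path instead keeps the value out of the store. The same pattern appears in matterbridge.nix, where `lib.strings.fileContents "${config.krebs.secret.directory}/telegram.token"` puts the bot token into the generated config.toml.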
diff --git a/krebs/2configs/cal.nix b/krebs/2configs/cal.nix
new file mode 100644
index 00000000..1a0cdf01
--- /dev/null
+++ b/krebs/2configs/cal.nix
@@ -0,0 +1,117 @@
+{ config, lib, pkgs, ... }: let
+ slib = import ../../lib/pure.nix { inherit lib; };
+
+ setupGit = ''
+ export PATH=${lib.makeBinPath [
+ pkgs.coreutils
+ pkgs.git
+ ]}
+ export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i /var/lib/radicale/.ssh/id_ed25519'
+ repo='git@localhost:cal'
+ cd /var/lib/radicale/collections
+ if ! test -d .git; then
+ git init
+ git config user.name "radicale"
+ git config user.email "radicale@${config.networking.hostName}"
+ elif ! url=$(git config remote.origin.url); then
+ git remote add origin "$repo"
+ elif test "$url" != "$repo"; then
+ git remote set-url origin "$repo"
+ fi
+ cp ${pkgs.writeText "gitignore" ''
+ .Radicale.cache
+ ''} .gitignore
+ git add .gitignore
+ '';
+
+ pushCal = pkgs.writers.writeDash "push_cal" ''
+ ${setupGit}
+ git fetch origin
+ git merge --ff-only origin/master || :
+ '';
+
+ pushCgit = pkgs.writers.writeDash "push_cgit" ''
+ ${setupGit}
+ git push origin master
+ '';
+
+in {
+ services.radicale = {
+ enable = true;
+ rights = {
+ krebs = {
+ user = ".*";
+ collection = ".*";
+ permissions = "rRwW";
+ };
+ };
+ settings = {
+ auth.type = "none";
+ server.hosts = [
+ "0.0.0.0:5232"
+ "[::]:5232"
+ ];
+ storage.filesystem_folder = "/var/lib/radicale/collections";
+ storage.hook = "${pkgs.writers.writeDash "radicale-hook" ''
+ set -efu
+ ${setupGit}
+ ${pkgs.git}/bin/git add -A
+ (${pkgs.git}/bin/git diff --cached --quiet || ${pkgs.git}/bin/git commit -m "Changes by \"$1\"")
+ ${pushCgit}
+ ''} %(user)s";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts = {
+ "calendar.r".locations."/".proxyPass = "http://localhost:5232/";
+ };
+ };
+ krebs.git = {
+ enable = true;
+ cgit.settings = {
+ root-title = "krebs repos";
+ };
+ rules = with slib.git; [
+ {
+ user = [
+ {
+ name = "cal";
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGe1jtHaNFZKmWemWQVEGVYj+s4QGJaL9WYH+wokOZie";
+ }
+ ] ++ (lib.attrValues config.krebs.users);
+ repo = [ config.krebs.git.repos.cal ];
+ perm = push ''refs/heads/master'' [ create merge ];
+ }
+ ];
+ repos.cal = {
+ public = true;
+ name = "cal";
+ hooks = {
+ post-receive = ''
+ ${pkgs.git-hooks.irc-announce {
+ channel = "#xxx";
+ refs = [
+ "refs/heads/master"
+ ];
+ nick = config.networking.hostName;
+ server = "irc.r";
+ verbose = true;
+ }}
+ /run/wrappers/bin/sudo -S -u radicale ${pushCal}
+ '';
+ };
+ };
+ };
+ krebs.secret.files.calendar = {
+ path = "/var/lib/radicale/.ssh/id_ed25519";
+ owner = { name = "radicale"; };
+ source-path = "${config.krebs.secret.directory}/radicale.id_ed25519";
+ };
+
+ security.sudo.extraConfig = ''
+ git ALL=(radicale) NOPASSWD: ${pushCal}
+ '';
+}
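Review bot: `auth.type = "none"` together with the `krebs` rights rule (`user = ".*"`, `collection = ".*"`, `permissions = "rRwW"`) gives every client unauthenticated read and write access to all collections, and `server.hosts` binds that listener on every interface (`0.0.0.0:5232`, `[::]:5232`) although the only intended path is the nginx proxy to `http://localhost:5232/`. Binding to loopback, `server.hosts = [ "127.0.0.1:5232" "[::1]:5232" ];`, limits exposure to what nginx forwards; whether the host firewall blocks 5232 is not visible in this file. The storage hook passes `%(user)s` into `git commit -m "Changes by \"$1\""` only as a quoted positional parameter, so it is not re-parsed by the shell, but with `auth.type = "none"` that name is whatever the client claims, which is worth a comment. `channel = "#xxx"` in the post-receive irc-announce looks like a placeholder.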
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 38d77031..5d64555c 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -1,6 +1,6 @@
{ config, lib, pkgs, ... }:
-with import <stockholm/lib>;
+with import ../../lib/pure.nix { inherit lib; };
{
imports = [
./backup.nix
@@ -8,7 +8,17 @@ with import <stockholm/lib>;
];
krebs.announce-activation.enable = true;
krebs.enable = true;
- krebs.tinc.retiolum.enable = mkDefault true;
+
+ # retiolum
+ krebs.tinc.retiolum = {
+ enable = mkDefault true;
+ extraConfig = ''
+ AutoConnect = yes
+ LocalDiscovery = yes
+ '';
+ };
+ networking.firewall.allowedTCPPorts = [ 655 ];
+ networking.firewall.allowedUDPPorts = [ 655 ];
# trust krebs ACME CA
krebs.ssl.trustIntermediate = true;
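Review bot: `networking.firewall.allowedTCPPorts = [ 655 ]` and the matching UDP line open tinc's port unconditionally, while `krebs.tinc.retiolum.enable` is only `mkDefault true` and may be switched off per host, leaving the port open with nothing listening. Guarding both with the option keeps them in step: `networking.firewall.allowedTCPPorts = lib.mkIf config.krebs.tinc.retiolum.enable [ 655 ];` and likewise for `allowedUDPPorts`. `LocalDiscovery = yes` in `extraConfig` deserves a one-line comment on why it is enabled for every krebs host, since it changes how tinc finds peers on the local network.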
@@ -27,9 +37,6 @@ with import <stockholm/lib>;
];
console.keyMap = "us";
- i18n = {
- defaultLocale = lib.mkForce "C";
- };
programs.ssh.startAgent = false;
@@ -51,13 +58,16 @@ with import <stockholm/lib>;
users.mutableUsers = false;
users.extraUsers.root.openssh.authorizedKeys.keys = [
- config.krebs.users.jeschli-brauerei.pubkey
config.krebs.users.lass.pubkey
- config.krebs.users.lass-mors.pubkey
config.krebs.users.makefu.pubkey
config.krebs.users.tv.pubkey
+ config.krebs.users.kmein.pubkey
+ config.krebs.users.mic92.pubkey
];
# The NixOS release to be compatible with for stateful data such as databases.
system.stateVersion = "17.03";
+
+ # maybe fix Error: unsupported locales detected:
+ i18n.defaultLocale = mkDefault "C.UTF-8";
}
diff --git a/krebs/2configs/exim-smarthost.nix b/krebs/2configs/exim-smarthost.nix
index 82f8ec94..6445783f 100644
--- a/krebs/2configs/exim-smarthost.nix
+++ b/krebs/2configs/exim-smarthost.nix
@@ -1,5 +1,6 @@
-with import <stockholm/lib>;
-{ config, ... }: let
+{ config, lib, ... }:
+with import ../../lib/pure.nix { inherit lib; };
+let
format = from: to: {
inherit from;
@@ -16,6 +17,13 @@ in {
tv
];
eloop-ml = spam-ml;
+ krebstel-ml = [
+ config.krebs.users."0x4A6F"
+ { mail = "krebstel-1rxz0mqa95nkmk298s1731ly0ii7vc36kkm36pnjj89hrq52pgn1@ni.r"; }
+ { mail = "krebstel-1difh7483axpiaq92ghi14r5cql822wbhixqb0nn3y3jkcj0b785@ni.r"; }
+ { mail = "lass@green.r"; }
+ tv
+ ];
spam-ml = [
lass
makefu
@@ -28,10 +36,12 @@ in {
"spam@eloop.org" = eloop-ml;
"youtube@eloop.org" = eloop-ml; # obsolete, use spam@eloop.org instead
"postmaster@krebsco.de" = spam-ml; # RFC 822
+ "krebstel@krebsco.de" = krebstel-ml;
"lass@krebsco.de" = lass;
"makefu@krebsco.de" = makefu;
"spam@krebsco.de" = spam-ml;
"tv@krebsco.de" = tv;
+ "xkey@krebsco.de" = { mail = "lennart@cope.cool"; };
# XXX These are no internet aliases
# XXX exim-retiolum hosts should be able to relay to retiolum addresses
"lass@retiolum" = lass;
diff --git a/krebs/2configs/go.nix b/krebs/2configs/go.nix
index ce5db62d..ea3258b9 100644
--- a/krebs/2configs/go.nix
+++ b/krebs/2configs/go.nix
@@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
-with import <stockholm/lib>;
{
krebs.go = {
enable = true;
diff --git a/krebs/2configs/hotdog-host.nix b/krebs/2configs/hotdog-host.nix
new file mode 100644
index 00000000..ab2b22b7
--- /dev/null
+++ b/krebs/2configs/hotdog-host.nix
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+ krebs.sync-containers3.containers.hotdog = {
+ sshKey = "${config.krebs.secret.directory}/hotdog.sync.key";
+ };
+ containers.hotdog.bindMounts."/var/lib" = {
+ hostPath = "/var/lib/sync-containers3/hotdog/state";
+ isReadOnly = false;
+ };
+}
diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix
index bb273652..980c2c9a 100644
--- a/krebs/2configs/hw/x220.nix
+++ b/krebs/2configs/hw/x220.nix
@@ -1,6 +1,5 @@
{ config, lib, pkgs, ... }:
-with import <stockholm/lib>;
{
networking.wireless.enable = lib.mkDefault true;
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index c6c91e07..b82aba45 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -5,9 +5,10 @@
6667
];
- krebs.ergo = {
+ services.ergochat = {
enable = true;
- config = {
+ settings = {
+ server.name = "irc.r";
server.secure-nets = [
"42::0/16"
"10.240.0.0/12"
@@ -37,6 +38,7 @@
hidden = false;
password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO";
};
+ server.lookup-hostnames = true;
};
};
}
diff --git a/krebs/2configs/mastodon-proxy.nix b/krebs/2configs/mastodon-proxy.nix
new file mode 100644
index 00000000..b579a503
--- /dev/null
+++ b/krebs/2configs/mastodon-proxy.nix
@@ -0,0 +1,17 @@
+{ config, lib, pkgs, ... }:
+{
+ services.nginx = {
+ enable = true;
+ virtualHosts."social.krebsco.de" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeFallbackHost = "hotdog.r";
+ locations."/" = {
+ # TODO use this in 22.11
+ recommendedProxySettings = true;
+ proxyPass = "https://hotdog.r";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
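Review bot: The comment `# TODO use this in 22.11` sits directly above `recommendedProxySettings = true;`, which is already set, so it is unclear whether the line is meant to be active now or is waiting on a release; either drop the comment or say what is still pending. `proxyPass = "https://hotdog.r"` speaks TLS to the upstream, but nginx does not verify the upstream certificate unless `proxy_ssl_verify on` and a trust store are configured, so as written this hop gets encryption but not authentication of hotdog.r; a comment stating that this is acceptable on the path in use, or an `extraConfig` enabling verification, would make the intent explicit.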
diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix
new file mode 100644
index 00000000..ebc4207a
--- /dev/null
+++ b/krebs/2configs/mastodon.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+{
+ services.postgresql = {
+ enable = true;
+ dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
+ package = pkgs.postgresql_16;
+ };
+ systemd.tmpfiles.rules = [
+ "d /var/state/postgresql 0700 postgres postgres -"
+ ];
+
+ services.mastodon = {
+ enable = true;
+ localDomain = "social.krebsco.de";
+ configureNginx = true;
+ streamingProcesses = 3;
+ trustedProxy = config.krebs.hosts.prism.nets.retiolum.ip6.addr;
+ smtp.createLocally = false;
+ smtp.fromAddress = "derp";
+ };
+
+ security.acme.certs."social.krebsco.de".server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ environment.systemPackages = [
+ (pkgs.writers.writeDashBin "clear-mastodon-cache" ''
+ mastodon-tootctl media remove --prune-profiles --days=14 --concurrency=30
+ mastodon-tootctl media remove-orphans
+ mastodon-tootctl preview_cards remove --days=14
+ '')
+ (pkgs.writers.writeDashBin "create-mastodon-user" ''
+ set -efu
+ nick=$1
+ /run/current-system/sw/bin/tootctl accounts create "$nick" --email "$nick"@krebsco.de --confirmed
+ /run/current-system/sw/bin/tootctl accounts approve "$nick"
+ '')
+ ];
+}
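Review bot: `security.acme.certs."social.krebsco.de".server` points at the Let's Encrypt staging directory, whose certificates are not trusted by browsers or by federating instances, and `smtp.fromAddress = "derp"` is not a deliverable address; both read like values left over from bring-up, so either a comment stating they are deliberate or the production values should go in before this is deployed. `trustedProxy` is a single retiolum address of prism, which presumably has to match the host running mastodon-proxy.nix for forwarded client addresses to be honoured; a comment tying the two files together would help. `create-mastodon-user` feeds `$nick` unvalidated into both the account name and `--email "$nick"@krebsco.de`, which is fine for an operator-only script but worth a one-line usage comment.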
diff --git a/krebs/2configs/matterbridge.nix b/krebs/2configs/matterbridge.nix
index a68aa292..f4292182 100644
--- a/krebs/2configs/matterbridge.nix
+++ b/krebs/2configs/matterbridge.nix
@@ -2,7 +2,7 @@
services.matterbridge = {
enable = true;
configPath = let
- bridgeBotToken = lib.strings.fileContents <secrets/telegram.token>;
+ bridgeBotToken = lib.strings.fileContents "${config.krebs.secret.directory}/telegram.token";
in
toString ((pkgs.formats.toml {}).generate "config.toml" {
general = {
@@ -10,14 +10,10 @@
Charset = "utf-8";
};
telegram.krebs.Token = bridgeBotToken;
- irc = let
+ irc.hackint = {
+ Server = "irc.hackint.org:6697";
+ UseTLS = true;
Nick = "ponte";
- in {
- hackint