From d3ad361ec52d8f963178646e8bac6ca587644c8c Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 1 Aug 2023 13:45:54 +0200 Subject: reaktor2: fix agenda.html reference --- krebs/2configs/reaktor2.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/2configs/reaktor2.nix b/krebs/2configs/reaktor2.nix index 0f7ab0ad..bc5bfc0f 100644 --- a/krebs/2configs/reaktor2.nix +++ b/krebs/2configs/reaktor2.nix @@ -486,7 +486,7 @@ in { services.nginx.virtualHosts."agenda.r" = { serverAliases = [ "kri.r" ]; locations."= /index.html".extraConfig = '' - alias ./agenda.html; + alias ${./agenda.html}; ''; locations."/agenda.json".extraConfig = '' proxy_set_header Host $host; -- cgit v1.2.3 From 61d90dcde00082dfaf4bf0e4d4c7774e420c0632 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 4 Aug 2023 12:58:08 +0200 Subject: nixpkgs-unstable: 2a9d660 -> 66aedfd --- krebs/nixpkgs-unstable.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index 4ae0716e..0dcb20e9 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,10 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "2a9d660ff0f7ffde9d73be328ee6e6f10ef66b28", - "date": "2023-07-28T14:55:37+02:00", - "path": "/nix/store/38nmp3rkbjic5dm6g9qp4ldwi7pr602p-nixpkgs", - "sha256": "0c2x3bcal4kyxgf6i408622zqvxamz986h11z8zjvd7gc8y4wxn7", - "hash": "sha256-x3ZOPGLvtC0/+iFAg9Kvqm/8hTAIkGjc634SqtgaXTA=", + "rev": "66aedfd010204949cb225cf749be08cb13ce1813", + "date": "2023-08-02T21:56:37+02:00", + "path": "/nix/store/wwmgy3p8svf9ag2s6fimr3fpz5v40mya-nixpkgs", + "sha256": "1jspq3g1wzdfgmnp4wzzrwh2cfn9q2w86b25bgwr7ygdcdap3fqd", + "hash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, -- cgit v1.2.3 From d42dcd7ad63557cdfa5e6b7bc52f55efd6e016f9 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Fri, 4 Aug 2023 12:59:09 +0200 Subject: nixpkgs: 48e82fe -> bd836ac --- krebs/nixpkgs.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index 55e54ec6..cd0714cf 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json @@ -1,10 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "48e82fe1b1c863ee26a33ce9bd39621d2ada0a33", - "date": "2023-07-28T18:34:19+03:00", - "path": "/nix/store/pgqfg8ip3lv0lr6mpwh558npz3c1wwcr-nixpkgs", - "sha256": "0d7na9ygda2r7gs3gbixd9gvcxgdv84993cilkj86bcwbpbg4vp5", - "hash": "sha256-5W7y1l2cLYPkpJGNlAja7XW2X2o9rjf0O1mo9nxS9jQ=", + "rev": "bd836ac5e5a7358dea73cb74a013ca32864ccb86", + "date": "2023-08-02T00:11:43+02:00", + "path": "/nix/store/qj37rmkpa5spmxsr3vb5hrwkahnsn4pm-nixpkgs", + "sha256": "1xcg07nmzz74s99ln079rqzlxyiv2gzzz9g71h5337jf4il0560g", + "hash": "sha256-D5gCaCROnjEKDOel//8TO/pOP87pAEtT0uT8X+0Bj/U=", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, -- cgit v1.2.3 From 44afefbfb7fe604c2e37417503a6418aaa514937 Mon Sep 17 00:00:00 2001 From: feliks Date: Mon, 14 Aug 2023 00:02:19 +0200 Subject: kartei feliks: update papawhakaaro's keys --- kartei/feliks/default.nix | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/kartei/feliks/default.nix b/kartei/feliks/default.nix index 96c20f60..a124d52d 100644 --- a/kartei/feliks/default.nix +++ b/kartei/feliks/default.nix 
@@ -25,20 +25,20 @@ in { aliases = [ "papawhakaaro.r" "tp.feliks.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- - MIICCgKCAgEA4bd0lVUVlzFmM8TuH77C5VctcK4lkw02LbMVQDJ5U+Ww075nNahw - oRHqPgJRwfGW0Tgu/1s5czZ2tAFU3lXoOSBYldAspM3KRZ4DKQsFrL9B0oWarGsK - sUgsuOJprlX4mkfj/eBNINqTqf2kVIH+p43VENQ9ioKmc+qJKm4xfRONRLp871GV - 5jmIvRvQ6JP0RtNd2KpNLaeplzx8M61D9PBOAZkNYAUTpBs4LZBNJj4eFnXBugrz - GkBjmm3Rk7olz0uOZzbeTc6Slv2tgtN5FrQifdy4XIlsKcBTzMkYHEZstmldJgd9 - pGvfmem6uPcXrF+eDJzqUn0ArH7eOIS4F0+DzugJz4qX+ytvE4ag7r2Vx0Pa9TCY - hpn0lqwW+ly1clM0SKt59v1nQ4oRW4UIbAZaIgp4UJbb3IGSwbq7NuadvHpNICHi - 4pqQD+1sSEbGLAZ0bFjLIYFg9zzNjLeAxXpn49WHOEyRlq3h+SUQcG2EuVMI28DX - lILKSoOJsuQupURPubaxkiNEa5neYk9hZ8CWgwSG/VlyRLuNsVDVn2dBma43Mr10 - LHMkX2/a9t7ghokugvV2XMP9Es9A9TGFShM9UtFAlovdad+SQ8FBPNheDwIhjCJe - l5NIrMrmQIveq7QJ1szxYhqfl1ifU0c+YxeMkg3tvEuQV/tk/oki/aECAwEAAQ== + MIICCgKCAgEApPx0Xa5tms6t9yOqrdBuz5JVheIqntIF4XK04gXMYr/lcqWj35Sj + jM0fObbB0MXz1Di0DsWT5ukVMpvRfespif2FsRfpUOBzVQymlcFfn7D4t2qUa0nH + AHuvoSqb2qV8YUIvVRNdnNSv1NWlbEpcsKXzg36O2ESdro64vSM5hAVw8Djo8Eoh + AGlZVi1tplVs+DPlsMjUqjCrGeq81V7SiLwaVc7adcx/cNvzDA23axkUosm/X2fN + Ug8UWXHt3SgH/BtTwWIpT48anIdPbkttH0d4ICzt0g3nX6+zmVhdzIjHWNsmjxaQ + qKn2DfC1TcYffE4k4E2yENwLoTkJn3U3cCowt7OTLfNvexRyFj5E/O1Aa1VdwX68 + MTpF89Hv8SKUSMRsbyG/vFAoh/I88Y4lDis+TtBKPs1VLBtsQy1mZaIooSTslPf+ + pcUDBBUsf2/SudwvbBC1XHl1YDnRFBZG74ApVIXeIo5G8Cfm4LasppYqPJ7YzTKp + 6yoR9iKaXONTwQ3xhlBcfpMxObZTE1v8kF9sy3t9Pl8Px9f4PSbuQpp82MJrRJQC + FYTMkUh0PZwbw7vzqDLjeW715YWeNKW6PSFT0TtY8UTNNKFslhUfuBBLGyjsU+T3 + 9m9uNNhRxFoFmlKYziFzyEVWgMl67Eg0CQAulP0q9zv3d4367il6SK8CAwEAAQ== -----END RSA PUBLIC KEY----- ''; - tinc.pubkey_ed25519 = "5G49yQPjkkoGZxM6CeDy87y6tB/abtelUAk55wJ4GpP"; + tinc.pubkey_ed25519 = "8g19LVFwgtdpFPcqTM/pdCzWhy3ins9+LPjHIjwNFvA"; }; }; }; -- cgit v1.2.3 From 947dd631235359a22993ed213828266f0fc60313 Mon Sep 17 00:00:00 2001 
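Review bot: The replacement of papawhakaaro's `tinc.pubkey` and `tinc.pubkey_ed25519` records no reason for the rotation, and the hunk drops the old keys outright. That distinction matters for peers: every tinc host keeps accepting the old key until it is redeployed with this kartei change, so a routine rotation and a suspected-compromise rotation need different follow-up, and the commit message (or a one-line comment next to `tinc.pubkey`, e.g. `# rotated 2023-08-14; old key retired, redeploy peers`) should say which it is. This is inferred from the diff alone; if the cut-over was coordinated elsewhere the code itself is fine.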
From: lassulus Date: Wed, 16 Aug 2023 11:21:52 +0200 Subject: nixpkgs-unstable: 66aedfd -> 8353344 --- krebs/nixpkgs-unstable.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index 0dcb20e9..c31b7f70 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,10 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "66aedfd010204949cb225cf749be08cb13ce1813", - "date": "2023-08-02T21:56:37+02:00", - "path": "/nix/store/wwmgy3p8svf9ag2s6fimr3fpz5v40mya-nixpkgs", - "sha256": "1jspq3g1wzdfgmnp4wzzrwh2cfn9q2w86b25bgwr7ygdcdap3fqd", - "hash": "sha256-DbtxVWPt+ZP5W0Usg7jAyTomIM//c3Jtfa59Ht7AV8s=", + "rev": "8353344d3236d3fda429bb471c1ee008857d3b7c", + "date": "2023-08-15T09:25:12+02:00", + "path": "/nix/store/r7sblbzjhxfl07r4l3nywhaprk3486zx-nixpkgs", + "sha256": "02431z7g8zmjrmqpmsxsnzz4r91cdl3a2sdz6kiqpsjalnlbxbv5", + "hash": "sha256-Za++qKVK6ovjNL9poQZtLKRM/re663pxzbJ+9M4Pgwg=", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, -- cgit v1.2.3 From 03f86e7faa67f953b3829b96402f752b1df19c9d Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 23 Aug 2023 22:06:13 +0200 Subject: vicuna-chat: update model name --- krebs/5pkgs/simple/vicuna-chat/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/5pkgs/simple/vicuna-chat/default.nix b/krebs/5pkgs/simple/vicuna-chat/default.nix index 11a11aab..db15899d 100644 --- a/krebs/5pkgs/simple/vicuna-chat/default.nix +++ b/krebs/5pkgs/simple/vicuna-chat/default.nix @@ -23,7 +23,7 @@ pkgs.writers.writeDashBin "vicuna-chat" '' add_to_context "{\"role\": \"user\", \"content\": \"$PROMPT\"}" response=$( jq -nc --slurpfile context "$CONTEXT" '{ - model: "vicuna-13b", + model: "vicuna-13b-v1.5-16k", messages: $context[0], }' | curl -Ss http://vicuna.r/v1/chat/completions -H 'Content-Type: application/json' -d @- -- cgit v1.2.3 
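Review bot: The vicuna-chat hunk only changes the hard-coded model name, but the context line directly above it, `add_to_context "{\"role\": \"user\", \"content\": \"$PROMPT\"}"`, still splices the raw prompt into a JSON document by string interpolation, so a double quote, backslash or newline in `$PROMPT` produces invalid JSON (or a differently-shaped message) for the request to `vicuna.r`. Since the script already relies on `jq`, building the message with `jq -nc --arg c "$PROMPT" '{role:"user",content:$c}'` would escape it correctly. The defect is pre-existing and outside the changed line; the rest of the `vicuna-chat` script is outside the hunk.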
From 4acff6e9e977352a1e6ec7a86f0b060a9234f248 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 23 Aug 2023 22:07:31 +0200 Subject: l prism.r: make bootable again --- lass/1systems/prism/physical.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index ebc80411..d4dd8838 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -9,6 +9,7 @@ boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ]; boot.kernelModules = [ "kvm-intel" ]; + boot.swraid.enable = true; fileSystems."/" = { device = "rpool/root/nixos"; @@ -80,7 +81,7 @@ # we don't pay for power there and this might solve a problem we observed at least once # https://www.thomas-krenn.com/de/wiki/PCIe_Bus_Error_Status_00001100_beheben - boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" ]; + boot.kernelParams = [ "pcie_aspm=off" "net.ifnames=0" "nomodeset" ]; networking.dhcpcd.enable = false; -- cgit v1.2.3 From 36eaa0d88d631905e9d439a6b2b7ae6e6df84919 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Aug 2023 08:24:47 +0200 Subject: mastodon: add clear-cache command --- krebs/2configs/mastodon.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/krebs/2configs/mastodon.nix b/krebs/2configs/mastodon.nix index 145b383e..af308b2c 100644 --- a/krebs/2configs/mastodon.nix +++ b/krebs/2configs/mastodon.nix @@ -33,8 +33,10 @@ ]; environment.systemPackages = [ - (pkgs.writers.writeDashBin "tootctl" '' - sudo -u mastodon /etc/profiles/per-user/mastodon/bin/mastodon-env /etc/profiles/per-user/mastodon/bin/tootctl "$@" + (pkgs.writers.writeDashBin "clear-mastodon-cache" '' + mastodon-tootctl media remove --prune-profiles --days=14 --concurrency=30 + mastodon-tootctl media remove-orphans + mastodon-tootctl preview_cards remove --days=14 '') (pkgs.writers.writeDashBin "create-mastodon-user" '' set -efu -- cgit v1.2.3 
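Review bot: `boot.swraid.enable = true;` is added without a `boot.swraid.mdadmConf`, while the same file already defines `environment.etc."mdadm.conf".text` by hand (visible in the later prism hunk on this page that removes the xanf disk). The swraid module in current nixpkgs appears to manage `/etc/mdadm.conf` itself and warns when neither MAILADDR nor PROGRAM is configured, so the two definitions of that file will either be concatenated or clash at evaluation; the resulting `/etc/mdadm.conf` is worth checking, and moving the text into `boot.swraid.mdadmConf = ''…'';` would make the intent explicit. Which nixpkgs revision prism tracks is not visible here, so this is inferred from the module's recent behaviour. The `nomodeset` addition in the second hunk looks fine.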
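Review bot: The new `clear-mastodon-cache` wrapper runs three `mastodon-tootctl` commands with no `set -efu`, so a failing `media remove` does not stop the later prune steps and the wrapper's exit status reflects only the last command; the sibling `create-mastodon-user` wrapper in the same list begins with `set -efu`, so adding that line keeps the two consistent. The hunk also silently removes the generic `tootctl` wrapper (the `sudo -u mastodon … tootctl "$@"` one) while the subject only mentions adding a command; if that removal is intentional a word in the message would help. Whether `mastodon-tootctl` is on PATH for whoever invokes the wrapper is not visible here.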
From 666a2b0a8a7941768077a7774d6ca7732d8e8c24 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 26 Aug 2023 08:36:05 +0200 Subject: l matrix: remove deprecated pkg override --- lass/2configs/matrix.nix | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/lass/2configs/matrix.nix b/lass/2configs/matrix.nix index cdcbe7ab..1d6a8663 100644 --- a/lass/2configs/matrix.nix +++ b/lass/2configs/matrix.nix @@ -2,24 +2,6 @@ with import ; { services.matrix-synapse = { - # synapse 1.60.0 errors during startup with: - # https://github.com/matrix-org/synapse/issues/15809 - package = pkgs.matrix-synapse.overrideAttrs (oldAttrs: rec { - version = "1.85.2"; - name = "matrix-synapse-${version}"; - src = pkgs.fetchFromGitHub { - owner = "matrix-org"; - repo = "synapse"; - rev = "v${version}"; - hash = "sha256-pFafBsisBPfpDnFYWcimUuBgfFVPZzLna3yHeqIBAAE="; - }; - cargoDeps = pkgs.rustPlatform.fetchCargoTarball { - inherit src; - name = "matrix-synapse-${version}"; - hash = "sha256-dnno+5Ma0YNYpmj3oZ5UG22uAanKwVT67BwQW+mHoFc="; - }; - doCheck = false; - }); enable = true; settings = { server_name = "lassul.us"; -- cgit v1.2.3 From 6592341dc31c6f26422ec3a9fed2e601ab985cfc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Thu, 31 Aug 2023 11:44:53 +0200 Subject: prism: add backup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jörg Thalheim --- lass/2configs/codimd.nix | 71 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 67 insertions(+), 4 deletions(-) diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index ccca49fa..0927788a 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -2,7 +2,8 @@ with import ; let domain = "pad.lassul.us"; -in { +in +{ # redirect legacy domain to new one services.nginx.virtualHosts."codi.lassul.us" = { 
@@ -25,13 +26,77 @@ in { security.dhparams = { enable = true; - params.hedgedoc = {}; + params.hedgedoc = { }; }; systemd.services.hedgedoc.environment = { CMD_COOKIE_POLICY = "none"; CMD_CSP_ALLOW_FRAMING = "true"; }; + + systemd.services.hedgedoc-backup = { + startAt = "daily"; + serviceConfig = { + ExecStart = ''${pkgs.sqlite}/bin/sqlite3 /var/lib/hedgedoc/db.hedgedoc.sqlite ".backup /var/backup/hedgedoc/backup.sq3"''; + Type = "oneshot"; + }; + }; + + services.postgresqlBackup.enable = true; + + systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; + + services.borgbackup.jobs.hetzner = { + paths = [ + "/home" + "/etc" + "/var" + "/root" + ]; + exclude = [ + "*.pyc" + "/home/*/.direnv" + "/home/*/.cache" + "/home/*/.cargo" + "/home/*/.npm" + "/home/*/.m2" + "/home/*/.gradle" + "/home/*/.opam" + "/home/*/.clangd" + "/var/lib/containerd" + # already included in database backup + "/var/lib/postgresql" + # not so important + "/var/lib/docker/" + "/var/log/journal" + "/var/cache" + "/var/tmp" + "/var/log" + ]; + repo = "u348918@u348918.your-storagebox.de:/./hetzner"; + encryption.mode = "none"; + compression = "auto,zstd"; + startAt = "daily"; + # TODO: change backup key + environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}"; + preHook = '' + set -x + ''; + + postHook = '' + cat > /var/log/telegraf/borgbackup-job-hetzner.service < Date: Thu, 31 Aug 2023 17:47:17 +0200 Subject: l prism.r: add backups --- lass/1systems/prism/backup.nix | 37 ++++++++++++++++++++++++++ lass/1systems/prism/config.nix | 1 + lass/2configs/codimd.nix | 56 +-------------------------------------- lass/2configs/websites/domsen.nix | 28 +++++++++++++++++++- 4 files changed, 66 insertions(+), 56 deletions(-) create mode 100644 lass/1systems/prism/backup.nix diff --git a/lass/1systems/prism/backup.nix b/lass/1systems/prism/backup.nix new file mode 100644 index 00000000..52b4142b --- /dev/null 
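Review bot: `encryption.mode = "none";` ships the new hetzner borg job's archives unencrypted to a third-party storage box (`u348918@u348918.your-storagebox.de`), while `paths` covers `/home`, `/etc`, `/var` and `/root`, which on a NixOS host typically hold the SSH host private keys, service state and whatever secrets sit in `/root`; `encryption.mode = "repokey-blake2";` plus an `encryption.passCommand` reading from the sops secrets the file already references would keep the data opaque to the provider. The same `encryption.mode = "none"` appears in the new `lass/1systems/prism/backup.nix` in the next commit on this page. Separately, `systemd.services.hedgedoc-backup` and the borg job both use `startAt = "daily"`, so they fire at the same instant and borg can archive a half-written `backup.sq3`; ordering the borg unit `after = [ "hedgedoc-backup.service" ]` or staggering the timers avoids that. Nothing in the hunk creates `/var/backup/hedgedoc`, so unless it exists from elsewhere the sqlite `.backup` will fail on first run. The `postHook` heredoc body is not legible in this rendering.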
+++ b/lass/1systems/prism/backup.nix @@ -0,0 +1,37 @@ +{ config, lib, pkgs, ... }: +{ + services.postgresqlBackup.enable = true; + + systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; + + services.borgbackup.jobs.hetzner = { + paths = [ + "/var/backup" + ]; + exclude = [ + "*.pyc" + ]; + repo = "u364341@u364341.your-storagebox.de:/./hetzner"; + encryption.mode = "none"; + compression = "auto,zstd"; + startAt = "daily"; + # TODO: change backup key + environment.BORG_RSH = "ssh -oPort=23 -i ${toString + "/borgbackup.ssh.id25519"}"; + preHook = '' + set -x + ''; + + postHook = '' + cat > /var/log/telegraf/borgbackup-job-hetzner.service <; { imports = [ + ./backup.nix diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index 0927788a..f8880dbd 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -34,6 +34,7 @@ in CMD_CSP_ALLOW_FRAMING = "true"; }; + services.borgbackup.jobs.hetzner.paths = [ "/var/backup" ]; systemd.services.hedgedoc-backup = { startAt = "daily"; serviceConfig = { 
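Review bot: The codimd.nix hunk at the bottom of this commit adds `services.borgbackup.jobs.hetzner.paths = [ "/var/backup" ];`, which merges into a job that only `lass/1systems/prism/backup.nix` defines; any host that imports `lass/2configs/codimd.nix` without that file will fail evaluation because the `hetzner` job then has no `repo`, and on prism itself `/var/backup` ends up listed twice. Dropping the codimd.nix line, or keeping only host-specific extra paths there, removes the coupling. In backup.nix, `exclude = [ "*.pyc" ]` is a leftover from the broader codimd.nix job and means nothing for a `/var/backup`-only path list, and the `# TODO: change backup key` comment is carried over unchanged above the `BORG_RSH` line, whose key path is not legible in this rendering. The `prism/config.nix` import hunk is fused into this line and cannot be read separately.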
@@ -42,61 +43,6 @@ in }; }; - services.postgresqlBackup.enable = true; - - systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ]; - - services.borgbackup.jobs.hetzner = { - paths = [ - "/home" - "/etc" - "/var" - "/root" - ]; - exclude = [ - "*.pyc" - "/home/*/.direnv" - "/home/*/.cache" - "/home/*/.cargo" - "/home/*/.npm" - "/home/*/.m2" - "/home/*/.gradle" - "/home/*/.opam" - "/home/*/.clangd" - "/var/lib/containerd" - # already included in database backup - "/var/lib/postgresql" - # not so important - "/var/lib/docker/" - "/var/log/journal" - "/var/cache" - "/var/tmp" - "/var/log" - ]; - repo = "u348918@u348918.your-storagebox.de:/./hetzner"; - encryption.mode = "none"; - compression = "auto,zstd"; - startAt = "daily"; - # TODO: change backup key - environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}"; - preHook = '' - set -x - ''; - - postHook = '' - cat > /var/log/telegraf/borgbackup-job-hetzner.service < Date: Sat, 2 Sep 2023 11:36:38 +0200 Subject: l codimd: backup statedir --- lass/2configs/codimd.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index f8880dbd..d0ba8912 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -34,7 +34,10 @@ in CMD_CSP_ALLOW_FRAMING = "true"; }; - services.borgbackup.jobs.hetzner.paths = [ "/var/backup" ]; + services.borgbackup.jobs.hetzner.paths = [ + "/var/backup" + "/var/lib/hedgedoc" + ]; systemd.services.hedgedoc-backup = { startAt = "daily"; serviceConfig = { -- cgit v1.2.3 From 046651c48c43b366900d3f3cd46c6413b93e8d01 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 2 Sep 2023 21:24:33 +0200 Subject: nixpkgs: bd836ac -> 9075cba --- krebs/nixpkgs.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index cd0714cf..0b6021ed 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json 
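Review bot: Adding `/var/lib/hedgedoc` to the borg paths puts the live `db.hedgedoc.sqlite` into the archive while hedgedoc may be writing it, so that copy can be inconsistent; the `hedgedoc-backup` unit in the context lines just below already produces a consistent snapshot via sqlite's `.backup` into `/var/backup/hedgedoc/`, which the `/var/backup` entry covers. If the aim is the uploads directory and config, `exclude = [ "/var/lib/hedgedoc/db.hedgedoc.sqlite" ];` on the job keeps the state dir without the racy database file. The enclosing attribute set continues outside the hunk.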
@@ -1,10 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "bd836ac5e5a7358dea73cb74a013ca32864ccb86", - "date": "2023-08-02T00:11:43+02:00", - "path": "/nix/store/qj37rmkpa5spmxsr3vb5hrwkahnsn4pm-nixpkgs", - "sha256": "1xcg07nmzz74s99ln079rqzlxyiv2gzzz9g71h5337jf4il0560g", - "hash": "sha256-D5gCaCROnjEKDOel//8TO/pOP87pAEtT0uT8X+0Bj/U=", + "rev": "9075cba53e86dc318d159aee55dc9a7c9a4829c1", + "date": "2023-09-02T08:28:47+02:00", + "path": "/nix/store/605bv7zssv38j0ii8rbnxkv1m0f0b53p-nixpkgs", + "sha256": "0kymzp32d31c0hny2b2f7zfn49nzrxlm963xbm4v0axka6abym36", + "hash": "sha256-ZlS/lFGzK7BJXX2YVGnP3yZi3T9OLOEtBCyMJsb91U8=", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, -- cgit v1.2.3 From 40db172916f1b328d0d03f3753500b3ee2a41c7f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 2 Sep 2023 21:25:12 +0200 Subject: nixpkgs-unstable: 8353344 -> aa8aa7e --- krebs/nixpkgs-unstable.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json index c31b7f70..2233cd20 100644 --- a/krebs/nixpkgs-unstable.json +++ b/krebs/nixpkgs-unstable.json @@ -1,10 +1,10 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "8353344d3236d3fda429bb471c1ee008857d3b7c", - "date": "2023-08-15T09:25:12+02:00", - "path": "/nix/store/r7sblbzjhxfl07r4l3nywhaprk3486zx-nixpkgs", - "sha256": "02431z7g8zmjrmqpmsxsnzz4r91cdl3a2sdz6kiqpsjalnlbxbv5", - "hash": "sha256-Za++qKVK6ovjNL9poQZtLKRM/re663pxzbJ+9M4Pgwg=", + "rev": "aa8aa7e2ea35ce655297e8322dc82bf77a31d04b", + "date": "2023-09-01T18:51:16+08:00", + "path": "/nix/store/10xskkarnksmn1fahylswv0y4216c73w-nixpkgs", + "sha256": "0bbv3y86kfpn02zh5vvdbkmnqyzagzbc1gzpvvlb6qbvgg639bf9", + "hash": "sha256-ya00zHt7YbPo3ve/wNZ/6nts61xt7wK/APa6aZAfey0=", "fetchLFS": false, "fetchSubmodules": false, "deepClone": false, -- cgit v1.2.3 From 3bb70cd5c28ebcf8ddee9ef7ad05cc86a2c841af Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sun, 3 Sep 2023 10:59:51 +0200 Subject: l aergia.r: fix mounting with new disko --- lass/1systems/aergia/disk.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lass/1systems/aergia/disk.nix b/lass/1systems/aergia/disk.nix index 84815772..233b320e 100644 --- a/lass/1systems/aergia/disk.nix +++ b/lass/1systems/aergia/disk.nix @@ -45,9 +45,11 @@ # Mountpoints inferred from subvolume name "/home" = { mountOptions = []; + mountpoint = "/home"; }; "/nix" = { mountOptions = []; + mountpoint = "/nix"; }; }; }; -- cgit v1.2.3 From 521dd6afa5518f19a1ba7772a036363d5604441b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:23:46 +0200 Subject: l aergia.r: more hardware settings --- lass/1systems/aergia/physical.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/lass/1systems/aergia/physical.nix b/lass/1systems/aergia/physical.nix index 9f06dccd..e76460d2 100644 --- a/lass/1systems/aergia/physical.nix +++ b/lass/1systems/aergia/physical.nix @@ -16,7 +16,7 @@ efiInstallAsRemovable = true; }; - boot.kernelPackages = pkgs.linuxPackages_latest; + # boot.kernelPackages = pkgs.linuxPackages_latest; boot.kernelParams = [ # use less power with pstate @@ -70,8 +70,6 @@ }; users.users.mainUser.extraGroups = [ "corectrl" ]; - # use newer ryzenadj - # keyboard quirks services.xserver.displayManager.sessionCommands = '' ${pkgs.xorg.xmodmap}/bin/xmodmap -e 'keycode 96 = F12 Insert F12 F12' # rebind shift + F12 to shift + insert 
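Review bot: `# boot.kernelPackages = pkgs.linuxPackages_latest;` leaves commented-out code where an explanation belongs; a reader cannot tell whether the latest kernel broke something on aergia or the line is merely parked. Either delete it (git keeps the history) or replace it with a why-comment such as `# default kernel on purpose: linuxPackages_latest <reason>`, with the real reason filled in. The same applies to the commented `systemd.sleep.extraConfig` block in this commit's second physical.nix hunk (`@@ -102,9 +100,16 @@`, on the next line of this page). The disk.nix `mountpoint` additions match the commit's stated purpose and need no change.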
@@ -102,9 +100,16 @@ services.logind.extraConfig = '' HandlePowerKey=hibernate ''; + # systemd.sleep.extraConfig = '' + # HibernateDelaySec=1800 + # ''; # firefox touchscreen support environment.sessionVariables.MOZ_USE_XINPUT2 = "1"; + + # enable thunderbolt + services.hardware.bolt.enable = true; + # reinit usb after docking station connect services.udev.extraRules = '' SUBSYSTEM=="drm", ACTION=="change", RUN+="${pkgs.dash}/bin/dash -c 'echo 0 > /sys/bus/usb/devices/usb9/authorized; echo 1 > /sys/bus/usb/devices/usb9/authorized'" -- cgit v1.2.3 From c1656131473f63e415baae35e99507dbb1c780a4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:43:01 +0200 Subject: l prism.r: remove xanf disk --- lass/1systems/prism/physical.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index d4dd8838..2260aa64 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -61,11 +61,6 @@ fsType = "zfs"; }; - fileSystems."/home/xanf" = { - device = "/dev/disk/by-id/wwn-0x500a07511becb076"; - fsType = "ext4"; - }; - # silence mdmonitor.service failures # https://github.com/NixOS/nixpkgs/issues/72394 environment.etc."mdadm.conf".text = '' -- cgit v1.2.3 From b7fba1c6ba5379cbad60728541259538df5096ec Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:45:42 +0200 Subject: l shodan.r: remove containers, add trusted users --- lass/1systems/shodan/config.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 5e48c216..0bea37e5 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -13,13 +13,9 @@ - - - - ]; @@ -27,4 +23,6 @@ services.logind.lidSwitch = "ignore"; services.logind.lidSwitchDocked = "ignore"; + nix.trustedUsers = [ "root" "lass" ]; + system.stateVersion = "22.05"; } -- cgit v1.2.3 
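Review bot: `nix.trustedUsers = [ "root" "lass" ];` in the shodan hunk makes `lass` a Nix trusted user, which is effectively root-equivalent for the nix daemon (trusted users may add substituters and import unsigned store paths), so the line deserves a comment stating why shodan needs it, e.g. `# lass deploys from this host; trusted-users is root-equivalent for the daemon`. `nix.trustedUsers` is also the renamed legacy spelling; with the nixpkgs revisions pinned elsewhere on this page the option is `nix.settings.trusted-users = [ "root" "lass" ];`, which avoids the rename warning. The `imports` entries removed by the first shodan hunk are not legible in this rendering, so the "remove containers" half of the subject cannot be checked here.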
From f3f5adc4b67c3fff7af571df8a6e395896c93fea Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:46:09 +0200 Subject: l skynet.r: better fileSystems syntax --- lass/1systems/skynet/physical.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lass/1systems/skynet/physical.nix b/lass/1systems/skynet/physical.nix index e3451293..1ac9708c 100644 --- a/lass/1systems/skynet/physical.nix +++ b/lass/1systems/skynet/physical.nix @@ -12,15 +12,15 @@ networking.hostId = "06442b9a"; - fileSystems."/" = - { device = "rpool/root"; - fsType = "zfs"; - }; + fileSystems."/" = { + device = "rpool/root"; + fsType = "zfs"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/0876-B308"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/0876-B308"; + fsType = "vfat"; + }; services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" -- cgit v1.2.3 From 1fa53c704e22534219ef85e804eef1feb4643131 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:46:56 +0200 Subject: l styx.r: disable syncthing, add consul --- lass/1systems/styx/config.nix | 2 +- lass/1systems/styx/physical.nix | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/lass/1systems/styx/config.nix b/lass/1systems/styx/config.nix index 6c054abf..988cbca7 100644 --- a/lass/1systems/styx/config.nix +++ b/lass/1systems/styx/config.nix @@ -22,11 +22,11 @@ with import ; - # + ]; krebs.build.host = config.krebs.hosts.styx; diff --git a/lass/1systems/styx/physical.nix b/lass/1systems/styx/physical.nix index ae0cdf48..284bbb33 100644 --- a/lass/1systems/styx/physical.nix +++ b/lass/1systems/styx/physical.nix @@ -16,7 +16,6 @@ boot.loader.grub.device = "/dev/disk/by-id/ata-SanDisk_SSD_G5_BICS4_20248F446514"; boot.loader.grub.efiInstallAsRemovable = true; - fileSystems."/" = { device = "/dev/disk/by-uuid/ee5c9099-17fa-401e-852e-67cb4ae068f4"; fsType = "ext4"; -- cgit v1.2.3 
From a53b28f0d6b0a6e7523ee38ce56d3c1afeee660f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:47:18 +0200 Subject: l wizard.r: add nm-dmenu --- lass/1systems/wizard/config.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lass/1systems/wizard/config.nix b/lass/1systems/wizard/config.nix index e158fa72..5e69171c 100644 --- a/lass/1systems/wizard/config.nix +++ b/lass/1systems/wizard/config.nix @@ -183,7 +183,7 @@ in { #style most - rxvt_unicode.terminfo + rxvt-unicode-unwrapped.terminfo #monitoring tools htop @@ -192,6 +192,7 @@ in { #network iptables iftop + nm-dmenu #stuff for dl aria2 -- cgit v1.2.3 From 72be85e30bbdd658d100b70efc7deafa2a925267 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:55:15 +0200 Subject: l neoprism.r: disable initrd ssh --- lass/1systems/neoprism/physical.nix | 39 ++++++++++++++++++++----------------- 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/lass/1systems/neoprism/physical.nix b/lass/1systems/neoprism/physical.nix index f2092d9a..cc7734f3 100644 --- a/lass/1systems/neoprism/physical.nix +++ b/lass/1systems/neoprism/physical.nix @@ -13,7 +13,10 @@ boot.loader.grub.enable = true; boot.loader.grub.version = 2; boot.loader.grub.efiSupport = true; - boot.loader.grub.devices = [ "/dev/nvme0n1" "/dev/nvme1n1" ]; + boot.loader.grub.devices = [ + config.disko.devices.disk."/dev/nvme0n1".device + config.disko.devices.disk."/dev/nvme1n1".device + ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ]; boot.kernelModules = [ "kvm-amd" ]; hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; 
@@ -56,21 +59,21 @@ }; networking.useDHCP = false; - boot.initrd.network = { - enable = true; - ssh = { - enable = true; - authorizedKeys = [ config.krebs.users.lass.pubkey ]; - port = 2222; - hostKeys = [ - (toString ) - (toString ) - ]; - }; - }; - boot.kernelParams = [ - "net.ifnames=0" - "ip=dhcp" - "boot.trace" - ]; + # boot.initrd.network = { + # enable = true; + # ssh = { + # enable = true; + # authorizedKeys = [ config.krebs.users.lass.pubkey ]; + # port = 2222; + # hostKeys = [ + # () + # () + # ]; + # }; + # }; + # boot.kernelParams = [ + # "net.ifnames=0" + # "ip=dhcp" + # "boot.trace" + # ]; } -- cgit v1.2.3 From f58eceedb1ce03b17b75b2cb033a6722f9d72a72 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:55:59 +0200 Subject: l xerxes.r: disable some stuff --- lass/1systems/xerxes/config.nix | 21 +-------------------- 1 file changed, 1 insertion(+), 20 deletions(-) diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix index 6972567d..d1ee4cf7 100644 --- a/lass/1systems/xerxes/config.nix +++ b/lass/1systems/xerxes/config.nix @@ -7,16 +7,15 @@ + - - ]; @@ -60,24 +59,6 @@ services.logind.lidSwitch = "suspend"; lass.screenlock.enable = lib.mkForce false; - systemd.services.suspend-again = { - after = [ "suspend.target" ]; - requiredBy = [ "suspend.target" ]; - # environment = { - # DISPLAY = ":${toString config.services.xserver.display}"; - # }; - serviceConfig = { - ExecStart = pkgs.writeDash "suspend-again" '' - ${pkgs.gnugrep}/bin/grep -q closed /proc/acpi/button/lid/LID0/state - if [ "$?" -eq 0 ]; then - echo 'wakeup with closed lid' - ${pkgs.systemd}/bin/systemctl suspend - fi - ''; - Type = "simple"; - }; - }; - hardware.bluetooth = { enable = true; powerOnBoot = true; -- cgit v1.2.3 From be170d796f8520b88102a0f540f028d0fa395a55 Mon Sep 17 00:00:00 2001 
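Review bot: Commenting out `boot.initrd.network` also comments out `boot.kernelParams = [ "net.ifnames=0" "ip=dhcp" "boot.trace" ];`, which the subject ("disable initrd ssh") does not mention; without `net.ifnames=0` the stage-2 interface names switch from `eth0`-style to predictable names, so any `networking.interfaces.eth0` or firewall rule elsewhere in neoprism's config (not visible here) would stop matching after the next boot. If only the initrd SSH is meant to go, keep `boot.kernelParams = [ "net.ifnames=0" ];` as live code. The dead block should then be deleted rather than kept as comments, with a one-line note on why initrd SSH was dropped; the `hostKeys` entries are not legible in this rendering.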
From: lassulus Date: Sun, 3 Sep 2023 11:56:59 +0200 Subject: l binary-cache: disable nix-serve-ng --- lass/2configs/binary-cache/server.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix index bdd568c1..49060164 100644 --- a/lass/2configs/binary-cache/server.nix +++ b/lass/2configs/binary-cache/server.nix @@ -1,8 +1,8 @@ { config, lib, pkgs, ...}: { - nixpkgs.config.packageOverrides = p: { - nix-serve = p.haskellPackages.nix-serve-ng; - }; + # nixpkgs.config.packageOverrides = p: { + # nix-serve = p.haskellPackages.nix-serve-ng; + # }; # generate private key with: # nix-store --generate-binary-cache-key my-secret-key my-public-key services.nix-serve = { -- cgit v1.2.3 From 32bac4e0549b6b41aa6062aee48f1aa7eb493a3f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:57:19 +0200 Subject: l green-hosts: add different implementations --- lass/2configs/green-hosts/cryfs.nix | 95 ++++++++++++++++++++++++++ lass/2configs/green-hosts/ecryptfs.nix | 99 +++++++++++++++++++++++++++ lass/2configs/green-hosts/plain-bindfs.nix | 90 +++++++++++++++++++++++++ lass/2configs/green-hosts/plain-permown.nix | 88 ++++++++++++++++++++++++ lass/2configs/green-hosts/plain.nix | 87 ++++++++++++++++++++++++ lass/2configs/green-hosts/securefs.nix | 101 ++++++++++++++++++++++++++++ 6 files changed, 560 insertions(+) create mode 100644 lass/2configs/green-hosts/cryfs.nix create mode 100644 lass/2configs/green-hosts/ecryptfs.nix create mode 100644 lass/2configs/green-hosts/plain-bindfs.nix create mode 100644 lass/2configs/green-hosts/plain-permown.nix create mode 100644 lass/2configs/green-hosts/plain.nix create mode 100644 lass/2configs/green-hosts/securefs.nix diff --git a/lass/2configs/green-hosts/cryfs.nix b/lass/2configs/green-hosts/cryfs.nix new file mode 100644 index 00000000..d60dc595 --- /dev/null +++ b/lass/2configs/green-hosts/cryfs.nix 
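Review bot: The `packageOverrides` block for `nix-serve-ng` is commented out rather than removed, and nothing records why it is being dropped (build failure, incompatibility with the current nixpkgs, or something else), so a later reader cannot tell whether re-enabling it is safe. Replacing the three comment lines with a single why-comment, e.g. `# nix-serve-ng override disabled: <reason>`, and leaving the old override to git history would be clearer. The `services.nix-serve` block that now receives the default `nix-serve` continues outside the hunk.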
@@ -0,0 +1,95 @@ +# seems to work, very slow though + +{ config, lib, pkgs, ... }: +with import ; + +let + + cname = "green-cryfs"; + +in { + imports = [ + + + ]; + + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/cryfs" = { + devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ]; + ignorePerms = false; + }; + + lass.bindfs."/var/lib/sync-containers/${cname}/cryfs" = { + source = "/var/lib/sync-containers/${cname}/cryfs"; + options = [ + "-M ${toString config.users.users.syncthing.uid} -u root -g root" + ]; + }; + + + systemd.services."container@${cname}".reloadIfChanged = mkForce false; + containers.${cname} = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt-unicode-unwrapped.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs + localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "init-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/sync-containers/${cname}/cryfs + '') + (pkgs.writeDashBin "start-${cname}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${cname}/var/state + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${cname} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch 
/etc/NIXOS + ''} + + if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${cname}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${cname} + '') + ]; +} diff --git a/lass/2configs/green-hosts/ecryptfs.nix b/lass/2configs/green-hosts/ecryptfs.nix new file mode 100644 index 00000000..2c335f6f --- /dev/null +++ b/lass/2configs/green-hosts/ecryptfs.nix 
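Review bot: The container's `system.activationScripts.fuse` runs `${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229` unconditionally, and `mknod` fails with EEXIST once the node exists, so every activation after the first reports a failure from this snippet; guard it with `[ -e /dev/fuse ] || ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229`. The same unguarded line is in the new `ecryptfs.nix` on the following lines of this page. The inner `deploy-${cname}` script invoked from `start-green-cryfs` runs with only `set -x`, unlike the outer `set -euf`, so a failed `mkdir` or `ln` there goes unnoticed before `nixos-rebuild` is attempted. `hostAddress`/`localAddress` are hard-coded to the same `10.233.2.15`/`10.233.2.16` pair as ecryptfs.nix, so the two green-hosts variants cannot be imported together, as the TODO already acknowledges.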
@@ -0,0 +1,99 @@
+
+{ config, lib, pkgs, ... }:
+with import ;
+
+let
+
+ cname = "green";
+
+in {
+ imports = [
+
+
+ ];
+
+ programs.fuse.userAllowOther = true;
+
+ services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/ecryptfs" = {
+ devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+ ignorePerms = false;
+ };
+
+ krebs.permown."/var/lib/sync-containers/${cname}/ecryptfs" = {
+ file-mode = "u+rw";
+ directory-mode = "u+rwx";
+ owner = "syncthing";
+ keepGoing = false;
+ };
+
+ systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+ containers.${cname} = {
+ config = { ... }: {
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt-unicode-unwrapped.terminfo
+ ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ system.activationScripts.fuse = {
+ text = ''
+ ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+ '';
+ deps = [];
+ };
+ };
+ allowedDevices = [
+ { modifier = "rwm"; node = "/dev/fuse"; }
+ ];
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+ localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+ };
+
+ environment.systemPackages = [
+ pkgs.ecryptfs
+ pkgs.keyutils
+ (pkgs.writeDashBin "start-${cname}" ''
+ set -euf
+ set -x
+
+ mkdir -p /var/lib/containers/${cname}/var/state
+
+ if ! 
mount | grep -q '/var/lib/sync-containers/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
+ if [ -e /var/lib/sync-containers/${cname}/ecryptfs/.cfg.json ]; then
+ ${pkgs.ecrypt}/bin/ecrypt mount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+ else
+ ${pkgs.ecrypt}/bin/ecrypt init /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+ fi
+ fi
+
+ STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+ if [ "$STATE" = 'down' ]; then
+ ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+ fi
+
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+ set -x
+
+ mkdir -p /var/state/var_src
+ ln -sfTr /var/state/var_src /var/src
+ touch /etc/NIXOS
+ ''}
+
+ if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+ fi
+ '')
+ (pkgs.writeDashBin "stop-${cname}" ''
+ set -euf
+
+ ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+ ${pkgs.ecrypt}/bin/ecrypt unmount /var/lib/sync-containers/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+ '')
+ ];
+}
+
diff --git a/lass/2configs/green-hosts/plain-bindfs.nix b/lass/2configs/green-hosts/plain-bindfs.nix
new file mode 100644
index 00000000..81d8f20c
--- /dev/null
+++ b/lass/2configs/green-hosts/plain-bindfs.nix
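Review bot: In `start-${cname}` the choice between `ecrypt mount` and `ecrypt init` hinges only on `.cfg.json` existing, so on a host where Syncthing has not yet delivered the folder's contents, `init` runs against a directory that peers will later fill with a vault under a different key, and the two end up interleaved in one synced folder. Refusing to initialise a non-empty directory, `if [ -n "$(ls -A /var/lib/sync-containers/${cname}/ecryptfs)" ]; then echo 'folder not empty but no .cfg.json' >&2; exit 1; fi` just before the `ecrypt init` line, or moving init into an explicit `init-${cname}` command as the cryfs variant does, avoids that; the same unguarded fallback exists in securefs.nix around `securefs create`. The `mount | grep -q '… type ecryptfs'` probe is a fixed-string match on mount's formatted output; `${pkgs.util-linux}/bin/findmnt -t ecryptfs -M /var/lib/containers/${cname}/var/state` asks the same question without depending on that formatting.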
@@ -0,0 +1,90 @@
+# this seems to work, sadly there are no inotify events on the state directory because bindfs hides them,
+
+{ config, lib, pkgs, ... }:
+with import ;
+
+let
+
+ cname = "green-plain";
+
+in {
+ imports = [
+
+
+ ];
+
+ programs.fuse.userAllowOther = true;
+
+ services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = {
+ devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+ ignorePerms = false;
+ };
+
+ lass.bindfs."/var/lib/containers/${cname}/var/state" = {
+ source = "/var/lib/containers/${cname}/var/state";
+ options = [
+ "-M ${toString config.users.users.syncthing.uid} -u root -g root"
+ ];
+ };
+
+
+ systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+ containers.${cname} = {
+ config = { ... }: {
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt-unicode-unwrapped.terminfo
+ ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ system.activationScripts.fuse = {
+ text = ''
+ ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+ '';
+ deps = [];
+ };
+ };
+ allowedDevices = [
+ { modifier = "rwm"; node = "/dev/fuse"; }
+ ];
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+ localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+ };
+
+ environment.systemPackages = [
+ (pkgs.writeDashBin "start-${cname}" ''
+ set -euf
+ set -x
+
+ mkdir -p /var/lib/containers/${cname}/var/state
+
+ STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+ if [ "$STATE" = 'down' ]; then
+ ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+ fi
+
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+ set -x
+
+ mkdir -p /var/state/var_src
+ ln -sfTr /var/state/var_src /var/src
+ touch /etc/NIXOS
+ ''}
+
+ if [ -h 
/var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+ fi
+ '')
+ (pkgs.writeDashBin "stop-${cname}" ''
+ set -euf
+
+ ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+ '')
+ ];
+}
+
diff --git a/lass/2configs/green-hosts/plain-permown.nix b/lass/2configs/green-hosts/plain-permown.nix
new file mode 100644
index 00000000..21a7d008
--- /dev/null
+++ b/lass/2configs/green-hosts/plain-permown.nix
@@ -0,0 +1,88 @@
+# this seems to work fine, downsides are, all state is owned by syncthing and could be read by the guests syncthing
+
+
+{ config, lib, pkgs, ... }:
+with import ;
+
+let
+
+ cname = "green-plain";
+
+in {
+ imports = [
+
+
+ ];
+
+ services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = {
+ devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+ ignorePerms = false;
+ };
+
+ krebs.permown."/var/lib/containers/${cname}/var/state" = {
+ file-mode = "u+rw";
+ directory-mode = "u+rwx";
+ owner = "syncthing";
+ keepGoing = true;
+ };
+
+ systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+ containers.${cname} = {
+ config = { ... }: {
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt-unicode-unwrapped.terminfo
+ ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ system.activationScripts.fuse = {
+ text = ''
+ ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+ '';
+ deps = [];
+ };
+ };
+ allowedDevices = [
+ { modifier = "rwm"; node = "/dev/fuse"; }
+ ];
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+ localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+ };
+
+ environment.systemPackages = [
+ (pkgs.writeDashBin "start-${cname}" ''
+ set -euf
+ set -x
+
+ mkdir -p /var/lib/containers/${cname}/var/state
+
+ STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+ if [ "$STATE" = 'down' ]; then
+ ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+ fi
+
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+ set -x
+
+ mkdir -p /var/state/var_src
+ ln -sfTr /var/state/var_src /var/src
+ touch /etc/NIXOS
+ ''}
+
+ if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! 
ping -c1 -q -w5 ${cname}.r); then
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+ fi
+ '')
+ (pkgs.writeDashBin "stop-${cname}" ''
+ set -euf
+
+ ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+ '')
+ ];
+}
+
diff --git a/lass/2configs/green-hosts/plain.nix b/lass/2configs/green-hosts/plain.nix
new file mode 100644
index 00000000..58f54b74
--- /dev/null
+++ b/lass/2configs/green-hosts/plain.nix
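Review bot: Because `krebs.permown` hands all of `/var/lib/containers/${cname}/var/state` to the `syncthing` user and `deploy-${cname}` then symlinks `/var/state/var_src` to `/var/src`, the configuration that `start-${cname}` feeds to `nixos-rebuild -I /var/src switch` (run as root inside the container) is writable by every device in the folder's `devices` list; the header comment notes that the guest can read the state, but not that any listed peer can also change what the container will switch to. That is inherent to the design rather than a defect in this file, but the trust boundary deserves a sentence in the header, e.g. `# note: every peer in the syncthing device list can alter /var/src and thus the config the container rebuilds from`. The same applies to plain.nix and, through the bindfs mapping, to plain-bindfs.nix.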
@@ -0,0 +1,87 @@
+{ config, lib, pkgs, ... }:
+with import ;
+
+let
+
+ cname = "green-plain";
+
+in {
+ imports = [
+
+
+ ];
+
+ programs.fuse.userAllowOther = true;
+
+ services.syncthing.declarative.folders."/var/lib/containers/${cname}/var/state" = {
+ devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+ ignorePerms = false;
+ };
+
+ krebs.permown."/var/lib/containers/${cname}/var/state" = {
+ file-mode = "u+rw";
+ directory-mode = "u+rwx";
+ owner = "syncthing";
+ keepGoing = true;
+ };
+
+ systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+ containers.${cname} = {
+ config = { ... }: {
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt-unicode-unwrapped.terminfo
+ ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ system.activationScripts.fuse = {
+ text = ''
+ ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+ '';
+ deps = [];
+ };
+ };
+ allowedDevices = [
+ { modifier = "rwm"; node = "/dev/fuse"; }
+ ];
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+ localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+ };
+
+ environment.systemPackages = [
+ (pkgs.writeDashBin "start-${cname}" ''
+ set -euf
+ set -x
+
+ mkdir -p /var/lib/containers/${cname}/var/state
+
+ STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+ if [ "$STATE" = 'down' ]; then
+ ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+ fi
+
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+ set -x
+
+ mkdir -p /var/state/var_src
+ ln -sfTr /var/state/var_src /var/src
+ touch /etc/NIXOS
+ ''}
+
+ if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! 
ping -c1 -q -w5 ${cname}.r); then
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+ fi
+ '')
+ (pkgs.writeDashBin "stop-${cname}" ''
+ set -euf
+
+ ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+ '')
+ ];
+}
+
diff --git a/lass/2configs/green-hosts/securefs.nix b/lass/2configs/green-hosts/securefs.nix
new file mode 100644
index 00000000..a69cfe6c
--- /dev/null
+++ b/lass/2configs/green-hosts/securefs.nix
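Review bot: `programs.fuse.userAllowOther = true` is set here although nothing in this file mounts anything via FUSE on the host (state is handled by `krebs.permown`, not by `lass.bindfs` as in plain-bindfs.nix), so the line only widens what unprivileged users may do with `allow_other` system-wide; unless something outside this file depends on it, dropping it keeps the experiment minimal. Apart from that line and the missing header comment, this file and plain-permown.nix are identical, so a one-line header saying how this variant differs would save the next reader a diff.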
@@ -0,0 +1,101 @@
+# broken, muchsync cant sync into the folders which should be handles by bindfs
+# ls -la also does not show the full directory permissions
+{ config, lib, pkgs, ... }:
+with import ;
+
+let
+
+ cname = "green";
+
+in {
+ imports = [
+
+
+ ];
+
+ programs.fuse.userAllowOther = true;
+
+ services.syncthing.declarative.folders."/var/lib/sync-containers/${cname}/securefs" = {
+ devices = [ "icarus" "skynet" "littleT" "shodan" "mors" "morpheus" ];
+ ignorePerms = false;
+ };
+
+ krebs.permown."/var/lib/sync-containers/${cname}/securefs" = {
+ file-mode = "u+rw";
+ directory-mode = "u+rwx";
+ owner = "syncthing";
+ keepGoing = false;
+ };
+
+ systemd.services."container@${cname}".reloadIfChanged = mkForce false;
+ containers.${cname} = {
+ config = { ... }: {
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt-unicode-unwrapped.terminfo
+ ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ system.activationScripts.fuse = {
+ text = ''
+ ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+ '';
+ deps = [];
+ };
+ };
+ allowedDevices = [
+ { modifier = "rwm"; node = "/dev/fuse"; }
+ ];
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.15"; # TODO find way to automatically calculate IPs
+ localAddress = "10.233.2.16"; # TODO find way to automatically calculate IPs
+ };
+
+ environment.systemPackages = [
+ (pkgs.writeDashBin "start-${cname}" ''
+ set -euf
+ set -x
+
+ mkdir -p /var/lib/containers/${cname}/var/state
+
+ if ! mount | grep -q 'securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
+ if ! 
${pkgs.securefs}/bin/securefs info /var/lib/sync-containers/${cname}/securefs; then
+ ${pkgs.securefs}/bin/securefs create --format 4 /var/lib/sync-containers/${cname}/securefs
+ fi
+
+ ${pkgs.securefs}/bin/securefs mount -b \
+ -o allow_other -o default_permissions \
+ --log /var/lib/sync-containers/${cname}/securefs.log \
+ /var/lib/sync-containers/${cname}/securefs /var/lib/containers/${cname}/var/state
+ fi
+
+ STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${cname})
+ if [ "$STATE" = 'down' ]; then
+ ${pkgs.nixos-container}/bin/nixos-container start ${cname}
+ fi
+
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- ${pkgs.writeDash "deploy-${cname}" ''
+ set -x
+
+ mkdir -p /var/state/var_src
+ ln -sfTr /var/state/var_src /var/src
+ touch /etc/NIXOS
+ ''}
+
+ if [ -h /var/lib/containers/${cname}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${cname}.r); then
+ ${pkgs.nixos-container}/bin/nixos-container run ${cname} -- nixos-rebuild -I /var/src switch
+ fi
+ '')
+ (pkgs.writeDashBin "stop-${cname}" ''
+ set -euf
+
+ ${pkgs.nixos-container}/bin/nixos-container stop ${cname}
+ umount /var/lib/containers/${cname}/var/state
+ '')
+ ];
+}
+
-- cgit v1.2.3
From ba79c70bbdd357e9c97306beeb181645bad03219 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sun, 3 Sep 2023 11:57:38 +0200
Subject: l telegraf: update config
---
 lass/2configs/monitoring/telegraf.nix | 175 ++++++++++++++++++++++++++--------
 1 file changed, 133 insertions(+), 42 deletions(-)
diff --git a/lass/2configs/monitoring/telegraf.nix b/lass/2configs/monitoring/telegraf.nix
index 5258b87e..b172b9c6 100644
--- a/lass/2configs/monitoring/telegraf.nix
+++ b/lass/2configs/monitoring/telegraf.nix
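Review bot: `if ! ${pkgs.securefs}/bin/securefs info …; then … securefs create --format 4 …` treats every non-zero exit of `info` as "no vault yet", so a transient failure (permissions, a partially synced directory) sends `create` into a directory that may already hold a vault from another peer; checking emptiness first, `[ -z "$(ls -A /var/lib/sync-containers/${cname}/securefs)" ]`, keeps the fallback from touching existing data, and the same caveat was raised for the `ecrypt init` fallback in ecryptfs.nix. `stop-${cname}` calls a bare `umount` while every other tool in the file is referenced by store path; `${pkgs.util-linux}/bin/umount /var/lib/containers/${cname}/var/state` would match the rest and not depend on the caller's PATH. The header already marks this variant as broken, so these are notes for whoever picks it up rather than blockers.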
@@ -1,60 +1,127 @@ -{ config, lib, pkgs, ... }: +{ pkgs, lib, config, ... }: +# To use this module you also need to allow port 9273 either on the internet or on a vpn interface +# i.e. networking.firewall.interfaces."vpn0".allowedTCPPorts = [ 9273 ]; +# Example prometheus alert rules: +# - https://github.com/Mic92/dotfiles/blob/master/nixos/eva/modules/prometheus/alert-rules.nix let isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules; -in { + # potentially wrong if the nvme is not used at boot... + hasNvme = lib.any (m: m == "nvme") config.boot.initrd.availableKernelModules; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 9273"; target = "ACCEPT"; } - ]; + ipv6DadCheck = pkgs.writeShellScript "ipv6-dad-check" '' + ${pkgs.iproute2}/bin/ip --json addr | \ + ${pkgs.jq}/bin/jq -r 'map(.addr_info) | flatten(1) | map(select(.dadfailed == true)) | map(.local) | @text "ipv6_dad_failures count=\(length)i"' + ''; - systemd.services.telegraf.path = [ pkgs.nvme-cli ]; + zfsChecks = lib.optional + (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) + (pkgs.writeScript "zpool-health" '' + #!${pkgs.gawk}/bin/awk -f + BEGIN { + while ("${pkgs.zfs}/bin/zpool status" | getline) { + if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 } + if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } + if ($1 ~ /errors:/) { + if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 + } + } + } + ''); + + nfsChecks = + let + collectHosts = shares: fs: + if builtins.elem fs.fsType [ "nfs" "nfs3" "nfs4" ] + then + shares + // ( + let + # also match ipv6 addresses + group = builtins.match "\\[?([^\]]+)]?:([^:]+)$" fs.device; + host = builtins.head group; + path = builtins.elemAt group 1; + in + { + ${host} = (shares.${host} or [ ]) ++ [ path ]; + } + ) + else shares; + nfsHosts = lib.foldl collectHosts { } (builtins.attrValues config.fileSystems); + in + lib.mapAttrsToList + ( + 
host: args: + (pkgs.writeScript "nfs-health" '' + #!${pkgs.gawk}/bin/awk -f + BEGIN { + for (i = 2; i < ARGC; i++) { + mounts[ARGV[i]] = 1 + } + while ("${pkgs.nfs-utils}/bin/showmount -e " ARGV[1] | getline) { + if (NR == 1) { continue } + if (mounts[$1] == 1) { + printf "nfs_export,host=%s,path=%s present=1\n", ARGV[1], $1 + } + delete mounts[$1] + } + for (mount in mounts) { + printf "nfs_export,host=%s,path=%s present=0\n", ARGV[1], $1 + } + } + '') + + " ${host} ${builtins.concatStringsSep " " args}" + ) + nfsHosts; + +in +{ + + systemd.services.telegraf.path = lib.optional (!isVM && hasNvme) pkgs.nvme-cli; services.telegraf = { enable = true; extraConfig = { agent.interval = "60s"; inputs = { - http_response = [ - { urls = [ - "http://localhost:8080/about/health/" - ]; } + prometheus.urls = lib.mkIf config.services.promtail.enable [ + # default promtail port + "http://localhost:9080/metrics" ]; prometheus.metric_version = 2; kernel_vmstat = { }; - # smart = lib.mkIf (!isVM) { - # path = pkgs.writeShellScript "smartctl" '' - # exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" - # ''; - # }; + nginx.urls = lib.mkIf config.services.nginx.statusPage [ + "http://localhost/nginx_status" + ]; + smart = lib.mkIf (!isVM) { + path_smartctl = pkgs.writeShellScript "smartctl" '' + exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" + ''; + }; system = { }; mem = { }; - file = [{ - data_format = "influx"; - file_tag = "name"; - files = [ "/var/log/telegraf/*" ]; - }] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { - name_override = "ext4_errors"; - files = [ "/sys/fs/ext4/*/errors_count" ]; - data_format = "value"; - }; - exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) { - ## Commands array - commands = [ - (pkgs.writeScript "zpool-health" '' - #!${pkgs.gawk}/bin/awk -f - BEGIN { - while ("${pkgs.zfs}/bin/zpool status" | getline) { - if ($1 ~ /pool:/) { printf 
"zpool_status,name=%s ", $2 } - if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } - if ($1 ~ /errors:/) { - if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 - } - } - } - '') - ]; - data_format = "influx"; - }; + file = + [ + { + data_format = "influx"; + file_tag = "name"; + files = [ "/var/log/telegraf/*" ]; + } + ] + ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { + name_override = "ext4_errors"; + files = [ "/sys/fs/ext4/*/errors_count" ]; + data_format = "value"; + }; + exec = [ + { + ## Commands array + commands = + [ ipv6DadCheck ] + ++ zfsChecks + ++ nfsChecks; + data_format = "influx"; + } + ]; systemd_units = { }; swap = { }; disk.tagdrop = { @@ -62,6 +129,11 @@ in { device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ]; }; diskio = { }; + zfs = { + poolMetrics = true; + }; + } // lib.optionalAttrs (if lib.versionAtLeast (lib.versions.majorMinor lib.version) "23.11" then config.boot.swraid.enable else config.boot.initrd.services.swraid.enable) { + mdstat = { }; }; outputs.prometheus_client = { listen = ":9273"; @@ -69,4 +141,23 @@ in { }; }; }; + security.sudo.extraRules = lib.mkIf (!isVM) [ + { + users = [ "telegraf" ]; + commands = [ + { + command = "${pkgs.smartmontools}/bin/smartctl"; + options = [ "NOPASSWD" ]; + } + ]; + } + ]; + # avoid logging sudo use + security.sudo.configFile = '' + Defaults:telegraf !syslog,!pam_session + ''; + # create dummy file to avoid telegraf errors + systemd.tmpfiles.rules = [ + "f /var/log/telegraf/dummy 0444 root root - -" + ]; } -- cgit v1.2.3 From 77b8c837c5e9a5217e829ae2976a37e691a291b5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:58:42 +0200 Subject: l coms proxy: ipforward ports --- lass/2configs/services/coms/proxy.nix | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/lass/2configs/services/coms/proxy.nix b/lass/2configs/services/coms/proxy.nix index e8555f9b..fd7b36ca 100644 
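Review bot: In the added `nfs-health` awk script the final loop `for (mount in mounts) { printf "nfs_export,host=%s,path=%s present=0\n", ARGV[1], $1 }` prints `$1`, which after the `while … getline` loop still holds the last line read from showmount, instead of the loop variable, so every missing export is reported under the wrong (or an empty) path; the fix is `printf "nfs_export,host=%s,path=%s present=0\n", ARGV[1], mount`. Less likely but worth a comment: `builtins.head group` in `collectHosts` throws if `builtins.match` returns null for an NFS `device` without a colon, and nothing in the hunk rejects that case. The `nfsChecks` binding is inside the `let` that the first hunk rewrites, so the whole expression is visible here.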
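Review bot: `security.sudo.extraRules` grants `telegraf` passwordless root for `${pkgs.smartmontools}/bin/smartctl` with any arguments, and the `Defaults:telegraf !syslog,!pam_session` line then removes the sudo audit trail for exactly that account; from a detection standpoint it is better to keep the log and drop the expected invocations downstream, or to silence only the allowed ones with `Defaults:telegraf !log_allowed,!pam_session` so that denials from this account stay visible. Narrowing the command entry to the argument forms the smart input actually issues would shrink the rule further, but that depends on the plugin's invocation, which the hunk does not show.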
--- a/lass/2configs/services/coms/proxy.nix +++ b/lass/2configs/services/coms/proxy.nix @@ -21,14 +21,13 @@ in proxy_pass ${target}:${toString port}; } '') tcpports} - ${lib.concatMapStringsSep "\n" (port: '' - server { - listen ${toString port} udp; - proxy_pass ${target}:${toString port}; - } - '') udpports} ''; + krebs.iptables.tables.nat.PREROUTING.rules = lib.flatten (map (port: [ + { predicate = "-p udp --dport ${toString port}"; target = "DNAT --to-destination ${config.krebs.hosts.orange.nets.retiolum.ip4.addr}:${toString port}"; v6 = false; } + { predicate = "-p udp --dport ${toString port}"; target = "DNAT --to-destination [${config.krebs.hosts.orange.nets.retiolum.ip6.addr}]:${toString port}"; v4 = false; } + ]) udpports); + services.nginx.virtualHosts."jitsi.lassul.us" = { enableACME = true; acmeFallbackHost = "${target}"; @@ -36,7 +35,7 @@ in locations."/" = { recommendedProxySettings = true; proxyWebsockets = true; - proxyPass = "http://${target}"; + proxyPass = "https://${target}"; }; }; } -- cgit v1.2.3 From 541cfbe3a2544ec74cee6c9b24b1a86051688414 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:59:38 +0200 Subject: l radio news: add debug outputs --- lass/2configs/services/radio/news.nix | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/lass/2configs/services/radio/news.nix b/lass/2configs/services/radio/news.nix index 62f7f548..a9cddb62 100644 --- a/lass/2configs/services/radio/news.nix +++ b/lass/2configs/services/radio/news.nix @@ -122,10 +122,9 @@ in ''}''; }; - ## debug - # environment.systemPackages = [ - # weather_report - # send_to_radio - # newsshow - # ]; + # debug + environment.systemPackages = [ + send_to_radio + newsshow + ]; } -- cgit v1.2.3 From 45c3e165c96efa0148ddedffd50f508d7dae6093 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 3 Sep 2023 11:59:53 +0200 Subject: l radio: add watcher --- lass/2configs/services/radio/default.nix | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
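Review bot: The two DNAT rules added to `krebs.iptables.tables.nat.PREROUTING.rules` have no matching SNAT/MASQUERADE and no FORWARD accept in this hunk, so unless orange's replies to arbitrary client addresses are routed back through this host (which the hunk cannot show), they leave orange with its own source address, never match the DNAT conntrack entry, and the client discards them; if that reverse path is not guaranteed, a `MASQUERADE` rule for the same `-p udp --dport` predicates in POSTROUTING, with forwarding enabled, is needed. The predicates also match on every interface, which is fine if that mirrors the removed `listen … udp` stream servers, but worth stating in a comment. `udpports` and the `''` string this hunk edits are defined before the hunk starts.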
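Review bot: Switching `proxyPass` to `https://${target}` encrypts the upstream hop but, with nginx's default `proxy_ssl_verify off`, does not authenticate orange; if `target` can be reached over an untrusted path, `extraConfig = "proxy_ssl_verify on; proxy_ssl_name jitsi.lassul.us; proxy_ssl_trusted_certificate <path-to-ca-bundle>;"` in the same `locations."/"` block closes that gap. If `target` is only ever a retiolum address, a comment saying the VPN is the trust boundary is enough.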
diff --git a/lass/2configs/services/radio/default.nix b/lass/2configs/services/radio/default.nix index 5accfe36..5a10b557 100644 --- a/lass/2configs/services/radio/default.nix +++ b/lass/2configs/services/radio/default.nix @@ -104,6 +104,22 @@ in { print_current ]; + + systemd.services.radio_watcher = { + wantedBy = [ "multi-user.target" ]; + after = [ "radio.service" ]; + serviceConfig = { + ExecStart = pkgs.writers.writeDash "radio_watcher" '' + set -efux + while :; do + ${pkgs.curl}/bin/curl -Ss http://localhost:8000/radio.ogg -o /dev/null + ${pkgs.systemd}/bin/sy