summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2018-11-27 11:47:54 +0100
committertv <tv@krebsco.de>2018-11-27 11:47:54 +0100
commitc4fabb0bc40e270f7d34a06115b121ef879fc2d1 (patch)
treed745b162ca3fed36057a1d6aa7d4b4b591d76107
parent09144f173677ed33850e484cf46876d13bb37c9e (diff)
parenteef1d7877defd7c310dc20f62bf96c7b8f408044 (diff)
Merge remote-tracking branch 'prism/master'
-rw-r--r--krebs/2configs/cache.nsupdate.info.nix33
-rw-r--r--krebs/3modules/buildbot/master.nix2
-rw-r--r--krebs/3modules/buildbot/slave.nix2
-rw-r--r--krebs/3modules/cachecache.nix171
-rw-r--r--krebs/3modules/ci.nix9
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/fetchWallpaper.nix9
-rw-r--r--krebs/3modules/makefu/default.nix13
-rw-r--r--krebs/nixpkgs.json6
-rw-r--r--lass/1systems/archprism/config.nix1
-rw-r--r--lass/1systems/blue/source.nix11
-rw-r--r--lass/1systems/mors/config.nix1
-rw-r--r--lass/1systems/skynet/config.nix29
-rw-r--r--lass/1systems/skynet/physical.nix21
-rw-r--r--lass/2configs/binary-cache/server.nix9
-rw-r--r--lass/2configs/blue-host.nix99
-rw-r--r--lass/2configs/exim-smarthost.nix1
-rw-r--r--lass/2configs/fetchWallpaper.nix1
-rw-r--r--lass/2configs/mail.nix4
-rw-r--r--lass/2configs/monitoring/prometheus-server.nix3
-rw-r--r--lass/2configs/radio.nix17
-rw-r--r--lass/2configs/websites/domsen.nix7
-rw-r--r--lass/krops.nix15
-rw-r--r--makefu/1systems/omo/config.nix11
-rw-r--r--makefu/1systems/wbob/config.nix7
-rw-r--r--makefu/2configs/nginx/download.binaergewitter.de.nix25
-rw-r--r--makefu/nixpkgs.json6
27 files changed, 461 insertions, 53 deletions
diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix
new file mode 100644
index 000000000..056667d8c
--- /dev/null
+++ b/krebs/2configs/cache.nsupdate.info.nix
@@ -0,0 +1,33 @@
+{lib, ... }:
+with lib;
+let
+ domain = "cache.nsupdate.info";
+in {
+ # This only works for a single domain for nsupdate.info as multiple usernames
+ # and passwords are required for multiple domains
+ services.ddclient = {
+ enable = true;
+ server = "ipv4.nsupdate.info";
+ username = domain;
+ password = import ((toString <secrets>) + "/nsupdate-cache.nix");
+ domains = [ domain ];
+ use= "if, if=et0";
+ # use = "web, web=http://ipv4.nsupdate.info/myip";
+
+ };
+ krebs.cachecache = {
+ enable = true;
+ enableSSL = false; # disable letsencrypt for testing
+ cacheDir = "/var/cache/nix-cache-cache";
+ maxSize = "10g";
+
+ # assumes that the domain is reachable from the internet
+ virtualHost = domain;
+ };
+
+ boot.kernelModules = [ "tcp_bbr" ];
+
+ boot.kernel.sysctl."net.ipv4.tcp_congestion_control" = "bbr";
+ boot.kernel.sysctl."net.core.default_qdisc" = "fq";
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix
index 209dbe980..8995753ac 100644
--- a/krebs/3modules/buildbot/master.nix
+++ b/krebs/3modules/buildbot/master.nix
@@ -362,7 +362,7 @@ let
# normally we should write buildbot.tac by our own
# ${pkgs.buildbot-classic}/bin/buildbot upgrade-master ${workdir}
- chmod 700 -R ${workdir}
+ chmod 700 ${workdir}
chown buildbotMaster:buildbotMaster -R ${workdir}
'';
ExecStart = "${pkgs.buildbot-classic}/bin/buildbot start --nodaemon ${workdir}";
diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix
index 544f9c4e0..c15169fba 100644
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@@ -166,7 +166,7 @@ let
echo ${description} > ${workdir}/info/host
chown buildbotSlave:buildbotSlave -R ${workdir}
- chmod 700 -R ${workdir}
+ chmod 700 ${workdir}
'';
ExecStart = "${pkgs.buildbot-classic-slave}/bin/buildslave start ${workdir}";
ExecStop = "${pkgs.buildbot-classic-slave}/bin/buildslave stop ${workdir}";
diff --git a/krebs/3modules/cachecache.nix b/krebs/3modules/cachecache.nix
new file mode 100644
index 000000000..989320480
--- /dev/null
+++ b/krebs/3modules/cachecache.nix
@@ -0,0 +1,171 @@
+{ config, lib, ... }:
+
+
+# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
+# related: https://github.com/nh2/nix-binary-cache-proxy
+
+with lib;
+
+let
+
+ cfg = config.krebs.cachecache;
+
+ nginxCfg = config.services.nginx;
+
+ cacheFallbackConfig = {
+ proxyPass = "$upstream_endpoint";
+ extraConfig = ''
+ # Default is HTTP/1, keepalive is only enabled in HTTP/1.1.
+ proxy_http_version 1.1;
+
+ # Remove the Connection header if the client sends it, it could
+ # be "close" to close a keepalive connection
+ proxy_set_header Connection "";
+
+ # Needed for CloudFront.
+ proxy_ssl_server_name on;
+
+ proxy_set_header Host $proxy_host;
+ proxy_cache nix_cache_cache;
+ proxy_cache_valid 200 302 60m;
+ proxy_cache_valid 404 1m;
+
+ expires max;
+ add_header Cache-Control $nix_cache_cache_header always;
+ '';
+ };
+
+in
+
+{
+ options = {
+ krebs.cachecache = {
+ enable = mkEnableOption "Nix binary cache cache";
+
+ virtualHost = mkOption {
+ type = types.str;
+ default = "nix-cache";
+ description = ''
+ Name of the nginx virtualhost to use and setup. If null, do
+ not setup any virtualhost.
+ '';
+ };
+ enableSSL = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ enable SSL via letsencrypt. Requires working dns resolution and open
+ internet tls port.
+ '';
+ };
+
+ # webRoot = mkOption {
+ # type = types.str;
+ # default = "/";
+ # description = ''
+ # Directory on virtual host that serves the cache. Must end in
+ # <literal>/</literal>.
+ # '';
+ # };
+
+ resolver = mkOption {
+ type = types.str;
+ description = "Address of DNS resolver.";
+ default = "8.8.8.8 ipv6=off";
+ example = "127.0.0.1 ipv6=off";
+ };
+
+ cacheDir = mkOption {
+ type = types.str;
+ default = "/var/cache/nix-cache-cache";
+ description = ''
+ Where nginx should store cached data.
+ '';
+ };
+
+ maxSize = mkOption {
+ type = types.str;
+ default = "50g";
+ description = "Maximum cache size.";
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+
+ systemd.services.nginx.preStart = ''
+ mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
+ chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
+ chown ${nginxCfg.user}:${nginxCfg.group} \
+ ${cfg.cacheDir} /srv/www/nix-cache-cache
+ '';
+
+ services.nginx = {
+ enable = true;
+
+ appendHttpConfig = ''
+ proxy_cache_path ${cfg.cacheDir}
+ levels=1:2
+ keys_zone=nix_cache_cache:100m
+ max_size=${cfg.maxSize}
+ inactive=365d
+ use_temp_path=off;
+
+ # Cache only success status codes; in particular we don't want
+ # to cache 404s. See https://serverfault.com/a/690258/128321.
+ map $status $nix_cache_cache_header {
+ 200 "public";
+ 302 "public";
+ default "no-cache";
+ }
+ '';
+
+ virtualHosts.${cfg.virtualHost} = {
+ addSSL = cfg.enableSSL;
+ enableACME = cfg.enableSSL;
+ extraConfig = ''
+ # Using a variable for the upstream endpoint to ensure that it is
+ # resolved at runtime as opposed to once when the config file is loaded
+ # and then cached forever (we don't want that):
+ # see https://tenzer.dk/nginx-with-dynamic-upstreams/
+ # This fixes errors like
+ #
+ # nginx: [emerg] host not found in upstream "upstream.example.com"
+ #
+ # when the upstream host is not reachable for a short time when
+ # nginx is started.
+ resolver ${cfg.resolver} valid=10s;
+ set $upstream_endpoint https://cache.nixos.org;
+ '';
+
+ locations."/" =
+ {
+ root = "/srv/www/nix-cache-cache";
+ extraConfig = ''
+ expires max;
+ add_header Cache-Control $nix_cache_cache_header always;
+
+ # Ask the upstream server if a file isn't available
+ # locally.
+ error_page 404 = @fallback;
+
+ # Don't bother logging the above 404.
+ log_not_found off;
+ '';
+ };
+
+ locations."@fallback" = cacheFallbackConfig;
+
+ # We always want to copy cache.nixos.org's nix-cache-info
+ # file, and ignore our own, because `nix-push` by default
+ # generates one without `Priority` field, and thus that file
+ # by default has priority 50 (compared to cache.nixos.org's
+ # `Priority: 40`), which will make download clients prefer
+ # `cache.nixos.org` over our binary cache.
+ locations."= /nix-cache-info" = cacheFallbackConfig;
+ };
+ };
+ };
+}
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index 4cfe598d6..d8d0e7f3d 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -26,8 +26,15 @@ let
hostname = config.networking.hostName;
getJobs = pkgs.writeDash "get_jobs" ''
+ set -efu
nix-build --no-out-link --quiet -Q ./ci.nix > /dev/null
- nix-instantiate --quiet -Q --eval --strict --json ./ci.nix
+ js="$(nix-instantiate --quiet -Q --eval --strict --json ./ci.nix)"
+ echo "$js" | jq -r 'to_entries[] | [.key, .value] | @tsv' \
+ | while read -r host builder; do
+ gcroot=${shell.escape profileRoot}/$host-builder
+ ${pkgs.nix}/bin/nix-env -p "$gcroot" --set "$builder"
+ done
+ echo "$js"
'';
profileRoot = "/nix/var/nix/profiles/ci";
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index ca67ce65c..24cbd9cc9 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -14,6 +14,7 @@ let
./buildbot/master.nix
./buildbot/slave.nix
./build.nix
+ ./cachecache.nix
./charybdis.nix
./ci.nix
./current.nix
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index f67188122..5a5065565 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -38,11 +38,6 @@ let
'';
default = {};
};
- maxTime = mkOption {
- type = types.int;
- default = 0;
- description = "Time to wait before download is aborted";
- };
};
fetchWallpaperScript = pkgs.writeDash "fetchWallpaper" ''
@@ -51,8 +46,8 @@ let
mkdir -p ${cfg.stateDir}
chmod o+rx ${cfg.stateDir}
cd ${cfg.stateDir}
- (curl --max-time ${toString cfg.maxTime} -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
- feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
+ (curl -s -o wallpaper.tmp -z wallpaper.tmp ${shell.escape cfg.url} && cp wallpaper.tmp wallpaper) || :
+ feh --no-fehbg --bg-scale wallpaper
'';
imp = {
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index bea0f1c0e..188fbc461 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -624,15 +624,16 @@ in {
"blog.makefu.r"
"blog.gum.r"
"dcpp.gum.r"
+ "torrent.gum.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
- MIIBCgKCAQEAucCebFmS96WorD+Br4UQudmAhMlLpacErjwA/u2argBTT2nGHTR8
- aN4e0xf3IYLA+iogLIW/JuQfKLe8evEK21iZ3jleW8N7mbCulhasi/0lqWlirrpO
- npJAiSNF1m7ijoylkEKxtmehze+8ojprUT2hx1ImMlHMWGxvs+TmBbZBMgxAGMJh
- 6cMMDJQi+4d9XrJQ3+XUVK3MkviLA91oIAXsLdFptL6b12siUaz4StQXDJUHemBF
- 3ZwlO+W2Es69ifEhmV6NaDDRcSRdChGbHTz1OU8wYaFNaxWla/iprQQ+jEUldpcN
- VC18QGYRUAgZ0PCIpKurjWNehJFB3zXt+wIDAQAB
+ MIIBCgKCAQEAvgvzx3rT/3zLuCkzXk1ZkYBkG4lltxrLOLNivohw2XAzrYDIw/ZY
+ BTDDcD424EkNOF6g/3tIRWqvVGZ1u12WQ9A/R+2F7i1SsaE4nTxdNlQ5rjy80gO3
+ i1ZubMkTGwd1OYjJytYdcMTwM9V9/8QYFiiWqh77Xxu/FhY6PcQqwHxM7SMyZCJ7
+ 09gtZuR16ngKnKfo2tw6C3hHQtWCfORVbWQq5cmGzCb4sdIKow5BxUC855MulNsS
+ u5l+G8wX+UbDI85VSDAtOP4QaSFzLL+U0aaDAmq0NO1QiODJoCo0iPhULZQTFZUa
+ OMDYHHfqzluEI7n8ENI4WwchDXH+MstsgwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index e013645ea..61fd085be 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
@@ -1,7 +1,7 @@
{
"url": "https://github.com/NixOS/nixpkgs-channels",
- "rev": "bf7930d582bcf7953c3b87e649858f3f1873eb9c",
- "date": "2018-11-04T19:36:25+01:00",
- "sha256": "0nvn6g0pxp0glqjg985qxs7ash0cmcdc80h8jxxk6z4pnr3f2n1m",
+ "rev": "5d4a1a3897e2d674522bcb3aa0026c9e32d8fd7c",
+ "date": "2018-11-24T00:40:22-05:00",
+ "sha256": "19kryzx9a6x68mpyxks3dajraf92hkbnw1zf952k73s2k4qw9jlq",
"fetchSubmodules": false
}
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix
index 6706914b5..bed8961b8 100644
--- a/lass/1systems/archprism/config.nix
+++ b/lass/1systems/archprism/config.nix
@@ -110,7 +110,6 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/iodined.nix>
<stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix>
- <stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/monitoring/prometheus-server.nix>
diff --git a/lass/1systems/blue/source.nix b/lass/1systems/blue/source.nix
new file mode 100644
index 000000000..8f748ab8f
--- /dev/null
+++ b/lass/1systems/blue/source.nix
@@ -0,0 +1,11 @@
+{ lib, pkgs, ... }:
+{
+ nixpkgs = lib.mkForce {
+ file = toString (pkgs.fetchFromGitHub {
+ owner = "nixos";
+ repo = "nixpkgs";
+ rev = (lib.importJSON ../../../krebs/nixpkgs.json).rev;
+ sha256 = (lib.importJSON ../../../krebs/nixpkgs.json).sha256;
+ });
+ };
+}
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 6d65b58c2..cac13be2b 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -33,6 +33,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/rtl-sdr.nix>
<stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/print.nix>
+ <stockholm/lass/2configs/blue-host.nix>
{
krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain
diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix
index b6c08f797..14aca598e 100644
--- a/lass/1systems/skynet/config.nix
+++ b/lass/1systems/skynet/config.nix
@@ -5,42 +5,35 @@ with import <stockholm/lib>;
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
- #<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
+ <stockholm/lass/2configs/blue-host.nix>
{
- # discordius config
services.xserver.enable = true;
+ services.xserver.desktopManager.xfce.enable = true;
+
users.users.discordius = {
- uid = genid "discordius";
- home = "/home/discordius";
- group = "users";
- createHome = true;
+ uid = genid "diskordius";
+ isNormalUser = true;
extraGroups = [
"audio"
"networkmanager"
];
- useDefaultShell = true;
- };
- networking.networkmanager.enable = true;
- networking.wireless.enable = mkForce false;
- hardware.pulseaudio = {
- enable = true;
- systemWide = true;
};
environment.systemPackages = with pkgs; [
- pavucontrol
- firefox
- hexchat
- networkmanagerapplet
+ google-chrome
];
- services.xserver.desktopManager.gnome3 = {
+ hardware.pulseaudio = {
enable = true;
+ systemWide = true;
};
}
];
krebs.build.host = config.krebs.hosts.skynet;
+ networking.wireless.enable = false;
+ networking.networkmanager.enable = true;
+
services.logind.extraConfig = ''
HandleLidSwitch=ignore
'';
diff --git a/lass/1systems/skynet/physical.nix b/lass/1systems/skynet/physical.nix
index 358e1f511..e3451293f 100644
--- a/lass/1systems/skynet/physical.nix
+++ b/lass/1systems/skynet/physical.nix
@@ -1,10 +1,27 @@
{
imports = [
./config.nix
- <stockholm/lass/2configs/hw/x220.nix>
- <stockholm/lass/2configs/boot/stock-x220.nix>
+ <stockholm/krebs/2configs/hw/x220.nix>
];
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.device = "nodev";
+
+ networking.hostId = "06442b9a";
+
+ fileSystems."/" =
+ { device = "rpool/root";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/0876-B308";
+ fsType = "vfat";
+ };
+
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0"
diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix
index 220e41d0a..86158c468 100644
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@@ -20,7 +20,14 @@
services.nginx = {
enable = true;
virtualHosts.nix-serve = {
- serverAliases = [ "cache.prism.r" "cache.krebsco.de" "cache.lassul.us" ];
+ serverAliases = [ "cache.prism.r" ];
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:${toString config.services.nix-serve.port};
+ '';
+ };
+ virtualHosts."cache.krebsco.de" = {
+ serverAliases = [ "cache.lassul.us" ];
+ enableACME = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:${toString config.services.nix-serve.port};
'';
diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index 83c235f3e..fba996743 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -1,23 +1,114 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
+let
+ all_hosts = [
+ "icarus"
+ "shodan"
+ "daedalus"
+ "skynet"
+ "prism"
+ ];
+ remote_hosts = filter (h: h != config.networking.hostName) all_hosts;
-{
+in {
imports = [
<stockholm/lass/2configs/container-networking.nix>
+ { #hack for already defined
+ systemd.services."container@blue".reloadIfChanged = mkForce false;
+ systemd.services."container@blue".preStart = ''
+ ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
+ '';
+ systemd.services."container@blue".preStop = ''
+ /run/wrappers/bin/fusermount -u /var/lib/containers/blue
+ '';
+ }
];
- systemd.services."container@blue".reloadIfChanged = mkForce false;
+
+ system.activationScripts.containerPermissions = ''
+ mkdir -p /var/lib/containers
+ chmod 711 /var/lib/containers
+ '';
+
containers.blue = {
config = { ... }: {
- environment.systemPackages = [ pkgs.git ];
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt_unicode.terminfo
+ ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
- autoStart = true;
+ autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.9";
localAddress = "10.233.2.10";
};
+
+
+ systemd.services = builtins.listToAttrs (map (host:
+ let
+ in nameValuePair "sync-blue-${host}" {
+ bindsTo = [ "container@blue.service" ];
+ wantedBy = [ "container@blue.service" ];
+ # ssh needed for rsync
+ path = [ pkgs.openssh ];
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = 10;
+ ExecStart = pkgs.writeDash "sync-blue-${host}" ''
+ set -efu
+ #make sure blue is running
+ /run/wrappers/bin/ping -c1 blue.r > /dev/null
+
+ #make sure the container is unlocked
+ ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q '^encfs on /var/lib/containers/blue'
+
+ #make sure our target is reachable
+ ${pkgs.untilport}/bin/untilport ${host}.r 22 2>/dev/null
+
+ #start sync
+ ${pkgs.lsyncd}/bin/lsyncd -log scarce ${pkgs.writeText "lsyncd-config.lua" ''
+ settings {
+ nodaemon = true,
+ inotifyMode = "CloseWrite or Modify",
+ }
+ sync {
+ default.rsyncssh,
+ source = "/var/lib/containers/.blue",
+ host = "${host}.r",
+ targetdir = "/var/lib/containers/.blue",
+ rsync = {
+ owner = true,
+ group = true,
+ };
+ ssh = {
+ binary = "${pkgs.openssh}/bin/ssh";
+ identityFile = "/var/lib/containers/blue/home/lass/.ssh/id_rsa",
+ },
+ }
+ ''}
+ '';
+ };
+ unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
+ }
+ ) remote_hosts);
+
+ environment.systemPackages = [
+ (pkgs.writeDashBin "start-blue" ''
+ set -ef
+ if ! $(mount | ${pkgs.gnugrep}/bin/grep -qi '^encfs on /var/lib/containers/blue'); then
+ ${pkgs.encfs}/bin/encfs --public /var/lib/containers/.blue /var/lib/containers/blue
+ fi
+ nixos-container start blue
+ nixos-container run blue -- nixos-rebuild -I /var/src dry-build
+ if ping -c1 blue.r >/dev/null; then
+ echo 'blue is already running. bailing out'
+ exit 23
+ fi
+ nixos-container run blue -- nixos-rebuild -I /var/src switch
+ '')
+ ];
}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index bf43ee7d1..9bb70d1c2 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -92,6 +92,7 @@ with import <stockholm/lib>;
{ from = "ccc@lassul.us"; to = lass.mail; }
{ from = "neocron@lassul.us"; to = lass.mail; }
{ from = "osmocom@lassul.us"; to = lass.mail; }
+ { from = "lesswrong@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
index e756c3424..065ee9c42 100644
--- a/lass/2configs/fetchWallpaper.nix
+++ b/lass/2configs/fetchWallpaper.nix
@@ -7,7 +7,6 @@ in {
enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
url = "prism/realwallpaper-krebs.png";
- maxTime = 10;
};
}
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 46939c97e..9ea91ae19 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -31,6 +31,7 @@ let
'';
mailboxes = {
+ afra = [ "to:afra@afra-berlin.de" ];
c-base = [ "to:c-base.org" ];
coins = [
"to:btce@lassul.us"
@@ -46,11 +47,14 @@ let
];
dezentrale = [ "to:dezentrale.space" ];
dhl = [ "to:dhl@lassul.us" ];
+ dn42 = [ "to:dn42@lists.nox.tf" ];
eloop = [ "to:eloop.org" ];
github = [ "to:github@lassul.us" ];
gmail = [ "to:gmail@lassul.us" "to:lassulus@gmail.com" "lassulus@googlemail.com" ];
+ india = [ "to:hillhackers@lists.hillhacks.in" "to:hackbeach@lists.hackbeach.in" ];
kaosstuff = [ "to:gearbest@lassul.us" "to:banggood@lassul.us" "to:tomtop@lassul.us" ];
lugs = [ "to:lugs@lug-s.org" ];
+ meetup = [ "to:meetup@lassul.us" ];
nix = [ "to:nix-devel@googlegroups.com" "to:nix@lassul.us" ];
patreon = [ "to:patreon@lassul.us" ];
paypal = [ "to:paypal@lassul.us" ];
diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix
index aef671636..b7083c776 100644
--- a/lass/2configs/monitoring/prometheus-server.nix
+++ b/lass/2configs/monitoring/prometheus-server.nix
@@ -177,7 +177,8 @@
addr = "0.0.0.0";
domain = "grafana.example.com";
rootUrl = "https://grafana.example.com/";
- security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+ auth.anonymous.enable = true;
+ auth.anonymous.org_role = "Admin";
};
};
services.logstash = {
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index bf6855804..85faded14 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -62,8 +62,23 @@ in {
extraConfig = ''
audio_output {
type "shout"
+ encoding "lame"
+ name "the_playlist_mp3"
+ host "localhost"
+ port "8000"
+ mount "/radio.mp3"
+ password "${source-password}"
+ bitrate "128"
+
+ format "44100:16:2"
+
+ user "source"
+ genre "good music"
+ }
+ audio_output {
+ type "shout"
encoding "ogg"
- name "the_playlist"
+ name "the_playlist_ogg"
host "localhost"
port "8000"
mount "/radio.ogg"
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 828cab95f..4935268a4 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -139,6 +139,13 @@ in {
ssl_key = "/var/lib/acme/lassul.us/key.pem";
};
+ users.users.xanf = {
+ uid = genid_uint31 "xanf";
+ home = "/home/xanf";
+ useDefaultShell = true;
+ createHome = true;
+ };
+
users.users.domsen = {
uid = genid_uint31 "domsen";
description = "maintenance acc for domsen";
diff --git a/lass/krops.nix b/lass/krops.nix
index a898164c3..c2669c8f2 100644
--- a/lass/krops.nix
+++ b/lass/krops.nix
@@ -5,6 +5,12 @@
pkgs
;
+ host-source = if lib.pathExists (./. + "/1systems/${name}/source.nix") then
+ import (./. + "/1systems/${name}/source.nix") { inherit lib pkgs; }
+ else
+ {}
+ ;
+
source = { test }: lib.evalSource [
krebs-source
{
@@ -18,15 +24,24 @@
};
};
}
+ host-source
];
in {
+
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" {
source = source { test = false; };
inherit target;
};
+ # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A populate)
+ populate = { target, force ? false }: pkgs.populate {
+ inherit force;
+ source = source { test = false; };
+ target = lib.mkTarget target;
+ };
+
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
test = { target }: pkgs.krops.writeTest "${name}-test" {
force = true;
diff --git a/makefu/1systems/omo/confi