author | makefu <github@syntax-fehler.de> | 2023-01-30 23:43:04 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2023-01-30 23:43:04 +0100 |
commit | 369fa6b7eb3f0fa3e1034bcad438eeda017949f8 (patch) | |
tree | 22f7891595fba32a7e66b755617e0d49b91993f3 /lass/2configs | |
parent | dbc3870841223051e4f617b4c06065c168c69c10 (diff) | |
parent | c7417c8bc1b50d466dae493ac3619d9f324f34f8 (diff) |
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/2configs')
-rw-r--r-- | lass/2configs/gg23.nix | 30 | ||||
-rw-r--r-- | lass/2configs/green-host.nix | 6 | ||||
-rw-r--r-- | lass/2configs/mail.nix | 66 | ||||
-rw-r--r-- | lass/2configs/orange-host.nix | 15 | ||||
-rw-r--r-- | lass/2configs/radio/container-host.nix | 2 | ||||
-rw-r--r-- | lass/2configs/red-host.nix | 2 | ||||
-rw-r--r-- | lass/2configs/riot.nix | 14 | ||||
-rw-r--r-- | lass/2configs/ubik-host.nix | 26 | ||||
-rw-r--r-- | lass/2configs/xmonad.nix | 11 | ||||
-rw-r--r-- | lass/2configs/yellow-host.nix | 2 | ||||
-rw-r--r-- | lass/2configs/yubikey.nix | 10 |
11 files changed, 138 insertions, 46 deletions
diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix index 51db9a40a..b35b0cb85 100644 --- a/lass/2configs/gg23.nix +++ b/lass/2configs/gg23.nix @@ -2,17 +2,19 @@ with import <stockholm/lib>; { + # ipv6 from vodafone is really really flaky + boot.kernel.sysctl."net.ipv6.conf.et0.disable_ipv6" = 1; systemd.network.networks."50-et0" = { matchConfig.Name = "et0"; - DHCP = "yes"; + DHCP = "ipv4"; # dhcpV4Config.UseDNS = false; # dhcpV6Config.UseDNS = false; linkConfig = { RequiredForOnline = "routable"; }; - # networkConfig = { - # LinkLocalAddressing = "no"; - # }; + networkConfig = { + LinkLocalAddressing = "no"; + }; # dhcpV6Config = { # PrefixDelegationHint = "::/60"; # }; @@ -23,14 +25,15 @@ with import <stockholm/lib>; # Managed = true; # }; }; + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; systemd.network.networks."50-int0" = { name = "int0"; address = [ "10.42.0.1/24" ]; networkConfig = { - IPForward = "yes"; - IPMasquerade = "both"; + # IPForward = "yes"; + # IPMasquerade = "both"; ConfigureWithoutCarrier = true; DHCPServer = "yes"; # IPv6SendRA = "yes"; @@ -49,9 +52,16 @@ with import <stockholm/lib>; krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; } ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s 10.42.0.0/24"; target = "MASQUERADE"; } + ]; networking.domain = "gg23"; + networking.useHostResolvConf = false; + services.resolved.extraConfig = '' + DNSStubListener=no + ''; services.dnsmasq = { enable = true; resolveLocalQueries = false; @@ -64,4 +74,12 @@ with import <stockholm/lib>; interface=int0 ''; }; + + environment.systemPackages = [ + (pkgs.writers.writeDashBin "restart_router" '' + ${pkgs.mosquitto}/bin/mosquitto_pub -h localhost -t 'cmnd/router/POWER' -u gg23 -P gg23-mqtt -m OFF + sleep 2 + ${pkgs.mosquitto}/bin/mosquitto_pub -h localhost -t 'cmnd/router/POWER' -u gg23 -P gg23-mqtt -m ON + '') + ]; } 
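Review bot: The new POSTROUTING rule `-s 10.42.0.0/24 -j MASQUERADE` carries no output-interface match, so traffic from the int0 subnet is source-NATed on whatever interface it leaves through, not only the uplink that the removed `IPMasquerade = "both"` on int0 was paired with. If this host has other links (the `.r` names elsewhere in this merge suggest an overlay, but it is not visible here), LAN clients reaching them would appear as the router itself and any per-source filtering on those peers is defeated. Restricting the rule to the uplink, `{ v6 = false; predicate = "-s 10.42.0.0/24 -o et0"; target = "MASQUERADE"; }`, keeps it to what the old networkd setting did. The `DNSStubListener=no` and `useHostResolvConf = false` lines are needed for dnsmasq to own port 53 on int0 and look correct as written.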
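Review bot: The `restart_router` wrapper embeds the MQTT credentials `-u gg23 -P gg23-mqtt` in a `writeDashBin` derivation, so the password lands in the world-readable Nix store (and in any binary cache the closure is pushed to) and in the argv of every run, where `ps` shows it to every local user. The rest of this repo keeps secrets out of the store via `<secrets>` (see the `sshKey` paths in the sibling host files), and the same should apply here: read the password at runtime from a root-only file outside the store, e.g. `-P "$(cat /path/to/mqtt-password)"`, and install the wrapper for root only or as a systemd unit instead of a system-wide package. As far as I can tell mosquitto_pub has no password-file option, so the argv exposure remains unless the broker is moved to TLS client certificates; if the broker on localhost only accepts local connections, that residual risk may be acceptable, but it deserves a comment next to the script saying so.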
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix index 1e41e8e02..66088a562 100644 --- a/lass/2configs/green-host.nix +++ b/lass/2configs/green-host.nix @@ -1,10 +1,6 @@ { config, pkgs, ... }: { - imports = [ - <stockholm/lass/2configs/container-networking.nix> - ]; - - lass.sync-containers3.containers.green = { + krebs.sync-containers3.containers.green = { sshKey = "${toString <secrets>}/green.sync.key"; }; } diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index b874695a8..f5b2e22b7 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -1,5 +1,4 @@ -with import <stockholm/lib>; -{ pkgs, ... }: +{ config, lib, pkgs, ... }: let @@ -14,7 +13,6 @@ let port 465 tls on tls_starttls off - tls_fingerprint 9C:82:3B:0F:31:CE:1B:8E:96:00:CC:C9:FF:E7:BE:66:95:92:4F:22:DD:D6:2E:0E:1D:90:76:BE:8E:9E:8E:16 auth on user lassulus passwordeval pass show c-base/pass @@ -24,11 +22,12 @@ let notmuch-config = pkgs.writeText "notmuch-config" '' [database] path=/home/lass/Maildir + mail_root=/home/lass/Maildir [user] name=lassulus primary_email=lassulus@lassul.us - other_email=lass@mors.r;${concatStringsSep ";" (flatten (attrValues mailboxes))} + other_email=lass@mors.r;${lib.concatStringsSep ";" (lib.flatten (lib.attrValues mailboxes))} [new] tags=unread;inbox; 
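Review bot: Dropping `tls_fingerprint` from the msmtp account (the port 465 block, whose `account` line starts before this hunk) changes certificate checking from a pinned fingerprint to CA validation, and that is only safe if msmtp actually performs it: the visible lines set `tls on` but neither `tls_trust_file` nor `tls_certcheck`, so whether validation now happens depends on the msmtp version's default trust store and on no `tls_certcheck off` appearing elsewhere in the block. If the c-base server presents a publicly trusted certificate, an explicit `tls_trust_file system` next to `tls on` makes that intent visible; if it is self-signed, the pin should be replaced with the new fingerprint rather than removed. Otherwise the outcome is either a hard send failure (certcheck on) or the password from `passwordeval pass show c-base/pass` being handed to an unverified peer (certcheck off).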
@@ -93,11 +92,37 @@ let tag-new-mails = pkgs.writeDashBin "nm-tag-init" '' ${pkgs.notmuch}/bin/notmuch new - ${concatMapStringsSep "\n" (i: ''${pkgs.notmuch}/bin/notmuch tag -inbox +${i.name} -- tag:inbox ${concatMapStringsSep " or " (f: "${f}") i.value}'') (mapAttrsToList nameValuePair mailboxes)} + ${lib.concatMapStringsSep "\n" (i: '' + '') (lib.mapAttrsToList lib.nameValuePair mailboxes)} + ${lib.concatMapStringsSep "\n" (i: '' + mkdir -p "$HOME/Maildir/.${i.name}/cur" + for mail in $(${pkgs.notmuch}/bin/notmuch search --output=files 'tag:inbox and (${lib.concatMapStringsSep " or " (f: "${f}") i.value})'); do + if test -e "$mail"; then + mv "$mail" "$HOME/Maildir/.${i.name}/cur/" + else + echo "$mail does not exist" + fi + done + ${pkgs.notmuch}/bin/notmuch tag -inbox +${i.name} -- tag:inbox ${lib.concatMapStringsSep " or " (f: "${f}") i.value} + '') (lib.mapAttrsToList lib.nameValuePair mailboxes)} + ${pkgs.notmuch}/bin/notmuch new + ${pkgs.notmuch}/bin/notmuch dump > "$HOME/Maildir/notmuch.backup" ''; tag-old-mails = pkgs.writeDashBin "nm-tag-old" '' - ${concatMapStringsSep "\n" (i: ''${pkgs.notmuch}/bin/notmuch tag -inbox -archive +${i.name} -- ${concatMapStringsSep " or " (f: "${f}") i.value}'') (mapAttrsToList nameValuePair mailboxes)} + set -efux + ${lib.concatMapStringsSep "\n" (i: '' + ${pkgs.notmuch}/bin/notmuch tag -inbox -archive +${i.name} -- ${lib.concatMapStringsSep " or " (f: "${f}") i.value} + mkdir -p "$HOME/Maildir/.${i.name}/cur" + for mail in $(${pkgs.notmuch}/bin/notmuch search --output=files ${lib.concatMapStringsSep " or " (f: "${f}") i.value}); do + if test -e "$mail"; then + mv "$mail" "$HOME/Maildir/.${i.name}/cur/" + else + echo "$mail does not exist" + fi + done + '') (lib.mapAttrsToList lib.nameValuePair mailboxes)} + ${pkgs.notmuch}/bin/notmuch new --no-hooks ''; muttrc = pkgs.writeText "muttrc" '' 
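Review bot: In `nm-tag-init` the first `lib.concatMapStringsSep "\n" (i: '' '') …` emits only blank lines and reads like an editing leftover; dropping it makes the script clearer. Both scripts iterate `for mail in $(notmuch search --output=files …)`, which word-splits and globs every path; Maildir file names here are generated so this is probably harmless today, but `notmuch search --output=files --format=text0 … | xargs -0 …` (or a `while IFS= read -r` loop) costs nothing and avoids the surprise when a folder name gains a space. `nm-tag-old` runs under `set -efux` while `nm-tag-init` has no `set -e`, so a failing `mv` or `notmuch tag` in the latter is silently skipped before the final `notmuch dump` backup is written; giving both scripts the same `set -efu` prelude keeps their failure behaviour consistent. Both definitions sit inside the `let` block that begins and ends outside this hunk.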
@@ -110,17 +135,6 @@ let set crypt_verify_sig = yes set pgp_verify_command = "gpg --no-verbose --batch --output - --verify %s %f" - macro index \Cv \ - "<enter-command> set my_crypt_verify_sig=\$crypt_verify_sig<enter> \ - <enter-command> set crypt_verify_sig=yes<enter> \ - <display-message><enter-command> set crypt_verify_sig=\$my_crypt_verify_sig<enter>" \ - 'Verify PGP signature and open the message' - - macro pager \Cv \ - "<exit><enter-command> set my_crypt_verify_sig=\$crypt_verify_sig<enter> \ - <enter-command> set crypt_verify_sig=yes<enter> \ - <display-message><enter-command> set crypt_verify_sig=\$my_crypt_verify_sig<enter>" \ - 'Verify PGP signature' # read html mails auto_view text/html @@ -138,8 +152,8 @@ let set sendmail="${msmtp}/bin/msmtp" # enables parsing of outgoing mail set from="lassulus@lassul.us" alternates ^.*@lassul\.us$ ^.*@.*\.r$ - set use_from=yes - set envelope_from=yes + unset envelope_from_address + set use_envelope_from set reverse_name set sort=threads @@ -148,7 +162,7 @@ let virtual-mailboxes "Unread" "notmuch://?query=tag:unread" virtual-mailboxes "INBOX" "notmuch://?query=tag:inbox" - ${concatMapStringsSep "\n" (i: ''${" "}virtual-mailboxes "${i.name}" "notmuch://?query=tag:${i.name}"'') (mapAttrsToList nameValuePair mailboxes)} + ${lib.concatMapStringsSep "\n" (i: ''${" "}virtual-mailboxes "${i.name}" "notmuch://?query=tag:${i.name}"'') (lib.mapAttrsToList lib.nameValuePair mailboxes)} virtual-mailboxes "TODO" "notmuch://?query=tag:TODO" virtual-mailboxes "Starred" "notmuch://?query=tag:*" virtual-mailboxes "Archive" "notmuch://?query=tag:archive" 
@@ -166,6 +180,15 @@ let macro index + "<modify-labels>+*\n<sync-mailbox>" # tag as starred macro index - "<modify-labels>-*\n<sync-mailbox>" # tag as unstarred + # muchsync + bind index \Cr noop + macro index \Cr \ + "<enter-command>unset wait_key<enter> \ + <shell-escape>${pkgs.writeDash "muchsync" '' + set -efu + ${pkgs.muchsync}/bin/muchsync -F lass@green.r + ''}<enter> \ + 'run muchsync to green.r' #killed bind index d noop @@ -213,6 +236,9 @@ let macro pager ,@3 "<enter-command> set pager_index_lines=7; macro pager ] ,@1 'Toggle indexbar<Enter>" macro pager ] ,@1 'Toggle indexbar + # urlview + macro pager \cb <pipe-entry>'${pkgs.urlview}/bin/urlview'<enter> 'Follow links with urlview' + # sidebar set sidebar_divider_char = '│' set sidebar_delim_chars = "/" diff --git a/lass/2configs/orange-host.nix b/lass/2configs/orange-host.nix new file mode 100644 index 000000000..e4bfcff89 --- /dev/null +++ b/lass/2configs/orange-host.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: +{ + krebs.sync-containers3.containers.orange = { + sshKey = "${toString <secrets>}/orange.sync.key"; + }; + services.nginx.virtualHosts."lassul.us" = { + # enableACME = config.security; + # forceSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://orange.r"; + }; + }; +} diff --git a/lass/2configs/radio/container-host.nix b/lass/2configs/radio/container-host.nix index e32095ffa..de0ea9afe 100644 --- a/lass/2configs/radio/container-host.nix +++ b/lass/2configs/radio/container-host.nix @@ -1,6 +1,6 @@ { config, pkgs, ... }: { - lass.sync-containers3.containers.radio = { + krebs.sync-containers3.containers.radio = { sshKey = "${toString <secrets>}/radio.sync.key"; }; containers.radio = { diff --git a/lass/2configs/red-host.nix b/lass/2configs/red-host.nix index cbd9c097e..171191dac 100644 --- a/lass/2configs/red-host.nix +++ b/lass/2configs/red-host.nix 
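Review bot: The new `lassul.us` vhost in orange-host.nix has `enableACME` and `forceSSL` commented out (the `config.security` fragment would not be a valid value anyway), so nginx serves this name over plain HTTP with no TLS and no redirect, unlike `ubik-host.nix` in the same merge which enables both. If this is a deliberate interim state while the site moves into the orange container, a comment saying so and what unblocks it would help the next reader; otherwise `enableACME = true; forceSSL = true;` should go back in before DNS is pointed at this host. The backend `proxyPass = "http://orange.r"` is likewise unencrypted, which is acceptable only if `.r` resolves exclusively over an encrypted overlay, something this hunk cannot confirm.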
@@ -8,7 +8,7 @@ in ]; - lass.sync-containers3.containers.red = { + krebs.sync-containers3.containers.red = { sshKey = "${toString <secrets>}/containers/red/sync.key"; ephemeral = true; }; diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix index 559e7b20d..6aacec5b6 100644 --- a/lass/2configs/riot.nix +++ b/lass/2configs/riot.nix @@ -31,27 +31,31 @@ privateNetwork = true; hostAddress = "10.233.1.1"; localAddress = "10.233.1.2"; - forwardPorts = [ - { hostPort = 45622; containerPort = 22; } - ]; }; systemd.network.networks."50-ve-riot" = { matchConfig.Name = "ve-riot"; networkConfig = { - IPForward = "yes"; # weirdly we have to use POSTROUTING MASQUERADE here + # and set ip_forward manually + # IPForward = "yes"; # IPMasquerade = "both"; LinkLocalAddressing = "no"; KeepConfiguration = "static"; }; }; - # networking.nat can be used instead of this + boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1; + krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s ${config.containers.riot.localAddress}"; target = "MASQUERADE"; } ]; + + # networking.nat can be used instead of this + krebs.iptables.tables.nat.PREROUTING.rules = [ + { predicate = "-p tcp --dport 45622"; target = "DNAT --to-destination ${config.containers.riot.localAddress}:22"; v6 = false; } + ]; krebs.iptables.tables.filter.FORWARD.rules = [ { predicate = "-i ve-riot"; target = "ACCEPT"; } { predicate = "-o ve-riot"; target = "ACCEPT"; } diff --git a/lass/2configs/ubik-host.nix b/lass/2configs/ubik-host.nix new file mode 100644 index 000000000..a4ad5e55e --- /dev/null +++ b/lass/2configs/ubik-host.nix 
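Review bot: The removed `forwardPorts` entry is replaced by a PREROUTING DNAT matching `-p tcp --dport 45622` on every ingress interface, while the FORWARD chain accepts anything with `-o ve-riot`, so the container's sshd is now reachable via 45622 from every network the host is attached to, including internal or overlay links. If that matches what the old port forward did it is fine; if 45622 was only meant for the public uplink, add the ingress interface to the predicate, e.g. `predicate = "-i <uplink> -p tcp --dport 45622"`. The POSTROUTING rule `-s ${config.containers.riot.localAddress} -j MASQUERADE` also carries no `-o`, so container traffic is source-NATed on every egress path. The relocated `# networking.nat can be used instead of this` comment now sits above the DNAT rule only, but it applies equally to the MASQUERADE rule and the `ip_forward` sysctl.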
@@ -0,0 +1,26 @@ +{ config, pkgs, ... }: +{ + krebs.sync-containers3.containers.ubik = { + sshKey = "${toString <secrets>}/ubik.sync.key"; + }; + containers.ubik.bindMounts."/var/lib" = { + hostPath = "/var/lib/sync-containers3/ubik/state"; + isReadOnly = false; + }; + containers.ubik.bindMounts."/var/lib/nextcloud/data" = { + hostPath = "/var/ubik"; + isReadOnly = false; + }; + services.nginx.virtualHosts."c.apanowicz.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://ubik.r"; + extraConfig = '' + client_max_body_size 9001M; + ''; + }; + }; +} diff --git a/lass/2configs/xmonad.nix b/lass/2configs/xmonad.nix index 8784da379..b506e026d 100644 --- a/lass/2configs/xmonad.nix +++ b/lass/2configs/xmonad.nix @@ -53,6 +53,7 @@ import XMonad.Util.EZConfig (additionalKeysP) import XMonad.Util.NamedWindows (getName) import XMonad.Util.Run (safeSpawn) import XMonad.Util.Ungrab (unGrab) +import XMonad.Util.Paste (pasteSelection) data LibNotifyUrgencyHook = LibNotifyUrgencyHook deriving (Read, Show) @@ -105,11 +106,9 @@ floatHooks = composeAll myKeyMap :: [([Char], X ())] myKeyMap = - [ ("M4-C-p", forkFile "${pkgs.scrot}/bin/scrot" [ "~/public_html/scrot.png" ] Nothing ) - , ("M4-p", forkFile "${pkgs.pass}/bin/passmenu" [ "--type" ] Nothing) + [ ("M4-p", forkFile "${pkgs.pass}/bin/passmenu" [ "--type" ] Nothing) , ("M4-S-p", forkFile "${pkgs.otpmenu}/bin/otpmenu" [] Nothing) - , ("M4-o", forkFile "${pkgs.brain}/bin/brainmenu --type" [] Nothing) - , ("M4-z", forkFile "${pkgs.emot-menu}/bin/emoticons" [] Nothing) + , ("M4-z", forkFile "${pkgs.unimenu}/bin/unimenu" [] Nothing) , ("M4-S-q", restart "xmonad" True) 
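Review bot: The `c.apanowicz.de` vhost terminates TLS on the host and forwards to `http://ubik.r`; a Nextcloud behind a proxy only behaves correctly if, inside the container, `trusted_proxies` lists the host's address and `overwriteprotocol` is set to `https`, otherwise Nextcloud sees the proxy as every client (its brute-force protection then throttles all users together) and may emit `http://` links. This file configures only the host side, so that is worth confirming in the container's Nextcloud config. `client_max_body_size 9001M;` permits very large uploads, but nginx's default `proxy_read_timeout` of 60s will cut slow ones off; `proxy_read_timeout 600s;` or similar is the usual pairing in the same `extraConfig`. `/var/ubik` is exposed writable as the Nextcloud data directory, so its ownership must match the container's nextcloud uid, which is not visible here.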
@@ -177,13 +176,13 @@ myKeyMap = , ("M4-<F10>", spawn "${pkgs.redshift}/bin/redshift -x") , ("M4-<F11>", spawn "${config.lass.screenlock.command}") - , ("M4-<F12>", spawn "${pkgs.systemd}/bin/systemctl suspend -i") , ("M4-u", spawn "${pkgs.xcalib}/bin/xcalib -invert -alter") , ("M4-y", spawn "/run/current-system/sw/bin/switch-theme toggle") - , ("M4-s", spawn "${pkgs.knav}/bin/knav") + ${lib.optionalString (builtins.hasAttr "warpd" pkgs) '', ("M4-s", spawn "${pkgs.warpd}/bin/warpd --hint")''} , ("M4-i", spawn "/run/current-system/sw/bin/screenshot") + , ("S-<F12>", pasteSelection) --, ("M4-w", screenWorkspace 0 >>= (windows . W.greedyView)) --, ("M4-e", screenWorkspace 1 >>= (windows . W.greedyView)) diff --git a/lass/2configs/yellow-host.nix b/lass/2configs/yellow-host.nix index d07c222c6..36027cb5d 100644 --- a/lass/2configs/yellow-host.nix +++ b/lass/2configs/yellow-host.nix @@ -1,6 +1,6 @@ { config, pkgs, ... }: { - lass.sync-containers3.containers.yellow = { + krebs.sync-containers3.containers.yellow = { sshKey = "${toString <secrets>}/yellow.sync.key"; }; containers.yellow.bindMounts."/var/lib" = { diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix index a37752d5e..bf6a587af 100644 --- a/lass/2configs/yubikey.nix +++ b/lass/2configs/yubikey.nix @@ -3,6 +3,7 @@ environment.systemPackages = with pkgs; [ yubikey-personalization yubikey-manager + pinentry-curses pinentry-qt ]; services.udev.packages = with pkgs; [ yubikey-personalization ]; @@ -11,6 +12,7 @@ services.pcscd.enable = true; systemd.user.services.gpg-agent.serviceConfig.ExecStartPre = pkgs.writers.writeDash "init_gpg" '' set -x + mkdir -p $HOME/.gnupg ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "scdaemon.conf" '' disable-ccid pcsc-driver ${pkgs.pcsclite.out}/lib/libpcsclite.so.1 
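Review bot: `mkdir -p $HOME/.gnupg` in the gpg-agent `ExecStartPre` creates the GnuPG home with the process umask, so under the usual 022 it ends up mode 755 and gpg will later warn about unsafe permissions on the homedir; create it as `mkdir -p -m 700 "$HOME/.gnupg"` (quoting also guards a `$HOME` containing spaces). The `scdaemon.conf` symlink written on the next line points into the store and is world-readable regardless, which is fine since it holds no secrets. The same unquoted `mkdir -p $HOME/.gnupg` is repeated in `environment.shellInit` in this file's later hunk and wants the same mode.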
@@ -25,6 +27,10 @@ reader-port Yubico YubiKey ''} $HOME/.gnupg/scdaemon.conf ''; + systemd.user.services.gpg-agent.serviceConfig.ExecStartPost = pkgs.writers.writeDash "init_gpg" '' + ${pkgs.gnupg}/bin/gpg --import ${../../kartei/lass/pgp/yubikey.pgp} >/dev/null + echo -e '5\ny\n' | gpg --command-fd 0 --expert --edit-key DBCD757846069B392EA9401D6657BE8A8D1EE807 trust >/dev/null || : + ''; security.polkit.extraConfig = '' polkit.addRule(function(action, subject) { @@ -38,13 +44,14 @@ } }); polkit.addRule(function(action, subject) { - polkit.log("subject: " + subject + " action: " + action); + polkit.log("subject: " + subject + " action: " + action); }); ''; environment.shellInit = '' if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then export GPG_TTY="$(tty)" + mkdir -p $HOME/.gnupg gpg-connect-agent --quiet updatestartuptty /bye > /dev/null export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" if [ -z "$SSH_AUTH_SOCK" ]; then @@ -61,6 +68,7 @@ ssh.startAgent = false; gnupg.agent = { enable = true; + pinentryFlavor = "qt"; # enableSSHSupport = true; }; }; |
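Review bot: The new `ExecStartPost` pipes `echo -e '5\ny\n'` into `gpg --command-fd 0 … trust`, but `writeDash` runs under dash, whose builtin `echo` has no `-e` option: the first line gpg reads is `-e 5`, an invalid answer to the trust prompt, and the trailing `|| :` hides the failure, so the ultimate-trust assignment most likely never takes effect. The non-interactive way to do this is an ownertrust import, `printf '%s:6:\n' DBCD757846069B392EA9401D6657BE8A8D1EE807 | ${pkgs.gnupg}/bin/gpg --import-ownertrust`, which also fixes the bare `gpg` on that line that, unlike the `--import` call above it, is not taken from `${pkgs.gnupg}`. Both the `ExecStartPre` and `ExecStartPost` derivations are named `init_gpg`; a distinct name such as `trust_gpg` keeps the two scripts apart in the journal. Since this silently grants ultimate trust to a key shipped in the repo, a one-line comment stating that it is the owner's own YubiKey key would stop a later reader from treating it as a generic helper.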