diff options
author | tv <tv@krebsco.de> | 2021-09-28 22:48:17 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2021-09-28 22:48:17 +0200 |
commit | ed2c6bd9792afbc433ae4eb23f40e17b90420f99 (patch) | |
tree | 289de32dd7f58f46accf7ad25ed184db5aa45198 /lass/2configs | |
parent | 20e358043546482acfa8c6134f095c1a64ef144d (diff) | |
parent | e151cfd3298120ec541987d4beb155e18335a0d8 (diff) |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass/2configs')
-rw-r--r-- | lass/2configs/baseX.nix | 11 | ||||
-rw-r--r-- | lass/2configs/default.nix | 1 | ||||
-rw-r--r-- | lass/2configs/docker.nix | 6 | ||||
-rw-r--r-- | lass/2configs/murmur.nix | 39 | ||||
-rw-r--r-- | lass/2configs/pipewire.nix | 72 | ||||
-rw-r--r-- | lass/2configs/telegraf.nix | 67 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 42 |
7 files changed, 221 insertions, 17 deletions
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 655e7912f..23eaa2802 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -10,14 +10,7 @@ in { ./urxvt.nix ./xdg-open.nix ./yubikey.nix - { - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - security.rtkit.enable = true; - sound.enableOSSEmulation = false; - } + ./pipewire.nix ./xmonad.nix { krebs.per-user.lass.packages = [ @@ -50,7 +43,7 @@ in { } ]; - users.extraUsers.mainUser.extraGroups = [ "audio" "video" ]; + users.users.mainUser.extraGroups = [ "audio" "video" ]; time.timeZone = "Europe/Berlin"; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index adfeef19d..eb38d0e97 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -117,6 +117,7 @@ with import <stockholm/lib>; iftop tcpdump mosh + sshify #stuff for dl aria2 diff --git a/lass/2configs/docker.nix b/lass/2configs/docker.nix new file mode 100644 index 000000000..2bc3a2361 --- /dev/null +++ b/lass/2configs/docker.nix @@ -0,0 +1,6 @@ +{ pkgs, lib, config, ... }: +{ + systemd.services.krebs-iptables.serviceConfig.ExecStartPost = pkgs.writeDash "kick_docker" '' + ${pkgs.systemd}/bin/systemctl restart docker.service + ''; +} diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix new file mode 100644 index 000000000..9f325d0af --- /dev/null +++ b/lass/2configs/murmur.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: +{ + services.murmur = { + enable = true; + bandwidth = 10000000; + registerName = "lassul.us"; + autobanTime = 30; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} + { predicate = "-p udp --dport 64738"; target = "ACCEPT";} + ]; + + systemd.services.docker-mumble-web.serviceConfig = { + StandardOutput = lib.mkForce "journal"; + StandardError = lib.mkForce "journal"; + }; + virtualisation.oci-containers.containers.mumble-web = { + image = "rankenstein/mumble-web"; + environment = { + MUMBLE_SERVER = "lassul.us:64738"; + }; + ports = [ + "64739:8080" + ]; + }; + + services.nginx.virtualHosts."mumble.lassul.us" = { + enableACME = true; + forceSSL = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:64739/; + proxy_set_header Accept-Encoding ""; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''; + }; +} diff --git a/lass/2configs/pipewire.nix b/lass/2configs/pipewire.nix new file mode 100644 index 000000000..8fdcff4e3 --- /dev/null +++ b/lass/2configs/pipewire.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: +# TODO test `alsactl init` after suspend to reinit mic +{ + security.rtkit.enable = true; + + hardware.bluetooth = { + enable = true; + powerOnBoot = true; + }; + + # autostart with login + systemd.user.services.pipewire-pulse = { + wantedBy = [ "graphical-session.target" ]; + }; + + environment.systemPackages = with pkgs; [ + alsaUtils + pulseaudioLight + ]; + + environment.variables.PULSE_SERVER = "localhost:4713"; + services.pipewire = { + enable = true; + socketActivation = false; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + # https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Migrate-PulseAudio#module-native-protocol-tcp + config.pipewire-pulse = { + "context.properties" = { + "log.level" = 2; + }; + "context.modules" = [ + { + name = "libpipewire-module-rtkit"; + # args = { + # "nice.level" = -15; + # "rt.prio" = 88; + # "rt.time.soft" = 200000; + # "rt.time.hard" = 200000; + # }; + flags = [ "ifexists" "nofail" ]; + } + { name = "libpipewire-module-protocol-native"; } + { name = "libpipewire-module-client-node"; } + { name = "libpipewire-module-adapter"; } + { name = "libpipewire-module-metadata"; } + { + name = "libpipewire-module-protocol-pulse"; + args = { + "vm.overrides" = { + # "pulse.min.req" = "32/48000"; + # "pulse.default.req" = "32/48000"; + # "pulse.max.req" = "32/48000"; + "pulse.min.quantum" = "1024/48000"; + # "pulse.max.quantum" = "32/48000"; + }; + "server.address" = [ + "unix:native" + "tcp:4713" + ]; + }; + } + ]; + "stream.properties" = { + # "node.latency" = "32/48000"; + # "resample.quality" = 1; + }; + }; + }; +} diff --git a/lass/2configs/telegraf.nix b/lass/2configs/telegraf.nix new file mode 100644 index 000000000..4f46cd721 --- /dev/null +++ b/lass/2configs/telegraf.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: +let + isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules; +in { + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 9273"; target = "ACCEPT"; } + ]; + + systemd.services.telegraf.path = [ pkgs.nvme-cli ]; + + services.telegraf = { + enable = true; + extraConfig = { + agent.interval = "60s"; + inputs = { + prometheus.metric_version = 2; + kernel_vmstat = { }; + # smart = lib.mkIf (!isVM) { + # path = pkgs.writeShellScript "smartctl" '' + # exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" + # ''; + # }; + system = { }; + mem = { }; + file = [{ + data_format = "influx"; + file_tag = "name"; + files = [ "/var/log/telegraf/*" ]; + }] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { + name_override = "ext4_errors"; + files = [ "/sys/fs/ext4/*/errors_count" ]; + data_format = "value"; + }; + exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) { + ## Commands array + commands = [ + (pkgs.writeScript "zpool-health" '' + #!${pkgs.gawk}/bin/awk -f + BEGIN { + while ("${pkgs.zfs}/bin/zpool status" | getline) { + if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 } + if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } + if ($1 ~ /errors:/) { + if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 + } + } + } + '') + ]; + data_format = "influx"; + }; + systemd_units = { }; + swap = { }; + disk.tagdrop = { + fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ]; + device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ]; + }; + diskio = { }; + }; + outputs.prometheus_client = { + listen = ":9273"; + metric_version = 2; + }; + }; + }; +} diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index e603f49da..40f67537e 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -28,6 +28,7 @@ in { (servePage [ "aldonasiech.com" "www.aldonasiech.com" ]) (servePage [ "apanowicz.de" "www.apanowicz.de" ]) (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) + (servePage [ "illustra.de" "www.illustra.de" ]) (servePage [ "freemonkey.art" "www.freemonkey.art" @@ -81,6 +82,7 @@ in { "o_ubikmedia_de" ]; + services.phpfpm.phpPackage = pkgs.php73; services.phpfpm.phpOptions = '' sendmail_path = ${sendmail} -t upload_max_filesize = 100M @@ -88,12 +90,18 @@ in { file_uploads = on ''; + krebs.secret.files.nextcloud_pw = { + path = "/run/nextcloud.pw"; + owner.name = "nextcloud"; + group-name = "nextcloud"; + source-path = toString <secrets> + "/nextcloud_pw"; + }; services.nextcloud = { enable = true; hostName = "o.xanf.org"; - package = pkgs.nextcloud20; + package = pkgs.nextcloud21; config = { - adminpassFile = toString <secrets> + "/nextcloud_pw"; + adminpassFile = "/run/nextcloud.pw"; overwriteProtocol = "https"; }; https = true; @@ -178,7 +186,7 @@ in { group = "xanf"; home = "/home/xanf"; useDefaultShell = true; - createHome = true; + createHome = false; # creathome forces permissions isNormalUser = true; }; @@ -291,6 +299,24 @@ in { isNormalUser = true; }; + users.users.movematchers = { + uid = genid_uint31 "movematchers"; + home = "/home/movematchers"; + useDefaultShell = true; + extraGroups = [ "xanf" ]; + createHome = true; + isNormalUser = true; + }; + + users.users.blackphoton = { + uid = genid_uint31 "blackphoton"; + home = "/home/blackphoton"; + useDefaultShell = true; + extraGroups = [ "xanf" ]; + createHome = true; + isNormalUser = true; + }; + users.groups.xanf = {}; krebs.on-failure.plans.restic-backups-domsen = { @@ -332,14 +358,14 @@ in { ''; krebs.permown = { - "/backups/domsen" = { - owner = "backup"; + "/srv/http" = { group = "syncthing"; + owner = "nginx"; umask = "0007"; }; - "/srv/http" = { - owner = "syncthing"; - group = "nginx"; + "/home/xanf/XANF_TEAM" = { + owner = "XANF_TEAM"; + group = "xanf"; umask = "0007"; }; }; |