Merge branch 'master' of prism.r:stockholm

author: jeschli <jeschli@gmail.com> 2019-04-23 20:15:10 +0200
committer: jeschli <jeschli@gmail.com> 2019-04-23 20:15:10 +0200
commit: 35fdfbe5ccb3b5844b62ac2486352107484e75d4 (patch)
tree: 561ff21ae90ce6826ab3d74ebd9f27dee7054a0d /lass/2configs
parent: a4be985644762dcc2750a366db5780687690ef7d (diff)
parent: cd825d99342050bae35d5373e927ca999bae82cf (diff)
14 files changed, 229 insertions, 23 deletions
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 26d6622ae..5003d2279 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -9,6 +9,7 @@ in {
     ./power-action.nix
     ./copyq.nix
     ./urxvt.nix
+    ./xdg-open.nix
     {
       hardware.pulseaudio = {
         enable = true;
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index aec59261c..4216bd67a 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -100,6 +100,9 @@ with import <stockholm/lib>;
       { from = "box@lassul.us"; to = lass.mail; }
       { from = "paloalto@lassul.us"; to = lass.mail; }
       { from = "subtitles@lassul.us"; to = lass.mail; }
+      { from = "lobsters@lassul.us"; to = lass.mail; }
+      { from = "fysitech@lassul.us"; to = lass.mail; }
+      { from = "threema@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
new file mode 100644
index 000000000..1421eede7
--- /dev/null
+++ b/lass/2configs/green-host.nix
@@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+  imports = [
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+    { #hack for already defined
+      systemd.services."container@green".reloadIfChanged = mkForce false;
+      systemd.services."container@green".preStart = ''
+        ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q ' on /var/lib/containers/green '
+      '';
+      systemd.services."container@green".postStop = ''
+        set -x
+        ${pkgs.umount}/bin/umount /var/lib/containers/green
+        ls -la /dev/mapper/control
+        ${pkgs.devicemapper}/bin/dmsetup ls
+        ${pkgs.cryptsetup}/bin/cryptsetup -v luksClose /var/lib/sync-containers/green.img
+      '';
+    }
+  ];
+
+  krebs.syncthing.folders."/var/lib/sync-containers".peers = [ "icarus" "skynet" "littleT" "shodan" ];
+  krebs.permown."/var/lib/sync-containers" = {
+    owner = "root";
+    group = "syncthing";
+    umask = "0007";
+  };
+
+  system.activationScripts.containerPermissions = ''
+    mkdir -p /var/lib/containers
+    chmod 711 /var/lib/containers
+  '';
+
+  containers.green = {
+    config = { ... }: {
+      environment.systemPackages = [
+        pkgs.git
+        pkgs.rxvt_unicode.terminfo
+      ];
+      services.openssh.enable = true;
+      users.users.root.openssh.authorizedKeys.keys = [
+        config.krebs.users.lass.pubkey
+      ];
+    };
+    autoStart = false;
+    enableTun = true;
+    privateNetwork = true;
+    hostAddress = "10.233.2.15";
+    localAddress = "10.233.2.16";
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeDashBin "start-green" ''
+      set -fu
+      CONTAINER='green'
+      IMAGE='/var/lib/sync-containers/green.img'
+
+      ${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null
+      if [ "$?" -ne 0 ]; then
+        ${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER"
+      fi
+
+      mkdir -p /var/lib/containers/"$CONTAINER"
+
+      ${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/"$CONTAINER" "
+      if [ "$?" -ne 0 ]; then
+        ${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER"
+      fi
+
+      STATE=$(${pkgs.nixos-container}/bin/nixos-container status "$CONTAINER")
+      if [ "$STATE" = 'down' ]; then
+        ${pkgs.nixos-container}/bin/nixos-container start "$CONTAINER"
+      fi
+      ping -c1 green.r
+      if [ "$?" -ne 0 ]; then
+        ${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch
+      fi
+
+    '')
+  ];
+}
diff --git a/lass/2configs/hw/x220.nix b/lass/2configs/hw/x220.nix
index f5651da13..5649041f9 100644
--- a/lass/2configs/hw/x220.nix
+++ b/lass/2configs/hw/x220.nix
@@ -30,8 +30,7 @@
     };
   };
 
-  services.logind.extraConfig = ''
-    HandleLidSwitch=ignore
-  '';
+  services.logind.lidSwitch = "ignore";
+  services.logind.lidSwitchDocked = "ignore";
 
 }
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 0803846aa..6de111ba8 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -233,8 +233,4 @@ in {
     tag-new-mails
     tag-old-mails
   ];
-
-  nixpkgs.config.packageOverrides = opkgs: {
-    notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; }));
-  };
 }
diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix
index 293691c0f..3c3d8e636 100644
--- a/lass/2configs/paste.nix
+++ b/lass/2configs/paste.nix
@@ -10,6 +10,16 @@ with import <stockholm/lib>;
       proxy_pass http://localhost:9081;
     '';
   };
+  services.nginx.virtualHosts.paste-readonly = {
+    serverAliases = [ "p.krebsco.de" ];
+    locations."/".extraConfig = ''
+      if ($request_method != GET) {
+        return 403;
+      }
+      proxy_set_header Host $host;
+      proxy_pass http://localhost:9081;
+    '';
+  };
   krebs.htgen.paste = {
     port = 9081;
     script = toString [
diff --git a/lass/2configs/prism-share.nix b/lass/2configs/prism-share.nix
index 70e616ec6..aa3eb541d 100644
--- a/lass/2configs/prism-share.nix
+++ b/lass/2configs/prism-share.nix
@@ -21,7 +21,7 @@ with import <stockholm/lib>;
     shares = {
       incoming = {
         path = "/mnt/prism";
-        "read only" = "no";
+        "read only" = "yes";
         browseable = "yes";
         "guest ok" = "yes";
       };
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index f88b2627b..88899c554 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -10,7 +10,7 @@ let
   source-password = import <secrets/icecast-source-pw>;
 
   add_random = pkgs.writeDashBin "add_random" ''
-    ${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.mpc_cli}/bin/mpc ls | shuf -n1)"
+    ${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.mpc_cli}/bin/mpc ls the_playlist/music | grep '\.ogg$' | shuf -n1)"
   '';
 
   skip_track = pkgs.writeDashBin "skip_track" ''
@@ -57,8 +57,11 @@ in {
   services.mpd = {
     enable = true;
     group = "radio";
-    musicDirectory = "/home/radio/the_playlist/music";
+    musicDirectory = "/home/radio/music";
     extraConfig = ''
+      log_level "default"
+      auto_update "yes"
+
       audio_output {
         type        "shout"
         encoding    "lame"
@@ -245,4 +248,13 @@ in {
       alias ${html};
     '';
   };
+  krebs.syncthing.folders."the_playlist" = {
+    path = "/home/radio/music/the_playlist";
+    peers = [ "mors" "phone" "prism" ];
+  };
+  krebs.permown."/home/radio/music/the_playlist" = {
+    owner = "radio";
+    group = "syncthing";
+    umask = "0002";
+  };
 }
diff --git a/lass/2configs/ssh-cryptsetup.nix b/lass/2configs/ssh-cryptsetup.nix
new file mode 100644
index 000000000..c5e1c5928
--- /dev/null
+++ b/lass/2configs/ssh-cryptsetup.nix
@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+  boot.initrd = {
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        authorizedKeys = with config.krebs.users; [
+          config.krebs.users.lass-mors.pubkey
+          config.krebs.users.lass-blue.pubkey
+          config.krebs.users.lass-shodan.pubkey
+          config.krebs.users.lass-icarus.pubkey
+        ];
+      };
+    };
+  };
+}
diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix
new file mode 100644
index 000000000..c3f6511c2
--- /dev/null
+++ b/lass/2configs/sync/decsync.nix
@@ -0,0 +1,11 @@
+{
+  krebs.syncthing.folders.decsync = {
+    path = "/home/lass/decsync";
+    peers = [ "mors" "blue" "green" "phone" ];
+  };
+  krebs.permown."/home/lass/decsync" = {
+    owner = "lass";
+    group = "syncthing";
+    umask = "0007";
+  };
+}
diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix
new file mode 100644
index 000000000..30c7b262b
--- /dev/null
+++ b/lass/2configs/sync/weechat.nix
@@ -0,0 +1,8 @@
+{
+  krebs.syncthing.folders."/home/lass/.weechat".peers = [ "blue" "green" "mors" ];
+  krebs.permown."/home/lass/.weechat" = {
+    owner = "lass";
+    group = "syncthing";
+    umask = "0007";
+  };
+}
diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix
index 842abc195..48f2625c1 100644
--- a/lass/2configs/syncthing.nix
+++ b/lass/2configs/syncthing.nix
@@ -1,9 +1,10 @@
-{ config, pkgs, ... }:
-with import <stockholm/lib>;
-{
+{ config, pkgs, ... }: with import <stockholm/lib>; let
+  peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
+in {
   services.syncthing = {
     enable = true;
     group = "syncthing";
+    configDir = "/var/lib/syncthing";
   };
   krebs.iptables.tables.filter.INPUT.rules = [
     { predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
@@ -13,17 +14,17 @@ with import <stockholm/lib>;
     enable = true;
     cert = toString <secrets/syncthing.cert>;
     key = toString <secrets/syncthing.key>;
-    peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
-    folders = [
-      { path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism"]; }
-    ];
+    peers = peers;
+    folders."/home/lass/sync".peers = attrNames peers;
   };
 
   system.activationScripts.syncthing-home = ''
     ${pkgs.coreutils}/bin/chmod a+x /home/lass
   '';
 
-  lass.ensure-permissions = [
-    { folder = "/home/lass/sync"; owner = "lass"; group = "syncthing"; }
-  ];
+  krebs.permown."/home/lass/sync" = {
+    owner = "lass";
+    group = "syncthing";
+    umask = "0007";
+  };
 }
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index b58484773..2131c7c62 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -119,7 +119,7 @@ in {
     authenticators.PLAIN = ''
       driver = plaintext
       public_name = PLAIN
-      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
+      server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
     '';
     authenticators.LOGIN = ''
       driver = plaintext
@@ -237,8 +237,8 @@ in {
   krebs.on-failure.plans.restic-backups-domsen = {};
   services.restic.backups.domsen = {
     initialize = true;
-    extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ];
-    repository = "sftp:efOVcMWSZ@wilhelmstr.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES";
+    extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr2.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ];
+    repository = "sftp:efOVcMWSZ@wilhelmstr2.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES";
     passwordFile = toString <secrets> + "/domsen_backup_pw";
     timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
     paths = [
diff --git a/lass/2configs/xdg-open.nix b/lass/2configs/xdg-open.nix
new file mode 100644
index 000000000..824c36dc7
--- /dev/null
+++ b/lass/2configs/xdg-open.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, lib, ... }: with import <stockholm/lib>; let
+
+  xdg-open-wrapper = pkgs.writeDashBin "xdg-open" ''
+    /run/wrappers/bin/sudo -u lass ${xdg-open} "$@"
+  '';
+
+  xdg-open = pkgs.writeBash "xdg-open" ''
+    set -e
+    FILE="$1"
+    mime=
+
+    case "$FILE" in
+      http://*|https://*)
+        mime=text/html
+        ;;
+      mailto:*)
+        mime=special/mailaddress
+        ;;
+      magnet:*)
+        mime=application/x-bittorrent
+        ;;
+      irc:*)
+        mime=x-scheme-handler/irc
+        ;;
+      *)
+        # it’s a file
+
+        # strip possible protocol
+        FILE=''${FILE#file://}
+        mime=''$(file -E --brief --mime-type "$FILE") \
+          || (echo "$mime" 1>&2; exit 1)
+          # ^ echo the error message of file
+        ;;
+    esac
+
+    case "$mime" in
+      special/mailaddress)
+        urxvtc --execute vim "$FILE" ;;
+      ${optionalString (hasAttr "browser" config.lass) ''
+      text/html)
+        ${config.lass.browser.select}/bin/browser-select "$FILE" ;;
+      text/xml)
+        ${config.lass.browser.select}/bin/browser-select "$FILE" ;;
+      ''}
+      text/*)
+        urxvtc --execute vim "$FILE" ;;
+      image/*)
+        sxiv "$FILE" ;;
+      application/x-bittorrent)
+        env DISPLAY=:0 transgui "$FILE" ;;
+      application/pdf)
+        zathura "$FILE" ;;
+      inode/directory)
+        sudo -u lass -i urxvtc --execute mc "$FILE" ;;
+      *)
+        # open dmenu and ask for program to open with
+        $(dmenu_path | dmenu) "$FILE";;
+    esac
+  '';
+in {
+  environment.systemPackages = [ xdg-open-wrapper ];
+
+  security.sudo.extraConfig = ''
+    cr ALL=(lass) NOPASSWD: ${xdg-open} *
+  '';
+}
author	jeschli <jeschli@gmail.com>	2019-04-23 20:15:10 +0200
committer	jeschli <jeschli@gmail.com>	2019-04-23 20:15:10 +0200
commit	35fdfbe5ccb3b5844b62ac2486352107484e75d4 (patch)
tree	561ff21ae90ce6826ab3d74ebd9f27dee7054a0d /lass/2configs
parent	a4be985644762dcc2750a366db5780687690ef7d (diff)
parent	cd825d99342050bae35d5373e927ca999bae82cf (diff)