diff options
author | tv <tv@krebsco.de> | 2021-01-18 15:24:18 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2021-01-18 15:24:18 +0100 |
commit | ff6f5ef5e1cdbd27b2211c54643fa2754f888cbb (patch) | |
tree | b33763a7ac8040efe988f8bed2fe1c649cc155dd /lass | |
parent | 7b7ebd8708885633c926c21a4b71d5d4ce8931cf (diff) | |
parent | 2a32b7731496615e43a06ec1049f6716c49a1999 (diff) |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass')
-rw-r--r-- | lass/1systems/prism/config.nix | 1 | ||||
-rw-r--r-- | lass/2configs/exim-smarthost.nix | 114 | ||||
-rw-r--r-- | lass/2configs/green-host.nix | 19 | ||||
-rw-r--r-- | lass/2configs/jitsi.nix | 21 | ||||
-rw-r--r-- | lass/2configs/tests/dummy-secrets/mails.nix | 1 | ||||
-rw-r--r-- | lass/2configs/tv.nix | 128 | ||||
-rw-r--r-- | lass/3modules/bindfs.nix | 51 | ||||
-rw-r--r-- | lass/3modules/default.nix | 2 | ||||
-rw-r--r-- | lass/3modules/sync-containers.nix | 166 |
9 files changed, 387 insertions, 116 deletions
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 1b63246c6..f63c6a05a 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -121,6 +121,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/reaktor-coders.nix> <stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/container-networking.nix> + <stockholm/lass/2configs/jitsi.nix> { # quasi bepasty.nix imports = [ <stockholm/lass/2configs/bepasty.nix> diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 797864b15..b677fe455 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -1,120 +1,10 @@ { config, lib, pkgs, ... }: with import <stockholm/lib>; let to = concatStringsSep "," [ - "lass@blue.r" + "lass@green.r" ]; - mails = [ - "postmaster@lassul.us" - "lass@lassul.us" - "lassulus@lassul.us" - "test@lassul.us" - "outlook@lassul.us" - "steuer@aidsballs.de" - "lass@aidsballs.de" - "wordpress@ubikmedia.de" - "finanzamt@lassul.us" - "netzclub@lassul.us" - "nebenan@lassul.us" - "feed@lassul.us" - "art@lassul.us" - "irgendwas@lassul.us" - "polo@lassul.us" - "shack@lassul.us" - "nix@lassul.us" - "c-base@lassul.us" - "paypal@lassul.us" - "patreon@lassul.us" - "steam@lassul.us" - "securityfocus@lassul.us" - "radio@lassul.us" - "btce@lassul.us" - "raf@lassul.us" - "apple@lassul.us" - "coinbase@lassul.us" - "tomtop@lassul.us" - "aliexpress@lassul.us" - "business@lassul.us" - "payeer@lassul.us" - "github@lassul.us" - "bitwala@lassul.us" - "bitstamp@lassul.us" - "bitcoin.de@lassul.us" - "ableton@lassul.us" - "dhl@lassul.us" - "sipgate@lassul.us" - "coinexchange@lassul.us" - "verwaltung@lassul.us" - "gearbest@lassul.us" - "binance@lassul.us" - "bitfinex@lassul.us" - "alternate@lassul.us" - "redacted@lassul.us" - "mytaxi@lassul.us" - "pizza@lassul.us" - "robinhood@lassul.us" - "drivenow@lassul.us" - "aws@lassul.us" - "reddit@lassul.us" - "banggood@lassul.us" - "immoscout@lassul.us" - "gmail@lassul.us" - "amazon@lassul.us" - "humblebundle@lassul.us" - "meetup@lassul.us" - "gebfrei@lassul.us" - "github@lassul.us" - "ovh@lassul.us" - "hetzner@lassul.us" - "allygator@lassul.us" - "immoscout@lassul.us" - "elitedangerous@lassul.us" - "boardgamegeek@lassul.us" - "qwertee@lassul.us" - "zazzle@lassul.us" - "hackbeach@lassul.us" - "transferwise@lassul.us" - "cis@lassul.us" - "afra@lassul.us" - "ksp@lassul.us" - "ccc@lassul.us" - "neocron@lassul.us" - "osmocom@lassul.us" - "lesswrong@lassul.us" - "nordvpn@lassul.us" - "csv-direct@lassul.us" - "nintendo@lassul.us" - "overleaf@lassul.us" - "box@lassul.us" - "paloalto@lassul.us" - "subtitles@lassul.us" - "lobsters@lassul.us" - "fysitech@lassul.us" - "threema@lassul.us" - "ubisoft@lassul.us" - "kottezeller@lassul.us" - "pie@lassul.us" - "vebit@lassul.us" - "vcvrack@lassul.us" - "epic@lassul.us" - "microsoft@lassul.us" - "stickers@lassul.us" - "nextbike@lassul.us" - "mytello@lassul.us" - "camp@lassul.us" - "urlwatch@lassul.us" - "lidl@lassul.us" - "geizhals@lassul.us" - "auschein@lassul.us" - "tleech@lassul.us" - "durstexpress@lassul.us" - "acme@lassul.us" - "antstore@lassul.us" - "openweather@lassul.us" - "lobsters@lassul.us" - "rewe@lassul.us" - "spotify@lassul.us" - ]; + mails = import <secrets/mails.nix>; in { environment.systemPackages = [ pkgs.review-mail-queue ]; diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix new file mode 100644 index 000000000..1f17c78c8 --- /dev/null +++ b/lass/2configs/green-host.nix @@ -0,0 +1,19 @@ +{ config, pkgs, ... }: +{ + imports = [ + <stockholm/lass/2configs/container-networking.nix> + <stockholm/lass/2configs/syncthing.nix> + ]; + lass.sync-containers.containers.green = { + peers = [ + "icarus" + "shodan" + "skynet" + "mors" + "littleT" + ]; + hostIp = "10.233.2.15"; + localIp = "10.233.2.16"; + format = "ecryptfs"; + }; +} diff --git a/lass/2configs/jitsi.nix b/lass/2configs/jitsi.nix new file mode 100644 index 000000000..1435ccb5c --- /dev/null +++ b/lass/2configs/jitsi.nix @@ -0,0 +1,21 @@ +{ config, lib, pkgs, ... }: +{ + + services.jitsi-meet = { + enable = true; + hostName = "jitsi.lassul.us"; + config = { + enableWelcomePage = true; + requireDisplayName = true; + }; + interfaceConfig = { + SHOW_JITSI_WATERMARK = false; + SHOW_WATERMARK_FOR_GUESTS = false; + }; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 4443"; target = "ACCEPT"; } + { predicate = "-p udp --dport 10000"; target = "ACCEPT"; } + ]; +} diff --git a/lass/2configs/tests/dummy-secrets/mails.nix b/lass/2configs/tests/dummy-secrets/mails.nix new file mode 100644 index 000000000..fe51488c7 --- /dev/null +++ b/lass/2configs/tests/dummy-secrets/mails.nix @@ -0,0 +1 @@ +[] diff --git a/lass/2configs/tv.nix b/lass/2configs/tv.nix index 8e208d5e5..0ca1b340f 100644 --- a/lass/2configs/tv.nix +++ b/lass/2configs/tv.nix @@ -32,7 +32,7 @@ nginxCfg = pkgs.writeText "nginx.conf" '' application/vnd.apple.mpegurl m3u8; video/mp2t ts; } - root /tmp; + root /var/lib/rtmp/tmp; add_header Cache-Control no-cache; # CORS setup @@ -106,6 +106,11 @@ nginxCfg = pkgs.writeText "nginx.conf" '' </html> ''}; } + + location /records { + autoindex on; + root /var/lib/rtmp; + } } } @@ -120,21 +125,128 @@ nginxCfg = pkgs.writeText "nginx.conf" '' live on; hls on; - hls_path /tmp/hls; + hls_path /var/lib/rtmp/tmp/hls; + hls_fragment 1; + hls_playlist_length 10; dash on; - dash_path /tmp/dash; + dash_path /var/lib/rtmp/tmp/dash; } } } ''; in { + + services.nginx = { + enable = true; + virtualHosts."streaming.lassul.us" = { + enableACME = true; + addSSL = true; + locations."/hls".extraConfig = '' + # Serve HLS fragments + types { + application/vnd.apple.mpegurl m3u8; + video/mp2t ts; + } + root /var/lib/rtmp/tmp; + + # Allow CORS preflight requests + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain charset=UTF-8'; + add_header 'Content-Length' 0; + return 204; + } + + if ($request_method != 'OPTIONS') { + add_header Cache-Control no-cache; + + # CORS setup + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Expose-Headers' 'Content-Length'; + } + ''; + locations."/dash".extraConfig = '' + # Serve DASH fragments + types { + application/dash+xml mpd; + video/mp4 mp4; + } + root /var/lib/rtmp/tmp; + + # Allow CORS preflight requests + if ($request_method = 'OPTIONS') { + add_header 'Access-Control-Allow-Origin' '*'; + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Content-Type' 'text/plain charset=UTF-8'; + add_header 'Content-Length' 0; + return 204; + } + if ($request_method != 'OPTIONS') { + add_header Cache-Control no-cache; + + # CORS setup + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Expose-Headers' 'Content-Length'; + } + ''; + locations."= /dash.all.min.js".extraConfig = '' + default_type "text/javascript"; + alias ${pkgs.fetchurl { + url = "http://cdn.dashjs.org/v3.2.0/dash.all.min.js"; + sha256 = "16f0b40gdqsnwqi01s5sz9f1q86dwzscgc3m701jd1sczygi481c"; + }}; + ''; + locations."= /player".extraConfig = '' + default_type "text/html"; + alias ${pkgs.writeText "player.html" '' + <!DOCTYPE html> + <html lang="en"> + <head> + <meta charset="utf-8"> + <title>lassulus livestream</title> + </head> + <body> + <div> + <video id="player" controls></video> + </video> + </div> + <script src="/dash.all.min.js"></script> + <script> + (function(){ + var url = "/dash/nixos.mpd"; + var player = dashjs.MediaPlayer().create(); + player.initialize(document.querySelector("#player"), url, true); + })(); + </script> + </body> + </html> + ''}; + ''; + locations."/records".extraConfig = '' + autoindex on; + root /var/lib/rtmp; + ''; + }; + }; + + fileSystems."/var/lib/rtmp/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = [ "nosuid" "nodev" "noatime" ]; + }; + users.users.rtmp = { - home = "/var/lib/rmtp"; + home = "/var/lib/rtmp"; uid = genid_uint31 "rtmp"; isNormalUser = true; createHome = true; + openssh.authorizedKeys.keys = with config.krebs.users; [ + mic92.pubkey + palo.pubkey + ]; }; systemd.services.nginx-rtmp = { @@ -149,6 +261,14 @@ in { }}/bin/nginx -c ${nginxCfg} -p /var/lib/rtmp ''; serviceConfig = { + ExecStartPre = pkgs.writers.writeDash "setup-rtmp" '' + mkdir -p /var/lib/rtmp/tmp/hls + mkdir -p /var/lib/rtmp/tmp/dash + chown rtmp:users /var/lib/rtmp/tmp/hls + chown rtmp:users /var/lib/rtmp/tmp/dash + chmod 755 /var/lib/rtmp/tmp/hls + chmod 755 /var/lib/rtmp/tmp/dash + ''; User = "rtmp"; }; }; diff --git a/lass/3modules/bindfs.nix b/lass/3modules/bindfs.nix new file mode 100644 index 000000000..5c8df8dc5 --- /dev/null +++ b/lass/3modules/bindfs.nix @@ -0,0 +1,51 @@ +with import <stockholm/lib>; +{ config, pkgs, ... }: +let + cfg = config.lass.bindfs; +in { + options.lass.bindfs = mkOption { + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + target = mkOption { + description = '' + destination where bindfs mounts to. + second positional argument to bindfs. + ''; + default = config._module.args.name; + type = types.absolute-pathname; + }; + source = mkOption { + description = '' + source folder where the mounted directory is originally. + first positional argument to bindfs. + ''; + type = types.absolute-pathname; + }; + options = mkOption { + description = '' + additional arguments to bindfs + ''; + type = types.listOf types.str; + default = []; + }; + }; + })); + default = {}; + }; + + config = mkIf (cfg != {}) { + systemd.services = mapAttrs' (n: mount: let + name = replaceStrings [ "/" ] [ "_" ] n; + in nameValuePair "bindfs-${name}" { + wantedBy = [ "local-fs.target" ]; + path = [ pkgs.coreutils ]; + serviceConfig = { + ExecStartPre = pkgs.writeDash "bindfs-init-${name}" '' + mkdir -p '${mount.source}' + mkdir -p '${mount.target}' + ''; + ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}"; + }; + }) cfg; + }; +} diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index c3c73bdcb..8bee08caa 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -1,6 +1,7 @@ _: { imports = [ + ./bindfs.nix ./dnsmasq.nix ./ejabberd ./folderPerms.nix @@ -12,6 +13,7 @@ _: ./pyload.nix ./restic.nix ./screenlock.nix + ./sync-containers.nix ./usershadow.nix ./xjail.nix ./autowifi.nix diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix new file mode 100644 index 000000000..ca81458a9 --- /dev/null +++ b/lass/3modules/sync-containers.nix @@ -0,0 +1,166 @@ +with import <stockholm/lib>; +{ config, pkgs, ... }: let + cfg = config.lass.sync-containers; + paths = cname: { + plain = "/var/lib/containers/${cname}/var/state"; + ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs"; + securefs = "${cfg.dataLocation}/${cname}/securefs"; + }; + start = cname: { + plain = '' + ''; + ecryptfs = '' + if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then + if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then + ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + else + ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + fi + fi + ''; + securefs = '' + ## TODO init file systems if it does not exist + # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs + if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then + ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions + fi + ''; + }; + stop = cname: { + plain = '' + ''; + ecryptfs = '' + ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state + ''; + securefs = '' + umount /var/lib/containers/${cname}/var/state + ''; + }; +in { + options.lass.sync-containers = { + dataLocation = mkOption { + description = '' + location where the encrypted sync-container lie around + ''; + default = "/var/lib/sync-containers"; + type = types.absolute-pathname; + }; + containers = mkOption { + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + name = mkOption { + description = '' + name of the container + ''; + default = config._module.args.name; + type = types.str; + }; + peers = mkOption { + description = '' + syncthing peers to share this container with + ''; + default = []; + type = types.listOf types.str; + }; + hostIp = mkOption { # TODO find this automatically + description = '' + hostAddress of the privateNetwork + ''; + example = "10.233.2.15"; + type = types.str; + }; + localIp = mkOption { # TODO find this automatically + description = '' + localAddress of the privateNetwork + ''; + example = "10.233.2.16"; + type = types.str; + }; + format = mkOption { + description = '' + file system encrption format of the container + ''; + type = types.enum [ "plain" "ecryptfs" "securefs" ]; + }; + }; + })); + default = {}; + }; + }; + + config = mkIf (cfg.containers != {}) { + programs.fuse.userAllowOther = true; + + services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ + devices = ctr.peers; + ignorePerms = false; + })) cfg.containers); + + krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({ + file-mode = "u+rw"; + directory-mode = "u+rwx"; + owner = "syncthing"; + keepGoing = false; + })) cfg.containers); + + systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({ + reloadIfChanged = mkForce false; + })) cfg.containers; + + containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({ + config = { ... }: { + environment.systemPackages = [ + pkgs.git + ]; + system.activationScripts.fuse = { + text = '' + ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229 + ''; + deps = []; + }; + }; + allowedDevices = [ + { modifier = "rwm"; node = "/dev/fuse"; } + ]; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = ctr.hostIp; + localAddress = ctr.localIp; + })) cfg.containers; + + environment.systemPackages = flatten (mapAttrsToList (n: ctr: [ + (pkgs.writeDashBin "start-${ctr.name}" '' + set -euf + set -x + + mkdir -p /var/lib/containers/${ctr.name}/var/state + + ${(start ctr.name).${ctr.format}} + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name}) + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name} + fi + + ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" '' + set -x + + mkdir -p /var/state/var_src + ln -sfTr /var/state/var_src /var/src + touch /etc/NIXOS + ''} + + if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then + ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch + fi + '') + (pkgs.writeDashBin "stop-${ctr.name}" '' + set -euf + + ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name} + ${(stop ctr.name).${ctr.format}} + '') + ]) cfg.containers); + }; +} |