authortv <tv@krebsco.de>2021-01-18 15:24:18 +0100
committertv <tv@krebsco.de>2021-01-18 15:24:18 +0100
commitff6f5ef5e1cdbd27b2211c54643fa2754f888cbb (patch)
treeb33763a7ac8040efe988f8bed2fe1c649cc155dd /lass
parent7b7ebd8708885633c926c21a4b71d5d4ce8931cf (diff)
parent2a32b7731496615e43a06ec1049f6716c49a1999 (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/prism/config.nix1
-rw-r--r--lass/2configs/exim-smarthost.nix114
-rw-r--r--lass/2configs/green-host.nix19
-rw-r--r--lass/2configs/jitsi.nix21
-rw-r--r--lass/2configs/tests/dummy-secrets/mails.nix1
-rw-r--r--lass/2configs/tv.nix128
-rw-r--r--lass/3modules/bindfs.nix51
-rw-r--r--lass/3modules/default.nix2
-rw-r--r--lass/3modules/sync-containers.nix166
9 files changed, 387 insertions, 116 deletions
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 1b63246c6..f63c6a05a 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -121,6 +121,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
+ <stockholm/lass/2configs/jitsi.nix>
{ # quasi bepasty.nix
imports = [
<stockholm/lass/2configs/bepasty.nix>
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 797864b15..b677fe455 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -1,120 +1,10 @@
{ config, lib, pkgs, ... }: with import <stockholm/lib>; let
to = concatStringsSep "," [
- "lass@blue.r"
+ "lass@green.r"
];
- mails = [
- "postmaster@lassul.us"
- "lass@lassul.us"
- "lassulus@lassul.us"
- "test@lassul.us"
- "outlook@lassul.us"
- "steuer@aidsballs.de"
- "lass@aidsballs.de"
- "wordpress@ubikmedia.de"
- "finanzamt@lassul.us"
- "netzclub@lassul.us"
- "nebenan@lassul.us"
- "feed@lassul.us"
- "art@lassul.us"
- "irgendwas@lassul.us"
- "polo@lassul.us"
- "shack@lassul.us"
- "nix@lassul.us"
- "c-base@lassul.us"
- "paypal@lassul.us"
- "patreon@lassul.us"
- "steam@lassul.us"
- "securityfocus@lassul.us"
- "radio@lassul.us"
- "btce@lassul.us"
- "raf@lassul.us"
- "apple@lassul.us"
- "coinbase@lassul.us"
- "tomtop@lassul.us"
- "aliexpress@lassul.us"
- "business@lassul.us"
- "payeer@lassul.us"
- "github@lassul.us"
- "bitwala@lassul.us"
- "bitstamp@lassul.us"
- "bitcoin.de@lassul.us"
- "ableton@lassul.us"
- "dhl@lassul.us"
- "sipgate@lassul.us"
- "coinexchange@lassul.us"
- "verwaltung@lassul.us"
- "gearbest@lassul.us"
- "binance@lassul.us"
- "bitfinex@lassul.us"
- "alternate@lassul.us"
- "redacted@lassul.us"
- "mytaxi@lassul.us"
- "pizza@lassul.us"
- "robinhood@lassul.us"
- "drivenow@lassul.us"
- "aws@lassul.us"
- "reddit@lassul.us"
- "banggood@lassul.us"
- "immoscout@lassul.us"
- "gmail@lassul.us"
- "amazon@lassul.us"
- "humblebundle@lassul.us"
- "meetup@lassul.us"
- "gebfrei@lassul.us"
- "github@lassul.us"
- "ovh@lassul.us"
- "hetzner@lassul.us"
- "allygator@lassul.us"
- "immoscout@lassul.us"
- "elitedangerous@lassul.us"
- "boardgamegeek@lassul.us"
- "qwertee@lassul.us"
- "zazzle@lassul.us"
- "hackbeach@lassul.us"
- "transferwise@lassul.us"
- "cis@lassul.us"
- "afra@lassul.us"
- "ksp@lassul.us"
- "ccc@lassul.us"
- "neocron@lassul.us"
- "osmocom@lassul.us"
- "lesswrong@lassul.us"
- "nordvpn@lassul.us"
- "csv-direct@lassul.us"
- "nintendo@lassul.us"
- "overleaf@lassul.us"
- "box@lassul.us"
- "paloalto@lassul.us"
- "subtitles@lassul.us"
- "lobsters@lassul.us"
- "fysitech@lassul.us"
- "threema@lassul.us"
- "ubisoft@lassul.us"
- "kottezeller@lassul.us"
- "pie@lassul.us"
- "vebit@lassul.us"
- "vcvrack@lassul.us"
- "epic@lassul.us"
- "microsoft@lassul.us"
- "stickers@lassul.us"
- "nextbike@lassul.us"
- "mytello@lassul.us"
- "camp@lassul.us"
- "urlwatch@lassul.us"
- "lidl@lassul.us"
- "geizhals@lassul.us"
- "auschein@lassul.us"
- "tleech@lassul.us"
- "durstexpress@lassul.us"
- "acme@lassul.us"
- "antstore@lassul.us"
- "openweather@lassul.us"
- "lobsters@lassul.us"
- "rewe@lassul.us"
- "spotify@lassul.us"
- ];
+ mails = import <secrets/mails.nix>;
in {
environment.systemPackages = [ pkgs.review-mail-queue ];
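Review bot: `mails = import <secrets/mails.nix>;` accepts whatever the secret evaluates to, so a mis-shaped secret (an attrset, or a list containing a non-string) only shows up later as a broken generated exim configuration; `mails = let m = import <secrets/mails.nix>; in assert isList m && all isString m; m;` fails at evaluation time with a clear location instead. The test fixture added in this commit is an empty list, so test builds no longer exercise whatever per-address rules the rest of this file derives from `mails` (that code is outside the hunk). Moving the list out of the tree does not remove the addresses from history; if the goal is to un-publish them, that needs a history rewrite or an explicit decision that the old revisions stay readable.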
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
new file mode 100644
index 000000000..1f17c78c8
--- /dev/null
+++ b/lass/2configs/green-host.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+{
+ imports = [
+ <stockholm/lass/2configs/container-networking.nix>
+ <stockholm/lass/2configs/syncthing.nix>
+ ];
+ lass.sync-containers.containers.green = {
+ peers = [
+ "icarus"
+ "shodan"
+ "skynet"
+ "mors"
+ "littleT"
+ ];
+ hostIp = "10.233.2.15";
+ localIp = "10.233.2.16";
+ format = "ecryptfs";
+ };
+}
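Review bot: The `peers` list carries no comment saying what its entries are; from `lass.sync-containers` they become the `devices` of a syncthing folder, so they presumably have to be names already declared under `services.syncthing.declarative.devices`, and every one of them receives a full copy of the ecryptfs ciphertext. A comment such as `# syncthing device names that receive the (ecryptfs-encrypted) state of this container` would make both the dependency and the trust implication explicit. `hostIp`/`localIp` are hard-coded while the module marks them as TODO-automatic; a note that they must not collide with other containers' `10.233.x.y` addresses on this host would help whoever copies this file next.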
diff --git a/lass/2configs/jitsi.nix b/lass/2configs/jitsi.nix
new file mode 100644
index 000000000..1435ccb5c
--- /dev/null
+++ b/lass/2configs/jitsi.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+{
+
+ services.jitsi-meet = {
+ enable = true;
+ hostName = "jitsi.lassul.us";
+ config = {
+ enableWelcomePage = true;
+ requireDisplayName = true;
+ };
+ interfaceConfig = {
+ SHOW_JITSI_WATERMARK = false;
+ SHOW_WATERMARK_FOR_GUESTS = false;
+ };
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 4443"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport 10000"; target = "ACCEPT"; }
+ ];
+}
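Review bot: Nothing in this file configures authentication for the Jitsi host, so as written anyone who reaches jitsi.lassul.us can create rooms and consume videobridge bandwidth; if that is intended, record it with `# public instance: anonymous room creation is allowed on purpose`, otherwise prosody authentication has to be configured for this host alongside the module. The two firewall rules open the JVB media ports: udp/10000 is the normal path, while tcp/4443 is only useful if the videobridge's TCP fallback is actually enabled in its configuration — confirm, and drop the rule if it is not. The HTTP/HTTPS ports of the nginx virtual host the module creates are not opened here either; presumably prism opens 80/443 elsewhere, but a comment pointing at where would avoid a silent dependency.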
diff --git a/lass/2configs/tests/dummy-secrets/mails.nix b/lass/2configs/tests/dummy-secrets/mails.nix
new file mode 100644
index 000000000..fe51488c7
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/mails.nix
@@ -0,0 +1 @@
+[]
diff --git a/lass/2configs/tv.nix b/lass/2configs/tv.nix
index 8e208d5e5..0ca1b340f 100644
--- a/lass/2configs/tv.nix
+++ b/lass/2configs/tv.nix
@@ -32,7 +32,7 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
application/vnd.apple.mpegurl m3u8;
video/mp2t ts;
}
- root /tmp;
+ root /var/lib/rtmp/tmp;
add_header Cache-Control no-cache;
# CORS setup
@@ -106,6 +106,11 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
</html>
''};
}
+
+ location /records {
+ autoindex on;
+ root /var/lib/rtmp;
+ }
}
}
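Review bot: `location /records { autoindex on; root /var/lib/rtmp; }` publishes a directory listing of `/var/lib/rtmp/records` to every client of this nginx instance, and the same location is added again on the public `streaming.lassul.us` TLS host further down in this commit. If recordings are meant to be public, a comment `# recordings are intentionally world-listable` documents the decision; if not, restrict the location (`allow`/`deny`, basic auth) or turn `autoindex` off and hand out explicit links. The `server` block this location belongs to starts outside the hunk, so which port and interface it listens on is not visible here.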
@@ -120,21 +125,128 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
live on;
hls on;
- hls_path /tmp/hls;
+ hls_path /var/lib/rtmp/tmp/hls;
+ hls_fragment 1;
+ hls_playlist_length 10;
dash on;
- dash_path /tmp/dash;
+ dash_path /var/lib/rtmp/tmp/dash;
}
}
}
'';
in {
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."streaming.lassul.us" = {
+ enableACME = true;
+ addSSL = true;
+ locations."/hls".extraConfig = ''
+ # Serve HLS fragments
+ types {
+ application/vnd.apple.mpegurl m3u8;
+ video/mp2t ts;
+ }
+ root /var/lib/rtmp/tmp;
+
+ # Allow CORS preflight requests
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+
+ if ($request_method != 'OPTIONS') {
+ add_header Cache-Control no-cache;
+
+ # CORS setup
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Length';
+ }
+ '';
+ locations."/dash".extraConfig = ''
+ # Serve DASH fragments
+ types {
+ application/dash+xml mpd;
+ video/mp4 mp4;
+ }
+ root /var/lib/rtmp/tmp;
+
+ # Allow CORS preflight requests
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+ if ($request_method != 'OPTIONS') {
+ add_header Cache-Control no-cache;
+
+ # CORS setup
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Length';
+ }
+ '';
+ locations."= /dash.all.min.js".extraConfig = ''
+ default_type "text/javascript";
+ alias ${pkgs.fetchurl {
+ url = "http://cdn.dashjs.org/v3.2.0/dash.all.min.js";
+ sha256 = "16f0b40gdqsnwqi01s5sz9f1q86dwzscgc3m701jd1sczygi481c";
+ }};
+ '';
+ locations."= /player".extraConfig = ''
+ default_type "text/html";
+ alias ${pkgs.writeText "player.html" ''
+ <!DOCTYPE html>
+ <html lang="en">
+ <head>
+ <meta charset="utf-8">
+ <title>lassulus livestream</title>
+ </head>
+ <body>
+ <div>
+ <video id="player" controls></video>
+ </video>
+ </div>
+ <script src="/dash.all.min.js"></script>
+ <script>
+ (function(){
+ var url = "/dash/nixos.mpd";
+ var player = dashjs.MediaPlayer().create();
+ player.initialize(document.querySelector("#player"), url, true);
+ })();
+ </script>
+ </body>
+ </html>
+ ''};
+ '';
+ locations."/records".extraConfig = ''
+ autoindex on;
+ root /var/lib/rtmp;
+ '';
+ };
+ };
+
+ fileSystems."/var/lib/rtmp/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = [ "nosuid" "nodev" "noatime" ];
+ };
+
users.users.rtmp = {
- home = "/var/lib/rmtp";
+ home = "/var/lib/rtmp";
uid = genid_uint31 "rtmp";
isNormalUser = true;
createHome = true;
+ openssh.authorizedKeys.keys = with config.krebs.users; [
+ mic92.pubkey
+ palo.pubkey
+ ];
};
systemd.services.nginx-rtmp = {
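Review bot: The tmpfs mounted at `/var/lib/rtmp/tmp` has no `size=` option, so HLS/DASH fragments and anything else written there compete with system memory without a ceiling; `options = [ "nosuid" "nodev" "noexec" "noatime" "size=512M" "mode=0755" ];` bounds it, and `mode=0755` avoids the world-writable root a tmpfs gets by default (the fragment subdirectories are chmod'ed to 755 later in the commit, the mount point itself is not). The player page has a stray `</video>` right after `<video id="player" controls></video>`; drop that line. `dash.all.min.js` is fetched over plain `http://`; the sha256 pin keeps the build reproducible, but `https://cdn.dashjs.org/v3.2.0/dash.all.min.js` costs nothing. The `/records` location here repeats, on the public TLS host, the unauthenticated directory listing already present in the internal nginx config.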
@@ -149,6 +261,14 @@ in {
}}/bin/nginx -c ${nginxCfg} -p /var/lib/rtmp
'';
serviceConfig = {
+ ExecStartPre = pkgs.writers.writeDash "setup-rtmp" ''
+ mkdir -p /var/lib/rtmp/tmp/hls
+ mkdir -p /var/lib/rtmp/tmp/dash
+ chown rtmp:users /var/lib/rtmp/tmp/hls
+ chown rtmp:users /var/lib/rtmp/tmp/dash
+ chmod 755 /var/lib/rtmp/tmp/hls
+ chmod 755 /var/lib/rtmp/tmp/dash
+ '';
User = "rtmp";
};
};
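Review bot: `setup-rtmp` runs without `set -eu`, so a failing `mkdir`/`chown`/`chmod` is ignored and nginx is started against missing or wrongly-owned fragment directories; add `set -euf` as its first line. Because the unit sets `User = "rtmp"`, `ExecStartPre` also runs as rtmp (systemd only runs pre-commands as root when the path is prefixed with `+`), which makes the `chown rtmp:users` lines no-ops on directories rtmp just created and failures on any it did not; either drop the chown lines or use `ExecStartPre = "+${pkgs.writers.writeDash "setup-rtmp" ''...''}";` if root is intended. The enclosing `systemd.services.nginx-rtmp` definition starts outside the hunk.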
diff --git a/lass/3modules/bindfs.nix b/lass/3modules/bindfs.nix
new file mode 100644
index 000000000..5c8df8dc5
--- /dev/null
+++ b/lass/3modules/bindfs.nix
@@ -0,0 +1,51 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }:
+let
+ cfg = config.lass.bindfs;
+in {
+ options.lass.bindfs = mkOption {
+ type = types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ target = mkOption {
+ description = ''
+ destination where bindfs mounts to.
+ second positional argument to bindfs.
+ '';
+ default = config._module.args.name;
+ type = types.absolute-pathname;
+ };
+ source = mkOption {
+ description = ''
+ source folder where the mounted directory is originally.
+ first positional argument to bindfs.
+ '';
+ type = types.absolute-pathname;
+ };
+ options = mkOption {
+ description = ''
+ additional arguments to bindfs
+ '';
+ type = types.listOf types.str;
+ default = [];
+ };
+ };
+ }));
+ default = {};
+ };
+
+ config = mkIf (cfg != {}) {
+ systemd.services = mapAttrs' (n: mount: let
+ name = replaceStrings [ "/" ] [ "_" ] n;
+ in nameValuePair "bindfs-${name}" {
+ wantedBy = [ "local-fs.target" ];
+ path = [ pkgs.coreutils ];
+ serviceConfig = {
+ ExecStartPre = pkgs.writeDash "bindfs-init-${name}" ''
+ mkdir -p '${mount.source}'
+ mkdir -p '${mount.target}'
+ '';
+ ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}";
+ };
+ }) cfg;
+ };
+}
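Review bot: The `bindfs-*` units are only `wantedBy local-fs.target` with no ordering against the mount units backing `mount.source`, so a source on a separately-mounted filesystem can be bind-mounted before it appears, and the `mkdir -p '${mount.source}'` in `ExecStartPre` then silently creates an empty directory on the parent filesystem and exports that instead; add `unitConfig.RequiresMountsFor = [ mount.source mount.target ];` and consider dropping the mkdir of the source so a missing source fails loudly. `ExecStart` also interpolates `mount.options`, `mount.source` and `mount.target` unquoted while `ExecStartPre` single-quotes the paths; a path containing a space or quote is split by systemd's ExecStart parser, so apply `escapeShellArg` (presumably available from the lib already imported) to all three. Since `options` is passed verbatim to bindfs, a one-line comment that flags such as `--map` or `-o allow_other` change who can access the target would help callers.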
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index c3c73bdcb..8bee08caa 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -1,6 +1,7 @@
_:
{
imports = [
+ ./bindfs.nix
./dnsmasq.nix
./ejabberd
./folderPerms.nix
@@ -12,6 +13,7 @@ _:
./pyload.nix
./restic.nix
./screenlock.nix
+ ./sync-containers.nix
./usershadow.nix
./xjail.nix
./autowifi.nix
diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix
new file mode 100644
index 000000000..ca81458a9
--- /dev/null
+++ b/lass/3modules/sync-containers.nix
@@ -0,0 +1,166 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+ cfg = config.lass.sync-containers;
+ paths = cname: {
+ plain = "/var/lib/containers/${cname}/var/state";
+ ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs";
+ securefs = "${cfg.dataLocation}/${cname}/securefs";
+ };
+ start = cname: {
+ plain = ''
+ '';
+ ecryptfs = ''
+ if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
+ if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
+ ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+ else
+ ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+ fi
+ fi
+ '';
+ securefs = ''
+ ## TODO init file systems if it does not exist
+ # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
+ if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
+ ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions
+ fi
+ '';
+ };
+ stop = cname: {
+ plain = ''
+ '';
+ ecryptfs = ''
+ ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+ '';
+ securefs = ''
+ umount /var/lib/containers/${cname}/var/state
+ '';
+ };
+in {
+ options.lass.sync-containers = {
+ dataLocation = mkOption {
+ description = ''
+ location where the encrypted sync-container lie around
+ '';
+ default = "/var/lib/sync-containers";
+ type = types.absolute-pathname;
+ };
+ containers = mkOption {
+ type = types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ name = mkOption {
+ description = ''
+ name of the container
+ '';
+ default = config._module.args.name;
+ type = types.str;
+ };
+ peers = mkOption {
+ description = ''
+ syncthing peers to share this container with
+ '';
+ default = [];
+ type = types.listOf types.str;
+ };
+ hostIp = mkOption { # TODO find this automatically
+ description = ''
+ hostAddress of the privateNetwork
+ '';
+ example = "10.233.2.15";
+ type = types.str;
+ };
+ localIp = mkOption { # TODO find this automatically
+ description = ''
+ localAddress of the privateNetwork
+ '';
+ example = "10.233.2.16";
+ type = types.str;
+ };
+ format = mkOption {
+ description = ''
+ file system encrption format of the container
+ '';
+ type = types.enum [ "plain" "ecryptfs" "securefs" ];
+ };
+ };
+ }));
+ default = {};
+ };
+ };
+
+ config = mkIf (cfg.containers != {}) {
+ programs.fuse.userAllowOther = true;
+
+ services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
+ devices = ctr.peers;
+ ignorePerms = false;
+ })) cfg.containers);
+
+ krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
+ file-mode = "u+rw";
+ directory-mode = "u+rwx";
+ owner = "syncthing";
+ keepGoing = false;
+ })) cfg.containers);
+
+ systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({
+ reloadIfChanged = mkForce false;
+ })) cfg.containers;
+
+ containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({
+ config = { ... }: {
+ environment.systemPackages = [
+ pkgs.git
+ ];
+ system.activationScripts.fuse = {
+ text = ''
+ ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+ '';
+ deps = [];
+ };
+ };
+ allowedDevices = [
+ { modifier = "rwm"; node = "/dev/fuse"; }
+ ];
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = ctr.hostIp;
+ localAddress = ctr.localIp;
+ })) cfg.containers;
+
+ environment.systemPackages = flatten (mapAttrsToList (n: ctr: [
+ (pkgs.writeDashBin "start-${ctr.name}" ''
+ set -euf
+ set -x
+
+ mkdir -p /var/lib/containers/${ctr.name}/var/state
+
+ ${(start ctr.name).${ctr.format}}
+
+ STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name})
+ if [ "$STATE" = 'down' ]; then
+ ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name}
+ fi
+
+ ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
+ set -x
+
+ mkdir -p /var/state/var_src
+ ln -sfTr /var/state/var_src /var/src
+ touch /etc/NIXOS
+ ''}
+
+ if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then
+ ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
+ fi
+ '')
+ (pkgs.writeDashBin "stop-${ctr.name}" ''
+ set -euf
+
+ ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name}
+ ${(stop ctr.name).${ctr.format}}
+ '')
+ ]) cfg.containers);
+ };
+}
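Review bot: `start-NAME` starts the container unconditionally and only consults `ping -c1 -q -w5 NAME.r` afterwards to decide whether to run `nixos-rebuild switch`; if that ping is meant to detect that another peer already runs this container (its state directory is syncthing-shared with `peers`, so two live instances would write conflicting state into the same synced ecryptfs/securefs tree), the check has to come before `nixos-container start`, e.g. `if ping -c1 -q -w5 ${ctr.name}.r >/dev/null 2>&1; then echo "${ctr.name}.r already reachable, refusing to start" >&2; exit 1; fi`. The in-container activation script runs `mknod /dev/fuse c 10 229` on every activation and errors once the node exists; guard it with `[ -e /dev/fuse ] || ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229`. The securefs branch mounts with `-o allow_other -o default_permissions` and the module enables `programs.fuse.userAllowOther` host-wide; a comment on why every local user needs to traverse the mount would help, and `set -x` in the start script logs the full `ecrypt`/`securefs` command lines to the journal, which is fine only if neither takes key material on the command line (not visible here). The `stop` path calls a bare `umount` while the start path uses `${pkgs.mount}/bin/mount`; use the package path in both, and the `format` description misspells "encryption".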