author | tv <tv@krebsco.de> | 2021-09-28 22:48:17 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2021-09-28 22:48:17 +0200 |
commit | ed2c6bd9792afbc433ae4eb23f40e17b90420f99 (patch) | |
tree | 289de32dd7f58f46accf7ad25ed184db5aa45198 /lass | |
parent | 20e358043546482acfa8c6134f095c1a64ef144d (diff) | |
parent | e151cfd3298120ec541987d4beb155e18335a0d8 (diff) |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass')
-rw-r--r-- | lass/1systems/coaxmetal/physical.nix | 24 | ||||
-rw-r--r-- | lass/1systems/lasspi/config.nix | 26 | ||||
-rw-r--r-- | lass/1systems/lasspi/physical.nix | 43 | ||||
-rw-r--r-- | lass/1systems/prism/config.nix | 18 | ||||
-rw-r--r-- | lass/1systems/wizard/config.nix | 2 | ||||
-rw-r--r-- | lass/2configs/baseX.nix | 11 | ||||
-rw-r--r-- | lass/2configs/default.nix | 1 | ||||
-rw-r--r-- | lass/2configs/docker.nix | 6 | ||||
-rw-r--r-- | lass/2configs/murmur.nix | 39 | ||||
-rw-r--r-- | lass/2configs/pipewire.nix | 72 | ||||
-rw-r--r-- | lass/2configs/telegraf.nix | 67 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 42 | ||||
-rw-r--r-- | lass/5pkgs/proxychains-ng/default.nix | 16 | ||||
-rw-r--r-- | lass/5pkgs/sshify/default.nix | 38 |
14 files changed, 369 insertions, 36 deletions
diff --git a/lass/1systems/coaxmetal/physical.nix b/lass/1systems/coaxmetal/physical.nix index 3632ffd3e..b033477fe 100644 --- a/lass/1systems/coaxmetal/physical.nix +++ b/lass/1systems/coaxmetal/physical.nix @@ -22,8 +22,6 @@ ]; hardware.opengl.extraPackages = [ pkgs.amdvlk ]; - # is required for amd graphics support ( xorg wont boot otherwise ) - boot.kernelPackages = pkgs.linuxPackages_latest; environment.variables.VK_ICD_FILENAMES = "/run/opengl-driver/share/vulkan/icd.d/amd_icd64.json"; @@ -47,7 +45,25 @@ services.logind.lidSwitch = "ignore"; services.logind.lidSwitchDocked = "ignore"; - boot.extraModprobeConfig = '' - options psmouse proto=imps + + # Mouse stuff + services.xserver.libinput.enable = lib.mkForce false; + services.xserver.synaptics.enable = true; + + services.xserver.displayManager.sessionCommands = '' + xinput disable 'ETPS/2 Elantech Touchpad' + xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation' 1 + xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Button' 2 + xinput set-prop 'ETPS/2 Elantech TrackPoint' 'Evdev Wheel Emulation Axes' 6 7 4 5 ''; + + # https://forums.lenovo.com/t5/Fedora/T14s-AMD-Trackpoint-almost-unusable/m-p/5064952?page=4 + # https://bugzilla.kernel.org/show_bug.cgi?id=209167#c1 + boot.kernelPatches = [{ + name = "fix-trackpoint-jumping"; + patch = pkgs.fetchurl { + url = "https://patchwork.kernel.org/project/linux-input/patch/20210729010940.5752-1-phoenix@emc.com.tw/raw/"; + sha256 = "0apbf7c8w830dbdsrmxpip90d5zbg74a939x89jfgpvm5gbdqdjg"; + }; + }]; } diff --git a/lass/1systems/lasspi/config.nix b/lass/1systems/lasspi/config.nix new file mode 100644 index 000000000..9f823dfc8 --- /dev/null +++ b/lass/1systems/lasspi/config.nix 
@@ -0,0 +1,26 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +let +in +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + ]; + + krebs.build.host = config.krebs.hosts.lasspi; + + networking = { + networkmanager = { + enable = true; + }; + }; + environment.systemPackages = with pkgs; [ + vim + rxvt_unicode.terminfo + ]; + services.openssh.enable = true; + + system.stateVersion = "21.05"; +} diff --git a/lass/1systems/lasspi/physical.nix b/lass/1systems/lasspi/physical.nix new file mode 100644 index 000000000..80c459a95 --- /dev/null +++ b/lass/1systems/lasspi/physical.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: +{ + # This configuration worked on 09-03-2021 nixos-unstable @ commit 102eb68ceec + # The image used https://hydra.nixos.org/build/134720986 + imports = [ + ./config.nix + ]; + + boot = { + # kernelPackages = pkgs.linuxPackages_rpi4; + tmpOnTmpfs = true; + initrd.availableKernelModules = [ "usbhid" "usb_storage" ]; + # ttyAMA0 is the serial console broken out to the GPIO + kernelParams = [ + "8250.nr_uarts=1" + "console=ttyAMA0,115200" + "console=tty1" + # Some gui programs need this + "cma=128M" + ]; + }; + + boot.loader.raspberryPi = { + enable = true; + version = 4; + }; + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; + + # Required for the Wireless firmware + hardware.enableRedistributableFirmware = true; + + # Assuming this is installed on top of the disk image. + fileSystems = { + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + options = [ "noatime" ]; + }; + }; + + powerManagement.cpuFreqGovernor = "ondemand"; +} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 421afab2a..d43fb804a 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
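Review bot: `services.openssh.enable = true;` in lasspi/config.nix comes with no hardening next to it, and whether `<stockholm/lass/2configs>` already disables password login is not visible in this commit; if it does not, `services.openssh.passwordAuthentication = false;` belongs beside it on a NetworkManager-attached device like this one. The `let in` with nothing between the two keywords is dead and can be dropped.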
@@ -7,11 +7,12 @@ with import <stockholm/lib>; <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/libvirt.nix> <stockholm/lass/2configs/tv.nix> + <stockholm/lass/2configs/websites/lassulus.nix> + <stockholm/lass/2configs/telegraf.nix> { services.nginx.enable = true; imports = [ <stockholm/lass/2configs/websites/domsen.nix> - <stockholm/lass/2configs/websites/lassulus.nix> ]; # needed by domsen.nix ^^ lass.usershadow = { @@ -275,19 +276,8 @@ with import <stockholm/lib>; { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} ]; } - { - services.murmur = { - enable = true; - bandwidth = 10000000; - registerName = "lassul.us"; - autobanTime = 30; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} - { predicate = "-p udp --dport 64738"; target = "ACCEPT";} - ]; - - } + <stockholm/lass/2configs/murmur.nix> + <stockholm/lass/2configs/docker.nix> { systemd.services."container@yellow".reloadIfChanged = mkForce false; containers.yellow = { diff --git a/lass/1systems/wizard/config.nix b/lass/1systems/wizard/config.nix index 8f9db7d3c..e158fa728 100644 --- a/lass/1systems/wizard/config.nix +++ b/lass/1systems/wizard/config.nix @@ -271,7 +271,7 @@ in { message = "lassulus: torify sshn root@"; }; systemd.services.hidden-ssh-announce.wantedBy = mkForce []; - services.mingetty.autologinUser = lib.mkForce "root"; + services.getty.autologinUser = lib.mkForce "root"; nixpkgs.config.packageOverrides = super: { dmenu = pkgs.writeDashBin "dmenu" '' diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 655e7912f..23eaa2802 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -10,14 +10,7 @@ in { ./urxvt.nix ./xdg-open.nix ./yubikey.nix - { - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - security.rtkit.enable = true; - sound.enableOSSEmulation = false; - } + ./pipewire.nix ./xmonad.nix { krebs.per-user.lass.packages = [ 
@@ -50,7 +43,7 @@ in { } ]; - users.extraUsers.mainUser.extraGroups = [ "audio" "video" ]; + users.users.mainUser.extraGroups = [ "audio" "video" ]; time.timeZone = "Europe/Berlin"; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index adfeef19d..eb38d0e97 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -117,6 +117,7 @@ with import <stockholm/lib>; iftop tcpdump mosh + sshify #stuff for dl aria2 diff --git a/lass/2configs/docker.nix b/lass/2configs/docker.nix new file mode 100644 index 000000000..2bc3a2361 --- /dev/null +++ b/lass/2configs/docker.nix @@ -0,0 +1,6 @@ +{ pkgs, lib, config, ... }: +{ + systemd.services.krebs-iptables.serviceConfig.ExecStartPost = pkgs.writeDash "kick_docker" '' + ${pkgs.systemd}/bin/systemctl restart docker.service + ''; +} diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix new file mode 100644 index 000000000..9f325d0af --- /dev/null +++ b/lass/2configs/murmur.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: +{ + services.murmur = { + enable = true; + bandwidth = 10000000; + registerName = "lassul.us"; + autobanTime = 30; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} + { predicate = "-p udp --dport 64738"; target = "ACCEPT";} + ]; + + systemd.services.docker-mumble-web.serviceConfig = { + StandardOutput = lib.mkForce "journal"; + StandardError = lib.mkForce "journal"; + }; + virtualisation.oci-containers.containers.mumble-web = { + image = "rankenstein/mumble-web"; + environment = { + MUMBLE_SERVER = "lassul.us:64738"; + }; + ports = [ + "64739:8080" + ]; + }; + + services.nginx.virtualHosts."mumble.lassul.us" = { + enableACME = true; + forceSSL = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:64739/; + proxy_set_header Accept-Encoding ""; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + ''; + }; +} 
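Review bot: `ExecStartPost` in docker.nix restarts `docker.service` on every start of krebs-iptables without saying why; if the reason is that krebs-iptables flushes the tables and thereby removes the chains Docker manages, a comment such as `# krebs-iptables flushes the filter/nat tables; restart docker so it re-creates its DOCKER chains and published-port rules` would record that. A restart also restarts every running container, and on a host that imports this file without docker.service present the failed ExecStartPost marks krebs-iptables itself as failed; prefixing the command with `-` (`ExecStartPost = "-${pkgs.writeDash "kick_docker" ''…''}";`) keeps the firewall service up in that case. Whether the docker backend is actually enabled on prism is not visible here.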
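Review bot: `ports = [ "64739:8080" ]` in murmur.nix publishes the mumble-web container on every host interface, and with the docker backend published ports are wired through Docker's own iptables chains, so the plain-HTTP frontend can be reachable without the TLS/ACME nginx virtual host meant to front it unless krebs.iptables also governs FORWARD (not visible here). Binding to loopback, `"127.0.0.1:64739:8080"`, matches the `proxy_pass http://localhost:64739/` nginx already uses. `image = "rankenstein/mumble-web"` carries neither a tag nor a digest, so each pull may fetch a different image; pinning by digest keeps the deployment reproducible. `$connection_upgrade` is only defined if an `http`-level `map` sets it, which I cannot see in this file.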
diff --git a/lass/2configs/pipewire.nix b/lass/2configs/pipewire.nix new file mode 100644 index 000000000..8fdcff4e3 --- /dev/null +++ b/lass/2configs/pipewire.nix @@ -0,0 +1,72 @@ +{ config, lib, pkgs, ... }: +# TODO test `alsactl init` after suspend to reinit mic +{ + security.rtkit.enable = true; + + hardware.bluetooth = { + enable = true; + powerOnBoot = true; + }; + + # autostart with login + systemd.user.services.pipewire-pulse = { + wantedBy = [ "graphical-session.target" ]; + }; + + environment.systemPackages = with pkgs; [ + alsaUtils + pulseaudioLight + ]; + + environment.variables.PULSE_SERVER = "localhost:4713"; + services.pipewire = { + enable = true; + socketActivation = false; + alsa.enable = true; + alsa.support32Bit = true; + pulse.enable = true; + jack.enable = true; + # https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Migrate-PulseAudio#module-native-protocol-tcp + config.pipewire-pulse = { + "context.properties" = { + "log.level" = 2; + }; + "context.modules" = [ + { + name = "libpipewire-module-rtkit"; + # args = { + # "nice.level" = -15; + # "rt.prio" = 88; + # "rt.time.soft" = 200000; + # "rt.time.hard" = 200000; + # }; + flags = [ "ifexists" "nofail" ]; + } + { name = "libpipewire-module-protocol-native"; } + { name = "libpipewire-module-client-node"; } + { name = "libpipewire-module-adapter"; } + { name = "libpipewire-module-metadata"; } + { + name = "libpipewire-module-protocol-pulse"; + args = { + "vm.overrides" = { + # "pulse.min.req" = "32/48000"; + # "pulse.default.req" = "32/48000"; + # "pulse.max.req" = "32/48000"; + "pulse.min.quantum" = "1024/48000"; + # "pulse.max.quantum" = "32/48000"; + }; + "server.address" = [ + "unix:native" + "tcp:4713" + ]; + }; + } + ]; + "stream.properties" = { + # "node.latency" = "32/48000"; + # "resample.quality" = 1; + }; + }; + }; +} diff --git a/lass/2configs/telegraf.nix b/lass/2configs/telegraf.nix new file mode 100644 index 000000000..4f46cd721 --- /dev/null 
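Review bot: `"server.address" = [ "unix:native" "tcp:4713" ]` makes pipewire-pulse listen on TCP 4713 on every interface, and as far as I know the pipewire-pulse TCP listener performs no client authentication, so any host that can reach the port can capture from and play to this machine's audio devices unless a firewall rule in a file not shown here closes it. Since the only client configured here is local (`environment.variables.PULSE_SERVER = "localhost:4713"`), bind the listener to loopback: `"tcp:127.0.0.1:4713"`. If the TCP socket is intended for VMs or another host, a comment saying so plus the matching iptables rule would make the exposure deliberate rather than accidental.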
+++ b/lass/2configs/telegraf.nix @@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: +let + isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules; +in { + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 9273"; target = "ACCEPT"; } + ]; + + systemd.services.telegraf.path = [ pkgs.nvme-cli ]; + + services.telegraf = { + enable = true; + extraConfig = { + agent.interval = "60s"; + inputs = { + prometheus.metric_version = 2; + kernel_vmstat = { }; + # smart = lib.mkIf (!isVM) { + # path = pkgs.writeShellScript "smartctl" '' + # exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@" + # ''; + # }; + system = { }; + mem = { }; + file = [{ + data_format = "influx"; + file_tag = "name"; + files = [ "/var/log/telegraf/*" ]; + }] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) { + name_override = "ext4_errors"; + files = [ "/sys/fs/ext4/*/errors_count" ]; + data_format = "value"; + }; + exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) { + ## Commands array + commands = [ + (pkgs.writeScript "zpool-health" '' + #!${pkgs.gawk}/bin/awk -f + BEGIN { + while ("${pkgs.zfs}/bin/zpool status" | getline) { + if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 } + if ($1 ~ /state:/) { printf " state=\"%s\",", $2 } + if ($1 ~ /errors:/) { + if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2 + } + } + } + '') + ]; + data_format = "influx"; + }; + systemd_units = { }; + swap = { }; + disk.tagdrop = { + fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ]; + device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ]; + }; + diskio = { }; + }; + outputs.prometheus_client = { + listen = ":9273"; + metric_version = 2; + }; + }; + }; +} diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index e603f49da..40f67537e 100644 
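Review bot: `isVM` in the `let` block is referenced only from the commented-out `smart` input, so as committed it is dead code; either drop it together with the comment or keep both and add a line stating why `smart` is disabled. `outputs.prometheus_client.listen = ":9273"` binds on all addresses and relies solely on the `-i retiolum` iptables rule to keep the exporter off other interfaces; listening on the retiolum address directly would add a second layer. The `file` input ingests `/var/log/telegraf/*` as influx line protocol, so anything able to write to that directory can inject metrics; a comment naming the intended writer of those files would help the next reader judge that.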
--- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -28,6 +28,7 @@ in { (servePage [ "aldonasiech.com" "www.aldonasiech.com" ]) (servePage [ "apanowicz.de" "www.apanowicz.de" ]) (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) + (servePage [ "illustra.de" "www.illustra.de" ]) (servePage [ "freemonkey.art" "www.freemonkey.art" @@ -81,6 +82,7 @@ in { "o_ubikmedia_de" ]; + services.phpfpm.phpPackage = pkgs.php73; services.phpfpm.phpOptions = '' sendmail_path = ${sendmail} -t upload_max_filesize = 100M @@ -88,12 +90,18 @@ in { file_uploads = on ''; + krebs.secret.files.nextcloud_pw = { + path = "/run/nextcloud.pw"; + owner.name = "nextcloud"; + group-name = "nextcloud"; + source-path = toString <secrets> + "/nextcloud_pw"; + }; services.nextcloud = { enable = true; hostName = "o.xanf.org"; - package = pkgs.nextcloud20; + package = pkgs.nextcloud21; config = { - adminpassFile = toString <secrets> + "/nextcloud_pw"; + adminpassFile = "/run/nextcloud.pw"; overwriteProtocol = "https"; }; https = true; @@ -178,7 +186,7 @@ in { group = "xanf"; home = "/home/xanf"; useDefaultShell = true; - createHome = true; + createHome = false; # creathome forces permissions isNormalUser = true; }; @@ -291,6 +299,24 @@ in { isNormalUser = true; }; + users.users.movematchers = { + uid = genid_uint31 "movematchers"; + home = "/home/movematchers"; + useDefaultShell = true; + extraGroups = [ "xanf" ]; + createHome = true; + isNormalUser = true; + }; + + users.users.blackphoton = { + uid = genid_uint31 "blackphoton"; + home = "/home/blackphoton"; + useDefaultShell = true; + extraGroups = [ "xanf" ]; + createHome = true; + isNormalUser = true; + }; + users.groups.xanf = {}; krebs.on-failure.plans.restic-backups-domsen = { 
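Review bot: `services.phpfpm.phpPackage = pkgs.php73;` pins the phpfpm pools to a PHP branch whose upstream security support ends in December 2021, with no comment on why a newer interpreter was not chosen; `# php73: <reason>, revisit before 7.3 goes EOL (2021-12)` would record that for whoever inherits the host. Moving the Nextcloud admin password to `/run/nextcloud.pw` through `krebs.secret.files` owned by `nextcloud` is the right direction; if the krebs.secret module's default `mode` is not already owner-read-only, setting it explicitly (`mode = "0400";`) would make that visible in this file. The comment on `createHome = false;` misspells the option as `creathome`.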
@@ -332,14 +358,14 @@ in { ''; krebs.permown = { - "/backups/domsen" = { - owner = "backup"; + "/srv/http" = { group = "syncthing"; + owner = "nginx"; umask = "0007"; }; - "/srv/http" = { - owner = "syncthing"; - group = "nginx"; + "/home/xanf/XANF_TEAM" = { + owner = "XANF_TEAM"; + group = "xanf"; umask = "0007"; }; }; diff --git a/lass/5pkgs/proxychains-ng/default.nix b/lass/5pkgs/proxychains-ng/default.nix new file mode 100644 index 000000000..488293f7c --- /dev/null +++ b/lass/5pkgs/proxychains-ng/default.nix @@ -0,0 +1,16 @@ +{ lib +, stdenv +, fetchFromGitHub +}: + +stdenv.mkDerivation rec { + pname = "proxychains-ng"; + version = "4.15"; + + src = fetchFromGitHub { + owner = "rofl0r"; + repo = pname; + rev = "v${version}"; + sha256 = "128d502y8pn7q2ls6glx9bvibwzfh321sah5r5li6b6iywh2zqlc"; + }; +} diff --git a/lass/5pkgs/sshify/default.nix b/lass/5pkgs/sshify/default.nix new file mode 100644 index 000000000..aba0ab6bb --- /dev/null +++ b/lass/5pkgs/sshify/default.nix @@ -0,0 +1,38 @@ +{ pkgs }: +pkgs.writers.writeBashBin "sshify" '' + set -efu + + TMPDIR=$(mktemp -d) + + SSH_ARGS=() + + while [[ "$#" -gt 0 ]]; do + case $1 in + --) + shift + break + ;; + *) + SSH_ARGS+=($1) + ;; + esac + shift + done + + if [[ "$#" -le 0 ]]; then + echo no command specified + exit 1 + fi + + RANDOM_HIGH_PORT=$(shuf -i 20000-65000 -n 1) + + cat << EOF >$TMPDIR/proxychains.conf + [ProxyList] + socks4 127.0.0.1 $RANDOM_HIGH_PORT + EOF + + ssh -fNM -S "$TMPDIR/socket" -D "$RANDOM_HIGH_PORT" "''${SSH_ARGS[@]}" + trap "ssh -S $TMPDIR/socket -O exit bla 2>/dev/null; rm -rf $TMPDIR >&2" EXIT + + ${pkgs.proxychains-ng}/bin/proxychains4 -q -f "$TMPDIR/proxychains.conf" "$@" +'' |
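Review bot: The new `krebs.permown` entry sets `owner = "XANF_TEAM"` for `/home/xanf/XANF_TEAM`, but no user of that name is created in this commit (the added users are `movematchers` and `blackphoton`, and `xanf` is a group); if it is not defined elsewhere in the file the chown will fail at activation, and if this is meant as a group-shared directory `owner` probably wants one of the real users with `group = "xanf"`. For `/srv/http` ownership moves to `nginx` with `syncthing` as the group; with umask 0007 both still have full rights, so the web server process remains able to modify its own document root, as the previous arrangement also allowed — if the served tree should be read-only for nginx, that needs a stricter umask rather than this swap. The `/backups/domsen` permown is dropped without explanation; a note on where that tree's ownership is now managed would help.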
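Review bot: proxychains-ng/default.nix takes `lib` as an argument but never uses it, and the derivation has no `meta` block, so the package carries no description or license; a `meta = with lib; { description = "..."; license = ...; }` would use the argument and document what is being built. The build relies entirely on stdenv's default configure/make phases, which may well be fine, but since nixpkgs already ships a `proxychains` package a one-line comment on why this repo carries its own build would help.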
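Review bot: If `TMPDIR` is already exported in the caller's environment, `TMPDIR=$(mktemp -d)` in sshify silently re-points it for the master ssh and for the wrapped command, which then create their own temp files inside the directory the script deletes on exit; a non-special name such as `WORKDIR` avoids that. `SSH_ARGS+=($1)` is unquoted and word-splits any ssh argument containing whitespace, and the cleanup `trap` is registered only after `ssh -fNM` has run, so with `set -e` a failing ssh leaves the directory behind; registering the trap first and quoting the paths fixes both. `echo no command specified` belongs on stderr. If hostname resolution is meant to go through the tunnel as well, the generated config needs `proxy_dns` and a `socks5` entry (ssh -D speaks SOCKS4 and SOCKS5); as written, names are resolved on the local host.
```nix
pkgs.writers.writeBashBin "sshify" ''
  set -efu

  # Deliberately not TMPDIR: that name is honoured by mktemp, ssh and the wrapped command.
  WORKDIR=$(mktemp -d)
  # Registered before the control master starts so a failing ssh (set -e) still cleans up.
  trap 'ssh -S "$WORKDIR/socket" -O exit bla 2>/dev/null; rm -rf "$WORKDIR" >&2' EXIT

  # … unchanged: SSH_ARGS loop, with the element quoted as SSH_ARGS+=("$1") …

  if [[ "$#" -le 0 ]]; then
    echo no command specified >&2
    exit 1
  fi

  # … unchanged: RANDOM_HIGH_PORT …

  cat << EOF >"$WORKDIR/proxychains.conf"
  proxy_dns
  [ProxyList]
  socks5 127.0.0.1 $RANDOM_HIGH_PORT
  EOF

  ssh -fNM -S "$WORKDIR/socket" -D "$RANDOM_HIGH_PORT" "''${SSH_ARGS[@]}"

  ${pkgs.proxychains-ng}/bin/proxychains4 -q -f "$WORKDIR/proxychains.conf" "$@"
''
```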