-rw-r--r-- | krebs/2configs/syncthing.nix | 8 | ||||
-rw-r--r-- | krebs/3modules/external/kmein.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/makefu/default.nix | 3 | ||||
-rw-r--r-- | krebs/3modules/tinc.nix | 3 | ||||
-rw-r--r-- | krebs/5pkgs/simple/krebsdance/default.nix | 157 | ||||
-rw-r--r-- | krebs/5pkgs/simple/reaktor2-plugins.nix | 6 | ||||
-rw-r--r-- | lass/1systems/mors/config.nix | 1 | ||||
-rw-r--r-- | lass/2configs/fysiirc.nix | 42 | ||||
-rw-r--r-- | lass/2configs/hass/zigbee.nix | 2 | ||||
-rw-r--r-- | lass/2configs/murmur.nix | 6 | ||||
-rw-r--r-- | lass/2configs/retiolum.nix | 5 | ||||
-rw-r--r-- | lass/2configs/sync/decsync.nix | 2 | ||||
-rw-r--r-- | lass/2configs/sync/sync.nix | 2 | ||||
-rw-r--r-- | lass/2configs/sync/the_playlist.nix | 9 | ||||
-rw-r--r-- | lass/2configs/sync/weechat.nix | 2 | ||||
-rw-r--r-- | lass/3modules/acl.nix | 55 | ||||
-rw-r--r-- | lass/3modules/default.nix | 1 | ||||
-rw-r--r-- | makefu/2configs/tinc/retiolum.nix | 10 |
18 files changed, 287 insertions, 28 deletions
diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix
index 125e2aea4..dac1863d5 100644
--- a/krebs/2configs/syncthing.nix
+++ b/krebs/2configs/syncthing.nix
@@ -8,11 +8,9 @@ in { services.syncthing = { enable = true; configDir = "/var/lib/syncthing"; - declarative = { - devices = mk_peers used_peers; - key = toString <secrets/syncthing.key>; - cert = toString <secrets/syncthing.cert>; - }; + devices = mk_peers used_peers; + key = toString <secrets/syncthing.key>; + cert = toString <secrets/syncthing.cert>; }; boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
diff --git a/krebs/3modules/external/kmein.nix b/krebs/3modules/external/kmein.nix
index 9ef079090..1e4a68057 100644
--- a/krebs/3modules/external/kmein.nix
+++ b/krebs/3modules/external/kmein.nix
@@ -123,6 +123,7 @@ in "zaatar.kmein.r" "grocy.kmein.r" "moodle.kmein.r" + "radio.kmein.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 62316bfdb..b3c09db78 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -102,6 +102,7 @@ in { x = { ci = true; cores = 4; + syncthing.id = "OA36OF6-JEFCUJQ-OEYVTMH-DPCACQI-3AJRE5G-BFVMOUG-RPYJQE3-4ZCUWA5"; nets = { retiolum.ip4.addr = "10.243.0.91"; wiregrill = {
@@ -121,7 +122,7 @@ in { omo = rec { ci = true; cores = 2; - + syncthing.id = "Y5OTK3S-JOJLAUU-KTBXKUW-M7S5UEQ-MMQPUK2-7CXO5V6-NOUDLKP-PRGAFAK"; nets = { retiolum = { ip4.addr = "10.243.0.89";
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 21ddde1c6..4a54d2950 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -233,6 +233,7 @@ with import <stockholm/lib>; cfg.iproutePackage cfg.tincPackage ]; + reloadIfChanged = true; serviceConfig = { Restart = "always"; LoadCredential = filter (x: x != "") [
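Review bot: `reloadIfChanged = true;` here, together with the `ExecReload` change to `tinc -n ${netname} restart` in the `@@ -260,7 +261,7 @@` hunk of the same file, means a `nixos-rebuild switch` that touches this unit only asks the running tincd to restart itself instead of restarting the systemd service. If tinc's `restart` re-execs the binary that is already running, a `tincPackage` bump or a changed `ExecStart` argument such as a new `LoadCredential` entry is not applied until someone runs `systemctl restart` by hand; please confirm that trade-off is intended. A comment next to the option would spare the next reader the investigation, e.g. `# reload = "tinc restart" via ExecReload; package/ExecStart changes still need a real service restart`. The service definition continues outside this hunk.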
@@ -260,7 +261,7 @@ with import <stockholm/lib>; "-o PrivateKeyFile=\${CREDENTIALS_DIRECTORY}/rsa_key" "--pidfile=/var/run/tinc.${netname}.pid" ]; - ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} reload"; + ExecReload = "${cfg.tincPackage}/sbin/tinc -n ${netname} restart"; SyslogIdentifier = netname; }; }) config.krebs.tinc;
diff --git a/krebs/5pkgs/simple/krebsdance/default.nix b/krebs/5pkgs/simple/krebsdance/default.nix
new file mode 100644
index 000000000..cdfe23ef2
--- /dev/null
+++ b/krebs/5pkgs/simple/krebsdance/default.nix
@@ -0,0 +1,157 @@ +{ writers }: +writers.writePython3Bin "krebsdance" { flakeIgnore = [ "E501" ]; } '' + import argparse + import random + import itertools + + claws = [ + dict( + up="(\\/)", + down="(/\\)", + left="(\\\\)", + right="(//)", + ), + dict( + up="(V)", + down="(A)", + left=">)=", + right="=(<", + ), + dict( + up="(U)", + down="(n)", + left=")==", + right="==(", + ), + ] + + eyes = [ + "°", + "*", + "^", + "ö", + "o", + "O", + "X", + "x", + "U", + "u", + ] + + bodies = [ + dict( + left="(", + right=")", + ), + dict( + left="{", + right="}", + ), + dict( + left="[", + right="]", + ), + dict( + left="<", + right=">", + ), + dict( + left="|", + right="|", + ), + ] + + mouths = [ + ",,,,", + ",mm,", + "_mm_", + "-mm-", + ";;;;", + ";mm;", + ":mm:", + "::::", + ":ww:", + ":<>:", + ] + + + def all_krebses(): + for mouth, body, eye, claw in itertools.product(mouths, bodies, eyes, claws): + yield f'{claw["up"]} {body["left"]}{eye}{mouth}{eye}{body["right"]} {claw["up"]}' + + + def escape_graph(text): + return text.replace("\\", "\\\\") + + + def krebs_graph() -> str: + return "\n".join(itertools.chain( + ["digraph {"], + [escape_graph(f'"{krebs}"->"{generate(seed=krebs)}"') for krebs in all_krebses()], + "}", + )) + + + def generate(*, seed: str, dancing: bool = False) -> str: + if seed: + random.seed(seed) + clawstyle = random.choice(claws) + body = random.choice(bodies) + eye = random.choice(eyes) + mouth = random.choice(mouths) + if dancing: + return "\n".join( + [ + f'{clawstyle["down"]} {body["left"]}{eye}{mouth}{eye}{body["right"]}{clawstyle["up"]}', + f'{clawstyle["left"]}{body["left"]}{eye}{mouth}{eye}{body["right"]} {clawstyle["right"]}', + f'{clawstyle["right"]} {body["left"]}{eye}{mouth}{eye}{body["right"]} {clawstyle["left"]}', + f'{clawstyle["down"]}{body["left"]}{eye}{mouth}{eye}{body["right"]}{clawstyle["down"]}', + ] + ) + else: + return f'{clawstyle["up"]} {body["left"]}{eye}{mouth}{eye}{body["right"]} {clawstyle["up"]}' + + + def fixpoints(): 
+ for krebs in all_krebses(): + if generate(seed=krebs) == krebs: + yield krebs + + + def main(): + parser = argparse.ArgumentParser() + + parser.add_argument( + "seed", + nargs="?", + help="random seed to use for generating the krebs variant", + ) + + parser.add_argument( + "--dance", + "-d", + dest="dance", + help="if the krebs should dance", + default=False, + action="store_true", + ) + + parser.add_argument( + "--mode", + "-m", + dest="mode", + choices=["graphviz", "plain"], + default="plain", + ) + + args = parser.parse_args() + + if args.mode == "plain": + print(generate(seed=args.seed, dancing=args.dance)) + elif args.mode == "graphviz": + print(krebs_graph()) + + + if __name__ == "__main__": + main() +''
diff --git a/krebs/5pkgs/simple/reaktor2-plugins.nix b/krebs/5pkgs/simple/reaktor2-plugins.nix
index 54aaf246a..052e389a6 100644
--- a/krebs/5pkgs/simple/reaktor2-plugins.nix
+++ b/krebs/5pkgs/simple/reaktor2-plugins.nix
@@ -23,11 +23,7 @@ rec { dance = { filename = pkgs.writeDash "dance" '' - echo "<(^.^<)" - echo "<(^.^)>" - echo "(>^.^)>" - echo "(7^.^)7" - echo "(>^.^<)" + ${pkgs.krebsdance}/bin/krebsdance --dance "$@"; ''; };
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 4d042de22..dd479f267 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -26,6 +26,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/sync/sync.nix> <stockholm/lass/2configs/sync/decsync.nix> <stockholm/lass/2configs/sync/weechat.nix> + <stockholm/lass/2configs/sync/the_playlist.nix> #<stockholm/lass/2configs/c-base.nix> <stockholm/lass/2configs/br.nix> <stockholm/lass/2configs/ableton.nix>
diff --git a/lass/2configs/fysiirc.nix b/lass/2configs/fysiirc.nix
index d2aaa73c5..f3c1d5b7c 100644
--- a/lass/2configs/fysiirc.nix
+++ b/lass/2configs/fysiirc.nix
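Review bot: In `krebs_graph` the closing brace is handed to `itertools.chain` as the bare string `"}"`, which only works because it is a single character (chain iterates it character by character); the two sibling arguments are lists, so `["}"]` would make the intent explicit and survive a longer footer. `fixpoints()` is defined but never reached from `main`, so it is dead code in the packaged binary unless a `--mode` for it is planned. `generate` also reseeds the process-global `random` state on every call; harmless for a one-shot CLI, but a local `random.Random(seed)` instance would keep `krebs_graph`'s loop independent of that global state.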
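Review bot: `krebsdance --dance "$@"` hands whatever the IRC user typed after the command straight to argparse, so an argument beginning with `-` is parsed as an option: `--mode graphviz` dumps the full 1500-edge graph into the channel, `-h` prints usage, and two plain words make argparse exit with an error because `seed` accepts at most one positional. Terminate option parsing and fold the words into one seed: `${pkgs.krebsdance}/bin/krebsdance --dance -- "$*";`. This assumes reaktor2 passes the message words as positional arguments, which the `"$@"` suggests but the hunk does not show.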
@@ -1,5 +1,33 @@ -{ config, lib, pkgs, ... }: -{ +{ config, lib, pkgs, ... }: let + + format-github-message = pkgs.writeDashBin "format-github-message" '' + set -xefu + export PATH=${lib.makeBinPath [ + pkgs.jq + ]} + INPUT=$(jq -c .) + if $(echo "$INPUT" | jq 'has("issue") or has("pull_request")'); then + ${write_to_irc} "$(echo "$INPUT" | jq -r ' + "\(.action): " + + "[\(.issue.title // .pull_request.title)] " + + "\(.comment.html_url // .issue.html_url // .pull_request.html_url) " + + "by \(.comment.user.login // .issue.user.login // .pull_request.user.login)" + ')" + fi + ''; + + write_to_irc = pkgs.writeDash "write_to_irc" '' + ${pkgs.curl}/bin/curl -fsSv http://localhost:44001 \ + -H content-type:application/json \ + -d "$(${pkgs.jq}/bin/jq -n \ + --arg text "$1" '{ + command:"PRIVMSG", + params:["#fysi",$text] + }' + )" + ''; + +in { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 44002"; target = "ACCEPT"; } ];
@@ -26,20 +54,14 @@ name = "reaktor2-fysiweb-github"; }; script = ''. ${pkgs.writeDash "github-irc" '' + set -efu case "$Method $Request_URI" in "POST /") payload=$(head -c "$req_content_length" \ | sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \ | xargs -0 echo -e \ ) - ${pkgs.curl}/bin/curl -fsSv http://localhost:44001/ \ - -H content-type:application/json \ - -d "$(echo "$payload" | ${pkgs.jq}/bin/jq \ - '{ - command:"PRIVMSG", - params:["#fysi", "\(.action): \(.comment.html_url // .issue.html_url // .pull_request.html_url)"] - }' - )" + echo "$payload" | ${format-github-message}/bin/format-github-message printf 'HTTP/1.1 200 OK\r\n' printf 'Connection: close\r\n' printf '\r\n'
diff --git a/lass/2configs/hass/zigbee.nix b/lass/2configs/hass/zigbee.nix
index 789a7fb92..8fc02263b 100644
--- a/lass/2configs/hass/zigbee.nix
+++ b/lass/2configs/hass/zigbee.nix
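Review bot: `set -xefu` in `format-github-message` traces every command to stderr, which writes the whole decoded webhook body and the PRIVMSG JSON into the service journal on each delivery; once debugging is done this should be `set -efu`, matching the `github-irc` script in the second hunk of this file. The line `if $(echo "$INPUT" | jq 'has("issue") or has("pull_request")'); then` executes jq's output as a command, which works only because jq prints `true` or `false`; a string comparison states the intent and never runs whatever jq happens to emit: `if [ "$(echo "$INPUT" | jq 'has("issue") or has("pull_request")')" = true ]; then`.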
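Review bot: The `"POST /"` branch still forwards any body it receives to the channel: nothing verifies GitHub's `X-Hub-Signature-256` HMAC, and the listening port (44002, accepted from any source by the INPUT rule at the top of this file) is reachable by whoever can connect, so any client can post arbitrary `action`/`title`/`login` text into #fysi. If reaktor2 exposes request headers to the script the way it exposes `$Method` and `$Request_URI`, check the signature against a shared secret before calling `format-github-message`, or at least narrow the iptables rule to GitHub's published webhook source ranges. Passing the strings through `--arg text` in `write_to_irc` keeps them out of the jq program, which is good, but CR/LF inside `$text` still reaches the IRC API at localhost:44001 unless that API strips them — worth confirming. The `github-irc` script continues outside the hunk.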
@@ -15,7 +15,7 @@ in { services.zigbee2mqtt = { enable = true; package = unstable-pkgs.zigbee2mqtt; - config = { + settings = { homeassistant = true; frontend.port = 1337; experimental.new_api = true;
diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix
index 7cc4051a8..42670dfbb 100644
--- a/lass/2configs/murmur.nix
+++ b/lass/2configs/murmur.nix
@@ -2,10 +2,16 @@ { services.murmur = { enable = true; + allowHtml = false; bandwidth = 10000000; registerName = "lassul.us"; autobanTime = 30; + sslCert = "/var/lib/acme/lassul.us/cert.pem"; + sslKey = "/var/lib/acme/lassul.us/key.pem"; }; + users.groups.lasscert.members = [ + "murmur" + ]; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} { predicate = "-p udp --dport 64738"; target = "ACCEPT";}
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index 2ddfbcf8f..a305d3e18 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: {
@@ -22,6 +22,9 @@ ]; extraConfig = '' StrictSubnets = yes + ${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) '' + LocalDiscovery = no + ''} ''; };
diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix
index 9caefdd2d..a38cff8d6 100644
--- a/lass/2configs/sync/decsync.nix
+++ b/lass/2configs/sync/decsync.nix
@@ -1,5 +1,5 @@ { - services.syncthing.declarative.folders.decsync = { + services.syncthing.folders.decsync = { path = "/home/lass/decsync"; devices = [ "mors" "blue" "green" "phone" ]; };
diff --git a/lass/2configs/sync/sync.nix b/lass/2configs/sync/sync.nix
index 7c0f2e030..a0927c199 100644
--- a/lass/2configs/sync/sync.nix
+++ b/lass/2configs/sync/sync.nix
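Review bot: `sslKey = "/var/lib/acme/lassul.us/key.pem"` relies on the new `lasscert` membership giving murmur read access, but nothing in this hunk makes `lasscert` the group of that ACME directory or restarts murmur after a renewal; unless both are configured elsewhere, the key is unreadable at start-up and, later, the expired certificate keeps being served until the next manual restart. If they are not, add `security.acme.certs."lassul.us".group = "lasscert";` and `security.acme.certs."lassul.us".reloadServices = [ "murmur.service" ];` beside this block.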
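Review bot: The `StrictSubnets`/`LocalDiscovery` snippet added to `extraConfig` here is duplicated verbatim in makefu/2configs/tinc/retiolum.nix in this same commit, with the same `config.krebs.build.host.nets.retiolum.via != null` condition; since both end up in `krebs.tinc.retiolum.extraConfig`, hoisting it into the krebs tinc module as a default would keep the two from drifting. A one-line comment on the condition would also help, e.g. `# hosts with retiolum.via set do not take part in LAN discovery`.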
@@ -1,5 +1,5 @@ { - services.syncthing.declarative.folders."/home/lass/sync" = { + services.syncthing.folders."/home/lass/sync" = { devices = [ "mors" "icarus" "xerxes" "shodan" "green" "blue" "coaxmetal" ]; }; krebs.permown."/home/lass/sync" = {
diff --git a/lass/2configs/sync/the_playlist.nix b/lass/2configs/sync/the_playlist.nix
new file mode 100644
index 000000000..5bbf790a7
--- /dev/null
+++ b/lass/2configs/sync/the_playlist.nix
@@ -0,0 +1,9 @@ +{ + services.syncthing.folders.the_playlist = { + path = "/home/lass/tmp/the_playlist"; + devices = [ "mors" "phone" "prism" ]; + }; + lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true; + lass.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {}; + lass.acl."/home/lass/tmp/the_playlist"."u:lass:rwX" = {}; +}
diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix
index 7970f3081..eb6b0aa16 100644
--- a/lass/2configs/sync/weechat.nix
+++ b/lass/2configs/sync/weechat.nix
@@ -1,5 +1,5 @@ { - services.syncthing.declarative.folders."/home/lass/.weechat".devices = [ "green" "mors" ]; + services.syncthing.folders."/home/lass/.weechat".devices = [ "green" "mors" ]; krebs.permown."/home/lass/.weechat" = { owner = "lass"; group = "syncthing";
diff --git a/lass/3modules/acl.nix b/lass/3modules/acl.nix
new file mode 100644
index 000000000..81eeae920
--- /dev/null
+++ b/lass/3modules/acl.nix
@@ -0,0 +1,55 @@ +{ config, lib, pkgs, ... }: let + parents = dir: + if dir == "/" then + [ dir ] + else + [ dir ] ++ parents (builtins.dirOf dir) + ; +in { + options.lass.acl = lib.mkOption { + type = lib.types.attrsOf (lib.types.attrsOf (lib.types.submodule ({ config, ... }: { + options = { + rule = lib.mkOption { + type = lib.types.str; + default = config._module.args.name; + }; + default = lib.mkOption { + type = lib.types.bool; + default = !config.parents; + }; + recursive = lib.mkOption { + type = lib.types.bool; + default = !config.parents; + }; + parents = lib.mkOption { + type = lib.types.bool; + default = false; + description = '' + apply ACL to every parent folder + ''; + }; + }; + }))); + default = {}; + }; + config = lib.mkIf (config.lass.acl != {}) { + systemd.services = lib.mapAttrs' (path: rules: lib.nameValuePair "acl-${lib.replaceChars ["/"] ["_"] path}" { + wantedBy = [ "multi-user.target" ]; + path = [ + pkgs.acl + pkgs.coreutils + ]; + serviceConfig = { + ExecStart = pkgs.writers.writeDash "acl" (lib.concatStrings ( + lib.mapAttrsToList (_: rule: '' + setfacl -${lib.optionalString rule.recursive "R"}m ${rule.rule} ${path} + ${lib.optionalString rule.default "setfacl -${lib.optionalString rule.recursive "R"}dm ${rule.rule} ${path}"} + ${lib.optionalString rule.parents (lib.concatMapStringsSep "\n" (folder: "setfacl -m ${rule.rule} ${folder}") (parents path))} + '') rules + )); + RemainAfterExit = true; + Type = "simple"; + }; + }) config.lass.acl; + }; +}
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 570bb45be..0373bd44c 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -1,6 +1,7 @@ _: { imports = [ + ./acl.nix ./dnsmasq.nix ./folderPerms.nix ./hosts.nix
diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix
index 0d2774209..a2b24d35a 100644
--- a/makefu/2configs/tinc/retiolum.nix
+++ b/makefu/2configs/tinc/retiolum.nix
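Review bot: `${rule.rule}` and `${path}` are spliced into the `ExecStart` dash script unquoted, so a folder name containing whitespace or shell metacharacters is word-split or interpreted by the shell; wrap both with `lib.escapeShellArg`, e.g. `setfacl -${lib.optionalString rule.recursive "R"}m ${lib.escapeShellArg rule.rule} ${lib.escapeShellArg path}`, and the same on the `-dm` line and the `parents` line. `parents path` returns the path itself as its first element, so with `parents = true` the target receives the entry a second time after the `-m` line and the list walks all the way up to `/`; starting the recursion from `builtins.dirOf path` would apply it to ancestors only. `Type = "simple"` with `RemainAfterExit = true` lets units ordered after `acl-*` start before setfacl has finished, whereas `Type = "oneshot"` makes them wait for it.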
@@ -1,10 +1,18 @@ -{ pkgs, config, ... }: +{ pkgs, lib, config, ... }: { imports = [ ../binary-cache/lass.nix ]; krebs.tinc.retiolum.enable = true; + krebs.tinc.retiolum.extraConfig = '' + StrictSubnets = yes + ${lib.optionalString (config.krebs.build.host.nets.retiolum.via != null) '' + LocalDiscovery = no + ''} + ''; + #krebs.tinc.retiolum.connectTo = [ "gum" ]; environment.systemPackages = [ pkgs.tinc ]; networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ]; networking.firewall.allowedUDPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ]; + } |