diff options
49 files changed, 486 insertions, 105 deletions
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index c9715cb85..9bfc920a3 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -429,6 +429,17 @@ in { }; }; }; + ada = { + owner = config.krebs.users.filly; + nets = { + wiregrill = { + aliases = [ "ada.w" ]; + wireguard = { + pubkey = "+t0j9j7TZqvSFPzgunnON/ArXVGpMS/L3DldpanLoUk="; + }; + }; + }; + }; }; users = { ciko = { @@ -464,6 +475,8 @@ in { }; miaoski = { }; + filly = { + }; }; } diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 3396c2802..41f3852b9 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -39,6 +39,7 @@ in { io 60 IN NS ions.lassul.us. ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} ''; @@ -240,6 +241,7 @@ in { secure = true; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C"; + syncthing.id = "AU5RTWC-HXNMDRT-TN4ZHXY-JMQ6EQB-4ZPOZL7-AICZMCZ-LNS2XXQ-DGTI2Q6"; }; icarus = { cores = 2; diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix index cb940efef..a0c00c20d 100644 --- a/krebs/3modules/realwallpaper.nix +++ b/krebs/3modules/realwallpaper.nix @@ -78,7 +78,7 @@ let serviceConfig = { Type = "simple"; ExecStart = pkgs.writeDash "generate-wallpaper" '' - set -xeuf + set -euf # usage: getimg FILENAME URL fetch() { diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix index 43c80d52f..14f4971f7 100644 --- a/lass/1systems/blue/config.nix +++ b/lass/1systems/blue/config.nix @@ -9,19 +9,12 @@ with import <stockholm/lib>; <stockholm/lass/2configs/blue.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/sync/decsync.nix> + <stockholm/lass/2configs/sync/weechat.nix> ]; krebs.build.host = config.krebs.hosts.blue; - krebs.syncthing.folders = [ - { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; } - { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; } - ]; - lass.ensure-permissions = [ - { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; } - { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; } - ]; - environment.shellAliases = { deploy = pkgs.writeDash "deploy" '' set -eu diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index e28fbf2f8..6e3df12f0 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -27,6 +27,12 @@ with import <stockholm/lib>; enable = true; systemWide = true; }; + programs.chromium = { + enable = true; + extensions = [ + "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin + ]; + }; environment.systemPackages = with pkgs; [ pavucontrol #firefox @@ -40,7 +46,7 @@ with import <stockholm/lib>; wine geeqie vlc - minecraft + zsnes ]; nixpkgs.config.firefox.enableAdobeFlash = true; services.xserver.enable = true; diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index 6ae157e38..0b4b50ee4 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -8,20 +8,13 @@ with import <stockholm/lib>; <stockholm/lass/2configs/exim-retiolum.nix> <stockholm/lass/2configs/mail.nix> - #<stockholm/lass/2configs/blue.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/sync/decsync.nix> + <stockholm/lass/2configs/sync/weechat.nix> ]; krebs.build.host = config.krebs.hosts.green; - krebs.syncthing.folders = [ - { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; } - ]; - lass.ensure-permissions = [ - { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; } - ]; - - #networking.nameservers = [ "1.1.1.1" ]; #time.timeZone = "Europe/Berlin"; diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index 06b1e7366..d8c8699ae 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -20,6 +20,7 @@ <stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/nfs-dl.nix> <stockholm/lass/2configs/prism-share.nix> + <stockholm/lass/2configs/ssh-cryptsetup.nix> ]; krebs.build.host = config.krebs.hosts.icarus; diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix index be064bed2..a814cc6b9 100644 --- a/lass/1systems/iso.nix +++ b/lass/1systems/iso.nix @@ -6,7 +6,6 @@ with import <stockholm/lib>; <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix> <stockholm/krebs> <stockholm/lass/3modules> - <stockholm/lass/5pkgs> <stockholm/lass/2configs/mc.nix> <stockholm/lass/2configs/vim.nix> { @@ -40,9 +39,10 @@ with import <stockholm/lib>; networking.hostName = "lass-iso"; } { + nixpkgs.config.packageOverrides = import <stockholm/lass/5pkgs> pkgs; krebs.enable = true; krebs.build.user = config.krebs.users.lass; - krebs.build.host = config.krebs.hosts.iso; + krebs.build.host = {}; } { nixpkgs.config.allowUnfree = true; @@ -174,11 +174,13 @@ with import <stockholm/lib>; user = "lass"; }; windowManager.default = "xmonad"; - windowManager.session = [{ + windowManager.session = let + xmonad-lass = pkgs.callPackage <stockholm/lass/5pkgs/custom/xmonad-lass> { inherit config; }; + in [{ name = "xmonad"; start = '' ${pkgs.xorg.xhost}/bin/xhost +LOCAL: - ${pkgs.xmonad-lass}/bin/xmonad & + ${xmonad-lass}/bin/xmonad & waitPID=$! ''; }]; diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix index eee23ee60..d44e62053 100644 --- a/lass/1systems/littleT/config.nix +++ b/lass/1systems/littleT/config.nix @@ -8,6 +8,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/green-host.nix> ]; networking.networkmanager.enable = true; diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix index 0d82ba611..cab267d54 100644 --- a/lass/1systems/morpheus/config.nix +++ b/lass/1systems/morpheus/config.nix @@ -30,4 +30,12 @@ with import <stockholm/lib>; ]; }; }; + + + services.xserver.desktopManager.default = "none"; + services.xserver.displayManager.lightdm.autoLogin = { + enable = true; + user = "lass"; + timeout = 5; + }; } diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 52bcc9e15..7e183f40f 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -26,6 +26,8 @@ with import <stockholm/lib>; <stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/otp-ssh.nix> <stockholm/lass/2configs/c-base.nix> + <stockholm/lass/2configs/sync/decsync.nix> + <stockholm/lass/2configs/sync/weechat.nix> <stockholm/lass/2configs/br.nix> <stockholm/lass/2configs/ableton.nix> <stockholm/lass/2configs/starcraft.nix> @@ -41,8 +43,6 @@ with import <stockholm/lib>; krebs.iptables.tables.filter.INPUT.rules = [ #risk of rain { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; } - #chromecast - { predicate = "-p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000"; target = "ACCEPT"; } #quake3 { predicate = "-p tcp --dport 27950:27965"; target = "ACCEPT"; } { predicate = "-p udp --dport 27950:27965"; target = "ACCEPT"; } @@ -50,14 +50,10 @@ with import <stockholm/lib>; } { krebs.syncthing.folders = [ - { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; } - { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" ]; } - { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; } + { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" "prism" ]; } ]; lass.ensure-permissions = [ - { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; } { folder = "/home/lass/tmp/the_playlist"; owner = "lass"; group = "syncthing"; } - { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; } ]; } { @@ -94,6 +90,7 @@ with import <stockholm/lib>; pkgs.ovh-zone pkgs.bank pkgs.adb-sync + pkgs.transgui ]; } { @@ -137,6 +134,18 @@ with import <stockholm/lib>; (pkgs.writeDashBin "btc-kraken" '' ${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]' '') + (pkgs.writeDashBin "krebsco.de" '' + TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + ${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json + OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import + ${pkgs.coreutils}/bin/rm -rf "$TMPDIR" + '') + (pkgs.writeDashBin "lassul.us" '' + TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json + OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us + ${pkgs.coreutils}/bin/rm -rf "$TMPDIR" + '') ]; #TODO: fix this shit diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index b3b7ac0df..d7b0b701a 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -413,6 +413,42 @@ with import <stockholm/lib>; ]; }; } + { #macos mounting of yellow + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i wiregrill -p tcp --dport 139"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 137"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p udp --dport 138"; target = "ACCEPT"; } + ]; + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/home/share"; + createHome = true; + }; + services.samba = { + enable = true; + enableNmbd = true; + shares = { + download = { + path = "/var/download/finished"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 39c0791fc..5de87d790 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -15,6 +15,8 @@ with import <stockholm/lib>; <stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/blue-host.nix> + <stockholm/lass/2configs/green-host.nix> + <stockholm/lass/2configs/ssh-cryptsetup.nix> ]; krebs.build.host = config.krebs.hosts.shodan; diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index 0bf3e6b4d..70787e514 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -8,6 +8,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/power-action.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/green-host.nix> { services.xserver.enable = true; services.xserver.desktopManager.xfce.enable = true; diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index 8b3b2814f..cda0d0a33 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -31,6 +31,7 @@ with import <stockholm/lib>; download-dir = "/var/download/finished"; incomplete-dir = "/var/download/incoming"; incomplete-dir-enable = true; + message-level = 1; umask = "002"; rpc-whitelist-enabled = false; rpc-host-whitelist-enabled = false; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 26d6622ae..5003d2279 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -9,6 +9,7 @@ in { ./power-action.nix ./copyq.nix ./urxvt.nix + ./xdg-open.nix { hardware.pulseaudio = { enable = true; diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index aec59261c..4216bd67a 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -100,6 +100,9 @@ with import <stockholm/lib>; { from = "box@lassul.us"; to = lass.mail; } { from = "paloalto@lassul.us"; to = lass.mail; } { from = "subtitles@lassul.us"; to = lass.mail; } + { from = "lobsters@lassul.us"; to = lass.mail; } + { from = "fysitech@lassul.us"; to = lass.mail; } + { from = "threema@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix new file mode 100644 index 000000000..860d7c113 --- /dev/null +++ b/lass/2configs/green-host.nix @@ -0,0 +1,83 @@ +{ config, lib, pkgs, ... }: +with import <stockholm/lib>; + +{ + imports = [ + <stockholm/lass/2configs/container-networking.nix> + <stockholm/lass/2configs/syncthing.nix> + { #hack for already defined + systemd.services."container@green".reloadIfChanged = mkForce false; + systemd.services."container@green".preStart = '' + ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q ' on /var/lib/containers/green ' + ''; + systemd.services."container@green".postStop = '' + set -x + ${pkgs.umount}/bin/umount /var/lib/containers/green + ls -la /dev/mapper/control + ${pkgs.devicemapper}/bin/dmsetup ls + ${pkgs.cryptsetup}/bin/cryptsetup -v luksClose /var/lib/sync-containers/green.img + ''; + } + ]; + + lass.ensure-permissions = [ + { folder = "/var/lib/sync-containers"; owner = "root"; group = "syncthing"; } + ]; + + krebs.syncthing.folders = [ + { path = "/var/lib/sync-containers"; peers = [ "icarus" "skynet" "littleT" "shodan" ]; } + ]; + + system.activationScripts.containerPermissions = '' + mkdir -p /var/lib/containers + chmod 711 /var/lib/containers + ''; + + containers.green = { + config = { ... }: { + environment.systemPackages = [ + pkgs.git + pkgs.rxvt_unicode.terminfo + ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.15"; + localAddress = "10.233.2.16"; + }; + + environment.systemPackages = [ + (pkgs.writeDashBin "start-green" '' + set -fu + CONTAINER='green' + IMAGE='/var/lib/sync-containers/green.img' + + ${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null + if [ "$?" -ne 0 ]; then + ${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER" + fi + + mkdir -p /var/lib/containers/"$CONTAINER" + + ${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/"$CONTAINER" " + if [ "$?" -ne 0 ]; then + ${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER" + fi + + STATE=$(${pkgs.nixos-container}/bin/nixos-container status "$CONTAINER") + if [ "$STATE" = 'down' ]; then + ${pkgs.nixos-container}/bin/nixos-container start "$CONTAINER" + fi + ping -c1 green.r + if [ "$?" -ne 0 ]; then + ${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch + fi + + '') + ]; +} diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 0803846aa..6de111ba8 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -233,8 +233,4 @@ in { tag-new-mails tag-old-mails ]; - - nixpkgs.config.packageOverrides = opkgs: { - notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; })); - }; } diff --git a/lass/2configs/prism-share.nix b/lass/2configs/prism-share.nix index 70e616ec6..aa3eb541d 100644 --- a/lass/2configs/prism-share.nix +++ b/lass/2configs/prism-share.nix @@ -21,7 +21,7 @@ with import <stockholm/lib>; shares = { incoming = { path = "/mnt/prism"; - "read only" = "no"; + "read only" = "yes"; browseable = "yes"; "guest ok" = "yes"; }; diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix index f88b2627b..d67d970f8 100644 --- a/lass/2configs/radio.nix +++ b/lass/2configs/radio.nix @@ -59,6 +59,9 @@ in { group = "radio"; musicDirectory = "/home/radio/the_playlist/music"; extraConfig = '' + log_level "default" + auto_update "yes" + audio_output { type "shout" encoding "lame" @@ -245,4 +248,10 @@ in { alias ${html}; ''; }; + krebs.syncthing.folders = [ + { id = "the_playlist"; path = "/home/radio/music/the_playlist"; peers = [ "mors" "phone" "prism" ]; } + ]; + lass.ensure-permissions = [ + { folder = "/home/radio/music/the_playlist"; owner = "radio"; group = "syncthing"; } + ]; } diff --git a/lass/2configs/ssh-cryptsetup.nix b/lass/2configs/ssh-cryptsetup.nix new file mode 100644 index 000000000..c5e1c5928 --- /dev/null +++ b/lass/2configs/ssh-cryptsetup.nix @@ -0,0 +1,17 @@ +{ config, ... }: +{ + boot.initrd = { + network = { + enable = true; + ssh = { + enable = true; + authorizedKeys = with config.krebs.users; [ + config.krebs.users.lass-mors.pubkey + config.krebs.users.lass-blue.pubkey + config.krebs.users.lass-shodan.pubkey + config.krebs.users.lass-icarus.pubkey + ]; + }; + }; + }; +} diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix new file mode 100644 index 000000000..94569c94d --- /dev/null +++ b/lass/2configs/sync/decsync.nix @@ -0,0 +1,8 @@ +{ + krebs.syncthing.folders = [ + { id = "decsync"; path = "/home/lass/decsync"; peers = [ "mors" "blue" "green" "phone" ]; } + ]; + lass.ensure-permissions = [ + { folder = "/home/lass/decsync"; owner = "lass"; group = "syncthing"; } + ]; +} diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix new file mode 100644 index 000000000..d10177b1d --- /dev/null +++ b/lass/2configs/sync/weechat.nix @@ -0,0 +1,8 @@ +{ + krebs.syncthing.folders = [ + { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; } + ]; + lass.ensure-permissions = [ + { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; } + ]; +} diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix index d8b3c9f90..fc10b2cb4 100644 --- a/lass/2configs/syncthing.nix +++ b/lass/2configs/syncthing.nix @@ -16,7 +16,7 @@ with import <stockholm/lib>; key = toString <secrets/syncthing.key>; peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts); folders = [ - { pat |