-rw-r--r--.github/dependabot.yml6
-rw-r--r--.github/workflows/repo-sync.yml19
-rw-r--r--krebs/0tests/data/secrets/syncthing.cert0
-rw-r--r--krebs/0tests/data/secrets/syncthing.key0
-rw-r--r--krebs/1systems/news/config.nix7
-rw-r--r--krebs/1systems/puyak/config.nix6
-rw-r--r--krebs/1systems/puyak/net.nix4
-rw-r--r--krebs/2configs/container-networking.nix7
-rw-r--r--krebs/2configs/ircd.nix1
-rw-r--r--krebs/2configs/news-host.nix1
-rw-r--r--krebs/2configs/news.nix29
-rw-r--r--krebs/2configs/shack/prometheus/alert-rules.nix9
-rw-r--r--krebs/2configs/syncthing.nix4
-rw-r--r--krebs/3modules/external/default.nix1
-rw-r--r--krebs/3modules/external/mic92.nix215
-rw-r--r--krebs/3modules/external/ssh/rtjure.pub1
-rw-r--r--krebs/3modules/go.nix48
-rw-r--r--krebs/3modules/krebs/default.nix2
-rw-r--r--krebs/3modules/lass/default.nix58
-rw-r--r--krebs/3modules/makefu/default.nix1
-rw-r--r--krebs/3modules/realwallpaper.nix9
-rw-r--r--krebs/3modules/sync-containers.nix2
-rw-r--r--krebs/5pkgs/haskell/recht.nix25
-rw-r--r--krebs/5pkgs/simple/nomads-cloud/default.nix3
-rw-r--r--krebs/5pkgs/simple/realwallpaper/default.nix82
-rw-r--r--krebs/5pkgs/simple/realwallpaper/get_constellations.py36
-rw-r--r--krebs/nixpkgs-unstable.json8
-rw-r--r--krebs/nixpkgs.json8
-rw-r--r--lass/1systems/echelon/config.nix14
-rw-r--r--lass/1systems/echelon/physical.nix33
-rw-r--r--lass/1systems/prism/config.nix1
-rw-r--r--lass/2configs/fetchWallpaper.nix3
-rw-r--r--lass/2configs/hass/default.nix6
-rw-r--r--lass/2configs/realwallpaper.nix6
-rw-r--r--lass/2configs/searx.nix23
-rw-r--r--lass/2configs/syncthing.nix6
-rw-r--r--lass/2configs/tests/dummy-secrets/initrd/ssh.ed25519_key0
-rw-r--r--lass/2configs/tests/dummy-secrets/searx.key1
-rw-r--r--lass/2configs/tor-initrd.nix49
-rw-r--r--lass/5pkgs/searx/default.nix69
-rw-r--r--makefu/1systems/gum/config.nix5
-rw-r--r--makefu/1systems/omo/config.nix2
-rw-r--r--makefu/2configs/backup/ssh/gum.pub2
-rw-r--r--makefu/2configs/bgt/backup.nix3
-rw-r--r--makefu/2configs/bgt/social-to-irc.nix7
-rw-r--r--makefu/2configs/bgt/template.md16
-rw-r--r--makefu/2configs/bitwarden.nix46
-rw-r--r--makefu/2configs/bureautomation/automation/philosophische-tuer.nix4
-rw-r--r--makefu/2configs/bureautomation/default.nix2
-rw-r--r--makefu/2configs/bureautomation/kalauerbot.nix10
-rw-r--r--makefu/2configs/deployment/docker/archiveteam-warrior.nix2
-rw-r--r--makefu/2configs/deployment/owncloud.nix14
-rw-r--r--makefu/2configs/deployment/rss.euer.krebsco.de.nix8
-rw-r--r--makefu/2configs/home/airsonic.nix2
-rw-r--r--makefu/2configs/home/ham/default.nix9
-rw-r--r--makefu/2configs/home/ham/device_tracker/openwrt.nix2
-rw-r--r--makefu/2configs/home/ham/nginx.nix2
-rw-r--r--makefu/2configs/home/ham/zigbee2mqtt.nix (renamed from makefu/2configs/home/zigbee2mqtt/hass.nix)2
-rw-r--r--makefu/2configs/home/metube.nix2
-rw-r--r--makefu/2configs/home/photoprism.nix2
-rw-r--r--makefu/2configs/home/zigbee2mqtt/default.nix2
-rw-r--r--makefu/2configs/printer.nix2
-rw-r--r--makefu/2configs/share/omo.nix2
-rw-r--r--makefu/2configs/shiori.nix2
-rw-r--r--makefu/2configs/storj/client.nix2
-rw-r--r--makefu/2configs/systemdultras/ircbot.nix5
-rw-r--r--makefu/2configs/tools/dev.nix3
-rw-r--r--makefu/2configs/workadventure/workadventure.nix10
-rw-r--r--makefu/5pkgs/kalauerbot/default.nix4
69 files changed, 787 insertions, 190 deletions
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000..5ace4600a
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml
new file mode 100644
index 000000000..4284463f9
--- /dev/null
+++ b/.github/workflows/repo-sync.yml
@@ -0,0 +1,19 @@
+on:
+ schedule:
+ - cron: "*/15 * * * *"
+ workflow_dispatch:
+
+jobs:
+ repo-sync:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
+ - name: repo-sync
+ uses: repo-sync/github-sync@v2
+ with:
+ source_repo: "https://git.thalheim.io/Mic92/stockholm.git"
+ source_branch: "master"
+ destination_branch: "master"
+ github_token: ${{ secrets.PAT }}
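Review bot: Both `uses:` lines reference mutable tags (`actions/checkout@v2`, `repo-sync/github-sync@v2`), and the second one is handed `secrets.PAT`, a token that presumably has write access since it pushes to `destination_branch`. Pin the third-party action to a full commit SHA, e.g. `uses: repo-sync/github-sync@<full-commit-sha> # v2`; the Dependabot config added in this commit can keep SHA pins current. The workflow also declares no `permissions:` block, so the job's default `GITHUB_TOKEN` scope is whatever the repository default is; adding `permissions:` with `contents: read` at the top makes that explicit. A comment noting the minimum scope the PAT needs would help whoever rotates it.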
diff --git a/krebs/0tests/data/secrets/syncthing.cert b/krebs/0tests/data/secrets/syncthing.cert
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/syncthing.cert
diff --git a/krebs/0tests/data/secrets/syncthing.key b/krebs/0tests/data/secrets/syncthing.key
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/syncthing.key
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
index 5c4b37aef..79946dad7 100644
--- a/krebs/1systems/news/config.nix
+++ b/krebs/1systems/news/config.nix
@@ -18,13 +18,6 @@
boot.isContainer = true;
networking.useDHCP = false;
krebs.bindfs = {
- "/var/lib/htgen-go" = {
- source = "/var/state/htgen-go";
- options = [
- "-m ${toString config.users.users.htgen-go.uid}"
- ];
- clearTarget = true;
- };
"/var/lib/brockman" = {
source = "/var/state/brockman";
options = [
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 1e0687ba7..2f122f6ff 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -19,6 +19,12 @@
<stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/binary-cache/prism.nix>
+ ## news host
+
+ <stockholm/krebs/2configs/container-networking.nix>
+ <stockholm/krebs/2configs/syncthing.nix>
+ <stockholm/krebs/2configs/news-host.nix>
+
### shackspace ###
# handle the worlddomination map via coap
<stockholm/krebs/2configs/shack/worlddomination.nix>
diff --git a/krebs/1systems/puyak/net.nix b/krebs/1systems/puyak/net.nix
index 8dab11e16..a46a24952 100644
--- a/krebs/1systems/puyak/net.nix
+++ b/krebs/1systems/puyak/net.nix
@@ -8,8 +8,8 @@ in {
SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="${ext-if}"
'';
networking = {
- firewall.enable = false;
- firewall.allowedTCPPorts = [ 8088 8086 8083 5901 ];
+ firewall.enable = true;
+ firewall.allowedTCPPorts = [ 80 443 8088 8086 8083 5901 ];
interfaces."${ext-if}".ipv4.addresses = [
{
address = shack-ip;
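Review bot: With `firewall.enable = true` the `allowedTCPPorts` list becomes the host's real exposure for the first time, yet no comment says which service owns 8088, 8086, 8083 or 5901, and the list applies to every interface. A short comment per port would let a later reviewer drop stale entries. 5901 is conventionally a VNC display, so if it is still needed it may be better scoped to one interface via `networking.firewall.interfaces.<name>.allowedTCPPorts`. No `allowedUDPPorts` appears in the hunk, so any UDP service on this host has to open its port elsewhere, which is worth confirming before deploy. The `networking` attrset continues past the end of the hunk.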
diff --git a/krebs/2configs/container-networking.nix b/krebs/2configs/container-networking.nix
new file mode 100644
index 000000000..fa4488800
--- /dev/null
+++ b/krebs/2configs/container-networking.nix
@@ -0,0 +1,7 @@
+{ lib, ... }:
+{
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = ["ve-+"];
+ networking.nat.externalInterface = lib.mkDefault "et0";
+ networking.networkmanager.unmanaged = [ "interface-name:ve-*" ];
+}
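Review bot: `networking.nat.externalInterface` defaults to the literal `"et0"`, which an importing host must override for masquerading to attach to its real uplink. puyak imports this module in the same commit, and its net.nix names the interface `${ext-if}`, whose value is not visible here. Either state the contract at the top of the file, e.g. `# hosts must set networking.nat.externalInterface; "et0" is only a placeholder default`, or set it explicitly in puyak's config. A comment that `"ve-+"` is the iptables wildcard and `"ve-*"` the NetworkManager glob for the same container veth interfaces would also help, because the two spellings read like a typo.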
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index 0de07a027..3ef2e7d2b 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -87,6 +87,7 @@
};
channel {
+ autochanmodes = "+t";
use_invex = yes;
use_except = yes;
use_forward = yes;
diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix
index 82360a670..b7728986f 100644
--- a/krebs/2configs/news-host.nix
+++ b/krebs/2configs/news-host.nix
@@ -4,6 +4,7 @@
"shodan"
"mors"
"styx"
+ "puyak"
];
hostIp = "10.233.2.101";
localIp = "10.233.2.102";
diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix
index 410beb041..2da3e6fcc 100644
--- a/krebs/2configs/news.nix
+++ b/krebs/2configs/news.nix
@@ -15,6 +15,16 @@
serverAliases = [
"news.r"
];
+ locations."/api".extraConfig = ''
+ proxy_pass http://127.0.0.1:7777/;
+ proxy_pass_header Server;
+ '';
+ locations."= /graph.html".extraConfig = ''
+ alias ${pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/kmein/brockman/05d33c8caaaf6255752f9600981974bb58390851/tools/graph.html";
+ sha256 = "0iw2vdzj6kzkix1c447ybmc953lns6z4ap6sr9pcib8bany4g43w";
+ }};
+ '';
locations."/".extraConfig = ''
root /var/lib/brockman;
index brockman.json;
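Review bot: `locations."/api"` publishes the reaktor2 API that a later hunk in this file binds to `127.0.0.1:7777`, and nothing in the block restricts who may call it, so the loopback binding no longer limits access once nginx forwards to it. If the endpoint is meant for a limited audience, add `allow`/`deny` lines or authentication to this `extraConfig`, with a comment naming the intended callers. The prefix also lacks a trailing slash while `proxy_pass` ends in `/`, so `/api/x` is forwarded as `//x` and `/apifoo` matches as well; `locations."/api/"` avoids both. `proxy_pass_header Server;` passes the backend's `Server` header on to clients, which deserves a comment if it is deliberate.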
@@ -27,6 +37,7 @@
};
systemd.tmpfiles.rules = [
"d /var/lib/brockman 1750 brockman nginx -"
+ "d /run/irc-api 1750 brockman nginx -"
];
systemd.services.brockman-graph = {
@@ -67,12 +78,28 @@
shortener = "http://go.r";
controller = {
nick = "brockman";
- channels = [ "#all" ];
+ extraChannels = [ "#all" ];
};
bots = {};
};
};
+ krebs.reaktor2.api = {
+ hostname = "localhost";
+ port = "6667";
+ nick = "api";
+ API.listen = "inet://127.0.0.1:7777";
+ plugins = [
+ {
+ plugin = "register";
+ config = {
+ channels = [
+ "#all"
+ ];
+ };
+ }
+ ];
+ };
krebs.reaktor2.news = let
name = "candyman";
in {
diff --git a/krebs/2configs/shack/prometheus/alert-rules.nix b/krebs/2configs/shack/prometheus/alert-rules.nix
index 12c691466..65e5d9005 100644
--- a/krebs/2configs/shack/prometheus/alert-rules.nix
+++ b/krebs/2configs/shack/prometheus/alert-rules.nix
@@ -14,7 +14,14 @@ in {
labels.severity = "warning";
annotations.summary = "{{ $labels.alias }} root disk full";
annotations.url = "http://grafana.shack/d/hb7fSE0Zz/shack-system-dashboard?orgId=1&var-job=node&var-hostname=All&var-node=wolf.shack:9100&var-device=All&var-maxmount=%2F&var-show_hostname=wolf";
- annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%). CI for deploying new configuration will seize working. Log in to the system and run `nix-collect-garbage -d` and clean up the shack share folder in `/home/share` .If this does not help you can check `du -hs /var/ | sort -h`, run `docker system prune` or if you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete'';
+ annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%). CI for deploying new configuration will seize working. Log in to the system and try to clean up the obsolete files on the machine. There are a couple of things you can do:
+1. `nix-collect-garbage -d`
+2. clean up the shack share folder in `/home/share`
+3. check `du -hs /var/ | sort -h`.
+4. run `docker system prune`
+5. `find /var/lib/containers/news/var/lib/htgen-go/items -mtime +7 -delete;` to clean up the link shortener data
+5. If you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete
+6. as a last resort the root disk can be expanded via `lvresize -L +10G /dev/pool/root && btrfs filesystem resize max /` '';
}
{
alert = "RootPartitionFull";
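Review bot: The new runbook text numbers two steps `5.` and keeps the earlier "seize working" (for "cease working"), so an on-call reader cannot refer to the steps unambiguously. The `find … -mtime +7 -delete` step has no `-type f` and offers no preview; the text could tell the reader to run it with `-type f -mtime +7 -print` first and only then with `-delete`. `du -hs /var/ | sort -h` prints a single summary line, so `du -hs /var/* | sort -h` is probably what was meant. Since `lvresize` followed by `btrfs filesystem resize max /` changes storage layout, a note on who may run it would fit the "last resort" wording.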
diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix
index 31e33ad5e..125e2aea4 100644
--- a/krebs/2configs/syncthing.nix
+++ b/krebs/2configs/syncthing.nix
@@ -10,6 +10,10 @@ in {
configDir = "/var/lib/syncthing";
declarative = {
devices = mk_peers used_peers;
+ key = toString <secrets/syncthing.key>;
+ cert = toString <secrets/syncthing.cert>;
};
};
+
+ boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
}
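Review bot: The `toString <secrets/…>` form on the two added lines is what keeps the private key from being copied into the world-readable Nix store, but nothing says so, and a later cleanup could drop the `toString` without noticing. Add a comment such as `# toString: pass the path as a string so the key is not copied into /nix/store`. The file at that path must also be readable by the syncthing service user and nobody else; the hunk does not show how it is deployed, so that is worth confirming. The host-wide `fs.inotify.max_user_watches` bump would benefit from a one-line reason.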
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index c8e360a1e..809d5a7db 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -671,6 +671,7 @@ in {
pubkey = ssh-for "raute";
};
rtjure = {
+ pubkey = ssh-for "rtjure";
};
sokratess = {
};
diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix
index 306ab34eb..15136cbce 100644
--- a/krebs/3modules/external/mic92.nix
+++ b/krebs/3modules/external/mic92.nix
@@ -152,30 +152,6 @@ in {
};
};
};
- dpdkm = {
- owner = config.krebs.users.mic92;
- nets = rec {
- retiolum = {
- ip4.addr = "10.243.29.173";
- aliases = [ "dpdkm.r" ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAuW31xGBdPMSS45KmsCX81yuTcDZv1z7wSpsGQiAw7RsApG0fbBDj
- NvzWZaZpTTUueG7gtt7U9Gk8DhWYR1hNt8bLXxE5QlY+gxVjU8+caRvlv10Y9XYp
- qZEr1n1O5R7jS1srvutPt74uiA8I3hBoeP5TXndu8tVcehjRWXPqJj4VCy9pT2gP
- X880Z30cXm0jUIu9XKhzQU2UNaxbqRzhJTvFUG04M+0a9olsUoN7PnDV6MC5Dxzn
- f0ZZZDgHkcx6vsSkN/C8Tik/UCXr3tS/VX6/3+PREz6Z3bPd2QfaWdowrlFQPeYa
- bELPvuqYiq7zR/jw3vVsWX2e91goAfKH5LYKNmzJCj5yYq+knB7Wil3HgBn86zvL
- Joj56VsuB8fQrrUxjrDetNgtdwci+yFeXkJouQRLM0r0W24liyCuBX4B6nqbj71T
- B6rAMzhBbl1yixgf31EgiCYFSusk+jiT+hye5lAhes4gBW9GAWxGNU9zE4QeAc1w
- tkPH/CxRIAeuPYNwmjvYI2eQH9UQkgSBa3/Kz7/KT9scbykbs8nhDHCXwT6oAp+n
- dR5aHkuBrTQOCU3Xx5ZwU5A0T83oLExIeH8jR1h2mW1JoJDdO85dAOrIBHWnjLls
- mqrJusBh2gbgvNqIrDaQ9J+o1vefw1QeSvcF71JjF1CEBUmTbUAp8KMCAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- };
herbert = {
owner = config.krebs.users.mic92;
nets = rec {
@@ -199,35 +175,6 @@ in {
};
};
};
- inspector = {
- owner = config.krebs.users.mic92;
- nets = rec {
- internet = {
- ip4.addr = "141.76.44.154";
- aliases = [ "inspector.i" ];
- };
- retiolum = {
- via = internet;
- ip4.addr = "10.243.29.172";
- aliases = [ "inspector.r" ];
- tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
- EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
- 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
- m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
- WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
- eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
- OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
- ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
- B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
- q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
- 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
- };
- };
- };
eddie = {
owner = config.krebs.users.mic92;
nets = rec {
@@ -303,6 +250,82 @@ in {
};
};
};
+ okelmann = {
+ owner = config.krebs.users.mic92;
+ nets.retiolum = {
+ ip4.addr = "10.243.29.190";
+ aliases = [
+ "okelmann.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAxquUuiW9a304H9Ls81+2BMm4bviDUU2Zogu0F1mPp6X8TpdjYpDs
+ +tlakSTEPHo+aIdcV9rHpjOC3tirNbYU56D8DdoSo1Ra6XNFbxWrw7usSR9gz7L+
+ kYp1Uij4gKTfg6YQkU0lkufk13if6zvb/GjoBUTS/Tx+8sZm2/JKEK8JLQaCkmMu
+ LAUTsHj35Q8S99TzCLAoQLo136AtvPqcwwHVwkdX+S4WqtlODxfJ7T+9KFxGg54B
+ 1M6btg8iL5sdTFrLIBi7oK6GuLK9izvZ4O9O9H2bStW6LodqPtw2v5WA8li+YJx7
+ LBgLO4aAAA6bF9WFcYyKBh6iCX0WxB7LowIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ anindya = {
+ owner = config.krebs.users.mic92;
+ nets.retiolum = {
+ ip4.addr = "10.243.29.191";
+ aliases = [
+ "anindya.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA8yWr01WlmM4RYuJdxvzvfdN3C5T3DOknWvK7U3y92HYgtQfYtZwu
+ +J8r1fpTsdIS8wKdSEqz7Mjhb1JabJBB1fv/2mkAF4V/gkMbP0jqZ6QQL29kgkNP
+ aI/+zG1yh4kEDgSn843J6XnTsJ/4Na2zmbVP1iIIQYMXyh+meWsBVR6DKV5ighjz
+ 4h3wKbuMmDrS50aTk8ahgWoiqcE2DTUMeprw4SIL+RTepmsCINQtAJui5Ys6AAbK
+ ab6gxMzRH2txLBcTfSrbqTX3qHZHLlB9Ai5FEItWqMBxquD6OCxn8DNU+5LgGpt1
+ Z37SI1U0c4uu1oo7kOSx6wYP2ZVOatys6QIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ dimitra = {
+ owner = config.krebs.users.mic92;
+ nets.retiolum = {
+ ip4.addr = "10.243.29.192";
+ aliases = [
+ "dimitra.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAtgvjWP2KIawJDk32P8Uiwz95REACx43CXUIgcBx5qg9ZQrHnJZxH
+ RkXLnWUmjpnEmPUfvg/b8YCyoHgzD6GQEXcWaiMXBQ/nsrSEN4mpY7tzInerzGsv
+ /M66WzPUWSUC9kbncLXt+2A64B23h1ki+MyMyKGIpHq21+F1b6ZHW2rkMnk3BKa4
+ aJKNfadjP4V1lnPd40VBpcA3dlQfGF057GJz+2fzlfh1Bp41r/uP2NHieSAlyBws
+ IaVZPWbfxFyYU8JbrlYUAlLjdXFG1meo5On0K0N8tTBKfnD1nwSqTPAfM7WqOm4A
+ ImYB8LzjmIdXM+QUqbVFTgiY4jBDg61krwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ philipsaendig = {
+ owner = config.krebs.users.mic92;
+ nets.retiolum = {
+ ip4.addr = "10.243.29.193";
+ aliases = [
+ "philipsaendig.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAyWdCrXD0M9CIt0ZgVB6W5ozOvLDoxPmGzLBJUnAZV8f9oqfaIEIX
+ 5TIaxozN3QMEgS0ChaOHTNFiQZjiiwJL/wPx1eFvKfDkkn7ayrRS/pP+bKhcDpKl
+ 4tPejipee9T2ZhYg9tbk291CDBe1fHR5S2F8kPm8OuqwE2Fv9N8wldcsDLxHcTZl
+ +wp4Oe/Wn5WLvZb3SUao17vKnNBLfMMCGC01yRfhZub41NkGYVWBjErsIVxQ+/rF
+ Y7DdCekus+BQCKz+beEmtzG7d0Xwqwkif51HQ05CvwFNEtdUGodd8OrIO+gpIV6S
+ oN+Q5zxsenLo6QRfsLD+nn7A7qbzd57kUwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
martha = {
owner =