diff options
Diffstat (limited to 'krebs/2configs')
73 files changed, 1560 insertions, 1522 deletions
diff --git a/krebs/2configs/acme.nix b/krebs/2configs/acme.nix index 056aa7ae4..0b9cb91af 100644 --- a/krebs/2configs/acme.nix +++ b/krebs/2configs/acme.nix @@ -24,7 +24,7 @@ in { path = "/var/lib/step-ca/intermediate_ca.key"; owner.name = "root"; mode = "1444"; - source-path = builtins.toString <secrets> + "/acme_ca.key"; + source-path = "${config.krebs.secret.directory}/acme_ca.key"; }; services.step-ca = { enable = true; diff --git a/krebs/2configs/agenda.html b/krebs/2configs/agenda.html new file mode 100644 index 000000000..9ccfc241c --- /dev/null +++ b/krebs/2configs/agenda.html @@ -0,0 +1,91 @@ +<!DOCTYPE html> +<html> + <head> + <title>Agenda</title> + <meta charset="utf-8" /> + <meta name="viewport" content="width=device-width, initial-scale=1" /> + <style> + html { + font-family: monospace; + } + + dt { + float: left; + clear: left; + width: 30px; + text-align: right; + font-weight: bold; + } + + dd { + margin: 0 0 0 40px; + padding: 0 0 0.5em 0; + } + + .date { + color: grey; + font-style: italic; + } + </style> + </head> + <body> + <dl id="agenda"></dl> + <script> + const urlSearchParams = new URLSearchParams(window.location.search); + const params = Object.fromEntries(urlSearchParams.entries()); + + if (params.hasOwnProperty("style")) { + const cssUrls = params["style"].split(" ").filter((x) => x.length > 0); + for (const cssUrl of cssUrls) + fetch(cssUrl) + .then((response) => + response.text().then((css) => { + const title = document.getElementsByTagName("head")[0]; + const style = document.createElement("style"); + style.appendChild(document.createTextNode(css)); + title.appendChild(style); + }) + ) + .catch(console.log); + } + + fetch("/agenda.json") + .then((response) => { + response.json().then((agenda) => { + const dl = document.getElementById("agenda"); + for (const agendaItem of agenda) { + if (agendaItem.status !== "pending") continue; + // task warrior date format to ISO + const entryDate = agendaItem.entry.replace( + /(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z/, + "$1-$2-$3T$4:$5:$6Z" + ); + + const dt = document.createElement("dt"); + dt.className = "id"; + dt.appendChild(document.createTextNode(agendaItem.id.toString())); + dl.appendChild(dt); + + const spanDate = document.createElement("span"); + spanDate.className = "date"; + spanDate.title = new Date(entryDate).toString(); + spanDate.appendChild(document.createTextNode(entryDate)); + + const link = document.createElement("a"); + link.href = "http://wiki.r/agenda/" + encodeURIComponent(agendaItem.description.replaceAll("/", "\u29F8")); // we use big solidus instead of slash because gollum will create directories + link.appendChild(document.createTextNode(agendaItem.description)); + + const dd = document.createElement("dd"); + dd.className = "description"; + dd.appendChild(link); + dd.appendChild(document.createTextNode(" ")); + dd.appendChild(spanDate); + + dl.appendChild(dd); + } + }); + }) + .then((data) => console.log(data)); + </script> + </body> +</html> diff --git a/krebs/2configs/backup.nix b/krebs/2configs/backup.nix index 7ee438784..83dbf66fb 100644 --- a/krebs/2configs/backup.nix +++ b/krebs/2configs/backup.nix @@ -1,5 +1,5 @@ { config, lib, ... }: -with import <stockholm/lib>; +with lib; { krebs.backup.plans = { } // mapAttrs (_: recursiveUpdate { diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix index 9fc6a79e5..32452e010 100644 --- a/krebs/2configs/buildbot-stockholm.nix +++ b/krebs/2configs/buildbot-stockholm.nix @@ -1,5 +1,5 @@ -{ config, ... }: with import <stockholm/lib>; - +{ config, lib, ... }: +with import ../../lib/pure.nix { inherit lib; }; { networking.firewall.allowedTCPPorts = [ 80 ]; services.nginx = { @@ -21,21 +21,21 @@ disko.urls = [ "http://cgit.gum.r/disko" "http://cgit.ni.r/disko" - "http://cgit.prism.r/disko" + "http://cgit.orange.r/disko" ]; krops.urls = [ "http://cgit.ni.r/krops" - "http://cgit.prism.r/krops" + "http://cgit.orange.r/krops" "https://github.com/krebs/krops.git" ]; nix_writers.urls = [ "http://cgit.ni.r/nix-writers" - "http://cgit.prism.r/nix-writers" + "http://cgit.orange.r/nix-writers" ]; stockholm.urls = [ "http://cgit.gum.r/stockholm" "http://cgit.ni.r/stockholm" - "http://cgit.prism.r/stockholm" + "http://cgit.orange.r/stockholm" ]; }; }; diff --git a/krebs/2configs/buildbot/master.nix b/krebs/2configs/buildbot/master.nix new file mode 100644 index 000000000..9598f6fa0 --- /dev/null +++ b/krebs/2configs/buildbot/master.nix @@ -0,0 +1,33 @@ +{buildbot-nix,...}: +let + #domain = "buildbot.krebsco.de"; + domain = "build.hotdog.r"; +in { + imports = [ + buildbot-nix.nixosModules.buildbot-master + ]; + + #services.nginx.virtualHosts."${domain}" = { + # enableACME = true; + # forceSSL = true; + #}; + + + services.buildbot-nix.master = { + enable = true; + admins = [ "makefu" ]; + buildSystems = [ "x86_64-linux" "aarch64-linux" ]; + inherit domain; + evalMaxMemorySize = "4096"; + evalWorkerCount = 16; + workersFile = "/var/src/secrets/buildbot/nix-workers"; + github = { + tokenFile = "/var/src/secrets/buildbot/github-token"; + webhookSecretFile = "/var/src/secrets/buildbot/github-webhook-secret"; + oauthSecretFile = "/var/src/secrets/buildbot/github-oauth-secret"; + oauthId = "Ov23lizFP7t7qoE9FuDA"; + user = "krebs-bob"; + topic = "buildbot"; + }; + }; +} diff --git a/krebs/2configs/buildbot/worker.nix b/krebs/2configs/buildbot/worker.nix new file mode 100644 index 000000000..5526a83d3 --- /dev/null +++ b/krebs/2configs/buildbot/worker.nix @@ -0,0 +1,13 @@ +{ config, buildbot-nix, ... }: +{ + imports = [ + buildbot-nix.nixosModules.buildbot-worker + ]; + + services.buildbot-nix.worker = { + enable = true; + name = config.krebs.build.host.name; + workerPasswordFile = "/var/src/secrets/nix-worker-file"; + masterUrl = "tcp:host=gum:port=9989"; + }; +} diff --git a/krebs/2configs/cache.nsupdate.info.nix b/krebs/2configs/cache.nsupdate.info.nix index 74f345614..1ac63eaf5 100644 --- a/krebs/2configs/cache.nsupdate.info.nix +++ b/krebs/2configs/cache.nsupdate.info.nix @@ -9,7 +9,7 @@ in { enable = true; server = "ipv4.nsupdate.info"; username = domain; - password = import ((toString <secrets>) + "/nsupdate-cache.nix"); + password = import "${config.krebs.secret.directory}/nsupdate-cache.nix"; domains = [ domain ]; use= "if, if=et0"; # use = "web, web=http://ipv4.nsupdate.info/myip"; diff --git a/krebs/2configs/cal.nix b/krebs/2configs/cal.nix new file mode 100644 index 000000000..1a0cdf019 --- /dev/null +++ b/krebs/2configs/cal.nix @@ -0,0 +1,117 @@ +{ config, lib, pkgs, ... }: let + slib = import ../../lib/pure.nix { inherit lib; }; + + setupGit = '' + export PATH=${lib.makeBinPath [ + pkgs.coreutils + pkgs.git + ]} + export GIT_SSH_COMMAND='${pkgs.openssh}/bin/ssh -i /var/lib/radicale/.ssh/id_ed25519' + repo='git@localhost:cal' + cd /var/lib/radicale/collections + if ! test -d .git; then + git init + git config user.name "radicale" + git config user.email "radicale@${config.networking.hostName}" + elif ! url=$(git config remote.origin.url); then + git remote add origin "$repo" + elif test "$url" != "$repo"; then + git remote set-url origin "$repo" + fi + cp ${pkgs.writeText "gitignore" '' + .Radicale.cache + ''} .gitignore + git add .gitignore + ''; + + pushCal = pkgs.writers.writeDash "push_cal" '' + ${setupGit} + git fetch origin + git merge --ff-only origin/master || : + ''; + + pushCgit = pkgs.writers.writeDash "push_cgit" '' + ${setupGit} + git push origin master + ''; + +in { + services.radicale = { + enable = true; + rights = { + krebs = { + user = ".*"; + collection = ".*"; + permissions = "rRwW"; + }; + }; + settings = { + auth.type = "none"; + server.hosts = [ + "0.0.0.0:5232" + "[::]:5232" + ]; + storage.filesystem_folder = "/var/lib/radicale/collections"; + storage.hook = "${pkgs.writers.writeDash "radicale-hook" '' + set -efu + ${setupGit} + ${pkgs.git}/bin/git add -A + (${pkgs.git}/bin/git diff --cached --quiet || ${pkgs.git}/bin/git commit -m "Changes by \"$1\"") + ${pushCgit} + ''} %(user)s"; + }; + }; + + services.nginx = { + enable = true; + + virtualHosts = { + "calendar.r".locations."/".proxyPass = "http://localhost:5232/"; + }; + }; + krebs.git = { + enable = true; + cgit.settings = { + root-title = "krebs repos"; + }; + rules = with slib.git; [ + { + user = [ + { + name = "cal"; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGe1jtHaNFZKmWemWQVEGVYj+s4QGJaL9WYH+wokOZie"; + } + ] ++ (lib.attrValues config.krebs.users); + repo = [ config.krebs.git.repos.cal ]; + perm = push ''refs/heads/master'' [ create merge ]; + } + ]; + repos.cal = { + public = true; + name = "cal"; + hooks = { + post-receive = '' + ${pkgs.git-hooks.irc-announce { + channel = "#xxx"; + refs = [ + "refs/heads/master" + ]; + nick = config.networking.hostName; + server = "irc.r"; + verbose = true; + }} + /run/wrappers/bin/sudo -S -u radicale ${pushCal} + ''; + }; + }; + }; + krebs.secret.files.calendar = { + path = "/var/lib/radicale/.ssh/id_ed25519"; + owner = { name = "radicale"; }; + source-path = "${config.krebs.secret.directory}/radicale.id_ed25519"; + }; + + security.sudo.extraConfig = '' + git ALL=(radicale) NOPASSWD: ${pushCal} + ''; +} diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index 38d770316..e7bf3078f 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, ... }: -with import <stockholm/lib>; +with import ../../lib/pure.nix { inherit lib; }; { imports = [ ./backup.nix @@ -8,7 +8,17 @@ with import <stockholm/lib>; ]; krebs.announce-activation.enable = true; krebs.enable = true; - krebs.tinc.retiolum.enable = mkDefault true; + + # retiolum + krebs.tinc.retiolum = { + enable = mkDefault true; + extraConfig = '' + AutoConnect = yes + LocalDiscovery = yes + ''; + }; + networking.firewall.allowedTCPPorts = [ 655 ]; + networking.firewall.allowedUDPPorts = [ 655 ]; # trust krebs ACME CA krebs.ssl.trustIntermediate = true; @@ -18,18 +28,14 @@ with import <stockholm/lib>; networking.hostName = config.krebs.build.host.name; nix.maxJobs = 1; - nix.useSandbox = true; + nix.settings.sandbox = true; environment.systemPackages = with pkgs; [ git vim - rxvt_unicode.terminfo ]; console.keyMap = "us"; - i18n = { - defaultLocale = lib.mkForce "C"; - }; programs.ssh.startAgent = false; @@ -51,13 +57,16 @@ with import <stockholm/lib>; users.mutableUsers = false; users.extraUsers.root.openssh.authorizedKeys.keys = [ - config.krebs.users.jeschli-brauerei.pubkey config.krebs.users.lass.pubkey - config.krebs.users.lass-mors.pubkey config.krebs.users.makefu.pubkey config.krebs.users.tv.pubkey + config.krebs.users.kmein.pubkey + config.krebs.users.mic92.pubkey ]; # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "17.03"; + + # maybe fix Error: unsupported locales detected: + i18n.defaultLocale = mkDefault "C.UTF-8"; } diff --git a/krebs/2configs/exim-smarthost.nix b/krebs/2configs/exim-smarthost.nix index 82f8ec942..ceb11ca64 100644 --- a/krebs/2configs/exim-smarthost.nix +++ b/krebs/2configs/exim-smarthost.nix @@ -1,5 +1,6 @@ -with import <stockholm/lib>; -{ config, ... }: let +{ config, lib, ... }: +with import ../../lib/pure.nix { inherit lib; }; +let format = from: to: { inherit from; @@ -15,7 +16,16 @@ in { makefu tv ]; - eloop-ml = spam-ml; + eloop-ml = spam-ml ++ [ + { mail = "unreal@rtinf.net"; } + ]; + krebstel-ml = [ + config.krebs.users."0x4A6F" + { mail = "krebstel-1rxz0mqa95nkmk298s1731ly0ii7vc36kkm36pnjj89hrq52pgn1@ni.r"; } + { mail = "krebstel-1difh7483axpiaq92ghi14r5cql822wbhixqb0nn3y3jkcj0b785@ni.r"; } + { mail = "lass@green.r"; } + tv + ]; spam-ml = [ lass makefu @@ -24,14 +34,17 @@ in { in { "brain@krebsco.de" = brain-ml; "eloop2022@krebsco.de" = eloop-ml; + "2024@eloop.org" = eloop-ml; "root@eloop.org" = eloop-ml; # obsolete, use spam@eloop.org instead "spam@eloop.org" = eloop-ml; "youtube@eloop.org" = eloop-ml; # obsolete, use spam@eloop.org instead "postmaster@krebsco.de" = spam-ml; # RFC 822 + "krebstel@krebsco.de" = krebstel-ml; "lass@krebsco.de" = lass; "makefu@krebsco.de" = makefu; "spam@krebsco.de" = spam-ml; "tv@krebsco.de" = tv; + "xkey@krebsco.de" = { mail = "lennart@cope.cool"; }; # XXX These are no internet aliases # XXX exim-retiolum hosts should be able to relay to retiolum addresses "lass@retiolum" = lass; diff --git a/krebs/2configs/go.nix b/krebs/2configs/go.nix index ce5db62d4..ea3258b9c 100644 --- a/krebs/2configs/go.nix +++ b/krebs/2configs/go.nix @@ -1,6 +1,5 @@ { config, lib, pkgs, ... }: -with import <stockholm/lib>; { krebs.go = { enable = true; diff --git a/krebs/2configs/hotdog-host.nix b/krebs/2configs/hotdog-host.nix new file mode 100644 index 000000000..ab2b22b7c --- /dev/null +++ b/krebs/2configs/hotdog-host.nix @@ -0,0 +1,10 @@ +{ config, ... }: +{ + krebs.sync-containers3.containers.hotdog = { + sshKey = "${config.krebs.secret.directory}/hotdog.sync.key"; + }; + containers.hotdog.bindMounts."/var/lib" = { + hostPath = "/var/lib/sync-containers3/hotdog/state"; + isReadOnly = false; + }; +} diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix index bb273652d..a797673c9 100644 --- a/krebs/2configs/hw/x220.nix +++ b/krebs/2configs/hw/x220.nix @@ -1,6 +1,5 @@ -{ config, lib, pkgs, ... }: +{ lib, pkgs, ... }: -with import &l |