Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/1systems/filebitch/config.nix | 1 | ||||
-rw-r--r-- | krebs/1systems/news/config.nix | 25 | ||||
-rw-r--r-- | krebs/1systems/puyak/config.nix | 84 | ||||
-rw-r--r-- | krebs/1systems/wolf/config.nix | 1 | ||||
-rw-r--r-- | krebs/2configs/buildbot/worker.nix | 4 | ||||
-rw-r--r-- | krebs/2configs/news-host.nix | 7 | ||||
-rw-r--r-- | krebs/2configs/news.nix | 207 | ||||
-rw-r--r-- | krebs/3modules/go.nix | 10 | ||||
-rw-r--r-- | krebs/3modules/iptables.nix | 4 | ||||
-rw-r--r-- | krebs/3modules/reaktor2.nix | 4 | ||||
-rw-r--r-- | krebs/5pkgs/simple/rss-bridge/default.nix | 33 |
11 files changed, 54 insertions, 326 deletions
diff --git a/krebs/1systems/filebitch/config.nix b/krebs/1systems/filebitch/config.nix index 254306ecb..44c14674e 100644 --- a/krebs/1systems/filebitch/config.nix +++ b/krebs/1systems/filebitch/config.nix @@ -28,7 +28,6 @@ in ]; krebs.build.host = config.krebs.hosts.filebitch; - sound.enable = false; services.udev.extraRules = '' SUBSYSTEM=="net", ATTR{address}=="60:a4:4c:3d:52:cf", NAME="et0" diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix deleted file mode 100644 index 290870fce..000000000 --- a/krebs/1systems/news/config.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - ../../../krebs - ../../../krebs/2configs - - ../../../krebs/2configs/ircd.nix - ../../../krebs/2configs/go.nix - - #### NEWS #### - ../../../krebs/2configs/ircd.nix - ../../../krebs/2configs/news.nix - ]; - - krebs.build.host = config.krebs.hosts.news; - krebs.hosts.news.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519"; - - boot.isContainer = true; - networking.useDHCP = lib.mkForce true; - krebs.sync-containers3.inContainer = { - enable = true; - pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMBVZomw68WDQy0HsHhNbWK1KpzaR5aRUG1oioE7IgCv"; - }; -} diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index d3891af82..542106d5f 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix 
@@ -2,51 +2,52 @@ { imports = [ ./net.nix - <stockholm/krebs> - <stockholm/krebs/2configs> - <stockholm/krebs/2configs/secret-passwords.nix> - <stockholm/krebs/2configs/hw/x220.nix> + ../../../krebs + ../../../krebs/2configs + ../../2configs/secret-passwords.nix + ../../2configs/hw/x220.nix # see documentation in included getty-for-esp.nix: # brain hosts/puyak/root - <stockholm/krebs/2configs/hw/getty-for-esp.nix> + ../../2configs/hw/getty-for-esp.nix + ../../2configs/buildbot/worker.nix ## initrd unlocking - # (brain hosts/puyak/luks-ssd;echo) | ssh root@$(brain krebs-secrets/puyak/initrd/hostname) 'cat > /crypt-ramfs/passphrase' - <stockholm/krebs/2configs/tor/initrd.nix> + # (brain hosts/puyak/luks-ssd;echo) | ssh root@$(brain krebs-secrets/puyak/initrd/hostname) 'cat /crypt-ramfs/passphrase' + ../../2configs/tor/initrd.nix - <stockholm/krebs/2configs/binary-cache/nixos.nix> - <stockholm/krebs/2configs/binary-cache/prism.nix> + ../../2configs/binary-cache/nixos.nix + ../../2configs/binary-cache/prism.nix ## news host - <stockholm/krebs/2configs/container-networking.nix> - <stockholm/krebs/2configs/syncthing.nix> + ../../2configs/container-networking.nix + ../../2configs/syncthing.nix ### shackspace ### # handle the worlddomination map via coap - <stockholm/krebs/2configs/shack/worlddomination.nix> - <stockholm/krebs/2configs/shack/ssh-keys.nix> + ../../2configs/shack/worlddomination.nix + ../../2configs/shack/ssh-keys.nix # drivedroid.shack for shackphone - <stockholm/krebs/2configs/shack/drivedroid.nix> - # <stockholm/krebs/2configs/shack/nix-cacher.nix> + ../../2configs/shack/drivedroid.nix + # ../../2configs/shack/nix-cacher.nix # Say if muell will be collected - <stockholm/krebs/2configs/shack/muell_caller.nix> + ../../2configs/shack/muell_caller.nix # provide muellshack api: muell.shack - <stockholm/krebs/2configs/shack/muellshack.nix> + ../../2configs/shack/muellshack.nix # send mail if muell was not handled - 
<stockholm/krebs/2configs/shack/muell_mail.nix> + ../../2configs/shack/muell_mail.nix # provide light control api - <stockholm/krebs/2configs/shack/node-light.nix> # light.shack lounge.light.shack power.light.shack openhab.shack lightapi.shack + ../../2configs/shack/node-light.nix # light.shack lounge.light.shack power.light.shack openhab.shack lightapi.shack # light.shack web-ui - <stockholm/krebs/2configs/shack/light.shack.nix> #light.shack + ../../2configs/shack/light.shack.nix #light.shack # fetch the u300 power stats - <stockholm/krebs/2configs/shack/power/u300-power.nix> + ../../2configs/shack/power/u300-power.nix { # do not log to /var/spool/log 
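Review bot: The rewritten initrd-unlock comment drops the output redirect — `'cat > /crypt-ramfs/passphrase'` became `'cat /crypt-ramfs/passphrase'`, which would print the remote file instead of writing the piped passphrase into it. Unless the unlock flow in tor/initrd.nix changed to read the passphrase some other way, the comment should keep `ssh root@$(brain krebs-secrets/puyak/initrd/hostname) 'cat > /crypt-ramfs/passphrase'`, since this line is the documented procedure an operator will paste. The `<stockholm/...>` to relative-path conversion itself is applied consistently across the hunk; the imports list continues in the next hunk.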
@@ -66,56 +67,55 @@ } # create samba share for anonymous usage with the laser and 3d printer pc - <stockholm/krebs/2configs/shack/share.nix> + ../../2configs/shack/share.nix # mobile.lounge.mpd.shack - <stockholm/krebs/2configs/shack/mobile.mpd.nix> + ../../2configs/shack/mobile.mpd.nix # hass.shack - <stockholm/krebs/2configs/shack/glados> - <stockholm/krebs/2configs/shack/esphome.nix> + ../../2configs/shack/glados + ../../2configs/shack/esphome.nix # connect to git.shackspace.de as group runner for rz - <stockholm/krebs/2configs/shack/gitlab-runner.nix> + ../../2configs/shack/gitlab-runner.nix # Statistics collection and visualization - # <stockholm/krebs/2configs/shack/graphite.nix> # graphiteApi is broken and unused(hopefully) + # ../../2configs/shack/graphite.nix # graphiteApi is broken and unused(hopefully) ## Collect data from mqtt.shack and store in graphite database - <stockholm/krebs/2configs/shack/mqtt_sub.nix> + ../../2configs/shack/mqtt_sub.nix ## Collect radioactive data and put into graphite - <stockholm/krebs/2configs/shack/radioactive.nix> + ../../2configs/shack/radioactive.nix ## mqtt.shack - <stockholm/krebs/2configs/shack/mqtt.nix> + ../../2configs/shack/mqtt.nix ## influx.shack - <stockholm/krebs/2configs/shack/influx.nix> + ../../2configs/shack/influx.nix ## Collect local statistics via collectd and send to collectd - # <stockholm/krebs/2configs/stats/shack-client.nix> - # <stockholm/krebs/2configs/stats/shack-debugging.nix> + # ../../2configs/stats/shack-client.nix + # ../../2configs/stats/shack-debugging.nix ## netbox.shack: Netbox is disabled as nobody seems to be using it anyway - # <stockholm/krebs/2configs/shack/netbox.nix> + # ../../2configs/shack/netbox.nix # grafana.shack - <stockholm/krebs/2configs/shack/grafana.nix> + ../../2configs/shack/grafana.nix # shackdns.shack # replacement for leases.shack and shackles.shack - <stockholm/krebs/2configs/shack/shackDNS.nix> + ../../2configs/shack/shackDNS.nix # monitoring: prometheus.shack - 
<stockholm/krebs/2configs/shack/prometheus/node.nix>
- <stockholm/krebs/2configs/shack/prometheus/server.nix>
- <stockholm/krebs/2configs/shack/prometheus/blackbox.nix>
- #<stockholm/krebs/2configs/shack/prometheus/unifi.nix>
+ ../../2configs/shack/prometheus/node.nix
+ ../../2configs/shack/prometheus/server.nix
+ ../../2configs/shack/prometheus/blackbox.nix
+ #../../2configs/shack/prometheus/unifi.nix
 # TODO: alertmanager 0.24+ supports telegram
- # <stockholm/krebs/2configs/shack/prometheus/alertmanager-telegram.nix>
+ # ../../2configs/shack/prometheus/alertmanager-telegram.nix
 ];
 krebs.build.host = config.krebs.hosts.puyak;
 krebs.hosts.puyak.ssh.privkey.path = "${config.krebs.secret.directory}/ssh.id_ed25519";
- sound.enable = false;
 boot = {
 loader.systemd-boot.enable = true;
 loader.efi.canTouchEfiVariables = true;
diff --git a/krebs/1systems/wolf/config.nix b/krebs/1systems/wolf/config.nix
index 6ff280f79..9f966ee01 100644
--- a/krebs/1systems/wolf/config.nix
+++ b/krebs/1systems/wolf/config.nix
@@ -73,7 +73,6 @@ in
 '';
 time.timeZone = "Europe/Berlin";
- sound.enable = false;
 # avahi
 services.avahi = {
diff --git a/krebs/2configs/buildbot/worker.nix b/krebs/2configs/buildbot/worker.nix
index e96c6df14..5526a83d3 100644
--- a/krebs/2configs/buildbot/worker.nix
+++ b/krebs/2configs/buildbot/worker.nix
@@ -1,4 +1,4 @@
-{ buildbot-nix, ... }:
+{ config, buildbot-nix, ... }:
 {
 imports = [
 buildbot-nix.nixosModules.buildbot-worker
@@ -6,6 +6,8 @@
 services.buildbot-nix.worker = {
 enable = true;
+ name = config.krebs.build.host.name;
 workerPasswordFile = "/var/src/secrets/nix-worker-file";
+ masterUrl = "tcp:host=gum:port=9989";
 };
 }
diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix
deleted file mode 100644
index 9b8627d61..000000000
--- a/krebs/2configs/news-host.nix
+++ /dev/null
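Review bot: `masterUrl = "tcp:host=gum:port=9989";` hard-codes a plaintext PB endpoint into a shared 2configs module, so every host that imports it (puyak now does) sends the worker password from `/var/src/secrets/nix-worker-file` to `gum` without transport encryption. If `gum` is only reachable over the internal overlay network and that is the intended trust boundary, record it next to the option, e.g. `# plain PB to the master; relies on the internal network for confidentiality`; otherwise this is the line to switch to a TLS endpoint string, if the buildbot-nix worker module exposes one — confirm against its options. The module body spans both hunks, so the `services.buildbot-nix.worker` attrset starts outside the second one.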
@@ -1,7 +0,0 @@ -{ config,lib, ... }: -{ - nixpkgs.config.allowUnfree = true; # "consul-1.18.0" - krebs.sync-containers3.containers.news = { - sshKey = "${config.krebs.secret.directory}/news.sync.key"; - }; -} diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix deleted file mode 100644 index 9d9470727..000000000 --- a/krebs/2configs/news.nix +++ /dev/null 
@@ -1,207 +0,0 @@ -{ config, pkgs, ... }: - -{ - services.rss-bridge = { - enable = true; - whitelist = [ "*" ]; - }; - services.nginx.virtualHosts = { - rss-bridge = { - serverAliases = [ - "rss.r" - ]; - }; - "brockman.r" = { - serverAliases = [ - "news.r" - ]; - locations."/api".extraConfig = '' - proxy_pass http://127.0.0.1:7777/; - proxy_pass_header Server; - ''; - locations."= /graph.html".extraConfig = '' - alias ${pkgs.fetchurl { - url = "https://raw.githubusercontent.com/kmein/brockman/05d33c8caaaf6255752f9600981974bb58390851/tools/graph.html"; - sha256 = "0iw2vdzj6kzkix1c447ybmc953lns6z4ap6sr9pcib8bany4g43w"; - }}; - ''; - locations."/".extraConfig = '' - root /var/lib/brockman; - index brockman.json; - ''; - extraConfig = '' - add_header 'Access-Control-Allow-Origin' '*'; - add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS'; - ''; - }; - }; - systemd.tmpfiles.rules = [ - "d /var/lib/brockman 1750 brockman nginx -" - "d /run/irc-api 1750 brockman nginx -" - ]; - - systemd.services.brockman-graph = { - path = [ - pkgs.graphviz - pkgs.jq - pkgs.inotify-tools - ]; - serviceConfig = { - ExecStart = pkgs.writers.writeDash "brockman-graph" '' - - while :; do - graphviz="$(cat /var/lib/brockman/brockman.json \ - | jq -r ' - .bots | - to_entries | - map(select(.value.extraChannels|length > 1 )) | - .[] | - "\"\(.key)\" -> {\(.value.extraChannels|map("\""+.+"\"")|join(" "))}" - ')" - echo "digraph news { $graphviz }" | circo -Tsvg > /var/lib/brockman/graph.svg - - inotifywait -q -e MODIFY /var/lib/brockman/brockman.json - done - ''; - User = "brockman"; - }; - wantedBy = [ "multi-user.target" ]; - }; - - services.ergochat.openFilesLimit = 16384; - services.ergochat.settings = { - limits.nicklen = 100; - limits.identlen = 100; - history.enabled = false; - }; - systemd.services.brockman.bindsTo = [ "ergochat.service" ]; - systemd.services.brockman.serviceConfig.LimitNOFILE = 16384; - systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG"; - 
krebs.brockman = { - enable = true; - config = { - irc.host = "localhost"; - channel = "#all"; - shortener = "http://go.r"; - controller = { - nick = "brockman"; - extraChannels = [ "#all" ]; - }; - statePath = "/var/state/brockman/brockman.json"; - bots = {}; - }; - }; - - krebs.reaktor2.api = { - hostname = "localhost"; - port = "6667"; - nick = "api"; - API.listen = "inet://127.0.0.1:7777"; - plugins = [ - { - plugin = "register"; - config = { - channels = [ - "#all" - ]; - }; - } - ]; - }; - krebs.reaktor2.news = let - name = "candyman"; - in { - hostname = "localhost"; - port = "6667"; - nick = name; - plugins = [ - { - plugin = "register"; - config = { - channels = [ - "#all" - "#aluhut" - "#news" - "#lasstube" - ]; - }; - } - { - plugin = "system"; - config = { - hooks.PRIVMSG = [ - { - activate = "match"; - pattern = "^${name}:\\s*(\\S*)(?:\\s+(.*\\S))?\\s*$"; - command = 1; - arguments = [2]; - commands = { - add-reddit.filename = pkgs.writeDash "add-reddit" '' - set -euf - if [ "$#" -ne 1 ]; then - echo 'usage: ${name}: add-reddit $reddit_channel' - exit 1 - fi - reddit_channel=$(echo "$1" | ${pkgs.jq}/bin/jq -Rr '[match("(\\S+)\\s*";"g").captures[].string][0]') - echo "brockman: add r_$reddit_channel http://rss.r/?action=display&bridge=Reddit&context=single&r=$reddit_channel&format=Atom" - ''; - add-telegram.filename = pkgs.writeDash "add-telegram" '' - set -euf - if [ "$#" -ne 1 ]; then - echo 'usage: ${name}: add-telegram $telegram_user' - exit 1 - fi - telegram_user=$(echo "$1" | ${pkgs.jq}/bin/jq -Rr '[match("(\\S+)\\s*";"g").captures[].string][0]') - echo "brockman: add t_$telegram_user http://rss.r/?action=display&bridge=Telegram&username=$telegram_user&format=Mrss" - ''; - add-youtube.filename = pkgs.writeDash "add-youtube" '' - set -euf - if [ "$#" -ne 1 ]; then - echo 'usage: ${name}: add-youtube $nick $channel/video/stream/id' - exit 1 - fi - youtube_nick=$(echo "$1" | ${pkgs.jq}/bin/jq -Rr '[match("(\\S+)\\s*";"g").captures[].string][0]') - 
youtube_url=$(echo "$1" | ${pkgs.jq}/bin/jq -Rr '[match("(\\S+)\\s*";"g").captures[].string][1]') - if [ ''${#youtube_url} -eq 24 ]; then - youtube_id=$youtube_url - else - youtube_id=$(${pkgs.yt-dlp}/bin/yt-dlp --max-downloads 1 -j "$youtube_url" | ${pkgs.jq}/bin/jq -r '.channel_id') - fi - echo "brockman: add yt_$youtube_nick http://rss.r/?action=display&bridge=Youtube&context=By+channel+id&c=$youtube_id&duration_min=&duration_max=&format=Mrss" - ''; - add-twitch.filename = pkgs.writeDash "add-twitch" '' - set -euf - if [ "$#" -ne 1 ]; then - echo 'usage: ${name}: add-twitch $handle' - exit 1 - fi - twitch_nick=$(echo "$1" | ${pkgs.jq}/bin/jq -Rr '[match("(\\S+)\\s*";"g").captures[].string][0]') - echo "brockman: add twitch_$twitch_nick http://rss.r/?action=display&bridge=Twitch&channel=$twitch_nick&type=all&format=Atom" - ''; - add-twitter.filename = pkgs.writeDash "add-twitter" '' - set -euf - if [ "$#" -ne 1 ]; then - echo 'usage: ${name}: add-twitter $handle' - exit 1 - fi - twitter_nick=$(echo "$1" | ${pkgs.jq}/bin/jq -Rr '[match("(\\S+)\\s*";"g").captures[].string][0]') - echo "brockman: add tw_$twitter_nick http://rss.r/?action=display&bridge=Twitter&context=By+username&u=$twitter_nick&norep=on&noretweet=on&nopinned=on&nopic=on&format=Atom" - ''; - search.filename = pkgs.writeDash "search" '' - set -euf - if [ "$#" -ne 1 ]; then - echo 'usage: ${name}: search $searchterm' - exit 1 - fi - searchterm=$(echo "$1" | ${pkgs.jq}/bin/jq -Rr '[match("(\\S+)\\s*";"g").captures[].string][0]') - ${pkgs.curl}/bin/curl -Ss "https://feedsearch.dev/api/v1/search?url=$searchterm&info=true&favicon=false" | - ${pkgs.jq}/bin/jq '.[].url' - ''; - }; - } - ]; - }; - } - ]; - }; -} diff --git a/krebs/3modules/go.nix b/krebs/3modules/go.nix index 0c3f42f1c..f52394dbc 100644 --- a/krebs/3modules/go.nix +++ b/krebs/3modules/go.nix 
@@ -21,6 +21,7 @@ let
 imp = {
 services.redis.servers.go.enable = true;
+ users.users.htgen-go.extraGroups = [ "redis-go" ];
 krebs.htgen.go = {
 port = cfg.port;
@@ -29,7 +30,7 @@ let
 case "$Method $Request_URI" in
 "GET /"*)
- if item=$(${pkgs.redis}/bin/redis-cli --raw get "''${Request_URI#/}"); then
+ if item=$(${pkgs.redis}/bin/redis-cli -s /run/redis-go/redis.sock --raw get "''${Request_URI#/}"); then
 printf 'HTTP/1.1 302 Found\r\n'
 printf 'Content-Type: text/plain\r\n'
 printf 'Connection: closed\r\n'
@@ -54,11 +55,10 @@ let
 )
 sha256=$(echo "$uri" | sha256sum -b | cut -d\ -f1)
- base32=$(${pkgs.nixStable}/bin/nix-hash --to-base32 --type sha256 "$sha256")
- base32short=$(echo "$base32" | cut -c48-52)
- ${pkgs.redis}/bin/redis-cli set "$base32short" "$uri" >/dev/null
+ short=$(echo "$sha256" | cut -c1-8)
+ ${pkgs.redis}/bin/redis-cli -s /run/redis-go/redis.sock set "$short" "$uri" >/dev/null
- ref="http://$req_host/$base32short"
+ ref="http://$req_host/$short"
 printf 'HTTP/1.1 200 OK\r\n'
 printf 'Content-Type: text/plain; charset=UTF-8\r\n'
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index 32a5273a5..16f1f3c84 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -108,12 +108,12 @@ let
 })
 ({
 krebs.iptables.tables.filter.INPUT.rules = map
- (portRange: { predicate = "-p tcp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; })
+ (portRange: { predicate = "-p tcp --dport ${toString portRange.from}:${toString portRange.to}"; target = "ACCEPT"; })
 config.networking.firewall.allowedTCPPortRanges;
 })
 ({
 krebs.iptables.tables.filter.INPUT.rules = map
- (portRange: { predicate = "-p udp --dport ${toString port.from}:${toString port.to}"; target = "ACCEPT"; })
+ (portRange: { predicate = "-p udp --dport ${toString portRange.from}:${toString portRange.to}"; target = "ACCEPT"; })
 config.networking.firewall.allowedUDPPortRanges;
 })
 ({
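Review bot: The new `redis-cli -s /run/redis-go/redis.sock set "$short" "$uri" >/dev/null` still writes unconditionally, so two URIs whose sha256 share the first eight hex digits make the later one silently take over the earlier short link; the commit changes the key derivation to a 32-bit prefix but adds no collision check, and at that width collisions become plausible once the keyspace reaches tens of thousands of entries. Redis `SET ... NX` prints `OK` only when the key was absent, so a guard like `if [ "$(... set "$short" "$uri" NX)" != OK ]; then` could extend the prefix or return a conflict instead of redirecting an existing link elsewhere. Keys created under the old base32 scheme stay in redis and still resolve through the `GET /` branch, so existing links are unaffected by this change. The surrounding `case` body begins and ends outside these hunks.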
diff --git a/krebs/3modules/reaktor2.nix b/krebs/3modules/reaktor2.nix
index 978e0c9c0..aa6254786 100644
--- a/krebs/3modules/reaktor2.nix
+++ b/krebs/3modules/reaktor2.nix
@@ -18,7 +18,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
 };
 port = mkOption {
 default = "6667";
- # TODO type = types.service-name
+ type = types.str;
 };
 plugins = mkOption {
 default = [];
@@ -70,7 +70,7 @@ with import ../../lib/pure.nix { inherit lib; }; {
 DynamicUser = true;
 StateDirectory = cfg.username;
 ExecStart = let
- configFile = pkgs.writeJSON configFileName configValue;
+ configFile = pkgs.writers.writeJSON configFileName configValue;
 configFileName = "${cfg.systemd-service-name}.config.json";
 configValue = stripAttr (
 recursiveUpdate {
diff --git a/krebs/5pkgs/simple/rss-bridge/default.nix b/krebs/5pkgs/simple/rss-bridge/default.nix
deleted file mode 100644
index 2ad322d48..000000000
--- a/krebs/5pkgs/simple/rss-bridge/default.nix
+++ /dev/null
@@ -1,33 +0,0 @@ -{ config, lib, pkgs, fetchFromGitHub, stdenv, ... }: - -stdenv.mkDerivation rec { - pname = "rss-bridge"; - version = "unstable-2021-12-02"; - - src = fetchFromGitHub { - owner = "RSS-Bridge"; - repo = "rss-bridge"; - rev = "f469489b569d22fb5edbd13c6e5f5abf2a4ee186"; - sha256 = "sha256-LyxcycXbOFZR0mMDMUqAOjWrHIE2ftxkAYUGBbcQF5k=="; - }; - - patchPhase = '' - substituteInPlace lib/rssbridge.php \ - --replace "define('PATH_CACHE', PATH_ROOT . 'cache/');" "define('PATH_CACHE', getenv('RSSBRIDGE_DATA') . '/cache/');" \ - --replace "define('FILE_CONFIG', PATH_ROOT . 'config.ini.php');" "define('FILE_CONFIG', getenv('RSSBRIDGE_DATA') . '/config.ini.php');" \ - --replace "define('WHITELIST', PATH_ROOT . 'whitelist.txt');" "define('WHITELIST', getenv('RSSBRIDGE_DATA') . '/whitelist.txt');" - ''; - - installPhase = '' - mkdir $out/ - cp -R ./* $out - ''; - - meta = with lib; { - description = "The RSS feed for websites missing it"; - homepage = "https://github.com/RSS-Bridge/rss-bridge"; - license = licenses.unlicense; - maintainers = with maintainers; [ dawidsowa ]; - platforms = platforms.all; - }; -} |