Diffstat (limited to 'krebs')
-rw-r--r-- | krebs/1systems/news/config.nix | 2 | ||||
-rw-r--r-- | krebs/2configs/security-workarounds.nix | 2 | ||||
-rwxr-xr-x | krebs/2configs/shack/doorstatus.sh | 2 | ||||
-rw-r--r-- | krebs/2configs/shack/reaktor.nix | 15 | ||||
-rw-r--r-- | krebs/3modules/ci/default.nix (renamed from krebs/3modules/ci.nix) | 33 | ||||
-rw-r--r-- | krebs/3modules/ci/modules/irc_notify.py | 145 | ||||
-rw-r--r-- | krebs/3modules/default.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/git.nix | 2 | ||||
-rw-r--r-- | krebs/3modules/lass/default.nix | 21 | ||||
-rw-r--r-- | krebs/3modules/setuid.nix | 2 | ||||
-rw-r--r-- | krebs/5pkgs/simple/realwallpaper/default.nix | 14 |
11 files changed, 200 insertions, 40 deletions
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix index 79946dad7..620e6249e 100644 --- a/krebs/1systems/news/config.nix +++ b/krebs/1systems/news/config.nix @@ -16,7 +16,7 @@ krebs.build.host = config.krebs.hosts.news; boot.isContainer = true; - networking.useDHCP = false; + networking.useDHCP = lib.mkForce true; krebs.bindfs = { "/var/lib/brockman" = { source = "/var/state/brockman"; diff --git a/krebs/2configs/security-workarounds.nix b/krebs/2configs/security-workarounds.nix index b1a492f51..c0d5bec9a 100644 --- a/krebs/2configs/security-workarounds.nix +++ b/krebs/2configs/security-workarounds.nix @@ -1,4 +1,4 @@ { config, lib, pkgs, ... }: -with import <stockholm/lib>; { + services.nginx.package = lib.mkDefault (pkgs.nginxStable.override { openssl = pkgs.libressl; }); } diff --git a/krebs/2configs/shack/doorstatus.sh b/krebs/2configs/shack/doorstatus.sh index 11e710cfd..46314cb9c 100755 --- a/krebs/2configs/shack/doorstatus.sh +++ b/krebs/2configs/shack/doorstatus.sh @@ -54,7 +54,7 @@ Herr makefu an Kasse 3 bitte, Kasse 3 bitte Herr makefu. Der API Computer ist ma EOF ) -state=$(curl https://api.shackspace.de/v1/space | jq .doorState.open) +state=$(curl -fSsk https://api.shackspace.de/v1/space | jq .doorState.open) prevstate=$(cat state ||:) if test "$state" == "$(cat state)";then diff --git a/krebs/2configs/shack/reaktor.nix b/krebs/2configs/shack/reaktor.nix index a31c7a687..1f723c8e6 100644 --- a/krebs/2configs/shack/reaktor.nix +++ b/krebs/2configs/shack/reaktor.nix @@ -14,6 +14,21 @@ ]; }; } + { + plugin = "system"; + config = { + hooks.PRIVMSG = [ + { + pattern = ''\.open\??$|\.offen\??$''; + activate = "match"; + command.filename = pkgs.writers.writeDash "is_shack_open" '' + ${pkgs.curl}/bin/curl -fSsk https://api.shackspace.de/v1/space | + ${pkgs.jq}/bin/jq '.doorState.open' + ''; + } + ]; + }; + } ]; }; systemd.services.announce_doorstatus = { 
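Review bot: The added `-k` in `state=$(curl -fSsk https://api.shackspace.de/v1/space | jq .doorState.open)` turns off certificate verification for a public HTTPS endpoint, so anyone on the network path can feed the script a forged door state; `curl -fSs` keeps the failure handling and verification, and if the flag was added because the environment lacks a CA bundle, supplying one (`--cacert`) is the right fix rather than `-k`. The same `curl -fSsk` appears in the reaktor.nix `is_shack_open` hook further along this line and should be changed the same way. With `-f`, a failed request leaves `$state` empty, and the following `if test "$state" == "$(cat state)"` compares that empty value as if it were real; a guard such as `[ -n "$state" ] || exit 1` before the comparison would avoid announcing a spurious change (the rest of that branch is outside the hunk).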
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci/default.nix index 5efe41786..0f85b27c0 100644 --- a/krebs/3modules/ci.nix +++ b/krebs/3modules/ci/default.nix @@ -51,7 +51,7 @@ let "${url}", workdir='${name}-${elemAt(splitString "." url) 1}', branches=True, project='${name}', - pollinterval=100 + pollinterval=30 ) '') repo.urls ) cfg.repos; @@ -84,6 +84,7 @@ let from buildbot.process import buildstep, logobserver from twisted.internet import defer import json + import sys class GenerateStagesCommand(buildstep.ShellMixin, steps.BuildStep): def __init__(self, **kwargs): @@ -157,19 +158,29 @@ let ) ) '') cfg.repos)} + + # fancy irc notification by Mic92 https://github.com/Mic92/dotfiles/tree/master/nixos/eve/modules/buildbot + sys.path.append("${./modules}") + from irc_notify import NotifyFailedBuilds + c['services'].append( + NotifyFailedBuilds("irc://buildbot|test@irc.r:6667/#xxx") + ) + ''; enable = true; - reporters = ['' - reporters.IRC( - host = "irc.r", - nick = "buildbot|${hostname}", - notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ], - channels = [{"channel": "#xxx"}], - showBlameList = True, - authz={'force': True}, - ) - '']; + reporters = [ + '' + reporters.IRC( + host = "irc.r", + nick = "buildbot|${hostname}", + notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ], + channels = [{"channel": "#xxx"}], + showBlameList = True, + authz={'force': True}, + ) + '' + ]; buildbotUrl = "http://build.${hostname}.r/"; }; diff --git a/krebs/3modules/ci/modules/irc_notify.py b/krebs/3modules/ci/modules/irc_notify.py new file mode 100644 index 000000000..4b7969aaf --- /dev/null +++ b/krebs/3modules/ci/modules/irc_notify.py 
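Review bot: `NotifyFailedBuilds("irc://buildbot|test@irc.r:6667/#xxx")` hard-codes the nick `buildbot|test`, while the `reporters.IRC` block a few lines below derives it from `buildbot|${hostname}`; two hosts enabling this module would then compete for the same nick, and since irc_notify.py on this page only enables TLS for the `irc+tls` scheme, this URL also means a plaintext connection, which is worth a comment next to it. Assuming `hostname` is in scope in this string as it is in the reporters block, `NotifyFailedBuilds("irc://buildbot-notify|${hostname}@irc.r:6667/#xxx")` keeps the two reporters distinguishable per host. The `sys.path.append("${./modules}")` line deserves a one-line comment saying that `irc_notify.py` is loaded from the store copy of `./modules`, e.g. `# ${./modules} is the store path of ./modules; irc_notify.py lives there`.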
@@ -0,0 +1,145 @@
+from typing import Optional, Generator, Any
+import socket
+import ssl
+import threading
+import re
+from urllib.parse import urlparse
+import base64
+
+from buildbot.reporters.base import ReporterBase
+from buildbot.reporters.generators.build import BuildStatusGenerator
+from buildbot.reporters.message import MessageFormatter
+from twisted.internet import defer
+
+DEBUG = False
+
+
+def _irc_send(
+    server: str,
+    nick: str,
+    channel: str,
+    sasl_password: Optional[str] = None,
+    server_password: Optional[str] = None,
+    tls: bool = True,
+    port: int = 6697,
+    messages: list[str] = [],
+) -> None:
+    if not messages:
+        return
+
+    # don't give a shit about legacy ip
+    sock = socket.socket(family=socket.AF_INET6)
+    if tls:
+        sock = ssl.wrap_socket(
+            sock, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_TLSv1_2
+        )
+
+    def _send(command: str) -> int:
+        if DEBUG:
+            print(command)
+        return sock.send((f"{command}\r\n").encode())
+
+    def _pong(ping: str):
+        if ping.startswith("PING"):
+            sock.send(ping.replace("PING", "PONG").encode("ascii"))
+
+    recv_file = sock.makefile(mode="r")
+
+    print(f"connect {server}:{port}")
+    sock.connect((server, port))
+    if server_password:
+        _send(f"PASS {server_password}")
+    _send(f"USER {nick} 0 * :{nick}")
+    _send(f"NICK {nick}")
+    for line in recv_file.readline():
+        if re.match(r"^:[^ ]* (MODE|221|376|422) ", line):
+            break
+        else:
+            _pong(line)
+
+    if sasl_password:
+        _send("CAP REQ :sasl")
+        _send("AUTHENTICATE PLAIN")
+        auth = base64.encodebytes(f"{nick}\0{nick}\0{sasl_password}".encode("ascii"))
+        _send(f"AUTHENTICATE {auth.decode('ascii')}")
+        _send("CAP END")
+    _send(f"JOIN :{channel}")
+
+    for m in messages:
+        _send(f"PRIVMSG {channel} :{m}")
+
+    _send("INFO")
+    for line in recv_file:
+        if DEBUG:
+            print(line, end="")
+        # Assume INFO reply means we are done
+        if "End of /INFO" in line:
+            break
+        else:
+            _pong(line)
+
+    sock.send(b"QUIT")
+    print("disconnect")
+    sock.close()
+
+
+def irc_send(
+    url: str,
notifications: list[str], password: Optional[str] = None
+) -> None:
+    parsed = urlparse(f"{url}")
+    username = parsed.username or "prometheus"
+    server = parsed.hostname or "chat.freenode.net"
+    if parsed.fragment != "":
+        channel = f"#{parsed.fragment}"
+    else:
+        channel = "#krebs-announce"
+    port = parsed.port or 6697
+    if not password:
+        password = parsed.password
+    if len(notifications) == 0:
+        return
+    # put this in a thread to not block buildbot
+    t = threading.Thread(
+        target=_irc_send,
+        kwargs=dict(
+            server=server,
+            nick=username,
+            sasl_password=password,
+            channel=channel,
+            port=port,
+            messages=notifications,
+            tls=parsed.scheme == "irc+tls",
+        ),
+    )
+    t.start()
+
+
+subject_template = """\
+{{ '☠' if result_names[results] == 'failure' else '☺' if result_names[results] == 'success' else '☝' }} \
+{{ build['properties'].get('project', ['whole buildset'])[0] if is_buildset else buildername }} \
+- \
+{{ build['state_string'] }} \
+{{ '(%s)' % (build['properties']['branch'][0] if (build['properties']['branch'] and build['properties']['branch'][0]) else build['properties'].get('got_revision', ['(unknown revision)'])[0]) }} \
+({{ build_url }})
+""" # # noqa pylint: disable=line-too-long
+
+
+class NotifyFailedBuilds(ReporterBase):
+    def _generators(self) -> list[BuildStatusGenerator]:
+        formatter = MessageFormatter(template_type="plain", subject=subject_template)
+        return [BuildStatusGenerator(message_formatter=formatter)]
+
+    def checkConfig(self, url: str):
+        super().checkConfig(generators=self._generators())
+
+    @defer.inlineCallbacks
+    def reconfigService(self, url: str) -> Generator[Any, object, Any]:
+        self.url = url
+        yield super().reconfigService(generators=self._generators())
+
+    def sendMessage(self, reports: list):
+        msgs = []
+        for r in reports:
+            if r["builds"][0]["state_string"] != "build successful":
+                msgs.append(r["subject"])
+        irc_send(self.url, notifications=msgs)
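Review bot: `ssl.wrap_socket(sock, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_TLSv1_2)` in `_irc_send` disables certificate verification, so the server password and SASL password are handed to whatever answers on that port; use `ctx = ssl.create_default_context()` and `sock = ctx.wrap_socket(sock, server_hostname=server)` instead (`ssl.wrap_socket` is also gone in Python 3.12). The registration wait `for line in recv_file.readline():` iterates the characters of a single reply line rather than the reply lines, so the `(MODE|221|376|422)` match can never fire and `_pong` is called on single characters; it should read `for line in recv_file:`. `base64.encodebytes(...)` appends a newline, so the `AUTHENTICATE` payload is sent with a stray line break; `base64.b64encode(...)` produces the single-line form SASL PLAIN expects, and `sock.send(b"QUIT")` lacks the `\r\n` every other command gets via `_send`. Build subjects are interpolated into `PRIVMSG {channel} :{m}` unchanged, so a branch or project name containing CR or LF would be transmitted as additional IRC commands; strip `\r` and `\n` from each message before sending, and keep the `PASS`/`AUTHENTICATE` commands out of the `DEBUG` print so credentials do not land in the buildbot log.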
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 5ba436580..01436d352 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -16,7 +16,7 @@ let ./brockman.nix ./build.nix ./cachecache.nix - ./ci.nix + ./ci ./current.nix ./dns.nix ./ergo.nix diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index c038fd4c6..02c673e43 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -628,7 +628,7 @@ let # TODO fix correctly with stringAfter chown -R ${toString config.users.users.git.uid}:nogroup "$repodir" fi - ln -s ${hooks} "$repodir/hooks" + ln -Tfs ${hooks} "$repodir/hooks" '' ) (attrValues cfg.repos)} diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index b05e774b4..3e58fee1d 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -55,7 +55,6 @@ in { ''; pubkey_ed25519 = "P+bhzhgTNdohWdec//t/e+8cI7zUOsS+Kq/AOtineAO"; }; - tinc.port = 655; }; }; ssh.privkey.path = <secrets/ssh.id_ed25519>; @@ -78,7 +77,7 @@ in { 60 IN NS dns16.ovh.net. 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} 60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr} - IN MX 5 lassul.us. + IN MX 5 mail.lassul.us. 60 IN TXT v=spf1 mx a:lassul.us -all 60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" ) default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" 
@@ -97,6 +96,9 @@ in { streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} mumble 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} mail 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + flix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + confusion 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + testing 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} ''; }; nets = rec { @@ -123,6 +125,7 @@ in { "prism.r" "cache.prism.r" "cgit.prism.r" + "bota.r" "flix.r" "jelly.r" "paste.r" @@ -131,7 +134,6 @@ in { "search.r" "radio-news.r" ]; - tinc.port = 655; tinc = { pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -192,7 +194,6 @@ in { aliases = [ "mors.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -229,7 +230,6 @@ in { aliases = [ "shodan.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -267,7 +267,6 @@ in { aliases = [ "icarus.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -304,7 +303,6 @@ in { aliases = [ "daedalus.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -339,7 +337,6 @@ in { aliases = [ "skynet.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -376,7 +373,6 @@ in { aliases = [ "littleT.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -429,7 +425,6 @@ in { aliases = [ "xerxes.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -482,7 +477,6 @@ in { aliases = [ "yellow.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN PUBLIC KEY----- @@ -523,7 +517,6 @@ in { aliases = [ "blue.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN PUBLIC KEY----- @@ -566,7 +559,6 @@ in { aliases = [ "green.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN PUBLIC KEY----- @@ -638,7 +630,6 @@ in { aliases = [ "hilum.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN PUBLIC KEY----- 
@@ -682,7 +673,6 @@ in { aliases = [ "styx.r" ]; - tinc.port = 654; tinc = { pubkey = '' -----BEGIN PUBLIC KEY----- @@ -727,7 +717,6 @@ in { aliases = [ "coaxmetal.r" ]; - tinc.port = 0; tinc = { pubkey = '' -----BEGIN PUBLIC KEY----- diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix index b141c7de4..e186478eb 100644 --- a/krebs/3modules/setuid.nix +++ b/krebs/3modules/setuid.nix @@ -69,7 +69,7 @@ with import <stockholm/lib>; in /* sh */ '' mkdir -p ${cfg.wrapperDir} cp ${src} ${dst} - chown ${cfg.owner}.${cfg.group} ${dst} + chown ${cfg.owner}:${cfg.group} ${dst} chmod ${cfg.mode} ${dst} ${optionalString (cfg.capabilities != []) /* sh */ '' ${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst} diff --git a/krebs/5pkgs/simple/realwallpaper/default.nix b/krebs/5pkgs/simple/realwallpaper/default.nix index 832e47f26..236d75d72 100644 --- a/krebs/5pkgs/simple/realwallpaper/default.nix +++ b/krebs/5pkgs/simple/realwallpaper/default.nix @@ -1,6 +1,6 @@ { pkgs, ... }: pkgs.writers.writeDashBin "generate-wallpaper" '' - set -xeuf + set -euf export PATH=${with pkgs; lib.makeBinPath [ coreutils @@ -86,7 +86,7 @@ pkgs.writers.writeDashBin "generate-wallpaper" '' } main() { - cd "$working_dir" + cd "''${working_dir:-$PWD}" # fetch source images in parallel fetch_once nightmap-raw.jpg \ 
@@ -113,16 +113,16 @@ pkgs.writers.writeDashBin "generate-wallpaper" '' 'https://raw.githubusercontent.com/krebs/painload/master/cholerab/bling/krebs_aquarium.svg' & fetch_older_min 720 ice-raw.jpg $(get_neo_url \ - 'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=NISE_D') & + 'https://neo.gsfc.nasa.gov/view.php?datasetId=NISE_D') & fetch_older_days 1 snow-raw.jpg $(get_neo_url \ - 'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=MOD10C1_E_SNOW') & + 'https://neo.gsfc.nasa.gov/view.php?datasetId=MOD10C1_E_SNOW') & fetch_older_days 1 chlora-raw.jpg $(get_neo_url \ - 'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=MY1DMM_CHLORA') & + 'https://neo.gsfc.nasa.gov/view.php?datasetId=MY1DMM_CHLORA') & fetch_older_days 1 fire-raw.jpg $(get_neo_url \ - 'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=MOD14A1_E_FIRE') & + 'https://neo.gsfc.nasa.gov/view.php?datasetId=MOD14A1_E_FIRE') & # regular fetches - fetch marker.json.tmp "$marker_url" || : + fetch marker.json.tmp "''${marker_url:-}" || : if [ -s marker.json.tmp ]; then mv marker.json.tmp marker.json fi |