summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
Diffstat (limited to 'krebs')
-rw-r--r--krebs/1systems/news/config.nix2
-rw-r--r--krebs/2configs/security-workarounds.nix2
-rwxr-xr-xkrebs/2configs/shack/doorstatus.sh2
-rw-r--r--krebs/2configs/shack/reaktor.nix15
-rw-r--r--krebs/3modules/ci/default.nix (renamed from krebs/3modules/ci.nix)33
-rw-r--r--krebs/3modules/ci/modules/irc_notify.py145
-rw-r--r--krebs/3modules/default.nix2
-rw-r--r--krebs/3modules/git.nix2
-rw-r--r--krebs/3modules/lass/default.nix21
-rw-r--r--krebs/3modules/setuid.nix2
-rw-r--r--krebs/5pkgs/simple/realwallpaper/default.nix14
11 files changed, 200 insertions, 40 deletions
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
index 79946dad7..620e6249e 100644
--- a/krebs/1systems/news/config.nix
+++ b/krebs/1systems/news/config.nix
@@ -16,7 +16,7 @@
krebs.build.host = config.krebs.hosts.news;
boot.isContainer = true;
- networking.useDHCP = false;
+ networking.useDHCP = lib.mkForce true;
krebs.bindfs = {
"/var/lib/brockman" = {
source = "/var/state/brockman";
diff --git a/krebs/2configs/security-workarounds.nix b/krebs/2configs/security-workarounds.nix
index b1a492f51..c0d5bec9a 100644
--- a/krebs/2configs/security-workarounds.nix
+++ b/krebs/2configs/security-workarounds.nix
@@ -1,4 +1,4 @@
{ config, lib, pkgs, ... }:
-with import <stockholm/lib>;
{
+ services.nginx.package = lib.mkDefault (pkgs.nginxStable.override { openssl = pkgs.libressl; });
}
diff --git a/krebs/2configs/shack/doorstatus.sh b/krebs/2configs/shack/doorstatus.sh
index 11e710cfd..46314cb9c 100755
--- a/krebs/2configs/shack/doorstatus.sh
+++ b/krebs/2configs/shack/doorstatus.sh
@@ -54,7 +54,7 @@ Herr makefu an Kasse 3 bitte, Kasse 3 bitte Herr makefu. Der API Computer ist ma
EOF
)
-state=$(curl https://api.shackspace.de/v1/space | jq .doorState.open)
+state=$(curl -fSsk https://api.shackspace.de/v1/space | jq .doorState.open)
prevstate=$(cat state ||:)
if test "$state" == "$(cat state)";then
diff --git a/krebs/2configs/shack/reaktor.nix b/krebs/2configs/shack/reaktor.nix
index a31c7a687..1f723c8e6 100644
--- a/krebs/2configs/shack/reaktor.nix
+++ b/krebs/2configs/shack/reaktor.nix
@@ -14,6 +14,21 @@
];
};
}
+ {
+ plugin = "system";
+ config = {
+ hooks.PRIVMSG = [
+ {
+ pattern = ''\.open\??$|\.offen\??$'';
+ activate = "match";
+ command.filename = pkgs.writers.writeDash "is_shack_open" ''
+ ${pkgs.curl}/bin/curl -fSsk https://api.shackspace.de/v1/space |
+ ${pkgs.jq}/bin/jq '.doorState.open'
+ '';
+ }
+ ];
+ };
+ }
];
};
systemd.services.announce_doorstatus = {
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci/default.nix
index 5efe41786..0f85b27c0 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci/default.nix
@@ -51,7 +51,7 @@ let
"${url}",
workdir='${name}-${elemAt(splitString "." url) 1}', branches=True,
project='${name}',
- pollinterval=100
+ pollinterval=30
)
'') repo.urls
) cfg.repos;
@@ -84,6 +84,7 @@ let
from buildbot.process import buildstep, logobserver
from twisted.internet import defer
import json
+ import sys
class GenerateStagesCommand(buildstep.ShellMixin, steps.BuildStep):
def __init__(self, **kwargs):
@@ -157,19 +158,29 @@ let
)
)
'') cfg.repos)}
+
+ # fancy irc notification by Mic92 https://github.com/Mic92/dotfiles/tree/master/nixos/eve/modules/buildbot
+ sys.path.append("${./modules}")
+ from irc_notify import NotifyFailedBuilds
+ c['services'].append(
+ NotifyFailedBuilds("irc://buildbot|test@irc.r:6667/#xxx")
+ )
+
'';
enable = true;
- reporters = [''
- reporters.IRC(
- host = "irc.r",
- nick = "buildbot|${hostname}",
- notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ],
- channels = [{"channel": "#xxx"}],
- showBlameList = True,
- authz={'force': True},
- )
- ''];
+ reporters = [
+ ''
+ reporters.IRC(
+ host = "irc.r",
+ nick = "buildbot|${hostname}",
+ notify_events = [ 'started', 'finished', 'failure', 'success', 'exception', 'problem' ],
+ channels = [{"channel": "#xxx"}],
+ showBlameList = True,
+ authz={'force': True},
+ )
+ ''
+ ];
buildbotUrl = "http://build.${hostname}.r/";
};
diff --git a/krebs/3modules/ci/modules/irc_notify.py b/krebs/3modules/ci/modules/irc_notify.py
new file mode 100644
index 000000000..4b7969aaf
--- /dev/null
+++ b/krebs/3modules/ci/modules/irc_notify.py
@@ -0,0 +1,145 @@
+from typing import Optional, Generator, Any
+import socket
+import ssl
+import threading
+import re
+from urllib.parse import urlparse
+import base64
+
+from buildbot.reporters.base import ReporterBase
+from buildbot.reporters.generators.build import BuildStatusGenerator
+from buildbot.reporters.message import MessageFormatter
+from twisted.internet import defer
+
+DEBUG = False
+
+
+def _irc_send(
+ server: str,
+ nick: str,
+ channel: str,
+ sasl_password: Optional[str] = None,
+ server_password: Optional[str] = None,
+ tls: bool = True,
+ port: int = 6697,
+ messages: list[str] = [],
+) -> None:
+ if not messages:
+ return
+
+ # don't give a shit about legacy ip
+ sock = socket.socket(family=socket.AF_INET6)
+ if tls:
+ sock = ssl.wrap_socket(
+ sock, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_TLSv1_2
+ )
+
+ def _send(command: str) -> int:
+ if DEBUG:
+ print(command)
+ return sock.send((f"{command}\r\n").encode())
+
+ def _pong(ping: str):
+ if ping.startswith("PING"):
+ sock.send(ping.replace("PING", "PONG").encode("ascii"))
+
+ recv_file = sock.makefile(mode="r")
+
+ print(f"connect {server}:{port}")
+ sock.connect((server, port))
+ if server_password:
+ _send(f"PASS {server_password}")
+ _send(f"USER {nick} 0 * :{nick}")
+ _send(f"NICK {nick}")
+ for line in recv_file.readline():
+ if re.match(r"^:[^ ]* (MODE|221|376|422) ", line):
+ break
+ else:
+ _pong(line)
+
+ if sasl_password:
+ _send("CAP REQ :sasl")
+ _send("AUTHENTICATE PLAIN")
+ auth = base64.encodebytes(f"{nick}\0{nick}\0{sasl_password}".encode("ascii"))
+ _send(f"AUTHENTICATE {auth.decode('ascii')}")
+ _send("CAP END")
+ _send(f"JOIN :{channel}")
+
+ for m in messages:
+ _send(f"PRIVMSG {channel} :{m}")
+
+ _send("INFO")
+ for line in recv_file:
+ if DEBUG:
+ print(line, end="")
+ # Assume INFO reply means we are done
+ if "End of /INFO" in line:
+ break
+ else:
+ _pong(line)
+
+ sock.send(b"QUIT")
+ print("disconnect")
+ sock.close()
+
+
+def irc_send(
+ url: str, notifications: list[str], password: Optional[str] = None
+) -> None:
+ parsed = urlparse(f"{url}")
+ username = parsed.username or "prometheus"
+ server = parsed.hostname or "chat.freenode.net"
+ if parsed.fragment != "":
+ channel = f"#{parsed.fragment}"
+ else:
+ channel = "#krebs-announce"
+ port = parsed.port or 6697
+ if not password:
+ password = parsed.password
+ if len(notifications) == 0:
+ return
+ # put this in a thread to not block buildbot
+ t = threading.Thread(
+ target=_irc_send,
+ kwargs=dict(
+ server=server,
+ nick=username,
+ sasl_password=password,
+ channel=channel,
+ port=port,
+ messages=notifications,
+ tls=parsed.scheme == "irc+tls",
+ ),
+ )
+ t.start()
+
+
+subject_template = """\
+{{ '☠' if result_names[results] == 'failure' else '☺' if result_names[results] == 'success' else '☝' }} \
+{{ build['properties'].get('project', ['whole buildset'])[0] if is_buildset else buildername }} \
+- \
+{{ build['state_string'] }} \
+{{ '(%s)' % (build['properties']['branch'][0] if (build['properties']['branch'] and build['properties']['branch'][0]) else build['properties'].get('got_revision', ['(unknown revision)'])[0]) }} \
+({{ build_url }})
+""" # # noqa pylint: disable=line-too-long
+
+
+class NotifyFailedBuilds(ReporterBase):
+ def _generators(self) -> list[BuildStatusGenerator]:
+ formatter = MessageFormatter(template_type="plain", subject=subject_template)
+ return [BuildStatusGenerator(message_formatter=formatter)]
+
+ def checkConfig(self, url: str):
+ super().checkConfig(generators=self._generators())
+
+ @defer.inlineCallbacks
+ def reconfigService(self, url: str) -> Generator[Any, object, Any]:
+ self.url = url
+ yield super().reconfigService(generators=self._generators())
+
+ def sendMessage(self, reports: list):
+ msgs = []
+ for r in reports:
+ if r["builds"][0]["state_string"] != "build successful":
+ msgs.append(r["subject"])
+ irc_send(self.url, notifications=msgs)
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 5ba436580..01436d352 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -16,7 +16,7 @@ let
./brockman.nix
./build.nix
./cachecache.nix
- ./ci.nix
+ ./ci
./current.nix
./dns.nix
./ergo.nix
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index c038fd4c6..02c673e43 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -628,7 +628,7 @@ let
# TODO fix correctly with stringAfter
chown -R ${toString config.users.users.git.uid}:nogroup "$repodir"
fi
- ln -s ${hooks} "$repodir/hooks"
+ ln -Tfs ${hooks} "$repodir/hooks"
''
) (attrValues cfg.repos)}
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index b05e774b4..3e58fee1d 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -55,7 +55,6 @@ in {
'';
pubkey_ed25519 = "P+bhzhgTNdohWdec//t/e+8cI7zUOsS+Kq/AOtineAO";
};
- tinc.port = 655;
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
@@ -78,7 +77,7 @@ in {
60 IN NS dns16.ovh.net.
60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
60 IN AAAA ${config.krebs.hosts.prism.nets.internet.ip6.addr}
- IN MX 5 lassul.us.
+ IN MX 5 mail.lassul.us.
60 IN TXT v=spf1 mx a:lassul.us -all
60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" )
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
@@ -97,6 +96,9 @@ in {
streaming 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
mumble 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
mail 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ flix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ confusion 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ testing 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
};
nets = rec {
@@ -123,6 +125,7 @@ in {
"prism.r"
"cache.prism.r"
"cgit.prism.r"
+ "bota.r"
"flix.r"
"jelly.r"
"paste.r"
@@ -131,7 +134,6 @@ in {
"search.r"
"radio-news.r"
];
- tinc.port = 655;
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -192,7 +194,6 @@ in {
aliases = [
"mors.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -229,7 +230,6 @@ in {
aliases = [
"shodan.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -267,7 +267,6 @@ in {
aliases = [
"icarus.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -304,7 +303,6 @@ in {
aliases = [
"daedalus.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -339,7 +337,6 @@ in {
aliases = [
"skynet.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -376,7 +373,6 @@ in {
aliases = [
"littleT.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -429,7 +425,6 @@ in {
aliases = [
"xerxes.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@@ -482,7 +477,6 @@ in {
aliases = [
"yellow.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
@@ -523,7 +517,6 @@ in {
aliases = [
"blue.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
@@ -566,7 +559,6 @@ in {
aliases = [
"green.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
@@ -638,7 +630,6 @@ in {
aliases = [
"hilum.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
@@ -682,7 +673,6 @@ in {
aliases = [
"styx.r"
];
- tinc.port = 654;
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
@@ -727,7 +717,6 @@ in {
aliases = [
"coaxmetal.r"
];
- tinc.port = 0;
tinc = {
pubkey = ''
-----BEGIN PUBLIC KEY-----
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index b141c7de4..e186478eb 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -69,7 +69,7 @@ with import <stockholm/lib>;
in /* sh */ ''
mkdir -p ${cfg.wrapperDir}
cp ${src} ${dst}
- chown ${cfg.owner}.${cfg.group} ${dst}
+ chown ${cfg.owner}:${cfg.group} ${dst}
chmod ${cfg.mode} ${dst}
${optionalString (cfg.capabilities != []) /* sh */ ''
${pkgs.libcap.out}/bin/setcap ${concatMapStringsSep "," shell.escape cfg.capabilities} ${dst}
diff --git a/krebs/5pkgs/simple/realwallpaper/default.nix b/krebs/5pkgs/simple/realwallpaper/default.nix
index 832e47f26..236d75d72 100644
--- a/krebs/5pkgs/simple/realwallpaper/default.nix
+++ b/krebs/5pkgs/simple/realwallpaper/default.nix
@@ -1,6 +1,6 @@
{ pkgs, ... }:
pkgs.writers.writeDashBin "generate-wallpaper" ''
- set -xeuf
+ set -euf
export PATH=${with pkgs; lib.makeBinPath [
coreutils
@@ -86,7 +86,7 @@ pkgs.writers.writeDashBin "generate-wallpaper" ''
}
main() {
- cd "$working_dir"
+ cd "''${working_dir:-$PWD}"
# fetch source images in parallel
fetch_once nightmap-raw.jpg \
@@ -113,16 +113,16 @@ pkgs.writers.writeDashBin "generate-wallpaper" ''
'https://raw.githubusercontent.com/krebs/painload/master/cholerab/bling/krebs_aquarium.svg' &
fetch_older_min 720 ice-raw.jpg $(get_neo_url \
- 'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=NISE_D') &
+ 'https://neo.gsfc.nasa.gov/view.php?datasetId=NISE_D') &
fetch_older_days 1 snow-raw.jpg $(get_neo_url \
- 'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=MOD10C1_E_SNOW') &
+ 'https://neo.gsfc.nasa.gov/view.php?datasetId=MOD10C1_E_SNOW') &
fetch_older_days 1 chlora-raw.jpg $(get_neo_url \
- 'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=MY1DMM_CHLORA') &
+ 'https://neo.gsfc.nasa.gov/view.php?datasetId=MY1DMM_CHLORA') &
fetch_older_days 1 fire-raw.jpg $(get_neo_url \
- 'https://neo.sci.gsfc.nasa.gov/view.php?datasetId=MOD14A1_E_FIRE') &
+ 'https://neo.gsfc.nasa.gov/view.php?datasetId=MOD14A1_E_FIRE') &
# regular fetches
- fetch marker.json.tmp "$marker_url" || :
+ fetch marker.json.tmp "''${marker_url:-}" || :
if [ -s marker.json.tmp ]; then
mv marker.json.tmp marker.json
fi