Diffstat (limited to 'lass/2configs')
-rw-r--r-- | lass/2configs/baseX.nix | 2 | ||||
-rw-r--r-- | lass/2configs/default.nix | 2 | ||||
-rw-r--r-- | lass/2configs/fysiirc.nix | 51 | ||||
-rw-r--r-- | lass/2configs/network-manager.nix | 4 | ||||
-rw-r--r-- | lass/2configs/pipewire.nix | 51 | ||||
-rw-r--r-- | lass/2configs/retiolum.nix | 7 | ||||
-rw-r--r-- | lass/2configs/security-workarounds.nix | 8 | ||||
-rw-r--r-- | lass/2configs/yubikey.nix | 43 |
8 files changed, 97 insertions, 71 deletions
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 124eef2cf..59d1e0182 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -65,7 +65,7 @@ in { gitAndTools.hub git-crypt git-preview - gnome3.dconf + dconf iodine libarchive lm_sensors diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index dc97719ad..e2163b688 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -8,7 +8,7 @@ with import <stockholm/lib>; ./vim.nix ./zsh.nix ./htop.nix - ./security-workarounds.nix + <stockholm/krebs/2configs/security-workarounds.nix> ./wiregrill.nix { users.extraUsers = diff --git a/lass/2configs/fysiirc.nix b/lass/2configs/fysiirc.nix new file mode 100644 index 000000000..d2aaa73c5 --- /dev/null +++ b/lass/2configs/fysiirc.nix @@ -0,0 +1,51 @@ +{ config, lib, pkgs, ... }: +{ + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 44002"; target = "ACCEPT"; } + ]; + krebs.reaktor2.fysiweb-github = { + hostname = "irc.libera.chat"; + port = "6697"; + useTLS = true; + nick = "fysiweb-github"; + API.listen = "inet://127.0.0.1:44001"; + plugins = [ + { + plugin = "register"; + config = { + channels = [ + "#fysi" + ]; + }; + } + ]; + }; + krebs.htgen.fysiweb-github = { + port = 44002; + user = { + name = "reaktor2-fysiweb-github"; + }; + script = ''. ${pkgs.writeDash "github-irc" '' + case "$Method $Request_URI" in + "POST /") + payload=$(head -c "$req_content_length" \ + | sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \ + | xargs -0 echo -e \ + ) + ${pkgs.curl}/bin/curl -fsSv http://localhost:44001/ \ + -H content-type:application/json \ + -d "$(echo "$payload" | ${pkgs.jq}/bin/jq \ + '{ + command:"PRIVMSG", + params:["#fysi", "\(.action): \(.comment.html_url // .issue.html_url // .pull_request.html_url)"] + }' + )" + printf 'HTTP/1.1 200 OK\r\n' + printf 'Connection: close\r\n' + printf '\r\n' + exit + ;; + esac + ''}''; + }; +} 
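Review bot: The import of `<stockholm/krebs/2configs/security-workarounds.nix>` replaces a local file whose only content (deleted further down in this commit) was the modprobe rule `install dccp /run/current-system/sw/bin/false` referencing the 2017 oss-sec DCCP advisory, and nothing in the diff shows that the krebs variant still carries that blacklist. If it has diverged, the kernel-module mitigation silently disappears from every host that imports `default.nix`. Worth confirming the krebs file, or pinning the intent next to the import with `# krebs variant must keep the dccp module disabled (oss-sec 2017/q1/471)`. The enclosing `imports` list starts and ends outside the hunk.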
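Review bot: The `htgen` handler accepts any `POST /` on port 44002, which the iptables rule opens to every source, and relays the decoded body straight into the reaktor2 API on 44001 — nothing checks that the request came from GitHub, so anyone on the internet can make `fysiweb-github` post arbitrary text into `#fysi`. GitHub signs each delivery with an HMAC-SHA256 over the raw body in the `X-Hub-Signature-256` header; the handler should verify that over the bytes read by `head -c` before url-decoding and reject mismatches, as sketched below (this assumes htgen exposes headers as `$req_*` the same way it provides `$req_content_length` — please confirm, and note that `$(...)` strips trailing newlines from the body). Two smaller points: `curl -fsSv` keeps `-v`, so every delivery's request and response headers land in the journal, and `200 OK` is returned even when curl fails, so a broken relay never shows up in GitHub's delivery log. The webhook secret must be provisioned outside the Nix store (e.g. a file readable only by the `reaktor2-fysiweb-github` user, passed in via the environment) rather than written into this expression.
```sh
case "$Method $Request_URI" in
  "POST /")
    body=$(head -c "$req_content_length")
    # GitHub signs the raw body; verify before trusting anything in it.
    expected="sha256=$(printf '%s' "$body" \
      | ${pkgs.openssl}/bin/openssl dgst -sha256 -hmac "$(cat "$WEBHOOK_SECRET_FILE")" \
      | sed 's/^.* //')"
    if [ "$req_x_hub_signature_256" != "$expected" ]; then
      printf 'HTTP/1.1 401 Unauthorized\r\n'
      printf 'Connection: close\r\n\r\n'
      exit
    fi
    payload=$(printf '%s' "$body" \
      | sed 's/+/ /g;s/%\(..\)/\\x\1/g;' \
      | xargs -0 echo -e \
    )
    # … unchanged: curl relay into the reaktor2 API, 200 OK response …
```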
diff --git a/lass/2configs/network-manager.nix b/lass/2configs/network-manager.nix
index b41cc7ac8..0c59b9592 100644
--- a/lass/2configs/network-manager.nix
+++ b/lass/2configs/network-manager.nix
@@ -14,8 +14,8 @@
 users.users.mainUser = {
 extraGroups = [ "networkmanager" ];
 packages = with pkgs; [
- gnome3.gnome_keyring
- gnome3.dconf
+ gnome3.gnome-keyring
+ dconf
 ];
 };
 environment.systemPackages = [
diff --git a/lass/2configs/pipewire.nix b/lass/2configs/pipewire.nix
index c21ab5d9c..24de0e9ed 100644
--- a/lass/2configs/pipewire.nix
+++ b/lass/2configs/pipewire.nix
@@ -8,67 +8,18 @@
 powerOnBoot = true;
 };
- # autostart with login
- systemd.user.services.pipewire-pulse = {
- wantedBy = [ "graphical-session.target" ];
- };
-
 environment.systemPackages = with pkgs; [
 alsaUtils
 pulseaudioLight
 ponymix
 ];
- environment.variables.PULSE_SERVER = "localhost:4713";
 services.pipewire = {
 enable = true;
- socketActivation = false;
+ systemWide = true;
 alsa.enable = true;
 alsa.support32Bit = true;
 pulse.enable = true;
 jack.enable = true;
-
- # https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Migrate-PulseAudio#module-native-protocol-tcp
- config.pipewire-pulse = {
- "context.properties" = {
- "log.level" = 2;
- };
- "context.modules" = [
- {
- name = "libpipewire-module-rtkit";
- # args = {
- # "nice.level" = -15;
- # "rt.prio" = 88;
- # "rt.time.soft" = 200000;
- # "rt.time.hard" = 200000;
- # };
- flags = [ "ifexists" "nofail" ];
- }
- { name = "libpipewire-module-protocol-native"; }
- { name = "libpipewire-module-client-node"; }
- { name = "libpipewire-module-adapter"; }
- { name = "libpipewire-module-metadata"; }
- {
- name = "libpipewire-module-protocol-pulse";
- args = {
- "vm.overrides" = {
- # "pulse.min.req" = "32/48000";
- # "pulse.default.req" = "32/48000";
- # "pulse.max.req" = "32/48000";
- "pulse.min.quantum" = "1024/48000";
- # "pulse.max.quantum" = "32/48000";
- };
- "server.address" = [
- "unix:native"
- "tcp:4713"
- ];
- };
- }
- ];
- "stream.properties" = {
- # "node.latency" = "32/48000";
- # "resample.quality" = 1;
- };
- };
 };
 }
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index f900bc28e..2ddfbcf8f 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -17,14 +17,17 @@
 enable = true;
 connectTo = [
 "prism"
- "gum"
 "ni"
+ "eve"
 ];
 extraConfig = ''
- LocalDiscovery = yes
+ StrictSubnets = yes
 '';
 };
+ # never connect via gum (he eats our packets!)
+ krebs.hosts.gum.nets.retiolum.tinc.weight = 9000;
+
 nixpkgs.config.packageOverrides = pkgs: {
 tinc = pkgs.tinc_pre;
 };
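Review bot: `systemWide = true` turns PipeWire into a system service shared by every login, so audio devices and streams are no longer isolated per user session; on NixOS access to that instance is then gated by membership in the `pipewire` group, and this hunk does not add `mainUser` to it (if that is done elsewhere, ignore this part). The removed per-user `pipewire-pulse` unit and the `tcp:4713` listener were the previous client paths; with the system-wide socket only group membership decides who may capture or inject audio, which is worth stating in a comment such as `# system-wide instance: every member of group pipewire can capture/play audio; mainUser needs that group`. As far as I recall the option's own description recommends the per-user service for desktop systems, so the reason for going system-wide would also help the next reader.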
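Review bot: The comment `# never connect via gum (he eats our packets!)` overstates what `tinc.weight = 9000` achieves: in tinc the Weight only makes the edge to gum less preferred when routes are chosen, and dropping gum from `connectTo` only stops this host from dialling out — gum can still connect inbound and still becomes a hop once lower-weight paths are unavailable. If the intent is that gum must never carry traffic, say so accurately, e.g. `# de-prioritise gum as a hop (high edge weight); it can still connect to us`, or rely on a host-level restriction if the deployment offers one. `StrictSubnets = yes` is a good hardening step (tinc then refuses subnets announced by nodes not present in the host files), and a one-line comment noting that would make the swap from `LocalDiscovery` self-explanatory.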
diff --git a/lass/2configs/security-workarounds.nix b/lass/2configs/security-workarounds.nix
deleted file mode 100644
index 537c8a59b..000000000
--- a/lass/2configs/security-workarounds.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-{ config, pkgs, ... }:
-with import <stockholm/lib>;
-{
- # http://seclists.org/oss-sec/2017/q1/471
- boot.extraModprobeConfig = ''
- install dccp /run/current-system/sw/bin/false
- '';
-}
diff --git a/lass/2configs/yubikey.nix b/lass/2configs/yubikey.nix
index 9ab6b6ccb..d92b18f81 100644
--- a/lass/2configs/yubikey.nix
+++ b/lass/2configs/yubikey.nix
@@ -6,15 +6,41 @@
 ];
 services.udev.packages = with pkgs; [ yubikey-personalization ];
- services.pcscd.enable = true;
 systemd.user.sockets.gpg-agent-ssh.wantedBy = [ "sockets.target" ];
- ##restart pcscd if yubikey is plugged in
- #services.udev.extraRules = ''
- # ACTION=="add", ATTRS{idVendor}=="04d9", ATTRS{idProduct}=="2013", RUN+="${pkgs.writeDash "restart_pcscd" ''
- # ${pkgs.systemd}/bin/systemctl restart pcscd.service
- # ''}"
- #'';
+ services.pcscd.enable = true;
+ systemd.user.services.gpg-agent.serviceConfig.ExecStartPre = pkgs.writers.writeDash "init_gpg" ''
+ set -x
+ ${pkgs.coreutils}/bin/ln -sf ${pkgs.writeText "scdaemon.conf" ''
+ disable-ccid
+ pcsc-driver ${pkgs.pcsclite.out}/lib/libpcsclite.so.1
+ card-timeout 1
+
+ # Always try to use yubikey as the first reader
+ # even when other smart card readers are connected
+ # Name of the reader can be found using the pcsc_scan command
+ # If you have problems with gpg not recognizing the Yubikey
+ # then make sure that the string here matches exacly pcsc_scan
+ # command output. Also check journalctl -f for errors.
+ reader-port Yubico YubiKey
+ ''} $HOME/.gnupg/scdaemon.conf
+ '';
+
+ security.polkit.extraConfig = ''
+ polkit.addRule(function(action, subject) {
+ if (
+ (
+ action.id == "org.debian.pcsc-lite.access_pcsc" ||
+ action.id == "org.debian.pcsc-lite.access_card"
+ ) && subject.user == "lass"
+ ) {
+ return polkit.Result.YES;
+ }
+ });
+ polkit.addRule(function(action, subject) {
+ polkit.log("user " + subject.user + " is attempting action " + action.id + " from PID " + subject.pid);
+ });
+ '';
 environment.shellInit = ''
 if [ "$UID" -eq 1337 ] && [ -z "$SSH_CONNECTION" ]; then
@@ -28,6 +54,9 @@
 fi
 '';
+ # allow nix to acces remote builders via yubikey
+ systemd.services.nix-daemon.environment.SSH_AUTH_SOCK = "/run/user/1337/gnupg/S.gpg-agent.ssh";
+
 programs = {
 ssh.startAgent = false;
 gnupg.agent = { |
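Review bot: The `ExecStartPre` script runs `ln -sf … $HOME/.gnupg/scdaemon.conf` without ensuring `$HOME/.gnupg` exists, so on a fresh account the first `gpg-agent` start fails before the agent ever runs; adding `${pkgs.coreutils}/bin/mkdir -p -m 700 "$HOME/.gnupg"` before the `ln` fixes that and keeps the directory mode gpg expects. `set -x` also traces the full command, store path included, into the user journal on every start and can be dropped once this is known to work. The second polkit rule logs every polkit check for every user and returns nothing, which is harmless but noisy; if it is a debugging aid, a comment such as `// debug only: logs all polkit checks, remove once pcscd access is confirmed` would make that clear.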
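Review bot: Pointing the root-run `nix-daemon` at `/run/user/1337/gnupg/S.gpg-agent.ssh` means every build the daemon hands to a remote builder authenticates with the YubiKey of UID 1337, and because the daemon accepts build requests from any local user through its socket, other users (or anything running as them) can trigger SSH logins with that key without the owner's involvement unless the card's touch policy demands a physical tap. The UID is also hard-coded twice (here and in the `$UID -eq 1337` check in `shellInit`), so a renumbered account breaks both silently. At minimum document the trust assumption, e.g. `# nix-daemon (root) uses lass's YubiKey for remote-builder SSH: any local user who can reach the daemon can trigger a login with it; relies on the key's touch policy`, and consider deriving the path from `config.users.users.lass.uid` instead of the literal. The `programs` attribute set continues past the end of the hunk.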