Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/baseX.nix11
-rw-r--r--lass/2configs/default.nix1
-rw-r--r--lass/2configs/docker.nix6
-rw-r--r--lass/2configs/murmur.nix39
-rw-r--r--lass/2configs/pipewire.nix72
-rw-r--r--lass/2configs/telegraf.nix67
-rw-r--r--lass/2configs/websites/domsen.nix42
7 files changed, 221 insertions, 17 deletions
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 655e7912f..23eaa2802 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -10,14 +10,7 @@ in {
./urxvt.nix
./xdg-open.nix
./yubikey.nix
- {
- hardware.pulseaudio = {
- enable = true;
- systemWide = true;
- };
- security.rtkit.enable = true;
- sound.enableOSSEmulation = false;
- }
+ ./pipewire.nix
./xmonad.nix
{
krebs.per-user.lass.packages = [
@@ -50,7 +43,7 @@ in {
}
];
- users.extraUsers.mainUser.extraGroups = [ "audio" "video" ];
+ users.users.mainUser.extraGroups = [ "audio" "video" ];
time.timeZone = "Europe/Berlin";
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index adfeef19d..eb38d0e97 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -117,6 +117,7 @@ with import <stockholm/lib>;
iftop
tcpdump
mosh
+ sshify
#stuff for dl
aria2
diff --git a/lass/2configs/docker.nix b/lass/2configs/docker.nix
new file mode 100644
index 000000000..2bc3a2361
--- /dev/null
+++ b/lass/2configs/docker.nix
@@ -0,0 +1,6 @@
+{ pkgs, lib, config, ... }:
+{
+ systemd.services.krebs-iptables.serviceConfig.ExecStartPost = pkgs.writeDash "kick_docker" ''
+ ${pkgs.systemd}/bin/systemctl restart docker.service
+ '';
+}
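Review bot: The `ExecStartPost` hook runs `systemctl restart docker.service` unconditionally, so on a host where docker.service is absent or not enabled the restart fails and, because an ExecStartPost failure fails the unit, it is krebs-iptables that ends up in a failed state — the firewall unit breaks rather than docker. `try-restart` only restarts a unit that is already active and succeeds otherwise: `${pkgs.systemd}/bin/systemctl try-restart docker.service`. A one-line comment on why the restart is needed would also help, presumably that rebuilding the iptables rule set drops the chains docker installs; it is worth stating explicitly that every firewall reload will now restart all running containers.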
diff --git a/lass/2configs/murmur.nix b/lass/2configs/murmur.nix
new file mode 100644
index 000000000..9f325d0af
--- /dev/null
+++ b/lass/2configs/murmur.nix
@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+{
+ services.murmur = {
+ enable = true;
+ bandwidth = 10000000;
+ registerName = "lassul.us";
+ autobanTime = 30;
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
+ { predicate = "-p udp --dport 64738"; target = "ACCEPT";}
+ ];
+
+ systemd.services.docker-mumble-web.serviceConfig = {
+ StandardOutput = lib.mkForce "journal";
+ StandardError = lib.mkForce "journal";
+ };
+ virtualisation.oci-containers.containers.mumble-web = {
+ image = "rankenstein/mumble-web";
+ environment = {
+ MUMBLE_SERVER = "lassul.us:64738";
+ };
+ ports = [
+ "64739:8080"
+ ];
+ };
+
+ services.nginx.virtualHosts."mumble.lassul.us" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:64739/;
+ proxy_set_header Accept-Encoding "";
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ '';
+ };
+}
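Review bot: The `ports = [ "64739:8080" ]` mapping publishes mumble-web on every interface, so the plaintext HTTP container is reachable directly on 64739 and the ACME/TLS vhost in front of it can be bypassed; Docker usually installs its published ports into its own iptables chains, so the krebs INPUT rules here (which open only 64738) may not cover it — worth verifying on the host. Since nginx proxies to `http://localhost:64739/`, bind the mapping to loopback instead: `"127.0.0.1:64739:8080"`. The same consideration applies to the `MUMBLE_SERVER` address only if the container is expected to be reachable from outside; 64738 is deliberately opened above.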
diff --git a/lass/2configs/pipewire.nix b/lass/2configs/pipewire.nix
new file mode 100644
index 000000000..8fdcff4e3
--- /dev/null
+++ b/lass/2configs/pipewire.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+# TODO test `alsactl init` after suspend to reinit mic
+{
+ security.rtkit.enable = true;
+
+ hardware.bluetooth = {
+ enable = true;
+ powerOnBoot = true;
+ };
+
+ # autostart with login
+ systemd.user.services.pipewire-pulse = {
+ wantedBy = [ "graphical-session.target" ];
+ };
+
+ environment.systemPackages = with pkgs; [
+ alsaUtils
+ pulseaudioLight
+ ];
+
+ environment.variables.PULSE_SERVER = "localhost:4713";
+ services.pipewire = {
+ enable = true;
+ socketActivation = false;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ pulse.enable = true;
+ jack.enable = true;
+ # https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Migrate-PulseAudio#module-native-protocol-tcp
+ config.pipewire-pulse = {
+ "context.properties" = {
+ "log.level" = 2;
+ };
+ "context.modules" = [
+ {
+ name = "libpipewire-module-rtkit";
+ # args = {
+ # "nice.level" = -15;
+ # "rt.prio" = 88;
+ # "rt.time.soft" = 200000;
+ # "rt.time.hard" = 200000;
+ # };
+ flags = [ "ifexists" "nofail" ];
+ }
+ { name = "libpipewire-module-protocol-native"; }
+ { name = "libpipewire-module-client-node"; }
+ { name = "libpipewire-module-adapter"; }
+ { name = "libpipewire-module-metadata"; }
+ {
+ name = "libpipewire-module-protocol-pulse";
+ args = {
+ "vm.overrides" = {
+ # "pulse.min.req" = "32/48000";
+ # "pulse.default.req" = "32/48000";
+ # "pulse.max.req" = "32/48000";
+ "pulse.min.quantum" = "1024/48000";
+ # "pulse.max.quantum" = "32/48000";
+ };
+ "server.address" = [
+ "unix:native"
+ "tcp:4713"
+ ];
+ };
+ }
+ ];
+ "stream.properties" = {
+ # "node.latency" = "32/48000";
+ # "resample.quality" = 1;
+ };
+ };
+ };
+}
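Review bot: `"server.address"` lists `"tcp:4713"`, which makes module-protocol-pulse accept unauthenticated PulseAudio clients on all interfaces, not just the local consumer that `environment.variables.PULSE_SERVER = "localhost:4713"` sets up; anything that can reach the port can play into or capture from the user's audio devices unless a firewall rule elsewhere blocks it. PipeWire accepts an address prefix, so bind to loopback: `"tcp:127.0.0.1:4713"`. A short comment next to the `PULSE_SERVER` line saying why the TCP socket is used at all (the wiki link above covers module-native-protocol-tcp) would also spare the next reader a trip to the linked page.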
diff --git a/lass/2configs/telegraf.nix b/lass/2configs/telegraf.nix
new file mode 100644
index 000000000..4f46cd721
--- /dev/null
+++ b/lass/2configs/telegraf.nix
@@ -0,0 +1,67 @@
+{ config, lib, pkgs, ... }:
+let
+ isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules;
+in {
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 9273"; target = "ACCEPT"; }
+ ];
+
+ systemd.services.telegraf.path = [ pkgs.nvme-cli ];
+
+ services.telegraf = {
+ enable = true;
+ extraConfig = {
+ agent.interval = "60s";
+ inputs = {
+ prometheus.metric_version = 2;
+ kernel_vmstat = { };
+ # smart = lib.mkIf (!isVM) {
+ # path = pkgs.writeShellScript "smartctl" ''
+ # exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@"
+ # '';
+ # };
+ system = { };
+ mem = { };
+ file = [{
+ data_format = "influx";
+ file_tag = "name";
+ files = [ "/var/log/telegraf/*" ];
+ }] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) {
+ name_override = "ext4_errors";
+ files = [ "/sys/fs/ext4/*/errors_count" ];
+ data_format = "value";
+ };
+ exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) {
+ ## Commands array
+ commands = [
+ (pkgs.writeScript "zpool-health" ''
+ #!${pkgs.gawk}/bin/awk -f
+ BEGIN {
+ while ("${pkgs.zfs}/bin/zpool status" | getline) {
+ if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 }
+ if ($1 ~ /state:/) { printf " state=\"%s\",", $2 }
+ if ($1 ~ /errors:/) {
+ if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2
+ }
+ }
+ }
+ '')
+ ];
+ data_format = "influx";
+ };
+ systemd_units = { };
+ swap = { };
+ disk.tagdrop = {
+ fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ];
+ device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ];
+ };
+ diskio = { };
+ };
+ outputs.prometheus_client = {
+ listen = ":9273";
+ metric_version = 2;
+ };
+ };
+ };
+}
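Review bot: `isVM` on the `let` line is referenced only by the commented-out `smart` input, so it is dead code every reader has to trace; either drop the binding or restore the input when it is ready. In the `zpool-health` awk script the `name=%s ` format ends with a space and the `state` format begins with one, so a pool line comes out as `zpool_status,name=tank  state=\"ONLINE\",errors=0i` with two spaces between tags and fields; I would confirm that telegraf's influx parser tolerates that and otherwise drop one of the spaces. A comment on the `prometheus_client` output noting that `listen = ":9273"` binds all interfaces and relies on the retiolum-only iptables rule at the top of the file for access control would document the exposure in the place it is configured.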
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index e603f49da..40f67537e 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -28,6 +28,7 @@ in {
(servePage [ "aldonasiech.com" "www.aldonasiech.com" ])
(servePage [ "apanowicz.de" "www.apanowicz.de" ])
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
+ (servePage [ "illustra.de" "www.illustra.de" ])
(servePage [
"freemonkey.art"
"www.freemonkey.art"
@@ -81,6 +82,7 @@ in {
"o_ubikmedia_de"
];
+ services.phpfpm.phpPackage = pkgs.php73;
services.phpfpm.phpOptions = ''
sendmail_path = ${sendmail} -t
upload_max_filesize = 100M
@@ -88,12 +90,18 @@ in {
file_uploads = on
'';
+ krebs.secret.files.nextcloud_pw = {
+ path = "/run/nextcloud.pw";
+ owner.name = "nextcloud";
+ group-name = "nextcloud";
+ source-path = toString <secrets> + "/nextcloud_pw";
+ };
services.nextcloud = {
enable = true;
hostName = "o.xanf.org";
- package = pkgs.nextcloud20;
+ package = pkgs.nextcloud21;
config = {
- adminpassFile = toString <secrets> + "/nextcloud_pw";
+ adminpassFile = "/run/nextcloud.pw";
overwriteProtocol = "https";
};
https = true;
@@ -178,7 +186,7 @@ in {
group = "xanf";
home = "/home/xanf";
useDefaultShell = true;
- createHome = true;
+ createHome = false; # creathome forces permissions
isNormalUser = true;
};
@@ -291,6 +299,24 @@ in {
isNormalUser = true;
};
+ users.users.movematchers = {
+ uid = genid_uint31 "movematchers";
+ home = "/home/movematchers";
+ useDefaultShell = true;
+ extraGroups = [ "xanf" ];
+ createHome = true;
+ isNormalUser = true;
+ };
+
+ users.users.blackphoton = {
+ uid = genid_uint31 "blackphoton";
+ home = "/home/blackphoton";
+ useDefaultShell = true;
+ extraGroups = [ "xanf" ];
+ createHome = true;
+ isNormalUser = true;
+ };
+
users.groups.xanf = {};
krebs.on-failure.plans.restic-backups-domsen = {
@@ -332,14 +358,14 @@ in {
'';
krebs.permown = {
- "/backups/domsen" = {
- owner = "backup";
+ "/srv/http" = {
group = "syncthing";
+ owner = "nginx";
umask = "0007";
};
- "/srv/http" = {
- owner = "syncthing";
- group = "nginx";
+ "/home/xanf/XANF_TEAM" = {
+ owner = "XANF_TEAM";
+ group = "xanf";
umask = "0007";
};
};
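Review bot: `owner = "XANF_TEAM"` on the new `/home/xanf/XANF_TEAM` entry names a user that is not declared anywhere in the visible hunks (only xanf, movematchers and blackphoton are); if no such user exists elsewhere, permown will be asked to chown to a nonexistent account — worth confirming, and if this is meant to be a group-shared directory the owner is more likely `xanf` with `group = "xanf"`. Separately, the rewritten `/srv/http` entry makes `nginx` the owner with `umask = "0007"`, so the web server process now has write access to its own document root; if nginx only needs to read the tree, a comment stating why it must own it would help the next reader judge the exposure.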