9 files changed, 174 insertions, 123 deletions

diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix
index 6bcbd740..51db9a40 100644
--- a/lass/2configs/gg23.nix
+++ b/lass/2configs/gg23.nix
@@ -2,37 +2,56 @@
 with import <stockholm/lib>;
 
 {
+  systemd.network.networks."50-et0" = {
+    matchConfig.Name = "et0";
+    DHCP = "yes";
+    # dhcpV4Config.UseDNS = false;
+    # dhcpV6Config.UseDNS = false;
+    linkConfig = {
+      RequiredForOnline = "routable";
+    };
+    # networkConfig = {
+    #   LinkLocalAddressing = "no";
+    # };
+    # dhcpV6Config = {
+    #   PrefixDelegationHint = "::/60";
+    # };
+    # networkConfig = {
+    #   IPv6AcceptRA = true;
+    # };
+    # ipv6PrefixDelegationConfig = {
+    #   Managed = true;
+    # };
+  };
+  systemd.network.networks."50-int0" = {
+    name = "int0";
+    address = [
+      "10.42.0.1/24"
+    ];
+    networkConfig = {
+      IPForward = "yes";
+      IPMasquerade = "both";
+      ConfigureWithoutCarrier = true;
+      DHCPServer = "yes";
+      # IPv6SendRA = "yes";
+      # DHCPPrefixDelegation = "yes";
+    };
+  };
   networking.networkmanager.unmanaged = [ "int0" ];
-  networking.interfaces.int0.ipv4.addresses = [{
-    address = "10.42.0.1";
-    prefixLength = 24;
-  }];
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-i int0"; target = "ACCEPT"; }
+  ];
+  krebs.iptables.tables.filter.FORWARD.rules = [
+    { predicate = "-i int0"; target = "ACCEPT"; }
+    { predicate = "-o int0"; target = "ACCEPT"; }
+    { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; }
+  ];
+  krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
+    { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; }
+  ];
 
   networking.domain = "gg23";
 
-  services.dhcpd4 = {
-    enable = true;
-    interfaces = [ "int0" ];
-    extraConfig = ''
-      option subnet-mask 255.255.255.0;
-      option routers 10.42.0.1;
-      option domain-name-servers 10.42.0.1;
-      subnet 10.42.0.0 netmask 255.255.255.0 {
-        range 10.42.0.100 10.42.0.200;
-      }
-    '';
-    machines = [
-      { ethernetAddress = "a8:a6:48:65:ce:4c"; hostName = "tv"; ipAddress = "10.42.0.3"; }
-      { ethernetAddress = "3c:2a:f4:22:28:37"; hostName = "drucker"; ipAddress = "10.42.0.4"; }
-      { ethernetAddress = "80:7d:3a:67:b7:01"; hostName = "s20-tv"; ipAddress = "10.42.0.10"; }
-      { ethernetAddress = "80:7d:3a:68:04:f0"; hostName = "s20-drucker"; ipAddress = "10.42.0.11"; }
-      { ethernetAddress = "80:7d:3a:68:11:a5"; hostName = "s20-wasch"; ipAddress = "10.42.0.12"; }
-      { ethernetAddress = "80:7d:3a:67:bb:69"; hostName = "s20-stereo"; ipAddress = "10.42.0.13"; }
-      { ethernetAddress = "ec:b5:fa:07:78:16"; hostName = "hue-bridge"; ipAddress = "10.42.0.21"; }
-      { ethernetAddress = "80:8d:b7:c5:80:dc"; hostName = "arubaAP"; ipAddress = "10.42.0.99"; }
-    ];
-  };
-
   services.dnsmasq = {
     enable = true;
     resolveLocalQueries = false;
@@ -45,22 +64,4 @@ with import <stockholm/lib>;
       interface=int0
     '';
   };
-
-  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
-  krebs.iptables.tables.filter.INPUT.rules = [
-    { predicate = "-i int0 -p udp --dport 53"; target = "ACCEPT"; } # dns
-  ];
-  krebs.iptables.tables.filter.FORWARD.rules = [
-    { v6 = false; predicate = "-d 10.42.0.0/24 -o int0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
-    { v6 = false; predicate = "-s 10.42.0.0/24 -i int0"; target = "ACCEPT"; }
-    { v6 = false; predicate = "-o int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
-    { v6 = false; predicate = "-i int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
-  ];
-  krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
-    { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; }
-  ];
-  krebs.iptables.tables.nat.POSTROUTING.rules = [
-    { v6 = false; predicate = "-s 10.42.0.0/24 ! -d 10.42.0.0/24"; target = "MASQUERADE"; }
-  ];
 }
-
diff --git a/lass/2configs/radio/container-host.nix b/lass/2configs/radio/container-host.nix
new file mode 100644
index 00000000..e32095ff
--- /dev/null
+++ b/lass/2configs/radio/container-host.nix
@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+{
+  lass.sync-containers3.containers.radio = {
+    sshKey = "${toString <secrets>}/radio.sync.key";
+  };
+  containers.radio = {
+    bindMounts."/var/music" = {
+      hostPath = "/var/music";
+      isReadOnly = false;
+    };
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; }
+  ];
+  krebs.htgen.radio-redirect = {
+    port = 8000;
+    scriptFile = pkgs.writers.writeDash "redir" ''
+      printf 'HTTP/1.1 301 Moved Permanently\r\n'
+      printf "Location: http://radio.lassul.us''${Request_URI}\r\n"
+      printf '\r\n'
+    '';
+  };
+}
diff --git a/lass/2configs/radio/default.nix b/lass/2configs/radio/default.nix
index dfb3d7e0..a511196f 100644
--- a/lass/2configs/radio/default.nix
+++ b/lass/2configs/radio/default.nix
@@ -3,7 +3,7 @@
 let
   name = "radio";
 
-  music_dir = "/home/radio/music";
+  music_dir = "/var/music";
 
   skip_track = pkgs.writers.writeBashBin "skip_track" ''
     set -eu
@@ -113,7 +113,7 @@ in {
         LIMIT=1000 #how many tracks to keep in the history
         HISTORY_FILE=/var/lib/radio/recent
 
-        listeners=$(${pkgs.curl}/bin/curl -fSs lassul.us:8000/status-json.xsl |
+        listeners=$(${pkgs.curl}/bin/curl -fSs http://localhost:8000/status-json.xsl |
           ${pkgs.jq}/bin/jq '[.icestats.source[].listeners] | add' || echo 0)
         echo "$(${pkgs.coreutils}/bin/date -Is)" "$filename" | ${pkgs.coreutils}/bin/tee -a "$HISTORY_FILE"
         echo "$(${pkgs.coreutils}/bin/tail -$LIMIT "$HISTORY_FILE")" > "$HISTORY_FILE"
@@ -128,14 +128,33 @@ in {
     serviceConfig.User = lib.mkForce "radio";
   };
 
+  nixpkgs.config.packageOverrides = opkgs: {
+    icecast = opkgs.icecast.overrideAttrs (old: rec {
+      version = "2.5-beta3";
+
+      src = pkgs.fetchurl {
+        url = "http://downloads.xiph.org/releases/icecast/icecast-${version}.tar.gz";
+        sha256 = "sha256-4FDokoA9zBDYj8RAO/kuTHaZ6jZYBLSJZiX/IYFaCW8=";
+      };
+
+      buildInputs = old.buildInputs ++ [ pkgs.pkg-config ];
+    });
+  };
   services.icecast = {
     enable = true;
     hostname = "radio.lassul.us";
     admin.password = "hackme";
     extraConf = ''
       <authentication>
-       <source-password>hackme</source-password>
+        <source-password>hackme</source-password>
+        <admin-user>admin</admin-user>
+        <admin-password>hackme</admin-password>
       </authentication>
+      <logging>
+        <accesslog>-</accesslog>
+        <errorlog>-</errorlog>
+        <loglevel>3</loglevel>
+      </logging>
     '';
   };
 
@@ -234,18 +253,38 @@ in {
     '';
   };
 
+  networking.firewall.allowedTCPPorts = [ 80 ];
   services.nginx = {
     enable = true;
-    virtualHosts."radio.lassul.us" = {
-      forceSSL = true;
-      enableACME = true;
+    virtualHosts."radio.r" = {
       locations."/".extraConfig = ''
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Host $host;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Real-IP $remote_addr;
+        # https://github.com/aswild/icecast-notes#core-nginx-config
         proxy_pass http://localhost:8000;
+        # Disable request size limit, very important for uploading large files
+        client_max_body_size 0;
+
+        # Enable support `Transfer-Encoding: chunked`
+        chunked_transfer_encoding on;
+
+        # Disable request and response buffering, minimize latency to/from Icecast
+        proxy_buffering off;
+        proxy_request_buffering off;
+
+        # Icecast needs HTTP/1.1, not 1.0 or 2
+        proxy_http_version 1.1;
+
+        # Forward all original request headers
+        proxy_pass_request_headers on;
+
+        # Set some standard reverse proxy headers. Icecast server currently ignores these,
+        # but may support them in a future version so that access logs are more useful.
+        proxy_set_header  Host              $host;
+        proxy_set_header  X-Real-IP         $remote_addr;
+        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header  X-Forwarded-Proto $scheme;
+
+        # get source ip for weather reports
+        proxy_set_header user-agent "$http_user_agent; client-ip=$remote_addr";
       '';
       locations."= /recent".extraConfig = ''
         default_type "text/plain";
@@ -266,7 +305,7 @@ in {
         while sleep 1; do
           mpv \
             --cache-secs=0 --demuxer-readahead-secs=0 --untimed --cache-pause=no \
-            'http://lassul.us:8000/radio.ogg'
+            'http://radio.lassul.us/radio.ogg'
         done
       '';
       locations."= /controls".extraConfig = ''
@@ -278,35 +317,12 @@ in {
         add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
       '';
     };
-    virtualHosts."lassul.us".locations."= /the_playlist".extraConfig = let
-      html = pkgs.writeText "index.html" ''
-        <!DOCTYPE html>
-        <html lang="en">
-          <head>
-            <meta charset="utf-8">
-            <title>lassulus playlist</title>
-          </head>
-          <body>
-            <div style="display:inline-block;margin:0px;padding:0px;overflow:hidden">
-              <iframe src="https://kiwiirc.com/client/irc.hackint.org/?nick=kiwi_test|?&theme=cli#the_playlist" frameborder="0" style="overflow:hidden;overflow-x:hidden;overflow-y:hidden;height:95%;width:100%;position:absolute;top:0px;left:0px;right:0px;bottom:0px" height="95%" width="100%"></iframe>
-            </div>
-            <div style="position:absolute;bottom:1px;display:inline-block;background-color:red;">
-              <audio controls autoplay="autoplay"><source src="http://lassul.us:8000/radio.ogg" type="audio/ogg">Your browser does not support the audio element.</audio>
-            </div>
-            <!-- page content -->
-          </body>
-        </html>
-      '';
-    in ''
-      default_type "text/html";
-      alias ${html};
-    '';
   };
   services.syncthing.declarative.folders."the_playlist" = {
-    path = "/home/radio/music/the_playlist";
-    devices = [ "mors" "phone" "prism" "omo" ];
+    path = "/var/music/the_playlist";
+    devices = [ "mors" "phone" "prism" "omo" "radio" ];
   };
-  krebs.acl."/home/radio/music/the_playlist"."u:syncthing:X".parents = true;
-  krebs.acl."/home/radio/music/the_playlist"."u:syncthing:rwX" = {};
-  krebs.acl."/home/radio/music/the_playlist"."u:radio:rwX" = {};
+  krebs.acl."/var/music/the_playlist"."u:syncthing:X".parents = true;
+  krebs.acl."/var/music/the_playlist"."u:syncthing:rwX" = {};
+  krebs.acl."/var/music/the_playlist"."u:radio:rwX" = {};
 }
diff --git a/lass/2configs/radio/radio.liq b/lass/2configs/radio/radio.liq
index 70d31604..1366287a 100644
--- a/lass/2configs/radio/radio.liq
+++ b/lass/2configs/radio/radio.liq
@@ -10,7 +10,7 @@ def stringify_attrs(attrs) =
   out
 end
 
-def filter_graveyard(req) =
+def filter_music(req) =
   filename = request.filename(req)
   if string.match(pattern = '.*/\\.graveyard/.*', filename) then
     false
@@ -27,7 +27,7 @@ end
 env = environment()
 port = string.to_int(env["RADIO_PORT"], default = 8000)
 
-all_music = playlist(env["MUSIC"], check_next = filter_graveyard)
+all_music = playlist(env["MUSIC"], check_next = filter_music)
 wishlist = request.queue()
 tracks = fallback(track_sensitive = true, [wishlist, all_music])
 tracks = blank.eat(tracks)
@@ -36,7 +36,7 @@ last_metadata = ref([])
 def on_metadata(m) =
   last_metadata := m
   print("changing tracks")
-  out = process.read(env["HOOK_TRACK_CHANGE"], env = m)
+  out = process.read(env["HOOK_TRACK_CHANGE"], env = m, timeout = 5.0)
   print(out)
 end
 tracks.on_metadata(on_metadata)
diff --git a/lass/2configs/radio/weather.nix b/lass/2configs/radio/weather.nix
index 704bf721..dca8a784 100644
--- a/lass/2configs/radio/weather.nix
+++ b/lass/2configs/radio/weather.nix
@@ -10,20 +10,25 @@ let
     export PATH="${lib.makeBinPath [
       pkgs.coreutils
       pkgs.curl
-      pkgs.iproute2
-      pkgs.jc
       pkgs.jq
     ]}"
     curl -fSsz /tmp/GeoLite2-City.mmdb -o /tmp/GeoLite2-City.mmdb http://c.r/GeoLite2-City.mmdb
     MAXMIND_GEOIP_DB="/tmp/GeoLite2-City.mmdb"; export MAXMIND_GEOIP_DB
     OPENWEATHER_API_KEY=$(cat "$CREDENTIALS_DIRECTORY/openweather_api"); export OPENWEATHER_API_KEY
-    ss -no 'sport = :8000' |
-      jc --ss | jq -r '.[] |
-        select(
-          .local_address != "[::ffff:127.0.0.1]"
-          and .local_address != "[::1]"
-        ) | .peer_address | gsub("[\\[\\]]"; "")
-      ' |
+    (
+      curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.ogg'
+      curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.mp3'
+      curl -sS 'http://admin:hackme@localhost:8000/admin/listclients.json?mount=/radio.opus'
+    ) | jq -rs '
+      [
+        .[][].source|values|to_entries[].value |
+        (.listener//[]) [] |
+        (.useragent | capture("client-ip=(?<ip>[a-f0-9.:]+)")).ip // .ip
+      ] |
+        unique[] |
+        select(. != "127.0.0.1") |
+        select(. != "::1")
+    ' |
       ${weather_for_ips}/bin/weather_for_ips
   '';
 in {
diff --git a/lass/2configs/radio/weather_for_ips.py b/lass/2configs/radio/weather_for_ips.py
index 447c6389..62206a98 100644
--- a/lass/2configs/radio/weather_for_ips.py
+++ b/lass/2configs/radio/weather_for_ips.py
@@ -20,26 +20,29 @@ for ip in fileinput.input():
             f'The probability of reincarnation is {random.randrange(0, 100)} percent.'
         )
     else:
-        location = geoip.city(ip.strip())
-        if location.city.geoname_id not in seen:
-            seen[location.city.geoname_id] = True
-            weather_api_key = os.environ['OPENWEATHER_API_KEY']
-            url = (
-                f'https://api.openweathermap.org/data/2.5/onecall'
-                f'?lat={location.location.latitude}'
-                f'&lon={location.location.longitude}'
-                f'&appid={weather_api_key}'
-                f'&units=metric'
-            )
-            resp = requests.get(url)
-            weather = json.loads(resp.text)
-            output.append(
-                f'Weather report for {location.city.name}, {location.country.name}. '
-                f'It is {weather["current"]["weather"][0]["description"]} outside '
-                f'with a temperature of {weather["current"]["temp"]:.1f} degrees, '
-                f'a wind speed of {weather["current"]["wind_speed"]:.1f} meters per second '
-                f'and a humidity of {weather["current"]["humidity"]} percent. '
-                f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100:.0f} percent. '
-            )
+        try:
+            location = geoip.city(ip.strip())
+            if location.city.geoname_id not in seen:
+                seen[location.city.geoname_id] = True
+                weather_api_key = os.environ['OPENWEATHER_API_KEY']
+                url = (
+                    f'https://api.openweathermap.org/data/2.5/onecall'
+                    f'?lat={location.location.latitude}'
+                    f'&lon={location.location.longitude}'
+                    f'&appid={weather_api_key}'
+                    f'&units=metric'
+                )
+                resp = requests.get(url)
+                weather = json.loads(resp.text)
+                output.append(
+                    f'Weather report for {location.city.name}, {location.country.name}. '
+                    f'It is {weather["current"]["weather"][0]["description"]} outside '
+                    f'with a temperature of {weather["current"]["temp"]:.1f} degrees, '
+                    f'a wind speed of {weather["current"]["wind_speed"]:.1f} meters per second '
+                    f'and a humidity of {weather["current"]["humidity"]} percent. '
+                    f'The probability of precipitation is {weather["hourly"][0]["pop"] * 100:.0f} percent. '
+                )
+        except:  # noqa E722
+            pass
 
 print('\n'.join(output))
diff --git a/lass/2configs/riot.nix b/lass/2configs/riot.nix
index 37a6298c..559e7b20 100644
--- a/lass/2configs/riot.nix
+++ b/lass/2configs/riot.nix
@@ -7,8 +7,11 @@
         pkgs.git
         pkgs.jq
       ];
-      networking.useDHCP = lib.mkForce true;
-      networking.firewall.enable = false;
+      services.openssh.enable = true;
+      users.users.root.openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
+      ];
+      networking.defaultGateway = "10.233.1.1";
       systemd.services.autoswitch = {
         environment = {
           NIX_REMOTE = "daemon";
diff --git a/lass/2configs/sync/the_playlist.nix b/lass/2configs/sync/the_playlist.nix
index c01a11cc..233ca8fb 100644
--- a/lass/2configs/sync/the_playlist.nix
+++ b/lass/2configs/sync/the_playlist.nix
@@ -1,7 +1,7 @@
 {
   services.syncthing.folders.the_playlist = {
     path = "/home/lass/tmp/the_playlist";
-    devices = [ "mors" "phone" "prism" "omo" ];
+    devices = [ "mors" "phone" "prism" "omo" "radio" ];
   };
   krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:X".parents = true;
   krebs.acl."/home/lass/tmp/the_playlist"."u:syncthing:rwX" = {};
diff --git a/lass/2configs/prism-mounts/samba.nix b/lass/2configs/yellow-mounts/samba.nix
index 4b1475ef..e16f1cc4 100644
--- a/lass/2configs/prism-mounts/samba.nix
+++ b/lass/2configs/yellow-mounts/samba.nix
@@ -1,6 +1,6 @@
 {
-  fileSystems."/mnt/prism" = {
-    device = "//prism.r/public";
+  fileSystems."/mnt/yellow" = {
+    device = "//yellow.r/public";
     fsType = "cifs";
     options = [
       "guest"