diff options
Diffstat (limited to 'lass')
50 files changed, 412 insertions, 455 deletions
diff --git a/lass/1systems/blue/source.nix b/lass/1systems/blue/source.nix index 2b4158211..0b2bf5f5b 100644 --- a/lass/1systems/blue/source.nix +++ b/lass/1systems/blue/source.nix @@ -1,5 +1,5 @@ { lib, pkgs, test, ... }: -{ +if test then {} else { nixpkgs = lib.mkIf (! test) (lib.mkForce { file = { path = toString (pkgs.fetchFromGitHub { diff --git a/lass/1systems/coaxmetal/config.nix b/lass/1systems/coaxmetal/config.nix index 227c5e1e9..0e6bddf5e 100644 --- a/lass/1systems/coaxmetal/config.nix +++ b/lass/1systems/coaxmetal/config.nix @@ -16,7 +16,7 @@ <stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - # <stockholm/lass/2configs/nfs-dl.nix> + <stockholm/lass/2configs/prism-mounts/samba.nix> <stockholm/lass/2configs/pass.nix> <stockholm/lass/2configs/mail.nix> <stockholm/lass/2configs/bitcoin.nix> diff --git a/lass/1systems/coaxmetal/source.nix b/lass/1systems/coaxmetal/source.nix new file mode 100644 index 000000000..abbf26c75 --- /dev/null +++ b/lass/1systems/coaxmetal/source.nix @@ -0,0 +1,21 @@ +{ lib, pkgs, test, ... }: let + npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json; +in { + nixpkgs = (if test then lib.mkForce ({ derivation = let + rev = npkgs.rev; + sha256 = npkgs.sha256; + in '' + with import (builtins.fetchTarball { + url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz"; + sha256 = "${sha256}"; + }) {}; + pkgs.fetchFromGitHub { + owner = "nixos"; + repo = "nixpkgs"; + rev = "${rev}"; + sha256 = "${sha256}"; + } + ''; }) else { + git.ref = lib.mkForce npkgs.rev; + }); +} diff --git a/lass/1systems/echelon/config.nix b/lass/1systems/echelon/config.nix index 9e72916b3..eacdff782 100644 --- a/lass/1systems/echelon/config.nix +++ b/lass/1systems/echelon/config.nix @@ -5,10 +5,13 @@ <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/tor-initrd.nix> + <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/green-host.nix> ]; krebs.build.host = config.krebs.hosts.echelon; boot.tmpOnTmpfs = true; + } diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index d7bf62b40..b41e396c9 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -17,6 +17,8 @@ with import <stockholm/lib>; <stockholm/lass/2configs/IM.nix> <stockholm/lass/2configs/muchsync.nix> <stockholm/lass/2configs/pass.nix> + + <stockholm/lass/2configs/git-brain.nix> ]; krebs.build.host = config.krebs.hosts.green; @@ -68,6 +70,13 @@ with import <stockholm/lib>; ]; clearTarget = true; }; + "/var/lib/git" = { + source = "/var/state/git"; + options = [ + "-M ${toString config.users.users.git.uid}" + ]; + clearTarget = true; + }; }; systemd.services."bindfs-_home_lass_Maildir".serviceConfig.ExecStartPost = pkgs.writeDash "symlink-notmuch" '' diff --git a/lass/1systems/green/source.nix b/lass/1systems/green/source.nix index 48499c9db..da137e064 100644 --- a/lass/1systems/green/source.nix +++ b/lass/1systems/green/source.nix @@ -1,5 +1,4 @@ -{ lib, pkgs, ... }: -{ +{ lib, pkgs, test, ... }: +if test then {} else { nixpkgs-unstable = lib.mkForce { file = "/var/empty"; }; - nixpkgs.git.shallow = true; } diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix deleted file mode 100644 index 79d4f528d..000000000 --- a/lass/1systems/morpheus/config.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ config, pkgs, ... }: -with import <stockholm/lib>; -{ - imports = [ - <stockholm/lass> - <stockholm/lass/2configs/retiolum.nix> - - <stockholm/lass/2configs/syncthing.nix> - <stockholm/lass/2configs/green-host.nix> - ]; - - krebs.build.host = config.krebs.hosts.morpheus; - - networking.wireless.enable = false; - networking.networkmanager.enable = true; - - services.logind.lidSwitch = "ignore"; - services.logind.lidSwitchDocked = "ignore"; - - environment.systemPackages = with pkgs; [ - gitAndTools.hub - nix-review - firefox - ag - ]; - - services.openssh.forwardX11 = true; - programs.x2goserver.enable = true; -} diff --git a/lass/1systems/morpheus/physical.nix b/lass/1systems/morpheus/physical.nix deleted file mode 100644 index 6e59a2273..000000000 --- a/lass/1systems/morpheus/physical.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ - imports = [ - ./config.nix - <nixpkgs/nixos/modules/installer/scan/not-detected.nix> - ]; - - boot.loader.grub.enable = true; - boot.loader.grub.version = 2; - boot.loader.grub.efiSupport = true; - boot.loader.grub.efiInstallAsRemovable = true; - boot.loader.grub.device = "nodev"; - - networking.hostId = "06442b9a"; - - fileSystems."/" = { - device = "/dev/pool/root"; - fsType = "btrfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/1F60-17C6"; - fsType = "vfat"; - }; - - fileSystems."/home" = { - device = "/dev/pool/home"; - fsType = "btrfs"; - }; - - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - boot.initrd.luks = { - cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - devices.luksroot.device = "/dev/nvme0n1p3"; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="f8:59:71:a9:05:65", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="54:e1:ad:4f:06:83", NAME="et0" - ''; -} diff --git a/lass/1systems/mors/source.nix b/lass/1systems/mors/source.nix new file mode 100644 index 000000000..abbf26c75 --- /dev/null +++ b/lass/1systems/mors/source.nix @@ -0,0 +1,21 @@ +{ lib, pkgs, test, ... }: let + npkgs = lib.importJSON ../../../krebs/nixpkgs-unstable.json; +in { + nixpkgs = (if test then lib.mkForce ({ derivation = let + rev = npkgs.rev; + sha256 = npkgs.sha256; + in '' + with import (builtins.fetchTarball { + url = "https://github.com/nixos/nixpkgs/archive/${rev}.tar.gz"; + sha256 = "${sha256}"; + }) {}; + pkgs.fetchFromGitHub { + owner = "nixos"; + repo = "nixpkgs"; + rev = "${rev}"; + sha256 = "${sha256}"; + } + ''; }) else { + git.ref = lib.mkForce npkgs.rev; + }); +} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index d43fb804a..45f9ae00e 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -112,7 +112,6 @@ with import <stockholm/lib>; }; } <stockholm/lass/2configs/exim-smarthost.nix> - <stockholm/lass/2configs/ts3.nix> <stockholm/lass/2configs/privoxy-retiolum.nix> <stockholm/lass/2configs/radio.nix> <stockholm/lass/2configs/binary-cache/server.nix> @@ -124,16 +123,6 @@ with import <stockholm/lib>; <stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/container-networking.nix> <stockholm/lass/2configs/jitsi.nix> - { # quasi bepasty.nix - imports = [ - <stockholm/lass/2configs/bepasty.nix> - ]; - krebs.bepasty.servers."paste.r".nginx.extraConfig = '' - if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) { - return 403; - } - ''; - } { services.tor = { enable = true; diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index 1a3bee850..26ecd1cda 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -65,6 +65,12 @@ fsType = "ext4"; }; + # silence mdmonitor.service failures + # https://github.com/NixOS/nixpkgs/issues/72394 + environment.etc."mdadm.conf".text = '' + MAILADDR root + ''; + nix.maxJobs = lib.mkDefault 8; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; diff --git a/lass/1systems/red/config.nix b/lass/1systems/red/config.nix deleted file mode 100644 index 3139e94a2..000000000 --- a/lass/1systems/red/config.nix +++ /dev/null @@ -1,28 +0,0 @@ -with import <stockholm/lib>; -{ config, lib, pkgs, ... }: -let - inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) - servephpBB - ; -in -{ - imports = [ - <stockholm/lass> - <stockholm/lass/2configs> - <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/websites> - <stockholm/lass/2configs/websites/sqlBackup.nix> - (servephpBB [ "rote-allez-fraktion.de" ]) - ]; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } - ]; - - krebs.build.host = config.krebs.hosts.red; - - services.nginx.enable = true; - environment.systemPackages = [ - pkgs.mk_sql_pair - ]; -} diff --git a/lass/1systems/red/physical.nix b/lass/1systems/red/physical.nix deleted file mode 100644 index b6aa3a894..000000000 --- a/lass/1systems/red/physical.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ - imports = [ - ./config.nix - ]; - boot.isContainer = true; - networking.useDHCP = false; -} diff --git a/lass/1systems/uriel/config.nix b/lass/1systems/uriel/config.nix deleted file mode 100644 index c3ce8fced..000000000 --- a/lass/1systems/uriel/config.nix +++ /dev/null @@ -1,47 +0,0 @@ -{ config, pkgs, ... }: - -with builtins; -with import <stockholm/lib>; -{ - imports = [ - <stockholm/lass> - <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/exim-retiolum.nix> - { - # locke config - i18n.defaultLocale ="de_DE.UTF-8"; - time.timeZone = "Europe/Berlin"; - services.xserver.enable = true; - services.xserver.libinput.enable = false; - users.users.locke = { - uid = genid "locke"; - home = "/home/locke"; - group = "users"; - createHome = true; - extraGroups = [ - "audio" - "networkmanager" - ]; - useDefaultShell = true; - isNormalUser = true; - }; - networking.networkmanager.enable = true; - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - environment.systemPackages = with pkgs; [ - pavucontrol - firefox - hexchat - networkmanagerapplet - ]; - services.xserver.desktopManager.xfce = { - enable = true; - }; - } - ]; - - krebs.build.host = config.krebs.hosts.uriel; - nixpkgs.config.allowUnfree = true; -} diff --git a/lass/1systems/uriel/physical.nix b/lass/1systems/uriel/physical.nix deleted file mode 100644 index 82a088643..000000000 --- a/lass/1systems/uriel/physical.nix +++ /dev/null @@ -1,59 +0,0 @@ -{ - imports = [ - ./config.nix - ]; - - hardware.enableRedistributableFirmware = true; - boot = { - #kernelParams = [ - # "acpi.brightness_switch_enabled=0" - #]; - #loader.grub.enable = true; - #loader.grub.version = 2; - #loader.grub.device = "/dev/sda"; - - loader.systemd-boot.enable = true; - loader.timeout = 5; - - initrd.luks.devices.luksroot.device = "/dev/sda2"; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; - kernelModules = [ "msr" ]; - }; - fileSystems = { - "/" = { - device = "/dev/pool/root"; - fsType = "ext4"; - }; - - "/bku" = { - device = "/dev/pool/bku"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - "/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" - ''; - - services.xserver.synaptics = { - enable = true; - twoFingerScroll = true; - accelFactor = "0.035"; - additionalOptions = '' - Option "FingerHigh" "60" - Option "FingerLow" "60" - ''; - }; -} diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix index 5108f6bc1..5b8cebf5c 100644 --- a/lass/2configs/IM.nix +++ b/lass/2configs/IM.nix @@ -30,7 +30,7 @@ in { imports = [ ./bitlbee.nix ]; - environment.systemPackages = [ tmux ]; + environment.systemPackages = [ tmux weechat ]; systemd.services.chat = { description = "chat environment setup"; after = [ "network.target" ]; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 23eaa2802..124eef2cf 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -11,6 +11,7 @@ in { ./xdg-open.nix ./yubikey.nix ./pipewire.nix + ./tmux.nix ./xmonad.nix { krebs.per-user.lass.packages = [ @@ -61,7 +62,8 @@ in { font-size fzfmenu gimp - gitAndTools.qgit + gitAndTools.hub + git-crypt git-preview gnome3.dconf iodine @@ -85,6 +87,7 @@ in { xorg.xhost xsel zathura + flameshot-once (pkgs.writeDashBin "screenshot" '' set -efu diff --git a/lass/2configs/bepasty.nix b/lass/2configs/bepasty.nix deleted file mode 100644 index 9bd416c05..000000000 --- a/lass/2configs/bepasty.nix +++ /dev/null @@ -1,44 +0,0 @@ -{ config, pkgs, ... }: -with import <stockholm/lib>; - -# secrets used: -# wildcard.krebsco.de.crt -# wildcard.krebsco.de.key -# bepasty-secret.nix <- contains single string - -with import <stockholm/lib>; -let - secKey = import <secrets/bepasty-secret.nix>; - ext-doms = [ - "paste.lassul.us" - "paste.krebsco.de" - ]; -in { - - services.nginx.enable = mkDefault true; - krebs.bepasty = { - enable = true; - serveNginx= true; - - servers = { - "paste.r" = { - nginx = { - serverAliases = [ - "paste.${config.krebs.build.host.name}" - "paste.r" - ]; - }; - defaultPermissions = "admin,list,create,read,delete"; - secretKey = secKey; - }; - } // - genAttrs ext-doms (ext-dom: { - nginx = { - forceSSL = true; - enableACME = true; - }; - defaultPermissions = "read,create"; - secretKey = secKey; - }); - }; -} diff --git a/lass/2configs/binary-cache/server.nix b/lass/2configs/binary-cache/server.nix index 101dd045f..baa891821 100644 --- a/lass/2configs/binary-cache/server.nix +++ b/lass/2configs/binary-cache/server.nix @@ -29,6 +29,13 @@ locations."/".extraConfig = '' proxy_pass http://localhost:${toString config.services.nix-serve.port}; ''; + locations."= /nix-cache-info".extraConfig = '' + alias ${pkgs.writeText "cache-info" '' + StoreDir: /nix/store + WantMassQuery: 1 + Priority: 42 + ''}; + ''; }; virtualHosts."cache.krebsco.de" = { forceSSL = true; diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix index 15408a200..28c7d640d 100644 --- a/lass/2configs/blue.nix +++ b/lass/2configs/blue.nix @@ -2,16 +2,13 @@ with (import <stockholm/lib>); { config, lib, pkgs, ... }: { - imports = [ - ./bitlbee.nix ./mail.nix ./pass.nix ]; environment.systemPackages = with pkgs; [ ag - brain dic nmap git-preview @@ -30,43 +27,6 @@ with (import <stockholm/lib>); { predicate = "-i wiregrill -p tcp --dport imap"; target = "ACCEPT";} ]; - systemd.services.chat = let - tmux = pkgs.writeDash "tmux" '' - exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" '' - set-option -g prefix ` - unbind-key C-b - bind ` send-prefix - - set-option -g status off - set-option -g default-terminal screen-256color - - #use session instead of windows - bind-key c new-session - bind-key p switch-client -p - bind-key n switch-client -n - bind-key C-s switch-client -l - ''} "$@" - ''; - in { - description = "chat environment setup"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - restartIfChanged = false; - - path = [ - pkgs.rxvt_unicode.terminfo - ]; - - serviceConfig = { - User = "lass"; - RemainAfterExit = true; - Type = "oneshot"; - ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat"; - ExecStop = "${tmux} kill-session -t IM"; - }; - }; - services.dovecot2 = { enable = true; mailLocation = "maildir:~/Maildir"; diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix index d29a65210..271dcfca4 100644 --- a/lass/2configs/codimd.nix +++ b/lass/2configs/codimd.nix @@ -1,27 +1,52 @@ { config, pkgs, lib, ... }: with import <stockholm/lib>; -{ - services.nginx.virtualHosts.codimd = { +let + domain = "pad.lassul.us"; +in { + + # redirect legacy domain to new one + services.nginx.virtualHosts."codi.lassul.us" = { enableACME = true; addSSL = true; - serverName = "codi.lassul.us"; - locations."/".extraConfig = '' - client_max_body_size 4G; - proxy_set_header Host $host; - proxy_pass http://localhost:3091; - ''; + locations."/".return = "301 https://${domain}\$request_uri"; + }; + + services.nginx.virtualHosts.${domain} = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "https://localhost:3091"; + proxyWebsockets = true; + }; + }; + + security.acme.certs.${domain}.group = "hedgecert"; + users.groups.hedgecert.members = [ "codimd" "nginx" ]; + + security.dhparams = { + enable = true; + params.hedgedoc = {}; }; services.hedgedoc = { enable = true; - configuration.allowOrigin = [ "*" ]; + configuration.allowOrigin = [ domain ]; configuration = { db = { dialect = "sqlite"; storage = "/var/lib/codimd/db.codimd.sqlite"; - useCDN = false; }; + useCDN = false; port = 3091; + domain = domain; + allowFreeURL = true; + + useSSL = true; + protocolUseSSL = true; |