diff options
Diffstat (limited to 'lass')
-rw-r--r-- | lass/1systems/green/config.nix | 94 | ||||
-rw-r--r-- | lass/1systems/yellow/config.nix | 13 | ||||
-rw-r--r-- | lass/2configs/IM.nix | 2 | ||||
-rw-r--r-- | lass/2configs/baseX.nix | 2 | ||||
-rw-r--r-- | lass/2configs/blue-host.nix | 2 | ||||
-rw-r--r-- | lass/2configs/consul.nix | 43 | ||||
-rw-r--r-- | lass/2configs/default.nix | 2 | ||||
-rw-r--r-- | lass/2configs/et-server.nix | 7 | ||||
-rw-r--r-- | lass/2configs/pipewire.nix | 2 | ||||
-rw-r--r-- | lass/2configs/weechat.nix | 221 | ||||
-rw-r--r-- | lass/2configs/xmonad.nix | 2 | ||||
-rw-r--r-- | lass/2configs/zsh.nix | 52 | ||||
-rw-r--r-- | lass/3modules/default.nix | 1 | ||||
-rw-r--r-- | lass/3modules/sync-containers3.nix | 306 | ||||
-rw-r--r-- | lass/5pkgs/weechat-matrix/default.nix | 80 |
15 files changed, 733 insertions, 96 deletions
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index 5cf7d9242..4fe7782e6 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -11,78 +11,47 @@ with import <stockholm/lib>; <stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/sync/sync.nix> <stockholm/lass/2configs/sync/decsync.nix> - <stockholm/lass/2configs/sync/weechat.nix> + <stockholm/lass/2configs/weechat.nix> <stockholm/lass/2configs/bitlbee.nix> - <stockholm/lass/2configs/IM.nix> + <stockholm/lass/2configs/muchsync.nix> <stockholm/lass/2configs/pass.nix> <stockholm/lass/2configs/git-brain.nix> + <stockholm/lass/2configs/et-server.nix> + <stockholm/lass/2configs/consul.nix> ]; krebs.build.host = config.krebs.hosts.green; - users.users.mainUser.openssh.authorizedKeys.keys = [ - config.krebs.users.lass-android.pubkey - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0rn3003CkJMk3jZrh/3MC6nVorHRymlFSI4x1brCKY" # weechat ssh tunnel - ]; - - krebs.bindfs = { - "/home/lass/.weechat" = { - source = "/var/state/lass_weechat"; - options = [ - "-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}" - "--create-for-user=${toString config.users.users.syncthing.uid}" - ]; - }; - "/home/lass/Maildir" = { - source = "/var/state/lass_mail"; - options = [ - "-M ${toString config.users.users.mainUser.uid}" - ]; - }; - "/var/lib/bitlbee" = { - source = "/var/state/bitlbee"; - options = [ - "-M ${toString config.users.users.bitlbee.uid}" - ]; - clearTarget = true; - }; - "/home/lass/.ssh" = { - source = "/var/state/lass_ssh"; - options = [ - "-M ${toString config.users.users.mainUser.uid}" - ]; - clearTarget = true; - }; - "/home/lass/.gnupg" = { - source = "/var/state/lass_gnupg"; - options = [ - "-M ${toString config.users.users.mainUser.uid}" - ]; - clearTarget = true; - }; - "/var/lib/git" = { - source = "/var/state/git"; - options = [ - "-M ${toString config.users.users.git.uid}" - ]; - clearTarget = true; - }; + lass.sync-containers3.inContainer = { + enable = true; + pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y"; }; - systemd.services."bindfs-_home_lass_Maildir".serviceConfig.ExecStartPost = pkgs.writeDash "symlink-notmuch" '' - sleep 1 - mkdir -p /home/lass/notmuch - chown lass: /home/lass/notmuch - ln -sfTr /home/lass/notmuch /home/lass/Maildir/.notmuch + systemd.tmpfiles.rules = [ + "d /var/state/lass_mail 0700 lass users -" + "L+ /home/lass/Maildir - - - - ../../var/state/lass_mail" + "d /home/lass/notmuch 0700 lass users -" + "L+ /var/state/lass_mail/.notmuch - - - - /home/lass/notmuch" - mkdir -p /home/lass/notmuch/muchsync - chown lass: /home/lass/notmuch/muchsync - mkdir -p /home/lass/Maildir/.muchsync - ln -sfTr /home/lass/Maildir/.muchsync /home/lass/notmuch/muchsync/tmp - ''; + "d /var/state/lass_ssh 0700 lass users -" + "L+ /home/lass/.ssh - - - - ../../var/state/lass_ssh" + "d /var/state/lass_gpg 0700 lass users -" + "L+ /home/lass/.gnupg - - - - ../../var/state/lass_gpg" + "d /var/state/lass_sync 0700 lass users -" + "L+ /home/lass/sync - - - - ../../var/state/lass_sync" + + "d /var/state/git 0700 git nogroup -" + "L+ /var/lib/git - - - - ../../var/state/git" + ]; + + users.users.mainUser.openssh.authorizedKeys.keys = [ + config.krebs.users.lass-android.pubkey + config.krebs.users.lass-tablet.pubkey + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKgpZwye6yavIs3gUIYvSi70spDa0apL2yHR0ASW74z8" # weechat ssh tunnel + ]; krebs.iptables.tables.nat.PREROUTING.rules = [ { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } @@ -93,4 +62,11 @@ with import <stockholm/lib>; HostKeyAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa ''; + + services.dovecot2 = { + enable = true; + mailLocation = "maildir:~/Maildir"; + }; + + networking.firewall.allowedTCPPorts = [ 143 ]; } diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index 554882bf3..f5071c4b7 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -154,6 +154,7 @@ with import <stockholm/lib>; tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir { predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web + { predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface { predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic { predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin @@ -164,7 +165,7 @@ with import <stockholm/lib>; client dev tun proto udp - remote 196.240.57.43 1194 + remote 194.110.84.106 1194 resolv-retry infinite remote-random nobind @@ -174,7 +175,7 @@ with import <stockholm/lib>; persist-key persist-tun ping 15 - ping-restart 0 + ping-restart 15 ping-timer-rem reneg-sec 0 comp-lzo no @@ -250,7 +251,7 @@ with import <stockholm/lib>; path = [ pkgs.coreutils pkgs.findutils - pkgs.inotifyTools + pkgs.inotify-tools ]; serviceConfig = { Restart = "always"; @@ -271,4 +272,10 @@ with import <stockholm/lib>; enable = true; group = "download"; }; + + services.magnetico = { + enable = true; + web.address = "0.0.0.0"; + web.port = 9092; + }; } diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix index 8567def02..8db2a05d6 100644 --- a/lass/2configs/IM.nix +++ b/lass/2configs/IM.nix @@ -24,7 +24,7 @@ in { restartIfChanged = false; path = [ - pkgs.rxvt_unicode.terminfo + pkgs.rxvt-unicode-unwrapped.terminfo ]; serviceConfig = { diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index e94cbbd2c..d3775ddbe 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -78,7 +78,7 @@ in { pavucontrol ponymix powertop - rxvt_unicode-with-plugins + rxvt-unicode sshvnc sxiv taskwarrior diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix index 7aabf0931..532e55fe5 100644 --- a/lass/2configs/blue-host.nix +++ b/lass/2configs/blue-host.nix @@ -34,7 +34,7 @@ in { config = { ... }: { environment.systemPackages = [ pkgs.git - pkgs.rxvt_unicode.terminfo + pkgs.rxvt-unicode-unwrapped.terminfo ]; services.openssh.enable = true; users.users.root.openssh.authorizedKeys.keys = [ diff --git a/lass/2configs/consul.nix b/lass/2configs/consul.nix new file mode 100644 index 000000000..b8d925de5 --- /dev/null +++ b/lass/2configs/consul.nix @@ -0,0 +1,43 @@ +{ config, lib, pkgs, ... }: +{ + services.consul = { + enable = true; + # dropPrivileges = false; + webUi = true; + # interface.bind = "retiolum"; + extraConfig = { + bind_addr = config.krebs.build.host.nets.retiolum.ip4.addr; + bootstrap_expect = 3; + server = true; + # retry_join = config.services.consul.extraConfig.start_join; + retry_join = lib.mapAttrsToList (n: h: + lib.head h.nets.retiolum.aliases + ) (lib.filterAttrs (n: h: h.consul) config.krebs.hosts); + rejoin_after_leave = true; + + # try to fix random lock loss on leader reelection + retry_interval = "3s"; + performance = { + raft_multiplier = 8; + }; + }; + }; + + environment.etc."consul.d/testservice.json".text = builtins.toJSON { + service = { + name = "testing"; + }; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 8300"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 8301"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 8301"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 8302"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 8302"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 8400"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 8500"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 8600"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp --dport 8500"; target = "ACCEPT"; } + ]; +} diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index e8ac55988..49a04e9c2 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -98,7 +98,7 @@ with import <stockholm/lib>; jq #style - rxvt_unicode.terminfo + rxvt-unicode-unwrapped.terminfo #monitoring tools htop diff --git a/lass/2configs/et-server.nix b/lass/2configs/et-server.nix new file mode 100644 index 000000000..19961fb84 --- /dev/null +++ b/lass/2configs/et-server.nix @@ -0,0 +1,7 @@ +{ config, lib, pkgs, ... }: +{ + services.eternal-terminal = { + enable = true; + }; + networking.firewall.allowedTCPPorts = [ config.services.eternal-terminal.port ]; +} diff --git a/lass/2configs/pipewire.nix b/lass/2configs/pipewire.nix index f6ccd48d4..ec5a67b6e 100644 --- a/lass/2configs/pipewire.nix +++ b/lass/2configs/pipewire.nix @@ -9,7 +9,7 @@ }; environment.systemPackages = with pkgs; [ - alsaUtils + alsa-utils pulseaudio ponymix ]; diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix new file mode 100644 index 000000000..845a7e3b8 --- /dev/null +++ b/lass/2configs/weechat.nix @@ -0,0 +1,221 @@ +{ config, lib, pkgs, ... }: let + + weechat-configured = pkgs.weechat-declarative.override { + config = { + scripts = [ + pkgs.weechat-matrix + pkgs.weechatScripts.wee-slack + ]; + settings = { + irc.server_default.nicks = [ "lassulus" "hackulus" ]; + irc.server.bitlbee = { + addresses = "localhost/6666"; + command = "msg &bitlbee identify \${sec.data.bitlbee}"; + }; + irc.server.hackint = { + addresses = "irc.hackint.org/6697"; + autojoin = [ + "#c3-gsm" + "#panthermoderns" + "#36c3" + "#cccac" + "#nixos" + "#krebs" + "#c-base" + "#afra" + "#tvl" + "#eloop" + "#systemdultras" + "#rc3" + "#krebs-announce" + "#the_playlist" + "#germany" + "#hackint" + "#dezentrale" + "#hackerfleet \${sec.data.c3-gsm}" # TODO support channel passwords in a cooler way + ]; + ssl = true; + sasl_fail = "reconnect"; + sasl_username = "lassulus"; + sasl_password = "\${sec.data.hackint_sasl}"; + }; + irc.server.r = { + addresses = "irc.r"; + autojoin = [ + "#xxx" + "#autowifi" + "#brockman" + "#flix" + "#kollkoll" + "#noise" + "#mukke" + ]; + sasl_fail = "reconnect"; + sasl_username = "lassulus"; + sasl_password = "\${sec.data.r_sasl}"; + anti_flood_prio_high = 0; + anti_flood_prio_low = 0; + }; + irc.server.libera = { + addresses = "irc.libera.chat/6697"; + autojoin = [ + "#shackspace" + "#nixos" + "#krebs" + "#dezentrale" + "#tinc" + "#nixos-de" + "#fysi" + "#hillhacks" + "#nixos-rc3" + "#binaergewitter" + "#hackerfleet" + "#weechat" + ]; + ssl = true; + sasl_username = "lassulus"; + sasl_fail = "reconnect"; + sasl_password = "\${sec.data.libera_sasl}"; + }; + irc.server.news = { + addresses = "news.r"; + autojoin = [ + "#all" + "#aluhut" + "#querdenkos" + "#news" + "#drachengame" + ]; + anti_flood_prio_high = 0; + anti_flood_prio_low = 0; + }; + matrix.server.lassulus = { + address = "matrix.lassul.us"; + username = "lassulus"; + password = "\${sec.data.matrix_lassulus}"; + device_name = config.networking.hostName; + }; + matrix.server.nixos_dev = { + address = "matrix.nixos.dev"; + username = "@lassulus:nixos.dev"; + device_name = config.networking.hostName; + sso_helper_listening_port = 55123; + }; + plugins.var.python.go.short_name = true; + plugins.var.python.go.short_name_server = true; + plugins.var.python.go.fuzzy_search = true; + relay.network.password = "xxx"; # secret? + relay.port.weechat = 9998; + relay.weechat.commands = "*,!exec,!quit"; + weechat.look.buffer_time_format = "%m-%d_%H:%M:%S"; + weechat.look.item_time_format = "%m-%d_%H:%M:%S"; + irc.look.color_nicks_in_names = true; + irc.look.color_nicks_in_nicklist = true; + logger.file.mask = "$plugin.$name/%Y-%m-%d.weechatlog"; + logger.file.path = "/var/state/weechat_logs"; + logger.look.backlog = 1000; + weechat.notify.python.matrix.nixos_dev."!YLoVsCxScyQODoqIbb:hackint.org" = "none"; #c-base + weechat.notify.python.matrix.nixos_dev."!bohcSYPVoePqBDWlvE:hackint.org" = "none"; #krebs + weechat.notify.irc.news."#all" = "highlight"; + + # setting logger levels for channels is currently not possible declarativly + # because of already defined + logger.level.core.weechat = 0; + logger.level.irc = 3; + logger.level.python = 3; + weechat.bar.title.color_bg = 0; + weechat.bar.status.color_bg = 0; + alias.cmd.reload = "exec -oc cat /etc/weechat.set"; + script.scripts.download_enabled = true; + weechat.look.prefix_align = "left"; + weechat.look.prefix_align_max = 20; + irc.look.server_buffer = "independent"; + matrix.look.server_buffer = "independent"; + weechat.bar.buflist.size_max = 20; + weechat.color.chat_nick_colors = [ + 1 2 3 4 5 6 9 + 10 11 12 13 14 + 28 29 + 30 31 32 33 34 35 36 37 38 39 + 70 + 94 + 101 102 103 104 105 106 107 + 130 131 133 134 135 136 137 + 140 141 142 143 + 160 161 162 163 165 166 167 168 169 + 170 171 172 173 174 175 + 196 197 198 199 + 200 201 202 203 204 205 206 208 209 209 + 210 211 212 + ]; + }; + extraCommands = '' + /script upgrade + /script install go.py + /script install nickregain.pl + /script install autosort.py + /key bind meta-q /go + /key bind meta-t /bar toggle nicklist + /key bind meta-y /bar toggle buflist + /filter addreplace irc_smart * irc_smart_filter * + /filter addreplace playlist_topic irc.*.#the_playlist irc_topic * + /filter addreplace xxx_joinpart irc.r.#xxx irc_join,irc_part,irc_quit * + /set logger.level.irc.news 0 + /set logger.level.python.server.nixos_dev = 0; + /set logger.level.irc.hackint.#the_playlist = 0; + /connect bitlbee + /connect r + /connect news + /connect libera + /connect hackint + /matrix connect nixos_dev + /matrix connect lassulus + ''; + files."sec.conf" = toString (pkgs.writeText "sec.conf" '' + [crypt] + cipher = aes256 + hash_algo = sha256 + passphrase_command = "cat $CREDENTIALS_DIRECTORY/WEECHAT_PASSPHRASE" + salt = on + + [data] + __passphrase__ = on + hackint_sasl = "5CA242E92E7A09B180711B50C4AE2E65C42934EB4E584EC82BC1281D8C72CD411D590C16CC435687C0DA13759873CC" + libera_sasl = "9500B5AC3B29F9CAA273F1B89DC99550E038AF95C4B47442B1FB4CB9F0D6B86B26015988AD39E642CA9C4A78DED7F42D1F409B268C93E778" + r_sasl = "CB6FB1421ED5A9094CD2C05462DB1FA87C4A675628ABD9AEC9928A1A6F3F96C07D9F26472331BAF80B7B73270680EB1BBEFD" + c3-gsm = "C49DD845900CFDFA93EEBCE4F1ABF4A963EF6082B7DA6410FA701CC77A04BB6C201FCB864988C4F2B97ED7D44D5A28F162" + matrix.server.nixos_dev.access_token = "C40FE41B9B7B73553D51D8FCBD53871E940FE7FCCAB543E7F4720A924B8E1D58E2B1E1F460F5476C954A223F78CCB956337F6529159C0ECD7CB0384C13CB7170FF1270A577B1C4FF744D20FCF5C708259896F8D9" + bitlbee = "814ECAC59D9CF6E8340B566563E5D7E92AB92209B49C1EDE4CAAC32DD0DF1EC511D97C75E840C45D69BB9E3D03E79C" + matrix_lassulus = "0CA5C0F70A9F893881370F4A665B4CC40FBB1A41E53BC94916CD92B029103528611EC0B390116BE60FA79AE10F486E96E17B0824BE2DE1C97D87B88F5407330DAD70C044147533C36B09B7030CAD97" + ''); + }; + }; + +in { + users.users.mainUser.packages = [ + weechat-configured + ]; + environment.etc."weechat.set".source = "${weechat-configured}/weechat.set"; + systemd.tmpfiles.rules = [ + "d /var/state/weechat_logs 0700 lass users -" + "d /var/state/weechat 0700 lass users -" + "d /var/state/weechat_cfg 0700 lass users -" + "L+ /home/lass/.local/share/weechat - - - - ../../../../var/state/weechat" + "L+ /home/lass/.config/weechat - - - - ../../../../var/state/weechat_cfg" + ]; + + systemd.services.weechat = { + wantedBy = [ "multi-user.target" ]; + restartIfChanged = false; + serviceConfig = { + User = "lass"; + RemainAfterExit = true; + Type = "oneshot"; + LoadCredential = [ + "WEECHAT_PASSPHRASE:${toString <secrets>}/weechat_passphrase" + ]; + ExecStart = "${pkgs.tmux}/bin/tmux -2 new-session -d -s IM ${weechat-configured}/bin/weechat"; + ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t IM"; # TODO run save in weechat + }; + }; +} diff --git a/lass/2configs/xmonad.nix b/lass/2configs/xmonad.nix index 3b372189c..fd70f8b15 100644 --- a/lass/2configs/xmonad.nix +++ b/lass/2configs/xmonad.nix @@ -63,8 +63,6 @@ instance UrgencyHook LibNotifyUrgencyHook where safeSpawn "${pkgs.libnotify}/bin/notify-send" [show name, "workspace " ++ idx] myTerm :: FilePath --- myTerm = "${pkgs.rxvt_unicode-with-plugins}/bin/urxvtc -e /run/current-system/sw/bin/xonsh" --- myTerm = "${pkgs.rxvt_unicode-with-plugins}/bin/urxvtc" myTerm = "/run/current-system/sw/bin/alacritty" myFont :: String diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix index 6571461ca..a7b0c372c 100644 --- a/lass/2configs/zsh.nix +++ b/lass/2configs/zsh.nix @@ -1,6 +1,17 @@ { config, lib, pkgs, ... }: { - environment.systemPackages = [ pkgs.fzf ]; + environment.systemPackages = with pkgs; [ + atuin + direnv + fzf + ]; + environment.variables.ATUIN_CONFIG_DIR = toString (pkgs.writeTextDir "/config.toml" '' + auto_sync = true + update_check = false + sync_address = "http://green.r:8888" + sync_frequency = 0 + style = "compact" + ''); programs.zsh = { enable = true; shellInit = '' @@ -12,27 +23,9 @@ setopt autocd extendedglob bindkey -e - #history magic - bindkey "[A" up-line-or-local-history - bindkey "[B" down-line-or-local-history - - up-line-or-local-history() { - zle set-local-history 1 - zle up-line-or-history - zle set-local-history 0 - } - zle -N up-line-or-local-history - down-line-or-local-history() { - zle set-local-history 1 - zle down-line-or-history - zle set-local-history 0 - } - zle -N down-line-or-local-history - - setopt SHARE_HISTORY - setopt HIST_IGNORE_ALL_DUPS - # setopt inc_append_history - bindkey '^R' history-incremental-search-backward + + # # setopt inc_append_history + # bindkey '^R' history-incremental-search-backward #C-x C-e open line in editor autoload -z edit-command-line @@ -43,6 +36,13 @@ source ${pkgs.fzf}/share/fzf/completion.zsh source ${pkgs.fzf}/share/fzf/key-bindings.zsh + # atuin distributed shell history + export ATUIN_NOBIND="true" # disable all keybdinings of atuin + eval "$(atuin init zsh)" + bindkey '^r' _atuin_search_widget # bind ctrl+r to atuin + # use zsh only session history + fc -p + #completion magic autoload -Uz compinit compinit @@ -65,13 +65,11 @@ bindkey "[8~" end-of-line bindkey "Oc" emacs-forward-word bindkey "Od" emacs-backward-word + + # direnv integration + eval "$(${pkgs.direnv}/bin/direnv hook zsh)" ''; promptInit = '' - # TODO: figure out why we need to set this here - HISTSIZE=900001 - HISTFILESIZE=$HISTSIZE - SAVEHIST=$HISTSIZE - autoload -U promptinit promptinit diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 3a0b1306c..42efa8cd6 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -15,5 +15,6 @@ _: ./xjail.nix ./autowifi.nix ./browsers.nix + ./sync-containers3.nix ]; } diff --git a/lass/3modules/sync-containers3.nix b/lass/3modules/sync-containers3.nix new file mode 100644 index 000000000..104b92b24 --- /dev/null +++ b/lass/3modules/sync-containers3.nix @@ -0,0 +1,306 @@ +{ config, lib, pkgs, ... }: let + cfg = config.lass.sync-containers3; + slib = pkgs.stockholm.lib; +in { + options.lass.sync-containers3 = { + inContainer = { + enable = lib.mkEnableOption "container config for syncing"; + pubkey = lib.mkOption { + type = lib.types.str; # TODO ssh key + }; + }; + containers = lib.mkOption { + default = {}; + type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: { + options = { + name = lib.mkOption { + type = lib.types.str; + default = config._module.args.name; + }; + sshKey = lib.mkOption { + type = slib.types.absolute-pathname; + }; + luksKey = lib.mkOption { + type = slib.types.absolute-pathname; + default = config.sshKey; + }; + ephemeral = lib.mkOption { + type = lib.types.bool; + default = false; + }; + }; + })); + }; + }; + config = lib.mkMerge [ + (lib.mkIf (cfg.containers != {}) { + + containers = lib.mapAttrs' (n: ctr: lib.nameValuePair ctr.name { + config = { + environment.systemPackages = [ + pkgs.dhcpcd + pkgs.git + pkgs.jq + ]; + networking.useDHCP = lib.mkForce true; + systemd.services.autoswitch = { + environment = { + NIX_REMOTE = "daemon"; + }; + wantedBy = [ "multi-user.target" ]; + serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" '' + set -efu + ln -frs /var/state/var_src /var/src + if test -e /var/src/nixos-config; then + /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || : + fi + ''; + unitConfig.X-StopOnRemoval = false; + }; + }; + autoStart = false; + enableTun = true; + ephemeral = ctr.ephemeral; + privateNetwork = true; + hostBridge = "ctr0"; + bindMounts = { + "/etc/resolv.conf".hostPath = "/etc/resolv.conf"; + "/var/lib/self/disk" = { + hostPath = "/var/lib/sync-containers3/${ctr.name}/disk"; + isReadOnly = false; + }; + "/var/state" = { + hostPath = "/var/lib/sync-containers3/${ctr.name}/state"; + isReadOnly = false; + }; + }; + }) cfg.containers; + + systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [ + { "${ctr.name}_syncer" = { + path = with pkgs; [ + coreutils + consul + rsync + openssh + systemd + ]; + startAt = "*:0/1"; + serviceConfig = { + User = "${ctr.name}_container"; + LoadCredential = [ + "ssh_key:${ctr.sshKey}" + ]; + ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" '' + set -efu + ! systemctl is-active --quiet container@${ctr.name}.service + ''; + ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" '' + set -efux + consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" '' + set -efux + if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then + touch "$HOME"/incomplete + rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk + rm "$HOME"/incomplete + fi + ''} + ''; + }; + }; } + { "${ctr.name}_watcher" = { + path = with pkgs; [ + coreutils + consul + cryptsetup + curl + mount + util-linux + jq + ]; + serviceConfig = { + ExecStart = pkgs.writers.writeDash "${ctr.name}_watcher" '' + set -efux + while sleep 5; do + # get the payload + # check if the host reacted recently + case $(curl -s -o /dev/null --retry 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in + 404) + echo 'got 404 from kv, should kill the container' + break + ;; + 500) + echo 'got 500 from kv, will kill container' + break + ;; + 200) + # echo 'got 200 from kv, will check payload' + export payload=$(consul kv get containers/${ctr.name}) + if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then + # echo 'we are the host, continuing' + continue + else + echo 'we are not host, killing container' + break + fi + ;; + *) + echo 'unknown state, continuing' + continue + ;; + esac + done + /run/current-system/sw/bin/nixos-container stop ${ctr.name} || : + umount /var/lib/sync-containers3/${ctr.name}/state || : + cryptsetup luksClose ${ctr.name} || : + ''; + }; + }; } + { "${ctr.name}_scheduler" = { + wantedBy = [ "multi-user.target" ]; + path = with pkgs; [ + coreutils + consul + cryptsetup + mount + util-linux + curl + systemd + jq + retry + bc + ]; + serviceConfig = { + Restart = "always"; + RestartSec = "30s"; + ExecStart = pkgs.writers.writeDash "${ctr.name}_scheduler" '' + set -efux + # get the payload + # check if the host reacted recently + case $(curl -s -o /dev/null --retry 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in + 404) + # echo 'got 404 from kv, will create container' + ;; + 500) + # echo 'got 500 from kv, retrying again' + exit 0 + ;; + 200) + # echo 'got 200 from kv, will check payload' + export payload=$(consul kv get containers/${ctr.name}) + if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then + echo 'we are the host, starting container' + else + # echo 'we are not host, checking timestamp' + # if [ $(echo "$(date +%s) - $(jq -rn 'env.payload | fromjson.time') > 100" | bc) -eq 1 ]; then + if [ "$(jq -rn 'env.payload | fromjson.time | now - tonumber > 100')" = 'true' ]; then + echo 'last beacon is more than 100s ago, taking over' + else + # echo 'last beacon was recent. trying again' + exit 0 + fi + fi + ;; + *) + echo 'unknown state, bailing out' + exit 0 + ;; + esac + if test -e /var/lib/sync-containers3/${ctr.name}/incomplete; then + echo 'data is inconistent, start aborted' + exit 1 + fi + consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null + consul lock -verbose -monitor-retry=100 -timeout 30s -name container_${ctr.name} container_${ctr.name} ${pkgs.writers.writeBash "${ctr.name}-start" '' + set -efu + cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} || : + mkdir -p /var/lib/sync-containers3/${ctr.name}/state + mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state + /run/current-system/sw/bin/nixos-container start ${ctr.name} + # wait for system to become reachable for the first time + retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null + systemctl start ${ctr.name}_watcher.service + while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do + consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", ti |