summaryrefslogtreecommitdiffstats
path: root/lass
diff options
context:
space:
mode:
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/green/config.nix94
-rw-r--r--lass/1systems/yellow/config.nix13
-rw-r--r--lass/2configs/IM.nix2
-rw-r--r--lass/2configs/baseX.nix2
-rw-r--r--lass/2configs/blue-host.nix2
-rw-r--r--lass/2configs/consul.nix43
-rw-r--r--lass/2configs/default.nix2
-rw-r--r--lass/2configs/et-server.nix7
-rw-r--r--lass/2configs/pipewire.nix2
-rw-r--r--lass/2configs/weechat.nix221
-rw-r--r--lass/2configs/xmonad.nix2
-rw-r--r--lass/2configs/zsh.nix52
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/sync-containers3.nix306
-rw-r--r--lass/5pkgs/weechat-matrix/default.nix80
15 files changed, 733 insertions, 96 deletions
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index 5cf7d9242..4fe7782e6 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -11,78 +11,47 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/sync/sync.nix>
<stockholm/lass/2configs/sync/decsync.nix>
- <stockholm/lass/2configs/sync/weechat.nix>
+ <stockholm/lass/2configs/weechat.nix>
<stockholm/lass/2configs/bitlbee.nix>
- <stockholm/lass/2configs/IM.nix>
+
<stockholm/lass/2configs/muchsync.nix>
<stockholm/lass/2configs/pass.nix>
<stockholm/lass/2configs/git-brain.nix>
+ <stockholm/lass/2configs/et-server.nix>
+ <stockholm/lass/2configs/consul.nix>
];
krebs.build.host = config.krebs.hosts.green;
- users.users.mainUser.openssh.authorizedKeys.keys = [
- config.krebs.users.lass-android.pubkey
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0rn3003CkJMk3jZrh/3MC6nVorHRymlFSI4x1brCKY" # weechat ssh tunnel
- ];
-
- krebs.bindfs = {
- "/home/lass/.weechat" = {
- source = "/var/state/lass_weechat";
- options = [
- "-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}"
- "--create-for-user=${toString config.users.users.syncthing.uid}"
- ];
- };
- "/home/lass/Maildir" = {
- source = "/var/state/lass_mail";
- options = [
- "-M ${toString config.users.users.mainUser.uid}"
- ];
- };
- "/var/lib/bitlbee" = {
- source = "/var/state/bitlbee";
- options = [
- "-M ${toString config.users.users.bitlbee.uid}"
- ];
- clearTarget = true;
- };
- "/home/lass/.ssh" = {
- source = "/var/state/lass_ssh";
- options = [
- "-M ${toString config.users.users.mainUser.uid}"
- ];
- clearTarget = true;
- };
- "/home/lass/.gnupg" = {
- source = "/var/state/lass_gnupg";
- options = [
- "-M ${toString config.users.users.mainUser.uid}"
- ];
- clearTarget = true;
- };
- "/var/lib/git" = {
- source = "/var/state/git";
- options = [
- "-M ${toString config.users.users.git.uid}"
- ];
- clearTarget = true;
- };
+ lass.sync-containers3.inContainer = {
+ enable = true;
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlUMf943qEQG64ob81p6dgoHq4jUjq7tSvmSdEOEU2y";
};
- systemd.services."bindfs-_home_lass_Maildir".serviceConfig.ExecStartPost = pkgs.writeDash "symlink-notmuch" ''
- sleep 1
- mkdir -p /home/lass/notmuch
- chown lass: /home/lass/notmuch
- ln -sfTr /home/lass/notmuch /home/lass/Maildir/.notmuch
+ systemd.tmpfiles.rules = [
+ "d /var/state/lass_mail 0700 lass users -"
+ "L+ /home/lass/Maildir - - - - ../../var/state/lass_mail"
+ "d /home/lass/notmuch 0700 lass users -"
+ "L+ /var/state/lass_mail/.notmuch - - - - /home/lass/notmuch"
- mkdir -p /home/lass/notmuch/muchsync
- chown lass: /home/lass/notmuch/muchsync
- mkdir -p /home/lass/Maildir/.muchsync
- ln -sfTr /home/lass/Maildir/.muchsync /home/lass/notmuch/muchsync/tmp
- '';
+ "d /var/state/lass_ssh 0700 lass users -"
+ "L+ /home/lass/.ssh - - - - ../../var/state/lass_ssh"
+ "d /var/state/lass_gpg 0700 lass users -"
+ "L+ /home/lass/.gnupg - - - - ../../var/state/lass_gpg"
+ "d /var/state/lass_sync 0700 lass users -"
+ "L+ /home/lass/sync - - - - ../../var/state/lass_sync"
+
+ "d /var/state/git 0700 git nogroup -"
+ "L+ /var/lib/git - - - - ../../var/state/git"
+ ];
+
+ users.users.mainUser.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass-android.pubkey
+ config.krebs.users.lass-tablet.pubkey
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKgpZwye6yavIs3gUIYvSi70spDa0apL2yHR0ASW74z8" # weechat ssh tunnel
+ ];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; }
@@ -93,4 +62,11 @@ with import <stockholm/lib>;
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
'';
+
+ services.dovecot2 = {
+ enable = true;
+ mailLocation = "maildir:~/Maildir";
+ };
+
+ networking.firewall.allowedTCPPorts = [ 143 ];
}
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index 554882bf3..f5071c4b7 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -154,6 +154,7 @@ with import <stockholm/lib>;
tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; } # nginx web dir
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; } # transmission-web
+ { predicate = "-p tcp --dport 9092"; target = "ACCEPT"; } # magnetico webinterface
{ predicate = "-p tcp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } # transmission-traffic
{ predicate = "-p tcp --dport 8096"; target = "ACCEPT"; } # jellyfin
@@ -164,7 +165,7 @@ with import <stockholm/lib>;
client
dev tun
proto udp
- remote 196.240.57.43 1194
+ remote 194.110.84.106 1194
resolv-retry infinite
remote-random
nobind
@@ -174,7 +175,7 @@ with import <stockholm/lib>;
persist-key
persist-tun
ping 15
- ping-restart 0
+ ping-restart 15
ping-timer-rem
reneg-sec 0
comp-lzo no
@@ -250,7 +251,7 @@ with import <stockholm/lib>;
path = [
pkgs.coreutils
pkgs.findutils
- pkgs.inotifyTools
+ pkgs.inotify-tools
];
serviceConfig = {
Restart = "always";
@@ -271,4 +272,10 @@ with import <stockholm/lib>;
enable = true;
group = "download";
};
+
+ services.magnetico = {
+ enable = true;
+ web.address = "0.0.0.0";
+ web.port = 9092;
+ };
}
diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix
index 8567def02..8db2a05d6 100644
--- a/lass/2configs/IM.nix
+++ b/lass/2configs/IM.nix
@@ -24,7 +24,7 @@ in {
restartIfChanged = false;
path = [
- pkgs.rxvt_unicode.terminfo
+ pkgs.rxvt-unicode-unwrapped.terminfo
];
serviceConfig = {
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index e94cbbd2c..d3775ddbe 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -78,7 +78,7 @@ in {
pavucontrol
ponymix
powertop
- rxvt_unicode-with-plugins
+ rxvt-unicode
sshvnc
sxiv
taskwarrior
diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
index 7aabf0931..532e55fe5 100644
--- a/lass/2configs/blue-host.nix
+++ b/lass/2configs/blue-host.nix
@@ -34,7 +34,7 @@ in {
config = { ... }: {
environment.systemPackages = [
pkgs.git
- pkgs.rxvt_unicode.terminfo
+ pkgs.rxvt-unicode-unwrapped.terminfo
];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
diff --git a/lass/2configs/consul.nix b/lass/2configs/consul.nix
new file mode 100644
index 000000000..b8d925de5
--- /dev/null
+++ b/lass/2configs/consul.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+{
+ services.consul = {
+ enable = true;
+ # dropPrivileges = false;
+ webUi = true;
+ # interface.bind = "retiolum";
+ extraConfig = {
+ bind_addr = config.krebs.build.host.nets.retiolum.ip4.addr;
+ bootstrap_expect = 3;
+ server = true;
+ # retry_join = config.services.consul.extraConfig.start_join;
+ retry_join = lib.mapAttrsToList (n: h:
+ lib.head h.nets.retiolum.aliases
+ ) (lib.filterAttrs (n: h: h.consul) config.krebs.hosts);
+ rejoin_after_leave = true;
+
+ # try to fix random lock loss on leader reelection
+ retry_interval = "3s";
+ performance = {
+ raft_multiplier = 8;
+ };
+ };
+ };
+
+ environment.etc."consul.d/testservice.json".text = builtins.toJSON {
+ service = {
+ name = "testing";
+ };
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 8300"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 8301"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p udp --dport 8301"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 8302"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p udp --dport 8302"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 8400"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 8500"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p tcp --dport 8600"; target = "ACCEPT"; }
+ { predicate = "-i retiolum -p udp --dport 8500"; target = "ACCEPT"; }
+ ];
+}
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index e8ac55988..49a04e9c2 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -98,7 +98,7 @@ with import <stockholm/lib>;
jq
#style
- rxvt_unicode.terminfo
+ rxvt-unicode-unwrapped.terminfo
#monitoring tools
htop
diff --git a/lass/2configs/et-server.nix b/lass/2configs/et-server.nix
new file mode 100644
index 000000000..19961fb84
--- /dev/null
+++ b/lass/2configs/et-server.nix
@@ -0,0 +1,7 @@
+{ config, lib, pkgs, ... }:
+{
+ services.eternal-terminal = {
+ enable = true;
+ };
+ networking.firewall.allowedTCPPorts = [ config.services.eternal-terminal.port ];
+}
diff --git a/lass/2configs/pipewire.nix b/lass/2configs/pipewire.nix
index f6ccd48d4..ec5a67b6e 100644
--- a/lass/2configs/pipewire.nix
+++ b/lass/2configs/pipewire.nix
@@ -9,7 +9,7 @@
};
environment.systemPackages = with pkgs; [
- alsaUtils
+ alsa-utils
pulseaudio
ponymix
];
diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix
new file mode 100644
index 000000000..845a7e3b8
--- /dev/null
+++ b/lass/2configs/weechat.nix
@@ -0,0 +1,221 @@
+{ config, lib, pkgs, ... }: let
+
+ weechat-configured = pkgs.weechat-declarative.override {
+ config = {
+ scripts = [
+ pkgs.weechat-matrix
+ pkgs.weechatScripts.wee-slack
+ ];
+ settings = {
+ irc.server_default.nicks = [ "lassulus" "hackulus" ];
+ irc.server.bitlbee = {
+ addresses = "localhost/6666";
+ command = "msg &bitlbee identify \${sec.data.bitlbee}";
+ };
+ irc.server.hackint = {
+ addresses = "irc.hackint.org/6697";
+ autojoin = [
+ "#c3-gsm"
+ "#panthermoderns"
+ "#36c3"
+ "#cccac"
+ "#nixos"
+ "#krebs"
+ "#c-base"
+ "#afra"
+ "#tvl"
+ "#eloop"
+ "#systemdultras"
+ "#rc3"
+ "#krebs-announce"
+ "#the_playlist"
+ "#germany"
+ "#hackint"
+ "#dezentrale"
+ "#hackerfleet \${sec.data.c3-gsm}" # TODO support channel passwords in a cooler way
+ ];
+ ssl = true;
+ sasl_fail = "reconnect";
+ sasl_username = "lassulus";
+ sasl_password = "\${sec.data.hackint_sasl}";
+ };
+ irc.server.r = {
+ addresses = "irc.r";
+ autojoin = [
+ "#xxx"
+ "#autowifi"
+ "#brockman"
+ "#flix"
+ "#kollkoll"
+ "#noise"
+ "#mukke"
+ ];
+ sasl_fail = "reconnect";
+ sasl_username = "lassulus";
+ sasl_password = "\${sec.data.r_sasl}";
+ anti_flood_prio_high = 0;
+ anti_flood_prio_low = 0;
+ };
+ irc.server.libera = {
+ addresses = "irc.libera.chat/6697";
+ autojoin = [
+ "#shackspace"
+ "#nixos"
+ "#krebs"
+ "#dezentrale"
+ "#tinc"
+ "#nixos-de"
+ "#fysi"
+ "#hillhacks"
+ "#nixos-rc3"
+ "#binaergewitter"
+ "#hackerfleet"
+ "#weechat"
+ ];
+ ssl = true;
+ sasl_username = "lassulus";
+ sasl_fail = "reconnect";
+ sasl_password = "\${sec.data.libera_sasl}";
+ };
+ irc.server.news = {
+ addresses = "news.r";
+ autojoin = [
+ "#all"
+ "#aluhut"
+ "#querdenkos"
+ "#news"
+ "#drachengame"
+ ];
+ anti_flood_prio_high = 0;
+ anti_flood_prio_low = 0;
+ };
+ matrix.server.lassulus = {
+ address = "matrix.lassul.us";
+ username = "lassulus";
+ password = "\${sec.data.matrix_lassulus}";
+ device_name = config.networking.hostName;
+ };
+ matrix.server.nixos_dev = {
+ address = "matrix.nixos.dev";
+ username = "@lassulus:nixos.dev";
+ device_name = config.networking.hostName;
+ sso_helper_listening_port = 55123;
+ };
+ plugins.var.python.go.short_name = true;
+ plugins.var.python.go.short_name_server = true;
+ plugins.var.python.go.fuzzy_search = true;
+ relay.network.password = "xxx"; # secret?
+ relay.port.weechat = 9998;
+ relay.weechat.commands = "*,!exec,!quit";
+ weechat.look.buffer_time_format = "%m-%d_%H:%M:%S";
+ weechat.look.item_time_format = "%m-%d_%H:%M:%S";
+ irc.look.color_nicks_in_names = true;
+ irc.look.color_nicks_in_nicklist = true;
+ logger.file.mask = "$plugin.$name/%Y-%m-%d.weechatlog";
+ logger.file.path = "/var/state/weechat_logs";
+ logger.look.backlog = 1000;
+ weechat.notify.python.matrix.nixos_dev."!YLoVsCxScyQODoqIbb:hackint.org" = "none"; #c-base
+ weechat.notify.python.matrix.nixos_dev."!bohcSYPVoePqBDWlvE:hackint.org" = "none"; #krebs
+ weechat.notify.irc.news."#all" = "highlight";
+
+ # setting logger levels for channels is currently not possible declarativly
+ # because of already defined
+ logger.level.core.weechat = 0;
+ logger.level.irc = 3;
+ logger.level.python = 3;
+ weechat.bar.title.color_bg = 0;
+ weechat.bar.status.color_bg = 0;
+ alias.cmd.reload = "exec -oc cat /etc/weechat.set";
+ script.scripts.download_enabled = true;
+ weechat.look.prefix_align = "left";
+ weechat.look.prefix_align_max = 20;
+ irc.look.server_buffer = "independent";
+ matrix.look.server_buffer = "independent";
+ weechat.bar.buflist.size_max = 20;
+ weechat.color.chat_nick_colors = [
+ 1 2 3 4 5 6 9
+ 10 11 12 13 14
+ 28 29
+ 30 31 32 33 34 35 36 37 38 39
+ 70
+ 94
+ 101 102 103 104 105 106 107
+ 130 131 133 134 135 136 137
+ 140 141 142 143
+ 160 161 162 163 165 166 167 168 169
+ 170 171 172 173 174 175
+ 196 197 198 199
+ 200 201 202 203 204 205 206 208 209 209
+ 210 211 212
+ ];
+ };
+ extraCommands = ''
+ /script upgrade
+ /script install go.py
+ /script install nickregain.pl
+ /script install autosort.py
+ /key bind meta-q /go
+ /key bind meta-t /bar toggle nicklist
+ /key bind meta-y /bar toggle buflist
+ /filter addreplace irc_smart * irc_smart_filter *
+ /filter addreplace playlist_topic irc.*.#the_playlist irc_topic *
+ /filter addreplace xxx_joinpart irc.r.#xxx irc_join,irc_part,irc_quit *
+ /set logger.level.irc.news 0
+ /set logger.level.python.server.nixos_dev = 0;
+ /set logger.level.irc.hackint.#the_playlist = 0;
+ /connect bitlbee
+ /connect r
+ /connect news
+ /connect libera
+ /connect hackint
+ /matrix connect nixos_dev
+ /matrix connect lassulus
+ '';
+ files."sec.conf" = toString (pkgs.writeText "sec.conf" ''
+ [crypt]
+ cipher = aes256
+ hash_algo = sha256
+ passphrase_command = "cat $CREDENTIALS_DIRECTORY/WEECHAT_PASSPHRASE"
+ salt = on
+
+ [data]
+ __passphrase__ = on
+ hackint_sasl = "5CA242E92E7A09B180711B50C4AE2E65C42934EB4E584EC82BC1281D8C72CD411D590C16CC435687C0DA13759873CC"
+ libera_sasl = "9500B5AC3B29F9CAA273F1B89DC99550E038AF95C4B47442B1FB4CB9F0D6B86B26015988AD39E642CA9C4A78DED7F42D1F409B268C93E778"
+ r_sasl = "CB6FB1421ED5A9094CD2C05462DB1FA87C4A675628ABD9AEC9928A1A6F3F96C07D9F26472331BAF80B7B73270680EB1BBEFD"
+ c3-gsm = "C49DD845900CFDFA93EEBCE4F1ABF4A963EF6082B7DA6410FA701CC77A04BB6C201FCB864988C4F2B97ED7D44D5A28F162"
+ matrix.server.nixos_dev.access_token = "C40FE41B9B7B73553D51D8FCBD53871E940FE7FCCAB543E7F4720A924B8E1D58E2B1E1F460F5476C954A223F78CCB956337F6529159C0ECD7CB0384C13CB7170FF1270A577B1C4FF744D20FCF5C708259896F8D9"
+ bitlbee = "814ECAC59D9CF6E8340B566563E5D7E92AB92209B49C1EDE4CAAC32DD0DF1EC511D97C75E840C45D69BB9E3D03E79C"
+ matrix_lassulus = "0CA5C0F70A9F893881370F4A665B4CC40FBB1A41E53BC94916CD92B029103528611EC0B390116BE60FA79AE10F486E96E17B0824BE2DE1C97D87B88F5407330DAD70C044147533C36B09B7030CAD97"
+ '');
+ };
+ };
+
+in {
+ users.users.mainUser.packages = [
+ weechat-configured
+ ];
+ environment.etc."weechat.set".source = "${weechat-configured}/weechat.set";
+ systemd.tmpfiles.rules = [
+ "d /var/state/weechat_logs 0700 lass users -"
+ "d /var/state/weechat 0700 lass users -"
+ "d /var/state/weechat_cfg 0700 lass users -"
+ "L+ /home/lass/.local/share/weechat - - - - ../../../../var/state/weechat"
+ "L+ /home/lass/.config/weechat - - - - ../../../../var/state/weechat_cfg"
+ ];
+
+ systemd.services.weechat = {
+ wantedBy = [ "multi-user.target" ];
+ restartIfChanged = false;
+ serviceConfig = {
+ User = "lass";
+ RemainAfterExit = true;
+ Type = "oneshot";
+ LoadCredential = [
+ "WEECHAT_PASSPHRASE:${toString <secrets>}/weechat_passphrase"
+ ];
+ ExecStart = "${pkgs.tmux}/bin/tmux -2 new-session -d -s IM ${weechat-configured}/bin/weechat";
+ ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t IM"; # TODO run save in weechat
+ };
+ };
+}
diff --git a/lass/2configs/xmonad.nix b/lass/2configs/xmonad.nix
index 3b372189c..fd70f8b15 100644
--- a/lass/2configs/xmonad.nix
+++ b/lass/2configs/xmonad.nix
@@ -63,8 +63,6 @@ instance UrgencyHook LibNotifyUrgencyHook where
safeSpawn "${pkgs.libnotify}/bin/notify-send" [show name, "workspace " ++ idx]
myTerm :: FilePath
--- myTerm = "${pkgs.rxvt_unicode-with-plugins}/bin/urxvtc -e /run/current-system/sw/bin/xonsh"
--- myTerm = "${pkgs.rxvt_unicode-with-plugins}/bin/urxvtc"
myTerm = "/run/current-system/sw/bin/alacritty"
myFont :: String
diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix
index 6571461ca..a7b0c372c 100644
--- a/lass/2configs/zsh.nix
+++ b/lass/2configs/zsh.nix
@@ -1,6 +1,17 @@
{ config, lib, pkgs, ... }:
{
- environment.systemPackages = [ pkgs.fzf ];
+ environment.systemPackages = with pkgs; [
+ atuin
+ direnv
+ fzf
+ ];
+ environment.variables.ATUIN_CONFIG_DIR = toString (pkgs.writeTextDir "/config.toml" ''
+ auto_sync = true
+ update_check = false
+ sync_address = "http://green.r:8888"
+ sync_frequency = 0
+ style = "compact"
+ '');
programs.zsh = {
enable = true;
shellInit = ''
@@ -12,27 +23,9 @@
setopt autocd extendedglob
bindkey -e
- #history magic
- bindkey "" up-line-or-local-history
- bindkey "" down-line-or-local-history
-
- up-line-or-local-history() {
- zle set-local-history 1
- zle up-line-or-history
- zle set-local-history 0
- }
- zle -N up-line-or-local-history
- down-line-or-local-history() {
- zle set-local-history 1
- zle down-line-or-history
- zle set-local-history 0
- }
- zle -N down-line-or-local-history
-
- setopt SHARE_HISTORY
- setopt HIST_IGNORE_ALL_DUPS
- # setopt inc_append_history
- bindkey '^R' history-incremental-search-backward
+
+ # # setopt inc_append_history
+ # bindkey '^R' history-incremental-search-backward
#C-x C-e open line in editor
autoload -z edit-command-line
@@ -43,6 +36,13 @@
source ${pkgs.fzf}/share/fzf/completion.zsh
source ${pkgs.fzf}/share/fzf/key-bindings.zsh
+ # atuin distributed shell history
+ export ATUIN_NOBIND="true" # disable all keybdinings of atuin
+ eval "$(atuin init zsh)"
+ bindkey '^r' _atuin_search_widget # bind ctrl+r to atuin
+ # use zsh only session history
+ fc -p
+
#completion magic
autoload -Uz compinit
compinit
@@ -65,13 +65,11 @@
bindkey "[8~" end-of-line
bindkey "Oc" emacs-forward-word
bindkey "Od" emacs-backward-word
+
+ # direnv integration
+ eval "$(${pkgs.direnv}/bin/direnv hook zsh)"
'';
promptInit = ''
- # TODO: figure out why we need to set this here
- HISTSIZE=900001
- HISTFILESIZE=$HISTSIZE
- SAVEHIST=$HISTSIZE
-
autoload -U promptinit
promptinit
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 3a0b1306c..42efa8cd6 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -15,5 +15,6 @@ _:
./xjail.nix
./autowifi.nix
./browsers.nix
+ ./sync-containers3.nix
];
}
diff --git a/lass/3modules/sync-containers3.nix b/lass/3modules/sync-containers3.nix
new file mode 100644
index 000000000..104b92b24
--- /dev/null
+++ b/lass/3modules/sync-containers3.nix
@@ -0,0 +1,306 @@
+{ config, lib, pkgs, ... }: let
+ cfg = config.lass.sync-containers3;
+ slib = pkgs.stockholm.lib;
+in {
+ options.lass.sync-containers3 = {
+ inContainer = {
+ enable = lib.mkEnableOption "container config for syncing";
+ pubkey = lib.mkOption {
+ type = lib.types.str; # TODO ssh key
+ };
+ };
+ containers = lib.mkOption {
+ default = {};
+ type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
+ options = {
+ name = lib.mkOption {
+ type = lib.types.str;
+ default = config._module.args.name;
+ };
+ sshKey = lib.mkOption {
+ type = slib.types.absolute-pathname;
+ };
+ luksKey = lib.mkOption {
+ type = slib.types.absolute-pathname;
+ default = config.sshKey;
+ };
+ ephemeral = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ };
+ };
+ }));
+ };
+ };
+ config = lib.mkMerge [
+ (lib.mkIf (cfg.containers != {}) {
+
+ containers = lib.mapAttrs' (n: ctr: lib.nameValuePair ctr.name {
+ config = {
+ environment.systemPackages = [
+ pkgs.dhcpcd
+ pkgs.git
+ pkgs.jq
+ ];
+ networking.useDHCP = lib.mkForce true;
+ systemd.services.autoswitch = {
+ environment = {
+ NIX_REMOTE = "daemon";
+ };
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig.ExecStart = pkgs.writers.writeDash "autoswitch" ''
+ set -efu
+ ln -frs /var/state/var_src /var/src
+ if test -e /var/src/nixos-config; then
+ /run/current-system/sw/bin/nixos-rebuild -I /var/src switch || :
+ fi
+ '';
+ unitConfig.X-StopOnRemoval = false;
+ };
+ };
+ autoStart = false;
+ enableTun = true;
+ ephemeral = ctr.ephemeral;
+ privateNetwork = true;
+ hostBridge = "ctr0";
+ bindMounts = {
+ "/etc/resolv.conf".hostPath = "/etc/resolv.conf";
+ "/var/lib/self/disk" = {
+ hostPath = "/var/lib/sync-containers3/${ctr.name}/disk";
+ isReadOnly = false;
+ };
+ "/var/state" = {
+ hostPath = "/var/lib/sync-containers3/${ctr.name}/state";
+ isReadOnly = false;
+ };
+ };
+ }) cfg.containers;
+
+ systemd.services = lib.foldr lib.recursiveUpdate {} (lib.flatten (map (ctr: [
+ { "${ctr.name}_syncer" = {
+ path = with pkgs; [
+ coreutils
+ consul
+ rsync
+ openssh
+ systemd
+ ];
+ startAt = "*:0/1";
+ serviceConfig = {
+ User = "${ctr.name}_container";
+ LoadCredential = [
+ "ssh_key:${ctr.sshKey}"
+ ];
+ ExecCondition = pkgs.writers.writeDash "${ctr.name}_checker" ''
+ set -efu
+ ! systemctl is-active --quiet container@${ctr.name}.service
+ '';
+ ExecStart = pkgs.writers.writeDash "${ctr.name}_syncer" ''
+ set -efux
+ consul lock sync_${ctr.name} ${pkgs.writers.writeDash "${ctr.name}-sync" ''
+ set -efux
+ if /run/wrappers/bin/ping -c 1 ${ctr.name}.r; then
+ touch "$HOME"/incomplete
+ rsync -a -e "ssh -i $CREDENTIALS_DIRECTORY/ssh_key" --inplace container_sync@${ctr.name}.r:disk "$HOME"/disk
+ rm "$HOME"/incomplete
+ fi
+ ''}
+ '';
+ };
+ }; }
+ { "${ctr.name}_watcher" = {
+ path = with pkgs; [
+ coreutils
+ consul
+ cryptsetup
+ curl
+ mount
+ util-linux
+ jq
+ ];
+ serviceConfig = {
+ ExecStart = pkgs.writers.writeDash "${ctr.name}_watcher" ''
+ set -efux
+ while sleep 5; do
+ # get the payload
+ # check if the host reacted recently
+ case $(curl -s -o /dev/null --retry 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in
+ 404)
+ echo 'got 404 from kv, should kill the container'
+ break
+ ;;
+ 500)
+ echo 'got 500 from kv, will kill container'
+ break
+ ;;
+ 200)
+ # echo 'got 200 from kv, will check payload'
+ export payload=$(consul kv get containers/${ctr.name})
+ if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
+ # echo 'we are the host, continuing'
+ continue
+ else
+ echo 'we are not host, killing container'
+ break
+ fi
+ ;;
+ *)
+ echo 'unknown state, continuing'
+ continue
+ ;;
+ esac
+ done
+ /run/current-system/sw/bin/nixos-container stop ${ctr.name} || :
+ umount /var/lib/sync-containers3/${ctr.name}/state || :
+ cryptsetup luksClose ${ctr.name} || :
+ '';
+ };
+ }; }
+ { "${ctr.name}_scheduler" = {
+ wantedBy = [ "multi-user.target" ];
+ path = with pkgs; [
+ coreutils
+ consul
+ cryptsetup
+ mount
+ util-linux
+ curl
+ systemd
+ jq
+ retry
+ bc
+ ];
+ serviceConfig = {
+ Restart = "always";
+ RestartSec = "30s";
+ ExecStart = pkgs.writers.writeDash "${ctr.name}_scheduler" ''
+ set -efux
+ # get the payload
+ # check if the host reacted recently
+ case $(curl -s -o /dev/null --retry 10 -w '%{http_code}' http://127.0.0.1:8500/v1/kv/containers/${ctr.name}) in
+ 404)
+ # echo 'got 404 from kv, will create container'
+ ;;
+ 500)
+ # echo 'got 500 from kv, retrying again'
+ exit 0
+ ;;
+ 200)
+ # echo 'got 200 from kv, will check payload'
+ export payload=$(consul kv get containers/${ctr.name})
+ if [ "$(jq -rn 'env.payload | fromjson.host')" = '${config.networking.hostName}' ]; then
+ echo 'we are the host, starting container'
+ else
+ # echo 'we are not host, checking timestamp'
+ # if [ $(echo "$(date +%s) - $(jq -rn 'env.payload | fromjson.time') > 100" | bc) -eq 1 ]; then
+ if [ "$(jq -rn 'env.payload | fromjson.time | now - tonumber > 100')" = 'true' ]; then
+ echo 'last beacon is more than 100s ago, taking over'
+ else
+ # echo 'last beacon was recent. trying again'
+ exit 0
+ fi
+ fi
+ ;;
+ *)
+ echo 'unknown state, bailing out'
+ exit 0
+ ;;
+ esac
+ if test -e /var/lib/sync-containers3/${ctr.name}/incomplete; then
+ echo 'data is inconistent, start aborted'
+ exit 1
+ fi
+ consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", time: now}')" >/dev/null
+ consul lock -verbose -monitor-retry=100 -timeout 30s -name container_${ctr.name} container_${ctr.name} ${pkgs.writers.writeBash "${ctr.name}-start" ''
+ set -efu
+ cryptsetup luksOpen --key-file ${ctr.luksKey} /var/lib/sync-containers3/${ctr.name}/disk ${ctr.name} || :
+ mkdir -p /var/lib/sync-containers3/${ctr.name}/state
+ mountpoint /var/lib/sync-containers3/${ctr.name}/state || mount /dev/mapper/${ctr.name} /var/lib/sync-containers3/${ctr.name}/state
+ /run/current-system/sw/bin/nixos-container start ${ctr.name}
+ # wait for system to become reachable for the first time
+ retry -t 10 -d 10 -- /run/wrappers/bin/ping -q -c 1 ${ctr.name}.r > /dev/null
+ systemctl start ${ctr.name}_watcher.service
+ while systemctl is-active container@${ctr.name}.service >/devnull && /run/wrappers/bin/ping -q -c 3 ${ctr.name}.r >/dev/null; do
+ consul kv put containers/${ctr.name} "$(jq -cn '{host: "${config.networking.hostName}", ti