33 files changed, 772 insertions, 173 deletions
| diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 3bf991433..7f4020ca2 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -42,7 +42,7 @@    krebs.reaktor2.news = {      hostname = "localhost";      port = "6667"; -    nick = "brockman-helper"; +    nick = "candyman";      plugins = [        {          plugin = "register"; @@ -71,7 +71,7 @@                      exit 1                    fi                    reddit_channel=$(echo "$1" | ${pkgs.jq}/bin/jq -Rr '[match("(\\S+)\\s*";"g").captures[].string][0]') -                  echo "brockman: add r_$reddit_channel http://rss.r/?action=display&bridge=Telegram&username=$reddit_channel&format=Mrss" +                  echo "brockman: add r_$reddit_channel http://rss.r/?action=display&bridge=Reddit&context=single&r=$reddit_channel&format=Atom"                  '';                  add-telegram.filename = pkgs.writeDash "add-telegram" ''                    set -euf diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 2cb70eec4..c8e1e0386 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -197,6 +197,15 @@ in {            wg.euer           IN A      ${nets.internet.ip4.addr}            wiki.euer         IN A      ${nets.internet.ip4.addr}            wikisearch        IN A      ${nets.internet.ip4.addr} + +          meet.euer         IN A      ${nets.internet.ip4.addr} +          work.euer         IN A      ${nets.internet.ip4.addr} +          admin.work.euer   IN A      ${nets.internet.ip4.addr} +          push.work.euer    IN A      ${nets.internet.ip4.addr} +          api.work.euer     IN A      ${nets.internet.ip4.addr} +          maps.work.euer    IN A      ${nets.internet.ip4.addr} +          play.work.euer    IN A      ${nets.internet.ip4.addr} +          ul.work.euer      IN A      ${nets.internet.ip4.addr}          '';        };        cores = 8; 
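Review bot: In the second news.nix hunk, `$reddit_channel` is pasted into the rss-bridge query string (`&r=$reddit_channel&format=Atom`) without URL-encoding, so a name containing `&`, `#` or `%` changes the parameters of the URL brockman is told to fetch. The jq filter on the line above only takes the first non-whitespace token and does not restrict its character set. Consider encoding in the same jq call by ending the filter with `| @uri`, or rejecting anything outside `[A-Za-z0-9_]` before the `echo`. The enclosing script starts outside the hunk, so an earlier validation step may exist that is not visible here.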
diff --git a/krebs/5pkgs/haskell/brockman.nix b/krebs/5pkgs/haskell/brockman.nix deleted file mode 100644 index 5f1166a25..000000000 --- a/krebs/5pkgs/haskell/brockman.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ mkDerivation, aeson, aeson-pretty, base, bloomfilter, bytestring -, case-insensitive, conduit, containers, directory, feed, filepath -, hslogger, html-entity, http-client, irc-conduit, lens, network -, optparse-applicative, random, safe, stdenv, text, time, timerep -, wreq -, fetchFromGitHub -}: -mkDerivation rec { -  pname = "brockman"; -  version = "3.2.3"; -  src = fetchFromGitHub { -    owner = "kmein"; -    repo = "brockman"; -    rev = version; -    sha256 = "1qbjbf0l1ikfzmvky4cnvv7nlcwi2in4afliifh618j0a4f7j427"; -  }; -  isLibrary = false; -  isExecutable = true; -  executableHaskellDepends = [ -    aeson aeson-pretty base bloomfilter bytestring case-insensitive -    conduit containers directory feed filepath hslogger html-entity -    http-client irc-conduit lens network optparse-applicative random -    safe text time timerep wreq -  ]; -  license = stdenv.lib.licenses.mit; -} diff --git a/krebs/5pkgs/haskell/brockman/default.nix b/krebs/5pkgs/haskell/brockman/default.nix new file mode 100644 index 000000000..aec89b7ad --- /dev/null +++ b/krebs/5pkgs/haskell/brockman/default.nix 
@@ -0,0 +1,26 @@ +{ mkDerivation, aeson, aeson-pretty, base, bytestring +, case-insensitive, conduit, containers, directory, feed, filepath +, hslogger, html-entity, http-client, irc-conduit, lens, lrucache +, network, optparse-applicative, random, safe, stdenv, text, time +, timerep, wreq +, fetchFromGitHub +}: +mkDerivation rec { +  pname = "brockman"; +  version = "3.2.4"; +  src = fetchFromGitHub { +    owner = "kmein"; +    repo = "brockman"; +    rev = version; +    sha256 = "1jh2i3rxbw8x0p5xs9ph95ixpsa6h6qm0msjb9xqnw9j8by2fkk2"; +  }; +  isLibrary = false; +  isExecutable = true; +  executableHaskellDepends = [ +    aeson aeson-pretty base bytestring case-insensitive conduit +    containers directory feed filepath hslogger html-entity http-client +    irc-conduit lens lrucache network optparse-applicative random safe +    text time timerep wreq +  ]; +  license = stdenv.lib.licenses.mit; +} diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json index 97afb10f8..74a8665c8 100644 --- a/krebs/nixpkgs.json +++ b/krebs/nixpkgs.json @@ -1,9 +1,9 @@  {    "url": "https://github.com/NixOS/nixpkgs", -  "rev": "a058d005b3cbb370bf171ebce01839dd6ff52222", -  "date": "2021-01-23T17:41:51-05:00", -  "path": "/nix/store/6ps307ghgrp10q3mwgw4lq143pmz0h25-nixpkgs", -  "sha256": "154mpqw0ya31hzgz9hggg1rb26yx8d00rsj9l90ndsdldrssgvbb", +  "rev": "90cec09c3642b9be6699015a35e404ecb503aa0d", +  "date": "2021-02-02T17:56:41+01:00", +  "path": "/nix/store/jrvfl6bw8fwb6sq8w4m6mhj26y52nhr7-nixpkgs", +  "sha256": "0134xglcwrq8wp4mnxn6byww9pf2iipxghwpm92bdyknf79msdv1",    "fetchSubmodules": false,    "deepClone": false,    "leaveDotGit": false diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index f65c6672b..2fd99122a 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix 
@@ -65,7 +65,7 @@ in {          };          networking.firewall = {            allowedTCPPorts = -          [ +            [              53              655              21031 @@ -83,6 +83,9 @@ in {        # <stockholm/makefu/2configs/exim-retiolum.nix>        <stockholm/makefu/2configs/git/cgit-retiolum.nix> +      ### systemdUltras ### +      <stockholm/makefu/2configs/systemdultras/ircbot.nix> +        ###### Shack #####        # <stockholm/makefu/2configs/shack/events-publisher>        # <stockholm/makefu/2configs/shack/gitlab-runner> @@ -98,7 +101,7 @@ in {        { krebs.exim.enable = mkDefault true; }        # sharing -      <stockholm/makefu/2configs/share/gum.nix> +      <stockholm/makefu/2configs/share/gum.nix> # samba sahre        <stockholm/makefu/2configs/torrent.nix>        <stockholm/makefu/2configs/sickbeard> @@ -145,7 +148,10 @@ in {        <stockholm/makefu/2configs/deployment/gecloudpad>        <stockholm/makefu/2configs/deployment/docker/archiveteam-warrior.nix>        <stockholm/makefu/2configs/deployment/docker/etherpad.euer.krebsco.de.nix> +      # <stockholm/makefu/2configs/deployment/systemdultras-rss.nix> +        <stockholm/makefu/2configs/shiori.nix> +      <stockholm/makefu/2configs/workadventure>        <stockholm/makefu/2configs/bgt/download.binaergewitter.de.nix>        <stockholm/makefu/2configs/bgt/hidden_service.nix> 
@@ -177,12 +183,19 @@ in {      { bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa"; }      { path = (toString <secrets/ssh_host_ed25519_key>); type = "ed25519"; } ];    ###### stable - -  services.nginx.virtualHosts."cgit.euer.krebsco.de" = { -    forceSSL = true; -    enableACME = true; -    locations."/".proxyPass = "http://localhost/"; -    locations."/".extraConfig = ''proxy_set_header Host cgit;''; +  security.acme.certs."cgit.euer.krebsco.de" = { +    email = "letsencrypt@syntax-fehler.de"; +    webroot = "/var/lib/acme/acme-challenge"; +    group = "nginx"; +  }; +  services.nginx.virtualHosts."cgit" = { +    serverAliases = [ "cgit.euer.krebsco.de" ]; +    addSSL = true; +    sslCertificate = "/var/lib/acme/cgit.euer.krebsco.de/fullchain.pem"; +    sslCertificateKey = "/var/lib/acme/cgit.euer.krebsco.de/key.pem"; +    locations."/.well-known/acme-challenge".extraConfig = '' +      root /var/lib/acme/acme-challenge; +    '';    };    krebs.build.host = config.krebs.hosts.gum; @@ -190,6 +203,7 @@ in {    # Network    networking = {      firewall = { +        allowedTCPPorts = [ 80 443 ];          allowPing = true;          logRefusedConnections = false;      }; diff --git a/makefu/1systems/gum/hardware-config.nix b/makefu/1systems/gum/hardware-config.nix index 2d7efe9cf..1881329ce 100644 --- a/makefu/1systems/gum/hardware-config.nix +++ b/makefu/1systems/gum/hardware-config.nix @@ -69,7 +69,7 @@ in {      fsType = "ext4";      options = [ "nofail" ];    }; -  fileSystems."/var/www/o.euer.krebsco.de" = { +  fileSystems."/var/lib/nextcloud/data" = {      device = "/dev/nixos/nextcloud";      fsType = "ext4";      options = [ "nofail" ]; diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index 4781af357..6c0388e59 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix 
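Review bot: The rewritten `services.nginx.virtualHosts."cgit"` block uses `addSSL = true;` where the removed block had `forceSSL = true;`, so cgit.euer.krebsco.de is now also served over plain HTTP instead of being redirected to HTTPS. This was presumably done to keep the webroot challenge reachable on port 80, but it also leaves the whole site available unencrypted on the public alias. If the certificate is to stay in `security.acme.certs`, `forceSSL = true; useACMEHost = "cgit.euer.krebsco.de";` should give the redirect while still serving the challenge path. If plaintext access is intended for the internal `cgit` name, a comment saying so would make that explicit. The following hunk opens `allowedTCPPorts = [ 80 443 ]`, so the HTTP listener is reachable from outside.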
@@ -4,7 +4,30 @@  { config, pkgs, lib, ... }:  {    imports = -    [ # base +    [ +      # hardware-dependent +      # device + + +      ./x13 +      # ./x230 + +      # Common Hardware Components + +      # <stockholm/makefu/2configs/hw/mceusb.nix> +      # <stockholm/makefu/2configs/hw/rtl8812au.nix> +      <stockholm/makefu/2configs/hw/network-manager.nix> +      # <stockholm/makefu/2configs/hw/stk1160.nix> +      # <stockholm/makefu/2configs/hw/irtoy.nix> +      # <stockholm/makefu/2configs/hw/malduino_elite.nix> +      <stockholm/makefu/2configs/hw/switch.nix> +      # <stockholm/makefu/2configs/hw/rad1o.nix> +      <stockholm/makefu/2configs/hw/cc2531.nix> +      <stockholm/makefu/2configs/hw/droidcam.nix> +      <stockholm/makefu/2configs/hw/smartcard.nix> +      <stockholm/makefu/2configs/hw/upower.nix> + +      # base        <stockholm/makefu>        <stockholm/makefu/2configs/nur.nix>        <stockholm/makefu/2configs/home-manager> 
@@ -19,8 +42,37 @@        <stockholm/makefu/2configs/editor/neovim>        <stockholm/makefu/2configs/tools/all.nix>        { programs.adb.enable = true; } +      { +        services.openssh.hostKeys = [ +          { bits = 4096; path = (toString <secrets/ssh_host_rsa_key>); type = "rsa";} +        ]; +      } -      { systemd.services.docker.wantedBy = lib.mkForce []; } +      #{ +      #  users.users.makefu.packages = with pkgs;[ mpc_cli ncmpcpp ]; +      #  services.ympd.enable = true; +      #  services.mpd = { +      #    enable = true; +      #    extraConfig = '' +      #      log_level "default" +      #      auto_update "yes" + +      #      audio_output { +      #        type "httpd" +      #        name "lassulus radio" +      #        encoder "vorbis" # optional +      #        port "8000" +      #        quality "5.0" # do not define if bitrate is defined +      #        # bitrate "128" # do not define if quality is defined +      #        format "44100:16:2" +      #        always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped. +      #        tags "yes" # httpd supports sending tags to listening streams. +      #      } +      #    ''; +      #  }; +      #} + +      # { systemd.services.docker.wantedBy = lib.mkForce []; }        <stockholm/makefu/2configs/dict.nix>        # <stockholm/makefu/2configs/legacy_only.nix>        #<stockholm/makefu/3modules/netboot_server.nix> 
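Review bot: The added `services.openssh.hostKeys` list for x contains only a 4096-bit RSA entry, and as far as I know defining this option replaces the module default, so the host would stop offering an ed25519 host key. The gum configuration visible elsewhere in this commit lists both key types; if an ed25519 secret exists for x, add `{ path = (toString <secrets/ssh_host_ed25519_key>); type = "ed25519"; }` for consistency. The same hunk comments out `{ systemd.services.docker.wantedBy = lib.mkForce []; }`, which presumably lets docker start at boot again; a one-line comment on whether that is intended would help. The roughly 25-line commented-out mpd block is dead configuration and could be left out of the commit.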
@@ -59,10 +111,13 @@        # <stockholm/makefu/2configs/deployment/hound>        # <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>        # <stockholm/makefu/2configs/deployment/bureautomation/hass.nix> +      <stockholm/makefu/2configs/bureautomation/office-radio>        # Krebs        <stockholm/makefu/2configs/tinc/retiolum.nix> -      # <stockholm/makefu/2configs/share/gum-client.nix> +      # <stockholm/makefu/2configs/share/anon-ftp.nix> +      # <stockholm/makefu/2configs/share/anon-sftp.nix> +      <stockholm/makefu/2configs/share/gum-client.nix>        # <stockholm/makefu/2configs/share/temp-share-samba.nix> @@ -75,7 +130,7 @@        # Virtualization        # <stockholm/makefu/2configs/virtualisation/libvirt.nix>        <stockholm/makefu/2configs/virtualisation/docker.nix> -      <stockholm/makefu/2configs/virtualisation/virtualbox.nix> +      # <stockholm/makefu/2configs/virtualisation/virtualbox.nix>        #{        #  networking.firewall.allowedTCPPorts = [ 8080 ];        #  networking.nat = { 
@@ -96,26 +151,10 @@        <stockholm/makefu/2configs/binary-cache/gum.nix>        <stockholm/makefu/2configs/binary-cache/lass.nix> -      # Hardware -      <stockholm/makefu/2configs/hw/tp-x230.nix> # + bluetooth -      # <stockholm/makefu/2configs/hw/mceusb.nix> -      <stockholm/makefu/2configs/hw/tpm.nix> -      # <stockholm/makefu/2configs/hw/rtl8812au.nix> -      <stockholm/makefu/2configs/hw/network-manager.nix> -      # <stockholm/makefu/2configs/hw/stk1160.nix> -      # <stockholm/makefu/2configs/hw/irtoy.nix> -      # <stockholm/makefu/2configs/hw/malduino_elite.nix> -      <stockholm/makefu/2configs/hw/switch.nix> -      # <stockholm/makefu/2configs/hw/rad1o.nix> -      <stockholm/makefu/2configs/hw/cc2531.nix> -      <stockholm/makefu/2configs/hw/smartcard.nix> -      <stockholm/makefu/2configs/hw/upower.nix> -      # Filesystem -      <stockholm/makefu/2configs/fs/sda-crypto-root-home.nix>        # Security -      <stockholm/makefu/2configs/sshd-totp.nix> +      # <stockholm/makefu/2configs/sshd-totp.nix>        # temporary        # { services.redis.enable = true; } @@ -149,7 +188,6 @@        }      ]; -  makefu.server.primary-itf = "wlp3s0";    nixpkgs.config.allowUnfree = true;    nixpkgs.config.oraclejdk.accept_license = true; @@ -158,19 +196,13 @@    # configure pulseAudio to provide a HDMI sink as well    networking.firewall.enable = true; -  networking.firewall.allowedUDPPorts = [ 665 26061 ]; -  networking.firewall.trustedInterfaces = [ "vboxnet0" ]; +  networking.firewall.allowedUDPPorts = [ 665 26061 1514 ]; +  networking.firewall.trustedInterfaces = [ "vboxnet0" "enp0s25" ];    krebs.build.host = config.krebs.hosts.x;    krebs.tinc.retiolum.connectTo = [ "omo" "prism" "nextgum" "wbob" ]; -  # hard dependency because otherwise the device will not be unlocked -  boot.initrd.luks.devices.luksroot = -  { -      device = "/dev/sda2"; -      allowDiscards = true; -  };    environment.systemPackages = [ pkgs.passwdqc-utils ]; 
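Review bot: Under `# Security` in the first hunk on this line, `<stockholm/makefu/2configs/sshd-totp.nix>` is commented out without explanation, which, judging by its name, removes the TOTP second factor from sshd on x. If this is temporary for the new x13 installation, say so next to the line, e.g. `# TODO: re-enable once the TOTP secret is provisioned on x13`. The `hw/tpm.nix` import is dropped in the same hunk and appears only commented out in x13/default.nix, so it deserves the same kind of note.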
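Review bot: In the last x/config.nix hunk, adding `"enp0s25"` to `networking.firewall.trustedInterfaces` exempts the whole wired interface from the firewall, so on a laptop every service listening on all addresses becomes reachable from any LAN it is plugged into. Opening only what is needed is safer, e.g. `networking.firewall.interfaces.enp0s25.allowedTCPPorts = [ <needed ports> ];`. `"vboxnet0"` stays trusted although the virtualbox import is commented out in an earlier hunk of this file. UDP port `1514` is added to `allowedUDPPorts` without a comment naming the service that uses it.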
diff --git a/makefu/1systems/x/x13/default.nix b/makefu/1systems/x/x13/default.nix new file mode 100644 index 000000000..b0400232e --- /dev/null +++ b/makefu/1systems/x/x13/default.nix @@ -0,0 +1,52 @@ +{ pkgs, lib, ... }: +# new zfs deployment +{ +  imports = [ +    ./zfs.nix +    ./input.nix +    <stockholm/makefu/2configs/hw/bluetooth.nix> +    <nixos-hardware/lenovo/thinkpad/l14/amd> # close enough +    # <stockholm/makefu/2configs/hw/tpm.nix> +    <stockholm/makefu/2configs/hw/ssd.nix> +  ]; +  boot.zfs.requestEncryptionCredentials = true; +  networking.hostId = "f8b8e0a2"; +  boot.loader.systemd-boot.enable = true; +  boot.loader.efi.canTouchEfiVariables = true; + +  # services.xserver.enable = lib.mkForce false; + +  services.xserver.videoDrivers = [ +    "amdgpu" +  ]; +  hardware.opengl.extraPackages = [ pkgs.amdvlk ]; +  # is required for amd graphics support ( xorg wont boot otherwise ) +  boot.kernelPackages = pkgs.linuxPackages_latest; +  environment.variables.VK_ICD_FILENAMES = +    "/run/opengl-driver/share/vulkan/icd.d/amd_icd64.json"; + + +  programs.light.enable = true; +  services.actkbd = { +    enable = true; +    bindings = [ +      { keys = [ 225 ]; events = [ "key" ]; command = "${pkgs.light}/bin/light -A 10"; } +      { keys = [ 224 ]; events = [ "key" ]; command = "${pkgs.light}/bin/light -U 10"; } +      { keys = [ 227 ]; events = [ "key" ]; command = builtins.toString ( +        pkgs.writers.writeDash "toggle_lcdshadow" '' +          proc=/proc/acpi/ibm/lcdshadow +          status=$(${pkgs.gawk}/bin/awk '/status:/{print $2}' "$proc") +          if [ "$status" -eq 0 ];then +            echo 1 > "$proc" +          else +            echo 0 > "$proc" +          fi +        ''); +      } +    ]; +  }; + +  users.groups.video = {}; +  users.users.makefu.extraGroups = [ "video" ]; +} + diff --git a/makefu/1systems/x/x13/input.nix b/makefu/1systems/x/x13/input.nix new file mode 100644 index 000000000..68b855d8e --- /dev/null 
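Review bot: The `toggle_lcdshadow` script bound to key 227 in x13/default.nix compares `$status` with `-eq` without checking that awk produced a value, so if `/proc/acpi/ibm/lcdshadow` is missing or formatted differently the test errors and the else branch still tries to write `0`. A guard before the read, such as `[ -w "$proc" ] || exit 0`, would make it fail quietly. The same script is added a second time as `x13/toggle_brightness`, a name that does not match what it toggles, and nothing visible in this commit references that file. Keeping only one copy avoids the two drifting apart.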
+++ b/makefu/1systems/x/x13/input.nix @@ -0,0 +1,13 @@ +{ +  # current issues: +  #  1. for pressing insert hold shift+fn+Fin + +  # scroll by holding middle mouse +  services.xserver.displayManager.sessionCommands ='' +      xinput set-int-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation" 8 1 +      xinput set-int-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation Button" 8 2 +      xinput set-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation Axes" 6 7 4 5 +      # configure timeout of pressing and holding middle button +      # xinput set-int-prop "ETPS/2 Elantech TrackPoint" "Evdev Wheel Emulation Timeout" 8 200 +  ''; +} diff --git a/makefu/1systems/x/x13/toggle_brightness b/makefu/1systems/x/x13/toggle_brightness new file mode 100644 index 000000000..dc1436cb6 --- /dev/null +++ b/makefu/1systems/x/x13/toggle_brightness @@ -0,0 +1,8 @@ +#!/bin/sh +proc=/proc/acpi/ibm/lcdshadow +status=$(awk '/status:/{print $2}' "$proc") +if [ "$status" -eq 0 ];then +  echo 1 > "$proc" +else +  echo 0 > "$proc" +fi diff --git a/makefu/1systems/x/x13/zfs.nix b/makefu/1systems/x/x13/zfs.nix new file mode 100644 index 000000000..adfebbf96 --- /dev/null +++ b/makefu/1systems/x/x13/zfs.nix 
@@ -0,0 +1,32 @@ +# Do not modify this file!  It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations.  Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ +  imports = +    [ (modulesPath + "/installer/scan/not-detected.nix") +    ]; + +  boot.initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "rtsx_pci_sdmmc" ]; +  boot.initrd.kernelModules = [ ]; +  boot.kernelModules = [ "kvm-amd" ]; +  boot.extraModulePackages = [ ]; + +  fileSystems."/" = +    { device = "zroot/root/nixos"; +      fsType = "zfs"; +    }; + +  fileSystems."/boot" = +    { device = "/dev/disk/by-uuid/20BF-2755"; +      fsType = "vfat"; +    }; + +  fileSystems."/home" = +    { device = "zroot/root/home"; +      fsType = "zfs"; +    }; + +  swapDevices = [ ]; +} diff --git a/makefu/1systems/x/x230/default.nix b/makefu/1systems/x/x230/default.nix new file mode 100644 index 000000000..c2a635ca7 --- /dev/null +++ b/makefu/1systems/x/x230/default.nix @@ -0,0 +1,19 @@ +{ +  imports = [ +     <stockholm/makefu/2configs/hw/tp-x230.nix> # + bluetooth +     <stockholm/makefu/2configs/fs/sda-crypto-root-home.nix> + +    <stockholm/makefu/2configs/hw/tpm.nix> +    <stockholm/makefu/2configs/hw/ssd.nix> + +     # hard dependency because otherwise the device will not be unlocked +     { +      boot.initrd.luks.devices.luksroot = +      { +          device = "/dev/sda2"; +          allowDiscards = true; +      }; +     } +     { makefu.server.primary-itf = "wlp3s0"; } +  ]; +} diff --git a/makefu/2configs/bureautomation/office-radio/default.nix b/makefu/2configs/bureautomation/office-radio/default.nix new file mode 100644 index 000000000..d1c0f4730 --- /dev/null +++ b/makefu/2configs/bureautomation/office-radio/default.nix @@ -0,0 +1,6 @@ +{ +  imports = [ +    ./mpd.nix +    ./webserver.nix +  ]; +} 
diff --git a/makefu/2configs/bureautomation/office-radio/mpd.nix b/makefu/2configs/bureautomation/office-radio/mpd.nix
new file mode 100644
index 000000000..4fc31fff9
--- /dev/null
+++ b/makefu/2configs/bureautomation/office-radio/mpd.nix
@@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +let +  mpds = import ./mpdconfig.nix; +  systemd_mpd = name: value: let +    path = "/var/lib/mpd-${name}"; +    num = lib.strings.fixedWidthNumber 2 value; +    mpdconf = pkgs.writeText "mpd-config-${name}" '' +      music_directory     "${path}/music" +      playlist_directory  "${path}/playlists" +      db_file             "${path}/tag_cache" +      state_file          "${path}/state" +      sticker_file        "${path}/sticker.sql" + +      bind_to_address "127.0.0.1" +      port "66${num}" +      log_level "default" +      auto_update "yes" +      audio_output { +        type "httpd" +        name "Office Radio ${num} - ${name}" +        encoder "vorbis" # optional +        port "280${num}" +        quality "5.0" # do not define if bitrate is defined +        # bitrate "128" # do not define if quality is defined +        format "44100:16:2" +        always_on "yes" # prevent MPD from disconnecting all listeners when playback is stopped. +        tags "yes" # httpd supports sending tags to listening streams. 
+      } +    ''; +in { +    after = [ "network.target" ]; +    description = "Office Radio MPD ${toString value} - ${name}"; +    wantedBy = ["multi-user.target"]; +    serviceConfig = { +        #User = "mpd"; +        DynamicUser = true; +        ExecStart = "${pkgs.mpd}/bin/mpd --no-daemon ${mpdconf}"; +        LimitRTPRIO = 50; +        LimitRTTIME = "infinity"; +        ProtectSystem = true; +        NoNewPrivileges = true; +        ProtectKernelTunables = true; +        ProtectControlGroups = true; +        ProtectKernelModules = true; +        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK"; +        RestrictNamespaces = true; +        Restart = "always"; +        StateDirectory = [ "mpd-${name}" ]; +      }; +  }; +in +  { +    systemd.services = lib.attrsets.mapAttrs' (name: value: +      lib.attrsets.nameValuePair +        ("office-radio-" +name) (systemd_mpd name value)) +      mpds; +  } diff --git a/makefu/2configs/bureautomation/office-radio/mpdconfig.nix b/makefu/2configs/bureautomation/office-radio/mpdconfig.nix new file mode 100644 index 000000000..b48ceb629 --- /dev/null +++ b/makefu/2configs/bureautomation/office-radio/mpdconfig.nix @@ -0,0 +1,6 @@ +{ +  "cybertisch1" = 0; +  "cybertisch2" = 1; +  "cyberklo" = 2; +  "baellebad" = 3; +} diff --git a/makefu/2configs/bureautomation/office-radio/webserver.nix b/makefu/2configs/bureautomation/office-radio/webserver.nix new file mode 100644 index 000000000..e2fc6d9e8 --- /dev/null +++ b/makefu/2configs/bureautomation/office-radio/webserver.nix 
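Review bot: The `audio_output` block in the generated mpd config sets `port "280${num}"` but no bind address of its own, and as far as I know the top-level `bind_to_address "127.0.0.1"` governs only the control port while the httpd output listens on all addresses by default. If the streams are consumed only through the local appserver, add `bind_to_address "127.0.0.1"` inside `audio_output`; if they are meant to be reachable from the office network, a comment should say so. Separately, `num` comes from `fixedWidthNumber 2` and is pasted into both port strings, so an index of 100 or more in mpdconfig.nix would produce an invalid port. An assertion on the value would catch that at evaluation time.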
@@ -0,0 +1,40 @@ +{ pkgs, ... }: +let +  mpds = import ./mpdconfig.nix; +  pkg = pkgs.office-radio; +in { +  systemd.services.office-radio-appsrv = { +    after = [ "network.target" ]; +    description = "Office Radio Appserver"; +    wantedBy = [ "multi-user.target" ]; +    serviceConfig = { +        ExecStart = "${pkg}/bin/office-radio"; +        DynamicUser = true; +        ProtectSystem = true; +        NoNewPrivileges = true; +        ProtectKernelTunables = true; +        ProtectControlGroups = true; +        ProtectKernelModules = true; +        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK"; +        RestrictNamespaces = true; +        Restart = "always"; +    }; +  }; +  systemd.services.office-radio-stopper = { +    after = [ "network.target" ]; +    description = "Office Radio Script to stop idle streams"; +    wantedBy = [ "multi-user.target" ]; +    serviceConfig = { +        ExecStart = "${pkg}/bin/stop-idle-streams"; +        DynamicUser = true; +        ProtectSystem = true; +        NoNewPrivileges = true; +        ProtectKernelTunables = true; +        ProtectControlGroups = true; +        ProtectKernelModules = true; +        RestrictAddressFamilies = "AF_INET AF_INET6 AF_UNIX AF_NETLINK"; +        RestrictNamespaces = true; +        Restart = "always"; +    }; +  }; +} diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix index 379176f78..aa9ff514c 100644 --- a/makefu/2configs/deployment/mycube.connector.one.nix +++ b/makefu/2configs/deployment/mycube.connector.one.nix 
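Review bot: In webserver.nix the binding `mpds = import ./mpdconfig.nix;` is never used, and the two `serviceConfig` sets are identical except for `ExecStart`. Binding the shared sandboxing options once in the `let` and writing `serviceConfig = hardening // { ExecStart = "${pkg}/bin/office-radio"; };` would keep the two units from drifting apart. Nothing in this file shows which address or port `office-radio` listens on, so a short comment on that would help when checking it against the firewall rules.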
@@ -1,15 +1,12 @@  { config, lib, pkgs, ... }:  # more than just nginx config but not enough to become a module -with import <stockholm/lib>;  let    hostname = config.krebs.build.host.name;    external-ip = config.krebs.build.host.nets.internet.ip4.addr;    wsgi-sock = "${config.services.uwsgi.runDir}/uwsgi.sock";  in { -  services.redis = { -    enable = true; -  }; -  systemd.services.redis.serviceConfig.LimitNOFILE=10032; +  services.redis = { enable = true; }; +  systemd.services.redis.serviceConfig.LimitNOFILE=65536;    services.uwsgi = {      enable = true; @@ -28,7 +25,7 @@ in {    };    services.nginx = { -    enable = mkDefault true; | 
