diff options
-rw-r--r-- | krebs/1systems/hotdog/config.nix | 2 | ||||
-rw-r--r-- | krebs/2configs/ergo.nix | 13 | ||||
-rw-r--r-- | krebs/2configs/ircd.nix | 149 | ||||
-rw-r--r-- | krebs/2configs/news.nix | 8 | ||||
-rw-r--r-- | krebs/3modules/backup.nix | 6 | ||||
-rw-r--r-- | krebs/3modules/ergo.nix | 15 | ||||
-rw-r--r-- | krebs/3modules/external/default.nix | 1 | ||||
-rw-r--r-- | krebs/3modules/external/mic92.nix | 19 | ||||
-rw-r--r-- | krebs/3modules/tv/default.nix | 26 | ||||
-rw-r--r-- | krebs/5pkgs/haskell/brockman/default.nix | 4 | ||||
-rw-r--r-- | krebs/5pkgs/haskell/much.nix | 6 | ||||
-rw-r--r-- | krebs/5pkgs/simple/git-hooks/default.nix | 1 | ||||
-rw-r--r-- | tv/1systems/bu/config.nix | 40 | ||||
-rw-r--r-- | tv/1systems/bu/disks.nix | 19 | ||||
-rw-r--r-- | tv/2configs/backup.nix | 24 |
15 files changed, 194 insertions, 139 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 6a51bf45f..cf07d3b4d 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -7,7 +7,7 @@ <stockholm/krebs/2configs/buildbot-stockholm.nix> <stockholm/krebs/2configs/binary-cache/nixos.nix> - <stockholm/krebs/2configs/ergo.nix> + <stockholm/krebs/2configs/ircd.nix> <stockholm/krebs/2configs/reaktor2.nix> <stockholm/krebs/2configs/wiki.nix> <stockholm/krebs/2configs/acme.nix> diff --git a/krebs/2configs/ergo.nix b/krebs/2configs/ergo.nix deleted file mode 100644 index db0bc5748..000000000 --- a/krebs/2configs/ergo.nix +++ /dev/null @@ -1,13 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.firewall.allowedTCPPorts = [ - 6667 - ]; - - krebs.ergo = { - enable = true; - }; -} - - diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index 904878731..c6c91e074 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -1,121 +1,44 @@ -{ config, pkgs, lib, ... }: +{ config, pkgs, ... }: { networking.firewall.allowedTCPPorts = [ - 6667 6669 + 6667 ]; - systemd.services.solanum.serviceConfig.LimitNOFILE = lib.mkForce 16384; - - services.solanum = { + krebs.ergo = { enable = true; - motd = '' - hello - ''; - config = '' - loadmodule "extensions/m_omode"; - serverinfo { - name = "${config.krebs.build.host.name}.irc.r"; - sid = "1as"; - description = "irc!"; - network_name = "irc.r"; - - vhost = "0.0.0.0"; - vhost6 = "::"; - - #ssl_private_key = "etc/ssl.key"; - #ssl_cert = "etc/ssl.cert"; - #ssl_dh_params = "etc/dh.pem"; - #ssld_count = 1; - - default_max_clients = 2048; - #nicklen = 30; - }; - - listen { - defer_accept = yes; - - /* If you want to listen on a specific IP only, specify host. - * host definitions apply only to the following port line. - */ - host = "0.0.0.0"; - port = 6667; - #sslport = 6697; - - /* Listen on IPv6 (if you used host= above). */ - host = "::"; - port = 6667; - #sslport = 6697; - }; - - class "users" { - ping_time = 2 minutes; - number_per_ident = 10; - number_per_ip = 4096; - number_per_ip_global = 4096; - cidr_ipv4_bitlen = 24; - cidr_ipv6_bitlen = 64; - number_per_cidr = 65535; - max_number = 65535; - sendq = 1000 megabyte; - }; - - privset "op" { - privs = oper:admin, oper:general; - }; - - operator "aids" { - user = "*@*"; - password = "balls"; - flags = ~encrypted; - snomask = "+s"; - privset = "op"; - }; - - exempt { - ip = "127.0.0.1"; - }; - - exempt { - ip = "10.243.0.0/16"; - }; - - auth { - user = "*@*"; - class = "users"; - flags = kline_exempt, exceed_limit, flood_exempt; - }; - - channel { - autochanmodes = "+t"; - use_invex = yes; - use_except = yes; - use_forward = yes; - use_knock = yes; - knock_delay = 5 minutes; - knock_delay_channel = 1 minute; - max_chans_per_user = 150; - max_bans = 100; - max_bans_large = 500; - default_split_user_count = 0; - default_split_server_count = 0; - no_create_on_split = no; - no_join_on_split = no; - burst_topicwho = yes; - kick_on_split_riding = no; - only_ascii_channels = no; - resv_forcepart = yes; - channel_target_change = yes; - disable_local_channels = no; - }; - - general { - #maybe we want ident someday? - default_floodcount = 10000; - disable_auth = yes; - throttle_duration = 1; - throttle_count = 10000; - }; - ''; + config = { + server.secure-nets = [ + "42::0/16" + "10.240.0.0/12" + ]; + oper-classes.server-admin = { + title = "admin"; + capabilities = [ + "kill" # disconnect user sessions + "ban" # ban IPs, CIDRs, and NUH masks ("d-line" and "k-line") + "nofakelag" # remove "fakelag" restrictions on rate of message sending + "relaymsg" # use RELAYMSG in any channel (see the 'relaymsg' config block) + "vhosts" # add and remove vhosts from users + "sajoin" # join arbitrary channels, including private channels + "samode" # modify arbitrary channel and user modes + "snomasks" # subscribe to arbitrary server notice masks + "roleplay" # use the (deprecated) roleplay commands in any channel + "rehash" # rehash the server, i.e. reload the config at runtime + "accreg" # modify arbitrary account registrations + "chanreg" # modify arbitrary channel registrations + "history" # modify or delete history messages + "defcon" # use the DEFCON command (restrict server capabilities) + "massmessage" # message all users on the server + ]; + }; + opers.aids = { + class = "server-admin"; + hidden = false; + password = "$2a$04$0AtVycWQJ07ymrDdKyAm2un3UVSVIzpzL3wsWbWb3PF95d1CZMcMO"; + }; + }; }; } + + diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 84a39f95b..9ea4cbf8d 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -68,7 +68,13 @@ wantedBy = [ "multi-user.target" ]; }; - systemd.services.brockman.bindsTo = [ "solanum.service" ]; + krebs.ergo.openFilesLimit = 16384; + krebs.ergo.config = { + limits.nicklen = 100; + limits.identlen = 100; + history.enabled = false; + }; + systemd.services.brockman.bindsTo = [ "ergo.service" ]; systemd.services.brockman.serviceConfig.LimitNOFILE = 16384; systemd.services.brockman.environment.BROCKMAN_LOG_LEVEL = "DEBUG"; krebs.brockman = { diff --git a/krebs/3modules/backup.nix b/krebs/3modules/backup.nix index c5cb1cae6..4a88582a2 100644 --- a/krebs/3modules/backup.nix +++ b/krebs/3modules/backup.nix @@ -157,7 +157,8 @@ let # of the deepest directory: # shellcheck disable=SC2174 ${local.rsync} >&2 \ - -aAXF --delete \ + -aAX --delete \ + --filter='dir-merge /.backup-filter' \ --rsh=${shell.escape ssh} \ --rsync-path=${shell.escape remote.rsync} \ --link-dest=${shell.escape plan.dst.path}/current \ @@ -191,7 +192,8 @@ let echo >&2 "create snapshot: $ns/$name" mkdir -m 0700 -p "$dst_path/$ns" rsync >&2 \ - -aAXF --delete \ + -aAX --delete \ + --filter='dir-merge /.backup-filter' \ --link-dest="$dst_path/current" \ "$dst_path/current/" \ "$dst_path/$ns/.partial.$name" diff --git a/krebs/3modules/ergo.nix b/krebs/3modules/ergo.nix index 3153e4cfc..50c5ab628 100644 --- a/krebs/3modules/ergo.nix +++ b/krebs/3modules/ergo.nix @@ -2,6 +2,13 @@ options = { krebs.ergo = { enable = lib.mkEnableOption "Ergo IRC daemon"; + openFilesLimit = lib.mkOption { + type = lib.types.int; + default = 1024; + description = '' + Maximum number of open files. Limits the clients and server connections. + ''; + }; config = lib.mkOption { type = (pkgs.formats.json {}).type; description = '' @@ -54,8 +61,8 @@ multiclient = { enabled = true; allowed-by-default = true; - always-on = "opt-in"; - auto-away = "opt-in"; + always-on = "opt-out"; + auto-away = "opt-out"; }; }; channels = { @@ -111,13 +118,15 @@ systemd.services.ergo = { description = "Ergo IRC daemon"; wantedBy = [ "multi-user.target" ]; - reloadIfChanged = true; + # reload currently not working as expected + # reloadIfChanged = true; restartTriggers = [ configFile ]; serviceConfig = { ExecStart = "${pkgs.ergo}/bin/ergo run --conf /etc/ergo.yaml"; ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID"; DynamicUser = true; StateDirectory = "ergo"; + LimitNOFILE = "${toString cfg.openFilesLimit}"; }; }; }); diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix index 66914797d..4a1efe8fc 100644 --- a/krebs/3modules/external/default.nix +++ b/krebs/3modules/external/default.nix @@ -321,7 +321,6 @@ in { "zaatar.r" "zaatar.kmein.r" "grocy.kmein.r" - "bvg.kmein.r" "moodle.kmein.r" ]; tinc.pubkey = '' diff --git a/krebs/3modules/external/mic92.nix b/krebs/3modules/external/mic92.nix index f8c371b7f..349a6c343 100644 --- a/krebs/3modules/external/mic92.nix +++ b/krebs/3modules/external/mic92.nix @@ -675,6 +675,25 @@ in { }; }; }; + jarvis = { + owner = config.krebs.users.mic92; + nets = rec { + retiolum = { + aliases = [ "jarvis.r" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA7PtJlYBpBr2TK5CAvAukkGvj+esC+sMPKd3mO9iDwdViBrqKdf+D + yEy8SI80Y02dpkL97NjvnzepKpyGQWpG1ZQflJLhCTj7oFyVpWd4XsbIuzYp5ES6 + r8qKWs2xcItc1pbW0ZmrCBzdWsC1B0VAHlYkiz+7vM6pCTvg6hNQugP4c1TRCtJC + Sr+n+EjTXN/NTaKl+f7eoHJGnT5liDO3/xZVxm8AuLnron1xPPDghXClVHfDj5mt + f66f+CLwZhq3BrZuptwXp7TerMfrNtPyTx96b+EyuLPjrYxKeKL/+Nbr3VmmiDIV + tsraNc+0a8OBpVsYh4MQLp55NYwqxAoetQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "RRkMnGSg+nMkz4L2iqmdFf2fIf4wIfcTM0TlTWLLNCE"; + }; + }; + }; bernie = { owner = config.krebs.users.mic92; nets = rec { diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 8d48c2a47..4e40561c2 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -82,6 +82,32 @@ in { ssh.privkey.path = config.krebs.secret.file "ssh.id_ed25519"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsqDuhGJpjpqNv4QmjoOhcODObrPyY3GHLvtVkgXV0g root@au"; }; + bu = { + ci = true; + cores = 4; + nets = { + retiolum = { + ip4.addr = "10.243.13.36"; + aliases = [ + "bu.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAxjAvT1sfHPWExhWRoXG+NJbYUmf5q4yfpfBRvb232LC9sLn4Z2wb + hxKreR5/j9a/2hRIlCz4IwKftl5vroG9Vy4e7zZIz6QvN4TqED8dUjJ1ubhtj47l + jjHW4cHLUWsaqqu6TAuPH26qPSxm9VrD6rZIX9RmQ1bWIaonVB3Q+XnDfPlISw6M + gbQXz4tOsOnC+y/6C3VPUo0nqC+PuA/kyRq/ivVutKd0dTSY8LmCDNla6AEVD5dG + sIqPWX5h8fjqU7G3oOMvMsBrCkvRRB0F0dQzGo8EXwCDJxa+xOuk5n1GYJ2lqeM/ + st7KIxmLvO5AE7cUxdLlDj4EzVLSDoAqOwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.pubkey_ed25519 = "/MXEuv96HlrpHBto8KP2S6Ztiahhi3H7AevmbYS+xqE"; + }; + }; + secure = true; + ssh.privkey.path = config.krebs.secret.file "ssh.id_rsa"; + ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1Y13PvTn+9VjQbgy2ZmpAEFXyYaroYP/5nK9o7B8cidf01Sh39184mG8KN8VuEzCj7b37KnLH8qUDcsukvkxOVSoVHmXH+/Pgbmsxp4c9sxLQLHBfCazhT0S3Zs+BkR6LNQ8GOCS1qsgy05L6fMXoQgds3Zx/X4ZYjLnYVnJo8k+6aP4pU/rB6GFzGG9UrLDvSvk/PoswpEr7S6uFa4bF8JWD5VPkQTPTNwm1LWH4va+ABcw9KOgL2tsAk/jJlkLD4qgXowqgbwcpfe+QCukJb7uIQjRtOgxSAhHqT1nxjS6gROhGt0ojuwALaZaFPr9YtGlqxPhUzAXWKvvbVcr6kkR17HrtXZeLdFqwrUPlkIDFV6yLbYzQGKPFwxtpoJaH/irv6cgeXnHaa9XQJk+XJ5pE0X9uNljGr3B8LMKymdlvvBiWOOLpYsHg5aVOR+K7HvydLSuaah8hpCLjjVyIYIl/pIDL4F/FUSxcFBB4fgdXB77LXm5UizmI7+dqZaOQSm8qXbLZ8P+13ele2JyV1pmvJbLFlhCksDMOXx9jvSJQ6DOjPd+2vtABWh9XGo2Fiy+ekB9LTzlW+xON4FRZDoTPrPmhg40v+s7lySHx3miwCIJfNfLJpf0dxm3pQYWZPIra1RA9hbgstXBJ3+2VA5JEuVRt0SEygN5Kgk1Y5w== root@bu"; + }; hu = { nets = { retiolum = { diff --git a/krebs/5pkgs/haskell/brockman/default.nix b/krebs/5pkgs/haskell/brockman/default.nix index 01b7a0570..8a2311a2e 100644 --- a/krebs/5pkgs/haskell/brockman/default.nix +++ b/krebs/5pkgs/haskell/brockman/default.nix @@ -7,12 +7,12 @@ }: mkDerivation rec { pname = "brockman"; - version = "4.0.2"; + version = "4.0.3"; src = fetchFromGitHub { owner = "kmein"; repo = "brockman"; rev = version; - sha256 = "sha256-EKXKhGdIJRbRklD5zxJNGhOxqPzog4f9NMXo/c8iBGc="; + sha256 = "sha256-rjwroSG9ys0FV2JM70kzmCutMVpUTx8cQ+jQq8Hw1kw="; }; isLibrary = false; isExecutable = true; diff --git a/krebs/5pkgs/haskell/much.nix b/krebs/5pkgs/haskell/much.nix index f3aad2ee6..5045465e6 100644 --- a/krebs/5pkgs/haskell/much.nix +++ b/krebs/5pkgs/haskell/much.nix @@ -9,11 +9,11 @@ }: mkDerivation { pname = "much"; - version = "1.2.0"; + version = "1.3.1"; src = fetchgit { url = "https://cgit.krebsco.de/much"; - sha256 = "0rf27d7gki5hgivy49xi59ld0j6jw3v7nxi4w1gx6byj1xsarwwl"; - rev = "29749366052a8f6c05b314f1ff17201717855ad7"; + sha256 = "0gwyhqcvg9ywna8fhb9hnx97qh5inglj3l0pcwkgwcvm27mfpcqa"; + rev = "77357335a3a88a4b93f91a46ab939a1a9b192977"; fetchSubmodules = true; }; isLibrary = true; diff --git a/krebs/5pkgs/simple/git-hooks/default.nix b/krebs/5pkgs/simple/git-hooks/default.nix index 00a593be3..c9dcc7541 100644 --- a/krebs/5pkgs/simple/git-hooks/default.nix +++ b/krebs/5pkgs/simple/git-hooks/default.nix @@ -100,6 +100,7 @@ with stockholm.lib; add_message "$( git log \ --format="$(orange %h) %s $(gray '(%ar)')" \ + --no-merges \ --reverse \ $id2..$id diff --git a/tv/1systems/bu/config.nix b/tv/1systems/bu/config.nix new file mode 100644 index 000000000..69c5848f5 --- /dev/null +++ b/tv/1systems/bu/config.nix @@ -0,0 +1,40 @@ +{ config, pkgs, ... }: let + lib = import ../../../lib; +in { + + imports = [ + ./disks.nix + <stockholm/tv> + <stockholm/tv/2configs/hw/x220.nix> + <stockholm/tv/2configs/exim-retiolum.nix> + <stockholm/tv/2configs/gitconfig.nix> + <stockholm/tv/2configs/pulse.nix> + <stockholm/tv/2configs/retiolum.nix> + ]; + + environment.homeBinInPath = true; + + krebs.build.host = config.krebs.hosts.bu; + + networking.hostId = lib.mkDefault "00000000"; + + networking.wireless.enable = true; + networking.useDHCP = false; + networking.interfaces.enp0s25.useDHCP = true; + networking.interfaces.wlp3s0.useDHCP = true; + networking.interfaces.wwp0s29u1u4i6.useDHCP = true; + networking.wireless.interfaces = [ + "wlp3s0" + ]; + + programs.gnupg.agent.enable = true; + programs.gnupg.agent.pinentryFlavor = "gtk2"; + + services.earlyoom.enable = true; + services.earlyoom.freeMemThreshold = 5; + systemd.services.earlyoom.environment.EARLYOOM_ARGS = toString [ + "--prefer '(^|/)chromium$'" + ]; + + system.stateVersion = "21.11"; +} diff --git a/tv/1systems/bu/disks.nix b/tv/1systems/bu/disks.nix new file mode 100644 index 000000000..deabefa7b --- /dev/null +++ b/tv/1systems/bu/disks.nix @@ -0,0 +1,19 @@ +{ + boot.initrd.luks.devices.buda2.device = "/dev/sda2"; + fileSystems."/" = { + device = "buda2/root"; + fsType = "zfs"; + }; + fileSystems."/bku" = { + device = "buda2/bku"; + fsType = "zfs"; + }; + fileSystems."/home" = { + device = "buda2/home"; + fsType = "zfs"; + }; + fileSystems."/boot" = { + device = "/dev/sda1"; + fsType = "vfat"; + }; +} diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix index b8dec8da4..a5e0cf4c7 100644 --- a/tv/2configs/backup.nix +++ b/tv/2configs/backup.nix @@ -10,6 +10,24 @@ with import <stockholm/lib>; yearly = { format = "%Y"; }; }; }) { + bu-home-wu = { + method = "push"; + src = { host = config.krebs.hosts.bu; path = "/home"; }; + dst = { host = config.krebs.hosts.wu; path = "/bku/bu-home"; }; + startAt = "05:15"; + }; + bu-home-xu = { + method = "push"; + src = { host = config.krebs.hosts.bu; path = "/home"; }; + dst = { host = config.krebs.hosts.xu; path = "/bku/bu-home"; }; + startAt = "05:20"; + }; + bu-home-zu = { + method = "push"; + src = { host = config.krebs.hosts.bu; path = "/home"; }; + dst = { host = config.krebs.hosts.zu; path = "/bku/bu-home"; }; + startAt = "05:25"; + }; nomic-home-xu = { method = "push"; src = { host = config.krebs.hosts.nomic; path = "/home"; }; @@ -40,6 +58,12 @@ with import <stockholm/lib>; dst = { host = config.krebs.hosts.zu; path = "/bku/wu-home"; }; startAt = "05:20"; }; + xu-home-bu = { + method = "push"; + src = { host = config.krebs.hosts.xu; path = "/home"; }; + dst = { host = config.krebs.hosts.bu; path = "/bku/xu-home"; }; + startAt = "04:50"; + }; xu-home-nomic = { method = "push"; src = { host = config.krebs.hosts.xu; path = "/home"; }; |