52 files changed, 263 insertions, 80 deletions
diff --git a/krebs/0tests/data/secrets/syncthing.cert b/krebs/0tests/data/secrets/syncthing.cert
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/syncthing.cert
diff --git a/krebs/0tests/data/secrets/syncthing.key b/krebs/0tests/data/secrets/syncthing.key
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/krebs/0tests/data/secrets/syncthing.key
diff --git a/krebs/1systems/news/config.nix b/krebs/1systems/news/config.nix
index 5c4b37aef..79946dad7 100644
--- a/krebs/1systems/news/config.nix
+++ b/krebs/1systems/news/config.nix
@@ -18,13 +18,6 @@
 boot.isContainer = true;
 networking.useDHCP = false;
 krebs.bindfs = {
- "/var/lib/htgen-go" = {
- source = "/var/state/htgen-go";
- options = [
- "-m ${toString config.users.users.htgen-go.uid}"
- ];
- clearTarget = true;
- };
 "/var/lib/brockman" = {
 source = "/var/state/brockman";
 options = [
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 1e0687ba7..2f122f6ff 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -19,6 +19,12 @@
 <stockholm/krebs/2configs/binary-cache/nixos.nix>
 <stockholm/krebs/2configs/binary-cache/prism.nix>
+ ## news host
+
+ <stockholm/krebs/2configs/container-networking.nix>
+ <stockholm/krebs/2configs/syncthing.nix>
+ <stockholm/krebs/2configs/news-host.nix>
+
 ### shackspace ###
 # handle the worlddomination map via coap
 <stockholm/krebs/2configs/shack/worlddomination.nix>
diff --git a/krebs/1systems/puyak/net.nix b/krebs/1systems/puyak/net.nix
index 8dab11e16..a46a24952 100644
--- a/krebs/1systems/puyak/net.nix
+++ b/krebs/1systems/puyak/net.nix
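Review bot: The `## news host` comment should name what importing these three modules now demands of puyak, because none of it is visible from this file: krebs/2configs/syncthing.nix (changed later in this same diff) reads `<secrets/syncthing.key>` and `<secrets/syncthing.cert>`, and container-networking.nix defaults NAT egress to an interface literally named `et0`. Suggest `## news host: needs secrets/syncthing.{key,cert}; NAT egress defaults to et0 (see container-networking.nix)`. The empty 0tests fixtures added at the top of this diff cover only the test build, not the deployed host. The enclosing imports list starts and ends outside the hunk.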
@@ -8,8 +8,8 @@ in { SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="${ext-if}" ''; networking = { - firewall.enable = false; - firewall.allowedTCPPorts = [ 8088 8086 8083 5901 ]; + firewall.enable = true; + firewall.allowedTCPPorts = [ 80 443 8088 8086 8083 5901 ]; interfaces."${ext-if}".ipv4.addresses = [ { address = shack-ip; diff --git a/krebs/2configs/container-networking.nix b/krebs/2configs/container-networking.nix new file mode 100644 index 000000000..fa4488800 --- /dev/null +++ b/krebs/2configs/container-networking.nix @@ -0,0 +1,7 @@ +{ lib, ... }: +{ + networking.nat.enable = true; + networking.nat.internalInterfaces = ["ve-+"]; + networking.nat.externalInterface = lib.mkDefault "et0"; + networking.networkmanager.unmanaged = [ "interface-name:ve-*" ]; +} diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index 0de07a027..3ef2e7d2b 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -87,6 +87,7 @@ }; channel { + autochanmodes = "+t"; use_invex = yes; use_except = yes; use_forward = yes; diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix index 82360a670..b7728986f 100644 --- a/krebs/2configs/news-host.nix +++ b/krebs/2configs/news-host.nix @@ -4,6 +4,7 @@ "shodan" "mors" "styx" + "puyak" ]; hostIp = "10.233.2.101"; localIp = "10.233.2.102"; diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 410beb041..2da3e6fcc 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -15,6 +15,16 @@ serverAliases = [ "news.r" ]; + locations."/api".extraConfig = '' + proxy_pass http://127.0.0.1:7777/; + proxy_pass_header Server; + ''; + locations."= /graph.html".extraConfig = '' + alias ${pkgs.fetchurl { + url = "https://raw.githubusercontent.com/kmein/brockman/05d33c8caaaf6255752f9600981974bb58390851/tools/graph.html"; + sha256 = "0iw2vdzj6kzkix1c447ybmc953lns6z4ap6sr9pcib8bany4g43w"; + }}; + ''; locations."/".extraConfig = '' root /var/lib/brockman; index brockman.json; 
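Review bot: With `firewall.enable = true` the allow list becomes puyak's real exposure for the first time, yet nothing documents what 8088, 8086, 8083 and 5901 serve (5901 is conventionally VNC), so a per-port comment is needed before anyone can prune it, e.g. `firewall.allowedTCPPorts = [ 80 443 # nginx (news) … ]`. The krebs syncthing config imported on puyak in this diff does not open syncthing's ports the way lass/2configs/syncthing.nix does with its explicit 22000/tcp rule, so if sync-containers relies on inbound connections to puyak they are now dropped; either add 22000 here or set `services.syncthing.openDefaultPorts = true;`. The `networking` attrset continues outside the hunk.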
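Review bot: `lib.mkDefault "et0"` hard-codes the NAT egress interface, while puyak/net.nix names its NIC via a udev rule as `${ext-if}` whose value is not in this diff; if that name is not `et0`, masquerading is attached to a non-existent interface and the news container silently loses outbound connectivity. Have the host set it explicitly, `networking.nat.externalInterface = ext-if;` in puyak/net.nix, which is exactly what the mkDefault is designed to yield to. A comment on the default, `# mkDefault: hosts whose uplink is not et0 must override this`, would make the contract visible.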
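Review bot: `autochanmodes = "+t";` is undocumented although it changes the default for every newly created channel; assuming the usual IRC meaning of +t (only channel operators may set the topic), a comment such as `# new channels get +t so only ops can change the topic` tells the next reader why it was added. The `channel { … }` block continues outside the hunk.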
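Review bot: `/api` is proxied to the reaktor2 API on 127.0.0.1:7777 with no authentication or client restriction, so anyone who can reach this nginx vhost can presumably drive the `api` bot's IRC session (the next hunk registers that bot in `#all`); if the endpoint exists only to feed graph.html, limit it to the networks that need it with `allow …; deny all;` ahead of the `proxy_pass`, or put it behind `auth_basic`. `proxy_pass_header Server` additionally forwards the backend's Server banner, which nginx suppresses by default. The graph.html alias pins a raw GitHub file by commit and sha256, which is fine; a comment such as `# pinned copy of brockman's tools/graph.html, served from the store` helps. The virtualHost definition continues outside the hunk.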
@@ -27,6 +37,7 @@ }; systemd.tmpfiles.rules = [ "d /var/lib/brockman 1750 brockman nginx -" + "d /run/irc-api 1750 brockman nginx -" ]; systemd.services.brockman-graph = { @@ -67,12 +78,28 @@ shortener = "http://go.r"; controller = { nick = "brockman"; - channels = [ "#all" ]; + extraChannels = [ "#all" ]; }; bots = {}; }; }; + krebs.reaktor2.api = { + hostname = "localhost"; + port = "6667"; + nick = "api"; + API.listen = "inet://127.0.0.1:7777"; + plugins = [ + { + plugin = "register"; + config = { + channels = [ + "#all" + ]; + }; + } + ]; + }; krebs.reaktor2.news = let name = "candyman"; in { diff --git a/krebs/2configs/shack/prometheus/alert-rules.nix b/krebs/2configs/shack/prometheus/alert-rules.nix index 12c691466..65e5d9005 100644 --- a/krebs/2configs/shack/prometheus/alert-rules.nix +++ b/krebs/2configs/shack/prometheus/alert-rules.nix 
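Review bot: `API.listen = "inet://127.0.0.1:7777"` lets every local process talk to the bot, while the tmpfiles rule in the previous hunk creates `/run/irc-api` as `1750 brockman nginx`, which looks like preparation for a unix socket that would let nginx group membership gate access instead; if reaktor2's API supports a unix listener, point `API.listen` at a socket under /run/irc-api and nginx at `proxy_pass http://unix:/run/irc-api/<sock>:/;`, otherwise the unused directory should be dropped. `port = "6667"` passes the IRC port as a string; if the reaktor2 module declares it as an int, write `port = 6667;`. The `krebs.reaktor2.news` definition that follows runs past the end of the hunk.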
@@ -14,7 +14,14 @@ in {
 labels.severity = "warning";
 annotations.summary = "{{ $labels.alias }} root disk full";
 annotations.url = "http://grafana.shack/d/hb7fSE0Zz/shack-system-dashboard?orgId=1&var-job=node&var-hostname=All&var-node=wolf.shack:9100&var-device=All&var-maxmount=%2F&var-show_hostname=wolf";
- annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%). CI for deploying new configuration will seize working. Log in to the system and run `nix-collect-garbage -d` and clean up the shack share folder in `/home/share` .If this does not help you can check `du -hs /var/ | sort -h`, run `docker system prune` or if you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete'';
+ annotations.description = ''The root disk of {{ $labels.alias }} has {{ $value | printf "%.2f" }}% free disk space (Threshold at ${disk_free_threshold}%). CI for deploying new configuration will seize working. Log in to the system and try to clean up the obsolete files on the machine. There are a couple of things you can do:
+1. `nix-collect-garbage -d`
+2. clean up the shack share folder in `/home/share`
+3. check `du -hs /var/ | sort -h`.
+4. run `docker system prune`
+5. `find /var/lib/containers/news/var/lib/htgen-go/items -mtime +7 -delete;` to clean up the link shortener data
+5. If you are really desperate run `du -hs / | sort -h` and go through the folders recursively until you've found something to delete
+6. as a last resort the root disk can be expanded via `lvresize -L +10G /dev/pool/root && btrfs filesystem resize max /` '';
 }
 {
 alert = "RootPartitionFull";
diff --git a/krebs/2configs/syncthing.nix b/krebs/2configs/syncthing.nix
index 31e33ad5e..125e2aea4 100644
--- a/krebs/2configs/syncthing.nix
+++ b/krebs/2configs/syncthing.nix
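Review bot: The numbered runbook in the new `annotations.description` has two items labelled `5.` and carries over the `seize working` typo; since this text is what an on-call reader follows, renumber the steps 1–7 and write `cease working`. Step 5's `find … -mtime +7 -delete` removes the link shortener's stored items, which presumably makes short links older than a week stop resolving, so the step should say so, e.g. `… to clean up the link shortener data (short links older than 7 days will break)`. The alert definition this belongs to starts outside the hunk.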
@@ -10,6 +10,10 @@ in {
 configDir = "/var/lib/syncthing";
 declarative = {
 devices = mk_peers used_peers;
+ key = toString <secrets/syncthing.key>;
+ cert = toString <secrets/syncthing.cert>;
 };
 };
+
+ boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
 }
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index 8c164cfe3..37b939358 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -77,6 +77,7 @@ in {
 "wiki.r"
 "wiki.hotdog.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIBCgKCAQEAs9+Au3oj29C5ol/YnkG9GjfCH5z53wxjH2iy8UPike8C7GASZKqc
@@ -177,6 +178,7 @@ in {
 };
 ssh.privkey.path = <secrets/ssh.id_ed25519>;
 ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpVwKv9mQGfcn5oFwuitq+b6Dz4jBG9sGhVoCYFw5RY";
+ syncthing.id = "DK5CEE2-PNUXYCE-Q42H2HP-623GART-B7KS4VK-HU2RBGQ-EK6QPUP-HUL3PAR";
 };
 wolf = {
 ci = true;
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 6978c0b4e..300ea2ccc 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -67,7 +67,9 @@ in {
 "cgit.prism.r"
 "paste.r"
 "p.r"
+ "search.r"
 ];
+ tinc.port = 655;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje
@@ -126,6 +128,7 @@ in {
 aliases = [
 "uriel.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR
@@ -151,6 +154,7 @@ in {
 aliases = [
 "mors.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE
@@ -184,6 +188,7 @@ in {
 aliases = [
 "shodan.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIBCgKCAQEA9bUSItw8rEu2Cm2+3IGHyRxopre9lqpFjZNG2QTnjXkZ97QlDesT
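Review bot: `key = toString <secrets/syncthing.key>` deserves a comment saying why `toString` is used rather than the bare path: a bare `<secrets/...>` path interpolated into generated config is copied into the world-readable /nix/store, whereas the string form keeps only the path and the file is read at runtime — e.g. `# toString: reference the secret by path, never copy it into the nix store`. Moving key and cert here also makes both secrets mandatory for every host importing this module (puyak now does, and the empty 0tests fixtures exist for that reason), which the module header should state. The `fs.inotify.max_user_watches` bump is unexplained; `# syncthing puts an inotify watch on every synced file` would do.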
@@ -218,6 +223,7 @@ in {
 aliases = [
 "icarus.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr
@@ -251,6 +257,7 @@ in {
 aliases = [
 "daedalus.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIBCgKCAQEAzlIJfYIoQGXishIQGFNOcaVoeelqy7a731FJ+VfrqeR8WURQ6D+8
@@ -282,6 +289,7 @@ in {
 aliases = [
 "skynet.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIBCgKCAQEArNpBoTs7MoaZq2edGJLYUjmoLa5ZtXhOFBHjS1KtQ3hMtWkcqpYX
@@ -315,6 +323,7 @@ in {
 aliases = [
 "littleT.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIECgKCBAEA2nPi6ui8nJhEL3lFzDoPelFbEwFWqPnQa0uVxLAhf2WnmT/vximF
@@ -364,6 +373,7 @@ in {
 aliases = [
 "xerxes.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
@@ -414,6 +424,7 @@ in {
 aliases = [
 "red.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG
@@ -444,6 +455,7 @@ in {
 aliases = [
 "yellow.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6lHmzq8+04h3zivJmIbP
@@ -481,6 +493,7 @@ in {
 aliases = [
 "blue.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd
@@ -520,6 +533,7 @@ in {
 aliases = [
 "green.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwpgFxMxWQ0Cp3I82bLWk
@@ -574,6 +588,7 @@ in {
 aliases = [
 "morpheus.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN RSA PUBLIC KEY-----
 MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY
@@ -611,6 +626,7 @@ in {
 aliases = [
 "hilum.r"
 ];
+ tinc.port = 0;
 tinc.pubkey = ''
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAul1zLdJ76kIqVWjxT2bb
@@ -651,6 +667,7 @@ in { aliases = [ "styx.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuMJFklzpbxoDGD8LQ3tn @@ -692,6 +709,7 @@ in { aliases = [ "coaxmetal.r" ]; + tinc.port = 0; tinc.pubkey = '' -----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAwcuMl/W6DZ7UMK4RHrxA diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index f9fa037d3..30d90bf2b 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -187,6 +187,7 @@ in { maps.work.euer IN A ${nets.internet.ip4.addr} play.work.euer IN A ${nets.internet.ip4.addr} ul.work.euer IN A ${nets.internet.ip4.addr} + bw.euer IN A ${nets.internet.ip4.addr} ''; }; cores = 8; diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix index d31022d3a..fcfaf1dd0 100644 --- a/krebs/3modules/sync-containers.nix +++ b/krebs/3modules/sync-containers.nix @@ -93,7 +93,7 @@ in { config = mkIf (cfg.containers != {}) { programs.fuse.userAllowOther = true; # allow syncthing to enter /var/lib/containers - system.activationScripts.syncthing-home = '' + system.activationScripts.containers-enter = mkDefault '' ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers ''; diff --git a/krebs/5pkgs/haskell/recht.nix b/krebs/5pkgs/haskell/recht.nix new file mode 100644 index 000000000..7d884a9fa --- /dev/null +++ b/krebs/5pkgs/haskell/recht.nix 
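Review bot: The rename to `containers-enter` avoids the collision with the `system.activationScripts.syncthing-home` that lass/2configs/syncthing.nix also defines (visible at the end of this diff), but the script still runs `chmod a+x /var/lib/containers`, which makes every container root traversable by every local user although the comment says the goal is only to let syncthing in. A narrower grant is `chgrp <syncthing-group> /var/lib/containers && chmod g+x /var/lib/containers` with the group the syncthing service actually runs as, or an ACL entry for the syncthing user if the acl tools are available on these hosts. The comment should also say why an activation script rather than a declarative option is used. The enclosing `config = mkIf …` block continues outside the hunk.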
@@ -0,0 +1,25 @@
+{ mkDerivation, ansi-terminal, async, base, binary, bytestring
+, data-default, directory, filepath, megaparsec
+, optparse-applicative, pandoc, random, safe, scalpel, stdenv, text
+, time
+, fetchFromGitHub
+}:
+mkDerivation rec {
+ pname = "recht";
+ version = "0.3.0";
+ src = fetchFromGitHub {
+ owner = "kmein";
+ repo = "recht";
+ rev = version;
+ sha256 = "07cyd06wbnzcp33v0nq8cxyggvqrnbni0v2g8cpxar6idn1wlz85";
+
+ };
+ isLibrary = false;
+ isExecutable = true;
+ executableHaskellDepends = [
+ ansi-terminal async base binary bytestring data-default directory
+ filepath megaparsec optparse-applicative pandoc random safe scalpel
+ text time
+ ];
+ license = stdenv.lib.licenses.mit;
+}
diff --git a/krebs/nixpkgs-unstable.json b/krebs/nixpkgs-unstable.json
index c0ffcf3e3..25389ad9c 100644
--- a/krebs/nixpkgs-unstable.json
+++ b/krebs/nixpkgs-unstable.json
@@ -1,9 +1,9 @@
 {
 "url": "https://github.com/NixOS/nixpkgs",
- "rev": "266dc8c3d052f549826ba246d06787a219533b8f",
- "date": "2021-03-15T09:37:03+01:00",
- "path": "/nix/store/dkim3k1b5bdga370xpw0r52w0ac5y3fn-nixpkgs",
- "sha256": "09ydqx2lznixmw8z4cfz1j3k137mh8n3cdpygwqymknhfdjq7lg4",
+ "rev": "04a2b269d8921505a2969fc9ec25c1f517f2b307",
+ "date": "2021-03-30T01:32:47-04:00",
+ "path": "/nix/store/wb6m2d6p3kadk6pbqdjq3ydswbvmb0lq-nixpkgs",
+ "sha256": "15hgx2i71pqgvzv56jwzfs8rkhjbm35wk1i6mxrqbq6wd0y10isv",
 "fetchSubmodules": false,
 "deepClone": false,
 "leaveDotGit": false
diff --git a/krebs/nixpkgs.json b/krebs/nixpkgs.json
index 837782ff6..44a5d0c37 100644
--- a/krebs/nixpkgs.json
+++ b/krebs/nixpkgs.json
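Review bot: `license = stdenv.lib.licenses.mit;` goes through the `stdenv.lib` alias, which nixpkgs deprecates in favour of the top-level `lib` (the pins bumped in this diff are from 2021-04, where that alias is already discouraged); take `lib` in the argument set and write `license = lib.licenses.mit;`. `rev = version` pins the source to the mutable `0.3.0` git tag, but the `sha256` fixes the content, so a moved tag fails loudly rather than silently — a comment `# tag is mutable; sha256 is what actually pins the source` records that reasoning. The stray blank line before `};` inside `fetchFromGitHub` should be removed.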
@@ -1,9 +1,9 @@ { "url": "https://github.com/NixOS/nixpkgs", - "rev": "36e15cd6e7d55ba143caf3dc930467ace573d85c", - "date": "2021-03-16T08:18:29+01:00", - "path": "/nix/store/rsh8kmy9jiwdhsm390zw0mq1p256xzrk-nixpkgs", - "sha256": "15dwscz9s71n6hn1wml95il8hl8aza16jj9qwywps8bsdamgymfq", + "rev": "dec334fa196a4aeedb1b60d8f7d61aa00d327499", + "date": "2021-04-14T01:54:42+02:00", + "path": "/nix/store/x1dkzxknsrf0060pz1vwa7ibmq7899wb-nixpkgs", + "sha256": "1sm1p2qliz11qw6va01knm0rikhpq2h4c70ci98vi4q26y4q9z72", "fetchSubmodules": false, "deepClone": false, "leaveDotGit": false diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 6f61ea57e..25d688696 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -194,6 +194,7 @@ with import <stockholm/lib>; } <stockholm/lass/2configs/minecraft.nix> <stockholm/lass/2configs/codimd.nix> + <stockholm/lass/2configs/searx.nix> { services.taskserver = { enable = true; diff --git a/lass/2configs/hass/default.nix b/lass/2configs/hass/default.nix index 7765db84e..be9c32809 100644 --- a/lass/2configs/hass/default.nix +++ b/lass/2configs/hass/default.nix @@ -43,11 +43,9 @@ in { services.home-assistant = { enable = true; - package = (unstable.home-assistant.overrideAttrs (old: { + package = unstable.home-assistant.overrideAttrs (old: { doInstallCheck = false; - })).override { - extraPackages = _: [ dwdwfsapi ]; - }; + }); configWritable = true; lovelaceConfigWritable = true; config = let diff --git a/lass/2configs/searx.nix b/lass/2configs/searx.nix new file mode 100644 index 000000000..ed6586a26 --- /dev/null +++ b/lass/2configs/searx.nix 
@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+let
+ port = 8889;
+in {
+ services.nginx.virtualHosts.search = {
+ serverAliases = [ "search.r" ];
+ locations."/".extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_pass http://127.0.0.1:${builtins.toString port};
+ '';
+ };
+
+ services.searx = {
+ enable = true;
+ configFile = pkgs.writeText "searx.cfg" (builtins.toJSON {
+ use_default_settings = true;
+ server = {
+ port = port;
+ secret_key = builtins.readFile <secrets/searx.key>;
+ };
+ });
+ };
+}
diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix
index 7801c758c..7b8850681 100644
--- a/lass/2configs/syncthing.nix
+++ b/lass/2configs/syncthing.nix
@@ -3,10 +3,6 @@
 imports = [ <stockholm/krebs/2configs/syncthing.nix> ];
 services.syncthing = {
 group = "syncthing";
- declarative = {
- key = toString <secrets/syncthing.key>;
- cert = toString <secrets/syncthing.cert>;
- };
 };
 krebs.iptables.tables.filter.INPUT.rules = [
 { predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
@@ -16,6 +12,4 @@
 system.activationScripts.syncthing-home = mkDefault ''
 ${pkgs.coreutils}/bin/chmod a+x /home/lass
 '';
-
- boot.kernel.sysctl."fs.inotify.ma |
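Review bot: `secret_key = builtins.readFile <secrets/searx.key>` reads the secret at evaluation time and bakes it into the `pkgs.writeText "searx.cfg"` derivation, so searx's secret_key lands in the world-readable /nix/store of every machine that evaluates or builds this config, and in any binary cache that store is served from. This also contradicts krebs/2configs/syncthing.nix in the same diff, which deliberately uses `toString <secrets/...>` to keep only the path out of the store. If the searx module in the pinned nixpkgs offers `services.searx.environmentFile` together with `settings`, put `SEARX_SECRET_KEY` in a root-only env file and reference it as `secret_key = "@SEARX_SECRET_KEY@"`; otherwise generate the config at activation time from `toString <secrets/searx.key>` into a root-owned file and point `configFile` at that path. A comment on the nginx block noting that search.r is exposed without authentication to whoever can reach the vhost would round this out.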