9 files changed, 387 insertions, 116 deletions
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 1b63246c6..f63c6a05a 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -121,6 +121,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/reaktor-coders.nix>
     <stockholm/lass/2configs/ciko.nix>
     <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/jitsi.nix>
     { # quasi bepasty.nix
       imports = [
         <stockholm/lass/2configs/bepasty.nix>
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 797864b15..b677fe455 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -1,120 +1,10 @@
 { config, lib, pkgs, ... }: with import <stockholm/lib>; let
 
   to = concatStringsSep "," [
-    "lass@blue.r"
+    "lass@green.r"
   ];
 
-  mails = [
-    "postmaster@lassul.us"
-    "lass@lassul.us"
-    "lassulus@lassul.us"
-    "test@lassul.us"
-    "outlook@lassul.us"
-    "steuer@aidsballs.de"
-    "lass@aidsballs.de"
-    "wordpress@ubikmedia.de"
-    "finanzamt@lassul.us"
-    "netzclub@lassul.us"
-    "nebenan@lassul.us"
-    "feed@lassul.us"
-    "art@lassul.us"
-    "irgendwas@lassul.us"
-    "polo@lassul.us"
-    "shack@lassul.us"
-    "nix@lassul.us"
-    "c-base@lassul.us"
-    "paypal@lassul.us"
-    "patreon@lassul.us"
-    "steam@lassul.us"
-    "securityfocus@lassul.us"
-    "radio@lassul.us"
-    "btce@lassul.us"
-    "raf@lassul.us"
-    "apple@lassul.us"
-    "coinbase@lassul.us"
-    "tomtop@lassul.us"
-    "aliexpress@lassul.us"
-    "business@lassul.us"
-    "payeer@lassul.us"
-    "github@lassul.us"
-    "bitwala@lassul.us"
-    "bitstamp@lassul.us"
-    "bitcoin.de@lassul.us"
-    "ableton@lassul.us"
-    "dhl@lassul.us"
-    "sipgate@lassul.us"
-    "coinexchange@lassul.us"
-    "verwaltung@lassul.us"
-    "gearbest@lassul.us"
-    "binance@lassul.us"
-    "bitfinex@lassul.us"
-    "alternate@lassul.us"
-    "redacted@lassul.us"
-    "mytaxi@lassul.us"
-    "pizza@lassul.us"
-    "robinhood@lassul.us"
-    "drivenow@lassul.us"
-    "aws@lassul.us"
-    "reddit@lassul.us"
-    "banggood@lassul.us"
-    "immoscout@lassul.us"
-    "gmail@lassul.us"
-    "amazon@lassul.us"
-    "humblebundle@lassul.us"
-    "meetup@lassul.us"
-    "gebfrei@lassul.us"
-    "github@lassul.us"
-    "ovh@lassul.us"
-    "hetzner@lassul.us"
-    "allygator@lassul.us"
-    "immoscout@lassul.us"
-    "elitedangerous@lassul.us"
-    "boardgamegeek@lassul.us"
-    "qwertee@lassul.us"
-    "zazzle@lassul.us"
-    "hackbeach@lassul.us"
-    "transferwise@lassul.us"
-    "cis@lassul.us"
-    "afra@lassul.us"
-    "ksp@lassul.us"
-    "ccc@lassul.us"
-    "neocron@lassul.us"
-    "osmocom@lassul.us"
-    "lesswrong@lassul.us"
-    "nordvpn@lassul.us"
-    "csv-direct@lassul.us"
-    "nintendo@lassul.us"
-    "overleaf@lassul.us"
-    "box@lassul.us"
-    "paloalto@lassul.us"
-    "subtitles@lassul.us"
-    "lobsters@lassul.us"
-    "fysitech@lassul.us"
-    "threema@lassul.us"
-    "ubisoft@lassul.us"
-    "kottezeller@lassul.us"
-    "pie@lassul.us"
-    "vebit@lassul.us"
-    "vcvrack@lassul.us"
-    "epic@lassul.us"
-    "microsoft@lassul.us"
-    "stickers@lassul.us"
-    "nextbike@lassul.us"
-    "mytello@lassul.us"
-    "camp@lassul.us"
-    "urlwatch@lassul.us"
-    "lidl@lassul.us"
-    "geizhals@lassul.us"
-    "auschein@lassul.us"
-    "tleech@lassul.us"
-    "durstexpress@lassul.us"
-    "acme@lassul.us"
-    "antstore@lassul.us"
-    "openweather@lassul.us"
-    "lobsters@lassul.us"
-    "rewe@lassul.us"
-    "spotify@lassul.us"
-  ];
+  mails = import <secrets/mails.nix>;
 
 in {
   environment.systemPackages = [ pkgs.review-mail-queue ];
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
new file mode 100644
index 000000000..1f17c78c8
--- /dev/null
+++ b/lass/2configs/green-host.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, ... }:
+{
+  imports = [
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+  ];
+  lass.sync-containers.containers.green = {
+    peers = [
+      "icarus"
+      "shodan"
+      "skynet"
+      "mors"
+      "littleT"
+    ];
+    hostIp = "10.233.2.15";
+    localIp = "10.233.2.16";
+    format = "ecryptfs";
+  };
+}
diff --git a/lass/2configs/jitsi.nix b/lass/2configs/jitsi.nix
new file mode 100644
index 000000000..1435ccb5c
--- /dev/null
+++ b/lass/2configs/jitsi.nix
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+{
+
+  services.jitsi-meet = {
+    enable = true;
+    hostName = "jitsi.lassul.us";
+    config = {
+      enableWelcomePage = true;
+      requireDisplayName = true;
+    };
+    interfaceConfig = {
+      SHOW_JITSI_WATERMARK = false;
+      SHOW_WATERMARK_FOR_GUESTS = false;
+    };
+  };
+
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p tcp --dport 4443"; target = "ACCEPT"; }
+    { predicate = "-p udp --dport 10000"; target = "ACCEPT"; }
+  ];
+}
diff --git a/lass/2configs/tests/dummy-secrets/mails.nix b/lass/2configs/tests/dummy-secrets/mails.nix
new file mode 100644
index 000000000..fe51488c7
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/mails.nix
@@ -0,0 +1 @@
+[]
diff --git a/lass/2configs/tv.nix b/lass/2configs/tv.nix
index 8e208d5e5..0ca1b340f 100644
--- a/lass/2configs/tv.nix
+++ b/lass/2configs/tv.nix
@@ -32,7 +32,7 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
           application/vnd.apple.mpegurl m3u8;
           video/mp2t ts;
         }
-        root /tmp;
+        root /var/lib/rtmp/tmp;
         add_header Cache-Control no-cache;
 
         # CORS setup
@@ -106,6 +106,11 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
           </html>
         ''};
       }
+
+      location /records {
+        autoindex on;
+        root /var/lib/rtmp;
+      }
     }
   }
 
@@ -120,21 +125,128 @@ nginxCfg = pkgs.writeText "nginx.conf" ''
         live on;
 
         hls on;
-        hls_path /tmp/hls;
+        hls_path /var/lib/rtmp/tmp/hls;
+        hls_fragment 1;
+        hls_playlist_length 10;
 
         dash on;
-        dash_path /tmp/dash;
+        dash_path /var/lib/rtmp/tmp/dash;
       }
     }
   }
 '';
 
 in {
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."streaming.lassul.us" = {
+      enableACME = true;
+      addSSL = true;
+      locations."/hls".extraConfig = ''
+        # Serve HLS fragments
+        types {
+          application/vnd.apple.mpegurl m3u8;
+          video/mp2t ts;
+        }
+        root /var/lib/rtmp/tmp;
+
+        # Allow CORS preflight requests
+        if ($request_method = 'OPTIONS') {
+          add_header 'Access-Control-Allow-Origin' '*';
+          add_header 'Access-Control-Max-Age' 1728000;
+          add_header 'Content-Type' 'text/plain charset=UTF-8';
+          add_header 'Content-Length' 0;
+          return 204;
+        }
+
+        if ($request_method != 'OPTIONS') {
+          add_header Cache-Control no-cache;
+
+          # CORS setup
+          add_header 'Access-Control-Allow-Origin' '*' always;
+          add_header 'Access-Control-Expose-Headers' 'Content-Length';
+        }
+      '';
+      locations."/dash".extraConfig = ''
+        # Serve DASH fragments
+        types {
+          application/dash+xml mpd;
+          video/mp4 mp4;
+        }
+        root /var/lib/rtmp/tmp;
+
+        # Allow CORS preflight requests
+        if ($request_method = 'OPTIONS') {
+          add_header 'Access-Control-Allow-Origin' '*';
+          add_header 'Access-Control-Max-Age' 1728000;
+          add_header 'Content-Type' 'text/plain charset=UTF-8';
+          add_header 'Content-Length' 0;
+          return 204;
+        }
+        if ($request_method != 'OPTIONS') {
+          add_header Cache-Control no-cache;
+
+          # CORS setup
+          add_header 'Access-Control-Allow-Origin' '*' always;
+          add_header 'Access-Control-Expose-Headers' 'Content-Length';
+        }
+      '';
+      locations."= /dash.all.min.js".extraConfig = ''
+        default_type "text/javascript";
+        alias ${pkgs.fetchurl {
+          url = "http://cdn.dashjs.org/v3.2.0/dash.all.min.js";
+          sha256 = "16f0b40gdqsnwqi01s5sz9f1q86dwzscgc3m701jd1sczygi481c";
+        }};
+      '';
+      locations."= /player".extraConfig = ''
+        default_type "text/html";
+        alias ${pkgs.writeText "player.html" ''
+          <!DOCTYPE html>
+          <html lang="en">
+            <head>
+              <meta charset="utf-8">
+              <title>lassulus livestream</title>
+            </head>
+            <body>
+              <div>
+                <video id="player" controls></video>
+                </video>
+              </div>
+              <script src="/dash.all.min.js"></script>
+              <script>
+                (function(){
+                  var url = "/dash/nixos.mpd";
+                  var player = dashjs.MediaPlayer().create();
+                  player.initialize(document.querySelector("#player"), url, true);
+                })();
+              </script>
+            </body>
+          </html>
+        ''};
+      '';
+      locations."/records".extraConfig = ''
+        autoindex on;
+        root /var/lib/rtmp;
+      '';
+    };
+  };
+
+  fileSystems."/var/lib/rtmp/tmp" = {
+    device = "tmpfs";
+    fsType = "tmpfs";
+    options = [ "nosuid" "nodev" "noatime" ];
+  };
+
   users.users.rtmp = {
-    home = "/var/lib/rmtp";
+    home = "/var/lib/rtmp";
     uid = genid_uint31 "rtmp";
     isNormalUser = true;
     createHome = true;
+    openssh.authorizedKeys.keys = with config.krebs.users; [
+      mic92.pubkey
+      palo.pubkey
+    ];
   };
 
   systemd.services.nginx-rtmp = {
@@ -149,6 +261,14 @@ in {
       }}/bin/nginx -c ${nginxCfg} -p /var/lib/rtmp
     '';
     serviceConfig = {
+      ExecStartPre = pkgs.writers.writeDash "setup-rtmp" ''
+        mkdir -p /var/lib/rtmp/tmp/hls
+        mkdir -p /var/lib/rtmp/tmp/dash
+        chown rtmp:users /var/lib/rtmp/tmp/hls
+        chown rtmp:users /var/lib/rtmp/tmp/dash
+        chmod 755 /var/lib/rtmp/tmp/hls
+        chmod 755 /var/lib/rtmp/tmp/dash
+      '';
       User = "rtmp";
     };
   };
diff --git a/lass/3modules/bindfs.nix b/lass/3modules/bindfs.nix
new file mode 100644
index 000000000..5c8df8dc5
--- /dev/null
+++ b/lass/3modules/bindfs.nix
@@ -0,0 +1,51 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }:
+let
+  cfg = config.lass.bindfs;
+in {
+  options.lass.bindfs = mkOption {
+    type = types.attrsOf (types.submodule ({ config, ... }: {
+      options = {
+        target = mkOption {
+          description = ''
+            destination where bindfs mounts to.
+            second positional argument to bindfs.
+          '';
+          default = config._module.args.name;
+          type = types.absolute-pathname;
+        };
+        source = mkOption {
+          description = ''
+            source folder where the mounted directory is originally.
+            first positional argument to bindfs.
+          '';
+          type = types.absolute-pathname;
+        };
+        options = mkOption {
+          description = ''
+            additional arguments to bindfs
+          '';
+          type = types.listOf types.str;
+          default = [];
+        };
+      };
+    }));
+    default = {};
+  };
+
+  config = mkIf (cfg != {}) {
+    systemd.services = mapAttrs' (n: mount: let
+      name = replaceStrings [ "/" ] [ "_" ] n;
+    in nameValuePair "bindfs-${name}" {
+      wantedBy = [ "local-fs.target" ];
+      path = [ pkgs.coreutils ];
+      serviceConfig = {
+        ExecStartPre = pkgs.writeDash "bindfs-init-${name}" ''
+          mkdir -p '${mount.source}'
+          mkdir -p '${mount.target}'
+        '';
+        ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}";
+      };
+    }) cfg;
+  };
+}
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index c3c73bdcb..8bee08caa 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -1,6 +1,7 @@
 _:
 {
   imports = [
+    ./bindfs.nix
     ./dnsmasq.nix
     ./ejabberd
     ./folderPerms.nix
@@ -12,6 +13,7 @@ _:
     ./pyload.nix
     ./restic.nix
     ./screenlock.nix
+    ./sync-containers.nix
     ./usershadow.nix
     ./xjail.nix
     ./autowifi.nix
diff --git a/lass/3modules/sync-containers.nix b/lass/3modules/sync-containers.nix
new file mode 100644
index 000000000..ca81458a9
--- /dev/null
+++ b/lass/3modules/sync-containers.nix
@@ -0,0 +1,166 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+  cfg = config.lass.sync-containers;
+  paths = cname: {
+    plain = "/var/lib/containers/${cname}/var/state";
+    ecryptfs = "${cfg.dataLocation}/${cname}/ecryptfs";
+    securefs = "${cfg.dataLocation}/${cname}/securefs";
+  };
+  start = cname: {
+    plain = ''
+    '';
+    ecryptfs = ''
+      if ! mount | grep -q '${cfg.dataLocation}/${cname}/ecryptfs on /var/lib/containers/${cname}/var/state type ecryptfs'; then
+        if [ -e ${cfg.dataLocation}/${cname}/ecryptfs/.cfg.json ]; then
+          ${pkgs.ecrypt}/bin/ecrypt mount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+        else
+          ${pkgs.ecrypt}/bin/ecrypt init ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+        fi
+      fi
+    '';
+    securefs = ''
+      ## TODO init file systems if it does not exist
+      # ${pkgs.securefs}/bin/securefs create --format 3 ${cfg.dataLocation}/${cname}/securefs
+      if ! ${pkgs.mount}/bin/mount | grep -q '^securefs on /var/lib/containers/${cname}/var/state type fuse.securefs'; then
+        ${pkgs.securefs}/bin/securefs mount ${cfg.dataLocation}/${cname}/securefs /var/lib/containers/${cname}/var/state -b -o allow_other -o default_permissions
+      fi
+    '';
+  };
+  stop = cname: {
+    plain = ''
+    '';
+    ecryptfs = ''
+      ${pkgs.ecrypt}/bin/ecrypt unmount ${cfg.dataLocation}/${cname}/ecryptfs /var/lib/containers/${cname}/var/state
+    '';
+    securefs = ''
+      umount /var/lib/containers/${cname}/var/state
+    '';
+  };
+in {
+  options.lass.sync-containers = {
+    dataLocation = mkOption {
+      description = ''
+        location where the encrypted sync-container lie around
+      '';
+      default = "/var/lib/sync-containers";
+      type = types.absolute-pathname;
+    };
+    containers = mkOption {
+      type = types.attrsOf (types.submodule ({ config, ... }: {
+        options = {
+          name = mkOption {
+            description = ''
+              name of the container
+            '';
+            default = config._module.args.name;
+            type = types.str;
+          };
+          peers = mkOption {
+            description = ''
+              syncthing peers to share this container with
+            '';
+            default = [];
+            type = types.listOf types.str;
+          };
+          hostIp = mkOption { # TODO find this automatically
+            description = ''
+              hostAddress of the privateNetwork
+            '';
+            example = "10.233.2.15";
+            type = types.str;
+          };
+          localIp = mkOption { # TODO find this automatically
+            description = ''
+              localAddress of the privateNetwork
+            '';
+            example = "10.233.2.16";
+            type = types.str;
+          };
+          format = mkOption {
+            description = ''
+              file system encrption format of the container
+            '';
+            type = types.enum [ "plain" "ecryptfs" "securefs" ];
+          };
+        };
+      }));
+      default = {};
+    };
+  };
+
+  config = mkIf (cfg.containers != {}) {
+    programs.fuse.userAllowOther = true;
+
+    services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
+      devices = ctr.peers;
+      ignorePerms = false;
+    })) cfg.containers);
+
+    krebs.permown = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
+      file-mode = "u+rw";
+      directory-mode = "u+rwx";
+      owner = "syncthing";
+      keepGoing = false;
+    })) cfg.containers);
+
+    systemd.services = mapAttrs' (n: ctr: nameValuePair "containers@${ctr.name}" ({
+      reloadIfChanged = mkForce false;
+    })) cfg.containers;
+
+    containers = mapAttrs' (n: ctr: nameValuePair ctr.name ({
+      config = { ... }: {
+        environment.systemPackages = [
+          pkgs.git
+        ];
+        system.activationScripts.fuse = {
+          text = ''
+            ${pkgs.coreutils}/bin/mknod /dev/fuse c 10 229
+          '';
+          deps = [];
+        };
+      };
+      allowedDevices = [
+        { modifier = "rwm"; node = "/dev/fuse"; }
+      ];
+      autoStart = false;
+      enableTun = true;
+      privateNetwork = true;
+      hostAddress = ctr.hostIp;
+      localAddress = ctr.localIp;
+    })) cfg.containers;
+
+    environment.systemPackages = flatten (mapAttrsToList (n: ctr: [
+      (pkgs.writeDashBin "start-${ctr.name}" ''
+        set -euf
+        set -x
+
+        mkdir -p /var/lib/containers/${ctr.name}/var/state
+
+        ${(start ctr.name).${ctr.format}}
+
+        STATE=$(${pkgs.nixos-container}/bin/nixos-container status ${ctr.name})
+        if [ "$STATE" = 'down' ]; then
+          ${pkgs.nixos-container}/bin/nixos-container start ${ctr.name}
+        fi
+
+        ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- ${pkgs.writeDash "deploy-${ctr.name}" ''
+          set -x
+
+          mkdir -p /var/state/var_src
+          ln -sfTr /var/state/var_src /var/src
+          touch /etc/NIXOS
+        ''}
+
+        if [ -h /var/lib/containers/${ctr.name}/var/src/nixos-config ] && (! ping -c1 -q -w5 ${ctr.name}.r); then
+          ${pkgs.nixos-container}/bin/nixos-container run ${ctr.name} -- nixos-rebuild -I /var/src switch
+        fi
+      '')
+      (pkgs.writeDashBin "stop-${ctr.name}" ''
+        set -euf
+
+        ${pkgs.nixos-container}/bin/nixos-container stop ${ctr.name}
+        ${(stop ctr.name).${ctr.format}}
+      '')
+    ]) cfg.containers);
+  };
+}