From 6f26a01e0a849e30b71f1f4646774cf244b79ce2 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Tue, 15 Feb 2022 22:29:33 +0100
Subject: k 3 ma: init latte

---
 krebs/3modules/makefu/default.nix                | 40 +++++++++++++++++++++++-
 krebs/3modules/makefu/retiolum/latte.pub         |  8 +++++
 krebs/3modules/makefu/retiolum/latte_ed25519.pub |  1 +
 3 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 krebs/3modules/makefu/retiolum/latte.pub
 create mode 100644 krebs/3modules/makefu/retiolum/latte_ed25519.pub


diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index f87802b45..1695db3f5 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -148,6 +148,44 @@ in {
         };
       };
     };
+    latte = rec {
+      ci = true;
+      extraZones = {
+        "krebsco.de" = ''
+          latte.euer     IN A      ${nets.internet.ip4.addr}
+        '';
+      };
+      cores = 4;
+      nets = rec {
+        internet = {
+          ip4.addr = "178.254.30.202";
+          ip6.addr = "2a00:6800:3:18c::2";
+          aliases = [
+            "latte.i"
+          ];
+        };
+        #wiregrill = {
+        #  via = internet;
+        #  ip4.addr = "10.244.245.1";
+        #  ip6.addr = w6 "1";
+        #  wireguard.port = 51821;
+        #  wireguard.subnets = [
+        #      (krebs.genipv6 "wiregrill" "makefu" 0).subnetCIDR
+        #      "10.244.245.0/24" # required for routing directly to gum via rockit
+        #  ];
+        #};
+        retiolum = {
+          via = internet;
+          ip4.addr = "10.243.0.214";
+          # never connect via gum (he eats your packets!)
+          #tinc.weight = 9001;
+
+          aliases = [
+            "latte.r"
+          ];
+        };
+      };
+    };
     gum = rec {
       ci = true;
       extraZones = {
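Review bot: The comment `# never connect via gum (he eats your packets!)` in latte's retiolum block now sits directly above a commented-out `#tinc.weight = 9001;`, so it explains a setting that is not in effect, and the gum hunk below creates the same stale pair (`-          tinc.weight = 9001;` / `+          #tinc.weight = 9001;`). Either drop the comment together with the setting or rewrite it as `# tinc.weight = 9001 used to keep traffic off gum; disabled because <REASON>` so the next reader knows whether the restriction was lifted on purpose. The commented-out `wiregrill` block (`#wiregrill = {` … `#};`) is dead configuration copied into a brand-new host; if it is planned, a single `# TODO: enable wiregrill once <CONDITION>` above it says so, otherwise it should not be added at all. The enclosing hosts attrset begins and ends outside this hunk.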
@@ -220,7 +258,7 @@ in {
           via = internet;
           ip4.addr = "10.243.0.213";
           # never connect via gum (he eats your packets!)
-          tinc.weight = 9001;
+          #tinc.weight = 9001;
 
           aliases = [
             "gum.r"
diff --git a/krebs/3modules/makefu/retiolum/latte.pub b/krebs/3modules/makefu/retiolum/latte.pub
new file mode 100644
index 000000000..17fca2b40
--- /dev/null
+++ b/krebs/3modules/makefu/retiolum/latte.pub
@@ -0,0 +1,8 @@
+-----BEGIN RSA PUBLIC KEY-----
+MIIBCgKCAQEAx70gmNoP4RYeF3ShddEMsbNad9L5ezegwxJTZA7XTfF+/cwr/QwU
+5BL0QXTwBnKzS0gun5NXmhwPzvOdvfczAxtJLk8/NjVHFeE39CiTHGgIxkZFgnbo
+r2Rj6jJb89ZPaTr+hl0+0WQQVpl9NI7MTCUimvFBaD6IPmBh5wTySu6mYBs0mqmf
+43RrvS42ieqQJAvVPkIzxxJeTS/M3NXmjbJ3bdx/2Yzd7INdfPkMhOONHcQhTKS4
+GSXJRTytLYZEah8lp8F4ONggN6ixlhlcQAotToFP4s8c+KqYfIZrtP+pRj7W72Y6
+vhnobLDJwBbAsW1RQ6FHcw10TrP2H+haewIDAQAB
+-----END RSA PUBLIC KEY-----
diff --git a/krebs/3modules/makefu/retiolum/latte_ed25519.pub b/krebs/3modules/makefu/retiolum/latte_ed25519.pub
new file mode 100644
index 000000000..f987f3077
--- /dev/null
+++ b/krebs/3modules/makefu/retiolum/latte_ed25519.pub
@@ -0,0 +1 @@
+Ed25519PublicKey = ILtT9Y5pGBtc5/wR56RYzzYeZMvmmutaC6IED6I1oTI
-- 
cgit v1.2.3


From 66341414c5fe2e440acdd3b77178b7826dcded23 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Thu, 17 Feb 2022 22:46:55 +0100
Subject: ma retiolum: fix ed25519 for latte

---
 krebs/3modules/makefu/retiolum/latte_ed25519.pub | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/krebs/3modules/makefu/retiolum/latte_ed25519.pub b/krebs/3modules/makefu/retiolum/latte_ed25519.pub
index f987f3077..7974bb6e5 100644
--- a/krebs/3modules/makefu/retiolum/latte_ed25519.pub
+++ b/krebs/3modules/makefu/retiolum/latte_ed25519.pub
@@ -1 +1 @@
-Ed25519PublicKey = ILtT9Y5pGBtc5/wR56RYzzYeZMvmmutaC6IED6I1oTI
+ILtT9Y5pGBtc5/wR56RYzzYeZMvmmutaC6IED6I1oTI
-- 
cgit v1.2.3


From c88b48f0266ebfffd1bfd5ea2045f01cb15760b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?= <kmein@posteo.de>
Date: Tue, 22 Feb 2022 20:32:16 +0100
Subject: external: add redaktion.r

---
 krebs/3modules/external/kmein.nix | 1 +
 1 file changed, 1 insertion(+)


diff --git a/krebs/3modules/external/kmein.nix b/krebs/3modules/external/kmein.nix
index 1e4a68057..4605fbdf0 100644
--- a/krebs/3modules/external/kmein.nix
+++ b/krebs/3modules/external/kmein.nix
@@ -63,6 +63,7 @@ in
           "names.kmein.r"
           "graph.r"
           "rrm.r"
+          "redaktion.r"
         ];
         ip4.addr = "10.243.2.84";
         tinc.pubkey = ''
-- 
cgit v1.2.3


From d085a1b0b47092a3eaf728c5e8cc978169e158e1 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Tue, 22 Feb 2022 21:47:38 +0100
Subject: k 3 ma: torrent.latte.r

---
 krebs/3modules/makefu/default.nix | 1 +
 1 file changed, 1 insertion(+)


diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 1695db3f5..7a3d2fcc2 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -182,6 +182,7 @@ in {
 
           aliases = [
             "latte.r"
+            "torrent.latte.r"
           ];
         };
       };
-- 
cgit v1.2.3


From 123221de60a626ccf42c4ee5049bf385597c1bb3 Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 28 Feb 2022 21:44:27 +0100
Subject: ma rss.euer: gum -> latte

---
 krebs/3modules/makefu/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 7a3d2fcc2..68484a102 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -153,6 +153,7 @@ in {
       extraZones = {
         "krebsco.de" = ''
           latte.euer     IN A      ${nets.internet.ip4.addr}
+          rss.euer          IN A      ${nets.internet.ip4.addr}
         '';
       };
       cores = 4;
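Review bot: The added `rss.euer          IN A      ${nets.internet.ip4.addr}` keeps the wider column spacing of the gum zone it was moved from and so does not line up with `latte.euer     IN A` on the line above; the zone snippet is just a string, but aligned columns are what makes a mistyped owner name or record type stand out in review. Use `rss.euer       IN A      ${nets.internet.ip4.addr}`. The record resolves against latte's own `rec` `nets` binding, which appears to be the point of the move from gum; the enclosing latte attrset starts and ends outside the hunk.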
@@ -212,7 +213,6 @@ in {
           feed.euer         IN A      ${nets.internet.ip4.addr}
           board.euer        IN A      ${nets.internet.ip4.addr}
           etherpad.euer     IN A      ${nets.internet.ip4.addr}
-          rss.euer          IN A      ${nets.internet.ip4.addr}
           mediengewitter    IN CNAME  over.dose.io.
           mon.euer          IN A      ${nets.internet.ip4.addr}
           netdata.euer      IN A      ${nets.internet.ip4.addr}
-- 
cgit v1.2.3


From 0086cc952bd397b27940cbf02877f19c510f9f7d Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Mon, 28 Feb 2022 21:45:20 +0100
Subject: k 3 rtorrent: rip

in favor of upstream rtorrent + flood
---
 krebs/3modules/default.nix  |   1 -
 krebs/3modules/rtorrent.nix | 348 --------------------------------------------
 2 files changed, 349 deletions(-)
 delete mode 100644 krebs/3modules/rtorrent.nix


diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index fc57d8188..2d73da884 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -46,7 +46,6 @@ let
       ./realwallpaper.nix
       ./repo-sync.nix
       ./retiolum-bootstrap.nix
-      ./rtorrent.nix
       ./secret.nix
       ./setuid.nix
       ./shadow.nix
diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix
deleted file mode 100644
index 4a96f6203..000000000
--- a/krebs/3modules/rtorrent.nix
+++ /dev/null
@@ -1,348 +0,0 @@
-{ config, lib, pkgs, options, ... }:
-
-with import <stockholm/lib>;
-let
-  cfg = config.krebs.rtorrent;
-  webcfg = config.krebs.rtorrent.web;
-  rucfg = config.krebs.rtorrent.rutorrent;
-
-  nginx-user = config.services.nginx.user;
-  nginx-group = config.services.nginx.group;
-  fpm-socket = config.services.phpfpm.pools.rutorrent.socket;
-
-  webdir = rucfg.webdir;
-  systemd-logfile = cfg.workDir + "/rtorrent-systemd.log";
-
-  # rutorrent requires a couple of binaries to be available to either the
-  # rtorrent process or to phpfpm
-
-  rutorrent-deps = with pkgs; [ curl php coreutils procps ffmpeg mediainfo ] ++
-    (if (config.nixpkgs.config.allowUnfree or false) then
-      trace "enabling unfree packages for rutorrent" [ unrar unzip ] else
-      trace "not enabling unfree packages for rutorrent because allowUnfree is unset" []);
-
-  configFile = pkgs.writeText "rtorrent-config" ''
-    # THIS FILE IS AUTOGENERATED
-    ${optionalString (cfg.listenPort != null) ''
-      port_range = ${toString cfg.listenPort}-${toString cfg.listenPort}
-      port_random = no
-    ''}
-
-    ${optionalString (cfg.watchDir != null) ''
-      directory.watch.added = "${cfg.watchDir}", load.start_verbose
-    ''}
-
-    directory = ${cfg.downloadDir}
-    session = ${cfg.sessionDir}
-
-    ${optionalString (cfg.enableXMLRPC ) ''
-      # prepare socket and set permissions. rtorrent user is part of group nginx
-      # TODO: configure a shared torrent group
-      execute.nothrow = rm,${cfg.xmlrpc-socket}
-      scgi_local = ${cfg.xmlrpc-socket}
-      schedule = scgi_permission,0,0,"execute.nothrow=chmod,\"ug+w,o=\",${cfg.xmlrpc-socket}"
-    ''}
-
-    system.file.allocate.set = ${if cfg.preAllocate then "yes" else "no"}
-
-    # Prepare systemd logging
-    log.open_file = "rtorrent-systemd", ${systemd-logfile}
-    log.add_output = "warn", "rtorrent-systemd"
-    log.add_output = "notice", "rtorrent-systemd"
-    log.add_output = "info", "rtorrent-systemd"
-    # log.add_output = "debug", "rtorrent-systemd"
-    ${cfg.extraConfig}
-  '';
-
-  out = {
-    options.krebs.rtorrent = api;
-    # This only works because none of the attrsets returns the same key
-    config = with lib; mkIf cfg.enable (lib.mkMerge [
-      (lib.mkIf webcfg.enable rpcweb-imp)
-      # only build rutorrent-imp if webcfg is enabled as well
-      (lib.mkIf (webcfg.enable && rucfg.enable) rutorrent-imp)
-      imp
-    ]);
-  };
-
-  api = {
-    enable = mkEnableOption "rtorrent";
-
-    web = {
-      # configure NGINX to provide /RPC2 for listen address
-      # authentication also applies to rtorrent.rutorrent
-      enable = mkEnableOption "rtorrent nginx web RPC";
-
-      addr = mkOption {
-        type = types.addr4;
-        default = "0.0.0.0";
-        description = ''
-          the address to listen on
-          default is 0.0.0.0
-        '';
-      };
-
-      port = mkOption {
-        type = types.nullOr types.int;
-        description =''
-          nginx listen port for rtorrent
-        '';
-        default = 8006;
-      };
-
-      basicAuth = mkOption {
-        type = types.attrsOf types.str ;
-        description = ''
-          basic authentication to be used. If unset, no authentication will be
-          enabled.
-
-          Refer to `services.nginx.virtualHosts.‹name›.basicAuth`
-        '';
-        default = {};
-      };
-    };
-
-    rutorrent = {
-      enable = mkEnableOption "rutorrent"; # requires rtorrent.web.enable
-
-      package = mkOption {
-        type = types.package;
-        description = ''
-          path to rutorrent package. When using your own ruTorrent package,
-          scgi_port and scgi_host will be patched on startup.
-        '';
-        default = pkgs.rutorrent;
-      };
-
-      webdir = mkOption {
-        type = types.path;
-        description = ''
-          rutorrent php files will be written to this folder.
-          when using nginx, be aware that the the folder should be readable by nginx.
-          because rutorrent does not hold mutable data in a separate folder
-          these files must be writable.
-        '';
-        default = "/var/lib/rutorrent";
-      };
-
-    };
-
-    package = mkOption {
-      type = types.package;
-      default = pkgs.rtorrent;
-    };
-
-    # TODO: enable xmlrpc with web.enable
-    enableXMLRPC = mkEnableOption "rtorrent xmlrpc via socket";
-    xmlrpc-socket = mkOption {
-      type = types.str;
-      description = ''
-        enable xmlrpc at given socket. Required for web-interface.
-
-        for documentation see:
-        https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC
-      '';
-      default = cfg.workDir + "/rtorrent.sock";
-    };
-
-    preAllocate = mkOption {
-      type = types.bool;
-      description = ''
-        Pre-Allocate torrent files
-      '';
-      default = true;
-    };
-
-    downloadDir = mkOption {
-      type = types.path;
-      description = ''
-        directory where torrents are stored
-      '';
-      default = cfg.workDir + "/downloads";
-    };
-
-    sessionDir = mkOption {
-      type = types.path;
-      description = ''
-        directory where torrent progress is stored
-      '';
-      default = cfg.workDir + "/rtorrent-session";
-    };
-
-    watchDir = mkOption {
-      type = with types; nullOr str;
-      description = ''
-        directory to watch for torrent files.
-        If unset, no watch directory will be configured
-      '';
-      default = null;
-    };
-
-    listenPort = mkOption {
-      type = with types; nullOr int;
-      description =''
-        listening port. if you want multiple ports, use extraConfig port_range
-      '';
-    };
-
-    extraConfig = mkOption {
-      type = types.lines;
-      description = ''
-        config to be placed into ${cfg.workDir}/.rtorrent.rc
-
-        see ${cfg.package}/share/doc/rtorrent/rtorrent.rc
-      '';
-      example = literalExample ''
-        log.execute = ${cfg.workDir}/execute.log
-        log.xmlrpc = ${cfg.workDir}/xmlrpc.log
-      '';
-      default = "";
-    };
-
-    user = mkOption {
-      description = ''
-        user which will run rtorrent. if kept default a new user will be created
-      '';
-      type = types.str;
-      default = "rtorrent";
-    };
-
-    workDir = mkOption {
-      description = ''
-        working directory. rtorrent will search in HOME for `.rtorrent.rc`
-      '';
-      type = types.str;
-      default = "/var/lib/rtorrent";
-    };
-
-  };
-
-  imp = {
-    systemd.services = {
-      rtorrent-daemon = {
-        description = "rtorrent headless";
-        after = [ "network.target" ];
-        wantedBy = [ "multi-user.target" ];
-        restartIfChanged = true;
-        serviceConfig = {
-          Type = "forking";
-          ExecStartPre = pkgs.writeDash "prepare-folder" ''
-            mkdir -p ${cfg.workDir} ${cfg.sessionDir}
-            chmod 770 ${cfg.workDir} ${cfg.sessionDir}
-            touch ${systemd-logfile}
-            cp -f ${configFile} ${cfg.workDir}/.rtorrent.rc
-          '';
-          ExecStart = "${pkgs.tmux}/bin/tmux new-session -s rt -n rtorrent -d 'PATH=/bin:/usr/bin:${makeBinPath rutorrent-deps} ${cfg.package}/bin/rtorrent'";
-          Restart = "always";
-          RestartSec = "10";
-
-          ## you can simply sudo -u rtorrent tmux a if privateTmp is set to false
-          ## otherwise the tmux session is stored in some private folder in /tmp
-          PrivateTmp = false;
-
-          WorkingDirectory = cfg.workDir;
-          User = "${cfg.user}";
-        };
-      };
-      rtorrent-log = {
-        after = [ "rtorrent-daemon.service" ];
-        bindsTo = [ "rtorrent-daemon.service" ];
-        wantedBy = [ "rtorrent-daemon.service" ];
-        serviceConfig = {
-          ExecStart = "${pkgs.coreutils}/bin/tail -f ${systemd-logfile}";
-          User = "${cfg.user}";
-        };
-      };
-    } // (optionalAttrs webcfg.enable {
-      rutorrent-prepare = {
-        after = [ "rtorrent-daemon.service" ];
-        wantedBy = [ "rtorrent-daemon.service" ];
-        serviceConfig = {
-          Type = "oneshot";
-          # we create the folder and set the permissions to allow nginx
-          # TODO: update files if the version of rutorrent changed
-          ExecStart = pkgs.writeDash "create-webconfig-dir" ''
-            if [ ! -e ${webdir} ];then
-              echo "creating webconfiguration directory for rutorrent: ${webdir}"
-              cp -vr ${rucfg.package} ${webdir}
-              echo "setting permissions for webdir to ${cfg.user}:${nginx-group}"
-              chown -R ${cfg.user}:${nginx-group} ${webdir}
-              chmod -R 770 ${webdir}
-            else
-              echo "not overwriting ${webdir}"
-
-            fi
-            echo "updating xmlrpc-socket with unix://${cfg.xmlrpc-socket}"
-            sed -i -e 's#^\s*$scgi_port.*#$scgi_port = 0;#' \
-                -e 's#^\s*$scgi_host.*#$scgi_host = "unix://${cfg.xmlrpc-socket}";#' \
-                  "${webdir}/conf/config.php"
-          '';
-        };
-      };
-    })
-      // (optionalAttrs rucfg.enable { });
-
-    users = lib.mkIf (cfg.user == "rtorrent") {
-      users.rtorrent = {
-        uid = genid "rtorrent";
-        home = cfg.workDir;
-        group = nginx-group; # required for rutorrent to work
-        shell = "/bin/sh"; #required for tmux
-        isSystemUser = true;
-        createHome = true;
-      };
-      groups.rtorrent.gid = genid "rtorrent";
-    };
-  };
-
-  rpcweb-imp = {
-    services.nginx.enable = mkDefault true;
-    services.nginx.virtualHosts.rtorrent = {
-      default = mkDefault true;
-      inherit (webcfg) basicAuth;
-      root = optionalString rucfg.enable webdir;
-      listen = [ { inherit (webcfg) addr port; } ];
-
-      locations = {
-        "/RPC2".extraConfig = ''
-          include ${pkgs.nginx}/conf/scgi_params;
-          scgi_param    SCRIPT_NAME  /RPC2;
-          scgi_pass unix:${cfg.xmlrpc-socket};
-        '';
-      } // (optionalAttrs rucfg.enable {
-        "~ \.php$".extraConfig = ''
-          client_max_body_size 200M;
-          fastcgi_split_path_info ^(.+\.php)(/.+)$;
-          fastcgi_pass unix:${fpm-socket};
-          try_files $uri =404;
-          fastcgi_index  index.php;
-          include ${pkgs.nginx}/conf/fastcgi_params;
-          include ${pkgs.nginx}/conf/fastcgi.conf;
-        ''; }
-      );
-    };
-  };
-
-  rutorrent-imp = {
-    services.phpfpm = {
-      pools.rutorrent = {
-        user =  nginx-user;
-        group =  nginx-group;
-        phpEnv.PATH = makeBinPath rutorrent-deps;
-
-        settings = {
-          "listen.owner" = nginx-user;
-          "pm" = "dynamic";
-          "pm.max_children" = 5;
-          "pm.start_servers" = 2;
-          "pm.min_spare_servers" = 1;
-          "pm.max_spare_servers" = 3;
-          "chdir" = "/";
-          "php_admin_value[error_log]" = "stderr";
-          "php_admin_flag[log_errors]" = "on";
-          "catch_workers_output" = "yes";
-        };
-      };
-    };
-  };
-in out
-- 
cgit v1.2.3


From 6002189225e347418f07a99d6a85b033fa0edaf7 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Tue, 1 Mar 2022 14:20:57 +0100
Subject: tinc tinc-up: don't rely on store path interpreter

---
 krebs/3modules/tinc.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index bc85aa0a6..e9d1b30ae 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -25,7 +25,8 @@ with import <stockholm/lib>;
                 Port = ${toString tinc.config.host.nets.${netname}.tinc.port}
                 ${tinc.config.extraConfig}
               '';
-              "tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
+              "tinc-up" = pkgs.writeScript "${netname}-tinc-up" ''
+                #!/bin/sh
                 ip link set ${netname} up
                 ${tinc.config.tincUp}
               '';
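Review bot: Switching `tinc-up` from `pkgs.writeDash` to `pkgs.writeScript` with `#!/bin/sh` changes the interpreter from a pinned store dash to whatever the host installs at `/bin/sh`, and nothing in the file says why; the motivation lives only in the commit subject. A comment above the shebang such as `# plain /bin/sh on purpose, not writeDash: the store-path interpreter is presumably not usable where tincd runs this script (see commit "tinc tinc-up: don't rely on store path interpreter")` would keep the next reader from "fixing" it back. Because `${tinc.config.tincUp}` is user-supplied shell spliced into the same script, any snippet that relied on dash-specific behaviour is now run by the host's `/bin/sh`, which is worth checking on hosts where that is not dash. The `pkgs.writeScript` call is fully inside the hunk, but the surrounding attrset starts and ends outside it.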
-- 
cgit v1.2.3


From 87a44dd1573cbdc8f0fc3553b0896b470bcfa44d Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 3 Mar 2022 10:53:25 +0100
Subject: tinc: add logLevel with default of 3

---
 krebs/3modules/tinc.nix | 9 +++++++++
 1 file changed, 9 insertions(+)


diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index e9d1b30ae..1b28628d6 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -19,6 +19,7 @@ with import <stockholm/lib>;
               "hosts" = tinc.config.hostsPackage;
               "tinc.conf" = pkgs.writeText "${netname}-tinc.conf" ''
                 Name = ${tinc.config.host.name}
+                LogLevel = ${toString tinc.config.logLevel}
                 Interface = ${netname}
                 Broadcast = no
                 ${concatMapStrings (c: "ConnectTo = ${c}\n") tinc.config.connectTo}
@@ -193,6 +194,14 @@ with import <stockholm/lib>;
           '';
         };
 
+        logLevel = mkOption {
+          type = types.int;
+          description = ''
+            LogLevel in tinc.conf
+          '';
+          default = 3;
+        };
+
         user = mkOption {
           type = types.user;
           default = {
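Review bot: `logLevel` is declared as `types.int`, but tinc's LogLevel is a small scale (0 to 5), so a typo such as `30` passes evaluation and is only noticed when tincd reads the generated file; `type = types.ints.between 0 5;` moves that check to evaluation time. The description `LogLevel in tinc.conf` should say what the scale means, e.g. `Verbosity of tincd logging, 0 (errors only) to 5 (most verbose); see tinc.conf(5) for what each level adds.` If I recall tinc.conf(5) correctly its own default is 0, so the module's default of 3 adds log volume, which the description should state so operators know the extra connection/authentication logging is deliberate rather than accidental. The `tinc.conf` hunk above just interpolates the value with `toString` and needs no change; the enclosing options attrset starts and ends outside this hunk.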
-- 
cgit v1.2.3