kfm/niveum
1
0
Fork 0
mirror of https://github.com/kmein/niveum synced 2026-03-16 10:11:08 +01:00
Code Releases Activity

chore: format with alejandra

Browse Source
This commit is contained in:
Kierán Meinhardt
2022-03-10 21:52:12 +01:00
parent 13727abfd6
commit d37e90cb97
159 changed files with 4239 additions and 3405 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
systems/kabsa/configuration.nix
View File

@@ -1,8 +1,11 @@
{ config, pkgs, lib, ... }:
let
inherit (import <niveum/lib>) retiolumAddresses;
in
{
config,
pkgs,
lib,
...
}: let
inherit (import <niveum/lib>) retiolumAddresses;
in {
imports = [
./hardware-configuration.nix
<niveum/configs/battery.nix>
@@ -21,11 +24,11 @@ in
maxJobs = 2;
};
environment.systemPackages = [ pkgs.minecraft ];
environment.systemPackages = [pkgs.minecraft];
networking = {
hostName = "kabsa";
wireless.interfaces = [ "wlp3s0" ];
wireless.interfaces = ["wlp3s0"];
retiolum = retiolumAddresses.kabsa;
};

17
systems/kabsa/hardware-configuration.nix
View File

@@ -1,14 +1,19 @@
{ config, lib, pkgs, ... }: {
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
{
config,
lib,
pkgs,
...
}: {
imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
boot = {
initrd = {
availableKernelModules = [ "ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci" ];
availableKernelModules = ["ehci_pci" "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_pci"];
luks.devices."luksmap".device = "/dev/disk/by-uuid/03b6abd0-e9ce-49c8-9659-a1d94f645d0f";
kernelModules = [ ];
kernelModules = [];
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
kernelModules = ["kvm-intel"];
extraModulePackages = [];
loader = {
efi.canTouchEfiVariables = true;
systemd-boot = {

22
systems/makanek/configuration.nix
View File

@@ -1,8 +1,11 @@
{ lib, config, pkgs, ... }:
let
inherit (import <niveum/lib>) kieran retiolumAddresses restic;
in
{
lib,
config,
pkgs,
...
}: let
inherit (import <niveum/lib>) kieran retiolumAddresses restic;
in {
imports = [
./gitea.nix
./hardware-configuration.nix
@@ -33,7 +36,10 @@ in
services.restic.backups.niveum = {
initialize = true;
inherit (restic) repository;
timerConfig = { OnCalendar = "daily"; RandomizedDelaySec = "1h"; };
timerConfig = {
OnCalendar = "daily";
RandomizedDelaySec = "1h";
};
passwordFile = toString <secrets/restic/password>;
paths = [
"/var/lib/codimd"
@@ -46,10 +52,10 @@ in
];
};
nix.nixPath = [ "/var/src" ];
nix.nixPath = ["/var/src"];
networking = {
firewall.allowedTCPPorts = [ 80 443 ];
firewall.allowedTCPPorts = [80 443];
hostName = "makanek";
interfaces.ens3.useDHCP = true;
retiolum = retiolumAddresses.makanek;
@@ -72,5 +78,5 @@ in
email = kieran.email;
};
environment.systemPackages = [ pkgs.vim pkgs.git pkgs.tmux pkgs.python3 ];
environment.systemPackages = [pkgs.vim pkgs.git pkgs.tmux pkgs.python3];
}

20
systems/makanek/hardware-configuration.nix
View File

@@ -1,18 +1,22 @@
{ config, lib, pkgs, ... }:
{
imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ];
config,
lib,
pkgs,
...
}: {
imports = [<nixpkgs/nixos/modules/profiles/qemu-guest.nix>];
boot = {
initrd = {
availableKernelModules = [ "ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod" ];
kernelModules = [ ];
availableKernelModules = ["ata_piix" "virtio_pci" "xhci_pci" "sd_mod" "sr_mod"];
kernelModules = [];
};
kernelModules = [ ];
extraModulePackages = [ ];
kernelModules = [];
extraModulePackages = [];
loader.grub = {
enable = true;
version = 2;
devices = [ "/dev/sda" ];
devices = ["/dev/sda"];
};
};
@@ -21,7 +25,7 @@
fsType = "ext4";
};
swapDevices = [ ];
swapDevices = [];
zramSwap.enable = true;
nix.maxJobs = lib.mkDefault 2;

56
systems/makanek/hedgedoc.nix
View File

@@ -1,12 +1,14 @@
{ config, pkgs, ... }:
let
{
config,
pkgs,
...
}: let
backupLocation = "/var/lib/codimd-backup";
stateLocation = "/var/lib/codimd/state.sqlite";
nixpkgs-unstable = import <nixpkgs-unstable> {};
domain = "pad.kmein.de";
in
{
imports = [ <stockholm/krebs/3modules/permown.nix> ];
in {
imports = [<stockholm/krebs/3modules/permown.nix>];
services.nginx.virtualHosts.${domain} = {
enableACME = true;
@@ -18,7 +20,7 @@ in
};
security.acme.certs.${domain}.group = "hedgecert";
users.groups.hedgecert.members = [ "codimd" "nginx" ];
users.groups.hedgecert.members = ["codimd" "nginx"];
security.dhparams = {
enable = true;
@@ -28,7 +30,7 @@ in
services.hedgedoc = {
enable = true;
configuration = {
allowOrigin = [ domain ];
allowOrigin = [domain];
allowAnonymous = true;
allowGravatar = false;
allowFreeURL = true;
@@ -40,35 +42,41 @@ in
domain = domain;
useSSL = true;
protocolUseSSL = true;
sslCAPath = [ "/etc/ssl/certs/ca-certificates.crt" ];
sslCAPath = ["/etc/ssl/certs/ca-certificates.crt"];
sslCertPath = "/var/lib/acme/${domain}/cert.pem";
sslKeyPath = "/var/lib/acme/${domain}/key.pem";
dhParamPath = config.security.dhparams.params.hedgedoc.path;
};
};
krebs.permown.${backupLocation} = { owner = "codimd"; group = "codimd"; umask = "0002"; };
krebs.permown.${backupLocation} = {
owner = "codimd";
group = "codimd";
umask = "0002";
};
systemd.services.hedgedoc-backup = {
description = "Hedgedoc backup service";
script = ''
${nixpkgs-unstable.sqlite}/bin/sqlite3 -json ${stateLocation} "select shortid, alias, ownerId, content from Notes" \
| ${pkgs.writers.writePython3 "hedgedoc-json-to-fs.py" {} ''
import json
import pathlib
import sys
| ${
pkgs.writers.writePython3 "hedgedoc-json-to-fs.py" {} ''
import json
import pathlib
import sys
for note in json.load(sys.stdin):
user_directory = pathlib.Path()
if note["ownerId"]:
user_directory = pathlib.Path(note["ownerId"])
user_directory.mkdir(exist_ok=True)
file_path = user_directory / (
(note["alias"] if note["alias"] else note["shortid"]) + ".md"
)
file_path.write_text(note["content"])
print(f" {file_path}", file=sys.stderr)
''}
for note in json.load(sys.stdin):
user_directory = pathlib.Path()
if note["ownerId"]:
user_directory = pathlib.Path(note["ownerId"])
user_directory.mkdir(exist_ok=True)
file_path = user_directory / (
(note["alias"] if note["alias"] else note["shortid"]) + ".md"
)
file_path.write_text(note["content"])
print(f" {file_path}", file=sys.stderr)
''
}
'';
startAt = "hourly";
serviceConfig = {

19
systems/makanek/horoscopy.nix
View File

@@ -1,5 +1,8 @@
{ pkgs, lib, ... }:
let
{
pkgs,
lib,
...
}: let
port = 5040;
punkt = pkgs.fetchzip {
url = "https://raw.githubusercontent.com/nltk/nltk_data/gh-pages/packages/tokenizers/punkt.zip";
@@ -11,17 +14,19 @@ let
hash = "sha256-KBAbCvayTEr4+cOHnMXHCBA+8RWDMiQF65xzP4fOdaE=";
};
horoscopy = import horoscopy-src;
in
{
in {
systemd.services.horoscopy = {
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
description = "AI astrologer";
serviceConfig = {
DynamicUser = true;
};
environment.NLTK_DATA = pkgs.linkFarm "punkt-tokenizers" [
{ name = "tokenizers/punkt"; path = punkt; }
{
name = "tokenizers/punkt";
path = punkt;
}
];
script = ''
cd ${horoscopy-src}

88
systems/makanek/matterbridge.nix
View File

@@ -1,45 +1,53 @@
{ pkgs, lib, ... }:
{
pkgs,
lib,
...
}: {
services.matterbridge = {
enable = true;
configPath =
let bridgeBotToken = lib.strings.fileContents <system-secrets/telegram/kmein.token>;
in toString ((pkgs.formats.toml {}).generate "config.toml" {
general = {
RemoteNickFormat = "[{NICK}] ";
Charset = "utf-8";
};
telegram.kmein.Token = bridgeBotToken;
irc =
let Nick = "ponte";
in {
hackint = { Server = "irc.hackint.org:6697"; UseTLS = true; inherit Nick; };
};
mumble.lassulus = {
Server = "lassul.us:64738";
Nick = "krebs_bridge";
SkipTLSVerify = true;
};
gateway = [
{
name = "krebs-bridge";
enable = true;
inout = [
{
account = "irc.hackint";
channel = "#krebs";
}
{
account = "telegram.kmein";
channel = "-330372458";
}
{
account = "mumble.lassulus";
channel = 6; # "nixos"
}
];
}
];
});
configPath = let
bridgeBotToken = lib.strings.fileContents <system-secrets/telegram/kmein.token>;
in
toString ((pkgs.formats.toml {}).generate "config.toml" {
general = {
RemoteNickFormat = "[{NICK}] ";
Charset = "utf-8";
};
telegram.kmein.Token = bridgeBotToken;
irc = let
Nick = "ponte";
in {
hackint = {
Server = "irc.hackint.org:6697";
UseTLS = true;
inherit Nick;
};
};
mumble.lassulus = {
Server = "lassul.us:64738";
Nick = "krebs_bridge";
SkipTLSVerify = true;
};
gateway = [
{
name = "krebs-bridge";
enable = true;
inout = [
{
account = "irc.hackint";
channel = "#krebs";
}
{
account = "telegram.kmein";
channel = "-330372458";
}
{
account = "mumble.lassulus";
channel = 6; # "nixos"
}
];
}
];
});
};
}

16
systems/makanek/menstruation.nix
View File

@@ -1,13 +1,15 @@
{ pkgs, lib, ... }:
let
{
pkgs,
lib,
...
}: let
backend = pkgs.callPackage <menstruation-backend> {};
telegram = pkgs.callPackage <menstruation-telegram> {};
backendPort = 8000;
in
{
in {
services.redis.enable = true;
environment.systemPackages = [ pkgs.redis ];
environment.systemPackages = [pkgs.redis];
systemd.services.menstruation-telegram = {
wants = [
@@ -15,7 +17,7 @@ in
"menstruation-backend.service"
"redis.service"
];
wantedBy = [ "multi-user.target" ];
wantedBy = ["multi-user.target"];
environment = {
MENSTRUATION_TOKEN = lib.strings.fileContents <system-secrets/telegram/menstruation.token>;
MENSTRUATION_ENDPOINT = "http://localhost:${toString backendPort}";
@@ -29,7 +31,7 @@ in
};
systemd.services.menstruation-backend = {
wants = [ "network-online.target" ];
wants = ["network-online.target"];
environment.ROCKET_PORT = toString backendPort;
serviceConfig = {
Restart = "always";

3
systems/makanek/moinbot.nix
View File

@@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
systemd.services.moinbot = {
startAt = "7:00";
script = ''

2
systems/makanek/monitoring/blackbox.nix
View File

@@ -8,7 +8,7 @@
method = "GET";
no_follow_redirects = false;
preferred_ip_protocol = "ip4";
valid_http_versions = [ "HTTP/1.1" "HTTP/2.0" ];
valid_http_versions = ["HTTP/1.1" "HTTP/2.0"];
tls_config.insecure_skip_verify = true;
};
prober = "http";

326
systems/makanek/monitoring/default.nix
View File

@@ -1,10 +1,13 @@
{ lib, config, pkgs, ... }:
let
{
lib,
config,
pkgs,
...
}: let
lokiConfig = import ./loki.nix;
blackboxConfig = import ./blackbox.nix;
inherit (import <niveum/lib>) restic;
in
{
in {
services.grafana = {
enable = true;
domain = "grafana.kmein.r";
@@ -19,103 +22,110 @@ in
};
};
services.prometheus.rules = let diskFreeThreshold = 10; in [(builtins.toJSON {
groups = [{
name = "niveum";
rules = [
services.prometheus.rules = let
diskFreeThreshold = 10;
in [
(builtins.toJSON {
groups = [
{
alert = "ServiceDown";
expr = ''node_systemd_unit_state{state="failed"} == 1'';
annotations = {
summary = "{{$labels.name}} failed on {{$labels.job}}";
};
}
{
alert = "RootPartitionFull";
for = "10m";
expr = ''(node_filesystem_free_bytes{mountpoint="/"} * 100) / node_filesystem_size_bytes{mountpoint="/"} < ${toString diskFreeThreshold}'';
annotations = {
summary = ''{{ $labels.job }} running out of space: {{ $value | printf "%.2f" }}% < ${toString diskFreeThreshold}%'';
};
}
{
alert = "RootPartitionFullWeek";
for = "1h";
expr = ''node_filesystem_free_bytes{mountpoint="/"} ''
+ ''and predict_linear(node_filesystem_free_bytes{mountpoint="/"}[2d], 7*24*3600) <= 0'';
annotations = {
summary = "{{$labels.job}} running out of space in 7 days";
};
}
{
alert = "HighLoad";
expr = ''node_load15 / on(job) count(node_cpu_seconds_total{mode="system"}) by (job) >= 1.0'';
for = "10m";
annotations = {
summary = "{{$labels.job}} running on high load: {{$value}}";
};
}
{
alert = "HighRAM";
expr = "node_memory_MemFree_bytes + node_memory_Buffers_bytes + node_memory_Cached_bytes < node_memory_MemTotal_bytes * 0.1";
for = "1h";
annotations.summary = "{{$labels.job}} using lots of RAM";
}
{
alert = "UptimeMonster";
expr = "time() - node_boot_time_seconds > 2592000";
annotations.summary = "uptime monster {{$labels.job}} up for more than 30 days";
}
{
alert = "HostDown";
expr = ''up == 0'';
for = "5m";
annotations = {
summary = "{{ $labels.job }} seeming down since 5 minutes";
};
}
{
alert = "Reboot";
expr = "time() - node_boot_time_seconds < 300";
annotations.summary = "{{$labels.job}} rebooted";
}
{
alert = "ProbeFailed";
expr = "probe_success == 0";
for = "5m";
annotations.summary = "HTTP probe failed for {{$labels.instance}}";
}
{
alert = "SlowProbe";
expr = "avg_over_time(probe_http_duration_seconds[1m]) > 1";
for = "5m";
annotations.summary = "HTTP probe slow for {{$labels.instance}}";
}
{
alert = "HttpStatusCode";
expr = "probe_http_status_code != 0 AND (probe_http_status_code <= 199 OR probe_http_status_code >= 400)";
for = "5m";
annotations.summary = "status code {{$value}} for {{$labels.instance}}";
}
{
alert = "SslExpirySoon";
expr = "probe_ssl_earliest_cert_expiry - time() < 86400 * 30";
for = "5m";
annotations.summary = "SSL certificate for {{$labels.instance}} expires in 30 days";
}
{
alert = "SslExpiry";
expr = "probe_ssl_earliest_cert_expiry - time() <= 0";
for = "5m";
annotations.summary = "SSL certificate for {{$labels.instance}} has expired";
name = "niveum";
rules = [
{
alert = "ServiceDown";
expr = ''node_systemd_unit_state{state="failed"} == 1'';
annotations = {
summary = "{{$labels.name}} failed on {{$labels.job}}";
};
}
{
alert = "RootPartitionFull";
for = "10m";
expr = ''(node_filesystem_free_bytes{mountpoint="/"} * 100) / node_filesystem_size_bytes{mountpoint="/"} < ${toString diskFreeThreshold}'';
annotations = {
summary = ''{{ $labels.job }} running out of space: {{ $value | printf "%.2f" }}% < ${toString diskFreeThreshold}%'';
};
}
{
alert = "RootPartitionFullWeek";
for = "1h";
expr =
''node_filesystem_free_bytes{mountpoint="/"} ''
+ ''and predict_linear(node_filesystem_free_bytes{mountpoint="/"}[2d], 7*24*3600) <= 0'';
annotations = {
summary = "{{$labels.job}} running out of space in 7 days";
};
}
{
alert = "HighLoad";
expr = ''node_load15 / on(job) count(node_cpu_seconds_total{mode="system"}) by (job) >= 1.0'';
for = "10m";
annotations = {
summary = "{{$labels.job}} running on high load: {{$value}}";
};
}
{
alert = "HighRAM";
expr = "node_memory_MemFree_bytes + node_memory_Buffers_bytes + node_memory_Cached_bytes < node_memory_MemTotal_bytes * 0.1";
for = "1h";
annotations.summary = "{{$labels.job}} using lots of RAM";
}
{
alert = "UptimeMonster";
expr = "time() - node_boot_time_seconds > 2592000";
annotations.summary = "uptime monster {{$labels.job}} up for more than 30 days";
}
{
alert = "HostDown";
expr = ''up == 0'';
for = "5m";
annotations = {
summary = "{{ $labels.job }} seeming down since 5 minutes";
};
}
{
alert = "Reboot";
expr = "time() - node_boot_time_seconds < 300";
annotations.summary = "{{$labels.job}} rebooted";
}
{
alert = "ProbeFailed";
expr = "probe_success == 0";
for = "5m";
annotations.summary = "HTTP probe failed for {{$labels.instance}}";
}
{
alert = "SlowProbe";
expr = "avg_over_time(probe_http_duration_seconds[1m]) > 1";
for = "5m";
annotations.summary = "HTTP probe slow for {{$labels.instance}}";
}
{
alert = "HttpStatusCode";
expr = "probe_http_status_code != 0 AND (probe_http_status_code <= 199 OR probe_http_status_code >= 400)";
for = "5m";
annotations.summary = "status code {{$value}} for {{$labels.instance}}";
}
{
alert = "SslExpirySoon";
expr = "probe_ssl_earliest_cert_expiry - time() < 86400 * 30";
for = "5m";
annotations.summary = "SSL certificate for {{$labels.instance}} expires in 30 days";
}
{
alert = "SslExpiry";
expr = "probe_ssl_earliest_cert_expiry - time() <= 0";
for = "5m";
annotations.summary = "SSL certificate for {{$labels.instance}} has expired";
}
];
}
];
}];
})];
})
];
systemd.services.alertmanager-bot-telegram = {
wantedBy = [ "multi-user.target" ];
after = [ "ip-up.target" ];
wantedBy = ["multi-user.target"];
after = ["ip-up.target"];
environment.TELEGRAM_ADMIN = "18980945";
environment.TELEGRAM_TOKEN = lib.strings.fileContents <system-secrets/telegram/prometheus.token>;
serviceConfig = {
@@ -123,17 +133,19 @@ in
RestartSec = "15s";
DynamicUser = true;
StateDirectory = "alertbot";
ExecStart = ''${pkgs.alertmanager-bot-telegram}/bin/alertmanager-bot \
--alertmanager.url=http://localhost:9093 --log.level=info \
--store=bolt --bolt.path=/var/lib/alertbot/bot.db \
--listen.addr="0.0.0.0:16320" \
--template.paths=${pkgs.writeText "template.tmpl" ''
{{ define "telegram.default" }}
{{range .Alerts -}}
{{.Status}}: {{ index .Annotations "summary"}}
{{end -}}
{{end}}
''}'';
ExecStart = '' ${pkgs.alertmanager-bot-telegram}/bin/alertmanager-bot \
--alertmanager.url=http://localhost:9093 --log.level=info \
--store=bolt --bolt.path=/var/lib/alertbot/bot.db \
--listen.addr="0.0.0.0:16320" \
--template.paths=${
pkgs.writeText "template.tmpl" ''
{{ define "telegram.default" }}
{{range .Alerts -}}
{{.Status}}: {{ index .Annotations "summary"}}
{{end -}}
{{end}}
''
}'';
};
};
@@ -146,64 +158,88 @@ in
repeat_interval = "4h";
receiver = "me";
};
receivers = [{
name = "me";
webhook_configs = [{
url = "http://localhost:16320";
send_resolved = true;
}];
}];
receivers = [
{
name = "me";
webhook_configs = [
{
url = "http://localhost:16320";
send_resolved = true;
}
];
}
];
};
};
services.prometheus.alertmanagers = [{
scheme = "http";
path_prefix = "/";
static_configs = [ { targets = [ "localhost:9093" ]; } ];
}];
services.prometheus.alertmanagers = [
{
scheme = "http";
path_prefix = "/";
static_configs = [{targets = ["localhost:9093"];}];
}
];
services.prometheus.scrapeConfigs = [
{
job_name = "makanek";
static_configs = [ { targets = [
"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
]; } ];
static_configs = [
{
targets = [
"127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
];
}
];
}
{
scrape_interval = "5m";
job_name = "blackbox";
metrics_path = "/probe";
params.module = [ "http_2xx" ];
params.module = ["http_2xx"];
relabel_configs = [
{ source_labels = ["__address__"]; target_label = "__param_target"; }
{ source_labels = ["__param_target"]; target_label = "instance"; }
{ replacement = "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}"; target_label = "__address__"; }
{
source_labels = ["__address__"];
target_label = "__param_target";
}
{
source_labels = ["__param_target"];
target_label = "instance";
}
{
replacement = "127.0.0.1:${toString config.services.prometheus.exporters.blackbox.port}";
target_label = "__address__";
}
];
static_configs = [
{
targets = [
"alew.hu-berlin.de"
"pad.kmein.de"
"code.kmein.de"
"radio.kmein.de"
"tarot.kmein.de"
"cloud.xn--kiern-0qa.de"
"grafana.kmein.r"
"names.kmein.r"
"rrm.r"
"graph.r"
];
}
];
static_configs = [{
targets = [
"alew.hu-berlin.de"
"pad.kmein.de"
"code.kmein.de"
"radio.kmein.de"
"tarot.kmein.de"
"cloud.xn--kiern-0qa.de"
"grafana.kmein.r"
"names.kmein.r"
"rrm.r"
"graph.r"
];
}];
}
{
job_name = "zaatar";
static_configs = [ { targets = [
"zaatar.r:${toString config.services.prometheus.exporters.node.port}"
"zaatar.r:${toString restic.port}"
]; } ];
static_configs = [
{
targets = [
"zaatar.r:${toString config.services.prometheus.exporters.node.port}"
"zaatar.r:${toString restic.port}"
];
}
];
}
];
services.prometheus.exporters.blackbox = {
enable = true;
configFile = (pkgs.formats.yaml {}).generate "blackbox.yaml" blackboxConfig;

12
systems/makanek/monitoring/loki.nix
View File

@@ -17,11 +17,11 @@
};
final_sleep = "0s";
};
chunk_idle_period = "1h"; # Any chunk not receiving new logs in this time will be flushed
max_chunk_age = "1h"; # All chunks will be flushed when they hit this age, default is 1h
chunk_target_size = 1048576; # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first
chunk_retain_period = "30s"; # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
max_transfer_retries = 0; # Chunk transfers disabled
chunk_idle_period = "1h"; # Any chunk not receiving new logs in this time will be flushed
max_chunk_age = "1h"; # All chunks will be flushed when they hit this age, default is 1h
chunk_target_size = 1048576; # Loki will attempt to build chunks up to 1.5MB, flushing first if chunk_idle_period or max_chunk_age is reached first
chunk_retain_period = "30s"; # Must be greater than index read cache TTL if using an index cache (Default index read cache TTL is 5m)
max_transfer_retries = 0; # Chunk transfers disabled
};
schema_config.configs = [
{
@@ -39,7 +39,7 @@
boltdb_shipper = {
active_index_directory = "/tmp/loki/boltdb-shipper-active";
cache_location = "/tmp/loki/boltdb-shipper-cache";
cache_ttl = "24h"; # Can be increased for faster performance over longer query periods, uses more disk space
cache_ttl = "24h"; # Can be increased for faster performance over longer query periods, uses more disk space
shared_store = "filesystem";
};
filesystem.directory = "/tmp/loki/chunks";

19
systems/makanek/moodle-dl-borsfaye.nix
View File

@@ -1,11 +1,16 @@
{ config, pkgs, lib, ... }:
let
moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old: old // {
patches = [ <niveum/packages/moodle-dl/telegram-format.patch> ];
});
in
{
imports = [ <niveum/modules/moodle-dl.nix> ];
config,
pkgs,
lib,
...
}: let
moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old:
old
// {
patches = [<niveum/packages/moodle-dl/telegram-format.patch>];
});
in {
imports = [<niveum/modules/moodle-dl.nix>];
services.moodle-dl = {
enable = true;

14
systems/makanek/names.nix
View File

@@ -1,13 +1,15 @@
{ pkgs, lib, ... }:
let
{
pkgs,
lib,
...
}: let
port = 5703;
geogen-src = "${<scripts>}/onomastics";
geogen = pkgs.callPackage geogen-src {};
in
{
in {
systemd.services.names = {
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
description = "Better clone of geogen.stoepel.net";
serviceConfig = {
DynamicUser = true;

13
systems/makanek/nextcloud.nix
View File

@@ -1,9 +1,11 @@
{ pkgs, lib, ... }:
let
{
pkgs,
lib,
...
}: let
passwordFile = path: toString (pkgs.writeText "password" (lib.strings.fileContents path));
inherit (import <niveum/lib>) localAddresses;
in
{
in {
services.nextcloud = {
enable = true;
package = pkgs.nextcloud22;
@@ -33,7 +35,7 @@ in
services.postgresql = {
enable = true;
ensureDatabases = [ "nextcloud" ];
ensureDatabases = ["nextcloud"];
ensureUsers = [
{
name = "nextcloud";
@@ -42,7 +44,6 @@ in
];
};
services.nginx.virtualHosts."cloud.xn--kiern-0qa.de" = {
enableACME = true;
forceSSL = true;

10
systems/makanek/radio-news.nix
View File

@@ -1,9 +1,11 @@
{ pkgs, lib, ... }:
let
{
pkgs,
lib,
...
}: let
inherit (import <niveum/lib>) serveHtml;
remote = "https://cgit.lassul.us/stockholm";
in
{
in {
services.nginx.virtualHosts."redaktion.r".locations."/".extraConfig = serveHtml <niveum/lib/radio-news.html> pkgs;
systemd.services.stockholm-history = {

10
systems/makanek/radio.nix
View File

@@ -1,5 +1,9 @@
{ lib, pkgs, config, ... }:
let
{
lib,
pkgs,
config,
...
}: let
inherit (import <niveum/lib>) tmpfilesConfig;
liquidsoapDirectory = "/var/cache/liquidsoap";
icecastPassword = "hackme";
@@ -105,7 +109,6 @@ in {
})
];
services.icecast = {
enable = true;
hostname = "radio.kmein.de";
@@ -118,7 +121,6 @@ in {
'';
};
services.nginx.virtualHosts."radio.kmein.de" = {
enableACME = true;
forceSSL = true;

19
systems/makanek/retiolum-map.nix
View File

@@ -1,5 +1,9 @@
{ config, pkgs, lib, ... }:
let
{
config,
pkgs,
lib,
...
}: let
network = "retiolum";
stateDirectory = "retiolum-map";
@@ -8,11 +12,10 @@ let
geo-ip-database-path = "${config.services.geoipupdate.settings.DatabaseDirectory}/${geo-ip-database}";
tinc-graph = pkgs.callPackage <tinc-graph> {};
in
{
in {
systemd.services.retiolum-index = {
description = "Retiolum indexing service";
wants = [ "tinc.${network}.service" ];
wants = ["tinc.${network}.service"];
script = ''
${tinc-graph}/bin/tinc-graph --geoip-file ${geo-ip-database-path} --network ${network} \
| ${pkgs.coreutils}/bin/tee network.json \
@@ -23,7 +26,7 @@ in
cp ${tinc-graph}/static/graph.html graph.html
'';
startAt = "hourly";
path = [ pkgs.coreutils pkgs.jq pkgs.tinc_pre ];
path = [pkgs.coreutils pkgs.jq pkgs.tinc_pre];
serviceConfig = {
Type = "oneshot";
User = "root";
@@ -37,7 +40,7 @@ in
settings = {
AccountID = 608777;
LicenseKey = toString <system-secrets/maxmind/license.key>;
EditionIDs = [ "GeoLite2-City" ];
EditionIDs = ["GeoLite2-City"];
};
};
@@ -53,7 +56,7 @@ in
};
systemd.services.geoip-share = {
after = [ "geoipupdate.service" ];
after = ["geoipupdate.service"];
script = let
cyberlocker-tools = pkgs.callPackage <stockholm/krebs/5pkgs/simple/cyberlocker-tools> {};
in "${cyberlocker-tools}/bin/cput ${geo-ip-database} < ${geo-ip-database-path}";

73
systems/makanek/tarot.nix
View File

@@ -1,5 +1,9 @@
{ config, pkgs, lib, ... }:
let
{
config,
pkgs,
lib,
...
}: let
tarotPort = 7407;
tarotFiles = pkgs.fetchzip {
url = "https://c.krebsco.de/tarot.zip";
@@ -10,37 +14,38 @@ let
url = "http://c.krebsco.de/tarot.pdf";
sha256 = "1n2m53kjg2vj9dbr70b9jrsbqwdfrcb48l4wswn21549fi24g6dx";
};
in
{
imports = [ <stockholm/krebs/3modules/htgen.nix> ];
in {
imports = [<stockholm/krebs/3modules/htgen.nix>];
krebs.htgen.tarot = {
port = tarotPort;
user.name = "radio";
script = ''. ${pkgs.writers.writeDash "tarot" ''
case "$Method $Request_URI" in
"GET /")
if item=$(${pkgs.findutils}/bin/find ${toString tarotFiles} -type f | ${pkgs.coreutils}/bin/shuf -n1); then
card=$(mktemp --tmpdir tarot.XXX)
trap 'rm $card' EXIT
reverse=$(${pkgs.coreutils}/bin/shuf -i0-1 -n1)
if [ "$reverse" -eq 1 ]; then
${pkgs.imagemagick}/bin/convert -rotate 180 "$item" "$card"
else
${pkgs.coreutils}/bin/cp "$item" "$card"
fi
printf 'HTTP/1.1 200 OK\r\n'
printf 'Content-Type: %s\r\n' "$(${pkgs.file}/bin/file -ib "$card")"
printf 'Server: %s\r\n' "$Server"
printf 'Connection: close\r\n'
printf 'Content-Length: %d\r\n' $(${pkgs.coreutils}/bin/wc -c < "$card")
printf '\r\n'
cat "$card"
exit
fi
;;
esac
''}'';
script = ''. ${
pkgs.writers.writeDash "tarot" ''
case "$Method $Request_URI" in
"GET /")
if item=$(${pkgs.findutils}/bin/find ${toString tarotFiles} -type f | ${pkgs.coreutils}/bin/shuf -n1); then
card=$(mktemp --tmpdir tarot.XXX)
trap 'rm $card' EXIT
reverse=$(${pkgs.coreutils}/bin/shuf -i0-1 -n1)
if [ "$reverse" -eq 1 ]; then
${pkgs.imagemagick}/bin/convert -rotate 180 "$item" "$card"
else
${pkgs.coreutils}/bin/cp "$item" "$card"
fi
printf 'HTTP/1.1 200 OK\r\n'
printf 'Content-Type: %s\r\n' "$(${pkgs.file}/bin/file -ib "$card")"
printf 'Server: %s\r\n' "$Server"
printf 'Connection: close\r\n'
printf 'Content-Length: %d\r\n' $(${pkgs.coreutils}/bin/wc -c < "$card")
printf '\r\n'
cat "$card"
exit
fi
;;
esac
''
}'';
};
services.nginx.virtualHosts."tarot.kmein.de" = {
@@ -50,8 +55,14 @@ in
"/".proxyPass = "http://127.0.0.1:${toString tarotPort}";
"/files/" = {
root = pkgs.linkFarm "tarot" [
{ name = "files/key.pdf"; path = tarotKey; }
{ name = "files/cards"; path = tarotFiles; }
{
name = "files/key.pdf";
path = tarotKey;
}
{
name = "files/cards";
path = tarotFiles;
}
];
extraConfig = ''
autoindex on;

49
systems/makanek/urlwatch.nix
View File

@@ -1,5 +1,9 @@
{ pkgs, config, lib, ... }:
let
{
pkgs,
config,
lib,
...
}: let
inherit (import <niveum/lib>) kieran;
urlwatchDir = "/var/lib/urlwatch";
@@ -10,17 +14,17 @@ let
{
name = "Corona-Verordnung";
url = "https://www.berlin.de/corona/massnahmen/verordnung/";
filter = [ { css = "[role=main]"; } "html2text" "strip" ];
filter = [{css = "[role=main]";} "html2text" "strip"];
}
{
name = "HU Semester";
url = "https://agnes.hu-berlin.de/lupo/rds?state=change&type=6&moduleParameter=semesterSelect&nextdir=change&next=SearchSelect.vm&subdir=applications&targettype=7&targetstate=change&getglobal=semester";
filter = [ { css = "fieldset"; } "html2text" "strip" ];
filter = [{css = "fieldset";} "html2text" "strip"];
}
{
name = "Lammla 2021";
url = "http://lammla.info/index.php?reihe=30";
filter = [ "html2text" "strip" ];
filter = ["html2text" "strip"];
}
{
name = "Tatort";
@@ -38,77 +42,77 @@ let
{
name = "Kratylos";
url = "https://kratylos.reichert-online.org/current_issue/KRATYLOS";
filter = [ { element-by-id = "content"; } "html2text" "strip" ];
filter = [{element-by-id = "content";} "html2text" "strip"];
}
{
name = "Zeno Free E-Books";
url = "http://www.zeno.org/Lesesaal/M/E-Books";
filter = [ { element-by-class = "zenoCOMain"; } "html2text" "strip" ];
filter = [{element-by-class = "zenoCOMain";} "html2text" "strip"];
}
{
name = "Arnshaugk Neuerscheinungen";
url = "http://www.arnshaugk.de/index.php";
filter = [ "html2text" "strip" ];
filter = ["html2text" "strip"];
}
{
name = "Carolina Welslau";
url = "https://carolinawelslau.de/";
filter = [ { element-by-id = "main"; } "html2text" "strip" ];
filter = [{element-by-id = "main";} "html2text" "strip"];
}
{
name = "Lisa Littmann";
url = "https://lisalittmann.de/";
filter = [ { element-by-id = "main"; } "html2text" "strip" ];
filter = [{element-by-id = "main";} "html2text" "strip"];
}
{
name = "Lisa Littmann: Projects";
url = "https://lisalittmann.de/projects/";
filter = [ { element-by-id = "main"; } "html2text" "strip" ];
filter = [{element-by-id = "main";} "html2text" "strip"];
}
{
name = "Lisa Littmann: Archive";
url = "https://lisalittmann.de/archive/";
filter = [ { element-by-id = "main"; } "html2text" "strip" ];
filter = [{element-by-id = "main";} "html2text" "strip"];
}
{
name = "WarpGrid: Idiomarium";
url = "https://warpgrid.de/idiomarium/";
filter = [ { element-by-id = "site-content"; } "html2text" "strip" ];
filter = [{element-by-id = "site-content";} "html2text" "strip"];
}
{
name = "WarpGrid: Futurism";
url = "https://warpgrid.de/futurism/";
filter = [ { element-by-id = "site-content"; } "html2text" "strip" ];
filter = [{element-by-id = "site-content";} "html2text" "strip"];
}
{
name = "WarpGrid: Imagiary";
url = "https://warpgrid.de/imagiary/";
filter = [ { element-by-id = "site-content"; } "html2text" "strip" ];
filter = [{element-by-id = "site-content";} "html2text" "strip"];
}
{
name = "WarpGrid: Cook";
url = "https://warpgrid.de/alchemy/";
filter = [ { element-by-id = "site-content"; } "html2text" "strip" ];
filter = [{element-by-id = "site-content";} "html2text" "strip"];
}
{
name = "Indogermanische Forschungen";
url = "https://www.degruyter.com/journal/key/INDO/html";
filter = [ { element-by-id = "latestIssue"; } "html2text" "strip" ];
filter = [{element-by-id = "latestIssue";} "html2text" "strip"];
}
{
name = "IG Neuigkeiten";
url = "https://www.indogermanistik.org/aktuelles/neuigkeiten.html";
filter = [ { css = "[itemprop=articleBody]"; } "html2text" "strip" ];
filter = [{css = "[itemprop=articleBody]";} "html2text" "strip"];
}
{
name = "IG Tagungen";
url = "https://www.indogermanistik.org/tagungen/tagungen-der-ig.html";
filter = [ { css = "[itemprop=articleBody]"; } "html2text" "strip" ];
filter = [{css = "[itemprop=articleBody]";} "html2text" "strip"];
}
{
name = "Christian-Metz-Blamage";
url = "https://www.deutschlandfunk.de/meine-nacht-schlaeft-nicht-pflanze-mich-nicht-in-dein-herz.700.de.html?dram:article_id=486475";
filter = [ { element-by-class = "dlf-articledetail"; } "html2text" "strip" ];
filter = [{element-by-class = "dlf-articledetail";} "html2text" "strip"];
}
{
name = "fxght.or.flxght";
@@ -170,10 +174,9 @@ let
};
};
urlwatch = pkgs.urlwatch.overrideAttrs (attrs: {
patches = [ <niveum/packages/urlwatch-insecure.patch> ];
patches = [<niveum/packages/urlwatch-insecure.patch>];
});
in
{
in {
users.extraUsers.urlwatch = {
home = urlwatchDir;
createHome = true;

68
systems/makanek/weechat.nix
View File

@@ -1,25 +1,29 @@
{ lib, pkgs, ... }:
let
{
lib,
pkgs,
...
}: let
inherit (import <niveum/lib>) kieran;
relayPassword = lib.fileContents <system-secrets/weechat/relay>;
in {
systemd.services.weechat =
let
systemd.services.weechat = let
tmux = pkgs.writers.writeDash "tmux" ''
exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
set-option -g prefix `
unbind-key C-b
bind ` send-prefix
exec ${pkgs.tmux}/bin/tmux -f ${
pkgs.writeText "tmux.conf" ''
set-option -g prefix `
unbind-key C-b
bind ` send-prefix
set-option -g status off
set-option -g default-terminal screen-256color
set-option -g status off
set-option -g default-terminal screen-256color
#use session instead of windows
bind-key c new-session
bind-key p switch-client -p
bind-key n switch-client -n
bind-key C-s switch-client -l
''} "$@"
#use session instead of windows
bind-key c new-session
bind-key p switch-client -p
bind-key n switch-client -n
bind-key C-s switch-client -l
''
} "$@"
'';
weechat = pkgs.weechat-declarative.override {
config = {
@@ -28,7 +32,9 @@ in {
pkgs.weechatScripts.colorize_nicks
pkgs.weechatScripts.weechat-matrix
];
settings = let nick = "kmein"; in {
settings = let
nick = "kmein";
in {
weechat = {
look.mouse = true;
look.prefix_align_max = 15;
@@ -52,7 +58,7 @@ in {
address = "irc.hackint.org/6697";
ipv6 = true;
ssl = true;
autojoin = [ "#krebs" "#hsmr" "#nixos" "#the_playlist" "#flipdot-berlin" "#hackint" ];
autojoin = ["#krebs" "#hsmr" "#nixos" "#the_playlist" "#flipdot-berlin" "#hackint"];
sasl_mechanism = "plain";
sasl_username = nick;
sasl_password = lib.strings.fileContents <system-secrets/irc/hackint>;
@@ -61,7 +67,7 @@ in {
autoconnect = true;
address = "irc.libera.chat/6697";
ssl = true;
autojoin = [ "#flipdot" "#haskell" "#nixos" "#fysi" "#binaergewitter" "#neovim" "#lojban" "#vim" ];
autojoin = ["#flipdot" "#haskell" "#nixos" "#fysi" "#binaergewitter" "#neovim" "#lojban" "#vim"];
sasl_mechanism = "plain";
sasl_username = nick;
sasl_password = lib.strings.fileContents <system-secrets/irc/libera>;
@@ -75,12 +81,12 @@ in {
"/msg nickserv identify ${lib.strings.fileContents <system-secrets/irc/oftc>}"
"/msg nickserv set cloak on"
];
autojoin = [ "#home-manager" ];
autojoin = ["#home-manager"];
};
retiolum = {
autoconnect = true;
address = "irc.r";
autojoin = [ "#xxx" "#brockman" "#flix" "#autowifi" ];
autojoin = ["#xxx" "#brockman" "#flix" "#autowifi"];
command = lib.concatStringsSep "\\;" [
"/oper admin aidsballs"
"/msg nickserv always-on true"
@@ -94,7 +100,7 @@ in {
news = {
autoconnect = true;
address = "news.r";
autojoin = [ "#cook" "#drachengame" "#oepnv" "#kmeinung" "#memes" ];
autojoin = ["#cook" "#drachengame" "#oepnv" "#kmeinung" "#memes"];
command = "/oper aids balls";
};
};
@@ -134,7 +140,7 @@ in {
};
bots = {
buffer = "irc.retiolum.*";
tags = [ "nick_gitlab" ];
tags = ["nick_gitlab"];
regex = "*";
};
};
@@ -144,10 +150,10 @@ in {
};
in {
description = "Weechat bouncer";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
after = ["network.target"];
wantedBy = ["multi-user.target"];
restartIfChanged = true;
path = [ pkgs.alacritty.terminfo ];
path = [pkgs.alacritty.terminfo];
environment.WEECHAT_HOME = "/var/lib/weechat";
preStart = "${pkgs.coreutils}/bin/rm $WEECHAT_HOME/*.conf";
script = "${tmux} -2 new-session -d -s IM ${weechat}/bin/weechat";
@@ -163,13 +169,15 @@ in {
users.groups.weechat = {};
users.extraUsers.weechat = {
useDefaultShell = true;
openssh.authorizedKeys.keys = kieran.sshKeys pkgs ++ [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+KVDmYYH7mA8v81e9O3swXm3ZVYY9t4HP65ud61uXy weechat_android@heym"
];
openssh.authorizedKeys.keys =
kieran.sshKeys pkgs
++ [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC+KVDmYYH7mA8v81e9O3swXm3ZVYY9t4HP65ud61uXy weechat_android@heym"
];
createHome = true;
group = "weechat";
home = "/var/lib/weechat";
isSystemUser = true;
packages = [ pkgs.tmux ];
packages = [pkgs.tmux];
};
}

15
systems/manakish/configuration.nix
View File

@@ -1,9 +1,12 @@
{ config, pkgs, ... }:
let
inherit (import <niveum/lib>) retiolumAddresses;
in
{
imports = [ # Include the results of the hardware scan.
config,
pkgs,
...
}: let
inherit (import <niveum/lib>) retiolumAddresses;
in {
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./hdmi.nix
<niveum/configs/default.nix>
@@ -24,7 +27,7 @@ in
wlp3s0.useDHCP = true;
wwp0s20u4i6.useDHCP = true;
};
wireless.interfaces = [ "wlp3s0" ];
wireless.interfaces = ["wlp3s0"];
retiolum = retiolumAddresses.manakish;
hostName = "manakish";
};

17
systems/manakish/hardware-configuration.nix
View File

@@ -1,15 +1,20 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
config,
lib,
pkgs,
modulesPath,
...
}: {
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
availableKernelModules = ["xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci"];
kernelModules = [];
luks.devices."crypted".device = "/dev/disk/by-uuid/493cb228-c292-4f71-9f38-dcb3e96dec47";
};
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
kernelModules = ["kvm-intel"];
extraModulePackages = [];
loader.grub = {
enable = true;
version = 2;
@@ -30,7 +35,7 @@
};
};
swapDevices = [ ];
swapDevices = [];
zramSwap.enable = true;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

15
systems/manakish/hdmi.nix
View File

@@ -1,13 +1,12 @@
{ pkgs, ... }:
{
services.xserver.displayManager.sessionCommands =
let
{pkgs, ...}: {
services.xserver.displayManager.sessionCommands = let
intern = "LVDS-1";
extern = "HDMI-1";
pulseaudioCard = "alsa_card.pci-0000_00_1b.0";
pulseaudioProfile = "output:hdmi-stereo+input:analog-stereo";
in toString (pkgs.writers.writeDash "hdmi-on" ''
${pkgs.xorg.xrandr}/bin/xrandr --output ${intern} --primary --auto --output ${extern} --above ${intern} --auto
${pkgs.pulseaudio}/bin/pactl set-card-profile ${pulseaudioCard} ${pulseaudioProfile}
'');
in
toString (pkgs.writers.writeDash "hdmi-on" ''
${pkgs.xorg.xrandr}/bin/xrandr --output ${intern} --primary --auto --output ${extern} --above ${intern} --auto
${pkgs.pulseaudio}/bin/pactl set-card-profile ${pulseaudioCard} ${pulseaudioProfile}
'');
}

30
systems/zaatar/backup.nix
View File

@@ -1,17 +1,19 @@
{ pkgs, lib, ... }:
let
{
pkgs,
lib,
...
}: let
niveumLib = import <niveum/lib>;
inherit (niveumLib) retiolumAddresses restic;
firewall = niveumLib.firewall lib;
dataDir = "/backup/restic";
in
{
in {
services.restic.server = {
enable = true;
appendOnly = true;
inherit dataDir;
prometheus = true;
extraFlags = [ "--no-auth" ]; # auth is done via firewall
extraFlags = ["--no-auth"]; # auth is done via firewall
listenAddress = ":${toString restic.port}";
};
@@ -26,14 +28,22 @@ in
fsType = "ext4";
};
networking.firewall =
let
networking.firewall = let
dport = restic.port;
protocol = "tcp";
rules = [
(firewall.accept { inherit dport protocol; source = retiolumAddresses.kabsa.ipv4; })
(firewall.accept { inherit dport protocol; source = retiolumAddresses.manakish.ipv4; })
(firewall.accept { inherit dport protocol; source = retiolumAddresses.makanek.ipv4; })
(firewall.accept {
inherit dport protocol;
source = retiolumAddresses.kabsa.ipv4;
})
(firewall.accept {
inherit dport protocol;
source = retiolumAddresses.manakish.ipv4;
})
(firewall.accept {
inherit dport protocol;
source = retiolumAddresses.makanek.ipv4;
})
];
in {
extraCommands = firewall.addRules rules;

23
systems/zaatar/configuration.nix
View File

@@ -1,8 +1,11 @@
{ config, pkgs, lib, ... }:
let
inherit (import <niveum/lib>) retiolumAddresses restic;
in
{
config,
pkgs,
lib,
...
}: let
inherit (import <niveum/lib>) retiolumAddresses restic;
in {
imports = [
./backup.nix
./gaslight.nix
@@ -29,14 +32,17 @@ in
services.restic.backups.moodle-dl = {
initialize = true;
inherit (restic) repository;
timerConfig = { OnCalendar = "daily"; RandomizedDelaySec = "1h"; };
timerConfig = {
OnCalendar = "daily";
RandomizedDelaySec = "1h";
};
passwordFile = toString <secrets/restic/password>;
paths = [
"/var/lib/moodle-dl"
];
};
nix.nixPath = [ "/var/src" ];
nix.nixPath = ["/var/src"];
services.logind = {
lidSwitch = "ignore";
@@ -46,8 +52,7 @@ in
services.illum.enable = true;
environment.systemPackages =
let
environment.systemPackages = let
worldradio = pkgs.callPackage <niveum/packages/worldradio.nix> {};
in [
(pkgs.writers.writeDashBin "mpv" ''${pkgs.mpv}/bin/mpv --no-video "$@"'')
@@ -62,7 +67,7 @@ in
networking = {
hostName = "zaatar";
wireless.interfaces = [ "wlp2s0" ];
wireless.interfaces = ["wlp2s0"];
retiolum = retiolumAddresses.zaatar;
};

12
systems/zaatar/gaslight.nix
View File

@@ -1,5 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
environment.systemPackages = [
(pkgs.writers.writeDashBin "gaslight-stream" ''
${pkgs.ffmpeg}/bin/ffmpeg -r 14 -s 640x480 -f video4linux2 -i /dev/video0 -f alsa -i default -c:v libx264 -preset ultrafast -c:a aac -f avi -
@@ -16,10 +15,9 @@
'')
];
}
/*
ssh machine gaslight-stream | mpv -
ssh machine gaslight-say "blablabla"
*/
ssh machine gaslight-stream | mpv -
ssh machine gaslight-say "blablabla"
*/

16
systems/zaatar/hardware-configuration.nix
View File

@@ -1,11 +1,15 @@
{ config, lib, pkgs, ... }:
{
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
config,
lib,
pkgs,
...
}: {
imports = [<nixpkgs/nixos/modules/installer/scan/not-detected.nix>];
boot = {
initrd.availableKernelModules = [ "ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_acpi" "rtsx_usb_sdmmc" ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
initrd.availableKernelModules = ["ahci" "xhci_pci" "usb_storage" "sd_mod" "sdhci_acpi" "rtsx_usb_sdmmc"];
kernelModules = ["kvm-intel"];
extraModulePackages = [];
loader = {
systemd-boot = {
enable = true;
@@ -26,7 +30,7 @@
};
};
swapDevices = [{ device = "/dev/disk/by-label/swap"; }];
swapDevices = [{device = "/dev/disk/by-label/swap";}];
nix.maxJobs = lib.mkDefault 4;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

33
systems/zaatar/kiosk.nix
View File

@@ -1,25 +1,30 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}: {
users.extraUsers.kiosk = {
isNormalUser = true;
password = "";
extraGroups = [ "audio" ];
extraGroups = ["audio"];
};
services.cage = {
enable = true;
user = config.users.extraUsers.kiosk.name;
extraArguments = [ "-s" ]; # allow vt switching
program =
let startUrls = [ "https://youtube.com" "http://radio.kmein.r" ];
in pkgs.writers.writeDash "kiosk-browser" ''
while true; do
${pkgs.brave}/bin/brave \
--no-first-run --no-message-box --noerrdialogs \
--default-browser --no-default-browser-check \
--start-maximized ${lib.escapeShellArgs startUrls}
sleep 0.5
done
'';
extraArguments = ["-s"]; # allow vt switching
program = let
startUrls = ["https://youtube.com" "http://radio.kmein.r"];
in
pkgs.writers.writeDash "kiosk-browser" ''
while true; do
${pkgs.brave}/bin/brave \
--no-first-run --no-message-box --noerrdialogs \
--default-browser --no-default-browser-check \
--start-maximized ${lib.escapeShellArgs startUrls}
sleep 0.5
done
'';
};
systemd.services.cage-tty1.environment.XKB_DEFAULT_LAYOUT = "de";
programs.chromium = {

30
systems/zaatar/moodle-dl-meinhark.nix
View File

@@ -1,11 +1,16 @@
{ config, pkgs, lib, ... }:
let
moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old: old // {
patches = [ <niveum/packages/moodle-dl/telegram-format.patch> ];
});
in
{
imports = [ <niveum/modules/moodle-dl.nix> ];
config,
pkgs,
lib,
...
}: let
moodle-dl-package = pkgs.moodle-dl.overrideAttrs (old:
old
// {
patches = [<niveum/packages/moodle-dl/telegram-format.patch>];
});
in {
imports = [<niveum/modules/moodle-dl.nix>];
services.moodle-dl = {
enable = true;
@@ -77,15 +82,14 @@ in
fileSystems."/export/moodle" = {
device = config.services.moodle-dl.directory;
options = [ "bind" ];
options = ["bind"];
};
networking.firewall.allowedTCPPorts = [ 2049 ];
networking.firewall.allowedTCPPorts = [2049];
services.nginx.enable = true;
services.nginx.virtualHosts."moodle.kmein.r" =
let
services.nginx.virtualHosts."moodle.kmein.r" = let
identity = lib.strings.fileContents <secrets/eduroam/identity>;
password = lib.strings.fileContents <secrets/eduroam/password>;
in {
@@ -101,7 +105,9 @@ in
services.nfs.server = {
enable = true;
exports = let machines = with (import <niveum/lib>).retiolumAddresses; [kabsa manakish]; in ''
exports = let
machines = with (import <niveum/lib>).retiolumAddresses; [kabsa manakish];
in ''
/export ${lib.concatMapStringsSep " " (machine: "${machine.ipv4}(fsid=0)") machines}
/export/moodle ${lib.concatMapStringsSep " " (machine: "${machine.ipv4}(insecure,rw)") machines}
'';

4
systems/zaatar/pulseaudio.nix
View File

@@ -6,9 +6,9 @@
systemWide = true;
tcp = {
enable = true;
anonymousClients.allowedIpRanges = [ "127.0.0.1" "10.243.2.0/24" "192.168.0.0/16" ];
anonymousClients.allowedIpRanges = ["127.0.0.1" "10.243.2.0/24" "192.168.0.0/16"];
};
zeroconf.publish.enable = true;
};
networking.firewall.allowedTCPPorts = [ 4713 ];
networking.firewall.allowedTCPPorts = [4713];
}

6
systems/zaatar/spotifyd.nix
View File

@@ -1,5 +1,9 @@
{ config, pkgs, lib, ... }:
{
config,
pkgs,
lib,
...
}: {
services.spotifyd = {
enable = true;
settings = {

60
systems/zaatar/tuna.nix
View File

@@ -1,5 +1,9 @@
{ config, pkgs, lib, ... }:
let
{
config,
pkgs,
lib,
...
}: let
firewall = (import <niveum/lib>).firewall lib;
streams = import <niveum/lib/streams.nix> {
@@ -7,13 +11,14 @@ let
};
multi-room-audio-port = 8000;
password = lib.strings.fileContents <system-secrets/mpd-web.key>;
in
{
in {
imports = [
<niveum/modules/tuna.nix>
];
services.syncthing = let mpd-directory = config.services.mpd.dataDir; in {
services.syncthing = let
mpd-directory = config.services.mpd.dataDir;
in {
enable = true;
user = config.services.mpd.user; # config.users.extraUsers.moodle.name;
openDefaultPorts = true;
@@ -25,7 +30,7 @@ in
inherit ((import <niveum/lib>).syncthing.devices) kabsa manakish heym;
};
folders.${config.services.mpd.musicDirectory} = {
devices = [ "heym" "kabsa" "manakish" ];
devices = ["heym" "kabsa" "manakish"];
id = "music";
type = "receiveonly";
};
@@ -45,24 +50,29 @@ in
'';
};
environment.systemPackages = [ pkgs.mpc_cli ];
environment.systemPackages = [pkgs.mpc_cli];
networking.firewall =
let
networking.firewall = let
dport = config.services.mpd.network.port;
protocol = "tcp";
rules = [
(firewall.accept { inherit dport protocol; source = "192.168.0.0/16"; })
(firewall.accept { inherit dport protocol; source = "127.0.0.0/8"; })
(firewall.accept {
inherit dport protocol;
source = "192.168.0.0/16";
})
(firewall.accept {
inherit dport protocol;
source = "127.0.0.0/8";
})
];
in {
allowedTCPPorts = [ 80 ];
allowedTCPPorts = [80];
extraCommands = firewall.addRules rules;
extraStopCommands = firewall.removeRules rules;
};
system.activationScripts.mpd-playlists =
let playlistFile = pkgs.writeText "radio.m3u" (lib.concatMapStringsSep "\n" (lib.getAttr "stream") streams);
system.activationScripts.mpd-playlists = let
playlistFile = pkgs.writeText "radio.m3u" (lib.concatMapStringsSep "\n" (lib.getAttr "stream") streams);
in ''
rm -rf /var/lib/mpd/playlists
install -d /var/lib/mpd/playlists
@@ -72,17 +82,28 @@ in
services.tuna = {
enable = true;
# stationsFile = "/etc/tuna/stations.json";
stations = lib.lists.imap0 (id: {desc ? "", logo ? "https://picsum.photos/seed/${builtins.hashString "md5" stream}/300", stream, station}: { inherit id desc logo stream station; }) streams;
stations = lib.lists.imap0 (id: {
desc ? "",
logo ? "https://picsum.photos/seed/${builtins.hashString "md5" stream}/300",
stream,
station,
}: {inherit id desc logo stream station;})
streams;
webPort = 8080;
};
systemd.services.tuna-stations =
let
stations = lib.lists.imap0 (id: {desc ? "", logo ? "https://picsum.photos/seed/${builtins.hashString "md5" stream}/300", stream, station}: { inherit id desc logo stream station; }) streams;
systemd.services.tuna-stations = let
stations = lib.lists.imap0 (id: {
desc ? "",
logo ? "https://picsum.photos/seed/${builtins.hashString "md5" stream}/300",
stream,
station,
}: {inherit id desc logo stream station;})
streams;
stationsJson = (pkgs.formats.json {}).generate "stations.json" stations;
in {
enable = false;
wantedBy = [ "tuna.service" ];
wantedBy = ["tuna.service"];
startAt = "hourly";
script = ''
mkdir -p /etc/tuna
@@ -95,7 +116,6 @@ in
'';
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;