wip: add specus VPN

2026-03-31 01:31:13 +02:00 · 2023-04-14 08:43:23 +02:00
17 changed files with 208 additions and 126 deletions
--- a/configs/khal.nix
+++ b/configs/khal.nix
@@ -112,10 +112,6 @@ in {
        path = ${davHome}/calendar/personal
        color = "light cyan"

-        [[krebs]]
-        path = ${davHome}/calendar/krebs
-        color = "light red"
-
        [[uni]]
        path = ${davHome}/calendar/uni-1
        color = "yellow"
@@ -166,12 +162,6 @@ in {
        collections = ["personal", "alew", "uni-1"]
        conflict_resolution = "b wins"

-        [pair krebs]
-        a = "kalender_local"
-        b = "krebs_cloud"
-        collections = ["3edef929-d509-7944-2440-000a54f2d054"]
-        conflict_resolution = "b wins"
-
        [pair fysi]
        a = "kalender_local"
        b = "fysi_cloud"
@@ -200,12 +190,6 @@ in {
        username = "${kmeinCloud.username}"
        password.fetch = ["command", "cat", "${kmeinCloud.passwordFile}"]

-        [storage krebs_cloud]
-        type = "caldav"
-        url = "http://calendar.r/krebs/"
-        username = "krebs"
-        password = "krebs"
-
        [storage fysi_cloud]
        type = "caldav"
        url = "${fysiCloud.davEndpoint}/calendars/${fysiCloud.username}/"
--- a/configs/stardict.nix
+++ b/configs/stardict.nix
@@ -161,11 +161,11 @@
    turkish = {
      BabylonTurkishEnglish = pkgs.fetchzip {
        url = "http://download.huzheng.org/babylon/bidirectional/stardict-babylon-Babylon_Turkish_English-2.4.2.tar.bz2";
-        sha256 = "1zpzgk3w0536gww31bj58cmn3imnkndyjwbcr7bay8ibq2kzv44z";
+        sha256 = "17rv46r95nkikg7aszqmfrbgdhz9ny52w423m8n01g3p93shdb4i";
      };
      BabylonEnglishTurkish = pkgs.fetchzip {
        url = "http://download.huzheng.org/babylon/bidirectional/stardict-babylon-Babylon_English_Turkish-2.4.2.tar.bz2";
-        sha256 = "0myx31xzb7nrn5m657h0bwdgm5xp93ccwp6lcpbxgjxdjm3q0hc5";
+        sha256 = "063dl02s8ii8snsxgma8wi49xwr6afk6ysq0v986fygx5511353f";
      };
    };
  };
--- a/flake.lock
+++ b/flake.lock
@@ -8,11 +8,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1682101079,
-        "narHash": "sha256-MdAhtjrLKnk2uiqun1FWABbKpLH090oeqCSiWemtuck=",
+        "lastModified": 1680281360,
+        "narHash": "sha256-XdLTgAzjJNDhAG2V+++0bHpSzfvArvr2pW6omiFfEJk=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "2994d002dcff5353ca1ac48ec584c7f6589fe447",
+        "rev": "e64961977f60388dd0b49572bb0fc453b871f896",
        "type": "github"
      },
      "original": {
@@ -363,11 +363,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1682173319,
-        "narHash": "sha256-tPhOpJJ+wrWIusvGgIB2+x6ILfDkEgQMX0BTtM5vd/4=",
+        "lastModified": 1681269223,
+        "narHash": "sha256-i6OeI2f7qGvmLfD07l1Az5iBL+bFeP0RHixisWtpUGo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "ee7ec1c71adc47d2e3c2d5eb0d6b8fbbd42a8d1c",
+        "rev": "87edbd74246ccdfa64503f334ed86fa04010bab9",
        "type": "github"
      },
      "original": {
@@ -458,11 +458,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1682309301,
-        "narHash": "sha256-5E7nk7Bzzr8G/OjXFMkTZKQfN7S9sImaycm9dfhT0CE=",
+        "lastModified": 1681454031,
+        "narHash": "sha256-JOamj7vKkFRp5mJ7FKt5dPfCmWj33sZLnBGDt15c/sc=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "c051709889ce5c4b69bf6432d064b4862cd8f2b7",
+        "rev": "8a35714f0be00235e2a1c8b759e6dc3888763d8b",
        "type": "github"
      },
      "original": {
@@ -493,11 +493,11 @@
    },
    "retiolum": {
      "locked": {
-        "lastModified": 1682243210,
-        "narHash": "sha256-k5i9R0qpfSp3xX0vxtup+9ZHm5UVy0u8FAk6H0N9Hp4=",
+        "lastModified": 1681246809,
+        "narHash": "sha256-3RUAwk0ApPjq2Ms8KiAh+gG6EJKWurIur612w2m3Zu8=",
        "ref": "refs/heads/master",
-        "rev": "853738dda1ba91891a45b979a2af43dc04fe6645",
-        "revCount": 303,
+        "rev": "c8ddb36f3d85be762aeb1893a79da36014f55658",
+        "revCount": 296,
        "type": "git",
        "url": "https://git.thalheim.io/Mic92/retiolum"
      },
@@ -724,11 +724,11 @@
    "voidrice": {
      "flake": false,
      "locked": {
-        "lastModified": 1681996877,
-        "narHash": "sha256-wwh5ygv3VNI8HqbbAAO351EmWMMQIYvgzqX8Wc2Pu7M=",
+        "lastModified": 1681301489,
+        "narHash": "sha256-5Zz33Q3E4A9nsEmxPQikYeX7Rvu3hM+PlXx/0SIqG34=",
        "owner": "Lukesmithxyz",
        "repo": "voidrice",
-        "rev": "77fd62b9f315644be161c8a15287963552af99bd",
+        "rev": "d4ff2ebaf3e88efe20cae0d1e592fddfc433c96e",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -40,24 +40,7 @@
    ...
  }:
    {
-      apps =
-        nixinate.nixinate.x86_64-linux self
-        // {
-          x86_64-linux.deploy = let
-            pkgs = nixpkgs.legacyPackages.x86_64-linux;
-          in {
-            type = "app";
-            program = toString (pkgs.writers.writeDash "deploy" ''
-              if [ $# -eq 0 ]
-              then
-                systems='${toString (builtins.attrNames self.nixosConfigurations)}'
-              else
-                systems=$*
-              fi
-              ${pkgs.parallel}/bin/parallel --line-buffer --tagstring '{}' 'nix run .\?submodules=1\#apps.nixinate.{}' ::: $systems
-            '');
-          };
-        };
+      apps = nixinate.nixinate.x86_64-linux self;

      nixosModules = {
        htgen = import modules/htgen.nix;
@@ -66,6 +49,7 @@
        passport = import modules/passport.nix;
        panoptikon = import modules/panoptikon.nix;
        power-action = import modules/power-action.nix;
+        specus = import modules/specus.nix;
        system-dependent = import modules/system-dependent.nix;
        telegram-bot = import modules/telegram-bot.nix;
        traadfri = import modules/traadfri.nix;
@@ -96,6 +80,7 @@
            systems/ful/configuration.nix
            agenix.nixosModules.default
            inputs.self.nixosModules.passport
+            inputs.self.nixosModules.specus
            inputs.self.nixosModules.panoptikon
            retiolum.nixosModules.retiolum
            nur.nixosModules.nur
@@ -144,6 +129,7 @@
            inputs.self.nixosModules.telegram-bot
            inputs.self.nixosModules.htgen
            inputs.self.nixosModules.passport
+            inputs.self.nixosModules.specus
            agenix.nixosModules.default
            retiolum.nixosModules.retiolum
            nur.nixosModules.nur
@@ -207,6 +193,7 @@
            systems/kabsa/configuration.nix
            agenix.nixosModules.default
            retiolum.nixosModules.retiolum
+            inputs.self.nixosModules.specus
            home-manager.nixosModules.home-manager
            nur.nixosModules.nur
          ];
--- a/lib/colours/owickstrom-dark.nix
+++ b/lib/colours/owickstrom-dark.nix
@@ -1,38 +1,37 @@
-{
-  # all dark colours are 20% darker than the bright ones
+rec {
  black = {
-    bright = "#4c5363"; # "#282c34";
-    dark = "#20232a";
+    bright = "#282c34";
+    dark = "#282c34";
  };
  red = {
-    bright = "#e68990"; #"#e06c75";
-    dark = "#d43541";
+    bright = "#e06c75";
+    dark = "#e06c75";
  };
  green = {
-    bright = "#acce93"; #"#98c379";
-    dark = "#77af4e";
+    bright = "#98c379";
+    dark = "#98c379";
  };
  yellow = {
-    bright = "#eacc95"; #"#e5c07b";
-    dark = "#d9a440";
+    bright = "#e5c07b";
+    dark = "#e5c07b";
  };
  blue = {
-    bright = "#80bff2"; #"#61afef";
-    dark = "#2490e9";
+    bright = "#61afef";
+    dark = "#61afef";
  };
  magenta = {
-    bright = "#d193e3"; #"#c678dd";
-    dark = "#af42cf";
+    bright = "#c678dd";
+    dark = "#c678dd";
  };
  cyan = {
-    bright = "#77c4ce"; #"#56b6c2";
-    dark = "#3b99a5";
+    bright = "#56b6c2";
+    dark = "#56b6c2";
  };
  white = {
-    bright = "#e3e5e9"; #"#dcdfe4";
-    dark = "#a9b1bd";
+    bright = "#dcdfe4";
+    dark = "#dcdfe4";
  };
-  background = "#282c34"; #black.dark;
-  foreground = "#dcdfe4"; #white.bright;
+  background = black.dark;
+  foreground = white.bright;
  cursor = "#a3b3cc";
 }
--- a/lib/colours/owickstrom-light.nix
+++ b/lib/colours/owickstrom-light.nix
@@ -29,9 +29,9 @@ rec {
  };
  white = {
    bright = "#8c00ec";
-    dark = "#bfbfbf";
+    dark = "#efefef";
  };
-  background = "#efefef";
+  background = white.dark;
  foreground = "#181818";
-  cursor = "#a3b3cc";
+  cursor = "#bbbbbb";
 }
--- a/modules/specus.nix
+++ b/modules/specus.nix
@@ -0,0 +1,96 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  specusMachines = {
+    servers = {
+      makanek = {
+        ipv4 = "10.100.0.1";
+        publicKey = "KhcScd4fBpdhQzK8Vc+1mEHQMQBpbKBUPB4oZ7skeSk=";
+      };
+      ful = {
+        ipv4 = "10.100.0.2";
+        publicKey = "0Y7+zoXkWJGVOWWnMjvYjtwP+WpggAlmkRbgMw0z8Dk=";
+      };
+    };
+    clients = {
+      kabsa = {
+        ipv4 = "10.100.0.101";
+        publicKey = "nRkzoRi9crKHF7263U37lt4GGL7/8637NBSKjifI9hY=";
+      };
+    };
+  };
+in {
+  options.services.specus = {
+    server = {
+      enable = lib.mkEnableOption "Specus private VPN (server)";
+    };
+    client = {
+      enable = lib.mkEnableOption "Specus private VPN (client)";
+    };
+    privateKeyFile = lib.mkOption {
+      type = lib.types.path;
+      description = "Private key file of the server/client machine";
+    };
+  };
+
+  config = let
+    cfg = config.services.specus;
+    specusPort = 22;
+  in
+    {
+      assertions = [
+        {
+          assertion =
+            !(cfg.server.enable && cfg.client.enable);
+          message = "specus: systems cannot be client and server at the same time";
+        }
+      ];
+    }
+    // lib.mkIf cfg.server.enable {
+      networking.nat = {
+        enable = true;
+        externalInterface = "eth0"; # TODO
+        internalInterfaces = ["specus"];
+      };
+      networking.firewall.allowedUDPPorts = [specusPort];
+      networking.wireguard.interfaces.specus = {
+        ips = ["${specusMachines.servers.${config.networking.hostName}.ipv4}/24"];
+        # For this to work you have to set the dnsserver IP of your router (or dnsserver of choice) in your clients
+        postSetup = ''
+          ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+        postShutdown = ''
+          ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
+        '';
+        listenPort = specusPort;
+        privateKeyFile = cfg.privateKeyFile;
+        peers =
+          lib.mapAttrsToList (clientName: clientConfig: {
+            publicKey = clientConfig.publicKey;
+            allowedIPs = ["${clientConfig.ipv4}/32"];
+          })
+          specusMachines.clients;
+      };
+    }
+    // lib.mkIf cfg.client.enable {
+      networking.firewall.allowedUDPPorts = [specusPort];
+      networking.wireguard.interfaces = lib.attrsets.mapAttrs' (serverName: serverConfig:
+        lib.nameValuePair "specus-${serverName}" {
+          ips = ["${specusMachines.clients.${config.networking.hostName}.ipv4}/24"];
+          listenPort = specusPort;
+          privateKeyFile = cfg.privateKeyFile;
+          peers = [
+            {
+              allowedIPs = ["0.0.0.0/0"];
+              endpoint = "${(import ../lib/external-network.nix).${serverName}}:${toString specusPort}";
+              persistentKeepalive = 25;
+              publicKey = serverConfig.publicKey;
+            }
+          ];
+        })
+      specusMachines.servers;
+    };
+}
--- a/packages/itl.nix
+++ b/packages/itl.nix
@@ -0,0 +1,23 @@
+{ stdenv, fetchFromGitHub, cmake, lib }:
+stdenv.mkDerivation rec {
+  pname = "itl";
+  version = "0.8.0";
+  src = fetchFromGitHub {
+    owner = "arabeyes-org";
+    repo = "ITL";
+    rev = "v${version}";
+    sha256 = "sha256-GTicTbZmFbPhzInFob3cfvtTxOpUZuqsQz1w9CoWu9w=";
+  };
+  nativeBuildInputs = [cmake];
+  cmakeFlags = [
+    "-DCMAKE_INSTALL_PREFIX=${placeholder "out"}"
+    "-DCMAKE_INSTALL_LIBDIR=lib"
+  ];
+  meta = {
+    homepage = "https://www.arabeyes.org/ITL";
+    description = "Islamic Tools and Libraries";
+    license = lib.licenses.lgpl2;
+    platforms = lib.platforms.all;
+    maintainer = [lib.maintainers.kmein];
+  };
+}
--- a/packages/itools.nix
+++ b/packages/itools.nix
@@ -0,0 +1,21 @@
+{ stdenv, fetchFromGitHub, itl, lib, autoreconfHook }:
+stdenv.mkDerivation rec {
+  pname = "itools";
+  version = "1.0";
+  src = fetchFromGitHub {
+    owner = "arabeyes-org";
+    repo = "itools";
+    rev = version;
+    sha256 = "sha256-g9bsjupC4Sb5ywAgUNbjYLbHZ/i994lbNSnX2JyaP3g=";
+  };
+  preAutoreconf = "autoupdate";
+  nativeBuildInputs = [autoreconfHook];
+  buildInputs = [itl];
+  meta = {
+    homepage = "https://www.arabeyes.org/ITL";
+    description = "The itools package is a set of user friendly applications utilizing Arabeyes' ITL library. ";
+    license = lib.licenses.gpl2;
+    platforms = lib.platforms.all;
+    maintainer = [lib.maintainers.kmein];
+  };
+}
--- a/2
+++ b/2
--- a/systems/ful/configuration.nix
+++ b/systems/ful/configuration.nix
@@ -49,6 +49,12 @@ in {
    };
    root.file = ../../secrets/ful-root.age;
    restic.file = ../../secrets/restic.age;
+    specus.file = ../../secrets/ful-specus-privateKey.age;
+  };
+
+  services.specus = {
+    privateKeyFile = config.age.secrets.specus.path;
+    server.enable = true;
  };

  services.restic.backups.niveum = {
--- a/systems/ful/panoptikon.nix
+++ b/systems/ful/panoptikon.nix
@@ -24,14 +24,7 @@ in {
    enable = true;
    watchers = {
      "github-meta" = {
-        script = panoptikon.urlJSON {
-          jqScript = ''
-            {
-              ssh_key_fingerprints: .ssh_key_fingerprints,
-              ssh_keys: .ssh_keys
-            }
-          '';
-        } "https://api.github.com/meta";
+        script = panoptikon.urlJSON {} "https://api.github.com/meta";
        reporters = [irc-xxx];
      };
      lammla = {
--- a/systems/kabsa/configuration.nix
+++ b/systems/kabsa/configuration.nix
@@ -40,10 +40,16 @@ in {
    restic.file = ../../secrets/restic.age;
    syncthing-cert.file = ../../secrets/kabsa-syncthing-cert.age;
    syncthing-key.file = ../../secrets/kabsa-syncthing-key.age;
+    specus.file = ../../secrets/kabsa-specus-privateKey.age;
  };

  environment.systemPackages = [pkgs.minecraft pkgs.zeroad];

+  services.specus = {
+    privateKeyFile = config.age.secrets.specus.path;
+    client.enable = false;
+  };
+
  networking = {
    hostName = "kabsa";
    wireless.interfaces = ["wlp3s0"];
--- a/systems/makanek/configuration.nix
+++ b/systems/makanek/configuration.nix
@@ -16,7 +16,6 @@ in {
    ./names.nix
    ./nextcloud.nix
    ./radio-news.nix
-    ./onlyoffice.nix
    ./retiolum-map.nix
    ./tarot.nix
    ./tt-rss.nix
@@ -96,6 +95,12 @@ in {
      group = "tinc.retiolum";
    };
    restic.file = ../../secrets/restic.age;
+    specus.file = ../../secrets/makanek-specus-privateKey.age;
+  };
+
+  services.specus = {
+    privateKeyFile = config.age.secrets.specus.path;
+    server.enable = true;
  };

  system.stateVersion = "20.03";
--- a/systems/makanek/monitoring/default.nix
+++ b/systems/makanek/monitoring/default.nix
@@ -223,7 +223,8 @@ in {
          email_configs = let
            inherit (import ../../../lib) kieran;
            inherit (import ../../../lib/email.nix {inherit lib;}) cock;
-            cockConfig = {
+          in [
+            {
              send_resolved = true;
              to = kieran.email;
              from = cock.user;
@@ -231,8 +232,7 @@ in {
              auth_username = cock.user;
              auth_identity = cock.user;
              auth_password = "$EMAIL_PASSWORD";
-            };
-          in [
+            }
          ];
        }
      ];
--- a/systems/makanek/onlyoffice.nix
+++ b/systems/makanek/onlyoffice.nix
@@ -1,29 +0,0 @@
-{
-  pkgs,
-  config,
-  ...
-}: {
-  services.onlyoffice = {
-    enable = true;
-    port = 8111;
-    hostname = "onlyoffice.kmein.de";
-    jwtSecretFile = config.age.secrets.onlyoffice-key.path;
-  };
-
-  age.secrets.onlyoffice-key = {
-    file = ../../secrets/onlyoffice-jwt-key.age;
-    owner = "onlyoffice";
-  };
-
-  # otherwise this leads to nginx
-  # open() "/var/lib/onlyoffice/documentserver/App_Data/cache/files/data/conv_check_1138411943_docx/output.docx" failed (13: Permission denied)
-  # and mysterious 403 errors
-  system.activationScripts.onlyoffice-readable.text = ''
-    chmod a+x /var/lib/onlyoffice/documentserver/
-  '';
-
-  services.nginx.virtualHosts.${config.services.onlyoffice.hostname} = {
-    enableACME = true;
-    forceSSL = true;
-  };
-}
--- a/systems/zaatar/moodle-dl-meinhark.nix
+++ b/systems/zaatar/moodle-dl-meinhark.nix
@@ -95,15 +95,6 @@ in {
        # WS 2022
        115414 # Nonnos
        116108 # Dialektologie
-
-        # SS 2023
-        117967 # Archaische Lyrik
-        119658 # Dyskolos
-        118963 # Antike Biographie
-        92668 # Taa
-        120671 # Jiddisch
-        120720 # Sorbisch
-        118076 # X-Tutorial
      ];
      download_submissions = true;
      download_descriptions = true;