diff options
Diffstat (limited to 'users/sterni/machines')
20 files changed, 1148 insertions, 0 deletions
diff --git a/users/sterni/machines/.skip-subtree b/users/sterni/machines/.skip-subtree new file mode 100644 index 0000000000..a79762853e --- /dev/null +++ b/users/sterni/machines/.skip-subtree @@ -0,0 +1 @@ +Subdirectories are manually reexposed by default.nix as the contain NixOS modules diff --git a/users/sterni/machines/default.nix b/users/sterni/machines/default.nix new file mode 100644 index 0000000000..291d9756c7 --- /dev/null +++ b/users/sterni/machines/default.nix @@ -0,0 +1,81 @@ +{ depot, lib, pkgs, ... }: + +let + bins = depot.nix.getBins pkgs.nq [ "fq" "nq" ]; + + machines = lib.mapAttrs + (name: _: + depot.ops.nixos.nixosFor (import (./. + ("/" + name))) + ) + (lib.filterAttrs (_: type: type == "directory") (builtins.readDir ./.)); + + # TODO(sterni): share code with rebuild-system + localDeployScriptFor = { system, config, ... }: + pkgs.writeShellScript "local-deploy-${system.name}" '' + set -eu + if [[ "$(hostname)" != "${config.networking.hostName}" ]]; then + echo "$0: unexpected hostname: $(hostname). Are you deploying on the right machine?" + exit 1 + fi + nix-env -p /nix/var/nix/profiles/system --set "${system}" + "${system}/bin/switch-to-configuration" switch + ''; + + # Builds the system on the remote machine + deployScriptFor = { system, ... }@machine: + pkgs.writeShellScript "remote-deploy-${system.name}" '' + set -eu + + if [ $# != 1 ]; then + printf 'usage: %s [USER@]HOST' "$0" + exit 100 + fi + + readonly TARGET_HOST="$1" + readonly DEPLOY_DRV="${ + builtins.unsafeDiscardOutputDependency ( + # Wrapper script around localDeployScriptFor that merely starts the + # local deploy script using and nq and then waits using fq. This means + # we can't Ctrl-C the deploy and it won't be terminated by a lost + # connection. + pkgs.writeShellScript "queue-deploy-${system.name}" '' + readonly STATE_DIR="''${XDG_STATE_HOME:-$HOME/.local/state}/sterni-deploy" + mkdir -p "$STATE_DIR" + + export NQDIR="$STATE_DIR" + + "${bins.nq}" "${localDeployScriptFor machine}" + "${bins.fq}" + '' + ).drvPath + }" + + nix-copy-closure -s --gzip --to "$TARGET_HOST" "$DEPLOY_DRV" + + readonly DEPLOY_OUT="$(ssh "$TARGET_HOST" "nix-store -r '$DEPLOY_DRV'")" + + ssh "$TARGET_HOST" "$DEPLOY_OUT" + ''; + +in + +depot.nix.readTree.drvTargets ( + # this somehow becomes necessarily ugly with nixpkgs-fmt + machines // { inherit deployScriptFor; } // + + lib.mapAttrs' + (name: _: { + name = "${name}System"; + value = machines.${name}.system; + }) + machines + + // + + lib.mapAttrs' + (name: _: { + name = "${name}Deploy"; + value = deployScriptFor machines.${name}; + }) + machines +) diff --git a/users/sterni/machines/edwin/default.nix b/users/sterni/machines/edwin/default.nix new file mode 100644 index 0000000000..68f20787a9 --- /dev/null +++ b/users/sterni/machines/edwin/default.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, depot, ... }: + +{ + imports = [ + # Third party modules we use + "${depot.third_party.agenix.src}/modules/age.nix" + # Basic settings + ../../modules/common.nix + # These modules touch things related to booting (filesystems, initrd network…) + ./hardware.nix + ./network.nix + # These modules configure services, websites etc. + (depot.path.origSrc + "/ops/modules/btrfs-auto-scrub.nix") + ]; + + config = { + system.stateVersion = "20.09"; + }; +} diff --git a/users/sterni/machines/edwin/hardware.nix b/users/sterni/machines/edwin/hardware.nix new file mode 100644 index 0000000000..0e33de753a --- /dev/null +++ b/users/sterni/machines/edwin/hardware.nix @@ -0,0 +1,63 @@ +{ config, lib, pkgs, depot, ... }: + +{ + config = { + boot = { + loader.grub = { + enable = true; + # TODO(sterni): use /dev/disk/by-id ? + devices = [ + "/dev/sda" + "/dev/sdb" + ]; + }; + + kernelModules = [ + "kvm-intel" + ]; + + initrd.availableKernelModules = [ + "ahci" + "sd_mod" + "btrfs" + "realtek" + "r8169" + ]; + }; + + boot.initrd.luks.devices = { + "crypt1".device = "/dev/disk/by-uuid/02ac34ee-be10-401b-90c2-1c6aa54c4d5f"; + "crypt2".device = "/dev/disk/by-uuid/7ce07191-e704-4aed-a60f-dfa3ce386b26"; + "crypt-swap1".device = "/dev/disk/by-uuid/fec7155c-6a65-4f25-b271-43763e4c31eb"; + "crypt-swap2".device = "/dev/disk/by-uuid/7b0a03fc-51de-4578-9811-94b00df09d88"; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-label/root"; + fsType = "btrfs"; + }; + + "/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "btrfs"; + }; + }; + + swapDevices = [ + { device = "/dev/disk/by-label/swap1"; } + { device = "/dev/disk/by-label/swap2"; } + ]; + + powerManagement.cpuFreqGovernor = "performance"; + hardware = { + enableRedistributableFirmware = true; + cpu.intel.updateMicrocode = true; + }; + + nix.settings = { + max-jobs = 2; + cores = 4; + }; + }; +} diff --git a/users/sterni/machines/edwin/network.nix b/users/sterni/machines/edwin/network.nix new file mode 100644 index 0000000000..1e3d4e76f0 --- /dev/null +++ b/users/sterni/machines/edwin/network.nix @@ -0,0 +1,62 @@ +{ config, pkgs, lib, depot, ... }: + +let + ipv6 = "2a01:4f8:151:54d0::/64"; + + ipv4 = "176.9.107.207"; + gatewayv4 = "176.9.107.193"; + netmaskv4 = "255.255.255.224"; +in + +{ + config = { + boot = { + kernelParams = [ + "ip=${ipv4}::${gatewayv4}:${netmaskv4}::eth0:none" + ]; + + initrd.network = { + enable = true; + ssh = { + enable = true; + authorizedKeys = depot.users.sterni.keys.all; + hostKeys = [ + "/etc/nixos/unlock_rsa_key_openssh" + "/etc/nixos/unlock_ed25519_key_openssh" + ]; + }; + postCommands = '' + echo 'cryptsetup-askpass' >> /root/.profile + ''; + }; + }; + + networking = { + usePredictableInterfaceNames = false; + useDHCP = false; + interfaces."eth0".useDHCP = false; + + hostName = "edwin"; + + firewall = { + enable = true; + allowPing = true; + allowedTCPPorts = [ 22 80 443 ]; + }; + }; + + systemd.network = { + enable = true; + networks."eth0".extraConfig = '' + [Match] + Name = eth0 + + [Network] + Address = ${ipv6} + Gateway = fe80::1 + Address = ${ipv4}/27 + Gateway = ${gatewayv4} + ''; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/default.nix b/users/sterni/machines/ingeborg/default.nix new file mode 100644 index 0000000000..2d026ae05b --- /dev/null +++ b/users/sterni/machines/ingeborg/default.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, depot, ... }: + +{ + imports = [ + # Third party modules + "${depot.third_party.agenix.src}/modules/age.nix" + # Basic settings + ../../modules/common.nix + # These modules touch things related to booting (filesystems, initrd network…) + ./hardware.nix + ./network.nix + # (More or less) pluggable service configuration + (depot.path.origSrc + "/ops/modules/btrfs-auto-scrub.nix") + ./monitoring.nix + ./minecraft.nix + ./http/sterni.lv.nix + ./http/code.sterni.lv.nix + ./http/flipdot.openlab-augsburg.de.nix + ./tv.nix + ./quassel.nix + + # Inactive: + # ./http/likely-music.sterni.lv.nix + # ./gopher.nix + + # TODO(sterni): fail2ban + # TODO(sterni): automatic backups for full recovery + ]; + + config = { + system.stateVersion = "24.05"; + }; +} diff --git a/users/sterni/machines/ingeborg/gopher.nix b/users/sterni/machines/ingeborg/gopher.nix new file mode 100644 index 0000000000..57275e13a5 --- /dev/null +++ b/users/sterni/machines/ingeborg/gopher.nix @@ -0,0 +1,19 @@ +{ depot, ... }: + +{ + config = { + services.spacecookie = { + enable = true; + openFirewall = true; + settings = { + hostname = "sterni.lv"; + root = depot.users.sterni.lv.gopher; + log = { + enable = true; + hide-ips = true; + hide-time = true; + }; + }; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/hardware.nix b/users/sterni/machines/ingeborg/hardware.nix new file mode 100644 index 0000000000..982598131e --- /dev/null +++ b/users/sterni/machines/ingeborg/hardware.nix @@ -0,0 +1,76 @@ +{ config, lib, pkgs, depot, ... }: + +{ + # Booting / Kernel + boot = { + loader.grub = { + enable = true; + devices = [ + "/dev/disk/by-id/wwn-0x5000c500a4859731" + "/dev/disk/by-id/wwn-0x5000c500a485c1b5" + ]; + }; + + initrd = { + availableKernelModules = [ + "ahci" + "btrfs" + "sd_mod" + "xhci_pci" + "e1000e" + ]; + kernelModules = [ + "dm-snapshot" + ]; + }; + + swraid = { + enable = true; + mdadmConf = '' + ARRAY /dev/md/boot-raid metadata=1.2 name=nixos:boot-raid UUID=13007b9d:ab7a1129:c45ec40f:3c9f2111 + ARRAY /dev/md/encrypted-container-raid metadata=1.2 name=nixos:encrypted-container-raid UUID=38dfa683:a6d30690:32a5de6f:fb7980fe + ''; + }; + + kernelModules = [ + "kvm-intel" + ]; + }; + + # Filesystems + services.lvm.enable = true; + + boot.initrd.luks.devices."container" = { + device = "/dev/md/encrypted-container-raid"; + preLVM = true; + }; + + fileSystems = { + "/" = { + device = "/dev/mainvg/root"; + fsType = "btrfs"; + }; + + "/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "ext4"; + }; + }; + + swapDevices = [ + { device = "/dev/mainvg/swap"; } + ]; + + # CPU + hardware = { + cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; + enableRedistributableFirmware = true; + }; + + nix.settings = { + max-jobs = 2; + cores = 4; + }; + + powerManagement.cpuFreqGovernor = "performance"; +} diff --git a/users/sterni/machines/ingeborg/http/code.sterni.lv.nix b/users/sterni/machines/ingeborg/http/code.sterni.lv.nix new file mode 100644 index 0000000000..fd4975ed1d --- /dev/null +++ b/users/sterni/machines/ingeborg/http/code.sterni.lv.nix @@ -0,0 +1,263 @@ +{ depot, pkgs, lib, config, ... }: + +let + virtualHost = "code.sterni.lv"; + + repoSections = [ + { + section = "active"; + repos = { + spacecookie = { + description = "gopher server (and library for Haskell)"; + upstream = "https://github.com/sternenseemann/spacecookie.git"; + }; + "mirror/depot" = { + description = "monorepo for the virus lounge"; + upstream = "https://code.tvl.fyi/depot.git"; + cgit.defbranch = "canon"; + }; + "mirror/flipdot-gschichtler" = { + description = "message queue system for OpenLab's flipdot display"; + upstream = "https://github.com/openlab-aux/flipdot-gschichtler.git"; + }; + "mirror/nixpkgs" = { + description = "Nix packages collection"; + upstream = "https://github.com/nixos/nixpkgs.git"; + cgit.enable-commit-graph = "0"; # too slow + }; + "mirror/vuizvui" = { + description = "Nix(OS) expressions used by the OpenLab and its members"; + upstream = "https://github.com/openlab-aux/vuizvui.git"; + }; + }; + } + { + section = "poc"; + repos = { + emoji-generic = { + description = "generic emoji library for Haskell"; + upstream = "https://github.com/sternenseemann/emoji-generic.git"; + }; + grav2ty = { + description = "“realistic” 2d space game"; + upstream = "https://github.com/sternenseemann/grav2ty.git"; + }; + haskell-dot-time = { + description = "UTC-centric time library for haskell with dot time support"; + cgit.defbranch = "main"; + }; + buchstabensuppe = { + description = "toy font rendering for low pixelcount, high contrast displays"; + upstream = "https://github.com/sternenseemann/buchstabensuppe.git"; + cgit.defbranch = "main"; + }; + "mirror/saneterm" = { + description = "modern line-oriented terminal emulator without support for TUIs"; + upstream = "https://git.8pit.net/saneterm.git"; + }; + }; + } + { + # TODO(sterni): resisort, klammeraffe, cl-ca, ponify, tinyrl + section = "archive"; + repos = { + gopher-proxy = { + description = "Gopher over HTTP proxy"; + upstream = "https://github.com/sternenseemann/gopher-proxy.git"; + }; + likely-music = { + description = "experimental application for probabilistic music composition"; + upstream = "https://github.com/sternenseemann/likely-music.git"; + }; + logbook = { + description = "file format for keeping a personal log"; + upstream = "https://github.com/sternenseemann/logbook.git"; + }; + sternenblog = { + description = "file based cgi blog software"; + upstream = "https://github.com/sternenseemann/sternenblog.git"; + }; + }; + } + ]; + + repoPath = name: repo: repo.path or "/srv/git/${name}.git"; + + cgitRepoEntry = name: repo: + lib.concatStringsSep "\n" ( + [ + "repo.url=${name}" + "repo.path=${repoPath name repo}" + ] + ++ lib.optional (repo ? description) "repo.desc=${repo.description}" + ++ lib.mapAttrsToList (n: v: "repo.${n}=${v}") repo.cgit or { } + ); + + cgitHead = pkgs.writeText "cgit-head.html" '' + <style> + #summary { + max-width: 80em; + } + + #summary * { + max-width: 100%; + } + </style> + ''; + + cgitConfig = pkgs.writeText "cgitrc" '' + virtual-root=/ + + enable-http-clone=1 + clone-url=https://${virtualHost}/$CGIT_REPO_URL + + enable-blame=1 + enable-log-filecount=1 + enable-log-linecount=1 + enable-index-owner=0 + enable-blame=1 + enable-commit-graph=1 + + root-title=code.sterni.lv + css=/cgit.css + head-include=${cgitHead} + + mimetype-file=${pkgs.mime-types}/etc/mime.types + + about-filter=${depot.tools.cheddar.about-filter}/bin/cheddar-about + source-filter=${depot.tools.cheddar}/bin/cheddar + readme=:README.md + readme=:readme.md + + section-sort=0 + ${ + lib.concatMapStringsSep "\n" (section: + '' + section=${section.section} + + '' + + builtins.concatStringsSep "\n\n" (lib.mapAttrsToList cgitRepoEntry section.repos) + ) repoSections + } + ''; + + /* Merge a list of attrs, but fail when the same attribute occurs twice. + + Type: [ attrs ] -> attrs + */ + mergeManyDistinctAttrs = lib.foldAttrs + ( + val: nul: + if nul == null then val else throw "Every attribute name may occur only once" + ) + null; + + flatRepos = mergeManyDistinctAttrs + (builtins.map (section: section.repos) repoSections); + + reposToMirror = lib.filterAttrs (_: repo: repo ? upstream) flatRepos; + + # User and group name used for running the mirror scripts + mirroredReposOwner = "git"; + + # Make repo name suitable for systemd unit/timer + unitName = name: "mirror-${lib.strings.sanitizeDerivationName name}"; +in + +{ + imports = [ + ./nginx.nix + ./fcgiwrap.nix + ]; + + config = { + services.nginx.virtualHosts."${virtualHost}" = { + enableACME = true; + forceSSL = true; + root = "${pkgs.cgit-pink}/cgit/"; + extraConfig = '' + try_files $uri @cgit; + + location @cgit { + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit-pink}/cgit/cgit.cgi; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_param CGIT_CONFIG ${cgitConfig}; + fastcgi_pass unix:${toString config.services.fcgiwrap.socketAddress}; + } + ''; + }; + + users = { + users.${mirroredReposOwner} = { + group = mirroredReposOwner; + isSystemUser = true; + }; + + groups.${mirroredReposOwner} = { }; + }; + + + systemd.timers = lib.mapAttrs' + ( + name: repo: + { + name = unitName name; + value = { + description = "regularly update mirror git repository ${name}"; + wantedBy = [ "timers.target" ]; + enable = true; + timerConfig = { + # Fire every 6h and distribute the workload over next 6h randomly + OnCalendar = "*-*-* 00/6:00:00"; + RandomizedDelaySec = "6h"; + Persistent = true; + }; + }; + } + ) + reposToMirror; + + systemd.services = lib.mapAttrs' + ( + name: repo: + { + name = unitName name; + value = { + description = "mirror git repository ${name}"; + requires = [ "network-online.target" ]; + after = [ "network-online.target" ]; + + script = + let + path = repoPath name repo; + in + '' + set -euo pipefail + + export PATH="${lib.makeBinPath [ pkgs.coreutils pkgs.git ]}" + + if test ! -d "${path}"; then + mkdir -p "$(dirname "${path}")" + git clone --mirror "${repo.upstream}" "${path}" + exit 0 + fi + + cd "${path}" + + git fetch "${repo.upstream}" '+refs/*:refs/*' --prune + ''; + + serviceConfig = { + Type = "oneshot"; + User = mirroredReposOwner; + Group = mirroredReposOwner; + }; + }; + } + ) + reposToMirror; + }; +} diff --git a/users/sterni/machines/ingeborg/http/fcgiwrap.nix b/users/sterni/machines/ingeborg/http/fcgiwrap.nix new file mode 100644 index 0000000000..19696d85d4 --- /dev/null +++ b/users/sterni/machines/ingeborg/http/fcgiwrap.nix @@ -0,0 +1,15 @@ +{ ... }: + +{ + imports = [ + ./nginx.nix + ]; + + config.services.fcgiwrap = { + enable = true; + socketType = "unix"; + socketAddress = "/run/fcgiwrap.sock"; + user = "http"; + group = "http"; + }; +} diff --git a/users/sterni/machines/ingeborg/http/flipdot.openlab-augsburg.de.nix b/users/sterni/machines/ingeborg/http/flipdot.openlab-augsburg.de.nix new file mode 100644 index 0000000000..c86956a0a4 --- /dev/null +++ b/users/sterni/machines/ingeborg/http/flipdot.openlab-augsburg.de.nix @@ -0,0 +1,36 @@ +{ depot, lib, config, ... }: + +let + inherit (depot.users.sterni.external.flipdot-gschichtler) + bahnhofshalle + warteraum + nixosModule + ; +in + +{ + imports = [ + nixosModule + ./nginx.nix + ]; + + config = { + age.secrets = lib.genAttrs [ + "warteraum-salt" + "warteraum-tokens" + ] + (name: { + file = depot.users.sterni.secrets."${name}.age"; + }); + + services.flipdot-gschichtler = { + enable = true; + virtualHost = "flipdot.openlab-augsburg.de"; + packages = { + inherit bahnhofshalle warteraum; + }; + saltFile = config.age.secretsDir + "/warteraum-salt"; + tokensFile = config.age.secretsDir + "/warteraum-tokens"; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/http/likely-music.sterni.lv.nix b/users/sterni/machines/ingeborg/http/likely-music.sterni.lv.nix new file mode 100644 index 0000000000..8da03ac5e6 --- /dev/null +++ b/users/sterni/machines/ingeborg/http/likely-music.sterni.lv.nix @@ -0,0 +1,23 @@ +{ depot, ... }: + +let + inherit (depot.users.sterni.external.likely-music) + nixosModule + likely-music + ; +in + +{ + imports = [ + ./nginx.nix + nixosModule + ]; + + config = { + services.likely-music = { + enable = true; + virtualHost = "likely-music.sterni.lv"; + package = likely-music; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/http/nginx.nix b/users/sterni/machines/ingeborg/http/nginx.nix new file mode 100644 index 0000000000..d551b8391d --- /dev/null +++ b/users/sterni/machines/ingeborg/http/nginx.nix @@ -0,0 +1,30 @@ +{ ... }: + +{ + config = { + users = { + users.http = { + isSystemUser = true; + group = "http"; + }; + + groups.http = { }; + }; + + services.nginx = { + enable = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + + user = "http"; + group = "http"; + + appendHttpConfig = '' + charset utf-8; + ''; + }; + + networking.firewall.allowedTCPPorts = [ 80 443 ]; + }; +} diff --git a/users/sterni/machines/ingeborg/http/sterni.lv.nix b/users/sterni/machines/ingeborg/http/sterni.lv.nix new file mode 100644 index 0000000000..50c1bac293 --- /dev/null +++ b/users/sterni/machines/ingeborg/http/sterni.lv.nix @@ -0,0 +1,34 @@ +{ pkgs, depot, ... }: + +let + inherit (depot.users.sterni.nix.html) + __findFile + withDoctype + ; +in + +{ + imports = [ + ./nginx.nix + ]; + + config = { + services.nginx.virtualHosts."sterni.lv" = { + enableACME = true; + forceSSL = true; + root = pkgs.writeTextFile { + name = "sterni.lv-http-root"; + destination = "/index.html"; + text = withDoctype (<html> { } [ + (<head> { } [ + (<meta> { charset = "utf-8"; } null) + (<title> { } "no thoughts") + ]) + (<body> { } "🦩") + ]); + }; + # TODO(sterni): tmp.sterni.lv + locations."/tmp/".root = toString /srv/http; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/irccat.nix b/users/sterni/machines/ingeborg/irccat.nix new file mode 100644 index 0000000000..0c40f15e33 --- /dev/null +++ b/users/sterni/machines/ingeborg/irccat.nix @@ -0,0 +1,23 @@ +{ depot, config, pkgs, lib, ... }: + +{ + imports = [ + (depot.path.origSrc + "/ops/modules/irccat.nix") + ]; + + config = { + services.depot.irccat = { + enable = true; + secretsFile = builtins.toFile "empty.json" "{}"; # TODO(sterni): register + config = { + tcp.listen = ":4722"; # ircc + irc = { + server = "irc.hackint.org:6697"; + tls = true; + nick = config.networking.hostName; + realname = "irccat"; + }; + }; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/minecraft.nix b/users/sterni/machines/ingeborg/minecraft.nix new file mode 100644 index 0000000000..383fee8ca0 --- /dev/null +++ b/users/sterni/machines/ingeborg/minecraft.nix @@ -0,0 +1,125 @@ +{ pkgs, depot, config, ... }: + +let + carpet = pkgs.fetchurl { + url = "https://github.com/gnembon/fabric-carpet/releases/download/1.4.128/fabric-carpet-1.20.3-1.4.128+v231205.jar"; + sha256 = "1jh2pb9pjwyfv1ianzykmja21nqlv175a8rg926xg3w4hhhwzrfq"; + }; + + carpet-extra = pkgs.fetchurl { + url = "https://github.com/gnembon/carpet-extra/releases/download/1.4.128/carpet-extra-1.20.3-1.4.128.jar"; + sha256 = "0gxwm5ayr0y5dri0kxlnrrgy9pyaim34rl6km1j42fkyvc4r8p6x"; + }; + + userGroup = "minecraft"; + + makeJvmOpts = megs: [ + "-Xms${toString megs}M" + "-Xmx${toString megs}M" + ]; + + whitelist = { + spreadwasser = "242a66eb-2df2-4585-9a28-ac763ad0d0f9"; + sternenseemann = "d8e48069-1905-4886-a5da-a4ee917ee254"; + }; + + rconPasswordFile = config.age.secretsDir + "/minecraft-rcon"; + + baseProperties = { + white-list = true; + allow-flight = true; + difficulty = "hard"; + function-permission-level = 4; + snooper-enabled = false; + view-distance = 12; + sync-chunk-writes = "false"; # the single biggest performance fix + max-tick-time = 6000000; # TODO(sterni): disable watchdog via carpet + enforce-secure-profile = false; + }; +in + +{ + imports = [ + ../../modules/minecraft-fabric.nix + ../../modules/backup-minecraft-fabric.nix + ]; + + config = { + environment.systemPackages = [ + pkgs.mcrcon + pkgs.jre + ]; + + users = { + users."${userGroup}" = { + isNormalUser = true; + openssh.authorizedKeys.keys = depot.users.sterni.keys.all; + shell = "${pkgs.fish}/bin/fish"; + }; + + groups."${userGroup}" = { }; + }; + + age.secrets = { + minecraft-rcon.file = depot.users.sterni.secrets."minecraft-rcon.age"; + }; + + services.backup-minecraft-fabric-servers = { + enable = true; + repository = "/srv/backup/from-local/minecraft"; + }; + + services.minecraft-fabric-server = { + creative = { + enable = false; # not actively used + version = "1.20.4"; + mods = [ + carpet + carpet-extra + ]; + world = config.users.users.${userGroup}.home + "/worlds/creative"; + + jvmOpts = makeJvmOpts 2048; + user = userGroup; + group = userGroup; + + inherit whitelist rconPasswordFile; + ops = whitelist; + + serverProperties = baseProperties // { + server-port = 25566; + "rcon.port" = 25576; + gamemode = "creative"; + enable-command-block = true; + motd = "storage design server"; + spawn-protection = 2; + }; + }; + + carpet = { + enable = true; + version = "1.20.4"; + mods = [ + carpet + carpet-extra + ]; + world = config.users.users.${userGroup}.home + "/worlds/carpet"; + + jvmOpts = makeJvmOpts 4096; + user = userGroup; + group = userGroup; + + inherit whitelist rconPasswordFile; + ops = whitelist; + + serverProperties = baseProperties // { + server-port = 25565; + "rcon.port" = 25575; + motd = "ich tu fleissig hustlen nenn mich bob der baumeister"; + + level-seed = 7240251176989694927; # for posterity + }; + }; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/monitoring.nix b/users/sterni/machines/ingeborg/monitoring.nix new file mode 100644 index 0000000000..6244bc5e88 --- /dev/null +++ b/users/sterni/machines/ingeborg/monitoring.nix @@ -0,0 +1,152 @@ +{ pkgs, lib, config, ... }: + +let + ircChannel = "#sterni.lv"; + irccatPort = + builtins.replaceStrings [ ":" ] [ "" ] + config.services.depot.irccat.config.tcp.listen; + + mkIrcMessager = + { name + , msgExpr + }: + pkgs.writeShellScript name '' + set -euo pipefail + printf '%s %s\n' ${lib.escapeShellArg ircChannel} ${msgExpr} | \ + ${lib.getBin pkgs.netcat-openbsd}/bin/nc -N localhost ${irccatPort} + ''; + + netdataPort = 19999; +in + +{ + imports = [ + ./irccat.nix + ]; + + config = { + services.depot.irccat.config.irc.channels = [ + ircChannel + ]; + + # Since we have irccat we can wire up mdadm --monitor + boot.swraid.mdadmConf = '' + PROGRAM ${ + mkIrcMessager { + name = "mdmonitor-to-irc"; + # prog EVENT MD_DEVICE COMPONENT_DEVICE + msgExpr = ''"mdmonitor: $1($2''${3:+, $3})"''; + } + } + ''; + + # TODO(sterni): irc notifications (?) + services = { + smartd = { + enable = true; + autodetect = true; + # Short self test every day 03:00 + # Long self test every tuesday 05:00 + defaults.autodetected = "-a -o on -s (S/../.././03|L/../../2/05)"; + extraOptions = [ + "-A" + "/var/log/smartd/" + ]; + }; + + netdata = { + enable = true; + config = { + logs = { + access = "syslog"; + error = "syslog"; + debug = "syslog"; + health = "syslog"; + collector = "syslog"; + }; + web = { + "default port" = toString netdataPort; + "bind to" = "localhost:${toString netdataPort}"; + }; + health = { + "script to execute on alarm" = pkgs.writeShellScript "simple-alarm-notify" '' + set -euo pipefail + + # This humongous list is copied over from netdata's alarm-notify.sh + roles="''${1}" # the roles that should be notified for this event + args_host="''${2}" # the host generated this event + unique_id="''${3}" # the unique id of this event + alarm_id="''${4}" # the unique id of the alarm that generated this event + event_id="''${5}" # the incremental id of the event, for this alarm id + when="''${6}" # the timestamp this event occurred + name="''${7}" # the name of the alarm, as given in netdata health.d entries + chart="''${8}" # the name of the chart (type.id) + status="''${9}" # the current status : REMOVED, UNINITIALIZED, UNDEFINED, CLEAR, WARNING, CRITICAL + old_status="''${10}" # the previous status: REMOVED, UNINITIALIZED, UNDEFINED, CLEAR, WARNING, CRITICAL + value="''${11}" # the current value of the alarm + old_value="''${12}" # the previous value of the alarm + src="''${13}" # the line number and file the alarm has been configured + duration="''${14}" # the duration in seconds of the previous alarm state + non_clear_duration="''${15}" # the total duration in seconds this is/was non-clear + units="''${16}" # the units of the value + info="''${17}" # a short description of the alarm + value_string="''${18}" # friendly value (with units) + # shellcheck disable=SC2034 + # variable is unused, but https://github.com/netdata/netdata/pull/5164#discussion_r255572947 + old_value_string="''${19}" # friendly old value (with units), previously named "old_value_string" + calc_expression="''${20}" # contains the expression that was evaluated to trigger the alarm + calc_param_values="''${21}" # the values of the parameters in the expression, at the time of the evaluation + total_warnings="''${22}" # Total number of alarms in WARNING state + total_critical="''${23}" # Total number of alarms in CRITICAL state + total_warn_alarms="''${24}" # List of alarms in warning state + total_crit_alarms="''${25}" # List of alarms in critical state + classification="''${26}" # The class field from .conf files + edit_command_line="''${27}" # The command to edit the alarm, with the line number + child_machine_guid="''${28}" # the machine_guid of the child + transition_id="''${29}" # the transition_id of the alert + summary="''${30}" # the summary text field of the alert + + # Verify that they haven't extended the arg list + ARG_COUNT_EXPECTED=30 + + if [[ "$#" != "$ARG_COUNT_EXPECTED" ]]; then + echo "$0: WARNING: unexpected number of arguments: $#. Did netdata add more?" >&2 + fi + + MSG="netdata: $status ''${name//_/ } ($chart): ''${summary//_/ } = $value_string" + + # Filter rules by chart name. This is necessary, since the "enabled alarms" + # filter only allows for filtering alarm types, not specific alarms + # belonging to that alarm. + case "$chart" in + # netdata prefers the automatically assigned names (dm-<n>, md<n>, + # sd<c>) over ids for alerts, so this configuration assumes that + # we have two physical disks which we kind of assert using the + # grub configuration (it is more difficult with the soft raid + # config). + # ${assert builtins.length config.boot.loader.grub.devices == 2; ""} + disk_util.sda | disk_util.sdb | disk_backlog.sda | disk_backlog.sdb) + + ;; + disk_util.* | disk_backlog.*) + echo "$0: INFO: DISCARDING message: $MSG" >&2 + exit 0 + ;; + *) + ;; + esac + + echo "$0: INFO: sending message: $MSG" >&2 + ${ + mkIrcMessager { + name = "trivial-send-to-irc"; + msgExpr = "\"$1\""; + } + } "$MSG" + ''; + }; + }; + }; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/network.nix b/users/sterni/machines/ingeborg/network.nix new file mode 100644 index 0000000000..fceb530d55 --- /dev/null +++ b/users/sterni/machines/ingeborg/network.nix @@ -0,0 +1,62 @@ +{ config, pkgs, lib, depot, ... }: + +let + ipv6 = "2a01:4f9:2a:1bc6::/64"; + + ipv4 = "95.216.27.158"; + gatewayv4 = "95.216.27.129"; + netmaskv4 = "255.255.255.192"; +in + +{ + config = { + boot = { + kernelParams = [ + "ip=${ipv4}::${gatewayv4}:${netmaskv4}::eth0:none" + ]; + + initrd.network = { + enable = true; + ssh = { + enable = true; + authorizedKeys = depot.users.sterni.keys.all; + hostKeys = [ + "/etc/nixos/unlock_rsa_key_openssh" + "/etc/nixos/unlock_ed25519_key_openssh" + ]; + }; + postCommands = '' + echo 'cryptsetup-askpass' >> /root/.profile + ''; + }; + }; + + networking = { + usePredictableInterfaceNames = false; + useDHCP = false; + interfaces."eth0".useDHCP = false; + + hostName = "ingeborg"; + + firewall = { + enable = true; + allowPing = true; + allowedTCPPorts = [ 22 ]; + }; + }; + + systemd.network = { + enable = true; + networks."eth0".extraConfig = '' + [Match] + Name = eth0 + + [Network] + Address = ${ipv6} + Gateway = fe80::1 + Address = ${ipv4}/27 + Gateway = ${gatewayv4} + ''; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/quassel.nix b/users/sterni/machines/ingeborg/quassel.nix new file mode 100644 index 0000000000..cd8dacc917 --- /dev/null +++ b/users/sterni/machines/ingeborg/quassel.nix @@ -0,0 +1,18 @@ +{ depot, ... }: + +{ + imports = [ + (depot.path.origSrc + "/ops/modules/quassel.nix") + ]; + + config = { + services.depot.quassel = { + enable = true; + acmeHost = "sterni.lv"; + bindAddresses = [ + "0.0.0.0" + "::" + ]; + }; + }; +} diff --git a/users/sterni/machines/ingeborg/tv.nix b/users/sterni/machines/ingeborg/tv.nix new file mode 100644 index 0000000000..016ad256ef --- /dev/null +++ b/users/sterni/machines/ingeborg/tv.nix @@ -0,0 +1,13 @@ +{ pkgs, ... }: + +{ + config = { + # TODO(sterni): smb or nfs may be a faster alternative? + services.openssh.allowSFTP = true; + + users.users.tv = { + group = "users"; + isNormalUser = true; + }; + }; +} |