authortv <tv@krebsco.de>2023-07-25 20:39:35 +0200
committertv <tv@krebsco.de>2023-07-25 20:39:35 +0200
commit5d1b0675cf179f863a5b34b67661a953197b6057 (patch)
treedd9c83dff894fd97cee61dd1b2df3eaeecbbd740 /lass/2configs
parenta2c9ad05b2e8237b915a100e1e38ca0f3d18526c (diff)
parent8eab63eaa81717391269a61355cb7fb64341fd1a (diff)
Merge remote-tracking branch 'orange/master'
Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/antimicrox/default.nix12
-rw-r--r--lass/2configs/antimicrox/empty.gamecontroller.amgp (renamed from lass/2configs/antimicrox/empty.amgp)0
-rw-r--r--lass/2configs/antimicrox/mouse.gamecontroller.amgp (renamed from lass/2configs/antimicrox/mouse.amgp)97
-rw-r--r--lass/2configs/atuin-server.nix36
-rw-r--r--lass/2configs/baseX.nix20
-rw-r--r--lass/2configs/boot/universal.nix11
-rw-r--r--lass/2configs/codimd.nix6
-rw-r--r--lass/2configs/default.nix1
-rw-r--r--lass/2configs/hass/default.nix56
-rw-r--r--lass/2configs/hass/lib.nix18
-rw-r--r--lass/2configs/hass/zigbee.nix141
-rw-r--r--lass/2configs/mail/internet-gateway.nix48
-rw-r--r--lass/2configs/monitoring/alert-rules.nix208
-rw-r--r--lass/2configs/monitoring/prometheus.nix110
-rw-r--r--lass/2configs/monitoring/telegraf.nix72
-rw-r--r--lass/2configs/mpv.nix2
-rw-r--r--lass/2configs/networkd.nix20
-rw-r--r--lass/2configs/services/git/default.nix10
-rw-r--r--lass/2configs/services/git/proxy.nix10
-rw-r--r--lass/2configs/services/radio/default.nix1
-rw-r--r--lass/2configs/services/radio/weather_for_ips.py4
-rw-r--r--lass/2configs/sync/decsync.nix2
-rw-r--r--lass/2configs/sync/sync.nix9
-rw-r--r--lass/2configs/websites/default.nix1
-rw-r--r--lass/2configs/websites/domsen.nix23
-rw-r--r--lass/2configs/websites/lassulus.nix20
26 files changed, 682 insertions, 256 deletions
diff --git a/lass/2configs/antimicrox/default.nix b/lass/2configs/antimicrox/default.nix
index 16f546ce6..2b683b8bc 100644
--- a/lass/2configs/antimicrox/default.nix
+++ b/lass/2configs/antimicrox/default.nix
@@ -1,6 +1,7 @@
{ config, lib, pkgs, ... }:
{
systemd.services.antimicrox = {
+ after = [ "display-manager.service" ];
wantedBy = [ "multi-user.target" ];
environment = {
DISPLAY = ":0";
@@ -8,18 +9,23 @@
serviceConfig = {
User = config.users.users.mainUser.name;
ExecStartPre = lib.singleton (pkgs.writeDash "init_state" "echo 0 > /tmp/gamepad.state");
- ExecStart = "${pkgs.antimicrox}/bin/antimicrox --no-tray --hidden --profile ${./mouse.amgp}";
+ ExecStart = "${pkgs.antimicrox}/bin/antimicrox --hidden --profile ${./mouse.gamecontroller.amgp}";
};
};
+ services.udev.extraRules = ''
+ KERNEL=="uinput", MODE="0660", GROUP="input", OPTIONS+="static_node=uinput"
+ '';
+
environment.systemPackages = [
+ pkgs.antimicrox
(pkgs.writers.writeDashBin "gamepad_mouse_disable" ''
echo 1 > /tmp/gamepad.state
- ${pkgs.antimicrox}/bin/antimicrox --profile ${./empty.amgp}
+ ${pkgs.antimicrox}/bin/antimicrox --profile ${./empty.gamecontroller.amgp}
'')
(pkgs.writers.writeDashBin "gamepad_mouse_enable" ''
echo 0 > /tmp/gamepad.state
- ${pkgs.antimicrox}/bin/antimicrox --profile ${./mouse.amgp}
+ ${pkgs.antimicrox}/bin/antimicrox --profile ${./mouse.gamecontroller.amgp}
'')
(pkgs.writers.writeDashBin "gamepad_mouse_toggle" ''
state=$(${pkgs.coreutils}/bin/cat /tmp/gamepad.state)
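Review bot: The added udev rule makes `/dev/uinput` writable for every member of the `input` group, and any process with that access can create a virtual device and feed synthetic keyboard and mouse events into the running session. The hunk does not show that `mainUser` is a member of `input`, so the dependency should be stated next to the rule, for example `# write access to uinput = ability to inject input events; keep this group small`. A dedicated group for this one device node would keep the grant narrower than reusing `input`, which usually also carries read access to the event devices. The `systemd.services.antimicrox` block starts above this hunk.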
diff --git a/lass/2configs/antimicrox/empty.amgp b/lass/2configs/antimicrox/empty.gamecontroller.amgp
index 0257bfe71..0257bfe71 100644
--- a/lass/2configs/antimicrox/empty.amgp
+++ b/lass/2configs/antimicrox/empty.gamecontroller.amgp
diff --git a/lass/2configs/antimicrox/mouse.amgp b/lass/2configs/antimicrox/mouse.gamecontroller.amgp
index 313e598de..743618f54 100644
--- a/lass/2configs/antimicrox/mouse.amgp
+++ b/lass/2configs/antimicrox/mouse.gamecontroller.amgp
@@ -23,7 +23,8 @@
<maxZone>29501</maxZone>
<modifierZone>1412</modifierZone>
<diagonalRange>90</diagonalRange>
- <stickbutton index="7">
+ <squareStick>100</squareStick>
+ <stickbutton index="1">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
@@ -32,16 +33,12 @@
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
- <code>3</code>
+ <code>1</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
- <stickbutton index="6">
- <mousespeedx>74</mousespeedx>
- <mousespeedy>74</mousespeedy>
- </stickbutton>
- <stickbutton index="5">
+ <stickbutton index="3">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
@@ -50,16 +47,16 @@
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
- <code>2</code>
+ <code>4</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
- <stickbutton index="4">
+ <stickbutton index="2">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
</stickbutton>
- <stickbutton index="3">
+ <stickbutton index="5">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
@@ -68,16 +65,16 @@
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
- <code>4</code>
+ <code>2</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
- <stickbutton index="2">
+ <stickbutton index="4">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
</stickbutton>
- <stickbutton index="1">
+ <stickbutton index="7">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
<accelerationmultiplier>4</accelerationmultiplier>
@@ -86,11 +83,15 @@
<extraaccelerationcurve>easeoutquad</extraaccelerationcurve>
<slots>
<slot>
- <code>1</code>
+ <code>3</code>
<mode>mousemovement</mode>
</slot>
</slots>
</stickbutton>
+ <stickbutton index="6">
+ <mousespeedx>74</mousespeedx>
+ <mousespeedy>74</mousespeedy>
+ </stickbutton>
<stickbutton index="8">
<mousespeedx>74</mousespeedx>
<mousespeedy>74</mousespeedy>
@@ -99,66 +100,66 @@
<stick index="1">
<deadZone>2578</deadZone>
<maxZone>30799</maxZone>
- <stickbutton index="7">
+ <stickbutton index="1">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
- <code>6</code>
+ <code>4</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
- <stickbutton index="6">
- <mouseacceleration>linear</mouseacceleration>
- </stickbutton>
- <stickbutton index="5">
+ <stickbutton index="3">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
- <code>5</code>
+ <code>7</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
- <stickbutton index="4">
+ <stickbutton index="2">
<mouseacceleration>linear</mouseacceleration>
</stickbutton>
- <stickbutton index="3">
+ <stickbutton index="5">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
- <code>7</code>
+ <code>5</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
- <stickbutton index="2">
+ <stickbutton index="4">
<mouseacceleration>linear</mouseacceleration>
</stickbutton>
- <stickbutton index="1">
+ <stickbutton index="7">
<mouseacceleration>linear</mouseacceleration>
<slots>
<slot>
- <code>4</code>
+ <code>6</code>
<mode>mousebutton</mode>
</slot>
</slots>
</stickbutton>
+ <stickbutton index="6">
+ <mouseacceleration>linear</mouseacceleration>
+ </stickbutton>
<stickbutton index="8">
<mouseacceleration>linear</mouseacceleration>
</stickbutton>
</stick>
<dpad index="1">
- <dpadbutton index="6">
+ <dpadbutton index="12">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
</dpadbutton>
- <dpadbutton index="4">
- <wheelspeedx>2</wheelspeedx>
+ <dpadbutton index="1">
+ <wheelspeedx>10</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
- <code>0x1000017</code>
+ <code>0x1000013</code>
<mode>keyboard</mode>
</slot>
</slots>
@@ -172,22 +173,22 @@
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
- <code>0x1000011</code>
+ <code>0x1000014</code>
<mode>keyboard</mode>
</slot>
</slots>
</dpadbutton>
- <dpadbutton index="1">
- <wheelspeedx>10</wheelspeedx>
+ <dpadbutton index="4">
+ <wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
- <code>0x1000016</code>
+ <code>0x1000015</code>
<mode>keyboard</mode>
</slot>
</slots>
</dpadbutton>
- <dpadbutton index="12">
+ <dpadbutton index="6">
<wheelspeedx>2</wheelspeedx>
<wheelspeedy>10</wheelspeedy>
</dpadbutton>
@@ -200,7 +201,7 @@
<wheelspeedy>10</wheelspeedy>
<slots>
<slot>
- <code>0x1000010</code>
+ <code>0x1000012</code>
<mode>keyboard</mode>
</slot>
</slots>
@@ -235,31 +236,39 @@
</slot>
</slots>
</button>
- <button index="5">
+ <button index="2">
<slots>
<slot>
- <code>1</code>
+ <code>3</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
- <button index="3">
+ <button index="1">
<slots>
<slot>
- <code>2</code>
+ <code>1</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
- <button index="2">
+ <button index="4">
<slots>
<slot>
- <code>3</code>
+ <code>0x1000004</code>
+ <mode>keyboard</mode>
+ </slot>
+ </slots>
+ </button>
+ <button index="3">
+ <slots>
+ <slot>
+ <code>2</code>
<mode>mousebutton</mode>
</slot>
</slots>
</button>
- <button index="1">
+ <button index="5">
<slots>
<slot>
<code>1</code>
diff --git a/lass/2configs/atuin-server.nix b/lass/2configs/atuin-server.nix
index ad959a311..05d3b4fd4 100644
--- a/lass/2configs/atuin-server.nix
+++ b/lass/2configs/atuin-server.nix
@@ -1,38 +1,10 @@
{ config, lib, pkgs, ... }:
{
- services.postgresql = {
+ services.atuin = {
enable = true;
- dataDir = "/var/state/postgresql/${config.services.postgresql.package.psqlSchema}";
- ensureDatabases = [ "atuin" ];
- ensureUsers = [{
- name = "atuin";
- ensurePermissions."DATABASE atuin" = "ALL PRIVILEGES";
- }];
- };
- systemd.tmpfiles.rules = [
- "d /var/state/postgresql 0700 postgres postgres -"
- ];
- users.groups.atuin = {};
- users.users.atuin = {
- uid = pkgs.stockholm.lib.genid_uint31 "atuin";
- isSystemUser = true;
- group = "atuin";
- home = "/run/atuin";
- createHome = true;
+ host = "0.0.0.0";
+ maxHistoryLength = 1000000;
+ openFirewall = true;
};
- systemd.services.atuin = {
- wantedBy = [ "multi-user.target" ];
- environment = {
- ATUIN_HOST = "0.0.0.0";
- ATUIN_PORT = "8888";
- ATUIN_OPEN_REGISTRATION = "true";
- ATUIN_DB_URI = "postgres:///atuin";
- };
- serviceConfig = {
- User = "atuin";
- ExecStart = "${pkgs.atuin}/bin/atuin server start";
- };
- };
- networking.firewall.allowedTCPPorts = [ 8888 ];
}
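Review bot: `host = "0.0.0.0"` together with `openFirewall = true` exposes the sync server on every interface, whereas the monitoring files in this same commit open their ports only with `-i retiolum`; if all clients are on the VPN, drop `openFirewall` and add a retiolum-scoped rule instead. The explicit `ATUIN_OPEN_REGISTRATION = "true"` is gone as well, so the module default now decides whether new accounts can be created, and setting `openRegistration` explicitly would make that choice visible in the file. The custom PostgreSQL `dataDir` is also removed, so it is worth confirming that the existing history database is still the one the module connects to.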
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 654247728..e5b1f0b90 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -89,16 +89,30 @@ in {
x11vnc
xclip
xephyrify
+ xorg.xmodmap
xorg.xhost
+ xdotool
xsel
zathura
flameshot
(pkgs.writeDashBin "screenshot" ''
set -efu
- ${pkgs.flameshot}/bin/flameshot gui
+ ${pkgs.flameshot}/bin/flameshot gui &&
${pkgs.klem}/bin/klem
'')
+ (pkgs.writers.writeDashBin "IM" ''
+ ${pkgs.mosh}/bin/mosh green.r -- tmux new-session -A -s IM -- weechat
+ '')
+ (pkgs.writers.writeDashBin "deploy_hm" ''
+ target=$1
+ shift
+
+ hm_profile=$(${pkgs.home-manager}/bin/home-manager -f ~/sync/stockholm/lass/2configs/home-manager.nix build "$@")
+ nix-copy-closure --to "$target" "$hm_profile"
+ ssh "$target" -- "$hm_profile"/activate
+ '')
+ zbar
];
services.udev.extraRules = ''
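Review bot: `deploy_hm` has no `set -efu`, unlike the `screenshot` wrapper just above it, so a failed `home-manager build` leaves `$hm_profile` empty and the script still goes on to run `ssh "$target" -- /activate` on the remote host. Start the script body with `set -efu` so that a missing target argument or a failed build stops it before anything is copied or executed remotely. The package list this hunk edits begins above the hunk.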
@@ -114,6 +128,7 @@ in {
xkbVariant = "altgr-intl";
xkbOptions = "caps:escape";
libinput.enable = true;
+ exportConfiguration = true;
displayManager = {
lightdm.enable = true;
defaultSession = "none+xmonad";
@@ -130,7 +145,6 @@ in {
};
krebs.xresources.enable = true;
- lass.screenlock.enable = true;
lass.klem = {
kpaste.script = pkgs.writeDash "kpaste-wrapper" ''
@@ -152,7 +166,7 @@ in {
qrcode = {
target = "image";
script = pkgs.writeDash "zbar" ''
- ${pkgs.zbar}/bin/zbarimg -q -
+ ${pkgs.zbar}/bin/zbarimg -q --raw -
'';
};
ocr = {
diff --git a/lass/2configs/boot/universal.nix b/lass/2configs/boot/universal.nix
new file mode 100644
index 000000000..33f4323cc
--- /dev/null
+++ b/lass/2configs/boot/universal.nix
@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+ boot = {
+ loader.grub.enable = true;
+ loader.grub.version = 2;
+ loader.grub.device = "/dev/sda";
+ loader.grub.efiSupport = true;
+ loader.grub.efiInstallAsRemovable = true;
+ };
+}
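Review bot: `loader.grub.device = "/dev/sda"` depends on kernel enumeration order, which can change when a USB stick or a second disk is attached, and GRUB would then be written to a different disk than intended. A per-host `/dev/disk/by-id/<DISK-ID-PLACEHOLDER>` path, or a comment saying this file is only meant for single-disk machines, would make the assumption explicit.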
diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix
index b3bf1b761..ccca49fac 100644
--- a/lass/2configs/codimd.nix
+++ b/lass/2configs/codimd.nix
@@ -21,7 +21,7 @@ in {
};
security.acme.certs.${domain}.group = "hedgecert";
- users.groups.hedgecert.members = [ "codimd" "nginx" ];
+ users.groups.hedgecert.members = [ "hedgedoc" "nginx" ];
security.dhparams = {
enable = true;
@@ -35,10 +35,10 @@ in {
services.hedgedoc = {
enable = true;
configuration.allowOrigin = [ domain ];
- configuration = {
+ settings = {
db = {
dialect = "sqlite";
- storage = "/var/lib/codimd/db.codimd.sqlite";
+ storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
useCDN = false;
port = 3091;
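Review bot: The block is renamed to `settings`, but the context line directly above still sets `configuration.allowOrigin`, so the new side configures the service through two different option names. Move it to `settings.allowOrigin = [ domain ];` so the origin allow-list does not depend on a rename shim remaining in the module. The `storage` path also moves from `/var/lib/codimd` to `/var/lib/hedgedoc`, and nothing in the hunk migrates the existing SQLite file, so confirm that is handled elsewhere. The `services.hedgedoc` block continues past the end of the hunk.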
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 3d7188dc6..72dbfc480 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -12,6 +12,7 @@ with import <stockholm/lib>;
./wiregrill.nix
./tmux.nix
./tor-ssh.nix
+ ./networkd.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
diff --git a/lass/2configs/hass/default.nix b/lass/2configs/hass/default.nix
index cc8189f51..1745bbfe5 100644
--- a/lass/2configs/hass/default.nix
+++ b/lass/2configs/hass/default.nix
@@ -41,8 +41,7 @@ in {
configWritable = true;
lovelaceConfigWritable = true;
config = let
- tasmota_s20 = name: topic: {
- platform = "mqtt";
+ tasmota = name: topic: {
inherit name;
state_topic = "stat/${topic}/POWER";
command_topic = "cmnd/${topic}/POWER";
@@ -57,7 +56,7 @@ in {
longitude = "13.41489";
elevation = 90;
unit_system = "metric";
- customize = friendly_names;
+ # customize = friendly_names;
};
config = {};
sun.elevation = 66;
@@ -65,36 +64,37 @@ in {
discovery = {};
frontend = {};
http = {};
- mqtt = {
- broker = "localhost";
- port = 1883;
- client_id = "home-assistant";
- username = "gg23";
- password = "gg23-mqtt";
- keepalive = 60;
- protocol = 3.1;
+ # mqtt = {
+ # broker = "localhost";
+ # port = 1883;
+ # client_id = "home-assistant";
+ # username = "gg23";
+ # password = "gg23-mqtt";
+ # keepalive = 60;
+ # protocol = 3.1;
- discovery = true;
- birth_message = {
- topic = "/hass/status";
- payload = "online";
- };
- will_message = {
- topic = "/hass/status";
- payload = "offline";
- };
- };
+ # discovery = true;
+ # birth_message = {
+ # topic = "/hass/status";
+ # payload = "online";
+ # };
+ # will_message = {
+ # topic = "/hass/status";
+ # payload = "offline";
+ # };
+ # };
sensor = [
{
platform = "dwd_weather_warnings";
region_name = "Berlin";
}
];
- switch = [
- (tasmota_s20 "TV" "tv")
- (tasmota_s20 "Drucker Strom" "drucker")
- (tasmota_s20 "Waschmaschine" "wasch")
- (tasmota_s20 "Stereo Anlage" "stereo")
+ mqtt.switch = [
+ (tasmota "TV" "tv")
+ (tasmota "Drucker Strom" "drucker")
+ (tasmota "Waschmaschine" "wasch")
+ (tasmota "Stereo Anlage" "stereo")
+ (tasmota "Wohnzimmer Lampe" "wohn_lampe")
];
mobile_app = {};
weather = [
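Review bot: The MQTT block is commented out rather than deleted, so the broker `username` and `password` values stay readable in the file for anyone with access to the repository. Delete the commented lines, and if that account is still valid on the broker, change its password and supply it from a secret file instead of a literal that ends up in the Nix store. The `config` attribute set starts above this hunk and continues below it.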
@@ -106,6 +106,10 @@ in {
system_health = {};
history = {};
shopping_list = {};
+ media_player = {
+ platform = "snapcast";
+ host = "127.0.0.1";
+ };
};
};
diff --git a/lass/2configs/hass/lib.nix b/lass/2configs/hass/lib.nix
index 1f9f9945d..72ff2966f 100644
--- a/lass/2configs/hass/lib.nix
+++ b/lass/2configs/hass/lib.nix
@@ -1,24 +1,24 @@
{ lib, ... }:
rec {
lights = {
- bett = "0x0017880106ed3bd8";
- essen = "0x0017880108327622";
- arbeit = "0x0017880106ee2865";
- nass = "0x00178801082e9f2f";
+ bett = "l_bett";
+ essen = "l_essen";
+ arbeit = "l_arbeit";
+ nass = "l_nass";
};
switches = {
dimmer = {
- bett = "0x00178801086ac38c";
- essen = "0x00178801086ad1fb";
- nass = "0x00178801086ac373";
+ bett = "i_bett";
+ essen = "i_essen";
+ nass = "i_nass";
};
};
sensors = {
movement = {
- essen = "0x0017880106f772f2";
- nass = "0x0017880106f77f30";
+ essen = "s_essen";
+ nass = "s_nass";
};
};
diff --git a/lass/2configs/hass/zigbee.nix b/lass/2configs/hass/zigbee.nix
index 8fc02263b..210c761b5 100644
--- a/lass/2configs/hass/zigbee.nix
+++ b/lass/2configs/hass/zigbee.nix
@@ -34,117 +34,42 @@ in {
advanced = {
pan_id = 4222;
};
- };
- };
+ devices = let
+ set_device = id: name:
+ lib.nameValuePair id {
+ };
+ in {
+ # lights https://www.zigbee2mqtt.io/devices/9290022166.html#philips-9290022166
+ "0x0017880106ed3bd8".friendly_name = "l_bett";
+ "0x0017880108327622".friendly_name = "l_essen";
+ "0x0017880106ee2865".friendly_name = "l_arbeit";
+ "0x00178801082e9f2f".friendly_name = "l_nass";
- services.home-assistant.config = {
- sensor = [
- # Sensor for monitoring the bridge state
- {
- platform = "mqtt";
- name = "Zigbee2mqtt Bridge state";
- state_topic = "/zigbee2mqtt/bridge/state";
- icon = "mdi:router-wireless";
- }
- # Sensor for Showing the Zigbee2mqtt Version
- {
- platform = "mqtt";
- name = "Zigbee2mqtt Version";
- state_topic = "/zigbee2mqtt/bridge/config";
- value_template = "{{ value_json.version }}";
- icon = "mdi:zigbee";
- }
- # Sensor for Showing the Coordinator Version
- {
- platform = "mqtt";
- name = "Coordinator Version";
- state_topic = "/zigbee2mqtt/bridge/config";
- value_template = "{{ value_json.coordinator }}";
- icon = "mdi:chip";
- }
- ];
- switch = [
- {
- platform = "mqtt";
- name = "zigbee2mqtt_join";
- state_topic = "/zigbee2mqtt/bridge/config/permit_join";
- command_topic = "/zigbee2mqtt/bridge/config/permit_join";
- payload_on = "true";
- payload_off = "false";
- }
- ];
- automation = [
- #{
- # alias = "Zigbee2mqtt Log Level";
- # initial_state = "on";
- # trigger = {
- # platform = "state";
- # entity_id = "input_select.zigbee2mqtt_log_level";
- # };
- # action = [
- # {
- # service = "mqtt.publish";
- # data = {
- # payload_template = "{{ states('input_select.zigbee2mqtt_log_level') }}";
- # topic = "/zigbee2mqtt/bridge/config/log_level";
- # };
- # }
- # ];
- #}
- # Automation to start timer when enable join is turned on
- {
- id = "zigbee_join_enabled";
- alias = "";
- trigger = {
- platform = "state";
- entity_id = "switch.zigbee2mqtt_join";
- to = "on";
- };
- action = {
- service = "timer.start";
- entity_id = "timer.zigbee_permit_join";
+ # switches https://www.zigbee2mqtt.io/devices/324131092621.html#philips-324131092621
+ "0x00178801086ac38c".friendly_name = "i_bett";
+ "0x00178801086ad1fb".friendly_name = "i_essen";
+ "0x00178801086ac373".friendly_name = "i_nass";
+
+ # sensors https://www.zigbee2mqtt.io/devices/9290012607.html#philips-9290012607
+ "0x0017880106f772f2".friendly_name = "s_essen";
+ "0x0017880106f77f30".friendly_name = "s_nass";
+
+ # heat https://www.zigbee2mqtt.io/devices/701721.html#popp-701721
+ "0x842e14fffe27109a".friendly_name = "t_bett";
+ "0x842e14fffe269a73".friendly_name = "t_nass";
+ "0x842e14fffe269a56".friendly_name = "t_arbeit";
+
+ # rotation https://www.zigbee2mqtt.io/devices/E1744.html
+ "0x8cf681fffe065493" = {
+ friendly_name = "r_test";
+ device_id = "r_test";
+ simulated_brightness = {
+ delta = 2;
+ interval = 100;
+ };
};
- }
- # Automation to stop timer when switch turned off and turn off switch when timer finished
- {
- id = "zigbee_join_disabled";
- trigger = [
- {
- platform = "event";
- event_type = "timer.finished";
- event_data.entity_id = "timer.zigbee_permit_join";
- }
- {
- platform = "state";
- entity_id = "switch.zigbee2mqtt_join";
- to = "off";
- }
- ];
- action = [
- { service = "timer.cancel";
- data.entity_id = "timer.zigbee_permit_join";
- }
- { service = "switch.turn_off";
- entity_id = "switch.zigbee2mqtt_join";
- }
- ];
- }
- ];
- #input_select.zigbee2mqtt_log_level = {
- # name = "Zigbee2mqtt Log Level";
- # options = [
- # "debug"
- # "info"
- # "warn"
- # "error"
- # ];
- # initial = "info";
- # icon = "mdi:format-list-bulleted";
- #};
- timer.zigbee_permit_join = {
- name = "Zigbee Time remaining";
- duration = 120;
+ };
};
};
}
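Review bot: `set_device` is bound in the `let` but never used, and its body is an empty attribute set, so it should be either finished or removed; as written it only obscures the device table below it. Separately, the deleted automations were what switched `permit_join` back off after 120 seconds. The hunk starts at line 34 of the file, so the zigbee2mqtt settings above it are not visible; if they do not already pin `permit_join = false`, an explicit setting or a comment here would document that the network is not left open for pairing.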
diff --git a/lass/2configs/mail/internet-gateway.nix b/lass/2configs/mail/internet-gateway.nix
new file mode 100644
index 000000000..134e408a4
--- /dev/null
+++ b/lass/2configs/mail/internet-gateway.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+{
+ security.acme.certs."mail.lassul.us" = {
+ group = "lasscert";
+ webroot = "/var/lib/acme/acme-challenge";
+ };
+ users.groups.lasscert.members = [
+ "exim"
+ "nginx"
+ ];
+
+ krebs.exim-smarthost = {
+ enable = true;
+ primary_hostname = "lassul.us";
+ dkim = [
+ { domain = "lassul.us"; }
+ ];
+ ssl_cert = "/var/lib/acme/mail.lassul.us/fullchain.pem";
+ ssl_key = "/var/lib/acme/mail.lassul.us/key.pem";
+ local_domains = [
+ "localhost"
+ "lassul.us"
+ "ubikmedia.eu"
+ "ubikmedia.de"
+ "apanowicz.de"
+ "alewis.de"
+ "jarugadesign.de"
+ "beesmooth.ch"
+ "event-extra.de"
+ "jla-trading.com"
+ ];
+ extraRouters = ''
+ forward_lassul_us:
+ driver = manualroute
+ domains = lassul.us
+ transport = remote_smtp
+ route_list = * orange.r
+ no_more
+
+ forward_ubik:
+ driver = manualroute
+ domains = ubikmedia.eu:ubikmedia.de:apanowicz.de:alewis.de:jarugadesign.de:beesmooth.ch:event-extra.de:jla-trading.com
+ transport = remote_smtp
+ route_list = * ubik.r
+ no_more
+ '';
+ };
+}
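Review bot: The forwarded domains are written out twice, once in `local_domains` and once as the colon-separated `domains =` line of `forward_ubik`, and the two lists have to be kept identical by hand. A domain added only to `local_domains` would be accepted as local but not matched by the router shown here, and where it is delivered then depends on routers outside this file. Binding the list once, e.g. `ubikDomains = [ ... ];`, and rendering the router line with `lib.concatStringsSep ":" ubikDomains` removes that drift.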
diff --git a/lass/2configs/monitoring/alert-rules.nix b/lass/2configs/monitoring/alert-rules.nix
new file mode 100644
index 000000000..eae2569fb
--- /dev/null
+++ b/lass/2configs/monitoring/alert-rules.nix
@@ -0,0 +1,208 @@
+# inspiration from https://github.com/Mic92/dotfiles/blob/master/nixos/eva/modules/prometheus/alert-rules.nix
+{ lib }:
+
+lib.mapAttrsToList
+ (name: opts: {
+ alert = name;
+ expr = opts.condition;
+ for = opts.time or "2m";
+ labels = { };
+ annotations.description = opts.description;
+ })
+ ({
+ prometheus_too_many_restarts = {
+ condition = ''changes(process_start_time_seconds{job=~"prometheus|pushgateway|alertmanager|telegraf"}[15m]) > 2'';
+ description = "Prometheus has restarted more than twice in the last 15 minutes. It might be crashlooping.";
+ };
+
+ alert_manager_config_not_synced = {
+ condition = ''count(count_values("config_hash", alertmanager_config_hash)) > 1'';
+ description = "Configurations of AlertManager cluster instances are out of sync.";
+ };
+
+ prometheus_not_connected_to_alertmanager = {
+ condition = "prometheus_notifications_alertmanagers_discovered < 1";
+ description = "Prometheus cannot connect the alertmanager\n VALUE = {{ $value }}\n LABELS = {{ $labels }}";
+ };
+
+ prometheus_rule_evaluation_failures = {
+ condition = "increase(prometheus_rule_evaluation_failures_total[3m]) > 0";
+ description = "Prometheus encountered {{ $value }} rule evaluation failures, leading to potentially ignored alerts.\n VALUE = {{ $value }}\n LABELS = {{ $labels }}";
+ };
+
+ prometheus_template_expansion_failures = {
+ condition = "increase(prometheus_template_text_expansion_failures_total[3m]) > 0";
+ time = "0m";
+ description = "Prometheus encountered {{ $value }} template text expansion failures\n VALUE = {{ $value }}\n LABELS = {{ $labels }}";
+ };
+
+ promtail_request_errors = {
+ condition = ''100 * sum(rate(promtail_request_duration_seconds_count{status_code=~"5..|failed"}[1m])) by (namespace, job, route, instance) / sum(rate(promtail_request_duration_seconds_count[1m])) by (namespace, job, route, instance) > 10'';
+ time = "15m";
+ description = ''{{ $labels.job }} {{ $labels.route }} is experiencing {{ printf "%.2f" $value }}% errors.'';
+ };
+
+ promtail_file_lagging = {
+ condition = ''abs(promtail_file_bytes_total - promtail_read_bytes_total) > 1e6'';
+ time = "15m";
+ description = ''{{ $labels.instance }} {{ $labels.job }} {{ $labels.path }} has been lagging by more than 1MB for more than 15m.'';
+ };
+
+ filesystem_full_80percent = {
+ condition = ''disk_used_percent{mode!="ro"} >= 95'';
+ time = "10m";
+ description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.path}} got less than 20% space left on its filesystem.";
+ };
+
+ filesystem_full_krebs = {
+ condition = ''disk_used_percent{mode!="ro", org="krebs"} >= 95'';
+ time = "10m";
+ description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.path}} got less than 5% space left on its filesystem.";
+ };
+
+ filesystem_inodes_full = {
+ condition = ''disk_inodes_free / disk_inodes_total < 0.10'';
+ time = "10m";
+ description = "{{$labels.instance}} device {{$labels.device}} on {{$labels.path}} got less than 10% inodes left on its filesystem.";
+ };
+
+ daily_task_not_run = {
+ # give 6 hours grace period
+ condition = ''time() - task_last_run{state="ok",frequency="daily"} > (24 + 6) * 60 * 60'';
+ description = "{{$labels.host}}: {{$labels.name}} was not run in the last 24h";
+ };
+
+ daily_task_failed = {
+ condition = ''task_last_run{state="fail"}'';
+ description = "{{$labels.host}}: {{$labels.name}} failed to run";
+ };
+
+ swap_using_30percent = {
+ condition = "mem_swap_total - (mem_swap_cached + mem_swap_free) > mem_swap_total * 0.3";
+ time = "30m";
+ description = "{{$labels.host}} is using 30% of its swap space for at least 30 minutes.";
+ };
+
+ systemd_service_failed = {
+ condition = ''systemd_units_active_code{name!~"nixpkgs-update-.*.service"} == 3'';
+ description = "{{$labels.host}} failed to (re)start service {{$labels.name}}.";
+ };
+
+ service_not_running = {
+ condition = ''systemd_units_active_code{name=~"teamspeak3-server.service|tt-rss.service", sub!="running"}'';
+ description = "{{$labels.host}} should have a running {{$labels.name}}.";
+ };
+
+ nfs_export_not_present = {
+ condition = "nfs_export_present == 0";
+ time = "1h";
+ description = "{{$labels.host}} cannot reach nfs export [{{$labels.server}}]:{{$labels.path}}";
+ };
+
+ ram_using_90percent = {
+ condition = "mem_buffered + mem_free + mem_cached < mem_total * 0.1";
+ time = "1h";
+ description = "{{$labels.host}} is using at least 90% of its RAM for at least 1 hour.";
+ };
+ load15 = {
+ condition = ''system_load15 / system_n_cpus{org!="nix-community"} >= 2.0'';
+ time = "10m";
+ description = "{{$labels.host}} is running with load15 > 1 for at least 5 minutes: {{$value}}";
+ };
+ reboot = {
+ condition = "system_uptime < 300";
+ description = "{{$labels.host}} just rebooted.";
+ };
+ uptime = {
+ # too scared to upgrade matchbox
+ condition = ''system_uptime {host!~"^(matchbox|grandalf)$"} > 2592000'';
+ description = "Uptime monster: {{$labels.host}} has been up for more than 30 days.";
+ };
+ telegraf_down = {
+ condition = ''min(up{job=~"telegraf",type!='mobile'}) by (source, job, instance, org) == 0'';
+ time = "3m";
+ description = "{{$labels.instance}}: {{$labels.job}} telegraf exporter from {{$labels.source}} is down.";
+ };
+ ping = {
+ condition = "ping_result_code{type!='mobile'} != 0";
+ description = "{{$labels.url}}: ping from {{$labels.instance}} has failed!";
+ };
+ ping_high_latency = {
+ condition = "ping_average_response_ms{type!='mobile'} > 5000";
+ description = "{{$labels.instance}}: ping probe from {{$labels.source}} is encountering high latency!";
+ };
+ http = {
+ condition = "http_response_result_code != 0";
+ description = "{{$labels.server}} : http request failed from {{$labels.instance}}: {{$labels.result}}!";
+ };
+ http_match_failed = {
+ condition = "http_response_response_string_match == 0";
+ description = "{{$labels.server}} : http body not as expected; status code: {{$labels.status_code}}!";
+ };
+ dns_query = {
+ condition = "dns_query_result_code != 0";
+ description = "{{$labels.domain}} : could retrieve A record {{$labels.instance}} from server {{$labels.server}}: {{$labels.result}}!";
+ };
+ secure_dns_query = {
+ condition = "secure_dns_state != 0";
+ description = "{{$labels.domain}} : could retrieve A record {{$labels.instance}} from server {{$labels.server}}: {{$labels.result}} for protocol {{$labels.protocol}}!";
+ };
+ connection_failed = {
+ condition = "net_response_result_code != 0";
+ description = "{{$labels.server}}: connection to {{$labels.port}}({{$labels.protocol}}) failed from {{$labels.instance}}";
+ };
+ healthchecks = {
+ condition = "hc_check_up == 0";
+ description = "{{$labels.instance}}: healtcheck {{$labels.job}} fails!";
+ };
+ cert_expiry = {
+ condition = "x509_cert_expiry < 7*24*3600";
+ description = "{{$labels.instance}}: The TLS certificate from {{$labels.source}} will expire in less than 7 days: {{$value}}s";
+ };
+
+ postfix_queue_length = {
+ condition = "avg_over_time(postfix_queue_length[1h]) > 10";
+ description = "{{$labels.instance}}: postfix mail queue has undelivered {{$value}} items";
+ };
+
+ zfs_errors = {
+ condition = "zfs_arcstats_l2_io_error + zfs_dmu_tx_error + zfs_arcstats_l2_writes_error > 0";
+ description = "{{$labels.instance}} reports: {{$value}} ZFS IO errors.";
+ };
+
+ # ignore devices that disabled S.M.A.R.T (example if attached via USB)
+ smart_errors = {
+ condition = ''smart_device_health_ok{enabled!="Disabled"} != 1'';
+ description = "{{$labels.instance}}: S.M.A.R.T reports: {{$labels.device}} ({{$labels.model}}) has errors.";
+ };
+
+ oom_kills = {
+ condition = "increase(kernel_vmstat_oom_kill[5m]) > 0";
+ description = "{{$labels.instance}}: OOM kill detected";
+ };
+
+ unusual_disk_read_latency = {
+ condition = "rate(diskio_read_time[1m]) / rate(diskio_reads[1m]) > 0.1 and rate(diskio_reads[1m]) > 0";
+ description = "{{$labels.instance}}: Disk latency is growing (read operations > 100ms)\n";
+ };
+
+ unusual_disk_write_latency = {
+ condition = "rate(diskio_write_time[1m]) / rate(diskio_write[1m]) > 0.1 and rate(diskio_write[1m]) > 0";
+ description = "{{$labels.instance}}: Disk latency is growing (write operations > 100ms)\n";
+ };
+
+ host_memory_under_memory_pressure = {
+ condition = "rate(node_vmstat_pgmajfault[1m]) > 1000";
+ description = "{{$labels.instance}}: The node is under heavy memory pressure. High rate of major page faults: {{$value}}";
+ };
+
+ ext4_errors = {
+ condition = "ext4_errors_value > 0";
+ description = "{{$labels.instance}}: ext4 has reported {{$value}} I/O errors: check /sys/fs/ext4/*/errors_count";
+ };
+
+ alerts_silences_changed = {
+ condition = ''abs(delta(alertmanager_silences{state="active"}[1h])) >= 1'';
+ description = "alertmanager: number of active silences has changed: {{$value}}";
+ };
+ })
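Review bot: Several rules do not match their own descriptions, which makes the resulting alerts misleading or silent. `filesystem_full_80percent` uses `>= 95`, the same threshold as `filesystem_full_krebs`, while its text says less than 20% is left; `>= 80` is presumably intended. `unusual_disk_write_latency` divides by `diskio_write` where the read rule uses `diskio_reads`, so if the telegraf field is `diskio_writes` this rule can never fire. `load15` says "> 1 for at least 5 minutes" against `>= 2.0` and `time = "10m"`, and the `dns_query` and `secure_dns_query` texts say "could retrieve" where "could not retrieve" is meant.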
diff --git a/lass/2configs/monitoring/prometheus.nix b/lass/2configs/monitoring/prometheus.nix
new file mode 100644
index 000000000..ba32c62a7
--- /dev/null
+++ b/lass/2configs/monitoring/prometheus.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, ... }:
+{
+ #prometheus
+ krebs.iptables = {
+ enable = true;
+ tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } # nginx
+ # { predicate = "-i retiolum -p tcp --dport 3012"; target = "ACCEPT"; } # grafana
+ # { predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; } # alertmanager
+ # { predicate = "-i retiolum -p tcp --dport 9223"; target = "ACCEPT"; } # alertmanager
+ ];
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "prometheus.lass.r" = {
+ locations."/".proxyPass = "http://localhost:9090";
+ };
+ "alert.lass.r" = {
+ locations."/".proxyPass = "http://localhost:9093";
+ };
+ "grafana.lass.r" = {
+ locations."/".proxyPass = "http://localhost:3012";
+ };
+ };
+ };
+
+ services.grafana = {
+ enable = true;
+ addr = "0.0.0.0";
+ port = 3012;
+ auth.anonymous = {
+ enable = true;
+ org_role = "Admin";
+ };
+ };
+ services.prometheus = {
+ enable = true;
+ ruleFiles = [
+ (pkgs.writeText "prometheus-rules.yml" (builtins.toJSON {
+ groups = [{
+ name = "alerting-rules";
+ rules = import ./alert-rules.nix { inherit lib; };
+ }];
+ }))
+ ];
+ scrapeConfigs = [
+ {
+ job_name = "telegraf";
+ scrape_interval = "60s";
+ metrics_path = "/metrics";
+ static_configs = [
+ {
+ targets = [
+ "prism.r:9273"
+ "dishfire.r:9273"
+ "yellow.r:9273"
+ ];
+ }
+ ];
+ }
+ ];
+ alertmanagers = [
+ { scheme = "http";
+ path_prefix = "/";
+ static_configs = [ { targets = [ "localhost:9093" ]; } ];
+ }
+ ];
+ alertmanager = {
+ enable = true;
+ webExternalUrl = "https://alert.lass.r";
+ listenAddress = "[::1]";
+ configuration = {
+ global = {
+ # The smarthost and SMTP sender used for mail notifications.
+ smtp_smarthost = "localhost:587";
+ smtp_from = "alertmanager@alert.lass.r";
+ # smtp_auth_username = "alertmanager@thalheim.io";
+ # smtp_auth_password = "$SMTP_PASSWORD";
+ };
+ route = {
+ receiver = "default";
+ routes = [
+ {
+ group_by = [ "host" ];
+ group_wait = "30s";
+ group_interval = "2m";
+ repeat_interval = "2h";
+ receiver = "all";
+ }
+ ];
+ };
+ receivers = [
+ {
+ name = "all";
+ webhook_configs = [{
+ url = "http://127.0.0.1:9223/";
+ max_alerts = 5;
+ }];
+ }
+ {
+ name = "default";
+ }
+ ];
+ };
+ };
+ };
+
+}
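Review bot: Grafana is configured with `auth.anonymous.enable = true` and `org_role = "Admin"` while listening on `0.0.0.0`, so every client that can reach port 3012 or the `grafana.lass.r` vhost has full administrative rights without logging in. Since nginx already proxies it from localhost, bind it with `addr = "127.0.0.1";` and lower the anonymous role to `org_role = "Viewer";`, keeping admin behind a login. The `prometheus.lass.r` and `alert.lass.r` vhosts are likewise proxied without authentication, so any peer allowed through the port 80 rule can read metrics and manage silences. `webExternalUrl` is `https://` although no TLS is configured for that vhost in this file.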
diff --git a/lass/2configs/monitoring/telegraf.nix b/lass/2configs/monitoring/telegraf.nix
new file mode 100644
index 000000000..5258b87ed
--- /dev/null
+++ b/lass/2configs/monitoring/telegraf.nix
@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+let
+ isVM = lib.any (mod: mod == "xen-blkfront" || mod == "virtio_console") config.boot.initrd.kernelModules;
+in {
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 9273"; target = "ACCEPT"; }
+ ];
+
+ systemd.services.telegraf.path = [ pkgs.nvme-cli ];
+
+ services.telegraf = {
+ enable = true;
+ extraConfig = {
+ agent.interval = "60s";
+ inputs = {
+ http_response = [
+ { urls = [
+ "http://localhost:8080/about/health/"
+ ]; }
+ ];
+ prometheus.metric_version = 2;
+ kernel_vmstat = { };
+ # smart = lib.mkIf (!isVM) {
+ # path = pkgs.writeShellScript "smartctl" ''
+ # exec /run/wrappers/bin/sudo ${pkgs.smartmontools}/bin/smartctl "$@"
+ # '';
+ # };
+ system = { };
+ mem = { };
+ file = [{
+ data_format = "influx";
+ file_tag = "name";
+ files = [ "/var/log/telegraf/*" ];
+ }] ++ lib.optional (lib.any (fs: fs == "ext4") config.boot.supportedFilesystems) {
+ name_override = "ext4_errors";
+ files = [ "/sys/fs/ext4/*/errors_count" ];
+ data_format = "value";
+ };
+ exec = lib.optionalAttrs (lib.any (fs: fs == "zfs") config.boot.supportedFilesystems) {
+ ## Commands array
+ commands = [
+ (pkgs.writeScript "zpool-health" ''
+ #!${pkgs.gawk}/bin/awk -f
+ BEGIN {
+ while ("${pkgs.zfs}/bin/zpool status" | getline) {
+ if ($1 ~ /pool:/) { printf "zpool_status,name=%s ", $2 }
+ if ($1 ~ /state:/) { printf " state=\"%s\",", $2 }
+ if ($1 ~ /errors:/) {
+ if (index($2, "No")) printf "errors=0i\n"; else printf "errors=%di\n", $2
+ }
+ }
+ }
+ '')
+ ];
+ data_format = "influx";
+ };
+ systemd_units = { };
+ swap = { };
+ disk.tagdrop = {
+ fstype = [ "tmpfs" "ramfs" "devtmpfs" "devfs" "iso9660" "overlay" "aufs" "squashfs" ];
+ device = [ "rpc_pipefs" "lxcfs" "nsfs" "borgfs" ];
+ };
+ diskio = { };
+ };
+ outputs.prometheus_client = {
+ listen = ":9273";
+ metric_version = 2;
+ };
+ };
+ };
+}
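Review bot: `listen = ":9273"` under `outputs.prometheus_client` binds every address, so the only thing limiting scrapes to the overlay network is the `-i retiolum` INPUT rule at the top of this file, and the chain's default policy is not visible here. The exporter publishes systemd unit states, disk layout and whatever is dropped into `/var/log/telegraf/*`, so a second control on the listener itself is worth having: the plugin's `ip_range` option (for example `ip_range = [ "<retiolum-prefix>" ];`, placeholder to fill in) or `basic_username`/`basic_password`. Separately, `isVM` is now referenced only from the commented-out `smart` input; either drop the binding or add a comment saying why that input is disabled.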
diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix
index b11e54c2c..d65b4a87a 100644
--- a/lass/2configs/mpv.nix
+++ b/lass/2configs/mpv.nix
@@ -78,7 +78,7 @@ let
exec ${pkgs.mpv.override {
scripts = with pkgs.mpvScripts; [
sponsorblock
- youtube-quality
+ quality-menu
];
}}/bin/mpv \
--no-config \
diff --git a/lass/2configs/networkd.nix b/lass/2configs/networkd.nix
new file mode 100644
index 000000000..12ffe0bd7
--- /dev/null
+++ b/lass/2configs/networkd.nix
@@ -0,0 +1,20 @@
+{ config, lib, pkgs, ... }:
+{
+ systemd.services.systemd-networkd-wait-online.enable = lib.mkForce false;
+ systemd.services.systemd-networkd.stopIfChanged = false;
+ # Services that are only restarted might be not able to resolve when resolved is stopped before
+ systemd.services.systemd-resolved.stopIfChanged = false;
+
+ networking.useNetworkd = true;
+ systemd.network = {
+ enable = true;
+ networks.wl0 = {
+ matchConfig.Name = "wl0";
+ DHCP = "yes";
+ networkConfig = {
+ IgnoreCarrierLoss = "3s";
+ };
+ dhcpV4Config.UseDNS = true;
+ };
+ };
+}
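Review bot: The `lib.mkForce false` on `systemd-networkd-wait-online` carries no explanation, unlike the `stopIfChanged` line for resolved just below it. With that unit disabled, anything ordered after `network-online.target` presumably starts before `wl0` has a lease, which matters for services that bind or resolve at start-up. I would add a one-line comment such as `# wait-online blocks boot when wl0 has no carrier; units that need the network must retry on their own`, adjusted to the actual reason.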
diff --git a/lass/2configs/services/git/default.nix b/lass/2configs/services/git/default.nix
index 096f73c03..2b68905ed 100644
--- a/lass/2configs/services/git/default.nix
+++ b/lass/2configs/services/git/default.nix
@@ -7,5 +7,15 @@
enableACME = true;
addSSL = true;
locations = config.services.nginx.virtualHosts.cgit.locations;
+ extraConfig = ''
+ client_max_body_size 300M;
+ client_body_timeout 2024;
+ client_header_timeout 2024;
+
+ fastcgi_buffers 16 512k;
+ fastcgi_buffer_size 512k;
+ fastcgi_read_timeout 500;
+ fastcgi_send_timeout 500;
+ '';
};
}
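Review bot: `client_header_timeout 2024;` and `client_body_timeout 2024;` let a client sit idle for about 34 minutes between reads, on a vhost that the context lines show is served publicly (`enableACME`, `addSSL`). The 300M body size and a long body timeout are plausible for large pushes, but nothing legitimate needs that long to send request headers, and slow-header connections hold worker connections at almost no cost to the sender. I would leave the header timeout at its default or use something like `client_header_timeout 60;`, and add a comment naming the operation that needed the 300M/2024 values. The same block is added in `services/git/proxy.nix`; the vhost definition itself starts outside this hunk.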
diff --git a/lass/2configs/services/git/proxy.nix b/lass/2configs/services/git/proxy.nix
index cb05c3f6c..9875898ea 100644
--- a/lass/2configs/services/git/proxy.nix
+++ b/lass/2configs/services/git/proxy.nix
@@ -9,5 +9,15 @@
proxyWebsockets = true;
recommendedProxySettings = true;
};
+ extraConfig = ''
+ client_max_body_size 300M;
+ client_body_timeout 2024;
+ client_header_timeout 2024;
+
+ fastcgi_buffers 16 512k;
+ fastcgi_buffer_size 512k;
+ fastcgi_read_timeout 500;
+ fastcgi_send_timeout 500;
+ '';
};
}
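Review bot: The four `fastcgi_*` directives in this `extraConfig` only apply to `fastcgi_pass` upstreams; the context lines (`proxyWebsockets`, `recommendedProxySettings`) suggest this vhost forwards with `proxy_pass`, in which case they have no effect. If the aim is to let long clones through the proxy, the equivalents are `proxy_read_timeout 500;` and `proxy_send_timeout 500;`, plus `proxy_buffers`/`proxy_buffer_size` if response buffering is wanted. The location's `proxyPass` line is outside the hunk, so confirm that before changing it.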
diff --git a/lass/2configs/services/radio/default.nix b/lass/2configs/services/radio/default.nix
index 16ef31b6f..5accfe360 100644
--- a/lass/2configs/services/radio/default.nix
+++ b/lass/2configs/services/radio/default.nix
@@ -169,6 +169,7 @@ in {
# allow reaktor2 to modify files
systemd.services."reaktor2-the_playlist".serviceConfig.DynamicUser = lib.mkForce false;
+ systemd.services."reaktor2-the_playlist".serviceConfig.Group = lib.mkForce "radio";
krebs.reaktor2.the_playlist = {
hostname = "irc.hackint.org";
diff --git a/lass/2configs/services/radio/weather_for_ips.py b/lass/2configs/services/radio/weather_for_ips.py
index 62206a985..c44c5e46a 100644
--- a/lass/2configs/services/radio/weather_for_ips.py
+++ b/lass/2configs/services/radio/weather_for_ips.py
@@ -12,12 +12,12 @@ output = []
for ip in fileinput.input():
if "80.147.140.51" in ip:
output.append(
- 'Weather report for c-base, space.'
+ 'Weather report for c-base, space. '
'It is empty space outside '
'with a temperature of -270 degrees, '
'a lightspeed of 299792 kilometers per second '
'and a humidity of Not a Number percent. '
- f'The probability of reincarnation is {random.randrange(0, 100)} percent.'
+ f'The probability of reincarnation is {random.randrange(0, 100)} percent. '
)
else:
try:
diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix
index 5fded10a2..98479c7f5 100644
--- a/lass/2configs/sync/decsync.nix
+++ b/lass/2configs/sync/decsync.nix
@@ -1,7 +1,7 @@
{
services.syncthing.folders.decsync = {
path = "/home/lass/decsync";
- devices = [ "mors" "blue" "green" "phone" ];
+ devices = [ "mors" "blue" "green" "phone" "massulus" ];
};
krebs.acl."/home/lass/decsync"."u:syncthing:X".parents = true;
diff --git a/lass/2configs/sync/sync.nix b/lass/2configs/sync/sync.nix
index 2714fa83e..09f94378b 100644
--- a/lass/2configs/sync/sync.nix
+++ b/lass/2configs/sync/sync.nix
@@ -1,6 +1,13 @@
{
services.syncthing.folders."/home/lass/sync" = {
- devices = [ "mors" "icarus" "xerxes" "shodan" "green" "blue" "coaxmetal" ];
+ devices = [
+ "mors"
+ "xerxes"
+ "green"
+ "blue"
+ "coaxmetal"
+ "aergia"
+ ];
};
krebs.acl."/home/lass/sync"."u:syncthing:X".parents = true;
krebs.acl."/home/lass/sync"."u:syncthing:rwX" = {};
diff --git a/lass/2configs/websites/default.nix b/lass/2configs/websites/default.nix
index bfd86ad7e..ebf4d8345 100644
--- a/lass/2configs/websites/default.nix
+++ b/lass/2configs/websites/default.nix
@@ -4,6 +4,7 @@ with import <stockholm/lib>;
{
services.nginx = {
+ enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index c57fb5907..9d28bedc6 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -96,6 +96,7 @@ in {
file_uploads = on
'';
+ systemd.services.nextcloud-setup.after = [ "secret-nextcloud_pw.service" ];
krebs.secret.files.nextcloud_pw = {
path = "/run/nextcloud.pw";
owner.name = "nextcloud";
@@ -121,18 +122,17 @@ in {
# MAIL STUFF
# TODO: make into its own module
- # workaround for android 7
- security.acme.certs."lassul.us".keyType = "rsa4096";
-
services.roundcube = {
enable = true;
hostName = "mail.lassul.us";
extraConfig = ''
- $config['smtp_port'] = 25;
+ $config['smtp_debug'] = true;
+ $config['smtp_host'] = "localhost:25";
'';
};
services.dovecot2 = {
enable = true;
+ showPAMFailure = true;
mailLocation = "maildir:~/Mail";
sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
sslServerKey = "/var/lib/acme/lassul.us/key.pem";
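Review bot: `$config['smtp_debug'] = true;` and `showPAMFailure = true;` read as troubleshooting switches that were left on. Roundcube's SMTP debug writes the SMTP conversation to its log, which can include message content and possibly the AUTH exchange, and `showPAMFailure` returns the PAM failure text to the IMAP client, telling an unauthenticated caller more than a plain rejection does. Unless they are meant to be permanent, I would drop both or mark them with a comment like `# TEMP: remove once mail auth is debugged`. The hunk also removes the `rsa4096` key type for `lassul.us` with no note about the Android 7 clients that workaround was for.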
@@ -142,6 +142,17 @@ in {
{ predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
];
+ environment.systemPackages = [
+ (pkgs.writers.writeDashBin "debug_exim" ''
+ set -ef
+ export PATH="${lib.makeBinPath [ pkgs.coreutils ]}"
+ echo "$@" >> /tmp/xxx
+ /run/wrappers/bin/shadow_verify_arg "${config.lass.usershadow.pattern}" "$2" "$3" 2>>/tmp/xxx1
+ echo "ok" >> /tmp/yyy
+ exit 23
+ '')
+ ];
+
krebs.exim-smarthost = {
authenticators.PLAIN = ''
driver = plaintext
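Review bot: `debug_exim` appends `"$@"` to `/tmp/xxx`, and per the commented-out `server_condition` in the next hunk its arguments are the shadow pattern, `$auth1` and `$auth2`, so enabling it would write SMTP usernames and passwords in clear text to a file in a world-writable directory. The fixed names `/tmp/xxx`, `/tmp/xxx1` and `/tmp/yyy` can also be pre-created by any local user, and the script always exits 23, so it can never authenticate anyone. Since nothing active references it, I would remove the `environment.systemPackages` entry and the commented line from the merged config. If it has to stay, log only `"$2"` and write under a root-owned `0700` directory instead of `/tmp`. The authenticator block continues outside this hunk.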
@@ -153,6 +164,7 @@ in {
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
+ # server_condition = ''${run{/run/current-system/sw/bin/debug_exim ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
'';
internet-aliases = [
{ from = "dma@ubikmedia.de"; to = "domsen"; }
@@ -180,14 +192,13 @@ in {
"alewis.de"
"jarugadesign.de"
"beesmooth.ch"
+ "event-extra.de"
];
dkim = [
{ domain = "ubikmedia.eu"; }
{ domain = "apanowicz.de"; }
{ domain = "beesmooth.ch"; }
];
- ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
- ssl_key = "/var/lib/acme/lassul.us/key.pem";
};
users.users.UBIK-SFTP = {
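Review bot: Dropping `ssl_cert`/`ssl_key` from `krebs.exim-smarthost` leaves it unstated which certificate exim now presents, and the authenticators earlier in this file are PLAIN and LOGIN, which send the password as-is and so depend on TLS being in place. The module's defaults are not visible in this diff, so this may be fine, but it is worth confirming that STARTTLS is still offered with a valid certificate for `lassul.us` and that AUTH is not advertised on unencrypted sessions. A short comment where the options used to be, e.g. `# TLS cert/key now come from the exim-smarthost module defaults` (if that is the case), would save the next reader the lookup.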
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 411234b82..9440413aa 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -9,8 +9,6 @@ let
in {
imports = [
./default.nix
- ../git.nix
- ./ref.ptkk.de
];
security.acme = {
@@ -66,23 +64,11 @@ in {
locations."= /gpg.pub".extraConfig = ''
alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pgp.pubkeys.default};
'';
+ locations."= /ip".extraConfig = ''
+ return 200 '$remote_addr';
+ '';
};
- security.acme.certs."cgit.lassul.us" = {
- email = "lassulus@lassul.us";
- webroot = "/var/lib/acme/acme-challenge";
- group = "nginx";
- };
- services.nginx.virtualHosts.cgit = {
- serverName = "cgit.lassul.us";
- addSSL = true;
- sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
- locations."/.well-known/acme-challenge".extraConfig = ''
- root /var/lib/acme/acme-challenge;
- '';
- };
}
-
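Review bot: `return 200 '$remote_addr';` in the new `= /ip` location sends its body with whatever `default_type` is in effect; if the generated config sets `application/octet-stream`, as most stock configs do, browsers will offer a download instead of showing the address. Adding `default_type text/plain;` before the `return` makes the response type explicit. Note also that `$remote_addr` is the peer nginx sees, so behind a proxy or with the realip module configured the endpoint reports that value, not necessarily the end client's address.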