Merge remote-tracking branch 'origin/master'

Author: Lassulus

2configs/consul.nix

@@ -12,7 +12,7 @@
     # interface.bind = "retiolum";
     extraConfig = {
       bind_addr = config.krebs.build.host.nets.retiolum.ip4.addr;
-      bootstrap_expect = 1;
+      bootstrap_expect = 3;
       server = true;
       # retry_join = config.services.consul.extraConfig.start_join;
       retry_join = lib.mapAttrsToList (_n: h: lib.head h.nets.retiolum.aliases) (
@@ -29,16 +29,20 @@
         cleanup_dead_servers = true;
         # How long a server must be stable before promoting
         server_stabilization_time = "10s";
-        # Only requires 3 servers minimum instead of all configured servers
-        min_quorum = 3;
+        # Allow cluster to operate with 2 of 3 nodes (majority quorum)
+        min_quorum = 2;
       };
 
-      # Performance tuning for faster leader elections
+      # Performance tuning - slightly relaxed for network tolerance
       performance = {
-        # Reduce raft timing for faster recovery
-        raft_multiplier = 1;
+        # 2 = default, gives more time for slow/unstable networks
+        # 1 was too aggressive and caused leader flapping
+        raft_multiplier = 2;
       };
 
+      # Reconnect timeout for failed nodes (default 72h, reduce for faster cleanup)
+      reconnect_timeout = "24h";
+
       # Leave on terminate for cleaner shutdowns
       leave_on_terminate = true;
     };
@@ -48,9 +52,6 @@
   systemd.services.consul = {
     # Add pre-start script to clean up potential issues
     preStart = ''
-      # Remove any stale peers.json from failed recovery attempts
-      rm -f /var/lib/consul/raft/peers.json
-
       # Ensure proper permissions
       chown -R consul:consul /var/lib/consul
     '';

2configs/paste.nix

@@ -11,8 +11,6 @@
     self.inputs.stockholm.nixosModules.htgen
   ];
 
-  security.acme.certs."cyberlocker".server = config.krebs.ssl.acmeURL;
-  security.acme.certs."paste".server = config.krebs.ssl.acmeURL;
   services.nginx.virtualHosts.cyberlocker = {
     enableACME = true;
     addSSL = true;

5pkgs/system-audio-dump/package.nix

@@ -0,0 +1,57 @@
+{
+  lib,
+  fetchFromGitHub,
+  swift,
+  swiftpm,
+  swiftPackages,
+}:
+
+swiftPackages.stdenv.mkDerivation {
+  pname = "system-audio-dump";
+  version = "0-unstable-2025-09-02";
+
+  src = fetchFromGitHub {
+    owner = "sohzm";
+    repo = "systemAudioDump";
+    rev = "19caa4f6c0661c03a10d1f08c79a11f0b00f251a";
+    hash = "sha256-H2TeB7/Meq7EvfW7zLZn5GGFrKwCyZuJvafv61ZWdrA=";
+  };
+
+  nativeBuildInputs = [
+    swift
+    swiftpm
+  ];
+
+  postPatch = ''
+    # Downgrade swift-tools-version from 6.0 to 5.10 and macOS from v15 to v14
+    sed -i 's/swift-tools-version:6.0/swift-tools-version:5.10/' Package.swift
+    sed -i 's/.macOS(.v15)/.macOS(.v14)/' Package.swift
+
+    # Patch Swift 6 / macOS 15 features in source
+    # Remove @retroactive attribute (Swift 6 feature for silencing conformance warnings)
+    sed -i 's/@retroactive //' Sources/SystemAudioDump/main.swift
+    # Remove captureMicrophone (macOS 15+ only, defaults to false anyway)
+    sed -i '/captureMicrophone/d' Sources/SystemAudioDump/main.swift
+  '';
+
+  buildPhase = ''
+    runHook preBuild
+    swift build -c release
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/bin
+    cp .build/release/SystemAudioDump $out/bin/system-audio-dump
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "macOS CLI that captures system audio and outputs raw PCM to stdout";
+    homepage = "https://github.com/sohzm/systemAudioDump";
+    license = lib.licenses.mit;
+    platforms = lib.platforms.darwin;
+    mainProgram = "system-audio-dump";
+  };
+}

5pkgs/vosk/package.nix

@@ -0,0 +1,62 @@
+{
+  lib,
+  python3Packages,
+  fetchurl,
+  stdenv,
+}:
+let
+  version = "0.3.44";
+
+  # Platform-specific wheels
+  wheels = {
+    "x86_64-linux" = {
+      url = "https://files.pythonhosted.org/packages/py3/v/vosk/vosk-${version}-py3-none-manylinux_2_12_x86_64.manylinux2010_x86_64.whl";
+      hash = "sha256-JlLvITxMeAfcQK8eeqV43Mz8TcQZKCKia8RalZG8v3Y=";
+    };
+    "aarch64-linux" = {
+      url = "https://files.pythonhosted.org/packages/py3/v/vosk/vosk-${version}-py3-none-manylinux2014_aarch64.whl";
+      hash = "sha256-mZW3+lQ0sTS0vQmJfiSQ28VhFcKtKUPAMGIeEMcDezQ=";
+    };
+    "x86_64-darwin" = {
+      url = "https://files.pythonhosted.org/packages/py3/v/vosk/vosk-${version}-py3-none-macosx_10_6_universal2.whl";
+      hash = "sha256-Ap0LPWpc/4dMV1uKWBSkzM+zdgjP9S6EbAKoxnqIKAE=";
+    };
+    "aarch64-darwin" = {
+      url = "https://files.pythonhosted.org/packages/py3/v/vosk/vosk-${version}-py3-none-macosx_10_6_universal2.whl";
+      hash = "sha256-Ap0LPWpc/4dMV1uKWBSkzM+zdgjP9S6EbAKoxnqIKAE=";
+    };
+  };
+
+  wheel =
+    wheels.${stdenv.hostPlatform.system}
+      or (throw "Unsupported platform: ${stdenv.hostPlatform.system}");
+in
+python3Packages.buildPythonPackage {
+  pname = "vosk";
+  inherit version;
+  format = "wheel";
+
+  src = fetchurl {
+    inherit (wheel) url hash;
+  };
+
+  dependencies = with python3Packages; [
+    cffi
+    requests
+    tqdm
+    srt
+    websockets
+  ];
+
+  # Skip tests as they require audio files and models
+  doCheck = false;
+
+  pythonImportsCheck = [ "vosk" ];
+
+  meta = {
+    description = "Offline speech recognition API based on Kaldi and Vosk";
+    homepage = "https://alphacephei.com/vosk/";
+    license = lib.licenses.asl20;
+    platforms = lib.attrNames wheels;
+  };
+}

machines/shodan/physical.nix

@@ -6,6 +6,9 @@
     self.inputs.nixos-hardware.nixosModules.lenovo-thinkpad-x220
   ];
 
+  # Disable hdapsd - not needed for SSD, and the package is broken with newer GCC
+  services.hdapsd.enable = false;
+
   boot.loader.grub = {
     enable = true;
     device = "/dev/disk/by-id/ata-Samsung_SSD_850_EVO_500GB_S2RBNX0H662201F";

tools/record/flake-module.nix

@@ -0,0 +1,17 @@
+{ ... }:
+{
+  perSystem =
+    { pkgs, self', ... }:
+    {
+      packages.record = pkgs.writeShellApplication {
+        name = "record";
+        runtimeInputs = [
+          pkgs.ffmpeg
+          pkgs.gum
+        ]
+        ++ pkgs.lib.optionals pkgs.stdenv.hostPlatform.isLinux [ pkgs.pulseaudio ]
+        ++ pkgs.lib.optionals pkgs.stdenv.hostPlatform.isDarwin [ self'.packages.system-audio-dump ];
+        text = builtins.readFile ./rec.sh;
+      };
+    };
+}

tools/record/rec.sh

@@ -0,0 +1,97 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+list_sources() {
+  if [[ "$OSTYPE" == "darwin"* ]]; then
+    # macOS: list audio devices via ffmpeg avfoundation
+    echo "system: System Audio (via ScreenCaptureKit)"
+    ffmpeg -f avfoundation -list_devices true -i "" 2>&1 | \
+      sed -n '/AVFoundation audio devices:/,/^[^[]/p' | \
+      grep -E '^\[AVFoundation.*\[[0-9]+\]' | \
+      sed 's/.*\[\([0-9]*\)\] \(.*\)/\1: \2/'
+  else
+    # Linux: list PulseAudio/PipeWire sources including monitors (for system audio)
+    # Sources ending in .monitor capture the output of that sink (system audio)
+    pactl list sources short | awk '{print $2}' | while read -r source; do
+      if [[ "$source" == *.monitor ]]; then
+        echo "$source (system audio)"
+      else
+        echo "$source"
+      fi
+    done
+  fi
+}
+
+get_source_name() {
+  # Strip the description suffix for actual recording
+  local name="$1"
+  echo "${name% (system audio)}"
+}
+
+record_source() {
+  local source="$1"
+
+  if [[ "$OSTYPE" == "darwin"* ]]; then
+    if [[ "$source" == "system" ]]; then
+      # Use system-audio-dump for system audio (ScreenCaptureKit)
+      # Output is raw PCM 24kHz 16-bit stereo, convert to WAV for compatibility
+      system-audio-dump | ffmpeg -f s16le -ar 24000 -ac 2 -i - -f wav -acodec pcm_s16le - 2>/dev/null
+    else
+      # Use avfoundation for mic input, source is the device index
+      ffmpeg -f avfoundation -i ":${source}" -f wav -acodec pcm_s16le - 2>/dev/null
+    fi
+  else
+    # Linux: use pulse
+    ffmpeg -f pulse -i "$source" -f wav -acodec pcm_s16le - 2>/dev/null
+  fi
+}
+
+# Show help
+if [[ "${1:-}" == "-h" ]] || [[ "${1:-}" == "--help" ]]; then
+  echo "Usage: record [SOURCE]"
+  echo ""
+  echo "Record audio from a source and output WAV to stdout."
+  echo "If no source is provided, prompts interactively with gum."
+  echo ""
+  echo "Options:"
+  echo "  -l, --list    List available audio sources"
+  echo "  -h, --help    Show this help"
+  echo ""
+  echo "System audio:"
+  echo "  Linux:  Select a .monitor source (captures sink output)"
+  echo "  macOS:  Use 'system' source (requires Screen Recording permission)"
+  echo ""
+  echo "Examples:"
+  echo "  record | mpv -"
+  echo "  record system | mpv -                         # macOS system audio"
+  echo "  record 0 | mpv -                              # macOS device index"
+  echo "  record alsa_output.pci-xxx.monitor | mpv -    # Linux system audio"
+  exit 0
+fi
+
+# List sources
+if [[ "${1:-}" == "-l" ]] || [[ "${1:-}" == "--list" ]]; then
+  list_sources
+  exit 0
+fi
+
+# Get source from argument or prompt
+if [[ -n "${1:-}" ]]; then
+  SOURCE="$1"
+else
+  # Use gum to select a source
+  if [[ "$OSTYPE" == "darwin"* ]]; then
+    SOURCE=$(list_sources | gum choose --header "Select audio source:" | cut -d: -f1)
+  else
+    SELECTION=$(list_sources | gum choose --header "Select audio source:")
+    SOURCE=$(get_source_name "$SELECTION")
+  fi
+fi
+
+if [[ -z "$SOURCE" ]]; then
+  echo "Error: No source selected" >&2
+  exit 1
+fi
+
+echo "Recording from: $SOURCE (Ctrl+C to stop)" >&2
+record_source "$SOURCE"

tools/stt/flake-module.nix

@@ -0,0 +1,29 @@
+{ ... }:
+{
+  perSystem =
+    { pkgs, self', ... }:
+    let
+      python = pkgs.python3.withPackages (_ps: [
+        self'.packages.vosk
+      ]);
+    in
+    {
+      packages.stt = pkgs.stdenv.mkDerivation {
+        pname = "stt";
+        version = "0.4.0";
+        src = ./.;
+        nativeBuildInputs = [ pkgs.makeWrapper ];
+        installPhase = ''
+          runHook preInstall
+          mkdir -p $out/bin
+          cp stt.py $out/bin/stt
+          chmod +x $out/bin/stt
+          wrapProgram $out/bin/stt \
+            --prefix PATH : ${python}/bin \
+            --set PYTHONPATH ${python}/${python.sitePackages}
+          runHook postInstall
+        '';
+        meta.mainProgram = "stt";
+      };
+    };
+}