authornin <nineinchnade@gmail.com>2017-10-17 19:54:15 +0200
committernin <nineinchnade@gmail.com>2017-10-17 19:54:15 +0200
commit9afe5210f2a44cacac4f3527b6c8b561d9e4296b (patch)
treea83c412966783b123cd3152fe34a6f7cddcb55d6
parentf4bf9110727f2c7113c80aaa88427b81605016ae (diff)
parent4667bb8e4111abde822ae57993a29929c5cc9aad (diff)
Merge remote-tracking branch 'temp/master'
-rw-r--r--krebs/1systems/hotdog/config.nix3
-rw-r--r--krebs/1systems/puyak/config.nix10
-rw-r--r--krebs/2configs/binary-cache/prism.nix1
-rw-r--r--krebs/2configs/gitlab-runner-shackspace.nix27
-rw-r--r--krebs/2configs/hw/x220.nix2
-rw-r--r--krebs/2configs/ircd.nix1
-rw-r--r--krebs/2configs/reaktor-krebs.nix (renamed from lass/2configs/reaktor-krebs.nix)0
-rw-r--r--krebs/2configs/reaktor-retiolum.nix15
-rw-r--r--krebs/2configs/repo-sync.nix4
-rw-r--r--krebs/2configs/shack/muell_caller.nix2
-rw-r--r--krebs/2configs/shack/radioactive.nix2
-rw-r--r--krebs/2configs/shack/worlddomination.nix2
-rw-r--r--krebs/3modules/announce-activation.nix4
-rw-r--r--krebs/3modules/bepasty-server.nix2
-rw-r--r--krebs/3modules/buildbot/slave.nix2
-rw-r--r--krebs/3modules/ci.nix4
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/iana-etc.nix55
-rw-r--r--krebs/3modules/krebs/default.nix1
-rw-r--r--krebs/3modules/lass/default.nix82
-rw-r--r--krebs/3modules/lass/ssh/android.rsa1
-rw-r--r--krebs/3modules/makefu/default.nix65
-rw-r--r--krebs/3modules/tinc.nix6
-rw-r--r--krebs/5pkgs/simple/Reaktor/default.nix2
-rw-r--r--krebs/5pkgs/simple/bepasty-client-cli/default.nix2
-rw-r--r--krebs/5pkgs/simple/cac-panel/default.nix2
-rw-r--r--krebs/5pkgs/simple/git-preview.nix17
-rw-r--r--krebs/5pkgs/simple/treq/default.nix2
-rw-r--r--krebs/5pkgs/simple/urlwatch/default.nix2
-rw-r--r--krebs/source.nix2
-rw-r--r--lass/1systems/archprism/config.nix328
-rw-r--r--lass/1systems/archprism/source.nix3
-rw-r--r--lass/1systems/daedalus/config.nix3
-rw-r--r--lass/1systems/helios/config.nix35
-rw-r--r--lass/1systems/mors/config.nix34
-rw-r--r--lass/1systems/prism/config.nix313
-rw-r--r--lass/1systems/prism/source.nix1
-rw-r--r--lass/2configs/baseX.nix23
-rw-r--r--lass/2configs/bepasty.nix1
-rw-r--r--lass/2configs/binary-cache/client.nix1
-rw-r--r--lass/2configs/copyq.nix5
-rw-r--r--lass/2configs/dcso-vpn.nix44
-rw-r--r--lass/2configs/default.nix1
-rw-r--r--lass/2configs/dns-stuff.nix9
-rw-r--r--lass/2configs/exim-smarthost.nix2
-rw-r--r--lass/2configs/gc.nix2
-rw-r--r--lass/2configs/git.nix12
-rw-r--r--lass/2configs/mail.nix7
-rw-r--r--lass/2configs/monitoring/monit-alarms.nix2
-rw-r--r--lass/2configs/monitoring/server.nix2
-rw-r--r--lass/2configs/pass.nix3
-rw-r--r--lass/2configs/repo-sync.nix4
-rw-r--r--lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem0
-rw-r--r--lass/2configs/tests/dummy-secrets/dcsovpn/cert.key0
-rw-r--r--lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem0
-rw-r--r--lass/2configs/tests/dummy-secrets/dcsovpn/login.txt0
-rw-r--r--lass/2configs/vim.nix8
-rw-r--r--lass/2configs/websites/lassulus.nix37
-rw-r--r--lass/2configs/websites/sqlBackup.nix3
-rw-r--r--lass/2configs/weechat.nix14
-rw-r--r--lass/2configs/wine.nix2
-rw-r--r--lass/2configs/xresources.nix6
-rw-r--r--lass/3modules/ejabberd/config.nix218
-rw-r--r--lass/3modules/ejabberd/default.nix41
-rw-r--r--lass/5pkgs/default.nix3
-rw-r--r--lass/5pkgs/ejabberd/default.nix28
-rw-r--r--lass/5pkgs/xmonad-lass.nix36
-rw-r--r--lass/source.nix9
-rw-r--r--lib/types.nix26
-rw-r--r--makefu/1systems/cake/config.nix55
-rw-r--r--makefu/1systems/cake/source.nix4
-rw-r--r--makefu/1systems/gum/config.nix12
-rw-r--r--makefu/1systems/latte/config.nix54
-rw-r--r--makefu/1systems/latte/source.nix4
-rw-r--r--makefu/1systems/omo/config.nix2
-rw-r--r--makefu/1systems/pnp/config.nix5
-rw-r--r--makefu/1systems/wbob/config.nix106
-rw-r--r--makefu/1systems/x/config.nix1
-rw-r--r--makefu/2configs/binary-cache/lass.nix1
-rw-r--r--makefu/2configs/deployment/led-fader.nix4
-rw-r--r--makefu/2configs/git/brain-retiolum.nix4
-rw-r--r--makefu/2configs/git/cgit-retiolum.nix7
-rw-r--r--makefu/2configs/gui/base.nix2
-rw-r--r--makefu/2configs/remote-build/master.nix14
-rw-r--r--makefu/2configs/remote-build/slave.nix11
-rw-r--r--makefu/2configs/stats/server.nix6
-rw-r--r--makefu/2configs/stats/telegraf/europastats.nix2
-rw-r--r--makefu/2configs/tools/core-gui.nix1
-rw-r--r--makefu/2configs/tools/dev.nix1
-rw-r--r--makefu/2configs/tools/extra-gui.nix2
-rw-r--r--makefu/2configs/tools/sec-gui.nix15
-rw-r--r--makefu/2configs/tools/steam.nix6
-rw-r--r--makefu/2configs/urlwatch/default.nix7
-rw-r--r--makefu/2configs/vim.nix1
-rw-r--r--makefu/2configs/vpn/openvpn-server.nix8
-rw-r--r--makefu/3modules/server-config.nix15
-rw-r--r--makefu/3modules/wvdial.nix3
-rw-r--r--makefu/5pkgs/beef/Gemfile97
-rw-r--r--makefu/5pkgs/beef/Gemfile.lock139
-rw-r--r--makefu/5pkgs/beef/default.nix37
-rw-r--r--makefu/5pkgs/beef/gemset.nix475
-rw-r--r--makefu/5pkgs/beef/shell.nix16
-rw-r--r--makefu/5pkgs/custom/inkscape/dxf_fix.patch11
-rw-r--r--makefu/5pkgs/default.nix2
-rw-r--r--makefu/5pkgs/drozer/default.nix4
-rw-r--r--makefu/5pkgs/esptool/default.nix32
-rw-r--r--makefu/5pkgs/logstash-input-rss/default.nix31
-rw-r--r--makefu/5pkgs/udpt/default.nix29
-rw-r--r--makefu/6tests/data/secrets/ssh_host_rsa_key0
-rw-r--r--makefu/source.nix7
-rw-r--r--mv/source.nix4
-rw-r--r--shell.nix17
-rw-r--r--tv/1systems/alnus/source.nix2
-rw-r--r--tv/1systems/mu/config.nix1
-rw-r--r--tv/2configs/br.nix1
-rw-r--r--tv/2configs/default.nix6
-rw-r--r--tv/2configs/gitrepos.nix4
-rw-r--r--tv/2configs/urlwatch.nix2
-rw-r--r--tv/3modules/default.nix2
-rw-r--r--tv/3modules/ejabberd/default.nix46
-rw-r--r--tv/5pkgs/default.nix10
-rw-r--r--tv/5pkgs/simple/mfcl2700dncupswrapper/default.nix45
-rw-r--r--tv/5pkgs/simple/mfcl2700dnlpr/default.nix44
-rw-r--r--tv/source.nix4
124 files changed, 2318 insertions, 690 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index 2ad22f49c..4fdb53ae7 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -12,6 +12,9 @@
<stockholm/krebs/2configs/buildbot-all.nix>
<stockholm/krebs/2configs/gitlab-runner-shackspace.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix>
+ <stockholm/krebs/2configs/ircd.nix>
+ <stockholm/krebs/2configs/reaktor-krebs.nix>
+ <stockholm/krebs/2configs/reaktor-retiolum.nix>
];
krebs.build.host = config.krebs.hosts.hotdog;
diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
index 978bd18e0..d2664ef84 100644
--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -27,6 +27,11 @@
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
+
+ kernelModules = [ "kvm-intel" ];
+ extraModprobeConfig = ''
+ options thinkpad_acpi fan_control=1
+ '';
};
fileSystems = {
@@ -65,7 +70,10 @@
'';
environment.systemPackages = [ pkgs.zsh ];
- boot.kernelModules = [ "kvm-intel" ];
+
+ system.activationScripts."disengage fancontrol" = ''
+ echo level disengaged > /proc/acpi/ibm/fan
+ '';
users.users.joerg = {
openssh.authorizedKeys.keys = [ config.krebs.users.Mic92.pubkey ];
isNormalUser = true;
diff --git a/krebs/2configs/binary-cache/prism.nix b/krebs/2configs/binary-cache/prism.nix
index 4813eeb0f..46b386e14 100644
--- a/krebs/2configs/binary-cache/prism.nix
+++ b/krebs/2configs/binary-cache/prism.nix
@@ -7,6 +7,7 @@
];
binaryCachePublicKeys = [
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
+ "cache.prism-2:YwmCm3/s/D+SxrPKN/ETjlpw/219pNUbpnluatp6FKI="
];
};
}
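Review bot: The added `cache.prism-2` key sits beside `cache.prism-1` in `binaryCachePublicKeys` with nothing saying which machine signs with which key or whether the old key is meant to stay trusted. Every entry in that list is a trust anchor for store paths substituted from the cache, so a key that is no longer needed should be removed rather than kept. If `cache.prism-1` only remains for a transition (this merge also introduces an `archprism` host, presumably the former prism), a comment such as `# prism-1: key of the old host, drop once migration is finished` would make that explicit.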
diff --git a/krebs/2configs/gitlab-runner-shackspace.nix b/krebs/2configs/gitlab-runner-shackspace.nix
index d9b4cd589..f4247b6da 100644
--- a/krebs/2configs/gitlab-runner-shackspace.nix
+++ b/krebs/2configs/gitlab-runner-shackspace.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
let
url = "https://git.shackspace.de/";
# generate token from CI-token via:
@@ -6,7 +6,7 @@ let
## cat /etc/gitlab-runner/config.toml
token = import <secrets/shackspace-gitlab-ci-token.nix> ;
in {
- systemd.services.gitlab-runner.path = [
+ systemd.services.gitlab-runner.path = [
"/run/wrappers" # /run/wrappers/bin/su
"/" # /bin/sh
];
@@ -16,19 +16,18 @@ in {
enable = true;
# configFile, configOptions and gracefulTimeout not yet in stable
# gracefulTimeout = "120min";
- configText = ''
- concurrent = 1
- check_interval = 0
-
- [[runners]]
- name = "krebs-shell"
- url = "${url}"
- token = "${token}"
- executor = "shell"
- shell = "sh"
- environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"]
- [runners.cache]
+ configFile = pkgs.writeText "gitlab-runner.cfg" ''
+ concurrent = 1
+ check_interval = 0
+ [[runners]]
+ name = "krebs-shell"
+ url = "${url}"
+ token = "${token}"
+ executor = "shell"
+ shell = "sh"
+ environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"]
+ [runners.cache]
'';
};
}
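Review bot: The runner registration token ends up in the Nix store, because `configFile = pkgs.writeText "gitlab-runner.cfg" ''` interpolates `token = "${token}"` into a store path. Store paths are readable by every local user and are copied along with the system closure. Point `configFile` at a file that is deployed outside the store with restrictive permissions instead, e.g. `configFile = "/PLACEHOLDER/root-only/gitlab-runner/config.toml";`, and keep only non-secret settings in Nix. The enclosing attribute set opens outside this hunk, and whether the removed `configText` had the same exposure cannot be told from here.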
diff --git a/krebs/2configs/hw/x220.nix b/krebs/2configs/hw/x220.nix
index c85bac0d4..44743b87d 100644
--- a/krebs/2configs/hw/x220.nix
+++ b/krebs/2configs/hw/x220.nix
@@ -8,6 +8,8 @@ with import <stockholm/lib>;
hardware.cpu.intel.updateMicrocode = true;
+ hardware.opengl.enable = true;
+
services.tlp.enable = true;
boot = {
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index 116337733..38f58952e 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -92,6 +92,7 @@
};
general {
#maybe we want ident someday?
+ default_floodcount = 1000;
disable_auth = yes;
throttle_duration = 1;
throttle_count = 1000;
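Review bot: `default_floodcount = 1000;` was inserted between the `#maybe we want ident someday?` comment and the `disable_auth = yes;` line that comment annotates, so the comment now reads as if it were about flood limits. Move the new line next to `throttle_count = 1000;` and give it its own comment stating why flood limiting is set this high. Together with `disable_auth = yes` it relaxes most per-client protections on the server. Something like `# trusted VPN-only network, bots burst messages: flood limit effectively off on purpose` would do, if that is the reason. The `general` block continues outside the hunk.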
diff --git a/lass/2configs/reaktor-krebs.nix b/krebs/2configs/reaktor-krebs.nix
index 6b17b457d..6b17b457d 100644
--- a/lass/2configs/reaktor-krebs.nix
+++ b/krebs/2configs/reaktor-krebs.nix
diff --git a/krebs/2configs/reaktor-retiolum.nix b/krebs/2configs/reaktor-retiolum.nix
new file mode 100644
index 000000000..144b7d484
--- /dev/null
+++ b/krebs/2configs/reaktor-retiolum.nix
@@ -0,0 +1,15 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+ krebs.Reaktor.retiolum = {
+ nickname = "Reaktor|lass";
+ channels = [ "#xxx" ];
+ extraEnviron = {
+ REAKTOR_HOST = "irc.r";
+ };
+ plugins = with pkgs.ReaktorPlugins; [
+ sed-plugin
+ ];
+ };
+}
diff --git a/krebs/2configs/repo-sync.nix b/krebs/2configs/repo-sync.nix
index b0b0b2f62..84b7d9c0e 100644
--- a/krebs/2configs/repo-sync.nix
+++ b/krebs/2configs/repo-sync.nix
@@ -15,8 +15,8 @@ let
post-receive = pkgs.git-hooks.irc-announce {
nick = config.networking.hostName;
verbose = false;
- channel = "#retiolum";
- server = "ni.r";
+ channel = "#xxx";
+ server = "irc.r";
branches = [ "master" ];
};
});
diff --git a/krebs/2configs/shack/muell_caller.nix b/krebs/2configs/shack/muell_caller.nix
index 7e8d278f6..19768cb2e 100644
--- a/krebs/2configs/shack/muell_caller.nix
+++ b/krebs/2configs/shack/muell_caller.nix
@@ -12,7 +12,7 @@ let
buildInputs = [
(pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
docopt
- requests2
+ requests
paramiko
python
]))
diff --git a/krebs/2configs/shack/radioactive.nix b/krebs/2configs/shack/radioactive.nix
index 378b54056..566146d6e 100644
--- a/krebs/2configs/shack/radioactive.nix
+++ b/krebs/2configs/shack/radioactive.nix
@@ -12,7 +12,7 @@ let
buildInputs = [
(pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
docopt
- requests2
+ requests
python
]))
];
diff --git a/krebs/2configs/shack/worlddomination.nix b/krebs/2configs/shack/worlddomination.nix
index d0f9f5fa6..828b6cd70 100644
--- a/krebs/2configs/shack/worlddomination.nix
+++ b/krebs/2configs/shack/worlddomination.nix
@@ -37,7 +37,7 @@ let
docopt
LinkHeader
aiocoap
- requests2
+ requests
paramiko
python
]))
diff --git a/krebs/3modules/announce-activation.nix b/krebs/3modules/announce-activation.nix
index 5a3a788c2..8f8440eb7 100644
--- a/krebs/3modules/announce-activation.nix
+++ b/krebs/3modules/announce-activation.nix
@@ -35,7 +35,7 @@ in {
irc = {
# TODO rename channel to target?
channel = mkOption {
- default = "#retiolum";
+ default = "#xxx";
type = types.str; # TODO types.irc-channel
};
nick = mkOption {
@@ -47,7 +47,7 @@ in {
type = types.int;
};
server = mkOption {
- default = "ni.r";
+ default = "irc.r";
type = types.hostname;
};
};
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 0ca13366b..dd29a4e17 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -3,7 +3,7 @@
with import <stockholm/lib>;
let
gunicorn = pkgs.pythonPackages.gunicorn;
- bepasty = pkgs.pythonPackages.bepasty-server;
+ bepasty = pkgs.bepasty;
gevent = pkgs.pythonPackages.gevent;
python = pkgs.pythonPackages.python;
cfg = config.krebs.bepasty;
diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix
index 544f9c4e0..0af553c5d 100644
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@@ -160,6 +160,8 @@ let
# TODO: maybe also prepare buildbot.tac?
ExecStartPre = pkgs.writeDash "buildbot-master-init" ''
set -efux
+ #remove garbage from old versions
+ rm -r ${workdir}
mkdir -p ${workdir}/info
cp ${buildbot-slave-init} ${workdir}/buildbot.tac
echo ${contact} > ${workdir}/info/admin
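Review bot: The added `rm -r ${workdir}` runs under `set -efux`, so on a fresh machine where the directory does not exist yet `rm` fails and `ExecStartPre` aborts before `mkdir -p` is reached. Use `rm -rf "${workdir}"` so a missing directory is not an error and the path is quoted. As written the line also wipes the whole work directory on every service start, not only after an upgrade as the comment `#remove garbage from old versions` suggests. If build state is meant to survive restarts, guard the removal on a version marker instead. `workdir` is defined outside this hunk, so it should be confirmed that it can never evaluate to an empty or shared path.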
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index dab87792e..adbc1ebe1 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -133,8 +133,8 @@ in
irc = {
enable = true;
nick = "build|${hostname}";
- server = "ni.r";
- channels = [ "retiolum" "noise" ];
+ server = "irc.r";
+ channels = [ "xxx" "noise" ];
allowForce = true;
};
extraConfig = ''
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 42df3f053..48cf7971b 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -24,6 +24,7 @@ let
./go.nix
./hidden-ssh.nix
./htgen.nix
+ ./iana-etc.nix
./iptables.nix
./kapacitor.nix
./monit.nix
diff --git a/krebs/3modules/iana-etc.nix b/krebs/3modules/iana-etc.nix
new file mode 100644
index 000000000..f6d47f27e
--- /dev/null
+++ b/krebs/3modules/iana-etc.nix
@@ -0,0 +1,55 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: {
+
+ options.krebs.iana-etc.services = mkOption {
+ default = {};
+ type = types.attrsOf (types.submodule ({ config, ... }: {
+ options = {
+ port = mkOption {
+ default = config._module.args.name;
+ type = types.addCheck types.str (test "[1-9][0-9]*");
+ };
+ } // genAttrs ["tcp" "udp"] (protocol: mkOption {
+ default = null;
+ type = types.nullOr (types.submodule {
+ options = {
+ name = mkOption {
+ type = types.str;
+ };
+ };
+ });
+ });
+ }));
+ };
+
+ config.environment.etc = mkIf (config.krebs.iana-etc.services != {}) {
+ services.source = mkForce (pkgs.runCommand "krebs-iana-etc" {} ''
+ exec < ${pkgs.iana_etc}/etc/services
+ exec > $out
+ awk -F '[ /]+' '
+ BEGIN {
+ port=0
+ }
+ ${concatMapStringsSep "\n" (entry: ''
+ $2 == ${entry.port} {
+ port=$2
+ next
+ }
+ port == ${entry.port} {
+ ${concatMapStringsSep "\n"
+ (proto: let
+ s = "${entry.${proto}.name} ${entry.port}/${proto}";
+ in
+ "print ${toJSON s}")
+ (filter (proto: entry.${proto} != null) ["tcp" "udp"])}
+ port=0
+ }
+ '') (attrValues config.krebs.iana-etc.services)}
+ {
+ print $0
+ }
+ '
+ '');
+ };
+
+}
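Review bot: The service `name` is an unconstrained `types.str` that is spliced into an awk program wrapped in shell single quotes, and `toJSON` escapes `"` and `\` but not `'`. A name containing a single quote would therefore end the quoted awk program early and the rest would be parsed by the build shell. Constrain the option the same way `port` is constrained, e.g. `type = types.addCheck types.str (test "[A-Za-z0-9._+-]+");`, adjusting the character class to what /etc/services names need. Separately, the replacement lines are only printed when a later line with a different port is read, so an overridden port that is last in the input, or absent from it, produces no entry. An `END` block, or printing at the first match, would close that gap.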
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index 2fe3e5115..1e626f0a0 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -74,6 +74,7 @@ in {
"build.r"
"build.hotdog.r"
"cgit.hotdog.r"
+ "irc.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index ca3c8b45b..3e03e71cb 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -83,7 +83,7 @@ with import <stockholm/lib>;
};
nets = rec {
internet = {
- ip4.addr = "213.239.205.240";
+ ip4.addr = "46.4.114.247";
aliases = [
"prism.i"
"paste.i"
@@ -103,6 +103,47 @@ with import <stockholm/lib>;
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
+ MIIECgKCBAEAtpI0+jz2deUiH18T/+JcRshQi7lq8zlRvaXpvyuxJlYCz+o5cLje
+ fxrKn67JbDb0cTAiDkI88alHBd8xeq2I6+CY90NT6PNVfsQBFx2v5YXafELXJWlo
+ rBvPFrR7nt1VzmG/hzkY8RwgC8hC6jRn7cvWWPCkvm2ZnNtYqAjiYMcUcWv6Vn9Z
+ ytPgkebDF9KpD8bL4vQu9iPZGNZpwncCw/Ix66oyTM6e24j/fTYgp7xn28wVUzUB
+ wWDH0uMQOxyBGFutEvAQ48XZ+QQxZv+2ZGqWJ+MeXreUPNP5wTxFCQOrkR1EXNio
+ /jgdHXtU5wVvqPwziukwwnfGJYUUHw7mjdo6ps5rch/aDxs0lahNc2TMbhr3rqgA
+ BkXVfwDTt8W/PB6Z0Y/djXOlUmQKO39OgZuhsYzqM4Uj17up7CDY77SiQYrV901C
+ 9CR5oFsAvV+WIMFUBc7ZZGPotJ9nZ2yyLQh+fT3sXuqFpGlyaI2SAm2edZUXKWQ5
+ Q6AIyQRPkTNRCDuvXxIMdmOE++tBnyCI/Psn/Qet5gFcSsUMPhto8Yaka4SgJfyu
+ 3iIojFUzskowLWt6dBOGm5brI/OaKz0gyw5K3Hb4T7Jz+EwoeJfhbdZYA6NIY+qH
+ TGGl+47ffT+8e+1hvcAnO+bN5Br8WPN3+VD4FQD5yTb6pCFdZuL3QEyoKc9eugDb
+ g/+rFOsI8bfVeH5zZrl6B6XJBLGeKEECf3zwE2JObO3IuwxATSkahx1jAEy+hFyZ
+ kPwooGj03tkgVGc2AxgdHbfmNUbSVkO+m+ouBojikSrnFNKRTS/wZ69RVg3tl4qg
+ 7F4Vs/aMQ9bSWycvRBZQXITPQ1Y6mCEUj2mSKVHmgy/5rqwz2va/Yc1zhUptcINo
+ 7ztGiEzFMPGagkTs/Ntuqh2VbC/MwTao0BKl+gyCNwrACnNW87X4og2gtG3ukduz
+ cnSupO84hdTrclthsSEH/rLUauBsuIch58S/F7KCz9hwK45+Btky7Kz4mf/pE451
+ k88QfDHw/cTSzlESPnEnthrRnhxn0fW7FRwJpieKm2AmyEEjSiiYt8mUdD3teKj0
+ dgYrcGQkCnhmKDawgcw46wstBG/sAKT8qnZPRmlzKpcCS186ffuobQvj42LSmuMu
+ ToANi5pw2yEfzwLxNG/3whozB9rqwbqV/YAR/mthMxD0IXpLDKXlV1IeD7MfpV8i
+ jx6SghnkX/s2F7UTOlwJYe/Gl1biLRB8EPnOZKadHR0BRWFd+Qz6pJDp0B13jT3/
+ AEPNGXLwVjmdhy2TVec3OGL/CukPEdiW1Urw5lfOc9dacTXjTNTXzod7Ub6s7ZOE
+ T7Y4dsVeW4OM7NmE/riqS3cG9obGWO7gIQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
+ };
+ archprism = rec {
+ cores = 4;
+ nets = rec {
+ retiolum = {
+ via = internet;
+ ip4.addr = "10.243.0.104";
+ ip6.addr = "42::fa17";
+ aliases = [
+ "archprism.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAvzhoBsxUaEwm7ctiw3xvLFP2RoVaiHnF+Sm4J8E4DOerPToXxlyl
kxvMPaRnhtiO6MK0Vv2+VswKIeRkMm5YuD5MG7wni4vUKcRx9cCgKji/s0vGqLhl
JKK9i23q7epvQ32Is/e3P+fQ5KM50EO+TWACNaroCNoyJvZ/G8BWXw6WnIOsuX0I
@@ -112,6 +153,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
+ internet = {
+ ip4.addr = "213.239.205.240";
+ aliases = [
+ "archprism.i"
+ ];
+ ssh.port = 45621;
+ };
};
ssh.privkey.path = <secrets/ssh.id_rsa>;
ssh.pubkey = "ssh-rsa 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";
@@ -384,8 +432,19 @@ with import <stockholm/lib>;
eddie = {
ci = false;
external = true;
- nets = {
- retiolum = {
+ nets = rec {
+ internet = {
+ ip4.addr = "129.215.90.4";
+ aliases = [ "eddie.i" ];
+ };
+ retiolum = rec {
+ via = internet;
+ addrs = [
+ # edinburgh university
+ "129.215.0.0/16"
+ ip4.addr
+ ip6.addr
+ ];
ip4.addr = "10.243.29.170";
ip6.addr = "42:4992:6a6d:700::1";
aliases = [ "eddie.r" ];
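Review bot: The `addrs` list for eddie's `retiolum` net now contains the public range `"129.215.0.0/16"` with only the comment `# edinburgh university` to explain it. If `addrs` is what gets announced as the host's subnets on the VPN (not visible in this hunk), every peer would send traffic for the whole university range through a host marked `external = true`. The intent should therefore be spelled out. Suggest expanding the comment, e.g. `# route the university network via eddie for <PLACEHOLDER: reason>`, or narrowing the prefix to the addresses actually needed.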
@@ -437,8 +496,13 @@ with import <stockholm/lib>;
inspector = {
ci = false;
external = true;
- nets = {
+ nets = rec {
+ internet = {
+ ip4.addr = "141.76.44.154";
+ aliases = [ "inspector.i" ];
+ };
retiolum = {
+ via = internet;
ip4.addr = "10.243.29.172";
ip6.addr = "42:4992:6a6d:800::1";
aliases = [ "inspector.r" ];
@@ -467,6 +531,10 @@ with import <stockholm/lib>;
pubkey = builtins.readFile ./ssh/mors.rsa;
pgp.pubkeys.default = builtins.readFile ./pgp/mors.pgp;
};
+ lass-android = {
+ mail = "lassulus@gmail.com";
+ pubkey = builtins.readFile ./ssh/android.rsa;
+ };
lass-helios = {
mail = "lass@helios.r";
pubkey = builtins.readFile ./ssh/helios.rsa;
@@ -487,10 +555,14 @@ with import <stockholm/lib>;
fritz = {
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540";
};
- prism-repo-sync = {
+ archprism-repo-sync = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINR9oL/OPHjjKjQ+IyRqWpgrXdZrKKAwFKIte8gYml6C";
mail = "lass@prism.r";
};
+ prism-repo-sync = {
+ pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKhpCKTnSq6VDJPB+0NiHu2ZxSKEIxHN6uPAPnbXYNCe";
+ mail = "lass@prism.r";
+ };
mors-repo-sync = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv6N/UjFnX5vUicT9Sw0+3x4mR0760iaVWZ/JDtdV4h";
mail = "lass@mors.r";
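Review bot: The renamed `archprism-repo-sync` user keeps `mail = "lass@prism.r";`, so after this change two distinct keys (`archprism-repo-sync` and the new `prism-repo-sync`) carry the same identity. That makes it hard to tell from logs or ACLs which host pushed. If the old key now belongs to the archprism host, change its address accordingly, `mail = "lass@archprism.r";`. If it is only kept for the migration, add a comment saying when it should be removed so the old host does not stay authorised indefinitely.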
diff --git a/krebs/3modules/lass/ssh/android.rsa b/krebs/3modules/lass/ssh/android.rsa
new file mode 100644
index 000000000..f5190f45c
--- /dev/null
+++ b/krebs/3modules/lass/ssh/android.rsa
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGgImN/9D4yJBjYlkAvT3X45kzt4n8hmgsqPcdcHWNC7fofWG4fZe8NNrTLdKsK+xYxTstj49l8Vb3YDvw4fAyyyhms/eFRlD2BRqAISwc39EIeTC4g3PXNeUtUGdczXKxsJf5iWf4kxUrUOuZ3FeKxeYXDMSqzzk1oKalhWNl4PmgRc5FzjeRJ2WziilwFq7ntLswoeTBW3c53fbcp3XuPza3M1/sN3NHJx9ZMpWVfJhZ/CXr+nqpc25ZIr5HZVZbgDTyJQimlTF5JCfU0NiiBIh7ep7x4o93tARmilit7+mWUkkxk6ba+zG6nr+s+zyd85AFAYRioOEczbC6mI44UZUB11KkEzOon5JWSA8pK+DPqsqhFkwWYMHLXZp8zemdp9kushRZ6nuI9MzBwacngro1vAvDL6jrS5MR7zf7rMAo6wexovWoEowvZz629mjC3OAt9iOm4VJdvEmq+rHLfjjznVEY6llF7DUu2QNEazaXhxZH9V9N1gyubIE97SQVqmwDrf8BGC0Hq+hC4OOweqfo4XP0etbqAfDozZbqcqyE1m9Bj8DpjrSXka1PuJf5fgEtoxPadd2qdiHMfIx9sM+4uu2nI5aFvWO3OlJmhF80QzNdFzZWjsyvJ24C1/a2FAyzoab1Sg9ljstQThseTtvlXcX8jfFn0U3RbgXgCgOWad3Oy9vA0OCdsHut0nzv3UO+T5+wv2+lvE3QSSKOlmVtdKMhCFb+Rg+FliKxyd820h9yR3wDYmkurVkAxaj8Kx5MaY/7aypOi8fRAV2FSDtCKkuMyPv4xEtdPi/4lj55pRBEO8lJkeb+WurCzZ7ZeaPdrW1YIQtToPpiz3dXeRhkts6jq8247xIplzHh9Iu18gOrnZ+ygn70g19x842vvcfLQNAghDPS93msJdSe+EtulMCwNTjUaF9LyzhW9ptLG9NmwgbT5kGsFiRw3BFdyfcQVWVzDhuP3hPPx+hjiZtFfpIKpxV9MjO1xQ830Ngk3JpSphMZTQ432yfvu9yEsUWmAa8ax1jxJ361AiIp0U2xioJmdVd3E2sxkpOUYqE89IR9X6hS3fH38Gc5IL5+BnhuZvRgXuA+nrqdU4pMB3TIoC5oXlOMRXpxaS91YiO4ERx2t6WkBRCoaDuRWnLpewV6lhjwi1+4Emlrs2q1R0K64emZTv7O1MKwWRHOlBJD3HLyCCS763OzYW4mEQcfBAQtbm6sTooJ+D/zbmYgbnZt0z/nP9R/n25pzlSPpZ49fCiRV7QN6D9mksISTz8qIiCzNBn1F7DUewXqkrdPopl4npeNVcOyyo7P1lFFGde+jq/7REdzD+vno1h9+17WZbyzQtlOyipQYzb6l4QuXq/zejJrELJAQdN4yRQq5NJzIh0HXaPnPC083T791moBflyqiwPEIWsSMfILqSqL1jVVNgvV4fHnMixgH2zK9f0EyE3fG9PnuRribPR2DlESqpHZTcBixgh660EPKh0gCLYoWKgU= lass-android@XperiaXCompact
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 6e0e876b8..401cba97a 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -4,6 +4,31 @@ with import <stockholm/lib>;
{
hosts = mapAttrs (_: setAttr "owner" config.krebs.users.makefu) {
+ cake = rec {
+ cores = 1;
+ ci = false;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.136.236";
+ ip6.addr = "42:b3b2:9552:eef0:ee67:f3b3:8d33:eee1";
+ aliases = [
+ "cake.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEA0khdelSrOV/ZI9vvbV5aT1wVn2IfUfIdDCQIOnF2mZsrnIcuaedu
+ jRfZnJST1vOfL7JksF1+8pYwSn34CjJCGhyFf25lc6mARXmZe/araNrVpTntCy2+
+ MqG8KZe4mIda/WPTXRYGtFVQZeClM5SCZ7EECtw8sEkwt2QtOv43p/hiMXAkOQsq
+ 6xc9/b4Bry7d+IjJs3waKfFQllF+C+GuK8yF0YnCEb6GZw7xkxHIO1QV4KSQ4CH7
+ 36kEAdCSQ5rgaygRanUlUl+duQn1MLQ+lRlerAEcFfKrr3MKNz2jmGth8iUURdyP
+ MHjSWe+RkLQ6zzBaVgoKKuI9MbIbhenJWwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGyJlI0YpIh/LiiPMseD2IBHg+uVGrkSy0MPNeD+Jv8Y cake";
+ };
drop = rec {
ci = true;
cores = 1;
@@ -78,6 +103,37 @@ with import <stockholm/lib>;
};
};
};
+ latte = rec {
+ ci = true;
+ cores = 1;
+ ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIrkK1mWfPvfZ9ALC1irGLuzOtMefaGAmGY1VD4dj7K1 latte";
+ nets = {
+ internet = {
+ ip4.addr = "185.215.224.160";
+ aliases = [
+ "latte.i"
+ ];
+ };
+ retiolum = {
+ ip4.addr = "10.243.80.249";
+ ip6.addr = "42:ecb0:376:b37d:cf47:1ecf:f32b:a3b9";
+ aliases = [
+ "latte.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAx70gmNoP4RYeF3ShddEMsbNad9L5ezegwxJTZA7XTfF+/cwr/QwU
+ 5BL0QXTwBnKzS0gun5NXmhwPzvOdvfczAxtJLk8/NjVHFeE39CiTHGgIxkZFgnbo
+ r2Rj6jJb89ZPaTr+hl0+0WQQVpl9NI7MTCUimvFBaD6IPmBh5wTySu6mYBs0mqmf
+ 43RrvS42ieqQJAvVPkIzxxJeTS/M3NXmjbJ3bdx/2Yzd7INdfPkMhOONHcQhTKS4
+ GSXJRTytLYZEah8lp8F4ONggN6ixlhlcQAotToFP4s8c+KqYfIZrtP+pRj7W72Y6
+ vhnobLDJwBbAsW1RQ6FHcw10TrP2H+haewIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
pnp = {
ci = true;
@@ -460,6 +516,8 @@ with import <stockholm/lib>;
'';
};
};
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5ZmJSypW3LXIJ67DdbxMxCfLtORFkl5jEuD131S5Tr";
};
gum = rec {
@@ -522,7 +580,8 @@ with import <stockholm/lib>;
'';
};
};
- ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
+ # configured manually
+ # ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcxWFEPzke/Sdd9qNX6rSJgXal8NmINYajpFCxXfYdj root@gum";
};
shoney = rec {
@@ -973,6 +1032,10 @@ with import <stockholm/lib>;
inherit (makefu) mail pgp;
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDOXG6iwvm6zUVk+OE9ZviO+WNosAHSZw4ku0RxWbXSlSG0RfzvV4IfByF3Dw+4a8yZQmjwNkQalUURh2fEqhBLBI9XNEIL7qIu17zheguyXzpE3Smy4pbI+fjdsnfFrw+WE2n/IO8N6ojdH6sMmnWwfkFZYqqofWyLB3WUN9wy2b2z0w/jc56+HxxyTl3rD7CttTs9ak67HqIn3/pNeHoOM+JQ/te8t4ageIlPi8yJJpqZgww1RUWCgPPwZ9DP6gQjo85he76x0h9jvhnFd7m9N1aGdRDcK55QyoY/9x07R24GRutohAB/KDWSkDWQv5BW7M1LCawpJcF3DDslD1i7 makefu@gum";
};
+ makefu-android = {
+ inherit (makefu) mail pgp;
+ pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoAtBa10AbiFXfYL4Za7e0CLeXJeH6FhMqVZFqElLkJBKmQ7c7WEMlnuRhEZWSFDXBpaS7p73s5MMOZA13uYv6fI2ipOOwE9Ej1EoMsrQGegBp2VDMo0wnr/sgTL1do+uGI85E/i0uFw0DYhXqlZQk1eK8SdgXYltiVL27IA3NG2kYuoTIvJgRnaPJjTbhLBWti3m586LuO+pBKtcTt1D9EV6wp+6Jum4owPtCgVPQaZfFGYWkEiINV83WX9HoIk4S3bTPLh8Kfp0je0xsioS4T9/cxSPgUie8MjSg0irvLJXRH0JOVuG5NvZTYhAAekwNkHll9CtypPrutjbrXPXf makefu@x";
+ };
makefu-bob = {
inherit (makefu) mail pgp;
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+fEK1bCB8cdDiBzXBXEWLFQyp/7xjNGQ5GyqHOtgxxe6Ypb0kAaWJaG3Ak/qI/nToGKwkQJLsuYNA3lZj2rFyBdoxnNO3kRFTc7NoaU5mC2BlHbpmn9dzvgiBoRAKAlzj/022u65SI19AFciKXtwqQfjuB3mPVOFOfCFB2SYjjWb8ffPnHp6PB5KKNLxaVPCbZgOdSju25/wB2lY00W8WIDOTqfbNClQnjkLsUZpTuRnvpHTemKtt1FH+WBZiMwMXRt19rm9LFSO7pvrZjdJz0l1TZVsODkbKZzQzSixoCPmdpPPAYaqrGUQpmukXk0xQtR3E2jEsk+FJv4AkIKqD";
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 8af15c13b..b032f3148 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -1,5 +1,5 @@
-{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
+{ config, pkgs, ... }:
let
out = {
options.krebs.tinc = api;
@@ -11,7 +11,7 @@ let
description = ''
define a tinc network
'';
- type = with types; attrsOf (submodule (tinc: {
+ type = types.attrsOf (types.submodule (tinc: {
options = let
netname = tinc.config._module.args.name;
in {
@@ -116,7 +116,7 @@ let
phases = [ "installPhase" ];
installPhase = ''
mkdir $out
- ${concatStrings (lib.mapAttrsToList (_: host: ''
+ ${concatStrings (mapAttrsToList (_: host: ''
echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
> $out/${shell.escape host.name}
'') tinc.config.hosts)}
diff --git a/krebs/5pkgs/simple/Reaktor/default.nix b/krebs/5pkgs/simple/Reaktor/default.nix
index fc3710820..6989bb02b 100644
--- a/krebs/5pkgs/simple/Reaktor/default.nix
+++ b/krebs/5pkgs/simple/Reaktor/default.nix
@@ -8,7 +8,7 @@ python3Packages.buildPythonPackage rec {
propagatedBuildInputs = with pkgs;[
python3Packages.docopt
- python3Packages.requests2
+ python3Packages.requests
];
src = fetchurl {
url = "https://pypi.python.org/packages/source/R/Reaktor/Reaktor-${version}.tar.gz";
diff --git a/krebs/5pkgs/simple/bepasty-client-cli/default.nix b/krebs/5pkgs/simple/bepasty-client-cli/default.nix
index c58e637b3..7811ef5fc 100644
--- a/krebs/5pkgs/simple/bepasty-client-cli/default.nix
+++ b/krebs/5pkgs/simple/bepasty-client-cli/default.nix
@@ -5,7 +5,7 @@ with pythonPackages; buildPythonPackage rec {
propagatedBuildInputs = [
python_magic
click
- requests2
+ requests
];
src = fetchFromGitHub {
diff --git a/krebs/5pkgs/simple/cac-panel/default.nix b/krebs/5pkgs/simple/cac-panel/default.nix
index fd4799535..57f58f4de 100644
--- a/krebs/5pkgs/simple/cac-panel/default.nix
+++ b/krebs/5pkgs/simple/cac-panel/default.nix
@@ -11,7 +11,7 @@ python3Packages.buildPythonPackage rec {
propagatedBuildInputs = with python3Packages; [
docopt
- requests2
+ requests
beautifulsoup4
];
}
diff --git a/krebs/5pkgs/simple/git-preview.nix b/krebs/5pkgs/simple/git-preview.nix
new file mode 100644
index 000000000..d6c9579a7
--- /dev/null
+++ b/krebs/5pkgs/simple/git-preview.nix
@@ -0,0 +1,17 @@
+{ coreutils, git, writeDashBin }:
+
+writeDashBin "git-preview" ''
+ set -efu
+ head_commit=$(${git}/bin/git log -1 --format=%H)
+ merge_commit=$1; shift
+ merge_message='Merge for git-preview'
+ preview_dir=$(${coreutils}/bin/mktemp --tmpdir -d git-preview.XXXXXXXX)
+ preview_branch=$(${coreutils}/bin/basename "$preview_dir")
+ ${git}/bin/git worktree add -b "$preview_branch" "$preview_dir" >/dev/null
+ ${git}/bin/git -C "$preview_dir" checkout "$head_commit"
+ ${git}/bin/git -C "$preview_dir" merge -m "$merge_message" "$merge_commit"
+ ${git}/bin/git -C "$preview_dir" diff "$head_commit.." "$@" &
+ ${git}/bin/git branch -fd "$preview_branch"
+ ${coreutils}/bin/rm -fR "$preview_dir"
+ wait
+''
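Review bot: Nothing cleans up when a step fails: with `set -efu`, a conflicting `merge` exits the script before `git branch -fd` and `rm -fR` run, leaving the temporary worktree and branch behind. The backgrounded `diff … &` followed immediately by `rm -fR "$preview_dir"` can also race, since the directory may be gone before the diff has read it. In addition, the removed directory stays registered as a worktree until it is pruned. A trap-based cleanup with the diff run in the foreground, as below, covers these cases.

```nix
  preview_dir=$(${coreutils}/bin/mktemp --tmpdir -d git-preview.XXXXXXXX)
  preview_branch=$(${coreutils}/bin/basename "$preview_dir")
  cleanup() {
    ${git}/bin/git branch -fd "$preview_branch" 2>/dev/null || :
    ${coreutils}/bin/rm -fR "$preview_dir"
    ${git}/bin/git worktree prune
  }
  trap cleanup EXIT
  # … unchanged: worktree add, checkout, merge …
  ${git}/bin/git -C "$preview_dir" diff "$head_commit.." "$@"
```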
diff --git a/krebs/5pkgs/simple/treq/default.nix b/krebs/5pkgs/simple/treq/default.nix
index 20387b9cb..7cb826a51 100644
--- a/krebs/5pkgs/simple/treq/default.nix
+++ b/krebs/5pkgs/simple/treq/default.nix
@@ -11,7 +11,7 @@ pythonPackages.buildPythonPackage rec {
propagatedBuildInputs = with pythonPackages; [
twisted
pyopenssl
- requests2
+ requests
service-identity
];
}
diff --git a/krebs/5pkgs/simple/urlwatch/default.nix b/krebs/5pkgs/simple/urlwatch/default.nix
index 509555669..adaefbc4d 100644
--- a/krebs/5pkgs/simple/urlwatch/default.nix
+++ b/krebs/5pkgs/simple/urlwatch/default.nix
@@ -13,7 +13,7 @@ python3Packages.buildPythonPackage rec {
minidb
pycodestyle
pyyaml
- requests2
+ requests
];
meta = {
diff --git a/krebs/source.nix b/krebs/source.nix
index 1aba3d7ff..09edc817b 100644
--- a/krebs/source.nix
+++ b/krebs/source.nix
@@ -14,6 +14,6 @@ in
stockholm.file = toString <stockholm>;
nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs;
- ref = "8ed299faacbf8813fc47b4fca34f32b835d6481e"; # nixos-17.03 @ 2017-09-09
+ ref = "07ca7b64d2ff2fa7a79e4eab1aba70ff746fed8c"; # nixos-17.09 @ 2017-10-02
};
}
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix
new file mode 100644
index 000000000..6411c423d
--- /dev/null
+++ b/lass/1systems/archprism/config.nix
@@ -0,0 +1,328 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+let
+ ip = config.krebs.build.host.nets.internet.ip4.addr;
+
+in {
+ imports = [
+ <stockholm/lass>
+ {
+ networking.interfaces.et0.ip4 = [
+ {
+ address = ip;
+ prefixLength = 24;
+ }
+ ];
+ networking.defaultGateway = "213.239.205.225";
+ networking.nameservers = [
+ "8.8.8.8"
+ ];
+ services.udev.extraRules = ''
+ SUBSYSTEM=="net", ATTR{address}=="54:04:a6:7e:f4:06", NAME="et0"
+ '';
+ }
+ <stockholm/lass/2configs/retiolum.nix>
+ <stockholm/lass/2configs/exim-smarthost.nix>
+ #<stockholm/lass/2configs/downloading.nix>
+ <stockholm/lass/2configs/ts3.nix>
+ <stockholm/lass/2configs/bitlbee.nix>
+ <stockholm/lass/2configs/weechat.nix>
+ <stockholm/lass/2configs/privoxy-retiolum.nix>
+ <stockholm/lass/2configs/radio.nix>
+ <stockholm/lass/2configs/repo-sync.nix>
+ <stockholm/lass/2configs/binary-cache/server.nix>
+ <stockholm/lass/2configs/iodined.nix>
+ <stockholm/lass/2configs/libvirt.nix>
+ <stockholm/lass/2configs/hfos.nix>
+ <stockholm/lass/2configs/monitoring/server.nix>
+ <stockholm/lass/2configs/monitoring/monit-alarms.nix>
+ <stockholm/lass/2configs/paste.nix>
+ <stockholm/lass/2configs/syncthing.nix>
+ #<stockholm/lass/2configs/reaktor-coders.nix>
+ <stockholm/lass/2configs/ciko.nix>
+ <stockholm/lass/2configs/container-networking.nix>
+ #<stockholm/lass/2configs/reaktor-krebs.nix>
+ #{
+ # lass.pyload.enable = true;
+ #}
+ {
+ imports = [
+ <stockholm/lass/2configs/bepasty.nix>
+ ];
+ krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
+ if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
+ return 403;
+ }
+ '';
+ }
+ {
+ users.extraGroups = {
+ # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
+ # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
+ # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
+ # Docs: man:tmpfiles.d(5)
+ # man:systemd-tmpfiles(8)
+ # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
+ # Main PID: 19272 (code=exited, status=1/FAILURE)
+ #
+ # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
+ # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
+ # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
+ # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
+ # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
+ # warning: error(s) occured while switching to the new configuration
+ lock.gid = 10001;
+ };
+ }
+ {
+ boot.loader.grub = {
+ devices = [
+ "/dev/sda"
+ "/dev/sdb"
+ ];
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/pool/nix";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/7ca12d8c-606d-41ce-b10d-62b654e50e36";
+ };
+
+ fileSystems."/var/download" = {
+ device = "/dev/pool/download";
+ };
+
+ fileSystems."/srv/http" = {
+ device = "/dev/pool/http";
+ };
+
+ fileSystems."/srv/o.ubikmedia.de-data" = {
+ device = "/dev/pool/owncloud-ubik-data";
+ };
+
+ fileSystems."/bku" = {
+ device = "/dev/pool/bku";
+ };
+
+ fileSystems."/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = ["nosuid" "nodev" "noatime"];
+ };
+
+ }
+ {
+ sound.enable = false;
+ }
+ {
+ nixpkgs.config.allowUnfree = true;
+ }
+ {
+ #stuff for juhulian
+ users.extraUsers.juhulian = {
+ name = "juhulian";
+ uid = 1339;
+ home = "/home/juhulian";
+ group = "users";
+ createHome = true;
+ useDefaultShell = true;
+ extraGroups = [
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
+ ];
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
+ ];
+ }
+ {
+ environment.systemPackages = [
+ pkgs.perlPackages.Plack
+ ];
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 8080"; target = "ACCEPT";}
+ ];
+ }
+ {
+ time.timeZone = "Europe/Berlin";
+ }
+ {
+ imports = [
+ <stockholm/lass/2configs/websites/domsen.nix>
+ <stockholm/lass/2configs/websites/lassulus.nix>
+ ];
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
+ ];
+ }
+ {
+ services.tor = {
+ enable = true;
+ };
+ }
+ {
+ lass.ejabberd = {
+ enable = true;
+ hosts = [ "lassul.us" ];
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
+ ];
+ }
+ {
+ imports = [
+ <stockholm/lass/2configs/realwallpaper.nix>
+ ];
+ services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
+ alias /var/realwallpaper/realwallpaper.png;
+ '';
+ }
+ {
+ environment.systemPackages = with pkgs; [
+ mk_sql_pair
+ ];
+ }
+ {
+ users.users.tv = {
+ uid = genid "tv";
+ inherit (config.krebs.users.tv) home;
+ group = "users";
+ createHome = true;
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.tv.pubkey
+ ];
+ };
+ users.users.makefu = {
+ uid = genid "makefu";
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.makefu.pubkey
+ ];
+ };
+ users.users.nin = {
+ uid = genid "nin";
+ inherit (config.krebs.users.nin) home;
+ group = "users";
+ createHome = true;
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.nin.pubkey
+ ];
+ extraGroups = [
+ "libvirtd"
+ ];
+ };
+ }
+ {
+ krebs.repo-sync.timerConfig = {
+ OnBootSec = "15min";
+ OnUnitInactiveSec = "90min";
+ RandomizedDelaySec = "30min";
+ };
+ krebs.repo-sync.repos.stockholm.timerConfig = {
+ OnBootSec = "5min";
+ OnUnitInactiveSec = "2min";
+ RandomizedDelaySec = "2min";
+ };
+ }
+ {
+ lass.usershadow = {
+ enable = true;
+ };
+ }
+ #{
+ # krebs.Reaktor.prism = {
+ # nickname = "Reaktor|lass";
+ # channels = [ "#retiolum" ];
+ # extraEnviron = {
+ # REAKTOR_HOST = "ni.r";
+ # };
+ # plugins = with pkgs.ReaktorPlugins; [
+ # sed-plugin
+ # ];
+ # };
+ #}
+ {
+ #stuff for dritter
+ users.extraUsers.dritter = {
+ name = "dritter";
+ uid = genid "dritter";
+ home = "/home/dritter";
+ group = "users";
+ createHome = true;
+ useDefaultShell = true;
+ extraGroups = [
+ "download"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
+ ];
+ };
+ }
+ {
+ #hotdog
+ containers.hotdog = {
+ config = { ... }: {
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ };
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.1";
+ localAddress = "10.233.2.2";
+ };
+ }
+ {
+ #kaepsele
+ containers.kaepsele = {
+ config = { ... }: {
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
+ lass.pubkey
+ tv.pubkey
+ ];
+ };
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.3";
+ localAddress = "10.233.2.4";
+ };
+ }
+ {
+ #onondaga
+ containers.onondaga = {
+ config = { ... }: {
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ config.krebs.users.nin.pubkey
+ ];
+ };
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.4";
+ localAddress = "10.233.2.5";
+ };
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.archprism;
+}
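Review bot: The container address plan overlaps: `kaepsele` has `localAddress = "10.233.2.4"` and `onondaga` has `hostAddress = "10.233.2.4"`, so one IP is both a container's own address and the host end of another container's link. With both containers up, traffic for that address, including the root SSH logins these containers accept, can reach the wrong endpoint. Moving onondaga to an unused pair, e.g. `hostAddress = "10.233.2.5"; localAddress = "10.233.2.6";`, removes the ambiguity. Whether `container-networking.nix` or other hosts refer to the current addresses is not visible here and needs checking first.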
diff --git a/lass/1systems/archprism/source.nix b/lass/1systems/archprism/source.nix
new file mode 100644
index 000000000..3e96c1d38
--- /dev/null
+++ b/lass/1systems/archprism/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/lass/source.nix> {
+ name = "archprism";
+}
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index e1bce5da8..7b90ebb63 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -9,6 +9,8 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/backups.nix>
+ <stockholm/lass/2configs/games.nix>
+ <stockholm/lass/2configs/steam.nix>
{
# bubsy config
users.users.bubsy = {
@@ -34,6 +36,7 @@ with import <stockholm/lib>;
hexchat
networkmanagerapplet
libreoffice
+ audacity
];
services.xserver.enable = true;
services.xserver.displayManager.lightdm.enable = true;
diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix
index 37bdc0290..6db6f8fd1 100644
--- a/lass/1systems/helios/config.nix
+++ b/lass/1systems/helios/config.nix
@@ -11,7 +11,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/otp-ssh.nix>
<stockholm/lass/2configs/git.nix>
- <stockholm/lass/2configs/fetchWallpaper.nix>
+ <stockholm/lass/2configs/dcso-vpn.nix>
{ # automatic hardware detection
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
@@ -45,7 +45,19 @@ with import <stockholm/lib>;
{
services.xserver.dpi = 200;
fonts.fontconfig.dpi = 200;
- lass.myFont = "-schumacher-clean-*-*-*-*-25-*-*-*-*-*-iso10646-1";
+ lass.fonts.regular = "xft:Hack-Regular:pixelsize=22,xft:Symbola";
+ lass.fonts.bold = "xft:Hack-Bold:pixelsize=22,xft:Symbola";
+ lass.fonts.italic = "xft:Hack-RegularOblique:pixelsize=22,xft:Symbol";
+ }
+ { #TAPIR, AGATIS, sentral, a3 - foo
+ services.redis.enable = true;
+ }
+ {
+ krebs.fetchWallpaper = {
+ enable = true;
+ url = "http://i.imgur.com/0ktqxSg.png";
+ maxTime = 9001;
+ };
}
];
krebs.build.host = config.krebs.hosts.helios;
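Review bot: `services.redis.enable = true;` turns Redis on with no bind address and no password set in this hunk, so its exposure depends entirely on the module defaults of the pinned nixpkgs and on the host firewall. Redis accepts unauthenticated commands unless a password is configured, and this commit also attaches helios to a VPN. Setting `services.redis.bind = "127.0.0.1";` next to the enable line makes the intent explicit and independent of defaults. The comment `#TAPIR, AGATIS, sentral, a3 - foo` does not say what needs Redis; a short why-comment would help the next reader.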
@@ -66,6 +78,7 @@ with import <stockholm/lib>;
hardware.enableRedistributableFirmware = true;
environment.systemPackages = with pkgs; [
+ ag
vim
rxvt_unicode
git
@@ -84,4 +97,22 @@ with import <stockholm/lib>;
programs.ssh.startAgent = lib.mkForce true;
services.tlp.enable = true;
+
+ services.xserver.videoDrivers = [ "nvidia" ];
+ services.xserver.xrandrHeads = [
+ { output = "DP-0.8"; }
+ { output = "DP-4"; monitorConfig = ''Option "Rotate" "right"''; }
+ { output = "DP-2"; primary = true; }
+ ];
+
+ security.pki.certificateFiles = [
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
+
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
+ (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
+ ];
}
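Review bot: These seven DCSO CA certificates go into the system-wide trust store, so every TLS client on helios will accept a certificate issued under them for any hostname, and the hunk has no comment saying why that breadth is wanted. The downloads use plain `http://`, which leaves the `sha256` as the only integrity check, and it is only as trustworthy as the way the hashes were first obtained. I would add a comment such as `# DCSO corporate CAs for <service>; hashes verified against <out-of-band source> on <date>`. Consider trusting them only in the applications that need them if that is practical.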
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 8b90cce77..610bfef8e 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -157,4 +157,38 @@ with import <stockholm/lib>;
krebs.repo-sync.timerConfig = {
OnCalendar = "00:37";
};
+
+ environment.shellAliases = {
+ deploy = pkgs.writeDash "deploy" ''
+ set -eu
+ export PATH=${makeBinPath [
+ pkgs.bash
+ pkgs.coreutils
+ pkgs.nix
+ (pkgs.writeDashBin "is-git-crypt-locked" ''
+ magic=$(dd status=none if="$1" skip=1 bs=1 count=8)
+ test "$magic" = GITCRYPT
+ '')
+ ]}
+ cd ~/stockholm
+ export SYSTEM="$1"
+ if is-git-crypt-locked ~/secrets/ready; then
+ echo 'secrets are crypted' >&2
+ exit 23
+ else
+ exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"'
+ fi
+ '';
+ predeploy = pkgs.writeDash "predeploy" ''
+ set -eu
+ export PATH=${makeBinPath [
+ pkgs.bash
+ pkgs.coreutils
+ pkgs.nix
+ ]}
+ cd ~/stockholm
+ export SYSTEM="$1"
+ exec nix-shell -I stockholm="$PWD" --run 'test --system="$SYSTEM" --target="$SYSTEM/var/test/" --force-populate'
+ '';
+ };
}
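Review bot: The git-crypt guard in `deploy` fails open: if `~/secrets/ready` is missing or unreadable, `dd` fails, `$magic` is empty, `is-git-crypt-locked` returns non-zero and the `else` branch runs the deployment. Because the helper runs as an `if` condition, `set -eu` does not stop the script on that failure. A check before the `if`, e.g. `test -r ~/secrets/ready || { echo 'secrets not readable' >&2; exit 23; }`, makes the absent case fail closed. `predeploy` has no such guard at all, which may be intended since it only populates a test target, but a comment saying so would help.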
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 5983456b3..30d5c8dab 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -11,73 +11,20 @@ in {
networking.interfaces.et0.ip4 = [
{
address = ip;
- prefixLength = 24;
+ prefixLength = 27;
}
];
- networking.defaultGateway = "213.239.205.225";
+ networking.defaultGateway = "46.4.114.225";
networking.nameservers = [
"8.8.8.8"
];
services.udev.extraRules = ''
- SUBSYSTEM=="net", ATTR{address}=="54:04:a6:7e:f4:06", NAME="et0"
+ SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
'';
}
- <stockholm/lass/2configs/retiolum.nix>
- <stockholm/lass/2configs/exim-smarthost.nix>
- <stockholm/lass/2configs/downloading.nix>
- <stockholm/lass/2configs/ts3.nix>
- <stockholm/lass/2configs/bitlbee.nix>
- <stockholm/lass/2configs/weechat.nix>
- <stockholm/lass/2configs/privoxy-retiolum.nix>
- <stockholm/lass/2configs/radio.nix>
- <stockholm/lass/2configs/repo-sync.nix>
- <stockholm/lass/2configs/binary-cache/server.nix>
- <stockholm/lass/2configs/iodined.nix>
- <stockholm/lass/2configs/libvirt.nix>
- <stockholm/lass/2configs/hfos.nix>
- <stockholm/lass/2configs/monitoring/server.nix>
- <stockholm/lass/2configs/monitoring/monit-alarms.nix>
- <stockholm/lass/2configs/paste.nix>
- <stockholm/lass/2configs/syncthing.nix>
- <stockholm/lass/2configs/reaktor-coders.nix>
- <stockholm/lass/2configs/ciko.nix>
- <stockholm/lass/2configs/container-networking.nix>
- <stockholm/lass/2configs/reaktor-krebs.nix>
- {
- lass.pyload.enable = true;
- }
- {
- imports = [
- <stockholm/lass/2configs/bepasty.nix>
- ];
- krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
- if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
- return 403;
- }
- '';
- }
- {
- users.extraGroups = {
- # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
- # Loaded: loaded (/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/example/systemd/system/systemd-tmpfiles-setup.service)
- # Active: failed (Result: exit-code) since Mon 2015-03-16 10:29:18 UTC; 4s ago
- # Docs: man:tmpfiles.d(5)
- # man:systemd-tmpfiles(8)
- # Process: 19272 ExecStart=/nix/store/2l33gg7nmncqkpysq9f5fxyhlw6ncm2j-systemd-217/bin/systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev (code=exited, status=1/FAILURE)
- # Main PID: 19272 (code=exited, status=1/FAILURE)
- #
- # Mar 16 10:29:17 cd systemd-tmpfiles[19272]: [/usr/lib/tmpfiles.d/legacy.conf:26] Unknown group 'lock'.
- # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal configured, ignoring.
- # Mar 16 10:29:18 cd systemd-tmpfiles[19272]: Two or more conflicting lines for /var/log/journal/7b35116927d74ea58785e00b47ac0f0d configured, ignoring.
- # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service: main process exited, code=exited, status=1/FAILURE
- # Mar 16 10:29:18 cd systemd[1]: Failed to start Create Volatile Files and Directories.
- # Mar 16 10:29:18 cd systemd[1]: Unit systemd-tmpfiles-setup.service entered failed state.
- # Mar 16 10:29:18 cd systemd[1]: systemd-tmpfiles-setup.service failed.
- # warning: error(s) occured while switching to the new configuration
- lock.gid = 10001;
- };
- }
{
+ imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+
boot.loader.grub = {
devices = [
"/dev/sda"
@@ -89,126 +36,103 @@ in {
boot.initrd.availableKernelModules = [
"ata_piix"
"vmw_pvscsi"
+ "ahci" "sd_mod"
];
+ boot.kernelModules = [ "kvm-intel" ];
+
fileSystems."/" = {
- device = "/dev/pool/nix";
+ device = "/dev/pool/nix_root";
fsType = "ext4";
};
- fileSystems."/boot" = {
- device = "/dev/disk/by-uuid/7ca12d8c-606d-41ce-b10d-62b654e50e36";
+ fileSystems."/tmp" = {
+ device = "tmpfs";
+ fsType = "tmpfs";
+ options = ["nosuid" "nodev" "noatime"];
};
fileSystems."/var/download" = {
device = "/dev/pool/download";
+ fsType = "ext4";
};
fileSystems."/srv/http" = {
device = "/dev/pool/http";
+ fsType = "ext4";
};
- fileSystems."/srv/o.ubikmedia.de-data" = {
- device = "/dev/pool/owncloud-ubik-data";
- };
-
- fileSystems."/bku" = {
- device = "/dev/pool/bku";
+ fileSystems."/home" = {
+ device = "/dev/pool/home";
+ fsType = "ext4";
};
- fileSystems."/tmp" = {
- device = "tmpfs";
- fsType = "tmpfs";
- options = ["nosuid" "nodev" "noatime"];
- };
+ swapDevices = [
+ { label = "swap1"; }
+ { label = "swap2"; }
+ ];
- }
- {
sound.enable = false;
- }
- {
nixpkgs.config.allowUnfree = true;
- }
- {
- #stuff for juhulian
- users.extraUsers.juhulian = {
- name = "juhulian";
- uid = 1339;
- home = "/home/juhulian";
- group = "users";
- createHome = true;
- useDefaultShell = true;
- extraGroups = [
- ];
- openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
- ];
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
- ];
- }
- {
- environment.systemPackages = [
- pkgs.perlPackages.Plack
- ];
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 8080"; target = "ACCEPT";}
- ];
- }
- {
- users.users.chat.openssh.authorizedKeys.keys = [
- "ssh-rsa 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 JuiceSSH"
- ];
- }
- {
time.timeZone = "Europe/Berlin";
}
+ <stockholm/lass/2configs/retiolum.nix>
+ <stockholm/lass/2configs/libvirt.nix>
{
+ services.nginx.enable = true;
imports = [
<stockholm/lass/2configs/websites/domsen.nix>
<stockholm/lass/2configs/websites/lassulus.nix>
];
+ # needed by domsen.nix ^^
+ lass.usershadow = {
+ enable = true;
+ };
+
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport http"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport https"; target = "ACCEPT"; }
];
}
- {
- services.tor = {
- enable = true;
+ { # TODO make new hfos.nix out of this vv
+ users.users.riot = {
+ uid = genid "riot";
+ isNormalUser = true;
+ extraGroups = [ "libvirtd" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
+ ];
};
- }
- {
- lass.ejabberd = {
- enable = true;
- hosts = [ "lassul.us" ];
+
+ # TODO write function for proxy_pass (ssl/nonssl)
+ services.nginx.virtualHosts."hackerfleet.de" = {
+ serverAliases = [
+ "*.hackerfleet.de"
+ ];
+ locations."/".extraConfig = ''
+ proxy_pass http://192.168.122.92:80;
+ '';
+ };
+ services.nginx.virtualHosts."hackerfleet.de-s" = {
+ serverName = "hackerfleet.de";
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ }
+ ];
+ serverAliases = [
+ "*.hackerfleet.de"
+ ];
+ locations."/".extraConfig = ''
+ proxy_pass http://192.168.122.92:443;
+ '';
};
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
- { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
- ];
- }
- {
- imports = [
- <stockholm/lass/2configs/realwallpaper.nix>
- ];
- services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
- alias /var/realwallpaper/realwallpaper.png;
- '';
- }
- {
- environment.systemPackages = with pkgs; [
- mk_sql_pair
- ];
}
{
users.users.tv = {
uid = genid "tv";
- inherit (config.krebs.users.tv) home;
- group = "users";
- createHome = true;
- useDefaultShell = true;
+ isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.tv.pubkey
];
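Review bot: The `hackerfleet.de-s` virtual host listens on port 443 with no TLS settings in the hunk (`listen` gives only `addr` and `port`) and forwards with `proxy_pass http://192.168.122.92:443;`, i.e. plain HTTP to the backend's HTTPS port. As written it is unclear where TLS is meant to terminate: either nginx should hold a certificate for hackerfleet.de and proxy with `https://`, or the connection should be passed through at TCP level rather than through an HTTP `location`. Separately, the new `riot` account is placed in `libvirtd`, which typically grants control over guests and the host storage behind them; a comment recording that this is intended would help. The enclosing imports list starts outside the hunk.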
@@ -222,56 +146,14 @@ in {
};
users.users.nin = {
uid = genid "nin";
- inherit (config.krebs.users.nin) home;
- group = "users";
- createHome = true;
- useDefaultShell = true;
+ isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.nin.pubkey
];
- extraGroups = [
- "libvirtd"
- ];
- };
- }
- {
- krebs.repo-sync.timerConfig = {
- OnBootSec = "15min";
- OnUnitInactiveSec = "90min";
- RandomizedDelaySec = "30min";
- };
- krebs.repo-sync.repos.stockholm.timerConfig = {
- OnBootSec = "5min";
- OnUnitInactiveSec = "2min";
- RandomizedDelaySec = "2min";
- };
- }
- {
- lass.usershadow = {
- enable = true;
- };
- }
- {
- krebs.Reaktor.prism = {
- nickname = "Reaktor|lass";
- channels = [ "#retiolum" ];
- extraEnviron = {
- REAKTOR_HOST = "ni.r";
- };
- plugins = with pkgs.ReaktorPlugins; [
- sed-plugin
- ];
};
- }
- {
- #stuff for dritter
users.extraUsers.dritter = {
- name = "dritter";
uid = genid "dritter";
- home = "/home/dritter";
- group = "users";
- createHome = true;
- useDefaultShell = true;
+ isNormalUser = true;
extraGroups = [
"download"
];
@@ -279,6 +161,13 @@ in {
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
];
};
+ users.extraUsers.juhulian = {
+ uid = 1339;
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
+ ];
+ };
}
{
#hotdog
@@ -327,7 +216,65 @@ in {
localAddress = "10.233.2.5";
};
}
+ <stockholm/lass/2configs/exim-smarthost.nix>
+ <stockholm/lass/2configs/ts3.nix>
+ <stockholm/lass/2configs/bitlbee.nix>
+ <stockholm/lass/2configs/weechat.nix>
+ <stockholm/lass/2configs/privoxy-retiolum.nix>
+ <stockholm/lass/2configs/radio.nix>
+ <stockholm/lass/2configs/repo-sync.nix>
+ <stockholm/lass/2configs/binary-cache/server.nix>
+ <stockholm/lass/2configs/iodined.nix>
+ <stockholm/lass/2configs/monitoring/server.nix>
+ <stockholm/lass/2configs/monitoring/monit-alarms.nix>
+ <stockholm/lass/2configs/paste.nix>
+ <stockholm/lass/2configs/syncthing.nix>
+ <stockholm/lass/2configs/reaktor-coders.nix>
+ <stockholm/lass/2configs/ciko.nix>
+ <stockholm/lass/2configs/container-networking.nix>
+ { # quasi bepasty.nix
+ imports = [
+ <stockholm/lass/2configs/bepasty.nix>
+ ];
+ krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
+ if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
+ return 403;
+ }
+ '';
+ }
+ {
+ services.tor = {
+ enable = true;
+ };
+ }
+ {
+ lass.ejabberd = {
+ enable = true;
+ hosts = [ "lassul.us" ];
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
+ ];
+ }
+ {
+ imports = [
+ <stockholm/lass/2configs/realwallpaper.nix>
+ ];
+ services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
+ alias /var/realwallpaper/realwallpaper.png;
+ '';
+ }
+ {
+ services.minecraft-server.enable = true;
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 25565"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport 25565"; target = "ACCEPT"; }
+ ];
+ }
];
krebs.build.host = config.krebs.hosts.prism;
+ # workaround because grub store paths are broken
+ boot.copyKernels = true;
}
diff --git a/lass/1systems/prism/source.nix b/lass/1systems/prism/source.nix
index 557fbf509..3dbd6c52b 100644
--- a/lass/1systems/prism/source.nix
+++ b/lass/1systems/prism/source.nix
@@ -1,3 +1,4 @@
+with import <stockholm/lib>;
import <stockholm/lass/source.nix> {
name = "prism";
}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index f6390ce4d..9d4ad8c6a 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -28,9 +28,19 @@ in {
'';
}
{ #font magic
- options.lass.myFont = mkOption {
- type = types.str;
- default = "-schumacher-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1";
+ options.lass.fonts = {
+ regular = mkOption {
+ type = types.str;
+ default = "xft:Hack-Regular:pixelsize=11,xft:Symbola";
+ };
+ bold = mkOption {
+ type = types.str;
+ default = "xft:Hack-Bold:pixelsize=11,xft:Symbola";
+ };
+ italic = mkOption {
+ type = types.str;
+ default = "xft:Hack-RegularOblique:pixelsize=11,xft:Symbol";
+ };
};
}
];
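Review bot: The `italic` default ends in `xft:Symbol` while `regular` and `bold` use `xft:Symbola`, and `symbola` is the font package added to `fonts.fonts` in the next hunk. This looks like a typo that leaves italic text without the intended fallback font. The same value appears in the helios override (`lass.fonts.italic` in lass/1systems/helios/config.nix). Suggested: `default = "xft:Hack-RegularOblique:pixelsize=11,xft:Symbola";`. The three new options also have no `description`, which would be worth adding.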
@@ -82,8 +92,11 @@ in {
termite
];
- fonts.fonts = [
- pkgs.xlibs.fontschumachermisc
+ fonts.fonts = with pkgs; [
+ hack-font
+ hasklig
+ symbola
+ xlibs.fontschumachermisc
];
services.xserver = {
diff --git a/lass/2configs/bepasty.nix b/lass/2configs/bepasty.nix
index b2d40d4f3..43647892f 100644
--- a/lass/2configs/bepasty.nix
+++ b/lass/2configs/bepasty.nix
@@ -31,7 +31,6 @@ in {
} //
genAttrs ext-doms (ext-dom: {
nginx = {
- enableSSL = true;
forceSSL = true;
enableACME = true;
};
diff --git a/lass/2configs/binary-cache/client.nix b/lass/2configs/binary-cache/client.nix
index 9dba5fbfb..b0e0a8b88 100644
--- a/lass/2configs/binary-cache/client.nix
+++ b/lass/2configs/binary-cache/client.nix
@@ -8,6 +8,7 @@
];
binaryCachePublicKeys = [
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
+ "cache.prism-2:YwmCm3/s/D+SxrPKN/ETjlpw/219pNUbpnluatp6FKI="
"hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
];
};
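Review bot: `cache.prism-1` stays in `binaryCachePublicKeys` next to the new `cache.prism-2`, so store paths signed with the old key are still accepted by every client that imports this file. If prism-1 is the key of the machine this commit keeps as archprism, I would add a comment such as `# cache.prism-1: old host, remove after migration`, or drop the entry once nothing is served under it. The attribute set this list belongs to starts outside the hunk.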
diff --git a/lass/2configs/copyq.nix b/lass/2configs/copyq.nix
index b255254f2..fa01a99c9 100644
--- a/lass/2configs/copyq.nix
+++ b/lass/2configs/copyq.nix
@@ -25,12 +25,15 @@ in {
environment = {
DISPLAY = ":0";
};
+ path = with pkgs; [
+ qt5.full
+ ];
serviceConfig = {
SyslogIdentifier = "copyq";
ExecStart = "${pkgs.copyq}/bin/copyq";
ExecStartPost = copyqConfig;
Restart = "always";
- RestartSec = "2s";
+ RestartSec = "15s";
StartLimitBurst = 0;
User = "lass";
};
diff --git a/lass/2configs/dcso-vpn.nix b/lass/2configs/dcso-vpn.nix
new file mode 100644
index 000000000..0a5623bf0
--- /dev/null
+++ b/lass/2configs/dcso-vpn.nix
@@ -0,0 +1,44 @@
+with import <stockholm/lib>;
+{ ... }:
+
+{
+
+ users.extraUsers = {
+ dcsovpn = rec {
+ name = "dcsovpn";
+ uid = genid "dcsovpn";
+ description = "user for running dcso openvpn";
+ home = "/home/${name}";
+ };
+ };
+
+ users.extraGroups.dcsovpn.gid = genid "dcsovpn";
+
+ services.openvpn.servers = {
+ dcso = {
+ config = ''
+ client
+ dev tun
+ tun-mtu 1356
+ mssfix
+ proto udp
+ float
+ remote 217.111.55.41 1194
+ nobind
+ user dcsovpn
+ group dcsovpn
+ persist-key
+ persist-tun
+ ca ${toString <secrets/dcsovpn/ca.pem>}
+ cert ${toString <secrets/dcsovpn/cert.pem>}
+ key ${toString <secrets/dcsovpn/cert.key>}
+ verb 3
+ mute 20
+ auth-user-pass ${toString <secrets/dcsovpn/login.txt>}
+ route-method exe
+ route-delay 2
+ '';
+ updateResolvConf = true;
+ };
+ };
+}
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index e96f4dc7e..f745dc4a1 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -119,6 +119,7 @@ with import <stockholm/lib>;
aria2
#neat utils
+ file
kpaste
krebspaste
mosh
diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix
index 0c96e6e91..e305145f5 100644
--- a/lass/2configs/dns-stuff.nix
+++ b/lass/2configs/dns-stuff.nix
@@ -4,7 +4,12 @@ with import <stockholm/lib>;
services.dnscrypt-proxy = {
enable = true;
localAddress = "127.1.0.1";
- resolverName = "cs-de";
+ customResolver = {
+ address = config.krebs.hosts.gum.nets.internet.ip4.addr;
+ port = 15251;
+ name = "2.dnscrypt-cert.euer.krebsco.de";
+ key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C";
+ };
};
services.dnsmasq = {
enable = true;
@@ -17,8 +22,6 @@ with import <stockholm/lib>;
all-servers
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
- address=/blog/127.0.0.1
- address=/blog/::1
rebind-domain-ok=/onion/
server=/.onion/127.0.0.1#9053
port=53
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index c9d7a369a..0b56f6f47 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -43,6 +43,8 @@ with import <stockholm/lib>;
{ from = "radio@lassul.us"; to = lass.mail; }
{ from = "btce@lassul.us"; to = lass.mail; }
{ from = "raf@lassul.us"; to = lass.mail; }
+ { from = "apple@lassul.us"; to = lass.mail; }
+ { from = "coinbase@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix
index 00f318e51..ad015180a 100644
--- a/lass/2configs/gc.nix
+++ b/lass/2configs/gc.nix
@@ -3,6 +3,6 @@
with import <stockholm/lib>;
{
nix.gc = {
- automatic = ! elem config.krebs.build.host.name [ "prism" "mors" ];
+ automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ];
};
}
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 3991acadc..4a2199b39 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -53,6 +53,10 @@ let
cgit.desc = "Good Music collection + tools";
cgit.section = "art";
};
+ nix-user-chroot = {
+ cgit.desc = "Fork of nix-user-chroot my lethalman";
+ cgit.section = "software";
+ };
} // mapAttrs make-public-repo-silent {
};
@@ -73,8 +77,8 @@ let
post-receive = pkgs.git-hooks.irc-announce {
# TODO make nick = config.krebs.build.host.name the default
nick = config.krebs.build.host.name;
- channel = "#retiolum";
- server = "ni.r";
+ channel = "#xxx";
+ server = "irc.r";
verbose = config.krebs.build.host.name == "prism";
# TODO define branches in some kind of option per repo
branches = [ "master" "staging*" ];
@@ -94,8 +98,8 @@ let
post-receive = pkgs.git-hooks.irc-announce {
# TODO make nick = config.krebs.build.host.name the default
nick = config.krebs.build.host.name;
- channel = "#retiolum";
- server = "ni.r";
+ channel = "#xxx";
+ server = "irc.r";
verbose = true;
# TODO define branches in some kind of option per repo
branches = [ "master" "staging*" ];
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 7a9881186..91127f737 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -74,12 +74,9 @@ let
virtual-mailboxes \
"Unread" "notmuch://?query=tag:unread"\
"INBOX" "notmuch://?query=tag:inbox \
- and NOT tag:killed \
- and NOT to:shackspace \
- and NOT to:c-base \
- and NOT from:security-alert@hpe.com \
and NOT to:nix-devel\
- and NOT to:radio"\
+ and NOT to:shackspace\
+ and NOT to:c-base" \
"shack" "notmuch://?query=to:shackspace"\
"c-base" "notmuch://?query=to:c-base"\
"security" "notmuch://?query=to:securityfocus or from:security-alert@hpe.com"\
diff --git a/lass/2configs/monitoring/monit-alarms.nix b/lass/2configs/monitoring/monit-alarms.nix
index 65b91a745..2cfc292e5 100644
--- a/lass/2configs/monitoring/monit-alarms.nix
+++ b/lass/2configs/monitoring/monit-alarms.nix
@@ -6,7 +6,7 @@ let
set -euf
export LOGNAME=prism-alarm
${pkgs.irc-announce}/bin/irc-announce \
- ni.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null
+ irc.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null
'';
in {
diff --git a/lass/2configs/monitoring/server.nix b/lass/2configs/monitoring/server.nix
index d1ff234ee..adaecde2c 100644
--- a/lass/2configs/monitoring/server.nix
+++ b/lass/2configs/monitoring/server.nix
@@ -29,7 +29,7 @@ with import <stockholm/lib>;
data="$(${pkgs.jq}/bin/jq -r .message)"
export LOGNAME=prism-alarm
${pkgs.irc-announce}/bin/irc-announce \
- ni.r 6667 prism-alarm \#noise "$data" >/dev/null
+ irc.r 6667 prism-alarm \#noise "$data" >/dev/null
'';
in {
enable = true;
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
index 5bd2f2f7f..1c253a6c5 100644
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@@ -3,7 +3,8 @@
{
krebs.per-user.lass.packages = with pkgs; [
pass
- gnupg1
+ gnupg
];
+ programs.gnupg.agent.enable = true;
}
diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix
index f0c0ebfee..f3ef23e67 100644
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
@@ -15,8 +15,8 @@ let
post-receive = pkgs.git-hooks.irc-announce {
nick = config.networking.hostName;
verbose = false;
- channel = "#retiolum";
- server = "ni.r";
+ channel = "#xxx";
+ server = "irc.r";
branches = [ "newest" ];
};
});
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/ca.pem
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.key
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/cert.pem
diff --git a/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/dcsovpn/login.txt
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index 7f36fcd90..698344b09 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -5,7 +5,7 @@ let
out = {
environment.systemPackages = [
(hiPrio vim)
- pkgs.pythonPackages.flake8
+ pkgs.python35Packages.flake8
];
environment.etc.vimrc.source = vimrc;
@@ -97,13 +97,17 @@ let
noremap <esc>[b <nop> | noremap! <esc>[b <nop>
noremap <esc>[c <nop> | noremap! <esc>[c <nop>
noremap <esc>[d <nop> | noremap! <esc>[d <nop>
- vnoremap u <nop>
+
+ let g:ackprg = 'ag --vimgrep'
+ cnoreabbrev Ack Ack!
'';
extra-runtimepath = concatMapStringsSep "," (pkg: "${pkg.rtp}") [
+ pkgs.vimPlugins.ack-vim
pkgs.vimPlugins.Gundo
pkgs.vimPlugins.Syntastic
pkgs.vimPlugins.undotree
+ pkgs.vimPlugins.vim-go
(pkgs.vimUtils.buildVimPlugin {
name = "file-line-1.0";
src = pkgs.fetchFromGitHub {
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 17c39a5f4..6e185a4d6 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -73,17 +73,6 @@ in {
allowKeysForGroup = true;
group = "lasscert";
};
- certs."cgit.lassul.us" = {
- email = "lassulus@gmail.com";
- webroot = "/var/lib/acme/acme-challenges";
- plugins = [
- "account_key.json"
- "key.pem"
- "fullchain.pem"
- ];
- group = "nginx";
- allowKeysForGroup = true;
- };
};
krebs.tinc_graphs.enable = true;
@@ -119,8 +108,8 @@ in {
];
services.nginx.virtualHosts."lassul.us" = {
+ addSSL = true;
enableACME = true;
- serverAliases = [ "lassul.us" ];
locations."/".extraConfig = ''
root /srv/http/lassul.us;
'';
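Review bot: `addSSL = true;` on the `lassul.us` vhost keeps serving the site over plain HTTP next to HTTPS, and the same choice is made for the `cgit` vhost in the following hunk. The removed `listen 80;` blocks did the same, so this is not a regression, but the move to `enableACME` is a good moment to redirect instead with `forceSSL = true;`. If some clients still need plain HTTP (the old nixpkgs URL in `lass/source.nix` was `http://cgit.lassul.us/...`), a short comment saying so would help. The vhost attribute set continues past the end of this hunk.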
@@ -158,30 +147,12 @@ in {
in ''
alias ${initscript};
'';
-
- enableSSL = true;
- extraConfig = ''
- listen 80;
- listen [::]:80;
- '';
- sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
};
services.nginx.virtualHosts.cgit = {
- serverAliases = [
- "cgit.lassul.us"
- ];
- locations."/.well-known/acme-challenge".extraConfig = ''
- root /var/lib/acme/acme-challenges;
- '';
- enableSSL = true;
- extraConfig = ''
- listen 80;
- listen [::]:80;
- '';
- sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
+ serverName = "cgit.lassul.us";
+ addSSL = true;
+ enableACME = true;
};
users.users.blog = {
diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix
index 7cb4b320e..2fffa6cc9 100644
--- a/lass/2configs/websites/sqlBackup.nix
+++ b/lass/2configs/websites/sqlBackup.nix
@@ -3,12 +3,13 @@
{
krebs.secret.files.mysql_rootPassword = {
path = "${config.services.mysql.dataDir}/mysql_rootPassword";
- owner.name = "root";
+ owner.name = "mysql";
source-path = toString <secrets> + "/mysql_rootPassword";
};
services.mysql = {
enable = true;
+ dataDir = "/var/mysql";
package = pkgs.mariadb;
rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
};
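Review bot: The root password file stays inside `services.mysql.dataDir` (now `/var/mysql`) and is owned by `mysql` after this change, so the database server process itself can read it, and anything that copies the data directory carries the plaintext password along. If the owner change is needed so the service can read the file at start-up, consider moving `path` outside the data directory and saying why `mysql` owns it in a comment, e.g. `# read by the mysql unit at first start; kept out of dataDir so dumps and copies do not include it`. Separately, setting `dataDir = "/var/mysql";` on a host that already has databases in the previous location presumably needs a manual migration, which should be noted here.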
diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix
index 1e5f2d177..d5496ac09 100644
--- a/lass/2configs/weechat.nix
+++ b/lass/2configs/weechat.nix
@@ -13,13 +13,19 @@ in {
uid = genid "chat";
useDefaultShell = true;
createHome = true;
- openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
- config.krebs.users.lass-shodan.pubkey
- config.krebs.users.lass-icarus.pubkey
+ openssh.authorizedKeys.keys = with config.krebs.users; [
+ lass.pubkey
+ lass-shodan.pubkey
+ lass-icarus.pubkey
+ lass-android.pubkey
];
};
+ # mosh
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
+ ];
+
#systemd.services.chat = {
# description = "chat environment setup";
# after = [ "network.target" ];
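Review bot: The new INPUT rule accepts UDP 60000:61000 from any source on every interface, which is a thousand open ports for what appears to be a single-user chat account. mosh uses one UDP port per session, so a much smaller range is enough, for instance `{ predicate = "-p udp --dport 60000:60010"; target = "ACCEPT"; }`, and clients can pin the range with `mosh -p`. The `# mosh` comment could also say which account it is for. The same hunk adds `lass-android.pubkey` to the authorized keys, so a phone key now reaches this account, which is a reason to keep the exposed surface small.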
diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix
index 2444d32d3..0d2b731ca 100644
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@@ -5,7 +5,7 @@ let
in {
krebs.per-user.wine.packages = with pkgs; [
- wineFull
+ wine
#(wineFull.override { wineBuild = "wine64"; })
];
users.users= {
diff --git a/lass/2configs/xresources.nix b/lass/2configs/xresources.nix
index adbcd353d..a3c54f3a1 100644
--- a/lass/2configs/xresources.nix
+++ b/lass/2configs/xresources.nix
@@ -8,8 +8,10 @@ let
URxvt*scrollBar: false
URxvt*urgentOnBell: true
URxvt*SaveLines: 4096
- URxvt*font: ${config.lass.myFont}
- URxvt*boldFont: ${config.lass.myFont}
+
+ URxvt.font: ${config.lass.fonts.regular}
+ URxvt.boldFont: ${config.lass.fonts.bold}
+ URxvt.italicFont: ${config.lass.fonts.italic}
! ref https://github.com/muennich/urxvt-perls
URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix
index b1fca08d3..68bcfa340 100644
--- a/lass/3modules/ejabberd/config.nix
+++ b/lass/3modules/ejabberd/config.nix
@@ -1,93 +1,129 @@
-{ config, ... }: with import <stockholm/lib>; let
- cfg = config.lass.ejabberd;
+with import <stockholm/lib>;
+{ config, ... }: let
- # XXX this is a placeholder that happens to work the default strings.
- toErlang = builtins.toJSON;
-in toFile "ejabberd.conf" ''
- {loglevel, 3}.
- {hosts, ${toErlang cfg.hosts}}.
- {listen,
- [
- {5222, ejabberd_c2s, [
- starttls,
- {certfile, ${toErlang cfg.certfile.path}},
- {access, c2s},
- {shaper, c2s_shaper},
- {max_stanza_size, 65536}
- ]},
- {5269, ejabberd_s2s_in, [
- {shaper, s2s_shaper},
- {max_stanza_size, 131072}
- ]},
- {5280, ejabberd_http, [
- captcha,
- http_bind,
- http_poll,
- web_admin
- ]}
- ]}.
- {s2s_use_starttls, required}.
- {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
- {auth_method, internal}.
- {shaper, normal, {maxrate, 1000}}.
- {shaper, fast, {maxrate, 50000}}.
- {max_fsm_queue, 1000}.
- {acl, local, {user_regexp, ""}}.
- {access, max_user_sessions, [{10, all}]}.
- {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
- {access, local, [{allow, local}]}.
- {access, c2s, [{deny, blocked},
- {allow, all}]}.
- {access, c2s_shaper, [{none, admin},
- {normal, all}]}.
- {access, s2s_shaper, [{fast, all}]}.
- {access, announce, [{allow, admin}]}.
- {access, configure, [{allow, admin}]}.
- {access, muc_admin, [{allow, admin}]}.
- {access, muc_create, [{allow, local}]}.
- {access, muc, [{allow, all}]}.
- {access, pubsub_createnode, [{allow, local}]}.
- {access, register, [{allow, local}]}.
- {language, "en"}.
- {modules,
- [
- {mod_adhoc, []},
- {mod_announce, [{access, announce}]},
- {mod_blocking,[]},
- {mod_caps, []},
- {mod_configure,[]},
- {mod_disco, []},
- {mod_irc, []},
- {mod_http_bind, []},
- {mod_last, []},
- {mod_muc, [
- {access, muc},
- {access_create, muc_create},
- {access_persistent, muc_create},
- {access_admin, muc_admin}
- ]},
- {mod_offline, [{access_max_user_messages, max_user_offline_messages}]},
- {mod_ping, []},
- {mod_privacy, []},
- {mod_private, []},
- {mod_pubsub, [
- {access_createnode, pubsub_createnode},
- {ignore_pep_from_offline, true},
- {last_item_cache, false},
- {plugins, ["flat", "hometree", "pep"]}
- ]},
- {mod_register, [
- {welcome_message, {"Welcome!",
- "Hi.\nWelcome to this XMPP server."}},
- {ip_access, [{allow, "127.0.0.0/8"},
- {allow, "0.0.0.0/0"}]},
- {access, register}
- ]},
- {mod_roster, []},
- {mod_shared_roster,[]},
- {mod_stats, []},
- {mod_time, []},
- {mod_vcard, []},
- {mod_version, []}
- ]}.
+ # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
+
+ ciphers = concatStringsSep ":" [
+ "ECDHE-ECDSA-AES256-GCM-SHA384"
+ "ECDHE-RSA-AES256-GCM-SHA384"
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ "ECDHE-RSA-CHACHA20-POLY1305"
+ "ECDHE-ECDSA-AES128-GCM-SHA256"
+ "ECDHE-RSA-AES128-GCM-SHA256"
+ "ECDHE-ECDSA-AES256-SHA384"
+ "ECDHE-RSA-AES256-SHA384"
+ "ECDHE-ECDSA-AES128-SHA256"
+ "ECDHE-RSA-AES128-SHA256"
+ ];
+
+ protocol_options = [
+ "no_sslv2"
+ "no_sslv3"
+ "no_tlsv1"
+ "no_tlsv1_10"
+ ];
+
+in /* yaml */ ''
+
+ access_rules:
+ announce:
+ - allow: admin
+ local:
+ - allow: local
+ configure:
+ - allow: admin
+ register:
+ - allow
+ s2s:
+ - allow
+ trusted_network:
+ - allow: loopback
+
+ acl:
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - "127.0.0.0/8"
+ - "::1/128"
+ - "::FFFF:127.0.0.1/128"
+
+ hosts: ${toJSON config.hosts}
+
+ language: "en"
+
+ listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ shaper: c2s_shaper
+ certfile: ${toJSON config.certfile.path}
+ ciphers: ${toJSON ciphers}
+ dhfile: ${toJSON config.dhfile.path}
+ protocol_options: ${toJSON protocol_options}
+ starttls: true
+ starttls_required: true
+ tls: false
+ tls_compression: false
+ max_stanza_size: 65536
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ shaper: s2s_shaper
+ max_stanza_size: 131072
+
+ loglevel: 4
+
+ modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce:
+ access: announce
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {}
+ mod_disco: {}
+ mod_echo: {}
+ mod_irc: {}
+ mod_bosh: {}
+ mod_last: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: {}
+ mod_privacy: {}
+ mod_private: {}
+ mod_register:
+ access_from: deny
+ access: register
+ ip_access: trusted_network
+ registration_watchers: ${toJSON config.registration_watchers}
+ mod_roster: {}
+ mod_shared_roster: {}
+ mod_stats: {}
+ mod_time: {}
+ mod_vcard:
+ search: false
+ mod_version: {}
+ mod_http_api: {}
+
+ s2s_access: s2s
+ s2s_certfile: ${toJSON config.s2s_certfile.path}
+ s2s_ciphers: ${toJSON ciphers}
+ s2s_dhfile: ${toJSON config.dhfile.path}
+ s2s_protocol_options: ${toJSON protocol_options}
+ s2s_tls_compression: false
+ s2s_use_starttls: required
+
+ shaper_rules:
+ max_user_offline_messages:
+ - 5000: admin
+ - 100
+ max_user_sessions: 10
+ c2s_shaper:
+ - none: admin
+ - normal
+ s2s_shaper: fast
''
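Review bot: `"no_tlsv1_10"` in `protocol_options` does not look like a valid option name; as far as I know the switch for TLS 1.1 is spelled `no_tlsv1_1`. If the unknown name is ignored, TLS 1.1 stays enabled on the c2s listener and, because the list is reused for `s2s_protocol_options`, on s2s as well; the line should read `"no_tlsv1_1"`, and it is worth checking the running server's offered protocol versions after deployment. Separately, `mod_http_api` and `mod_admin_extra` are loaded although the new `listen` section has no HTTP listener, so a comment on whether they are meant to be reachable would help.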
diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix
index e2fba5ff5..4838a9093 100644
--- a/lass/3modules/ejabberd/default.nix
+++ b/lass/3modules/ejabberd/default.nix
@@ -1,5 +1,16 @@
{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
cfg = config.lass.ejabberd;
+
+ gen-dhparam = pkgs.writeDash "gen-dhparam" ''
+ set -efu
+ path=$1
+ bits=2048
+ # TODO regenerate dhfile after some time?
+ if ! test -e "$path"; then
+ ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
+ fi
+ '';
+
in {
options.lass.ejabberd = {
enable = mkEnableOption "lass.ejabberd";
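Review bot: `gen-dhparam` can leave an empty or truncated file behind and then treat it as valid forever, because the shell redirect creates `$path` before `openssl dhparam` finishes and the guard only tests `-e`. This is made more likely by `TimeoutStartSec = 60` in the last hunk of this file, since generating 2048-bit parameters can take longer than that on slow hardware, and by the `dhfile` default with `source-path = "/dev/null"`, which may already install an empty file if the secret service handles it (not visible here). Testing for a non-empty file and writing atomically avoids both: `if ! test -s "$path"; then`, `${pkgs.openssl}/bin/openssl dhparam -out "$path.tmp" "$bits"`, `mv "$path.tmp" "$path"`. The existing TODO about regenerating the file could then note the intended interval.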
@@ -11,20 +22,36 @@ in {
source-path = "/var/lib/acme/lassul.us/full.pem";
};
};
+ dhfile = mkOption {
+ type = types.secret-file;
+ default = {
+ path = "${cfg.user.home}/dhparams.pem";
+ owner = cfg.user;
+ source-path = "/dev/null";
+ };
+ };
hosts = mkOption {
type = with types; listOf str;
};
pkgs.ejabberdctl = mkOption {
type = types.package;
default = pkgs.writeDashBin "ejabberdctl" ''
- set -efu
- export SPOOLDIR=${shell.escape cfg.user.home}
- export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)}
exec ${pkgs.ejabberd}/bin/ejabberdctl \
+ --config ${toFile "ejabberd.yaml" (import ./config.nix {
+ inherit pkgs;
+ config = cfg;
+ })} \
--logs ${shell.escape cfg.user.home} \
+ --spool ${shell.escape cfg.user.home} \
"$@"
'';
};
+ registration_watchers = mkOption {
+ type = types.listOf types.str;
+ default = [
+ config.krebs.users.tv.mail
+ ];
+ };
s2s_certfile = mkOption {
type = types.secret-file;
default = cfg.certfile;
@@ -50,12 +77,12 @@ in {
requires = [ "secret.service" ];
after = [ "network.target" "secret.service" ];
serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = "yes";
- PermissionsStartOnly = "true";
+ ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
+ ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
+ PermissionsStartOnly = true;
SyslogIdentifier = "ejabberd";
User = cfg.user.name;
- ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start";
+ TimeoutStartSec = 60;
};
};
diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix
index 46633ba1a..d04833255 100644
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@@ -4,9 +4,6 @@
nixpkgs.config.packageOverrides = rec {
acronym = pkgs.callPackage ./acronym/default.nix {};
dpass = pkgs.callPackage ./dpass {};
- ejabberd = pkgs.callPackage ./ejabberd {
- erlang = pkgs.erlangR16;
- };
firefoxPlugins = {
noscript = pkgs.callPackage ./firefoxPlugins/noscript.nix {};
ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {};
diff --git a/lass/5pkgs/ejabberd/default.nix b/lass/5pkgs/ejabberd/default.nix
deleted file mode 100644
index 3a77c5cd1..000000000
--- a/lass/5pkgs/ejabberd/default.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{stdenv, fetchurl, expat, erlang, zlib, openssl, pam, lib}:
-
-stdenv.mkDerivation rec {
- version = "2.1.13";
- name = "ejabberd-${version}";
- src = fetchurl {
- url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz";
- sha256 = "0vf8mfrx7vr3c5h3nfp3qcgwf2kmzq20rjv1h9sk3nimwir1q3d8";
- };
- buildInputs = [ expat erlang zlib openssl pam ];
- patchPhase = ''
- sed -i \
- -e "s|erl \\\|${erlang}/bin/erl \\\|" \
- -e 's|EXEC_CMD=\"sh -c\"|EXEC_CMD=\"${stdenv.shell} -c\"|' \
- src/ejabberdctl.template
- '';
- preConfigure = ''
- cd src
- '';
- configureFlags = ["--enable-pam"];
-
- meta = {
- description = "Open-source XMPP application server written in Erlang";
- license = stdenv.lib.licenses.gpl2;
- homepage = http://www.ejabberd.im;
- maintainers = [ lib.maintainers.sander ];
- };
-}
diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix
index 0a2945c21..997b60b8f 100644
--- a/lass/5pkgs/xmonad-lass.nix
+++ b/lass/5pkgs/xmonad-lass.nix
@@ -31,6 +31,7 @@ import XMonad.Actions.CycleWS (toggleWS)
import XMonad.Actions.DynamicWorkspaces ( addWorkspacePrompt, renameWorkspace, removeEmptyWorkspace)
import XMonad.Actions.DynamicWorkspaces (withWorkspace)
import XMonad.Actions.GridSelect (GSConfig(..), gridselectWorkspace, navNSearch)
+import XMonad.Actions.UpdatePointer (updatePointer)
import XMonad.Hooks.FloatNext (floatNext)
import XMonad.Hooks.FloatNext (floatNextHook)
import XMonad.Hooks.ManageDocks (avoidStruts, ToggleStruts(ToggleStruts))
@@ -47,11 +48,11 @@ import XMonad.Layout.SimpleFloat (simpleFloat)
import XMonad.Stockholm.Shutdown
-urxvtcPath :: FilePath
-urxvtcPath = "${pkgs.rxvt_unicode}/bin/urxvtc"
+myTerm :: FilePath
+myTerm = "${pkgs.rxvt_unicode}/bin/urxvtc"
myFont :: String
-myFont = "${config.lass.myFont}"
+myFont = "${config.lass.fonts.regular}"
main :: IO ()
main = getArgs >>= \case
@@ -63,14 +64,15 @@ mainNoArgs = do
xmonad'
$ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
$ def
- { terminal = urxvtcPath
- , modMask = mod4Mask
- , layoutHook = smartBorders $ myLayoutHook
- , manageHook = placeHook (smart (1,0)) <+> floatNextHook
+ { terminal = myTerm
+ , modMask = mod4Mask
+ , layoutHook = smartBorders $ myLayoutHook
+ , logHook = updatePointer (0.25, 0.25) (0.25, 0.25)
+ , manageHook = placeHook (smart (1,0)) <+> floatNextHook
, normalBorderColor = "#1c1c1c"
, focusedBorderColor = "#f000b0"
- , handleEventHook = handleShutdownEvent
- , workspaces = [ "dashboard" ]
+ , handleEventHook = handleShutdownEvent
+ , workspaces = [ "dashboard", "sys", "wp" ]
} `additionalKeysP` myKeyMap
myLayoutHook = defLayout
@@ -113,13 +115,13 @@ myKeyMap =
, ("M4-S-<Backspace>", removeEmptyWorkspace)
, ("M4-S-c", kill1)
, ("M4-<Esc>", toggleWS)
- , ("M4-S-<Enter>", spawn urxvtcPath)
- , ("M4-x", floatNext True >> spawn urxvtcPath)
+ , ("M4-S-<Enter>", spawn myTerm)
+ , ("M4-x", floatNext True >> spawn myTerm)
, ("M4-c", floatNext True >> spawn "${pkgs.termite}/bin/termite")
, ("M4-f", floatNext True)
, ("M4-b", sendMessage ToggleStruts)
- , ("M4-v", withWorkspace autoXPConfig (windows . W.view))
+ , ("M4-v", withWorkspace autoXPConfig (windows . W.greedyView))
, ("M4-S-v", withWorkspace autoXPConfig (windows . W.shift))
, ("M4-C-v", withWorkspace autoXPConfig (windows . copy))
@@ -131,12 +133,12 @@ myKeyMap =
, ("M4-S-q", return ())
- , ("M4-w", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show")
+ , ("M4-d", floatNext True >> spawn "${pkgs.copyq}/bin/copyq show")
- , ("M4-<F1>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1")
- , ("M4-<F2>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10")
- , ("M4-<F3>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33")
- , ("M4-<F4>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100")
+ , ("M4-<F5>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 1")
+ , ("M4-<F6>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 10")
+ , ("M4-<F7>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 33")
+ , ("M4-<F8>", spawn "${pkgs.xorg.xbacklight}/bin/xbacklight -set 100")
]
forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
diff --git a/lass/source.nix b/lass/source.nix
index 9cc08299b..bd0395bcd 100644
--- a/lass/source.nix
+++ b/lass/source.nix
@@ -9,13 +9,8 @@ in
{
nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix";
nixpkgs.git = {
- url = http://cgit.lassul.us/nixpkgs;
- # nixos-17.03
- # + copytoram:
- # 87a4615 & 334ac4f
- # + acme permissions for groups
- # fd7a8f1
- ref = "2d3b4fe";
+ url = https://github.com/nixos/nixpkgs;
+ ref = "68ef4b1";
};
secrets.file = getAttr builder {
buildbot = toString <stockholm/lass/2configs/tests/dummy-secrets>;
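Review bot: `ref = "68ef4b1";` pins nixpkgs by a 7-character abbreviated commit id, which can become ambiguous in a repository of that size and is a weaker pin than the full id. Moving the URL from `http://cgit.lassul.us/nixpkgs` to `https://github.com/nixos/nixpkgs` is a clear improvement for transport integrity, so it would be consistent to also write `ref = "<full 40-character commit id>";`. The removed comment listed local patches (copytoram, acme permissions for groups); a one-line comment stating which release branch `68ef4b1` belongs to, and that those patches are no longer needed, would keep that history. The attribute set continues outside this hunk.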
diff --git a/lib/types.nix b/lib/types.nix
index 70570a6b3..08dc0974e 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -92,7 +92,7 @@ rec {
default = null;
};
addrs = mkOption {
- type = listOf addr;
+ type = listOf cidr;
default =
optional (config.ip4 != null) config.ip4.addr ++
optional (config.ip6 != null) config.ip6.addr;
@@ -109,7 +109,7 @@ rec {
type = addr4;
};
prefix = mkOption ({
- type = str; # TODO routing prefix (CIDR)
+ type = cidr4;
} // optionalAttrs (config.name == "retiolum") {
default = "10.243.0.0/16";
});
@@ -125,7 +125,7 @@ rec {
apply = lib.normalize-ip6-addr;
};
prefix = mkOption ({
- type = str; # TODO routing prefix (CIDR)
+ type = cidr6;
} // optionalAttrs (config.name == "retiolum") {
default = "42::/16";
});
@@ -364,6 +364,26 @@ rec {
merge = mergeOneOption;
};
+ cidr = either cidr4 cidr6;
+ cidr4 = mkOptionType {
+ name = "CIDRv4 address";
+ check = let
+ CIDRv4address = let d = "([1-9]?[0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"; in
+ concatMapStringsSep "." (const d) (range 1 4) + "(/([1-2]?[0-9]|3[0-2]))?";
+ in
+ test CIDRv4address;
+ merge = mergeOneOption;
+ };
+ cidr6 = mkOptionType {
+ name = "CIDRv6 address";
+ check = let
+ # TODO check IPv6 address harder
+ CIDRv6address = "[0-9a-f.:]+(/([0-9][0-9]?|1[0-2][0-8]))?";
+ in
+ test CIDRv6address;
+ merge = mergeOneOption;
+ };
+
binary-cache-pubkey = str;
pgp-pubkey = str;
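Review bot: Both new CIDR checks accept or reject values they should not. In `cidr4` the octets are joined with `"."`, which in a regular expression matches any character, so a string such as `1x2x3x4` would pass, assuming `test` does a plain regex match; joining with `"[.]"` fixes that: `concatMapStringsSep "[.]" (const d) (range 1 4) + ...`. In `cidr6` the prefix alternative `1[0-2][0-8]` rejects `/109` and `/119`; `(/([0-9][0-9]?|1[01][0-9]|12[0-8]))?` covers 0 to 128. Since these types now validate `addrs` and the `prefix` options in the earlier hunks of this file, and the prefix length is optional in both patterns, a bare address is also accepted where a routing prefix is expected, which deserves a comment or a stricter type for `prefix`.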
diff --git a/makefu/1systems/cake/config.nix b/makefu/1systems/cake/config.nix
new file mode 100644
index 000000000..c287c28df
--- /dev/null
+++ b/makefu/1systems/cake/config.nix
@@ -0,0 +1,55 @@
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+ <stockholm/makefu>
+ <stockholm/makefu/2configs/tools/core.nix>
+# configure your hw:
+# <stockholm/makefu/2configs/save-diskspace.nix>
+ ];
+ users.extraUsers.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.tv.pubkey
+ ];
+ krebs = {
+ enable = true;
+ tinc.retiolum.enable = true;
+ build.host = config.krebs.hosts.cake;
+ };
+ boot.loader.grub.enable = false;
+ boot.loader.generic-extlinux-compatible.enable = true;
+ boot.kernelPackages = pkgs.linuxPackages_latest;
+ boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=tty0" ];
+
+ programs.info.enable = false;
+ programs.man.enable = false;
+ services.nixosManual.enable = false;
+ boot.tmpOnTmpfs = lib.mkForce false;
+
+ hardware.enableRedistributableFirmware = true;
+ hardware.firmware = [
+ (pkgs.stdenv.mkDerivation {
+ name = "broadcom-rpi3-rest";
+ src = pkgs.fetchurl {
+ url = "https://raw.githubusercontent.com/RPi-Distro/firmware-nonfree/54bab3d/brcm80211/brcm/brcmfmac43430-sdio.txt";
+ sha256 = "19bmdd7w0xzybfassn7x4rb30l70vynnw3c80nlapna2k57xwbw7";
+ };
+ phases = [ "installPhase" ];
+ installPhase = ''
+ mkdir -p $out/lib/firmware/brcm
+ cp $src $out/lib/firmware/brcm/brcmfmac43430-sdio.txt
+ '';
+ })
+ ];
+ networking.wireless.enable = true;
+
+# File systems configuration for using the installer's partition layout
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/disk/by-label/NIXOS_BOOT";
+ fsType = "vfat";
+ };
+ "/" = {
+ device = "/dev/disk/by-label/NIXOS_SD";
+ fsType = "ext4";
+ };
+ };
+}
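Review bot: `users.extraUsers.root.openssh.authorizedKeys.keys` grants root login on this host to `config.krebs.users.tv.pubkey` without any comment, while the file lives under `makefu/1systems`. If that is intentional, say so next to the list, e.g. `# root access for tv: <reason>`, so that the next reader does not mistake it for a copy-and-paste leftover. Whether the owner's own key is added elsewhere through the `<stockholm/makefu>` import is not visible in this file. The firmware fetch is pinned by `sha256`, which is good practice for a file pulled from a raw GitHub URL.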
diff --git a/makefu/1systems/cake/source.nix b/makefu/1systems/cake/source.nix
new file mode 100644
index 000000000..cd97a7c62
--- /dev/null
+++ b/makefu/1systems/cake/source.nix
@@ -0,0 +1,4 @@
+import <stockholm/makefu/source.nix> {
+ name="cake";
+ full = true;
+}
diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix
index 2f288e708..e769b1e22 100644
--- a/makefu/1systems/gum/config.nix
+++ b/makefu/1systems/gum/config.nix
@@ -40,10 +40,11 @@ in {
# services
<stockholm/makefu/2configs/share/gum.nix>
<stockholm/makefu/2configs/sabnzbd.nix>
- # <stockholm/makefu/2configs/torrent.nix>
+ <stockholm/makefu/2configs/torrent.nix>
<stockholm/makefu/2configs/iodined.nix>
<stockholm/makefu/2configs/vpn/openvpn-server.nix>
<stockholm/makefu/2configs/dnscrypt/server.nix>
+ <stockholm/makefu/2configs/remote-build/slave.nix>
## Web
<stockholm/makefu/2configs/nginx/share-download.nix>
@@ -74,10 +75,15 @@ in {
<stockholm/makefu/2configs/stats/client.nix>
# <stockholm/makefu/2configs/logging/client.nix>
+ # Temporary:
+ <stockholm/makefu/2configs/temp/rst-issue.nix>
+
];
makefu.dl-dir = "/var/download";
-
+ services.openssh.hostKeys = [
+ { bits = 4096; path = <secrets/ssh_host_rsa_key>; type = "rsa"; }
+ { path = <secrets/ssh_host_ed25519_key>; type = "ed25519"; } ];
###### stable
services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
krebs.build.host = config.krebs.hosts.gum;
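Review bot: `path = <secrets/ssh_host_rsa_key>;` and `path = <secrets/ssh_host_ed25519_key>;` are Nix path values, and if the openssh module interpolates `path` into the generated sshd configuration, Nix copies the referenced files into the world-readable store. That would leave the host's private keys readable by every local user and part of any store copy. Other files in this commit build secret paths as strings (`toString <secrets> + "/mysql_rootPassword"`), and the same form is safer here: `path = toString <secrets/ssh_host_rsa_key>;` and likewise for the ed25519 key. The surrounding attribute set starts and ends outside this hunk.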
@@ -143,6 +149,8 @@ in {
53589
# temp vnc
18001
+ # temp reverseshell
+ 31337
];
allowedUDPPorts = [
# tinc
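Review bot: TCP port 31337, commented as `# temp reverseshell`, is added to the persistent firewall allow-list next to the existing `# temp vnc` entry, with no owner or removal date. Ports opened for a one-off session tend to stay open once they are in the committed configuration, and nothing here restricts the source address. Either leave it out of the repository and open it ad hoc, or mark it so it gets removed, e.g. `# TODO remove after <date>: temporary listener`. The `allowedTCPPorts` list begins outside this hunk.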
diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix
new file mode 100644
index 000000000..3b06660c6
--- /dev/null
+++ b/makefu/1systems/latte/config.nix
@@ -0,0 +1,54 @@
+{ config, pkgs, ... }:
+let
+
+ # external-ip = config.krebs.build.host.nets.internet.ip4.addr;
+ # internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
+ # default-gw = "185.215.224.1";
+ # prefixLength = 24;
+ # external-mac = "46:5b:fc:f4:44:c9";
+ # ext-if = "et0";
+in {
+
+ imports = [
+ <stockholm/makefu>
+ # configure your hw:
+ <stockholm/makefu/2configs/hw/CAC.nix>
+ <stockholm/makefu/2configs/tinc/retiolum.nix>
+ <stockholm/makefu/2configs/save-diskspace.nix>
+
+ # Security
+ <stockholm/makefu/2configs/sshd-totp.nix>
+ <stockholm/makefu/2configs/stats/client.nix>
+
+ # Tools
+ <stockholm/makefu/2configs/tools/core.nix>
+ <stockholm/makefu/2configs/vim.nix>
+ <stockholm/makefu/2configs/zsh-user.nix>
+ # Services
+ <stockholm/makefu/2configs/remote-build/slave.nix>
+ <stockholm/makefu/2configs/torrent.nix>
+
+ ];
+ krebs = {
+ enable = true;
+ build.host = config.krebs.hosts.latte;
+ };
+ boot.initrd.availableKernelModules = [ "ata_piix" "ehci_pci" "virtio_pci" "virtio_blk" "virtio_net" "virtio_scsi" ];
+
+ boot.loader.grub.device = "/dev/vda";
+ boot.loader.grub.copyKernels = true;
+ fileSystems."/" = {
+ device = "/dev/vda1";
+ fsType = "ext4";
+ };
+ networking = {
+ firewall = {
+ allowPing = true;
+ logRefusedConnections = false;
+ allowedTCPPorts = [ ];
+ allowedUDPPorts = [ 655 ];
+ };
+ # network interface receives dhcp address
+ nameservers = [ "8.8.8.8" ];
+ };
+}
diff --git a/makefu/1systems/latte/source.nix b/makefu/1systems/latte/source.nix
new file mode 100644
index 000000000..d9600909a
--- /dev/null
+++ b/makefu/1systems/latte/source.nix
@@ -0,0 +1,4 @@
+import <stockholm/makefu/source.nix> {
+ name = "latte";
+ torrent = true;
+}
diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix
index 32cd3f900..a22ff10bd 100644
--- a/makefu/1systems/omo/config.nix
+++ b/makefu/1systems/omo/config.nix
@@ -65,6 +65,8 @@ in {
# services
<stockholm/makefu/2configs/syncthing.nix>
<stockholm/makefu/2configs/mqtt.nix>
+ <stockholm/makefu/2configs/remote-build/slave.nix>
+
# security
<stockholm/makefu/2configs/sshd-totp.nix>
diff --git a/makefu/1systems/pnp/config.nix b/makefu/1systems/pnp/config.nix
index 5fbaaabc7..6c9fc0606 100644
--- a/makefu/1systems/pnp/config.nix
+++ b/makefu/1systems/pnp/config.nix
@@ -34,10 +34,11 @@
krebs.Reaktor.debug = {
debug = true;
extraEnviron = {
- REAKTOR_HOST = "ni.r";
+ # TODO: remove hard-coded server
+ REAKTOR_HOST = "irc.r";
};
plugins = with pkgs.ReaktorPlugins; [ stockholm-issue nixos-version sed-plugin ];
- channels = [ "#retiolum" ];
+ channels = [ "#xxx" ];
};
krebs.build.host = config.krebs.hosts.pnp;
diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix
index b776b49d6..3a53b70cb 100644
--- a/makefu/1systems/wbob/config.nix
+++ b/makefu/1systems/wbob/config.nix
@@ -25,7 +25,9 @@ in {
# <stockholm/makefu/2configs/audio/realtime-audio.nix>
# <stockholm/makefu/2configs/vncserver.nix>
<stockholm/makefu/2configs/temp/rst-issue.nix>
- ];
+ # Services
+ <stockholm/makefu/2configs/remote-build/slave.nix>
+ ];
krebs = {
enable = true;
@@ -33,10 +35,48 @@ in {
};
swapDevices = [ { device = "/var/swap"; } ];
+ services.collectd.extraConfig = lib.mkAfter ''
+ #LoadPlugin ping
+ # does not work because it requires privileges
+ #<Plugin "ping">
+ # Host "google.de"
+ # Host "heise.de"
+ #</Plugin>
+
+ LoadPlugin curl
+ <Plugin curl>
+ TotalTime true
+ NamelookupTime true
+ ConnectTime true
+
+ <Page "google">
+ MeasureResponseTime true
+ MeasureResponseCode true
+ URL "https://google.de"
+ </Page>
+
+ <Page "webde">
+ MeasureResponseTime true
+ MeasureResponseCode true
+ URL "http://web.de"
+ </Page>
+
+ </Plugin>
+ #LoadPlugin netlink
+ #<Plugin "netlink">
+ # Interface "enp0s25"
+ # Interface "wlp2s0"
+ # IgnoreSelected false
+ #</Plugin>
+ '';
networking.firewall.allowedUDPPorts = [ 655 ];
- networking.firewall.allowedTCPPorts = [ 655 49152 ];
+ networking.firewall.allowedTCPPorts = [
+ 655
+ 8081 #smokeping
+ 49152
+ ];
networking.firewall.trustedInterfaces = [ "enp0s25" ];
#services.tinc.networks.siem = {
# name = "display";
@@ -90,4 +130,66 @@ in {
serverAddress = "x.r";
};
};
+ security.wrappers.fping = {
+ source = "${pkgs.fping}/bin/fping";
+ setuid = true;
+ };
+ services.smokeping = {
+ enable = true;
+ targetConfig = ''
+ probe = FPing
+ menu = Top
+ title = Network Latency Grapher
+ remark = Welcome to this SmokePing website.
+
+ + network
+ menu = Net latency
+ title = Network latency (ICMP pings)
+
+ ++ google
+ probe = FPing
+ host = google.de
+ ++ webde
+ probe = FPing
+ host = web.de
+
+ + services
+ menu = Service latency
+ title = Service latency (DNS, HTTP)
+
+ ++ HTTP
+ menu = HTTP latency
+ title = Service latency (HTTP)
+
+ +++ webdeping
+ probe = EchoPingHttp
+ host = web.de
+
+ +++ googwebping
+ probe = EchoPingHttp
+ host = google.de
+
+ #+++ webwww
+ #probe = Curl
+ #host = web.de
+
+ #+++ googwebwww
+ #probe = Curl
+ #host = google.de
+ '';
+ probeConfig = ''
+ + FPing
+ binary = /run/wrappers/bin/fping
+ + EchoPingHttp
+ pings = 5
+ url = /
+
+ #+ Curl
+ ## probe-specific variables
+ #binary = ${pkgs.curl}/bin/curl
+ #step = 60
+ ## a default for this target-specific variable
+ #urlformat = http://%host%/
+ '';
+ };
}
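Review bot: `security.wrappers.fping` installs fping setuid root for every local user, although sending ICMP only needs the raw-socket capability. The wrapper option supports capabilities, so the narrower form should work: `security.wrappers.fping = { source = "${pkgs.fping}/bin/fping"; capabilities = "cap_net_raw+p"; };`. The smokeping `probeConfig` already points at `/run/wrappers/bin/fping`, so nothing else in this hunk has to change. The earlier hunk in this file also opens TCP 8081 for smokeping on all interfaces; a comment on which network is meant to reach it would be useful.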
diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix
index 892eb1095..f7db75564 100644
--- a/makefu/1systems/x/config.nix
+++ b/makefu/1systems/x/config.nix
@@ -57,6 +57,7 @@ with import <stockholm/lib>;
<stockholm/makefu/2configs/tor.nix>
<stockholm/makefu/2configs/vpn/vpngate.nix>
# <stockholm/makefu/2configs/buildbot-standalone.nix>
+ # <stockholm/makefu/2configs/remote-build/master.nix>
# Hardware
<stockholm/makefu/2configs/hw/tp-x230.nix>
diff --git a/makefu/2configs/binary-cache/lass.nix b/makefu/2configs/binary-cache/lass.nix
index 4813eeb0f..46b386e14 100644
--- a/makefu/2configs/binary-cache/lass.nix
+++ b/makefu/2configs/binary-cache/lass.nix
@@ -7,6 +7,7 @@
];
binaryCachePublicKeys = [
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
+ "cache.prism-2:YwmCm3/s/D+SxrPKN/ETjlpw/219pNUbpnluatp6FKI="
];
};
}
diff --git a/makefu/2configs/deployment/led-fader.nix b/makefu/2configs/deployment/led-fader.nix
index 678370c69..4c17a1d50 100644
--- a/makefu/2configs/deployment/led-fader.nix
+++ b/makefu/2configs/deployment/led-fader.nix
@@ -29,11 +29,11 @@ in {
environment = {
NIX_PATH = "/var/src";
};
- # after = [ (lib.optional config.services.mosqitto.enable "mosquitto.service") ];
+ after = [ "network-online.target" ] ++ (lib.optional config.services.mosquitto.enable "mosquitto.service");
wantedBy = [ "multi-user.target" ];
- after = [ "network-online.target" ];
serviceConfig = {
# User = "nobody"; # need a user with permissions to run nix-shell
+ ExecStartPre = pkgs.writeDash "sleep.sh" "sleep 2";
ExecStart = "${pkg}/bin/ampel 4 ${pkg}/share/times.json";
PrivateTmp = true;
};
diff --git a/makefu/2configs/git/brain-retiolum.nix b/makefu/2configs/git/brain-retiolum.nix
index 05754dc7f..3be3fccef 100644
--- a/makefu/2configs/git/brain-retiolum.nix
+++ b/makefu/2configs/git/brain-retiolum.nix
@@ -19,9 +19,9 @@ let
post-receive = pkgs.git-hooks.irc-announce {
nick = config.networking.hostName;
verbose = true;
- channel = "#retiolum";
+ channel = "#xxx";
# TODO remove the hardcoded hostname
- server = "ni.r";
+ server = "irc.r";
};
};
};
diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix
index 30c0b0b87..da246f66a 100644
--- a/makefu/2configs/git/cgit-retiolum.nix
+++ b/makefu/2configs/git/cgit-retiolum.nix
@@ -24,6 +24,7 @@ let
cac-api = { };
euer_blog = { };
ampel = { };
+ europastats = { };
init-stockholm = {
cgit.desc = "Init stuff for stockholm";
};
@@ -56,9 +57,9 @@ let
post-receive = pkgs.git-hooks.irc-announce {
nick = config.networking.hostName;
verbose = config.krebs.build.host.name == "gum";
- channel = "#retiolum";
+ channel = "#xxx";
# TODO remove the hardcoded hostname
- server = "ni.r";
+ server = "irc.r";
};
};
};
@@ -67,7 +68,7 @@ let
# TODO: get the list of all krebsministers
krebsminister = with config.krebs.users; [ lass tv ];
- all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp makefu-vbob makefu-tempx ];
+ all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp makefu-vbob makefu-tempx makefu-android ];
all-exco = with config.krebs.users; [ exco ];
priv-rules = repo: set-owners repo all-makefu;
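Review bot: Adding `makefu-android` to `all-makefu` gives the phone key the same standing as the workstation keys, and `priv-rules = repo: set-owners repo all-makefu;` two lines below uses that list as the owner set for private repositories. A handset is easier to lose than the other hosts, so consider leaving it out of the owner list and giving it a narrower rule. Otherwise record the decision next to the list: `# makefu-android: phone key, owner on all priv repos; remove here if the device is lost`. What `set-owners` grants is defined outside this hunk.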
diff --git a/makefu/2configs/gui/base.nix b/makefu/2configs/gui/base.nix
index 0247010b1..daa0282b8 100644
--- a/makefu/2configs/gui/base.nix
+++ b/makefu/2configs/gui/base.nix
@@ -58,7 +58,7 @@ in
hardware.pulseaudio = {
enable = true;
- systemWide = true;
+ # systemWide = true;
};
services.xserver.displayManager.sessionCommands = let
xdefaultsfile = pkgs.writeText "Xdefaults" ''
diff --git a/makefu/2configs/remote-build/master.nix b/makefu/2configs/remote-build/master.nix
new file mode 100644
index 000000000..4ad2c5ed8
--- /dev/null
+++ b/makefu/2configs/remote-build/master.nix
@@ -0,0 +1,14 @@
+{ pkgs, ...}:
+let
+ sshKey = (toString <secrets>) + "/id_nixBuild";
+in {
+ nix.distributedBuilds = true;
+ # TODO: iterate over krebs.hosts
+ nix.buildMachines = map ( hostName:
+ { inherit hostName sshKey;
+ sshUser = "nixBuild";
+ system = "x86_64-linux";
+ maxJobs = 1;
+ }) [ "omo.r" "gum.r" "latte.r" ];
+ # puyak.r "wbob.r"
+}
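Review bot: The builders are named only as `omo.r`, `gum.r` and `latte.r`, and nothing in this file pins their SSH host keys, so whether the master verifies which machine it hands builds to depends on configuration not shown here. Build results from these hosts end up in the master's store, so the requirement should be stated in the file, e.g. `# builder host keys must be pinned (programs.ssh.knownHosts)`. The `# TODO: iterate over krebs.hosts` would turn every known host into a builder; the explicit list used now is the safer default, and the comment could say that instead. The trailing `# puyak.r "wbob.r"` has unbalanced quoting and would read better as `# not yet: "puyak.r" "wbob.r"`.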
diff --git a/makefu/2configs/remote-build/slave.nix b/makefu/2configs/remote-build/slave.nix
new file mode 100644
index 000000000..b6e000a34
--- /dev/null
+++ b/makefu/2configs/remote-build/slave.nix
@@ -0,0 +1,11 @@
+{
+ nix.trustedUsers = [ "nixBuild" ];
+ users.users.nixBuild = {
+ name = "nixBuild";
+ useDefaultShell = true;
+ # TODO: put this somewhere else
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlhb0TIBW9RN9T8Is4YRIc1RjOg+cxbZCaDjbM4zxrX nixBuild"
+ ];
+ };
+}
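Review bot: `nix.trustedUsers = [ "nixBuild" ]`, together with `useDefaultShell = true` and an `authorizedKeys` entry that carries no options, means whoever holds `id_nixBuild` gets an interactive login and trusted access to the Nix daemon on every slave. A trusted user can import unsigned store paths, which is close to root on that machine. The key only has to run the remote-build commands, so it can be limited with key options: `"restrict ssh-ed25519 <public key as in this file> nixBuild"`. This needs OpenSSH 7.2 or newer; confirm that a remote build still connects. master.nix uses the same private key for all three builders, so the `# TODO: put this somewhere else` comment should also say where the key lives and how it is rotated.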
diff --git a/makefu/2configs/stats/server.nix b/makefu/2configs/stats/server.nix
index 8f9935658..7548c733e 100644
--- a/makefu/2configs/stats/server.nix
+++ b/makefu/2configs/stats/server.nix
@@ -2,6 +2,8 @@
with import <stockholm/lib>;
let
+ irc-server = "rc.r";
+ irc-nick = "m-alarm";
collectd-port = 25826;
influx-port = 8086;
grafana-port = 3000; # TODO nginx forward
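Review bot: `irc-server = "rc.r";` looks like a typo for `irc.r`, the server name this same commit sets in brain-retiolum.nix and cgit-retiolum.nix. The `irc-announce` call in the second hunk of this file discards its standard output with `>/dev/null`, so a wrong host name could leave alarms undelivered with little to show for it. If `irc.r` is what was meant, the line should read `irc-server = "irc.r";`. The channel `\#noise` is still hard-coded in that second hunk and could become an `irc-channel` binding next to the two added here.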
@@ -37,9 +39,9 @@ in {
echoToIrc = pkgs.writeDash "echo_irc" ''
set -euf
data="$(${pkgs.jq}/bin/jq -r .message)"
- export LOGNAME=malarm
+ export LOGNAME=${irc-nick}
${pkgs.irc-announce}/bin/irc-announce \
- irc.freenode.org 6667 malarm \#krebs-bots "$data" >/dev/null
+ ${irc-server} 6667 ${irc-nick} \#noise "$data" >/dev/null
'';
in {
enable = true;
diff --git a/makefu/2configs/stats/telegraf/europastats.nix b/makefu/2configs/stats/telegraf/europastats.nix
index 9249280c5..2ab62766a 100644
--- a/makefu/2configs/stats/telegraf/europastats.nix
+++ b/makefu/2configs/stats/telegraf/europastats.nix
@@ -4,7 +4,7 @@ let
rev = "be31da7";
name = "europastats-${rev}";
propagatedBuildInputs = [
- requests2
+ requests
docopt
];
src = pkgs.fetchgit {
diff --git a/makefu/2configs/tools/core-gui.nix b/makefu/2configs/tools/core-gui.nix
index 0538647ae..2f80b08c9 100644
--- a/makefu/2configs/tools/core-gui.nix
+++ b/makefu/2configs/tools/core-gui.nix
@@ -13,7 +13,6 @@
keepassx
pcmanfm
evince
- skype
mirage
tightvnc
gnome3.dconf
diff --git a/makefu/2configs/tools/dev.nix b/makefu/2configs/tools/dev.nix
index 6681484fd..d3d50c433 100644
--- a/makefu/2configs/tools/dev.nix
+++ b/makefu/2configs/tools/dev.nix
@@ -16,5 +16,6 @@
whatsupnix
brain
gen-oath-safe
+ cdrtools
];
}
diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix
index b2d616764..bcc068d82 100644
--- a/makefu/2configs/tools/extra-gui.nix
+++ b/makefu/2configs/tools/extra-gui.nix
@@ -6,7 +6,7 @@
gimp
inkscape
libreoffice
- skype
+ # skype
synergy
tdesktop
virtmanager
diff --git a/makefu/2configs/tools/sec-gui.nix b/makefu/2configs/tools/sec-gui.nix
index 2db3e4391..95f130ae8 100644
--- a/makefu/2configs/tools/sec-gui.nix
+++ b/makefu/2configs/tools/sec-gui.nix
@@ -1,8 +1,15 @@
{ pkgs, ... }:
{
- krebs.per-user.makefu.packages = with pkgs; [
- tpmmanager
- wireshark
- ];
+ users.users.makefu = {
+ extraGroups = [ "wireshark" ];
+ packages = with pkgs; [
+ tpmmanager
+ ];
+ };
+
+ programs.wireshark = {
+ enable = true;
+ package = pkgs.wireshark;
+ };
}
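Review bot: `extraGroups = [ "wireshark" ]` together with `programs.wireshark.enable = true` lets makefu capture traffic on the machine's interfaces without sudo, through the dumpcap wrapper the module installs. That is preferable to running the GUI as root, but it is a standing privilege that the file does not mention. A comment on the group line would make that visible, e.g. `# wireshark group: may run dumpcap with capture capabilities`. `package = pkgs.wireshark;` presumably selects the GUI build over the module default; a short comment saying so keeps it from being removed as redundant.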
diff --git a/makefu/2configs/tools/steam.nix b/makefu/2configs/tools/steam.nix
index dbe51270d..048c1d1a3 100644
--- a/makefu/2configs/tools/steam.nix
+++ b/makefu/2configs/tools/steam.nix
@@ -1,9 +1,7 @@
{pkgs, ...}:
{
- environment.systemPackages = [
- (pkgs.steam.override {
- newStdcpp = true;
- })
+ users.users.makefu.packages = [
+ pkgs.steam
];
hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.support32Bit = true;
diff --git a/makefu/2configs/urlwatch/default.nix b/makefu/2configs/urlwatch/default.nix
index 47b5d7fc3..677950f43 100644
--- a/makefu/2configs/urlwatch/default.nix
+++ b/makefu/2configs/urlwatch/default.nix
@@ -24,13 +24,18 @@ in {
# pypi
https://pypi.python.org/simple/bepasty/
- https://pypi.python.org/simple/xstatic/
https://pypi.python.org/simple/devpi-client/
+ https://pypi.python.org/simple/oslo.config/
+ https://pypi.python.org/simple/sqlalchemy_migrate/
+ https://pypi.python.org/simple/xstatic/
+ https://pypi.python.org/simple/pyserial/
+ https://pypi.python.org/simple/semantic_version/
# weird shit
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
+ http://www.iozone.org/src/current/
{
url = https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ;
diff --git a/makefu/2configs/vim.nix b/makefu/2configs/vim.nix
index 9f3a59717..43d362ed9 100644
--- a/makefu/2configs/vim.nix
+++ b/makefu/2configs/vim.nix
@@ -127,6 +127,7 @@ in {
{ names = [ "undotree"
# "YouCompleteMe"
"vim-better-whitespace" ]; }
+ # vim-nix handles indentation better but does not perform sanity
{ names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; }
];
diff --git a/makefu/2configs/vpn/openvpn-server.nix b/makefu/2configs/vpn/openvpn-server.nix
index 1e7edbf78..79754264f 100644
--- a/makefu/2configs/vpn/openvpn-server.nix
+++ b/makefu/2configs/vpn/openvpn-server.nix
@@ -1,13 +1,13 @@
{ config, pkgs, ... }:
let
- out-itf = config.makefu.server.primary-itf;
- # generate via openvpn --genkey --secret static.key
- client-key = (toString <secrets>) + "/openvpn-laptop.key";
+ out-itf = config.makefu.server.primary-itf;
+ # generate via openvpn --genkey --secret static.key
+ client-key = (toString <secrets>) + "/openvpn-laptop.key";
# domain = "vpn.euer.krebsco.de";
domain = "gum.krebsco.de";
dev = "tun0";
port = 1194;
- tcp-port = 3306;
+ tcp-port = 3306;
in {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
networking.nat = {
diff --git a/makefu/3modules/server-config.nix b/makefu/3modules/server-config.nix
index 846642580..9cac59205 100644
--- a/makefu/3modules/server-config.nix
+++ b/makefu/3modules/server-config.nix
@@ -1,15 +1,14 @@
{config, lib, pkgs, ... }:
-with import <stockholm/lib>;
-{
+with lib;{
options.makefu.server.primary-itf = lib.mkOption {
- type = types.str;
- description = "Primary interface of the server";
- };
+ type = types.str;
+ description = "Primary interface of the server";
+ };
options.makefu.gui.user = lib.mkOption {
- type = types.str;
- description = "GUI user";
+ type = types.str;
+ description = "GUI user";
default = config.krebs.build.user.name;
- };
+ };
}
diff --git a/makefu/3modules/wvdial.nix b/makefu/3modules/wvdial.nix
index 982f4a7db..1ed929ed4 100644
--- a/makefu/3modules/wvdial.nix
+++ b/makefu/3modules/wvdial.nix
@@ -1,5 +1,6 @@
+# Global configuration for wvdial.
+
{ config, lib, pkgs, ... }:
-# from 17.03/nixos/modules/programs/wvdial.nix
with lib;
diff --git a/makefu/5pkgs/beef/Gemfile b/makefu/5pkgs/beef/Gemfile
new file mode 100644
index 000000000..1420feffd
--- /dev/null
+++ b/makefu/5pkgs/beef/Gemfile
@@ -0,0 +1,97 @@
+# BeEF's Gemfile
+
+#
+# Copyright (c) 2006-2017 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+
+gem 'eventmachine'
+gem 'thin'
+gem 'sinatra'
+gem 'rack', '~> 1.6.5'
+gem 'em-websocket' # WebSocket support
+gem 'uglifier'
+gem 'mime-types'
+gem 'execjs'
+gem 'ansi'
+gem 'term-ansicolor', :require => 'term/ansicolor'
+gem 'dm-core'
+gem 'json'
+gem 'data_objects'
+gem 'rubyzip', '>= 1.2.1'
+gem 'espeak-ruby', '>= 1.0.4' # Text-to-Voice
+gem 'nokogiri', '>= 1.7'
+
+gem 'therubyracer'
+
+# SQLite support
+group :sqlite do
+ gem 'dm-sqlite-adapter'
+end
+
+# PostgreSQL support
+group :postgres do
+ #gem dm-postgres-adapter
+end
+
+# MySQL support
+group :mysql do
+ #gem dm-mysql-adapter
+end
+
+# Geolocation support
+group :geoip do
+ gem 'geoip'
+end
+
+gem 'parseconfig'
+gem 'erubis'
+gem 'dm-migrations'
+
+# Metasploit Integration extension
+group :ext_msf do
+ gem 'msfrpc-client'
+end
+
+# Twitter Notifications extension
+group :ext_twitter do
+ #gem 'twitter', '>= 5.0.0'
+end
+
+# DNS extension
+group :ext_dns do
+ gem 'rubydns', '~> 0.7.3'
+end
+
+# network extension
+group :ext_network do
+ gem 'dm-serializer'
+end
+
+# QRcode extension
+group :ext_qrcode do
+ gem 'qr4r'
+end
+
+# For running unit tests
+group :test do
+if ENV['BEEF_TEST']
+ gem 'rake'
+ gem 'test-unit'
+ gem 'test-unit-full'
+ gem 'curb'
+ gem 'selenium'
+ gem 'selenium-webdriver'
+ gem 'rspec'
+ gem 'bundler-audit'
+ # nokogirl is needed by capybara which may require one of the below commands
+ # sudo apt-get install libxslt-dev libxml2-dev
+ # sudo port install libxml2 libxslt
+ gem 'capybara'
+ # RESTful API tests/generic command module tests
+ gem 'rest-client', '>= 2.0.1'
+end
+end
+
+source 'https://rubygems.org'
diff --git a/makefu/5pkgs/beef/Gemfile.lock b/makefu/5pkgs/beef/Gemfile.lock
new file mode 100644
index 000000000..d2e6ad45e
--- /dev/null
+++ b/makefu/5pkgs/beef/Gemfile.lock
@@ -0,0 +1,139 @@
+GEM
+ remote: https://rubygems.org/
+ specs:
+ addressable (2.5.2)
+ public_suffix (>= 2.0.2, < 4.0)
+ ansi (1.5.0)
+ chunky_png (1.3.8)
+ daemons (1.2.4)
+ data_objects (0.10.17)
+ addressable (~> 2.1)
+ dm-core (1.2.1)
+ addressable (~> 2.3)
+ dm-do-adapter (1.2.0)
+ data_objects (~> 0.10.6)
+ dm-core (~> 1.2.0)
+ dm-migrations (1.2.0)
+ dm-core (~> 1.2.0)
+ dm-serializer (1.2.2)
+ dm-core (~> 1.2.0)
+ fastercsv (~> 1.5)
+ json (~> 1.6)
+ json_pure (~> 1.6)
+ multi_json (~> 1.0)
+ dm-sqlite-adapter (1.2.0)
+ dm-do-adapter (~> 1.2.0)
+ do_sqlite3 (~> 0.10.6)
+ do_sqlite3 (0.10.17)
+ data_objects (= 0.10.17)
+ em-websocket (0.5.1)
+ eventmachine (>= 0.12.9)
+ http_parser.rb (~> 0.6.0)
+ erubis (2.7.0)
+ espeak-ruby (1.0.4)
+ eventmachine (1.0.9.1)
+ execjs (2.7.0)
+ fastercsv (1.5.5)
+ filesize (0.1.1)
+ geoip (1.6.3)
+ http_parser.rb (0.6.0)
+ jsobfu (0.4.2)
+ rkelly-remix
+ json (1.8.6)
+ json_pure (1.8.6)
+ libv8 (3.16.14.19)
+ metasm (1.0.3)
+ mime-types (3.1)
+ mime-types-data (~> 3.2015)
+ mime-types-data (3.2016.0521)
+ mini_portile2 (2.3.0)
+ mojo_magick (0.5.6)
+ msfrpc-client (1.1.1)
+ msgpack (~> 1)
+ rex (~> 2)
+ msgpack (1.1.0)
+ multi_json (1.12.2)
+ nokogiri (1.8.1)
+ mini_portile2 (~> 2.3.0)
+ parseconfig (1.0.8)
+ public_suffix (3.0.0)
+ qr4r (0.4.1)
+ mojo_magick
+ rqrcode
+ rack (1.6.8)
+ rack-protection (1.5.3)
+ rack
+ rainbow (2.2.2)
+ rake
+ rake (12.1.0)
+ rb-readline (0.5.5)
+ ref (2.0.0)
+ rex (2.0.11)
+ filesize
+ jsobfu (~> 0.4.1)
+ json
+ metasm (~> 1.0.2)
+ nokogiri
+ rb-readline
+ robots
+ rexec (1.6.3)
+ rainbow
+ rkelly-remix (0.0.7)
+ robots (0.10.1)
+ rqrcode (0.10.1)
+ chunky_png (~> 1.0)
+ rubydns (0.7.3)
+ eventmachine (~> 1.0.0)
+ rexec (~> 1.6.2)
+ rubyzip (1.2.1)
+ sinatra (1.4.8)
+ rack (~> 1.5)
+ rack-protection (~> 1.4)
+ tilt (>= 1.3, < 3)
+ term-ansicolor (1.6.0)
+ tins (~> 1.0)
+ therubyracer (0.12.3)
+ libv8 (~> 3.16.14.15)
+ ref
+ thin (1.7.2)
+ daemons (~> 1.0, >= 1.0.9)
+ eventmachine (~> 1.0, >= 1.0.4)
+ rack (>= 1, < 3)
+ tilt (2.0.8)
+ tins (1.15.0)
+ uglifier (3.2.0)
+ execjs (>= 0.3.0, < 3)
+
+PLATFORMS
+ ruby
+
+DEPENDENCIES
+ ansi
+ data_objects
+ dm-core
+ dm-migrations
+ dm-serializer
+ dm-sqlite-adapter
+ em-websocket
+ erubis
+ espeak-ruby (>= 1.0.4)
+ eventmachine
+ execjs
+ geoip
+ json
+ mime-types
+ msfrpc-client
+ nokogiri (>= 1.7)
+ parseconfig
+ qr4r
+ rack (~> 1.6.5)
+ rubydns (~> 0.7.3)
+ rubyzip (>= 1.2.1)
+ sinatra
+ term-ansicolor
+ therubyracer
+ thin
+ uglifier
+
+BUNDLED WITH
+ 1.15.4
diff --git a/makefu/5pkgs/beef/default.nix b/makefu/5pkgs/beef/default.nix
new file mode 100644
index 000000000..82540cde9
--- /dev/null
+++ b/makefu/5pkgs/beef/default.nix
@@ -0,0 +1,37 @@
+{ stdenv, bundlerEnv, ruby, fetchFromGitHub }:
+# nix-shell --command "bundler install && bundix" in the clone, copy gemset.nix, Gemfile and Gemfile.lock
+let
+ gems = bundlerEnv {
+ name = "beef-env";
+ inherit ruby;
+ gemdir = ./.;
+ };
+in stdenv.mkDerivation {
+ name = "beef-2017-09-21";
+ src = fetchFromGitHub {
+ owner = "beefproject";
+ repo = "beef";
+ rev = "69aa2a3";
+ sha256 = "1rky61i0wzpwcq3kqfa0m5hf6wyz8q8jgzs7dpfh04w9qh32ic4p";
+ };
+ buildInputs = [gems ruby];
+ installPhase = ''
+ mkdir -p $out/{bin,share/beef}
+
+ cp -r * $out/share/beef
+ # set the default db path, unfortunately setting to /tmp does not seem to work
+ # sed -i 's#db_file: .*#db_file: "/tmp/beef.db"#' $out/share/beef/config.yaml
+
+ bin=$out/bin/beef
+ cat > $bin <<EOF
+#!/bin/sh -e
+exec ${gems}/bin/bundle exec ${ruby}/bin/ruby $out/share/beef/beef "\$@"
+EOF
+ chmod +x $bin
+ '';
+
+ # crashes with segfault
+ # also, db cannot be set
+ meta.broken = true;
+
+}
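Review bot: `rev = "69aa2a3";` is an abbreviated commit id. The `sha256` still fixes the fetched content, but the full 40-character hash makes the pin unambiguous and easier to audit: `rev = "<full commit hash for 69aa2a3>";`. Gemfile, Gemfile.lock and gemset.nix are copied in by hand, as the comment on the second line describes, and nothing ties them to that rev. The header comment should therefore name the upstream commit they were generated from, so a later bump of `rev` is not paired with a stale gem set. The two comment lines above `meta.broken = true;` could be merged into one that states what has to be fixed before the flag is removed.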
diff --git a/makefu/5pkgs/beef/gemset.nix b/makefu/5pkgs/beef/gemset.nix
new file mode 100644
index 000000000..b6af75d00
--- /dev/null
+++ b/makefu/5pkgs/beef/gemset.nix
@@ -0,0 +1,475 @@
+{
+ addressable = {
+ dependencies = ["public_suffix"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0viqszpkggqi8hq87pqp0xykhvz60g99nwmkwsb0v45kc2liwxvk";
+ type = "gem";
+ };
+ version = "2.5.2";
+ };
+ ansi = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "14ims9zfal4gs2wpx2m5rd8zsrl2k794d359shkrsgg3fhr2a22l";
+ type = "gem";
+ };
+ version = "1.5.0";
+ };
+ chunky_png = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0j0dngz6s0j3s3zaf9vrimjz65s9k7ad1c3xmmldr1vmz8sbd843";
+ type = "gem";
+ };
+ version = "1.3.8";
+ };
+ daemons = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1bmb4qrd95b5gl3ym5j3q6mf090209f4vkczggn49n56w6s6zldz";
+ type = "gem";
+ };
+ version = "1.2.4";
+ };
+ data_objects = {
+ dependencies = ["addressable"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "19fw1ckqc5f1wc4r72qrymy2k6cmd8azbxpn61ksbsjqhzc2bgqd";
+ type = "gem";
+ };
+ version = "0.10.17";
+ };
+ dm-core = {
+ dependencies = ["addressable"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "09x67ka6f1lxh4iwrg87iama0haq0d0z35gavvnvzpx9kn9pfbnw";
+ type = "gem";
+ };
+ version = "1.2.1";
+ };
+ dm-do-adapter = {
+ dependencies = ["data_objects" "dm-core"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1v84lsmsq8kawl8k4qz2h87xqc1sr10c08wwasrxbcgrkvp7qk4q";
+ type = "gem";
+ };
+ version = "1.2.0";
+ };
+ dm-migrations = {
+ dependencies = ["dm-core"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "04hr8qgm4j1z5fg0cfpr8r6apvk5xykad0d0xqfg48rjv5rdwc0i";
+ type = "gem";
+ };
+ version = "1.2.0";
+ };
+ dm-serializer = {
+ dependencies = ["dm-core" "fastercsv" "json" "json_pure" "multi_json"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0mvpb2d4cniysw45d3c9xidjpdb3wmfl7x5lgvnsfm69wq24v5y4";
+ type = "gem";
+ };
+ version = "1.2.2";
+ };
+ dm-sqlite-adapter = {
+ dependencies = ["dm-do-adapter" "do_sqlite3"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0mq9xrw4jwb753sy8902rq9sfv62mzss2n3875g51i9acqy475hc";
+ type = "gem";
+ };
+ version = "1.2.0";
+ };
+ do_sqlite3 = {
+ dependencies = ["data_objects"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0gxz54qjgwg6a2mkqpai28m0i5swbyxpr4qmh9x1nwf20lysrgcf";
+ type = "gem";
+ };
+ version = "0.10.17";
+ };
+ em-websocket = {
+ dependencies = ["eventmachine" "http_parser.rb"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1bsw8vjz0z267j40nhbmrvfz7dvacq4p0pagvyp17jif6mj6v7n3";
+ type = "gem";
+ };
+ version = "0.5.1";
+ };
+ erubis = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1fj827xqjs91yqsydf0zmfyw9p4l2jz5yikg3mppz6d7fi8kyrb3";
+ type = "gem";
+ };
+ version = "2.7.0";
+ };
+ espeak-ruby = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0d658zr53jibyrs5qnic7bfl6h69k5987s8asncsbnxwbzzilj6y";
+ type = "gem";
+ };
+ version = "1.0.4";
+ };
+ eventmachine = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "17jr1caa3ggg696dd02g2zqzdjqj9x9q2nl7va82l36f7c5v6k4z";
+ type = "gem";
+ };
+ version = "1.0.9.1";
+ };
+ execjs = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1yz55sf2nd3l666ms6xr18sm2aggcvmb8qr3v53lr4rir32y1yp1";
+ type = "gem";
+ };
+ version = "2.7.0";
+ };
+ fastercsv = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1df3vfgw5wg0s405z0pj0rfcvnl9q6wak7ka8gn0xqg4cag1k66h";
+ type = "gem";
+ };
+ version = "1.5.5";
+ };
+ filesize = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "061qmg82mm9xnmnq3b7gbi24g28xk62w0b0nw86gybd07m1jn989";
+ type = "gem";
+ };
+ version = "0.1.1";
+ };
+ geoip = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "099hxng7h8i3pwibnassivj58iw1x7ygwq06qj6rx7j16iyz6rzx";
+ type = "gem";
+ };
+ version = "1.6.3";
+ };
+ "http_parser.rb" = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "15nidriy0v5yqfjsgsra51wmknxci2n2grliz78sf9pga3n0l7gi";
+ type = "gem";
+ };
+ version = "0.6.0";
+ };
+ jsobfu = {
+ dependencies = ["rkelly-remix"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1hchns89cfj0gggm2zbr7ghb630imxm2x2d21ffx2jlasn9xbkyk";
+ type = "gem";
+ };
+ version = "0.4.2";
+ };
+ json = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0qmj7fypgb9vag723w1a49qihxrcf5shzars106ynw2zk352gbv5";
+ type = "gem";
+ };
+ version = "1.8.6";
+ };
+ json_pure = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1vllrpm2hpsy5w1r7000mna2mhd7yfrmd8hi713lk0n9mv27bmam";
+ type = "gem";
+ };
+ version = "1.8.6";
+ };
+ libv8 = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0271i5sfma05gvhmrmxqb0jj667bl6m54yd49ay6yrdbh1g4wpl1";
+ type = "gem";
+ };
+ version = "3.16.14.19";
+ };
+ metasm = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0gss57q4lv6l0jkih77zffrpjjzgkdcsy7b9nvvawyzknis9w4s5";
+ type = "gem";
+ };
+ version = "1.0.3";
+ };
+ mime-types = {
+ dependencies = ["mime-types-data"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0087z9kbnlqhci7fxh9f6il63hj1k02icq2rs0c6cppmqchr753m";
+ type = "gem";
+ };
+ version = "3.1";
+ };
+ mime-types-data = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "04my3746hwa4yvbx1ranhfaqkgf6vavi1kyijjnw8w3dy37vqhkm";
+ type = "gem";
+ };
+ version = "3.2016.0521";
+ };
+ mini_portile2 = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "13d32jjadpjj6d2wdhkfpsmy68zjx90p49bgf8f7nkpz86r1fr11";
+ type = "gem";
+ };
+ version = "2.3.0";
+ };
+ mojo_magick = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1n4hzdyvaggzasxb55iqjd8sg6g84yc2dbaip0zzy7nwr5j5h8sm";
+ type = "gem";
+ };
+ version = "0.5.6";
+ };
+ msfrpc-client = {
+ dependencies = ["msgpack" "rex"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0q1x0xy857qm3sdxynp5p8kk7f6j25qjw1p28jh0y2qivc5ksik8";
+ type = "gem";
+ };
+ version = "1.1.1";
+ };
+ msgpack = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0ck7w17d6b4jbb8inh1q57bghi9cjkiaxql1d3glmj1yavbpmlh7";
+ type = "gem";
+ };
+ version = "1.1.0";
+ };
+ multi_json = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1raim9ddjh672m32psaa9niw67ywzjbxbdb8iijx3wv9k5b0pk2x";
+ type = "gem";
+ };
+ version = "1.12.2";
+ };
+ nokogiri = {
+ dependencies = ["mini_portile2"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "105xh2zkr8nsyfaj2izaisarpnkrrl9000y3nyflg9cbzrfxv021";
+ type = "gem";
+ };
+ version = "1.8.1";
+ };
+ parseconfig = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0br2g9k6zc4ygah52aa8cwvpnnkszia29bnvnr8bhpk3rdzi2vmq";
+ type = "gem";
+ };
+ version = "1.0.8";
+ };
+ public_suffix = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0snaj1gxfib4ja1mvy3dzmi7am73i0mkqr0zkz045qv6509dhj5f";
+ type = "gem";
+ };
+ version = "3.0.0";
+ };
+ qr4r = {
+ dependencies = ["mojo_magick" "rqrcode"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1ya71fxhmx2zfsmflmqh6xm9jwgjxamsj9d3h1kjp21w4vca0s30";
+ type = "gem";
+ };
+ version = "0.4.1";
+ };
+ rack = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "19m7aixb2ri7p1n0iqaqx8ldi97xdhvbxijbyrrcdcl6fv5prqza";
+ type = "gem";
+ };
+ version = "1.6.8";
+ };
+ rack-protection = {
+ dependencies = ["rack"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0cvb21zz7p9wy23wdav63z5qzfn4nialik22yqp6gihkgfqqrh5r";
+ type = "gem";
+ };
+ version = "1.5.3";
+ };
+ rainbow = {
+ dependencies = ["rake"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "08w2ghc5nv0kcq5b257h7dwjzjz1pqcavajfdx2xjyxqsvh2y34w";
+ type = "gem";
+ };
+ version = "2.2.2";
+ };
+ rake = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0mfqgpp3m69s5v1rd51lfh5qpjwyia5p4rg337pw8c8wzm6pgfsw";
+ type = "gem";
+ };
+ version = "12.1.0";
+ };
+ rb-readline = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "14w79a121czmvk1s953qfzww30mqjb2zc0k9qhi0ivxxk3hxg6wy";
+ type = "gem";
+ };
+ version = "0.5.5";
+ };
+ ref = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "04p4pq4sikly7pvn30dc7v5x2m7fqbfwijci4z1y6a1ilwxzrjii";
+ type = "gem";
+ };
+ version = "2.0.0";
+ };
+ rex = {
+ dependencies = ["filesize" "jsobfu" "json" "metasm" "nokogiri" "rb-readline" "robots"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0kxacxq4l1gcqbw1izg2qqvdhxl6b5779a2qa2jk24f6x96bpi68";
+ type = "gem";
+ };
+ version = "2.0.11";
+ };
+ rexec = {
+ dependencies = ["rainbow"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1ihc0a6gj4i3287fjm86cn2ax4hlznyk5aqxrhjxkf4y9kabc3in";
+ type = "gem";
+ };
+ version = "1.6.3";
+ };
+ rkelly-remix = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1g7hjl9nx7f953y7lncmfgp0xgxfxvgfm367q6da9niik6rp1y3j";
+ type = "gem";
+ };
+ version = "0.0.7";
+ };
+ robots = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "141gvihcr2c0dpzl3dqyh8kqc9121prfdql2iamaaw0mf9qs3njs";
+ type = "gem";
+ };
+ version = "0.10.1";
+ };
+ rqrcode = {
+ dependencies = ["chunky_png"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0h1pnnydgs032psakvg3l779w3ghbn08ajhhhw19hpmnfhrs8k0a";
+ type = "gem";
+ };
+ version = "0.10.1";
+ };
+ rubydns = {
+ dependencies = ["eventmachine" "rexec"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1mav6589kpqh37wlipkh1nww6ipbw4kzja2crz216v25wwjrbpx2";
+ type = "gem";
+ };
+ version = "0.7.3";
+ };
+ rubyzip = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "06js4gznzgh8ac2ldvmjcmg9v1vg9llm357yckkpylaj6z456zqz";
+ type = "gem";
+ };
+ version = "1.2.1";
+ };
+ sinatra = {
+ dependencies = ["rack" "rack-protection" "tilt"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0byxzl7rx3ki0xd7aiv1x8mbah7hzd8f81l65nq8857kmgzj1jqq";
+ type = "gem";
+ };
+ version = "1.4.8";
+ };
+ term-ansicolor = {
+ dependencies = ["tins"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1b1wq9ljh7v3qyxkk8vik2fqx2qzwh5lval5f92llmldkw7r7k7b";
+ type = "gem";
+ };
+ version = "1.6.0";
+ };
+ therubyracer = {
+ dependencies = ["libv8" "ref"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "1g95bzs2axjglyjyj6xvsywqgr80bnzlkw7mddxx1fdrak5wni2q";
+ type = "gem";
+ };
+ version = "0.12.3";
+ };
+ thin = {
+ dependencies = ["daemons" "eventmachine" "rack"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0nagbf9pwy1vg09k6j4xqhbjjzrg5dwzvkn4ffvlj76fsn6vv61f";
+ type = "gem";
+ };
+ version = "1.7.2";
+ };
+ tilt = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0020mrgdf11q23hm1ddd6fv691l51vi10af00f137ilcdb2ycfra";
+ type = "gem";
+ };
+ version = "2.0.8";
+ };
+ tins = {
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "09whix5a7ics6787zrkwjmp16kqyh6560p9f317syks785805f7s";
+ type = "gem";
+ };
+ version = "1.15.0";
+ };
+ uglifier = {
+ dependencies = ["execjs"];
+ source = {
+ remotes = ["https://rubygems.org"];
+ sha256 = "0wmqvn4xncw6h3d5gp2a44170zwxfyj3iq4rsjp16zarvzbdmgnz";
+ type = "gem";
+ };
+ version = "3.2.0";
+ };
+} \ No newline at end of file
diff --git a/makefu/5pkgs/beef/shell.nix b/makefu/5pkgs/beef/shell.nix
new file mode 100644
index 000000000..cd7a01214
--- /dev/null
+++ b/makefu/5pkgs/beef/shell.nix
@@ -0,0 +1,16 @@
+# Env to update Gemfile.lock / gemset.nix
+with import <nixpkgs> {};
+stdenv.mkDerivation {
+ name = "env";
+ buildInputs = [
+ ruby.devEnv
+ git
+ sqlite
+ libpcap
+ postgresql
+ libxml2
+ libxslt
+ pkgconfig
+ bundix
+ ];
+}
diff --git a/makefu/5pkgs/custom/inkscape/dxf_fix.patch b/makefu/5pkgs/custom/inkscape/dxf_fix.patch
index 5ea0a073e..b7b491d4e 100644
--- a/makefu/5pkgs/custom/inkscape/dxf_fix.patch
+++ b/makefu/5pkgs/custom/inkscape/dxf_fix.patch
@@ -1,13 +1,12 @@
---- ./share/extensions/dxf_outlines.py 2017-02-14 00:46:57.000000000 +0100
-+++ ./share/extensions/dxf_outlines.py.new 2017-05-10 04:15:03.000000000 +0200
-@@ -340,7 +340,7 @@
- scale = eval(self.options.units)
+--- ./share/extensions/dxf_outlines.py 2017-10-08 17:28:45.553368917 +0200
++++ ./share/extensions/dxf_outlines.py.new 2017-10-08 17:29:20.172554152 +0200
+@@ -341,7 +341,7 @@
if not scale:
scale = 25.4/96 # if no scale is specified, assume inch as baseunit
+ scale /= self.unittouu('1px')
- h = self.unittouu(self.document.getroot().xpath('@height', namespaces=inkex.NSS)[0])
-+ h = self.unittouu(self.getDocumentHeight())
++ h = self.unittouu(self.documentHeight())
self.groupmat = [[[scale, 0.0, 0.0], [0.0, -scale, h*scale]]]
doc = self.document.getroot()
self.process_group(doc)
-
diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix
index 96975e54f..e99aa696b 100644
--- a/makefu/5pkgs/default.nix
+++ b/makefu/5pkgs/default.nix
@@ -24,7 +24,7 @@ in {
alsa-hdspmixer = callPackage ./custom/alsa-tools { alsaToolTarget="hdspmixer";};
alsa-hdsploader = callPackage ./custom/alsa-tools { alsaToolTarget="hdsploader";};
qcma = super.pkgs.libsForQt5.callPackage ./custom/qcma { };
- inherit (callPackage ./devpi {}) devpi-web devpi-server devpi-client;
+ inherit (callPackage ./devpi {}) devpi-web devpi-server;
nodemcu-uploader = super.pkgs.callPackage ./nodemcu-uploader {};
inkscape = super.pkgs.stdenv.lib.overrideDerivation super.inkscape (old: {
patches = [ ./custom/inkscape/dxf_fix.patch ];
diff --git a/makefu/5pkgs/drozer/default.nix b/makefu/5pkgs/drozer/default.nix
index f91d5b984..3df67d07e 100644
--- a/makefu/5pkgs/drozer/default.nix
+++ b/makefu/5pkgs/drozer/default.nix
@@ -1,11 +1,11 @@
-{ pkgs, lib, fetchFromGitHub, pythonPackages, jre7, jdk7, ... }:
+{ pkgs, lib, fetchFromGitHub, pythonPackages, jre7, jdk7 }:
pythonPackages.buildPythonApplication rec {
name = "drozer-${version}";
version = "2.4.3";
buildInputs = [ jdk7 ];
propagatedBuildInputs = with pythonPackages; [
- protobuf3_2
+ protobuf
pyopenssl
pyyaml
] ++ [
diff --git a/makefu/5pkgs/esptool/default.nix b/makefu/5pkgs/esptool/default.nix
deleted file mode 100644
index 84bb232cd..000000000
--- a/makefu/5pkgs/esptool/default.nix
+++ /dev/null
@@ -1,32 +0,0 @@
-{ pkgs, fetchFromGitHub, ... }:
-with pkgs.python2Packages;
-let
- pyaes = buildPythonPackage rec {
- name = "pyaes-${version}";
- version = "1.6.0";
- src = fetchFromGitHub {
- owner = "ricmoo";
- repo = "pyaes";
- rev = "v${version}";
- sha256 = "04934a9zgwc8g3qhfrkcfv0bs557paigllnkrnfhp9m1azr3bfqb";
- };
- doCheck = false;
- };
-in
-buildPythonPackage rec {
- name = "esptool-${version}";
- version = "2.0beta2";
- propagatedBuildInputs = [
- pyserial
- flake8
- ecdsa
- pyaes
- ];
- src = fetchFromGitHub {
- owner = "themadinventor";
- repo = "esptool";
- rev = "v${version}";
- sha256 = "0n96pyi1k4qlyfqk5k7xpgq8726wz74qvd3gqjg0bpsl3wr7l94i";
- };
- doCheck = false;
-}
diff --git a/makefu/5pkgs/logstash-input-rss/default.nix b/makefu/5pkgs/logstash-input-rss/default.nix
new file mode 100644
index 000000000..af66359ef
--- /dev/null
+++ b/makefu/5pkgs/logstash-input-rss/default.nix
@@ -0,0 +1,31 @@
+{ pkgs, stdenv, lib, fetchFromGitHub }:
+
+
+stdenv.mkDerivation rec {
+ name = "logstash-input-rss-${version}";
+ version = "3.0.3";
+
+ src = fetchFromGitHub {
+ owner = "logstash-plugins";
+ repo = "logstash-input-rss";
+ rev = "v${version}";
+ sha256 = "026902g256385dx3qkbknz10vsp9dm2ymjdx6s6rkh3krs67w09l";
+ };
+
+ dontBuild = true;
+ dontPatchELF = true;
+ dontStrip = true;
+ dontPatchShebangs = true;
+ installPhase = ''
+ mkdir -p $out/logstash
+ cp -r lib/* $out/
+ '';
+
+ meta = with lib; {
+ description = "logstash output plugin";
+ homepage = https://github.com/logstash-plugins/logstash-input-rss;
+ license = stdenv.lib.licenses.asl20;
+ platforms = stdenv.lib.platforms.unix;
+ maintainers = with maintainers; [ makefu ];
+ };
+}
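Review bot: `description = "logstash output plugin";` does not match the package, which is the RSS input plugin; it should read `description = "Logstash RSS input plugin";`. In `installPhase`, `mkdir -p $out/logstash` is followed by `cp -r lib/* $out/`, which copies into `$out` rather than into the directory just created. Unless `lib/` itself contains a `logstash` directory, one of the two lines is not doing what was intended, and a comment giving the expected layout would settle it. `meta = with lib;` is opened but `license` and `platforms` still go through `stdenv.lib`; `licenses.asl20` and `platforms.unix` would be consistent with the `maintainers` line.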
diff --git a/makefu/5pkgs/udpt/default.nix b/makefu/5pkgs/udpt/default.nix
deleted file mode 100644
index 99bcac18b..000000000
--- a/makefu/5pkgs/udpt/default.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ stdenv, boost, sqlite, fetchFromGitHub }:
-
-stdenv.mkDerivation rec {
- proj = "udpt";
- name = "udpt-${rev}";
- rev = "0790558";
-
- enableParallelBuilding = true;
-
- src = fetchFromGitHub {
- owner = "naim94a";
- repo = "udpt";
- inherit rev;
- sha256 = "0rgkjwvnqwbnqy7pm3dk176d3plb5lypaf12533yr0yfzcp6gnzk";
- };
- buildInputs = [ boost sqlite ];
- installPhase = ''
- mkdir -p $out/bin $out/etc/
- cp udpt $out/bin
- cp udpt.conf $out/etc/
- '';
- meta = {
- description = "udp tracker";
- homepage = https://github.com/naim94a/udpt;
- license = stdenv.lib.licenses.gpl3;
- platforms = stdenv.lib.platforms.linux;
- maintainers = with stdenv.lib.maintainers; [ makefu ];
- };
-}
diff --git a/makefu/6tests/data/secrets/ssh_host_rsa_key b/makefu/6tests/data/secrets/ssh_host_rsa_key
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/makefu/6tests/data/secrets/ssh_host_rsa_key
diff --git a/makefu/source.nix b/makefu/source.nix
index fdd367cba..8c880a8e2 100644
--- a/makefu/source.nix
+++ b/makefu/source.nix
@@ -11,10 +11,9 @@ let
then "buildbot"
else "makefu";
_file = <stockholm> + "/makefu/1systems/${name}/source.nix";
- ref = "c91346e"; # unstable @ 2017-09-04
- # + graceful requests2 (a772c3aa)
- # + mitmproxy fix (eee2d174)
- # + tpm-tools fix (5cb9987)
+ ref = "809cf38"; # unstable @ 2017-10-07
+ # + ruby stuff (2f0b17e4be9,55a952be5b5)
+ # + mitmproxy fix (360a5efd,ef52c95b)
in
evalSource (toString _file) [
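Review bot: `ref = "809cf38";` pins nixpkgs by a seven-character abbreviation, while the mv/ and tv/ pins in this same commit use full 40-character commit ids. An abbreviation is not guaranteed to stay unique as the repository grows, and it is weaker evidence of exactly which tree gets deployed, more so here where the ref carries extra cherry-picks on top of unstable. Spell out the full id, e.g. `ref = "<full commit id for 809cf38>"; # unstable @ 2017-10-07`. The surrounding `let` block starts outside this hunk.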
diff --git a/mv/source.nix b/mv/source.nix
index aa2b13fd8..2fa53a13e 100644
--- a/mv/source.nix
+++ b/mv/source.nix
@@ -9,8 +9,8 @@ in
{
nixos-config.symlink = "stockholm/mv/1systems/${name}/config.nix";
nixpkgs.git = {
- # nixos-17.03
- ref = mkDefault "56da88a298a6f549701a10bb12072804a1ebfbd5";
+ # nixos-17.09
+ ref = mkDefault "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
url = https://github.com/NixOS/nixpkgs;
};
secrets.file = getAttr builder {
diff --git a/shell.nix b/shell.nix
index 4b8abed58..c9b197a26 100644
--- a/shell.nix
+++ b/shell.nix
@@ -22,7 +22,12 @@ let
. ${init.env}
. ${init.proxy opts}
- exec ${utils.deploy}
+ # Use system's nixos-rebuild, which is not self-contained
+ export PATH=/run/current-system/sw/bin
+ exec ${utils.with-whatsupnix} \
+ nixos-rebuild switch \
+ --show-trace \
+ -I "$target_path"
'');
cmds.install = pkgs.withGetopt {
@@ -205,16 +210,6 @@ let
-I "$target_path" \
'';
- utils.deploy = pkgs.writeDash "utils.deploy" ''
- set -efu
- # Use system's nixos-rebuild, which is not self-contained
- export PATH=/run/current-system/sw/bin
- ${utils.with-whatsupnix} \
- nixos-rebuild switch \
- --show-trace \
- -I "$target_path"
- '';
-
utils.with-whatsupnix = pkgs.writeDash "utils.with-whatsupnix" ''
set -efu
if \test "$quiet" = true; then
diff --git a/tv/1systems/alnus/source.nix b/tv/1systems/alnus/source.nix
index c3ed4dcfb..9fd2f668c 100644
--- a/tv/1systems/alnus/source.nix
+++ b/tv/1systems/alnus/source.nix
@@ -1,4 +1,4 @@
import <stockholm/tv/source.nix> {
name = "alnus";
- override.nixpkgs.git.ref = "9b948ea439ddbaa26740ce35543e7e35d2aa6d18";
+ override.nixpkgs.git.ref = "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
}
diff --git a/tv/1systems/mu/config.nix b/tv/1systems/mu/config.nix
index f3e7b515b..10d7b2197 100644
--- a/tv/1systems/mu/config.nix
+++ b/tv/1systems/mu/config.nix
@@ -56,7 +56,6 @@ with import <stockholm/lib>;
firefoxWrapper
gimp
iptables
- kdeApplications.l10n.de.qt5
libreoffice
pidginotr
pidgin-with-plugins
diff --git a/tv/2configs/br.nix b/tv/2configs/br.nix
index c7eb20e90..d660ebc35 100644
--- a/tv/2configs/br.nix
+++ b/tv/2configs/br.nix
@@ -45,5 +45,4 @@ with import <stockholm/lib>;
];
};
- systemd.services.cups.serviceConfig.PrivateTmp = true;
}
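Review bot: Dropping `systemd.services.cups.serviceConfig.PrivateTmp = true;` removes a sandboxing setting from the print service without a stated reason. If the cups unit in the nixpkgs revision this commit moves to already sets it, the override was redundant and the commit message should say so; otherwise cupsd goes back to sharing /tmp with the rest of the system. Running `systemctl show cups -p PrivateTmp` on a deployed host confirms which case applies.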
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 9ad0253a3..f418b9ff0 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -80,6 +80,12 @@ with import <stockholm/lib>;
dmesg = "dmesg -L --reltime";
view = "vim -R";
+ deploy = pkgs.writeDash "deploy" ''
+ set -eu
+ cd ~/stockholm
+ export SYSTEM="$1"
+ exec nix-shell -I stockholm="$PWD" --run 'deploy --system="$SYSTEM"'
+ '';
reload = "systemctl reload";
restart = "systemctl restart";
start = "systemctl start";
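Review bot: `export SYSTEM="$1"` under `set -eu` aborts with the shell's generic unset-parameter message when `deploy` is called without an argument, and any additional arguments are silently ignored. `export SYSTEM="''${1?usage: deploy SYSTEM}"` gives a usable error (the `''$` escape is needed inside the Nix string). Passing the host name through the environment and expanding it inside the single-quoted `--run` string keeps it out of the command text; a one-line comment saying so would stop a later edit from inlining `$1` into that string.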
diff --git a/tv/2configs/gitrepos.nix b/tv/2configs/gitrepos.nix
index b6480f356..2c4b4868e 100644
--- a/tv/2configs/gitrepos.nix
+++ b/tv/2configs/gitrepos.nix
@@ -100,10 +100,10 @@ let {
);
irc-announce = args: pkgs.git-hooks.irc-announce (recursiveUpdate {
- channel = "#retiolum";
+ channel = "#xxx";
# TODO make nick = config.krebs.build.host.name the default
nick = config.krebs.build.host.name;
- server = "ni.r";
+ server = "irc.r";
verbose = true;
} args);
diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix
index 5779240ba..515f8996f 100644
--- a/tv/2configs/urlwatch.nix
+++ b/tv/2configs/urlwatch.nix
@@ -31,7 +31,7 @@ with import <stockholm/lib>;
## other
- https://nixos.org/channels/nixos-17.03/git-revision
+ https://nixos.org/channels/nixos-17.09/git-revision
https://nixos.org/channels/nixos-unstable/git-revision
## 2014-10-17
diff --git a/tv/3modules/default.nix b/tv/3modules/default.nix
index 57ffbfab8..493cc8b72 100644
--- a/tv/3modules/default.nix
+++ b/tv/3modules/default.nix
@@ -1,5 +1,3 @@
-_:
-
{
imports = [
./charybdis
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index d7b8deb7e..e99b94ff9 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -34,18 +34,24 @@ in {
hosts = mkOption {
type = with types; listOf str;
};
- pkgs.ejabberdctl = mkOption {
+ pkgs.ejabberd = mkOption {
type = types.package;
- default = pkgs.writeDashBin "ejabberdctl" ''
- exec ${pkgs.ejabberd}/bin/ejabberdctl \
- --config ${toFile "ejabberd.yaml" (import ./config.nix {
- inherit pkgs;
- config = cfg;
- })} \
- --logs ${shell.escape cfg.user.home} \
- --spool ${shell.escape cfg.user.home} \
- "$@"
- '';
+ default = pkgs.symlinkJoin {
+ name = "ejabberd-wrapper";
+ paths = [
+ (pkgs.writeDashBin "ejabberdctl" ''
+ exec ${pkgs.ejabberd}/bin/ejabberdctl \
+ --config ${toFile "ejabberd.yaml" (import ./config.nix {
+ inherit pkgs;
+ config = cfg;
+ })} \
+ --logs ${shell.escape cfg.user.home} \
+ --spool ${shell.escape cfg.user.home} \
+ "$@"
+ '')
+ pkgs.ejabberd
+ ];
+ };
};
registration_watchers = mkOption {
type = types.listOf types.str;
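Review bot: The new `pkgs.ejabberd` default only behaves as intended if the wrapper's `bin/ejabberdctl` wins over the one shipped in `pkgs.ejabberd`, because both entries of `paths` provide that file. As far as I know `symlinkJoin` keeps the first path on a name clash, so the list order is load-bearing; a comment such as `# wrapper first: it must shadow bin/ejabberdctl from pkgs.ejabberd` would keep it from being reordered. The same applies to the `ejabberd-sudo-wrapper` join in the next hunk. If the order were ever reversed, the service would start without the `--config`, `--logs` and `--spool` arguments.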
@@ -66,7 +72,21 @@ in {
};
};
config = lib.mkIf cfg.enable {
- environment.systemPackages = [ cfg.pkgs.ejabberdctl ];
+ environment.systemPackages = [
+ (pkgs.symlinkJoin {
+ name = "ejabberd-sudo-wrapper";
+ paths = [
+ (pkgs.writeDashBin "ejabberdctl" ''
+ set -efu
+ cd ${shell.escape cfg.user.home}
+ exec /run/wrappers/bin/sudo \
+ -u ${shell.escape cfg.user.name} \
+ ${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
+ '')
+ cfg.pkgs.ejabberd
+ ];
+ })
+ ];
krebs.secret.files = {
ejabberd-certfile = cfg.certfile;
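Review bot: The system-wide `ejabberdctl` now runs `exec /run/wrappers/bin/sudo -u ${shell.escape cfg.user.name} ... "$@"`, but no matching sudo rule is visible in this hunk, so it is unclear who is meant to be allowed through. Since `"$@"` is forwarded unchanged, whatever rule permits this grants the caller the whole ejabberdctl command set as the service user; it should name the intended admin group and this exact command rather than a wildcard. `cd ${shell.escape cfg.user.home}` runs before sudo under `set -efu`, so a caller who cannot enter the service home fails before any privilege change; if that is deliberate, a comment should say so.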
@@ -79,7 +99,7 @@ in {
after = [ "network.target" "secret.service" ];
serviceConfig = {
ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
- ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
+ ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground";
PermissionsStartOnly = true;
SyslogIdentifier = "ejabberd";
User = cfg.user.name;
diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix
index 1796609a9..9dc7ae7b1 100644
--- a/tv/5pkgs/default.nix
+++ b/tv/5pkgs/default.nix
@@ -13,6 +13,14 @@ foldl' mergeAttrs {}
//
{
+ brscan4 = overrideDerivation super.brscan4 (original: rec {
+ name = "brscan4-0.4.4-4";
+ src = super.fetchurl {
+ url = "http://download.brother.com/welcome/dlf006645/${name}.amd64.deb";
+ sha256 = "0xy5px96y1saq9l80vwvfn6anr2q42qlxdhm6ci2a0diwib5q9fd";
+ };
+ });
+
# TODO use XDG_RUNTIME_DIR?
cr = self.writeDashBin "cr" ''
set -efu
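Review bot: The brscan4 `.deb` is fetched over plain `http://`, so the `sha256` is the only thing tying the build to a known binary. That holds as long as the hash was not itself taken from a download over the same channel; a comment recording where the hash was verified would make that auditable, and if the vendor host serves the file over HTTPS that URL is preferable. `original` is unused, and `rec` is only there for `${name}` in the URL. The enclosing attribute set continues outside the hunk.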
@@ -32,7 +40,7 @@ foldl' mergeAttrs {}
exec ${self.firefoxWrapper}/bin/firefox "$@"
'';
- gnupg = self.gnupg21;
+ gnupg = self.gnupg22;
# https://github.com/NixOS/nixpkgs/issues/16113
wvdial = let
diff --git a/tv/5pkgs/simple/mfcl2700dncupswrapper/default.nix b/tv/5pkgs/simple/mfcl2700dncupswrapper/default.nix
deleted file mode 100644
index 1ef018b33..000000000
--- a/tv/5pkgs/simple/mfcl2700dncupswrapper/default.nix
+++ /dev/null
@@ -1,45 +0,0 @@
-{ coreutils, dpkg, fetchurl, gnugrep, gnused, makeWrapper, mfcl2700dnlpr,
-perl, stdenv }:
-
-stdenv.mkDerivation rec {
- name = "mfcl2700dncupswrapper-${meta.version}";
-
- src = fetchurl {
- url = "http://download.brother.com/welcome/dlf102086/${name}.i386.deb";
- sha256 = "07w48mah0xbv4h8vsh1qd5cd4b463bx8y6gc5x9pfgsxsy6h6da1";
- };
-
- nativeBuildInputs = [ dpkg makeWrapper ];
-
- phases = [ "installPhase" ];
-
- installPhase = ''
- dpkg-deb -x $src $out
-
- basedir=${mfcl2700dnlpr}/opt/brother/Printers/MFCL2700DN
- dir=$out/opt/brother/Printers/MFCL2700DN
-
- substituteInPlace $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN \
- --replace /usr/bin/perl ${perl}/bin/perl \
- --replace "basedir =~" "basedir = \"$basedir\"; #" \
- --replace "PRINTER =~" "PRINTER = \"MFCL2700DN\"; #"
-
- wrapProgram $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN \
- --prefix PATH : ${stdenv.lib.makeBinPath [ coreutils gnugrep gnused ]}
-
- mkdir -p $out/lib/cups/filter
- mkdir -p $out/share/cups/model
-
- ln $dir/cupswrapper/brother_lpdwrapper_MFCL2700DN $out/lib/cups/filter
- ln $dir/cupswrapper/brother-MFCL2700DN-cups-en.ppd $out/share/cups/model
- '';
-
- meta = {
- description = "Brother MFC-L2700DN CUPS wrapper driver";
- homepage = "http://www.brother.com/";
- license = stdenv.lib.licenses.gpl2Plus;
- maintainers = [ stdenv.lib.maintainers.tv ];
- platforms = stdenv.lib.platforms.linux;
- version = "3.2.0-1";
- };
-}
diff --git a/tv/5pkgs/simple/mfcl2700dnlpr/default.nix b/tv/5pkgs/simple/mfcl2700dnlpr/default.nix
deleted file mode 100644
index fc11b53e9..000000000
--- a/tv/5pkgs/simple/mfcl2700dnlpr/default.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{ coreutils, dpkg, fetchurl, ghostscript, gnugrep, gnused, pkgsi686Linux, makeWrapper, perl, stdenv, which }:
-
-stdenv.mkDerivation rec {
- name = "mfcl2700dnlpr-${meta.version}";
-
- src = fetchurl {
- url = "http://download.brother.com/welcome/dlf102085/${name}.i386.deb";
- sha256 = "170qdzxlqikzvv2wphvfb37m19mn13az4aj88md87ka3rl5knk4m";
- };
-
- nativeBuildInputs = [ dpkg makeWrapper ];
-
- phases = [ "installPhase" ];
-
- installPhase = ''
- dpkg-deb -x $src $out
-
- dir=$out/opt/brother/Printers/MFCL2700DN
-
- substituteInPlace $dir/lpd/filter_MFCL2700DN \
- --replace /usr/bin/perl ${perl}/bin/perl \
- --replace "BR_PRT_PATH =~" "BR_PRT_PATH = \"$dir\"; #" \
- --replace "PRINTER =~" "PRINTER = \"MFCL2700DN\"; #"
-
- wrapProgram $dir/lpd/filter_MFCL2700DN \
- --prefix PATH : ${stdenv.lib.makeBinPath [
- coreutils ghostscript gnugrep gnused which
- ]}
-
- interpreter=${pkgsi686Linux.stdenv.cc.libc.out}/lib/ld-linux.so.2
- patchelf --set-interpreter "$interpreter" $dir/inf/braddprinter
- patchelf --set-interpreter "$interpreter" $dir/lpd/brprintconflsr3
- patchelf --set-interpreter "$interpreter" $dir/lpd/rawtobr3
- '';
-
- meta = {
- description = "Brother MFC-L2700DN LPR driver";
- homepage = "http://www.brother.com/";
- license = stdenv.lib.licenses.unfree;
- maintainers = [ stdenv.lib.maintainers.tv ];
- platforms = stdenv.lib.platforms.linux;
- version = "3.2.0-1";
- };
-}
diff --git a/tv/source.nix b/tv/source.nix
index 18733ee5c..f3bda2715 100644
--- a/tv/source.nix
+++ b/tv/source.nix
@@ -9,8 +9,8 @@ in
{
nixos-config.symlink = "stockholm/tv/1systems/${name}/config.nix";
nixpkgs.git = {
- # nixos-17.03
- ref = mkDefault "94941cb0455bfc50b1bf63186cfad7136d629f78";
+ # nixos-17.09
+ ref = mkDefault "d0f0657ca06cc8cb239cb94f430b53bcdf755887";
url = https://github.com/NixOS/nixpkgs;
};
secrets.file = getAttr builder {