diff options
47 files changed, 496 insertions, 366 deletions
@@ -51,8 +51,6 @@ $(if $(target_user),,$(error unbound variable: target_user)) $(if $(target_port),,$(error unbound variable: target_port)) $(if $(target_path),,$(error unbound variable: target_path)) -target ?= $(target_user)@$(target_host):$(target_port)$(target_path) - build = \ nix-build \ --no-out-link \ @@ -88,6 +86,8 @@ deploy: nixos-rebuild $(rebuild-command) --show-trace -I $(target_path) # usage: make populate system=foo +populate: populate-target = \ + $(target_user)@$(target_host):$(target_port)$(target_path) ifeq ($(debug),true) populate: populate-flags += --debug endif @@ -96,7 +96,7 @@ populate: populate-flags += --ssh=$(ssh) endif populate: $(call evaluate,config.krebs.build.source) --json --strict | \ - populate $(target) $(populate-flags) + populate $(populate-target) $(populate-flags) # usage: make pkgs.populate pkgs:;@$(error no package selected) diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index de5be964f..f5190b6ba 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -791,6 +791,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB } // { # hosts only maintained in stockholm, not owned by me muhbaasu = rec { + owner = config.krebs.users.root; cores = 1; nets = { internet = { diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix index 57a579bc0..d53482339 100644 --- a/krebs/3modules/rtorrent.nix +++ b/krebs/3modules/rtorrent.nix @@ -336,7 +336,6 @@ let pm.min_spare_servers = 1 pm.max_spare_servers = 3 chdir = / - # errors to journal php_admin_value[error_log] = 'stderr' php_admin_flag[log_errors] = on catch_workers_output = yes diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix index 47767d370..a9868954e 100644 --- a/krebs/3modules/shared/default.nix +++ b/krebs/3modules/shared/default.nix @@ -8,6 +8,7 @@ let "test-centos7" "test-all-krebs-modules" ] (name: { + owner = config.krebs.users.shared; inherit name; cores = 1; nets = { @@ -34,6 +35,7 @@ let in { hosts = { wolf = { + owner = config.krebs.users.shared; nets = { shack = { ip4.addr = "10.42.2.150" ; diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index 49241cc82..c40b9a868 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -1,19 +1,12 @@ -{ config, lib, ... }: +_: -with builtins; -with lib; - -let out = import <stockholm/lib> // rec { - - eq = x: y: x == y; - ne = x: y: x != y; +let + lib = import <stockholm/lib>; +in - mod = x: y: x - y * (x / y); - - addName = name: set: - set // { inherit name; }; +with lib; - addNames = mapAttrs addName; +let out = lib // rec { guard = spec@{ type, value, ... }: assert isOptionType type; @@ -26,12 +19,9 @@ let out = import <stockholm/lib> // rec { ])); types = import ./types.nix { - inherit config; lib = lib // { inherit genid optionalTrace; }; }; - dir.has-default-nix = path: pathExists (path + "/default.nix"); - genid = import ./genid.nix { lib = lib // out; }; genid_signed = x: ((genid x) + 16777216) / 2; git = import ./git.nix { lib = lib // out; }; diff --git a/krebs/4lib/git.nix b/krebs/4lib/git.nix index d50ba2018..005c017a9 100644 --- a/krebs/4lib/git.nix +++ b/krebs/4lib/git.nix @@ -1,7 +1,12 @@ { lib, ... }: +with lib; + let - inherit (lib) addNames escapeShellArg makeSearchPath optionalString; + addName = name: set: + set // { inherit name; }; + + addNames = mapAttrs addName; commands = addNames { git-receive-pack = {}; diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 37d44606b..8d6ace2e5 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -1,14 +1,9 @@ -{ config, lib, ... }: +{ lib, ... }: with builtins; with lib; with types; -let - # Inherited attributes are used in submodules that have their own `config`. - inherit (config.krebs) build users; -in - types // rec { host = submodule ({ config, ... }: { @@ -27,7 +22,6 @@ types // rec { owner = mkOption { type = user; - default = users.krebs; }; extraZones = mkOption { @@ -49,10 +43,6 @@ types // rec { ssh.pubkey = mkOption { type = nullOr ssh-pubkey; default = null; - apply = x: - optionalTrace (x == null && config.owner.name == build.user.name) - "The option `krebs.hosts.${config.name}.ssh.pubkey' is unused." - x; }; ssh.privkey = mkOption { type = nullOr ssh-privkey; @@ -187,7 +177,6 @@ types // rec { }; owner = mkOption { type = user; - default = users.root; }; group-name = mkOption { type = str; @@ -284,6 +273,7 @@ types // rec { }; mail = mkOption { type = str; # TODO retiolum mail address + default = "${config._module.args.name}@${config.networking.hostName}.r"; }; name = mkOption { type = username; diff --git a/krebs/5pkgs/charybdis/default.nix b/krebs/5pkgs/charybdis/default.nix index f3e6be40e..6968be264 100644 --- a/krebs/5pkgs/charybdis/default.nix +++ b/krebs/5pkgs/charybdis/default.nix @@ -6,7 +6,7 @@ stdenv.mkDerivation rec { src = fetchgit { url = "https://github.com/atheme/charybdis.git"; rev = "61815bf9324e872f51255e09fe37a8c595f94a60"; - sha256 = "0zsd6xk2cnspc1cvryy2296p3ix4hwjd9k24wmgbh5wzks0wahwy"; + sha256 = "1q9h7j2pm1wsbcybmm7r7hzimp1zda04lw9x2akb26l9p12zgfgc"; }; patches = [ diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index cdab64212..75d1dac82 100644 --- a/krebs/5pkgs/default.nix +++ b/krebs/5pkgs/default.nix @@ -17,7 +17,7 @@ with config.krebs.lib; in {} // import ./builders.nix args // mapAttrs (_: flip callPackage {}) - (filterAttrs (_: dir.has-default-nix) + (filterAttrs (_: dir: pathExists (dir + "/default.nix")) (subdirsOf ./.)) // { empty = pkgs.runCommand "empty-1.0.0" {} "mkdir $out"; diff --git a/krebs/5pkgs/dic/default.nix b/krebs/5pkgs/dic/default.nix index 3566de8cd..12cbedc60 100644 --- a/krebs/5pkgs/dic/default.nix +++ b/krebs/5pkgs/dic/default.nix @@ -6,7 +6,7 @@ stdenv.mkDerivation { src = fetchgit { url = https://github.com/krebscode/painload; rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3"; - sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35"; + sha256 = "0arsfcd8qdrqafw7cxiag7f0kn95nwxxwrs0kdzxxdryfr6l1h07"; }; phases = [ diff --git a/krebs/5pkgs/exim/default.nix b/krebs/5pkgs/exim/default.nix deleted file mode 100644 index 835970555..000000000 --- a/krebs/5pkgs/exim/default.nix +++ /dev/null @@ -1,64 +0,0 @@ -{ coreutils, fetchurl, db, openssl, pam, pcre, perl, pkgconfig, stdenv }: - -stdenv.mkDerivation rec { - name = "exim-4.87"; - - src = fetchurl { - url = "http://mirror.switch.ch/ftp/mirror/exim/exim/exim4/${name}.tar.bz2"; - sha256 = "1jbxn13shq90kpn0s73qpjnx5xm8jrpwhcwwgqw5s6sdzw6iwsbl"; - }; - - buildInputs = [ coreutils db openssl pam pcre perl pkgconfig ]; - - preBuild = '' - sed ' - s:^\(BIN_DIRECTORY\)=.*:\1='"$out"'/bin: - s:^\(CONFIGURE_FILE\)=.*:\1=/etc/exim.conf: - s:^\(EXIM_USER\)=.*:\1=ref\:nobody: - s:^\(SPOOL_DIRECTORY\)=.*:\1=/exim-homeless-shelter: - s:^# \(SUPPORT_MAILDIR\)=.*:\1=yes: - s:^EXIM_MONITOR=.*$:# &: - s:^\(FIXED_NEVER_USERS\)=root$:\1=0: - s:^# \(WITH_CONTENT_SCAN\)=.*:\1=yes: - s:^# \(AUTH_PLAINTEXT\)=.*:\1=yes: - s:^# \(SUPPORT_TLS\)=.*:\1=yes: - s:^# \(USE_OPENSSL_PC=openssl\)$:\1: - s:^# \(LOG_FILE_PATH=syslog\)$:\1: - s:^# \(SUPPORT_PAM\)=.*:\1=yes\nEXTRALIBS=-lpam: - s:^# \(HAVE_IPV6=yes\)$:\1: - s:^# \(CHOWN_COMMAND\)=.*:\1=${coreutils}/bin/chown: - s:^# \(CHGRP_COMMAND\)=.*:\1=${coreutils}/bin/chgrp: - s:^# \(CHMOD_COMMAND\)=.*:\1=${coreutils}/bin/chmod: - s:^# \(MV_COMMAND\)=.*:\1=${coreutils}/bin/mv: - s:^# \(RM_COMMAND\)=.*:\1=${coreutils}/bin/rm: - s:^# \(TOUCH_COMMAND\)=.*:\1=${coreutils}/bin/touch: - s:^# \(PERL_COMMAND\)=.*:\1=${perl}/bin/perl: - #/^\s*#.*/d - #/^\s*$/d - ' < src/EDITME > Local/Makefile - ''; - - installPhase = '' - mkdir -p $out/bin $out/share/man/man8 - cp doc/exim.8 $out/share/man/man8 - - ( cd build-Linux-* - cp exicyclog exim_checkaccess exim_dumpdb exim_lock exim_tidydb \ - exipick exiqsumm exigrep exim_dbmbuild exim exim_fixdb eximstats \ - exinext exiqgrep exiwhat \ - $out/bin ) - - ( cd $out/bin - for i in mailq newaliases rmail rsmtp runq sendmail; do - ln -s exim $i - done ) - ''; - - meta = { - homepage = http://exim.org/; - description = "A mail transfer agent (MTA)"; - license = stdenv.lib.licenses.gpl3; - platforms = stdenv.lib.platforms.linux; - maintainers = [ stdenv.lib.maintainers.tv ]; - }; -} diff --git a/krebs/5pkgs/haskell-overrides/blessings.nix b/krebs/5pkgs/haskell-overrides/blessings.nix index 741fb5c36..ba776b352 100644 --- a/krebs/5pkgs/haskell-overrides/blessings.nix +++ b/krebs/5pkgs/haskell-overrides/blessings.nix @@ -5,7 +5,7 @@ mkDerivation { src = fetchgit { url = http://cgit.cd.krebsco.de/blessings; rev = "25a510dcb38ea9158e9969d56eb66cb1b860ab5f"; - sha256 = "b962153e80e51519b52220199d8350b54154833e4bc25a792ecc58898fef3fb2"; + sha256 = "0xg329h1y68ndg4w3m1jp38pkg3gqg7r19q70gqqj4mswb6qcrqc"; }; libraryHaskellDepends = [ base ]; doHaddock = false; diff --git a/krebs/5pkgs/haskell-overrides/email-header.nix b/krebs/5pkgs/haskell-overrides/email-header.nix index 8c62f2f70..b54240809 100644 --- a/krebs/5pkgs/haskell-overrides/email-header.nix +++ b/krebs/5pkgs/haskell-overrides/email-header.nix @@ -7,8 +7,8 @@ mkDerivation { version = "0.3.0"; src = fetchgit { url = "https://github.com/4z3/email-header"; - sha256 = "f33fba567a39b1f2448869b269c26c40d8007599c23ab83bde5b4dfd9fd76ebc"; rev = "7b179bd31192ead8afe7a0b6e34bcad4039deaa8"; + sha256 = "12j2n3sbvzjnw99gga7kkdygm8n3qx2lh8q26ad6a53xm5whnz59"; }; buildDepends = [ attoparsec base base64-bytestring bytestring case-insensitive diff --git a/krebs/5pkgs/haskell-overrides/scanner.nix b/krebs/5pkgs/haskell-overrides/scanner.nix index b88b9dbe3..5146fa41d 100644 --- a/krebs/5pkgs/haskell-overrides/scanner.nix +++ b/krebs/5pkgs/haskell-overrides/scanner.nix @@ -5,7 +5,7 @@ mkDerivation { src = fetchgit { url = http://cgit.cd.krebsco.de/scanner; rev = "7f091a3bc152ad3974a1873b460fa1759bf8dcad"; - sha256 = "7d123c227777932039d26fc832b8d32a90f04c0bd6b7e8bcff0a6f49a54e0054"; + sha256 = "1lgl158axczsm4fx53fyq1d4116v91jsx4dbz66ka4k1ljqrmhgn"; }; libraryHaskellDepends = [ base ]; license = stdenv.lib.licenses.wtfpl; diff --git a/krebs/5pkgs/much/default.nix b/krebs/5pkgs/much/default.nix index efe84fbf0..61a58b01b 100644 --- a/krebs/5pkgs/much/default.nix +++ b/krebs/5pkgs/much/default.nix @@ -14,7 +14,7 @@ mkDerivation { src = fetchgit { url = "http://cgit.cd.krebsco.de/much"; rev = "045dc986b4de225a927175f81c8ccfdab450202c"; - sha256 = "cec175e3dc32ef93029ee5285f6c4042ce11d637945bc8cec02cb6699d06cc13"; + sha256 = "17jbw7x82a3bgn1qv5k764f103knrf865dmx48h7192vdh8gz766"; }; isLibrary = false; isExecutable = true; diff --git a/krebs/5pkgs/noVNC/default.nix b/krebs/5pkgs/noVNC/default.nix index 629d288ae..45c3afb3a 100644 --- a/krebs/5pkgs/noVNC/default.nix +++ b/krebs/5pkgs/noVNC/default.nix @@ -7,7 +7,7 @@ stdenv.mkDerivation rec { src = fetchgit { url = https://github.com/kanaka/noVNC; rev = "refs/tags/v0.5.1"; - sha256 = "1azsnppwnrsv3axj0r5bw8lfarkibgz5vhgcyj8dzn4afn98f55w"; + sha256 = "1vckvvfcawgfqmx415r5rnl6k2alx53jbqmsj49kxpbdvvxpb49d"; }; phases = [ diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 26ad316ce..8ce1d5748 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -102,6 +102,11 @@ with config.krebs.lib; device = "/dev/pool/bku"; fsType = "ext4"; }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; }; #services.udev.extraRules = '' diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 1aa4d9b23..1028ca652 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -23,7 +23,7 @@ with config.krebs.lib; ../2configs/teamviewer.nix ../2configs/libvirt.nix ../2configs/fetchWallpaper.nix - ../2configs/c-base.nix + #../2configs/c-base.nix ../2configs/mail.nix ../2configs/krebs-pass.nix ../2configs/repo-sync.nix @@ -54,8 +54,8 @@ with config.krebs.lib; enable = true; package = pkgs.postgresql; }; - virtualisation.docker.enable = true; - users.users.mainUser.extraGroups = [ "docker" ]; + #virtualisation.docker.enable = true; + #users.users.mainUser.extraGroups = [ "docker" ]; } { lass.umts = { @@ -140,6 +140,11 @@ with config.krebs.lib; device = "/dev/big/conf"; fsType = "ext4"; }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; }; services.udev.extraRules = '' @@ -192,8 +197,12 @@ with config.krebs.lib; urban mk_sql_pair remmina + thunderbird logf + iodine + + macchanger ]; #TODO: fix this shit diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index c7c765302..51d106b5e 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -23,6 +23,7 @@ in { ../2configs/buildbot-standalone.nix ../2configs/repo-sync.nix ../2configs/binary-cache/server.nix + ../2configs/iodined.nix { imports = [ ../2configs/git.nix @@ -119,6 +120,12 @@ in { device = "/dev/pool/bku"; }; + fileSystems."/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + } { sound.enable = false; @@ -260,6 +267,11 @@ in { { predicate = "-p tcp --dport 8088"; target = "ACCEPT"; } ]; } + { + krebs.repo-sync.timerConfig = { + OnCalendar = "*:0/5"; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/shodan.nix b/lass/1systems/shodan.nix index af98c6968..5140591af 100644 --- a/lass/1systems/shodan.nix +++ b/lass/1systems/shodan.nix @@ -50,6 +50,11 @@ with builtins; device = "/dev/pool/home-lass"; fsType = "ext4"; }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; }; services.udev.extraRules = '' diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index 16c39280d..aa5286ae0 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix @@ -1,33 +1,45 @@ { config, pkgs, ... }: with builtins; +with config.krebs.lib; { imports = [ ../. ../2configs/retiolum.nix - ../2configs/baseX.nix ../2configs/exim-retiolum.nix - ../2configs/browsers.nix - ../2configs/games.nix - ../2configs/pass.nix - ../2configs/bird.nix - ../2configs/git.nix - ../2configs/chromium-patched.nix - ../2configs/bitlbee.nix - ../2configs/weechat.nix - ../2configs/skype.nix { - lass.umts = { + # locke config + time.timeZone = "Europe/Berlin"; + services.xserver.enable = true; + users.users.locke = { + uid = genid "locke"; + home = "/home/locke"; + group = "users"; + createHome = true; + extraGroups = [ + "audio" + "networkmanager" + ]; + useDefaultShell = true; + }; + networking.networkmanager.enable = true; + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + environment.systemPackages = with pkgs; [ + firefox + hexchat + networkmanagerapplet + ]; + services.xserver.desktopManager.xfce = { enable = true; - modem = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0"; }; } ]; krebs.build.host = config.krebs.hosts.uriel; - networking.wireless.enable = true; - hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; @@ -62,6 +74,11 @@ with builtins; "/boot" = { device = "/dev/sda1"; }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; }; services.udev.extraRules = '' diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix index 7d3046d43..916e08219 100644 --- a/lass/2configs/backups.nix +++ b/lass/2configs/backups.nix @@ -23,10 +23,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; }; startAt = "03:05"; }; - dishfire-http-uriel = { + dishfire-http-shodan = { method = "pull"; src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-http"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; }; startAt = "03:10"; }; dishfire-sql-prism = { @@ -41,10 +41,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; }; startAt = "03:20"; }; - dishfire-sql-uriel = { + dishfire-sql-shodan = { method = "pull"; src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-sql"; }; + dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; }; startAt = "03:25"; }; prism-bitlbee-mors = { @@ -53,10 +53,10 @@ with config.krebs.lib; dst = { host = config.krebs.hosts.mors; path = |