-rw-r--r-- | krebs/3modules/makefu/default.nix | 10 | ||||
-rw-r--r-- | lass/1systems/prism.nix | 12 | ||||
-rw-r--r-- | lass/2configs/default.nix | 1 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 7 | ||||
-rw-r--r-- | lass/5pkgs/default.nix | 1 | ||||
-rw-r--r-- | lass/5pkgs/pop/default.nix | 10 | ||||
-rw-r--r-- | makefu/1systems/darth.nix | 19 | ||||
-rw-r--r-- | makefu/1systems/omo.nix | 6 | ||||
-rw-r--r-- | makefu/1systems/shoney.nix | 14 | ||||
-rw-r--r-- | makefu/1systems/vbob.nix | 20 | ||||
-rw-r--r-- | makefu/2configs/binary-cache/lass.nix | 12 | ||||
-rw-r--r-- | makefu/2configs/binary-cache/nixos.nix | 12 | ||||
-rw-r--r-- | makefu/2configs/default.nix | 10 | ||||
-rw-r--r-- | makefu/2configs/temp-share-samba.nix | 5 | ||||
-rw-r--r-- | makefu/2configs/virtualization-virtualbox.nix | 11 | ||||
-rw-r--r-- | makefu/3modules/default.nix | 1 | ||||
-rw-r--r-- | makefu/3modules/forward-journal.nix | 50 | ||||
-rw-r--r-- | makefu/5pkgs/awesomecfg/kiosk.lua | 6 | ||||
-rw-r--r-- | makefu/5pkgs/default.nix | 2 | ||||
-rw-r--r-- | makefu/5pkgs/git-xlsx-textconv/default.nix | 30 | ||||
-rw-r--r-- | makefu/5pkgs/mergerfs/default.nix | 26 |
21 files changed, 235 insertions, 30 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index e5cb0e7f6..d5537cf56 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -66,6 +66,16 @@ with config.krebs.lib; }; }; }; + honeydrive = { # vm on darth + nets = { + internet = { # via shoney + ip4.addr = "64.137.234.232"; + aliases = [ + "honeydrive.i" + ]; + }; + }; + }; tsp = { cores = 1; nets = { diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 270bb6fc2..77d72a5ac 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -223,6 +223,18 @@ in { mk_sql_pair ]; } + { + users.users.tv = { + uid = genid "tv"; + home = "/home/tv"; + group = "users"; + createHome = true; + useDefaultShell = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.tv.pubkey + ]; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index b8c50f1aa..81abff3ed 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -113,6 +113,7 @@ with config.krebs.lib; #neat utils krebspaste pciutils + pop psmisc q rs diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 8a2161e45..07df2e8de 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -78,6 +78,12 @@ in { ]) ]; + krebs.nginx.servers."ubikmedia.de".locations = [ + (lib.nameValuePair "/piwik" '' + try_files $uri $uri/ /index.php?$args; + '') + ]; + lass.mysqlBackup.config.all.databases = [ "ubikmedia_de" "o_ubikmedia_de" @@ -121,6 +127,7 @@ in { options = '' extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so sendmail_path = "${sendmail} -t -i" + always_populate_raw_post_data = -1 ''; } '' cat ${pkgs.php}/etc/php-recommended.ini > $out diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix index c48188f9d..0beda7481 100644 --- a/lass/5pkgs/default.nix +++ b/lass/5pkgs/default.nix 
@@ -13,6 +13,7 @@ }; mk_sql_pair = pkgs.callPackage ./mk_sql_pair/default.nix {}; mpv-poll = pkgs.callPackage ./mpv-poll/default.nix {}; + pop = pkgs.callPackage ./pop/default.nix {}; q = pkgs.callPackage ./q {}; rs = pkgs.callPackage ./rs/default.nix {}; untilport = pkgs.callPackage ./untilport/default.nix {}; diff --git a/lass/5pkgs/pop/default.nix b/lass/5pkgs/pop/default.nix new file mode 100644 index 000000000..cec22e3b1 --- /dev/null +++ b/lass/5pkgs/pop/default.nix @@ -0,0 +1,10 @@ +{ pkgs, ... }: + +pkgs.writeScriptBin "pop" '' + #! ${pkgs.bash}/bin/bash + + file=$1 + + head -1 $file + sed -i 1d $file +'' diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix index 5f1d6e121..87029a693 100644 --- a/makefu/1systems/darth.nix +++ b/makefu/1systems/darth.nix @@ -16,16 +16,32 @@ in { ../2configs/smart-monitor.nix ../2configs/exim-retiolum.nix ../2configs/virtualization.nix + + ../2configs/temp-share-samba.nix ]; + services.samba.shares = { + isos = { + path = "/data/isos/"; + "read only" = "yes"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; services.tinc.networks.siem = { name = "sdarth"; extraConfig = "ConnectTo = sjump"; }; + + makefu.forward-journal = { + enable = true; + src = "10.8.10.2"; + dst = "10.8.10.6"; + }; + #networking.firewall.enable = false; krebs.retiolum.enable = true; boot.kernelModules = [ "coretemp" "f71882fg" ]; - hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; networking = { @@ -33,6 +49,7 @@ in { firewall = { allowPing = true; logRefusedConnections = false; + trustedInterfaces = [ "eno1" ]; allowedUDPPorts = [ 80 655 1655 67 ]; allowedTCPPorts = [ 80 655 1655 ]; }; diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index e71055f54..8c24e0ff5 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix 
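Review bot: `$file` is expanded unquoted in both `head -1 $file` and `sed -i 1d $file` in the new `pop` script, so a path containing whitespace or glob characters is split or expanded, and a name beginning with `-` is parsed as an option. Quote it and end option parsing: `head -1 -- "$file"` and `sed -i 1d -- "$file"`. The script also runs when `$1` is unset, in which case `head` reads stdin and `sed -i` fails; a guard such as `[ -n "$1" ] || exit 1` before the two commands would make that explicit. The read and the delete are separate steps, so two concurrent callers on the same file can both return the same line.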
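Review bot: `trustedInterfaces = [ "eno1" ]` in darth.nix makes the firewall accept all inbound traffic on eno1, so the `allowedUDPPorts`/`allowedTCPPorts` lists on the following lines no longer limit anything on that interface. That includes the guest-readable `isos` Samba share added in the first hunk of this file. If eno1 faces only an isolated segment, record that next to the setting, e.g. `# eno1 faces only <segment-name>; everything on it is trusted`. If only a few services are needed there, keeping the port lists and dropping the trust entry is the narrower choice. The `networking` block starts and ends outside the hunk.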
@@ -75,6 +75,7 @@ in { # HDD Array stuff + environment.systemPackages = [ pkgs.mergerfs ]; services.smartd.devices = builtins.map (x: { device = x; }) allDisks; makefu.snapraid = let @@ -129,7 +130,10 @@ in { kernelModules = [ "kvm-intel" ]; extraModulePackages = [ ]; }; - + users.users.misa = { + uid = 9002; + name = "misa"; + }; hardware.enableAllFirmware = true; hardware.cpu.intel.updateMicrocode = true; diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix index 1fe8871d2..3a3ac9c7c 100644 --- a/makefu/1systems/shoney.nix +++ b/makefu/1systems/shoney.nix @@ -3,8 +3,9 @@ let tinc-siem-ip = "10.8.10.1"; ip = "64.137.234.215"; - alt-ip = "64.137.234.210"; - extra-ip = "64.137.234.114"; #currently unused + alt-ip = "64.137.234.210"; # honeydrive honeyd + extra-ip1 = "64.137.234.114"; # floating tinc.siem + extra-ip2 = "64.137.234.232"; # honeydrive gw = "64.137.234.1"; in { imports = [ @@ -15,7 +16,7 @@ in { ]; - + environment.systemPackages = [ pkgs.honeyd ]; services.tinc.networks.siem.name = "sjump"; krebs = { @@ -37,10 +38,15 @@ in { }; }; }; + makefu.forward-journal = { + enable = true; + src = "10.8.10.1"; + dst = "10.8.10.6"; + }; networking = { interfaces.enp2s1.ip4 = [ { address = ip; prefixLength = 24; } - { address = alt-ip; prefixLength = 24; } + # { address = alt-ip; prefixLength = 24; } ]; defaultGateway = gw; diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index 8b71b1393..3fcb173ce 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix 
@@ -5,23 +5,23 @@ imports = [ # Include the results of the hardware scan. ../. - <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix> + (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>) + (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>) ../2configs/main-laptop.nix #< base-gui + # (toString <secrets>)/extra-hosts.nix # environment ]; - nixpkgs.config.allowUnfree = true; + # workaround for https://github.com/NixOS/nixpkgs/issues/16641 + services.xserver.videoDrivers = lib.mkOverride 45 [ "virtualbox" "modesetting" ]; + nixpkgs.config.allowUnfree = true; fileSystems."/nix" = { device ="/dev/disk/by-label/nixstore"; fsType = "ext4"; }; - fileSystems."/var/lib/docker" = { - device ="/dev/disk/by-label/nix-docker"; - fsType = "ext4"; - }; - #makefu.buildbot.master.enable = true; + # allow vbob to deploy self users.extraUsers = { root = { @@ -52,11 +52,7 @@ "gum" ]; }; - - networking.extraHosts = '' - 172.17.20.190 gitlab - 172.17.62.27 svbittool01 tool - ''; + virtualisation.docker.enable = false; fileSystems."/media/share" = { fsType = "vboxsf"; diff --git a/makefu/2configs/binary-cache/lass.nix b/makefu/2configs/binary-cache/lass.nix new file mode 100644 index 000000000..4813eeb0f --- /dev/null +++ b/makefu/2configs/binary-cache/lass.nix @@ -0,0 +1,12 @@ +{ config, ... }: + +{ + nix = { + binaryCaches = [ + "http://cache.prism.r" + ]; + binaryCachePublicKeys = [ + "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU=" + ]; + }; +} diff --git a/makefu/2configs/binary-cache/nixos.nix b/makefu/2configs/binary-cache/nixos.nix new file mode 100644 index 000000000..2ff5e1307 --- /dev/null +++ b/makefu/2configs/binary-cache/nixos.nix @@ -0,0 +1,12 @@ +{ config, ... }: + +{ + nix = { + binaryCaches = [ + "https://cache.nixos.org/" + ]; + binaryCachePublicKeys = [ + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + ]; + }; +} 
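Review bot: The new cache `http://cache.prism.r` in binary-cache/lass.nix is fetched over plain HTTP, so the only thing protecting store paths from it is the signature check against the `cache.prism-1` key in `binaryCachePublicKeys`. That deserves a comment in the file, for example `# plain HTTP: integrity depends on signature verification staying enabled (nix.requireSignedBinaryCaches)`. Adding the key also means every host importing this file accepts any path signed by it, so whoever holds the signing key can ship binaries to all of them. Presumably that is intended, but it is worth stating in the file.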
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 58a537a2b..f3bf0c46e 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -2,8 +2,6 @@ with config.krebs.lib; { - system.stateVersion = "15.09"; - imports = [ { users.extraUsers = @@ -11,6 +9,8 @@ with config.krebs.lib; (import <secrets/hashedPasswords.nix>); } ./vim.nix + ./binary-cache/nixos.nix + ./binary-cache/lass.nix ]; nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name); @@ -18,13 +18,14 @@ with config.krebs.lib; enable = true; dns.providers.siem = "hosts"; + dns.providers.lan = "hosts"; search-domain = "retiolum"; build = { user = config.krebs.users.makefu; source = let inherit (config.krebs.build) host user; in { nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "63b9785"; # stable @ 2016-06-01 + rev = "0546a4a"; # stable @ 2016-06-11 }; secrets.file = if getEnv "dummy_secrets" == "true" @@ -64,9 +65,6 @@ with config.krebs.lib; programs.ssh = { startAgent = false; - extraConfig = '' - UseRoaming no - ''; }; services.openssh.enable = true; nix.useChroot = true; diff --git a/makefu/2configs/temp-share-samba.nix b/makefu/2configs/temp-share-samba.nix index 5f21e3bf7..0907c2dbf 100644 --- a/makefu/2configs/temp-share-samba.nix +++ b/makefu/2configs/temp-share-samba.nix @@ -1,9 +1,12 @@ {config, ... }:{ + networking.firewall.allowedUDPPorts = [ 137 138 ]; + networking.firewall.allowedTCPPorts = [ 139 445 ]; users.users.smbguest = { name = "smbguest"; uid = config.ids.uids.smbguest; description = "smb guest user"; - home = "/var/empty"; + home = "/home/share"; + createHome = true; }; services.samba = { enable = true; diff --git a/makefu/2configs/virtualization-virtualbox.nix b/makefu/2configs/virtualization-virtualbox.nix index aaabcd50e..2b4e24774 100644 --- a/makefu/2configs/virtualization-virtualbox.nix +++ b/makefu/2configs/virtualization-virtualbox.nix 
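Review bot: `rev = "0546a4a"` in makefu/2configs/default.nix pins nixpkgs by a seven-character abbreviated commit id, which identifies a commit only as long as no other object in the repository shares that prefix. For the source every host is built from, the full id is the safer pin: `rev = "<full-40-char-commit-id>"; # stable @ 2016-06-11`. The hunk also renames the attribute from `ref` to `rev`; the module that consumes `nixpkgs.git` is not visible in this diff, so confirm that it reads `rev`.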
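Review bot: The two added `networking.firewall` lines in temp-share-samba.nix open NetBIOS and SMB (UDP 137/138, TCP 139/445) on every interface of any host that imports this file, and the share is served to a guest account. Nothing in the hunk limits who can reach it, so on a host with a public address the share would be exposed unless the Samba configuration restricts it. Consider limiting the listener in the Samba settings, e.g. `hosts allow = <lan-subnet>` together with `bind interfaces only = yes` and `interfaces = <lan-interface>`. The `services.samba` block continues past the end of the hunk, so such a restriction may already exist there.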
@@ -2,8 +2,8 @@ let mainUser = config.krebs.build.user; - version = "5.0.6"; - rev = "103037"; + version = "5.0.20"; + rev = "106931"; vboxguestpkg = pkgs.fetchurl { url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack"; sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf"; @@ -14,5 +14,10 @@ in { nixpkgs.config.virtualbox.enableExtensionPack = true; users.extraGroups.vboxusers.members = [ "${mainUser.name}" ]; - environment.systemPackages = [ vboxguestpkg ]; + nixpkgs.config.packageOverrides = super: { + boot.kernelPackages = super.boot.kernelPackages.virtualbox.override { + buildInputs = super.boot.kernelPackages.virtualBox.buildInputs + ++ [ vboxguestpkg ]; + }; + }; } diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index 853bdca04..febebaa18 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix @@ -6,6 +6,7 @@ _: ./umts.nix ./taskserver.nix ./awesome-extra.nix + ./forward-journal.nix ]; } diff --git a/makefu/3modules/forward-journal.nix b/makefu/3modules/forward-journal.nix new file mode 100644 index 000000000..26de3ffdd --- /dev/null +++ b/makefu/3modules/forward-journal.nix 
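Review bot: `version` and `rev` move to 5.0.20 / 106931 in virtualization-virtualbox.nix, which changes the download URL, but the `sha256` on the unchanged line below still holds the value that was paired with 5.0.6. The new file will not match it, so the fetch is expected to fail the hash check. Recompute the hash for the new extension pack and update it in the same change: `sha256 = "<hash-of-5.0.20-extpack>";`. The URL is plain `http://`, so this hash is the only integrity check on the download and should be taken from a trusted copy of the file.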
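Review bot: The new `packageOverrides` entry defines an attribute named `boot.kernelPackages` inside the package set and reads `super.boot.kernelPackages`. `boot.kernelPackages` is a NixOS option rather than a nixpkgs attribute, so this override probably never takes effect. The two spellings `virtualbox` and `virtualBox` on adjacent lines also cannot both be right. Because `environment.systemPackages = [ vboxguestpkg ];` is removed in the same hunk, the extension pack may end up installed nowhere. Keeping that line until the override is verified to evaluate and build would avoid a silent regression.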
@@ -0,0 +1,50 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let + cfg = config.makefu.forward-journal; + + out = { + options.makefu.forward-journal = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "forward journal via syslog"; + src = mkOption { + type = types.str; + description = "syslog host identifier"; + default = config.networking.hostName; + }; + dst = mkOption { + type = types.str; + description = "syslog host identifier"; + default = ""; + }; + proto = mkOption { + type = types.str; + default = "udp"; + }; + port = mkOption { + type = types.int; + description = "destination port"; + default = 514; + }; + + }; + + imp = { + services.syslog-ng = { + enable = true; + extraConfig = '' + template t_remote { template("<$PRI>$DATE ${cfg.src} $PROGRAM[$PID]: $MSG\n"); }; + source s_all { system(); internal(); }; + destination d_loghost { udp("${cfg.dst}" port(${toString cfg.port}) template(t_remote)); }; + log { source(s_all); destination(d_loghost); }; + ''; + }; + }; + +in +out + diff --git a/makefu/5pkgs/awesomecfg/kiosk.lua b/makefu/5pkgs/awesomecfg/kiosk.lua index 81ec99225..ec255a8af 100644 --- a/makefu/5pkgs/awesomecfg/kiosk.lua +++ b/makefu/5pkgs/awesomecfg/kiosk.lua 
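Review bot: The `proto` option in forward-journal.nix is declared but never read: the destination line hard-codes `udp(...)`, so setting `proto = "tcp"` changes nothing. Either use it, `destination d_loghost { ${cfg.proto}("${cfg.dst}" port(${toString cfg.port}) template(t_remote)); };`, or drop the option; if kept, `types.enum [ "udp" "tcp" ]` would reject values the config cannot express. `dst` defaults to `""`, which yields `udp("" ...)` when the module is enabled without a destination, so it should have no default. `dst` also carries the description copied from `src`; `"syslog destination host"` would be accurate. Forwarding is unauthenticated and unencrypted, which is acceptable only while `dst` is reached over the VPN.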
@@ -521,13 +521,15 @@ awful.rules.rules = { } -- awful.util.spawn_with_shell("chromium --new-window --kiosk https://www.checkpoint.com/ThreatPortal/livemap.html") -awful.util.spawn_with_shell("chromium --new-window --kiosk http://wolf:3000/dashboard/db/soc-critical-values") +--awful.util.spawn_with_shell("chromium --new-window --kiosk http://wolf:3000/dashboard/db/soc-critical-values") -- awful.util.spawn_with_shell("sleep 0.5;chromium --new-window --kiosk http://wolf:3000/dashboard/db/aralast") --awful.util.spawn_with_shell("chromium --new-window --kiosk http://gast.aramark.de/thales-deutschland/menu/pdf/woche_de.php") -awful.util.spawn_with_shell("sleep 0.5;chromium --new-window --kiosk http://map.norsecorp.com") +--awful.util.spawn_with_shell("sleep 0.5;chromium --new-window --kiosk http://map.norsecorp.com") --awful.util.spawn_with_shell("sleep 0.5;chromium --new-window --kiosk http://threatmap.fortiguard.com") +awful.util.spawn_with_shell("chromium --new-window --kiosk 'https://ossim.siem/ossim/#dashboard/overview/overview'") +awful.util.spawn_with_shell("chromium --new-window --kiosk 'https://ossim.siem/ossim/#analysis/alarms/alarms'") -- }}} diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index f6a6b674b..f94136c0b 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix @@ -10,6 +10,8 @@ in alsa-hdsploader = callPackage ./alsa-tools { alsaToolTarget="hdsploader";}; awesomecfg = callPackage ./awesomecfg {}; bintray-upload = callPackage ./bintray-upload {}; + git-xlsx-textconv = callPackage ./git-xlsx-textconv {}; + mergerfs = callPackage ./mergerfs {}; mycube-flask = callPackage ./mycube-flask {}; nodemcu-uploader = callPackage ./nodemcu-uploader {}; tw-upload-plugin = callPackage ./tw-upload-plugin {}; diff --git a/makefu/5pkgs/git-xlsx-textconv/default.nix b/makefu/5pkgs/git-xlsx-textconv/default.nix new file mode 100644 index 000000000..1f631f020 --- /dev/null +++ b/makefu/5pkgs/git-xlsx-textconv/default.nix 
@@ -0,0 +1,30 @@ +{ stdenv, lib, goPackages, fetchFromGitHub }: +let + go-xlsx = goPackages.buildGoPackage rec { + name = "go-xlsx-${version}"; + version = "46e6e472d"; + + goPackagePath = "github.com/tealeg/xlsx"; + src = fetchFromGitHub { + rev = version; + owner = "tealeg"; + repo = "xlsx"; + sha256 = "1vls05asms7azhyszbqpgdby9l45jpgisbzzmbrzi30n6cvs89zg"; + }; +}; +in +(goPackages.buildGoPackage rec { + name = "git-xlsx-textconv-${version}"; + version = "70685e7f8"; + + + goPackagePath = "github.com/tokuhirom/git-xlsx-textconv"; + + src = fetchFromGitHub { + rev = version; + owner = "tokuhirom"; + repo = "git-xlsx-textconv"; + sha256 = "055f3caj1y8v7sc2pz9q0dfyi2ij77d499pby4sjfvm5kjy9msdi"; + }; + propagatedBuildInputs = [ go-xlsx ]; +}).bin diff --git a/makefu/5pkgs/mergerfs/default.nix b/makefu/5pkgs/mergerfs/default.nix new file mode 100644 index 000000000..64e8fc671 --- /dev/null +++ b/makefu/5pkgs/mergerfs/default.nix @@ -0,0 +1,26 @@ +{ stdenv, fetchgit, fuse, pkgconfig, which, attr, pandoc, git }: + +stdenv.mkDerivation rec { + name = "mergerfs-${version}"; + version = "2.14.0"; + + # not using fetchFromGitHub because of changelog being built with git log + src = fetchgit { + url = "https://github.com/trapexit/mergerfs"; + rev = "refs/tags/${version}"; + sha256 = "0j5r96xddlj5gp3n1xhfwjmr6yf861xg3hgby4p078c8zfriq5rm"; + deepClone = true; + }; + + buildInputs = [ fuse pkgconfig which attr pandoc git ]; + + makeFlags = [ "PREFIX=$(out)" "XATTR_AVAILABLE=1" ]; + + + meta = { + homepage = https://github.com/trapexit/mergerfs; + description = "a FUSE based union filesystem"; + license = stdenv.lib.licenses.isc; + maintainers = [ stdenv.lib.maintainers.makefu ]; + }; +} |
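Review bot: `deepClone = true` in mergerfs/default.nix keeps the repository's `.git` directory in the fetched source, and as far as I know its contents are not guaranteed to be identical between clones. The fixed `sha256` may therefore stop matching on a later fetch even though the tag has not moved. `rev = "refs/tags/${version}"` names a tag that upstream can move; the hash would catch that, but the failure looks the same as the `.git` churn. A comment above `src` should say so, e.g. `# deepClone keeps .git for the changelog; on hash mismatch, verify the tag's commit id before updating sha256`. Recording the tag's commit id in that comment gives the next maintainer something to compare against.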