44 files changed, 676 insertions, 506 deletions
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index 50e04cf80..4e035e725 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -22,6 +22,16 @@ let servers = mkOption { type = with types; attrsOf optionSet; + example = '' + { + "paste.r" = { + defaultPermissions = "read,delete,create"; + }; + "paste.krebsco.de" = { + defaultPermissions = "read"; + }; + } + ''; options = singleton { nginx = mkOption { # TODO use the correct type @@ -30,7 +40,6 @@ let additional nginx configuration. see krebs.nginx for all options ''; }; - secretKey = mkOption { type = types.str; description = '' @@ -39,6 +48,7 @@ let default = ""; }; + # we create a wsgi socket in $workDir/gunicorn-${name}.wsgi workDir = mkOption { type = types.str; @@ -143,25 +153,25 @@ let }; nginx-imp = { - assertions = [{ assertion = config.krebs.nginx.enable; - message = "krebs.nginx.enable must be true"; }]; - - krebs.nginx.servers = mapAttrs' (name: server: - nameValuePair("bepasty-server-${name}") - (mkMerge [ server.nginx { - extraConfig = '' - client_max_body_size 32M; - ''; - locations = [ - (nameValuePair "/" '' - proxy_set_header Host $http_host; - proxy_pass http://unix:${server.workDir}/gunicorn-${name}.sock; - '') - (nameValuePair "/static/" '' - alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/; - '') - ]; - }])) cfg.servers ; + assertions = [{ assertion = config.services.nginx.enable; + message = "services.nginx.enable must be true"; }]; + + services.nginx.virtualHosts = mapAttrs ( name: server: + (mkMerge [ + server.nginx + { + extraConfig = '' + client_max_body_size 32M; + ''; + locations = { + "/".extraConfig = "proxy_set_header Host $http_host;"; + "/".proxyPass = "http://unix:${server.workDir}/gunicorn-${name}.sock"; + "/static/".extraConfig = '' + alias ${bepasty}/lib/${python.libPrefix}/site-packages/bepasty/static/; + ''; + }; + }]) + ) cfg.servers ; }; in out 
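Review bot: The comment added above `workDir` in the `@@ -39,6 +48,7 @@` hunk says the socket is `$workDir/gunicorn-${name}.wsgi`, but the `proxyPass` written in the last hunk of this file points at `gunicorn-${name}.sock`, so the comment documents a path nothing in this module refers to. Change it to `# we create a wsgi socket in $workDir/gunicorn-${name}.sock` (the service that actually binds the socket is outside this diff, so confirm against it). In the same last hunk the two `"/"` entries could be a single attrset, `"/" = { extraConfig = "proxy_set_header Host $http_host;"; proxyPass = "http://unix:${server.workDir}/gunicorn-${name}.sock"; };`, which reads as one location instead of a repeated key. Unrelated to this change, the `secretKey` option visible as context of the `@@ -30` hunk still defaults to `""`; whether bepasty rejects an empty secret is not visible here, so the option description should at least state that a real value is expected.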
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 5af1e37cd..2d1819dee 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -202,6 +202,7 @@ with import <stockholm/lib>; "mors.retiolum" "mors.r" "cgit.mors.retiolum" + "cgit.mors.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -273,6 +274,33 @@ with import <stockholm/lib>; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C"; }; + icarus = { + cores = 2; + nets = rec { + retiolum = { + ip4.addr = "10.243.133.114"; + ip6.addr = "42:0000:0000:0000:0000:0000:d15f:1214"; + aliases = [ + "icarus.retiolum" + "icarus.r" + "cgit.icarus.retiolum" + "cgit.icarus.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAydCY+IWzF8DocCNzPiUM+xccbiDTWS/+r2le812+O4r+sUojXuzr + Q4CeN+pi2SZHEOiRm3jO8sOkGlv4I1WGs/nOu5Beb4/8wFH6wbm4cqXTqH/qFwCK + 7+9Bke8TUaoDj9E4ol9eyOx6u8Cto3ZRAUi6m1ilrfs1szFGS5ZX7mxI73uhki6t + k6Zb5sa9G8WLcLPIN7tk3Nd0kofd/smwxSN0mXoTgbAf1DZ3Fnkgox/M5VnwpPW7 + zLzbWNFyLIgDGbQ5vZBlJW7c4O0KrMlftvEQ80GeZXaKNt6UK7LSAQ4Njn+8sXTt + gl0Dx29bSPU3L8udj0Vu6ul7CiQ5bZzUCQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj"; + }; }; users = { 
@@ -294,6 +322,10 @@ with import <stockholm/lib>; pubkey = builtins.readFile ./ssh/shodan.rsa; pgp.pubkeys.default = builtins.readFile ./pgp/shodan.pgp; }; + lass-icarus = { + mail = "lass@icarus.retiolum"; + pubkey = builtins.readFile ./ssh/icarus.rsa; + }; fritz = { pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCz34435NSXgj72YAOL4cIlRq/4yInKEyL9no+gymURoW5x1nkYpP0EK331e7UyQQSOdWOogRo6d7YHcFqNlYWv5xlYcHucIhgJwC4Zda1liVA+v7tSOJz2BjmFvOT3/qlcPS69f3zdLHZooz2C33uHX1FgGRXlxiA8dpqGnSr8o76QLZjuQkuDqr8reOspjO/RHCo2Moq0Xm5q9OgN1WLAZzupqt9A5lx567mRzYsRAr23pUxVN8T/tSCgDlPe4ktEjYX9CXLKfMyh9WuBVi+AuH4GFEWBT+AMpsHeF45w+w956x56mz0F5nYOQNK87gFr+Jr+mh2AF1ot2CxzrfTb fritz@scriptkiddiT540"; }; diff --git a/krebs/3modules/lass/ssh/icarus.rsa b/krebs/3modules/lass/ssh/icarus.rsa new file mode 100644 index 000000000..da99fcfdf --- /dev/null +++ b/krebs/3modules/lass/ssh/icarus.rsa @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDz97C5WVGXgKZ3I7FMvL4TyUv+0rsrSOGI7jj5uQaaHx0SSR0V4tnZtv2hXYrfnkaPHwu2PYUeeUdMBHfbZS6l2dmaXRI9f2WG7182G3IUskMktpi84DMyh0kwK2pWmHoS+Kwo//q+lu4WXIRy4X5wVMVpPT1Oc7boDtqJt4rK8uZkuVmVzGi+5SFaBxspCsdZsX/uDWOeC4/U2l+2Pd4YYl8UdmgN3bJceKTwqKIcbK7AL91My0jrnRSU6XLuED0hcVKzjkjc6bcj1R+Mlch9cflsMQV8TfT6p7VGGvUOtVwhG1+CjraHfilzFn76wINClsQXF/ncKrGabTEWO3zTi12ukAzL2/B0IB0q61tror9uYqeI74WgLjwhnuF98hUL7hnqgV3KB1ytpt6yzXqf1Uz784z9dh0n9r0fLTkeTDbJ4uOz1XzpmAMRwuo0o7/Op7rRBLHohu2Tp6AV8sISKJN5hDGe0wD6861pH9ZrRBiUux6uylzfWp2qrZmERnk0brBl+oDQNhKs3Z0CZmLG4DZWMc5pxpQ5751/8bb6nEorg2ulDZ/h+G3myC+9Zbc/owb/HHOGOBMEpyYYYMvYAfchu50e4xtHd+wMqzFxzjfcM7u6dTdyDEXi6+TFXKBEZyvaAhW2J27HKj4iK6Td2GyK59myPG6OtCnIbw9BPw== lass@icarus diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index ff187b878..c85bf1ccd 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix 
@@ -26,6 +26,31 @@ with import <stockholm/lib>; }; }; }; + fileleech = rec { + cores = 4; + ssh.privkey.path = <secrets/ssh_host_ed25519_key>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM+jB5QdPsAJc90alYDhAEP3sPDJb6eIj9bebj+rTBEJ fileleech"; + nets = { + retiolum = { + ip4.addr = "10.243.113.98"; + ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096"; + aliases = [ + "fileleech.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA2W20+jYvuFUjPQ+E+7Xlabf8fW/XSnTTelfo2uRcJ3FMLYQ9H3rF + 8L8StPmxn8Q20FFH/MvRmgW8pU9z4RQ3nAi+utVYqAJQtOYA9FPMxssC08w82r0K + YC6sgc9MeRjnCjQxQrQs4fqA6KpqSLxRf2c6kfNwYRgCxFMns2ncxOiPOoGLZait + nJR3m0cSRm8yCTMbznlGH99+5+3HgvuBE/UYXmmGBs7w8DevaX76butzprZ8fm4z + e5C7R9ofdVW70GGksfSI81y5xODWMbfjTRHKm4OBX7NOCiOTwx1wu8bYDN3EzN6V + UM5PJfU42sViPEZmVuC8cDcP1xemHTkh9QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + pnp = { cores = 1; nets = { diff --git a/krebs/3modules/rtorrent.nix b/krebs/3modules/rtorrent.nix index bcc52fb6e..0c478aded 100644 --- a/krebs/3modules/rtorrent.nix +++ b/krebs/3modules/rtorrent.nix @@ -73,22 +73,23 @@ let # authentication also applies to rtorrent.rutorrent enable = mkEnableOption "rtorrent nginx web RPC"; - listenAddress = mkOption { - type = types.str; + port = mkOption { + type = types.nullOr types.int; description ='' - nginx listen address for rtorrent web + nginx listen port for rtorrent ''; - default = "localhost:8006"; + default = 8006; }; - enableAuth = mkEnableOption "rutorrent authentication"; - authfile = mkOption { - type = types.path; + basicAuth = mkOption { + type = types.attrsOf types.str ; description = '' - basic authentication file to be used. - Use `${pkgs.apacheHttpd}/bin/htpasswd -c <file> <username>` to create the file. - Only in use if authentication is enabled. + basic authentication to be used. If unset, no authentication will be + enabled. + + Refer to `services.nginx.virtualHosts.<name>.basicAuth` ''; + default = {}; }; }; 
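Review bot: The new `basicAuth` option in the rtorrent.nix hunk is `attrsOf str`, i.e. user names mapped to plaintext passwords written in the Nix expression, replacing the previous `authfile` path that could live outside the store; if the NixOS `basicAuth` option generates its htpasswd file with a store-backed writer, as I believe it does, those passwords become world-readable on the host. The description should say so, e.g. `Passwords given here end up in the Nix store; do not put them in a public configuration.` The sentence `If unset, no authentication will be enabled.` is also slightly off now that `default = {}` exists; `If empty (the default), no authentication is configured.` matches the code. The enclosing options block continues outside the hunk.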
@@ -104,7 +105,6 @@ let default = pkgs.rutorrent; }; - webdir = mkOption { type = types.path; description = '' @@ -286,36 +286,28 @@ let }; rpcweb-imp = { - krebs.nginx.enable = mkDefault true; - krebs.nginx.servers.rtorrent = { - listen = [ webcfg.listenAddress ]; - server-names = [ "default" ]; - extraConfig = '' - ${optionalString webcfg.enableAuth '' - auth_basic "rtorrent"; - auth_basic_user_file ${webcfg.authfile}; - ''} - ${optionalString rucfg.enable '' - root ${webdir}; - ''} - ''; - locations = [ - (nameValuePair "/RPC2" '' + services.nginx.enable = mkDefault true; + services.nginx.virtualHosts.rtorrent = { + default = mkDefault true; + inherit (webcfg) basicAuth port; + root = optionalString rucfg.enable webdir; + + locations = { + "/RPC2".extraConfig = '' include ${pkgs.nginx}/conf/scgi_params; scgi_param SCRIPT_NAME /RPC2; scgi_pass unix:${cfg.xmlrpc-socket}; - '') - ] ++ (optional rucfg.enable - (nameValuePair "~ \.php$" '' + ''; + } // (optionalAttrs rucfg.enable { + "~ \.php$".extraConfig = '' client_max_body_size 200M; - root ${webdir}; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:${fpm-socket}; try_files $uri =404; fastcgi_index index.php; include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; - '') + ''; } ); }; }; diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix index 26a51de00..197835e73 100644 --- a/krebs/3modules/tinc_graphs.nix +++ b/krebs/3modules/tinc_graphs.nix 
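Review bot: `root = optionalString rucfg.enable webdir;` in the rpcweb-imp hunk evaluates to the empty string when rutorrent is disabled, and if `services.nginx.virtualHosts.<name>.root` is typed `nullOr path` as in the NixOS module, `""` fails the path check at evaluation time. `root = mkIf rucfg.enable webdir;` leaves the attribute unset in that case. The `"~ \.php$"` key is carried over from the old code, but note that Nix does not treat `\.` as an escape sequence, so the pattern nginx receives is `~ .php$`, which matches any character before `php`; writing it as `"~ \\.php$"` gives the intended literal dot. The rpcweb-imp attribute set continues past the end of this hunk.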
@@ -35,35 +35,28 @@ let nginx = { enable = mkEnableOption "enable tinc_graphs to be served with nginx"; - anonymous = { - server-names = mkOption { - type = with types; listOf str; - description = "hostnames which serve anonymous graphs"; - default = [ "graphs.${config.krebs.build.host.name}" ]; - }; - - listen = mkOption { - # use the type of the nginx listen option - type = with types; listOf str; - description = "listen address for anonymous graphs"; - default = [ "80" ]; - }; - + anonymous = mkOption { + type = types.attrsOf types.unspecified; + description = '' + nginx virtualHost options to be merged into the anonymous graphs + vhost entry. + ''; + }; + anonymous-domain = mkOption { + type = types.str; + description = '' + external domainname to be used for anonymous graphs + it will be used if you want to enable ACME + ''; + default = "graphs.krebsco.de"; }; - complete = { - server-names = mkOption { - type = with types; listOf str; - description = "hostname which serves complete graphs"; - default = [ "graphs.${config.krebs.build.host.name}" ]; - }; - - listen = mkOption { - type = with types; listOf str; - description = "listen address for complete graphs"; - default = [ "127.0.0.1:80" ]; - }; - + complete = mkOption { + type = types.attrsOf types.unspecified; + description = '' + nginx virtualHost options to be merged into the complete graphs + vhost entry. + ''; }; }; 
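Review bot: The new `anonymous` and `complete` options in the tinc_graphs.nix hunk have no `default`, so once `nginx.enable` is true, evaluation fails unless the user sets both, whereas the removed `server-names`/`listen` options all had working defaults; add `default = {};` to each. The removed `complete.listen` default of `127.0.0.1:80` also disappears: the complete (non-anonymised) graphs vhost built in the `@@ -134,24 +127,20 @@` hunk now inherits the nginx module's default listen on all interfaces unless the user supplies `listen` in `complete`. The description of `complete` should say that explicitly, e.g. `There is no loopback default any more; set listen here to keep the complete graphs off public interfaces.`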
@@ -134,24 +127,20 @@ let uid = genid "tinc_graphs"; home = "/var/spool/tinc_graphs"; }; - krebs.nginx = mkIf cfg.nginx.enable { + services.nginx = mkIf cfg.nginx.enable { enable = mkDefault true; - servers = { + virtualHosts = { tinc_graphs_complete = mkMerge [ cfg.nginx.complete { - locations = [ - (nameValuePair "/" '' - autoindex on; - root ${internal_dir}; - '') - ]; - }] ; - tinc_graphs_anonymous = mkMerge [ cfg.nginx.anonymous { - locations = [ - (nameValuePair "/" '' - autoindex on; - root ${external_dir}; - '') - ]; + locations = { + "/".extraConfig = "autoindex on;"; + "/".root = internal_dir; + }; + }]; + "${cfg.nginx.anonymous-domain}" = mkMerge [ cfg.nginx.anonymous { + locations = { + "/".extraConfig = "autoindex on;"; + "/".root = external_dir; + }; }]; }; }; diff --git a/krebs/5pkgs/rutorrent/default.nix b/krebs/5pkgs/rutorrent/default.nix index 5a2259552..1084e7ce7 100644 --- a/krebs/5pkgs/rutorrent/default.nix +++ b/krebs/5pkgs/rutorrent/default.nix @@ -1,11 +1,11 @@ { pkgs, ... }: pkgs.stdenv.mkDerivation { - name = "rutorrent-src-3.7"; + name = "rutorrent-src_2016-12-09"; src = pkgs.fetchFromGitHub { owner = "Novik"; repo = "rutorrent"; - rev = "b727523a153454d4976f04b0c47336ae57cc50d5"; - sha256 = "0s5wa0jnck781amln9c2p4pc0i5mq3j5693ra151lnwhz63aii4a"; + rev = "580bba8c538b55c1f75f3ad65310ff4ff2a153f7"; + sha256 = "1d9lgrzipy58dnx88z393p152kx6lki0x4aw40k8w9awsci4cx7p"; }; phases = [ "installPhase" ]; diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 4472816e3..298c9083d 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -30,6 +30,7 @@ with import <stockholm/lib>; networking.wireless.enable = true; hardware.pulseaudio = { enable = true; + systemWide = true; }; users.users.ferret = { uid = genid "ferret"; diff --git a/lass/1systems/icarus.nix b/lass/1systems/icarus.nix new file mode 100644 index 000000000..9a6654648 --- /dev/null +++ b/lass/1systems/icarus.nix 
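Review bot: In the tinc_graphs.nix hunk the complete graphs are now keyed as `tinc_graphs_complete` under `services.nginx.virtualHosts`, and if the NixOS module derives `serverName` from the attribute name by default, nginx will only match a Host header of `tinc_graphs_complete`, whereas the old code defaulted to `graphs.${config.krebs.build.host.name}`. Either key the entry by a real hostname as the anonymous entry does with `cfg.nginx.anonymous-domain`, or set `serverName` explicitly in the merged attrset. The anonymous entry's `mkMerge [ cfg.nginx.anonymous { ... } ]` is fine, but both entries now depend on options that have no default in the options hunk above, which is where the fix belongs.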
@@ -0,0 +1,59 @@ +{ config, pkgs, ... }: + +with import <stockholm/lib>; +{ + imports = [ + ../. + ../2configs/retiolum.nix + ../2configs/hw/tp-x220.nix + ../2configs/baseX.nix + ../2configs/git.nix + ../2configs/exim-retiolum.nix + ../2configs/browsers.nix + ../2configs/programs.nix + ../2configs/fetchWallpaper.nix + ../2configs/backups.nix + #{ + # users.extraUsers = { + # root = { + # openssh.authorizedKeys.keys = map readFile [ + # ../../krebs/Zpubkeys/uriel.ssh.pub + # ]; + # }; + # }; + #} + ]; + + krebs.build.host = config.krebs.hosts.icarus; + + boot = { + loader.grub.enable = true; + loader.grub.version = 2; + loader.grub.device = "/dev/sda"; + + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + #kernelModules = [ "kvm-intel" "msr" ]; + }; + fileSystems = { + "/" = { + device = "/dev/pool/nix"; + fsType = "btrfs"; + }; + + "/boot" = { + device = "/dev/sda1"; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" + ''; +} diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 594f342db..4553cc15b 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -68,11 +68,19 @@ with import <stockholm/lib>; { krebs.nginx = { enable = true; - servers.default.locations = [ - (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' - alias /home/$1/public_html$2; - '') - ]; + servers.default = { + server-names = [ + "localhost" + "${config.krebs.build.host.name}" + "${config.krebs.build.host.name}.r" + "${config.krebs.build.host.name}.retiolum" + ]; + locations = [ + (nameValuePair "~ ^/~(.+?)(/.*)?\$" '' + alias /home/$1/public_html$2; + '') + ]; + }; }; } { 
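Review bot: The `imports` list in the new icarus.nix carries a commented-out block that would add `../../krebs/Zpubkeys/uriel.ssh.pub` to root's `authorizedKeys`; dead configuration like this tends to be uncommented later without review, so drop it or replace it with a one-line comment saying why the key is deliberately not granted. `fileSystems."/boot"` sets only `device`, while `/` and `/tmp` also set `fsType`; add the filesystem type the partition actually uses so the entry is explicit like its siblings (the type is not visible here). The `/tmp` entry with `nosuid nodev noatime` is a good default and worth keeping as is.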
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 269f94526..6c11a2f62 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -230,6 +230,7 @@ in { } { virtualisation.libvirtd.enable = true; + users.users.mainUser.extraGroups = [ "libvirtd" ]; } ]; diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 72cd66420..7057d0c3d 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -102,7 +102,7 @@ in { ] ) - for i in [ "mors", "uriel", "shodan", "helios", "cloudkrebs", "echelon", "dishfire", "prism" ]: + for i in [ "mors", "uriel", "shodan", "helios", "icarus", "cloudkrebs", "echelon", "dishfire", "prism" ]: addShell(f,name="build-{}".format(i),env=env_lass, command=nixshell + \ ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \ diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 21a2ec038..900dd36b3 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -32,6 +32,7 @@ with import <stockholm/lib>; createHome = true; useDefaultShell = true; extraGroups = [ + "audio" "fuse" ]; openssh.authorizedKeys.keys = [ diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 57950e1b7..ded0922b8 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -75,7 +75,7 @@ let with git // config.krebs.users; repo: singleton { - user = [ lass lass-uriel ]; + user = [ lass lass-shodan ]; repo = [ repo ]; perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ diff --git a/lass/2configs/power-action.nix b/lass/2configs/power-action.nix index c83dc80dc..f22bf451a 100644 --- a/lass/2configs/power-action.nix +++ b/lass/2configs/power-action.nix 
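Review bot: The git.nix hunk replaces `lass-uriel` with `lass-shodan` in the user list that receives `push "refs/*"` with non-fast-forward, create, delete and merge rights, rather than adding to it; if uriel is being retired that is fine, but the swap is silent, so a comment such as `# keys allowed to force-push and delete refs on all repos` above the list would document the trust boundary. The `lass-icarus` user created in krebs/3modules/lass/default.nix and authorised in weechat.nix elsewhere in this diff is not listed here; confirm whether that omission is intended. The prism.nix hunk adds `mainUser` to `libvirtd`; membership of that group typically grants control over root-run VMs, so a short comment noting it is a privileged grant would help the next reader.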
@@ -14,8 +14,8 @@ in { krebs.power-action = { enable = true; plans.low-battery = { - upperLimit = 30; - lowerLimit = 25; + upperLimit = 10; + lowerLimit = 15; charging = false; action = pkgs.writeDash "warn-low-battery" '' ${speak "power level low"} diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix index ae07b9a2e..1e5f2d177 100644 --- a/lass/2configs/weechat.nix +++ b/lass/2configs/weechat.nix @@ -16,6 +16,7 @@ in { openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey config.krebs.users.lass-shodan.pubkey + config.krebs.users.lass-icarus.pubkey ]; }; diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix index aa159be07..442a1d4d9 100644 --- a/lass/2configs/zsh.nix +++ b/lass/2configs/zsh.nix @@ -118,4 +118,5 @@ fi ''; }; + users.users.${config.krebs.build.user.name}.shell = "/run/current-system/sw/bin/zsh"; } diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix new file mode 100644 index 000000000..1eac141dc --- /dev/null +++ b/makefu/1systems/fileleech.nix @@ -0,0 +1,111 @@ +{ config, pkgs, lib, ... }: +let + toMapper = id: "/media/crypt${builtins.toString id}"; + byid = dev: "/dev/disk/by-id/" + dev; + keyFile = byid "usb-Intuix_DiskOnKey_09A07360336198F8-0:0"; + rootDisk = byid "ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN"; + rootPartition = rootDisk + "-part3"; + + dataDisks = let + idpart = dev: byid dev + "-part1"; + in [ + { name = "crypt0"; device = idpart "scsi-1ATA_HUA722020ALA330_B9GDLJEF";} + { name |
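Review bot: The new limits in the power-action.nix hunk are inverted: `upperLimit = 10;` is below `lowerLimit = 15;`, whereas the previous pair (30/25) kept upperLimit above lowerLimit. Unless the semantics of `krebs.power-action` changed elsewhere, which is not visible here, this should read `upperLimit = 15;` and `lowerLimit = 10;`. The plan's `action` continues outside the hunk, so confirm which bound triggers the warning before swapping.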