diff options
64 files changed, 483 insertions, 224 deletions
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index bda563f8d..0ad952e3b 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -55,7 +55,7 @@ let local_domains = mkOption { type = with types; listOf hostname; - default = ["localhost"] ++ config.krebs.build.host.nets.retiolum.aliases; + default = unique (["localhost" cfg.primary_hostname] ++ config.krebs.build.host.nets.retiolum.aliases); }; relay_from_hosts = mkOption { diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix index 1127c0a50..0044f5b32 100644 --- a/krebs/3modules/exim.nix +++ b/krebs/3modules/exim.nix @@ -40,7 +40,7 @@ in { etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" '' exim_user = ${cfg.user.name} exim_group = ${cfg.group.name} - exim_path = /var/setuid-wrappers/exim + exim_path = /run/wrappers/bin/exim spool_directory = ${cfg.user.home} ${cfg.config} ''; diff --git a/krebs/3modules/on-failure.nix b/krebs/3modules/on-failure.nix index 8bb022442..4da303dec 100644 --- a/krebs/3modules/on-failure.nix +++ b/krebs/3modules/on-failure.nix @@ -58,7 +58,7 @@ }; sendmail = mkOption { type = types.str; - default = "/var/setuid-wrappers/sendmail"; + default = "/run/wrappers/bin/sendmail"; }; }; diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix index 13f981437..c9677fd24 100644 --- a/krebs/3modules/setuid.nix +++ b/krebs/3modules/setuid.nix @@ -73,7 +73,7 @@ let }; imp = { - system.activationScripts."krebs.setuid" = stringAfter [ "setuid" ] + system.activationScripts."krebs.setuid" = stringAfter [ "wrappers" ] (concatMapStringsSep "\n" (getAttr "activate") (attrValues cfg)); }; diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index 1220143a7..d44c322aa 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -85,7 +85,7 @@ with import <stockholm/lib>; }; nets = { internet = { - ip4.addr = "64.137.177.226"; + ip4.addr = "45.62.237.203"; aliases = [ "cd.i" "cd.krebsco.de" diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index e43f8de4a..126fc33bb 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -178,7 +178,7 @@ let echo To: ${shell.escape cfg.mailto} echo cat changes - } | /var/setuid-wrappers/sendmail -t + } | /run/wrappers/bin/sendmail -t fi ''; }; diff --git a/krebs/5pkgs/git-hooks/default.nix b/krebs/5pkgs/git-hooks/default.nix index 9355a878c..4017b873b 100644 --- a/krebs/5pkgs/git-hooks/default.nix +++ b/krebs/5pkgs/git-hooks/default.nix @@ -1,13 +1,10 @@ -{ lib, pkgs, ... }: +{ pkgs, ... }: -with lib; - -let - out = { - inherit irc-announce; - }; +with import <stockholm/lib>; +{ # TODO irc-announce should return a derivation + # but it cannot because krebs.git.repos.*.hooks :: attrsOf str irc-announce = { nick, channel, server, port ? 6667, verbose ? false, branches ? [] }: '' #! /bin/sh set -euf @@ -37,7 +34,7 @@ let port=${toString port} host=$nick - cgit_endpoint=http://cgit.$host + cgit_endpoint=http://cgit.$host.r empty=0000000000000000000000000000000000000000 @@ -99,7 +96,7 @@ let done if test -n "''${message-}"; then - exec ${irc-announce-script} \ + exec ${pkgs.irc-announce}/bin/irc-announce \ "$server" \ "$port" \ "$nick" \ @@ -107,6 +104,4 @@ let "$message" fi ''; - - irc-announce-script = "${pkgs.irc-announce}/bin/irc-announce"; -in out +} diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 81520ad5f..b55732f65 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -215,6 +215,7 @@ in { } { krebs.repo-sync.timerConfig = { + OnBootSec = "5min"; OnUnitInactiveSec = "3min"; RandomizedDelaySec = "2min"; }; @@ -247,7 +248,13 @@ in { ]; } { - krebs.Reaktor.coders = { + krebs.Reaktor.coders = let + lambdabot = (import (pkgs.fetchFromGitHub { + owner = "NixOS"; repo = "nixpkgs"; + rev = "a4ec1841da14fc98c5c35cc72242c23bb698d4ac"; + sha256 = "148fpw31s922hxrf28yhrci296f7c7zd81hf0k6zs05rq0i3szgy"; + }) {}).lambdabot; + in { nickname = "reaktor-lass"; channels = [ "#coders" ]; extraEnviron = { @@ -263,7 +270,7 @@ in { (buildSimpleReaktorPlugin "lambdabot-pl" { pattern = "^@pl (?P<args>.*)$$"; script = pkgs.writeDash "lambda-pl" '' - exec ${pkgs.lambdabot}/bin/lambdabot \ + exec ${lambdabot}/bin/lambdabot \ ${indent lambdabotflags} -e "@pl $1" ''; @@ -271,7 +278,7 @@ in { (buildSimpleReaktorPlugin "lambdabot-type" { pattern = "^@type (?P<args>.*)$$"; script = pkgs.writeDash "lambda-type" '' - exec ${pkgs.lambdabot}/bin/lambdabot \ + exec ${lambdabot}/bin/lambdabot \ ${indent lambdabotflags} -e "@type $1" ''; @@ -279,7 +286,7 @@ in { (buildSimpleReaktorPlugin "lambdabot-let" { pattern = "^@let (?P<args>.*)$$"; script = pkgs.writeDash "lambda-let" '' - exec ${pkgs.lambdabot}/bin/lambdabot \ + exec ${lambdabot}/bin/lambdabot \ ${indent lambdabotflags} -e "@let $1" ''; @@ -287,7 +294,7 @@ in { (buildSimpleReaktorPlugin "lambdabot-run" { pattern = "^@run (?P<args>.*)$$"; script = pkgs.writeDash "lambda-run" '' - exec ${pkgs.lambdabot}/bin/lambdabot \ + exec ${lambdabot}/bin/lambdabot \ ${indent lambdabotflags} -e "@run $1" ''; @@ -295,7 +302,7 @@ in { (buildSimpleReaktorPlugin "lambdabot-kind" { pattern = "^@kind (?P<args>.*)$$"; script = pkgs.writeDash "lambda-kind" '' - exec ${pkgs.lambdabot}/bin/lambdabot \ + exec ${lambdabot}/bin/lambdabot \ ${indent lambdabotflags} -e "@kind $1" ''; @@ -303,7 +310,7 @@ in { (buildSimpleReaktorPlugin "lambdabot-kind" { pattern = "^@kind (?P<args>.*)$$"; script = pkgs.writeDash "lambda-kind" '' - exec ${pkgs.lambdabot}/bin/lambdabot \ + exec ${lambdabot}/bin/lambdabot \ ${indent lambdabotflags} -e "@kind $1" ''; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 539fdc875..275b93f26 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -8,6 +8,8 @@ in { ./power-action.nix ./screenlock.nix ./copyq.nix + ./xresources.nix + ./livestream.nix { hardware.pulseaudio = { enable = true; @@ -32,15 +34,15 @@ in { programs.ssh.startAgent = false; - security.setuidPrograms = [ "slock" ]; - services.printing = { enable = true; - drivers = [ pkgs.foomatic_filters ]; + drivers = [ + pkgs.foomatic_filters + pkgs.gutenprint + ]; }; environment.systemPackages = with pkgs; [ - acpi dic dmenu @@ -76,7 +78,13 @@ in { enable = true; desktopManager.xterm.enable = false; - displayManager.slim.enable = true; + desktopManager.default = "none"; + displayManager.lightdm.enable = true; + displayManager.lightdm.autoLogin = { + enable = true; + user = "lass"; + }; + windowManager.default = "xmonad"; windowManager.session = [{ name = "xmonad"; start = '' diff --git a/lass/2configs/binary-cache/client.nix b/lass/2configs/binary-cache/client.nix index 108ff7a1e..9dba5fbfb 100644 --- a/lass/2configs/binary-cache/client.nix +++ b/lass/2configs/binary-cache/client.nix @@ -2,8 +2,14 @@ { nix = { - binaryCaches = ["http://cache.prism.r"]; - binaryCachePublicKeys = ["cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="]; + binaryCaches = [ + "http://cache.prism.r" + "https://cache.nixos.org/" + ]; + binaryCachePublicKeys = [ + "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU=" + "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs=" + ]; }; } diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index 88ee70802..6c381863c 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -20,7 +20,7 @@ let createChromiumUser = name: extraGroups: let bin = pkgs.writeScriptBin name '' - /var/setuid-wrappers/sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@ + /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@ ''; in { users.extraUsers.${name} = { @@ -43,7 +43,7 @@ let createFirefoxUser = name: extraGroups: let bin = pkgs.writeScriptBin name '' - /var/setuid-wrappers/sudo -u ${name} -i ${pkgs.firefox}/bin/firefox $@ + /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox}/bin/firefox $@ ''; in { users.extraUsers.${name} = { diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 8100a433f..3e7881fb4 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -1,5 +1,4 @@ -{ config, lib, pkgs, ... }: - +{ config, pkgs, ... }: with import <stockholm/lib>; { imports = [ @@ -11,6 +10,7 @@ with import <stockholm/lib>; ../2configs/vim.nix ../2configs/monitoring/client.nix ./backups.nix + ./security-workarounds.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) @@ -135,6 +135,7 @@ with import <stockholm/lib>; #neat utils krebspaste + mosh pciutils pop psmisc diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index d120dfcad..3353cdac0 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -8,11 +8,12 @@ with import <stockholm/lib>; dkim = [ { domain = "lassul.us"; } ]; + primary_hostname = "lassul.us"; sender_domains = [ "lassul.us" "aidsballs.de" ]; - relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [ + relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [ config.krebs.hosts.mors config.krebs.hosts.uriel config.krebs.hosts.helios diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 58051560a..d114a826d 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -84,5 +84,6 @@ in { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 10666"; target = "ACCEPT"; } + { predicate = "-p udp --dport 10666"; target = "ACCEPT"; } ]; } diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index bdd65ce09..3e1b2c6e3 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -5,6 +5,7 @@ with import <stockholm/lib>; let out = { + services.nginx.enable = true; krebs.git = { enable = true; cgit = { diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix index dcd50dd7b..a28a6a5d2 100644 --- a/lass/2configs/hfos.nix +++ b/lass/2configs/hfos.nix @@ -8,7 +8,6 @@ with import <stockholm/lib>; extraGroups = [ "libvirtd" ]; openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMkyCwdwBrsbs3qrNQcy/SqQpex4aaQoAMuT+NDefFc8KVHOMfmkDccEyAggDTgQhUrEVIvo/fFUmGBd9sm1vN1IthO2Qh5nX+qiK/A2R7sxci0Ry6piU03R27JfpZqi6g8TSPNi1C9rC8eBqOfO3OB8oQOkFmM48Q9cmS8AV3ERLR0LaHoEqUbs86JELbtHrMdKk4Hzo8zTM/isP3GO8iDHRt4dBS/03Ve7+WVxgNwWU2HW3a3jJd3tWHrqGmS/ZfCEC/47eIj4WSW+JiH9Q0BarNEbkkMV1Mvm32MX52stGPd5FaIIUtFqD4745iVSiw8esUGFUxJ1RjWgUHr99h riot@vortex" - config.krebs.users.lass.pubkey ]; }; diff --git a/lass/2configs/livestream.nix b/lass/2configs/livestream.nix new file mode 100644 index 000000000..c877a8c0a --- /dev/null +++ b/lass/2configs/livestream.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: +with import <stockholm/lib>; + +let + + stream = pkgs.writeDashBin "stream" '' + ${pkgs.python27Packages.livestreamer}/bin/livestreamer --http-header Client-ID=jzkbprff40iqj646a697cyrvl0zt2m6 -p mpv "$@" + ''; + +in { + environment.systemPackages = [ stream ]; +} diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index ad39848b6..9c3eafffd 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "6651c72"; + ref = "5b0c9d4"; }; } diff --git a/lass/2configs/programs.nix b/lass/2configs/programs.nix index 6cf23deaf..241d263f8 100644 --- a/lass/2configs/programs.nix +++ b/lass/2configs/programs.nix @@ -12,7 +12,6 @@ pavucontrol pv pwgen - python34Packages.livestreamer remmina silver-searcher wget diff --git a/lass/2configs/security-workarounds.nix b/lass/2configs/security-workarounds.nix new file mode 100644 index 000000000..537c8a59b --- /dev/null +++ b/lass/2configs/security-workarounds.nix @@ -0,0 +1,8 @@ +{ config, pkgs, ... }: +with import <stockholm/lib>; +{ + # http://seclists.org/oss-sec/2017/q1/471 + boot.extraModprobeConfig = '' + install dccp /run/current-system/sw/bin/false + ''; +} diff --git a/lass/2configs/termite.nix b/lass/2configs/termite.nix new file mode 100644 index 000000000..245b89e9c --- /dev/null +++ b/lass/2configs/termite.nix @@ -0,0 +1,22 @@ +{ config, pkgs, ... }: +with import <stockholm/lib>; + +{ + environment.systemPackages = [ + pkgs.termite + ]; + + krebs.per-user.lass.packages = let + termitecfg = pkgs.writeTextFile { + name = "termite-config"; + destination = "/etc/xdg/termite/config"; + text = '' + [colors] + foreground = #d0d7d0 + background = #000000 + ''; + }; + in [ + termitecfg + ]; +} diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix index 4d6dfe366..4e0af0dc7 100644 --- a/lass/2configs/vim.nix +++ b/lass/2configs/vim.nix @@ -66,6 +66,7 @@ let "Syntastic config let g:syntastic_python_checkers=['flake8'] + let g:syntastic_python_flake8_post_args='--ignore=E501' nmap <esc>q :buffer nmap <M-q> :buffer diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index d596e9db9..6d14de731 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -32,6 +32,7 @@ rec { let domain = head domains; in { + services.phpfpm.phpPackage = pkgs.php56; services.nginx.virtualHosts."${domain}" = { enableACME = true; enableSSL = true; @@ -181,10 +182,10 @@ rec { user = nginx group = nginx pm = dynamic - pm.max_children = 5 - pm.start_servers = 2 + pm.max_children = 15 + pm.start_servers = 3 pm.min_spare_servers = 1 - pm.max_spare_servers = 3 + pm.max_spare_servers = 10 listen.owner = nginx listen.group = nginx php_admin_value[error_log] = 'stderr' diff --git a/lass/2configs/xresources.nix b/lass/2configs/xresources.nix new file mode 100644 index 000000000..35dbe2044 --- /dev/null +++ b/lass/2configs/xresources.nix @@ -0,0 +1, |