-rw-r--r--krebs/3modules/Reaktor.nix216
-rw-r--r--krebs/3modules/default.nix3
-rw-r--r--krebs/3modules/exim-smarthost.nix1
-rw-r--r--krebs/3modules/fetchWallpaper.nix2
-rw-r--r--krebs/3modules/git.nix8
-rw-r--r--krebs/3modules/nginx.nix2
-rw-r--r--krebs/3modules/nin/default.nix65
-rw-r--r--krebs/3modules/tv/default.nix2
-rw-r--r--krebs/4lib/infest/prepare.sh10
-rw-r--r--krebs/5pkgs/Reaktor/plugins.nix12
-rw-r--r--krebs/5pkgs/bepasty-client-cli/default.nix13
-rw-r--r--krebs/5pkgs/kapacitor/default.nix23
-rw-r--r--krebs/5pkgs/telegraf/default.nix27
-rw-r--r--krebs/5pkgs/telegraf/deps-1.1.2.nix588
-rw-r--r--lass/1systems/icarus.nix30
-rw-r--r--lass/1systems/mors.nix7
-rw-r--r--lass/1systems/prism.nix156
-rw-r--r--lass/1systems/shodan.nix8
-rw-r--r--lass/2configs/baseX.nix9
-rw-r--r--lass/2configs/default.nix13
-rw-r--r--lass/2configs/fetchWallpaper.nix4
-rw-r--r--lass/2configs/git.nix3
-rw-r--r--lass/2configs/hfos.nix4
-rw-r--r--lass/2configs/hw/tp-x220.nix4
-rw-r--r--lass/2configs/nixpkgs.nix4
-rw-r--r--lass/2configs/radio.nix39
-rw-r--r--lass/2configs/retiolum.nix4
-rw-r--r--lass/2configs/screenlock.nix17
-rw-r--r--lass/2configs/smartd.nix17
-rw-r--r--lass/2configs/vim.nix167
-rw-r--r--lass/2configs/websites/domsen.nix83
-rw-r--r--lass/2configs/websites/fritz.nix9
-rw-r--r--lass/2configs/websites/lassulus.nix9
-rw-r--r--lass/2configs/xserver/default.nix35
-rw-r--r--lass/2configs/zsh.nix2
-rw-r--r--lass/3modules/default.nix2
-rw-r--r--lass/3modules/kapacitor.nix221
-rw-r--r--lass/3modules/telegraf.nix67
-rw-r--r--lass/3modules/usershadow.nix7
-rw-r--r--lass/5pkgs/default.nix3
-rw-r--r--lass/5pkgs/init/default.nix143
-rw-r--r--lass/5pkgs/xmonad-lass.nix10
-rw-r--r--lib/default.nix2
-rw-r--r--makefu/1systems/pnp.nix3
-rw-r--r--makefu/1systems/wry.nix3
-rw-r--r--nin/1systems/hiawatha.nix122
-rw-r--r--nin/1systems/onondaga.nix83
-rw-r--r--nin/2configs/default.nix169
-rw-r--r--nin/2configs/nixpkgs.nix8
-rw-r--r--nin/2configs/retiolum.nix28
-rw-r--r--nin/2configs/vim.nix354
-rw-r--r--nin/2configs/weechat.nix21
-rw-r--r--nin/default.nix7
-rw-r--r--shared/1systems/test-all-krebs-modules.nix2
-rw-r--r--tv/1systems/alnus.nix6
-rw-r--r--tv/1systems/cd.nix4
-rw-r--r--tv/1systems/wu.nix15
-rw-r--r--tv/2configs/backup.nix12
-rw-r--r--tv/2configs/git.nix6
-rw-r--r--tv/2configs/hw/w110er.nix8
-rw-r--r--tv/2configs/urlwatch.nix2
-rw-r--r--tv/2configs/vim.nix7
-rw-r--r--tv/3modules/iptables.nix16
63 files changed, 2536 insertions, 391 deletions
diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix
index d87003ac2..a70f1ef5d 100644
--- a/krebs/3modules/Reaktor.nix
+++ b/krebs/3modules/Reaktor.nix
@@ -3,99 +3,88 @@
with import <stockholm/lib>;
let
- ReaktorConfig = pkgs.writeText "config.py" ''
- ${if (isString cfg.overrideConfig ) then ''
- # Overriden Config
- ${cfg.overrideConfig}
- '' else ""}
- ## Extra Config
- ${concatStringsSep "\n" (map (plug: plug.config) cfg.plugins)}
- ${cfg.extraConfig}
- '';
cfg = config.krebs.Reaktor;
+ workdir = "/var/lib/Reaktor";
+
out = {
options.krebs.Reaktor = api;
- config = lib.mkIf cfg.enable imp;
+ config = imp;
};
- api = {
- enable = mkOption {
- default = false;
- description = ''
- Start Reaktor at system boot
- '';
- };
+ api = mkOption {
+ default = {};
+ type = with types; attrsOf (submodule ({ options = {
- nickname = mkOption {
- default = config.krebs.build.host.name + "|r";
- type = types.string;
- description = ''
- The nick name of the irc bot.
- Defaults to {hostname}|r
- '';
- };
+ nickname = mkOption {
+ default = config.krebs.build.host.name + "|r";
+ type = types.string;
+ description = ''
+ The nick name of the irc bot.
+ Defaults to {hostname}|r
+ '';
+ };
- overrideConfig = mkOption {
- default = null;
- type = types.nullOr types.str;
- description = ''
- configuration to be used instead of default ones.
- Reaktor default cfg can be retrieved via `reaktor get-config`
- '';
- };
- plugins = mkOption {
- default = [pkgs.ReaktorPlugins.nixos-version];
- };
- extraConfig = mkOption {
- default = "";
- type = types.string;
- description = ''
- configuration appended to the default or overridden configuration
- '';
- };
+ overrideConfig = mkOption {
+ default = null;
+ type = types.nullOr types.str;
+ description = ''
+ configuration to be used instead of default ones.
+ Reaktor default cfg can be retrieved via `reaktor get-config`
+ '';
+ };
- workdir = mkOption {
- default = "/var/lib/Reaktor";
- type = types.str;
- description = ''
- Reaktor working directory
- '';
- };
- extraEnviron = mkOption {
- default = {};
- type = types.attrsOf types.str;
- description = ''
- Environment to be provided to the service, can be:
- REAKTOR_HOST
- REAKTOR_PORT
- REAKTOR_STATEDIR
-
- debug and nickname can be set separately via the Reaktor api
- '';
- };
- channels = mkOption {
- default = [ "#krebs" ];
- type = types.listOf types.str;
- description = ''
- Channels the Reaktor should connect to at startup.
- '';
- };
- debug = mkOption {
- default = false;
- description = ''
- Reaktor debug output
- '';
- };
+ plugins = mkOption {
+ default = [pkgs.ReaktorPlugins.nixos-version];
+ };
+
+ extraConfig = mkOption {
+ default = "";
+ type = types.string;
+ description = ''
+ configuration appended to the default or overridden configuration
+ '';
+ };
+
+ extraEnviron = mkOption {
+ default = {};
+ type = types.attrsOf types.str;
+ description = ''
+ Environment to be provided to the service, can be:
+ REAKTOR_HOST
+ REAKTOR_PORT
+ REAKTOR_STATEDIR
+
+ debug and nickname can be set separately via the Reaktor api
+ '';
+ };
+
+ channels = mkOption {
+ default = [ "#krebs" ];
+ type = types.listOf types.str;
+ description = ''
+ Channels the Reaktor should connect to at startup.
+ '';
+ };
+
+ debug = mkOption {
+ default = false;
+ description = ''
+ Reaktor debug output
+ '';
+ };
+ };}));
};
imp = {
+ # TODO get user per configured bot
+ # TODO get home from api
# for reaktor get-config
users.extraUsers = singleton rec {
name = "Reaktor";
uid = genid name;
description = "Reaktor user";
- home = cfg.workdir;
+ home = workdir;
createHome = true;
};
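Review bot: `config = imp;` drops the old `lib.mkIf cfg.enable` guard, so the `Reaktor` account with `createHome = true` is now declared on every host that imports this module, even when `krebs.Reaktor` is left at its default `{}` and no bot runs. Guarding the implementation keeps unused service accounts off hosts, for example `config = lib.mkIf (cfg != {}) imp;`. The two TODOs above `users.extraUsers` could also say outright that all bots currently share one uid and one home. The `imp` set continues into the next hunk.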
@@ -104,39 +93,52 @@ let
# gid = config.ids.gids.Reaktor;
#};
- systemd.services.Reaktor = {
- path = with pkgs; [
- utillinux #flock for tell_on-join
- git # for nag
- python # for caps
- ];
- description = "Reaktor IRC Bot";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- environment = {
- GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
- REAKTOR_NICKNAME = cfg.nickname;
- REAKTOR_DEBUG = (if cfg.debug then "True" else "False");
- REAKTOR_CHANNELS = lib.concatStringsSep "," cfg.channels;
- state_dir = cfg.workdir;
-
- } // cfg.extraEnviron;
- serviceConfig= {
- ExecStartPre = pkgs.writeScript "Reaktor-init" ''
- #! /bin/sh
- ${if (isString cfg.overrideConfig) then
- ''cp ${ReaktorConfig} /tmp/config.py''
- else
- ''(${pkgs.Reaktor}/bin/reaktor get-config;cat "${ReaktorConfig}" ) > /tmp/config.py''
- }
+ systemd.services = mapAttrs' (name: botcfg:
+ let
+ ReaktorConfig = pkgs.writeText "config.py" ''
+ ${if (isString botcfg.overrideConfig ) then ''
+ # Overriden Config
+ ${botcfg.overrideConfig}
+ '' else ""}
+ ## Extra Config
+ ${concatStringsSep "\n" (map (plug: plug.config) botcfg.plugins)}
+ ${botcfg.extraConfig}
'';
- ExecStart = "${pkgs.Reaktor}/bin/reaktor run /tmp/config.py";
- PrivateTmp = "true";
- User = "Reaktor";
- Restart = "always";
- RestartSec= "30" ;
+ in nameValuePair "Reaktor-${name}" {
+ path = with pkgs; [
+ utillinux #flock for tell_on-join
+ git # for nag
+ python # for caps
+ ];
+ description = "Reaktor IRC Bot";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ REAKTOR_NICKNAME = botcfg.nickname;
+ REAKTOR_DEBUG = (if botcfg.debug then "True" else "False");
+ REAKTOR_CHANNELS = lib.concatStringsSep "," botcfg.channels;
+ state_dir = workdir;
+
+ } // botcfg.extraEnviron;
+ serviceConfig= {
+ ExecStartPre = pkgs.writeScript "Reaktor-init" ''
+ #! /bin/sh
+ ${if (isString botcfg.overrideConfig) then
+ ''cp ${ReaktorConfig} /tmp/reaktor-${name}-config.py''
+ else
+ ''(${pkgs.Reaktor}/bin/reaktor get-config;cat "${ReaktorConfig}" ) > /tmp/reaktor-${name}-config.py''
+ }
+ '';
+ ExecStart = "${pkgs.Reaktor}/bin/reaktor run /tmp/reaktor-${name}-config.py";
+ PrivateTmp = "true";
+ User = "Reaktor";
+ Restart = "always";
+ RestartSec= "30" ;
};
- };
+ }
+ ) cfg;
+
};
in
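Review bot: Every generated `Reaktor-${name}` unit still sets `User = "Reaktor";` and `state_dir = workdir;`, so all bots share one uid and one state directory. If plugins run scripts on IRC input, a fault in one bot's plugin can read or overwrite another bot's state. `PrivateTmp` already isolates the `/tmp` config file per unit, but the state path is not isolated. A per-bot path such as `state_dir = "${workdir}/${name}";` (created in `ExecStartPre`) would separate them until the per-bot user from the TODO exists. `name` is also spliced unescaped into the `Reaktor-init` script, whereas fetchWallpaper.nix uses `shell.escape` for interpolated values.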
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index bf09b7424..4b17c4abd 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -93,6 +93,7 @@ let
{ krebs = import ./lass { inherit config; }; }
{ krebs = import ./makefu { inherit config; }; }
{ krebs = import ./mv { inherit config; }; }
+ { krebs = import ./nin { inherit config; }; }
{ krebs = import ./shared { inherit config; }; }
{ krebs = import ./tv { inherit config; }; }
{
@@ -200,7 +201,7 @@ let
})
//
# GitHub's IPv4 address range is 192.30.252.0/22
- # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/
+ # Refs https://help.github.com/articles/github-s-ip-addresses/
# 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses)
# Because line length is limited by OPENSSH_LINE_MAX (= 8192),
# we split each /24 into its own entry.
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index c96b14723..bda563f8d 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -2,7 +2,6 @@
with import <stockholm/lib>;
let
- indent = replaceChars ["\n"] ["\n "];
cfg = config.krebs.exim-smarthost;
out = {
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index 94bcbed9d..aed5f595c 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -45,7 +45,7 @@ let
mkdir -p ${shell.escape cfg.stateDir}
cd ${shell.escape cfg.stateDir}
- curl -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper
+ (curl -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || :
feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper
'';
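Review bot: The added `|| :` hides every failure of the download, and `curl -s` without `--fail` still exits 0 on an HTTP error, so a 404 or 500 response body is saved as `wallpaper.tmp`, moved over `wallpaper` and handed to feh. Adding `-f` (and `-S` so the suppressed error is at least logged) keeps error pages out of the state directory: `(curl -fsS -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || :`. The script body starts and ends outside this hunk.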
diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix
index 164831846..a08dbb32c 100644
--- a/krebs/3modules/git.nix
+++ b/krebs/3modules/git.nix
@@ -339,9 +339,11 @@ let
description = "Git repository hosting user";
shell = "/bin/sh";
openssh.authorizedKeys.keys =
- mapAttrsToList (_: makeAuthorizedKey git-ssh-command)
- (filterAttrs (_: user: isString user.pubkey)
- config.krebs.users);
+ unique
+ (sort lessThan
+ (map (makeAuthorizedKey git-ssh-command)
+ (filter (user: isString user.pubkey)
+ (concatMap (getAttr "user") cfg.rules))));
};
};
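Review bot: The new `openssh.authorizedKeys.keys` expression has no comment saying that SSH access to the git account is now limited to users named in `cfg.rules`, which is the security-relevant effect of this change. A one-line comment above `unique` would make that explicit, for example `# only users referenced by a rule get a key; sorted and deduplicated for a stable authorized_keys`. Users whose `pubkey` is not a string are dropped silently by the `filter`, so a rule naming such a user grants nothing and gives no warning. The enclosing user definition starts outside the hunk.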
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 933c2e513..b28e97e37 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -129,8 +129,6 @@ let
};
};
- indent = replaceChars ["\n"] ["\n "];
-
to-acme = { server-names, ssl, ... }:
optionalAttrs ssl.acmeEnable {
email = "lassulus@gmail.com";
diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix
new file mode 100644
index 000000000..3231c0e23
--- /dev/null
+++ b/krebs/3modules/nin/default.nix
@@ -0,0 +1,65 @@
+{ config, ... }:
+
+with import <stockholm/lib>;
+
+{
+ hosts = mapAttrs (_: setAttr "owner" config.krebs.users.nin) {
+ hiawatha = {
+ cores = 2;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.132.96";
+ ip6.addr = "42:0000:0000:0000:0000:0000:0000:2342";
+ aliases = [
+ "hiawatha.retiolum"
+ "hiawatha.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAucIe5yLzKJ8F982XRpZT6CvyXuPrtnNTmw/E/T6Oyq88m/OVHh6o
+ Viho1XAlJZZwqNniItD0AQB98uFB3+3yA7FepnwwC+PEceIfBG4bTDNyYD3ZCsAB
+ iWpmRar9SQ7LFnoZ6X2lYaJkUD9afmvXqJJLR5MClnRQo5OSqXaFdp7ryWinHP7E
+ UkPSNByu4LbQ9CnBEW8mmCVZSBLb8ezxg3HpJSigmUcJgiDBJ6aj22BsZ5L+j1Sr
+ lvUuaCr8WOS41AYsD5dbTYk7EG42tU5utrOS6z5yHmhbA5r8Ro2OFi/R3Td68BIJ
+ yw/m8sfItBCvjJSMEpKHEDfGMBCfQKltCwIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx";
+ };
+ onondaga = {
+ cores = 1;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.132.55";
+ ip6.addr = "42:0000:0000:0000:0000:0000:0000:1357";
+ aliases = [
+ "onondaga.retiolum"
+ "onondaga.r"
+ ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIIBCgKCAQEAqj6NPhRVsr8abz9FFx9+ld3amfxN7SRNccbksUOqkufGS0vaupFR
+ OWsgj4Qmt3lQ82YVt5yjx0FZHkAsenCEKM3kYoIb4nipT0e1MWkQ7plVveMfGkiu
+ htaJ1aCbI2Adxfmk4YbyAr8k3G+Zl9t7gTikBRh7cf5PMiu2JhGUZHzx9urR0ieH
+ xyashZFjl4TtIy4q6QTiyST9kfzteh8k7CJ72zfYkdHl9dPlr5Nk22zH9xPkyzmO
+ kCNeknuDqKeTT9erNtRLk6pjEcyutt0y2/Uq6iZ38z5qq9k4JzcMuQ3YPpNy8bxn
+ hVuk2qBu6kBTUW3iLchoh0d4cfFLWLx1SQIDAQAB
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ ssh.privkey.path = <secrets/ssh.id_ed25519>;
+ ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmQk7AXsYLzjUrOjsuhZ3+gT7FjhPtjwxv5XnuU8GJO";
+ };
+
+ };
+ users = {
+ nin = {
+ mail = "nin@hiawatha.retiolum";
+ pubkey = "ssh-rsa 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 nin@hiawatha";
+ };
+ };
+}
diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix
index d44c322aa..1220143a7 100644
--- a/krebs/3modules/tv/default.nix
+++ b/krebs/3modules/tv/default.nix
@@ -85,7 +85,7 @@ with import <stockholm/lib>;
};
nets = {
internet = {
- ip4.addr = "45.62.237.203";
+ ip4.addr = "64.137.177.226";
aliases = [
"cd.i"
"cd.krebsco.de"
diff --git a/krebs/4lib/infest/prepare.sh b/krebs/4lib/infest/prepare.sh
index e265b0e67..3f5d66431 100644
--- a/krebs/4lib/infest/prepare.sh
+++ b/krebs/4lib/infest/prepare.sh
@@ -143,10 +143,10 @@ prepare_common() {(
mkdir -p /mnt/boot
if mount | grep -Fq ' on /boot type '; then
- bootdev=$(mount | grep " on /boot type " | sed 's/ .*//')
- mount $bootdev /mnt/boot
+ bootpart=$(mount | grep ' on /boot type ' | sed 's/ .*//')
+ mount $bootpart /mnt/boot
else
- mount --bind /boot/ /mnt/boot
+ mount --bind /boot /mnt/boot
fi
fi
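Review bot: `mount $bootpart /mnt/boot` expands the variable unquoted, and the assignment uses a plain `grep` while the guard above it uses `grep -Fq`, so more than one matching mount line would be word-split into extra arguments to mount. Quoting and matching the guard is enough: `bootpart=$(mount | grep -F ' on /boot type ' | sed 's/ .*//')` and `mount "$bootpart" /mnt/boot`. The `rootpart=` assignment in the next hunk uses the same plain `grep`. `prepare_common` starts and ends outside this hunk.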
@@ -155,10 +155,12 @@ prepare_common() {(
# prepare install directory
#
- rootpart=$(mount | grep " on / type" | sed 's/ .*//')
+ rootpart=$(mount | grep ' on / type ' | sed 's/ .*//')
mkdir -p /mnt/etc/nixos
mkdir -m 0555 -p /mnt/var/empty
+ mkdir -p /mnt/var/src
+ touch /mnt/var/src/.populate
if ! mount | grep -Fq "$rootpart on /mnt/root type "; then
mkdir -p /mnt/root
diff --git a/krebs/5pkgs/Reaktor/plugins.nix b/krebs/5pkgs/Reaktor/plugins.nix
index a483db32c..d4774dd69 100644
--- a/krebs/5pkgs/Reaktor/plugins.nix
+++ b/krebs/5pkgs/Reaktor/plugins.nix
@@ -116,4 +116,16 @@ rec {
commands.insert(0,titlebot_cmd('clear'))
'';
};
+
+ url-title = (buildSimpleReaktorPlugin "url-title" {
+ pattern = "^.*(?P<args>http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+)$$";
+ path = with pkgs; [ curl perl ];
+ script = pkgs.writeDash "lambda-pl" ''
+ if [ "$#" -gt 0 ]; then
+ curl -SsL --max-time 5 "$1" |
+