-rw-r--r-- | krebs/5pkgs/simple/Reaktor/plugins.nix | 23 | ||||
-rw-r--r-- | krebs/5pkgs/simple/generate-secrets/default.nix | 46 | ||||
-rw-r--r-- | krebs/5pkgs/simple/zandronum-bin/default.nix | 83 | ||||
-rw-r--r-- | krebs/kops.nix | 4 | ||||
-rw-r--r-- | krebs/source.nix | 5 | ||||
-rw-r--r-- | lass/1systems/mors/config.nix | 39 | ||||
-rw-r--r-- | lass/1systems/prism/config.nix | 36 | ||||
-rw-r--r-- | lass/2configs/games.nix | 4 | ||||
-rw-r--r-- | lass/2configs/reaktor-coders.nix | 15 | ||||
-rw-r--r-- | lass/2configs/syncthing.nix | 1 | ||||
-rw-r--r-- | lass/2configs/websites/util.nix | 6 | ||||
-rw-r--r-- | lass/3modules/default.nix | 1 | ||||
-rw-r--r-- | lass/3modules/restic.nix | 119 | ||||
-rw-r--r-- | lass/5pkgs/l-gen-secrets/default.nix (renamed from lass/5pkgs/generate-secrets/default.nix) | 6 | ||||
-rw-r--r-- | nin/2configs/games.nix | 4 |
15 files changed, 262 insertions, 130 deletions
diff --git a/krebs/5pkgs/simple/Reaktor/plugins.nix b/krebs/5pkgs/simple/Reaktor/plugins.nix index bcfcbf76b..f3b771190 100644 --- a/krebs/5pkgs/simple/Reaktor/plugins.nix +++ b/krebs/5pkgs/simple/Reaktor/plugins.nix @@ -120,11 +120,24 @@ rec { url-title = (buildSimpleReaktorPlugin "url-title" { pattern = "^.*(?P<args>http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+).*$$"; path = with pkgs; [ curl perl ]; - script = pkgs.writeDash "lambda-pl" '' - if [ "$#" -gt 0 ]; then - curl -SsL --max-time 5 "$1" | - perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' - fi + script = pkgs.writePython3 [ "beautifulsoup4" "lxml" ] "url-title" '' + import sys + import urllib.request + from bs4 import BeautifulSoup + + try: + soup = BeautifulSoup(urllib.request.urlopen(sys.argv[1]), "lxml") + title = soup.find('title').string + + if title: + if len(title) > 512: + print('message to long, skipped') + elif len(title.split('\n')) > 5: + print('to many lines, skipped') + else: + print(title) + except: # noqa: E722 + pass ''; }); diff --git a/krebs/5pkgs/simple/generate-secrets/default.nix b/krebs/5pkgs/simple/generate-secrets/default.nix new file mode 100644 index 000000000..a800ff543 --- /dev/null +++ b/krebs/5pkgs/simple/generate-secrets/default.nix 
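Review bot: The new url-title script drops the 5-second bound the curl version had (`--max-time 5`): `urllib.request.urlopen(sys.argv[1])` has no timeout and the whole response body is handed to BeautifulSoup, so a slow or very large page behind an untrusted URL from the channel ties up the plugin until the remote closes. Pass a timeout and cap what is read, e.g. `soup = BeautifulSoup(urllib.request.urlopen(sys.argv[1], timeout=5).read(1 << 20), "lxml")`. The bare `except:` also swallows `SystemExit`/`KeyboardInterrupt` and hides every failure, including `soup.find('title')` returning `None` for a page without a title; `except Exception:` keeps the same silent behaviour without that. Minor: the two messages read `to long`/`to many` — `too`.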
@@ -0,0 +1,46 @@ +{ pkgs }: +pkgs.writeDashBin "generate-secrets" '' + HOSTNAME="$1" + TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) + HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null + + ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null + ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null + ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null + cat <<EOF > $TMPDIR/hashedPasswords.nix + { + root = "$HASHED_PASSWORD"; + } + EOF + + cd $TMPDIR + for x in *; do + ${pkgs.coreutils}/bin/cat $x | ${pkgs.brain}/bin/brain insert -m krebs-secrets/$HOSTNAME/$x > /dev/null + done + echo $PASSWORD | ${pkgs.brain}/bin/brain insert -m hosts/$HOSTNAME/root > /dev/null + + cat <<EOF + $HOSTNAME = { + cores = 1; + owner = config.krebs.users.krebs; + nets = { + retiolum = { + ip4.addr = "10.243.0.changeme"; + ip6.addr = "42:0:0:0:0:0:0:changeme"; + aliases = [ + "$HOSTNAME.r" + ]; + tinc.pubkey = ${"''"} + $(cat $TMPDIR/retiolum.rsa_key.pub) + ${"''"}; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; + }; + EOF + + rm -rf $TMPDIR +'' + diff --git a/krebs/5pkgs/simple/zandronum-bin/default.nix b/krebs/5pkgs/simple/zandronum-bin/default.nix deleted file mode 100644 index e97f46add..000000000 --- a/krebs/5pkgs/simple/zandronum-bin/default.nix +++ /dev/null 
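Review bot: The dash script never sets `set -efu` and uses `$TMPDIR` and `$HOSTNAME` unquoted throughout, so a failed `mktemp -d` or a missing first argument does not stop it: `cd $TMPDIR` with an empty value is not guaranteed to fail, the following `for x in *` then inserts whatever directory the shell is in under `krebs-secrets//`, and `rm -rf $TMPDIR` still runs at the end. Start the script with `set -efu` (the kops.nix version script in this same commit already does) and quote the expansions, `cd "$TMPDIR"`. The `> /dev/null` after the `HASHED_PASSWORD=...` assignment redirects nothing, since an assignment-only command has no output, and can be dropped. The renamed lass/5pkgs/l-gen-secrets/default.nix has the same shape (`HOSTNAME="$1"`, `TMPDIR=$(mktemp -d)` without `set -efu`) and would benefit from the same fix.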
@@ -1,83 +0,0 @@ -{ stdenv -, atk -, bzip2 -, cairo -, fetchurl -, fluidsynth -, fontconfig -, freetype -, gdk_pixbuf -, glib -, gtk2 -, libjpeg_turbo -, mesa_glu -, mesa_noglu -, openssl -, pango -, SDL -, zlib -, makeWrapper -}: - -stdenv.mkDerivation rec { - name = "zandronum-3.0"; - - src = fetchurl { - url = "http://zandronum.com/downloads/testing/3.0/ZandroDev3.0-170205-2117linux-x86_64.tar.bz2"; - sha256 = "17vrzk0m5b17sp3sqcg57r7812ma97lp3qxn9hmd39fwl1z40fz3"; - }; - - libPath = stdenv.lib.makeLibraryPath [ - atk - bzip2 - cairo - fluidsynth - fontconfig - freetype - gdk_pixbuf - glib - gtk2 - libjpeg_turbo - mesa_glu - mesa_noglu - openssl - pango - SDL - stdenv.cc.cc - zlib - ]; - - nativeBuildInputs = [ makeWrapper ]; - - phases = [ "unpackPhase" "installPhase" ]; - - sourceRoot = "."; - - installPhase = '' - mkdir -p $out/bin - mkdir -p $out/share/zandronum - cp *.so *.pk3 zandronum zandronum-server $out/share/zandronum - - patchelf \ - --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \ - --set-rpath $libPath:$out/share/zandronum \ - $out/share/zandronum/zandronum - patchelf \ - --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \ - --set-rpath $libPath \ - $out/share/zandronum/zandronum-server - - # If we don't set absolute argv0, zandronum.wad file is not found. - makeWrapper $out/share/zandronum/zandronum $out/bin/zandronum - makeWrapper $out/share/zandronum/zandronum-server $out/bin/zandronum-server - ''; - - meta = { - homepage = http://zandronum.com/; - description = "Multiplayer oriented port, based off Skulltag, for Doom and Doom II by id Software. Binary version for online play"; - maintainers = [ stdenv.lib.maintainers.lassulus ]; - # Binary version has different version string than source code version. - license = stdenv.lib.licenses.unfreeRedistributable; - platforms = [ "x86_64-linux" ]; - }; -} diff --git a/krebs/kops.nix b/krebs/kops.nix index 9774b5cab..f544b93d2 100644 --- a/krebs/kops.nix 
+++ b/krebs/kops.nix @@ -13,10 +13,10 @@ krebs-source = { nixpkgs.git = { - ref = "09bca91e3b5a18d7f37f7632175ac71f2bf369ff"; + ref = "4b4bbce199d3b3a8001ee93495604289b01aaad3"; url = https://github.com/NixOS/nixpkgs; }; - stockholm.file = toString ~/stockholm; + stockholm.file = toString ../.; stockholm-version.pipe = toString (pkgs.writeDash "${name}-version" '' set -efu cd $HOME/stockholm diff --git a/krebs/source.nix b/krebs/source.nix index 1f83d29f7..3ee12b37f 100644 --- a/krebs/source.nix +++ b/krebs/source.nix @@ -22,10 +22,7 @@ in }; stockholm.file = toString <stockholm>; stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version"; - nixpkgs.git = { - url = https://github.com/NixOS/nixpkgs; - ref = "09bca91e3b5a18d7f37f7632175ac71f2bf369ff"; # nixos-18.03 # 2018-04-02 - }; + nixpkgs = (import ./kops.nix { name = ""; }).krebs-source.nixpkgs; } override ] diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index cd259d0fe..c59494e4d 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -141,6 +141,15 @@ with import <stockholm/lib>; dnsutils generate-secrets + (pkgs.writeDashBin "btc-coinbase" '' + ${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount' + '') + (pkgs.writeDashBin "btc-wex" '' + ${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg' + '') + (pkgs.writeDashBin "btc-kraken" '' + ${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]' + '') ]; #TODO: fix this shit 
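Review bot: `stockholm.file = toString ../.` now takes the source tree from the directory containing kops.nix, but the `stockholm-version` script two lines below still does `cd $HOME/stockholm`, so the recorded version string can describe a different checkout than the one that is actually deployed; derive both from the same place, e.g. `cd ${toString ../.}` inside the script (the script's end is outside the hunk). The new nixpkgs `ref` also lost the branch/date annotation that source.nix carried for the old pin (`# nixos-18.03 # 2018-04-02`), and source.nix now reads the pin from here, so a comment such as `# nixos-18.03 # <date of pin>` next to the new ref keeps the provenance reviewable.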
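Review bot: The three `btc-*` helpers call `curl -Ss` without `--fail` or `--max-time`, so an HTTP error page or a stalled endpoint turns into a jq parse error or an indefinite hang rather than a clear curl failure; `${pkgs.curl}/bin/curl -Ssf --max-time 10 ...` in each makes the script exit non-zero with the HTTP status instead. This applies equally to btc-coinbase, btc-wex and btc-kraken.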
@@ -177,4 +186,34 @@ with import <stockholm/lib>; programs.adb.enable = true; users.users.mainUser.extraGroups = [ "adbusers" "docker" ]; virtualisation.docker.enable = true; + + lass.restic = genAttrs [ + "daedalus" + "icarus" + "littleT" + "prism" + "shodan" + "skynet" + ] (dest: { + dirs = [ + "/home/lass/src" + "/home/lass/work" + "/home/lass/.gnupg" + "/home/lass/Maildir" + "/home/lass/stockholm" + "/home/lass/.password-store" + "/home/bitcoin" + "/home/bch" + ]; + passwordFile = (toString <secrets>) + "/restic/${dest}"; + repo = "sftp:backup@${dest}.r:/backups/mors"; + #sshPrivateKey = config.krebs.build.host.ssh.privkey.path; + extraArguments = [ + "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }); } diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index c0e4620cc..983604f8e 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -8,11 +8,15 @@ in { imports = [ <stockholm/lass> { - networking.interfaces.et0.ip4 = [ + networking.interfaces.et0.ipv4.addresses = [ { address = ip; prefixLength = 27; } + { + address = "46.4.114.243"; + prefixLength = 27; + } ]; networking.defaultGateway = "46.4.114.225"; networking.nameservers = [ 
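Review bot: The commented-out `#sshPrivateKey = ...` line is dead configuration while the same key path is spliced by hand into the `sftp.command=` string, which is easy to get out of sync; either drop the comment or add the option to the restic module. Nothing here sets `user`, so with the module default of `"root"` these jobs run as root using what looks like the host's own ssh identity (`config.krebs.build.host.ssh.privkey.path`), which deserves a one-line comment next to `extraArguments`. Whether root's known_hosts already contains each `${dest}.r` is not visible in this hunk; without it the non-interactive ssh launched by restic would fail at host-key verification — presumably the krebs host configuration provides it, but worth confirming on first run.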
@@ -110,29 +114,13 @@ in { }; # TODO write function for proxy_pass (ssl/nonssl) - services.nginx.virtualHosts."hackerfleet.de" = { - serverAliases = [ - "*.hackerfleet.de" - ]; - locations."/".extraConfig = '' - proxy_pass http://192.168.122.92:80; - ''; - }; - services.nginx.virtualHosts."hackerfleet.de-s" = { - serverName = "hackerfleet.de"; - listen = [ - { - addr = "0.0.0.0"; - port = 443; - } - ]; - serverAliases = [ - "*.hackerfleet.de" - ]; - locations."/".extraConfig = '' - proxy_pass http://192.168.122.92:443; - ''; - }; + + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; } + ]; } { users.users.tv = { diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 50362cda4..3ee3a98a5 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -3,7 +3,7 @@ let mainUser = config.users.extraUsers.mainUser; vdoom = pkgs.writeDash "vdoom" '' - ${pkgs.zandronum-bin}/bin/zandronum \ + ${pkgs.zandronum}/bin/zandronum \ -fov 120 \ "$@" ''; @@ -50,7 +50,7 @@ let vdoomserver = pkgs.writeDashBin "vdoomserver" '' DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${pkgs.zandronum-bin}/bin/zandronum-server \ + ${pkgs.zandronum}/bin/zandronum-server \ +exec ${doomservercfg} \ "$@" ''; diff --git a/lass/2configs/reaktor-coders.nix b/lass/2configs/reaktor-coders.nix index 5fa1611ae..5a39f7115 100644 --- a/lass/2configs/reaktor-coders.nix +++ b/lass/2configs/reaktor-coders.nix @@ -4,7 +4,7 @@ with import <stockholm/lib>; { krebs.Reaktor.coders = { nickname = "Reaktor|lass"; - channels = [ "#coders" "#germany" ]; + channels = [ "#coders" "#germany" "#panthermoderns" ]; extraEnviron = { REAKTOR_HOST = "irc.hackint.org"; }; 
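Review bot: The replacement exposes considerably more than the removed nginx vhosts did: the `PREROUTING` DNAT sends every protocol and port arriving at 46.4.114.243 to 192.168.122.92, and the `FORWARD` rule accepts anything destined for that guest, whereas before only ports 80 and 443 reached it through the proxy. If that widening is not intended, restrict both rules to the services the guest should offer, e.g. `predicate = "-p tcp -m multiport --dports 80,443 -d 46.4.114.243"` on the DNAT and `predicate = "-p tcp -m multiport --dports 80,443 -d 192.168.122.92"` on FORWARD; if it is intended, say so in a comment, since the guest now effectively sits on the public address. The `# TODO write function for proxy_pass (ssl/nonssl)` comment left above the rules no longer refers to anything in this file. In the first hunk the new address is a bare literal while the first one comes from the `ip` binding; a `let`-bound name reused in the DNAT predicate would keep the interface address and the DNAT target from drifting apart.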
@@ -87,6 +87,19 @@ with import <stockholm/lib>; exec /run/wrappers/bin/ping -q -c1 "$1" 2>&1 | tail -1 ''; }) + (buildSimpleReaktorPlugin "google" { + pattern = "^!g (?P<args>.*)$$"; + script = pkgs.writeDash "google" '' + exec ${pkgs.ddgr}/bin/ddgr -C -n1 --json "$@" | \ + ${pkgs.jq}/bin/jq '@text "\(.[0].abstract) \(.[0].url)"' + ''; + }) + (buildSimpleReaktorPlugin "blockchain" { + pattern = ".*[Bb]lockchain.*$$"; + script = pkgs.writeDash "blockchain" '' + exec echo 'DID SOMEBODY SAY BLOCKCHAIN? https://paste.krebsco.de/r99pMoQq/+inline' + ''; + }) ]; }; } diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix index cef43d1e6..17debf822 100644 --- a/lass/2configs/syncthing.nix +++ b/lass/2configs/syncthing.nix @@ -3,7 +3,6 @@ with import <stockholm/lib>; { services.syncthing = { enable = true; - useInotify = true; }; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 22000"; target = "ACCEPT";} diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 62055d0fd..441b7af90 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -16,7 +16,7 @@ rec { in { services.nginx.virtualHosts.${domain} = { enableACME = true; - enableSSL = true; + onlySSL = true; extraConfig = '' listen 80; listen [::]:80; @@ -34,7 +34,7 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - enableSSL = true; + onlySSL = true; serverAliases = domains; extraConfig = '' listen 80; @@ -148,7 +148,7 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - enableSSL = true; + onlySSL = true; serverAliases = domains; extraConfig = '' listen 80; diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 0c10e1ec2..5e7e6dff3 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -8,6 +8,7 @@ _: ./mysql-backup.nix ./news.nix ./pyload.nix + ./restic.nix ./screenlock.nix ./umts.nix ./usershadow.nix 
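Review bot: The `google` plugin hands the captured `(?P<args>.*)` text to ddgr as `"$@"`, which is correctly quoted against the shell but lets a message beginning with `-` be parsed as ddgr options rather than as the query; put `--` before the user text, `exec ${pkgs.ddgr}/bin/ddgr -C -n1 --json -- "$@" | \`, assuming ddgr's argparse front end accepts it. When ddgr returns no results `.[0]` is null and jq prints `null null`; a jq fallback such as `.[0] // {} | @text "\(.abstract // "no results") \(.url // "")"` gives a readable reply instead.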
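Review bot: Swapping `enableSSL` for `onlySSL` in the three vhost helpers of lass/2configs/websites/util.nix does not change what they listen on, because each `extraConfig` still adds `listen 80;`/`listen [::]:80;` by hand right below, so plain HTTP keeps being served next to TLS — that is `addSSL` behaviour, not "only". If HTTP is meant to stay (for instance for the ACME challenge), `addSSL = true` states that directly; if the intent is HTTPS-only, `forceSSL = true` redirects port 80 and the manual `listen 80` lines should go. The same pattern appears in all three hunks of this file.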
diff --git a/lass/3modules/restic.nix b/lass/3modules/restic.nix
new file mode 100644
index 000000000..c720793b1
--- /dev/null
+++ b/lass/3modules/restic.nix
@@ -0,0 +1,119 @@ +{ config, lib, pkgs, ... }: + +with import <stockholm/lib>; + +{ + options.lass.restic = mkOption { + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + name = mkOption { + type = types.str; + default = config._module.args.name; + }; + passwordFile = mkOption { + type = types.str; + default = toString <secrets/restic-password>; + description = '' + read the repository password from a file. + ''; + example = "/etc/nixos/restic-password"; + + }; + repo = mkOption { + type = types.str; + default = "sftp:backup@prism.r:/backups/${config.name}"; + description = '' + repository to backup to. + ''; + example = "sftp:backup@192.168.1.100:/backups/${config.name}"; + }; + dirs = mkOption { + type = types.listOf types.str; + default = []; + description = '' + which directories to backup. + ''; + example = [ + "/var/lib/postgresql" + "/home/user/backup" + ]; + }; + timerConfig = mkOption { + type = types.attrsOf types.str; + default = { + OnCalendar = "daily"; + }; + description = '' + When to run the backup. See man systemd.timer for details. + ''; + example = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }; + user = mkOption { + type = types.str; + default = "root"; + description = '' + As which user the backup should run. + ''; + example = "postgresql"; + }; + extraArguments = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra arguments to append to the restic command. + ''; + example = [ + "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp" + ]; + }; + initialize = mkOption { + type = types.bool; + default = false; + description = '' + Create the repository if it doesn't exist. 
+ ''; + }; + }; + })); + default = {}; + }; + + config = { + systemd.services = + mapAttrs' (_: plan: + let + extraArguments = concatMapStringsSep " " (arg: "-o ${arg}") plan.extraArguments; + connectTo = elemAt (splitString ":" plan.repo) 1; + resticCmd = "${pkgs.restic}/bin/restic ${extraArguments}"; + in nameValuePair "backup.${plan.name}" { + environment = { + RESTIC_PASSWORD_FILE = plan.passwordFile; + RESTIC_REPOSITORY = plan.repo; + }; + path = with pkgs; [ + openssh + ]; + restartIfChanged = false; + serviceConfig = { + ExecStartPre = mkIf plan.initialize (pkgs.writeScript "rustic-${plan.name}-init" '' + #! ${pkgs.bash}/bin/bash + ${resticCmd} snapshots || ${resticCmd} init + ''); + ExecStart = pkgs.writeDash "rustic-${plan.name}" ( + "#! ${pkgs.bash}/bin/bash\n" + + concatMapStringsSep "\n" (dir: "${resticCmd} backup ${dir}") plan.dirs + ); + User = plan.user; + }; + } + ) config.lass.restic; + systemd.timers = + mapAttrs' (_: plan: nameValuePair "backup.${plan.name}" { + wantedBy = [ "timers.target" ]; + timerConfig = plan.timerConfig; + }) config.lass.restic; + }; +} diff --git a/lass/5pkgs/generate-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix index 5a4afe7c5..4b25fbd4c 100644 --- a/lass/5pkgs/generate-secrets/default.nix +++ b/lass/5pkgs/l-gen-secrets/default.nix @@ -1,5 +1,5 @@ { pkgs }: -pkgs.writeDashBin "generate-secrets" '' +pkgs.writeDashBin "l-gen-secrets" '' HOSTNAME="$1" TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) @@ -17,9 +17,9 @@ pkgs.writeDashBin "generate-secrets" '' cd $TMPDIR for x in *; do - ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null + ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m krebs-secrets/$HOSTNAME/$x > /dev/null done - echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/hosts/$HOSTNAME/pass > /dev/null + echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/pass > /dev/null cat <<EOF $HOSTNAME = { 
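Review bot: The generated backup script joins one `restic backup` per directory with newlines and no `set -e`, so the unit's exit status is that of the last directory only and a failed backup of any earlier directory is reported as success; start the script with `set -efu` in place of the `#! ${pkgs.bash}/bin/bash` line (writeDash appears to supply the shebang itself — the other writeDash scripts in this commit carry none, so that line is just a comment), or run a single `${resticCmd} backup ${concatStringsSep " " plan.dirs}` so all directories land in one snapshot. The `let` binding `connectTo` is computed and never used. The `extraArguments` example string is missing its closing single quote, and both script names read `rustic-` rather than `restic-`. The option descriptions also say nothing about quoting: `extraArguments` and `dirs` are spliced verbatim into a shell command line (`-o ${arg}`, `backup ${dir}`), so callers must shell-quote values themselves — worth stating in the descriptions.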
diff --git a/nin/2configs/games.nix b/nin/2configs/games.nix index a7edae078..15e17238d 100644 --- a/nin/2configs/games.nix +++ b/nin/2configs/games.nix @@ -3,7 +3,7 @@ let mainUser = config.users.extraUsers.mainUser; vdoom = pkgs.writeDash "vdoom" '' - ${pkgs.zandronum-bin}/bin/zandronum \ + ${pkgs.zandronum}/bin/zandronum \ -fov 120 \ "$@" ''; @@ -50,7 +50,7 @@ let vdoomserver = pkgs.writeDashBin "vdoomserver" '' DOOM_DIR=''${DOOM_DIR:-~/doom/} - ${pkgs.zandronum-bin}/bin/zandronum-server \ + ${pkgs.zandronum}/bin/zandronum-server \ +exec ${doomservercfg} \ "$@" ''; |