-rw-r--r--default.nix14
-rw-r--r--krebs/3modules/default.nix1
-rw-r--r--krebs/3modules/iptables.nix (renamed from lass/3modules/iptables.nix)37
-rw-r--r--krebs/3modules/lass/default.nix2
-rw-r--r--krebs/5pkgs/default.nix1
-rw-r--r--krebs/5pkgs/get/default.nix6
-rw-r--r--krebs/5pkgs/jq/default.nix33
-rw-r--r--krebs/default.nix1
-rw-r--r--lass/1systems/cloudkrebs.nix19
-rw-r--r--lass/1systems/echelon.nix1
-rw-r--r--lass/1systems/mors.nix15
-rw-r--r--lass/1systems/uriel.nix81
-rw-r--r--lass/2configs/base.nix12
-rw-r--r--lass/2configs/browsers.nix38
-rw-r--r--lass/2configs/desktop-base.nix2
-rw-r--r--lass/2configs/downloading.nix3
-rw-r--r--lass/2configs/fastpoke-pages.nix6
-rw-r--r--lass/2configs/mors/repos.nix87
-rw-r--r--lass/2configs/new-repos.nix1
-rw-r--r--lass/2configs/privoxy-retiolum.nix21
-rw-r--r--lass/2configs/privoxy.nix15
-rw-r--r--lass/2configs/realwallpaper-server.nix32
-rw-r--r--lass/2configs/realwallpaper.nix9
-rw-r--r--lass/2configs/retiolum.nix5
-rw-r--r--lass/2configs/steam.nix4
-rw-r--r--lass/2configs/virtualbox.nix2
-rw-r--r--lass/2configs/weechat.nix22
-rw-r--r--lass/2configs/wordpress.nix4
-rw-r--r--lass/3modules/default.nix2
-rw-r--r--lass/3modules/realwallpaper.nix102
-rw-r--r--lass/5pkgs/default.nix1
-rw-r--r--lass/5pkgs/realwallpaper.nix28
-rw-r--r--tv/2configs/git.nix1
-rw-r--r--tv/4lib/git.nix28
34 files changed, 379 insertions, 257 deletions
diff --git a/default.nix b/default.nix
index c6a635c29..f14329d40 100644
--- a/default.nix
+++ b/default.nix
@@ -11,7 +11,21 @@ let
user-modules-path = ./. + "/${current-user-name}/3modules";
user-pkgs-path = ./. + "/${current-user-name}/5pkgs";
+ # XXX This is only used interactively, e.g. using get.
+ pkgs =
+ let
+ pkgs = import <nixpkgs> {};
+ args = {
+ inherit pkgs;
+ lib = pkgs.lib;
+ };
+ in
+ pkgs //
+ import krebs-pkgs-path args //
+ import user-pkgs-path args;
+
out =
+ { inherit pkgs; } //
lib.mapAttrs (_: builtins.getAttr "main")
(lib.filterAttrs (_: builtins.hasAttr "main")
(lib.mapAttrs
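Review bot: The interactive `pkgs` binding resolves nixpkgs via NIX_PATH (`import <nixpkgs> {}`), so the package set that `get` and other interactive callers see is whatever the caller's environment points at, not the rev the system configs pin; the XXX comment should say so, e.g. `# XXX Interactive use only (e.g. get); resolves nixpkgs from NIX_PATH, not a pinned rev.` The inner `let pkgs = …` also shadows the outer `pkgs` it is defining, which reads like a recursive binding at first glance; renaming it avoids that: `nixpkgs = import <nixpkgs> {};`, `args = { pkgs = nixpkgs; lib = nixpkgs.lib; };`, `nixpkgs // import krebs-pkgs-path args // import user-pkgs-path args;`. The enclosing `let` of default.nix continues outside the hunk.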
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 8e9a42fd0..9ec9d0a8a 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -11,6 +11,7 @@ let
./exim-smarthost.nix
./github-hosts-sync.nix
./git.nix
+ ./iptables.nix
./nginx.nix
./Reaktor.nix
./retiolum.nix
diff --git a/lass/3modules/iptables.nix b/krebs/3modules/iptables.nix
index 8c6ad3fa1..9596229de 100644
--- a/lass/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -3,6 +3,10 @@ arg@{ config, lib, pkgs, ... }:
let
inherit (pkgs) writeScript writeText;
+ inherit (builtins)
+ elem
+ ;
+
inherit (lib)
concatMapStringsSep
concatStringsSep
@@ -20,15 +24,13 @@ let
mkOption
mkIf
types
- sort;
-
- elemIsIn = a: as:
- any (x: x == a) as;
+ sort
+ ;
- cfg = config.lass.iptables;
+ cfg = config.krebs.iptables;
out = {
- options.lass.iptables = api;
+ options.krebs.iptables = api;
config = mkIf cfg.enable imp;
};
@@ -74,8 +76,8 @@ let
imp = {
networking.firewall.enable = false;
- systemd.services.lass-iptables = {
- description = "lass-iptables";
+ systemd.services.krebs-iptables = {
+ description = "krebs-iptables";
wantedBy = [ "network-pre.target" ];
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
@@ -90,7 +92,7 @@ let
Type = "simple";
RemainAfterExit = true;
Restart = "always";
- ExecStart = "@${startScript} lass-iptables_start";
+ ExecStart = "@${startScript} krebs-iptables_start";
};
};
};
@@ -110,13 +112,10 @@ let
in
#TODO: double check should be unneccessary, refactor!
- if (hasAttr "rules" ts."${tn}"."${cn}") then
- if (ts."${tn}"."${cn}".rules == null) then
- ""
- else
- concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
- ++ map (buildRule tn cn) sortedRules
- )
+ if ts.${tn}.${cn}.rules or null != null then
+ concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
+ ++ map (buildRule tn cn) sortedRules
+ )
else
""
;
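Review bot: `ts.${tn}.${cn}.rules or null != null` relies on `or` binding tighter than `!=`, which Nix does guarantee, but the line reads as `rules or (null != null)`; parenthesising makes the intent explicit: `if (ts.${tn}.${cn}.rules or null) != null then`. The `#TODO: double check should be unneccessary, refactor!` comment directly above this hunk refers to the nested `hasAttr` / `== null` check that this hunk removes, so it is now stale and should be dropped with it. The surrounding `let … in` continues outside the hunk.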
@@ -124,7 +123,7 @@ let
buildRule = tn: cn: rule:
#target validation test:
- assert (elemIsIn rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
+ assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}")));
#predicate validation test:
#maybe use iptables-test
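Review bot: The `assert` on `rule.target` is the only validation a rule gets before `rule.predicate` is spliced verbatim into the iptables-restore input by the `-A ${cn} ${rule}` line in the previous hunk, so a predicate containing a newline would silently turn into an additional rule; the `#predicate validation test:` placeholder could at least reject that, e.g. `assert !(elem "\n" (lib.stringToCharacters rule.predicate));` (`elem` is already inherited from builtins in this file). This is hardening against mistakes in the host configs that feed `krebs.iptables`, which is the only input shown here; whether iptables-test is still the plan is not visible in the diff. `buildRule`'s body continues past the end of the hunk.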
@@ -171,11 +170,11 @@ let
tables = tables-defaults // cfg.tables;
in
- writeText "lass-iptables-rules${toString iptables-version}" ''
+ writeText "krebs-iptables-rules${toString iptables-version}" ''
${buildTables iptables-version tables}
'';
- startScript = writeScript "lass-iptables_start" ''
+ startScript = writeScript "krebs-iptables_start" ''
#! /bin/sh
set -euf
iptables-restore < ${rules4 4}
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 32b366b91..0065f7692 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -9,7 +9,7 @@ with import ../../4lib { inherit lib; };
dc = "lass"; #dc = "cac";
nets = rec {
internet = {
- addrs4 = ["104.233.84.57"];
+ addrs4 = ["162.248.162.105"];
aliases = [
"echelon.internet"
];
diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix
index 52b5dc78c..7e136d96f 100644
--- a/krebs/5pkgs/default.nix
+++ b/krebs/5pkgs/default.nix
@@ -15,6 +15,7 @@ rec {
github-hosts-sync = callPackage ./github-hosts-sync {};
github-known_hosts = callPackage ./github-known_hosts {};
hashPassword = callPackage ./hashPassword {};
+ jq = callPackage ./jq {};
krebszones = callPackage ./krebszones {};
lentil = callPackage ./lentil {};
much = callPackage ./much {};
diff --git a/krebs/5pkgs/get/default.nix b/krebs/5pkgs/get/default.nix
index 20bbfd014..d4f5f6b46 100644
--- a/krebs/5pkgs/get/default.nix
+++ b/krebs/5pkgs/get/default.nix
@@ -1,12 +1,12 @@
{ coreutils, gnugrep, gnused, fetchgit, jq, nix, stdenv, ... }:
stdenv.mkDerivation {
- name = "get-1.3.0";
+ name = "get-1.3.1";
src = fetchgit {
url = http://cgit.cd.retiolum/get;
- rev = "fbe8f8d12ede9762fceb15b9944b69a4ee6331eb";
- sha256 = "bcdf036f8b5d1467285d0998aeac7e48280adfb9e1278f9f424c9c8b5e6ed8fa";
+ rev = "64c97edd3f9952cd5e703208c46748a035a515bf";
+ sha256 = "32ca83f4fd86fd3285bef9dcfd0917308086d239189858daceca175de49ff97c";
};
phases = [
diff --git a/krebs/5pkgs/jq/default.nix b/krebs/5pkgs/jq/default.nix
new file mode 100644
index 000000000..41db0f284
--- /dev/null
+++ b/krebs/5pkgs/jq/default.nix
@@ -0,0 +1,33 @@
+{stdenv, fetchurl}:
+let
+ s = # Generated upstream information
+ rec {
+ baseName="jq";
+ version="1.5";
+ name="${baseName}-${version}";
+ url=https://github.com/stedolan/jq/releases/download/jq-1.5/jq-1.5.tar.gz;
+ sha256="0g29kyz4ykasdcrb0zmbrp2jqs9kv1wz9swx849i2d1ncknbzln4";
+ };
+ buildInputs = [
+ ];
+in
+stdenv.mkDerivation {
+ inherit (s) name version;
+ inherit buildInputs;
+ src = fetchurl {
+ inherit (s) url sha256;
+ };
+
+ # jq is linked to libjq:
+ configureFlags = [
+ "LDFLAGS=-Wl,-rpath,\\\${libdir}"
+ ];
+ meta = {
+ inherit (s) version;
+ description = ''A lightweight and flexible command-line JSON processor'';
+ license = stdenv.lib.licenses.mit ;
+ maintainers = [stdenv.lib.maintainers.raskin];
+ platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin;
+ };
+}
+
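Review bot: This file is a copy of the nixpkgs jq expression (the `# Generated upstream information` block and `maintainers = [stdenv.lib.maintainers.raskin]` are upstream's), but nothing records where it was copied from or why the in-tree `pkgs.jq` is not used, which is exactly what the next person bumping it needs; a header comment such as `# Copied from nixpkgs (<commit placeholder>) because <reason placeholder>; keep in sync when updating.` would do. The `maintainers` entry credits the upstream maintainer for a copy they do not maintain and should probably go. `meta` also repeats `inherit (s) version` although `version` is already set on the derivation a few lines up; harmless, but redundant.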
diff --git a/krebs/default.nix b/krebs/default.nix
index 0ec4c6079..b98fad558 100644
--- a/krebs/default.nix
+++ b/krebs/default.nix
@@ -85,6 +85,7 @@
# s:^nix-env:chroot $mountPoint '"$nix_env"':
#' nixos-install
+ unset SSL_CERT_FILE
./nixos-install
${builtins.readFile ./4lib/infest/finalize.sh}
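Review bot: `unset SSL_CERT_FILE` is placed in front of `./nixos-install` with no explanation, and since it changes which CA bundle every TLS client in the install step uses, the reason belongs in the script, e.g. `# SSL_CERT_FILE inherited from the host points nowhere inside the chroot; let nix fall back to its default bundle` — assuming that is the motive, which the hunk does not show. Worth confirming that with the variable unset, downloads during the install still verify against a bundle present in the target environment instead of failing. The shell script this line sits in begins and ends outside the hunk.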
diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix
index 5235c25e5..2a6a70ffd 100644
--- a/lass/1systems/cloudkrebs.nix
+++ b/lass/1systems/cloudkrebs.nix
@@ -1,6 +1,12 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
-{
+let
+ inherit (import ../4lib { inherit pkgs lib; }) getDefaultGateway;
+ inherit (lib) head;
+
+ ip = (head config.krebs.build.host.nets.internet.addrs4);
+ r_ip = (head config.krebs.build.host.nets.retiolum.addrs4);
+in {
imports = [
../../tv/2configs/CAC-Developer-2.nix
../../tv/2configs/CAC-CentOS-7-64bit.nix
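Review bot: `r_ip` is bound in the new `let` but not used in any of this file's hunks; if it has no use further down the file it should be removed, otherwise a short comment on what it is for helps. The parentheses around both `head …` calls are redundant in Nix, and the `r_ip` line is repeated verbatim in the new privoxy-retiolum.nix in this commit, which suggests a small helper in `../4lib` next to `getDefaultGateway`. The attribute set opened by `in {` continues past the hunk.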
@@ -8,14 +14,15 @@
../2configs/retiolum.nix
../2configs/fastpoke-pages.nix
../2configs/new-repos.nix
+ ../2configs/realwallpaper.nix
{
networking.interfaces.enp2s1.ip4 = [
{
- address = "104.167.113.104";
+ address = ip;
prefixLength = 24;
}
];
- networking.defaultGateway = "104.167.113.1";
+ networking.defaultGateway = getDefaultGateway ip;
networking.nameservers = [
"8.8.8.8"
];
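Review bot: `networking.defaultGateway = getDefaultGateway ip;` derives the gateway from the address alone while `prefixLength = 24;` a few lines above stays hard-coded, so the two can drift apart; if the helper assumes a /24 (its definition in `../4lib` is not in this diff), that should be stated next to the call, e.g. `# getDefaultGateway assumes the /24 configured above`, or the prefix should be passed to it. The surrounding attribute set continues outside the hunk.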
@@ -40,4 +47,8 @@
networking.hostName = "cloudkrebs";
+ environment.systemPackages = [
+ pkgs.dic
+ ];
+
}
diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix
index d1a3f34f7..782674cb0 100644
--- a/lass/1systems/echelon.nix
+++ b/lass/1systems/echelon.nix
@@ -11,6 +11,7 @@ in {
../../tv/2configs/CAC-CentOS-7-64bit.nix
../2configs/base.nix
../2configs/retiolum.nix
+ ../2configs/realwallpaper.nix
{
networking.interfaces.enp2s1.ip4 = [
{
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index b7291a8f2..414afcbba 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -23,6 +23,7 @@
../2configs/wordpress.nix
../2configs/bitlbee.nix
../2configs/firefoxPatched.nix
+ ../2configs/realwallpaper.nix
];
krebs.build = {
@@ -174,7 +175,9 @@
environment.systemPackages = with pkgs; [
cac
+ sshpass
get
+ genid
];
#TODO: fix this shit
@@ -195,21 +198,11 @@
};
};
- networking.firewall = {
- allowPing = true;
- allowedTCPPorts = [
- 8000
- ];
- allowedUDPPorts = [
- 67
- ];
- };
-
services.mongodb = {
enable = true;
};
- lass.iptables = {
+ krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; }
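Review bot: The removed `networking.firewall` block allowed ping, TCP 8000 and UDP 67, but the replacement `krebs.iptables` rules visible here only cover `-p tcp --dport 8000`; the hunk ends inside the rules list, so confirm that UDP 67 (only needed if this host serves DHCP) and ICMP echo have equivalents below, or that dropping them is intentional. Since the krebs.iptables module sets `networking.firewall.enable = false`, anything not re-added here is simply no longer allowed rather than being covered by the NixOS firewall. `krebs.iptables.tables` continues outside the hunk.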
diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix
index 9d96e7814..bd3770b43 100644
--- a/lass/1systems/uriel.nix
+++ b/lass/1systems/uriel.nix
@@ -12,6 +12,8 @@ with builtins;
../2configs/new-repos.nix
../2configs/chromium-patched.nix
../2configs/retiolum.nix
+ ../2configs/bitlbee.nix
+ ../2configs/weechat.nix
{
users.extraUsers = {
root = {
@@ -82,9 +84,6 @@ with builtins;
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0"
'';
- #services.xserver = {
- #};
-
services.xserver.synaptics = {
enable = true;
twoFingerScroll = true;
@@ -101,80 +100,4 @@ with builtins;
#for google hangout
users.extraUsers.google.extraGroups = [ "audio" "video" ];
-
-
- #users.extraGroups = {
- # loot = {
- # members = [
- # "lass"
- # "firefox"
- # "chromium"
- # "google"
- # ];
- # };
- #};
- #
- # iptables
- #
- #networking.firewall.enable = false;
- #system.activationScripts.iptables =
- # let
- # log = false;
- # when = c: f: if c then f else "";
- # in
- # ''
- # ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
- # ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
- # ipXtables() { ip4tables "$@"; ip6tables "$@"; }
-
- # #
- # # nat
- # #
-
- # # reset tables
- # ipXtables -t nat -F
- # ipXtables -t nat -X
-
- # #
- # #ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
- # ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
-
- # #
- # # filter
- # #
-
- # # reset tables
- # ipXtables -P INPUT DROP
- # ipXtables -P FORWARD DROP
- # ipXtables -F
- # ipXtables -X
-
- # # create custom chains
- # ipXtables -N Retiolum
-
- # # INPUT
- # ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- # ipXtables -A INPUT -j ACCEPT -i lo
- # ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
- # ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
- # ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
- # ipXtables -A INPUT -j Retiolum -i retiolum
- # ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
-
- # # FORWARD
- # ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
-
- # # Retiolum
- # ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
- # ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
-
-
- # ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
- # ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
- # ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
- # ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
- # ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
- # ip6tables -A Retiolum -j REJECT
-
- # '';
}
diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix
index 46435649b..43c4f4e34 100644
--- a/lass/2configs/base.nix
+++ b/lass/2configs/base.nix
@@ -3,14 +3,13 @@
with lib;
{
imports = [
- ../3modules/iptables.nix
../2configs/vim.nix
../2configs/zsh.nix
../2configs/mc.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
- (import /root/src/secrets/hashedPasswords.nix);
+ (import /root/secrets/hashedPasswords.nix);
}
{
users.extraUsers = {
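Review bot: `import /root/secrets/hashedPasswords.nix` reads the file at evaluation time on whichever machine evaluates the configuration, so the new location has to exist there rather than on the target, which is worth a comment next to the import, e.g. `# read at evaluation time on the build host; the file must exist there`. As far as I recall, NixOS writes `hashedPassword` values into the store as part of the system closure, so only the hash strength protects them — the usual trade-off, but worth keeping in mind when choosing the hashing scheme for that file. The `imports` list continues past the hunk.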
@@ -45,7 +44,7 @@ with lib;
build.source = {
git.nixpkgs = {
url = https://github.com/Lassulus/nixpkgs;
- rev = "68bd8e4a9dc247726ae89cc8739574261718e328";
+ rev = "e916273209560b302ab231606babf5ce1c481f08";
};
};
};
@@ -71,7 +70,12 @@ with lib;
'';
environment.systemPackages = with pkgs; [
+ #stockholm
git
+ jq
+ parallel
+
+ #style
most
rxvt_unicode.terminfo
@@ -137,7 +141,7 @@ with lib;
RuntimeMaxUse=128M
'';
- lass.iptables = {
+ krebs.iptables = {
enable = true;
tables = {
filter.INPUT.policy = "DROP";
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix
index f37dace2c..5a1857973 100644
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@@ -6,14 +6,12 @@ let
mainUser = config.users.extraUsers.mainUser;
createChromiumUser = name: extraGroups: packages:
{
- users.extraUsers = {
- ${name} = {
- inherit name;
- inherit extraGroups;
- home = "/home/${name}";
- useDefaultShell = true;
- createHome = true;
- };
+ users.extraUsers.${name} = {
+ inherit name;
+ inherit extraGroups;
+ home = "/home/${name}";
+ useDefaultShell = true;
+ createHome = true;
};
lass.per-user.${name}.packages = packages;
security.sudo.extraConfig = ''
@@ -28,14 +26,12 @@ let
createFirefoxUser = name: extraGroups: packages:
{
- users.extraUsers = {
- ${name} = {
- inherit name;
- inherit extraGroups;
- home = "/home/${name}";
- useDefaultShell = true;
- createHome = true;
- };
+ users.extraUsers.${name} = {
+ inherit name;
+ inherit extraGroups;
+ home = "/home/${name}";
+ useDefaultShell = true;
+ createHome = true;
};
lass.per-user.${name}.packages = packages;
security.sudo.extraConfig = ''
@@ -66,16 +62,16 @@ in {
( createChromiumUser "cr" [ "audio" ] [ pkgs.chromium ] )
( createChromiumUser "fb" [ ] [ pkgs.chromium ] )
( createChromiumUser "gm" [ ] [ pkgs.chromium ] )
- ( createChromiumUser "flash" [ ] [ pkgs.flash ] )
+ # ( createChromiumUser "flash" [ ] [ pkgs.flash ] )
];
nixpkgs.config.packageOverrides = pkgs : {
flash = pkgs.chromium.override {
- pulseSupport = true;
+ # pulseSupport = true;
enablePepperFlash = true;
};
- chromium = pkgs.chromium.override {
- pulseSupport = true;
- };
+ #chromium = pkgs.chromium.override {
+ # pulseSupport = true;
+ #};
};
}
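Review bot: The `flash` chromium user, `pulseSupport = true` and the `chromium` override are commented out rather than removed, with no note on why (a build failure of the pulse-enabled chromium, presumably); git keeps the history, so either delete them or add a one-line reason such as `# pulseSupport disabled: <reason placeholder>`. As left, the `flash` override in `packageOverrides` still builds a pepper-flash chromium that no user in this file references, so it is dead unless something outside this file uses `pkgs.flash`.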
diff --git a/lass/2configs/desktop-base.nix b/lass/2configs/desktop-base.nix
index 8ae768ca9..ed84edefa 100644
--- a/lass/2configs/desktop-base.nix
+++ b/lass/2configs/desktop-base.nix
@@ -34,6 +34,8 @@ in {
haskellPackages.yeganesh
dmenu2
xlibs.fontschumachermisc
+
+ sxiv
];
fonts.fonts = [
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index e6d31a6c4..5052da5c8 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -2,7 +2,6 @@
{
imports = [
- ../3modules/iptables.nix
../3modules/folderPerms.nix
];
@@ -47,7 +46,7 @@
};
};
- lass.iptables = {
+ krebs.iptables = {
enable = true;
tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 9091"; target = "ACCEPT"; }
diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix
index 1c8106a88..0470865b6 100644
--- a/lass/2configs/fastpoke-pages.nix
+++ b/lass/2configs/fastpoke-pages.nix
@@ -29,9 +29,7 @@ let
};
in {
- imports = [
- ../3modules/iptables.nix
- ] ++ map createStaticPage [
+ imports = map createStaticPage [
"habsys.de"
"pixelpocket.de"
"karlaskop.de"
@@ -39,7 +37,7 @@ in {
"apanowicz.de"
];
- lass.iptables = {
+ krebs.iptables = {
tables = {
filter.INPUT.rules = [
{ predicate = "-p tcp --dport http"; target = "ACCEPT"; }
diff --git a/lass/2configs/mors/repos.nix b/lass/2configs/mors/repos.nix
deleted file mode 100644
index 1f7f33456..000000000
--- a/lass/2configs/mors/repos.nix
+++ /dev/null
@@ -1,87 +0,0 @@
-{ ... }:
-
-{
- imports = [
- ../lass/gitolite-base.nix
- ../common/krebs-keys.nix
- ../common/krebs-repos.nix
- ];
-
- services.gitolite = {
- repos = {
-
- config = {
- users = {
- lass = "RW+";
- uriel = "R";
- tv = "R";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- pass = {
- users = {
- lass = "RW+";
- uriel = "R";
- };
- };
-
- load-env = {
- users = {
- lass = "RW+";
- uriel = "R";
- tv = "R";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- emse-drywall = {
- users = {
- lass = "RW+";
- uriel = "R";
- tv = "R";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- emse-hsdb = {
- users = {
- lass = "RW+";
- uriel = "R";
- tv = "R";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- brain = {
- users = {
- lass = "RW+";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- #hooks.post-receive = irc-announce;
- };
-
- painload = {
- users = {
- lass = "RW+";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- services = {
- users = {
- lass = "RW+";
- };
- extraConfig = "option hook.post-receive = irc-announce";
- };
-
- xmonad-config = {
- users = {
- lass = "RW+";
- uriel = "R";
- };
- };
-
- };
- };
-}
diff --git a/lass/2configs/new-repos.nix b/lass/2configs/new-repos.nix
index 026f9a665..3d293d654 100644
--- a/lass/2configs/new-repos.nix
+++ b/lass/2configs/new-repos.nix
@@ -47,6 +47,7 @@ let
nick = config.krebs.build.host.name;
channel = "#retiolum";
server = "cd.retiolum";
+ verbose = config.krebs.build.host.name == "cloudkrebs";
};
};
};
diff --git a/lass/2configs/privoxy-retiolum.nix b/lass/2configs/privoxy-retiolum.nix
new file mode 100644
index 000000000..3a3641ad8
--- /dev/null
+++ b/lass/2configs/privoxy-retiolum.nix
@@ -0,0 +1,21 @@
+{ config, lib, ... }:
+
+let
+ r_ip = (head config.krebs.build.host.nets.retiolum.addrs4);
+ inherit (lib) head;
+
+in {
+ imports = [
+ ./privoxy.nix
+ ];
+
+ services.privoxy.listenAddress = "${r_ip}:8118";
+
+ krebs.iptables = {
+ tables = {
+ filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport 8118"; target = "ACCEPT"; }
+ ];
+ };
+ };
+}
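Review bot: Binding privoxy to `${r_ip}:8118` and accepting `-i retiolum -p tcp --dport 8118` makes the proxy — and through privoxy.nix the polipo and tor forwards behind it — usable by every retiolum peer, since privoxy does no authentication; if that is the intent a comment should say so, and if not, privoxy's `permit-access` directive in `extraConfig` can narrow it to the intended peers. `r_ip = (head …)` before `inherit (lib) head;` works because `let` is recursive, but putting the inherit first and dropping the parentheses reads better. The same `r_ip` line appears in cloudkrebs.nix in this commit, so a shared helper would remove the duplication.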
diff --git a/lass/2configs/privoxy.nix b/lass/2configs/privoxy.nix
new file mode 100644
index 000000000..bf5f6e206
--- /dev/null
+++ b/lass/2configs/privoxy.nix
@@ -0,0 +1,15 @@
+{ config, ... }:
+
+{
+ services.privoxy = {
+ enable = true;
+ extraConfig = ''
+ #use polipo
+ forward / localhost:8123
+
+ #route .onion through tor
+ forward-socks4a .onion localhost:9050