Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/AP.nix22
-rw-r--r--lass/2configs/IM.nix73
-rw-r--r--lass/2configs/backup.nix1
-rw-r--r--lass/2configs/baseX.nix11
-rw-r--r--lass/2configs/bitlbee.nix15
-rw-r--r--lass/2configs/blue-host.nix22
-rw-r--r--lass/2configs/blue.nix55
-rw-r--r--lass/2configs/container-networking.nix15
-rw-r--r--lass/2configs/default.nix6
-rw-r--r--lass/2configs/exim-smarthost.nix5
-rw-r--r--lass/2configs/games.nix1
-rw-r--r--lass/2configs/git.nix12
-rw-r--r--lass/2configs/libvirt.nix3
-rw-r--r--lass/2configs/monitoring/prometheus-server.nix1
-rw-r--r--lass/2configs/steam.nix2
-rw-r--r--lass/2configs/websites/domsen.nix15
-rw-r--r--lass/2configs/websites/util.nix16
17 files changed, 148 insertions, 127 deletions
diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix
index 5ce7cfff8..dfffbfdf9 100644
--- a/lass/2configs/AP.nix
+++ b/lass/2configs/AP.nix
@@ -6,7 +6,7 @@ in {
boot.extraModulePackages = [
pkgs.linuxPackages.rtl8814au
];
- networking.networkmanager.unmanaged = [ wifi ];
+ networking.networkmanager.unmanaged = [ wifi "et0" ];
systemd.services.hostapd = {
description = "hostapd wireless AP";
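Review bot: The new `br0` bridge is not itself listed in `networking.networkmanager.unmanaged` on L35; only `wifi` and `"et0"` are, although the bridge (created later in this file by the `networking.bridges.br0` hunk) is the interface that now carries the 10.99.0.1 address and the dhcpd listener. Since this host evidently runs NetworkManager, it may take over a bridge device it did not create, which would compete with the static configuration; I would write `networking.networkmanager.unmanaged = [ wifi "et0" "br0" ];`. The hostapd service definition continues outside the hunk.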
@@ -38,12 +38,17 @@ in {
};
};
- networking.interfaces.${wifi}.ipv4.addresses = [
+ networking.bridges.br0.interfaces = [
+ wifi
+ "et0"
+ ];
+
+ networking.interfaces.br0.ipv4.addresses = [
{ address = "10.99.0.1"; prefixLength = 24; }
];
services.dhcpd4 = {
enable = true;
- interfaces = [ wifi ];
+ interfaces = [ "br0" ];
extraConfig = ''
option subnet-mask 255.255.255.0;
option routers 10.99.0.1;
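Review bot: `"et0"` is a hard-coded string here on L44 and again on L35, while the wireless interface is a `let`-bound name (`wifi`), so a rename of the wired port has to be done in two places; binding it next to `wifi` (e.g. `eth = "et0";` in the `let` above the hunk, which starts outside this view) and using `eth` in both places keeps the file consistent. Worth a comment as well: bridging the wired port into the AP subnet means anything plugged into et0 joins 10.99.0.0/24 alongside the WPA-authenticated wireless clients without passing through hostapd, which is a change in who is trusted on that segment. Something like `# et0 is bridged into the AP network: wired devices get the same access as wifi clients` above L42 would make that deliberate.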
@@ -56,11 +61,12 @@ in {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
krebs.iptables.tables.filter.FORWARD.rules = [
- { v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- { v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; }
- { v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; }
- { v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
- { v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ { v6 = false; predicate = "-d 10.99.0.0/24 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-s 10.99.0.0/24 -i br0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
+ { v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+ { v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; }
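Review bot: L67 and L68 are the same rule twice (`-i br0 -o br0` → ACCEPT); the rewrite from `${wifi}` to `br0` only had one such line to replace, so one of the two should be dropped. Note also that this intra-bridge rule only has an effect if bridged frames are passed through iptables (br_netfilter), which nothing in the hunk enables — presumably it was carried over from the single-interface version, so a short comment on why it is kept would help the next reader. The surrounding `FORWARD.rules` list is fully inside the hunk; the nat rules below it continue outside.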
diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix
deleted file mode 100644
index 7d3dfd428..000000000
--- a/lass/2configs/IM.nix
+++ /dev/null
@@ -1,73 +0,0 @@
-with (import <stockholm/lib>);
-{ config, lib, pkgs, ... }:
-
-let
- tmux = pkgs.writeDash "tmux" ''
- exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
- set-option -g prefix `
- unbind-key C-b
- bind ` send-prefix
-
- set-option -g status off
- set-option -g default-terminal screen-256color
-
- #use session instead of windows
- bind-key c new-session
- bind-key p switch-client -p
- bind-key n switch-client -n
- bind-key C-s switch-client -l
- ''} "$@"
- '';
-in {
-
- services.bitlbee = {
- enable = true;
- portNumber = 6666;
- plugins = [
- pkgs.bitlbee-facebook
- pkgs.bitlbee-steam
- pkgs.bitlbee-discord
- ];
- libpurple_plugins = [ pkgs.telegram-purple ];
- };
-
- users.extraUsers.chat = {
- home = "/home/chat";
- uid = genid "chat";
- useDefaultShell = true;
- createHome = true;
- openssh.authorizedKeys.keys = with config.krebs.users; [
- lass.pubkey
- lass-shodan.pubkey
- lass-icarus.pubkey
- lass-android.pubkey
- lass-helios.pubkey
- ];
- };
-
- # mosh
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
- { predicate = "-p tcp --dport 9999"; target = "ACCEPT";}
- ];
-
- systemd.services.chat = {
- description = "chat environment setup";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
-
- restartIfChanged = false;
-
- path = [
- pkgs.rxvt_unicode.terminfo
- ];
-
- serviceConfig = {
- User = "chat";
- RemainAfterExit = true;
- Type = "oneshot";
- ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat";
- ExecStop = "${tmux} kill-session -t IM";
- };
- };
-}
diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix
index 27adf6d2a..d23cf9a43 100644
--- a/lass/2configs/backup.nix
+++ b/lass/2configs/backup.nix
@@ -15,6 +15,7 @@ with import <stockholm/lib>;
openssh.authorizedKeys.keys = with config.krebs.hosts; [
mors.ssh.pubkey
prism.ssh.pubkey
+ blue.ssh.pubkey
];
};
}
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index e2e44b6fc..a387f2c5d 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -69,11 +69,13 @@ in {
environment.systemPackages = with pkgs; [
acpi
bank
+ cabal2nix
dic
dmenu
gi
- git-preview
gitAndTools.qgit
+ git-preview
+ gnome3.dconf
lm_sensors
mpv-poll
much
@@ -86,19 +88,18 @@ in {
rxvt_unicode_with-plugins
slock
sxiv
- timewarrior
taskwarrior
termite
+ thesauron
+ timewarrior
xclip
+ xephyrify
xorg.xbacklight
xorg.xhost
xsel
youtube-tools
yt-next
zathura
-
- cabal2nix
- xephyrify
];
fonts.fonts = with pkgs; [
diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix
new file mode 100644
index 000000000..1220fa0cd
--- /dev/null
+++ b/lass/2configs/bitlbee.nix
@@ -0,0 +1,15 @@
+with (import <stockholm/lib>);
+{ config, lib, pkgs, ... }:
+
+{
+ services.bitlbee = {
+ enable = true;
+ portNumber = 6666;
+ plugins = [
+ pkgs.bitlbee-facebook
+ pkgs.bitlbee-steam
+ pkgs.bitlbee-discord
+ ];
+ libpurple_plugins = [ pkgs.telegram-purple ];
+ };
+}
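Review bot: The listening address of bitlbee is left to the module default; `portNumber = 6666` is set on L218 but `interface` is not, so reachability of the unauthenticated IRC-side port depends on the NixOS default of 127.0.0.1 and on the host firewall. Since this file is meant to be imported by other configs (blue.nix does so), I would pin it explicitly: `interface = "127.0.0.1";` next to `portNumber`, plus a comment such as `# loopback only: bitlbee has no authentication on the IRC side`.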
diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix
new file mode 100644
index 000000000..657234bc1
--- /dev/null
+++ b/lass/2configs/blue-host.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+ imports = [
+ <stockholm/lass/2configs/container-networking.nix>
+ ];
+ containers.blue = {
+ config = { ... }: {
+ environment.systemPackages = [ pkgs.git ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ };
+ autoStart = true;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.9";
+ localAddress = "10.233.2.10";
+ };
+}
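Review bot: Root login into the container is keyed on `config.krebs.users.lass.pubkey` (L245), whereas the rest of this commit moves the other authorized_keys lists off that key onto `lass-mors`/`lass-blue` (default.nix L361–L362, L371–L372) and git.nix L440; it is not clear from the hunk whether the plain `lass` key is still meant to stay in use, and this new file should probably follow the same split, e.g. `config.krebs.users.lass-mors.pubkey`. The container sshd relies on whatever `permitRootLogin` defaults to in the module — if root-by-key is intended, stating it with `services.openssh.permitRootLogin = "prohibit-password";` inside the container config makes the intent explicit rather than version-dependent. A one-line comment on the purpose of `enableTun = true` would also help, since nothing in the file uses a tun device.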
diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix
new file mode 100644
index 000000000..c0417b865
--- /dev/null
+++ b/lass/2configs/blue.nix
@@ -0,0 +1,55 @@
+with (import <stockholm/lib>);
+{ config, lib, pkgs, ... }:
+
+{
+
+ imports = [
+ ./bitlbee.nix
+ ./mail.nix
+ ./pass.nix
+ ];
+
+ services.tor.enable = true;
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
+ { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";}
+ ];
+
+ systemd.services.chat = let
+ tmux = pkgs.writeDash "tmux" ''
+ exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
+ set-option -g prefix `
+ unbind-key C-b
+ bind ` send-prefix
+
+ set-option -g status off
+ set-option -g default-terminal screen-256color
+
+ #use session instead of windows
+ bind-key c new-session
+ bind-key p switch-client -p
+ bind-key n switch-client -n
+ bind-key C-s switch-client -l
+ ''} "$@"
+ '';
+ in {
+ description = "chat environment setup";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ restartIfChanged = false;
+
+ path = [
+ pkgs.rxvt_unicode.terminfo
+ ];
+
+ serviceConfig = {
+ User = "lass";
+ RemainAfterExit = true;
+ Type = "oneshot";
+ ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat";
+ ExecStop = "${tmux} kill-session -t IM";
+ };
+ };
+}
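Review bot: `services.tor.enable = true;` on L272 starts a full tor daemon with no comment on what consumes it; if the only use is a local SOCKS proxy for the chat clients started by the `chat` service below, `services.tor.client.enable = true;` is the narrower option and avoids a relay/hidden-service-capable daemon being configured by default. I cannot tell the intended use from this file, so at minimum a comment like `# tor: SOCKS proxy for weechat/bitlbee — TODO confirm` would document it. The firewall rules on L275–L276 now restrict mosh and 9999/tcp to `-i retiolum`, which is tighter than the unrestricted rules the deleted IM.nix had — a comment naming what listens on 9999/tcp would make that rule reviewable.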
diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix
index 3dae3420d..f04e4342d 100644
--- a/lass/2configs/container-networking.nix
+++ b/lass/2configs/container-networking.nix
@@ -1,12 +1,6 @@
-{ ... }:
+{ lib, ... }:
{
- #krebs.iptables.tables.filter.INPUT.rules = [
- # { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 53"; target = "ACCEPT"; }
- # { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 53"; target = "ACCEPT"; }
- # { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 67"; target = "ACCEPT"; }
- # { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 67"; target = "ACCEPT"; }
- #];
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; predicate = "-d 10.233.2.0/24 -o ve-+ -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 -i ve-+"; target = "ACCEPT"; }
@@ -14,9 +8,9 @@
{ v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
- #krebs.iptables.tables.filter.OUTPUT.rules = [
- # { v6 = false; predicate = "-o ve-+ -p udp -m udp --dport 68"; target = "ACCEPT"; }
- #];
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; }
+ ];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 255.255.255.255"; target = "RETURN"; }
@@ -24,4 +18,5 @@
{ v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
];
+ boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;
}
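Review bot: `boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;` on L350 turns the importing host into a router for all interfaces, while the FORWARD rules in this file only constrain traffic entering or leaving `ve-+`; whether forwarding between any other pair of interfaces is blocked depends on the FORWARD chain's policy, which is set outside this file. That trade-off deserves a comment at the line, e.g. `# global forwarding is required for the containers; every other interface pair relies on the FORWARD default policy`. `mkDefault` is the right choice here given AP.nix sets the same sysctl unconditionally on L58, so both can be imported together without a conflict.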
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 12a814605..ed97b4897 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -19,7 +19,8 @@ with import <stockholm/lib>;
users.extraUsers = {
root = {
openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
+ config.krebs.users.lass-mors.pubkey
+ config.krebs.users.lass-blue.pubkey
config.krebs.users.lass-shodan.pubkey
config.krebs.users.lass-icarus.pubkey
config.krebs.users.lass-xerxes.pubkey
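Review bot: `lass-blue.pubkey` is added to root's authorized keys on every host importing default.nix (L362, and the user account on L372), and the same key gets force-push/delete rights on all repos in git.nix L440 and backup access in backup.nix L161; judging by the name it is the key living on the `blue` container, whose own root is reachable with `lass.pubkey` (blue-host.nix L245). If that reading is right, a compromise of the container — which runs a network-facing chat stack — now escalates to root on the fleet, which is worth an explicit decision and a comment such as `# lass-blue: key held on the blue container — same trust as the workstation keys`. I am inferring the key's location from its name; if it is a different key the note does not apply.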
@@ -38,7 +39,8 @@ with import <stockholm/lib>;
"wheel"
];
openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
+ config.krebs.users.lass-mors.pubkey
+ config.krebs.users.lass-blue.pubkey
config.krebs.users.lass-shodan.pubkey
config.krebs.users.lass-icarus.pubkey
];
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index e05ed2427..371f20885 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -14,7 +14,7 @@ with import <stockholm/lib>;
];
relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [
config.krebs.hosts.mors
- config.krebs.hosts.uriel
+ config.krebs.hosts.blue
];
internet-aliases = with config.krebs.users; [
{ from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822
@@ -80,6 +80,9 @@ with import <stockholm/lib>;
{ from = "hetzner@lassul.us"; to = lass.mail; }
{ from = "allygator@lassul.us"; to = lass.mail; }
{ from = "immoscout@lassul.us"; to = lass.mail; }
+ { from = "elitedangerous@lassul.us"; to = lass.mail; }
+ { from = "boardgamegeek@lassul.us"; to = lass.mail; }
+ { from = "qwertee@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 3ee3a98a5..81f53bf69 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -80,6 +80,7 @@ in {
};
};
+ hardware.opengl.driSupport32Bit = true;
hardware.pulseaudio.support32Bit = true;
security.sudo.extraConfig = ''
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 43085ba5e..e41ff606f 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -57,17 +57,17 @@ let
cgit.desc = "Fork of nix-user-chroot my lethalman";
cgit.section = "software";
};
+ krops = {
+ cgit.desc = "krebs deployment";
+ cgit.section = "software";
+ };
+ } // mapAttrs make-public-repo-silent {
nixos-aws = {
collaborators = [ {
name = "fabio";
pubkey = "ssh-rsa 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 ada";
} ];
};
- krops = {
- cgit.desc = "krebs deployment";
- cgit.section = "software";
- };
- } // mapAttrs make-public-repo-silent {
};
restricted-repos = mapAttrs make-restricted-repo (
@@ -121,7 +121,7 @@ let
with git // config.krebs.users;
repo:
singleton {
- user = [ lass lass-shodan ];
+ user = [ lass-mors lass-shodan lass-icarus lass-blue ];
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++
diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix
index a71638323..78d5ae0e9 100644
--- a/lass/2configs/libvirt.nix
+++ b/lass/2configs/libvirt.nix
@@ -20,6 +20,9 @@
krebs.iptables.tables.filter.OUTPUT.rules = [
{ v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
];
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; }
+ ];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; }
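Review bot: The new `nat.PREROUTING` ACCEPT with `precedence = 1000` on L452–L454 has no comment explaining its purpose, and the identical pattern is added in container-networking.nix L340–L342 and already exists in AP.nix L73; presumably it is there so the local VM subnet is exempted from DNAT rules that other modules put in PREROUTING, but that has to be guessed from the precedence value. A comment above the list, e.g. `# exempt the VM subnet from any port-forwarding (DNAT) rules added elsewhere; high precedence puts it first — TODO confirm`, would make all three copies reviewable. The `POSTROUTING` list below continues outside the hunk.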
diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix
index e16d421a0..aef671636 100644
--- a/lass/2configs/monitoring/prometheus-server.nix
+++ b/lass/2configs/monitoring/prometheus-server.nix
@@ -159,7 +159,6 @@
"email_configs" = [
{
"to" = "devnull@example.com";
- "send_resolved" = true;
}
];
"webhook_configs" = [
diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix
index 225ddd308..e1b523e3a 100644
--- a/lass/2configs/steam.nix
+++ b/lass/2configs/steam.nix
@@ -10,8 +10,6 @@
# source: https://nixos.org/wiki/Talk:Steam
#
##TODO: make steam module
- hardware.opengl.driSupport32Bit = true;
-
nixpkgs.config.steam.java = true;
environment.systemPackages = with pkgs; [
steam
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 7a72499c9..4e8361a17 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -26,12 +26,7 @@ in {
./default.nix
./sqlBackup.nix
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
- (servePage [
- "habsys.de"
- "habsys.eu"
- "www.habsys.de"
- "www.habsys.eu"
- ])
+ (servePage [ "freemonkey.art" ])
(serveOwncloud [ "o.ubikmedia.de" ])
(serveWordpress [
"ubikmedia.de"
@@ -120,6 +115,7 @@ in {
{ from = "jms@ubikmedia.eu"; to = "jms"; }
{ from = "ms@ubikmedia.eu"; to = "ms"; }
{ from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
+ { from = "akayguen@freemonkey.art"; to ="akayguen"; }
{ from = "testuser@lassul.us"; to = "testuser"; }
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
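Review bot: Style: the new alias on L505 is written `to ="akayguen"` while every neighbouring entry uses `to = "..."`; make it `{ from = "akayguen@freemonkey.art"; to = "akayguen"; }` so the list stays uniformly formatted. The alias refers to a local user that is created in the last hunk of this file, so the two hunks belong together.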
@@ -177,5 +173,12 @@ in {
createHome = true;
};
+ users.users.akayguen = {
+ uid = genid_signed "akayguen";
+ home = "/home/akayguen";
+ useDefaultShell = true;
+ createHome = true;
+ };
+
}
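Review bot: The new `akayguen` account (L511–L516) gets `useDefaultShell = true` and a created home, yet nothing in the hunk gives it a password or SSH key, so it appears to exist only as the delivery target of the alias added on L505. If that is the case, a non-interactive shell (`shell = "${pkgs.shadow}/bin/nologin";` or the equivalent used elsewhere in this repo) limits what the account can do should a credential ever be set, and a comment like `# mail-only account for akayguen@freemonkey.art` records the intent. I cannot see the neighbouring users above the hunk, so if they deliberately all get login shells this is a house-style decision rather than a defect.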
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 61b5543ce..816449c14 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -16,11 +16,7 @@ rec {
in {
services.nginx.virtualHosts.${domain} = {
enableACME = true;
- onlySSL = true;
- extraConfig = ''
- listen 80;
- listen [::]:80;
- '';
+ addSSL = true;
serverAliases = domains;
locations."/".extraConfig = ''
root /srv/http/${domain};
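Review bot: Switching to `addSSL = true;` on L532 (and likewise on L541 and L555 in the next two hunks) keeps serving the sites over plain HTTP with no redirect to HTTPS; `forceSSL = true;` is the option that listens on 80 only to redirect, and it is the better match for the second hunk, which sends an HSTS header with `preload` on L548 that is only honoured by browsers over HTTPS anyway. If plain HTTP must stay for some client, that exception deserves a comment at the `addSSL` line. The enclosing `servePage` function starts outside the hunk.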
@@ -87,12 +83,9 @@ rec {
in {
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
- onlySSL = true;
+ addSSL = true;
serverAliases = domains;
extraConfig = ''
- listen 80;
- listen [::]:80;
-
# Add headers to serve security related headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Content-Type-Options nosniff;
@@ -201,12 +194,9 @@ rec {
in {
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
- onlySSL = true;
+ addSSL = true;
serverAliases = domains;
extraConfig = ''
- listen 80;
- listen [::]:80;
-
root /srv/http/${domain}/;
index index.php;
access_log /tmp/nginx_acc.log;