diff options
Diffstat (limited to 'lass')
74 files changed, 1537 insertions, 1097 deletions
diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix new file mode 100644 index 000000000..a84bb37f6 --- /dev/null +++ b/lass/1systems/blue/config.nix @@ -0,0 +1,49 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + <stockholm/lass/2configs/exim-retiolum.nix> + + <stockholm/lass/2configs/blue.nix> + ]; + + krebs.build.host = config.krebs.hosts.blue; + + environment.shellAliases = { + deploy = pkgs.writeDash "deploy" '' + set -eu + export SYSTEM="$1" + $(nix-build $HOME/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) + ''; + }; + + networking.nameservers = [ "1.1.1.1" ]; + + lass.restic = genAttrs [ + "daedalus" + "icarus" + "littleT" + "prism" + "shodan" + "skynet" + ] (dest: { + dirs = [ + "/home/" + "/var/lib" + ]; + passwordFile = (toString <secrets>) + "/restic/${dest}"; + repo = "sftp:backup@${dest}.r:/backups/blue"; + extraArguments = [ + "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }); + time.timeZone = "Europe/Berlin"; + users.users.mainUser.openssh.authorizedKeys.keys = [ config.krebs.users.lass-android.pubkey ]; +} diff --git a/lass/1systems/blue/physical.nix b/lass/1systems/blue/physical.nix new file mode 100644 index 000000000..7499ff723 --- /dev/null +++ b/lass/1systems/blue/physical.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = false; + environment.variables.NIX_REMOTE = "daemon"; +} diff --git a/lass/1systems/blue/source.nix b/lass/1systems/blue/source.nix new file mode 100644 index 000000000..d8b979812 --- /dev/null +++ b/lass/1systems/blue/source.nix @@ -0,0 +1,4 @@ +import <stockholm/lass/source.nix> { + name = "blue"; + secure = true; +} diff --git a/lass/1systems/cabal/config.nix b/lass/1systems/cabal/config.nix index 7eba86c52..64c179e67 100644 --- a/lass/1systems/cabal/config.nix +++ b/lass/1systems/cabal/config.nix @@ -3,8 +3,6 @@ { imports = [ <stockholm/lass> - <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> <stockholm/lass/2configs/mouse.nix> <stockholm/lass/2configs/retiolum.nix> @@ -13,23 +11,11 @@ <stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/backups.nix> <stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/bitcoin.nix> + <stockholm/lass/2configs/AP.nix> + <stockholm/lass/2configs/blue-host.nix> ]; krebs.build.host = config.krebs.hosts.cabal; - - #fileSystems = { - # "/bku" = { - # device = "/dev/mapper/pool-bku"; - # fsType = "btrfs"; - # options = ["defaults" "noatime" "ssd" "compress=lzo"]; - # }; - #}; - - #services.udev.extraRules = '' - # SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0" - # SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" - #''; } diff --git a/lass/1systems/cabal/physical.nix b/lass/1systems/cabal/physical.nix new file mode 100644 index 000000000..3cc4af03b --- /dev/null +++ b/lass/1systems/cabal/physical.nix @@ -0,0 +1,12 @@ +{ + imports = [ + ./config.nix + <stockholm/lass/2configs/hw/x220.nix> + <stockholm/lass/2configs/boot/stock-x220.nix> + ]; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:45:85:ac", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:62:2b:1b", NAME="et0" + ''; +} diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index 609fae3c8..eafc0d06c 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -4,13 +4,11 @@ with import <stockholm/lib>; { imports = [ <stockholm/lass> - <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/coreboot.nix> <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/backups.nix> <stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/steam.nix> + <stockholm/lass/2configs/backup.nix> { # bubsy config users.users.bubsy = { @@ -94,17 +92,4 @@ with import <stockholm/lib>; ''; krebs.build.host = config.krebs.hosts.daedalus; - - fileSystems = { - "/bku" = { - device = "/dev/mapper/pool-bku"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" - ''; } diff --git a/lass/1systems/daedalus/physical.nix b/lass/1systems/daedalus/physical.nix new file mode 100644 index 000000000..33a0cb473 --- /dev/null +++ b/lass/1systems/daedalus/physical.nix @@ -0,0 +1,20 @@ +{ + imports = [ + ./config.nix + <stockholm/lass/2configs/hw/x220.nix> + <stockholm/lass/2configs/boot/coreboot.nix> + ]; + + fileSystems = { + "/bku" = { + device = "/dev/mapper/pool-bku"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" + ''; +} diff --git a/lass/1systems/dishfire/config.nix b/lass/1systems/dishfire/config.nix index 7993c763e..3d5f32180 100644 --- a/lass/1systems/dishfire/config.nix +++ b/lass/1systems/dishfire/config.nix @@ -4,42 +4,8 @@ imports = [ <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> - <nixpkgs/nixos/modules/profiles/qemu-guest.nix> <stockholm/lass/2configs/git.nix> { - boot.loader.grub = { - device = "/dev/vda"; - splashImage = null; - }; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "ehci_pci" - "uhci_hcd" - "virtio_pci" - "virtio_blk" - ]; - - fileSystems."/" = { - device = "/dev/mapper/pool-nix"; - fsType = "ext4"; - }; - - fileSystems."/srv/http" = { - device = "/dev/pool/srv_http"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/vda1"; - fsType = "ext4"; - }; - fileSystems."/bku" = { - device = "/dev/pool/bku"; - fsType = "ext4"; - }; - } - { networking.dhcpcd.allowInterfaces = [ "enp*" "eth*" diff --git a/lass/1systems/dishfire/physical.nix b/lass/1systems/dishfire/physical.nix new file mode 100644 index 000000000..64e3904e0 --- /dev/null +++ b/lass/1systems/dishfire/physical.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: +{ + imports = [ + ./config.nix + <nixpkgs/nixos/modules/profiles/qemu-guest.nix> + ]; + + boot.loader.grub = { + device = "/dev/vda"; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "ehci_pci" + "uhci_hcd" + "virtio_pci" + "virtio_blk" + ]; + + fileSystems."/" = { + device = "/dev/mapper/pool-nix"; + fsType = "ext4"; + }; + + fileSystems."/srv/http" = { + device = "/dev/pool/srv_http"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/vda1"; + fsType = "ext4"; + }; + fileSystems."/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; +} diff --git a/lass/1systems/echelon/config.nix b/lass/1systems/echelon/config.nix deleted file mode 100644 index 6f96883bf..000000000 --- a/lass/1systems/echelon/config.nix +++ /dev/null @@ -1,50 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (import <stockholm/lass/4lib> { inherit pkgs lib; }) getDefaultGateway; - ip = config.krebs.build.host.nets.internet.ip4.addr; -in { - imports = [ - <stockholm/lass> - <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/os-templates/CAC-CentOS-7-64bit.nix> - <stockholm/lass/2configs/exim-retiolum.nix> - <stockholm/lass/2configs/privoxy-retiolum.nix> - <stockholm/lass/2configs/git.nix> - { - networking.interfaces.enp2s1.ip4 = [ - { - address = ip; - prefixLength = 24; - } - ]; - networking.defaultGateway = getDefaultGateway ip; - networking.nameservers = [ - "8.8.8.8" - ]; - - } - { - sound.enable = false; - } - { - users.extraUsers = { - satan = { - name = "satan"; - uid = 1338; - home = "/home/satan"; - group = "users"; - createHome = true; - useDefaultShell = true; - extraGroups = [ - ]; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+l3ajjOd80uJBM8oHO9HRbtA5hK6hvrpxxnk7qWW7OloT9IXcoM8bbON755vK0O6XyxZo1JZ1SZ7QIaOREGVIRDjcbJbqD3O+nImc6Rzxnrz7hvE+tuav9Yylwcw5HeQi82UIMGTEAwMHwLvsW6R/xyMCuOTbbzo9Ib8vlJ8IPDECY/05RhL7ZYFR0fdphI7jq7PobnO8WEpCZDhMvSYjO9jf3ac53wyghT3gH7AN0cxTR9qgQlPHhTbw+nZEI0sUKtrIhjfVE80wgK3NQXZZj7YAplRs/hYwSi7i8V0+8CBt2epc/5RKnJdDHFQnaTENq9kYQPOpUCP6YUwQIo8X nineinchnade@gmail.com" - ]; - }; - }; - } - ]; - - krebs.build.host = config.krebs.hosts.echelon; -} diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix index e64cfbe79..bd7f75c3e 100644 --- a/lass/1systems/helios/config.nix +++ b/lass/1systems/helios/config.nix @@ -12,47 +12,12 @@ with import <stockholm/lib>; <stockholm/lass/2configs/otp-ssh.nix> # TODO fix krebs.git.rules.[definition 2-entry 2].lass not defined #<stockholm/lass/2configs/git.nix> - <stockholm/lass/2configs/dcso-vpn.nix> + #<stockholm/lass/2configs/dcso-vpn.nix> <stockholm/lass/2configs/virtualbox.nix> <stockholm/lass/2configs/dcso-dev.nix> <stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/rtl-sdr.nix> - { # automatic hardware detection - boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; - - fileSystems."/" = { - device = "/dev/pool/root"; - fsType = "btrfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/1F60-17C6"; - fsType = "vfat"; - }; - - fileSystems."/home" = { - device = "/dev/pool/home"; - fsType = "btrfs"; - }; - - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - - nix.maxJobs = lib.mkDefault 8; - } - { # crypto stuff - boot.initrd.luks = { - cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - devices = [{ - name = "luksroot"; - device = "/dev/nvme0n1p3"; - }]; - }; - } + <stockholm/lass/2configs/backup.nix> { services.xserver.dpi = 200; fonts.fontconfig.dpi = 200; @@ -98,13 +63,6 @@ with import <stockholm/lib>; } ]; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - networking.wireless.enable = true; - hardware.enableRedistributableFirmware = true; - environment.systemPackages = with pkgs; [ ag vim @@ -123,49 +81,17 @@ with import <stockholm/lib>; services.tlp.enable = true; - services.xserver.videoDrivers = [ "nvidia" ]; - services.xserver.xrandrHeads = [ - { output = "DP-2"; primary = true; } - { output = "DP-4"; monitorConfig = ''Option "Rotate" "left"''; } - { output = "DP-0"; } - ]; - - services.xserver.displayManager.sessionCommands = '' - ${pkgs.xorg.xrandr}/bin/xrandr --output DP-6 --off --output DP-5 --off --output DP-4 --mode 2560x1440 --pos 3840x0 --rotate left --output DP-3 --off --output DP-2 --primary --mode 3840x2160 --scale 0.5x0.5 --pos 0x400 --rotate normal --output DP-1 --off --output DP-0 --mode 2560x1440 --pos 5280x1120 --rotate normal - ''; - networking.hostName = lib.mkForce "BLN02NB0162"; security.pki.certificateFiles = [ - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; }) - - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; }) - (pkgs.writeText "minio.cert" '' - -----BEGIN CERTIFICATE----- - MIIDFDCCAfygAwIBAgIQBEKYm9VmbR6T/XNLP2P5kDANBgkqhkiG9w0BAQsFADAS - MRAwDgYDVQQKEwdBY21lIENvMB4XDTE4MDIxNDEyNTk1OVoXDTE5MDIxNDEyNTk1 - OVowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC - AQoCggEBAMmRGUTMDxOaoEZ3osG1ZpGj4enHl6ToWaoCXvRXvI6RB/99QOFlwLdL - 8lGjIbXyovNkH686pVsfgCTOLRGzftWHmWgfmaSUv0TToBW8F9DN4ww9YgiLZjvV - YZunRyp1n0x9OrBXMs7xEBBa4q0AG1IvlRJTrd7CW519FlVq7T95LLB7P6t6K54C - ksG4kEzXLRPD/FMdU7LWbhWnQSOxPMCq8erTv3kW3A3Y9hSAKOFQKQHH/3O2HDrM - CbK5ldNklswg2rIHxx7kg1fteLD1lVCNPfCMfuwlLUaMeoRZ03HDof8wFlRz3pzw - hQRWPvfLfRvFCZ0LFNvfgAqXtmG/ywUCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgKk - MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wLAYDVR0RBCUw - I4IJbG9jYWxob3N0ggZoZWxpb3OCCGhlbGlvcy5yhwR/AAABMA0GCSqGSIb3DQEB - CwUAA4IBAQBzrPb3NmAn60awoJG3d4BystaotaFKsO3iAnP4Lfve1bhKRELIjJ30 - hX/mRYkEVRbfwKRgkkLab4zpJ/abjb3DjFNo8E4QPNeCqS+8xxeBOf7x61Kg/0Ox - jRQ95fTATyItiChwNkoxYjVIwosqxBVsbe3KxwhkmKPQ6wH/nvr6URX/IGUz2qWY - EqHdjsop83u4Rjn3C0u46U0P+W4U5IFiLfcE3RzFFYh67ko5YEhkyXP+tBNSgrTM - zFisVoQZdXpMCWWxBVWulB4FvvTx3jKUPRZVOrfexBfY4TA/PyhXLoz7FeEK9n2a - qFkrxy+GrHBXfSRZgCaHQFdKorg2fwwa - -----END CERTIFICATE----- - '') + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "006j61q2z44z6d92638iin6r46r4cj82ipwm37784h34i5x4mp0d"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "1nkd1rjcn02q9xxjg7sw79lbwy08i7hb4v4pn98djknvcmplpz5m"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "094m12npglnnv1nf1ijcv70p8l15l00id44qq7rwynhcgxi5539i"; }) + + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "1anfncdf5xsp219kryncv21ra87flpzcjwcc85hzvlwbxhid3g4x"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "035kkfizyl5dndj7rhvmy91rr75lakqbqgjx4dpiw0kqq369mz8r"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "14fpzx1qjs9ws9sz0y7pb6j40336xlckkqcm2rc5j86yn7r22lp7"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "1yjl3kyw4chc8vw7bnqac2h9vn8dxryw7lr7i03lqi9sdvs4108s"; }) ]; programs.adb.enable = true; diff --git a/lass/1systems/helios/physical.nix b/lass/1systems/helios/physical.nix new file mode 100644 index 000000000..a5212454f --- /dev/null +++ b/lass/1systems/helios/physical.nix @@ -0,0 +1,64 @@ +{ pkgs, ... }: +{ + imports = [ + ./config.nix + { # automatic hardware detection + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.kernelModules = [ "kvm-intel" ]; + + fileSystems."/" = { + device = "/dev/pool/root"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/1F60-17C6"; + fsType = "vfat"; + }; + + fileSystems."/home" = { + device = "/dev/pool/home"; + fsType = "btrfs"; + }; + + fileSystems."/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + } + { # crypto stuff + boot.initrd.luks = { + cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + devices = [{ + name = "luksroot"; + device = "/dev/nvme0n1p3"; + }]; + }; + } + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.wireless.enable = true; + hardware.enableRedistributableFirmware = true; + + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="f8:59:71:a9:05:65", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="54:e1:ad:4f:06:83", NAME="et0" + ''; + + services.xserver.videoDrivers = [ "nvidia" ]; + services.xserver.xrandrHeads = [ + { output = "DP-2"; primary = true; } + { output = "DP-4"; monitorConfig = ''Option "Rotate" "left"''; } + { output = "DP-0"; } + ]; + + services.xserver.displayManager.sessionCommands = '' + ${pkgs.xorg.xrandr}/bin/xrandr --output DP-6 --off --output DP-5 --off --output DP-4 --mode 2560x1440 --pos 3840x0 --rotate left --output DP-3 --off --output DP-2 --primary --mode 3840x2160 --scale 0.5x0.5 --pos 0x400 --rotate normal --output DP-1 --off --output DP-0 --mode 2560x1440 --pos 5280x1120 --rotate normal + ''; +} diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index 46dc5e873..d54bd3e9e 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -3,8 +3,6 @@ { imports = [ <stockholm/lass> - <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/coreboot.nix> <stockholm/lass/2configs/mouse.nix> <stockholm/lass/2configs/retiolum.nix> @@ -14,23 +12,21 @@ <stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/backups.nix> <stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/bitcoin.nix> + <stockholm/lass/2configs/backup.nix> + <stockholm/lass/2configs/wine.nix> ]; krebs.build.host = config.krebs.hosts.icarus; - fileSystems = { - "/bku" = { - device = "/dev/mapper/pool-bku"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; + environment.systemPackages = with pkgs; [ + macchanger + dpass + ]; + services.redshift = { + enable = true; + provider = "geoclue2"; }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" - ''; + programs.adb.enable = true; } diff --git a/lass/1systems/icarus/physical.nix b/lass/1systems/icarus/physical.nix new file mode 100644 index 000000000..6cc77a47d --- /dev/null +++ b/lass/1systems/icarus/physical.nix @@ -0,0 +1,20 @@ +{ + imports = [ + ./config.nix + <stockholm/lass/2configs/hw/x220.nix> + <stockholm/lass/2configs/boot/coreboot.nix> + ]; + + fileSystems = { + "/bku" = { + device = "/dev/mapper/pool-bku"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" + ''; +} diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix index 7211c78eb..44617d3e7 100644 --- a/lass/1systems/littleT/config.nix +++ b/lass/1systems/littleT/config.nix @@ -4,11 +4,9 @@ with import <stockholm/lib>; { imports = [ <stockholm/lass> - <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/backups.nix> + <stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/steam.nix> { users.users.blacky = { @@ -68,17 +66,4 @@ with import <stockholm/lib>; ''; krebs.build.host = config.krebs.hosts.littleT; - - #fileSystems = { - # "/bku" = { - # device = "/dev/mapper/pool-bku"; - # fsType = "btrfs"; - # options = ["defaults" "noatime" "ssd" "compress=lzo"]; - # }; - #}; - - #services.udev.extraRules = '' - # SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0" - # SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" - #''; } diff --git a/lass/1systems/littleT/physical.nix b/lass/1systems/littleT/physical.nix new file mode 100644 index 000000000..9776211ae --- /dev/null +++ b/lass/1systems/littleT/physical.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./config.nix + <stockholm/lass/2configs/hw/x220.nix> + <stockholm/lass/2configs/boot/stock-x220.nix> + ]; +} diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index cd259d0fe..97e69146e 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -4,8 +4,6 @@ with import <stockholm/lib>; { imports = [ <stockholm/lass> - <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> <stockholm/lass/2configs/mouse.nix> <stockholm/lass/2configs/retiolum.nix> @@ -33,10 +31,13 @@ with import <stockholm/lib>; <stockholm/lass/2configs/ableton.nix> <stockholm/lass/2configs/dunst.nix> <stockholm/lass/2configs/rtl-sdr.nix> + <stockholm/lass/2configs/backup.nix> { - #risk of rain port krebs.iptables.tables.filter.INPUT.rules = [ + #risk of rain { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; } + #chromecast + { predicate = "-p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000"; target = "ACCEPT"; } ]; } { @@ -85,43 +86,6 @@ with import <stockholm/lib>; krebs.build.host = config.krebs.hosts.mors; - fileSystems = { - "/bku" = { - device = "/dev/mapper/pool-bku"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - "/home/virtual" = { - device = "/dev/mapper/pool-virtual"; - fsType = "ext4"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:e8:c8", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:8a:78", NAME="et0" - ''; - - #TODO activationScripts seem broken, fix them! - #activationScripts - #split up and move into base - system.activationScripts.powertopTunables = '' - #Runtime PMs - echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' - ''; - environment.systemPackages = with pkgs; [ acronym brain @@ -140,7 +104,18 @@ with import <stockholm/lib>; dpass dnsutils + woeusb + l-gen-secrets generate-secrets + (pkgs.writeDashBin "btc-coinbase" '' + ${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount' + '') + (pkgs.writeDashBin "btc-wex" '' + ${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg' + '') + (pkgs.writeDashBin "btc-kraken" '' + ${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]' + '') ]; #TODO: fix this shit @@ -165,16 +140,43 @@ with import <stockholm/lib>; OnCalendar = "00:37"; }; - environment.shellAliases = { - deploy = pkgs.writeDash "deploy" '' - set -eu - export SYSTEM="$1" - $(nix-build $HOME/stockholm/lass/kops.nix --no-out-link --argstr name "$SYSTEM" -A deploy) - ''; - }; - nix.package = pkgs.nixUnstable; programs.adb.enable = true; users.users.mainUser.extraGroups = [ "adbusers" "docker" ]; virtualisation.docker.enable = true; + services.redshift = { + enable = true; + provider = "geoclue2"; + }; + + lass.restic = genAttrs [ + "daedalus" + "icarus" + "littleT" + "prism" + "shodan" + "skynet" + ] (dest: { + dirs = [ + "/home/lass/src" + "/home/lass/work" + "/home/lass/.gnupg" + "/home/lass/Maildir" + "/home/lass/stockholm" + "/home/lass/.password-store" + "/home/bitcoin" + "/home/bch" + ]; + passwordFile = (toString <secrets>) + "/restic/${dest}"; + repo = "sftp:backup@${dest}.r:/backups/mors"; + #sshPrivateKey = config.krebs.build.host.ssh.privkey.path; + extraArguments = [ + "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }); + virtualisation.libvirtd.enable = true; } diff --git a/lass/1systems/mors/physical.nix b/lass/1systems/mors/physical.nix new file mode 100644 index 000000000..680dc9bde --- /dev/null +++ b/lass/1systems/mors/physical.nix @@ -0,0 +1,44 @@ +{ + imports = [ + ./config.nix + <stockholm/lass/2configs/hw/x220.nix> + <stockholm/lass/2configs/boot/stock-x220.nix> + ]; + + fileSystems = { + "/bku" = { + device = "/dev/mapper/pool-bku"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + "/home/virtual" = { + device = "/dev/mapper/pool-virtual"; + fsType = "ext4"; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:72:f4:88", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:c4:7a:f1", NAME="et0" + ''; + + #TODO activationScripts seem broken, fix them! + #activationScripts + #split up and move into base + system.activationScripts.powertopTunables = '' + #Runtime PMs + echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' + ''; +} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index c0e4620cc..9a0bb49e9 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -1,86 +1,9 @@ { config, lib, pkgs, ... }: with import <stockholm/lib>; -let - ip = config.krebs.build.host.nets.internet.ip4.addr; - -in { +{ imports = [ <stockholm/lass> - { - networking.interfaces.et0.ip4 = [ - { - address = ip; - prefixLength = 27; - } - ]; - networking.defaultGateway = "46.4.114.225"; - networking.nameservers = [ - "8.8.8.8" - ]; - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" - ''; - } - { - imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; - - boot.loader.grub = { - devices = [ - "/dev/sda" - "/dev/sdb" - ]; - splashImage = null; - }; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "vmw_pvscsi" - "ahci" "sd_mod" - ]; - - boot.kernelModules = [ "kvm-intel" ]; - - fileSystems."/" = { - device = "/dev/pool/nix_root"; - fsType = "ext4"; - }; - - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - - fileSystems."/var/download" = { - device = "/dev/pool/download"; - fsType = "ext4"; - }; - - fileSystems."/srv/http" = { - device = "/dev/pool/http"; - fsType = "ext4"; - }; - - fileSystems."/home" = { - device = "/dev/pool/home"; - fsType = "ext4"; - }; - - fileSystems."/bku" = { - device = "/dev/pool/bku"; - fsType = "ext4"; - }; - - swapDevices = [ - { label = "swap1"; } - { label = "swap2"; } - ]; - - sound.enable = false; - nixpkgs.config.allowUnfree = true; - time.timeZone = "Europe/Berlin"; - } <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/libvirt.nix> { @@ -100,6 +23,7 @@ in { ]; } { # TODO make new hfos.nix out of this vv + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; users.users.riot = { uid = genid "riot"; isNormalUser = true; @@ -110,29 +34,13 @@ in { }; # TODO write function for proxy_pass (ssl/nonssl) - services.nginx.virtualHosts."hackerfleet.de" = { - serverAliases = [ - "*.hackerfleet.de" - ]; - locations."/".extraConfig = '' - proxy_pass http://192.168.122.92:80; - ''; - }; - services.nginx.virtualHosts."hackerfleet.de-s" = { - serverName = "hackerfleet.de"; - listen = [ - { - addr = "0.0.0.0"; - port = 443; - } - ]; - serverAliases = [ - "*.hackerfleet.de" - ]; - locations."/".extraConfig = '' - proxy_pass http://192.168.122.92:443; - ''; - }; + + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; } + ]; } { users.users.tv = { @@ -202,26 +110,6 @@ in { }; } { - #kaepsele - systemd.services."container@kaepsele".reloadIfChanged = mkForce false; - containers.kaepsele = { - config = { ... }: { - imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ]; - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - tv.pubkey - ]; - }; - autoStart = true; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.3"; - localAddress = "10.233.2.4"; - }; - } - { #onondaga systemd.services."container@onondaga".reloadIfChanged = mkForce false; containers.onondaga = { @@ -243,19 +131,17 @@ in { } <stockholm/lass/2configs/exim-smarthost.nix> <stockholm/lass/2configs/ts3.nix> - <stockholm/lass/2configs/IM.nix> <stockholm/lass/2configs/privoxy-retiolum.nix> <stockholm/lass/2configs/radio.nix> <stockholm/lass/2configs/repo-sync.nix> <stockholm/lass/2configs/binary-cache/server.nix> <stockholm/lass/2configs/iodined.nix> - <stockholm/lass/2configs/monitoring/server.nix> - <stockholm/lass/2configs/monitoring/monit-alarms.nix> <stockholm/lass/2configs/paste.nix> <stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/reaktor-coders.nix> <stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/container-networking.nix> + <stockholm/lass/2configs/monitoring/prometheus-server.nix> { # quasi bepasty.nix imports = [ <stockholm/lass/2configs/bepasty.nix> @@ -289,7 +175,6 @@ in { alias /var/realwallpaper/realwallpaper.png; ''; } - <stockholm/krebs/2configs/reaktor-krebs.nix> <stockholm/lass/2configs/dcso-dev.nix> { users.users.jeschli = { @@ -336,6 +221,126 @@ in { { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } ]; } + <stockholm/lass/2configs/go.nix> + { + environment.systemPackages = [ pkgs.cryptsetup ]; + systemd.services."container@red".reloadIfChanged = mkForce false; + containers.red = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.3"; + localAddress = "10.233.2.4"; + }; + services.nginx.virtualHosts."rote-allez-fraktion.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + extraConfig = '' + proxy_set_header Host rote-allez-fraktion.de; + proxy_pass http://10.233.2.4; + ''; + }; + }; + } + { + imports = [ <stockholm/lass/2configs/backup.nix> ]; + lass.restic = genAttrs [ + "daedalus" + "icarus" + "littleT" + "mors" + "shodan" + "skynet" + ] (dest: { + dirs = [ + "/home/chat/.weechat" + "/bku/sql_dumps" + ]; + passwordFile = (toString <secrets>) + "/restic/${dest}"; + repo = "sftp:backup@${dest}.r:/backups/prism"; + extraArguments = [ + "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }); + } + { + users.users.download.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos" + ]; + } + { + lass.nichtparasoup.enable = true; + services.nginx = { + enable = true; + virtualHosts."lol.lassul.us" = { + forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:5001; + ''; + }; + }; + } + { #weechat port forwarding to blue + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 9998"; target = "ACCEPT";} + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.prism.nets.internet.ip4.addr} -p tcp --dport 9998"; target = "DNAT --to-destination ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}:9999"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "MASQUERADE"; } + ]; + } + { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } + ]; + networking.wireguard.interfaces.wg0 = { + ips = [ "10.244.1.1/24" ]; + listenPort = 51820; + privateKeyFile = (toString <secrets>) + "/wireguard.key"; + allowedIPsAsRoutes = true; + peers = [ + { + # lass-android + allowedIPs = [ "10.244.1.2/32" ]; + publicKey = "63+ns9AGv6e6a8WgxiZNFEt1xQT0YKFlEHzRaYJWtmk="; + } + ]; + }; + } + { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix new file mode 100644 index 000000000..83f127c22 --- /dev/null +++ b/lass/1systems/prism/physical.nix @@ -0,0 +1,85 @@ +{ config, lib, pkgs, ... }: +{ + imports = [ + ./config.nix + { + networking.interfaces.et0.ipv4.addresses = [ + { + address = config.krebs.build.host.nets.internet.ip4.addr; + prefixLength = 27; + } + { + address = "46.4.114.243"; + prefixLength = 27; + } + ]; + networking.defaultGateway = "46.4.114.225"; + networking.nameservers = [ + "8.8.8.8" + ]; + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" + ''; + } + { + imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; + + boot.loader.grub = { + devices = [ + "/dev/sda" + "/dev/sdb" + ]; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + "ahci" "sd_mod" + ]; + + boot.kernelModules = [ "kvm-intel" ]; + + fileSystems."/" = { + device = "/dev/pool/nix_root"; + fsType = "ext4"; + }; + + fileSystems."/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + + fileSystems."/var/download" = { + device = "/dev/pool/download"; + fsType = "ext4"; + }; + + fileSystems."/srv/http" = { + device = "/dev/pool/http"; + fsType = "ext4"; + }; + + fileSystems."/home" = { + device = "/dev/pool/home"; + fsType = "ext4"; + }; + + fileSystems."/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; + + swapDevices = [ + { label = "swap1"; } + { label = "swap2"; } + ]; + + sound.enable = false; + nixpkgs.config.allowUnfree = true; + time.timeZone = "Europe/Berlin"; + } + ]; + +} diff --git a/lass/1systems/red/config.nix b/lass/1systems/red/config.nix new file mode 100644 index 000000000..3139e94a2 --- /dev/null +++ b/lass/1systems/red/config.nix @@ -0,0 +1,28 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +let + inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) + servephpBB + ; +in +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + <stockholm/lass/2configs/websites> + <stockholm/lass/2configs/websites/sqlBackup.nix> + (servephpBB [ "rote-allez-fraktion.de" ]) + ]; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } + ]; + + krebs.build.host = config.krebs.hosts.red; + + services.nginx.enable = true; + environment.systemPackages = [ + pkgs.mk_sql_pair + ]; +} diff --git a/lass/1systems/red/physical.nix b/lass/1systems/red/physical.nix new file mode 100644 index 000000000..7499ff723 --- /dev/null +++ b/lass/1systems/red/physical.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = false; + environment.variables.NIX_REMOTE = "daemon"; +} diff --git a/lass/1systems/echelon/source.nix b/lass/1systems/red/source.nix index 96888d5a8..f2bad743c 100644 --- a/lass/1systems/echelon/source.nix +++ b/lass/1systems/red/source.nix @@ -1,3 +1,4 @@ import <stockholm/lass/source.nix> { - name = "echelon"; + name = "red"; + secure = true; } diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 7fb57544f..8405b0f1f 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -4,8 +4,6 @@ with import <stockholm/lib>; { imports = [ <stockholm/lass> - #TODO reinstall with correct layout and use lass/hw/x220 - <stockholm/krebs/2configs/hw/x220.nix> <stockholm/lass/2configs/mouse.nix> <stockholm/lass/2configs/retiolum.nix> @@ -15,53 +13,13 @@ with import <stockholm/lib>; <stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/backups.nix> <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/bitcoin.nix> + <stockholm/lass/2configs/backup.nix> ]; krebs.build.host = config.krebs.hosts.shodan; - boot = { - loader.grub.enable = true; - loader.grub.version = 2; - loader.grub.device = "/dev/sda"; - - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; - }; - fileSystems = { - "/" = { - device = "/dev/pool/nix"; - fsType = "btrfs"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - "/home" = { - device = "/dev/mapper/pool-home"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - "/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - "/bku" = { - device = "/dev/pool/bku"; - fsType = "btrfs"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" - ''; - services.logind.extraConfig = '' HandleLidSwitch=ignore ''; diff --git a/lass/1systems/shodan/physical.nix b/lass/1systems/shodan/physical.nix new file mode 100644 index 000000000..4a550d0a4 --- /dev/null +++ b/lass/1systems/shodan/physical.nix @@ -0,0 +1,47 @@ +{ + #TODO reinstall with correct layout and use lass/hw/x220 + imports = [ + ./config.nix + <stockholm/krebs/2configs/hw/x220.nix> + ]; + + boot = { + loader.grub.enable = true; + loader.grub.version = 2; + loader.grub.device = "/dev/sda"; + + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + #kernelModules = [ "kvm-intel" "msr" ]; + }; + fileSystems = { + "/" = { + device = "/dev/pool/nix"; + fsType = "btrfs"; + }; + + "/boot" = { + device = "/dev/sda1"; + }; + "/home" = { + device = "/dev/mapper/pool-home"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + "/bku" = { + device = "/dev/pool/bku"; + fsType = "btrfs"; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" + ''; +} diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index 0b9499982..b6c08f797 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -3,13 +3,10 @@ with import <stockholm/lib>; { imports = [ <stockholm/lass> - <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> <stockholm/lass/2configs/retiolum.nix> #<stockholm/lass/2configs/exim-retiolum.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/backups.nix> { # discordius config services.xserver.enable = true; @@ -47,17 +44,4 @@ with import <stockholm/lib>; services.logind.extraConfig = '' HandleLidSwitch=ignore ''; - - #fileSystems = { - # "/bku" = { - # device = "/dev/mapper/pool-bku"; - # fsType = "btrfs"; - # options = ["defaults" "noatime" "ssd" "compress=lzo"]; - # }; - #}; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0" - ''; } diff --git a/lass/1systems/skynet/physical.nix b/lass/1systems/skynet/physical.nix new file mode 100644 index 000000000..358e1f511 --- /dev/null +++ b/lass/1systems/skynet/physical.nix @@ -0,0 +1,12 @@ +{ + imports = [ + ./config.nix + <stockholm/lass/2configs/hw/x220.nix> + <stockholm/lass/2configs/boot/stock-x220.nix> + ]; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0" + ''; +} diff --git a/lass/1systems/uriel/config.nix b/lass/1systems/uriel/config.nix index 70bef9883..3eddcfc52 100644 --- a/lass/1systems/uriel/config.nix +++ b/lass/1systems/uriel/config.nix @@ -41,60 +41,5 @@ with import <stockholm/lib>; ]; krebs.build.host = config.krebs.hosts.uriel; - - hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; - - boot = { - #kernelParams = [ - # "acpi.brightness_switch_enabled=0" - #]; - #loader.grub.enable = true; - #loader.grub.version = 2; - #loader.grub.device = "/dev/sda"; - - loader.systemd-boot.enable = true; - loader.timeout = 5; - - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; - kernelModules = [ "msr" ]; - }; - fileSystems = { - "/" = { - device = "/dev/pool/root"; - fsType = "ext4"; - }; - - "/bku" = { - device = "/dev/pool/bku"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - "/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" - ''; - - services.xserver.synaptics = { - enable = true; - twoFingerScroll = true; - accelFactor = "0.035"; - additionalOptions = '' - Option "FingerHigh" "60" - Option "FingerLow" "60" - ''; - }; } diff --git a/lass/1systems/uriel/physical.nix b/lass/1systems/uriel/physical.nix new file mode 100644 index 000000000..9ac3468a8 --- /dev/null +++ b/lass/1systems/uriel/physical.nix @@ -0,0 +1,59 @@ +{ + imports = [ + ./config.nix + ]; + + hardware.enableAllFirmware = true; + boot = { + #kernelParams = [ + # "acpi.brightness_switch_enabled=0" + #]; + #loader.grub.enable = true; + #loader.grub.version = 2; + #loader.grub.device = "/dev/sda"; + + loader.systemd-boot.enable = true; + loader.timeout = 5; + + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + #kernelModules = [ "kvm-intel" "msr" ]; + kernelModules = [ "msr" ]; + }; + fileSystems = { + "/" = { + device = "/dev/pool/root"; + fsType = "ext4"; + }; + + "/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/sda1"; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" + ''; + + services.xserver.synaptics = { + enable = true; + twoFingerScroll = true; + accelFactor = "0.035"; + additionalOptions = '' + Option "FingerHigh" "60" + Option "FingerLow" "60" + ''; + }; +} diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix index 0669748f5..1bd6cf2c5 100644 --- a/lass/1systems/xerxes/config.nix +++ b/lass/1systems/xerxes/config.nix @@ -3,8 +3,6 @@ { imports = [ <stockholm/lass> - <stockholm/lass/2configs/hw/gpd-pocket.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> <stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/exim-retiolum.nix> @@ -15,26 +13,4 @@ ]; krebs.build.host = config.krebs.hosts.xerxes; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0" - ''; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437"; - fsType = "btrfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/16C8-D053"; - fsType = "vfat"; - }; - - fileSystems."/home" = { - device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358"; - fsType = "btrfs"; - }; - - boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ]; - networking.wireless.enable = true; } diff --git a/lass/1systems/xerxes/physical.nix b/lass/1systems/xerxes/physical.nix new file mode 100644 index 000000000..17caccfe6 --- /dev/null +++ b/lass/1systems/xerxes/physical.nix @@ -0,0 +1,29 @@ +{ + imports = [ + ./config.nix + <stockholm/lass/2configs/hw/gpd-pocket.nix> + <stockholm/lass/2configs/boot/stock-x220.nix> + ]; + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0" + ''; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/16C8-D053"; + fsType = "vfat"; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358"; + fsType = "btrfs"; + }; + + boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ]; + + networking.wireless.enable = true; +} diff --git a/lass/1systems/xerxes/source.nix b/lass/1systems/xerxes/source.nix index 11f5bf796..d256b885b 100644 --- a/lass/1systems/xerxes/source.nix +++ b/lass/1systems/xerxes/source.nix @@ -2,10 +2,4 @@ with import <stockholm/lib>; import <stockholm/lass/source.nix> { name = "xerxes"; secure = true; - override = { - nixpkgs.git = mkForce { - url = https://github.com/lassulus/nixpkgs; - ref = "3eccd0b"; - }; - }; } diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix new file mode 100644 index 000000000..dfffbfdf9 --- /dev/null +++ b/lass/2configs/AP.nix @@ -0,0 +1,83 @@ +{ config, pkgs, ... }: +with import <stockholm/lib>; +let + wifi = "wlp0s29u1u2"; +in { + boot.extraModulePackages = [ + pkgs.linuxPackages.rtl8814au + ]; + networking.networkmanager.unmanaged = [ wifi "et0" ]; + + systemd.services.hostapd = { + description = "hostapd wireless AP"; + path = [ pkgs.hostapd ]; + wantedBy = [ "network.target" ]; + + after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ]; + + serviceConfig = { + ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" '' + interface=${wifi} + hw_mode=a + channel=36 + ieee80211d=1 + country_code=DE + ieee80211n=1 + ieee80211ac=1 + wmm_enabled=1 + + # 5ghz + ssid=krebsing + auth_algs=1 + wpa=2 + wpa_key_mgmt=WPA-PSK + rsn_pairwise=CCMP + wpa_passphrase=aidsballz + ''}"; + Restart = "always"; + }; + }; + + networking.bridges.br0.interfaces = [ + wifi + "et0" + ]; + + networking.interfaces.br0.ipv4.addresses = [ + { address = "10.99.0.1"; prefixLength = 24; } + ]; + services.dhcpd4 = { + enable = true; + interfaces = [ "br0" ]; + extraConfig = '' + option subnet-mask 255.255.255.0; + option routers 10.99.0.1; + option domain-name-servers 1.1.1.1, 8.8.8.8; + subnet 10.99.0.0 netmask 255.255.255.0 { + range 10.99.0.100 10.99.0.200; + } + ''; + }; + + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; predicate = "-d 10.99.0.0/24 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + { v6 = false; predicate = "-s 10.99.0.0/24 -i br0"; target = "ACCEPT"; } + { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; } + { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; } + { v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; } + { v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + #TODO find out what this is about? + { v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; } + { v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; } + + { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; } + { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; } + { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; } + ]; +} diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix deleted file mode 100644 index 7d3dfd428..000000000 --- a/lass/2configs/IM.nix +++ /dev/null @@ -1,73 +0,0 @@ -with (import <stockholm/lib>); -{ config, lib, pkgs, ... }: - -let - tmux = pkgs.writeDash "tmux" '' - exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" '' - set-option -g prefix ` - unbind-key C-b - bind ` send-prefix - - set-option -g status off - set-option -g default-terminal screen-256color - - #use session instead of windows - bind-key c new-session - bind-key p switch-client -p - bind-key n switch-client -n - bind-key C-s switch-client -l - ''} "$@" - ''; -in { - - services.bitlbee = { - enable = true; - portNumber = 6666; - plugins = [ - pkgs.bitlbee-facebook - pkgs.bitlbee-steam - pkgs.bitlbee-discord - ]; - libpurple_plugins = [ pkgs.telegram-purple ]; - }; - - users.extraUsers.chat = { - home = "/home/chat"; - uid = genid "chat"; - useDefaultShell = true; - createHome = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - lass-shodan.pubkey - lass-icarus.pubkey - lass-android.pubkey - lass-helios.pubkey - ]; - }; - - # mosh - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} - { predicate = "-p tcp --dport 9999"; target = "ACCEPT";} - ]; - - systemd.services.chat = { - description = "chat environment setup"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - restartIfChanged = false; - - path = [ - pkgs.rxvt_unicode.terminfo - ]; - - serviceConfig = { - User = "chat"; - RemainAfterExit = true; - Type = "oneshot"; - ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat"; - ExecStop = "${tmux} kill-session -t IM"; - }; - }; -} diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix new file mode 100644 index 000000000..d23cf9a43 --- /dev/null +++ b/lass/2configs/backup.nix @@ -0,0 +1,21 @@ +{ config, lib, ... }: +with import <stockholm/lib>; + +{ + fileSystems = { + "/backups" = { + device = "/dev/pool/backup"; + fsType = "ext4"; + }; + }; + users.users.backup = { + useDefaultShell = true; + home = "/backups"; + createHome = true; + openssh.authorizedKeys.keys = with config.krebs.hosts; [ + mors.ssh.pubkey + prism.ssh.pubkey + blue.ssh.pubkey + ]; + }; +} diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix deleted file mode 100644 index c4fb85420..000000000 --- a/lass/2configs/backups.nix +++ /dev/null @@ -1,173 +0,0 @@ -{ config, lib, ... }: -with import <stockholm/lib>; -{ - - # TODO add timerConfig to krebs.backup and randomize startup - # TODO define plans more abstract - krebs.backup.plans = { - } // mapAttrs (_: recursiveUpdate { - snapshots = { - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; - }) { - dishfire-http-prism = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; }; - startAt = "03:00"; - }; - dishfire-http-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-http"; }; - startAt = "03:10"; - }; - dishfire-http-mors = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; }; - startAt = "03:05"; - }; - dishfire-http-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; }; - startAt = "03:10"; - }; - dishfire-sql-prism = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; }; - startAt = "03:15"; - }; - dishfire-sql-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-sql"; }; - startAt = "03:25"; - }; - dishfire-sql-mors = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; }; - startAt = "03:20"; - }; - dishfire-sql-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; }; - startAt = "03:25"; - }; - prism-bitlbee-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-bitlbee"; }; - startAt = "03:25"; - }; - prism-bitlbee-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; }; - startAt = "03:25"; - }; - prism-bitlbee-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; }; - startAt = "03:25"; - }; - prism-chat-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-chat"; }; - startAt = "03:35"; - }; - prism-chat-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; }; - startAt = "03:30"; - }; - prism-chat-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; }; - startAt = "03:35"; - }; - prism-sql-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-sql_dumps"; }; - startAt = "03:45"; - }; - prism-sql-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; }; - startAt = "03:40"; - }; - prism-sql-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; }; - startAt = "03:45"; - }; - prism-http-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-http"; }; - startAt = "03:55"; - }; - prism-http-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; }; - startAt = "03:50"; - }; - prism-http-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; }; - startAt = "03:55"; - }; - icarus-home-mors = { - method = "pull"; - src = { host = config.krebs.hosts.icarus; path = "/home"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/icarus-home"; }; - startAt = "05:00"; - }; - icarus-home-shodan = { - method = "push"; - src = { host = config.krebs.hosts.icarus; path = "/home"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/icarus-home"; }; - startAt = "05:00"; - }; - mors-home-icarus = { - method = "push"; - src = { host = config.krebs.hosts.mors; path = "/home"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/mors-home"; }; - startAt = "05:00"; - }; - mors-home-shodan = { - method = "push"; - src = { host = config.krebs.hosts.mors; path = "/home"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; }; - startAt = "05:00"; - }; - shodan-home-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.shodan; path = "/home"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/shodan-home"; }; - startAt = "04:00"; - }; - shodan-home-mors = { - method = "pull"; - src = { host = config.krebs.hosts.shodan; path = "/home"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; }; - startAt = "04:00"; - }; - }; -} diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index ed179ded6..afdefaa45 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -9,7 +9,6 @@ in { ./power-action.nix ./copyq.nix ./livestream.nix - ./dns-stuff.nix ./urxvt.nix ./network-manager.nix { @@ -69,12 +68,15 @@ in { environment.systemPackages = with pkgs; [ acpi + ag bank + cabal2nix dic dmenu gi - git-preview gitAndTools.qgit + git-preview + gnome3.dconf lm_sensors mpv-poll much @@ -87,19 +89,18 @@ in { rxvt_unicode_with-plugins slock sxiv - timewarrior taskwarrior termite + thesauron + timewarrior xclip + xephyrify xorg.xbacklight xorg.xhost xsel youtube-tools yt-next zathura - - cabal2nix - xephyrify ]; fonts.fonts = with pkgs; [ diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix index a405addfc..9f6fd3bf0 100644 --- a/lass/2configs/bitcoin.nix +++ b/lass/2configs/bitcoin.nix @@ -10,9 +10,6 @@ in { krebs.per-user.bitcoin.packages = [ pkgs.electrum ]; - krebs.per-user.ethereum.packages = [ - pkgs.go-ethereum - ]; users.extraUsers = { bch = { name = "bch"; @@ -28,13 +25,6 @@ in { useDefaultShell = true; createHome = true; }; - ethereum = { - name = "ethereum"; - description = "user for ethereum stuff"; - home = "/home/ethereum"; - useDefaultShell = true; - createHome = true; - }; }; security.sudo.extraConfig = '' ${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix new file mode 100644 index 000000000..1220fa0cd --- /dev/null +++ b/lass/2configs/bitlbee.nix @@ -0,0 +1,15 @@ +with (import <stockholm/lib>); +{ config, lib, pkgs, ... }: + +{ + services.bitlbee = { + enable = true; + portNumber = 6666; + plugins = [ + pkgs.bitlbee-facebook + pkgs.bitlbee-steam + pkgs.bitlbee-discord + ]; + libpurple_plugins = [ pkgs.telegram-purple ]; + }; +} diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix new file mode 100644 index 000000000..657234bc1 --- /dev/null +++ b/lass/2configs/blue-host.nix @@ -0,0 +1,22 @@ +{ config, lib, pkgs, ... }: +with import <stockholm/lib>; + +{ + imports = [ + <stockholm/lass/2configs/container-networking.nix> + ]; + containers.blue = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.9"; + localAddress = "10.233.2.10"; + }; +} diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix new file mode 100644 index 000000000..363705edc --- /dev/null +++ b/lass/2configs/blue.nix @@ -0,0 +1,60 @@ +with (import <stockholm/lib>); +{ config, lib, pkgs, ... }: + +{ + + imports = [ + ./bitlbee.nix + ./mail.nix + ./pass.nix + ]; + + environment.systemPackages = with pkgs; [ + ag + nmap + ]; + + services.tor.enable = true; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} + { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";} + ]; + + systemd.services.chat = let + tmux = pkgs.writeDash "tmux" '' + exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" '' + set-option -g prefix ` + unbind-key C-b + bind ` send-prefix + + set-option -g status off + set-option -g default-terminal screen-256color + + #use session instead of windows + bind-key c new-session + bind-key p switch-client -p + bind-key n switch-client -n + bind-key C-s switch-client -l + ''} "$@" + ''; + in { + description = "chat environment setup"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + restartIfChanged = false; + + path = [ + pkgs.rxvt_unicode.terminfo + ]; + + serviceConfig = { + User = "lass"; + RemainAfterExit = true; + Type = "oneshot"; + ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat"; + ExecStop = "${tmux} kill-session -t IM"; + }; + }; +} diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix index 3dae3420d..f04e4342d 100644 --- a/lass/2configs/container-networking.nix +++ b/lass/2configs/container-networking.nix @@ -1,12 +1,6 @@ -{ ... }: +{ lib, ... }: { - #krebs.iptables.tables.filter.INPUT.rules = [ - # { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 53"; target = "ACCEPT"; } - # { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 53"; target = "ACCEPT"; } - # { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 67"; target = "ACCEPT"; } - # { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 67"; target = "ACCEPT"; } - #]; krebs.iptables.tables.filter.FORWARD.rules = [ { v6 = false; predicate = "-d 10.233.2.0/24 -o ve-+ -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } { v6 = false; predicate = "-s 10.233.2.0/24 -i ve-+"; target = "ACCEPT"; } @@ -14,9 +8,9 @@ { v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; - #krebs.iptables.tables.filter.OUTPUT.rules = [ - # { v6 = false; predicate = "-o ve-+ -p udp -m udp --dport 68"; target = "ACCEPT"; } - #]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; } + ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; } { v6 = false; predicate = "-s 10.233.2.0/24 -d 255.255.255.255"; target = "RETURN"; } @@ -24,4 +18,5 @@ { v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; } { v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; } ]; + boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1; } diff --git a/lass/2configs/dcso-dev.nix b/lass/2configs/dcso-dev.nix index ae1c7bc8d..b985b67b3 100644 --- a/lass/2configs/dcso-dev.nix +++ b/lass/2configs/dcso-dev.nix @@ -9,6 +9,7 @@ in { dev = { name = "dev"; uid = genid "dev"; + extraGroups = [ "docker" ]; description = "user for collaborative development"; home = "/home/dev"; useDefaultShell = true; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 5a5f1b347..a43113177 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -6,10 +6,9 @@ with import <stockholm/lib>; ./gc.nix ./mc.nix ./vim.nix - ./monitoring/client.nix + ./monitoring/node-exporter.nix ./zsh.nix ./htop.nix - ./backups.nix ./security-workarounds.nix { users.extraUsers = @@ -20,10 +19,10 @@ with import <stockholm/lib>; users.extraUsers = { root = { openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey + config.krebs.users.lass-mors.pubkey + config.krebs.users.lass-blue.pubkey config.krebs.users.lass-shodan.pubkey config.krebs.users.lass-icarus.pubkey - config.krebs.users.lass-xerxes.pubkey ]; }; mainUser = { @@ -39,7 +38,8 @@ with import <stockholm/lib>; "wheel" ]; openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey + config.krebs.users.lass-mors.pubkey + config.krebs.users.lass-blue.pubkey config.krebs.users.lass-shodan.pubkey config.krebs.users.lass-icarus.pubkey ]; diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix deleted file mode 100644 index cbcce8df9..000000000 --- a/lass/2configs/dns-stuff.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, pkgs, ... }: -with import <stockholm/lib>; -{ - services.dnscrypt-proxy = { - enable = true; - localAddress = "127.1.0.1"; - customResolver = { - address = config.krebs.hosts.gum.nets.internet.ip4.addr; - port = 15251; - name = "2.dnscrypt-cert.euer.krebsco.de"; - key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C"; - }; - }; - services.resolved.enable = true; - services.resolved.fallbackDns = [ "127.1.0.1" ]; -} diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 4455d2761..371f20885 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -14,7 +14,7 @@ with import <stockholm/lib>; ]; relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [ config.krebs.hosts.mors - config.krebs.hosts.uriel + config.krebs.hosts.blue ]; internet-aliases = with config.krebs.users; [ { from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822 @@ -79,6 +79,10 @@ with import <stockholm/lib>; { from = "ovh@lassul.us"; to = lass.mail; } { from = "hetzner@lassul.us"; to = lass.mail; } { from = "allygator@lassul.us"; to = lass.mail; } + { from = "immoscout@lassul.us"; to = lass.mail; } + { from = "elitedangerous@lassul.us"; to = lass.mail; } + { from = "boardgamegeek@lassul.us"; to = lass.mail; } + { from = "qwertee@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 3ee3a98a5..81f53bf69 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -80,6 +80,7 @@ in { }; }; + hardware.opengl.driSupport32Bit = true; hardware.pulseaudio.support32Bit = true; security.sudo.extraConfig = '' diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix index ad015180a..c5073e384 100644 --- a/lass/2configs/gc.nix +++ b/lass/2configs/gc.nix @@ -3,6 +3,6 @@ with import <stockholm/lib>; { nix.gc = { - automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ]; + automatic = ! (elem config.krebs.build.host.name [ "prism" "mors" "helios" ] || config.boot.isContainer); }; } diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 1fe87c666..72cfd5e75 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -54,10 +54,20 @@ let cgit.section = "art"; }; nix-user-chroot = { - cgit.desc = "Fork of nix-user-chroot my lethalman"; + cgit.desc = "Fork of nix-user-chroot by lethalman"; + cgit.section = "software"; + }; + krops = { + cgit.desc = "krebs deployment"; cgit.section = "software"; }; } // mapAttrs make-public-repo-silent { + nixos-aws = { + collaborators = [ { + name = "fabio"; + pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFst8DvnfOu4pQJYxcwdf//jWTvP+jj0iSrOdt59c9Gbujm/8K1mBXhcSQhHj/GBRC1Qc1wipf9qZsWnEHMI+SRwq6tDr8gqlAcdWmHAs1bU96jJtc8EgmUKbXTFG/VmympMPi4cEbNUtH93v6NUjQKwq9szvDhhqSW4Y8zE32xLkySwobQapNaUrGAtQp3eTxu5Lkx+cEaaartaAspt8wSosXjUHUJktg0O5/XOP+CiWAx89AXxbQCy4XTQvUExoRGdw9sdu0lF0/A0dF4lFF/dDUS7+avY8MrKEcQ8Fwk8NcW1XrKMmCdNdpvou0whL9aHCdTJ+522dsSB1zZWh63Si4CrLKlc1TiGKCXdvzmCYrD+6WxbPJdRpMM4dFNtpAwhCm/dM+CBXfDkP0s5veFiYvp1ri+3hUqV/sep9r5/+d+5/R1gQs8WDNjWqcshveFbD5LxE6APEySB4QByGxIrw7gFbozE+PNxtlVP7bq4MyE6yIzL6ofQgO1e4THquPcqSCfCvyib5M2Q1phi5DETlMemWp84AsNkqbhRa4BGRycuOXXrBzE+RgQokcIY7t3xcu3q0xJo2+HxW/Lqi72zYU1NdT4nJMETEaG49FfIAnUuoVaQWWvOz8mQuVEmmdw2Yzo2ikILYSUdHTp1VPOeo6aNPvESkPw1eM0xDRlQ== ada"; + } ]; + }; }; restricted-repos = mapAttrs make-restricted-repo ( @@ -70,8 +80,8 @@ let import <secrets/repos.nix> { inherit config lib pkgs; } ); - make-public-repo = name: { cgit ? {}, ... }: { - inherit cgit name; + make-public-repo = name: { cgit ? {}, collaborators ? [], ... }: { + inherit cgit collaborators name; public = true; hooks = { post-receive = pkgs.git-hooks.irc-announce { @@ -111,7 +121,7 @@ let with git // config.krebs.users; repo: singleton { - user = [ lass lass-shodan ]; + user = [ lass-mors lass-shodan lass-icarus lass-blue ]; repo = [ repo ]; perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix new file mode 100644 index 000000000..ecf89b298 --- /dev/null +++ b/lass/2configs/go.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, ... }: +{ + krebs.go = { + enable = true; + }; + services.nginx = { + enable = true; + virtualHosts.go = { + locations."/".extraConfig = '' + proxy_set_header Host go.lassul.us; + proxy_pass http://localhost:1337; + ''; + serverAliases = [ + "go.lassul.us" + ]; + }; + }; +} + diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix index a71638323..78d5ae0e9 100644 --- a/lass/2configs/libvirt.nix +++ b/lass/2configs/libvirt.nix @@ -20,6 +20,9 @@ krebs.iptables.tables.filter.OUTPUT.rules = [ { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; } ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; } + ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; } { v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; } diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 81db59617..2bb51b50a 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -206,8 +206,11 @@ in { msmtp mutt pkgs.much - pkgs.notmuch tag-new-mails tag-old-mails ]; + + nixpkgs.config.packageOverrides = opkgs: { + notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; })); + }; } diff --git a/lass/2configs/monitoring/client.nix b/lass/2configs/monitoring/client.nix deleted file mode 100644 index b8c245215..000000000 --- a/lass/2configs/monitoring/client.nix +++ /dev/null @@ -1,26 +0,0 @@ -{pkgs, config, ...}: -with import <stockholm/lib>; -{ - services.telegraf = { - enable = true; - - extraConfig = { - agent.interval = "1s"; - outputs = { - influxdb = { - urls = ["http://prism:8086"]; - database = "telegraf_db"; - user_agent = "telegraf"; - }; - }; - inputs = { - cpu = { - percpu = false; - totalcpu = true; - }; - mem = {}; - net = {}; - }; - }; - }; -} diff --git a/lass/2configs/monitoring/monit-alarms.nix b/lass/2configs/monitoring/monit-alarms.nix deleted file mode 100644 index 2cfc292e5..000000000 --- a/lass/2configs/monitoring/monit-alarms.nix +++ /dev/null @@ -1,44 +0,0 @@ -{pkgs, config, ...}: -with import <stockholm/lib>; -let - echoToIrc = msg: - pkgs.writeDash "echo_irc" '' - set -euf - export LOGNAME=prism-alarm - ${pkgs.irc-announce}/bin/irc-announce \ - irc.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null - ''; - -in { - krebs.monit = { - enable = true; - http.enable = true; - alarms = { - nirwanabluete = { - test = "${pkgs.curl}/bin/curl -sf 'https://nirwanabluete.de/'"; - alarm = echoToIrc "test nirwanabluete failed"; - }; - ubik = { - test = "${pkgs.curl}/bin/curl -sf 'https://ubikmedia.de'"; - alarm = echoToIrc "test ubik failed"; - }; - cac-panel = { - test = "${pkgs.curl}/bin/curl -sf 'https://panel.cloudatcost.com/login.php'"; - alarm = echoToIrc "test cac-panel failed"; - }; - radio = { - test = pkgs.writeBash "check_stream" '' - ${pkgs.curl}/bin/curl -sif http://lassul.us:8000/radio.ogg \ - | ${pkgs.gawk}/bin/awk '/^\r$/{exit}{print $0}' \ - | ${pkgs.gnugrep}/bin/grep -q "200 OK" || exit "''${PIPESTATUS[0]}" - ''; - alarm = echoToIrc "test radio failed"; - }; - }; - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp -i retiolum --dport 9093"; target = "ACCEPT"; } - ]; -} - diff --git a/lass/2configs/monitoring/node-exporter.nix b/lass/2configs/monitoring/node-exporter.nix new file mode 100644 index 000000000..561e3a25c --- /dev/null +++ b/lass/2configs/monitoring/node-exporter.nix @@ -0,0 +1,15 @@ +{ config, lib, pkgs, ... }: +{ + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip4.addr}"; target = "ACCEPT"; v6 = false; } + { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip6.addr}"; target = "ACCEPT"; v4 = false; } + ]; + services.prometheus.exporters = { + node = { + enable = true; + enabledCollectors = [ + "systemd" + ]; + }; + }; +} diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix new file mode 100644 index 000000000..aef671636 --- /dev/null +++ b/lass/2configs/monitoring/prometheus-server.nix @@ -0,0 +1,216 @@ +{ pkgs, lib, config, ... }: +{ + #networking = { + # firewall.allowedTCPPorts = [ + # 3000 # grafana + # 9090 # prometheus + # 9093 # alertmanager + # ]; + # useDHCP = true; + #}; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 3000"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 9090"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; } + ]; + + services = { + prometheus = { + enable = true; + extraFlags = [ + "-storage.local.retention 8760h" + "-storage.local.series-file-shrink-ratio 0.3" + "-storage.local.memory-chunks 2097152" + "-storage.local.max-chunks-to-persist 1048576" + "-storage.local.index-cache-size.fingerprint-to-metric 2097152" + "-storage.local.index-cache-size.fingerprint-to-timerange 1048576" + "-storage.local.index-cache-size.label-name-to-label-values 2097152" + "-storage.local.index-cache-size.label-pair-to-fingerprints 41943040" + ]; + alertmanagerURL = [ "http://localhost:9093" ]; + rules = [ + '' + ALERT node_down + IF up == 0 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Node is down.", + description = "{{$labels.alias}} has been down for more than 5 minutes." + } + ALERT node_systemd_service_failed + IF node_systemd_unit_state{state="failed"} == 1 + FOR 4m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.", + description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}." + } + ALERT node_filesystem_full_90percent + IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Filesystem is running out of space soon.", + description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem." + } + ALERT node_filesystem_full_in_4h + IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.", + description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours" + } + ALERT node_filedescriptors_full_in_3h + IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum + FOR 20m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.", + description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours" + } + ALERT node_load1_90percent + IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Running on high load.", + description = "{{$labels.alias}} is running with > 90% total load for at least 1h." + } + ALERT node_cpu_util_90percent + IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: High CPU utilization.", + description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h." + } + ALERT node_ram_using_90percent + IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1 + FOR 30m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Using lots of RAM.", + description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.", + } + ALERT node_swap_using_80percent + IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8 + FOR 10m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Running out of swap soon.", + description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now." + } + '' + ]; + scrapeConfigs = [ + { + job_name = "node"; + scrape_interval = "10s"; + static_configs = [ + { + targets = [ + ] ++ map (host: "${host}:9100") (lib.attrNames (lib.filterAttrs (_: host: host.owner.name == "lass" && host.monitoring) config.krebs.hosts)); + #labels = { + # alias = "prometheus.example.com"; + #}; + } + ]; + } + ]; + alertmanager = { + enable = true; + listenAddress = "0.0.0.0"; + configuration = { + "global" = { + "smtp_smarthost" = "smtp.example.com:587"; + "smtp_from" = "alertmanager@example.com"; + }; + "route" = { + "group_by" = [ "alertname" "alias" ]; + "group_wait" = "30s"; + "group_interval" = "2m"; + "repeat_interval" = "4h"; + "receiver" = "team-admins"; + }; + "receivers" = [ + { + "name" = "team-admins"; + "email_configs" = [ + { + "to" = "devnull@example.com"; + } + ]; + "webhook_configs" = [ + { + "url" = "http://127.0.0.1:14813/prometheus-alerts"; + "send_resolved" = true; + } + ]; + } + ]; + }; + }; + }; + grafana = { + enable = true; + addr = "0.0.0.0"; + domain = "grafana.example.com"; + rootUrl = "https://grafana.example.com/"; + security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} + }; + }; + services.logstash = { + enable = true; + inputConfig = '' + http { + port => 14813 + host => "127.0.0.1" + } + ''; + filterConfig = '' + if ([alerts]) { + ruby { + code => ' + lines = [] + event["alerts"].each {|p| + lines << "#{p["labels"]["instance"]}#{p["annotations"]["summary"]} #{p["status"]}" + } + event["output"] = lines.join("\n") + ' + } + } + ''; + outputConfig = '' + file { path => "/tmp/logs.json" codec => "json_lines" } + irc { + channels => [ "#noise" ] + host => "irc.r" + nick => "alarm" + codec => "json_lines" + format => "%{output}" + } + ''; + #plugins = [ ]; + }; +} diff --git a/lass/2configs/monitoring/server.nix b/lass/2configs/monitoring/server.nix deleted file mode 100644 index adaecde2c..000000000 --- a/lass/2configs/monitoring/server.nix +++ /dev/null @@ -1,87 +0,0 @@ -{pkgs, config, ...}: -with import <stockholm/lib>; -{ - services.influxdb.enable = true; - - services.influxdb.extraConfig = { - meta.hostname = config.krebs.build.host.name; - # meta.logging-enabled = true; - http.bind-address = ":8086"; - admin.bind-address = ":8083"; - http.log-enabled = false; - monitoring = { - enabled = false; - # write-interval = "24h"; - }; - collectd = [{ - enabled = true; - typesdb = "${pkgs.collectd}/share/collectd/types.db"; - database = "collectd_db"; - port = 25826; - }]; - }; - - krebs.kapacitor = - let - db = "telegraf_db"; - echoToIrc = pkgs.writeDash "echo_irc" '' - set -euf - data="$(${pkgs.jq}/bin/jq -r .message)" - export LOGNAME=prism-alarm - ${pkgs.irc-announce}/bin/irc-announce \ - irc.r 6667 prism-alarm \#noise "$data" >/dev/null - ''; - in { - enable = true; - alarms = { - cpu = { - database = db; - text = '' - var data = batch - |query(${"'''"} - SELECT mean("usage_user") AS mean - FROM "${db}"."default"."cpu" - ${"'''"}) - .period(10m) - .every(1m) - .groupBy('host') - data |alert() - .crit(lambda: "mean" > 90) - .exec('${echoToIrc}') - data |deadman(1.0,5m) - .stateChangesOnly() - .exec('${echoToIrc}') - ''; - }; - ram = { - database = db; - text = '' - var data = batch - |query(${"'''"} - SELECT mean("used_percent") AS mean - FROM "${db}"."default"."mem" - ${"'''"}) - .period(10m) - .every(1m) - .groupBy('host') - data |alert() - .crit(lambda: "mean" > 90) - .exec('${echoToIrc}') - ''; - }; - }; - }; - - services.grafana = { - enable = true; - addr = "0.0.0.0"; - auth.anonymous.enable = true; - security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; } - { predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; } - { predicate = "-p udp -i retiolum --dport 25826"; target = "ACCEPT"; } - ]; -} diff --git a/lass/2configs/reaktor-coders.nix b/lass/2configs/reaktor-coders.nix index 5fa1611ae..5a39f7115 100644 --- a/lass/2configs/reaktor-coders.nix +++ b/lass/2configs/reaktor-coders.nix @@ -4,7 +4,7 @@ with import <stockholm/lib>; { krebs.Reaktor.coders = { nickname = "Reaktor|lass"; - channels = [ "#coders" "#germany" ]; + channels = [ "#coders" "#germany" "#panthermoderns" ]; extraEnviron = { REAKTOR_HOST = "irc.hackint.org"; }; @@ -87,6 +87,19 @@ with import <stockholm/lib>; exec /run/wrappers/bin/ping -q -c1 "$1" 2>&1 | tail -1 ''; }) + (buildSimpleReaktorPlugin "google" { + pattern = "^!g (?P<args>.*)$$"; + script = pkgs.writeDash "google" '' + exec ${pkgs.ddgr}/bin/ddgr -C -n1 --json "$@" | \ + ${pkgs.jq}/bin/jq '@text "\(.[0].abstract) \(.[0].url)"' + ''; + }) + (buildSimpleReaktorPlugin "blockchain" { + pattern = ".*[Bb]lockchain.*$$"; + script = pkgs.writeDash "blockchain" '' + exec echo 'DID SOMEBODY SAY BLOCKCHAIN? https://paste.krebsco.de/r99pMoQq/+inline' + ''; + }) ]; }; } diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix index ad44c67e1..615f5a728 100644 --- a/lass/2configs/repo-sync.nix +++ b/lass/2configs/repo-sync.nix @@ -126,8 +126,8 @@ in { (sync-remote "xintmap" "https://github.com/4z3/xintmap") (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper") (sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog") - (sync-remote "painload" "https://github.com/krebscode/painload") - (sync-remote "Reaktor" "https://github.com/krebscode/Reaktor") + (sync-remote "painload" "https://github.com/krebs/painload") + (sync-remote "Reaktor" "https://github.com/krebs/Reaktor") (sync-remote "nixos-wiki" "https://github.com/Mic92/nixos-wiki.wiki.git") (sync-retiolum "go") (sync-retiolum "much") @@ -135,7 +135,6 @@ in { (sync-retiolum "populate") (sync-retiolum "stockholm") (sync-retiolum "wai-middleware-time") - (sync-retiolum "web-routes-wai-custom") (sync-retiolum "xmonad-stockholm") ]; } diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix index 225ddd308..e1b523e3a 100644 --- a/lass/2configs/steam.nix +++ b/lass/2configs/steam.nix @@ -10,8 +10,6 @@ # source: https://nixos.org/wiki/Talk:Steam # ##TODO: make steam module - hardware.opengl.driSupport32Bit = true; - nixpkgs.config.steam.java = true; environment.systemPackages = with pkgs; [ steam diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix index cef43d1e6..17debf822 100644 --- a/lass/2configs/syncthing.nix +++ b/lass/2configs/syncthing.nix @@ -3,7 +3,6 @@ with import <stockholm/lib>; { services.syncthing = { enable = true; - useInotify = true; }; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 22000"; target = "ACCEPT";} diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 7a72499c9..e4f50e2d1 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -27,10 +27,8 @@ in { ./sqlBackup.nix (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) (servePage [ - "habsys.de" - "habsys.eu" - "www.habsys.de" - "www.habsys.eu" + "freemonkey.art" + "www.freemonkey.art" ]) (serveOwncloud [ "o.ubikmedia.de" ]) (serveWordpress [ @@ -120,6 +118,7 @@ in { { from = "jms@ubikmedia.eu"; to = "jms"; } { from = "ms@ubikmedia.eu"; to = "ms"; } { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } + { from = "akayguen@freemonkey.art"; to ="akayguen"; } { from = "testuser@lassul.us"; to = "testuser"; } { from = "testuser@ubikmedia.eu"; to = "testuser"; } @@ -177,5 +176,12 @@ in { createHome = true; }; + users.users.akayguen = { + uid = genid_signed "akayguen"; + home = "/home/akayguen"; + useDefaultShell = true; + createHome = true; + }; + } diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 25ca1f455..53f1eea5c 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -6,66 +6,10 @@ let genid ; - servephpBB = domains: - let - domain = head domains; - - in { - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - serverAliases = domains; - extraConfig = '' - index index.php; - root /srv/http/${domain}/; - access_log /tmp/nginx_acc.log; - error_log /tmp/nginx_err.log; - error_page 404 /404.html; - error_page 500 502 503 504 /50x.html; - client_max_body_size 100m; - ''; - locations."/".extraConfig = '' - try_files $uri $uri/ /index.php?$args; - ''; - locations."~ \.php(?:$|/)".extraConfig = '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS on; - fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice - fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; - fastcgi_intercept_errors on; - ''; - #Directives to send expires headers and turn off 404 error logging. - locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = '' - access_log off; - log_not_found off; - expires max; - ''; - }; - services.phpfpm.poolConfigs."${domain}" = '' - listen = /srv/http/${domain}/phpfpm.pool - user = nginx - group = nginx - pm = dynamic - pm.max_children = 25 - pm.start_servers = 5 - pm.min_spare_servers = 3 - pm.max_spare_servers = 20 - listen.owner = nginx - listen.group = nginx - php_admin_value[error_log] = 'stderr' - php_admin_flag[log_errors] = on - catch_workers_output = yes - ''; - }; - in { imports = [ ./default.nix ../git.nix - (servephpBB [ "rote-allez-fraktion.de" ]) ]; security.acme = { diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 62055d0fd..816449c14 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -16,11 +16,7 @@ rec { in { services.nginx.virtualHosts.${domain} = { enableACME = true; - enableSSL = true; - extraConfig = '' - listen 80; - listen [::]:80; - ''; + addSSL = true; serverAliases = domains; locations."/".extraConfig = '' root /srv/http/${domain}; @@ -28,18 +24,68 @@ rec { }; }; + servephpBB = domains: + let + domain = head domains; + + in { + services.nginx.virtualHosts."${domain}" = { + serverAliases = domains; + extraConfig = '' + index index.php; + root /srv/http/${domain}/; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + client_max_body_size 100m; + ''; + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php?$args; + ''; + locations."~ \.php(?:$|/)".extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + fastcgi_intercept_errors on; + ''; + #Directives to send expires headers and turn off 404 error logging. + locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = '' + access_log off; + log_not_found off; + expires max; + ''; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 25 + pm.start_servers = 5 + pm.min_spare_servers = 3 + pm.max_spare_servers = 20 + listen.owner = nginx + listen.group = nginx + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + serveOwncloud = domains: let domain = head domains; in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - enableSSL = true; + addSSL = true; serverAliases = domains; extraConfig = '' - listen 80; - listen [::]:80; - # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; @@ -148,12 +194,9 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - enableSSL = true; + addSSL = true; serverAliases = domains; extraConfig = '' - listen 80; - listen [::]:80; - root /srv/http/${domain}/; index index.php; access_log /tmp/nginx_acc.log; diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix index aa3e6731d..76cac9f56 100644 --- a/lass/2configs/zsh.nix +++ b/lass/2configs/zsh.nix @@ -54,8 +54,8 @@ eval $(dircolors -b ${pkgs.fetchFromGitHub { owner = "trapd00r"; repo = "LS_COLORS"; - rev = "master"; - sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp"; + rev = "a75fca8545f91abb8a5f802981033ef54bf1eac0"; + sha256="1lzj0qnj89mzh76ha137mnz2hf86k278rh0y9x124ghxj9yqsnb4"; }}/LS_COLORS) alias ls='ls --color' zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS} diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 0c10e1ec2..2cf6a66b9 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -7,7 +7,9 @@ _: ./hosts.nix ./mysql-backup.nix ./news.nix + ./nichtparasoup.nix ./pyload.nix + ./restic.nix ./screenlock.nix ./umts.nix ./usershadow.nix diff --git a/lass/3modules/nichtparasoup.nix b/lass/3modules/nichtparasoup.nix new file mode 100644 index 000000000..632481b69 --- /dev/null +++ b/lass/3modules/nichtparasoup.nix @@ -0,0 +1,48 @@ +{ config, lib, pkgs, ... }: + +with import <stockholm/lib>; + +{ + options.lass.nichtparasoup = { + enable = mkEnableOption "nichtparasoup funny image page"; + config = mkOption { + type = types.str; + default = '' + [General] + Port: 5001 + IP: 0.0.0.0 + Useragent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25 + + [Cache] + Images_min_limit: 15 + + [Logging] + ;; possible destinations: file syslog + Destination: syslog + Verbosity: ERROR + + [Sites] + SoupIO: everyone + Pr0gramm: new,top + Reddit: gifs,reactiongifs,ANormalDayInRussia,perfectloops,reallifedoodles,bizarrebuildings,cablefail,cableporn,educationalgifs,EngineeringPorn,holdmybeer,itsaunixsystem,loadingicon,michaelbaygifs,nononoyesno,oddlysatisfying,ofcoursethatsathing,OSHA,PeopleFuckingDying,PerfectTiming,PixelArt,RetroFuturism,robotsbeingjerks,scriptedasiangifs,shittyrobots,startrekstabilized,ThingsCutInHalfPorn,totallynotrobots,Unexpected + NineGag: geeky,wtf,hot,trending + Instagram: nature,wtf + Fourchan: sci + ''; + }; + }; + + config = mkIf config.lass.nichtparasoup.enable { + systemd.services.nichtparasoup = { + description = "nichtparasoup"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + restartIfChanged = true; + serviceConfig = { + Restart = "always"; + ExecStart = "${pkgs.nichtparasoup}/bin/nichtparasoup -c ${pkgs.writeText "config.ini"config.lass.nichtparasoup.config}"; + }; + }; + }; +} diff --git a/lass/3modules/restic.nix b/lass/3modules/restic.nix new file mode 100644 index 000000000..c720793b1 --- /dev/null +++ b/lass/3modules/restic.nix @@ -0,0 +1,119 @@ +{ config, lib, pkgs, ... }: + +with import <stockholm/lib>; + +{ + options.lass.restic = mkOption { + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + name = mkOption { + type = types.str; + default = config._module.args.name; + }; + passwordFile = mkOption { + type = types.str; + default = toString <secrets/restic-password>; + description = '' + read the repository password from a file. + ''; + example = "/etc/nixos/restic-password"; + + }; + repo = mkOption { + type = types.str; + default = "sftp:backup@prism.r:/backups/${config.name}"; + description = '' + repository to backup to. + ''; + example = "sftp:backup@192.168.1.100:/backups/${config.name}"; + }; + dirs = mkOption { + type = types.listOf types.str; + default = []; + description = '' + which directories to backup. + ''; + example = [ + "/var/lib/postgresql" + "/home/user/backup" + ]; + }; + timerConfig = mkOption { + type = types.attrsOf types.str; + default = { + OnCalendar = "daily"; + }; + description = '' + When to run the backup. See man systemd.timer for details. + ''; + example = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }; + user = mkOption { + type = types.str; + default = "root"; + description = '' + As which user the backup should run. + ''; + example = "postgresql"; + }; + extraArguments = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra arguments to append to the restic command. + ''; + example = [ + "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp" + ]; + }; + initialize = mkOption { + type = types.bool; + default = false; + description = '' + Create the repository if it doesn't exist. + ''; + }; + }; + })); + default = {}; + }; + + config = { + systemd.services = + mapAttrs' (_: plan: + let + extraArguments = concatMapStringsSep " " (arg: "-o ${arg}") plan.extraArguments; + connectTo = elemAt (splitString ":" plan.repo) 1; + resticCmd = "${pkgs.restic}/bin/restic ${extraArguments}"; + in nameValuePair "backup.${plan.name}" { + environment = { + RESTIC_PASSWORD_FILE = plan.passwordFile; + RESTIC_REPOSITORY = plan.repo; + }; + path = with pkgs; [ + openssh + ]; + restartIfChanged = false; + serviceConfig = { + ExecStartPre = mkIf plan.initialize (pkgs.writeScript "rustic-${plan.name}-init" '' + #! ${pkgs.bash}/bin/bash + ${resticCmd} snapshots || ${resticCmd} init + ''); + ExecStart = pkgs.writeDash "rustic-${plan.name}" ( + "#! ${pkgs.bash}/bin/bash\n" + + concatMapStringsSep "\n" (dir: "${resticCmd} backup ${dir}") plan.dirs + ); + User = plan.user; + }; + } + ) config.lass.restic; + systemd.timers = + mapAttrs' (_: plan: nameValuePair "backup.${plan.name}" { + wantedBy = [ "timers.target" ]; + timerConfig = plan.timerConfig; + }) config.lass.restic; + }; +} diff --git a/lass/5pkgs/custom/xmonad-lass/default.nix b/lass/5pkgs/custom/xmonad-lass/default.nix index 18cb25b5b..868c1072a 100644 --- a/lass/5pkgs/custom/xmonad-lass/default.nix +++ b/lass/5pkgs/custom/xmonad-lass/default.nix @@ -90,7 +90,7 @@ main' = do myLayoutHook = defLayout where - defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1 ||| simplestFloat) + defLayout = minimize $ ((avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| Full ||| FixedColumn 2 80 80 1 ||| Tall 1 (3/100) (1/2) ||| simplestFloat) floatHooks :: Query (Endo WindowSet) floatHooks = composeAll . concat $ diff --git a/lass/5pkgs/generate-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix index 5a4afe7c5..b6cb2ec7e 100644 --- a/lass/5pkgs/generate-secrets/default.nix +++ b/lass/5pkgs/l-gen-secrets/default.nix @@ -1,5 +1,5 @@ { pkgs }: -pkgs.writeDashBin "generate-secrets" '' +pkgs.writeDashBin "l-gen-secrets" '' HOSTNAME="$1" TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) @@ -19,7 +19,7 @@ pkgs.writeDashBin "generate-secrets" '' for x in *; do ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null done - echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/hosts/$HOSTNAME/pass > /dev/null + echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null cat <<EOF $HOSTNAME = { diff --git a/lass/5pkgs/nichtparasoup/default.nix b/lass/5pkgs/nichtparasoup/default.nix new file mode 100644 index 000000000..fcff7ad54 --- /dev/null +++ b/lass/5pkgs/nichtparasoup/default.nix @@ -0,0 +1,15 @@ +{ stdenv, pkgs, ... }: +let + py = pkgs.python3Packages.python.withPackages (p: [ + p.werkzeug + p.beautifulsoup4 + ]); + src = pkgs.fetchFromGitHub { + owner = "k4cg"; + repo = "nichtparasoup"; + rev = "c6dcd0d"; + sha256 = "10xy20bjdnd5bjv2hf6v5y5wi0mc9555awxkjqf57rk6ngc5w6ss"; + }; +in pkgs.writeDashBin "nichtparasoup" '' + ${py}/bin/python ${src}/nichtparasoup.py "$@" +'' diff --git a/lass/5pkgs/nichtparasoup/exception.patch b/lass/5pkgs/nichtparasoup/exception.patch new file mode 100644 index 000000000..34c177de0 --- /dev/null +++ b/lass/5pkgs/nichtparasoup/exception.patch @@ -0,0 +1,13 @@ +diff --git a/nichtparasoup.py b/nichtparasoup.py +index 9da9a2b..833ca71 100755 +--- a/nichtparasoup.py ++++ b/nichtparasoup.py +@@ -211,7 +211,7 @@ def cache_fill_loop(): + try: + sources[crawler][site].crawl() + info = Crawler.info() +- except Exception, e: ++ except Exception as e: + logger.error("Error in crawler %s - %s: %s" % (crawler, site, e)) + break + diff --git a/lass/kops.nix b/lass/krops.nix index 9d0ab911a..776a3a55d 100644 --- a/lass/kops.nix +++ b/lass/krops.nix @@ -1,5 +1,5 @@ -{ name }: let - inherit (import ../krebs/kops.nix { inherit name; }) +{ config ? config, name }: let + inherit (import ../krebs/krops.nix { inherit name; }) krebs-source lib pkgs @@ -8,7 +8,7 @@ source = { test }: lib.evalSource [ krebs-source { - nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; + nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix"; secrets = if test then { file = "/home/lass/stockholm/lass/2configs/tests/dummy-secrets"; } else { @@ -22,14 +22,21 @@ in { # usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy) - deploy = pkgs.kops.writeDeploy "${name}-deploy" { + deploy = pkgs.krops.writeDeploy "${name}-deploy" { source = source { test = false; }; target = "root@${name}/var/src"; }; # usage: $(nix-build --no-out-link --argstr name HOSTNAME -A test) - test = pkgs.kops.writeTest "${name}-test" { + test = pkgs.krops.writeTest "${name}-test" { source = source { test = true; }; - target = "${lib.getEnv "HOME"}/tmp/${name}-kops-test-src"; + target = "${lib.getEnv "HOME"}/tmp/${name}-krops-test-src"; }; + + ci = map (host: + pkgs.krops.writeTest "${host.name}-test" { + source = source { test = true; }; + target = "${lib.getEnv "TMPDIR"}/lass/${host.name}"; + } + ) (lib.filter (host: lib.getAttr "ci" host && host.owner == "lass") (lib.attrValues config.krebs.hosts)); } diff --git a/lass/source.nix b/lass/source.nix index 1d840f38f..e7991da2a 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -12,7 +12,7 @@ host@{ name, secure ? false, override ? {} }: let in evalSource (toString _file) [ { - nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; + nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix"; nixpkgs = (import <stockholm/krebs/source.nix> host).nixpkgs; secrets = getAttr builder { buildbot.file = toString <stockholm/lass/2configs/tests/dummy-secrets>; |