6 files changed, 110 insertions, 56 deletions

diff --git a/makefu/2configs/lanparty/lancache.nix b/makefu/2configs/lanparty/lancache.nix
index ff5b0d788..3df2e3f59 100644
--- a/makefu/2configs/lanparty/lancache.nix
+++ b/makefu/2configs/lanparty/lancache.nix
@@ -36,38 +36,39 @@ let
   };
 in {
   systemd.services.nginx-lancache = {
-      description = "Nginx lancache Server";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      restartIfChanged = true;
+    description = "Nginx lancache Server";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    restartIfChanged = true;
 
-      preStart = ''
-        mkdir -p ${cfg.statedir} && cd ${cfg.statedir}
-        PATH_CACHE=$PATH_BASE/cache
-        PATH_LOGS=$PATH_BASE/logs
+    preStart = ''
+      mkdir -p ${cfg.statedir} && cd ${cfg.statedir}
+      PATH_CACHE=$PATH_BASE/cache
+      PATH_LOGS=$PATH_BASE/logs
 
-        mkdir -p cache/{installers,tmp} logs
-        rm -f conf; ln -s ${lancache} conf
-        chown -R ${cfg.user}:${cfg.group} .
-        '';
-      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/nginx  -p ${cfg.statedir}";
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-        Restart = "always";
-        RestartSec = "10s";
-        StartLimitInterval = "1min";
-      };
+      mkdir -p cache/{installers,tmp} logs
+      rm -f conf; ln -s ${lancache} conf
+      chown -R ${cfg.user}:${cfg.group} .
+      '';
+    serviceConfig = {
+      ExecStart = "${cfg.package}/bin/nginx  -p ${cfg.statedir}";
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Restart = "always";
+      RestartSec = "10s";
+      StartLimitInterval = "1min";
     };
-    environment.etc.nginx.source = lancache;
-      users.extraUsers = (singleton
-    { name = cfg.user;
-      group = cfg.group;
-      uid = genid cfg.group;
-    });
+  };
 
-    users.extraGroups = (singleton
-      { name = "${cfg.group}";
-        gid = genid cfg.group;
-    });
+  environment.etc.nginx.source = lancache;
+    users.extraUsers = (singleton
+  { name = cfg.user;
+    group = cfg.group;
+    uid = genid cfg.group;
+  });
 
+  users.extraGroups = (singleton
+    { name = "${cfg.group}";
+      gid = genid cfg.group;
+  });
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
diff --git a/makefu/2configs/sshd-totp.nix b/makefu/2configs/sshd-totp.nix
new file mode 100644
index 000000000..f9984e245
--- /dev/null
+++ b/makefu/2configs/sshd-totp.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+#  gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+  security.pam.oath = {
+    # enabling it will make it a requisite of `all` services
+    # enable = true;
+    digits = 6;
+    # TODO assert existing
+    usersFile = (toString <secrets>) + "/users.oath";
+  };
+  # I want TFA only active for sshd with password-auth
+  security.pam.services.sshd.oathAuth = true;
+}
diff --git a/makefu/2configs/tools/dev.nix b/makefu/2configs/tools/dev.nix
index e40f5b36f..42006eb22 100644
--- a/makefu/2configs/tools/dev.nix
+++ b/makefu/2configs/tools/dev.nix
@@ -14,5 +14,6 @@
     ovh-zone
     whatsupnix
     brain
+    gen-oath-safe
   ];
 }
diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch.nix
deleted file mode 100644
index 9493b2b7b..000000000
--- a/makefu/2configs/urlwatch.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ config, lib, ... }:
-
-{
-  krebs.urlwatch = {
-    enable = true;
-    mailto = config.krebs.users.makefu.mail;
-    onCalendar = "*-*-* 05:00:00";
-    urls = [
-      ## nixpkgs maintenance
-      https://api.github.com/repos/ovh/python-ovh/tags
-      https://api.github.com/repos/embray/d2to1/tags
-      https://api.github.com/repos/Mic92/vicious/tags
-      https://pypi.python.org/simple/bepasty/
-      https://pypi.python.org/simple/xstatic/
-      http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
-      http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
-      https://github.com/amadvance/snapraid/releases.atom
-      https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
-      https://api.github.com/repos/embray/d2to1/tags
-      https://api.github.com/repos/dorimanx/exfat-nofuse/commits
-      https://api.github.com/repos/dorimanx/exfat-nofuse/tags
-      https://api.github.com/repos/radare/radare2/tags
-      https://api.github.com/repos/rapid7/metasploit-framework/tags
-    ];
-  };
-}
-
diff --git a/makefu/2configs/urlwatch/default.nix b/makefu/2configs/urlwatch/default.nix
new file mode 100644
index 000000000..f17bcdc3a
--- /dev/null
+++ b/makefu/2configs/urlwatch/default.nix
@@ -0,0 +1,45 @@
+{ config, lib, ... }:
+
+{
+  krebs.urlwatch = {
+    enable = true;
+    mailto = config.krebs.users.makefu.mail;
+    onCalendar = "*-*-* 05:00:00";
+    hooksFile = ./hook.py;
+    urls = [
+      ## nixpkgs maintenance
+      # github 
+      ## No rate limit
+      https://github.com/amadvance/snapraid/releases.atom
+      https://github.com/radare/radare2/releases.atom
+      https://github.com/ovh/python-ovh/releases.atom
+      https://github.com/embray/d2to1/releases.atom
+      https://github.com/Mic92/vicious/releases.atom
+      https://github.com/embray/d2to1/releases.atom
+      https://github.com/dorimanx/exfat-nofuse/releases.atom
+      https://github.com/rapid7/metasploit-framework/releases.atom
+      ## rate limited
+      # https://api.github.com/repos/dorimanx/exfat-nofuse/commits
+      # https://api.github.com/repos/mcepl/gen-oath-safe/commits
+      https://api.github.com/repos/naim94a/udpt/commits
+      https://api.github.com/repos/dirkvdb/ps3netsrv--/commits
+
+      # pypi
+      https://pypi.python.org/simple/bepasty/
+      https://pypi.python.org/simple/xstatic/
+      https://pypi.python.org/simple/devpi-client/
+      # weird shit
+      http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
+      http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
+      https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
+      https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
+
+      {
+        url = https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ;
+        filter = "grep:Software/Linux/dymo-cups-drivers";
+      }
+      # TODO: dymo cups
+    ];
+  };
+}
+
diff --git a/makefu/2configs/urlwatch/hook.py b/makefu/2configs/urlwatch/hook.py
new file mode 100644
index 000000000..7d9282c7e
--- /dev/null
+++ b/makefu/2configs/urlwatch/hook.py
@@ -0,0 +1,16 @@
+import logging
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger()
+log.setLevel(level=logging.INFO)
+
+import re
+import json
+
+from urlwatch import filters
+
+
+class JsonFilter(filters.RegexMatchFilter):
+    MATCH = {'url': re.compile('https?://api.github.com/.*')}
+
+    def filter(self, data):
+        return json.dumps(json.loads(data),indent=2,sort_keys=True)