From 55df7c1df55aaa8dc3f48ae83dbd87ce4d3057ba Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 22 Mar 2016 17:40:59 +0100 Subject: l 1 mors: remove broken pythonenv container --- lass/1systems/mors.nix | 33 --------------------------------- lass/2configs/base.nix | 1 + 2 files changed, 1 insertion(+), 33 deletions(-) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 1f7a13c56..9b5c92ff3 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -98,39 +98,6 @@ # { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; } # ]; #} - { - containers.pythonenv = { - config = { - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - - environment = { - systemPackages = with pkgs; [ - git - libxml2 - libxslt - libzip - python27Full - python27Packages.buildout - stdenv - zlib - ]; - - pathsToLink = [ "/include" ]; - - shellInit = '' - # help pip to find libz.so when building lxml - export LIBRARY_PATH=/var/run/current-system/sw/lib - # ditto for header files, e.g. sqlite - export C_INCLUDE_PATH=/var/run/current-system/sw/include - ''; - }; - - }; - }; - } { services.mysql = { enable = true; diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 8017d4270..a50df128e 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -88,6 +88,7 @@ with config.krebs.lib; environment.systemPackages = with pkgs; [ #stockholm git + gnumake jq parallel proot -- cgit v1.2.3 From 780ba9bd1197191d9a6a9bf156683fafaac385b7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 23 Mar 2016 13:44:21 +0100 Subject: l 2 base: fix hashedPasswords path --- lass/2configs/base.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index a50df128e..30ab90997 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix 
@@ -10,7 +10,7 @@ with config.krebs.lib; { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) - (import /root/secrets/hashedPasswords.nix); + (import ); } { users.extraUsers = { -- cgit v1.2.3 From e7c6d97f7cfd743f1dc6ad5cf4883daebc20d5ca Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 23 Mar 2016 13:44:41 +0100 Subject: l 2 downloading: add uriel to authorized_keys --- lass/2configs/downloading.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix index 115cb8b61..ccd751413 100644 --- a/lass/2configs/downloading.nix +++ b/lass/2configs/downloading.nix @@ -20,6 +20,7 @@ in { ]; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey + config.krebs.users.lass-uriel.pubkey ]; }; -- cgit v1.2.3 From 18d0cc3048243d15cf6108ccd05d62390ecf5503 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 23 Mar 2016 13:45:06 +0100 Subject: l 2 websites domsen: add domsen user --- lass/2configs/websites/domsen.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 109c216c0..895146d25 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -1,6 +1,8 @@ { config, pkgs, ... }: -{ +let + inherit (config.krebs.lib) genid; +in { imports = [ ../../3modules/static_nginx.nix ../../3modules/owncloud_nginx.nix @@ -26,6 +28,15 @@ rootPassword = toString (); }; + users.users.domsen = { + uid = genid "domsen"; + description = "maintenance acc for domsen"; + home = "/home/domsen"; + useDefaultShell = true; + extraGroups = [ "nginx" ]; + createHome = true; + }; + #lass.wordpress = { # "ubikmedia.de" = { # }; -- cgit v1.2.3 From 45bb05d291402b9f8cf6d7227e96a7d07fac2dec Mon Sep 17 00:00:00 2001 
From: makefu Date: Fri, 8 Apr 2016 16:08:29 +0200 Subject: ma 5 taskserver: init will be removed when #14506 is in upstream --- makefu/5pkgs/default.nix | 1 + makefu/5pkgs/taskserver/default.nix | 43 +++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 makefu/5pkgs/taskserver/default.nix diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index 8caab433e..c64ee036e 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix @@ -12,5 +12,6 @@ in nodemcu-uploader = callPackage ./nodemcu-uploader {}; mycube-flask = callPackage ./mycube-flask {}; tw-upload-plugin = callPackage ./tw-upload-plugin {}; + taskserver = callPackage ./taskserver {}; }; } diff --git a/makefu/5pkgs/taskserver/default.nix b/makefu/5pkgs/taskserver/default.nix new file mode 100644 index 000000000..a1502b4d6 --- /dev/null +++ b/makefu/5pkgs/taskserver/default.nix 
@@ -0,0 +1,43 @@ +{ stdenv, fetchurl, cmake, libuuid, gnutls, makeWrapper }: + +stdenv.mkDerivation rec { + name = "taskserver-${version}"; + version = "1.1.0"; + + enableParallelBuilding = true; + + src = fetchurl { + url = "http://www.taskwarrior.org/download/taskd-${version}.tar.gz"; + sha256 = "1d110q9vw8g5syzihxymik7hd27z1592wkpz55kya6lphzk8i13v"; + }; + + patchPhase = '' + pkipath=$out/share/taskd/pki + mkdir -p $pkipath + cp -r pki/* $pkipath + echo "patching paths in pki/generate" + sed -i "s#^\.#$pkipath#" $pkipath/generate + for f in $pkipath/generate* ;do + i=$(basename $f) + echo patching $i + sed -i \ + -e 's/which/type -p/g' \ + -e 's#^\. ./vars#if test -e ./vars;then . ./vars; else echo "cannot find ./vars - copy the template from '$pkipath'/vars into the working directory";exit 1; fi#' $f + + echo wrapping $i + makeWrapper $pkipath/$i $out/bin/taskd-pki-$i \ + --prefix PATH : ${gnutls}/bin/ + done + ''; + + buildInputs = [ makeWrapper ]; + nativeBuildInputs = [ cmake libuuid gnutls ]; + + meta = { + description = "Server for synchronising Taskwarrior clients"; + homepage = http://taskwarrior.org; + license = stdenv.lib.licenses.mit; + platforms = stdenv.lib.platforms.linux; + maintainers = with stdenv.lib.maintainers; [ matthiasbeyer makefu ]; + }; +} -- cgit v1.2.3 From c4350d4f28b3a021791b70d104848f3419ffc498 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 00:18:51 +0200 Subject: l 1 prism: add new mount for o.ubikmedia.de --- lass/1systems/prism.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 4d40c8d59..9eb1d54d3 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -79,6 +79,10 @@ in { device = "/dev/pool/download"; }; + fileSystems."/srv/http/o.ubikmedia.de" = { + device = "/dev/pool/owncloud-ubik"; + }; + } { sound.enable = false; -- cgit v1.2.3 From fae50b203d7d3211eec1221fb07f97416edc729c Mon Sep 17 00:00:00 2001 
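Review bot: `buildInputs = [ makeWrapper ]; nativeBuildInputs = [ cmake libuuid gnutls ];` has the two lists swapped by nixpkgs convention — build-time tools go in nativeBuildInputs and the libraries linked against go in buildInputs, i.e. `nativeBuildInputs = [ cmake makeWrapper ]; buildInputs = [ libuuid gnutls ];`. The first `sed -i "s#^\.#$pkipath#" $pkipath/generate` rewrites every line of `generate` that starts with a dot, so if that script sources its settings with a leading `. ./vars` (the form the loop's second sed later looks for), that line becomes `$pkipath ./vars` before the loop can patch it; confirm against the tarball. Copying the pki scripts into `$out` and wrapping them is install work and would read more clearly in `postInstall` than in `patchPhase`, which runs before anything else has been placed in `$out`.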
From: lassulus Date: Sat, 9 Apr 2016 00:36:22 +0200 Subject: l 1 prism: update JuiceSSH key --- lass/1systems/prism.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 9eb1d54d3..db4f1f606 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -123,7 +123,7 @@ in { } { users.users.chat.openssh.authorizedKeys.keys = [ - "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFhFJUMTfPbv3SzqlT9S67Av/m/ctLfTd3mMhD4O9hZc+t+dZmaHWj3v1KujzMBiDp3Yfo2YdVVZLTwTluHD8yNoQH418Vm01nrYHwOsc5J0br3mb0URZSstPiz6/6Fc+PNCDfQ2skUAWUidWiH+JolROFQ4y2lfpLOw+wsK2jj+Gqx6w== JuiceSSH" + "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBBQjn/3n283RZkBs2CFqbpukyQ3zkLIjewRpKttPa5d4PUiT7/vOlutWH5EP4BxXQSoeZStx8D2alGjxfK+nfDvRJGGofpm23cN4j4i24Fcam1y1H7wqRXO1qbz5AB3qPg== JuiceSSH" config.krebs.users.lass-uriel.pubkey ]; } -- cgit v1.2.3 From 38e5cc513cabd4a145bb78db71aa7387bb4278fa Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 00:36:38 +0200 Subject: l 1 prism: allow https in iptables --- lass/1systems/prism.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index db4f1f606..4f6770c38 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -136,7 +136,8 @@ in { ../2configs/websites/domsen.nix ]; krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + { predicate = "-p tcp --dport https"; target = "ACCEPT"; } ]; } { -- cgit v1.2.3 From 5268f22ee99672a2185b959231208a23fd24f073 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sat, 9 Apr 2016 00:43:33 +0200 Subject: l 2 fastpoke-pages: remove file --- lass/1systems/cloudkrebs.nix | 1 - lass/2configs/fastpoke-pages.nix | 101 --------------------------------------- 2 files changed, 102 deletions(-) delete mode 100644 lass/2configs/fastpoke-pages.nix diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 98f509050..fb949ce33 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix @@ -11,7 +11,6 @@ in { ../2configs/os-templates/CAC-CentOS-7-64bit.nix ../2configs/base.nix ../2configs/retiolum.nix - ../2configs/fastpoke-pages.nix ../2configs/git.nix ../2configs/realwallpaper.nix { diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix deleted file mode 100644 index bf6ea8952..000000000 --- a/lass/2configs/fastpoke-pages.nix +++ /dev/null 
@@ -1,101 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; - -let - createStaticPage = domain: - { - krebs.nginx.servers."${domain}" = { - server-names = [ - "${domain}" - "www.${domain}" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/${domain}; - '') - ]; - }; - #networking.extraHosts = '' - # 10.243.206.102 ${domain} - #''; - users.extraUsers = { - ${domain} = { - name = domain; - home = "/var/lib/http/${domain}"; - createHome = true; - }; - }; - }; - -in { - imports = map createStaticPage [ - "habsys.de" - "pixelpocket.de" - "karlaskop.de" - "ubikmedia.de" - "apanowicz.de" - ]; - - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport http"; target = "ACCEPT"; } - ]; - }; - }; - - - krebs.nginx = { - enable = true; - servers = { - #"habsys.de" = { - # server-names = [ - # "habsys.de" - # "www.habsys.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/habsys.de; - # '') - # ]; - #}; - - #"karlaskop.de" = { - # server-names = [ - # "karlaskop.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - #"pixelpocket.de" = { - # server-names = [ - # "pixelpocket.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - }; - }; - - #services.postgresql = { - # enable = true; - #}; - - #config.services.vsftpd = { - # enable = true; - # userlistEnable = true; - # userlistFile = pkgs.writeFile "vsftpd-userlist" '' - # ''; - #}; -} -- cgit v1.2.3 From 5a85d6b6964a0906df0d562b03415217f50aa17d Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:14:19 +0200 Subject: l 1 dishfire: add mount for /srv/http --- lass/1systems/dishfire.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index c7d016cd3..7043809a5 100644 --- a/lass/1systems/dishfire.nix 
+++ b/lass/1systems/dishfire.nix @@ -26,6 +26,11 @@ fsType = "ext4"; }; + fileSystems."/srv/http" = { + device = "/dev/pool/srv_http"; + fsType = "ext4"; + }; + fileSystems."/boot" = { device = "/dev/vda1"; fsType = "ext4"; -- cgit v1.2.3 From 76be13147a300e9449ab826e009f4c61b9330b60 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:14:43 +0200 Subject: l 2 base: nixpkgs rev 40c586b -> e781a82 --- lass/2configs/base.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 30ab90997..77646a03e 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -55,7 +55,7 @@ with config.krebs.lib; stockholm = "/home/lass/stockholm"; nixpkgs = { url = https://github.com/NixOS/nixpkgs; - rev = "40c586b7ce2c559374df435f46d673baf711c543"; + rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819"; dev = "/home/lass/src/nixpkgs"; }; } // optionalAttrs config.krebs.build.host.secure { -- cgit v1.2.3 From b8b7ba2890d658081c59bd3d5e2f143f825e47e7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:16:07 +0200 Subject: l 1 mors: remove old test cases --- lass/1systems/mors.nix | 74 -------------------------------------------------- 1 file changed, 74 deletions(-) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 9b5c92ff3..4fa8e412d 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix 
@@ -33,71 +33,6 @@ { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; } ]; } - { - #static-nginx-test - imports = [ - ../3modules/static_nginx.nix - ]; - lass.staticPage."testserver.de" = { - #sslEnable = true; - #certificate = "${toString }/testserver.de/server.cert"; - #certificate_key = "${toString }/testserver.de/server.pem"; - ssl = { - enable = true; - certificate = "${toString }/testserver.de/server.cert"; - certificate_key = "${toString }/testserver.de/server.pem"; - }; - }; - networking.extraHosts = '' - 10.243.0.2 testserver.de - ''; - } - #{ - # #wordpress-test - # #imports = singleton (sitesGenerators.createWordpress "testserver.de"); - # imports = [ - # ../3modules/wordpress_nginx.nix - # ]; - # lass.wordpress."testserver.de" = { - # multiSite = { - # "1" = "testserver.de"; - # "2" = "bla.testserver.de"; - # }; - # }; - - # services.mysql = { - # enable = true; - # package = pkgs.mariadb; - # rootPassword = "/mysql_rootPassword"; - # }; - # networking.extraHosts = '' - # 10.243.0.2 testserver.de - # ''; - # krebs.iptables.tables.filter.INPUT.rules = [ - # { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; } - # ]; - #} - #{ - # #owncloud-test - # #imports = singleton (sitesGenerators.createWordpress "testserver.de"); - # imports = [ - # ../3modules/owncloud_nginx.nix - # ]; - # lass.owncloud."owncloud-test.de" = { - # }; - - # #services.mysql = { - # # enable = true; - # # package = pkgs.mariadb; - # # rootPassword = "/mysql_rootPassword"; - # #}; - # networking.extraHosts = '' - # 10.243.0.2 owncloud-test.de - # ''; - # krebs.iptables.tables.filter.INPUT.rules = [ - # { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; } - # ]; - #} { services.mysql = { enable = true; 
@@ -125,15 +60,6 @@ networking.wireless.enable = true; - networking.extraHosts = '' - 213.239.205.240 wohnprojekt-rhh.de - 213.239.205.240 karlaskop.de - 213.239.205.240 makeup.apanowicz.de - 213.239.205.240 pixelpocket.de - 213.239.205.240 reich-gebaeudereinigung.de - 213.239.205.240 o.ubikmedia.de - ''; - hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; -- cgit v1.2.3 From c9529ca1e781f023c1280dd96cb589a2c198177a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:16:21 +0200 Subject: l 2 base: add unpackers to pkgs --- lass/2configs/base.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 77646a03e..88bb3ff60 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -85,6 +85,8 @@ with config.krebs.lib; MANPAGER=most ''; + nixpkgs.config.allowUnfree = true; + environment.systemPackages = with pkgs; [ #stockholm git @@ -109,6 +111,11 @@ with config.krebs.lib; #neat utils krebspaste + + #unpack stuff + p7zip + unzip + unrar ]; programs.bash = { -- cgit v1.2.3 From d5ccc03a5cc8d30443d81ff4aba7a613c198d268 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:16:47 +0200 Subject: l 2 games: add user to loot group --- lass/2configs/games.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 6043a8759..0eec97922 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -13,7 +13,7 @@ in { name = "games"; description = "user playing games"; home = "/home/games"; - extraGroups = [ "audio" "video" "input" ]; + extraGroups = [ "audio" "video" "input" "loot" ]; createHome = true; useDefaultShell = true; }; -- cgit v1.2.3 From 9113a203848d9ceab57fd9c1e891066f96443e6e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:17:09 +0200 Subject: l 2 newsbot-js: remove times feed --- lass/2configs/newsbot-js.nix | 1 - 1 file changed, 1 deletion(-) 
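Review bot: `nixpkgs.config.allowUnfree = true;` in base.nix lifts the unfree restriction for every host that imports this file, apparently only so that `unrar` evaluates (the other two unpackers are free). A narrower predicate keeps that policy visible and limited to the one package, e.g. `nixpkgs.config.allowUnfreePredicate = pkg: builtins.match "unrar.*" pkg.name != null;`. The mors.nix context in the preceding hunk already sets `allowUnfree = true` for that host, so it becomes redundant there either way.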
diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix index d7c68bd7d..636b44395 100644 --- a/lass/2configs/newsbot-js.nix +++ b/lass/2configs/newsbot-js.nix @@ -154,7 +154,6 @@ let telepolis|http://www.heise.de/tp/rss/news-atom.xml|#news the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#news tigsource|http://www.tigsource.com/feed/|#news - times|http://www.thetimes.co.uk/tto/news/rss|#news tinc|http://tinc-vpn.org/news/index.rss|#news topix_b|http://www.topix.com/rss/wire/de/berlin|#news torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#news -- cgit v1.2.3 From e907a52246bd206eddd2a48c92f63215ff37a53a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:17:30 +0200 Subject: l 2 pass: remove obsolete startGnuPGAgent --- lass/2configs/pass.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix index 33eca0a17..610887621 100644 --- a/lass/2configs/pass.nix +++ b/lass/2configs/pass.nix @@ -6,5 +6,4 @@ gnupg1 ]; - services.xserver.startGnuPGAgent = true; } -- cgit v1.2.3 From b517ea29707efc6677fe8c0e7ff6dadff4de3c3d Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:21:19 +0200 Subject: l 4: add website helper functions --- lass/4lib/default.nix | 127 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 125 insertions(+), 2 deletions(-) diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index a751a2995..d45313894 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix 
@@ -1,10 +1,133 @@ -{ lib, ... }: +{ lib, pkgs, ... }: with lib; -{ +rec { getDefaultGateway = ip: concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]); + manageCert = domain: + { + security.acme = { + certs."${domain}" = { + email = "lassulus@gmail.com"; + webroot = "/var/lib/acme/challenges/${domain}"; + plugins = [ + "account_key.json" + "cert.pem" + "key.pem" + "fullchain.pem" + ]; + group = "nginx"; + allowKeysForGroup = true; + }; + }; + + krebs.nginx.servers."${domain}" = { + locations = [ + (nameValuePair "/.well-known/acme-challenge" '' + root /var/lib/acme/challenges/${domain}/; + '') + ]; + }; + }; + + ssl = domain: + { + imports = [ + ( manageCert domain ) + ( activateACME domain ) + ]; + }; + + activateACME = domain: + { + krebs.nginx.servers."${domain}" = { + ssl = { + enable = true; + certificate = "/var/lib/acme/${domain}/cert.pem"; + certificate_key = "/var/lib/acme/${domain}/key.pem"; + }; + }; + }; + + servePage = domain: + { + krebs.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root /srv/http/${domain}; + '') + ]; + }; + }; + + serveOwncloud = domain: + { + krebs.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + # The following 2 rules are only needed with webfinger + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + + try_files $uri $uri/ /index.php; + '') + (nameValuePair "~ \.php$" '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + '') + ]; + extraConfig = '' + root 
/srv/http/${domain}/; + #index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; + rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; + rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; + + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + ''; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = nginx + listen.group = nginx + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + } -- cgit v1.2.3 From 7af3dfe9bf367f02619881c47060b4645d12f71e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:21:39 +0200 Subject: l 2 websites: use helper functions --- lass/2configs/websites/domsen.nix | 38 ++++++++++++--------- lass/2configs/websites/fritz.nix | 48 ++++++++++++++++++--------- lass/2configs/websites/wohnprojekt-rhh.de.nix | 20 +++++++---- 3 files changed, 67 insertions(+), 39 deletions(-) diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 895146d25..173e87864 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
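Review bot: In `(nameValuePair "~ \.php$" ''` the `\.` sits inside a Nix double-quoted string, where a backslash before an ordinary character is simply dropped, so nginx receives the pattern `~ .php$` and routes any URI ending in `php` (e.g. `/indexphp`, not only `/index.php`) to php-fpm; a literal backslash needs `"~ \\.php$"`. The same escape recurs in the later "update owncloud config" commit on this page (`"~ \.php(?:$|/)"`, `"~* \.(?:css|js)$"`, `"~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$"`). Separately, `manageCert` sets `group = "nginx"; allowKeysForGroup = true;`, which makes every issued private key readable by the nginx group, and the `domsen` maintenance account added earlier on this page carries `extraGroups = [ "nginx" ]`, so it inherits read access to all of those keys; a comment stating that this is intended, or a dedicated group for key access, would make the exposure explicit.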
@@ -1,26 +1,32 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let inherit (config.krebs.lib) genid; + inherit (import ../../4lib { inherit lib pkgs; }) + manageCert + activateACME + ssl + servePage + serveOwncloud; + in { imports = [ - ../../3modules/static_nginx.nix - ../../3modules/owncloud_nginx.nix - ../../3modules/wordpress_nginx.nix - ]; + ( ssl "reich-gebaeudereinigung.de" ) + ( servePage "reich-gebaeudereinigung.de" ) - lass.staticPage = { - "karlaskop.de" = {}; - "makeup.apanowicz.de" = {}; - "pixelpocket.de" = {}; - "reich-gebaeudereinigung.de" = {}; - }; + ( servePage "karlaskop.de" ) + ( manageCert "karlaskop.de" ) - lass.owncloud = { - "o.ubikmedia.de" = { - instanceid = "oc8n8ddbftgh"; - }; - }; + ( servePage "makeup.apanowicz.de" ) + ( manageCert "makeup.apanowicz.de" ) + + ( servePage "pixelpocket.de" ) + ( manageCert "pixelpocket.de" ) + + ( ssl "o.ubikmedia.de" ) + ( serveOwncloud "o.ubikmedia.de" ) + + ]; services.mysql = { enable = true; diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 073f3de14..16a240d7c 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix 
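Review bot: `( servePage "karlaskop.de" ) ( manageCert "karlaskop.de" )` — and likewise for makeup.apanowicz.de and pixelpocket.de — requests a certificate but never imports `activateACME`, so those vhosts presumably keep answering plain HTTP only while a key pair is issued and never served; if HTTPS is the goal, the `ssl` helper used for reich-gebaeudereinigung.de is the one to pair with `servePage`. fritz.nix in this same commit does the same for all eight of its sites. `activateACME`, `ssl` and `serveOwncloud` are inherited into fritz.nix without being used, wohnprojekt-rhh.de.nix inherits `manageCert`, `activateACME`, `serveOwncloud` and `genid` without using them in the visible hunk; trimming the inherits to what each file calls keeps its dependency on 4lib honest.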
@@ -1,23 +1,39 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (import ../../4lib { inherit lib pkgs; }) + manageCert + activateACME + ssl + servePage + serveOwncloud; +in { imports = [ - ../../3modules/static_nginx.nix - ../../3modules/owncloud_nginx.nix - ../../3modules/wordpress_nginx.nix - ]; + ( manageCert "biostase.de" ) + ( servePage "biostase.de" ) + + ( manageCert "gs-maubach.de" ) + ( servePage "gs-maubach.de" ) + + ( manageCert "spielwaren-kern.de" ) + ( servePage "spielwaren-kern.de" ) + + ( manageCert "societyofsimtech.de" ) + ( servePage "societyofsimtech.de" ) - lass.staticPage = { - "biostase.de" = {}; - "gs-maubach.de" = {}; - "spielwaren-kern.de" = {}; - "societyofsimtech.de" = {}; - "ttf-kleinaspach.de" = {}; - "edsn.de" = {}; - "eab.berkeley.edu" = {}; - "habsys.de" = {}; - }; + ( manageCert "ttf-kleinaspach.de" ) + ( servePage "ttf-kleinaspach.de" ) + + ( manageCert "edsn.de" ) + ( servePage "edsn.de" ) + + ( manageCert "eab.berkeley.edu" ) + ( servePage "eab.berkeley.edu" ) + + ( manageCert "habsys.de" ) + ( servePage "habsys.de" ) + ]; #lass.owncloud = { # "o.ubikmedia.de" = { diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix index ac784d4c7..4e3eb071a 100644 --- a/lass/2configs/websites/wohnprojekt-rhh.de.nix +++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix @@ -1,14 +1,20 @@ -{ config, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (config.krebs.lib) genid; + inherit (import ../../4lib { inherit lib pkgs; }) + manageCert + activateACME + ssl + servePage + serveOwncloud; + +in { imports = [ - ../../3modules/static_nginx.nix + ( ssl "wohnprojekt-rhh.de" ) + ( servePage "wohnprojekt-rhh.de" ) ]; - lass.staticPage = { - "wohnprojekt-rhh.de" = {}; - }; - users.users.laura = { home = "/srv/http/wohnprojekt-rhh.de"; createHome = true; -- cgit v1.2.3 From ed37b759286a1989ee3830b0268134a177303d23 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sat, 9 Apr 2016 21:20:35 +0200 Subject: l 4: update owncloud config to solve errors --- lass/4lib/default.nix | 98 +++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 72 insertions(+), 26 deletions(-) diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index d45313894..4d3adfd1d 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix 
@@ -74,43 +74,89 @@ rec { "${domain}" "www.${domain}" ]; + extraConfig = '' + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + + # Path to the root of your installation + root /srv/http/${domain}/; + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + # Disable gzip to avoid the removal of the ETag header + gzip off; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. + #pagespeed off; + + index index.php; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + + rewrite ^/.well-known/carddav /remote.php/carddav/ permanent; + rewrite ^/.well-known/caldav /remote.php/caldav/ permanent; + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. 
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + ''; locations = [ - (nameValuePair "/" '' - # The following 2 rules are only needed with webfinger - rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + (nameValuePair "/robots.txt" '' + allow all; + log_not_found off; + access_log off; + '') + (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" '' + deny all; + '') - rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; - rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" '' + deny all; + '') + (nameValuePair "/" '' + rewrite ^/remote/(.*) /remote.php last; rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; - - try_files $uri $uri/ /index.php; + try_files $uri $uri/ =404; '') - (nameValuePair "~ \.php$" '' + + (nameValuePair "~ \.php(?:$|/)" '' fastcgi_split_path_info ^(.+\.php)(/.+)$; - include ${pkgs.nginx}/conf/fastcgi.conf; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + fastcgi_intercept_errors on; '') - ]; - extraConfig = '' - root /srv/http/${domain}/; - #index index.php; - access_log /tmp/nginx_acc.log; - error_log /tmp/nginx_err.log; - - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; - rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; - rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; - rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; + # Adding the cache control header for js and css files + # Make sure it is BELOW the location ~ \.php(?:$|/) { block + 
(nameValuePair "~* \.(?:css|js)$" '' + add_header Cache-Control "public, max-age=7200"; + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + # Optional: Don't log access to assets + access_log off; + '') - error_page 403 /core/templates/403.php; - error_page 404 /core/templates/404.php; - ''; + # Optional: Don't log access to other assets + (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" '' + access_log off; + '') + ]; }; services.phpfpm.poolConfigs."${domain}" = '' listen = /srv/http/${domain}/phpfpm.pool -- cgit v1.2.3 From 6f4bc4b34c3cbac56f6a23740dca566980823990 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 10 Apr 2016 23:24:15 +0200 Subject: makefu: init taskserver, keep an eye on https://github.com/NixOS/nixpkgs/pull/14476 --- makefu/1systems/gum.nix | 4 +++ makefu/3modules/default.nix | 1 + makefu/3modules/taskserver.nix | 60 ++++++++++++++++++++++++++++++++++++++++++ makefu/5pkgs/default.nix | 2 +- 4 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 makefu/3modules/taskserver.nix diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 710421659..96a5f4854 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -41,6 +41,8 @@ in { ]; }; + makefu.taskserver.enable = true; + krebs.nginx.servers.cgit = { server-names = [ "cgit.euer.krebsco.de" ]; listen = [ "${external-ip}:80" "${internal-ip}:80" ]; @@ -86,6 +88,8 @@ in { 21032 # tinc-retiolum 21031 + # taskserver + 53589 ]; allowedUDPPorts = [ # tinc diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index f007a8418..0a10b1532 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix @@ -4,6 +4,7 @@ _: imports = [ ./snapraid.nix ./umts.nix + ./taskserver.nix ]; } 
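Review bot: `fastcgi_param HTTPS on;` is hard-coded, but `serveOwncloud` is composed separately from the `ssl`/`activateACME` helpers (domsen.nix happens to pair them; nothing in the helper requires it), so a vhost importing only `serveOwncloud` would tell PHP that every request is HTTPS while nginx serves it in the clear, and ownCloud would presumably build its URLs and cookie flags on that basis. nginx's `$https` variable is `on` only on TLS connections, so `fastcgi_param HTTPS $https;` preserves the behaviour on the ssl vhosts without the assumption.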
diff --git a/makefu/3modules/taskserver.nix b/makefu/3modules/taskserver.nix new file mode 100644 index 000000000..41247fff3 --- /dev/null +++ b/makefu/3modules/taskserver.nix @@ -0,0 +1,60 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let + cfg = config.makefu.taskserver; + + out = { + options.makefu.taskserver = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "taskserver"; + + workingDir = mkOption { + type = types.str; + default = "/var/lib/taskserver"; + }; + + package = mkOption { + type = types.package; + default = pkgs.taskserver; + }; + + + }; + + imp = { + environment.systemPackages = [ cfg.package ]; + systemd.services.taskserver = { + description = "taskd server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; + unitConfig = { + Documentation = "http://taskwarrior.org/docs/#taskd" ; + # https://taskwarrior.org/docs/taskserver/configure.html + ConditionPathExists = "${cfg.workingDir}/config"; + }; + serviceConfig = { + Type = "simple"; + ExecStart = "${cfg.package}/bin/taskd server --data ${cfg.workingDir}"; + WorkingDirectory = cfg.workingDir; + PrivateTmp = true; + InaccessibleDirectories = "/home /boot /opt /mnt /media"; + User = "taskd"; + }; + }; + + users.users.taskd = { + uid = genid "taskd"; + home = cfg.workingDir; + createHome = true; + }; + users.groups.taskd.gid = genid "taskd"; + }; + +in +out + diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index c64ee036e..fff92725e 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix 
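Review bot: `users.users.taskd` declares `uid = genid "taskd"` and a matching `users.groups.taskd` group is created, but the user never sets `group = "taskd"`, so the new group stays unused and files the daemon creates under `${cfg.workingDir}` get the default primary group instead; add `group = "taskd";` next to `uid`. Since the companion gum.nix hunk opens TCP 53589 to the outside, the unit could also take the cheap hardening available alongside `PrivateTmp`, such as `NoNewPrivileges = true;` and `ProtectSystem = "full";`. The `workingDir` and `package` options carry no `description`, which the module system would otherwise surface in generated documentation.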
@@ -9,8 +9,8 @@ in alsa-hdspconf = callPackage ./alsa-tools { alsaToolTarget="hdspconf";}; alsa-hdsploader = callPackage ./alsa-tools { alsaToolTarget="hdsploader";}; awesomecfg = callPackage ./awesomecfg {}; - nodemcu-uploader = callPackage ./nodemcu-uploader {}; mycube-flask = callPackage ./mycube-flask {}; + nodemcu-uploader = callPackage ./nodemcu-uploader {}; tw-upload-plugin = callPackage ./tw-upload-plugin {}; taskserver = callPackage ./taskserver {}; }; -- cgit v1.2.3 From c60d7637bd84ab0fc34798f68544d02c34da88c9 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:43:25 +0200 Subject: l 1 mors: /mnt/backup is now /bku --- lass/1systems/mors.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 4fa8e412d..0d8db212a 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -99,7 +99,7 @@ fsType = "ext4"; }; - "/mnt/backups" = { + "/bku" = { device = "/dev/big/backups"; fsType = "ext4"; }; -- cgit v1.2.3 From 375277a3c67102fc887b7b67837c8977035d8227 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:43:52 +0200 Subject: l 1 prism: new fileschema for better backups --- lass/1systems/prism.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 80dd8c4e9..09a802b53 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -77,8 +77,16 @@ in { device = "/dev/pool/download"; }; - fileSystems."/srv/http/o.ubikmedia.de" = { - device = "/dev/pool/owncloud-ubik"; + fileSystems."/srv/http" = { + device = "/dev/pool/http"; + }; + + fileSystems."/srv/o.ubikmedia.de-data" = { + device = "/dev/pool/owncloud-ubik-data"; + }; + + fileSystems."/bku" = { + device = "/dev/pool/bku"; }; } -- cgit v1.2.3 From 0a5f8b64b2b34e7d24ee9e7573eebd7937341e01 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Mon, 11 Apr 2016 16:47:06 +0200 Subject: l 1 uriel: add /bku --- lass/1systems/uriel.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index 4e4eca21f..8bb2348e6 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix @@ -47,6 +47,11 @@ with builtins; fsType = "ext4"; }; + "/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; + "/boot" = { device = "/dev/sda1"; }; -- cgit v1.2.3 From 1773a9cd92ca2c0d78ba55c9ba16f7580cde388e Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:49:52 +0200 Subject: l 4: add more helpers for wordpress hosting --- lass/4lib/default.nix | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index 4d3adfd1d..e089f022c 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix @@ -33,6 +33,34 @@ rec { }; }; + manageCerts = domains: + let + domain = head domains; + in { + security.acme = { + certs."${domain}" = { + email = "lassulus@gmail.com"; + webroot = "/var/lib/acme/challenges/${domain}"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + ]; + group = "nginx"; + allowKeysForGroup = true; + extraDomains = genAttrs domains (_: null); + }; + }; + + krebs.nginx.servers."${domain}" = { + locations = [ + (nameValuePair "/.well-known/acme-challenge" '' + root /var/lib/acme/challenges/${domain}/; + '') + ]; + }; + }; + ssl = domain: { imports = [ 
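Review bot: `allowKeysForGroup = true` with `group = "nginx"` in `manageCerts` makes `key.pem` for every listed domain readable by all members of the nginx group, not just the nginx worker; that is the intended way to let the web server read the key, but any account later added to that group inherits read access to the private keys, which a comment on the line should spell out: `# key.pem becomes nginx-group readable: keep that group to the web server`. Minor: `extraDomains = genAttrs domains (_: null)` includes `domain` itself, which is already the certificate's main name; `genAttrs (tail domains) (_: null)` avoids the duplicate. `ssl` is cut off at the end of the hunk.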
@@ -176,4 +204,56 @@ rec { ''; }; + serveWordpress = domains: + let + domain = head domains; + + in { + krebs.nginx.servers."${domain}" = { + server-names = domains; + extraConfig = '' + root /srv/http/${domain}/; + index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + ''; + locations = [ + (nameValuePair "/" '' + try_files $uri $uri/ /index.php?$args; + '') + (nameValuePair "~ \.php$" '' + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + include ${pkgs.nginx}/conf/fastcgi.conf; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + #Directives to send expires headers and turn off 404 error logging. + (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' + access_log off; + log_not_found off; + expires max; + '') + ]; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = nginx + listen.group = nginx + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + } -- cgit v1.2.3 From a638c4eecd55420e3a579763561e4cfa672d1cd5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:50:22 +0200 Subject: l 2 websites domsen: serve wordpress --- lass/2configs/websites/domsen.nix | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 173e87864..b02f31629 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
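Review bot: The PHP location in `serveWordpress` is written as `(nameValuePair "~ \.php$" …)`, but in a Nix double-quoted string `\.` collapses to a plain `.`, so nginx receives `~ .php$` — a regex that hands any URI ending in the three letters `php` with one preceding character to php-fpm, not only `.php` files; the dot-file location right below uses `"~ /\\."` and shows the intended escaping, so change it to `(nameValuePair "~ \\.php$" ''`, and the long static-assets regex in the same hunk has the same `\.` before its extension group. In that PHP location, adding `try_files $uri =404;` before `fastcgi_pass` is the usual nginx guard so that only scripts that exist on disk are passed to the FastCGI backend. Lastly, `access_log /tmp/nginx_acc.log;` and `error_log /tmp/nginx_err.log;` put request logs in a world-writable directory that is cleaned on boot; `/var/log/nginx/${domain}-access.log` (or the nginx default) is the safer place.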
@@ -4,28 +4,32 @@ let inherit (config.krebs.lib) genid; inherit (import ../../4lib { inherit lib pkgs; }) manageCert + manageCerts activateACME ssl servePage - serveOwncloud; + serveOwncloud + serveWordpress; in { imports = [ ( ssl "reich-gebaeudereinigung.de" ) ( servePage "reich-gebaeudereinigung.de" ) - ( servePage "karlaskop.de" ) ( manageCert "karlaskop.de" ) + ( servePage "karlaskop.de" ) - ( servePage "makeup.apanowicz.de" ) ( manageCert "makeup.apanowicz.de" ) + ( servePage "makeup.apanowicz.de" ) - ( servePage "pixelpocket.de" ) ( manageCert "pixelpocket.de" ) + ( servePage "pixelpocket.de" ) ( ssl "o.ubikmedia.de" ) ( serveOwncloud "o.ubikmedia.de" ) + ( manageCerts [ "ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] ) + ( serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] ) ]; services.mysql = { -- cgit v1.2.3 From 72e46878ea759f8909c90d2f5f293bfb8f3a6104 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:50:49 +0200 Subject: l 2 websites: activate sqlBackups --- lass/2configs/websites/domsen.nix | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index b02f31629..cbda7b99e 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -38,6 +38,15 @@ in { rootPassword = toString (); }; + services.mysqlBackup = { + enable = true; + databases = [ + "ubikmedia_de" + "o_ubikmedia_de" + ]; + location = "/bku/sql_dumps"; + }; + users.users.domsen = { uid = genid "domsen"; description = "maintenance acc for domsen"; -- cgit v1.2.3 From 2723a1fcd85ccaf9fea6faa6ec51358f706b8883 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:51:12 +0200 Subject: l 2 websites domsen: add apcu to phpfpm --- lass/2configs/websites/domsen.nix | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) 
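Review bot: The domain lists passed to `manageCerts` and `serveWordpress` in the imports hunk differ: `serveWordpress` serves `*.ubikmedia.de` but `manageCerts` does not request it, so any subdomain answered by that vhost has no matching certificate; either drop the wildcard from `serveWordpress` or keep the two lists in one `let` binding (`domsenDomains = [ … ];`) so they cannot drift, with the wildcard documented as HTTP-only if that is intended. In the `services.mysqlBackup` hunk, `location = "/bku/sql_dumps"` will hold full plaintext dumps of `ubikmedia_de` and `o_ubikmedia_de`, and the hunk does not say who owns or can read that directory; a comment stating the expectation (`# dumps are plaintext DB contents; directory must not be world-readable — check module default`) and a check against the module's default would be prudent. Both hunks are complete; the surrounding `in { … }` module is not.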
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index cbda7b99e..1b62bd977 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -56,10 +56,13 @@ in { createHome = true; }; - #lass.wordpress = { - # "ubikmedia.de" = { - # }; - #}; - + services.phpfpm.phpIni = pkgs.runCommand "php.ini" { + options = '' + extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so + ''; + } '' + cat ${pkgs.php}/etc/php-recommended.ini > $out + echo "$options" >> $out + ''; } -- cgit v1.2.3 From 4bd4e58baa56635f08661a7a5c1dfe9f59a719a7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:51:49 +0200 Subject: l 2: add backups.nix --- lass/2configs/backups.nix | 63 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 lass/2configs/backups.nix diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix new file mode 100644 index 000000000..c3275aece --- /dev/null +++ b/lass/2configs/backups.nix 
@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+with config.krebs.lib;
+{
+
+ krebs.backup.plans = {
+ } // mapAttrs (_: recursiveUpdate {
+ snapshots = {
+ daily = { format = "%Y-%m-%d"; retain = 7; };
+ weekly = { format = "%YW%W"; retain = 4; };
+ monthly = { format = "%Y-%m"; retain = 12; };
+ yearly = { format = "%Y"; };
+ };
+ }) {
+ prism-chat-uriel = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; };
+ startAt = "03:00";
+ };
+ prism-chat-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
+ startAt = "03:00";
+ };
+ mors-home-uriel = {
+ method = "push";
+ src = { host = config.krebs.hosts.mors; path = "/home"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; };
+ startAt = "04:00";
+ };
+ uriel-home-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.uriel; path = "/home"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; };
+ startAt = "04:00";
+ };
+ prism-http-uriel = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; };
+ startAt = "04:30";
+ };
+ prism-http-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
+ startAt = "04:30";
+ };
+ prism-sql-uriel = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; };
+ startAt = "05:00";
+ };
+ prism-sql-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
+ startAt = "05:00";
+ };
+ };
+}
-- cgit
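Review bot: `mors-home-uriel` is the only plan with `method = "push"` while its mirror `uriel-home-mors` and every other plan use `"pull"`, and nothing in the file says why; a comment on that plan, e.g. `# push (not pull) on purpose: <reason>`, would stop a later edit from "fixing" the asymmetry. Which host holds credentials for which direction (with pull the `dst` host must be able to read `src` on the peer, with push the `src` host can write into `dst`) is decided by the `krebs.backup` module outside this diff, and is worth a line in a header comment since `/home` and the SQL dumps are among the sources.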
v1.2.3 From 84c7ba200a02dff803023388d54e2dea8e16ae2f Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:52:15 +0200 Subject: l 2 base: import backups.nix --- lass/2configs/base.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 88bb3ff60..ad5df26e8 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -7,6 +7,7 @@ with config.krebs.lib; ../2configs/zsh.nix ../2configs/mc.nix ../2configs/retiolum.nix + ./backups.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) -- cgit v1.2.3 From 8f20cf974e334157a241dee5ad729eb5708637ee Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:52:43 +0200 Subject: l 4: use fullchain.pem as certificate --- lass/4lib/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index e089f022c..22a8c3c6e 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix @@ -15,7 +15,6 @@ rec { webroot = "/var/lib/acme/challenges/${domain}"; plugins = [ "account_key.json" - "cert.pem" "key.pem" "fullchain.pem" ]; @@ -74,7 +73,7 @@ rec { krebs.nginx.servers."${domain}" = { ssl = { enable = true; - certificate = "/var/lib/acme/${domain}/cert.pem"; + certificate = "/var/lib/acme/${domain}/fullchain.pem"; certificate_key = "/var/lib/acme/${domain}/key.pem"; }; }; -- cgit v1.2.3 From 7023d4141044d9de656f0d52e39650466d709728 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:09:08 +0200 Subject: k 3 iptables: allow REDIRECT target --- krebs/3modules/iptables.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index 9596229de..4b99873a1 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -20,6 +20,7 @@ let flatten length hasAttr + hasPrefix mkEnableOption mkOption mkIf 
@@ -123,7 +124,7 @@ let buildRule = tn: cn: rule: #target validation test: - assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))); + assert (elem rule.target ([ "ACCEPT" "REJECT" "DROP" "QUEUE" "LOG" "RETURN" ] ++ (attrNames ts."${tn}"))) || hasPrefix "REDIRECT" rule.target; #predicate validation test: #maybe use iptables-test -- cgit v1.2.3 From a1d80db7cc499bb9a850250357b0921fa61f5a59 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:09:56 +0200 Subject: l 2 base: remove helios from authorized_keys(root) --- lass/2configs/base.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index ad5df26e8..d83e53772 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -19,7 +19,6 @@ with config.krebs.lib; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey config.krebs.users.lass-uriel.pubkey - config.krebs.users.lass-helios.pubkey ]; }; mainUser = { -- cgit v1.2.3 From be6bfb17365046486abdd3af01f05b0cb99331ea Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:11:31 +0200 Subject: l 2 base: redirect internet ssh port to 45621 --- lass/2configs/base.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index d83e53772..4a4468300 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -173,6 +173,13 @@ with config.krebs.lib; krebs.iptables = { enable = true; tables = { + nat.PREROUTING.rules = [ + { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } + { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } + ]; + nat.OUTPUT.rules = [ + { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } + ]; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; filter.INPUT.rules = [ -- cgit v1.2.3 
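Review bot: `hasPrefix "REDIRECT" rule.target` in `buildRule` accepts any target string beginning with those letters and checks nothing about what follows, so a mistyped option after it is only caught by iptables at activation time rather than by this assertion; matching the exact forms is just as short: `|| rule.target == "REDIRECT" || hasPrefix "REDIRECT --to-ports " rule.target`. This keeps the assertion's role as a typo guard, which is all it can be since targets come from trusted configuration rather than user input. `buildRule`'s predicate validation continues outside the hunk.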
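Review bot: The PREROUTING rule `! -i retiolum -p tcp -m tcp --dport 22` → `REDIRECT --to-ports 0` is doing duty as a "make external port 22 unreachable" rule, and redirecting to port 0 is not obviously defined behaviour; an explicit `filter.INPUT` rule that rejects non-retiolum traffic to dport 22 says what is meant and does not depend on how the kernel treats port 0. Because REDIRECT rewrites the destination port before the filter table sees the packet, the `filter.INPUT.rules` that begin at the end of the hunk must accept `--dport 22` for traffic that arrived on 45621 (an ACCEPT on 45621 would never match); a comment above the nat block, e.g. `# public sshd is reached via 45621 -> REDIRECT to 22; filter rules see dport 22`, keeps the two tables in sync. Moving the public port is obscurity, not a substitute for key-only authentication; `services.openssh` is outside this hunk.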
From 4f04085d5239e2c688a370706f9007edd0a0d5bb Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:16:17 +0200 Subject: l 2: add exim-retiolum.nix --- lass/2configs/exim-retiolum.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 lass/2configs/exim-retiolum.nix diff --git a/lass/2configs/exim-retiolum.nix b/lass/2configs/exim-retiolum.nix new file mode 100644 index 000000000..ea2f553b8 --- /dev/null +++ b/lass/2configs/exim-retiolum.nix @@ -0,0 +1,14 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; + +{ + krebs.exim-retiolum.enable = true; + krebs.setuid.sendmail = { + filename = "${pkgs.exim}/bin/exim"; + mode = "4111"; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; } + ]; +} -- cgit v1.2.3 From 6da220c50848843a4d6e546a8639d0a573bf210b Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:16:40 +0200 Subject: l 2: add exim-smarthost configuration --- lass/2configs/exim-smarthost.nix | 49 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 lass/2configs/exim-smarthost.nix diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix new file mode 100644 index 000000000..7f838a316 --- /dev/null +++ b/lass/2configs/exim-smarthost.nix 
@@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; + +{ + krebs.exim-smarthost = { + enable = true; + #dkim = [ + # { domain = "lassul.us"; } + #]; + sender_domains = [ + "lassul.us" + ]; + relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [ + config.krebs.hosts.mors + config.krebs.hosts.uriel + config.krebs.hosts.helios + ]; + internet-aliases = with config.krebs.users; [ + { from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822 + { from = "lass@lassul.us"; to = lass.mail; } + { from = "lassulus@lassul.us"; to = lass.mail; } + { from = "test@lassul.us"; to = lass.mail; } + ]; + system-aliases = [ + { from = "mailer-daemon"; to = "postmaster"; } + { from = "postmaster"; to = "root"; } + { from = "nobody"; to = "root"; } + { from = "hostmaster"; to = "root"; } + { from = "usenet"; to = "root"; } + { from = "news"; to = "root"; } + { from = "webmaster"; to = "root"; } + { from = "www"; to = "root"; } + { from = "ftp"; to = "root"; } + { from = "abuse"; to = "root"; } + { from = "noc"; to = "root"; } + { from = "security"; to = "root"; } + { from = "root"; to = "lass"; } + ]; + }; + + krebs.setuid.sendmail = { + filename = "${pkgs.exim}/bin/exim"; + mode = "4111"; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } + ]; +} -- cgit v1.2.3 From 3d8689494f994a6849b1815b98dcbd027f59b1c6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:16:58 +0200 Subject: l 2 base: remove exim & sendmail stuff --- lass/2configs/base.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 4a4468300..8c6078ba5 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -45,7 +45,6 @@ with config.krebs.lib; krebs = { enable = true; search-domain = "retiolum"; - exim-retiolum.enable = true; build = { user = config.krebs.users.lass; source = mapAttrs (_: mkDefault) ({ 
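Review bot: `relay_from_hosts` authorises relaying by the retiolum IPv4 addresses of mors, uriel and helios, while the `filter.INPUT` rule at the bottom opens smtp on every interface; whether an address-based relay list is safe then depends on those addresses not being reachable or spoofable from the public interface, which must be enforced by the `krebs.exim-smarthost` module or the firewall outside this diff — a comment next to the list, `# relay trust is by retiolum address only; public smtp is inbound-only for sender_domains`, would record that assumption. The system-aliases chain (`security`, `abuse`, … → `root` → `lass`) is easy to miss when reading top to bottom; `# everything ends up in the lass mailbox via root` above the list helps.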
@@ -153,10 +152,6 @@ with config.krebs.lib; ''; }; - security.setuidPrograms = [ - "sendmail" - ]; - services.openssh = { enable = true; hostKeys = [ -- cgit v1.2.3 From fa039a83d8c2d5f2756856794461ac9795a6ee11 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:17:42 +0200 Subject: l 1 *: import exim config from l 2 exim-* --- lass/1systems/cloudkrebs.nix | 1 + lass/1systems/dishfire.nix | 1 + lass/1systems/echelon.nix | 1 + lass/1systems/helios.nix | 1 + lass/1systems/mors.nix | 1 + lass/1systems/prism.nix | 1 + lass/1systems/uriel.nix | 1 + 7 files changed, 7 insertions(+) diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 636d6a855..82c172050 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix @@ -9,6 +9,7 @@ in { ../. ../2configs/os-templates/CAC-CentOS-7-64bit.nix ../2configs/base.nix + ../2configs/exim-retiolum.nix ../2configs/retiolum.nix ../2configs/git.nix ../2configs/realwallpaper.nix diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index 7043809a5..04ebca588 100644 --- a/lass/1systems/dishfire.nix +++ b/lass/1systems/dishfire.nix @@ -5,6 +5,7 @@ ../. ../2configs/base.nix + ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/websites/fritz.nix { diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index 80611ee80..e2fa1c5f4 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix @@ -9,6 +9,7 @@ in { ../. ../2configs/os-templates/CAC-CentOS-7-64bit.nix ../2configs/base.nix + ../2configs/exim-retiolum.nix ../2configs/retiolum.nix ../2configs/realwallpaper-server.nix ../2configs/privoxy-retiolum.nix diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index cc98c2c5b..0c7c0d8e3 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -5,6 +5,7 @@ with builtins; imports = [ ../. ../2configs/baseX.nix + ../2configs/exim-retiolum.nix ../2configs/browsers.nix ../2configs/programs.nix ../2configs/git.nix 
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 0d8db212a..18f86ef91 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -4,6 +4,7 @@ imports = [ ../. ../2configs/baseX.nix + ../2configs/exim-retiolum.nix ../2configs/programs.nix ../2configs/bitcoin.nix ../2configs/browsers.nix diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 09a802b53..e1743c997 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -6,6 +6,7 @@ in { imports = [ ../. ../2configs/base.nix + ../2configs/exim-smarthost.nix ../2configs/downloading.nix ../2configs/git.nix ../2configs/ts3.nix diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index 8bb2348e6..92996c181 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix @@ -5,6 +5,7 @@ with builtins; imports = [ ../. ../2configs/baseX.nix + ../2configs/exim-retiolum.nix ../2configs/browsers.nix ../2configs/games.nix ../2configs/pass.nix -- cgit v1.2.3 From 1b717d487791ce6874caa439461d4deeb942a835 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 16:32:58 +0200 Subject: l 2 exim-smarthost: activate DKIM --- lass/2configs/exim-smarthost.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 7f838a316..f1c682416 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -5,9 +5,9 @@ with config.krebs.lib; { krebs.exim-smarthost = { enable = true; - #dkim = [ - # { domain = "lassul.us"; } - #]; + dkim = [ + { domain = "lassul.us"; } + ]; sender_domains = [ "lassul.us" ]; -- cgit v1.2.3 From 4382ba5b9ddad77a1e0f44b5ff88862678a5d33e Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:27:41 +0200 Subject: l 1 dishfire: add /bku mount --- lass/1systems/dishfire.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index 04ebca588..532ccb29a 100644 
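Review bot: Enabling `dkim = [ { domain = "lassul.us"; } ]` means outgoing mail for that domain is now signed, but the hunk gives no hint where the signing key comes from or that the matching public key must be published in DNS before this is deployed; a comment such as `# key and selector are presumably handled by krebs.exim-smarthost; publish the DNS TXT record before enabling` next to the option would make the rollout order explicit. The key source and selector are defined by the `krebs.exim-smarthost` module, outside this diff.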
--- a/lass/1systems/dishfire.nix +++ b/lass/1systems/dishfire.nix @@ -36,6 +36,10 @@ device = "/dev/vda1"; fsType = "ext4"; }; + fileSystems."/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; } { networking.dhcpcd.allowInterfaces = [ -- cgit v1.2.3 From 8a8d2c8ec979b30901e69cb6a0d063968b5c42b6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:29:13 +0200 Subject: l 1 mors: disable test dbs --- lass/1systems/mors.nix | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 18f86ef91..6e89b2957 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -34,26 +34,28 @@ { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; } ]; } + #{ + # services.mysql = { + # enable = true; + # package = pkgs.mariadb; + # rootPassword = "/mysql_rootPassword"; + # }; + #} + #{ + # services.elasticsearch = { + # enable = true; + # plugins = [ + # # pkgs.elasticsearchPlugins.elasticsearch_kopf + # ]; + # }; + #} + #{ + # services.postgresql = { + # enable = true; + # package = pkgs.postgresql; + # }; + #} { - services.mysql = { - enable = true; - package = pkgs.mariadb; - rootPassword = "/mysql_rootPassword"; - }; - } - { - services.elasticsearch = { - enable = true; - plugins = [ - # pkgs.elasticsearchPlugins.elasticsearch_kopf - ]; - }; - } - { - services.postgresql = { - enable = true; - package = pkgs.postgresql; - }; } ]; -- cgit v1.2.3 From 40ce314996762fe286a5f8d27873cd0ae9fab145 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:29:52 +0200 Subject: l 2 exim-smarthost: add outlook@lassul.us --- lass/2configs/exim-smarthost.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index f1c682416..e1aa29c49 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix 
@@ -21,6 +21,7 @@ with config.krebs.lib; { from = "lass@lassul.us"; to = lass.mail; } { from = "lassulus@lassul.us"; to = lass.mail; } { from = "test@lassul.us"; to = lass.mail; } + { from = "outlook@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } -- cgit v1.2.3 From 4c4ac83e1fb21611e947c40d612d51bbab91257e Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:30:17 +0200 Subject: l 2 backups: more backups --- lass/2configs/backups.nix | 86 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 61 insertions(+), 25 deletions(-) diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix index c3275aece..ca9ff20a1 100644 --- a/lass/2configs/backups.nix +++ b/lass/2configs/backups.nix @@ -11,52 +11,88 @@ with config.krebs.lib; yearly = { format = "%Y"; }; }; }) { - prism-chat-uriel = { + dishfire-http-prism = { method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; }; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; }; startAt = "03:00"; }; + dishfire-http-mors = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; }; + startAt = "03:05"; + }; + dishfire-http-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-http"; }; + startAt = "03:10"; + }; +