From 7db4c634fc266d25ac80f2545c6c77d5b4d28708 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 29 Sep 2017 21:29:26 +0200 Subject: ma latte.r: init --- makefu/1systems/latte/config.nix | 53 ++++++++++++++++++++++++++++++++++++++++ makefu/1systems/latte/source.nix | 3 +++ 2 files changed, 56 insertions(+) create mode 100644 makefu/1systems/latte/config.nix create mode 100644 makefu/1systems/latte/source.nix (limited to 'makefu/1systems') diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix new file mode 100644 index 000000000..d532f216f --- /dev/null +++ b/makefu/1systems/latte/config.nix @@ -0,0 +1,53 @@ +{ config, pkgs, ... }: +let + + # external-ip = config.krebs.build.host.nets.internet.ip4.addr; + # internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; + # default-gw = "185.215.224.1"; + # prefixLength = 24; + # external-mac = "46:5b:fc:f4:44:c9"; + # ext-if = "et0"; +in { + + imports = [ + + # configure your hw: + + + + + # Security + + + + # Tools + + + + # Services + + + ]; + krebs = { + enable = true; + build.host = config.krebs.hosts.latte; + }; + boot.initrd.availableKernelModules = [ "ata_piix" "ehci_pci" "virtio_pci" "virtio_blk" "virtio_net" "virtio_scsi" ]; + + boot.loader.grub.device = "/dev/vda"; + boot.loader.grub.copyKernels = true; + fileSystems."/" = { + device = "/dev/vda1"; + fsType = "ext4"; + }; + networking = { + firewall = { + allowPing = true; + logRefusedConnections = false; + allowedTCPPorts = [ ]; + allowedUDPPorts = [ 655 ]; + }; + # network interface receives dhcp address + nameservers = [ "8.8.8.8" ]; + }; +} diff --git a/makefu/1systems/latte/source.nix b/makefu/1systems/latte/source.nix new file mode 100644 index 000000000..d997fb3f0 --- /dev/null +++ b/makefu/1systems/latte/source.nix @@ -0,0 +1,3 @@ +import { + name="latte"; +} -- cgit v1.2.3 From e2a8aab44294584d185b6501cede7857c0529d36 Mon Sep 17 00:00:00 2001 
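Review bot: `logRefusedConnections = false;` in the new `networking.firewall` block turns off the only log source this host has for blocked traffic, while `allowedTCPPorts = [ ]` and `allowedUDPPorts = [ 655 ]` leave everything else refused — on a freshly provisioned VM that is exactly the traffic worth seeing. If the motive is log volume, record it next to the line, e.g. `logRefusedConnections = false; # noisy on the public uplink; re-enable when debugging`, otherwise drop the line and keep the default. The `let` block above carries six commented-out bindings (`external-ip`, `default-gw`, `external-mac`, …) that nothing references; either wire them into `networking.interfaces`/`networking.defaultGateway` or delete them, since stale addresses in a `let` tend to be revived verbatim later. The comment `# network interface receives dhcp address` states intent only — no `useDHCP` or `interfaces` setting appears in this file, so it presumably relies on the NixOS default.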
From: makefu Date: Fri, 29 Sep 2017 21:37:24 +0200 Subject: ma: enable remote-build on gum,omo - x is master --- makefu/1systems/gum/config.nix | 8 +++++++- makefu/1systems/omo/config.nix | 2 ++ makefu/1systems/x/config.nix | 1 + 3 files changed, 10 insertions(+), 1 deletion(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 2f288e708..e1357ff01 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -40,10 +40,11 @@ in { # services - # + + ## Web @@ -74,6 +75,9 @@ in { # + # Temporary: + + ]; makefu.dl-dir = "/var/download"; @@ -143,6 +147,8 @@ in { 53589 # temp vnc 18001 + # temp reverseshell + 31337 ]; allowedUDPPorts = [ # tinc diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index 32cd3f900..a22ff10bd 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -65,6 +65,8 @@ in { # services + + # security diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index 892eb1095..443f912d8 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix @@ -57,6 +57,7 @@ with import ; # + # Hardware -- cgit v1.2.3 From aa273ee8802c7de6283e0bea2a7624bf099d251d Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 29 Sep 2017 21:38:08 +0200 Subject: ma wbob: enable extended logging --- makefu/1systems/wbob/config.nix | 106 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 104 insertions(+), 2 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index b776b49d6..3a53b70cb 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -25,7 +25,9 @@ in { # # - ]; + # Services + + ]; krebs = { enable = true; 
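Review bot: The new `31337` entry under `allowedTCPPorts` (hunk `@@ -143,6 +147,8 @@`) opens a port on every interface of a public host and is marked only `# temp reverseshell`, like the `# temp vnc 18001` entry above it, with nothing that makes it expire or stand out in a later audit. A permanent host config is the wrong place for a throw-away listener; if it has to be committed, carry an owner and a removal condition, e.g. `# TODO(makefu): temporary debug listener, remove after <DATE>`, and prefer a separate, clearly named module that is imported only while needed. The `# Temporary:` import added in hunk `@@ -74,6 +75,9 @@` has the same problem; the imported path itself is not visible in this rendering. The enclosing `networking.firewall` block starts outside the hunk.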
@@ -33,10 +35,48 @@ in { }; swapDevices = [ { device = "/var/swap"; } ]; + services.collectd.extraConfig = lib.mkAfter '' + #LoadPlugin ping + # does not work because it requires privileges + # + # Host "google.de" + # Host "heise.de" + # + + LoadPlugin curl + + TotalTime true + NamelookupTime true + ConnectTime true + + + MeasureResponseTime true + MeasureResponseCode true + URL "https://google.de" + + + + MeasureResponseTime true + MeasureResponseCode true + URL "http://web.de" + + + + #LoadPlugin netlink + # + # Interface "enp0s25" + # Interface "wlp2s0" + # IgnoreSelected false + # + ''; networking.firewall.allowedUDPPorts = [ 655 ]; - networking.firewall.allowedTCPPorts = [ 655 49152 ]; + networking.firewall.allowedTCPPorts = [ + 655 + 8081 #smokeping + 49152 + ]; networking.firewall.trustedInterfaces = [ "enp0s25" ]; #services.tinc.networks.siem = { # name = "display"; 
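Review bot: Adding `8081 #smokeping` to `networking.firewall.allowedTCPPorts` exposes the smokeping web UI on every interface, although the same hunk already singles out `enp0s25` via `trustedInterfaces` — the LAN side is reachable regardless, so the global rule only adds the tinc and uplink side. If per-interface rules are available on the NixOS release in use, scope it, e.g. `networking.firewall.interfaces.enp0s25.allowedTCPPorts = [ 8081 ];`, or serve the UI through the existing reverse proxy with authentication. The collectd `curl` block probes `http://web.de` over plain HTTP while the other target uses HTTPS; if the plaintext probe is deliberate (a latency baseline), a short comment saying so would stop someone "fixing" it later. `lib.mkAfter` requires `lib` in the module arguments, and the module head is outside this hunk.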
@@ -90,4 +130,66 @@ in { serverAddress = "x.r"; }; }; + security.wrappers.fping = { + source = "${pkgs.fping}/bin/fping"; + setuid = true; + }; + services.smokeping = { + enable = true; + targetConfig = '' + probe = FPing + menu = Top + title = Network Latency Grapher + remark = Welcome to this SmokePing website. + + + network + menu = Net latency + title = Network latency (ICMP pings) + + ++ google + probe = FPing + host = google.de + ++ webde + probe = FPing + host = web.de + + + services + menu = Service latency + title = Service latency (DNS, HTTP) + + ++ HTTP + menu = HTTP latency + title = Service latency (HTTP) + + +++ webdeping + probe = EchoPingHttp + host = web.de + + +++ googwebping + probe = EchoPingHttp + host = google.de + + #+++ webwww + #probe = Curl + #host = web.de + + #+++ googwebwww + #probe = Curl + #host = google.de + ''; + probeConfig = '' + + FPing + binary = /run/wrappers/bin/fping + + EchoPingHttp + pings = 5 + url = / + + #+ Curl + ## probe-specific variables + #binary = ${pkgs.curl}/bin/curl + #step = 60 + ## a default for this target-specific variable + #urlformat = http://%host%/ + ''; + }; } -- cgit v1.2.3 From 5b536e2d311ae6beea7f7e73115c3a061d523a59 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 1 Oct 2017 14:01:19 +0200 Subject: ma irc: ni.r -> irc.r --- makefu/1systems/pnp/config.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/pnp/config.nix b/makefu/1systems/pnp/config.nix index 5fbaaabc7..47fa74c00 100644 --- a/makefu/1systems/pnp/config.nix +++ b/makefu/1systems/pnp/config.nix @@ -34,7 +34,8 @@ krebs.Reaktor.debug = { debug = true; extraEnviron = { - REAKTOR_HOST = "ni.r"; + # TODO: remove hard-coded server + REAKTOR_HOST = "irc.r"; }; plugins = with pkgs.ReaktorPlugins; [ stockholm-issue nixos-version sed-plugin ]; channels = [ "#retiolum" ]; -- cgit v1.2.3 From 0fe3f562d7dc66dc4dcf39522fc17ccce6ee30b4 Mon Sep 17 00:00:00 2001 
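Review bot: `security.wrappers.fping` is installed with `setuid = true;` and no `owner`/`group`/`permissions`, which hands a root-setuid fping to every local account, while the only consumer visible here is smokeping (`binary = /run/wrappers/bin/fping`). fping needs raw sockets, not root: `capabilities = "cap_net_raw+ep";` in place of `setuid = true;` grants exactly that, and `group`/`permissions` on the wrapper can limit execution to the account the smokeping service runs as (that user is not visible in this hunk — confirm). In `probeConfig`, the commented-out `#binary = ${pkgs.curl}/bin/curl` is still Nix interpolation inside the `''` string, so `pkgs.curl` is evaluated and pulled into the closure even though the probe is disabled; delete the dead probe block or move it out of the interpolated string. The enclosing attribute set's head is outside the hunk.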
From: makefu Date: Sun, 1 Oct 2017 14:01:48 +0200 Subject: ma cake.r: init --- makefu/1systems/cake/config.nix | 20 ++++++++++++++++++++ makefu/1systems/cake/source.nix | 3 +++ 2 files changed, 23 insertions(+) create mode 100644 makefu/1systems/cake/config.nix create mode 100644 makefu/1systems/cake/source.nix (limited to 'makefu/1systems') diff --git a/makefu/1systems/cake/config.nix b/makefu/1systems/cake/config.nix new file mode 100644 index 000000000..0630d19ad --- /dev/null +++ b/makefu/1systems/cake/config.nix @@ -0,0 +1,20 @@ +{ config, pkgs, ... }: +{ + imports = [ + + # configure your hw: + # + # + # { + name="cake"; +} \ No newline at end of file -- cgit v1.2.3 From b01385c974dd3f4a9cbf0e7e992e960cd9ebf295 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 1 Oct 2017 14:28:34 +0200 Subject: ma: #retiolum -> #xxx --- makefu/1systems/pnp/config.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/pnp/config.nix b/makefu/1systems/pnp/config.nix index 47fa74c00..6c9fc0606 100644 --- a/makefu/1systems/pnp/config.nix +++ b/makefu/1systems/pnp/config.nix @@ -38,7 +38,7 @@ REAKTOR_HOST = "irc.r"; }; plugins = with pkgs.ReaktorPlugins; [ stockholm-issue nixos-version sed-plugin ]; - channels = [ "#retiolum" ]; + channels = [ "#xxx" ]; }; krebs.build.host = config.krebs.hosts.pnp; -- cgit v1.2.3 From fbaf146bcacc0632a01dd81830d172a58a649434 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 1 Oct 2017 20:12:06 +0200 Subject: ma cake.r: update config --- makefu/1systems/cake/config.nix | 45 ++++++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 16 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/cake/config.nix b/makefu/1systems/cake/config.nix index 0630d19ad..826af24e7 100644 --- a/makefu/1systems/cake/config.nix +++ b/makefu/1systems/cake/config.nix 
@@ -1,20 +1,33 @@ { config, pkgs, ... }: { - imports = [ - - # configure your hw: - # - # - # +# configure your hw: +# + ]; + krebs = { + enable = true; + tinc.retiolum.enable = true; + build.host = config.krebs.hosts.cake; + }; + boot.loader.grub.enable = false; + boot.loader.generic-extlinux-compatible.enable = true; + boot.kernelPackages = pkgs.linuxPackages_latest; + boot.kernelParams = ["cma=32M" "console=ttyS0,115200n8" "console=tty0" ]; + + programs.info.enable = false; + programs.man.enable = false; + services.nixosManual.enable = false; + +# File systems configuration for using the installer's partition layout + fileSystems = { + "/boot" = { + device = "/dev/disk/by-label/NIXOS_BOOT"; + fsType = "vfat"; }; - # You want to change these :) - boot.loader.grub.device = "/dev/sda"; - fileSystems."/" = { - device = "/dev/sda1"; + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; }; -} \ No newline at end of file + }; +} -- cgit v1.2.3 From f8eeed31f27528b1aef90d60ce97c599288f4dd2 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 3 Oct 2017 15:42:42 +0200 Subject: ma cake.r: disable tmpfs --- makefu/1systems/cake/config.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/cake/config.nix b/makefu/1systems/cake/config.nix index 826af24e7..444c99a22 100644 --- a/makefu/1systems/cake/config.nix +++ b/makefu/1systems/cake/config.nix @@ -1,7 +1,8 @@ -{ config, pkgs, ... }: +{ config, lib, pkgs, ... }: { imports = [ + # configure your hw: # ]; @@ -18,6 +19,7 @@ programs.info.enable = false; programs.man.enable = false; services.nixosManual.enable = false; + boot.tmpOnTmpfs = lib.mkForce false; # File systems configuration for using the installer's partition layout fileSystems = { -- cgit v1.2.3 From 6513f6a8233e7b542015199388a149642e6a50eb Mon Sep 17 00:00:00 2001 
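Review bot: In the rewritten file, `# configure your hw:` and `# File systems configuration for using the installer's partition layout` sit at column 0 while every attribute around them is indented two spaces, and `boot.kernelParams = ["cma=32M" ...]` omits the space after `[` that `imports` and `fileSystems` use. Re-indent the two comments to match and write `boot.kernelParams = [ "cma=32M" "console=ttyS0,115200n8" "console=tty0" ];`. The kernel parameters and the `NIXOS_BOOT`/`NIXOS_SD` labels suggest a specific board image; naming it in the hardware comment (`# configure your hw: <BOARD> SD image layout`) would explain why `grub` is disabled in favour of `generic-extlinux-compatible`.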
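Review bot: `boot.tmpOnTmpfs = lib.mkForce false;` (hunk `@@ -18,6 +19,7 @@`) overrides whichever imported module sets it to true without naming that module or the reason, so a later reader cannot tell whether the override is still needed or which import it fights. Put the reason on the line, e.g. `boot.tmpOnTmpfs = lib.mkForce false; # <IMPORT THAT ENABLES IT> assumes more RAM than this board has -- TODO confirm`. Adding `lib` to the module arguments in the first hunk is what makes `mkForce` resolvable; the enclosing set's tail is outside both hunks.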
From: makefu Date: Tue, 3 Oct 2017 15:42:59 +0200 Subject: ma cake.r/source: full deploy --- makefu/1systems/cake/source.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/cake/source.nix b/makefu/1systems/cake/source.nix index 797417a1d..cd97a7c62 100644 --- a/makefu/1systems/cake/source.nix +++ b/makefu/1systems/cake/source.nix @@ -1,3 +1,4 @@ import { name="cake"; -} \ No newline at end of file + full = true; +} -- cgit v1.2.3 From 9d0e857dad5efb4778ebc4a773ad4b313000145c Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 7 Oct 2017 11:29:04 +0200 Subject: ma x.r: disabel remode building again --- makefu/1systems/cake/config.nix | 3 +++ makefu/1systems/x/config.nix | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/cake/config.nix b/makefu/1systems/cake/config.nix index 444c99a22..35eac3ab4 100644 --- a/makefu/1systems/cake/config.nix +++ b/makefu/1systems/cake/config.nix @@ -21,6 +21,9 @@ services.nixosManual.enable = false; boot.tmpOnTmpfs = lib.mkForce false; + hardware.enableRedistributableFirmware = true; + networking.wireless.enable = true; + # File systems configuration for using the installer's partition layout fileSystems = { "/boot" = { diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index 443f912d8..f7db75564 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix @@ -57,7 +57,7 @@ with import ; # - + # # Hardware -- cgit v1.2.3 From f7f1d7a4462a801f23c3483fb1c3d2a4130a5240 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 8 Oct 2017 22:21:16 +0200 Subject: ma cake.r: add firmware for wifi --- makefu/1systems/cake/config.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'makefu/1systems') diff --git a/makefu/1systems/cake/config.nix b/makefu/1systems/cake/config.nix index 35eac3ab4..e8438e50d 100644 --- a/makefu/1systems/cake/config.nix 
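Review bot: `networking.wireless.enable = true;` is added to cake with no `networking.wireless.networks` entry in this file, so wpa_supplicant presumably falls back to a hand-maintained `/etc/wpa_supplicant.conf` on the box, and the commit title (`x.r: disabel remode building again`) does not mention cake at all. If the network list is provisioned out of band, say so next to the line, e.g. `networking.wireless.enable = true; # networks come from <OUT-OF-BAND wpa_supplicant.conf>, not from nix`; if they are meant to live in nix, keep PSKs out of `networking.wireless.networks.<ssid>.psk`, since that value ends up in the world-readable store. `hardware.enableRedistributableFirmware = true;` belongs with the firmware derivation the next commit adds and could carry a comment pointing at it. The enclosing set's head and tail are outside the hunk.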
+++ b/makefu/1systems/cake/config.nix @@ -22,6 +22,20 @@ boot.tmpOnTmpfs = lib.mkForce false; hardware.enableRedistributableFirmware = true; + hardware.firmware = [ + (pkgs.stdenv.mkDerivation { + name = "broadcom-rpi3-rest"; + src = pkgs.fetchurl { + url = "https://raw.githubusercontent.com/RPi-Distro/firmware-nonfree/54bab3d/brcm80211/brcm/brcmfmac43430-sdio.txt"; + sha256 = "19bmdd7w0xzybfassn7x4rb30l70vynnw3c80nlapna2k57xwbw7"; + }; + phases = [ "installPhase" ]; + installPhase = '' + mkdir -p $out/lib/firmware/brcm + cp $src $out/lib/firmware/brcm/brcmfmac43430-sdio.txt + ''; + }) + ]; networking.wireless.enable = true; # File systems configuration for using the installer's partition layout -- cgit v1.2.3 From 903a1182b5c27cf0c07d267f136a0f2e5be3d89b Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 8 Oct 2017 23:14:14 +0200 Subject: gum.r: disable privkey setting via krebs manually configure the secrets instead --- makefu/1systems/gum/config.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index e1357ff01..e769b1e22 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -81,7 +81,9 @@ in { ]; makefu.dl-dir = "/var/download"; - + services.openssh.hostKeys = [ + { bits = 4096; path = ; type = "rsa"; } + { path = ; type = "ed25519"; } ]; ###### stable services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ]; krebs.build.host = config.krebs.hosts.gum; -- cgit v1.2.3 From 0652354ee674005a9e0f5477c1741fbaaa69999e Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 10 Oct 2017 00:04:14 +0200 Subject: ma latte.r: add torrent --- makefu/1systems/latte/config.nix | 1 + makefu/1systems/latte/source.nix | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/latte/config.nix b/makefu/1systems/latte/config.nix index d532f216f..3b06660c6 100644 
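Review bot: The `fetchurl` URL pins the firmware-nonfree checkout by a 7-character prefix (`54bab3d`) while `sha256` pins the content; the hash protects integrity, but a short prefix is not a stable reference — GitHub resolves it by prefix, and a future collision or history rewrite surfaces as a confusing hash-mismatch rather than a clear "ref not found". Use the full commit id in the URL (`<FULL_COMMIT_ID>` placeholder, taken from the upstream repository) so the source is unambiguous even without the hash. `phases = [ "installPhase" ];` skips unpack and fixup, which is fine for one text file but deserves a one-line comment, e.g. `phases = [ "installPhase" ]; # single config file, nothing to unpack or patch`. The enclosing set's head and tail are outside the hunk.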
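Review bot: In the gum hunk `@@ -81,7 +81,9 @@`, `services.openssh.hostKeys` now names explicit key files, but the `path = ;` values are stripped in this rendering, so it cannot be checked whether they are bare `<secrets/...>` path expressions or `toString <secrets/...>`; with a bare path value, interpolating it into `sshd_config` copies the private key into the world-readable Nix store. Whichever form is used, if the file is absent at activation the NixOS module presumably generates a fresh key at that path, silently changing the host identity now that the krebs-managed key is disabled (per the commit message), so a comment naming the out-of-band mechanism that places the files would help, e.g. `# host keys are deployed by <SECRETS MECHANISM>, never via the store`. The enclosing set's head is outside the hunk.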
--- a/makefu/1systems/latte/config.nix +++ b/makefu/1systems/latte/config.nix @@ -26,6 +26,7 @@ in { # Services + ]; krebs = { diff --git a/makefu/1systems/latte/source.nix b/makefu/1systems/latte/source.nix index d997fb3f0..d9600909a 100644 --- a/makefu/1systems/latte/source.nix +++ b/makefu/1systems/latte/source.nix @@ -1,3 +1,4 @@ import { - name="latte"; + name = "latte"; + torrent = true; } -- cgit v1.2.3 From b9731d4851ec4f49235c0ea9e460bd96d2ff29a9 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 10 Oct 2017 22:11:32 +0200 Subject: ma cake.r: add tv --- makefu/1systems/cake/config.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'makefu/1systems') diff --git a/makefu/1systems/cake/config.nix b/makefu/1systems/cake/config.nix index e8438e50d..c287c28df 100644 --- a/makefu/1systems/cake/config.nix +++ b/makefu/1systems/cake/config.nix @@ -6,6 +6,9 @@ # configure your hw: # ]; + users.extraUsers.root.openssh.authorizedKeys.keys = [ + config.krebs.users.tv.pubkey + ]; krebs = { enable = true; tinc.retiolum.enable = true; -- cgit v1.2.3
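Review bot: `users.extraUsers.root.openssh.authorizedKeys.keys = [ config.krebs.users.tv.pubkey ];` in the cake hunk grants another person's key direct root login with no comment on why root rather than a personal account plus sudo, which would keep a per-person audit trail and let the key be revoked without touching root. Whether the entry is effective depends on `services.openssh.permitRootLogin`, which is not visible here; the release default at the time allowed key-only root login, so this should be treated as live access. State the intent inline, e.g. `# tv co-maintains this board; root login kept because <REASON>`. The enclosing set's head and tail are outside the hunk.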