From 0b88f7d2fee456eb0a5c8ec426e5d6f5d7d2e1f3 Mon Sep 17 00:00:00 2001
From: makefu
Date: Mon, 26 Jun 2017 16:00:54 +0200
Subject: ma x.r: cleanup imports
---
makefu/1systems/x.nix | 49 ++++++++++++++++++-------------------------------
1 file changed, 18 insertions(+), 31 deletions(-)
(limited to 'makefu/1systems')
diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix
index ee3a7bb1b..77b9915ae 100644
--- a/makefu/1systems/x.nix
+++ b/makefu/1systems/x.nix
@@ -13,59 +13,48 @@ with import ; ../2configs/tools/all.nix ../2configs/laptop-backup.nix ../2configs/dnscrypt.nix + ../2configs/avahi.nix - # testing - # ../2configs/openvpn/vpngate.nix - #../2configs/temp/share-samba.nix - # ../2configs/mediawiki.nix - # ../2configs/wordpress.nix - # ../2configs/nginx/public_html.nix - # ../2configs/nginx/icecult.nix - - # ../2configs/elchos/irc-token.nix - # ../2configs/elchos/log.nix - - #../2configs/elchos/search.nix - #../2configs/elchos/stats.nix - #../2configs/elchos/test/ftpservers.nix - - # ../2configs/tinc/siem.nix - #../2configs/torrent.nix - # temporary modules - - # ../2configs/torrent.nix - #../2configs/temp/elkstack.nix - # ../2configs/temp/sabnzbd.nix + # Debugging + # ../2configs/disable_v6.nix + # Testing + # ../2configs/deployment/dirctator.nix + # ../2configs/vncserver.nix + # ../2configs/deployment/led-fader + # ../2configs/deployment/hound # development ../2configs/sources # Krebs - # ../2configs/disable_v6.nix ../2configs/tinc/retiolum.nix # applications ../2configs/exim-retiolum.nix ../2configs/mail-client.nix ../2configs/printer.nix + + # Virtualization ../2configs/virtualization.nix + ../2configs/docker.nix ../2configs/virtualization-virtualbox.nix - ../2configs/wwan.nix - ../2configs/rad1o.nix - # services + # Services ../2configs/git/brain-retiolum.nix ../2configs/tor.nix ../2configs/steam.nix # ../2configs/buildbot-standalone.nix - # hardware specifics are in here + # Hardware ../2configs/hw/tp-x230.nix ../2configs/hw/rtl8812au.nix - ../2configs/hw/stk1160.nix + ../2configs/hw/exfat-nofuse.nix + ../2configs/hw/wwan.nix + # ../2configs/hw/stk1160.nix + # ../2configs/rad1o.nix - # mount points + # Filesystem ../2configs/fs/sda-crypto-root-home.nix ]; 
@@ -76,10 +65,8 @@ with import ; nixpkgs.config.allowUnfree = true; - boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; environment.systemPackages = [ pkgs.passwdqc-utils ]; - virtualisation.docker.enable = true; # configure pulseAudio to provide a HDMI sink as well networking.firewall.enable = true; -- cgit v1.3.1 From b28b68250d13bfa15b6cc58e597873737e616e93 Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 27 Jun 2017 21:01:40 +0200 Subject: make x.r: init lancache prepare deployment of lan party steam cache --- makefu/1systems/x.nix | 1 + makefu/2configs/lancache.nix | 79 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 makefu/2configs/lancache.nix (limited to 'makefu/1systems') diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index 77b9915ae..b37c32944 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix @@ -34,6 +34,7 @@ with import ; ../2configs/exim-retiolum.nix ../2configs/mail-client.nix ../2configs/printer.nix + ../2configs/task-client.nix # Virtualization ../2configs/virtualization.nix diff --git a/makefu/2configs/lancache.nix b/makefu/2configs/lancache.nix new file mode 100644 index 000000000..8ec401361 --- /dev/null +++ b/makefu/2configs/lancache.nix 
@@ -0,0 +1,79 @@ +{ pkgs, lib, config, ... }: +with import ; +let + # see https://github.com/zeropingheroes/lancache for full docs + cachedir = "/var/lancache/cache"; + logdir = "/var/lancache/log"; + + lancache= pkgs.stdenv.mkDerivation rec { + name = "lancache-2017-06-26"; + src = pkgs.fetchFromGitHub { + # origin: https://github.com/multiplay/lancache + # forked: https://github.com/zeropingheroes/lancache + repo = "lancache"; + owner = "zeropingheroes"; + rev = "143f7bb"; + sha256 = "1ra4l7qz3k231j5wabr89s5hh80n1kk8vgd3dsh0xx5mdpjhvdl6"; + }; + phases = [ "unpackPhase" "installPhase" ]; + # here we can chance to edit `includes/proxy-cache-paths.conf` + installPhase = '' + mkdir -p $out + cp -r * $out/ + sed -i -e 's/^\(user\).*/\1 ${cfg.user} ${cfg.group};/' \ + -e 's/^\(error_log\).*/\1 stderr;\ndaemon off;/' $out/nginx.conf + ''; + }; + cfg = { + group = "nginx-lancache"; + user = "nginx-lancache"; + stateDir = "/var/lancache"; + package = pkgs.stdenv.lib.overrideDerivation pkgs.nginx (old:{ + configureFlags = old.configureFlags ++ [ + "--with-http_slice_module" + "--with-stream" + "--with-pcre" + ]; + }); + }; +in { + systemd.services.nginx-lancache = { + description = "Nginx lancache Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; + + preStart = '' + PATH_CACHE="/var/lancache/cache" + PATH_LOGS="/var/lancache/logs" + WWW_USER="${cfg.user}" + WWW_GROUP="${cfg.group}" + + mkdir -p $PATH_CACHE + cd $PATH_CACHE + mkdir -p installers tmp + mkdir -p $PATH_LOGS + + chown -R $WWW_USER:$WWW_USER $PATH_CACHE + chown -R $WWW_USER:$WWW_USER $PATH_LOGS + ''; + serviceConfig = { + ExecStart = "${cfg.package}/bin/nginx -c ${lancache}/nginx.conf -p ${lancache}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + RestartSec = "10s"; + StartLimitInterval = "1min"; + }; + }; + users.extraUsers = (singleton + { name = cfg.user; + group = cfg.group; + uid = genid cfg.group; + }); + + 
users.extraGroups = (singleton + { name = "${cfg.group}"; + gid = genid cfg.group; + }); + +} -- cgit v1.3.1 From 890e20f59ca67c612ce29dd356497062b935e81b Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 28 Jun 2017 23:46:27 +0200 Subject: ma vbob: remove videodrivers workaround --- makefu/1systems/vbob.nix | 2 -- 1 file changed, 2 deletions(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index 7421125e4..53ee11474 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -14,8 +14,6 @@ ]; networking.extraHosts = import (toString ); - # workaround for https://github.com/NixOS/nixpkgs/issues/16641 - services.xserver.videoDrivers = lib.mkOverride 45 [ "virtualbox" "modesetting" ]; nixpkgs.config.allowUnfree = true; fileSystems."/nix" = { -- cgit v1.3.1 From 89fd62c21a65fc129c9f6dd59513a55a6298d921 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 29 Jun 2017 00:14:54 +0200 Subject: ma vbob: realtime kernel with jack-audio --- makefu/1systems/vbob.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'makefu/1systems') diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index 53ee11474..b79ec64c0 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -9,9 +9,19 @@ (toString ) ../2configs/main-laptop.nix #< base-gui + # Tools + ../2configs/tools/core.nix + ../2configs/tools/core-gui.nix + ../2configs/tools/dev.nix + ../2configs/tools/extra-gui.nix + ../2configs/tools/sec.nix + # environment ../2configs/tinc/retiolum.nix + ../2configs/audio/jack-on-pulse.nix + ../2configs/audio/realtime-audio.nix + ]; networking.extraHosts = import (toString ); -- cgit v1.3.1 From 7cd2ff2679b688e8fa0c98bc9ecf1d99602c0421 Mon Sep 17 00:00:00 2001 
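Review bot: In the new lancache.nix preStart, both recursive chowns pass `$WWW_USER` as owner and group (`chown -R $WWW_USER:$WWW_USER $PATH_CACHE`) while `WWW_GROUP` is assigned and never used; it only works because `cfg.user` and `cfg.group` happen to carry the same string, so use `chown -R "$WWW_USER:$WWW_GROUP" "$PATH_CACHE" "$PATH_LOGS"`. The let-bindings `cachedir`, `logdir` and `cfg.stateDir` are never referenced and already disagree with the literals in preStart (`/var/lancache/log` versus `PATH_LOGS="/var/lancache/logs"`); deriving the preStart paths from those bindings (`PATH_CACHE="${cachedir}"`, `PATH_LOGS="${logdir}"`) keeps the two from drifting further. ExecStart hands nginx the read-only store path `${lancache}` as its prefix via `-p`; the installPhase sed only redirects `error_log` to stderr, so any other relative path the fetched nginx.conf may use (pid file, access_log, temp directories) would presumably resolve under the store and fail at runtime — worth checking against the pinned revision. serviceConfig sets no `User=`, so the master process runs as root and only the workers drop to `${cfg.user}` via the patched `user` directive; a short comment stating that this is intentional (for port binding) would stop a later reader from adding `User=` and breaking the patched config.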
From: makefu Date: Fri, 30 Jun 2017 23:49:05 +0200 Subject: ma 2fa: init and enable for gum --- makefu/1systems/gum.nix | 3 +++ makefu/2configs/sshd-totp.nix | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 makefu/2configs/sshd-totp.nix (limited to 'makefu/1systems') diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 519313f57..6e57d1404 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -26,6 +26,9 @@ in { ../2configs/tinc/retiolum.nix ../2configs/urlwatch.nix + # Security + ../2configs/sshd-totp.nix + # Tools ../2configs/tools/core.nix ../2configs/tools/dev.nix diff --git a/makefu/2configs/sshd-totp.nix b/makefu/2configs/sshd-totp.nix new file mode 100644 index 000000000..f9984e245 --- /dev/null +++ b/makefu/2configs/sshd-totp.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +# Enables second factor for ssh password login + +## Usage: +# gen-oath-safe totp +## scan the qrcode with google authenticator (or FreeOTP) +## copy last line into secrets//users.oath (chmod 700) +{ + security.pam.oath = { + # enabling it will make it a requisite of `all` services + # enable = true; + digits = 6; + # TODO assert existing + usersFile = (toString ) + "/users.oath"; + }; + # I want TFA only active for sshd with password-auth + security.pam.services.sshd.oathAuth = true; +} -- cgit v1.3.1 From d95039620550368bcee37f74d9828db97d38722f Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 1 Jul 2017 01:12:52 +0200 Subject: ma vbob: enable totp --- makefu/1systems/vbob.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'makefu/1systems') diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index b79ec64c0..d8e275bf6 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -8,6 +8,7 @@ (toString ) (toString ) ../2configs/main-laptop.nix #< base-gui + ../2configs/sshd-totp.nix # Tools ../2configs/tools/core.nix -- cgit v1.3.1 From 38a9f8f6d51bbaa83c7bbd50525844a3039f53fc Mon Sep 17 00:00:00 2001 
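Review bot: The header comment of the new sshd-totp.nix should state the scope of the second factor precisely: pam_oath is consulted only when sshd authenticates through PAM, i.e. password or keyboard-interactive logins, so public-key logins are unaffected, and nothing in this hunk shows sshd being configured to use PAM challenge-response, a dependency that should be documented or asserted here. Suggested wording above the `oathAuth` line: `# Applies only to PAM-backed logins (password / keyboard-interactive); public-key auth bypasses it, and sshd must have PAM challenge-response enabled for this to be consulted at all.` The usage note recommends `chmod 700` for `users.oath`; on a regular secrets file the execute bit is unwanted and `chmod 600` is what is meant. The `# TODO assert existing` on `usersFile` deserves attention before deployment: with the file missing, what happens at login falls to pam_oath's own error handling, which as a requisite module presumably denies password logins — confirm on a test host so the failure mode is known. Since `security.pam.oath.enable` is deliberately left commented out while `digits` and `usersFile` are still set, a one-line comment such as `# oath.enable stays off on purpose: only the sshd entry opts in via oathAuth` would keep the next reader from "fixing" it.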
From: makefu Date: Sat, 1 Jul 2017 01:13:28 +0200 Subject: ma x.r: enable 2fa for sshd --- makefu/1systems/x.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'makefu/1systems') diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index b37c32944..235862e85 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix @@ -19,6 +19,8 @@ with import ; # ../2configs/disable_v6.nix # Testing + # ../2configs/lanparty/lancache.nix + # ../2configs/lanparty/lancache-dns.nix # ../2configs/deployment/dirctator.nix # ../2configs/vncserver.nix # ../2configs/deployment/led-fader @@ -58,6 +60,9 @@ with import ; # Filesystem ../2configs/fs/sda-crypto-root-home.nix + # Security + ../2configs/sshd-totp.nix + ]; makefu.server.primary-itf = "wlp3s0"; -- cgit v1.3.1 From 5f3bece0d647f65c2354ae0944a50d775a3b488e Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 2 Jul 2017 23:09:30 +0200 Subject: ma gum: use urlwatch folder --- makefu/1systems/gum.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'makefu/1systems') diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 6e57d1404..51761d3fd 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -24,7 +24,7 @@ in { # ../2configs/disable_v6.nix ../2configs/exim-retiolum.nix ../2configs/tinc/retiolum.nix - ../2configs/urlwatch.nix + ../2configs/urlwatch # Security ../2configs/sshd-totp.nix -- cgit v1.3.1