From d9cc50653d0c7998052284cfb66b2229e0ce849b Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 30 Jun 2017 22:36:25 +0200 Subject: ma gen-oath-safe: init --- makefu/5pkgs/gen-oath-safe/default.nix | 37 ++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 makefu/5pkgs/gen-oath-safe/default.nix (limited to 'makefu') diff --git a/makefu/5pkgs/gen-oath-safe/default.nix b/makefu/5pkgs/gen-oath-safe/default.nix new file mode 100644 index 000000000..245e65174 --- /dev/null +++ b/makefu/5pkgs/gen-oath-safe/default.nix @@ -0,0 +1,37 @@ +{ coreutils, makeWrapper, openssl, libcaca, qrencode, fetchFromGitHub, yubikey-manager, python, stdenv, ... }: + +stdenv.mkDerivation { + name = "geno-oath-safe-2017-06-30"; + src = fetchFromGitHub { + owner = "mcepl"; + repo = "gen-oath-safe"; + rev = "fb53841"; + sha256 = "0018kqmhg0861r5xkbis2a1rx49gyn0dxcyj05wap5ms7zz69m0m"; + }; + + phases = [ + "unpackPhase" + "installPhase" + "fixupPhase" + ]; + + buildInputs = [ makeWrapper ]; + + installPhase = + let + path = stdenv.lib.makeBinPath [ + coreutils + openssl + qrencode + yubikey-manager + libcaca + python + ]; + in + '' + mkdir -p $out/bin + cp gen-oath-safe $out/bin/ + wrapProgram $out/bin/gen-oath-safe \ + --prefix PATH : ${path} + ''; +} -- cgit v1.2.3 From 7cd2ff2679b688e8fa0c98bc9ecf1d99602c0421 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 30 Jun 2017 23:49:05 +0200 Subject: ma 2fa: init and enable for gum --- makefu/1systems/gum.nix | 3 +++ makefu/2configs/sshd-totp.nix | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 makefu/2configs/sshd-totp.nix (limited to 'makefu') diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 519313f57..6e57d1404 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -26,6 +26,9 @@ in { ../2configs/tinc/retiolum.nix ../2configs/urlwatch.nix + # Security + ../2configs/sshd-totp.nix + # Tools ../2configs/tools/core.nix ../2configs/tools/dev.nix 
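Review bot: The derivation name on the `name =` line reads `geno-oath-safe-2017-06-30` while the upstream repo, the copied script and the wrapped binary are all `gen-oath-safe`; `name = "gen-oath-safe-2017-06-30";` keeps the store path consistent with what users will search for. The source pin `rev = "fb53841";` is an abbreviated commit id; the `sha256` still fixes the fetched content, but a 7-character prefix can become ambiguous as the upstream repo grows and the fetch then fails, so the full 40-character commit hash is the safer pin for a fetchFromGitHub source. `makeWrapper` is a build-time tool and belongs in `nativeBuildInputs = [ makeWrapper ];` rather than `buildInputs` (harmless for a native build, wrong under cross-compilation).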
diff --git a/makefu/2configs/sshd-totp.nix b/makefu/2configs/sshd-totp.nix
new file mode 100644
index 000000000..f9984e245
--- /dev/null
+++ b/makefu/2configs/sshd-totp.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+# gen-oath-safe totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets//users.oath (chmod 700)
+{
+ security.pam.oath = {
+ # enabling it will make it a requisite of `all` services
+ # enable = true;
+ digits = 6;
+ # TODO assert existing
+ usersFile = (toString ) + "/users.oath";
+ };
+ # I want TFA only active for sshd with password-auth
+ security.pam.services.sshd.oathAuth = true;
+}
-- 
cgit v1.2.3
From 09e31fb8a27d1f9f7acfc1f40f0b2ae598a22e34 Mon Sep 17 00:00:00 2001
From: makefu
Date: Sat, 1 Jul 2017 01:10:31 +0200
Subject: ma lancache: retab
---
 makefu/2configs/lanparty/lancache.nix | 59 ++++++++++++++++++-----------------
 1 file changed, 30 insertions(+), 29 deletions(-)
(limited to 'makefu')
diff --git a/makefu/2configs/lanparty/lancache.nix b/makefu/2configs/lanparty/lancache.nix
index ff5b0d788..3df2e3f59 100644
--- a/makefu/2configs/lanparty/lancache.nix
+++ b/makefu/2configs/lanparty/lancache.nix
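Review bot: The `# TODO assert existing` above `usersFile` is left open, and a missing users.oath surfaces only as a PAM failure at login time; an eval-time check such as `assertions = [ { assertion = builtins.pathExists config.security.pam.oath.usersFile; message = "sshd-totp: users.oath missing"; } ];` (after adding `config` to the module arguments) fails the build instead. The argument of `toString` on that line appears to have been lost in rendering — presumably an angle-bracket search path like the one in the usage comment — so confirm it is intact in the committed file. The header says the factor applies to ssh password logins only, but nothing here sets sshd's PAM or challenge-response options, which pam_oath's OTP prompt depends on; pinning `services.openssh.challengeResponseAuthentication = true;` in this module would keep the import self-contained instead of relying on host defaults. The usage comment's `chmod 700` is for a regular file, where `600` is the conventional mode; either way the seeds in users.oath are plaintext, so the secrets directory holding it needs the same protection.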
@@ -36,38 +36,39 @@ let }; in { systemd.services.nginx-lancache = { - description = "Nginx lancache Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = true; + description = "Nginx lancache Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; - preStart = '' - mkdir -p ${cfg.statedir} && cd ${cfg.statedir} - PATH_CACHE=$PATH_BASE/cache - PATH_LOGS=$PATH_BASE/logs + preStart = '' + mkdir -p ${cfg.statedir} && cd ${cfg.statedir} + PATH_CACHE=$PATH_BASE/cache + PATH_LOGS=$PATH_BASE/logs - mkdir -p cache/{installers,tmp} logs - rm -f conf; ln -s ${lancache} conf - chown -R ${cfg.user}:${cfg.group} . - ''; - serviceConfig = { - ExecStart = "${cfg.package}/bin/nginx -p ${cfg.statedir}"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - Restart = "always"; - RestartSec = "10s"; - StartLimitInterval = "1min"; - }; + mkdir -p cache/{installers,tmp} logs + rm -f conf; ln -s ${lancache} conf + chown -R ${cfg.user}:${cfg.group} . + ''; + serviceConfig = { + ExecStart = "${cfg.package}/bin/nginx -p ${cfg.statedir}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + RestartSec = "10s"; + StartLimitInterval = "1min"; }; - environment.etc.nginx.source = lancache; - users.extraUsers = (singleton - { name = cfg.user; - group = cfg.group; - uid = genid cfg.group; - }); + }; - users.extraGroups = (singleton - { name = "${cfg.group}"; - gid = genid cfg.group; - }); + environment.etc.nginx.source = lancache; + users.extraUsers = (singleton + { name = cfg.user; + group = cfg.group; + uid = genid cfg.group; + }); + users.extraGroups = (singleton + { name = "${cfg.group}"; + gid = genid cfg.group; + }); + networking.firewall.allowedTCPPorts = [ 80 443 ]; } -- cgit v1.2.3 From 4d9d70c6cc7c47cf62a83e838d70134c33594065 Mon Sep 17 00:00:00 2001 
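Review bot: The `+ networking.firewall.allowedTCPPorts = [ 80 443 ];` line at the end of the hunk is a functional change hidden in a commit titled "retab" (30 insertions against 29 deletions in the diffstat): it opens two ports on every host that imports lancache.nix. It should land as its own commit with a message saying so, and since the nginx instance is started with `-p ${cfg.statedir}` against the `${lancache}` config linked in `preStart`, the listening ports presumably live in that config and the firewall list should be derived from the same place rather than hard-coded. The `let` block that opens the file starts before the hunk.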
From: makefu Date: Sat, 1 Jul 2017 01:11:31 +0200 Subject: ma: add gen-oath-safe to dev tools --- makefu/2configs/tools/dev.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'makefu') diff --git a/makefu/2configs/tools/dev.nix b/makefu/2configs/tools/dev.nix index e40f5b36f..42006eb22 100644 --- a/makefu/2configs/tools/dev.nix +++ b/makefu/2configs/tools/dev.nix @@ -14,5 +14,6 @@ ovh-zone whatsupnix brain + gen-oath-safe ]; } -- cgit v1.2.3 From d95039620550368bcee37f74d9828db97d38722f Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 1 Jul 2017 01:12:52 +0200 Subject: ma vbob: enable totp --- makefu/1systems/vbob.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'makefu') diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index b79ec64c0..d8e275bf6 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -8,6 +8,7 @@ (toString ) (toString ) ../2configs/main-laptop.nix #< base-gui + ../2configs/sshd-totp.nix # Tools ../2configs/tools/core.nix -- cgit v1.2.3 From 38a9f8f6d51bbaa83c7bbd50525844a3039f53fc Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 1 Jul 2017 01:13:28 +0200 Subject: ma x.r: enable 2fa for sshd --- makefu/1systems/x.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'makefu') diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index b37c32944..235862e85 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix @@ -19,6 +19,8 @@ with import ; # ../2configs/disable_v6.nix # Testing + # ../2configs/lanparty/lancache.nix + # ../2configs/lanparty/lancache-dns.nix # ../2configs/deployment/dirctator.nix # ../2configs/vncserver.nix # ../2configs/deployment/led-fader @@ -58,6 +60,9 @@ with import ; # Filesystem ../2configs/fs/sda-crypto-root-home.nix + # Security + ../2configs/sshd-totp.nix + ]; makefu.server.primary-itf = "wlp3s0"; -- cgit v1.2.3 From b4bcf2b0a4dd5fbc69a4b539b32f82fb3eccc4a2 Mon Sep 17 00:00:00 2001 
From: makefu Date: Sun, 2 Jul 2017 23:06:36 +0200 Subject: ma urlwatch: use hook for json api --- makefu/2configs/urlwatch.nix | 27 --------------------------- makefu/2configs/urlwatch/default.nix | 35 +++++++++++++++++++++++++++++++++++ makefu/2configs/urlwatch/hook.py | 12 ++++++++++++ 3 files changed, 47 insertions(+), 27 deletions(-) delete mode 100644 makefu/2configs/urlwatch.nix create mode 100644 makefu/2configs/urlwatch/default.nix create mode 100644 makefu/2configs/urlwatch/hook.py (limited to 'makefu') diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch.nix deleted file mode 100644 index 9493b2b7b..000000000 --- a/makefu/2configs/urlwatch.nix +++ /dev/null @@ -1,27 +0,0 @@ -{ config, lib, ... }: - -{ - krebs.urlwatch = { - enable = true; - mailto = config.krebs.users.makefu.mail; - onCalendar = "*-*-* 05:00:00"; - urls = [ - ## nixpkgs maintenance - https://api.github.com/repos/ovh/python-ovh/tags - https://api.github.com/repos/embray/d2to1/tags - https://api.github.com/repos/Mic92/vicious/tags - https://pypi.python.org/simple/bepasty/ - https://pypi.python.org/simple/xstatic/ - http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/ - http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/ - https://github.com/amadvance/snapraid/releases.atom - https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack - https://api.github.com/repos/embray/d2to1/tags - https://api.github.com/repos/dorimanx/exfat-nofuse/commits - https://api.github.com/repos/dorimanx/exfat-nofuse/tags - https://api.github.com/repos/radare/radare2/tags - https://api.github.com/repos/rapid7/metasploit-framework/tags - ]; - }; -} - diff --git a/makefu/2configs/urlwatch/default.nix b/makefu/2configs/urlwatch/default.nix new file mode 100644 index 000000000..54c8ee924 --- /dev/null +++ b/makefu/2configs/urlwatch/default.nix 
@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+
+{
+ krebs.urlwatch = {
+ enable = true;
+ mailto = config.krebs.users.makefu.mail;
+ onCalendar = "*-*-* 05:00:00";
+ hooksFile = ./hook.py;
+ urls = [
+ ## nixpkgs maintenance
+ https://api.github.com/repos/ovh/python-ovh/tags
+ https://api.github.com/repos/embray/d2to1/tags
+ https://api.github.com/repos/Mic92/vicious/tags
+ https://pypi.python.org/simple/bepasty/
+ https://pypi.python.org/simple/xstatic/
+ https://pypi.python.org/simple/devpi-client/
+ http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
+ http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
+ https://github.com/amadvance/snapraid/releases.atom
+ https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
+ https://api.github.com/repos/embray/d2to1/tags
+ https://api.github.com/repos/dorimanx/exfat-nofuse/commits
+ https://api.github.com/repos/dorimanx/exfat-nofuse/tags
+ https://api.github.com/repos/radare/radare2/tags
+ https://api.github.com/repos/rapid7/metasploit-framework/tags
+ https://api.github.com/repos/mcepl/gen-oath-safe/commits
+ https://api.github.com/repos/naim94a/udpt/commits
+ https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
+ https://api.github.com/repos/dirkvdb/ps3netsrv--/commits
+ # TODO: dymo cups
+
+ ];
+ };
+}
+
diff --git a/makefu/2configs/urlwatch/hook.py b/makefu/2configs/urlwatch/hook.py
new file mode 100644
index 000000000..fc598423f
--- /dev/null
+++ b/makefu/2configs/urlwatch/hook.py
@@ -0,0 +1,12 @@
+import logging
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger()
+# log.setLevel(level=logging.INFO)
+def filter(url, data):
+ log.info("handling url '{}'".format(url))
+ if "api.github.com" in url:
+ import json
+ log.info("url is a github api link, assuming json")
+ return json.dumps(json.loads(data),indent=2)
+
+ return data
-- 
cgit v1.2.3
From 2eb910183a92bd6e8d3796d821c783d878ae956b Mon Sep 17 00:00:00 2001
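Review bot: `json.loads(data)` on the `return json.dumps(...)` line raises `ValueError` whenever an api.github.com response body is not JSON (an HTML error page, for instance), and nothing catches it, so one bad fetch aborts the hook for that job instead of falling through to `return data`; the rewritten body below catches that case and passes the body through unchanged. The same unguarded `json.loads` survives in `JsonFilter.filter` of the refactored hook.py later in this series. Two smaller points: the module-level `filter` shadows the builtin of the same name, and `import json` belongs at the top of the file next to `import logging` rather than inside the branch. `logging.basicConfig(level=logging.INFO)` at import time also reconfigures the root logger of whatever process loads the hook, which may override urlwatch's own logging setup — worth confirming that is intended.
```python
def filter(url, data):
    # … unchanged: log.info on the url …
    if "api.github.com" in url:
        # … unchanged: log.info "assuming json" …
        try:
            parsed = json.loads(data)
        except ValueError:
            # not JSON after all (e.g. an HTML error page): pass the body through
            return data
        return json.dumps(parsed, indent=2)
    return data
```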
From: makefu Date: Sun, 2 Jul 2017 23:09:12 +0200 Subject: ma urlwatch: refactor --- makefu/2configs/urlwatch/default.nix | 36 +++++++++++++++++++++++------------- makefu/2configs/urlwatch/hook.py | 22 +++++++++++++--------- 2 files changed, 36 insertions(+), 22 deletions(-) (limited to 'makefu') diff --git a/makefu/2configs/urlwatch/default.nix b/makefu/2configs/urlwatch/default.nix index 54c8ee924..f17bcdc3a 100644 --- a/makefu/2configs/urlwatch/default.nix +++ b/makefu/2configs/urlwatch/default.nix 
@@ -8,27 +8,37 @@ hooksFile = ./hook.py; urls = [ ## nixpkgs maintenance - https://api.github.com/repos/ovh/python-ovh/tags - https://api.github.com/repos/embray/d2to1/tags - https://api.github.com/repos/Mic92/vicious/tags + # github + ## No rate limit + https://github.com/amadvance/snapraid/releases.atom + https://github.com/radare/radare2/releases.atom + https://github.com/ovh/python-ovh/releases.atom + https://github.com/embray/d2to1/releases.atom + https://github.com/Mic92/vicious/releases.atom + https://github.com/embray/d2to1/releases.atom + https://github.com/dorimanx/exfat-nofuse/releases.atom + https://github.com/rapid7/metasploit-framework/releases.atom + ## rate limited + # https://api.github.com/repos/dorimanx/exfat-nofuse/commits + # https://api.github.com/repos/mcepl/gen-oath-safe/commits + https://api.github.com/repos/naim94a/udpt/commits + https://api.github.com/repos/dirkvdb/ps3netsrv--/commits + + # pypi https://pypi.python.org/simple/bepasty/ https://pypi.python.org/simple/xstatic/ https://pypi.python.org/simple/devpi-client/ + # weird shit http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/ http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/ - https://github.com/amadvance/snapraid/releases.atom https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack - https://api.github.com/repos/embray/d2to1/tags - https://api.github.com/repos/dorimanx/exfat-nofuse/commits - https://api.github.com/repos/dorimanx/exfat-nofuse/tags - https://api.github.com/repos/radare/radare2/tags - https://api.github.com/repos/rapid7/metasploit-framework/tags - https://api.github.com/repos/mcepl/gen-oath-safe/commits - https://api.github.com/repos/naim94a/udpt/commits https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack - https://api.github.com/repos/dirkvdb/ps3netsrv--/commits - # TODO: dymo cups + { + url = 
https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ;
+ filter = "grep:Software/Linux/dymo-cups-drivers";
+ }
+ # TODO: dymo cups
 
 ];
 };
 }
diff --git a/makefu/2configs/urlwatch/hook.py b/makefu/2configs/urlwatch/hook.py
index fc598423f..7d9282c7e 100644
--- a/makefu/2configs/urlwatch/hook.py
+++ b/makefu/2configs/urlwatch/hook.py
@@ -1,12 +1,16 @@
 import logging
 logging.basicConfig(level=logging.INFO)
 log = logging.getLogger()
-# log.setLevel(level=logging.INFO)
-def filter(url, data):
- log.info("handling url '{}'".format(url))
- if "api.github.com" in url:
- import json
- log.info("url is a github api link, assuming json")
- return json.dumps(json.loads(data),indent=2)
-
- return data
+log.setLevel(level=logging.INFO)
+
+import re
+import json
+
+from urlwatch import filters
+
+
+class JsonFilter(filters.RegexMatchFilter):
+ MATCH = {'url': re.compile('https?://api.github.com/.*')}
+
+ def filter(self, data):
+ return json.dumps(json.loads(data),indent=2,sort_keys=True)
-- 
cgit v1.2.3
From 5f3bece0d647f65c2354ae0944a50d775a3b488e Mon Sep 17 00:00:00 2001
From: makefu
Date: Sun, 2 Jul 2017 23:09:30 +0200
Subject: ma gum: use urlwatch folder
---
 makefu/1systems/gum.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'makefu')
diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix
index 6e57d1404..51761d3fd 100644
--- a/makefu/1systems/gum.nix
+++ b/makefu/1systems/gum.nix
@@ -24,7 +24,7 @@ in {
 # ../2configs/disable_v6.nix
 ../2configs/exim-retiolum.nix
 ../2configs/tinc/retiolum.nix
- ../2configs/urlwatch.nix
+ ../2configs/urlwatch
 
 # Security
 ../2configs/sshd-totp.nix
-- 
cgit v1.2.3
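Review bot: `https://github.com/embray/d2to1/releases.atom` is added twice in the `## No rate limit` group (once after python-ovh, once after Mic92/vicious), so that feed would be fetched and reported twice; drop one of the two lines. The `+ # TODO: dymo cups` comment is re-added directly after the new dymo job with the `grep:Software/Linux/dymo-cups-drivers` filter; if something is still pending for that job the comment should say what, otherwise it reads as stale. The hunk also keeps the `http://guest:derpi@cvs2svn.tigris.org/...` entry with credentials embedded in the URL (unchanged here); they are presumably public guest credentials, which a comment on that line could confirm for the next reader. The enclosing `krebs.urlwatch = {` attribute set starts before the hunk.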
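Review bot: The `MATCH` regex `https?://api.github.com/.*` leaves the dots in the host unescaped, so a URL such as `https://api-github.com/` would be treated as a GitHub API job too; `re.compile(r'https?://api\.github\.com/.*')` matches only the intended host. `json.loads(data)` in `JsonFilter.filter` is still unguarded, so a non-JSON body raises out of the filter (same point as on the first hook.py hunk in this series). Style: `import re`, `import json` and `from urlwatch import filters` sit below executable statements and belong beside `import logging` at the top, `log` is no longer used anywhere, and `log.setLevel(level=logging.INFO)` duplicates the level already passed to `basicConfig`.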