author | nin <nineinchnade@gmail.com> | 2017-07-06 20:36:05 +0200 |
---|---|---|
committer | nin <nineinchnade@gmail.com> | 2017-07-06 20:36:05 +0200 |
commit | de8baa21bf122242c4ad6a4c17405259037149c8 (patch) | |
tree | 85e34f8040799313fa73a23eddb41ab5eec1d9e9 | |
parent | 060ae725c32e6490d47bc3153de076ace26b59fd (diff) | |
parent | 438fdd2bd8e363567f544966e49d00f728921301 (diff) |
Merge branch 'master' of prism:stockholm
59 files changed, 912 insertions, 281 deletions
@@ -51,13 +51,23 @@ $(if $(target_user),,$(error unbound variable: target_user)) $(if $(target_port),,$(error unbound variable: target_port)) $(if $(target_path),,$(error unbound variable: target_path)) +whatsupnix = \ + if type whatsupnix >/dev/null 2>&1; then \ + whatsupnix $(1); \ + else \ + cat; \ + fi + build = \ nix-build \ + -Q \ --no-out-link \ --show-trace \ -I nixos-config=$(nixos-config) \ -I stockholm=$(stockholm) \ - -E "with import <stockholm>; $(1)" + -E "with import <stockholm>; $(1)" \ + $(2) \ + |& $(call whatsupnix) evaluate = \ nix-instantiate \ @@ -66,7 +76,8 @@ evaluate = \ --show-trace \ -I nixos-config=$(nixos-config) \ -I stockholm=$(stockholm) \ - -E "let eval = import <stockholm>; in with eval; $(1)" + -E "let eval = import <stockholm>; in with eval; $(1)" \ + $(2) ifeq ($(MAKECMDGOALS),) $(error No goals specified) @@ -84,11 +95,7 @@ deploy: $(ssh) $(target_user)@$(target_host) -p $(target_port) \ env STOCKHOLM_VERSION="$$STOCKHOLM_VERSION" \ nixos-rebuild -Q $(rebuild-command) --show-trace -I $(target_path) \ - |& if type whatsupnix 2>/dev/null; then \ - whatsupnix $(target_user)@$(target_host):$(target_port); \ - else \ - cat; \ - fi + |& $(call whatsupnix,$(target_user)@$(target_host):$(target_port)) # usage: make populate system=foo populate: populate-target = \ @@ -126,10 +133,10 @@ install: # usage: make test system=foo [target=bar] [method={eval,build}] method ?= eval ifeq ($(method),build) -test: command = nix-build --no-out-link +test: test = $(call build,$(1),$(2)) else ifeq ($(method),eval) -test: command ?= nix-instantiate --eval --json --readonly-mode --strict +test: test ?= $(call evaluate,$(1),$(2)) --json --strict | jq -r . else $(error bad method: $(method)) endif 
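Review bot: In the new `build` macro the pipeline `nix-build ... |& $(call whatsupnix)` reports the status of its last command, so when whatsupnix is not installed the `cat` fallback hides a failed nix-build from make; the `test` recipe in the `@@ -126` hunk has the same problem with `| jq -r .`, where jq exits 0 on empty input and an evaluation error still counts as a passing test. Unless pipefail is already enabled outside this hunk, set it for the recipes, e.g. `.SHELLFLAGS := -o pipefail -c` next to the bash `SHELL` setting (`|&` already requires bash). With whatsupnix installed the build case is covered, because whatsupnix exits 2 when it finds a failed derivation, but the fallback and the jq path are not.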
@@ -141,6 +148,4 @@ else test: wrapper = $(ssh) $(target_user)@$(target_host) -p $(target_port) endif test: populate - $(wrapper) \ - $(command) --show-trace -I $(target_path) \ - -A config.system.build.toplevel $(target_path)/stockholm + $(wrapper) $(call test,config.system.build.toplevel,-I $(target_path)) diff --git a/doc/Commit_Messages_Guideline.md b/doc/Commit_Messages_Guideline.md new file mode 100644 index 000000000..e704ee575 --- /dev/null +++ b/doc/Commit_Messages_Guideline.md 
@@ -0,0 +1,53 @@ +# Commit Messages Guideline + +Commits SHOULD have the following format: + +``` +<namespace?> <component>: <change> + +<rationale> + +(<reference-name>: <reference-id>)? +``` + +## `<namespace>` +Defines where the change took place. This can be omitted if the +namespace is `krebs`. Namespaces may be shortened to one to four characters ( +lassulus -> lass, makefu -> make, tv -> tv, shared -> sha) + +## `<component>` +Name of the component which was touched. `component` is +rather fuzzy and may mean different things, just choose what would fit best. + +Here are a numbers of samples for defining the component: + +* Change `gum` in `krebs/3modules/makefu/default.nix`: `gum.r: change ip` +* Change `prepare.sh` in `krebs/4libs/infest`: `infest: prepare stockholm ISO` +* Remove `concat` in `krebs/5pkgs`: `concat: RIP`, this commit may like some `<rationale>` +* Update `types` in `krebs/3modules`: `lib/types: add managed bool to host type` +* Change host `gum` in `makefu/1systems/gum`: `ma gum.r: add taskserver` +* Change `tinc` module in `krebs/3modules`: `tinc module: add option enableLegacy` + +## `<rationale>` +Describe some trivia why the commit was done: +``` +whatsupnix: init + +Import from https://github.com/NixOS/nix/issues/443#issuecomment-296752535 +``` + +## `<reference>` +Defines external resouces related to the commit: +``` +Closes: #123533 +CVE: CVE-2016-00001 +URL: https://example.com/CVE-2016-00001 +``` + +## Remarks +As a general rule of thumb you can check out: https://www.slideshare.net/TarinGamberini/commit-messages-goodpractices +Of course the pattern not always fits perfectly (for example for refactoring), +just apply some common sense and define a useful commit message, +like `refactor krebs.setuid`. + + diff --git a/doc/makefu/logbook/install_fileleech.md b/doc/makefu/logbook/install_fileleech.md new file mode 100644 index 000000000..15f8c1bca --- /dev/null +++ b/doc/makefu/logbook/install_fileleech.md 
@@ -0,0 +1,17 @@ +# install fileleech + +``` +builder$ python3 host.py --create-ssh-keys --create-passwords fileleech +iso$ fdisk /dev/sda # 3 partitions, grub,boot,crypt +iso$ cryptsetup luksFormat /dev/sda3 --cipher aes-xts-plain64 -s 512 -h sha512 +iso$ cryptsetup luksAddKey /dev/sda3 hddkey +iso$ cryptsetup luksOpen --keyfile-size=4096 -d /dev/disk/by-id/usb-Intuix_DiskOnKey_09A07360336198F8-0:0 /dev/disk/by-id/ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3 luksroot +iso$ mkfs.ext4 -Lnixboot /dev/sda2 +iso$ mkfs.ext4 -Lroot /dev/mapper/luksroot +iso$ echo 1 > /proc/sys/net/ipv6/conf/enp8s0f0/disable_ipv6 +iso$ mount /dev/mapper/luksroot /mnt +iso$ mkdir /mnt/boot +iso$ mount /dev/sda2 /mnt/boot +iso$ mkdir -p /mnt/var/src +iso$ touch /mnt/var/src/.populate +``` diff --git a/doc/makefu/logbook/transfer_gum.md b/doc/makefu/logbook/transfer_gum.md new file mode 100644 index 000000000..5f9c88256 --- /dev/null +++ b/doc/makefu/logbook/transfer_gum.md @@ -0,0 +1,16 @@ +# transfer gum to new hosts + +``` +builder$ vim krebs/3modules/makefu/default.nix +## update ip +builder$ vim makefu/1systems/gum.nix +## update hardware config + +old-gum$ rsync --progress -lprtvzF . <newip>:/mnt/ + +new-gum$ touch /mnt/var/src/.populate +new-gum$ gdisk /dev/sda r;g;w # gpt to mbr + +builder$ make -C ~/stockholm system=gum target=vcygfnhdxyxr47zu.onion install + +``` diff --git a/krebs/3modules/build.nix b/krebs/3modules/build.nix index 51f192703..976d378f9 100644 --- a/krebs/3modules/build.nix +++ b/krebs/3modules/build.nix @@ -24,4 +24,6 @@ with import <stockholm/lib>; type = types.user; }; }; + + config.krebs.build.source.stockholm.file = mkDefault (toString <stockholm>); } diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 4c0ce0fe3..c517ac1d8 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix 
@@ -308,7 +308,6 @@ with import <stockholm/lib>; extraZones = { "krebsco.de" = '' wry IN A ${nets.internet.ip4.addr} - io IN NS wry.krebsco.de. tinc IN A ${nets.internet.ip4.addr} ''; }; @@ -470,6 +469,7 @@ with import <stockholm/lib>; wiki.euer IN A ${nets.internet.ip4.addr} graph IN A ${nets.internet.ip4.addr} ghook IN A ${nets.internet.ip4.addr} + io IN NS gum.krebsco.de. ''; }; nets = rec { diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index c06e5ddb1..463fa26ba 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -60,6 +60,7 @@ let description = "URL to watch."; example = [ https://nixos.org/channels/nixos-unstable/git-revision + { url = http://localhost ; filter = "grep:important.*stuff"; } ]; apply = map (x: getAttr (typeOf x) { set = x; @@ -79,7 +80,8 @@ let }; urlsFile = pkgs.writeText "urls" - (concatMapStringsSep "\n---\n" toJSON cfg.urls); + (concatMapStringsSep "\n---\n" + (x: toJSON (filterAttrs (n: v: n != "_module") x)) cfg.urls); hooksFile = cfg.hooksFile; @@ -142,17 +144,6 @@ let PrivateTmp = "true"; SyslogIdentifier = "urlwatch"; Type = "oneshot"; - ExecStartPre = - pkgs.writeDash "urlwatch-prestart" '' - set -euf - - dataDir=$HOME - - if ! test -e "$dataDir"; then - mkdir -m 0700 -p "$dataDir" - chown ${user.name}: "$dataDir" - fi - ''; ExecStart = pkgs.writeDash "urlwatch" '' set -euf @@ -185,6 +176,8 @@ let }; users.extraUsers = singleton { inherit (user) name uid; + home = cfg.dataDir; + createHome = true; }; }; diff --git a/krebs/5pkgs/simple/ucspi-tcp/chmod.patch b/krebs/5pkgs/simple/ucspi-tcp/chmod.patch new file mode 100644 index 000000000..dd6933208 --- /dev/null +++ b/krebs/5pkgs/simple/ucspi-tcp/chmod.patch 
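Review bot: The `_module` filter in the `urlsFile` hunk (`@@ -79`) can use the builtin `removeAttrs`, which states the intent more directly than a predicate: `(x: toJSON (removeAttrs x [ "_module" ])) cfg.urls`. In the `@@ -142` and `@@ -185` hunks the removed `ExecStartPre` created the data directory with an explicit `mkdir -m 0700` and chown, while the replacement relies on `createHome = true`; presumably NixOS creates the home with an equally restrictive mode, but that is worth confirming against the pinned nixpkgs since the directory holds fetched content and the urlwatch cache. A short comment on `createHome` noting that it replaces the old prestart mkdir would keep that history visible.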
@@ -0,0 +1,15 @@
+diff --git a/hier.c b/hier.c
+index 5663ada..1d73b84 100644
+--- a/hier.c
++++ b/hier.c
+@@ -2,8 +2,8 @@
+ 
+ void hier()
+ {
+- h(auto_home,-1,-1,02755);
+- d(auto_home,"bin",-1,-1,02755);
++ h(auto_home,-1,-1,0755);
++ d(auto_home,"bin",-1,-1,0755);
+ 
+ c(auto_home,"bin","tcpserver",-1,-1,0755);
+ c(auto_home,"bin","tcprules",-1,-1,0755);
diff --git a/krebs/5pkgs/simple/ucspi-tcp/default.nix b/krebs/5pkgs/simple/ucspi-tcp/default.nix
new file mode 100644
index 000000000..3b043be06
--- /dev/null
+++ b/krebs/5pkgs/simple/ucspi-tcp/default.nix
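Review bot: The patch drops the setgid bit (02755 to 0755) from the install directories in hier.c without recording why, and the `patches` list in the accompanying default.nix does not explain it either. Text before the first `diff --git` line is ignored by both patch and git apply, so a one-line rationale can live in the file itself, e.g. `Drop setgid from the install directories; presumably the Nix store does not keep setuid/setgid bits on outputs.` — replace the presumption with the actual reason if it is a different one. Recording it matters because a later upgrade of the Debian patch set may silently re-apply or conflict with this change.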
@@ -0,0 +1,86 @@ +{ stdenv, fetchurl }: + +stdenv.mkDerivation rec { + name = "ucspi-tcp-0.88"; + + src = fetchurl { + url = "http://cr.yp.to/ucspi-tcp/${name}.tar.gz"; + sha256 = "171yl9kfm8w7l17dfxild99mbf877a9k5zg8yysgb1j8nz51a1ja"; + }; + + # Plain upstream tarball doesn't build, get patches from Debian + patches = [ + (fetchurl { + url = "http://ftp.de.debian.org/debian/pool/main/u/ucspi-tcp/ucspi-tcp_0.88-3.diff.gz"; + sha256 = "0mzmhz8hjkrs0khmkzs5i0s1kgmgaqz07h493bd5jj5fm5njxln6"; + }) + ./chmod.patch + ]; + + # Apply Debian patches + postPatch = '' + for fname in debian/diff/*.diff; do + echo "Applying patch $fname" + patch < "$fname" + done + ''; + + # The build system is weird; 'make install' doesn't install anything, instead + # it builds an executable called ./install (from C code) which installs + # binaries to the directory given on line 1 in ./conf-home. + # + # Also, assume getgroups and setgroups work, instead of doing a build time + # test that breaks on NixOS (I think because nixbld users lack CAP_SETGID + # capability). + preBuild = '' + echo "$out" > conf-home + + echo "main() { return 0; }" > chkshsgr.c + ''; + + installPhase = '' + mkdir -p "$out/bin" + mkdir -p "$out/share/man/man1" + + # run the newly built installer + ./install + + # Install Debian man pages (upstream has none) + cp debian/ucspi-tcp-man/*.1 "$out/share/man/man1" + ''; + + meta = with stdenv.lib; { + description = "Command-line tools for building TCP client-server applications"; + longDescription = '' + tcpserver waits for incoming connections and, for each connection, runs a + program of your choice. Your program receives environment variables + showing the local and remote host names, IP addresses, and port numbers. + + tcpserver offers a concurrency limit to protect you from running out of + processes and memory. When you are handling 40 (by default) simultaneous + connections, tcpserver smoothly defers acceptance of new connections. 
+ + tcpserver also provides TCP access control features, similar to + tcp-wrappers/tcpd's hosts.allow but much faster. Its access control rules + are compiled into a hashed format with cdb, so it can easily deal with + thousands of different hosts. + + This package includes a recordio tool that monitors all the input and + output of a server. + + tcpclient makes a TCP connection and runs a program of your choice. It + sets up the same environment variables as tcpserver. + + This package includes several sample clients built on top of tcpclient: + who@, date@, finger@, http@, tcpcat, and mconnect. + + tcpserver and tcpclient conform to UCSPI, the UNIX Client-Server Program + Interface, using the TCP protocol. UCSPI tools are available for several + different networks. + ''; + homepage = http://cr.yp.to/ucspi-tcp.html; + license = licenses.publicDomain; + platforms = platforms.linux; + maintainers = [ maintainers.bjornfor ]; + }; +} diff --git a/krebs/5pkgs/simple/whatsupnix/whatsupnix.bash b/krebs/5pkgs/simple/whatsupnix/whatsupnix.bash index 042763048..2ad9aadc9 100644 --- a/krebs/5pkgs/simple/whatsupnix/whatsupnix.bash +++ b/krebs/5pkgs/simple/whatsupnix/whatsupnix.bash @@ -17,25 +17,22 @@ # 2 Build error; at least one failed derivation could be found. # -GAWK=${GAWK:-gawk} -NIX_STORE=${NIX_STORE:-nix-store} - failed_drvs=$(mktemp --tmpdir whatsupnix.XXXXXXXX) trap 'rm -f -- "$failed_drvs"' EXIT exec >&2 -$GAWK -v failed_drvs="$failed_drvs" ' +gawk -v failed_drvs="$failed_drvs" ' match($0, /^builder for ‘(\/nix\/store\/[^’]+\.drv)’ failed/, m) { print m[1] >> failed_drvs } - { print $0 } + { print $0; fflush("/dev/stdout") } ' case $# in 0) print_log() { - NIX_PAGER= $NIX_STORE -l "$1" + NIX_PAGER= nix-store -l "$1" } ;; 1) diff --git a/lass/1systems/icarus.nix b/lass/1systems/icarus.nix index b869a67a7..13c517e3b 100644 --- a/lass/1systems/icarus.nix +++ b/lass/1systems/icarus.nix 
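Review bot: The `postPatch` loop in the new derivation runs `patch < "$fname"` with no explicit strip level or `--batch`, so it relies on patch's guessing for the Debian diffs; I cannot see those diffs here, but writing the level out, e.g. `patch --batch -p<STRIP_LEVEL> < "$fname"` with the correct number filled in, makes the assumption checkable and fails cleanly in a non-interactive build. Both sources are fetched over plain `http://`, which is acceptable because the sha256 pins them, but `ftp.de.debian.org/debian/pool` removes superseded revisions, so the build will stop reproducing once 0.88-3 rotates out; snapshot.debian.org keeps old revisions. `meta.maintainers = [ maintainers.bjornfor ]` looks carried over from the nixpkgs expression and does not describe who maintains this copy.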
@@ -6,9 +6,9 @@ with import <stockholm/lib>; ../. ../2configs/retiolum.nix ../2configs/hw/tp-x220.nix - ../2configs/baseX.nix ../2configs/git.nix ../2configs/exim-retiolum.nix + ../2configs/baseX.nix ../2configs/browsers.nix ../2configs/programs.nix ../2configs/fetchWallpaper.nix @@ -22,9 +22,9 @@ with import <stockholm/lib>; loader.grub.enable = true; loader.grub.version = 2; loader.grub.device = "/dev/sda"; - loader.grub.enableCryptodisk = true; + loader.grub.efiSupport = true; - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; }; @@ -34,11 +34,14 @@ with import <stockholm/lib>; fsType = "btrfs"; options = ["defaults" "noatime" "ssd" "compress=lzo"]; }; - "/bku" = { - device = "/dev/mapper/pool-bku"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; + "/boot" = { + device = "/dev/sda2"; }; + #"/bku" = { + # device = "/dev/mapper/pool-bku"; + # fsType = "btrfs"; + # options = ["defaults" "noatime" "ssd" "compress=lzo"]; + #}; "/home" = { device = "/dev/mapper/pool-home"; fsType = "btrfs"; diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index b9ab54503..0bfd54515 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix 
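Review bot: Dropping `loader.grub.enableCryptodisk` and mounting `/boot` from `/dev/sda2` moves the kernel and initrd out of the LUKS container, so they are no longer covered by the disk encryption; if that is the accepted trade-off for EFI boot, say so in a comment next to the new `"/boot"` entry (the same change is in lass/1systems/mors.nix in the following hunks). The entry also omits `fsType`, while the installer in lass/5pkgs/init formats this partition with `mkfs.vfat`; `fsType = "vfat";` keeps the two in agreement instead of relying on autodetection. `loader.grub.device = "/dev/sda"` is kept alongside `efiSupport = true`, which I read as an intentional hybrid BIOS/EFI layout given the bios_grub partition in the installer — a comment would help there too.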
@@ -96,49 +96,30 @@ with import <stockholm/lib>; loader.grub.enable = true; loader.grub.version = 2; loader.grub.device = "/dev/sda"; + loader.grub.efiSupport = true; - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; }; fileSystems = { "/" = { - device = "/dev/big/nix"; - fsType = "ext4"; + device = "/dev/mapper/pool-root"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; }; - "/boot" = { - device = "/dev/sda1"; - }; - - "/mnt/loot" = { - device = "/dev/big/loot"; - fsType = "ext4"; + device = "/dev/sda2"; }; - + #"/bku" = { + # device = "/dev/mapper/pool-bku"; + # fsType = "btrfs"; + # options = ["defaults" "noatime" "ssd" "compress=lzo"]; + #}; "/home" = { - device = "/dev/big/home"; - fsType = "ext4"; - }; - - "/home/lass" = { - device = "/dev/big/home-lass"; - fsType = "ext4"; - }; - - "/home/games/.local/share/Steam" = { - device = "/dev/big/steam"; - fsType = "ext4"; - }; - - "/home/virtual/virtual" = { - device = "/dev/big/virtual"; - fsType = "ext4"; - }; - - "/mnt/conf" = { - device = "/dev/big/conf"; - fsType = "ext4"; + device = "/dev/mapper/pool-home"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; }; "/tmp" = { device = "tmpfs"; diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index af847333d..531dec9df 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -229,6 +229,10 @@ in { OnUnitInactiveSec = "2min"; RandomizedDelaySec = "2min"; }; + krebs.repo-sync.repos.nixpkgs.timerConfig = { + OnBootSec = "90min"; + OnUnitInactiveSec = "24h"; + }; } { lass.usershadow = { diff --git a/lass/1systems/shodan.nix b/lass/1systems/shodan.nix index dca616936..044e2ccf8 100644 --- a/lass/1systems/shodan.nix +++ b/lass/1systems/shodan.nix 
@@ -13,6 +13,7 @@ with import <stockholm/lib>; ../2configs/programs.nix ../2configs/fetchWallpaper.nix ../2configs/backups.nix + ../2configs/wine.nix #{ # users.extraUsers = { # root = { diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index e765ddbb4..6c2a92c08 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -56,51 +56,6 @@ in { mode='full' ) - # TODO: get nixpkgs/stockholm paths from krebs - env_lass = { - "LOGNAME": "lass", - "NIX_REMOTE": "daemon", - "dummy_secrets": "true", - } - env_makefu = { - "LOGNAME": "makefu", - "NIX_REMOTE": "daemon", - "dummy_secrets": "true", - } - env_nin = { - "LOGNAME": "nin", - "NIX_REMOTE": "daemon", - "dummy_secrets": "true", - } - env_shared = { - "LOGNAME": "shared", - "NIX_REMOTE": "daemon", - "dummy_secrets": "true", - } - env_tv = { - "LOGNAME": "tv", - "NIX_REMOTE": "daemon", - "dummy_secrets": "true", - } - - # prepare nix-shell - # the dependencies which are used by the test script - deps = [ - "gnumake", - "jq", - "nix", - "(import <stockholm>).pkgs.populate", - "openssh" - ] - # TODO: --pure , prepare ENV in nix-shell command: - # SSL_CERT_FILE,LOGNAME,NIX_REMOTE - nixshell = [ - "nix-shell", - "-I", "/var/src", - "-I", "stockholm=.", - "-p" - ] + deps + [ "--run" ] - # prepare addShell function def addShell(factory,**kwargs): factory.addStep(steps.ShellCommand(**kwargs)) 
@@ -110,30 +65,35 @@ in { f = util.BuildFactory() f.addStep(grab_repo) - def build_host(env, host): - addShell(f,name="build-{}".format(i),env=env, - command=nixshell + ["mkdir -p $HOME/$LOGNAME && touch $HOME/$LOGNAME/.populate; \ - echo $HOME; echo $LOGNAME; \ - test -e $HOME/$LOGNAME/nixpkgs || cp -r /var/src/nixpkgs $HOME/$LOGNAME/; \ - make NIX_PATH=$HOME/$LOGNAME:secrets=/var/src/stockholm/null test method=build \ - target=buildbotworker@${config.krebs.build.host.name}$HOME/$LOGNAME \ - system={}".format(host)] + def build_host(user, host): + addShell(f, + name="{}".format(i), + env={ + "LOGNAME": user, + "NIX_PATH": "secrets=/var/src/stockholm/null:/var/src", + "NIX_REMOTE": "daemon", + "dummy_secrets": "true", + }, + command=[ + "nix-shell", "--run", + "test --system={} --target=buildbotworker@${config.krebs.build.host.name}$HOME/$LOGNAME".format(host) + ] ) - for i in [ "alnus", "mu", "nomic", "wu", "xu", "zu" ]: - build_host(env_tv, i) - for i in [ "mors", "uriel", "shodan", "icarus", "cloudkrebs", "echelon", "dishfire", "prism" ]: - build_host(env_lass, i) + build_host("lass", i) for i in [ "x", "wry", "vbob", "wbob", "shoney" ]: - build_host(env_makefu, i) + build_host("makefu", i) for i in [ "hiawatha", "onondaga" ]: - build_host(env_nin, i) + build_host("nin", i) for i in [ "test-minimal-deploy", "test-all-krebs-modules", "wolf", "test-centos7" ]: - build_host(env_shared, i) + build_host("shared", i) + + for i in [ "alnus", "mu", "nomic", "wu", "xu", "zu" ]: + build_host("tv", i) bu.append( util.BuilderConfig( diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index d7deb3165..27b74a30b 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -79,7 +79,6 @@ with import <stockholm/lib>; if getEnv "dummy_secrets" == "true" then toString <stockholm/lass/2configs/tests/dummy-secrets> else "/home/lass/secrets/${host.name}"; - stockholm.file = getEnv "PWD"; }; }; }; 
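Review bot: `name="{}".format(i)` in the new `build_host` reads the loop variable `i` from the enclosing scope instead of the `host` parameter, which only works because every caller happens to pass `i`; use `name=host,` and drop the format call. The `nix-shell` invocation no longer passes `-p` or a file, so it depends on a `shell.nix`/`default.nix` in the checked-out repository providing the `test` command — presumably that is where `test` now lives, and a one-line comment above the `command=` list saying so would spare the next reader a search. The `NIX_PATH` entry pins `secrets=/var/src/stockholm/null` together with `dummy_secrets`, which I take to mean no real secrets reach the worker; naming that in the same comment makes the builder's isolation explicit.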
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index b8d00e7d4..fd2f1f765 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -32,6 +32,8 @@ with import <stockholm/lib>; { from = "feed@lassul.us"; to = lass.mail; } { from = "art@lassul.us"; to = lass.mail; } { from = "irgendwas@lassul.us"; to = lass.mail; } + { from = "polo@lassul.us"; to = lass.mail; } + { from = "shack@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index feb532709..e39c09b84 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -48,6 +48,8 @@ let set use_from=yes set envelope_from=yes + set sort=threads + set index_format="%4C %Z %?GI?%GI& ? %[%d/%b] %-16.15F %?M?(%3M)& ? %s %> %?g?%g?" virtual-mailboxes \ diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index 2adba34bb..151242e45 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://cgit.lassul.us/nixpkgs; - ref = "4847963"; + ref = "2e983f1"; }; } diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index aaf311576..36ded3b30 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -61,6 +61,11 @@ in { "karlaskop.ubikmedia.de" "nb.ubikmedia.de" "youthtube.ubikmedia.de" + "weirdwednesday.ubikmedia.de" + "weirdwednesday.de" + "www.weirdwednesday.de" + "freemonkey.ubikmedia.de" + "jarugadesign.ubikmedia.de" ]) ]; diff --git a/lass/5pkgs/init/default.nix b/lass/5pkgs/init/default.nix index b484d2c38..679187531 100644 --- a/lass/5pkgs/init/default.nix +++ b/lass/5pkgs/init/default.nix 
@@ -19,14 +19,15 @@ pkgs.writeText "init" '' disk=${disk} - luksdev=${disk}2 + luksdev=${disk}3 luksmap=/dev/mapper/${luksmap} vgname=${vgname} + bootdev=/dev/sda2 + rootdev=/dev/mapper/${vgname}-root homedev=/dev/mapper/${vgname}-home - bkudev=/dev/mapper/${vgname}-bku # #generate keyfile @@ -49,7 +50,8 @@ pkgs.writeText "init" '' mklabel gpt \ mkpart no-fs 0 1024KiB \ set 1 bios_grub on \ - mkpart primary 1025KiB 100% + mkpart ESP fat32 1025KiB 1024MiB set 2 boot on \ + mkpart primary 1025MiB 100% fi if ! test "$(blkid -o value -s PARTLABEL "$luksdev")" = primary; then @@ -78,9 +80,8 @@ pkgs.writeText "init" '' lvchange -a y /dev/mapper/"$vgname" - if ! test -e "$rootdev"; then lvcreate -L 100G -n root "$vgname"; fi - if ! test -e "$homedev"; then lvcreate -L 100G -n home "$vgname"; fi - if ! test -e "$bkudev"; then lvcreate -L 200G -n bku "$vgname"; fi + if ! test -e "$rootdev"; then lvcreate -L 7G -n root "$vgname"; fi + if ! test -e "$homedev"; then lvcreate -L 100M -n home "$vgname"; fi # lvchange -a n "$vgname" @@ -89,6 +90,10 @@ pkgs.writeText "init" '' # formatting # + if ! test "$(blkid -o value -s TYPE "$bootdev")" = vfat; then + mkfs.vfat "$bootdev" + fi + if ! test "$(blkid -o value -s TYPE "$rootdev")" = btrfs; then mkfs.btrfs "$rootdev" fi @@ -97,22 +102,18 @@ pkgs.writeText "init" '' mkfs.btrfs "$homedev" fi - if ! test "$(blkid -o value -s TYPE "$bkudev")" = btrfs; then - mkfs.btrfs "$bkudev" - fi - if ! test "$(lsblk -n -o MOUNTPOINT "$rootdev")" = /mnt; then mount "$rootdev" /mnt fi + if ! test "$(lsblk -n -o MOUNTPOINT "$bootdev")" = /mnt/boot; then + mkdir -m 0000 -p /mnt/boot + mount "$bootdev" /mnt/boot + fi if ! test "$(lsblk -n -o MOUNTPOINT "$homedev")" = /mnt/home; then mkdir -m 0000 -p /mnt/home mount "$homedev" /mnt/home fi - if ! test "$(lsblk -n -o MOUNTPOINT "$bkudev")" = /mnt/bku; then - mkdir -m 0000 -p /mnt/bku - mount "$bkudev" /mnt/bku - fi # umount -R /mnt 
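Review bot: `bootdev=/dev/sda2` is hard-coded while the neighbouring `luksdev=${disk}3` is derived from `disk`, so running the script with a different `disk` would format and mount `/dev/sda2` of another drive (`mkfs.vfat "$bootdev"` in the `@@ -89` hunk has no further guard); use `bootdev=${disk}2`. In the `@@ -78` hunk `lvcreate -L 100M -n home` shrinks the home volume from 100G to 100M, which looks like a leftover test value — confirm it is intended. The `mkpart ESP fat32 1025KiB 1024MiB set 2 boot on \` line runs two parted commands on one line, which parted accepts, but one command per line matching the surrounding style reads more easily.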
@@ -122,6 +123,7 @@ pkgs.writeText "init" '' nix-env -iA nixos.git + # TODO: get sentinal file from target_path mkdir -p /mnt/var/src touch /mnt/var/src/.populate diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 519313f57..51761d3fd 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -24,7 +24,10 @@ in { # ../2configs/disable_v6.nix ../2configs/exim-retiolum.nix ../2configs/tinc/retiolum.nix - ../2configs/urlwatch.nix + ../2configs/urlwatch + + # Security + ../2configs/sshd-totp.nix # Tools ../2configs/tools/core.nix diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index 7421125e4..d8e275bf6 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -8,14 +8,23 @@ (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>) (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>) ../2configs/main-laptop.nix #< base-gui + ../2configs/sshd-totp.nix + + # Tools + ../2configs/tools/core.nix + ../2configs/tools/core-gui.nix + ../2configs/tools/dev.nix + ../2configs/tools/extra-gui.nix + ../2configs/tools/sec.nix # environment ../2configs/tinc/retiolum.nix + ../2configs/audio/jack-on-pulse.nix + ../2configs/audio/realtime-audio.nix + ]; networking.extraHosts = import (toString <secrets/extra-hosts.nix>); - # workaround for https://github.com/NixOS/nixpkgs/issues/16641 - services.xserver.videoDrivers = lib.mkOverride 45 [ "virtualbox" "modesetting" ]; nixpkgs.config.allowUnfree = true; fileSystems."/nix" = { diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index ee3a7bb1b..235862e85 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix 
@@ -13,61 +13,56 @@ with import <stockholm/lib>; ../2configs/tools/all.nix ../2configs/laptop-backup.nix ../2configs/dnscrypt.nix + ../2configs/avahi.nix - # testing - # ../2configs/openvpn/vpngate.nix - #../2configs/temp/share-samba.nix - # ../2configs/mediawiki.nix - # ../2configs/wordpress.nix - # ../2configs/nginx/public_html.nix - # ../2configs/nginx/icecult.nix - - # ../2configs/elchos/irc-token.nix - # ../2configs/elchos/log.nix - - #../2configs/elchos/search.nix - #../2configs/elchos/stats.nix - #../2configs/elchos/test/ftpservers.nix - - # ../2configs/tinc/siem.nix - #../2configs/torrent.nix - # temporary modules - - # ../2configs/torrent.nix - #../2configs/temp/elkstack.nix - # ../2configs/temp/sabnzbd.nix + # Debugging + # ../2configs/disable_v6.nix + # Testing + # ../2configs/lanparty/lancache.nix + # ../2configs/lanparty/lancache-dns.nix + # ../2configs/deployment/dirctator.nix + # ../2configs/vncserver.nix + # ../2configs/deployment/led-fader + # ../2configs/deployment/hound # development ../2configs/sources # Krebs - # ../2configs/disable_v6.nix ../2configs/tinc/retiolum.nix # applications ../2configs/exim-retiolum.nix ../2configs/mail-client.nix ../2configs/printer.nix + ../2configs/task-client.nix + + # Virtualization ../2configs/virtualization.nix + ../2configs/docker.nix ../2configs/virtualization-virtualbox.nix - ../2configs/wwan.nix - ../2configs/rad1o.nix - # services + # Services ../2configs/git/brain-retiolum.nix ../2configs/tor.nix ../2configs/steam.nix # ../2configs/buildbot-standalone.nix - # hardware specifics are in here + # Hardware ../2configs/hw/tp-x230.nix ../2configs/hw/rtl8812au.nix - ../2configs/hw/stk1160.nix + ../2configs/hw/exfat-nofuse.nix + ../2configs/hw/wwan.nix + # ../2configs/hw/stk1160.nix + # ../2configs/rad1o.nix - # mount points + # Filesystem ../2configs/fs/sda-crypto-root-home.nix + # Security + ../2configs/sshd-totp.nix + ]; makefu.server.primary-itf = "wlp3s0"; 
@@ -76,10 +71,8 @@ with import <stockholm/lib>; nixpkgs.config.allowUnfree = true; - boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; environment.systemPackages = [ pkgs.passwdqc-utils ]; - virtualisation.docker.enable = true; # configure pulseAudio to provide a HDMI sink as well networking.firewall.enable = true; diff --git a/makefu/2configs/audio/jack-on-pulse.nix b/makefu/2configs/audio/jack-on-pulse.nix index 49b61d5a2..a8ee05c7d 100644 --- a/makefu/2configs/audio/jack-on-pulse.nix +++ b/makefu/2configs/audio/jack-on-pulse.nix @@ -11,7 +11,10 @@ in package = pulse; }; - environment.systemPackages = with pkgs; [ jack2Full ]; + environment.systemPackages = with pkgs; [ + jack2Full + jack_capture + ]; # from http://anderspapitto.com/posts/2015-11-26-overtone-on-nixos-with-jack-and-pulseaudio.html systemd.user.services = { diff --git a/makefu/2configs/audio/realtime-audio.nix b/makefu/2configs/audio/realtime-audio.nix index fbeacd025..6cb18c45c 100644 --- a/makefu/2configs/audio/realtime-audio.nix +++ b/makefu/2configs/audio/realtime-audio.nix @@ -10,7 +10,7 @@ in musnix.enable = true; musnix.kernel.optimize = true; musnix.kernel.realtime = true; - # TODO: musnix.kernel.packages = pkgs.linuxPackages_latest_rt; + musnix.kernel.packages = pkgs.linuxPackages_latest_rt; users.users."${user}".extraGroups = [ "audio" ]; } diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index bcd998826..0b4ef8909 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -22,7 +22,7 @@ with import <stockholm/lib>; user = config.krebs.users.makefu; source = let inherit (config.krebs.build) host user; - ref = "7a7c39c"; # unstable @ 2017-05-09 + graceful requests2 + logstash5 + ref = "06734d1"; # unstable @ 2017-07-03 + graceful requests2 (a772c3aa) in { nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then { 
diff --git a/makefu/2configs/deployment/dirctator.nix b/makefu/2configs/deployment/dirctator.nix index b8e61955d..4f2f8818d 100644 --- a/makefu/2configs/deployment/dirctator.nix +++ b/makefu/2configs/deployment/dirctator.nix @@ -25,6 +25,10 @@ in { stdout { codec => rubydebug } exec { command => "${runit} '%{message}" } ''; - plugins = [ ]; + extraSettings = '' + path.plugins: [ "${pkgs.logstash-output-exec}" ] + ''; + ## NameError: `@path.plugins' is not allowable as an instance variable name + # plugins = [ pkgs.logstash-output-exec ]; }; } diff --git a/makefu/2configs/deployment/led-fader.nix b/makefu/2configs/deployment/led-fader.nix index 50023693d..678370c69 100644 --- a/makefu/2configs/deployment/led-fader.nix +++ b/makefu/2configs/deployment/led-fader.nix @@ -31,6 +31,7 @@ in { }; # after = [ (lib.optional config.services.mosqitto.enable "mosquitto.service") ]; wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; serviceConfig = { # User = "nobody"; # need a user with permissions to run nix-shell ExecStart = "${pkg}/bin/ampel 4 ${pkg}/share/times.json"; diff --git a/makefu/2configs/docker.nix b/makefu/2configs/docker.nix new file mode 100644 index 000000000..98fd980cc --- /dev/null +++ b/makefu/2configs/docker.nix @@ -0,0 +1,4 @@ +{...}: +{ + virtualisation.docker.enable = true; +} diff --git a/makefu/2configs/hw/exfat-nofuse.nix b/makefu/2configs/hw/exfat-nofuse.nix new file mode 100644 index 000000000..ca3485e9f --- /dev/null +++ b/makefu/2configs/hw/exfat-nofuse.nix @@ -0,0 +1,4 @@ +{ config, ... }: +{ + boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; +} diff --git a/makefu/2configs/hw/stk1160.nix b/makefu/2configs/hw/stk1160.nix index b4d033d76..e73741e26 100644 --- a/makefu/2configs/hw/stk1160.nix +++ b/makefu/2configs/hw/stk1160.nix 
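Review bot: `after = [ "network-online.target" ]` in the led-fader unit only orders the service; without a matching `wants = [ "network-online.target" ];` the target is not pulled in by this unit and the ordering may have no effect at boot. The same pattern appears in the new `dns-lancache-prepare` unit in makefu/2configs/lanparty/lancache-dns.nix. Add the `wants` line next to `after` in both.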
@@ -1,9 +1,8 @@ { pkgs, ... }: { # TODO: un-pin linuxPackages somehow - boot.kernelPackages = builtins.trace "Warning: overriding kernel Packages with 4.9" pkgs.linuxPackages_4_9; nixpkgs.config.packageOverrides = pkgs: { - linux_4_9 = pkgs.linux_4_9.override { + linux_latest = pkgs.linux_latest.override { extraConfig = '' MEDIA_ANALOG_TV_SUPPORT y VIDEO_STK1160_COMMON m diff --git a/makefu/2configs/hw/tp-x230.nix b/makefu/2configs/hw/tp-x230.nix index 2de32dd94..c705b52a7 100644 --- a/makefu/2configs/hw/tp-x230.nix +++ b/makefu/2configs/hw/tp-x230.nix @@ -44,8 +44,7 @@ with import <stockholm/lib>; ''; # enable HDMI output switching with pulseaudio - hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" '' - ${builtins.readFile "${config.hardware.pulseaudio.package.out}/etc/pulse/default.pa"} + hardware.pulseaudio.extraConfig = '' load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI" ''; diff --git a/makefu/2configs/wwan.nix b/makefu/2configs/hw/wwan.nix index 0eb0c97d7..0eb0c97d7 100644 --- a/makefu/2configs/wwan.nix +++ b/makefu/2configs/hw/wwan.nix diff --git a/makefu/2configs/lanparty/lancache-dns.nix b/makefu/2configs/lanparty/lancache-dns.nix new file mode 100644 index 000000000..4b4ebf0a0 --- /dev/null +++ b/makefu/2configs/lanparty/lancache-dns.nix 
@@ -0,0 +1,55 @@ +{ pkgs, lib, config, ... }: +with import <stockholm/lib>; +let + # see https://github.com/zeropingheroes/lancache for full docs + lancache-dns = pkgs.stdenv.mkDerivation rec { + name = "lancache-dns-2017-06-28"; + src = pkgs.fetchFromGitHub { + # forked: https://github.com/zeropingheroes/lancache-dns + repo = "lancache-dns"; + owner = "zeropingheroes"; + rev = "420aa62"; + sha256 = "0ik7by7ripdv2avyy5kk9jp1i7rz9ksc8xmg7n9iik365q9pv94m"; + }; + phases = [ "unpackPhase" "installPhase" ]; + # here we can chance to edit `includes/proxy-cache-paths.conf` + installPhase = '' + mkdir -p $out + cp -r * $out/ + ''; + }; + stateDir = "/var/lib/unbound"; + user = "unbound"; + upstream-server = "8.8.8.8"; +in { + services.unbound = { + enable = true; + allowedAccess = [ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ]; + interfaces = ["0.0.0.0" "::" ]; + forwardAddresses = [ upstream-server ]; + extraConfig = '' + include: "${stateDir}/lancache/*.conf" + ''; + }; + services.dnscrypt-proxy.enable = lib.mkForce false; + virtualisation.libvirtd.enable = lib.mkForce false; + systemd.services.dns-lancache-prepare = { + wantedBy = [ "unbound.service" ]; + before = [ "unbound.service" ]; + after = [ "network-online.target" ]; + partOf= [ "unbound.service" ]; + + path = [ pkgs.gawk pkgs.iproute pkgs.gnused ]; + script = '' + set -xeu + current_ip=$(ip route get 8.8.8.8 | awk '/8.8.8.8/ {print $NF}') + old_ip=10.1.1.250 + mkdir -p ${stateDir} + rm -rvf ${stateDir}/lancache + cp -r ${lancache-dns}/upstreams-available ${stateDir}/lancache + sed -i "s/$old_ip/$current_ip/g" ${stateDir}/lancache/*.conf + chown -R unbound ${stateDir} + ''; + }; + networking.firewall.allowedUDPPorts = [ 53 ]; +} diff --git a/makefu/2configs/lanparty/lancache.nix b/makefu/2configs/lanparty/lancache.nix new file mode 100644 index 000000000..3df2e3f59 --- /dev/null +++ b/makefu/2configs/lanparty/lancache.nix 
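Review bot: `networking.firewall.allowedUDPPorts = [ 53 ]` opens the resolver on every interface while unbound binds `0.0.0.0`/`::` and only the `allowedAccess` ACL restricts queries to RFC1918 ranges; consider limiting the firewall rule to the LAN interface as well (via `networking.firewall.extraCommands`, or the per-interface firewall options if the pinned nixpkgs has them) so a later ACL mistake does not turn this into an open resolver. In the prepare script `awk '/8.8.8.8/ {print $NF}'` assumes the source address is the last field of `ip route get`; on iproute2 versions that append `uid 0` this yields `0`, so matching the field after `src` is safer: `awk '{for (i = 1; i <= NF; i++) if ($i == "src") print $(i+1)}'`. The `sed` call uses `$old_ip` as an unescaped regex, so its dots match any character — harmless for this value, but worth a comment.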
@@ -0,0 +1,74 @@
+{ pkgs, lib, config, ... }:
+with import <stockholm/lib>;
+let
+ # see https://github.com/zeropingheroes/lancache for full docs
+ lancache= pkgs.stdenv.mkDerivation rec {
+ name = "lancache-2017-06-26";
+ src = pkgs.fetchFromGitHub {
+ # origin: https://github.com/multiplay/lancache
+ # forked: https://github.com/zeropingheroes/lancache
+ repo = "lancache";
+ owner = "zeropingheroes";
+ rev = "143f7bb";
+ sha256 = "1ra4l7qz3k231j5wabr89s5hh80n1kk8vgd3dsh0xx5mdpjhvdl6";
+ };
+ phases = [ "unpackPhase" "installPhase" ];
+ # here we can chance to edit `includes/proxy-cache-paths.conf`
+ installPhase = ''
+ mkdir -p $out
+ cp -r * $out/
+ sed -i -e 's/^\(user\).*/\1 ${cfg.user} ${cfg.group};/' \
+ -e '1 idaemon off;' \
+ $out/nginx.conf
+ '';
+ };
+ cfg = {
+ group = "nginx-lancache";
+ user = "nginx-lancache";
+ statedir = "/var/lancache";
+ package = pkgs.stdenv.lib.overrideDerivation pkgs.nginx (old:{
+ configureFlags = old.configureFlags ++ [
+ "--with-http_slice_module"
+ "--with-stream"
+ "--with-pcre"
+ ];
+ });
+ };
+in {
+ systemd.services.nginx-lancache = {
+ description = "Nginx lancache Server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ restartIfChanged = true;
+
+ preStart = ''
+ mkdir -p ${cfg.statedir} && cd ${cfg.statedir}
+ PATH_CACHE=$PATH_BASE/cache
+ PATH_LOGS=$PATH_BASE/logs
+
+ mkdir -p cache/{installers,tmp} logs
+ rm -f conf; ln -s ${lancache} conf
+ chown -R ${cfg.user}:${cfg.group} .
+ '';
+ serviceConfig = {
+ ExecStart = "${cfg.package}/bin/nginx -p ${cfg.statedir}";
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ Restart = "always";
+ RestartSec = "10s";
+ StartLimitInterval = "1min";
+ };
+ };
+
+ environment.etc.nginx.source = lancache;
+ users.extraUsers = (singleton
+ { name = cfg.user;
+ group = cfg.group;
+ uid = genid cfg.group;
+ });
+
+ users.extraGroups = (singleton
+ { name = "${cfg.group}";
+ gid = genid cfg.group;
+ });
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/makefu/2configs/sources/musnix.nix b/makefu/2configs/sources/musnix.nix
index d02dd4a48..a5be303e9 100644
--- a/makefu/2configs/sources/musnix.nix
+++ b/makefu/2configs/sources/musnix.nix
@@ -1,6 +1,6 @@
 {
 krebs.build.source.musnix.git = {
 url = https://github.com/musnix/musnix.git;
- ref = "37a8378";
+ ref = "f0ec1f3";
 };
 }
diff --git a/makefu/2configs/sshd-totp.nix b/makefu/2configs/sshd-totp.nix
new file mode 100644
index 000000000..f9984e245
--- /dev/null
+++ b/makefu/2configs/sshd-totp.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+# gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+ security.pam.oath = {
+ # enabling it will make it a requisite of `all` services
+ # enable = true;
+ digits = 6;
+ # TODO assert existing
+ usersFile = (toString <secrets>) + "/users.oath";
+ };
+ # I want TFA only active for sshd with password-auth
+ security.pam.services.sshd.oathAuth = true;
+}
diff --git a/makefu/2configs/task-client.nix b/makefu/2configs/task-client.nix
new file mode 100644
index 000000000..330616f4a
--- /dev/null
+++ b/makefu/2configs/task-client.nix
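Review bot: In `preStart`, `PATH_CACHE=$PATH_BASE/cache` and `PATH_LOGS=$PATH_BASE/logs` read `$PATH_BASE`, which is never set, and neither variable is used afterwards; both lines should go. The unit has no `User=`, so the nginx master runs as root and only the workers drop to `nginx-lancache` through the `user` directive that `installPhase` patches into nginx.conf — if that is intended (binding 80/443 without capabilities), say so above `serviceConfig`, e.g. `# master stays root to bind 80/443; workers run as ${cfg.user} (user directive set in installPhase)`. `environment.etc.nginx.source = lancache` replaces the whole /etc/nginx tree with the lancache checkout, which is worth a one-line comment since it affects anything else on the host expecting its own config there. The hunk begins on the previous physical line.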
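Review bot: `usersFile` is built with `toString <secrets>` so the seed file itself never enters the store, but the `# TODO assert existing` is still open: when `users.oath` is missing on the target the failure only shows up at login time. `assert builtins.pathExists (<secrets> + "/users.oath");` at the top of the module rejects the configuration at evaluation instead, provided the dummy secrets tree used for `test` also carries that file. The usage comment says `chmod 700`; for a regular file holding OATH seeds `chmod 600` (root-owned) is the mode you want, 700 only adds an execute bit. Because `oathAuth` is set on the sshd PAM service alone, key-based logins are unaffected, which matches the comment — this is a second factor for password logins, not for all of sshd.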
@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+{
+ krebs.per-user.makefu.packages = [
+ pkgs.taskwarrior
+ ];
+
+ environment.shellAliases = {
+ tshack = "task project:shack";
+ twork = "task project:soc";
+ tpki = "task project:pki";
+ tkrebs = "task project:krebs";
+ t = "task project: ";
+ };
+}
diff --git a/makefu/2configs/tools/dev.nix b/makefu/2configs/tools/dev.nix
index 4fe7f8bf4..42006eb22 100644
--- a/makefu/2configs/tools/dev.nix
+++ b/makefu/2configs/tools/dev.nix
@@ -12,5 +12,8 @@
 cac-api
 cac-panel
 ovh-zone
+ whatsupnix
+ brain
+ gen-oath-safe
 ];
 }
diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix
index 56cdccd1f..1e68e935c 100644
--- a/makefu/2configs/tools/extra-gui.nix
+++ b/makefu/2configs/tools/extra-gui.nix
@@ -2,13 +2,16 @@
 {
 krebs.per-user.makefu.packages = with pkgs;[
+ # media
 gimp
 inkscape
 libreoffice
- saleae-logic
 skype
 synergy
 tdesktop
 virtmanager
+ # Dev
+ saleae-logic
+ arduino-user-env
 ];
 }
diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch.nix
deleted file mode 100644
index 9493b2b7b..000000000
--- a/makefu/2configs/urlwatch.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ config, lib, ... }:
-
-{
- krebs.urlwatch = {
- enable = true;
- mailto = config.krebs.users.makefu.mail;
- onCalendar = "*-*-* 05:00:00";
- urls = [
- ## nixpkgs maintenance
- https://api.github.com/repos/ovh/python-ovh/tags
- https://api.github.com/repos/embray/d2to1/tags
- https://api.github.com/repos/Mic92/vicious/tags
- https://pypi.python.org/simple/bepasty/
- https://pypi.python.org/simple/xstatic/
- http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
- http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
- https://github.com/amadvance/snapraid/releases.atom
- https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
- https://api.github.com/repos/embray/d2to1/tags
- https://api.github.com/repos/dorimanx/exfat-nofuse/commits
- https://api.github.com/repos/dorimanx/exfat-nofuse/tags
- https://api.github.com/repos/radare/radare2/tags
- https://api.github.com/repos/rapid7/metasploit-framework/tags
- ];
- };
-}
-
diff --git a/makefu/2configs/urlwatch/default.nix b/makefu/2configs/urlwatch/default.nix
new file mode 100644
index 000000000..f17bcdc3a
--- /dev/null
+++ b/makefu/2configs/urlwatch/default.nix
@@ -0,0 +1,45 @@
+{ config, lib, ... }:
+
+{
+ krebs.urlwatch = {
+ enable = true;
+ mailto = config.krebs.users.makefu.mail;
+ onCalendar = "*-*-* 05:00:00";
+ hooksFile = ./hook.py;
+ urls = [
+ ## nixpkgs maintenance
+ # github
+ ## No rate limit
+ https://github.com/amadvance/snapraid/releases.atom
+ https://github.com/radare/radare2/releases.atom
+ https://github.com/ovh/python-ovh/releases.atom
+ https://github.com/embray/d2to1/releases.atom
+ https://github.com/Mic92/vicious/releases.atom
+ https://github.com/embray/d2to1/releases.atom
+ https://github.com/dorimanx/exfat-nofuse/releases.atom
+ https://github.com/rapid7/metasploit-framework/releases.atom
+ ## rate limited
+ # https://api.github.com/repos/dorimanx/exfat-nofuse/commits
+ # https://api.github.com/repos/mcepl/gen-oath-safe/commits
+ https://api.github.com/repos/naim94a/udpt/commits
+ https://api.github.com/repos/dirkvdb/ps3netsrv--/commits
+
+ # pypi
+ https://pypi.python.org/simple/bepasty/
+ https://pypi.python.org/simple/xstatic/
+ https://pypi.python.org/simple/devpi-client/
+ # weird shit
+ http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
+ http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
+ https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
+ https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
+
+ {
+ url = https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ;
+ filter = "grep:Software/Linux/dymo-cups-drivers";
+ }
+ # TODO: dymo cups
+ ];
+ };
+}
+
diff --git a/makefu/2configs/urlwatch/hook.py b/makefu/2configs/urlwatch/hook.py
new file mode 100644
index 000000000..7d9282c7e
--- /dev/null
+++ b/makefu/2configs/urlwatch/hook.py
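Review bot: `https://github.com/embray/d2to1/releases.atom` appears twice in `urls`, so every release is reported twice; drop one entry. The cvs2svn entry carries HTTP basic-auth credentials inside the URL, and this file is copied into the world-readable nix store on every host that imports it — fine only while that login is genuinely public, as `guest` suggests, otherwise the credential belongs in the per-job urlwatch config rather than the URL. A short comment saying why the two remaining `api.github.com` jobs stay on the rate-limited host (no releases feed for those repos?) would spare the next reader the question.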
@@ -0,0 +1,16 @@
+import logging
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger()
+log.setLevel(level=logging.INFO)
+
+import re
+import json
+
+from urlwatch import filters
+
+
+class JsonFilter(filters.RegexMatchFilter):
+ MATCH = {'url': re.compile('https?://api.github.com/.*')}
+
+ def filter(self, data):
+ return json.dumps(json.loads(data),indent=2,sort_keys=True)
diff --git a/makefu/5pkgs/arduino-user-env/default.nix b/makefu/5pkgs/arduino-user-env/default.nix
new file mode 100644
index 000000000..7339c50a2
--- /dev/null
+++ b/makefu/5pkgs/arduino-user-env/default.nix
@@ -0,0 +1,35 @@
+{ lib, pkgs, ... }: let
+
+#TODO: make sure env exists prior to running
+env_nix = pkgs.writeText "env.nix" ''
+ { pkgs ? import <nixpkgs> {} }:
+
+ (pkgs.buildFHSUserEnv {
+ name = "arduino-user-env";
+ targetPkgs = pkgs: with pkgs; [
+ coreutils
+ ];
+ multiPkgs = pkgs: with pkgs; [
+ arduino
+ alsaLib
+ zlib
+ xorg.libXxf86vm
+ curl
+ openal
+ openssl_1_0_2
+ xorg.libXext
+ xorg.libX11
+ xorg.libXrandr
+ xorg.libXcursor
+ xorg.libXinerama
+ xorg.libXi
+ mesa_glu
+ ];
+ runScript = "zsh";
+ }).env
+'';
+
+
+in pkgs.writeDashBin "arduino-user-env" ''
+ nix-shell ${env_nix}
+ ''
diff --git a/makefu/5pkgs/gen-oath-safe/default.nix b/makefu/5pkgs/gen-oath-safe/default.nix
new file mode 100644
index 000000000..245e65174
--- /dev/null
+++ b/makefu/5pkgs/gen-oath-safe/default.nix
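Review bot: `logging.basicConfig(level=logging.INFO)` and `log.setLevel(...)` run at import time and reconfigure the root logger of whichever urlwatch process loads this hook, yet `log` is never used afterwards; the four logging lines can go. `JsonFilter.filter` lets `json.loads` raise on a non-JSON body (an API error page, a rate-limit response), which surfaces as a job error instead of a spurious diff — reasonable, but worth a docstring so nobody "fixes" it into a silent fallback, e.g. `"""Canonicalise GitHub API JSON so diffs stay stable; non-JSON bodies raise and fail the job."""`. Whether the base class expects `filter(self, data)` or `filter(self, data, subfilter)` depends on the urlwatch version pinned elsewhere; confirm the signature matches it.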
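Review bot: `openssl_1_0_2` is pinned explicitly in `multiPkgs` without saying why; if the arduino binaries link against the 1.0 ABI, `# arduino IDE binaries link against the OpenSSL 1.0 ABI` above the line records the reason so the pin is revisited once that library is dropped from nixpkgs. The `#TODO: make sure env exists prior to running` is unresolved in the hunk: `nix-shell ${env_nix}` still builds the FHS env on first run, so the TODO should say whether the remaining gap is the wait time or the missing `<nixpkgs>` lookup at runtime.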
@@ -0,0 +1,37 @@
+{ coreutils, makeWrapper, openssl, libcaca, qrencode, fetchFromGitHub, yubikey-manager, python, stdenv, ... }:
+
+stdenv.mkDerivation {
+ name = "geno-oath-safe-2017-06-30";
+ src = fetchFromGitHub {
+ owner = "mcepl";
+ repo = "gen-oath-safe";
+ rev = "fb53841";
+ sha256 = "0018kqmhg0861r5xkbis2a1rx49gyn0dxcyj05wap5ms7zz69m0m";
+ };
+
+ phases = [
+ "unpackPhase"
+ "installPhase"
+ "fixupPhase"
+ ];
+
+ buildInputs = [ makeWrapper ];
+
+ installPhase =
+ let
+ path = stdenv.lib.makeBinPath [
+ coreutils
+ openssl
+ qrencode
+ yubikey-manager
+ libcaca
+ python
+ ];
+ in
+ ''
+ mkdir -p $out/bin
+ cp gen-oath-safe $out/bin/
+ wrapProgram $out/bin/gen-oath-safe \
+ --prefix PATH : ${path}
+ '';
+}
diff --git a/shared/2configs/default.nix b/shared/2configs/default.nix
index 894f8a997..398f125e4 100644
--- a/shared/2configs/default.nix
+++ b/shared/2configs/default.nix
@@ -11,7 +11,7 @@ with import <stockholm/lib>;
 nixos-config.symlink = "stockholm/${user.name}/1systems/${host.name}.nix";
 nixpkgs.git = {
 url = https://github.com/NixOS/nixpkgs;
- ref = "58e227052d40021d82d015f3f8da011ae54ea430"; # nixos-17.03 @ 2017-05-24
+ ref = "72c9ed78d0b1d9d5f531805ddf5bf06bfd447614"; # nixos-17.03 @ 2017-06-17
 };
 secrets.file =
 if getEnv "dummy_secrets" == "true"
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 000000000..3e7ba81c1
--- /dev/null
+++ b/shell.nix
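Review bot: `name = "geno-oath-safe-2017-06-30"` has a typo; the repo, the installed binary and the attribute are all `gen-oath-safe`, so `name = "gen-oath-safe-2017-06-30";` keeps store paths and `nix-env -q` output searchable. `makeWrapper` is a build-time-only tool and belongs in `nativeBuildInputs` rather than `buildInputs`, although both work for a native build. Since this tool generates OTP seeds, a header comment naming what each entry in `path` is needed for at runtime (QR output, key generation, yubikey backend) would make it clear which dependencies can be dropped later.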
@@ -0,0 +1,186 @@
+let
+ lib = import ./lib;
+ pkgs = import <nixpkgs> { overlays = [(import ./krebs/5pkgs)]; };
+
+ # usage: deploy --system=SYSTEM [--target=TARGET]
+ cmds.deploy = pkgs.writeDash "cmds.deploy" ''
+ set -efu
+
+ command=deploy
+ . ${init.args}
+ \test -n "''${target-}" || target=$system
+ . ${init.env}
+
+ exec ${utils.deploy}
+ '';
+
+ # usage: test --system=SYSTEM --target=TARGET
+ cmds.test = pkgs.writeDash "cmds.test" /* sh */ ''
+ set -efu
+
+ command=test
+ . ${init.args}
+ . ${init.env}
+
+ export dummy_secrets=true
+ exec ${utils.build} config.system.build.toplevel
+ '';
+
+ init.args = pkgs.writeText "init.args" /* sh */ ''
+ args=$(${pkgs.utillinux}/bin/getopt -n "$command" -s sh \
+ -o s:t: \
+ -l system:,target: \
+ -- "$@")
+ if \test $? != 0; then exit 1; fi
+ eval set -- "$args"
+ while :; do case $1 in
+ -s|--system) system=$2; shift 2;;
+ -t|--target) target=$2; shift 2;;
+ --) shift; break;;
+ esac; done
+ for arg; do echo "$command: bad argument: $arg" >&2; done
+ if \test $# != 0; then exit 2; fi
+ '';
+
+ init.env = pkgs.writeText "init.env" /* sh */ ''
+ config=''${config-$LOGNAME/1systems/$system.nix}
+
+ export config
+ export system
+ export target
+
+ export target_object="$(${init.env.parsetarget} $target)"
+ export target_user="$(echo $target_object | ${pkgs.jq}/bin/jq -r .user)"
+ export target_host="$(echo $target_object | ${pkgs.jq}/bin/jq -r .host)"
+ export target_port="$(echo $target_object | ${pkgs.jq}/bin/jq -r .port)"
+ export target_path="$(echo $target_object | ${pkgs.jq}/bin/jq -r .path)"
+ export target_local="$(echo $target_object | ${pkgs.jq}/bin/jq -r .local)"
+
+ if \test "''${using_proxy-}" != true; then
+ ${init.env.populate}
+ if \test "$target_local" != true; then
+ exec ${init.env.proxy} "$command" "$@"
+ fi
+ fi
+ '' // {
+ parsetarget = pkgs.writeDash "init.env.parsetarget" ''
+ set -efu
+ exec ${pkgs.jq}/bin/jq \
+ -enr \
+ --arg target "$1" \
+ -f ${init.env.parsetarget.jq}
+ '' // {
+ jq = pkgs.writeText "init.env.parsetarget.jq" ''
+ def when(c; f): if c then f else . end;
+ def capturesDef(i; v): .captures[i].string | when(. == null; v);
+ $target | match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | {
+ user: capturesDef(0; "root"),
+ host: capturesDef(1; env.system),
+ port: capturesDef(2; "22"),
+ path: capturesDef(3; "/var/src"),
+ } | . + {
+ local: (.user == env.LOGNAME and .host == env.HOSTNAME),
+ }
+ '';
+ };
+ populate = pkgs.writeDash "init.env.populate" ''
+ set -efu
+ ${pkgs.nix}/bin/nix-instantiate \
+ --eval \
+ --json \
+ --readonly-mode \
+ --show-trace \
+ --strict \
+ -I nixos-config="$config" \
+ -E 'with import <stockholm>; config.krebs.build.source' \
+ |
+ ${pkgs.populate}/bin/populate \
+ "$target_user@$target_host:$target_port$target_path" \
+ >&2
+ '';
+ proxy = pkgs.writeDash "init.env.proxy" ''
+ set -efu
+ q() {
+ ${pkgs.jq}/bin/jq -nr --arg x "$*" '$x | @sh "\(.)"'
+ }
+ exec ${pkgs.openssh}/bin/ssh \
+ "$target_user@$target_host" -p "$target_port" \
+ cd "$target_path/stockholm" \; \
+ NIX_PATH=$(q "$target_path") \
+ STOCKHOLM_VERSION=$STOCKHOLM_VERSION \
+ nix-shell \
+ --command $(q \
+ config=$config \
+ system=$system \
+ target=$target \
+ using_proxy=true \
+ "$*"
+ )
+ '';
+ };
+
+ utils.build = pkgs.writeDash "utils.build" ''
+ set -efu
+ ${pkgs.nix}/bin/nix-build \
+ -Q \
+ --no-out-link \
+ --show-trace \
+ -E "with import <stockholm>; $1" \
+ -I "$target_path" \
+ 2>&1 |
+ ${pkgs.whatsupnix}/bin/whatsupnix
+ '';
+
+ utils.deploy = pkgs.writeDash "utils.deploy" ''
+ set -efu
+ PATH=/run/current-system/sw/bin nixos-rebuild switch \
+ -Q \
+ --show-trace \
+ -I "$target_path" \
+ 2>&1 |
+ ${pkgs.whatsupnix}/bin/whatsupnix
+ '';
+
+ shell.get-version = pkgs.writeDash "shell.get-version" ''
+ set -efu
+ version=git.$(${pkgs.git}/bin/git describe --always --dirty)
+ case $version in (*-dirty)
+ version=$version@$HOSTNAME
+ esac
+ date=$(${pkgs.coreutils}/bin/date +%y.%m)
+ echo "$date.$version"
+ '';
+
+ shell.cmdspkg = pkgs.writeOut "shell.cmdspkg" (lib.mapAttrs' (name: link:
+ lib.nameValuePair "/bin/${name}" { inherit link; }
+ ) cmds);
+
+in pkgs.stdenv.mkDerivation {
+ name = "stockholm";
+ shellHook = /* sh */ ''
+ export NIX_PATH="stockholm=$PWD''${NIX_PATH+:$NIX_PATH}"
+ export PATH=${lib.makeBinPath [
+ shell.cmdspkg
+ ]}
+
+ eval "$(declare -F | ${pkgs.gnused}/bin/sed s/declare/unset/)"
+ shopt -u no_empty_cmd_completion
+ unalias -a
+
+ enable -n \
+ . [ alias bg bind break builtin caller cd command compgen complete \
+ compopt continue dirs disown eval exec false fc fg getopts hash \
+ help history jobs kill let local logout mapfile popd printf pushd \
+ pwd read readarray readonly shift source suspend test times trap \
+ true typeset ulimit umask unalias wait
+
+ exitHandler() {
+ :
+ }
+
+ export HOSTNAME="$(${pkgs.nettools}/bin/hostname)"
+ export STOCKHOLM_VERSION="''${STOCKHOLM_VERSION-$(${shell.get-version})}"
+
+ PS1='\[\e[38;5;162m\]\w\[\e[0m\] '
+ '';
+}
diff --git a/tv/1systems/alnus.nix b/tv/1systems/alnus.nix
index 4bc0318e8..ef2a0500f 100644
--- a/tv/1systems/alnus.nix
+++ b/tv/1systems/alnus.nix
@@ -58,7 +58,7 @@ with import <stockholm/lib>;
 krebs.build = {
 host = config.krebs.hosts.alnus;
 user = mkForce config.krebs.users.dv;
- source.nixpkgs.git.ref = mkForce "e924319cb6c74aa2a9c943eddeb0caef79db01bc";
+ source.nixpkgs.git.ref = mkForce "9b948ea439ddbaa26740ce35543e7e35d2aa6d18";
 };
 networking.networkmanager.enable = true;
diff --git a/tv/1systems/cd.nix b/tv/1systems/cd.nix
index 108006f34..9f2cec574 100644
--- a/tv/1systems/cd.nix
+++ b/tv/1systems/cd.nix
@@ -25,7 +25,6 @@ with import <stockholm/lib>;
 };
 environment.systemPackages = with pkgs; [
- htop
 iftop
 iotop
 iptables
diff --git a/tv/1systems/mu.nix b/tv/1systems/mu.nix
index fcd0a2178..3f3b2c2f4 100644
--- a/tv/1systems/mu.nix
+++ b/tv/1systems/mu.nix
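Review bot: `utils.build` and `utils.deploy` end in `2>&1 | whatsupnix`, and these are dash scripts (`writeDash`, `set -efu`) with no pipefail, so the script's exit status is whatsupnix's, not nix-build's or nixos-rebuild's; `cmds.test` exec's `utils.build`, so a failed build or a failed `switch` on the target reports success to the caller. The fix is to route the producer's status around the pipe on a spare descriptor and `exit` with it, as below for `utils.build`; `utils.deploy` needs the same treatment. Separately, `init.env.proxy` hands `cd "$target_path/stockholm" \;` to ssh, where the remote shell re-splits the joined command line, so a `target_path` containing whitespace breaks there even though the local quoting looks right — `$(q "$target_path/stockholm")` would match how `NIX_PATH` is already quoted two lines below.
```nix
  utils.build = pkgs.writeDash "utils.build" ''
    set -efu
    # dash has no pipefail: carry nix-build's status past whatsupnix on fd 3
    exec 4>&1
    status=$(exec 3>&1; {
      rc=0
      ${pkgs.nix}/bin/nix-build \
        -Q \
        --no-out-link \
        --show-trace \
        -E "with import <stockholm>; $1" \
        -I "$target_path" \
        2>&1 3>&- || rc=$?
      echo $rc >&3
    } | ${pkgs.whatsupnix}/bin/whatsupnix >&4)
    exec 4>&-
    exit $status
  '';
  # … unchanged: utils.deploy (apply the same status routing) …
```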
@@ -79,15 +79,12 @@ with import <stockholm/lib>; gimp xsane firefoxWrapper - chromiumDev + chromium skype libreoffice - kde4.l10n.de - kde4.plasma-nm pidgin-with-plugins pidginotr - kde4.print_manager #foomatic_filters #gutenprint #cups_pdf_filter @@ -101,7 +98,7 @@ with import <stockholm/lib>; security.wrappers = { sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron - slock.slock = "${pkgs.slock}/bin/slock"; + slock.source = "${pkgs.slock}/bin/slock"; }; security.pam.loginLimits = [ @@ -138,7 +135,9 @@ with import <stockholm/lib>; twoFingerScroll = true; }; - services.xserver.desktopManager.kde4.enable = true; + services.xserver.desktopManager.plasma5 = { + enable = true; + }; services.xserver.displayManager.auto = { enable = true; user = "vv"; diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 60f9fa100..4b3bf8538 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -31,7 +31,6 @@ with import <stockholm/lib>; get gnupg1compat haskellPackages.hledger - htop jq mkpasswd netcat diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 3add01748..d82f45ac0 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -34,7 +34,6 @@ with import <stockholm/lib>; file gnupg1compat haskellPackages.hledger - htop jq krebszones mkpasswd diff --git a/tv/1systems/zu.nix b/tv/1systems/zu.nix index 5552ef065..4fae3ca75 100644 --- a/tv/1systems/zu.nix +++ b/tv/1systems/zu.nix @@ -36,7 +36,6 @@ with import <stockholm/lib>; file gnupg1compat haskellPackages.hledger - htop jq mkpasswd netcat diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 4a1247ef5..bab1c72b6 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix 
@@ -1,20 +1,20 @@ -{ config, lib, pkgs, ... }: - with import <stockholm/lib>; - -{ +{ config, lib, pkgs, ... }: let + builder = if getEnv "dummy_secrets" == "true" + then "buildbot" + else "tv"; +in { krebs.enable = true; krebs.build = { user = config.krebs.users.tv; source = let inherit (config.krebs.build) host; in { nixos-config.symlink = "stockholm/tv/1systems/${host.name}.nix"; - secrets.file = - if getEnv "dummy_secrets" == "true" - then toString <stockholm/tv/dummy_secrets> - else "/home/tv/secrets/${host.name}"; + secrets.file = getAttr builder { + buildbot = toString <stockholm/tv/dummy_secrets>; + tv = "/home/tv/secrets/${host.name}"; + }; secrets-common.file = "/home/tv/secrets/common"; - stockholm.file = "/home/tv/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; ref = "412b0a17aa2975e092c7ab95a38561c5f82908d4"; # nixos-17.03 @@ -158,9 +158,10 @@ with import <stockholm/lib>; { environment.systemPackages = [ pkgs.get + pkgs.htop pkgs.krebspaste - pkgs.ovh-zone pkgs.nix-prefetch-scripts + pkgs.ovh-zone pkgs.push ]; } diff --git a/tv/2configs/htop.nix b/tv/2configs/htop.nix index 5d7e0272b..d7d2d7bfd 100644 --- a/tv/2configs/htop.nix +++ b/tv/2configs/htop.nix @@ -7,7 +7,6 @@ with import <stockholm/lib>; htop = pkgs.symlinkJoin { name = "htop"; paths = [ - super.htop (pkgs.writeDashBin "htop" '' export HTOPRC=${pkgs.writeText "htoprc" '' fields=0 48 17 18 38 39 40 2 46 47 49 1 @@ -37,6 +36,7 @@ with import <stockholm/lib>; ''} exec ${super.htop}/bin/htop "$@" '') + super.htop ]; }; }; diff --git a/tv/2configs/vim.nix b/tv/2configs/vim.nix index 93ed46dc8..a3af93772 100644 --- a/tv/2configs/vim.nix +++ b/tv/2configs/vim.nix @@ -300,7 +300,6 @@ let { vim-wrapper = pkgs.symlinkJoin { name = "vim"; paths = [ - pkgs.vim_configurable (pkgs.writeDashBin "vim" '' set -efu (umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs}) 
@@ -310,6 +309,7 @@ let { # vim-orgmode needs Python, thus vim_configurable instead of just vim exec ${pkgs.vim_configurable}/bin/vim "$@" '') + pkgs.vim_configurable ]; }; diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index ae47ab0f3..284e42a79 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix 
@@ -1,40 +1,54 @@ -{ config, pkgs, ... }: with import <stockholm/lib>; -{ - nixpkgs.config.packageOverrides = super: let - - # This callPackage will try to detect obsolete overrides. - callPackage = path: args: let - override = super.callPackage path args; - upstream = optionalAttrs (override ? "name") - (super.${(parseDrvName override.name).name} or {}); - in if upstream ? "name" && - override ? "name" && - compareVersions upstream.name override.name != -1 - then trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override - else override; - - in {} - // mapAttrs (_: flip callPackage {}) - (filterAttrs (_: dir: pathExists (dir + "/default.nix")) - (subdirsOf ./.)) - // { - # TODO use XDG_RUNTIME_DIR? - cr = pkgs.writeDashBin "cr" '' - set -efu - export LC_TIME=de_DE.utf8 - exec ${pkgs.chromium}/bin/chromium \ - --ssl-version-min=tls1 \ - --disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \ - --disk-cache-size=50000000 \ - "$@" - ''; - ejabberd = callPackage ./ejabberd { - erlang = pkgs.erlangR16; - }; - ff = pkgs.writeDashBin "ff" '' - exec ${pkgs.firefoxWrapper}/bin/firefox "$@" - ''; - gnupg = pkgs.gnupg21; +self: super: let + + # This callPackage will try to detect obsolete overrides. + callPackage = path: args: let + override = super.callPackage path args; + upstream = optionalAttrs (override ? "name") + (super.${(parseDrvName override.name).name} or {}); + in if upstream ? "name" && + override ? "name" && + compareVersions upstream.name override.name != -1 + then + trace + "Upstream `${upstream.name}' gets overridden by `${override.name}'." + override + else override; + +in { + + # TODO use XDG_RUNTIME_DIR? 
+ cr = self.writeDashBin "cr" '' + set -efu + export LC_TIME=de_DE.utf8 + exec ${self.chromium}/bin/chromium \ + --ssl-version-min=tls1 \ + --disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \ + --disk-cache-size=50000000 \ + "$@" + ''; + + ejabberd = callPackage ./ejabberd { + erlang = self.erlangR16; }; + + ff = self.writeDashBin "ff" '' + exec ${self.firefoxWrapper}/bin/firefox "$@" + ''; + + gnupg = self.gnupg21; + + # https://github.com/NixOS/nixpkgs/issues/16113 + wvdial = let + nixpkgs-1509 = import (self.fetchFromGitHub { + owner = "NixOS"; repo = "nixpkgs-channels"; + rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda"; + sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73"; + }) {}; + in nixpkgs-1509.wvdial; + } + +// mapAttrs (_: flip callPackage {}) + (filterAttrs (_: dir: pathExists (dir + "/default.nix")) + (subdirsOf ./.)) diff --git a/tv/default.nix b/tv/default.nix index b1c7c1be8..d077cc09f 100644 --- a/tv/default.nix +++ b/tv/default.nix @@ -1,9 +1,9 @@ -_: +{ pkgs, ... }: { imports = [ ../krebs ./2configs ./3modules - ./5pkgs ]; + nixpkgs.config.packageOverrides = import ./5pkgs pkgs; } |
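Review bot: The `cr` wrapper keeps `--disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME"`, a predictable path in a shared, world-writable directory: another local user can pre-create it or swap it between runs and chromium will use whatever is there. The existing `# TODO use XDG_RUNTIME_DIR?` is the fix; `--disk-cache-dir="''${XDG_RUNTIME_DIR:-/tmp}/chromium-disk-cache_$LOGNAME" \` keeps the cache under the per-user 0700 runtime directory whenever one exists and only falls back to /tmp. `--ssl-version-min=tls1` fixes the floor at TLS 1.0; unless a specific site still needs it, `tls1.2` is the safer value. `wvdial` imports a full nixpkgs-1509 checkout for one package; the linked issue says why, but a comment stating the condition for dropping the pin belongs next to the `fetchFromGitHub` call.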