authormakefu <github@syntax-fehler.de>2019-04-17 21:48:16 +0200
committermakefu <github@syntax-fehler.de>2019-04-17 21:48:16 +0200
commit12f77bbed628e4071ac300af77857815be97a344 (patch)
tree4f8233712a96ac5a38a386e1cc9df24de8a2b31a
parente9743b162d51c4eb04d7939f8445e1acaa2d723d (diff)
parentd0d3fcb2d2b9ed82dd1ff2864b9fbbd88aa65ff4 (diff)
Merge remote-tracking branch 'lass/master'
-rw-r--r--krebs/3modules/bepasty-server.nix8
-rw-r--r--krebs/3modules/ci.nix6
-rw-r--r--krebs/3modules/external/default.nix13
-rw-r--r--krebs/3modules/lass/default.nix3
-rw-r--r--krebs/3modules/realwallpaper.nix2
-rw-r--r--krebs/3modules/setuid.nix4
-rw-r--r--krebs/5pkgs/simple/kpaste/default.nix5
-rw-r--r--krebs/5pkgs/simple/krebspaste/default.nix12
-rw-r--r--lass/1systems/blue/config.nix9
-rw-r--r--lass/1systems/daedalus/config.nix8
-rw-r--r--lass/1systems/green/config.nix11
-rw-r--r--lass/1systems/icarus/config.nix1
-rw-r--r--lass/1systems/iso.nix10
-rw-r--r--lass/1systems/littleT/config.nix1
-rw-r--r--lass/1systems/morpheus/config.nix8
-rw-r--r--lass/1systems/mors/config.nix21
-rw-r--r--lass/1systems/prism/config.nix36
-rw-r--r--lass/1systems/shodan/config.nix2
-rw-r--r--lass/1systems/skynet/config.nix1
-rw-r--r--lass/1systems/yellow/config.nix1
-rw-r--r--lass/2configs/baseX.nix1
-rw-r--r--lass/2configs/exim-smarthost.nix3
-rw-r--r--lass/2configs/green-host.nix83
-rw-r--r--lass/2configs/hw/x220.nix5
-rw-r--r--lass/2configs/mail.nix4
-rw-r--r--lass/2configs/paste.nix10
-rw-r--r--lass/2configs/prism-share.nix2
-rw-r--r--lass/2configs/radio.nix9
-rw-r--r--lass/2configs/ssh-cryptsetup.nix17
-rw-r--r--lass/2configs/sync/decsync.nix8
-rw-r--r--lass/2configs/sync/weechat.nix8
-rw-r--r--lass/2configs/syncthing.nix3
-rw-r--r--lass/2configs/websites/domsen.nix2
-rw-r--r--lass/2configs/xdg-open.nix66
-rw-r--r--lass/3modules/usershadow.nix31
-rw-r--r--lib/types.nix2
-rw-r--r--tv/5pkgs/simple/utsushi.nix25
37 files changed, 373 insertions, 68 deletions
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index e12367b7c..94a509520 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -2,10 +2,10 @@
with import <stockholm/lib>;
let
- gunicorn = pkgs.pythonPackages.gunicorn;
- bepasty = pkgs.bepasty;
- gevent = pkgs.pythonPackages.gevent;
- python = pkgs.pythonPackages.python;
+ gunicorn = pkgs.python27Packages.gunicorn;
+ bepasty = pkgs.bepasty.override { python3Packages = pkgs.python27Packages; };
+ gevent = pkgs.python27Packages.gevent;
+ python = pkgs.python27Packages.python;
cfg = config.krebs.bepasty;
out = {
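Review bot: The pin to `pkgs.python27Packages` (and the `override { python3Packages = pkgs.python27Packages; }`, which hands Python 2 packages to a parameter named for Python 3) has no comment saying why it is needed, so the next reader cannot tell when it can be dropped; Python 2.7 loses upstream security support at the start of 2020, so the pin wants a removal plan. Suggest a one-line comment above `gunicorn = …`, e.g. `# pinned to python27: <reason — e.g. bepasty/gevent not yet on python3; confirm>`. The `let` block continues outside the hunk.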
diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix
index a47dbe611..244de1a0d 100644
--- a/krebs/3modules/ci.nix
+++ b/krebs/3modules/ci.nix
@@ -108,10 +108,12 @@ let
name=str(new_step),
command=[
"${pkgs.writeDash "build-stepper.sh" ''
- set -efu
+ set -xefu
profile=${shell.escape profileRoot}/$build_name
result=$("$build_script")
- ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result"
+ if [ -n "$result" ]; then
+ ${pkgs.nix}/bin/nix-env -p "$profile" --set "$result"
+ fi
''}"
],
env={
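Review bot: `set -xefu` turns on xtrace for the whole build step, so every expanded command, including `$build_script`, `$profile` and `$result`, is echoed to the step log; if a build script ever references a token from the `env={` block below, the trace prints it too. If the trace was added for debugging, drop the `x` again or scope it around the `nix-env` call with `set -x` / `set +x`; the empty-`$result` guard itself is fine. The enclosing Python build-step definition starts before the hunk.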
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index c9715cb85..9bfc920a3 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -429,6 +429,17 @@ in {
};
};
};
+ ada = {
+ owner = config.krebs.users.filly;
+ nets = {
+ wiregrill = {
+ aliases = [ "ada.w" ];
+ wireguard = {
+ pubkey = "+t0j9j7TZqvSFPzgunnON/ArXVGpMS/L3DldpanLoUk=";
+ };
+ };
+ };
+ };
};
users = {
ciko = {
@@ -464,6 +475,8 @@ in {
};
miaoski = {
};
+ filly = {
+ };
};
}
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index a3b8cab39..41f3852b9 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -20,6 +20,7 @@ in {
extraZones = {
"krebsco.de" = ''
cache IN A ${nets.internet.ip4.addr}
+ p IN A ${nets.internet.ip4.addr}
paste IN A ${nets.internet.ip4.addr}
prism IN A ${nets.internet.ip4.addr}
'';
@@ -38,6 +39,7 @@ in {
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
+ matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
@@ -239,6 +241,7 @@ in {
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C";
+ syncthing.id = "AU5RTWC-HXNMDRT-TN4ZHXY-JMQ6EQB-4ZPOZL7-AICZMCZ-LNS2XXQ-DGTI2Q6";
};
icarus = {
cores = 2;
diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index cb940efef..a0c00c20d 100644
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@@ -78,7 +78,7 @@ let
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeDash "generate-wallpaper" ''
- set -xeuf
+ set -euf
# usage: getimg FILENAME URL
fetch() {
diff --git a/krebs/3modules/setuid.nix b/krebs/3modules/setuid.nix
index 3ba598a45..97cf21cdd 100644
--- a/krebs/3modules/setuid.nix
+++ b/krebs/3modules/setuid.nix
@@ -21,8 +21,8 @@ let
default = config._module.args.name;
};
envp = mkOption {
- type = types.attrsOf types.str;
- default = {};
+ type = types.nullOr (types.attrsOf types.str);
+ default = null;
};
filename = mkOption {
type = mkOptionType {
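Review bot: Changing `envp` from `attrsOf str` with default `{}` to `nullOr (…)` with default `null` changes what every consumer of the option receives, and the code that renders the wrapper environment is outside this hunk, so a `mapAttrs`/`concatStrings` over `cfg.envp` would now fail on `null`; worth confirming it handles both cases. The option also still has no `description`; add one stating what `null` means versus `{}`, e.g. `description = "Environment of the setuid wrapper; null = <inherit the caller's environment — confirm>, {} = empty environment.";`.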
diff --git a/krebs/5pkgs/simple/kpaste/default.nix b/krebs/5pkgs/simple/kpaste/default.nix
index d6823d584..217cb8a44 100644
--- a/krebs/5pkgs/simple/kpaste/default.nix
+++ b/krebs/5pkgs/simple/kpaste/default.nix
@@ -1,5 +1,6 @@
-{ curl, writeDashBin }:
+{ curl, gnused, writeDashBin }:
writeDashBin "kpaste" ''
- exec ${curl}/bin/curl -sS http://p.r --data-binary @-
+ ${curl}/bin/curl -sS http://p.r --data-binary @- |
+ ${gnused}/bin/sed '$ {p;s/\<r\>/krebsco.de/}'
''
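Review bot: Replacing `exec curl …` with `curl … | sed …` makes the program's exit status sed's, and dash has no `pipefail`, so a failed upload (curl cannot reach `p.r`, or the server answers with an error page) now exits 0 and prints a rewritten URL for a paste that does not exist. Add `-f` so HTTP errors produce no body, and if callers rely on the status capture curl first: `out=$(${curl}/bin/curl -fsS http://p.r --data-binary @-) || exit $?` followed by `printf '%s\n' "$out" | ${gnused}/bin/sed '$ {p;s/\<r\>/krebsco.de/}'`. The same applies to the krebspaste hunk in `krebs/5pkgs/simple/krebspaste/default.nix`, where the `exec` was removed the same way.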
diff --git a/krebs/5pkgs/simple/krebspaste/default.nix b/krebs/5pkgs/simple/krebspaste/default.nix
index a11c8c90a..d97b6a053 100644
--- a/krebs/5pkgs/simple/krebspaste/default.nix
+++ b/krebs/5pkgs/simple/krebspaste/default.nix
@@ -1,6 +1,12 @@
-{ writeDashBin, bepasty-client-cli }:
+{ bepasty-client-cli, gnused, writeDashBin }:
-# TODO use `pkgs.exec` instead?
writeDashBin "krebspaste" ''
- exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | sed '$ s/$/\/+inline/g'
+ ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" |
+ ${gnused}/bin/sed '
+ $ {
+ s/$/\/+inline/
+ p
+ s/\<r\>/krebsco.de/
+ }
+ '
''
diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix
index a287f548b..14f4971f7 100644
--- a/lass/1systems/blue/config.nix
+++ b/lass/1systems/blue/config.nix
@@ -9,17 +9,12 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/blue.nix>
<stockholm/lass/2configs/syncthing.nix>
+ <stockholm/lass/2configs/sync/decsync.nix>
+ <stockholm/lass/2configs/sync/weechat.nix>
];
krebs.build.host = config.krebs.hosts.blue;
- krebs.syncthing.folders = [
- { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
- ];
- lass.ensure-permissions = [
- { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
- ];
-
environment.shellAliases = {
deploy = pkgs.writeDash "deploy" ''
set -eu
diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index e28fbf2f8..6e3df12f0 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -27,6 +27,12 @@ with import <stockholm/lib>;
enable = true;
systemWide = true;
};
+ programs.chromium = {
+ enable = true;
+ extensions = [
+ "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
+ ];
+ };
environment.systemPackages = with pkgs; [
pavucontrol
#firefox
@@ -40,7 +46,7 @@ with import <stockholm/lib>;
wine
geeqie
vlc
- minecraft
+ zsnes
];
nixpkgs.config.firefox.enableAdobeFlash = true;
services.xserver.enable = true;
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index 6ae157e38..0b4b50ee4 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -8,20 +8,13 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/mail.nix>
- #<stockholm/lass/2configs/blue.nix>
<stockholm/lass/2configs/syncthing.nix>
+ <stockholm/lass/2configs/sync/decsync.nix>
+ <stockholm/lass/2configs/sync/weechat.nix>
];
krebs.build.host = config.krebs.hosts.green;
- krebs.syncthing.folders = [
- { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
- ];
- lass.ensure-permissions = [
- { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
- ];
-
-
#networking.nameservers = [ "1.1.1.1" ];
#time.timeZone = "Europe/Berlin";
diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix
index 06b1e7366..d8c8699ae 100644
--- a/lass/1systems/icarus/config.nix
+++ b/lass/1systems/icarus/config.nix
@@ -20,6 +20,7 @@
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/nfs-dl.nix>
<stockholm/lass/2configs/prism-share.nix>
+ <stockholm/lass/2configs/ssh-cryptsetup.nix>
];
krebs.build.host = config.krebs.hosts.icarus;
diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index be064bed2..a814cc6b9 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -6,7 +6,6 @@ with import <stockholm/lib>;
<nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
<stockholm/krebs>
<stockholm/lass/3modules>
- <stockholm/lass/5pkgs>
<stockholm/lass/2configs/mc.nix>
<stockholm/lass/2configs/vim.nix>
{
@@ -40,9 +39,10 @@ with import <stockholm/lib>;
networking.hostName = "lass-iso";
}
{
+ nixpkgs.config.packageOverrides = import <stockholm/lass/5pkgs> pkgs;
krebs.enable = true;
krebs.build.user = config.krebs.users.lass;
- krebs.build.host = config.krebs.hosts.iso;
+ krebs.build.host = {};
}
{
nixpkgs.config.allowUnfree = true;
@@ -174,11 +174,13 @@ with import <stockholm/lib>;
user = "lass";
};
windowManager.default = "xmonad";
- windowManager.session = [{
+ windowManager.session = let
+ xmonad-lass = pkgs.callPackage <stockholm/lass/5pkgs/custom/xmonad-lass> { inherit config; };
+ in [{
name = "xmonad";
start = ''
${pkgs.xorg.xhost}/bin/xhost +LOCAL:
- ${pkgs.xmonad-lass}/bin/xmonad &
+ ${xmonad-lass}/bin/xmonad &
waitPID=$!
'';
}];
diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix
index eee23ee60..d44e62053 100644
--- a/lass/1systems/littleT/config.nix
+++ b/lass/1systems/littleT/config.nix
@@ -8,6 +8,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/syncthing.nix>
+ <stockholm/lass/2configs/green-host.nix>
];
networking.networkmanager.enable = true;
diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix
index 0d82ba611..cab267d54 100644
--- a/lass/1systems/morpheus/config.nix
+++ b/lass/1systems/morpheus/config.nix
@@ -30,4 +30,12 @@ with import <stockholm/lib>;
];
};
};
+
+
+ services.xserver.desktopManager.default = "none";
+ services.xserver.displayManager.lightdm.autoLogin = {
+ enable = true;
+ user = "lass";
+ timeout = 5;
+ };
}
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index fa5fb5518..7e183f40f 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -26,6 +26,8 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/otp-ssh.nix>
<stockholm/lass/2configs/c-base.nix>
+ <stockholm/lass/2configs/sync/decsync.nix>
+ <stockholm/lass/2configs/sync/weechat.nix>
<stockholm/lass/2configs/br.nix>
<stockholm/lass/2configs/ableton.nix>
<stockholm/lass/2configs/starcraft.nix>
@@ -41,8 +43,6 @@ with import <stockholm/lib>;
krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain
{ predicate = "-p tcp --dport 11100"; target = "ACCEPT"; }
- #chromecast
- { predicate = "-p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000"; target = "ACCEPT"; }
#quake3
{ predicate = "-p tcp --dport 27950:27965"; target = "ACCEPT"; }
{ predicate = "-p udp --dport 27950:27965"; target = "ACCEPT"; }
@@ -50,11 +50,9 @@ with import <stockholm/lib>;
}
{
krebs.syncthing.folders = [
- { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
- { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" ]; }
+ { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" "prism" ]; }
];
lass.ensure-permissions = [
- { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
{ folder = "/home/lass/tmp/the_playlist"; owner = "lass"; group = "syncthing"; }
];
}
@@ -92,6 +90,7 @@ with import <stockholm/lib>;
pkgs.ovh-zone
pkgs.bank
pkgs.adb-sync
+ pkgs.transgui
];
}
{
@@ -135,6 +134,18 @@ with import <stockholm/lib>;
(pkgs.writeDashBin "btc-kraken" ''
${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
'')
+ (pkgs.writeDashBin "krebsco.de" ''
+ TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
+ ${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json
+ OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import
+ ${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
+ '')
+ (pkgs.writeDashBin "lassul.us" ''
+ TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
+ ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json
+ OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us
+ ${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
+ '')
];
#TODO: fix this shit
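Review bot: The two new `krebsco.de`/`lassul.us` helpers write a decrypted OVH API secret into a temporary directory and only remove it on their last line, so if `krebszones import`/`ovh-zone import` fails or is interrupted the secret stays on disk (and if `writeDashBin` adds `set -e`, the abort happens before the `rm -rf`). Register the cleanup before the secret is written, e.g. `trap '${pkgs.coreutils}/bin/rm -rf "$TMPDIR"' EXIT` right after `TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)` in both scripts, which also covers the interrupt case. `mktemp -d` creates the directory with mode 0700, so the exposure is limited to the invoking user and root on that host. The enclosing `systemPackages` list starts before the hunk.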
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index b3b7ac0df..d7b0b701a 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -413,6 +413,42 @@ with import <stockholm/lib>;
];
};
}
+ { #macos mounting of yellow
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i wiregrill -p tcp --dport 139"; target = "ACCEPT"; }
+ { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
+ { predicate = "-i wiregrill -p udp --dport 137"; target = "ACCEPT"; }
+ { predicate = "-i wiregrill -p udp --dport 138"; target = "ACCEPT"; }
+ ];
+ users.users.smbguest = {
+ name = "smbguest";
+ uid = config.ids.uids.smbguest;
+ description = "smb guest user";
+ home = "/home/share";
+ createHome = true;
+ };
+ services.samba = {
+ enable = true;
+ enableNmbd = true;
+ shares = {
+ download = {
+ path = "/var/download/finished";
+ "read only" = "yes";
+ browseable = "yes";
+ "guest ok" = "yes";
+ };
+ };
+ extraConfig = ''
+ guest account = smbguest
+ map to guest = bad user
+ # disable printing
+ load printers = no
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
+ '';
+ };
+ }
];
krebs.build.host = config.krebs.hosts.prism;
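Review bot: The new unauthenticated guest share is kept off the public interface only by the four `-i wiregrill` iptables rules; Samba itself still binds every interface, and `enableNmbd = true` advertises it on all of them, so a firewall-rule regression would expose the share directly. Add `interfaces = wiregrill` and `bind interfaces only = yes` to the `extraConfig` block as defence in depth, with a comment that the share is intended for the wiregrill peers only. `smbguest` is created with a home directory but no explicit `shell`; worth confirming the module default is a non-login shell, since `map to guest = bad user` maps every unknown login name onto this account.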
diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix
index 39c0791fc..5de87d790 100644
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@@ -15,6 +15,8 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/blue-host.nix>
+ <stockholm/lass/2configs/green-host.nix>
+ <stockholm/lass/2configs/ssh-cryptsetup.nix>
];
krebs.build.host = config.krebs.hosts.shodan;
diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix
index 0bf3e6b4d..70787e514 100644
--- a/lass/1systems/skynet/config.nix
+++ b/lass/1systems/skynet/config.nix
@@ -8,6 +8,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/power-action.nix>
<stockholm/lass/2configs/syncthing.nix>
+ <stockholm/lass/2configs/green-host.nix>
{
services.xserver.enable = true;
services.xserver.desktopManager.xfce.enable = true;
diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index 8b3b2814f..cda0d0a33 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -31,6 +31,7 @@ with import <stockholm/lib>;
download-dir = "/var/download/finished";
incomplete-dir = "/var/download/incoming";
incomplete-dir-enable = true;
+ message-level = 1;
umask = "002";
rpc-whitelist-enabled = false;
rpc-host-whitelist-enabled = false;
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 26d6622ae..5003d2279 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -9,6 +9,7 @@ in {
./power-action.nix
./copyq.nix
./urxvt.nix
+ ./xdg-open.nix
{
hardware.pulseaudio = {
enable = true;
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index aec59261c..4216bd67a 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -100,6 +100,9 @@ with import <stockholm/lib>;
{ from = "box@lassul.us"; to = lass.mail; }
{ from = "paloalto@lassul.us"; to = lass.mail; }
{ from = "subtitles@lassul.us"; to = lass.mail; }
+ { from = "lobsters@lassul.us"; to = lass.mail; }
+ { from = "fysitech@lassul.us"; to = lass.mail; }
+ { from = "threema@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
new file mode 100644
index 000000000..860d7c113
--- /dev/null
+++ b/lass/2configs/green-host.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+ imports = [
+ <stockholm/lass/2configs/container-networking.nix>
+ <stockholm/lass/2configs/syncthing.nix>
+ { #hack for already defined
+ systemd.services."container@green".reloadIfChanged = mkForce false;
+ systemd.services."container@green".preStart = ''
+ ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q ' on /var/lib/containers/green '
+ '';
+ systemd.services."container@green".postStop = ''
+ set -x
+ ${pkgs.umount}/bin/umount /var/lib/containers/green
+ ls -la /dev/mapper/control
+ ${pkgs.devicemapper}/bin/dmsetup ls
+ ${pkgs.cryptsetup}/bin/cryptsetup -v luksClose /var/lib/sync-containers/green.img
+ '';
+ }
+ ];
+
+ lass.ensure-permissions = [
+ { folder = "/var/lib/sync-containers"; owner = "root"; group = "syncthing"; }
+ ];
+
+ krebs.syncthing.folders = [
+ { path = "/var/lib/sync-containers"; peers = [ "icarus" "skynet" "littleT" "shodan" ]; }
+ ];
+
+ system.activationScripts.containerPermissions = ''
+ mkdir -p /var/lib/containers
+ chmod 711 /var/lib/containers
+ '';
+
+ containers.green = {
+ config = { ... }: {
+ environment.systemPackages = [
+ pkgs.git
+ pkgs.rxvt_unicode.terminfo
+ ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ };
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.15";
+ localAddress = "10.233.2.16";
+ };
+
+ environment.systemPackages = [
+ (pkgs.writeDashBin "start-green" ''
+ set -fu
+ CONTAINER='green'
+ IMAGE='/var/lib/sync-containers/green.img'
+
+ ${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null
+ if [ "$?" -ne 0 ]; then
+ ${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER"
+ fi
+
+ mkdir -p /var/lib/containers/"$CONTAINER"
+
+ ${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/"$CONTAINER" "
+ if [ "$?" -ne 0 ]; then
+ ${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER"
+ fi
+
+ STATE=$(${pkgs.nixos-container}/bin/nixos-container status "$CONTAINER")
+ if [ "$STATE" = 'down' ]; then
+ ${pkgs.nixos-container}/bin/nixos-container start "$CONTAINER"
+ fi
+ ping -c1 green.r
+ if [ "$?" -ne 0 ]; then
+ ${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch
+ fi
+
+ '')
+ ];
+}
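Review bot: `start-green` runs with `set -fu` but not `-e`, and its `$?` checks only guard the status probes, so when `cryptsetup luksOpen` fails (wrong passphrase, image not yet synced) the script goes on to mount a non-existent `/dev/mapper/green` and then starts the container on the empty, unencrypted `/var/lib/containers/green` directory. Turning the probes into `if ! …` conditions lets `set -efu` abort on the first real failure; the rewrite below also fixes the odd `"…/containers/"$CONTAINER" "` quoting in the grep pattern. The `postStop` hook carries debugging residue (`set -x`, `ls -la /dev/mapper/control`, `dmsetup ls`) that lands in the journal on every stop. The `ping -c1 green.r` probe deciding whether to run `nixos-rebuild` inside the container is a heuristic: a DNS or network hiccup triggers a full rebuild, so it deserves a comment at least.
```nix
    (pkgs.writeDashBin "start-green" ''
      set -efu
      CONTAINER='green'
      IMAGE='/var/lib/sync-containers/green.img'

      # with set -e a failed luksOpen aborts here instead of mounting a missing mapper device
      if ! ${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null; then
        ${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER"
      fi

      mkdir -p /var/lib/containers/"$CONTAINER"

      if ! ${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/$CONTAINER "; then
        ${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER"
      fi

      # … unchanged: nixos-container status / start …

      # heuristic: an unreachable green.r is taken to mean the container needs a rebuild
      if ! ping -c1 green.r; then
        ${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch
      fi
    '')
```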
diff --git a/lass/2configs/hw/x220.nix b/lass/2configs/hw/x220.nix
index f5651da13..5649041f9 100644
--- a/lass/2configs/hw/x220.nix
+++ b/lass/2configs/hw/x220.nix
@@ -30,8 +30,7 @@
};
};
- services.logind.extraConfig = ''
- HandleLidSwitch=ignore
- '';
+ services.logind.lidSwitch = "ignore";
+ services.logind.lidSwitchDocked = "ignore";
}
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 0803846aa..6de111ba8 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -233,8 +233,4 @@ in {
tag-new-mails
tag-old-mails
];
-
- nixpkgs.config.packageOverrides = opkgs: {
- notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; }));
- };
}
diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix
index 293691c0f..3c3d8e636 100644
--- a/lass/2configs/paste.nix
+++ b/lass/2configs/paste.nix
@@ -10,6 +10,16 @@ with import <stockholm/lib>;
proxy_pass http://localhost:9081;
'';
};
+ services.nginx.virtualHosts.paste-readonly = {
+ serverAliases = [ "p.krebsco.de" ];
+ locations."/".extraConfig = ''
+ if ($request_method != GET) {
+ return 403;
+ }
+ proxy_set_header Host $host;
+ proxy_pass http://localhost:9081;
+ '';
+ };
krebs.htgen.paste = {
port = 9081;
script = toString [
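Review bot: The `if ($request_method != GET) { return 403; }` guard also rejects `HEAD`, which clients and monitoring commonly use on read-only endpoints, and `if` inside a location is the construct nginx documents as fragile. `limit_except GET { deny all; }` is the directive made for this, allows HEAD implicitly and replaces the three-line block. The read-only host proxies to the same `localhost:9081` backend as the writable one, so the restriction rests entirely on this method check; a comment saying so next to the vhost would help the next reader.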
diff --git a/lass/2configs/prism-share.nix b/lass/2configs/prism-share.nix
index 70e616ec6..aa3eb541d 100644
--- a/lass/2configs/prism-share.nix
+++ b/lass/2configs/prism-share.nix
@@ -21,7 +21,7 @@ with import <stockholm/lib>;
shares = {
incoming = {
path = "/mnt/prism";
- "read only" = "no";
+ "read only" = "yes";
browseable = "yes";
"guest ok" = "yes";
};
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index f88b2627b..d67d970f8 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -59,6 +59,9 @@ in {
group = "radio";
musicDirectory = "/home/radio/the_playlist/music";
extraConfig = ''
+ log_level "default"
+ auto_update "yes"
+
audio_output {
type "shout"
encoding "lame"
@@ -245,4 +248,10 @@ in {
alias ${html};
'';
};
+ krebs.syncthing.folders = [
+ { id = "the_playlist"; path = "/home/radio/music/the_playlist"; peers = [ "mors" "phone" "prism" ]; }
+ ];
+ lass.ensure-permissions = [
+ { folder = "/home/radio/music/the_playlist"; owner = "radio"; group = "syncthing"; }
+ ];
}
diff --git a/lass/2configs/ssh-cryptsetup.nix b/lass/2configs/ssh-cryptsetup.nix
new file mode 100644
index 000000000..c5e1c5928
--- /dev/null
+++ b/lass/2configs/ssh-cryptsetup.nix
@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+ boot.initrd = {
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ authorizedKeys = with config.krebs.users; [
+ config.krebs.users.lass-mors.pubkey
+ config.krebs.users.lass-blue.pubkey
+ config.krebs.users.lass-shodan.pubkey
+ config.krebs.users.lass-icarus.pubkey
+ ];
+ };
+ };
+ };
+}
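Review bot: The initrd SSH server is enabled with authorized keys but no host key, so the key the stage-1 daemon presents is whatever the module generates by default — depending on the NixOS release either a per-build key that ends up in the world-readable Nix store or a fresh key on every boot — and neither lets the admin typing the LUKS passphrase verify which machine they are talking to. Configure a persistent initrd host key through the `boot.initrd.network.ssh` host-key option of the release in use, kept out of the store, and pin it in the clients' known_hosts. `with config.krebs.users;` is unused because every entry spells the full `config.krebs.users.*` path; drop it or shorten the entries to `lass-mors.pubkey` etc.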
diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix
new file mode 100644
index 000000000..94569c94d
--- /dev/null
+++ b/lass/2configs/sync/decsync.nix
@@ -0,0 +1,8 @@
+{
+ krebs.syncthing.folders = [
+ { id = "decsync"; path = "/home/lass/decsync"; peers = [ "mors" "blue" "green" "phone" ]; }
+ ];
+ lass.ensure-permissions = [
+ { folder = "/home/lass/decsync"; owner = "lass"; group = "syncthing"; }
+ ];
+}
diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix
new file mode 100644
index 000000000..d10177b1d
--- /dev/null
+++ b/lass/2configs/sync/weechat.nix
@@ -0,0 +1,8 @@
+{
+ krebs.syncthing.folders = [
+ { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
+ ];
+ lass.ensure-permissions = [
+ { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
+ ];
+}
diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix
index 842abc195..fc10b2cb4 100644
--- a/lass/2configs/syncthing.nix
+++ b/lass/2configs/syncthing.nix
@@ -4,6 +4,7 @@ with import <stockholm/lib>;
services.syncthing = {
enable = true;
group = "syncthing";
+ configDir = "/var/lib/syncthing";
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
@@ -15,7 +16,7 @@ with import <stockholm/lib>;
key = toString <secrets/syncthing.key>;
peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
folders = [
- { path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism"]; }
+ { path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism" "shodan" ]; }
];
};
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 5bd5a7cac..2131c7c62 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -119,7 +119,7 @@ in {
authenticators.PLAIN = ''
driver = plaintext
public_name = PLAIN
- server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
+ server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
'';
authenticators.LOGIN = ''
driver = plaintext
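Review bot: The new `server_condition` hardcodes `/run/wrappers/bin/shadow_verify_arg`; the wrappers module exposes that directory as `config.security.wrapperDir`, so `${config.security.wrapperDir}/shadow_verify_arg` keeps the two in sync if the location ever changes. Passing `$auth2 $auth3` as command-line arguments means the submitted password is visible in the process list of the mail host for the duration of the check; that predates this change, but now that the verifier is a wrapper it is worth a comment acknowledging it, or a move to the stdin-based path that `verify_pam` presumably uses (`pam_exec` with `expose_authtok`). The enclosing `authenticators.PLAIN` block starts before the hunk.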
diff --git a/lass/2configs/xdg-open.nix b/lass/2configs/xdg-open.nix
new file mode 100644
index 000000000..824c36dc7
--- /dev/null
+++ b/lass/2configs/xdg-open.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, lib, ... }: with import <stockholm/lib>; let
+
+ xdg-open-wrapper = pkgs.writeDashBin "xdg-open" ''
+ /run/wrappers/bin/sudo -u lass ${xdg-open} "$@"
+ '';
+
+ xdg-open = pkgs.writeBash "xdg-open" ''
+ set -e
+ FILE="$1"
+ mime=
+
+ case "$FILE" in
+ http://*|https://*)
+ mime=text/html
+ ;;
+ mailto:*)
+ mime=special/mailaddress
+ ;;
+ magnet:*)
+ mime=application/x-bittorrent
+ ;;
+ irc:*)
+ mime=x-scheme-handler/irc
+ ;;
+ *)
+ # it’s a file
+
+ # strip possible protocol
+ FILE=''${FILE#file://}
+ mime=''$(file -E --brief --mime-type "$FILE") \
+ || (echo "$mime" 1>&2; exit 1)
+ # ^ echo the error message of file
+ ;;
+ esac
+
+ case "$mime" in
+ special/mailaddress)
+ urxvtc --execute vim "$FILE" ;;
+ ${optionalString (hasAttr "browser" config.lass) ''
+ text/html)
+ ${config.lass.browser.select}/bin/browser-select "$FILE" ;;
+ text/xml)
+ ${config.lass.browser.select}/bin/browser-select "$FILE" ;;
+ ''}
+ text/*)
+ urxvtc --execute vim "$FILE" ;;
+ image/*)
+ sxiv "$FILE" ;;
+ application/x-bittorrent)
+ env DISPLAY=:0 transgui "$FILE" ;;
+ application/pdf)
+ zathura "$FILE" ;;
+ inode/directory)
+ sudo -u lass -i urxvtc --execute mc "$FILE" ;;
+ *)
+ # open dmenu and ask for program to open with
+ $(dmenu_path | dmenu) "$FILE";;
+ esac
+ '';
+in {
+ environment.systemPackages = [ xdg-open-wrapper ];
+
+ security.sudo.extraConfig = ''
+ cr ALL=(lass) NOPASSWD: ${xdg-open} *
+ '';
+}
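Review bot: The sudoers line `cr ALL=(lass) NOPASSWD: ${xdg-open} *` reads as "let cr open files as lass", but the script's fallback `$(dmenu_path | dmenu) "$FILE"` runs whatever program the caller picks, and `vim`/`mc` give a shell, so the effective grant is unrestricted command execution as `lass` for user `cr`. If that is intended (a browser or sandbox account delegating back to the main user), say so in a comment next to the rule; if not, drop the dmenu fallback from the sudo-reachable script and keep the handler table fixed. Separately, `mime=''$(file -E …) || (echo "$mime" 1>&2; exit 1)` echoes an empty `$mime` (file's diagnostics go to stderr, not into the substitution) and `exit 1` only leaves the subshell, so the script ends through `set -e` by accident; `mime=$(file -E --brief --mime-type "$FILE")` alone, leaving `set -e` to abort with file's own message, is clearer. The wrapper is installed for every user via `systemPackages` but sudoers only permits `cr`, so any other user (including `lass` itself) gets a sudo denial instead of a working xdg-open.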
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index cb2890969..51da2ec93 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -31,13 +31,24 @@
session required pam_loginuid.so
'';
- security.pam.services.dovecot2.text = ''
- auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
- auth required pam_permit.so
- account required pam_permit.so
- session required pam_permit.so
- session required pam_env.so envfile=${config.system.build.pamEnvironment}
- '';
+ security.pam.services.dovecot2 = {
+ text = ''
+ auth required pam_exec.so debug expose_authtok log=/tmp/lol /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ session required pam_env.so envfile=${config.system.build.pamEnvironment}
+ '';
+ };
+
+ security.wrappers.shadow_verify_pam = {
+ source = "${usershadow}/bin/verify_pam";
+ owner = "root";
+ };
+ security.wrappers.shadow_verify_arg = {
+ source = "${usershadow}/bin/verify_arg";
+ owner = "root";
+ };
};
usershadow = let {
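Review bot: The new dovecot PAM line carries `debug` and `log=/tmp/lol`, which makes `pam_exec` append the verifier's output for every login to a fixed, predictable path in world-writable `/tmp`; besides being debug residue, a file or symlink pre-created at that path is written to with whatever privilege dovecot's PAM stack runs under. Drop both options: `auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}`. The two `security.wrappers` entries set only `source` and `owner`; if the verifiers need root to read the shadow-like files, `setuid = true` has to be given explicitly (not shown here), and if they do not, the wrapper adds nothing over the plain store path — a comment stating which is intended would settle it. Hardcoding `/run/wrappers/bin` instead of `${config.security.wrapperDir}` is the same coupling as in the `lass/2configs/websites/domsen.nix` hunk.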
@@ -46,10 +57,13 @@
"bytestring"
];
body = pkgs.writeHaskellPackage "passwords" {
+ ghc-options = [
+ "-rtsopts"
+ "-Wall"
+ ];
executables.verify_pam = {
extra-depends = deps;
text = ''
- import Data.Monoid
import System.IO
import Data.Char (chr)
import System.Environment (getEnv, getArgs)
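Review bot: `-rtsopts` is added to the GHC options of `verify_pam`/`verify_arg`, the binaries the first hunk installs through `security.wrappers`; with RTS options enabled the program honours `+RTS …` on the command line and the `GHCRTS` environment variable, and flags such as `-S <file>`/`-s <file>` write RTS statistics to a caller-chosen path, which is why enabling them is risky for a privileged binary. Unless the flags are needed for debugging, use `-rtsopts=none` (or omit the option) and keep `-Wall`. The `executables.verify_pam` attribute set continues outside the hunk.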
@@ -72,7 +86,6 @@
executables.verify_arg = {
extra-depends = deps;
text = ''
- import Data.Monoid
import System.Environment (getArgs)
import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
import qualified Data.ByteString.Char8 as BS8
diff --git a/lib/types.nix b/lib/types.nix
index 9001bc7c3..23919af38 100644
--- a/lib/types.nix
+++ b/lib/types.nix
@@ -89,7 +89,7 @@ rec {
syncthing.id = mkOption {
# TODO syncthing id type
- type = nullOr string;
+ type = nullOr str;
default = null;
};
};
diff --git a/tv/5pkgs/simple/utsushi.nix b/tv/5pkgs/simple/utsushi.nix
index 55e8800a6..0ae4ed880 100644
--- a/tv/5pkgs/simple/utsushi.nix
+++ b/tv/5pkgs/simple/utsushi.nix
@@ -51,13 +51,19 @@ let
src =
if stdenv.system == "i686-linux" then
fetchurl {
- url = "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-1.3.21.x86.deb.tar.gz";
- sha256 = "16xv1pdfm2ryis815fawb7zqg6c4swww726g272ssx044r5dp80r";
+ urls = [
+ "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x86/imagescan-bundle-debian-9-3.55.0.x86.deb.tar.gz"
+ "http://ni.r/~tv/mirrors/epson/imagescan-bundle-debian-9-3.55.0.x86.deb.tar.gz"
+ ];
+ sha256 = "12syk4y8z22hm9r1lgxqp81vd24jbqgmq83b7yiyqfd4wfxb6k3s";
}
else if stdenv.system == "x86_64-linux" then
fetchurl {
- url = "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-1.3.21.x64.deb.tar.gz";
- sha256 = "0zik35h2jwrvkwcmq55wc72imidwdnmn1bayhypzhjcz61rasjg2";
+ urls = [
+ "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-3.55.0.x64.deb.tar.gz"
+ "http://ni.r/~tv/mirrors/epson/imagescan-bundle-debian-9-3.55.0.x64.deb.tar.gz"
+ ];
+ sha256 = "1wp372hqhzdar6ldxy7s9js2s872x8c5nwq3608dwg9gca11ppc5";
}
else throw "${name} is not supported on ${stdenv.system} (only i686-linux and x86_64 linux are supported)";
@@ -92,7 +98,7 @@ let
license = stdenv.lib.licenses.eapl;
maintainers = [ stdenv.lib.maintainers.tv ];
platforms = stdenv.lib.platforms.linux;
- version = "1.1.0";
+ version = "1.1.2";
};
};
@@ -102,8 +108,11 @@ stdenv.mkDerivation rec {
name = "utsushi-${meta.version}";
src = fetchurl {
- url = "http://support.epson.net/linux/src/scanner/imagescanv3/debian/imagescan_${meta.version}.orig.tar.gz";
- sha256 = "1gmiimwkcyzbkfr25vzqczjhgh90fgxd96agbnkpf9gah1mpd6qj";
+ urls = [
+ "http://support.epson.net/linux/src/scanner/imagescanv3/debian/imagescan_${meta.version}.orig.tar.gz"
+ "http://ni.r/~tv/mirrors/epson/imagescan_${meta.version}.orig.tar.gz"
+ ];
+ sha256 = "0xwl4xp07cigslbi1qc52jsjvxcyvjlx54g812mn7211p01v2h4l";
};
preConfigure = ''
@@ -203,6 +212,6 @@ stdenv.mkDerivation rec {
license = stdenv.lib.licenses.gpl3;
maintainers = [ stdenv.lib.maintainers.tv ];
platforms = stdenv.lib.platforms.linux;
- version = "3.54.0";
+ version = "3.55.0";
};
}