diff options
| author | jeschli <jeschli@gmail.com> | 2018-05-04 16:57:21 +0200 |
|---|---|---|
| committer | jeschli <jeschli@gmail.com> | 2018-05-04 16:57:21 +0200 |
| commit | 74cab14502ce3f482d96759eed4c7e648204e78e (patch) | |
| tree | 1f82d99cc0dafdf87d33fcc3e3a9a865f95f3384 | |
| parent | 4f2bf83ff906b9ee0421dabba4ff7e9dab5b7802 (diff) | |
| parent | b81fe57e3e137a2449fb8cc5e627e484d84bb00e (diff) | |
Merge remote-tracking branch 'origin/master'
88 files changed, 1257 insertions, 972 deletions
diff --git a/jeschli/1systems/bln/config.nix b/jeschli/1systems/bln/config.nix index ad397728d..190f6f539 100644 --- a/jeschli/1systems/bln/config.nix +++ b/jeschli/1systems/bln/config.nix @@ -1,7 +1,7 @@ { config, lib, pkgs, ... }: # bln config file { - imports = [ + imports = [ ./hardware-configuration.nix <stockholm/jeschli> <stockholm/jeschli/2configs/virtualbox.nix> @@ -95,6 +95,12 @@ # Enable the X11 windowing system. services.xserver.videoDrivers = [ "nvidia" ]; +# services.xserver.windowManager.xmonad.enable = true; +# services.xserver.windowManager.xmonad.enableContribAndExtras = true; +# services.xserver.displayManager.sddm.enable = true; +# services.xserver.dpi = 100; +# fonts.fontconfig.dpi = 100; + users.extraUsers.jeschli = { isNormalUser = true; extraGroups = ["docker" "vboxusers" "audio"]; diff --git a/jeschli/2configs/xserver/default.nix b/jeschli/2configs/xserver/default.nix index 4e646811d..748d12258 100644 --- a/jeschli/2configs/xserver/default.nix +++ b/jeschli/2configs/xserver/default.nix @@ -46,6 +46,7 @@ in { dpi = 200; + videoDrivers = [ "nvidia" ]; synaptics = { enable = true; twoFingerScroll = true; diff --git a/jeschli/5pkgs/simple/xmonad-jeschli/default.nix b/jeschli/5pkgs/simple/xmonad-jeschli/default.nix index 5bb391f98..578a51c8f 100644 --- a/jeschli/5pkgs/simple/xmonad-jeschli/default.nix +++ b/jeschli/5pkgs/simple/xmonad-jeschli/default.nix @@ -44,6 +44,7 @@ import XMonad.Layout.Reflect (reflectVert) import XMonad.Layout.FixedColumn (FixedColumn(..)) import XMonad.Hooks.Place (placeHook, smart) import XMonad.Hooks.FloatNext (floatNextHook) +import XMonad.Hooks.SetWMName import XMonad.Actions.PerWorkspaceKeys (chooseAction) import XMonad.Layout.PerWorkspace (onWorkspace) --import XMonad.Layout.BinarySpacePartition @@ -86,7 +87,8 @@ mainNoArgs = do -- , handleEventHook = myHandleEventHooks <+> handleTimerEvent --, handleEventHook = handleTimerEvent , manageHook = placeHook (smart (1,0)) <+> floatNextHook - , startupHook = + , startupHook = do + setWMName "LG3D" whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK")) (\path -> forkFile path [] Nothing) , normalBorderColor = "#1c1c1c" @@ -217,7 +219,7 @@ myKeys conf = Map.fromList $ pagerConfig :: PagerConfig pagerConfig = def { pc_font = myFont - , pc_cellwidth = 64 + , pc_cellwidth = 256 --, pc_cellheight = 36 -- TODO automatically keep screen aspect --, pc_borderwidth = 1 --, pc_matchcolor = "#f0b000" diff --git a/krebs/1systems/hope/config.nix b/krebs/1systems/hope/config.nix deleted file mode 100644 index c19b210c5..000000000 --- a/krebs/1systems/hope/config.nix +++ /dev/null @@ -1,41 +0,0 @@ -with import <stockholm/lib>; -{ config, pkgs, ... }: let - - ip = config.krebs.build.host.nets.internet.ip4.addr; - bestGuessGateway = addr: elemAt (match "(.*)(\.[^.])" addr) 0 + ".1"; - -in { - imports = [ - <stockholm/krebs> - <stockholm/krebs/2configs> - <stockholm/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix> - - <stockholm/krebs/2configs/secret-passwords.nix> - { - users.extraUsers = { - satan = { - name = "satan"; - uid = 1338; - home = "/home/satan"; - group = "users"; - createHome = true; - useDefaultShell = true; - initialPassword = "test"; - }; - }; - } - ]; - - krebs.build.host = config.krebs.hosts.hope; - - networking = let - address = config.krebs.build.host.nets.internet.ip4.addr; - in { - defaultGateway = bestGuessGateway address; - interfaces.enp2s1.ip4 = singleton { - inherit address; - prefixLength = 24; - }; - nameservers = ["8.8.8.8"]; - }; -} diff --git a/krebs/1systems/hope/source.nix b/krebs/1systems/hope/source.nix deleted file mode 100644 index 7121d1d9d..000000000 --- a/krebs/1systems/hope/source.nix +++ /dev/null @@ -1,3 +0,0 @@ -import <stockholm/krebs/source.nix> { - name = "hope"; -} diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index 98fb88702..662e094d1 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -21,4 +21,5 @@ boot.isContainer = true; networking.useDHCP = false; krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm"; + environment.variables.NIX_REMOTE = "daemon"; } diff --git a/krebs/1systems/onebutton/config.nix b/krebs/1systems/onebutton/config.nix new file mode 100644 index 000000000..dca00a206 --- /dev/null +++ b/krebs/1systems/onebutton/config.nix @@ -0,0 +1,48 @@ +{ config, pkgs, lib, ... }: +{ + # :l <nixpkgs> + # builtins.readDir (pkgs.fetchFromGitHub { owner = "nixos"; repo = "nixpkgs-channels"; rev = "6c064e6b"; sha256 = "1rqzh475xn43phagrr30lb0fd292c1s8as53irihsnd5wcksnbyd"; }) + imports = [ + <stockholm/krebs> + <stockholm/krebs/2configs> + { # flag to rebuild everything yourself: + # environment.noXlibs = true; + + # minimal disk usage + nix.gc.automatic = true; + nix.gc.dates = "03:10"; + documentation.man.enable = false; + documentation.info.enable = false; + services.nixosManual.enable = false; + services.journald.extraConfig = "SystemMaxUse=50M"; + } + ]; + krebs.build.host = config.krebs.hosts.onebutton; + # NixOS wants to enable GRUB by default + boot.loader.grub.enable = false; + + # Enables the generation of /boot/extlinux/extlinux.conf + boot.loader.generic-extlinux-compatible.enable = true; + + boot.kernelPackages = pkgs.linuxPackages_rpi; + + nix.binaryCaches = [ "http://nixos-arm.dezgeg.me/channel" ]; + nix.binaryCachePublicKeys = [ "nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=%" ]; + + fileSystems = { + "/boot" = { + device = "/dev/disk/by-label/NIXOS_BOOT"; + fsType = "vfat"; + }; + "/" = { + device = "/dev/disk/by-label/NIXOS_SD"; + fsType = "ext4"; + }; + }; + + swapDevices = [ { device = "/swapfile"; size = 1024; } ]; + services.openssh.enable = true; + + networking.wireless.enable = true; + hardware.enableRedistributableFirmware = true; +} diff --git a/krebs/1systems/onebutton/source.nix b/krebs/1systems/onebutton/source.nix new file mode 100644 index 000000000..8f25881c9 --- /dev/null +++ b/krebs/1systems/onebutton/source.nix @@ -0,0 +1,16 @@ +with import <stockholm/lib>; +let + pkgs = import <nixpkgs> {}; + nixpkgs = pkgs.fetchFromGitHub { + owner = "nixos"; + repo = "nixpkgs-channels"; + rev = "6c064e6b"; # only binary cache for unstable arm6 + sha256 = "1rqzh475xn43phagrr30lb0fd292c1s8as53irihsnd5wcksnbyd"; + }; +in import <stockholm/krebs/source.nix> { + name = "onebutton"; + override.nixpkgs = mkForce { + file = toString nixpkgs; + }; + +} diff --git a/krebs/2configs/news-spam.nix b/krebs/2configs/news-spam.nix index 63848c234..69c503bf9 100644 --- a/krebs/2configs/news-spam.nix +++ b/krebs/2configs/news-spam.nix @@ -2,6 +2,7 @@ { krebs.newsbot-js.news-spam = { + urlShortenerHost = "go.lassul.us"; feeds = pkgs.writeText "feeds" '' [SPAM]aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews [SPAM]allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews @@ -120,7 +121,7 @@ [SPAM]sciencemag|http://news.sciencemag.org/rss/current.xml|#snews [SPAM]scmp|http://www.scmp.com/rss/91/feed|#snews [SPAM]sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews - [SPAM]shackspace|http://blog.shackspace.de/?feed=rss2|#snews + [SPAM]shackspace|http://shackspace.de/atom.xml|#snews [SPAM]shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews [SPAM]sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews [SPAM]sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 2628c7986..49a5e3459 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -11,7 +11,7 @@ painload|https://github.com/krebscode/painload/commits/master.atom|#news reddit_haskell|http://www.reddit.com/r/haskell/.rss|#news reddit_nix|http://www.reddit.com/r/nixos/.rss|#news - shackspace|http://blog.shackspace.de/?feed=rss2|#news + shackspace|http://shackspace.de/atom.xml|#news tinc|http://tinc-vpn.org/news/index.rss|#news vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#news weechat|http://dev.weechat.org/feed/atom|#news diff --git a/krebs/2configs/shack/worlddomination.nix b/krebs/2configs/shack/worlddomination.nix index 828b6cd70..44176a341 100644 --- a/krebs/2configs/shack/worlddomination.nix +++ b/krebs/2configs/shack/worlddomination.nix @@ -2,8 +2,56 @@ with import <stockholm/lib>; let + pkg = pkgs.stdenv.mkDerivation { + name = "worlddomination-2018-04-21"; + src = pkgs.fetchgit { + url = "https://github.com/shackspace/worlddomination/"; + rev = "1b32403b9"; + sha256 = "10x7aiil13k3x9wqy95mi1ys999d6fxg5sys3jwv7a1p930gkl1i"; + }; + buildInputs = [ + (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ + docopt + LinkHeader + aiocoap + grequests + paramiko + python + ])) + ]; + installPhase = '' + install -m755 -D backend/push_led.py $out/bin/push-led + install -m755 -D backend/loop_single.py $out/bin/loop-single + # copy the provided file to the package + install -m755 -D backend/wd.lst $out/${wdpath} + ''; + }; pythonPackages = pkgs.python3Packages; # https://github.com/chrysn/aiocoap + grequests = pythonPackages.buildPythonPackage rec { + pname = "grequests"; + version = "0.3.1"; + name = "${pname}-${version}"; + + src = pkgs.fetchFromGitHub { + owner = "kennethreitz"; + repo = "grequests"; + rev = "d1e70eb"; + sha256 = "0drfx4fx65k0g5sj0pw8z3q1s0sp7idn2yz8xfb45nd6v82i37hc"; + }; + + doCheck = false; + + propagatedBuildInputs = with pythonPackages; [ requests gevent ]; + + meta = with lib;{ + description = "Asynchronous HTTP requests"; + homepage = https://github.com/kennethreitz/grequests; + license = with licenses; [ bsd2 ]; + maintainers = with maintainers; [ matejc ]; + }; + }; + aiocoap = pythonPackages.buildPythonPackage { name = "aiocoap-0.3"; src = pkgs.fetchurl { url = "https://pypi.python.org/packages/9c/f6/d839e4b14258d76e74a39810829c13f8dd31de2bfe0915579b2a609d1bbe/aiocoap-0.3.tar.gz"; sha256 = "402d4151db6d8d0b1d66af5b6e10e0de1521decbf12140637e5b8d2aa9c5aef6"; }; @@ -25,32 +73,9 @@ let description = "Parse and format link headers according to RFC 5988 \"Web Linking\""; }; }; - pkg = pkgs.stdenv.mkDerivation { - name = "worlddomination-2017-06-10"; - src = pkgs.fetchgit { - url = "https://github.com/shackspace/worlddomination/"; - rev = "72fc9b5"; - sha256 = "05h500rswzypcxy4i22qc1vkc8izbzfqa9m86xg289hjxh133xyf"; - }; - buildInputs = [ - (pkgs.python3.withPackages (pythonPackages: with pythonPackages; [ - docopt - LinkHeader - aiocoap - requests - paramiko - python - ])) - ]; - installPhase = '' - install -m755 -D backend/push_led.py $out/bin/push-led - install -m755 -D backend/loop_single.py $out/bin/loop-single - # copy the provided file to the package - install -m755 -D backend/wd.lst $out/${wdpath} - ''; - }; wdpath = "/usr/worlddomination/wd.lst"; esphost = "10.42.24.7"; # esp8266 + afrihost = "10.42.25.201"; # africa timeout = 10; # minutes in { systemd.services.worlddomination = { @@ -64,4 +89,16 @@ in { PermissionsStartOnly = true; }; }; + + systemd.services.worlddomination-africa = { + description = "run worlddomination africa"; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + User = "nobody"; # TODO separate user + ExecStart = "${pkg}/bin/push-led ${afrihost} ${pkg}/${wdpath} loop ${toString timeout}"; + Restart = "always"; + PrivateTmp = true; + PermissionsStartOnly = true; + }; + }; } diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index 1e626f0a0..a938f8ec9 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix @@ -30,38 +30,6 @@ let }); in { hosts = { - hope = { - ci = true; - owner = config.krebs.users.krebs; - nets = { - internet = { - ip4.addr = "45.62.225.18"; - aliases = [ - "hope.i" - ]; - ssh.port = 45621; - }; - retiolum = { - ip4.addr = "10.243.77.4"; - ip6.addr = "42:0:0:0:0:0:77:4"; - aliases = [ - "hope.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAsQVWCoNZZd77tYw1qEDlUsfcF0ld+jVorq2uR5il1D8sqER644l5 - uaWxPQjSl27xdq5kvzIH24Ab6/xF2EDgE2fUTwpO5coBYafeiGyi5AwURQmYMp2a - 2CV7uUAagFQaSzD0Aj796r1BXPn1IeE+uRSBmmc/+/7L0hweRGLiha34NOMZkq+4 - A0pwI/CjnyRXdV4AqfORHXkelykJPATm+m3bC+KYogPBeNMP2AV2aYgY8a0UJPMK - fjAJCzxYJjiYxm8faJlm2U1bWytZODQa8pRZOrYQa4he2UoU6x78CNcrQkYLPOFC - K2Q7+B5WJNKV6CqYztXuU/6LTHJRmV0FiwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdLHRI29xJj1jmfSidE2Dh7EsDNszm+WH3Kj4zYBkP/"; - }; hotdog = { ci = true; owner = config.krebs.users.krebs; @@ -91,6 +59,37 @@ in { ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp"; }; + onebutton = { + cores = 1; + owner = config.krebs.users.krebs; + nets = { + retiolum = { + ip4.addr = "10.243.0.101"; + ip6.addr = "42:0:0:0:0:0:0:101"; + aliases = [ + "onebutton.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA11w6votRExwE0ZEiQmPa + 9WGNsMfNAZEd14iHaHCZH7UPQEH+cH/T6isGPpaysindroMnqFe9mUf/cdYChb6N + aaFreApwGBQaJPUcdy4cfphrFpzmOClpOFuFbnV7ZvAk/wefBad3kUzsq/lK4HvB + 7nPKeOB9kljphLrkzuLL/h2yOenMpO2ZdvwxyWN8HKmUNgvpBQjIr+Hka6cgy7Gp + pBVFHfSnad/eHeEvq91O/bHxrAxzH5N5DVagPDpkbiWYGl+0XVGP/h0CApr15Ael + +j2pJYc0ZlaXIp4KmNRqbd/fLe52JLrWbnFX4rRuY/DhoMqK8kjECEZ7gLiNSpCC + KlnlJ2LXX9c+d79ubzl5yLAJ3d6T4IJqkbAWJDuCrj821M9ZDk/qZwerayhrrvkF + tMYkQoGSe8MvSOU0rTEoH5iSRwDC7M0XzUe4l8/yZLFyD4Prz/dq6coqANfk/tlE + DnH3vDu9lmFvYrLcd6yDWzFfI3mWDJoUa6AKKoScCOaCkRfIM4Aew0i73+h1nJLO + 59AAbZIkDYyWs53QniIG4EQteI9y/9j/628nPAVj68V5oIN76RDXfFHWDWq4DxmU + PpGVmoIKcKZmnl7RrDomRVpuGMdyQ+kCzIGH3XYe12v8Y5beHZBrd3OajgHZ/Tfp + jP873cT6h0hsGm9glgOYho8CAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcZg+iLaPZ0SpLM+nANxIjZC/RIsansjyutK0+gPhIe "; + }; puyak = { ci = true; owner = config.krebs.users.krebs; diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 0c3e68c39..48df04bcb 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -9,6 +9,7 @@ with import <stockholm/lib>; hosts = mapAttrs (_: recursiveUpdate { owner = config.krebs.users.lass; ci = true; + monitoring = true; }) { dishfire = { cores = 4; @@ -43,39 +44,6 @@ with import <stockholm/lib>; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy"; }; - echelon = { - cores = 2; - nets = rec { - internet = { - ip4.addr = "64.137.242.41"; - aliases = [ - "echelon.i" - ]; - ssh.port = 45621; - }; - retiolum = { - via = internet; - ip4.addr = "10.243.206.103"; - ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f763"; - aliases = [ - "echelon.r" - "cgit.echelon.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAuscWOYdHu0bpWacvwTNd6bcmrAQ0YFxJWHZF8kPZr+bMKIhnXLkJ - oJheENIM6CA9lQQQFUxh2P2pxZavW5rgVlJxIKeiB+MB4v6ZO60LmZgpCsWGD/dX - MipM2tLtQxYhvLJIJxEBWn3rxIgeEnCtZsH1KLWyLczb+QpvTjMJ4TNh1nEBPE/f - 4LUH1JHaGhcaHl2dLemR9wnnDIjmSj0ENJp2al+hWnIggcA/Zp0e4b86Oqbbs5wA - n++n5j971cTrBdA89nJDYOEtepisglScVRbgLqJG81lDA+n24RWFynn+U3oD/L8p - do+kxlwZUEDRbPU4AO5L+UeIbimsuIfXiQIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - ssh.privkey.path = <secrets/ssh.id_ed25519>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL21QDOEFdODFh6WAfNp6odrXo15pEsDQuGJfMu/cKzK"; - }; prism = rec { cores = 4; extraZones = { @@ -86,14 +54,17 @@ with import <stockholm/lib>; "lassul.us" = '' $TTL 3600 @ IN SOA dns16.ovh.net. tech.ovh.net. (2017093001 86400 3600 3600000 300) - 60 IN NS ns16.ovh.net. - 60 IN NS dns16.ovh.net. - 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - 60 IN TXT v=spf1 mx a:lassul.us -all - cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - io 60 IN NS ions.lassul.us. - ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} - paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + 60 IN NS ns16.ovh.net. + 60 IN NS dns16.ovh.net. + 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + 60 IN TXT v=spf1 mx a:lassul.us -all + 60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" ) + default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" + cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + io 60 IN NS ions.lassul.us. + ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} ''; }; nets = rec { @@ -149,6 +120,7 @@ with import <stockholm/lib>; }; domsen-nas = { ci = false; + monitoring = false; external = true; nets = rec { internet = { @@ -161,6 +133,7 @@ with import <stockholm/lib>; }; }; uriel = { + monitoring = false; cores = 1; nets = { gg23 = { @@ -399,10 +372,12 @@ with import <stockholm/lib>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX"; }; iso = { + monitoring = false; ci = false; cores = 1; }; sokrateslaptop = { + monitoring = false; ci = false; external = true; nets = { @@ -426,6 +401,7 @@ with import <stockholm/lib>; }; }; turingmachine = { + monitoring = false; ci = false; external = true; nets = { @@ -454,6 +430,7 @@ with import <stockholm/lib>; }; }; eddie = { + monitoring = false; ci = false; external = true; nets = rec { @@ -494,6 +471,7 @@ with import <stockholm/lib>; }; }; borg = { + monitoring = false; ci = false; external = true; nets = { @@ -521,6 +499,7 @@ with import <stockholm/lib>; }; }; inspector = { + monitoring = false; ci = false; external = true; nets = rec { @@ -552,6 +531,7 @@ with import <stockholm/lib>; }; }; dpdkm = { + monitoring = false; ci = false; external = true; nets = rec { @@ -659,6 +639,37 @@ with import <stockholm/lib>; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsTeSAedrbp7/KmZX8Mvka702fIUy77Mvqo9HwzCbym"; }; + red = { + monitoring = false; + cores = 1; + nets = { + retiolum = { + ip4.addr = "10.243.0.13"; + ip6.addr = "42:0:0:0:0:0:0:12ed"; + aliases = [ + "red.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG + 4/cqsjvHlffAN8jYDq+GImgREvbiLlFhhHgxwKh0gcDTR8P1xX/00P3/fx/g5bRF + Te7LZT2AFmVFFFfx1n9NBweN/gG2/hzB9J8epbWLNT+RzpzHuAoREvDZ+jweSXaI + phdmQY2s36yrR3TAShqq0q4cwlXuHT00J+InDutM0mTftBQG/fvYkBhHOfq4WSY0 + FeMK7DTKNbsqQiKKQ/kvWi7KfTW0F0c7SDpi7BLwbQzP2WbogtGy9MIrw9ZhE6Ox + TVdAksPKw0TlYdb16X/MkbzBqTYbxFlmWzpMJABMxIVwAfQx3ZGYvJDdDXmQS2qa + mDN2xBb/5pj3fbfp4wbwWlRVSd/AJQtRvaNY24F+UsRJb0WinIguDI6oRZx7Xt8w + oYirKqqq1leb3EYUt8TMIXQsOw0/Iq+JJCwB+ZyLLGVNB19XOxdR3RN1JYeZANpE + cMSS3SdFGgZ//ZAdhIN5kw9yMeKo6Rnt+Vdz3vZWTuSVp/xYO3IMGXNGAdIWIwrJ + 7fwSl/rfXGG816h0sD46U0mxd+i68YOtHlzOKe+vMZ4/FJZYd/E5/IDQluV8HLwa + 5lODfZXUmfStdV+GDA9KVEGUP5xSkC3rMnir66NgHzKpIL002/g/HfGu7O3MrvpW + ng7AMvRv5vbsYcJBj2HUhKUCAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp"; + }; }; users = { lass = { diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index e137da7ca..d7a750c6e 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -539,6 +539,7 @@ with import <stockholm/lib>; dl.euer IN A ${nets.internet.ip4.addr} boot.euer IN A ${nets.internet.ip4.addr} wiki.euer IN A ${nets.internet.ip4.addr} + mon.euer IN A ${nets.internet.ip4.addr} graph IN A ${nets.internet.ip4.addr} ghook IN A ${nets.internet.ip4.addr} dockerhub IN A ${nets.internet.ip4.addr} diff --git a/krebs/3modules/newsbot-js.nix b/krebs/3modules/newsbot-js.nix index d372081ee..00e346f8e 100644 --- a/krebs/3modules/newsbot-js.nix +++ b/krebs/3modules/newsbot-js.nix @@ -93,6 +93,7 @@ let User = "newsbot-js"; Restart = "always"; ExecStart = "${newsbot.package}/bin/newsbot"; + WatchdogSec = "86400"; }; } ) cfg; diff --git a/krebs/5pkgs/simple/Reaktor/plugins.nix b/krebs/5pkgs/simple/Reaktor/plugins.nix index bcfcbf76b..f3b771190 100644 --- a/krebs/5pkgs/simple/Reaktor/plugins.nix +++ b/krebs/5pkgs/simple/Reaktor/plugins.nix @@ -120,11 +120,24 @@ rec { url-title = (buildSimpleReaktorPlugin "url-title" { pattern = "^.*(?P<args>http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+).*$$"; path = with pkgs; [ curl perl ]; - script = pkgs.writeDash "lambda-pl" '' - if [ "$#" -gt 0 ]; then - curl -SsL --max-time 5 "$1" | - perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' - fi + script = pkgs.writePython3 [ "beautifulsoup4" "lxml" ] "url-title" '' + import sys + import urllib.request + from bs4 import BeautifulSoup + + try: + soup = BeautifulSoup(urllib.request.urlopen(sys.argv[1]), "lxml") + title = soup.find('title').string + + if title: + if len(title) > 512: + print('message to long, skipped') + elif len(title.split('\n')) > 5: + print('to many lines, skipped') + else: + print(title) + except: # noqa: E722 + pass ''; }); diff --git a/krebs/5pkgs/simple/ejabberd/default.nix b/krebs/5pkgs/simple/ejabberd/default.nix index 2799241fa..9e4ed3df5 100644 --- a/krebs/5pkgs/simple/ejabberd/default.nix +++ b/krebs/5pkgs/simple/ejabberd/default.nix @@ -1,5 +1,6 @@ { stdenv, writeScriptBin, lib, fetchurl, git, cacert -, erlang, openssl, expat, libyaml, bash, gnused, gnugrep, coreutils, utillinux, procps +, erlang, openssl, expat, libyaml, bash, gnused, gnugrep, coreutils, utillinux, procps, gd +, flock , withMysql ? false , withPgsql ? false , withSqlite ? false, sqlite @@ -23,17 +24,17 @@ let ctlpath = lib.makeBinPath [ bash gnused gnugrep coreutils utillinux procps ]; in stdenv.mkDerivation rec { - version = "17.07"; + version = "18.01"; name = "ejabberd-${version}"; src = fetchurl { url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz"; - sha256 = "1p8ppp2czjgnq8xnhyksd82npvvx99fwr0g3rrq1wvnwh2vgb8km"; + sha256 = "01i2n8mlgw293jdf4172f9q8ca8m35vysjws791p7nynpfdb4cn6"; }; nativeBuildInputs = [ fakegit ]; - buildInputs = [ erlang openssl expat libyaml ] + buildInputs = [ erlang openssl expat libyaml gd ] ++ lib.optional withSqlite sqlite ++ lib.optional withPam pam ++ lib.optional withZlib zlib @@ -50,7 +51,7 @@ in stdenv.mkDerivation rec { configureFlags = [ "--enable-all" "--with-sqlite3=${sqlite.dev}" ]; - buildInputs = [ git erlang openssl expat libyaml sqlite pam zlib elixir ]; + nativeBuildInputs = [ git erlang openssl expat libyaml sqlite pam zlib elixir ]; GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt"; @@ -74,7 +75,7 @@ in stdenv.mkDerivation rec { outputHashMode = "recursive"; outputHashAlgo = "sha256"; - outputHash = "1q9yzccn4zf5i4hibq1r0i34q4986a93ph4792l1ph07aiisc8p7"; + outputHash = "1v3h0c7kfifb6wsfxyv5j1wc7rlxbb7r0pgd4s340wiyxnllzzhk"; }; configureFlags = @@ -92,6 +93,10 @@ in stdenv.mkDerivation rec { enableParallelBuilding = true; + patches = [ + ./ejabberdctl.patch + ]; + preBuild = '' cp -r $deps deps chmod -R +w deps @@ -101,18 +106,18 @@ in stdenv.mkDerivation rec { postInstall = '' sed -i \ -e '2iexport PATH=${ctlpath}:$PATH' \ - -e 's,\(^ *FLOCK=\).*,\1${utillinux}/bin/flock,' \ + -e 's,\(^ *FLOCK=\).*,\1${flock}/bin/flock,' \ -e 's,\(^ *JOT=\).*,\1,' \ -e 's,\(^ *CONNLOCKDIR=\).*,\1/var/lock/ejabberdctl,' \ $out/sbin/ejabberdctl ''; - meta = { + meta = with stdenv.lib; { description = "Open-source XMPP application server written in Erlang"; - license = lib.licenses.gpl2; + license = licenses.gpl2; homepage = http://www.ejabberd.im; - platforms = lib.platforms.linux; - maintainers = [ lib.maintainers.sander lib.maintainers.abbradar ]; + platforms = platforms.linux; + maintainers = with maintainers; [ sander abbradar ]; broken = withElixir; }; } diff --git a/krebs/5pkgs/simple/ejabberd/ejabberdctl.patch b/krebs/5pkgs/simple/ejabberd/ejabberdctl.patch new file mode 100644 index 000000000..f7c842b7b --- /dev/null +++ b/krebs/5pkgs/simple/ejabberd/ejabberdctl.patch @@ -0,0 +1,32 @@ +--- a/ejabberdctl.template 1970-01-01 01:00:01.000000000 +0100 ++++ b/ejabberdctl.template 2018-04-24 23:06:54.127715441 +0200 +@@ -42,19 +42,18 @@ + esac + + # parse command line parameters +-for arg; do +- case $arg in +- -n|--node) ERLANG_NODE_ARG=$2; shift;; +- -s|--spool) SPOOL_DIR=$2; shift;; +- -l|--logs) LOGS_DIR=$2; shift;; +- -f|--config) EJABBERD_CONFIG_PATH=$2; shift;; +- -c|--ctl-config) EJABBERDCTL_CONFIG_PATH=$2; shift;; +- -d|--config-dir) ETC_DIR=$2; shift;; +- -t|--no-timeout) NO_TIMEOUT="--no-timeout";; +- --) :;; ++while test $# -gt 0; do ++ case $1 in ++ -n|--node) ERLANG_NODE_ARG=$2; shift 2;; ++ -s|--spool) SPOOL_DIR=$2; shift 2;; ++ -l|--logs) LOGS_DIR=$2; shift 2;; ++ -f|--config) EJABBERD_CONFIG_PATH=$2; shift 2;; ++ -c|--ctl-config) EJABBERDCTL_CONFIG_PATH=$2; shift 2;; ++ -d|--config-dir) ETC_DIR=$2; shift 2;; ++ -t|--no-timeout) NO_TIMEOUT="--no-timeout"; shift 1;; ++ # --) :;; what is this for? + *) break;; + esac +- shift + done + + # define ejabberd variables if not already defined from the command line diff --git a/krebs/5pkgs/simple/generate-secrets/default.nix b/krebs/5pkgs/simple/generate-secrets/default.nix new file mode 100644 index 000000000..a800ff543 --- /dev/null +++ b/krebs/5pkgs/simple/generate-secrets/default.nix @@ -0,0 +1,46 @@ +{ pkgs }: +pkgs.writeDashBin "generate-secrets" '' + HOSTNAME="$1" + TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) + PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) + HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null + + ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null + ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null + ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null + cat <<EOF > $TMPDIR/hashedPasswords.nix + { + root = "$HASHED_PASSWORD"; + } + EOF + + cd $TMPDIR + for x in *; do + ${pkgs.coreutils}/bin/cat $x | ${pkgs.brain}/bin/brain insert -m krebs-secrets/$HOSTNAME/$x > /dev/null + done + echo $PASSWORD | ${pkgs.brain}/bin/brain insert -m hosts/$HOSTNAME/root > /dev/null + + cat <<EOF + $HOSTNAME = { + cores = 1; + owner = config.krebs.users.krebs; + nets = { + retiolum = { + ip4.addr = "10.243.0.changeme"; + ip6.addr = "42:0:0:0:0:0:0:changeme"; + aliases = [ + "$HOSTNAME.r" + ]; + tinc.pubkey = ${"''"} + $(cat $TMPDIR/retiolum.rsa_key.pub) + ${"''"}; + }; + }; + ssh.privkey.path = <secrets/ssh.id_ed25519>; + ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; + }; + EOF + + rm -rf $TMPDIR +'' + diff --git a/krebs/5pkgs/simple/kops.nix b/krebs/5pkgs/simple/kops.nix index a6c82f3ca..8db4b8ddd 100644 --- a/krebs/5pkgs/simple/kops.nix +++ b/krebs/5pkgs/simple/kops.nix @@ -2,6 +2,6 @@ fetchgit { url = https://cgit.krebsco.de/kops; - rev = "refs/tags/v1.0.0"; - sha256 = "0wg8d80sxa46z4i7ir79sci2hwmv3qskzqdg0si64p6vazy8vckb"; + rev = "refs/tags/v1.1.0"; + sha256 = "0k3zhv2830z4bljcdvf6ciwjihk2zzcn9y23p49c6sba5hbsd6jb"; } diff --git a/krebs/5pkgs/simple/pssh/default.nix b/krebs/5pkgs/simple/pssh/default.nix deleted file mode 100644 index 2676af0cf..000000000 --- a/krebs/5pkgs/simple/pssh/default.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ writeDashBin }: - -writeDashBin "pssh" '' - set -efu - case ''${1-} in - - # TODO create plog with -o json | jq ... | map date - - # usage: pssh {-j,--journal} host... - # Follow journal at each host. - -j|--journal) - shift - "$0" journalctl -n0 -ocat --follow --all ::: "$@" \ - | while read line; do - printf '%s %s\n' "$(date --rfc-3339=s)" "$line" - done - ;; - - -*) - echo $0: unknown option: $1 >&2 - exit 1 - ;; - - # usage: pssh command [arg...] ::: host... - # Run command at each host. - *) - exec parallel \ - --line-buffer \ - -j0 \ - --no-notice \ - --tagstring {} \ - ssh -T {} "$@" - ;; - - esac -'' diff --git a/krebs/5pkgs/simple/ucspi-tcp/chmod.patch b/krebs/5pkgs/simple/ucspi-tcp/chmod.patch deleted file mode 100644 index dd6933208..000000000 --- a/krebs/5pkgs/simple/ucspi-tcp/chmod.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/hier.c b/hier.c -index 5663ada..1d73b84 100644 ---- a/hier.c -+++ b/hier.c -@@ -2,8 +2,8 @@ - - void hier() - { -- h(auto_home,-1,-1,02755); -- d(auto_home,"bin",-1,-1,02755); -+ h(auto_home,-1,-1,0755); -+ d(auto_home,"bin",-1,-1,0755); - - c(auto_home,"bin","tcpserver",-1,-1,0755); - c(auto_home,"bin","tcprules",-1,-1,0755); diff --git a/krebs/5pkgs/simple/ucspi-tcp/default.nix b/krebs/5pkgs/simple/ucspi-tcp/default.nix deleted file mode 100644 index 3b043be06..000000000 --- a/krebs/5pkgs/simple/ucspi-tcp/default.nix +++ /dev/null @@ -1,86 +0,0 @@ -{ stdenv, fetchurl }: - -stdenv.mkDerivation rec { - name = "ucspi-tcp-0.88"; - - src = fetchurl { - url = "http://cr.yp.to/ucspi-tcp/${name}.tar.gz"; - sha256 = "171yl9kfm8w7l17dfxild99mbf877a9k5zg8yysgb1j8nz51a1ja"; - }; - - # Plain upstream tarball doesn't build, get patches from Debian - patches = [ - (fetchurl { - url = "http://ftp.de.debian.org/debian/pool/main/u/ucspi-tcp/ucspi-tcp_0.88-3.diff.gz"; - sha256 = "0mzmhz8hjkrs0khmkzs5i0s1kgmgaqz07h493bd5jj5fm5njxln6"; - }) - ./chmod.patch - ]; - - # Apply Debian patches - postPatch = '' - for fname in debian/diff/*.diff; do - echo "Applying patch $fname" - patch < "$fname" - done - ''; - - # The build system is weird; 'make install' doesn't install anything, instead - # it builds an executable called ./install (from C code) which installs - # binaries to the directory given on line 1 in ./conf-home. - # - # Also, assume getgroups and setgroups work, instead of doing a build time - # test that breaks on NixOS (I think because nixbld users lack CAP_SETGID - # capability). - preBuild = '' - echo "$out" > conf-home - - echo "main() { return 0; }" > chkshsgr.c - ''; - - installPhase = '' - mkdir -p "$out/bin" - mkdir -p "$out/share/man/man1" - - # run the newly built installer - ./install - - # Install Debian man pages (upstream has none) - cp debian/ucspi-tcp-man/*.1 "$out/share/man/man1" - ''; - - meta = with stdenv.lib; { - description = "Command-line tools for building TCP client-server applications"; - longDescription = '' - tcpserver waits for incoming connections and, for each connection, runs a - program of your choice. Your program receives environment variables - showing the local and remote host names, IP addresses, and port numbers. - - tcpserver offers a concurrency limit to protect you from running out of - processes and memory. When you are handling 40 (by default) simultaneous - connections, tcpserver smoothly defers acceptance of new connections. - - tcpserver also provides TCP access control features, similar to - tcp-wrappers/tcpd's hosts.allow but much faster. Its access control rules - are compiled into a hashed format with cdb, so it can easily deal with - thousands of different hosts. - - This package includes a recordio tool that monitors all the input and - output of a server. - - tcpclient makes a TCP connection and runs a program of your choice. It - sets up the same environment variables as tcpserver. - - This package includes several sample clients built on top of tcpclient: - who@, date@, finger@, http@, tcpcat, and mconnect. - - tcpserver and tcpclient conform to UCSPI, the UNIX Client-Server Program - Interface, using the TCP protocol. UCSPI tools are available for several - different networks. - ''; - homepage = http://cr.yp.to/ucspi-tcp.html; - license = licenses.publicDomain; - platforms = platforms.linux; - maintainers = [ maintainers.bjornfor ]; - }; -} diff --git a/krebs/5pkgs/simple/urlwatch/default.nix b/krebs/5pkgs/simple/urlwatch/default.nix deleted file mode 100644 index 64f3ad1ac..000000000 --- a/krebs/5pkgs/simple/urlwatch/default.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ stdenv, fetchFromGitHub, python3Packages }: - -python3Packages.buildPythonApplication rec { - name = "urlwatch-${version}"; - version = "2.8"; - - src = fetchFromGitHub { - owner = "thp"; - repo = "urlwatch"; - rev = version; - sha256 = "1nja7n6pc45azd3l1xyvav89855lvcgwabrvf34rps81dbl8cnl4"; - }; - - propagatedBuildInputs = with python3Packages; [ - appdirs - keyring - minidb - pycodestyle - pyyaml - requests - ]; - - meta = with stdenv.lib; { - description = "A tool for monitoring webpages for updates"; - homepage = https://thp.io/2008/urlwatch/; - license = licenses.bsd3; - maintainers = with maintainers; [ tv ]; - }; -} diff --git a/krebs/kops.nix b/krebs/kops.nix index f544b93d2..abd60ee5a 100644 --- a/krebs/kops.nix +++ b/krebs/kops.nix @@ -13,7 +13,7 @@ krebs-source = { nixpkgs.git = { - ref = "4b4bbce199d3b3a8001ee93495604289b01aaad3"; + ref = "b50443b5c4ac0f382c49352a892b9d5d970eb4e7"; url = https://github.com/NixOS/nixpkgs; }; stockholm.file = toString ../.; diff --git a/lass/1systems/cabal/config.nix b/lass/1systems/cabal/config.nix index 7eba86c52..9ac3cb681 100644 --- a/lass/1systems/cabal/config.nix +++ b/lass/1systems/cabal/config.nix @@ -13,9 +13,9 @@ <stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/backups.nix> <stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/bitcoin.nix> + <stockholm/lass/2configs/AP.nix> ]; krebs.build.host = config.krebs.hosts.cabal; diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index 609fae3c8..c15fcdc21 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -8,9 +8,9 @@ with import <stockholm/lib>; <stockholm/lass/2configs/boot/coreboot.nix> <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/backups.nix> <stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/steam.nix> + <stockholm/lass/2configs/backup.nix> { # bubsy config users.users.bubsy = { diff --git a/lass/1systems/echelon/config.nix b/lass/1systems/echelon/config.nix deleted file mode 100644 index 6f96883bf..000000000 --- a/lass/1systems/echelon/config.nix +++ /dev/null @@ -1,50 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (import <stockholm/lass/4lib> { inherit pkgs lib; }) getDefaultGateway; - ip = config.krebs.build.host.nets.internet.ip4.addr; -in { - imports = [ - <stockholm/lass> - <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/os-templates/CAC-CentOS-7-64bit.nix> - <stockholm/lass/2configs/exim-retiolum.nix> - <stockholm/lass/2configs/privoxy-retiolum.nix> - <stockholm/lass/2configs/git.nix> - { - networking.interfaces.enp2s1.ip4 = [ - { - address = ip; - prefixLength = 24; - } - ]; - networking.defaultGateway = getDefaultGateway ip; - networking.nameservers = [ - "8.8.8.8" - ]; - - } - { - sound.enable = false; - } - { - users.extraUsers = { - satan = { - name = "satan"; - uid = 1338; - home = "/home/satan"; - group = "users"; - createHome = true; - useDefaultShell = true; - extraGroups = [ - ]; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+l3ajjOd80uJBM8oHO9HRbtA5hK6hvrpxxnk7qWW7OloT9IXcoM8bbON755vK0O6XyxZo1JZ1SZ7QIaOREGVIRDjcbJbqD3O+nImc6Rzxnrz7hvE+tuav9Yylwcw5HeQi82UIMGTEAwMHwLvsW6R/xyMCuOTbbzo9Ib8vlJ8IPDECY/05RhL7ZYFR0fdphI7jq7PobnO8WEpCZDhMvSYjO9jf3ac53wyghT3gH7AN0cxTR9qgQlPHhTbw+nZEI0sUKtrIhjfVE80wgK3NQXZZj7YAplRs/hYwSi7i8V0+8CBt2epc/5RKnJdDHFQnaTENq9kYQPOpUCP6YUwQIo8X nineinchnade@gmail.com" - ]; - }; - }; - } - ]; - - krebs.build.host = config.krebs.hosts.echelon; -} diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix index e64cfbe79..759bb6d06 100644 --- a/lass/1systems/helios/config.nix +++ b/lass/1systems/helios/config.nix @@ -17,6 +17,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/dcso-dev.nix> <stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/rtl-sdr.nix> + <stockholm/lass/2configs/backup.nix> { # automatic hardware detection boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.kernelModules = [ "kvm-intel" ]; @@ -137,35 +138,14 @@ with import <stockholm/lib>; networking.hostName = lib.mkForce "BLN02NB0162"; security.pki.certificateFiles = [ - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; }) - - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; }) - (pkgs.writeText "minio.cert" '' - -----BEGIN CERTIFICATE----- - MIIDFDCCAfygAwIBAgIQBEKYm9VmbR6T/XNLP2P5kDANBgkqhkiG9w0BAQsFADAS - MRAwDgYDVQQKEwdBY21lIENvMB4XDTE4MDIxNDEyNTk1OVoXDTE5MDIxNDEyNTk1 - OVowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC - AQoCggEBAMmRGUTMDxOaoEZ3osG1ZpGj4enHl6ToWaoCXvRXvI6RB/99QOFlwLdL - 8lGjIbXyovNkH686pVsfgCTOLRGzftWHmWgfmaSUv0TToBW8F9DN4ww9YgiLZjvV - YZunRyp1n0x9OrBXMs7xEBBa4q0AG1IvlRJTrd7CW519FlVq7T95LLB7P6t6K54C - ksG4kEzXLRPD/FMdU7LWbhWnQSOxPMCq8erTv3kW3A3Y9hSAKOFQKQHH/3O2HDrM - CbK5ldNklswg2rIHxx7kg1fteLD1lVCNPfCMfuwlLUaMeoRZ03HDof8wFlRz3pzw - hQRWPvfLfRvFCZ0LFNvfgAqXtmG/ywUCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgKk - MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wLAYDVR0RBCUw - I4IJbG9jYWxob3N0ggZoZWxpb3OCCGhlbGlvcy5yhwR/AAABMA0GCSqGSIb3DQEB - CwUAA4IBAQBzrPb3NmAn60awoJG3d4BystaotaFKsO3iAnP4Lfve1bhKRELIjJ30 - hX/mRYkEVRbfwKRgkkLab4zpJ/abjb3DjFNo8E4QPNeCqS+8xxeBOf7x61Kg/0Ox - jRQ95fTATyItiChwNkoxYjVIwosqxBVsbe3KxwhkmKPQ6wH/nvr6URX/IGUz2qWY - EqHdjsop83u4Rjn3C0u46U0P+W4U5IFiLfcE3RzFFYh67ko5YEhkyXP+tBNSgrTM - zFisVoQZdXpMCWWxBVWulB4FvvTx3jKUPRZVOrfexBfY4TA/PyhXLoz7FeEK9n2a - qFkrxy+GrHBXfSRZgCaHQFdKorg2fwwa - -----END CERTIFICATE----- - '') + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "006j61q2z44z6d92638iin6r46r4cj82ipwm37784h34i5x4mp0d"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "1nkd1rjcn02q9xxjg7sw79lbwy08i7hb4v4pn98djknvcmplpz5m"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "094m12npglnnv1nf1ijcv70p8l15l00id44qq7rwynhcgxi5539i"; }) + + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "1anfncdf5xsp219kryncv21ra87flpzcjwcc85hzvlwbxhid3g4x"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "035kkfizyl5dndj7rhvmy91rr75lakqbqgjx4dpiw0kqq369mz8r"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "14fpzx1qjs9ws9sz0y7pb6j40336xlckkqcm2rc5j86yn7r22lp7"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "1yjl3kyw4chc8vw7bnqac2h9vn8dxryw7lr7i03lqi9sdvs4108s"; }) ]; programs.adb.enable = true; diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index 46dc5e873..b6a0822b9 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -14,9 +14,9 @@ <stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/backups.nix> <stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/bitcoin.nix> + <stockholm/lass/2configs/backup.nix> ]; krebs.build.host = config.krebs.hosts.icarus; diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix index 7211c78eb..ef19e8d16 100644 --- a/lass/1systems/littleT/config.nix +++ b/lass/1systems/littleT/config.nix @@ -8,7 +8,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/boot/stock-x220.nix> <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/backups.nix> + <stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/steam.nix> { users.users.blacky = { diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index cd259d0fe..f8a16ad2e 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -33,6 +33,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/ableton.nix> <stockholm/lass/2configs/dunst.nix> <stockholm/lass/2configs/rtl-sdr.nix> + <stockholm/lass/2configs/backup.nix> { #risk of rain port krebs.iptables.tables.filter.INPUT.rules = [ @@ -140,7 +141,18 @@ with import <stockholm/lib>; dpass dnsutils + woeusb + l-gen-secrets generate-secrets + (pkgs.writeDashBin "btc-coinbase" '' + ${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount' + '') + (pkgs.writeDashBin "btc-wex" '' + ${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg' + '') + (pkgs.writeDashBin "btc-kraken" '' + ${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]' + '') ]; #TODO: fix this shit @@ -177,4 +189,38 @@ with import <stockholm/lib>; programs.adb.enable = true; users.users.mainUser.extraGroups = [ "adbusers" "docker" ]; virtualisation.docker.enable = true; + services.redshift = { + enable = true; + provider = "geoclue2"; + }; + + lass.restic = genAttrs [ + "daedalus" + "icarus" + "littleT" + "prism" + "shodan" + "skynet" + ] (dest: { + dirs = [ + "/home/lass/src" + "/home/lass/work" + "/home/lass/.gnupg" + "/home/lass/Maildir" + "/home/lass/stockholm" + "/home/lass/.password-store" + "/home/bitcoin" + "/home/bch" + ]; + passwordFile = (toString <secrets>) + "/restic/${dest}"; + repo = "sftp:backup@${dest}.r:/backups/mors"; + #sshPrivateKey = config.krebs.build.host.ssh.privkey.path; + extraArguments = [ + "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }); } diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index c0e4620cc..564315e8f 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -8,11 +8,15 @@ in { imports = [ <stockholm/lass> { - networking.interfaces.et0.ip4 = [ + networking.interfaces.et0.ipv4.addresses = [ { address = ip; prefixLength = 27; } + { + address = "46.4.114.243"; + prefixLength = 27; + } ]; networking.defaultGateway = "46.4.114.225"; networking.nameservers = [ @@ -100,6 +104,7 @@ in { ]; } { # TODO make new hfos.nix out of this vv + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; users.users.riot = { uid = genid "riot"; isNormalUser = true; @@ -110,29 +115,13 @@ in { }; # TODO write function for proxy_pass (ssl/nonssl) - services.nginx.virtualHosts."hackerfleet.de" = { - serverAliases = [ - "*.hackerfleet.de" - ]; - locations."/".extraConfig = '' - proxy_pass http://192.168.122.92:80; - ''; - }; - services.nginx.virtualHosts."hackerfleet.de-s" = { - serverName = "hackerfleet.de"; - listen = [ - { - addr = "0.0.0.0"; - port = 443; - } - ]; - serverAliases = [ - "*.hackerfleet.de" - ]; - locations."/".extraConfig = '' - proxy_pass http://192.168.122.92:443; - ''; - }; + + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; } + ]; } { users.users.tv = { @@ -202,26 +191,6 @@ in { }; } { - #kaepsele - systemd.services."container@kaepsele".reloadIfChanged = mkForce false; - containers.kaepsele = { - config = { ... }: { - imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ]; - environment.systemPackages = [ pkgs.git ]; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - tv.pubkey - ]; - }; - autoStart = true; - enableTun = true; - privateNetwork = true; - hostAddress = "10.233.2.3"; - localAddress = "10.233.2.4"; - }; - } - { #onondaga systemd.services."container@onondaga".reloadIfChanged = mkForce false; containers.onondaga = { @@ -249,13 +218,12 @@ in { <stockholm/lass/2configs/repo-sync.nix> <stockholm/lass/2configs/binary-cache/server.nix> <stockholm/lass/2configs/iodined.nix> - <stockholm/lass/2configs/monitoring/server.nix> - <stockholm/lass/2configs/monitoring/monit-alarms.nix> <stockholm/lass/2configs/paste.nix> <stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/reaktor-coders.nix> <stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/container-networking.nix> + <stockholm/lass/2configs/monitoring/prometheus-server.nix> { # quasi bepasty.nix imports = [ <stockholm/lass/2configs/bepasty.nix> @@ -336,6 +304,60 @@ in { { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } ]; } + <stockholm/lass/2configs/go.nix> + { + environment.systemPackages = [ pkgs.cryptsetup ]; + systemd.services."container@red".reloadIfChanged = mkForce false; + containers.red = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.3"; + localAddress = "10.233.2.4"; + }; + services.nginx.virtualHosts."rote-allez-fraktion.de" = { + enableACME = true; + addSSL = true; + locations."/" = { + extraConfig = '' + proxy_set_header Host rote-allez-fraktion.de; + proxy_pass http://10.233.2.4; + ''; + }; + }; + } + { + imports = [ <stockholm/lass/2configs/backup.nix> ]; + lass.restic = genAttrs [ + "daedalus" + "icarus" + "littleT" + "mors" + "shodan" + "skynet" + ] (dest: { + dirs = [ + "/home/chat/.weechat" + "/bku/sql_dumps" + ]; + passwordFile = (toString <secrets>) + "/restic/${dest}"; + repo = "sftp:backup@${dest}.r:/backups/prism"; + extraArguments = [ + "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }); + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/red/config.nix b/lass/1systems/red/config.nix new file mode 100644 index 000000000..31e2de966 --- /dev/null +++ b/lass/1systems/red/config.nix @@ -0,0 +1,31 @@ +with import <stockholm/lib>; +{ config, lib, pkgs, ... }: +let + inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) + servephpBB + ; +in +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs> + <stockholm/lass/2configs/retiolum.nix> + <stockholm/lass/2configs/websites> + <stockholm/lass/2configs/websites/sqlBackup.nix> + (servephpBB [ "rote-allez-fraktion.de" ]) + ]; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } + ]; + + krebs.build.host = config.krebs.hosts.red; + boot.isContainer = true; + networking.useDHCP = false; + + services.nginx.enable = true; + environment.variables.NIX_REMOTE = "daemon"; + environment.systemPackages = [ + pkgs.mk_sql_pair + ]; +} diff --git a/lass/1systems/echelon/source.nix b/lass/1systems/red/source.nix index 96888d5a8..f2bad743c 100644 --- a/lass/1systems/echelon/source.nix +++ b/lass/1systems/red/source.nix @@ -1,3 +1,4 @@ import <stockholm/lass/source.nix> { - name = "echelon"; + name = "red"; + secure = true; } diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 7fb57544f..42a46c5f5 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -15,9 +15,9 @@ with import <stockholm/lib>; <stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/backups.nix> <stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/bitcoin.nix> + <stockholm/lass/2configs/backup.nix> ]; krebs.build.host = config.krebs.hosts.shodan; diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index 0b9499982..b2210282f 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -9,7 +9,6 @@ with import <stockholm/lib>; <stockholm/lass/2configs/retiolum.nix> #<stockholm/lass/2configs/exim-retiolum.nix> <stockholm/lass/2configs/fetchWallpaper.nix> - <stockholm/lass/2configs/backups.nix> { # discordius config services.xserver.enable = true; diff --git a/lass/1systems/xerxes/source.nix b/lass/1systems/xerxes/source.nix index 11f5bf796..d256b885b 100644 --- a/lass/1systems/xerxes/source.nix +++ b/lass/1systems/xerxes/source.nix @@ -2,10 +2,4 @@ with import <stockholm/lib>; import <stockholm/lass/source.nix> { name = "xerxes"; secure = true; - override = { - nixpkgs.git = mkForce { - url = https://github.com/lassulus/nixpkgs; - ref = "3eccd0b"; - }; - }; } diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix new file mode 100644 index 000000000..5ce7cfff8 --- /dev/null +++ b/lass/2configs/AP.nix @@ -0,0 +1,77 @@ +{ config, pkgs, ... }: +with import <stockholm/lib>; +let + wifi = "wlp0s29u1u2"; +in { + boot.extraModulePackages = [ + pkgs.linuxPackages.rtl8814au + ]; + networking.networkmanager.unmanaged = [ wifi ]; + + systemd.services.hostapd = { + description = "hostapd wireless AP"; + path = [ pkgs.hostapd ]; + wantedBy = [ "network.target" ]; + + after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ]; + + serviceConfig = { + ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" '' + interface=${wifi} + hw_mode=a + channel=36 + ieee80211d=1 + country_code=DE + ieee80211n=1 + ieee80211ac=1 + wmm_enabled=1 + + # 5ghz + ssid=krebsing + auth_algs=1 + wpa=2 + wpa_key_mgmt=WPA-PSK + rsn_pairwise=CCMP + wpa_passphrase=aidsballz + ''}"; + Restart = "always"; + }; + }; + + networking.interfaces.${wifi}.ipv4.addresses = [ + { address = "10.99.0.1"; prefixLength = 24; } + ]; + services.dhcpd4 = { + enable = true; + interfaces = [ wifi ]; + extraConfig = '' + option subnet-mask 255.255.255.0; + option routers 10.99.0.1; + option domain-name-servers 1.1.1.1, 8.8.8.8; + subnet 10.99.0.0 netmask 255.255.255.0 { + range 10.99.0.100 10.99.0.200; + } + ''; + }; + + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + { v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; } + { v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; } + { v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; } + { v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + #TODO find out what this is about? + { v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; } + { v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; } + + { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; } + { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; } + { v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; } + ]; +} diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix new file mode 100644 index 000000000..27adf6d2a --- /dev/null +++ b/lass/2configs/backup.nix @@ -0,0 +1,20 @@ +{ config, lib, ... }: +with import <stockholm/lib>; + +{ + fileSystems = { + "/backups" = { + device = "/dev/pool/backup"; + fsType = "ext4"; + }; + }; + users.users.backup = { + useDefaultShell = true; + home = "/backups"; + createHome = true; + openssh.authorizedKeys.keys = with config.krebs.hosts; [ + mors.ssh.pubkey + prism.ssh.pubkey + ]; + }; +} diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix deleted file mode 100644 index c4fb85420..000000000 --- a/lass/2configs/backups.nix +++ /dev/null @@ -1,173 +0,0 @@ -{ config, lib, ... }: -with import <stockholm/lib>; -{ - - # TODO add timerConfig to krebs.backup and randomize startup - # TODO define plans more abstract - krebs.backup.plans = { - } // mapAttrs (_: recursiveUpdate { - snapshots = { - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; - }) { - dishfire-http-prism = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; }; - startAt = "03:00"; - }; - dishfire-http-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-http"; }; - startAt = "03:10"; - }; - dishfire-http-mors = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; }; - startAt = "03:05"; - }; - dishfire-http-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; }; - startAt = "03:10"; - }; - dishfire-sql-prism = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; }; - startAt = "03:15"; - }; - dishfire-sql-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-sql"; }; - startAt = "03:25"; - }; - dishfire-sql-mors = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; }; - startAt = "03:20"; - }; - dishfire-sql-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; }; - startAt = "03:25"; - }; - prism-bitlbee-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-bitlbee"; }; - startAt = "03:25"; - }; - prism-bitlbee-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; }; - startAt = "03:25"; - }; - prism-bitlbee-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; }; - startAt = "03:25"; - }; - prism-chat-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-chat"; }; - startAt = "03:35"; - }; - prism-chat-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; }; - startAt = "03:30"; - }; - prism-chat-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; }; - startAt = "03:35"; - }; - prism-sql-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-sql_dumps"; }; - startAt = "03:45"; - }; - prism-sql-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; }; - startAt = "03:40"; - }; - prism-sql-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; }; - startAt = "03:45"; - }; - prism-http-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-http"; }; - startAt = "03:55"; - }; - prism-http-mors = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; }; - startAt = "03:50"; - }; - prism-http-shodan = { - method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; }; - startAt = "03:55"; - }; - icarus-home-mors = { - method = "pull"; - src = { host = config.krebs.hosts.icarus; path = "/home"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/icarus-home"; }; - startAt = "05:00"; - }; - icarus-home-shodan = { - method = "push"; - src = { host = config.krebs.hosts.icarus; path = "/home"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/icarus-home"; }; - startAt = "05:00"; - }; - mors-home-icarus = { - method = "push"; - src = { host = config.krebs.hosts.mors; path = "/home"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/mors-home"; }; - startAt = "05:00"; - }; - mors-home-shodan = { - method = "push"; - src = { host = config.krebs.hosts.mors; path = "/home"; }; - dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; }; - startAt = "05:00"; - }; - shodan-home-icarus = { - method = "pull"; - src = { host = config.krebs.hosts.shodan; path = "/home"; }; - dst = { host = config.krebs.hosts.icarus; path = "/bku/shodan-home"; }; - startAt = "04:00"; - }; - shodan-home-mors = { - method = "pull"; - src = { host = config.krebs.hosts.shodan; path = "/home"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; }; - startAt = "04:00"; - }; - }; -} diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index ed179ded6..e2e44b6fc 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -9,7 +9,6 @@ in { ./power-action.nix ./copyq.nix ./livestream.nix - ./dns-stuff.nix ./urxvt.nix ./network-manager.nix { diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix index a405addfc..9f6fd3bf0 100644 --- a/lass/2configs/bitcoin.nix +++ b/lass/2configs/bitcoin.nix @@ -10,9 +10,6 @@ in { krebs.per-user.bitcoin.packages = [ pkgs.electrum ]; - krebs.per-user.ethereum.packages = [ - pkgs.go-ethereum - ]; users.extraUsers = { bch = { name = "bch"; @@ -28,13 +25,6 @@ in { useDefaultShell = true; createHome = true; }; - ethereum = { - name = "ethereum"; - description = "user for ethereum stuff"; - home = "/home/ethereum"; - useDefaultShell = true; - createHome = true; - }; }; security.sudo.extraConfig = '' ${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL diff --git a/lass/2configs/dcso-dev.nix b/lass/2configs/dcso-dev.nix index ae1c7bc8d..b985b67b3 100644 --- a/lass/2configs/dcso-dev.nix +++ b/lass/2configs/dcso-dev.nix @@ -9,6 +9,7 @@ in { dev = { name = "dev"; uid = genid "dev"; + extraGroups = [ "docker" ]; description = "user for collaborative development"; home = "/home/dev"; useDefaultShell = true; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 5a5f1b347..12a814605 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -6,10 +6,9 @@ with import <stockholm/lib>; ./gc.nix ./mc.nix ./vim.nix - ./monitoring/client.nix + ./monitoring/node-exporter.nix ./zsh.nix ./htop.nix - ./backups.nix ./security-workarounds.nix { users.extraUsers = diff --git a/lass/2configs/dns-stuff.nix b/lass/2configs/dns-stuff.nix deleted file mode 100644 index cbcce8df9..000000000 --- a/lass/2configs/dns-stuff.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, pkgs, ... }: -with import <stockholm/lib>; -{ - services.dnscrypt-proxy = { - enable = true; - localAddress = "127.1.0.1"; - customResolver = { - address = config.krebs.hosts.gum.nets.internet.ip4.addr; - port = 15251; - name = "2.dnscrypt-cert.euer.krebsco.de"; - key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C"; - }; - }; - services.resolved.enable = true; - services.resolved.fallbackDns = [ "127.1.0.1" ]; -} diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 4455d2761..e05ed2427 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -79,6 +79,7 @@ with import <stockholm/lib>; { from = "ovh@lassul.us"; to = lass.mail; } { from = "hetzner@lassul.us"; to = lass.mail; } { from = "allygator@lassul.us"; to = lass.mail; } + { from = "immoscout@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } diff --git a/lass/2configs/gc.nix b/lass/2configs/gc.nix index ad015180a..c5073e384 100644 --- a/lass/2configs/gc.nix +++ b/lass/2configs/gc.nix @@ -3,6 +3,6 @@ with import <stockholm/lib>; { nix.gc = { - automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ]; + automatic = ! (elem config.krebs.build.host.name [ "prism" "mors" "helios" ] || config.boot.isContainer); }; } diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 1fe87c666..43085ba5e 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -57,6 +57,16 @@ let cgit.desc = "Fork of nix-user-chroot my lethalman"; cgit.section = "software"; }; + nixos-aws = { + collaborators = [ { + name = "fabio"; + pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFst8DvnfOu4pQJYxcwdf//jWTvP+jj0iSrOdt59c9Gbujm/8K1mBXhcSQhHj/GBRC1Qc1wipf9qZsWnEHMI+SRwq6tDr8gqlAcdWmHAs1bU96jJtc8EgmUKbXTFG/VmympMPi4cEbNUtH93v6NUjQKwq9szvDhhqSW4Y8zE32xLkySwobQapNaUrGAtQp3eTxu5Lkx+cEaaartaAspt8wSosXjUHUJktg0O5/XOP+CiWAx89AXxbQCy4XTQvUExoRGdw9sdu0lF0/A0dF4lFF/dDUS7+avY8MrKEcQ8Fwk8NcW1XrKMmCdNdpvou0whL9aHCdTJ+522dsSB1zZWh63Si4CrLKlc1TiGKCXdvzmCYrD+6WxbPJdRpMM4dFNtpAwhCm/dM+CBXfDkP0s5veFiYvp1ri+3hUqV/sep9r5/+d+5/R1gQs8WDNjWqcshveFbD5LxE6APEySB4QByGxIrw7gFbozE+PNxtlVP7bq4MyE6yIzL6ofQgO1e4THquPcqSCfCvyib5M2Q1phi5DETlMemWp84AsNkqbhRa4BGRycuOXXrBzE+RgQokcIY7t3xcu3q0xJo2+HxW/Lqi72zYU1NdT4nJMETEaG49FfIAnUuoVaQWWvOz8mQuVEmmdw2Yzo2ikILYSUdHTp1VPOeo6aNPvESkPw1eM0xDRlQ== ada"; + } ]; + }; + krops = { + cgit.desc = "krebs deployment"; + cgit.section = "software"; + }; } // mapAttrs make-public-repo-silent { }; @@ -70,8 +80,8 @@ let import <secrets/repos.nix> { inherit config lib pkgs; } ); - make-public-repo = name: { cgit ? {}, ... }: { - inherit cgit name; + make-public-repo = name: { cgit ? {}, collaborators ? [], ... }: { + inherit cgit collaborators name; public = true; hooks = { post-receive = pkgs.git-hooks.irc-announce { diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix new file mode 100644 index 000000000..ecf89b298 --- /dev/null +++ b/lass/2configs/go.nix @@ -0,0 +1,19 @@ +{ config, lib, pkgs, ... }: +{ + krebs.go = { + enable = true; + }; + services.nginx = { + enable = true; + virtualHosts.go = { + locations."/".extraConfig = '' + proxy_set_header Host go.lassul.us; + proxy_pass http://localhost:1337; + ''; + serverAliases = [ + "go.lassul.us" + ]; + }; + }; +} + diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 81db59617..2bb51b50a 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -206,8 +206,11 @@ in { msmtp mutt pkgs.much - pkgs.notmuch tag-new-mails tag-old-mails ]; + + nixpkgs.config.packageOverrides = opkgs: { + notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; })); + }; } diff --git a/lass/2configs/monitoring/client.nix b/lass/2configs/monitoring/client.nix deleted file mode 100644 index b8c245215..000000000 --- a/lass/2configs/monitoring/client.nix +++ /dev/null @@ -1,26 +0,0 @@ -{pkgs, config, ...}: -with import <stockholm/lib>; -{ - services.telegraf = { - enable = true; - - extraConfig = { - agent.interval = "1s"; - outputs = { - influxdb = { - urls = ["http://prism:8086"]; - database = "telegraf_db"; - user_agent = "telegraf"; - }; - }; - inputs = { - cpu = { - percpu = false; - totalcpu = true; - }; - mem = {}; - net = {}; - }; - }; - }; -} diff --git a/lass/2configs/monitoring/monit-alarms.nix b/lass/2configs/monitoring/monit-alarms.nix deleted file mode 100644 index 2cfc292e5..000000000 --- a/lass/2configs/monitoring/monit-alarms.nix +++ /dev/null @@ -1,44 +0,0 @@ -{pkgs, config, ...}: -with import <stockholm/lib>; -let - echoToIrc = msg: - pkgs.writeDash "echo_irc" '' - set -euf - export LOGNAME=prism-alarm - ${pkgs.irc-announce}/bin/irc-announce \ - irc.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null - ''; - -in { - krebs.monit = { - enable = true; - http.enable = true; - alarms = { - nirwanabluete = { - test = "${pkgs.curl}/bin/curl -sf 'https://nirwanabluete.de/'"; - alarm = echoToIrc "test nirwanabluete failed"; - }; - ubik = { - test = "${pkgs.curl}/bin/curl -sf 'https://ubikmedia.de'"; - alarm = echoToIrc "test ubik failed"; - }; - cac-panel = { - test = "${pkgs.curl}/bin/curl -sf 'https://panel.cloudatcost.com/login.php'"; - alarm = echoToIrc "test cac-panel failed"; - }; - radio = { - test = pkgs.writeBash "check_stream" '' - ${pkgs.curl}/bin/curl -sif http://lassul.us:8000/radio.ogg \ - | ${pkgs.gawk}/bin/awk '/^\r$/{exit}{print $0}' \ - | ${pkgs.gnugrep}/bin/grep -q "200 OK" || exit "''${PIPESTATUS[0]}" - ''; - alarm = echoToIrc "test radio failed"; - }; - }; - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp -i retiolum --dport 9093"; target = "ACCEPT"; } - ]; -} - diff --git a/lass/2configs/monitoring/node-exporter.nix b/lass/2configs/monitoring/node-exporter.nix new file mode 100644 index 000000000..561e3a25c --- /dev/null +++ b/lass/2configs/monitoring/node-exporter.nix @@ -0,0 +1,15 @@ +{ config, lib, pkgs, ... }: +{ + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip4.addr}"; target = "ACCEPT"; v6 = false; } + { predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip6.addr}"; target = "ACCEPT"; v4 = false; } + ]; + services.prometheus.exporters = { + node = { + enable = true; + enabledCollectors = [ + "systemd" + ]; + }; + }; +} diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix new file mode 100644 index 000000000..e16d421a0 --- /dev/null +++ b/lass/2configs/monitoring/prometheus-server.nix @@ -0,0 +1,217 @@ +{ pkgs, lib, config, ... }: +{ + #networking = { + # firewall.allowedTCPPorts = [ + # 3000 # grafana + # 9090 # prometheus + # 9093 # alertmanager + # ]; + # useDHCP = true; + #}; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport 3000"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 9090"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; } + ]; + + services = { + prometheus = { + enable = true; + extraFlags = [ + "-storage.local.retention 8760h" + "-storage.local.series-file-shrink-ratio 0.3" + "-storage.local.memory-chunks 2097152" + "-storage.local.max-chunks-to-persist 1048576" + "-storage.local.index-cache-size.fingerprint-to-metric 2097152" + "-storage.local.index-cache-size.fingerprint-to-timerange 1048576" + "-storage.local.index-cache-size.label-name-to-label-values 2097152" + "-storage.local.index-cache-size.label-pair-to-fingerprints 41943040" + ]; + alertmanagerURL = [ "http://localhost:9093" ]; + rules = [ + '' + ALERT node_down + IF up == 0 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Node is down.", + description = "{{$labels.alias}} has been down for more than 5 minutes." + } + ALERT node_systemd_service_failed + IF node_systemd_unit_state{state="failed"} == 1 + FOR 4m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.", + description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}." + } + ALERT node_filesystem_full_90percent + IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Filesystem is running out of space soon.", + description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem." + } + ALERT node_filesystem_full_in_4h + IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0 + FOR 5m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.", + description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours" + } + ALERT node_filedescriptors_full_in_3h + IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum + FOR 20m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.", + description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours" + } + ALERT node_load1_90percent + IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Running on high load.", + description = "{{$labels.alias}} is running with > 90% total load for at least 1h." + } + ALERT node_cpu_util_90percent + IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: High CPU utilization.", + description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h." + } + ALERT node_ram_using_90percent + IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1 + FOR 30m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Using lots of RAM.", + description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.", + } + ALERT node_swap_using_80percent + IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8 + FOR 10m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Running out of swap soon.", + description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now." + } + '' + ]; + scrapeConfigs = [ + { + job_name = "node"; + scrape_interval = "10s"; + static_configs = [ + { + targets = [ + ] ++ map (host: "${host}:9100") (lib.attrNames (lib.filterAttrs (_: host: host.owner.name == "lass" && host.monitoring) config.krebs.hosts)); + #labels = { + # alias = "prometheus.example.com"; + #}; + } + ]; + } + ]; + alertmanager = { + enable = true; + listenAddress = "0.0.0.0"; + configuration = { + "global" = { + "smtp_smarthost" = "smtp.example.com:587"; + "smtp_from" = "alertmanager@example.com"; + }; + "route" = { + "group_by" = [ "alertname" "alias" ]; + "group_wait" = "30s"; + "group_interval" = "2m"; + "repeat_interval" = "4h"; + "receiver" = "team-admins"; + }; + "receivers" = [ + { + "name" = "team-admins"; + "email_configs" = [ + { + "to" = "devnull@example.com"; + "send_resolved" = true; + } + ]; + "webhook_configs" = [ + { + "url" = "http://127.0.0.1:14813/prometheus-alerts"; + "send_resolved" = true; + } + ]; + } + ]; + }; + }; + }; + grafana = { + enable = true; + addr = "0.0.0.0"; + domain = "grafana.example.com"; + rootUrl = "https://grafana.example.com/"; + security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} + }; + }; + services.logstash = { + enable = true; + inputConfig = '' + http { + port => 14813 + host => "127.0.0.1" + } + ''; + filterConfig = '' + if ([alerts]) { + ruby { + code => ' + lines = [] + event["alerts"].each {|p| + lines << "#{p["labels"]["instance"]}#{p["annotations"]["summary"]} #{p["status"]}" + } + event["output"] = lines.join("\n") + ' + } + } + ''; + outputConfig = '' + file { path => "/tmp/logs.json" codec => "json_lines" } + irc { + channels => [ "#noise" ] + host => "irc.r" + nick => "alarm" + codec => "json_lines" + format => "%{output}" + } + ''; + #plugins = [ ]; + }; +} diff --git a/lass/2configs/monitoring/server.nix b/lass/2configs/monitoring/server.nix deleted file mode 100644 index adaecde2c..000000000 --- a/lass/2configs/monitoring/server.nix +++ /dev/null @@ -1,87 +0,0 @@ -{pkgs, config, ...}: -with import <stockholm/lib>; -{ - services.influxdb.enable = true; - - services.influxdb.extraConfig = { - meta.hostname = config.krebs.build.host.name; - # meta.logging-enabled = true; - http.bind-address = ":8086"; - admin.bind-address = ":8083"; - http.log-enabled = false; - monitoring = { - enabled = false; - # write-interval = "24h"; - }; - collectd = [{ - enabled = true; - typesdb = "${pkgs.collectd}/share/collectd/types.db"; - database = "collectd_db"; - port = 25826; - }]; - }; - - krebs.kapacitor = - let - db = "telegraf_db"; - echoToIrc = pkgs.writeDash "echo_irc" '' - set -euf - data="$(${pkgs.jq}/bin/jq -r .message)" - export LOGNAME=prism-alarm - ${pkgs.irc-announce}/bin/irc-announce \ - irc.r 6667 prism-alarm \#noise "$data" >/dev/null - ''; - in { - enable = true; - alarms = { - cpu = { - database = db; - text = '' - var data = batch - |query(${"'''"} - SELECT mean("usage_user") AS mean - FROM "${db}"."default"."cpu" - ${"'''"}) - .period(10m) - .every(1m) - .groupBy('host') - data |alert() - .crit(lambda: "mean" > 90) - .exec('${echoToIrc}') - data |deadman(1.0,5m) - .stateChangesOnly() - .exec('${echoToIrc}') - ''; - }; - ram = { - database = db; - text = '' - var data = batch - |query(${"'''"} - SELECT mean("used_percent") AS mean - FROM "${db}"."default"."mem" - ${"'''"}) - .period(10m) - .every(1m) - .groupBy('host') - data |alert() - .crit(lambda: "mean" > 90) - .exec('${echoToIrc}') - ''; - }; - }; - }; - - services.grafana = { - enable = true; - addr = "0.0.0.0"; - auth.anonymous.enable = true; - security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} - }; - - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; } - { predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; } - { predicate = "-p udp -i retiolum --dport 25826"; target = "ACCEPT"; } - ]; -} diff --git a/lass/2configs/reaktor-coders.nix b/lass/2configs/reaktor-coders.nix index 5fa1611ae..5a39f7115 100644 --- a/lass/2configs/reaktor-coders.nix +++ b/lass/2configs/reaktor-coders.nix @@ -4,7 +4,7 @@ with import <stockholm/lib>; { krebs.Reaktor.coders = { nickname = "Reaktor|lass"; - channels = [ "#coders" "#germany" ]; + channels = [ "#coders" "#germany" "#panthermoderns" ]; extraEnviron = { REAKTOR_HOST = "irc.hackint.org"; }; @@ -87,6 +87,19 @@ with import <stockholm/lib>; exec /run/wrappers/bin/ping -q -c1 "$1" 2>&1 | tail -1 ''; }) + (buildSimpleReaktorPlugin "google" { + pattern = "^!g (?P<args>.*)$$"; + script = pkgs.writeDash "google" '' + exec ${pkgs.ddgr}/bin/ddgr -C -n1 --json "$@" | \ + ${pkgs.jq}/bin/jq '@text "\(.[0].abstract) \(.[0].url)"' + ''; + }) + (buildSimpleReaktorPlugin "blockchain" { + pattern = ".*[Bb]lockchain.*$$"; + script = pkgs.writeDash "blockchain" '' + exec echo 'DID SOMEBODY SAY BLOCKCHAIN? https://paste.krebsco.de/r99pMoQq/+inline' + ''; + }) ]; }; } diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix index ad44c67e1..1cf22552c 100644 --- a/lass/2configs/repo-sync.nix +++ b/lass/2configs/repo-sync.nix @@ -135,7 +135,6 @@ in { (sync-retiolum "populate") (sync-retiolum "stockholm") (sync-retiolum "wai-middleware-time") - (sync-retiolum "web-routes-wai-custom") (sync-retiolum "xmonad-stockholm") ]; } diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix index cef43d1e6..17debf822 100644 --- a/lass/2configs/syncthing.nix +++ b/lass/2configs/syncthing.nix @@ -3,7 +3,6 @@ with import <stockholm/lib>; { services.syncthing = { enable = true; - useInotify = true; }; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 22000"; target = "ACCEPT";} diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 25ca1f455..53f1eea5c 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -6,66 +6,10 @@ let genid ; - servephpBB = domains: - let - domain = head domains; - - in { - services.nginx.virtualHosts."${domain}" = { - enableACME = true; - forceSSL = true; - serverAliases = domains; - extraConfig = '' - index index.php; - root /srv/http/${domain}/; - access_log /tmp/nginx_acc.log; - error_log /tmp/nginx_err.log; - error_page 404 /404.html; - error_page 500 502 503 504 /50x.html; - client_max_body_size 100m; - ''; - locations."/".extraConfig = '' - try_files $uri $uri/ /index.php?$args; - ''; - locations."~ \.php(?:$|/)".extraConfig = '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS on; - fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice - fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; - fastcgi_intercept_errors on; - ''; - #Directives to send expires headers and turn off 404 error logging. - locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = '' - access_log off; - log_not_found off; - expires max; - ''; - }; - services.phpfpm.poolConfigs."${domain}" = '' - listen = /srv/http/${domain}/phpfpm.pool - user = nginx - group = nginx - pm = dynamic - pm.max_children = 25 - pm.start_servers = 5 - pm.min_spare_servers = 3 - pm.max_spare_servers = 20 - listen.owner = nginx - listen.group = nginx - php_admin_value[error_log] = 'stderr' - php_admin_flag[log_errors] = on - catch_workers_output = yes - ''; - }; - in { imports = [ ./default.nix ../git.nix - (servephpBB [ "rote-allez-fraktion.de" ]) ]; security.acme = { diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 62055d0fd..61b5543ce 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -16,7 +16,7 @@ rec { in { services.nginx.virtualHosts.${domain} = { enableACME = true; - enableSSL = true; + onlySSL = true; extraConfig = '' listen 80; listen [::]:80; @@ -28,13 +28,66 @@ rec { }; }; + servephpBB = domains: + let + domain = head domains; + + in { + services.nginx.virtualHosts."${domain}" = { + serverAliases = domains; + extraConfig = '' + index index.php; + root /srv/http/${domain}/; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + client_max_body_size 100m; + ''; + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php?$args; + ''; + locations."~ \.php(?:$|/)".extraConfig = '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + fastcgi_intercept_errors on; + ''; + #Directives to send expires headers and turn off 404 error logging. + locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = '' + access_log off; + log_not_found off; + expires max; + ''; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 25 + pm.start_servers = 5 + pm.min_spare_servers = 3 + pm.max_spare_servers = 20 + listen.owner = nginx + listen.group = nginx + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + serveOwncloud = domains: let domain = head domains; in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - enableSSL = true; + onlySSL = true; serverAliases = domains; extraConfig = '' listen 80; @@ -148,7 +201,7 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - enableSSL = true; + onlySSL = true; serverAliases = domains; extraConfig = '' listen 80; diff --git a/lass/2configs/zsh.nix b/lass/2configs/zsh.nix index aa3e6731d..76cac9f56 100644 --- a/lass/2configs/zsh.nix +++ b/lass/2configs/zsh.nix @@ -54,8 +54,8 @@ eval $(dircolors -b ${pkgs.fetchFromGitHub { owner = "trapd00r"; repo = "LS_COLORS"; - rev = "master"; - sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp"; + rev = "a75fca8545f91abb8a5f802981033ef54bf1eac0"; + sha256="1lzj0qnj89mzh76ha137mnz2hf86k278rh0y9x124ghxj9yqsnb4"; }}/LS_COLORS) alias ls='ls --color' zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS} diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 0c10e1ec2..5e7e6dff3 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -8,6 +8,7 @@ _: ./mysql-backup.nix ./news.nix ./pyload.nix + ./restic.nix ./screenlock.nix ./umts.nix ./usershadow.nix diff --git a/lass/3modules/restic.nix b/lass/3modules/restic.nix new file mode 100644 index 000000000..c720793b1 --- /dev/null +++ b/lass/3modules/restic.nix @@ -0,0 +1,119 @@ +{ config, lib, pkgs, ... }: + +with import <stockholm/lib>; + +{ + options.lass.restic = mkOption { + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + name = mkOption { + type = types.str; + default = config._module.args.name; + }; + passwordFile = mkOption { + type = types.str; + default = toString <secrets/restic-password>; + description = '' + read the repository password from a file. + ''; + example = "/etc/nixos/restic-password"; + + }; + repo = mkOption { + type = types.str; + default = "sftp:backup@prism.r:/backups/${config.name}"; + description = '' + repository to backup to. + ''; + example = "sftp:backup@192.168.1.100:/backups/${config.name}"; + }; + dirs = mkOption { + type = types.listOf types.str; + default = []; + description = '' + which directories to backup. + ''; + example = [ + "/var/lib/postgresql" + "/home/user/backup" + ]; + }; + timerConfig = mkOption { + type = types.attrsOf types.str; + default = { + OnCalendar = "daily"; + }; + description = '' + When to run the backup. See man systemd.timer for details. + ''; + example = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }; + user = mkOption { + type = types.str; + default = "root"; + description = '' + As which user the backup should run. + ''; + example = "postgresql"; + }; + extraArguments = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra arguments to append to the restic command. + ''; + example = [ + "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp" + ]; + }; + initialize = mkOption { + type = types.bool; + default = false; + description = '' + Create the repository if it doesn't exist. + ''; + }; + }; + })); + default = {}; + }; + + config = { + systemd.services = + mapAttrs' (_: plan: + let + extraArguments = concatMapStringsSep " " (arg: "-o ${arg}") plan.extraArguments; + connectTo = elemAt (splitString ":" plan.repo) 1; + resticCmd = "${pkgs.restic}/bin/restic ${extraArguments}"; + in nameValuePair "backup.${plan.name}" { + environment = { + RESTIC_PASSWORD_FILE = plan.passwordFile; + RESTIC_REPOSITORY = plan.repo; + }; + path = with pkgs; [ + openssh + ]; + restartIfChanged = false; + serviceConfig = { + ExecStartPre = mkIf plan.initialize (pkgs.writeScript "rustic-${plan.name}-init" '' + #! ${pkgs.bash}/bin/bash + ${resticCmd} snapshots || ${resticCmd} init + ''); + ExecStart = pkgs.writeDash "rustic-${plan.name}" ( + "#! ${pkgs.bash}/bin/bash\n" + + concatMapStringsSep "\n" (dir: "${resticCmd} backup ${dir}") plan.dirs + ); + User = plan.user; + }; + } + ) config.lass.restic; + systemd.timers = + mapAttrs' (_: plan: nameValuePair "backup.${plan.name}" { + wantedBy = [ "timers.target" ]; + timerConfig = plan.timerConfig; + }) config.lass.restic; + }; +} diff --git a/lass/5pkgs/generate-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix index 5a4afe7c5..4b25fbd4c 100644 --- a/lass/5pkgs/generate-secrets/default.nix +++ b/lass/5pkgs/l-gen-secrets/default.nix @@ -1,5 +1,5 @@ { pkgs }: -pkgs.writeDashBin "generate-secrets" '' +pkgs.writeDashBin "l-gen-secrets" '' HOSTNAME="$1" TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) @@ -17,9 +17,9 @@ pkgs.writeDashBin "generate-secrets" '' cd $TMPDIR for x in *; do - ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null + ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m krebs-secrets/$HOSTNAME/$x > /dev/null done - echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/hosts/$HOSTNAME/pass > /dev/null + echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/pass > /dev/null cat <<EOF $HOSTNAME = { diff --git a/lib/types.nix b/lib/types.nix index 1cf2d96c9..d663d2512 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -50,6 +50,14 @@ rec { default = false; }; + monitoring = mkOption { + description = '' + Whether the host should be monitored by monitoring tools like Prometheus. + ''; + type = bool; + default = false; + }; + owner = mkOption { type = user; }; diff --git a/makefu/1systems/gum/config.nix b/makefu/1systems/gum/config.nix index 40fa233d3..9b6d9d571 100644 --- a/makefu/1systems/gum/config.nix +++ b/makefu/1systems/gum/config.nix @@ -62,10 +62,13 @@ in { ## Web <stockholm/makefu/2configs/nginx/share-download.nix> <stockholm/makefu/2configs/nginx/euer.test.nix> + <stockholm/makefu/2configs/nginx/euer.mon.nix> <stockholm/makefu/2configs/nginx/euer.wiki.nix> <stockholm/makefu/2configs/nginx/euer.blog.nix> + # <stockholm/makefu/2configs/nginx/gum.krebsco.de.nix> <stockholm/makefu/2configs/nginx/public_html.nix> <stockholm/makefu/2configs/nginx/update.connector.one.nix> + <stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix> <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix> <stockholm/makefu/2configs/deployment/graphs.nix> @@ -222,6 +225,8 @@ in { 25 # http 80 443 + # httptunnel + 8080 8443 # tinc 655 # tinc-shack diff --git a/makefu/1systems/gum/source.nix b/makefu/1systems/gum/source.nix index b3ce743ca..e3ca472e4 100644 --- a/makefu/1systems/gum/source.nix +++ b/makefu/1systems/gum/source.nix @@ -1,4 +1,5 @@ import <stockholm/makefu/source.nix> { name="gum"; torrent = true; + clever_kexec = true; } diff --git a/makefu/1systems/omo/config.nix b/makefu/1systems/omo/config.nix index bed6ae9fd..a85d5f5ce 100644 --- a/makefu/1systems/omo/config.nix +++ b/makefu/1systems/omo/config.nix @@ -50,6 +50,7 @@ in { <stockholm/makefu/2configs/smart-monitor.nix> <stockholm/makefu/2configs/mail-client.nix> <stockholm/makefu/2configs/mosh.nix> + <stockholm/makefu/2configs/tools/mobility.nix> # <stockholm/makefu/2configs/disable_v6.nix> #<stockholm/makefu/2configs/graphite-standalone.nix> #<stockholm/makefu/2configs/share-user-sftp.nix> @@ -85,7 +86,7 @@ in { <stockholm/makefu/2configs/sshd-totp.nix> # <stockholm/makefu/2configs/logging/central-logging-client.nix> - # <stockholm/makefu/2configs/torrent.nix> + <stockholm/makefu/2configs/torrent.nix> # <stockholm/makefu/2configs/elchos/search.nix> # <stockholm/makefu/2configs/elchos/log.nix> @@ -100,7 +101,7 @@ in { makefu.full-populate = true; makefu.server.primary-itf = primaryInterface; krebs.rtorrent = { - downloadDir = lib.mkForce "/media/crypt0/torrent"; + downloadDir = lib.mkForce "/media/cryptX/torrent"; extraConfig = '' upload_rate = 200 ''; diff --git a/makefu/1systems/wbob/config.nix b/makefu/1systems/wbob/config.nix index cfbcf0e9c..3cf3274f9 100644 --- a/makefu/1systems/wbob/config.nix +++ b/makefu/1systems/wbob/config.nix @@ -33,6 +33,9 @@ in { <stockholm/makefu/2configs/share/wbob.nix> <stockholm/makefu/2configs/bluetooth-mpd.nix> + { + users.users.makefu.extraGroups = [ "pulse" ]; + } # Sensors <stockholm/makefu/2configs/stats/telegraf> @@ -49,9 +52,10 @@ in { db = "collectd_db"; logging-interface = "enp0s25"; in { + networking.firewall.allowedTCPPorts = [ 3000 ]; + services.grafana.enable = true; services.grafana.addr = "0.0.0.0"; - services.influxdb.enable = true; services.influxdb.extraConfig = { meta.hostname = config.krebs.build.host.name; @@ -121,6 +125,7 @@ in { networking.firewall.allowedTCPPorts = [ 655 8081 #smokeping + 8086 #influx 49152 ]; networking.firewall.trustedInterfaces = [ "enp0s25" ]; diff --git a/makefu/1systems/x/config.nix b/makefu/1systems/x/config.nix index f72f2a15b..93bb27efe 100644 --- a/makefu/1systems/x/config.nix +++ b/makefu/1systems/x/config.nix @@ -141,15 +141,6 @@ with import <stockholm/lib>; # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio hardware.bluetooth.enable = true; } - { # auto-mounting - services.udisks2.enable = true; - services.devmon.enable = true; - # services.gnome3.gvfs.enable = true; - users.users.makefu.packages = with pkgs;[ - gvfs pcmanfm lxmenu-data - ]; - environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ]; - } ]; @@ -170,6 +161,7 @@ with import <stockholm/lib>; networking.extraHosts = '' 192.168.1.11 omo.local + 80.92.65.53 www.wifionice.de wifionice.de ''; # hard dependency because otherwise the device will not be unlocked boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; diff --git a/makefu/2configs/bluetooth-mpd.nix b/makefu/2configs/bluetooth-mpd.nix index 226f5cf1f..b59d3ce10 100644 --- a/makefu/2configs/bluetooth-mpd.nix +++ b/makefu/2configs/bluetooth-mpd.nix @@ -34,7 +34,7 @@ in { hardware.pulseaudio = { enable = true; package = pkgs.pulseaudioFull; - # systemWide = true; + # systemWide = true; support32Bit = true; zeroconf.discovery.enable = true; zeroconf.publish.enable = true; @@ -42,12 +42,13 @@ in { enable = true; # PULSE_SERVER=192.168.1.11 pavucontrol anonymousClients.allowAll = true; + anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.0.0/16" ]; }; configFile = pkgs.writeText "default.pa" '' load-module module-udev-detect load-module module-bluetooth-policy load-module module-bluetooth-discover - load-module module-native-protocol-unix + load-module module-native-protocol-unix auth-anonymous=1 load-module module-always-sink load-module module-console-kit load-module module-systemd-login @@ -56,13 +57,15 @@ in { load-module module-filter-heuristics load-module module-filter-apply load-module module-switch-on-connect + #load-module module-bluez5-device + #load-module module-bluez5-discover ''; }; - # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio + # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio hardware.bluetooth.enable = true; - #hardware.bluetooth.extraConfig = '' - # [general] - # Enable=Source,Sink,Media,Socket - #''; + # environment.etc."bluetooth/audio.conf".text = '' + # [General] + # Enable = Source,Sink,Media,Socket + # ''; }; } diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 30d90f9e3..c209b83f6 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -30,6 +30,7 @@ let euer_blog = { }; ampel = { }; europastats = { }; + arafetch = { }; init-stockholm = { cgit.desc = "Init stuff for stockholm"; }; diff --git a/makefu/2configs/gui/automatic-diskmount.nix b/makefu/2configs/gui/automatic-diskmount.nix new file mode 100644 index 000000000..19933111a --- /dev/null +++ b/makefu/2configs/gui/automatic-diskmount.nix @@ -0,0 +1,44 @@ +{ pkgs, ... }: +with import <stockholm/lib>; #genid +{ # auto-mounting via polkit + services.udisks2.enable = true; +## automount all disks: +# services.devmon.enable = true; +# services.gnome3.gvfs.enable = true; + users.groups.storage = { + gid = genid "storage"; + members = [ "makefu" ]; + }; + users.users.makefu.packages = with pkgs;[ + gvfs pcmanfm lxmenu-data + ]; + environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ]; + +## allow users in group "storage" to mount disk +# https://github.com/coldfix/udiskie/wiki/Permissions + security.polkit.extraConfig = + '' + polkit.addRule(function(action, subject) { + var YES = polkit.Result.YES; + var permission = { + "org.freedesktop.udisks.filesystem-mount": YES, + "org.freedesktop.udisks.luks-unlock": YES, + "org.freedesktop.udisks.drive-eject": YES, + "org.freedesktop.udisks.drive-detach": YES, + "org.freedesktop.udisks2.filesystem-mount": YES, + "org.freedesktop.udisks2.encrypted-unlock": YES, + "org.freedesktop.udisks2.eject-media": YES, + "org.freedesktop.udisks2.power-off-drive": YES, + "org.freedesktop.udisks2.filesystem-mount-other-seat": YES, + "org.freedesktop.udisks2.filesystem-unmount-others": YES, + "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES, + "org.freedesktop.udisks2.eject-media-other-seat": YES, + "org.freedesktop.udisks2.power-off-drive-other-seat": YES + }; + if (subject.isInGroup("storage")) { + return permission[action.id]; + } + }); + ''; + +} diff --git a/makefu/2configs/hw/network-manager.nix b/makefu/2configs/hw/network-manager.nix index 7e29849b1..d322c683d 100644 --- a/makefu/2configs/hw/network-manager.nix +++ b/makefu/2configs/hw/network-manager.nix @@ -11,9 +11,8 @@ systemd.services.modemmanager = { description = "ModemManager"; - after = [ "network-manager.service" ]; bindsTo = [ "network-manager.service" ]; - wantedBy = [ "network-manager.service" ]; + wantedBy = [ "network-manager.service" "multi-user.target" ]; serviceConfig = { ExecStart = "${pkgs.modemmanager}/bin/ModemManager"; PrivateTmp = true; diff --git a/makefu/2configs/hydra/stockholm.nix b/makefu/2configs/hydra/stockholm.nix index 4bdb09213..35999ae57 100644 --- a/makefu/2configs/hydra/stockholm.nix +++ b/makefu/2configs/hydra/stockholm.nix @@ -5,7 +5,6 @@ { # TODO postgres backup - services.postgresql.enable = true; services.hydra = { enable = true; diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix index 827da0c8d..315fc4706 100644 --- a/makefu/2configs/main-laptop.nix +++ b/makefu/2configs/main-laptop.nix @@ -16,6 +16,7 @@ in { ./zsh-user.nix ./tools/core.nix ./tools/core-gui.nix + ./gui/automatic-diskmount.nix ]; users.users.${config.krebs.build.user.name}.extraGroups = [ "dialout" ]; diff --git a/makefu/2configs/nginx/euer.mon.nix b/makefu/2configs/nginx/euer.mon.nix new file mode 100644 index 000000000..c5a7e68af --- /dev/null +++ b/makefu/2configs/nginx/euer.mon.nix @@ -0,0 +1,26 @@ +{ config, lib, pkgs, ... }: + +with import <stockholm/lib>; +let + hostname = config.krebs.build.host.name; + user = config.services.nginx.user; + group = config.services.nginx.group; + external-ip = config.krebs.build.host.nets.internet.ip4.addr; + internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; +in { + services.nginx = { + enable = mkDefault true; + virtualHosts."mon.euer.krebsco.de" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://wbob.r:3000/"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ''; + }; + }; + }; +} diff --git a/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix b/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix new file mode 100644 index 000000000..d0881a934 --- /dev/null +++ b/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, ... }: +{ + services.nginx = { + enable = lib.mkDefault true; + virtualHosts."misa-felix-hochzeit.ml" = { + serverAliases = [ "www.misa-felix-hochzeit.ml" "misa-felix.ml" "www.misa-felix.ml" ]; + forceSSL = true; + enableACME = true; + locations = { + "/" = { + index = "index.html"; + root = "/var/www/misa-felix-hochzeit.ml"; + }; + }; + }; + }; +} diff --git a/makefu/2configs/remote-build/master.nix b/makefu/2configs/remote-build/master.nix deleted file mode 100644 index 2a2c68119..000000000 --- a/makefu/2configs/remote-build/master.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ pkgs, ...}: -let - sshKey = (toString <secrets>) + "/id_nixBuild"; -in { - nix.distributedBuilds = true; - # TODO: iterate over krebs.hosts - nix.buildMachines = map ( hostName: - { inherit hostName sshKey; - sshUser = "nixBuild"; - system = "x86_64-linux"; - maxJobs = 8; - }) [ "hotdog.r" ]; - # puyak.r "wbob.r" "omo.r" "gum.r" "latte.r" -} diff --git a/makefu/2configs/stats/arafetch.nix b/makefu/2configs/stats/arafetch.nix index e04b12f9c..422676b24 100644 --- a/makefu/2configs/stats/arafetch.nix +++ b/makefu/2configs/stats/arafetch.nix @@ -3,7 +3,7 @@ with import <stockholm/lib>; let pkg = with pkgs.python3Packages;buildPythonPackage rec { rev = "762d747"; - name = "europastats-${rev}"; + name = "arafetch-${rev}"; propagatedBuildInputs = [ requests docopt @@ -25,12 +25,25 @@ in { }; systemd.services.arafetch = { - startAt = "Mon 09:15:00"; + startAt = "Mon,Wed,Fri 09:15:00"; wantedBy = [ "multi-user.target" ]; environment = { OUTDIR = home; }; path = [ pkg pkgs.git pkgs.wget ]; - script = "${pkg}/bin/weekrun"; + serviceConfig = { + User = "arafetch"; + WorkingDirectory = home; + PrivateTmp = true; + ExecStart = pkgs.writeDash "start-weekrun" '' + set -x + weekrun || echo "weekrun failed!" + find $OUTDIR/db -name \*.json | while read path;do + file=''${path##*/} + cantine=''${file%%.json} + ara2influx $path --cantine $cantine --host wbob.r + done + ''; + }; }; } diff --git a/makefu/2configs/tools/core-gui.nix b/makefu/2configs/tools/core-gui.nix index 2f80b08c9..898bae10d 100644 --- a/makefu/2configs/tools/core-gui.nix +++ b/makefu/2configs/tools/core-gui.nix @@ -1,10 +1,6 @@ { pkgs, ... }: { - nixpkgs.config.firefox = { - enableAdobeFlash = true; - }; - krebs.per-user.makefu.packages = with pkgs; [ chromium clipit diff --git a/makefu/2configs/urlwatch/default.nix b/makefu/2configs/urlwatch/default.nix index d0fb4fe41..f93d47caa 100644 --- a/makefu/2configs/urlwatch/default.nix +++ b/makefu/2configs/urlwatch/default.nix @@ -25,7 +25,6 @@ in { # pypi https://pypi.python.org/simple/bepasty/ https://pypi.python.org/simple/devpi-client/ - https://pypi.python.org/simple/oslo.config/ https://pypi.python.org/simple/sqlalchemy_migrate/ https://pypi.python.org/simple/xstatic/ https://pypi.python.org/simple/pyserial/ diff --git a/makefu/5pkgs/ampel/default.nix b/makefu/5pkgs/ampel/default.nix index 86518b9b8..9792c2c59 100644 --- a/makefu/5pkgs/ampel/default.nix +++ b/makefu/5pkgs/ampel/default.nix @@ -2,7 +2,7 @@ with pkgs.python3Packages;buildPythonPackage rec { name = "ampel-${version}"; - version = "0.2"; + version = "0.2.1"; propagatedBuildInputs = [ docopt @@ -16,8 +16,8 @@ with pkgs.python3Packages;buildPythonPackage rec { src = pkgs.fetchgit { url = "http://cgit.euer.krebsco.de/ampel"; - rev = "d8a0250"; - sha256 = "0n36lc17ca5db6pl6dswdqd5w9f881rfqck9yc4w33a5qpsxj85f"; + rev = "92321d7"; + sha256 = "0mvpbpf1rx8sc589qjb73gl8z6fir2zs3gl3br1pbhg5jgn0ij4n"; }; meta = { homepage = http://cgit.euer.krebsco.de/ampel; diff --git a/makefu/5pkgs/awesomecfg/full.cfg b/makefu/5pkgs/awesomecfg/full.cfg index e748981c6..e49a88697 100644 --- a/makefu/5pkgs/awesomecfg/full.cfg +++ b/makefu/5pkgs/awesomecfg/full.cfg @@ -412,8 +412,7 @@ clientkeys = awful.util.table.join( end), awful.key({ modkey, }, "m", function (c) - c.maximized_horizontal = not c.maximized_horizontal - c.maximized_vertical = not c.maximized_vertical + c.maximized = not c.maximized end) ) diff --git a/makefu/5pkgs/devpi/default.nix b/makefu/5pkgs/devpi/default.nix index 3ddcd9641..6515ea3d1 100644 --- a/makefu/5pkgs/devpi/default.nix +++ b/makefu/5pkgs/devpi/default.nix @@ -16,16 +16,17 @@ let }; devpi-web = pkgs.python3Packages.buildPythonPackage rec { name = "devpi-web"; - version = "3.1.1"; + version = "3.2.2"; src = pkgs.fetchurl { url = "mirror://pypi/d/devpi-web/devpi-web-${version}.tar.gz"; - sha256 = "0bvqv52jmasfm4sdyccwsgvk9a663d3grj7zjw8r9x7xm7l3svqv"; + sha256 = "1mwg2fcw88rn47ypnhg5f4s1r066129z922113shyinwrwfddhay"; }; - propagatedBuildInputs = with pkgs.python3Packages; - [ pkgs.devpi-server pyramid_chameleon beautifulsoup4 defusedxml readme-renderer ]; + propagatedBuildInputs = with pkgs.python3Packages; builtins.trace pkgs.devpi-server.version + [ pkgs.devpi-server pyramid_chameleon pygments docutils devpi-common + whoosh beautifulsoup4 defusedxml readme-renderer ]; meta = { homepage = https://bitbucket.org/hpk42/devpi; @@ -37,6 +38,6 @@ let in { devpi-web = pkgs.python3.buildEnv.override { - extraLibs = [ devpi-web devpi-server ]; - }; + extraLibs = [ devpi-web pkgs.devpi-server ]; + }; } diff --git a/makefu/source.nix b/makefu/source.nix index d25fe5528..40aeac8b6 100644 --- a/makefu/source.nix +++ b/makefu/source.nix @@ -1,14 +1,16 @@ with import <stockholm/lib>; host@{ name, override ? {} -, secure ? false -, full ? false -, torrent ? false -, hw ? false -, musnix ? false -, python ? false -, unstable ? false #unstable channel checked out -, mic92 ? false +, secure ? false +, full ? false +, torrent ? false +, hw ? false +, musnix ? false +, python ? false +, unstable ? false #unstable channel checked out +, mic92 ? false +, nms ? false +, clever_kexec ?false }: let builder = if getEnv "dummy_secrets" == "true" @@ -21,9 +23,8 @@ let ]; }; # TODO: automate updating of this ref + cherry-picks - ref = "6583793"; # nixos-17.09 @ 2018-03-07 - # + do_sqlite3 ruby: 55a952be5b5 - # + signal: 0f19beef3, 50ad913, 9449782, b7046ab2 + ref = "a09afbfb8a4"; # nixos-18.03 @ 2018-04-04 + # + do_sqlite3 ruby: 55a952be5b5 in evalSource (toString _file) [ @@ -43,18 +44,22 @@ in file = "/home/makefu/store/${ref}"; }; - secrets.file = getAttr builder { - buildbot = toString <stockholm/makefu/6tests/data/secrets>; - makefu = "/home/makefu/secrets/${name}"; + secrets = getAttr builder { + buildbot.file = toString <stockholm/makefu/6tests/data/secrets>; + makefu.pass = { + inherit name; + dir = "${getEnv "HOME"}/.secrets-pass"; + }; }; + stockholm.file = toString <stockholm>; stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version"; } (mkIf ( musnix ) { musnix.git = { url = https://github.com/musnix/musnix.git; - ref = "d8b989f"; + ref = "master"; # follow the musnix channel, lets see how this works out }; }) @@ -73,9 +78,12 @@ in }) (mkIf ( torrent ) { - torrent-secrets.file = getAttr builder { - buildbot = toString <stockholm/makefu/6tests/data/secrets>; - makefu = "/home/makefu/secrets/torrent" ; + torrent-secrets = getAttr builder { + buildbot.file = toString <stockholm/makefu/6tests/data/secrets>; + makefu.pass = { + name = "torrent"; + dir = "${getEnv "HOME"}/.secrets-pass"; + }; }; }) @@ -93,5 +101,19 @@ in }; }) + (mkIf ( nms ) { + nms.git = { + url = https://github.com/r-raymond/nixos-mailserver; + ref = "v2.1.2"; + }; + }) + + (mkIf ( clever_kexec ) { + clever_kexec.git = { + url = https://github.com/cleverca22/nix-tests; + ref = "5a670de7f2decfaafc95c34ffeb0f1896662f3d7"; + }; + }) + override ] diff --git a/nin/2configs/vim.nix b/nin/2configs/vim.nix index 101a80cc0..7b5d37611 100644 --- a/nin/2configs/vim.nix +++ b/nin/2configs/vim.nix @@ -349,6 +349,7 @@ let let b:current_syntax = "nix" set isk=@,48-57,_,192-255,-,' + set bg=dark ''; in out |