author | tv <tv@krebsco.de> | 2016-06-06 17:17:07 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2016-06-06 17:17:07 +0200 |
commit | dda2887e2cf618a7c7744bee2eed806e3a38fe36 (patch) | |
tree | 19ad3210a2b8485ac22d26f75b2e2493d3f61596 /lass/2configs | |
parent | c1c645b545b960eb639fc6d41dfa35ee187ae164 (diff) | |
parent | 7e344c0627a266685ef1ad79f5193b4e7ba27408 (diff) |
Merge remote-tracking branch 'cloudkrebs/master'
Diffstat (limited to 'lass/2configs')
27 files changed, 1056 insertions, 225 deletions
diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix
new file mode 100644
index 000000000..7d3046d43
--- /dev/null
+++ b/lass/2configs/backups.nix
@@ -0,0 +1,135 @@ +{ config, lib, ... }: +with config.krebs.lib; +{ + + krebs.backup.plans = { + } // mapAttrs (_: recursiveUpdate { + snapshots = { + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; + }; + }) { + dishfire-http-prism = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; }; + startAt = "03:00"; + }; + dishfire-http-mors = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; }; + startAt = "03:05"; + }; + dishfire-http-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-http"; }; + startAt = "03:10"; + }; + dishfire-sql-prism = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; }; + startAt = "03:15"; + }; + dishfire-sql-mors = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; }; + startAt = "03:20"; + }; + dishfire-sql-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-sql"; }; + startAt = "03:25"; + }; + prism-bitlbee-mors = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; }; + startAt = "03:25"; + }; + prism-bitlbee-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; }; + dst = { host = 
config.krebs.hosts.uriel; path = "/bku/prism-bitlbee"; }; + startAt = "03:25"; + }; + prism-chat-mors = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; }; + startAt = "03:30"; + }; + prism-chat-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; }; + startAt = "03:35"; + }; + prism-sql-mors = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; }; + startAt = "03:40"; + }; + prism-sql-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; }; + startAt = "03:45"; + }; + prism-http-mors = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; }; + startAt = "03:50"; + }; + prism-http-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; }; + startAt = "03:55"; + }; + uriel-home-mors = { + method = "pull"; + src = { host = config.krebs.hosts.uriel; path = "/home"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; }; + startAt = "04:00"; + }; + mors-home-uriel = { + method = "push"; + src = { host = config.krebs.hosts.mors; path = "/home"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; }; + startAt = "05:00"; + }; + dishfire-http-helios = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.helios; path = "/bku/dishfire-http"; }; + startAt = "12:00"; + }; + dishfire-sql-helios = { + method = "pull"; + 
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.helios; path = "/bku/dishfire-sql"; }; + startAt = "12:15"; + }; + prism-sql-helios = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.helios; path = "/bku/prism-sql_dumps"; }; + startAt = "12:30"; + }; + prism-http-helios = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.helios; path = "/bku/prism-http"; }; + startAt = "12:45"; + }; + }; +} diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 6c52240af..16f7502ac 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -4,9 +4,10 @@ let mainUser = config.users.extraUsers.mainUser; in { imports = [ - ./base.nix + ./default.nix #./urxvt.nix ./xserver + ./mpv.nix ]; users.extraUsers.mainUser.extraGroups = [ "audio" ]; @@ -33,17 +34,19 @@ in { dmenu gitAndTools.qgit + lm_sensors much + nmap pavucontrol powertop push slock sxiv + xclip xorg.xbacklight xsel zathura - mpv mpv-poll yt-next #window manager stuff diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index 47a16d4cb..ea79053ce 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -14,7 +14,7 @@ let useDefaultShell = true; createHome = true; }; - lass.per-user.${name}.packages = packages; + krebs.per-user.${name}.packages = packages; security.sudo.extraConfig = '' ${mainUser.name} ALL=(${name}) NOPASSWD: ALL ''; @@ -35,7 +35,7 @@ let useDefaultShell = true; createHome = true; }; - lass.per-user.${name}.packages = packages; + krebs.per-user.${name}.packages = packages; security.sudo.extraConfig = '' ${mainUser.name} ALL=(${name}) NOPASSWD: ALL ''; 
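Review bot: The three plans `dishfire-sql-uriel`, `prism-bitlbee-mors` and `prism-bitlbee-uriel` all carry `startAt = "03:25"`, which breaks the five-minute stagger the rest of the list follows and makes uriel start two pulls at the same minute; either shift them (`startAt = "03:30";` for `prism-bitlbee-mors` and move the later prism plans accordingly) or add a comment saying the overlap is intended. The `yearly` snapshot entry sets only `format` and no `retain`, unlike its siblings; what that means depends on the krebs.backup module, which is outside this diff, so a comment such as `# no retain: yearly snapshots are kept indefinitely` (or an explicit value) would make the intent visible. Since the pulled paths include `/bku/sql_dumps` and `/var/lib/bitlbee`, these plans replicate database dumps and the bitlbee state directory onto every destination host listed; a short header comment naming that sensitivity would help whoever adds the next destination.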
@@ -59,20 +59,10 @@ in { imports = [ ( createFirefoxUser "ff" [ "audio" ] [ pkgs.firefox ] ) - ( createChromiumUser "cr" [ "audio" ] [ pkgs.chromium ] ) - ( createChromiumUser "wk" [ "audio" ] [ pkgs.chromium ] ) - ( createChromiumUser "fb" [ "audio" ] [ pkgs.chromium ] ) - ( createChromiumUser "gm" [ "audio" ] [ pkgs.chromium ] ) - ( createChromiumUser "flash" [ "audio" ] [ pkgs.flash ] ) + ( createChromiumUser "cr" [ "video" "audio" ] [ pkgs.chromium ] ) + ( createChromiumUser "wk" [ "video" "audio" ] [ pkgs.chromium ] ) + ( createChromiumUser "fb" [ "video" "audio" ] [ pkgs.chromium ] ) + ( createChromiumUser "gm" [ "video" "audio" ] [ pkgs.chromium ] ) + ( createChromiumUser "com" [ "video" "audio" ] [ pkgs.chromium ] ) ]; - - nixpkgs.config.packageOverrides = pkgs : { - flash = pkgs.chromium.override { - # pulseSupport = true; - enablePepperFlash = true; - }; - #chromium = pkgs.chromium.override { - # pulseSupport = true; - #}; - }; } diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 8c71553fe..604d0728d 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -1,15 +1,16 @@ { lib, config, pkgs, ... }: { - #networking.firewall.allowedTCPPorts = [ 8010 9989 ]; - krebs.buildbot.master = { + krebs.buildbot.master = let + stockholm-mirror-url = http://cgit.prism/stockholm ; + in { slaves = { testslave = "lasspass"; }; change_source.stockholm = '' - stockholm_repo = 'http://cgit.mors/stockholm' + stockholm_repo = '${stockholm-mirror-url}' cs.append(changes.GitPoller( stockholm_repo, - workdir='stockholm-poller', branch='master', + workdir='stockholm-poller', branches=True, project='stockholm', pollinterval=120)) ''; 
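Review bot: Every chromium profile user now receives `"video"` in its extra groups, including `fb` and `gm`, so the per-profile user separation no longer limits which profiles can open the devices owned by the `video` group; if only some profiles need a camera, keep the group to those, e.g. `( createChromiumUser "fb" [ "audio" ] [ pkgs.chromium ] )`. The new `com` profile is added without any indication of what it isolates; a one-line comment above the list stating the purpose of each profile and why `video` was added would document the decision. `createChromiumUser` itself is defined outside this hunk, so whether the group list reaches `users.extraUsers.<name>.extraGroups` directly is inferred, not shown.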
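Review bot: `stockholm-mirror-url = http://cgit.prism/stockholm` hands GitPoller a plain-HTTP clone source, and together with `branches=True` here and `branch_re=".*"` in the `fast-tests-scheduler` hunk below, every branch that appears on that mirror is now evaluated by the `fast-tests` builder; the integrity of the mirror and of who may push to it is therefore what gates what the slave executes. If the mirror is reachable only over the VPN, record that next to the URL, e.g. `# cgit.prism is reachable over retiolum only; no TLS available`, otherwise an `https://` or ssh URL is preferable. The `in {` opened by the new `let` is closed outside this hunk.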
@@ -20,10 +21,12 @@ builderNames=["fast-tests"])) ''; fast-tests-scheduler = '' - # test the master real quick + # test everything real quick sched.append(schedulers.SingleBranchScheduler( - change_filter=util.ChangeFilter(branch="master"), - name="fast-master-test", + ## all branches + change_filter=util.ChangeFilter(branch_re=".*"), + # treeStableTimer=10, + name="fast-all-branches", builderNames=["fast-tests"])) ''; }; @@ -38,7 +41,10 @@ deps = [ "gnumake", "jq","nix","rsync" ] # TODO: --pure , prepare ENV in nix-shell command: # SSL_CERT_FILE,LOGNAME,NIX_REMOTE - nixshell = ["nix-shell", "-I", "stockholm=.", "-p" ] + deps + [ "--run" ] + nixshell = ["nix-shell", + "-I", "stockholm=.", + "-I", "nixpkgs=/var/src/nixpkgs", + "-p" ] + deps + [ "--run" ] # prepare addShell function def addShell(factory,**kwargs): @@ -48,13 +54,26 @@ fast-tests = '' f = util.BuildFactory() f.addStep(grab_repo) - addShell(f,name="mors-eval",env=env, - command=nixshell + ["make -s eval get=krebs.deploy filter=json system=mors"]) + for i in [ "prism", "mors", "echelon" ]: + addShell(f,name="populate-{}".format(i),env=env, + command=nixshell + \ + ["{}( make system={} eval.config.krebs.build.populate \ + | jq -er .)".format("!" if "failing" in i else "",i)]) + + addShell(f,name="build-test-minimal",env=env, + command=nixshell + \ + ["nix-instantiate \ + --show-trace --eval --strict --json \ + -I nixos-config=./shared/1systems/test-minimal-deploy.nix \ + -I secrets=. \ + -A config.system.build.toplevel"] + ) bu.append(util.BuilderConfig(name="fast-tests", slavenames=slavenames, factory=f)) - ''; + + ''; }; enable = true; web.enable = true; 
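Review bot: In the new `populate-{}` loop the expression `"!" if "failing" in i else ""` can never select `"!"`, because the iterated names are `prism`, `mors` and `echelon`; either drop the conditional or add a comment such as `# prefix "!" to mark a system whose populate step is expected to fail` so the next reader knows the hook is deliberate. The `build-test-minimal` step passes `-I secrets=.`, which makes the checkout itself satisfy `<secrets/...>` lookups during evaluation; presumably only dummy secrets live in the repository, and a comment saying so would pre-empt the question. The re-indented `'';` closing `fast-tests` leaves an extra blank line inside the Python string, harmless but it looks unintended.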
@@ -72,7 +91,17 @@ masterhost = "localhost"; username = "testslave"; password = "lasspass"; - packages = with pkgs;[ git nix ]; - extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; }; + packages = with pkgs;[ git nix gnumake jq rsync ]; + extraEnviron = { + NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./shared/1systems/wolf.nix"; + }; + }; + krebs.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8010"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 9989"; target = "ACCEPT"; } + ]; + }; }; } diff --git a/lass/2configs/base.nix b/lass/2configs/default.nix index 8017d4270..1c06acf38 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/default.nix @@ -7,10 +7,11 @@ with config.krebs.lib; ../2configs/zsh.nix ../2configs/mc.nix ../2configs/retiolum.nix + ./backups.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) - (import /root/secrets/hashedPasswords.nix); + (import <secrets/hashedPasswords.nix>); } { users.extraUsers = { @@ -18,7 +19,7 @@ with config.krebs.lib; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey config.krebs.users.lass-uriel.pubkey - config.krebs.users.lass-helios.pubkey + config.krebs.users.lass-shodan.pubkey ]; }; mainUser = { @@ -29,10 +30,12 @@ with config.krebs.lib; createHome = true; useDefaultShell = true; extraGroups = [ + "fuse" ]; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey config.krebs.users.lass-uriel.pubkey + config.krebs.users.lass-shodan.pubkey ]; }; }; @@ -45,7 +48,6 @@ with config.krebs.lib; krebs = { enable = true; search-domain = "retiolum"; - exim-retiolum.enable = true; build = { user = config.krebs.users.lass; source = mapAttrs (_: mkDefault) ({ 
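Review bot: The new `krebs.iptables` rules accept TCP 8010 and 9989 on any interface, whereas `exim-retiolum.nix` in this same merge scopes its accept rule with `-i retiolum`; these ports were previously behind a commented-out `allowedTCPPorts` line, so if the buildbot web UI and slave port are meant for VPN hosts only, `{ predicate = "-i retiolum -p tcp --dport 8010"; target = "ACCEPT"; }` (and likewise for 9989) keeps the exposure where it was. The slave credential `password = "lasspass"` in the context lines is a literal in the repository and mirrors `testslave = "lasspass"` in the master block; not introduced here, but a `# TODO: move to <secrets>` comment while this block is being touched would keep it from being forgotten.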
@@ -54,8 +56,8 @@ with config.krebs.lib; #secrets-common = "/home/lass/secrets/common"; stockholm = "/home/lass/stockholm"; nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "40c586b7ce2c559374df435f46d673baf711c543"; + url = https://github.com/lassulus/nixpkgs; + rev = "f632f8edaf80ffa8bf0b8c9b9064cae3ccbe3894"; dev = "/home/lass/src/nixpkgs"; }; } // optionalAttrs config.krebs.build.host.secure { @@ -85,9 +87,12 @@ with config.krebs.lib; MANPAGER=most ''; + nixpkgs.config.allowUnfree = true; + environment.systemPackages = with pkgs; [ #stockholm git + gnumake jq parallel proot @@ -102,12 +107,20 @@ with config.krebs.lib; #network iptables + iftop #stuff for dl aria2 #neat utils krebspaste + psmisc + untilport + + #unpack stuff + p7zip + unzip + unrar ]; programs.bash = { @@ -145,10 +158,6 @@ with config.krebs.lib; ''; }; - security.setuidPrograms = [ - "sendmail" - ]; - services.openssh = { enable = true; hostKeys = [ @@ -165,6 +174,13 @@ with config.krebs.lib; krebs.iptables = { enable = true; tables = { + nat.PREROUTING.rules = [ + { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } + { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } + ]; + nat.OUTPUT.rules = [ + { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } + ]; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; filter.INPUT.rules = [ diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix index 115cb8b61..3639a743a 100644 --- a/lass/2configs/downloading.nix +++ b/lass/2configs/downloading.nix @@ -3,7 +3,7 @@ with config.krebs.lib; let - rpc-password = import <secrets/transmission-pw.nix>; + rpc-password = import <secrets/transmission-pw>; in { imports = [ ../3modules/folderPerms.nix 
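Review bot: `url = https://github.com/lassulus/nixpkgs;` moves the pinned nixpkgs from the upstream NixOS organisation to a personal fork; the `rev` pin keeps the build reproducible, but nothing records which change the fork carries or when to return to upstream. A comment such as `# fork of NixOS/nixpkgs; drop once <carried change> is upstream` (with the placeholder filled in) would tell the next reader whether the fork is still required.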
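Review bot: The added `nat.PREROUTING` rule sends port 22 arriving on any interface other than `retiolum` to `REDIRECT --to-ports 0` and maps 45621 onto 22 instead, while `services.openssh` in the context still listens on 22; this hides the default port but is not authentication, and nothing in the hunk records the intent, so a comment like `# sshd stays on 22; outside retiolum it is reached via 45621 only, 22 is redirected to port 0 (presumably dropped)` would stop a later reader from "fixing" the rule. The `precedence` values 100 and 99 only matter if both predicates could match one packet, which they cannot since they name different destination ports; a note on how `krebs.iptables` orders rules by `precedence` would help, as that module is outside this diff. `nat.OUTPUT` covers only `-o lo`, so local connections to 45621 work too; worth stating in the same comment.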
@@ -20,6 +20,7 @@ in {
 ];
 openssh.authorizedKeys.keys = [
 config.krebs.users.lass.pubkey
+ config.krebs.users.lass-uriel.pubkey
 ];
 };
diff --git a/lass/2configs/exim-retiolum.nix b/lass/2configs/exim-retiolum.nix
new file mode 100644
index 000000000..c07b6c15a
--- /dev/null
+++ b/lass/2configs/exim-retiolum.nix
@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+ krebs.exim-retiolum.enable = true;
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
+ ];
+}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
new file mode 100644
index 000000000..8199f2bd7
--- /dev/null
+++ b/lass/2configs/exim-smarthost.nix
@@ -0,0 +1,51 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; + +{ + krebs.exim-smarthost = { + enable = true; + dkim = [ + { domain = "lassul.us"; } + ]; + sender_domains = [ + "lassul.us" + "aidsballs.de" + ]; + relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [ + config.krebs.hosts.mors + config.krebs.hosts.uriel + config.krebs.hosts.helios + ]; + internet-aliases = with config.krebs.users; [ + { from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822 + { from = "lass@lassul.us"; to = lass.mail; } + { from = "lassulus@lassul.us"; to = lass.mail; } + { from = "test@lassul.us"; to = lass.mail; } + { from = "outlook@lassul.us"; to = lass.mail; } + { from = "steuer@aidsballs.de"; to = lass.mail; } + { from = "lass@aidsballs.de"; to = lass.mail; } + { from = "wordpress@ubikmedia.de"; to = lass.mail; } + { from = "finanzamt@lassul.us"; to = lass.mail; } + { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; } + ]; + system-aliases = [ + { from = "mailer-daemon"; to = "postmaster"; } + { from = "postmaster"; to = "root"; } + { from = "nobody"; to = "root"; } + { from = "hostmaster"; to = "root"; } + { from = "usenet"; to = "root"; } + { from = "news"; to = "root"; } + { from = "webmaster"; to = "root"; } + { from = "www"; to = "root"; } + { from = "ftp"; to = "root"; } + { from = "abuse"; to = "root"; } + { from = "noc"; to = "root"; } + { from = "security"; to = "root"; } + { from = "root"; to = "lass"; } + ]; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } + ]; +} diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix deleted file mode 100644 index bf6ea8952..000000000 --- a/lass/2configs/fastpoke-pages.nix +++ /dev/null 
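Review bot: `sender_domains` lists both `lassul.us` and `aidsballs.de`, but `dkim` contains only `{ domain = "lassul.us"; }`, so mail for the second domain presumably leaves unsigned; either add `{ domain = "aidsballs.de"; }` or a comment stating that no DKIM key is published for it. `relay_from_hosts` trusts three hosts by their retiolum IPv4 address while the `krebs.iptables` accept rule for smtp is interface-agnostic, as an internet-facing smarthost needs; a comment noting that relay trust is address-based and the listed hosts must stay inside the VPN would make the boundary explicit. The `dominik@apanowicz.de` alias forwards to an external domain (`dma@ubikmedia.eu`) unlike the others, which deliver to `lass.mail`; a one-line reason next to it would help.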
@@ -1,101 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; - -let - createStaticPage = domain: - { - krebs.nginx.servers."${domain}" = { - server-names = [ - "${domain}" - "www.${domain}" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/${domain}; - '') - ]; - }; - #networking.extraHosts = '' - # 10.243.206.102 ${domain} - #''; - users.extraUsers = { - ${domain} = { - name = domain; - home = "/var/lib/http/${domain}"; - createHome = true; - }; - }; - }; - -in { - imports = map createStaticPage [ - "habsys.de" - "pixelpocket.de" - "karlaskop.de" - "ubikmedia.de" - "apanowicz.de" - ]; - - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport http"; target = "ACCEPT"; } - ]; - }; - }; - - - krebs.nginx = { - enable = true; - servers = { - #"habsys.de" = { - # server-names = [ - # "habsys.de" - # "www.habsys.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/habsys.de; - # '') - # ]; - #}; - - #"karlaskop.de" = { - # server-names = [ - # "karlaskop.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - #"pixelpocket.de" = { - # server-names = [ - # "pixelpocket.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - }; - }; - - #services.postgresql = { - # enable = true; - #}; - - #config.services.vsftpd = { - # enable = true; - # userlistEnable = true; - # userlistFile = pkgs.writeFile "vsftpd-userlist" '' - # ''; - #}; -} diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix index 9c27706cb..f3b65e816 100644 --- a/lass/2configs/fetchWallpaper.nix +++ b/lass/2configs/fetchWallpaper.nix @@ -5,7 +5,7 @@ let in { krebs.fetchWallpaper = { enable = true; - url = "echelon/wallpaper.png"; + url = "cloudkrebs/wallpaper.png"; }; } 
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 6043a8759..0eec97922 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -13,7 +13,7 @@ in { name = "games"; description = "user playing games"; home = "/home/games"; - extraGroups = [ "audio" "video" "input" ]; + extraGroups = [ "audio" "video" "input" "loot" ]; createHome = true; useDefaultShell = true; }; diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 0aab298c7..aac3f6e02 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -35,6 +35,10 @@ let newsbot-js = {}; kimsufi-check = {}; realwallpaper = {}; + xmonad-stockholm = {}; + the_playlist = {}; + } // mapAttrs make-public-repo-silent { + the_playlist = {}; }; restricted-repos = mapAttrs make-restricted-repo ( @@ -62,6 +66,11 @@ let }; }; + make-public-repo-silent = name: { desc ? null, ... }: { + inherit name desc; + public = true; + }; + make-restricted-repo = name: { collaborators ? [], desc ? null, ... }: { inherit name collaborators desc; public = false; diff --git a/lass/2configs/krebs-pass.nix b/lass/2configs/krebs-pass.nix new file mode 100644 index 000000000..a605bc84b --- /dev/null +++ b/lass/2configs/krebs-pass.nix @@ -0,0 +1,21 @@ +{ pkgs, ... }: + +let + + #TODO: tab-completion + krebs-pass = pkgs.writeDashBin "krebs-pass" '' + PASSWORD_STORE_DIR=$HOME/.krebs-pass \ + exec ${pkgs.pass}/bin/pass $@ + ''; + + krebs-passmenu = pkgs.writeDashBin "krebs-passmenu" '' + PASSWORD_STORE_DIR=$HOME/.krebs-pass \ + exec ${pkgs.pass}/bin/passmenu $@ + ''; + +in { + krebs.per-user.lass.packages = [ + krebs-pass + krebs-passmenu + ]; +} diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix new file mode 100644 index 000000000..72d6f987f --- /dev/null +++ b/lass/2configs/mail.nix 
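Review bot: `the_playlist = {};` appears in the first set and again in the appended `mapAttrs make-public-repo-silent { the_playlist = {}; }`; because `//` lets the right operand win, the first entry is dead and the repo ends up with the silent variant, so remove the first `the_playlist = {};` or add a comment saying the override is deliberate. The first set is presumably mapped with a non-silent helper above the hunk, but that part of the attribute set and the `let` enclosing it start outside the hunk.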
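Review bot: Both wrappers pass their arguments as bare `$@`, so an argument containing whitespace is re-split before it reaches `pass`; `mpv.nix` in this same merge uses the correct `"$@"`, and the `msmtp` and `mutt` wrappers in `mail.nix` share the unquoted form, so all four should read like `exec ${pkgs.pass}/bin/pass "$@"`. The `#TODO: tab-completion` comment could name what is missing (a completion definition for the `krebs-pass` command name) so it is actionable.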
@@ -0,0 +1,110 @@ +{ pkgs, ... }: + +let + + msmtprc = pkgs.writeText "msmtprc" '' + defaults + logfile ~/.msmtp.log + account prism + host prism.r + account default: prism + ''; + + msmtp = pkgs.writeDashBin "msmtp" '' + exec ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@ + ''; + + muttrc = pkgs.writeText "muttrc" '' + # gpg + source ${pkgs.mutt-kz}/share/doc/mutt-kz/samples/gpg.rc + set pgp_use_gpg_agent = yes + set pgp_sign_as = 0x976A7E4D + set crypt_autosign = yes + set crypt_replyencrypt = yes + set crypt_verify_sig = yes + set pgp_verify_command = "gpg --no-verbose --batch --output - --verify %s %f" + + macro index \Cv \ + "<enter-command> set my_crypt_verify_sig=\$crypt_verify_sig<enter> \ + <enter-command> set crypt_verify_sig=yes<enter> \ + <display-message><enter-command> set crypt_verify_sig=\$my_crypt_verify_sig<enter>" \ + 'Verify PGP signature and open the message' + + macro pager \Cv \ + "<exit><enter-command> set my_crypt_verify_sig=\$crypt_verify_sig<enter> \ + <enter-command> set crypt_verify_sig=yes<enter> \ + <display-message><enter-command> set crypt_verify_sig=\$my_crypt_verify_sig<enter>" \ + 'Verify PGP signature' + + + # notmuch + set nm_default_uri="notmuch://$HOME/Maildir" # path to the maildir + set nm_record = yes + set nm_record_tags = "-inbox me archive" + set virtual_spoolfile=yes # enable virtual folders + set sendmail="msmtp" # enables parsing of outgoing mail + set use_from=yes + set envelope_from=yes + + set index_format="%4C %Z %?GI?%GI& ? %[%d/%b] %-16.15F %?M?(%3M)& ? %s %> %?g?%g?" 
+ + virtual-mailboxes \ + "INBOX" "notmuch://?query=tag:inbox and NOT tag:killed"\ + "Unread" "notmuch://?query=tag:unread"\ + "TODO" "notmuch://?query=tag:TODO"\ + "Starred" "notmuch://?query=tag:*"\ + "Archive" "notmuch://?query=tag:archive"\ + "Sent" "notmuch://?query=tag:sent"\ + "Junk" "notmuch://?query=tag:junk" + + tag-transforms "junk" "k" \ + "unread" "u" \ + "replied" "↻" \ + "TODO" "T" \ + + # notmuch bindings + macro index \\\\ "<vfolder-from-query>" # looks up a hand made query + macro index A "<modify-labels>+archive -unread -inbox\n" # tag as Archived + macro index + "<modify-labels>+*\n<sync-mailbox>" # tag as starred + macro index - "<modify-labels>-*\n<sync-mailbox>" # tag as unstarred + + + #killed + bind index d noop + bind pager d noop + + bind pager S noop + macro index S "<modify-labels-then-hide>-inbox -unread +junk\n" # tag as Junk mail + macro pager S "<modify-labels-then-hide>-inbox -unread +junk\n" # tag as Junk mail + + bind index t noop + bind pager t noop + macro index t "<modify-labels>+TODO\n" # tag as Archived + + + # sidebar + set sidebar_width = 20 + set sidebar_visible = yes # set to "no" to disable sidebar view at startup + color sidebar_new yellow default + # sidebar bindings + bind index <left> sidebar-prev # got to previous folder in sidebar + bind index <right> sidebar-next # got to next folder in sidebar + bind index <space> sidebar-open # open selected folder from sidebar + # sidebar toggle + macro index ,@) "<enter-command> set sidebar_visible=no; macro index ~ ,@( 'Toggle sidebar'<Enter>" + macro index ,@( "<enter-command> set sidebar_visible=yes; macro index ~ ,@) 'Toggle sidebar'<Enter>" + macro index ~ ,@( 'Toggle sidebar' # toggle the sidebar + ''; + + mutt = pkgs.writeDashBin "mutt" '' + exec ${pkgs.mutt-kz}/bin/mutt -F ${muttrc} $@ + ''; + +in { + environment.systemPackages = [ + msmtp + mutt + pkgs.much + pkgs.notmuch + ]; +} 
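Review bot: The `msmtprc` account block sets `host prism.r` with no `tls` or `auth` directive, so unless msmtp's defaults or the path to `prism.r` (presumably the retiolum VPN) cover it, submission runs in clear; a comment such as `# prism.r is reached over retiolum only; no TLS on purpose` would document that decision. In the muttrc, `macro index t "<modify-labels>+TODO\n" # tag as Archived` carries a comment copied from the `A` macro and should read `# tag as TODO`. Comments inside the Nix indented string are part of the generated muttrc, so that fix is to the string text, not a Nix comment.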
diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix new file mode 100644 index 000000000..ff5698e4e --- /dev/null +++ b/lass/2configs/mpv.nix @@ -0,0 +1,49 @@ +{ pkgs, lib, ... }: + +let + + mpv-config = pkgs.writeText "mpv-config" '' + script=${lib.concatStringsSep "," [ + good + delete + ]} + ''; + mpv = pkgs.writeDashBin "mpv" '' + exec ${pkgs.mpv}/bin/mpv --no-config --include=${mpv-config} "$@" + ''; + + moveToDir = key: dir: pkgs.writeText "move-with-${key}.lua" '' + tmp_dir = "${dir}" + + function move_current_track_${key}() + track = mp.get_property("path") + os.execute("mkdir -p '" .. tmp_dir .. "'") + os.execute("mv '" .. track .. "' '" .. tmp_dir .. "'") + print("moved '" .. track .. "' to " .. tmp_dir) + end + + mp.add_key_binding("${key}", "move_current_track_${key}", move_current_track_${key}) + ''; + + good = moveToDir "G" "./.good"; + delete = moveToDir "D" "./.graveyard"; + + deleteCurrentTrack = pkgs.writeText "delete.lua" '' + deleted_tmp = "./.graveyard" + + -- Delete the current track by moving it to the `deleted_tmp` location. + function delete_current_track() + track = mp.get_property("path") + os.execute("mkdir -p '" .. deleted_tmp .. "'") + os.execute("mv '" .. track .. "' '" .. deleted_tmp .. "'") + print("'" .. track .. "' deleted.") + end + + mp.add_key_binding("D", "delete_current_track", delete_current_track) + ''; + +in { + krebs.per-user.lass.packages = [ + mpv + ]; +} diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix index d7c68bd7d..636b44395 100644 --- a/lass/2configs/newsbot-js.nix +++ b/lass/2configs/newsbot-js.nix 
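Review bot: In `moveToDir` the Lua script builds shell commands by concatenating the current track's path, `os.execute("mv '" .. track .. "' '" .. tmp_dir .. "'")`, so a file name containing a single quote breaks the quoting and the remainder runs as shell; the files this player opens are likely downloaded content, so their names are not trusted input. Use mpv's argument-vector API instead of a shell string: `local utils = require "mp.utils"` once at the top, then `utils.subprocess({ args = { "mkdir", "-p", tmp_dir } })` and `utils.subprocess({ args = { "mv", "--", track, tmp_dir } })`. Separately, `deleteCurrentTrack` is defined but not included in the `script=` list, while `delete = moveToDir "D" "./.graveyard"` already binds `D` to the same action, so the unused definition can be removed.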
@@ -154,7 +154,6 @@ let
 telepolis|http://www.heise.de/tp/rss/news-atom.xml|#news
 the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#news
 tigsource|http://www.tigsource.com/feed/|#news
- times|http://www.thetimes.co.uk/tto/news/rss|#news
 tinc|http://tinc-vpn.org/news/index.rss|#news
 topix_b|http://www.topix.com/rss/wire/de/berlin|#news
 torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#news
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
index 33eca0a17..5bd2f2f7f 100644
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@@ -1,10 +1,9 @@
 { config, pkgs, ... }:
 {
- environment.systemPackages = with pkgs; [
+ krebs.per-user.lass.packages = with pkgs; [
 pass
 gnupg1
 ];
- services.xserver.startGnuPGAgent = true;
 }
diff --git a/lass/2configs/programs.nix b/lass/2configs/programs.nix
index e4840383f..6cf23deaf 100644
--- a/lass/2configs/programs.nix
+++ b/lass/2configs/programs.nix
@@ -8,7 +8,6 @@
 htop
 i3lock
 mosh
- mpv
 pass
 pavucontrol
 pv
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
new file mode 100644
index 000000000..17be327b9
--- /dev/null
+++ b/lass/2configs/radio.nix
@@ -0,0 +1,195 @@ +{ config, pkgs, ... }: + +with config.krebs.lib; + +let + name = "radio"; + mainUser = config.users.extraUsers.mainUser; + inherit (config.krebs.lib) genid; + + admin-password = import <secrets/icecast-admin-pw>; + source-password = import <secrets/icecast-source-pw>; + + add_random = pkgs.writeDashBin "add_random" '' + mpc add "$(mpc ls | shuf -n1)" + ''; + + skip_track = pkgs.writeDashBin "skip_track" '' + ${add_random}/bin/add_random + echo skipping: "$(${print_current}/bin/print_current)" + ${pkgs.mpc_cli}/bin/mpc -q next + ''; + + print_current = pkgs.writeDashBin "print_current" '' + echo "$(${pkgs.mpc_cli}/bin/mpc current -f %file%) \ + $(${pkgs.mpc_cli}/bin/mpc current -f %file% \ + | ${pkgs.gnused}/bin/sed 's@.*\(.\{11\}\)\.ogg@http://www.youtube.com/watch?v=\1@')" + ''; + +in { + users.users = { + "${name}" = rec { + inherit name; + group = name; + uid = genid name; + description = "radio manager"; + home = "/home/${name}"; + useDefaultShell = true; + createHome = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + }; + + users.groups = { + "radio" = {}; + }; + + krebs.per-user.${name}.packages = with pkgs; [ + add_random + skip_track + print_current + ncmpcpp + mpc_cli + tmux + ]; + + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(${name}) NOPASSWD: ALL + ''; + + services.mpd = { + enable = true; + group = "radio"; + musicDirectory = "/home/radio/the_playlist/music"; + extraConfig = '' + audio_output { + type "shout" + encoding "ogg" + name "my cool stream" + host "localhost" + port "8000" + mount "/radio.ogg" + + # This is the source password in icecast.xml + password "${source-password}" + + # Set either quality or bit rate + # quality "5.0" + bitrate "128" + + format "44100:16:1" + + # Optional Parameters + user "source" + # description "here is my long description" + # genre "jazz" + } # end of audio_output + + ''; + }; + + services.icecast = { + enable = true; + hostname = 
"config.krebs.build.host.name"; + admin.password = admin-password; + extraConf = '' + <authentication> + <source-password>${source-password}</source-password> + </authentication> + ''; + }; + + krebs.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; } + ]; + }; + }; + + systemd.timers.radio = { + description = "radio autoadder timer"; + wantedBy = [ "timers.target" ]; + + timerConfig = { + OnCalendar = "*:*"; + }; + }; + + systemd.services.radio = let + autoAdd = pkgs.writeDash "autoAdd" '' + LIMIT=$1 #in secconds + + timeLeft () { + playlistDuration=$(mpc --format '%time%' playlist | awk -F ':' 'BEGIN{t=0} {t+=$1*60+$2} END{print t}') + currentTime=$(mpc status | awk '/^\[playing\]/ { sub(/\/.+/,"",$3); split($3,a,/:/); print a[1]*60+a[2] }') + expr ''${playlistDuration:-0} - ''${currentTime:-0} + } + + if test $(timeLeft) -le $LIMIT; then + ${add_random}/bin/add_random + fi + ''; + in { + description = "radio playlist autoadder"; + after = [ "network.target" ]; + + path = with pkgs; [ + gawk + mpc_cli + ]; + + restartIfChanged = true; + + serviceConfig = { + Restart = "always"; + ExecStart = "${autoAdd} 100"; + }; + }; + + krebs.Reaktor = { + enable = true; + nickname = "the_playlist|r"; + channels = [ "#the_playlist" ]; + extraEnviron = { + REAKTOR_HOST = "irc.freenode.org"; + }; + plugins = with pkgs.ReaktorPlugins; [ + (buildSimpleReaktorPlugin "skip" { + script = "${skip_track}/bin/skip_track"; + pattern = "^skip$"; + }) + (buildSimpleReaktorPlugin "current" { + script = "${print_current}/bin/print_current"; + pattern = "^current$"; + }) + ]; + }; + krebs.nginx.servers."lassul.us".locations = let + html = pkgs.writeText "index.html" '' + <!DOCTYPE html> + <html lang="en"> + <head> + <meta charset="utf-8"> + <title>lassulus playlist</title> + </head> + <body> + <div style="display:inline-block;margin:0px;padding:0px;overflow:hidden"> + <iframe 
src="https://kiwiirc.com/client/irc.freenode.org/?nick=kiwi_test|?&theme=cli#the_playlist" frameborder="0" style="overflow:hidden;overflow-x:hidden;overflow-y:hidden;height:95%;width:100%;position:absolute;top:0px;left:0px;right:0px;bottom:0px" height="95%" width="100%"></iframe> + </div> + <div style="position:absolute;bottom:1px;display:inline-block;background-color:red;"> + <audio controls autoplay="autoplay"><source src="http://lassul.us:8000/radio.ogg" type="audio/ogg">Your browser does not support the audio element.</audio> + </div> + <!-- page content --> + </body> + </html> + ''; + in [ + (nameValuePair "/the_playlist" '' + default_type "text/html"; + alias ${html}; + '') + ]; +} diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix index b40227c61..8295d9d49 100644 --- a/lass/2configs/vim.nix +++ b/lass/2configs/vim.nix @@ -147,13 +147,8 @@ in { vimrcConfig.vam.pluginDictionaries = [ { names = [ "brogrammer" - "commentary" - "extradite" "file-line" - "fugitive" "Gundo" - "mustang2" - "unimpaired" ]; } { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; } ]; diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 109c216c0..45d09c3b9 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
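Review bot: `hostname = "config.krebs.build.host.name";` is a quoted string, so icecast is told its hostname is literally that text rather than the host's name; it should be `hostname = config.krebs.build.host.name;`. `source-password` and `admin-password` are read from `<secrets/...>` but then interpolated into `services.mpd.extraConfig`, `services.icecast.extraConf` and `admin.password`, which the NixOS modules write into generated configuration; if those files land in the world-readable Nix store the passwords are readable by every local user, so a comment acknowledging this (or a runtime-loaded credentials file) is warranted. The `skip` and `current` Reaktor plugins fire on any `^skip$`/`^current$` message in `#the_playlist`, which is presumably intended for a public stream; a comment stating that anyone in the channel may skip tracks makes that trust assumption explicit, and `#in secconds` in `autoAdd` is a typo for `seconds`.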
@@ -1,35 +1,73 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; }) + genid + ; + inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) + ssl + servePage + serveOwncloud + serveWordpress; + + msmtprc = pkgs.writeText "msmtprc" '' + account prism + host localhost + account default: prism + ''; + + sendmail = pkgs.writeDash "msmtp" '' + exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@" + ''; + +in { imports = [ - ../../3modules/static_nginx.nix - ../../3modules/owncloud_nginx.nix - ../../3modules/wordpress_nginx.nix - ]; + ./sqlBackup.nix + (ssl [ "reich-gebaeudereinigung.de" ]) + (servePage [ "reich-gebaeudereinigung.de" ]) - lass.staticPage = { - "karlaskop.de" = {}; - "makeup.apanowicz.de" = {}; - "pixelpocket.de" = {}; - "reich-gebaeudereinigung.de" = {}; - }; + (ssl [ "karlaskop.de" ]) + (servePage [ "karlaskop.de" ]) - lass.owncloud = { - "o.ubikmedia.de" = { - instanceid = "oc8n8ddbftgh"; - }; - }; + (ssl [ "makeup.apanowicz.de" ]) + (servePage [ "makeup.apanowicz.de" ]) - services.mysql = { - enable = true; - package = pkgs.mariadb; - rootPassword = toString (<secrets/mysql_rootPassword>); - }; + (ssl [ "pixelpocket.de" ]) + (servePage [ "pixelpocket.de" ]) - #lass.wordpress = { - # "ubikmedia.de" = { - # }; - #}; + (ssl [ "o.ubikmedia.de" ]) + (serveOwncloud [ "o.ubikmedia.de" ]) + + (ssl [ "ubikmedia.de" "aldona.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ]) + (serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ]) + ]; + + lass.mysqlBackup.config.all.databases = [ + "ubikmedia_de" + "o_ubikmedia_de" + ]; + + users.users.domsen = { + uid = genid "domsen"; + description = "maintenance acc for domsen"; + home = "/home/domsen"; + useDefaultShell = true; + extraGroups = [ "nginx" ]; + createHome = 
true; + }; + #services.phpfpm.phpOptions = '' + # extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so + # sendmail_path = ${sendmail} -t + #''; + services.phpfpm.phpIni = pkgs.runCommand "php.ini" { + options = '' + extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so + sendmail_path = ${sendmail} -t -i" + ''; + } '' + cat ${pkgs.php}/etc/php-recommended.ini > $out + echo "$options" >> $out + ''; } diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 073f3de14..63efbecb6 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix 
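Review bot: The `options` string that is appended to php.ini carries a stray closing quote in `sendmail_path = ${sendmail} -t -i"`, so the generated ini line ends in `-i"` and that quote becomes part of the sendmail command; it should read `sendmail_path = ${sendmail} -t -i`. The commented-out `services.phpfpm.phpOptions` block just above repeats the same two settings and can be dropped now that `phpIni` is derived from php-recommended.ini. The `domsen` maintenance account is added to the `nginx` group, which presumably shares whatever the group can read or write under the document roots; a one-line comment stating that this is intended (`# member of nginx so domsen can maintain the site trees`) would make the grant easier to audit later.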
@@ -1,33 +1,54 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; }) + genid + head + nameValuePair + ; + inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) + ssl + servePage + serveWordpress + ; +in { imports = [ - ../../3modules/static_nginx.nix - ../../3modules/owncloud_nginx.nix - ../../3modules/wordpress_nginx.nix + ./sqlBackup.nix + (ssl [ "biostase.de" "www.biostase.de" ]) + (serveWordpress [ "biostase.de" "www.biostase.de" ]) + + (ssl [ "radical-dreamers.de" "www.radical-dreamers.de" ]) + (serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ]) + + (ssl [ "gs-maubach.de" "www.gs-maubach.de" ]) + (serveWordpress [ "gs-maubach.de" "www.gs-maubach.de" ]) + + (ssl [ "spielwaren-kern.de" "www.spielwaren-kern.de" ]) + (serveWordpress [ "spielwaren-kern.de" "www.spielwaren-kern.de" ]) + + (ssl [ "familienpraxis-korntal.de" "www.familienpraxis-korntal.de" ]) + (servePage [ "familienpraxis-korntal.de" "www.familienpraxis-korntal.de" ]) + + (ssl [ "ttf-kleinaspach.de" "www.ttf-kleinaspach.de" ]) + (serveWordpress [ "ttf-kleinaspach.de" "www.ttf-kleinaspach.de" ]) + + (ssl [ "eastuttgart.de" "www.eastuttgart.de" ]) + (serveWordpress [ "eastuttgart.de" "www.eastuttgart.de" ]) + + (ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ]) + (servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ]) ]; - lass.staticPage = { - "biostase.de" = {}; - "gs-maubach.de" = {}; - "spielwaren-kern.de" = {}; - "societyofsimtech.de" = {}; - "ttf-kleinaspach.de" = {}; - "edsn.de" = {}; - "eab.berkeley.edu" = {}; - "habsys.de" = {}; - }; - - #lass.owncloud = { - # "o.ubikmedia.de" = { - # instanceid = "oc8n8ddbftgh"; - # }; - #}; - - #services.mysql = { - # enable = true; - # package = pkgs.mariadb; - # rootPassword = toString (<secrets/mysql_rootPassword>); - #}; + lass.mysqlBackup.config.all.databases = [ + "biostase_de" + "eastuttgart_de" + 
"radical_dreamers_de" + "spielwaren_kern_de" + "ttf_kleinaspach_de" + ]; + + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.fritz.pubkey + ]; } diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix new file mode 100644 index 000000000..7cb4b320e --- /dev/null +++ b/lass/2configs/websites/sqlBackup.nix @@ -0,0 +1,28 @@ +{ config, lib, pkgs, ... }: + +{ + krebs.secret.files.mysql_rootPassword = { + path = "${config.services.mysql.dataDir}/mysql_rootPassword"; + owner.name = "root"; + source-path = toString <secrets> + "/mysql_rootPassword"; + }; + + services.mysql = { + enable = true; + package = pkgs.mariadb; + rootPassword = config.krebs.secret.files.mysql_rootPassword.path; + }; + + systemd.services.mysql = { + requires = [ "secret.service" ]; + after = [ "secret.service" ]; + }; + + lass.mysqlBackup = { + enable = true; + config.all = { + password = toString (<secrets/mysql_rootPassword>); + }; + }; +} + diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix new file mode 100644 index 000000000..330d8ba86 --- /dev/null +++ b/lass/2configs/websites/util.nix 
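Review bot: `users.users.root.openssh.authorizedKeys.keys` now authorizes `config.krebs.users.fritz.pubkey` for direct root login on this host, which is a broader grant than the sibling site in this merge (domsen.nix creates a dedicated unprivileged maintenance user in the `nginx` group instead of touching root). If fritz only needs to maintain the WordPress document roots, a `users.users.fritz` account with `extraGroups = [ "nginx" ]` and the key under that user would follow the same pattern and keep root's authorized_keys limited to the operator. If root access is intended, a short comment next to the list (`# fritz administers this host; root login is intended`) would record that decision.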
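Review bot: `lass.mysqlBackup.config.all.password = toString (<secrets/mysql_rootPassword>);` evaluates to the path string of the secrets file on the evaluating machine, not to its contents, while `services.mysql.rootPassword` a few lines up points at the copy that `krebs.secret.files.mysql_rootPassword` deploys into `${config.services.mysql.dataDir}`. If the backup module expects a file path, reusing `config.krebs.secret.files.mysql_rootPassword.path` would make both consumers read the same deployed file; if it expects the literal password, the value cannot work as written. The mysql unit is ordered after `secret.service`, but nothing here sets the mode of the deployed secret file — presumably the `krebs.secret` default restricts it to the owner, which is worth confirming.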
@@ -0,0 +1,229 @@ +{ lib, pkgs, ... }: + +with lib; + +rec { + + manageCerts = domains: + let + domain = head domains; + in { + security.acme = { + certs."${domain}" = { + email = "lassulus@gmail.com"; + webroot = "/var/lib/acme/challenges/${domain}"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + ]; + group = "nginx"; + allowKeysForGroup = true; + extraDomains = genAttrs domains (_: null); + }; + }; + + krebs.nginx.servers."${domain}" = { + server-names = domains; + locations = [ + (nameValuePair "/.well-known/acme-challenge" '' + root /var/lib/acme/challenges/${domain}/; + '') + ]; + }; + }; + + ssl = domains: + { + imports = [ + ( manageCerts domains ) + ( activateACME (head domains) ) + ]; + }; + + activateACME = domain: + { + krebs.nginx.servers.${domain} = { + ssl = { + enable = true; + certificate = "/var/lib/acme/${domain}/fullchain.pem"; + certificate_key = "/var/lib/acme/${domain}/key.pem"; + }; + }; + }; + + servePage = domains: + let + domain = head domains; + in { + krebs.nginx.servers.${domain} = { + server-names = domains; + locations = [ + (nameValuePair "/" '' + root /srv/http/${domain}; + '') + ]; + }; + }; + + serveOwncloud = domains: + let + domain = head domains; + in { + krebs.nginx.servers."${domain}" = { + server-names = domains; + extraConfig = '' + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + + # Path to the root of your installation + root /srv/http/${domain}/; + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + # Disable gzip to avoid the removal of the ETag header + gzip off; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + index index.php; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + + rewrite ^/.well-known/carddav /remote.php/carddav/ permanent; + rewrite ^/.well-known/caldav /remote.php/caldav/ permanent; + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + ''; + locations = [ + (nameValuePair "/robots.txt" '' + allow all; + log_not_found off; + access_log off; + '') + (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" '' + deny all; + '') + + (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" '' + deny all; + '') + + (nameValuePair "/" '' + rewrite ^/remote/(.*) /remote.php last; + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + try_files $uri $uri/ =404; + '') + + (nameValuePair "~ \.php(?:$|/)" '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + fastcgi_intercept_errors on; + '') + + # Adding the cache control header for js and css files + # Make sure it is BELOW the location ~ \.php(?:$|/) { block + (nameValuePair "~* \.(?:css|js)$" '' + add_header Cache-Control "public, max-age=7200"; + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + # Optional: Don't log access to assets + access_log off; + '') + + # 
Optional: Don't log access to other assets + (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" '' + access_log off; + '') + ]; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = nginx + listen.group = nginx + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + + serveWordpress = domains: + let + domain = head domains; + + in { + krebs.nginx.servers."${domain}" = { + server-names = domains; + extraConfig = '' + root /srv/http/${domain}/; + index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + ''; + locations = [ + (nameValuePair "/" '' + try_files $uri $uri/ /index.php?$args; + '') + (nameValuePair "~ \.php$" '' + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + include ${pkgs.nginx}/conf/fastcgi.conf; + '') + #(nameValuePair "~ /\\." '' + # deny all; + #'') + #Directives to send expires headers and turn off 404 error logging. + (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' + access_log off; + log_not_found off; + expires max; + '') + ]; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = nginx + listen.group = nginx + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + +} 
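Review bot: In `serveWordpress` the location that would `deny all` for dotfiles is left commented out, so anything under `/srv/http/${domain}/` whose name starts with a dot is served by the catch-all `/` location; re-enabling `(nameValuePair "~ /\\." '' deny all; '')` is the usual fix. The `~ \.php$` location passes every matching URI to PHP-FPM with no `try_files $uri =404;` before `fastcgi_pass`, so with PHP's default `cgi.fix_pathinfo` PHP-FPM may be handed a non-script file that merely precedes a `.php` path suffix; adding that one guard line closes the well-known pitfall (the `serveOwncloud` block follows the upstream owncloud template and is a separate case). `access_log /tmp/nginx_acc.log; error_log /tmp/nginx_err.log;` writes logs into the world-writable `/tmp`, where `/var/log/nginx/` or the journal would be the conventional place. The whole file is present in the hunk.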
diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix index ac784d4c7..fb1a58109 100644 --- a/lass/2configs/websites/wohnprojekt-rhh.de.nix +++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix @@ -1,14 +1,19 @@ -{ config, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; }) + genid + ; + inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) + ssl + servePage + ; +in { imports = [ - ../../3modules/static_nginx.nix + ( ssl [ "wohnprojekt-rhh.de" ]) + ( servePage [ "wohnprojekt-rhh.de" ]) ]; - lass.staticPage = { - "wohnprojekt-rhh.de" = {}; - }; - users.users.laura = { home = "/srv/http/wohnprojekt-rhh.de"; createHome = true; diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix index 98f5df42a..5e14871ac 100644 --- a/lass/2configs/weechat.nix +++ b/lass/2configs/weechat.nix @@ -16,6 +16,7 @@ in { createHome = true; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey + config.krebs.users.lass-shodan.pubkey ]; }; diff --git a/lass/2configs/xserver/default.nix b/lass/2configs/xserver/default.nix index 30afd787e..80c947a7b 100644 --- a/lass/2configs/xserver/default.nix +++ b/lass/2configs/xserver/default.nix @@ -40,8 +40,8 @@ let }; }; - security.setuidPrograms = [ - "slock" + krebs.per-user.lass.packages = [ + pkgs.rxvt_unicode_with-plugins ]; systemd.services.display-manager.enable = false; @@ -52,7 +52,7 @@ let wantedBy = [ "multi-user.target" ]; requires = [ "xserver.service" ]; environment = xmonad-environment; - restartIfChanged = false; + restartIfChanged = true; serviceConfig = { ExecStart = "${xmonad-start}/bin/xmonad"; ExecStop = "${xmonad-stop}/bin/xmonad-stop"; @@ -82,12 +82,7 @@ let # XXX JSON is close enough :) XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [ - "cr" - "gm" - "ff" - "IM" - "mail" - "stockholm" + "dashboard" ]); }; 
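Review bot: The `@@ -40` hunk removes `slock` from `security.setuidPrograms` while the `@@ -96` hunk adds `pkgs.i3lock` to the xmonad-start PATH, but nothing in this diff registers a PAM service for i3lock, and the PATH still ends in `:/var/setuid-wrappers`; whether i3lock can authenticate without further configuration is not visible here. A locker that fails to start or cannot unlock leaves the session either unprotected or stuck, so it is worth confirming on the host that locking works after this change. A comment beside the PATH entry (`# i3lock replaces the slock setuid wrapper`) would document the swap.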
@@ -96,6 +91,9 @@ let set -efu export PATH; PATH=${makeSearchPath "bin" ([ pkgs.rxvt_unicode + pkgs.i3lock + pkgs.pulseaudioLight + pkgs.xorg.xbacklight ] ++ config.environment.systemPackages)}:/var/setuid-wrappers settle() {( # Use PATH for a clean journal @@ -114,7 +112,8 @@ let xmonad-stop = pkgs.writeScriptBin "xmonad-stop" '' #! /bin/sh - exec ${pkgs.xmonad-lass}/bin/xmonad --shutdown + ${pkgs.xmonad-lass}/bin/xmonad --shutdown + ${pkgs.coreutils}/bin/sleep 2s ''; xserver-environment = { @@ -128,7 +127,7 @@ let xserver = pkgs.writeScriptBin "xserver" '' #! /bin/sh set -efu - exec ${pkgs.xorg.xorgserver}/bin/X \ + exec ${pkgs.xorg.xorgserver.out}/bin/X \ :${toString config.services.xserver.display} \ vt${toString config.services.xserver.tty} \ -config ${import ./xserver.conf.nix args} \ |
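Review bot: `xmonad-stop` now runs `${pkgs.xmonad-lass}/bin/xmonad --shutdown` followed by `${pkgs.coreutils}/bin/sleep 2s` under a bare `#! /bin/sh`, so a failing `--shutdown` is masked and the script still exits 0 after the sleep. The other scripts in this file (`xmonad-start`, `xserver`) open with `set -efu`; adding the same line right after the shebang keeps the failure visible to systemd as `ExecStop` output. The enclosing `let` block lies outside the hunk.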