-rw-r--r--krebs/3modules/exim-retiolum.nix2
-rw-r--r--krebs/3modules/makefu/default.nix13
-rw-r--r--krebs/3modules/retiolum-bootstrap.nix4
-rw-r--r--krebs/3modules/retiolum.nix336
-rw-r--r--krebs/3modules/tinc_graphs.nix2
-rw-r--r--krebs/5pkgs/fortclientsslvpn/default.nix5
-rw-r--r--lass/1systems/prism.nix2
-rw-r--r--lass/2configs/audit.nix9
-rw-r--r--lass/2configs/buildbot-standalone.nix8
-rw-r--r--lass/2configs/default.nix11
-rw-r--r--lass/2configs/downloading.nix14
-rw-r--r--lass/2configs/exim-smarthost.nix1
-rw-r--r--lass/2configs/nixpkgs.nix4
-rw-r--r--lass/2configs/repo-sync.nix3
-rw-r--r--lass/2configs/retiolum.nix2
-rw-r--r--lass/2configs/websites/domsen.nix43
-rw-r--r--lass/2configs/websites/fritz.nix14
-rw-r--r--makefu/1systems/darth.nix2
-rw-r--r--makefu/1systems/filepimp.nix2
-rw-r--r--makefu/1systems/gum.nix4
-rw-r--r--makefu/1systems/omo.nix2
-rw-r--r--makefu/1systems/pnp.nix5
-rw-r--r--makefu/1systems/pornocauster.nix10
-rw-r--r--makefu/1systems/repunit.nix9
-rw-r--r--makefu/1systems/shoney.nix5
-rw-r--r--makefu/1systems/tsp.nix2
-rw-r--r--makefu/1systems/vbob.nix19
-rw-r--r--makefu/1systems/wbob.nix14
-rw-r--r--makefu/1systems/wry.nix3
-rw-r--r--makefu/2configs/bepasty-dual.nix33
-rw-r--r--makefu/2configs/default.nix11
-rw-r--r--makefu/2configs/hw/tp-x220.nix3
-rw-r--r--makefu/2configs/temp/share-samba.nix36
-rw-r--r--makefu/2configs/tinc/retiolum.nix4
-rw-r--r--makefu/2configs/virtualization-virtualbox.nix12
-rw-r--r--makefu/2configs/zsh-user.nix14
-rw-r--r--makefu/5pkgs/default.nix1
-rw-r--r--makefu/5pkgs/devpi/default.nix2
-rw-r--r--makefu/5pkgs/honeyd/default.nix62
-rw-r--r--makefu/5pkgs/honeyd/fix-autogen.patch42
-rw-r--r--shared/1systems/test-all-krebs-modules.nix2
-rw-r--r--shared/1systems/wolf.nix4
-rw-r--r--shared/2configs/base.nix2
-rw-r--r--shared/2configs/repo-sync.nix2
-rw-r--r--tv/2configs/retiolum.nix2
45 files changed, 395 insertions, 387 deletions
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index d6b7ab753..a18f1c979 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -37,7 +37,7 @@ let
config =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration
- assert config.krebs.retiolum.enable;
+ assert config.krebs.tinc.retiolum.enable;
''
keep_environment =
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index d5537cf56..52db3de85 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -259,8 +259,13 @@ with config.krebs.lib;
};
filepimp = rec {
cores = 1;
-
nets = {
+ lan = {
+ ip4.addr = "192.168.1.12";
+ aliases = [
+ "filepimp.lan"
+ ];
+ };
retiolum = {
ip4.addr = "10.243.153.102";
ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0";
@@ -286,6 +291,12 @@ with config.krebs.lib;
cores = 2;
nets = {
+ lan = {
+ ip4.addr = "192.168.1.11";
+ aliases = [
+ "omo.lan"
+ ];
+ };
retiolum = {
ip4.addr = "10.243.0.89";
ip6.addr = "42:f9f0::10";
diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix
index 40382d098..9d393c90b 100644
--- a/krebs/3modules/retiolum-bootstrap.nix
+++ b/krebs/3modules/retiolum-bootstrap.nix
@@ -27,12 +27,12 @@ let
ssl_certificate_key = mkOption {
type = types.str;
description = "Certificate key to use for ssl";
- default = "/root/secrets/tinc.krebsco.de.key";
+ default = "${toString <secrets>}/tinc.krebsco.de.key";
};
ssl_certificate = mkOption {
type = types.str;
description = "Certificate file to use for ssl";
- default = "/root/secrets/tinc.krebsco.de.crt" ;
+ default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
};
# in use:
# <secrets/tinc.krebsco.de.crt>
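Review bot: The new defaults `${toString <secrets>}/tinc.krebsco.de.key` and `.crt` are correct but undocumented: `toString` keeps the value an out-of-store path string, whereas interpolating the path directly (`"${<secrets>}/..."`) would copy the private key into the world-readable Nix store, and nothing in the option stops the next edit from doing exactly that. Add `# toString on purpose: interpolating <secrets> directly would copy the key into /nix/store` above `ssl_certificate_key`, and extend its description to say the file must be readable by the nginx worker user at runtime since it is resolved outside the store.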
diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix
index 22991f093..0bd815211 100644
--- a/krebs/3modules/retiolum.nix
+++ b/krebs/3modules/retiolum.nix
@@ -1,175 +1,185 @@
{ config, pkgs, lib, ... }:
with config.krebs.lib;
let
- cfg = config.krebs.retiolum;
-
out = {
- options.krebs.retiolum = api;
- config = lib.mkIf cfg.enable imp;
+ options.krebs.tinc = api;
+ config = imp;
};
- api = {
- enable = mkEnableOption "krebs.retiolum";
-
- host = mkOption {
- type = types.host;
- default = config.krebs.build.host;
- };
-
- netname = mkOption {
- type = types.enum (attrNames cfg.host.nets);
- default = "retiolum";
- description = ''
- The tinc network name.
- It is used to name the TUN device and to generate the default value for
- <literal>config.krebs.retiolum.hosts</literal>.
- '';
- };
-
- extraConfig = mkOption {
- type = types.str;
- default = "";
- description = ''
- Extra Configuration to be appended to tinc.conf
- '';
- };
-
- tincPackage = mkOption {
- type = types.package;
- default = pkgs.tinc;
- description = "Tincd package to use.";
- };
-
- hosts = mkOption {
- type = with types; attrsOf host;
- default =
- filterAttrs (_: h: hasAttr cfg.netname h.nets) config.krebs.hosts;
- description = ''
- Hosts to generate <literal>config.krebs.retiolum.hostsPackage</literal>.
- Note that these hosts must have a network named
- <literal>config.krebs.retiolum.netname</literal>.
- '';
- };
-
- hostsPackage = mkOption {
- type = types.package;
- default = pkgs.stdenv.mkDerivation {
- name = "${cfg.netname}-tinc-hosts";
- phases = [ "installPhase" ];
- installPhase = ''
- mkdir $out
- ${concatStrings (mapAttrsToList (_: host: ''
- echo ${shell.escape host.nets.${cfg.netname}.tinc.config} \
- > $out/${shell.escape host.name}
- '') cfg.hosts)}
- '';
- };
- description = ''
- Package of tinc host configuration files. By default, a package will
- be generated from <literal>config.krebs.retiolum.hosts</literal>. This
- option's main purpose is to expose the generated hosts package to other
- modules, like <literal>config.krebs.tinc_graphs</literal>. But it can
- also be used to provide a custom hosts directory.
- '';
- example = literalExample ''
- (pkgs.stdenv.mkDerivation {
- name = "my-tinc-hosts";
- src = /home/tv/my-tinc-hosts;
- installPhase = "cp -R . $out";
- })
- '';
- };
-
- iproutePackage = mkOption {
- type = types.package;
- default = pkgs.iproute;
- description = "Iproute2 package to use.";
- };
-
- privkey = mkOption {
- type = types.secret-file;
- default = {
- path = "${cfg.user.home}/tinc.rsa_key.priv";
- owner = cfg.user;
- source-path = toString <secrets> + "/${cfg.netname}.rsa_key.priv";
- };
- };
-
- connectTo = mkOption {
- type = types.listOf types.str;
- default = [ "fastpoke" "cd" "prism" "gum" ];
- description = ''
- The list of hosts in the network which the client will try to connect
- to. These hosts should have an 'Address' configured which points to a
- routeable IPv4 or IPv6 address.
-
- In stockholm this can be done by configuring:
- krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.addrs4 =
- [ "${external-ip} ${external-port}" ]
- '';
- };
-
- user = mkOption {
- type = types.user;
- default = {
- name = cfg.netname;
- home = "/var/lib/${cfg.user.name}";
+ api = mkOption {
+ default = {};
+ description = ''
+ define a tinc network
+ '';
+ type = with types; attrsOf (submodule (tinc: {
+ options = {
+
+ enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; };
+
+ host = mkOption {
+ type = types.host;
+ default = config.krebs.build.host;
+ };
+
+ netname = mkOption {
+ type = types.enum (attrNames tinc.config.host.nets);
+ default = tinc.config._module.args.name;
+ description = ''
+ The tinc network name.
+ It is used to name the TUN device and to generate the default value for
+ <literal>config.krebs.tinc.retiolum.hosts</literal>.
+ '';
+ };
+
+ extraConfig = mkOption {
+ type = types.str;
+ default = "";
+ description = ''
+ Extra Configuration to be appended to tinc.conf
+ '';
+ };
+
+ tincPackage = mkOption {
+ type = types.package;
+ default = pkgs.tinc;
+ description = "Tincd package to use.";
+ };
+
+ hosts = mkOption {
+ type = with types; attrsOf host;
+ default =
+ filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts;
+ description = ''
+ Hosts to generate <literal>config.krebs.tinc.retiolum.hostsPackage</literal>.
+ Note that these hosts must have a network named
+ <literal>config.krebs.tinc.retiolum.netname</literal>.
+ '';
+ };
+
+ hostsPackage = mkOption {
+ type = types.package;
+ default = pkgs.stdenv.mkDerivation {
+ name = "${tinc.config.netname}-tinc-hosts";
+ phases = [ "installPhase" ];
+ installPhase = ''
+ mkdir $out
+ ${concatStrings (lib.mapAttrsToList (_: host: ''
+ echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
+ > $out/${shell.escape host.name}
+ '') tinc.config.hosts)}
+ '';
+ };
+ description = ''
+ Package of tinc host configuration files. By default, a package will
+ be generated from <literal>config.krebs.${tinc.config.netname}.hosts</literal>. This
+ option's main purpose is to expose the generated hosts package to other
+ modules, like <literal>config.krebs.tinc_graphs</literal>. But it can
+ also be used to provide a custom hosts directory.
+ '';
+ example = literalExample ''
+ (pkgs.stdenv.mkDerivation {
+ name = "my-tinc-hosts";
+ src = /home/tv/my-tinc-hosts;
+ installPhase = "cp -R . $out";
+ })
+ '';
+ };
+
+ iproutePackage = mkOption {
+ type = types.package;
+ default = pkgs.iproute;
+ description = "Iproute2 package to use.";
+ };
+
+ privkey = mkOption {
+ type = types.secret-file;
+ default = {
+ path = "${tinc.config.user.home}/tinc.rsa_key.priv";
+ owner = tinc.config.user;
+ source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
+ };
+ };
+
+ connectTo = mkOption {
+ type = types.listOf types.str;
+ default = [ "fastpoke" "cd" "prism" "gum" ];
+ description = ''
+ The list of hosts in the network which the client will try to connect
+ to. These hosts should have an 'Address' configured which points to a
+ routeable IPv4 or IPv6 address.
+
+ In stockholm this can be done by configuring:
+ krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.addrs4 =
+ [ "${external-ip} ${external-port}" ]
+ '';
+ };
+
+ user = mkOption {
+ type = types.user;
+ default = {
+ name = tinc.config.netname;
+ home = "/var/lib/${tinc.config.user.name}";
+ };
+ };
};
- };
+ }));
};
imp = {
- krebs.secret.files."${cfg.netname}.rsa_key.priv" = cfg.privkey;
-
- environment.systemPackages = [ tinc iproute ];
-
- systemd.services.${cfg.netname} = {
- description = "Tinc daemon for Retiolum";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- requires = [ "secret.service" ];
- path = [ tinc iproute ];
- serviceConfig = rec {
- Restart = "always";
- ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
- SyslogIdentifier = cfg.netname;
- };
- };
-
- users.users.${cfg.user.name} = {
- inherit (cfg.user) home name uid;
- createHome = true;
- };
+ # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
+ # avoid conflicts in environment if the packages differ
+
+ krebs.secret.files = mapAttrs' (netname: cfg:
+ nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc;
+ users.users = mapAttrs' (netname: cfg:
+ nameValuePair "${netname}" {
+ inherit (cfg.user) home name uid;
+ createHome = true;
+ }
+ ) config.krebs.tinc;
+
+ systemd.services = mapAttrs (netname: cfg:
+ let
+ net = cfg.host.nets.${netname};
+ tinc = cfg.tincPackage;
+ iproute = cfg.iproutePackage;
+
+ confDir = let
+ namePathPair = name: path: { inherit name path; };
+ in pkgs.linkFarm "${netname}-etc-tinc" (mapAttrsToList namePathPair {
+ "hosts" = cfg.hostsPackage;
+ "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" ''
+ Name = ${cfg.host.name}
+ Interface = ${netname}
+ ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
+ PrivateKeyFile = ${cfg.privkey.path}
+ ${cfg.extraConfig}
+ '';
+ "tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
+ ${iproute}/sbin/ip link set ${netname} up
+ ${optionalString (net.ip4 != null) /* sh */ ''
+ ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
+ ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
+ ''}
+ ${optionalString (net.ip6 != null) /* sh */ ''
+ ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
+ ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
+ ''}
+ '';
+ }
+ );
+ in {
+ description = "Tinc daemon for ${netname}";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "secret.service" ];
+ path = [ tinc iproute ];
+ serviceConfig = rec {
+ Restart = "always";
+ ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
+ SyslogIdentifier = netname;
+ };
+ }
+ ) config.krebs.tinc;
};
-
- net = cfg.host.nets.${cfg.netname};
-
- tinc = cfg.tincPackage;
-
- iproute = cfg.iproutePackage;
-
- confDir = let
- namePathPair = name: path: { inherit name path; };
- in pkgs.linkFarm "${cfg.netname}-etc-tinc" (mapAttrsToList namePathPair {
- "hosts" = cfg.hostsPackage;
- "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" ''
- Name = ${cfg.host.name}
- Interface = ${cfg.netname}
- ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
- PrivateKeyFile = ${cfg.privkey.path}
- ${cfg.extraConfig}
- '';
- "tinc-up" = pkgs.writeDash "${cfg.netname}-tinc-up" ''
- ${iproute}/sbin/ip link set ${cfg.netname} up
- ${optionalString (net.ip4 != null) /* sh */ ''
- ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${cfg.netname}
- ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${cfg.netname}
- ''}
- ${optionalString (net.ip6 != null) /* sh */ ''
- ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${cfg.netname}
- ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${cfg.netname}
- ''}
- '';
- });
-
in out
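Review bot: The per-network `enable` option (default true) is declared but never consulted: `config = imp;` replaced the former `mkIf cfg.enable`, and the three `mapAttrs`/`mapAttrs'` calls in `imp` iterate over all of `config.krebs.tinc`, so `krebs.tinc.<net>.enable = false` still creates the user, deploys the private key through `krebs.secret.files`, and starts `tincd` for that network. Bind `enabledNets = filterAttrs (_: n: n.enable) config.krebs.tinc;` in the `let` and map over `enabledNets` in all three places. Separately, the service body keys `cfg.host.nets.${netname}`, `Interface = ${netname}` and the `users.users` attribute on the attribute name while `hosts`, `privkey` and the `writeText` name use `cfg.netname`; `netname` is user-settable, so the two can diverge and should be unified on `cfg.netname`.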
diff --git a/krebs/3modules/tinc_graphs.nix b/krebs/3modules/tinc_graphs.nix
index 0f1bae090..d783ba03b 100644
--- a/krebs/3modules/tinc_graphs.nix
+++ b/krebs/3modules/tinc_graphs.nix
@@ -23,7 +23,7 @@ let
hostsPath = mkOption {
type = types.str;
description = "Path to Hosts directory";
- default = "${config.krebs.retiolum.hostsPackage}";
+ default = "${config.krebs.tinc.retiolum.hostsPackage}";
};
network = mkOption {
diff --git a/krebs/5pkgs/fortclientsslvpn/default.nix b/krebs/5pkgs/fortclientsslvpn/default.nix
index 11d567408..07420c4d3 100644
--- a/krebs/5pkgs/fortclientsslvpn/default.nix
+++ b/krebs/5pkgs/fortclientsslvpn/default.nix
@@ -5,9 +5,10 @@ stdenv.mkDerivation rec {
# forticlient will be copied into /tmp before execution. this is necessary as
# the software demands $base to be writeable
+ # TODO: chroot and create the following files instead of copying files manually
# mkdir /etc/ppp ; touch /etc/ppp/options
- ## i still have not found which tool uses tail ... i tried redirecting it in forticlientsslvpn and subproc
# ln -s /run/current-system/sw/bin/tail /usr/bin/tail
+ # ln -s /run/current-system/sw/bin/pppd /usr/sbin/pppd
src = fetchurl {
# archive.org mirror:
@@ -62,7 +63,7 @@ stdenv.mkDerivation rec {
cp -r 64bit/. "$out/opt/fortinet"
wrapProgram $out/opt/fortinet/forticlientsslvpn \
--set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
- --set NIX_REDIRECTS /usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/ppp=${ppp}/bin/ppp
+ --set NIX_REDIRECTS /usr/bin/tail=${coreutils}/bin/tail:/usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/pppd=${ppp}/bin/pppd
mkdir -p "$out/bin/"
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 77d72a5ac..1bc8d5744 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -226,7 +226,7 @@ in {
{
users.users.tv = {
uid = genid "tv";
- home = "/home/tv";
+ inherit (config.krebs.users.tv) home;
group = "users";
createHome = true;
useDefaultShell = true;
diff --git a/lass/2configs/audit.nix b/lass/2configs/audit.nix
new file mode 100644
index 000000000..644741a5b
--- /dev/null
+++ b/lass/2configs/audit.nix
@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+ security.audit = {
+ rules = [
+ "-a task,never"
+ ];
+ };
+}
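Review bot: `-a task,never` is the only content of this new file and carries no explanation; it tells the kernel not to attach an audit context to any newly created task, which quiets audit noise in the journal but also means nothing started after this rule loads is auditable, and since `lass/2configs/default.nix` in this same commit imports the file unconditionally that applies to every lass host. Put the intent in a comment above the rule, e.g. `# never audit new tasks: silences audit records in the journal, but effectively disables auditing of everything started after boot`, and state whether `security.audit.enable` is deliberately left at its default.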
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index 4c63d857c..5afb23687 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -86,17 +86,17 @@ in {
["make \
test \
ssh=${sshWrapper} \
- target=build@localhost:${config.users.users.build.home}/testbuild \
+ target=build@localhost${config.users.users.build.home}/testbuild \
method=build \
system={}".format(i)])
- for i in [ "pornocauster", "wry" ]:
+ for i in [ "pornocauster", "wry", "vbob", "wbob", "shoney" ]:
addShell(f,name="build-{}".format(i),env=env_makefu,
command=nixshell + \
["make \
test \
ssh=${sshWrapper} \
- target=build@localhost:${config.users.users.build.home}/testbuild \
+ target=build@localhost${config.users.users.build.home}/testbuild \
method=build \
system={}".format(i)])
@@ -147,7 +147,7 @@ in {
password = "lasspass";
packages = with pkgs; [ gnumake jq nix populate ];
extraEnviron = {
- NIX_PATH="nixpkgs=/var/src/nixpkgs";
+ NIX_PATH="/var/src";
};
};
config.krebs.iptables = {
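Review bot: The slave block this hunk edits still carries `password = "lasspass"` as a literal just above the changed `extraEnviron`; a value written in a NixOS module ends up in the world-readable Nix store (and in the generated master config), so the slave credential is effectively public on the host. Loading it like `lass/2configs/downloading.nix` does with `rpc-password = import <secrets/transmission-pw>;` keeps it out of the repository, though it still lands in the generated config, so having the master read it from a root-only file at runtime is the stronger option. The switch to `NIX_PATH="/var/src"` also deserves a one-line comment that every `<...>` search-path entry for the slave now resolves under /var/src.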
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 81abff3ed..622ef1185 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -3,13 +3,14 @@
with config.krebs.lib;
{
imports = [
- ../2configs/vim.nix
- ../2configs/zsh.nix
- ../2configs/mc.nix
- ../2configs/retiolum.nix
- ../2configs/nixpkgs.nix
+ ../2configs/audit.nix
../2configs/binary-cache/client.nix
../2configs/gc.nix
+ ../2configs/mc.nix
+ ../2configs/nixpkgs.nix
+ ../2configs/retiolum.nix
+ ../2configs/vim.nix
+ ../2configs/zsh.nix
./backups.nix
{
users.extraUsers =
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index cf9b631c8..597d20721 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -5,9 +5,6 @@ with config.krebs.lib;
let
rpc-password = import <secrets/transmission-pw>;
in {
- imports = [
- ../3modules/folderPerms.nix
- ];
users.extraUsers = {
download = {
@@ -64,15 +61,4 @@ in {
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
];
};
-
- lass.folderPerms = {
- enable = true;
- permissions = [
- {
- path = "/var/download";
- permission = "775";
- owner = "transmission:download";
- }
- ];
- };
}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index 1ba99c8cb..00a3612fd 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -27,7 +27,6 @@ with config.krebs.lib;
{ from = "lass@aidsballs.de"; to = lass.mail; }
{ from = "wordpress@ubikmedia.de"; to = lass.mail; }
{ from = "finanzamt@lassul.us"; to = lass.mail; }
- { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
{ from = "netzclub@lassul.us"; to = lass.mail; }
{ from = "nebenan@lassul.us"; to = lass.mail; }
];
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 0f940a369..b758bc24a 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -1,8 +1,8 @@
{ ... }:
{
- krebs.build.source.nixpkgs = {
+ krebs.build.source.nixpkgs.git = {
url = https://github.com/lassulus/nixpkgs;
- rev = "446d4c1fc10f53cf97abea1996d067ad93de2ded";
+ ref = "c6ca9c8c8b7eb8f8e68868e36fb90e162adf080f";
};
}
diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix
index 45a4e2afd..027f31fe0 100644
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
@@ -91,12 +91,11 @@ in {
(sync-remote "repo-sync" "https://github.com/makefu/repo-sync")
(sync-remote "skytraq-datalogger" "https://github.com/makefu/skytraq-datalogger")
(sync-remote "xintmap" "https://github.com/4z3/xintmap")
+ (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
(sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
(sync-retiolum "go")
(sync-retiolum "much")
(sync-retiolum "newsbot-js")
- (sync-retiolum "painload")
- (sync-retiolum "realwallpaper")
(sync-retiolum "stockholm")
(sync-retiolum "wai-middleware-time")
(sync-retiolum "web-routes-wai-custom")
diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix
index 89e0f217a..eba40532d 100644
--- a/lass/2configs/retiolum.nix
+++ b/lass/2configs/retiolum.nix
@@ -12,7 +12,7 @@
};
};
- krebs.retiolum = {
+ krebs.tinc.retiolum = {
enable = true;
connectTo = [
"prism"
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 07df2e8de..becd1a872 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -110,14 +110,6 @@ in {
};
};
- users.users.domsen = {
- uid = genid "domsen";
- description = "maintenance acc for domsen";
- home = "/home/domsen";
- useDefaultShell = true;
- extraGroups = [ "nginx" ];
- createHome = true;
- };
#services.phpfpm.phpOptions = ''
# extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
@@ -133,5 +125,40 @@ in {
cat ${pkgs.php}/etc/php-recommended.ini > $out
echo "$options" >> $out
'';
+
+ # MAIL STUFF
+ # TODO: make into its own module
+ services.dovecot2 = {
+ enable = true;
+ mailLocation = "maildir:~/Mail";
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
+ ];
+ krebs.exim-smarthost = {
+ internet-aliases = [
+ { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
+ { from = "mail@jla-trading.com"; to = "jla-trading"; }
+ ];
+ system-aliases = [
+ ];
+ };
+
+ users.users.domsen = {
+ uid = genid "domsen";
+ description = "maintenance acc for domsen";
+ home = "/home/domsen";
+ useDefaultShell = true;
+ extraGroups = [ "nginx" ];
+ createHome = true;
+ };
+
+ users.users.jla-trading = {
+ uid = genid "jla-trading";
+ home = "/home/jla-trading";
+ useDefaultShell = true;
+ createHome = true;
+ };
}
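Review bot: The new mail block opens plain `pop3` and `imap` in the filter INPUT chain and enables dovecot2 with no `sslServerCert`/`sslServerKey` in sight, so unless TLS is configured elsewhere (not visible in this diff) the `domsen` and `jla-trading` credentials cross the internet in the clear; nothing here enforces STARTTLS. Terminate TLS in the dovecot2 block and prefer opening `imaps`/`pop3s` instead of, or in addition to, the cleartext ports, or at least add `disable_plaintext_auth = yes` via `extraConfig`. `jla-trading` is created with a default login shell but no `openssh.authorizedKeys.keys`; if it only exists to receive mail, give it a non-login shell and say so in a comment, and the `# TODO: make into its own module` note should name what the module is meant to own (dovecot, firewall rules and alias entries together).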
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 39f0cce06..48d96b1bf 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -7,6 +7,7 @@ let
head
;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
+ manageCerts
ssl
servePage
serveWordpress
@@ -48,6 +49,9 @@ in {
(ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
(servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
+
+ (manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ])
+ (serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
];
lass.mysqlBackup.config.all.databases = [
@@ -74,6 +78,16 @@ in {
config.krebs.users.fritz.pubkey
];
+ users.users.goldbarrendiebstahl = {
+ home = "/srv/http/goldbarrendiebstahl.radical-dreamers.de";
+ uid = genid "goldbarrendiebstahl";
+ createHome = true;
+ useDefaultShell = true;
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.fritz.pubkey
+ ];
+ };
+
services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
options = ''
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
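Review bot: `users.users.goldbarrendiebstahl` uses the served document root `/srv/http/goldbarrendiebstahl.radical-dreamers.de` as its `home` together with a login shell, so anything an interactive session drops there (`.bash_history`, `.zsh_history`, editor swap files) sits inside the tree nginx serves for that vhost; unless `serveWordpress` (defined outside this diff) denies dotfile paths, those become fetchable. Either give the user a home outside the webroot and grant write access to the directory separately, or add a `location ~ /\. { deny all; }` to the vhost and record the decision in a comment on the `home` line.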
diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix
index 87029a693..c63dcb492 100644
--- a/makefu/1systems/darth.nix
+++ b/makefu/1systems/darth.nix
@@ -17,6 +17,7 @@ in {
../2configs/exim-retiolum.nix
../2configs/virtualization.nix
+ ../2configs/tinc/retiolum.nix
../2configs/temp-share-samba.nix
];
services.samba.shares = {
@@ -39,7 +40,6 @@ in {
};
#networking.firewall.enable = false;
- krebs.retiolum.enable = true;
boot.kernelModules = [ "coretemp" "f71882fg" ];
hardware.enableAllFirmware = true;
diff --git a/makefu/1systems/filepimp.nix b/makefu/1systems/filepimp.nix
index 593f77378..c6966c99c 100644
--- a/makefu/1systems/filepimp.nix
+++ b/makefu/1systems/filepimp.nix
@@ -22,8 +22,8 @@ in {
../.
../2configs/fs/single-partition-ext4.nix
../2configs/smart-monitor.nix
+ ../2configs/tinc/retiolum.nix
];
- krebs.retiolum.enable = true;
krebs.build.host = config.krebs.hosts.filepimp;
# AMD N54L
boot = {
diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix
index 17b2b5093..a4e2d1760 100644
--- a/makefu/1systems/gum.nix
+++ b/makefu/1systems/gum.nix
@@ -19,6 +19,7 @@ in {
../2configs/deployment/mycube.connector.one.nix
../2configs/exim-retiolum.nix
+ ../2configs/tinc/retiolum.nix
../2configs/urlwatch.nix
];
@@ -27,8 +28,7 @@ in {
###### stable
krebs.build.host = config.krebs.hosts.gum;
- krebs.retiolum = {
- enable = true;
+ krebs.tinc.retiolum = {
extraConfig = ''
ListenAddress = ${external-ip} 53
ListenAddress = ${external-ip} 655
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix
index 8c24e0ff5..e11abd40d 100644
--- a/makefu/1systems/omo.nix
+++ b/makefu/1systems/omo.nix
@@ -47,12 +47,12 @@ in {
#../2configs/graphite-standalone.nix
#../2configs/share-user-sftp.nix
../2configs/omo-share.nix
+ ../2configs/tinc/retiolum.nix
## as long as pyload is not in nixpkgs:
# docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
];
- krebs.retiolum.enable = true;
networking.firewall.trustedInterfaces = [ primaryInterface ];
# udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
# tcp:80 - nginx for sharing files
diff --git a/makefu/1systems/pnp.nix b/makefu/1systems/pnp.nix
index 4b8d39c89..a460a87e7 100644
--- a/makefu/1systems/pnp.nix
+++ b/makefu/1systems/pnp.nix
@@ -15,11 +15,12 @@
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/fs/vm-single-partition.nix
+ ../2configs/tinc/retiolum.nix
+
# config.system.build.vm
- <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
+ (toString <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>)
];
- krebs.retiolum.enable = true;
virtualisation.graphics = false;
# also export secrets, see Usage above
fileSystems = pkgs.lib.mkVMOverride {
diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix
index 2ab030916..b683e5630 100644
--- a/makefu/1systems/pornocauster.nix
+++ b/makefu/1systems/pornocauster.nix
@@ -38,8 +38,9 @@
#../2configs/wordpress.nix
../2configs/nginx/public_html.nix
+ ../2configs/tinc/retiolum.nix
# temporary modules
- # ../2configs/temp/share-samba.nix
+ ../2configs/temp/share-samba.nix
# ../2configs/temp/elkstack.nix
# ../2configs/temp/sabnzbd.nix
];
@@ -69,10 +70,9 @@
krebs.build.host = config.krebs.hosts.pornocauster;
krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
- krebs.retiolum = {
- enable = true;
- connectTo = [ "omo" "gum" "prism" ];
- };
+
+ krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ];
+
networking.extraHosts = ''
192.168.1.11 omo.local
'';
diff --git a/makefu/1systems/repunit.nix b/makefu/1systems/repunit.nix
index bf6ff9fb6..7102b8f81 100644
--- a/makefu/1systems/repunit.nix
+++ b/makefu/1systems/repunit.nix
@@ -10,6 +10,7 @@
../.
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/git/cgit-retiolum.nix
+ ../2configs/tinc/retiolum.nix
];
krebs.build.host = config.krebs.hosts.repunit;
@@ -31,14 +32,6 @@
{ device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
- krebs.retiolum = {
- enable = true;
- connectTo = [
- "gum"
- "pigstarter"
- "fastpoke"
- ];
- };
# $ nix-env -qaP | grep wget
environment.systemPackages = with pkgs; [
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
index 3a3ac9c7c..7081f6a95 100644
--- a/makefu/1systems/shoney.nix
+++ b/makefu/1systems/shoney.nix
@@ -13,15 +13,12 @@ in {
../2configs/save-diskspace.nix
../2configs/hw/CAC.nix
../2configs/fs/CAC-CentOS-7-64bit.nix
+ ../2configs/tinc/retiolum.nix
];
- environment.systemPackages = [ pkgs.honeyd ];
- services.tinc.networks.siem.name = "sjump";
-
krebs = {
enable = true;
- retiolum.enable = true;
build.host = config.krebs.hosts.shoney;
nginx.enable = true;
tinc_graphs = {
diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix
index 302ba6f99..9809abf4c 100644
--- a/makefu/1systems/tsp.nix
+++ b/makefu/1systems/tsp.nix
@@ -17,9 +17,9 @@
../2configs/zsh-user.nix
../2configs/exim-retiolum.nix
+ ../2configs/tinc/retiolum.nix
];
# not working in vm
- krebs.retiolum.enable = true;
krebs.build.host = config.krebs.hosts.tsp;
networking.firewall.allowedTCPPorts = [
diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix
index 3fcb173ce..27a216316 100644
--- a/makefu/1systems/vbob.nix
+++ b/makefu/1systems/vbob.nix
@@ -8,9 +8,10 @@
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
../2configs/main-laptop.nix #< base-gui
- # (toString <secrets>)/extra-hosts.nix
+ # <secrets/extra-hosts.nix>
# environment
+ ../2configs/tinc/retiolum.nix
];
# workaround for https://github.com/NixOS/nixpkgs/issues/16641
@@ -28,8 +29,15 @@
openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ];
};
};
+
+ environment.shellAliases = {
+ forti = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn";
+ };
+ # TODO: for forticleintsslpn
+ # ln -s /r/current-system/sw/bin/pppd /usr/sbin/pppd
+ # ln -s /r/current-system/sw/bin/tail /usr/bin/tail
environment.systemPackages = with pkgs;[
- fortclientsslvpn
+ fortclientsslvpn ppp xclip
get
logstash
docker
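Review bot: The new `forti` alias reads a plaintext VPN password from `~/vpn/pw.txt` and pushes it onto the X selection with `xclip`, where every client on the display can read it and where it stays until something else is copied; the client is then started under `sudo`. At minimum overwrite the selection once the client has picked it up (e.g. `; printf "" | xclip`) and keep the file at mode 0600, or better, feed the credential to the client directly instead of via the clipboard. The TODO comment also misspells the package (`forticleintsslpn`) and documents manual symlinks into `/usr/sbin` that duplicate the `NIX_REDIRECTS` list in `krebs/5pkgs/fortclientsslvpn/default.nix` in this same diff; point at that instead of restating it.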
@@ -45,13 +53,6 @@
8010
];
- krebs.retiolum = {
- enable = true;
- connectTo = [
- "omo"
- "gum"
- ];
- };
virtualisation.docker.enable = false;
fileSystems."/media/share" = {
diff --git a/makefu/1systems/wbob.nix b/makefu/1systems/wbob.nix
index 45b935af0..e8e0b091f 100644
--- a/makefu/1systems/wbob.nix
+++ b/makefu/1systems/wbob.nix
@@ -1,5 +1,7 @@
{ config, pkgs, ... }:
-{
+let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115";
+in {
+
makefu.awesome = {
modkey = "Mod1";
#TODO: integrate kiosk config into full config by templating the autostart
@@ -9,19 +11,19 @@
[ # Include the results of the hardware scan.
../.
../2configs/main-laptop.nix
+ ../2configs/virtualization.nix
+ ../2configs/tinc/retiolum.nix
];
krebs = {
enable = true;
- retiolum.enable = true;
build.host = config.krebs.hosts.wbob;
};
networking.firewall.allowedUDPPorts = [ 1655 ];
- networking.firewall.allowedTCPPorts = [ 1655 ];
+ networking.firewall.allowedTCPPorts = [ 1655 49152 ];
services.tinc.networks.siem = {
name = "display";
extraConfig = ''
ConnectTo = sjump
- Port = 1655
'';
};
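Review bot: `ConnectTo = sjump` is kept while `makefu/1systems/shoney.nix` in this same commit drops `services.tinc.networks.siem.name = "sjump"`, so the siem network on wbob now points at a node no longer configured on this side unless sjump is defined somewhere not shown here. Dropping `Port = 1655` makes tincd fall back to its default port while the firewall rules two lines above still open UDP/TCP 1655 and now additionally TCP 49152 with no comment on what consumes it; either restore `Port = 1655` or align `allowedUDPPorts`/`allowedTCPPorts` with the port actually in use, and annotate the new port (`49152 # <service>`).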
@@ -35,12 +37,12 @@
# nuc hardware
- boot.loader.grub.device = "/dev/sda";
+ boot.loader.grub.device = rootdisk;
hardware.cpu.intel.updateMicrocode = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
fileSystems."/" = {
- device = "/dev/sda1";
+ device = rootdisk + "-part1";
fsType = "ext4";
};
diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix
index 5788cb654..3764ab4b5 100644
--- a/makefu/1systems/wry.nix
+++ b/makefu/1systems/wry.nix
@@ -25,8 +25,9 @@ in {
# collectd
../2configs/collectd/collectd-base.nix
+
+ ../2configs/tinc/retiolum.nix
];
- krebs.retiolum.enable = true;
krebs.build.host = config.krebs.hosts.wry;
diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix
index 5682f5eb6..f675c4ac8 100644
--- a/makefu/2configs/bepasty-dual.nix
+++ b/makefu/2configs/bepasty-dual.nix
@@ -15,6 +15,9 @@ let
sec = toString <secrets>;
# secKey is nothing worth protecting on a local machine
secKey = import <secrets/bepasty-secret.nix>;
+ acmepath = "/var/lib/acme/";
+ acmechall = acmepath + "/challenges/";
+ ext-dom = "paste.krebsco.de" ;
in {
krebs.nginx.enable = mkDefault true;
@@ -25,7 +28,7 @@ in {
servers = {
internal = {
nginx = {
- server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+ server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
};
defaultPermissions = "admin,list,create,read,delete";
secretKey = secKey;
@@ -33,17 +36,25 @@ in {
external = {
nginx = {
- server-names = [ "paste.krebsco.de" ];
+ server-names = [ ext-dom ];
+ ssl = {
+ enable = true;
+ certificate = "${acmepath}/${ext-dom}/fullchain.pem";
+ certificate_key = "${acmepath}/${ext-dom}/key.pem";
+ # these certs will be needed if acme has not yet created certificates:
+ #certificate = "${sec}/wildcard.krebsco.de.crt";
+ #certificate_key = "${sec}/wildcard.krebsco.de.key";
+ ciphers = "RC4:HIGH:!aNULL:!MD5" ;
+ };
+ locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
+ root ${acmechall}/${ext-dom}/;
+ '');
extraConfig = ''
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
- ssl_certificate ${sec}/wildcard.krebsco.de.crt;
- ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
ssl_verify_client off;
proxy_ssl_session_reuse off;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers RC4:HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
+
if ($scheme = http){
return 301 https://$server_name$request_uri;
}'';
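Review bot: The new `ciphers = "RC4:HIGH:!aNULL:!MD5"` puts the RC4 suites at the head of the list, so a server that prefers its own order negotiates RC4 first; RC4 has been prohibited in TLS since RFC 7465 and should be excluded rather than preferred, e.g. `ciphers = "HIGH:!aNULL:!MD5:!RC4";` (or a forward-secrecy-first list). The hunk also drops `ssl_protocols` and `ssl_prefer_server_ciphers on` from extraConfig without visibly re-adding them; unless the krebs.nginx `ssl` option emits equivalents (not visible here), nginx falls back to its compiled-in defaults, which is worth confirming. Note too that the server-level `if ($scheme = http)` redirect runs before location matching, so plain-HTTP ACME challenge requests are bounced to https and only succeed once the https vhost is already serving — the commented-out wildcard-cert lines hint at exactly that bootstrap gap; a redirect scoped to a `location /` that leaves `/.well-known/acme-challenge` alone would remove the dependency.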
@@ -53,4 +64,12 @@ in {
};
};
};
+ security.acme.certs."${ext-dom}" = {
+ email = "acme@syntax-fehler.de";
+ webroot = "${acmechall}/${ext-dom}/";
+ group = "nginx";
+ allowKeysForGroup = true;
+ postRun = "systemctl reload nginx.service";
+ extraDomains."${ext-dom}" = null ;
+ };
}
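Review bot: `extraDomains."${ext-dom}" = null` names the same domain the certificate attribute is already keyed on, which reads as a leftover and, depending on the NixOS acme module's handling, is at best a no-op; if no additional SAN is intended, drop the line. `allowKeysForGroup = true` with `group = "nginx"` makes `key.pem` readable by every process in the nginx group — the intended reader here, but anything added to that group later inherits read access to the private key — so a short why-comment such as `# key is group-readable so nginx can load it; keep the nginx group minimal` would help the next maintainer.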
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index 4562a123f..c94f1be7d 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -17,7 +17,6 @@ with config.krebs.lib;
krebs = {
enable = true;
- dns.providers.siem = "hosts";
dns.providers.lan = "hosts";
search-domain = "retiolum";
build = {
@@ -25,7 +24,7 @@ with config.krebs.lib;
source = let inherit (config.krebs.build) host user; in {
nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "0546a4a"; # stable @ 2016-06-11
+ ref = "125ffff"; # stable @ 2016-07-20
};
secrets.file =
if getEnv "dummy_secrets" == "true"
@@ -67,7 +66,7 @@ with config.krebs.lib;
startAgent = false;
};
services.openssh.enable = true;
- nix.useChroot = true;
+ nix.useSandbox = true;
users.mutableUsers = false;
@@ -171,4 +170,10 @@ with config.krebs.lib;
consoleKeyMap = "us";
defaultLocale = "en_US.UTF-8";
};
+ # suppress chrome autit event messages
+ security.audit = {
+ rules = [
+ "-a task,never"
+ ];
+ };
}
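Review bot: The comment `# suppress chrome autit event messages` (typo: audit) undersells what the rule does: `-a task,never` attaches a never-rule to the per-task list evaluated at fork/clone, so it disables audit-context creation for every newly created task system-wide, not just for Chrome. If that is the intent, say so, e.g. `# disable syscall auditing for all new tasks (fork/clone); silences the Chrome sandbox's audit log spam, but also drops every other audit record`; if only the Chrome noise should go, a narrower exclusion keyed on the message type (`-a exclude,always -F msgtype=SECCOMP`, to be confirmed against what actually floods the log) keeps the rest of the audit trail.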
diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x220.nix
index 1c9a34965..58390e48d 100644
--- a/makefu/2configs/hw/tp-x220.nix
+++ b/makefu/2configs/hw/tp-x220.nix
@@ -8,10 +8,9 @@ with config.krebs.lib;
kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
};
-
+ hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
services.xserver = {
videoDriver = "intel";
- vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
deviceSection = ''
Option "AccelMethod" "sna"
'';
diff --git a/makefu/2configs/temp/share-samba.nix b/makefu/2configs/temp/share-samba.nix
new file mode 100644
index 000000000..c021e66c6
--- /dev/null
+++ b/makefu/2configs/temp/share-samba.nix
@@ -0,0 +1,36 @@
+{config, ... }:{
+ users.users.smbguest = {
+ name = "smbguest";
+ uid = config.ids.uids.smbguest;
+ description = "smb guest user";
+ home = "/var/empty";
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 139 445 # samba
+ ];
+
+ networking.firewall.allowedUDPPorts = [
+ 137 138
+ ];
+ services.samba = {
+ enable = true;
+ shares = {
+ share-home = {
+ path = "/home/share/";
+ "read only" = "no";
+ browseable = "yes";
+ "guest ok" = "yes";
+ };
+ };
+ extraConfig = ''
+ guest account = smbguest
+ map to guest = bad user
+ # disable printing
+ load printers = no
+ printing = bsd
+ printcap name = /dev/null
+ disable spoolss = yes
+ '';
+ };
+}
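Review bot: The `share-home` share is guest-writable (`"read only" = "no"`, `"guest ok" = "yes"`, `map to guest = bad user`) and the firewall opens 137–139/445 on every interface, so any host that can reach this machine can write to `/home/share/` with no credentials. Even for a config under `temp/`, scope it: add `hosts deny = ALL` and `hosts allow = <LAN subnet> 127.0.0.1` to `extraConfig` (or `interfaces = <lan-if>` with `bind interfaces only = yes`), and/or restrict the firewall openings to that subnet instead of the global `allowedTCPPorts`/`allowedUDPPorts`. Note also that `/home/share/` must exist and be writable by `smbguest` for guest writes to work and nothing in this file creates it; a comment stating that expectation, or a tmpfiles rule, would make the module self-contained.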
diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix
new file mode 100644
index 000000000..dcb072461
--- /dev/null
+++ b/makefu/2configs/tinc/retiolum.nix
@@ -0,0 +1,4 @@
+_:
+{
+ krebs.tinc.retiolum.enable = true;
+}
diff --git a/makefu/2configs/virtualization-virtualbox.nix b/makefu/2configs/virtualization-virtualbox.nix
index 2b4e24774..7a14dea7f 100644
--- a/makefu/2configs/virtualization-virtualbox.nix
+++ b/makefu/2configs/virtualization-virtualbox.nix
@@ -2,20 +2,22 @@
let
mainUser = config.krebs.build.user;
- version = "5.0.20";
- rev = "106931";
- vboxguestpkg = pkgs.fetchurl {
+ vboxguestpkg = lib.stdenv.mkDerivation rec {
+ name = "Virtualbox-Extensions-${version}-${rev}";
+ version = "5.0.20";
+ rev = "106931";
+ src = pkgs.fetchurl {
url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack";
sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf";
};
+ };
in {
- #inherit vboxguestpkg;
virtualisation.virtualbox.host.enable = true;
nixpkgs.config.virtualbox.enableExtensionPack = true;
users.extraGroups.vboxusers.members = [ "${mainUser.name}" ];
nixpkgs.config.packageOverrides = super: {
- boot.kernelPackages = super.boot.kernelPackages.virtualbox.override {
+ boot.kernelPackages.virtualbox = super.boot.kernelPackages.virtualbox.override {
buildInputs = super.boot.kernelPackages.virtualBox.buildInputs
++ [ vboxguestpkg ];
};
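Review bot: `lib.stdenv.mkDerivation` at the top of the new `vboxguestpkg` looks wrong: nixpkgs `lib` has no `stdenv` attribute, so this should be `pkgs.stdenv.mkDerivation` (unless `lib` is bound to something else in the argument list, which is outside the hunk). The derivation also declares only `src`, so it runs the default phases on a `.vbox-extpack` archive — an extension the stock unpacker does not recognize — and has no install step, so expect a build failure unless the override below only ever needs the store path of the download, in which case the plain `fetchurl` it replaced was the simpler working form. Finally, `http://download.virtualbox.org/...` is fetched over plain HTTP; the pinned sha256 covers integrity, but the same path is served over https and switching costs nothing.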
diff --git a/makefu/2configs/zsh-user.nix b/makefu/2configs/zsh-user.nix
index 9527ead1a..99c1315e1 100644
--- a/makefu/2configs/zsh-user.nix
+++ b/makefu/2configs/zsh-user.nix
@@ -22,15 +22,11 @@ in
bindkey "\e[3~" delete-char
zstyle ':completion:*' menu select
- # load gpg-agent
- envfile="$HOME/.gnupg/gpg-agent.env"
- if [ -e "$envfile" ] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
- eval "$(cat "$envfile")"
- else
- eval "$(${pkgs.gnupg}/bin/gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
- fi
- export GPG_AGENT_INFO
- export SSH_AUTH_SOCK
+ gpg-connect-agent updatestartuptty /bye >/dev/null
+ GPG_TTY=$(tty)
+ export GPG_TTY
+ unset SSH_AGENT_PID
+ export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
'';
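Review bot: `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"` hard-codes one gpg-agent socket layout and unconditionally clobbers any agent the session already had, including a forwarded agent when logging in with `ssh -A`. Prefer `export SSH_AUTH_SOCK="$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)"`, which respects non-default socket directories, and guard it with something like `[ -z "$SSH_CONNECTION" ]` if a forwarded agent should win. `gpg-connect-agent` is also called unqualified here while the removed code used `${pkgs.gnupg}/bin/`; keep the explicit store path so the snippet does not depend on PATH contents.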
promptInit = ''
diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix
index f94136c0b..718b23c9e 100644
--- a/makefu/5pkgs/default.nix
+++ b/makefu/5pkgs/default.nix
@@ -19,7 +19,6 @@ in
skytraq-logger = callPackage ./skytraq-logger {};
taskserver = callPackage ./taskserver {};
ps3netsrv = callPackage ./ps3netsrv {};
- honeyd = callPackage ./honeyd {};
farpd = callPackage ./farpd {};
};
}
diff --git a/makefu/5pkgs/devpi/default.nix b/makefu/5pkgs/devpi/default.nix
index 0df8ecd2c..3ccc35c79 100644
--- a/makefu/5pkgs/devpi/default.nix
+++ b/makefu/5pkgs/devpi/default.nix
@@ -8,7 +8,7 @@ let
url = "https://pypi.python.org/packages/source/e/execnet/${name}.tar.gz";
sha256 = "1rpk1vyclhg911p3hql0m0nrpq7q7mysxnaaw6vs29cpa6kx8vgn";
};
-
+ doCheck = false; # http://prism:8010/builders/build-all/builds/177/steps/build-vbob/logs/stdio
propagatedBuildInputs = with pkgs.python3Packages;
[ setuptools_scm apipkg ];
meta = {
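Review bot: The justification for `doCheck = false` is a link to a build log on an internal buildbot (`http://prism:8010/...`) that will not outlive that host's build history, so the reason for skipping the test suite is lost to anyone reading the file later. Replace the bare URL with a one-line statement of what fails, e.g. `doCheck = false; # <failing test>: <reason in the nix sandbox>; see buildbot build-all #177`, so the skip can be revisited once the cause is gone.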
diff --git a/makefu/5pkgs/honeyd/default.nix b/makefu/5pkgs/honeyd/default.nix
deleted file mode 100644
index 5dca35f33..000000000
--- a/makefu/5pkgs/honeyd/default.nix
+++ /dev/null
@@ -1,62 +0,0 @@
-{ stdenv, lib, pkgs, fetchurl,fetchFromGitHub,
- libpcap, libdnet, libevent, readline, autoconf, automake, libtool, zlib, pcre,
- ... }:
-stdenv.mkDerivation rec {
- name = "honeyd-${version}";
-
- #version = "1.5c"; #original, does not compile due to libc errors
- #src = fetchurl {
- # url = "http://www.honeyd.org/uploads/honeyd-${version}.tar.gz";
- # sha256 = "0vcih16fk5pir5ssfil8x79nvi62faw0xvk8s5klnysv111db1ii";
- #};
-
- #version = "64d087c"; # honeyd-1.6.7
- # sha256 = "0zhnn13r24y1q494xcfx64vyp84zqk8qmsl41fq2674230bn0p31";
-
- version = "c135fea08"; #nova-13.09
- src = fetchFromGitHub {
- owner = "DataSoft";
- repo = "honeyd";
- rev = version;
- sha256 = "1r9qds7a1yp3nkccwh3isrizpr2njhpf1m6qp3lqkj0i9c4w6x44";
- };
-
- buildInputs = with pkgs;[
- automake
- gnugrep
- libpcap
- libdnet
- pcre
- libevent
- readline
- autoconf
- libtool
- zlib
- coreutils
- python
- pythonPackages.sqlite3
- ];
- patches = [ ./fix-autogen.patch ];
-
- # removes user install script from Makefile before automake
- preConfigure = ''
- sed -i '/init.py$/d' Makefile.am
- sh ./autogen.sh
- '';
-
- makeFlags = [ "LIBS=-lz" ];
- configureFlags = [
- "--with-libpcap=${libpcap}"
- "--with-libevent=${libevent}"
- "--with-zlib=${zlib}"
- "--with-python"
- "--with-libpcre=${pcre}"
- "--with-libreadline=${readline}"
- ];
-
- meta = {
- homepage = http://www.honeyd.org/;
- description = "virtual Honeypots";
- license = lib.licenses.gpl2;
- };
-}
diff --git a/makefu/5pkgs/honeyd/fix-autogen.patch b/makefu/5pkgs/honeyd/fix-autogen.patch
deleted file mode 100644
index 9fccafa82..000000000
--- a/makefu/5pkgs/honeyd/fix-autogen.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- ./configure.in 2016-06-27 18:36:06.640779048 +0200
-+++ ./configure.in 2016-06-27 18:34:53.968803854 +0200
-@@ -119,11 +119,11 @@
- ;;
- *)
- AC_MSG_RESULT($withval)
-- if test -f $withval/pcap.h -a -f $withval/libpcap.a; then
-+ if test -f $withval/include/pcap.h -a -f $withval/lib/libpcap.so; then
- owd=`pwd`
- if cd $withval; then withval=`pwd`; cd $owd; fi
-- PCAPINC="-I$withval -I$withval/bpf"
-- PCAPLIB="-L$withval -lpcap"
-+ PCAPINC="-I$withval/include -I$withval/include/bpf"
-+ PCAPLIB="-L$withval/lib -lpcap"
- else
- AC_ERROR(pcap.h or libpcap.a not found in $withval)
- fi
-@@ -230,7 +230,7 @@
- if cd $withval; then withval=`pwd`; cd $owd; fi
- EVENTINC="-I$withval"
- EVENTLIB="-L$withval -levent"
-- elif test -f $withval/include/event.h -a -f $withval/lib/libevent.a; then
-+ elif test -f $withval/include/event.h -a -f $withval/lib/libevent.so; then
- owd=`pwd`
- if cd $withval; then withval=`pwd`; cd $owd; fi
- EVENTINC="-I$withval/include"
-@@ -354,12 +354,12 @@
- ;;
- *)
- AC_MSG_RESULT($withval)
-- if test -f $withval/readline/readline.h -a -f $withval/libreadline.a; then
-+ if test -f $withval/include/readline/readline.h -o -f $withval/lib/libreadline.so; then
- owd=`pwd`
- if cd $withval; then withval=`pwd`; cd $owd; fi
- AC_DEFINE(HAVE_LIBREADLINE, 1, [Define if you have libreadline])
-- EDITINC="-I$withval"
-- EDITLIB="-L$withval -lreadline"
-+ EDITINC="-I$withval/include"
-+ EDITLIB="-L$withval/lib -lreadline"
- else
- AC_ERROR(readline/readline.h or libreadline.a not found in $withval)
- fi
diff --git a/shared/1systems/test-all-krebs-modules.nix b/shared/1systems/test-all-krebs-modules.nix
index 2034071f0..60d5f3252 100644
--- a/shared/1systems/test-all-krebs-modules.nix
+++ b/shared/1systems/test-all-krebs-modules.nix
@@ -38,7 +38,7 @@ in {
};
nginx.enable = true;
realwallpaper.enable = true;
- retiolum.enable = true;
+ tinc.retiolum.enable = true;
retiolum-bootstrap.enable = true;
tinc_graphs.enable = true;
urlwatch.enable = true;
diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 180510066..3818cf2c5 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -15,14 +15,14 @@ in
../2configs/shared-buildbot.nix
../2configs/cgit-mirror.nix
../2configs/repo-sync.nix
- # ../2configs/graphite.nix
+ ../2configs/graphite.nix
];
# use your own binary cache, fallback use cache.nixos.org (which is used by
# apt-cacher-ng in first place)
# local discovery in shackspace
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
- krebs.retiolum.extraConfig = "TCPOnly = yes";
+ krebs.tinc.retiolum.extraConfig = "TCPOnly = yes";
services.grafana = {
enable = true;
addr = "0.0.0.0";
diff --git a/shared/2configs/base.nix b/shared/2configs/base.nix
index a92a0df35..5aa5897d7 100644
--- a/shared/2configs/base.nix
+++ b/shared/2configs/base.nix
@@ -3,7 +3,7 @@
with config.krebs.lib;
{
krebs.enable = true;
- krebs.retiolum.enable = true;
+ krebs.tinc.retiolum.enable = true;
# TODO rename shared user to "krebs"
krebs.build.user = mkDefault config.krebs.users.shared;
diff --git a/shared/2configs/repo-sync.nix b/shared/2configs/repo-sync.nix
index d1d9ab3f8..753b0f473 100644
--- a/shared/2configs/repo-sync.nix
+++ b/shared/2configs/repo-sync.nix
@@ -17,7 +17,7 @@ with lib;
mirror.url = mirror;
};
lassulus = {
- origin.url = http://cgit.cloudkrebs/stockholm ;
+ origin.url = http://cgit.prism/stockholm ;
mirror.url = mirror;
};
"@latest" = {
diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix
index f79454157..7179be570 100644
--- a/tv/2configs/retiolum.nix
+++ b/tv/2configs/retiolum.nix
@@ -3,7 +3,7 @@
with config.krebs.lib;
{
- krebs.retiolum = {
+ krebs.tinc.retiolum = {
enable = true;
connectTo = filter (ne config.krebs.build.host.name) [
"gum"