41 files changed, 515 insertions, 111 deletions
@@ -1,5 +1,12 @@ stockholm ?= . +export STOCKHOLM_VERSION ?= $(shell \ + version=git.$$(git describe --always --dirty); \ + case $$version in (*-dirty) version=$$version@$$(hostname); esac; \ + date=$$(date +%y.%m); \ + printf '%s' "$$date.$$version"; \ +) + ifndef nixos-config $(if $(system),,$(error unbound variable: system)) nixos-config = ./$(LOGNAME)/1systems/$(system).nix @@ -60,7 +67,8 @@ deploy: ssh ?= ssh deploy: $(call execute,populate) $(ssh) $(target_user)@$(target_host) -p $(target_port) \ - nixos-rebuild switch --show-trace -I $(target_path) + env STOCKHOLM_VERSION="$$STOCKHOLM_VERSION" \ + nixos-rebuild switch --show-trace -I $(target_path) # usage: make LOGNAME=shared system=wolf eval.config.krebs.build.host.name eval eval.:;@$(call evaluate,$${expr-eval}) @@ -75,6 +83,7 @@ install: target_path=/mnt$(target_path) $(call execute,populate) $(ssh) $(target_user)@$(target_host) -p $(target_port) \ env NIXOS_CONFIG=$(target_path)/nixos-config \ + STOCKHOLM_VERSION="$$STOCKHOLM_VERSION" \ nixos-install # usage: make test system=foo [target=bar] [method={eval,build}] diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 186469e97..bdd9049cb 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -23,6 +23,7 @@ let ./lib.nix ./nginx.nix ./nixpkgs.nix + ./os-release.nix ./per-user.nix ./Reaktor.nix ./realwallpaper.nix diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix index 6e6928f89..696c48baf 100644 --- a/krebs/3modules/exim-retiolum.nix +++ b/krebs/3modules/exim-retiolum.nix @@ -39,6 +39,8 @@ let # TODO modular configuration assert config.krebs.retiolum.enable; '' + keep_environment = + primary_hostname = ${cfg.primary_hostname} domainlist local_domains = ${concatStringsSep ":" cfg.local_domains} domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains} diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index c976e89de..cee10ce7d 100644 
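Review bot: The generated STOCKHOLM_VERSION is spliced unquoted into the remote command in the deploy and install hunks — `env STOCKHOLM_VERSION="$$STOCKHOLM_VERSION"` is expanded by the local shell and the resulting text is re-parsed by the login shell on the target, so a tag name or hostname containing `;`, `$`, backticks or spaces (git permits several of these in ref names) would execute on the target as the deploy user. Either escape the value for the remote shell or constrain it where it is generated, e.g. replace the printf line with `printf '%s' "$$date.$$version" | tr -c 'A-Za-z0-9@._-' _; \`. Note also that `--dirty` builds append `$(hostname)`; that value flows into /etc/os-release and, where that file is served over HTTP (the tv nginx config elsewhere in this commit does so), discloses the deploying machine's name, which may not belong in a published version string.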
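Review bot: `keep_environment =` with an empty value in the exim-retiolum hunk is the right setting (it drops the inherited environment that exim 4.86.2 otherwise warns about), but nothing says the empty assignment is deliberate and a later reader may well "fix" it. Suggest a comment above it: `# Deliberately empty: drop the inherited environment (exim >= 4.86.2 warns when unset; CVE-2016-1531).` If this configuration has pipe or `${run …}` transports that rely on PATH, they now need an explicit `add_environment = PATH=…`; the transports are outside this hunk, so I cannot tell.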
--- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -12,6 +12,29 @@ let api = { enable = mkEnableOption "krebs.exim-smarthost"; + dkim = mkOption { + type = types.listOf (types.submodule ({ config, ... }: { + options = { + domain = mkOption { + type = types.str; + }; + private_key = mkOption { + type = types.secret-file; + default = { + path = "/run/krebs.secret/${config.domain}.dkim_private_key"; + owner.name = "exim"; + source-path = toString <secrets> + "/${config.domain}.dkim.priv"; + }; + }; + selector = mkOption { + type = types.str; + default = "default"; + }; + }; + })); + default = []; + }; + internet-aliases = mkOption { type = types.listOf (types.submodule ({ options = { @@ -72,9 +95,21 @@ let }; imp = { + krebs.secret.files = listToAttrs (flip map cfg.dkim (dkim: { + name = "exim.dkim_private_key/${dkim.domain}"; + value = dkim.private_key; + })); + systemd.services = mkIf (cfg.dkim != []) { + exim = { + after = [ "secret.service" ]; + requires = [ "secret.service" ]; + }; + }; services.exim = { enable = true; config = '' + keep_environment = + primary_hostname = ${cfg.primary_hostname} # HOST_REDIR contains the real destinations for "local_domains". @@ -191,6 +226,12 @@ let remote_smtp: driver = smtp + ${optionalString (cfg.dkim != []) '' + dkim_canon = relaxed + dkim_domain = $sender_address_domain + dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}} + dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}} + ''} helo_data = ''${if eq{$acl_m_special_dom}{} \ {$primary_hostname} \ {$acl_m_special_dom} } 
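Review bot: DKIM signing in the `remote_smtp` hunk is keyed solely on `$sender_address_domain`, so any client this smarthost relays for can obtain a valid signature for a configured domain simply by choosing that envelope sender; unless the ACLs outside this hunk already restrict who may submit mail for those domains, signing should additionally be conditioned on an authenticated or trusted origin (e.g. only when `$authenticated_id` is set, or on an ACL variable). Separately, DMARC aligns on the From: header domain rather than the envelope domain, so a message whose From: differs from the envelope sender receives an unaligned signature; `dkim_domain = ''${lc:''${domain:$h_from:}}` with the two lookups keyed on `$dkim_domain` (available during `dkim_selector`/`dkim_private_key` expansion) would align it. The lsearch tables are plain nix-store files but hold only paths and selectors, not key material, and the `/run/krebs.secret` default with `owner.name = "exim"` keeps the key itself out of the store, which is right.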
@@ -219,12 +260,20 @@ let }; - lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) { + lsearch = mapAttrs (name: set: toFile name (to-lsearch set)) ({ inherit (cfg) internet-aliases; inherit (cfg) system-aliases; - }; - - to-lsearch = concatMapStringsSep "\n" ({ from, to, ... }: "${from}: ${to}"); - -in -out + } // optionalAttrs (cfg.dkim != []) { + dkim_private_key = flip map cfg.dkim (dkim: { + from = dkim.domain; + to = dkim.private_key.path; + }); + dkim_selector = flip map cfg.dkim (dkim: { + from = dkim.domain; + to = dkim.selector; + }); + }); + + to-lsearch = concatMapStrings ({ from, to, ... }: "${from}: ${to}\n"); + +in out diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 0cc2f11c9..d2d73ba3d 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -400,7 +400,7 @@ let #! /bin/sh set -euf - PATH=${makeSearchPath "bin" (with pkgs; [ + PATH=${makeBinPath (with pkgs; [ coreutils git gnugrep @@ -451,7 +451,7 @@ let #! /bin/sh set -euf - PATH=${makeSearchPath "bin" (with pkgs; [ + PATH=${makeBinPath (with pkgs; [ coreutils findutils gawk @@ -511,7 +511,7 @@ let #! /bin/sh set -euf - PATH=${makeSearchPath "bin" (with pkgs; [ + PATH=${makeBinPath (with pkgs; [ coreutils # env git systemd diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 4bf10ac56..6220a2d6f 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -19,6 +19,7 @@ with config.krebs.lib; addrs6 = ["42:0000:0000:0000:0000:0000:d15f:1233"]; aliases = [ "dishfire.retiolum" + "dishfire.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -52,6 +53,7 @@ with config.krebs.lib; "echelon.retiolum" "cgit.echelon.retiolum" "go.retiolum" + "go.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -83,6 +85,7 @@ with config.krebs.lib; addrs6 = ["42:0000:0000:0000:0000:0000:0000:15ab"]; aliases = [ "prism.retiolum" + "prism.r" "cgit.prism.retiolum" ]; tinc.pubkey = '' 
@@ -114,6 +117,7 @@ with config.krebs.lib; addrs6 = ["42:422a:194f:ff3b:e196:2f82:5cf5:bc00"]; aliases = [ "fastpoke.retiolum" + "fastpoke.r" "cgit.fastpoke.retiolum" ]; tinc.pubkey = '' @@ -144,6 +148,7 @@ with config.krebs.lib; addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; aliases = [ "cloudkrebs.retiolum" + "cloudkrebs.r" "cgit.cloudkrebs.retiolum" ]; tinc.pubkey = '' @@ -173,6 +178,7 @@ with config.krebs.lib; addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"]; aliases = [ "uriel.retiolum" + "uriel.r" "cgit.uriel.retiolum" ]; tinc.pubkey = '' @@ -203,6 +209,7 @@ with config.krebs.lib; addrs6 = ["42:0:0:0:0:0:0:dea7"]; aliases = [ "mors.retiolum" + "mors.r" "cgit.mors.retiolum" ]; tinc.pubkey = '' @@ -229,6 +236,7 @@ with config.krebs.lib; addrs6 = ["42:0:0:0:0:0:0:7105"]; aliases = [ "helios.retiolum" + "helios.r" "cgit.helios.retiolum" ]; tinc.pubkey = '' diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index ec39715d8..196a6eae7 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -39,6 +39,34 @@ let type = with types; string; default = ""; }; + ssl = mkOption { + type = with types; submodule ({ + options = { + enable = mkEnableOption "ssl"; + certificate = mkOption { + type = str; + }; + certificate_key = mkOption { + type = str; + }; + #TODO: check for valid cipher + ciphers = mkOption { + type = str; + default = "AES128+EECDH:AES128+EDH"; + }; + prefer_server_ciphers = mkOption { + type = bool; + default = true; + }; + protocols = mkOption { + type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]); + default = [ "TLSv1.1" "TLSv1.2" ]; + + }; + }; + }); + default = {}; + }; }; }); default = {}; @@ -49,7 +77,6 @@ let services.nginx = { enable = true; httpConfig = '' - include ${pkgs.nginx}/conf/mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; 
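Review bot: The new `protocols` enum in the nginx `ssl` submodule still accepts `SSLv2` and `SSLv3`, so a perfectly well-typed config can enable protocols with known breaks (POODLE for SSLv3); since the default already excludes them, dropping them from the enum costs nothing: `type = listOf (enum [ "TLSv1" "TLSv1.1" "TLSv1.2" ]);`. The `#TODO: check for valid cipher` is fair, but until then the option should say the value is passed verbatim to `ssl_ciphers` and must be OpenSSL list syntax. `certificate_key` is typed `str`, and a caller writing `"${./key.pem}"` would copy the key into the world-readable nix store — worth a one-line warning in the option description. The removed `include ${pkgs.nginx}/conf/mime.types;` turns every static response into `application/octet-stream` unless NixOS's own nginx module already includes the mime table, which I cannot see from here.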
@@ -73,14 +100,28 @@ let } ''; - to-server = { server-names, listen, locations, extraConfig, ... }: '' - server { - ${concatMapStringsSep "\n" (x: "listen ${x};") listen} - server_name ${toString server-names}; - ${indent extraConfig} - ${indent (concatMapStrings to-location locations)} - } - ''; + to-server = { server-names, listen, locations, extraConfig, ssl, ... }: + let + _extraConfig = if ssl.enable then + extraConfig + '' + ssl_certificate ${ssl.certificate}; + ssl_certificate_key ${ssl.certificate_key}; + ${optionalString ssl.prefer_server_ciphers "ssl_prefer_server_ciphers On;"} + ssl_ciphers ${ssl.ciphers}; + ssl_protocols ${toString ssl.protocols}; + '' + else + extraConfig + ; + + in '' + server { + ${concatMapStringsSep "\n" (x: "listen ${x};") (listen ++ optional ssl.enable "443 ssl")} + server_name ${toString server-names}; + ${indent _extraConfig} + ${indent (concatMapStrings to-location locations)} + } + ''; in out diff --git a/krebs/3modules/os-release.nix b/krebs/3modules/os-release.nix new file mode 100644 index 000000000..4c803fff8 --- /dev/null +++ b/krebs/3modules/os-release.nix 
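Review bot: When `ssl.enable` is set the generated server block emits `ssl_ciphers` but never `ssl_dhparam`, while the default cipher list includes `AES128+EDH`; older nginx builds fall back to a built-in 1024-bit DH group for DHE suites when no dhparam is configured and newer ones silently disable DHE altogether, so either way the line does not do what the cipher string suggests. Either add a `dhparam` option to the submodule and emit `ssl_dhparam ${ssl.dhparam};` when set, or drop `AES128+EDH` from the default so only ECDHE suites are offered. Minor: `listen ++ optional ssl.enable "443 ssl"` yields a duplicate `listen` if a caller already lists 443, which nginx rejects at startup; a comment on the option or a `unique` over the list would avoid the surprise.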
@@ -0,0 +1,28 @@
+{ config, ... }:
+with config.krebs.lib;
+let
+ nixos-version-id = "${config.system.nixosVersion}";
+ nixos-version = "${nixos-version-id} (${config.system.nixosCodeName})";
+ nixos-pretty-name = "NixOS ${nixos-version}";
+
+ stockholm-version-id = maybeEnv "STOCKHOLM_VERSION" "unknown";
+ stockholm-version = "${stockholm-version-id}";
+ stockholm-pretty-name = "stockholm ${stockholm-version}";
+
+ version = "${stockholm-version}/${nixos-version}";
+ version-id = "${stockholm-version-id}/${nixos-version-id}";
+ pretty-name = "${stockholm-pretty-name} / ${nixos-pretty-name}";
+
+ home-url = http://cgit.cd.krebsco.de/stockholm;
+in
+{
+ # http://0pointer.de/public/systemd-man/os-release.html
+ environment.etc."os-release".text = mkForce ''
+ NAME="stockholm/NixOS"
+ ID=stockholm
+ VERSION="${version}"
+ VERSION_ID="${version-id}"
+ PRETTY_NAME="${pretty-name}"
+ HOME_URL="${home-url}"
+ '';
+}
diff --git a/krebs/5pkgs/builders.nix b/krebs/5pkgs/builders.nix
index fa51857ba..146e6f9e1 100644
--- a/krebs/5pkgs/builders.nix
+++ b/krebs/5pkgs/builders.nix
@@ -29,7 +29,7 @@ rec {
 execveBin = name: cfg: execve name (cfg // { destination = "/bin/${name}"; });

 writeC = name: { destination ? "" }: src: pkgs.runCommand name {} ''
- PATH=${makeSearchPath "bin" (with pkgs; [
+ PATH=${makeBinPath (with pkgs; [
 binutils
 coreutils
 gcc
diff --git a/krebs/5pkgs/cac-api/default.nix b/krebs/5pkgs/cac-api/default.nix
index 52ada4f1b..85a906e1d 100644
--- a/krebs/5pkgs/cac-api/default.nix
+++ b/krebs/5pkgs/cac-api/default.nix
@@ -18,7 +18,7 @@ stdenv.mkDerivation {
 mkdir -p $out/bin
 { cat <<\EOF
 #! ${dash}/bin/dash
- export PATH=${stdenv.lib.makeSearchPath "bin" [
+ export PATH=${stdenv.lib.makeBinPath [
 bc
 coreutils
 curl
diff --git a/krebs/5pkgs/cgit/default.nix b/krebs/5pkgs/cgit/default.nix
new file mode 100644
index 000000000..3180a5bd3
--- /dev/null
+++ b/krebs/5pkgs/cgit/default.nix
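Review bot: `VERSION_ID` is built as `${stockholm-version-id}/${nixos-version-id}` and the Makefile-side value may carry `@hostname`; the os-release spec restricts VERSION_ID to lower-case `0-9a-z._-`, so `/` and `@` make the file non-conformant for consumers that key on it. The values are also interpolated between double quotes without escaping, so a version string containing `"`, `$` or a backslash would corrupt the file for shell-style parsers — at minimum sanitise the input (or run it through `builtins.replaceStrings`) before writing. Replacing `ID=nixos` with `ID=stockholm` can break tooling that detects NixOS via `ID`; adding `ID_LIKE=nixos` keeps those consumers working. A note that `maybeEnv "STOCKHOLM_VERSION"` presumably reads the deploying shell's environment, making the evaluation impure, would help the next reader.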
@@ -0,0 +1,64 @@ +{ stdenv, fetchurl, openssl, zlib, asciidoc, libxml2, libxslt +, docbook_xml_xslt, pkgconfig, luajit +, gzip, bzip2, xz +}: + +stdenv.mkDerivation rec { + name = "cgit-${version}"; + version = "0.12"; + + src = fetchurl { + url = "http://git.zx2c4.com/cgit/snapshot/${name}.tar.xz"; + sha256 = "1dx54hgfyabmg9nm5qp6d01f54nlbqbbdwhwl0llb9imjf237qif"; + }; + + # cgit is tightly coupled with git and needs a git source tree to build. + # IMPORTANT: Remember to check which git version cgit needs on every version + # bump (look in the Makefile). + # NOTE: as of 0.10.1, the git version is compatible from 1.9.0 to + # 1.9.2 (see the repository history) + gitSrc = fetchurl { + url = "mirror://kernel/software/scm/git/git-2.7.2.tar.xz"; + sha256 = "086ga30ksijfxad085ply83ddf955d2b8qxph5sw6c9hab77j15j"; + }; + + buildInputs = [ + openssl zlib asciidoc libxml2 libxslt docbook_xml_xslt pkgconfig luajit + ]; + + postPatch = '' + sed -e 's|"gzip"|"${gzip}/bin/gzip"|' \ + -e 's|"bzip2"|"${bzip2}/bin/bzip2"|' \ + -e 's|"xz"|"${xz}/bin/xz"|' \ + -i ui-snapshot.c + ''; + + # Give cgit a git source tree and pass configuration parameters (as make + # variables). + preBuild = '' + mkdir -p git + tar --strip-components=1 -xf "$gitSrc" -C git + + makeFlagsArray+=(prefix="$out" CGIT_SCRIPT_PATH="$out/cgit/") + ''; + + # Install manpage. + postInstall = '' + # xmllint fails: + #make install-man + + # bypassing xmllint works: + a2x --no-xmllint -f manpage cgitrc.5.txt + mkdir -p "$out/share/man/man5" + cp cgitrc.5 "$out/share/man/man5" + ''; + + meta = { + homepage = http://git.zx2c4.com/cgit/about/; + repositories.git = git://git.zx2c4.com/cgit; + description = "Web frontend for git repositories"; + license = stdenv.lib.licenses.gpl2; + platforms = stdenv.lib.platforms.linux; + maintainers = with stdenv.lib.maintainers; [ bjornfor ]; + }; +} diff --git a/krebs/5pkgs/default.nix b/krebs/5pkgs/default.nix index f7997dd63..0c39324a7 100644 --- a/krebs/5pkgs/default.nix 
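Review bot: The comment block above `gitSrc` still says the compatible git range is 1.9.0–1.9.2 "as of 0.10.1", while the hunk pins cgit 0.12 against git 2.7.2, so the documentation contradicts the code it sits on; either state the range that applies to 0.12 or reduce it to `# git source pinned to what cgit 0.12's Makefile expects; re-check on every bump.` The file otherwise reads as a copy of the nixpkgs expression (maintainer `bjornfor`), so a one-line header saying why it is carried here would tell a reader when it can be dropped again — which is exactly what the new override tracer in krebs/5pkgs/default.nix is meant to surface.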
+++ b/krebs/5pkgs/default.nix @@ -1,7 +1,20 @@ { config, lib, pkgs, ... }@args: with config.krebs.lib; { - nixpkgs.config.packageOverrides = pkgs: { + nixpkgs.config.packageOverrides = pkgs: let + + # This callPackage will try to detect obsolete overrides. + callPackage = path: args: let + override = pkgs.callPackage path args; + upstream = optionalAttrs (override ? "name") + (pkgs.${(parseDrvName override.name).name} or {}); + in if upstream ? "name" && + override ? "name" && + compareVersions upstream.name override.name != -1 + then trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override + else override; + + in { haskellPackages = pkgs.haskellPackages.override { overrides = self: super: mapAttrs (name: path: self.callPackage path {}) @@ -16,18 +29,18 @@ with config.krebs.lib; (builtins.readDir ./haskell-overrides)); }; - push = pkgs.callPackage ./push { + push = callPackage ./push { inherit (subdirs) get; }; - ReaktorPlugins = pkgs.callPackage ./Reaktor/plugins.nix {}; + ReaktorPlugins = callPackage ./Reaktor/plugins.nix {}; test = { - infest-cac-centos7 = pkgs.callPackage ./test/infest-cac-centos7 {}; + infest-cac-centos7 = callPackage ./test/infest-cac-centos7 {}; }; } // import ./builders.nix args - // mapAttrs (_: flip pkgs.callPackage {}) + // mapAttrs (_: flip callPackage {}) (filterAttrs (_: dir.has-default-nix) (subdirsOf ./.)); } diff --git a/krebs/5pkgs/dic/default.nix b/krebs/5pkgs/dic/default.nix index 571773d22..3566de8cd 100644 --- a/krebs/5pkgs/dic/default.nix +++ b/krebs/5pkgs/dic/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { installPhase = let - path = stdenv.lib.makeSearchPath "bin" [ + path = stdenv.lib.makeBinPath [ coreutils curl gnused diff --git a/krebs/5pkgs/exim/default.nix b/krebs/5pkgs/exim/default.nix new file mode 100644 index 000000000..d8d1f0dc3 --- /dev/null +++ b/krebs/5pkgs/exim/default.nix 
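Review bot: The obsolete-override detector in the new `callPackage` compares whole derivation names with `compareVersions upstream.name override.name` rather than their version components; it works because both sides share the same name prefix, but `(parseDrvName x).version` is what the comparison means and is robust to a name that itself contains digits. `override ? "name"` is also tested twice (once when computing `upstream`, again in the condition). Suggest `compareVersions (parseDrvName upstream.name).version (parseDrvName override.name).version != -1` and a comment stating the rule: trace whenever upstream is at least as new as the override.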
@@ -0,0 +1,63 @@
+{ coreutils, fetchurl, db, openssl, pcre, perl, pkgconfig, stdenv }:
+
+stdenv.mkDerivation rec {
+ name = "exim-4.86.2";
+
+ src = fetchurl {
+ url = "http://mirror.switch.ch/ftp/mirror/exim/exim/exim4/${name}.tar.bz2";
+ sha256 = "1cvfcc1hi60lydv8h3a2rxlfc0v2nflwpvzjj7h7cdsqs2pxwmkp";
+ };
+
+ buildInputs = [ coreutils db openssl pcre perl pkgconfig ];
+
+ preBuild = ''
+ sed '
+ s:^\(BIN_DIRECTORY\)=.*:\1='"$out"'/bin:
+ s:^\(CONFIGURE_FILE\)=.*:\1=/etc/exim.conf:
+ s:^\(EXIM_USER\)=.*:\1=ref\:nobody:
+ s:^\(SPOOL_DIRECTORY\)=.*:\1=/exim-homeless-shelter:
+ s:^# \(SUPPORT_MAILDIR\)=.*:\1=yes:
+ s:^EXIM_MONITOR=.*$:# &:
+ s:^\(FIXED_NEVER_USERS\)=root$:\1=0:
+ s:^# \(WITH_CONTENT_SCAN\)=.*:\1=yes:
+ s:^# \(AUTH_PLAINTEXT\)=.*:\1=yes:
+ s:^# \(SUPPORT_TLS\)=.*:\1=yes:
+ s:^# \(USE_OPENSSL_PC=openssl\)$:\1:
+ s:^# \(LOG_FILE_PATH=syslog\)$:\1:
+ s:^# \(HAVE_IPV6=yes\)$:\1:
+ s:^# \(CHOWN_COMMAND\)=.*:\1=${coreutils}/bin/chown:
+ s:^# \(CHGRP_COMMAND\)=.*:\1=${coreutils}/bin/chgrp:
+ s:^# \(CHMOD_COMMAND\)=.*:\1=${coreutils}/bin/chmod:
+ s:^# \(MV_COMMAND\)=.*:\1=${coreutils}/bin/mv:
+ s:^# \(RM_COMMAND\)=.*:\1=${coreutils}/bin/rm:
+ s:^# \(TOUCH_COMMAND\)=.*:\1=${coreutils}/bin/touch:
+ s:^# \(PERL_COMMAND\)=.*:\1=${perl}/bin/perl:
+ #/^\s*#.*/d
+ #/^\s*$/d
+ ' < src/EDITME > Local/Makefile
+ '';
+
+ installPhase = ''
+ mkdir -p $out/bin $out/share/man/man8
+ cp doc/exim.8 $out/share/man/man8
+
+ ( cd build-Linux-*
+ cp exicyclog exim_checkaccess exim_dumpdb exim_lock exim_tidydb \
+ exipick exiqsumm exigrep exim_dbmbuild exim exim_fixdb eximstats \
+ exinext exiqgrep exiwhat \
+ $out/bin )
+
+ ( cd $out/bin
+ for i in mailq newaliases rmail rsmtp runq sendmail; do
+ ln -s exim $i
+ done )
+ '';
+
+ meta = {
+ homepage = http://exim.org/;
+ description = "A mail transfer agent (MTA)";
+ license = stdenv.lib.licenses.gpl3;
+ platforms = stdenv.lib.platforms.linux;
+ maintainers = [ stdenv.lib.maintainers.tv ];
+ };
+}
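Review bot: Nothing in this new derivation records why a private exim build exists next to nixpkgs', yet the version is the whole point: 4.86.2 is the release that fixed CVE-2016-1531 and introduced `keep_environment`, which this same commit adds to both exim modules. A header comment tying those together, e.g. `# 4.86.2: fixes CVE-2016-1531; runtime configs must set keep_environment (see 3modules/exim-*.nix)`, would stop someone from reverting to an older nixpkgs exim without noticing. Build-time choices worth a line each: `EXIM_USER=ref:nobody` only matters if the runtime config does not override `exim_user` (NixOS's module presumably does), `FIXED_NEVER_USERS=0` is the right hardening, and `AUTH_PLAINTEXT=yes` must remain gated behind TLS in the runtime ACLs, which are outside this hunk.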
diff --git a/krebs/5pkgs/fortclientsslvpn/default.nix b/krebs/5pkgs/fortclientsslvpn/default.nix index e1c813479..602766f46 100644 --- a/krebs/5pkgs/fortclientsslvpn/default.nix +++ b/krebs/5pkgs/fortclientsslvpn/default.nix @@ -15,7 +15,7 @@ stdenv.mkDerivation rec { buildInputs = [ makeWrapper ]; - binPath = lib.makeSearchPath "bin" [ + binPath = lib.makeBinPath [ coreutils gawk ]; diff --git a/krebs/5pkgs/get/default.nix b/krebs/5pkgs/get/default.nix index 13cdeca96..f82c7e8b7 100644 --- a/krebs/5pkgs/get/default.nix +++ b/krebs/5pkgs/get/default.nix @@ -16,7 +16,7 @@ stdenv.mkDerivation { installPhase = let - path = stdenv.lib.makeSearchPath "bin" [ + path = stdenv.lib.makeBinPath [ coreutils gnugrep gnused diff --git a/krebs/5pkgs/git-hooks/default.nix b/krebs/5pkgs/git-hooks/default.nix index 5697c31be..3aba90535 100644 --- a/krebs/5pkgs/git-hooks/default.nix +++ b/krebs/5pkgs/git-hooks/default.nix @@ -12,7 +12,7 @@ let #! /bin/sh set -euf - export PATH=${makeSearchPath "bin" (with pkgs; [ + export PATH=${makeBinPath (with pkgs; [ coreutils git gnused diff --git a/krebs/5pkgs/github-hosts-sync/default.nix b/krebs/5pkgs/github-hosts-sync/default.nix index b9dcfa9b8..0dcbe7fd8 100644 --- a/krebs/5pkgs/github-hosts-sync/default.nix +++ b/krebs/5pkgs/github-hosts-sync/default.nix @@ -17,7 +17,7 @@ stdenv.mkDerivation { installPhase = let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; - path = stdenv.lib.makeSearchPath "bin" (with pkgs; [ + path = stdenv.lib.makeBinPath (with pkgs; [ coreutils findutils git diff --git a/krebs/5pkgs/hashPassword/default.nix b/krebs/5pkgs/hashPassword/default.nix index a10340cc4..6a7c51c57 100644 --- a/krebs/5pkgs/hashPassword/default.nix +++ b/krebs/5pkgs/hashPassword/default.nix @@ -5,7 +5,7 @@ pkgs.writeScriptBin "hashPassword" '' # usage: hashPassword set -euf - export PATH=${lib.makeSearchPath "bin" (with pkgs; [ + export PATH=${lib.makeBinPath (with pkgs; [ coreutils mkpasswd openssl 
diff --git a/krebs/5pkgs/nq/default.nix b/krebs/5pkgs/nq/default.nix deleted file mode 100644 index 0f397a43c..000000000 --- a/krebs/5pkgs/nq/default.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ fetchgit, stdenv }: - -stdenv.mkDerivation rec { - name = "nq-${rev}"; - rev = "0eae839cb1"; - - src = fetchgit { - url = https://github.com/chneukirchen/nq; - inherit rev; - sha256 = "1150274750cde934932d65bd6053d7a0ba2404a59eadfb87fc6bd8a4fb70febb"; - }; - - configurePhase = '' - sed -i "s:^PREFIX=.*:PREFIX=$out:" Makefile - ''; -} diff --git a/krebs/5pkgs/push/default.nix b/krebs/5pkgs/push/default.nix index aa17a21a9..9a627fe36 100644 --- a/krebs/5pkgs/push/default.nix +++ b/krebs/5pkgs/push/default.nix @@ -25,7 +25,7 @@ stdenv.mkDerivation { installPhase = let - path = lib.makeSearchPath "bin" [ + path = lib.makeBinPath [ coreutils git gnumake diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 0103b6ec0..2784375c2 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -19,12 +19,11 @@ with builtins; # }; #} { - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; } - ]; - }; + services.elasticsearch = { + enable = true; + plugins = [ + pkgs.elasticsearchPlugins.elasticsearch_kopf + ]; }; } ]; diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 9f492e2c6..b95e61a58 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -25,6 +25,7 @@ ../2configs/teamviewer.nix ../2configs/libvirt.nix ../2configs/fetchWallpaper.nix + ../2configs/cbase.nix #../2configs/buildbot-standalone.nix { #risk of rain port @@ -141,7 +142,7 @@ services.elasticsearch = { enable = true; plugins = [ - pkgs.elasticsearchPlugins.elasticsearch_kopf + # pkgs.elasticsearchPlugins.elasticsearch_kopf ]; }; } 
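Review bot: The helios hunk enables Elasticsearch with the kopf plugin while removing the `--dport 8000` ACCEPT rule; kopf is an unauthenticated web UI and Elasticsearch of this era has no authentication of its own, so this is only safe as long as `services.elasticsearch.listenAddress` stays on loopback (the NixOS default as far as I recall, not shown here). A comment next to `enable = true;` stating that the service is intentionally loopback-only, or an explicit `listenAddress = "127.0.0.1";`, would make the assumption visible rather than inherited.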
@@ -270,14 +271,14 @@ emulateWheel = true; }; - services.xserver = { - videoDriver = "intel"; - vaapiDrivers = [ pkgs.vaapiIntel ]; - deviceSection = '' - Option "AccelMethod" "sna" - BusID "PCI:0:2:0" - ''; - }; + #services.xserver = { + # videoDriver = "intel"; + # vaapiDrivers = [ pkgs.vaapiIntel ]; + # deviceSection = '' + # Option "AccelMethod" "sna" + # BusID "PCI:0:2:0" + # ''; + #}; environment.systemPackages = with pkgs; [ cac-api @@ -328,7 +329,4 @@ tapButtons = false; twoFingerScroll = true; }; - - #for google hangout - users.extraUsers.gm.extraGroups = [ "audio" "video" ]; } diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 05b3470e5..4d40c8d59 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -83,10 +83,10 @@ in { { sound.enable = false; } - { - #workaround for server dying after 6-7h - boot.kernelPackages = pkgs.linuxPackages_4_2; - } + #{ + # #workaround for server dying after 6-7h + # boot.kernelPackages = pkgs.linuxPackages_4_2; + #} { nixpkgs.config.allowUnfree = true; } 
@@ -119,7 +119,8 @@ in { } { users.users.chat.openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJJKlOeAHyi7lToCqRF/hdA2TrtVbrTUd2ayuWsXe9JWiyeyKH/LNY3SrgxCWPZSItE9VK68ghMuVYK/A8IAcgzNhzFYLDxmtsidjiOJBj2ZGsjqevoQ5HuKB/pob8CLW3dr1Rx38Any/XXxpfeO6vemCJMGLTe5gSlrCI+Tk1qNt0Rz+rke73Hwt9wW39g8X3prF2q9ryL9OFCcsoYUE7PIOV9xM1GaDFfTR4bKux7HyFKmG+rBvmJHB5OPW8UAtVZGY/FIChwlmF6QNO5Zym497bG1RCOGplaLpRXVJrmoUkZUO7EazePPxIjz2duWYqFtwl5R9YGy1+a+F58G19DS7wJHM29td117/ZANjRTxE5q/aJm2okJYOVSqhYzdhji+BWVZ5ai7cktpAdtPo++yiZN90LvogXNB64kFxVGuX52xZcA3KLKmvrd47o9k0pzO+oCoArxPFIx0YkHfy/yw7OG8Z+KLK8l9WXWBZO5TpjcydnEcRZ8OEqVhtmDh+9h1zhPphuFBtT1JPbt8m132RUy23qsNRtZ/lnnfQbrxgHPRzVuvA8o4ahOEUdvV9SYnzKb6qMFXGp25EhlcWnR4/toyG6I3paBtByeHkaxjgCuvm9Hob6f/xFr3kEJ4WXTVguyrcFgNg2EcEfdkrTMhNn9OIHEFFQ8whIBv5jlw== JuiceSSH" + "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFhFJUMTfPbv3SzqlT9S67Av/m/ctLfTd3mMhD4O9hZc+t+dZmaHWj3v1KujzMBiDp3Yfo2YdVVZLTwTluHD8yNoQH418Vm01nrYHwOsc5J0br3mb0URZSstPiz6/6Fc+PNCDfQ2skUAWUidWiH+JolROFQ4y2lfpLOw+wsK2jj+Gqx6w== JuiceSSH" + config.krebs.users.lass-uriel.pubkey ]; } { @@ -134,6 +135,12 @@ in { { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } ]; } + { + services.tor = { + enable = true; + client.enable = true; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index 0758164f0..4e4eca21f 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix @@ -15,15 +15,6 @@ with builtins; ../2configs/bitlbee.nix ../2configs/weechat.nix ../2configs/skype.nix - { - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = map readFile [ - ../../krebs/Zpubkeys/uriel.ssh.pub - ]; - }; - }; - } ]; krebs.build.host = config.krebs.hosts.uriel; diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index d2c96fdaa..51a6d9da8 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix 
@@ -54,8 +54,8 @@ with config.krebs.lib; #secrets-common = "/home/lass/secrets/common"; stockholm = "/home/lass/stockholm"; nixpkgs = { - url = https://github.com/Lassulus/nixpkgs; - rev = "d0e3cca04edd5d1b3d61f188b4a5f61f35cdf1ce"; + url = https://github.com/NixOS/nixpkgs; + rev = "40c586b7ce2c559374df435f46d673baf711c543"; dev = "/home/lass/src/nixpkgs"; }; } // optionalAttrs config.krebs.build.host.secure { @@ -104,6 +104,9 @@ with config.krebs.lib; #stuff for dl aria2 + + #neat utils + krebspaste ]; programs.bash = { diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index eb764068b..47a16d4cb 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -1,6 +1,8 @@ { config, lib, pkgs, ... }: let + inherit (config.krebs.lib) genid; + mainUser = config.users.extraUsers.mainUser; createChromiumUser = name: extraGroups: packages: { @@ -8,6 +10,7 @@ let inherit name; inherit extraGroups; home = "/home/${name}"; + uid = genid name; useDefaultShell = true; createHome = true; }; @@ -28,6 +31,7 @@ let inherit name; inherit extraGroups; home = "/home/${name}"; + uid = genid name; useDefaultShell = true; createHome = true; }; @@ -48,16 +52,17 @@ in { environment.systemPackages = [ (pkgs.writeScriptBin "browser-select" '' - BROWSER=$(echo -e "ff\ncr\nfb\ngm\nflash" | dmenu) + BROWSER=$(echo -e "ff\ncr\nwk\nfb\ngm\nflash" | dmenu) $BROWSER $@ '') ]; imports = [ - ( createFirefoxUser "ff" [ "audio" ] [ ] ) + ( createFirefoxUser "ff" [ "audio" ] [ pkgs.firefox ] ) ( createChromiumUser "cr" [ "audio" ] [ pkgs.chromium ] ) - ( createChromiumUser "fb" [ ] [ pkgs.chromium ] ) - ( createChromiumUser "gm" [ ] [ pkgs.chromium ] ) + ( createChromiumUser "wk" [ "audio" ] [ pkgs.chromium ] ) + ( createChromiumUser "fb" [ "audio" ] [ pkgs.chromium ] ) + ( createChromiumUser "gm" [ "audio" ] [ pkgs.chromium ] ) ( createChromiumUser "flash" [ "audio" ] [ pkgs.flash ] ) ]; 
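Review bot: The `browser-select` script runs `$BROWSER $@` with both unquoted; dmenu returns whatever the user typed, and arguments containing spaces are re-split. `"$BROWSER" "$@"` (plus `set -euf`) is the safe form — a style point, since the script runs inside the user's own session. The `uid = genid name` additions make the sandbox users' uids deterministic, which is good for reproducible home ownership, but if genid is a hash of the name then collisions between unrelated names are possible and would merge two sandboxes; a comment, or an assertion that the generated uids are pairwise distinct, would document that risk.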
diff --git a/lass/2configs/cbase.nix b/lass/2configs/cbase.nix new file mode 100644 index 000000000..9d13bc30d --- /dev/null +++ b/lass/2configs/cbase.nix 
@@ -0,0 +1,93 @@ +{ config, lib, pkgs, ... }: + +let + inherit (config.krebs.lib) genid; + +in { + + users.extraUsers = { + cbasevpn = rec { + name = "cbasevpn"; + uid = genid "cbasevpn"; + description = "user for running c-base openvpn"; + home = "/home/${name}"; + }; + }; + + users.extraGroups.cbasevpn.gid = genid "cbasevpn"; + + services.openvpn.servers = { + c-base = { + config = '' + client + dev tap + proto tcp + remote vpn.ext.c-base.org 1194 + resolv-retry infinite + nobind + user cbasevpn + group cbasevpn + persist-key + persist-tun + + auth-nocache + #auth-user-pass + auth-user-pass ${toString <secrets/cbase.txt>} + + comp-lzo + verb 3 + + #script-security 2 + #up /etc/openvpn/update-resolv-conf + #down /etc/openvpn/update-resolv-conf + + <ca> + -----BEGIN CERTIFICATE----- + MIIDUjCCArugAwIBAgIJAOOk8EXgjsf5MA0GCSqGSIb3DQEBBQUAMHoxCzAJBgNV + BAYTAkRFMQswCQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZj + LWJhc2UxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJ + ARYQYWRtYXhAYy1iYXNlLm9yZzAeFw0wOTAyMTMwOTE1MzdaFw0xOTAyMTEwOTE1 + MzdaMHoxCzAJBgNVBAYTAkRFMQswCQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGlu + MQ8wDQYDVQQKEwZjLWJhc2UxGzAZBgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEf + MB0GCSqGSIb3DQEJARYQYWRtYXhAYy1iYXNlLm9yZzCBnzANBgkqhkiG9w0BAQEF + AAOBjQAwgYkCgYEAt3wEgXbqFKxs8z/E4rv13hkRi6J+QdshNzntm7rTOmUsXKE7 + IEwoJSglrmsDPv4UqE86A7bjW7YYSFjhzxFRkTEHJanyOCF48ZPItVl7Eq7T81co + uR+6lAhxnLDrwnPJCC83NzAa6lw8U1DsQRDkayKlrQrtZq6++pFFEvZvt1cCAwEA + AaOB3zCB3DAdBgNVHQ4EFgQUqkSbdXS90+HtqXDeAI+PcyTSSHEwgawGA1UdIwSB + pDCBoYAUqkSbdXS90+HtqXDeAI+PcyTSSHGhfqR8MHoxCzAJBgNVBAYTAkRFMQsw + CQYDVQQIEwJERTEPMA0GA1UEBxMGQmVybGluMQ8wDQYDVQQKEwZjLWJhc2UxGzAZ + BgNVBAMTEnZwbi5leHQuYy1iYXNlLm9yZzEfMB0GCSqGSIb3DQEJARYQYWRtYXhA + Yy1iYXNlLm9yZ4IJAOOk8EXgjsf5MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF + BQADgYEAOBANG1H4uEEWk3sbeQoSMeA3LFG1+6MgFGk2WAdeHYuV9GKYBq6/PLP5 + ffw+FNkiDjLSeSQO88vHYJr2V1v8n/ZoCIT+1VBcDWXTpGz0YxDI1iBauO3tUPzK + wGs46RA/S0YwiZw64MaUHd88ZVadjKy9kNoO3w6/vpAS6s/Mh+o= + -----END 
CERTIFICATE----- + </ca> + key-direction 1 + <tls-auth> + # + # 2048 bit OpenVPN static key + # + -----BEGIN OpenVPN Static key V1----- + 5d49aa8c9cec18de7ab6e0b5cd09a368 + d3f1b8b77e055e448804fa0e14f487cb + 491681742f96b54a23fb8639aa9ed14e + c40b86a5546b888c4f3873f23c956e87 + 169076ec869127ffc85353fd5928871c + da19776b79f723abb366fae6cdfe4ad6 + 7ef667b7d05a7b78dfd5ea1d2da276dc + 5f6c82313fe9c1178c7256b8d1d081b0 + 4c80bc8f21add61fbc52c158579edc1d + bbde230afb9d0e531624ce289a17098a + 3261f9144a9a2a6f0da4250c9eed4086 + 187ec6fa757a454de743a349e32af193 + e9f8b49b010014bdfb3240d992f2f234 + 581d0ce05d4e07a2b588ad9b0555b704 + 9d5edc28efde59226ec8942feed690a1 + 2acd0c8bc9424d6074d0d495391023b6 + -----END OpenVPN Static key V1----- + </tls-auth> + ''; + }; + }; +} diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix index f8a63706e..1646cdea9 100644 --- a/lass/2configs/retiolum.nix +++ b/lass/2configs/retiolum.nix @@ -16,8 +16,6 @@ enable = true; connectTo = [ "prism" - "cloudkrebs" - "echelon" "pigstarter" "gum" "flap" diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix index 3fe45e1d1..961238b08 100644 --- a/lass/2configs/vim.nix +++ b/lass/2configs/vim.nix 
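Review bot: The inline `<tls-auth>` static key in the cbase OpenVPN config (hunk spans the previous line as well) is written into the world-readable nix store with the rest of `config`, whereas the password file was deliberately kept out of it via `${toString <secrets/cbase.txt>}`; the HMAC key deserves the same treatment — replace `key-direction 1` and the `<tls-auth>` block with `tls-auth ${toString <secrets/cbase-ta.key>} 1`. The client also lacks `remote-cert-tls server`, so any certificate issued by this CA, including another member's client certificate, could impersonate `vpn.ext.c-base.org` to this client; that one line closes it. `comp-lzo` enables compression over the tunnel, which is now discouraged for TLS-style links because of compression-oracle attacks unless the server insists on it. The embedded CA appears to be a 1024-bit RSA certificate with a SHA-1 signature, which cannot be fixed on the client side but should be known to whoever maintains the server.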
@@ -1,13 +1,24 @@ { config, pkgs, ... }: let - customPlugins.mustang2 = pkgs.vimUtils.buildVimPlugin { - name = "Mustang2"; - src = pkgs.fetchFromGitHub { - owner = "croaker"; - repo = "mustang-vim"; - rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5"; - sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67"; + customPlugins = { + mustang2 = pkgs.vimUtils.buildVimPlugin { + name = "Mustang2"; + src = pkgs.fetchFromGitHub { + owner = "croaker"; + repo = "mustang-vim"; + rev = "6533d7d21bf27cae94d9c2caa575f627f003dfd5"; + sha256 = "0zlmcrr04j3dkiivrhqi90f618lmnnnpvbz1b9msfs78cmgw9w67"; + }; + }; + unimpaired = pkgs.vimUtils.buildVimPlugin { + name = "unimpaired-vim"; + src = pkgs.fetchFromGitHub { + owner = "tpope"; + repo = "vim-unimpaired"; + rev = "11dc568dbfd7a56866a4354c737515769f08e9fe"; + sha256 = "1an941j5ckas8l3vkfhchdzjwcray16229rhv3a1d4pbxifwshi8"; + }; }; }; @@ -56,7 +67,8 @@ in { vnoremap < <gv vnoremap > >gv - nmap <esc>q :buffer + nmap <esc>q :buffer + "Tabwidth set ts=2 sts=2 sw=2 et @@ -105,11 +117,24 @@ in { "esc timeout set timeoutlen=1000 ttimeoutlen=0 + + "foldfunctions + inoremap <F9> <C-O>za + nnoremap <F9> za + onoremap <F9> <C-C>za + vnoremap <F9> zf ''; vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins; vimrcConfig.vam.pluginDictionaries = [ - { names = [ "Gundo" "commentary" "mustang2" ]; } + { names = [ + "Gundo" + "commentary" + "mustang2" + "extradite" + "fugitive" + "unimpaired" + ]; } { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; } ]; diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix index 6a257f0bb..98f5df42a 100644 --- a/lass/2configs/weechat.nix +++ b/lass/2configs/weechat.nix 
@@ -1,14 +1,17 @@ { config, lib, pkgs, ... }: -{ - krebs.per-user.chat.packages = [ - pkgs.weechat - pkgs.tmux +let + inherit (config.krebs.lib) genid; +in { + krebs.per-user.chat.packages = with pkgs; [ + mosh + tmux + weechat ]; users.extraUsers.chat = { home = "/home/chat"; - uid = lib.genid "chat"; + uid = genid "chat"; useDefaultShell = true; createHome = true; openssh.authorizedKeys.keys = [ diff --git a/lass/2configs/xserver/default.nix b/lass/2configs/xserver/default.nix index 203ed0b09..48bd31bf4 100644 --- a/lass/2configs/xserver/default.nix +++ b/lass/2configs/xserver/default.nix @@ -49,7 +49,7 @@ let services.xserver.enable = true; systemd.services.xmonad = { - wantedBy = [ "multi-user.target" ]; + #wantedBy = [ "multi-user.target" ]; requires = [ "xserver.service" ]; environment = xmonad-environment; serviceConfig = { diff --git a/lass/3modules/newsbot-js.nix b/lass/3modules/newsbot-js.nix index 5e340b26f..0772971da 100644 --- a/lass/3modules/newsbot-js.nix +++ b/lass/3modules/newsbot-js.nix @@ -4,6 +4,8 @@ with builtins; with lib; let + inherit (config.krebs.lib) genid; + cfg = config.lass.newsbot-js; out = { diff --git a/mv/1systems/stro.nix b/mv/1systems/stro.nix index f251cb092..520bf14eb 100644 --- a/mv/1systems/stro.nix +++ b/mv/1systems/stro.nix @@ -56,7 +56,6 @@ with config.krebs.lib; netcat nix-repl nmap - nq p7zip pass posix_man_pages diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index fa9c90816..fed67a105 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -12,7 +12,7 @@ with config.krebs.lib; ../2configs/git.nix ../2configs/im.nix ../2configs/mail-client.nix - ../2configs/nginx-public_html.nix + ../2configs/nginx/public_html.nix ../2configs/pulse.nix ../2configs/retiolum.nix ../2configs/wu-binary-cache/client.nix diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 0bf242109..27dd12520 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix 
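Review bot: Adding `mosh` to the chat user's packages only works if the host accepts inbound UDP 60000–61000, which mosh-server needs; nothing in this commit touches the iptables rules for that range, so either they are already open (not visible here) or sessions will fail after the SSH bootstrap. A comment beside `mosh` naming the port dependency, or the matching iptables entry in the same change, would keep the two in sync.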
@@ -13,7 +13,7 @@ with config.krebs.lib;
 ../2configs/im.nix
 ../2configs/mail-client.nix
 ../2configs/man.nix
- ../2configs/nginx-public_html.nix
+ ../2configs/nginx/public_html.nix
 ../2configs/pulse.nix
 ../2configs/retiolum.nix
 ../2configs/wu-binary-cache
@@ -46,7 +46,6 @@ with config.krebs.lib;
 netcat
 nix-repl
 nmap
- nq
 p7zip
 push
 qrencode
diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix
index 46fb59ff3..96a0545a7 100644
--- a/tv/1systems/xu.nix
+++ b/tv/1systems/xu.nix
@@ -12,7 +12,7 @@ with config.krebs.lib;
 ../2configs/git.nix
 ../2configs/mail-client.nix
 ../2configs/man.nix
- ../2configs/nginx-public_html.nix
+ ../2configs/nginx/public_html.nix
 ../2configs/pulse.nix
 ../2configs/retiolum.nix
 ../2configs/wu-binary-cache/client.nix
@@ -58,7 +58,6 @@ with config.krebs.lib;
 netcat
 nix-repl
 nmap
- nq
 p7zip
 pass
 qrencode
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix
index 0a3e40a5c..df5d5da29 100644
--- a/tv/2configs/default.nix
+++ b/tv/2configs/default.nix
@@ -26,6 +26,7 @@ with config.krebs.lib;
 imports = [
 <secrets>
 ./backup.nix
+ ./nginx
 ./vim.nix
 {
 # stockholm dependencies
diff --git a/tv/2configs/exim-smarthost.nix b/tv/2configs/exim-smarthost.nix
index 3ea010524..280d8572b 100644
--- a/tv/2configs/exim-smarthost.nix
+++ b/tv/2configs/exim-smarthost.nix
@@ -5,6 +5,9 @@ with config.krebs.lib;
 {
 krebs.exim-smarthost = {
 enable = true;
+ dkim = [
+ { domain = "viljetic.de"; }
+ ];
 sender_domains = [
 "krebsco.de"
 "shackspace.de"
diff --git a/tv/2configs/nginx/default.nix b/tv/2configs/nginx/default.nix
new file mode 100644
index 000000000..1fac65a31
--- /dev/null
+++ b/tv/2configs/nginx/default.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+
+with config.krebs.lib;
+
+{
+ krebs.nginx = {
+ servers.default.locations = [
+ (nameValuePair "= /etc/os-release" ''
+ default_type text/plain;
+ alias /etc/os-release;
+ '')
+ ];
+ };
+ tv.iptables = optionalAttrs config.krebs.nginx.enable {
+ input-retiolum-accept-new-tcp = singleton "http";
+ };
+}
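Review bot: The new `= /etc/os-release` location in tv/2configs/nginx/default.nix publishes the exact stockholm git revision and, for `--dirty` deployments, the hostname the Makefile appends, so it is a small but real fingerprint; the hunk opens `http` only from retiolum via `tv.iptables`, but `servers.default`'s listen addresses are not in this hunk, so whether the file is reachable from the public side depends on configuration elsewhere. If the intent is retiolum-only, say so above the location (`# version endpoint for retiolum hosts; reachability relies on the tv.iptables rule below`) or add `allow`/`deny` lines for the retiolum range inside the location so the exposure does not hinge on the firewall alone. `alias` with an exact-match location is the right nginx idiom here.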
diff --git a/tv/2configs/nginx-public_html.nix b/tv/2configs/nginx/public_html.nix index 15a3b5482..15a3b5482 100644 --- a/tv/2configs/nginx-public_html.nix +++ b/tv/2configs/nginx/public_html.nix |