diff options
33 files changed, 440 insertions, 97 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index d64d8047a..9af42acc9 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -28,6 +28,7 @@ let ./on-failure.nix ./os-release.nix ./per-user.nix + ./power-action.nix ./Reaktor.nix ./realwallpaper.nix ./retiolum-bootstrap.nix diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index aba6ee0b5..cfe2e5f04 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -2,6 +2,7 @@ with config.krebs.lib; let + indent = replaceChars ["\n"] ["\n "]; cfg = config.krebs.exim-smarthost; out = { @@ -12,6 +13,11 @@ let api = { enable = mkEnableOption "krebs.exim-smarthost"; + authenticators = mkOption { + type = types.attrsOf types.str; + default = {}; + }; + dkim = mkOption { type = types.listOf (types.submodule ({ config, ... }: { options = { @@ -80,6 +86,16 @@ let default = []; }; + ssl_cert = mkOption { + type = types.nullOr types.str; + default = null; + }; + + ssl_key = mkOption { + type = types.nullOr types.str; + default = null; + }; + system-aliases = mkOption { type = types.listOf (types.submodule ({ options = { @@ -136,7 +152,9 @@ let syslog_timestamp = false syslog_duplication = false - tls_advertise_hosts = + ${optionalString (cfg.ssl_cert != null) "tls_certificate = ${cfg.ssl_cert}"} + ${optionalString (cfg.ssl_key != null) "tls_privatekey = ${cfg.ssl_key}"} + tls_advertise_hosts =${optionalString (cfg.ssl_cert != null) " *"} begin acl @@ -257,6 +275,10 @@ let begin rewrite begin authenticators + ${concatStringsSep "\n" (mapAttrsToList (name: text: '' + ${name}: + ${indent text} + '') cfg.authenticators)} ''; }; }; diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 52db3de85..dffb6b0a1 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -49,10 +49,22 @@ with config.krebs.lib; ''; }; siem = { - ip4.addr = "10.8.10.2"; + ip4.addr = "10.8.10.2"; + ip4.prefix = "10.8.10.0/24"; aliases = [ "darth.siem" ]; + tinc.pubkey = '' + Ed25519PublicKey = 24t9ye4gRLg6UbVxBvuuDlvU/cnByxMjYjym4LO6GkK + -----BEGIN RSA PUBLIC KEY----- + MIIBCQKCAQEApcUeTecVahqNIfLEkfgNiaW+eHQ9Y90DxHhy9vdPZh8dmLqoFBoW + TCPcZIRpyj7hxRkNIhh34Ewpul0oQ1tzrUGcT2xvMNwaCupRDmhZn9jR9aFFEYKb + fUOplCxb4y2UKbWAA6hie3PKH9wnPfbwSsexb2BSQAqSt4iNIVCV6j7LXpiopbGS + Exs3/Pz+IeMtGyuMYA3rUmJsVRKR1o7axLtlhYK7JSMbqdYhaQJ4NZrvIXw//w21 + kM/TJTPZ4j47ME18jQInO62X5h+xVch6DtvwvjBMMMKbS0am9qw1P3qo7MP3PmQh + rvVQRth8L63q4NLOnT29XmnxPSVGL1PBQQICEAE= + -----END RSA PUBLIC KEY----- + ''; }; }; }; @@ -60,9 +72,20 @@ with config.krebs.lib; nets = { siem = { ip4.addr = "10.8.10.6"; + ip4.prefix = "10.8.10.0/24"; aliases = [ "ossim.siem" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAv5qv9R3E1AHJOhTnHJ2E5zWjItRdXSw/inpz/W+KcBeM/HSG0XEl + RyGAwty7VP4CiLp7CagWmtVsz/5ytnXJzLDeRLn5t+KzO6am0aOpvAt6ZggZXPhL + cQkn4IGi1TJE5tw+lzabBkUZm3zD1KEXpqJeZ6spA4e9lB/+T3Tx23g9WDEOKand + mAJrsdsvTCIiVJefidOAmgeZVVOV3ltBonNP1nqEy+5v4B3EBT/Uj7ImL2aRj/pd + dPs6dGV2LqSQvnrSbFZzuKVXKpD1M+wgT/5NQk/hVJJxBQC6rxvpg1XyQkepcLWL + WjvogOl4NjXStmKDX2+gPPFx6XTmwDenOwIDAQAB + -----END RSA PUBLIC KEY----- + ''; }; }; }; @@ -103,15 +126,15 @@ with config.krebs.lib; }; }; }; - pornocauster = { + x = { cores = 2; nets = { retiolum = { ip4.addr = "10.243.0.91"; ip6.addr = "42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db"; aliases = [ - "pornocauster.retiolum" - "pornocauster.r" + "x.retiolum" + "x.r" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- @@ -126,13 +149,25 @@ with config.krebs.lib; }; siem = { ip4.addr = "10.8.10.4"; + ip4.prefix = "10.8.10.0/24"; aliases = [ - "arch.siem" + "makefu.siem" ]; + tinc.pubkey = '' + Ed25519PublicKey = rFTglGxm563e/w82Q9Qqy/E+V/ipT4DOTyTuYrWrtmI + -----BEGIN RSA PUBLIC KEY----- + MIIBCQKCAQEAx+OQXQj6rlXIByo48JZXSexRz5G5oJVZTHAJ0GF5f70U65C0x83p + XtNp4LGYti+cyyzmQjf/N7jr2CxUlOATN2nRO4CT+JaMM2MoqnPWqTZBPMDiHq2y + ce0zjLPPl0hVc5mg+6F0tgolbUvTIo2CgAIl5lNvJiVfmXRSehmMprf1NPkxJd/O + vAOD7mgnCjkEAWElf1cfxSGZqSLbNltRK340nE5x6A5tY7iEueP/r9chEmOnVjKm + t+GJAJIe1PClWJHJYAXF8I7R3g+XQIqgw+VTN3Ng5cS5W/mbTFIzLWMZpdZaAhWR + 56pthtZAE5FZ+4vxMpDQ4yeDu0b6gajWNQICEAE= + -----END RSA PUBLIC KEY----- + ''; }; }; ssh.privkey.path = <secrets/ssh_host_ed25519_key>; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@pornocauster"; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@x"; }; @@ -167,6 +202,7 @@ with config.krebs.lib; extraZones = { "krebsco.de" = '' euer IN MX 1 aspmx.l.google.com. + nixos.unstable IN CNAME krebscode.github.io. pigstarter IN A ${nets.internet.ip4.addr} gold IN A ${nets.internet.ip4.addr} boot IN A ${nets.internet.ip4.addr} @@ -324,7 +360,21 @@ with config.krebs.lib; nets = { siem = { ip4.addr = "10.8.10.7"; + ip4.prefix = "10.8.10.0/24"; aliases = [ "display.siem" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA+/TpxsVIBL9J9QAe/+jB6sgu/O6J+KY4YrAzZ6dM4kbFv5JA64f5 + 6znv8EFqn6loS9Aez3e08P5scyGjiwWytdKN5Yztlffc0xDD7MUU2RiCsQF1X74J + +1i8NhSq3PJ6UeUURxYYnAYzBlFvsxev4vpniFTsIR9tmcAYX9NT9420D6nV7xq7 + FdkoBlYj4eUQqQzHH1T/Lmt+BGmf+BufIJas+Oo/Sg59vIk9OM08WyAjHVT2iNbg + LXDhzVaeGOOM3GOa0YGG0giM3Rd245YPaPiVbwrMy8HQRBpMzXOPjcC1nYZSjxrW + LQxtRS+dmfEMG7MJ8T2T2bseX6z6mONc1QIDAQAB + -----END RSA PUBLIC KEY----- + -----BEGIN ED25519 PUBLIC KEY----- + 3JGeGnADWR+hfb4TEoHDyopEYgkfGNJKwy71bqcsNrO + -----END ED25519 PUBLIC KEY----- + ''; }; retiolum = { ip4.addr = "10.243.214.15"; @@ -391,13 +441,26 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB }; shoney = rec { cores = 1; - nets = { + nets = rec { siem = { + via = internet; ip4.addr = "10.8.10.1"; + ip4.prefix = "10.8.10.0/24"; aliases = [ - "sjump.siem" + "shoney.siem" "graphs.siem" ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA0OK28PHsMGMxAqVRiRGv93zzEWJgV3hMFquWrpbYC3OZwHDYcNHu + 74skwRRwwnbcq0ZtWroEvUTmZczuPt2FewdtuEutT7uZJnAYnzSOrB9lmmdoXKQU + l4ho1LEf/J0sMBi7RU/OJosuruQTAl53ca5KQbRCXkcPlmq4KzUpvgPINpEpYQjB + CGC3ErOvw2jXESbDnWomYZgJl3uilJUEYlyQEwyWVG+fO8uxlz9qKLXMlkoJTbs4 + fTIcxh7y6ZA7QfMN3Ruq1R66smfXQ4xu1hybvqL66RLiDQgH3BRyKIgobS1UxI4z + L+xhIsiMXQIo2hv8aOUnf/7Ac9DXNR83GwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + tinc.port = 1655; }; internet = { ip4.addr = "64.137.234.215"; @@ -729,8 +792,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB }; users = rec { makefu = { - mail = "makefu@pornocauster.retiolum"; - pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@pornocauster"; + mail = "makefu@x.retiolum"; + pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@x"; pgp.pubkeys.default = builtins.readFile ./default.pgp; pgp.pubkeys.brain = builtins.readFile ./brain.pgp; }; diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix index bc32da3b1..214f55018 100644 --- a/krebs/3modules/nginx.nix +++ b/krebs/3modules/nginx.nix @@ -71,6 +71,14 @@ let type = bool; default = true; }; + force_encryption = mkOption { + type = bool; + default = false; + description = '' + redirect all `http` traffic to the same domain but with ssl + protocol. + ''; + }; protocols = mkOption { type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]); default = [ "TLSv1.1" "TLSv1.2" ]; @@ -120,6 +128,11 @@ let server_name ${toString (unique server-names)}; ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} ${optionalString ssl.enable (indent '' + ${optionalString ssl.force_encryption '' + if ($scheme = http){ + return 301 https://$server_name$request_uri; + } + ''} listen 443 ssl; ssl_certificate ${ssl.certificate}; ssl_certificate_key ${ssl.certificate_key}; diff --git a/lass/3modules/power-action.nix b/krebs/3modules/power-action.nix index 30875c9a9..bb5b3e521 100644 --- a/lass/3modules/power-action.nix +++ b/krebs/3modules/power-action.nix @@ -3,10 +3,10 @@ with config.krebs.lib; let - cfg = config.lass.power-action; + cfg = config.krebs.power-action; out = { - options.lass.power-action = api; + options.krebs.power-action = api; config = lib.mkIf cfg.enable imp; }; @@ -17,10 +17,8 @@ let default = "BAT0"; }; user = mkOption { - type = types.user; - default = { - name = "power-action"; - }; + type = types.string; + default = "power-action"; }; startAt = mkOption { type = types.str; @@ -35,7 +33,7 @@ let description = '' check for charging status. null = don't care - true = only if system is charging + true = only if system is charging or unknown false = only if system is discharging ''; }; @@ -57,13 +55,10 @@ let systemd.services.power-action = { serviceConfig = rec { ExecStart = startScript; - User = cfg.user.name; + User = cfg.user; }; startAt = cfg.startAt; }; - users.users.${cfg.user.name} = { - inherit (cfg.user) name uid; - }; }; startScript = pkgs.writeDash "power-action" '' diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 0bd815211..2b181a556 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -12,9 +12,11 @@ let define a tinc network ''; type = with types; attrsOf (submodule (tinc: { - options = { + options = let + netname = tinc.config._module.args.name; + in { - enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; }; + enable = mkEnableOption "krebs.tinc.${netname}" // { default = true; }; host = mkOption { type = types.host; @@ -23,7 +25,7 @@ let netname = mkOption { type = types.enum (attrNames tinc.config.host.nets); - default = tinc.config._module.args.name; + default = netname; description = '' The tinc network name. It is used to name the TUN device and to generate the default value for @@ -38,6 +40,27 @@ let Extra Configuration to be appended to tinc.conf ''; }; + tincUp = mkOption { + type = types.string; + default = let + net = tinc.config.host.nets.${netname}; + iproute = tinc.config.iproutePackage; + in '' + ${optionalString (net.ip4 != null) /* sh */ '' + ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} + ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} + ''} + ${optionalString (net.ip6 != null) /* sh */ '' + ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} + ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} + ''} + ''; + description = '' + tinc-up script to be used. Defaults to setting the + krebs.host.nets.<netname>.ip4 and ip6 for the new ips and + configures forwarding of the respecitive netmask as subnet. + ''; + }; tincPackage = mkOption { type = types.package; @@ -109,8 +132,8 @@ let routeable IPv4 or IPv6 address. In stockholm this can be done by configuring: - krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.addrs4 = - [ "${external-ip} ${external-port}" ] + krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.ip4.addr = external-ip + krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.tinc.port = 1655; ''; }; @@ -131,6 +154,7 @@ let krebs.secret.files = mapAttrs' (netname: cfg: nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc; + users.users = mapAttrs' (netname: cfg: nameValuePair "${netname}" { inherit (cfg.user) home name uid; @@ -140,7 +164,6 @@ let systemd.services = mapAttrs (netname: cfg: let - net = cfg.host.nets.${netname}; tinc = cfg.tincPackage; iproute = cfg.iproutePackage; @@ -153,18 +176,12 @@ let Interface = ${netname} ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)} PrivateKeyFile = ${cfg.privkey.path} + Port = ${toString cfg.host.nets.${cfg.netname}.tinc.port} ${cfg.extraConfig} ''; "tinc-up" = pkgs.writeDash "${netname}-tinc-up" '' ${iproute}/sbin/ip link set ${netname} up - ${optionalString (net.ip4 != null) /* sh */ '' - ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname} - ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname} - ''} - ${optionalString (net.ip6 != null) /* sh */ '' - ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname} - ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname} - ''} + ${cfg.tincUp} ''; } ); diff --git a/krebs/4lib/default.nix b/krebs/4lib/default.nix index 8a822ed7d..49241cc82 100644 --- a/krebs/4lib/default.nix +++ b/krebs/4lib/default.nix @@ -33,6 +33,7 @@ let out = import <stockholm/lib> // rec { dir.has-default-nix = path: pathExists (path + "/default.nix"); genid = import ./genid.nix { lib = lib // out; }; + genid_signed = x: ((genid x) + 16777216) / 2; git = import ./git.nix { lib = lib // out; }; tree = import ./tree.nix { inherit lib; }; diff --git a/krebs/4lib/types.nix b/krebs/4lib/types.nix index 8906eff4a..37d44606b 100644 --- a/krebs/4lib/types.nix +++ b/krebs/4lib/types.nix @@ -130,16 +130,28 @@ types // rec { type = str; default = concatStringsSep "\n" ( (optionals (net.via != null) - (map (a: "Address = ${a}") net.via.addrs)) + (map (a: "Address = ${a} ${toString config.port}") net.via.addrs)) ++ (map (a: "Subnet = ${a}") net.addrs) ++ + [config.extraConfig] + ++ [config.pubkey] ); }; pubkey = mkOption { type = tinc-pubkey; }; + extraConfig = mkOption { + description = "Extra Configuration to be appended to the hosts file"; + default = ""; + type = string; + }; + port = mkOption { + type = int; + description = "tinc port to use to connect to host"; + default = 655; + }; }; })); default = null; diff --git a/krebs/5pkgs/exim/default.nix b/krebs/5pkgs/exim/default.nix index 0918e308d..835970555 100644 --- a/krebs/5pkgs/exim/default.nix +++ b/krebs/5pkgs/exim/default.nix @@ -1,4 +1,4 @@ -{ coreutils, fetchurl, db, openssl, pcre, perl, pkgconfig, stdenv }: +{ coreutils, fetchurl, db, openssl, pam, pcre, perl, pkgconfig, stdenv }: stdenv.mkDerivation rec { name = "exim-4.87"; @@ -8,7 +8,7 @@ stdenv.mkDerivation rec { sha256 = "1jbxn13shq90kpn0s73qpjnx5xm8jrpwhcwwgqw5s6sdzw6iwsbl"; }; - buildInputs = [ coreutils db openssl pcre perl pkgconfig ]; + buildInputs = [ coreutils db openssl pam pcre perl pkgconfig ]; preBuild = '' sed ' @@ -24,6 +24,7 @@ stdenv.mkDerivation rec { s:^# \(SUPPORT_TLS\)=.*:\1=yes: s:^# \(USE_OPENSSL_PC=openssl\)$:\1: s:^# \(LOG_FILE_PATH=syslog\)$:\1: + s:^# \(SUPPORT_PAM\)=.*:\1=yes\nEXTRALIBS=-lpam: s:^# \(HAVE_IPV6=yes\)$:\1: s:^# \(CHOWN_COMMAND\)=.*:\1=${coreutils}/bin/chown: s:^# \(CHGRP_COMMAND\)=.*:\1=${coreutils}/bin/chgrp: diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 5f161d731..53026a6fb 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -58,7 +58,7 @@ with config.krebs.lib; # }; #} { - lass.power-action.battery = "BAT1"; + krebs.power-action.battery = "BAT1"; } ]; diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 5afb23687..766fd715e 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -3,8 +3,13 @@ with config.krebs.lib; let + sshHostConfig = pkgs.writeText "ssh-config" '' + ControlMaster auto + ControlPath /tmp/%u_sshmux_%r@%h:%p + ControlPersist 4h + ''; sshWrapper = pkgs.writeDash "ssh-wrapper" '' - ${pkgs.openssh}/bin/ssh -i ${shell.escape config.lass.build-ssh-privkey.path} "$@" + ${pkgs.openssh}/bin/ssh -F ${sshHostConfig} -i ${shell.escape config.lass.build-ssh-privkey.path} "$@" ''; in { @@ -90,7 +95,7 @@ in { method=build \ system={}".format(i)]) - for i in [ "pornocauster", "wry", "vbob", "wbob", "shoney" ]: + for i in [ "x", "wry", "vbob", "wbob", "shoney" ]: addShell(f,name="build-{}".format(i),env=env_makefu, command=nixshell + \ ["make \ diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 9a1cab176..ab4450715 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -80,7 +80,7 @@ let perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ optional repo.public { - user = [ tv makefu ]; + user = attrValues config.krebs.users; repo = [ repo ]; perm = fetch; } ++ diff --git a/lass/2configs/power-action.nix b/lass/2configs/power-action.nix index 0ff8547c7..c83dc80dc 100644 --- a/lass/2configs/power-action.nix +++ b/lass/2configs/power-action.nix @@ -11,7 +11,7 @@ let ''; in { - lass.power-action = { + krebs.power-action = { enable = true; plans.low-battery = { upperLimit = 30; @@ -29,6 +29,7 @@ in { /var/setuid-wrappers/sudo ${suspend} ''; }; + user = "lass"; }; users.users.power-action.extraGroups = [ @@ -36,6 +37,6 @@ in { ]; security.sudo.extraConfig = '' - ${config.lass.power-action.user.name} ALL= (root) NOPASSWD: ${suspend} + ${config.krebs.power-action.user} ALL= (root) NOPASSWD: ${suspend} ''; } diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 6a3b41ca4..60370b230 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -4,7 +4,6 @@ _: ./ejabberd ./folderPerms.nix ./mysql-backup.nix - ./power-action.nix ./umts.nix ./urxvtd.nix ./wordpress_nginx.nix diff --git a/makefu/1systems/filepimp.nix b/makefu/1systems/filepimp.nix index c6966c99c..4037f693d 100644 --- a/makefu/1systems/filepimp.nix +++ b/makefu/1systems/filepimp.nix @@ -3,6 +3,7 @@ let byid = dev: "/dev/disk/by-id/" + dev; part1 = disk: disk + "-part1"; rootDisk = byid "ata-SanDisk_SDSSDP064G_140237402890"; + primary-interface = "enp2s0"; # c8:cb:b8:cf:e4:dc # N54L Chassis: # ____________________ # |______FRONT_______| @@ -75,4 +76,11 @@ in { (xfsmount "j2" (part1 jDisk2)) // (xfsmount "par0" (part1 jDisk3)) ; + services.wakeonlan.interfaces = [ + { + interface = primary-interface; + method = "password"; + password = "CA:FE:BA:BE:13:37"; + } + ]; } diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index e11abd40d..3aa5e943e 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -4,6 +4,7 @@ { config, pkgs, lib, ... }: let + toMapper = id: "/media/crypt${builtins.toString id}"; byid = dev: "/dev/disk/by-id/" + dev; keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0"; rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904"; @@ -33,7 +34,8 @@ let # all physical disks # TODO callPackage ../3modules/MonitorDisks { disks = allDisks } - allDisks = [ rootDisk cryptDisk0 cryptDisk1 cryptDisk2 ]; + dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 ]; + allDisks = [ rootDisk ] ++ dataDisks; in { imports = [ @@ -72,26 +74,41 @@ in { systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; virtualisation.docker.enable = true; - - + makefu.ps3netsrv = { + enable = true; + servedir = "/media/cryptX/emu/ps3"; + }; # HDD Array stuff - environment.systemPackages = [ pkgs.mergerfs ]; services.smartd.devices = builtins.map (x: { device = x; }) allDisks; - makefu.snapraid = let - toMapper = id: "/media/crypt${builtins.toString id}"; - in { + makefu.snapraid = { enable = true; disks = map toMapper [ 0 1 ]; parity = toMapper 2; }; + # TODO create folders in /media + system.activationScripts.createCryptFolders = '' + ${lib.concatMapStringsSep "\n" + (d: "install -m 755 -d " + (toMapper d) ) + [ 0 1 2 "X" ]} + ''; + environment.systemPackages = with pkgs;[ + mergerfs # hard requirement for mount + wol # wake up filepimp + ]; fileSystems = let cryptMount = name: { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; in cryptMount "crypt0" // cryptMount "crypt1" - // cryptMount "crypt2"; + // cryptMount "crypt2" + // { "/media/cryptX" = { + device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]); + fsType = "mergerfs"; + options = [ "defaults" "allow_other" ]; + }; + }; powerManagement.powerUpCommands = lib.concatStrings (map (disk: '' ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk} diff --git a/makefu/1systems/wbob.nix b/makefu/1systems/wbob.nix index e8e0b091f..ff593ab35 100644 --- a/makefu/1systems/wbob.nix +++ b/makefu/1systems/wbob.nix @@ -66,7 +66,7 @@ in { client = { enable = true; screenName = "wbob"; - serverAddress = "pornocauster.r"; + serverAddress = "x.r"; }; }; } diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/x.nix index b683e5630..d41edfa46 100644 --- a/makefu/1systems/pornocauster.nix +++ b/makefu/1systems/x.nix @@ -43,16 +43,8 @@ ../2configs/temp/share-samba.nix # ../2configs/temp/elkstack.nix # ../2configs/temp/sabnzbd.nix + ../2configs/tinc/siem.nix ]; - - services.tinc.networks.siem = { - name = "makefu"; - extraConfig = '' - ConnectTo = sdarth - ConnectTo = sjump - ''; - }; - krebs.nginx = { default404 = false; servers.default.listen = [ "80 default_server" ]; @@ -65,10 +57,10 @@ # configure pulseAudio to provide a HDMI sink as well networking.firewall.enable = true; - networking.firewall.allowedTCPPorts = [ 80 24800 ]; - networking.firewall.allowedUDPPorts = [ 665 ]; + networking.firewall.allowedTCPPorts = [ 80 24800 26061 ]; + networking.firewall.allowedUDPPorts = [ 665 26061 ]; - krebs.build.host = config.krebs.hosts.pornocauster; + krebs.build.host = config.krebs.hosts.x; krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11"; krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ]; diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix index f7d6991c5..b039c12ca 100644 --- a/makefu/2configs/base-gui.nix +++ b/makefu/2configs/base-gui.nix @@ -55,7 +55,7 @@ in hardware.pulseaudio = { enable = true; - # systemWide = true; + systemWide = true; }; services.xserver.displayManager.sessionCommands = let xdefaultsfile = pkgs.writeText "Xdefaults" '' @@ -87,5 +87,8 @@ in URxvt.url-select.underline: true URxvt.searchable-scrollback: CM-s ''; - in "cat ${xdefaultsfile} | xrdb -merge"; + in '' + cat ${xdefaultsfile} | xrdb -merge + ${pkgs.xorg.xhost}/bin/xhost +local: + ''; } diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix index f675c4ac8..4b5389c32 100644 --- a/makefu/2configs/bepasty-dual.nix +++ b/makefu/2configs/bepasty-dual.nix @@ -45,6 +45,7 @@ in { #certificate = "${sec}/wildcard.krebsco.de.crt"; #certificate_key = "${sec}/wildcard.krebsco.de.key"; ciphers = "RC4:HIGH:!aNULL:!MD5" ; + force_encryption = true; }; locations = singleton ( nameValuePair "/.well-known/acme-challenge" '' root ${acmechall}/${ext-dom}/; @@ -54,10 +55,7 @@ in { ssl_session_timeout 10m; ssl_verify_client off; proxy_ssl_session_reuse off; - - if ($scheme = http){ - return 301 https://$server_name$request_uri; - }''; + ''; }; defaultPermissions = "read"; secretKey = secKey; diff --git a/makefu/2configs/fetchWallpaper.nix b/makefu/2configs/fetchWallpaper.nix index 786df6d40..fb74919c4 100644 --- a/makefu/2configs/fetchWallpaper.nix +++ b/makefu/2configs/fetchWallpaper.nix @@ -3,7 +3,7 @@ { krebs.fetchWallpaper = { enable = true; - display = ":0"; + display = ":0.0"; unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"; timerConfig = { OnCalendar = "*:0/30"; diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix index c10ec1314..9047cfb66 100644 --- a/makefu/2configs/hw/tp-x2x0.nix +++ b/makefu/2configs/hw/tp-x2x0.nix @@ -12,6 +12,12 @@ with config.krebs.lib; zramSwap.enable = true; zramSwap.numDevices = 2; + # enable synaptics so we can easily disable the touchpad + # enable the touchpad with `synclient TouchpadOff=0` + services.xserver.synaptics = { + enable = true; + additionalOptions = ''Option "TouchpadOff" "1"''; + }; hardware.trackpoint = { enable = true; sensitivity = 220; @@ -19,7 +25,6 @@ with config.krebs.lib; emulateWheel = true; }; - services.tlp.enable = true; services.tlp.extraConfig = '' # BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix index 3cc91b630..9d5b06f70 100644 --- a/makefu/2configs/main-laptop.nix +++ b/makefu/2configs/main-laptop.nix @@ -6,7 +6,10 @@ # TODO split generic desktop stuff and laptop-specifics like lidswitching with config.krebs.lib; -{ +let + window-manager = "awesome"; + user = config.krebs.build.user.name; +in { imports = [ ./base-gui.nix ./fetchWallpaper.nix @@ -16,6 +19,52 @@ with config.krebs.lib; users.users.${config.krebs.build.user.name}.extraGroups = [ "dialout" ]; + krebs.power-action = let + #speak = "XDG_RUNTIME_DIR=/run/user/$(id -u) ${pkgs.espeak}/bin/espeak"; # when run as user + speak = "${pkgs.espeak}/bin/espeak"; # systemwide pulse + whisper = text: ''${speak} -v +whisper -s 110 "${text}"''; + + note = pkgs.writeDash "note-as-user" '' + eval "export $(egrep -z DBUS_SESSION_BUS_ADDRESS /proc/$(${pkgs.procps}/bin/pgrep -u ${user} ${window-manager})/environ)" + ${pkgs.libnotify}/bin/notify-send "$@"; + ''; + in { + enable = true; + inherit user; + plans.low-battery = { + upperLimit = 25; + lowerLimit = 15; + charging = false; + action = pkgs.writeDash "low-speak" '' + ${whisper "power level low, please plug me in"} + ''; + }; + plans.nag-harder = { + upperLimit = 15; + lowerLimit = 5; + charging = false; + action = pkgs.writeDash "crit-speak" '' + ${note} Battery -u critical -t 60000 "Power level critical, do something!" + ${whisper "Power level critical, do something"} + ''; + }; + plans.last-chance = { + upperLimit = 5; + lowerLimit = 3; + charging = false; + action = pkgs.writeDash "suspend-wrapper" '' + ${note} Battery -u crit "You've had your chance, suspend in 5 seconds" + ${concatMapStringsSep "\n" (i: '' + ${note} -u critical -t 1000 ${toString i} + ${speak} ${toString i} & + sleep 1 + '') + [ 5 4 3 2 1 ]} + /var/setuid-wrappers/sudo ${pkgs.systemd}/bin/systemctl suspend + ''; + }; + }; + security.sudo.extraConfig = "${config.krebs.power-action.user} ALL= (root) NOPASSWD: ${pkgs.systemd}/bin/systemctl suspend"; services.redshift = { enable = true; diff --git a/makefu/2configs/nginx/euer.wiki.nix b/makefu/2configs/nginx/euer.wiki.nix index 10985c833..655dee7b2 100644 --- a/makefu/2configs/nginx/euer.wiki.nix +++ b/makefu/2configs/nginx/euer.wiki.nix @@ -3,8 +3,15 @@ with config.krebs.lib; let sec = toString <secrets>; - ssl_cert = "${sec}/wildcard.krebsco.de.crt"; - ssl_key = "${sec}/wildcard.krebsco.de.key"; + ext-dom = "wiki.euer.krebsco.de"; + acmepath = "/var/lib/acme/"; + acmechall = acmepath + "/challenges/"; + + #ssl_cert = "${sec}/wildcard.krebsco.de.crt"; + #ssl_key = "${sec}/wildcard.krebsco.de.key"; + ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem"; + ssl_key = "${acmepath}/${ext-dom}/key.pem"; + user = config.services.nginx.user; group = config.services.nginx.group; fpm-socket = "/var/run/php5-fpm.sock"; @@ -80,22 +87,23 @@ in { listen = [ "${external-ip}:80" "${external-ip}:443 ssl" "${internal-ip}:80" "${internal-ip}:443 ssl" ]; server-names = [ - "wiki.euer.krebsco.de" + ext-dom "wiki.makefu.retiolum" "wiki.makefu" ]; + ssl = { + enable = true; + # these certs will be needed if acme has not yet created certificates: + certificate = ssl_cert; + certificate_key = ssl_key; + force_encryption = true; + }; extraConfig = '' gzip on; gzip_buffers 4 32k; gzip_types text/plain application/x-javascript text/css; - ssl_certificate ${ssl_cert}; - ssl_certificate_key ${ssl_key}; default_type text/plain; - if ($scheme = http){ - return 301 https://$server_name$request_uri; - } - ''; locations = [ (nameValuePair "/" '' @@ -111,8 +119,20 @@ in { include ${pkgs.nginx}/conf/fastcgi_params; include ${pkgs.nginx}/conf/fastcgi.conf; '') + (nameValuePair "/.well-known/acme-challenge" '' + root ${acmechall}/${ext-dom}/; + '') + ]; }; }; }; + security.acme.certs."${ext-dom}" = { + email = "acme@syntax-fehler.de"; + webroot = "${acmechall}/${ext-dom}/"; + group = "nginx"; + allowKeysForGroup = true; + postRun = "systemctl reload nginx.service"; + extraDomains."${ext-dom}" = null ; + }; } diff --git a/makefu/2configs/tinc/siem.nix b/makefu/2configs/tinc/siem.nix new file mode 100644 index 000000000..8f17f1a0a --- /dev/null +++ b/makefu/2configs/tinc/siem.nix @@ -0,0 +1,12 @@ +{lib, config, ... }: +{ + # TODO do not know why we need to force it, port is only set via default to 655 + krebs.build.host.nets.siem.tinc.port = lib.mkForce 1655; + krebs.dns.providers.siem = "hosts"; + networking.firewall.allowedUDPPorts = [ 1665 ]; + networking.firewall.allowedTCPPorts = [ 1655 ]; + krebs.tinc.siem = { + enable = true; + connectTo = [ "shoney" ]; + }; +} diff --git a/makefu/2configs/zsh-user.nix b/makefu/2configs/zsh-user.nix index 99c1315e1..a3286b7fd 100644 --- a/makefu/2configs/zsh-user.nix +++ b/makefu/2configs/zsh-user.nix @@ -22,7 +22,7 @@ in bindkey "\e[3~" delete-char zstyle ':completion:*' menu select - gpg-connect-agent updatestartuptty /bye >/dev/null + ${pkgs.gnupg}/bin/gpg-connect-agent updatestartuptty /bye >/dev/null GPG_TTY=$(tty) export GPG_TTY unset SSH_AGENT_PID diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index febebaa18..7fc095bab 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix @@ -2,11 +2,12 @@ _: { imports = [ - ./snapraid.nix - ./umts.nix - ./taskserver.nix ./awesome-extra.nix ./forward-journal.nix + ./ps3netsrv.nix + ./snapraid.nix + ./taskserver.nix + ./umts.nix ]; } diff --git a/makefu/3modules/ps3netsrv.nix b/makefu/3modules/ps3netsrv.nix new file mode 100644 index 000000000..22681637c --- /dev/null +++ b/makefu/3modules/ps3netsrv.nix @@ -0,0 +1,58 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let + cfg = config.makefu.ps3netsrv; + + out = { + options.makefu.ps3netsrv = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "ps3netsrv"; + + servedir = mkOption { + description = "path to serve, must be set"; + type = types.str; + }; + + package = mkOption { + type = types.package; + default = pkgs.ps3netsrv; + }; + + user = mkOption { + description = ''user which will run ps3netsrv''; + type = types.str; + default = "ps3netsrv"; + }; + }; + + imp = { + systemd.services.ps3netsrv = { + description = "ps3netsrv server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; + unitConfig = { + Documentation = "https://www.arm-blog.com/playing-ps3-games-from-your-nas/" ; + ConditionPathExists = cfg.servedir; + }; + serviceConfig = { + Type = "simple"; + ExecStart = "${cfg.package}/bin/ps3netsrv++ ${shell.escape cfg.servedir}"; + PrivateTmp = true; + User = "${cfg.user}"; + }; + }; + + # TODO only create if user is ps3netsrv + users.users.ps3netsrv = { + uid = genid "ps3netsrv"; + }; + users.groups.ps3netsrv.gid = genid "ps3netsrv"; + }; +in +out + diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index 718b23c9e..6598f5d3f 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix @@ -5,20 +5,22 @@ let in { nixpkgs.config.packageOverrides = rec { - alsa-hdspmixer = callPackage ./alsa-tools { alsaToolTarget="hdspmixer";}; alsa-hdspconf = callPackage ./alsa-tools { alsaToolTarget="hdspconf";}; + alsa-hdspmixer = callPackage ./alsa-tools { alsaToolTarget="hdspmixer";}; alsa-hdsploader = callPackage ./alsa-tools { alsaToolTarget="hdsploader";}; awesomecfg = callPackage ./awesomecfg {}; bintray-upload = callPackage ./bintray-upload {}; + inherit (callPackage ./devpi {}) devpi-web devpi-server; + f3 = callPackage ./f3 {}; + farpd = callPackage ./farpd {}; git-xlsx-textconv = callPackage ./git-xlsx-textconv {}; mergerfs = callPackage ./mergerfs {}; mycube-flask = callPackage ./mycube-flask {}; nodemcu-uploader = callPackage ./nodemcu-uploader {}; + ps3netsrv = callPackage ./ps3netsrv {}; tw-upload-plugin = callPackage ./tw-upload-plugin {}; - inherit (callPackage ./devpi {}) devpi-web devpi-server; skytraq-logger = callPackage ./skytraq-logger {}; taskserver = callPackage ./taskserver {}; - ps3netsrv = callPackage ./ps3netsrv {}; - farpd = callPackage ./farpd {}; + wol = callPackage ./wol {}; }; } diff --git a/makefu/5pkgs/f3/default.nix b/makefu/5pkgs/f3/default.nix new file mode 100644 index 000000000..e7f20b1e6 --- /dev/null +++ b/makefu/5pkgs/f3/default.nix @@ -0,0 +1,26 @@ +{ stdenv, fetchFromGitHub }: + +stdenv.mkDerivation rec { + name = "f3-${version}"; + version = "6.0"; + + enableParallelBuilding = true; + + src = fetchFromGitHub { + owner = "AltraMayor"; + repo = "f3"; + rev = "v${version}"; + sha256 = "1azi10ba0h9z7m0gmfnyymmfqb8380k9za8hn1rrw1s442hzgnz2"; + }; + + makeFlags = [ "PREFIX=$(out)" ]; + patchPhase = "sed -i 's/-oroot -groot//' Makefile"; + + meta = { + description = "Fight Flash Fraud"; + homepage = http://oss.digirati.com.br/f3/; + license = stdenv.lib.licenses.gpl2; + platforms = stdenv.lib.platforms.linux; + maintainers = with stdenv.lib.maintainers; [ makefu ]; + }; +} diff --git a/makefu/5pkgs/git-xlsx-textconv/default.nix b/makefu/5pkgs/git-xlsx-textconv/default.nix index 1f631f020..66dde76ef 100644 --- a/makefu/5pkgs/git-xlsx-textconv/default.nix +++ b/makefu/5pkgs/git-xlsx-textconv/default.nix @@ -1,6 +1,6 @@ -{ stdenv, lib, goPackages, fetchFromGitHub }: +{ stdenv, lib, buildGoPackage, fetchFromGitHub }: let - go-xlsx = goPackages.buildGoPackage rec { + go-xlsx = buildGoPackage rec { name = "go-xlsx-${version}"; version = "46e6e472d"; @@ -13,7 +13,7 @@ let }; }; in -(goPackages.buildGoPackage rec { +(buildGoPackage rec { name = "git-xlsx-textconv-${version}"; version = "70685e7f8"; diff --git a/makefu/5pkgs/ps3netsrv/default.nix b/makefu/5pkgs/ps3netsrv/default.nix index 904185934..f62ee0c9a 100644 --- a/makefu/5pkgs/ps3netsrv/default.nix +++ b/makefu/5pkgs/ps3netsrv/default.nix @@ -10,7 +10,7 @@ stdenv.mkDerivation rec { url = "https://github.com/dirkvdb/ps3netsrv--"; fetchSubmodules = true; rev = "e54a66cbf142b86e2cffc1701984b95adb921e81"; # latest @ 2016-05-24 - sha256 = "0l7bp18cs3xr2qgsmcf18diccski49mj9whngxm9isi8wd4r9inj"; + sha256 = "09hvmfzqy2jckpsml0z1gkcnar8sigmgs1q66k718fph2d3g54sa"; }; nativeBuildInputs = [ gnugrep ]; diff --git a/makefu/5pkgs/wol/default.nix b/makefu/5pkgs/wol/default.nix new file mode 100644 index 000000000..a6d54b8a2 --- /dev/null +++ b/makefu/5pkgs/wol/default.nix @@ -0,0 +1,22 @@ +{ stdenv, fetchurl }: + +stdenv.mkDerivation rec { + proj = "wake-on-lan"; + name = "wol-${version}"; + version = "0.7.1"; + + enableParallelBuilding = true; + + src = fetchurl { + url = "mirror://sourceforge/${proj}/${name}.tar.gz"; + sha256 = "08i6l5lr14mh4n3qbmx6kyx7vjqvzdnh3j9yfvgjppqik2dnq270"; + }; + + meta = { + description = "simple wake-on-lan client"; + homepage = https://sourceforge.net/projects/wake-on-lan/; + license = stdenv.lib.licenses.gpl2; + platforms = stdenv.lib.platforms.linux; + maintainers = with stdenv.lib.maintainers; [ makefu ]; + }; +} |