12 files changed, 294 insertions, 154 deletions

diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix
new file mode 100644
index 000000000..ca9ff20a1
--- /dev/null
+++ b/lass/2configs/backups.nix
@@ -0,0 +1,99 @@
+{ config, lib, ... }:
+with config.krebs.lib;
+{
+
+  krebs.backup.plans = {
+  } // mapAttrs (_: recursiveUpdate {
+    snapshots = {
+      daily    = { format = "%Y-%m-%d"; retain =  7; };
+      weekly   = { format = "%YW%W";    retain =  4; };
+      monthly  = { format = "%Y-%m";    retain = 12; };
+      yearly   = { format = "%Y";                    };
+    };
+  }) {
+    dishfire-http-prism = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
+      dst = { host = config.krebs.hosts.prism;    path = "/bku/dishfire-http"; };
+      startAt = "03:00";
+    };
+    dishfire-http-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
+      dst = { host = config.krebs.hosts.mors;     path = "/bku/dishfire-http"; };
+      startAt = "03:05";
+    };
+    dishfire-http-uriel = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
+      dst = { host = config.krebs.hosts.uriel;    path = "/bku/dishfire-http"; };
+      startAt = "03:10";
+    };
+    dishfire-sql-prism = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
+      dst = { host = config.krebs.hosts.prism;    path = "/bku/dishfire-sql"; };
+      startAt = "03:15";
+    };
+    dishfire-sql-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
+      dst = { host = config.krebs.hosts.mors;     path = "/bku/dishfire-sql"; };
+      startAt = "03:20";
+    };
+    dishfire-sql-uriel = {
+      method = "pull";
+      src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
+      dst = { host = config.krebs.hosts.uriel;    path = "/bku/dishfire-sql"; };
+      startAt = "03:25";
+    };
+    prism-chat-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
+      dst = { host = config.krebs.hosts.mors;  path = "/bku/prism-chat"; };
+      startAt = "03:30";
+    };
+    prism-chat-uriel = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
+      dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; };
+      startAt = "03:35";
+    };
+    prism-sql-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
+      dst = { host = config.krebs.hosts.mors;  path = "/bku/prism-sql_dumps"; };
+      startAt = "03:40";
+    };
+    prism-sql-uriel = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
+      dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; };
+      startAt = "03:45";
+    };
+    prism-http-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
+      dst = { host = config.krebs.hosts.mors;  path = "/bku/prism-http"; };
+      startAt = "03:50";
+    };
+    prism-http-uriel = {
+      method = "pull";
+      src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
+      dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; };
+      startAt = "03:55";
+    };
+    uriel-home-mors = {
+      method = "pull";
+      src = { host = config.krebs.hosts.uriel; path = "/home"; };
+      dst = { host = config.krebs.hosts.mors;  path = "/bku/uriel-home"; };
+      startAt = "04:00";
+    };
+    mors-home-uriel = {
+      method = "push";
+      src = { host = config.krebs.hosts.mors;  path = "/home"; };
+      dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; };
+      startAt = "05:00";
+    };
+  };
+}
diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix
index 8017d4270..8c6078ba5 100644
--- a/lass/2configs/base.nix
+++ b/lass/2configs/base.nix
@@ -7,10 +7,11 @@ with config.krebs.lib;
     ../2configs/zsh.nix
     ../2configs/mc.nix
     ../2configs/retiolum.nix
+    ./backups.nix
     {
       users.extraUsers =
         mapAttrs (_: h: { hashedPassword = h; })
-                 (import /root/secrets/hashedPasswords.nix);
+                 (import <secrets/hashedPasswords.nix>);
     }
     {
       users.extraUsers = {
@@ -18,7 +19,6 @@ with config.krebs.lib;
           openssh.authorizedKeys.keys = [
             config.krebs.users.lass.pubkey
             config.krebs.users.lass-uriel.pubkey
-            config.krebs.users.lass-helios.pubkey
           ];
         };
         mainUser = {
@@ -45,7 +45,6 @@ with config.krebs.lib;
   krebs = {
     enable = true;
     search-domain = "retiolum";
-    exim-retiolum.enable = true;
     build = {
       user = config.krebs.users.lass;
       source = mapAttrs (_: mkDefault) ({
@@ -55,7 +54,7 @@ with config.krebs.lib;
         stockholm = "/home/lass/stockholm";
         nixpkgs = {
           url = https://github.com/NixOS/nixpkgs;
-          rev = "40c586b7ce2c559374df435f46d673baf711c543";
+          rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819";
           dev = "/home/lass/src/nixpkgs";
         };
       } // optionalAttrs config.krebs.build.host.secure {
@@ -85,9 +84,12 @@ with config.krebs.lib;
     MANPAGER=most
   '';
 
+  nixpkgs.config.allowUnfree = true;
+
   environment.systemPackages = with pkgs; [
   #stockholm
     git
+    gnumake
     jq
     parallel
     proot
@@ -108,6 +110,11 @@ with config.krebs.lib;
 
   #neat utils
     krebspaste
+
+  #unpack stuff
+    p7zip
+    unzip
+    unrar
   ];
 
   programs.bash = {
@@ -145,10 +152,6 @@ with config.krebs.lib;
     '';
   };
 
-  security.setuidPrograms = [
-    "sendmail"
-  ];
-
   services.openssh = {
     enable = true;
     hostKeys = [
@@ -165,6 +168,13 @@ with config.krebs.lib;
   krebs.iptables = {
     enable = true;
     tables = {
+      nat.PREROUTING.rules = [
+        { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
+        { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
+      ];
+      nat.OUTPUT.rules = [
+        { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
+      ];
       filter.INPUT.policy = "DROP";
       filter.FORWARD.policy = "DROP";
       filter.INPUT.rules = [
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index 115cb8b61..ccd751413 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -20,6 +20,7 @@ in {
       ];
       openssh.authorizedKeys.keys = [
         config.krebs.users.lass.pubkey
+        config.krebs.users.lass-uriel.pubkey
       ];
     };
 
diff --git a/lass/2configs/exim-retiolum.nix b/lass/2configs/exim-retiolum.nix
new file mode 100644
index 000000000..ea2f553b8
--- /dev/null
+++ b/lass/2configs/exim-retiolum.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+  krebs.exim-retiolum.enable = true;
+  krebs.setuid.sendmail = {
+    filename = "${pkgs.exim}/bin/exim";
+    mode = "4111";
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
+  ];
+}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
new file mode 100644
index 000000000..e1aa29c49
--- /dev/null
+++ b/lass/2configs/exim-smarthost.nix
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+  krebs.exim-smarthost = {
+    enable = true;
+    dkim = [
+      { domain = "lassul.us"; }
+    ];
+    sender_domains = [
+      "lassul.us"
+    ];
+    relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [
+      config.krebs.hosts.mors
+      config.krebs.hosts.uriel
+      config.krebs.hosts.helios
+    ];
+    internet-aliases = with config.krebs.users; [
+      { from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822
+      { from = "lass@lassul.us"; to = lass.mail; }
+      { from = "lassulus@lassul.us"; to = lass.mail; }
+      { from = "test@lassul.us"; to = lass.mail; }
+      { from = "outlook@lassul.us"; to = lass.mail; }
+    ];
+    system-aliases = [
+      { from = "mailer-daemon"; to = "postmaster"; }
+      { from = "postmaster"; to = "root"; }
+      { from = "nobody"; to = "root"; }
+      { from = "hostmaster"; to = "root"; }
+      { from = "usenet"; to = "root"; }
+      { from = "news"; to = "root"; }
+      { from = "webmaster"; to = "root"; }
+      { from = "www"; to = "root"; }
+      { from = "ftp"; to = "root"; }
+      { from = "abuse"; to = "root"; }
+      { from = "noc"; to = "root"; }
+      { from = "security"; to = "root"; }
+      { from = "root"; to = "lass"; }
+    ];
+  };
+
+  krebs.setuid.sendmail = {
+    filename = "${pkgs.exim}/bin/exim";
+    mode = "4111";
+  };
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
+  ];
+}
diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix
deleted file mode 100644
index bf6ea8952..000000000
--- a/lass/2configs/fastpoke-pages.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with config.krebs.lib;
-
-let
-  createStaticPage = domain:
-    {
-      krebs.nginx.servers."${domain}" = {
-        server-names = [
-          "${domain}"
-          "www.${domain}"
-        ];
-        locations = [
-          (nameValuePair "/" ''
-            root /var/lib/http/${domain};
-          '')
-        ];
-      };
-      #networking.extraHosts = ''
-      #  10.243.206.102 ${domain}
-      #'';
-      users.extraUsers = {
-        ${domain} = {
-          name = domain;
-          home = "/var/lib/http/${domain}";
-          createHome = true;
-        };
-      };
-    };
-
-in {
-  imports = map createStaticPage [
-    "habsys.de"
-    "pixelpocket.de"
-    "karlaskop.de"
-    "ubikmedia.de"
-    "apanowicz.de"
-  ];
-
-  krebs.iptables = {
-    tables = {
-      filter.INPUT.rules = [
-        { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
-      ];
-    };
-  };
-
-
-  krebs.nginx = {
-    enable = true;
-    servers = {
-      #"habsys.de" = {
-      #  server-names = [
-      #    "habsys.de"
-      #    "www.habsys.de"
-      #  ];
-      #  locations = [
-      #    (nameValuePair "/" ''
-      #      root /var/lib/http/habsys.de;
-      #    '')
-      #  ];
-      #};
-
-      #"karlaskop.de" = {
-      #  server-names = [
-      #    "karlaskop.de"
-      #    "www.karlaskop.de"
-      #  ];
-      #  locations = [
-      #    (nameValuePair "/" ''
-      #      root /var/lib/http/karlaskop.de;
-      #    '')
-      #  ];
-      #};
-
-      #"pixelpocket.de" = {
-      #  server-names = [
-      #    "pixelpocket.de"
-      #    "www.karlaskop.de"
-      #  ];
-      #  locations = [
-      #    (nameValuePair "/" ''
-      #      root /var/lib/http/karlaskop.de;
-      #    '')
-      #  ];
-      #};
-
-    };
-  };
-
-  #services.postgresql = {
-  #  enable = true;
-  #};
-
-  #config.services.vsftpd = {
-  #  enable = true;
-  #  userlistEnable = true;
-  #  userlistFile = pkgs.writeFile "vsftpd-userlist" ''
-  #  '';
-  #};
-}
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 6043a8759..0eec97922 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -13,7 +13,7 @@ in {
       name = "games";
       description = "user playing games";
       home = "/home/games";
-      extraGroups = [ "audio" "video" "input" ];
+      extraGroups = [ "audio" "video" "input" "loot" ];
       createHome = true;
       useDefaultShell = true;
     };
diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix
index d7c68bd7d..636b44395 100644
--- a/lass/2configs/newsbot-js.nix
+++ b/lass/2configs/newsbot-js.nix
@@ -154,7 +154,6 @@ let
     telepolis|http://www.heise.de/tp/rss/news-atom.xml|#news
     the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#news
     tigsource|http://www.tigsource.com/feed/|#news
-    times|http://www.thetimes.co.uk/tto/news/rss|#news
     tinc|http://tinc-vpn.org/news/index.rss|#news
     topix_b|http://www.topix.com/rss/wire/de/berlin|#news
     torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#news
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
index 33eca0a17..610887621 100644
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@@ -6,5 +6,4 @@
     gnupg1
   ];
 
-  services.xserver.startGnuPGAgent = true;
 }
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 109c216c0..caaee96bb 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -1,24 +1,36 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
-{
+let
+  inherit (config.krebs.lib) genid;
+  inherit (import ../../4lib { inherit lib pkgs; })
+    manageCert
+    manageCerts
+    activateACME
+    ssl
+    servePage
+    serveOwncloud
+    serveWordpress;
+
+in {
   imports = [
-    ../../3modules/static_nginx.nix
-    ../../3modules/owncloud_nginx.nix
-    ../../3modules/wordpress_nginx.nix
-  ];
+    ( ssl [ "reich-gebaeudereinigung.de" ])
+    ( servePage [ "reich-gebaeudereinigung.de" ])
 
-  lass.staticPage = {
-    "karlaskop.de" = {};
-    "makeup.apanowicz.de" = {};
-    "pixelpocket.de" = {};
-    "reich-gebaeudereinigung.de" = {};
-  };
+    ( manageCerts [ "karlaskop.de" ])
+    ( servePage [ "karlaskop.de" ])
 
-  lass.owncloud = {
-    "o.ubikmedia.de" = {
-      instanceid = "oc8n8ddbftgh";
-    };
-  };
+    ( ssl [ "makeup.apanowicz.de" ])
+    ( servePage [ "makeup.apanowicz.de" ])
+
+    ( manageCerts [ "pixelpocket.de" ])
+    ( servePage [ "pixelpocket.de" ])
+
+    ( ssl [ "o.ubikmedia.de" ])
+    ( serveOwncloud [ "o.ubikmedia.de" ])
+
+    ( ssl [ "ubikmedia.de" "aldona.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] )
+    ( serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] )
+  ];
 
   services.mysql = {
     enable = true;
@@ -26,10 +38,31 @@
     rootPassword = toString (<secrets/mysql_rootPassword>);
   };
 
-  #lass.wordpress = {
-  #  "ubikmedia.de" = {
-  #  };
-  #};
+  services.mysqlBackup = {
+    enable = true;
+    databases = [
+      "ubikmedia_de"
+      "o_ubikmedia_de"
+    ];
+    location = "/bku/sql_dumps";
+  };
+
+  users.users.domsen = {
+    uid = genid "domsen";
+    description = "maintenance acc for domsen";
+    home = "/home/domsen";
+    useDefaultShell = true;
+    extraGroups = [ "nginx" ];
+    createHome = true;
+  };
 
+  services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
+     options = ''
+      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+    '';
+  } ''
+    cat ${pkgs.php}/etc/php-recommended.ini > $out
+    echo "$options" >> $out
+  '';
 }
 
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 073f3de14..c022dfbe2 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -1,22 +1,55 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 
-{
+let
+  inherit (import ../../4lib { inherit lib pkgs; })
+    manageCerts
+    activateACME
+    ssl
+    servePage
+    serveWordpress;
 
+in {
   imports = [
-    ../../3modules/static_nginx.nix
-    ../../3modules/owncloud_nginx.nix
-    ../../3modules/wordpress_nginx.nix
+    #( manageCerts [ "biostase.de" ])
+    #( servePage [ "biostase.de" ])
+
+    #( manageCerts [ "gs-maubach.de" ])
+    #( servePage [ "gs-maubach.de" ])
+
+    #( manageCerts [ "spielwaren-kern.de" ])
+    #( servePage [ "spielwaren-kern.de" ])
+
+    #( manageCerts [ "societyofsimtech.de" ])
+    #( servePage [ "societyofsimtech.de" ])
+
+    #( manageCerts [ "ttf-kleinaspach.de" ])
+    #( servePage [ "ttf-kleinaspach.de" ])
+
+    #( manageCerts [ "edsn.de" ])
+    #( servePage [ "edsn.de" ])
+
+    #( manageCerts [ "eab.berkeley.edu" ])
+    #( servePage [ "eab.berkeley.edu" ])
+
+    ( manageCerts [ "eastuttgart.de" ])
+    ( serveWordpress [ "eastuttgart.de" ])
+
+    ( manageCerts [ "habsys.de" ])
+    ( servePage [ "habsys.de" ])
   ];
 
-  lass.staticPage = {
-    "biostase.de" = {};
-    "gs-maubach.de" = {};
-    "spielwaren-kern.de" = {};
-    "societyofsimtech.de" = {};
-    "ttf-kleinaspach.de" = {};
-    "edsn.de" = {};
-    "eab.berkeley.edu" = {};
-    "habsys.de" = {};
+  services.mysql = {
+    enable = true;
+    package = pkgs.mariadb;
+    rootPassword = toString (<secrets/mysql_rootPassword>);
+  };
+
+  services.mysqlBackup = {
+    enable = true;
+    databases = [
+      "eastuttgart_de"
+    ];
+    location = "/bku/sql_dumps";
   };
 
   #lass.owncloud = {
diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix
index ac784d4c7..858054531 100644
--- a/lass/2configs/websites/wohnprojekt-rhh.de.nix
+++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix
@@ -1,14 +1,17 @@
-{ config, ... }:
+{ config, pkgs, lib, ... }:
 
-{
+let
+  inherit (config.krebs.lib) genid;
+  inherit (import ../../4lib { inherit lib pkgs; })
+    ssl
+    servePage;
+
+in {
   imports = [
-    ../../3modules/static_nginx.nix
+    ( ssl [ "wohnprojekt-rhh.de" ])
+    ( servePage [ "wohnprojekt-rhh.de" ])
   ];
 
-  lass.staticPage = {
-    "wohnprojekt-rhh.de" = {};
-  };
-
   users.users.laura = {
     home = "/srv/http/wohnprojekt-rhh.de";
     createHome = true;