Merge remote-tracking branch 'cd/master'
commit
0868101f2a
6
Makefile
6
Makefile
|
@ -51,8 +51,6 @@ $(if $(target_user),,$(error unbound variable: target_user))
|
||||||
$(if $(target_port),,$(error unbound variable: target_port))
|
$(if $(target_port),,$(error unbound variable: target_port))
|
||||||
$(if $(target_path),,$(error unbound variable: target_path))
|
$(if $(target_path),,$(error unbound variable: target_path))
|
||||||
|
|
||||||
target ?= $(target_user)@$(target_host):$(target_port)$(target_path)
|
|
||||||
|
|
||||||
build = \
|
build = \
|
||||||
nix-build \
|
nix-build \
|
||||||
--no-out-link \
|
--no-out-link \
|
||||||
|
@ -88,6 +86,8 @@ deploy:
|
||||||
nixos-rebuild $(rebuild-command) --show-trace -I $(target_path)
|
nixos-rebuild $(rebuild-command) --show-trace -I $(target_path)
|
||||||
|
|
||||||
# usage: make populate system=foo
|
# usage: make populate system=foo
|
||||||
|
populate: populate-target = \
|
||||||
|
$(target_user)@$(target_host):$(target_port)$(target_path)
|
||||||
ifeq ($(debug),true)
|
ifeq ($(debug),true)
|
||||||
populate: populate-flags += --debug
|
populate: populate-flags += --debug
|
||||||
endif
|
endif
|
||||||
|
@ -96,7 +96,7 @@ populate: populate-flags += --ssh=$(ssh)
|
||||||
endif
|
endif
|
||||||
populate:
|
populate:
|
||||||
$(call evaluate,config.krebs.build.source) --json --strict | \
|
$(call evaluate,config.krebs.build.source) --json --strict | \
|
||||||
populate $(target) $(populate-flags)
|
populate $(populate-target) $(populate-flags)
|
||||||
|
|
||||||
# usage: make pkgs.populate
|
# usage: make pkgs.populate
|
||||||
pkgs:;@$(error no package selected)
|
pkgs:;@$(error no package selected)
|
||||||
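Review bot: `populate-target` expands `$(target_host)`, but the unbound-variable guards visible in the first hunk cover only `target_user`, `target_port` and `target_path`; if `target_host` is not checked above line 51 (outside this view), an unset host silently yields `user@:port/path` and the failure only surfaces from ssh inside `populate`. Adding `$(if $(target_host),,$(error unbound variable: target_host))` next to the other guards keeps the error at parse time, where the others already are. The new variable is also expanded unquoted in the recipe, so a `target_path` containing spaces would be split by the shell; `populate '$(populate-target)' $(populate-flags)` avoids that.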
|
|
|
@ -791,6 +791,7 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
|
||||||
|
|
||||||
} // { # hosts only maintained in stockholm, not owned by me
|
} // { # hosts only maintained in stockholm, not owned by me
|
||||||
muhbaasu = rec {
|
muhbaasu = rec {
|
||||||
|
owner = config.krebs.users.root;
|
||||||
cores = 1;
|
cores = 1;
|
||||||
nets = {
|
nets = {
|
||||||
internet = {
|
internet = {
|
||||||
|
|
|
@ -336,7 +336,6 @@ let
|
||||||
pm.min_spare_servers = 1
|
pm.min_spare_servers = 1
|
||||||
pm.max_spare_servers = 3
|
pm.max_spare_servers = 3
|
||||||
chdir = /
|
chdir = /
|
||||||
# errors to journal
|
|
||||||
php_admin_value[error_log] = 'stderr'
|
php_admin_value[error_log] = 'stderr'
|
||||||
php_admin_flag[log_errors] = on
|
php_admin_flag[log_errors] = on
|
||||||
catch_workers_output = yes
|
catch_workers_output = yes
|
||||||
|
|
|
@ -8,6 +8,7 @@ let
|
||||||
"test-centos7"
|
"test-centos7"
|
||||||
"test-all-krebs-modules"
|
"test-all-krebs-modules"
|
||||||
] (name: {
|
] (name: {
|
||||||
|
owner = config.krebs.users.shared;
|
||||||
inherit name;
|
inherit name;
|
||||||
cores = 1;
|
cores = 1;
|
||||||
nets = {
|
nets = {
|
||||||
|
@ -34,6 +35,7 @@ let
|
||||||
in {
|
in {
|
||||||
hosts = {
|
hosts = {
|
||||||
wolf = {
|
wolf = {
|
||||||
|
owner = config.krebs.users.shared;
|
||||||
nets = {
|
nets = {
|
||||||
shack = {
|
shack = {
|
||||||
ip4.addr = "10.42.2.150" ;
|
ip4.addr = "10.42.2.150" ;
|
||||||
|
|
|
@ -1,19 +1,12 @@
|
||||||
{ config, lib, ... }:
|
_:
|
||||||
|
|
||||||
|
let
|
||||||
|
lib = import <stockholm/lib>;
|
||||||
|
in
|
||||||
|
|
||||||
with builtins;
|
|
||||||
with lib;
|
with lib;
|
||||||
|
|
||||||
let out = import <stockholm/lib> // rec {
|
let out = lib // rec {
|
||||||
|
|
||||||
eq = x: y: x == y;
|
|
||||||
ne = x: y: x != y;
|
|
||||||
|
|
||||||
mod = x: y: x - y * (x / y);
|
|
||||||
|
|
||||||
addName = name: set:
|
|
||||||
set // { inherit name; };
|
|
||||||
|
|
||||||
addNames = mapAttrs addName;
|
|
||||||
|
|
||||||
guard = spec@{ type, value, ... }:
|
guard = spec@{ type, value, ... }:
|
||||||
assert isOptionType type;
|
assert isOptionType type;
|
||||||
|
@ -26,12 +19,9 @@ let out = import <stockholm/lib> // rec {
|
||||||
]));
|
]));
|
||||||
|
|
||||||
types = import ./types.nix {
|
types = import ./types.nix {
|
||||||
inherit config;
|
|
||||||
lib = lib // { inherit genid optionalTrace; };
|
lib = lib // { inherit genid optionalTrace; };
|
||||||
};
|
};
|
||||||
|
|
||||||
dir.has-default-nix = path: pathExists (path + "/default.nix");
|
|
||||||
|
|
||||||
genid = import ./genid.nix { lib = lib // out; };
|
genid = import ./genid.nix { lib = lib // out; };
|
||||||
genid_signed = x: ((genid x) + 16777216) / 2;
|
genid_signed = x: ((genid x) + 16777216) / 2;
|
||||||
git = import ./git.nix { lib = lib // out; };
|
git = import ./git.nix { lib = lib // out; };
|
||||||
|
|
|
@ -1,7 +1,12 @@
|
||||||
{ lib, ... }:
|
{ lib, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
inherit (lib) addNames escapeShellArg makeSearchPath optionalString;
|
addName = name: set:
|
||||||
|
set // { inherit name; };
|
||||||
|
|
||||||
|
addNames = mapAttrs addName;
|
||||||
|
|
||||||
commands = addNames {
|
commands = addNames {
|
||||||
git-receive-pack = {};
|
git-receive-pack = {};
|
||||||
|
|
|
@ -1,14 +1,9 @@
|
||||||
{ config, lib, ... }:
|
{ lib, ... }:
|
||||||
|
|
||||||
with builtins;
|
with builtins;
|
||||||
with lib;
|
with lib;
|
||||||
with types;
|
with types;
|
||||||
|
|
||||||
let
|
|
||||||
# Inherited attributes are used in submodules that have their own `config`.
|
|
||||||
inherit (config.krebs) build users;
|
|
||||||
in
|
|
||||||
|
|
||||||
types // rec {
|
types // rec {
|
||||||
|
|
||||||
host = submodule ({ config, ... }: {
|
host = submodule ({ config, ... }: {
|
||||||
|
@ -27,7 +22,6 @@ types // rec {
|
||||||
|
|
||||||
owner = mkOption {
|
owner = mkOption {
|
||||||
type = user;
|
type = user;
|
||||||
default = users.krebs;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
extraZones = mkOption {
|
extraZones = mkOption {
|
||||||
|
@ -49,10 +43,6 @@ types // rec {
|
||||||
ssh.pubkey = mkOption {
|
ssh.pubkey = mkOption {
|
||||||
type = nullOr ssh-pubkey;
|
type = nullOr ssh-pubkey;
|
||||||
default = null;
|
default = null;
|
||||||
apply = x:
|
|
||||||
optionalTrace (x == null && config.owner.name == build.user.name)
|
|
||||||
"The option `krebs.hosts.${config.name}.ssh.pubkey' is unused."
|
|
||||||
x;
|
|
||||||
};
|
};
|
||||||
ssh.privkey = mkOption {
|
ssh.privkey = mkOption {
|
||||||
type = nullOr ssh-privkey;
|
type = nullOr ssh-privkey;
|
||||||
|
@ -187,7 +177,6 @@ types // rec {
|
||||||
};
|
};
|
||||||
owner = mkOption {
|
owner = mkOption {
|
||||||
type = user;
|
type = user;
|
||||||
default = users.root;
|
|
||||||
};
|
};
|
||||||
group-name = mkOption {
|
group-name = mkOption {
|
||||||
type = str;
|
type = str;
|
||||||
|
@ -284,6 +273,7 @@ types // rec {
|
||||||
};
|
};
|
||||||
mail = mkOption {
|
mail = mkOption {
|
||||||
type = str; # TODO retiolum mail address
|
type = str; # TODO retiolum mail address
|
||||||
|
default = "${config._module.args.name}@${config.networking.hostName}.r";
|
||||||
};
|
};
|
||||||
name = mkOption {
|
name = mkOption {
|
||||||
type = username;
|
type = username;
|
||||||
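Review bot: The new default for `mail` reads `config.networking.hostName`, but `config` here can only be the submodule's own option set (this file no longer receives the outer `config` at all), so unless that submodule is declared with access to the host configuration the default will fail with a missing `networking` attribute the first time it is evaluated, rather than produce `name@host.r`. Either thread the hostname in explicitly (a module argument, or keep the top-level `config` parameter for this one use) or state on the option that callers are expected to set `mail`; a comment such as `# default assumes evaluation inside the NixOS config — verify` would at least make the assumption visible. The enclosing `user` submodule starts outside this hunk.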
|
|
|
@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = "https://github.com/atheme/charybdis.git";
|
url = "https://github.com/atheme/charybdis.git";
|
||||||
rev = "61815bf9324e872f51255e09fe37a8c595f94a60";
|
rev = "61815bf9324e872f51255e09fe37a8c595f94a60";
|
||||||
sha256 = "0zsd6xk2cnspc1cvryy2296p3ix4hwjd9k24wmgbh5wzks0wahwy";
|
sha256 = "1q9h7j2pm1wsbcybmm7r7hzimp1zda04lw9x2akb26l9p12zgfgc";
|
||||||
};
|
};
|
||||||
|
|
||||||
patches = [
|
patches = [
|
||||||
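Review bot: The expected `sha256` for charybdis changes while `rev` stays pinned to the same commit, so the derivation now accepts different bytes for the same source revision, and the commit gives no reason (the nixpkgs bump later in this merge may have changed `fetchgit`'s output layout, which would explain it, but that is inference). For a pinned rev the hash is the only thing standing between the recorded source and a substituted tree, so record where the new value came from, e.g. `# sha256 re-computed with nix-prefetch-git after the nixpkgs bump; rev unchanged`. The same pattern appears for painload and noVNC further down.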
|
|
|
@ -17,7 +17,7 @@ with config.krebs.lib;
|
||||||
in {}
|
in {}
|
||||||
// import ./builders.nix args
|
// import ./builders.nix args
|
||||||
// mapAttrs (_: flip callPackage {})
|
// mapAttrs (_: flip callPackage {})
|
||||||
(filterAttrs (_: dir.has-default-nix)
|
(filterAttrs (_: dir: pathExists (dir + "/default.nix"))
|
||||||
(subdirsOf ./.))
|
(subdirsOf ./.))
|
||||||
// {
|
// {
|
||||||
empty = pkgs.runCommand "empty-1.0.0" {} "mkdir $out";
|
empty = pkgs.runCommand "empty-1.0.0" {} "mkdir $out";
|
||||||
|
|
|
@ -6,7 +6,7 @@ stdenv.mkDerivation {
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = https://github.com/krebscode/painload;
|
url = https://github.com/krebscode/painload;
|
||||||
rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3";
|
rev = "35ccac73d563ad30d2851b9aeed4cfef69ff74e3";
|
||||||
sha256 = "1y1fs2p3xj2yrqpw0h5kd0f3c5p1y70xk1hjnw99sr33r67s9c35";
|
sha256 = "0arsfcd8qdrqafw7cxiag7f0kn95nwxxwrs0kdzxxdryfr6l1h07";
|
||||||
};
|
};
|
||||||
|
|
||||||
phases = [
|
phases = [
|
||||||
|
|
|
@ -1,64 +0,0 @@
|
||||||
{ coreutils, fetchurl, db, openssl, pam, pcre, perl, pkgconfig, stdenv }:
|
|
||||||
|
|
||||||
stdenv.mkDerivation rec {
|
|
||||||
name = "exim-4.87";
|
|
||||||
|
|
||||||
src = fetchurl {
|
|
||||||
url = "http://mirror.switch.ch/ftp/mirror/exim/exim/exim4/${name}.tar.bz2";
|
|
||||||
sha256 = "1jbxn13shq90kpn0s73qpjnx5xm8jrpwhcwwgqw5s6sdzw6iwsbl";
|
|
||||||
};
|
|
||||||
|
|
||||||
buildInputs = [ coreutils db openssl pam pcre perl pkgconfig ];
|
|
||||||
|
|
||||||
preBuild = ''
|
|
||||||
sed '
|
|
||||||
s:^\(BIN_DIRECTORY\)=.*:\1='"$out"'/bin:
|
|
||||||
s:^\(CONFIGURE_FILE\)=.*:\1=/etc/exim.conf:
|
|
||||||
s:^\(EXIM_USER\)=.*:\1=ref\:nobody:
|
|
||||||
s:^\(SPOOL_DIRECTORY\)=.*:\1=/exim-homeless-shelter:
|
|
||||||
s:^# \(SUPPORT_MAILDIR\)=.*:\1=yes:
|
|
||||||
s:^EXIM_MONITOR=.*$:# &:
|
|
||||||
s:^\(FIXED_NEVER_USERS\)=root$:\1=0:
|
|
||||||
s:^# \(WITH_CONTENT_SCAN\)=.*:\1=yes:
|
|
||||||
s:^# \(AUTH_PLAINTEXT\)=.*:\1=yes:
|
|
||||||
s:^# \(SUPPORT_TLS\)=.*:\1=yes:
|
|
||||||
s:^# \(USE_OPENSSL_PC=openssl\)$:\1:
|
|
||||||
s:^# \(LOG_FILE_PATH=syslog\)$:\1:
|
|
||||||
s:^# \(SUPPORT_PAM\)=.*:\1=yes\nEXTRALIBS=-lpam:
|
|
||||||
s:^# \(HAVE_IPV6=yes\)$:\1:
|
|
||||||
s:^# \(CHOWN_COMMAND\)=.*:\1=${coreutils}/bin/chown:
|
|
||||||
s:^# \(CHGRP_COMMAND\)=.*:\1=${coreutils}/bin/chgrp:
|
|
||||||
s:^# \(CHMOD_COMMAND\)=.*:\1=${coreutils}/bin/chmod:
|
|
||||||
s:^# \(MV_COMMAND\)=.*:\1=${coreutils}/bin/mv:
|
|
||||||
s:^# \(RM_COMMAND\)=.*:\1=${coreutils}/bin/rm:
|
|
||||||
s:^# \(TOUCH_COMMAND\)=.*:\1=${coreutils}/bin/touch:
|
|
||||||
s:^# \(PERL_COMMAND\)=.*:\1=${perl}/bin/perl:
|
|
||||||
#/^\s*#.*/d
|
|
||||||
#/^\s*$/d
|
|
||||||
' < src/EDITME > Local/Makefile
|
|
||||||
'';
|
|
||||||
|
|
||||||
installPhase = ''
|
|
||||||
mkdir -p $out/bin $out/share/man/man8
|
|
||||||
cp doc/exim.8 $out/share/man/man8
|
|
||||||
|
|
||||||
( cd build-Linux-*
|
|
||||||
cp exicyclog exim_checkaccess exim_dumpdb exim_lock exim_tidydb \
|
|
||||||
exipick exiqsumm exigrep exim_dbmbuild exim exim_fixdb eximstats \
|
|
||||||
exinext exiqgrep exiwhat \
|
|
||||||
$out/bin )
|
|
||||||
|
|
||||||
( cd $out/bin
|
|
||||||
for i in mailq newaliases rmail rsmtp runq sendmail; do
|
|
||||||
ln -s exim $i
|
|
||||||
done )
|
|
||||||
'';
|
|
||||||
|
|
||||||
meta = {
|
|
||||||
homepage = http://exim.org/;
|
|
||||||
description = "A mail transfer agent (MTA)";
|
|
||||||
license = stdenv.lib.licenses.gpl3;
|
|
||||||
platforms = stdenv.lib.platforms.linux;
|
|
||||||
maintainers = [ stdenv.lib.maintainers.tv ];
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -5,7 +5,7 @@ mkDerivation {
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = http://cgit.cd.krebsco.de/blessings;
|
url = http://cgit.cd.krebsco.de/blessings;
|
||||||
rev = "25a510dcb38ea9158e9969d56eb66cb1b860ab5f";
|
rev = "25a510dcb38ea9158e9969d56eb66cb1b860ab5f";
|
||||||
sha256 = "b962153e80e51519b52220199d8350b54154833e4bc25a792ecc58898fef3fb2";
|
sha256 = "0xg329h1y68ndg4w3m1jp38pkg3gqg7r19q70gqqj4mswb6qcrqc";
|
||||||
};
|
};
|
||||||
libraryHaskellDepends = [ base ];
|
libraryHaskellDepends = [ base ];
|
||||||
doHaddock = false;
|
doHaddock = false;
|
||||||
|
|
|
@ -7,8 +7,8 @@ mkDerivation {
|
||||||
version = "0.3.0";
|
version = "0.3.0";
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = "https://github.com/4z3/email-header";
|
url = "https://github.com/4z3/email-header";
|
||||||
sha256 = "f33fba567a39b1f2448869b269c26c40d8007599c23ab83bde5b4dfd9fd76ebc";
|
|
||||||
rev = "7b179bd31192ead8afe7a0b6e34bcad4039deaa8";
|
rev = "7b179bd31192ead8afe7a0b6e34bcad4039deaa8";
|
||||||
|
sha256 = "12j2n3sbvzjnw99gga7kkdygm8n3qx2lh8q26ad6a53xm5whnz59";
|
||||||
};
|
};
|
||||||
buildDepends = [
|
buildDepends = [
|
||||||
attoparsec base base64-bytestring bytestring case-insensitive
|
attoparsec base base64-bytestring bytestring case-insensitive
|
||||||
|
|
|
@ -5,7 +5,7 @@ mkDerivation {
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = http://cgit.cd.krebsco.de/scanner;
|
url = http://cgit.cd.krebsco.de/scanner;
|
||||||
rev = "7f091a3bc152ad3974a1873b460fa1759bf8dcad";
|
rev = "7f091a3bc152ad3974a1873b460fa1759bf8dcad";
|
||||||
sha256 = "7d123c227777932039d26fc832b8d32a90f04c0bd6b7e8bcff0a6f49a54e0054";
|
sha256 = "1lgl158axczsm4fx53fyq1d4116v91jsx4dbz66ka4k1ljqrmhgn";
|
||||||
};
|
};
|
||||||
libraryHaskellDepends = [ base ];
|
libraryHaskellDepends = [ base ];
|
||||||
license = stdenv.lib.licenses.wtfpl;
|
license = stdenv.lib.licenses.wtfpl;
|
||||||
|
|
|
@ -14,7 +14,7 @@ mkDerivation {
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = "http://cgit.cd.krebsco.de/much";
|
url = "http://cgit.cd.krebsco.de/much";
|
||||||
rev = "045dc986b4de225a927175f81c8ccfdab450202c";
|
rev = "045dc986b4de225a927175f81c8ccfdab450202c";
|
||||||
sha256 = "cec175e3dc32ef93029ee5285f6c4042ce11d637945bc8cec02cb6699d06cc13";
|
sha256 = "17jbw7x82a3bgn1qv5k764f103knrf865dmx48h7192vdh8gz766";
|
||||||
};
|
};
|
||||||
isLibrary = false;
|
isLibrary = false;
|
||||||
isExecutable = true;
|
isExecutable = true;
|
||||||
|
|
|
@ -7,7 +7,7 @@ stdenv.mkDerivation rec {
|
||||||
src = fetchgit {
|
src = fetchgit {
|
||||||
url = https://github.com/kanaka/noVNC;
|
url = https://github.com/kanaka/noVNC;
|
||||||
rev = "refs/tags/v0.5.1";
|
rev = "refs/tags/v0.5.1";
|
||||||
sha256 = "1azsnppwnrsv3axj0r5bw8lfarkibgz5vhgcyj8dzn4afn98f55w";
|
sha256 = "1vckvvfcawgfqmx415r5rnl6k2alx53jbqmsj49kxpbdvvxpb49d";
|
||||||
};
|
};
|
||||||
|
|
||||||
phases = [
|
phases = [
|
||||||
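Review bot: `rev = "refs/tags/v0.5.1"` pins to a tag, which upstream can move or recreate, so the `sha256` is the only thing that would catch a retagged release — and when it mismatches the natural reaction is to update the hash, which is exactly what this hunk does. Pinning to the full commit id the tag resolves to (`rev = "<commit>"`, checked once with `git rev-parse v0.5.1^{}`) makes the source immutable and turns the hash into a second check rather than the first.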
|
|
|
@ -102,6 +102,11 @@ with config.krebs.lib;
|
||||||
device = "/dev/pool/bku";
|
device = "/dev/pool/bku";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
"/tmp" = {
|
||||||
|
device = "tmpfs";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
options = ["nosuid" "nodev" "noatime"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
#services.udev.extraRules = ''
|
#services.udev.extraRules = ''
|
||||||
|
|
|
@ -23,7 +23,7 @@ with config.krebs.lib;
|
||||||
../2configs/teamviewer.nix
|
../2configs/teamviewer.nix
|
||||||
../2configs/libvirt.nix
|
../2configs/libvirt.nix
|
||||||
../2configs/fetchWallpaper.nix
|
../2configs/fetchWallpaper.nix
|
||||||
../2configs/c-base.nix
|
#../2configs/c-base.nix
|
||||||
../2configs/mail.nix
|
../2configs/mail.nix
|
||||||
../2configs/krebs-pass.nix
|
../2configs/krebs-pass.nix
|
||||||
../2configs/repo-sync.nix
|
../2configs/repo-sync.nix
|
||||||
|
@ -54,8 +54,8 @@ with config.krebs.lib;
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.postgresql;
|
package = pkgs.postgresql;
|
||||||
};
|
};
|
||||||
virtualisation.docker.enable = true;
|
#virtualisation.docker.enable = true;
|
||||||
users.users.mainUser.extraGroups = [ "docker" ];
|
#users.users.mainUser.extraGroups = [ "docker" ];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
lass.umts = {
|
lass.umts = {
|
||||||
|
@ -140,6 +140,11 @@ with config.krebs.lib;
|
||||||
device = "/dev/big/conf";
|
device = "/dev/big/conf";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
"/tmp" = {
|
||||||
|
device = "tmpfs";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
options = ["nosuid" "nodev" "noatime"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.udev.extraRules = ''
|
services.udev.extraRules = ''
|
||||||
|
@ -192,8 +197,12 @@ with config.krebs.lib;
|
||||||
urban
|
urban
|
||||||
mk_sql_pair
|
mk_sql_pair
|
||||||
remmina
|
remmina
|
||||||
|
thunderbird
|
||||||
|
|
||||||
logf
|
logf
|
||||||
|
iodine
|
||||||
|
|
||||||
|
macchanger
|
||||||
];
|
];
|
||||||
|
|
||||||
#TODO: fix this shit
|
#TODO: fix this shit
|
||||||
|
|
|
@ -23,6 +23,7 @@ in {
|
||||||
../2configs/buildbot-standalone.nix
|
../2configs/buildbot-standalone.nix
|
||||||
../2configs/repo-sync.nix
|
../2configs/repo-sync.nix
|
||||||
../2configs/binary-cache/server.nix
|
../2configs/binary-cache/server.nix
|
||||||
|
../2configs/iodined.nix
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
../2configs/git.nix
|
../2configs/git.nix
|
||||||
|
@ -119,6 +120,12 @@ in {
|
||||||
device = "/dev/pool/bku";
|
device = "/dev/pool/bku";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
fileSystems."/tmp" = {
|
||||||
|
device = "tmpfs";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
options = ["nosuid" "nodev" "noatime"];
|
||||||
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
sound.enable = false;
|
sound.enable = false;
|
||||||
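Review bot: The new tmpfs on `/tmp` has no `size=` option, so it takes the kernel default of half of RAM and, because tmpfs pages live in memory, any local user or service that fills `/tmp` becomes memory pressure on this server rather than a full disk; `options = ["nosuid" "nodev" "noatime" "size=..."]` with a cap sized to what the buildbot imported here actually needs bounds that. `noexec` is deliberately not suggested, since Nix builds typically unpack under `/tmp`. The same unsized tmpfs is added to the other hosts in this merge.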
|
@ -260,6 +267,11 @@ in {
|
||||||
{ predicate = "-p tcp --dport 8088"; target = "ACCEPT"; }
|
{ predicate = "-p tcp --dport 8088"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
krebs.repo-sync.timerConfig = {
|
||||||
|
OnCalendar = "*:0/5";
|
||||||
|
};
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.build.host = config.krebs.hosts.prism;
|
krebs.build.host = config.krebs.hosts.prism;
|
||||||
|
|
|
@ -50,6 +50,11 @@ with builtins;
|
||||||
device = "/dev/pool/home-lass";
|
device = "/dev/pool/home-lass";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
"/tmp" = {
|
||||||
|
device = "tmpfs";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
options = ["nosuid" "nodev" "noatime"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.udev.extraRules = ''
|
services.udev.extraRules = ''
|
||||||
|
|
|
@ -1,33 +1,45 @@
|
||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
|
|
||||||
with builtins;
|
with builtins;
|
||||||
|
with config.krebs.lib;
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
../.
|
../.
|
||||||
../2configs/retiolum.nix
|
../2configs/retiolum.nix
|
||||||
../2configs/baseX.nix
|
|
||||||
../2configs/exim-retiolum.nix
|
../2configs/exim-retiolum.nix
|
||||||
../2configs/browsers.nix
|
|
||||||
../2configs/games.nix
|
|
||||||
../2configs/pass.nix
|
|
||||||
../2configs/bird.nix
|
|
||||||
../2configs/git.nix
|
|
||||||
../2configs/chromium-patched.nix
|
|
||||||
../2configs/bitlbee.nix
|
|
||||||
../2configs/weechat.nix
|
|
||||||
../2configs/skype.nix
|
|
||||||
{
|
{
|
||||||
lass.umts = {
|
# locke config
|
||||||
|
time.timeZone = "Europe/Berlin";
|
||||||
|
services.xserver.enable = true;
|
||||||
|
users.users.locke = {
|
||||||
|
uid = genid "locke";
|
||||||
|
home = "/home/locke";
|
||||||
|
group = "users";
|
||||||
|
createHome = true;
|
||||||
|
extraGroups = [
|
||||||
|
"audio"
|
||||||
|
"networkmanager"
|
||||||
|
];
|
||||||
|
useDefaultShell = true;
|
||||||
|
};
|
||||||
|
networking.networkmanager.enable = true;
|
||||||
|
hardware.pulseaudio = {
|
||||||
|
enable = true;
|
||||||
|
systemWide = true;
|
||||||
|
};
|
||||||
|
environment.systemPackages = with pkgs; [
|
||||||
|
firefox
|
||||||
|
hexchat
|
||||||
|
networkmanagerapplet
|
||||||
|
];
|
||||||
|
services.xserver.desktopManager.xfce = {
|
||||||
enable = true;
|
enable = true;
|
||||||
modem = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0";
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.build.host = config.krebs.hosts.uriel;
|
krebs.build.host = config.krebs.hosts.uriel;
|
||||||
|
|
||||||
networking.wireless.enable = true;
|
|
||||||
|
|
||||||
hardware.enableAllFirmware = true;
|
hardware.enableAllFirmware = true;
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
|
||||||
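Review bot: `users.users.locke` is declared without `password` or `hashedPassword`, so if the `users.mutableUsers = false` set in the shared default config applies through `../.`, the account has a locked password and cannot log in at the X session this hunk also enables; set `hashedPassword = ...` (or whatever out-of-store password mechanism this tree uses for secrets) or confirm this host keeps mutable users. `hardware.pulseaudio.systemWide = true` also deserves a second look: PulseAudio's own documentation discourages system mode on desktops because one daemon serves every user, and the `audio` group already given to `locke` is the normal per-user route. A short comment on the block, e.g. `# locke: interactive desktop user; audio via per-user pulse`, would capture the intent either way.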
|
@ -62,6 +74,11 @@ with builtins;
|
||||||
"/boot" = {
|
"/boot" = {
|
||||||
device = "/dev/sda1";
|
device = "/dev/sda1";
|
||||||
};
|
};
|
||||||
|
"/tmp" = {
|
||||||
|
device = "tmpfs";
|
||||||
|
fsType = "tmpfs";
|
||||||
|
options = ["nosuid" "nodev" "noatime"];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.udev.extraRules = ''
|
services.udev.extraRules = ''
|
||||||
|
|
|
@ -23,10 +23,10 @@ with config.krebs.lib;
|
||||||
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
|
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
|
||||||
startAt = "03:05";
|
startAt = "03:05";
|
||||||
};
|
};
|
||||||
dishfire-http-uriel = {
|
dishfire-http-shodan = {
|
||||||
method = "pull";
|
method = "pull";
|
||||||
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
|
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
|
||||||
dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-http"; };
|
dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; };
|
||||||
startAt = "03:10";
|
startAt = "03:10";
|
||||||
};
|
};
|
||||||
dishfire-sql-prism = {
|
dishfire-sql-prism = {
|
||||||
|
@ -41,10 +41,10 @@ with config.krebs.lib;
|
||||||
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
|
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
|
||||||
startAt = "03:20";
|
startAt = "03:20";
|
||||||
};
|
};
|
||||||
dishfire-sql-uriel = {
|
dishfire-sql-shodan = {
|
||||||
method = "pull";
|
method = "pull";
|
||||||
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
|
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
|
||||||
dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-sql"; };
|
dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; };
|
||||||
startAt = "03:25";
|
startAt = "03:25";
|
||||||
};
|
};
|
||||||
prism-bitlbee-mors = {
|
prism-bitlbee-mors = {
|
||||||
|
@ -53,10 +53,10 @@ with config.krebs.lib;
|
||||||
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
|
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
|
||||||
startAt = "03:25";
|
startAt = "03:25";
|
||||||
};
|
};
|
||||||
prism-bitlbee-uriel = {
|
prism-bitlbee-shodan = {
|
||||||
method = "pull";
|
method = "pull";
|
||||||
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
|
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
|
||||||
dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-bitlbee"; };
|
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; };
|
||||||
startAt = "03:25";
|
startAt = "03:25";
|
||||||
};
|
};
|
||||||
prism-chat-mors = {
|
prism-chat-mors = {
|
||||||
|
@ -65,10 +65,10 @@ with config.krebs.lib;
|
||||||
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
|
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
|
||||||
startAt = "03:30";
|
startAt = "03:30";
|
||||||
};
|
};
|
||||||
prism-chat-uriel = {
|
prism-chat-shodan = {
|
||||||
method = "pull";
|
method = "pull";
|
||||||
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
|
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
|
||||||
dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; };
|
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; };
|
||||||
startAt = "03:35";
|
startAt = "03:35";
|
||||||
};
|
};
|
||||||
prism-sql-mors = {
|
prism-sql-mors = {
|
||||||
|
@ -77,10 +77,10 @@ with config.krebs.lib;
|
||||||
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
|
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
|
||||||
startAt = "03:40";
|
startAt = "03:40";
|
||||||
};
|
};
|
||||||
prism-sql-uriel = {
|
prism-sql-shodan = {
|
||||||
method = "pull";
|
method = "pull";
|
||||||
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
|
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
|
||||||
dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; };
|
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; };
|
||||||
startAt = "03:45";
|
startAt = "03:45";
|
||||||
};
|
};
|
||||||
prism-http-mors = {
|
prism-http-mors = {
|
||||||
|
@ -89,22 +89,22 @@ with config.krebs.lib;
|
||||||
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
|
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
|
||||||
startAt = "03:50";
|
startAt = "03:50";
|
||||||
};
|
};
|
||||||
prism-http-uriel = {
|
prism-http-shodan = {
|
||||||
method = "pull";
|
method = "pull";
|
||||||
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
|
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
|
||||||
dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; };
|
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; };
|
||||||
startAt = "03:55";
|
startAt = "03:55";
|
||||||
};
|
};
|
||||||
uriel-home-mors = {
|
shodan-home-mors = {
|
||||||
method = "pull";
|
method = "pull";
|
||||||
src = { host = config.krebs.hosts.uriel; path = "/home"; };
|
src = { host = config.krebs.hosts.shodan; path = "/home"; };
|
||||||
dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; };
|
dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; };
|
||||||
startAt = "04:00";
|
startAt = "04:00";
|
||||||
};
|
};
|
||||||
mors-home-uriel = {
|
mors-home-shodan = {
|
||||||
method = "push";
|
method = "push";
|
||||||
src = { host = config.krebs.hosts.mors; path = "/home"; };
|
src = { host = config.krebs.hosts.mors; path = "/home"; };
|
||||||
dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; };
|
dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; };
|
||||||
startAt = "05:00";
|
startAt = "05:00";
|
||||||
};
|
};
|
||||||
dishfire-http-helios = {
|
dishfire-http-helios = {
|
||||||
|
|
|
@ -1,11 +1,28 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with config.krebs.lib;
|
||||||
let
|
let
|
||||||
inherit (config.krebs.lib) genid;
|
|
||||||
|
|
||||||
mainUser = config.users.extraUsers.mainUser;
|
mainUser = config.users.extraUsers.mainUser;
|
||||||
createChromiumUser = name: extraGroups: packages:
|
|
||||||
{
|
browser-select = pkgs.writeScriptBin "browser-select" ''
|
||||||
|
BROWSER=$(echo -e "${concatStringsSep "\\n" (attrNames config.lass.browser.paths)}" | ${pkgs.dmenu}/bin/dmenu)
|
||||||
|
case $BROWSER in
|
||||||
|
${concatMapStringsSep "\n" (n: ''
|
||||||
|
${n})
|
||||||
|
export BIN=${config.lass.browser.paths.${n}}/bin/${n}
|
||||||
|
;;
|
||||||
|
'') (attrNames config.lass.browser.paths)}
|
||||||
|
esac
|
||||||
|
$BIN "$@"
|
||||||
|
'';
|
||||||
|
|
||||||
|
createChromiumUser = name: extraGroups:
|
||||||
|
let
|
||||||
|
bin = pkgs.writeScriptBin name ''
|
||||||
|
/var/setuid-wrappers/sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@
|
||||||
|
'';
|
||||||
|
in {
|
||||||
users.extraUsers.${name} = {
|
users.extraUsers.${name} = {
|
||||||
inherit name;
|
inherit name;
|
||||||
inherit extraGroups;
|
inherit extraGroups;
|
||||||
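Review bot: In `browser-select` the `case` has no default arm, so when dmenu returns text that is not one of the configured names (the user can type anything, or press Escape for an empty string) `BIN` stays unset and `$BIN "$@"` degenerates to executing the first argument — whatever URL or file name the caller passed is run as a command. Adding `*) exit 1 ;;` to the case (and `[ -n "$BIN" ] || exit 1` before the final line) closes that. The per-browser wrapper `bin` passes `$@` unquoted into `sudo -u ${name} -i ... chromium $@`, so arguments with spaces or glob characters are split and expanded before reaching the browser; `"$@"` preserves them. `createChromiumUser` continues past the end of this hunk.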
|
@ -14,19 +31,21 @@ let
|
||||||
useDefaultShell = true;
|
useDefaultShell = true;
|
||||||
createHome = true;
|
createHome = true;
|
||||||
};
|
};
|
||||||
krebs.per-user.${name}.packages = packages;
|
lass.browser.paths.${name} = bin;
|
||||||
security.sudo.extraConfig = ''
|
security.sudo.extraConfig = ''
|
||||||
${mainUser.name} ALL=(${name}) NOPASSWD: ALL
|
${mainUser.name} ALL=(${name}) NOPASSWD: ALL
|
||||||
'';
|
'';
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
(pkgs.writeScriptBin name ''
|
bin
|
||||||
/var/setuid-wrappers/sudo -u ${name} -i chromium $@
|
|
||||||
'')
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
createFirefoxUser = name: extraGroups: packages:
|
createFirefoxUser = name: extraGroups:
|
||||||
{
|
let
|
||||||
|
bin = pkgs.writeScriptBin name ''
|
||||||
|
/var/setuid-wrappers/sudo -u ${name} -i ${pkgs.firefox}/bin/firefox $@
|
||||||
|
'';
|
||||||
|
in {
|
||||||
users.extraUsers.${name} = {
|
users.extraUsers.${name} = {
|
||||||
inherit name;
|
inherit name;
|
||||||
inherit extraGroups;
|
inherit extraGroups;
|
||||||
|
@ -35,14 +54,12 @@ let
|
||||||
useDefaultShell = true;
|
useDefaultShell = true;
|
||||||
createHome = true;
|
createHome = true;
|
||||||
};
|
};
|
||||||
krebs.per-user.${name}.packages = packages;
|
lass.browser.paths.${name} = bin;
|
||||||
security.sudo.extraConfig = ''
|
security.sudo.extraConfig = ''
|
||||||
${mainUser.name} ALL=(${name}) NOPASSWD: ALL
|
${mainUser.name} ALL=(${name}) NOPASSWD: ALL
|
||||||
'';
|
'';
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
(pkgs.writeScriptBin name ''
|
bin
|
||||||
/var/setuid-wrappers/sudo -u ${name} -i firefox $@
|
|
||||||
'')
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -50,19 +67,26 @@ let
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
|
||||||
|
lass.browser.select = browser-select;
|
||||||
|
|
||||||
environment.systemPackages = [
|
environment.systemPackages = [
|
||||||
(pkgs.writeScriptBin "browser-select" ''
|
browser-select
|
||||||
BROWSER=$(echo -e "ff\ncr\nwk\nfb\ngm\nflash" | dmenu)
|
|
||||||
$BROWSER $@
|
|
||||||
'')
|
|
||||||
];
|
];
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
( createFirefoxUser "ff" [ "audio" ] [ pkgs.firefox ] )
|
{
|
||||||
( createChromiumUser "cr" [ "video" "audio" ] [ pkgs.chromium ] )
|
options.lass.browser.select = mkOption {
|
||||||
( createChromiumUser "wk" [ "video" "audio" ] [ pkgs.chromium ] )
|
type = types.path;
|
||||||
( createChromiumUser "fb" [ "video" "audio" ] [ pkgs.chromium ] )
|
};
|
||||||
( createChromiumUser "gm" [ "video" "audio" ] [ pkgs.chromium ] )
|
options.lass.browser.paths = mkOption {
|
||||||
( createChromiumUser "com" [ "video" "audio" ] [ pkgs.chromium ] )
|
type = with types; attrsOf path;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
( createFirefoxUser "ff" [ "audio" ] )
|
||||||
|
( createChromiumUser "cr" [ "video" "audio" ] )
|
||||||
|
( createChromiumUser "wk" [ "video" "audio" ] )
|
||||||
|
( createChromiumUser "fb" [ "video" "audio" ] )
|
||||||
|
( createChromiumUser "gm" [ "video" "audio" ] )
|
||||||
|
( createChromiumUser "com" [ "video" "audio" ] )
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
|
@ -21,7 +21,6 @@ with config.krebs.lib;
|
||||||
root = {
|
root = {
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
config.krebs.users.lass.pubkey
|
config.krebs.users.lass.pubkey
|
||||||
config.krebs.users.lass-uriel.pubkey
|
|
||||||
config.krebs.users.lass-shodan.pubkey
|
config.krebs.users.lass-shodan.pubkey
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@ -37,7 +36,6 @@ with config.krebs.lib;
|
||||||
];
|
];
|
||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
config.krebs.users.lass.pubkey
|
config.krebs.users.lass.pubkey
|
||||||
config.krebs.users.lass-uriel.pubkey
|
|
||||||
config.krebs.users.lass-shodan.pubkey
|
config.krebs.users.lass-shodan.pubkey
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
@ -69,7 +67,7 @@ with config.krebs.lib;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
nix.useChroot = true;
|
nix.useSandbox = true;
|
||||||
|
|
||||||
users.mutableUsers = false;
|
users.mutableUsers = false;
|
||||||
|
|
||||||
|
@ -99,6 +97,7 @@ with config.krebs.lib;
|
||||||
jq
|
jq
|
||||||
parallel
|
parallel
|
||||||
proot
|
proot
|
||||||
|
populate
|
||||||
|
|
||||||
#style
|
#style
|
||||||
most
|
most
|
||||||
|
@ -143,15 +142,6 @@ with config.krebs.lib;
|
||||||
shopt -s histappend histreedit histverify
|
shopt -s histappend histreedit histverify
|
||||||
shopt -s no_empty_cmd_completion
|
shopt -s no_empty_cmd_completion
|
||||||
complete -d cd
|
complete -d cd
|
||||||
|
|
||||||
#fancy colors
|
|
||||||
if [ -e ~/LS_COLORS ]; then
|
|
||||||
eval $(dircolors ~/LS_COLORS)
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -e /etc/nixos/dotfiles/link ]; then
|
|
||||||
/etc/nixos/dotfiles/link
|
|
||||||
fi
|
|
||||||
'';
|
'';
|
||||||
promptInit = ''
|
promptInit = ''
|
||||||
if test $UID = 0; then
|
if test $UID = 0; then
|
||||||
|
|
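--- /dev/null
+++ b/lass/2configs/iodined.nix
@@ -0,0 +1,20 @@
+{ pkgs, config, ... }:
+
+let
+# TODO: make this a parameter
+domain = "io.lassul.us";
+pw = import <secrets/iodinepw.nix>;
+in {
+
+services.iodine.server = {
+enable = true;
+domain = domain;
+ip = "172.16.10.1/24";
+extraConfig = "-c -P ${pw} -l ${config.krebs.build.host.nets.internet.ip4.addr}";
+};
+
+krebs.iptables.tables.filter.INPUT.rules = [
+{ predicate = "-p udp --dport 53"; target = "ACCEPT";}
+];
+
+}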
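Review bot: The iodine password imported from `<secrets/iodinepw.nix>` is interpolated into `extraConfig` as `-P ${pw}`, so it is copied verbatim into the generated systemd unit in the world-readable Nix store and is visible on the daemon's command line to every local user. Keep the secret out of the store: if the pinned nixpkgs' iodine module offers a file-based password option, use that; otherwise start the daemon through a small wrapper that reads the password from a root-only file at service start. A comment such as `# pw is a build-time import; it must not be interpolated into the unit (see above)` next to `pw = import ...` would stop the next maintainer repeating the pattern.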
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
{
|
{
|
||||||
krebs.build.source.nixpkgs.git = {
|
krebs.build.source.nixpkgs.git = {
|
||||||
url = https://github.com/lassulus/nixpkgs;
|
url = https://github.com/nixos/nixpkgs;
|
||||||
ref = "3fb009d94e70f5d1151f4ec239a90d2de1979a74";
|
ref = "354fd3728952c229fee4f2924737c601d7ab4725";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
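--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/iodinepw.nix
@@ -0,0 +1 @@
+"derp"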
@ -1,8 +1,10 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
|
inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
|
||||||
genid
|
genid
|
||||||
|
genid_signed
|
||||||
;
|
;
|
||||||
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
|
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
|
||||||
ssl
|
ssl
|
||||||
|
@ -20,6 +22,25 @@ let
|
||||||
exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
|
exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
check-password = pkgs.writeDash "check-password" ''
|
||||||
|
read pw
|
||||||
|
|
||||||
|
file="/home/$PAM_USER/.shadow"
|
||||||
|
|
||||||
|
#check if shadow file exists
|
||||||
|
test -e "$file" || exit 123
|
||||||
|
|
||||||
|
hash="$(${pkgs.coreutils}/bin/head -1 $file)"
|
||||||
|
salt="$(echo $hash | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"
|
||||||
|
|
||||||
|
calc_hash="$(echo "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S $salt)"
|
||||||
|
if [ "$calc_hash" == $hash ]; then
|
||||||
|
exit 0
|
||||||
|
else
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
'';
|
||||||
|
|
||||||
in {
|
in {
|
||||||
imports = [
|
imports = [
|
||||||
./sqlBackup.nix
|
./sqlBackup.nix
|
||||||
|
@ -122,20 +143,11 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.phpfpm.phpOptions = ''
|
||||||
#services.phpfpm.phpOptions = ''
|
sendmail_path = ${sendmail} -t
|
||||||
# extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
|
upload_max_filesize = 100M
|
||||||
# sendmail_path = ${sendmail} -t
|
post_max_size = 100M
|
||||||
#'';
|
file_uploads = on
|
||||||
services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
|
|
||||||
options = ''
|
|
||||||
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
|
|
||||||
sendmail_path = "${sendmail} -t -i"
|
|
||||||
always_populate_raw_post_data = -1
|
|
||||||
'';
|
|
||||||
} ''
|
|
||||||
cat ${pkgs.php}/etc/php-recommended.ini > $out
|
|
||||||
echo "$options" >> $out
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
# MAIL STUFF
|
# MAIL STUFF
|
||||||
|
@ -143,18 +155,50 @@ in {
|
||||||
services.dovecot2 = {
|
services.dovecot2 = {
|
||||||
enable = true;
|
enable = true;
|
||||||
mailLocation = "maildir:~/Mail";
|
mailLocation = "maildir:~/Mail";
|
||||||
|
sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
|
||||||
|
sslServerKey = "/var/lib/acme/lassul.us/key.pem";
|
||||||
};
|
};
|
||||||
krebs.iptables.tables.filter.INPUT.rules = [
|
krebs.iptables.tables.filter.INPUT.rules = [
|
||||||
{ predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
|
{ predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
|
||||||
{ predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
|
{ predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
|
security.pam.services.exim.text = ''
|
||||||
|
auth required pam_env.so
|
||||||
|
auth sufficient pam_exec.so debug expose_authtok ${check-password}
|
||||||
|
auth sufficient pam_unix.so likeauth nullok
|
||||||
|
auth required pam_deny.so
|
||||||
|
account required pam_unix.so
|
||||||
|
password required pam_cracklib.so retry=3 type=
|
||||||
|
password sufficient pam_unix.so nullok use_authtok md5shadow
|
||||||
|
password required pam_deny.so
|
||||||
|
session required pam_limits.so
|
||||||
|
session required pam_unix.so
|
||||||
|
'';
|
||||||
|
|
||||||
krebs.exim-smarthost = {
|
krebs.exim-smarthost = {
|
||||||
|
authenticators.PLAIN = ''
|
||||||
|
driver = plaintext
|
||||||
|
server_prompts = :
|
||||||
|
server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
|
||||||
|
server_set_id = $auth2
|
||||||
|
'';
|
||||||
|
authenticators.LOGIN = ''
|
||||||
|
driver = plaintext
|
||||||
|
server_prompts = "Username:: : Password::"
|
||||||
|
server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
|
||||||
|
server_set_id = $auth1
|
||||||
|
'';
|
||||||
internet-aliases = [
|
internet-aliases = [
|
||||||
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
|
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
|
||||||
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
|
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
|
||||||
|
{ from = "testuser@lassul.us"; to = "testuser"; }
|
||||||
];
|
];
|
||||||
system-aliases = [
|
system-aliases = [
|
||||||
];
|
];
|
||||||
|
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
|
||||||
|
ssl_key = "/var/lib/acme/lassul.us/key.pem";
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.domsen = {
|
users.users.domsen = {
|
||||||
|
|
|
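Review bot: In the new `check-password` script the comparison `if [ "$calc_hash" == $hash ]` uses `==`, which the dash `test` builtin (this is a `writeDash` script) does not accept, so the branch presumably errors out and the `pam_exec` line never succeeds; write `if [ "$calc_hash" = "$hash" ]` and quote `$file` and `$salt` as well, since an unquoted expansion is word-split. The same script builds `file="/home/$PAM_USER/.shadow"` without rejecting a user name containing `/`, so the path should be validated before `test -e`. The PLAIN and LOGIN authenticators under `krebs.exim-smarthost` carry no `server_advertise_condition`, so they are offered on unencrypted SMTP sessions and credentials travel in the clear; add `server_advertise_condition = ''${if def:tls_in_cipher}` to both. `security.pam.services.exim.text` is also defined by `lass/3modules/usershadow.nix` in this commit, and the two string definitions presumably conflict at evaluation if both modules end up on one host. Once the check works, drop `debug` from `pam_exec.so debug expose_authtok`, as it only increases what is logged about each login attempt.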
@ -167,7 +167,6 @@ rec {
|
||||||
pm.max_spare_servers = 3
|
pm.max_spare_servers = 3
|
||||||
listen.owner = nginx
|
listen.owner = nginx
|
||||||
listen.group = nginx
|
listen.group = nginx
|
||||||
# errors to journal
|
|
||||||
php_admin_value[error_log] = 'stderr'
|
php_admin_value[error_log] = 'stderr'
|
||||||
php_admin_flag[log_errors] = on
|
php_admin_flag[log_errors] = on
|
||||||
catch_workers_output = yes
|
catch_workers_output = yes
|
||||||
|
@ -188,6 +187,7 @@ rec {
|
||||||
error_log /tmp/nginx_err.log;
|
error_log /tmp/nginx_err.log;
|
||||||
error_page 404 /404.html;
|
error_page 404 /404.html;
|
||||||
error_page 500 502 503 504 /50x.html;
|
error_page 500 502 503 504 /50x.html;
|
||||||
|
client_max_body_size 100m;
|
||||||
'';
|
'';
|
||||||
locations = [
|
locations = [
|
||||||
(nameValuePair "/" ''
|
(nameValuePair "/" ''
|
||||||
|
@ -219,7 +219,6 @@ rec {
|
||||||
pm.max_spare_servers = 3
|
pm.max_spare_servers = 3
|
||||||
listen.owner = nginx
|
listen.owner = nginx
|
||||||
listen.group = nginx
|
listen.group = nginx
|
||||||
# errors to journal
|
|
||||||
php_admin_value[error_log] = 'stderr'
|
php_admin_value[error_log] = 'stderr'
|
||||||
php_admin_flag[log_errors] = on
|
php_admin_flag[log_errors] = on
|
||||||
catch_workers_output = yes
|
catch_workers_output = yes
|
||||||
|
|
|
@ -11,7 +11,7 @@ pkgs.writeText "Xresources" ''
|
||||||
! ref https://github.com/muennich/urxvt-perls
|
! ref https://github.com/muennich/urxvt-perls
|
||||||
URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
|
URxvt.perl-lib: ${pkgs.urxvt_perls}/lib/urxvt/perl
|
||||||
URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select
|
URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select
|
||||||
URxvt.url-select.launcher: browser-select
|
URxvt.url-select.launcher: ${config.lass.browser.select}/bin/browser-select
|
||||||
URxvt.url-select.underline: true
|
URxvt.url-select.underline: true
|
||||||
URxvt.keysym.M-u: perl:url-select:select_next
|
URxvt.keysym.M-u: perl:url-select:select_next
|
||||||
URxvt.keysym.M-Escape: perl:keyboard-select:activate
|
URxvt.keysym.M-Escape: perl:keyboard-select:activate
|
||||||
|
|
|
@ -1,13 +1,23 @@
|
||||||
{ config, lib, pkgs, ... }@args:
|
{ config, pkgs, ... }@args:
|
||||||
|
|
||||||
with config.krebs.lib;
|
with config.krebs.lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
# TODO krebs.build.user
|
user = config.krebs.build.user;
|
||||||
user = config.users.users.mainUser;
|
in {
|
||||||
|
|
||||||
|
environment.systemPackages = [
|
||||||
|
pkgs.gitAndTools.qgit
|
||||||
|
pkgs.mpv
|
||||||
|
pkgs.sxiv
|
||||||
|
pkgs.xsel
|
||||||
|
pkgs.zathura
|
||||||
|
];
|
||||||
|
|
||||||
|
fonts.fonts = [
|
||||||
|
pkgs.xlibs.fontschumachermisc
|
||||||
|
];
|
||||||
|
|
||||||
out = {
|
|
||||||
services.xserver = {
|
services.xserver = {
|
||||||
|
enable = true;
|
||||||
display = 11;
|
display = 11;
|
||||||
tty = 11;
|
tty = 11;
|
||||||
|
|
||||||
|
@ -17,45 +27,41 @@ let
|
||||||
accelFactor = "0.035";
|
accelFactor = "0.035";
|
||||||
};
|
};
|
||||||
|
|
||||||
#keyboard stuff
|
|
||||||
layout = "us";
|
layout = "us";
|
||||||
xkbVariant = "altgr-intl";
|
xkbVariant = "altgr-intl";
|
||||||
xkbOptions = "caps:backspace";
|
xkbOptions = "caps:backspace";
|
||||||
};
|
};
|
||||||
|
|
||||||
fonts.fonts = [
|
|
||||||
pkgs.xlibs.fontschumachermisc
|
|
||||||
];
|
|
||||||
|
|
||||||
systemd.services.urxvtd = {
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
reloadIfChanged = true;
|
|
||||||
serviceConfig = {
|
|
||||||
ExecReload = need-reload "urxvtd.service";
|
|
||||||
ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
|
|
||||||
Restart = "always";
|
|
||||||
RestartSec = "2s";
|
|
||||||
StartLimitBurst = 0;
|
|
||||||
User = user.name;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
krebs.per-user.lass.packages = [
|
|
||||||
pkgs.rxvt_unicode_with-plugins
|
|
||||||
];
|
|
||||||
|
|
||||||
systemd.services.display-manager.enable = false;
|
systemd.services.display-manager.enable = false;
|
||||||
|
|
||||||
services.xserver.enable = true;
|
|
||||||
|
|
||||||
systemd.services.xmonad = {
|
systemd.services.xmonad = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
requires = [ "xserver.service" ];
|
requires = [ "xserver.service" ];
|
||||||
environment = xmonad-environment;
|
environment = {
|
||||||
restartIfChanged = true;
|
DISPLAY = ":${toString config.services.xserver.display}";
|
||||||
|
|
||||||
|
XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
|
||||||
|
${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
|
||||||
|
${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args} &
|
||||||
|
${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
|
||||||
|
wait
|
||||||
|
'';
|
||||||
|
|
||||||
|
XMONAD_STATE = "/tmp/xmonad.state";
|
||||||
|
|
||||||
|
# XXX JSON is close enough :)
|
||||||
|
XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
|
||||||
|
"dashboard" # we start here
|
||||||
|
]);
|
||||||
|
};
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${xmonad-start}/bin/xmonad";
|
SyslogIdentifier = "xmonad";
|
||||||
ExecStop = "${xmonad-stop}/bin/xmonad-stop";
|
ExecStart = "${pkgs.xmonad-lass}/bin/xmonad";
|
||||||
|
ExecStop = pkgs.writeScript "xmonad-stop" ''
|
||||||
|
#! /bin/sh
|
||||||
|
${pkgs.xmonad-lass}/bin/xmonad --shutdown
|
||||||
|
${pkgs.coreutils}/bin/sleep 2s
|
||||||
|
'';
|
||||||
User = user.name;
|
User = user.name;
|
||||||
WorkingDirectory = user.home;
|
WorkingDirectory = user.home;
|
||||||
};
|
};
|
||||||
|
@ -68,76 +74,39 @@ let
|
||||||
"acpid.service"
|
"acpid.service"
|
||||||
];
|
];
|
||||||
reloadIfChanged = true;
|
reloadIfChanged = true;
|
||||||
environment = xserver-environment;
|
environment = {
|
||||||
serviceConfig = {
|
|
||||||
ExecReload = need-reload "xserver.service";
|
|
||||||
ExecStart = "${xserver}/bin/xserver";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
xmonad-environment = {
|
|
||||||
DISPLAY = ":${toString config.services.xserver.display}";
|
|
||||||
XMONAD_STATE = "/tmp/xmonad.state";
|
|
||||||
|
|
||||||
# XXX JSON is close enough :)
|
|
||||||
XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
|
|
||||||
"dashboard"
|
|
||||||
]);
|
|
||||||
};
|
|
||||||
|
|
||||||
xmonad-start = pkgs.writeScriptBin "xmonad" ''
|
|
||||||
#! ${pkgs.bash}/bin/bash
|
|
||||||
set -efu
|
|
||||||
export PATH; PATH=${makeSearchPath "bin" ([
|
|
||||||
pkgs.rxvt_unicode
|
|
||||||
] ++ config.environment.systemPackages)}:/var/setuid-wrappers
|
|
||||||
settle() {(
|
|
||||||
# Use PATH for a clean journal
|
|
||||||
command=''${1##*/}
|
|
||||||
PATH=''${1%/*}; export PATH
|
|
||||||
shift
|
|
||||||
until "$command" "$@"; do
|
|
||||||
${pkgs.coreutils}/bin/sleep 1
|
|
||||||
done
|
|
||||||
)&}
|
|
||||||
settle ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
|
|
||||||
settle ${pkgs.xorg.xrdb}/bin/xrdb -merge ${import ./Xresources.nix args}
|
|
||||||
settle ${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c'
|
|
||||||
exec ${pkgs.xmonad-lass}/bin/xmonad
|
|
||||||
'';
|
|
||||||
|
|
||||||
xmonad-stop = pkgs.writeScriptBin "xmonad-stop" ''
|
|
||||||
#! /bin/sh
|
|
||||||
${pkgs.xmonad-lass}/bin/xmonad --shutdown
|
|
||||||
${pkgs.coreutils}/bin/sleep 2s
|
|
||||||
'';
|
|
||||||
|
|
||||||
xserver-environment = {
|
|
||||||
XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
|
XKB_BINDIR = "${pkgs.xorg.xkbcomp}/bin"; # Needed for the Xkb extension.
|
||||||
XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
|
XORG_DRI_DRIVER_PATH = "/run/opengl-driver/lib/dri"; # !!! Depends on the driver selected at runtime.
|
||||||
LD_LIBRARY_PATH = concatStringsSep ":" (
|
LD_LIBRARY_PATH = concatStringsSep ":" (
|
||||||
[ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
|
[ "${pkgs.xorg.libX11}/lib" "${pkgs.xorg.libXext}/lib" ]
|
||||||
++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
|
++ concatLists (catAttrs "libPath" config.services.xserver.drivers));
|
||||||
};
|
};
|
||||||
|
serviceConfig = {
|
||||||
|
SyslogIdentifier = "xserver";
|
||||||
|
ExecReload = "${pkgs.coreutils}/bin/echo NOP";
|
||||||
|
ExecStart = toString [
|
||||||
|
"${pkgs.xorg.xorgserver}/bin/X"
|
||||||
|
":${toString config.services.xserver.display}"
|
||||||
|
"vt${toString config.services.xserver.tty}"
|
||||||
|
"-config ${import ./xserver.conf.nix args}"
|
||||||
|
"-logfile /dev/null -logverbose 0 -verbose 3"
|
||||||
|
"-nolisten tcp"
|
||||||
|
"-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
xserver = pkgs.writeScriptBin "xserver" ''
|
systemd.services.urxvtd = {
|
||||||
#! /bin/sh
|
wantedBy = [ "multi-user.target" ];
|
||||||
set -efu
|
reloadIfChanged = true;
|
||||||
exec ${pkgs.xorg.xorgserver.out}/bin/X \
|
serviceConfig = {
|
||||||
:${toString config.services.xserver.display} \
|
SyslogIdentifier = "urxvtd";
|
||||||
vt${toString config.services.xserver.tty} \
|
ExecReload = "${pkgs.coreutils}/bin/echo NOP";
|
||||||
-config ${import ./xserver.conf.nix args} \
|
ExecStart = "${pkgs.rxvt_unicode}/bin/urxvtd";
|
||||||
-logfile /var/log/X.${toString config.services.xserver.display}.log \
|
Restart = "always";
|
||||||
-nolisten tcp \
|
RestartSec = "2s";
|
||||||
-xkbdir ${pkgs.xkeyboard_config}/etc/X11/xkb \
|
StartLimitBurst = 0;
|
||||||
'';
|
User = user.name;
|
||||||
|
};
|
||||||
need-reload = s: let
|
};
|
||||||
pkg = pkgs.writeScriptBin "need-reload" ''
|
}
|
||||||
#! /bin/sh
|
|
||||||
echo "$*"
|
|
||||||
'';
|
|
||||||
in "${pkg}/bin/need-reload ${s}";
|
|
||||||
|
|
||||||
in out
|
|
||||||
|
|
|
@ -118,5 +118,4 @@
|
||||||
fi
|
fi
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
users.defaultUserShell = "/run/current-system/sw/bin/zsh";
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -3,9 +3,11 @@ _:
|
||||||
imports = [
|
imports = [
|
||||||
./ejabberd
|
./ejabberd
|
||||||
./folderPerms.nix
|
./folderPerms.nix
|
||||||
|
./hosts.nix
|
||||||
./mysql-backup.nix
|
./mysql-backup.nix
|
||||||
./umts.nix
|
./umts.nix
|
||||||
./urxvtd.nix
|
./urxvtd.nix
|
||||||
|
./usershadow.nix
|
||||||
./wordpress_nginx.nix
|
./wordpress_nginx.nix
|
||||||
./xresources.nix
|
./xresources.nix
|
||||||
];
|
];
|
||||||
|
|
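--- /dev/null
+++ b/lass/3modules/hosts.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+
+with config.krebs.lib;
+
+{
+options.lass.hosts = mkOption {
+type = types.attrsOf types.host;
+default =
+filterAttrs (_: host: host.owner.name == "lass")
+config.krebs.hosts;
+};
+}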
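Review bot: The default `filterAttrs (_: host: host.owner.name == "lass") config.krebs.hosts` evaluates `host.owner.name` for every entry, so if any host in `config.krebs.hosts` has no `owner` set the whole evaluation aborts instead of that host being filtered out (whether that can happen depends on how `types.host` declares `owner`, which is not visible here). A tolerant predicate such as `(host.owner.name or null) == "lass"` keeps the filter total when the attribute is absent. The option also lacks a `description`; `description = "subset of krebs.hosts owned by lass";` would document its intent.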
@ -111,7 +111,6 @@ let
|
||||||
pm.max_spare_servers = 3
|
pm.max_spare_servers = 3
|
||||||
listen.owner = ${user}
|
listen.owner = ${user}
|
||||||
listen.group = ${group}
|
listen.group = ${group}
|
||||||
# errors to journal
|
|
||||||
php_admin_value[error_log] = 'stderr'
|
php_admin_value[error_log] = 'stderr'
|
||||||
php_admin_flag[log_errors] = on
|
php_admin_flag[log_errors] = on
|
||||||
catch_workers_output = yes
|
catch_workers_output = yes
|
||||||
|
|
|
@ -41,10 +41,6 @@ let
|
||||||
|
|
||||||
wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
|
wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
|
||||||
|
|
||||||
#modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09";
|
|
||||||
modem-device = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0";
|
|
||||||
|
|
||||||
# TODO: currently it is only netzclub
|
|
||||||
umts-bin = pkgs.writeScriptBin "umts" ''
|
umts-bin = pkgs.writeScriptBin "umts" ''
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
set -euf
|
set -euf
|
||||||
|
|
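--- /dev/null
+++ b/lass/3modules/usershadow.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+
+cfg = config.lass.usershadow;
+
+out = {
+options.lass.usershadow = api;
+config = lib.mkIf cfg.enable imp;
+};
+
+api = {
+enable = mkEnableOption "usershadow";
+pattern = mkOption {
+type = types.str;
+default = "/home/%/.shadow";
+};
+};
+
+imp = {
+environment.systemPackages = [ usershadow ];
+security.pam.services.sshd.text = ''
+auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+auth required pam_permit.so
+account required pam_permit.so
+session required pam_permit.so
+'';
+
+security.pam.services.exim.text = ''
+auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+auth required pam_permit.so
+account required pam_permit.so
+session required pam_permit.so
+'';
+};
+
+usershadow = let {
+deps = [
+"pwstore-fast"
+"bytestring"
+];
+body = pkgs.writeHaskell "passwords" {
+executables.verify = {
+extra-depends = deps;
+text = ''
+import Data.Monoid
+import System.IO
+import Data.Char (chr)
+import System.Environment (getEnv, getArgs)
+import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+import qualified Data.ByteString.Char8 as BS8
+import System.Exit (exitFailure, exitSuccess)
+
+main :: IO ()
+main = do
+user <- getEnv "PAM_USER"
+shadowFilePattern <- head <$> getArgs
+let shadowFile = lhs <> user <> tail rhs
+(lhs, rhs) = span (/= '%') shadowFilePattern
+hash <- readFile shadowFile
+password <- takeWhile (/= (chr 0)) <$> hGetLine stdin
+let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+if res then exitSuccess else exitFailure
+'';
+};
+executables.passwd = {
+extra-depends = deps;
+text = ''
+import System.Environment (getEnv)
+import Crypto.PasswordStore (makePasswordWith, pbkdf2)
+import qualified Data.ByteString.Char8 as BS8
+import System.IO (stdin, hSetEcho, putStr)
+
+main :: IO ()
+main = do
+home <- getEnv "HOME"
+putStr "password:"
+hSetEcho stdin False
+password <- BS8.hGetLine stdin
+hash <- makePasswordWith pbkdf2 password 10
+BS8.writeFile (home ++ "/.shadow") hash
+'';
+};
+};
+};
+
+in out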
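Review bot: `verify` splices `PAM_USER` into the shadow pattern (`lhs <> user <> tail rhs`) without rejecting names that contain `/` or `..`, so a crafted user name makes it read a file outside the intended directory; refuse such names before `readFile`, e.g. `if any (== '/') user then exitFailure else return ()`. `passwd` creates `~/.shadow` with `BS8.writeFile`, which applies the process umask (commonly leaving the file world-readable), never restores echo after `hSetEcho stdin False`, and prints the prompt without `hFlush stdout`; set the mode to 0600 with `setFileMode` from `System.Posix.Files` and re-enable echo after reading. A PBKDF2 strength of `10` means 2^10 iterations if pwstore-fast's strength parameter is the log2 of the iteration count, which is low for a password hash. Replacing the account stack with `account required pam_permit.so` also bypasses the usual account checks (locked or expired accounts) for sshd and exim; confirm that is intended and note it next to the stanza. The `pattern` option has no `description`, and `security.pam.services.exim.text` is also set by the websites config in this commit, which presumably conflicts if both modules are enabled on one host.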
@ -154,7 +154,6 @@ let
|
||||||
pm.max_spare_servers = 3
|
pm.max_spare_servers = 3
|
||||||
listen.owner = ${user}
|
listen.owner = ${user}
|
||||||
listen.group = ${group}
|
listen.group = ${group}
|
||||||
# errors to journal
|
|
||||||
php_admin_value[error_log] = 'stderr'
|
php_admin_value[error_log] = 'stderr'
|
||||||
php_admin_flag[log_errors] = on
|
php_admin_flag[log_errors] = on
|
||||||
catch_workers_output = yes
|
catch_workers_output = yes
|
||||||
|
|
|
@ -9,7 +9,7 @@ pkgs.writeHaskell "xmonad-lass" {
|
||||||
"xmonad-contrib"
|
"xmonad-contrib"
|
||||||
"xmonad-stockholm"
|
"xmonad-stockholm"
|
||||||
];
|
];
|
||||||
text = ''
|
text = /* haskell */ ''
|
||||||
{-# LANGUAGE DeriveDataTypeable #-} -- for XS
|
{-# LANGUAGE DeriveDataTypeable #-} -- for XS
|
||||||
{-# LANGUAGE FlexibleContexts #-} -- for xmonad'
|
{-# LANGUAGE FlexibleContexts #-} -- for xmonad'
|
||||||
{-# LANGUAGE LambdaCase #-}
|
{-# LANGUAGE LambdaCase #-}
|
||||||
|
@ -24,6 +24,7 @@ import Control.Exception
|
||||||
import Data.List (isInfixOf)
|
import Data.List (isInfixOf)
|
||||||
import System.Environment (getArgs, withArgs, getEnv)
|
import System.Environment (getArgs, withArgs, getEnv)
|
||||||
import System.IO (hPutStrLn, stderr)
|
import System.IO (hPutStrLn, stderr)
|
||||||
|
import System.Posix.Process (executeFile)
|
||||||
import Text.Read (readEither)
|
import Text.Read (readEither)
|
||||||
import XMonad.Actions.CopyWindow (copy, kill1)
|
import XMonad.Actions.CopyWindow (copy, kill1)
|
||||||
import XMonad.Actions.CycleWS (toggleWS)
|
import XMonad.Actions.CycleWS (toggleWS)
|
||||||
|
@ -41,12 +42,13 @@ import XMonad.Layout.Minimize (minimize, minimizeWindow, MinimizeMsg(RestoreNext
|
||||||
import XMonad.Layout.NoBorders (smartBorders)
|
import XMonad.Layout.NoBorders (smartBorders)
|
||||||
import XMonad.Prompt (autoComplete, searchPredicate, XPConfig)
|
import XMonad.Prompt (autoComplete, searchPredicate, XPConfig)
|
||||||
import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
|
import XMonad.Prompt.Window (windowPromptGoto, windowPromptBringCopy)
|
||||||
import XMonad.Stockholm.Shutdown (sendShutdownEvent, handleShutdownEvent)
|
|
||||||
import XMonad.Util.EZConfig (additionalKeysP)
|
import XMonad.Util.EZConfig (additionalKeysP)
|
||||||
|
import XMonad.Layout.SimpleFloat (simpleFloat)
|
||||||
|
|
||||||
|
import XMonad.Stockholm.Shutdown
|
||||||
|
|
||||||
myTerm :: String
|
urxvtcPath :: FilePath
|
||||||
myTerm = "${pkgs.rxvt_unicode}/bin/urxvtc"
|
urxvtcPath = "${pkgs.rxvt_unicode}/bin/urxvtc"
|
||||||
|
|
||||||
myFont :: String
|
myFont :: String
|
||||||
myFont = "-schumacher-*-*-*-*-*-*-*-*-*-*-*-iso10646-*"
|
myFont = "-schumacher-*-*-*-*-*-*-*-*-*-*-*-iso10646-*"
|
||||||
|
@ -62,12 +64,14 @@ mainNoArgs = do
|
||||||
xmonad'
|
xmonad'
|
||||||
$ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
|
$ withUrgencyHook (SpawnUrgencyHook "echo emit Urgency ")
|
||||||
$ def
|
$ def
|
||||||
{ terminal = myTerm
|
{ terminal = urxvtcPath
|
||||||
, modMask = mod4Mask
|
, modMask = mod4Mask
|
||||||
, workspaces = workspaces0
|
, workspaces = workspaces0
|
||||||
, layoutHook = smartBorders $ myLayoutHook
|
, layoutHook = smartBorders $ myLayoutHook
|
||||||
, manageHook = placeHook (smart (1,0)) <+> floatNextHook
|
, manageHook = placeHook (smart (1,0)) <+> floatNextHook
|
||||||
, startupHook = spawn "echo emit XMonadStartup"
|
, startupHook = do
|
||||||
|
path <- liftIO (getEnv "XMONAD_STARTUP_HOOK")
|
||||||
|
forkFile path [] Nothing
|
||||||
, normalBorderColor = "#1c1c1c"
|
, normalBorderColor = "#1c1c1c"
|
||||||
, focusedBorderColor = "#f000b0"
|
, focusedBorderColor = "#f000b0"
|
||||||
, handleEventHook = handleShutdownEvent
|
, handleEventHook = handleShutdownEvent
|
||||||
|
@ -75,7 +79,7 @@ mainNoArgs = do
|
||||||
|
|
||||||
myLayoutHook = defLayout
|
myLayoutHook = defLayout
|
||||||
where
|
where
|
||||||
defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1)
|
defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1) ||| simpleFloat
|
||||||
|
|
||||||
|
|
||||||
xmonad' :: (LayoutClass l Window, Read (l Window)) => XConfig l -> IO ()
|
xmonad' :: (LayoutClass l Window, Read (l Window)) => XConfig l -> IO ()
|
||||||
|
@ -83,7 +87,7 @@ xmonad' conf = do
|
||||||
path <- getEnv "XMONAD_STATE"
|
path <- getEnv "XMONAD_STATE"
|
||||||
try (readFile path) >>= \case
|
try (readFile path) >>= \case
|
||||||
Right content -> do
|
Right content -> do
|
||||||
hPutStrLn stderr ("resuming from " ++ path ++ "; state = " ++ show content)
|
hPutStrLn stderr ("resuming from " ++ path)
|
||||||
withArgs ("--resume" : lines content) (xmonad conf)
|
withArgs ("--resume" : lines content) (xmonad conf)
|
||||||
Left e -> do
|
Left e -> do
|
||||||
hPutStrLn stderr (displaySomeException e)
|
hPutStrLn stderr (displaySomeException e)
|
||||||
|
@ -107,7 +111,7 @@ displaySomeException = displayException
|
||||||
|
|
||||||
myKeyMap :: [([Char], X ())]
|
myKeyMap :: [([Char], X ())]
|
||||||
myKeyMap =
|
myKeyMap =
|
||||||
[ ("M4-<F11>", spawn "i3lock -i /var/lib/wallpaper/wallpaper -f")
|
[ ("M4-<F11>", spawn "${pkgs.i3lock}/bin/i3lock -i /var/lib/wallpaper/wallpaper -f")
|
||||||
, ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
|
, ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")
|
||||||
, ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 +4%")
|
, ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 +4%")
|
||||||
, ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 -4%")
|
, ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 -4%")
|
||||||
|
@ -123,8 +127,8 @@ myKeyMap =
|
||||||
, ("M4-S-<Backspace>", removeEmptyWorkspace)
|
, ("M4-S-<Backspace>", removeEmptyWorkspace)
|
||||||
, ("M4-S-c", kill1)
|
, ("M4-S-c", kill1)
|
||||||
, ("M4-<Esc>", toggleWS)
|
, ("M4-<Esc>", toggleWS)
|
||||||
, ("M4-S-<Enter>", spawn myTerm)
|
, ("M4-S-<Enter>", spawn urxvtcPath)
|
||||||
, ("M4-x", floatNext True >> spawn myTerm)
|
, ("M4-x", floatNext True >> spawn urxvtcPath)
|
||||||
, ("M4-f", floatNext True)
|
, ("M4-f", floatNext True)
|
||||||
, ("M4-b", sendMessage ToggleStruts)
|
, ("M4-b", sendMessage ToggleStruts)
|
||||||
|
|
||||||
|
@ -141,6 +145,10 @@ myKeyMap =
|
||||||
, ("M4-S-q", return ())
|
, ("M4-S-q", return ())
|
||||||
]
|
]
|
||||||
|
|
||||||
|
forkFile :: FilePath -> [String] -> Maybe [(String, String)] -> X ()
|
||||||
|
forkFile path args env =
|
||||||
|
xfork (executeFile path False args env) >> return ()
|
||||||
|
|
||||||
autoXPConfig :: XPConfig
|
autoXPConfig :: XPConfig
|
||||||
autoXPConfig = def
|
autoXPConfig = def
|
||||||
{ autoComplete = Just 5000
|
{ autoComplete = Just 5000
|
||||||
|
@ -159,8 +167,6 @@ gridConfig = def
|
||||||
, gs_navigate = navNSearch
|
, gs_navigate = navNSearch
|
||||||
, gs_font = myFont
|
, gs_font = myFont
|
||||||
}
|
}
|
||||||
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1,6 +1,10 @@
|
||||||
let
|
let
|
||||||
lib = import <nixpkgs/lib> // builtins // {
|
lib = import <nixpkgs/lib> // builtins // {
|
||||||
shell = import ./shell.nix { inherit lib; };
|
shell = import ./shell.nix { inherit lib; };
|
||||||
|
|
||||||
|
eq = x: y: x == y;
|
||||||
|
ne = x: y: x != y;
|
||||||
|
mod = x: y: x - y * (x / y);
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
|
|
||||||
|
|
|
@ -24,7 +24,7 @@ with config.krebs.lib;
|
||||||
# stockholm
|
# stockholm
|
||||||
gnumake
|
gnumake
|
||||||
hashPassword
|
hashPassword
|
||||||
haskellPackages.lentil
|
#haskellPackages.lentil
|
||||||
parallel
|
parallel
|
||||||
(pkgs.writeBashBin "im" ''
|
(pkgs.writeBashBin "im" ''
|
||||||
export PATH=${makeSearchPath "bin" (with pkgs; [
|
export PATH=${makeSearchPath "bin" (with pkgs; [
|
||||||
|
@ -60,7 +60,7 @@ with config.krebs.lib;
|
||||||
pass
|
pass
|
||||||
q
|
q
|
||||||
qrencode
|
qrencode
|
||||||
texLive
|
#texLive
|
||||||
tmux
|
tmux
|
||||||
|
|
||||||
#ack
|
#ack
|
||||||
|
@ -138,6 +138,11 @@ with config.krebs.lib;
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||||
};
|
};
|
||||||
|
"/bku" = {
|
||||||
|
device = "/dev/mapper/xuvga-bku";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||||
|
};
|
||||||
"/home" = {
|
"/home" = {
|
||||||
device = "/dev/mapper/xuvga-home";
|
device = "/dev/mapper/xuvga-home";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
|
|
|
@ -14,7 +14,7 @@ with config.krebs.lib;
|
||||||
stockholm.file = "/home/tv/stockholm";
|
stockholm.file = "/home/tv/stockholm";
|
||||||
nixpkgs.git = {
|
nixpkgs.git = {
|
||||||
url = https://github.com/NixOS/nixpkgs;
|
url = https://github.com/NixOS/nixpkgs;
|
||||||
ref = "2568ee3d73bdebd6bab6739adf8a900f3429c8e6";
|
ref = "354fd3728952c229fee4f2924737c601d7ab4725";
|
||||||
};
|
};
|
||||||
} // optionalAttrs host.secure {
|
} // optionalAttrs host.secure {
|
||||||
secrets-master.file = "/home/tv/secrets/master";
|
secrets-master.file = "/home/tv/secrets/master";
|
||||||
|
@ -37,6 +37,7 @@ with config.krebs.lib;
|
||||||
# stockholm dependencies
|
# stockholm dependencies
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
git
|
git
|
||||||
|
populate
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
|
@ -53,6 +54,7 @@ with config.krebs.lib;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
|
security.hideProcessInformation = true;
|
||||||
security.sudo.extraConfig = ''
|
security.sudo.extraConfig = ''
|
||||||
Defaults env_keep+="SSH_CLIENT"
|
Defaults env_keep+="SSH_CLIENT"
|
||||||
Defaults mailto="${config.krebs.users.tv.mail}"
|
Defaults mailto="${config.krebs.users.tv.mail}"
|
||||||
|
@ -63,13 +65,13 @@ with config.krebs.lib;
|
||||||
|
|
||||||
{
|
{
|
||||||
# TODO check if both are required:
|
# TODO check if both are required:
|
||||||
nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
|
nix.sandboxPaths = [ "/etc/protocols" pkgs.iana_etc.outPath ];
|
||||||
|
|
||||||
nix.requireSignedBinaryCaches = true;
|
nix.requireSignedBinaryCaches = true;
|
||||||
|
|
||||||
nix.binaryCaches = ["https://cache.nixos.org"];
|
nix.binaryCaches = ["https://cache.nixos.org"];
|
||||||
|
|
||||||
nix.useChroot = true;
|
nix.useSandbox = true;
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
nixpkgs.config.allowUnfree = false;
|
nixpkgs.config.allowUnfree = false;
|
||||||
|
|
|
@ -5,7 +5,7 @@
|
||||||
../smartd.nix
|
../smartd.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.loader.gummiboot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
boot.loader.efi.canTouchEfiVariables = true;
|
boot.loader.efi.canTouchEfiVariables = true;
|
||||||
|
|
||||||
networking.wireless.enable = true;
|
networking.wireless.enable = true;
|
||||||
|
@ -13,6 +13,8 @@
|
||||||
# Required for Centrino.
|
# Required for Centrino.
|
||||||
hardware.enableAllFirmware = true;
|
hardware.enableAllFirmware = true;
|
||||||
|
|
||||||
|
hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
|
||||||
|
|
||||||
hardware.trackpoint = {
|
hardware.trackpoint = {
|
||||||
enable = true;
|
enable = true;
|
||||||
sensitivity = 220;
|
sensitivity = 220;
|
||||||
|
@ -41,6 +43,5 @@
|
||||||
|
|
||||||
services.xserver = {
|
services.xserver = {
|
||||||
videoDriver = "intel";
|
videoDriver = "intel";
|
||||||
vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
@ -1,10 +1,10 @@
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
{
|
{
|
||||||
environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} ''
|
#environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} ''
|
||||||
${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out '
|
# ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out '
|
||||||
s:^NROFF\t.*:& -Wbreak:
|
# s:^NROFF\t.*:& -Wbreak:
|
||||||
'
|
# '
|
||||||
'';
|
#'';
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
manpages
|
manpages
|
||||||
posix_man_pages
|
posix_man_pages
|
||||||
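Review bot: The whole `environment.etc."man.conf".source = pkgs.runCommand …` block is commented out rather than removed, and nothing in the hunk or the commit says why. A configuration module is the wrong place for dead code: the next reader cannot tell whether the override broke, was superseded by the package, or is meant to return. Either delete the five lines (the history keeps them) or put the reason on the first one, e.g. `# man.conf override disabled: <reason>`.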
@ -31,6 +31,7 @@ with config.krebs.lib;
|
||||||
|
|
||||||
## other
|
## other
|
||||||
|
|
||||||
|
https://nixos.org/channels/nixos-16.09/git-revision
|
||||||
https://nixos.org/channels/nixos-unstable/git-revision
|
https://nixos.org/channels/nixos-unstable/git-revision
|
||||||
|
|
||||||
## 2014-10-17
|
## 2014-10-17
|
||||||
@ -21,7 +21,7 @@ let
|
||||||
src = pkgs.fetchgit {
|
src = pkgs.fetchgit {
|
||||||
url = https://github.com/vito-c/jq.vim;
|
url = https://github.com/vito-c/jq.vim;
|
||||||
rev = "99d55a300047946a82ecdd7617323a751199ad2d";
|
rev = "99d55a300047946a82ecdd7617323a751199ad2d";
|
||||||
sha256 = "00mmwg4swwmllknzzx07af080lcy7y5i6341rc6c08i2vka48nv9";
|
sha256 = "09c94nah47wx0cr556w61h6pfznxld18pfblc3nv51ivbw7cjqyx";
|
||||||
};
|
};
|
||||||
})
|
})
|
||||||
(pkgs.vimUtils.buildVimPlugin {
|
(pkgs.vimUtils.buildVimPlugin {
|
||||||
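Review bot: The `sha256` of the jq.vim `fetchgit` changes from `00mmwg4…` to `09c94na…` while `rev` stays at `99d55a30…`, and neither the hunk nor the commit records why. For a fixed-output fetch, a hash change at an unchanged revision is exactly the signal a pinned-dependency review should stop on, because on its own it is indistinguishable from a silently different tree being accepted. The benign explanation is presumably the nixpkgs `ref` bump elsewhere in this commit changing fetchgit's output; I cannot confirm that from here. Note it beside the line, e.g. `# sha256 re-prefetched after the nixpkgs bump; rev unchanged`, so the next reader does not have to re-derive it. The enclosing `let` block starts outside the hunk.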
@ -178,6 +178,11 @@ in
|
||||||
pkgs.writeBashBin "q" ''
|
pkgs.writeBashBin "q" ''
|
||||||
set -eu
|
set -eu
|
||||||
export PATH=/var/empty
|
export PATH=/var/empty
|
||||||
|
(${q-todo}) || :
|
||||||
|
if [ "$PWD" != "$HOME" ]; then
|
||||||
|
(HOME=$PWD; ${q-todo}) || :
|
||||||
|
fi
|
||||||
|
echo
|
||||||
${q-cal}
|
${q-cal}
|
||||||
echo
|
echo
|
||||||
${q-isodate}
|
${q-isodate}
|
||||||
|
@ -189,8 +194,4 @@ pkgs.writeBashBin "q" ''
|
||||||
(${q-online}) &
|
(${q-online}) &
|
||||||
(${q-thermal_zone}) &
|
(${q-thermal_zone}) &
|
||||||
wait
|
wait
|
||||||
${q-todo}
|
|
||||||
if [ "$PWD" != "$HOME" ]; then
|
|
||||||
(HOME=$PWD; ${q-todo})
|
|
||||||
fi
|
|
||||||
''
|
''
|
||||||
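Review bot: The new `(${q-todo}) || :` and `(HOME=$PWD; ${q-todo}) || :` lines deliberately switch off the `set -eu` declared two lines earlier for the todo step, whereas the same commands ran unguarded at the end of the script before this change; a failing todo command is now silent and the rest of `q` carries on. That is a reasonable choice for a status dashboard, but it is a behaviour change and deserves a one-line comment above the first call, e.g. `# q-todo is best-effort: a failure must not abort the rest of q`. The second hunk (`@ -189,8 +194,4`) is the matching deletion of the old unguarded calls and needs nothing further. The `writeBashBin "q"` string starts in the first hunk's context and closes at `''` in the second; the surrounding `let … in` starts outside both.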