makefu/stockholm
1
0
Fork 0
Code Issues Pull requests Actions1 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/staging/jeschli'

Browse source
This commit is contained in:
jeschli 2018-06-19 09:52:04 +02:00
parent 2a3f60d6fb 8eca9165ce
commit 324a8615f1
199 changed files with 2649 additions and 1880 deletions
jeschli
1systems/bln
config.nixdcso-vpn.nixhardware-configuration.nix
2configs
xserver
Xresources.nixdefault.nix
zsh.nix
5pkgs/simple/xmonad-jeschli
default.nix
krebs
0tests
data
secrets
grafana_security.nixhashedPasswords.nixretiolum.rsa_key.privshackspace-gitlab-ci-token.nixssh.id_ed25519
test-config.nixtest-source.nix
default.nixdeploy.nix
1systems
hope
config.nixsource.nix
hotdog
config.nix
onebutton
config.nixsource.nix
2configs
buildbot-all.nixbuildbot-krebs.nixbuildbot-stockholm.nixdefault.nixnews-spam.nixnews.nixreaktor-krebs.nixreaktor-retiolum.nix
shack
worlddomination.nix
3modules
ci.nixdefault.nix
krebs
default.nix
lass
default.nix
pgp
blue.pgpicarus.pgp
ssh
blue.rsa
makefu
default.nix
newsbot-js.nix
tv
default.nix
5pkgs/simple
Reaktor
plugins.nix
buildbot-classic
default.nix
ejabberd
default.nixejabberdctl.patch
generate-secrets
default.nix
kops.nixkrops.nix
painload
default.nix
pssh
default.nix
repo-sync
default.nix
retiolum-bootstrap
default.nix
thesauron
default.nix
ucspi-tcp
chmod.patchdefault.nix
urlwatch
default.nix
krops.nixsource.nix
lass
1systems
blue
config.nixphysical.nixsource.nix
cabal
config.nixphysical.nix
daedalus
config.nixphysical.nix
dishfire
config.nixphysical.nix
echelon
config.nix
helios
config.nixphysical.nix
icarus
config.nixphysical.nix
littleT
config.nixphysical.nix
mors
config.nixphysical.nix
prism
config.nixphysical.nix
red
config.nixphysical.nixsource.nix
shodan
config.nixphysical.nix
skynet
config.nixphysical.nix
uriel
config.nixphysical.nix
xerxes
config.nixphysical.nixsource.nix
2configs
AP.nixIM.nixbackup.nixbackups.nixbaseX.nixbitcoin.nixbitlbee.nixblue-host.nixblue.nixcontainer-networking.nixdcso-dev.nix
Show more

62
jeschli/1systems/bln/config.nix
View file

@ -1,16 +1,32 @@
{ config, lib, pkgs, ... }:
# bln config file
{
imports =
[ <stockholm/jeschli>
<stockholm/jeschli/2configs/virtualbox.nix>
<stockholm/jeschli/2configs/urxvt.nix>
<stockholm/jeschli/2configs/emacs.nix>
./hardware-configuration.nix
];
imports = [
./hardware-configuration.nix
<stockholm/jeschli>
<stockholm/jeschli/2configs/virtualbox.nix>
<stockholm/jeschli/2configs/urxvt.nix>
<stockholm/jeschli/2configs/emacs.nix>
<stockholm/jeschli/2configs/xdg.nix>
<stockholm/jeschli/2configs/xserver>
];
boot.loader.systemd-boot.enable = true;
# boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.efi.efiSysMountPoint = "/boot";
boot.loader.grub = {
devices = [ "nodev" ];
efiSupport = true;
enable = true;
extraEntries = ''
menuentry "Debian" {
insmod ext2
insmod chain
chainloader /EFI/debian/grubx64.efi
}
'';
version = 2;
};
jeschliFontSize = 20;
@ -54,7 +70,6 @@
sqlite
# internet
thunderbird
hipchat
chromium
google-chrome
# programming languages
@ -92,18 +107,17 @@
services.printing.drivers = [ pkgs.postscript-lexmark ];
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.windowManager.xmonad.enable = true;
services.xserver.windowManager.xmonad.enableContribAndExtras = true;
services.xserver.displayManager.sddm.enable = true;
services.xserver.dpi = 100;
fonts.fontconfig.dpi = 100;
# services.xserver.windowManager.xmonad.enable = true;
# services.xserver.windowManager.xmonad.enableContribAndExtras = true;
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.dpi = 100;
# fonts.fontconfig.dpi = 100;
users.extraUsers.jeschli = {
isNormalUser = true;
extraGroups = ["docker" "vboxusers"];
extraGroups = ["docker" "vboxusers" "audio"];
uid = 1000;
};
@ -123,15 +137,17 @@
# DCSO Certificates
security.pki.certificateFiles = [
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "006j61q2z44z6d92638iin6r46r4cj82ipwm37784h34i5x4mp0d"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "1nkd1rjcn02q9xxjg7sw79lbwy08i7hb4v4pn98djknvcmplpz5m"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "094m12npglnnv1nf1ijcv70p8l15l00id44qq7rwynhcgxi5539i"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "1anfncdf5xsp219kryncv21ra87flpzcjwcc85hzvlwbxhid3g4x"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "035kkfizyl5dndj7rhvmy91rr75lakqbqgjx4dpiw0kqq369mz8r"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "14fpzx1qjs9ws9sz0y7pb6j40336xlckkqcm2rc5j86yn7r22lp7"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "1yjl3kyw4chc8vw7bnqac2h9vn8dxryw7lr7i03lqi9sdvs4108s"; })
];
hardware.bluetooth.enable = true;
krebs.build.host = config.krebs.hosts.bln;
}

44
jeschli/1systems/bln/dcso-vpn.nix Normal file
View file

@ -0,0 +1,44 @@
with import <stockholm/lib>;
{ ... }:
{
users.extraUsers = {
dcsovpn = rec {
name = "dcsovpn";
uid = genid "dcsovpn";
description = "user for running dcso openvpn";
home = "/home/${name}";
};
};
users.extraGroups.dcsovpn.gid = genid "dcsovpn";
services.openvpn.servers = {
dcso = {
config = ''
client
dev tun
tun-mtu 1356
mssfix
proto udp
float
remote 217.111.55.41 1194
nobind
user dcsovpn
group dcsovpn
persist-key
persist-tun
ca ${toString <secrets/dcsovpn/ca.pem>}
cert ${toString <secrets/dcsovpn/cert.pem>}
key ${toString <secrets/dcsovpn/cert.key>}
verb 3
mute 20
auth-user-pass ${toString <secrets/dcsovpn/login.txt>}
route-method exe
route-delay 2
'';
updateResolvConf = true;
};
};
}

2
jeschli/1systems/bln/hardware-configuration.nix
View file

@ -30,4 +30,6 @@
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = "powersave";
hardware.pulseaudio.enable = true;
}

4
jeschli/2configs/xserver/Xresources.nix
View file

@ -3,6 +3,10 @@
with import <stockholm/lib>;
pkgs.writeText "Xresources" /* xdefaults */ ''
Xcursor.theme: aero-large-drop
Xcursor.size: 128
Xft.dpi: 144
URxvt*cutchars: "\\`\"'&()*,;<=>?@[]^{|}"
URxvt*eightBitInput: false
URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1

3
jeschli/2configs/xserver/default.nix
View file

@ -43,7 +43,10 @@ in {
enable = true;
display = 11;
tty = 11;
dpi = 200;
videoDrivers = [ "nvidia" ];
synaptics = {
enable = true;
twoFingerScroll = true;

4
jeschli/2configs/zsh.nix
View file

@ -53,8 +53,8 @@
eval $(dircolors -b ${pkgs.fetchFromGitHub {
owner = "trapd00r";
repo = "LS_COLORS";
rev = "master";
sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp";
rev = "a75fca8545f91abb8a5f802981033ef54bf1eac0";
sha256="1lzj0qnj89mzh76ha137mnz2hf86k278rh0y9x124ghxj9yqsnb4";
}}/LS_COLORS)
#beautiful colors

5
jeschli/5pkgs/simple/xmonad-jeschli/default.nix
View file

@ -87,7 +87,8 @@ mainNoArgs = do
-- , handleEventHook = myHandleEventHooks <+> handleTimerEvent
--, handleEventHook = handleTimerEvent
, manageHook = placeHook (smart (1,0)) <+> floatNextHook
, startupHook =
, startupHook = do
setWMName "LG3D"
whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK"))
(\path -> forkFile path [] Nothing) <+> setWMName "LG3D"
, normalBorderColor = "#1c1c1c"
@ -221,7 +222,7 @@ myKeys conf = Map.fromList $
pagerConfig :: PagerConfig
pagerConfig = def
{ pc_font = myFont
, pc_cellwidth = 64
, pc_cellwidth = 256
--, pc_cellheight = 36 -- TODO automatically keep screen aspect
--, pc_borderwidth = 1
--, pc_matchcolor = "#f0b000"

0
krebs/6tests/data/secrets/grafana_security.nix → krebs/0tests/data/secrets/grafana_security.nix
View file

0
krebs/6tests/data/secrets/hashedPasswords.nix → krebs/0tests/data/secrets/hashedPasswords.nix
View file

0
krebs/6tests/data/secrets/retiolum.rsa_key.priv → krebs/0tests/data/secrets/retiolum.rsa_key.priv
View file

0
krebs/6tests/data/secrets/shackspace-gitlab-ci-token.nix → krebs/0tests/data/secrets/shackspace-gitlab-ci-token.nix
View file

0
krebs/6tests/data/secrets/ssh.id_ed25519 → krebs/0tests/data/secrets/ssh.id_ed25519
View file

0
krebs/6tests/data/test-config.nix → krebs/0tests/data/test-config.nix
View file

0
krebs/6tests/data/test-source.nix → krebs/0tests/data/test-source.nix
View file

0
krebs/6tests/default.nix → krebs/0tests/default.nix
View file

2
krebs/6tests/deploy.nix → krebs/0tests/deploy.nix
View file

@ -3,7 +3,7 @@ import <nixpkgs/nixos/tests/make-test.nix> ({ ... }:
let
pkgs = import <nixpkgs> { overlays = [(import ../5pkgs)]; };
test-config = <stockholm/krebs/6tests/data/test-config.nix>;
test-config = <stockholm/krebs/0tests/data/test-config.nix>;
privKey = ''
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW

41
krebs/1systems/hope/config.nix
View file

@ -1,41 +0,0 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
ip = config.krebs.build.host.nets.internet.ip4.addr;
bestGuessGateway = addr: elemAt (match "(.*)(\.[^.])" addr) 0 + ".1";
in {
imports = [
<stockholm/krebs>
<stockholm/krebs/2configs>
<stockholm/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix>
<stockholm/krebs/2configs/secret-passwords.nix>
{
users.extraUsers = {
satan = {
name = "satan";
uid = 1338;
home = "/home/satan";
group = "users";
createHome = true;
useDefaultShell = true;
initialPassword = "test";
};
};
}
];
krebs.build.host = config.krebs.hosts.hope;
networking = let
address = config.krebs.build.host.nets.internet.ip4.addr;
in {
defaultGateway = bestGuessGateway address;
interfaces.enp2s1.ip4 = singleton {
inherit address;
prefixLength = 24;
};
nameservers = ["8.8.8.8"];
};
}

3
krebs/1systems/hope/source.nix
View file

@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "hope";
}

5
krebs/1systems/hotdog/config.nix
View file

@ -9,16 +9,17 @@
<stockholm/krebs>
<stockholm/krebs/2configs>
<stockholm/krebs/2configs/buildbot-all.nix>
<stockholm/krebs/2configs/buildbot-stockholm.nix>
<stockholm/krebs/2configs/gitlab-runner-shackspace.nix>
<stockholm/krebs/2configs/binary-cache/nixos.nix>
<stockholm/krebs/2configs/ircd.nix>
<stockholm/krebs/2configs/reaktor-retiolum.nix>
<stockholm/krebs/2configs/reaktor-krebs.nix>
];
krebs.build.host = config.krebs.hosts.hotdog;
boot.isContainer = true;
networking.useDHCP = false;
krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm";
environment.variables.NIX_REMOTE = "daemon";
}

48
krebs/1systems/onebutton/config.nix Normal file
View file

@ -0,0 +1,48 @@
{ config, pkgs, lib, ... }:
{
# :l <nixpkgs>
# builtins.readDir (pkgs.fetchFromGitHub { owner = "nixos"; repo = "nixpkgs-channels"; rev = "6c064e6b"; sha256 = "1rqzh475xn43phagrr30lb0fd292c1s8as53irihsnd5wcksnbyd"; })
imports = [
<stockholm/krebs>
<stockholm/krebs/2configs>
{ # flag to rebuild everything yourself:
# environment.noXlibs = true;
# minimal disk usage
nix.gc.automatic = true;
nix.gc.dates = "03:10";
documentation.man.enable = false;
documentation.info.enable = false;
services.nixosManual.enable = false;
services.journald.extraConfig = "SystemMaxUse=50M";
}
];
krebs.build.host = config.krebs.hosts.onebutton;
# NixOS wants to enable GRUB by default
boot.loader.grub.enable = false;
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_rpi;
nix.binaryCaches = [ "http://nixos-arm.dezgeg.me/channel" ];
nix.binaryCachePublicKeys = [ "nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=%" ];
fileSystems = {
"/boot" = {
device = "/dev/disk/by-label/NIXOS_BOOT";
fsType = "vfat";
};
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
swapDevices = [ { device = "/swapfile"; size = 1024; } ];
services.openssh.enable = true;
networking.wireless.enable = true;
hardware.enableRedistributableFirmware = true;
}

16
krebs/1systems/onebutton/source.nix Normal file
View file

@ -0,0 +1,16 @@
with import <stockholm/lib>;
let
pkgs = import <nixpkgs> {};
nixpkgs = pkgs.fetchFromGitHub {
owner = "nixos";
repo = "nixpkgs-channels";
rev = "6c064e6b"; # only binary cache for unstable arm6
sha256 = "1rqzh475xn43phagrr30lb0fd292c1s8as53irihsnd5wcksnbyd";
};
in import <stockholm/krebs/source.nix> {
name = "onebutton";
override.nixpkgs = mkForce {
file = toString nixpkgs;
};
}

9
krebs/2configs/buildbot-all.nix
View file

@ -1,9 +0,0 @@
with import <stockholm/lib>;
{ lib, config, pkgs, ... }:
{
networking.firewall.allowedTCPPorts = [ 80 8010 9989 ];
krebs.ci.enable = true;
krebs.ci.treeStableTimer = 1;
krebs.ci.hosts = filter (getAttr "ci") (attrValues config.krebs.hosts);
}

12
krebs/2configs/buildbot-krebs.nix
View file

@ -1,12 +0,0 @@
with import <stockholm/lib>;
{ lib, config, pkgs, ... }:
{
imports = [
<stockholm/krebs/2configs/repo-sync.nix>
];
networking.firewall.allowedTCPPorts = [ 80 8010 9989 ];
krebs.ci.enable = true;
krebs.ci.treeStableTimer = 120;
krebs.ci.hosts = [ config.krebs.build.host ];
}

178
krebs/2configs/buildbot-stockholm.nix Normal file
View file

@ -0,0 +1,178 @@
{ config, pkgs, ... }: with import <stockholm/lib>;
let
hostname = config.networking.hostName;
in
{
networking.firewall.allowedTCPPorts = [ 80 ];
services.nginx = {
enable = true;
virtualHosts.build = {
serverAliases = [ "build.${hostname}.r" ];
locations."/".extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port};
'';
};
};
krebs.buildbot.master = {
slaves = {
testslave = "lasspass";
};
change_source.stockholm = ''
stockholm_repo = 'http://cgit.prism.r/stockholm'
cs.append(
changes.GitPoller(
stockholm_repo,
workdir='stockholm-poller', branches=True,
project='stockholm',
pollinterval=10
)
)
'';
scheduler = {
auto-scheduler = ''
sched.append(
schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch_re=".*"),
treeStableTimer=60,
name="build-all-branches",
builderNames=[
"hosts",
]
)
)
'';
force-scheduler = ''
sched.append(
schedulers.ForceScheduler(
name="hosts",
builderNames=[
"hosts",
]
)
)
'';
};
builder_pre = ''
# prepare grab_repo step for stockholm
grab_repo = steps.Git(
repourl=stockholm_repo,
mode='full',
)
'';
builder = {
hosts = ''
from buildbot import interfaces
from buildbot.steps.shell import ShellCommand
class StepToStartMoreSteps(ShellCommand):
def __init__(self, **kwargs):
ShellCommand.__init__(self, **kwargs)
def addBuildSteps(self, steps_factories):
for sf in steps_factories:
step = interfaces.IBuildStepFactory(sf).buildStep()
step.setBuild(self.build)
step.setBuildSlave(self.build.slavebuilder.slave)
step_status = self.build.build_status.addStepWithName(step.name)
step.setStepStatus(step_status)
self.build.steps.append(step)
def start(self):
props = self.build.getProperties()
hosts = json.loads(props.getProperty('hosts_json'))
for host in hosts:
user = hosts[host]['owner']
self.addBuildSteps([steps.ShellCommand(
name=str(host),
env={
"NIX_PATH": "secrets=/var/src/stockholm/null:stockholm=./:/var/src",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
},
command=[
"nix-shell", "-I", "stockholm=.", "--run", " ".join(["test",
"--user={}".format(user),
"--system={}".format(host),
"--force-populate",
"--target=$LOGNAME@${config.krebs.build.host.name}$HOME/{}".format(user),
])
],
timeout=90001,
workdir='build', # TODO figure out why we need this?
)])
ShellCommand.start(self)
f = util.BuildFactory()
f.addStep(grab_repo)
f.addStep(steps.SetPropertyFromCommand(
env={
"NIX_PATH": "secrets=/var/src/stockholm/null:stockholm=./:/var/src",
"NIX_REMOTE": "daemon",
},
name="get_hosts",
command=["nix-instantiate", "--json", "--strict", "--eval", "-E", """
with import <nixpkgs> {};
let
eval-config = cfg:
import <nixpkgs/nixos/lib/eval-config.nix> {
modules = [
(import cfg)
];
}
;
system = eval-config ./krebs/1systems/hotdog/config.nix; # TODO put a better config here
ci-systems = lib.filterAttrs (_: v: v.ci) system.config.krebs.hosts;
filtered-attrs = lib.mapAttrs ( n: v: {
owner = v.owner.name;
}) ci-systems;
in filtered-attrs
"""],
property="hosts_json"
))
f.addStep(StepToStartMoreSteps(command=["echo"])) # TODO remove dummy command from here
bu.append(
util.BuilderConfig(
name="hosts",
slavenames=slavenames,
factory=f
)
)
'';
};
enable = true;
web.enable = true;
irc = {
enable = true;
nick = "build|${hostname}";
server = "irc.r";
channels = [ "noise" "xxx" ];
allowForce = true;
};
extraConfig = ''
c['buildbotURL'] = "http://build.${hostname}.r/"
'';
};
krebs.buildbot.slave = {
enable = true;
masterhost = "localhost";
username = "testslave";
password = "lasspass";
packages = with pkgs; [ gnumake jq nix populate ];
};
}

1
krebs/2configs/default.nix
View file

@ -50,6 +50,7 @@ with import <stockholm/lib>;
users.extraUsers.root.openssh.authorizedKeys.keys = [
# TODO
config.krebs.users.lass.pubkey
config.krebs.users.lass-mors.pubkey
config.krebs.users.makefu.pubkey
# TODO HARDER:
config.krebs.users.makefu-omo.pubkey

5
krebs/2configs/news-spam.nix
View file

@ -2,6 +2,7 @@
{
krebs.newsbot-js.news-spam = {
urlShortenerHost = "go.lassul.us";
feeds = pkgs.writeText "feeds" ''
[SPAM]aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews
[SPAM]allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews
@ -93,7 +94,7 @@
[SPAM]npr_world|http://www.npr.org/rss/rss.php?id=1004|#snews
[SPAM]nsa|https://www.nsa.gov/rss.xml|#snews #bullerei
[SPAM]nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#snews
[SPAM]painload|https://github.com/krebscode/painload/commits/master.atom|#snews
[SPAM]painload|https://github.com/krebs/painload/commits/master.atom|#snews
[SPAM]phys|http://phys.org/rss-feed/|#snews
[SPAM]piraten|https://www.piratenpartei.de/feed/|#snews
[SPAM]polizei_berlin|http://www.berlin.de/polizei/presse-fahndung/_rss_presse.xml|#snews
@ -120,7 +121,7 @@
[SPAM]sciencemag|http://news.sciencemag.org/rss/current.xml|#snews
[SPAM]scmp|http://www.scmp.com/rss/91/feed|#snews
[SPAM]sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews
[SPAM]shackspace|http://blog.shackspace.de/?feed=rss2|#snews
[SPAM]shackspace|http://shackspace.de/atom.xml|#snews
[SPAM]shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews
[SPAM]sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews
[SPAM]sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews

6
krebs/2configs/news.nix
View file

@ -8,15 +8,15 @@
ethereum|http://blog.ethereum.org/feed|#news
LtU|http://lambda-the-ultimate.org/rss.xml|#news
mongrel2_master|https://github.com/zedshaw/mongrel2/commits/master.atom|#news
painload|https://github.com/krebscode/painload/commits/master.atom|#news
painload|https://github.com/krebs/painload/commits/master.atom|#news
reddit_haskell|http://www.reddit.com/r/haskell/.rss|#news
reddit_nix|http://www.reddit.com/r/nixos/.rss|#news
shackspace|http://blog.shackspace.de/?feed=rss2|#news
shackspace|http://shackspace.de/atom.xml|#news
tinc|http://tinc-vpn.org/news/index.rss|#news
vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#news
weechat|http://dev.weechat.org/feed/atom|#news
xkcd|https://xkcd.com/rss.xml|#news
painload|https://github.com/krebscode/painload/commits/master.atom|#news
painload|https://github.com/krebs/painload/commits/master.atom|#news
'';
};
}

11
krebs/2configs/reaktor-krebs.nix
View file

@ -13,13 +13,8 @@ with import <stockholm/lib>;
};
plugins = with pkgs.ReaktorPlugins; [
sed-plugin
wiki-todo-add
wiki-todo-done
wiki-todo-show
];
] ++
(attrValues (todo "agenda"))
;
};
services.nginx.virtualHosts."lassul.us".locations."/wiki-todo".extraConfig = ''
default_type "text/plain";
alias /var/lib/Reaktor/state/wiki-todo;
'';
}

4
krebs/2configs/reaktor-retiolum.nix
View file

@ -10,6 +10,8 @@ with import <stockholm/lib>;
};
plugins = with pkgs.ReaktorPlugins; [
sed-plugin
];
] ++
(attrValues (todo "agenda"))
;
};
}

85
krebs/2configs/shack/worlddomination.nix
View file

@ -2,8 +2,56 @@
with import <stockholm/lib>;
let
pkg = pkgs.stdenv.mkDerivation {
name = "worlddomination-2018-04-21";
src = pkgs.fetchgit {
url = "https://github.com/shackspace/worlddomination/";
rev = "1b32403b9";
sha256 = "10x7aiil13k3x9wqy95mi1ys999d6fxg5sys3jwv7a1p930gkl1i";
};
buildInputs = [
(pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
docopt
LinkHeader
aiocoap
grequests
paramiko
python
]))
];
installPhase = ''
install -m755 -D backend/push_led.py $out/bin/push-led
install -m755 -D backend/loop_single.py $out/bin/loop-single
# copy the provided file to the package
install -m755 -D backend/wd.lst $out/${wdpath}
'';
};
pythonPackages = pkgs.python3Packages;
# https://github.com/chrysn/aiocoap
grequests = pythonPackages.buildPythonPackage rec {
pname = "grequests";
version = "0.3.1";
name = "${pname}-${version}";
src = pkgs.fetchFromGitHub {
owner = "kennethreitz";
repo = "grequests";
rev = "d1e70eb";
sha256 = "0drfx4fx65k0g5sj0pw8z3q1s0sp7idn2yz8xfb45nd6v82i37hc";
};
doCheck = false;
propagatedBuildInputs = with pythonPackages; [ requests gevent ];
meta = with lib;{
description = "Asynchronous HTTP requests";
homepage = https://github.com/kennethreitz/grequests;
license = with licenses; [ bsd2 ];
maintainers = with maintainers; [ matejc ];
};
};
aiocoap = pythonPackages.buildPythonPackage {
name = "aiocoap-0.3";
src = pkgs.fetchurl { url = "https://pypi.python.org/packages/9c/f6/d839e4b14258d76e74a39810829c13f8dd31de2bfe0915579b2a609d1bbe/aiocoap-0.3.tar.gz"; sha256 = "402d4151db6d8d0b1d66af5b6e10e0de1521decbf12140637e5b8d2aa9c5aef6"; };
@ -25,32 +73,9 @@ let
description = "Parse and format link headers according to RFC 5988 \"Web Linking\"";
};
};
pkg = pkgs.stdenv.mkDerivation {
name = "worlddomination-2017-06-10";
src = pkgs.fetchgit {
url = "https://github.com/shackspace/worlddomination/";
rev = "72fc9b5";
sha256 = "05h500rswzypcxy4i22qc1vkc8izbzfqa9m86xg289hjxh133xyf";
};
buildInputs = [
(pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
docopt
LinkHeader
aiocoap
requests
paramiko
python
]))
];
installPhase = ''
install -m755 -D backend/push_led.py $out/bin/push-led
install -m755 -D backend/loop_single.py $out/bin/loop-single
# copy the provided file to the package
install -m755 -D backend/wd.lst $out/${wdpath}
'';
};
wdpath = "/usr/worlddomination/wd.lst";
esphost = "10.42.24.7"; # esp8266
afrihost = "10.42.25.201"; # africa
timeout = 10; # minutes
in {
systemd.services.worlddomination = {
@ -64,4 +89,16 @@ in {
PermissionsStartOnly = true;
};
};
systemd.services.worlddomination-africa = {
description = "run worlddomination africa";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "nobody"; # TODO separate user
ExecStart = "${pkg}/bin/push-led ${afrihost} ${pkg}/${wdpath} loop ${toString timeout}";
Restart = "always";
PrivateTmp = true;
PermissionsStartOnly = true;
};
};
}

192
krebs/3modules/ci.nix
View file

@ -1,192 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
let
cfg = config.krebs.ci;
hostname = config.networking.hostName;
in
{
options.krebs.ci = {
enable = mkEnableOption "krebs continous integration";
stockholmSrc = mkOption {
type = types.str;
default = "http://cgit.${hostname}.r/stockholm";
};
treeStableTimer = mkOption {
type = types.int;
default = 10;
description = "how long to wait until we test changes (in minutes)";
};
hosts = mkOption {
type = types.listOf types.host;
default = [];
description = ''
List of hosts that should be build
'';
};
tests = mkOption {
type = types.listOf types.str;
default = [];
description = ''
List of tests that should be build
'';
};
};
config = mkIf cfg.enable {
services.nginx = {
enable = true;
virtualHosts.build = {
serverAliases = [ "build.${hostname}.r" ];
locations."/".extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port};
'';
};
};
krebs.buildbot.master = {
slaves = {
testslave = "lasspass";
};
change_source.stockholm = ''
stockholm_repo = '${cfg.stockholmSrc}'
cs.append(
changes.GitPoller(
stockholm_repo,
workdir='stockholm-poller', branches=True,
project='stockholm',
pollinterval=10
)
)
'';
scheduler = {
build-scheduler = ''
sched.append(
schedulers.SingleBranchScheduler(
change_filter=util.ChangeFilter(branch_re=".*"),
treeStableTimer=${toString cfg.treeStableTimer}*60,
name="build-all-branches",
builderNames=[
${optionalString (cfg.hosts != []) ''"hosts",''}
${optionalString (cfg.tests != []) ''"tests",''}
]
)
)
'';
force-scheduler = ''
sched.append(
schedulers.ForceScheduler(
name="force",
builderNames=[
${optionalString (cfg.hosts != []) ''"hosts",''}
${optionalString (cfg.tests != []) ''"tests",''}
]
)
)
'';
};
builder_pre = ''
# prepare grab_repo step for stockholm
grab_repo = steps.Git(
repourl=stockholm_repo,
mode='full'
)
# prepare addShell function
def addShell(factory,**kwargs):
factory.addStep(steps.ShellCommand(**kwargs))
'';
builder = {
hosts = mkIf (cfg.hosts != []) ''
f = util.BuildFactory()
f.addStep(grab_repo)
def build_host(user, host):
addShell(f,
name="{}".format(host),
env={
"NIX_PATH": "secrets=/var/src/stockholm/null:/var/src",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
},
command=[
"nix-shell", "-I", "stockholm=.", "--run", " ".join(["test",
"--user={}".format(user),
"--system={}".format(host),
"--force-populate",
"--target=$LOGNAME@${config.krebs.build.host.name}$HOME/{}".format(user),
])
],
timeout=90001
)
${concatMapStringsSep "\n" (host:
"build_host(\"${host.owner.name}\", \"${host.name}\")"
) cfg.hosts}
bu.append(
util.BuilderConfig(
name="hosts",
slavenames=slavenames,
factory=f
)
)
'';
tests = mkIf (cfg.tests != []) ''
f = util.BuildFactory()
f.addStep(grab_repo)
def run_test(test):
addShell(f,
name="{}".format(test),
env={
"NIX_PATH": "secrets=/var/src/stockholm/null:/var/src",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
},
command=[
"nix-build", "-I", "stockholm=.", "krebs/6tests",
"-A", "{}".format(test)
],
timeout=90001
)
${concatMapStringsSep "\n" (test:
"run_test(\"${test}\")"
) cfg.tests}
bu.append(
util.BuilderConfig(
name="tests",
slavenames=slavenames,
factory=f
)
)
'';
};
enable = true;
web.enable = true;
irc = {
enable = true;
nick = "build|${hostname}";
server = "irc.r";
channels = [ "xxx" "noise" ];
allowForce = true;
};
extraConfig = ''
c['buildbotURL'] = "http://build.${hostname}.r/"
'';
};
krebs.buildbot.slave = {
enable = true;
masterhost = "localhost";
username = "testslave";
password = "lasspass";
packages = with pkgs; [ gnumake jq nix populate ];
};
};
}

1
krebs/3modules/default.nix
View file

@ -13,7 +13,6 @@ let
./buildbot/master.nix
./buildbot/slave.nix
./build.nix
./ci.nix
./current.nix
./exim.nix
./exim-retiolum.nix

63
krebs/3modules/krebs/default.nix
View file

@ -30,38 +30,6 @@ let
});
in {
hosts = {
hope = {
ci = true;
owner = config.krebs.users.krebs;
nets = {
internet = {
ip4.addr = "45.62.225.18";
aliases = [
"hope.i"
];
ssh.port = 45621;
};
retiolum = {
ip4.addr = "10.243.77.4";
ip6.addr = "42:0:0:0:0:0:77:4";
aliases = [
"hope.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsQVWCoNZZd77tYw1qEDlUsfcF0ld+jVorq2uR5il1D8sqER644l5
uaWxPQjSl27xdq5kvzIH24Ab6/xF2EDgE2fUTwpO5coBYafeiGyi5AwURQmYMp2a
2CV7uUAagFQaSzD0Aj796r1BXPn1IeE+uRSBmmc/+/7L0hweRGLiha34NOMZkq+4
A0pwI/CjnyRXdV4AqfORHXkelykJPATm+m3bC+KYogPBeNMP2AV2aYgY8a0UJPMK
fjAJCzxYJjiYxm8faJlm2U1bWytZODQa8pRZOrYQa4he2UoU6x78CNcrQkYLPOFC
K2Q7+B5WJNKV6CqYztXuU/6LTHJRmV0FiwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdLHRI29xJj1jmfSidE2Dh7EsDNszm+WH3Kj4zYBkP/";
};
hotdog = {
ci = true;
owner = config.krebs.users.krebs;
@ -91,6 +59,37 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp";
};
onebutton = {
cores = 1;
owner = config.krebs.users.krebs;
nets = {
retiolum = {
ip4.addr = "10.243.0.101";
ip6.addr = "42:0:0:0:0:0:0:101";
aliases = [
"onebutton.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA11w6votRExwE0ZEiQmPa
9WGNsMfNAZEd14iHaHCZH7UPQEH+cH/T6isGPpaysindroMnqFe9mUf/cdYChb6N
aaFreApwGBQaJPUcdy4cfphrFpzmOClpOFuFbnV7ZvAk/wefBad3kUzsq/lK4HvB
7nPKeOB9kljphLrkzuLL/h2yOenMpO2ZdvwxyWN8HKmUNgvpBQjIr+Hka6cgy7Gp
pBVFHfSnad/eHeEvq91O/bHxrAxzH5N5DVagPDpkbiWYGl+0XVGP/h0CApr15Ael
+j2pJYc0ZlaXIp4KmNRqbd/fLe52JLrWbnFX4rRuY/DhoMqK8kjECEZ7gLiNSpCC
KlnlJ2LXX9c+d79ubzl5yLAJ3d6T4IJqkbAWJDuCrj821M9ZDk/qZwerayhrrvkF
tMYkQoGSe8MvSOU0rTEoH5iSRwDC7M0XzUe4l8/yZLFyD4Prz/dq6coqANfk/tlE
DnH3vDu9lmFvYrLcd6yDWzFfI3mWDJoUa6AKKoScCOaCkRfIM4Aew0i73+h1nJLO
59AAbZIkDYyWs53QniIG4EQteI9y/9j/628nPAVj68V5oIN76RDXfFHWDWq4DxmU
PpGVmoIKcKZmnl7RrDomRVpuGMdyQ+kCzIGH3XYe12v8Y5beHZBrd3OajgHZ/Tfp
jP873cT6h0hsGm9glgOYho8CAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcZg+iLaPZ0SpLM+nANxIjZC/RIsansjyutK0+gPhIe ";
};
puyak = {
ci = true;
owner = config.krebs.users.krebs;

135
krebs/3modules/lass/default.nix
View file

@ -9,6 +9,7 @@ with import <stockholm/lib>;
hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.lass;
ci = true;
monitoring = true;
}) {
dishfire = {
cores = 4;
@ -43,39 +44,6 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy";
};
echelon = {
cores = 2;
nets = rec {
internet = {
ip4.addr = "64.137.242.41";
aliases = [
"echelon.i"
];
ssh.port = 45621;
};
retiolum = {
via = internet;
ip4.addr = "10.243.206.103";
ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f763";
aliases = [
"echelon.r"
"cgit.echelon.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAuscWOYdHu0bpWacvwTNd6bcmrAQ0YFxJWHZF8kPZr+bMKIhnXLkJ
oJheENIM6CA9lQQQFUxh2P2pxZavW5rgVlJxIKeiB+MB4v6ZO60LmZgpCsWGD/dX
MipM2tLtQxYhvLJIJxEBWn3rxIgeEnCtZsH1KLWyLczb+QpvTjMJ4TNh1nEBPE/f
4LUH1JHaGhcaHl2dLemR9wnnDIjmSj0ENJp2al+hWnIggcA/Zp0e4b86Oqbbs5wA
n++n5j971cTrBdA89nJDYOEtepisglScVRbgLqJG81lDA+n24RWFynn+U3oD/L8p
do+kxlwZUEDRbPU4AO5L+UeIbimsuIfXiQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL21QDOEFdODFh6WAfNp6odrXo15pEsDQuGJfMu/cKzK";
};
prism = rec {
cores = 4;
extraZones = {
@ -86,14 +54,18 @@ with import <stockholm/lib>;
"lassul.us" = ''
$TTL 3600
@ IN SOA dns16.ovh.net. tech.ovh.net. (2017093001 86400 3600 3600000 300)
60 IN NS ns16.ovh.net.
60 IN NS dns16.ovh.net.
60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
60 IN TXT v=spf1 mx a:lassul.us -all
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
60 IN NS ns16.ovh.net.
60 IN NS dns16.ovh.net.
60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
60 IN TXT v=spf1 mx a:lassul.us -all
60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" )
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
'';
};
nets = rec {
@ -149,6 +121,7 @@ with import <stockholm/lib>;
};
domsen-nas = {
ci = false;
monitoring = false;
external = true;
nets = rec {
internet = {
@ -161,6 +134,7 @@ with import <stockholm/lib>;
};
};
uriel = {
monitoring = false;
cores = 1;
nets = {
gg23 = {
@ -399,10 +373,12 @@ with import <stockholm/lib>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX";
};
iso = {
monitoring = false;
ci = false;
cores = 1;
};
sokrateslaptop = {
monitoring = false;
ci = false;
external = true;
nets = {
@ -426,6 +402,7 @@ with import <stockholm/lib>;
};
};
turingmachine = {
monitoring = false;
ci = false;
external = true;
nets = {
@ -454,6 +431,7 @@ with import <stockholm/lib>;
};
};
eddie = {
monitoring = false;
ci = false;
external = true;
nets = rec {
@ -494,6 +472,7 @@ with import <stockholm/lib>;
};
};
borg = {
monitoring = false;
ci = false;
external = true;
nets = {
@ -521,6 +500,7 @@ with import <stockholm/lib>;
};
};
inspector = {
monitoring = false;
ci = false;
external = true;
nets = rec {
@ -552,6 +532,7 @@ with import <stockholm/lib>;
};
};
dpdkm = {
monitoring = false;
ci = false;
external = true;
nets = rec {
@ -659,9 +640,76 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsTeSAedrbp7/KmZX8Mvka702fIUy77Mvqo9HwzCbym";
};
red = {
monitoring = false;
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.13";
ip6.addr = "42:0:0:0:0:0:0:12ed";
aliases = [
"red.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG
4/cqsjvHlffAN8jYDq+GImgREvbiLlFhhHgxwKh0gcDTR8P1xX/00P3/fx/g5bRF
Te7LZT2AFmVFFFfx1n9NBweN/gG2/hzB9J8epbWLNT+RzpzHuAoREvDZ+jweSXaI
phdmQY2s36yrR3TAShqq0q4cwlXuHT00J+InDutM0mTftBQG/fvYkBhHOfq4WSY0
FeMK7DTKNbsqQiKKQ/kvWi7KfTW0F0c7SDpi7BLwbQzP2WbogtGy9MIrw9ZhE6Ox
TVdAksPKw0TlYdb16X/MkbzBqTYbxFlmWzpMJABMxIVwAfQx3ZGYvJDdDXmQS2qa
mDN2xBb/5pj3fbfp4wbwWlRVSd/AJQtRvaNY24F+UsRJb0WinIguDI6oRZx7Xt8w
oYirKqqq1leb3EYUt8TMIXQsOw0/Iq+JJCwB+ZyLLGVNB19XOxdR3RN1JYeZANpE
cMSS3SdFGgZ//ZAdhIN5kw9yMeKo6Rnt+Vdz3vZWTuSVp/xYO3IMGXNGAdIWIwrJ
7fwSl/rfXGG816h0sD46U0mxd+i68YOtHlzOKe+vMZ4/FJZYd/E5/IDQluV8HLwa
5lODfZXUmfStdV+GDA9KVEGUP5xSkC3rMnir66NgHzKpIL002/g/HfGu7O3MrvpW
ng7AMvRv5vbsYcJBj2HUhKUCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp";
};
blue = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.77";
ip6.addr = "42:0:0:0:0:0:0:77";
aliases = [
"blue.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd
QwyX4PvVm9WItPmmNy+RE2y0Mf04LxZ7RLm5+e0wPuhXXQyhZ06CNd6tjeaKfXUc
sNeC1Vjuh1hsyYJLR5Xf/YRNJQKoaHjbkXGt+rSK7PPuCcsUPOSZSEAgHYVvcFzM
wWE4kTDcBZeISB4+yLmPIZXhnDImRRMEurFNRiocoMmEIu/zyYVq8rnlTl972Agu
PMGo1HqVxCouEWstRvtX5tJmV8yruRbH4tADAruLXErLLwUAx/AYDNRjY1TYYetJ
RoaxejmZVVIvR+hWaDLkHZO89+to6wS5IVChs1anFxMNN6Chq2v8Bb2Nyy1oG/H/
HzXxj1Rn7CN9es5Wl0UX4h9Zg+hfspoI75lQ509GLusYOyFwgmFF02eMpxgHBiWm
khSJzPkFdYJKUKaZI0nQEGGsFJOe/Se5jj70x3Q5XEuUoQqyahAqwQIYh6uwhbuP
49RBPHpE+ry6smhUPLTitrRsqeBU4RZRNsUAYyCbwyAH1i+K3Q5PSovgPtlHVr2N
w+VZCzsrtOY2fxXw0e+mncrx/Qga62s4m6a/dyukA5RytA9f6bBsvSTqr7/EQTs6
ZEBoPudk7ULNEbfjmJtBkeG7wKIlpgzVg/JaCAwMuSgVjrpIHrZmjOVvmOwB8W6J
Ch/o7chVljAwW4JmyRnhZbMCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv";
};
};
users = {
lass = {
users = rec {
lass = lass-blue;
lass-blue = {
mail = "lass@blue.r";
pubkey = builtins.readFile ./ssh/blue.rsa;
pgp.pubkeys.default = builtins.readFile ./pgp/blue.pgp;
};
lass-mors = {
mail = "lass@mors.r";
pubkey = builtins.readFile ./ssh/mors.rsa;
pgp.pubkeys.default = builtins.readFile ./pgp/mors.pgp;
@ -686,6 +734,7 @@ with import <stockholm/lib>;
lass-icarus = {
mail = "lass@icarus.r";
pubkey = builtins.readFile ./ssh/icarus.rsa;
pgp.pubkeys.default = builtins.readFile ./pgp/icarus.pgp;
};
lass-xerxes = {
mail = "lass@xerxes.r";

51
krebs/3modules/lass/pgp/blue.pgp Normal file
View file

@ -0,0 +1,51 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFr9fAEBEACz2E2E7uBulVBBtPmk9IR2yB+uAWSe8Hi7vNiGc1Dbs40jzWuy
AqouqyC5xnVw66+cQaYOsgXiwencmu/cFEV2x2uRLDVh1E/fvc8yxAOizEIY0jm/
WZ/4IWvTZLVPF3BOhM4p/HGNbdZhRc4RoljLTB34VuY1KSMhs3Vx7n3HgZzdbD7D
itUFU4oY5CnkQp4yl1Htat08cZmbD51VTZB1hDw2Uea+VuMQ/ImRtTqW+Ss4xyPA
DwUE/vRM3CKwBvcjbNL3uUqc5dtZuvruuFeK3ScmdNLytcgXqJzLlwuzHmSt/Tnc
DQZWKGiHnMvrAOkMEvsmiKhboWSAq4sRUPhISqZ7MSvPfhaH5Gcmhi+hL8FZhGY0
qF7MNLHoimw6MBV6FIIA0vCDn2p5Vwc7L+LqLjWqAvxdfVoeUJjUWbWWNNWg4Tw7
9e7rAR86e4AvhCZRubRn1aOfKGF5vg/El98OeIwBFQHpr7uznKfjmAEpoGveV+vG
amptMCBAr4Hw76U708XWOQkZ2GDY9cfdxUllhAmmPrNQ/OcT2b4x0xKvMi4nA5G8
PBOFErkS61zNxsHgpFe2isG+VDqYLfeQhOdB101Qn6IHw3KxyW85CwImUpdRLMUi
0wtcA7M5GB94HRZ8qW6LtFBjwqm2NGudB0alfIWIq7KuRMXus3sJKQ2gDQARAQAB
tBlsYXNzQGJsdWUuciA8bGFzc0BibHVlLnI+iQJOBBMBCAA4FiEEuOpc8JA44Pd5
NXyK8UJeZkL6H7wFAlr9fAECGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ
8UJeZkL6H7ygPQ/+JydbB0IX64ojm34YaeWKVdM5D7JFBdNuKgbAMf0Uhcja6YcU
0YRvuOPpw4lNZqV/1yxDXGHJrVfGolq6uz28oWr+9VUD8QXH9ODm1EMLsU8Jb1Nh
SE+rWSAhEmdw8l9Bi12wq4v/z/JC93/VJLnBGOL8LDEsJ9OatUw71KIt/a50ERoz
uCZbMeLPym8WqSK1kjQehL5pj97BzxmBNpFYwqaniTAuqTN6bhs2ws+k89vjaWIP
T+bEqsJV/vR9KZcNlmKlTQwbsjQ1BZ9EuV4EBL6IAMrqxDeY3mFnT+EpkabfIVSh
38KmG+4PZDXaj6rCsrsH2pUKaZ/Z6Mr3lmFb/1aaK3xKiQyxcMrbcixIIVI8ihTM
HUC3DFFlA7+02b67QomWFLRiZid4gCry7xhZyryQJkN2l20fzRjWf0myzcPO0qxc
y39gUyEqy1oeaffCc1QgDJH2Hvf+P9StyMZIulNuCKJ9tfQR5nkkDAy/2p405Lmf
mdKOMha6bZ+mA5HbmjMqwyFPHEtU6t/mUhlh7mYqNYAJikuqV00N6nTKVrBb2IfK
atoHeUcmvMWBGL7+x3zxwf2pnum6a5iDES2ir87ltOGKGDeMt2Y/Ap30P+uZGnn1
AiRu2bGkCiQ/WH1StJhAhJeleUfdbOa7/voc14nl3rewqyhqYd8dlI+TWAu5Ag0E
Wv18AQEQAOFMwY2ky5TyRrDqJosq0y/9+8D6RiXlyOnyTQ+bqu4mDEaVu3xNcKLH
CQsTM7gDR9pivapoDo84CK8w519DHCA2EpNGTDO4twcQ3jKqPth809LnibwdKJCe
qsfxsIfN8LbpKDOygZ2av11gcT0ye9uOMkiiRSE2MMGDU/50sskecavUAExDgwFs
v72ReU3fXRfTqYT6p/i/qMB7GbS8PlKFz61JKHDceS5GJUZJ5OWOoq7ZMCz6zrLW
2mQIJ7kblGCJKUnx/lZ5y9nqSCk7jer2qENxWNPOCwD48A78u1Bz8xSN5D1gFO3f
YSKh60kK5UljwkvRD7NvAcg2ifwL1e+/7v8WV9OsHDUBEiJO05tsjJ76QwHnEq6j
4peArcTAHWZ4uGncAgYN/Uii+0vs3oVDsZ9d2uLJxuR3h6T4XVejeuZ3j3o/XX/E
aZwcdH3VpKqEjdG4c4TMz96bN7ZN2DbgTf40rwPFKgWnvhCA9dWlmfy9pW2z2hyg
rJaRGXd/4znj5YlMliDrL4/Yp9j1J1CsoZM68er6/zMU1SA9U/y+MVqMoPCPlczx
mbwWQm1JH6fZv2SzHbZOrZYWKVWX+jPZQV6SjKwSiVrLlZJ0Z8u00HBRRRzXLwXa
OLL/dGP1v+msMv1oCJT1AsMcBEE3bY1efnDP1XK8vBLzoMKGS1RtABEBAAGJAjYE
GAEIACAWIQS46lzwkDjg93k1fIrxQl5mQvofvAUCWv18AQIbDAAKCRDxQl5mQvof
vOC1D/wO+tGKz/y5dc/ifJGTndxoHnU8tarboDll0kcdpTGU7It+ReNustqJZj5v
HK4V/ZXUw5+y6ZasNa/mFYY8oACOI40SlMdyt708XfPqYKXOpnM0oGRGfALi+oKg
iIzYtXsqYk5ZYSFWpgxajHef9HMmHNJ8riSVRugUPubPMKPR65DOXl+BdVIlQw7o
2g3s4Lii0IRKov3BvB51oJMhRK2Ne55VDBid32oIoqXLXS2E2gJQegioAiDUA5J4
1f96RCeYfxOgaPj/o4eiXK0H3owA3W78/tIjq5218PCIYFsOKPhrSqJ7ZF/5yGwW
ppVzsaz1sE9oULR0VOFUwjpYmyH32WwKkLF6mKumb8Q7Pd/FJq0I3/kxD/OrlNVZ
8UCX0CzxMyfEeSUfScunKLMfopEGxXTR4l8jew7CwxX08H0nkqyegDZSN8MjYxQL
V/zoL+aPjYh1WYf1L8wyBZjQbA6khHwYRZPaHrGfGaCGC8MHiSjPb/nt54+vZXtt
17LcX4VvHwWIBf88JpZO9eyTFPdYIZANSyo6ltbRoomuAywuA5IibCwh/BXi/aVa
Jro4UvbiwMqbVgSAt15VAwEK1Re/NNLBTcVVMHsWr5WNmo0s2C7+j+iIMPEOwhRs
ZFj74cztyOF/dGeCv9ycW29g+ejXaPpFOYQz0A9bBdkEdTGWhQ==
=D854
-----END PGP PUBLIC KEY BLOCK-----

51
krebs/3modules/lass/pgp/icarus.pgp Normal file
View file

@ -0,0 +1,51 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFpqAGEBEADWiwVYVFXuK9kM7Y1XFL70jb2ZAZBRIpcZF81URMDFhm6ulvHq
fEhXTpiKKmfnv5Mz6r6wAWLJFKOKZuEvg8NwplRrlBHMkR3iEx4+7sP/dVey7U6f
+gI61ytFHTOKr52gstPVdXO3xhNmdrAI1hFuF2DxoXKloz8tPP92dZcCdm7+5C+2
KSYEBrIp/Zv1cjkbAFwek5y4ut65sBh/VM+RhSLbqwzyCxwfBE9QAJdIEiSmChql
Lcz6CToYrdXhOY0ykx+QhT092k/6Xh66JeZ63WVHGrF+SSabq5NNcbWi7EISioHd
N6JXZmbXMpS/BxgMe145e3mWnd3KOSeOxaiORqev8VOycjRQJfSm8Ky+GtWIyxp7
rwEHbY8vlG2X9RMW5UxVmSRPWLykZoX0Xvmnrpwcohb5WdkuCp9NjqF0gDswU8do
bCqASfeWBvJAQkoAlMLU7YH+ymmeQcSVdLy4Jpv1fk5FocQBihTBnC1+ztt7Rm8m
8VGEpH1h174/z4Xn+bCkRZqopl9GlvpilLT8m8N8jdL7QLZJlQwrHVtima8Rg3XZ
TriW1Ha/NxHZ8nN7pbisqXHCrJB0szzu++yVeQ7Ebr7HA0tIHqDhqVR0s6a1g5AX
JYI8vCErowhvPf+BVCUYfmh5dJAY6tt9zrvCneaZ7ogPzOH9kRnZXYi7ZQARAQAB
tBZpY2FydXMgPGxhc3NAaWNhcnVzLnI+iQJOBBMBCAA4FiEEbimq9dgDayT9DrQy
FSODpr2bDFMFAlpqAGECGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQFSOD
pr2bDFNVohAAiY6Pp4whrAIKwNkzqLkUl2SyQCVSGOce906jthKSixdfaUORZPdD
AnyYUmPyVpWxKYjZl7IfmDDo7D6m21tP8FxCRK8/oYAtz3uRK5b5sb0/5YR77O9+
s65sNhU8jiHetUEHQ0Z9UJKfm1DpanJ37uIhVcye8BC8OuSD0v0s+hZ+2ZaN1qdn
qqCkujAILxOWo1ZDqpXfHaV11AotzlgyYmxlXzClsLB0SGhU7HUZesKETn3JUmrV
88kkpug8gn9MpTSPDIWsTeNUWpNhqdDRA+2TUygtpQSKzJC8sdkFaWkMrH3cF6wA
BZ+4tS2mRMQWq9BNMK+xnkWPvYO9e6v4ddXtlcVgGTUhSo+opCXza3dcXE5Xbv8x
a1T5HJSV0HQPTrlAUoXZveu7ZgYVO5SOTCm1jBNKX8WCmvO6yJRalxo9N/d6gswq
tKAGm9tlXpTXnG6tvebmSxjzjVwjbQMDJGy4Cj4bw0GGCdapDFrPidUDY/INmU7D
TWtNsAJlJRuu7ddxIVTspZ7rmDBAOhYzXxGuU3ntZFTiFm9BpCmHYWpeQ5EKuxhJ
mgxzC9wKDoS8NRKwt5ak/mX0vpXkJjF2Lrza0wCAZ1ZYWFNaehEwhNT51s9kZIi3
w1v2z8xmu7VDq/n2sMRtMe7MVIOh1Nu7l/5Uqeb+EYnEc1NGZsFxcYK5Ag0EWmoA
YQEQALMaaF9HeDpeqDjDpxanjjIz4YXMZoMkXwrLS/Rn2mobG5lJzxU+1AkwXxTD
K45A0YHWsnAH1S8V9Gx+NlUMS/S/m9BruSXNohUKARIJLbltEM/EufOThjgfhW0Y
cLorZ1kOSZvORR9+Ctuq/RcvGFwyLB/4OpcGHUezTIcAkLUo0lKPS4HtT2ogSUIx
UstAMwEOSQIDR6sDDiS0BXNdlkKK6daLpH+snQMGP+ILAyRHGu1MlYkACDQZa5aP
9vpany7zC9Ls7vaewCevZCUJfs00VF72pdCRdBV8oPQqwPfhS+uSCV58WwWCqHTq
8PtxCVVzQdngOvScRvjrijtzlseyyTW3w9DPoDsQ16oM3y0kcnnv2hdfTVuv4+YK
9fVRIrWEAlU3cxud7iws9+vUO9GwyWy+epFLiCgNgJR/RVIIjcHUExn/XAcFStjw
QtW+3BxjYmdJpsh5wvmMJSMZDJFMEdKYPm4RI7ZfKVwl6yFeJt3hNkLxxF7k2fXB
84pIvl03hXA3tRQ5t46wS7L2EPlWT00+MCraczvbIS+SX1nCp4ZXLBs0YmicioBS
Os0zEtVs+80eWMf86MTT7YLwre4t+QRbM/RyIvJFTqBT3ad7/7ZMyEuVJBwDJlpx
LGwZGa6zwnbzcf8Us4kAIRzQoK8VOg/xC/ymJYCk3oJCKD9RABEBAAGJAjYEGAEI
ACAWIQRuKar12ANrJP0OtDIVI4OmvZsMUwUCWmoAYQIbDAAKCRAVI4OmvZsMU1vw
EACDJDmZR5BIPxwr9+1Z5ZgT7XcBUbu4F2w84J3xqCUYqcti6I4lSMtxfw94crMp
HoexOVOhvoTneIliv0a4ZSu84u4CGoFn4M7RA0Ka1SVvbuasXf57sVwRptXjr3LL
f/0olra5rkIyZbsvKm0g2N/bfmCfmtOClFDst2yK/FovW5PJBRx2mT38qBhHG8j2
P7zG0/vO846FxjAGvOMGlEVGmN+R9BeecomOKsKgvUbsycAwzZi/2vWAUGbJBYjx
Yd+K8wjPE8g5CumxaLSH/dlY/0BOZygjank+aHLrwMtNnplYVJmmqDhdbgwN6DDk
cCQNLQyk61IdhtZ7UzJyFTkXnXiirrO4WzL6GJjunNzvcTUAU5vNiG+2he1GdxZF
WiLRrcC+oIMWVST8fNRwJZU+Ibw/UIfEV/rHau0fJlxZatks7Qd8gjxSHIyElUVj
CYrizbFPZ85IhkCirX2tvhycK/nseAYjDuJkJIp3Io0sl3cQ9M8Kx790LUbYzNC4
bZn8vA1YwTr1ny3+vEhMhaaVSTeVrWYV8023kwzcLRWra7F1hJcc9+LNmqHvXR67
uBW2KPIrXKrjJmGkMVBSrf9PJu5jNfvCWOntck7C7xOWoUcgyt3uTpP7FkHVdolh
HFNPouS3w0HoB20zdCpmyFNs6Rjhey2r5JIttd6ATVRVYA==
=gJia
-----END PGP PUBLIC KEY BLOCK-----

1
krebs/3modules/lass/ssh/blue.rsa Normal file
View file

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHYLHcHSumTUr0jTu1XmmwRMqjLHYvo4AYuEg1QdishDbwU5KCqarSf7sxLTjeBgOugHP/oJZclin+e9GTQ5hlBEtc26IVQqirNVD1BCZrt/y5ok0p8p+2Rhzh89kfRI6Etp+8cPbot4h3Vg6tY57icKn3visaMdH0cI2pAQbPWwSY+cmyXU5cfcFC8ahcZpEgth4ycC5yM/qdHxZek2wN+58ApgjEjuvTD6y4iXqdWmqHVoGaeNV7OFiiKVaYoJND1igHLNw2VEQR5aPsmc8gadBtGIQb43YqObNBDWwMjvozmQVFPycMmMTDwA1n+IWxvwz34KEzyw5jQShUTCRDji4vK58WfC16fPLbW+ohCe+9Yyg7TRdjDFA5jTA3rFM7tZS8EhpLgyHupNi1GbUVmeyhqTdWp+H66u5zTzC5Q/PYOk1M0D/X/C6dXyIcB4lLr9mDTGvS1aOZVZJuDF4pLyI2oZzaySALjcofCJyNpBBUtUXHsiT4VNuJExl4XEXjvQKnPKojEzpTsK1rm/ZSa3vBCv0gBbjQ8uU1q86ODIDy35q2GQvsLMkAbduBLeA9m1EdZXLYComSfVLalArw3Q+4vd/FHhoOicVkrwIzcPiYg9uQZm2NrjiBkYlWCdXTFc49ghIDrPXLnwwWqPuZcs430u6Somk8XzuRZBC7ZDdjbiS5D8vQkDThQrmmFPRs+bp1N9VkC+LaBtFnbFaYARF6i2yFUD9YNSEEu2r14u+KGlg5P7ndIkE+BhAOIp4XcHejVFWfvKvYpMRZ4LDVkPIJdmZ4gIIfGbdBNMv1zRsX6O0NOhiEP1pNYb+HdY5R2YYIvtxn1sC/TrjoN3ELAQA9YBszHEaYjvmqHh08/CWCEpgHIagCccYdSzbtM9GsoAcePL4E7kqSZxIfbNjrYQEBEQbu16pj7bMxVhH8QaouOdjiioqr2tBr5HwA05HP1poGProOzsmJxdph7pb4hJ1P+OEeuwTRIVLudYYl6iBajGW2IdsUo+xGANpuPBpQyB4RajJ4XcXP8K3xVY6x7DfH3DwKfCFAc6KzyADa2xw7/uwBRi2HOyKazkPe5ESYLWY29krqH2tO+IYkgm5tAEkf79j4R9aCeZe/HyjPDlSPZ2NwAZpWKJFkBTveiwoe2noZSAeVKrcblFN5ic0or+ci+CSbmctce8mbqB7QHEJJh5flLDzBMIuh4eroH/Dp5MBbDqxu/T8yCCRHFz70KXpaIFSGlSIebTRt1Om9+CWTgTp95cM0HrAhZDnN/W9FRdAFsA/IjEJ2Eh3tHpdvFZ3XgIq52MrHJdopQo7KUoOVhJiFCo5L0PcKNRVpMbcCKVk1i9k8jqyM9AVgwGrnijiaafUaFmBIlC/U2FZZ+KRtIyDcIRrnGGKE7DEyhBQ9YavxpOFDDSXuC5aPjMNcSGydGArtDd5+5Yp0YraY0oe6UTuzypsxdI8W6IbePryvEeOXG5b/6YayC2sq+7wRconaa9DU= lass@blue

1
krebs/3modules/makefu/default.nix
View file

@ -539,6 +539,7 @@ with import <stockholm/lib>;
dl.euer IN A ${nets.internet.ip4.addr}
boot.euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
mon.euer IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr}
dockerhub IN A ${nets.internet.ip4.addr}

1
krebs/3modules/newsbot-js.nix
View file

@ -93,6 +93,7 @@ let
User = "newsbot-js";
Restart = "always";
ExecStart = "${newsbot.package}/bin/newsbot";
WatchdogSec = "86400";
};
}
) cfg;

24
krebs/3modules/tv/default.nix
View file

@ -32,30 +32,6 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_rsa>;
ssh.pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP9JS2Nyjx4Pn+/4MrFi1EvBBYVKkGm2Q4lhgaAiSuiGLol53OSsL2KIo01mbcSSBWow9QpQpn8KDoRnT2aMLDrdTFqL20ztDLOXmtrSsz3flgCjmW4f6uOaoZF0RNjAybd1coqwSJ7EINugwoqOsg1zzN2qeIGKYFvqFIKibYFAnQ8hcksmkvPdIO5O8CbdIiP9sZSrSDp0ZyLK2T0PML2jensVZOeqSPulQDFqLsbmavpVLkpDjdzzPRwbZWNB4++YeipbYNOkX4GR1EB4wMZ93IbBV7kpJtib2Zb2AnUf7UW37hxWBjILdstj9ClwNOQggn8kD9ub7YxBzH1dz0Xd8a0mPOAWIDJz9MypXgFRc3vdvPB/W1I4Se0CLbgOkORun9CkgijKr9oEY8JNt8HFd6viZcAaQxOyIm6PNHZTnHfdSc7bIBS2n3e3IZBv0fTd77knGLXg402aTuu2bm/kxsKivxsILXIaGbeXe4ceN3Fynr3FzSM2bUkzHb0mAHu1BQ9YaX0xzCwjVueA5nzGls7ODSFkXsiBfg2FvMN/sTLFca6tnwyqcnD6nujoiS5+BxjDWPgnZYqCaW3B/IkpTsRMsX6QrfhOFcsP8qlJ2Cp82orWoDK/D0vZ9pdzAc6PFGga0RofuJKY2yiq+SRZ7/e9E6VncIVCYZ1OfN0Q==";
};
kaepsele = {
external = true;
nets = {
retiolum = {
ip4.addr = "10.243.166.2";
ip6.addr = "42:b9d:6660:d07c:2bb7:4e91:1a01:2e7d";
aliases = [
"kaepsele.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA4+kDaKhCBNlpHqRCA2R6c4UEFk0OaiPwHvjmBBjpihTJVyffIEYm
QFZ5ZNkaVumSOAgKk9ygppO9WsNasl1ag+IRWik9oupdzEkNjgvOMBVJGhcwGZGF
6UEY5sdA1n0qg74og5BGSiXUBiaahVM0rAfCNk8gV3qrot5kWJMQLb9BKabJ56eb
JrgWepxuVaw3BoEhz6uusuvw5i1IF382L8R11hlvyefifXONFOAUjCrCr0bCb4uK
ZZcRUU35pbHLDXXTOrOarOO1tuVGu85VXo3S1sLaaouHYjhTVT8bxqbwcNhxBXYf
ONLv0f7G5XwecgUNbE6ZTfjV5PQKaww3lwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5Wr36T0MmB8pnSO5/pw9/Dfe5+IMgVHOhm6EUa55jj";
};
mu = {
ci = true;
cores = 2;

65
krebs/5pkgs/simple/Reaktor/plugins.nix
View file

@ -120,33 +120,48 @@ rec {
url-title = (buildSimpleReaktorPlugin "url-title" {
pattern = "^.*(?P<args>http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+).*$$";
path = with pkgs; [ curl perl ];
script = pkgs.writeDash "lambda-pl" ''
if [ "$#" -gt 0 ]; then
curl -SsL --max-time 5 "$1" |
perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si'
fi
script = pkgs.writePython3 [ "beautifulsoup4" "lxml" ] "url-title" ''
import sys
import urllib.request
from bs4 import BeautifulSoup
try:
soup = BeautifulSoup(urllib.request.urlopen(sys.argv[1]), "lxml")
title = soup.find('title').string
if title:
if len(title) > 512:
print('message to long, skipped')
elif len(title.split('\n')) > 5:
print('to many lines, skipped')
else:
print(title)
except: # noqa: E722
pass
'';
});
wiki-todo-add = buildSimpleReaktorPlugin "wiki-todo-add" {
pattern = "^wiki-todo: (?P<args>.*)$$";
script = pkgs.writeDash "wiki-todo-add" ''
echo "$*" >> wiki-todo
echo "added todo. check on http://lassul.us/wiki-todo"
'';
};
wiki-todo-done = buildSimpleReaktorPlugin "wiki-todo-done" {
pattern = "^wiki-done: (?P<args>.*)$$";
script = pkgs.writeDash "wiki-todo-done" ''
${pkgs.gnugrep}/bin/grep -Fvxe "$*" wiki-todo > wiki-todo.tmp
${pkgs.coreutils}/bin/mv wiki-todo.tmp wiki-todo
echo "thank you for resolving todo: $*"
'';
};
wiki-todo-show = buildSimpleReaktorPlugin "wiki-todo" {
pattern = "^wiki-show$";
script = pkgs.writeDash "wiki-show" ''
${pkgs.coreutils}/bin/cat wiki-todo
'';
todo = name: {
add = buildSimpleReaktorPlugin "${name}-add" {
pattern = "^${name}-add: (?P<args>.*)$$";
script = pkgs.writeDash "${name}-add" ''
echo "$*" >> ${name}-todo
echo "added ${name} todo"
'';
};
delete = buildSimpleReaktorPlugin "${name}-delete" {
pattern = "^${name}-delete: (?P<args>.*)$$";
script = pkgs.writeDash "${name}-delete" ''
${pkgs.gnugrep}/bin/grep -Fvxe "$*" ${name}-todo > ${name}-todo.tmp
${pkgs.coreutils}/bin/mv ${name}-todo.tmp ${name}-todo
echo "removed ${name} todo: $*"
'';
};
show = buildSimpleReaktorPlugin "${name}-show" {
pattern = "^${name}-show$";
script = pkgs.writeDash "${name}-show" ''
${pkgs.coreutils}/bin/cat ${name}-todo
'';
};
};
}

2
krebs/5pkgs/simple/buildbot-classic/default.nix
View file

@ -7,7 +7,7 @@ python2Packages.buildPythonApplication rec {
patches = [];
src = fetchFromGitHub {
owner = "krebscode";
owner = "krebs";
repo = "buildbot-classic";
rev = version;
sha256 = "0g686n6m0cjfyympl0ksansllx503gby3hx9gmc8hiyx6x5fkjha";

24
krebs/5pkgs/simple/ejabberd/default.nix
View file

@ -1,5 +1,5 @@
{ stdenv, writeScriptBin, lib, fetchurl, git, cacert
, erlang, openssl, expat, libyaml, bash, gnused, gnugrep, coreutils, utillinux, procps
, erlang, openssl, expat, libyaml, bash, gnused, gnugrep, coreutils, utillinux, procps, gd
, withMysql ? false
, withPgsql ? false
, withSqlite ? false, sqlite
@ -23,17 +23,17 @@ let
ctlpath = lib.makeBinPath [ bash gnused gnugrep coreutils utillinux procps ];
in stdenv.mkDerivation rec {
version = "17.07";
version = "18.01";
name = "ejabberd-${version}";
src = fetchurl {
url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz";
sha256 = "1p8ppp2czjgnq8xnhyksd82npvvx99fwr0g3rrq1wvnwh2vgb8km";
sha256 = "01i2n8mlgw293jdf4172f9q8ca8m35vysjws791p7nynpfdb4cn6";
};
nativeBuildInputs = [ fakegit ];
buildInputs = [ erlang openssl expat libyaml ]
buildInputs = [ erlang openssl expat libyaml gd ]
++ lib.optional withSqlite sqlite
++ lib.optional withPam pam
++ lib.optional withZlib zlib
@ -50,7 +50,7 @@ in stdenv.mkDerivation rec {
configureFlags = [ "--enable-all" "--with-sqlite3=${sqlite.dev}" ];
buildInputs = [ git erlang openssl expat libyaml sqlite pam zlib elixir ];
nativeBuildInputs = [ git erlang openssl expat libyaml sqlite pam zlib elixir ];
GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
@ -74,7 +74,7 @@ in stdenv.mkDerivation rec {
outputHashMode = "recursive";
outputHashAlgo = "sha256";
outputHash = "1q9yzccn4zf5i4hibq1r0i34q4986a93ph4792l1ph07aiisc8p7";
outputHash = "1v3h0c7kfifb6wsfxyv5j1wc7rlxbb7r0pgd4s340wiyxnllzzhk";
};
configureFlags =
@ -92,6 +92,10 @@ in stdenv.mkDerivation rec {
enableParallelBuilding = true;
patches = [
./ejabberdctl.patch
];
preBuild = ''
cp -r $deps deps
chmod -R +w deps
@ -107,12 +111,12 @@ in stdenv.mkDerivation rec {
$out/sbin/ejabberdctl
'';
meta = {
meta = with stdenv.lib; {
description = "Open-source XMPP application server written in Erlang";
license = lib.licenses.gpl2;
license = licenses.gpl2;
homepage = http://www.ejabberd.im;
platforms = lib.platforms.linux;
maintainers = [ lib.maintainers.sander lib.maintainers.abbradar ];
platforms = platforms.linux;
maintainers = with maintainers; [ sander abbradar ];
broken = withElixir;
};
}

32
krebs/5pkgs/simple/ejabberd/ejabberdctl.patch Normal file
View file

@ -0,0 +1,32 @@
--- a/ejabberdctl.template 1970-01-01 01:00:01.000000000 +0100
+++ b/ejabberdctl.template 2018-04-24 23:06:54.127715441 +0200
@@ -42,19 +42,18 @@
esac
# parse command line parameters
-for arg; do
- case $arg in
- -n|--node) ERLANG_NODE_ARG=$2; shift;;
- -s|--spool) SPOOL_DIR=$2; shift;;
- -l|--logs) LOGS_DIR=$2; shift;;
- -f|--config) EJABBERD_CONFIG_PATH=$2; shift;;
- -c|--ctl-config) EJABBERDCTL_CONFIG_PATH=$2; shift;;
- -d|--config-dir) ETC_DIR=$2; shift;;
- -t|--no-timeout) NO_TIMEOUT="--no-timeout";;
- --) :;;
+while test $# -gt 0; do
+ case $1 in
+ -n|--node) ERLANG_NODE_ARG=$2; shift 2;;
+ -s|--spool) SPOOL_DIR=$2; shift 2;;
+ -l|--logs) LOGS_DIR=$2; shift 2;;
+ -f|--config) EJABBERD_CONFIG_PATH=$2; shift 2;;
+ -c|--ctl-config) EJABBERDCTL_CONFIG_PATH=$2; shift 2;;
+ -d|--config-dir) ETC_DIR=$2; shift 2;;
+ -t|--no-timeout) NO_TIMEOUT="--no-timeout"; shift 1;;
+ # --) :;; what is this for?
*) break;;
esac
- shift
done
# define ejabberd variables if not already defined from the command line

46
krebs/5pkgs/simple/generate-secrets/default.nix Normal file
View file

@ -0,0 +1,46 @@
{ pkgs }:
pkgs.writeDashBin "generate-secrets" ''
HOSTNAME="$1"
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1)
HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null
${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null
cat <<EOF > $TMPDIR/hashedPasswords.nix
{
root = "$HASHED_PASSWORD";
}
EOF
cd $TMPDIR
for x in *; do
${pkgs.coreutils}/bin/cat $x | ${pkgs.brain}/bin/brain insert -m krebs-secrets/$HOSTNAME/$x > /dev/null
done
echo $PASSWORD | ${pkgs.brain}/bin/brain insert -m hosts/$HOSTNAME/root > /dev/null
cat <<EOF
$HOSTNAME = {
cores = 1;
owner = config.krebs.users.krebs;
nets = {
retiolum = {
ip4.addr = "10.243.0.changeme";
ip6.addr = "42:0:0:0:0:0:0:changeme";
aliases = [
"$HOSTNAME.r"
];
tinc.pubkey = ${"''"}
$(cat $TMPDIR/retiolum.rsa_key.pub)
${"''"};
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
};
EOF
rm -rf $TMPDIR
''

7
krebs/5pkgs/simple/kops.nix
View file

@ -1,7 +0,0 @@
{ fetchgit, ... }:
fetchgit {
url = https://cgit.krebsco.de/kops;
rev = "refs/tags/v1.0.0";
sha256 = "0wg8d80sxa46z4i7ir79sci2hwmv3qskzqdg0si64p6vazy8vckb";
}

7
krebs/5pkgs/simple/krops.nix Normal file
View file

@ -0,0 +1,7 @@
{ fetchgit, ... }:
fetchgit {
url = https://cgit.krebsco.de/krops;
rev = "refs/tags/v1.0.0";
sha256 = "0ahp3fxb3l1vcjylxw0cd0f4hfp98bxskkf3z9d37hl3m7v4pcb4";
}

2
krebs/5pkgs/simple/painload/default.nix
View file

@ -1,7 +1,7 @@
{ fetchgit, ... }:
fetchgit {
url = https://github.com/krebscode/painload;
url = https://github.com/krebs/painload;
rev = "c113487f73713a03b1a139b22bb34b86234d0495";
sha256 = "1irxklnmvm8wsa70ypjahkr8rfqq7357vcy8r0x1sfncs1hy6gr6";
}

36
krebs/5pkgs/simple/pssh/default.nix
View file

@ -1,36 +0,0 @@
{ writeDashBin }:
writeDashBin "pssh" ''
set -efu
case ''${1-} in
# TODO create plog with -o json | jq ... | map date
# usage: pssh {-j,--journal} host...
# Follow journal at each host.
-j|--journal)
shift
"$0" journalctl -n0 -ocat --follow --all ::: "$@" \
| while read line; do
printf '%s %s\n' "$(date --rfc-3339=s)" "$line"
done
;;
-*)
echo $0: unknown option: $1 >&2
exit 1
;;
# usage: pssh command [arg...] ::: host...
# Run command at each host.
*)
exec parallel \
--line-buffer \
-j0 \
--no-notice \
--tagstring {} \
ssh -T {} "$@"
;;
esac
''

2
krebs/5pkgs/simple/repo-sync/default.nix
View file

@ -10,7 +10,7 @@ with python3Packages; buildPythonPackage rec {
pkgs.git
];
src = fetchFromGitHub {
owner = "krebscode";
owner = "krebs";
repo = "repo-sync";
rev = version;
sha256 = "1qjf1jmxf7xzwskybdys4vqncnwj9f3xwk1gv354zrla68s533cw";

4
krebs/5pkgs/simple/retiolum-bootstrap/default.nix
View file

@ -6,7 +6,7 @@ stdenv.mkDerivation rec {
src = fetchurl {
url = https://raw.githubusercontent.com/krebscode/painload/master/retiolum/scripts/tinc_setup/new_install.sh;
url = https://raw.githubusercontent.com/krebs/painload/master/retiolum/scripts/tinc_setup/new_install.sh;
sha256 = "03kmil8q2xm3rdm2jxyah7vww84pw6w01d0c3siid9zpn2j7la9s";
};
@ -21,7 +21,7 @@ stdenv.mkDerivation rec {
meta = {
description = "Retiolum boostrap scripts";
url = https://github.com/krebscode/painload;
url = https://github.com/krebs/painload;
license = licenses.wtfpl;
platforms = platforms.unix;
maintainers = with maintainers; [ makefu ];

7
krebs/5pkgs/simple/thesauron/default.nix Normal file
View file

@ -0,0 +1,7 @@
{ fetchgit, callPackage }: let
src = fetchgit {
url = "https://github.com/krebs/thesauron";
rev = "8ac22588cf2c20465e3c9348e7ce04885599c2a5";
"sha256"= "1ivkjl235dnm5aaqqvarnxkz7zh0gvah22b0fqwlsflrcd5wmgva";
};
in callPackage src {}

15
krebs/5pkgs/simple/ucspi-tcp/chmod.patch
View file

@ -1,15 +0,0 @@
diff --git a/hier.c b/hier.c
index 5663ada..1d73b84 100644
--- a/hier.c
+++ b/hier.c
@@ -2,8 +2,8 @@
void hier()
{
- h(auto_home,-1,-1,02755);
- d(auto_home,"bin",-1,-1,02755);
+ h(auto_home,-1,-1,0755);
+ d(auto_home,"bin",-1,-1,0755);
c(auto_home,"bin","tcpserver",-1,-1,0755);
c(auto_home,"bin","tcprules",-1,-1,0755);

86
krebs/5pkgs/simple/ucspi-tcp/default.nix
View file

@ -1,86 +0,0 @@
{ stdenv, fetchurl }:
stdenv.mkDerivation rec {
name = "ucspi-tcp-0.88";
src = fetchurl {
url = "http://cr.yp.to/ucspi-tcp/${name}.tar.gz";
sha256 = "171yl9kfm8w7l17dfxild99mbf877a9k5zg8yysgb1j8nz51a1ja";
};
# Plain upstream tarball doesn't build, get patches from Debian
patches = [
(fetchurl {
url = "http://ftp.de.debian.org/debian/pool/main/u/ucspi-tcp/ucspi-tcp_0.88-3.diff.gz";
sha256 = "0mzmhz8hjkrs0khmkzs5i0s1kgmgaqz07h493bd5jj5fm5njxln6";
})
./chmod.patch
];
# Apply Debian patches
postPatch = ''
for fname in debian/diff/*.diff; do
echo "Applying patch $fname"
patch < "$fname"
done
'';
# The build system is weird; 'make install' doesn't install anything, instead
# it builds an executable called ./install (from C code) which installs
# binaries to the directory given on line 1 in ./conf-home.
#
# Also, assume getgroups and setgroups work, instead of doing a build time
# test that breaks on NixOS (I think because nixbld users lack CAP_SETGID
# capability).
preBuild = ''
echo "$out" > conf-home
echo "main() { return 0; }" > chkshsgr.c
'';
installPhase = ''
mkdir -p "$out/bin"
mkdir -p "$out/share/man/man1"
# run the newly built installer
./install
# Install Debian man pages (upstream has none)
cp debian/ucspi-tcp-man/*.1 "$out/share/man/man1"
'';
meta = with stdenv.lib; {
description = "Command-line tools for building TCP client-server applications";
longDescription = ''
tcpserver waits for incoming connections and, for each connection, runs a
program of your choice. Your program receives environment variables
showing the local and remote host names, IP addresses, and port numbers.
tcpserver offers a concurrency limit to protect you from running out of
processes and memory. When you are handling 40 (by default) simultaneous
connections, tcpserver smoothly defers acceptance of new connections.
tcpserver also provides TCP access control features, similar to
tcp-wrappers/tcpd's hosts.allow but much faster. Its access control rules
are compiled into a hashed format with cdb, so it can easily deal with
thousands of different hosts.
This package includes a recordio tool that monitors all the input and
output of a server.
tcpclient makes a TCP connection and runs a program of your choice. It
sets up the same environment variables as tcpserver.
This package includes several sample clients built on top of tcpclient:
who@, date@, finger@, http@, tcpcat, and mconnect.
tcpserver and tcpclient conform to UCSPI, the UNIX Client-Server Program
Interface, using the TCP protocol. UCSPI tools are available for several
different networks.
'';
homepage = http://cr.yp.to/ucspi-tcp.html;
license = licenses.publicDomain;
platforms = platforms.linux;
maintainers = [ maintainers.bjornfor ];
};
}

29
krebs/5pkgs/simple/urlwatch/default.nix
View file

@ -1,29 +0,0 @@
{ stdenv, fetchFromGitHub, python3Packages }:
python3Packages.buildPythonApplication rec {
name = "urlwatch-${version}";
version = "2.8";
src = fetchFromGitHub {
owner = "thp";
repo = "urlwatch";
rev = version;
sha256 = "1nja7n6pc45azd3l1xyvav89855lvcgwabrvf34rps81dbl8cnl4";
};
propagatedBuildInputs = with python3Packages; [
appdirs
keyring
minidb
pycodestyle
pyyaml
requests
];
meta = with stdenv.lib; {
description = "A tool for monitoring webpages for updates";
homepage = https://thp.io/2008/urlwatch/;
license = licenses.bsd3;
maintainers = with maintainers; [ tv ];
};
}

21
krebs/kops.nix → krebs/krops.nix
View file

@ -1,19 +1,18 @@
{ name }: rec {
kops = (import <nixpkgs> {}).fetchgit {
url = https://cgit.krebsco.de/kops/;
rev = "e89cf20d4310070a877c2e24a287659546b561c9";
sha256 = "0wg8d80sxa46z4i7ir79sci2hwmv3qskzqdg0si64p6vazy8vckb";
krops = builtins.fetchGit {
url = https://cgit.krebsco.de/krops/;
rev = "4e466eaf05861b47365c5ef46a31a188b70f3615";
};
lib = import "${kops}/lib";
lib = import "${krops}/lib";
# TODO document why pkgs should be used like this
pkgs = import "${kops}/pkgs" {};
pkgs = import "${krops}/pkgs" {};
krebs-source = {
nixpkgs.git = {
ref = "4b4bbce199d3b3a8001ee93495604289b01aaad3";
ref = "7295e175bf6c6e8aa54f1b4d99256ee95d13d385";
url = https://github.com/NixOS/nixpkgs;
};
stockholm.file = toString ../.;
@ -38,7 +37,7 @@
secrets =
if test
then {
file = toString <stockholm/krebs/6tests/data/secrets>;
file = toString <stockholm/krebs/0tests/data/secrets>;
}
else {
pass = {
@ -51,14 +50,14 @@
];
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
deploy = pkgs.kops.writeDeploy "${name}-deploy" {
deploy = pkgs.krops.writeDeploy "${name}-deploy" {
source = source { test = false; };
target = "root@${name}/var/src";
};
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A test)
test = pkgs.kops.writeTest "${name}-test" {
test = pkgs.krops.writeTest "${name}-test" {
source = source { test = true; };
target = "${lib.getEnv "HOME"}/tmp/${name}-kops-test-src";
target = "${lib.getEnv "HOME"}/tmp/${name}-krops-test-src";
};
}

4
krebs/source.nix
View file

@ -14,7 +14,7 @@ in
{
nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix";
secrets = getAttr builder {
buildbot.file = toString <stockholm/krebs/6tests/data/secrets>;
buildbot.file = toString <stockholm/krebs/0tests/data/secrets>;
krebs.pass = {
dir = "${getEnv "HOME"}/brain";
name = "krebs-secrets/${name}";
@ -22,7 +22,7 @@ in
};
stockholm.file = toString <stockholm>;
stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
nixpkgs = (import ./kops.nix { name = ""; }).krebs-source.nixpkgs;
nixpkgs = (import ./krops.nix { name = ""; }).krebs-source.nixpkgs;
}
override
]

49
lass/1systems/blue/config.nix Normal file
View file

@ -0,0 +1,49 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/blue.nix>
];
krebs.build.host = config.krebs.hosts.blue;
environment.shellAliases = {
deploy = pkgs.writeDash "deploy" ''
set -eu
export SYSTEM="$1"
$(nix-build $HOME/stockholm/lass/krops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
'';
};
networking.nameservers = [ "1.1.1.1" ];
lass.restic = genAttrs [
"daedalus"
"icarus"
"littleT"
"prism"
"shodan"
"skynet"
] (dest: {
dirs = [
"/home/"
"/var/lib"
];
passwordFile = (toString <secrets>) + "/restic/${dest}";
repo = "sftp:backup@${dest}.r:/backups/blue";
extraArguments = [
"sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
];
timerConfig = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
};
});
time.timeZone = "Europe/Berlin";
users.users.mainUser.openssh.authorizedKeys.keys = [ config.krebs.users.lass-android.pubkey ];
}

8
lass/1systems/blue/physical.nix Normal file
View file

@ -0,0 +1,8 @@
{
imports = [
./config.nix
];
boot.isContainer = true;
networking.useDHCP = false;
environment.variables.NIX_REMOTE = "daemon";
}

4
lass/1systems/blue/source.nix Normal file
View file

@ -0,0 +1,4 @@
import <stockholm/lass/source.nix> {
name = "blue";
secure = true;
}

18
lass/1systems/cabal/config.nix
View file

@ -3,8 +3,6 @@
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
@ -13,23 +11,11 @@
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/AP.nix>
<stockholm/lass/2configs/blue-host.nix>
];
krebs.build.host = config.krebs.hosts.cabal;
#fileSystems = {
# "/bku" = {
# device = "/dev/mapper/pool-bku";
# fsType = "btrfs";
# options = ["defaults" "noatime" "ssd" "compress=lzo"];
# };
#};
#services.udev.extraRules = ''
# SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0"
# SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
#'';
}

12
lass/1systems/cabal/physical.nix Normal file
View file

@ -0,0 +1,12 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
];
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:45:85:ac", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:62:2b:1b", NAME="et0"
'';
}

17
lass/1systems/daedalus/config.nix
View file

@ -4,13 +4,11 @@ with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/coreboot.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/backup.nix>
{
# bubsy config
users.users.bubsy = {
@ -94,17 +92,4 @@ with import <stockholm/lib>;
'';
krebs.build.host = config.krebs.hosts.daedalus;
fileSystems = {
"/bku" = {
device = "/dev/mapper/pool-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
'';
}

20
lass/1systems/daedalus/physical.nix Normal file
View file

@ -0,0 +1,20 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/coreboot.nix>
];
fileSystems = {
"/bku" = {
device = "/dev/mapper/pool-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
'';
}

34
lass/1systems/dishfire/config.nix
View file

@ -4,41 +4,7 @@
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
<stockholm/lass/2configs/git.nix>
{
boot.loader.grub = {
device = "/dev/vda";
splashImage = null;
};
boot.initrd.availableKernelModules = [
"ata_piix"
"ehci_pci"
"uhci_hcd"
"virtio_pci"
"virtio_blk"
];
fileSystems."/" = {
device = "/dev/mapper/pool-nix";
fsType = "ext4";
};
fileSystems."/srv/http" = {
device = "/dev/pool/srv_http";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/vda1";
fsType = "ext4";
};
fileSystems."/bku" = {
device = "/dev/pool/bku";
fsType = "ext4";
};
}
{
networking.dhcpcd.allowInterfaces = [
"enp*"

39
lass/1systems/dishfire/physical.nix Normal file
View file

@ -0,0 +1,39 @@
{ config, lib, pkgs, ... }:
{
imports = [
./config.nix
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
];
boot.loader.grub = {
device = "/dev/vda";
splashImage = null;
};
boot.initrd.availableKernelModules = [
"ata_piix"
"ehci_pci"
"uhci_hcd"
"virtio_pci"
"virtio_blk"
];
fileSystems."/" = {
device = "/dev/mapper/pool-nix";
fsType = "ext4";
};
fileSystems."/srv/http" = {
device = "/dev/pool/srv_http";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/vda1";
fsType = "ext4";
};
fileSystems."/bku" = {
device = "/dev/pool/bku";
fsType = "ext4";
};
}

50
lass/1systems/echelon/config.nix
View file

@ -1,50 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (import <stockholm/lass/4lib> { inherit pkgs lib; }) getDefaultGateway;
ip = config.krebs.build.host.nets.internet.ip4.addr;
in {
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/os-templates/CAC-CentOS-7-64bit.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/privoxy-retiolum.nix>
<stockholm/lass/2configs/git.nix>
{
networking.interfaces.enp2s1.ip4 = [
{
address = ip;
prefixLength = 24;
}
];
networking.defaultGateway = getDefaultGateway ip;
networking.nameservers = [
"8.8.8.8"
];
}
{
sound.enable = false;
}
{
users.extraUsers = {
satan = {
name = "satan";
uid = 1338;
home = "/home/satan";
group = "users";
createHome = true;
useDefaultShell = true;
extraGroups = [
];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+l3ajjOd80uJBM8oHO9HRbtA5hK6hvrpxxnk7qWW7OloT9IXcoM8bbON755vK0O6XyxZo1JZ1SZ7QIaOREGVIRDjcbJbqD3O+nImc6Rzxnrz7hvE+tuav9Yylwcw5HeQi82UIMGTEAwMHwLvsW6R/xyMCuOTbbzo9Ib8vlJ8IPDECY/05RhL7ZYFR0fdphI7jq7PobnO8WEpCZDhMvSYjO9jf3ac53wyghT3gH7AN0cxTR9qgQlPHhTbw+nZEI0sUKtrIhjfVE80wgK3NQXZZj7YAplRs/hYwSi7i8V0+8CBt2epc/5RKnJdDHFQnaTENq9kYQPOpUCP6YUwQIo8X nineinchnade@gmail.com"
];
};
};
}
];
krebs.build.host = config.krebs.hosts.echelon;
}

92
lass/1systems/helios/config.nix
View file

@ -12,47 +12,12 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/otp-ssh.nix>
# TODO fix krebs.git.rules.[definition 2-entry 2].lass not defined
#<stockholm/lass/2configs/git.nix>
<stockholm/lass/2configs/dcso-vpn.nix>
#<stockholm/lass/2configs/dcso-vpn.nix>
<stockholm/lass/2configs/virtualbox.nix>
<stockholm/lass/2configs/dcso-dev.nix>
<stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/rtl-sdr.nix>
{ # automatic hardware detection
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
fileSystems."/" = {
device = "/dev/pool/root";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/1F60-17C6";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/pool/home";
fsType = "btrfs";
};
fileSystems."/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["nosuid" "nodev" "noatime"];
};
nix.maxJobs = lib.mkDefault 8;
}
{ # crypto stuff
boot.initrd.luks = {
cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
devices = [{
name = "luksroot";
device = "/dev/nvme0n1p3";
}];
};
}
<stockholm/lass/2configs/backup.nix>
{
services.xserver.dpi = 200;
fonts.fontconfig.dpi = 200;
@ -98,13 +63,6 @@ with import <stockholm/lib>;
}
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.wireless.enable = true;
hardware.enableRedistributableFirmware = true;
environment.systemPackages = with pkgs; [
ag
vim
@ -123,49 +81,17 @@ with import <stockholm/lib>;
services.tlp.enable = true;
services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.xrandrHeads = [
{ output = "DP-2"; primary = true; }
{ output = "DP-4"; monitorConfig = ''Option "Rotate" "left"''; }
{ output = "DP-0"; }
];
services.xserver.displayManager.sessionCommands = ''
${pkgs.xorg.xrandr}/bin/xrandr --output DP-6 --off --output DP-5 --off --output DP-4 --mode 2560x1440 --pos 3840x0 --rotate left --output DP-3 --off --output DP-2 --primary --mode 3840x2160 --scale 0.5x0.5 --pos 0x400 --rotate normal --output DP-1 --off --output DP-0 --mode 2560x1440 --pos 5280x1120 --rotate normal
'';
networking.hostName = lib.mkForce "BLN02NB0162";
security.pki.certificateFiles = [
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "006j61q2z44z6d92638iin6r46r4cj82ipwm37784h34i5x4mp0d"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "1nkd1rjcn02q9xxjg7sw79lbwy08i7hb4v4pn98djknvcmplpz5m"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "094m12npglnnv1nf1ijcv70p8l15l00id44qq7rwynhcgxi5539i"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; })
(pkgs.writeText "minio.cert" ''
-----BEGIN CERTIFICATE-----
MIIDFDCCAfygAwIBAgIQBEKYm9VmbR6T/XNLP2P5kDANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQKEwdBY21lIENvMB4XDTE4MDIxNDEyNTk1OVoXDTE5MDIxNDEyNTk1
OVowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMmRGUTMDxOaoEZ3osG1ZpGj4enHl6ToWaoCXvRXvI6RB/99QOFlwLdL
8lGjIbXyovNkH686pVsfgCTOLRGzftWHmWgfmaSUv0TToBW8F9DN4ww9YgiLZjvV
YZunRyp1n0x9OrBXMs7xEBBa4q0AG1IvlRJTrd7CW519FlVq7T95LLB7P6t6K54C
ksG4kEzXLRPD/FMdU7LWbhWnQSOxPMCq8erTv3kW3A3Y9hSAKOFQKQHH/3O2HDrM
CbK5ldNklswg2rIHxx7kg1fteLD1lVCNPfCMfuwlLUaMeoRZ03HDof8wFlRz3pzw
hQRWPvfLfRvFCZ0LFNvfgAqXtmG/ywUCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgKk
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wLAYDVR0RBCUw
I4IJbG9jYWxob3N0ggZoZWxpb3OCCGhlbGlvcy5yhwR/AAABMA0GCSqGSIb3DQEB
CwUAA4IBAQBzrPb3NmAn60awoJG3d4BystaotaFKsO3iAnP4Lfve1bhKRELIjJ30
hX/mRYkEVRbfwKRgkkLab4zpJ/abjb3DjFNo8E4QPNeCqS+8xxeBOf7x61Kg/0Ox
jRQ95fTATyItiChwNkoxYjVIwosqxBVsbe3KxwhkmKPQ6wH/nvr6URX/IGUz2qWY
EqHdjsop83u4Rjn3C0u46U0P+W4U5IFiLfcE3RzFFYh67ko5YEhkyXP+tBNSgrTM
zFisVoQZdXpMCWWxBVWulB4FvvTx3jKUPRZVOrfexBfY4TA/PyhXLoz7FeEK9n2a
qFkrxy+GrHBXfSRZgCaHQFdKorg2fwwa
-----END CERTIFICATE-----
'')
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "1anfncdf5xsp219kryncv21ra87flpzcjwcc85hzvlwbxhid3g4x"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "035kkfizyl5dndj7rhvmy91rr75lakqbqgjx4dpiw0kqq369mz8r"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "14fpzx1qjs9ws9sz0y7pb6j40336xlckkqcm2rc5j86yn7r22lp7"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "1yjl3kyw4chc8vw7bnqac2h9vn8dxryw7lr7i03lqi9sdvs4108s"; })
];
programs.adb.enable = true;

64
lass/1systems/helios/physical.nix Normal file
View file

@ -0,0 +1,64 @@
{ pkgs, ... }:
{
imports = [
./config.nix
{ # automatic hardware detection
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ];
fileSystems."/" = {
device = "/dev/pool/root";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/1F60-17C6";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/pool/home";
fsType = "btrfs";
};
fileSystems."/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["nosuid" "nodev" "noatime"];
};
}
{ # crypto stuff
boot.initrd.luks = {
cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
devices = [{
name = "luksroot";
device = "/dev/nvme0n1p3";
}];
};
}
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.wireless.enable = true;
hardware.enableRedistributableFirmware = true;
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="f8:59:71:a9:05:65", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="54:e1:ad:4f:06:83", NAME="et0"
'';
services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.xrandrHeads = [
{ output = "DP-2"; primary = true; }
{ output = "DP-4"; monitorConfig = ''Option "Rotate" "left"''; }
{ output = "DP-0"; }
];
services.xserver.displayManager.sessionCommands = ''
${pkgs.xorg.xrandr}/bin/xrandr --output DP-6 --off --output DP-5 --off --output DP-4 --mode 2560x1440 --pos 3840x0 --rotate left --output DP-3 --off --output DP-2 --primary --mode 3840x2160 --scale 0.5x0.5 --pos 0x400 --rotate normal --output DP-1 --off --output DP-0 --mode 2560x1440 --pos 5280x1120 --rotate normal
'';
}

24
lass/1systems/icarus/config.nix
View file

@ -3,8 +3,6 @@
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/coreboot.nix>
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
@ -14,23 +12,21 @@
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/wine.nix>
];
krebs.build.host = config.krebs.hosts.icarus;
fileSystems = {
"/bku" = {
device = "/dev/mapper/pool-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
environment.systemPackages = with pkgs; [
macchanger
dpass
];
services.redshift = {
enable = true;
provider = "geoclue2";
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
'';
programs.adb.enable = true;
}

20
lass/1systems/icarus/physical.nix Normal file
View file

@ -0,0 +1,20 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/coreboot.nix>
];
fileSystems = {
"/bku" = {
device = "/dev/mapper/pool-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
'';
}

17
lass/1systems/littleT/config.nix
View file

@ -4,11 +4,9 @@ with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/steam.nix>
{
users.users.blacky = {
@ -68,17 +66,4 @@ with import <stockholm/lib>;
'';
krebs.build.host = config.krebs.hosts.littleT;
#fileSystems = {
# "/bku" = {
# device = "/dev/mapper/pool-bku";
# fsType = "btrfs";
# options = ["defaults" "noatime" "ssd" "compress=lzo"];
# };
#};
#services.udev.extraRules = ''
# SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0"
# SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0"
#'';
}

7
lass/1systems/littleT/physical.nix Normal file
View file

@ -0,0 +1,7 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
];
}

98
lass/1systems/mors/config.nix
View file

@ -4,8 +4,6 @@ with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
@ -33,10 +31,13 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ableton.nix>
<stockholm/lass/2configs/dunst.nix>
<stockholm/lass/2configs/rtl-sdr.nix>
<stockholm/lass/2configs/backup.nix>
{
#risk of rain port
krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain
{ predicate = "-p tcp --dport 11100"; target = "ACCEPT"; }
#chromecast
{ predicate = "-p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000"; target = "ACCEPT"; }
];
}
{
@ -85,43 +86,6 @@ with import <stockholm/lib>;
krebs.build.host = config.krebs.hosts.mors;
fileSystems = {
"/bku" = {
device = "/dev/mapper/pool-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home/virtual" = {
device = "/dev/mapper/pool-virtual";
fsType = "ext4";
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:e8:c8", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:8a:78", NAME="et0"
'';
#TODO activationScripts seem broken, fix them!
#activationScripts
#split up and move into base
system.activationScripts.powertopTunables = ''
#Runtime PMs
echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
'';
environment.systemPackages = with pkgs; [
acronym
brain
@ -140,7 +104,18 @@ with import <stockholm/lib>;
dpass
dnsutils
woeusb
l-gen-secrets
generate-secrets
(pkgs.writeDashBin "btc-coinbase" ''
${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount'
'')
(pkgs.writeDashBin "btc-wex" ''
${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg'
'')
(pkgs.writeDashBin "btc-kraken" ''
${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
'')
];
#TODO: fix this shit
@ -165,16 +140,43 @@ with import <stockholm/lib>;
OnCalendar = "00:37";
};
environment.shellAliases = {
deploy = pkgs.writeDash "deploy" ''
set -eu
export SYSTEM="$1"
$(nix-build $HOME/stockholm/lass/kops.nix --no-out-link --argstr name "$SYSTEM" -A deploy)
'';
};
nix.package = pkgs.nixUnstable;
programs.adb.enable = true;
users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
virtualisation.docker.enable = true;
services.redshift = {
enable = true;
provider = "geoclue2";
};
lass.restic = genAttrs [
"daedalus"
"icarus"
"littleT"
"prism"
"shodan"
"skynet"
] (dest: {
dirs = [
"/home/lass/src"
"/home/lass/work"
"/home/lass/.gnupg"
"/home/lass/Maildir"
"/home/lass/stockholm"
"/home/lass/.password-store"
"/home/bitcoin"
"/home/bch"
];
passwordFile = (toString <secrets>) + "/restic/${dest}";
repo = "sftp:backup@${dest}.r:/backups/mors";
#sshPrivateKey = config.krebs.build.host.ssh.privkey.path;
extraArguments = [
"sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
];
timerConfig = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
};
});
virtualisation.libvirtd.enable = true;
}

44
lass/1systems/mors/physical.nix Normal file
View file

@ -0,0 +1,44 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
];
fileSystems = {
"/bku" = {
device = "/dev/mapper/pool-bku";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/home/virtual" = {
device = "/dev/mapper/pool-virtual";
fsType = "ext4";
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:72:f4:88", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:c4:7a:f1", NAME="et0"
'';
#TODO activationScripts seem broken, fix them!
#activationScripts
#split up and move into base
system.activationScripts.powertopTunables = ''
#Runtime PMs
echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
'';
}

255
lass/1systems/prism/config.nix
View file

@ -1,86 +1,9 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
ip = config.krebs.build.host.nets.internet.ip4.addr;
in {
{
imports = [
<stockholm/lass>
{
networking.interfaces.et0.ip4 = [
{
address = ip;
prefixLength = 27;
}
];
networking.defaultGateway = "46.4.114.225";
networking.nameservers = [
"8.8.8.8"
];
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
'';
}
{
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
boot.loader.grub = {
devices = [
"/dev/sda"
"/dev/sdb"
];
splashImage = null;
};
boot.initrd.availableKernelModules = [
"ata_piix"
"vmw_pvscsi"
"ahci" "sd_mod"
];
boot.kernelModules = [ "kvm-intel" ];
fileSystems."/" = {
device = "/dev/pool/nix_root";
fsType = "ext4";
};
fileSystems."/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["nosuid" "nodev" "noatime"];
};
fileSystems."/var/download" = {
device = "/dev/pool/download";
fsType = "ext4";
};
fileSystems."/srv/http" = {
device = "/dev/pool/http";
fsType = "ext4";
};
fileSystems."/home" = {
device = "/dev/pool/home";
fsType = "ext4";
};
fileSystems."/bku" = {
device = "/dev/pool/bku";
fsType = "ext4";
};
swapDevices = [
{ label = "swap1"; }
{ label = "swap2"; }
];
sound.enable = false;
nixpkgs.config.allowUnfree = true;
time.timeZone = "Europe/Berlin";
}
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/libvirt.nix>
{
@ -100,6 +23,7 @@ in {
];
}
{ # TODO make new hfos.nix out of this vv
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users.riot = {
uid = genid "riot";
isNormalUser = true;
@ -110,29 +34,13 @@ in {
};
# TODO write function for proxy_pass (ssl/nonssl)
services.nginx.virtualHosts."hackerfleet.de" = {
serverAliases = [
"*.hackerfleet.de"
];
locations."/".extraConfig = ''
proxy_pass http://192.168.122.92:80;
'';
};
services.nginx.virtualHosts."hackerfleet.de-s" = {
serverName = "hackerfleet.de";
listen = [
{
addr = "0.0.0.0";
port = 443;
}
];
serverAliases = [
"*.hackerfleet.de"
];
locations."/".extraConfig = ''
proxy_pass http://192.168.122.92:443;
'';
};
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; }
];
}
{
users.users.tv = {
@ -201,26 +109,6 @@ in {
localAddress = "10.233.2.2";
};
}
{
#kaepsele
systemd.services."container@kaepsele".reloadIfChanged = mkForce false;
containers.kaepsele = {
config = { ... }: {
imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
tv.pubkey
];
};
autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.3";
localAddress = "10.233.2.4";
};
}
{
#onondaga
systemd.services."container@onondaga".reloadIfChanged = mkForce false;
@ -243,19 +131,17 @@ in {
}
<stockholm/lass/2configs/exim-smarthost.nix>
<stockholm/lass/2configs/ts3.nix>
<stockholm/lass/2configs/IM.nix>
<stockholm/lass/2configs/privoxy-retiolum.nix>
<stockholm/lass/2configs/radio.nix>
<stockholm/lass/2configs/repo-sync.nix>
<stockholm/lass/2configs/binary-cache/server.nix>
<stockholm/lass/2configs/iodined.nix>
<stockholm/lass/2configs/monitoring/server.nix>
<stockholm/lass/2configs/monitoring/monit-alarms.nix>
<stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/monitoring/prometheus-server.nix>
{ # quasi bepasty.nix
imports = [
<stockholm/lass/2configs/bepasty.nix>
@ -289,7 +175,6 @@ in {
alias /var/realwallpaper/realwallpaper.png;
'';
}
<stockholm/krebs/2configs/reaktor-krebs.nix>
<stockholm/lass/2configs/dcso-dev.nix>
{
users.users.jeschli = {
@ -336,6 +221,126 @@ in {
{ predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
];
}
<stockholm/lass/2configs/go.nix>
{
environment.systemPackages = [ pkgs.cryptsetup ];
systemd.services."container@red".reloadIfChanged = mkForce false;
containers.red = {
config = { ... }: {
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.3";
localAddress = "10.233.2.4";
};
services.nginx.virtualHosts."rote-allez-fraktion.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
extraConfig = ''
proxy_set_header Host rote-allez-fraktion.de;
proxy_pass http://10.233.2.4;
'';
};
};
}
{
imports = [ <stockholm/lass/2configs/backup.nix> ];
lass.restic = genAttrs [
"daedalus"
"icarus"
"littleT"
"mors"
"shodan"
"skynet"
] (dest: {
dirs = [
"/home/chat/.weechat"
"/bku/sql_dumps"
];
passwordFile = (toString <secrets>) + "/restic/${dest}";
repo = "sftp:backup@${dest}.r:/backups/prism";
extraArguments = [
"sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
];
timerConfig = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
};
});
}
{
users.users.download.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos"
];
}
{
lass.nichtparasoup.enable = true;
services.nginx = {
enable = true;
virtualHosts."lol.lassul.us" = {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:5001;
'';
};
};
}
{ #weechat port forwarding to blue
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 9998"; target = "ACCEPT";}
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.prism.nets.internet.ip4.addr} -p tcp --dport 9998"; target = "DNAT --to-destination ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}:9999"; }
];
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-s ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "MASQUERADE"; }
];
}
{
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.1.1/24" ];
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key";
allowedIPsAsRoutes = true;
peers = [
{
# lass-android
allowedIPs = [ "10.244.1.2/32" ];
publicKey = "63+ns9AGv6e6a8WgxiZNFEt1xQT0YKFlEHzRaYJWtmk=";
}
];
};
}
{
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
];
}
];
krebs.build.host = config.krebs.hosts.prism;

85
lass/1systems/prism/physical.nix Normal file
View file

@ -0,0 +1,85 @@
{ config, lib, pkgs, ... }:
{
imports = [
./config.nix
{
networking.interfaces.et0.ipv4.addresses = [
{
address = config.krebs.build.host.nets.internet.ip4.addr;
prefixLength = 27;
}
{
address = "46.4.114.243";
prefixLength = 27;
}
];
networking.defaultGateway = "46.4.114.225";
networking.nameservers = [
"8.8.8.8"
];
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
'';
}
{
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
boot.loader.grub = {
devices = [
"/dev/sda"
"/dev/sdb"
];
splashImage = null;
};
boot.initrd.availableKernelModules = [
"ata_piix"
"vmw_pvscsi"
"ahci" "sd_mod"
];
boot.kernelModules = [ "kvm-intel" ];
fileSystems."/" = {
device = "/dev/pool/nix_root";
fsType = "ext4";
};
fileSystems."/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["nosuid" "nodev" "noatime"];
};
fileSystems."/var/download" = {
device = "/dev/pool/download";
fsType = "ext4";
};
fileSystems."/srv/http" = {
device = "/dev/pool/http";
fsType = "ext4";
};
fileSystems."/home" = {
device = "/dev/pool/home";
fsType = "ext4";
};
fileSystems."/bku" = {
device = "/dev/pool/bku";
fsType = "ext4";
};
swapDevices = [
{ label = "swap1"; }
{ label = "swap2"; }
];
sound.enable = false;
nixpkgs.config.allowUnfree = true;
time.timeZone = "Europe/Berlin";
}
];
}

28
lass/1systems/red/config.nix Normal file
View file

@ -0,0 +1,28 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
let
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
servephpBB
;
in
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/websites>
<stockholm/lass/2configs/websites/sqlBackup.nix>
(servephpBB [ "rote-allez-fraktion.de" ])
];
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
];
krebs.build.host = config.krebs.hosts.red;
services.nginx.enable = true;
environment.systemPackages = [
pkgs.mk_sql_pair
];
}

8
lass/1systems/red/physical.nix Normal file
View file

@ -0,0 +1,8 @@
{
imports = [
./config.nix
];
boot.isContainer = true;
networking.useDHCP = false;
environment.variables.NIX_REMOTE = "daemon";
}

3
lass/1systems/echelon/source.nix → lass/1systems/red/source.nix
View file

@ -1,3 +1,4 @@
import <stockholm/lass/source.nix> {
name = "echelon";
name = "red";
secure = true;
}

44
lass/1systems/shodan/config.nix
View file

@ -4,8 +4,6 @@ with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
#TODO reinstall with correct layout and use lass/hw/x220
<stockholm/krebs/2configs/hw/x220.nix>
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
@ -15,53 +13,13 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>
];
krebs.build.host = config.krebs.hosts.shodan;
boot = {
loader.grub.enable = true;
loader.grub.version = 2;
loader.grub.device = "/dev/sda";
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
#kernelModules = [ "kvm-intel" "msr" ];
};
fileSystems = {
"/" = {
device = "/dev/pool/nix";
fsType = "btrfs";
};
"/boot" = {
device = "/dev/sda1";
};
"/home" = {
device = "/dev/mapper/pool-home";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["nosuid" "nodev" "noatime"];
};
"/bku" = {
device = "/dev/pool/bku";
fsType = "btrfs";
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
'';
services.logind.extraConfig = ''
HandleLidSwitch=ignore
'';

47
lass/1systems/shodan/physical.nix Normal file
View file

@ -0,0 +1,47 @@
{
#TODO reinstall with correct layout and use lass/hw/x220
imports = [
./config.nix
<stockholm/krebs/2configs/hw/x220.nix>
];
boot = {
loader.grub.enable = true;
loader.grub.version = 2;
loader.grub.device = "/dev/sda";
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
#kernelModules = [ "kvm-intel" "msr" ];
};
fileSystems = {
"/" = {
device = "/dev/pool/nix";
fsType = "btrfs";
};
"/boot" = {
device = "/dev/sda1";
};
"/home" = {
device = "/dev/mapper/pool-home";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
};
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["nosuid" "nodev" "noatime"];
};
"/bku" = {
device = "/dev/pool/bku";
fsType = "btrfs";
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0"
'';
}

16
lass/1systems/skynet/config.nix
View file

@ -3,13 +3,10 @@ with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
<stockholm/lass/2configs/retiolum.nix>
#<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
{
# discordius config
services.xserver.enable = true;
@ -47,17 +44,4 @@ with import <stockholm/lib>;
services.logind.extraConfig = ''
HandleLidSwitch=ignore
'';
#fileSystems = {
# "/bku" = {
# device = "/dev/mapper/pool-bku";
# fsType = "btrfs";
# options = ["defaults" "noatime" "ssd" "compress=lzo"];
# };
#};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0"
'';
}

12
lass/1systems/skynet/physical.nix Normal file
View file

@ -0,0 +1,12 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
];
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0"
'';
}

55
lass/1systems/uriel/config.nix
View file

@ -41,60 +41,5 @@ with import <stockholm/lib>;
];
krebs.build.host = config.krebs.hosts.uriel;
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
boot = {
#kernelParams = [
# "acpi.brightness_switch_enabled=0"
#];
#loader.grub.enable = true;
#loader.grub.version = 2;
#loader.grub.device = "/dev/sda";
loader.systemd-boot.enable = true;
loader.timeout = 5;
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
#kernelModules = [ "kvm-intel" "msr" ];
kernelModules = [ "msr" ];
};
fileSystems = {
"/" = {
device = "/dev/pool/root";
fsType = "ext4";
};
"/bku" = {
device = "/dev/pool/bku";
fsType = "ext4";
};
"/boot" = {
device = "/dev/sda1";
};
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["nosuid" "nodev" "noatime"];
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0"
'';
services.xserver.synaptics = {
enable = true;
twoFingerScroll = true;
accelFactor = "0.035";
additionalOptions = ''
Option "FingerHigh" "60"
Option "FingerLow" "60"
'';
};
}

59
lass/1systems/uriel/physical.nix Normal file
View file

@ -0,0 +1,59 @@
{
imports = [
./config.nix
];
hardware.enableAllFirmware = true;
boot = {
#kernelParams = [
# "acpi.brightness_switch_enabled=0"
#];
#loader.grub.enable = true;
#loader.grub.version = 2;
#loader.grub.device = "/dev/sda";
loader.systemd-boot.enable = true;
loader.timeout = 5;
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
#kernelModules = [ "kvm-intel" "msr" ];
kernelModules = [ "msr" ];
};
fileSystems = {
"/" = {
device = "/dev/pool/root";
fsType = "ext4";
};
"/bku" = {
device = "/dev/pool/bku";
fsType = "ext4";
};
"/boot" = {
device = "/dev/sda1";
};
"/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = ["nosuid" "nodev" "noatime"];
};
};
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0"
SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0"
'';
services.xserver.synaptics = {
enable = true;
twoFingerScroll = true;
accelFactor = "0.035";
additionalOptions = ''
Option "FingerHigh" "60"
Option "FingerLow" "60"
'';
};
}

24
lass/1systems/xerxes/config.nix
View file

@ -3,8 +3,6 @@
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/hw/gpd-pocket.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
@ -15,26 +13,4 @@
];
krebs.build.host = config.krebs.hosts.xerxes;
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0"
'';
fileSystems."/" = {
device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/16C8-D053";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358";
fsType = "btrfs";
};
boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ];
networking.wireless.enable = true;
}

29
lass/1systems/xerxes/physical.nix Normal file
View file

@ -0,0 +1,29 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/gpd-pocket.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
];
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0"
'';
fileSystems."/" = {
device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/16C8-D053";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358";
fsType = "btrfs";
};
boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ];
networking.wireless.enable = true;
}

6
lass/1systems/xerxes/source.nix
View file

@ -2,10 +2,4 @@ with import <stockholm/lib>;
import <stockholm/lass/source.nix> {
name = "xerxes";
secure = true;
override = {
nixpkgs.git = mkForce {
url = https://github.com/lassulus/nixpkgs;
ref = "3eccd0b";
};
};
}

83
lass/2configs/AP.nix Normal file
View file

@ -0,0 +1,83 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
let
wifi = "wlp0s29u1u2";
in {
boot.extraModulePackages = [
pkgs.linuxPackages.rtl8814au
];
networking.networkmanager.unmanaged = [ wifi "et0" ];
systemd.services.hostapd = {
description = "hostapd wireless AP";
path = [ pkgs.hostapd ];
wantedBy = [ "network.target" ];
after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ];
serviceConfig = {
ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" ''
interface=${wifi}
hw_mode=a
channel=36
ieee80211d=1
country_code=DE
ieee80211n=1
ieee80211ac=1
wmm_enabled=1
# 5ghz
ssid=krebsing
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=aidsballz
''}";
Restart = "always";
};
};
networking.bridges.br0.interfaces = [
wifi
"et0"
];
networking.interfaces.br0.ipv4.addresses = [
{ address = "10.99.0.1"; prefixLength = 24; }
];
services.dhcpd4 = {
enable = true;
interfaces = [ "br0" ];
extraConfig = ''
option subnet-mask 255.255.255.0;
option routers 10.99.0.1;
option domain-name-servers 1.1.1.1, 8.8.8.8;
subnet 10.99.0.0 netmask 255.255.255.0 {
range 10.99.0.100 10.99.0.200;
}
'';
};
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; predicate = "-d 10.99.0.0/24 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 -i br0"; target = "ACCEPT"; }
{ v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
{ v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; }
{ v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
#TODO find out what this is about?
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
];
}

73
lass/2configs/IM.nix
View file

@ -1,73 +0,0 @@
with (import <stockholm/lib>);
{ config, lib, pkgs, ... }:
let
tmux = pkgs.writeDash "tmux" ''
exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
set-option -g prefix `
unbind-key C-b
bind ` send-prefix
set-option -g status off
set-option -g default-terminal screen-256color
#use session instead of windows
bind-key c new-session
bind-key p switch-client -p
bind-key n switch-client -n
bind-key C-s switch-client -l
''} "$@"
'';
in {
services.bitlbee = {
enable = true;
portNumber = 6666;
plugins = [
pkgs.bitlbee-facebook
pkgs.bitlbee-steam
pkgs.bitlbee-discord
];
libpurple_plugins = [ pkgs.telegram-purple ];
};
users.extraUsers.chat = {
home = "/home/chat";
uid = genid "chat";
useDefaultShell = true;
createHome = true;
openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
lass-shodan.pubkey
lass-icarus.pubkey
lass-android.pubkey
lass-helios.pubkey
];
};
# mosh
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
{ predicate = "-p tcp --dport 9999"; target = "ACCEPT";}
];
systemd.services.chat = {
description = "chat environment setup";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = false;
path = [
pkgs.rxvt_unicode.terminfo
];
serviceConfig = {
User = "chat";
RemainAfterExit = true;
Type = "oneshot";
ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat";
ExecStop = "${tmux} kill-session -t IM";
};
};
}

21
lass/2configs/backup.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, lib, ... }:
with import <stockholm/lib>;
{
fileSystems = {
"/backups" = {
device = "/dev/pool/backup";
fsType = "ext4";
};
};
users.users.backup = {
useDefaultShell = true;
home = "/backups";
createHome = true;
openssh.authorizedKeys.keys = with config.krebs.hosts; [
mors.ssh.pubkey
prism.ssh.pubkey
blue.ssh.pubkey
];
};
}

173
lass/2configs/backups.nix
View file

@ -1,173 +0,0 @@
{ config, lib, ... }:
with import <stockholm/lib>;
{
# TODO add timerConfig to krebs.backup and randomize startup
# TODO define plans more abstract
krebs.backup.plans = {
} // mapAttrs (_: recursiveUpdate {
snapshots = {
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
}) {
dishfire-http-prism = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; };
startAt = "03:00";
};
dishfire-http-icarus = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-http"; };
startAt = "03:10";
};
dishfire-http-mors = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
startAt = "03:05";
};
dishfire-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; };
startAt = "03:10";
};
dishfire-sql-prism = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; };
startAt = "03:15";
};
dishfire-sql-icarus = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-sql"; };
startAt = "03:25";
};
dishfire-sql-mors = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
startAt = "03:20";
};
dishfire-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; };
startAt = "03:25";
};
prism-bitlbee-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-bitlbee-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-bitlbee-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-chat-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-chat"; };
startAt = "03:35";
};
prism-chat-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
startAt = "03:30";
};
prism-chat-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; };
startAt = "03:35";
};
prism-sql-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-sql_dumps"; };
startAt = "03:45";
};
prism-sql-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
startAt = "03:40";
};
prism-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; };
startAt = "03:45";
};
prism-http-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-http"; };
startAt = "03:55";
};
prism-http-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
startAt = "03:50";
};
prism-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; };
startAt = "03:55";
};
icarus-home-mors = {
method = "pull";
src = { host = config.krebs.hosts.icarus; path = "/home"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/icarus-home"; };
startAt = "05:00";
};
icarus-home-shodan = {
method = "push";
src = { host = config.krebs.hosts.icarus; path = "/home"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/icarus-home"; };
startAt = "05:00";
};
mors-home-icarus = {
method = "push";
src = { host = config.krebs.hosts.mors; path = "/home"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/mors-home"; };
startAt = "05:00";
};
mors-home-shodan = {
method = "push";
src = { host = config.krebs.hosts.mors; path = "/home"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; };
startAt = "05:00";
};
shodan-home-icarus = {
method = "pull";
src = { host = config.krebs.hosts.shodan; path = "/home"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/shodan-home"; };
startAt = "04:00";
};
shodan-home-mors = {
method = "pull";
src = { host = config.krebs.hosts.shodan; path = "/home"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; };
startAt = "04:00";
};
};
}

13
lass/2configs/baseX.nix
View file

@ -9,7 +9,6 @@ in {
./power-action.nix
./copyq.nix
./livestream.nix
./dns-stuff.nix
./urxvt.nix
./network-manager.nix
{
@ -69,12 +68,15 @@ in {
environment.systemPackages = with pkgs; [
acpi
ag
bank
cabal2nix
dic
dmenu
gi
git-preview
gitAndTools.qgit
git-preview
gnome3.dconf
lm_sensors
mpv-poll
much
@ -87,19 +89,18 @@ in {
rxvt_unicode_with-plugins
slock
sxiv
timewarrior
taskwarrior
termite
thesauron
timewarrior
xclip
xephyrify
xorg.xbacklight
xorg.xhost
xsel
youtube-tools
yt-next
zathura
cabal2nix
xephyrify
];
fonts.fonts = with pkgs; [

10
lass/2configs/bitcoin.nix
View file

@ -10,9 +10,6 @@ in {
krebs.per-user.bitcoin.packages = [
pkgs.electrum
];
krebs.per-user.ethereum.packages = [
pkgs.go-ethereum
];
users.extraUsers = {
bch = {
name = "bch";
@ -28,13 +25,6 @@ in {
useDefaultShell = true;
createHome = true;
};
ethereum = {
name = "ethereum";
description = "user for ethereum stuff";
home = "/home/ethereum";
useDefaultShell = true;
createHome = true;
};
};
security.sudo.extraConfig = ''
${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL

15
lass/2configs/bitlbee.nix Normal file
View file

@ -0,0 +1,15 @@
with (import <stockholm/lib>);
{ config, lib, pkgs, ... }:
{
services.bitlbee = {
enable = true;
portNumber = 6666;
plugins = [
pkgs.bitlbee-facebook
pkgs.bitlbee-steam
pkgs.bitlbee-discord
];
libpurple_plugins = [ pkgs.telegram-purple ];
};
}

22
lass/2configs/blue-host.nix Normal file
View file

@ -0,0 +1,22 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
<stockholm/lass/2configs/container-networking.nix>
];
containers.blue = {
config = { ... }: {
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.9";
localAddress = "10.233.2.10";
};
}

60
lass/2configs/blue.nix Normal file
View file

@ -0,0 +1,60 @@
with (import <stockholm/lib>);
{ config, lib, pkgs, ... }:
{
imports = [
./bitlbee.nix
./mail.nix
./pass.nix
];
environment.systemPackages = with pkgs; [
ag
nmap
];
services.tor.enable = true;
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
{ predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";}
];
systemd.services.chat = let
tmux = pkgs.writeDash "tmux" ''
exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" ''
set-option -g prefix `
unbind-key C-b
bind ` send-prefix
set-option -g status off
set-option -g default-terminal screen-256color
#use session instead of windows
bind-key c new-session
bind-key p switch-client -p
bind-key n switch-client -n
bind-key C-s switch-client -l
''} "$@"
'';
in {
description = "chat environment setup";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = false;
path = [
pkgs.rxvt_unicode.terminfo
];
serviceConfig = {
User = "lass";
RemainAfterExit = true;
Type = "oneshot";
ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat";
ExecStop = "${tmux} kill-session -t IM";
};
};
}

15
lass/2configs/container-networking.nix
View file

@ -1,12 +1,6 @@
{ ... }:
{ lib, ... }:
{
#krebs.iptables.tables.filter.INPUT.rules = [
# { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 53"; target = "ACCEPT"; }
# { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 53"; target = "ACCEPT"; }
# { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 67"; target = "ACCEPT"; }
# { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 67"; target = "ACCEPT"; }
#];
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; predicate = "-d 10.233.2.0/24 -o ve-+ -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 -i ve-+"; target = "ACCEPT"; }
@ -14,9 +8,9 @@
{ v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
#krebs.iptables.tables.filter.OUTPUT.rules = [
# { v6 = false; predicate = "-o ve-+ -p udp -m udp --dport 68"; target = "ACCEPT"; }
#];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 255.255.255.255"; target = "RETURN"; }
@ -24,4 +18,5 @@
{ v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
{ v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
];
boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1;
}

1
lass/2configs/dcso-dev.nix
View file

@ -9,6 +9,7 @@ in {
dev = {
name = "dev";
uid = genid "dev";
extraGroups = [ "docker" ];
description = "user for collaborative development";
home = "/home/dev";
useDefaultShell = true;

Some files were not shown because too many files have changed in this diff Show more