diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 605ed28b5..d539d4166 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -20,6 +20,7 @@ let
./github-hosts-sync.nix
./git.nix
./go.nix
+ ./hidden-ssh.nix
./htgen.nix
./iptables.nix
./kapacitor.nix
diff --git a/krebs/3modules/hidden-ssh.nix b/krebs/3modules/hidden-ssh.nix
new file mode 100644
index 000000000..3930dbf42
--- /dev/null
+++ b/krebs/3modules/hidden-ssh.nix
@@ -0,0 +1,53 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+let
+ cfg = config.krebs.hidden-ssh;
+
+ out = {
+ options.krebs.hidden-ssh = api;
+ config = lib.mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "hidden SSH announce";
+ };
+
+ imp = let
+ torDirectory = "/var/lib/tor"; # from tor.nix
+ hiddenServiceDir = torDirectory + "/ssh-announce-service";
+ in {
+ services.tor = {
+ enable = true;
+ extraConfig = ''
+ HiddenServiceDir ${hiddenServiceDir}
+ HiddenServicePort 22 127.0.0.1:22
+ '';
+ client.enable = true;
+ };
+ systemd.services.hidden-ssh-announce = {
+ description = "irc announce hidden ssh";
+ after = [ "tor.service" "network-online.target" ];
+ wants = [ "tor.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ # ${pkgs.tor}/bin/torify
+ ExecStart = pkgs.writeDash "irc-announce-ssh" ''
+ set -efu
+ until test -e ${hiddenServiceDir}/hostname; do
+ echo "still waiting for ${hiddenServiceDir}/hostname"
+ sleep 1
+ done
+ ${pkgs.irc-announce}/bin/irc-announce \
+ irc.freenode.org 6667 ${config.krebs.build.host.name}-ssh \
+ \#krebs-announce \
+ "SSH Hidden Service at $(cat ${hiddenServiceDir}/hostname)"
+ '';
+ PrivateTmp = "true";
+ User = "tor";
+ Type = "oneshot";
+ };
+ };
+ };
+in
+out
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix
index 56df451b7..cef6a4fd6 100644
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@@ -33,7 +33,7 @@ with import <stockholm/lib>;
nets = {
retiolum = {
ip4.addr = "10.243.113.98";
- ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096";
+ # ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096";
aliases = [
"fileleech.r"
];
@@ -247,7 +247,6 @@ with import <stockholm/lib>;
"krebsco.de" = ''
euer IN MX 1 aspmx.l.google.com.
nixos.unstable IN CNAME krebscode.github.io.
- pigstarter IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr}
boot IN A ${nets.internet.ip4.addr}
'';
@@ -301,7 +300,7 @@ with import <stockholm/lib>;
ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad";
aliases = [
"wry.r"
- "graphs.wry.r"
+ "graph.wry.r"
"paste.wry.r"
];
tinc.pubkey = ''
@@ -436,12 +435,13 @@ with import <stockholm/lib>;
mattermost.euer IN A ${nets.internet.ip4.addr}
git.euer IN A ${nets.internet.ip4.addr}
gum IN A ${nets.internet.ip4.addr}
+ pigstarter IN A ${nets.internet.ip4.addr}
cgit.euer IN A ${nets.internet.ip4.addr}
o.euer IN A ${nets.internet.ip4.addr}
dl.euer IN A ${nets.internet.ip4.addr}
euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
- graphs IN A ${nets.internet.ip4.addr}
+ graph IN A ${nets.internet.ip4.addr}
'';
};
nets = rec {
@@ -461,7 +461,7 @@ with import <stockholm/lib>;
"o.gum.r"
"tracker.makefu.r"
- "graphs.r"
+ "graph.r"
"wiki.makefu.r"
"wiki.gum.r"
"blog.makefu.r"
@@ -491,7 +491,7 @@ with import <stockholm/lib>;
ip4.prefix = "10.8.10.0/24";
aliases = [
"shoney.siem"
- "graphs.siem"
+ "graph.siem"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index f9eae8c92..044811c7d 100644
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@@ -32,9 +32,9 @@ let
default = "http://xplanetclouds.com/free/local/clouds_2048.jpg";
};
- outFile = mkOption {
+ marker = mkOption {
type = types.str;
- default = "/tmp/wallpaper.png";
+ default = "http://graph.r/marker.json";
};
timerConfig = mkOption {
@@ -43,7 +43,6 @@ let
OnCalendar = "*:0/15";
};
};
-
};
imp = {
@@ -63,6 +62,7 @@ let
imagemagick
curl
file
+ jq
];
environment = {
@@ -70,7 +70,7 @@ let
nightmap_url = cfg.nightmap;
daymap_url = cfg.daymap;
cloudmap_url = cfg.cloudmap;
- out_file = cfg.outFile;
+ marker_url = cfg.marker;
};
restartIfChanged = true;
diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix
index 5e4935e3a..17179a39f 100644
--- a/krebs/3modules/shared/default.nix
+++ b/krebs/3modules/shared/default.nix
@@ -47,6 +47,7 @@ in {
ip6.addr = "42:0:0:0:0:0:77:1";
aliases = [
"wolf.r"
+ "build.wolf.r"
"cgit.wolf.r"
];
tinc.pubkey = ''
diff --git a/krebs/5pkgs/irc-announce/default.nix b/krebs/5pkgs/irc-announce/default.nix
index e1f4919d5..6eb725b71 100644
--- a/krebs/5pkgs/irc-announce/default.nix
+++ b/krebs/5pkgs/irc-announce/default.nix
@@ -24,7 +24,7 @@ pkgs.writeDashBin "irc-announce" ''
# echo2 and cat2 are used output to both, stdout and stderr
# This is used to see what we send to the irc server. (debug output)
echo2() { echo "$*"; echo "$*" >&2; }
- cat2() { tee /dev/stderr; }
+ cat2() { awk '{print;print > "/dev/stderr"}'; }
# privmsg_cat transforms stdin to a privmsg
privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
diff --git a/krebs/5pkgs/krebspaste/default.nix b/krebs/5pkgs/krebspaste/default.nix
index 8c6676d0e..31ad12780 100644
--- a/krebs/5pkgs/krebspaste/default.nix
+++ b/krebs/5pkgs/krebspaste/default.nix
@@ -2,5 +2,5 @@
# TODO use `execve` instead?
writeDashBin "krebspaste" ''
- exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@"
+ exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | sed '$ s/$/\/+inline/g'
''
diff --git a/krebs/5pkgs/realwallpaper/default.nix b/krebs/5pkgs/realwallpaper/default.nix
index 4fea977ec..dec2dada4 100644
--- a/krebs/5pkgs/realwallpaper/default.nix
+++ b/krebs/5pkgs/realwallpaper/default.nix
@@ -5,8 +5,8 @@ stdenv.mkDerivation {
src = fetchgit {
url = https://github.com/Lassulus/realwallpaper;
- rev = "c2778c3c235fc32edc8115d533a0d0853ab101c5";
- sha256 = "0yhbjz19zk8sj5dsvccm6skkqq2vardn1yi70qmd5li7qvp17mvs";
+ rev = "b8408cfb295b6ce5b965309b30358ca6c6409efd";
+ sha256 = "0yyl8hhqshw9bx04xs8glvir3c0qzvfrwzmbvyg318mnz5xalcl0";
};
phases = [
@@ -15,10 +15,6 @@ stdenv.mkDerivation {
];
buildInputs = [
- xplanet
- imagemagick
- curl
- file
];
installPhase = ''
diff --git a/krebs/5pkgs/tinc_graphs/default.nix b/krebs/5pkgs/tinc_graphs/default.nix
index e5f1e40e8..20bbc53ba 100644
--- a/krebs/5pkgs/tinc_graphs/default.nix
+++ b/krebs/5pkgs/tinc_graphs/default.nix
@@ -2,14 +2,14 @@
python3Packages.buildPythonPackage rec {
name = "tinc_graphs-${version}";
- version = "0.3.9";
+ version = "0.3.10";
propagatedBuildInputs = with pkgs;[
python3Packages.pygeoip
## ${geolite-legacy}/share/GeoIP/GeoIPCity.dat
];
src = fetchurl {
- url = "https://pypi.python.org/packages/source/t/tinc_graphs/tinc_graphs-${version}.tar.gz";
- sha256 = "0hjmkiclvyjb3707285x4b8mk5aqjcvh383hvkad1h7p1n61qrfx";
+ url = "mirror://pypi/t/tinc_graphs/${name}.tar.gz";
+ sha256 = "0f4cvb9424fhfmc0hbzmynzh9528fyhx00ayq1nbpgd1p89yw7mc";
};
preFixup = with pkgs;''
wrapProgram $out/bin/build-graphs --prefix PATH : "$out/bin"
diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index 9dfbf7cb8..99399550c 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -11,11 +11,34 @@ with import <stockholm/lib>;
../2configs/mc.nix
../2configs/nixpkgs.nix
../2configs/vim.nix
+ {
+ # /dev/stderr doesn't work. I don't know why
+ # /proc/self doesn't seem to work correctly
+ # /dev/pts is empty except for 1 file
+ # my life sucks
+ nixpkgs.config.packageOverrides = super: {
+ irc-announce = super.callPackage <stockholm/krebs/5pkgs/irc-announce> {
+ pkgs = pkgs // { coreutils = pkgs.concat "coreutils-hack" [
+ pkgs.coreutils
+ (pkgs.writeDashBin "tee" ''
+ if test "$1" = /dev/stderr; then
+ while read -r line; do
+ echo "$line"
+ echo "$line" >&2
+ done
+ else
+ ${super.coreutils}/bin/tee "$@"
+ fi
+ '')
+ ];};
+ };
+ };
+ boot.kernelParams = [ "copytoram" ];
+ }
{
krebs.enable = true;
krebs.build.user = config.krebs.users.lass;
krebs.build.host = config.krebs.hosts.iso;
- krebs.build.source.nixos-config.symlink = "stockholm/lass/1systems/${config.krebs.buil.host.name}.nix";
}
{
nixpkgs.config.allowUnfree = true;
@@ -122,18 +145,12 @@ with import <stockholm/lib>;
{ bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
};
+ systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ];
}
{
krebs.iptables = {
enable = true;
tables = {
- nat.PREROUTING.rules = [
- { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
- { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
- ];
- nat.OUTPUT.rules = [
- { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
- ];
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
@@ -148,5 +165,8 @@ with import <stockholm/lib>;
};
};
}
+ {
+ krebs.hidden-ssh.enable = true;
+ }
];
}
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index c196b391a..c8d9465d5 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -25,6 +25,7 @@ with import <stockholm/lib>;
../2configs/repo-sync.nix
../2configs/ircd.nix
../2configs/logf.nix
+ ../2configs/syncthing.nix
{
#risk of rain port
krebs.iptables.tables.filter.INPUT.rules = [
@@ -76,10 +77,6 @@ with import <stockholm/lib>;
{
services.redis.enable = true;
}
- {
- #ipfs-testing
- services.ipfs.enable = true;
- }
{
environment.systemPackages = [
pkgs.krebszones
@@ -89,6 +86,12 @@ with import <stockholm/lib>;
#ps vita stuff
boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
}
+ {
+ services.tor = {
+ enable = true;
+ client.enable = true;
+ };
+ }
];
krebs.build.host = config.krebs.hosts.mors;
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index e5cbacfc8..41a909f16 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -46,6 +46,7 @@ in {
../2configs/monitoring/server.nix
../2configs/monitoring/monit-alarms.nix
../2configs/paste.nix
+ ../2configs/syncthing.nix
{
imports = [
../2configs/bepasty.nix
@@ -158,7 +159,7 @@ in {
}
{
users.users.chat.openssh.authorizedKeys.keys = [
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCkmIvB8BekIE2W24+I0gnzkvkEoeulz/zQkDUVJK4oScbIvgTYmcHzQuHJyPueTm67bJCOcYaTwEDNhcR/ZvcyiCQ7Jwa5cLDTkCkcR9LQq8ry5jMNEanvTgrnBIEcwfS7jFpyFb/PRVG6hh2bPOfP+ksFplkq1BTzKt/UTaCBwVEZqi5XuFIlq/MqJg+FIjh+wyeNR5jHtqgAhVjR+YLVNXLgtVPE+dlSfbyRQHuA9FTkUj8BxxnTdwM5Sx33S61ddik1XvRn++IYqFl68fZhzyTME7t/Mvjdz8J7ew2bF2IbJrXt37yQCAOEEp9/RC5OloA7dd/5ZJjZxSzT2HnYROILsYr3S0WV4e+H2G66ZN0ftdUCYh1o5rtY7IrSes6yHsKYbpoij1IAkRkyt2XgEH5EZCk1Omx8AY3ekW1KFIEhz2DZEfnCEjPf4AGCYZ0uy4XEztxzTDkh25TVs/tym1+96qCJ1yAxwWZDbVhS/Z6aSBpsyeDRKcak8qoWVC2dEPdYuTUmwvmo3pmGn/a4UfOLNJTn0jSRjy3kSv1hYzosN4NSYZqEylFB0ABnlqoLpX3tmWtrkiKv19S+djVGxbaaYm3hjPJfds3qCWTJWPvxPPeCE8wGXVLYqOQxa5ZPYeoTwRof5YNSbj5RFYy9sDLTlHl+U4ASTHZM5S3akQ== JuiceSSH"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDjesiOnhpT9XgWZqw/64M5lVQg3q0k22BtMyCv+33sGX8VmfTyD11GuwSjNGf5WiswKLqFvYBQsHfDDtS3k0ZNTDncGw3Pbilm6QoCuHEyDPaQYin0P+JmkocrL/6QF5uhZVFnsXCH5wntwOa00VFGwpMgQYSfRlReRx42Pu9Jk+iJduZMRBbOMvJI68Z7iJ4DgW/1U9J4MQdCsk7QlFgUstQQfV1zk4VfVfXuxDP3hjx6Q05nDChjpmzJbFunzb7aiy/1/Sl0QhROTpvxrQLksg7yYLw4BRs9ptjehX45A2Sxi8WKOb/g5u3xJNy0X07rE+N+o5v2hS7wF0DLQdK5+4TGtO+Y+ABUCqqA+T1ynAjNBWvsgY5uD4PZjuPgCMSw0JBmIy/P0THi3v5/8Cohvfnspl7Jpf80qENMu3unvvE9EePzgSRZY1PvDjPQfkWy0yBX1yQMhHuVGke9QgaletitwuahRujml37waeUuOl8Rpz+2iV+6OIS4tfO368uLFHKWbobXTbTDXODBgxZ/IyvO7vxM2uDX/kIWaeYKrip3nSyWBYnixwrcS4vm6ZQcoejwp2KCfGQwIE4MnGYRlwcOEYjvyjLkZHDiZEivUQ0rThMYBzec8bQ08QW8oxF+NXkFKG3awt3f7TKTRkYqQcOMpFKmV24KDiwgwm0miQ== JuiceSSH"
];
}
{
@@ -194,7 +195,7 @@ in {
../2configs/realwallpaper.nix
];
services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
- alias /tmp/wallpaper.png;
+ alias /var/realwallpaper/realwallpaper.png;
'';
}
{
@@ -254,19 +255,20 @@ in {
];
}
{
- krebs.Reaktor.coders = let
- lambdabot = (import (pkgs.fetchFromGitHub {
- owner = "NixOS"; repo = "nixpkgs";
- rev = "a4ec1841da14fc98c5c35cc72242c23bb698d4ac";
- sha256 = "148fpw31s922hxrf28yhrci296f7c7zd81hf0k6zs05rq0i3szgy";
- }) {}).lambdabot;
- in {
- nickname = "reaktor-lass";
+ krebs.Reaktor.coders = {
+ nickname = "Reaktor|lass";
channels = [ "#coders" ];
extraEnviron = {
REAKTOR_HOST = "irc.hackint.org";
};
plugins = with pkgs.ReaktorPlugins; let
+
+ lambdabot = (import (pkgs.fetchFromGitHub {
+ owner = "NixOS"; repo = "nixpkgs";
+ rev = "a4ec1841da14fc98c5c35cc72242c23bb698d4ac";
+ sha256 = "148fpw31s922hxrf28yhrci296f7c7zd81hf0k6zs05rq0i3szgy";
+ }) {}).lambdabot;
+
lambdabotflags = ''
-XStandaloneDeriving -XGADTs -XFlexibleContexts \
-XFlexibleInstances -XMultiParamTypeClasses \
@@ -349,6 +351,18 @@ in {
];
};
}
+ {
+ krebs.Reaktor.prism = {
+ nickname = "Reaktor|lass";
+ channels = [ "#retiolum" ];
+ extraEnviron = {
+ REAKTOR_HOST = "ni.r";
+ };
+ plugins = with pkgs.ReaktorPlugins; [
+ sed-plugin
+ ];
+ };
+ }
];
krebs.build.host = config.krebs.hosts.prism;
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 3032e244f..9c51effdc 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -32,8 +32,6 @@ in {
time.timeZone = "Europe/Berlin";
- virtualisation.libvirtd.enable = true;
-
programs.ssh.startAgent = false;
services.printing = {
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index 3006e9dfb..7b38e44c6 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -20,7 +20,7 @@ in {
};
config.krebs.buildbot.master = let
- stockholm-mirror-url = http://cgit.lassul.us/stockholm ;
+ stockholm-mirror-url = http://cgit.prism.r/stockholm ;
in {
workers = {
testworker = "lasspass";
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 69f8a681e..e964704c3 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -64,7 +64,10 @@ with import <stockholm/lib>;
];
}
{
- services.dnscrypt-proxy.enable = true;
+ services.dnscrypt-proxy = {
+ enable = true;
+ resolverName = "cs-de";
+ };
networking.extraResolvconfConf = ''
name_servers='127.0.0.1'
'';
@@ -151,6 +154,10 @@ with import <stockholm/lib>;
p7zip
unzip
unrar
+
+ (pkgs.writeDashBin "sshn" ''
+ ${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@"
+ '')
];
programs.bash = {
diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
index 971be9588..31a01c754 100644
--- a/lass/2configs/fetchWallpaper.nix
+++ b/lass/2configs/fetchWallpaper.nix
@@ -6,7 +6,7 @@ in {
krebs.fetchWallpaper = {
enable = true;
unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
- url = "prism/wallpaper.png";
+ url = "prism/realwallpaper-sat-krebs.png";
maxTime = 10;
};
}
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 24437d040..5f9800b0f 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
{
krebs.build.source.nixpkgs.git = {
url = https://cgit.lassul.us/nixpkgs;
- ref = "a563923";
+ ref = "c85f39e";
};
}
diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix
index cf9795071..116d66276 100644
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@@ -10,11 +10,23 @@ in {
krebs.realwallpaper.enable = true;
services.nginx.virtualHosts.wallpaper = {
+ extraConfig = ''
+ if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
+ return 403;
+ }
+ '';
serverAliases = [
hostname
+ "${hostname}.r"
];
- locations."/wallpaper.png".extraConfig = ''
- root /tmp/;
+ locations."/realwallpaper.png".extraConfig = ''
+ root /var/realwallpaper/;
+ '';
+ locations."/realwallpaper-sat.png".extraConfig = ''
+ root /var/realwallpaper/;
+ '';
+ locations."/realwallpaper-sat-krebs.png".extraConfig = ''
+ root /var/realwallpaper/;
'';
};
diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix
new file mode 100644
index 000000000..cef43d1e6
--- /dev/null
+++ b/lass/2configs/syncthing.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+ services.syncthing = {
+ enable = true;
+ useInotify = true;
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
+ { predicate = "-p udp --dport 21027"; target = "ACCEPT";}
+ ];
+}
diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix
index 4f92c2b90..3aa5a54f8 100644
--- a/makefu/1systems/fileleech.nix
+++ b/makefu/1systems/fileleech.nix
@@ -32,7 +32,6 @@ in {
../2configs/elchos/log.nix
../2configs/elchos/search.nix
../2configs/elchos/stats.nix
- ../2configs/stats-srv.nix
];
systemd.services.grafana.serviceConfig.LimitNOFILE=10032;
@@ -129,6 +128,7 @@ in {
# createHome = true;
openssh.authorizedKeys.keys = [
config.krebs.users.makefu.pubkey
+ config.krebs.users.lass.pubkey
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7betFnMWVeBYRhJ+2f0B5WbDdbpteIVg/BlyimXbx79R7lZ7nUq5GyMLrp7B00frUuA0su8oFFN3ODPJDstgBslBIP7kWPR2zW8NOXorrbFo3J2fKvlO77k6/wD5/M11m5nS01/aVJgAgMGLg2W12G7EMf5Wq75YsQJC/S9p8kMca589djMPRuQETu7fWq0t/Gmwq+2ELLL0csRK87LvybA92JYkAIneRnGzIlCguOXq0Vcq6pGQ1J1PfVEP76Do33X29l2hZc/+vR9ExW6s2g7fs5/5LDX9Wnq7+AEsxiEf4IOeL0hCG4/CGGCN23J+6cDrNKOP94AHO1si0O2lxFsxgNU2vdVWPNgSLottiUFBPPNEZFD++sZyutzH6PIz6D90hB2Q52X6WN9ZUtlDfQ91rHd+S2BhR6f4dAqiRDXlI5MNNDdoTT4S5R0wU/UrNwjiV/xiu/hWZYGQK7YgY4grFRblr378r8FqjLvumPDFMDLVa9eJKq1ad1x/GV5tZpsttzWj4nbixaKlZOg+TN2GHboujLx3bANz1Jqfvfto8UOeKTtA8pkb8E1PJPpBMOZcA7oHaqJrp6Vuf/SkmglHnQvGbi60OK3s61nuRmIcBiTXd+4qeAJpq1QyEDj3X/+hV0Gwz8rCo6JGkF1ETW37ZYvqU9rxNXjS+/Pfktw== jules@kvasir-2015-02-13"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDINUD+p2yrc9KoTbCiuYhdfLlRu/eNX6BftToSMLs8O9qWQORjgXbDn8M9iUWXCHzdUZ9sm6Rz8TMdEV0jZq/nB01zYnW4NhMrt+NGtrmGqDa+eYrRZ4G7Rx8AYzM/ZSwERKX10txAVugV44xswRxWvFbCedujjXyWsxelf1ngb+Hiy9/CPuWNYEhTZs/YuvNkupCui2BuKuoSivJAkLhGk5YqwwcllCr39YXa/tFJWsgoQNcB9hwpzfhFm6Cc7m5DhmTWSVhQHEWyaas8Lukmd4v+mRY+KZpuhbomCHWzkxqzdBun8SXiiAKlgem9rtBIgeTEfz9OtOfF3/6VfqE7 toerb@mittagspause ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0IP143FAHBHWjEEKGOnM8SSTIgNF1MJxGCMKaJvTHf momo@k2.local"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1ZJSpBb7Cxo+c2r2JJIcbYOTm/sJxOv2NFRoDfjxGS9CCwzRbzrwJcv2d23j35mu97x3+fUvo8DyMFLvLvume2PFCijqhMDzZZvjYXZdvXA+hnh53nqZf+Pjq8Xc3tSWBHQxUokaBmZbd4LlKHh8NgKVrP2zve6OPZMzo/Es93v37KEmT8d/PfVMrQEMPZzFrCVdq2RbpdQ1nhx09zRFW7OJOazgotafjx6IYXbVq2VDnjffXInsE9ZxDzYq1cNKIH0c2BLpTd3mv76iD9i+nD6W6s48+usFQnVLt2TY1uKkfMr7043E6jBxx5kNHBe5Xxr6Zs0SkR8kKOEhMO//4ucviUYKZJn8wk2SLkAyMYVBexx8jrTdlI4xgQ7RLpSIDTCm9dfbZY/YhZDJ21lsWduQqu7DFWMe05gg4NZDjf2kwYQOzATyqISGA7ttSEPT1iymr/ffAOgLBLSqWQAteUbI2U5cnflWZGwm33JF/Pyb4S3k3/f2mIBKiRx2lsGv6mx1w0SaYRtJxDWqGYMHuFiNYbq9r/bZfLqV3Fy9kRODFJTfJh8mcTnC4zabpiQ7fnqbh1qHu0WrrBSgFW0PR2WWCJ0e5Btj1yRgXp0+d5OuxxlVInRs+l2HogdxjonMhAHrTCzJtI8UJTKXKN0FBPRDRcepeExhvNqcOUz4Kvw== me@andreaskist.de"
diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix
index c39997ebf..3186f8887 100644
--- a/makefu/1systems/gum.nix
+++ b/makefu/1systems/gum.nix
@@ -35,10 +35,12 @@ in {
../2configs/nginx/update.connector.one.nix
../2configs/deployment/mycube.connector.one.nix
../2configs/deployment/graphs.nix
+ # ../2configs/ipfs.nix
+ ../2configs/syncthing.nix
# ../2configs/opentracker.nix
../2configs/logging/central-stats-client.nix
- ../2configs/logging/central-logging-client.nix
+ # ../2configs/logging/central-logging-client.nix
];
services.smartd.devices = [ { device = "/dev/sda";} ];
@@ -79,7 +81,6 @@ in {
];
services.bitlbee.enable = true;
systemd.services.bitlbee.environment.BITLBEE_DEBUG="1";
- # systemd.services.bitlbee.serviceConfig.ExecStart = "${pkgs.bitlbee}/bin/bitlbee -Dnv -c
# Hardware
boot.loader.grub.device = "/dev/sda";
diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix
index 99303b604..ff34ee843 100644
--- a/makefu/1systems/omo.nix
+++ b/makefu/1systems/omo.nix
@@ -53,9 +53,10 @@ in {
../2configs/omo-share.nix
../2configs/tinc/retiolum.nix
../2configs/logging/central-stats-server.nix
- ../2configs/logging/central-logging-server.nix
+ # ../2configs/logging/central-logging-server.nix
../2configs/logging/central-stats-client.nix
- ../2configs/logging/central-logging-client.nix
+ ../2configs/syncthing.nix
+ # ../2configs/logging/central-logging-client.nix
# ../2configs/torrent.nix
diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix
index 96aeb2856..9f04e97eb 100644
--- a/makefu/1systems/shoney.nix
+++ b/makefu/1systems/shoney.nix
@@ -31,7 +31,7 @@ in {
anonymous-domain = "localhost.localdomain";
anonymous.extraConfig = "return 403;";
complete = {
- serverAliases = [ "graphs.siem" ];
+ serverAliases = [ "graph.siem" ];
extraConfig = ''
if ( $server_addr = "${ip}" ) {
return 403;
diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix
index 9cedc04a8..866aac3bd 100644
--- a/makefu/1systems/x.nix
+++ b/makefu/1systems/x.nix
@@ -2,6 +2,7 @@
#
#
{ config, pkgs, ... }:
+with import <stockholm/lib>;
{
imports =
@@ -71,14 +72,9 @@
makefu.umts.apn = "web.vodafone.de";
nixpkgs.config.allowUnfree = true;
- krebs.nginx = {
- default404 = false;
- servers.default.listen = [ "80 default_server" ];
- servers.default.server-names = [ "_" ];
- };
boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
- environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ];
+ environment.systemPackages = [ pkgs.passwdqc-utils ];
virtualisation.docker.enable = true;
diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix
index ba4c551b3..1a19ab36b 100644
--- a/makefu/2configs/base-gui.nix
+++ b/makefu/2configs/base-gui.nix
@@ -16,7 +16,10 @@ let
mainUser = config.krebs.build.user.name;
in
{
- imports = [ ];
+ imports = [
+ ./urxvtd.nix
+ ];
+
services.xserver = {
enable = true;
layout = "us";
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix
index cd9b4c056..0865c3a31 100644
--- a/makefu/2configs/default.nix
+++ b/makefu/2configs/default.nix
@@ -11,7 +11,7 @@ with import <stockholm/lib>;
./vim.nix
./binary-cache/nixos.nix
];
-
+ programs.command-not-found.enable = false;
nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name);
krebs = {
enable = true;
@@ -22,7 +22,7 @@ with import <stockholm/lib>;
user = config.krebs.users.makefu;
source = let
inherit (config.krebs.build) host user;
- ref = "2982661"; # unstable @ 2017-03-31 + cups-dymo + snapraid-11.1
+ ref = "4fac473"; # unstable @ 2017-03-31 + command-not-found
in {
nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then
{
diff --git a/makefu/2configs/deployment/graphs.nix b/makefu/2configs/deployment/graphs.nix
index 35a724f6a..b33ddece0 100644
--- a/makefu/2configs/deployment/graphs.nix
+++ b/makefu/2configs/deployment/graphs.nix
@@ -23,8 +23,8 @@ in {
}
'';
serverAliases = [
- "graphs.r" "graphs.retiolum"
- "graphs.${hn}" "graphs.${hn}.retiolum"
+ "graph.r"
+ "graph.${hn}" "graph.${hn}.r"
];
};
anonymous = {
diff --git a/makefu/2configs/dnscrypt.nix b/makefu/2configs/dnscrypt.nix
index d810456f3..6e7ef0f82 100644
--- a/makefu/2configs/dnscrypt.nix
+++ b/makefu/2configs/dnscrypt.nix
@@ -1,5 +1,6 @@
{
services.dnscrypt-proxy.enable = true;
+ services.dnscrypt-proxy.resolverName = "cs-de";
networking.extraResolvconfConf = ''
name_servers='127.0.0.1'
'';
diff --git a/makefu/2configs/fetchWallpaper.nix b/makefu/2configs/fetchWallpaper.nix
index fb74919c4..16a7a13b2 100644
--- a/makefu/2configs/fetchWallpaper.nix
+++ b/makefu/2configs/fetchWallpaper.nix
@@ -8,7 +8,7 @@
timerConfig = {
OnCalendar = "*:0/30";
};
- url = "http://echelon/wallpaper.png";
+ url = "http://prism.r/realwallpaper-sat-krebs.png";
};
}
diff --git a/makefu/2configs/ipfs.nix b/makefu/2configs/ipfs.nix
new file mode 100644
index 000000000..cc07e063d
--- /dev/null
+++ b/makefu/2configs/ipfs.nix
@@ -0,0 +1,5 @@
+{...}:
+{
+ services.ipfs.enable = true;
+ networking.firewall.allowedTCPPorts = [ 4001 ];
+}
diff --git a/makefu/2configs/logging/central-stats-server.nix b/makefu/2configs/logging/central-stats-server.nix
index 30ad63879..4f7961f32 100644
--- a/makefu/2configs/logging/central-stats-server.nix
+++ b/makefu/2configs/logging/central-stats-server.nix
@@ -71,5 +71,12 @@ in {
iptables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT
iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT
iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT
+
+ ip6tables -A INPUT -i retiolum -p udp --dport ${toString collectd-port} -j ACCEPT
+ ip6tables -A INPUT -i retiolum -p tcp --dport ${toString influx-port} -j ACCEPT
+ ip6tables -A INPUT -i retiolum -p tcp --dport ${toString grafana-port} -j ACCEPT
+ ip6tables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT
+ ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT
+ ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT
'';
}
diff --git a/makefu/2configs/syncthing.nix b/makefu/2configs/syncthing.nix
new file mode 100644
index 000000000..6b758ea2d
--- /dev/null
+++ b/makefu/2configs/syncthing.nix
@@ -0,0 +1,11 @@
+{...}:
+
+with import <stockholm/lib>; {
+ services.syncthing = {
+ enable = true;
+ openDefaultPorts = true;
+ useInotify = true;
+ group = "download";
+ };
+ users.extraGroups.download.gid = genid "download";
+}
diff --git a/makefu/2configs/tools/core-gui.nix b/makefu/2configs/tools/core-gui.nix
index 6d62e92c0..0538647ae 100644
--- a/makefu/2configs/tools/core-gui.nix
+++ b/makefu/2configs/tools/core-gui.nix
@@ -12,11 +12,11 @@
firefox
keepassx
pcmanfm
+ evince
skype
mirage
tightvnc
gnome3.dconf
- wireshark
xdotool
xorg.xbacklight
scrot
diff --git a/makefu/2configs/tools/core.nix b/makefu/2configs/tools/core.nix
index 86d72c662..6ae2951eb 100644
--- a/makefu/2configs/tools/core.nix
+++ b/makefu/2configs/tools/core.nix
@@ -40,6 +40,7 @@
cac-api
cac-panel
krebspaste
+ krebszones
ledger
pass
];
diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix
index 9cfacf408..596734dd5 100644
--- a/makefu/2configs/tools/extra-gui.nix
+++ b/makefu/2configs/tools/extra-gui.nix
@@ -4,6 +4,7 @@
krebs.per-user.makefu.packages = with pkgs;[
inkscape
gimp
+ libreoffice
skype
virtmanager
synergy
diff --git a/makefu/2configs/tools/sec.nix b/makefu/2configs/tools/sec.nix
index 5ab699f35..e53d9ee8e 100644
--- a/makefu/2configs/tools/sec.nix
+++ b/makefu/2configs/tools/sec.nix
@@ -11,5 +11,6 @@
nmap
msf
thc-hydra
+ wireshark
];
}
diff --git a/makefu/2configs/urxvtd.nix b/makefu/2configs/urxvtd.nix
new file mode 100644
index 000000000..286b87ab3
--- /dev/null
+++ b/makefu/2configs/urxvtd.nix
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+
+let
+ mainUser = config.krebs.build.user.name;
+in {
+ systemd.services.urxvtd = {
+ wantedBy = [ "multi-user.target" ];
+ before = [ "graphical.target" ];
+ reloadIfChanged = true;
+ serviceConfig = {
+ SyslogIdentifier = "urxvtd";
+ ExecReload = "${pkgs.coreutils}/bin/echo NOP";
+ ExecStart = "${pkgs.rxvt_unicode_with-plugins}/bin/urxvtd";
+ Restart = "always";
+ RestartSec = "2s";
+ StartLimitBurst = 0;
+ User = mainUser;
+ };
+ };
+ # TODO: sessionCommands from base-gui related to urxvt in this file
+}
diff --git a/makefu/5pkgs/awesomecfg/full.cfg b/makefu/5pkgs/awesomecfg/full.cfg
index e43341d25..73ff42e9f 100644
--- a/makefu/5pkgs/awesomecfg/full.cfg
+++ b/makefu/5pkgs/awesomecfg/full.cfg
@@ -90,7 +90,7 @@ client.connect_signal("focus", function(c) c.border_color = beautiful.border_foc
client.connect_signal("unfocus", function(c) c.border_color = beautiful.border_normal end)
-- This is used later as the default terminal and editor to run.
-terminal = "urxvt"
+terminal = "urxvtc"
editor = os.getenv("EDITOR") or "vim"
editor_cmd = terminal .. " -e " .. editor
browser = "firefox"
diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 0b4448022..75307be12 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -14,6 +14,7 @@ in
../2configs/shack-nix-cacher.nix
../2configs/shared-buildbot.nix
../2configs/share-shack.nix
+ ../2configs/central-stats-client.nix
];
# use your own binary cache, fallback use cache.nixos.org (which is used by
# apt-cacher-ng in first place)
diff --git a/shared/2configs/central-stats-client.nix b/shared/2configs/central-stats-client.nix
new file mode 100644
index 000000000..0412eba9a
--- /dev/null
+++ b/shared/2configs/central-stats-client.nix
@@ -0,0 +1,68 @@
+{pkgs, config, ...}:
+{
+ services.collectd = {
+ enable = true;
+ autoLoadPlugin = true;
+ extraConfig = ''
+ Hostname ${config.krebs.build.host.name}
+ LoadPlugin load
+ LoadPlugin disk
+ LoadPlugin memory
+ LoadPlugin df
+ Interval 30.0
+
+ LoadPlugin interface
+ <Plugin "interface">
+ Interface "*Link"
+ Interface "lo"
+ Interface "vboxnet*"
+ Interface "virbr*"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin df
+ <Plugin "df">
+ MountPoint "/nix/store"
+ # MountPoint "/run*"
+ # MountPoint "/sys*"
+ # MountPoint "/dev"
+ # MountPoint "/dev/shm"
+ # MountPoint "/tmp"
+ FSType "tmpfs"
+ FSType "binfmt_misc"
+ FSType "debugfs"
+ FSType "mqueue"
+ FSType "hugetlbfs"
+ FSType "systemd-1"
+ FSType "cgroup"
+ FSType "securityfs"
+ FSType "ramfs"
+ FSType "proc"
+ FSType "devpts"
+ FSType "devtmpfs"
+ MountPoint "/var/lib/docker/devicemapper"
+ IgnoreSelected true
+ </Plugin>
+
+ LoadPlugin cpu
+ <Plugin cpu>
+ ReportByCpu true
+ ReportByState true
+ ValuesPercentage true
+ </Plugin>
+
+ LoadPlugin network
+ <Plugin "network">
+ Server "stats.makefu.r" "25826"
+ </Plugin>
+
+ LoadPlugin curl
+ <Plugin curl>
+ <Page "smarthome">
+ URL "http://smarthome.shack/";
+ MeasureResponseTime true
+ </Page>
+ </Plugin>
+ '';
+ };
+}
diff --git a/shared/2configs/shared-buildbot.nix b/shared/2configs/shared-buildbot.nix
index cf08882a9..1d6883afe 100644
--- a/shared/2configs/shared-buildbot.nix
+++ b/shared/2configs/shared-buildbot.nix
@@ -9,11 +9,20 @@
{
# due to the fact that we actually build stuff on the box via the daemon,
# /nix/store should be cleaned up automatically as well
+ services.nginx.virtualHosts.build = {
+ serverAliases = [ "build.wolf.r" ];
+ locations."/".extraConfig = ''
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_pass http://localhost:${toString config.krebs.buildbot.master.web.port};
+ '';
+ };
+
nix.gc.automatic = true;
nix.gc.dates = "05:23";
networking.firewall.allowedTCPPorts = [ 8010 9989 ];
krebs.buildbot.master = let
- stockholm-mirror-url = http://cgit.wolf/stockholm-mirror ;
+ stockholm-mirror-url = http://cgit.wolf.r/stockholm-mirror ;
in {
secrets = [ "retiolum-ci.rsa_key.priv" "cac.json" ];
workers = {
@@ -151,6 +160,9 @@
channels = [ { channel = "retiolum"; } ];
allowForce = true;
};
+ extraConfig = ''
+ c['buildbotURL'] = "http://build.wolf.r/"
+ '';
};
krebs.buildbot.worker = {