makefu/stockholm
1
0
Fork 0
Code Issues Pull requests Actions 1 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master'

Browse source
This commit is contained in:
jeschli 2018-05-04 16:57:21 +02:00
parent 4f2bf83ff9 b81fe57e3e
commit 74cab14502
88 changed files with 1256 additions and 971 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
jeschli/1systems/bln/config.nix
View file

@ -1,7 +1,7 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
# bln config file # bln config file
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
<stockholm/jeschli> <stockholm/jeschli>
<stockholm/jeschli/2configs/virtualbox.nix> <stockholm/jeschli/2configs/virtualbox.nix>
@ -95,6 +95,12 @@
# Enable the X11 windowing system. # Enable the X11 windowing system.
services.xserver.videoDrivers = [ "nvidia" ]; services.xserver.videoDrivers = [ "nvidia" ];
# services.xserver.windowManager.xmonad.enable = true;
# services.xserver.windowManager.xmonad.enableContribAndExtras = true;
# services.xserver.displayManager.sddm.enable = true;
# services.xserver.dpi = 100;
# fonts.fontconfig.dpi = 100;
users.extraUsers.jeschli = { users.extraUsers.jeschli = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["docker" "vboxusers" "audio"]; extraGroups = ["docker" "vboxusers" "audio"];

1
jeschli/2configs/xserver/default.nix
View file

@ -46,6 +46,7 @@ in {
dpi = 200; dpi = 200;
videoDrivers = [ "nvidia" ];
synaptics = { synaptics = {
enable = true; enable = true;
twoFingerScroll = true; twoFingerScroll = true;

6
jeschli/5pkgs/simple/xmonad-jeschli/default.nix
View file

@ -44,6 +44,7 @@ import XMonad.Layout.Reflect (reflectVert)
import XMonad.Layout.FixedColumn (FixedColumn(..)) import XMonad.Layout.FixedColumn (FixedColumn(..))
import XMonad.Hooks.Place (placeHook, smart) import XMonad.Hooks.Place (placeHook, smart)
import XMonad.Hooks.FloatNext (floatNextHook) import XMonad.Hooks.FloatNext (floatNextHook)
import XMonad.Hooks.SetWMName
import XMonad.Actions.PerWorkspaceKeys (chooseAction) import XMonad.Actions.PerWorkspaceKeys (chooseAction)
import XMonad.Layout.PerWorkspace (onWorkspace) import XMonad.Layout.PerWorkspace (onWorkspace)
--import XMonad.Layout.BinarySpacePartition --import XMonad.Layout.BinarySpacePartition
@ -86,7 +87,8 @@ mainNoArgs = do
-- , handleEventHook = myHandleEventHooks <+> handleTimerEvent -- , handleEventHook = myHandleEventHooks <+> handleTimerEvent
--, handleEventHook = handleTimerEvent --, handleEventHook = handleTimerEvent
, manageHook = placeHook (smart (1,0)) <+> floatNextHook , manageHook = placeHook (smart (1,0)) <+> floatNextHook
, startupHook = , startupHook = do
setWMName "LG3D"
whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK")) whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK"))
(\path -> forkFile path [] Nothing) (\path -> forkFile path [] Nothing)
, normalBorderColor = "#1c1c1c" , normalBorderColor = "#1c1c1c"
@ -217,7 +219,7 @@ myKeys conf = Map.fromList $
pagerConfig :: PagerConfig pagerConfig :: PagerConfig
pagerConfig = def pagerConfig = def
{ pc_font = myFont { pc_font = myFont
, pc_cellwidth = 64 , pc_cellwidth = 256
--, pc_cellheight = 36 -- TODO automatically keep screen aspect --, pc_cellheight = 36 -- TODO automatically keep screen aspect
--, pc_borderwidth = 1 --, pc_borderwidth = 1
--, pc_matchcolor = "#f0b000" --, pc_matchcolor = "#f0b000"

41
krebs/1systems/hope/config.nix
View file

@ -1,41 +0,0 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
ip = config.krebs.build.host.nets.internet.ip4.addr;
bestGuessGateway = addr: elemAt (match "(.*)(\.[^.])" addr) 0 + ".1";
in {
imports = [
<stockholm/krebs>
<stockholm/krebs/2configs>
<stockholm/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix>
<stockholm/krebs/2configs/secret-passwords.nix>
{
users.extraUsers = {
satan = {
name = "satan";
uid = 1338;
home = "/home/satan";
group = "users";
createHome = true;
useDefaultShell = true;
initialPassword = "test";
};
};
}
];
krebs.build.host = config.krebs.hosts.hope;
networking = let
address = config.krebs.build.host.nets.internet.ip4.addr;
in {
defaultGateway = bestGuessGateway address;
interfaces.enp2s1.ip4 = singleton {
inherit address;
prefixLength = 24;
};
nameservers = ["8.8.8.8"];
};
}

3
krebs/1systems/hope/source.nix
View file

@ -1,3 +0,0 @@
import <stockholm/krebs/source.nix> {
name = "hope";
}

1
krebs/1systems/hotdog/config.nix
View file

@ -21,4 +21,5 @@
boot.isContainer = true; boot.isContainer = true;
networking.useDHCP = false; networking.useDHCP = false;
krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm"; krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm";
environment.variables.NIX_REMOTE = "daemon";
} }

48
krebs/1systems/onebutton/config.nix Normal file
View file

@ -0,0 +1,48 @@
{ config, pkgs, lib, ... }:
{
# :l <nixpkgs>
# builtins.readDir (pkgs.fetchFromGitHub { owner = "nixos"; repo = "nixpkgs-channels"; rev = "6c064e6b"; sha256 = "1rqzh475xn43phagrr30lb0fd292c1s8as53irihsnd5wcksnbyd"; })
imports = [
<stockholm/krebs>
<stockholm/krebs/2configs>
{ # flag to rebuild everything yourself:
# environment.noXlibs = true;
# minimal disk usage
nix.gc.automatic = true;
nix.gc.dates = "03:10";
documentation.man.enable = false;
documentation.info.enable = false;
services.nixosManual.enable = false;
services.journald.extraConfig = "SystemMaxUse=50M";
}
];
krebs.build.host = config.krebs.hosts.onebutton;
# NixOS wants to enable GRUB by default
boot.loader.grub.enable = false;
# Enables the generation of /boot/extlinux/extlinux.conf
boot.loader.generic-extlinux-compatible.enable = true;
boot.kernelPackages = pkgs.linuxPackages_rpi;
nix.binaryCaches = [ "http://nixos-arm.dezgeg.me/channel" ];
nix.binaryCachePublicKeys = [ "nixos-arm.dezgeg.me-1:xBaUKS3n17BZPKeyxL4JfbTqECsT+ysbDJz29kLFRW0=%" ];
fileSystems = {
"/boot" = {
device = "/dev/disk/by-label/NIXOS_BOOT";
fsType = "vfat";
};
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
fsType = "ext4";
};
};
swapDevices = [ { device = "/swapfile"; size = 1024; } ];
services.openssh.enable = true;
networking.wireless.enable = true;
hardware.enableRedistributableFirmware = true;
}

16
krebs/1systems/onebutton/source.nix Normal file
View file

@ -0,0 +1,16 @@
with import <stockholm/lib>;
let
pkgs = import <nixpkgs> {};
nixpkgs = pkgs.fetchFromGitHub {
owner = "nixos";
repo = "nixpkgs-channels";
rev = "6c064e6b"; # only binary cache for unstable arm6
sha256 = "1rqzh475xn43phagrr30lb0fd292c1s8as53irihsnd5wcksnbyd";
};
in import <stockholm/krebs/source.nix> {
name = "onebutton";
override.nixpkgs = mkForce {
file = toString nixpkgs;
};
}

3
krebs/2configs/news-spam.nix
View file

@ -2,6 +2,7 @@
{ {
krebs.newsbot-js.news-spam = { krebs.newsbot-js.news-spam = {
urlShortenerHost = "go.lassul.us";
feeds = pkgs.writeText "feeds" '' feeds = pkgs.writeText "feeds" ''
[SPAM]aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews [SPAM]aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews
[SPAM]allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews [SPAM]allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews
@ -120,7 +121,7 @@
[SPAM]sciencemag|http://news.sciencemag.org/rss/current.xml|#snews [SPAM]sciencemag|http://news.sciencemag.org/rss/current.xml|#snews
[SPAM]scmp|http://www.scmp.com/rss/91/feed|#snews [SPAM]scmp|http://www.scmp.com/rss/91/feed|#snews
[SPAM]sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews [SPAM]sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews
[SPAM]shackspace|http://blog.shackspace.de/?feed=rss2|#snews [SPAM]shackspace|http://shackspace.de/atom.xml|#snews
[SPAM]shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews [SPAM]shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews
[SPAM]sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews [SPAM]sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews
[SPAM]sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews [SPAM]sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews

2
krebs/2configs/news.nix
View file

@ -11,7 +11,7 @@
painload|https://github.com/krebscode/painload/commits/master.atom|#news painload|https://github.com/krebscode/painload/commits/master.atom|#news
reddit_haskell|http://www.reddit.com/r/haskell/.rss|#news reddit_haskell|http://www.reddit.com/r/haskell/.rss|#news
reddit_nix|http://www.reddit.com/r/nixos/.rss|#news reddit_nix|http://www.reddit.com/r/nixos/.rss|#news
shackspace|http://blog.shackspace.de/?feed=rss2|#news shackspace|http://shackspace.de/atom.xml|#news
tinc|http://tinc-vpn.org/news/index.rss|#news tinc|http://tinc-vpn.org/news/index.rss|#news
vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#news vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#news
weechat|http://dev.weechat.org/feed/atom|#news weechat|http://dev.weechat.org/feed/atom|#news

85
krebs/2configs/shack/worlddomination.nix
View file

@ -2,8 +2,56 @@
with import <stockholm/lib>; with import <stockholm/lib>;
let let
pkg = pkgs.stdenv.mkDerivation {
name = "worlddomination-2018-04-21";
src = pkgs.fetchgit {
url = "https://github.com/shackspace/worlddomination/";
rev = "1b32403b9";
sha256 = "10x7aiil13k3x9wqy95mi1ys999d6fxg5sys3jwv7a1p930gkl1i";
};
buildInputs = [
(pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
docopt
LinkHeader
aiocoap
grequests
paramiko
python
]))
];
installPhase = ''
install -m755 -D backend/push_led.py $out/bin/push-led
install -m755 -D backend/loop_single.py $out/bin/loop-single
# copy the provided file to the package
install -m755 -D backend/wd.lst $out/${wdpath}
'';
};
pythonPackages = pkgs.python3Packages; pythonPackages = pkgs.python3Packages;
# https://github.com/chrysn/aiocoap # https://github.com/chrysn/aiocoap
grequests = pythonPackages.buildPythonPackage rec {
pname = "grequests";
version = "0.3.1";
name = "${pname}-${version}";
src = pkgs.fetchFromGitHub {
owner = "kennethreitz";
repo = "grequests";
rev = "d1e70eb";
sha256 = "0drfx4fx65k0g5sj0pw8z3q1s0sp7idn2yz8xfb45nd6v82i37hc";
};
doCheck = false;
propagatedBuildInputs = with pythonPackages; [ requests gevent ];
meta = with lib;{
description = "Asynchronous HTTP requests";
homepage = https://github.com/kennethreitz/grequests;
license = with licenses; [ bsd2 ];
maintainers = with maintainers; [ matejc ];
};
};
aiocoap = pythonPackages.buildPythonPackage { aiocoap = pythonPackages.buildPythonPackage {
name = "aiocoap-0.3"; name = "aiocoap-0.3";
src = pkgs.fetchurl { url = "https://pypi.python.org/packages/9c/f6/d839e4b14258d76e74a39810829c13f8dd31de2bfe0915579b2a609d1bbe/aiocoap-0.3.tar.gz"; sha256 = "402d4151db6d8d0b1d66af5b6e10e0de1521decbf12140637e5b8d2aa9c5aef6"; }; src = pkgs.fetchurl { url = "https://pypi.python.org/packages/9c/f6/d839e4b14258d76e74a39810829c13f8dd31de2bfe0915579b2a609d1bbe/aiocoap-0.3.tar.gz"; sha256 = "402d4151db6d8d0b1d66af5b6e10e0de1521decbf12140637e5b8d2aa9c5aef6"; };
@ -25,32 +73,9 @@ let
description = "Parse and format link headers according to RFC 5988 \"Web Linking\""; description = "Parse and format link headers according to RFC 5988 \"Web Linking\"";
}; };
}; };
pkg = pkgs.stdenv.mkDerivation {
name = "worlddomination-2017-06-10";
src = pkgs.fetchgit {
url = "https://github.com/shackspace/worlddomination/";
rev = "72fc9b5";
sha256 = "05h500rswzypcxy4i22qc1vkc8izbzfqa9m86xg289hjxh133xyf";
};
buildInputs = [
(pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
docopt
LinkHeader
aiocoap
requests
paramiko
python
]))
];
installPhase = ''
install -m755 -D backend/push_led.py $out/bin/push-led
install -m755 -D backend/loop_single.py $out/bin/loop-single
# copy the provided file to the package
install -m755 -D backend/wd.lst $out/${wdpath}
'';
};
wdpath = "/usr/worlddomination/wd.lst"; wdpath = "/usr/worlddomination/wd.lst";
esphost = "10.42.24.7"; # esp8266 esphost = "10.42.24.7"; # esp8266
afrihost = "10.42.25.201"; # africa
timeout = 10; # minutes timeout = 10; # minutes
in { in {
systemd.services.worlddomination = { systemd.services.worlddomination = {
@ -64,4 +89,16 @@ in {
PermissionsStartOnly = true; PermissionsStartOnly = true;
}; };
}; };
systemd.services.worlddomination-africa = {
description = "run worlddomination africa";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "nobody"; # TODO separate user
ExecStart = "${pkg}/bin/push-led ${afrihost} ${pkg}/${wdpath} loop ${toString timeout}";
Restart = "always";
PrivateTmp = true;
PermissionsStartOnly = true;
};
};
} }

63
krebs/3modules/krebs/default.nix
View file

@ -30,38 +30,6 @@ let
}); });
in { in {
hosts = { hosts = {
hope = {
ci = true;
owner = config.krebs.users.krebs;
nets = {
internet = {
ip4.addr = "45.62.225.18";
aliases = [
"hope.i"
];
ssh.port = 45621;
};
retiolum = {
ip4.addr = "10.243.77.4";
ip6.addr = "42:0:0:0:0:0:77:4";
aliases = [
"hope.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsQVWCoNZZd77tYw1qEDlUsfcF0ld+jVorq2uR5il1D8sqER644l5
uaWxPQjSl27xdq5kvzIH24Ab6/xF2EDgE2fUTwpO5coBYafeiGyi5AwURQmYMp2a
2CV7uUAagFQaSzD0Aj796r1BXPn1IeE+uRSBmmc/+/7L0hweRGLiha34NOMZkq+4
A0pwI/CjnyRXdV4AqfORHXkelykJPATm+m3bC+KYogPBeNMP2AV2aYgY8a0UJPMK
fjAJCzxYJjiYxm8faJlm2U1bWytZODQa8pRZOrYQa4he2UoU6x78CNcrQkYLPOFC
K2Q7+B5WJNKV6CqYztXuU/6LTHJRmV0FiwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdLHRI29xJj1jmfSidE2Dh7EsDNszm+WH3Kj4zYBkP/";
};
hotdog = { hotdog = {
ci = true; ci = true;
owner = config.krebs.users.krebs; owner = config.krebs.users.krebs;
@ -91,6 +59,37 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICxFkBln23wUxt4RhIHE3GvdKeBpJbjn++6maupHqUHp";
}; };
onebutton = {
cores = 1;
owner = config.krebs.users.krebs;
nets = {
retiolum = {
ip4.addr = "10.243.0.101";
ip6.addr = "42:0:0:0:0:0:0:101";
aliases = [
"onebutton.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA11w6votRExwE0ZEiQmPa
9WGNsMfNAZEd14iHaHCZH7UPQEH+cH/T6isGPpaysindroMnqFe9mUf/cdYChb6N
aaFreApwGBQaJPUcdy4cfphrFpzmOClpOFuFbnV7ZvAk/wefBad3kUzsq/lK4HvB
7nPKeOB9kljphLrkzuLL/h2yOenMpO2ZdvwxyWN8HKmUNgvpBQjIr+Hka6cgy7Gp
pBVFHfSnad/eHeEvq91O/bHxrAxzH5N5DVagPDpkbiWYGl+0XVGP/h0CApr15Ael
+j2pJYc0ZlaXIp4KmNRqbd/fLe52JLrWbnFX4rRuY/DhoMqK8kjECEZ7gLiNSpCC
KlnlJ2LXX9c+d79ubzl5yLAJ3d6T4IJqkbAWJDuCrj821M9ZDk/qZwerayhrrvkF
tMYkQoGSe8MvSOU0rTEoH5iSRwDC7M0XzUe4l8/yZLFyD4Prz/dq6coqANfk/tlE
DnH3vDu9lmFvYrLcd6yDWzFfI3mWDJoUa6AKKoScCOaCkRfIM4Aew0i73+h1nJLO
59AAbZIkDYyWs53QniIG4EQteI9y/9j/628nPAVj68V5oIN76RDXfFHWDWq4DxmU
PpGVmoIKcKZmnl7RrDomRVpuGMdyQ+kCzIGH3XYe12v8Y5beHZBrd3OajgHZ/Tfp
jP873cT6h0hsGm9glgOYho8CAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcZg+iLaPZ0SpLM+nANxIjZC/RIsansjyutK0+gPhIe ";
};
puyak = { puyak = {
ci = true; ci = true;
owner = config.krebs.users.krebs; owner = config.krebs.users.krebs;

93
krebs/3modules/lass/default.nix
View file

@ -9,6 +9,7 @@ with import <stockholm/lib>;
hosts = mapAttrs (_: recursiveUpdate { hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.lass; owner = config.krebs.users.lass;
ci = true; ci = true;
monitoring = true;
}) { }) {
dishfire = { dishfire = {
cores = 4; cores = 4;
@ -43,39 +44,6 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy";
}; };
echelon = {
cores = 2;
nets = rec {
internet = {
ip4.addr = "64.137.242.41";
aliases = [
"echelon.i"
];
ssh.port = 45621;
};
retiolum = {
via = internet;
ip4.addr = "10.243.206.103";
ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f763";
aliases = [
"echelon.r"
"cgit.echelon.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAuscWOYdHu0bpWacvwTNd6bcmrAQ0YFxJWHZF8kPZr+bMKIhnXLkJ
oJheENIM6CA9lQQQFUxh2P2pxZavW5rgVlJxIKeiB+MB4v6ZO60LmZgpCsWGD/dX
MipM2tLtQxYhvLJIJxEBWn3rxIgeEnCtZsH1KLWyLczb+QpvTjMJ4TNh1nEBPE/f
4LUH1JHaGhcaHl2dLemR9wnnDIjmSj0ENJp2al+hWnIggcA/Zp0e4b86Oqbbs5wA
n++n5j971cTrBdA89nJDYOEtepisglScVRbgLqJG81lDA+n24RWFynn+U3oD/L8p
do+kxlwZUEDRbPU4AO5L+UeIbimsuIfXiQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL21QDOEFdODFh6WAfNp6odrXo15pEsDQuGJfMu/cKzK";
};
prism = rec { prism = rec {
cores = 4; cores = 4;
extraZones = { extraZones = {
@ -86,14 +54,17 @@ with import <stockholm/lib>;
"lassul.us" = '' "lassul.us" = ''
$TTL 3600 $TTL 3600
@ IN SOA dns16.ovh.net. tech.ovh.net. (2017093001 86400 3600 3600000 300) @ IN SOA dns16.ovh.net. tech.ovh.net. (2017093001 86400 3600 3600000 300)
60 IN NS ns16.ovh.net. 60 IN NS ns16.ovh.net.
60 IN NS dns16.ovh.net. 60 IN NS dns16.ovh.net.
60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
60 IN TXT v=spf1 mx a:lassul.us -all 60 IN TXT v=spf1 mx a:lassul.us -all
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} 60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" )
io 60 IN NS ions.lassul.us. default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
''; '';
}; };
nets = rec { nets = rec {
@ -149,6 +120,7 @@ with import <stockholm/lib>;
}; };
domsen-nas = { domsen-nas = {
ci = false; ci = false;
monitoring = false;
external = true; external = true;
nets = rec { nets = rec {
internet = { internet = {
@ -161,6 +133,7 @@ with import <stockholm/lib>;
}; };
}; };
uriel = { uriel = {
monitoring = false;
cores = 1; cores = 1;
nets = { nets = {
gg23 = { gg23 = {
@ -399,10 +372,12 @@ with import <stockholm/lib>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX";
}; };
iso = { iso = {
monitoring = false;
ci = false; ci = false;
cores = 1; cores = 1;
}; };
sokrateslaptop = { sokrateslaptop = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = { nets = {
@ -426,6 +401,7 @@ with import <stockholm/lib>;
}; };
}; };
turingmachine = { turingmachine = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = { nets = {
@ -454,6 +430,7 @@ with import <stockholm/lib>;
}; };
}; };
eddie = { eddie = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = rec { nets = rec {
@ -494,6 +471,7 @@ with import <stockholm/lib>;
}; };
}; };
borg = { borg = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = { nets = {
@ -521,6 +499,7 @@ with import <stockholm/lib>;
}; };
}; };
inspector = { inspector = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = rec { nets = rec {
@ -552,6 +531,7 @@ with import <stockholm/lib>;
}; };
}; };
dpdkm = { dpdkm = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = rec { nets = rec {
@ -659,6 +639,37 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsTeSAedrbp7/KmZX8Mvka702fIUy77Mvqo9HwzCbym"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsTeSAedrbp7/KmZX8Mvka702fIUy77Mvqo9HwzCbym";
}; };
red = {
monitoring = false;
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.13";
ip6.addr = "42:0:0:0:0:0:0:12ed";
aliases = [
"red.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG
4/cqsjvHlffAN8jYDq+GImgREvbiLlFhhHgxwKh0gcDTR8P1xX/00P3/fx/g5bRF
Te7LZT2AFmVFFFfx1n9NBweN/gG2/hzB9J8epbWLNT+RzpzHuAoREvDZ+jweSXaI
phdmQY2s36yrR3TAShqq0q4cwlXuHT00J+InDutM0mTftBQG/fvYkBhHOfq4WSY0
FeMK7DTKNbsqQiKKQ/kvWi7KfTW0F0c7SDpi7BLwbQzP2WbogtGy9MIrw9ZhE6Ox
TVdAksPKw0TlYdb16X/MkbzBqTYbxFlmWzpMJABMxIVwAfQx3ZGYvJDdDXmQS2qa
mDN2xBb/5pj3fbfp4wbwWlRVSd/AJQtRvaNY24F+UsRJb0WinIguDI6oRZx7Xt8w
oYirKqqq1leb3EYUt8TMIXQsOw0/Iq+JJCwB+ZyLLGVNB19XOxdR3RN1JYeZANpE
cMSS3SdFGgZ//ZAdhIN5kw9yMeKo6Rnt+Vdz3vZWTuSVp/xYO3IMGXNGAdIWIwrJ
7fwSl/rfXGG816h0sD46U0mxd+i68YOtHlzOKe+vMZ4/FJZYd/E5/IDQluV8HLwa
5lODfZXUmfStdV+GDA9KVEGUP5xSkC3rMnir66NgHzKpIL002/g/HfGu7O3MrvpW
ng7AMvRv5vbsYcJBj2HUhKUCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp";
};
}; };
users = { users = {
lass = { lass = {

1
krebs/3modules/makefu/default.nix
View file

@ -539,6 +539,7 @@ with import <stockholm/lib>;
dl.euer IN A ${nets.internet.ip4.addr} dl.euer IN A ${nets.internet.ip4.addr}
boot.euer IN A ${nets.internet.ip4.addr} boot.euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr} wiki.euer IN A ${nets.internet.ip4.addr}
mon.euer IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr} graph IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr} ghook IN A ${nets.internet.ip4.addr}
dockerhub IN A ${nets.internet.ip4.addr} dockerhub IN A ${nets.internet.ip4.addr}

1
krebs/3modules/newsbot-js.nix
View file

@ -93,6 +93,7 @@ let
User = "newsbot-js"; User = "newsbot-js";
Restart = "always"; Restart = "always";
ExecStart = "${newsbot.package}/bin/newsbot"; ExecStart = "${newsbot.package}/bin/newsbot";
WatchdogSec = "86400";
}; };
} }
) cfg; ) cfg;

23
krebs/5pkgs/simple/Reaktor/plugins.nix
View file

@ -120,11 +120,24 @@ rec {
url-title = (buildSimpleReaktorPlugin "url-title" { url-title = (buildSimpleReaktorPlugin "url-title" {
pattern = "^.*(?P<args>http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+).*$$"; pattern = "^.*(?P<args>http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+).*$$";
path = with pkgs; [ curl perl ]; path = with pkgs; [ curl perl ];
script = pkgs.writeDash "lambda-pl" '' script = pkgs.writePython3 [ "beautifulsoup4" "lxml" ] "url-title" ''
if [ "$#" -gt 0 ]; then import sys
curl -SsL --max-time 5 "$1" | import urllib.request
perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' from bs4 import BeautifulSoup
fi
try:
soup = BeautifulSoup(urllib.request.urlopen(sys.argv[1]), "lxml")
title = soup.find('title').string
if title:
if len(title) > 512:
print('message to long, skipped')
elif len(title.split('\n')) > 5:
print('to many lines, skipped')
else:
print(title)
except: # noqa: E722
pass
''; '';
}); });

27
krebs/5pkgs/simple/ejabberd/default.nix
View file

@ -1,5 +1,6 @@
{ stdenv, writeScriptBin, lib, fetchurl, git, cacert { stdenv, writeScriptBin, lib, fetchurl, git, cacert
, erlang, openssl, expat, libyaml, bash, gnused, gnugrep, coreutils, utillinux, procps , erlang, openssl, expat, libyaml, bash, gnused, gnugrep, coreutils, utillinux, procps, gd
, flock
, withMysql ? false , withMysql ? false
, withPgsql ? false , withPgsql ? false
, withSqlite ? false, sqlite , withSqlite ? false, sqlite
@ -23,17 +24,17 @@ let
ctlpath = lib.makeBinPath [ bash gnused gnugrep coreutils utillinux procps ]; ctlpath = lib.makeBinPath [ bash gnused gnugrep coreutils utillinux procps ];
in stdenv.mkDerivation rec { in stdenv.mkDerivation rec {
version = "17.07"; version = "18.01";
name = "ejabberd-${version}"; name = "ejabberd-${version}";
src = fetchurl { src = fetchurl {
url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz"; url = "http://www.process-one.net/downloads/ejabberd/${version}/${name}.tgz";
sha256 = "1p8ppp2czjgnq8xnhyksd82npvvx99fwr0g3rrq1wvnwh2vgb8km"; sha256 = "01i2n8mlgw293jdf4172f9q8ca8m35vysjws791p7nynpfdb4cn6";
}; };
nativeBuildInputs = [ fakegit ]; nativeBuildInputs = [ fakegit ];
buildInputs = [ erlang openssl expat libyaml ] buildInputs = [ erlang openssl expat libyaml gd ]
++ lib.optional withSqlite sqlite ++ lib.optional withSqlite sqlite
++ lib.optional withPam pam ++ lib.optional withPam pam
++ lib.optional withZlib zlib ++ lib.optional withZlib zlib
@ -50,7 +51,7 @@ in stdenv.mkDerivation rec {
configureFlags = [ "--enable-all" "--with-sqlite3=${sqlite.dev}" ]; configureFlags = [ "--enable-all" "--with-sqlite3=${sqlite.dev}" ];
buildInputs = [ git erlang openssl expat libyaml sqlite pam zlib elixir ]; nativeBuildInputs = [ git erlang openssl expat libyaml sqlite pam zlib elixir ];
GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt"; GIT_SSL_CAINFO = "${cacert}/etc/ssl/certs/ca-bundle.crt";
@ -74,7 +75,7 @@ in stdenv.mkDerivation rec {
outputHashMode = "recursive"; outputHashMode = "recursive";
outputHashAlgo = "sha256"; outputHashAlgo = "sha256";
outputHash = "1q9yzccn4zf5i4hibq1r0i34q4986a93ph4792l1ph07aiisc8p7"; outputHash = "1v3h0c7kfifb6wsfxyv5j1wc7rlxbb7r0pgd4s340wiyxnllzzhk";
}; };
configureFlags = configureFlags =
@ -92,6 +93,10 @@ in stdenv.mkDerivation rec {
enableParallelBuilding = true; enableParallelBuilding = true;
patches = [
./ejabberdctl.patch
];
preBuild = '' preBuild = ''
cp -r $deps deps cp -r $deps deps
chmod -R +w deps chmod -R +w deps
@ -101,18 +106,18 @@ in stdenv.mkDerivation rec {
postInstall = '' postInstall = ''
sed -i \ sed -i \
-e '2iexport PATH=${ctlpath}:$PATH' \ -e '2iexport PATH=${ctlpath}:$PATH' \
-e 's,\(^ *FLOCK=\).*,\1${utillinux}/bin/flock,' \ -e 's,\(^ *FLOCK=\).*,\1${flock}/bin/flock,' \
-e 's,\(^ *JOT=\).*,\1,' \ -e 's,\(^ *JOT=\).*,\1,' \
-e 's,\(^ *CONNLOCKDIR=\).*,\1/var/lock/ejabberdctl,' \ -e 's,\(^ *CONNLOCKDIR=\).*,\1/var/lock/ejabberdctl,' \
$out/sbin/ejabberdctl $out/sbin/ejabberdctl
''; '';
meta = { meta = with stdenv.lib; {
description = "Open-source XMPP application server written in Erlang"; description = "Open-source XMPP application server written in Erlang";
license = lib.licenses.gpl2; license = licenses.gpl2;
homepage = http://www.ejabberd.im; homepage = http://www.ejabberd.im;
platforms = lib.platforms.linux; platforms = platforms.linux;
maintainers = [ lib.maintainers.sander lib.maintainers.abbradar ]; maintainers = with maintainers; [ sander abbradar ];
broken = withElixir; broken = withElixir;
}; };
} }

32
krebs/5pkgs/simple/ejabberd/ejabberdctl.patch Normal file
View file

@ -0,0 +1,32 @@
--- a/ejabberdctl.template 1970-01-01 01:00:01.000000000 +0100
+++ b/ejabberdctl.template 2018-04-24 23:06:54.127715441 +0200
@@ -42,19 +42,18 @@
esac
# parse command line parameters
-for arg; do
- case $arg in
- -n|--node) ERLANG_NODE_ARG=$2; shift;;
- -s|--spool) SPOOL_DIR=$2; shift;;
- -l|--logs) LOGS_DIR=$2; shift;;
- -f|--config) EJABBERD_CONFIG_PATH=$2; shift;;
- -c|--ctl-config) EJABBERDCTL_CONFIG_PATH=$2; shift;;
- -d|--config-dir) ETC_DIR=$2; shift;;
- -t|--no-timeout) NO_TIMEOUT="--no-timeout";;
- --) :;;
+while test $# -gt 0; do
+ case $1 in
+ -n|--node) ERLANG_NODE_ARG=$2; shift 2;;
+ -s|--spool) SPOOL_DIR=$2; shift 2;;
+ -l|--logs) LOGS_DIR=$2; shift 2;;
+ -f|--config) EJABBERD_CONFIG_PATH=$2; shift 2;;
+ -c|--ctl-config) EJABBERDCTL_CONFIG_PATH=$2; shift 2;;
+ -d|--config-dir) ETC_DIR=$2; shift 2;;
+ -t|--no-timeout) NO_TIMEOUT="--no-timeout"; shift 1;;
+ # --) :;; what is this for?
*) break;;
esac
- shift
done
# define ejabberd variables if not already defined from the command line

46
krebs/5pkgs/simple/generate-secrets/default.nix Normal file
View file

@ -0,0 +1,46 @@
{ pkgs }:
pkgs.writeDashBin "generate-secrets" ''
HOSTNAME="$1"
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1)
HASHED_PASSWORD=$(echo $PASSWORD | ${pkgs.hashPassword}/bin/hashPassword -s) > /dev/null
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null
${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null
cat <<EOF > $TMPDIR/hashedPasswords.nix
{
root = "$HASHED_PASSWORD";
}
EOF
cd $TMPDIR
for x in *; do
${pkgs.coreutils}/bin/cat $x | ${pkgs.brain}/bin/brain insert -m krebs-secrets/$HOSTNAME/$x > /dev/null
done
echo $PASSWORD | ${pkgs.brain}/bin/brain insert -m hosts/$HOSTNAME/root > /dev/null
cat <<EOF
$HOSTNAME = {
cores = 1;
owner = config.krebs.users.krebs;
nets = {
retiolum = {
ip4.addr = "10.243.0.changeme";
ip6.addr = "42:0:0:0:0:0:0:changeme";
aliases = [
"$HOSTNAME.r"
];
tinc.pubkey = ${"''"}
$(cat $TMPDIR/retiolum.rsa_key.pub)
${"''"};
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";
};
EOF
rm -rf $TMPDIR
''

4
krebs/5pkgs/simple/kops.nix
View file

@ -2,6 +2,6 @@
fetchgit { fetchgit {
url = https://cgit.krebsco.de/kops; url = https://cgit.krebsco.de/kops;
rev = "refs/tags/v1.0.0"; rev = "refs/tags/v1.1.0";
sha256 = "0wg8d80sxa46z4i7ir79sci2hwmv3qskzqdg0si64p6vazy8vckb"; sha256 = "0k3zhv2830z4bljcdvf6ciwjihk2zzcn9y23p49c6sba5hbsd6jb";
} }

36
krebs/5pkgs/simple/pssh/default.nix
View file

@ -1,36 +0,0 @@
{ writeDashBin }:
writeDashBin "pssh" ''
set -efu
case ''${1-} in
# TODO create plog with -o json | jq ... | map date
# usage: pssh {-j,--journal} host...
# Follow journal at each host.
-j|--journal)
shift
"$0" journalctl -n0 -ocat --follow --all ::: "$@" \
| while read line; do
printf '%s %s\n' "$(date --rfc-3339=s)" "$line"
done
;;
-*)
echo $0: unknown option: $1 >&2
exit 1
;;
# usage: pssh command [arg...] ::: host...
# Run command at each host.
*)
exec parallel \
--line-buffer \
-j0 \
--no-notice \
--tagstring {} \
ssh -T {} "$@"
;;
esac
''

15
krebs/5pkgs/simple/ucspi-tcp/chmod.patch
View file

@ -1,15 +0,0 @@
diff --git a/hier.c b/hier.c
index 5663ada..1d73b84 100644
--- a/hier.c
+++ b/hier.c
@@ -2,8 +2,8 @@
void hier()
{
- h(auto_home,-1,-1,02755);
- d(auto_home,"bin",-1,-1,02755);
+ h(auto_home,-1,-1,0755);
+ d(auto_home,"bin",-1,-1,0755);
c(auto_home,"bin","tcpserver",-1,-1,0755);
c(auto_home,"bin","tcprules",-1,-1,0755);

86
krebs/5pkgs/simple/ucspi-tcp/default.nix
View file

@ -1,86 +0,0 @@
{ stdenv, fetchurl }:
stdenv.mkDerivation rec {
name = "ucspi-tcp-0.88";
src = fetchurl {
url = "http://cr.yp.to/ucspi-tcp/${name}.tar.gz";
sha256 = "171yl9kfm8w7l17dfxild99mbf877a9k5zg8yysgb1j8nz51a1ja";
};
# Plain upstream tarball doesn't build, get patches from Debian
patches = [
(fetchurl {
url = "http://ftp.de.debian.org/debian/pool/main/u/ucspi-tcp/ucspi-tcp_0.88-3.diff.gz";
sha256 = "0mzmhz8hjkrs0khmkzs5i0s1kgmgaqz07h493bd5jj5fm5njxln6";
})
./chmod.patch
];
# Apply Debian patches
postPatch = ''
for fname in debian/diff/*.diff; do
echo "Applying patch $fname"
patch < "$fname"
done
'';
# The build system is weird; 'make install' doesn't install anything, instead
# it builds an executable called ./install (from C code) which installs
# binaries to the directory given on line 1 in ./conf-home.
#
# Also, assume getgroups and setgroups work, instead of doing a build time
# test that breaks on NixOS (I think because nixbld users lack CAP_SETGID
# capability).
preBuild = ''
echo "$out" > conf-home
echo "main() { return 0; }" > chkshsgr.c
'';
installPhase = ''
mkdir -p "$out/bin"
mkdir -p "$out/share/man/man1"
# run the newly built installer
./install
# Install Debian man pages (upstream has none)
cp debian/ucspi-tcp-man/*.1 "$out/share/man/man1"
'';
meta = with stdenv.lib; {
description = "Command-line tools for building TCP client-server applications";
longDescription = ''
tcpserver waits for incoming connections and, for each connection, runs a
program of your choice. Your program receives environment variables
showing the local and remote host names, IP addresses, and port numbers.
tcpserver offers a concurrency limit to protect you from running out of
processes and memory. When you are handling 40 (by default) simultaneous
connections, tcpserver smoothly defers acceptance of new connections.
tcpserver also provides TCP access control features, similar to
tcp-wrappers/tcpd's hosts.allow but much faster. Its access control rules
are compiled into a hashed format with cdb, so it can easily deal with
thousands of different hosts.
This package includes a recordio tool that monitors all the input and
output of a server.
tcpclient makes a TCP connection and runs a program of your choice. It
sets up the same environment variables as tcpserver.
This package includes several sample clients built on top of tcpclient:
who@, date@, finger@, http@, tcpcat, and mconnect.
tcpserver and tcpclient conform to UCSPI, the UNIX Client-Server Program
Interface, using the TCP protocol. UCSPI tools are available for several
different networks.
'';
homepage = http://cr.yp.to/ucspi-tcp.html;
license = licenses.publicDomain;
platforms = platforms.linux;
maintainers = [ maintainers.bjornfor ];
};
}

29
krebs/5pkgs/simple/urlwatch/default.nix
View file

@ -1,29 +0,0 @@
{ stdenv, fetchFromGitHub, python3Packages }:
python3Packages.buildPythonApplication rec {
name = "urlwatch-${version}";
version = "2.8";
src = fetchFromGitHub {
owner = "thp";
repo = "urlwatch";
rev = version;
sha256 = "1nja7n6pc45azd3l1xyvav89855lvcgwabrvf34rps81dbl8cnl4";
};
propagatedBuildInputs = with python3Packages; [
appdirs
keyring
minidb
pycodestyle
pyyaml
requests
];
meta = with stdenv.lib; {
description = "A tool for monitoring webpages for updates";
homepage = https://thp.io/2008/urlwatch/;
license = licenses.bsd3;
maintainers = with maintainers; [ tv ];
};
}

2
krebs/kops.nix
View file

@ -13,7 +13,7 @@
krebs-source = { krebs-source = {
nixpkgs.git = { nixpkgs.git = {
ref = "4b4bbce199d3b3a8001ee93495604289b01aaad3"; ref = "b50443b5c4ac0f382c49352a892b9d5d970eb4e7";
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
}; };
stockholm.file = toString ../.; stockholm.file = toString ../.;

2
lass/1systems/cabal/config.nix
View file

@ -13,9 +13,9 @@
<stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/AP.nix>
]; ];
krebs.build.host = config.krebs.hosts.cabal; krebs.build.host = config.krebs.hosts.cabal;

2
lass/1systems/daedalus/config.nix
View file

@ -8,9 +8,9 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/boot/coreboot.nix> <stockholm/lass/2configs/boot/coreboot.nix>
<stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/backup.nix>
{ {
# bubsy config # bubsy config
users.users.bubsy = { users.users.bubsy = {

50
lass/1systems/echelon/config.nix
View file

@ -1,50 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (import <stockholm/lass/4lib> { inherit pkgs lib; }) getDefaultGateway;
ip = config.krebs.build.host.nets.internet.ip4.addr;
in {
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/os-templates/CAC-CentOS-7-64bit.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/privoxy-retiolum.nix>
<stockholm/lass/2configs/git.nix>
{
networking.interfaces.enp2s1.ip4 = [
{
address = ip;
prefixLength = 24;
}
];
networking.defaultGateway = getDefaultGateway ip;
networking.nameservers = [
"8.8.8.8"
];
}
{
sound.enable = false;
}
{
users.extraUsers = {
satan = {
name = "satan";
uid = 1338;
home = "/home/satan";
group = "users";
createHome = true;
useDefaultShell = true;
extraGroups = [
];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+l3ajjOd80uJBM8oHO9HRbtA5hK6hvrpxxnk7qWW7OloT9IXcoM8bbON755vK0O6XyxZo1JZ1SZ7QIaOREGVIRDjcbJbqD3O+nImc6Rzxnrz7hvE+tuav9Yylwcw5HeQi82UIMGTEAwMHwLvsW6R/xyMCuOTbbzo9Ib8vlJ8IPDECY/05RhL7ZYFR0fdphI7jq7PobnO8WEpCZDhMvSYjO9jf3ac53wyghT3gH7AN0cxTR9qgQlPHhTbw+nZEI0sUKtrIhjfVE80wgK3NQXZZj7YAplRs/hYwSi7i8V0+8CBt2epc/5RKnJdDHFQnaTENq9kYQPOpUCP6YUwQIo8X nineinchnade@gmail.com"
];
};
};
}
];
krebs.build.host = config.krebs.hosts.echelon;
}

36
lass/1systems/helios/config.nix
View file

@ -17,6 +17,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/dcso-dev.nix> <stockholm/lass/2configs/dcso-dev.nix>
<stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/rtl-sdr.nix> <stockholm/lass/2configs/rtl-sdr.nix>
<stockholm/lass/2configs/backup.nix>
{ # automatic hardware detection { # automatic hardware detection
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
@ -137,35 +138,14 @@ with import <stockholm/lib>;
networking.hostName = lib.mkForce "BLN02NB0162"; networking.hostName = lib.mkForce "BLN02NB0162";
security.pki.certificateFiles = [ security.pki.certificateFiles = [
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "006j61q2z44z6d92638iin6r46r4cj82ipwm37784h34i5x4mp0d"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "1nkd1rjcn02q9xxjg7sw79lbwy08i7hb4v4pn98djknvcmplpz5m"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "094m12npglnnv1nf1ijcv70p8l15l00id44qq7rwynhcgxi5539i"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "1anfncdf5xsp219kryncv21ra87flpzcjwcc85hzvlwbxhid3g4x"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "035kkfizyl5dndj7rhvmy91rr75lakqbqgjx4dpiw0kqq369mz8r"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "14fpzx1qjs9ws9sz0y7pb6j40336xlckkqcm2rc5j86yn7r22lp7"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "1yjl3kyw4chc8vw7bnqac2h9vn8dxryw7lr7i03lqi9sdvs4108s"; })
(pkgs.writeText "minio.cert" ''
-----BEGIN CERTIFICATE-----
MIIDFDCCAfygAwIBAgIQBEKYm9VmbR6T/XNLP2P5kDANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQKEwdBY21lIENvMB4XDTE4MDIxNDEyNTk1OVoXDTE5MDIxNDEyNTk1
OVowEjEQMA4GA1UEChMHQWNtZSBDbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAMmRGUTMDxOaoEZ3osG1ZpGj4enHl6ToWaoCXvRXvI6RB/99QOFlwLdL
8lGjIbXyovNkH686pVsfgCTOLRGzftWHmWgfmaSUv0TToBW8F9DN4ww9YgiLZjvV
YZunRyp1n0x9OrBXMs7xEBBa4q0AG1IvlRJTrd7CW519FlVq7T95LLB7P6t6K54C
ksG4kEzXLRPD/FMdU7LWbhWnQSOxPMCq8erTv3kW3A3Y9hSAKOFQKQHH/3O2HDrM
CbK5ldNklswg2rIHxx7kg1fteLD1lVCNPfCMfuwlLUaMeoRZ03HDof8wFlRz3pzw
hQRWPvfLfRvFCZ0LFNvfgAqXtmG/ywUCAwEAAaNmMGQwDgYDVR0PAQH/BAQDAgKk
MBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wLAYDVR0RBCUw
I4IJbG9jYWxob3N0ggZoZWxpb3OCCGhlbGlvcy5yhwR/AAABMA0GCSqGSIb3DQEB
CwUAA4IBAQBzrPb3NmAn60awoJG3d4BystaotaFKsO3iAnP4Lfve1bhKRELIjJ30
hX/mRYkEVRbfwKRgkkLab4zpJ/abjb3DjFNo8E4QPNeCqS+8xxeBOf7x61Kg/0Ox
jRQ95fTATyItiChwNkoxYjVIwosqxBVsbe3KxwhkmKPQ6wH/nvr6URX/IGUz2qWY
EqHdjsop83u4Rjn3C0u46U0P+W4U5IFiLfcE3RzFFYh67ko5YEhkyXP+tBNSgrTM
zFisVoQZdXpMCWWxBVWulB4FvvTx3jKUPRZVOrfexBfY4TA/PyhXLoz7FeEK9n2a
qFkrxy+GrHBXfSRZgCaHQFdKorg2fwwa
-----END CERTIFICATE-----
'')
]; ];
programs.adb.enable = true; programs.adb.enable = true;

2
lass/1systems/icarus/config.nix
View file

@ -14,9 +14,9 @@
<stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>
]; ];
krebs.build.host = config.krebs.hosts.icarus; krebs.build.host = config.krebs.hosts.icarus;

2
lass/1systems/littleT/config.nix
View file

@ -8,7 +8,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/boot/stock-x220.nix> <stockholm/lass/2configs/boot/stock-x220.nix>
<stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/backups.nix> <stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/steam.nix>
{ {
users.users.blacky = { users.users.blacky = {

46
lass/1systems/mors/config.nix
View file

@ -33,6 +33,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ableton.nix> <stockholm/lass/2configs/ableton.nix>
<stockholm/lass/2configs/dunst.nix> <stockholm/lass/2configs/dunst.nix>
<stockholm/lass/2configs/rtl-sdr.nix> <stockholm/lass/2configs/rtl-sdr.nix>
<stockholm/lass/2configs/backup.nix>
{ {
#risk of rain port #risk of rain port
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
@ -140,7 +141,18 @@ with import <stockholm/lib>;
dpass dpass
dnsutils dnsutils
woeusb
l-gen-secrets
generate-secrets generate-secrets
(pkgs.writeDashBin "btc-coinbase" ''
${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount'
'')
(pkgs.writeDashBin "btc-wex" ''
${pkgs.curl}/bin/curl -Ss 'https://wex.nz/api/3/ticker/btc_eur' | ${pkgs.jq}/bin/jq '.btc_eur.avg'
'')
(pkgs.writeDashBin "btc-kraken" ''
${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
'')
]; ];
#TODO: fix this shit #TODO: fix this shit
@ -177,4 +189,38 @@ with import <stockholm/lib>;
programs.adb.enable = true; programs.adb.enable = true;
users.users.mainUser.extraGroups = [ "adbusers" "docker" ]; users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
services.redshift = {
enable = true;
provider = "geoclue2";
};
lass.restic = genAttrs [
"daedalus"
"icarus"
"littleT"
"prism"
"shodan"
"skynet"
] (dest: {
dirs = [
"/home/lass/src"
"/home/lass/work"
"/home/lass/.gnupg"
"/home/lass/Maildir"
"/home/lass/stockholm"
"/home/lass/.password-store"
"/home/bitcoin"
"/home/bch"
];
passwordFile = (toString <secrets>) + "/restic/${dest}";
repo = "sftp:backup@${dest}.r:/backups/mors";
#sshPrivateKey = config.krebs.build.host.ssh.privkey.path;
extraArguments = [
"sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
];
timerConfig = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
};
});
} }

114
lass/1systems/prism/config.nix
View file

@ -8,11 +8,15 @@ in {
imports = [ imports = [
<stockholm/lass> <stockholm/lass>
{ {
networking.interfaces.et0.ip4 = [ networking.interfaces.et0.ipv4.addresses = [
{ {
address = ip; address = ip;
prefixLength = 27; prefixLength = 27;
} }
{
address = "46.4.114.243";
prefixLength = 27;
}
]; ];
networking.defaultGateway = "46.4.114.225"; networking.defaultGateway = "46.4.114.225";
networking.nameservers = [ networking.nameservers = [
@ -100,6 +104,7 @@ in {
]; ];
} }
{ # TODO make new hfos.nix out of this vv { # TODO make new hfos.nix out of this vv
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users.riot = { users.users.riot = {
uid = genid "riot"; uid = genid "riot";
isNormalUser = true; isNormalUser = true;
@ -110,29 +115,13 @@ in {
}; };
# TODO write function for proxy_pass (ssl/nonssl) # TODO write function for proxy_pass (ssl/nonssl)
services.nginx.virtualHosts."hackerfleet.de" = {
serverAliases = [ krebs.iptables.tables.filter.FORWARD.rules = [
"*.hackerfleet.de" { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; }
]; ];
locations."/".extraConfig = '' krebs.iptables.tables.nat.PREROUTING.rules = [
proxy_pass http://192.168.122.92:80; { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; }
''; ];
};
services.nginx.virtualHosts."hackerfleet.de-s" = {
serverName = "hackerfleet.de";
listen = [
{
addr = "0.0.0.0";
port = 443;
}
];
serverAliases = [
"*.hackerfleet.de"
];
locations."/".extraConfig = ''
proxy_pass http://192.168.122.92:443;
'';
};
} }
{ {
users.users.tv = { users.users.tv = {
@ -201,26 +190,6 @@ in {
localAddress = "10.233.2.2"; localAddress = "10.233.2.2";
}; };
} }
{
#kaepsele
systemd.services."container@kaepsele".reloadIfChanged = mkForce false;
containers.kaepsele = {
config = { ... }: {
imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
tv.pubkey
];
};
autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.3";
localAddress = "10.233.2.4";
};
}
{ {
#onondaga #onondaga
systemd.services."container@onondaga".reloadIfChanged = mkForce false; systemd.services."container@onondaga".reloadIfChanged = mkForce false;
@ -249,13 +218,12 @@ in {
<stockholm/lass/2configs/repo-sync.nix> <stockholm/lass/2configs/repo-sync.nix>
<stockholm/lass/2configs/binary-cache/server.nix> <stockholm/lass/2configs/binary-cache/server.nix>
<stockholm/lass/2configs/iodined.nix> <stockholm/lass/2configs/iodined.nix>
<stockholm/lass/2configs/monitoring/server.nix>
<stockholm/lass/2configs/monitoring/monit-alarms.nix>
<stockholm/lass/2configs/paste.nix> <stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/reaktor-coders.nix> <stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix> <stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/monitoring/prometheus-server.nix>
{ # quasi bepasty.nix { # quasi bepasty.nix
imports = [ imports = [
<stockholm/lass/2configs/bepasty.nix> <stockholm/lass/2configs/bepasty.nix>
@ -336,6 +304,60 @@ in {
{ predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
]; ];
} }
<stockholm/lass/2configs/go.nix>
{
environment.systemPackages = [ pkgs.cryptsetup ];
systemd.services."container@red".reloadIfChanged = mkForce false;
containers.red = {
config = { ... }: {
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.3";
localAddress = "10.233.2.4";
};
services.nginx.virtualHosts."rote-allez-fraktion.de" = {
enableACME = true;
addSSL = true;
locations."/" = {
extraConfig = ''
proxy_set_header Host rote-allez-fraktion.de;
proxy_pass http://10.233.2.4;
'';
};
};
}
{
imports = [ <stockholm/lass/2configs/backup.nix> ];
lass.restic = genAttrs [
"daedalus"
"icarus"
"littleT"
"mors"
"shodan"
"skynet"
] (dest: {
dirs = [
"/home/chat/.weechat"
"/bku/sql_dumps"
];
passwordFile = (toString <secrets>) + "/restic/${dest}";
repo = "sftp:backup@${dest}.r:/backups/prism";
extraArguments = [
"sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
];
timerConfig = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
};
});
}
]; ];
krebs.build.host = config.krebs.hosts.prism; krebs.build.host = config.krebs.hosts.prism;

31
lass/1systems/red/config.nix Normal file
View file

@ -0,0 +1,31 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
let
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
servephpBB
;
in
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/websites>
<stockholm/lass/2configs/websites/sqlBackup.nix>
(servephpBB [ "rote-allez-fraktion.de" ])
];
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
];
krebs.build.host = config.krebs.hosts.red;
boot.isContainer = true;
networking.useDHCP = false;
services.nginx.enable = true;
environment.variables.NIX_REMOTE = "daemon";
environment.systemPackages = [
pkgs.mk_sql_pair
];
}

3
lass/1systems/echelon/source.nix → lass/1systems/red/source.nix
View file

@ -1,3 +1,4 @@
import <stockholm/lass/source.nix> { import <stockholm/lass/source.nix> {
name = "echelon"; name = "red";
secure = true;
} }

2
lass/1systems/shodan/config.nix
View file

@ -15,9 +15,9 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>
]; ];
krebs.build.host = config.krebs.hosts.shodan; krebs.build.host = config.krebs.hosts.shodan;

1
lass/1systems/skynet/config.nix
View file

@ -9,7 +9,6 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/retiolum.nix>
#<stockholm/lass/2configs/exim-retiolum.nix> #<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
{ {
# discordius config # discordius config
services.xserver.enable = true; services.xserver.enable = true;

6
lass/1systems/xerxes/source.nix
View file

@ -2,10 +2,4 @@ with import <stockholm/lib>;
import <stockholm/lass/source.nix> { import <stockholm/lass/source.nix> {
name = "xerxes"; name = "xerxes";
secure = true; secure = true;
override = {
nixpkgs.git = mkForce {
url = https://github.com/lassulus/nixpkgs;
ref = "3eccd0b";
};
};
} }

77
lass/2configs/AP.nix Normal file
View file

@ -0,0 +1,77 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
let
wifi = "wlp0s29u1u2";
in {
boot.extraModulePackages = [
pkgs.linuxPackages.rtl8814au
];
networking.networkmanager.unmanaged = [ wifi ];
systemd.services.hostapd = {
description = "hostapd wireless AP";
path = [ pkgs.hostapd ];
wantedBy = [ "network.target" ];
after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ];
serviceConfig = {
ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" ''
interface=${wifi}
hw_mode=a
channel=36
ieee80211d=1
country_code=DE
ieee80211n=1
ieee80211ac=1
wmm_enabled=1
# 5ghz
ssid=krebsing
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=aidsballz
''}";
Restart = "always";
};
};
networking.interfaces.${wifi}.ipv4.addresses = [
{ address = "10.99.0.1"; prefixLength = 24; }
];
services.dhcpd4 = {
enable = true;
interfaces = [ wifi ];
extraConfig = ''
option subnet-mask 255.255.255.0;
option routers 10.99.0.1;
option domain-name-servers 1.1.1.1, 8.8.8.8;
subnet 10.99.0.0 netmask 255.255.255.0 {
range 10.99.0.100 10.99.0.200;
}
'';
};
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; }
{ v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; }
{ v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
#TODO find out what this is about?
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
];
}

20
lass/2configs/backup.nix Normal file
View file

@ -0,0 +1,20 @@
{ config, lib, ... }:
with import <stockholm/lib>;
{
fileSystems = {
"/backups" = {
device = "/dev/pool/backup";
fsType = "ext4";
};
};
users.users.backup = {
useDefaultShell = true;
home = "/backups";
createHome = true;
openssh.authorizedKeys.keys = with config.krebs.hosts; [
mors.ssh.pubkey
prism.ssh.pubkey
];
};
}

173
lass/2configs/backups.nix
View file

@ -1,173 +0,0 @@
{ config, lib, ... }:
with import <stockholm/lib>;
{
# TODO add timerConfig to krebs.backup and randomize startup
# TODO define plans more abstract
krebs.backup.plans = {
} // mapAttrs (_: recursiveUpdate {
snapshots = {
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
}) {
dishfire-http-prism = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; };
startAt = "03:00";
};
dishfire-http-icarus = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-http"; };
startAt = "03:10";
};
dishfire-http-mors = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
startAt = "03:05";
};
dishfire-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; };
startAt = "03:10";
};
dishfire-sql-prism = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; };
startAt = "03:15";
};
dishfire-sql-icarus = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-sql"; };
startAt = "03:25";
};
dishfire-sql-mors = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
startAt = "03:20";
};
dishfire-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; };
startAt = "03:25";
};
prism-bitlbee-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-bitlbee-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-bitlbee-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-chat-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-chat"; };
startAt = "03:35";
};
prism-chat-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
startAt = "03:30";
};
prism-chat-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; };
startAt = "03:35";
};
prism-sql-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-sql_dumps"; };
startAt = "03:45";
};
prism-sql-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
startAt = "03:40";
};
prism-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; };
startAt = "03:45";
};
prism-http-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-http"; };
startAt = "03:55";
};
prism-http-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
startAt = "03:50";
};
prism-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; };
startAt = "03:55";
};
icarus-home-mors = {
method = "pull";
src = { host = config.krebs.hosts.icarus; path = "/home"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/icarus-home"; };
startAt = "05:00";
};
icarus-home-shodan = {
method = "push";
src = { host = config.krebs.hosts.icarus; path = "/home"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/icarus-home"; };
startAt = "05:00";
};
mors-home-icarus = {
method = "push";
src = { host = config.krebs.hosts.mors; path = "/home"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/mors-home"; };
startAt = "05:00";
};
mors-home-shodan = {
method = "push";
src = { host = config.krebs.hosts.mors; path = "/home"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; };
startAt = "05:00";
};
shodan-home-icarus = {
method = "pull";
src = { host = config.krebs.hosts.shodan; path = "/home"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/shodan-home"; };
startAt = "04:00";
};
shodan-home-mors = {
method = "pull";
src = { host = config.krebs.hosts.shodan; path = "/home"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; };
startAt = "04:00";
};
};
}

1
lass/2configs/baseX.nix
View file

@ -9,7 +9,6 @@ in {
./power-action.nix ./power-action.nix
./copyq.nix ./copyq.nix
./livestream.nix ./livestream.nix
./dns-stuff.nix
./urxvt.nix ./urxvt.nix
./network-manager.nix ./network-manager.nix
{ {

10
lass/2configs/bitcoin.nix
View file

@ -10,9 +10,6 @@ in {
krebs.per-user.bitcoin.packages = [ krebs.per-user.bitcoin.packages = [
pkgs.electrum pkgs.electrum
]; ];
krebs.per-user.ethereum.packages = [
pkgs.go-ethereum
];
users.extraUsers = { users.extraUsers = {
bch = { bch = {
name = "bch"; name = "bch";
@ -28,13 +25,6 @@ in {
useDefaultShell = true; useDefaultShell = true;
createHome = true; createHome = true;
}; };
ethereum = {
name = "ethereum";
description = "user for ethereum stuff";
home = "/home/ethereum";
useDefaultShell = true;
createHome = true;
};
}; };
security.sudo.extraConfig = '' security.sudo.extraConfig = ''
${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL ${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL

1
lass/2configs/dcso-dev.nix
View file

@ -9,6 +9,7 @@ in {
dev = { dev = {
name = "dev"; name = "dev";
uid = genid "dev"; uid = genid "dev";
extraGroups = [ "docker" ];
description = "user for collaborative development"; description = "user for collaborative development";
home = "/home/dev"; home = "/home/dev";
useDefaultShell = true; useDefaultShell = true;

3
lass/2configs/default.nix
View file

@ -6,10 +6,9 @@ with import <stockholm/lib>;
./gc.nix ./gc.nix
./mc.nix ./mc.nix
./vim.nix ./vim.nix
./monitoring/client.nix ./monitoring/node-exporter.nix
./zsh.nix ./zsh.nix
./htop.nix ./htop.nix
./backups.nix
./security-workarounds.nix ./security-workarounds.nix
{ {
users.extraUsers = users.extraUsers =

16
lass/2configs/dns-stuff.nix
View file

@ -1,16 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
services.dnscrypt-proxy = {
enable = true;
localAddress = "127.1.0.1";
customResolver = {
address = config.krebs.hosts.gum.nets.internet.ip4.addr;
port = 15251;
name = "2.dnscrypt-cert.euer.krebsco.de";
key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C";
};
};
services.resolved.enable = true;
services.resolved.fallbackDns = [ "127.1.0.1" ];
}

1
lass/2configs/exim-smarthost.nix
View file

@ -79,6 +79,7 @@ with import <stockholm/lib>;
{ from = "ovh@lassul.us"; to = lass.mail; } { from = "ovh@lassul.us"; to = lass.mail; }
{ from = "hetzner@lassul.us"; to = lass.mail; } { from = "hetzner@lassul.us"; to = lass.mail; }
{ from = "allygator@lassul.us"; to = lass.mail; } { from = "allygator@lassul.us"; to = lass.mail; }
{ from = "immoscout@lassul.us"; to = lass.mail; }
]; ];
system-aliases = [ system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; } { from = "mailer-daemon"; to = "postmaster"; }

2
lass/2configs/gc.nix
View file

@ -3,6 +3,6 @@
with import <stockholm/lib>; with import <stockholm/lib>;
{ {
nix.gc = { nix.gc = {
automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ]; automatic = ! (elem config.krebs.build.host.name [ "prism" "mors" "helios" ] || config.boot.isContainer);
}; };
} }

14
lass/2configs/git.nix
View file

@ -57,6 +57,16 @@ let
cgit.desc = "Fork of nix-user-chroot my lethalman"; cgit.desc = "Fork of nix-user-chroot my lethalman";
cgit.section = "software"; cgit.section = "software";
}; };
nixos-aws = {
collaborators = [ {
name = "fabio";
pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFst8DvnfOu4pQJYxcwdf//jWTvP+jj0iSrOdt59c9Gbujm/8K1mBXhcSQhHj/GBRC1Qc1wipf9qZsWnEHMI+SRwq6tDr8gqlAcdWmHAs1bU96jJtc8EgmUKbXTFG/VmympMPi4cEbNUtH93v6NUjQKwq9szvDhhqSW4Y8zE32xLkySwobQapNaUrGAtQp3eTxu5Lkx+cEaaartaAspt8wSosXjUHUJktg0O5/XOP+CiWAx89AXxbQCy4XTQvUExoRGdw9sdu0lF0/A0dF4lFF/dDUS7+avY8MrKEcQ8Fwk8NcW1XrKMmCdNdpvou0whL9aHCdTJ+522dsSB1zZWh63Si4CrLKlc1TiGKCXdvzmCYrD+6WxbPJdRpMM4dFNtpAwhCm/dM+CBXfDkP0s5veFiYvp1ri+3hUqV/sep9r5/+d+5/R1gQs8WDNjWqcshveFbD5LxE6APEySB4QByGxIrw7gFbozE+PNxtlVP7bq4MyE6yIzL6ofQgO1e4THquPcqSCfCvyib5M2Q1phi5DETlMemWp84AsNkqbhRa4BGRycuOXXrBzE+RgQokcIY7t3xcu3q0xJo2+HxW/Lqi72zYU1NdT4nJMETEaG49FfIAnUuoVaQWWvOz8mQuVEmmdw2Yzo2ikILYSUdHTp1VPOeo6aNPvESkPw1eM0xDRlQ== ada";
} ];
};
krops = {
cgit.desc = "krebs deployment";
cgit.section = "software";
};
} // mapAttrs make-public-repo-silent { } // mapAttrs make-public-repo-silent {
}; };
@ -70,8 +80,8 @@ let
import <secrets/repos.nix> { inherit config lib pkgs; } import <secrets/repos.nix> { inherit config lib pkgs; }
); );
make-public-repo = name: { cgit ? {}, ... }: { make-public-repo = name: { cgit ? {}, collaborators ? [], ... }: {
inherit cgit name; inherit cgit collaborators name;
public = true; public = true;
hooks = { hooks = {
post-receive = pkgs.git-hooks.irc-announce { post-receive = pkgs.git-hooks.irc-announce {

19
lass/2configs/go.nix Normal file
View file

@ -0,0 +1,19 @@
{ config, lib, pkgs, ... }:
{
krebs.go = {
enable = true;
};
services.nginx = {
enable = true;
virtualHosts.go = {
locations."/".extraConfig = ''
proxy_set_header Host go.lassul.us;
proxy_pass http://localhost:1337;
'';
serverAliases = [
"go.lassul.us"
];
};
};
}

5
lass/2configs/mail.nix
View file

@ -206,8 +206,11 @@ in {
msmtp msmtp
mutt mutt
pkgs.much pkgs.much
pkgs.notmuch
tag-new-mails tag-new-mails
tag-old-mails tag-old-mails
]; ];
nixpkgs.config.packageOverrides = opkgs: {
notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; }));
};
} }

26
lass/2configs/monitoring/client.nix
View file

@ -1,26 +0,0 @@
{pkgs, config, ...}:
with import <stockholm/lib>;
{
services.telegraf = {
enable = true;
extraConfig = {
agent.interval = "1s";
outputs = {
influxdb = {
urls = ["http://prism:8086"];
database = "telegraf_db";
user_agent = "telegraf";
};
};
inputs = {
cpu = {
percpu = false;
totalcpu = true;
};
mem = {};
net = {};
};
};
};
}

44
lass/2configs/monitoring/monit-alarms.nix
View file

@ -1,44 +0,0 @@
{pkgs, config, ...}:
with import <stockholm/lib>;
let
echoToIrc = msg:
pkgs.writeDash "echo_irc" ''
set -euf
export LOGNAME=prism-alarm
${pkgs.irc-announce}/bin/irc-announce \
irc.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null
'';
in {
krebs.monit = {
enable = true;
http.enable = true;
alarms = {
nirwanabluete = {
test = "${pkgs.curl}/bin/curl -sf 'https://nirwanabluete.de/'";
alarm = echoToIrc "test nirwanabluete failed";
};
ubik = {
test = "${pkgs.curl}/bin/curl -sf 'https://ubikmedia.de'";
alarm = echoToIrc "test ubik failed";
};
cac-panel = {
test = "${pkgs.curl}/bin/curl -sf 'https://panel.cloudatcost.com/login.php'";
alarm = echoToIrc "test cac-panel failed";
};
radio = {
test = pkgs.writeBash "check_stream" ''
${pkgs.curl}/bin/curl -sif http://lassul.us:8000/radio.ogg \
| ${pkgs.gawk}/bin/awk '/^\r$/{exit}{print $0}' \
| ${pkgs.gnugrep}/bin/grep -q "200 OK" || exit "''${PIPESTATUS[0]}"
'';
alarm = echoToIrc "test radio failed";
};
};
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp -i retiolum --dport 9093"; target = "ACCEPT"; }
];
}

15
lass/2configs/monitoring/node-exporter.nix Normal file
View file

@ -0,0 +1,15 @@
{ config, lib, pkgs, ... }:
{
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip4.addr}"; target = "ACCEPT"; v6 = false; }
{ predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip6.addr}"; target = "ACCEPT"; v4 = false; }
];
services.prometheus.exporters = {
node = {
enable = true;
enabledCollectors = [
"systemd"
];
};
};
}

217
lass/2configs/monitoring/prometheus-server.nix Normal file
View file

@ -0,0 +1,217 @@
{ pkgs, lib, config, ... }:
{
#networking = {
# firewall.allowedTCPPorts = [
# 3000 # grafana
# 9090 # prometheus
# 9093 # alertmanager
# ];
# useDHCP = true;
#};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 3000"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 9090"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; }
];
services = {
prometheus = {
enable = true;
extraFlags = [
"-storage.local.retention 8760h"
"-storage.local.series-file-shrink-ratio 0.3"
"-storage.local.memory-chunks 2097152"
"-storage.local.max-chunks-to-persist 1048576"
"-storage.local.index-cache-size.fingerprint-to-metric 2097152"
"-storage.local.index-cache-size.fingerprint-to-timerange 1048576"
"-storage.local.index-cache-size.label-name-to-label-values 2097152"
"-storage.local.index-cache-size.label-pair-to-fingerprints 41943040"
];
alertmanagerURL = [ "http://localhost:9093" ];
rules = [
''
ALERT node_down
IF up == 0
FOR 5m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Node is down.",
description = "{{$labels.alias}} has been down for more than 5 minutes."
}
ALERT node_systemd_service_failed
IF node_systemd_unit_state{state="failed"} == 1
FOR 4m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.",
description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}."
}
ALERT node_filesystem_full_90percent
IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3
FOR 5m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Filesystem is running out of space soon.",
description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem."
}
ALERT node_filesystem_full_in_4h
IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0
FOR 5m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.",
description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours"
}
ALERT node_filedescriptors_full_in_3h
IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum
FOR 20m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.",
description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours"
}
ALERT node_load1_90percent
IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9
FOR 1h
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Running on high load.",
description = "{{$labels.alias}} is running with > 90% total load for at least 1h."
}
ALERT node_cpu_util_90percent
IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90
FOR 1h
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: High CPU utilization.",
description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h."
}
ALERT node_ram_using_90percent
IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1
FOR 30m
LABELS {
severity="page"
}
ANNOTATIONS {
summary="{{$labels.alias}}: Using lots of RAM.",
description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.",
}
ALERT node_swap_using_80percent
IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8
FOR 10m
LABELS {
severity="page"
}
ANNOTATIONS {
summary="{{$labels.alias}}: Running out of swap soon.",
description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now."
}
''
];
scrapeConfigs = [
{
job_name = "node";
scrape_interval = "10s";
static_configs = [
{
targets = [
] ++ map (host: "${host}:9100") (lib.attrNames (lib.filterAttrs (_: host: host.owner.name == "lass" && host.monitoring) config.krebs.hosts));
#labels = {
# alias = "prometheus.example.com";
#};
}
];
}
];
alertmanager = {
enable = true;
listenAddress = "0.0.0.0";
configuration = {
"global" = {
"smtp_smarthost" = "smtp.example.com:587";
"smtp_from" = "alertmanager@example.com";
};
"route" = {
"group_by" = [ "alertname" "alias" ];
"group_wait" = "30s";
"group_interval" = "2m";
"repeat_interval" = "4h";
"receiver" = "team-admins";
};
"receivers" = [
{
"name" = "team-admins";
"email_configs" = [
{
"to" = "devnull@example.com";
"send_resolved" = true;
}
];
"webhook_configs" = [
{
"url" = "http://127.0.0.1:14813/prometheus-alerts";
"send_resolved" = true;
}
];
}
];
};
};
};
grafana = {
enable = true;
addr = "0.0.0.0";
domain = "grafana.example.com";
rootUrl = "https://grafana.example.com/";
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
};
};
services.logstash = {
enable = true;
inputConfig = ''
http {
port => 14813
host => "127.0.0.1"
}
'';
filterConfig = ''
if ([alerts]) {
ruby {
code => '
lines = []
event["alerts"].each {|p|
lines << "#{p["labels"]["instance"]}#{p["annotations"]["summary"]} #{p["status"]}"
}
event["output"] = lines.join("\n")
'
}
}
'';
outputConfig = ''
file { path => "/tmp/logs.json" codec => "json_lines" }
irc {
channels => [ "#noise" ]
host => "irc.r"
nick => "alarm"
codec => "json_lines"
format => "%{output}"
}
'';
#plugins = [ ];
};
}

87
lass/2configs/monitoring/server.nix
View file

@ -1,87 +0,0 @@
{pkgs, config, ...}:
with import <stockholm/lib>;
{
services.influxdb.enable = true;
services.influxdb.extraConfig = {
meta.hostname = config.krebs.build.host.name;
# meta.logging-enabled = true;
http.bind-address = ":8086";
admin.bind-address = ":8083";
http.log-enabled = false;
monitoring = {
enabled = false;
# write-interval = "24h";
};
collectd = [{
enabled = true;
typesdb = "${pkgs.collectd}/share/collectd/types.db";
database = "collectd_db";
port = 25826;
}];
};
krebs.kapacitor =
let
db = "telegraf_db";
echoToIrc = pkgs.writeDash "echo_irc" ''
set -euf
data="$(${pkgs.jq}/bin/jq -r .message)"
export LOGNAME=prism-alarm
${pkgs.irc-announce}/bin/irc-announce \
irc.r 6667 prism-alarm \#noise "$data" >/dev/null
'';
in {
enable = true;
alarms = {
cpu = {
database = db;
text = ''
var data = batch
|query(${"'''"}
SELECT mean("usage_user") AS mean
FROM "${db}"."default"."cpu"
${"'''"})
.period(10m)
.every(1m)
.groupBy('host')
data |alert()
.crit(lambda: "mean" > 90)
.exec('${echoToIrc}')
data |deadman(1.0,5m)
.stateChangesOnly()
.exec('${echoToIrc}')
'';
};
ram = {
database = db;
text = ''
var data = batch
|query(${"'''"}
SELECT mean("used_percent") AS mean
FROM "${db}"."default"."mem"
${"'''"})
.period(10m)
.every(1m)
.groupBy('host')
data |alert()
.crit(lambda: "mean" > 90)
.exec('${echoToIrc}')
'';
};
};
};
services.grafana = {
enable = true;
addr = "0.0.0.0";
auth.anonymous.enable = true;
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; }
{ predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; }
{ predicate = "-p udp -i retiolum --dport 25826"; target = "ACCEPT"; }
];
}

15
lass/2configs/reaktor-coders.nix
View file

@ -4,7 +4,7 @@ with import <stockholm/lib>;
{ {
krebs.Reaktor.coders = { krebs.Reaktor.coders = {
nickname = "Reaktor|lass"; nickname = "Reaktor|lass";
channels = [ "#coders" "#germany" ]; channels = [ "#coders" "#germany" "#panthermoderns" ];
extraEnviron = { extraEnviron = {
REAKTOR_HOST = "irc.hackint.org"; REAKTOR_HOST = "irc.hackint.org";
}; };
@ -87,6 +87,19 @@ with import <stockholm/lib>;
exec /run/wrappers/bin/ping -q -c1 "$1" 2>&1 | tail -1 exec /run/wrappers/bin/ping -q -c1 "$1" 2>&1 | tail -1
''; '';
}) })
(buildSimpleReaktorPlugin "google" {
pattern = "^!g (?P<args>.*)$$";
script = pkgs.writeDash "google" ''
exec ${pkgs.ddgr}/bin/ddgr -C -n1 --json "$@" | \
${pkgs.jq}/bin/jq '@text "\(.[0].abstract) \(.[0].url)"'
'';
})
(buildSimpleReaktorPlugin "blockchain" {
pattern = ".*[Bb]lockchain.*$$";
script = pkgs.writeDash "blockchain" ''
exec echo 'DID SOMEBODY SAY BLOCKCHAIN? https://paste.krebsco.de/r99pMoQq/+inline'
'';
})
]; ];
}; };
} }

1
lass/2configs/repo-sync.nix
View file

@ -135,7 +135,6 @@ in {
(sync-retiolum "populate") (sync-retiolum "populate")
(sync-retiolum "stockholm") (sync-retiolum "stockholm")
(sync-retiolum "wai-middleware-time") (sync-retiolum "wai-middleware-time")
(sync-retiolum "web-routes-wai-custom")
(sync-retiolum "xmonad-stockholm") (sync-retiolum "xmonad-stockholm")
]; ];
} }

1
lass/2configs/syncthing.nix
View file

@ -3,7 +3,6 @@ with import <stockholm/lib>;
{ {
services.syncthing = { services.syncthing = {
enable = true; enable = true;
useInotify = true;
}; };
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 22000"; target = "ACCEPT";} { predicate = "-p tcp --dport 22000"; target = "ACCEPT";}

56
lass/2configs/websites/lassulus.nix
View file

@ -6,66 +6,10 @@ let
genid genid
; ;
servephpBB = domains:
let
domain = head domains;
in {
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
serverAliases = domains;
extraConfig = ''
index index.php;
root /srv/http/${domain}/;
access_log /tmp/nginx_acc.log;
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
client_max_body_size 100m;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
locations."~ \.php(?:$|/)".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_intercept_errors on;
'';
#Directives to send expires headers and turn off 404 error logging.
locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
access_log off;
log_not_found off;
expires max;
'';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
user = nginx
group = nginx
pm = dynamic
pm.max_children = 25
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 20
listen.owner = nginx
listen.group = nginx
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
'';
};
in { in {
imports = [ imports = [
./default.nix ./default.nix
../git.nix ../git.nix
(servephpBB [ "rote-allez-fraktion.de" ])
]; ];
security.acme = { security.acme = {

59
lass/2configs/websites/util.nix
View file

@ -16,7 +16,7 @@ rec {
in { in {
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
enableACME = true; enableACME = true;
enableSSL = true; onlySSL = true;
extraConfig = '' extraConfig = ''
listen 80; listen 80;
listen [::]:80; listen [::]:80;
@ -28,13 +28,66 @@ rec {
}; };
}; };
servephpBB = domains:
let
domain = head domains;
in {
services.nginx.virtualHosts."${domain}" = {
serverAliases = domains;
extraConfig = ''
index index.php;
root /srv/http/${domain}/;
access_log /tmp/nginx_acc.log;
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
client_max_body_size 100m;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
locations."~ \.php(?:$|/)".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_intercept_errors on;
'';
#Directives to send expires headers and turn off 404 error logging.
locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
access_log off;
log_not_found off;
expires max;
'';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
user = nginx
group = nginx
pm = dynamic
pm.max_children = 25
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 20
listen.owner = nginx
listen.group = nginx
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
'';
};
serveOwncloud = domains: serveOwncloud = domains:
let let
domain = head domains; domain = head domains;
in { in {
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
enableACME = true; enableACME = true;
enableSSL = true; onlySSL = true;
serverAliases = domains; serverAliases = domains;
extraConfig = '' extraConfig = ''
listen 80; listen 80;
@ -148,7 +201,7 @@ rec {
in { in {
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
enableACME = true; enableACME = true;
enableSSL = true; onlySSL = true;
serverAliases = domains; serverAliases = domains;
extraConfig = '' extraConfig = ''
listen 80; listen 80;

4
lass/2configs/zsh.nix
View file

@ -54,8 +54,8 @@
eval $(dircolors -b ${pkgs.fetchFromGitHub { eval $(dircolors -b ${pkgs.fetchFromGitHub {
owner = "trapd00r"; owner = "trapd00r";
repo = "LS_COLORS"; repo = "LS_COLORS";
rev = "master"; rev = "a75fca8545f91abb8a5f802981033ef54bf1eac0";
sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp"; sha256="1lzj0qnj89mzh76ha137mnz2hf86k278rh0y9x124ghxj9yqsnb4";
}}/LS_COLORS) }}/LS_COLORS)
alias ls='ls --color' alias ls='ls --color'
zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS} zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS}

1
lass/3modules/default.nix
View file

@ -8,6 +8,7 @@ _:
./mysql-backup.nix ./mysql-backup.nix
./news.nix ./news.nix
./pyload.nix ./pyload.nix
./restic.nix
./screenlock.nix ./screenlock.nix
./umts.nix ./umts.nix
./usershadow.nix ./usershadow.nix

119
lass/3modules/restic.nix Normal file
View file

@ -0,0 +1,119 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
{
options.lass.restic = mkOption {
type = types.attrsOf (types.submodule ({ config, ... }: {
options = {
name = mkOption {
type = types.str;
default = config._module.args.name;
};
passwordFile = mkOption {
type = types.str;
default = toString <secrets/restic-password>;
description = ''
read the repository password from a file.
'';
example = "/etc/nixos/restic-password";
};
repo = mkOption {
type = types.str;
default = "sftp:backup@prism.r:/backups/${config.name}";
description = ''
repository to backup to.
'';
example = "sftp:backup@192.168.1.100:/backups/${config.name}";
};
dirs = mkOption {
type = types.listOf types.str;
default = [];
description = ''
which directories to backup.
'';
example = [
"/var/lib/postgresql"
"/home/user/backup"
];
};
timerConfig = mkOption {
type = types.attrsOf types.str;
default = {
OnCalendar = "daily";
};
description = ''
When to run the backup. See man systemd.timer for details.
'';
example = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
};
};
user = mkOption {
type = types.str;
default = "root";
description = ''
As which user the backup should run.
'';
example = "postgresql";
};
extraArguments = mkOption {
type = types.listOf types.str;
default = [];
description = ''
Extra arguments to append to the restic command.
'';
example = [
"sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp"
];
};
initialize = mkOption {
type = types.bool;
default = false;
description = ''
Create the repository if it doesn't exist.
'';
};
};
}));
default = {};
};
config = {
systemd.services =
mapAttrs' (_: plan:
let
extraArguments = concatMapStringsSep " " (arg: "-o ${arg}") plan.extraArguments;
connectTo = elemAt (splitString ":" plan.repo) 1;
resticCmd = "${pkgs.restic}/bin/restic ${extraArguments}";
in nameValuePair "backup.${plan.name}" {
environment = {
RESTIC_PASSWORD_FILE = plan.passwordFile;
RESTIC_REPOSITORY = plan.repo;
};
path = with pkgs; [
openssh
];
restartIfChanged = false;
serviceConfig = {
ExecStartPre = mkIf plan.initialize (pkgs.writeScript "rustic-${plan.name}-init" ''
#! ${pkgs.bash}/bin/bash
${resticCmd} snapshots || ${resticCmd} init
'');
ExecStart = pkgs.writeDash "rustic-${plan.name}" (
"#! ${pkgs.bash}/bin/bash\n" +
concatMapStringsSep "\n" (dir: "${resticCmd} backup ${dir}") plan.dirs
);
User = plan.user;
};
}
) config.lass.restic;
systemd.timers =
mapAttrs' (_: plan: nameValuePair "backup.${plan.name}" {
wantedBy = [ "timers.target" ];
timerConfig = plan.timerConfig;
}) config.lass.restic;
};
}

6
lass/5pkgs/generate-secrets/default.nix → lass/5pkgs/l-gen-secrets/default.nix
View file

@ -1,5 +1,5 @@
{ pkgs }: { pkgs }:
pkgs.writeDashBin "generate-secrets" '' pkgs.writeDashBin "l-gen-secrets" ''
HOSTNAME="$1" HOSTNAME="$1"
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d) TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1) PASSWORD=$(${pkgs.pwgen}/bin/pwgen 25 1)
@ -17,9 +17,9 @@ pkgs.writeDashBin "generate-secrets" ''
cd $TMPDIR cd $TMPDIR
for x in *; do for x in *; do
${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m krebs-secrets/$HOSTNAME/$x > /dev/null
done done
echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/hosts/$HOSTNAME/pass > /dev/null echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/pass > /dev/null
cat <<EOF cat <<EOF
$HOSTNAME = { $HOSTNAME = {

8
lib/types.nix
View file

@ -50,6 +50,14 @@ rec {
default = false; default = false;
}; };
monitoring = mkOption {
description = ''
Whether the host should be monitored by monitoring tools like Prometheus.
'';
type = bool;
default = false;
};
owner = mkOption { owner = mkOption {
type = user; type = user;
}; };

5
makefu/1systems/gum/config.nix
View file

@ -62,10 +62,13 @@ in {
## Web ## Web
<stockholm/makefu/2configs/nginx/share-download.nix> <stockholm/makefu/2configs/nginx/share-download.nix>
<stockholm/makefu/2configs/nginx/euer.test.nix> <stockholm/makefu/2configs/nginx/euer.test.nix>
<stockholm/makefu/2configs/nginx/euer.mon.nix>
<stockholm/makefu/2configs/nginx/euer.wiki.nix> <stockholm/makefu/2configs/nginx/euer.wiki.nix>
<stockholm/makefu/2configs/nginx/euer.blog.nix> <stockholm/makefu/2configs/nginx/euer.blog.nix>
# <stockholm/makefu/2configs/nginx/gum.krebsco.de.nix>
<stockholm/makefu/2configs/nginx/public_html.nix> <stockholm/makefu/2configs/nginx/public_html.nix>
<stockholm/makefu/2configs/nginx/update.connector.one.nix> <stockholm/makefu/2configs/nginx/update.connector.one.nix>
<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
<stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix> <stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
<stockholm/makefu/2configs/deployment/graphs.nix> <stockholm/makefu/2configs/deployment/graphs.nix>
@ -222,6 +225,8 @@ in {
25 25
# http # http
80 443 80 443
# httptunnel
8080 8443
# tinc # tinc
655 655
# tinc-shack # tinc-shack

1
makefu/1systems/gum/source.nix
View file

@ -1,4 +1,5 @@
import <stockholm/makefu/source.nix> { import <stockholm/makefu/source.nix> {
name="gum"; name="gum";
torrent = true; torrent = true;
clever_kexec = true;
} }

5
makefu/1systems/omo/config.nix
View file

@ -50,6 +50,7 @@ in {
<stockholm/makefu/2configs/smart-monitor.nix> <stockholm/makefu/2configs/smart-monitor.nix>
<stockholm/makefu/2configs/mail-client.nix> <stockholm/makefu/2configs/mail-client.nix>
<stockholm/makefu/2configs/mosh.nix> <stockholm/makefu/2configs/mosh.nix>
<stockholm/makefu/2configs/tools/mobility.nix>
# <stockholm/makefu/2configs/disable_v6.nix> # <stockholm/makefu/2configs/disable_v6.nix>
#<stockholm/makefu/2configs/graphite-standalone.nix> #<stockholm/makefu/2configs/graphite-standalone.nix>
#<stockholm/makefu/2configs/share-user-sftp.nix> #<stockholm/makefu/2configs/share-user-sftp.nix>
@ -85,7 +86,7 @@ in {
<stockholm/makefu/2configs/sshd-totp.nix> <stockholm/makefu/2configs/sshd-totp.nix>
# <stockholm/makefu/2configs/logging/central-logging-client.nix> # <stockholm/makefu/2configs/logging/central-logging-client.nix>
# <stockholm/makefu/2configs/torrent.nix> <stockholm/makefu/2configs/torrent.nix>
# <stockholm/makefu/2configs/elchos/search.nix> # <stockholm/makefu/2configs/elchos/search.nix>
# <stockholm/makefu/2configs/elchos/log.nix> # <stockholm/makefu/2configs/elchos/log.nix>
@ -100,7 +101,7 @@ in {
makefu.full-populate = true; makefu.full-populate = true;
makefu.server.primary-itf = primaryInterface; makefu.server.primary-itf = primaryInterface;
krebs.rtorrent = { krebs.rtorrent = {
downloadDir = lib.mkForce "/media/crypt0/torrent"; downloadDir = lib.mkForce "/media/cryptX/torrent";
extraConfig = '' extraConfig = ''
upload_rate = 200 upload_rate = 200
''; '';

7
makefu/1systems/wbob/config.nix
View file

@ -33,6 +33,9 @@ in {
<stockholm/makefu/2configs/share/wbob.nix> <stockholm/makefu/2configs/share/wbob.nix>
<stockholm/makefu/2configs/bluetooth-mpd.nix> <stockholm/makefu/2configs/bluetooth-mpd.nix>
{
users.users.makefu.extraGroups = [ "pulse" ];
}
# Sensors # Sensors
<stockholm/makefu/2configs/stats/telegraf> <stockholm/makefu/2configs/stats/telegraf>
@ -49,9 +52,10 @@ in {
db = "collectd_db"; db = "collectd_db";
logging-interface = "enp0s25"; logging-interface = "enp0s25";
in { in {
networking.firewall.allowedTCPPorts = [ 3000 ];
services.grafana.enable = true; services.grafana.enable = true;
services.grafana.addr = "0.0.0.0"; services.grafana.addr = "0.0.0.0";
services.influxdb.enable = true; services.influxdb.enable = true;
services.influxdb.extraConfig = { services.influxdb.extraConfig = {
meta.hostname = config.krebs.build.host.name; meta.hostname = config.krebs.build.host.name;
@ -121,6 +125,7 @@ in {
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
655 655
8081 #smokeping 8081 #smokeping
8086 #influx
49152 49152
]; ];
networking.firewall.trustedInterfaces = [ "enp0s25" ]; networking.firewall.trustedInterfaces = [ "enp0s25" ];

10
makefu/1systems/x/config.nix
View file

@ -141,15 +141,6 @@ with import <stockholm/lib>;
# connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
} }
{ # auto-mounting
services.udisks2.enable = true;
services.devmon.enable = true;
# services.gnome3.gvfs.enable = true;
users.users.makefu.packages = with pkgs;[
gvfs pcmanfm lxmenu-data
];
environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ];
}
]; ];
@ -170,6 +161,7 @@ with import <stockholm/lib>;
networking.extraHosts = '' networking.extraHosts = ''
192.168.1.11 omo.local 192.168.1.11 omo.local
80.92.65.53 www.wifionice.de wifionice.de
''; '';
# hard dependency because otherwise the device will not be unlocked # hard dependency because otherwise the device will not be unlocked
boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }]; boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; allowDiscards=true; }];

17
makefu/2configs/bluetooth-mpd.nix
View file

@ -34,7 +34,7 @@ in {
hardware.pulseaudio = { hardware.pulseaudio = {
enable = true; enable = true;
package = pkgs.pulseaudioFull; package = pkgs.pulseaudioFull;
# systemWide = true; # systemWide = true;
support32Bit = true; support32Bit = true;
zeroconf.discovery.enable = true; zeroconf.discovery.enable = true;
zeroconf.publish.enable = true; zeroconf.publish.enable = true;
@ -42,12 +42,13 @@ in {
enable = true; enable = true;
# PULSE_SERVER=192.168.1.11 pavucontrol # PULSE_SERVER=192.168.1.11 pavucontrol
anonymousClients.allowAll = true; anonymousClients.allowAll = true;
anonymousClients.allowedIpRanges = [ "127.0.0.1" "192.168.0.0/16" ];
}; };
configFile = pkgs.writeText "default.pa" '' configFile = pkgs.writeText "default.pa" ''
load-module module-udev-detect load-module module-udev-detect
load-module module-bluetooth-policy load-module module-bluetooth-policy
load-module module-bluetooth-discover load-module module-bluetooth-discover
load-module module-native-protocol-unix load-module module-native-protocol-unix auth-anonymous=1
load-module module-always-sink load-module module-always-sink
load-module module-console-kit load-module module-console-kit
load-module module-systemd-login load-module module-systemd-login
@ -56,13 +57,15 @@ in {
load-module module-filter-heuristics load-module module-filter-heuristics
load-module module-filter-apply load-module module-filter-apply
load-module module-switch-on-connect load-module module-switch-on-connect
#load-module module-bluez5-device
#load-module module-bluez5-discover
''; '';
}; };
# connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio # connect via https://nixos.wiki/wiki/Bluetooth#Using_Bluetooth_headsets_with_PulseAudio
hardware.bluetooth.enable = true; hardware.bluetooth.enable = true;
#hardware.bluetooth.extraConfig = '' # environment.etc."bluetooth/audio.conf".text = ''
# [general] # [General]
# Enable=Source,Sink,Media,Socket # Enable = Source,Sink,Media,Socket
#''; # '';
}; };
} }

1
makefu/2configs/git/cgit-retiolum.nix
View file

@ -30,6 +30,7 @@ let
euer_blog = { }; euer_blog = { };
ampel = { }; ampel = { };
europastats = { }; europastats = { };
arafetch = { };
init-stockholm = { init-stockholm = {
cgit.desc = "Init stuff for stockholm"; cgit.desc = "Init stuff for stockholm";
}; };

44
makefu/2configs/gui/automatic-diskmount.nix Normal file
View file

@ -0,0 +1,44 @@
{ pkgs, ... }:
with import <stockholm/lib>; #genid
{ # auto-mounting via polkit
services.udisks2.enable = true;
## automount all disks:
# services.devmon.enable = true;
# services.gnome3.gvfs.enable = true;
users.groups.storage = {
gid = genid "storage";
members = [ "makefu" ];
};
users.users.makefu.packages = with pkgs;[
gvfs pcmanfm lxmenu-data
];
environment.variables.GIO_EXTRA_MODULES = [ "${pkgs.gvfs}/lib/gio/modules" ];
## allow users in group "storage" to mount disk
# https://github.com/coldfix/udiskie/wiki/Permissions
security.polkit.extraConfig =
''
polkit.addRule(function(action, subject) {
var YES = polkit.Result.YES;
var permission = {
"org.freedesktop.udisks.filesystem-mount": YES,
"org.freedesktop.udisks.luks-unlock": YES,
"org.freedesktop.udisks.drive-eject": YES,
"org.freedesktop.udisks.drive-detach": YES,
"org.freedesktop.udisks2.filesystem-mount": YES,
"org.freedesktop.udisks2.encrypted-unlock": YES,
"org.freedesktop.udisks2.eject-media": YES,
"org.freedesktop.udisks2.power-off-drive": YES,
"org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
"org.freedesktop.udisks2.filesystem-unmount-others": YES,
"org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
"org.freedesktop.udisks2.eject-media-other-seat": YES,
"org.freedesktop.udisks2.power-off-drive-other-seat": YES
};
if (subject.isInGroup("storage")) {
return permission[action.id];
}
});
'';
}

3
makefu/2configs/hw/network-manager.nix
View file

@ -11,9 +11,8 @@
systemd.services.modemmanager = { systemd.services.modemmanager = {
description = "ModemManager"; description = "ModemManager";
after = [ "network-manager.service" ];
bindsTo = [ "network-manager.service" ]; bindsTo = [ "network-manager.service" ];
wantedBy = [ "network-manager.service" ]; wantedBy = [ "network-manager.service" "multi-user.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.modemmanager}/bin/ModemManager"; ExecStart = "${pkgs.modemmanager}/bin/ModemManager";
PrivateTmp = true; PrivateTmp = true;

1
makefu/2configs/hydra/stockholm.nix
View file

@ -5,7 +5,6 @@
{ {
# TODO postgres backup # TODO postgres backup
services.postgresql.enable = true;
services.hydra = { services.hydra = {
enable = true; enable = true;

1
makefu/2configs/main-laptop.nix
View file

@ -16,6 +16,7 @@ in {
./zsh-user.nix ./zsh-user.nix
./tools/core.nix ./tools/core.nix
./tools/core-gui.nix ./tools/core-gui.nix
./gui/automatic-diskmount.nix
]; ];
users.users.${config.krebs.build.user.name}.extraGroups = [ "dialout" ]; users.users.${config.krebs.build.user.name}.extraGroups = [ "dialout" ];

26
makefu/2configs/nginx/euer.mon.nix Normal file
View file

@ -0,0 +1,26 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
hostname = config.krebs.build.host.name;
user = config.services.nginx.user;
group = config.services.nginx.group;
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr;
in {
services.nginx = {
enable = mkDefault true;
virtualHosts."mon.euer.krebsco.de" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://wbob.r:3000/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
'';
};
};
};
}

17
makefu/2configs/nginx/misa-felix-hochzeit.ml.nix Normal file
View file

@ -0,0 +1,17 @@
{ config, lib, pkgs, ... }:
{
services.nginx = {
enable = lib.mkDefault true;
virtualHosts."misa-felix-hochzeit.ml" = {
serverAliases = [ "www.misa-felix-hochzeit.ml" "misa-felix.ml" "www.misa-felix.ml" ];
forceSSL = true;
enableACME = true;
locations = {
"/" = {
index = "index.html";
root = "/var/www/misa-felix-hochzeit.ml";
};
};
};
};
}

14
makefu/2configs/remote-build/master.nix
View file

@ -1,14 +0,0 @@
{ pkgs, ...}:
let
sshKey = (toString <secrets>) + "/id_nixBuild";
in {
nix.distributedBuilds = true;
# TODO: iterate over krebs.hosts
nix.buildMachines = map ( hostName:
{ inherit hostName sshKey;
sshUser = "nixBuild";
system = "x86_64-linux";
maxJobs = 8;
}) [ "hotdog.r" ];
# puyak.r "wbob.r" "omo.r" "gum.r" "latte.r"
}

19
makefu/2configs/stats/arafetch.nix
View file

@ -3,7 +3,7 @@ with import <stockholm/lib>;
let let
pkg = with pkgs.python3Packages;buildPythonPackage rec { pkg = with pkgs.python3Packages;buildPythonPackage rec {
rev = "762d747"; rev = "762d747";
name = "europastats-${rev}"; name = "arafetch-${rev}";
propagatedBuildInputs = [ propagatedBuildInputs = [
requests requests
docopt docopt
@ -25,12 +25,25 @@ in {
}; };
systemd.services.arafetch = { systemd.services.arafetch = {
startAt = "Mon 09:15:00"; startAt = "Mon,Wed,Fri 09:15:00";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
environment = { environment = {
OUTDIR = home; OUTDIR = home;
}; };
path = [ pkg pkgs.git pkgs.wget ]; path = [ pkg pkgs.git pkgs.wget ];
script = "${pkg}/bin/weekrun"; serviceConfig = {
User = "arafetch";
WorkingDirectory = home;
PrivateTmp = true;
ExecStart = pkgs.writeDash "start-weekrun" ''
set -x
weekrun || echo "weekrun failed!"
find $OUTDIR/db -name \*.json | while read path;do
file=''${path##*/}
cantine=''${file%%.json}
ara2influx $path --cantine $cantine --host wbob.r
done
'';
};
}; };
} }

4
makefu/2configs/tools/core-gui.nix
View file

@ -1,10 +1,6 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
nixpkgs.config.firefox = {
enableAdobeFlash = true;
};
krebs.per-user.makefu.packages = with pkgs; [ krebs.per-user.makefu.packages = with pkgs; [
chromium chromium
clipit clipit

1
makefu/2configs/urlwatch/default.nix
View file

@ -25,7 +25,6 @@ in {
# pypi # pypi
https://pypi.python.org/simple/bepasty/ https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/devpi-client/ https://pypi.python.org/simple/devpi-client/
https://pypi.python.org/simple/oslo.config/
https://pypi.python.org/simple/sqlalchemy_migrate/ https://pypi.python.org/simple/sqlalchemy_migrate/
https://pypi.python.org/simple/xstatic/ https://pypi.python.org/simple/xstatic/
https://pypi.python.org/simple/pyserial/ https://pypi.python.org/simple/pyserial/

6
makefu/5pkgs/ampel/default.nix
View file

@ -2,7 +2,7 @@
with pkgs.python3Packages;buildPythonPackage rec { with pkgs.python3Packages;buildPythonPackage rec {
name = "ampel-${version}"; name = "ampel-${version}";
version = "0.2"; version = "0.2.1";
propagatedBuildInputs = [ propagatedBuildInputs = [
docopt docopt
@ -16,8 +16,8 @@ with pkgs.python3Packages;buildPythonPackage rec {
src = pkgs.fetchgit { src = pkgs.fetchgit {
url = "http://cgit.euer.krebsco.de/ampel"; url = "http://cgit.euer.krebsco.de/ampel";
rev = "d8a0250"; rev = "92321d7";
sha256 = "0n36lc17ca5db6pl6dswdqd5w9f881rfqck9yc4w33a5qpsxj85f"; sha256 = "0mvpbpf1rx8sc589qjb73gl8z6fir2zs3gl3br1pbhg5jgn0ij4n";
}; };
meta = { meta = {
homepage = http://cgit.euer.krebsco.de/ampel; homepage = http://cgit.euer.krebsco.de/ampel;

3
makefu/5pkgs/awesomecfg/full.cfg
View file

@ -412,8 +412,7 @@ clientkeys = awful.util.table.join(
end), end),
awful.key({ modkey, }, "m", awful.key({ modkey, }, "m",
function (c) function (c)
c.maximized_horizontal = not c.maximized_horizontal c.maximized = not c.maximized
c.maximized_vertical = not c.maximized_vertical
end) end)
) )

13
makefu/5pkgs/devpi/default.nix
View file

@ -16,16 +16,17 @@ let
}; };
devpi-web = pkgs.python3Packages.buildPythonPackage rec { devpi-web = pkgs.python3Packages.buildPythonPackage rec {
name = "devpi-web"; name = "devpi-web";
version = "3.1.1"; version = "3.2.2";
src = pkgs.fetchurl { src = pkgs.fetchurl {
url = "mirror://pypi/d/devpi-web/devpi-web-${version}.tar.gz"; url = "mirror://pypi/d/devpi-web/devpi-web-${version}.tar.gz";
sha256 = "0bvqv52jmasfm4sdyccwsgvk9a663d3grj7zjw8r9x7xm7l3svqv"; sha256 = "1mwg2fcw88rn47ypnhg5f4s1r066129z922113shyinwrwfddhay";
}; };
propagatedBuildInputs = with pkgs.python3Packages; propagatedBuildInputs = with pkgs.python3Packages; builtins.trace pkgs.devpi-server.version
[ pkgs.devpi-server pyramid_chameleon beautifulsoup4 defusedxml readme-renderer ]; [ pkgs.devpi-server pyramid_chameleon pygments docutils devpi-common
whoosh beautifulsoup4 defusedxml readme-renderer ];
meta = { meta = {
homepage = https://bitbucket.org/hpk42/devpi; homepage = https://bitbucket.org/hpk42/devpi;
@ -37,6 +38,6 @@ let
in { in {
devpi-web = pkgs.python3.buildEnv.override { devpi-web = pkgs.python3.buildEnv.override {
extraLibs = [ devpi-web devpi-server ]; extraLibs = [ devpi-web pkgs.devpi-server ];
}; };
} }

58
makefu/source.nix
View file

@ -1,14 +1,16 @@
with import <stockholm/lib>; with import <stockholm/lib>;
host@{ name, host@{ name,
override ? {} override ? {}
, secure ? false , secure ? false
, full ? false , full ? false
, torrent ? false , torrent ? false
, hw ? false , hw ? false
, musnix ? false , musnix ? false
, python ? false , python ? false
, unstable ? false #unstable channel checked out , unstable ? false #unstable channel checked out
, mic92 ? false , mic92 ? false
, nms ? false
, clever_kexec ?false
}: }:
let let
builder = if getEnv "dummy_secrets" == "true" builder = if getEnv "dummy_secrets" == "true"
@ -21,9 +23,8 @@ let
]; ];
}; };
# TODO: automate updating of this ref + cherry-picks # TODO: automate updating of this ref + cherry-picks
ref = "6583793"; # nixos-17.09 @ 2018-03-07 ref = "a09afbfb8a4"; # nixos-18.03 @ 2018-04-04
# + do_sqlite3 ruby: 55a952be5b5 # + do_sqlite3 ruby: 55a952be5b5
# + signal: 0f19beef3, 50ad913, 9449782, b7046ab2
in in
evalSource (toString _file) [ evalSource (toString _file) [
@ -43,18 +44,22 @@ in
file = "/home/makefu/store/${ref}"; file = "/home/makefu/store/${ref}";
}; };
secrets.file = getAttr builder { secrets = getAttr builder {
buildbot = toString <stockholm/makefu/6tests/data/secrets>; buildbot.file = toString <stockholm/makefu/6tests/data/secrets>;
makefu = "/home/makefu/secrets/${name}"; makefu.pass = {
inherit name;
dir = "${getEnv "HOME"}/.secrets-pass";
};
}; };
stockholm.file = toString <stockholm>; stockholm.file = toString <stockholm>;
stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version"; stockholm-version.pipe = "${pkgs.stockholm}/bin/get-version";
} }
(mkIf ( musnix ) { (mkIf ( musnix ) {
musnix.git = { musnix.git = {
url = https://github.com/musnix/musnix.git; url = https://github.com/musnix/musnix.git;
ref = "d8b989f"; ref = "master"; # follow the musnix channel, lets see how this works out
}; };
}) })
@ -73,9 +78,12 @@ in
}) })
(mkIf ( torrent ) { (mkIf ( torrent ) {
torrent-secrets.file = getAttr builder { torrent-secrets = getAttr builder {
buildbot = toString <stockholm/makefu/6tests/data/secrets>; buildbot.file = toString <stockholm/makefu/6tests/data/secrets>;
makefu = "/home/makefu/secrets/torrent" ; makefu.pass = {
name = "torrent";
dir = "${getEnv "HOME"}/.secrets-pass";
};
}; };
}) })
@ -93,5 +101,19 @@ in
}; };
}) })
(mkIf ( nms ) {
nms.git = {
url = https://github.com/r-raymond/nixos-mailserver;
ref = "v2.1.2";
};
})
(mkIf ( clever_kexec ) {
clever_kexec.git = {
url = https://github.com/cleverca22/nix-tests;
ref = "5a670de7f2decfaafc95c34ffeb0f1896662f3d7";
};
})
override override
] ]

1
nin/2configs/vim.nix
View file

@ -349,6 +349,7 @@ let
let b:current_syntax = "nix" let b:current_syntax = "nix"
set isk=@,48-57,_,192-255,-,' set isk=@,48-57,_,192-255,-,'
set bg=dark
''; '';
in in
out out