diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
new file mode 100644
index 000000000..5e5f6cdb2
--- /dev/null
+++ b/krebs/1systems/puyak/config.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/krebs>
+    <stockholm/krebs/2configs>
+    <stockholm/krebs/2configs/secret-passwords.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.puyak;
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+
+    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
+    initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+    initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/pool-root";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
+    "/boot" = {
+      device = "/dev/sda2";
+    };
+    "/home" = {
+      device = "/dev/mapper/pool-home";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
+    "/tmp" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = ["nosuid" "nodev" "noatime"];
+    };
+  };
+
+  hardware.enableAllFirmware = true;
+  networking.wireless.enable = true;
+  nixpkgs.config.allowUnfree = true;
+
+  services.logind.extraConfig = ''
+    HandleLidSwitch=ignore
+  '';
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0"
+    SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="et0"
+  '';
+
+}
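Review bot: The LUKS container and `/boot` are addressed by kernel name (`/dev/sda3`, `/dev/sda2`) while `usb_storage` is available in the initrd, so a USB disk attached at boot can shift enumeration and the initrd may then prompt for the passphrase against the wrong device or fail to boot. A stable identifier avoids that, for example `device = "/dev/disk/by-uuid/<luks-partition-uuid>";` (placeholder; the UUID is not on this page). `HandleLidSwitch=ignore` also means logind takes no action when the lid is closed, so the unlocked volume stays mounted on an unattended laptop. A one-line comment saying why this host needs that, and how the session gets locked, would help.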
diff --git a/krebs/1systems/puyak/source.nix b/krebs/1systems/puyak/source.nix
new file mode 100644
index 000000000..a21651899
--- /dev/null
+++ b/krebs/1systems/puyak/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+  name = "puyak";
+}
diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 53ad56d65..901516e50 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -46,6 +46,6 @@ with import <stockholm/lib>;
 
 
   # The NixOS release to be compatible with for stateful data such as databases.
-  system.stateVersion = "15.09";
+  system.stateVersion = "17.03";
 
 }
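Review bot: `system.stateVersion` is raised in the shared krebs/2configs/default.nix, so it changes for every host importing this file and not only for the newly added puyak. As the comment above it says, the value selects compatibility for stateful data. On hosts installed under 15.09, modules that key their defaults on it may switch data formats or package versions at the next rebuild. Consider pinning existing hosts to their install release and making the shared value overridable with `system.stateVersion = mkDefault "17.03";`, assuming `mkDefault` is in scope through the `with import <stockholm/lib>;` in the hunk header.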
diff --git a/krebs/2configs/shared-buildbot.nix b/krebs/2configs/shared-buildbot.nix
index efb41cc3e..51984209c 100644
--- a/krebs/2configs/shared-buildbot.nix
+++ b/krebs/2configs/shared-buildbot.nix
@@ -14,7 +14,7 @@
     locations."/".extraConfig = ''
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
-      proxy_pass http://localhost:${toString config.krebs.buildbot.master.web.port};
+      proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port};
     '';
   };
 
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index 0aa0cac9d..f11b8ef48 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -30,6 +30,30 @@ let
   });
 in {
   hosts = {
+    puyak = {
+      owner = config.krebs.users.krebs;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.77.2";
+          ip6.addr = "42:0:0:0:0:0:77:2";
+          aliases = [
+            "puyak.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955
+            SwotAPBrOT5P3pZ52Pu326SR5nj9XWfN6GD0CkcDQddtRG5OOtUWlvkYzZraNh33
+            p9l8TBgHJKogGe6umbs+4v7pWfbS0k708L2ttwY0ceju6RL6UqShIYB6qhDzwalU
+            p8s7pypl7BwrsTwYkUGleIptiN78cYv/NHvXhvXBuVGz4J0tCH4GMvdTHCah1l1r
+            zwEpKlAq0FD6bgYTJL94Tvxe2xzyr8c+xn1+XbJtMudGmrRjIHS6YupzO/Y2MO7w
+            UkbMKDhYVhSPFEyk6PMm0SU9uAh4I1+8BQIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpVwKv9mQGfcn5oFwuitq+b6Dz4jBG9sGhVoCYFw5RY";
+    };
     wolf = {
       owner = config.krebs.users.krebs;
       nets = {
diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 05b7b5078..139f02ddd 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -335,5 +335,8 @@ with import <stockholm/lib>;
     };
     sokratess = {
     };
+    wine-mors = {
+      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKfTIKmbe1RjX1fjAn//08363zAsI0CijWnaYyAC842";
+    };
   };
 }
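Review bot: `wine-mors` is defined with nothing but a `pubkey`, and the lass/2configs/downloading.nix hunk in this commit appends `wine-mors.pubkey` to a key list beside the personal keys, so a key held by the `wine` account gets the same access as those. Judging by wine.nix, that account exists to run Wine programs, so any program running there can read the matching private key. If the list in downloading.nix is an authorized-keys set (not visible in that hunk), consider limiting what this key may do on the target. At minimum, record its purpose here with a comment such as `# key of the wine account on mors; purpose: <why it needs access>`. The surrounding attribute set starts outside the hunk.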
diff --git a/lass/1systems/echelon/config.nix b/lass/1systems/echelon/config.nix
index f064a4788..77958267d 100644
--- a/lass/1systems/echelon/config.nix
+++ b/lass/1systems/echelon/config.nix
@@ -31,17 +31,6 @@ in {
     {
       sound.enable = false;
     }
-    {
-      lass.dnsmasq = {
-        enable = true;
-        config = ''
-          interface=retiolum
-        '';
-      };
-      krebs.iptables.tables.filter.INPUT.rules = [
-        { predicate = "-i retiolum -p udp --dport 53"; target = "ACCEPT"; }
-      ];
-    }
     {
       users.extraUsers = {
         satan = {
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 45b3f740f..29dacf8dc 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -24,6 +24,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/ircd.nix>
     <stockholm/lass/2configs/logf.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/otp-ssh.nix>
     {
       #risk of rain port
       krebs.iptables.tables.filter.INPUT.rules = [
@@ -110,11 +111,11 @@ with import <stockholm/lib>;
     "/boot" = {
       device = "/dev/sda2";
     };
-    #"/bku" = {
-    #  device = "/dev/mapper/pool-bku";
-    #  fsType = "btrfs";
-    #  options = ["defaults" "noatime" "ssd" "compress=lzo"];
-    #};
+    "/bku" = {
+      device = "/dev/mapper/pool-bku";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
     "/home" = {
       device = "/dev/mapper/pool-home";
       fsType = "btrfs";
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 9faa4d473..6c1453c94 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -36,7 +36,6 @@ in {
     <stockholm/lass/2configs/iodined.nix>
     <stockholm/lass/2configs/libvirt.nix>
     <stockholm/lass/2configs/hfos.nix>
-    <stockholm/lass/2configs/makefu-sip.nix>
     <stockholm/lass/2configs/monitoring/server.nix>
     <stockholm/lass/2configs/monitoring/monit-alarms.nix>
     <stockholm/lass/2configs/paste.nix>
@@ -213,6 +212,26 @@ in {
           config.krebs.users.tv.pubkey
         ];
       };
+      users.users.makefu = {
+        uid = genid "makefu";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.makefu.pubkey
+        ];
+      };
+      users.users.nin = {
+        uid = genid "nin";
+        inherit (config.krebs.users.nin) home;
+        group = "users";
+        createHome = true;
+        useDefaultShell = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.nin.pubkey
+        ];
+        extraGroups = [
+          "libvirtd"
+        ];
+      };
     }
     {
       krebs.repo-sync.timerConfig = {
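Review bot: `nin` keeps `extraGroups = [ "libvirtd" ]` here although the same commit removes the PREROUTING/FORWARD rules that exposed 192.168.122.24:22, which suggests the guest may no longer be in use. Membership in `libvirtd` normally allows managing system VMs and their disk images, which is close to root on the host, so it should be dropped if it is no longer needed. The relocated `makefu` definition already loses that group compared with the deleted makefu-sip.nix. If the group is still required, a comment such as `# nin manages their own guest through libvirt` above the list records the reason. The enclosing attribute set starts and ends outside this hunk.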
@@ -235,28 +254,6 @@ in {
         enable = true;
       };
     }
-    {
-      # Nin stuff
-      users.users.nin = {
-        uid = genid "nin";
-        inherit (config.krebs.users.nin) home;
-        group = "users";
-        createHome = true;
-        useDefaultShell = true;
-        openssh.authorizedKeys.keys = [
-          config.krebs.users.nin.pubkey
-        ];
-        extraGroups = [
-          "libvirtd"
-        ];
-      };
-      krebs.iptables.tables.nat.PREROUTING.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 213.239.205.240 -p tcp --dport 1337"; target = "DNAT --to-destination 192.168.122.24:22"; }
-      ];
-      krebs.iptables.tables.filter.FORWARD.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
-      ];
-    }
     {
       krebs.Reaktor.prism = {
         nickname = "Reaktor|lass";
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index d32262810..9582413ed 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -17,6 +17,7 @@ with import <stockholm/lib>;
         lass-shodan.pubkey
         lass-icarus.pubkey
         makefu.pubkey
+        wine-mors.pubkey
       ];
     };
 
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 4137c482e..a66d08927 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -49,6 +49,7 @@ let
     {
       brain = {
         collaborators = with config.krebs.users; [ tv makefu ];
+        announce = true;
       };
     } //
     import <secrets/repos.nix> { inherit config lib pkgs; }
@@ -75,9 +76,20 @@ let
     public = true;
   };
 
-  make-restricted-repo = name: { collaborators ? [], ... }: {
+  make-restricted-repo = name: { collaborators ? [], announce ? false, ... }: {
     inherit collaborators name;
     public = false;
+    hooks = optionalAttrs announce {
+      post-receive = pkgs.git-hooks.irc-announce {
+        # TODO make nick = config.krebs.build.host.name the default
+        nick = config.krebs.build.host.name;
+        channel = "#retiolum";
+        server = "ni.r";
+        verbose = true;
+        # TODO define branches in some kind of option per repo
+        branches = [ "master" "staging*" ];
+      };
+    };
   };
 
   make-rules =
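Review bot: `make-restricted-repo` sets `public = false`, yet with `announce = true` its post-receive hook posts to the shared channel `#retiolum` with `verbose = true`, so pushes to a non-public repository become visible to everyone in that channel. This currently affects `brain`, which the first hunk of this file enables. What `verbose` emits is not shown here, but if it includes commit subjects or file names, restricted content is disclosed. Consider `verbose = false;` for restricted repos, or a channel limited to the collaborators. At minimum, document the behaviour next to the option: `# NOTE: announces pushes of a non-public repo to a shared channel`.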
diff --git a/lass/2configs/makefu-sip.nix b/lass/2configs/makefu-sip.nix
deleted file mode 100644
index 9d2e9b696..000000000
--- a/lass/2configs/makefu-sip.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-{
-  users.users.makefu = {
-    uid = genid "makefu";
-    isNormalUser = true;
-    extraGroups = [ "libvirtd" ];
-    openssh.authorizedKeys.keys = [
-      config.krebs.users.makefu.pubkey
-    ];
-  };
-
-  krebs.iptables.tables.nat.PREROUTING.rules = [
-    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 10022"; target = "DNAT --to-destination 192.168.122.136:22"; }
-  ];
-
-  krebs.iptables.tables.filter.FORWARD.rules = [
-    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.136 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
-  ];
-}
diff --git a/lass/2configs/otp-ssh.nix b/lass/2configs/otp-ssh.nix
new file mode 100644
index 000000000..f9984e245
--- /dev/null
+++ b/lass/2configs/otp-ssh.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+#  gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+  security.pam.oath = {
+    # enabling it will make it a requisite of `all` services
+    # enable = true;
+    digits = 6;
+    # TODO assert existing
+    usersFile = (toString <secrets>) + "/users.oath";
+  };
+  # I want TFA only active for sshd with password-auth
+  security.pam.services.sshd.oathAuth = true;
+}
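Review bot: The usage comment tells the operator to `chmod 700` the users.oath file, which sets execute bits on a file of TOTP seeds. The pam_oath users file is normally root-owned with mode 600, so the line should read `## copy last line into secrets/<host>/users.oath (chmod 600, owner root)`. The `toString <secrets>` keeps the seed file out of the world-readable Nix store, and a comment should say so to stop anyone simplifying it to a path literal. Until the `TODO assert existing` is resolved, a missing file will presumably make the oath step fail for every sshd password login on hosts importing this module. The header could also state that public-key logins do not go through the PAM auth stack and are therefore not covered by the second factor.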
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 3bc5570c4..3e1ad6638 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -25,9 +25,15 @@ in {
   imports = [
     ./sqlBackup.nix
     (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
-    (servePage [ "karlaskop.de" ])
+    (servePage [
+      "karlaskop.de"
+      "www.karlaskop.de"
+    ])
     (servePage [ "makeup.apanowicz.de" ])
-    (servePage [ "pixelpocket.de" ])
+    (servePage [
+      "pixelpocket.de"
+      "www.pixelpocket.de"
+    ])
     (servePage [
       "habsys.de"
       "habsys.eu"
diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix
index d4a91e645..2444d32d3 100644
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@@ -5,7 +5,8 @@ let
 
 in {
   krebs.per-user.wine.packages = with pkgs; [
-    wineUnstable
+    wineFull
+    #(wineFull.override { wineBuild = "wine64"; })
   ];
   users.users= {
     wine = {
diff --git a/lass/source.nix b/lass/source.nix
index 836460d07..63adbd95c 100644
--- a/lass/source.nix
+++ b/lass/source.nix
@@ -19,6 +19,6 @@ in
       #   87a4615 & 334ac4f
       # + acme permissions for groups
       #   fd7a8f1
-      ref = "67956cc";
+      ref = "d486531";
     };
   }
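Review bot: `ref = "d486531";` pins the fetched source by a seven-character abbreviated commit id, which git resolves by prefix and which can become ambiguous or resolve to an unintended object as the repository grows. Pinning the full id makes the pin exact: `ref = "<full 40-character commit id>";` (placeholder; the full id is not on this page). The abbreviated ids in the comment lines above are only documentation and can stay. The attribute set starts outside the hunk.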