From 5b3d5572a56dfe4b8cbec615a3c4b3566c835610 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 16 Jul 2017 21:34:23 +0200
Subject: [PATCH 01/14] krebs lass: add wine-mors pubkey

---
 krebs/3modules/lass/default.nix | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix
index 05b7b5078..139f02ddd 100644
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@@ -335,5 +335,8 @@ with import <stockholm/lib>;
     };
     sokratess = {
     };
+    wine-mors = {
+      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKfTIKmbe1RjX1fjAn//08363zAsI0CijWnaYyAC842";
+    };
   };
 }

From 1c4a5e175ae59eb14e986e8db26bc731959fa917 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 16 Jul 2017 21:34:47 +0200
Subject: [PATCH 02/14] l mors: reactivate /bku

---
 lass/1systems/mors/config.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 45b3f740f..b93ead6db 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -110,11 +110,11 @@ with import <stockholm/lib>;
     "/boot" = {
       device = "/dev/sda2";
     };
-    #"/bku" = {
-    #  device = "/dev/mapper/pool-bku";
-    #  fsType = "btrfs";
-    #  options = ["defaults" "noatime" "ssd" "compress=lzo"];
-    #};
+    "/bku" = {
+      device = "/dev/mapper/pool-bku";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
     "/home" = {
       device = "/dev/mapper/pool-home";
       fsType = "btrfs";

From 6b0e0cc09996e2ea92446f546dc50938da7aa2dd Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sun, 16 Jul 2017 21:35:04 +0200
Subject: [PATCH 03/14] lass downloading: add wine-mors to authorized_keys

---
 lass/2configs/downloading.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index d32262810..9582413ed 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -17,6 +17,7 @@ with import <stockholm/lib>;
         lass-shodan.pubkey
         lass-icarus.pubkey
         makefu.pubkey
+        wine-mors.pubkey
       ];
     };
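Review bot: The `wine-mors.pubkey` entry added at the end of this list gets the same unrestricted access to this account as the personal keys above it, although the name (and the dedicated `wine` user that patch 04 configures on mors) suggests it is the key of a sandbox user that runs untrusted Windows binaries. If that sandbox is compromised, the downloading account on this host goes with it; pin the entry to what the wine host actually needs, at minimum `"restrict ${wine-mors.pubkey}"` so no PTY, agent or port forwarding is available, and ideally a `command="…"` limited to the transfer tool in use. The attribute this list belongs to starts before the hunk, so I am assuming it is the download user's `openssh.authorizedKeys.keys`.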
 

From 2d6447d9669ba74780a57dd4ddcdb19110bd4928 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 17 Jul 2017 08:01:33 +0200
Subject: [PATCH 04/14] l wine: use wineFull

---
 lass/2configs/wine.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix
index d4a91e645..2444d32d3 100644
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@@ -5,7 +5,8 @@ let
 
 in {
   krebs.per-user.wine.packages = with pkgs; [
-    wineUnstable
+    wineFull
+    #(wineFull.override { wineBuild = "wine64"; })
   ];
   users.users= {
     wine = {
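Review bot: The commented-out `#(wineFull.override { wineBuild = "wine64"; })` beneath `wineFull` is dead configuration with no hint why it is kept or disabled, which is the kind of line that later gets enabled without anyone knowing the consequence. Either drop it or turn it into a comment that states the intent, e.g. `# alternative: wine64-only build via wineFull.override { wineBuild = "wine64"; } — disabled because <reason>`.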

From d2f766b1968fd431c4eb210e8d0753449b4af568 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 17 Jul 2017 09:55:57 +0200
Subject: [PATCH 05/14] l nixpkgs: 67956cc -> d486531

---
 lass/source.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lass/source.nix b/lass/source.nix
index 836460d07..63adbd95c 100644
--- a/lass/source.nix
+++ b/lass/source.nix
@@ -19,6 +19,6 @@ in
       #   87a4615 & 334ac4f
       # + acme permissions for groups
       #   fd7a8f1
-      ref = "67956cc";
+      ref = "d486531";
     };
   }

From 53f8fa81e58c426d2a88b1bba4bfc0524dcb9387 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 17 Jul 2017 14:53:14 +0200
Subject: [PATCH 06/14] l git: announce brain

---
 lass/2configs/git.nix | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 4137c482e..a66d08927 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -49,6 +49,7 @@ let
     {
       brain = {
         collaborators = with config.krebs.users; [ tv makefu ];
+        announce = true;
       };
     } //
     import <secrets/repos.nix> { inherit config lib pkgs; }
@@ -75,9 +76,20 @@ let
     public = true;
   };
 
-  make-restricted-repo = name: { collaborators ? [], ... }: {
+  make-restricted-repo = name: { collaborators ? [], announce ? false, ... }: {
     inherit collaborators name;
     public = false;
+    hooks = optionalAttrs announce {
+      post-receive = pkgs.git-hooks.irc-announce {
+        # TODO make nick = config.krebs.build.host.name the default
+        nick = config.krebs.build.host.name;
+        channel = "#retiolum";
+        server = "ni.r";
+        verbose = true;
+        # TODO define branches in some kind of option per repo
+        branches = [ "master" "staging*" ];
+      };
+    };
   };
 
   make-rules =
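Review bot: The new `hooks.post-receive` in `make-restricted-repo` announces pushes of a *non-public* repository (`public = false;` two lines above) to `#retiolum` with `verbose = true`, so whatever the verbose announce includes — presumably commit subjects, authors and branch names — of the restricted `brain` repo (opted in by the first hunk, collaborators tv and makefu) becomes visible to everyone on that channel. If the channel's audience is wider than a repo's collaborator list this is an information disclosure; announce with `verbose = false;` for restricted repos, or at least document the trade-off where `announce` is accepted, e.g. `# announce = true posts push details of a non-public repo to the channel; only enable where the audience matches the collaborators`. The `branches` glob list is a reasonable default, but since the TODO already plans a per-repo option, the disclosure note belongs next to it.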

From 5f743cbd32572a25e0df73b823cd866f1d80f01a Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 17 Jul 2017 15:11:54 +0200
Subject: [PATCH 07/14] lass: init otp-ssh

---
 lass/1systems/mors/config.nix |  1 +
 lass/2configs/otp-ssh.nix     | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 lass/2configs/otp-ssh.nix

diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index b93ead6db..29dacf8dc 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -24,6 +24,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/ircd.nix>
     <stockholm/lass/2configs/logf.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/otp-ssh.nix>
     {
       #risk of rain port
       krebs.iptables.tables.filter.INPUT.rules = [
diff --git a/lass/2configs/otp-ssh.nix b/lass/2configs/otp-ssh.nix
new file mode 100644
index 000000000..f9984e245
--- /dev/null
+++ b/lass/2configs/otp-ssh.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+#  gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+  security.pam.oath = {
+    # enabling it will make it a requisite of `all` services
+    # enable = true;
+    digits = 6;
+    # TODO assert existing
+    usersFile = (toString <secrets>) + "/users.oath";
+  };
+  # I want TFA only active for sshd with password-auth
+  security.pam.services.sshd.oathAuth = true;
+}
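Review bot: The usage comment tells the operator to `chmod 700` `secrets/<host>/users.oath`, but that file holds the per-user TOTP seeds emitted by `gen-oath-safe` in cleartext, so the instruction should read `chmod 600` (root-owned; an execute bit serves no purpose on a seed file) and say why. The `(toString <secrets>)` on the `usersFile` line is presumably deliberate — interpolating the bare path into the PAM configuration would copy the seed file into the world-readable nix store — and deserves a comment such as `# toString: keep the seed file out of /nix/store; pam_oath reads it at login time`. The `# TODO assert existing` is more than a convenience: if pam_oath is wired as a requisite entry, a missing or stale file likely fails every password login until it is fixed, so an `assertions` entry or at least a warning in the header comment is worth adding. Finally, the header should state explicitly that this gates only PAM-backed (password/keyboard-interactive) logins and leaves key-based logins untouched, which the last comment hints at but the first line does not.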

From 32d09aa9d5b95f91acd14489b7802ad8cb449355 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 20 Jul 2017 13:40:04 +0200
Subject: [PATCH 08/14] l: rip makefu-sip

---
 lass/1systems/prism/config.nix |  1 -
 lass/2configs/makefu-sip.nix   | 21 ---------------------
 2 files changed, 22 deletions(-)
 delete mode 100644 lass/2configs/makefu-sip.nix

diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 9faa4d473..a6bb824ab 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -36,7 +36,6 @@ in {
     <stockholm/lass/2configs/iodined.nix>
     <stockholm/lass/2configs/libvirt.nix>
     <stockholm/lass/2configs/hfos.nix>
-    <stockholm/lass/2configs/makefu-sip.nix>
     <stockholm/lass/2configs/monitoring/server.nix>
     <stockholm/lass/2configs/monitoring/monit-alarms.nix>
     <stockholm/lass/2configs/paste.nix>
diff --git a/lass/2configs/makefu-sip.nix b/lass/2configs/makefu-sip.nix
deleted file mode 100644
index 9d2e9b696..000000000
--- a/lass/2configs/makefu-sip.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-{
-  users.users.makefu = {
-    uid = genid "makefu";
-    isNormalUser = true;
-    extraGroups = [ "libvirtd" ];
-    openssh.authorizedKeys.keys = [
-      config.krebs.users.makefu.pubkey
-    ];
-  };
-
-  krebs.iptables.tables.nat.PREROUTING.rules = [
-    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 10022"; target = "DNAT --to-destination 192.168.122.136:22"; }
-  ];
-
-  krebs.iptables.tables.filter.FORWARD.rules = [
-    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.136 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
-  ];
-}

From 30c2940ee57f675091fb363807ec1046814c69f1 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 20 Jul 2017 14:49:18 +0200
Subject: [PATCH 09/14] l prism: define all krebs users in one place

---
 lass/1systems/prism/config.nix | 42 ++++++++++++++++------------------
 1 file changed, 20 insertions(+), 22 deletions(-)

diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index a6bb824ab..6c1453c94 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -212,6 +212,26 @@ in {
           config.krebs.users.tv.pubkey
         ];
       };
+      users.users.makefu = {
+        uid = genid "makefu";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.makefu.pubkey
+        ];
+      };
+      users.users.nin = {
+        uid = genid "nin";
+        inherit (config.krebs.users.nin) home;
+        group = "users";
+        createHome = true;
+        useDefaultShell = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.nin.pubkey
+        ];
+        extraGroups = [
+          "libvirtd"
+        ];
+      };
     }
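Review bot: The relocated `makefu` account (first added block) silently drops the `extraGroups = [ "libvirtd" ]` that the `makefu-sip.nix` deleted in patch 08 gave it, while `nin` keeps `libvirtd`; if that reduction is intended it should be stated in the commit message, otherwise makefu loses VM access on prism with this series. Either way, `libvirtd` membership is widely treated as root-equivalent on the host, so a short why-comment on the nin grant, e.g. `# libvirtd is effectively root-equivalent; needed for nin's VM`, keeps the privilege auditable. The attribute set enclosing these user definitions begins before the hunk.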
     {
       krebs.repo-sync.timerConfig = {
@@ -234,28 +254,6 @@ in {
         enable = true;
       };
     }
-    {
-      # Nin stuff
-      users.users.nin = {
-        uid = genid "nin";
-        inherit (config.krebs.users.nin) home;
-        group = "users";
-        createHome = true;
-        useDefaultShell = true;
-        openssh.authorizedKeys.keys = [
-          config.krebs.users.nin.pubkey
-        ];
-        extraGroups = [
-          "libvirtd"
-        ];
-      };
-      krebs.iptables.tables.nat.PREROUTING.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 213.239.205.240 -p tcp --dport 1337"; target = "DNAT --to-destination 192.168.122.24:22"; }
-      ];
-      krebs.iptables.tables.filter.FORWARD.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
-      ];
-    }
     {
       krebs.Reaktor.prism = {
         nickname = "Reaktor|lass";
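Review bot: Beyond the duplicate `nin` user, this hunk also removes the NAT PREROUTING rule forwarding `213.239.205.240:1337` to `192.168.122.24:22` and the matching FORWARD accept, and neither the subject "define all krebs users in one place" nor the description mentions retiring that externally reachable port-forward. If the forward is still wanted it must be re-added next to the consolidated user block; if it is intentionally gone (as patch 08 did for makefu's), say so in the commit message so the change to the host's exposed ports is traceable.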

From 0cb248134f801a9e2e520d0b9a2b4a8992ec84d7 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 20 Jul 2017 14:43:43 +0200
Subject: [PATCH 10/14] l echelon: remove deprecated dnsmasq settings

---
 lass/1systems/echelon/config.nix | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/lass/1systems/echelon/config.nix b/lass/1systems/echelon/config.nix
index f064a4788..77958267d 100644
--- a/lass/1systems/echelon/config.nix
+++ b/lass/1systems/echelon/config.nix
@@ -31,17 +31,6 @@ in {
     {
       sound.enable = false;
     }
-    {
-      lass.dnsmasq = {
-        enable = true;
-        config = ''
-          interface=retiolum
-        '';
-      };
-      krebs.iptables.tables.filter.INPUT.rules = [
-        { predicate = "-i retiolum -p udp --dport 53"; target = "ACCEPT"; }
-      ];
-    }
     {
       users.extraUsers = {
         satan = {

From 9cb4a46b53a9ca5fe90d3166fa0f42a38a1732d6 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 20 Jul 2017 14:50:19 +0200
Subject: [PATCH 11/14] l websites domsen: serve some www. sites

---
 lass/2configs/websites/domsen.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 3bc5570c4..3e1ad6638 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -25,9 +25,15 @@ in {
   imports = [
     ./sqlBackup.nix
     (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
-    (servePage [ "karlaskop.de" ])
+    (servePage [
+      "karlaskop.de"
+      "www.karlaskop.de"
+    ])
     (servePage [ "makeup.apanowicz.de" ])
-    (servePage [ "pixelpocket.de" ])
+    (servePage [
+      "pixelpocket.de"
+      "www.pixelpocket.de"
+    ])
     (servePage [
       "habsys.de"
       "habsys.eu"

From a86f505f5d011ce5a5dba539bbda53fdc1b07a3c Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 20 Jul 2017 23:40:58 +0200
Subject: [PATCH 12/14] krebs: init puyak

---
 krebs/1systems/puyak/config.nix  | 55 ++++++++++++++++++++++++++++++++
 krebs/1systems/puyak/source.nix  |  3 ++
 krebs/3modules/krebs/default.nix | 24 ++++++++++++++
 3 files changed, 82 insertions(+)
 create mode 100644 krebs/1systems/puyak/config.nix
 create mode 100644 krebs/1systems/puyak/source.nix

diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix
new file mode 100644
index 000000000..5e5f6cdb2
--- /dev/null
+++ b/krebs/1systems/puyak/config.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/krebs>
+    <stockholm/krebs/2configs>
+    <stockholm/krebs/2configs/secret-passwords.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.puyak;
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+
+    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
+    initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+    initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/pool-root";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
+    "/boot" = {
+      device = "/dev/sda2";
+    };
+    "/home" = {
+      device = "/dev/mapper/pool-home";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
+    "/tmp" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = ["nosuid" "nodev" "noatime"];
+    };
+  };
+
+  hardware.enableAllFirmware = true;
+  networking.wireless.enable = true;
+  nixpkgs.config.allowUnfree = true;
+
+  services.logind.extraConfig = ''
+    HandleLidSwitch=ignore
+  '';
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0"
+    SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="et0"
+  '';
+
+}
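Review bot: The LUKS container and `/boot` are addressed by enumeration order (`device = "/dev/sda3"`, `"/dev/sda2"`) while the NICs are pinned by MAC in the udev rules; with `usb_storage` in the initrd a plugged-in USB disk can reorder `sdX`, so the initrd may prompt for the wrong device or fail to find `luksroot`. Prefer stable names for both, e.g. `device = "/dev/disk/by-uuid/<uuid>";`, or add a comment explaining why enumeration order is acceptable on this machine. The explicit `initrd.luks.cryptoModules` list narrows the default module set; a comment naming the cipher and hash the container was formatted with would explain why exactly these four and stop someone from trimming it later.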
diff --git a/krebs/1systems/puyak/source.nix b/krebs/1systems/puyak/source.nix
new file mode 100644
index 000000000..a21651899
--- /dev/null
+++ b/krebs/1systems/puyak/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+  name = "puyak";
+}
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index 0aa0cac9d..f11b8ef48 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
@@ -30,6 +30,30 @@ let
   });
 in {
   hosts = {
+    puyak = {
+      owner = config.krebs.users.krebs;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.77.2";
+          ip6.addr = "42:0:0:0:0:0:77:2";
+          aliases = [
+            "puyak.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955
+            SwotAPBrOT5P3pZ52Pu326SR5nj9XWfN6GD0CkcDQddtRG5OOtUWlvkYzZraNh33
+            p9l8TBgHJKogGe6umbs+4v7pWfbS0k708L2ttwY0ceju6RL6UqShIYB6qhDzwalU
+            p8s7pypl7BwrsTwYkUGleIptiN78cYv/NHvXhvXBuVGz4J0tCH4GMvdTHCah1l1r
+            zwEpKlAq0FD6bgYTJL94Tvxe2xzyr8c+xn1+XbJtMudGmrRjIHS6YupzO/Y2MO7w
+            UkbMKDhYVhSPFEyk6PMm0SU9uAh4I1+8BQIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpVwKv9mQGfcn5oFwuitq+b6Dz4jBG9sGhVoCYFw5RY";
+    };
     wolf = {
       owner = config.krebs.users.krebs;
       nets = {

From 1afc9c7a71907026e89f51d5fde06f554a537eaa Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 21 Jul 2017 00:35:08 +0200
Subject: [PATCH 13/14] krebs: bump nixos-version

---
 krebs/2configs/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix
index 53ad56d65..901516e50 100644
--- a/krebs/2configs/default.nix
+++ b/krebs/2configs/default.nix
@@ -46,6 +46,6 @@ with import <stockholm/lib>;
 
 
   # The NixOS release to be compatible with for stateful data such as databases.
-  system.stateVersion = "15.09";
+  system.stateVersion = "17.03";
 
 }
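Review bot: `system.stateVersion` lives in the shared `krebs/2configs/default.nix`, so raising it from `"15.09"` to `"17.03"` changes it for every krebs host importing this file, not only the freshly installed puyak from the previous patch. The comment directly above says the value pins compatibility for stateful data; changing it on hosts first deployed under 15.09 can silently switch version-dependent defaults of stateful services, which is exactly what the option exists to prevent. Safer is to leave the shared default alone and set `system.stateVersion = "17.03";` in `krebs/1systems/puyak/config.nix` (or per host), or state in the commit message that each host importing this file was checked.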

From 8bfcf85531c4b8455c301504ccd74f95487e86d0 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Fri, 21 Jul 2017 00:35:30 +0200
Subject: [PATCH 14/14] krebs shared-buildbot: use ipv4 localhost

---
 krebs/2configs/shared-buildbot.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/krebs/2configs/shared-buildbot.nix b/krebs/2configs/shared-buildbot.nix
index efb41cc3e..51984209c 100644
--- a/krebs/2configs/shared-buildbot.nix
+++ b/krebs/2configs/shared-buildbot.nix
@@ -14,7 +14,7 @@
     locations."/".extraConfig = ''
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
-      proxy_pass http://localhost:${toString config.krebs.buildbot.master.web.port};
+      proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port};
     '';
   };
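Review bot: The switch from `localhost` to `127.0.0.1` in `proxy_pass` is undocumented; presumably nginx resolved `localhost` to `::1` first while the buildbot web port binds IPv4 only, and the next reader will not know that from the line alone. Add a why-comment above it, e.g. `# IPv4 literal on purpose: "localhost" may resolve to ::1 and buildbot only listens on IPv4`, and ideally point at where the master's bind address is configured so the two stay in sync. The `Upgrade`/`Connection` headers above only reach the upstream as a WebSocket handshake if `proxy_http_version 1.1;` is set in this location; it is not visible in the hunk, so worth confirming. The `locations."/"` block this belongs to starts before the hunk.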