makefu/stockholm
1
0
Fork 0
Code Issues Pull requests Actions1 Packages Projects Releases Wiki Activity

Merge branch 'master' of prism.r:stockholm

Browse source
This commit is contained in:
jeschli 2018-12-16 20:28:28 +01:00
parent 5030b74cc5 8705b4dbc8
commit 8605ac91ae
93 changed files with 1576 additions and 1281 deletions
krebs
2configs
binary-cache
prism.nix
cache.nsupdate.info.nixnews-spam.nix
3modules
Reaktor.nixbepasty-server.nixcachecache.nixdefault.nix
external
default.nix
fetchWallpaper.nixgit.nix
jeschli
default.nix
krebs
default.nix
lass
default.nix
makefu
default.nix
ssh
ulrich.pub
tinc_graphs.nix
tv
default.nix
5pkgs/simple
cabal-read.nix
lass
1systems
archprism
config.nix
littleT
config.nixphysical.nix
morpheus
config.nixphysical.nix
mors
config.nix
prism
config.nix
shodan
config.nix
skynet
config.nix
xerxes
config.nixphysical.nix
yellow
config.nix
2configs
baseX.nixblue-host.nixblue.nixbrowsers.nixdefault.nixexim-smarthost.nixgames.nixgit.nixmail.nixmouse.nixradio.nix
websites
domsen.nixlassulus.nix
wiregrill.nix
3modules
xjail.nix
5pkgs
custom/xmonad-lass
default.nix
l-gen-secrets
default.nix
lib
default.nix
krebs
default.nixgenipv6.nix
types.nix
makefu
0tests/data/secrets
netdata-stream.confnsupdate-cache.nix
1systems
full
source.nix
gum
config.nixhardware-config.nixrescue.txtsource.nix
iso
config.nix
omo
config.nix
hw
omo.nix
wbob
config.nix
2configs
bgt
auphonic.pubdownload.binaergewitter.de.nixhidden_service.nix
binary-cache
lass.nix
bitlbee.nix
bureautomation
default.nixhass.nixmpd.nix
elchos
search.nix
homeautomation
default.nixgoogle-muell.nixmqtt.nix
mail
mail.euer.nix
minimal.nix
nginx
gum.krebsco.de.nix
shack/events-publisher
default.nix
share
omo.nixwbob.nix
stats
client.nixcollectd-client.nixnetdata-server.nixserver.nix
tinc
retiolum.nix
3modules
default.nixnetdata.nix
5pkgs/libopencm3
default.nix
krops.nixupdate-channel.sh
submodules
krops
tv
2configs/xserver
default.nix
5pkgs/haskell/xmonad-tv
shell.nix

2
krebs/2configs/binary-cache/prism.nix
View file

@ -3,7 +3,7 @@
{
nix = {
binaryCaches = [
"http://cache.prism.r"
"https://cache.krebsco.de"
];
binaryCachePublicKeys = [
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="

8
krebs/2configs/cache.nsupdate.info.nix
View file

@ -1,4 +1,4 @@
{lib, ... }:
{ pkgs, lib, ... }:
with lib;
let
domain = "cache.nsupdate.info";
@ -17,9 +17,13 @@ in {
};
krebs.cachecache = {
enable = true;
enableSSL = false; # disable letsencrypt for testing
enableSSL = true; # disable letsencrypt for testing
cacheDir = "/var/cache/nix-cache-cache";
maxSize = "10g";
indexFile = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/krebs/35c3-nixos-cache/master/index.html";
sha256 = "1vlngzbn0jipigspccgikd7xgixksimdl4wf8ix7d30ljx47p9n0";
};
# assumes that the domain is reachable from the internet
virtualHost = domain;

310
krebs/2configs/news-spam.nix
View file

@ -4,161 +4,161 @@
krebs.newsbot-js.news-spam = {
urlShortenerHost = "go.lassul.us";
feeds = pkgs.writeText "feeds" ''
[SPAM]aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews
[SPAM]allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews
[SPAM]antirez|http://antirez.com/rss|#snews
[SPAM]archlinux|http://www.archlinux.org/feeds/news/|#snews
[SPAM]ars|http://feeds.arstechnica.com/arstechnica/index?format=xml|#snews
[SPAM]augustl|http://augustl.com/atom.xml|#snews
[SPAM]bbc|http://feeds.bbci.co.uk/news/rss.xml|#snews
[SPAM]bdt_aktuelle_themen|http://www.bundestag.de/blueprint/servlet/service/de/14154/asFeed/index.rss|#snews
[SPAM]bdt_drucksachen|http://www.bundestag.de/dip21rss/bundestag_drucksachen.rss|#snews
[SPAM]bdt_plenarproto|http://www.bundestag.de/rss_feeds/plenarprotokolle.rss|#snews
[SPAM]bdt_pressemitteilungen|http://www.bundestag.de/blueprint/servlet/service/de/273112/asFeed/index.rss|#snews
[SPAM]bitcoinpakistan|https://bitcoinspakistan.com/feed/|#snews
[SPAM]cancer|http://feeds.feedburner.com/ncinewsreleases?format=xml|#snews
[SPAM]carta|http://feeds2.feedburner.com/carta-standard-rss|#snews
[SPAM]catholic_news|http://feeds.feedburner.com/catholicnewsagency/dailynews|#snews
[SPAM]cbc_busi|http://rss.cbc.ca/lineup/business.xml|#snews
[SPAM]cbc_offbeat|http://www.cbc.ca/cmlink/rss-offbeat|#snews
[SPAM]cbc_pol|http://rss.cbc.ca/lineup/politics.xml|#snews
[SPAM]cbc_tech|http://rss.cbc.ca/lineup/technology.xml|#snews
[SPAM]cbc_top|http://rss.cbc.ca/lineup/topstories.xml|#snews
[SPAM]ccc|http://www.ccc.de/rss/updates.rdf|#snews
[SPAM]chan_biz|http://boards.4chan.org/biz/index.rss|#snews
[SPAM]chan_g|http://boards.4chan.org/g/index.rss|#snews
[SPAM]chan_int|http://boards.4chan.org/int/index.rss|#snews
[SPAM]chan_sci|http://boards.4chan.org/sci/index.rss|#snews
[SPAM]chan_x|http://boards.4chan.org/x/index.rss|#snews
[SPAM]c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#snews
[SPAM]cryptogon|http://www.cryptogon.com/?feed=rss2|#snews
[SPAM]csm|http://rss.csmonitor.com/feeds/csm|#snews
[SPAM]csm_world|http://rss.csmonitor.com/feeds/world|#snews
[SPAM]danisch|http://www.danisch.de/blog/feed/|#snews
[SPAM]dod|http://www.defense.gov/news/afps2.xml|#snews
[SPAM]dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#snews
[SPAM]ecat|http://ecat.com/feed|#snews
[SPAM]eia_press|http://www.eia.gov/rss/press_rss.xml|#snews
[SPAM]eia_today|http://www.eia.gov/rss/todayinenergy.xml|#snews
[SPAM]embargowatch|https://embargowatch.wordpress.com/feed/|#snews
[SPAM]ethereum-comments|http://blog.ethereum.org/comments/feed|#snews
[SPAM]ethereum|http://blog.ethereum.org/feed|#snews
[SPAM]europa_ric|http://ec.europa.eu/research/infocentre/rss/infocentre-rss.xml|#snews
[SPAM]eu_survei|http://www.eurosurveillance.org/public/RSSFeed/RSS.aspx|#snews
[SPAM]exploitdb|http://www.exploit-db.com/rss.xml|#snews
[SPAM]fars|http://www.farsnews.com/rss.php|#snews #test
[SPAM]faz_feui|http://www.faz.net/rss/aktuell/feuilleton/|#snews
[SPAM]faz_politik|http://www.faz.net/rss/aktuell/politik/|#snews
[SPAM]faz_wirtschaft|http://www.faz.net/rss/aktuell/wirtschaft/|#snews
[SPAM]fbi|https://www.fbi.gov/news/rss.xml|#snews
[SPAM]fedreserve|http://www.federalreserve.gov/feeds/press_all.xml|#snews
[SPAM]fefe|http://blog.fefe.de/rss.xml|#snews
[SPAM]forbes|http://www.forbes.com/forbes/feed2/|#snews
[SPAM]forbes_realtime|http://www.forbes.com/real-time/feed2/|#snews
[SPAM]fox|http://feeds.foxnews.com/foxnews/latest|#snews
[SPAM]geheimorganisation|http://geheimorganisation.org/feed/|#snews
[SPAM]GerForPol|http://www.german-foreign-policy.com/de/news/rss-2.0|#snews
[SPAM]gmanet|http://www.gmanetwork.com/news/rss/news|#snews
[SPAM]golem|http://rss.golem.de/rss.php|#snews
[SPAM]google|http://news.google.com/?output=rss|#snews
[SPAM]greenpeace|http://feeds.feedburner.com/GreenpeaceNews|#snews
[SPAM]guardian_uk|http://feeds.theguardian.com/theguardian/uk-news/rss|#snews
[SPAM]gulli|http://ticker.gulli.com/rss/|#snews
[SPAM]hackernews|https://news.ycombinator.com/rss|#snews
[SPAM]handelsblatt|http://www.handelsblatt.com/contentexport/feed/schlagzeilen|#snews
[SPAM]heise|https://www.heise.de/newsticker/heise-atom.xml|#snews
[SPAM]hindu_business|http://www.thehindubusinessline.com/?service=rss|#snews
[SPAM]hindu|http://www.thehindu.com/?service=rss|#snews
[SPAM]ign|http://feeds.ign.com/ign/all|#snews
[SPAM]independent|http://www.independent.com/rss/headlines/|#snews
[SPAM]indymedia|https://de.indymedia.org/rss.xml|#snews
[SPAM]info_libera|http://www.informationliberation.com/rss.xml|#snews
[SPAM]klagen-gegen-rundfuckbeitrag|http://klagen-gegen-rundfunkbeitrag.blogspot.com/feeds/posts/default|#snews
[SPAM]korea_herald|http://www.koreaherald.com/rss_xml.php|#snews
[SPAM]linuxinsider|http://www.linuxinsider.com/perl/syndication/rssfull.pl|#snews
[SPAM]lisp|http://planet.lisp.org/rss20.xml|#snews
[SPAM]liveleak|http://www.liveleak.com/rss|#snews
[SPAM]lolmythesis|http://lolmythesis.com/rss|#snews
[SPAM]LtU|http://lambda-the-ultimate.org/rss.xml|#snews
[SPAM]lukepalmer|http://lukepalmer.wordpress.com/feed/|#snews
[SPAM]mit|http://web.mit.edu/newsoffice/rss-feeds.feed?type=rss|#snews
[SPAM]mongrel2_master|https://github.com/zedshaw/mongrel2/commits/master.atom|#snews
[SPAM]nds|http://www.nachdenkseiten.de/?feed=atom|#snews
[SPAM]netzpolitik|https://netzpolitik.org/feed/|#snews
[SPAM]newsbtc|http://newsbtc.com/feed/|#snews
[SPAM]nnewsg|http://www.net-news-global.net/rss/rssfeed.xml|#snews
[SPAM]npr_busi|http://www.npr.org/rss/rss.php?id=1006|#snews
[SPAM]npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#snews
[SPAM]npr_pol|http://www.npr.org/rss/rss.php?id=1012|#snews
[SPAM]npr_world|http://www.npr.org/rss/rss.php?id=1004|#snews
[SPAM]nsa|https://www.nsa.gov/rss.xml|#snews #bullerei
[SPAM]nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#snews
[SPAM]painload|https://github.com/krebs/painload/commits/master.atom|#snews
[SPAM]phys|http://phys.org/rss-feed/|#snews
[SPAM]piraten|https://www.piratenpartei.de/feed/|#snews
[SPAM]polizei_berlin|http://www.berlin.de/polizei/presse-fahndung/_rss_presse.xml|#snews
[SPAM]presse_polizei|http://www.presseportal.de/rss/polizei.rss2|#snews
[SPAM]presseportal|http://www.presseportal.de/rss/presseportal.rss2|#snews
[SPAM]prisonplanet|http://prisonplanet.com/feed.rss|#snews
[SPAM]rawstory|http://www.rawstory.com/rs/feed/|#snews
[SPAM]reddit_4chan|http://www.reddit.com/r/4chan/new/.rss|#snews
[SPAM]reddit_anticonsum|http://www.reddit.com/r/Anticonsumption/new/.rss|#snews
[SPAM]reddit_btc|http://www.reddit.com/r/Bitcoin/new/.rss|#snews
[SPAM]reddit_consp|http://reddit.com/r/conspiracy/.rss|#snews
[SPAM]reddit_haskell|http://www.reddit.com/r/haskell/.rss|#snews
[SPAM]reddit_nix|http://www.reddit.com/r/nixos/.rss|#snews
[SPAM]reddit_prog|http://www.reddit.com/r/programming/new/.rss|#snews
[SPAM]reddit_sci|http://www.reddit.com/r/science/.rss|#snews
[SPAM]reddit_tech|http://www.reddit.com/r/technology/.rss|#snews
[SPAM]reddit_tpp|http://www.reddit.com/r/twitchplayspokemon/.rss|#snews
[SPAM]reddit_world|http://www.reddit.com/r/worldnews/.rss|#snews
[SPAM]r-ethereum|http://www.reddit.com/r/ethereum/.rss|#snews
[SPAM]reuters|http://feeds.reuters.com/Reuters/worldNews|#snews
[SPAM]reuters-odd|http://feeds.reuters.com/reuters/oddlyEnoughNews?format=xml|#snews
[SPAM]rt|http://rt.com/rss/news/|#snews
[SPAM]schallurauch|http://feeds.feedburner.com/SchallUndRauch|#snews
[SPAM]sciencemag|http://news.sciencemag.org/rss/current.xml|#snews
[SPAM]scmp|http://www.scmp.com/rss/91/feed|#snews
[SPAM]sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews
[SPAM]shackspace|http://shackspace.de/atom.xml|#snews
[SPAM]shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews
[SPAM]sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews
[SPAM]sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews
[SPAM]sky_strange|http://feeds.skynews.com/feeds/rss/strange.xml|#snews
[SPAM]sky_tech|http://feeds.skynews.com/feeds/rss/technology.xml|#snews
[SPAM]sky_world|http://feeds.skynews.com/feeds/rss/world.xml|#snews
[SPAM]slashdot|http://rss.slashdot.org/Slashdot/slashdot|#snews
[SPAM]slate|http://feeds.slate.com/slate|#snews
[SPAM]spiegel_eil|http://www.spiegel.de/schlagzeilen/eilmeldungen/index.rss|#snews
[SPAM]spiegel_top|http://www.spiegel.de/schlagzeilen/tops/index.rss|#snews
[SPAM]standardmedia_ke|http://www.standardmedia.co.ke/rss/headlines.php|#snews
[SPAM]stern|http://www.stern.de/feed/standard/all/|#snews
[SPAM]stz|http://www.stuttgarter-zeitung.de/rss/topthemen.rss.feed|#snews
[SPAM]sz_politik|http://rss.sueddeutsche.de/rss/Politik|#snews
[SPAM]sz_wirtschaft|http://rss.sueddeutsche.de/rss/Wirtschaft|#snews
[SPAM]sz_wissen|http://rss.sueddeutsche.de/rss/Wissen|#snews
[SPAM]tagesschau|http://www.tagesschau.de/newsticker.rdf|#snews
[SPAM]taz|http://taz.de/Themen-des-Tages/!p15;rss/|#snews
[SPAM]telegraph|http://www.telegraph.co.uk/rss.xml|#snews
[SPAM]telepolis|http://www.heise.de/tp/rss/news-atom.xml|#snews
[SPAM]the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#snews
[SPAM]tigsource|http://www.tigsource.com/feed/|#snews
[SPAM]tinc|http://tinc-vpn.org/news/index.rss|#snews
[SPAM]torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#snews
[SPAM]torrentfreak|http://feeds.feedburner.com/Torrentfreak|#snews
[SPAM]torr_news|http://feed.torrentfreak.com/Torrentfreak/|#snews
[SPAM]travel_warnings|http://feeds.travel.state.gov/ca/travelwarnings-alerts|#snews
[SPAM]un_afr|http://www.un.org/apps/news/rss/rss_africa.asp|#snews
[SPAM]un_am|http://www.un.org/apps/news/rss/rss_americas.asp|#snews
[SPAM]un_eu|http://www.un.org/apps/news/rss/rss_europe.asp|#snews
[SPAM]un_me|http://www.un.org/apps/news/rss/rss_mideast.asp|#snews
[SPAM]un_pac|http://www.un.org/apps/news/rss/rss_asiapac.asp|#snews
[SPAM]un_top|http://www.un.org/apps/news/rss/rss_top.asp|#snews
[SPAM]us_math_society|http://www.ams.org/cgi-bin/content/news_items.cgi?rss=1|#snews
[SPAM]vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#snews
[SPAM]weechat|http://dev.weechat.org/feed/atom|#snews
[SPAM]xkcd|https://xkcd.com/rss.xml|#snews
[SPAM]zdnet|http://www.zdnet.com/news/rss.xml|#snews
_aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews
_allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews
_antirez|http://antirez.com/rss|#snews
_archlinux|http://www.archlinux.org/feeds/news/|#snews
_ars|http://feeds.arstechnica.com/arstechnica/index?format=xml|#snews
_augustl|http://augustl.com/atom.xml|#snews
_bbc|http://feeds.bbci.co.uk/news/rss.xml|#snews
_bdt_aktuelle_themen|http://www.bundestag.de/blueprint/servlet/service/de/14154/asFeed/index.rss|#snews
_bdt_drucksachen|http://www.bundestag.de/dip21rss/bundestag_drucksachen.rss|#snews
_bdt_plenarproto|http://www.bundestag.de/rss_feeds/plenarprotokolle.rss|#snews
_bdt_pressemitteilungen|http://www.bundestag.de/blueprint/servlet/service/de/273112/asFeed/index.rss|#snews
_bitcoinpakistan|https://bitcoinspakistan.com/feed/|#snews
_cancer|http://feeds.feedburner.com/ncinewsreleases?format=xml|#snews
_carta|http://feeds2.feedburner.com/carta-standard-rss|#snews
_catholic_news|http://feeds.feedburner.com/catholicnewsagency/dailynews|#snews
_cbc_busi|http://rss.cbc.ca/lineup/business.xml|#snews
_cbc_offbeat|http://www.cbc.ca/cmlink/rss-offbeat|#snews
_cbc_pol|http://rss.cbc.ca/lineup/politics.xml|#snews
_cbc_tech|http://rss.cbc.ca/lineup/technology.xml|#snews
_cbc_top|http://rss.cbc.ca/lineup/topstories.xml|#snews
_ccc|http://www.ccc.de/rss/updates.rdf|#snews
_chan_biz|http://boards.4chan.org/biz/index.rss|#snews
_chan_g|http://boards.4chan.org/g/index.rss|#snews
_chan_int|http://boards.4chan.org/int/index.rss|#snews
_chan_sci|http://boards.4chan.org/sci/index.rss|#snews
_chan_x|http://boards.4chan.org/x/index.rss|#snews
_c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#snews
_cryptogon|http://www.cryptogon.com/?feed=rss2|#snews
_csm|http://rss.csmonitor.com/feeds/csm|#snews
_csm_world|http://rss.csmonitor.com/feeds/world|#snews
_danisch|http://www.danisch.de/blog/feed/|#snews
_dod|http://www.defense.gov/news/afps2.xml|#snews
_dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#snews
_ecat|http://ecat.com/feed|#snews
_eia_press|http://www.eia.gov/rss/press_rss.xml|#snews
_eia_today|http://www.eia.gov/rss/todayinenergy.xml|#snews
_embargowatch|https://embargowatch.wordpress.com/feed/|#snews
_ethereum-comments|http://blog.ethereum.org/comments/feed|#snews
_ethereum|http://blog.ethereum.org/feed|#snews
_europa_ric|http://ec.europa.eu/research/infocentre/rss/infocentre-rss.xml|#snews
_eu_survei|http://www.eurosurveillance.org/public/RSSFeed/RSS.aspx|#snews
_exploitdb|http://www.exploit-db.com/rss.xml|#snews
_fars|http://www.farsnews.com/rss.php|#snews #test
_faz_feui|http://www.faz.net/rss/aktuell/feuilleton/|#snews
_faz_politik|http://www.faz.net/rss/aktuell/politik/|#snews
_faz_wirtschaft|http://www.faz.net/rss/aktuell/wirtschaft/|#snews
_fbi|https://www.fbi.gov/news/rss.xml|#snews
_fedreserve|http://www.federalreserve.gov/feeds/press_all.xml|#snews
_fefe|http://blog.fefe.de/rss.xml|#snews
_forbes|http://www.forbes.com/forbes/feed2/|#snews
_forbes_realtime|http://www.forbes.com/real-time/feed2/|#snews
_fox|http://feeds.foxnews.com/foxnews/latest|#snews
_geheimorganisation|http://geheimorganisation.org/feed/|#snews
_GerForPol|http://www.german-foreign-policy.com/de/news/rss-2.0|#snews
_gmanet|http://www.gmanetwork.com/news/rss/news|#snews
_golem|http://rss.golem.de/rss.php|#snews
_google|http://news.google.com/?output=rss|#snews
_greenpeace|http://feeds.feedburner.com/GreenpeaceNews|#snews
_guardian_uk|http://feeds.theguardian.com/theguardian/uk-news/rss|#snews
_gulli|http://ticker.gulli.com/rss/|#snews
_hackernews|https://news.ycombinator.com/rss|#snews
_handelsblatt|http://www.handelsblatt.com/contentexport/feed/schlagzeilen|#snews
_heise|https://www.heise.de/newsticker/heise-atom.xml|#snews
_hindu_business|http://www.thehindubusinessline.com/?service=rss|#snews
_hindu|http://www.thehindu.com/?service=rss|#snews
_ign|http://feeds.ign.com/ign/all|#snews
_independent|http://www.independent.com/rss/headlines/|#snews
_indymedia|https://de.indymedia.org/rss.xml|#snews
_info_libera|http://www.informationliberation.com/rss.xml|#snews
_klagen-gegen-rundfuckbeitrag|http://klagen-gegen-rundfunkbeitrag.blogspot.com/feeds/posts/default|#snews
_korea_herald|http://www.koreaherald.com/rss_xml.php|#snews
_linuxinsider|http://www.linuxinsider.com/perl/syndication/rssfull.pl|#snews
_lisp|http://planet.lisp.org/rss20.xml|#snews
_liveleak|http://www.liveleak.com/rss|#snews
_lolmythesis|http://lolmythesis.com/rss|#snews
_LtU|http://lambda-the-ultimate.org/rss.xml|#snews
_lukepalmer|http://lukepalmer.wordpress.com/feed/|#snews
_mit|http://web.mit.edu/newsoffice/rss-feeds.feed?type=rss|#snews
_mongrel2_master|https://github.com/zedshaw/mongrel2/commits/master.atom|#snews
_nds|http://www.nachdenkseiten.de/?feed=atom|#snews
_netzpolitik|https://netzpolitik.org/feed/|#snews
_newsbtc|http://newsbtc.com/feed/|#snews
_nnewsg|http://www.net-news-global.net/rss/rssfeed.xml|#snews
_npr_busi|http://www.npr.org/rss/rss.php?id=1006|#snews
_npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#snews
_npr_pol|http://www.npr.org/rss/rss.php?id=1012|#snews
_npr_world|http://www.npr.org/rss/rss.php?id=1004|#snews
_nsa|https://www.nsa.gov/rss.xml|#snews #bullerei
_nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#snews
_painload|https://github.com/krebs/painload/commits/master.atom|#snews
_phys|http://phys.org/rss-feed/|#snews
_piraten|https://www.piratenpartei.de/feed/|#snews
_polizei_berlin|http://www.berlin.de/polizei/presse-fahndung/_rss_presse.xml|#snews
_presse_polizei|http://www.presseportal.de/rss/polizei.rss2|#snews
_presseportal|http://www.presseportal.de/rss/presseportal.rss2|#snews
_prisonplanet|http://prisonplanet.com/feed.rss|#snews
_rawstory|http://www.rawstory.com/rs/feed/|#snews
_reddit_4chan|http://www.reddit.com/r/4chan/new/.rss|#snews
_reddit_anticonsum|http://www.reddit.com/r/Anticonsumption/new/.rss|#snews
_reddit_btc|http://www.reddit.com/r/Bitcoin/new/.rss|#snews
_reddit_consp|http://reddit.com/r/conspiracy/.rss|#snews
_reddit_haskell|http://www.reddit.com/r/haskell/.rss|#snews
_reddit_nix|http://www.reddit.com/r/nixos/.rss|#snews
_reddit_prog|http://www.reddit.com/r/programming/new/.rss|#snews
_reddit_sci|http://www.reddit.com/r/science/.rss|#snews
_reddit_tech|http://www.reddit.com/r/technology/.rss|#snews
_reddit_tpp|http://www.reddit.com/r/twitchplayspokemon/.rss|#snews
_reddit_world|http://www.reddit.com/r/worldnews/.rss|#snews
_r-ethereum|http://www.reddit.com/r/ethereum/.rss|#snews
_reuters|http://feeds.reuters.com/Reuters/worldNews|#snews
_reuters-odd|http://feeds.reuters.com/reuters/oddlyEnoughNews?format=xml|#snews
_rt|http://rt.com/rss/news/|#snews
_schallurauch|http://feeds.feedburner.com/SchallUndRauch|#snews
_sciencemag|http://news.sciencemag.org/rss/current.xml|#snews
_scmp|http://www.scmp.com/rss/91/feed|#snews
_sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews
_shackspace|http://shackspace.de/atom.xml|#snews
_shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews
_sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews
_sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews
_sky_strange|http://feeds.skynews.com/feeds/rss/strange.xml|#snews
_sky_tech|http://feeds.skynews.com/feeds/rss/technology.xml|#snews
_sky_world|http://feeds.skynews.com/feeds/rss/world.xml|#snews
_slashdot|http://rss.slashdot.org/Slashdot/slashdot|#snews
_slate|http://feeds.slate.com/slate|#snews
_spiegel_eil|http://www.spiegel.de/schlagzeilen/eilmeldungen/index.rss|#snews
_spiegel_top|http://www.spiegel.de/schlagzeilen/tops/index.rss|#snews
_standardmedia_ke|http://www.standardmedia.co.ke/rss/headlines.php|#snews
_stern|http://www.stern.de/feed/standard/all/|#snews
_stz|http://www.stuttgarter-zeitung.de/rss/topthemen.rss.feed|#snews
_sz_politik|http://rss.sueddeutsche.de/rss/Politik|#snews
_sz_wirtschaft|http://rss.sueddeutsche.de/rss/Wirtschaft|#snews
_sz_wissen|http://rss.sueddeutsche.de/rss/Wissen|#snews
_tagesschau|http://www.tagesschau.de/newsticker.rdf|#snews
_taz|http://taz.de/Themen-des-Tages/!p15;rss/|#snews
_telegraph|http://www.telegraph.co.uk/rss.xml|#snews
_telepolis|http://www.heise.de/tp/rss/news-atom.xml|#snews
_the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#snews
_tigsource|http://www.tigsource.com/feed/|#snews
_tinc|http://tinc-vpn.org/news/index.rss|#snews
_torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#snews
_torrentfreak|http://feeds.feedburner.com/Torrentfreak|#snews
_torr_news|http://feed.torrentfreak.com/Torrentfreak/|#snews
_travel_warnings|http://feeds.travel.state.gov/ca/travelwarnings-alerts|#snews
_un_afr|http://www.un.org/apps/news/rss/rss_africa.asp|#snews
_un_am|http://www.un.org/apps/news/rss/rss_americas.asp|#snews
_un_eu|http://www.un.org/apps/news/rss/rss_europe.asp|#snews
_un_me|http://www.un.org/apps/news/rss/rss_mideast.asp|#snews
_un_pac|http://www.un.org/apps/news/rss/rss_asiapac.asp|#snews
_un_top|http://www.un.org/apps/news/rss/rss_top.asp|#snews
_us_math_society|http://www.ams.org/cgi-bin/content/news_items.cgi?rss=1|#snews
_vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#snews
_weechat|http://dev.weechat.org/feed/atom|#snews
_xkcd|https://xkcd.com/rss.xml|#snews
_zdnet|http://www.zdnet.com/news/rss.xml|#snews
'';
};
}

2
krebs/3modules/Reaktor.nix
View file

@ -8,7 +8,7 @@ let
out = {
options.krebs.Reaktor = api;
config = imp;
config = mkIf (cfg != {}) imp;
};
api = mkOption {

4
krebs/3modules/bepasty-server.nix
View file

@ -143,12 +143,12 @@ let
) cfg.servers;
users.extraUsers.bepasty = {
uid = genid "bepasty";
uid = genid_uint31 "bepasty";
group = "bepasty";
home = "/var/lib/bepasty-server";
};
users.extraGroups.bepasty = {
gid = genid "bepasty";
gid = genid_uint31 "bepasty";
};
};

20
krebs/3modules/cachecache.nix
View file

@ -1,4 +1,4 @@
{ config, lib, ... }:
{ pkgs, config, lib, ... }:
# fork of https://gist.github.com/rycee/f495fc6cc4130f155e8b670609a1e57b
@ -59,15 +59,6 @@ in
'';
};
# webRoot = mkOption {
# type = types.str;
# default = "/";
# description = ''
# Directory on virtual host that serves the cache. Must end in
# <literal>/</literal>.
# '';
# };
resolver = mkOption {
type = types.str;
description = "Address of DNS resolver.";
@ -82,6 +73,13 @@ in
Where nginx should store cached data.
'';
};
indexFile = mkOption {
type = types.path;
default = pkgs.writeText "myindex" "<html>hello world</html>";
description = ''
Path to index.html file.
'';
};
maxSize = mkOption {
type = types.str;
@ -98,6 +96,7 @@ in
systemd.services.nginx.preStart = ''
mkdir -p ${cfg.cacheDir} /srv/www/nix-cache-cache
chmod 700 ${cfg.cacheDir} /srv/www/nix-cache-cache
ln -fs ${cfg.indexFile} /srv/www/nix-cache-cache/index.html
chown ${nginxCfg.user}:${nginxCfg.group} \
${cfg.cacheDir} /srv/www/nix-cache-cache
'';
@ -143,6 +142,7 @@ in
locations."/" =
{
root = "/srv/www/nix-cache-cache";
index = "index.html";
extraConfig = ''
expires max;
add_header Cache-Control $nix_cache_cache_header always;

2
krebs/3modules/default.nix
View file

@ -109,6 +109,7 @@ let
};
imp = lib.mkMerge [
{ krebs = import ./external { inherit config; }; }
{ krebs = import ./jeschli { inherit config; }; }
{ krebs = import ./krebs { inherit config; }; }
{ krebs = import ./lass { inherit config; }; }
@ -121,6 +122,7 @@ let
shack = "hosts";
i = "hosts";
r = "hosts";
w = "hosts";
};
krebs.users = {

306
krebs/3modules/external/default.nix vendored Normal file
View file

@ -0,0 +1,306 @@
with import <stockholm/lib>;
{ config, ... }: let
hostDefaults = hostName: host: flip recursiveUpdate host ({
ci = false;
external = true;
monitoring = false;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum.ip6.addr =
(krebs.genipv6 "retiolum" "external" { inherit hostName; }).address;
});
in {
hosts = mapAttrs hostDefaults {
sokrateslaptop = {
owner = config.krebs.users.sokratess;
nets = {
retiolum = {
ip4.addr = "10.243.142.104";
aliases = [
"sokrateslaptop.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA0EMbBv5NCSns4V/VR/NJHhwe2qNLUYjWWtCDY4zDuoiJdm3JNZJ2
t0iKNxFwd6Mmg3ahAlndsH4FOjOBGBQCgBG25VRnQgli1sypI/gYTsSgIWHVIRoZ
rgrng0K3oyJ6FuTP+nH1rd7UAYkrOQolXQBY+LqAbxOVjiJl+DpbAXIxCIs5TBeW
egtBiXZ1S53Lv5EGFXug716XlgZLHjw7PzRLJXSlvUAIRZj0Sjq4UD9VrhazM9s5
aDuxJIdknccEEXm6NK7a51hU/o8L+T0IUpZxhaXOdi6fvO/y3TbffKb1yRTbN0/V
VBjBh18Le7h0SmAEED5tz7NOCrAjMZQtJQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
kruck = {
owner = config.krebs.users.palo;
nets = {
retiolum = {
ip4.addr = "10.243.29.201";
aliases = [
"kruck.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAxcui2sirT5YY9HrSauj9nSF3AxUnfd2CCEGyzmzbi5+qw8T9jdNh
QcIG3s+eC3uEy6leL/eeR4NjVtQRt8CDmhGul95Vs3I1jx9gdvYR+HOatPgK0YQA
EFwk0jv8Z8tOc87X1qwA00Gb+25+kAzsf+8+4HQuh/szSGje3RBmBFkUyNHh8R0U
uzs8NSTRdN+edvYtzjnYcE1sq59HFBPkVcJNp5I3qYTp6m9SxGHMvsq6vRpNnjq/
/RZVBhnPDBlgxia/aVfVQKeEOHZV3svLvsJzGDrUWsJCEvF0YwW4bvohY19myTNR
9lXo/VFx86qAkY09il2OloE7iu5cA2RV+FWwLeajE9vIDA06AD7nECVgthNoZd1s
qsDfuu3WqlpyBmr6XhRkYOFFE4xVLrZ0vItGYlgR2UPp9TjHrzfsedoyJoJAbhMH
gDlFgiHlAy1fhG1sCX5883XmSjWn0eJwmZ2O9sZNBP5dxfGUXg/x8NWfQj7E1lqj
jQ59UC6yiz7bFtObKvpdn1D4tPbqBvndZzn19U/3wKo+cCBRjtLmUD7HQHC65dCs
fAiCFvUTVMM3SNDvYChm0U/KGjZZFwQ+cCLj1JNVPet2C+CJ0qI2muXOnCuv/0o5
TBZrrHMpj6Th8AiOgeMVuxzjX1FsmAThWj9Qp/jQu6O0qvnkUNaU7I8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
scardanelli = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.2";
aliases = [
"scardanelli.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxM93+YgGhk5PtcOrE7E/
MAOMF/c9c4Ps6m8xd4VZat3ru07yH8Yfox1yM6jwZBwIwK2AC9DK0/k3WIvZQUge
UKSTiXpE4z/0ceaesugLQ9KTjUty1e/2vQ78bOqmd7EG3aPV2QsjlgpjJ6qQxeFi
kjlHoFi9NNBLVkIyaAdlAhwvZuYFmAY/FQEmm6+XOb+Nmo+fccQlG6+NinA2GOg0
gdY/dKYxa04Ns/yu7TK3sBQIt6cg/YUk9VpyC4yIIRPMdyVcAPz3Kd2mp23fhSvx
we80prWXYtdct4vXaBZm9FUY5y4SL3c0TEScuM73VXtr2tPAxjD5W4XMWhrjnIiY
QzoyAquVS9rR4fCaoP+hw3Tjy7Att3voa/YlHEDaendxjZ3nuO0m0vcgOa+SfCNm
SqLsqb8to1y8yJ8LnR2og4MbtasxqSe1L9VLTsb4k/AGfmAdlqyG4Q1h5pCBh0GL
2F6FbYHzwrwqBvVCz4DTPygPtta5o7THpP50PgojtzNLm1yKWpfdcWeMgGQJSI0f
m3yenytM1u0jjw7KbBG79Z3etFNIYZy4Uq/dryEJnwpTFls+zZn9Q3tDEnO4a38Q
FgzV0VLQpRM/uf1powSDzoWp+/JYgB9464OKcTsSlVJpi3crxF86xFqqc39U2/u5
lM61fOMcVW1KREdWypiDtu8CAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
homeros = {
owner = config.krebs.users.kmein;
nets = {
retiolum = {
ip4.addr = "10.243.2.1";
aliases = [
"homeros.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoZq6BwB6rV6EfTf8PWOd
ZhEWig5VcK1FcH0qi7KgojAhGSHhWmtFlvRSoGpQrSFRN0g5eTnrrguuTiIs6djc
6Al9HMqwSD1IOkqFm8jM4aG5NqjYg3in6blOFarBEOglfnsYHiUPt6T4fERxRZ9v
RguEWrishNMSv+D4vclKwctTB/6dQNsTAfnplcyDZ9un/ql9BG2cgU9yqeYLDdXd
vRvrWX9eZKGJvTrQmAiKONlSvspr1d28FxcUrUnCsdRLvP3Cc4JZiUhSA7ixFxn3
+LgGIZiMKTnl8syrsHk5nvLi5EUER7xkVX8iBlKA4JD4XTZVyBxPB1mJnOCUShQc
QK6nVr6auvJbRn7DHHKxDflSBgYt4qaf92+5A4xEsZtgMpmIFH5t6ifGQsQwgYsm
fOexviy9gMyZrHjQDUs4smQxxYq3AJLdfOg2jQXeAbgZpCVw5l8YHk3ECoAk7Fvh
VMJVPwukErGuVn2LpCHeVyFBXNft4bem1g0gtaf2SuGFEnl7ABetQ0bRwClRSLd7
k7PGDbdcCImsWhqyuLpkNcm95DfBrXa12GETm48Wv9jV52C5tfWFmOnJ0mOnvtxX
gpizJjFzHz275TVnJHhmIr2DkiGpaIVUL4FRkTslejSJQoUTZfDAvKF2gRyk+n6N
mJ/hywVtvLxNkNimyztoKKMCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
};
turingmachine = {
owner = config.krebs.users.Mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.168";
aliases = [
"turingmachine.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAxh+5HD1oAFTvMWEra2pYrA3HF8T4EnkP917lIUiuN7xUj7sawu0C
t1/1IfIlH9dbxgFe5CD/gXvokxHdovPTGVH11L+thZgq6hg/xbYvZAl76yLxj7t9
6+Ocac08TQZYMqWKShz5jqTVE/DLz4Cdy0Qk9sMJ1++OmH8jsWgK5BkogF99Gwf8
ZiI0t3n3lCZsm3v592lveDcVIh6hjuCIvFVxc+7cOj0MKm1LxLWbCHZlUIE3he4g
nZu4XiYaE4Y2LicMs8zKehnQkkXrP1amT56SqUfbSnWR+HZc2+KjwRDI5BPeTS06
5WHwkQs0ScOn7vFZci3rElIc7vilu2eKGF1VLce9kXw9SU2RFciqavaEUXbwPnwT
1WF35Ct+qIOP0rXoObm6mrsj7hJnlBPlVpb58/kTxLHMSHPzqQRbFZ35f6tZodJ1
gRMKKEnMX8/VWm6TqLUIpFCCTZ5PH1fxaAnulHCxksK03UyfUOvExCTU4x8KS9fl
DIoLlV9PFBlAW8mTuIgRKYtHacsc31/5Tehcx0If09NuMFT9Qfl2/Q3p6QJomRFL
W5SCP9wx2ONhvZUkRbeihBiTN5/h3DepjOeNWd1DvE6K0Ag8SXMyBGtyKfer4ykW
OR0iCiRQQ5QBmNuJrBLRUyfoPqFUXBATT1SrRj8vzXO1TjTmANEMFD0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
eddie = {
owner = config.krebs.users.Mic92;
nets = rec {
internet = {
# eddie.thalheim.io
ip4.addr = "129.215.197.11";
aliases = [ "eddie.i" ];
};
retiolum = {
via = internet;
addrs = [
config.krebs.hosts.eddie.nets.retiolum.ip4.addr
config.krebs.hosts.eddie.nets.retiolum.ip6.addr
];
ip4.addr = "10.243.29.170";
aliases = [ "eddie.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAuRQphRlSIC/aqRTfvStPdJOJCx1ACeFIDEjRdgoxuu32qoBl7i6d
j7Voh+Msditf2a5+f0fVsNDaPnjPGfk0NkZBjmn+RZQDRXk0krpTNj2Vb6W5quTm
3yrjJMFJR9CU5khfppc47X+ir8bjn7RusWTFNEuDvUswHmRmnJHLS3Y+utOaRbCF
2hxpyxCn423gpsaBfORPEK8X90nPbuNpFDugWPnC+R45TpNmIf4qyKvfhd9OKrua
KNanGHG30xhBW/DclUwwWi8D44d94xFnIRVcG1O+Uto93WoUWZn90lI1qywSj5Aq
iWstBK4tc7VwvAj0UzPlaRYYPfFjOEkPQzj8xC6l/leJcgxkup252uo6m1njMx3t
6QWMgevjqosY22OZReZfIwb14aDWFKLTWs30J+zmWK4TjlRITdsOEKxlpODMbJAD
kfSoPwuwkWIzFhNOrFiD/NtKaRYmV8bTBCT3a9cvvObshJx13BP+IUFzBS1N1n/u
hJWYH5WFsQZn/8rHDwZGkS1zKPEaNoydjqCZNyJpJ5nhggyl6gpuD7wpXM/8tFay
pAjRP40+qRQLUWXmswV0hsZTOX1tvZs4f68y3WJ+GwCWw9HvvwmzYes5ayJrPsbJ
lyK301Jb42wGEsVWxu3Eo/PLtp8OdD+Wdh6o/ELcc0k/YCUGFMujUM8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.subnets = [
# edinburgh university
"129.215.0.0/16"
];
};
};
};
rock = {
owner = config.krebs.users.Mic92;
nets = {
retiolum = {
ip4.addr = "10.243.29.171";
aliases = [ "rock.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAsMJbXDhkaLZcEzCIe8G+rHyLulWIqrUAmDT4Vbtv4r0QhPBsqwjM
DuvRtX5SNHdjfZWnUZoOlmXrmIo07exPFQvyrnppm6DNx+IZ5mNMNVIFUoojRhF7
HS2jubcjTEib56XEYWKly0olrVMbsJk5THJqRQyOQuTPCFToxXVRcT5t/UK6Dzgh
mp+suJ7IcmmO80IwfZrQrQslkQ6TdOy1Vs908GacSQJyRxdRxLraU/98iMhFbAQf
Ap+qVSUU88iCi+tcoSYzKhqU2N0AhRGcsE073B3Px8CAgPK/juwTrFElKEc17X9M
Rh41DvUjrtG4ERPmbwKPtsLagmnZUlU8A5YC8wtV08RI5QBsbbOsKInareV1aLeD
91ZVCBPFTz8IM6Mc6H435eMCMC2ynFCDyRGdcue3tBQoaTGe1dbduIZkPGn+7cg4
fef1db6SQD4HCwDLv8CTFLACR/jmAapwZEgvJ3u3bpgMGzt+QNvL1cxUr3TBUWRv
3f0R+Dj8DCUWTJUE7K5LO7bL4p9Ht0yIsVH+/DucyoMQqRwCwWSr7+H2MAsWviav
ZRRfH0RqZPEzCxyLDBtkVrx+GRAUZxy1xlqmN16O/sRHiqq3bv8Jk3dwuRZlFu6q
cOFu4g9XsamHkmCuVkvTGjnC2h21MjUUr3PGHzOMtiM/18LcfX730f8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
inspector = {
owner = config.krebs.users.Mic92;
nets = rec {
internet = {
ip4.addr = "141.76.44.154";
aliases = [ "inspector.i" ];
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.172";
aliases = [ "inspector.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
dpdkm = {
owner = config.krebs.users.Mic92;
nets = rec {
retiolum = {
ip4.addr = "10.243.29.173";
aliases = [ "dpdkm.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAuW31xGBdPMSS45KmsCX81yuTcDZv1z7wSpsGQiAw7RsApG0fbBDj
NvzWZaZpTTUueG7gtt7U9Gk8DhWYR1hNt8bLXxE5QlY+gxVjU8+caRvlv10Y9XYp
qZEr1n1O5R7jS1srvutPt74uiA8I3hBoeP5TXndu8tVcehjRWXPqJj4VCy9pT2gP
X880Z30cXm0jUIu9XKhzQU2UNaxbqRzhJTvFUG04M+0a9olsUoN7PnDV6MC5Dxzn
f0ZZZDgHkcx6vsSkN/C8Tik/UCXr3tS/VX6/3+PREz6Z3bPd2QfaWdowrlFQPeYa
bELPvuqYiq7zR/jw3vVsWX2e91goAfKH5LYKNmzJCj5yYq+knB7Wil3HgBn86zvL
Joj56VsuB8fQrrUxjrDetNgtdwci+yFeXkJouQRLM0r0W24liyCuBX4B6nqbj71T
B6rAMzhBbl1yixgf31EgiCYFSusk+jiT+hye5lAhes4gBW9GAWxGNU9zE4QeAc1w
tkPH/CxRIAeuPYNwmjvYI2eQH9UQkgSBa3/Kz7/KT9scbykbs8nhDHCXwT6oAp+n
dR5aHkuBrTQOCU3Xx5ZwU5A0T83oLExIeH8jR1h2mW1JoJDdO85dAOrIBHWnjLls
mqrJusBh2gbgvNqIrDaQ9J+o1vefw1QeSvcF71JjF1CEBUmTbUAp8KMCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
eve = {
owner = config.krebs.users.Mic92;
nets = rec {
internet = {
# eve.thalheim.io
ip4.addr = "188.68.39.17";
ip6.addr = "2a03:4000:13:31e::1";
aliases = [ "eve.i" ];
};
retiolum = {
via = internet;
addrs = [
config.krebs.hosts.eve.nets.retiolum.ip4.addr
config.krebs.hosts.eve.nets.retiolum.ip6.addr
];
ip4.addr = "10.243.29.174";
aliases = [ "eve.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAw5cxGjnWCG8dcuhTddvGHzH0/VjxHA5V8qJXH2R5k8ki8dsM5FRH
XRcH/aYg+IL03cyx4wU7oJKxiOTNGbysglnbTVthfYhqeQY+NRTzR1Thb2Fo+P82
08Eovwlgb0uwCjaiH8ZoH3BKjXyMn/Ezrni7hc5zyyRb88XJLosTykO2USlrsoIk
6OCA3A34HyJH0/G6GbNYCPrB/a/r1ji7OWDlg3Ft9c3ViVOkcNV1d9FV0RULX9EI
+xRDbAs1fkK5wMkC2BpkJRHTpImPbYlwQvDrL2sp+JNAEVni84xGxWn9Wjd9WVv3
dn+iPUD7HF9bFVDsj0rbVL78c63MEgr0pVyONDBK+XxogMTOqjgicmkLRxlhaSPW
pnfZHJzJ727crBbwosORY+lTq6MNIMjEjNcJnzAEVS5uTJikLYL9Y5EfIztGp7LP
c298AtKjEYOftiyMcohTGnHhio6zteuW/i2sv4rCBxHyH5sWulaHB7X1ej0eepJi
YX6/Ff+y9vDLCuDxb6mvPGT1xpnNmt1jxAUJhiRNuAvbtvjtPwYfWjQXOf7xa2xI
61Oahtwy/szBj9mWIAymMfnvFGpeiIcww3ZGzYNyKBCjp1TkkgFRV3Y6eoq1sJ13
Pxol8FwH5+Q72bLtvg5Zva8D0Vx2U1jYSHEkRDDzaS5Z6Fus+zeZVMsCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
};
users = {
Mic92 = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE";
mail = "joerg@higgsboson.tk";
};
kmein = {
};
palo = {
};
sokratess = {
};
};
}

2
krebs/3modules/fetchWallpaper.nix
View file

@ -53,7 +53,7 @@ let
imp = {
users.users.fetchWallpaper = {
name = "fetchWallpaper";
uid = genid "fetchWallpaper";
uid = genid_uint31 "fetchWallpaper";
description = "fetchWallpaper user";
home = cfg.stateDir;
createHome = true;

2
krebs/3modules/git.nix
View file

@ -427,7 +427,7 @@ let
system.activationScripts.cgit = ''
mkdir -m 0770 -p ${cfg.cgit.settings.cache-root}
chmod 0770 ${cfg.cgit.settings.cache-root}
chown ${toString cfg.cgit.fcgiwrap.user.uid}:${toString cfg.cgit.fcgiwrap.group.gid} ${cfg.cgit.settings.cache-root}
chown ${toString cfg.cgit.fcgiwrap.user.name}:${toString cfg.cgit.fcgiwrap.group.name} ${cfg.cgit.settings.cache-root}
'';
services.nginx.virtualHosts.cgit = {

19
krebs/3modules/jeschli/default.nix
View file

@ -1,17 +1,20 @@
{ config, ... }:
with import <stockholm/lib>;
{ config, ... }: let
{
hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.jeschli;
hostDefaults = hostName: host: flip recursiveUpdate host ({
ci = true;
}) {
owner = config.krebs.users.jeschli;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum.ip6.addr =
(krebs.genipv6 "retiolum" "jeschli" { inherit hostName; }).address;
});
in {
hosts = mapAttrs hostDefaults {
brauerei = {
nets = {
retiolum = {
ip4.addr = "10.243.27.29";
ip6.addr = "42::29";
aliases = [
"brauerei.r"
];
@ -55,7 +58,6 @@ with import <stockholm/lib>;
retiolum = {
via = internet;
ip4.addr = "10.243.27.30";
ip6.addr = "42::30";
aliases = [
"enklave.r"
"cgit.enklave.r"
@ -94,7 +96,6 @@ with import <stockholm/lib>;
nets = {
retiolum = {
ip4.addr = "10.243.27.31";
ip6.addr = "42::31";
aliases = [
"bolide.r"
];

26
krebs/3modules/krebs/default.nix
View file

@ -1,20 +1,24 @@
{ config, ... }:
with import <stockholm/lib>;
let
{ config, ... }: let
hostDefaults = hostName: host: flip recursiveUpdate host ({
owner = config.krebs.users.krebs;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum.ip6.addr =
(krebs.genipv6 "retiolum" "krebs" { inherit hostName; }).address;
});
testHosts = genAttrs [
"test-arch"
"test-centos6"
"test-centos7"
"test-all-krebs-modules"
] (name: {
owner = config.krebs.users.krebs;
inherit name;
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.73.57";
ip6.addr = "42:0:0:0:0:0:0:7357";
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAy41YKF/wpHLnN370MSdnAo63QUW30aw+6O79cnaJyxoL6ZQkk4Nd
@ -29,14 +33,12 @@ let
};
});
in {
hosts = {
hosts = mapAttrs hostDefaults ({
hotdog = {
ci = true;
owner = config.krebs.users.krebs;
nets = {
retiolum = {
ip4.addr = "10.243.77.3";
ip6.addr = "42:0:0:0:0:0:77:3";
aliases = [
"hotdog.r"
"build.r"
@ -61,11 +63,9 @@ in {
};
onebutton = {
cores = 1;
owner = config.krebs.users.krebs;
nets = {
retiolum = {
ip4.addr = "10.243.0.101";
ip6.addr = "42:0:0:0:0:0:0:101";
aliases = [
"onebutton.r"
];
@ -92,11 +92,9 @@ in {
};
puyak = {
ci = true;
owner = config.krebs.users.krebs;
nets = {
retiolum = {
ip4.addr = "10.243.77.2";
ip6.addr = "42:0:0:0:0:0:77:2";
aliases = [
"puyak.r"
"build.puyak.r"
@ -120,7 +118,6 @@ in {
};
wolf = {
ci = true;
owner = config.krebs.users.krebs;
nets = {
shack = {
ip4.addr = "10.42.2.150" ;
@ -135,7 +132,6 @@ in {
};
retiolum = {
ip4.addr = "10.243.77.1";
ip6.addr = "42:0:0:0:0:0:77:1";
aliases = [
"wolf.r"
"build.wolf.r"
@ -157,7 +153,7 @@ in {
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKYMXMWZIK0jjnZDM9INiYAKcwjXs2241vew54K8veCR";
};
} // testHosts;
} // testHosts);
users = {
krebs = {
pubkey = "lol"; # TODO krebs.users.krebs.pubkey should be unnecessary

464
krebs/3modules/lass/default.nix
View file

@ -1,16 +1,20 @@
{ config, ... }:
with import <stockholm/lib>;
{ config, ... }: let
{
hostDefaults = hostName: host: flip recursiveUpdate host {
ci = true;
monitoring = true;
owner = config.krebs.users.lass;
};
r6 = ip: (krebs.genipv6 "retiolum" "lass" ip).address;
w6 = ip: (krebs.genipv6 "wiregrill" "lass" ip).address;
in {
dns.providers = {
"lassul.us" = "zones";
};
hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.lass;
ci = true;
monitoring = true;
}) {
hosts = mapAttrs hostDefaults {
prism = rec {
cores = 4;
extraZones = {
@ -50,7 +54,7 @@ with import <stockholm/lib>;
retiolum = {
via = internet;
ip4.addr = "10.243.0.103";
ip6.addr = "42:0000:0000:0000:0000:0000:0000:15ab";
ip6.addr = r6 "1";
aliases = [
"prism.r"
"cache.prism.r"
@ -85,11 +89,22 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
wiregrill = {
via = internet;
ip4.addr = "10.244.1.1";
ip6.addr = w6 "1";
aliases = [
"prism.w"
];
wireguard = {
pubkey = "oKJotppdEJqQBjrqrommEUPw+VFryvEvNJr/WikXohk=";
subnets = [ "10.244.1.0/24" "42:1::/32" ];
};
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
};
archprism = {
cores = 1;
nets = rec {
@ -103,7 +118,6 @@ with import <stockholm/lib>;
retiolum = {
via = internet;
ip4.addr = "10.243.0.123";
ip6.addr = "42:0:0:0:0:0:0:123";
aliases = [
"archprism.r"
];
@ -129,32 +143,13 @@ with import <stockholm/lib>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAsANFdMi825qWQXQbWLYuNZ6/fARt3lnh1KStQHQQMD";
};
domsen-nas = {
ci = false;
monitoring = false;
external = true;
nets = rec {
internet = {
aliases = [
"domsen-nas.internet"
];
ip4.addr = "87.138.180.167";
ssh.port = 2223;
};
};
};
uriel = {
monitoring = false;
cores = 1;
nets = {
gg23 = {
ip4.addr = "10.23.1.12";
aliases = ["uriel.gg23"];
ssh.port = 45621;
};
retiolum = {
ip4.addr = "10.243.81.176";
ip6.addr = "42:dc25:60cf:94ef:759b:d2b6:98a9:2e56";
ip6.addr = r6 "1e1";
aliases = [
"uriel.r"
"cgit.uriel.r"
@ -178,14 +173,9 @@ with import <stockholm/lib>;
mors = {
cores = 2;
nets = {
gg23 = {
ip4.addr = "10.23.1.11";
aliases = ["mors.gg23"];
ssh.port = 45621;
};
retiolum = {
ip4.addr = "10.243.0.2";
ip6.addr = "42:0:0:0:0:0:0:dea7";
ip6.addr = r6 "dea7";
aliases = [
"mors.r"
"cgit.mors.r"
@ -201,6 +191,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
wiregrill = {
ip6.addr = w6 "dea7";
aliases = [
"mors.w"
];
wireguard.pubkey = "FkcxMathQzJYwuJBli/nibh0C0kHe9/T2xU0za3J3SQ=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
@ -211,7 +208,7 @@ with import <stockholm/lib>;
nets = {
retiolum = {
ip4.addr = "10.243.0.4";
ip6.addr = "42:0:0:0:0:0:0:50d4";
ip6.addr = r6 "50da";
aliases = [
"shodan.r"
"cgit.shodan.r"
@ -227,6 +224,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
wiregrill = {
ip6.addr = w6 "50da";
aliases = [
"shodan.w"
];
wireguard.pubkey = "0rI/I8FYQ3Pba7fQ9oyvtP4a54GWsPa+3zAiGIuyV30=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
@ -237,7 +241,7 @@ with import <stockholm/lib>;
nets = rec {
retiolum = {
ip4.addr = "10.243.133.114";
ip6.addr = "42:0:0:0:0:0:01ca:1205";
ip6.addr = r6 "1205";
aliases = [
"icarus.r"
"cgit.icarus.r"
@ -253,6 +257,13 @@ with import <stockholm/lib>;
-----END RSA PUBLIC KEY-----
'';
};
wiregrill = {
ip6.addr = w6 "1205";
aliases = [
"icarus.w"
];
wireguard.pubkey = "mVe3YdlWOlVF5+YD5vgNha3s03dv6elmNVsARtPLXQQ=";
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
@ -263,7 +274,7 @@ with import <stockholm/lib>;
nets = rec {
retiolum = {
ip4.addr = "10.243.133.115";
ip6.addr = "42:0:0:0:0:0:daed:a105";
ip6.addr = r6 "dead";
aliases = [
"daedalus.r"
"cgit.daedalus.r"
@ -289,7 +300,7 @@ with import <stockholm/lib>;
nets = rec {
retiolum = {
ip4.addr = "10.243.133.116";
ip6.addr = "42:0:0:0:0:0:0:1101";
ip6.addr = r6 "5ce7";
aliases = [
"skynet.r"
"cgit.skynet.r"
@ -315,7 +326,7 @@ with import <stockholm/lib>;
nets = {
retiolum = {
ip4.addr = "10.243.133.77";
ip6.addr = "42:0:0:0:0:0:717:7137";
ip6.addr = r6 "771e";
aliases = [
"littleT.r"
];
@ -351,306 +362,13 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX";
};
iso = {
monitoring = false;
ci = false;
cores = 1;
};
sokrateslaptop = {
monitoring = false;
ci = false;
external = true;
nets = {
retiolum = {
ip4.addr = "10.243.142.104";
ip6.addr = "42:f8a1:044d:0f75:9d73:56d8:f432:c6cc";
aliases = [
"sokrateslaptop.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEA0EMbBv5NCSns4V/VR/NJHhwe2qNLUYjWWtCDY4zDuoiJdm3JNZJ2
t0iKNxFwd6Mmg3ahAlndsH4FOjOBGBQCgBG25VRnQgli1sypI/gYTsSgIWHVIRoZ
rgrng0K3oyJ6FuTP+nH1rd7UAYkrOQolXQBY+LqAbxOVjiJl+DpbAXIxCIs5TBeW
egtBiXZ1S53Lv5EGFXug716XlgZLHjw7PzRLJXSlvUAIRZj0Sjq4UD9VrhazM9s5
aDuxJIdknccEEXm6NK7a51hU/o8L+T0IUpZxhaXOdi6fvO/y3TbffKb1yRTbN0/V
VBjBh18Le7h0SmAEED5tz7NOCrAjMZQtJQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
};
kruck = {
monitoring = false;
ci = false;
external = true;
nets = {
retiolum = {
ip4.addr = "10.243.29.201";
ip6.addr = "42:4234:6a6d:600::1";
aliases = [
"kruck.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAxcui2sirT5YY9HrSauj9nSF3AxUnfd2CCEGyzmzbi5+qw8T9jdNh
QcIG3s+eC3uEy6leL/eeR4NjVtQRt8CDmhGul95Vs3I1jx9gdvYR+HOatPgK0YQA
EFwk0jv8Z8tOc87X1qwA00Gb+25+kAzsf+8+4HQuh/szSGje3RBmBFkUyNHh8R0U
uzs8NSTRdN+edvYtzjnYcE1sq59HFBPkVcJNp5I3qYTp6m9SxGHMvsq6vRpNnjq/
/RZVBhnPDBlgxia/aVfVQKeEOHZV3svLvsJzGDrUWsJCEvF0YwW4bvohY19myTNR
9lXo/VFx86qAkY09il2OloE7iu5cA2RV+FWwLeajE9vIDA06AD7nECVgthNoZd1s
qsDfuu3WqlpyBmr6XhRkYOFFE4xVLrZ0vItGYlgR2UPp9TjHrzfsedoyJoJAbhMH
gDlFgiHlAy1fhG1sCX5883XmSjWn0eJwmZ2O9sZNBP5dxfGUXg/x8NWfQj7E1lqj
jQ59UC6yiz7bFtObKvpdn1D4tPbqBvndZzn19U/3wKo+cCBRjtLmUD7HQHC65dCs
fAiCFvUTVMM3SNDvYChm0U/KGjZZFwQ+cCLj1JNVPet2C+CJ0qI2muXOnCuv/0o5
TBZrrHMpj6Th8AiOgeMVuxzjX1FsmAThWj9Qp/jQu6O0qvnkUNaU7I8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
turingmachine = {
monitoring = false;
ci = false;
external = true;
nets = {
retiolum = {
ip4.addr = "10.243.29.168";
ip6.addr = "42:4992:6a6d:600::1";
aliases = [
"turingmachine.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAxh+5HD1oAFTvMWEra2pYrA3HF8T4EnkP917lIUiuN7xUj7sawu0C
t1/1IfIlH9dbxgFe5CD/gXvokxHdovPTGVH11L+thZgq6hg/xbYvZAl76yLxj7t9
6+Ocac08TQZYMqWKShz5jqTVE/DLz4Cdy0Qk9sMJ1++OmH8jsWgK5BkogF99Gwf8
ZiI0t3n3lCZsm3v592lveDcVIh6hjuCIvFVxc+7cOj0MKm1LxLWbCHZlUIE3he4g
nZu4XiYaE4Y2LicMs8zKehnQkkXrP1amT56SqUfbSnWR+HZc2+KjwRDI5BPeTS06
5WHwkQs0ScOn7vFZci3rElIc7vilu2eKGF1VLce9kXw9SU2RFciqavaEUXbwPnwT
1WF35Ct+qIOP0rXoObm6mrsj7hJnlBPlVpb58/kTxLHMSHPzqQRbFZ35f6tZodJ1
gRMKKEnMX8/VWm6TqLUIpFCCTZ5PH1fxaAnulHCxksK03UyfUOvExCTU4x8KS9fl
DIoLlV9PFBlAW8mTuIgRKYtHacsc31/5Tehcx0If09NuMFT9Qfl2/Q3p6QJomRFL
W5SCP9wx2ONhvZUkRbeihBiTN5/h3DepjOeNWd1DvE6K0Ag8SXMyBGtyKfer4ykW
OR0iCiRQQ5QBmNuJrBLRUyfoPqFUXBATT1SrRj8vzXO1TjTmANEMFD0CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
eddie = {
monitoring = false;
ci = false;
external = true;
nets = rec {
internet = {
# eddie.thalheim.io
ip4.addr = "129.215.197.11";
aliases = [ "eddie.i" ];
};
retiolum = rec {
via = internet;
addrs = [
ip4.addr
ip6.addr
];
ip4.addr = "10.243.29.170";
ip6.addr = "42:4992:6a6d:700::1";
aliases = [ "eddie.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAuRQphRlSIC/aqRTfvStPdJOJCx1ACeFIDEjRdgoxuu32qoBl7i6d
j7Voh+Msditf2a5+f0fVsNDaPnjPGfk0NkZBjmn+RZQDRXk0krpTNj2Vb6W5quTm
3yrjJMFJR9CU5khfppc47X+ir8bjn7RusWTFNEuDvUswHmRmnJHLS3Y+utOaRbCF
2hxpyxCn423gpsaBfORPEK8X90nPbuNpFDugWPnC+R45TpNmIf4qyKvfhd9OKrua
KNanGHG30xhBW/DclUwwWi8D44d94xFnIRVcG1O+Uto93WoUWZn90lI1qywSj5Aq
iWstBK4tc7VwvAj0UzPlaRYYPfFjOEkPQzj8xC6l/leJcgxkup252uo6m1njMx3t
6QWMgevjqosY22OZReZfIwb14aDWFKLTWs30J+zmWK4TjlRITdsOEKxlpODMbJAD
kfSoPwuwkWIzFhNOrFiD/NtKaRYmV8bTBCT3a9cvvObshJx13BP+IUFzBS1N1n/u
hJWYH5WFsQZn/8rHDwZGkS1zKPEaNoydjqCZNyJpJ5nhggyl6gpuD7wpXM/8tFay
pAjRP40+qRQLUWXmswV0hsZTOX1tvZs4f68y3WJ+GwCWw9HvvwmzYes5ayJrPsbJ
lyK301Jb42wGEsVWxu3Eo/PLtp8OdD+Wdh6o/ELcc0k/YCUGFMujUM8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
tinc.subnets = [
# edinburgh university
"129.215.0.0/16"
];
};
};
};
rock = {
monitoring = false;
ci = false;
external = true;
nets = {
retiolum = {
ip4.addr = "10.243.29.171";
ip6.addr = "42:4992:6a6d:700::2";
aliases = [ "rock.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAsMJbXDhkaLZcEzCIe8G+rHyLulWIqrUAmDT4Vbtv4r0QhPBsqwjM
DuvRtX5SNHdjfZWnUZoOlmXrmIo07exPFQvyrnppm6DNx+IZ5mNMNVIFUoojRhF7
HS2jubcjTEib56XEYWKly0olrVMbsJk5THJqRQyOQuTPCFToxXVRcT5t/UK6Dzgh
mp+suJ7IcmmO80IwfZrQrQslkQ6TdOy1Vs908GacSQJyRxdRxLraU/98iMhFbAQf
Ap+qVSUU88iCi+tcoSYzKhqU2N0AhRGcsE073B3Px8CAgPK/juwTrFElKEc17X9M
Rh41DvUjrtG4ERPmbwKPtsLagmnZUlU8A5YC8wtV08RI5QBsbbOsKInareV1aLeD
91ZVCBPFTz8IM6Mc6H435eMCMC2ynFCDyRGdcue3tBQoaTGe1dbduIZkPGn+7cg4
fef1db6SQD4HCwDLv8CTFLACR/jmAapwZEgvJ3u3bpgMGzt+QNvL1cxUr3TBUWRv
3f0R+Dj8DCUWTJUE7K5LO7bL4p9Ht0yIsVH+/DucyoMQqRwCwWSr7+H2MAsWviav
ZRRfH0RqZPEzCxyLDBtkVrx+GRAUZxy1xlqmN16O/sRHiqq3bv8Jk3dwuRZlFu6q
cOFu4g9XsamHkmCuVkvTGjnC2h21MjUUr3PGHzOMtiM/18LcfX730f8CAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
inspector = {
monitoring = false;
ci = false;
external = true;
nets = rec {
internet = {
ip4.addr = "141.76.44.154";
aliases = [ "inspector.i" ];
};
retiolum = {
via = internet;
ip4.addr = "10.243.29.172";
ip6.addr = "42:4992:6a6d:800::1";
aliases = [ "inspector.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
dpdkm = {
monitoring = false;
ci = false;
external = true;
nets = rec {
retiolum = {
ip4.addr = "10.243.29.173";
ip6.addr = "42:4992:6a6d:900::1";
aliases = [ "dpdkm.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAuW31xGBdPMSS45KmsCX81yuTcDZv1z7wSpsGQiAw7RsApG0fbBDj
NvzWZaZpTTUueG7gtt7U9Gk8DhWYR1hNt8bLXxE5QlY+gxVjU8+caRvlv10Y9XYp
qZEr1n1O5R7jS1srvutPt74uiA8I3hBoeP5TXndu8tVcehjRWXPqJj4VCy9pT2gP
X880Z30cXm0jUIu9XKhzQU2UNaxbqRzhJTvFUG04M+0a9olsUoN7PnDV6MC5Dxzn
f0ZZZDgHkcx6vsSkN/C8Tik/UCXr3tS/VX6/3+PREz6Z3bPd2QfaWdowrlFQPeYa
bELPvuqYiq7zR/jw3vVsWX2e91goAfKH5LYKNmzJCj5yYq+knB7Wil3HgBn86zvL
Joj56VsuB8fQrrUxjrDetNgtdwci+yFeXkJouQRLM0r0W24liyCuBX4B6nqbj71T
B6rAMzhBbl1yixgf31EgiCYFSusk+jiT+hye5lAhes4gBW9GAWxGNU9zE4QeAc1w
tkPH/CxRIAeuPYNwmjvYI2eQH9UQkgSBa3/Kz7/KT9scbykbs8nhDHCXwT6oAp+n
dR5aHkuBrTQOCU3Xx5ZwU5A0T83oLExIeH8jR1h2mW1JoJDdO85dAOrIBHWnjLls
mqrJusBh2gbgvNqIrDaQ9J+o1vefw1QeSvcF71JjF1CEBUmTbUAp8KMCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
eve = {
monitoring = false;
ci = false;
external = true;
nets = rec {
internet = {
# eve.thalheim.io
ip4.addr = "188.68.39.17";
ip6.addr = "2a03:4000:13:31e::1";
aliases = [ "eve.i" ];
};
retiolum = rec {
via = internet;
addrs = [
ip4.addr
ip6.addr
];
ip4.addr = "10.243.29.174";
ip6.addr = "42:4992:6a6d:a00::1";
aliases = [ "eve.r" ];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAw5cxGjnWCG8dcuhTddvGHzH0/VjxHA5V8qJXH2R5k8ki8dsM5FRH
XRcH/aYg+IL03cyx4wU7oJKxiOTNGbysglnbTVthfYhqeQY+NRTzR1Thb2Fo+P82
08Eovwlgb0uwCjaiH8ZoH3BKjXyMn/Ezrni7hc5zyyRb88XJLosTykO2USlrsoIk
6OCA3A34HyJH0/G6GbNYCPrB/a/r1ji7OWDlg3Ft9c3ViVOkcNV1d9FV0RULX9EI
+xRDbAs1fkK5wMkC2BpkJRHTpImPbYlwQvDrL2sp+JNAEVni84xGxWn9Wjd9WVv3
dn+iPUD7HF9bFVDsj0rbVL78c63MEgr0pVyONDBK+XxogMTOqjgicmkLRxlhaSPW
pnfZHJzJ727crBbwosORY+lTq6MNIMjEjNcJnzAEVS5uTJikLYL9Y5EfIztGp7LP
c298AtKjEYOftiyMcohTGnHhio6zteuW/i2sv4rCBxHyH5sWulaHB7X1ej0eepJi
YX6/Ff+y9vDLCuDxb6mvPGT1xpnNmt1jxAUJhiRNuAvbtvjtPwYfWjQXOf7xa2xI
61Oahtwy/szBj9mWIAymMfnvFGpeiIcww3ZGzYNyKBCjp1TkkgFRV3Y6eoq1sJ13
Pxol8FwH5+Q72bLtvg5Zva8D0Vx2U1jYSHEkRDDzaS5Z6Fus+zeZVMsCAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
};
};
xerxes = {
cores = 2;
nets = rec {
retiolum = {
ip4.addr = "10.243.1.3";
ip6.addr = "42::1:3";
aliases = [
"xerxes.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIECgKCBAEArqEaK+m7WZe/9/Vbc+qx2TjkkRJ9lDgDMr1dvj98xb8/EveUME6U
MZyAqNjLuKq3CKzJLo02ZmdFs4CT1Hj28p5IC0wLUWn53hrqdy8cCJDvIiKIv+Jk
gItsxJyMnRtsdDbB6IFJ08D5ReGdAFJT5lqpN0DZuNC6UQRxzUK5fwKYVVzVX2+W
/EZzEPe5XbE69V/Op2XJ2G6byg9KjOzNJyJxyjwVco7OXn1OBNp94NXoFrUO7kxb
mTNnh3D+iB4c3qv8woLhmb+Uh/9MbXS14QrSf85ou4kfUjb5gdhjIlzz+jfA/6XO
X4t86uv8L5IzrhSGb0TmhrIh5HhUmSKT4RdHJom0LB7EASMR2ZY9AqIG11XmXuhj
+2b5INBZSj8Cotv5aoRXiPSaOd7bw7lklYe4ZxAU+avXot9K3/4XVLmi6Wa6Okim
hz+MEYjW5gXY+YSUWXOR4o24jTmDjQJpdL83eKwLVAtbrE7TcVszHX6zfMoQZ5M9
3EtOkDMxhC+WfkL+DLQAURhgcPTZoaj0cAlvpb0TELZESwTBI09jh/IBMXHBZwI4
H1gOD5YENpf0yUbLjVu4p82Qly10y58XFnUmYay0EnEgdPOOVViovGEqTiAHMmm5
JixtwJDz7a6Prb+owIg27/eE1/E6hpfXpU8U83qDYGkIJazLnufy32MTFE4T9fI4
hS8icFcNlsobZp+1pB3YK4GV5BnvMwOIVXVlP8yMCRTDRWZ4oYmAZ5apD7OXyNwe
SUP2mCNNlQCqyjRsxj5S1lZQRy1sLQztU5Sff4xYNK+5aPgJACmvSi3uaJAxBloo
4xCCYzxhaBlvwVISJXZTq76VSPybeQ+pmSZFMleNnWOstvevLFeOoH2Is0Ioi1Fe
vnu5r0D0VYsb746wyRooiEuOAjBmni8X/je6Vwr1gb/WZfZ23EwYpGyakJdxLNv3
Li+LD9vUfOR80WL608sUU45tAx1RAy6QcH/YDtdClbOdK53+cQVTsYnCvDW8uGlO
scQWgk+od3qvo6yCPO7pRlEd3nedcPSGh/KjBHao6eP+bsVERp733Vb9qrEVwmxv
jlZ1m12V63wHVu9uMAGi9MhK+2Q/l7uLTj03OYpi4NYKL2Bu01VXfoxuauuZLdIJ
Z3ZV+qUcjzZI0PBlGxubq6CqVFoSB7nhHUbcdPQ66WUnwoKq0cKmE7VOlJQvJ07u
/Wsl8BIsxODVt0rTzEAx0hTd5mJCX7sCawRt+NF+1DZizl9ouebNMkNlsEAg4Ps0
bQerZLcOmpYjGa5+lWDwJIMXVIcxwTmQR86stlP/KQm0vdOvH2ZUWTXcYvCYlHkQ
sgVnnA2wt+7UpZnEBHy04ry+jYaSsPdYgwIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
secure = true;
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5HyLyaIvVH0qHIQ4ciKhDiElhSqsK+uXcA6lTvL+5n";
};
red = {
monitoring = false;
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.13";
ip6.addr = "42:0:0:0:0:0:0:12ed";
ip6.addr = r6 "12ed";
aliases = [
"red.r"
];
@ -680,7 +398,7 @@ with import <stockholm/lib>;
nets = {
retiolum = {
ip4.addr = "10.243.0.14";
ip6.addr = "42:0:0:0:0:0:0:14";
ip6.addr = r6 "3110";
aliases = [
"yellow.r"
];
@ -701,6 +419,13 @@ with import <stockholm/lib>;
-----END PUBLIC KEY-----
'';
};
wiregrill = {
ip6.addr = w6 "3110";
aliases = [
"yellow.w"
];
wireguard.pubkey = "YeWbR3mW+nOVBE7bcNSzF5fjj9ppd8OGHBJqERAUVxU=";
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC03TCO73NQZHo7NKZiVJp2iiUbe6PQP14Kg3Bnlkqje ";
@ -710,7 +435,7 @@ with import <stockholm/lib>;
nets = {
retiolum = {
ip4.addr = "10.243.0.77";
ip6.addr = "42:0:0:0:0:0:0:77";
ip6.addr = r6 "b1ce";
aliases = [
"blue.r"
];
@ -731,10 +456,67 @@ with import <stockholm/lib>;
-----END PUBLIC KEY-----
'';
};
wiregrill = {
ip6.addr = w6 "b1ce";
aliases = [
"blue.w"
];
wireguard.pubkey = "emftvx8v8GdoKe68MFVL53QZ187Ei0zhMmvosU1sr3U=";
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv";
};
phone = {
nets = {
wiregrill = {
ip4.addr = "10.244.1.2";
ip6.addr = w6 "a";
aliases = [
"phone.w"
];
wireguard.pubkey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
};
};
external = true;
ci = false;
};
morpheus = {
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.19";
ip6.addr = r6 "012f";
aliases = [
"morpheus.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIICCgKCAgEAptrlSKQKsBH2QMQxllZR94S/fXneajpJifRjXR5bi+7ME2ThdQXY
T7yWiKaUuBJThWged9PdPltLUEMmv+ubQqpWHZq442VWSS36r1yMSGpUeKK+oYMN
/Sfu+1yC4m2uXno95wpJZIcDfbbn26jT6ldJ4Yd97zyrXKljvcdrz3wZzQq0tojh
S5Q59x/aQMJbnQpnlFnMIEVgULuFPW16+vPGsXIPdYNggaF1avcBaFl8i3M0EZVz
Swn4hArDynDJhR7M0QdlwOpOh7O+1iOnmXqqei3LxMVHb+YtzfHgxOPxggUsy7CR
bj9uBR9loGwgmZwaxXd1Vfbw8kn/feOb9FcW73u+SZyzwEA9HFRV0jGQe3P9mGfI
Bwe02DOTVXEB8jTAGCw5T3bXLIOX8kqdlCECuAWFfrt8H+GjZDuGUWRcMn32orMz
sMvkab95ZOHK6Q31mrhILOIOdyZWKPZIabL3HF6CZtu52h6MDHbmGS0w0OJYhj2+
VnT9ZBoaeooVg8QOE43rCXvmL5vzhLKrj4s/53wTGG5SpzLs9Q9rrJVgAnz4YQ7j
3Ov5q3Zxyr+vO6O7Pb5X49vCQw/jzK41S0/15GEmKcoxXemzeZCpX1mbeeTUtLvA
U7OJwldrElzictBJ1gT94L4BDvoGZVqAkXJCJPamfsWaiw6SsMqtTfECAwEAAQ==
-----END RSA PUBLIC KEY-----
'';
};
wiregrill = {
ip6.addr = w6 "012f";
aliases = [
"morpheus.w"
];
wireguard.pubkey = "BdiIHJjJQThmZD8DehxPGA+bboBHjljedwaRaV5yyDY=";
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHXS60mmNWMdMRvaPxGn91Cm/hm7zY8xn5rkI4n2KG/f ";
};
};
users = rec {
lass = lass-blue;
@ -786,14 +568,8 @@ with import <stockholm/lib>;
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv6N/UjFnX5vUicT9Sw0+3x4mR0760iaVWZ/JDtdV4h";
mail = "lass@mors.r";
};
sokratess = {
};
wine-mors = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKfTIKmbe1RjX1fjAn//08363zAsI0CijWnaYyAC842";
};
Mic92 = {
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbBp2dH2X3dcU1zh+xW3ZsdYROKpJd3n13ssOP092qE";
mail = "joerg@higgsboson.tk";
};
};
}

112
krebs/3modules/makefu/default.nix
View file

@ -1,20 +1,27 @@
{ config, ... }:
with import <stockholm/lib>;
## generate keys with:
# tinc generate-keys
# ssh-keygen -f ssh.id_ed25519 -t ed25519 -C host
let
with import <stockholm/lib>;
{ config, ... }: let
hostDefaults = hostName: host: flip recursiveUpdate host ({
owner = config.krebs.users.makefu;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum.ip6.addr =
(krebs.genipv6 "retiolum" "makefu" { inherit hostName; }).address;
});
pub-for = name: builtins.readFile (./ssh + "/${name}.pub");
in {
hosts = mapAttrs (_: setAttr "owner" config.krebs.users.makefu) {
hosts = mapAttrs hostDefaults {
cake = rec {
cores = 4;
ci = false;
nets = {
retiolum = {
ip4.addr = "10.243.136.236";
ip6.addr = "42:b3b2:9552:eef0:ee67:f3b3:8d33:eee1";
aliases = [
"cake.r"
];
@ -39,7 +46,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.136.237";
ip6.addr = "42:b3b2:9552:eef0:ee67:f3b3:8d33:eee2";
aliases = [
"crapi.r"
];
@ -65,7 +71,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.177.9";
ip6.addr = "42:f63:ddf8:7520:cfec:9b61:d807:1dce";
aliases = [
"drop.r"
];
@ -90,7 +95,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.227.163";
ip6.addr = "42:e23f:ae0e:ea25:72ff:4ab8:9bd9:38a6";
aliases = [
"studio.r"
];
@ -116,7 +120,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.113.98";
# ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096";
aliases = [
"fileleech.r"
];
@ -147,7 +150,6 @@ in {
};
retiolum = {
ip4.addr = "10.243.80.249";
ip6.addr = "42:ecb0:376:b37d:cf47:1ecf:f32b:a3b9";
aliases = [
"latte.r"
];
@ -171,7 +173,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.210";
ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0001";
aliases = [
"pnp.r"
"cgit.pnp.r"
@ -195,7 +196,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.84";
ip6.addr = "42:ff6b:5f0b:460d:2cee:4d05:73f7:5566";
aliases = [
"darth.r"
];
@ -267,7 +267,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.212";
ip6.addr = "42:f9f1:0000:0000:0000:0000:0000:0002";
aliases = [
"tsp.r"
];
@ -295,7 +294,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.91";
ip6.addr = "42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db";
aliases = [
"x.r"
];
@ -329,7 +327,6 @@ in {
'';
};
#wiregrill = {
# ip6.addr = "42:4200:0000:0000:0000:0000:0000:a4db";
# aliases = [
# "x.w"
# ];
@ -347,7 +344,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.1.91";
ip6.addr = "42:0b2c:d90e:e717:03dd:9ac1:0000:a400";
aliases = [
"vbob.r"
];
@ -386,7 +382,6 @@ in {
};
retiolum = {
ip4.addr = "10.243.0.153";
ip6.addr = "42:9143:b4c0:f981:6030:7aa2:8bc5:4110";
aliases = [
"pigstarter.r"
];
@ -422,7 +417,6 @@ in {
retiolum = {
via = internet;
ip4.addr = "10.243.29.169";
ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad";
aliases = [
"wry.r"
"graph.wry.r"
@ -460,7 +454,6 @@ in {
};
retiolum = {
ip4.addr = "10.243.153.102";
ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0";
aliases = [
"filepimp.r"
];
@ -491,7 +484,6 @@ in {
};
retiolum = {
ip4.addr = "10.243.0.89";
ip6.addr = "42:f9f0::10";
aliases = [
"omo.r"
"dcpp.omo.r"
@ -536,7 +528,6 @@ in {
};
retiolum = {
ip4.addr = "10.243.214.15";
# ip6.addr = "42:5a02:2c30:c1b1:3f2e:7c19:2496:a732";
aliases = [
"wbob.r"
"hydra.wbob.r"
@ -560,27 +551,28 @@ in {
ci = true;
extraZones = {
"krebsco.de" = ''
boot.euer IN A ${nets.internet.ip4.addr}
cache.euer IN A ${nets.internet.ip4.addr}
cache.gum IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr}
iso.euer IN A ${nets.internet.ip4.addr}
wg.euer IN A ${nets.internet.ip4.addr}
photostore IN A ${nets.internet.ip4.addr}
o.euer IN A ${nets.internet.ip4.addr}
mon.euer IN A ${nets.internet.ip4.addr}
boot.euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
pigstarter IN A ${nets.internet.ip4.addr}
cgit.euer IN A ${nets.internet.ip4.addr}
git.euer IN A ${nets.internet.ip4.addr}
euer IN A ${nets.internet.ip4.addr}
share.euer IN A ${nets.internet.ip4.addr}
gum IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
dl.euer IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr}
dockerhub IN A ${nets.internet.ip4.addr}
euer IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr}
git.euer IN A ${nets.internet.ip4.addr}
gold IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr}
gum IN A ${nets.internet.ip4.addr}
iso.euer IN A ${nets.internet.ip4.addr}
mon.euer IN A ${nets.internet.ip4.addr}
netdata.euer IN A ${nets.internet.ip4.addr}
o.euer IN A ${nets.internet.ip4.addr}
photostore IN A ${nets.internet.ip4.addr}
pigstarter IN A ${nets.internet.ip4.addr}
share.euer IN A ${nets.internet.ip4.addr}
wg.euer IN A ${nets.internet.ip4.addr}
wiki.euer IN A ${nets.internet.ip4.addr}
wikisearch IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
'';
};
@ -596,7 +588,6 @@ in {
};
#wiregrill = {
# via = internet;
# ip6.addr = "42:4200:0000:0000:0000:0000:0000:70d3";
# aliases = [
# "gum.w"
# ];
@ -605,26 +596,26 @@ in {
retiolum = {
via = internet;
ip4.addr = "10.243.0.213";
ip6.addr = "42:f9f0:0000:0000:0000:0000:0000:70d3";
aliases = [
"nextgum.r"
"graph.r"
"cache.gum.r"
"logs.makefu.r"
"stats.makefu.r"
"backup.makefu.r"
"dcpp.nextgum.r"
"gum.r"
"cgit.gum.r"
"o.gum.r"
"tracker.makefu.r"
"search.makefu.r"
"wiki.makefu.r"
"wiki.gum.r"
"blog.makefu.r"
"blog.gum.r"
"blog.makefu.r"
"cache.gum.r"
"cgit.gum.r"
"dcpp.gum.r"
"dcpp.nextgum.r"
"graph.r"
"gum.r"
"logs.makefu.r"
"netdata.makefu.r"
"nextgum.r"
"o.gum.r"
"search.makefu.r"
"stats.makefu.r"
"torrent.gum.r"
"tracker.makefu.r"
"wiki.gum.r"
"wiki.makefu.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
@ -673,7 +664,6 @@ in {
};
retiolum = {
ip4.addr = "10.243.205.131";
ip6.addr = "42:490d:cd82:d2bb:56d5:abd1:b88b:e8b4";
aliases = [
"shoney.r"
];
@ -698,7 +688,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.83.237";
ip6.addr = "42:af50:99cf:c185:f1a8:14d5:acb:8101";
aliases = [
"sdev.r"
];
@ -736,7 +725,6 @@ in {
};
retiolum = {
ip4.addr = "10.243.211.172";
ip6.addr = "42:472a:3d01:bbe4:4425:567e:592b:065d";
aliases = [
"flap.r"
];
@ -759,7 +747,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.231.219";
ip6.addr = "42:f7bf:178d:4b68:1c1b:42e8:6b27:6a72";
aliases = [
"nukular.r"
];
@ -782,7 +769,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.124.21";
ip6.addr = "42:9898:a8be:ce56:0ee3:b99c:42c5:109e";
aliases = [
"heidi.r"
];
@ -872,7 +858,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.189.130";
ip6.addr = "42:c64e:011f:9755:31e1:c3e6:73c0:af2d";
aliases = [
"filebitch.r"
];
@ -895,7 +880,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.26.29";
ip6.addr = "42:927a:3d59:1cb3:29d6:1a08:78d3:812e";
aliases = [
"excobridge.r"
];
@ -918,7 +902,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.226.213";
ip6.addr = "42:432e:2379:0cd2:8486:f3b5:335a:5d83";
aliases = [
"horisa.r"
];
@ -947,7 +930,6 @@ in {
};
retiolum = {
ip4.addr = "10.243.57.85";
ip6.addr = "42:2f06:b899:a3b5:1dcf:51a4:a02b:8731";
aliases = [
"wooki.r"
];
@ -970,7 +952,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.0.163";
ip6.addr = "42:b67b:5752:a730:5f28:d80d:6b37:5bda";
aliases = [
"senderechner.r"
];
@ -995,7 +976,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.144.142";
ip6.addr = "42:4bf8:94b:eec5:69e2:c837:686e:f278";
aliases = [
"tcac-0-1.r"
];
@ -1025,7 +1005,6 @@ in {
};
retiolum = {
ip4.addr = "10.243.139.184";
ip6.addr = "42:d568:6106:ba30:753b:0f2a:8225:b1fb";
aliases = [
"muhbaasu.r"
];
@ -1048,7 +1027,6 @@ in {
nets = {
retiolum = {
ip4.addr = "10.243.183.236";
ip6.addr = "42:8ca8:d2e4:adf6:5c0f:38cb:e9ef:eb3c";
aliases = [
"tpsw.r"
];

2
krebs/3modules/makefu/ssh/ulrich.pub
View file

@ -1 +1 @@
AAAAB3NzaC1yc2EAAAADAQABAAACAQC1sobyfvUu/G2Ms+T0cI4CSgtjCoO2qEYVK1jkqC2A9mLJfNoPsToLowfGszpOAM9S4Rtn+OJ+vPMvs2E4pkZmXcmJZFAKKPNadmzwqCQyskBdoyszkj7DXngX56ZQ+ZEf+vPp2tu/IN0CFNVUllUcWP2TD2ECH5qkBODBHLyGf4PvV35yGpuYNFhFSWkTxwXZ7d5eat2kmwTfryX91Z+M901t6MK0ADyUwBkbotwSn/B6xUEZzExlGhRziRlIM0MrmSMvUA1mcmMJWVfHbb5Sw8yVstUuaU98C3EzDPNlVTbu5al2sDk4+jjireMMMVHC0j8aj7DlhvcF2t7ZpAKy+HN/PFuV7+RgN3DmIMLwbSRfykH3ATVdBzoL0/XmGBRXht6M22igAMFt9o/oHtwWt2JYcNX5poS8kLcjPzGHcx7KOslZ7VZev4BTpFAZIeMYhlzsNCI88bxUqdFxIcofNIQMy4Ep4qJXlgMduQbYtPDRpclDe82yiblhz48+HF/j8+0ZBx4w3jb4XBtgeTfwM2nARsD7MRzokfMfbGf6cZ8AU0/h69ECdsy2KYCKzgFxV/SHN2fDk6SZWLHmxDZ8N02VqgXMTvkYHvDBiaNxM0/iNMKqYCfuxjQPSusBENSgwhUnBGgoGYZuz0r2oMdtzqrkC/VbDxi5gSKl+ZoaMQ== shackspace.de@myvdr.de
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1sobyfvUu/G2Ms+T0cI4CSgtjCoO2qEYVK1jkqC2A9mLJfNoPsToLowfGszpOAM9S4Rtn+OJ+vPMvs2E4pkZmXcmJZFAKKPNadmzwqCQyskBdoyszkj7DXngX56ZQ+ZEf+vPp2tu/IN0CFNVUllUcWP2TD2ECH5qkBODBHLyGf4PvV35yGpuYNFhFSWkTxwXZ7d5eat2kmwTfryX91Z+M901t6MK0ADyUwBkbotwSn/B6xUEZzExlGhRziRlIM0MrmSMvUA1mcmMJWVfHbb5Sw8yVstUuaU98C3EzDPNlVTbu5al2sDk4+jjireMMMVHC0j8aj7DlhvcF2t7ZpAKy+HN/PFuV7+RgN3DmIMLwbSRfykH3ATVdBzoL0/XmGBRXht6M22igAMFt9o/oHtwWt2JYcNX5poS8kLcjPzGHcx7KOslZ7VZev4BTpFAZIeMYhlzsNCI88bxUqdFxIcofNIQMy4Ep4qJXlgMduQbYtPDRpclDe82yiblhz48+HF/j8+0ZBx4w3jb4XBtgeTfwM2nARsD7MRzokfMfbGf6cZ8AU0/h69ECdsy2KYCKzgFxV/SHN2fDk6SZWLHmxDZ8N02VqgXMTvkYHvDBiaNxM0/iNMKqYCfuxjQPSusBENSgwhUnBGgoGYZuz0r2oMdtzqrkC/VbDxi5gSKl+ZoaMQ== shackspace.de@myvdr.de

2
krebs/3modules/tinc_graphs.nix
View file

@ -124,7 +124,7 @@ let
};
users.extraUsers.tinc_graphs = {
uid = genid "tinc_graphs";
uid = genid_uint31 "tinc_graphs";
home = "/var/spool/tinc_graphs";
};
services.nginx = mkIf cfg.nginx.enable {

22
krebs/3modules/tv/default.nix
View file

@ -1,19 +1,24 @@
{ config, ... }:
with import <stockholm/lib>;
{ config, ... }: let
{
hostDefaults = hostName: host: flip recursiveUpdate host ({
owner = config.krebs.users.tv;
} // optionalAttrs (host.nets?retiolum) {
nets.retiolum.ip6.addr =
(krebs.genipv6 "retiolum" "tv" { inherit hostName; }).address;
});
in {
dns.providers = {
"viljetic.de" = "regfish";
};
hosts = mapAttrs (_: setAttr "owner" config.krebs.users.tv) {
hosts = mapAttrs hostDefaults {
alnus = {
ci = true;
cores = 2;
nets = {
retiolum = {
ip4.addr = "10.243.21.1";
ip6.addr = "42::2101";
aliases = [
"alnus.r"
];
@ -38,7 +43,6 @@ with import <stockholm/lib>;
nets = {
retiolum = {
ip4.addr = "10.243.20.1";
ip6.addr = "42::2001";
aliases = [
"mu.r"
];
@ -79,7 +83,6 @@ with import <stockholm/lib>;
retiolum = {
via = config.krebs.hosts.ni.nets.internet;
ip4.addr = "10.243.113.223";
ip6.addr = "42:4522:25f8:36bb:8ccb:150:231a:2af4";
aliases = [
"ni.r"
"cgit.ni.r"
@ -114,7 +117,6 @@ with import <stockholm/lib>;
};
retiolum = {
ip4.addr = "10.243.0.110";
ip6.addr = "42:2d5:733f:d6da:c0f5:2bb7:2b18:9ec";
aliases = [
"nomic.r"
"cgit.nomic.r"
@ -158,7 +160,6 @@ with import <stockholm/lib>;
};
retiolum = {
ip4.addr = "10.243.13.37";
ip6.addr = "42::1337";
aliases = [
"wu.r"
"cgit.wu.r"
@ -185,7 +186,6 @@ with import <stockholm/lib>;
nets = {
retiolum = {
ip4.addr = "10.243.22.22";
ip6.addr = "42::2222";
aliases = [
"querel.r"
];
@ -226,7 +226,6 @@ with import <stockholm/lib>;
};
retiolum = {
ip4.addr = "10.243.13.38";
ip6.addr = "42::1338";
aliases = [
"xu.r"
"cgit.xu.r"
@ -261,7 +260,6 @@ with import <stockholm/lib>;
};
retiolum = {
ip4.addr = "10.243.13.40";
ip6.addr = "42::1340";
aliases = [
"zu.r"
];

35
krebs/5pkgs/simple/cabal-read.nix Normal file
View file

@ -0,0 +1,35 @@
{ writeHaskellPackage }:
# Because `sed -n 's/.*\<ghc-options:\s\+\(.*\)/\1/p'` is too simple.
writeHaskellPackage "cabal-read" {
executables.ghc-options = {
extra-depends = ["Cabal"];
text = /* haskell */ ''
module Main (main) where
import Data.List
import Data.Maybe
import Distribution.Compiler
import Distribution.PackageDescription.Parsec
import Distribution.Types.BuildInfo
import Distribution.Types.CondTree
import Distribution.Types.Executable
import Distribution.Types.GenericPackageDescription
import Distribution.Types.UnqualComponentName
import Distribution.Verbosity
import System.Environment
main :: IO ()
main = do
[path, name] <- getArgs
desc <- readGenericPackageDescription normal path
case lookup (mkUnqualComponentName name) (condExecutables desc) of
Just exe ->
putStrLn . intercalate " " . fromMaybe [] . lookup GHC
. options . buildInfo . condTreeData $ exe
Nothing ->
error ("executable " <> name <> " not found in " <> path)
'';
};
}

276
lass/1systems/archprism/config.nix
View file

@ -6,26 +6,10 @@ with import <stockholm/lib>;
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/libvirt.nix>
{
services.nginx.enable = true;
imports = [
<stockholm/lass/2configs/websites/domsen.nix>
<stockholm/lass/2configs/websites/lassulus.nix>
];
# needed by domsen.nix ^^
lass.usershadow = {
enable = true;
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport http"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport https"; target = "ACCEPT"; }
];
}
{ # TODO make new hfos.nix out of this vv
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users.riot = {
uid = genid "riot";
uid = genid_uint31 "riot";
isNormalUser = true;
extraGroups = [ "libvirtd" ];
openssh.authorizedKeys.keys = [
@ -42,153 +26,7 @@ with import <stockholm/lib>;
{ v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.179"; }
];
}
{
users.users.tv = {
uid = genid "tv";
isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.tv.pubkey
];
};
users.users.makefu = {
uid = genid "makefu";
isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.makefu.pubkey
];
};
users.extraUsers.dritter = {
uid = genid "dritter";
isNormalUser = true;
extraGroups = [
"download"
];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
];
};
users.extraUsers.juhulian = {
uid = 1339;
isNormalUser = true;
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
];
};
users.users.hellrazor = {
uid = genid "hellrazor";
isNormalUser = true;
extraGroups = [
"download"
];
openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQFaYOWRUvHP6I37q9Dd4PJOq8FNQqAeJZ8pLx0G62uC450kbPGcG80rHHvXmk7HqQP6biJmMg48bOsvXAScPot2Qhp1Qc35CuUqVhLiTvUAsi8l/iJjhjZ23yRGDCAmW5+JIOzIvECkcbMnG7YoYAQ9trNGHe9qwGzQGhpt3QVClE23WtE3PVKRLQx1VbiabSnAm6tXVd2zpUoSdpWt8Gpi2taM4XXJ5+l744MNxFHvDapN5xqpYzwrA34Ii13jNLWcGbtgxESpR+VjnamdWByrkBsW4X5/xn2K1I1FrujaM/DBHV1QMaDKst9V8+uL5X7aYNt0OUBu2eyZdg6aujY2BYovB9uRyR1JIuSbA/a54MM96yN9WirMUufJF/YZrV0L631t9EW8ORyWUo1GRzMuBHVHQlfApj7NCU/jEddUuTqKgwyRgTmMFMUI4M0tRULAB/7pBE1Vbcx9tg6RsKIk8VkskfbBJW9Y6Sx6YoFlxPdgMNIrBefqEjIV62piP7YLMlvfIDCJ7TNd9dLN86XGggZ/nD5zt6SL1o61vVnw9If8pHosppxADPJsJvcdN6fOe16/tFAeE0JRo0jTcyFVTBGfhpey+rFfuW8wtUyuO5WPUxkOn7xMHGMWHJAtWX2vwVIDtLxvqn48B4SmEOpPD6ii+vcpwqAex3ycqBUQ==" ];
};
}
{
#hotdog
systemd.services."container@hotdog".reloadIfChanged = mkForce false;
containers.hotdog = {
config = { ... }: {
imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.1";
localAddress = "10.233.2.2";
};
}
<stockholm/lass/2configs/exim-smarthost.nix>
<stockholm/lass/2configs/ts3.nix>
<stockholm/lass/2configs/privoxy-retiolum.nix>
<stockholm/lass/2configs/radio.nix>
<stockholm/lass/2configs/binary-cache/server.nix>
<stockholm/lass/2configs/iodined.nix>
<stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/monitoring/prometheus-server.nix>
{ # quasi bepasty.nix
imports = [
<stockholm/lass/2configs/bepasty.nix>
];
krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
return 403;
}
'';
}
{
services.tor = {
enable = true;
};
}
{
lass.ejabberd = {
enable = true;
hosts = [ "lassul.us" ];
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
];
}
{
imports = [
<stockholm/lass/2configs/realwallpaper.nix>
];
services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
alias /var/realwallpaper/realwallpaper.png;
'';
}
{
users.users.jeschli = {
uid = genid "jeschli";
isNormalUser = true;
openssh.authorizedKeys.keys = with config.krebs.users; [
jeschli.pubkey
jeschli-bln.pubkey
jeschli-bolide.pubkey
jeschli-brauerei.pubkey
];
};
krebs.git.rules = [
{
user = with config.krebs.users; [
jeschli
jeschli-bln
jeschli-bolide
jeschli-brauerei
];
repo = [ config.krebs.git.repos.xmonad-stockholm ];
perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ];
}
{
user = with config.krebs.users; [
jeschli
jeschli-bln
jeschli-bolide
jeschli-brauerei
];
repo = [ config.krebs.git.repos.stockholm ];
perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ];
}
];
}
{
krebs.repo-sync.repos.stockholm.timerConfig = {
OnBootSec = "5min";
OnUnitInactiveSec = "2min";
RandomizedDelaySec = "2min";
};
}
<stockholm/lass/2configs/downloading.nix>
<stockholm/lass/2configs/minecraft.nix>
{
services.taskserver = {
enable = true;
@ -201,123 +39,11 @@ with import <stockholm/lib>;
{ predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
];
}
#<stockholm/lass/2configs/go.nix>
{
environment.systemPackages = [ pkgs.cryptsetup ];
systemd.services."container@red".reloadIfChanged = mkForce false;
containers.red = {
config = { ... }: {
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.3";
localAddress = "10.233.2.4";
};
services.nginx.virtualHosts."rote-allez-fraktion.de" = {
enableACME = true;
forceSSL = true;
locations."/" = {
extraConfig = ''
proxy_set_header Host rote-allez-fraktion.de;
proxy_pass http://10.233.2.4;
'';
};
};
}
#{
# imports = [ <stockholm/lass/2configs/backup.nix> ];
# lass.restic = genAttrs [
# "daedalus"
# "icarus"
# "littleT"
# "mors"
# "shodan"
# "skynet"
# ] (dest: {
# dirs = [
# "/home/chat/.weechat"
# "/bku/sql_dumps"
# ];
# passwordFile = (toString <secrets>) + "/restic/${dest}";
# repo = "sftp:backup@${dest}.r:/backups/prism";
# extraArguments = [
# "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
# ];
# timerConfig = {
# OnCalendar = "00:05";
# RandomizedDelaySec = "5h";
# };
# });
#}
{
users.users.download.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACADLPxtB2f2tocXHxD3ul9D1537hTht6/un87JYZNnoYABveasyIcdFIfp5lPJmj3PjwqXNTA4M/3V+ufrpZ91dxFeXWI5mOI4YB3xRu+Elja8g7nfvCz1HrH3sD1equos/7ltQ1GZYvHGw40qD1/ZtOODwRwrYJ7l/DUBrjk/tzXRjm0+ZgyQsb3G9a80cA8d3fiuQDxbAzdoJF46wt36ZfuSMpJ/Td8CbCoLlV/uL9QZemOglyxNxR607qGfRNXF1An+P+fFq24GmdHpMJ00DfjZ/dJRL9QSs7vd07uyB4Qty4VHwRhc46XH6KL7VTF1D3INF/BeBZx90GBxOvpgEji7Zrf7O5eSAjM2Do1+t+Ev2IIuiltB+QqTir4rZcrCBrJ2+zD3DDymKffVi8sz15AvdrFkIplzZxpOcgm9Ns2w/uh8sxeV6J58aoLEVmd2KRUfJFYiS1EuEjYo2OHlj8ltIh3VlfYdWksGpQc71IT0iEWvzvjYcfCda9uzFLKdLfBy4GB8+s4zR2CX9aGDyJaIY1kt/xqDeztnYwW1owG+fLMrDJlq3Mu+KmJljb30jzrOPhFYVZgWenmMFgH2RBzVEmnsR0f2LFVLj6N/a9fpEJ3WhxMOc5Ybdpgg/l9KUdgvWLk6KOtba+z9fuYT1YgwtZBoMgHAdZLmZ/DGtff palo@pepe"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGMjbYFmmvpF60YBShyFISbjN+O3e4GPkfsre6xFqz20joi8YqpD/5PtrMsGrPd1ZoZ9qSwXJtbb1WBomFg0xzRSNa1/FliKiE1ilcaB3aUZRtP0OWHIvWD3/YL/0h+/YXDGTfb8FNvpgJmnbN3Q0gw8cwWw+eve5BMyqDhzFvycxO4qDuP2JXkGpdhJqjaYZhP5rPH2mgv1oU1RnOA3A7APZVGf1m6JSmV7FZR514aGlFV+NpsvS29Mib8fcswgpoGhMN6jeh/nf49tp01LUAOmXSqdHIWNOTt3Mt7S4rU7RZwEhswdSRbKdKFRMj+uRkhJ4CPcNuuGtSY3id0Ja7IvrvxNaQUk1L8nBcza709jvSBYWSY5/aGL1ocA/PNWXDpOTp2PWwxkh39aPMqZXPTH3KC4IkRp5SiKibEhdmjnToV7nUAJe4IWn1b7QdoqS03ib0X87DnHWIbvi8UZlImM7pn0rs+rwnOo4lQwrTz7kbBHPaa6XOZAuDYND2728vtcrhwzVrKgiXWbyF6VzvwxPeeStmn1gENvozbj1hl9gbQ1cH/a4pZFBV/OFl/ryzDnB2ghM4acNJazXx/6/us9hX+np1YxIzJaxENj677MLc6HitM2g6XJGaixBQ0U2NNjcjIuQT0ZaeKXsSLnu1Y7+uslbVAwsQ4pJmSxxMMQ== palo@workhorse"
];
}
{
}
{
lass.nichtparasoup.enable = true;
services.nginx = {
enable = true;
virtualHosts."lol.lassul.us" = {
forceSSL = true;
enableACME = true;
locations."/".extraConfig = ''
proxy_pass http://localhost:5001;
'';
};
};
}
{
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.1.1/24" ];
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key";
allowedIPsAsRoutes = true;
peers = [
{
# lass-android
allowedIPs = [ "10.244.1.2/32" ];
publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
}
];
};
}
{
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
];
}
{
services.murmur.enable = true;
services.murmur.registerName = "lassul.us";
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
];
}
];
krebs.build.host = config.krebs.hosts.archprism;

47
lass/1systems/littleT/config.nix
View file

@ -6,52 +6,11 @@ with import <stockholm/lib>;
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/steam.nix>
{
users.users.blacky = {
uid = genid "blacky";
home = "/home/blacky";
group = "users";
createHome = true;
extraGroups = [
"audio"
"networkmanager"
"video"
];
useDefaultShell = true;
};
networking.networkmanager.enable = true;
networking.wireless.enable = mkForce false;
hardware.pulseaudio = {
enable = true;
systemWide = true;
};
environment.systemPackages = with pkgs; [
pavucontrol
chromium
hexchat
networkmanagerapplet
vlc
];
services.xserver.enable = true;
services.xserver.displayManager.lightdm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
services.xserver.layout = "de";
users.mutableUsers = mkForce true;
services.xserver.synaptics.enable = true;
}
{
#remote control
environment.systemPackages = with pkgs; [
x11vnc
];
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp -i retiolum --dport 5900"; target = "ACCEPT"; }
];
}
<stockholm/lass/2configs/blue-host.nix>
];
networking.networkmanager.enable = true;
networking.wireless.enable = mkForce false;
time.timeZone = "Europe/Berlin";
hardware.trackpoint = {

22
lass/1systems/littleT/physical.nix
View file

@ -1,7 +1,25 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/x220.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
];
fileSystems."/" =
{ device = "rpool/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/5B2E-3734";
fsType = "vfat";
};
boot.loader.grub.enable = true;
boot.loader.grub.version = 2;
boot.loader.grub.efiSupport = true;
boot.loader.grub.efiInstallAsRemovable = true;
boot.loader.grub.device = "nodev";
networking.hostId = "584248c6";
boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
boot.kernelModules = [ "kvm-intel" ];
}

33
lass/1systems/morpheus/config.nix Normal file
View file

@ -0,0 +1,33 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/power-action.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/steam.nix>
];
krebs.build.host = config.krebs.hosts.morpheus;
networking.wireless.enable = false;
networking.networkmanager.enable = true;
services.logind.extraConfig = ''
HandleLidSwitch=ignore
'';
nixpkgs.config.packageOverrides = super: {
steam = super.steam.override {
withPrimus = true;
extraPkgs = p: with p; [
glxinfo
nettools
bumblebee
];
};
};
}

32
lass/1systems/morpheus/physical.nix Normal file
View file

@ -0,0 +1,32 @@
{ lib, ... }:
{
imports = [
<nixpkgs/nixos/modules/installer/scan/not-detected.nix>
./config.nix
];
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostId = "60ce7e88";
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ];
boot.kernelParams = [ "acpi_osi=!" ''acpi_osi="Windows 2009"'' ];
hardware.bumblebee.enable = true;
hardware.bumblebee.group = "video";
fileSystems."/" =
{ device = "rpool/root";
fsType = "zfs";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/DF3B-4528";
fsType = "vfat";
};
nix.maxJobs = lib.mkDefault 8;
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
}

1
lass/1systems/mors/config.nix
View file

@ -34,6 +34,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/print.nix>
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/network-manager.nix>
{
krebs.iptables.tables.filter.INPUT.rules = [
#risk of rain

43
lass/1systems/prism/config.nix
View file

@ -25,7 +25,7 @@ with import <stockholm/lib>;
{ # TODO make new hfos.nix out of this vv
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users.riot = {
uid = genid "riot";
uid = genid_uint31 "riot";
isNormalUser = true;
extraGroups = [ "libvirtd" ];
openssh.authorizedKeys.keys = [
@ -44,21 +44,21 @@ with import <stockholm/lib>;
}
{
users.users.tv = {
uid = genid "tv";
uid = genid_uint31 "tv";
isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.tv.pubkey
];
};
users.users.makefu = {
uid = genid "makefu";
uid = genid_uint31 "makefu";
isNormalUser = true;
openssh.authorizedKeys.keys = [
config.krebs.users.makefu.pubkey
];
};
users.extraUsers.dritter = {
uid = genid "dritter";
uid = genid_uint31 "dritter";
isNormalUser = true;
extraGroups = [
"download"
@ -75,7 +75,7 @@ with import <stockholm/lib>;
];
};
users.users.hellrazor = {
uid = genid "hellrazor";
uid = genid_uint31 "hellrazor";
isNormalUser = true;
extraGroups = [
"download"
@ -168,7 +168,7 @@ with import <stockholm/lib>;
}
{
users.users.jeschli = {
uid = genid "jeschli";
uid = genid_uint31 "jeschli";
isNormalUser = true;
openssh.authorizedKeys.keys = with config.krebs.users; [
jeschli.pubkey
@ -297,31 +297,30 @@ with import <stockholm/lib>;
};
}
{
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
imports = [
<stockholm/lass/2configs/wiregrill.nix>
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
{ v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
];
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v4 = false; predicate = "-s 42:1:ce16::/48 ! -d 42:1:ce16::48"; target = "MASQUERADE"; }
{ v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.244.1.1/24" ];
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wireguard.key";
allowedIPsAsRoutes = true;
peers = [
{
# lass-android
allowedIPs = [ "10.244.1.2/32" ];
publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
}
];
services.dnsmasq = {
enable = true;
resolveLocalQueries = false;
extraConfig= ''
listen-address=42:1:ce16::1
except-interface=lo
interface=wg0
'';
};
}
{

2
lass/1systems/shodan/config.nix
View file

@ -8,11 +8,9 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/mouse.nix>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/git.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>

1
lass/1systems/skynet/config.nix
View file

@ -5,7 +5,6 @@ with import <stockholm/lib>;
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/blue-host.nix>
<stockholm/lass/2configs/power-action.nix>
{

16
lass/1systems/xerxes/config.nix
View file

@ -1,16 +0,0 @@
{ config, pkgs, ... }:
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/baseX.nix>
<stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix>
];
krebs.build.host = config.krebs.hosts.xerxes;
}

29
lass/1systems/xerxes/physical.nix
View file

@ -1,29 +0,0 @@
{
imports = [
./config.nix
<stockholm/lass/2configs/hw/gpd-pocket.nix>
<stockholm/lass/2configs/boot/stock-x220.nix>
];
services.udev.extraRules = ''
SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0"
'';
fileSystems."/" = {
device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437";
fsType = "btrfs";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/16C8-D053";
fsType = "vfat";
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358";
fsType = "btrfs";
};
boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ];
networking.wireless.enable = true;
}

44
lass/1systems/yellow/config.nix
View file

@ -19,7 +19,11 @@ with import <stockholm/lib>;
users.groups.download.members = [ "transmission" ];
users.users.transmission.group = mkForce "download";
systemd.services.transmission.serviceConfig.bindsTo = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.after = [ "openvpn-nordvpn.service" ];
systemd.services.transmission.postStart = ''
chmod 775 /var/download/finished
'';
services.transmission = {
enable = true;
settings = {
@ -34,10 +38,40 @@ with import <stockholm/lib>;
services.nginx = {
enable = true;
virtualHosts."yellow.r".locations."/dl".extraConfig = ''
autoindex on;
alias /var/download/finished;
'';
package = pkgs.nginx.override {
modules = with pkgs.nginxModules; [
fancyindex
];
};
virtualHosts."dl" = {
default = true;
locations."/Nginx-Fancyindex-Theme-dark" = {
extraConfig = ''
alias ${pkgs.fetchFromGitHub {
owner = "Naereen";
repo = "Nginx-Fancyindex-Theme";
rev = "e84f7d6a32085c2b6238f85f5fdebe9ceb710fc4";
sha256 = "0wzl4ws2w8f0749vxfd1c8c21p3jw463wishgfcmaljbh4dwplg6";
}}/Nginx-Fancyindex-Theme-dark;
autoindex on;
'';
};
locations."/dl".extraConfig = ''
return 301 /;
'';
locations."/" = {
root = "/var/download/finished";
extraConfig = ''
fancyindex on;
fancyindex_header "/Nginx-Fancyindex-Theme-dark/header.html";
fancyindex_footer "/Nginx-Fancyindex-Theme-dark/footer.html";
dav_methods PUT DELETE MKCOL COPY MOVE;
create_full_put_path on;
dav_access all:r;
'';
};
};
};
krebs.iptables = {

6
lass/2configs/baseX.nix
View file

@ -9,7 +9,6 @@ in {
./power-action.nix
./copyq.nix
./urxvt.nix
./network-manager.nix
{
hardware.pulseaudio = {
enable = true;
@ -65,6 +64,7 @@ in {
dic
dmenu
font-size
fzfmenu
gitAndTools.qgit
git-preview
gnome3.dconf
@ -97,9 +97,9 @@ in {
enable = true;
layout = "us";
display = mkForce 0;
xkbModel = "evdev";
xkbVariant = "altgr-intl";
xkbOptions = "caps:backspace";
xkbOptions = "caps:escape";
libinput.enable = true;
displayManager.lightdm.enable = true;
windowManager.default = "xmonad";
windowManager.session = [{

1
lass/2configs/blue-host.nix
View file

@ -7,6 +7,7 @@ let
"daedalus"
"skynet"
"prism"
"littleT"
];
remote_hosts = filter (h: h != config.networking.hostName) all_hosts;

2
lass/2configs/blue.nix
View file

@ -22,7 +22,9 @@ with (import <stockholm/lib>);
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
{ predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";}
{ predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";}
{ predicate = "-i wiregrill -p tcp --dport 9999"; target = "ACCEPT";}
];
systemd.services.chat = let

6
lass/2configs/browsers.nix
View file

@ -45,7 +45,7 @@ let
createFirefoxUser = name: groups: precedence:
createUser (pkgs.writeDash name ''
${pkgs.firefox-devedition-bin}/bin/firefox-devedition "$@"
${pkgs.firefox}/bin/firefox "$@"
'') name groups precedence 80;
createQuteUser = name: groups: precedence:
@ -89,8 +89,8 @@ in {
}));
};
}
( createQuteUser "qb" [ "audio" ] 20 )
( createFirefoxUser "ff" [ "audio" ] 10 )
( createFirefoxUser "ff" [ "audio" ] 11 )
( createQuteUser "qb" [ "audio" ] 10 )
( createChromiumUser "cr" [ "audio" "video" ] 9 )
( createChromiumUser "gm" [ "video" "audio" ] 8 )
( createChromiumUser "wk" [ "audio" ] 0 )

1
lass/2configs/default.nix
View file

@ -10,6 +10,7 @@ with import <stockholm/lib>;
./zsh.nix
./htop.nix
./security-workarounds.nix
./wiregrill.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })

1
lass/2configs/exim-smarthost.nix
View file

@ -94,6 +94,7 @@ with import <stockholm/lib>;
{ from = "osmocom@lassul.us"; to = lass.mail; }
{ from = "lesswrong@lassul.us"; to = lass.mail; }
{ from = "nordvpn@lassul.us"; to = lass.mail; }
{ from = "csv-direct@lassul.us"; to = lass.mail; }
];
system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; }

1
lass/2configs/games.nix
View file

@ -57,6 +57,7 @@ let
in {
environment.systemPackages = with pkgs; [
dolphinEmu
doom1
doom2
vdoom1

2
lass/2configs/git.nix
View file

@ -154,7 +154,7 @@ let
public = true;
};
make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? false, hooks ? {}, ... }: {
make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? true, hooks ? {}, ... }: {
inherit admins collaborators name;
public = false;
hooks = {

2
lass/2configs/mail.nix
View file

@ -82,7 +82,7 @@ let
source ${pkgs.neomutt}/share/doc/neomutt/samples/gpg.rc
set pgp_use_gpg_agent = yes
set pgp_sign_as = 0xDC2A43EF4F11E854B44D599A89E82952976A7E4D
set crypt_autosign = yes
set crypt_autosign = no
set crypt_replyencrypt = yes
set crypt_verify_sig = yes
set pgp_verify_command = "gpg --no-verbose --batch --output - --verify %s %f"

3
lass/2configs/mouse.nix
View file

@ -1,4 +1,4 @@
{ ... }:
{ lib, ... }:
{
hardware.trackpoint = {
enable = true;
@ -7,6 +7,7 @@
emulateWheel = true;
};
services.xserver.libinput.enable = lib.mkForce false;
services.xserver.synaptics = {
enable = true;
horizEdgeScroll = false;

3
lass/2configs/radio.nix
View file

@ -5,7 +5,6 @@ with import <stockholm/lib>;
let
name = "radio";
mainUser = config.users.extraUsers.mainUser;
inherit (import <stockholm/lib>) genid;
admin-password = import <secrets/icecast-admin-pw>;
source-password = import <secrets/icecast-source-pw>;
@ -31,7 +30,7 @@ in {
"${name}" = rec {
inherit name;
group = name;
uid = genid name;
uid = genid_uint31 name;
description = "radio manager";
home = "/home/${name}";
useDefaultShell = true;

8
lass/2configs/websites/domsen.nix
View file

@ -126,6 +126,7 @@ in {
{ from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
{ from = "akayguen@freemonkey.art"; to ="akayguen"; }
{ from = "bui@freemonkey.art"; to ="bui"; }
{ from = "kontakt@alewis.de"; to ="klabusterbeere"; }
{ from = "testuser@lassul.us"; to = "testuser"; }
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
@ -204,5 +205,12 @@ in {
createHome = true;
};
users.users.klabusterbeere = {
uid = genid_uint31 "klabusterbeere";
home = "/home/klabusterbeere";
useDefaultShell = true;
createHome = true;
};
}

6
lass/2configs/websites/lassulus.nix
View file

@ -3,7 +3,7 @@
with lib;
let
inherit (import <stockholm/lib>)
genid
genid_uint31
;
in {
@ -22,7 +22,7 @@ in {
krebs.tinc_graphs.enable = true;
users.users.lass-stuff = {
uid = genid "lass-stuff";
uid = genid_uint31 "lass-stuff";
description = "lassul.us blog cgi stuff";
home = "/var/empty";
};
@ -124,7 +124,7 @@ in {
};
users.users.blog = {
uid = genid "blog";
uid = genid_uint31 "blog";
description = "lassul.us blog deployment";
home = "/srv/http/lassul.us";
useDefaultShell = true;

44
lass/2configs/wiregrill.nix Normal file
View file

@ -0,0 +1,44 @@
with import <stockholm/lib>;
{ config, pkgs, ... }: let
self = config.krebs.build.host.nets.wiregrill;
isRouter = !isNull self.via;
in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
#hack for modprobe inside containers
systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [
(pkgs.writeDashBin "modprobe" ":")
]);
boot.kernel.sysctl = mkIf isRouter {
"net.ipv6.conf.all.forwarding" = 1;
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
];
krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
{ precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
];
networking.wireguard.interfaces.wiregrill = {
ips =
(optional (!isNull self.ip4) self.ip4.addr) ++
(optional (!isNull self.ip6) self.ip6.addr);
listenPort = 51820;
privateKeyFile = (toString <secrets>) + "/wiregrill.key";
allowedIPsAsRoutes = true;
peers = mapAttrsToList
(_: host: {
allowedIPs = if isRouter then
(optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
(optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
else
host.nets.wiregrill.wireguard.subnets
;
endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
publicKey = host.nets.wiregrill.wireguard.pubkey;
})
(filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
};
}

2
lass/3modules/xjail.nix
View file

@ -142,7 +142,7 @@ with import <stockholm/lib>;
users.users = mapAttrs' (_: cfg:
nameValuePair cfg.name {
uid = genid cfg.name;
uid = genid_uint31 cfg.name;
home = "/home/${cfg.name}";
useDefaultShell = true;
createHome = true;

2
lass/5pkgs/custom/xmonad-lass/default.nix
View file

@ -78,7 +78,7 @@ main = getArgs >>= \case
main' :: IO ()
main' = do
handleShutdownEvent <- newShutdownEventHandler
xmonad $ ewmh
launch $ ewmh
$ withUrgencyHook LibNotifyUrgencyHook
$ def
{ terminal = myTerm

11
lass/5pkgs/l-gen-secrets/default.nix
View file

@ -8,6 +8,8 @@ pkgs.writeDashBin "l-gen-secrets" ''
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null
${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null
${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null
${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wiregrill.key
${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard}/bin/wg pubkey > $TMPDIR/wiregrill.pub
cat <<EOF > $TMPDIR/hashedPasswords.nix
{
root = "$HASHED_PASSWORD";
@ -35,6 +37,15 @@ pkgs.writeDashBin "l-gen-secrets" ''
$(cat $TMPDIR/retiolum.rsa_key.pub)
${"''"};
};
wiregrill = {
ip6.addr = (wip6 "changeme").address;
aliases = [
"$HOSTNAME.w"
];
wireguard.pubkey = ${"''"}
$(cat $TMPDIR/wiregrill.pub)
${"''"};
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)";

44
lib/default.nix
View file

@ -5,6 +5,7 @@ let
evalSource = import ./eval-source.nix;
git = import ./git.nix { inherit lib; };
krebs = import ./krebs lib;
krops = import ../submodules/krops/lib;
shell = import ./shell.nix { inherit lib; };
types = nixpkgs-lib.types // import ./types.nix { inherit lib; };
@ -28,8 +29,6 @@ let
listToAttrs (map (name: nameValuePair name set.${name})
(filter (flip hasAttr set) names));
setAttr = name: value: set: set // { ${name} = value; };
test = re: x: isString x && testString re x;
testString = re: x: match re x != null;
@ -94,7 +93,13 @@ let
in
if max.pos == 0
then a
else "${concatStringsSep ":" lhs}::${concatStringsSep ":" rhs}";
else let
sep =
if 8 - (length lhs + length rhs) == 1
then ":0:"
else "::";
in
"${concatStringsSep ":" lhs}${sep}${concatStringsSep ":" rhs}";
drop-leading-zeros =
let
@ -108,7 +113,38 @@ let
in
a: concatStringsSep ":" (map f (splitString ":" a));
in
a: toLower (group-zeros (drop-leading-zeros a));
a:
toLower
(if test ".*::.*" a
then a
else group-zeros (drop-leading-zeros a));
hashToLength = n: s: substring 0 n (hashString "sha256" s);
dropLast = n: xs: reverseList (drop n (reverseList xs));
takeLast = n: xs: reverseList (take n (reverseList xs));
# Split string into list of chunks where each chunk is at most n chars long.
# The leftmost chunk might shorter.
# Example: stringToGroupsOf "123456" -> ["12" "3456"]
stringToGroupsOf = n: s: let
acc =
foldl'
(acc: c: if stringLength acc.chunk < n then {
chunk = acc.chunk + c;
chunks = acc.chunks;
} else {
chunk = c;
chunks = acc.chunks ++ [acc.chunk];
})
{
chunk = "";
chunks = [];
}
(stringToCharacters s);
in
filter (x: x != []) ([acc.chunk] ++ acc.chunks);
};
in

3
lib/krebs/default.nix Normal file
View file

@ -0,0 +1,3 @@
lib:
with lib;
mapNixDir (flip import lib) ./.

109
lib/krebs/genipv6.nix Normal file
View file

@ -0,0 +1,109 @@
lib:
with lib;
let {
body = netname: subnetname: suffixSpec: rec {
address = let
suffix' = prependZeros suffixLength suffix;
in
normalize-ip6-addr
(checkAddress addressLength (joinAddress subnetPrefix suffix'));
addressCIDR = "${address}/${toString addressLength}";
addressLength = 128;
inherit netname;
netCIDR = "${netAddress}/${toString netPrefixLength}";
netAddress =
normalize-ip6-addr (appendZeros addressLength netPrefix);
netHash = toString {
retiolum = 0;
wiregrill = 1;
}.${netname};
netPrefix = "42:${netHash}";
netPrefixLength = {
retiolum = 32;
wiregrill = 32;
}.${netname};
inherit subnetname;
subnetCIDR = "${subnetAddress}/${toString subnetPrefixLength}";
subnetAddress =
normalize-ip6-addr (appendZeros addressLength subnetPrefix);
subnetHash = hashToLength 4 subnetname;
subnetPrefix = joinAddress netPrefix subnetHash;
subnetPrefixLength = netPrefixLength + 16;
suffix = getAttr (typeOf suffixSpec) {
set =
concatStringsSep
":"
(stringToGroupsOf
4
(hashToLength (suffixLength / 4) suffixSpec.hostName));
string = suffixSpec;
};
suffixLength = addressLength - subnetPrefixLength;
};
appendZeros = n: s: let
n' = n / 16;
zeroCount = n' - length parsedaddr;
parsedaddr = parseAddress s;
in
formatAddress (parsedaddr ++ map (const "0") (range 1 zeroCount));
prependZeros = n: s: let
n' = n / 16;
zeroCount = n' - length parsedaddr;
parsedaddr = parseAddress s;
in
formatAddress (map (const "0") (range 1 zeroCount) ++ parsedaddr);
hasEmptyPrefix = xs: take 2 xs == ["" ""];
hasEmptySuffix = xs: takeLast 2 xs == ["" ""];
hasEmptyInfix = xs: any (x: x == "") (trimEmpty 2 xs);
hasEmptyGroup = xs:
any (p: p xs) [hasEmptyPrefix hasEmptyInfix hasEmptySuffix];
ltrimEmpty = n: xs: if hasEmptyPrefix xs then drop n xs else xs;
rtrimEmpty = n: xs: if hasEmptySuffix xs then dropLast n xs else xs;
trimEmpty = n: xs: rtrimEmpty n (ltrimEmpty n xs);
parseAddress = splitString ":";
formatAddress = concatStringsSep ":";
check = s: c: if !c then throw "${s}" else true;
checkAddress = maxaddrlen: addr: let
parsedaddr = parseAddress addr;
normalizedaddr = trimEmpty 1 parsedaddr;
in
assert (check "address malformed; lone leading colon: ${addr}" (
head parsedaddr == "" -> tail (take 2 parsedaddr) == ""
));
assert (check "address malformed; lone trailing colon ${addr}" (
last parsedaddr == "" -> head (takeLast 2 parsedaddr) == ""
));
assert (check "address malformed; too many successive colons: ${addr}" (
length (filter (x: x == "") normalizedaddr) > 1 -> addr == [""]
));
assert (check "address malformed: ${addr}" (
all (test "[0-9a-f]{0,4}") parsedaddr
));
assert (check "address is too long: ${addr}" (
length normalizedaddr * 16 <= maxaddrlen
));
addr;
joinAddress = prefix: suffix: let
parsedPrefix = parseAddress prefix;
parsedSuffix = parseAddress suffix;
normalizePrefix = rtrimEmpty 2 parsedPrefix;
normalizeSuffix = ltrimEmpty 2 parsedSuffix;
delimiter =
optional (length (normalizePrefix ++ normalizeSuffix) < 8 &&
(hasEmptySuffix parsedPrefix || hasEmptyPrefix parsedSuffix))
"";
in
formatAddress (normalizePrefix ++ delimiter ++ normalizeSuffix);
}

26
lib/types.nix
View file

@ -19,7 +19,7 @@ rec {
default = config._module.args.name;
};
cores = mkOption {
type = positive;
type = uint;
};
nets = mkOption {
type = attrsOf net;
@ -192,6 +192,28 @@ rec {
}));
default = null;
};
wireguard = mkOption {
type = nullOr (submodule ({ config, ... }: {
options = {
port = mkOption {
type = int;
description = "tinc port to use to connect to host";
default = 51820;
};
pubkey = mkOption {
type = wireguard-pubkey;
};
subnets = mkOption {
type = listOf cidr;
description = ''
wireguard subnets,
this defines how routing behaves for hosts that can't reach each other.
'';
default = [];
};
};
}));
};
};
});
@ -548,4 +570,6 @@ rec {
check = filename.check;
merge = mergeOneOption;
};
wireguard-pubkey = str;
}

0
makefu/0tests/data/secrets/netdata-stream.conf Normal file
View file

1
makefu/0tests/data/secrets/nsupdate-cache.nix Normal file
View file

@ -0,0 +1 @@
"derp"

5
makefu/1systems/full/source.nix
View file

@ -1,5 +0,0 @@
{
name="gum";
torrent = true;
clever_kexec = true;
}

117
makefu/1systems/gum/config.nix
View file

@ -4,13 +4,14 @@ with import <stockholm/lib>;
let
external-ip = config.krebs.build.host.nets.internet.ip4.addr;
ext-if = config.makefu.server.primary-itf;
allDisks = [ "/dev/sda" "/dev/sdb" ];
in {
imports = [
<stockholm/makefu>
./hardware-config.nix
{
users.users.lass = {
uid = 9002;
uid = 19002;
isNormalUser = true;
createHome = true;
useDefaultShell = true;
@ -20,8 +21,12 @@ in {
];
};
}
# <stockholm/makefu/2configs/stats/client.nix>
<stockholm/makefu/2configs/stats/netdata-server.nix>
<stockholm/makefu/2configs/headless.nix>
# <stockholm/makefu/2configs/smart-monitor.nix>
<stockholm/makefu/2configs/smart-monitor.nix>
{ services.smartd.devices = builtins.map (x: { device = x; }) allDisks; }
# Security
<stockholm/makefu/2configs/sshd-totp.nix>
@ -30,6 +35,8 @@ in {
<stockholm/makefu/2configs/tools/core.nix>
<stockholm/makefu/2configs/tools/dev.nix>
<stockholm/makefu/2configs/tools/sec.nix>
<stockholm/makefu/2configs/tools/desktop.nix>
<stockholm/makefu/2configs/zsh-user.nix>
<stockholm/makefu/2configs/mosh.nix>
# <stockholm/makefu/2configs/gui/xpra.nix>
@ -41,17 +48,47 @@ in {
<stockholm/makefu/2configs/iodined.nix>
# <stockholm/makefu/2configs/backup.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
{ # bonus retiolum config for connecting more hosts
krebs.tinc.retiolum = {
extraConfig = ''
ListenAddress = ${external-ip} 53
ListenAddress = ${external-ip} 655
ListenAddress = ${external-ip} 21031
'';
connectTo = [
"prism" "ni" "enklave" "eve" "archprism"
];
};
networking.firewall = {
allowedTCPPorts =
[
53
655
21031
];
allowedUDPPorts =
[
53
655
21031
];
};
}
# ci
# <stockholm/makefu/2configs/exim-retiolum.nix>
<stockholm/makefu/2configs/git/cgit-retiolum.nix>
<stockholm/makefu/2configs/shack/events-publisher>
<stockholm/makefu/2configs/shack/gitlab-runner>
<stockholm/makefu/2configs/remote-build/slave.nix>
<stockholm/makefu/2configs/taskd.nix>
# services
<stockholm/makefu/2configs/sabnzbd.nix>
# <stockholm/makefu/2configs/sabnzbd.nix>
<stockholm/makefu/2configs/mail/mail.euer.nix>
{
krebs.exim.enable = mkForce false;
}
# sharing
<stockholm/makefu/2configs/share/gum.nix>
@ -59,13 +96,6 @@ in {
#<stockholm/makefu/2configs/retroshare.nix>
## <stockholm/makefu/2configs/ipfs.nix>
#<stockholm/makefu/2configs/syncthing.nix>
{ # ncdc
environment.systemPackages = [ pkgs.ncdc ];
networking.firewall = {
allowedUDPPorts = [ 51411 ];
allowedTCPPorts = [ 51411 ];
};
}
# <stockholm/makefu/2configs/opentracker.nix>
## network
@ -91,17 +121,17 @@ in {
#<stockholm/makefu/2configs/nginx/public_html.nix>
#<stockholm/makefu/2configs/nginx/update.connector.one.nix>
<stockholm/makefu/2configs/nginx/misa-felix-hochzeit.ml.nix>
<stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
# <stockholm/makefu/2configs/nginx/gold.krebsco.de.nix>
<stockholm/makefu/2configs/nginx/iso.euer.nix>
<stockholm/makefu/2configs/shack/events-publisher>
<stockholm/krebs/2configs/cache.nsupdate.info.nix>
<stockholm/makefu/2configs/deployment/photostore.krebsco.de.nix>
<stockholm/makefu/2configs/deployment/graphs.nix>
<stockholm/makefu/2configs/deployment/owncloud.nix>
<stockholm/makefu/2configs/deployment/boot-euer.nix>
<stockholm/makefu/2configs/deployment/bgt/hidden_service.nix>
<stockholm/makefu/2configs/bgt/download.binaergewitter.de.nix>
<stockholm/makefu/2configs/bgt/hidden_service.nix>
<stockholm/makefu/2configs/stats/client.nix>
# <stockholm/makefu/2configs/logging/client.nix>
# sharing
@ -115,7 +145,8 @@ in {
# krebs infrastructure services
<stockholm/makefu/2configs/stats/server.nix>
];
];
makefu.dl-dir = "/var/download";
services.openssh.hostKeys = [
@ -125,70 +156,14 @@ in {
services.nginx.virtualHosts.cgit.serverAliases = [ "cgit.euer.krebsco.de" ];
krebs.build.host = config.krebs.hosts.gum;
krebs.tinc.retiolum = {
extraConfig = ''
ListenAddress = ${external-ip} 53
ListenAddress = ${external-ip} 655
ListenAddress = ${external-ip} 21031
'';
connectTo = [
"prism" "ni" "enklave" "dishfire" "echelon" "hotdog"
];
};
# access
users.users = {
root.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-omo.pubkey ];
makefu.openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey config.krebs.users.makefu-bob.pubkey ];
};
# Chat
environment.systemPackages = with pkgs;[
weechat
bepasty-client-cli
tmux
];
# Hardware
# Network
networking = {
firewall = {
allowPing = true;
logRefusedConnections = false;
allowedTCPPorts = [
# smtp
25
# http
80 443
# httptunnel
8080 8443
# tinc
655
# tinc-shack
21032
# tinc-retiolum
21031
# taskserver
53589
# temp vnc
18001
# temp reverseshell
31337
];
allowedUDPPorts = [
# tinc
655 53
# tinc-retiolum
21031
# tinc-shack
21032
];
};
nameservers = [ "8.8.8.8" ];
};
users.users.makefu.extraGroups = [ "download" "nginx" ];
boot.tmpOnTmpfs = true;
state = [ "/home/makefu/.weechat" ];
}

11
makefu/1systems/gum/hardware-config.nix
View file

@ -46,7 +46,7 @@ in {
"ata_piix" "vmw_pvscsi" "virtio_pci" "sd_mod" "ahci"
"xhci_pci" "ehci_pci" "ahci" "sd_mod"
];
boot.kernelModules = [ "kvm-intel" ];
boot.kernelModules = [ "dm-thin-pool" "kvm-intel" ];
hardware.enableRedistributableFirmware = true;
fileSystems."/" = {
device = "/dev/mapper/nixos-root";
@ -56,10 +56,19 @@ in {
device = "/dev/mapper/nixos-lib";
fsType = "ext4";
};
fileSystems."/var/log" = {
device = "/dev/mapper/nixos-log";
fsType = "ext4";
};
fileSystems."/var/download" = {
device = "/dev/mapper/nixos-download";
fsType = "ext4";
};
fileSystems."/var/www/binaergewitter" = {
device = "/dev/mapper/nixos-binaergewitter";
fsType = "ext4";
options = [ "nofail" ];
};
fileSystems."/var/lib/borgbackup" = {
device = "/dev/mapper/nixos-backup";
fsType = "ext4";

4
makefu/1systems/gum/rescue.txt
View file

@ -1,10 +1,14 @@
ssh gum.i -o StrictHostKeyChecking=no
mount /dev/mapper/nixos-root /mnt
mount /dev/sda2 /mnt/boot
chroot-prepare /mnt
chroot /mnt /bin/sh
journalctl -D /mnt/var/log/journal --since today # find the active system (or check grub)
# ... activating ...
export PATH=/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/sw/bin
/nix/store/9incs5sfn7n1vh1lavgp95v761nh11w3-nixos-system-nextgum-18.03pre-git/activate

2
makefu/1systems/gum/source.nix
View file

@ -1,5 +1,5 @@
{
name="nextgum";
name="gum";
torrent = true;
clever_kexec = true;
}

2
makefu/1systems/iso/config.nix
View file

@ -10,7 +10,7 @@ with import <stockholm/lib>;
];
# TODO: NIX_PATH and nix.nixPath are being set by default.nix right now
# cd ~/stockholm ; nix-build -A config.system.build.isoImage -I nixos-config=makefu/1systems/iso.nix -I secrets=/home/makefu/secrets/iso /var/src/nixpkgs/nixos
krebs.build.host = config.krebs.hosts.iso;
krebs.build.host = { cores = 0; };
isoImage.isoBaseName = lib.mkForce "stockholm";
krebs.hidden-ssh.enable = true;
environment.systemPackages = with pkgs; [

6
makefu/1systems/omo/config.nix
View file

@ -44,7 +44,8 @@ in {
# <stockholm/makefu/2configs/share/omo-timemachine.nix>
<stockholm/makefu/2configs/tinc/retiolum.nix>
# statistics
<stockholm/makefu/2configs/stats/client.nix>
# Logging
#influx + grafana
<stockholm/makefu/2configs/stats/server.nix>
@ -74,7 +75,8 @@ in {
"homeassistant-0.77.2"
];
}
<stockholm/makefu/2configs/deployment/homeautomation>
<stockholm/makefu/2configs/homeautomation>
<stockholm/makefu/2configs/homeautomation/google-muell.nix>
{
makefu.ps3netsrv = {
enable = true;

5
makefu/1systems/omo/hw/omo.nix
View file

@ -48,9 +48,8 @@ in {
makefu.snapraid = {
enable = true;
# TODO: 3 is not protected
disks = map toMapper [ 0 1 ];
parity = toMapper 2;
disks = map toMapper [ 0 2 3 ];
parity = toMapper 1;
};
fileSystems = let
cryptMount = name:

11
makefu/1systems/wbob/config.nix
View file

@ -20,9 +20,6 @@ in {
<stockholm/makefu/2configs/mqtt.nix>
<stockholm/makefu/2configs/gui/wbob-kiosk.nix>
<stockholm/makefu/2configs/stats/client.nix>
# <stockholm/makefu/2configs/gui/studio-virtual.nix>
# <stockholm/makefu/2configs/audio/jack-on-pulse.nix>
# <stockholm/makefu/2configs/audio/realtime-audio.nix>
@ -35,6 +32,8 @@ in {
<stockholm/makefu/2configs/bluetooth-mpd.nix>
# Sensors
<stockholm/makefu/2configs/stats/client.nix>
<stockholm/makefu/2configs/stats/collectd-client.nix>
<stockholm/makefu/2configs/stats/telegraf>
<stockholm/makefu/2configs/stats/telegraf/airsensor.nix>
<stockholm/makefu/2configs/stats/telegraf/europastats.nix>
@ -51,9 +50,9 @@ in {
"homeassistant-0.77.2"
];
}
<stockholm/makefu/2configs/deployment/bureautomation>
<stockholm/makefu/2configs/deployment/bureautomation/mpd.nix>
<stockholm/makefu/2configs/deployment/bureautomation/hass.nix>
<stockholm/makefu/2configs/bureautomation>
<stockholm/makefu/2configs/bureautomation/mpd.nix>
<stockholm/makefu/2configs/bureautomation/hass.nix>
(let
collectd-port = 25826;
influx-port = 8086;

1
makefu/2configs/bgt/auphonic.pub Normal file
View file

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDvP50lgtHhlC3LKzC1/4yzJNxkZFDSIBvEfavNfchNKJUEBPo82oVtfFgJR5XfjI7c2U9dHl+0q4qMl+9ZiZWr2YgDpAr78kpur4gjWKrnBa2eT9GIfXB3Tm1+OpI2HoeOHUKEK1gKqqe9tJfS+CLb7DLCjulW8zdLiiH6KmvyaH78hGjZv+bpx7H4rItAinl8vGe+ceRIk4tZbmkyhphXbQZa3Ov+imiJXIr7fmX3tkOhUp4YwrVlUK8J0MEa1Kf7ZYWRqvGnKYFQ73LwLPz7UIOZ93zPF4d0R7xqvdEEhIx+u1/gToQZSMUczbVqg3dixr3yeBhFA/6h0lTA61mx

23
makefu/2configs/nginx/download.binaergewitter.de.nix → makefu/2configs/bgt/download.binaergewitter.de.nix
View file

@ -1,12 +1,25 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
ident = (toString <secrets>) + "/mirrorsync.gum.id_ed25519";
ident = (builtins.readFile ./auphonic.pub);
in {
systemd.services.mirrorsync = {
startAt = "08:00:00";
path = with pkgs; [ rsync openssh ];
script = ''rsync -av -e "ssh -i ${ident}" mirrorsync@159.69.132.234:/var/www/html/ /var/www/binaergewitter'';
services.openssh = {
allowSFTP = true;
sftpFlags = [ "-l VERBOSE" ];
extraConfig = ''
Match User auphonic
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
PasswordAuthentication no
'';
};
users.users.auphonic = {
uid = genid "auphonic";
group = "nginx";
useDefaultShell = true;
openssh.authorizedKeys.keys = [ ident config.krebs.users.makefu.pubkey ];
};
services.nginx = {
enable = lib.mkDefault true;

0
makefu/2configs/deployment/bgt/hidden_service.nix → makefu/2configs/bgt/hidden_service.nix
View file

2
makefu/2configs/binary-cache/lass.nix
View file

@ -3,7 +3,7 @@
{
nix = {
binaryCaches = [
"http://cache.prism.r"
"https://cache.krebsco.de"
];
binaryCachePublicKeys = [
"cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="

2
makefu/2configs/bitlbee.nix
View file

@ -3,6 +3,6 @@
{
services.bitlbee = {
enable = true;
libpurple_plugins = [ pkgs.telegram-purple ];
libpurple_plugins = [ pkgs.telegram-purple pkgs.pidgin-skypeweb];
};
}

0
makefu/2configs/deployment/bureautomation/default.nix → makefu/2configs/bureautomation/default.nix
View file

42
makefu/2configs/deployment/bureautomation/hass.nix → makefu/2configs/bureautomation/hass.nix
View file

@ -112,7 +112,6 @@ in {
"temperature" # "temperature_high" "temperature_low"
"apparent_temperature"
"hourly_summary" # next 24 hours text
"minutely_summary"
"humidity"
"pressure"
"uv_index" ];
@ -212,27 +211,44 @@ in {
to = "on";
};
action = {
service= "homeassistant.turn_on";
entity_id= "switch.fernseher";
service = "homeassistant.turn_on";
entity_id = [ "switch.fernseher" "switch.blitzdings" ];
};
}
{ alias = "Turn off Fernseher 10 minutes after last movement";
trigger = {
trigger = [
{ # trigger when movement was detected at the time
platform = "state";
entity_id = "binary_sensor.motion";
to = "off";
for.minutes = 10;
};
}
{ # trigger at 20:00 no matter what
# to avoid 'everybody left before 18:00:00'
platform = "time";
at = "18:00:00";
}
];
action = {
service= "homeassistant.turn_off";
entity_id= "switch.fernseher";
service = "homeassistant.turn_off";
entity_id = [ "switch.fernseher" "switch.blitzdings" ];
};
condition =
{ condition = "and";
conditions = [
{
condition = "time";
before = "06:30:00"; #only turn off between 6:30 and 18:00
after = "18:00:00";
# weekday = [ "mon" "tue" "wed" "thu" "fri" ];
}
{
condition = "state";
entity_id = "binary_sensor.motion";
state = "off";
}
];
};
condition = [{
condition = "time";
before = "06:30:00"; #only turn off between 6:30 and 18:00
after = "18:00:00";
weekday = [ "mon" "tue" "wed" "thu" "fri" ];
}];
}
];
};

0
makefu/2configs/deployment/bureautomation/mpd.nix → makefu/2configs/bureautomation/mpd.nix
View file

2
makefu/2configs/elchos/search.nix
View file

@ -32,7 +32,7 @@ let
${user}
protocol=dyndns2
usev5=if, if=${primary-itf}
usev6=if, if=${primary-itf}
ssl=yes
server=ipv6.nsupdate.info
login=${user}

2
makefu/2configs/deployment/homeautomation/default.nix → makefu/2configs/homeautomation/default.nix
View file

@ -31,7 +31,7 @@ let
brightness_scale = 100;
# color
rgb_state_topic = "/ham/${topic}/stat/Color";
rgb_command_topic = "/ham/${topic}/cmnd/Color2";
rgb_command_topic = "/ham/${topic}/cmnd/MEM1"; # use enabled tasmota rule
rgb_command_mode = "hex";
rgb_command_template = "{{ '%02x%02x%02x' | format(red, green, blue)}}";
# effects

0
makefu/2configs/deployment/google-muell.nix → makefu/2configs/homeautomation/google-muell.nix
View file

0
makefu/2configs/deployment/homeautomation/mqtt.nix → makefu/2configs/homeautomation/mqtt.nix
View file

2
makefu/2configs/mail/mail.euer.nix
View file

@ -1,7 +1,7 @@
{ config, pkgs, ... }:
{
imports = [
(builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.1.4/nixos-mailserver-v2.1.4.tar.gz")
(builtins.fetchTarball "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.0/nixos-mailserver-v2.2.0.tar.gz")
];
mailserver = {

6
makefu/2configs/minimal.nix
View file

@ -7,8 +7,8 @@
# the only true timezone (even after the the removal of DST)
time.timeZone = "Europe/Berlin";
networking.hostName = config.krebs.build.host.name;
nix.buildCores = config.krebs.build.host.cores;
networking.hostName = lib.mkIf (lib.hasAttr "host" config.krebs.build) config.krebs.build.host.name;
nix.buildCores = 0; # until https://github.com/NixOS/nixpkgs/pull/50440 is in stable
# we use gpg if necessary (or nothing at all)
programs.ssh.startAgent = false;
@ -85,4 +85,6 @@
"net.ipv6.conf.all.use_tempaddr" = 2;
"net.ipv6.conf.default.use_tempaddr" = 2;
};
services.nscd.enable = false;
}

21
makefu/2configs/nginx/gum.krebsco.de.nix Normal file
View file

@ -0,0 +1,21 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>;
let
in {
services.nginx = {
enable = mkDefault true;
virtualHosts."gum.krebsco.de" = {
forceSSL = true;
enableACME = true;
locations."/" = {
# proxyPass = "http://localhost:8000/";
# extraConfig = ''
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# '';
};
};
};
}

4
makefu/2configs/shack/events-publisher/default.nix
View file

@ -2,8 +2,8 @@
with import <stockholm/lib>;
let
shack-announce = pkgs.callPackage (builtins.fetchTarball {
url = "https://github.com/makefu/events-publisher/archive/670f4d7182a41b6763296e301612499d2986f213.tar.gz";
sha256 = "1yf9cb08v4rc6x992yx5lcyn62sm3p8i2b48rsmr4m66xdi4bpnd";
url = "https://github.com/makefu/events-publisher/archive/419afdfe16ebf7f2360d2ba64b67ca88948832bd.tar.gz";
sha256 = "0rn1ykgjbd79zg03maa49kzi6hpzn4xzf4j93qgx5wax7h12qjx0";
}) {} ;
home = "/var/lib/shackannounce";
user = "shackannounce";

6
makefu/2configs/share/omo.nix
View file

@ -30,6 +30,12 @@ in {
browseable = "yes";
"guest ok" = "yes";
};
audiobook = {
path = "/media/crypt1/audiobooks";
"read only" = "yes";
browseable = "yes";
"guest ok" = "yes";
};
crypt0 = {
path = "/media/crypt0";
"read only" = "yes";

7
makefu/2configs/share/wbob.nix
View file

@ -8,6 +8,7 @@
home = "/home/share";
createHome = true;
};
users.groups.mpd.members = [ "makefu" ];
services.samba = {
enable = true;
enableNmbd = true;
@ -24,6 +25,12 @@
browseable = "yes";
"guest ok" = "yes";
};
music-rw = {
path = "/data/music";
"read only" = "no";
browseable = "yes";
"guest ok" = "no";
};
};
extraConfig = ''
guest account = smbguest

60
makefu/2configs/stats/client.nix
View file

@ -1,61 +1,7 @@
{pkgs, config, ...}:
{
services.collectd = {
makefu.netdata = {
enable = true;
autoLoadPlugin = true;
extraConfig = ''
Hostname ${config.krebs.build.host.name}
LoadPlugin load
LoadPlugin disk
LoadPlugin memory
LoadPlugin df
Interval 30.0
LoadPlugin interface
<Plugin "interface">
Interface "*Link"
Interface "lo"
Interface "vboxnet*"
Interface "virbr*"
IgnoreSelected true
</Plugin>
LoadPlugin df
<Plugin "df">
MountPoint "/nix/store"
# MountPoint "/run*"
# MountPoint "/sys*"
# MountPoint "/dev"
# MountPoint "/dev/shm"
# MountPoint "/tmp"
FSType "tmpfs"
FSType "binfmt_misc"
FSType "debugfs"
FSType "tracefs"
FSType "mqueue"
FSType "hugetlbfs"
FSType "systemd-1"
FSType "cgroup"
FSType "securityfs"
FSType "ramfs"
FSType "proc"
FSType "devpts"
FSType "devtmpfs"
MountPoint "/var/lib/docker/devicemapper"
IgnoreSelected true
</Plugin>
LoadPlugin cpu
<Plugin cpu>
ReportByCpu true
ReportByState true
ValuesPercentage true
</Plugin>
LoadPlugin network
<Plugin "network">
Server "${config.makefu.stats-server}" "25826"
</Plugin>
'';
stream.role = "slave";
# stream.destination = "netdata.makefu.r";
};
}

61
makefu/2configs/stats/collectd-client.nix Normal file
View file

@ -0,0 +1,61 @@
{pkgs, config, ...}:
{
services.collectd = {
enable = true;
autoLoadPlugin = true;
extraConfig = ''
Hostname ${config.krebs.build.host.name}
LoadPlugin load
LoadPlugin disk
LoadPlugin memory
LoadPlugin df
Interval 30.0
LoadPlugin interface
<Plugin "interface">
Interface "*Link"
Interface "lo"
Interface "vboxnet*"
Interface "virbr*"
IgnoreSelected true
</Plugin>
LoadPlugin df
<Plugin "df">
MountPoint "/nix/store"
# MountPoint "/run*"
# MountPoint "/sys*"
# MountPoint "/dev"
# MountPoint "/dev/shm"
# MountPoint "/tmp"
FSType "tmpfs"
FSType "binfmt_misc"
FSType "debugfs"
FSType "tracefs"
FSType "mqueue"
FSType "hugetlbfs"
FSType "systemd-1"
FSType "cgroup"
FSType "securityfs"
FSType "ramfs"
FSType "proc"
FSType "devpts"
FSType "devtmpfs"
MountPoint "/var/lib/docker/devicemapper"
IgnoreSelected true
</Plugin>
LoadPlugin cpu
<Plugin cpu>
ReportByCpu true
ReportByState true
ValuesPercentage true
</Plugin>
LoadPlugin network
<Plugin "network">
Server "${config.makefu.stats-server}" "25826"
</Plugin>
'';
};
}

17
makefu/2configs/stats/netdata-server.nix Normal file
View file

@ -0,0 +1,17 @@
{
makefu.netdata = {
enable = true;
stream.role = "master";
};
services.nginx = {
virtualHosts."netdata.euer.krebsco.de" = {
addSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:19999";
};
virtualHosts."netdata.makefu.r" = {
locations."/".proxyPass = "http://localhost:19999";
};
};
}

7
makefu/2configs/stats/server.nix
View file

@ -21,6 +21,13 @@ in {
services.influxdb.extraConfig = {
meta.hostname = config.krebs.build.host.name;
# meta.logging-enabled = true;
logging.level = "info";
http.log-enabled = true;
http.write-tracing = false;
http.suppress-write-log = true;
data.trace-logging-enabled = false;
data.query-log-enabled = false;
http.bind-address = ":${toString influx-port}";
admin.bind-address = ":8083";
monitoring = {

4
makefu/2configs/tinc/retiolum.nix
View file

@ -1,8 +1,10 @@
{ pkgs, ... }:
{ pkgs, config, ... }:
{
imports = [
../binary-cache/lass.nix
];
krebs.tinc.retiolum.enable = true;
environment.systemPackages = [ pkgs.tinc ];
networking.firewall.allowedTCPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
networking.firewall.allowedUDPPorts = [ config.krebs.build.host.nets.retiolum.tinc.port ];
}

1
makefu/3modules/default.nix
View file

@ -5,6 +5,7 @@ _:
./awesome-extra.nix
./deluge.nix
./forward-journal.nix
./netdata.nix
./opentracker.nix
./ps3netsrv.nix
./logging-config.nix

150
makefu/3modules/netdata.nix Normal file
View file

@ -0,0 +1,150 @@
{ config, lib, pkgs, ... }:
# fork of https://github.com/Mic92/dotfiles/blob/master/nixos/vms/modules/netdata.nix
with lib;
let
cfg = config.makefu.netdata;
in
{
options.makefu.netdata = {
enable = mkEnableOption "netdata";
# TODO only apikey from file, set remote host manually
stream.file = mkOption {
type = types.str;
default = toString <secrets/netdata-stream.conf>;
description = "path to stream data file";
};
stream.role = mkOption {
type = types.enum [ "master" "slave" ];
default = "slave";
description = "Wether to stream data";
};
httpcheck.checks = mkOption {
type = types.attrsOf (types.submodule ({
options = {
url = mkOption {
type = types.str;
example = "https://thalheim.io";
description = "Url to check";
};
regex = mkOption {
type = types.nullOr types.str;
default = null;
example = "My homepage";
description = "Regex that is matched against the returned content";
};
statusAccepted = mkOption {
type = types.listOf types.int;
default = [ 200 ];
example = [ 401 ];
description = "Expected http status code";
};
};
}));
default = {};
description = ''
httpcheck plugin: https://github.com/netdata/netdata/blob/master/collectors/python.d.plugin/httpcheck/httpcheck.conf
'';
};
portcheck.checks = mkOption {
type = types.attrsOf (types.submodule ({
options = {
host = mkOption {
type = types.str;
default = "127.0.0.1";
description = "Dns name/IP to check";
};
port = mkOption {
type = types.int;
description = "Tcp port number";
};
};
}));
default = {};
description = ''
portcheck plugin: https://github.com/netdata/netdata/tree/master/collectors/python.d.plugin/portcheck
'';
};
};
config = mkIf cfg.enable {
systemd.services.netdata = {
requires = [ "secret.service" ];
after = [ "secret.service" ];
};
krebs.secret.files.netdata-stream = {
path = "/run/secret/netdata-stream.conf";
owner.name = "netdata";
source-path = cfg.stream.file;
};
environment.etc."netdata/stream.conf".source = "/run/secret/netdata-stream.conf";
services.netdata = {
enable = true;
config = {
global = {
"bind to" = "0.0.0.0:19999 [::]:19999";
"error log" = "stderr";
"update every" = "5";
};
health.enable = if cfg.stream.role == "master" then "yes" else "no";
};
};
services.netdata.python.extraPackages = ps: [
ps.psycopg2 ps.docker ps.dnspython
];
makefu.netdata.portcheck.checks.openssh.port = (lib.head config.services.openssh.ports);
networking.firewall.allowedTCPPorts = [ 19999 ];
environment.etc."netdata/python.d/httpcheck.conf".text = ''
update_every: 30
${lib.concatStringsSep "\n" (mapAttrsToList (site: options:
''
${site}:
url: '${options.url}'
${optionalString (options.regex != null) "regex: '${options.regex}'"}
status_accepted: [ ${lib.concatStringsSep " " (map toString options.statusAccepted) } ]
'') cfg.httpcheck.checks)
}
'';
environment.etc."netdata/python.d/portcheck.conf".text = ''
${lib.concatStringsSep "\n" (mapAttrsToList (service: options:
''
${service}:
host: '${options.host}'
port: ${toString options.port}
'') cfg.portcheck.checks)
}
'';
systemd.services.netdata.restartTriggers = [
config.environment.etc."netdata/python.d/httpcheck.conf".source
config.environment.etc."netdata/python.d/portcheck.conf".source
config.environment.etc."netdata/stream.conf".source
];
environment.etc."netdata/health.d/httpcheck.conf".text = ''
# taken from the original but warn only if a request is at least 300ms slow
template: web_service_slow
families: *
on: httpcheck.responsetime
lookup: average -3m unaligned of time
units: ms
every: 10s
warn: ($this > ($1h_web_service_response_time * 4) && $this > 1000)
crit: ($this > ($1h_web_service_response_time * 6) && $this > 1000)
info: average response time over the last 3 minutes, compared to the average over the last hour
delay: down 5m multiplier 1.5 max 1h
options: no-clear-notification
to: webmaster
'';
};
# TODO: notification
# environment.etc."netdata/health_alarm_notify.conf".source = "/run/keys/netdata-pushover.conf";
}

30
makefu/5pkgs/libopencm3/default.nix
View file

@ -1,30 +0,0 @@
{ lib, stdenv, fetchFromGitHub, gcc-arm-embedded, python }:
stdenv.mkDerivation rec {
name = "libopencm-${version}";
version = "2017-04-01";
src = fetchFromGitHub {
owner = "libopencm3";
repo = "libopencm3";
rev = "383fafc862c0d47f30965f00409d03a328049278";
sha256 = "0ar67icxl39cf7yb5glx3zd5413vcs7zp1jq0gzv1napvmrv3jv9";
};
buildInputs = [ gcc-arm-embedded python ];
buildPhase = ''
sed -i 's#/usr/bin/env python#${python}/bin/python#' ./scripts/irq2nvic_h
make
'';
installPhase = ''
mkdir -p $out
cp -r lib $out/
'';
meta = {
description = "Open Source ARM cortex m microcontroller library";
homepage = https://github.com/libopencm3/libopencm3;
license = stdenv.lib.licenses.gpl2;
platforms = stdenv.lib.platforms.linux;
maintainers = with stdenv.lib.maintainers; [ makefu ];
};
}

15
makefu/krops.nix
View file

@ -7,7 +7,6 @@
host-src = {
secure = false;
full = false;
torrent = false;
hw = false;
musnix = false;
@ -23,7 +22,11 @@
{
# nixos-18.09 @ 2018-09-18
# + uhub/sqlite: 5dd7610401747
nixpkgs = if test then {
# + hovercraft: 7134801b17d72
nixpkgs = if host-src.arm6 then {
# TODO: we want to track the unstable channel
symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/";
} else {
file = {
path = toString (pkgs.fetchFromGitHub {
owner = "makefu";
@ -33,14 +36,6 @@
});
useChecksum = true;
};
} else if host-src.full then {
git.ref = nixpkgs-src.rev;
git.url = nixpkgs-src.url;
} else if host-src.arm6 then {
# TODO: we want to track the unstable channel
symlink = "/nix/var/nix/profiles/per-user/root/channels/nixos/";
} else {
file = "/home/makefu/store/${nixpkgs-src.rev}";
};
nixos-config.symlink = "stockholm/makefu/1systems/${name}/config.nix";

2
makefu/update-channel.sh
View file

@ -6,4 +6,4 @@ nix-shell -p nix-prefetch-git --run 'nix-prefetch-git \
--rev refs/heads/master' \
> $dir/nixpkgs.json
newref=$(cat $dir/nixpkgs.json | jq -r .rev | sed 's/\(.\{7\}\).*/\1/')
echo git commit $dir/nixpkgs.json -m "nixpkgs: $oldref -> $newref"
echo "git commit $dir/nixpkgs.json -m 'ma nixpkgs: $oldref -> $newref'"

2
submodules/krops

@ -1 +1 @@
Subproject commit eb68146cc4848cfc0c0339c72a44a96fdeb4a1de
Subproject commit 61b5ef3b8e7e4d601db67a20f14a5022e9de8398

42
tv/2configs/xserver/default.nix
View file

@ -48,31 +48,35 @@ in {
systemd.services.xmonad = let
xmonad = "${pkgs.haskellPackages.xmonad-tv}/bin/xmonad";
xmonad-prepare = pkgs.writeDash "xmonad-prepare" ''
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CACHE_DIR"
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_CONFIG_DIR"
${pkgs.coreutils}/bin/mkdir -p "$XMONAD_DATA_DIR"
'';
xmonad-ready = pkgs.writeDash "xmonad-ready" ''
{
${pkgs.xorg.xhost}/bin/xhost +SI:localuser:${cfg.user.name}
${pkgs.xorg.xhost}/bin/xhost -LOCAL:
} &
${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
${pkgs.xorg.xrdb}/bin/xrdb ${import ./Xresources.nix args} &
${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
wait
'';
in {
wantedBy = [ "graphical.target" ];
requires = [ "xserver.service" ];
environment = {
DISPLAY = ":${toString config.services.xserver.display}";
FZMENU_FZF_DEFAULT_OPTS = toString [
"--color=dark,border:126,bg+:090"
"--inline-info"
];
XMONAD_CACHE_DIR = cfg.cacheDir;
XMONAD_CONFIG_DIR = cfg.configDir;
XMONAD_DATA_DIR = cfg.dataDir;
XMONAD_STARTUP_HOOK = pkgs.writeDash "xmonad-startup-hook" ''
${pkgs.xorg.xhost}/bin/xhost +LOCAL: &
${pkgs.xorg.xmodmap}/bin/xmodmap ${import ./Xmodmap.nix args} &
${pkgs.xorg.xrdb}/bin/xrdb ${import ./Xresources.nix args} &
${pkgs.xorg.xsetroot}/bin/xsetroot -solid '#1c1c1c' &
wait
'';
# XXX JSON is close enough :)
XMONAD_WORKSPACES0_FILE = pkgs.writeText "xmonad.workspaces0" (toJSON [
XMONAD_STARTUP_HOOK = xmonad-ready;
XMONAD_WORKSPACES0_FILE = pkgs.writeJSON "xmonad-workspaces0.json" [
"Dashboard" # we start here
"23"
"cr"
@ -82,7 +86,7 @@ in {
"mail"
"stockholm"
"za" "zh" "zj" "zs"
]);
];
};
path = [
config.tv.slock.package
@ -93,14 +97,10 @@ in {
"/run/wrappers" # for su
];
serviceConfig = {
SyslogIdentifier = "xmonad";
ExecStartPre = "${pkgs.coreutils}/bin/mkdir -p ${toString [
"\${XMONAD_CACHE_DIR}"
"\${XMONAD_CONFIG_DIR}"
"\${XMONAD_DATA_DIR}"
]}";
ExecStart = "@${xmonad} xmonad-${currentSystem} ";
ExecStartPre = "@${xmonad-prepare} xmonad-prepare";
ExecStart = "@${xmonad} xmonad-${currentSystem}";
ExecStop = "@${xmonad} xmonad-${currentSystem} --shutdown";
SyslogIdentifier = "xmonad";
User = cfg.user.name;
WorkingDirectory = cfg.user.home;
};

13
tv/5pkgs/haskell/xmonad-tv/shell.nix
View file

@ -46,7 +46,7 @@ in
xmonad_restart() {(
set -efu
cd "$WORKDIR"
if systemctl is-active xmonad; then
if systemctl --quiet is-active xmonad; then
sudo systemctl stop xmonad
cp -b "$config_XMONAD_CACHE_DIR"/xmonad.state "$CACHEDIR"/
echo "xmonad.state: $(cat "$CACHEDIR"/xmonad.state)"
@ -59,9 +59,14 @@ in
xmonad_yield() {(
set -efu
"$xmonad" --shutdown
cp -b "$CACHEDIR"/xmonad.state "$config_XMONAD_CACHE_DIR"/
sudo systemctl start xmonad
if ! systemctl --quiet is-active xmonad; then
"$xmonad" --shutdown
cp -b "$CACHEDIR"/xmonad.state "$config_XMONAD_CACHE_DIR"/
sudo systemctl start xmonad
else
echo "xmonad.service is already running" >&2
exit -1
fi
)}
export PATH=${config.systemd.services.xmonad.path}:$PATH