Merge remote-tracking branch 'gum/master'

2017-07-03 00:02:34 +02:00 · 2017-07-03 00:02:34 +02:00 · c30e1fbc74
parent d5aca8696c 5f3bece0d6
commit c30e1fbc74
12 changed files with 163 additions and 70 deletions
--- a/krebs/3modules/makefu/default.nix
+++ b/krebs/3modules/makefu/default.nix
@ -308,7 +308,6 @@ with import <stockholm/lib>;
      extraZones = {
        "krebsco.de" = ''
          wry               IN A      ${nets.internet.ip4.addr}
-          io                IN NS     wry.krebsco.de.
          tinc              IN A      ${nets.internet.ip4.addr}
        '';
      };
@ -470,6 +469,7 @@ with import <stockholm/lib>;
          wiki.euer         IN A      ${nets.internet.ip4.addr}
          graph             IN A      ${nets.internet.ip4.addr}
          ghook             IN A      ${nets.internet.ip4.addr}
+          io                IN NS     gum.krebsco.de.
        '';
      };
      nets = rec {
--- a/krebs/3modules/urlwatch.nix
+++ b/krebs/3modules/urlwatch.nix
@ -60,6 +60,7 @@ let
      description = "URL to watch.";
      example = [
        https://nixos.org/channels/nixos-unstable/git-revision
+        { url = http://localhost ; filter = "grep:important.*stuff"; }
      ];
      apply = map (x: getAttr (typeOf x) {
        set = x;
@ -79,7 +80,8 @@ let
  };

  urlsFile = pkgs.writeText "urls"
-    (concatMapStringsSep "\n---\n" toJSON cfg.urls);
+    (concatMapStringsSep "\n---\n"
+      (x: toJSON (filterAttrs (n: v: n != "_module") x)) cfg.urls);

  hooksFile = cfg.hooksFile;

@ -142,17 +144,6 @@ let
        PrivateTmp = "true";
        SyslogIdentifier = "urlwatch";
        Type = "oneshot";
-        ExecStartPre =
-          pkgs.writeDash "urlwatch-prestart" ''
-            set -euf
-
-            dataDir=$HOME
-
-            if ! test -e "$dataDir"; then
-              mkdir -m 0700 -p "$dataDir"
-              chown ${user.name}: "$dataDir"
-            fi
-          '';
        ExecStart = pkgs.writeDash "urlwatch" ''
          set -euf

@ -185,6 +176,8 @@ let
    };
    users.extraUsers = singleton {
      inherit (user) name uid;
+      home = cfg.dataDir;
+      createHome = true;
    };
  };

--- a/makefu/1systems/gum.nix
+++ b/makefu/1systems/gum.nix
@ -24,7 +24,10 @@ in {
      # ../2configs/disable_v6.nix
      ../2configs/exim-retiolum.nix
      ../2configs/tinc/retiolum.nix
-      ../2configs/urlwatch.nix
+      ../2configs/urlwatch
+
+      # Security
+      ../2configs/sshd-totp.nix

      # Tools
      ../2configs/tools/core.nix
--- a/makefu/1systems/vbob.nix
+++ b/makefu/1systems/vbob.nix
@ -8,6 +8,7 @@
      (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
      (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
      ../2configs/main-laptop.nix #< base-gui
+      ../2configs/sshd-totp.nix

      # Tools
      ../2configs/tools/core.nix
--- a/makefu/1systems/x.nix
+++ b/makefu/1systems/x.nix
@ -19,6 +19,8 @@ with import <stockholm/lib>;
      # ../2configs/disable_v6.nix

      # Testing
+      # ../2configs/lanparty/lancache.nix
+      # ../2configs/lanparty/lancache-dns.nix
      # ../2configs/deployment/dirctator.nix
      # ../2configs/vncserver.nix
      # ../2configs/deployment/led-fader
@ -58,6 +60,9 @@ with import <stockholm/lib>;
      # Filesystem
      ../2configs/fs/sda-crypto-root-home.nix

+      # Security
+      ../2configs/sshd-totp.nix
+
    ];

  makefu.server.primary-itf = "wlp3s0";
--- a/makefu/2configs/lanparty/lancache.nix
+++ b/makefu/2configs/lanparty/lancache.nix
@ -36,38 +36,39 @@ let
  };
 in {
  systemd.services.nginx-lancache = {
-      description = "Nginx lancache Server";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      restartIfChanged = true;
+    description = "Nginx lancache Server";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    restartIfChanged = true;

-      preStart = ''
-        mkdir -p ${cfg.statedir} && cd ${cfg.statedir}
-        PATH_CACHE=$PATH_BASE/cache
-        PATH_LOGS=$PATH_BASE/logs
+    preStart = ''
+      mkdir -p ${cfg.statedir} && cd ${cfg.statedir}
+      PATH_CACHE=$PATH_BASE/cache
+      PATH_LOGS=$PATH_BASE/logs

-        mkdir -p cache/{installers,tmp} logs
-        rm -f conf; ln -s ${lancache} conf
-        chown -R ${cfg.user}:${cfg.group} .
-        '';
-      serviceConfig = {
-        ExecStart = "${cfg.package}/bin/nginx  -p ${cfg.statedir}";
-        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-        Restart = "always";
-        RestartSec = "10s";
-        StartLimitInterval = "1min";
-      };
+      mkdir -p cache/{installers,tmp} logs
+      rm -f conf; ln -s ${lancache} conf
+      chown -R ${cfg.user}:${cfg.group} .
+      '';
+    serviceConfig = {
+      ExecStart = "${cfg.package}/bin/nginx  -p ${cfg.statedir}";
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Restart = "always";
+      RestartSec = "10s";
+      StartLimitInterval = "1min";
    };
-    environment.etc.nginx.source = lancache;
-      users.extraUsers = (singleton
-    { name = cfg.user;
-      group = cfg.group;
-      uid = genid cfg.group;
-    });
+  };

-    users.extraGroups = (singleton
-      { name = "${cfg.group}";
-        gid = genid cfg.group;
-    });
+  environment.etc.nginx.source = lancache;
+    users.extraUsers = (singleton
+  { name = cfg.user;
+    group = cfg.group;
+    uid = genid cfg.group;
+  });

+  users.extraGroups = (singleton
+    { name = "${cfg.group}";
+      gid = genid cfg.group;
+  });
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/makefu/2configs/sshd-totp.nix
+++ b/makefu/2configs/sshd-totp.nix
@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+#  gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+  security.pam.oath = {
+    # enabling it will make it a requisite of `all` services
+    # enable = true;
+    digits = 6;
+    # TODO assert existing
+    usersFile = (toString <secrets>) + "/users.oath";
+  };
+  # I want TFA only active for sshd with password-auth
+  security.pam.services.sshd.oathAuth = true;
+}
--- a/makefu/2configs/tools/dev.nix
+++ b/makefu/2configs/tools/dev.nix
@ -14,5 +14,6 @@
    ovh-zone
    whatsupnix
    brain
+    gen-oath-safe
  ];
 }
--- a/makefu/2configs/urlwatch.nix
+++ b/makefu/2configs/urlwatch.nix
@ -1,27 +0,0 @@
-{ config, lib, ... }:
-
-{
-  krebs.urlwatch = {
-    enable = true;
-    mailto = config.krebs.users.makefu.mail;
-    onCalendar = "*-*-* 05:00:00";
-    urls = [
-      ## nixpkgs maintenance
-      https://api.github.com/repos/ovh/python-ovh/tags
-      https://api.github.com/repos/embray/d2to1/tags
-      https://api.github.com/repos/Mic92/vicious/tags
-      https://pypi.python.org/simple/bepasty/
-      https://pypi.python.org/simple/xstatic/
-      http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
-      http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
-      https://github.com/amadvance/snapraid/releases.atom
-      https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
-      https://api.github.com/repos/embray/d2to1/tags
-      https://api.github.com/repos/dorimanx/exfat-nofuse/commits
-      https://api.github.com/repos/dorimanx/exfat-nofuse/tags
-      https://api.github.com/repos/radare/radare2/tags
-      https://api.github.com/repos/rapid7/metasploit-framework/tags
-    ];
-  };
-}
-
--- a/makefu/2configs/urlwatch/default.nix
+++ b/makefu/2configs/urlwatch/default.nix
@ -0,0 +1,45 @@
+{ config, lib, ... }:
+
+{
+  krebs.urlwatch = {
+    enable = true;
+    mailto = config.krebs.users.makefu.mail;
+    onCalendar = "*-*-* 05:00:00";
+    hooksFile = ./hook.py;
+    urls = [
+      ## nixpkgs maintenance
+      # github 
+      ## No rate limit
+      https://github.com/amadvance/snapraid/releases.atom
+      https://github.com/radare/radare2/releases.atom
+      https://github.com/ovh/python-ovh/releases.atom
+      https://github.com/embray/d2to1/releases.atom
+      https://github.com/Mic92/vicious/releases.atom
+      https://github.com/embray/d2to1/releases.atom
+      https://github.com/dorimanx/exfat-nofuse/releases.atom
+      https://github.com/rapid7/metasploit-framework/releases.atom
+      ## rate limited
+      # https://api.github.com/repos/dorimanx/exfat-nofuse/commits
+      # https://api.github.com/repos/mcepl/gen-oath-safe/commits
+      https://api.github.com/repos/naim94a/udpt/commits
+      https://api.github.com/repos/dirkvdb/ps3netsrv--/commits
+
+      # pypi
+      https://pypi.python.org/simple/bepasty/
+      https://pypi.python.org/simple/xstatic/
+      https://pypi.python.org/simple/devpi-client/
+      # weird shit
+      http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
+      http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
+      https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
+      https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
+
+      {
+        url = https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ;
+        filter = "grep:Software/Linux/dymo-cups-drivers";
+      }
+      # TODO: dymo cups
+    ];
+  };
+}
+
--- a/makefu/2configs/urlwatch/hook.py
+++ b/makefu/2configs/urlwatch/hook.py
@ -0,0 +1,16 @@
+import logging
+logging.basicConfig(level=logging.INFO)
+log = logging.getLogger()
+log.setLevel(level=logging.INFO)
+
+import re
+import json
+
+from urlwatch import filters
+
+
+class JsonFilter(filters.RegexMatchFilter):
+    MATCH = {'url': re.compile('https?://api.github.com/.*')}
+
+    def filter(self, data):
+        return json.dumps(json.loads(data),indent=2,sort_keys=True)
--- a/makefu/5pkgs/gen-oath-safe/default.nix
+++ b/makefu/5pkgs/gen-oath-safe/default.nix
@ -0,0 +1,37 @@
+{ coreutils, makeWrapper, openssl, libcaca, qrencode, fetchFromGitHub, yubikey-manager, python, stdenv, ... }:
+
+stdenv.mkDerivation {
+  name = "geno-oath-safe-2017-06-30";
+  src = fetchFromGitHub {
+    owner = "mcepl";
+    repo = "gen-oath-safe";
+    rev = "fb53841";
+    sha256 = "0018kqmhg0861r5xkbis2a1rx49gyn0dxcyj05wap5ms7zz69m0m";
+  };
+
+  phases = [
+    "unpackPhase"
+    "installPhase"
+    "fixupPhase"
+  ];
+
+  buildInputs = [ makeWrapper ];
+
+  installPhase =
+    let
+      path = stdenv.lib.makeBinPath [
+        coreutils
+        openssl
+        qrencode
+        yubikey-manager
+        libcaca
+        python
+      ];
+    in
+    ''
+      mkdir -p $out/bin
+      cp gen-oath-safe $out/bin/
+      wrapProgram $out/bin/gen-oath-safe \
+        --prefix PATH : ${path}
+    '';
+}