Merge remote-tracking branch 'gum/master'

krebs/3modules/default.nix

@@ -28,6 +28,7 @@ let
       ./on-failure.nix
       ./os-release.nix
       ./per-user.nix
+      ./power-action.nix
       ./Reaktor.nix
       ./realwallpaper.nix
       ./retiolum-bootstrap.nix

krebs/3modules/exim-smarthost.nix

@@ -2,6 +2,7 @@
 
 with config.krebs.lib;
 let
+  indent = replaceChars ["\n"] ["\n  "];
   cfg = config.krebs.exim-smarthost;
 
   out = {
@@ -12,6 +13,11 @@ let
   api = {
     enable = mkEnableOption "krebs.exim-smarthost";
 
+    authenticators = mkOption {
+      type = types.attrsOf types.str;
+      default = {};
+    };
+
     dkim = mkOption {
       type = types.listOf (types.submodule ({ config, ... }: {
         options = {
@@ -80,6 +86,16 @@ let
       default = [];
     };
 
+    ssl_cert = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+    };
+
+    ssl_key = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+    };
+
     system-aliases = mkOption {
       type = types.listOf (types.submodule ({
         options = {
@@ -136,7 +152,9 @@ let
         syslog_timestamp = false
         syslog_duplication = false
 
-        tls_advertise_hosts =
+        ${optionalString (cfg.ssl_cert != null) "tls_certificate = ${cfg.ssl_cert}"}
+        ${optionalString (cfg.ssl_key != null) "tls_privatekey = ${cfg.ssl_key}"}
+        tls_advertise_hosts =${optionalString (cfg.ssl_cert != null) " *"}
 
         begin acl
 
@@ -257,6 +275,10 @@ let
 
         begin rewrite
         begin authenticators
+        ${concatStringsSep "\n" (mapAttrsToList (name: text: ''
+        ${name}:
+          ${indent text}
+        '') cfg.authenticators)}
       '';
     };
   };

krebs/3modules/makefu/default.nix

@@ -49,10 +49,22 @@ with config.krebs.lib;
           '';
         };
         siem = {
-          ip4.addr = "10.8.10.2";
+          ip4.addr   = "10.8.10.2";
+          ip4.prefix = "10.8.10.0/24";
           aliases = [
             "darth.siem"
           ];
+          tinc.pubkey = ''
+            Ed25519PublicKey = 24t9ye4gRLg6UbVxBvuuDlvU/cnByxMjYjym4LO6GkK
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCQKCAQEApcUeTecVahqNIfLEkfgNiaW+eHQ9Y90DxHhy9vdPZh8dmLqoFBoW
+            TCPcZIRpyj7hxRkNIhh34Ewpul0oQ1tzrUGcT2xvMNwaCupRDmhZn9jR9aFFEYKb
+            fUOplCxb4y2UKbWAA6hie3PKH9wnPfbwSsexb2BSQAqSt4iNIVCV6j7LXpiopbGS
+            Exs3/Pz+IeMtGyuMYA3rUmJsVRKR1o7axLtlhYK7JSMbqdYhaQJ4NZrvIXw//w21
+            kM/TJTPZ4j47ME18jQInO62X5h+xVch6DtvwvjBMMMKbS0am9qw1P3qo7MP3PmQh
+            rvVQRth8L63q4NLOnT29XmnxPSVGL1PBQQICEAE=
+            -----END RSA PUBLIC KEY-----
+          '';
         };
       };
     };
@@ -60,9 +72,20 @@ with config.krebs.lib;
       nets = {
         siem = {
           ip4.addr = "10.8.10.6";
+          ip4.prefix = "10.8.10.0/24";
           aliases = [
             "ossim.siem"
           ];
+        tinc.pubkey = ''
+          -----BEGIN RSA PUBLIC KEY-----
+          MIIBCgKCAQEAv5qv9R3E1AHJOhTnHJ2E5zWjItRdXSw/inpz/W+KcBeM/HSG0XEl
+          RyGAwty7VP4CiLp7CagWmtVsz/5ytnXJzLDeRLn5t+KzO6am0aOpvAt6ZggZXPhL
+          cQkn4IGi1TJE5tw+lzabBkUZm3zD1KEXpqJeZ6spA4e9lB/+T3Tx23g9WDEOKand
+          mAJrsdsvTCIiVJefidOAmgeZVVOV3ltBonNP1nqEy+5v4B3EBT/Uj7ImL2aRj/pd
+          dPs6dGV2LqSQvnrSbFZzuKVXKpD1M+wgT/5NQk/hVJJxBQC6rxvpg1XyQkepcLWL
+          WjvogOl4NjXStmKDX2+gPPFx6XTmwDenOwIDAQAB
+          -----END RSA PUBLIC KEY-----
+        '';
         };
       };
     };
@@ -103,15 +126,15 @@ with config.krebs.lib;
         };
       };
     };
-    pornocauster = {
+    x = {
       cores = 2;
       nets = {
         retiolum = {
           ip4.addr = "10.243.0.91";
           ip6.addr = "42:0b2c:d90e:e717:03dc:9ac1:7c30:a4db";
           aliases = [
-            "pornocauster.retiolum"
+            "x.retiolum"
-            "pornocauster.r"
+            "x.r"
           ];
           tinc.pubkey = ''
             -----BEGIN RSA PUBLIC KEY-----
@@ -126,13 +149,25 @@ with config.krebs.lib;
         };
         siem = {
           ip4.addr = "10.8.10.4";
+          ip4.prefix = "10.8.10.0/24";
           aliases = [
-            "arch.siem"
+            "makefu.siem"
           ];
+          tinc.pubkey = ''
+            Ed25519PublicKey = rFTglGxm563e/w82Q9Qqy/E+V/ipT4DOTyTuYrWrtmI
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCQKCAQEAx+OQXQj6rlXIByo48JZXSexRz5G5oJVZTHAJ0GF5f70U65C0x83p
+            XtNp4LGYti+cyyzmQjf/N7jr2CxUlOATN2nRO4CT+JaMM2MoqnPWqTZBPMDiHq2y
+            ce0zjLPPl0hVc5mg+6F0tgolbUvTIo2CgAIl5lNvJiVfmXRSehmMprf1NPkxJd/O
+            vAOD7mgnCjkEAWElf1cfxSGZqSLbNltRK340nE5x6A5tY7iEueP/r9chEmOnVjKm
+            t+GJAJIe1PClWJHJYAXF8I7R3g+XQIqgw+VTN3Ng5cS5W/mbTFIzLWMZpdZaAhWR
+            56pthtZAE5FZ+4vxMpDQ4yeDu0b6gajWNQICEAE=
+            -----END RSA PUBLIC KEY-----
+          '';
         };
       };
       ssh.privkey.path = <secrets/ssh_host_ed25519_key>;
-      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@pornocauster";
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHDM0E608d/6rGzXqGbNSuMb2RlCojCJSiiz6QcPOC2G root@x";
 
     };
 
@@ -167,6 +202,7 @@ with config.krebs.lib;
       extraZones = {
         "krebsco.de" = ''
           euer              IN MX 1   aspmx.l.google.com.
+          nixos.unstable    IN CNAME  krebscode.github.io.
           pigstarter        IN A      ${nets.internet.ip4.addr}
           gold              IN A      ${nets.internet.ip4.addr}
           boot              IN A      ${nets.internet.ip4.addr}
@@ -324,7 +360,21 @@ with config.krebs.lib;
       nets = {
         siem = {
           ip4.addr = "10.8.10.7";
+          ip4.prefix = "10.8.10.0/24";
           aliases = [ "display.siem" ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEA+/TpxsVIBL9J9QAe/+jB6sgu/O6J+KY4YrAzZ6dM4kbFv5JA64f5
+            6znv8EFqn6loS9Aez3e08P5scyGjiwWytdKN5Yztlffc0xDD7MUU2RiCsQF1X74J
+            +1i8NhSq3PJ6UeUURxYYnAYzBlFvsxev4vpniFTsIR9tmcAYX9NT9420D6nV7xq7
+            FdkoBlYj4eUQqQzHH1T/Lmt+BGmf+BufIJas+Oo/Sg59vIk9OM08WyAjHVT2iNbg
+            LXDhzVaeGOOM3GOa0YGG0giM3Rd245YPaPiVbwrMy8HQRBpMzXOPjcC1nYZSjxrW
+            LQxtRS+dmfEMG7MJ8T2T2bseX6z6mONc1QIDAQAB
+            -----END RSA PUBLIC KEY-----
+            -----BEGIN ED25519 PUBLIC KEY-----
+            3JGeGnADWR+hfb4TEoHDyopEYgkfGNJKwy71bqcsNrO
+            -----END ED25519 PUBLIC KEY-----
+          '';
         };
         retiolum = {
           ip4.addr = "10.243.214.15";
@@ -391,13 +441,26 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
     };
     shoney = rec {
       cores = 1;
-      nets = {
+      nets = rec {
         siem = {
+          via = internet;
           ip4.addr = "10.8.10.1";
+          ip4.prefix = "10.8.10.0/24";
           aliases = [
-            "sjump.siem"
+            "shoney.siem"
             "graphs.siem"
           ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEA0OK28PHsMGMxAqVRiRGv93zzEWJgV3hMFquWrpbYC3OZwHDYcNHu
+            74skwRRwwnbcq0ZtWroEvUTmZczuPt2FewdtuEutT7uZJnAYnzSOrB9lmmdoXKQU
+            l4ho1LEf/J0sMBi7RU/OJosuruQTAl53ca5KQbRCXkcPlmq4KzUpvgPINpEpYQjB
+            CGC3ErOvw2jXESbDnWomYZgJl3uilJUEYlyQEwyWVG+fO8uxlz9qKLXMlkoJTbs4
+            fTIcxh7y6ZA7QfMN3Ruq1R66smfXQ4xu1hybvqL66RLiDQgH3BRyKIgobS1UxI4z
+            L+xhIsiMXQIo2hv8aOUnf/7Ac9DXNR83GwIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+          tinc.port = 1655;
         };
         internet = {
           ip4.addr = "64.137.234.215";
@@ -729,8 +792,8 @@ TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB
   };
   users = rec {
     makefu = {
-      mail = "makefu@pornocauster.retiolum";
+      mail = "makefu@x.retiolum";
-      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@pornocauster";
+      pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl3RTOHd5DLiVeUbUr/GSiKoRWknXQnbkIf+uNiFO+XxiqZVojPlumQUVhasY8UzDzj9tSDruUKXpjut50FhIO5UFAgsBeMJyoZbgY/+R+QKU00Q19+IiUtxeFol/9dCO+F4o937MC0OpAC10LbOXN/9SYIXueYk3pJxIycXwUqhYmyEqtDdVh9Rx32LBVqlBoXRHpNGPLiswV2qNe0b5p919IGcslzf1XoUzfE3a3yjk/XbWh/59xnl4V7Oe7+iQheFxOT6rFA30WYwEygs5As//ZYtxvnn0gA02gOnXJsNjOW9irlxOUeP7IOU6Ye3WRKFRR0+7PS+w8IJLag2xb makefu@x";
       pgp.pubkeys.default = builtins.readFile ./default.pgp;
       pgp.pubkeys.brain = builtins.readFile ./brain.pgp;
     };

krebs/3modules/nginx.nix

@@ -71,6 +71,14 @@ let
                   type = bool;
                   default = true;
                 };
+                force_encryption = mkOption {
+                  type = bool;
+                  default = false;
+                  description = ''
+                    redirect all `http` traffic to the same domain but with ssl
+                    protocol.
+                  '';
+                };
                 protocols = mkOption {
                   type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]);
                   default = [ "TLSv1.1" "TLSv1.2" ];
@@ -120,6 +128,11 @@ let
       server_name ${toString (unique server-names)};
       ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen}
       ${optionalString ssl.enable (indent ''
+        ${optionalString ssl.force_encryption ''
+          if ($scheme = http){
+            return 301 https://$server_name$request_uri;
+          }
+        ''}
         listen 443 ssl;
         ssl_certificate ${ssl.certificate};
         ssl_certificate_key ${ssl.certificate_key};

krebs/3modules/power-action.nix

@@ -3,10 +3,10 @@
 with config.krebs.lib;
 
 let
-  cfg = config.lass.power-action;
+  cfg = config.krebs.power-action;
 
   out = {
-    options.lass.power-action = api;
+    options.krebs.power-action = api;
     config = lib.mkIf cfg.enable imp;
   };
 
@@ -17,10 +17,8 @@ let
       default = "BAT0";
     };
     user = mkOption {
-      type = types.user;
+      type = types.string;
-      default = {
+      default = "power-action";
-        name = "power-action";
-      };
     };
     startAt = mkOption {
       type = types.str;
@@ -35,7 +33,7 @@ let
             description = ''
               check for charging status.
               null = don't care
-              true = only if system is charging
+              true = only if system is charging or unknown
               false = only if system is discharging
             '';
           };
@@ -57,13 +55,10 @@ let
     systemd.services.power-action = {
       serviceConfig = rec {
         ExecStart = startScript;
-        User = cfg.user.name;
+        User = cfg.user;
       };
       startAt = cfg.startAt;
     };
-    users.users.${cfg.user.name} = {
-      inherit (cfg.user) name uid;
-    };
   };
 
   startScript = pkgs.writeDash "power-action" ''

krebs/3modules/retiolum.nix

@@ -12,9 +12,11 @@ let
       define a tinc network
     '';
     type = with types; attrsOf (submodule (tinc: {
-      options = {
+      options = let
+        netname = tinc.config._module.args.name;
+      in {
 
-        enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; };
+        enable = mkEnableOption "krebs.tinc.${netname}" // { default = true; };
 
         host = mkOption {
           type = types.host;
@@ -23,7 +25,7 @@ let
 
         netname = mkOption {
           type = types.enum (attrNames tinc.config.host.nets);
-          default = tinc.config._module.args.name;
+          default = netname;
           description = ''
             The tinc network name.
             It is used to name the TUN device and to generate the default value for
@@ -38,6 +40,27 @@ let
             Extra Configuration to be appended to tinc.conf
           '';
         };
+        tincUp = mkOption {
+          type = types.string;
+          default = let
+            net = tinc.config.host.nets.${netname};
+            iproute = tinc.config.iproutePackage;
+          in ''
+            ${optionalString (net.ip4 != null) /* sh */ ''
+              ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
+              ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
+            ''}
+            ${optionalString (net.ip6 != null) /* sh */ ''
+              ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
+              ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
+            ''}
+          '';
+          description = ''
+            tinc-up script to be used. Defaults to setting the
+            krebs.host.nets.<netname>.ip4 and ip6 for the new ips and
+            configures forwarding of the respecitive netmask as subnet.
+          '';
+        };
 
         tincPackage = mkOption {
           type = types.package;
@@ -109,8 +132,8 @@ let
             routeable IPv4 or IPv6 address.
 
             In stockholm this can be done by configuring:
-              krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.addrs4 =
+              krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.ip4.addr = external-ip
-                [ "${external-ip} ${external-port}" ]
+              krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.tinc.port = 1655;
           '';
         };
 
@@ -131,6 +154,7 @@ let
 
     krebs.secret.files = mapAttrs' (netname: cfg:
       nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc;
+
     users.users = mapAttrs' (netname: cfg:
       nameValuePair "${netname}" {
         inherit (cfg.user) home name uid;
@@ -140,7 +164,6 @@ let
 
     systemd.services = mapAttrs (netname: cfg:
       let
-        net = cfg.host.nets.${netname};
         tinc = cfg.tincPackage;
         iproute = cfg.iproutePackage;
 
@@ -153,18 +176,12 @@ let
               Interface = ${netname}
               ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
               PrivateKeyFile = ${cfg.privkey.path}
+              Port = ${toString cfg.host.nets.${cfg.netname}.tinc.port}
               ${cfg.extraConfig}
             '';
             "tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
               ${iproute}/sbin/ip link set ${netname} up
-              ${optionalString (net.ip4 != null) /* sh */ ''
+              ${cfg.tincUp}
-                ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
-                ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
-              ''}
-              ${optionalString (net.ip6 != null) /* sh */ ''
-                ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
-                ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
-              ''}
             '';
           }
         );

krebs/4lib/default.nix

@@ -33,6 +33,7 @@ let out = import <stockholm/lib> // rec {
   dir.has-default-nix = path: pathExists (path + "/default.nix");
 
   genid = import ./genid.nix { lib = lib // out; };
+  genid_signed = x: ((genid x) + 16777216) / 2;
   git = import ./git.nix { lib = lib // out; };
   tree = import ./tree.nix { inherit lib; };
 

krebs/4lib/types.nix

@@ -130,16 +130,28 @@ types // rec {
               type = str;
               default = concatStringsSep "\n" (
                 (optionals (net.via != null)
-                  (map (a: "Address = ${a}") net.via.addrs))
+                  (map (a: "Address = ${a} ${toString config.port}") net.via.addrs))
                 ++
                 (map (a: "Subnet = ${a}") net.addrs)
                 ++
+                [config.extraConfig]
+                ++
                 [config.pubkey]
               );
             };
             pubkey = mkOption {
               type = tinc-pubkey;
             };
+            extraConfig = mkOption {
+              description = "Extra Configuration to be appended to the hosts file";
+              default = "";
+              type = string;
+            };
+            port = mkOption {
+              type = int;
+              description = "tinc port to use to connect to host";
+              default = 655;
+            };
           };
         }));
         default = null;

krebs/5pkgs/exim/default.nix

@@ -1,4 +1,4 @@
-{ coreutils, fetchurl, db, openssl, pcre, perl, pkgconfig, stdenv }:
+{ coreutils, fetchurl, db, openssl, pam, pcre, perl, pkgconfig, stdenv }:
 
 stdenv.mkDerivation rec {
   name = "exim-4.87";
@@ -8,7 +8,7 @@ stdenv.mkDerivation rec {
     sha256 = "1jbxn13shq90kpn0s73qpjnx5xm8jrpwhcwwgqw5s6sdzw6iwsbl";
   };
 
-  buildInputs = [ coreutils db openssl pcre perl pkgconfig ];
+  buildInputs = [ coreutils db openssl pam pcre perl pkgconfig ];
 
   preBuild = ''
     sed '
@@ -24,6 +24,7 @@ stdenv.mkDerivation rec {
       s:^# \(SUPPORT_TLS\)=.*:\1=yes:
       s:^# \(USE_OPENSSL_PC=openssl\)$:\1:
       s:^# \(LOG_FILE_PATH=syslog\)$:\1:
+      s:^# \(SUPPORT_PAM\)=.*:\1=yes\nEXTRALIBS=-lpam:
       s:^# \(HAVE_IPV6=yes\)$:\1:
       s:^# \(CHOWN_COMMAND\)=.*:\1=${coreutils}/bin/chown:
       s:^# \(CHGRP_COMMAND\)=.*:\1=${coreutils}/bin/chgrp:

lass/1systems/helios.nix

@@ -58,7 +58,7 @@ with config.krebs.lib;
     #  };
     #}
     {
-      lass.power-action.battery = "BAT1";
+      krebs.power-action.battery = "BAT1";
     }
   ];
 

lass/2configs/buildbot-standalone.nix

@@ -3,8 +3,13 @@
 with config.krebs.lib;
 
 let
+  sshHostConfig = pkgs.writeText "ssh-config" ''
+    ControlMaster auto
+    ControlPath /tmp/%u_sshmux_%r@%h:%p
+    ControlPersist 4h
+  '';
   sshWrapper = pkgs.writeDash "ssh-wrapper" ''
-    ${pkgs.openssh}/bin/ssh -i ${shell.escape config.lass.build-ssh-privkey.path} "$@"
+    ${pkgs.openssh}/bin/ssh -F ${sshHostConfig} -i ${shell.escape config.lass.build-ssh-privkey.path} "$@"
   '';
 
 in {
@@ -90,7 +95,7 @@ in {
                             method=build \
                             system={}".format(i)])
 
-        for i in [ "pornocauster", "wry", "vbob", "wbob", "shoney" ]:
+        for i in [ "x", "wry", "vbob", "wbob", "shoney" ]:
           addShell(f,name="build-{}".format(i),env=env_makefu,
                   command=nixshell + \
                       ["make \

lass/2configs/git.nix

@@ -80,7 +80,7 @@ let
         perm = push "refs/*" [ non-fast-forward create delete merge ];
       } ++
       optional repo.public {
-        user = [ tv makefu ];
+        user = attrValues config.krebs.users;
         repo = [ repo ];
         perm = fetch;
       } ++

lass/2configs/power-action.nix

@@ -11,7 +11,7 @@ let
     '';
 
 in {
-  lass.power-action = {
+  krebs.power-action = {
     enable = true;
     plans.low-battery = {
       upperLimit = 30;
@@ -29,6 +29,7 @@ in {
         /var/setuid-wrappers/sudo ${suspend}
       '';
     };
+    user = "lass";
   };
 
   users.users.power-action.extraGroups = [
@@ -36,6 +37,6 @@ in {
   ];
 
   security.sudo.extraConfig = ''
-    ${config.lass.power-action.user.name} ALL= (root) NOPASSWD: ${suspend}
+    ${config.krebs.power-action.user} ALL= (root) NOPASSWD: ${suspend}
   '';
 }

lass/3modules/default.nix

@@ -4,7 +4,6 @@ _:
     ./ejabberd
     ./folderPerms.nix
     ./mysql-backup.nix
-    ./power-action.nix
     ./umts.nix
     ./urxvtd.nix
     ./wordpress_nginx.nix

makefu/1systems/filepimp.nix

@@ -3,6 +3,7 @@ let
   byid = dev: "/dev/disk/by-id/" + dev;
   part1 = disk: disk + "-part1";
   rootDisk = byid "ata-SanDisk_SDSSDP064G_140237402890";
+  primary-interface = "enp2s0"; # c8:cb:b8:cf:e4:dc
   # N54L Chassis:
   # ____________________
   # |______FRONT_______|
@@ -75,4 +76,11 @@ in {
     (xfsmount "j2" (part1 jDisk2))   //
     (xfsmount "par0" (part1 jDisk3))
     ;
+  services.wakeonlan.interfaces = [
+    {
+      interface = primary-interface;
+      method = "password";
+      password = "CA:FE:BA:BE:13:37";
+    }
+  ];
 }

makefu/1systems/omo.nix

@@ -4,6 +4,7 @@
 
 { config, pkgs, lib, ... }:
 let
+  toMapper = id: "/media/crypt${builtins.toString id}";
   byid = dev: "/dev/disk/by-id/" + dev;
   keyFile = byid "usb-Verbatim_STORE_N_GO_070B3CEE0B223954-0:0";
   rootDisk = byid "ata-SanDisk_SD8SNAT128G1122_162099420904";
@@ -33,7 +34,8 @@ let
   # all physical disks
 
   # TODO callPackage ../3modules/MonitorDisks { disks = allDisks }
-  allDisks = [ rootDisk cryptDisk0 cryptDisk1 cryptDisk2 ];
+  dataDisks = [ cryptDisk0 cryptDisk1 cryptDisk2 ];
+  allDisks = [ rootDisk ] ++ dataDisks;
 in {
   imports =
     [
@@ -72,26 +74,41 @@ in {
   systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
 
   virtualisation.docker.enable = true;
-
+  makefu.ps3netsrv = {
-
+    enable = true;
+    servedir = "/media/cryptX/emu/ps3";
+  };
   # HDD Array stuff
-  environment.systemPackages = [ pkgs.mergerfs ];
   services.smartd.devices = builtins.map (x: { device = x; }) allDisks;
 
-  makefu.snapraid = let
+  makefu.snapraid = {
-    toMapper = id: "/media/crypt${builtins.toString id}";
-  in {
     enable = true;
     disks = map toMapper [ 0 1 ];
     parity = toMapper 2;
   };
 
+  # TODO create folders in /media
+  system.activationScripts.createCryptFolders = ''
+    ${lib.concatMapStringsSep "\n"
+      (d: "install -m 755 -d " + (toMapper d) )
+      [ 0 1 2 "X" ]}
+  '';
+  environment.systemPackages = with pkgs;[ 
+    mergerfs # hard requirement for mount
+    wol # wake up filepimp
+  ];
   fileSystems = let
     cryptMount = name:
       { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };};
   in   cryptMount "crypt0"
     // cryptMount "crypt1"
-    // cryptMount "crypt2";
+    // cryptMount "crypt2"
+    // { "/media/cryptX" = {
+            device = (lib.concatMapStringsSep ":" (d: (toMapper d)) [ 0 1 2 ]);
+            fsType = "mergerfs";
+            options = [ "defaults" "allow_other" ];
+          };
+       };
 
   powerManagement.powerUpCommands = lib.concatStrings (map (disk: ''
       ${pkgs.hdparm}/sbin/hdparm -S 100 ${disk}

makefu/1systems/wbob.nix

@@ -66,7 +66,7 @@ in {
     client = {
       enable = true;
       screenName = "wbob";
-      serverAddress = "pornocauster.r";
+      serverAddress = "x.r";
     };
   };
 }

makefu/1systems/x.nix

@@ -43,16 +43,8 @@
       ../2configs/temp/share-samba.nix
       # ../2configs/temp/elkstack.nix
       # ../2configs/temp/sabnzbd.nix
+      ../2configs/tinc/siem.nix
     ];
-
-  services.tinc.networks.siem = {
-    name = "makefu";
-    extraConfig = ''
-      ConnectTo = sdarth
-      ConnectTo = sjump
-    '';
-  };
-
   krebs.nginx = {
     default404 = false;
     servers.default.listen = [ "80 default_server" ];
@@ -65,10 +57,10 @@
 
   # configure pulseAudio to provide a HDMI sink as well
   networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 80 24800 ];
+  networking.firewall.allowedTCPPorts = [ 80 24800 26061 ];
-  networking.firewall.allowedUDPPorts = [ 665 ];
+  networking.firewall.allowedUDPPorts = [ 665 26061 ];
 
-  krebs.build.host = config.krebs.hosts.pornocauster;
+  krebs.build.host = config.krebs.hosts.x;
   krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
 
   krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ];

makefu/2configs/base-gui.nix

@@ -55,7 +55,7 @@ in
 
   hardware.pulseaudio = {
      enable = true;
-   #  systemWide = true;
+     systemWide = true;
   };
   services.xserver.displayManager.sessionCommands = let
     xdefaultsfile = pkgs.writeText "Xdefaults"  ''
@@ -87,5 +87,8 @@ in
       URxvt.url-select.underline: true
       URxvt.searchable-scrollback: CM-s
     '';
-    in "cat ${xdefaultsfile} | xrdb -merge";
+    in ''
+      cat ${xdefaultsfile} | xrdb -merge
+      ${pkgs.xorg.xhost}/bin/xhost +local:
+    '';
 }

makefu/2configs/bepasty-dual.nix

@@ -45,6 +45,7 @@ in {
             #certificate =   "${sec}/wildcard.krebsco.de.crt";
             #certificate_key = "${sec}/wildcard.krebsco.de.key";
             ciphers = "RC4:HIGH:!aNULL:!MD5" ;
+            force_encryption = true;
           };
           locations = singleton ( nameValuePair  "/.well-known/acme-challenge" ''
             root ${acmechall}/${ext-dom}/;
@@ -54,10 +55,7 @@ in {
           ssl_session_timeout  10m;
           ssl_verify_client off;
           proxy_ssl_session_reuse off;
-
+          '';
-          if ($scheme = http){
-            return 301 https://$server_name$request_uri;
-          }'';
         };
         defaultPermissions = "read";
         secretKey = secKey;

makefu/2configs/fetchWallpaper.nix

@@ -3,7 +3,7 @@
 {
   krebs.fetchWallpaper = {
     enable = true;
-    display = ":0";
+    display = ":0.0";
     unitConfig.ConditionPathExists = "!/var/run/ppp0.pid";
     timerConfig = {
       OnCalendar = "*:0/30";

makefu/2configs/hw/tp-x2x0.nix

@@ -12,6 +12,12 @@ with config.krebs.lib;
   zramSwap.enable = true;
   zramSwap.numDevices = 2;
 
+  # enable synaptics so we can easily disable the touchpad
+  #   enable the touchpad with `synclient TouchpadOff=0`
+  services.xserver.synaptics = {
+    enable = true;
+    additionalOptions = ''Option "TouchpadOff" "1"'';
+  };
   hardware.trackpoint = {
     enable = true;
     sensitivity = 220;
@@ -19,7 +25,6 @@ with config.krebs.lib;
     emulateWheel = true;
   };
 
-
   services.tlp.enable = true;
   services.tlp.extraConfig = ''
     # BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery

makefu/2configs/main-laptop.nix

@@ -6,7 +6,10 @@
 # TODO split generic desktop stuff and laptop-specifics like lidswitching
 
 with config.krebs.lib;
-{
+let
+  window-manager = "awesome";
+  user = config.krebs.build.user.name;
+in {
   imports = [
     ./base-gui.nix
     ./fetchWallpaper.nix
@@ -16,6 +19,52 @@ with config.krebs.lib;
 
   users.users.${config.krebs.build.user.name}.extraGroups = [ "dialout" ];
 
+  krebs.power-action = let
+    #speak = "XDG_RUNTIME_DIR=/run/user/$(id -u) ${pkgs.espeak}/bin/espeak"; # when run as user
+    speak = "${pkgs.espeak}/bin/espeak"; # systemwide pulse
+    whisper = text: ''${speak} -v +whisper -s 110 "${text}"'';
+
+    note = pkgs.writeDash "note-as-user" ''
+      eval "export $(egrep -z DBUS_SESSION_BUS_ADDRESS /proc/$(${pkgs.procps}/bin/pgrep -u ${user} ${window-manager})/environ)"
+      ${pkgs.libnotify}/bin/notify-send "$@";
+    '';
+  in {
+    enable = true;
+    inherit user;
+    plans.low-battery = {
+      upperLimit = 25;
+      lowerLimit = 15;
+      charging = false;
+      action = pkgs.writeDash "low-speak" ''
+        ${whisper "power level low, please plug me in"}
+      '';
+    };
+    plans.nag-harder = {
+      upperLimit = 15;
+      lowerLimit = 5;
+      charging = false;
+      action = pkgs.writeDash "crit-speak" ''
+        ${note} Battery -u critical -t 60000 "Power level critical, do something!"
+        ${whisper "Power level critical, do something"}
+      '';
+    };
+    plans.last-chance = {
+      upperLimit = 5;
+      lowerLimit = 3;
+      charging = false;
+      action = pkgs.writeDash "suspend-wrapper" ''
+        ${note} Battery -u crit "You've had your chance, suspend in 5 seconds"
+        ${concatMapStringsSep "\n" (i: ''
+            ${note} -u critical -t 1000 ${toString i}
+            ${speak} ${toString i} &
+            sleep 1
+          '')
+          [ 5 4 3 2 1 ]}
+        /var/setuid-wrappers/sudo ${pkgs.systemd}/bin/systemctl suspend
+      '';
+    };
+  };
+  security.sudo.extraConfig = "${config.krebs.power-action.user} ALL= (root) NOPASSWD: ${pkgs.systemd}/bin/systemctl suspend";
 
   services.redshift = {
     enable = true;

makefu/2configs/nginx/euer.wiki.nix

@@ -3,8 +3,15 @@
 with config.krebs.lib;
 let
   sec = toString <secrets>;
-  ssl_cert = "${sec}/wildcard.krebsco.de.crt";
+  ext-dom = "wiki.euer.krebsco.de";
-  ssl_key  = "${sec}/wildcard.krebsco.de.key";
+  acmepath = "/var/lib/acme/";
+  acmechall = acmepath + "/challenges/";
+
+  #ssl_cert = "${sec}/wildcard.krebsco.de.crt";
+  #ssl_key  = "${sec}/wildcard.krebsco.de.key";
+  ssl_cert = "${acmepath}/${ext-dom}/fullchain.pem";
+  ssl_key = "${acmepath}/${ext-dom}/key.pem";
+
   user = config.services.nginx.user;
   group = config.services.nginx.group;
   fpm-socket = "/var/run/php5-fpm.sock";
@@ -80,22 +87,23 @@ in {
         listen = [ "${external-ip}:80" "${external-ip}:443 ssl"
                    "${internal-ip}:80" "${internal-ip}:443 ssl" ];
         server-names = [
-          "wiki.euer.krebsco.de"
+          ext-dom
           "wiki.makefu.retiolum"
           "wiki.makefu"
         ];
+        ssl = {
+          enable = true;
+          # these certs will be needed if acme has not yet created certificates:
+          certificate =   ssl_cert;
+          certificate_key = ssl_key;
+          force_encryption = true;
+        };
         extraConfig = ''
           gzip on;
           gzip_buffers 4 32k;
           gzip_types  text/plain application/x-javascript text/css;
-          ssl_certificate ${ssl_cert};
-          ssl_certificate_key ${ssl_key};
           default_type text/plain;
 
-          if ($scheme = http){
-            return 301 https://$server_name$request_uri;
-          }
-
         '';
         locations = [
           (nameValuePair "/" ''
@@ -111,8 +119,20 @@ in {
             include ${pkgs.nginx}/conf/fastcgi_params;
             include ${pkgs.nginx}/conf/fastcgi.conf;
           '')
+          (nameValuePair  "/.well-known/acme-challenge" ''
+            root ${acmechall}/${ext-dom}/;
+          '')
+
         ];
       };
     };
   };
+  security.acme.certs."${ext-dom}" = {
+    email = "acme@syntax-fehler.de";
+    webroot = "${acmechall}/${ext-dom}/";
+    group = "nginx";
+    allowKeysForGroup = true;
+    postRun = "systemctl reload nginx.service";
+    extraDomains."${ext-dom}" = null ;
+  };
 }

makefu/2configs/tinc/siem.nix

@@ -0,0 +1,12 @@
+{lib, config, ... }:
+{
+  # TODO do not know why we need to force it, port is only set via default to 655
+  krebs.build.host.nets.siem.tinc.port = lib.mkForce 1655;
+  krebs.dns.providers.siem = "hosts";
+  networking.firewall.allowedUDPPorts = [ 1665 ];
+  networking.firewall.allowedTCPPorts = [ 1655 ];
+  krebs.tinc.siem = {
+    enable = true;
+    connectTo = [ "shoney" ];
+  };
+}

makefu/2configs/zsh-user.nix

@@ -22,7 +22,7 @@ in
       bindkey "\e[3~" delete-char
       zstyle ':completion:*' menu select
 
-      gpg-connect-agent updatestartuptty /bye >/dev/null
+      ${pkgs.gnupg}/bin/gpg-connect-agent updatestartuptty /bye >/dev/null
       GPG_TTY=$(tty)
       export GPG_TTY
       unset SSH_AGENT_PID

makefu/3modules/default.nix

@@ -2,11 +2,12 @@ _:
 
 {
   imports = [
-    ./snapraid.nix
-    ./umts.nix
-    ./taskserver.nix
     ./awesome-extra.nix
     ./forward-journal.nix
+    ./ps3netsrv.nix
+    ./snapraid.nix
+    ./taskserver.nix
+    ./umts.nix
   ];
 }
 

makefu/3modules/ps3netsrv.nix

@@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+let
+  cfg = config.makefu.ps3netsrv;
+
+  out = {
+    options.makefu.ps3netsrv = api;
+    config = lib.mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "ps3netsrv";
+
+    servedir = mkOption {
+      description = "path to serve, must be set";
+      type = types.str;
+    };
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.ps3netsrv;
+    };
+
+    user = mkOption {
+      description = ''user which will run ps3netsrv'';
+      type = types.str;
+      default = "ps3netsrv";
+    };
+  };
+
+  imp = {
+    systemd.services.ps3netsrv = {
+      description = "ps3netsrv server";
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
+      restartIfChanged = true;
+      unitConfig = {
+        Documentation = "https://www.arm-blog.com/playing-ps3-games-from-your-nas/" ;
+        ConditionPathExists = cfg.servedir;
+      };
+      serviceConfig = {
+        Type = "simple";
+        ExecStart = "${cfg.package}/bin/ps3netsrv++ ${shell.escape cfg.servedir}";
+        PrivateTmp = true;
+        User = "${cfg.user}";
+      };
+    };
+
+    # TODO only create if user is ps3netsrv
+    users.users.ps3netsrv = {
+      uid = genid "ps3netsrv";
+    };
+    users.groups.ps3netsrv.gid = genid "ps3netsrv";
+  };
+in
+out
+

makefu/5pkgs/default.nix

@@ -5,20 +5,22 @@ let
 in
 {
   nixpkgs.config.packageOverrides = rec {
-    alsa-hdspmixer = callPackage ./alsa-tools { alsaToolTarget="hdspmixer";};
     alsa-hdspconf = callPackage ./alsa-tools { alsaToolTarget="hdspconf";};
+    alsa-hdspmixer = callPackage ./alsa-tools { alsaToolTarget="hdspmixer";};
     alsa-hdsploader = callPackage ./alsa-tools { alsaToolTarget="hdsploader";};
     awesomecfg = callPackage ./awesomecfg {};
     bintray-upload = callPackage ./bintray-upload {};
+    inherit (callPackage ./devpi {}) devpi-web devpi-server;
+    f3 = callPackage ./f3 {};
+    farpd = callPackage ./farpd {};
     git-xlsx-textconv = callPackage ./git-xlsx-textconv {};
     mergerfs = callPackage ./mergerfs {};
     mycube-flask = callPackage ./mycube-flask {};
     nodemcu-uploader = callPackage ./nodemcu-uploader {};
+    ps3netsrv = callPackage ./ps3netsrv {};
     tw-upload-plugin = callPackage ./tw-upload-plugin {};
-    inherit (callPackage ./devpi {}) devpi-web devpi-server;
     skytraq-logger = callPackage ./skytraq-logger {};
     taskserver = callPackage ./taskserver {};
-    ps3netsrv = callPackage ./ps3netsrv {};
+    wol = callPackage ./wol {};
-    farpd = callPackage ./farpd {};
   };
 }

makefu/5pkgs/f3/default.nix

@@ -0,0 +1,26 @@
+{ stdenv, fetchFromGitHub }:
+
+stdenv.mkDerivation rec {
+  name = "f3-${version}";
+  version = "6.0";
+
+  enableParallelBuilding = true;
+
+  src = fetchFromGitHub {
+    owner = "AltraMayor";
+    repo = "f3";
+    rev = "v${version}";
+    sha256 = "1azi10ba0h9z7m0gmfnyymmfqb8380k9za8hn1rrw1s442hzgnz2";
+  };
+
+  makeFlags = [ "PREFIX=$(out)" ];
+  patchPhase = "sed -i 's/-oroot -groot//' Makefile";
+
+  meta = {
+    description = "Fight Flash Fraud";
+    homepage = http://oss.digirati.com.br/f3/;
+    license = stdenv.lib.licenses.gpl2;
+    platforms = stdenv.lib.platforms.linux;
+    maintainers = with stdenv.lib.maintainers; [ makefu ];
+  };
+}

makefu/5pkgs/git-xlsx-textconv/default.nix

@@ -1,6 +1,6 @@
-{ stdenv, lib, goPackages, fetchFromGitHub }:
+{ stdenv, lib, buildGoPackage, fetchFromGitHub }:
 let
-  go-xlsx = goPackages.buildGoPackage rec {
+  go-xlsx = buildGoPackage rec {
   name = "go-xlsx-${version}";
   version = "46e6e472d";
 
@@ -13,7 +13,7 @@ let
   };
 };
 in
-(goPackages.buildGoPackage rec {
+(buildGoPackage rec {
   name = "git-xlsx-textconv-${version}";
   version = "70685e7f8";
 

makefu/5pkgs/ps3netsrv/default.nix

@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
     url = "https://github.com/dirkvdb/ps3netsrv--";
     fetchSubmodules = true;
     rev = "e54a66cbf142b86e2cffc1701984b95adb921e81"; # latest @ 2016-05-24
-    sha256 = "0l7bp18cs3xr2qgsmcf18diccski49mj9whngxm9isi8wd4r9inj";
+    sha256 = "09hvmfzqy2jckpsml0z1gkcnar8sigmgs1q66k718fph2d3g54sa";
   };
 
   nativeBuildInputs = [ gnugrep ];

makefu/5pkgs/wol/default.nix

@@ -0,0 +1,22 @@
+{ stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  proj = "wake-on-lan";
+  name = "wol-${version}";
+  version = "0.7.1";
+
+  enableParallelBuilding = true;
+
+  src = fetchurl {
+    url = "mirror://sourceforge/${proj}/${name}.tar.gz";
+    sha256 = "08i6l5lr14mh4n3qbmx6kyx7vjqvzdnh3j9yfvgjppqik2dnq270";
+  };
+
+  meta = {
+    description = "simple wake-on-lan client";
+    homepage = https://sourceforge.net/projects/wake-on-lan/;
+    license = stdenv.lib.licenses.gpl2;
+    platforms = stdenv.lib.platforms.linux;
+    maintainers = with stdenv.lib.maintainers; [ makefu ];
+  };
+}