authortv <tv@krebsco.de>2016-02-08 03:23:28 +0100
committertv <tv@krebsco.de>2016-02-08 03:35:29 +0100
commit8e93530796982db49ddeb06201d2f5bb57d51ccc (patch)
tree0c2982f48ca668cc034f4c10485c6a5b0e841d81 /lass/2configs
parent7a9f130c1230faf9662000dbd9ba8f06170bf254 (diff)
parent5856d240888e89dbed141087c9580026f52dff59 (diff)
Merge remote-tracking branch 'cloudkrebs/master'
Diffstat (limited to 'lass/2configs')
-rw-r--r--lass/2configs/base.nix37
-rw-r--r--lass/2configs/baseX.nix1
-rw-r--r--lass/2configs/bitcoin.nix7
-rw-r--r--lass/2configs/browsers.nix2
-rw-r--r--lass/2configs/buildbot-standalone.nix78
-rw-r--r--lass/2configs/git.nix4
-rw-r--r--lass/2configs/newsbot-js.nix2
-rw-r--r--lass/2configs/websites/fritz.nix33
-rw-r--r--lass/2configs/websites/wohnprojekt-rhh.de.nix6
-rw-r--r--lass/2configs/xserver/default.nix8
10 files changed, 155 insertions, 23 deletions
diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix
index 66e12b262..4c73fc0ce 100644
--- a/lass/2configs/base.nix
+++ b/lass/2configs/base.nix
@@ -17,7 +17,8 @@ with lib;
root = {
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
- config.krebs.users.uriel.pubkey
+ config.krebs.users.lass-uriel.pubkey
+ config.krebs.users.lass-helios.pubkey
];
};
mainUser = {
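Review bot: Nothing explains why `config.krebs.users.lass-helios.pubkey` is accepted for `root` here but left out of the `mainUser` list in the next hunk (`@@ -31,7 +32,7`), which only gains `lass-uriel`. Each entry in root's `openssh.authorizedKeys.keys` is direct root SSH access on every host that imports this file, so the intent should be written next to the key. A comment such as `# lass's key on helios: root only, not mainUser, because <reason>` would do. The enclosing users attrset starts and ends outside the hunk.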
@@ -31,7 +32,7 @@ with lib;
];
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
- config.krebs.users.uriel.pubkey
+ config.krebs.users.lass-uriel.pubkey
];
};
};
@@ -47,20 +48,21 @@ with lib;
exim-retiolum.enable = true;
build = {
user = config.krebs.users.lass;
- source = {
- git.nixpkgs = {
+ source = mapAttrs (_: mkDefault) ({
+ nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix";
+ nixpkgs = symlink:stockholm/nixpkgs;
+ secrets = "/home/lass/secrets/${config.krebs.build.host.name}";
+ #secrets-common = "/home/lass/secrets/common";
+ stockholm = "/home/lass/stockholm";
+ stockholm-user = "symlink:stockholm/lass";
+ upstream-nixpkgs = {
url = https://github.com/Lassulus/nixpkgs;
- rev = "93d8671e2c6d1d25f126ed30e5e6f16764330119";
+ rev = "d0e3cca04edd5d1b3d61f188b4a5f61f35cdf1ce";
+ dev = "/home/lass/src/nixpkgs";
};
- dir.secrets = {
- host = config.krebs.hosts.mors;
- path = "/home/lass/secrets/${config.krebs.build.host.name}";
- };
- dir.stockholm = {
- host = config.krebs.hosts.mors;
- path = "/home/lass/stockholm";
- };
- };
+ } // optionalAttrs config.krebs.build.host.secure {
+ #secrets-master = "/home/lass/secrets/master";
+ });
};
};
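Review bot: The added line `nixpkgs = symlink:stockholm/nixpkgs;` is unquoted while every sibling value is a quoted string. It only evaluates because Nix accepts a bare `scheme:path` token as a URI literal, which is easy to break with a later edit. Write it as `nixpkgs = "symlink:stockholm/nixpkgs";` to match `nixos-config` and `stockholm-user`. The trailing `optionalAttrs config.krebs.build.host.secure { #secrets-master = … }` merges an empty set, so it is dead code until the line is uncommented; a short comment saying what it is waiting for would help.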
@@ -89,6 +91,7 @@ with lib;
git
jq
parallel
+ proot
#style
most
@@ -176,4 +179,10 @@ with lib;
noipv4ll
'';
+ #CVE-2016-0777 and CVE-2016-0778 workaround
+ #https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt
+ programs.ssh.extraConfig = ''
+ UseRoaming no
+ '';
+
}
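Review bot: The `UseRoaming no` workaround is added without a removal condition, and it only covers clients that take this value from the system-wide configuration. ssh uses the first value it finds and reads `~/.ssh/config` before the system file, so a per-user setting would still win. The real fix is the OpenSSH update, so I would record that next to the setting: `# TODO: drop once the packaged openssh is >= 7.1p2 (roaming code disabled upstream)`. It would also be worth checking that the pinned `upstream-nixpkgs` rev from the earlier hunk already ships that version.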
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 0596682df..ede1c7b7b 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -31,6 +31,7 @@ in {
environment.systemPackages = with pkgs; [
+ dmenu
gitAndTools.qgit
mpv
much
diff --git a/lass/2configs/bitcoin.nix b/lass/2configs/bitcoin.nix
index d3bccbf5c..2f4cd5710 100644
--- a/lass/2configs/bitcoin.nix
+++ b/lass/2configs/bitcoin.nix
@@ -1,6 +1,8 @@
{ config, pkgs, ... }:
-{
+let
+ mainUser = config.users.extraUsers.mainUser;
+in {
environment.systemPackages = with pkgs; [
electrum
];
@@ -14,4 +16,7 @@
createHome = true;
};
};
+ security.sudo.extraConfig = ''
+ ${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL
+ '';
}
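Review bot: `${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL` removes the isolation that a separate `bitcoin` account is presumably there to provide. Any process running as the main user can now run arbitrary commands as `bitcoin` without a prompt, including reading the wallet files in its home. If the aim is only to start the wallet, restrict the rule to that binary, for example `${mainUser.name} ALL=(bitcoin) NOPASSWD: ${pkgs.electrum}/bin/electrum`. If a general shell really is needed, say why in a comment above `security.sudo.extraConfig`.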
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix
index d36801863..61016fed0 100644
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@@ -54,8 +54,6 @@ in {
];
imports = [
- ../3modules/per-user.nix
- ] ++ [
( createFirefoxUser "ff" [ "audio" ] [ ] )
( createChromiumUser "cr" [ "audio" ] [ pkgs.chromium ] )
( createChromiumUser "fb" [ ] [ pkgs.chromium ] )
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
new file mode 100644
index 000000000..8c71553fe
--- /dev/null
+++ b/lass/2configs/buildbot-standalone.nix
@@ -0,0 +1,78 @@
+{ lib, config, pkgs, ... }:
+{
+ #networking.firewall.allowedTCPPorts = [ 8010 9989 ];
+ krebs.buildbot.master = {
+ slaves = {
+ testslave = "lasspass";
+ };
+ change_source.stockholm = ''
+ stockholm_repo = 'http://cgit.mors/stockholm'
+ cs.append(changes.GitPoller(
+ stockholm_repo,
+ workdir='stockholm-poller', branch='master',
+ project='stockholm',
+ pollinterval=120))
+ '';
+ scheduler = {
+ force-scheduler = ''
+ sched.append(schedulers.ForceScheduler(
+ name="force",
+ builderNames=["fast-tests"]))
+ '';
+ fast-tests-scheduler = ''
+ # test the master real quick
+ sched.append(schedulers.SingleBranchScheduler(
+ change_filter=util.ChangeFilter(branch="master"),
+ name="fast-master-test",
+ builderNames=["fast-tests"]))
+ '';
+ };
+ builder_pre = ''
+ # prepare grab_repo step for stockholm
+ grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental')
+
+ env = {"LOGNAME": "lass", "NIX_REMOTE": "daemon"}
+
+ # prepare nix-shell
+ # the dependencies which are used by the test script
+ deps = [ "gnumake", "jq","nix","rsync" ]
+ # TODO: --pure , prepare ENV in nix-shell command:
+ # SSL_CERT_FILE,LOGNAME,NIX_REMOTE
+ nixshell = ["nix-shell", "-I", "stockholm=.", "-p" ] + deps + [ "--run" ]
+
+ # prepare addShell function
+ def addShell(factory,**kwargs):
+ factory.addStep(steps.ShellCommand(**kwargs))
+ '';
+ builder = {
+ fast-tests = ''
+ f = util.BuildFactory()
+ f.addStep(grab_repo)
+ addShell(f,name="mors-eval",env=env,
+ command=nixshell + ["make -s eval get=krebs.deploy filter=json system=mors"])
+
+ bu.append(util.BuilderConfig(name="fast-tests",
+ slavenames=slavenames,
+ factory=f))
+ '';
+ };
+ enable = true;
+ web.enable = true;
+ irc = {
+ enable = true;
+ nick = "buildbot-lass";
+ server = "cd.retiolum";
+ channels = [ "retiolum" ];
+ allowForce = true;
+ };
+ };
+
+ krebs.buildbot.slave = {
+ enable = true;
+ masterhost = "localhost";
+ username = "testslave";
+ password = "lasspass";
+ packages = with pkgs;[ git nix ];
+ extraEnviron = { NIX_PATH="nixpkgs=${toString <nixpkgs>}"; };
+ };
+}
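Review bot: The worker credential `lasspass` is hard-coded twice, in `slaves.testslave` and in `krebs.buildbot.slave.password`. It is therefore committed to the repository and, as a Nix string, will most likely end up in the world-readable store. With `masterhost = "localhost"` and the `allowedTCPPorts` line commented out the exposure is limited to local users, but that depends on the firewall line staying commented. I would add `# placeholder credential: replace with a value from the secrets tree before opening 9989` above `slaves`. `irc.allowForce = true` lets anyone who can speak in the `retiolum` channel trigger `fast-tests`, which runs `make` from the polled repository; whether that channel is access-controlled is not visible here. The poller also fetches `http://cgit.mors/stockholm` unauthenticated, so build integrity rests on the network between the two hosts.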
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 16ecaefec..ac6aae44f 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -69,12 +69,12 @@ let
with git // config.krebs.users;
repo:
singleton {
- user = lass;
+ user = [ lass lass-helios lass-uriel ];
repo = [ repo ];
perm = push "refs/*" [ non-fast-forward create delete merge ];
} ++
optional repo.public {
- user = [ tv makefu uriel ];
+ user = [ tv makefu miefda ];
repo = [ repo ];
perm = fetch;
} ++
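Review bot: `user = [ lass lass-helios lass-uriel ];` gives both per-device identities the full `push "refs/*" [ non-fast-forward create delete merge ]` permission, so losing either device key allows history rewrites and ref deletion on every repository this rule covers. If the device keys only need ordinary pushes, give them a separate rule without `non-fast-forward` and `delete` and keep the destructive rights on `lass` alone. Otherwise add a comment stating that full rights on all three keys are intended. The rule list continues past the end of the hunk.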
diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix
index 74d09b7fa..4482c4e9d 100644
--- a/lass/2configs/newsbot-js.nix
+++ b/lass/2configs/newsbot-js.nix
@@ -161,7 +161,7 @@ let
torrentfreak|http://feeds.feedburner.com/Torrentfreak|#news
torr_news|http://feed.torrentfreak.com/Torrentfreak/|#news
travel_warnings|http://feeds.travel.state.gov/ca/travelwarnings-alerts|#news
- truther|http://truthernews.wordpress.com/feed/|#news
+ #truther|http://truthernews.wordpress.com/feed/|#news
un_afr|http://www.un.org/apps/news/rss/rss_africa.asp|#news
un_am|http://www.un.org/apps/news/rss/rss_americas.asp|#news
un_eu|http://www.un.org/apps/news/rss/rss_europe.asp|#news
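Review bot: `#truther|http://truthernews.wordpress.com/feed/|#news` appears to sit inside a multi-line string of `name|url|channel` records, so the leading `#` is not a Nix comment and the line is still handed to the bot. Unless newsbot-js is known to skip lines starting with `#`, this may register a feed named `#truther` instead of disabling it. Deleting the line is safer. If the parser does support comments, a note saying so at the top of the list would settle it. The string's delimiters are outside the hunk, so this is inferred from the surrounding lines.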
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
new file mode 100644
index 000000000..073f3de14
--- /dev/null
+++ b/lass/2configs/websites/fritz.nix
@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+{
+
+ imports = [
+ ../../3modules/static_nginx.nix
+ ../../3modules/owncloud_nginx.nix
+ ../../3modules/wordpress_nginx.nix
+ ];
+
+ lass.staticPage = {
+ "biostase.de" = {};
+ "gs-maubach.de" = {};
+ "spielwaren-kern.de" = {};
+ "societyofsimtech.de" = {};
+ "ttf-kleinaspach.de" = {};
+ "edsn.de" = {};
+ "eab.berkeley.edu" = {};
+ "habsys.de" = {};
+ };
+
+ #lass.owncloud = {
+ # "o.ubikmedia.de" = {
+ # instanceid = "oc8n8ddbftgh";
+ # };
+ #};
+
+ #services.mysql = {
+ # enable = true;
+ # package = pkgs.mariadb;
+ # rootPassword = toString (<secrets/mysql_rootPassword>);
+ #};
+}
diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix
index cd31450c5..ac784d4c7 100644
--- a/lass/2configs/websites/wohnprojekt-rhh.de.nix
+++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix
@@ -8,5 +8,11 @@
lass.staticPage = {
"wohnprojekt-rhh.de" = {};
};
+
+ users.users.laura = {
+ home = "/srv/http/wohnprojekt-rhh.de";
+ createHome = true;
+ useDefaultShell = true;
+ };
}
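Review bot: `home = "/srv/http/wohnprojekt-rhh.de"` makes the login user's home directory the same path that appears to be served as the static site. Files a shell or SSH session creates there (`.bash_history`, `.ssh/`, editor swap files) then sit under the document root. Whether `static_nginx.nix` denies dot-files is not visible on this page, so either confirm that it does or point the site at a subdirectory of the home. `useDefaultShell = true` grants an interactive shell; if the account only exists for uploading content, a comment such as `# content upload only; no sudo, no extra groups` would record the intended limits.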
diff --git a/lass/2configs/xserver/default.nix b/lass/2configs/xserver/default.nix
index 04d14c7ce..c407bb59e 100644
--- a/lass/2configs/xserver/default.nix
+++ b/lass/2configs/xserver/default.nix
@@ -44,7 +44,7 @@ let
"slock"
];
- systemd.services.display-manager = mkForce {};
+ systemd.services.display-manager.enable = false;
services.xserver.enable = true;
@@ -93,9 +93,11 @@ let
xmonad-start = pkgs.writeScriptBin "xmonad" ''
#! ${pkgs.bash}/bin/bash
set -efu
- export PATH; PATH=${makeSearchPath "bin" ([
+ export PATH; PATH=${makeSearchPath "bin" [
+ pkgs.alsaUtils
+ pkgs.pulseaudioLight
pkgs.rxvt_unicode
- ] ++ config.environment.systemPackages)}:/var/setuid-wrappers
+ ]}:/var/setuid-wrappers
settle() {(
# Use PATH for a clean journal
command=''${1##*/}