diff options
30 files changed, 717 insertions, 50 deletions
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 6d2b090a2..740ba67b8 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -12,6 +12,7 @@ let ./current.nix ./exim-retiolum.nix ./exim-smarthost.nix + ./fetchWallpaper.nix ./github-hosts-sync.nix ./git.nix ./go.nix diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix new file mode 100644 index 000000000..83ecf4177 --- /dev/null +++ b/krebs/3modules/fetchWallpaper.nix @@ -0,0 +1,89 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.krebs.fetchWallpaper; + + out = { + options.krebs.fetchWallpaper = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "fetch wallpaper"; + predicate = mkOption { + type = with types; nullOr path; + default = null; + }; + url = mkOption { + type = types.str; + }; + timerConfig = mkOption { + type = types.unspecified; + default = { + OnCalendar = "*:00,10,20,30,40,50"; + }; + }; + stateDir = mkOption { + type = types.str; + default = "/var/lib/wallpaper"; + }; + display = mkOption { + type = types.str; + default = ":11"; + }; + }; + + fetchWallpaperScript = pkgs.writeScript "fetchWallpaper" '' + #! ${pkgs.bash}/bin/bash + ${optionalString (cfg.predicate != null) '' + if ! ${cfg.predicate}; then + echo "predicate failed - will not fetch from remote" + exit 0 + fi + ''} + mkdir -p ${shell.escape cfg.stateDir} + curl -s -o ${shell.escape cfg.stateDir}/wallpaper -z ${shell.escape cfg.stateDir}/wallpaper ${shell.escape cfg.url} + feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper + ''; + + imp = { + users.users.fetchWallpaper = { + name = "fetchWallpaper"; + uid = 3332383611; #genid fetchWallpaper + description = "fetchWallpaper user"; + home = cfg.stateDir; + createHome = true; + }; + + systemd.timers.fetchWallpaper = { + description = "fetch wallpaper timer"; + wantedBy = [ "timers.target" ]; + + timerConfig = cfg.timerConfig; + }; + systemd.services.fetchWallpaper = { + description = "fetch wallpaper"; + after = [ "network.target" ]; + + path = with pkgs; [ + curl + feh + ]; + + environment = { + URL = cfg.url; + DISPLAY = cfg.display; + }; + + restartIfChanged = true; + + serviceConfig = { + Type = "simple"; + ExecStart = fetchWallpaperScript; + User = "fetchWallpaper"; + }; + }; + }; +in out diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 5a128a28f..d9cb83aaf 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -84,6 +84,31 @@ with lib; }; }; }; + + vbob = { + cores = 2; + dc = "makefu"; #vm local + nets = { + retiolum = { + addrs4 = ["10.243.1.91"]; + addrs6 = ["42:0b2c:d90e:e717:03dd:9ac1:0000:a400"]; + aliases = [ + "vbob.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEA+0TIo0dS9LtSdrmH0ClPHLO7dHtV9Dj7gaBAsbyuwxAI5cQgYKwr + 4G6t7IcJW+Gu2bh+LKtPP91+zYXq4Qr1nAaKw4ajsify6kpxsCBzknmwi6ibIJMI + AK114dr/XSk/Pc6hOSA8kqDP4c0MZXwitRBiNjrWbTrQh6GJ3CXhmpZ2lJkoAyNP + hjdPerbTUrhQlNW8FanyQQzOgN5I7/PXsZShmb3iNKz1Ban5yWKFCVpn8fjWQs5o + Un2AKowH4Y+/g8faGemL8uy/k5xrHSrn05L92TPDUpAXrcZXzo6ao1OBiwJJVl7s + AVduOY18FU82GUw7edR0e/b2UC6hUONflwIDAQAB + -----END RSA PUBLIC KEY----- + + ''; + }; + }; + }; flap = rec { cores = 1; dc = "cac"; #vps diff --git a/krebs/3modules/retiolum.nix b/krebs/3modules/retiolum.nix index 633642537..28ac67306 100644 --- a/krebs/3modules/retiolum.nix +++ b/krebs/3modules/retiolum.nix @@ -50,6 +50,14 @@ let ''; }; + extraConfig = mkOption { + type = types.str; + default = ""; + description = '' + Extra Configuration to be appended to tinc.conf + ''; + }; + tincPackage = mkOption { type = types.package; default = pkgs.tinc; @@ -203,6 +211,7 @@ let Interface = ${cfg.network} ${concatStrings (map (c : "ConnectTo = " + c + "\n") cfg.connectTo)} PrivateKeyFile = /tmp/retiolum-rsa_key.priv + ${cfg.extraConfig} EOF # source: krebscode/painload/retiolum/scripts/tinc_setup/tinc-up diff --git a/krebs/Zhosts/gum b/krebs/Zhosts/gum index d43bb0d08..7a1a305d6 100644 --- a/krebs/Zhosts/gum +++ b/krebs/Zhosts/gum @@ -1,5 +1,7 @@ Address= 195.154.108.70 Address= 195.154.108.70 53 +Address= 195.154.108.70 21031 + Subnet = 10.243.0.211 Subnet = 42:f9f0:0000:0000:0000:0000:0000:70d2 diff --git a/krebs/Zhosts/vbob b/krebs/Zhosts/vbob new file mode 100644 index 000000000..b233a46b0 --- /dev/null +++ b/krebs/Zhosts/vbob @@ -0,0 +1,9 @@ +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEA+0TIo0dS9LtSdrmH0ClPHLO7dHtV9Dj7gaBAsbyuwxAI5cQgYKwr +4G6t7IcJW+Gu2bh+LKtPP91+zYXq4Qr1nAaKw4ajsify6kpxsCBzknmwi6ibIJMI +AK114dr/XSk/Pc6hOSA8kqDP4c0MZXwitRBiNjrWbTrQh6GJ3CXhmpZ2lJkoAyNP +hjdPerbTUrhQlNW8FanyQQzOgN5I7/PXsZShmb3iNKz1Ban5yWKFCVpn8fjWQs5o +Un2AKowH4Y+/g8faGemL8uy/k5xrHSrn05L92TPDUpAXrcZXzo6ao1OBiwJJVl7s +AVduOY18FU82GUw7edR0e/b2UC6hUONflwIDAQAB +-----END RSA PUBLIC KEY----- +Subnet = 10.243.1.91/32 diff --git a/krebs/Zpubkeys/makefu_vbob.ssh.pub b/krebs/Zpubkeys/makefu_vbob.ssh.pub new file mode 100644 index 000000000..e5063aeb5 --- /dev/null +++ b/krebs/Zpubkeys/makefu_vbob.ssh.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCiKvLKaRQPL/Y/4EWx3rNhrY5YGKK4AeqDOFTLgJ7djwJnMo7FP+OIH/4pFxS6Ri2TZwS9QsR3hsycA4n8Z15jXAOXuK52kP65Ei3lLyz9mF+/s1mJsV0Ui/UKF3jE7PEAVky7zXuyYirJpMK8LhXydpFvH95aGrL1Dk30R9/vNkE9rc1XylBfNpT0X0GXmldI+r5OPOtiKLA5BHJdlV8qDYhQsU2fH8S0tmAHF/ir2bh7+PtLE2hmRT+b8I7y1ZagkJsC0sn9GT1AS8ys5s65V2xTTIfQO1zQ4sUH0LczuRuY8MLaO33GAzhyoSQdbdRAmwZQpY/JRJ3C/UROgHYt makefu@nixos diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 7b91fa6be..4ba9df6f9 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -22,6 +22,9 @@ ../2configs/bitlbee.nix ../2configs/firefoxPatched.nix ../2configs/skype.nix + ../2configs/teamviewer.nix + ../2configs/libvirt.nix + ../2configs/fetchWallpaper.nix { #risk of rain port krebs.iptables.tables.filter.INPUT.rules = [ diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 599f4704e..95c55533c 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -116,6 +116,23 @@ in { { predicate = "-p tcp --dport 8080"; target = "ACCEPT";} ]; } + { + users.users.chat.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJJKlOeAHyi7lToCqRF/hdA2TrtVbrTUd2ayuWsXe9JWiyeyKH/LNY3SrgxCWPZSItE9VK68ghMuVYK/A8IAcgzNhzFYLDxmtsidjiOJBj2ZGsjqevoQ5HuKB/pob8CLW3dr1Rx38Any/XXxpfeO6vemCJMGLTe5gSlrCI+Tk1qNt0Rz+rke73Hwt9wW39g8X3prF2q9ryL9OFCcsoYUE7PIOV9xM1GaDFfTR4bKux7HyFKmG+rBvmJHB5OPW8UAtVZGY/FIChwlmF6QNO5Zym497bG1RCOGplaLpRXVJrmoUkZUO7EazePPxIjz2duWYqFtwl5R9YGy1+a+F58G19DS7wJHM29td117/ZANjRTxE5q/aJm2okJYOVSqhYzdhji+BWVZ5ai7cktpAdtPo++yiZN90LvogXNB64kFxVGuX52xZcA3KLKmvrd47o9k0pzO+oCoArxPFIx0YkHfy/yw7OG8Z+KLK8l9WXWBZO5TpjcydnEcRZ8OEqVhtmDh+9h1zhPphuFBtT1JPbt8m132RUy23qsNRtZ/lnnfQbrxgHPRzVuvA8o4ahOEUdvV9SYnzKb6qMFXGp25EhlcWnR4/toyG6I3paBtByeHkaxjgCuvm9Hob6f/xFr3kEJ4WXTVguyrcFgNg2EcEfdkrTMhNn9OIHEFFQ8whIBv5jlw== JuiceSSH" + ]; + } + { + time.timeZone = "Europe/Berlin"; + } + { + imports = [ + ../2configs/websites/wohnprojekt-rhh.de.nix + ../2configs/websites/domsen.nix + ]; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 61023057b..40f4e12c7 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -17,6 +17,7 @@ with lib; root = { openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey + config.krebs.users.uriel.pubkey ]; }; mainUser = { @@ -30,6 +31,7 @@ with lib; ]; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey + config.krebs.users.uriel.pubkey ]; }; }; @@ -48,7 +50,7 @@ with lib; source = { git.nixpkgs = { url = https://github.com/Lassulus/nixpkgs; - rev = "8d1ce129361312334bf914ce0d27e463cb0bb21b"; + rev = "363c8430f1efad8b03d5feae6b3a4f2fe7b29251"; }; dir.secrets = { host = config.krebs.hosts.mors; diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index 849778a7a..d36801863 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -1,16 +1,6 @@ { config, lib, pkgs, ... }: let - simpleScript = name: content: - pkgs.stdenv.mkDerivation { - inherit name; - phases = [ "installPhase" ]; - installPhase = '' - mkdir -p $out/bin - ln -s ${pkgs.writeScript name content} $out/bin/${name} - ''; - }; - mainUser = config.users.extraUsers.mainUser; createChromiumUser = name: extraGroups: packages: { @@ -26,8 +16,8 @@ let ${mainUser.name} ALL=(${name}) NOPASSWD: ALL ''; environment.systemPackages = [ - (simpleScript name '' - sudo -u ${name} -i chromium $@ + (pkgs.writeScriptBin name '' + /var/setuid-wrappers/sudo -u ${name} -i chromium $@ '') ]; }; @@ -46,8 +36,8 @@ let ${mainUser.name} ALL=(${name}) NOPASSWD: ALL ''; environment.systemPackages = [ - (simpleScript name '' - sudo -u ${name} -i firefox $@ + (pkgs.writeScriptBin name '' + /var/setuid-wrappers/sudo -u ${name} -i firefox $@ '') ]; }; @@ -57,7 +47,7 @@ let in { environment.systemPackages = [ - (simpleScript "browser-select" '' + (pkgs.writeScriptBin "browser-select" '' BROWSER=$(echo -e "ff\ncr\nfb\ngm\nflash" | dmenu) $BROWSER $@ '') @@ -70,7 +60,7 @@ in { ( createChromiumUser "cr" [ "audio" ] [ pkgs.chromium ] ) ( createChromiumUser "fb" [ ] [ pkgs.chromium ] ) ( createChromiumUser "gm" [ ] [ pkgs.chromium ] ) - # ( createChromiumUser "flash" [ ] [ pkgs.flash ] ) + ( createChromiumUser "flash" [ ] [ pkgs.flash ] ) ]; nixpkgs.config.packageOverrides = pkgs : { diff --git a/lass/2configs/elster.nix b/lass/2configs/elster.nix index 1edd01896..e3a88c789 100644 --- a/lass/2configs/elster.nix +++ b/lass/2configs/elster.nix @@ -14,6 +14,9 @@ in { createHome = true; }; }; + krebs.per-user.elster.packages = [ + pkgs.chromium + ]; security.sudo.extraConfig = '' ${mainUser.name} ALL=(elster) NOPASSWD: ALL ''; diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix new file mode 100644 index 000000000..9c27706cb --- /dev/null +++ b/lass/2configs/fetchWallpaper.nix @@ -0,0 +1,11 @@ +{ config, pkgs, ... }: + +let + +in { + krebs.fetchWallpaper = { + enable = true; + url = "echelon/wallpaper.png"; + }; +} + diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix new file mode 100644 index 000000000..368722e77 --- /dev/null +++ b/lass/2configs/libvirt.nix @@ -0,0 +1,22 @@ +{ config, pkgs, ... }: + +let + mainUser = config.users.extraUsers.mainUser; + +in { + virtualisation.libvirtd.enable = true; + + users.extraUsers = { + libvirt = { + uid = 358821352; # genid libvirt + description = "user for running libvirt stuff"; + home = "/home/libvirt"; + useDefaultShell = true; + extraGroups = [ "libvirtd" "audio" ]; + createHome = true; + }; + }; + security.sudo.extraConfig = '' + ${mainUser.name} ALL=(libvirt) NOPASSWD: ALL + ''; +} diff --git a/lass/2configs/teamviewer.nix b/lass/2configs/teamviewer.nix new file mode 100644 index 000000000..48053d7db --- /dev/null +++ b/lass/2configs/teamviewer.nix @@ -0,0 +1,6 @@ +{ config, lib, pkgs, ... }: + +with lib; +{ + services.teamviewer.enable = true; +} diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix new file mode 100644 index 000000000..109c216c0 --- /dev/null +++ b/lass/2configs/websites/domsen.nix @@ -0,0 +1,35 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../../3modules/static_nginx.nix + ../../3modules/owncloud_nginx.nix + ../../3modules/wordpress_nginx.nix + ]; + + lass.staticPage = { + "karlaskop.de" = {}; + "makeup.apanowicz.de" = {}; + "pixelpocket.de" = {}; + "reich-gebaeudereinigung.de" = {}; + }; + + lass.owncloud = { + "o.ubikmedia.de" = { + instanceid = "oc8n8ddbftgh"; + }; + }; + + services.mysql = { + enable = true; + package = pkgs.mariadb; + rootPassword = toString (<secrets/mysql_rootPassword>); + }; + + #lass.wordpress = { + # "ubikmedia.de" = { + # }; + #}; + +} + diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix new file mode 100644 index 000000000..cd31450c5 --- /dev/null +++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix @@ -0,0 +1,12 @@ +{ config, ... }: + +{ + imports = [ + ../../3modules/static_nginx.nix + ]; + + lass.staticPage = { + "wohnprojekt-rhh.de" = {}; + }; +} + diff --git a/lass/2configs/xserver/default.nix b/lass/2configs/xserver/default.nix index ceccf5fee..da337f6a7 100644 --- a/lass/2configs/xserver/default.nix +++ b/lass/2configs/xserver/default.nix @@ -108,7 +108,6 @@ let pkgs.rxvt_unicode pkgs.i3lock pkgs.haskellPackages.yeganesh - pkgs.haskellPackages.xmobar pkgs.dmenu ] ++ config.environment.systemPackages)}:/var/setuid-wrappers settle() {( diff --git a/lass/3modules/owncloud_nginx.nix b/lass/3modules/owncloud_nginx.nix new file mode 100644 index 000000000..a0db87b0b --- /dev/null +++ b/lass/3modules/owncloud_nginx.nix @@ -0,0 +1,215 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.lass.owncloud; + + out = { + options.lass.owncloud = api; + config = imp; + }; + + api = mkOption { + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + domain = mkOption { + type = str; + default = config._module.args.name; + }; + dataDir = mkOption { + type = str; + default = "${config.folder}/data"; + }; + dbUser = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + dbName = mkOption { + type = str; + default = replaceStrings ["."] ["_"] config.domain; + }; + dbType = mkOption { + # TODO: check for valid dbType + type = str; + default = "mysql"; + }; + folder = mkOption { + type = str; + default = "/srv/http/${config.domain}"; + }; + auto = mkOption { + type = bool; + default = false; + }; + instanceid = mkOption { + type = str; + }; + ssl = mkOption { + type = bool; + default = false; + }; + }; + })); + default = {}; + }; + + user = config.services.nginx.user; + group = config.services.nginx.group; + + imp = { + krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + # The following 2 rules are only needed with webfinger + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + rewrite ^/.well-known/carddav /remote.php/carddav/ redirect; + rewrite ^/.well-known/caldav /remote.php/caldav/ redirect; + + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + + try_files $uri $uri/ /index.php; + '') + (nameValuePair "~ \.php$" '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_pass unix:${folder}/phpfpm.pool; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + ]; + extraConfig = '' + root ${folder}/; + #index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect; + rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect; + rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect; + + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + ''; + }); + services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: '' + listen = ${folder}/phpfpm.pool + user = ${user} + group = ${group} + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = ${user} + listen.group = ${group} + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''); + #systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: { + # name = "owncloudInit-${name}"; + # value = { + # path = [ + # pkgs.mysql + # pkgs.su + # pkgs.gawk + # pkgs.jq + # ]; + # requiredBy = [ "nginx.service" ]; + # serviceConfig = let + # php.define = name: value: + # "define(${php.newdoc name}, ${php.newdoc value});"; + # php.toString = x: + # "'${x}'"; + # php.newdoc = s: + # let b = "EOF${builtins.hashString "sha256" s}"; in + # ''<<<'${b}' + # ${s} + # ${b} + # ''; + # in { + # Type = "oneshot"; + # ExecStart = pkgs.writeScript "wordpressInit" '' + # #!/bin/sh + # set -euf + # oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"} + # db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"}) + # get_secret() { + # echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string)," + # } + # to_php_string() { + # echo "base64_decode('$(base64)')" + # } + # { + # cat ${toString <secrets/mysql_rootPassword>} + # password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))}) + # # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));") + # # TODO as package pkgs.sqlHashPassword + # # TODO not using mysql + # # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES'; + # passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');") + # user=${shell.escape dbUser}@localhost + # database=${shell.escape dbName} + # cat << EOF + # CREATE DATABASE IF NOT EXISTS $database; + # GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash'; + # GRANT ALL PRIVILEGES ON $database.* TO $user; + # FLUSH PRIVILEGES; + # EOF + # } | mysql -u root -p + # # TODO nix2php for wp-config.php + # mkdir -p ${folder}/config + # cat > ${folder}/config/config.php << EOF + # <?php + # \$CONFIG = array ( + # 'dbhost' => 'localhost', + # 'dbtableprefix' => 'oc_', + # 'dbpassword' => '$db_password', + # 'installed' => 'true', + # 'trusted_domains' => + # array ( + # 0 => '${domain}', + # ), + # 'overwrite.cli.url' => 'http://${domain}', + + # ${concatStringsSep "\n" (mapAttrsToList (name: value: + # "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string)," + # ) { + # instanceid = instanceid; + # datadirectory = dataDir; + # dbtype = dbType; + # dbname = dbName; + # dbuser = dbUser; + # })} + + # ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [ + # "secret" + # "passwordsalt" + # ]} + # ); + # EOF + # ''; + # }; + # }; + #}); + users.users.nobody_oc = { + uid = 1651469147; # genid nobody_oc + useDefaultShell = true; + }; + }; + +in out diff --git a/lass/3modules/static_nginx.nix b/lass/3modules/static_nginx.nix new file mode 100644 index 000000000..cc2641af2 --- /dev/null +++ b/lass/3modules/static_nginx.nix @@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.lass.staticPage; + + out = { + options.lass.staticPage = api; + config = imp; + }; + + api = mkOption { + type = with types; attrsOf (submodule ({ config, ... }: { + options = { + domain = mkOption { + type = str; + default = config._module.args.name; + }; + folder = mkOption { + type = str; + default = "/srv/http/${config.domain}"; + }; + }; + })); + default = {}; + }; + + user = config.services.nginx.user; + group = config.services.nginx.group; + + imp = { + krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root ${folder}; + '') + (nameValuePair "~ /\\." '' + deny all; + '') + ]; + }); + }; + +in out diff --git a/lass/3modules/wordpress_nginx.nix b/lass/3modules/wordpress_nginx.nix index 65170698f..2f31f6e02 100644 --- a/lass/3modules/wordpress_nginx.nix +++ b/lass/3modules/wordpress_nginx.nix @@ -45,35 +45,70 @@ let type = bool; default = false; }; + multiSite = mkOption { + type = attrsOf str; + default = {}; + example = { + "0" = "bla.testsite.de"; + "1" = "test.testsite.de"; + }; + }; }; })); default = {}; }; - dataFolder = "/srv/http"; user = config.services.nginx.user; group = config.services.nginx.group; imp = { - krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, ... }: { + #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) '' + # map $http_host $blogid { + # ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)} + # } + #''; + + krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ... }: { server-names = [ "${domain}" "www.${domain}" ]; - locations = [ + #(mkIf (multiSite != {}) + #) + locations = (if (multiSite != {}) then + [ + (nameValuePair "~ ^/files/(.*)$" '' + try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ; + '') + (nameValuePair "^~ /blogs.dir" '' + internal; + alias ${folder}/wp-content/blogs.dir ; + access_log off; log_not_found off; expires max; + '') + ] + else + [] + ) ++ + [ (nameValuePair "/" '' try_files $uri $uri/ /index.php?$args; '') (nameValuePair "~ \.php$" '' - fastcgi_pass unix:${dataFolder}/${domain}/phpfpm.pool; + fastcgi_pass unix:${folder}/phpfpm.pool; include ${pkgs.nginx}/conf/fastcgi.conf; '') (nameValuePair "~ /\\." '' deny all; '') + #Directives to send expires headers and turn off 404 error logging. + (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' + access_log off; + log_not_found off; + expires max; + '') ]; extraConfig = '' - root ${dataFolder}/${domain}/; + root ${folder}/; index index.php; access_log /tmp/nginx_acc.log; error_log /tmp/nginx_err.log; @@ -81,8 +116,8 @@ let error_page 500 502 503 504 /50x.html; ''; }); - services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, ... }: '' - listen = ${dataFolder}/${domain}/phpfpm.pool + services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: '' + listen = ${folder}/phpfpm.pool user = ${user} group = ${group} pm = dynamic @@ -97,7 +132,7 @@ let php_admin_flag[log_errors] = on catch_workers_output = yes ''); - systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, ... }: { + systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: { name = "wordpressInit-${name}"; value = { path = [ @@ -175,6 +210,13 @@ let ]} \$table_prefix = 'wp_'; + + ${if (multiSite != {}) then + "define('WP_ALLOW_MULTISITE', true);" + else + "" + } + define('WP_DEBUG', ${toJSON debug}); if ( !defined('ABSPATH') ) define('ABSPATH', dirname(__FILE__) . '/'); @@ -186,10 +228,12 @@ let }; }; }); - users.users.nobody2 = { - uid = 125816384; # genid nobody2 - useDefaultShell = true; + users.users.nobody2 = mkDefault { + uid = mkDefault 125816384; # genid nobody2 + useDefaultShell = mkDefault true; }; }; + indent = replaceChars ["\n"] ["\n "]; + in out diff --git a/lass/5pkgs/xmonad-lass/Main.hs b/lass/5pkgs/xmonad-lass/Main.hs index 10a3c5638..ce5afe33a 100644 --- a/lass/5pkgs/xmonad-lass/Main.hs +++ b/lass/5pkgs/xmonad-lass/Main.hs @@ -49,6 +49,7 @@ import XMonad.Stockholm.Pager import XMonad.Stockholm.Rhombus import XMonad.Stockholm.Shutdown + myTerm :: String myTerm = "urxvtc" @@ -65,6 +66,7 @@ main = getArgs >>= \case mainNoArgs :: IO () mainNoArgs = do + workspaces0 <- getWorkspaces0 xmonad' -- $ withUrgencyHookC dzenUrgencyHook { args = ["-bg", "magenta", "-fg", "magenta", "-h", "2"], duration = 500000 } -- urgencyConfig { remindWhen = Every 1 } @@ -74,6 +76,7 @@ mainNoArgs = do $ defaultConfig { terminal = myTerm , modMask = mod4Mask + , workspaces = workspaces0 , layoutHook = smartBorders $ myLayoutHook -- , handleEventHook = myHandleEventHooks <+> handleTimerEvent --, handleEventHook = handleTimerEvent @@ -100,16 +103,26 @@ xmonad' conf = do hPutStrLn stderr (displaySomeException e) xmonad conf +getWorkspaces0 :: IO [String] +getWorkspaces0 = + try (getEnv "XMONAD_WORKSPACES0_FILE") >>= \case + Left e -> warn (displaySomeException e) + Right p -> try (readFile p) >>= \case + Left e -> warn (displaySomeException e) + Right x -> case readEither x of + Left e -> warn e + Right y -> return y + where + warn msg = hPutStrLn stderr ("getWorkspaces0: " ++ msg) >> return [] displaySomeException :: SomeException -> String displaySomeException = displayException myKeyMap = - [ ("M4-<F11>", spawn "i3lock -i ~/lock.png -u" ) + [ ("M4-<F11>", spawn "/var/setuid-wrappers/slock") , ("M4-p", spawn "passmenu --type") - , ("M4-r", spawn "exe=$(yeganesh -x) && eval \"exec $exe\"") - -- , ("M4-r", io (readProcess "yeganesh" ["-x"] "" >>= putStrLn ) ) + --, ("M4-r", spawn "exe=$(yeganesh -x) && eval \"exec $exe\"") , ("<XF86AudioRaiseVolume>", spawn "pactl -- set-sink-volume 0 +4%") , ("<XF86AudioLowerVolume>", spawn "pactl -- set-sink-volume 0 -4%") , ("<XF86Launch1>", gridselectWorkspace myWSConfig W.view) diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 75607aa46..417a020fa 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -14,14 +14,20 @@ in { # ../2configs/iodined.nix ../2configs/git/cgit-retiolum.nix ../2configs/mattermost-docker.nix + ../2configs/nginx/euer.test.nix ]; + nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; ###### stable krebs.build.target = "root@gum.krebsco.de"; krebs.build.host = config.krebs.hosts.gum; - + krebs.retiolum.extraConfig = '' + ListenAddress = ${external-ip} 53 + ListenAddress = ${external-ip} 655 + ListenAddress = ${external-ip} 21031 + ''; # Chat environment.systemPackages = with pkgs;[ @@ -53,10 +59,18 @@ in { 80 443 # tinc 655 + # tinc-shack + 21032 + # tinc-retiolum + 21031 ]; allowedUDPPorts = [ # tinc 655 53 + # tinc-retiolum + 21031 + # tinc-shack + 21032 ]; }; interfaces.et0.ip4 = [{ diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix new file mode 100644 index 000000000..4d8e8ced1 --- /dev/null +++ b/makefu/1systems/vbob.nix @@ -0,0 +1,44 @@ +# +# +# +{ config, pkgs, ... }: + +{ + krebs.build.host = config.krebs.hosts.vbob; + krebs.build.target = "root@10.10.10.220"; + imports = + [ # Include the results of the hardware scan. + <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix> + ../2configs/main-laptop.nix #< base-gui + + # environment + ../2configs/zsh-user.nix + ../2configs/virtualization.nix + ]; + nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; + environment.systemPackages = with pkgs;[ + get + ]; + + networking.firewall.allowedTCPPorts = [ + 25 + 80 + ]; + + krebs.retiolum = { + enable = true; + extraConfig = "Proxy = http global.proxy.alcatel-lucent.com 8000"; + hosts = ../../krebs/Zhosts; + connectTo = [ + "gum" + ]; + + }; + networking.proxy.default = "http://global.proxy.alcatel-lucent.com:8000"; + fileSystems."/media/share" = { + fsType = "vboxsf"; + device = "share"; + options = "rw,uid=9001,gid=9001"; + }; + +} diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 760c70789..519635281 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -80,7 +80,14 @@ with lib; "d /tmp 1777 root root - -" ]; - environment.variables.EDITOR = mkForce "vim"; + environment.variables = { + NIX_PATH = with config.krebs.build.source; with dir; with git; + mkForce (concatStringsSep ":" [ + "nixpkgs=${nixpkgs.target-path}" + "${nixpkgs.target-path}" + ]); + EDITOR = mkForce "vim"; + }; environment.systemPackages = with pkgs; [ jq @@ -124,6 +131,14 @@ with lib; services.cron.enable = false; services.nscd.enable = false; + services.ntp.enable = false; + services.timesyncd.enable = true; + services.ntp.servers = [ + "pool.ntp.org" + "time.windows.com" + "time.apple.com" + "time.nist.gov" + ]; security.setuidPrograms = [ "sendmail" ]; services.journald.extraConfig = '' diff --git a/makefu/2configs/fetchWallpaper.nix b/makefu/2configs/fetchWallpaper.nix new file mode 100644 index 000000000..b071a128d --- /dev/null +++ b/makefu/2configs/fetchWallpaper.nix @@ -0,0 +1,24 @@ +{ config, pkgs, ... }: + +let + # check if laptop runs on umts + weaksauce-internet = with pkgs;writeScript "weaksauce-internet" '' + #! /bin/sh + if ${iproute}/bin/ip addr show dev ppp0 2>/dev/null \ + | ${gnugrep}/bin/grep -q inet;then + exit 1 + fi + ''; + +in { + krebs.fetchWallpaper = { + enable = true; + display = ":0"; + predicate = weaksauce-internet; + timerConfig = { + OnCalendar = "*:0/30"; + }; + url = "http://echelon/wallpaper.png"; + }; +} + diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 304d39fcd..68fd976d6 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -24,6 +24,7 @@ let connector-repos = mapAttrs make-priv-repo { connector = { }; + minikrebs = { }; mattermost = { desc = "Mattermost Docker files"; }; @@ -42,7 +43,7 @@ let hooks = { post-receive = pkgs.git-hooks.irc-announce { nick = config.networking.hostName; - verbose = config.krebs.build.host.name == "pnp"; + verbose = config.krebs.build.host.name == "gum"; channel = "#retiolum"; # TODO remove the hardcoded hostname server = "cd.retiolum"; @@ -54,7 +55,7 @@ let # TODO: get the list of all krebsministers krebsminister = with config.krebs.users; [ lass tv uriel ]; - all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp ]; + all-makefu = with config.krebs.users; [ makefu makefu-omo makefu-tsp makefu-vbob ]; all-exco = with config.krebs.users; [ exco ]; priv-rules = repo: set-owners repo all-makefu; @@ -85,6 +86,10 @@ in { name = "makefu-omo" ; pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_omo.ssh.pub; }; + makefu-vbob = { + name = "makefu-vbob" ; + pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_vbob.ssh.pub; + }; makefu-tsp = { name = "makefu-tsp" ; pubkey= with builtins; readFile ../../../krebs/Zpubkeys/makefu_tsp.ssh.pub; diff --git a/makefu/2configs/main-laptop.nix b/makefu/2configs/main-laptop.nix index dfc8c1c07..00a3e73ca 100644 --- a/makefu/2configs/main-laptop.nix +++ b/makefu/2configs/main-laptop.nix @@ -6,7 +6,10 @@ with lib; { - imports = [ ./base-gui.nix ]; + imports = [ + ./base-gui.nix + ./fetchWallpaper.nix + ]; environment.systemPackages = with pkgs;[ vlc firefox diff --git a/makefu/2configs/tinc-basic-retiolum.nix b/makefu/2configs/tinc-basic-retiolum.nix index fd6d1683d..2abf4f188 100644 --- a/makefu/2configs/tinc-basic-retiolum.nix +++ b/makefu/2configs/tinc-basic-retiolum.nix @@ -9,6 +9,7 @@ with lib; "gum" "pigstarter" "fastpoke" + "ire" ]; }; } diff --git a/makefu/5pkgs/awesomecfg/full.cfg b/makefu/5pkgs/awesomecfg/full.cfg index b3f94e655..15711a5d5 100644 --- a/makefu/5pkgs/awesomecfg/full.cfg +++ b/makefu/5pkgs/awesomecfg/full.cfg @@ -12,6 +12,8 @@ local beautiful = require("beautiful") local naughty = require("naughty") local menubar = require("menubar") + + -- {{{ Error handling -- Check if awesome encountered an error during startup and fell back to -- another config (This code will only ever execute for the fallback config) @@ -90,6 +92,20 @@ vicious.register(batwidget, vicious.widgets.bat, "$2%", 61, "BAT0") -- -- beautiful.init("/nix/store/qbx8r72yzaxpz41zq00902zwajl31b5h-awesome-3.5.6/share/awesome/themes/default/theme.lua") +function find_default_theme() + -- find the default lua theme in the package path + for path in package.path:gmatch('([^;]+);') do + if path:match('awesome.*share') then + theme_path = path:match('^([^?]*)') .. '../themes/default/theme.lua' + if awful.util.file_readable(theme_path) then return theme_path end + end + end +end + +beautiful.init(find_default_theme()) +client.connect_signal("focus", function(c) c.border_color = beautiful.border_focus end) +client.connect_signal("unfocus", function(c) c.border_color = beautiful.border_normal end) + -- This is used later as the default terminal and editor to run. terminal = "urxvt" editor = os.getenv("EDITOR") or "vim" @@ -494,21 +510,9 @@ local os = { date = os.date, time = os.time } + -- }}} -function find_default_theme() - -- find the default lua theme in the package path - for path in package.path:gmatch('([^;]+);') do - if path:match('awesome.*share') then - theme_path = path:match('^([^?]*)') .. '../themes/default/theme.lua' - if awful.util.file_readable(theme_path) then return theme_path end - end - end -end - -beautiful.init(find_default_theme()) -client.connect_signal("focus", function(c) c.border_color = beautiful.border_focus end) -client.connect_signal("unfocus", function(c) c.border_color = beautiful.border_normal end) -- }}} |