diff options
| -rw-r--r-- | 0make/lass/cloudkrebs.makefile | 4 | ||||
| -rw-r--r-- | 2configs/lass/git-repos.nix | 140 | ||||
| -rw-r--r-- | 2configs/lass/mors/retiolum.nix | 21 | ||||
| -rw-r--r-- | default.nix | 2 | ||||
| -rw-r--r-- | krebs/3modules/default.nix (renamed from 3modules/krebs/default.nix) | 83 | ||||
| -rw-r--r-- | krebs/3modules/git.nix (renamed from 3modules/krebs/git.nix) | 6 | ||||
| -rw-r--r-- | krebs/3modules/github-hosts-sync.nix (renamed from 3modules/krebs/github-hosts-sync.nix) | 6 | ||||
| -rw-r--r-- | krebs/3modules/nginx.nix (renamed from 3modules/krebs/nginx.nix) | 0 | ||||
| -rw-r--r-- | krebs/3modules/retiolum.nix (renamed from 3modules/krebs/retiolum.nix) | 0 | ||||
| -rw-r--r-- | krebs/3modules/urlwatch.nix (renamed from 3modules/krebs/urlwatch.nix) | 0 | ||||
| -rw-r--r-- | krebs/4lib/default.nix (renamed from 4lib/krebs/default.nix) | 0 | ||||
| -rw-r--r-- | krebs/4lib/dns.nix (renamed from 4lib/krebs/dns.nix) | 0 | ||||
| -rw-r--r-- | krebs/4lib/listset.nix (renamed from 4lib/krebs/listset.nix) | 0 | ||||
| -rw-r--r-- | krebs/4lib/tree.nix (renamed from 4lib/krebs/tree.nix) | 0 | ||||
| -rw-r--r-- | krebs/4lib/types.nix (renamed from 4lib/krebs/types.nix) | 0 | ||||
| -rw-r--r-- | krebs/5pkgs/default.nix (renamed from Zpkgs/krebs/default.nix) | 0 | ||||
| -rw-r--r-- | krebs/5pkgs/dic.nix (renamed from Zpkgs/krebs/dic.nix) | 0 | ||||
| -rw-r--r-- | krebs/5pkgs/genid.nix (renamed from Zpkgs/krebs/genid.nix) | 0 | ||||
| -rw-r--r-- | krebs/5pkgs/github-hosts-sync.nix (renamed from Zpkgs/krebs/github-hosts-sync.nix) | 0 | ||||
| -rw-r--r-- | krebs/5pkgs/github-known_hosts.nix (renamed from Zpkgs/krebs/github-known_hosts.nix) | 0 | ||||
| -rw-r--r-- | krebs/5pkgs/hashPassword.nix (renamed from Zpkgs/krebs/hashPassword.nix) | 0 | ||||
| -rw-r--r-- | lass/1systems/cloudkrebs.nix | 46 | ||||
| -rw-r--r-- | lass/1systems/mors.nix (renamed from 1systems/lass/mors.nix) | 94 | ||||
| -rw-r--r-- | lass/1systems/uriel.nix (renamed from 1systems/lass/uriel.nix) | 69 | ||||
| -rw-r--r-- | lass/2configs/base.nix (renamed from 2configs/lass/base.nix) | 77 | ||||
| -rw-r--r-- | lass/2configs/binary-caches.nix (renamed from 2configs/lass/binary-caches.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/bird.nix (renamed from 2configs/lass/bird.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/bitcoin.nix (renamed from 2configs/lass/bitcoin.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/browsers.nix (renamed from 2configs/lass/browsers.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/chromium-patched.nix (renamed from 2configs/lass/chromium-patched.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/desktop-base.nix (renamed from 2configs/lass/desktop-base.nix) | 6 | ||||
| -rw-r--r-- | lass/2configs/elster.nix (renamed from 2configs/lass/elster.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/fastpoke-pages.nix | 97 | ||||
| -rw-r--r-- | lass/2configs/games.nix (renamed from 2configs/lass/games.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/gitolite-base.nix (renamed from 2configs/lass/gitolite-base.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/identity.nix | 50 | ||||
| -rw-r--r-- | lass/2configs/ircd.nix (renamed from 2configs/lass/ircd.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/mors/repos.nix (renamed from 2configs/lass/mors/repos.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/new-repos.nix | 77 | ||||
| -rw-r--r-- | lass/2configs/pass.nix (renamed from 2configs/lass/pass.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/programs.nix (renamed from 2configs/lass/programs.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/retiolum.nix | 28 | ||||
| -rw-r--r-- | lass/2configs/sshkeys.nix (renamed from 2configs/lass/sshkeys.nix) | 2 | ||||
| -rw-r--r-- | lass/2configs/steam.nix (renamed from 2configs/lass/steam.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/texlive.nix (renamed from 2configs/lass/texlive.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/urxvt.nix (renamed from 2configs/lass/urxvt.nix) | 4 | ||||
| -rw-r--r-- | lass/2configs/vim.nix (renamed from 2configs/lass/vim.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/virtualbox.nix (renamed from 2configs/lass/virtualbox.nix) | 0 | ||||
| -rw-r--r-- | lass/2configs/wine.nix (renamed from 2configs/lass/wine.nix) | 0 | ||||
| -rw-r--r-- | lass/3modules/default.nix | 8 | ||||
| -rw-r--r-- | lass/3modules/iptables.nix (renamed from 3modules/lass/iptables.nix) | 2 | ||||
| -rw-r--r-- | lass/3modules/sshkeys.nix (renamed from 3modules/lass/sshkeys.nix) | 0 | ||||
| -rw-r--r-- | lass/3modules/urxvtd.nix (renamed from 3modules/lass/urxvtd.nix) | 0 | ||||
| -rw-r--r-- | lass/3modules/xresources.nix (renamed from 3modules/lass/xresources.nix) | 2 | ||||
| -rw-r--r-- | tv/4lib/default.nix | 2 | ||||
| -rw-r--r-- | tv/5pkgs/default.nix | 4 |
56 files changed, 520 insertions, 310 deletions
diff --git a/0make/lass/cloudkrebs.makefile b/0make/lass/cloudkrebs.makefile new file mode 100644 index 000000000..baf7660b4 --- /dev/null +++ b/0make/lass/cloudkrebs.makefile @@ -0,0 +1,4 @@ +deploy_host := root@cloudkrebs +nixpkgs_url := https://github.com/Lassulus/nixpkgs +nixpkgs_rev := 1879a011925c561f0a7fd4043da0768bbff41d0b +secrets_dir := /home/lass/secrets/cloudkrebs diff --git a/2configs/lass/git-repos.nix b/2configs/lass/git-repos.nix deleted file mode 100644 index c0c305b85..000000000 --- a/2configs/lass/git-repos.nix +++ /dev/null @@ -1,140 +0,0 @@ -{ config, lib, pkgs, ... }: - -let - inherit (builtins) map readFile; - inherit (lib) concatMap listToAttrs; - # TODO lib should already include our stuff - inherit (import ../../4lib/tv { inherit lib pkgs; }) addNames git; - - x-repos = [ - (krebs-private "brain") - - (public "painload") - (public "shitment") - (public "wai-middleware-time") - (public "web-routes-wai-custom") - - (secret "pass") - - (tv-lass "emse-drywall") - (tv-lass "emse-hsdb") - ]; - - users = addNames { - tv = { pubkey = readFile ../../Zpubkeys/tv_wu.ssh.pub; }; - lass = { pubkey = readFile ../../Zpubkeys/lass.ssh.pub; }; - uriel = { pubkey = readFile ../../Zpubkeys/uriel.ssh.pub; }; - makefu = { pubkey = readFile ../../Zpubkeys/makefu.ssh.pub; }; - }; - - repos = listToAttrs (map ({ repo, ... }: { name = repo.name; value = repo; }) x-repos); - - rules = concatMap ({ rules, ... }: rules) x-repos; - - krebs-private = repo-name: - rec { - repo = { - name = repo-name; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "ire.retiolum"; - }; - }; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - public = repo-name: - rec { - repo = { - name = repo-name; - hooks = { - post-receive = git.irc-announce { - nick = config.networking.hostName; # TODO make this the default - channel = "#retiolum"; - server = "ire.retiolum"; - }; - }; - public = true; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv makefu uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - secret = repo-name: - rec { - repo = { - name = repo-name; - hooks = {}; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ uriel ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - - tv-lass = repo-name: - rec { - repo = { - name = repo-name; - hooks = {}; - }; - rules = with git; with users; [ - { user = lass; - repo = [ repo ]; - perm = push "refs/*" [ non-fast-forward create delete merge ]; - } - { user = [ tv ]; - repo = [ repo ]; - perm = fetch; - } - ]; - }; - -in - -{ - imports = [ - ../../3modules/tv/git.nix - ../../3modules/lass/iptables.nix - ]; - - tv.git = { - enable = true; - inherit repos rules users; - }; - - lass.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; } - ]; - }; - }; - -} diff --git a/2configs/lass/mors/retiolum.nix b/2configs/lass/mors/retiolum.nix deleted file mode 100644 index 1148bee9c..000000000 --- a/2configs/lass/mors/retiolum.nix +++ /dev/null @@ -1,21 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ../tv/retiolum - ]; - - tv.retiolum = { - enable = true; - hosts = <retiolum-hosts>; - privateKeyFile = "/etc/nixos/secrets/mors.retiolum.rsa_key.priv"; - connectTo = [ - "fastpoke" - "gum" - "ire" - ]; - }; - - networking.firewall.allowedTCPPorts = [ 655 ]; - networking.firewall.allowedUDPPorts = [ 655 ]; -} diff --git a/default.nix b/default.nix index 0ee1c3d05..59a76f81b 100644 --- a/default.nix +++ b/default.nix @@ -7,7 +7,7 @@ let modules = map (p: ./. + "/${p}") [ "${user-name}/1systems/${system-name}.nix" "${user-name}/3modules" - "3modules/krebs" + "krebs/3modules" ]; }; diff --git a/3modules/krebs/default.nix b/krebs/3modules/default.nix index 9e25df0bf..668d66ccf 100644 --- a/3modules/krebs/default.nix +++ b/krebs/3modules/default.nix @@ -1,6 +1,6 @@ { config, lib, ... }: -with import ../../4lib/krebs { inherit lib; }; +with import ../4lib { inherit lib; }; let cfg = config.krebs; @@ -188,6 +188,87 @@ let lass-imp = { hosts = addNames { + cloudkrebs = { + cores = 1; + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["104.167.113.104"]; + aliases = [ + "cloudkrebs.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.206.102"]; + addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; + aliases = [ + "cloudkrebs.retiolum" + "cgit.cloudkrebs.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA + OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF + QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v + 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC + sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO + TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + uriel = { + cores = 1; + dc = "lass"; + nets = rec { + retiolum = { + addrs4 = ["10.243.81.176"]; + addrs6 = ["42:dc25:60cf:94ef:759b:d2b6:98a9:2e56"]; + aliases = [ + "uriel.retiolum" + "cgit.uriel.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAzw0pvoEmqeqiZrzSOPH0IT99gr1rrvMZbvabXoU4MAiVgGoGrkmR + duJkk8Fj12ftMc+Of1gnwDkFhRcfAKOeH1RSc4CTircWVq99WyecTwEZoaR/goQb + MND022kIBoG6NQNxv1Y5I1B/h7hfloMFEPym9oFtOAXoGhBY2vVl4g64NNz+RLME + m1RipLXKANAh6LRNPGPQCUYX4TVY2ZJVxM3CM1XdomUAdOYXJmWFyUg9NcIKaacx + uRrmuy7J9yFBcihZX5Y7NV361kINrpRmZYxJRf9cr0hb5EkJJ7bMIKQMEFQ5RnYo + u7MPGKD7aNHa6hLLCeIfJ5u0igVmSLh3pwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + mors = { + cores = 2; + dc = "lass"; + nets = rec { + retiolum = { + addrs4 = ["10.243.0.2"]; + addrs6 = ["42:0:0:0:0:0:0:dea7"]; + aliases = [ + "mors.retiolum" + "cgit.mors.retiolum" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAsj1PCibKOfF68gmFQ+wwyfhUWpqKqpznrJX1dZ+daae7l7nBHvsE + H0QwkiMmk3aZy1beq3quM6gX13aT+/wMfWnLyuvT11T5C9JEf/IS91STpM2BRN+R + +P/DhbuDcW4UsdEe6uwQDGEJbXRN5ZA7GI0bmcYcwHJ9SQmW5v7P9Z3oZ+09hMD+ + 1cZ3HkPN7weSdMLMPpUpmzCsI92cXGW0xRC4iBEt1ZeBwjkLCRsBFBGcUMuKWwVa + 9sovca0q3DUar+kikEKVrVy26rZUlGuBLobMetDGioSawWkRSxVlfZvTHjAK5JzU + O6y6hj0yQ1sp6W2JjU8ntDHf63aM71dB9QIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + secure = true; + }; + }; users = addNames { lass = { diff --git a/3modules/krebs/git.nix b/krebs/3modules/git.nix index 604645189..64b7820b2 100644 --- a/3modules/krebs/git.nix +++ b/krebs/3modules/git.nix @@ -6,15 +6,11 @@ # TODO when authorized_keys changes, then restart ssh # (or kill already connected users somehow) -with import ../../4lib/krebs { inherit lib; }; +with import ../4lib { inherit lib; }; let cfg = config.krebs.git; out = { - # TODO don't import krebs.nginx here - imports = [ - ../../3modules/krebs/nginx.nix - ]; options.krebs.git = api; config = mkIf cfg.enable (mkMerge [ (mkIf cfg.cgit cgit-imp) diff --git a/3modules/krebs/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index c3b56ef94..0274b9d15 100644 --- a/3modules/krebs/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -61,9 +61,9 @@ let ${cfg.ssh-identity-file} \ "$ssh_identity_file_target" - ln -snf ${Zpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts + ln -snf ${kpkgs.github-known_hosts} ${cfg.dataDir}/.ssh/known_hosts ''; - ExecStart = "${Zpkgs.github-hosts-sync}/bin/github-hosts-sync"; + ExecStart = "${kpkgs.github-hosts-sync}/bin/github-hosts-sync"; }; }; @@ -78,6 +78,6 @@ let uid = 3220554646; # genid github-hosts-sync }; - Zpkgs = import ../../Zpkgs/krebs { inherit pkgs; }; + kpkgs = import ../../krebs/5pkgs { inherit pkgs; }; in out diff --git a/3modules/krebs/nginx.nix b/krebs/3modules/nginx.nix index 702e8a7f6..702e8a7f6 100644 --- a/3modules/krebs/nginx.nix +++ b/krebs/3modules/nginx.nix diff --git a/3modules/krebs/retiolum.nix b/krebs/3modules/retiolum.nix index 481d6565c..481d6565c 100644 --- a/3modules/krebs/retiolum.nix +++ b/krebs/3modules/retiolum.nix diff --git a/3modules/krebs/urlwatch.nix b/krebs/3modules/urlwatch.nix index 39d9fec54..39d9fec54 100644 --- a/3modules/krebs/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix diff --git a/4lib/krebs/default.nix b/krebs/4lib/default.nix index b67585335..b67585335 100644 --- a/4lib/krebs/default.nix +++ b/krebs/4lib/default.nix diff --git a/4lib/krebs/dns.nix b/krebs/4lib/dns.nix index b2cf3c24c..b2cf3c24c 100644 --- a/4lib/krebs/dns.nix +++ b/krebs/4lib/dns.nix diff --git a/4lib/krebs/listset.nix b/krebs/4lib/listset.nix index 3aae22f20..3aae22f20 100644 --- a/4lib/krebs/listset.nix +++ b/krebs/4lib/listset.nix diff --git a/4lib/krebs/tree.nix b/krebs/4lib/tree.nix index 1cd83b3f6..1cd83b3f6 100644 --- a/4lib/krebs/tree.nix +++ b/krebs/4lib/tree.nix diff --git a/4lib/krebs/types.nix b/krebs/4lib/types.nix index 92410dd58..92410dd58 100644 --- a/4lib/krebs/types.nix +++ b/krebs/4lib/types.nix diff --git a/Zpkgs/krebs/default.nix b/krebs/5pkgs/default.nix index 231fda797..231fda797 100644 --- a/Zpkgs/krebs/default.nix +++ b/krebs/5pkgs/default.nix diff --git a/Zpkgs/krebs/dic.nix b/krebs/5pkgs/dic.nix index 571773d22..571773d22 100644 --- a/Zpkgs/krebs/dic.nix +++ b/krebs/5pkgs/dic.nix diff --git a/Zpkgs/krebs/genid.nix b/krebs/5pkgs/genid.nix index c75bec317..c75bec317 100644 --- a/Zpkgs/krebs/genid.nix +++ b/krebs/5pkgs/genid.nix diff --git a/Zpkgs/krebs/github-hosts-sync.nix b/krebs/5pkgs/github-hosts-sync.nix index d69b2b12b..d69b2b12b 100644 --- a/Zpkgs/krebs/github-hosts-sync.nix +++ b/krebs/5pkgs/github-hosts-sync.nix diff --git a/Zpkgs/krebs/github-known_hosts.nix b/krebs/5pkgs/github-known_hosts.nix index 302fdd8d5..302fdd8d5 100644 --- a/Zpkgs/krebs/github-known_hosts.nix +++ b/krebs/5pkgs/github-known_hosts.nix diff --git a/Zpkgs/krebs/hashPassword.nix b/krebs/5pkgs/hashPassword.nix index a10340cc4..a10340cc4 100644 --- a/Zpkgs/krebs/hashPassword.nix +++ b/krebs/5pkgs/hashPassword.nix diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix new file mode 100644 index 000000000..a60024b03 --- /dev/null +++ b/lass/1systems/cloudkrebs.nix @@ -0,0 +1,46 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ../../2configs/tv/CAC-Developer-2.nix + ../../2configs/tv/CAC-CentOS-7-64bit.nix + ../../2configs/lass/base.nix + ../../2configs/lass/retiolum.nix + ../../2configs/lass/fastpoke-pages.nix + ../../2configs/lass/new-repos.nix + { + networking.interfaces.enp2s1.ip4 = [ + { + address = "104.167.113.104"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "104.167.113.1"; + networking.nameservers = [ + "8.8.8.8" + ]; + + } + ]; + + krebs.build = { + user = config.krebs.users.lass; + target = "root@cloudkrebs"; + host = config.krebs.hosts.cloudkrebs; + deps = { + nixpkgs = { + url = https://github.com/Lassulus/nixpkgs; + rev = "1879a011925c561f0a7fd4043da0768bbff41d0b"; + }; + secrets = { + url = "/home/lass/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; + }; + + networking.hostName = "cloudkrebs"; + +} diff --git a/1systems/lass/mors.nix b/lass/1systems/mors.nix index 940dc4fdb..5bef56682 100644 --- a/1systems/lass/mors.nix +++ b/lass/1systems/mors.nix @@ -2,44 +2,43 @@ { imports = [ - ../../2configs/lass/desktop-base.nix - ../../2configs/lass/programs.nix - ../../2configs/lass/bitcoin.nix - ../../2configs/lass/browsers.nix - ../../2configs/lass/games.nix - ../../2configs/lass/pass.nix - ../../2configs/lass/vim.nix - ../../2configs/lass/virtualbox.nix - ../../2configs/lass/elster.nix - ../../2configs/lass/urxvt.nix - ../../2configs/lass/steam.nix - ../../2configs/lass/wine.nix - ../../2configs/lass/texlive.nix - ../../2configs/lass/binary-caches.nix - ../../2configs/lass/ircd.nix - ../../2configs/lass/chromium-patched.nix - ../../2configs/lass/git-repos.nix - ../../2configs/tv/synaptics.nix - ../../2configs/tv/exim-retiolum.nix - { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; + ../2configs/desktop-base.nix + ../2configs/programs.nix + ../2configs/bitcoin.nix + ../2configs/browsers.nix + ../2configs/games.nix + ../2configs/pass.nix + ../2configs/virtualbox.nix + ../2configs/elster.nix + ../2configs/urxvt.nix + ../2configs/steam.nix + ../2configs/wine.nix + ../2configs/texlive.nix + ../2configs/binary-caches.nix + ../2configs/ircd.nix + ../2configs/chromium-patched.nix + ../2configs/new-repos.nix + #../../2configs/tv/synaptics.nix + ../2configs/retiolum.nix + ]; + + krebs.build = { + user = config.krebs.users.lass; + target = "root@mors"; + host = config.krebs.hosts.mors; + deps = { + nixpkgs = { + url = https://github.com/Lassulus/nixpkgs; + rev = "1879a011925c561f0a7fd4043da0768bbff41d0b"; }; - } - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; + secrets = { + url = "/home/lass/secrets/${config.krebs.build.host.name}"; }; - } - ]; + stockholm = { + url = toString ../..; + }; + }; + }; networking.hostName = "mors"; networking.wireless.enable = true; @@ -168,21 +167,6 @@ ''; }; - users.extraUsers = { - #main user - mainUser = { - uid = 1337; - name = "lass"; - #isNormalUser = true; - group = "users"; - createHome = true; - home = "/home/lass"; - useDefaultShell = true; - isSystemUser = false; - extraGroups = [ "wheel" "audio" ]; - }; - }; - environment.systemPackages = with pkgs; [ ]; @@ -217,4 +201,12 @@ services.mongodb = { enable = true; }; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8000"; target = "ACCEPT"; precedence = 9001; } + ]; + }; + }; } diff --git a/1systems/lass/uriel.nix b/lass/1systems/uriel.nix index 25745d055..74d995560 100644 --- a/1systems/lass/uriel.nix +++ b/lass/1systems/uriel.nix @@ -1,38 +1,48 @@ { config, pkgs, ... }: +with builtins; { imports = [ ../../2configs/lass/desktop-base.nix ../../2configs/lass/browsers.nix ../../2configs/lass/games.nix ../../2configs/lass/pass.nix - ../../2configs/lass/vim.nix ../../2configs/lass/urxvt.nix ../../2configs/lass/bird.nix - ../../2configs/lass/git-repos.nix + ../../2configs/lass/new-repos.nix ../../2configs/lass/chromium-patched.nix - ../../2configs/tv/exim-retiolum.nix + ../../2configs/lass/retiolum.nix { - imports = [ ../../3modules/tv/retiolum.nix ]; - tv.retiolum = { - enable = true; - hosts = ../../Zhosts; - connectTo = [ - "fastpoke" - "gum" - "pigstarter" - ]; - }; - } - { - imports = [ ../../3modules/tv/identity.nix ]; - tv.identity = { - enable = true; + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/uriel.ssh.pub + ]; + }; }; } ]; + krebs.build = { + user = config.krebs.users.lass; + target = "root@uriel"; + host = config.krebs.hosts.uriel; + deps = { + nixpkgs = { + url = https://github.com/Lassulus/nixpkgs; + rev = "961fcbabd7643171ea74bd550fee1ce5c13c2e90"; + }; + secrets = { + url = "/home/lass/secrets/${config.krebs.build.host.name}"; + }; + stockholm = { + url = toString ../..; + }; + }; + }; + networking.hostName = "uriel"; + networking.wireless.enable = true; nix.maxJobs = 2; @@ -87,29 +97,6 @@ ''; }; - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - mainUser = { - uid = 1337; - name = "lass"; - #isNormalUser = true; - group = "users"; - createHome = true; - home = "/home/lass"; - useDefaultShell = true; - isSystemUser = false; - description = "lassulus"; - extraGroups = [ "wheel" "audio" ]; - openssh.authorizedKeys.keys = [ - config.sshKeys.lass.pub - ]; - }; - }; - environment.systemPackages = with pkgs; [ ]; diff --git a/2configs/lass/base.nix b/lass/2configs/base.nix index 5e5b8a7b1..8379f14e4 100644 --- a/2configs/lass/base.nix +++ b/lass/2configs/base.nix @@ -3,16 +3,44 @@ with lib; { imports = [ - ./sshkeys.nix - ../../3modules/lass/iptables.nix + ../3modules/iptables.nix + ../2configs/vim.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) (import /root/src/secrets/hashedPasswords.nix); } - + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + mainUser = { + name = "lass"; + uid = 1337; + home = "/home/lass"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "wheel" + ]; + openssh.authorizedKeys.keys = map readFile [ + ../../Zpubkeys/lass.ssh.pub + ]; + }; + }; + } ]; + krebs = { + enable = true; + search-domain = "retiolum"; + }; + nix.useChroot = true; users.mutableUsers = false; @@ -30,6 +58,8 @@ with lib; ''; environment.systemPackages = with pkgs; [ + nmap + git most rxvt_unicode.terminfo @@ -77,11 +107,11 @@ with lib; "sendmail" ]; - services.gitolite = { - enable = true; - dataDir = "/home/gitolite"; - adminPubkey = config.sshKeys.lass.pub; - }; + #services.gitolite = { + # enable = true; + # dataDir = "/home/gitolite"; + # adminPubkey = config.sshKeys.lass.pub; + #}; services.openssh = { enable = true; @@ -102,35 +132,12 @@ with lib; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; filter.INPUT.rules = [ - { predicate = "-i lo"; target = "ACCEPT"; } - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { predicate = "-p icmp"; target = "ACCEPT"; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } ]; }; }; - #Networking.firewall = { - # enable = true; - - # allowedTCPPorts = [ - # 22 - # ]; - - # extraCommands = '' - # iptables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # iptables -A INPUT -j ACCEPT -i lo - # #http://serverfault.com/questions/84963/why-not-block-icmp - # iptables -A INPUT -j ACCEPT -p icmp - - # #TODO: fix Retiolum firewall - # #iptables -N RETIOLUM - # #iptables -A INPUT -j RETIOLUM -i retiolum - # #iptables -A RETIOLUM -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - # #iptables -A RETIOLUM -j REJECT -p tcp --reject-with tcp-reset - # #iptables -A RETIOLUM -j REJECT -p udp --reject-with icmp-port-unreachable - # #iptables -A RETIOLUM -j REJECT --reject-with icmp-proto-unreachable - # #iptables -A RETIOLUM -j REJECT - # ''; - #}; } diff --git a/2configs/lass/binary-caches.nix b/lass/2configs/binary-caches.nix index c2727520d..c2727520d 100644 --- a/2configs/lass/binary-caches.nix +++ b/lass/2configs/binary-caches.nix diff --git a/2configs/lass/bird.nix b/lass/2configs/bird.nix index 3fc265cd7..3fc265cd7 100644 --- a/2configs/lass/bird.nix +++ b/lass/2configs/bird.nix diff --git a/2configs/lass/bitcoin.nix b/lass/2configs/bitcoin.nix index d3bccbf5c..d3bccbf5c 100644 --- a/2configs/lass/bitcoin.nix +++ b/lass/2configs/bitcoin.nix diff --git a/2configs/lass/browsers.nix b/lass/2configs/browsers.nix index 8aecea925..8aecea925 100644 --- a/2configs/lass/browsers.nix +++ b/lass/2configs/browsers.nix diff --git a/2configs/lass/chromium-patched.nix b/lass/2configs/chromium-patched.nix index 715181778..715181778 100644 --- a/2configs/lass/chromium-patched.nix +++ b/lass/2configs/chromium-patched.nix diff --git a/2configs/lass/desktop-base.nix b/lass/2configs/desktop-base.nix index ee7a94bc9..9b98e4a8b 100644 --- a/2configs/lass/desktop-base.nix +++ b/lass/2configs/desktop-base.nix @@ -55,11 +55,9 @@ in { displayManager.auto.enable = true; displayManager.auto.user = mainUser.name; - layout = "us,de"; + layout = "us"; xkbModel = "evdev"; - xkbVariant = "altgr-intl,nodeadkeys"; - xkbOptions = "grp:caps_toggle"; - + xkbVariant = "altgr-intl"; }; } diff --git a/2configs/lass/elster.nix b/lass/2configs/elster.nix index 1edd01896..1edd01896 100644 --- a/2configs/lass/elster.nix +++ b/lass/2configs/elster.nix diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix new file mode 100644 index 000000000..74e92ccc3 --- /dev/null +++ b/lass/2configs/fastpoke-pages.nix @@ -0,0 +1,97 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + createStaticPage = domain: + { + krebs.nginx.servers."${domain}" = { + server-names = [ + "${domain}" + "www.${domain}" + ]; + locations = [ + (nameValuePair "/" '' + root /var/lib/http/${domain}; + '') + ]; + }; + #networking.extraHosts = '' + # 10.243.206.102 ${domain} + #''; + }; + +in { + imports = [ + ../../3modules/lass/iptables.nix + ] ++ map createStaticPage [ + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + ]; + }; + }; + + + krebs.nginx = { + enable = true; + servers = { + + #"habsys.de" = { + # server-names = [ + # "habsys.de" + # "www.habsys.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/habsys.de; + # '') + # ]; + #}; + + #"karlaskop.de" = { + # server-names = [ + # "karlaskop.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; + + #"pixelpocket.de" = { + # server-names = [ + # "pixelpocket.de" + # "www.karlaskop.de" + # ]; + # locations = [ + # (nameValuePair "/" '' + # root /var/lib/http/karlaskop.de; + # '') + # ]; + #}; + + }; + }; + + #services.postgresql = { + # enable = true; + #}; + + #config.services.vsftpd = { + # enable = true; + # userlistEnable = true; + # userlistFile = pkgs.writeFile "vsftpd-userlist" '' + # ''; + #}; +} diff --git a/2configs/lass/games.nix b/lass/2configs/games.nix index 6043a8759..6043a8759 100644 --- a/2configs/lass/games.nix +++ b/lass/2configs/games.nix diff --git a/2configs/lass/gitolite-base.nix b/lass/2configs/gitolite-base.nix index b47629956..b47629956 100644 --- a/2configs/lass/gitolite-base.nix +++ b/lass/2configs/gitolite-base.nix diff --git a/lass/2configs/identity.nix b/lass/2configs/identity.nix new file mode 100644 index 000000000..e712b16ac --- /dev/null +++ b/lass/2configs/identity.nix @@ -0,0 +1,50 @@ +{ config, ... }: + +{ + imports = [ + ../../tv/3modules/identity.nix + ]; + tv.identity = { + enable = true; + search = "retiolum"; + hosts = { + cloudkrebs = { + cores = 1; + dc = "lass"; #dc = "cac"; + nets = rec { + internet = { + addrs4 = ["104.167.113.104"]; + aliases = [ + "cloudkrebs.internet" + ]; + }; + retiolum = { + via = internet; + addrs4 = ["10.243.206.102"]; + addrs6 = ["42:941e:2816:35f4:5c5e:206b:3f0b:f762"]; + aliases = [ + "cloudkrebs.retiolum" + "cgit.cloudkrebs.retiolum" + "habsys.de" + "pixelpocket.de" + "karlaskop.de" + "ubikmedia.de" + "apanowicz.de" + "aidsballs.de" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAttUygCu7G6lIA9y+9rfTpLKIy2UgNDglUVoKZYLs8JPjtAtQVbtA + OcWwwPc8ijLQvwJWa8e/shqSzSIrtOe+HJbRGdXLdBLtOuLKpz+ZFHcS+95RS5aF + QTehg+QY7pvhbrrwKX936tkMR568suTQG6C8qNC/5jWYO/wIxFMhnQ2iRRKQOq1v + 3aGGPC16KeXKVioY9KoV98S3n1rZW1JK07CIsZU4qb5txtLlW6FplJ7UmhVku1WC + sgOOj9yi6Zk1t8R2Pwv9gxa3Hc270voj5U+I2hgLV/LjheE8yhQgYHEA4vXerPdO + TGSATlSmMtE2NYGrKsLM7pKn286aSpXinwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + }; + }; + }; +} diff --git a/2configs/lass/ircd.nix b/lass/2configs/ircd.nix index f71b769fd..f71b769fd 100644 --- a/2configs/lass/ircd.nix +++ b/lass/2configs/ircd.nix diff --git a/2configs/lass/mors/repos.nix b/lass/2configs/mors/repos.nix index 1f7f33456..1f7f33456 100644 --- a/2configs/lass/mors/repos.nix +++ b/lass/2configs/mors/repos.nix diff --git a/lass/2configs/new-repos.nix b/lass/2configs/new-repos.nix new file mode 100644 index 000000000..64e9a7f14 --- /dev/null +++ b/lass/2configs/new-repos.nix @@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: + +with import ../../tv/4lib { inherit lib pkgs; }; +let + + out = { + krebs.git = { + enable = true; + root-title = "public repositories at ${config.krebs.build.host.name}"; + root-desc = "keep calm and engage"; + inherit repos rules; + }; + }; + + repos = mapAttrs (_: s: removeAttrs s ["collaborators"]) ( + public-repos // + optionalAttrs config.krebs.build.host.secure restricted-repos + ); + + rules = concatMap make-rules (attrValues repos); + + public-repos = mapAttrs make-public-repo { + painload = {}; + stockholm = { + desc = "take all the computers hostage, they'll love you!"; + }; + wai-middleware-time = {}; + web-routes-wai-custom = {}; + }; + + restricted-repos = mapAttrs make-restricted-repo ( + { + brain = { + collaborators = with config.krebs.users; [ tv makefu ]; + }; + } // + import /root/src/secrets/repos.nix { inherit config lib pkgs; } + ); + + make-public-repo = name: { desc ? null, ... }: { + inherit name desc; + public = true; + hooks = { + post-receive = git.irc-announce { + # TODO make nick = config.krebs.build.host.name the default + nick = config.krebs.build.host.name; + channel = "#retiolum"; + server = "cd.retiolum"; + }; + }; + }; + + make-restricted-repo = name: { desc ? null, ... }: { + inherit name desc; + public = false; + }; + + make-rules = + with git // config.krebs.users; + repo: + singleton { + user = lass; + repo = [ repo ]; + perm = push "refs/*" [ non-fast-forward create delete merge ]; + } ++ + optional repo.public { + user = [ tv makefu uriel ]; + repo = [ repo ]; + perm = fetch; + } ++ + optional (length (repo.collaborators or []) > 0) { + user = repo.collaborators; + repo = [ repo ]; + perm = fetch; + }; + +in out diff --git a/2configs/lass/pass.nix b/lass/2configs/pass.nix index 33eca0a17..33eca0a17 100644 --- a/2configs/lass/pass.nix +++ b/lass/2configs/pass.nix diff --git a/2configs/lass/programs.nix b/lass/2configs/programs.nix index 41d241bac..41d241bac 100644 --- a/2configs/lass/programs.nix +++ b/lass/2configs/programs.nix diff --git a/lass/2configs/retiolum.nix b/lass/2configs/retiolum.nix new file mode 100644 index 000000000..b8a9cec72 --- /dev/null +++ b/lass/2configs/retiolum.nix @@ -0,0 +1,28 @@ +{ ... }: + +{ + imports = [ + ../3modules/iptables.nix + ../../tv/2configs/exim-retiolum.nix + ]; + + lass.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } + { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; } + { predicate = "-p udp --dport tinc"; target = "ACCEPT"; } + ]; + }; + }; + + krebs.retiolum = { + enable = true; + hosts = ../../Zhosts; + connectTo = [ + "fastpoke" + "cloudkrebs" + "pigstarter" + ]; + }; +} diff --git a/2configs/lass/sshkeys.nix b/lass/2configs/sshkeys.nix index 114a2596b..f6081cf37 100644 --- a/2configs/lass/sshkeys.nix +++ b/lass/2configs/sshkeys.nix @@ -2,7 +2,7 @@ { imports = [ - ../../3modules/lass/sshkeys.nix + ../3modules/sshkeys.nix ]; config.sshKeys.lass.pub = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAp83zynhIueJJsWlSEykVSBrrgBFKq38+vT8bRfa+csqyjZBl2SQFuCPo+Qbh49mwchpZRshBa9jQEIGqmXxv/PYdfBFQuOFgyUq9ZcTZUXqeynicg/SyOYFW86iiqYralIAkuGPfQ4howLPVyjTZtWeEeeEttom6p6LMY5Aumjz2em0FG0n9rRFY2fBzrdYAgk9C0N6ojCs/Gzknk9SGntA96MDqHJ1HXWFMfmwOLCnxtE5TY30MqSmkrJb7Fsejwjoqoe9Y/mCaR0LpG2cStC1+37GbHJNH0caCMaQCX8qdfgMVbWTVeFWtV6aWOaRgwLrPDYn4cHWQJqTfhtPrNQ== lass@mors"; diff --git a/2configs/lass/steam.nix b/lass/2configs/steam.nix index 7d088fc6a..7d088fc6a 100644 --- a/2configs/lass/steam.nix +++ b/lass/2configs/steam.nix diff --git a/2configs/lass/texlive.nix b/lass/2configs/texlive.nix index 295df31cd..295df31cd 100644 --- a/2configs/lass/texlive.nix +++ b/lass/2configs/texlive.nix diff --git a/2configs/lass/urxvt.nix b/lass/2configs/urxvt.nix index a2074ba02..1358dde7a 100644 --- a/2configs/lass/urxvt.nix +++ b/lass/2configs/urxvt.nix @@ -7,8 +7,8 @@ in { imports = [ - ../../3modules/lass/urxvtd.nix - ../../3modules/lass/xresources.nix + ../3modules/urxvtd.nix + ../3modules/xresources.nix ]; services.urxvtd = { diff --git a/2configs/lass/vim.nix b/lass/2configs/vim.nix index 3fe45e1d1..3fe45e1d1 100644 --- a/2configs/lass/vim.nix +++ b/lass/2configs/vim.nix diff --git a/2configs/lass/virtualbox.nix b/lass/2configs/virtualbox.nix index 026203124..026203124 100644 --- a/2configs/lass/virtualbox.nix +++ b/lass/2configs/virtualbox.nix diff --git a/2configs/lass/wine.nix b/lass/2configs/wine.nix index 8d55da7fd..8d55da7fd 100644 --- a/2configs/lass/wine.nix +++ b/lass/2configs/wine.nix diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix new file mode 100644 index 000000000..d4e231ec7 --- /dev/null +++ b/lass/3modules/default.nix @@ -0,0 +1,8 @@ +_: + +{ + imports = [ + ./xresources.nix + ./iptables.nix + ]; +} diff --git a/3modules/lass/iptables.nix b/lass/3modules/iptables.nix index c97b9f730..8c6ad3fa1 100644 --- a/3modules/lass/iptables.nix +++ b/lass/3modules/iptables.nix @@ -106,7 +106,7 @@ let buildChain = tn: cn: let - sortedRules = sort (a: b: a.precedence < b.precedence) ts."${tn}"."${cn}".rules; + sortedRules = sort (a: b: a.precedence > b.precedence) ts."${tn}"."${cn}".rules; in #TODO: double check should be unneccessary, refactor! diff --git a/3modules/lass/sshkeys.nix b/lass/3modules/sshkeys.nix index 5f1c60668..5f1c60668 100644 --- a/3modules/lass/sshkeys.nix +++ b/lass/3modules/sshkeys.nix diff --git a/3modules/lass/urxvtd.nix b/lass/3modules/urxvtd.nix index 469616a9f..469616a9f 100644 --- a/3modules/lass/urxvtd.nix +++ b/lass/3modules/urxvtd.nix diff --git a/3modules/lass/xresources.nix b/lass/3modules/xresources.nix index 15c5b8b74..074963022 100644 --- a/3modules/lass/xresources.nix +++ b/lass/3modules/xresources.nix @@ -12,7 +12,7 @@ with lib; let - inherit (import ../../4lib/tv { inherit pkgs lib; }) shell-escape; + inherit (import ../../tv/4lib { inherit pkgs lib; }) shell-escape; inherit (pkgs) writeScript; in diff --git a/tv/4lib/default.nix b/tv/4lib/default.nix index e0a295f17..352689af4 100644 --- a/tv/4lib/default.nix +++ b/tv/4lib/default.nix @@ -1,7 +1,7 @@ { lib, pkgs, ... }: let - krebs = import ../../4lib/krebs { inherit lib; }; + krebs = import ../../krebs/4lib { inherit lib; }; in with krebs; diff --git a/tv/5pkgs/default.nix b/tv/5pkgs/default.nix index 50625f868..7b5d10a60 100644 --- a/tv/5pkgs/default.nix +++ b/tv/5pkgs/default.nix @@ -2,10 +2,10 @@ let inherit (pkgs) callPackage; - krebs = import ../../Zpkgs/krebs { inherit pkgs; }; + kpkgs = import ../../krebs/5pkgs { inherit pkgs; }; in -krebs // { +kpkgs // { charybdis = callPackage ./charybdis {}; lentil = callPackage ./lentil {}; much = callPackage ./much.nix {}; |