Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/cloudkrebs.nix2
-rw-r--r--lass/1systems/dishfire.nix15
-rw-r--r--lass/1systems/echelon.nix1
-rw-r--r--lass/1systems/helios.nix1
-rw-r--r--lass/1systems/mors.nix133
-rw-r--r--lass/1systems/prism.nix18
-rw-r--r--lass/1systems/uriel.nix6
-rw-r--r--lass/2configs/backups.nix99
-rw-r--r--lass/2configs/base.nix26
-rw-r--r--lass/2configs/downloading.nix1
-rw-r--r--lass/2configs/exim-retiolum.nix14
-rw-r--r--lass/2configs/exim-smarthost.nix50
-rw-r--r--lass/2configs/fastpoke-pages.nix101
-rw-r--r--lass/2configs/games.nix2
-rw-r--r--lass/2configs/newsbot-js.nix1
-rw-r--r--lass/2configs/pass.nix1
-rw-r--r--lass/2configs/websites/domsen.nix75
-rw-r--r--lass/2configs/websites/fritz.nix61
-rw-r--r--lass/2configs/websites/wohnprojekt-rhh.de.nix17
-rw-r--r--lass/4lib/default.nix225
-rw-r--r--lass/5pkgs/acronym/default.nix11
-rw-r--r--lass/5pkgs/default.nix2
-rw-r--r--lass/5pkgs/mk_sql_pair/default.nix19
-rw-r--r--lass/5pkgs/urban/default.nix21
24 files changed, 622 insertions, 280 deletions
diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix
index 6cfba567a..82c172050 100644
--- a/lass/1systems/cloudkrebs.nix
+++ b/lass/1systems/cloudkrebs.nix
@@ -9,8 +9,8 @@ in {
../.
../2configs/os-templates/CAC-CentOS-7-64bit.nix
../2configs/base.nix
+ ../2configs/exim-retiolum.nix
../2configs/retiolum.nix
- ../2configs/fastpoke-pages.nix
../2configs/git.nix
../2configs/realwallpaper.nix
{
diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix
index c7d016cd3..4e3b84bd0 100644
--- a/lass/1systems/dishfire.nix
+++ b/lass/1systems/dishfire.nix
@@ -5,6 +5,7 @@
../.
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/base.nix
+ ../2configs/exim-retiolum.nix
../2configs/git.nix
../2configs/websites/fritz.nix
{
@@ -26,10 +27,19 @@
fsType = "ext4";
};
+ fileSystems."/srv/http" = {
+ device = "/dev/pool/srv_http";
+ fsType = "ext4";
+ };
+
fileSystems."/boot" = {
device = "/dev/vda1";
fsType = "ext4";
};
+ fileSystems."/bku" = {
+ device = "/dev/pool/bku";
+ fsType = "ext4";
+ };
}
{
networking.dhcpcd.allowInterfaces = [
@@ -40,6 +50,11 @@
{
sound.enable = false;
}
+ {
+ environment.systemPackages = with pkgs; [
+ mk_sql_pair
+ ];
+ }
];
krebs.build.host = config.krebs.hosts.dishfire;
diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix
index 80611ee80..e2fa1c5f4 100644
--- a/lass/1systems/echelon.nix
+++ b/lass/1systems/echelon.nix
@@ -9,6 +9,7 @@ in {
../.
../2configs/os-templates/CAC-CentOS-7-64bit.nix
../2configs/base.nix
+ ../2configs/exim-retiolum.nix
../2configs/retiolum.nix
../2configs/realwallpaper-server.nix
../2configs/privoxy-retiolum.nix
diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix
index cc98c2c5b..0c7c0d8e3 100644
--- a/lass/1systems/helios.nix
+++ b/lass/1systems/helios.nix
@@ -5,6 +5,7 @@ with builtins;
imports = [
../.
../2configs/baseX.nix
+ ../2configs/exim-retiolum.nix
../2configs/browsers.nix
../2configs/programs.nix
../2configs/git.nix
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 1f7a13c56..bdc9c3242 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -4,6 +4,7 @@
imports = [
../.
../2configs/baseX.nix
+ ../2configs/exim-retiolum.nix
../2configs/programs.nix
../2configs/bitcoin.nix
../2configs/browsers.nix
@@ -33,124 +34,28 @@
{ predicate = "-p tcp --dport 11100"; target = "ACCEPT"; }
];
}
- {
- #static-nginx-test
- imports = [
- ../3modules/static_nginx.nix
- ];
- lass.staticPage."testserver.de" = {
- #sslEnable = true;
- #certificate = "${toString <secrets>}/testserver.de/server.cert";
- #certificate_key = "${toString <secrets>}/testserver.de/server.pem";
- ssl = {
- enable = true;
- certificate = "${toString <secrets>}/testserver.de/server.cert";
- certificate_key = "${toString <secrets>}/testserver.de/server.pem";
- };
- };
- networking.extraHosts = ''
- 10.243.0.2 testserver.de
- '';
- }
#{
- # #wordpress-test
- # #imports = singleton (sitesGenerators.createWordpress "testserver.de");
- # imports = [
- # ../3modules/wordpress_nginx.nix
- # ];
- # lass.wordpress."testserver.de" = {
- # multiSite = {
- # "1" = "testserver.de";
- # "2" = "bla.testserver.de";
- # };
- # };
-
# services.mysql = {
# enable = true;
# package = pkgs.mariadb;
# rootPassword = "<secrets>/mysql_rootPassword";
# };
- # networking.extraHosts = ''
- # 10.243.0.2 testserver.de
- # '';
- # krebs.iptables.tables.filter.INPUT.rules = [
- # { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
- # ];
#}
#{
- # #owncloud-test
- # #imports = singleton (sitesGenerators.createWordpress "testserver.de");
- # imports = [
- # ../3modules/owncloud_nginx.nix
- # ];
- # lass.owncloud."owncloud-test.de" = {
+ # services.elasticsearch = {
+ # enable = true;
+ # plugins = [
+ # # pkgs.elasticsearchPlugins.elasticsearch_kopf
+ # ];
+ # };
+ #}
+ #{
+ # services.postgresql = {
+ # enable = true;
+ # package = pkgs.postgresql;
# };
-
- # #services.mysql = {
- # # enable = true;
- # # package = pkgs.mariadb;
- # # rootPassword = "<secrets>/mysql_rootPassword";
- # #};
- # networking.extraHosts = ''
- # 10.243.0.2 owncloud-test.de
- # '';
- # krebs.iptables.tables.filter.INPUT.rules = [
- # { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; }
- # ];
#}
{
- containers.pythonenv = {
- config = {
- services.openssh.enable = true;
- users.users.root.openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
- ];
-
- environment = {
- systemPackages = with pkgs; [
- git
- libxml2
- libxslt
- libzip
- python27Full
- python27Packages.buildout
- stdenv
- zlib
- ];
-
- pathsToLink = [ "/include" ];
-
- shellInit = ''
- # help pip to find libz.so when building lxml
- export LIBRARY_PATH=/var/run/current-system/sw/lib
- # ditto for header files, e.g. sqlite
- export C_INCLUDE_PATH=/var/run/current-system/sw/include
- '';
- };
-
- };
- };
- }
- {
- services.mysql = {
- enable = true;
- package = pkgs.mariadb;
- rootPassword = "<secrets>/mysql_rootPassword";
- };
- }
- {
- services.elasticsearch = {
- enable = true;
- plugins = [
- # pkgs.elasticsearchPlugins.elasticsearch_kopf
- ];
- };
- }
- {
- services.postgresql = {
- enable = true;
- package = pkgs.postgresql;
- };
}
];
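Review bot: The commented-out `services.mysql` / `services.elasticsearch` / `services.postgresql` blocks that survive this cleanup are dead config that git already remembers; a single `# dev databases (mysql/elasticsearch/postgresql): see git history` in their place keeps the module list readable. If the mysql block is ever re-enabled, note that its `rootPassword = "<secrets>/mysql_rootPassword"` is a literal string and not a path lookup, unlike the `toString (<secrets/mysql_rootPassword>)` form used in the website configs in this same change — the two should agree.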
@@ -158,15 +63,6 @@
networking.wireless.enable = true;
- networking.extraHosts = ''
- 213.239.205.240 wohnprojekt-rhh.de
- 213.239.205.240 karlaskop.de
- 213.239.205.240 makeup.apanowicz.de
- 213.239.205.240 pixelpocket.de
- 213.239.205.240 reich-gebaeudereinigung.de
- 213.239.205.240 o.ubikmedia.de
- '';
-
hardware.enableAllFirmware = true;
nixpkgs.config.allowUnfree = true;
@@ -206,7 +102,7 @@
fsType = "ext4";
};
- "/mnt/backups" = {
+ "/bku" = {
device = "/dev/big/backups";
fsType = "ext4";
};
@@ -293,6 +189,9 @@
get
teamspeak_client
hashPassword
+ urban
+ mk_sql_pair
+ skype
];
#TODO: fix this shit
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 20c919b9b..e1743c997 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -6,6 +6,7 @@ in {
imports = [
../.
../2configs/base.nix
+ ../2configs/exim-smarthost.nix
../2configs/downloading.nix
../2configs/git.nix
../2configs/ts3.nix
@@ -77,6 +78,18 @@ in {
device = "/dev/pool/download";
};
+ fileSystems."/srv/http" = {
+ device = "/dev/pool/http";
+ };
+
+ fileSystems."/srv/o.ubikmedia.de-data" = {
+ device = "/dev/pool/owncloud-ubik-data";
+ };
+
+ fileSystems."/bku" = {
+ device = "/dev/pool/bku";
+ };
+
}
{
sound.enable = false;
@@ -117,7 +130,7 @@ in {
}
{
users.users.chat.openssh.authorizedKeys.keys = [
- "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFhFJUMTfPbv3SzqlT9S67Av/m/ctLfTd3mMhD4O9hZc+t+dZmaHWj3v1KujzMBiDp3Yfo2YdVVZLTwTluHD8yNoQH418Vm01nrYHwOsc5J0br3mb0URZSstPiz6/6Fc+PNCDfQ2skUAWUidWiH+JolROFQ4y2lfpLOw+wsK2jj+Gqx6w== JuiceSSH"
+ "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBBQjn/3n283RZkBs2CFqbpukyQ3zkLIjewRpKttPa5d4PUiT7/vOlutWH5EP4BxXQSoeZStx8D2alGjxfK+nfDvRJGGofpm23cN4j4i24Fcam1y1H7wqRXO1qbz5AB3qPg== JuiceSSH"
config.krebs.users.lass-uriel.pubkey
];
}
@@ -130,7 +143,8 @@ in {
../2configs/websites/domsen.nix
];
krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
];
}
{
diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix
index 4e4eca21f..92996c181 100644
--- a/lass/1systems/uriel.nix
+++ b/lass/1systems/uriel.nix
@@ -5,6 +5,7 @@ with builtins;
imports = [
../.
../2configs/baseX.nix
+ ../2configs/exim-retiolum.nix
../2configs/browsers.nix
../2configs/games.nix
../2configs/pass.nix
@@ -47,6 +48,11 @@ with builtins;
fsType = "ext4";
};
+ "/bku" = {
+ device = "/dev/pool/bku";
+ fsType = "ext4";
+ };
+
"/boot" = {
device = "/dev/sda1";
};
diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix
new file mode 100644
index 000000000..ca9ff20a1
--- /dev/null
+++ b/lass/2configs/backups.nix
@@ -0,0 +1,99 @@
+{ config, lib, ... }:
+with config.krebs.lib;
+{
+
+ krebs.backup.plans = {
+ } // mapAttrs (_: recursiveUpdate {
+ snapshots = {
+ daily = { format = "%Y-%m-%d"; retain = 7; };
+ weekly = { format = "%YW%W"; retain = 4; };
+ monthly = { format = "%Y-%m"; retain = 12; };
+ yearly = { format = "%Y"; };
+ };
+ }) {
+ dishfire-http-prism = {
+ method = "pull";
+ src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
+ dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; };
+ startAt = "03:00";
+ };
+ dishfire-http-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
+ startAt = "03:05";
+ };
+ dishfire-http-uriel = {
+ method = "pull";
+ src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-http"; };
+ startAt = "03:10";
+ };
+ dishfire-sql-prism = {
+ method = "pull";
+ src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
+ dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; };
+ startAt = "03:15";
+ };
+ dishfire-sql-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
+ startAt = "03:20";
+ };
+ dishfire-sql-uriel = {
+ method = "pull";
+ src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-sql"; };
+ startAt = "03:25";
+ };
+ prism-chat-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
+ startAt = "03:30";
+ };
+ prism-chat-uriel = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; };
+ startAt = "03:35";
+ };
+ prism-sql-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
+ startAt = "03:40";
+ };
+ prism-sql-uriel = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; };
+ startAt = "03:45";
+ };
+ prism-http-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
+ startAt = "03:50";
+ };
+ prism-http-uriel = {
+ method = "pull";
+ src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; };
+ startAt = "03:55";
+ };
+ uriel-home-mors = {
+ method = "pull";
+ src = { host = config.krebs.hosts.uriel; path = "/home"; };
+ dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; };
+ startAt = "04:00";
+ };
+ mors-home-uriel = {
+ method = "push";
+ src = { host = config.krebs.hosts.mors; path = "/home"; };
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; };
+ startAt = "05:00";
+ };
+ };
+}
diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix
index 8017d4270..8c6078ba5 100644
--- a/lass/2configs/base.nix
+++ b/lass/2configs/base.nix
@@ -7,10 +7,11 @@ with config.krebs.lib;
../2configs/zsh.nix
../2configs/mc.nix
../2configs/retiolum.nix
+ ./backups.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
- (import /root/secrets/hashedPasswords.nix);
+ (import <secrets/hashedPasswords.nix>);
}
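Review bot: Reading the hashes via `import <secrets/hashedPasswords.nix>` still evaluates them into the configuration, and as far as I know of NixOS releases of this vintage the resulting `hashedPassword` values end up in the world-readable Nix store on the target, exactly as they did with `/root/secrets` — the change only moves where the build host finds the file. That is acceptable for strong hashes but worth stating next to the import, e.g. `# hashes are evaluated into the system closure; use sha512-crypt/bcrypt only`. The `<secrets>` lookup also depends silently on a NIX_PATH entry on the build host, so a missing entry fails with a generic path-lookup error rather than a clear message.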
{
users.extraUsers = {
@@ -18,7 +19,6 @@ with config.krebs.lib;
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
config.krebs.users.lass-uriel.pubkey
- config.krebs.users.lass-helios.pubkey
];
};
mainUser = {
@@ -45,7 +45,6 @@ with config.krebs.lib;
krebs = {
enable = true;
search-domain = "retiolum";
- exim-retiolum.enable = true;
build = {
user = config.krebs.users.lass;
source = mapAttrs (_: mkDefault) ({
@@ -55,7 +54,7 @@ with config.krebs.lib;
stockholm = "/home/lass/stockholm";
nixpkgs = {
url = https://github.com/NixOS/nixpkgs;
- rev = "40c586b7ce2c559374df435f46d673baf711c543";
+ rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819";
dev = "/home/lass/src/nixpkgs";
};
} // optionalAttrs config.krebs.build.host.secure {
@@ -85,9 +84,12 @@ with config.krebs.lib;
MANPAGER=most
'';
+ nixpkgs.config.allowUnfree = true;
+
environment.systemPackages = with pkgs; [
#stockholm
git
+ gnumake
jq
parallel
proot
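Review bot: `nixpkgs.config.allowUnfree = true;` in base.nix switches unfree packages on for every host that imports it, servers included, where before it was set per host (mors.nix still carries its own in this diff). If the driver is the `unrar` added further down, an `allowUnfreePredicate` limited to the packages actually needed (something like `p: elem p.name [ pkgs.unrar.name ]`, adjusted to the pinned nixpkgs revision) keeps the blanket opt-in out of the server baseline; at minimum a `# unfree: needed for unrar (and skype on mors)` comment records why it is here.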
@@ -108,6 +110,11 @@ with config.krebs.lib;
#neat utils
krebspaste
+
+ #unpack stuff
+ p7zip
+ unzip
+ unrar
];
programs.bash = {
@@ -145,10 +152,6 @@ with config.krebs.lib;
'';
};
- security.setuidPrograms = [
- "sendmail"
- ];
-
services.openssh = {
enable = true;
hostKeys = [
@@ -165,6 +168,13 @@ with config.krebs.lib;
krebs.iptables = {
enable = true;
tables = {
+ nat.PREROUTING.rules = [
+ { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; }
+ { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; }
+ ];
+ nat.OUTPUT.rules = [
+ { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; }
+ ];
filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [
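Review bot: The PREROUTING rule `! -i retiolum -p tcp --dport 22` → `REDIRECT --to-ports 0` hides sshd on port 22 from every non-retiolum interface by rewriting the destination to port 0, with 45621 as the public alias; this is obscurity, not access control, since the filter INPUT rules (the list starts at the end of this hunk and continues outside it) still decide who reaches port 22 after the rewrite, and the port-0 trick relies on the kernel refusing a port-0 connection rather than on any documented REDIRECT behaviour. Please add a comment above the nat rules, e.g. `# sshd listens on 22 but is only reachable directly via retiolum; externally use 45621 (PREROUTING), locally via lo (OUTPUT)`. A less surprising alternative is sshd `ListenAddress` bound to the retiolum address plus a second `Port 45621`, which needs no NAT and shows up in `sshd -T`.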
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index 115cb8b61..ccd751413 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -20,6 +20,7 @@ in {
];
openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
+ config.krebs.users.lass-uriel.pubkey
];
};
diff --git a/lass/2configs/exim-retiolum.nix b/lass/2configs/exim-retiolum.nix
new file mode 100644
index 000000000..ea2f553b8
--- /dev/null
+++ b/lass/2configs/exim-retiolum.nix
@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+ krebs.exim-retiolum.enable = true;
+ krebs.setuid.sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; }
+ ];
+}
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
new file mode 100644
index 000000000..e1aa29c49
--- /dev/null
+++ b/lass/2configs/exim-smarthost.nix
@@ -0,0 +1,50 @@
+{ config, lib, pkgs, ... }:
+
+with config.krebs.lib;
+
+{
+ krebs.exim-smarthost = {
+ enable = true;
+ dkim = [
+ { domain = "lassul.us"; }
+ ];
+ sender_domains = [
+ "lassul.us"
+ ];
+ relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [
+ config.krebs.hosts.mors
+ config.krebs.hosts.uriel
+ config.krebs.hosts.helios
+ ];
+ internet-aliases = with config.krebs.users; [
+ { from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822
+ { from = "lass@lassul.us"; to = lass.mail; }
+ { from = "lassulus@lassul.us"; to = lass.mail; }
+ { from = "test@lassul.us"; to = lass.mail; }
+ { from = "outlook@lassul.us"; to = lass.mail; }
+ ];
+ system-aliases = [
+ { from = "mailer-daemon"; to = "postmaster"; }
+ { from = "postmaster"; to = "root"; }
+ { from = "nobody"; to = "root"; }
+ { from = "hostmaster"; to = "root"; }
+ { from = "usenet"; to = "root"; }
+ { from = "news"; to = "root"; }
+ { from = "webmaster"; to = "root"; }
+ { from = "www"; to = "root"; }
+ { from = "ftp"; to = "root"; }
+ { from = "abuse"; to = "root"; }
+ { from = "noc"; to = "root"; }
+ { from = "security"; to = "root"; }
+ { from = "root"; to = "lass"; }
+ ];
+ };
+
+ krebs.setuid.sendmail = {
+ filename = "${pkgs.exim}/bin/exim";
+ mode = "4111";
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; }
+ ];
+}
diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix
deleted file mode 100644
index bf6ea8952..000000000
--- a/lass/2configs/fastpoke-pages.nix
+++ /dev/null
@@ -1,101 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with config.krebs.lib;
-
-let
- createStaticPage = domain:
- {
- krebs.nginx.servers."${domain}" = {
- server-names = [
- "${domain}"
- "www.${domain}"
- ];
- locations = [
- (nameValuePair "/" ''
- root /var/lib/http/${domain};
- '')
- ];
- };
- #networking.extraHosts = ''
- # 10.243.206.102 ${domain}
- #'';
- users.extraUsers = {
- ${domain} = {
- name = domain;
- home = "/var/lib/http/${domain}";
- createHome = true;
- };
- };
- };
-
-in {
- imports = map createStaticPage [
- "habsys.de"
- "pixelpocket.de"
- "karlaskop.de"
- "ubikmedia.de"
- "apanowicz.de"
- ];
-
- krebs.iptables = {
- tables = {
- filter.INPUT.rules = [
- { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
- ];
- };
- };
-
-
- krebs.nginx = {
- enable = true;
- servers = {
- #"habsys.de" = {
- # server-names = [
- # "habsys.de"
- # "www.habsys.de"
- # ];
- # locations = [
- # (nameValuePair "/" ''
- # root /var/lib/http/habsys.de;
- # '')
- # ];
- #};
-
- #"karlaskop.de" = {
- # server-names = [
- # "karlaskop.de"
- # "www.karlaskop.de"
- # ];
- # locations = [
- # (nameValuePair "/" ''
- # root /var/lib/http/karlaskop.de;
- # '')
- # ];
- #};
-
- #"pixelpocket.de" = {
- # server-names = [
- # "pixelpocket.de"
- # "www.karlaskop.de"
- # ];
- # locations = [
- # (nameValuePair "/" ''
- # root /var/lib/http/karlaskop.de;
- # '')
- # ];
- #};
-
- };
- };
-
- #services.postgresql = {
- # enable = true;
- #};
-
- #config.services.vsftpd = {
- # enable = true;
- # userlistEnable = true;
- # userlistFile = pkgs.writeFile "vsftpd-userlist" ''
- # '';
- #};
-}
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 6043a8759..0eec97922 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -13,7 +13,7 @@ in {
name = "games";
description = "user playing games";
home = "/home/games";
- extraGroups = [ "audio" "video" "input" ];
+ extraGroups = [ "audio" "video" "input" "loot" ];
createHome = true;
useDefaultShell = true;
};
diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix
index d7c68bd7d..636b44395 100644
--- a/lass/2configs/newsbot-js.nix
+++ b/lass/2configs/newsbot-js.nix
@@ -154,7 +154,6 @@ let
telepolis|http://www.heise.de/tp/rss/news-atom.xml|#news
the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#news
tigsource|http://www.tigsource.com/feed/|#news
- times|http://www.thetimes.co.uk/tto/news/rss|#news
tinc|http://tinc-vpn.org/news/index.rss|#news
topix_b|http://www.topix.com/rss/wire/de/berlin|#news
torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#news
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
index 33eca0a17..610887621 100644
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@@ -6,5 +6,4 @@
gnupg1
];
- services.xserver.startGnuPGAgent = true;
}
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 109c216c0..caaee96bb 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -1,24 +1,36 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-{
+let
+ inherit (config.krebs.lib) genid;
+ inherit (import ../../4lib { inherit lib pkgs; })
+ manageCert
+ manageCerts
+ activateACME
+ ssl
+ servePage
+ serveOwncloud
+ serveWordpress;
+
+in {
imports = [
- ../../3modules/static_nginx.nix
- ../../3modules/owncloud_nginx.nix
- ../../3modules/wordpress_nginx.nix
- ];
+ ( ssl [ "reich-gebaeudereinigung.de" ])
+ ( servePage [ "reich-gebaeudereinigung.de" ])
- lass.staticPage = {
- "karlaskop.de" = {};
- "makeup.apanowicz.de" = {};
- "pixelpocket.de" = {};
- "reich-gebaeudereinigung.de" = {};
- };
+ ( manageCerts [ "karlaskop.de" ])
+ ( servePage [ "karlaskop.de" ])
- lass.owncloud = {
- "o.ubikmedia.de" = {
- instanceid = "oc8n8ddbftgh";
- };
- };
+ ( ssl [ "makeup.apanowicz.de" ])
+ ( servePage [ "makeup.apanowicz.de" ])
+
+ ( manageCerts [ "pixelpocket.de" ])
+ ( servePage [ "pixelpocket.de" ])
+
+ ( ssl [ "o.ubikmedia.de" ])
+ ( serveOwncloud [ "o.ubikmedia.de" ])
+
+ ( ssl [ "ubikmedia.de" "aldona.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] )
+ ( serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] )
+ ];
services.mysql = {
enable = true;
@@ -26,10 +38,31 @@
rootPassword = toString (<secrets/mysql_rootPassword>);
};
- #lass.wordpress = {
- # "ubikmedia.de" = {
- # };
- #};
+ services.mysqlBackup = {
+ enable = true;
+ databases = [
+ "ubikmedia_de"
+ "o_ubikmedia_de"
+ ];
+ location = "/bku/sql_dumps";
+ };
+
+ users.users.domsen = {
+ uid = genid "domsen";
+ description = "maintenance acc for domsen";
+ home = "/home/domsen";
+ useDefaultShell = true;
+ extraGroups = [ "nginx" ];
+ createHome = true;
+ };
+ services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
+ options = ''
+ extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
+ '';
+ } ''
+ cat ${pkgs.php}/etc/php-recommended.ini > $out
+ echo "$options" >> $out
+ '';
}
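Review bot: Adding the `domsen` maintenance account to the `nginx` group gives it read access to the ACME private keys, because manageCerts in 4lib sets `group = "nginx"; allowKeysForGroup = true;` on every certificate on this host — an account meant for editing web content can then read `/var/lib/acme/*/key.pem` for o.ubikmedia.de, ubikmedia.de and the rest. If domsen only needs to write under `/srv/http`, give those directories a dedicated group (or ACLs) and keep `nginx` off the account; at minimum add `# NOTE: nginx group can read the ACME keys (allowKeysForGroup)` so the grant is a conscious one. The dumps written to `/bku/sql_dumps` are pulled to the laptops by backups.nix, so also confirm that directory isn't group- or world-readable on prism.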
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index 073f3de14..c022dfbe2 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -1,22 +1,55 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
-{
+let
+ inherit (import ../../4lib { inherit lib pkgs; })
+ manageCerts
+ activateACME
+ ssl
+ servePage
+ serveWordpress;
+in {
imports = [
- ../../3modules/static_nginx.nix
- ../../3modules/owncloud_nginx.nix
- ../../3modules/wordpress_nginx.nix
+ #( manageCerts [ "biostase.de" ])
+ #( servePage [ "biostase.de" ])
+
+ #( manageCerts [ "gs-maubach.de" ])
+ #( servePage [ "gs-maubach.de" ])
+
+ #( manageCerts [ "spielwaren-kern.de" ])
+ #( servePage [ "spielwaren-kern.de" ])
+
+ #( manageCerts [ "societyofsimtech.de" ])
+ #( servePage [ "societyofsimtech.de" ])
+
+ #( manageCerts [ "ttf-kleinaspach.de" ])
+ #( servePage [ "ttf-kleinaspach.de" ])
+
+ #( manageCerts [ "edsn.de" ])
+ #( servePage [ "edsn.de" ])
+
+ #( manageCerts [ "eab.berkeley.edu" ])
+ #( servePage [ "eab.berkeley.edu" ])
+
+ ( manageCerts [ "eastuttgart.de" ])
+ ( serveWordpress [ "eastuttgart.de" ])
+
+ ( manageCerts [ "habsys.de" ])
+ ( servePage [ "habsys.de" ])
];
- lass.staticPage = {
- "biostase.de" = {};
- "gs-maubach.de" = {};
- "spielwaren-kern.de" = {};
- "societyofsimtech.de" = {};
- "ttf-kleinaspach.de" = {};
- "edsn.de" = {};
- "eab.berkeley.edu" = {};
- "habsys.de" = {};
+ services.mysql = {
+ enable = true;
+ package = pkgs.mariadb;
+ rootPassword = toString (<secrets/mysql_rootPassword>);
+ };
+
+ services.mysqlBackup = {
+ enable = true;
+ databases = [
+ "eastuttgart_de"
+ ];
+ location = "/bku/sql_dumps";
};
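Review bot: `eastuttgart.de` and `habsys.de` use `manageCerts` without `ssl`/`activateACME`, so dishfire obtains ACME certificates it never serves and both sites stay HTTP-only (this diff shows no 443 rule for dishfire either); make them `( ssl [ "eastuttgart.de" ])` / `( ssl [ "habsys.de" ])` or drop the certificate management. `ssl` and `activateACME` are inherited in the `let` block but never used, which suggests TLS was the intent. The seven commented-out `manageCerts`/`servePage` pairs would be cleaner removed (git keeps them) or reduced to one `# disabled sites: biostase.de, gs-maubach.de, …` line. `rootPassword = toString (<secrets/mysql_rootPassword>)` bakes an evaluation-time path string into the config, which only works if that exact path exists on dishfire when mysql first starts — I can't confirm that from here.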
#lass.owncloud = {
diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix
index ac784d4c7..858054531 100644
--- a/lass/2configs/websites/wohnprojekt-rhh.de.nix
+++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix
@@ -1,14 +1,17 @@
-{ config, ... }:
+{ config, pkgs, lib, ... }:
-{
+let
+ inherit (config.krebs.lib) genid;
+ inherit (import ../../4lib { inherit lib pkgs; })
+ ssl
+ servePage;
+
+in {
imports = [
- ../../3modules/static_nginx.nix
+ ( ssl [ "wohnprojekt-rhh.de" ])
+ ( servePage [ "wohnprojekt-rhh.de" ])
];
- lass.staticPage = {
- "wohnprojekt-rhh.de" = {};
- };
-
users.users.laura = {
home = "/srv/http/wohnprojekt-rhh.de";
createHome = true;
diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix
index a751a2995..30cbced49 100644
--- a/lass/4lib/default.nix
+++ b/lass/4lib/default.nix
@@ -1,10 +1,231 @@
-{ lib, ... }:
+{ lib, pkgs, ... }:
with lib;
-{
+rec {
getDefaultGateway = ip:
concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]);
+ manageCerts = domains:
+ let
+ domain = head domains;
+ in {
+ security.acme = {
+ certs."${domain}" = {
+ email = "lassulus@gmail.com";
+ webroot = "/var/lib/acme/challenges/${domain}";
+ plugins = [
+ "account_key.json"
+ "key.pem"
+ "fullchain.pem"
+ ];
+ group = "nginx";
+ allowKeysForGroup = true;
+ extraDomains = genAttrs domains (_: null);
+ };
+ };
+
+ krebs.nginx.servers."${domain}" = {
+ locations = [
+ (nameValuePair "/.well-known/acme-challenge" ''
+ root /var/lib/acme/challenges/${domain}/;
+ '')
+ ];
+ };
+ };
+
+ ssl = domains:
+ {
+ imports = [
+ ( manageCerts domains )
+ ( activateACME (head domains) )
+ ];
+ };
+
+ activateACME = domain:
+ {
+ krebs.nginx.servers."${domain}" = {
+ ssl = {
+ enable = true;
+ certificate = "/var/lib/acme/${domain}/fullchain.pem";
+ certificate_key = "/var/lib/acme/${domain}/key.pem";
+ };
+ };
+ };
+
+ servePage = domains:
+ let
+ domain = head domains;
+ in {
+ krebs.nginx.servers."${domain}" = {
+ server-names = domains;
+ locations = [
+ (nameValuePair "/" ''
+ root /srv/http/${domain};
+ '')
+ ];
+ };
+ };
+
+ serveOwncloud = domains:
+ let
+ domain = head domains;
+ in {
+ krebs.nginx.servers."${domain}" = {
+ server-names = domains;
+ extraConfig = ''
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+
+ # Path to the root of your installation
+ root /srv/http/${domain}/;
+ # set max upload size
+ client_max_body_size 10G;
+ fastcgi_buffers 64 4K;
+
+ # Disable gzip to avoid the removal of the ETag header
+ gzip off;
+
+ # Uncomment if your server is build with the ngx_pagespeed module
+ # This module is currently not supported.
+ #pagespeed off;
+
+ index index.php;
+ error_page 403 /core/templates/403.php;
+ error_page 404 /core/templates/404.php;
+
+ rewrite ^/.well-known/carddav /remote.php/carddav/ permanent;
+ rewrite ^/.well-known/caldav /remote.php/caldav/ permanent;
+
+ # The following 2 rules are only needed for the user_webfinger app.
+ # Uncomment it if you're planning to use this app.
+ rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+ '';
+ locations = [
+ (nameValuePair "/robots.txt" ''
+ allow all;
+ log_not_found off;
+ access_log off;
+ '')
+ (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
+ deny all;
+ '')
+
+ (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
+ deny all;
+ '')
+
+ (nameValuePair "/" ''
+ rewrite ^/remote/(.*) /remote.php last;
+ rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+ try_files $uri $uri/ =404;
+ '')
+
+ (nameValuePair "~ \.php(?:$|/)" ''
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ include ${pkgs.nginx}/conf/fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ fastcgi_intercept_errors on;
+ '')
+
+ # Adding the cache control header for js and css files
+ # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+ (nameValuePair "~* \.(?:css|js)$" ''
+ add_header Cache-Control "public, max-age=7200";
+ # Add headers to serve security related headers
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ # Optional: Don't log access to assets
+ access_log off;
+ '')
+
+ # Optional: Don't log access to other assets
+ (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
+ access_log off;
+ '')
+ ];
+ };
+ services.phpfpm.poolConfigs."${domain}" = ''
+ listen = /srv/http/${domain}/phpfpm.pool
+ user = nginx
+ group = nginx
+ pm = dynamic
+ pm.max_children = 5
+ pm.start_servers = 2
+ pm.min_spare_servers = 1
+ pm.max_spare_servers = 3
+ listen.owner = nginx
+ listen.group = nginx
+ # errors to journal
+ php_admin_value[error_log] = 'stderr'
+ php_admin_flag[log_errors] = on
+ catch_workers_output = yes
+ '';
+ };
+
+ serveWordpress = domains:
+ let
+ domain = head domains;
+
+ in {
+ krebs.nginx.servers."${domain}" = {
+ server-names = domains;
+ extraConfig = ''
+ root /srv/http/${domain}/;
+ index index.php;
+ access_log /tmp/nginx_acc.log;
+ error_log /tmp/nginx_err.log;
+ error_page 404 /404.html;
+ error_page 500 502 503 504 /50x.html;
+ '';
+ locations = [
+ (nameValuePair "/" ''
+ try_files $uri $uri/ /index.php?$args;
+ '')
+ (nameValuePair "~ \.php$" ''
+ fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+ include ${pkgs.nginx}/conf/fastcgi.conf;
+ '')
+ #(nameValuePair "~ /\\." ''
+ # deny all;
+ #'')
+ #Directives to send expires headers and turn off 404 error logging.
+ (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
+ access_log off;
+ log_not_found off;
+ expires max;
+ '')
+ ];
+ };
+ services.phpfpm.poolConfigs."${domain}" = ''
+ listen = /srv/http/${domain}/phpfpm.pool
+ user = nginx
+ group = nginx
+ pm = dynamic
+ pm.max_children = 5
+ pm.start_servers = 2
+ pm.min_spare_servers = 1
+ pm.max_spare_servers = 3
+ listen.owner = nginx
+ listen.group = nginx
+ # errors to journal
+ php_admin_value[error_log] = 'stderr'
+ php_admin_flag[log_errors] = on
+ catch_workers_output = yes
+ '';
+ };
+
}
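Review bot: Both php-fpm pools run as `user = nginx` / `group = nginx` while manageCerts sets `group = "nginx"; allowKeysForGroup = true;` on every ACME certificate, so any PHP executed by WordPress or ownCloud — including an uploaded plugin or webshell — can read the TLS private keys in `/var/lib/acme/<domain>/key.pem`; run each pool as its own unprivileged user (keep `listen.owner = nginx` so nginx can connect) and leave key access to nginx alone. In serveWordpress the `~ \.php$` location hands anything ending in .php to php-fpm without `try_files $uri =404;`, so a request like `/wp-content/uploads/x.jpg/y.php` executes `x.jpg` if `cgi.fix_pathinfo` is on (the php-recommended.ini used in domsen.nix doesn't show its value), and with the `~ /\\.` deny commented out `.git`, `.htaccess` and `.user.ini` under the docroot are served as static files. `access_log`/`error_log` in `/tmp` mean the root-run nginx master opens attacker-creatable paths at startup and the logs disappear with tmp cleanup; point them at `/var/log/nginx/` or the journal. Proposed change to the serveWordpress locations:

```nix
      locations = [
        (nameValuePair "/" ''
          try_files $uri $uri/ /index.php?$args;
        '')
        # never serve dotfiles (.git, .htaccess, .user.ini, .env)
        (nameValuePair "~ /\\." ''
          deny all;
        '')
        (nameValuePair "~ \.php$" ''
          # refuse PATH_INFO-style requests (/x.jpg/y.php) before PHP sees them
          try_files $uri =404;
          fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
          include ${pkgs.nginx}/conf/fastcgi.conf;
        '')
        # … unchanged: static-asset expires/log location …
      ];
```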
diff --git a/lass/5pkgs/acronym/default.nix b/lass/5pkgs/acronym/default.nix
index 53d5d015a..9f6f95587 100644
--- a/lass/5pkgs/acronym/default.nix
+++ b/lass/5pkgs/acronym/default.nix
@@ -1,13 +1,16 @@
{ pkgs, ... }:
pkgs.writeScriptBin "acronym" ''
+
#! ${pkgs.bash}/bin/bash
acro=$1
curl -s http://www.acronymfinder.com/$acro.html \
- | grep 'class="result-list__body__rank"' \
- | sed 's/.*title="\([^"]*\)".*/\1/' \
- | sed 's/^.* - //' \
- | sed "s/&#39;/'/g"
+ | grep 'class="result-list__body__rank"' \
+ | sed '
+ s/.*title="\([^"]*\)".*/\1/
+ s/^.* - //
+ s/&#39;/'\'''/g
+ '
''
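Review bot: The blank line added at the top of the `''` string pushes `#! ${pkgs.bash}/bin/bash` to line 2 of the generated file, where the kernel no longer honours it — the script then runs only through the calling shell's ENOEXEC fallback, i.e. under whatever shell invoked it rather than bash; drop the empty line so the shebang is the first line again (unless the blank line is a rendering artifact, in which case ignore this). While here, `$acro` is interpolated into the URL unquoted and unencoded, so a term containing spaces or `&` splits or mangles the curl argument; `curl -s "http://www.acronymfinder.com/$acro.html"` keeps it one argument, and the site should be fetched over https where it offers it.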
diff --git a/lass/5pkgs/default.nix b/lass/5pkgs/default.nix
index 0c9dd94ca..1dacf6c7a 100644
--- a/lass/5pkgs/default.nix
+++ b/lass/5pkgs/default.nix
@@ -8,7 +8,9 @@
ublock = pkgs.callPackage ./firefoxPlugins/ublock.nix {};
vimperator = pkgs.callPackage ./firefoxPlugins/vimperator.nix {};
};
+ mk_sql_pair = pkgs.callPackage ./mk_sql_pair/default.nix {};
mpv-poll = pkgs.callPackage ./mpv-poll/default.nix {};
+ urban = pkgs.callPackage ./urban/default.nix {};
xmonad-lass =
let src = pkgs.writeNixFromCabal "xmonad-lass.nix" ./xmonad-lass; in
pkgs.haskellPackages.callPackage src {};
diff --git a/lass/5pkgs/mk_sql_pair/default.nix b/lass/5pkgs/mk_sql_pair/default.nix
new file mode 100644
index 000000000..a9f0d2797
--- /dev/null
+++ b/lass/5pkgs/mk_sql_pair/default.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+pkgs.writeScriptBin "mk_sql_pair" ''
+ #!/bin/sh
+
+ name=$1
+ password=$2
+
+ if [ $# -ne 2 ]; then
+ echo '$1=name, $2=password'
+ exit 23;
+ fi
+
+ cat <<EOF
+ create database $name;
+ create user $name;
+ grant all on $name.* to $name@'localhost' identified by '$password';
+ EOF
+''
diff --git a/lass/5pkgs/urban/default.nix b/lass/5pkgs/urban/default.nix
new file mode 100644
index 000000000..fb8adaed9
--- /dev/null
+++ b/lass/5pkgs/urban/default.nix
@@ -0,0 +1,21 @@
+{ pkgs, ... }:
+
+pkgs.writeScriptBin "urban" ''
+ #!/bin/sh
+ set -euf
+ term=$1
+ curl -LsS 'http://www.urbandictionary.com/define.php?term='"$term" \
+ | sed 's/<\/\?a\>[^>]*>//g' \
+ | sed 's/<\([^>]*\)>/\n<\1\n/g' \
+ | grep . \
+ | sed -n '/<div class=.meaning./,/<\/div/p' \
+ | sed 's/<div class=.meaning./-----/' \
+ | grep -v '^</div\>' \
+ | grep -v '^<br\>' \
+ | sed '
+ s/&quot;/"/g
+ s/&#39;/'\'''/g
+ s/&gt;/>/g
+ s/&lt;/>/g
+ '
+''