From 6860a92d8b4640bcb7cc6314589332bf3e940589 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Feb 2016 17:07:16 +0100 Subject: tv.mail: wu -> nomic --- tv/1systems/nomic.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index 2c9775d..c247bf7 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -10,6 +10,7 @@ with config.krebs.lib; ../2configs/hw/AO753.nix ../2configs/exim-retiolum.nix ../2configs/git.nix + ../2configs/mail-client.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/retiolum.nix -- cgit v1.2.3 From b100a6222013be6ceb16cdaf6660292a69211e47 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Feb 2016 17:23:19 +0100 Subject: tv im: init --- tv/1systems/nomic.nix | 1 + tv/1systems/wu.nix | 20 +------------------- tv/2configs/im.nix | 24 ++++++++++++++++++++++++ 3 files changed, 26 insertions(+), 19 deletions(-) create mode 100644 tv/2configs/im.nix diff --git a/tv/1systems/nomic.nix b/tv/1systems/nomic.nix index c247bf7..4532069 100644 --- a/tv/1systems/nomic.nix +++ b/tv/1systems/nomic.nix @@ -10,6 +10,7 @@ with config.krebs.lib; ../2configs/hw/AO753.nix ../2configs/exim-retiolum.nix ../2configs/git.nix + ../2configs/im.nix ../2configs/mail-client.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 6154e4d..7615c4e 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -10,6 +10,7 @@ with config.krebs.lib; ../2configs/hw/w110er.nix ../2configs/exim-retiolum.nix ../2configs/git.nix + ../2configs/im.nix ../2configs/mail-client.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix 
@@ -23,19 +24,6 @@ with config.krebs.lib; hashPassword haskellPackages.lentil parallel - (pkgs.writeScriptBin "im" '' - #! ${pkgs.bash}/bin/bash - export PATH=${makeSearchPath "bin" (with pkgs; [ - tmux - gnugrep - weechat - ])} - if tmux list-sessions -F\#S | grep -q '^im''$'; then - exec tmux attach -t im - else - exec tmux new -s im weechat - fi - '') # root cryptsetup @@ -201,12 +189,6 @@ with config.krebs.lib; KERNEL=="hpet", GROUP="audio" ''; - services.bitlbee = { - enable = true; - plugins = [ - pkgs.bitlbee-facebook - ]; - }; services.tor.client.enable = true; services.tor.enable = true; services.virtualboxHost.enable = true; diff --git a/tv/2configs/im.nix b/tv/2configs/im.nix new file mode 100644 index 0000000..db1be7f --- /dev/null +++ b/tv/2configs/im.nix @@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: +with config.krebs.lib; +{ + environment.systemPackages = with pkgs; [ + (pkgs.writeDashBin "im" '' + export PATH=${makeSearchPath "bin" (with pkgs; [ + tmux + gnugrep + weechat + ])} + if tmux list-sessions -F\#S | grep -q '^im''$'; then + exec tmux attach -t im + else + exec tmux new -s im weechat + fi + '') + ]; + services.bitlbee = { + enable = true; + plugins = [ + pkgs.bitlbee-facebook + ]; + }; +} -- cgit v1.2.3 From 453b03f81801e2e1272cf4505a36dc1f4d164339 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Feb 2016 17:30:39 +0100 Subject: tv krebs.backup.plans.nomic-home-xu: init --- tv/2configs/backup.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix index 641e2d5..decd8b2 100644 --- a/tv/2configs/backup.nix +++ b/tv/2configs/backup.nix 
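Review bot: In the new `im` wrapper in tv/2configs/im.nix, `tmux list-sessions` runs unconditionally, and when no tmux server exists yet it fails with a message on stderr before the `else` branch starts one; the session test still works, but the first invocation prints an error. Silencing that probe, `if tmux list-sessions -F\#S 2>/dev/null | grep -q '^im''$'; then`, keeps the behaviour and drops the noise. The `services.bitlbee` block enables the daemon with the module's default bind address and port; if loopback-only is the intent, pinning `interface = "127.0.0.1";` next to `enable = true;` records that rather than relying on the default.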
@@ -2,6 +2,18 @@ with config.krebs.lib; { krebs.backup.plans = { + nomic-home-xu = { + method = "push"; + src = { host = config.krebs.hosts.nomic; path = "/home"; }; + dst = { host = config.krebs.hosts.xu; path = "/bku/nomic-home"; }; + startAt = "05:00"; + snapshots = { + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; + }; + }; wu-home-xu = { method = "push"; src = { host = config.krebs.hosts.wu; path = "/home"; }; -- cgit v1.2.3 From ae2e125e5b107f4265b37adc63306a546c47b12e Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Feb 2016 17:45:58 +0100 Subject: xu,wu: rm pkgs that belong to xserver --- tv/1systems/wu.nix | 5 ----- tv/1systems/xu.nix | 4 ---- 2 files changed, 9 deletions(-) diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 7615c4e..2b6dca1 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -153,11 +153,7 @@ with config.krebs.lib; hardware.opengl.driSupport32Bit = true; environment.systemPackages = with pkgs; [ - xlibs.fontschumachermisc - slock ethtool - #firefoxWrapper # with plugins - #chromiumDevWrapper tinc iptables #jack2 @@ -165,7 +161,6 @@ with config.krebs.lib; security.setuidPrograms = [ "sendmail" # for cron - "slock" ]; services.printing.enable = true; diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index 5ec1fe5..d4295d3 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix @@ -163,11 +163,7 @@ with config.krebs.lib; #hardware.opengl.driSupport32Bit = true; environment.systemPackages = with pkgs; [ - #xlibs.fontschumachermisc - #slock ethtool - #firefoxWrapper # with plugins - #chromiumDevWrapper tinc iptables #jack2 -- cgit v1.2.3 From 5fdf654a06df16c100d2509ea9476cd6b7cf39ab Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Feb 2016 22:28:02 +0100 Subject: tv sudo: !lecture --- tv/2configs/default.nix | 1 + 1 file changed, 1 insertion(+) 
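Review bot: The new `nomic-home-xu` plan in tv/2configs/backup.nix starts at `05:00`, the same time as the existing `wu-home-xu` plan directly below it, and both push into `/bku/...` on the same host `xu`. If the backup module runs plans independently (it is defined outside this file, so I can't tell), the two transfers will contend for xu's disk and link; staggering one of them, e.g. `startAt = "05:30";`, avoids that with no other change.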
diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index c4a2d6b..13699a3 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -50,6 +50,7 @@ with config.krebs.lib; { security.sudo.extraConfig = '' Defaults mailto="${config.krebs.users.tv.mail}" + Defaults !lecture ''; time.timeZone = "Europe/Berlin"; } -- cgit v1.2.3 From 369c6653872e361d95422bddbd384a3e33e64661 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Feb 2016 23:23:13 +0100 Subject: xu-qemu0: disable systemd-networkd-wait-online --- tv/2configs/xu-qemu0.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix index 720a8ac..2b67a8b 100644 --- a/tv/2configs/xu-qemu0.nix +++ b/tv/2configs/xu-qemu0.nix @@ -27,6 +27,8 @@ with config.krebs.lib; networking.dhcpcd.denyInterfaces = [ "qemubr0" ]; systemd.network.enable = true; + systemd.services.systemd-networkd-wait-online.enable = false; + services.resolved.enable = mkForce false; boot.kernel.sysctl."net.ipv4.ip_forward" = 1; -- cgit v1.2.3 From 22061f0fce538773c8fff17fcaeaa21a95e41879 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Feb 2016 23:35:25 +0100 Subject: tv man: init --- tv/1systems/wu.nix | 3 +-- tv/1systems/xu.nix | 3 +-- tv/2configs/man.nix | 7 +++++++ 3 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 tv/2configs/man.nix diff --git a/tv/1systems/wu.nix b/tv/1systems/wu.nix index 2b6dca1..8c363d9 100644 --- a/tv/1systems/wu.nix +++ b/tv/1systems/wu.nix @@ -12,6 +12,7 @@ with config.krebs.lib; ../2configs/git.nix ../2configs/im.nix ../2configs/mail-client.nix + ../2configs/man.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/retiolum.nix @@ -40,14 +41,12 @@ with config.krebs.lib; haskellPackages.hledger htop jq - manpages mkpasswd netcat nix-repl nmap nq p7zip - posix_man_pages push qrencode texLive diff --git a/tv/1systems/xu.nix b/tv/1systems/xu.nix index d4295d3..c6a69a8 100644 --- a/tv/1systems/xu.nix +++ b/tv/1systems/xu.nix 
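Review bot: `services.resolved.enable = mkForce false;` in tv/2configs/xu-qemu0.nix overrides a value set elsewhere, but nothing in this file says which module turns resolved on or why the override is needed, and the same goes for disabling `systemd-networkd-wait-online` on the line above it. A one-line comment above each, stating which module enables resolved and why wait-online must not gate boot on this host, would stop the next reader from dropping the `mkForce` and getting a silently ignored value. The enclosing attribute set continues outside the hunk.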
@@ -11,6 +11,7 @@ with config.krebs.lib; ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/mail-client.nix + ../2configs/man.nix ../2configs/nginx-public_html.nix ../2configs/pulse.nix ../2configs/retiolum.nix @@ -52,7 +53,6 @@ with config.krebs.lib; haskellPackages.hledger htop jq - manpages mkpasswd netcat nix-repl @@ -60,7 +60,6 @@ with config.krebs.lib; nq p7zip pass - posix_man_pages qrencode texLive tmux diff --git a/tv/2configs/man.nix b/tv/2configs/man.nix new file mode 100644 index 0000000..686e574 --- /dev/null +++ b/tv/2configs/man.nix @@ -0,0 +1,7 @@ +{ config, lib, pkgs, ... }: +{ + environment.systemPackages = with pkgs; [ + manpages + posix_man_pages + ]; +} -- cgit v1.2.3 From e09ef6ad6875c822848db809e462d6fffa11c176 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 17 Feb 2016 23:35:43 +0100 Subject: tv man: inhibit warning break --- tv/2configs/man.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tv/2configs/man.nix b/tv/2configs/man.nix index 686e574..a84e60b 100644 --- a/tv/2configs/man.nix +++ b/tv/2configs/man.nix @@ -1,5 +1,10 @@ { config, lib, pkgs, ... }: { + environment.etc."man.conf".source = pkgs.runCommand "man.conf" {} '' + ${pkgs.gnused}/bin/sed <${pkgs.man}/lib/man.conf >$out ' + s:^NROFF\t.*:& -Wbreak: + ' + ''; environment.systemPackages = with pkgs; [ manpages posix_man_pages -- cgit v1.2.3 From 0402f725bcfc8a6966bafc74f40b9acd2341a88d Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 18 Feb 2016 00:50:10 +0100 Subject: xu-qemu0 host: setup iptables --- tv/2configs/xu-qemu0.nix | 18 ++++++++++++------ tv/3modules/iptables.nix | 22 ++++++++++++++++++++++ 2 files changed, 34 insertions(+), 6 deletions(-) diff --git a/tv/2configs/xu-qemu0.nix b/tv/2configs/xu-qemu0.nix index 2b67a8b..5be4899 100644 --- a/tv/2configs/xu-qemu0.nix +++ b/tv/2configs/xu-qemu0.nix 
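Review bot: The sed substitution in tv/2configs/man.nix, `s:^NROFF\t.*:& -Wbreak:`, silently produces an unchanged man.conf if the shipped file's `NROFF` line is not tab-separated, because sed exits 0 whether or not the pattern matched. A check after the rewrite, `${pkgs.gnugrep}/bin/grep -q -- '-Wbreak' $out`, makes the build fail instead of quietly losing the setting. A short comment such as `# -Wbreak tells groff to suppress its "break" (can't break line) warning class` would also explain what the commit title only hints at.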
@@ -15,17 +15,23 @@ in # # make [install] system=xu-qemu0 target_host=10.56.0.101 -# TODO iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -# TODO iptables -A FORWARD -i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT -# TODO iptables -A POSTROUTING -t nat -j MASQUERADE -# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport bootps -j ACCEPT -# TODO iptables -A INPUT -i qemubr0 -p udp -m udp --dport domain -j ACCEPT - with config.krebs.lib; { networking.dhcpcd.denyInterfaces = [ "qemubr0" ]; + tv.iptables.extra = { + nat.POSTROUTING = ["-j MASQUERADE"]; + filter.FORWARD = [ + "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" + "-i qemubr0 -s 10.56.0.1/24 -m conntrack --ctstate NEW -j ACCEPT" + ]; + filter.INPUT = [ + "-i qemubr0 -p udp -m udp --dport bootps -j ACCEPT" + "-i qemubr0 -p udp -m udp --dport domain -j ACCEPT" + ]; + }; + systemd.network.enable = true; systemd.services.systemd-networkd-wait-online.enable = false; diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix index c0fd7ec..c0e71f2 100644 --- a/tv/3modules/iptables.nix +++ b/tv/3modules/iptables.nix @@ -26,6 +26,21 @@ let type = with types; listOf (either int str); default = []; }; + + extra = { + nat.POSTROUTING = mkOption { + type = with types; listOf str; + default = []; + }; + filter.FORWARD = mkOption { + type = with types; listOf str; + default = []; + }; + filter.INPUT = mkOption { + type = with types; listOf str; + default = []; + }; + }; }; imp = { @@ -57,6 +72,11 @@ let }; }; + formatTable = table: + (concatStringsSep "\n" + (mapAttrsToList + (chain: concatMapStringsSep "\n" (rule: "-A ${chain} ${rule}")) + table)); rules = iptables-version: let accept-echo-request = { @@ -79,6 +99,7 @@ let ${concatMapStringsSep "\n" (rule: "-A OUTPUT ${rule}") [ "-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22" ]} + ${formatTable cfg.extra.nat} COMMIT *filter :INPUT DROP [0:0] 
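Review bot: The NAT rule `nat.POSTROUTING = ["-j MASQUERADE"];` in tv/2configs/xu-qemu0.nix has no source or output-interface match, so it masquerades every packet leaving the host, not just guest traffic from the bridge; `"-s 10.56.0.0/24 ! -o qemubr0 -j MASQUERADE"` limits it to the guest subnet leaving via another interface. The FORWARD accept uses `-s 10.56.0.1/24`, which iptables silently normalises to `10.56.0.0/24`; writing the network address directly avoids the reader wondering whether a single host was meant. The FORWARD chain's default policy is set in tv/3modules/iptables.nix outside this hunk, so whether these two ACCEPT rules are the only forwarding path can't be confirmed here.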
@@ -94,6 +115,7 @@ let ++ map accept-new-tcp (unique (map toString cfg.input-internet-accept-new-tcp)) ++ ["-i retiolum -j Retiolum"] )} + ${formatTable cfg.extra.filter} ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([] ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request ++ map accept-new-tcp (unique (map toString cfg.input-retiolum-accept-new-tcp)) -- cgit v1.2.3 From 00eee96fbac91743442816ebbc1c4e5e76de832b Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 18 Feb 2016 01:15:58 +0100 Subject: krebs.build: use $F5 to prefix verbose commands --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 60dfe80..9dcd475 100644 --- a/Makefile +++ b/Makefile @@ -51,7 +51,7 @@ evaluate = \ execute = \ result=$$($(call evaluate,-A config.krebs.build.$(1) --json)) && \ script=$$(echo "$$result" | jq -r .) && \ - echo "$$script" | sh + echo "$$script" | PS5=% sh # usage: make deploy system=foo [target_host=bar] deploy: ssh ?= ssh -- cgit v1.2.3 From 4dfd89de1781c699a8c8b04abf109cafb18105ae Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 18 Feb 2016 02:55:46 +0100 Subject: tv: init backup plans xu-pull-cd-{ejabberd,home} --- tv/2configs/backup.nix | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/tv/2configs/backup.nix b/tv/2configs/backup.nix index decd8b2..b551266 100644 --- a/tv/2configs/backup.nix +++ b/tv/2configs/backup.nix 
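Review bot: `PS5=% sh` in the Makefile's `execute` rule sets a variable the shell itself never reads (sh uses `PS4` for trace prefixes), so it only has an effect if the script returned by `config.krebs.build` expands `$PS5` on its own; that script is generated outside this file, so I can't confirm it does. A comment on the line, `# PS5 is read by the generated script to prefix verbose commands`, would make the dependency explicit, and the commit title's `$F5` appears to be a typo for this variable.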
@@ -2,41 +2,43 @@ with config.krebs.lib; { krebs.backup.plans = { + } // mapAttrs (_: recursiveUpdate { + snapshots = { + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; + }; + }) { nomic-home-xu = { method = "push"; src = { host = config.krebs.hosts.nomic; path = "/home"; }; dst = { host = config.krebs.hosts.xu; path = "/bku/nomic-home"; }; startAt = "05:00"; - snapshots = { - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; }; wu-home-xu = { method = "push"; src = { host = config.krebs.hosts.wu; path = "/home"; }; dst = { host = config.krebs.hosts.xu; path = "/bku/wu-home"; }; startAt = "05:00"; - snapshots = { - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; }; xu-home-wu = { method = "push"; src = { host = config.krebs.hosts.xu; path = "/home"; }; dst = { host = config.krebs.hosts.wu; path = "/bku/xu-home"; }; startAt = "06:00"; - snapshots = { - daily = { format = "%Y-%m-%d"; retain = 7; }; - weekly = { format = "%YW%W"; retain = 4; }; - monthly = { format = "%Y-%m"; retain = 12; }; - yearly = { format = "%Y"; }; - }; + }; + xu-pull-cd-ejabberd = { + method = "pull"; + src = { host = config.krebs.hosts.cd; path = "/var/ejabberd"; }; + dst = { host = config.krebs.hosts.xu; path = "/bku/cd-ejabberd"; }; + startAt = "07:00"; + }; + xu-pull-cd-home = { + method = "pull"; + src = { host = config.krebs.hosts.cd; path = "/home"; }; + dst = { host = config.krebs.hosts.xu; path = "/bku/cd-home"; }; + startAt = "07:00"; }; } // mapAttrs (_: recursiveUpdate { snapshots = { -- cgit v1.2.3 From 482180639dcf6064f0b249aeb350347f6e8e461f Mon Sep 17 00:00:00 2001 
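Review bot: The rewrite in tv/2configs/backup.nix opens with an empty set, `krebs.backup.plans = { } // mapAttrs (_: recursiveUpdate { snapshots = …; }) { … }`, and the hunk's last context line shows a second `// mapAttrs (_: recursiveUpdate {` with what looks like the same snapshot defaults starting below it. Binding those defaults once, `let defaults.snapshots = { … }; in` at the top of the file and using `recursiveUpdate defaults` in both places, keeps the two retention policies from drifting apart; the second block's body is outside the hunk, so I'm assuming it is identical. The two new pull plans `xu-pull-cd-ejabberd` and `xu-pull-cd-home` both start at `07:00` from the same source host `cd`, so they run concurrently unless the module serialises plans. `/var/ejabberd` holds the XMPP server's account database, so the ownership and mode the backup gives `/bku/cd-ejabberd` on xu deserve a check.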
From: tv Date: Thu, 18 Feb 2016 14:14:30 +0100 Subject: tv urlwatch: filter pypi/vncdotool/json through jq --- tv/2configs/urlwatch.nix | 41 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 38 insertions(+), 3 deletions(-) diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix index 0106cdd..51b5323 100644 --- a/tv/2configs/urlwatch.nix +++ b/tv/2configs/urlwatch.nix @@ -1,5 +1,5 @@ -{ config, ... }: - +{ config, pkgs, ... }: +with config.krebs.lib; { krebs.urlwatch = { enable = true; @@ -52,8 +52,43 @@ # is derived from `configFile` in: https://raw.githubusercontent.com/NixOS/nixpkgs/master/nixos/modules/services/x11/xserver.nix - https://pypi.python.org/pypi/vncdotool + { + url = https://pypi.python.org/pypi/vncdotool/json; + filter = "system:${pkgs.jq}/bin/jq -r '.releases|keys[]'"; + } https://api.github.com/repos/kanaka/noVNC/tags ]; + hooksFile = toFile "hooks.py" '' + import subprocess + import urlwatch + + class CaseFilter(urlwatch.filters.FilterBase): + """Filter for piping data through an external process""" + + __kind__ = 'system' + + def filter(self, data, subfilter=None): + if subfilter is None: + raise ValueError('The system filter needs a command') + + proc = subprocess.Popen( + subfilter, + shell=True, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + ) + + (stdout, stderr) = proc.communicate(data.encode()) + + if proc.returncode != 0: + raise RuntimeError( + "system filter returned non-zero exit status %d; stderr:\n" + % proc.returncode + + stderr.decode() + ) + + return stdout.decode() + ''; }; } -- cgit v1.2.3
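Review bot: In the hooks.py embedded in tv/2configs/urlwatch.nix, the class implementing `__kind__ = 'system'` is named `CaseFilter`, which says nothing about what it does; `class SystemFilter(urlwatch.filters.FilterBase):` matches the kind string and the error text. Its docstring should also state the contract the code sets up: the subfilter is a shell command line (`shell=True`) taken from the job config, and the fetched page is only ever passed to it on stdin, never interpolated into the command. The error message is built as `"…%d; stderr:\n" % proc.returncode + stderr.decode()`, which relies on `%` binding tighter than `+`; `"system filter returned non-zero exit status %d; stderr:\n%s" % (proc.returncode, stderr.decode())` reads unambiguously.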