authortv <tv@krebsco.de>2017-03-05 00:28:32 +0100
committertv <tv@krebsco.de>2017-03-05 00:28:32 +0100
commit4499cc406560963d65b016075ba2df6451c834cd (patch)
treeffea19187190a105e7b0caf617a0215c02c281da /lass
parentd7761aed6559adba3cfa61d822165c42c90fc276 (diff)
parent39fd77b84c7c14d6460722721726b378bdab7acd (diff)
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/mors.nix59
-rw-r--r--lass/1systems/prism.nix25
-rw-r--r--lass/1systems/shodan.nix23
-rw-r--r--lass/2configs/baseX.nix76
-rw-r--r--lass/2configs/binary-cache/client.nix10
-rw-r--r--lass/2configs/browsers.nix4
-rw-r--r--lass/2configs/buildbot-standalone.nix2
-rw-r--r--lass/2configs/copyq.nix38
-rw-r--r--lass/2configs/default.nix13
-rw-r--r--lass/2configs/exim-smarthost.nix3
-rw-r--r--lass/2configs/fetchWallpaper.nix4
-rw-r--r--lass/2configs/games.nix32
-rw-r--r--lass/2configs/git.nix1
-rw-r--r--lass/2configs/hfos.nix7
-rw-r--r--lass/2configs/hw/tp-x220.nix5
-rw-r--r--lass/2configs/livestream.nix12
-rw-r--r--lass/2configs/monitoring/monit-alarms.nix44
-rw-r--r--lass/2configs/monitoring/server.nix2
-rw-r--r--lass/2configs/nixpkgs.nix2
-rw-r--r--lass/2configs/screenlock.nix2
-rw-r--r--lass/2configs/security-workarounds.nix8
-rw-r--r--lass/2configs/termite.nix22
-rw-r--r--lass/2configs/vim.nix3
-rw-r--r--lass/2configs/websites/lassulus.nix10
-rw-r--r--lass/2configs/websites/util.nix15
-rw-r--r--lass/2configs/websites/wohnprojekt-rhh.de.nix23
-rw-r--r--lass/2configs/xresources.nix55
-rw-r--r--lass/2configs/xserver/Xresources.nix66
-rw-r--r--lass/2configs/xserver/default.nix147
-rw-r--r--lass/2configs/xserver/xserver.conf.nix40
-rw-r--r--lass/5pkgs/xmonad-lass.nix24
31 files changed, 362 insertions, 415 deletions
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index a5eaaed9d..bffb08ad3 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -76,56 +76,15 @@ with import <stockholm/lib>;
{
services.redis.enable = true;
}
- #{
- # #gitit magic
- # imports = [ <nixpkgs/nixos/modules/services/misc/gitit.nix> ];
- # services.gitit = {
- # enable = true;
- # haskellPackages = pkgs.haskell.packages.ghc7103;
- # };
- #}
- #{
- # lass.icinga2 = {
- # enable = true;
- # configFiles = [
- # ''
- # template Service "generic-service" {
- # max_check_attempts = 3
- # check_interval = 5m
- # retry_interval = 1m
- # enable_perfdata = true
- # }
- # apply Service "ping4" {
- # }
- # ''
- # ];
- # };
- # services.mysql = {
- # enable = true;
- # package = pkgs.mariadb;
- # rootPassword = "<secrets>/mysql_rootPassword";
- # };
- # lass.icingaweb2 = {
- # enable = true;
- # initialRootPasswordHash = "$1$HpWDCehI$ITbAoyfOB6HEN1ftooxZq0";
- # resources = {
- # icinga2db = {
- # type = "mysql";
- # host = "localhost";
- # user = "icingaweb2";
- # db = "icinga";
- # passfile = <secrets/icinga2-pw>;
- # };
- # icingaweb2db = {
- # type = "mysql";
- # host = "localhost";
- # user = "icingaweb2";
- # db = "icingaweb2";
- # passfile = <secrets/icinga2-pw>;
- # };
- # };
- # };
- #}
+ {
+ #ipfs-testing
+ services.ipfs.enable = true;
+ }
+ {
+ environment.systemPackages = [
+ pkgs.krebszones
+ ];
+ }
];
krebs.build.host = config.krebs.hosts.mors;
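Review bot: `services.ipfs.enable = true;` brings up a network-facing daemon with no bind-address setting and no `krebs.iptables` entry in this hunk, whereas the other listeners this merge introduces (monit on shodan, the doom server) each get an explicit firewall rule. If the `#ipfs-testing` experiment is meant to stay on the module defaults, state that and which interfaces it is expected to listen on, e.g. `# ipfs-testing: swarm/API/gateway on module defaults, no INPUT rule added on purpose`. Separately, the deleted comment block carried an MD5-crypt `initialRootPasswordHash`; it stays in git history, so if that value was ever live it should be treated as disclosed and rotated.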
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index c0c22a0de..b55732f65 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -44,6 +44,7 @@ in {
../2configs/hfos.nix
../2configs/makefu-sip.nix
../2configs/monitoring/server.nix
+ ../2configs/monitoring/monit-alarms.nix
{
imports = [
../2configs/bepasty.nix
@@ -164,7 +165,6 @@ in {
}
{
imports = [
- ../2configs/websites/wohnprojekt-rhh.de.nix
../2configs/websites/domsen.nix
../2configs/websites/lassulus.nix
];
@@ -215,7 +215,8 @@ in {
}
{
krebs.repo-sync.timerConfig = {
- OnUnitInactiveSec = "5min";
+ OnBootSec = "5min";
+ OnUnitInactiveSec = "3min";
RandomizedDelaySec = "2min";
};
}
@@ -247,7 +248,13 @@ in {
];
}
{
- krebs.Reaktor.coders = {
+ krebs.Reaktor.coders = let
+ lambdabot = (import (pkgs.fetchFromGitHub {
+ owner = "NixOS"; repo = "nixpkgs";
+ rev = "a4ec1841da14fc98c5c35cc72242c23bb698d4ac";
+ sha256 = "148fpw31s922hxrf28yhrci296f7c7zd81hf0k6zs05rq0i3szgy";
+ }) {}).lambdabot;
+ in {
nickname = "reaktor-lass";
channels = [ "#coders" ];
extraEnviron = {
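Review bot: The pinned nixpkgs checkout used to obtain `lambdabot` has no comment saying why the host's own nixpkgs (`krebs.build.source.nixpkgs`, bumped to `5b0c9d4` in this same merge) is not used, so nobody will know when the pin can be dropped. The pin itself is sound supply-chain practice — a full commit id plus `sha256` — but record the reason above the `let`, e.g. `# lambdabot pinned to nixpkgs a4ec1841 — TODO: reason; drop once the host's nixpkgs builds it`. The later hunks in this file only substitute `${lambdabot}` for `${pkgs.lambdabot}` and need nothing further. Note in the same comment that `import (…) {}` evaluates a second full nixpkgs instance, which costs eval time on every build of prism.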
@@ -263,7 +270,7 @@ in {
(buildSimpleReaktorPlugin "lambdabot-pl" {
pattern = "^@pl (?P<args>.*)$$";
script = pkgs.writeDash "lambda-pl" ''
- exec ${pkgs.lambdabot}/bin/lambdabot \
+ exec ${lambdabot}/bin/lambdabot \
${indent lambdabotflags}
-e "@pl $1"
'';
@@ -271,7 +278,7 @@ in {
(buildSimpleReaktorPlugin "lambdabot-type" {
pattern = "^@type (?P<args>.*)$$";
script = pkgs.writeDash "lambda-type" ''
- exec ${pkgs.lambdabot}/bin/lambdabot \
+ exec ${lambdabot}/bin/lambdabot \
${indent lambdabotflags}
-e "@type $1"
'';
@@ -279,7 +286,7 @@ in {
(buildSimpleReaktorPlugin "lambdabot-let" {
pattern = "^@let (?P<args>.*)$$";
script = pkgs.writeDash "lambda-let" ''
- exec ${pkgs.lambdabot}/bin/lambdabot \
+ exec ${lambdabot}/bin/lambdabot \
${indent lambdabotflags}
-e "@let $1"
'';
@@ -287,7 +294,7 @@ in {
(buildSimpleReaktorPlugin "lambdabot-run" {
pattern = "^@run (?P<args>.*)$$";
script = pkgs.writeDash "lambda-run" ''
- exec ${pkgs.lambdabot}/bin/lambdabot \
+ exec ${lambdabot}/bin/lambdabot \
${indent lambdabotflags}
-e "@run $1"
'';
@@ -295,7 +302,7 @@ in {
(buildSimpleReaktorPlugin "lambdabot-kind" {
pattern = "^@kind (?P<args>.*)$$";
script = pkgs.writeDash "lambda-kind" ''
- exec ${pkgs.lambdabot}/bin/lambdabot \
+ exec ${lambdabot}/bin/lambdabot \
${indent lambdabotflags}
-e "@kind $1"
'';
@@ -303,7 +310,7 @@ in {
(buildSimpleReaktorPlugin "lambdabot-kind" {
pattern = "^@kind (?P<args>.*)$$";
script = pkgs.writeDash "lambda-kind" ''
- exec ${pkgs.lambdabot}/bin/lambdabot \
+ exec ${lambdabot}/bin/lambdabot \
${indent lambdabotflags}
-e "@kind $1"
'';
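Review bot: `buildSimpleReaktorPlugin "lambdabot-kind"` is defined twice with the same `pattern` and script — this hunk and the one directly above it are identical apart from position — which looks like a copy-paste leftover rather than intent. Either delete one of them or, if a different lambdabot command was meant here, rename the plugin, the `writeDash` name and the `-e "@kind $1"` argument together. The enclosing plugin list continues outside the hunk.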
diff --git a/lass/1systems/shodan.nix b/lass/1systems/shodan.nix
index 232e91d90..dca616936 100644
--- a/lass/1systems/shodan.nix
+++ b/lass/1systems/shodan.nix
@@ -42,6 +42,29 @@ with import <stockholm/lib>;
pkgs.python27Packages.python
];
}
+ {
+ krebs.monit = let
+ echoToIrc = msg:
+ pkgs.writeDash "echo_irc" ''
+ set -euf
+ export LOGNAME=prism-alarm
+ ${pkgs.irc-announce}/bin/irc-announce \
+ ni.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null
+ '';
+ in {
+ enable = true;
+ http.enable = true;
+ alarms = {
+ hfos = {
+ test = "${pkgs.curl}/bin/curl -sf --insecure 'https://hfos.hackerfleet.de'";
+ alarm = echoToIrc "test hfos failed";
+ };
+ };
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp -i retiolum --dport 9093"; target = "ACCEPT"; }
+ ];
+ }
];
krebs.build.host = config.krebs.hosts.shodan;
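Review bot: `curl -sf --insecure 'https://hfos.hackerfleet.de'` disables certificate verification, so this check stays green through an expired or substituted certificate — exactly the failure a check of a TLS endpoint should catch; if the site uses a private CA, pass its bundle with `--cacert` instead, otherwise drop `--insecure` (the checks in lass/2configs/monitoring/monit-alarms.nix in this same merge verify normally). The `echoToIrc` helper and the port-9093 `krebs.iptables` rule are copied verbatim from that file, including `export LOGNAME=prism-alarm`, which on shodan is presumably a leftover from prism; moving the helper into a shared module would keep the two in step. Whether the `krebs.monit` http listener that port 9093 exposes on retiolum has access control configured cannot be seen here.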
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 2933ca0e4..275b93f26 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -1,13 +1,15 @@
{ config, pkgs, ... }:
-
+with import <stockholm/lib>;
let
- mainUser = config.users.extraUsers.mainUser;
+ user = config.krebs.build.user;
in {
imports = [
- ./xserver
./mpv.nix
./power-action.nix
./screenlock.nix
+ ./copyq.nix
+ ./xresources.nix
+ ./livestream.nix
{
hardware.pulseaudio = {
enable = true;
@@ -32,15 +34,15 @@ in {
programs.ssh.startAgent = false;
- security.setuidPrograms = [ "slock" ];
-
services.printing = {
enable = true;
- drivers = [ pkgs.foomatic_filters ];
+ drivers = [
+ pkgs.foomatic_filters
+ pkgs.gutenprint
+ ];
};
environment.systemPackages = with pkgs; [
-
acpi
dic
dmenu
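Review bot: `security.setuidPrograms = [ "slock" ]` is removed without a visible replacement; if the screenlock unit still invokes slock (screenlock.nix is touched in this merge, but its ExecStart is outside the hunk), it needs the equivalent `security.wrappers` entry on the NixOS release this merge targets — the move to `/var/run/wrappers/bin` in browsers.nix suggests that migration is the reason for the removal. A one-line comment such as `# slock setuid wrapper now provided by: TODO` would settle where the wrapper comes from.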
@@ -66,37 +68,37 @@ in {
youtube-tools
rxvt_unicode
- #window manager stuff
- #haskellPackages.xmobar
- #haskellPackages.yeganesh
- #dmenu2
- #xlibs.fontschumachermisc
];
- #fonts.fonts = [
- # pkgs.xlibs.fontschumachermisc
- #];
-
- #services.xserver = {
- # enable = true;
-
- # windowManager.xmonad.extraPackages = hspkgs: with hspkgs; [
- # X11-xshape
- # ];
- # windowManager.xmonad.enable = true;
- # windowManager.xmonad.enableContribAndExtras = true;
- # windowManager.default = "xmonad";
- # desktopManager.default = "none";
- # desktopManager.xterm.enable = false;
- # displayManager.slim.enable = true;
- # displayManager.auto.enable = true;
- # displayManager.auto.user = mainUser.name;
-
- # layout = "us";
- # xkbModel = "evdev";
- # xkbVariant = "altgr-intl";
- # xkbOptions = "caps:backspace";
- #};
+ fonts.fonts = [
+ pkgs.xlibs.fontschumachermisc
+ ];
+
+ services.xserver = {
+ enable = true;
+
+ desktopManager.xterm.enable = false;
+ desktopManager.default = "none";
+ displayManager.lightdm.enable = true;
+ displayManager.lightdm.autoLogin = {
+ enable = true;
+ user = "lass";
+ };
+ windowManager.default = "xmonad";
+ windowManager.session = [{
+ name = "xmonad";
+ start = ''
+ ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
+ ${pkgs.xmonad-lass}/bin/xmonad &
+ waitPID=$!
+ '';
+ }];
+
+ layout = "us";
+ xkbModel = "evdev";
+ xkbVariant = "altgr-intl";
+ xkbOptions = "caps:backspace";
+ };
services.logind.extraConfig = ''
HandleLidSwitch=ignore
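Review bot: `displayManager.lightdm.autoLogin.user = "lass"` hard-codes the account even though the first hunk of this file introduces `user = config.krebs.build.user` for exactly this purpose; `user = user.name;` (assuming `krebs.build.user` carries a `name` the way the removed `mainUser` did) keeps the module host-independent. `${pkgs.xorg.xhost}/bin/xhost +LOCAL:` grants every local account access to the X server, which means any local process can observe input and the screen; it deserves a comment naming the client that needs it, or should be narrowed to `xhost +SI:localuser:<account>`. With auto-login plus a local-everyone X grant, the screenlock unit on sleep is the only compensating control visible in this merge, so say that this is the intended trust boundary.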
@@ -107,4 +109,6 @@ in {
twoFingerScroll = true;
accelFactor = "0.035";
};
+
+ services.urxvtd.enable = true;
}
diff --git a/lass/2configs/binary-cache/client.nix b/lass/2configs/binary-cache/client.nix
index 108ff7a1e..9dba5fbfb 100644
--- a/lass/2configs/binary-cache/client.nix
+++ b/lass/2configs/binary-cache/client.nix
@@ -2,8 +2,14 @@
{
nix = {
- binaryCaches = ["http://cache.prism.r"];
- binaryCachePublicKeys = ["cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="];
+ binaryCaches = [
+ "http://cache.prism.r"
+ "https://cache.nixos.org/"
+ ];
+ binaryCachePublicKeys = [
+ "cache.prism-1:+S+6Lo/n27XEtvdlQKuJIcb1yO5NUqUCE2lolmTgNJU="
+ "hydra.nixos.org-1:CNHJZBh9K4tP3EKF6FkkgeVYsS3ohTl+oS0Qa8bezVs="
+ ];
};
}
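Review bot: The added public-cache entry pairs `https://cache.nixos.org/` with the key name `hydra.nixos.org-1`, which is the older signing identity; confirm it is the key cache.nixos.org currently signs with, otherwise its paths are rejected as unsigned once signature checking (the NixOS default) is on, and the only symptom is silent local rebuilding. A comment per key stating where it was obtained is worth adding, because this list is the trust anchor that makes the plain-`http://cache.prism.r` entry acceptable: integrity comes from the `cache.prism-1` signature, not from transport.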
diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix
index 88ee70802..6c381863c 100644
--- a/lass/2configs/browsers.nix
+++ b/lass/2configs/browsers.nix
@@ -20,7 +20,7 @@ let
createChromiumUser = name: extraGroups:
let
bin = pkgs.writeScriptBin name ''
- /var/setuid-wrappers/sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@
+ /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.chromium}/bin/chromium $@
'';
in {
users.extraUsers.${name} = {
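Review bot: `$@` is unquoted in the sudo wrapper, so an argument containing whitespace (a URL with a space, a quoted `--flag=value`) is split into several arguments before it reaches chromium; use `"$@"`, as the other wrappers in this merge (`vdoomserver`, `stream`) already do. The same applies to the firefox wrapper in the next hunk. Only the wrapper path changed here; the sudoers grant that lets `sudo -u ${name} -i` run without a prompt is defined outside the hunk.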
@@ -43,7 +43,7 @@ let
createFirefoxUser = name: extraGroups:
let
bin = pkgs.writeScriptBin name ''
- /var/setuid-wrappers/sudo -u ${name} -i ${pkgs.firefox}/bin/firefox $@
+ /var/run/wrappers/bin/sudo -u ${name} -i ${pkgs.firefox}/bin/firefox $@
'';
in {
users.extraUsers.${name} = {
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index cd11254d6..2bd3e9914 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -216,7 +216,7 @@ in {
enable = true;
nick = "buildbot-lass";
server = "ni.r";
- channels = [ { channel = "retiolum"; } ];
+ channels = [ { channel = "retiolum"; } { channel = "noise"; } ];
allowForce = true;
};
};
diff --git a/lass/2configs/copyq.nix b/lass/2configs/copyq.nix
new file mode 100644
index 000000000..0616c4025
--- /dev/null
+++ b/lass/2configs/copyq.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+let
+ copyqConfig = pkgs.writeDash "copyq-config" ''
+ ${pkgs.copyq}/bin/copyq config check_clipboard true
+ ${pkgs.copyq}/bin/copyq config check_selection true
+ ${pkgs.copyq}/bin/copyq config copy_clipboard true
+ ${pkgs.copyq}/bin/copyq config copy_selection true
+
+ ${pkgs.copyq}/bin/copyq config activate_closes true
+ ${pkgs.copyq}/bin/copyq config clipboard_notification_lines 0
+ ${pkgs.copyq}/bin/copyq config clipboard_tab clipboard
+ ${pkgs.copyq}/bin/copyq config disable_tray true
+ ${pkgs.copyq}/bin/copyq config hide_tabs true
+ ${pkgs.copyq}/bin/copyq config hide_toolbar true
+ ${pkgs.copyq}/bin/copyq config item_popup_interval true
+ ${pkgs.copyq}/bin/copyq config maxitems 1000
+ ${pkgs.copyq}/bin/copyq config move true
+ ${pkgs.copyq}/bin/copyq config text_wrap true
+ '';
+in {
+ systemd.user.services.copyq = {
+ after = [ "graphical.target" ];
+ wants = [ "graphical.target" ];
+ wantedBy = [ "default.target" ];
+ environment = {
+ DISPLAY = ":0";
+ };
+ serviceConfig = {
+ SyslogIdentifier = "copyq";
+ ExecStart = "${pkgs.copyq}/bin/copyq";
+ ExecStartPost = copyqConfig;
+ Restart = "always";
+ RestartSec = "2s";
+ StartLimitBurst = 0;
+ };
+ };
+}
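Review bot: `Restart = "always"` with `RestartSec = "2s"` and `StartLimitBurst = 0` switches systemd's start rate limit off, so if copyq cannot open `DISPLAY=":0"` (no X session yet, or a session on another display) the unit restarts every two seconds indefinitely and floods the journal; keep the default burst, or gate the unit on the display being present. `DISPLAY = ":0"` is hard-coded here and in screenlock.nix in the same merge — one shared definition would keep them consistent. `ExecStartPost = copyqConfig` runs as soon as the main process is forked, which presumes the copyq server accepts `config` commands immediately, and `item_popup_interval true` passes a boolean where the neighbouring numeric options suggest a number — both worth confirming against copyq's option list.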
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index d1810c00c..3e7881fb4 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -1,5 +1,4 @@
-{ config, lib, pkgs, ... }:
-
+{ config, pkgs, ... }:
with import <stockholm/lib>;
{
imports = [
@@ -11,6 +10,7 @@ with import <stockholm/lib>;
../2configs/vim.nix
../2configs/monitoring/client.nix
./backups.nix
+ ./security-workarounds.nix
{
users.extraUsers =
mapAttrs (_: h: { hashedPassword = h; })
@@ -62,6 +62,12 @@ with import <stockholm/lib>;
pkgs.pythonPackages.python
];
}
+ {
+ services.dnscrypt-proxy.enable = true;
+ networking.extraResolvconfConf = ''
+ name_servers='127.0.0.1'
+ '';
+ }
];
networking.hostName = config.krebs.build.host.name;
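Review bot: `name_servers='127.0.0.1'` via `networking.extraResolvconfConf` prepends the proxy but, as far as I read openresolv, does not by itself stop DHCP-supplied resolvers from being appended behind it, in which case a failing dnscrypt-proxy silently falls back to plaintext DNS to whatever the network hands out; check the generated /etc/resolv.conf, and if proxy-only is the intent, set openresolv's `resolv_conf_local_only` (or the NixOS equivalent) so only the local resolver is listed. A comment stating the intended failure mode, `# DNS goes through dnscrypt-proxy only; no plaintext fallback`, would make the choice reviewable.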
@@ -129,6 +135,7 @@ with import <stockholm/lib>;
#neat utils
krebspaste
+ mosh
pciutils
pop
psmisc
@@ -155,6 +162,7 @@ with import <stockholm/lib>;
shopt -s histappend histreedit histverify
shopt -s no_empty_cmd_completion
complete -d cd
+ LS_COLORS=$LS_COLORS:'di=1;31:' ; export LS_COLORS
'';
promptInit = ''
if test $UID = 0; then
@@ -202,6 +210,7 @@ with import <stockholm/lib>;
filter.INPUT.rules = [
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
+ { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; }
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; }
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; }
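Review bot: The new `-p ipv6-icmp` rule carries `v4 = false`, but the `-p icmp` rule above it is still rendered into the ip6tables table too, where it effectively never matches; giving it the mirror-image `v6 = false;` keeps the pair symmetric and the generated ip6tables ruleset free of dead entries. The rest of the rule list continues outside the hunk.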
diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index d120dfcad..3353cdac0 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -8,11 +8,12 @@ with import <stockholm/lib>;
dkim = [
{ domain = "lassul.us"; }
];
+ primary_hostname = "lassul.us";
sender_domains = [
"lassul.us"
"aidsballs.de"
];
- relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [
+ relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [
config.krebs.hosts.mors
config.krebs.hosts.uriel
config.krebs.hosts.helios
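Review bot: Switching `relay_from_hosts` from `ip4.addr` to `ip6.addr` withdraws relay permission from any listed host that still submits over retiolum IPv4, and the commit does not say whether that is intended; if both families are in use, emit both, e.g. `relay_from_hosts = concatMap (host: [ host.nets.retiolum.ip4.addr host.nets.retiolum.ip6.addr ]) [` (`concatMap` should be available through the `with import <stockholm/lib>` this file opens with). Relay authorisation here rests solely on source address inside the VPN, which is fine for retiolum but worth a comment so the list is not later widened to a non-VPN address. The host list continues outside the hunk.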
diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix
index 29f321994..971be9588 100644
--- a/lass/2configs/fetchWallpaper.nix
+++ b/lass/2configs/fetchWallpaper.nix
@@ -9,9 +9,5 @@ in {
url = "prism/wallpaper.png";
maxTime = 10;
};
- systemd.services.fetchWallpaper = {
- after = [ "xmonad.service" ];
- wantedBy = [ "xmonad.service" ];
- };
}
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index 1bcb8c676..d114a826d 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -11,7 +11,6 @@ let
DOOM_DIR=''${DOOM_DIR:-~/doom/}
${vdoom} \
-file $DOOM_DIR/lib/brutalv20.pk3 \
- -file $DOOM_DIR/lib/RebotStarcraftMarines.pk3 \
"$@"
'';
doom1 = pkgs.writeDashBin "doom1" ''
@@ -31,6 +30,31 @@ let
${vdoom} -iwad $DOOM_DIR/wads/stock/doom2.wad "$@"
'';
+ doomservercfg = pkgs.writeText "doomserver.cfg" ''
+ skill 7
+ #survival true
+ #sv_maxlives 4
+ #sv_norespawn true
+ #sv_weapondrop true
+ no_jump true
+ #sv_noweaponspawn true
+ sv_sharekeys true
+ sv_survivalcountdowntime 1
+ sv_noteamselect true
+ sv_updatemaster false
+ #sv_coop_loseinventory true
+ #cl_startasspectator false
+ #lms_spectatorview false
+ '';
+
+ vdoomserver = pkgs.writeDashBin "vdoomserver" ''
+ DOOM_DIR=''${DOOM_DIR:-~/doom/}
+
+ ${pkgs.zandronum-bin}/bin/zandronum-server \
+ +exec ${doomservercfg} \
+ "$@"
+ '';
+
in {
environment.systemPackages = with pkgs; [
dwarf_fortress
@@ -38,6 +62,7 @@ in {
doom2
vdoom1
vdoom2
+ vdoomserver
];
users.extraUsers = {
@@ -56,4 +81,9 @@ in {
security.sudo.extraConfig = ''
${mainUser.name} ALL=(games) NOPASSWD: ALL
'';
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 10666"; target = "ACCEPT"; }
+ { predicate = "-p udp --dport 10666"; target = "ACCEPT"; }
+ ];
}
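Review bot: The two new INPUT rules open 10666/tcp and 10666/udp on every interface, unlike the monit rules in this merge, which are restricted with `-i retiolum`; if the zandronum server is meant for the VPN only, add `-i retiolum` to both predicates, and if it is meant to be public, say so in a comment. The `doomserver.cfg` from the earlier hunk sets no join or RCON password (`sv_password` / `sv_rconpassword` are absent) and only `sv_updatemaster false` keeps it off the master list, so network reachability is the whole access control — document which of the two you intend.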
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index bdd65ce09..3e1b2c6e3 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -5,6 +5,7 @@ with import <stockholm/lib>;
let
out = {
+ services.nginx.enable = true;
krebs.git = {
enable = true;
cgit = {
diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix
index 7d4d544aa..a28a6a5d2 100644
--- a/lass/2configs/hfos.nix
+++ b/lass/2configs/hfos.nix
@@ -8,7 +8,6 @@ with import <stockholm/lib>;
extraGroups = [ "libvirtd" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDMkyCwdwBrsbs3qrNQcy/SqQpex4aaQoAMuT+NDefFc8KVHOMfmkDccEyAggDTgQhUrEVIvo/fFUmGBd9sm1vN1IthO2Qh5nX+qiK/A2R7sxci0Ry6piU03R27JfpZqi6g8TSPNi1C9rC8eBqOfO3OB8oQOkFmM48Q9cmS8AV3ERLR0LaHoEqUbs86JELbtHrMdKk4Hzo8zTM/isP3GO8iDHRt4dBS/03Ve7+WVxgNwWU2HW3a3jJd3tWHrqGmS/ZfCEC/47eIj4WSW+JiH9Q0BarNEbkkMV1Mvm32MX52stGPd5FaIIUtFqD4745iVSiw8esUGFUxJ1RjWgUHr99h riot@vortex"
- config.krebs.users.lass.pubkey
];
};
@@ -32,4 +31,10 @@ with import <stockholm/lib>;
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
];
+
+ krebs.iptables.tables.nat.OUTPUT.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
+ ];
+
+ systemd.services.krebs-iptables.after = [ "libvirtd.service" ];
}
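Review bot: The OUTPUT-chain DNAT that rewrites local traffic for `213.239.205.246:443` to `192.168.122.208:1443` has no comment saying what that public address is or why local clients must be hairpinned into the VM; a line such as `# hairpin: TODO-service's public address is served by the VM at 192.168.122.208:1443` would save the next reader a lookup. `systemd.services.krebs-iptables.after = [ "libvirtd.service" ]` only orders the two units — it does not pull libvirtd in, nor re-apply the rules if libvirtd restarts and rewrites its chains; if the rule depends on the libvirt bridge existing, `wants` alongside `after` is the stronger form. The libvirtd interaction is inferred from the unit name, not visible here.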
diff --git a/lass/2configs/hw/tp-x220.nix b/lass/2configs/hw/tp-x220.nix
index d551cd44e..1e75271ca 100644
--- a/lass/2configs/hw/tp-x220.nix
+++ b/lass/2configs/hw/tp-x220.nix
@@ -48,4 +48,9 @@ with import <stockholm/lib>;
];
security.rngd.enable = true;
+
+ services.xserver.synaptics = {
+ enable = true;
+ additionalOptions = ''Option "TouchpadOff" "1"'';
+ };
}
diff --git a/lass/2configs/livestream.nix b/lass/2configs/livestream.nix
new file mode 100644
index 000000000..c877a8c0a
--- /dev/null
+++ b/lass/2configs/livestream.nix
@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+
+let
+
+ stream = pkgs.writeDashBin "stream" ''
+ ${pkgs.python27Packages.livestreamer}/bin/livestreamer --http-header Client-ID=jzkbprff40iqj646a697cyrvl0zt2m6 -p mpv "$@"
+ '';
+
+in {
+ environment.systemPackages = [ stream ];
+}
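Review bot: The `--http-header Client-ID=jzkbprff40iqj646a697cyrvl0zt2m6` value is baked into a world-readable store path and into git history; if it is a registered application's identifier, add a comment stating that it is a public client id and not a secret, and if it is anything more sensitive, read it from the `<secrets>` tree like the other credentials in this repository. `"$@"` is correctly quoted here.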
diff --git a/lass/2configs/monitoring/monit-alarms.nix b/lass/2configs/monitoring/monit-alarms.nix
new file mode 100644
index 000000000..65b91a745
--- /dev/null
+++ b/lass/2configs/monitoring/monit-alarms.nix
@@ -0,0 +1,44 @@
+{pkgs, config, ...}:
+with import <stockholm/lib>;
+let
+ echoToIrc = msg:
+ pkgs.writeDash "echo_irc" ''
+ set -euf
+ export LOGNAME=prism-alarm
+ ${pkgs.irc-announce}/bin/irc-announce \
+ ni.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null
+ '';
+
+in {
+ krebs.monit = {
+ enable = true;
+ http.enable = true;
+ alarms = {
+ nirwanabluete = {
+ test = "${pkgs.curl}/bin/curl -sf 'https://nirwanabluete.de/'";
+ alarm = echoToIrc "test nirwanabluete failed";
+ };
+ ubik = {
+ test = "${pkgs.curl}/bin/curl -sf 'https://ubikmedia.de'";
+ alarm = echoToIrc "test ubik failed";
+ };
+ cac-panel = {
+ test = "${pkgs.curl}/bin/curl -sf 'https://panel.cloudatcost.com/login.php'";
+ alarm = echoToIrc "test cac-panel failed";
+ };
+ radio = {
+ test = pkgs.writeBash "check_stream" ''
+ ${pkgs.curl}/bin/curl -sif http://lassul.us:8000/radio.ogg \
+ | ${pkgs.gawk}/bin/awk '/^\r$/{exit}{print $0}' \
+ | ${pkgs.gnugrep}/bin/grep -q "200 OK" || exit "''${PIPESTATUS[0]}"
+ '';
+ alarm = echoToIrc "test radio failed";
+ };
+ };
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp -i retiolum --dport 9093"; target = "ACCEPT"; }
+ ];
+}
+
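Review bot: The `radio` check can pass without a 200: when `curl` exits 0 but the status line is not `200 OK` (a redirect, or any other 2xx/3xx), `grep -q` fails and the script runs `exit "''${PIPESTATUS[0]}"`, which is 0, so no alarm fires; put `set -o pipefail` at the top of the `writeBash` script and drop the `|| exit …` clause, and the pipeline then exits non-zero both when curl fails and when the status line is wrong. `echoToIrc` is duplicated verbatim in lass/1systems/shodan.nix (with `LOGNAME=prism-alarm` hard-coded while the nick is derived from `config.networking.hostName`); a shared helper module would stop the two drifting apart. The port-9093 rule exposes the `krebs.monit` http interface on retiolum — whether that module configures access control is not visible here.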
diff --git a/lass/2configs/monitoring/server.nix b/lass/2configs/monitoring/server.nix
index bbae4511e..b6ccf9cc1 100644
--- a/lass/2configs/monitoring/server.nix
+++ b/lass/2configs/monitoring/server.nix
@@ -29,7 +29,7 @@ with import <stockholm/lib>;
data="$(${pkgs.jq}/bin/jq -r .message)"
export LOGNAME=prism-alarm
${pkgs.irc-announce}/bin/irc-announce \
- ni.r 6667 prism-alarm \#retiolum "$data" >/dev/null
+ ni.r 6667 prism-alarm \#noise "$data" >/dev/null
'';
in {
enable = true;
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index aef9dd8b4..9c3eafffd 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
{
krebs.build.source.nixpkgs.git = {
url = https://github.com/nixos/nixpkgs;
- ref = "f7b7d8e";
+ ref = "5b0c9d4";
};
}
diff --git a/lass/2configs/screenlock.nix b/lass/2configs/screenlock.nix
index 237127f69..b5bc4ee2a 100644
--- a/lass/2configs/screenlock.nix
+++ b/lass/2configs/screenlock.nix
@@ -5,7 +5,7 @@
before = [ "sleep.target" ];
wantedBy = [ "sleep.target" ];
environment = {
- DISPLAY = ":${toString config.services.xserver.display}";
+ DISPLAY = ":0";
};
serviceConfig = {
SyslogIdentifier = "screenlock";
diff --git a/lass/2configs/security-workarounds.nix b/lass/2configs/security-workarounds.nix
new file mode 100644
index 000000000..537c8a59b
--- /dev/null
+++ b/lass/2configs/security-workarounds.nix
@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+with import <stockholm/lib>;
+{
+ # http://seclists.org/oss-sec/2017/q