26 files changed, 150 insertions, 68 deletions
| diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix index 2ed5607f1..c96b14723 100644 --- a/krebs/3modules/exim-smarthost.nix +++ b/krebs/3modules/exim-smarthost.nix @@ -246,12 +246,12 @@ let          remote_smtp:            driver = smtp -          ${optionalString (cfg.dkim != []) '' +          ${optionalString (cfg.dkim != []) (indent ''              dkim_canon = relaxed              dkim_domain = $sender_address_domain              dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}              dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}} -          ''} +          '')}            helo_data = ''${if eq{$acl_m_special_dom}{}  \                                 {$primary_hostname}   \                                 {$acl_m_special_dom} } diff --git a/krebs/3modules/go.nix b/krebs/3modules/go.nix index a86f444dc..218ac9221 100644 --- a/krebs/3modules/go.nix +++ b/krebs/3modules/go.nix @@ -44,7 +44,7 @@ let        wantedBy = [ "multi-user.target" ];        path = with pkgs; [ -        go +        go-shortener        ];        environment = { @@ -57,7 +57,7 @@ let        serviceConfig = {          User = "go";          Restart = "always"; -        ExecStart = "${pkgs.go}/bin/go"; +        ExecStart = "${pkgs.go-shortener}/bin/go";        };      };    }; diff --git a/krebs/5pkgs/go/default.nix b/krebs/5pkgs/go-shortener/default.nix index 2871e5a99..996f7072a 100644 --- a/krebs/5pkgs/go/default.nix +++ b/krebs/5pkgs/go-shortener/default.nix @@ -19,7 +19,7 @@ let    };  in np.buildNodePackage { -  name = "go"; +  name = "go-shortener";    src = fetchgit {      url = "http://cgit.lassul.us/go/"; diff --git a/krebs/5pkgs/go/packages.nix b/krebs/5pkgs/go-shortener/packages.nix index 9acfd7658..9acfd7658 100644 --- a/krebs/5pkgs/go/packages.nix +++ b/krebs/5pkgs/go-shortener/packages.nix 
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index c3d027edc..742d42bf8 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -54,7 +54,7 @@ with import <stockholm/lib>;          enable = true;          package = pkgs.postgresql;        }; -      #virtualisation.docker.enable = true; +      virtualisation.docker.enable = true;        #users.users.mainUser.extraGroups = [ "docker" ];      }      { diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 76710ac9d..555e7fe1a 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -224,6 +224,14 @@ in {          OnCalendar = "*:0/5";        };      } +    { +      lass.usershadow = { +        enable = true; +      }; +    } +    { +      virtualisation.libvirtd.enable = true; +    }    ];    krebs.build.host = config.krebs.hosts.prism; diff --git a/lass/1systems/shodan.nix b/lass/1systems/shodan.nix index 9d1df1d72..095898380 100644 --- a/lass/1systems/shodan.nix +++ b/lass/1systems/shodan.nix @@ -75,6 +75,10 @@ with import <stockholm/lib>;        fsType = "tmpfs";        options = ["nosuid" "nodev" "noatime"];      }; +    "/bku" = { +      device = "/dev/pool/bku"; +      fsType = "ext4"; +    };    };    services.udev.extraRules = '' diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 43c4d5b0d..a7d2a6cef 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -46,6 +46,13 @@ with import <stockholm/lib>;          NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";        };      } +    (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in { +      environment.variables = { +        CURL_CA_BUNDLE = ca-bundle; +        GIT_SSL_CAINFO = ca-bundle; +        SSL_CERT_FILE = ca-bundle; +      }; +    })    ];    networking.hostName = config.krebs.build.host.name; diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix index 7d694c173..f6ddbe96d 100644 --- a/lass/2configs/go.nix 
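Review bot: Enabling the Docker daemon here also lets it manage iptables and IP forwarding on the host, which can expose published container ports independently of the declarative firewall; makefu/1systems/x.nix makes the same change later in this commit. Leaving `#users.users.mainUser.extraGroups = [ "docker" ];` commented out is the safer choice, since docker-group membership is root-equivalent, and a one-line comment would keep it from being uncommented casually, e.g. `# docker group is root-equivalent; keep mainUser out of it`.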
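Review bot: Enabling `lass.usershadow` on prism swaps the host's sshd PAM stack for the module's own one (lass/3modules/usershadow.nix in this commit), so SSH logins are checked against per-user `/home/%/.shadow` files with `pam_permit` in the account stage. That changes who can log in to this host and deserves a comment on the new block, e.g. `# replaces sshd PAM auth with per-user ~/.shadow files (see lass/3modules/usershadow.nix)`. Enabling libvirtd in the same hunk adds another root-equivalent group (libvirtd), so the same caveat as for the docker group applies to anyone added to it.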
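Review bot: The new `/bku` mount carries no `options`, while the tmpfs entry directly above it sets `["nosuid" "nodev" "noatime"]`; a backup volume that receives pushed or restored content is a place where setuid files and device nodes can reappear, so `options = [ "nosuid" "nodev" ];` would be consistent with the sibling entry. If the volume is meant to hold bootable or setuid material, a comment saying so would explain the omission.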
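Review bot: Pointing `CURL_CA_BUNDLE`, `GIT_SSL_CAINFO` and `SSL_CERT_FILE` directly at `${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt` bypasses the bundle NixOS assembles under `/etc/ssl/certs`, so any CA added through `security.pki.certificates`/`certificateFiles` (or removed via its blacklist) becomes invisible to curl, git and OpenSSL-based tools on these hosts. If that is intended, a comment saying so would help; otherwise `ca-bundle = "/etc/ssl/certs/ca-bundle.crt";` keeps the same variables while honouring the system trust store. makefu/2configs/default.nix makes the identical change later in this commit.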
+++ b/lass/2configs/go.nix @@ -3,7 +3,7 @@  with import <stockholm/lib>;  {    environment.systemPackages = [ -    pkgs.go +    pkgs.go-shortener    ];    krebs.go = {      enable = true; diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index 4ef4c6ce7..e665b6c6f 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@  {    krebs.build.source.nixpkgs.git = {      url = https://github.com/nixos/nixpkgs; -    ref = "686bc9c5ccafbec2b6d2db61bd0803c2b7bc2b7d"; +    ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";    };  } diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix index f88149730..f2e4de6a7 100644 --- a/lass/2configs/repo-sync.nix +++ b/lass/2configs/repo-sync.nix @@ -93,6 +93,7 @@ in {      (sync-remote "xintmap" "https://github.com/4z3/xintmap")      (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")      (sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog") +    (sync-remote "painload" "https://github.com/krebscode/painload")      (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")      (sync-retiolum "go")      (sync-retiolum "much") diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 18c771fad..2a6df06ff 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
@@ -103,27 +103,6 @@ in {      "o_ubikmedia_de"    ]; -  krebs.backup.plans = { -    prism-sql-domsen = { -      method = "push"; -      src = { host = config.krebs.hosts.prism;      path = "/bku/sql_dumps"; }; -      dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-sql"; }; -      startAt = "00:01"; -    }; -    prism-http-domsen = { -      method = "push"; -      src = { host = config.krebs.hosts.prism;      path = "/srv/http"; }; -      dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-http"; }; -      startAt = "00:10"; -    }; -    prism-o-ubikmedia-domsen = { -      method = "push"; -      src = { host = config.krebs.hosts.prism;      path = "/srv/o.ubikmedia.de-data"; }; -      dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-owncloud"; }; -      startAt = "00:30"; -    }; -  }; -    services.phpfpm.phpOptions = ''      sendmail_path = ${sendmail} -t      upload_max_filesize = 100M 
@@ -142,28 +121,26 @@ in {    krebs.iptables.tables.filter.INPUT.rules = [      { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }      { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; } -    { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }    ];    krebs.exim-smarthost = {      authenticators.PLAIN = ''        driver = plaintext -      server_prompts = : -      server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}" -      server_set_id = $auth2 +      public_name = PLAIN +      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}      '';      authenticators.LOGIN = ''        driver = plaintext +      public_name = LOGIN        server_prompts = "Username:: : Password::" -      server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}" -      server_set_id = $auth1 +      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}      '';      internet-aliases = [        { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; }        { from = "mail@jla-trading.com"; to = "jla-trading"; } -      { from = "testuser@lassul.us"; to = "testuser"; }      ]; -    system-aliases = [ +    sender_domains = [ +      "jla-trading.com"      ];      ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";      ssl_key = "/var/lib/acme/lassul.us/key.pem"; diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index d93d310da..52914f444 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix 
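Review bot: The new `server_condition` hands the client-supplied password to `verify_arg` as a command-line argument, so it is visible in `/proc/<pid>/cmdline` to every local user while the check runs, and because exim's `${run}` splits the expanded string on spaces, a space or quote in `$auth2`/`$auth3` changes the argument list the verifier sees (the LOGIN block has the same shape). The PAM path being replaced delivered the token over stdin via `expose_authtok`; keeping that delivery model, or at least rejecting credentials containing whitespace or quotes before the `${run}`, avoids both problems. Dropping `server_set_id` also means `$authenticated_id` is no longer set for these sessions, which removes the authenticated user from exim's log lines and from anything downstream that relies on it; `server_set_id = $auth2` (and `$auth1` for LOGIN) should probably stay.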
@@ -88,13 +88,7 @@ in {      ];    }; -  services.phpfpm.phpIni = pkgs.runCommand "php.ini" { -     options = '' -      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so -      sendmail_path = "${sendmail} -t -i" -    ''; -  } '' -    cat ${pkgs.php}/etc/php-recommended.ini > $out -    echo "$options" >> $out +  services.phpfpm.phpOptions = '' +    sendmail_path = ${sendmail} -t    '';  } diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix index 1ee01e8d9..a8ab1c52a 100644 --- a/lass/3modules/usershadow.nix +++ b/lass/3modules/usershadow.nix @@ -13,22 +13,27 @@        type = types.str;        default = "/home/%/.shadow";      }; +    path = mkOption { +      type = types.str; +    };    };    imp = {      environment.systemPackages = [ usershadow ]; +    lass.usershadow.path = "${usershadow}";      security.pam.services.sshd.text = '' -      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} +      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}        auth required pam_permit.so        account required pam_permit.so        session required pam_permit.so      ''; -    security.pam.services.exim.text = '' -      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern} +    security.pam.services.dovecot2.text = '' +      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}        auth required pam_permit.so        account required pam_permit.so        session required pam_permit.so +      session required pam_env.so envfile=${config.system.build.pamEnvironment}      '';    }; @@ -38,7 +43,7 @@        "bytestring"      ];      body = pkgs.writeHaskell "passwords" { -      executables.verify = { +      executables.verify_pam = {          extra-depends = deps;          text = ''            import Data.Monoid 
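Review bot: The replacement `sendmail_path = ${sendmail} -t` drops the `-i` flag the removed php.ini passed (`"${sendmail} -t -i"`); for a sendmail-compatible interface, a message body line consisting of a single `.` then terminates input and truncates the mail. `sendmail_path = ${sendmail} -t -i` preserves the old behaviour while keeping the simpler `phpOptions` form. The apcu extension line disappears as well without a note; if that is intentional, a short comment would save the next reader a git blame.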
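Review bot: The new `path` option is assigned by the module itself (`lass.usershadow.path = "${usershadow}";`) but is declared as a plain writable `types.str` with no default, so any other module could override it and the exim authenticators that consume it would silently run a different verifier; adding `readOnly = true;` and `description = "store path of the usershadow package, for use by other modules";` to the `mkOption` makes the intent explicit. Both PAM stacks keep `account required pam_permit.so`, so account-stage checks (locked or expired accounts) never run for sshd or dovecot2 once this module is enabled; that is probably deliberate but deserves a comment on the first stack. The new `session required pam_env.so envfile=...` line is only added to the dovecot2 stack; if sshd sessions need the same environment it should get the line too.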
@@ -61,18 +66,42 @@              if res then exitSuccess else exitFailure          '';        }; +      executables.verify_arg = { +        extra-depends = deps; +        text = '' +          import Data.Monoid +          import System.IO +          import Data.Char (chr) +          import System.Environment (getEnv, getArgs) +          import Crypto.PasswordStore (verifyPasswordWith, pbkdf2) +          import qualified Data.ByteString.Char8 as BS8 +          import System.Exit (exitFailure, exitSuccess) + +          main :: IO () +          main = do +            argsList <- getArgs +            let shadowFilePattern = argsList !! 0 +            let user = argsList !! 1 +            let password = argsList !! 2 +            let shadowFile = lhs <> user <> tail rhs +                (lhs, rhs) = span (/= '%') shadowFilePattern +            hash <- readFile shadowFile +            let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash) +            if res then do (putStr "yes") else exitFailure +        ''; +      };        executables.passwd = {          extra-depends = deps;          text = ''            import System.Environment (getEnv)            import Crypto.PasswordStore (makePasswordWith, pbkdf2)            import qualified Data.ByteString.Char8 as BS8 -          import System.IO (stdin, hSetEcho, putStr) +          import System.IO (stdin, hSetEcho, putStrLn)            main :: IO ()            main = do              home <- getEnv "HOME" -            putStr "password:" +            putStrLn "password:"              hSetEcho stdin False              password <- BS8.hGetLine stdin              hash <- makePasswordWith pbkdf2 password 10 diff --git a/lass/5pkgs/xmonad-lass.nix b/lass/5pkgs/xmonad-lass.nix index 96b12b9d4..0b05d514a 100644 --- a/lass/5pkgs/xmonad-lass.nix +++ b/lass/5pkgs/xmonad-lass.nix 
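Review bot: `verify_arg` splices the caller-supplied user name into the shadow file path (`lhs <> user <> tail rhs`) without validating it, so a name containing `/` or `..` selects a file outside `/home/<user>/`, and since the exim authenticators in lass/2configs/websites/domsen.nix feed `$auth2`/`$auth1` straight in, that input is remote and unauthenticated. The three `argsList !! n` lookups are also partial — with fewer arguments the program dies with an exception rather than a clean `exitFailure` — and `chr` is imported but unused. Restricting the user name to a conservative character set and pattern-matching the argument list closes both gaps; if `verify_pam` builds the path the same way (its body is outside this hunk) the same check belongs there.
```haskell
import Data.Char (isAlphaNum)
-- … unchanged: remaining imports …

main :: IO ()
main = do
  argsList <- getArgs
  case argsList of
    [shadowFilePattern, user, password]
      | validUser user -> do
          let (lhs, rhs) = span (/= '%') shadowFilePattern
              shadowFile = lhs <> user <> tail rhs
          hash <- readFile shadowFile
          let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
          if res then putStr "yes" else exitFailure
    _ -> exitFailure
  where
    -- only plain account names may reach the path: no '/', '.', or empty name
    validUser u = not (null u) && all (\c -> isAlphaNum c || c `elem` "_-") u
```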
@@ -112,14 +112,13 @@ displaySomeException = displayException  myKeyMap :: [([Char], X ())]  myKeyMap =      [ ("M4-<F11>", spawn "${pkgs.i3lock}/bin/i3lock -i /var/lib/wallpaper/wallpaper -f") +    , ("M4-C-p", spawn "${pkgs.scrot}/bin/scrot ~/public_html/scrot.png")      , ("M4-p", spawn "${pkgs.pass}/bin/passmenu --type")      , ("<XF86AudioRaiseVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 +4%")      , ("<XF86AudioLowerVolume>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-volume 0 -4%")      , ("<XF86AudioMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-sink-mute 0 toggle")      , ("<XF86AudioMicMute>", spawn "${pkgs.pulseaudioLight.out}/bin/pactl -- set-source-mute 1 toggle")      , ("<XF86Launch1>", gridselectWorkspace gridConfig W.view) -    , ("<XF86MonBrightnessUp>", spawn "xbacklight -steps 1 -time 1 -inc 10") -    , ("<XF86MonBrightnessDown>", spawn "xbacklight -steps 1 -time 1 -dec 10")      , ("M4-a", focusUrgent)      , ("M4-S-r", renameWorkspace    def) @@ -129,6 +128,7 @@ myKeyMap =      , ("M4-<Esc>", toggleWS)      , ("M4-S-<Enter>", spawn urxvtcPath)      , ("M4-x", floatNext True >> spawn urxvtcPath) +    , ("M4-z", floatNext True >> spawn "${pkgs.termite}/bin/termite")      , ("M4-f", floatNext True)      , ("M4-b", sendMessage ToggleStruts) diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index bfd880b88..8a43d25ff 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -24,6 +24,7 @@ in {        ../2configs/torrent.nix        ../2configs/graphite-standalone.nix        ../2configs/sabnzbd.nix +      ../2configs/gum-share.nix        ../2configs/opentracker.nix diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index e7f5d0dae..e1aec360d 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix 
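Review bot: `M4-C-p` writes the screenshot to `~/public_html/scrot.png`, and a directory of that name is conventionally served by the web server, so whatever is on screen when the key is pressed is published immediately under a fixed, guessable name and silently overwrites the previous capture. If publishing is the intent, a comment on the binding saying so would be useful; otherwise capturing to a non-served directory and copying deliberately is the safer default.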
@@ -32,7 +32,7 @@        # ../2configs/buildbot-standalone.nix        # hardware specifics are in here -      ../2configs/hw/tp-x220.nix +      ../2configs/hw/tp-x230.nix        ../2configs/hw/rtl8812au.nix        ../2configs/hw/bcm4352.nix        # mount points @@ -46,7 +46,7 @@        # temporary modules        ../2configs/temp/share-samba.nix        ../2configs/laptop-backup.nix -      ../2configs/temp/elkstack.nix +      #../2configs/temp/elkstack.nix        # ../2configs/temp/sabnzbd.nix        ../2configs/tinc/siem.nix        #../2configs/torrent.nix @@ -62,7 +62,7 @@    environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ]; -  # virtualisation.docker.enable = true; +  virtualisation.docker.enable = true;    # configure pulseAudio to provide a HDMI sink as well    networking.firewall.enable = true; diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index cb6fe55b8..db69be2fa 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -10,7 +10,6 @@ with import <stockholm/lib>;      }      ./vim.nix      ./binary-cache/nixos.nix -    ./binary-cache/lass.nix    ];    nixpkgs.config.allowUnfreePredicate =  (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name); @@ -90,9 +89,14 @@ with import <stockholm/lib>;      "d /tmp 1777 root root - -"    ];    nix.nixPath = [ "/var/src" ]; -  environment.variables = { +  environment.variables = let +    ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; +  in {      NIX_PATH = mkForce "/var/src";      EDITOR = mkForce "vim"; +    CURL_CA_BUNDLE = ca-bundle; +    GIT_SSL_CAINFO = ca-bundle; +    SSL_CERT_FILE  = ca-bundle;    };    environment.systemPackages = with pkgs; [ diff --git a/makefu/2configs/deployment/mycube.connector.one.nix b/makefu/2configs/deployment/mycube.connector.one.nix index 2877d2227..091b7f21b 100644 --- a/makefu/2configs/deployment/mycube.connector.one.nix +++ b/makefu/2configs/deployment/mycube.connector.one.nix 
@@ -6,7 +6,11 @@ let    external-ip = config.krebs.build.host.nets.internet.ip4.addr;    wsgi-sock = "${config.services.uwsgi.runDir}/uwsgi.sock";  in { -  services.redis.enable = true; +  services.redis = { +    enable = true; +  }; +  systemd.services.redis.serviceConfig.LimitNOFILE=10032; +    services.uwsgi = {      enable = true;      user = "nginx"; diff --git a/makefu/2configs/gum-share.nix b/makefu/2configs/gum-share.nix new file mode 100644 index 000000000..e578f43d3 --- /dev/null +++ b/makefu/2configs/gum-share.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +let +  hostname = config.krebs.build.host.name; +in { +  # users.users.smbguest = { +  #   name = "smbguest"; +  #   uid = config.ids.uids.smbguest; +  #   description = "smb guest user"; +  #   home = "/var/empty"; +  # }; + +  users.users.download = { }; +  services.samba = { +    enable = true; +    shares = { +      download = { +        path = "/var/download"; +        "read only" = "no"; +        browseable = "yes"; +        "guest ok" = "no"; +        "valid users" = "download"; +      }; +    }; +    extraConfig = '' +      # guest account = smbguest +      # map to guest = bad user +      # disable printing +      load printers = no +      printing = bsd +      printcap name = /dev/null +      disable spoolss = yes +    ''; +  }; +  networking.firewall.extraCommands = '' +      iptables -A INPUT -i retiolum -p tcp --dport 445 -j ACCEPT +  ''; +} diff --git a/makefu/2configs/hw/bcm4352.nix b/makefu/2configs/hw/bcm4352.nix index 516637eb8..5dc8a1449 100644 --- a/makefu/2configs/hw/bcm4352.nix +++ b/makefu/2configs/hw/bcm4352.nix @@ -1,6 +1,7 @@  {config, ...}:  {    networking.enableB43Firmware = true; +  boot.kernelModules = [ "wl" ];    boot.extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];  } diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x230.nix index ce3e34ad3..99563a771 100644 --- a/makefu/2configs/hw/tp-x220.nix 
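Review bot: The `iptables -A INPUT -i retiolum -p tcp --dport 445 -j ACCEPT` line in `extraCommands` appends to INPUT, but with the stock NixOS firewall INPUT jumps to the `nixos-fw` chain, which ends in a refuse rule, so a rule appended to INPUT may never be reached; `iptables -A nixos-fw -i retiolum -p tcp --dport 445 -j ACCEPT` is the form that takes effect there, and it is worth verifying on gum either way. Limiting the share to `valid users = download` with `guest ok = no` is good, but the samba password for `download` has to be set out of band, and `users.users.download = { }` declares neither `isNormalUser` nor `isSystemUser`; a comment recording both (e.g. `# set the share password with smbpasswd -a download after deploy`) would help whoever rebuilds the host.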
+++ b/makefu/2configs/hw/tp-x230.nix @@ -5,9 +5,19 @@ with import <stockholm/lib>;    imports = [ ./tp-x2x0.nix ];    boot = { -    kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" "tp_smapi" ]; -    extraModulePackages = [ config.boot.kernelPackages.tp_smapi ]; +    # tp-smapi is not supported bt x230 anymore +    kernelModules = [ +      "kvm-intel" +      "thinkpad_ec" +   #   "acpi_call" +   #   "thinkpad_acpi" +   #   "tpm-rng" +    ]; +    extraModulePackages = [ +    #  config.boot.kernelPackages.acpi_call +    ];    }; +  services.acpid.enable = true;    hardware.opengl.extraPackages =  [ pkgs.vaapiIntel pkgs.vaapiVdpau ];    services.xserver = {      videoDriver = "intel"; @@ -15,8 +25,8 @@ with import <stockholm/lib>;        Option "AccelMethod" "sna"      '';    }; - -  security.rngd.enable = true; +  # no entropy source working +  # security.rngd.enable = true;    services.xserver.displayManager.sessionCommands =''      xinput set-int-prop "TPPS/2 IBM TrackPoint" "Evdev Wheel Emulation" 8 1 diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix index 2b615ecfa..02bd8bb01 100644 --- a/makefu/2configs/hw/tp-x2x0.nix +++ b/makefu/2configs/hw/tp-x2x0.nix @@ -28,8 +28,9 @@ with import <stockholm/lib>;    services.tlp.enable = true;    services.tlp.extraConfig = ''      # BUG: http://linrunner.de/en/tlp/docs/tlp-faq.html#erratic-battery -    #START_CHARGE_THRESH_BAT0=80 -    STOP_CHARGE_THRESH_BAT0=95 +    START_CHARGE_THRESH_BAT0=67 +    STOP_CHARGE_THRESH_BAT0=100 +      CPU_SCALING_GOVERNOR_ON_AC=performance      CPU_SCALING_GOVERNOR_ON_BAT=ondemand @@ -40,6 +41,6 @@ with import <stockholm/lib>;    '';    powerManagement.resumeCommands = '' -    {pkgs.rfkill}/bin/rfkill unblock all +    ${pkgs.rfkill}/bin/rfkill unblock all    '';  } diff --git a/makefu/2configs/nginx/euer.wiki.nix b/makefu/2configs/nginx/euer.wiki.nix index 22cf9c9b7..9d0b74871 100644 --- a/makefu/2configs/nginx/euer.wiki.nix 
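Review bot: The comment `# tp-smapi is not supported bt x230 anymore` has a typo (`by`), and the same hunk comments out `tpm-rng` while the later hunk disables rngd with `# no entropy source working`; `tpm-rng` is the module that would have given rngd a hardware source on this machine, so the two changes are likely related and the rngd comment should say which sources were tried. Leaving rngd off when there is no hwrng is the right call, but a pointer such as `# rngd disabled: no hwrng (tpm-rng commented out above); revisit if the TPM is enabled` keeps the two decisions linked.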
+++ b/makefu/2configs/nginx/euer.wiki.nix @@ -44,7 +44,6 @@ in {          pm.min_spare_servers = 1          pm.max_spare_servers = 3          chdir = / -        # errors to journal          php_admin_value[error_log] = 'stderr'          php_admin_flag[log_errors] = on          catch_workers_output = yes diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix index dcb072461..c55b94466 100644 --- a/makefu/2configs/tinc/retiolum.nix +++ b/makefu/2configs/tinc/retiolum.nix @@ -1,4 +1,7 @@  _:  { +  imports = [ +    ../binary-cache/lass.nix +  ];    krebs.tinc.retiolum.enable = true;  } diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch.nix index 0d8f888fa..d575d18bc 100644 --- a/makefu/2configs/urlwatch.nix +++ b/makefu/2configs/urlwatch.nix @@ -15,7 +15,7 @@        http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/        http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/        https://github.com/amadvance/snapraid/releases.atom -      https://erdgeist.org/gitweb/opentracker/commit/ +      https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack      ];    };  } | 
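Review bot: Importing `../binary-cache/lass.nix` from the tinc/retiolum module ties trust of that binary cache to enabling the VPN, which is not obvious from either file name; the import was previously in makefu/2configs/default.nix (removed earlier in this commit). A one-line comment above the import, e.g. `# lass' cache is only reachable over retiolum, so trust it together with the VPN`, would record the coupling — assuming that is the reason for the move.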
