72 files changed, 1690 insertions, 2227 deletions
| diff --git a/krebs/1systems/puyak/config.nix b/krebs/1systems/puyak/config.nix index 9ee61c6f8..19cf22280 100644 --- a/krebs/1systems/puyak/config.nix +++ b/krebs/1systems/puyak/config.nix @@ -1,12 +1,16 @@  { config, pkgs, ... }: -  {    imports = [ +    ./net.nix      <stockholm/krebs>      <stockholm/krebs/2configs>      <stockholm/krebs/2configs/secret-passwords.nix>      <stockholm/krebs/2configs/hw/x220.nix> +    # see documentation in included getty-for-esp.nix: +    # brain hosts/puyak/root +    <stockholm/krebs/2configs/hw/getty-for-esp.nix> +      ## initrd unlocking      # (brain hosts/puyak/luks-ssd;echo)  | ssh root@$(brain krebs-secrets/puyak/initrd/hostname) 'cat > /crypt-ramfs/passphrase' @@ -20,8 +24,7 @@      #### NEWS ####      <stockholm/krebs/2configs/ircd.nix> -    #<stockholm/krebs/2configs/news.nix> -    #<stockholm/krebs/2configs/news-spam.nix> +    <stockholm/krebs/2configs/news.nix>      ### shackspace ### @@ -118,7 +121,6 @@    krebs.build.host = config.krebs.hosts.puyak;    sound.enable = false; -    boot = {      loader.systemd-boot.enable = true;      loader.efi.canTouchEfiVariables = true; @@ -163,10 +165,6 @@    services.logind.lidSwitchExternalPower = "ignore"; -  services.udev.extraRules = '' -    SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0" -    SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="et0" -  '';    environment.systemPackages = [ pkgs.zsh ]; @@ -179,5 +177,4 @@      isNormalUser = true;      shell = "/run/current-system/sw/bin/zsh";    }; -  networking.firewall.allowedTCPPorts = [ 5901 ];  } diff --git a/krebs/1systems/puyak/net.nix b/krebs/1systems/puyak/net.nix new file mode 100644 index 000000000..4cb8d247c --- /dev/null +++ b/krebs/1systems/puyak/net.nix 
@@ -0,0 +1,23 @@ +let +  ext-if = "enp0s25"; +  shack-ip = "10.42.22.184"; +  shack-gw = "10.42.20.1"; +in { +  services.udev.extraRules = '' +    SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0" +    SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="et0" +  ''; +  networking = { +    firewall.enable = false; +    firewall.allowedTCPPorts = [ 8088 8086 8083 5901 ]; +    interfaces."${ext-if}".ipv4.addresses = [ +      { +        address = shack-ip; +        prefixLength = 20; +      } +    ]; + +    defaultGateway = shack-gw; +    nameservers = [ "10.42.0.100" "10.42.0.200" ]; +  }; +} diff --git a/krebs/2configs/go.nix b/krebs/2configs/go.nix index c39b08a8e..ce5db62d4 100644 --- a/krebs/2configs/go.nix +++ b/krebs/2configs/go.nix @@ -2,9 +2,6 @@  with import <stockholm/lib>;  { -  environment.systemPackages = [ -    pkgs.go-shortener -  ];    krebs.go = {      enable = true;    }; diff --git a/krebs/2configs/hw/getty-for-esp.nix b/krebs/2configs/hw/getty-for-esp.nix new file mode 100644 index 000000000..18c912353 --- /dev/null +++ b/krebs/2configs/hw/getty-for-esp.nix @@ -0,0 +1,17 @@ +{ +  # 1. Program an esp8266 devboard (esp8266+usb-ttl) with # https://github.com/jeelabs/esp-link  +  #   tested vesion: esp-link v3.2.47-g9c6530d +  #   Pin Preset: esp-bridge +  #     tx-enable: false +  #     uart-pins: normal +  # 2. connect directly with usb-cable to device, check that vendorID and ProductID match  +  # 3. nc <esp-link-ip> 23 +  # Info: for puyak the root pw is `brain hosts/puyak/root` +  services.udev.extraRules = '' +    SUBSYSTEM=="tty", ATTRS{idVendor}=="1a86", ATTRS{idProduct}=="7523", SYMLINK+="ilo", MODE="0660" +  ''; +  systemd.services."serial-getty@ilo".enable = true; +  systemd.services."serial-getty@ilo".wantedBy = [ "multi-user.target" ]; +  systemd.services."serial-getty@ilo".serviceConfig.Restart = "always"; +} + diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index 65972aacc..789fc2f2f 100644 
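Review bot: `firewall.enable = false;` in the new `networking` block makes the `firewall.allowedTCPPorts = [ 8088 8086 8083 5901 ];` line after it inert, so every listening service on puyak is reachable on the statically addressed interface, not only those four ports. If the intent is to open just these ports, drop the disable line (or set `firewall.enable = true;`). If the firewall really has to be off, remove the port list and record why, e.g. `# firewall disabled: <reason>`. Separately, the address is bound to `ext-if = "enp0s25"` while the udev rule in the same file renames a NIC to `et0`; if that is the same card (not visible from here), the address would be configured on a name that no longer exists.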
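Review bot: The udev rule in getty-for-esp.nix matches only `idVendor` 1a86 and `idProduct` 7523, which as far as I know is a generic USB-serial bridge ID, so any adapter of that type plugged into the host gets the `ilo` symlink and a login getty with `Restart = "always"`. Per the header comment the console is then reached with `nc <esp-link-ip> 23`, so the root password crosses the network in cleartext, and no authentication on the esp-link side is shown here. Consider pinning the rule to the one intended device, for example with an added `ATTRS{serial}=="<adapter-serial>"` match if the adapter exposes a serial, or a `KERNELS=="<usb-port-path>"` match otherwise. The comment should also state that the esp-link must sit on a restricted network segment, e.g. `# esp-link exposes an unauthenticated, unencrypted root console; keep it on <restricted-network> only`.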
--- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -11,12 +11,12 @@        hello      '';      config = '' +      loadmodule "extensions/m_omode";        serverinfo {          name = "${config.krebs.build.host.name}.irc.r";          sid = "1as";          description = "miep!";          network_name = "irc.r"; -        hub = yes;          vhost = "0.0.0.0";          vhost6 = "::"; @@ -26,7 +26,7 @@          #ssl_dh_params = "etc/dh.pem";          #ssld_count = 1; -        default_max_clients = 10000; +        default_max_clients = 100000;          #nicklen = 30;        }; @@ -43,19 +43,31 @@          /* Listen on IPv6 (if you used host= above). */          host = "::";          port = 6667; -        sslport = 9999; +        sslport = 6697;        };        class "users" {          ping_time = 2 minutes;          number_per_ident = 10; -        number_per_ip = 2048; +        number_per_ip = 4096;          number_per_ip_global = 4096;          cidr_ipv4_bitlen = 24;          cidr_ipv6_bitlen = 64;          number_per_cidr = 65536; -        max_number = 3000; -        sendq = 1 megabyte; +        max_number = 100000; +        sendq = 10 megabyte; +      }; + +      privset "op" { +        privs = oper:admin; +      }; + +      operator "aids" { +        user = "*@*"; +        password = "balls"; +        flags = ~encrypted; +        snomask = "+s"; +        privset = "op";        };        exempt { @@ -93,12 +105,13 @@          channel_target_change = yes;          disable_local_channels = no;        }; +        general {          #maybe we want ident someday? -        default_floodcount = 1000; +        default_floodcount = 10000;          disable_auth = yes;          throttle_duration = 1; -        throttle_count = 1000; +        throttle_count = 10000;        };      '';    }; diff --git a/krebs/2configs/news-spam.nix b/krebs/2configs/news-spam.nix deleted file mode 100644 index a8c658858..000000000 --- a/krebs/2configs/news-spam.nix +++ /dev/null 
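Review bot: The new `operator` block commits a plaintext oper password to the repository (`flags = ~encrypted;`), accepts it from any host (`user = "*@*";`) and grants `privs = oper:admin;`, while the first hunk of this file loads `extensions/m_omode`. Anyone who can read this repository and reach the listener can therefore obtain admin on the server. Store a hash instead, `flags = encrypted;` with `password = "<hash-from-the-ircd-password-tool>";`, or source the block from the secrets store this tree already uses for other credentials. Also narrow the mask, e.g. `user = "*@<admin-host>";`. The current password should be treated as disclosed and rotated, since it stays in the commit history.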
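Review bot: `default_floodcount` and `throttle_count` in the `general` block are both raised to 10000 with `disable_auth = yes;` left in place, and the earlier hunks lift `default_max_clients` and `max_number` to 100000 and `sendq` to `10 megabyte`. Together this leaves the server with effectively no connection or flood throttling, and the per-client send queue times the client ceiling is far more memory than the host is likely to have. If the higher limits are only needed for the news bots, consider a dedicated class for them instead of loosening `class "users"` for every client. At minimum document the assumption, e.g. `# limits raised for newsbot-js; listener reachable only from <network>`.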
@@ -1,164 +0,0 @@ -{ pkgs, ... }: - -{ -  krebs.newsbot-js.news-spam = { -    urlShortenerHost = "go.lassul.us"; -    feeds = pkgs.writeText "feeds" '' -      _aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews -      _allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews -      _antirez|http://antirez.com/rss|#snews -      _archlinux|http://www.archlinux.org/feeds/news/|#snews -      _ars|http://feeds.arstechnica.com/arstechnica/index?format=xml|#snews -      _augustl|http://augustl.com/atom.xml|#snews -      _bbc|http://feeds.bbci.co.uk/news/rss.xml|#snews -      _bdt_aktuelle_themen|http://www.bundestag.de/blueprint/servlet/service/de/14154/asFeed/index.rss|#snews -      _bdt_drucksachen|http://www.bundestag.de/dip21rss/bundestag_drucksachen.rss|#snews -      _bdt_plenarproto|http://www.bundestag.de/rss_feeds/plenarprotokolle.rss|#snews -      _bdt_pressemitteilungen|http://www.bundestag.de/blueprint/servlet/service/de/273112/asFeed/index.rss|#snews -      _bitcoinpakistan|https://bitcoinspakistan.com/feed/|#snews -      _cancer|http://feeds.feedburner.com/ncinewsreleases?format=xml|#snews -      _carta|http://feeds2.feedburner.com/carta-standard-rss|#snews -      _catholic_news|http://feeds.feedburner.com/catholicnewsagency/dailynews|#snews -      _cbc_busi|http://rss.cbc.ca/lineup/business.xml|#snews -      _cbc_offbeat|http://www.cbc.ca/cmlink/rss-offbeat|#snews -      _cbc_pol|http://rss.cbc.ca/lineup/politics.xml|#snews -      _cbc_tech|http://rss.cbc.ca/lineup/technology.xml|#snews -      _cbc_top|http://rss.cbc.ca/lineup/topstories.xml|#snews -      _ccc|http://www.ccc.de/rss/updates.rdf|#snews -      _chan_biz|http://boards.4chan.org/biz/index.rss|#snews -      _chan_g|http://boards.4chan.org/g/index.rss|#snews -      _chan_int|http://boards.4chan.org/int/index.rss|#snews -      _chan_sci|http://boards.4chan.org/sci/index.rss|#snews -      _chan_x|http://boards.4chan.org/x/index.rss|#snews -      
_c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#snews -      _cryptogon|http://www.cryptogon.com/?feed=rss2|#snews -      _csm|http://rss.csmonitor.com/feeds/csm|#snews -      _csm_world|http://rss.csmonitor.com/feeds/world|#snews -      _danisch|http://www.danisch.de/blog/feed/|#snews -      _dod|http://www.defense.gov/news/afps2.xml|#snews -      _dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#snews -      _ecat|http://ecat.com/feed|#snews -      _eia_press|http://www.eia.gov/rss/press_rss.xml|#snews -      _eia_today|http://www.eia.gov/rss/todayinenergy.xml|#snews -      _embargowatch|https://embargowatch.wordpress.com/feed/|#snews -      _ethereum-comments|http://blog.ethereum.org/comments/feed|#snews -      _ethereum|http://blog.ethereum.org/feed|#snews -      _europa_ric|http://ec.europa.eu/research/infocentre/rss/infocentre-rss.xml|#snews -      _eu_survei|http://www.eurosurveillance.org/public/RSSFeed/RSS.aspx|#snews -      _exploitdb|http://www.exploit-db.com/rss.xml|#snews -      _fars|http://www.farsnews.com/rss.php|#snews #test -      _faz_feui|http://www.faz.net/rss/aktuell/feuilleton/|#snews -      _faz_politik|http://www.faz.net/rss/aktuell/politik/|#snews -      _faz_wirtschaft|http://www.faz.net/rss/aktuell/wirtschaft/|#snews -      _fbi|https://www.fbi.gov/news/rss.xml|#snews -      _fedreserve|http://www.federalreserve.gov/feeds/press_all.xml|#snews -      _fefe|http://blog.fefe.de/rss.xml|#snews -      _forbes|http://www.forbes.com/forbes/feed2/|#snews -      _forbes_realtime|http://www.forbes.com/real-time/feed2/|#snews -      _fox|http://feeds.foxnews.com/foxnews/latest|#snews -      _geheimorganisation|http://geheimorganisation.org/feed/|#snews -      _GerForPol|http://www.german-foreign-policy.com/de/news/rss-2.0|#snews -      _gmanet|http://www.gmanetwork.com/news/rss/news|#snews -      _golem|http://rss.golem.de/rss.php|#snews -      _google|http://news.google.com/?output=rss|#snews -      
_greenpeace|http://feeds.feedburner.com/GreenpeaceNews|#snews -      _guardian_uk|http://feeds.theguardian.com/theguardian/uk-news/rss|#snews -      _gulli|http://ticker.gulli.com/rss/|#snews -      _hackernews|https://news.ycombinator.com/rss|#snews -      _handelsblatt|http://www.handelsblatt.com/contentexport/feed/schlagzeilen|#snews -      _heise|https://www.heise.de/newsticker/heise-atom.xml|#snews -      _hindu_business|http://www.thehindubusinessline.com/?service=rss|#snews -      _hindu|http://www.thehindu.com/?service=rss|#snews -      _ign|http://feeds.ign.com/ign/all|#snews -      _independent|http://www.independent.com/rss/headlines/|#snews -      _indymedia|https://de.indymedia.org/rss.xml|#snews -      _info_libera|http://www.informationliberation.com/rss.xml|#snews -      _klagen-gegen-rundfuckbeitrag|http://klagen-gegen-rundfunkbeitrag.blogspot.com/feeds/posts/default|#snews -      _korea_herald|http://www.koreaherald.com/rss_xml.php|#snews -      _linuxinsider|http://www.linuxinsider.com/perl/syndication/rssfull.pl|#snews -      _lisp|http://planet.lisp.org/rss20.xml|#snews -      _liveleak|http://www.liveleak.com/rss|#snews -      _lolmythesis|http://lolmythesis.com/rss|#snews -      _LtU|http://lambda-the-ultimate.org/rss.xml|#snews -      _lukepalmer|http://lukepalmer.wordpress.com/feed/|#snews -      _mit|http://web.mit.edu/newsoffice/rss-feeds.feed?type=rss|#snews -      _mongrel2_master|https://github.com/zedshaw/mongrel2/commits/master.atom|#snews -      _nds|http://www.nachdenkseiten.de/?feed=atom|#snews -      _netzpolitik|https://netzpolitik.org/feed/|#snews -      _newsbtc|http://newsbtc.com/feed/|#snews -      _nnewsg|http://www.net-news-global.net/rss/rssfeed.xml|#snews -      _npr_busi|http://www.npr.org/rss/rss.php?id=1006|#snews -      _npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#snews -      _npr_pol|http://www.npr.org/rss/rss.php?id=1012|#snews -      _npr_world|http://www.npr.org/rss/rss.php?id=1004|#snews -      
_nsa|https://www.nsa.gov/rss.xml|#snews #bullerei -      _nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#snews -      _painload|https://github.com/krebs/painload/commits/master.atom|#snews -      _phys|http://phys.org/rss-feed/|#snews -      _piraten|https://www.piratenpartei.de/feed/|#snews -      _polizei_berlin|http://www.berlin.de/polizei/presse-fahndung/_rss_presse.xml|#snews -      _presse_polizei|http://www.presseportal.de/rss/polizei.rss2|#snews -      _presseportal|http://www.presseportal.de/rss/presseportal.rss2|#snews -      _prisonplanet|http://prisonplanet.com/feed.rss|#snews -      _rawstory|http://www.rawstory.com/rs/feed/|#snews -      _reddit_4chan|http://www.reddit.com/r/4chan/new/.rss|#snews -      _reddit_anticonsum|http://www.reddit.com/r/Anticonsumption/new/.rss|#snews -      _reddit_btc|http://www.reddit.com/r/Bitcoin/new/.rss|#snews -      _reddit_consp|http://reddit.com/r/conspiracy/.rss|#snews -      _reddit_haskell|http://www.reddit.com/r/haskell/.rss|#snews -      _reddit_nix|http://www.reddit.com/r/nixos/.rss|#snews -      _reddit_prog|http://www.reddit.com/r/programming/new/.rss|#snews -      _reddit_sci|http://www.reddit.com/r/science/.rss|#snews -      _reddit_tech|http://www.reddit.com/r/technology/.rss|#snews -      _reddit_tpp|http://www.reddit.com/r/twitchplayspokemon/.rss|#snews -      _reddit_world|http://www.reddit.com/r/worldnews/.rss|#snews -      _r-ethereum|http://www.reddit.com/r/ethereum/.rss|#snews -      _reuters|http://feeds.reuters.com/Reuters/worldNews|#snews -      _reuters-odd|http://feeds.reuters.com/reuters/oddlyEnoughNews?format=xml|#snews -      _rt|http://rt.com/rss/news/|#snews -      _schallurauch|http://feeds.feedburner.com/SchallUndRauch|#snews -      _sciencemag|http://news.sciencemag.org/rss/current.xml|#snews -      _scmp|http://www.scmp.com/rss/91/feed|#snews -      _sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews -      
_shackspace|http://shackspace.de/atom.xml|#snews -      _shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews -      _sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews -      _sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews -      _sky_strange|http://feeds.skynews.com/feeds/rss/strange.xml|#snews -      _sky_tech|http://feeds.skynews.com/feeds/rss/technology.xml|#snews -      _sky_world|http://feeds.skynews.com/feeds/rss/world.xml|#snews -      _slashdot|http://rss.slashdot.org/Slashdot/slashdot|#snews -      _slate|http://feeds.slate.com/slate|#snews -      _spiegel_eil|http://www.spiegel.de/schlagzeilen/eilmeldungen/index.rss|#snews -      _spiegel_top|http://www.spiegel.de/schlagzeilen/tops/index.rss|#snews -      _standardmedia_ke|http://www.standardmedia.co.ke/rss/headlines.php|#snews -      _stern|http://www.stern.de/feed/standard/all/|#snews -      _stz|http://www.stuttgarter-zeitung.de/rss/topthemen.rss.feed|#snews -      _sz_politik|http://rss.sueddeutsche.de/rss/Politik|#snews -      _sz_wirtschaft|http://rss.sueddeutsche.de/rss/Wirtschaft|#snews -      _sz_wissen|http://rss.sueddeutsche.de/rss/Wissen|#snews -      _tagesschau|http://www.tagesschau.de/newsticker.rdf|#snews -      _taz|http://taz.de/Themen-des-Tages/!p15;rss/|#snews -      _telegraph|http://www.telegraph.co.uk/rss.xml|#snews -      _telepolis|http://www.heise.de/tp/rss/news-atom.xml|#snews -      _the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#snews -      _tigsource|http://www.tigsource.com/feed/|#snews -      _tinc|http://tinc-vpn.org/news/index.rss|#snews -      _torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#snews -      _torrentfreak|http://feeds.feedburner.com/Torrentfreak|#snews -      _torr_news|http://feed.torrentfreak.com/Torrentfreak/|#snews -      _travel_warnings|http://feeds.travel.state.gov/ca/travelwarnings-alerts|#snews -      _un_afr|http://www.un.org/apps/news/rss/rss_africa.asp|#snews -      
_un_am|http://www.un.org/apps/news/rss/rss_americas.asp|#snews -      _un_eu|http://www.un.org/apps/news/rss/rss_europe.asp|#snews -      _un_me|http://www.un.org/apps/news/rss/rss_mideast.asp|#snews -      _un_pac|http://www.un.org/apps/news/rss/rss_asiapac.asp|#snews -      _un_top|http://www.un.org/apps/news/rss/rss_top.asp|#snews -      _us_math_society|http://www.ams.org/cgi-bin/content/news_items.cgi?rss=1|#snews -      _vimperator|https://sites.google.com/a/vimperator.org/www/blog/posts.xml|#snews -      _weechat|http://dev.weechat.org/feed/atom|#snews -      _xkcd|https://xkcd.com/rss.xml|#snews -      _zdnet|http://www.zdnet.com/news/rss.xml|#snews -    ''; -  }; -} diff --git a/krebs/2configs/news.nix b/krebs/2configs/news.nix index 6c59f4d84..f40997f82 100644 --- a/krebs/2configs/news.nix +++ b/krebs/2configs/news.nix @@ -1,22 +1,39 @@  { pkgs, ... }:  { -  krebs.newsbot-js.news = { -    feeds = pkgs.writeText "feeds" '' -      antirez|http://antirez.com/rss|#news -      archlinux|http://www.archlinux.org/feeds/news/|#news -      ethereum|http://blog.ethereum.org/feed|#news -      LtU|http://lambda-the-ultimate.org/rss.xml|#news | 
