| -rw-r--r-- | krebs/1systems/hope/config.nix | 41 | ||||
| -rw-r--r-- | krebs/1systems/hope/source.nix | 3 | ||||
| -rw-r--r-- | krebs/3modules/krebs/default.nix | 32 | ||||
| -rw-r--r-- | lass/1systems/mors/config.nix | 12 | ||||
| -rw-r--r-- | lass/1systems/shodan/config.nix | 6 | ||||
| -rw-r--r-- | lass/2configs/default.nix | 1 | ||||
| -rw-r--r-- | lass/2configs/mail.nix | 6 | ||||
| -rw-r--r-- | lass/2configs/mpv.nix | 26 | ||||
| -rw-r--r-- | lass/3modules/umts.nix | 21 | ||||
| -rw-r--r-- | mv/1systems/stro/config.nix (renamed from mv/1systems/stro.nix) | 23 | ||||
| -rw-r--r-- | mv/1systems/stro/source.nix | 3 | ||||
| -rw-r--r-- | mv/source.nix | 23 | 
12 files changed, 141 insertions, 56 deletions
| diff --git a/krebs/1systems/hope/config.nix b/krebs/1systems/hope/config.nix
new file mode 100644
index 000000000..c19b210c5
--- /dev/null
+++ b/krebs/1systems/hope/config.nix
@@ -0,0 +1,41 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+  ip = config.krebs.build.host.nets.internet.ip4.addr;
+  bestGuessGateway = addr: elemAt (match "(.*)(\.[^.])" addr) 0 + ".1";
+
+in {
+  imports = [
+    <stockholm/krebs>
+    <stockholm/krebs/2configs>
+    <stockholm/krebs/2configs/os-templates/CAC-CentOS-7-64bit.nix>
+
+    <stockholm/krebs/2configs/secret-passwords.nix>
+    {
+      users.extraUsers = {
+        satan = {
+          name = "satan";
+          uid = 1338;
+          home = "/home/satan";
+          group = "users";
+          createHome = true;
+          useDefaultShell = true;
+          initialPassword = "test";
+        };
+      };
+    }
+  ];
+
+  krebs.build.host = config.krebs.hosts.hope;
+
+  networking = let
+    address = config.krebs.build.host.nets.internet.ip4.addr;
+  in {
+    defaultGateway = bestGuessGateway address;
+    interfaces.enp2s1.ip4 = singleton {
+      inherit address;
+      prefixLength = 24;
+    };
+    nameservers = ["8.8.8.8"];
+  };
+}
diff --git a/krebs/1systems/hope/source.nix b/krebs/1systems/hope/source.nix
new file mode 100644
index 000000000..7121d1d9d
--- /dev/null
+++ b/krebs/1systems/hope/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+  name = "hope";
+}
diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix
index 27fbb7088..9cd103175 100644
--- a/krebs/3modules/krebs/default.nix
+++ b/krebs/3modules/krebs/default.nix
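Review bot: `initialPassword = "test"` on the `satan` account is a guessable credential committed to the repository, and `initialPassword` lands in plaintext in the world-readable Nix store on a host that this commit gives a public address (45.62.225.18) and an SSH port (45621); unless the imported krebs/2configs disables password authentication (not visible here), this is a weak login on an internet-facing machine, so use `hashedPassword` fed from the already-imported `secret-passwords.nix` or at least a per-host random value. Separately, `bestGuessGateway` does not do what its name promises for this host's address: in a Nix double-quoted string `\.` is just `.`, so the regex is `(.*)(.[^.])` and for `45.62.225.18` group 0 is `45.62.225.`, giving a gateway of `45.62.225..1` (with a doubled backslash it would instead fail to match a two-digit last octet at all). `bestGuessGateway = addr: elemAt (match "(.*)\\.[^.]*" addr) 0 + ".1";` strips the whole last octet as intended. The `ip` binding at the top of the file is unused and could be dropped or reused in `networking` instead of re-deriving `address`.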
@@ -30,6 +30,38 @@ let
   });
 in {
   hosts = {
+    hope = {
+      owner = config.krebs.users.krebs;
+      managed = true;
+      nets = {
+        internet = {
+          ip4.addr = "45.62.225.18";
+          aliases = [
+            "hope.i"
+          ];
+          ssh.port = 45621;
+        };
+        retiolum = {
+          ip4.addr = "10.243.77.4";
+          ip6.addr = "42:0:0:0:0:0:77:4";
+          aliases = [
+            "hope.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAsQVWCoNZZd77tYw1qEDlUsfcF0ld+jVorq2uR5il1D8sqER644l5
+            uaWxPQjSl27xdq5kvzIH24Ab6/xF2EDgE2fUTwpO5coBYafeiGyi5AwURQmYMp2a
+            2CV7uUAagFQaSzD0Aj796r1BXPn1IeE+uRSBmmc/+/7L0hweRGLiha34NOMZkq+4
+            A0pwI/CjnyRXdV4AqfORHXkelykJPATm+m3bC+KYogPBeNMP2AV2aYgY8a0UJPMK
+            fjAJCzxYJjiYxm8faJlm2U1bWytZODQa8pRZOrYQa4he2UoU6x78CNcrQkYLPOFC
+            K2Q7+B5WJNKV6CqYztXuU/6LTHJRmV0FiwIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdLHRI29xJj1jmfSidE2Dh7EsDNszm+WH3Kj4zYBkP/";
+    };
     hotdog = {
       owner = config.krebs.users.krebs;
       managed = true;
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index bb6f84c7b..58f55ce68 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -40,15 +40,6 @@ with import <stockholm/lib>;
       };
     }
     {
-      #zalando project
-      services.postgresql = {
-        enable = true;
-        package = pkgs.postgresql;
-      };
-      virtualisation.docker.enable = true;
-      #users.users.mainUser.extraGroups = [ "docker" ];
-    }
-    {
       lass.umts = {
         enable = true;
         modem = "/dev/serial/by-id/usb-Lenovo_F5521gw_C12AD95CB7B78F90-if09";
@@ -91,6 +82,9 @@ with import <stockholm/lib>;
         client.enable = true;
       };
     }
+    {
+      services.mongodb.enable = true;
+    }
   ];
   krebs.build.host = config.krebs.hosts.mors;
diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix
index b6d49d6e4..ef015aebc 100644
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@@ -41,7 +41,11 @@ with import <stockholm/lib>;
     "/boot" = {
       device = "/dev/sda1";
     };
-
+    "/home" = {
+      device = "/dev/mapper/pool-home";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
     "/tmp" = {
       device = "tmpfs";
       fsType = "tmpfs";
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 22a7b1c19..e96f4dc7e 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -200,6 +200,7 @@ with import <stockholm/lib>;
       filter.INPUT.policy = "DROP";
       filter.FORWARD.policy = "DROP";
       filter.INPUT.rules = [
+        { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}
         { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; }
         { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; }
         { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false;  precedence = 10000; }
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 9f9bb24fa..7a9881186 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
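Review bot: `services.mongodb.enable = true;` brings the daemon up with the module defaults and nothing else, which as far as I recall the NixOS module means no authentication, so every local user and process can read and write the databases. Confirm that the module's bind address stays on loopback in the pinned nixpkgs, and either enable authentication (if the module version offers an auth option) or add a comment such as `# local dev instance, unauthenticated on loopback only` stating that this is acceptable on this machine. The `imports` list this block belongs to starts before the hunk.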
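Review bot: The new `/home` entry mounts a user-writable filesystem with only `defaults noatime ssd compress=lzo`; adding `nosuid` and `nodev` costs nothing and stops setuid binaries or device nodes placed under a home directory from being honoured, e.g. `options = ["defaults" "noatime" "ssd" "compress=lzo" "nosuid" "nodev"];`, unless something in a home directory relies on device nodes. Whether `/dev/mapper/pool-home` is plain LVM or LUKS-backed is not visible here; if it is encrypted, the corresponding initrd device declaration lives outside this hunk. The `fileSystems` set continues past the hunk.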
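Review bot: The added rule `{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";}` is the only entry in the list without an explicit `precedence`, so its position is left to the module's default, and it also lacks the space before the closing brace its siblings have. Because every neighbouring rule is ACCEPT the order does not matter today, but a later REJECT with a higher precedence would silently shadow it; scoping it to `-i retiolum` is the right choice and worth keeping. A comment naming the service (UDP 60000–61000 is presumably the mosh range; confirm) plus a precedence aligned with the ICMP rules, `{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; precedence = 10000; }`, keeps the list self-explanatory. The `filter.INPUT.rules` list continues beyond the hunk.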
@@ -78,11 +78,13 @@ let
                      and NOT to:shackspace \
                      and NOT to:c-base \
                      and NOT from:security-alert@hpe.com \
-                     and NOT to:nix-devel"\
+                     and NOT to:nix-devel\
+                     and NOT to:radio"\
         "shack"     "notmuch://?query=to:shackspace"\
         "c-base"    "notmuch://?query=to:c-base"\
         "security"  "notmuch://?query=to:securityfocus or from:security-alert@hpe.com"\
         "nix"       "notmuch://?query=to:nix-devel"\
+        "radio"     "notmuch://?query=to:radio or tag:radio"\
         "TODO"      "notmuch://?query=tag:TODO"\
         "Starred"   "notmuch://?query=tag:*"\
         "Archive"   "notmuch://?query=tag:archive"\
@@ -126,7 +128,7 @@ let
     bind index t noop
     bind pager t noop
-    macro index t "<modify-labels>+TODO\n"        # tag as Archived
+    macro index t "<modify-labels>"        # tag as Archived
     # top index bar in email view
     set pager_index_lines=7
diff --git a/lass/2configs/mpv.nix b/lass/2configs/mpv.nix
index 04fd9213e..b3de42c7b 100644
--- a/lass/2configs/mpv.nix
+++ b/lass/2configs/mpv.nix
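Review bot: The trailing comment `# tag as Archived` on the changed `macro index t` line is stale: the macro previously added `+TODO` and now sends a bare `<modify-labels>`, which opens the label prompt, so neither version archives anything. Replace it with `# prompt for labels to add/remove on the current message`, or drop the macro if `t` is meant to stay a no-op via the two `bind ... t noop` lines above it. The muttrc text this sits in starts before the hunk.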
@@ -2,40 +2,16 @@
 let
-  scripts = lib.concatStringsSep "," [
-    good
-    delete
-  ];
-
   mpv = pkgs.symlinkJoin {
     name = "mpv";
     paths = [
       (pkgs.writeDashBin "mpv" ''
-        exec ${pkgs.mpv}/bin/mpv --no-config --script=${scripts} "$@"
+        exec ${pkgs.mpv}/bin/mpv --no-config "$@"
       '')
       pkgs.mpv
     ];
   };
-  moveToDir = key: dir: pkgs.writeText "move-with-${key}.lua" ''
-    tmp_dir = "${dir}"
-
-    function move_current_track_${key}()
-      track = mp.get_property("path")
-      os.execute("mkdir -p '" .. tmp_dir .. "'")
-      os.execute("mv '" .. track .. "' '" .. tmp_dir .. "'")
-      print("moved '" .. track .. "' to " .. tmp_dir)
-    end
-
-    mp.add_key_binding("${key}", "move_current_track_${key}", move_current_track_${key})
-  '';
-
-  good = moveToDir "G" "./.good";
-  delete = moveToDir "D" "./.graveyard";
-
-  up = moveToDir "U" "./up";
-  down = moveToDir "Y" "./down";
-
 in {
   environment.systemPackages = [
     mpv
diff --git a/lass/3modules/umts.nix b/lass/3modules/umts.nix
index 83de4d403..c93c65ad2 100644
--- a/lass/3modules/umts.nix
+++ b/lass/3modules/umts.nix
@@ -31,6 +31,16 @@ let
       type = types.str;
       default = "default";
     };
+    pppDefaults = mkOption {
+      type = types.str;
+      default = ''
+        noipdefault
+        usepeerdns
+        defaultroute
+        persist
+        noauth
+      '';
+    };
   };
   nixpkgs-1509 = import (pkgs.fetchFromGitHub {
@@ -71,7 +81,16 @@ let
       lass ALL= (root) NOPASSWD: ${umts-bin}/bin/umts
     '';
-    environment.wvdial.dialerDefaults = wvdial-defaults;
+    environment.etc = [
+      {
+        source = pkgs.writeText "wvdial.conf" wvdial-defaults;
+        target = "wvdial.conf";
+      }
+      {
+        source = pkgs.writeText "wvdial" cfg.pppDefaults;
+        target = "ppp/peers/wvdial";
+      }
+    ];
     systemd.services.umts = {
       description = "UMTS wvdial Service";
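Review bot: Both new `environment.etc` entries go through `pkgs.writeText`, which puts the file content into the world-readable Nix store before it is linked into /etc; `wvdial-defaults` is defined outside this hunk, so if it carries the SIM PIN or carrier username/password, those become readable by every local user and travel with any pushed binary cache. If that is the case, keep the sensitive part out of the store: point the `wvdial.conf` entry's `source` at a file provisioned from `<secrets>` and set a restrictive `mode` on the entry, or let the umts service assemble the config at start-up. The `pppDefaults` default in the first umts hunk includes `noauth`, which tells pppd not to require the peer to authenticate; that is usual for a cellular uplink but deserves a comment on the option, e.g. `# the carrier is the peer; do not demand PAP/CHAP from it`.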
diff --git a/mv/1systems/stro.nix b/mv/1systems/stro/config.nix
index bb37aedda..669655eec 100644
--- a/mv/1systems/stro.nix
+++ b/mv/1systems/stro/config.nix
@@ -8,18 +8,6 @@ with import <stockholm/lib>;
     build = {
       user = config.krebs.users.mv;
       host = config.krebs.hosts.stro;
-      source = let
-        HOME = getEnv "HOME";
-        host = config.krebs.build.host;
-      in {
-        nixos-config.symlink = "stockholm/mv/1systems/${host.name}.nix";
-        secrets.file = "${HOME}/secrets/${host.name}";
-        stockholm.file = "${HOME}/stockholm";
-        nixpkgs.git = {
-          url = https://github.com/NixOS/nixpkgs;
-          ref = "8bf31d7d27cae435d7c1e9e0ccb0a320b424066f";
-        };
-      };
     };
   };
@@ -27,7 +15,7 @@ with import <stockholm/lib>;
     <secrets>
     <stockholm/krebs>
     <stockholm/tv/2configs/audit.nix>
-    <stockholm/tv/2configs/bash.nix>
+    <stockholm/tv/2configs/bash>
     <stockholm/tv/2configs/exim-retiolum.nix>
     <stockholm/tv/2configs/hw/x220.nix>
     <stockholm/tv/2configs/im.nix>
@@ -40,7 +28,6 @@ with import <stockholm/lib>;
     <stockholm/tv/2configs/xdg.nix>
     <stockholm/tv/2configs/xserver>
     <stockholm/tv/3modules>
-    <stockholm/tv/5pkgs>
   ];
   boot.kernel.sysctl = {
@@ -124,13 +111,13 @@ with import <stockholm/lib>;
   nix = {
     binaryCaches = ["https://cache.nixos.org"];
-    # TODO check if both are required:
-    chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
     requireSignedBinaryCaches = true;
-    useChroot = true;
+    # TODO check if both are required:
+    sandboxPaths = [ "/etc/protocols" pkgs.iana_etc.outPath ];
+    useSandbox = true;
   };
-  nixpkgs.config.allowUnfree = false;
+  nixpkgs.config.packageOverrides = import <stockholm/tv/5pkgs> pkgs;
   users = {
     defaultUserShell = "/run/current-system/sw/bin/bash";
diff --git a/mv/1systems/stro/source.nix b/mv/1systems/stro/source.nix
new file mode 100644
index 000000000..888d616c8
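Review bot: In the last hunk `nixpkgs.config.allowUnfree = false;` is replaced by the unrelated `packageOverrides` line, so the explicit unfree policy disappears from the file; nixpkgs defaults `allowUnfree` to false, so behaviour is unchanged, but the line documented intent and costs nothing to keep next to the new one: `nixpkgs.config.allowUnfree = false;`. The carried-over `# TODO check if both are required:` now sits above `sandboxPaths` and `useSandbox`, which do different things (exposing extra host paths inside the sandbox versus turning the sandbox on), so the TODO could be resolved by a comment stating why `/etc/protocols` and `iana_etc` are needed inside the sandbox. The enclosing attribute set starts and ends outside this hunk.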
--- /dev/null
+++ b/mv/1systems/stro/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/mv/source.nix> {
+  name = "stro";
+}
diff --git a/mv/source.nix b/mv/source.nix
new file mode 100644
index 000000000..8b1563914
--- /dev/null
+++ b/mv/source.nix
@@ -0,0 +1,23 @@
+with import <stockholm/lib>;
+host@{ name, override ? {} }: let
+  builder = if getEnv "dummy_secrets" == "true"
+              then "buildbot"
+              else "mv";
+  _file = <stockholm> + "/mv/1systems/${name}/source.nix";
+in
+  evalSource (toString _file) [
+    {
+      nixos-config.symlink = "stockholm/mv/1systems/${name}/config.nix";
+      nixpkgs.git = {
+        # nixos-17.03
+        ref = mkDefault "94941cb0455bfc50b1bf63186cfad7136d629f78";
+        url = https://github.com/NixOS/nixpkgs;
+      };
+      secrets.file = getAttr builder {
+        buildbot = toString <stockholm/mv/dummy_secrets>;
+        mv = "/home/mv/secrets/${name}";
+      };
+      stockholm.file = toString <stockholm>;
+    }
+    override
+  ] |
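Review bot: `mv = "/home/mv/secrets/${name}";` hard-codes the home directory, while the `source` block this commit removes from `mv/1systems/stro.nix` derived the secrets path from `getEnv "HOME"`; evaluating the new file from any other account now points at a directory that account cannot read. Either restore the old behaviour with `mv = "${getEnv "HOME"}/secrets/${name}";` or state the constraint next to it, `# real secrets are only available when building as user mv`. The `dummy_secrets` switch is worth a one-line comment too, e.g. `# dummy_secrets=true selects the buildbot (dummy) secret tree; anything else means real secrets`, since an unset variable silently selects the real tree. Pinning `nixpkgs.git.ref` to a commit behind `mkDefault` is good for reproducibility; the `# nixos-17.03` comment would be clearer as `# commit on nixos-17.03`.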
