Diffstat (limited to 'lass')
| -rw-r--r-- | lass/1systems/echelon/config.nix | 11 | ||||
| -rw-r--r-- | lass/1systems/mors/config.nix | 11 | ||||
| -rw-r--r-- | lass/1systems/prism/config.nix | 43 | ||||
| -rw-r--r-- | lass/2configs/downloading.nix | 1 | ||||
| -rw-r--r-- | lass/2configs/git.nix | 14 | ||||
| -rw-r--r-- | lass/2configs/makefu-sip.nix | 21 | ||||
| -rw-r--r-- | lass/2configs/otp-ssh.nix | 18 | ||||
| -rw-r--r-- | lass/2configs/websites/domsen.nix | 10 | ||||
| -rw-r--r-- | lass/2configs/wine.nix | 3 | ||||
| -rw-r--r-- | lass/source.nix | 2 | 
10 files changed, 69 insertions, 65 deletions
diff --git a/lass/1systems/echelon/config.nix b/lass/1systems/echelon/config.nix
index f064a4788..77958267d 100644
--- a/lass/1systems/echelon/config.nix
+++ b/lass/1systems/echelon/config.nix
@@ -32,17 +32,6 @@ in {
       sound.enable = false;
     }
     {
-      lass.dnsmasq = {
-        enable = true;
-        config = ''
-          interface=retiolum
-        '';
-      };
-      krebs.iptables.tables.filter.INPUT.rules = [
-        { predicate = "-i retiolum -p udp --dport 53"; target = "ACCEPT"; }
-      ];
-    }
-    {
       users.extraUsers = {
         satan = {
           name = "satan";
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 45b3f740f..29dacf8dc 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -24,6 +24,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/ircd.nix>
     <stockholm/lass/2configs/logf.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/otp-ssh.nix>
     {
       #risk of rain port
       krebs.iptables.tables.filter.INPUT.rules = [
@@ -110,11 +111,11 @@ with import <stockholm/lib>;
     "/boot" = {
       device = "/dev/sda2";
     };
-    #"/bku" = {
-    #  device = "/dev/mapper/pool-bku";
-    #  fsType = "btrfs";
-    #  options = ["defaults" "noatime" "ssd" "compress=lzo"];
-    #};
+    "/bku" = {
+      device = "/dev/mapper/pool-bku";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
     "/home" = {
       device = "/dev/mapper/pool-home";
       fsType = "btrfs";
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 9faa4d473..6c1453c94 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -36,7 +36,6 @@ in {
     <stockholm/lass/2configs/iodined.nix>
     <stockholm/lass/2configs/libvirt.nix>
     <stockholm/lass/2configs/hfos.nix>
-    <stockholm/lass/2configs/makefu-sip.nix>
     <stockholm/lass/2configs/monitoring/server.nix>
     <stockholm/lass/2configs/monitoring/monit-alarms.nix>
     <stockholm/lass/2configs/paste.nix>
@@ -213,6 +212,26 @@ in {
           config.krebs.users.tv.pubkey
         ];
       };
+      users.users.makefu = {
+        uid = genid "makefu";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.makefu.pubkey
+        ];
+      };
+      users.users.nin = {
+        uid = genid "nin";
+        inherit (config.krebs.users.nin) home;
+        group = "users";
+        createHome = true;
+        useDefaultShell = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.nin.pubkey
+        ];
+        extraGroups = [
+          "libvirtd"
+        ];
+      };
     }
     {
       krebs.repo-sync.timerConfig = {
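Review bot: The re-added `users.users.makefu` block in the second hunk (prism @@ -213) drops the `extraGroups = [ "libvirtd" ]` that the deleted lass/2configs/makefu-sip.nix gave that user, so makefu loses libvirt access on prism while nin keeps it; if that is intended as least privilege, a one-line comment such as `# no libvirtd: makefu's VM forwarding went away together with makefu-sip.nix` would stop the next reader from restoring it. The DNAT/FORWARD rules for 192.168.122.136:22 disappear with that file as well, which looks deliberate but is not recorded anywhere in the commit. The two user definitions now sit side by side yet are written differently — makefu via `isNormalUser = true`, nin via explicit `group`/`createHome`/`useDefaultShell` — and could be made uniform. The enclosing module list starts and ends outside the hunk.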
@@ -236,28 +255,6 @@ in {
       };
     }
     {
-      # Nin stuff
-      users.users.nin = {
-        uid = genid "nin";
-        inherit (config.krebs.users.nin) home;
-        group = "users";
-        createHome = true;
-        useDefaultShell = true;
-        openssh.authorizedKeys.keys = [
-          config.krebs.users.nin.pubkey
-        ];
-        extraGroups = [
-          "libvirtd"
-        ];
-      };
-      krebs.iptables.tables.nat.PREROUTING.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 213.239.205.240 -p tcp --dport 1337"; target = "DNAT --to-destination 192.168.122.24:22"; }
-      ];
-      krebs.iptables.tables.filter.FORWARD.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
-      ];
-    }
-    {
       krebs.Reaktor.prism = {
         nickname = "Reaktor|lass";
         channels = [ "#retiolum" ];
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index d32262810..9582413ed 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -17,6 +17,7 @@ with import <stockholm/lib>;
         lass-shodan.pubkey
         lass-icarus.pubkey
         makefu.pubkey
+        wine-mors.pubkey
       ];
     };
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 4137c482e..a66d08927 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -49,6 +49,7 @@ let
     {
       brain = {
         collaborators = with config.krebs.users; [ tv makefu ];
+        announce = true;
       };
     } //
     import <secrets/repos.nix> { inherit config lib pkgs; }
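Review bot: `wine-mors.pubkey` is added to the authorized keys of this host's download account (lass/2configs/downloading.nix @@ -17); the name suggests it is the key of the sandboxed per-user `wine` account on mors (compare the wine.nix hunk in this commit), in which case anything executed under Wine there gains ssh access to this account here. If that is the intent, a short comment beside the key, e.g. `# wine-mors: key of the wine sandbox user on mors, granted on purpose`, records the trust decision; otherwise the primary user's key is the safer choice. Whether `wine-mors` really is that account is not visible in the hunk. The enclosing key list starts outside the hunk.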
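Review bot: `announce = true` on the `brain` repo (lass/2configs/git.nix @@ -49) switches on the irc-announce post-receive hook that the make-restricted-repo hunk (@@ -75) introduces, so a `public = false` repo now posts to `#retiolum` on `ni.r` with `verbose = true`; whatever irc-announce emits in verbose mode (presumably at least branch, author and commit information) becomes visible to every channel member although the repo itself is limited to its collaborators. Consider `verbose = false` for restricted repos, or a comment that records the accepted exposure, e.g. `# announce: posts commit metadata of this restricted repo to #retiolum`. The surrounding `let` binding starts and ends outside the hunk.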
@@ -75,9 +76,20 @@ let
     public = true;
   };
-  make-restricted-repo = name: { collaborators ? [], ... }: {
+  make-restricted-repo = name: { collaborators ? [], announce ? false, ... }: {
     inherit collaborators name;
     public = false;
+    hooks = optionalAttrs announce {
+      post-receive = pkgs.git-hooks.irc-announce {
+        # TODO make nick = config.krebs.build.host.name the default
+        nick = config.krebs.build.host.name;
+        channel = "#retiolum";
+        server = "ni.r";
+        verbose = true;
+        # TODO define branches in some kind of option per repo
+        branches = [ "master" "staging*" ];
+      };
+    };
   };
   make-rules =
diff --git a/lass/2configs/makefu-sip.nix b/lass/2configs/makefu-sip.nix
deleted file mode 100644
index 9d2e9b696..000000000
--- a/lass/2configs/makefu-sip.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-{
-  users.users.makefu = {
-    uid = genid "makefu";
-    isNormalUser = true;
-    extraGroups = [ "libvirtd" ];
-    openssh.authorizedKeys.keys = [
-      config.krebs.users.makefu.pubkey
-    ];
-  };
-
-  krebs.iptables.tables.nat.PREROUTING.rules = [
-    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 10022"; target = "DNAT --to-destination 192.168.122.136:22"; }
-  ];
-
-  krebs.iptables.tables.filter.FORWARD.rules = [
-    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.136 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
-  ];
-}
diff --git a/lass/2configs/otp-ssh.nix b/lass/2configs/otp-ssh.nix
new file mode 100644
index 000000000..f9984e245
--- /dev/null
+++ b/lass/2configs/otp-ssh.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+#  gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+  security.pam.oath = {
+    # enabling it will make it a requisite of `all` services
+    # enable = true;
+    digits = 6;
+    # TODO assert existing
+    usersFile = (toString <secrets>) + "/users.oath";
+  };
+  # I want TFA only active for sshd with password-auth
+  security.pam.services.sshd.oathAuth = true;
+}
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 3bc5570c4..3e1ad6638 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -25,9 +25,15 @@ in {
   imports = [
     ./sqlBackup.nix
     (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
-    (servePage [ "karlaskop.de" ])
+    (servePage [
+      "karlaskop.de"
+      "www.karlaskop.de"
+    ])
     (servePage [ "makeup.apanowicz.de" ])
-    (servePage [ "pixelpocket.de" ])
+    (servePage [
+      "pixelpocket.de"
+      "www.pixelpocket.de"
+    ])
     (servePage [
       "habsys.de"
       "habsys.eu"
diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix
index d4a91e645..2444d32d3 100644
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@@ -5,7 +5,8 @@ let
 in {
   krebs.per-user.wine.packages = with pkgs; [
-    wineUnstable
+    wineFull
+    #(wineFull.override { wineBuild = "wine64"; })
   ];
   users.users= {
     wine = {
diff --git a/lass/source.nix b/lass/source.nix
index 836460d07..63adbd95c 100644
--- a/lass/source.nix
+++ b/lass/source.nix
@@ -19,6 +19,6 @@ in
       #   87a4615 & 334ac4f
       # + acme permissions for groups
       #   fd7a8f1
-      ref = "67956cc";
+      ref = "d486531";
     };
   }
|
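Review bot: The comment `# I want TFA only active for sshd with password-auth` overstates what `security.pam.services.sshd.oathAuth = true` does: as far as I recall the NixOS module inserts `pam_oath.so` as a requisite auth line into sshd's whole PAM stack, so keyboard-interactive logins are covered as well as password ones, while public-key logins never reach PAM's auth stack — `# applies to every PAM-backed sshd auth method; pubkey logins bypass it` would be accurate. The `# TODO assert existing` marks the real gap: on a host that imports this (mors, per the earlier hunk) a missing or unreadable `<secrets>/users.oath` will presumably make that requisite line fail closed and refuse every PAM-based ssh login with no obvious error. An `assertions` entry built on `builtins.pathExists` only helps when `<secrets>` resolves on the evaluating machine, so a comment stating the fail-closed behaviour is worth adding either way. `pkgs` in the module arguments is unused.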
