From 3b2cb2a3f73ad58c489ae854f829d5a4bf723e17 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 15 Apr 2016 14:39:03 +0200 Subject: l 2: base.nix -> default.nix --- lass/1systems/cloudkrebs.nix | 2 +- lass/1systems/dishfire.nix | 2 +- lass/1systems/echelon.nix | 2 +- lass/1systems/prism.nix | 2 +- lass/2configs/base.nix | 200 ------------------------------------------- lass/2configs/baseX.nix | 2 +- lass/2configs/default.nix | 200 +++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 205 insertions(+), 205 deletions(-) delete mode 100644 lass/2configs/base.nix create mode 100644 lass/2configs/default.nix diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 82c172050..1bfb11502 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix @@ -8,7 +8,7 @@ in { imports = [ ../. ../2configs/os-templates/CAC-CentOS-7-64bit.nix - ../2configs/base.nix + ../2configs/default.nix ../2configs/exim-retiolum.nix ../2configs/retiolum.nix ../2configs/git.nix diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index 4e3b84bd0..dd1d1e541 100644 --- a/lass/1systems/dishfire.nix +++ b/lass/1systems/dishfire.nix @@ -4,7 +4,7 @@ imports = [ ../. - ../2configs/base.nix + ../2configs/default.nix ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/websites/fritz.nix diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index e2fa1c5f4..97734a7bd 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix @@ -8,7 +8,7 @@ in { imports = [ ../. ../2configs/os-templates/CAC-CentOS-7-64bit.nix - ../2configs/base.nix + ../2configs/default.nix ../2configs/exim-retiolum.nix ../2configs/retiolum.nix ../2configs/realwallpaper-server.nix diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index e1743c997..6b674a10f 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -5,7 +5,7 @@ let in { imports = [ ../. - ../2configs/base.nix + ../2configs/default.nix ../2configs/exim-smarthost.nix ../2configs/downloading.nix ../2configs/git.nix diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix deleted file mode 100644 index 8c6078ba5..000000000 --- a/lass/2configs/base.nix +++ /dev/null @@ -1,200 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; -{ - imports = [ - ../2configs/vim.nix - ../2configs/zsh.nix - ../2configs/mc.nix - ../2configs/retiolum.nix - ./backups.nix - { - users.extraUsers = - mapAttrs (_: h: { hashedPassword = h; }) - (import ); - } - { - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - config.krebs.users.lass-uriel.pubkey - ]; - }; - mainUser = { - name = "lass"; - uid = 1337; - home = "/home/lass"; - group = "users"; - createHome = true; - useDefaultShell = true; - extraGroups = [ - ]; - openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - config.krebs.users.lass-uriel.pubkey - ]; - }; - }; - } - ]; - - networking.hostName = config.krebs.build.host.name; - nix.maxJobs = config.krebs.build.host.cores; - - krebs = { - enable = true; - search-domain = "retiolum"; - build = { - user = config.krebs.users.lass; - source = mapAttrs (_: mkDefault) ({ - nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix"; - secrets = "/home/lass/secrets/${config.krebs.build.host.name}"; - #secrets-common = "/home/lass/secrets/common"; - stockholm = "/home/lass/stockholm"; - nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819"; - dev = "/home/lass/src/nixpkgs"; - }; - } // optionalAttrs config.krebs.build.host.secure { - #secrets-master = "/home/lass/secrets/master"; - }); - }; - }; - - nix.useChroot = true; - - users.mutableUsers = false; - - services.timesyncd.enable = true; - - #why is this on in the first place? - services.nscd.enable = false; - - boot.tmpOnTmpfs = true; - # see tmpfiles.d(5) - systemd.tmpfiles.rules = [ - "d /tmp 1777 root root - -" - ]; - - # multiple-definition-problem when defining environment.variables.EDITOR - environment.extraInit = '' - EDITOR=vim - MANPAGER=most - ''; - - nixpkgs.config.allowUnfree = true; - - environment.systemPackages = with pkgs; [ - #stockholm - git - gnumake - jq - parallel - proot - - #style - most - rxvt_unicode.terminfo - - #monitoring tools - htop - iotop - - #network - iptables - - #stuff for dl - aria2 - - #neat utils - krebspaste - - #unpack stuff - p7zip - unzip - unrar - ]; - - programs.bash = { - enableCompletion = true; - interactiveShellInit = '' - HISTCONTROL='erasedups:ignorespace' - HISTSIZE=65536 - HISTFILESIZE=$HISTSIZE - - shopt -s checkhash - shopt -s histappend histreedit histverify - shopt -s no_empty_cmd_completion - complete -d cd - - #fancy colors - if [ -e ~/LS_COLORS ]; then - eval $(dircolors ~/LS_COLORS) - fi - - if [ -e /etc/nixos/dotfiles/link ]; then - /etc/nixos/dotfiles/link - fi - ''; - promptInit = '' - if test $UID = 0; then - PS1='\[\033[1;31m\]\w\[\033[0m\] ' - elif test $UID = 1337; then - PS1='\[\033[1;32m\]\w\[\033[0m\] ' - else - PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' - fi - if test -n "$SSH_CLIENT"; then - PS1='\[\033[35m\]\h'" $PS1" - fi - ''; - }; - - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - }; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - krebs.iptables = { - enable = true; - tables = { - nat.PREROUTING.rules = [ - { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } - { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } - ]; - nat.OUTPUT.rules = [ - { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } - ]; - filter.INPUT.policy = "DROP"; - filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } - { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } - { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - { predicate = "-i retiolum"; target = "REJECT"; precedence = -10000; } - ]; - }; - }; - - networking.dhcpcd.extraConfig = '' - noipv4ll - ''; - - #CVE-2016-0777 and CVE-2016-0778 workaround - #https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt - programs.ssh.extraConfig = '' - UseRoaming no - ''; - -} diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 6c52240af..1e28fdccc 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -4,7 +4,7 @@ let mainUser = config.users.extraUsers.mainUser; in { imports = [ - ./base.nix + ./default.nix #./urxvt.nix ./xserver ]; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix new file mode 100644 index 000000000..8c6078ba5 --- /dev/null +++ b/lass/2configs/default.nix @@ -0,0 +1,200 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +{ + imports = [ + ../2configs/vim.nix + ../2configs/zsh.nix + ../2configs/mc.nix + ../2configs/retiolum.nix + ./backups.nix + { + users.extraUsers = + mapAttrs (_: h: { hashedPassword = h; }) + (import ); + } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + config.krebs.users.lass-uriel.pubkey + ]; + }; + mainUser = { + name = "lass"; + uid = 1337; + home = "/home/lass"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + ]; + openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + config.krebs.users.lass-uriel.pubkey + ]; + }; + }; + } + ]; + + networking.hostName = config.krebs.build.host.name; + nix.maxJobs = config.krebs.build.host.cores; + + krebs = { + enable = true; + search-domain = "retiolum"; + build = { + user = config.krebs.users.lass; + source = mapAttrs (_: mkDefault) ({ + nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix"; + secrets = "/home/lass/secrets/${config.krebs.build.host.name}"; + #secrets-common = "/home/lass/secrets/common"; + stockholm = "/home/lass/stockholm"; + nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819"; + dev = "/home/lass/src/nixpkgs"; + }; + } // optionalAttrs config.krebs.build.host.secure { + #secrets-master = "/home/lass/secrets/master"; + }); + }; + }; + + nix.useChroot = true; + + users.mutableUsers = false; + + services.timesyncd.enable = true; + + #why is this on in the first place? + services.nscd.enable = false; + + boot.tmpOnTmpfs = true; + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + MANPAGER=most + ''; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + #stockholm + git + gnumake + jq + parallel + proot + + #style + most + rxvt_unicode.terminfo + + #monitoring tools + htop + iotop + + #network + iptables + + #stuff for dl + aria2 + + #neat utils + krebspaste + + #unpack stuff + p7zip + unzip + unrar + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + #fancy colors + if [ -e ~/LS_COLORS ]; then + eval $(dircolors ~/LS_COLORS) + fi + + if [ -e /etc/nixos/dotfiles/link ]; then + /etc/nixos/dotfiles/link + fi + ''; + promptInit = '' + if test $UID = 0; then + PS1='\[\033[1;31m\]\w\[\033[0m\] ' + elif test $UID = 1337; then + PS1='\[\033[1;32m\]\w\[\033[0m\] ' + else + PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' + fi + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + krebs.iptables = { + enable = true; + tables = { + nat.PREROUTING.rules = [ + { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } + { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } + ]; + nat.OUTPUT.rules = [ + { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } + ]; + filter.INPUT.policy = "DROP"; + filter.FORWARD.policy = "DROP"; + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } + { predicate = "-i retiolum"; target = "REJECT"; precedence = -10000; } + ]; + }; + }; + + networking.dhcpcd.extraConfig = '' + noipv4ll + ''; + + #CVE-2016-0777 and CVE-2016-0778 workaround + #https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt + programs.ssh.extraConfig = '' + UseRoaming no + ''; + +} -- cgit v1.2.3