From 55df7c1df55aaa8dc3f48ae83dbd87ce4d3057ba Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 22 Mar 2016 17:40:59 +0100 Subject: l 1 mors: remove broken pythonenv container --- lass/2configs/base.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs') diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 8017d4270..a50df128e 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -88,6 +88,7 @@ with config.krebs.lib; environment.systemPackages = with pkgs; [ #stockholm git + gnumake jq parallel proot -- cgit v1.2.3 From 780ba9bd1197191d9a6a9bf156683fafaac385b7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 23 Mar 2016 13:44:21 +0100 Subject: l 2 base: fix hashedPasswords path --- lass/2configs/base.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index a50df128e..30ab90997 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -10,7 +10,7 @@ with config.krebs.lib; { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) - (import /root/secrets/hashedPasswords.nix); + (import ); } { users.extraUsers = { -- cgit v1.2.3 From e7c6d97f7cfd743f1dc6ad5cf4883daebc20d5ca Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 23 Mar 2016 13:44:41 +0100 Subject: l 2 downloading: add uriel to authorized_keys --- lass/2configs/downloading.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs') diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix index 115cb8b61..ccd751413 100644 --- a/lass/2configs/downloading.nix +++ b/lass/2configs/downloading.nix @@ -20,6 +20,7 @@ in { ]; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey + config.krebs.users.lass-uriel.pubkey ]; }; -- cgit v1.2.3 From 18d0cc3048243d15cf6108ccd05d62390ecf5503 Mon Sep 17 00:00:00 2001 
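Review bot: In the base.nix `users.extraUsers` hunk the added line reads `(import );` with no argument, which cannot evaluate as shown; most likely an angle-bracket search path was stripped when the page was rendered, but that should be confirmed against the repository. Replacing the absolute `/root/secrets/hashedPasswords.nix` with a search path is an improvement, since the hashes then come from whichever secrets source the host is built with (presumably the `secrets` entry under `krebs.build.source`). A short comment on the new line, e.g. `# password hashes resolve via the per-host secrets source, never from a fixed path`, would save the next reader the lookup. The `imports` list this block sits in starts and ends outside the hunk.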
From: lassulus Date: Wed, 23 Mar 2016 13:45:06 +0100 Subject: l 2 websites domsen: add domsen user --- lass/2configs/websites/domsen.nix | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 109c216c0..895146d25 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -1,6 +1,8 @@ { config, pkgs, ... }: -{ +let + inherit (config.krebs.lib) genid; +in { imports = [ ../../3modules/static_nginx.nix ../../3modules/owncloud_nginx.nix @@ -26,6 +28,15 @@ rootPassword = toString (); }; + users.users.domsen = { + uid = genid "domsen"; + description = "maintenance acc for domsen"; + home = "/home/domsen"; + useDefaultShell = true; + extraGroups = [ "nginx" ]; + createHome = true; + }; + #lass.wordpress = { # "ubikmedia.de" = { # }; -- cgit v1.2.3 From 5268f22ee99672a2185b959231208a23fd24f073 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 00:43:33 +0200 Subject: l 2 fastpoke-pages: remove file --- lass/2configs/fastpoke-pages.nix | 101 --------------------------------------- 1 file changed, 101 deletions(-) delete mode 100644 lass/2configs/fastpoke-pages.nix (limited to 'lass/2configs') diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix deleted file mode 100644 index bf6ea8952..000000000 --- a/lass/2configs/fastpoke-pages.nix +++ /dev/null 
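Review bot: The new `users.users.domsen` account in domsen.nix defines neither `hashedPassword` nor `openssh.authorizedKeys`, and base.nix sets `users.mutableUsers = false`, so unless credentials come from another module the account cannot be logged into at all; if it is meant as a placeholder, say so in a comment. `extraGroups = [ "nginx" ]` gives the account whatever the web server's group can read or write under the served roots, which is reasonable for a maintenance login but deserves a why-comment such as `# maintenance login for the site owner; nginx group so it can edit the web roots served here`. `uid = genid "domsen"` presumably derives a stable uid from the name — worth confirming it cannot collide with the other `genid` users on this host.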
@@ -1,101 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; - -let - createStaticPage = domain: - { - krebs.nginx.servers."${domain}" = { - server-names = [ - "${domain}" - "www.${domain}" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/${domain}; - '') - ]; - }; - #networking.extraHosts = '' - # 10.243.206.102 ${domain} - #''; - users.extraUsers = { - ${domain} = { - name = domain; - home = "/var/lib/http/${domain}"; - createHome = true; - }; - }; - }; - -in { - imports = map createStaticPage [ - "habsys.de" - "pixelpocket.de" - "karlaskop.de" - "ubikmedia.de" - "apanowicz.de" - ]; - - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport http"; target = "ACCEPT"; } - ]; - }; - }; - - - krebs.nginx = { - enable = true; - servers = { - #"habsys.de" = { - # server-names = [ - # "habsys.de" - # "www.habsys.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/habsys.de; - # '') - # ]; - #}; - - #"karlaskop.de" = { - # server-names = [ - # "karlaskop.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - #"pixelpocket.de" = { - # server-names = [ - # "pixelpocket.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - }; - }; - - #services.postgresql = { - # enable = true; - #}; - - #config.services.vsftpd = { - # enable = true; - # userlistEnable = true; - # userlistFile = pkgs.writeFile "vsftpd-userlist" '' - # ''; - #}; -} -- cgit v1.2.3 From 76be13147a300e9449ab826e009f4c61b9330b60 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:14:43 +0200 Subject: l 2 base: nixpkgs rev 40c586b -> e781a82 --- lass/2configs/base.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 30ab90997..77646a03e 100644 
--- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -55,7 +55,7 @@ with config.krebs.lib; stockholm = "/home/lass/stockholm"; nixpkgs = { url = https://github.com/NixOS/nixpkgs; - rev = "40c586b7ce2c559374df435f46d673baf711c543"; + rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819"; dev = "/home/lass/src/nixpkgs"; }; } // optionalAttrs config.krebs.build.host.secure { -- cgit v1.2.3 From c9529ca1e781f023c1280dd96cb589a2c198177a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:16:21 +0200 Subject: l 2 base: add unpackers to pkgs --- lass/2configs/base.nix | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 77646a03e..88bb3ff60 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -85,6 +85,8 @@ with config.krebs.lib; MANPAGER=most ''; + nixpkgs.config.allowUnfree = true; + environment.systemPackages = with pkgs; [ #stockholm git @@ -109,6 +111,11 @@ with config.krebs.lib; #neat utils krebspaste + + #unpack stuff + p7zip + unzip + unrar ]; programs.bash = { -- cgit v1.2.3 From d5ccc03a5cc8d30443d81ff4aba7a613c198d268 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:16:47 +0200 Subject: l 2 games: add user to loot group --- lass/2configs/games.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 6043a8759..0eec97922 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -13,7 +13,7 @@ in { name = "games"; description = "user playing games"; home = "/home/games"; - extraGroups = [ "audio" "video" "input" ]; + extraGroups = [ "audio" "video" "input" "loot" ]; createHome = true; useDefaultShell = true; }; -- cgit v1.2.3 From 9113a203848d9ceab57fd9c1e891066f96443e6e Mon Sep 17 00:00:00 2001 
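Review bot: `nixpkgs.config.allowUnfree = true;` in the first base.nix hunk of this commit disables the unfree check for every package on every host importing this file, while the only unfree package the second hunk adds is `unrar`. Scoping the exception to that package keeps the global policy intact: `nixpkgs.config.allowUnfreePredicate = pkg: (builtins.parseDrvName pkg.name).name == "unrar";`. A note next to the package list, `# unrar is unfree; see allowUnfreePredicate above`, ties the two together so nobody removes one without the other. The `environment.systemPackages` list starts and ends outside the hunk.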
From: lassulus Date: Sat, 9 Apr 2016 14:17:09 +0200 Subject: l 2 newsbot-js: remove times feed --- lass/2configs/newsbot-js.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/newsbot-js.nix b/lass/2configs/newsbot-js.nix index d7c68bd7d..636b44395 100644 --- a/lass/2configs/newsbot-js.nix +++ b/lass/2configs/newsbot-js.nix @@ -154,7 +154,6 @@ let telepolis|http://www.heise.de/tp/rss/news-atom.xml|#news the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#news tigsource|http://www.tigsource.com/feed/|#news - times|http://www.thetimes.co.uk/tto/news/rss|#news tinc|http://tinc-vpn.org/news/index.rss|#news topix_b|http://www.topix.com/rss/wire/de/berlin|#news torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#news -- cgit v1.2.3 From e907a52246bd206eddd2a48c92f63215ff37a53a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:17:30 +0200 Subject: l 2 pass: remove obsolete startGnuPGAgent --- lass/2configs/pass.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix index 33eca0a17..610887621 100644 --- a/lass/2configs/pass.nix +++ b/lass/2configs/pass.nix @@ -6,5 +6,4 @@ gnupg1 ]; - services.xserver.startGnuPGAgent = true; } -- cgit v1.2.3 From 7af3dfe9bf367f02619881c47060b4645d12f71e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:21:39 +0200 Subject: l 2 websites: use helper functions --- lass/2configs/websites/domsen.nix | 38 ++++++++++++--------- lass/2configs/websites/fritz.nix | 48 ++++++++++++++++++--------- lass/2configs/websites/wohnprojekt-rhh.de.nix | 20 +++++++---- 3 files changed, 67 insertions(+), 39 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 895146d25..173e87864 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
@@ -1,26 +1,32 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: let inherit (config.krebs.lib) genid; + inherit (import ../../4lib { inherit lib pkgs; }) + manageCert + activateACME + ssl + servePage + serveOwncloud; + in { imports = [ - ../../3modules/static_nginx.nix - ../../3modules/owncloud_nginx.nix - ../../3modules/wordpress_nginx.nix - ]; + ( ssl "reich-gebaeudereinigung.de" ) + ( servePage "reich-gebaeudereinigung.de" ) - lass.staticPage = { - "karlaskop.de" = {}; - "makeup.apanowicz.de" = {}; - "pixelpocket.de" = {}; - "reich-gebaeudereinigung.de" = {}; - }; + ( servePage "karlaskop.de" ) + ( manageCert "karlaskop.de" ) - lass.owncloud = { - "o.ubikmedia.de" = { - instanceid = "oc8n8ddbftgh"; - }; - }; + ( servePage "makeup.apanowicz.de" ) + ( manageCert "makeup.apanowicz.de" ) + + ( servePage "pixelpocket.de" ) + ( manageCert "pixelpocket.de" ) + + ( ssl "o.ubikmedia.de" ) + ( serveOwncloud "o.ubikmedia.de" ) + + ]; services.mysql = { enable = true; diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 073f3de14..16a240d7c 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix 
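Review bot: The new `inherit (import ../../4lib { inherit lib pkgs; })` block in domsen.nix pulls in `activateACME`, which nothing in the file uses, and the fritz.nix and wohnprojekt-rhh.de.nix hunks of this commit do the same (`activateACME` and `serveOwncloud` unused in fritz.nix; `manageCert`, `activateACME` and `serveOwncloud` unused in wohnprojekt-rhh.de.nix). Trimming each inherit to the helpers actually called makes it obvious which certificate path a host relies on. What distinguishes `ssl` from `manageCert` is not visible at the call sites — reich-gebaeudereinigung.de and o.ubikmedia.de get `ssl`, the other domains `manageCert` — so a one-line comment above the imports stating which helper provisions a certificate and which only wires an existing one into nginx (whichever 4lib actually does) would prevent the wrong one being picked for the next domain.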
@@ -1,23 +1,39 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (import ../../4lib { inherit lib pkgs; }) + manageCert + activateACME + ssl + servePage + serveOwncloud; +in { imports = [ - ../../3modules/static_nginx.nix - ../../3modules/owncloud_nginx.nix - ../../3modules/wordpress_nginx.nix - ]; + ( manageCert "biostase.de" ) + ( servePage "biostase.de" ) + + ( manageCert "gs-maubach.de" ) + ( servePage "gs-maubach.de" ) + + ( manageCert "spielwaren-kern.de" ) + ( servePage "spielwaren-kern.de" ) + + ( manageCert "societyofsimtech.de" ) + ( servePage "societyofsimtech.de" ) - lass.staticPage = { - "biostase.de" = {}; - "gs-maubach.de" = {}; - "spielwaren-kern.de" = {}; - "societyofsimtech.de" = {}; - "ttf-kleinaspach.de" = {}; - "edsn.de" = {}; - "eab.berkeley.edu" = {}; - "habsys.de" = {}; - }; + ( manageCert "ttf-kleinaspach.de" ) + ( servePage "ttf-kleinaspach.de" ) + + ( manageCert "edsn.de" ) + ( servePage "edsn.de" ) + + ( manageCert "eab.berkeley.edu" ) + ( servePage "eab.berkeley.edu" ) + + ( manageCert "habsys.de" ) + ( servePage "habsys.de" ) + ]; #lass.owncloud = { # "o.ubikmedia.de" = { diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix index ac784d4c7..4e3eb071a 100644 --- a/lass/2configs/websites/wohnprojekt-rhh.de.nix +++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix @@ -1,14 +1,20 @@ -{ config, ... }: +{ config, pkgs, lib, ... }: -{ +let + inherit (config.krebs.lib) genid; + inherit (import ../../4lib { inherit lib pkgs; }) + manageCert + activateACME + ssl + servePage + serveOwncloud; + +in { imports = [ - ../../3modules/static_nginx.nix + ( ssl "wohnprojekt-rhh.de" ) + ( servePage "wohnprojekt-rhh.de" ) ]; - lass.staticPage = { - "wohnprojekt-rhh.de" = {}; - }; - users.users.laura = { home = "/srv/http/wohnprojekt-rhh.de"; createHome = true; -- cgit v1.2.3 From a638c4eecd55420e3a579763561e4cfa672d1cd5 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Mon, 11 Apr 2016 16:50:22 +0200 Subject: l 2 websites domsen: serve wordpress --- lass/2configs/websites/domsen.nix | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 173e87864..b02f31629 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -4,28 +4,32 @@ let inherit (config.krebs.lib) genid; inherit (import ../../4lib { inherit lib pkgs; }) manageCert + manageCerts activateACME ssl servePage - serveOwncloud; + serveOwncloud + serveWordpress; in { imports = [ ( ssl "reich-gebaeudereinigung.de" ) ( servePage "reich-gebaeudereinigung.de" ) - ( servePage "karlaskop.de" ) ( manageCert "karlaskop.de" ) + ( servePage "karlaskop.de" ) - ( servePage "makeup.apanowicz.de" ) ( manageCert "makeup.apanowicz.de" ) + ( servePage "makeup.apanowicz.de" ) - ( servePage "pixelpocket.de" ) ( manageCert "pixelpocket.de" ) + ( servePage "pixelpocket.de" ) ( ssl "o.ubikmedia.de" ) ( serveOwncloud "o.ubikmedia.de" ) + ( manageCerts [ "ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] ) + ( serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] ) ]; services.mysql = { -- cgit v1.2.3 From 72e46878ea759f8909c90d2f5f293bfb8f3a6104 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:50:49 +0200 Subject: l 2 websites: activate sqlBackups --- lass/2configs/websites/domsen.nix | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index b02f31629..cbda7b99e 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix 
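Review bot: `serveWordpress` in the domsen.nix hunk is handed `"*.ubikmedia.de"`, but the `manageCerts` list beside it names only the bare `ubikmedia.de` and the other apex domains, so any subdomain the wildcard vhost answers for has no matching certificate name if the site is served over TLS. Either list the subdomains actually in use under `manageCerts` or drop the wildcard, and record the decision inline, e.g. `# wildcard vhost: every subdomain in use must also appear in manageCerts`. Whether `manageCerts` issues certificates or only references existing ones is not visible here, so confirm against 4lib.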
@@ -38,6 +38,15 @@ in { rootPassword = toString (); }; + services.mysqlBackup = { + enable = true; + databases = [ + "ubikmedia_de" + "o_ubikmedia_de" + ]; + location = "/bku/sql_dumps"; + }; + users.users.domsen = { uid = genid "domsen"; description = "maintenance acc for domsen"; -- cgit v1.2.3 From 2723a1fcd85ccaf9fea6faa6ec51358f706b8883 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:51:12 +0200 Subject: l 2 websites domsen: add apcu to phpfpm --- lass/2configs/websites/domsen.nix | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index cbda7b99e..1b62bd977 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -56,10 +56,13 @@ in { createHome = true; }; - #lass.wordpress = { - # "ubikmedia.de" = { - # }; - #}; - + services.phpfpm.phpIni = pkgs.runCommand "php.ini" { + options = '' + extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so + ''; + } '' + cat ${pkgs.php}/etc/php-recommended.ini > $out + echo "$options" >> $out + ''; } -- cgit v1.2.3 From 4bd4e58baa56635f08661a7a5c1dfe9f59a719a7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:51:49 +0200 Subject: l 2: add backups.nix --- lass/2configs/backups.nix | 63 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 lass/2configs/backups.nix (limited to 'lass/2configs') diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix new file mode 100644 index 000000000..c3275aece --- /dev/null +++ b/lass/2configs/backups.nix 
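Review bot: The new `services.mysqlBackup` block in domsen.nix dumps `ubikmedia_de` and `o_ubikmedia_de` — presumably the WordPress and ownCloud databases served from this file, i.e. user records and password hashes — into `/bku/sql_dumps`, and nothing in the hunk says who may read that directory. Confirm that the module creates the location with a restrictive mode under a dedicated user, and state it: `# dumps hold the full site databases; /bku/sql_dumps must stay readable by the backup user only`. The enclosing module body starts and ends outside the hunk.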
@@ -0,0 +1,63 @@ +{ config, lib, ... }: +with config.krebs.lib; +{ + + krebs.backup.plans = { + } // mapAttrs (_: recursiveUpdate { + snapshots = { + daily = { format = "%Y-%m-%d"; retain = 7; }; + weekly = { format = "%YW%W"; retain = 4; }; + monthly = { format = "%Y-%m"; retain = 12; }; + yearly = { format = "%Y"; }; + }; + }) { + prism-chat-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; }; + startAt = "03:00"; + }; + prism-chat-mors = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; }; + startAt = "03:00"; + }; + mors-home-uriel = { + method = "push"; + src = { host = config.krebs.hosts.mors; path = "/home"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; }; + startAt = "04:00"; + }; + uriel-home-mors = { + method = "pull"; + src = { host = config.krebs.hosts.uriel; path = "/home"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; }; + startAt = "04:00"; + }; + prism-http-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; }; + startAt = "04:30"; + }; + prism-http-mors = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; }; + startAt = "04:30"; + }; + prism-sql-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; }; + startAt = "05:00"; + }; + prism-sql-mors = { + method = "pull"; + src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; }; + startAt = "05:00"; + }; + }; +} -- cgit 
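Review bot: Several plans in the new backups.nix start at the same minute against the same source — `prism-chat-uriel` and `prism-chat-mors` at "03:00", the two `prism-http-*` plans at "04:30", the two `prism-sql-*` plans at "05:00" — so two pulls hit the same path on prism concurrently; staggering them by a few minutes avoids that contention. `yearly = { format = "%Y"; }` is the only snapshot class without `retain`, which presumably means yearly snapshots are kept forever; make that explicit with a `retain` value or a comment. `mors-home-uriel` is the lone `push` plan among pulls, which inverts which host needs access to the other; a comment on why that pair differs helps whoever audits the backup credentials later.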
v1.2.3 From 84c7ba200a02dff803023388d54e2dea8e16ae2f Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:52:15 +0200 Subject: l 2 base: import backups.nix --- lass/2configs/base.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs') diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 88bb3ff60..ad5df26e8 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -7,6 +7,7 @@ with config.krebs.lib; ../2configs/zsh.nix ../2configs/mc.nix ../2configs/retiolum.nix + ./backups.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) -- cgit v1.2.3 From a1d80db7cc499bb9a850250357b0921fa61f5a59 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:09:56 +0200 Subject: l 2 base: remove helios from authorized_keys(root) --- lass/2configs/base.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/2configs') diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index ad5df26e8..d83e53772 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -19,7 +19,6 @@ with config.krebs.lib; openssh.authorizedKeys.keys = [ config.krebs.users.lass.pubkey config.krebs.users.lass-uriel.pubkey - config.krebs.users.lass-helios.pubkey ]; }; mainUser = { -- cgit v1.2.3 From be6bfb17365046486abdd3af01f05b0cb99331ea Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:11:31 +0200 Subject: l 2 base: redirect internet ssh port to 45621 --- lass/2configs/base.nix | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index d83e53772..4a4468300 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix 
@@ -173,6 +173,13 @@ with config.krebs.lib; krebs.iptables = { enable = true; tables = { + nat.PREROUTING.rules = [ + { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } + { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } + ]; + nat.OUTPUT.rules = [ + { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } + ]; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; filter.INPUT.rules = [ -- cgit v1.2.3 From 4f04085d5239e2c688a370706f9007edd0a0d5bb Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:16:17 +0200 Subject: l 2: add exim-retiolum.nix --- lass/2configs/exim-retiolum.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 lass/2configs/exim-retiolum.nix (limited to 'lass/2configs') diff --git a/lass/2configs/exim-retiolum.nix b/lass/2configs/exim-retiolum.nix new file mode 100644 index 000000000..ea2f553b8 --- /dev/null +++ b/lass/2configs/exim-retiolum.nix @@ -0,0 +1,14 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; + +{ + krebs.exim-retiolum.enable = true; + krebs.setuid.sendmail = { + filename = "${pkgs.exim}/bin/exim"; + mode = "4111"; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; } + ]; +} -- cgit v1.2.3 From 6da220c50848843a4d6e546a8639d0a573bf210b Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:16:40 +0200 Subject: l 2: add exim-smarthost configuration --- lass/2configs/exim-smarthost.nix | 49 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 lass/2configs/exim-smarthost.nix (limited to 'lass/2configs') diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix new file mode 100644 index 000000000..7f838a316 --- /dev/null +++ b/lass/2configs/exim-smarthost.nix 
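Review bot: In the base.nix `krebs.iptables` hunk the first `nat.PREROUTING` rule sends non-retiolum traffic for port 22 to `--to-ports 0`, a roundabout way of refusing it; a `DROP` or `REJECT` in `filter.INPUT` states the intent directly and lives in the table where people look for access policy. Because PREROUTING NAT runs before the filter INPUT chain, the `filter.INPUT.rules` further down (outside this hunk) must accept `--dport 22`, and that rule now also admits the 45621 traffic after redirection — a non-obvious coupling that deserves a comment such as `# internet ssh arrives on 45621 and is redirected to 22 before filter INPUT sees it`. Moving the port is obscurity rather than access control; the key-only root login configured above remains the real gate. The `tables` attribute set continues past the hunk.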
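Review bot: `krebs.setuid.sendmail` in the new exim-retiolum.nix installs exim as a setuid wrapper with `mode = "4111"`, and the exim-smarthost.nix added in the next commit defines the identical block; if the two files are never applied to the same host the duplication is harmless today, but the copies will drift — factor the wrapper into something both files import, or at least add `# keep in sync with exim-smarthost.nix`. The wrapper's owner is not set in the hunk, so it presumably defaults to root; naming that in a comment keeps the privilege boundary visible. Mode 4111 (setuid, execute-only, not readable) is the right shape for such a wrapper and worth keeping.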
@@ -0,0 +1,49 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; + +{ + krebs.exim-smarthost = { + enable = true; + #dkim = [ + # { domain = "lassul.us"; } + #]; + sender_domains = [ + "lassul.us" + ]; + relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [ + config.krebs.hosts.mors + config.krebs.hosts.uriel + config.krebs.hosts.helios + ]; + internet-aliases = with config.krebs.users; [ + { from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822 + { from = "lass@lassul.us"; to = lass.mail; } + { from = "lassulus@lassul.us"; to = lass.mail; } + { from = "test@lassul.us"; to = lass.mail; } + ]; + system-aliases = [ + { from = "mailer-daemon"; to = "postmaster"; } + { from = "postmaster"; to = "root"; } + { from = "nobody"; to = "root"; } + { from = "hostmaster"; to = "root"; } + { from = "usenet"; to = "root"; } + { from = "news"; to = "root"; } + { from = "webmaster"; to = "root"; } + { from = "www"; to = "root"; } + { from = "ftp"; to = "root"; } + { from = "abuse"; to = "root"; } + { from = "noc"; to = "root"; } + { from = "security"; to = "root"; } + { from = "root"; to = "lass"; } + ]; + }; + + krebs.setuid.sendmail = { + filename = "${pkgs.exim}/bin/exim"; + mode = "4111"; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport smtp"; target = "ACCEPT"; } + ]; +} -- cgit v1.2.3 From 3d8689494f994a6849b1815b98dcbd027f59b1c6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:16:58 +0200 Subject: l 2 base: remove exim & sendmail stuff --- lass/2configs/base.nix | 5 ----- 1 file changed, 5 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix index 4a4468300..8c6078ba5 100644 --- a/lass/2configs/base.nix +++ b/lass/2configs/base.nix @@ -45,7 +45,6 @@ with config.krebs.lib; krebs = { enable = true; search-domain = "retiolum"; - exim-retiolum.enable = true; build = { user = config.krebs.users.lass; source = mapAttrs (_: mkDefault) ({ 
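Review bot: `relay_from_hosts` in the new exim-smarthost.nix trusts the retiolum addresses of mors, uriel and helios, while the commit two before this one removed `lass-helios.pubkey` from root's authorized keys; if helios is being retired or is no longer fully trusted, its address should leave the relay list as well, otherwise a note like `# helios still relays mail; its key access was dropped deliberately` keeps the two decisions consistent. Relay trust rests on source IPv4 addresses alone, and the `krebs.iptables` rule here accepts smtp on every interface, so the setup only holds while retiolum-range sources cannot reach this host over another interface — confirm that the retiolum firewalling elsewhere guarantees this. `dkim` is left commented out, so mail for lassul.us leaves unsigned until it is enabled.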
@@ -153,10 +152,6 @@ with config.krebs.lib; ''; }; - security.setuidPrograms = [ - "sendmail" - ]; - services.openssh = { enable = true; hostKeys = [ -- cgit v1.2.3 From 1b717d487791ce6874caa439461d4deeb942a835 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 16:32:58 +0200 Subject: l 2 exim-smarthost: activate DKIM --- lass/2configs/exim-smarthost.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 7f838a316..f1c682416 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -5,9 +5,9 @@ with config.krebs.lib; { krebs.exim-smarthost = { enable = true; - #dkim = [ - # { domain = "lassul.us"; } - #]; + dkim = [ + { domain = "lassul.us"; } + ]; sender_domains = [ "lassul.us" ]; -- cgit v1.2.3 From 40ce314996762fe286a5f8d27873cd0ae9fab145 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:29:52 +0200 Subject: l 2 exim-smarthost: add outlook@lassul.us --- lass/2configs/exim-smarthost.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs') diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index f1c682416..e1aa29c49 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -21,6 +21,7 @@ with config.krebs.lib; { from = "lass@lassul.us"; to = lass.mail; } { from = "lassulus@lassul.us"; to = lass.mail; } { from = "test@lassul.us"; to = lass.mail; } + { from = "outlook@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } -- cgit v1.2.3 From 4c4ac83e1fb21611e947c40d612d51bbab91257e Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:30:17 +0200 Subject: l 2 backups: more backups --- lass/2configs/backups.nix | 86 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 61 insertions(+), 25 deletions(-) (limited to 'lass/2configs') 
diff --git a/lass/2configs/backups.nix b/lass/2configs/backups.nix
index c3275aece..ca9ff20a1 100644
--- a/lass/2configs/backups.nix
+++ b/lass/2configs/backups.nix
@@ -11,52 +11,88 @@ with config.krebs.lib; yearly = { format = "%Y"; }; }; }) { - prism-chat-uriel = { + dishfire-http-prism = { method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; }; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; }; startAt = "03:00"; }; + dishfire-http-mors = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; }; + startAt = "03:05"; + }; + dishfire-http-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-http"; }; + startAt = "03:10"; + }; + dishfire-sql-prism = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; }; + startAt = "03:15"; + }; + dishfire-sql-mors = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; }; + startAt = "03:20"; + }; + dishfire-sql-uriel = { + method = "pull"; + src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/dishfire-sql"; }; + startAt = "03:25"; + }; prism-chat-mors = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/home/chat"; }; dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; }; - startAt = "03:00"; + startAt = "03:30"; }; - mors-home-uriel = { - method = "push"; - src = { host = config.krebs.hosts.mors; path = "/home"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; }; - startAt = "04:00"; + prism-chat-uriel = { + method = "pull"; + src = { host = 
config.krebs.hosts.prism; path = "/home/chat"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-chat"; }; + startAt = "03:35"; }; - uriel-home-mors = { + prism-sql-mors = { method = "pull"; - src = { host = config.krebs.hosts.uriel; path = "/home"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; }; - startAt = "04:00"; + src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; }; + startAt = "03:40"; }; - prism-http-uriel = { + prism-sql-uriel = { method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; }; - startAt = "04:30"; + src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; }; + startAt = "03:45"; }; prism-http-mors = { method = "pull"; src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; }; - startAt = "04:30"; + startAt = "03:50"; }; - prism-sql-uriel = { + prism-http-uriel = { method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-sql_dumps"; }; - startAt = "05:00"; + src = { host = config.krebs.hosts.prism; path = "/srv/http"; }; + dst = { host = config.krebs.hosts.uriel; path = "/bku/prism-http"; }; + startAt = "03:55"; }; - prism-sql-mors = { + uriel-home-mors = { method = "pull"; - src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; }; - dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; }; + src = { host = config.krebs.hosts.uriel; path = "/home"; }; + dst = { host = config.krebs.hosts.mors; path = "/bku/uriel-home"; }; + startAt = "04:00"; + }; + mors-home-uriel = { + method = "push"; + src = { host = config.krebs.hosts.mors; path = "/home"; }; 
+ dst = { host = config.krebs.hosts.uriel; path = "/bku/mors-home"; }; startAt = "05:00"; }; }; -- cgit v1.2.3 From de6e888da9ed85ebbe35fa23569fbd8617734798 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:32:04 +0200 Subject: l websites: use lists in helpers --- lass/2configs/websites/domsen.nix | 22 +++++++-------- lass/2configs/websites/fritz.nix | 39 ++++++++++++++------------- lass/2configs/websites/wohnprojekt-rhh.de.nix | 9 +++---- 3 files changed, 35 insertions(+), 35 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 1b62bd977..caaee96bb 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -13,22 +13,22 @@ let in { imports = [ - ( ssl "reich-gebaeudereinigung.de" ) - ( servePage "reich-gebaeudereinigung.de" ) + ( ssl [ "reich-gebaeudereinigung.de" ]) + ( servePage [ "reich-gebaeudereinigung.de" ]) - ( manageCert "karlaskop.de" ) - ( servePage "karlaskop.de" ) + ( manageCerts [ "karlaskop.de" ]) + ( servePage [ "karlaskop.de" ]) - ( manageCert "makeup.apanowicz.de" ) - ( servePage "makeup.apanowicz.de" ) + ( ssl [ "makeup.apanowicz.de" ]) + ( servePage [ "makeup.apanowicz.de" ]) - ( manageCert "pixelpocket.de" ) - ( servePage "pixelpocket.de" ) + ( manageCerts [ "pixelpocket.de" ]) + ( servePage [ "pixelpocket.de" ]) - ( ssl "o.ubikmedia.de" ) - ( serveOwncloud "o.ubikmedia.de" ) + ( ssl [ "o.ubikmedia.de" ]) + ( serveOwncloud [ "o.ubikmedia.de" ]) - ( manageCerts [ "ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] ) + ( ssl [ "ubikmedia.de" "aldona.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] ) ( serveWordpress [ "ubikmedia.de" "*.ubikmedia.de" "apanowicz.de" "nirwanabluete.de" "aldonasiech.com" "360gradvideo.tv" "ubikmedia.eu" ] ) ]; 
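Review bot: The new `dishfire-sql-*` plans pull `/bku/sql_dumps` from dishfire at 03:15–03:25 and the `prism-sql-*` plans at 03:40–03:45, but nothing here ties those times to when `services.mysqlBackup` on the source host actually writes the dumps; if the dump job runs later, every pull ships the previous day's dump, so record the dependency, e.g. `# must run after mysqlBackup on the source host has finished`. `mors-home-uriel` keeps `startAt = "05:00"` as a context line while its counterpart `uriel-home-mors` moved to 04:00, leaving it the only plan outside the 03:xx window — say whether that is intentional. Replicating the web roots and SQL dumps of dishfire and prism onto three hosts means each of them now holds site user data, so `/bku` on those hosts needs the same protection as the originals.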
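Review bot: In the domsen.nix hunk `makeup.apanowicz.de` moves from `manageCert` to `ssl` while `karlaskop.de` and `pixelpocket.de` go to `manageCerts`, and nothing explains the difference between the two helpers; if `ssl` only wires an existing certificate into nginx while `manageCerts` obtains one, a domain on the wrong helper silently ends up without renewal. A comment above the imports stating which helper provisions the certificate and which consumes it (per what 4lib actually does) would make such switches reviewable. The `ssl` list for the WordPress domains now includes `aldona.ubikmedia.de`, covering one subdomain of the `*.ubikmedia.de` vhost on the context line below; any other subdomain in use still needs an entry.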
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 16a240d7c..7a35ba75b 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix @@ -2,37 +2,40 @@ let inherit (import ../../4lib { inherit lib pkgs; }) - manageCert + manageCerts activateACME ssl servePage - serveOwncloud; + serveWordpress; in { imports = [ - ( manageCert "biostase.de" ) - ( servePage "biostase.de" ) + #( manageCerts [ "biostase.de" ]) + #( servePage [ "biostase.de" ]) - ( manageCert "gs-maubach.de" ) - ( servePage "gs-maubach.de" ) + #( manageCerts [ "gs-maubach.de" ]) + #( servePage [ "gs-maubach.de" ]) - ( manageCert "spielwaren-kern.de" ) - ( servePage "spielwaren-kern.de" ) + #( manageCerts [ "spielwaren-kern.de" ]) + #( servePage [ "spielwaren-kern.de" ]) - ( manageCert "societyofsimtech.de" ) - ( servePage "societyofsimtech.de" ) + #( manageCerts [ "societyofsimtech.de" ]) + #( servePage [ "societyofsimtech.de" ]) - ( manageCert "ttf-kleinaspach.de" ) - ( servePage "ttf-kleinaspach.de" ) + #( manageCerts [ "ttf-kleinaspach.de" ]) + #( servePage [ "ttf-kleinaspach.de" ]) - ( manageCert "edsn.de" ) - ( servePage "edsn.de" ) + #( manageCerts [ "edsn.de" ]) + #( servePage [ "edsn.de" ]) - ( manageCert "eab.berkeley.edu" ) - ( servePage "eab.berkeley.edu" ) + #( manageCerts [ "eab.berkeley.edu" ]) + #( servePage [ "eab.berkeley.edu" ]) - ( manageCert "habsys.de" ) - ( servePage "habsys.de" ) + ( manageCerts [ "eastuttgart.de" ]) + ( serveWordpress [ "eastuttgart.de" ]) + + ( manageCerts [ "habsys.de" ]) + ( servePage [ "habsys.de" ]) ]; #lass.owncloud = { diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix index 4e3eb071a..858054531 100644 --- a/lass/2configs/websites/wohnprojekt-rhh.de.nix +++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix 
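Review bot: Commenting out the `manageCerts`/`servePage` pairs for seven domains in fritz.nix leaves them in an undefined state: if their DNS still points at this host, nginx now answers for them with whatever the default server is, and any certificate previously obtained for them stops being renewed. Either delete the lines or put one comment above the block saying why they are parked, e.g. `# parked until these sites are migrated; DNS may still point here`, so the next reader knows whether removing them is safe. `activateACME` and `ssl` remain inherited but are unused after this change.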
@@ -3,16 +3,13 @@ let inherit (config.krebs.lib) genid; inherit (import ../../4lib { inherit lib pkgs; }) - manageCert - activateACME ssl - servePage - serveOwncloud; + servePage; in { imports = [ - ( ssl "wohnprojekt-rhh.de" ) - ( servePage "wohnprojekt-rhh.de" ) + ( ssl [ "wohnprojekt-rhh.de" ]) + ( servePage [ "wohnprojekt-rhh.de" ]) ]; users.users.laura = { -- cgit v1.2.3 From c9c10168082f648b2d5c25355f55ab4dce885135 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:33:25 +0200 Subject: l 2 websites fritz: activate mysql & mysqlBackup --- lass/2configs/websites/fritz.nix | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 7a35ba75b..c022dfbe2 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix @@ -38,6 +38,20 @@ in { ( servePage [ "habsys.de" ]) ]; + services.mysql = { + enable = true; + package = pkgs.mariadb; + rootPassword = toString (); + }; + + services.mysqlBackup = { + enable = true; + databases = [ + "eastuttgart_de" + ]; + location = "/bku/sql_dumps"; + }; + #lass.owncloud = { # "o.ubikmedia.de" = { # instanceid = "oc8n8ddbftgh"; -- cgit v1.2.3 From 3b2cb2a3f73ad58c489ae854f829d5a4bf723e17 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 15 Apr 2016 14:39:03 +0200 Subject: l 2: base.nix -> default.nix --- lass/2configs/base.nix | 200 ---------------------------------------------- lass/2configs/baseX.nix | 2 +- lass/2configs/default.nix | 200 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 201 insertions(+), 201 deletions(-) delete mode 100644 lass/2configs/base.nix create mode 100644 lass/2configs/default.nix (limited to 'lass/2configs') diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix deleted file mode 100644 index 8c6078ba5..000000000 --- a/lass/2configs/base.nix +++ /dev/null 
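Review bot: `services.mysqlBackup` is pointed at `/bku/sql_dumps` but nothing in the hunk sets ownership or mode on that directory, and a dump of `eastuttgart_de` (a WordPress database, per the `serveWordpress` entry above) carries password hashes and user data; pin the directory mode, e.g. `systemd.tmpfiles.rules = [ "d /bku/sql_dumps 0700 root root - -" ];` with the owner adjusted to whatever user runs the dump, unless the module already does this (its source is outside the page). `rootPassword = toString ();` also renders with an empty argument here; that is presumably an angle-bracket search path lost in extraction, but it cannot be verified from the page. The `in {` set enclosing the hunk starts and ends outside it.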
@@ -1,200 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; -{ - imports = [ - ../2configs/vim.nix - ../2configs/zsh.nix - ../2configs/mc.nix - ../2configs/retiolum.nix - ./backups.nix - { - users.extraUsers = - mapAttrs (_: h: { hashedPassword = h; }) - (import ); - } - { - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - config.krebs.users.lass-uriel.pubkey - ]; - }; - mainUser = { - name = "lass"; - uid = 1337; - home = "/home/lass"; - group = "users"; - createHome = true; - useDefaultShell = true; - extraGroups = [ - ]; - openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - config.krebs.users.lass-uriel.pubkey - ]; - }; - }; - } - ]; - - networking.hostName = config.krebs.build.host.name; - nix.maxJobs = config.krebs.build.host.cores; - - krebs = { - enable = true; - search-domain = "retiolum"; - build = { - user = config.krebs.users.lass; - source = mapAttrs (_: mkDefault) ({ - nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix"; - secrets = "/home/lass/secrets/${config.krebs.build.host.name}"; - #secrets-common = "/home/lass/secrets/common"; - stockholm = "/home/lass/stockholm"; - nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819"; - dev = "/home/lass/src/nixpkgs"; - }; - } // optionalAttrs config.krebs.build.host.secure { - #secrets-master = "/home/lass/secrets/master"; - }); - }; - }; - - nix.useChroot = true; - - users.mutableUsers = false; - - services.timesyncd.enable = true; - - #why is this on in the first place? 
- services.nscd.enable = false; - - boot.tmpOnTmpfs = true; - # see tmpfiles.d(5) - systemd.tmpfiles.rules = [ - "d /tmp 1777 root root - -" - ]; - - # multiple-definition-problem when defining environment.variables.EDITOR - environment.extraInit = '' - EDITOR=vim - MANPAGER=most - ''; - - nixpkgs.config.allowUnfree = true; - - environment.systemPackages = with pkgs; [ - #stockholm - git - gnumake - jq - parallel - proot - - #style - most - rxvt_unicode.terminfo - - #monitoring tools - htop - iotop - - #network - iptables - - #stuff for dl - aria2 - - #neat utils - krebspaste - - #unpack stuff - p7zip - unzip - unrar - ]; - - programs.bash = { - enableCompletion = true; - interactiveShellInit = '' - HISTCONTROL='erasedups:ignorespace' - HISTSIZE=65536 - HISTFILESIZE=$HISTSIZE - - shopt -s checkhash - shopt -s histappend histreedit histverify - shopt -s no_empty_cmd_completion - complete -d cd - - #fancy colors - if [ -e ~/LS_COLORS ]; then - eval $(dircolors ~/LS_COLORS) - fi - - if [ -e /etc/nixos/dotfiles/link ]; then - /etc/nixos/dotfiles/link - fi - ''; - promptInit = '' - if test $UID = 0; then - PS1='\[\033[1;31m\]\w\[\033[0m\] ' - elif test $UID = 1337; then - PS1='\[\033[1;32m\]\w\[\033[0m\] ' - else - PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' - fi - if test -n "$SSH_CLIENT"; then - PS1='\[\033[35m\]\h'" $PS1" - fi - ''; - }; - - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - }; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - krebs.iptables = { - enable = true; - tables = { - nat.PREROUTING.rules = [ - { predicate = "! 
-i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } - { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } - ]; - nat.OUTPUT.rules = [ - { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } - ]; - filter.INPUT.policy = "DROP"; - filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } - { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } - { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - { predicate = "-i retiolum"; target = "REJECT"; precedence = -10000; } - ]; - }; - }; - - networking.dhcpcd.extraConfig = '' - noipv4ll - ''; - - #CVE-2016-0777 and CVE-2016-0778 workaround - #https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt - programs.ssh.extraConfig = '' - UseRoaming no - ''; - -} diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 6c52240af..1e28fdccc 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -4,7 +4,7 @@ let mainUser = config.users.extraUsers.mainUser; in { imports = [ - ./base.nix + ./default.nix #./urxvt.nix ./xserver ]; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix new file mode 100644 index 000000000..8c6078ba5 --- /dev/null +++ b/lass/2configs/default.nix 
@@ -0,0 +1,200 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +{ + imports = [ + ../2configs/vim.nix + ../2configs/zsh.nix + ../2configs/mc.nix + ../2configs/retiolum.nix + ./backups.nix + { + users.extraUsers = + mapAttrs (_: h: { hashedPassword = h; }) + (import ); + } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + config.krebs.users.lass-uriel.pubkey + ]; + }; + mainUser = { + name = "lass"; + uid = 1337; + home = "/home/lass"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + ]; + openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + config.krebs.users.lass-uriel.pubkey + ]; + }; + }; + } + ]; + + networking.hostName = config.krebs.build.host.name; + nix.maxJobs = config.krebs.build.host.cores; + + krebs = { + enable = true; + search-domain = "retiolum"; + build = { + user = config.krebs.users.lass; + source = mapAttrs (_: mkDefault) ({ + nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix"; + secrets = "/home/lass/secrets/${config.krebs.build.host.name}"; + #secrets-common = "/home/lass/secrets/common"; + stockholm = "/home/lass/stockholm"; + nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819"; + dev = "/home/lass/src/nixpkgs"; + }; + } // optionalAttrs config.krebs.build.host.secure { + #secrets-master = "/home/lass/secrets/master"; + }); + }; + }; + + nix.useChroot = true; + + users.mutableUsers = false; + + services.timesyncd.enable = true; + + #why is this on in the first place? 
+ services.nscd.enable = false; + + boot.tmpOnTmpfs = true; + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + MANPAGER=most + ''; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + #stockholm + git + gnumake + jq + parallel + proot + + #style + most + rxvt_unicode.terminfo + + #monitoring tools + htop + iotop + + #network + iptables + + #stuff for dl + aria2 + + #neat utils + krebspaste + + #unpack stuff + p7zip + unzip + unrar + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + #fancy colors + if [ -e ~/LS_COLORS ]; then + eval $(dircolors ~/LS_COLORS) + fi + + if [ -e /etc/nixos/dotfiles/link ]; then + /etc/nixos/dotfiles/link + fi + ''; + promptInit = '' + if test $UID = 0; then + PS1='\[\033[1;31m\]\w\[\033[0m\] ' + elif test $UID = 1337; then + PS1='\[\033[1;32m\]\w\[\033[0m\] ' + else + PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' + fi + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + krebs.iptables = { + enable = true; + tables = { + nat.PREROUTING.rules = [ + { predicate = "! 
-i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } + { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } + ]; + nat.OUTPUT.rules = [ + { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } + ]; + filter.INPUT.policy = "DROP"; + filter.FORWARD.policy = "DROP"; + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } + { predicate = "-i retiolum"; target = "REJECT"; precedence = -10000; } + ]; + }; + }; + + networking.dhcpcd.extraConfig = '' + noipv4ll + ''; + + #CVE-2016-0777 and CVE-2016-0778 workaround + #https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt + programs.ssh.extraConfig = '' + UseRoaming no + ''; + +} -- cgit v1.2.3 From 3e59f5fb4c9d110d5f91d60c875ca49a414c2a6f Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 15 Apr 2016 16:19:50 +0200 Subject: l 2 baseX: add xclip to pkgs --- lass/2configs/baseX.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs') diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 1e28fdccc..79fc4744f 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -39,6 +39,7 @@ in { push slock sxiv + xclip xorg.xbacklight xsel zathura -- cgit v1.2.3 From 22a9fcdf8e9c3fa47e4ba6cbad47f4f5b74b57ed Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Apr 2016 12:05:49 +0200 Subject: 2 buildbot-standalone: make everything work again --- lass/2configs/buildbot-standalone.nix | 55 ++++++++++++++++++++++++++--------- 1 file changed, 42 insertions(+), 13 deletions(-) (limited to 'lass/2configs') 
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 8c71553fe..604d0728d 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -1,15 +1,16 @@ { lib, config, pkgs, ... }: { - #networking.firewall.allowedTCPPorts = [ 8010 9989 ]; - krebs.buildbot.master = { + krebs.buildbot.master = let + stockholm-mirror-url = http://cgit.prism/stockholm ; + in { slaves = { testslave = "lasspass"; }; change_source.stockholm = '' - stockholm_repo = 'http://cgit.mors/stockholm' + stockholm_repo = '${stockholm-mirror-url}' cs.append(changes.GitPoller( stockholm_repo, - workdir='stockholm-poller', branch='master', + workdir='stockholm-poller', branches=True, project='stockholm', pollinterval=120)) ''; @@ -20,10 +21,12 @@ builderNames=["fast-tests"])) ''; fast-tests-scheduler = '' - # test the master real quick + # test everything real quick sched.append(schedulers.SingleBranchScheduler( - change_filter=util.ChangeFilter(branch="master"), - name="fast-master-test", + ## all branches + change_filter=util.ChangeFilter(branch_re=".*"), + # treeStableTimer=10, + name="fast-all-branches", builderNames=["fast-tests"])) ''; }; @@ -38,7 +41,10 @@ deps = [ "gnumake", "jq","nix","rsync" ] # TODO: --pure , prepare ENV in nix-shell command: # SSL_CERT_FILE,LOGNAME,NIX_REMOTE - nixshell = ["nix-shell", "-I", "stockholm=.", "-p" ] + deps + [ "--run" ] + nixshell = ["nix-shell", + "-I", "stockholm=.", + "-I", "nixpkgs=/var/src/nixpkgs", + "-p" ] + deps + [ "--run" ] # prepare addShell function def addShell(factory,**kwargs): 
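Review bot: With `branch_re=".*"` here and `branches=True` in the poller hunk above, every branch pushed to the mirror is checked out and run through `make`/`nix-shell` on the slave, so the set of people who can execute code on the build host becomes the set of people who can push any ref to `cgit.prism`; if those differ, keep a filter on trusted branch names or a trusted-committer check. The leftover `# treeStableTimer=10,` and the doubled `## all branches` / `# test everything real quick` comments should be cleaned up or folded into one line explaining the choice. In the third hunk, `-I nixpkgs=/var/src/nixpkgs` repeats what `extraEnviron.NIX_PATH` sets for the slave later in this commit; one place should own that path so the two cannot drift.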
@@ -48,13 +54,26 @@ fast-tests = '' f = util.BuildFactory() f.addStep(grab_repo) - addShell(f,name="mors-eval",env=env, - command=nixshell + ["make -s eval get=krebs.deploy filter=json system=mors"]) + for i in [ "prism", "mors", "echelon" ]: + addShell(f,name="populate-{}".format(i),env=env, + command=nixshell + \ + ["{}( make system={} eval.config.krebs.build.populate \ + | jq -er .)".format("!" if "failing" in i else "",i)]) + + addShell(f,name="build-test-minimal",env=env, + command=nixshell + \ + ["nix-instantiate \ + --show-trace --eval --strict --json \ + -I nixos-config=./shared/1systems/test-minimal-deploy.nix \ + -I secrets=. \ + -A config.system.build.toplevel"] + ) bu.append(util.BuilderConfig(name="fast-tests", slavenames=slavenames, factory=f)) - ''; + + ''; }; enable = true; web.enable = true; @@ -72,7 +91,17 @@ masterhost = "localhost"; username = "testslave"; password = "lasspass"; - packages = with pkgs;[ git nix ]; - extraEnviron = { NIX_PATH="nixpkgs=${toString }"; }; + packages = with pkgs;[ git nix gnumake jq rsync ]; + extraEnviron = { + NIX_PATH="nixpkgs=/var/src/nixpkgs:nixos-config=./shared/1systems/wolf.nix"; + }; + }; + krebs.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-p tcp --dport 8010"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 9989"; target = "ACCEPT"; } + ]; + }; }; } -- cgit v1.2.3 From 3d7b41fb0bfa8e428bebc58eb42b978d784eed15 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Apr 2016 12:06:50 +0200 Subject: l 2 exim-smarthost: add aidsballs.de mails --- lass/2configs/exim-smarthost.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index e1aa29c49..2efb6f367 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix 
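Review bot: `"!" if "failing" in i else ""` can never take the `!` branch because the loop iterates over `"prism"`, `"mors"`, `"echelon"`, none of which contains `failing`; either drop the conditional or add the intended expected-to-fail entry to the list so the negation is exercised. The extra blank `+` line before `'';` is stray whitespace. The shell text built by `.format` embeds `i` unquoted into `make system={}`, which is fine for these literal names; a comment like `# system names are fixed literals, never user input` would stop someone from later feeding the loop from an external list.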
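Review bot: The two ACCEPT rules open 8010 (buildbot web UI) and 9989 (slave protocol) on every interface with no `-i` or source match, while nothing in the hunk adds authentication for the web UI and the slave credential is the literal `lasspass` a few lines up. Restricting both to the VPN, `{ predicate = "-i retiolum -p tcp --dport 8010"; target = "ACCEPT"; }` and likewise for 9989, matches how the rest of this page treats `retiolum` as the trusted side. `NIX_PATH` also uses the relative `nixos-config=./shared/1systems/wolf.nix`, which resolves against the build's working directory; a comment spelling out that assumption would help the next reader.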
@@ -10,6 +10,7 @@ with config.krebs.lib; ]; sender_domains = [ "lassul.us" + "aidsballs.de" ]; relay_from_hosts = map (host: host.nets.retiolum.ip4.addr) [ config.krebs.hosts.mors @@ -22,6 +23,8 @@ with config.krebs.lib; { from = "lassulus@lassul.us"; to = lass.mail; } { from = "test@lassul.us"; to = lass.mail; } { from = "outlook@lassul.us"; to = lass.mail; } + { from = "steuer@aidsballs.de"; to = lass.mail; } + { from = "lass@aidsballs.de"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } -- cgit v1.2.3 From 4ee39c0d71bb6a91bb5c64342ede2f5731c9c1e7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Apr 2016 13:23:12 +0200 Subject: l 2 websites fritz: manage more habsys domains --- lass/2configs/websites/fritz.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index c022dfbe2..0eff39908 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix @@ -34,8 +34,8 @@ in { ( manageCerts [ "eastuttgart.de" ]) ( serveWordpress [ "eastuttgart.de" ]) - ( manageCerts [ "habsys.de" ]) - ( servePage [ "habsys.de" ]) + ( manageCerts [ "habsys.de" "habsys.eu" ]) + ( servePage [ "habsys.de" "habsys.eu" ]) ]; services.mysql = { -- cgit v1.2.3 From 2680064f0d6c14204e5ce3796b18bcde633e5f8e Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Apr 2016 13:23:38 +0200 Subject: l 2: add mail.nix --- lass/2configs/mail.nix | 88 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 lass/2configs/mail.nix (limited to 'lass/2configs') diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix new file mode 100644 index 000000000..ff4dff090 --- /dev/null +++ b/lass/2configs/mail.nix 
@@ -0,0 +1,88 @@ +{ pkgs, ... }: + +let + + msmtprc = pkgs.writeText "msmtprc" '' + defaults + logfile ~/.msmtp.log + account prism + host prism.r + account default: prism + ''; + + msmtp = pkgs.writeScriptBin "msmtp" '' + ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@ + ''; + + muttrc = pkgs.writeText "muttrc" '' + # notmuch + set nm_default_uri="notmuch://$HOME/Maildir" # path to the maildir + set nm_record = yes + set nm_record_tags = "-inbox me archive" + set virtual_spoolfile=yes # enable virtual folders + set sendmail="msmtp" # enables parsing of outgoing mail + set use_from=yes + set envelope_from=yes + + set index_format="%4C %Z %?GI?%GI& ? %[%d/%b] %-16.15F %?M?(%3M)& ? %s %> %?g?%g?" + + virtual-mailboxes \ + "INBOX" "notmuch://?query=tag:inbox and NOT tag:killed"\ + "Unread" "notmuch://?query=tag:unread"\ + "TODO" "notmuch://?query=tag:TODO"\ + "Starred" "notmuch://?query=tag:*"\ + "Archive" "notmuch://?query=tag:archive"\ + "Sent" "notmuch://?query=tag:sent"\ + "Junk" "notmuch://?query=tag:junk" + + tag-transforms "junk" "k" \ + "unread" "u" \ + "replied" "↻" \ + "TODO" "T" \ + + # notmuch bindings + macro index \\\\ "" # looks up a hand made query + macro index A "+archive -unread -inbox\n" # tag as Archived + macro index + "+*\n" # tag as starred + macro index - "-*\n" # tag as unstarred + + + #killed + bind index d noop + bind pager d noop + + bind pager S noop + macro index S "-inbox -unread +junk\n" # tag as Junk mail + macro pager S "-inbox -unread +junk\n" # tag as Junk mail + + bind index t noop + bind pager t noop + macro index t "+TODO\n" # tag as Archived + + + # sidebar + set sidebar_width = 20 + set sidebar_visible = yes # set to "no" to disable sidebar view at startup + color sidebar_new yellow default + # sidebar bindings + bind index sidebar-prev # got to previous folder in sidebar + bind index sidebar-next # got to next folder in sidebar + bind index sidebar-open # open selected folder from sidebar + # sidebar toggle + macro index ,@) " set 
sidebar_visible=no; macro index ~ ,@( 'Toggle sidebar'" + macro index ,@( " set sidebar_visible=yes; macro index ~ ,@) 'Toggle sidebar'" + macro index ~ ,@( 'Toggle sidebar' # toggle the sidebar + ''; + + mutt = pkgs.writeScriptBin "mutt" '' + ${pkgs.mutt-kz}/bin/mutt -F ${muttrc} $@ + ''; + +in { + environment.systemPackages = [ + msmtp + mutt + pkgs.much + pkgs.notmuch + ]; +} -- cgit v1.2.3 From b5f18ab839432b07a88ee34e0e98dc343a50e854 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Apr 2016 13:37:23 +0200 Subject: l 2 mail: use exec and writeDashBin --- lass/2configs/mail.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index ff4dff090..e29b6d9b2 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -10,8 +10,8 @@ let account default: prism ''; - msmtp = pkgs.writeScriptBin "msmtp" '' - ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@ + msmtp = pkgs.writeDashBin "msmtp" '' + exec ${pkgs.msmtp}/bin/msmtp -C ${msmtprc} $@ ''; muttrc = pkgs.writeText "muttrc" '' @@ -74,8 +74,8 @@ let macro index ~ ,@( 'Toggle sidebar' # toggle the sidebar ''; - mutt = pkgs.writeScriptBin "mutt" '' - ${pkgs.mutt-kz}/bin/mutt -F ${muttrc} $@ + mutt = pkgs.writeDashBin "mutt" '' + exec ${pkgs.mutt-kz}/bin/mutt -F ${muttrc} $@ ''; in { -- cgit v1.2.3 From 90f8f75a2c751efc57679d3c79d77c016062a7d7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Apr 2016 16:57:56 +0200 Subject: l 2 mail: add gpg stuff --- lass/2configs/mail.nix | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'lass/2configs') diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index e29b6d9b2..3c7dfcaf6 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix 
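Review bot: Both wrappers pass `$@` unquoted, so an argument containing whitespace is split into several words before it reaches `msmtp`/`mutt`; the fix is `${pkgs.msmtp}/bin/msmtp -C ${msmtprc} "$@"` and the same `"$@"` in the `mutt` wrapper. The follow-up commit on this page (b5f18ab, "use exec and writeDashBin") keeps the unquoted form in both of its hunks, so the change applies there too. `msmtprc` also has no `tls` line, so submission to `prism.r` runs without TLS unless msmtp's defaults say otherwise; if that host is only reached over the VPN this may be intended, but recording it, e.g. `# no tls: prism.r is only reachable via retiolum`, would save the next reader from guessing.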
@@ -15,6 +15,13 @@ let ''; muttrc = pkgs.writeText "muttrc" '' + # gpg + source ${pkgs.mutt-kz}/share/doc/mutt-kz/samples/gpg.rc + set pgp_use_gpg_agent = yes + set pgp_sign_as = 0x976A7E4D + set crypt_autosign = yes + set crypt_replyencrypt = yes + # notmuch set nm_default_uri="notmuch://$HOME/Maildir" # path to the maildir set nm_record = yes -- cgit v1.2.3 From b8aee5d8f5c325f7b3b01201aadbe048aa2e5bda Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 20 Apr 2016 13:58:10 +0200 Subject: l 2 default: add iftop to pkgs --- lass/2configs/default.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/2configs') diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 8c6078ba5..2f6ffa18e 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -104,6 +104,7 @@ with config.krebs.lib; #network iptables + iftop #stuff for dl aria2 -- cgit v1.2.3 From 20d4383d1f0ed484e402478d92da24d4aed44285 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 20 Apr 2016 13:59:49 +0200 Subject: l 2 websites: use lass.mysqlBackup --- lass/2configs/websites/domsen.nix | 10 ++++++++++ lass/2configs/websites/fritz.nix | 18 +++++++----------- 2 files changed, 17 insertions(+), 11 deletions(-) (limited to 'lass/2configs') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index caaee96bb..a6fdad645 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -38,6 +38,16 @@ in { rootPassword = toString (); }; + lass.mysqlBackup = { + enable = true; + config.domsen = { + password = toString (); + databases = [ + "ubikmedia_de" + "o_ubikmedia_de" + ]; + }; + }; services.mysqlBackup = { enable = true; databases = [ diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index 0eff39908..b02c2e878 100644 --- a/lass/2configs/websites/fritz.nix +++ b/lass/2configs/websites/fritz.nix 
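Review bot: `set pgp_sign_as = 0x976A7E4D` selects the signing key by its 32-bit short ID, and short IDs are cheap to collide, so a second key with the same suffix in the keyring could be picked up; gpg and mutt accept the full fingerprint, so `set pgp_sign_as = 0x<FULL-40-HEX-FINGERPRINT>` (placeholder; the real fingerprint is not on the page) is the safer form. `crypt_replyencrypt = yes` encrypts only replies to encrypted mail while new mail goes out unencrypted, which is fine if intended; a one-line comment saying so would help.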
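Review bot: `lass.mysqlBackup` is enabled while the existing `services.mysqlBackup` block (the context lines directly below the insertion) stays enabled too, so domsen now runs two dump jobs over overlapping databases; the fritz.nix hunk in the same commit replaces the old block instead, which is the form this file should follow. Two mechanisms also mean two copies of the dumps to protect. `password = toString ();` renders with an empty argument on this page, presumably an angle-bracket secrets path stripped by extraction, so it cannot be checked here.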
@@ -44,12 +44,14 @@ in { rootPassword = toString (); }; - services.mysqlBackup = { + lass.mysqlBackup = { enable = true; - databases = [ - "eastuttgart_de" - ]; - location = "/bku/sql_dumps"; + config.fritz = { + password = toString (); + databases = [ + "eastuttgart_de" + ]; + }; }; #lass.owncloud = { @@ -57,10 +59,4 @@ in { # instanceid = "oc8n8ddbftgh"; # }; #}; - - #services.mysql = { - # enable = true; - # package = pkgs.mariadb; - # rootPassword = toString (); - #}; } -- cgit v1.2.3 From f0291b0f6001f9bf050b1fd4ba0001f46d2911e4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 20 Apr 2016 16:36:29 +0200 Subject: l 2: add krebs-pass --- l
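Review bot: Replacing `services.mysqlBackup` drops `location = "/bku/sql_dumps"` with no equivalent in the new `lass.mysqlBackup` block, so where the `eastuttgart_de` dumps now land, and with what permissions, is decided by that module's defaults, which are outside the page; if any job expects the old path it should be set explicitly or the change noted in a comment. `config.fritz.password` reaches the module as a string via `toString`, so confirm the module reads it as a file path rather than embedding the literal in a world-readable Nix store file. The `in {` set enclosing the hunk starts and ends outside it.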