From 04d10421ed339a2342e92f5cabda83afbd7fd450 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 6 Mar 2019 16:54:31 +0100
Subject: l: NIX_REMOTE is now set by nixos correctly

---
 lass/1systems/blue/physical.nix   | 1 -
 lass/1systems/red/physical.nix    | 1 -
 lass/1systems/yellow/physical.nix | 1 -
 3 files changed, 3 deletions(-)

(limited to 'lass')

diff --git a/lass/1systems/blue/physical.nix b/lass/1systems/blue/physical.nix
index 7499ff723..b6aa3a894 100644
--- a/lass/1systems/blue/physical.nix
+++ b/lass/1systems/blue/physical.nix
@@ -4,5 +4,4 @@
   ];
   boot.isContainer = true;
   networking.useDHCP = false;
-  environment.variables.NIX_REMOTE = "daemon";
 }
diff --git a/lass/1systems/red/physical.nix b/lass/1systems/red/physical.nix
index 7499ff723..b6aa3a894 100644
--- a/lass/1systems/red/physical.nix
+++ b/lass/1systems/red/physical.nix
@@ -4,5 +4,4 @@
   ];
   boot.isContainer = true;
   networking.useDHCP = false;
-  environment.variables.NIX_REMOTE = "daemon";
 }
diff --git a/lass/1systems/yellow/physical.nix b/lass/1systems/yellow/physical.nix
index 7499ff723..b6aa3a894 100644
--- a/lass/1systems/yellow/physical.nix
+++ b/lass/1systems/yellow/physical.nix
@@ -4,5 +4,4 @@
   ];
   boot.isContainer = true;
   networking.useDHCP = false;
-  environment.variables.NIX_REMOTE = "daemon";
 }
-- 
cgit v1.2.3


From 8f0b3d939eb933bfb1d9a3b2ac2147960abbbfd8 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 8 Apr 2019 18:56:09 +0200
Subject: l green.r: don't set NIX_REMOTE

---
 lass/1systems/green/physical.nix | 1 -
 1 file changed, 1 deletion(-)

(limited to 'lass')

diff --git a/lass/1systems/green/physical.nix b/lass/1systems/green/physical.nix
index 7499ff723..b6aa3a894 100644
--- a/lass/1systems/green/physical.nix
+++ b/lass/1systems/green/physical.nix
@@ -4,5 +4,4 @@
   ];
   boot.isContainer = true;
   networking.useDHCP = false;
-  environment.variables.NIX_REMOTE = "daemon";
 }
-- 
cgit v1.2.3


From 07a56f4d03da08739cafe7c0006a01a9ff8e345a Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Mon, 8 Apr 2019 19:02:42 +0200
Subject: l mors.r: disable hardening

---
 lass/1systems/mors/config.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lass')

diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 250d96e53..fa5fb5518 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -36,7 +36,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/blue-host.nix>
     <stockholm/lass/2configs/network-manager.nix>
     <stockholm/lass/2configs/nfs-dl.nix>
-    <stockholm/lass/2configs/hardening.nix>
+    #<stockholm/lass/2configs/hardening.nix>
     {
       krebs.iptables.tables.filter.INPUT.rules = [
         #risk of rain
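Review bot: The hardening import on the new line is commented out rather than removed, and nothing records why it was switched off or what is expected to break while it is gone. A trailing comment would carry that, e.g. `#<stockholm/lass/2configs/hardening.nix> # disabled <DATE-PLACEHOLDER>: <what broke>`; alternatively delete the line outright, since git history keeps it. The enclosing imports list starts before the hunk.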
-- 
cgit v1.2.3


From 72cd01d104bb61b5a5e28c2c10e0bd2bd55ce681 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 11 Apr 2019 15:43:25 +0200
Subject: l domsen: increment duckdns domain

---
 lass/2configs/websites/domsen.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lass')

diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index b58484773..5bd5a7cac 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -237,8 +237,8 @@ in {
   krebs.on-failure.plans.restic-backups-domsen = {};
   services.restic.backups.domsen = {
     initialize = true;
-    extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ];
-    repository = "sftp:efOVcMWSZ@wilhelmstr.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES";
+    extraOptions = [ "sftp.command='ssh efOVcMWSZ@wilhelmstr2.duckdns.org -S none -v -p 52222 -i ${toString <secrets> + "/ssh.id_ed25519"} -s sftp'" ];
+    repository = "sftp:efOVcMWSZ@wilhelmstr2.duckdns.org:/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES";
     passwordFile = toString <secrets> + "/domsen_backup_pw";
     timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
     paths = [
-- 
cgit v1.2.3


From d03c70bb86ef1fb3e88a2dc9143faf34240feec0 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 13 Apr 2019 14:48:26 +0200
Subject: l hw x220: disable lid via new api

---
 lass/2configs/hw/x220.nix | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'lass')

diff --git a/lass/2configs/hw/x220.nix b/lass/2configs/hw/x220.nix
index f5651da13..5649041f9 100644
--- a/lass/2configs/hw/x220.nix
+++ b/lass/2configs/hw/x220.nix
@@ -30,8 +30,7 @@
     };
   };
 
-  services.logind.extraConfig = ''
-    HandleLidSwitch=ignore
-  '';
+  services.logind.lidSwitch = "ignore";
+  services.logind.lidSwitchDocked = "ignore";
 
 }
-- 
cgit v1.2.3


From ec4b7f30f5f4dfbc5b2164fdb6f25ff32e841cde Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 13 Apr 2019 14:49:48 +0200
Subject: l usershadow: add setuid wrapper for check_pw

---
 lass/3modules/usershadow.nix | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

(limited to 'lass')

diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index cb2890969..383b9a537 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -31,13 +31,20 @@
       session required pam_loginuid.so
     '';
 
-    security.pam.services.dovecot2.text = ''
-      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
-      auth required pam_permit.so
-      account required pam_permit.so
-      session required pam_permit.so
-      session required pam_env.so envfile=${config.system.build.pamEnvironment}
-    '';
+    security.pam.services.dovecot2 = {
+      text = ''
+        auth required pam_exec.so debug expose_authtok log=/tmp/lol /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
+        auth required pam_permit.so
+        account required pam_permit.so
+        session required pam_permit.so
+        session required pam_env.so envfile=${config.system.build.pamEnvironment}
+      '';
+    };
+
+    security.wrappers.shadow_verify_pam = {
+      source = "${usershadow}/bin/verify_pam";
+      owner = "root";
+    };
   };
 
   usershadow = let {
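Review bot: The new pam_exec line carries leftover debugging: `debug` together with `log=/tmp/lol` on a module invoked with `expose_authtok`, so the helper's output for every dovecot login is appended to a fixed, predictable file in a world-writable directory. Drop both options before this lands, or point `log=` at a root-owned path under /var/log, e.g. `auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}`. The wrapper definition sets only `source` and `owner`; if this NixOS release's security.wrappers defaults `setuid` to false, as I believe it did at the time, the binary is not actually setuid and `setuid = true;` is missing despite the commit subject. The enclosing `config` attribute set starts before the hunk.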
-- 
cgit v1.2.3


From 91bab57c35d61550ae4fec98cd8e985c037ed7f7 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 13 Apr 2019 14:54:29 +0200
Subject: l usershadow: build without -threaded

---
 lass/3modules/usershadow.nix | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'lass')

diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index 383b9a537..d967a108a 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -53,10 +53,13 @@
       "bytestring"
     ];
     body = pkgs.writeHaskellPackage "passwords" {
+      ghc-options = [
+        "-rtsopts"
+        "-Wall"
+      ];
       executables.verify_pam = {
         extra-depends = deps;
         text = ''
-          import Data.Monoid
           import System.IO
           import Data.Char (chr)
           import System.Environment (getEnv, getArgs)
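Review bot: `-rtsopts` in the new ghc-options list enables full RTS option parsing (`+RTS …` on argv and `GHCRTS` from the environment) for verify_pam, which the previous commit installs behind a security wrapper; the GHC user guide warns that this setting is unsafe for setuid programs because RTS flags can redirect statistics and profiling output to arbitrary files. Unless RTS flags are actually needed, leave the flag out or use `"-rtsopts=none"`; `-Wall` is fine and explains the Data.Monoid removals. The subject says the binary is now built without `-threaded`, but nothing in the hunk removes that flag, so presumably the writeHaskellPackage default changed elsewhere; a comment on the ghc-options list saying so would help. The `body` expression starts before the hunk.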
@@ -79,7 +82,6 @@
       executables.verify_arg = {
         extra-depends = deps;
         text = ''
-          import Data.Monoid
           import System.Environment (getArgs)
           import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
           import qualified Data.ByteString.Char8 as BS8
-- 
cgit v1.2.3


From 6e28354f923f25b4bddc4835fe1d1457de71412c Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 13 Apr 2019 16:36:34 +0200
Subject: l: sync .weechat

---
 lass/1systems/blue/config.nix | 2 ++
 lass/1systems/mors/config.nix | 2 ++
 2 files changed, 4 insertions(+)

(limited to 'lass')

diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix
index a287f548b..43c80d52f 100644
--- a/lass/1systems/blue/config.nix
+++ b/lass/1systems/blue/config.nix
@@ -15,9 +15,11 @@ with import <stockholm/lib>;
 
   krebs.syncthing.folders = [
     { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
+    { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
   ];
   lass.ensure-permissions = [
     { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
+    { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
   ];
 
   environment.shellAliases = {
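Review bot: Syncing `/home/lass/.weechat` replicates whatever WeeChat keeps there, which typically includes irc.conf server passwords and sec.conf secured data, to every listed peer, and the ensure-permissions entry additionally grants the `syncthing` group access to the directory. That is presumably intended, but a short comment on the folder entry stating that the directory carries credentials and relies on sec.conf being passphrase-protected would help the next reader; the same applies to the mors hunk below. The entry also has no explicit `id` unlike the contacts one, so whatever default the krebs.syncthing module derives is relied on; an explicit `id = "weechat";` would be clearer.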
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index fa5fb5518..52bcc9e15 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -52,10 +52,12 @@ with import <stockholm/lib>;
       krebs.syncthing.folders = [
         { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
         { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" ]; }
+        { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
       ];
       lass.ensure-permissions = [
         { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
         { folder = "/home/lass/tmp/the_playlist"; owner = "lass"; group = "syncthing"; }
+        { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
       ];
     }
     {
-- 
cgit v1.2.3


From 167f19018d856d233cd405612e215869ffc925b4 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Sat, 13 Apr 2019 16:37:21 +0200
Subject: l syncthing: set configDir to 18.09 default

---
 lass/2configs/syncthing.nix | 1 +
 1 file changed, 1 insertion(+)

(limited to 'lass')

diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix
index 842abc195..d8b3c9f90 100644
--- a/lass/2configs/syncthing.nix
+++ b/lass/2configs/syncthing.nix
@@ -4,6 +4,7 @@ with import <stockholm/lib>;
   services.syncthing = {
     enable = true;
     group = "syncthing";
+    configDir = "/var/lib/syncthing";
   };
   krebs.iptables.tables.filter.INPUT.rules = [
     { predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
-- 
cgit v1.2.3


From a224e77dfbb8dc88119891c492651458cfacd39a Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Sat, 13 Apr 2019 21:41:58 +0200
Subject: lass paste: add p.krebsco.de

---
 lass/2configs/paste.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'lass')

diff --git a/lass/2configs/paste.nix b/lass/2configs/paste.nix
index 293691c0f..3c3d8e636 100644
--- a/lass/2configs/paste.nix
+++ b/lass/2configs/paste.nix
@@ -10,6 +10,16 @@ with import <stockholm/lib>;
       proxy_pass http://localhost:9081;
     '';
   };
+  services.nginx.virtualHosts.paste-readonly = {
+    serverAliases = [ "p.krebsco.de" ];
+    locations."/".extraConfig = ''
+      if ($request_method != GET) {
+        return 403;
+      }
+      proxy_set_header Host $host;
+      proxy_pass http://localhost:9081;
+    '';
+  };
   krebs.htgen.paste = {
     port = 9081;
     script = toString [
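Review bot: The read-only vhost's `if ($request_method != GET)` also rejects HEAD, so `curl -I`, monitoring probes and caches get a 403 from p.krebsco.de even though they cannot modify anything. nginx's idiomatic form is `limit_except GET { deny all; }` inside the location, which permits HEAD alongside GET and avoids an `if` in location context; if the `if` is kept, `if ($request_method !~ ^(GET|HEAD)$)` is the minimal fix. The enclosing virtualHosts set continues past the hunk.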
-- 
cgit v1.2.3


From d61f9654f294f4e491e6ff8bb04f34c916d7cf67 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 17:38:57 +0200
Subject: l daedalus.r: add ublock origin

---
 lass/1systems/daedalus/config.nix | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'lass')

diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index e28fbf2f8..56c9c5fba 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -27,6 +27,12 @@ with import <stockholm/lib>;
         enable = true;
         systemWide = true;
       };
+      programs.chromium = {
+        enable = true;
+        extensions = [
+          "cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
+        ];
+      };
       environment.systemPackages = with pkgs; [
         pavucontrol
         #firefox
-- 
cgit v1.2.3


From cef929303a5c0a992aeddedc6aa57d503c7891df Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 17:39:50 +0200
Subject: l littleT: import green-host

---
 lass/1systems/littleT/config.nix | 1 +
 1 file changed, 1 insertion(+)

(limited to 'lass')

diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix
index eee23ee60..d44e62053 100644
--- a/lass/1systems/littleT/config.nix
+++ b/lass/1systems/littleT/config.nix
@@ -8,6 +8,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/retiolum.nix>
     <stockholm/lass/2configs/blue-host.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/green-host.nix>
   ];
 
   networking.networkmanager.enable = true;
-- 
cgit v1.2.3


From 0dc099791b311afabf4ce26de98e9ab628b2d2a0 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 17:41:51 +0200
Subject: l mors.r: add dns update scripts

---
 lass/1systems/mors/config.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'lass')

diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 52bcc9e15..3db29a712 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -137,6 +137,18 @@ with import <stockholm/lib>;
     (pkgs.writeDashBin "btc-kraken" ''
       ${pkgs.curl}/bin/curl -Ss  'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
     '')
+    (pkgs.writeDashBin "krebsco.de" ''
+      TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
+      ${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json
+      OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import
+      ${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
+    '')
+    (pkgs.writeDashBin "lassul.us" ''
+      TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
+      ${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json
+      OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us
+      ${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
+    '')
   ];
 
   #TODO: fix this shit
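Review bot: Both new scripts write a decrypted secrets file into `$TMPDIR` and remove it only on the happy path; writeDashBin scripts do not run under `set -e` and there is no trap, so a failing `brain show`, `pass show` or import leaves the OVH credentials on disk. Register the cleanup right after mktemp, e.g. `trap '${pkgs.coreutils}/bin/rm -rf "$TMPDIR"' EXIT`, and consider `set -eu` at the top so a failed decryption does not proceed to an import with an empty file. Naming the variable `TMPDIR` also changes where the child programs place their own temp files; a distinct name such as `SECRETS_DIR` avoids that side effect. The enclosing systemPackages list starts before the hunk.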
-- 
cgit v1.2.3


From 8d6957c64f310b38df47da587ee1a01437bd6489 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 17:48:20 +0200
Subject: l green.r: sync .weechat

---
 lass/1systems/green/config.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'lass')

diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index 6ae157e38..3abc03c2f 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -16,12 +16,13 @@ with import <stockholm/lib>;
 
   krebs.syncthing.folders = [
     { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
+    { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
   ];
   lass.ensure-permissions = [
     { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
+    { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
   ];
 
-
   #networking.nameservers = [ "1.1.1.1" ];
 
   #time.timeZone = "Europe/Berlin";
-- 
cgit v1.2.3


From 2e6376fbd04000597557e69bce0c00ee0db5277e Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 17:50:47 +0200
Subject: l mors.r: sync the_playlist with prism.r

---
 lass/1systems/mors/config.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lass')

diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 3db29a712..706c3f58b 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -51,7 +51,7 @@ with import <stockholm/lib>;
     {
       krebs.syncthing.folders = [
         { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
-        { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" ]; }
+        { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" "prism" ]; }
         { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
       ];
       lass.ensure-permissions = [
-- 
cgit v1.2.3


From 631bc1c48068a3649762074178f85e3024bd1736 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 18:10:23 +0200
Subject: l: add more green.r hosts

---
 lass/1systems/shodan/config.nix | 1 +
 lass/1systems/skynet/config.nix | 1 +
 2 files changed, 2 insertions(+)

(limited to 'lass')

diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix
index 39c0791fc..7236d5e9f 100644
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@@ -15,6 +15,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/bitcoin.nix>
     <stockholm/lass/2configs/backup.nix>
     <stockholm/lass/2configs/blue-host.nix>
+    <stockholm/lass/2configs/green-host.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.shodan;
diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix
index 0bf3e6b4d..70787e514 100644
--- a/lass/1systems/skynet/config.nix
+++ b/lass/1systems/skynet/config.nix
@@ -8,6 +8,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/blue-host.nix>
     <stockholm/lass/2configs/power-action.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/green-host.nix>
     {
       services.xserver.enable = true;
       services.xserver.desktopManager.xfce.enable = true;
-- 
cgit v1.2.3


From ff86e4a137ff28b0a3ef2279d7397aa81cea1c03 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 18:12:47 +0200
Subject: l shodan.r & icarus.r: decrypt via ssh

---
 lass/1systems/icarus/config.nix  |  1 +
 lass/1systems/shodan/config.nix  |  1 +
 lass/2configs/ssh-cryptsetup.nix | 17 +++++++++++++++++
 3 files changed, 19 insertions(+)
 create mode 100644 lass/2configs/ssh-cryptsetup.nix

(limited to 'lass')

diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix
index 06b1e7366..d8c8699ae 100644
--- a/lass/1systems/icarus/config.nix
+++ b/lass/1systems/icarus/config.nix
@@ -20,6 +20,7 @@
     <stockholm/lass/2configs/syncthing.nix>
     <stockholm/lass/2configs/nfs-dl.nix>
     <stockholm/lass/2configs/prism-share.nix>
+    <stockholm/lass/2configs/ssh-cryptsetup.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.icarus;
diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix
index 7236d5e9f..5de87d790 100644
--- a/lass/1systems/shodan/config.nix
+++ b/lass/1systems/shodan/config.nix
@@ -16,6 +16,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/backup.nix>
     <stockholm/lass/2configs/blue-host.nix>
     <stockholm/lass/2configs/green-host.nix>
+    <stockholm/lass/2configs/ssh-cryptsetup.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.shodan;
diff --git a/lass/2configs/ssh-cryptsetup.nix b/lass/2configs/ssh-cryptsetup.nix
new file mode 100644
index 000000000..c5e1c5928
--- /dev/null
+++ b/lass/2configs/ssh-cryptsetup.nix
@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+  boot.initrd = {
+    network = {
+      enable = true;
+      ssh = {
+        enable = true;
+        authorizedKeys = with config.krebs.users; [
+          config.krebs.users.lass-mors.pubkey
+          config.krebs.users.lass-blue.pubkey
+          config.krebs.users.lass-shodan.pubkey
+          config.krebs.users.lass-icarus.pubkey
+        ];
+      };
+    };
+  };
+}
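Review bot: The initrd ssh server is enabled without configuring a host key, so the key the pre-boot sshd presents is whatever the module produces on its own, which depending on the NixOS release is either generated fresh inside the initrd or placed unencrypted in the Nix store. Either way the person typing the LUKS passphrase over this connection cannot pin a stable fingerprint, and in the store-resident case anyone with store read access can impersonate the unlock prompt; set the release's initrd ssh host-key option to a key kept outside the store (via initrd secrets where the bootloader supports them) and note the expected fingerprint in a comment. `with config.krebs.users;` on the authorizedKeys line is unused, since every entry is spelled out with the full `config.krebs.users.` prefix; drop the `with` or shorten the entries to `lass-mors.pubkey` and so on.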
-- 
cgit v1.2.3


From f6e73456d0a3acbd8c59fdfde2faf930ec085bf9 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 19:41:33 +0200
Subject: l: add green-host.nix

---
 lass/2configs/green-host.nix | 83 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 lass/2configs/green-host.nix

(limited to 'lass')

diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
new file mode 100644
index 000000000..860d7c113
--- /dev/null
+++ b/lass/2configs/green-host.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+  imports = [
+    <stockholm/lass/2configs/container-networking.nix>
+    <stockholm/lass/2configs/syncthing.nix>
+    { #hack for already defined
+      systemd.services."container@green".reloadIfChanged = mkForce false;
+      systemd.services."container@green".preStart = ''
+        ${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q ' on /var/lib/containers/green '
+      '';
+      systemd.services."container@green".postStop = ''
+        set -x
+        ${pkgs.umount}/bin/umount /var/lib/containers/green
+        ls -la /dev/mapper/control
+        ${pkgs.devicemapper}/bin/dmsetup ls
+        ${pkgs.cryptsetup}/bin/cryptsetup -v luksClose /var/lib/sync-containers/green.img
+      '';
+    }
+  ];
+
+  lass.ensure-permissions = [
+    { folder = "/var/lib/sync-containers"; owner = "root"; group = "syncthing"; }
+  ];
+
+  krebs.syncthing.folders = [
+    { path = "/var/lib/sync-containers"; peers = [ "icarus" "skynet" "littleT" "shodan" ]; }
+  ];
+
+  system.activationScripts.containerPermissions = ''
+    mkdir -p /var/lib/containers
+    chmod 711 /var/lib/containers
+  '';
+
+  containers.green = {
+    config = { ... }: {
+      environment.systemPackages = [
+        pkgs.git
+        pkgs.rxvt_unicode.terminfo
+      ];
+      services.openssh.enable = true;
+      users.users.root.openssh.authorizedKeys.keys = [
+        config.krebs.users.lass.pubkey
+      ];
+    };
+    autoStart = false;
+    enableTun = true;
+    privateNetwork = true;
+    hostAddress = "10.233.2.15";
+    localAddress = "10.233.2.16";
+  };
+
+  environment.systemPackages = [
+    (pkgs.writeDashBin "start-green" ''
+      set -fu
+      CONTAINER='green'
+      IMAGE='/var/lib/sync-containers/green.img'
+
+      ${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null
+      if [ "$?" -ne 0 ]; then
+        ${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER"
+      fi
+
+      mkdir -p /var/lib/containers/"$CONTAINER"
+
+      ${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/"$CONTAINER" "
+      if [ "$?" -ne 0 ]; then
+        ${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER"
+      fi
+
+      STATE=$(${pkgs.nixos-container}/bin/nixos-container status "$CONTAINER")
+      if [ "$STATE" = 'down' ]; then
+        ${pkgs.nixos-container}/bin/nixos-container start "$CONTAINER"
+      fi
+      ping -c1 green.r
+      if [ "$?" -ne 0 ]; then
+        ${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch
+      fi
+
+    '')
+  ];
+}
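Review bot: The postStop hook's `cryptsetup -v luksClose /var/lib/sync-containers/green.img` passes the backing image path where luksClose expects the mapping name, so unless cryptsetup resolves a backing file (I do not believe it does) the call fails and the decrypted `green` mapping stays open after the container stops; start-green opens it as `"$CONTAINER"`, so the matching close is `${pkgs.cryptsetup}/bin/cryptsetup luksClose green`. The `set -x`, `ls -la /dev/mapper/control` and `dmsetup ls` lines read as leftover debugging that only adds noise to the journal; remove them or comment why they stay. In start-green, `" on /var/lib/containers/"$CONTAINER" "` closes and reopens the double quotes around the variable and only works because the name has no spaces; `" on /var/lib/containers/$CONTAINER "` is what was meant. The script also runs with `set -fu` but not `-e`, so a failed luksOpen falls through to the mount and container start.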
-- 
cgit v1.2.3


From bfff3b0a698bd5a7ea1f90511c2578bdb4828b97 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:00:06 +0200
Subject: l: reorganize syncs

---
 lass/1systems/blue/config.nix  | 11 ++---------
 lass/1systems/green/config.nix | 12 ++----------
 lass/1systems/mors/config.nix  |  6 ++----
 lass/2configs/sync/decsync.nix |  8 ++++++++
 lass/2configs/sync/weechat.nix |  8 ++++++++
 5 files changed, 22 insertions(+), 23 deletions(-)
 create mode 100644 lass/2configs/sync/decsync.nix
 create mode 100644 lass/2configs/sync/weechat.nix

(limited to 'lass')

diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix
index 43c80d52f..14f4971f7 100644
--- a/lass/1systems/blue/config.nix
+++ b/lass/1systems/blue/config.nix
@@ -9,19 +9,12 @@ with import <stockholm/lib>;
 
     <stockholm/lass/2configs/blue.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/sync/decsync.nix>
+    <stockholm/lass/2configs/sync/weechat.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.blue;
 
-  krebs.syncthing.folders = [
-    { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
-    { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
-  ];
-  lass.ensure-permissions = [
-    { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
-    { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
-  ];
-
   environment.shellAliases = {
     deploy = pkgs.writeDash "deploy" ''
       set -eu
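Review bot: The removed `contacts` folder (`/home/lass/contacts`, peers mors/blue/green/phone) is not carried over by either new file: decsync.nix syncs `/home/lass/decsync` instead and weechat.nix only covers `.weechat`. If replacing contacts with decsync is intended, the commit message should say so, since the subject only promises a reorganisation; otherwise a `sync/contacts.nix` holding the old entry is missing. The same drop happens in the green and mors hunks below.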
diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix
index 3abc03c2f..0b4b50ee4 100644
--- a/lass/1systems/green/config.nix
+++ b/lass/1systems/green/config.nix
@@ -8,21 +8,13 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/exim-retiolum.nix>
     <stockholm/lass/2configs/mail.nix>
 
-    #<stockholm/lass/2configs/blue.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/sync/decsync.nix>
+    <stockholm/lass/2configs/sync/weechat.nix>
   ];
 
   krebs.build.host = config.krebs.hosts.green;
 
-  krebs.syncthing.folders = [
-    { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
-    { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
-  ];
-  lass.ensure-permissions = [
-    { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
-    { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
-  ];
-
   #networking.nameservers = [ "1.1.1.1" ];
 
   #time.timeZone = "Europe/Berlin";
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 706c3f58b..01410cdb6 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -26,6 +26,8 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/syncthing.nix>
     <stockholm/lass/2configs/otp-ssh.nix>
     <stockholm/lass/2configs/c-base.nix>
+    <stockholm/lass/2configs/sync/decsync.nix>
+    <stockholm/lass/2configs/sync/weechat.nix>
     <stockholm/lass/2configs/br.nix>
     <stockholm/lass/2configs/ableton.nix>
     <stockholm/lass/2configs/starcraft.nix>
@@ -50,14 +52,10 @@ with import <stockholm/lib>;
     }
     {
       krebs.syncthing.folders = [
-        { id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
         { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" "prism" ]; }
-        { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
       ];
       lass.ensure-permissions = [
-        { folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
         { folder = "/home/lass/tmp/the_playlist"; owner = "lass"; group = "syncthing"; }
-        { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
       ];
     }
     {
diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix
new file mode 100644
index 000000000..94569c94d
--- /dev/null
+++ b/lass/2configs/sync/decsync.nix
@@ -0,0 +1,8 @@
+{
+  krebs.syncthing.folders = [
+    { id = "decsync"; path = "/home/lass/decsync"; peers = [ "mors" "blue" "green" "phone" ]; }
+  ];
+  lass.ensure-permissions = [
+    { folder = "/home/lass/decsync"; owner = "lass"; group = "syncthing"; }
+  ];
+}
diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix
new file mode 100644
index 000000000..d10177b1d
--- /dev/null
+++ b/lass/2configs/sync/weechat.nix
@@ -0,0 +1,8 @@
+{
+  krebs.syncthing.folders = [
+    { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
+  ];
+  lass.ensure-permissions = [
+    { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
+  ];
+}
-- 
cgit v1.2.3


From 23e81c6a15f1617fc9064eb13372fb7e12498ff3 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:01:03 +0200
Subject: l daedalus.r: add zsnes

---
 lass/1systems/daedalus/config.nix | 1 +
 1 file changed, 1 insertion(+)

(limited to 'lass')

diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index 56c9c5fba..37a1b6d4c 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -47,6 +47,7 @@ with import <stockholm/lib>;
         geeqie
         vlc
         minecraft
+        zsnes
       ];
       nixpkgs.config.firefox.enableAdobeFlash = true;
       services.xserver.enable = true;
-- 
cgit v1.2.3


From ee89afab29f40c70fc863ea1aa27f72ed0411d3d Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:01:14 +0200
Subject: l daedalus.r: remove minecraft

---
 lass/1systems/daedalus/config.nix | 1 -
 1 file changed, 1 deletion(-)

(limited to 'lass')

diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix
index 37a1b6d4c..6e3df12f0 100644
--- a/lass/1systems/daedalus/config.nix
+++ b/lass/1systems/daedalus/config.nix
@@ -46,7 +46,6 @@ with import <stockholm/lib>;
         wine
         geeqie
         vlc
-        minecraft
         zsnes
       ];
       nixpkgs.config.firefox.enableAdobeFlash = true;
-- 
cgit v1.2.3


From 61da9d16449409f02509c1c2ec201f8dc7ad87b2 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:01:34 +0200
Subject: l iso: fix build

---
 lass/1systems/iso.nix | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'lass')

diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix
index be064bed2..a814cc6b9 100644
--- a/lass/1systems/iso.nix
+++ b/lass/1systems/iso.nix
@@ -6,7 +6,6 @@ with import <stockholm/lib>;
     <nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
     <stockholm/krebs>
     <stockholm/lass/3modules>
-    <stockholm/lass/5pkgs>
     <stockholm/lass/2configs/mc.nix>
     <stockholm/lass/2configs/vim.nix>
     {
@@ -40,9 +39,10 @@ with import <stockholm/lib>;
       networking.hostName = "lass-iso";
     }
     {
+      nixpkgs.config.packageOverrides = import <stockholm/lass/5pkgs> pkgs;
       krebs.enable = true;
       krebs.build.user = config.krebs.users.lass;
-      krebs.build.host = config.krebs.hosts.iso;
+      krebs.build.host = {};
     }
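Review bot: `krebs.build.host = {};` replaces the `config.krebs.hosts.iso` reference with an empty set and nothing explains why, so the next reader cannot tell whether hosts.iso was removed or whether the ISO simply needs no host record; a trailing comment such as `krebs.build.host = {}; # iso has no krebs host entry — TODO confirm` would record the reason. The same goes for the new `nixpkgs.config.packageOverrides` line, which presumably replaces the dropped `<stockholm/lass/5pkgs>` import from the first hunk.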
     {
       nixpkgs.config.allowUnfree = true;
@@ -174,11 +174,13 @@ with import <stockholm/lib>;
           user = "lass";
         };
         windowManager.default = "xmonad";
-        windowManager.session = [{
+        windowManager.session = let
+          xmonad-lass = pkgs.callPackage <stockholm/lass/5pkgs/custom/xmonad-lass> { inherit config; };
+        in [{
           name = "xmonad";
           start = ''
             ${pkgs.xorg.xhost}/bin/xhost +LOCAL:
-            ${pkgs.xmonad-lass}/bin/xmonad &
+            ${xmonad-lass}/bin/xmonad &
             waitPID=$!
           '';
         }];
-- 
cgit v1.2.3


From 9f19b5f9619688a8249c0db5fcc9aec4d2fc7fbf Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:05:20 +0200
Subject: l mors.r: add transgui to pkgs

---
 lass/1systems/mors/config.nix | 1 +
 1 file changed, 1 insertion(+)

(limited to 'lass')

diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 01410cdb6..69b931a95 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -92,6 +92,7 @@ with import <stockholm/lib>;
         pkgs.ovh-zone
         pkgs.bank
         pkgs.adb-sync
+        pkgs.transgui
       ];
     }
     {
-- 
cgit v1.2.3


From b246b8ac43c0ab552617956357cc12b36d5a18fd Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:08:14 +0200
Subject: l morpheus.r: add autologin

---
 lass/1systems/morpheus/config.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'lass')

diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix
index 0d82ba611..cab267d54 100644
--- a/lass/1systems/morpheus/config.nix
+++ b/lass/1systems/morpheus/config.nix
@@ -30,4 +30,12 @@ with import <stockholm/lib>;
       ];
     };
   };
+
+
+  services.xserver.desktopManager.default = "none";
+  services.xserver.displayManager.lightdm.autoLogin = {
+    enable = true;
+    user = "lass";
+    timeout = 5;
+  };
 }
-- 
cgit v1.2.3


From 40968c0129b389415bdca5647b71b3a82b1ddd15 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:10:20 +0200
Subject: l prism.r: add samba wiregrill share

---
 lass/1systems/prism/config.nix | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

(limited to 'lass')

diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index b3b7ac0df..d7b0b701a 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -413,6 +413,42 @@ with import <stockholm/lib>;
         ];
       };
     }
+    { #macos mounting of yellow
+      krebs.iptables.tables.filter.INPUT.rules = [
+        { predicate = "-i wiregrill -p tcp --dport 139"; target = "ACCEPT"; }
+        { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
+        { predicate = "-i wiregrill -p udp --dport 137"; target = "ACCEPT"; }
+        { predicate = "-i wiregrill -p udp --dport 138"; target = "ACCEPT"; }
+      ];
+      users.users.smbguest = {
+        name = "smbguest";
+        uid = config.ids.uids.smbguest;
+        description = "smb guest user";
+        home = "/home/share";
+        createHome = true;
+      };
+      services.samba = {
+        enable = true;
+        enableNmbd = true;
+        shares = {
+          download = {
+            path = "/var/download/finished";
+            "read only" = "yes";
+            browseable = "yes";
+            "guest ok" = "yes";
+          };
+        };
+        extraConfig = ''
+          guest account = smbguest
+          map to guest = bad user
+          # disable printing
+          load printers = no
+          printing = bsd
+          printcap name = /dev/null
+          disable spoolss = yes
+        '';
+      };
+    }
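Review bot: The guest-readable share is gated solely by the four `-i wiregrill` iptables rules; Samba itself (and nmbd, enabled on the line after `enable = true`) still binds every interface, so a flushed or reordered filter table, or another module adding a broader ACCEPT on 139/445, silently exposes `/var/download/finished` to every network. Pinning Samba to the interface (presumably a WireGuard tunnel) is a cheap second layer in `extraConfig`: `interfaces = wiregrill` and `bind interfaces only = yes`. The `smbguest` account gets `createHome = true` under `/home/share` although the only share lives in `/var/download/finished`, so that home directory looks unused — if it is a placeholder, `createHome = false` with a `home` of `/var/empty` states the intent. Samba releases of this period still accept SMB1 unless told otherwise (version-dependent), so `server min protocol = SMB2` is worth adding for a guest share.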
   ];
 
   krebs.build.host = config.krebs.hosts.prism;
-- 
cgit v1.2.3


From e4c59ba54992a80671c45d38ab96f7ff0d22b900 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:11:20 +0200
Subject: l yellow.r: reduce transmission journal spam

---
 lass/1systems/yellow/config.nix | 1 +
 1 file changed, 1 insertion(+)

(limited to 'lass')

diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix
index 8b3b2814f..cda0d0a33 100644
--- a/lass/1systems/yellow/config.nix
+++ b/lass/1systems/yellow/config.nix
@@ -31,6 +31,7 @@ with import <stockholm/lib>;
       download-dir = "/var/download/finished";
       incomplete-dir = "/var/download/incoming";
       incomplete-dir-enable = true;
+      message-level = 1;
       umask = "002";
       rpc-whitelist-enabled = false;
       rpc-host-whitelist-enabled = false;
-- 
cgit v1.2.3


From d06a5ce073133f74de8d5513d457e2c470d1eaa2 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:12:01 +0200
Subject: l: add xdg-open settings

---
 lass/2configs/baseX.nix    |  1 +
 lass/2configs/xdg-open.nix | 66 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 lass/2configs/xdg-open.nix

(limited to 'lass')

diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 26d6622ae..5003d2279 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -9,6 +9,7 @@ in {
     ./power-action.nix
     ./copyq.nix
     ./urxvt.nix
+    ./xdg-open.nix
     {
       hardware.pulseaudio = {
         enable = true;
diff --git a/lass/2configs/xdg-open.nix b/lass/2configs/xdg-open.nix
new file mode 100644
index 000000000..824c36dc7
--- /dev/null
+++ b/lass/2configs/xdg-open.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, lib, ... }: with import <stockholm/lib>; let
+
+  xdg-open-wrapper = pkgs.writeDashBin "xdg-open" ''
+    /run/wrappers/bin/sudo -u lass ${xdg-open} "$@"
+  '';
+
+  xdg-open = pkgs.writeBash "xdg-open" ''
+    set -e
+    FILE="$1"
+    mime=
+
+    case "$FILE" in
+      http://*|https://*)
+        mime=text/html
+        ;;
+      mailto:*)
+        mime=special/mailaddress
+        ;;
+      magnet:*)
+        mime=application/x-bittorrent
+        ;;
+      irc:*)
+        mime=x-scheme-handler/irc
+        ;;
+      *)
+        # it’s a file
+
+        # strip possible protocol
+        FILE=''${FILE#file://}
+        mime=''$(file -E --brief --mime-type "$FILE") \
+          || (echo "$mime" 1>&2; exit 1)
+          # ^ echo the error message of file
+        ;;
+    esac
+
+    case "$mime" in
+      special/mailaddress)
+        urxvtc --execute vim "$FILE" ;;
+      ${optionalString (hasAttr "browser" config.lass) ''
+      text/html)
+        ${config.lass.browser.select}/bin/browser-select "$FILE" ;;
+      text/xml)
+        ${config.lass.browser.select}/bin/browser-select "$FILE" ;;
+      ''}
+      text/*)
+        urxvtc --execute vim "$FILE" ;;
+      image/*)
+        sxiv "$FILE" ;;
+      application/x-bittorrent)
+        env DISPLAY=:0 transgui "$FILE" ;;
+      application/pdf)
+        zathura "$FILE" ;;
+      inode/directory)
+        sudo -u lass -i urxvtc --execute mc "$FILE" ;;
+      *)
+        # open dmenu and ask for program to open with
+        $(dmenu_path | dmenu) "$FILE";;
+    esac
+  '';
+in {
+  environment.systemPackages = [ xdg-open-wrapper ];
+
+  security.sudo.extraConfig = ''
+    cr ALL=(lass) NOPASSWD: ${xdg-open} *
+  '';
+}
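Review bot: The sudoers rule `cr ALL=(lass) NOPASSWD: ${xdg-open} *` is in practice an unrestricted shell for `cr` as `lass`: the `*` lets cr pick any argument, and the dispatcher then runs `vim` (shell escapes), `mc`, or — in the `*)` fallback — whatever program cr selects from `dmenu_path | dmenu`, all as lass. If `cr` is a sandbox account for a browser, that may be the intended trade-off, but it belongs next to the rule, e.g. `# NOTE: equivalent to granting cr an interactive shell as lass (vim/mc/dmenu branches); cr must be trusted with lass's account`. The `inode/directory` branch additionally calls `sudo -u lass -i` although the script already runs as lass via the wrapper on the first lines of the file; dropping the nested sudo (or at least `-i`, which re-loads lass's login environment) removes one more privilege transition. `${optionalString (hasAttr "browser" config.lass) ...}` silently leaves `text/html` to the `text/*` → vim branch when no browser is configured; a short comment saying so would save the next reader a surprise.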
-- 
cgit v1.2.3


From cc986ff84ba2893b8f68b95842b46fb65987e437 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:12:38 +0200
Subject: l: add more emails

---
 lass/2configs/exim-smarthost.nix | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'lass')

diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix
index aec59261c..4216bd67a 100644
--- a/lass/2configs/exim-smarthost.nix
+++ b/lass/2configs/exim-smarthost.nix
@@ -100,6 +100,9 @@ with import <stockholm/lib>;
       { from = "box@lassul.us"; to = lass.mail; }
       { from = "paloalto@lassul.us"; to = lass.mail; }
       { from = "subtitles@lassul.us"; to = lass.mail; }
+      { from = "lobsters@lassul.us"; to = lass.mail; }
+      { from = "fysitech@lassul.us"; to = lass.mail; }
+      { from = "threema@lassul.us"; to = lass.mail; }
     ];
     system-aliases = [
       { from = "mailer-daemon"; to = "postmaster"; }
-- 
cgit v1.2.3


From 5e4e3fb82edee271204021cc9d44624a2fb3ff26 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:13:10 +0200
Subject: l mail: remove deprecated notmuch fix

---
 lass/2configs/mail.nix | 4 ----
 1 file changed, 4 deletions(-)

(limited to 'lass')

diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 0803846aa..6de111ba8 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -233,8 +233,4 @@ in {
     tag-new-mails
     tag-old-mails
   ];
-
-  nixpkgs.config.packageOverrides = opkgs: {
-    notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; }));
-  };
 }
-- 
cgit v1.2.3


From 32664bdbd53f1989169278d9196ecabf350cddf2 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:14:06 +0200
Subject: l radio: reduce journal spam

---
 lass/2configs/radio.nix | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'lass')

diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index f88b2627b..f14b28219 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -59,6 +59,9 @@ in {
     group = "radio";
     musicDirectory = "/home/radio/the_playlist/music";
     extraConfig = ''
+      log_level "default"
+      auto_update "yes"
+
       audio_output {
         type        "shout"
         encoding    "lame"
-- 
cgit v1.2.3


From c48e24665017cce5a1a859799f7060bbad8ccc83 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:14:36 +0200
Subject: l prism-share: set export to ro

---
 lass/2configs/prism-share.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lass')

diff --git a/lass/2configs/prism-share.nix b/lass/2configs/prism-share.nix
index 70e616ec6..aa3eb541d 100644
--- a/lass/2configs/prism-share.nix
+++ b/lass/2configs/prism-share.nix
@@ -21,7 +21,7 @@ with import <stockholm/lib>;
     shares = {
       incoming = {
         path = "/mnt/prism";
-        "read only" = "no";
+        "read only" = "yes";
         browseable = "yes";
         "guest ok" = "yes";
       };
-- 
cgit v1.2.3


From f35ccc7529427e543044998549104191b5bdbb06 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:15:07 +0200
Subject: l radio: sync the_playlist folder

---
 lass/2configs/radio.nix | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'lass')

diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index f14b28219..d67d970f8 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -248,4 +248,10 @@ in {
       alias ${html};
     '';
   };
+  krebs.syncthing.folders = [
+    { id = "the_playlist"; path = "/home/radio/music/the_playlist"; peers = [ "mors" "phone" "prism" ]; }
+  ];
+  lass.ensure-permissions = [
+    { folder = "/home/radio/music/the_playlist"; owner = "radio"; group = "syncthing"; }
+  ];
 }
-- 
cgit v1.2.3


From 47c4919a066b9ac06b822d9f4111b4e06f9ad17b Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:15:38 +0200
Subject: l syncthing: share sync with shodan

---
 lass/2configs/syncthing.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lass')

diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix
index d8b3c9f90..fc10b2cb4 100644
--- a/lass/2configs/syncthing.nix
+++ b/lass/2configs/syncthing.nix
@@ -16,7 +16,7 @@ with import <stockholm/lib>;
     key = toString <secrets/syncthing.key>;
     peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
     folders = [
-      { path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism"]; }
+      { path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism" "shodan" ]; }
     ];
   };
 
-- 
cgit v1.2.3


From 24d7e2fa03a4533368a8ec90599211366feb1510 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:16:06 +0200
Subject: l domsen: run verify_arg as root

---
 lass/2configs/websites/domsen.nix | 2 +-
 lass/3modules/usershadow.nix      | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

(limited to 'lass')

diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 5bd5a7cac..2131c7c62 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -119,7 +119,7 @@ in {
     authenticators.PLAIN = ''
       driver = plaintext
       public_name = PLAIN
-      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
+      server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
     '';
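Review bot: `$auth2 $auth3` on the new `server_condition` line puts the client's username and plaintext password on the argv of `shadow_verify_arg`, where any local user can read them from `/proc/<pid>/cmdline` or `ps` for the lifetime of the check; the old `verify_arg` call had the same shape, but the commit moves it into a root-setuid wrapper without addressing it. Exim's `${run}` cannot feed stdin, so the real fix lives on the `verify_arg` side (read the secret from a file descriptor or environment variable); until then, a comment such as `# TODO: password travels via argv — readable by local users while the check runs` keeps the exposure visible. As I read Exim's `${run}` expansion, the expanded string is split on whitespace into arguments, so a password (or username) containing a space would arrive as several arguments and fail or shift the positional parameters — worth checking against the `verify_arg` argument handling, which is outside this view.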
     authenticators.LOGIN = ''
       driver = plaintext
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index d967a108a..51da2ec93 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -45,6 +45,10 @@
       source = "${usershadow}/bin/verify_pam";
       owner = "root";
     };
+    security.wrappers.shadow_verify_arg = {
+      source = "${usershadow}/bin/verify_arg";
+      owner = "root";
+    };
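Review bot: The new `shadow_verify_arg` wrapper leaves its privilege to the wrappers module's implicit defaults: with neither `setuid` nor `permissions` given, the NixOS module of this era (as far as I recall) fills in `setuid = true` and `permissions = "u+rx,g+x,o+x"`, so the root-setuid bit that is the whole point of the commit exists only by default, and the binary is executable by every local account. If `verify_arg` does what its name suggests (checks a username/password pair against the user shadow data — its source is not in view), every local user now has an unthrottled password-verification oracle for all accounts. Make the privilege explicit and scope it to the only caller, presumably the `exim` user: `group = "exim"; setuid = true; permissions = "u+rx,g+x";`. The `verify_pam` wrapper just above appears to rely on the same implicit defaults and deserves the same treatment.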
   };
 
   usershadow = let {
-- 
cgit v1.2.3


From d0d3fcb2d2b9ed82dd1ff2864b9fbbd88aa65ff4 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Wed, 17 Apr 2019 20:24:50 +0200
Subject: l mors.r: remove chromecast firewall rule

---
 lass/1systems/mors/config.nix | 2 --
 1 file changed, 2 deletions(-)

(limited to 'lass')

diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 69b931a95..7e183f40f 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -43,8 +43,6 @@ with import <stockholm/lib>;
       krebs.iptables.tables.filter.INPUT.rules = [
         #risk of rain
         { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; }
-        #chromecast
-        { predicate = "-p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000"; target = "ACCEPT"; }
         #quake3
         { predicate = "-p tcp --dport 27950:27965"; target = "ACCEPT"; }
         { predicate = "-p udp --dport 27950:27965"; target = "ACCEPT"; }
-- 
cgit v1.2.3


From e4744b723728293fda24fccd9180f9e0bbdd80e8 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 18 Apr 2019 10:13:57 +0200
Subject: l: RIP ensure-permissions

---
 lass/3modules/default.nix            |  1 -
 lass/3modules/ensure-permissions.nix | 66 ------------------------------------
 2 files changed, 67 deletions(-)
 delete mode 100644 lass/3modules/ensure-permissions.nix

(limited to 'lass')

diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 59043aeb1..613c7c8ac 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -3,7 +3,6 @@ _:
   imports = [
     ./dnsmasq.nix
     ./ejabberd
-    ./ensure-permissions.nix
     ./folderPerms.nix
     ./hosts.nix
     ./mysql-backup.nix
diff --git a/lass/3modules/ensure-permissions.nix b/lass/3modules/ensure-permissions.nix
deleted file mode 100644
index 36edc1127..000000000
--- a/lass/3modules/ensure-permissions.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{ config, pkgs, ... }: with import <stockholm/lib>;
-
-let
-
-  cfg = config.lass.ensure-permissions;
-
-in
-
-{
-  options.lass.ensure-permissions = mkOption {
-    default = [];
-    type = types.listOf (types.submodule ({
-      options = {
-
-        folder = mkOption {
-          type = types.absolute-pathname;
-        };
-
-        owner = mkOption {
-          # TODO user type
-          type = types.str;
-          default = "root";
-        };
-
-        group = mkOption {
-          # TODO group type
-          type = types.str;
-          default = "root";
-        };
-
-        permission = mkOption {
-          # TODO permission type
-          type = types.str;
-          default = "u+rw,g+rw";
-        };
-
-      };
-    }));
-  };
-
-  config = mkIf (cfg != []) {
-
-  system.activationScripts.ensure-permissions = concatMapStringsSep "\n" (plan: ''
-    ${pkgs.coreutils}/bin/mkdir -p ${plan.folder}
-    ${pkgs.coreutils}/bin/chmod -R ${plan.permission} ${plan.folder}
-    ${pkgs.coreutils}/bin/chown -R ${plan.owner}:${plan.group} ${plan.folder}
-  '') cfg;
-    systemd.services =
-      listToAttrs (map (plan: nameValuePair "ensure-permisson.${replaceStrings ["/"] ["_"] plan.folder}" {
-        wantedBy = [ "multi-user.target" ];
-        serviceConfig = {
-          Restart = "always";
-          RestartSec = 10;
-          ExecStart = pkgs.writeDash "ensure-perms" ''
-            ${pkgs.inotifyTools}/bin/inotifywait -mrq -e CREATE --format %w%f ${plan.folder} \
-              | while IFS= read -r FILE; do
-                ${pkgs.coreutils}/bin/chmod -R ${plan.permission} "$FILE" 2>/dev/null
-                ${pkgs.coreutils}/bin/chown -R ${plan.owner}:${plan.group} "$FILE" 2>/dev/null
-              done
-          '';
-        };
-      }) cfg)
-    ;
-
-  };
-}
-- 
cgit v1.2.3


From 2a89d6587d5ee5d3151b5e5be05e152a539e78d0 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 18 Apr 2019 10:16:02 +0200
Subject: l syncs: use permown, use attrs

---
 lass/1systems/mors/config.nix  | 15 +++++++++------
 lass/2configs/green-host.nix   | 13 ++++++-------
 lass/2configs/radio.nix        | 15 +++++++++------
 lass/2configs/sync/decsync.nix | 15 +++++++++------
 lass/2configs/sync/weechat.nix | 12 ++++++------
 lass/2configs/syncthing.nix    | 20 ++++++++++----------
 6 files changed, 49 insertions(+), 41 deletions(-)

(limited to 'lass')

diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index 7e183f40f..f911b79d6 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -49,12 +49,15 @@ with import <stockholm/lib>;
       ];
     }
     {
-      krebs.syncthing.folders = [
-        { id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" "prism" ]; }
-      ];
-      lass.ensure-permissions = [
-        { folder = "/home/lass/tmp/the_playlist"; owner = "lass"; group = "syncthing"; }
-      ];
+      krebs.syncthing.folders."the_playlist" = {
+        path = "/home/lass/tmp/the_playlist";
+        peers = [ "mors" "phone" "prism" ];
+      };
+      krebs.permown."/home/lass/tmp/the_playlist" = {
+        owner = "lass";
+        group = "syncthing";
+        umask = "0007";
+      };
     }
     {
       lass.umts = {
diff --git a/lass/2configs/green-host.nix b/lass/2configs/green-host.nix
index 860d7c113..1421eede7 100644
--- a/lass/2configs/green-host.nix
+++ b/lass/2configs/green-host.nix
@@ -20,13 +20,12 @@ with import <stockholm/lib>;
     }
   ];
 
-  lass.ensure-permissions = [
-    { folder = "/var/lib/sync-containers"; owner = "root"; group = "syncthing"; }
-  ];
-
-  krebs.syncthing.folders = [
-    { path = "/var/lib/sync-containers"; peers = [ "icarus" "skynet" "littleT" "shodan" ]; }
-  ];
+  krebs.syncthing.folders."/var/lib/sync-containers".peers = [ "icarus" "skynet" "littleT" "shodan" ];
+  krebs.permown."/var/lib/sync-containers" = {
+    owner = "root";
+    group = "syncthing";
+    umask = "0007";
+  };
 
   system.activationScripts.containerPermissions = ''
     mkdir -p /var/lib/containers
diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index d67d970f8..521b3c050 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -248,10 +248,13 @@ in {
       alias ${html};
     '';
   };
-  krebs.syncthing.folders = [
-    { id = "the_playlist"; path = "/home/radio/music/the_playlist"; peers = [ "mors" "phone" "prism" ]; }
-  ];
-  lass.ensure-permissions = [
-    { folder = "/home/radio/music/the_playlist"; owner = "radio"; group = "syncthing"; }
-  ];
+  krebs.syncthing.folders."the_playlist" = {
+    path = "/home/radio/music/the_playlist";
+    peers = [ "mors" "phone" "prism" ];
+  };
+  krebs.permown."/home/radio/music/the_playlist" = {
+    owner = "radio";
+    group = "syncthing";
+    umask = "0007";
+  };
 }
diff --git a/lass/2configs/sync/decsync.nix b/lass/2configs/sync/decsync.nix
index 94569c94d..c3f6511c2 100644
--- a/lass/2configs/sync/decsync.nix
+++ b/lass/2configs/sync/decsync.nix
@@ -1,8 +1,11 @@
 {
-  krebs.syncthing.folders = [
-    { id = "decsync"; path = "/home/lass/decsync"; peers = [ "mors" "blue" "green" "phone" ]; }
-  ];
-  lass.ensure-permissions = [
-    { folder = "/home/lass/decsync"; owner = "lass"; group = "syncthing"; }
-  ];
+  krebs.syncthing.folders.decsync = {
+    path = "/home/lass/decsync";
+    peers = [ "mors" "blue" "green" "phone" ];
+  };
+  krebs.permown."/home/lass/decsync" = {
+    owner = "lass";
+    group = "syncthing";
+    umask = "0007";
+  };
 }
diff --git a/lass/2configs/sync/weechat.nix b/lass/2configs/sync/weechat.nix
index d10177b1d..30c7b262b 100644
--- a/lass/2configs/sync/weechat.nix
+++ b/lass/2configs/sync/weechat.nix
@@ -1,8 +1,8 @@
 {
-  krebs.syncthing.folders = [
-    { path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
-  ];
-  lass.ensure-permissions = [
-    { folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
-  ];
+  krebs.syncthing.folders."/home/lass/.weechat".peers = [ "blue" "green" "mors" ];
+  krebs.permown."/home/lass/.weechat" = {
+    owner = "lass";
+    group = "syncthing";
+    umask = "0007";
+  };
 }
diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix
index fc10b2cb4..48f2625c1 100644
--- a/lass/2configs/syncthing.nix
+++ b/lass/2configs/syncthing.nix
@@ -1,6 +1,6 @@
-{ config, pkgs, ... }:
-with import <stockholm/lib>;
-{
+{ config, pkgs, ... }: with import <stockholm/lib>; let
+  peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
+in {
   services.syncthing = {
     enable = true;
     group = "syncthing";
@@ -14,17 +14,17 @@ with import <stockholm/lib>;
     enable = true;
     cert = toString <secrets/syncthing.cert>;
     key = toString <secrets/syncthing.key>;
-    peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
-    folders = [
-      { path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism" "shodan" ]; }
-    ];
+    peers = peers;
+    folders."/home/lass/sync".peers = attrNames peers;
   };
 
   system.activationScripts.syncthing-home = ''
     ${pkgs.coreutils}/bin/chmod a+x /home/lass
   '';
 
-  lass.ensure-permissions = [
-    { folder = "/home/lass/sync"; owner = "lass"; group = "syncthing"; }
-  ];
+  krebs.permown."/home/lass/sync" = {
+    owner = "lass";
+    group = "syncthing";
+    umask = "0007";
+  };
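Review bot: `folders."/home/lass/sync".peers = attrNames peers;` replaces the explicit eight-host list with every host in `config.krebs.hosts` that carries a syncthing id, and from the way `peers` is built that attribute set looks like the shared host registry rather than lass's own machines. Syncthing only transfers a folder once the remote side accepts it, but offering `/home/lass/sync` to every registered device still announces the folder and hands its contents to any device configured to auto-accept. Unless every syncthing-enabled host in the registry is lass's, filter before widening — if hosts expose an owner attribute, something like `folders."/home/lass/sync".peers = attrNames (filterAttrs (_: h: h.syncthing.id != null && h.owner.name == "lass") config.krebs.hosts);`, otherwise keep an explicit list. The device-level `peers = peers;` was already registry-wide before this commit, so the concern is only which devices are offered the folder.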
 }
-- 
cgit v1.2.3


From da336abf88d620648580a8e0a25e2b31c7d110ff Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 18 Apr 2019 13:39:00 +0200
Subject: l radio: set new music directory

---
 lass/2configs/radio.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lass')

diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index 521b3c050..b26237c6d 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -10,7 +10,7 @@ let
   source-password = import <secrets/icecast-source-pw>;
 
   add_random = pkgs.writeDashBin "add_random" ''
-    ${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.mpc_cli}/bin/mpc ls | shuf -n1)"
+    ${pkgs.mpc_cli}/bin/mpc add "$(${pkgs.mpc_cli}/bin/mpc ls the_playlist/music | grep '\.ogg$' | shuf -n1)"
   '';
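Review bot: The new pipeline calls `grep` and `shuf` from `$PATH` while `mpc` is pinned to `${pkgs.mpc_cli}`; a `writeDashBin` script started from a service or timer may not see the interactive PATH, so pin them as well (`${pkgs.gnugrep}/bin/grep`, `${pkgs.coreutils}/bin/shuf`). When `mpc ls the_playlist/music` yields no `.ogg` entry the substitution is empty and the script runs `mpc add ""`, which MPD most likely treats as "add the whole database" rather than as a no-op; capture the result first and guard it, e.g. `track=$(... | shuf -n1); [ -n "$track" ] && mpc add "$track"`. A one-line comment explaining why only `.ogg` files are eligible would also help the next maintainer.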
 
   skip_track = pkgs.writeDashBin "skip_track" ''
@@ -57,7 +57,7 @@ in {
   services.mpd = {
     enable = true;
     group = "radio";
-    musicDirectory = "/home/radio/the_playlist/music";
+    musicDirectory = "/home/radio/music";
     extraConfig = ''
       log_level "default"
       auto_update "yes"
-- 
cgit v1.2.3


From 8b3030a08d69317404470b96f097635b39be2027 Mon Sep 17 00:00:00 2001
From: lassulus <lassulus@lassul.us>
Date: Thu, 18 Apr 2019 13:39:54 +0200
Subject: l radio: grant mpd access to music dir

---
 lass/2configs/radio.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lass')

diff --git a/lass/2configs/radio.nix b/lass/2configs/radio.nix
index b26237c6d..88899c554 100644
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@@ -255,6 +255,6 @@ in {
   krebs.permown."/home/radio/music/the_playlist" = {
     owner = "radio";
     group = "syncthing";
-    umask = "0007";
+    umask = "0002";
   };
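Review bot: `umask = "0002"` grants mpd access by making every synced file world-readable (0664/0775), not by giving the mpd user a group it can use, so any local account on the radio host can now read the playlist tree. A narrower route to the same end is adding the mpd user to the `syncthing` group (`users.users.mpd.extraGroups = [ "syncthing" ];`, assuming the NixOS mpd module still runs as the `mpd` user here) and keeping `umask = "0007"`. If world-readable is acceptable for music files, record that choice on the line: `umask = "0002"; # o+r on purpose: mpd (group radio) must read this tree`.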
 }
-- 
cgit v1.2.3