From 34e628453dda4e7aec9f715703eb6c21b05a8a82 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 15:34:46 +0200 Subject: k 2 bepasty-dual: use krebs.nginx.ssl + acme --- makefu/2configs/bepasty-dual.nix | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) (limited to 'makefu') diff --git a/makefu/2configs/bepasty-dual.nix b/makefu/2configs/bepasty-dual.nix index 5682f5eb6..f675c4ac8 100644 --- a/makefu/2configs/bepasty-dual.nix +++ b/makefu/2configs/bepasty-dual.nix @@ -15,6 +15,9 @@ let sec = toString ; # secKey is nothing worth protecting on a local machine secKey = import ; + acmepath = "/var/lib/acme/"; + acmechall = acmepath + "/challenges/"; + ext-dom = "paste.krebsco.de" ; in { krebs.nginx.enable = mkDefault true; @@ -25,7 +28,7 @@ in { servers = { internal = { nginx = { - server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; + server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ]; }; defaultPermissions = "admin,list,create,read,delete"; secretKey = secKey; 
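Review bot: `acmechall = acmepath + "/challenges/";` and the later `"${acmepath}/${ext-dom}/fullchain.pem"` both join onto a value that already ends in `/`, so every derived path carries a doubled slash (`/var/lib/acme//challenges/...`). It is harmless to nginx and to the ACME module but makes the paths harder to grep for and compare against what the acme service actually writes; drop the trailing slash at the source, `acmepath = "/var/lib/acme";` and `acmechall = "${acmepath}/challenges";`, and the interpolations below stay as they are. The `let` block this hunk edits starts before the hunk.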
@@ -33,17 +36,25 @@ in { external = { nginx = { - server-names = [ "paste.krebsco.de" ]; + server-names = [ ext-dom ]; + ssl = { + enable = true; + certificate = "${acmepath}/${ext-dom}/fullchain.pem"; + certificate_key = "${acmepath}/${ext-dom}/key.pem"; + # these certs will be needed if acme has not yet created certificates: + #certificate = "${sec}/wildcard.krebsco.de.crt"; + #certificate_key = "${sec}/wildcard.krebsco.de.key"; + ciphers = "RC4:HIGH:!aNULL:!MD5" ; + }; + locations = singleton ( nameValuePair "/.well-known/acme-challenge" '' + root ${acmechall}/${ext-dom}/; + ''); extraConfig = '' ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; - ssl_certificate ${sec}/wildcard.krebsco.de.crt; - ssl_certificate_key ${sec}/wildcard.krebsco.de.key; ssl_verify_client off; proxy_ssl_session_reuse off; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_ciphers RC4:HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers on; + if ($scheme = http){ return 301 https://$server_name$request_uri; }''; @@ -53,4 +64,12 @@ in { }; }; }; + security.acme.certs."${ext-dom}" = { + email = "acme@syntax-fehler.de"; + webroot = "${acmechall}/${ext-dom}/"; + group = "nginx"; + allowKeysForGroup = true; + postRun = "systemctl reload nginx.service"; + extraDomains."${ext-dom}" = null ; + }; } -- cgit v1.2.3 From 835ddb0de049850c113de4f9870edb49fff05494 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 18 Jul 2016 18:57:36 +0200 Subject: m 1 vbob: document forticlientsslvpn mess --- makefu/1systems/vbob.nix | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'makefu') diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index 3fcb173ce..4818cea2a 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -8,7 +8,7 @@ (toString ) (toString ) ../2configs/main-laptop.nix #< base-gui - # (toString )/extra-hosts.nix + # environment 
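Review bot: `ciphers = "RC4:HIGH:!aNULL:!MD5" ;` lists RC4 first in server preference; it is carried over verbatim from the removed `ssl_ciphers` line, but RC4 is prohibited for TLS (RFC 7465) and has no place in a fresh ssl block — `ciphers = "HIGH:!aNULL:!MD5:!RC4";` keeps the rest of the policy. The hunk also drops `ssl_protocols` and `ssl_prefer_server_ciphers on;` from extraConfig without re-adding them in the new `ssl` attrset; unless the krebs.nginx ssl option emits both, nginx falls back to its own defaults, which is worth confirming in the module and noting in a comment here. The `if ($scheme = http)` redirect is server-wide and so also covers `/.well-known/acme-challenge`; http-01 validation follows redirects, but a one-line comment saying this is intentional would save the next reader the check.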
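Review bot: `extraDomains."${ext-dom}" = null ;` names the certificate's own domain again — the attribute name of the cert entry already is `ext-dom`, and extraDomains is for additional names, so this line appears to be redundant and, depending on how the module assembles its `-d` arguments, may produce a duplicate. Unless a second name is meant to go there, drop the line or replace it with the intended SAN. `group = "nginx";` with `allowKeysForGroup = true;` is what lets nginx read `key.pem`; a short comment stating that is the reason would make the permission grant deliberate rather than incidental.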
@@ -28,8 +28,15 @@ openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ]; }; }; + + environment.shellAliases = { + forti = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn"; + }; + # TODO: for forticleintsslpn + # ln -s /r/current-system/sw/bin/pppd /usr/sbin/pppd + # ln -s /r/current-system/sw/bin/tail /usr/bin/tail environment.systemPackages = with pkgs;[ - fortclientsslvpn + fortclientsslvpn ppp xclip get logstash docker -- cgit v1.2.3 From 46232b30beba336ccc6a1a75e1cc9d66646b5dcc Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 17:18:57 +0200 Subject: makefu: s/krebs\.retiolum/krebs.tinc.retiolum/g --- makefu/1systems/darth.nix | 2 +- makefu/1systems/filepimp.nix | 2 +- makefu/1systems/gum.nix | 4 ++-- makefu/1systems/omo.nix | 2 +- makefu/1systems/pnp.nix | 5 +++-- makefu/1systems/pornocauster.nix | 10 +++++----- makefu/1systems/repunit.nix | 9 +-------- makefu/1systems/shoney.nix | 2 +- makefu/1systems/tsp.nix | 2 +- makefu/1systems/vbob.nix | 8 +------- makefu/1systems/wry.nix | 3 ++- 11 files changed, 19 insertions(+), 30 deletions(-) (limited to 'makefu') diff --git a/makefu/1systems/darth.nix b/makefu/1systems/darth.nix index 87029a693..c63dcb492 100644 --- a/makefu/1systems/darth.nix +++ b/makefu/1systems/darth.nix @@ -17,6 +17,7 @@ in { ../2configs/exim-retiolum.nix ../2configs/virtualization.nix + ../2configs/tinc/retiolum.nix ../2configs/temp-share-samba.nix ]; services.samba.shares = { @@ -39,7 +40,6 @@ in { }; #networking.firewall.enable = false; - krebs.retiolum.enable = true; boot.kernelModules = [ "coretemp" "f71882fg" ]; hardware.enableAllFirmware = true; diff --git a/makefu/1systems/filepimp.nix b/makefu/1systems/filepimp.nix index 593f77378..c6966c99c 100644 --- a/makefu/1systems/filepimp.nix +++ b/makefu/1systems/filepimp.nix 
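Review bot: `forti = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn";` reads a VPN password kept in plaintext in `~/vpn/pw.txt` and places it in the X primary selection, where every client on the display can read it and where it stays until something overwrites it. If the client really has to be fed by paste, keep the secret in an encrypted store such as `pass` and clear the selection afterwards, and at the very least document that trade-off in a comment next to the alias. The new comment `# TODO: for forticleintsslpn` misspells the program, and the alias invokes `forticlientsslvpn` while the package line below reads `fortclientsslvpn`; state which spelling is the binary so the TODO is actionable.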
@@ -22,8 +22,8 @@ in { ../. ../2configs/fs/single-partition-ext4.nix ../2configs/smart-monitor.nix + ../2configs/tinc/retiolum.nix ]; - krebs.retiolum.enable = true; krebs.build.host = config.krebs.hosts.filepimp; # AMD N54L boot = { diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 17b2b5093..a4e2d1760 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -19,6 +19,7 @@ in { ../2configs/deployment/mycube.connector.one.nix ../2configs/exim-retiolum.nix + ../2configs/tinc/retiolum.nix ../2configs/urlwatch.nix ]; @@ -27,8 +28,7 @@ in { ###### stable krebs.build.host = config.krebs.hosts.gum; - krebs.retiolum = { - enable = true; + krebs.tinc.retiolum = { extraConfig = '' ListenAddress = ${external-ip} 53 ListenAddress = ${external-ip} 655 diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 8c24e0ff5..e11abd40d 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -47,12 +47,12 @@ in { #../2configs/graphite-standalone.nix #../2configs/share-user-sftp.nix ../2configs/omo-share.nix + ../2configs/tinc/retiolum.nix ## as long as pyload is not in nixpkgs: # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload ]; - krebs.retiolum.enable = true; networking.firewall.trustedInterfaces = [ primaryInterface ]; # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net # tcp:80 - nginx for sharing files diff --git a/makefu/1systems/pnp.nix b/makefu/1systems/pnp.nix index 4b8d39c89..a460a87e7 100644 --- a/makefu/1systems/pnp.nix +++ b/makefu/1systems/pnp.nix @@ -15,11 +15,12 @@ ../2configs/fs/vm-single-partition.nix + ../2configs/tinc/retiolum.nix + # config.system.build.vm - + (toString ) ]; - krebs.retiolum.enable = true; virtualisation.graphics = false; # also export secrets, see Usage above fileSystems = pkgs.lib.mkVMOverride { 
diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix index 2ab030916..b683e5630 100644 --- a/makefu/1systems/pornocauster.nix +++ b/makefu/1systems/pornocauster.nix @@ -38,8 +38,9 @@ #../2configs/wordpress.nix ../2configs/nginx/public_html.nix + ../2configs/tinc/retiolum.nix # temporary modules - # ../2configs/temp/share-samba.nix + ../2configs/temp/share-samba.nix # ../2configs/temp/elkstack.nix # ../2configs/temp/sabnzbd.nix ]; @@ -69,10 +70,9 @@ krebs.build.host = config.krebs.hosts.pornocauster; krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11"; - krebs.retiolum = { - enable = true; - connectTo = [ "omo" "gum" "prism" ]; - }; + + krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ]; + networking.extraHosts = '' 192.168.1.11 omo.local ''; diff --git a/makefu/1systems/repunit.nix b/makefu/1systems/repunit.nix index bf6ff9fb6..7102b8f81 100644 --- a/makefu/1systems/repunit.nix +++ b/makefu/1systems/repunit.nix @@ -10,6 +10,7 @@ ../. ../2configs/git/cgit-retiolum.nix + ../2configs/tinc/retiolum.nix ]; krebs.build.host = config.krebs.hosts.repunit; @@ -31,14 +32,6 @@ { device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; - krebs.retiolum = { - enable = true; - connectTo = [ - "gum" - "pigstarter" - "fastpoke" - ]; - }; # $ nix-env -qaP | grep wget environment.systemPackages = with pkgs; [ diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix index 3a3ac9c7c..0e6ae6e17 100644 --- a/makefu/1systems/shoney.nix +++ b/makefu/1systems/shoney.nix @@ -13,6 +13,7 @@ in { ../2configs/save-diskspace.nix ../2configs/hw/CAC.nix ../2configs/fs/CAC-CentOS-7-64bit.nix + ../2configs/tinc/retiolum.nix ]; @@ -21,7 +22,6 @@ in { krebs = { enable = true; - retiolum.enable = true; build.host = config.krebs.hosts.shoney; nginx.enable = true; tinc_graphs = { diff --git a/makefu/1systems/tsp.nix b/makefu/1systems/tsp.nix index 302ba6f99..9809abf4c 100644 --- a/makefu/1systems/tsp.nix +++ b/makefu/1systems/tsp.nix 
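Review bot: `../2configs/temp/share-samba.nix` is uncommented in the pornocauster imports here, but within this series the file is only created in e03ae6d ("m 1 wbob: add missing"), so the tree at this commit presumably fails to evaluate for pornocauster. Either move the file creation into this commit or keep the import commented until the file lands; as it stands the series does not bisect cleanly. The imports list this hunk edits starts before the hunk.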
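Review bot: The removed `krebs.retiolum` block in repunit.nix carried `connectTo = [ "gum" "pigstarter" "fastpoke" ]`, and nothing on the new side re-adds it under `krebs.tinc.retiolum` — unlike the pornocauster hunk in this same commit, which keeps its list — so unless the renamed module supplies a default, this host loses its explicit peers. The vbob.nix hunk `@@ -52,13 +53,6 @@` drops `"omo" "gum"` the same way. If the drop is intentional, a one-line comment saying so; otherwise `krebs.tinc.retiolum.connectTo = [ "gum" "pigstarter" "fastpoke" ];` restores the old behaviour.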
@@ -17,9 +17,9 @@ ../2configs/zsh-user.nix ../2configs/exim-retiolum.nix + ../2configs/tinc/retiolum.nix ]; # not working in vm - krebs.retiolum.enable = true; krebs.build.host = config.krebs.hosts.tsp; networking.firewall.allowedTCPPorts = [ diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index 4818cea2a..129a06021 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -11,6 +11,7 @@ # environment + ../2configs/tinc/retiolum.nix ]; # workaround for https://github.com/NixOS/nixpkgs/issues/16641 @@ -52,13 +53,6 @@ 8010 ]; - krebs.retiolum = { - enable = true; - connectTo = [ - "omo" - "gum" - ]; - }; virtualisation.docker.enable = false; fileSystems."/media/share" = { diff --git a/makefu/1systems/wry.nix b/makefu/1systems/wry.nix index 5788cb654..3764ab4b5 100644 --- a/makefu/1systems/wry.nix +++ b/makefu/1systems/wry.nix @@ -25,8 +25,9 @@ in { # collectd ../2configs/collectd/collectd-base.nix + + ../2configs/tinc/retiolum.nix ]; - krebs.retiolum.enable = true; krebs.build.host = config.krebs.hosts.wry; -- cgit v1.2.3 From df7416dc319e6815e32fa5fb32ba00d41481d368 Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 20:09:47 +0200 Subject: m 2 tinc: add missing retiolum config --- makefu/2configs/tinc/retiolum.nix | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 makefu/2configs/tinc/retiolum.nix (limited to 'makefu') diff --git a/makefu/2configs/tinc/retiolum.nix b/makefu/2configs/tinc/retiolum.nix new file mode 100644 index 000000000..dcb072461 --- /dev/null +++ b/makefu/2configs/tinc/retiolum.nix @@ -0,0 +1,4 @@ +_: +{ + krebs.tinc.retiolum.enable = true; +} -- cgit v1.2.3 From e03ae6d79d77e654bb586475b52c7e6aa24ac06f Mon Sep 17 00:00:00 2001 
From: makefu Date: Wed, 20 Jul 2016 20:35:30 +0200 Subject: m 1 wbob: add missing --- makefu/1systems/wbob.nix | 14 ++++++++------ makefu/2configs/temp/share-samba.nix | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 6 deletions(-) create mode 100644 makefu/2configs/temp/share-samba.nix (limited to 'makefu') diff --git a/makefu/1systems/wbob.nix b/makefu/1systems/wbob.nix index 45b935af0..e8e0b091f 100644 --- a/makefu/1systems/wbob.nix +++ b/makefu/1systems/wbob.nix @@ -1,5 +1,7 @@ { config, pkgs, ... }: -{ +let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115"; +in { + makefu.awesome = { modkey = "Mod1"; #TODO: integrate kiosk config into full config by templating the autostart @@ -9,19 +11,19 @@ [ # Include the results of the hardware scan. ../. ../2configs/main-laptop.nix + ../2configs/virtualization.nix + ../2configs/tinc/retiolum.nix ]; krebs = { enable = true; - retiolum.enable = true; build.host = config.krebs.hosts.wbob; }; networking.firewall.allowedUDPPorts = [ 1655 ]; - networking.firewall.allowedTCPPorts = [ 1655 ]; + networking.firewall.allowedTCPPorts = [ 1655 49152 ]; services.tinc.networks.siem = { name = "display"; extraConfig = '' ConnectTo = sjump - Port = 1655 ''; }; @@ -35,12 +37,12 @@ # nuc hardware - boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.device = rootdisk; hardware.cpu.intel.updateMicrocode = true; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.kernelModules = [ "kvm-intel" ]; fileSystems."/" = { - device = "/dev/sda1"; + device = rootdisk + "-part1"; fsType = "ext4"; }; diff --git a/makefu/2configs/temp/share-samba.nix b/makefu/2configs/temp/share-samba.nix new file mode 100644 index 000000000..c021e66c6 --- /dev/null +++ b/makefu/2configs/temp/share-samba.nix 
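Review bot: `networking.firewall.allowedTCPPorts = [ 1655 49152 ];` opens 49152 without saying what listens there; a comment such as `# 49152: <service that binds it — TODO name it>` would make the exposure reviewable. In the same hunk `Port = 1655` is removed from the siem tinc extraConfig while 1655 stays open on both UDP and TCP; unless the port is configured elsewhere, tinc will listen on its default port and the 1655 rules become dead, so either keep the line or document where the port now comes from. The `rootdisk` by-id change is a clear improvement over `/dev/sda`.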
@@ -0,0 +1,36 @@ +{config, ... }:{ + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/var/empty"; + }; + + networking.firewall.allowedTCPPorts = [ + 139 445 # samba + ]; + + networking.firewall.allowedUDPPorts = [ + 137 138 + ]; + services.samba = { + enable = true; + shares = { + share-home = { + path = "/home/share/"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; +} -- cgit v1.2.3 From 2b862262f2878c9f4ef35894a8343d94f6d636be Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 20:36:16 +0200 Subject: m 1 vbob: comment out extra-hosts --- makefu/1systems/vbob.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'makefu') diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index 129a06021..27a216316 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -8,7 +8,7 @@ (toString ) (toString ) ../2configs/main-laptop.nix #< base-gui - + # # environment ../2configs/tinc/retiolum.nix -- cgit v1.2.3 From 3c628cd4a29938ecf14e0e891f621a742987ddab Mon Sep 17 00:00:00 2001 From: makefu Date: Wed, 20 Jul 2016 22:55:19 +0200 Subject: m 2 default: bump ref to 125ffff --- makefu/2configs/default.nix | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'makefu') diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 4562a123f..cba7462f1 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -17,7 +17,6 @@ with config.krebs.lib; krebs = { enable = true; - dns.providers.siem = "hosts"; dns.providers.lan = "hosts"; search-domain = "retiolum"; build = { 
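Review bot: `share-home` combines `"guest ok" = "yes"` with `"read only" = "no"` and `map to guest = bad user`, and 139/445 plus 137/138 are opened on every interface, so any host that can reach the machine gets anonymous write access to `/home/share/`. Even for a file under `temp/`, scope it: add `hosts allow = <lan-cidr placeholder>` to extraConfig, or `interfaces` together with `bind interfaces only = yes`, and state the intended exposure in a comment at the top of the file. `home = "/var/empty";` for smbguest is good; adding `createHome = false;` alongside it would make that explicit.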
@@ -25,7 +24,7 @@ with config.krebs.lib; source = let inherit (config.krebs.build) host user; in { nixpkgs.git = { url = https://github.com/nixos/nixpkgs; - ref = "0546a4a"; # stable @ 2016-06-11 + ref = "125ffff"; # stable @ 2016-07-20 }; secrets.file = if getEnv "dummy_secrets" == "true" @@ -171,4 +170,10 @@ with config.krebs.lib; consoleKeyMap = "us"; defaultLocale = "en_US.UTF-8"; }; + # suppress chrome autit event messages + security.audit = { + rules = [ + "-a task,never" + ]; + }; } -- cgit v1.2.3 From db4d4b8890b87064bf721c312f9e2229f489c2c2 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 21 Jul 2016 00:11:24 +0200 Subject: m 5 honeyd: remove --- makefu/5pkgs/default.nix | 1 - makefu/5pkgs/honeyd/default.nix | 62 ----------------------------------- makefu/5pkgs/honeyd/fix-autogen.patch | 42 ------------------------ 3 files changed, 105 deletions(-) delete mode 100644 makefu/5pkgs/honeyd/default.nix delete mode 100644 makefu/5pkgs/honeyd/fix-autogen.patch (limited to 'makefu') diff --git a/makefu/5pkgs/default.nix b/makefu/5pkgs/default.nix index f94136c0b..718b23c9e 100644 --- a/makefu/5pkgs/default.nix +++ b/makefu/5pkgs/default.nix @@ -19,7 +19,6 @@ in skytraq-logger = callPackage ./skytraq-logger {}; taskserver = callPackage ./taskserver {}; ps3netsrv = callPackage ./ps3netsrv {}; - honeyd = callPackage ./honeyd {}; farpd = callPackage ./farpd {}; }; } diff --git a/makefu/5pkgs/honeyd/default.nix b/makefu/5pkgs/honeyd/default.nix deleted file mode 100644 index 5dca35f33..000000000 --- a/makefu/5pkgs/honeyd/default.nix +++ /dev/null 
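Review bot: `"-a task,never"` attaches a never-rule to the task list, which stops the kernel from creating an audit context for any newly created process — it silences audit records for every new task on the system, not only chrome's, and the comment `# suppress chrome autit event messages` (also: `audit`) understates that. If the goal is only to quiet chrome, the rule should be narrowed to that executable or the offending syscalls rather than disabling task auditing globally, and the comment should name the actual trade-off. If `security.audit.enable` is not set elsewhere, confirm these rules are actually loaded at all.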
@@ -1,62 +0,0 @@ -{ stdenv, lib, pkgs, fetchurl,fetchFromGitHub, - libpcap, libdnet, libevent, readline, autoconf, automake, libtool, zlib, pcre, - ... }: -stdenv.mkDerivation rec { - name = "honeyd-${version}"; - - #version = "1.5c"; #original, does not compile due to libc errors - #src = fetchurl { - # url = "http://www.honeyd.org/uploads/honeyd-${version}.tar.gz"; - # sha256 = "0vcih16fk5pir5ssfil8x79nvi62faw0xvk8s5klnysv111db1ii"; - #}; - - #version = "64d087c"; # honeyd-1.6.7 - # sha256 = "0zhnn13r24y1q494xcfx64vyp84zqk8qmsl41fq2674230bn0p31"; - - version = "c135fea08"; #nova-13.09 - src = fetchFromGitHub { - owner = "DataSoft"; - repo = "honeyd"; - rev = version; - sha256 = "1r9qds7a1yp3nkccwh3isrizpr2njhpf1m6qp3lqkj0i9c4w6x44"; - }; - - buildInputs = with pkgs;[ - automake - gnugrep - libpcap - libdnet - pcre - libevent - readline - autoconf - libtool - zlib - coreutils - python - pythonPackages.sqlite3 - ]; - patches = [ ./fix-autogen.patch ]; - - # removes user install script from Makefile before automake - preConfigure = '' - sed -i '/init.py$/d' Makefile.am - sh ./autogen.sh - ''; - - makeFlags = [ "LIBS=-lz" ]; - configureFlags = [ - "--with-libpcap=${libpcap}" - "--with-libevent=${libevent}" - "--with-zlib=${zlib}" - "--with-python" - "--with-libpcre=${pcre}" - "--with-libreadline=${readline}" - ]; - - meta = { - homepage = http://www.honeyd.org/; - description = "virtual Honeypots"; - license = lib.licenses.gpl2; - }; -} diff --git a/makefu/5pkgs/honeyd/fix-autogen.patch b/makefu/5pkgs/honeyd/fix-autogen.patch deleted file mode 100644 index 9fccafa82..000000000 --- a/makefu/5pkgs/honeyd/fix-autogen.patch +++ /dev/null 
@@ -1,42 +0,0 @@ ---- ./configure.in 2016-06-27 18:36:06.640779048 +0200 -+++ ./configure.in 2016-06-27 18:34:53.968803854 +0200 -@@ -119,11 +119,11 @@ - ;; - *) - AC_MSG_RESULT($withval) -- if test -f $withval/pcap.h -a -f $withval/libpcap.a; then -+ if test -f $withval/include/pcap.h -a -f $withval/lib/libpcap.so; then - owd=`pwd` - if cd $withval; then withval=`pwd`; cd $owd; fi -- PCAPINC="-I$withval -I$withval/bpf" -- PCAPLIB="-L$withval -lpcap" -+ PCAPINC="-I$withval/include -I$withval/include/bpf" -+ PCAPLIB="-L$withval/lib -lpcap" - else - AC_ERROR(pcap.h or libpcap.a not found in $withval) - fi -@@ -230,7 +230,7 @@ - if cd $withval; then withval=`pwd`; cd $owd; fi - EVENTINC="-I$withval" - EVENTLIB="-L$withval -levent" -- elif test -f $withval/include/event.h -a -f $withval/lib/libevent.a; then -+ elif test -f $withval/include/event.h -a -f $withval/lib/libevent.so; then - owd=`pwd` - if cd $withval; then withval=`pwd`; cd $owd; fi - EVENTINC="-I$withval/include" -@@ -354,12 +354,12 @@ - ;; - *) - AC_MSG_RESULT($withval) -- if test -f $withval/readline/readline.h -a -f $withval/libreadline.a; then -+ if test -f $withval/include/readline/readline.h -o -f $withval/lib/libreadline.so; then - owd=`pwd` - if cd $withval; then withval=`pwd`; cd $owd; fi - AC_DEFINE(HAVE_LIBREADLINE, 1, [Define if you have libreadline]) -- EDITINC="-I$withval" -- EDITLIB="-L$withval -lreadline" -+ EDITINC="-I$withval/include" -+ EDITLIB="-L$withval/lib -lreadline" - else - AC_ERROR(readline/readline.h or libreadline.a not found in $withval) - fi -- cgit v1.2.3 From fbe1fcdd8e145493602da65f0a22b1907c2b3a95 Mon Sep 17 00:00:00 2001 
From: makefu Date: Thu, 21 Jul 2016 00:13:01 +0200 Subject: m : update legacy options ,remove honeyd usage in shoney --- makefu/1systems/shoney.nix | 3 --- makefu/2configs/default.nix | 2 +- makefu/2configs/hw/tp-x220.nix | 3 +-- makefu/2configs/virtualization-virtualbox.nix | 12 +++++++----- 4 files changed, 9 insertions(+), 11 deletions(-) (limited to 'makefu') diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix index 0e6ae6e17..7081f6a95 100644 --- a/makefu/1systems/shoney.nix +++ b/makefu/1systems/shoney.nix @@ -17,9 +17,6 @@ in { ]; - environment.systemPackages = [ pkgs.honeyd ]; - services.tinc.networks.siem.name = "sjump"; - krebs = { enable = true; build.host = config.krebs.hosts.shoney; diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index cba7462f1..c94f1be7d 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -66,7 +66,7 @@ with config.krebs.lib; startAgent = false; }; services.openssh.enable = true; - nix.useChroot = true; + nix.useSandbox = true; users.mutableUsers = false; diff --git a/makefu/2configs/hw/tp-x220.nix b/makefu/2configs/hw/tp-x220.nix index 1c9a34965..58390e48d 100644 --- a/makefu/2configs/hw/tp-x220.nix +++ b/makefu/2configs/hw/tp-x220.nix @@ -8,10 +8,9 @@ with config.krebs.lib; kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ]; extraModulePackages = [ config.boot.kernelPackages.tp_smapi ]; }; - + hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; services.xserver = { videoDriver = "intel"; - vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ]; deviceSection = '' Option "AccelMethod" "sna" ''; diff --git a/makefu/2configs/virtualization-virtualbox.nix b/makefu/2configs/virtualization-virtualbox.nix index 2b4e24774..7a14dea7f 100644 --- a/makefu/2configs/virtualization-virtualbox.nix +++ b/makefu/2configs/virtualization-virtualbox.nix 
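Review bot: The shoney hunk removes `services.tinc.networks.siem.name = "sjump";` together with the honeyd package, yet the commit message only mentions honeyd, and wbob.nix's siem network (earlier in this series) still has `ConnectTo = sjump`. Unless the siem node name is set elsewhere, shoney stops being the peer wbob connects to; either keep the line or say in the commit that the siem network is being dismantled on this host. The `nix.useChroot` → `nix.useSandbox` and `vaapiDrivers` → `hardware.opengl.extraPackages` hunks are plain option renames.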
@@ -2,20 +2,22 @@ let mainUser = config.krebs.build.user; - version = "5.0.20"; - rev = "106931"; - vboxguestpkg = pkgs.fetchurl { + vboxguestpkg = lib.stdenv.mkDerivation rec { + name = "Virtualbox-Extensions-${version}-${rev}"; + version = "5.0.20"; + rev = "106931"; + src = pkgs.fetchurl { url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack"; sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf"; }; + }; in { - #inherit vboxguestpkg; virtualisation.virtualbox.host.enable = true; nixpkgs.config.virtualbox.enableExtensionPack = true; users.extraGroups.vboxusers.members = [ "${mainUser.name}" ]; nixpkgs.config.packageOverrides = super: { - boot.kernelPackages = super.boot.kernelPackages.virtualbox.override { + boot.kernelPackages.virtualbox = super.boot.kernelPackages.virtualbox.override { buildInputs = super.boot.kernelPackages.virtualBox.buildInputs ++ [ vboxguestpkg ]; }; -- cgit v1.2.3 From 123f1f4b6b39f1e2f8397399c2d94f828c9c4966 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 21 Jul 2016 00:22:08 +0200 Subject: m 5 devpi: disable test for execnet14 --- makefu/5pkgs/devpi/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'makefu') diff --git a/makefu/5pkgs/devpi/default.nix b/makefu/5pkgs/devpi/default.nix index 0df8ecd2c..3ccc35c79 100644 --- a/makefu/5pkgs/devpi/default.nix +++ b/makefu/5pkgs/devpi/default.nix @@ -8,7 +8,7 @@ let url = "https://pypi.python.org/packages/source/e/execnet/${name}.tar.gz"; sha256 = "1rpk1vyclhg911p3hql0m0nrpq7q7mysxnaaw6vs29cpa6kx8vgn"; }; - + doCheck = false; # http://prism:8010/builders/build-all/builds/177/steps/build-vbob/logs/stdio propagatedBuildInputs = with pkgs.python3Packages; [ setuptools_scm apipkg ]; meta = { -- cgit v1.2.3 From 964062c8071b7b069ec6a2661a3530629a95a1c2 Mon Sep 17 00:00:00 2001 
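Review bot: `vboxguestpkg = lib.stdenv.mkDerivation rec {` — as far as I know nixpkgs' `lib` carries no `stdenv` attribute, so this should be `pkgs.stdenv.mkDerivation`. Even once it evaluates, the derivation defines only `name`, `version`, `rev` and `src` with no unpack or install phase for the `.vbox-extpack`, so nothing ends up in `$out`; presumably that is why the previous version stopped at `pkgs.fetchurl`. `boot.kernelPackages.virtualbox = super.boot.kernelPackages.virtualbox.override` sits inside `nixpkgs.config.packageOverrides`, which receives the package set rather than the NixOS config, so `super.boot` likely does not exist either — confirm, since `nixpkgs.config.virtualbox.enableExtensionPack = true` two lines above may already cover the extension pack. The `let` block starts before the hunk.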
From: makefu Date: Thu, 21 Jul 2016 02:04:45 +0200 Subject: m 2 zsh-user: use gpg-agent 2.1 style daemon --- makefu/2configs/zsh-user.nix | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) (limited to 'makefu') diff --git a/makefu/2configs/zsh-user.nix b/makefu/2configs/zsh-user.nix index 9527ead1a..99c1315e1 100644 --- a/makefu/2configs/zsh-user.nix +++ b/makefu/2configs/zsh-user.nix @@ -22,15 +22,11 @@ in bindkey "\e[3~" delete-char zstyle ':completion:*' menu select - # load gpg-agent - envfile="$HOME/.gnupg/gpg-agent.env" - if [ -e "$envfile" ] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then - eval "$(cat "$envfile")" - else - eval "$(${pkgs.gnupg}/bin/gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")" - fi - export GPG_AGENT_INFO - export SSH_AUTH_SOCK + gpg-connect-agent updatestartuptty /bye >/dev/null + GPG_TTY=$(tty) + export GPG_TTY + unset SSH_AGENT_PID + export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh" ''; promptInit = '' -- cgit v1.2.3
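Review bot: The new block calls `gpg-connect-agent` unqualified from PATH and hardcodes `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"`, while the removed lines pinned `${pkgs.gnupg}/bin/gpg-agent` and passed `--enable-ssh-support`; nothing on the new side turns ssh support on, so unless `enable-ssh-support` is in gpg-agent.conf the socket will not exist and ssh fails silently. Prefer asking gpg for the path and the binary, `export SSH_AUTH_SOCK="$(${pkgs.gnupg}/bin/gpgconf --list-dirs agent-ssh-socket)"` and `${pkgs.gnupg}/bin/gpg-connect-agent updatestartuptty /bye >/dev/null`, with a comment noting the gpg-agent.conf requirement. The interactive shell-init string this hunk edits starts before the hunk.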