From 8b5a7fb02cb8fd76efa0e96fa6dc219fd35144b3 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 3 May 2018 18:41:08 +0200 Subject: [PATCH 01/65] tv gitrepos: kops -> krops --- tv/2configs/gitrepos.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/2configs/gitrepos.nix b/tv/2configs/gitrepos.nix index c3418e7ee..a4e3aafca 100644 --- a/tv/2configs/gitrepos.nix +++ b/tv/2configs/gitrepos.nix @@ -42,7 +42,7 @@ let { kirk = { cgit.desc = "IRC tools"; }; - kops = { + krops = { cgit.desc = "deployment tools"; }; load-env = {}; From 6e35be71f64dbb6d83bfd1d6fd8a2d8e1c9eb842 Mon Sep 17 00:00:00 2001 From: tv Date: Thu, 3 May 2018 18:49:46 +0200 Subject: [PATCH 02/65] kops 1.1.0 -> krops 1.0.0 --- krebs/5pkgs/simple/kops.nix | 7 ------- krebs/5pkgs/simple/krops.nix | 7 +++++++ 2 files changed, 7 insertions(+), 7 deletions(-) delete mode 100644 krebs/5pkgs/simple/kops.nix create mode 100644 krebs/5pkgs/simple/krops.nix diff --git a/krebs/5pkgs/simple/kops.nix b/krebs/5pkgs/simple/kops.nix deleted file mode 100644 index 8db4b8ddd..000000000 --- a/krebs/5pkgs/simple/kops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ fetchgit, ... }: - -fetchgit { - url = https://cgit.krebsco.de/kops; - rev = "refs/tags/v1.1.0"; - sha256 = "0k3zhv2830z4bljcdvf6ciwjihk2zzcn9y23p49c6sba5hbsd6jb"; -} diff --git a/krebs/5pkgs/simple/krops.nix b/krebs/5pkgs/simple/krops.nix new file mode 100644 index 000000000..29bfb52f5 --- /dev/null +++ b/krebs/5pkgs/simple/krops.nix @@ -0,0 +1,7 @@ +{ fetchgit, ... }: + +fetchgit { + url = https://cgit.krebsco.de/krops; + rev = "refs/tags/v1.0.0"; + sha256 = "0ahp3fxb3l1vcjylxw0cd0f4hfp98bxskkf3z9d37hl3m7v4pcb4"; +} From b81fe57e3e137a2449fb8cc5e627e484d84bb00e Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 3 May 2018 22:49:27 +0200 Subject: [PATCH 03/65] all hope is lost. RIP --- krebs/1systems/hope/config.nix | 41 -------------------------------- krebs/1systems/hope/source.nix | 3 --- krebs/3modules/krebs/default.nix | 32 ------------------------- 3 files changed, 76 deletions(-) delete mode 100644 krebs/1systems/hope/config.nix delete mode 100644 krebs/1systems/hope/source.nix diff --git a/krebs/1systems/hope/config.nix b/krebs/1systems/hope/config.nix deleted file mode 100644 index c19b210c5..000000000 --- a/krebs/1systems/hope/config.nix +++ /dev/null @@ -1,41 +0,0 @@ -with import ; -{ config, pkgs, ... }: let - - ip = config.krebs.build.host.nets.internet.ip4.addr; - bestGuessGateway = addr: elemAt (match "(.*)(\.[^.])" addr) 0 + ".1"; - -in { - imports = [ - - - - - - { - users.extraUsers = { - satan = { - name = "satan"; - uid = 1338; - home = "/home/satan"; - group = "users"; - createHome = true; - useDefaultShell = true; - initialPassword = "test"; - }; - }; - } - ]; - - krebs.build.host = config.krebs.hosts.hope; - - networking = let - address = config.krebs.build.host.nets.internet.ip4.addr; - in { - defaultGateway = bestGuessGateway address; - interfaces.enp2s1.ip4 = singleton { - inherit address; - prefixLength = 24; - }; - nameservers = ["8.8.8.8"]; - }; -} diff --git a/krebs/1systems/hope/source.nix b/krebs/1systems/hope/source.nix deleted file mode 100644 index 7121d1d9d..000000000 --- a/krebs/1systems/hope/source.nix +++ /dev/null @@ -1,3 +0,0 @@ -import { - name = "hope"; -} diff --git a/krebs/3modules/krebs/default.nix b/krebs/3modules/krebs/default.nix index a916c1873..a938f8ec9 100644 --- a/krebs/3modules/krebs/default.nix +++ b/krebs/3modules/krebs/default.nix @@ -30,38 +30,6 @@ let }); in { hosts = { - hope = { - ci = true; - owner = config.krebs.users.krebs; - nets = { - internet = { - ip4.addr = "45.62.225.18"; - aliases = [ - "hope.i" - ]; - ssh.port = 45621; - }; - retiolum = { - ip4.addr = "10.243.77.4"; - ip6.addr = "42:0:0:0:0:0:77:4"; - aliases = [ - "hope.r" - ]; - tinc.pubkey = '' - -----BEGIN RSA PUBLIC KEY----- - MIIBCgKCAQEAsQVWCoNZZd77tYw1qEDlUsfcF0ld+jVorq2uR5il1D8sqER644l5 - uaWxPQjSl27xdq5kvzIH24Ab6/xF2EDgE2fUTwpO5coBYafeiGyi5AwURQmYMp2a - 2CV7uUAagFQaSzD0Aj796r1BXPn1IeE+uRSBmmc/+/7L0hweRGLiha34NOMZkq+4 - A0pwI/CjnyRXdV4AqfORHXkelykJPATm+m3bC+KYogPBeNMP2AV2aYgY8a0UJPMK - fjAJCzxYJjiYxm8faJlm2U1bWytZODQa8pRZOrYQa4he2UoU6x78CNcrQkYLPOFC - K2Q7+B5WJNKV6CqYztXuU/6LTHJRmV0FiwIDAQAB - -----END RSA PUBLIC KEY----- - ''; - }; - }; - ssh.privkey.path = ; - ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOdLHRI29xJj1jmfSidE2Dh7EsDNszm+WH3Kj4zYBkP/"; - }; hotdog = { ci = true; owner = config.krebs.users.krebs; From 4f2bf83ff906b9ee0421dabba4ff7e9dab5b7802 Mon Sep 17 00:00:00 2001 From: jeschli Date: Fri, 4 May 2018 16:51:08 +0200 Subject: [PATCH 04/65] j conflicts resolve. dirty commit --- jeschli/1systems/bln/config.nix | 25 ++++++++----------- .../1systems/bln/hardware-configuration.nix | 2 ++ jeschli/2configs/xserver/Xresources.nix | 4 +++ jeschli/2configs/xserver/default.nix | 2 ++ 4 files changed, 18 insertions(+), 15 deletions(-) diff --git a/jeschli/1systems/bln/config.nix b/jeschli/1systems/bln/config.nix index c9a7a34e2..ad397728d 100644 --- a/jeschli/1systems/bln/config.nix +++ b/jeschli/1systems/bln/config.nix @@ -1,13 +1,15 @@ { config, lib, pkgs, ... }: # bln config file { - imports = - [ - - - - ./hardware-configuration.nix - ]; + imports = [ + ./hardware-configuration.nix + + + + + + + ]; boot.loader.systemd-boot.enable = true; boot.loader.efi.canTouchEfiVariables = true; @@ -91,18 +93,11 @@ services.printing.drivers = [ pkgs.postscript-lexmark ]; # Enable the X11 windowing system. - services.xserver.enable = true; services.xserver.videoDrivers = [ "nvidia" ]; - services.xserver.windowManager.xmonad.enable = true; - services.xserver.windowManager.xmonad.enableContribAndExtras = true; - services.xserver.displayManager.sddm.enable = true; - services.xserver.dpi = 100; - fonts.fontconfig.dpi = 100; - users.extraUsers.jeschli = { isNormalUser = true; - extraGroups = ["docker" "vboxusers"]; + extraGroups = ["docker" "vboxusers" "audio"]; uid = 1000; }; diff --git a/jeschli/1systems/bln/hardware-configuration.nix b/jeschli/1systems/bln/hardware-configuration.nix index b774bfc19..35f0b3bca 100644 --- a/jeschli/1systems/bln/hardware-configuration.nix +++ b/jeschli/1systems/bln/hardware-configuration.nix @@ -30,4 +30,6 @@ nix.maxJobs = lib.mkDefault 8; powerManagement.cpuFreqGovernor = "powersave"; + + hardware.pulseaudio.enable = true; } diff --git a/jeschli/2configs/xserver/Xresources.nix b/jeschli/2configs/xserver/Xresources.nix index e433a855e..e8154912c 100644 --- a/jeschli/2configs/xserver/Xresources.nix +++ b/jeschli/2configs/xserver/Xresources.nix @@ -3,6 +3,10 @@ with import ; pkgs.writeText "Xresources" /* xdefaults */ '' + Xcursor.theme: aero-large-drop + Xcursor.size: 128 + Xft.dpi: 144 + URxvt*cutchars: "\\`\"'&()*,;<=>?@[]^{|}‘’" URxvt*eightBitInput: false URxvt*font: -*-clean-*-*-*-*-*-*-*-*-*-*-iso10646-1 diff --git a/jeschli/2configs/xserver/default.nix b/jeschli/2configs/xserver/default.nix index df06000f3..4e646811d 100644 --- a/jeschli/2configs/xserver/default.nix +++ b/jeschli/2configs/xserver/default.nix @@ -43,6 +43,8 @@ in { enable = true; display = 11; tty = 11; + + dpi = 200; synaptics = { enable = true; From 6cd3f1607b3c0e9b42fc41f5e3545e324d0fe43a Mon Sep 17 00:00:00 2001 From: jeschli Date: Fri, 4 May 2018 16:58:43 +0200 Subject: [PATCH 05/65] j: changed cert hashes --- jeschli/1systems/bln/config.nix | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/jeschli/1systems/bln/config.nix b/jeschli/1systems/bln/config.nix index 190f6f539..c5f8101ea 100644 --- a/jeschli/1systems/bln/config.nix +++ b/jeschli/1systems/bln/config.nix @@ -123,15 +123,17 @@ # DCSO Certificates security.pki.certificateFiles = [ - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; }) - (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "006j61q2z44z6d92638iin6r46r4cj82ipwm37784h34i5x4mp0d"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "1nkd1rjcn02q9xxjg7sw79lbwy08i7hb4v4pn98djknvcmplpz5m"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "094m12npglnnv1nf1ijcv70p8l15l00id44qq7rwynhcgxi5539i"; }) + + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "1anfncdf5xsp219kryncv21ra87flpzcjwcc85hzvlwbxhid3g4x"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "035kkfizyl5dndj7rhvmy91rr75lakqbqgjx4dpiw0kqq369mz8r"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "14fpzx1qjs9ws9sz0y7pb6j40336xlckkqcm2rc5j86yn7r22lp7"; }) + (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "1yjl3kyw4chc8vw7bnqac2h9vn8dxryw7lr7i03lqi9sdvs4108s"; }) ]; + hardware.bluetooth.enable = true; krebs.build.host = config.krebs.hosts.bln; } From 3b6c1b0efcfb848a3e3c380664dcc5315169549a Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 4 May 2018 17:15:50 +0200 Subject: [PATCH 06/65] j zsh: pin LS_COLORS rev --- jeschli/2configs/zsh.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jeschli/2configs/zsh.nix b/jeschli/2configs/zsh.nix index be5b661b4..0f6775efb 100644 --- a/jeschli/2configs/zsh.nix +++ b/jeschli/2configs/zsh.nix @@ -53,8 +53,8 @@ eval $(dircolors -b ${pkgs.fetchFromGitHub { owner = "trapd00r"; repo = "LS_COLORS"; - rev = "master"; - sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp"; + rev = "a75fca8545f91abb8a5f802981033ef54bf1eac0"; + sha256="1lzj0qnj89mzh76ha137mnz2hf86k278rh0y9x124ghxj9yqsnb4"; }}/LS_COLORS) #beautiful colors From c1e6915ccf9dbdd38c35f4849fd2a8a89c35a62d Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 4 May 2018 20:28:15 +0200 Subject: [PATCH 07/65] l: add lol.lassul.us --- krebs/3modules/lass/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 48df04bcb..36fd5fc63 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -65,6 +65,7 @@ with import ; io 60 IN NS ions.lassul.us. ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} ''; }; nets = rec { From f4c7c3ebdce7c4a248140d20464fbdf65ea0c921 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 4 May 2018 20:30:19 +0200 Subject: [PATCH 08/65] l mors: open chromecast ports --- lass/1systems/mors/config.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index f8a16ad2e..586a957cf 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -35,9 +35,11 @@ with import ; { - #risk of rain port krebs.iptables.tables.filter.INPUT.rules = [ + #risk of rain { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; } + #chromecast + { predicate = "-p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000"; target = "ACCEPT"; } ]; } { From 5fe30a149d649b24cb0c55e398064adfce51614c Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 4 May 2018 20:30:51 +0200 Subject: [PATCH 09/65] l: init nichtparasoup --- lass/5pkgs/nichtparasoup/default.nix | 25 ++++++++++++++++++++++++ lass/5pkgs/nichtparasoup/exception.patch | 13 ++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 lass/5pkgs/nichtparasoup/default.nix create mode 100644 lass/5pkgs/nichtparasoup/exception.patch diff --git a/lass/5pkgs/nichtparasoup/default.nix b/lass/5pkgs/nichtparasoup/default.nix new file mode 100644 index 000000000..cf34c683f --- /dev/null +++ b/lass/5pkgs/nichtparasoup/default.nix @@ -0,0 +1,25 @@ +{ stdenv, pkgs, ... }: +let + py = pkgs.python3Packages.python.withPackages (p: [ + p.werkzeug + p.beautifulsoup4 + ]); + src = pkgs.fetchFromGitHub { + owner = "k4cg"; + repo = "nichtparasoup"; + rev = "cf164b5"; + sha256 = "09bwh76agp14j8rv7bp47jcwhffc1b0bak0ikvzxyphph5lyidk9"; + }; + patchedSrc = stdenv.mkDerivation { + name = "nichtparasoup"; + inherit src; + patches = [ ./exception.patch ]; + phases = [ "unpackPhase" "patchPhase" "installPhase" ]; + installPhase = '' + mkdir -p $out + cp -r * $out/ + ''; + }; +in pkgs.writeDashBin "nichtparasoup" '' + ${py}/bin/python ${patchedSrc}/nichtparasoup.py "$@" +'' diff --git a/lass/5pkgs/nichtparasoup/exception.patch b/lass/5pkgs/nichtparasoup/exception.patch new file mode 100644 index 000000000..34c177de0 --- /dev/null +++ b/lass/5pkgs/nichtparasoup/exception.patch @@ -0,0 +1,13 @@ +diff --git a/nichtparasoup.py b/nichtparasoup.py +index 9da9a2b..833ca71 100755 +--- a/nichtparasoup.py ++++ b/nichtparasoup.py +@@ -211,7 +211,7 @@ def cache_fill_loop(): + try: + sources[crawler][site].crawl() + info = Crawler.info() +- except Exception, e: ++ except Exception as e: + logger.error("Error in crawler %s - %s: %s" % (crawler, site, e)) + break + From 80cb62753405364cedb40f7591704dde56593de3 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 4 May 2018 20:31:12 +0200 Subject: [PATCH 10/65] l: add nichtparasoup module --- lass/3modules/default.nix | 1 + lass/3modules/nichtparasoup.nix | 48 +++++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 lass/3modules/nichtparasoup.nix diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 5e7e6dff3..2cf6a66b9 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -7,6 +7,7 @@ _: ./hosts.nix ./mysql-backup.nix ./news.nix + ./nichtparasoup.nix ./pyload.nix ./restic.nix ./screenlock.nix diff --git a/lass/3modules/nichtparasoup.nix b/lass/3modules/nichtparasoup.nix new file mode 100644 index 000000000..dd1419f24 --- /dev/null +++ b/lass/3modules/nichtparasoup.nix @@ -0,0 +1,48 @@ +{ config, lib, pkgs, ... }: + +with import ; + +{ + options.lass.nichtparasoup = { + enable = mkEnableOption "nichtparasoup funny image page"; + config = mkOption { + type = types.str; + default = '' + [General] + Port: 5001 + IP: 0.0.0.0 + Useragent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25 + + [Cache] + Images_min_limit: 15 + + [Logging] + ;; possible destinations: file syslog + Destination: syslog + Verbosity: ERROR + + [Sites] + SoupIO: everyone + Pr0gramm: new,top + Reddit: gifs,pics,aww,aww_gifs,reactiongifs,wtf,FoodPorn,cats,StarWars,ANormalDayInRussia,perfectloops,reallifedoodles + NineGag: geeky,wtf,hot,trending + Instagram: cats,animals,nerdy_gaming_art,nature,wtf + Fourchan: sci + ''; + }; + }; + + config = mkIf config.lass.nichtparasoup.enable { + systemd.services.nichtparasoup = { + description = "nichtparasoup"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + restartIfChanged = true; + serviceConfig = { + Restart = "always"; + ExecStart = "${pkgs.nichtparasoup}/bin/nichtparasoup -c ${pkgs.writeText "config.ini"config.lass.nichtparasoup.config}"; + }; + }; + }; +} From 67047f9e8dc18e43ce37927b19a6aae62c2ab4a1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 4 May 2018 20:32:23 +0200 Subject: [PATCH 11/65] l prism.r: add pubkey to download --- lass/1systems/prism/config.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 564315e8f..76aaf0cdc 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -358,6 +358,11 @@ in { }; }); } + { + users.users.download.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos" + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; From 24a3d64301ccbc39bdc6e46d5b6201b48311ed80 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 4 May 2018 20:37:21 +0200 Subject: [PATCH 12/65] l prism.r: enable nichtparasoup --- lass/1systems/prism/config.nix | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 76aaf0cdc..90decc35e 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -363,6 +363,22 @@ in { "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos" ]; } + { + lass.nichtparasoup.enable = true; + services.nginx = { + enable = true; + virtualHosts.lol = { + forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:5001; + ''; + serverAliases = [ + "lol.lassul.us" + ]; + }; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; From e1a0d9409d7f7e1c60f98ef2ee69cfecc445aa08 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 4 May 2018 20:59:08 +0200 Subject: [PATCH 13/65] l nichtparasoup: cf164b5 -> c6dcd0d --- lass/5pkgs/nichtparasoup/default.nix | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/lass/5pkgs/nichtparasoup/default.nix b/lass/5pkgs/nichtparasoup/default.nix index cf34c683f..fcff7ad54 100644 --- a/lass/5pkgs/nichtparasoup/default.nix +++ b/lass/5pkgs/nichtparasoup/default.nix @@ -7,19 +7,9 @@ let src = pkgs.fetchFromGitHub { owner = "k4cg"; repo = "nichtparasoup"; - rev = "cf164b5"; - sha256 = "09bwh76agp14j8rv7bp47jcwhffc1b0bak0ikvzxyphph5lyidk9"; - }; - patchedSrc = stdenv.mkDerivation { - name = "nichtparasoup"; - inherit src; - patches = [ ./exception.patch ]; - phases = [ "unpackPhase" "patchPhase" "installPhase" ]; - installPhase = '' - mkdir -p $out - cp -r * $out/ - ''; + rev = "c6dcd0d"; + sha256 = "10xy20bjdnd5bjv2hf6v5y5wi0mc9555awxkjqf57rk6ngc5w6ss"; }; in pkgs.writeDashBin "nichtparasoup" '' - ${py}/bin/python ${patchedSrc}/nichtparasoup.py "$@" + ${py}/bin/python ${src}/nichtparasoup.py "$@" '' From 8d6ab1e0bb0be7f779b721c797b937be8e452e02 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 7 May 2018 00:35:28 +0200 Subject: [PATCH 14/65] l: add icarus.pgp --- krebs/3modules/lass/default.nix | 1 + krebs/3modules/lass/pgp/icarus.pgp | 51 ++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 krebs/3modules/lass/pgp/icarus.pgp diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 36fd5fc63..aa0b43f9a 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -698,6 +698,7 @@ with import ; lass-icarus = { mail = "lass@icarus.r"; pubkey = builtins.readFile ./ssh/icarus.rsa; + pgp.pubkeys.default = builtins.readFile ./pgp/icarus.pgp; }; lass-xerxes = { mail = "lass@xerxes.r"; diff --git a/krebs/3modules/lass/pgp/icarus.pgp b/krebs/3modules/lass/pgp/icarus.pgp new file mode 100644 index 000000000..f41478a09 --- /dev/null +++ b/krebs/3modules/lass/pgp/icarus.pgp @@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFpqAGEBEADWiwVYVFXuK9kM7Y1XFL70jb2ZAZBRIpcZF81URMDFhm6ulvHq +fEhXTpiKKmfnv5Mz6r6wAWLJFKOKZuEvg8NwplRrlBHMkR3iEx4+7sP/dVey7U6f ++gI61ytFHTOKr52gstPVdXO3xhNmdrAI1hFuF2DxoXKloz8tPP92dZcCdm7+5C+2 +KSYEBrIp/Zv1cjkbAFwek5y4ut65sBh/VM+RhSLbqwzyCxwfBE9QAJdIEiSmChql +Lcz6CToYrdXhOY0ykx+QhT092k/6Xh66JeZ63WVHGrF+SSabq5NNcbWi7EISioHd +N6JXZmbXMpS/BxgMe145e3mWnd3KOSeOxaiORqev8VOycjRQJfSm8Ky+GtWIyxp7 +rwEHbY8vlG2X9RMW5UxVmSRPWLykZoX0Xvmnrpwcohb5WdkuCp9NjqF0gDswU8do +bCqASfeWBvJAQkoAlMLU7YH+ymmeQcSVdLy4Jpv1fk5FocQBihTBnC1+ztt7Rm8m +8VGEpH1h174/z4Xn+bCkRZqopl9GlvpilLT8m8N8jdL7QLZJlQwrHVtima8Rg3XZ +TriW1Ha/NxHZ8nN7pbisqXHCrJB0szzu++yVeQ7Ebr7HA0tIHqDhqVR0s6a1g5AX +JYI8vCErowhvPf+BVCUYfmh5dJAY6tt9zrvCneaZ7ogPzOH9kRnZXYi7ZQARAQAB +tBZpY2FydXMgPGxhc3NAaWNhcnVzLnI+iQJOBBMBCAA4FiEEbimq9dgDayT9DrQy +FSODpr2bDFMFAlpqAGECGwMFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQFSOD +pr2bDFNVohAAiY6Pp4whrAIKwNkzqLkUl2SyQCVSGOce906jthKSixdfaUORZPdD +AnyYUmPyVpWxKYjZl7IfmDDo7D6m21tP8FxCRK8/oYAtz3uRK5b5sb0/5YR77O9+ +s65sNhU8jiHetUEHQ0Z9UJKfm1DpanJ37uIhVcye8BC8OuSD0v0s+hZ+2ZaN1qdn +qqCkujAILxOWo1ZDqpXfHaV11AotzlgyYmxlXzClsLB0SGhU7HUZesKETn3JUmrV +88kkpug8gn9MpTSPDIWsTeNUWpNhqdDRA+2TUygtpQSKzJC8sdkFaWkMrH3cF6wA +BZ+4tS2mRMQWq9BNMK+xnkWPvYO9e6v4ddXtlcVgGTUhSo+opCXza3dcXE5Xbv8x +a1T5HJSV0HQPTrlAUoXZveu7ZgYVO5SOTCm1jBNKX8WCmvO6yJRalxo9N/d6gswq +tKAGm9tlXpTXnG6tvebmSxjzjVwjbQMDJGy4Cj4bw0GGCdapDFrPidUDY/INmU7D +TWtNsAJlJRuu7ddxIVTspZ7rmDBAOhYzXxGuU3ntZFTiFm9BpCmHYWpeQ5EKuxhJ +mgxzC9wKDoS8NRKwt5ak/mX0vpXkJjF2Lrza0wCAZ1ZYWFNaehEwhNT51s9kZIi3 +w1v2z8xmu7VDq/n2sMRtMe7MVIOh1Nu7l/5Uqeb+EYnEc1NGZsFxcYK5Ag0EWmoA +YQEQALMaaF9HeDpeqDjDpxanjjIz4YXMZoMkXwrLS/Rn2mobG5lJzxU+1AkwXxTD +K45A0YHWsnAH1S8V9Gx+NlUMS/S/m9BruSXNohUKARIJLbltEM/EufOThjgfhW0Y +cLorZ1kOSZvORR9+Ctuq/RcvGFwyLB/4OpcGHUezTIcAkLUo0lKPS4HtT2ogSUIx +UstAMwEOSQIDR6sDDiS0BXNdlkKK6daLpH+snQMGP+ILAyRHGu1MlYkACDQZa5aP +9vpany7zC9Ls7vaewCevZCUJfs00VF72pdCRdBV8oPQqwPfhS+uSCV58WwWCqHTq +8PtxCVVzQdngOvScRvjrijtzlseyyTW3w9DPoDsQ16oM3y0kcnnv2hdfTVuv4+YK +9fVRIrWEAlU3cxud7iws9+vUO9GwyWy+epFLiCgNgJR/RVIIjcHUExn/XAcFStjw +QtW+3BxjYmdJpsh5wvmMJSMZDJFMEdKYPm4RI7ZfKVwl6yFeJt3hNkLxxF7k2fXB +84pIvl03hXA3tRQ5t46wS7L2EPlWT00+MCraczvbIS+SX1nCp4ZXLBs0YmicioBS +Os0zEtVs+80eWMf86MTT7YLwre4t+QRbM/RyIvJFTqBT3ad7/7ZMyEuVJBwDJlpx +LGwZGa6zwnbzcf8Us4kAIRzQoK8VOg/xC/ymJYCk3oJCKD9RABEBAAGJAjYEGAEI +ACAWIQRuKar12ANrJP0OtDIVI4OmvZsMUwUCWmoAYQIbDAAKCRAVI4OmvZsMU1vw +EACDJDmZR5BIPxwr9+1Z5ZgT7XcBUbu4F2w84J3xqCUYqcti6I4lSMtxfw94crMp +HoexOVOhvoTneIliv0a4ZSu84u4CGoFn4M7RA0Ka1SVvbuasXf57sVwRptXjr3LL +f/0olra5rkIyZbsvKm0g2N/bfmCfmtOClFDst2yK/FovW5PJBRx2mT38qBhHG8j2 +P7zG0/vO846FxjAGvOMGlEVGmN+R9BeecomOKsKgvUbsycAwzZi/2vWAUGbJBYjx +Yd+K8wjPE8g5CumxaLSH/dlY/0BOZygjank+aHLrwMtNnplYVJmmqDhdbgwN6DDk +cCQNLQyk61IdhtZ7UzJyFTkXnXiirrO4WzL6GJjunNzvcTUAU5vNiG+2he1GdxZF +WiLRrcC+oIMWVST8fNRwJZU+Ibw/UIfEV/rHau0fJlxZatks7Qd8gjxSHIyElUVj +CYrizbFPZ85IhkCirX2tvhycK/nseAYjDuJkJIp3Io0sl3cQ9M8Kx790LUbYzNC4 +bZn8vA1YwTr1ny3+vEhMhaaVSTeVrWYV8023kwzcLRWra7F1hJcc9+LNmqHvXR67 +uBW2KPIrXKrjJmGkMVBSrf9PJu5jNfvCWOntck7C7xOWoUcgyt3uTpP7FkHVdolh +HFNPouS3w0HoB20zdCpmyFNs6Rjhey2r5JIttd6ATVRVYA== +=gJia +-----END PGP PUBLIC KEY BLOCK----- From 4b9ad61e03c18ae2687d49a365fb4e95ac2dbeec Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 7 May 2018 19:51:21 +0200 Subject: [PATCH 15/65] l icarus.r: add dpass & macchanger --- lass/1systems/icarus/config.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index b6a0822b9..f9754ee92 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -33,4 +33,9 @@ SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0" SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" ''; + + environment.systemPackages = with pkgs; [ + macchanger + dpass + ]; } From 2dc18fb83a0c8fcd9c4cb04de9470e73c29fcedd Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 7 May 2018 19:55:38 +0200 Subject: [PATCH 16/65] l prism.r: simplify lol.lassul.us nginx --- lass/1systems/prism/config.nix | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 90decc35e..d4be2faaf 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -367,15 +367,12 @@ in { lass.nichtparasoup.enable = true; services.nginx = { enable = true; - virtualHosts.lol = { + virtualHosts."lol.lassul.us" = { forceSSL = true; enableACME = true; locations."/".extraConfig = '' proxy_pass http://localhost:5001; ''; - serverAliases = [ - "lol.lassul.us" - ]; }; }; } From c0f7f7bab5447ebf95f4873f7ff9679938ff6d27 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 7 May 2018 19:56:26 +0200 Subject: [PATCH 17/65] l baseX: add dconf --- lass/2configs/baseX.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index e2e44b6fc..809297655 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -74,6 +74,7 @@ in { gi git-preview gitAndTools.qgit + gnome3.dconf lm_sensors mpv-poll much From e8c4f7c0e40a1612731ad9f68ef7f5bb1ec7ce1c Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 7 May 2018 19:57:44 +0200 Subject: [PATCH 18/65] l websites utils: forceSSL --- lass/2configs/websites/util.nix | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index 61b5543ce..a11e8e692 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -16,11 +16,7 @@ rec { in { services.nginx.virtualHosts.${domain} = { enableACME = true; - onlySSL = true; - extraConfig = '' - listen 80; - listen [::]:80; - ''; + forceSSL = true; serverAliases = domains; locations."/".extraConfig = '' root /srv/http/${domain}; @@ -87,12 +83,9 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - onlySSL = true; + forceSSL = true; serverAliases = domains; extraConfig = '' - listen 80; - listen [::]:80; - # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; @@ -201,12 +194,9 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - onlySSL = true; + forceSSL = true; serverAliases = domains; extraConfig = '' - listen 80; - listen [::]:80; - root /srv/http/${domain}/; index index.php; access_log /tmp/nginx_acc.log; From 06402dba84c42396a911ceff56c15a26b9f5ee9c Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 8 May 2018 08:28:21 +0200 Subject: [PATCH 19/65] l icarus.r: import wine.nix --- lass/1systems/icarus/config.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index f9754ee92..eb2be5869 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -17,6 +17,7 @@ + ]; krebs.build.host = config.krebs.hosts.icarus; @@ -38,4 +39,8 @@ macchanger dpass ]; + services.redshift = { + enable = true; + provider = "geoclue2"; + }; } From 603db72c0d4bb98ca0b56aa94fa69299123d784c Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 8 May 2018 08:30:10 +0200 Subject: [PATCH 20/65] l nichtparasoup: update default feeds --- lass/3modules/nichtparasoup.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lass/3modules/nichtparasoup.nix b/lass/3modules/nichtparasoup.nix index dd1419f24..14f4fffc8 100644 --- a/lass/3modules/nichtparasoup.nix +++ b/lass/3modules/nichtparasoup.nix @@ -24,9 +24,9 @@ with import ; [Sites] SoupIO: everyone Pr0gramm: new,top - Reddit: gifs,pics,aww,aww_gifs,reactiongifs,wtf,FoodPorn,cats,StarWars,ANormalDayInRussia,perfectloops,reallifedoodles + Reddit: gifs,reactiongifs,ANormalDayInRussia,perfectloops,reallifedoodles,bizarrebuildings,cablefail,cableporn,cableporn,cableporn,educationalgifs,EngineeringPorn,forbiddensnacks,holdmybeer,itsaunixsystem,loadingicon,michaelbaygifs,nononoyesno,oddlysatisfying,ofcoursethatsathing,OSHA,PeopleFuckingDying,PerfectTiming,PixelArt,RetroFuturism,robotsbeingjerks,scriptedasiangifs,shittyrobots,startrekstabilized,ThingsCutInHalfPorn,totallynotrobots,Unexpected NineGag: geeky,wtf,hot,trending - Instagram: cats,animals,nerdy_gaming_art,nature,wtf + Instagram: nature,wtf Fourchan: sci ''; }; From af75b96fbe412527c4bf9129de850bcab3e7c7cb Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 8 May 2018 08:31:53 +0200 Subject: [PATCH 21/65] l xmonad: change default layout order --- lass/5pkgs/custom/xmonad-lass/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/5pkgs/custom/xmonad-lass/default.nix b/lass/5pkgs/custom/xmonad-lass/default.nix index 18cb25b5b..868c1072a 100644 --- a/lass/5pkgs/custom/xmonad-lass/default.nix +++ b/lass/5pkgs/custom/xmonad-lass/default.nix @@ -90,7 +90,7 @@ main' = do myLayoutHook = defLayout where - defLayout = minimize $ ((avoidStruts $ Tall 1 (3/100) (1/2) ||| Full ||| Mirror (Tall 1 (3/100) (1/2))) ||| FixedColumn 2 80 80 1 ||| simplestFloat) + defLayout = minimize $ ((avoidStruts $ Mirror (Tall 1 (3/100) (1/2))) ||| Full ||| FixedColumn 2 80 80 1 ||| Tall 1 (3/100) (1/2) ||| simplestFloat) floatHooks :: Query (Endo WindowSet) floatHooks = composeAll . concat $ From edafe24e94252e2be936a760ce47485c8e4fa0af Mon Sep 17 00:00:00 2001 From: tv Date: Tue, 8 May 2018 19:25:59 +0200 Subject: [PATCH 22/65] tv nixpkgs: 53e6d67 -> 7cbf6ca --- tv/source.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tv/source.nix b/tv/source.nix index e5e5e0413..14527d956 100644 --- a/tv/source.nix +++ b/tv/source.nix @@ -16,8 +16,7 @@ in { nixos-config.symlink = "stockholm/tv/1systems/${name}/config.nix"; nixpkgs.git = { - # nixos-17.09 - ref = mkDefault "53e6d671a9662922080635482b7e1c418d2cdc72"; + ref = mkDefault "7cbf6ca1c84dfc917c1a99524e082fb677501844"; url = https://github.com/NixOS/nixpkgs; }; secrets.file = getAttr builder { From 47c0b0261eabdf230bfc7a375a3a008a04b61c4a Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 9 May 2018 11:11:50 +0200 Subject: [PATCH 23/65] krebs: 6tests -> 0tests --- krebs/{6tests => 0tests}/data/secrets/grafana_security.nix | 0 krebs/{6tests => 0tests}/data/secrets/hashedPasswords.nix | 0 krebs/{6tests => 0tests}/data/secrets/retiolum.rsa_key.priv | 0 .../data/secrets/shackspace-gitlab-ci-token.nix | 0 krebs/{6tests => 0tests}/data/secrets/ssh.id_ed25519 | 0 krebs/{6tests => 0tests}/data/test-config.nix | 0 krebs/{6tests => 0tests}/data/test-source.nix | 0 krebs/{6tests => 0tests}/default.nix | 0 krebs/{6tests => 0tests}/deploy.nix | 2 +- krebs/3modules/ci.nix | 2 +- krebs/kops.nix | 2 +- krebs/source.nix | 2 +- makefu/{6tests => 0tests}/data/secrets/auth.nix | 0 makefu/{6tests => 0tests}/data/secrets/bepasty-secret.nix | 0 .../data/secrets/bgt_cyberwar_hidden_service/hostname | 0 makefu/{6tests => 0tests}/data/secrets/daemon-pw | 0 .../data/secrets/dl.euer.krebsco.de-auth.nix | 0 makefu/{6tests => 0tests}/data/secrets/extra-hosts.nix | 0 makefu/{6tests => 0tests}/data/secrets/grafana_security.nix | 0 makefu/{6tests => 0tests}/data/secrets/hashedPasswords.nix | 0 makefu/{6tests => 0tests}/data/secrets/iodinepw.nix | 0 makefu/{6tests => 0tests}/data/secrets/kibana-auth.nix | 0 makefu/{6tests => 0tests}/data/secrets/nsupdate-data.nix | 0 makefu/{6tests => 0tests}/data/secrets/nsupdate-search.nix | 0 .../{6tests => 0tests}/data/secrets/retiolum-ci.rsa_key.priv | 0 makefu/{6tests => 0tests}/data/secrets/retiolum.rsa_key.priv | 0 makefu/{6tests => 0tests}/data/secrets/retiolum.rsa_key.pub | 0 makefu/{6tests => 0tests}/data/secrets/sambacred | 0 .../data/secrets/shackspace-gitlab-ci-token.nix | 0 makefu/{6tests => 0tests}/data/secrets/ssh.id_ed25519 | 0 makefu/{6tests => 0tests}/data/secrets/ssh.makefu.id_rsa | 0 makefu/{6tests => 0tests}/data/secrets/ssh.makefu.id_rsa.pub | 0 makefu/{6tests => 0tests}/data/secrets/ssh_host_ed25519_key | 0 makefu/{6tests => 0tests}/data/secrets/ssh_host_rsa_key | 0 makefu/{6tests => 0tests}/data/secrets/tinc.krebsco.de.crt | 0 makefu/{6tests => 0tests}/data/secrets/tinc.krebsco.de.key | 0 makefu/{6tests => 0tests}/data/secrets/tw-pass.ini | 0 .../{6tests => 0tests}/data/secrets/wildcard.krebsco.de.crt | 0 .../{6tests => 0tests}/data/secrets/wildcard.krebsco.de.key | 0 makefu/source.nix | 4 ++-- nin/{6tests => 0tests}/dummysecrets/hashedPasswords.nix | 0 nin/{6tests => 0tests}/dummysecrets/ssh.id_ed25519 | 0 nin/source.nix | 2 +- 43 files changed, 7 insertions(+), 7 deletions(-) rename krebs/{6tests => 0tests}/data/secrets/grafana_security.nix (100%) rename krebs/{6tests => 0tests}/data/secrets/hashedPasswords.nix (100%) rename krebs/{6tests => 0tests}/data/secrets/retiolum.rsa_key.priv (100%) rename krebs/{6tests => 0tests}/data/secrets/shackspace-gitlab-ci-token.nix (100%) rename krebs/{6tests => 0tests}/data/secrets/ssh.id_ed25519 (100%) rename krebs/{6tests => 0tests}/data/test-config.nix (100%) rename krebs/{6tests => 0tests}/data/test-source.nix (100%) rename krebs/{6tests => 0tests}/default.nix (100%) rename krebs/{6tests => 0tests}/deploy.nix (97%) rename makefu/{6tests => 0tests}/data/secrets/auth.nix (100%) rename makefu/{6tests => 0tests}/data/secrets/bepasty-secret.nix (100%) rename makefu/{6tests => 0tests}/data/secrets/bgt_cyberwar_hidden_service/hostname (100%) rename makefu/{6tests => 0tests}/data/secrets/daemon-pw (100%) rename makefu/{6tests => 0tests}/data/secrets/dl.euer.krebsco.de-auth.nix (100%) rename makefu/{6tests => 0tests}/data/secrets/extra-hosts.nix (100%) rename makefu/{6tests => 0tests}/data/secrets/grafana_security.nix (100%) rename makefu/{6tests => 0tests}/data/secrets/hashedPasswords.nix (100%) rename makefu/{6tests => 0tests}/data/secrets/iodinepw.nix (100%) rename makefu/{6tests => 0tests}/data/secrets/kibana-auth.nix (100%) rename makefu/{6tests => 0tests}/data/secrets/nsupdate-data.nix (100%) rename makefu/{6tests => 0tests}/data/secrets/nsupdate-search.nix (100%) rename makefu/{6tests => 0tests}/data/secrets/retiolum-ci.rsa_key.priv (100%) rename makefu/{6tests => 0tests}/data/secrets/retiolum.rsa_key.priv (100%) rename makefu/{6tests => 0tests}/data/secrets/retiolum.rsa_key.pub (100%) rename makefu/{6tests => 0tests}/data/secrets/sambacred (100%) rename makefu/{6tests => 0tests}/data/secrets/shackspace-gitlab-ci-token.nix (100%) rename makefu/{6tests => 0tests}/data/secrets/ssh.id_ed25519 (100%) rename makefu/{6tests => 0tests}/data/secrets/ssh.makefu.id_rsa (100%) rename makefu/{6tests => 0tests}/data/secrets/ssh.makefu.id_rsa.pub (100%) rename makefu/{6tests => 0tests}/data/secrets/ssh_host_ed25519_key (100%) rename makefu/{6tests => 0tests}/data/secrets/ssh_host_rsa_key (100%) rename makefu/{6tests => 0tests}/data/secrets/tinc.krebsco.de.crt (100%) rename makefu/{6tests => 0tests}/data/secrets/tinc.krebsco.de.key (100%) rename makefu/{6tests => 0tests}/data/secrets/tw-pass.ini (100%) rename makefu/{6tests => 0tests}/data/secrets/wildcard.krebsco.de.crt (100%) rename makefu/{6tests => 0tests}/data/secrets/wildcard.krebsco.de.key (100%) rename nin/{6tests => 0tests}/dummysecrets/hashedPasswords.nix (100%) rename nin/{6tests => 0tests}/dummysecrets/ssh.id_ed25519 (100%) diff --git a/krebs/6tests/data/secrets/grafana_security.nix b/krebs/0tests/data/secrets/grafana_security.nix similarity index 100% rename from krebs/6tests/data/secrets/grafana_security.nix rename to krebs/0tests/data/secrets/grafana_security.nix diff --git a/krebs/6tests/data/secrets/hashedPasswords.nix b/krebs/0tests/data/secrets/hashedPasswords.nix similarity index 100% rename from krebs/6tests/data/secrets/hashedPasswords.nix rename to krebs/0tests/data/secrets/hashedPasswords.nix diff --git a/krebs/6tests/data/secrets/retiolum.rsa_key.priv b/krebs/0tests/data/secrets/retiolum.rsa_key.priv similarity index 100% rename from krebs/6tests/data/secrets/retiolum.rsa_key.priv rename to krebs/0tests/data/secrets/retiolum.rsa_key.priv diff --git a/krebs/6tests/data/secrets/shackspace-gitlab-ci-token.nix b/krebs/0tests/data/secrets/shackspace-gitlab-ci-token.nix similarity index 100% rename from krebs/6tests/data/secrets/shackspace-gitlab-ci-token.nix rename to krebs/0tests/data/secrets/shackspace-gitlab-ci-token.nix diff --git a/krebs/6tests/data/secrets/ssh.id_ed25519 b/krebs/0tests/data/secrets/ssh.id_ed25519 similarity index 100% rename from krebs/6tests/data/secrets/ssh.id_ed25519 rename to krebs/0tests/data/secrets/ssh.id_ed25519 diff --git a/krebs/6tests/data/test-config.nix b/krebs/0tests/data/test-config.nix similarity index 100% rename from krebs/6tests/data/test-config.nix rename to krebs/0tests/data/test-config.nix diff --git a/krebs/6tests/data/test-source.nix b/krebs/0tests/data/test-source.nix similarity index 100% rename from krebs/6tests/data/test-source.nix rename to krebs/0tests/data/test-source.nix diff --git a/krebs/6tests/default.nix b/krebs/0tests/default.nix similarity index 100% rename from krebs/6tests/default.nix rename to krebs/0tests/default.nix diff --git a/krebs/6tests/deploy.nix b/krebs/0tests/deploy.nix similarity index 97% rename from krebs/6tests/deploy.nix rename to krebs/0tests/deploy.nix index 156e9239f..d96963500 100644 --- a/krebs/6tests/deploy.nix +++ b/krebs/0tests/deploy.nix @@ -3,7 +3,7 @@ import ({ ... }: let pkgs = import { overlays = [(import ../5pkgs)]; }; - test-config = ; + test-config = ; privKey = '' -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW diff --git a/krebs/3modules/ci.nix b/krebs/3modules/ci.nix index bb19f0602..e97aa16eb 100644 --- a/krebs/3modules/ci.nix +++ b/krebs/3modules/ci.nix @@ -147,7 +147,7 @@ in "dummy_secrets": "true", }, command=[ - "nix-build", "-I", "stockholm=.", "krebs/6tests", + "nix-build", "-I", "stockholm=.", "krebs/0tests", "-A", "{}".format(test) ], timeout=90001 diff --git a/krebs/kops.nix b/krebs/kops.nix index abd60ee5a..561b017b9 100644 --- a/krebs/kops.nix +++ b/krebs/kops.nix @@ -38,7 +38,7 @@ secrets = if test then { - file = toString ; + file = toString ; } else { pass = { diff --git a/krebs/source.nix b/krebs/source.nix index 3ee12b37f..49f464f61 100644 --- a/krebs/source.nix +++ b/krebs/source.nix @@ -14,7 +14,7 @@ in { nixos-config.symlink = "stockholm/krebs/1systems/${name}/config.nix"; secrets = getAttr builder { - buildbot.file = toString ; + buildbot.file = toString ; krebs.pass = { dir = "${getEnv "HOME"}/brain"; name = "krebs-secrets/${name}"; diff --git a/makefu/6tests/data/secrets/auth.nix b/makefu/0tests/data/secrets/auth.nix similarity index 100% rename from makefu/6tests/data/secrets/auth.nix rename to makefu/0tests/data/secrets/auth.nix diff --git a/makefu/6tests/data/secrets/bepasty-secret.nix b/makefu/0tests/data/secrets/bepasty-secret.nix similarity index 100% rename from makefu/6tests/data/secrets/bepasty-secret.nix rename to makefu/0tests/data/secrets/bepasty-secret.nix diff --git a/makefu/6tests/data/secrets/bgt_cyberwar_hidden_service/hostname b/makefu/0tests/data/secrets/bgt_cyberwar_hidden_service/hostname similarity index 100% rename from makefu/6tests/data/secrets/bgt_cyberwar_hidden_service/hostname rename to makefu/0tests/data/secrets/bgt_cyberwar_hidden_service/hostname diff --git a/makefu/6tests/data/secrets/daemon-pw b/makefu/0tests/data/secrets/daemon-pw similarity index 100% rename from makefu/6tests/data/secrets/daemon-pw rename to makefu/0tests/data/secrets/daemon-pw diff --git a/makefu/6tests/data/secrets/dl.euer.krebsco.de-auth.nix b/makefu/0tests/data/secrets/dl.euer.krebsco.de-auth.nix similarity index 100% rename from makefu/6tests/data/secrets/dl.euer.krebsco.de-auth.nix rename to makefu/0tests/data/secrets/dl.euer.krebsco.de-auth.nix diff --git a/makefu/6tests/data/secrets/extra-hosts.nix b/makefu/0tests/data/secrets/extra-hosts.nix similarity index 100% rename from makefu/6tests/data/secrets/extra-hosts.nix rename to makefu/0tests/data/secrets/extra-hosts.nix diff --git a/makefu/6tests/data/secrets/grafana_security.nix b/makefu/0tests/data/secrets/grafana_security.nix similarity index 100% rename from makefu/6tests/data/secrets/grafana_security.nix rename to makefu/0tests/data/secrets/grafana_security.nix diff --git a/makefu/6tests/data/secrets/hashedPasswords.nix b/makefu/0tests/data/secrets/hashedPasswords.nix similarity index 100% rename from makefu/6tests/data/secrets/hashedPasswords.nix rename to makefu/0tests/data/secrets/hashedPasswords.nix diff --git a/makefu/6tests/data/secrets/iodinepw.nix b/makefu/0tests/data/secrets/iodinepw.nix similarity index 100% rename from makefu/6tests/data/secrets/iodinepw.nix rename to makefu/0tests/data/secrets/iodinepw.nix diff --git a/makefu/6tests/data/secrets/kibana-auth.nix b/makefu/0tests/data/secrets/kibana-auth.nix similarity index 100% rename from makefu/6tests/data/secrets/kibana-auth.nix rename to makefu/0tests/data/secrets/kibana-auth.nix diff --git a/makefu/6tests/data/secrets/nsupdate-data.nix b/makefu/0tests/data/secrets/nsupdate-data.nix similarity index 100% rename from makefu/6tests/data/secrets/nsupdate-data.nix rename to makefu/0tests/data/secrets/nsupdate-data.nix diff --git a/makefu/6tests/data/secrets/nsupdate-search.nix b/makefu/0tests/data/secrets/nsupdate-search.nix similarity index 100% rename from makefu/6tests/data/secrets/nsupdate-search.nix rename to makefu/0tests/data/secrets/nsupdate-search.nix diff --git a/makefu/6tests/data/secrets/retiolum-ci.rsa_key.priv b/makefu/0tests/data/secrets/retiolum-ci.rsa_key.priv similarity index 100% rename from makefu/6tests/data/secrets/retiolum-ci.rsa_key.priv rename to makefu/0tests/data/secrets/retiolum-ci.rsa_key.priv diff --git a/makefu/6tests/data/secrets/retiolum.rsa_key.priv b/makefu/0tests/data/secrets/retiolum.rsa_key.priv similarity index 100% rename from makefu/6tests/data/secrets/retiolum.rsa_key.priv rename to makefu/0tests/data/secrets/retiolum.rsa_key.priv diff --git a/makefu/6tests/data/secrets/retiolum.rsa_key.pub b/makefu/0tests/data/secrets/retiolum.rsa_key.pub similarity index 100% rename from makefu/6tests/data/secrets/retiolum.rsa_key.pub rename to makefu/0tests/data/secrets/retiolum.rsa_key.pub diff --git a/makefu/6tests/data/secrets/sambacred b/makefu/0tests/data/secrets/sambacred similarity index 100% rename from makefu/6tests/data/secrets/sambacred rename to makefu/0tests/data/secrets/sambacred diff --git a/makefu/6tests/data/secrets/shackspace-gitlab-ci-token.nix b/makefu/0tests/data/secrets/shackspace-gitlab-ci-token.nix similarity index 100% rename from makefu/6tests/data/secrets/shackspace-gitlab-ci-token.nix rename to makefu/0tests/data/secrets/shackspace-gitlab-ci-token.nix diff --git a/makefu/6tests/data/secrets/ssh.id_ed25519 b/makefu/0tests/data/secrets/ssh.id_ed25519 similarity index 100% rename from makefu/6tests/data/secrets/ssh.id_ed25519 rename to makefu/0tests/data/secrets/ssh.id_ed25519 diff --git a/makefu/6tests/data/secrets/ssh.makefu.id_rsa b/makefu/0tests/data/secrets/ssh.makefu.id_rsa similarity index 100% rename from makefu/6tests/data/secrets/ssh.makefu.id_rsa rename to makefu/0tests/data/secrets/ssh.makefu.id_rsa diff --git a/makefu/6tests/data/secrets/ssh.makefu.id_rsa.pub b/makefu/0tests/data/secrets/ssh.makefu.id_rsa.pub similarity index 100% rename from makefu/6tests/data/secrets/ssh.makefu.id_rsa.pub rename to makefu/0tests/data/secrets/ssh.makefu.id_rsa.pub diff --git a/makefu/6tests/data/secrets/ssh_host_ed25519_key b/makefu/0tests/data/secrets/ssh_host_ed25519_key similarity index 100% rename from makefu/6tests/data/secrets/ssh_host_ed25519_key rename to makefu/0tests/data/secrets/ssh_host_ed25519_key diff --git a/makefu/6tests/data/secrets/ssh_host_rsa_key b/makefu/0tests/data/secrets/ssh_host_rsa_key similarity index 100% rename from makefu/6tests/data/secrets/ssh_host_rsa_key rename to makefu/0tests/data/secrets/ssh_host_rsa_key diff --git a/makefu/6tests/data/secrets/tinc.krebsco.de.crt b/makefu/0tests/data/secrets/tinc.krebsco.de.crt similarity index 100% rename from makefu/6tests/data/secrets/tinc.krebsco.de.crt rename to makefu/0tests/data/secrets/tinc.krebsco.de.crt diff --git a/makefu/6tests/data/secrets/tinc.krebsco.de.key b/makefu/0tests/data/secrets/tinc.krebsco.de.key similarity index 100% rename from makefu/6tests/data/secrets/tinc.krebsco.de.key rename to makefu/0tests/data/secrets/tinc.krebsco.de.key diff --git a/makefu/6tests/data/secrets/tw-pass.ini b/makefu/0tests/data/secrets/tw-pass.ini similarity index 100% rename from makefu/6tests/data/secrets/tw-pass.ini rename to makefu/0tests/data/secrets/tw-pass.ini diff --git a/makefu/6tests/data/secrets/wildcard.krebsco.de.crt b/makefu/0tests/data/secrets/wildcard.krebsco.de.crt similarity index 100% rename from makefu/6tests/data/secrets/wildcard.krebsco.de.crt rename to makefu/0tests/data/secrets/wildcard.krebsco.de.crt diff --git a/makefu/6tests/data/secrets/wildcard.krebsco.de.key b/makefu/0tests/data/secrets/wildcard.krebsco.de.key similarity index 100% rename from makefu/6tests/data/secrets/wildcard.krebsco.de.key rename to makefu/0tests/data/secrets/wildcard.krebsco.de.key diff --git a/makefu/source.nix b/makefu/source.nix index 40aeac8b6..1039ba654 100644 --- a/makefu/source.nix +++ b/makefu/source.nix @@ -45,7 +45,7 @@ in }; secrets = getAttr builder { - buildbot.file = toString ; + buildbot.file = toString ; makefu.pass = { inherit name; dir = "${getEnv "HOME"}/.secrets-pass"; @@ -79,7 +79,7 @@ in (mkIf ( torrent ) { torrent-secrets = getAttr builder { - buildbot.file = toString ; + buildbot.file = toString ; makefu.pass = { name = "torrent"; dir = "${getEnv "HOME"}/.secrets-pass"; diff --git a/nin/6tests/dummysecrets/hashedPasswords.nix b/nin/0tests/dummysecrets/hashedPasswords.nix similarity index 100% rename from nin/6tests/dummysecrets/hashedPasswords.nix rename to nin/0tests/dummysecrets/hashedPasswords.nix diff --git a/nin/6tests/dummysecrets/ssh.id_ed25519 b/nin/0tests/dummysecrets/ssh.id_ed25519 similarity index 100% rename from nin/6tests/dummysecrets/ssh.id_ed25519 rename to nin/0tests/dummysecrets/ssh.id_ed25519 diff --git a/nin/source.nix b/nin/source.nix index 9fb2cb390..ae13c5583 100644 --- a/nin/source.nix +++ b/nin/source.nix @@ -13,7 +13,7 @@ in evalSource (toString _file) { nixos-config.symlink = "stockholm/nin/1systems/${name}/config.nix"; secrets.file = getAttr builder { - buildbot = toString ; + buildbot = toString ; nin = "/home/nin/secrets/${name}"; }; stockholm.file = toString ; From ce3a38dab187cbe085f83ea92771aa47bcdf709b Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 10 May 2018 10:50:29 +0200 Subject: [PATCH 24/65] thesauron: init --- krebs/5pkgs/simple/thesauron/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 krebs/5pkgs/simple/thesauron/default.nix diff --git a/krebs/5pkgs/simple/thesauron/default.nix b/krebs/5pkgs/simple/thesauron/default.nix new file mode 100644 index 000000000..99ab2b728 --- /dev/null +++ b/krebs/5pkgs/simple/thesauron/default.nix @@ -0,0 +1,7 @@ +{ fetchgit, callPackage }: let + src = fetchgit { + url = "https://github.com/krebscode/thesauron"; + rev = "8ac22588cf2c20465e3c9348e7ce04885599c2a5"; + "sha256"= "1ivkjl235dnm5aaqqvarnxkz7zh0gvah22b0fqwlsflrcd5wmgva"; + }; +in callPackage src {} From 079396f9e11573228bd6cf498f161c49660a7549 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 12 May 2018 15:18:15 +0200 Subject: [PATCH 25/65] l icarus.r: enable adb --- lass/1systems/icarus/config.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index eb2be5869..59cd12afb 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -43,4 +43,5 @@ enable = true; provider = "geoclue2"; }; + programs.adb.enable = true; } From 0c0d527bec3a6a3d6435203253edb2ef27f9655b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 12 May 2018 15:51:24 +0200 Subject: [PATCH 26/65] l: hw config into physical.nix --- lass/1systems/cabal/config.nix | 15 ----- lass/1systems/cabal/physical.nix | 12 ++++ lass/1systems/daedalus/config.nix | 15 ----- lass/1systems/daedalus/physical.nix | 20 +++++++ lass/1systems/dishfire/config.nix | 34 ------------ lass/1systems/dishfire/physical.nix | 39 +++++++++++++ lass/1systems/helios/config.nix | 56 +------------------ lass/1systems/helios/physical.nix | 65 ++++++++++++++++++++++ lass/1systems/icarus/config.nix | 15 ----- lass/1systems/icarus/physical.nix | 20 +++++++ lass/1systems/littleT/config.nix | 15 ----- lass/1systems/littleT/physical.nix | 7 +++ lass/1systems/mors/config.nix | 39 ------------- lass/1systems/mors/physical.nix | 44 +++++++++++++++ lass/1systems/prism/config.nix | 83 +--------------------------- lass/1systems/prism/physical.nix | 85 +++++++++++++++++++++++++++++ lass/1systems/red/config.nix | 2 - lass/1systems/red/physical.nix | 7 +++ lass/1systems/shodan/config.nix | 42 -------------- lass/1systems/shodan/physical.nix | 47 ++++++++++++++++ lass/1systems/skynet/config.nix | 15 ----- lass/1systems/skynet/physical.nix | 12 ++++ lass/1systems/uriel/config.nix | 55 ------------------- lass/1systems/uriel/physical.nix | 59 ++++++++++++++++++++ lass/1systems/xerxes/config.nix | 24 -------- lass/1systems/xerxes/physical.nix | 29 ++++++++++ 26 files changed, 448 insertions(+), 408 deletions(-) create mode 100644 lass/1systems/cabal/physical.nix create mode 100644 lass/1systems/daedalus/physical.nix create mode 100644 lass/1systems/dishfire/physical.nix create mode 100644 lass/1systems/helios/physical.nix create mode 100644 lass/1systems/icarus/physical.nix create mode 100644 lass/1systems/littleT/physical.nix create mode 100644 lass/1systems/mors/physical.nix create mode 100644 lass/1systems/prism/physical.nix create mode 100644 lass/1systems/red/physical.nix create mode 100644 lass/1systems/shodan/physical.nix create mode 100644 lass/1systems/skynet/physical.nix create mode 100644 lass/1systems/uriel/physical.nix create mode 100644 lass/1systems/xerxes/physical.nix diff --git a/lass/1systems/cabal/config.nix b/lass/1systems/cabal/config.nix index 9ac3cb681..b117b5116 100644 --- a/lass/1systems/cabal/config.nix +++ b/lass/1systems/cabal/config.nix @@ -3,8 +3,6 @@ { imports = [ - - @@ -19,17 +17,4 @@ ]; krebs.build.host = config.krebs.hosts.cabal; - - #fileSystems = { - # "/bku" = { - # device = "/dev/mapper/pool-bku"; - # fsType = "btrfs"; - # options = ["defaults" "noatime" "ssd" "compress=lzo"]; - # }; - #}; - - #services.udev.extraRules = '' - # SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0" - # SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" - #''; } diff --git a/lass/1systems/cabal/physical.nix b/lass/1systems/cabal/physical.nix new file mode 100644 index 000000000..3cc4af03b --- /dev/null +++ b/lass/1systems/cabal/physical.nix @@ -0,0 +1,12 @@ +{ + imports = [ + ./config.nix + + + ]; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:45:85:ac", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:62:2b:1b", NAME="et0" + ''; +} diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index c15fcdc21..eafc0d06c 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -4,8 +4,6 @@ with import ; { imports = [ - - @@ -94,17 +92,4 @@ with import ; ''; krebs.build.host = config.krebs.hosts.daedalus; - - fileSystems = { - "/bku" = { - device = "/dev/mapper/pool-bku"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" - ''; } diff --git a/lass/1systems/daedalus/physical.nix b/lass/1systems/daedalus/physical.nix new file mode 100644 index 000000000..33a0cb473 --- /dev/null +++ b/lass/1systems/daedalus/physical.nix @@ -0,0 +1,20 @@ +{ + imports = [ + ./config.nix + + + ]; + + fileSystems = { + "/bku" = { + device = "/dev/mapper/pool-bku"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" + ''; +} diff --git a/lass/1systems/dishfire/config.nix b/lass/1systems/dishfire/config.nix index 7993c763e..3d5f32180 100644 --- a/lass/1systems/dishfire/config.nix +++ b/lass/1systems/dishfire/config.nix @@ -4,41 +4,7 @@ imports = [ - - { - boot.loader.grub = { - device = "/dev/vda"; - splashImage = null; - }; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "ehci_pci" - "uhci_hcd" - "virtio_pci" - "virtio_blk" - ]; - - fileSystems."/" = { - device = "/dev/mapper/pool-nix"; - fsType = "ext4"; - }; - - fileSystems."/srv/http" = { - device = "/dev/pool/srv_http"; - fsType = "ext4"; - }; - - fileSystems."/boot" = { - device = "/dev/vda1"; - fsType = "ext4"; - }; - fileSystems."/bku" = { - device = "/dev/pool/bku"; - fsType = "ext4"; - }; - } { networking.dhcpcd.allowInterfaces = [ "enp*" diff --git a/lass/1systems/dishfire/physical.nix b/lass/1systems/dishfire/physical.nix new file mode 100644 index 000000000..64e3904e0 --- /dev/null +++ b/lass/1systems/dishfire/physical.nix @@ -0,0 +1,39 @@ +{ config, lib, pkgs, ... }: +{ + imports = [ + ./config.nix + + ]; + + boot.loader.grub = { + device = "/dev/vda"; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "ehci_pci" + "uhci_hcd" + "virtio_pci" + "virtio_blk" + ]; + + fileSystems."/" = { + device = "/dev/mapper/pool-nix"; + fsType = "ext4"; + }; + + fileSystems."/srv/http" = { + device = "/dev/pool/srv_http"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/vda1"; + fsType = "ext4"; + }; + fileSystems."/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; +} diff --git a/lass/1systems/helios/config.nix b/lass/1systems/helios/config.nix index 759bb6d06..bd7f75c3e 100644 --- a/lass/1systems/helios/config.nix +++ b/lass/1systems/helios/config.nix @@ -12,48 +12,12 @@ with import ; # TODO fix krebs.git.rules.[definition 2-entry 2].lass not defined # - + # - { # automatic hardware detection - boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; - boot.kernelModules = [ "kvm-intel" ]; - - fileSystems."/" = { - device = "/dev/pool/root"; - fsType = "btrfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/1F60-17C6"; - fsType = "vfat"; - }; - - fileSystems."/home" = { - device = "/dev/pool/home"; - fsType = "btrfs"; - }; - - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - - nix.maxJobs = lib.mkDefault 8; - } - { # crypto stuff - boot.initrd.luks = { - cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - devices = [{ - name = "luksroot"; - device = "/dev/nvme0n1p3"; - }]; - }; - } { services.xserver.dpi = 200; fonts.fontconfig.dpi = 200; @@ -99,13 +63,6 @@ with import ; } ]; - # Use the systemd-boot EFI boot loader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - - networking.wireless.enable = true; - hardware.enableRedistributableFirmware = true; - environment.systemPackages = with pkgs; [ ag vim @@ -124,17 +81,6 @@ with import ; services.tlp.enable = true; - services.xserver.videoDrivers = [ "nvidia" ]; - services.xserver.xrandrHeads = [ - { output = "DP-2"; primary = true; } - { output = "DP-4"; monitorConfig = ''Option "Rotate" "left"''; } - { output = "DP-0"; } - ]; - - services.xserver.displayManager.sessionCommands = '' - ${pkgs.xorg.xrandr}/bin/xrandr --output DP-6 --off --output DP-5 --off --output DP-4 --mode 2560x1440 --pos 3840x0 --rotate left --output DP-3 --off --output DP-2 --primary --mode 3840x2160 --scale 0.5x0.5 --pos 0x400 --rotate normal --output DP-1 --off --output DP-0 --mode 2560x1440 --pos 5280x1120 --rotate normal - ''; - networking.hostName = lib.mkForce "BLN02NB0162"; security.pki.certificateFiles = [ diff --git a/lass/1systems/helios/physical.nix b/lass/1systems/helios/physical.nix new file mode 100644 index 000000000..549506c29 --- /dev/null +++ b/lass/1systems/helios/physical.nix @@ -0,0 +1,65 @@ +{ + imports = [ + ./config.nix + { # automatic hardware detection + boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.kernelModules = [ "kvm-intel" ]; + + fileSystems."/" = { + device = "/dev/pool/root"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/1F60-17C6"; + fsType = "vfat"; + }; + + fileSystems."/home" = { + device = "/dev/pool/home"; + fsType = "btrfs"; + }; + + fileSystems."/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + + nix.maxJobs = lib.mkDefault 8; + } + { # crypto stuff + boot.initrd.luks = { + cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + devices = [{ + name = "luksroot"; + device = "/dev/nvme0n1p3"; + }]; + }; + } + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + + networking.wireless.enable = true; + hardware.enableRedistributableFirmware = true; + + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="f8:59:71:a9:05:65", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="54:e1:ad:4f:06:83", NAME="et0" + ''; + + services.xserver.videoDrivers = [ "nvidia" ]; + services.xserver.xrandrHeads = [ + { output = "DP-2"; primary = true; } + { output = "DP-4"; monitorConfig = ''Option "Rotate" "left"''; } + { output = "DP-0"; } + ]; + + services.xserver.displayManager.sessionCommands = '' + ${pkgs.xorg.xrandr}/bin/xrandr --output DP-6 --off --output DP-5 --off --output DP-4 --mode 2560x1440 --pos 3840x0 --rotate left --output DP-3 --off --output DP-2 --primary --mode 3840x2160 --scale 0.5x0.5 --pos 0x400 --rotate normal --output DP-1 --off --output DP-0 --mode 2560x1440 --pos 5280x1120 --rotate normal + ''; +} diff --git a/lass/1systems/icarus/config.nix b/lass/1systems/icarus/config.nix index 59cd12afb..d54bd3e9e 100644 --- a/lass/1systems/icarus/config.nix +++ b/lass/1systems/icarus/config.nix @@ -3,8 +3,6 @@ { imports = [ - - @@ -22,19 +20,6 @@ krebs.build.host = config.krebs.hosts.icarus; - fileSystems = { - "/bku" = { - device = "/dev/mapper/pool-bku"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" - ''; - environment.systemPackages = with pkgs; [ macchanger dpass diff --git a/lass/1systems/icarus/physical.nix b/lass/1systems/icarus/physical.nix new file mode 100644 index 000000000..6cc77a47d --- /dev/null +++ b/lass/1systems/icarus/physical.nix @@ -0,0 +1,20 @@ +{ + imports = [ + ./config.nix + + + ]; + + fileSystems = { + "/bku" = { + device = "/dev/mapper/pool-bku"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:a0:0c", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" + ''; +} diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix index ef19e8d16..44617d3e7 100644 --- a/lass/1systems/littleT/config.nix +++ b/lass/1systems/littleT/config.nix @@ -4,8 +4,6 @@ with import ; { imports = [ - - @@ -68,17 +66,4 @@ with import ; ''; krebs.build.host = config.krebs.hosts.littleT; - - #fileSystems = { - # "/bku" = { - # device = "/dev/mapper/pool-bku"; - # fsType = "btrfs"; - # options = ["defaults" "noatime" "ssd" "compress=lzo"]; - # }; - #}; - - #services.udev.extraRules = '' - # SUBSYSTEM=="net", ATTR{address}=="08:11:96:0a:5d:6c", NAME="wl0" - # SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:71:cb:35", NAME="et0" - #''; } diff --git a/lass/1systems/littleT/physical.nix b/lass/1systems/littleT/physical.nix new file mode 100644 index 000000000..9776211ae --- /dev/null +++ b/lass/1systems/littleT/physical.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./config.nix + + + ]; +} diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 586a957cf..2e6c8bc8a 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -4,8 +4,6 @@ with import ; { imports = [ - - @@ -88,43 +86,6 @@ with import ; krebs.build.host = config.krebs.hosts.mors; - fileSystems = { - "/bku" = { - device = "/dev/mapper/pool-bku"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - "/home/virtual" = { - device = "/dev/mapper/pool-virtual"; - fsType = "ext4"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:e8:c8", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:8a:78", NAME="et0" - ''; - - #TODO activationScripts seem broken, fix them! - #activationScripts - #split up and move into base - system.activationScripts.powertopTunables = '' - #Runtime PMs - echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' - echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' - ''; - environment.systemPackages = with pkgs; [ acronym brain diff --git a/lass/1systems/mors/physical.nix b/lass/1systems/mors/physical.nix new file mode 100644 index 000000000..f99d6bd52 --- /dev/null +++ b/lass/1systems/mors/physical.nix @@ -0,0 +1,44 @@ +{ + imports = [ + ./config.nix + + + ]; + + fileSystems = { + "/bku" = { + device = "/dev/mapper/pool-bku"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + "/home/virtual" = { + device = "/dev/mapper/pool-virtual"; + fsType = "ext4"; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:e8:c8", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:8a:78", NAME="et0" + ''; + + #TODO activationScripts seem broken, fix them! + #activationScripts + #split up and move into base + system.activationScripts.powertopTunables = '' + #Runtime PMs + echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control' + echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control' + ''; +} diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index d4be2faaf..c7b877deb 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -1,90 +1,9 @@ { config, lib, pkgs, ... }: with import ; -let - ip = config.krebs.build.host.nets.internet.ip4.addr; - -in { +{ imports = [ - { - networking.interfaces.et0.ipv4.addresses = [ - { - address = ip; - prefixLength = 27; - } - { - address = "46.4.114.243"; - prefixLength = 27; - } - ]; - networking.defaultGateway = "46.4.114.225"; - networking.nameservers = [ - "8.8.8.8" - ]; - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" - ''; - } - { - imports = [ ]; - - boot.loader.grub = { - devices = [ - "/dev/sda" - "/dev/sdb" - ]; - splashImage = null; - }; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "vmw_pvscsi" - "ahci" "sd_mod" - ]; - - boot.kernelModules = [ "kvm-intel" ]; - - fileSystems."/" = { - device = "/dev/pool/nix_root"; - fsType = "ext4"; - }; - - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - - fileSystems."/var/download" = { - device = "/dev/pool/download"; - fsType = "ext4"; - }; - - fileSystems."/srv/http" = { - device = "/dev/pool/http"; - fsType = "ext4"; - }; - - fileSystems."/home" = { - device = "/dev/pool/home"; - fsType = "ext4"; - }; - - fileSystems."/bku" = { - device = "/dev/pool/bku"; - fsType = "ext4"; - }; - - swapDevices = [ - { label = "swap1"; } - { label = "swap2"; } - ]; - - sound.enable = false; - nixpkgs.config.allowUnfree = true; - time.timeZone = "Europe/Berlin"; - } { diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix new file mode 100644 index 000000000..83f127c22 --- /dev/null +++ b/lass/1systems/prism/physical.nix @@ -0,0 +1,85 @@ +{ config, lib, pkgs, ... }: +{ + imports = [ + ./config.nix + { + networking.interfaces.et0.ipv4.addresses = [ + { + address = config.krebs.build.host.nets.internet.ip4.addr; + prefixLength = 27; + } + { + address = "46.4.114.243"; + prefixLength = 27; + } + ]; + networking.defaultGateway = "46.4.114.225"; + networking.nameservers = [ + "8.8.8.8" + ]; + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" + ''; + } + { + imports = [ ]; + + boot.loader.grub = { + devices = [ + "/dev/sda" + "/dev/sdb" + ]; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + "ahci" "sd_mod" + ]; + + boot.kernelModules = [ "kvm-intel" ]; + + fileSystems."/" = { + device = "/dev/pool/nix_root"; + fsType = "ext4"; + }; + + fileSystems."/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + + fileSystems."/var/download" = { + device = "/dev/pool/download"; + fsType = "ext4"; + }; + + fileSystems."/srv/http" = { + device = "/dev/pool/http"; + fsType = "ext4"; + }; + + fileSystems."/home" = { + device = "/dev/pool/home"; + fsType = "ext4"; + }; + + fileSystems."/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; + + swapDevices = [ + { label = "swap1"; } + { label = "swap2"; } + ]; + + sound.enable = false; + nixpkgs.config.allowUnfree = true; + time.timeZone = "Europe/Berlin"; + } + ]; + +} diff --git a/lass/1systems/red/config.nix b/lass/1systems/red/config.nix index 31e2de966..04bbf1ee8 100644 --- a/lass/1systems/red/config.nix +++ b/lass/1systems/red/config.nix @@ -20,8 +20,6 @@ in ]; krebs.build.host = config.krebs.hosts.red; - boot.isContainer = true; - networking.useDHCP = false; services.nginx.enable = true; environment.variables.NIX_REMOTE = "daemon"; diff --git a/lass/1systems/red/physical.nix b/lass/1systems/red/physical.nix new file mode 100644 index 000000000..b6aa3a894 --- /dev/null +++ b/lass/1systems/red/physical.nix @@ -0,0 +1,7 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = false; +} diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 42a46c5f5..8405b0f1f 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -4,8 +4,6 @@ with import ; { imports = [ - #TODO reinstall with correct layout and use lass/hw/x220 - @@ -22,46 +20,6 @@ with import ; krebs.build.host = config.krebs.hosts.shodan; - boot = { - loader.grub.enable = true; - loader.grub.version = 2; - loader.grub.device = "/dev/sda"; - - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; - }; - fileSystems = { - "/" = { - device = "/dev/pool/nix"; - fsType = "btrfs"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - "/home" = { - device = "/dev/mapper/pool-home"; - fsType = "btrfs"; - options = ["defaults" "noatime" "ssd" "compress=lzo"]; - }; - "/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - "/bku" = { - device = "/dev/pool/bku"; - fsType = "btrfs"; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" - ''; - services.logind.extraConfig = '' HandleLidSwitch=ignore ''; diff --git a/lass/1systems/shodan/physical.nix b/lass/1systems/shodan/physical.nix new file mode 100644 index 000000000..4a550d0a4 --- /dev/null +++ b/lass/1systems/shodan/physical.nix @@ -0,0 +1,47 @@ +{ + #TODO reinstall with correct layout and use lass/hw/x220 + imports = [ + ./config.nix + + ]; + + boot = { + loader.grub.enable = true; + loader.grub.version = 2; + loader.grub.device = "/dev/sda"; + + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + #kernelModules = [ "kvm-intel" "msr" ]; + }; + fileSystems = { + "/" = { + device = "/dev/pool/nix"; + fsType = "btrfs"; + }; + + "/boot" = { + device = "/dev/sda1"; + }; + "/home" = { + device = "/dev/mapper/pool-home"; + fsType = "btrfs"; + options = ["defaults" "noatime" "ssd" "compress=lzo"]; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + "/bku" = { + device = "/dev/pool/bku"; + fsType = "btrfs"; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="a0:88:b4:29:26:bc", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:0c:a7:63", NAME="et0" + ''; +} diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index b2210282f..b6c08f797 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -3,8 +3,6 @@ with import ; { imports = [ - - # @@ -46,17 +44,4 @@ with import ; services.logind.extraConfig = '' HandleLidSwitch=ignore ''; - - #fileSystems = { - # "/bku" = { - # device = "/dev/mapper/pool-bku"; - # fsType = "btrfs"; - # options = ["defaults" "noatime" "ssd" "compress=lzo"]; - # }; - #}; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0" - ''; } diff --git a/lass/1systems/skynet/physical.nix b/lass/1systems/skynet/physical.nix new file mode 100644 index 000000000..358e1f511 --- /dev/null +++ b/lass/1systems/skynet/physical.nix @@ -0,0 +1,12 @@ +{ + imports = [ + ./config.nix + + + ]; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:a6:44:04", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:d1:90:fc", NAME="et0" + ''; +} diff --git a/lass/1systems/uriel/config.nix b/lass/1systems/uriel/config.nix index 70bef9883..3eddcfc52 100644 --- a/lass/1systems/uriel/config.nix +++ b/lass/1systems/uriel/config.nix @@ -41,60 +41,5 @@ with import ; ]; krebs.build.host = config.krebs.hosts.uriel; - - hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; - - boot = { - #kernelParams = [ - # "acpi.brightness_switch_enabled=0" - #]; - #loader.grub.enable = true; - #loader.grub.version = 2; - #loader.grub.device = "/dev/sda"; - - loader.systemd-boot.enable = true; - loader.timeout = 5; - - initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; - initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; - initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; - #kernelModules = [ "kvm-intel" "msr" ]; - kernelModules = [ "msr" ]; - }; - fileSystems = { - "/" = { - device = "/dev/pool/root"; - fsType = "ext4"; - }; - - "/bku" = { - device = "/dev/pool/bku"; - fsType = "ext4"; - }; - - "/boot" = { - device = "/dev/sda1"; - }; - "/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - }; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" - ''; - - services.xserver.synaptics = { - enable = true; - twoFingerScroll = true; - accelFactor = "0.035"; - additionalOptions = '' - Option "FingerHigh" "60" - Option "FingerLow" "60" - ''; - }; } diff --git a/lass/1systems/uriel/physical.nix b/lass/1systems/uriel/physical.nix new file mode 100644 index 000000000..9ac3468a8 --- /dev/null +++ b/lass/1systems/uriel/physical.nix @@ -0,0 +1,59 @@ +{ + imports = [ + ./config.nix + ]; + + hardware.enableAllFirmware = true; + boot = { + #kernelParams = [ + # "acpi.brightness_switch_enabled=0" + #]; + #loader.grub.enable = true; + #loader.grub.version = 2; + #loader.grub.device = "/dev/sda"; + + loader.systemd-boot.enable = true; + loader.timeout = 5; + + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + #kernelModules = [ "kvm-intel" "msr" ]; + kernelModules = [ "msr" ]; + }; + fileSystems = { + "/" = { + device = "/dev/pool/root"; + fsType = "ext4"; + }; + + "/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/sda1"; + }; + "/tmp" = { + device = "tmpfs"; + fsType = "tmpfs"; + options = ["nosuid" "nodev" "noatime"]; + }; + }; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" + ''; + + services.xserver.synaptics = { + enable = true; + twoFingerScroll = true; + accelFactor = "0.035"; + additionalOptions = '' + Option "FingerHigh" "60" + Option "FingerLow" "60" + ''; + }; +} diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix index 0669748f5..1bd6cf2c5 100644 --- a/lass/1systems/xerxes/config.nix +++ b/lass/1systems/xerxes/config.nix @@ -3,8 +3,6 @@ { imports = [ - - @@ -15,26 +13,4 @@ ]; krebs.build.host = config.krebs.hosts.xerxes; - - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0" - ''; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437"; - fsType = "btrfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/16C8-D053"; - fsType = "vfat"; - }; - - fileSystems."/home" = { - device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358"; - fsType = "btrfs"; - }; - - boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ]; - networking.wireless.enable = true; } diff --git a/lass/1systems/xerxes/physical.nix b/lass/1systems/xerxes/physical.nix new file mode 100644 index 000000000..17caccfe6 --- /dev/null +++ b/lass/1systems/xerxes/physical.nix @@ -0,0 +1,29 @@ +{ + imports = [ + ./config.nix + + + ]; + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0" + ''; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437"; + fsType = "btrfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/16C8-D053"; + fsType = "vfat"; + }; + + fileSystems."/home" = { + device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358"; + fsType = "btrfs"; + }; + + boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ]; + + networking.wireless.enable = true; +} From 178ee92dcab1955b06c19ddb941957c098716ec0 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 12 May 2018 15:53:04 +0200 Subject: [PATCH 27/65] l kops: nix-config is physical.nix --- lass/kops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/kops.nix b/lass/kops.nix index 9d0ab911a..2dda0e8fb 100644 --- a/lass/kops.nix +++ b/lass/kops.nix @@ -8,7 +8,7 @@ source = { test }: lib.evalSource [ krebs-source { - nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; + nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix"; secrets = if test then { file = "/home/lass/stockholm/lass/2configs/tests/dummy-secrets"; } else { From 8b1d1b8d913004951e0c2fd46c6b7d2a3c27148a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 13 May 2018 19:35:28 +0200 Subject: [PATCH 28/65] l git: don't announce nixos-aws --- lass/2configs/git.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 43085ba5e..f9e326333 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -57,17 +57,17 @@ let cgit.desc = "Fork of nix-user-chroot my lethalman"; cgit.section = "software"; }; + krops = { + cgit.desc = "krebs deployment"; + cgit.section = "software"; + }; + } // mapAttrs make-public-repo-silent { nixos-aws = { collaborators = [ { name = "fabio"; pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDFst8DvnfOu4pQJYxcwdf//jWTvP+jj0iSrOdt59c9Gbujm/8K1mBXhcSQhHj/GBRC1Qc1wipf9qZsWnEHMI+SRwq6tDr8gqlAcdWmHAs1bU96jJtc8EgmUKbXTFG/VmympMPi4cEbNUtH93v6NUjQKwq9szvDhhqSW4Y8zE32xLkySwobQapNaUrGAtQp3eTxu5Lkx+cEaaartaAspt8wSosXjUHUJktg0O5/XOP+CiWAx89AXxbQCy4XTQvUExoRGdw9sdu0lF0/A0dF4lFF/dDUS7+avY8MrKEcQ8Fwk8NcW1XrKMmCdNdpvou0whL9aHCdTJ+522dsSB1zZWh63Si4CrLKlc1TiGKCXdvzmCYrD+6WxbPJdRpMM4dFNtpAwhCm/dM+CBXfDkP0s5veFiYvp1ri+3hUqV/sep9r5/+d+5/R1gQs8WDNjWqcshveFbD5LxE6APEySB4QByGxIrw7gFbozE+PNxtlVP7bq4MyE6yIzL6ofQgO1e4THquPcqSCfCvyib5M2Q1phi5DETlMemWp84AsNkqbhRa4BGRycuOXXrBzE+RgQokcIY7t3xcu3q0xJo2+HxW/Lqi72zYU1NdT4nJMETEaG49FfIAnUuoVaQWWvOz8mQuVEmmdw2Yzo2ikILYSUdHTp1VPOeo6aNPvESkPw1eM0xDRlQ== ada"; } ]; }; - krops = { - cgit.desc = "krebs deployment"; - cgit.section = "software"; - }; - } // mapAttrs make-public-repo-silent { }; restricted-repos = mapAttrs make-restricted-repo ( From 3d815f1becbc5c9c4a7e6d40a644bc18f69af5ee Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 13 May 2018 19:39:19 +0200 Subject: [PATCH 29/65] l source: nix-config is physical.nix --- lass/source.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/source.nix b/lass/source.nix index 1d840f38f..e7991da2a 100644 --- a/lass/source.nix +++ b/lass/source.nix @@ -12,7 +12,7 @@ host@{ name, secure ? false, override ? {} }: let in evalSource (toString _file) [ { - nixos-config.symlink = "stockholm/lass/1systems/${name}/config.nix"; + nixos-config.symlink = "stockholm/lass/1systems/${name}/physical.nix"; nixpkgs = (import host).nixpkgs; secrets = getAttr builder { buildbot.file = toString ; From 8642d7c3bcd6edcfc63a3837b4985dd7380bfdb2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 13 May 2018 19:52:22 +0200 Subject: [PATCH 30/65] l helios.r: remove maxJobs --- lass/1systems/helios/physical.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/lass/1systems/helios/physical.nix b/lass/1systems/helios/physical.nix index 549506c29..a224f81df 100644 --- a/lass/1systems/helios/physical.nix +++ b/lass/1systems/helios/physical.nix @@ -25,8 +25,6 @@ fsType = "tmpfs"; options = ["nosuid" "nodev" "noatime"]; }; - - nix.maxJobs = lib.mkDefault 8; } { # crypto stuff boot.initrd.luks = { From 364c99bd295e2a44170991cd94d39a1cd546a128 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 13 May 2018 20:38:10 +0200 Subject: [PATCH 31/65] l helios.r: import pkgs --- lass/1systems/helios/physical.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/1systems/helios/physical.nix b/lass/1systems/helios/physical.nix index a224f81df..a5212454f 100644 --- a/lass/1systems/helios/physical.nix +++ b/lass/1systems/helios/physical.nix @@ -1,3 +1,4 @@ +{ pkgs, ... }: { imports = [ ./config.nix From 619131d246ead21ba001644be82686ce31138773 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 13 May 2018 22:27:15 +0200 Subject: [PATCH 32/65] l git: add icarus to admin users --- lass/2configs/git.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index f9e326333..712a15342 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -121,7 +121,7 @@ let with git // config.krebs.users; repo: singleton { - user = [ lass lass-shodan ]; + user = [ lass lass-shodan lass-icarus ]; repo = [ repo ]; perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ From aa1fef9f93027aaa3ee074821e82002d81dcf712 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 09:36:37 +0200 Subject: [PATCH 33/65] nixpkgs: b50443b -> ef74caf --- krebs/kops.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/kops.nix b/krebs/kops.nix index 561b017b9..add1a359c 100644 --- a/krebs/kops.nix +++ b/krebs/kops.nix @@ -13,7 +13,7 @@ krebs-source = { nixpkgs.git = { - ref = "b50443b5c4ac0f382c49352a892b9d5d970eb4e7"; + ref = "ef74cafd3e5914fdadd08bf20303328d72d65d6c"; url = https://github.com/NixOS/nixpkgs; }; stockholm.file = toString ../.; From 91b1eec4162bf16ce3c4ae698cebd7236b968f9f Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 22:04:59 +0200 Subject: [PATCH 34/65] l: set 32bit dri in games.nix --- lass/2configs/games.nix | 1 + lass/2configs/steam.nix | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix index 3ee3a98a5..81f53bf69 100644 --- a/lass/2configs/games.nix +++ b/lass/2configs/games.nix @@ -80,6 +80,7 @@ in { }; }; + hardware.opengl.driSupport32Bit = true; hardware.pulseaudio.support32Bit = true; security.sudo.extraConfig = '' diff --git a/lass/2configs/steam.nix b/lass/2configs/steam.nix index 225ddd308..e1b523e3a 100644 --- a/lass/2configs/steam.nix +++ b/lass/2configs/steam.nix @@ -10,8 +10,6 @@ # source: https://nixos.org/wiki/Talk:Steam # ##TODO: make steam module - hardware.opengl.driSupport32Bit = true; - nixpkgs.config.steam.java = true; environment.systemPackages = with pkgs; [ steam From 9e95c2b2d12cf18fcda266cc3b69d685d288b77f Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 22:05:49 +0200 Subject: [PATCH 35/65] l baseX: add thesauron --- lass/2configs/baseX.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 809297655..a387f2c5d 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -69,11 +69,12 @@ in { environment.systemPackages = with pkgs; [ acpi bank + cabal2nix dic dmenu gi - git-preview gitAndTools.qgit + git-preview gnome3.dconf lm_sensors mpv-poll @@ -87,19 +88,18 @@ in { rxvt_unicode_with-plugins slock sxiv - timewarrior taskwarrior termite + thesauron + timewarrior xclip + xephyrify xorg.xbacklight xorg.xhost xsel youtube-tools yt-next zathura - - cabal2nix - xephyrify ]; fonts.fonts = with pkgs; [ From aecf06a8bfa5e5d444bff6d5c4430250a2684d34 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 22:06:50 +0200 Subject: [PATCH 36/65] l websites domsen: remove old, add new --- lass/2configs/websites/domsen.nix | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 7a72499c9..c75cc81fc 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -26,12 +26,7 @@ in { ./default.nix ./sqlBackup.nix (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) - (servePage [ - "habsys.de" - "habsys.eu" - "www.habsys.de" - "www.habsys.eu" - ]) + (servePage [ "freemonkey.art" ]) (serveOwncloud [ "o.ubikmedia.de" ]) (serveWordpress [ "ubikmedia.de" From cb41b35641eba3c0e88c87604072405ecc8fc5f7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 22:09:50 +0200 Subject: [PATCH 37/65] l websites domsen: add akayguen --- lass/2configs/websites/domsen.nix | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index c75cc81fc..4e8361a17 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -115,6 +115,7 @@ in { { from = "jms@ubikmedia.eu"; to = "jms"; } { from = "ms@ubikmedia.eu"; to = "ms"; } { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } + { from = "akayguen@freemonkey.art"; to ="akayguen"; } { from = "testuser@lassul.us"; to = "testuser"; } { from = "testuser@ubikmedia.eu"; to = "testuser"; } @@ -172,5 +173,12 @@ in { createHome = true; }; + users.users.akayguen = { + uid = genid_signed "akayguen"; + home = "/home/akayguen"; + useDefaultShell = true; + createHome = true; + }; + } From 3fc6ff613ff9a1c5e439d6061a2580271dcfc368 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 22:15:54 +0200 Subject: [PATCH 38/65] l mails: add elitedangerous@lassul.us --- lass/2configs/exim-smarthost.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index e05ed2427..fe79ce82b 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -80,6 +80,7 @@ with import ; { from = "hetzner@lassul.us"; to = lass.mail; } { from = "allygator@lassul.us"; to = lass.mail; } { from = "immoscout@lassul.us"; to = lass.mail; } + { from = "elitedangerous@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } From efb7452a0c5f0d4109ae188dc6abda46a20e394c Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 22:20:08 +0200 Subject: [PATCH 39/65] l websites util: make ssl optional again --- lass/2configs/websites/util.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix index a11e8e692..816449c14 100644 --- a/lass/2configs/websites/util.nix +++ b/lass/2configs/websites/util.nix @@ -16,7 +16,7 @@ rec { in { services.nginx.virtualHosts.${domain} = { enableACME = true; - forceSSL = true; + addSSL = true; serverAliases = domains; locations."/".extraConfig = '' root /srv/http/${domain}; @@ -83,7 +83,7 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - forceSSL = true; + addSSL = true; serverAliases = domains; extraConfig = '' # Add headers to serve security related headers @@ -194,7 +194,7 @@ rec { in { services.nginx.virtualHosts."${domain}" = { enableACME = true; - forceSSL = true; + addSSL = true; serverAliases = domains; extraConfig = '' root /srv/http/${domain}/; From 4cdffe8351ecc47b5b34797660f7644935004c95 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 14 May 2018 22:25:26 +0200 Subject: [PATCH 40/65] l nichtparasoup: remove some feeds --- lass/3modules/nichtparasoup.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/3modules/nichtparasoup.nix b/lass/3modules/nichtparasoup.nix index 14f4fffc8..632481b69 100644 --- a/lass/3modules/nichtparasoup.nix +++ b/lass/3modules/nichtparasoup.nix @@ -24,7 +24,7 @@ with import ; [Sites] SoupIO: everyone Pr0gramm: new,top - Reddit: gifs,reactiongifs,ANormalDayInRussia,perfectloops,reallifedoodles,bizarrebuildings,cablefail,cableporn,cableporn,cableporn,educationalgifs,EngineeringPorn,forbiddensnacks,holdmybeer,itsaunixsystem,loadingicon,michaelbaygifs,nononoyesno,oddlysatisfying,ofcoursethatsathing,OSHA,PeopleFuckingDying,PerfectTiming,PixelArt,RetroFuturism,robotsbeingjerks,scriptedasiangifs,shittyrobots,startrekstabilized,ThingsCutInHalfPorn,totallynotrobots,Unexpected + Reddit: gifs,reactiongifs,ANormalDayInRussia,perfectloops,reallifedoodles,bizarrebuildings,cablefail,cableporn,educationalgifs,EngineeringPorn,holdmybeer,itsaunixsystem,loadingicon,michaelbaygifs,nononoyesno,oddlysatisfying,ofcoursethatsathing,OSHA,PeopleFuckingDying,PerfectTiming,PixelArt,RetroFuturism,robotsbeingjerks,scriptedasiangifs,shittyrobots,startrekstabilized,ThingsCutInHalfPorn,totallynotrobots,Unexpected NineGag: geeky,wtf,hot,trending Instagram: nature,wtf Fourchan: sci From 942375e134fd70876ee81924ff83955473883cad Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 May 2018 17:26:19 +0200 Subject: [PATCH 41/65] l: add blue.r --- krebs/3modules/lass/default.nix | 30 ++++++++++++++++++++++++++++++ lass/1systems/blue/config.nix | 11 +++++++++++ lass/1systems/blue/physical.nix | 8 ++++++++ lass/1systems/blue/source.nix | 4 ++++ 4 files changed, 53 insertions(+) create mode 100644 lass/1systems/blue/config.nix create mode 100644 lass/1systems/blue/physical.nix create mode 100644 lass/1systems/blue/source.nix diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index aa0b43f9a..029a0a890 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -671,6 +671,36 @@ with import ; ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp"; }; + blue = { + cores = 1; + nets = { + retiolum = { + ip4.addr = "10.243.0.77"; + ip6.addr = "42:0:0:0:0:0:0:77"; + aliases = [ + "blue.r" + ]; + tinc.pubkey = '' + -----BEGIN PUBLIC KEY----- + MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA28b+WMiQaWbwUPcJlacd + QwyX4PvVm9WItPmmNy+RE2y0Mf04LxZ7RLm5+e0wPuhXXQyhZ06CNd6tjeaKfXUc + sNeC1Vjuh1hsyYJLR5Xf/YRNJQKoaHjbkXGt+rSK7PPuCcsUPOSZSEAgHYVvcFzM + wWE4kTDcBZeISB4+yLmPIZXhnDImRRMEurFNRiocoMmEIu/zyYVq8rnlTl972Agu + PMGo1HqVxCouEWstRvtX5tJmV8yruRbH4tADAruLXErLLwUAx/AYDNRjY1TYYetJ + RoaxejmZVVIvR+hWaDLkHZO89+to6wS5IVChs1anFxMNN6Chq2v8Bb2Nyy1oG/H/ + HzXxj1Rn7CN9es5Wl0UX4h9Zg+hfspoI75lQ509GLusYOyFwgmFF02eMpxgHBiWm + khSJzPkFdYJKUKaZI0nQEGGsFJOe/Se5jj70x3Q5XEuUoQqyahAqwQIYh6uwhbuP + 49RBPHpE+ry6smhUPLTitrRsqeBU4RZRNsUAYyCbwyAH1i+K3Q5PSovgPtlHVr2N + w+VZCzsrtOY2fxXw0e+mncrx/Qga62s4m6a/dyukA5RytA9f6bBsvSTqr7/EQTs6 + ZEBoPudk7ULNEbfjmJtBkeG7wKIlpgzVg/JaCAwMuSgVjrpIHrZmjOVvmOwB8W6J + Ch/o7chVljAwW4JmyRnhZbMCAwEAAQ== + -----END PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv"; + }; }; users = { lass = { diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix new file mode 100644 index 000000000..b068c34b0 --- /dev/null +++ b/lass/1systems/blue/config.nix @@ -0,0 +1,11 @@ +with import ; +{ config, lib, pkgs, ... }: +{ + imports = [ + + + + ]; + + krebs.build.host = config.krebs.hosts.blue; +} diff --git a/lass/1systems/blue/physical.nix b/lass/1systems/blue/physical.nix new file mode 100644 index 000000000..7499ff723 --- /dev/null +++ b/lass/1systems/blue/physical.nix @@ -0,0 +1,8 @@ +{ + imports = [ + ./config.nix + ]; + boot.isContainer = true; + networking.useDHCP = false; + environment.variables.NIX_REMOTE = "daemon"; +} diff --git a/lass/1systems/blue/source.nix b/lass/1systems/blue/source.nix new file mode 100644 index 000000000..d8b979812 --- /dev/null +++ b/lass/1systems/blue/source.nix @@ -0,0 +1,4 @@ +import { + name = "blue"; + secure = true; +} From b39efc716232405abf3cfaa95f77e7025f6d3d1d Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 May 2018 17:29:32 +0200 Subject: [PATCH 42/65] l mors.r: enable libvirtd --- lass/1systems/mors/config.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 2e6c8bc8a..de6963eb5 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -186,4 +186,5 @@ with import ; RandomizedDelaySec = "5h"; }; }); + virtualisation.libvirtd.enable = true; } From f1349ff0bb4c12fd57076d31eaf634568ec1f818 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 May 2018 17:30:17 +0200 Subject: [PATCH 43/65] l mors.r: new hardware --- lass/1systems/mors/physical.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lass/1systems/mors/physical.nix b/lass/1systems/mors/physical.nix index f99d6bd52..580252000 100644 --- a/lass/1systems/mors/physical.nix +++ b/lass/1systems/mors/physical.nix @@ -18,8 +18,8 @@ }; services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="00:24:d7:f0:e8:c8", NAME="wl0" - SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:8f:8a:78", NAME="et0" + SUBSYSTEM=="net", ATTR{address}=="5a:37:e4:6e:1f:9d", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:c4:7a:f1", NAME="et0" ''; #TODO activationScripts seem broken, fix them! From dbcdae5e38bddcb7683ae115c222c098d8e3c6a5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 May 2018 17:31:13 +0200 Subject: [PATCH 44/65] l red: NIX_REMOTE should be in physical.nix --- lass/1systems/red/config.nix | 1 - lass/1systems/red/physical.nix | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/1systems/red/config.nix b/lass/1systems/red/config.nix index 04bbf1ee8..3139e94a2 100644 --- a/lass/1systems/red/config.nix +++ b/lass/1systems/red/config.nix @@ -22,7 +22,6 @@ in krebs.build.host = config.krebs.hosts.red; services.nginx.enable = true; - environment.variables.NIX_REMOTE = "daemon"; environment.systemPackages = [ pkgs.mk_sql_pair ]; diff --git a/lass/1systems/red/physical.nix b/lass/1systems/red/physical.nix index b6aa3a894..7499ff723 100644 --- a/lass/1systems/red/physical.nix +++ b/lass/1systems/red/physical.nix @@ -4,4 +4,5 @@ ]; boot.isContainer = true; networking.useDHCP = false; + environment.variables.NIX_REMOTE = "daemon"; } From 2e7bcebfd07080db071f07c3ad8e42e136857c31 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 May 2018 17:32:00 +0200 Subject: [PATCH 45/65] l container-networking: set ipv4.ip_forward --- lass/2configs/container-networking.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix index 3dae3420d..98b56bd41 100644 --- a/lass/2configs/container-networking.nix +++ b/lass/2configs/container-networking.nix @@ -1,4 +1,4 @@ -{ ... }: +{ lib, ... }: { #krebs.iptables.tables.filter.INPUT.rules = [ @@ -24,4 +24,5 @@ { v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; } { v6 = false; predicate = "-s 10.233.2.0/24 ! -d 10.233.2.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; } ]; + boot.kernel.sysctl."net.ipv4.ip_forward" = lib.mkDefault 1; } From dca292c905b09eff69e0219472c7846a55a0bb72 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 May 2018 17:32:29 +0200 Subject: [PATCH 46/65] l l-gen-secrets: fix secret paths --- lass/5pkgs/l-gen-secrets/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix index 4b25fbd4c..b6cb2ec7e 100644 --- a/lass/5pkgs/l-gen-secrets/default.nix +++ b/lass/5pkgs/l-gen-secrets/default.nix @@ -17,9 +17,9 @@ pkgs.writeDashBin "l-gen-secrets" '' cd $TMPDIR for x in *; do - ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m krebs-secrets/$HOSTNAME/$x > /dev/null + ${pkgs.coreutils}/bin/cat $x | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/$x > /dev/null done - echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m hosts/$HOSTNAME/pass > /dev/null + echo $PASSWORD | ${pkgs.pass}/bin/pass insert -m admin/$HOSTNAME/pass > /dev/null cat < Date: Wed, 16 May 2018 20:19:08 +0200 Subject: [PATCH 47/65] l: add lass-blue user --- krebs/3modules/lass/default.nix | 9 +++++++-- krebs/3modules/lass/ssh/blue.rsa | 1 + 2 files changed, 8 insertions(+), 2 deletions(-) create mode 100644 krebs/3modules/lass/ssh/blue.rsa diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 029a0a890..4aae26e13 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -702,8 +702,13 @@ with import ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILSBxtPf8yJfzzI7/iYpoRSc/TT+zYmE/HM9XWS3MZlv"; }; }; - users = { - lass = { + users = rec { + lass = lass-mors; + lass-blue = { + mail = "lass@blue.r"; + pubkey = builtins.readFile ./ssh/blue.rsa; + }; + lass-mors = { mail = "lass@mors.r"; pubkey = builtins.readFile ./ssh/mors.rsa; pgp.pubkeys.default = builtins.readFile ./pgp/mors.pgp; diff --git a/krebs/3modules/lass/ssh/blue.rsa b/krebs/3modules/lass/ssh/blue.rsa new file mode 100644 index 000000000..c0bf9b817 --- /dev/null +++ b/krebs/3modules/lass/ssh/blue.rsa @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgHYLHcHSumTUr0jTu1XmmwRMqjLHYvo4AYuEg1QdishDbwU5KCqarSf7sxLTjeBgOugHP/oJZclin+e9GTQ5hlBEtc26IVQqirNVD1BCZrt/y5ok0p8p+2Rhzh89kfRI6Etp+8cPbot4h3Vg6tY57icKn3visaMdH0cI2pAQbPWwSY+cmyXU5cfcFC8ahcZpEgth4ycC5yM/qdHxZek2wN+58ApgjEjuvTD6y4iXqdWmqHVoGaeNV7OFiiKVaYoJND1igHLNw2VEQR5aPsmc8gadBtGIQb43YqObNBDWwMjvozmQVFPycMmMTDwA1n+IWxvwz34KEzyw5jQShUTCRDji4vK58WfC16fPLbW+ohCe+9Yyg7TRdjDFA5jTA3rFM7tZS8EhpLgyHupNi1GbUVmeyhqTdWp+H66u5zTzC5Q/PYOk1M0D/X/C6dXyIcB4lLr9mDTGvS1aOZVZJuDF4pLyI2oZzaySALjcofCJyNpBBUtUXHsiT4VNuJExl4XEXjvQKnPKojEzpTsK1rm/ZSa3vBCv0gBbjQ8uU1q86ODIDy35q2GQvsLMkAbduBLeA9m1EdZXLYComSfVLalArw3Q+4vd/FHhoOicVkrwIzcPiYg9uQZm2NrjiBkYlWCdXTFc49ghIDrPXLnwwWqPuZcs430u6Somk8XzuRZBC7ZDdjbiS5D8vQkDThQrmmFPRs+bp1N9VkC+LaBtFnbFaYARF6i2yFUD9YNSEEu2r14u+KGlg5P7ndIkE+BhAOIp4XcHejVFWfvKvYpMRZ4LDVkPIJdmZ4gIIfGbdBNMv1zRsX6O0NOhiEP1pNYb+HdY5R2YYIvtxn1sC/TrjoN3ELAQA9YBszHEaYjvmqHh08/CWCEpgHIagCccYdSzbtM9GsoAcePL4E7kqSZxIfbNjrYQEBEQbu16pj7bMxVhH8QaouOdjiioqr2tBr5HwA05HP1poGProOzsmJxdph7pb4hJ1P+OEeuwTRIVLudYYl6iBajGW2IdsUo+xGANpuPBpQyB4RajJ4XcXP8K3xVY6x7DfH3DwKfCFAc6KzyADa2xw7/uwBRi2HOyKazkPe5ESYLWY29krqH2tO+IYkgm5tAEkf79j4R9aCeZe/HyjPDlSPZ2NwAZpWKJFkBTveiwoe2noZSAeVKrcblFN5ic0or+ci+CSbmctce8mbqB7QHEJJh5flLDzBMIuh4eroH/Dp5MBbDqxu/T8yCCRHFz70KXpaIFSGlSIebTRt1Om9+CWTgTp95cM0HrAhZDnN/W9FRdAFsA/IjEJ2Eh3tHpdvFZ3XgIq52MrHJdopQo7KUoOVhJiFCo5L0PcKNRVpMbcCKVk1i9k8jqyM9AVgwGrnijiaafUaFmBIlC/U2FZZ+KRtIyDcIRrnGGKE7DEyhBQ9YavxpOFDDSXuC5aPjMNcSGydGArtDd5+5Yp0YraY0oe6UTuzypsxdI8W6IbePryvEeOXG5b/6YayC2sq+7wRconaa9DU= lass@blue From 2ed1a763c8db130262394649a0cc0ca3eb6cf8f2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 May 2018 20:19:57 +0200 Subject: [PATCH 48/65] l: don't redirect ssh port from inner networks --- lass/2configs/container-networking.nix | 12 +++--------- lass/2configs/libvirt.nix | 3 +++ 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix index 98b56bd41..f04e4342d 100644 --- a/lass/2configs/container-networking.nix +++ b/lass/2configs/container-networking.nix @@ -1,12 +1,6 @@ { lib, ... }: { - #krebs.iptables.tables.filter.INPUT.rules = [ - # { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 53"; target = "ACCEPT"; } - # { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 53"; target = "ACCEPT"; } - # { v6 = false; predicate = "-i ve-+ -p udp -m udp --dport 67"; target = "ACCEPT"; } - # { v6 = false; predicate = "-i ve-+ -p tcp -m tcp --dport 67"; target = "ACCEPT"; } - #]; krebs.iptables.tables.filter.FORWARD.rules = [ { v6 = false; predicate = "-d 10.233.2.0/24 -o ve-+ -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } { v6 = false; predicate = "-s 10.233.2.0/24 -i ve-+"; target = "ACCEPT"; } @@ -14,9 +8,9 @@ { v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; - #krebs.iptables.tables.filter.OUTPUT.rules = [ - # { v6 = false; predicate = "-o ve-+ -p udp -m udp --dport 68"; target = "ACCEPT"; } - #]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; } + ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; } { v6 = false; predicate = "-s 10.233.2.0/24 -d 255.255.255.255"; target = "RETURN"; } diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix index a71638323..78d5ae0e9 100644 --- a/lass/2configs/libvirt.nix +++ b/lass/2configs/libvirt.nix @@ -20,6 +20,9 @@ krebs.iptables.tables.filter.OUTPUT.rules = [ { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; } ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; } + ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; } { v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; } From 82704cb35cd74f58c3246f39f89d3e13267b716b Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 May 2018 23:07:27 +0200 Subject: [PATCH 49/65] l AP: use network bridge --- lass/2configs/AP.nix | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix index 5ce7cfff8..dfffbfdf9 100644 --- a/lass/2configs/AP.nix +++ b/lass/2configs/AP.nix @@ -6,7 +6,7 @@ in { boot.extraModulePackages = [ pkgs.linuxPackages.rtl8814au ]; - networking.networkmanager.unmanaged = [ wifi ]; + networking.networkmanager.unmanaged = [ wifi "et0" ]; systemd.services.hostapd = { description = "hostapd wireless AP"; @@ -38,12 +38,17 @@ in { }; }; - networking.interfaces.${wifi}.ipv4.addresses = [ + networking.bridges.br0.interfaces = [ + wifi + "et0" + ]; + + networking.interfaces.br0.ipv4.addresses = [ { address = "10.99.0.1"; prefixLength = 24; } ]; services.dhcpd4 = { enable = true; - interfaces = [ wifi ]; + interfaces = [ "br0" ]; extraConfig = '' option subnet-mask 255.255.255.0; option routers 10.99.0.1; @@ -56,11 +61,12 @@ in { boot.kernel.sysctl."net.ipv4.ip_forward" = 1; krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - { v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; } - { v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; } - { v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; } - { v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; } + { v6 = false; predicate = "-d 10.99.0.0/24 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + { v6 = false; predicate = "-s 10.99.0.0/24 -i br0"; target = "ACCEPT"; } + { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; } + { v6 = false; predicate = "-i br0 -o br0"; target = "ACCEPT"; } + { v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; } + { v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; krebs.iptables.tables.nat.PREROUTING.rules = [ { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; } From 72a094546e6a934fa57950ebc0d5f0bdaa21bd49 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 16 May 2018 23:08:00 +0200 Subject: [PATCH 50/65] l: add blue to authorizedKeys --- lass/2configs/default.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 12a814605..ed97b4897 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -19,7 +19,8 @@ with import ; users.extraUsers = { root = { openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey + config.krebs.users.lass-mors.pubkey + config.krebs.users.lass-blue.pubkey config.krebs.users.lass-shodan.pubkey config.krebs.users.lass-icarus.pubkey config.krebs.users.lass-xerxes.pubkey @@ -38,7 +39,8 @@ with import ; "wheel" ]; openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey + config.krebs.users.lass-mors.pubkey + config.krebs.users.lass-blue.pubkey config.krebs.users.lass-shodan.pubkey config.krebs.users.lass-icarus.pubkey ]; From e437f49a1b604f92d875a1209b4e4f9f5b46c893 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 17 May 2018 18:54:51 +0200 Subject: [PATCH 51/65] l: add blue.pgp --- krebs/3modules/lass/default.nix | 1 + krebs/3modules/lass/pgp/blue.pgp | 51 ++++++++++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 krebs/3modules/lass/pgp/blue.pgp diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 4aae26e13..e921b1ec4 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -707,6 +707,7 @@ with import ; lass-blue = { mail = "lass@blue.r"; pubkey = builtins.readFile ./ssh/blue.rsa; + pgp.pubkeys.default = builtins.readFile ./pgp/blue.pgp; }; lass-mors = { mail = "lass@mors.r"; diff --git a/krebs/3modules/lass/pgp/blue.pgp b/krebs/3modules/lass/pgp/blue.pgp new file mode 100644 index 000000000..e7a1ac0e1 --- /dev/null +++ b/krebs/3modules/lass/pgp/blue.pgp @@ -0,0 +1,51 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFr9fAEBEACz2E2E7uBulVBBtPmk9IR2yB+uAWSe8Hi7vNiGc1Dbs40jzWuy +AqouqyC5xnVw66+cQaYOsgXiwencmu/cFEV2x2uRLDVh1E/fvc8yxAOizEIY0jm/ +WZ/4IWvTZLVPF3BOhM4p/HGNbdZhRc4RoljLTB34VuY1KSMhs3Vx7n3HgZzdbD7D +itUFU4oY5CnkQp4yl1Htat08cZmbD51VTZB1hDw2Uea+VuMQ/ImRtTqW+Ss4xyPA +DwUE/vRM3CKwBvcjbNL3uUqc5dtZuvruuFeK3ScmdNLytcgXqJzLlwuzHmSt/Tnc +DQZWKGiHnMvrAOkMEvsmiKhboWSAq4sRUPhISqZ7MSvPfhaH5Gcmhi+hL8FZhGY0 +qF7MNLHoimw6MBV6FIIA0vCDn2p5Vwc7L+LqLjWqAvxdfVoeUJjUWbWWNNWg4Tw7 +9e7rAR86e4AvhCZRubRn1aOfKGF5vg/El98OeIwBFQHpr7uznKfjmAEpoGveV+vG +amptMCBAr4Hw76U708XWOQkZ2GDY9cfdxUllhAmmPrNQ/OcT2b4x0xKvMi4nA5G8 +PBOFErkS61zNxsHgpFe2isG+VDqYLfeQhOdB101Qn6IHw3KxyW85CwImUpdRLMUi +0wtcA7M5GB94HRZ8qW6LtFBjwqm2NGudB0alfIWIq7KuRMXus3sJKQ2gDQARAQAB +tBlsYXNzQGJsdWUuciA8bGFzc0BibHVlLnI+iQJOBBMBCAA4FiEEuOpc8JA44Pd5 +NXyK8UJeZkL6H7wFAlr9fAECGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ +8UJeZkL6H7ygPQ/+JydbB0IX64ojm34YaeWKVdM5D7JFBdNuKgbAMf0Uhcja6YcU +0YRvuOPpw4lNZqV/1yxDXGHJrVfGolq6uz28oWr+9VUD8QXH9ODm1EMLsU8Jb1Nh +SE+rWSAhEmdw8l9Bi12wq4v/z/JC93/VJLnBGOL8LDEsJ9OatUw71KIt/a50ERoz +uCZbMeLPym8WqSK1kjQehL5pj97BzxmBNpFYwqaniTAuqTN6bhs2ws+k89vjaWIP +T+bEqsJV/vR9KZcNlmKlTQwbsjQ1BZ9EuV4EBL6IAMrqxDeY3mFnT+EpkabfIVSh +38KmG+4PZDXaj6rCsrsH2pUKaZ/Z6Mr3lmFb/1aaK3xKiQyxcMrbcixIIVI8ihTM +HUC3DFFlA7+02b67QomWFLRiZid4gCry7xhZyryQJkN2l20fzRjWf0myzcPO0qxc +y39gUyEqy1oeaffCc1QgDJH2Hvf+P9StyMZIulNuCKJ9tfQR5nkkDAy/2p405Lmf +mdKOMha6bZ+mA5HbmjMqwyFPHEtU6t/mUhlh7mYqNYAJikuqV00N6nTKVrBb2IfK +atoHeUcmvMWBGL7+x3zxwf2pnum6a5iDES2ir87ltOGKGDeMt2Y/Ap30P+uZGnn1 +AiRu2bGkCiQ/WH1StJhAhJeleUfdbOa7/voc14nl3rewqyhqYd8dlI+TWAu5Ag0E +Wv18AQEQAOFMwY2ky5TyRrDqJosq0y/9+8D6RiXlyOnyTQ+bqu4mDEaVu3xNcKLH +CQsTM7gDR9pivapoDo84CK8w519DHCA2EpNGTDO4twcQ3jKqPth809LnibwdKJCe +qsfxsIfN8LbpKDOygZ2av11gcT0ye9uOMkiiRSE2MMGDU/50sskecavUAExDgwFs +v72ReU3fXRfTqYT6p/i/qMB7GbS8PlKFz61JKHDceS5GJUZJ5OWOoq7ZMCz6zrLW +2mQIJ7kblGCJKUnx/lZ5y9nqSCk7jer2qENxWNPOCwD48A78u1Bz8xSN5D1gFO3f +YSKh60kK5UljwkvRD7NvAcg2ifwL1e+/7v8WV9OsHDUBEiJO05tsjJ76QwHnEq6j +4peArcTAHWZ4uGncAgYN/Uii+0vs3oVDsZ9d2uLJxuR3h6T4XVejeuZ3j3o/XX/E +aZwcdH3VpKqEjdG4c4TMz96bN7ZN2DbgTf40rwPFKgWnvhCA9dWlmfy9pW2z2hyg +rJaRGXd/4znj5YlMliDrL4/Yp9j1J1CsoZM68er6/zMU1SA9U/y+MVqMoPCPlczx +mbwWQm1JH6fZv2SzHbZOrZYWKVWX+jPZQV6SjKwSiVrLlZJ0Z8u00HBRRRzXLwXa +OLL/dGP1v+msMv1oCJT1AsMcBEE3bY1efnDP1XK8vBLzoMKGS1RtABEBAAGJAjYE +GAEIACAWIQS46lzwkDjg93k1fIrxQl5mQvofvAUCWv18AQIbDAAKCRDxQl5mQvof +vOC1D/wO+tGKz/y5dc/ifJGTndxoHnU8tarboDll0kcdpTGU7It+ReNustqJZj5v +HK4V/ZXUw5+y6ZasNa/mFYY8oACOI40SlMdyt708XfPqYKXOpnM0oGRGfALi+oKg +iIzYtXsqYk5ZYSFWpgxajHef9HMmHNJ8riSVRugUPubPMKPR65DOXl+BdVIlQw7o +2g3s4Lii0IRKov3BvB51oJMhRK2Ne55VDBid32oIoqXLXS2E2gJQegioAiDUA5J4 +1f96RCeYfxOgaPj/o4eiXK0H3owA3W78/tIjq5218PCIYFsOKPhrSqJ7ZF/5yGwW +ppVzsaz1sE9oULR0VOFUwjpYmyH32WwKkLF6mKumb8Q7Pd/FJq0I3/kxD/OrlNVZ +8UCX0CzxMyfEeSUfScunKLMfopEGxXTR4l8jew7CwxX08H0nkqyegDZSN8MjYxQL +V/zoL+aPjYh1WYf1L8wyBZjQbA6khHwYRZPaHrGfGaCGC8MHiSjPb/nt54+vZXtt +17LcX4VvHwWIBf88JpZO9eyTFPdYIZANSyo6ltbRoomuAywuA5IibCwh/BXi/aVa +Jro4UvbiwMqbVgSAt15VAwEK1Re/NNLBTcVVMHsWr5WNmo0s2C7+j+iIMPEOwhRs +ZFj74cztyOF/dGeCv9ycW29g+ejXaPpFOYQz0A9bBdkEdTGWhQ== +=D854 +-----END PGP PUBLIC KEY BLOCK----- From e1fec918a64a6c0aff0b758b4ea8a5e228623012 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 May 2018 10:04:05 +0200 Subject: [PATCH 52/65] l cabal.r: provice host for blue.r --- lass/1systems/cabal/config.nix | 1 + lass/2configs/blue-host.nix | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 lass/2configs/blue-host.nix diff --git a/lass/1systems/cabal/config.nix b/lass/1systems/cabal/config.nix index b117b5116..64c179e67 100644 --- a/lass/1systems/cabal/config.nix +++ b/lass/1systems/cabal/config.nix @@ -14,6 +14,7 @@ + ]; krebs.build.host = config.krebs.hosts.cabal; diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix new file mode 100644 index 000000000..657234bc1 --- /dev/null +++ b/lass/2configs/blue-host.nix @@ -0,0 +1,22 @@ +{ config, lib, pkgs, ... }: +with import ; + +{ + imports = [ + + ]; + containers.blue = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.9"; + localAddress = "10.233.2.10"; + }; +} From 32b66b6def41a6d33718e14b09135b234a4036b8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 May 2018 10:06:29 +0200 Subject: [PATCH 53/65] l mors.r: use correct wifi mac --- lass/1systems/mors/physical.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/1systems/mors/physical.nix b/lass/1systems/mors/physical.nix index 580252000..680dc9bde 100644 --- a/lass/1systems/mors/physical.nix +++ b/lass/1systems/mors/physical.nix @@ -18,7 +18,7 @@ }; services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="5a:37:e4:6e:1f:9d", NAME="wl0" + SUBSYSTEM=="net", ATTR{address}=="10:0b:a9:72:f4:88", NAME="wl0" SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:c4:7a:f1", NAME="et0" ''; From c7a49e7ac91eef1833992d9801b11febad726afe Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 May 2018 10:09:54 +0200 Subject: [PATCH 54/65] l prism.r: forward weechat port to blue.r --- lass/1systems/prism/config.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index c7b877deb..9bfd90c14 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -295,6 +295,21 @@ with import ; }; }; } + { #weechat port forwarding to blue + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 9998"; target = "ACCEPT";} + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.prism.nets.internet.ip4.addr} -p tcp --dport 9998"; target = "DNAT --to-destination ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}:9999"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s ${config.krebs.hosts.blue.nets.retiolum.ip4.addr}"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "MASQUERADE"; } + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; From d72657a57be63ff6eeeaa0b84cd7761b2d38c8b4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 May 2018 10:20:10 +0200 Subject: [PATCH 55/65] l blue.r: add weechat, backups & mail --- lass/1systems/blue/config.nix | 30 +++++++++++++++++++ lass/2configs/blue.nix | 55 +++++++++++++++++++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 lass/2configs/blue.nix diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix index b068c34b0..aef055cf0 100644 --- a/lass/1systems/blue/config.nix +++ b/lass/1systems/blue/config.nix @@ -5,7 +5,37 @@ with import ; + + + ]; krebs.build.host = config.krebs.hosts.blue; + + networking.nameservers = [ "1.1.1.1" ]; + + lass.restic = genAttrs [ + "daedalus" + "icarus" + "littleT" + "prism" + "shodan" + "skynet" + ] (dest: { + dirs = [ + "/home/" + "/var/lib" + ]; + passwordFile = (toString ) + "/restic/${dest}"; + repo = "sftp:backup@${dest}.r:/backups/blue"; + extraArguments = [ + "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + ]; + timerConfig = { + OnCalendar = "00:05"; + RandomizedDelaySec = "5h"; + }; + }); + time.timeZone = "Europe/Berlin"; + users.users.mainUser.openssh.authorizedKeys.keys = [ config.krebs.users.lass-android.pubkey ]; } diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix new file mode 100644 index 000000000..c0417b865 --- /dev/null +++ b/lass/2configs/blue.nix @@ -0,0 +1,55 @@ +with (import ); +{ config, lib, pkgs, ... }: + +{ + + imports = [ + ./bitlbee.nix + ./mail.nix + ./pass.nix + ]; + + services.tor.enable = true; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} + { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";} + ]; + + systemd.services.chat = let + tmux = pkgs.writeDash "tmux" '' + exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" '' + set-option -g prefix ` + unbind-key C-b + bind ` send-prefix + + set-option -g status off + set-option -g default-terminal screen-256color + + #use session instead of windows + bind-key c new-session + bind-key p switch-client -p + bind-key n switch-client -n + bind-key C-s switch-client -l + ''} "$@" + ''; + in { + description = "chat environment setup"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + restartIfChanged = false; + + path = [ + pkgs.rxvt_unicode.terminfo + ]; + + serviceConfig = { + User = "lass"; + RemainAfterExit = true; + Type = "oneshot"; + ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat"; + ExecStop = "${tmux} kill-session -t IM"; + }; + }; +} From f0ff6a61e6ae48c893b8d8a56d80a3d03f13dc35 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 May 2018 10:21:40 +0200 Subject: [PATCH 56/65] l: lass is now lass@blue.r --- krebs/3modules/lass/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index e921b1ec4..fd74983fa 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -703,7 +703,7 @@ with import ; }; }; users = rec { - lass = lass-mors; + lass = lass-blue; lass-blue = { mail = "lass@blue.r"; pubkey = builtins.readFile ./ssh/blue.rsa; From c7d373f814fb18c0ced8da1a4c364b3aadd9d450 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 May 2018 10:28:49 +0200 Subject: [PATCH 57/65] l exim: allow sending from blue.r --- lass/2configs/exim-smarthost.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index fe79ce82b..5248f4d63 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -14,7 +14,7 @@ with import ; ]; relay_from_hosts = map (host: host.nets.retiolum.ip6.addr) [ config.krebs.hosts.mors - config.krebs.hosts.uriel + config.krebs.hosts.blue ]; internet-aliases = with config.krebs.users; [ { from = "postmaster@lassul.us"; to = lass.mail; } # RFC 822 From cd145bb426bef35aecaf5e2f86be300241606c1b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 May 2018 10:32:07 +0200 Subject: [PATCH 58/65] l backup: add blue to authorizedKeys --- lass/2configs/backup.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix index 27adf6d2a..d23cf9a43 100644 --- a/lass/2configs/backup.nix +++ b/lass/2configs/backup.nix @@ -15,6 +15,7 @@ with import ; openssh.authorizedKeys.keys = with config.krebs.hosts; [ mors.ssh.pubkey prism.ssh.pubkey + blue.ssh.pubkey ]; }; } From 141fa0117c0aaa994a7b0776976631044afc193b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 May 2018 10:32:47 +0200 Subject: [PATCH 59/65] l exim: add new mail addresses --- lass/2configs/exim-smarthost.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lass/2configs/exim-smarthost.nix b/lass/2configs/exim-smarthost.nix index 5248f4d63..371f20885 100644 --- a/lass/2configs/exim-smarthost.nix +++ b/lass/2configs/exim-smarthost.nix @@ -81,6 +81,8 @@ with import ; { from = "allygator@lassul.us"; to = lass.mail; } { from = "immoscout@lassul.us"; to = lass.mail; } { from = "elitedangerous@lassul.us"; to = lass.mail; } + { from = "boardgamegeek@lassul.us"; to = lass.mail; } + { from = "qwertee@lassul.us"; to = lass.mail; } ]; system-aliases = [ { from = "mailer-daemon"; to = "postmaster"; } From de7ee966dfb6923e9b9ebab55eb4f6f17a88ed43 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 May 2018 10:33:42 +0200 Subject: [PATCH 60/65] l monitoring: don't send resolved status --- lass/2configs/monitoring/prometheus-server.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/lass/2configs/monitoring/prometheus-server.nix b/lass/2configs/monitoring/prometheus-server.nix index e16d421a0..aef671636 100644 --- a/lass/2configs/monitoring/prometheus-server.nix +++ b/lass/2configs/monitoring/prometheus-server.nix @@ -159,7 +159,6 @@ "email_configs" = [ { "to" = "devnull@example.com"; - "send_resolved" = true; } ]; "webhook_configs" = [ From 3277fac9b6941ece359efed2884c440d2e03837c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 20 May 2018 10:42:46 +0200 Subject: [PATCH 61/65] l git: add blue & mors to allowed users --- lass/2configs/git.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 712a15342..e41ff606f 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -121,7 +121,7 @@ let with git // config.krebs.users; repo: singleton { - user = [ lass lass-shodan lass-icarus ]; + user = [ lass-mors lass-shodan lass-icarus lass-blue ]; repo = [ repo ]; perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ From 5af3134c0084ac98fbd504865925aeba61f06d94 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 21 May 2018 08:25:11 +0200 Subject: [PATCH 62/65] l red: forceSSL --- lass/1systems/prism/config.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 9bfd90c14..b2669c4ac 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -243,7 +243,7 @@ with import ; }; services.nginx.virtualHosts."rote-allez-fraktion.de" = { enableACME = true; - addSSL = true; + forceSSL = true; locations."/" = { extraConfig = '' proxy_set_header Host rote-allez-fraktion.de; From 4829b6b9d7ce2b19e84473ecb254e68219b1d0b6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 21 May 2018 08:25:53 +0200 Subject: [PATCH 63/65] l: add bitlbee.nix --- lass/2configs/bitlbee.nix | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 lass/2configs/bitlbee.nix diff --git a/lass/2configs/bitlbee.nix b/lass/2configs/bitlbee.nix new file mode 100644 index 000000000..1220fa0cd --- /dev/null +++ b/lass/2configs/bitlbee.nix @@ -0,0 +1,15 @@ +with (import ); +{ config, lib, pkgs, ... }: + +{ + services.bitlbee = { + enable = true; + portNumber = 6666; + plugins = [ + pkgs.bitlbee-facebook + pkgs.bitlbee-steam + pkgs.bitlbee-discord + ]; + libpurple_plugins = [ pkgs.telegram-purple ]; + }; +} From 9173c08145836c1ee34674a15a488c7099f203af Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 21 May 2018 08:26:20 +0200 Subject: [PATCH 64/65] l: remove IM.nix --- lass/1systems/prism/config.nix | 1 - lass/2configs/IM.nix | 73 ---------------------------------- 2 files changed, 74 deletions(-) delete mode 100644 lass/2configs/IM.nix diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index b2669c4ac..6d03a2694 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -131,7 +131,6 @@ with import ; } - diff --git a/lass/2configs/IM.nix b/lass/2configs/IM.nix deleted file mode 100644 index 7d3dfd428..000000000 --- a/lass/2configs/IM.nix +++ /dev/null @@ -1,73 +0,0 @@ -with (import ); -{ config, lib, pkgs, ... }: - -let - tmux = pkgs.writeDash "tmux" '' - exec ${pkgs.tmux}/bin/tmux -f ${pkgs.writeText "tmux.conf" '' - set-option -g prefix ` - unbind-key C-b - bind ` send-prefix - - set-option -g status off - set-option -g default-terminal screen-256color - - #use session instead of windows - bind-key c new-session - bind-key p switch-client -p - bind-key n switch-client -n - bind-key C-s switch-client -l - ''} "$@" - ''; -in { - - services.bitlbee = { - enable = true; - portNumber = 6666; - plugins = [ - pkgs.bitlbee-facebook - pkgs.bitlbee-steam - pkgs.bitlbee-discord - ]; - libpurple_plugins = [ pkgs.telegram-purple ]; - }; - - users.extraUsers.chat = { - home = "/home/chat"; - uid = genid "chat"; - useDefaultShell = true; - createHome = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - lass-shodan.pubkey - lass-icarus.pubkey - lass-android.pubkey - lass-helios.pubkey - ]; - }; - - # mosh - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} - { predicate = "-p tcp --dport 9999"; target = "ACCEPT";} - ]; - - systemd.services.chat = { - description = "chat environment setup"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - restartIfChanged = false; - - path = [ - pkgs.rxvt_unicode.terminfo - ]; - - serviceConfig = { - User = "chat"; - RemainAfterExit = true; - Type = "oneshot"; - ExecStart = "${tmux} -2 new-session -d -s IM ${pkgs.weechat}/bin/weechat"; - ExecStop = "${tmux} kill-session -t IM"; - }; - }; -} From 4277c251906100bc103808af7a674fe2fbb3851b Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 21 May 2018 08:28:08 +0200 Subject: [PATCH 65/65] l prism.r: add wireguard config --- lass/1systems/prism/config.nix | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 6d03a2694..7a9537b64 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -309,6 +309,34 @@ with import ; { v6 = false; predicate = "-d ${config.krebs.hosts.blue.nets.retiolum.ip4.addr} -p tcp --dport 9999"; target = "MASQUERADE"; } ]; } + { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } + ]; + networking.wireguard.interfaces.wg0 = { + ips = [ "10.244.1.1/24" ]; + listenPort = 51820; + privateKeyFile = (toString ) + "/wireguard.key"; + allowedIPsAsRoutes = true; + peers = [ + { + # lass-android + allowedIPs = [ "10.244.1.2/32" ]; + publicKey = "63+ns9AGv6e6a8WgxiZNFEt1xQT0YKFlEHzRaYJWtmk="; + } + ]; + }; + } ]; krebs.build.host = config.krebs.hosts.prism;