Merge remote-tracking branch 'lass/master'
commit
12f77bbed6
@ -2,10 +2,10 @@
|
||||
|
||||
with import <stockholm/lib>;
|
||||
let
|
||||
gunicorn = pkgs.pythonPackages.gunicorn;
|
||||
bepasty = pkgs.bepasty;
|
||||
gevent = pkgs.pythonPackages.gevent;
|
||||
python = pkgs.pythonPackages.python;
|
||||
gunicorn = pkgs.python27Packages.gunicorn;
|
||||
bepasty = pkgs.bepasty.override { python3Packages = pkgs.python27Packages; };
|
||||
gevent = pkgs.python27Packages.gevent;
|
||||
python = pkgs.python27Packages.python;
|
||||
cfg = config.krebs.bepasty;
|
||||
|
||||
out = {
|
||||
|
@ -108,10 +108,12 @@ let
|
||||
name=str(new_step),
|
||||
command=[
|
||||
"${pkgs.writeDash "build-stepper.sh" ''
|
||||
set -efu
|
||||
set -xefu
|
||||
profile=${shell.escape profileRoot}/$build_name
|
||||
result=$("$build_script")
|
||||
if [ -n "$result" ]; then
|
||||
${pkgs.nix}/bin/nix-env -p "$profile" --set "$result"
|
||||
fi
|
||||
''}"
|
||||
],
|
||||
env={
|
||||
|
13
krebs/3modules/external/default.nix
vendored
13
krebs/3modules/external/default.nix
vendored
@ -429,6 +429,17 @@ in {
|
||||
};
|
||||
};
|
||||
};
|
||||
ada = {
|
||||
owner = config.krebs.users.filly;
|
||||
nets = {
|
||||
wiregrill = {
|
||||
aliases = [ "ada.w" ];
|
||||
wireguard = {
|
||||
pubkey = "+t0j9j7TZqvSFPzgunnON/ArXVGpMS/L3DldpanLoUk=";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
users = {
|
||||
ciko = {
|
||||
@ -464,6 +475,8 @@ in {
|
||||
};
|
||||
miaoski = {
|
||||
};
|
||||
filly = {
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
|
@ -20,6 +20,7 @@ in {
|
||||
extraZones = {
|
||||
"krebsco.de" = ''
|
||||
cache IN A ${nets.internet.ip4.addr}
|
||||
p IN A ${nets.internet.ip4.addr}
|
||||
paste IN A ${nets.internet.ip4.addr}
|
||||
prism IN A ${nets.internet.ip4.addr}
|
||||
'';
|
||||
@ -38,6 +39,7 @@ in {
|
||||
io 60 IN NS ions.lassul.us.
|
||||
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
|
||||
lol 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
|
||||
matrix 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
|
||||
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
|
||||
radio 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
|
||||
'';
|
||||
@ -239,6 +241,7 @@ in {
|
||||
secure = true;
|
||||
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC9vup68R0I+62FK+8LNtwM90V9P4ukBmU7G7d54wf4C";
|
||||
syncthing.id = "AU5RTWC-HXNMDRT-TN4ZHXY-JMQ6EQB-4ZPOZL7-AICZMCZ-LNS2XXQ-DGTI2Q6";
|
||||
};
|
||||
icarus = {
|
||||
cores = 2;
|
||||
|
@ -78,7 +78,7 @@ let
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
ExecStart = pkgs.writeDash "generate-wallpaper" ''
|
||||
set -xeuf
|
||||
set -euf
|
||||
|
||||
# usage: getimg FILENAME URL
|
||||
fetch() {
|
||||
|
@ -21,8 +21,8 @@ let
|
||||
default = config._module.args.name;
|
||||
};
|
||||
envp = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = {};
|
||||
type = types.nullOr (types.attrsOf types.str);
|
||||
default = null;
|
||||
};
|
||||
filename = mkOption {
|
||||
type = mkOptionType {
|
||||
|
@ -1,5 +1,6 @@
|
||||
{ curl, writeDashBin }:
|
||||
{ curl, gnused, writeDashBin }:
|
||||
|
||||
writeDashBin "kpaste" ''
|
||||
exec ${curl}/bin/curl -sS http://p.r --data-binary @-
|
||||
${curl}/bin/curl -sS http://p.r --data-binary @- |
|
||||
${gnused}/bin/sed '$ {p;s/\<r\>/krebsco.de/}'
|
||||
''
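Review bot: With the `exec` gone, the script's exit status is now that of `sed`, so a failed upload (curl error, `p.r` unreachable) exits 0 and callers can no longer detect it; dash has no `pipefail`. Capture the response first and stop on failure, e.g. `url=$(${curl}/bin/curl -sS http://p.r --data-binary @-) || exit`, then `printf '%s\n' "$url" | ${gnused}/bin/sed '$ {p;s/\<r\>/krebsco.de/}'`. The same applies to the `bepasty-cli … | sed` pipeline in the krebspaste wrapper in the next file section. Both uploads still use plain `http://`; if that is acceptable only because the name resolves inside the overlay network, a comment saying so would help.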
|
||||
|
@ -1,6 +1,12 @@
|
||||
{ writeDashBin, bepasty-client-cli }:
|
||||
{ bepasty-client-cli, gnused, writeDashBin }:
|
||||
|
||||
# TODO use `pkgs.exec` instead?
|
||||
writeDashBin "krebspaste" ''
|
||||
exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | sed '$ s/$/\/+inline/g'
|
||||
${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" |
|
||||
${gnused}/bin/sed '
|
||||
$ {
|
||||
s/$/\/+inline/
|
||||
p
|
||||
s/\<r\>/krebsco.de/
|
||||
}
|
||||
'
|
||||
''
|
||||
|
@ -9,17 +9,12 @@ with import <stockholm/lib>;
|
||||
|
||||
<stockholm/lass/2configs/blue.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/sync/decsync.nix>
|
||||
<stockholm/lass/2configs/sync/weechat.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.blue;
|
||||
|
||||
krebs.syncthing.folders = [
|
||||
{ id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
|
||||
];
|
||||
lass.ensure-permissions = [
|
||||
{ folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
|
||||
];
|
||||
|
||||
environment.shellAliases = {
|
||||
deploy = pkgs.writeDash "deploy" ''
|
||||
set -eu
|
||||
|
@ -27,6 +27,12 @@ with import <stockholm/lib>;
|
||||
enable = true;
|
||||
systemWide = true;
|
||||
};
|
||||
programs.chromium = {
|
||||
enable = true;
|
||||
extensions = [
|
||||
"cjpalhdlnbpafiamejdnhcphjbkeiagm" # ublock origin
|
||||
];
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
pavucontrol
|
||||
#firefox
|
||||
@ -40,7 +46,7 @@ with import <stockholm/lib>;
|
||||
wine
|
||||
geeqie
|
||||
vlc
|
||||
minecraft
|
||||
zsnes
|
||||
];
|
||||
nixpkgs.config.firefox.enableAdobeFlash = true;
|
||||
services.xserver.enable = true;
|
||||
|
@ -8,20 +8,13 @@ with import <stockholm/lib>;
|
||||
<stockholm/lass/2configs/exim-retiolum.nix>
|
||||
<stockholm/lass/2configs/mail.nix>
|
||||
|
||||
#<stockholm/lass/2configs/blue.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/sync/decsync.nix>
|
||||
<stockholm/lass/2configs/sync/weechat.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.green;
|
||||
|
||||
krebs.syncthing.folders = [
|
||||
{ id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
|
||||
];
|
||||
lass.ensure-permissions = [
|
||||
{ folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
|
||||
];
|
||||
|
||||
|
||||
#networking.nameservers = [ "1.1.1.1" ];
|
||||
|
||||
#time.timeZone = "Europe/Berlin";
|
||||
|
@ -20,6 +20,7 @@
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/nfs-dl.nix>
|
||||
<stockholm/lass/2configs/prism-share.nix>
|
||||
<stockholm/lass/2configs/ssh-cryptsetup.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.icarus;
|
||||
|
@ -6,7 +6,6 @@ with import <stockholm/lib>;
|
||||
<nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-minimal.nix>
|
||||
<stockholm/krebs>
|
||||
<stockholm/lass/3modules>
|
||||
<stockholm/lass/5pkgs>
|
||||
<stockholm/lass/2configs/mc.nix>
|
||||
<stockholm/lass/2configs/vim.nix>
|
||||
{
|
||||
@ -40,9 +39,10 @@ with import <stockholm/lib>;
|
||||
networking.hostName = "lass-iso";
|
||||
}
|
||||
{
|
||||
nixpkgs.config.packageOverrides = import <stockholm/lass/5pkgs> pkgs;
|
||||
krebs.enable = true;
|
||||
krebs.build.user = config.krebs.users.lass;
|
||||
krebs.build.host = config.krebs.hosts.iso;
|
||||
krebs.build.host = {};
|
||||
}
|
||||
{
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
@ -174,11 +174,13 @@ with import <stockholm/lib>;
|
||||
user = "lass";
|
||||
};
|
||||
windowManager.default = "xmonad";
|
||||
windowManager.session = [{
|
||||
windowManager.session = let
|
||||
xmonad-lass = pkgs.callPackage <stockholm/lass/5pkgs/custom/xmonad-lass> { inherit config; };
|
||||
in [{
|
||||
name = "xmonad";
|
||||
start = ''
|
||||
${pkgs.xorg.xhost}/bin/xhost +LOCAL:
|
||||
${pkgs.xmonad-lass}/bin/xmonad &
|
||||
${xmonad-lass}/bin/xmonad &
|
||||
waitPID=$!
|
||||
'';
|
||||
}];
|
||||
|
@ -8,6 +8,7 @@ with import <stockholm/lib>;
|
||||
<stockholm/lass/2configs/retiolum.nix>
|
||||
<stockholm/lass/2configs/blue-host.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/green-host.nix>
|
||||
];
|
||||
|
||||
networking.networkmanager.enable = true;
|
||||
|
@ -30,4 +30,12 @@ with import <stockholm/lib>;
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
services.xserver.desktopManager.default = "none";
|
||||
services.xserver.displayManager.lightdm.autoLogin = {
|
||||
enable = true;
|
||||
user = "lass";
|
||||
timeout = 5;
|
||||
};
|
||||
}
|
||||
|
@ -26,6 +26,8 @@ with import <stockholm/lib>;
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/otp-ssh.nix>
|
||||
<stockholm/lass/2configs/c-base.nix>
|
||||
<stockholm/lass/2configs/sync/decsync.nix>
|
||||
<stockholm/lass/2configs/sync/weechat.nix>
|
||||
<stockholm/lass/2configs/br.nix>
|
||||
<stockholm/lass/2configs/ableton.nix>
|
||||
<stockholm/lass/2configs/starcraft.nix>
|
||||
@ -41,8 +43,6 @@ with import <stockholm/lib>;
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
#risk of rain
|
||||
{ predicate = "-p tcp --dport 11100"; target = "ACCEPT"; }
|
||||
#chromecast
|
||||
{ predicate = "-p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000"; target = "ACCEPT"; }
|
||||
#quake3
|
||||
{ predicate = "-p tcp --dport 27950:27965"; target = "ACCEPT"; }
|
||||
{ predicate = "-p udp --dport 27950:27965"; target = "ACCEPT"; }
|
||||
@ -50,11 +50,9 @@ with import <stockholm/lib>;
|
||||
}
|
||||
{
|
||||
krebs.syncthing.folders = [
|
||||
{ id = "contacts"; path = "/home/lass/contacts"; peers = [ "mors" "blue" "green" "phone" ]; }
|
||||
{ id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" ]; }
|
||||
{ id = "the_playlist"; path = "/home/lass/tmp/the_playlist"; peers = [ "mors" "phone" "prism" ]; }
|
||||
];
|
||||
lass.ensure-permissions = [
|
||||
{ folder = "/home/lass/contacts"; owner = "lass"; group = "syncthing"; }
|
||||
{ folder = "/home/lass/tmp/the_playlist"; owner = "lass"; group = "syncthing"; }
|
||||
];
|
||||
}
|
||||
@ -92,6 +90,7 @@ with import <stockholm/lib>;
|
||||
pkgs.ovh-zone
|
||||
pkgs.bank
|
||||
pkgs.adb-sync
|
||||
pkgs.transgui
|
||||
];
|
||||
}
|
||||
{
|
||||
@ -135,6 +134,18 @@ with import <stockholm/lib>;
|
||||
(pkgs.writeDashBin "btc-kraken" ''
|
||||
${pkgs.curl}/bin/curl -Ss 'https://api.kraken.com/0/public/Ticker?pair=BTCEUR' | ${pkgs.jq}/bin/jq '.result.XXBTZEUR.a[0]'
|
||||
'')
|
||||
(pkgs.writeDashBin "krebsco.de" ''
|
||||
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
|
||||
${pkgs.brain}/bin/brain show krebs-secrets/ovh-secrets.json > "$TMPDIR"/ovh-secrets.json
|
||||
OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.krebszones}/bin/krebszones import
|
||||
${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
|
||||
'')
|
||||
(pkgs.writeDashBin "lassul.us" ''
|
||||
TMPDIR=$(${pkgs.coreutils}/bin/mktemp -d)
|
||||
${pkgs.pass}/bin/pass show admin/ovh/api.config > "$TMPDIR"/ovh-secrets.json
|
||||
OVH_ZONE_CONFIG="$TMPDIR"/ovh-secrets.json ${pkgs.ovh-zone}/bin/ovh-zone import /etc/zones/lassul.us lassul.us
|
||||
${pkgs.coreutils}/bin/rm -rf "$TMPDIR"
|
||||
'')
|
||||
];
|
||||
|
||||
#TODO: fix this shit
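Review bot: In the new `krebsco.de` and `lassul.us` helpers the OVH credentials are written to `"$TMPDIR"/ovh-secrets.json` and removed only by the final `rm -rf`, so a run that is interrupted by a signal leaves the secret on disk. There is also no `set -eu`, so if `mktemp -d` fails the redirect targets `/ovh-secrets.json`. Start each script with `set -eu` and register cleanup before the secret is written: `trap '${pkgs.coreutils}/bin/rm -rf "$tmpdir"' EXIT` plus `trap 'exit 1' INT TERM`. Using a private name such as `tmpdir` instead of reassigning `TMPDIR` also avoids redirecting the temp files of child processes when that variable is already exported.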
|
||||
|
@ -413,6 +413,42 @@ with import <stockholm/lib>;
|
||||
];
|
||||
};
|
||||
}
|
||||
{ #macos mounting of yellow
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ predicate = "-i wiregrill -p tcp --dport 139"; target = "ACCEPT"; }
|
||||
{ predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; }
|
||||
{ predicate = "-i wiregrill -p udp --dport 137"; target = "ACCEPT"; }
|
||||
{ predicate = "-i wiregrill -p udp --dport 138"; target = "ACCEPT"; }
|
||||
];
|
||||
users.users.smbguest = {
|
||||
name = "smbguest";
|
||||
uid = config.ids.uids.smbguest;
|
||||
description = "smb guest user";
|
||||
home = "/home/share";
|
||||
createHome = true;
|
||||
};
|
||||
services.samba = {
|
||||
enable = true;
|
||||
enableNmbd = true;
|
||||
shares = {
|
||||
download = {
|
||||
path = "/var/download/finished";
|
||||
"read only" = "yes";
|
||||
browseable = "yes";
|
||||
"guest ok" = "yes";
|
||||
};
|
||||
};
|
||||
extraConfig = ''
|
||||
guest account = smbguest
|
||||
map to guest = bad user
|
||||
# disable printing
|
||||
load printers = no
|
||||
printing = bsd
|
||||
printcap name = /dev/null
|
||||
disable spoolss = yes
|
||||
'';
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.prism;
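Review bot: The new `download` share sets `"guest ok" = "yes"` together with `map to guest = bad user`, and the four INPUT rules accept SMB/NetBIOS from the whole `wiregrill` interface, so every peer on that network can list and read `/var/download/finished` without credentials, not only the macOS client the comment refers to. If that is broader than intended, narrow it in Samba as well as in iptables, for example `hosts allow = <CLIENT_ADDRESS>` in `extraConfig` (placeholder), and consider dropping ports 137–139 and `enableNmbd` if the client connects to 445 directly. The block also creates `/home/share` as the guest account's home although no share uses it; a comment explaining why would help.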
|
||||
|
@ -15,6 +15,8 @@ with import <stockholm/lib>;
|
||||
<stockholm/lass/2configs/bitcoin.nix>
|
||||
<stockholm/lass/2configs/backup.nix>
|
||||
<stockholm/lass/2configs/blue-host.nix>
|
||||
<stockholm/lass/2configs/green-host.nix>
|
||||
<stockholm/lass/2configs/ssh-cryptsetup.nix>
|
||||
];
|
||||
|
||||
krebs.build.host = config.krebs.hosts.shodan;
|
||||
|
@ -8,6 +8,7 @@ with import <stockholm/lib>;
|
||||
<stockholm/lass/2configs/blue-host.nix>
|
||||
<stockholm/lass/2configs/power-action.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/green-host.nix>
|
||||
{
|
||||
services.xserver.enable = true;
|
||||
services.xserver.desktopManager.xfce.enable = true;
|
||||
|
@ -31,6 +31,7 @@ with import <stockholm/lib>;
|
||||
download-dir = "/var/download/finished";
|
||||
incomplete-dir = "/var/download/incoming";
|
||||
incomplete-dir-enable = true;
|
||||
message-level = 1;
|
||||
umask = "002";
|
||||
rpc-whitelist-enabled = false;
|
||||
rpc-host-whitelist-enabled = false;
|
||||
|
@ -9,6 +9,7 @@ in {
|
||||
./power-action.nix
|
||||
./copyq.nix
|
||||
./urxvt.nix
|
||||
./xdg-open.nix
|
||||
{
|
||||
hardware.pulseaudio = {
|
||||
enable = true;
|
||||
|
@ -100,6 +100,9 @@ with import <stockholm/lib>;
|
||||
{ from = "box@lassul.us"; to = lass.mail; }
|
||||
{ from = "paloalto@lassul.us"; to = lass.mail; }
|
||||
{ from = "subtitles@lassul.us"; to = lass.mail; }
|
||||
{ from = "lobsters@lassul.us"; to = lass.mail; }
|
||||
{ from = "fysitech@lassul.us"; to = lass.mail; }
|
||||
{ from = "threema@lassul.us"; to = lass.mail; }
|
||||
];
|
||||
system-aliases = [
|
||||
{ from = "mailer-daemon"; to = "postmaster"; }
|
||||
|
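--- a/lass/2configs/green-host.nix
+++ b/lass/2configs/green-host.nix
@@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+imports = [
+<stockholm/lass/2configs/container-networking.nix>
+<stockholm/lass/2configs/syncthing.nix>
+{ #hack for already defined
+systemd.services."container@green".reloadIfChanged = mkForce false;
+systemd.services."container@green".preStart = ''
+${pkgs.mount}/bin/mount | ${pkgs.gnugrep}/bin/grep -q ' on /var/lib/containers/green '
+'';
+systemd.services."container@green".postStop = ''
+set -x
+${pkgs.umount}/bin/umount /var/lib/containers/green
+ls -la /dev/mapper/control
+${pkgs.devicemapper}/bin/dmsetup ls
+${pkgs.cryptsetup}/bin/cryptsetup -v luksClose /var/lib/sync-containers/green.img
+'';
+}
+];
+
+lass.ensure-permissions = [
+{ folder = "/var/lib/sync-containers"; owner = "root"; group = "syncthing"; }
+];
+
+krebs.syncthing.folders = [
+{ path = "/var/lib/sync-containers"; peers = [ "icarus" "skynet" "littleT" "shodan" ]; }
+];
+
+system.activationScripts.containerPermissions = ''
+mkdir -p /var/lib/containers
+chmod 711 /var/lib/containers
+'';
+
+containers.green = {
+config = { ... }: {
+environment.systemPackages = [
+pkgs.git
+pkgs.rxvt_unicode.terminfo
+];
+services.openssh.enable = true;
+users.users.root.openssh.authorizedKeys.keys = [
+config.krebs.users.lass.pubkey
+];
+};
+autoStart = false;
+enableTun = true;
+privateNetwork = true;
+hostAddress = "10.233.2.15";
+localAddress = "10.233.2.16";
+};
+
+environment.systemPackages = [
+(pkgs.writeDashBin "start-green" ''
+set -fu
+CONTAINER='green'
+IMAGE='/var/lib/sync-containers/green.img'
+
+${pkgs.cryptsetup}/bin/cryptsetup status "$CONTAINER" >/dev/null
+if [ "$?" -ne 0 ]; then
+${pkgs.cryptsetup}/bin/cryptsetup luksOpen "$IMAGE" "$CONTAINER"
+fi
+
+mkdir -p /var/lib/containers/"$CONTAINER"
+
+${pkgs.mount}/bin/mount | grep -q " on /var/lib/containers/"$CONTAINER" "
+if [ "$?" -ne 0 ]; then
+${pkgs.mount}/bin/mount -o sync /dev/mapper/"$CONTAINER" /var/lib/containers/"$CONTAINER"
+fi
+
+STATE=$(${pkgs.nixos-container}/bin/nixos-container status "$CONTAINER")
+if [ "$STATE" = 'down' ]; then
+${pkgs.nixos-container}/bin/nixos-container start "$CONTAINER"
+fi
+ping -c1 green.r
+if [ "$?" -ne 0 ]; then
+${pkgs.nixos-container}/bin/nixos-container run green -- nixos-rebuild -I /var/src switch
+fi
+
+'')
+];
+}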
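Review bot: In `postStop`, `cryptsetup -v luksClose /var/lib/sync-containers/green.img` passes the image path, while `start-green` opens the volume under the mapping name `green`; as far as I know `luksClose` expects the mapping name, so the close would fail and the decrypted device would stay mapped on the host after the container stops. The `set -x`, `ls -la /dev/mapper/control` and `dmsetup ls` lines look like leftovers from debugging exactly this. Use `${pkgs.cryptsetup}/bin/cryptsetup luksClose green` and drop the debug lines once confirmed. Separately, `start-green` resolves `grep`, `mkdir` and `ping` through `PATH` although it runs privileged commands, whereas `preStart` pins `${pkgs.gnugrep}`, and the result of `luksOpen` is never checked before the mount is attempted.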
@ -30,8 +30,7 @@
|
||||
};
|
||||
};
|
||||
|
||||
services.logind.extraConfig = ''
|
||||
HandleLidSwitch=ignore
|
||||
'';
|
||||
services.logind.lidSwitch = "ignore";
|
||||
services.logind.lidSwitchDocked = "ignore";
|
||||
|
||||
}
|
||||
|
@ -233,8 +233,4 @@ in {
|
||||
tag-new-mails
|
||||
tag-old-mails
|
||||
];
|
||||
|
||||
nixpkgs.config.packageOverrides = opkgs: {
|
||||
notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; }));
|
||||
};
|
||||
}
|
||||
|
@ -10,6 +10,16 @@ with import <stockholm/lib>;
|
||||
proxy_pass http://localhost:9081;
|
||||
'';
|
||||
};
|
||||
services.nginx.virtualHosts.paste-readonly = {
|
||||
serverAliases = [ "p.krebsco.de" ];
|
||||
locations."/".extraConfig = ''
|
||||
if ($request_method != GET) {
|
||||
return 403;
|
||||
}
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass http://localhost:9081;
|
||||
'';
|
||||
};
|
||||
krebs.htgen.paste = {
|
||||
port = 9081;
|
||||
script = toString [
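Review bot: `paste-readonly` proxies every GET for `p.krebsco.de` to the same backend on port 9081 as the existing `proxy_pass` above it, so from this commit on each paste is readable from outside by anyone who knows or can guess its path. That deserves a comment next to the vhost, and the unguessability of paste paths should be confirmed, since the generating script is outside this hunk. Note that `$request_method != GET` also rejects `HEAD`; if that is not intended, nginx can test both with `if ($request_method !~ ^(GET|HEAD)$) { return 403; }`. No TLS setting for the new vhost is visible in this hunk.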
|
||||
|
@ -21,7 +21,7 @@ with import <stockholm/lib>;
|
||||
shares = {
|
||||
incoming = {
|
||||
path = "/mnt/prism";
|
||||
"read only" = "no";
|
||||
"read only" = "yes";
|
||||
browseable = "yes";
|
||||
"guest ok" = "yes";
|
||||
};
|
||||
|
@ -59,6 +59,9 @@ in {
|
||||
group = "radio";
|
||||
musicDirectory = "/home/radio/the_playlist/music";
|
||||
extraConfig = ''
|
||||
log_level "default"
|
||||
auto_update "yes"
|
||||
|
||||
audio_output {
|
||||
type "shout"
|
||||
encoding "lame"
|
||||
@ -245,4 +248,10 @@ in {
|
||||
alias ${html};
|
||||
'';
|
||||
};
|
||||
krebs.syncthing.folders = [
|
||||
{ id = "the_playlist"; path = "/home/radio/music/the_playlist"; peers = [ "mors" "phone" "prism" ]; }
|
||||
];
|
||||
lass.ensure-permissions = [
|
||||
{ folder = "/home/radio/music/the_playlist"; owner = "radio"; group = "syncthing"; }
|
||||
];
|
||||
}
|
||||
|
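--- a/lass/2configs/ssh-cryptsetup.nix
+++ b/lass/2configs/ssh-cryptsetup.nix
@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+boot.initrd = {
+network = {
+enable = true;
+ssh = {
+enable = true;
+authorizedKeys = with config.krebs.users; [
+config.krebs.users.lass-mors.pubkey
+config.krebs.users.lass-blue.pubkey
+config.krebs.users.lass-shodan.pubkey
+config.krebs.users.lass-icarus.pubkey
+];
+};
+};
+};
+}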
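Review bot: The initrd SSH server is enabled with four authorized keys, but nothing visible here fixes its host key, so it is unclear what identity clients will see when they connect to enter a disk passphrase. Please confirm the module's host-key setting is configured elsewhere and document how users verify the fingerprint, since a passphrase typed into an unverified endpoint is exposed. Whatever key is used is stored unencrypted in the initrd, so it should not be the host's regular SSH key. As a style point, `with config.krebs.users;` is redundant because every entry is written out in full; either drop the `with` or shorten the entries to `lass-mors.pubkey` and so on.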
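--- a/lass/2configs/sync/decsync.nix
+++ b/lass/2configs/sync/decsync.nix
@@ -0,0 +1,8 @@
+{
+krebs.syncthing.folders = [
+{ id = "decsync"; path = "/home/lass/decsync"; peers = [ "mors" "blue" "green" "phone" ]; }
+];
+lass.ensure-permissions = [
+{ folder = "/home/lass/decsync"; owner = "lass"; group = "syncthing"; }
+];
+}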
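--- a/lass/2configs/sync/weechat.nix
+++ b/lass/2configs/sync/weechat.nix
@@ -0,0 +1,8 @@
+{
+krebs.syncthing.folders = [
+{ path = "/home/lass/.weechat"; peers = [ "blue" "green" "mors" ]; }
+];
+lass.ensure-permissions = [
+{ folder = "/home/lass/.weechat"; owner = "lass"; group = "syncthing"; }
+];
+}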
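Review bot: `/home/lass/.weechat` usually holds more than settings, since server passwords and chat logs are commonly stored there, and this file both hands the directory to group `syncthing` and replicates it to `blue`, `green` and `mors`. What `lass.ensure-permissions` sets beyond owner and group is not visible here, so please confirm the group gets no more than Syncthing needs, and consider excluding logs and the credential file through the folder's ignore patterns. A one-line comment stating that this folder carries credentials would warn whoever adds the next peer.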
@ -4,6 +4,7 @@ with import <stockholm/lib>;
|
||||
services.syncthing = {
|
||||
enable = true;
|
||||
group = "syncthing";
|
||||
configDir = "/var/lib/syncthing";
|
||||
};
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
{ predicate = "-p tcp --dport 22000"; target = "ACCEPT";}
|
||||
@ -15,7 +16,7 @@ with import <stockholm/lib>;
|
||||
key = toString <secrets/syncthing.key>;
|
||||
peers = mapAttrs (n: v: { id = v.syncthing.id; }) (filterAttrs (n: v: v.syncthing.id != null) config.krebs.hosts);
|
||||
folders = [
|
||||
{ path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism"]; }
|
||||
{ path = "/home/lass/sync"; peers = [ "icarus" "mors" "skynet" "blue" "green" "littleT" "prism" "shodan" ]; }
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -119,7 +119,7 @@ in {
|
||||
authenticators.PLAIN = ''
|
||||
driver = plaintext
|
||||
public_name = PLAIN
|
||||
server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
|
||||
server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
|
||||
'';
|
||||
authenticators.LOGIN = ''
|
||||
driver = plaintext
|
||||
|
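--- a/lass/2configs/xdg-open.nix
+++ b/lass/2configs/xdg-open.nix
@@ -0,0 +1,66 @@
+{ config, pkgs, lib, ... }: with import <stockholm/lib>; let
+
+xdg-open-wrapper = pkgs.writeDashBin "xdg-open" ''
+/run/wrappers/bin/sudo -u lass ${xdg-open} "$@"
+'';
+
+xdg-open = pkgs.writeBash "xdg-open" ''
+set -e
+FILE="$1"
+mime=
+
+case "$FILE" in
+http://*|https://*)
+mime=text/html
+;;
+mailto:*)
+mime=special/mailaddress
+;;
+magnet:*)
+mime=application/x-bittorrent
+;;
+irc:*)
+mime=x-scheme-handler/irc
+;;
+*)
+# it’s a file
+
+# strip possible protocol
+FILE=''${FILE#file://}
+mime=''$(file -E --brief --mime-type "$FILE") \
+|| (echo "$mime" 1>&2; exit 1)
+# ^ echo the error message of file
+;;
+esac
+
+case "$mime" in
+special/mailaddress)
+urxvtc --execute vim "$FILE" ;;
+${optionalString (hasAttr "browser" config.lass) ''
+text/html)
+${config.lass.browser.select}/bin/browser-select "$FILE" ;;
+text/xml)
+${config.lass.browser.select}/bin/browser-select "$FILE" ;;
+''}
+text/*)
+urxvtc --execute vim "$FILE" ;;
+image/*)
+sxiv "$FILE" ;;
+application/x-bittorrent)
+env DISPLAY=:0 transgui "$FILE" ;;
+application/pdf)
+zathura "$FILE" ;;
+inode/directory)
+sudo -u lass -i urxvtc --execute mc "$FILE" ;;
+*)
+# open dmenu and ask for program to open with
+$(dmenu_path | dmenu) "$FILE";;
+esac
+'';
+in {
+environment.systemPackages = [ xdg-open-wrapper ];
+
+security.sudo.extraConfig = ''
+cr ALL=(lass) NOPASSWD: ${xdg-open} *
+'';
+}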
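Review bot: The sudoers line `cr ALL=(lass) NOPASSWD: ${xdg-open} *` lets user `cr` run the handler as `lass` with arbitrary arguments, and the handler does much more than open links: a plain path is handed to `vim`, a viewer, or whatever is picked in `dmenu`, all running as `lass`. That makes the rule roughly equivalent to giving `cr` the `lass` account, which presumably defeats the purpose of the separate user. Give the sudo rule its own small script that accepts only the URL schemes it needs and rejects everything else, e.g. `case "$1" in http://*|https://*) ;; *) exit 1 ;; esac` before dispatching, and keep the file and directory branches for direct use by `lass`. The helpers (`file`, `urxvtc`, `sxiv`, `zathura`, `dmenu`) are also resolved through `PATH` instead of being pinned to store paths.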
@ -31,8 +31,9 @@
|
||||
session required pam_loginuid.so
|
||||
'';
|
||||
|
||||
security.pam.services.dovecot2.text = ''
|
||||
auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
|
||||
security.pam.services.dovecot2 = {
|
||||
text = ''
|
||||
auth required pam_exec.so debug expose_authtok log=/tmp/lol /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
|
||||
auth required pam_permit.so
|
||||
account required pam_permit.so
|
||||
session required pam_permit.so
|
||||
@ -40,16 +41,29 @@
|
||||
'';
|
||||
};
|
||||
|
||||
security.wrappers.shadow_verify_pam = {
|
||||
source = "${usershadow}/bin/verify_pam";
|
||||
owner = "root";
|
||||
};
|
||||
security.wrappers.shadow_verify_arg = {
|
||||
source = "${usershadow}/bin/verify_arg";
|
||||
owner = "root";
|
||||
};
|
||||
};
|
||||
|
||||
usershadow = let {
|
||||
deps = [
|
||||
"pwstore-fast"
|
||||
"bytestring"
|
||||
];
|
||||
body = pkgs.writeHaskellPackage "passwords" {
|
||||
ghc-options = [
|
||||
"-rtsopts"
|
||||
"-Wall"
|
||||
];
|
||||
executables.verify_pam = {
|
||||
extra-depends = deps;
|
||||
text = ''
|
||||
import Data.Monoid
|
||||
import System.IO
|
||||
import Data.Char (chr)
|
||||
import System.Environment (getEnv, getArgs)
|
||||
@ -72,7 +86,6 @@
|
||||
executables.verify_arg = {
|
||||
extra-depends = deps;
|
||||
text = ''
|
||||
import Data.Monoid
|
||||
import System.Environment (getArgs)
|
||||
import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
|
||||
import qualified Data.ByteString.Char8 as BS8
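Review bot: The dovecot2 PAM line that calls `/run/wrappers/bin/shadow_verify_pam` carries `debug` and `log=/tmp/lol`, which look like debugging leftovers: a fixed file name in world-writable `/tmp`, written by the authentication stack, can be pre-created or symlinked by any local user, and it collects the helper's output. Remove both options or point `log=` at a root-only directory: `auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}`. The two `security.wrappers` entries set only `source` and `owner = "root"`; if that results in setuid-root binaries executable by everyone (the wrapper defaults are not visible here), any local user could run `shadow_verify_arg` to test passwords, so restrict group and permissions to the services that need them.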
|
||||
|
@ -89,7 +89,7 @@ rec {
|
||||
|
||||
syncthing.id = mkOption {
|
||||
# TODO syncthing id type
|
||||
type = nullOr string;
|
||||
type = nullOr str;
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
|
@ -51,13 +51,19 @@ let
|
||||
src =
|
||||
if stdenv.system == "i686-linux" then
|
||||
fetchurl {
|
||||
url = "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-1.3.21.x86.deb.tar.gz";
|
||||
sha256 = "16xv1pdfm2ryis815fawb7zqg6c4swww726g272ssx044r5dp80r";
|
||||
urls = [
|
||||
"https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x86/imagescan-bundle-debian-9-3.55.0.x86.deb.tar.gz"
|
||||
"http://ni.r/~tv/mirrors/epson/imagescan-bundle-debian-9-3.55.0.x86.deb.tar.gz"
|
||||
];
|
||||
sha256 = "12syk4y8z22hm9r1lgxqp81vd24jbqgmq83b7yiyqfd4wfxb6k3s";
|
||||
}
|
||||
else if stdenv.system == "x86_64-linux" then
|
||||
fetchurl {
|
||||
url = "https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-1.3.21.x64.deb.tar.gz";
|
||||
sha256 = "0zik35h2jwrvkwcmq55wc72imidwdnmn1bayhypzhjcz61rasjg2";
|
||||
urls = [
|
||||
"https://download2.ebz.epson.net/imagescanv3/debian/latest1/deb/x64/imagescan-bundle-debian-9-3.55.0.x64.deb.tar.gz"
|
||||
"http://ni.r/~tv/mirrors/epson/imagescan-bundle-debian-9-3.55.0.x64.deb.tar.gz"
|
||||
];
|
||||
sha256 = "1wp372hqhzdar6ldxy7s9js2s872x8c5nwq3608dwg9gca11ppc5";
|
||||
}
|
||||
else throw "${name} is not supported on ${stdenv.system} (only i686-linux and x86_64 linux are supported)";
|
||||
|
||||
@ -92,7 +98,7 @@ let
|
||||
license = stdenv.lib.licenses.eapl;
|
||||
maintainers = [ stdenv.lib.maintainers.tv ];
|
||||
platforms = stdenv.lib.platforms.linux;
|
||||
version = "1.1.0";
|
||||
version = "1.1.2";
|
||||
};
|
||||
};
|
||||
|
||||
@ -102,8 +108,11 @@ stdenv.mkDerivation rec {
|
||||
name = "utsushi-${meta.version}";
|
||||
|
||||
src = fetchurl {
|
||||
url = "http://support.epson.net/linux/src/scanner/imagescanv3/debian/imagescan_${meta.version}.orig.tar.gz";
|
||||
sha256 = "1gmiimwkcyzbkfr25vzqczjhgh90fgxd96agbnkpf9gah1mpd6qj";
|
||||
urls = [
|
||||
"http://support.epson.net/linux/src/scanner/imagescanv3/debian/imagescan_${meta.version}.orig.tar.gz"
|
||||
"http://ni.r/~tv/mirrors/epson/imagescan_${meta.version}.orig.tar.gz"
|
||||
];
|
||||
sha256 = "0xwl4xp07cigslbi1qc52jsjvxcyvjlx54g812mn7211p01v2h4l";
|
||||
};
|
||||
|
||||
preConfigure = ''
|
||||
@ -203,6 +212,6 @@ stdenv.mkDerivation rec {
|
||||
license = stdenv.lib.licenses.gpl3;
|
||||
maintainers = [ stdenv.lib.maintainers.tv ];
|
||||
platforms = stdenv.lib.platforms.linux;
|
||||
version = "3.54.0";
|
||||
version = "3.55.0";
|
||||
};
|
||||
}
|
||||
|