Merge remote-tracking branch 'prism/master'

krebs/3modules/exim-retiolum.nix

@@ -37,7 +37,7 @@ let
       config =
         # This configuration makes only sense for retiolum-enabled hosts.
         # TODO modular configuration
-        assert config.krebs.retiolum.enable;
+        assert config.krebs.tinc.retiolum.enable;
         ''
           keep_environment =
 

krebs/3modules/makefu/default.nix

@@ -259,8 +259,13 @@ with config.krebs.lib;
     };
     filepimp = rec {
       cores = 1;
-
       nets = {
+        lan = {
+          ip4.addr = "192.168.1.12";
+          aliases = [
+            "filepimp.lan"
+          ];
+        };
         retiolum = {
           ip4.addr = "10.243.153.102";
           ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0";
@@ -286,6 +291,12 @@ with config.krebs.lib;
       cores = 2;
 
       nets = {
+        lan = {
+          ip4.addr = "192.168.1.11";
+          aliases = [
+            "omo.lan"
+          ];
+        };
         retiolum = {
           ip4.addr = "10.243.0.89";
           ip6.addr = "42:f9f0::10";

krebs/3modules/retiolum-bootstrap.nix

@@ -27,12 +27,12 @@ let
     ssl_certificate_key = mkOption {
         type = types.str;
         description = "Certificate key to use for ssl";
-        default = "/root/secrets/tinc.krebsco.de.key";
+        default = "${toString <secrets>}/tinc.krebsco.de.key";
     };
     ssl_certificate = mkOption {
         type = types.str;
         description = "Certificate file to use for ssl";
-        default = "/root/secrets/tinc.krebsco.de.crt" ;
+        default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
     };
     # in use:
     #  <secrets/tinc.krebsco.de.crt>

krebs/3modules/retiolum.nix

@@ -1,15 +1,20 @@
 { config, pkgs, lib, ... }:
 with config.krebs.lib;
 let
-  cfg = config.krebs.retiolum;
-
   out = {
-    options.krebs.retiolum = api;
+    options.krebs.tinc = api;
-    config = lib.mkIf cfg.enable imp;
+    config = imp;
   };
 
-  api = {
+  api = mkOption {
-    enable = mkEnableOption "krebs.retiolum";
+    default = {};
+    description = ''
+      define a tinc network
+    '';
+    type = with types; attrsOf (submodule (tinc: {
+      options = {
+
+        enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; };
 
         host = mkOption {
           type = types.host;
@@ -17,12 +22,12 @@ let
         };
 
         netname = mkOption {
-      type = types.enum (attrNames cfg.host.nets);
+          type = types.enum (attrNames tinc.config.host.nets);
-      default = "retiolum";
+          default = tinc.config._module.args.name;
           description = ''
             The tinc network name.
             It is used to name the TUN device and to generate the default value for
-        <literal>config.krebs.retiolum.hosts</literal>.
+            <literal>config.krebs.tinc.retiolum.hosts</literal>.
           '';
         };
 
@@ -43,30 +48,30 @@ let
         hosts = mkOption {
           type = with types; attrsOf host;
           default =
-        filterAttrs (_: h: hasAttr cfg.netname h.nets) config.krebs.hosts;
+            filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts;
           description = ''
-        Hosts to generate <literal>config.krebs.retiolum.hostsPackage</literal>.
+            Hosts to generate <literal>config.krebs.tinc.retiolum.hostsPackage</literal>.
             Note that these hosts must have a network named
-        <literal>config.krebs.retiolum.netname</literal>.
+            <literal>config.krebs.tinc.retiolum.netname</literal>.
           '';
         };
 
         hostsPackage = mkOption {
           type = types.package;
           default = pkgs.stdenv.mkDerivation {
-        name = "${cfg.netname}-tinc-hosts";
+            name = "${tinc.config.netname}-tinc-hosts";
             phases = [ "installPhase" ];
             installPhase = ''
               mkdir $out
-          ${concatStrings (mapAttrsToList (_: host: ''
+              ${concatStrings (lib.mapAttrsToList (_: host: ''
-            echo ${shell.escape host.nets.${cfg.netname}.tinc.config} \
+                echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
                   > $out/${shell.escape host.name}
-          '') cfg.hosts)}
+              '') tinc.config.hosts)}
             '';
           };
           description = ''
             Package of tinc host configuration files.  By default, a package will
-        be generated from <literal>config.krebs.retiolum.hosts</literal>.  This
+            be generated from <literal>config.krebs.${tinc.config.netname}.hosts</literal>.  This
             option's main purpose is to expose the generated hosts package to other
             modules, like <literal>config.krebs.tinc_graphs</literal>.  But it can
             also be used to provide a custom hosts directory.
@@ -89,9 +94,9 @@ let
         privkey = mkOption {
           type = types.secret-file;
           default = {
-        path = "${cfg.user.home}/tinc.rsa_key.priv";
+            path = "${tinc.config.user.home}/tinc.rsa_key.priv";
-        owner = cfg.user;
+            owner = tinc.config.user;
-        source-path = toString <secrets> + "/${cfg.netname}.rsa_key.priv";
+            source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
           };
         };
 
@@ -112,19 +117,59 @@ let
         user = mkOption {
           type = types.user;
           default = {
-        name = cfg.netname;
+            name = tinc.config.netname;
-        home = "/var/lib/${cfg.user.name}";
+            home = "/var/lib/${tinc.config.user.name}";
           };
         };
       };
+    }));
+  };
 
   imp = {
-    krebs.secret.files."${cfg.netname}.rsa_key.priv" = cfg.privkey;
+    # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
+    # avoid conflicts in environment if the packages differ
 
-    environment.systemPackages = [ tinc iproute ];
+    krebs.secret.files = mapAttrs' (netname: cfg:
+      nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc;
+    users.users = mapAttrs' (netname: cfg:
+      nameValuePair "${netname}" {
+        inherit (cfg.user) home name uid;
+        createHome = true;
+      }
+    ) config.krebs.tinc;
 
-    systemd.services.${cfg.netname} = {
+    systemd.services = mapAttrs (netname: cfg:
-      description = "Tinc daemon for Retiolum";
+      let
+        net = cfg.host.nets.${netname};
+        tinc = cfg.tincPackage;
+        iproute = cfg.iproutePackage;
+
+        confDir = let
+          namePathPair = name: path: { inherit name path; };
+        in pkgs.linkFarm "${netname}-etc-tinc" (mapAttrsToList namePathPair {
+            "hosts" = cfg.hostsPackage;
+            "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" ''
+              Name = ${cfg.host.name}
+              Interface = ${netname}
+              ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
+              PrivateKeyFile = ${cfg.privkey.path}
+              ${cfg.extraConfig}
+            '';
+            "tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
+              ${iproute}/sbin/ip link set ${netname} up
+              ${optionalString (net.ip4 != null) /* sh */ ''
+                ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
+                ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
+              ''}
+              ${optionalString (net.ip6 != null) /* sh */ ''
+                ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
+                ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
+              ''}
+            '';
+          }
+        );
+      in {
+        description = "Tinc daemon for ${netname}";
         after = [ "network.target" ];
         wantedBy = [ "multi-user.target" ];
         requires = [ "secret.service" ];
@@ -132,44 +177,9 @@ let
         serviceConfig = rec {
           Restart = "always";
           ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
-        SyslogIdentifier = cfg.netname;
+          SyslogIdentifier = netname;
         };
+      }
+    ) config.krebs.tinc;
   };
-
-    users.users.${cfg.user.name} = {
-      inherit (cfg.user) home name uid;
-      createHome = true;
-    };
-  };
-
-  net = cfg.host.nets.${cfg.netname};
-
-  tinc = cfg.tincPackage;
-
-  iproute = cfg.iproutePackage;
-
-  confDir = let
-    namePathPair = name: path: { inherit name path; };
-  in pkgs.linkFarm "${cfg.netname}-etc-tinc" (mapAttrsToList namePathPair {
-    "hosts" = cfg.hostsPackage;
-    "tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" ''
-      Name = ${cfg.host.name}
-      Interface = ${cfg.netname}
-      ${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
-      PrivateKeyFile = ${cfg.privkey.path}
-      ${cfg.extraConfig}
-    '';
-    "tinc-up" = pkgs.writeDash "${cfg.netname}-tinc-up" ''
-      ${iproute}/sbin/ip link set ${cfg.netname} up
-      ${optionalString (net.ip4 != null) /* sh */ ''
-        ${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${cfg.netname}
-        ${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${cfg.netname}
-      ''}
-      ${optionalString (net.ip6 != null) /* sh */ ''
-        ${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${cfg.netname}
-        ${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${cfg.netname}
-      ''}
-    '';
-  });
-
 in out

krebs/3modules/tinc_graphs.nix

@@ -23,7 +23,7 @@ let
     hostsPath = mkOption {
       type = types.str;
       description = "Path to Hosts directory";
-      default = "${config.krebs.retiolum.hostsPackage}";
+      default = "${config.krebs.tinc.retiolum.hostsPackage}";
     };
 
     network = mkOption {

krebs/5pkgs/fortclientsslvpn/default.nix

@@ -5,9 +5,10 @@ stdenv.mkDerivation rec {
   # forticlient will be copied into /tmp before execution. this is necessary as
   # the software demands $base to be writeable
 
+  # TODO: chroot and create the following files instead of copying files manually
   # mkdir /etc/ppp ; touch /etc/ppp/options
-  ## i still have not found which tool uses tail ... i tried redirecting it in forticlientsslvpn and subproc
   # ln -s /run/current-system/sw/bin/tail /usr/bin/tail
+  # ln -s /run/current-system/sw/bin/pppd /usr/sbin/pppd
 
   src = fetchurl {
     # archive.org mirror:
@@ -62,7 +63,7 @@ stdenv.mkDerivation rec {
     cp -r 64bit/. "$out/opt/fortinet"
     wrapProgram $out/opt/fortinet/forticlientsslvpn \
       --set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
-      --set NIX_REDIRECTS /usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/ppp=${ppp}/bin/ppp
+      --set NIX_REDIRECTS /usr/bin/tail=${coreutils}/bin/tail:/usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/pppd=${ppp}/bin/pppd
 
     mkdir -p "$out/bin/"
 

lass/1systems/prism.nix

@@ -226,7 +226,7 @@ in {
     {
       users.users.tv = {
         uid = genid "tv";
-        home = "/home/tv";
+        inherit (config.krebs.users.tv) home;
         group = "users";
         createHome = true;
         useDefaultShell = true;

lass/2configs/audit.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  security.audit = {
+    rules = [
+      "-a task,never"
+    ];
+  };
+}

lass/2configs/buildbot-standalone.nix

@@ -86,17 +86,17 @@ in {
                       ["make \
                             test \
                             ssh=${sshWrapper} \
-                            target=build@localhost:${config.users.users.build.home}/testbuild \
+                            target=build@localhost${config.users.users.build.home}/testbuild \
                             method=build \
                             system={}".format(i)])
 
-        for i in [ "pornocauster", "wry" ]:
+        for i in [ "pornocauster", "wry", "vbob", "wbob", "shoney" ]:
           addShell(f,name="build-{}".format(i),env=env_makefu,
                   command=nixshell + \
                       ["make \
                             test \
                             ssh=${sshWrapper} \
-                            target=build@localhost:${config.users.users.build.home}/testbuild \
+                            target=build@localhost${config.users.users.build.home}/testbuild \
                             method=build \
                             system={}".format(i)])
 
@@ -147,7 +147,7 @@ in {
     password = "lasspass";
     packages = with pkgs; [ gnumake jq nix populate ];
     extraEnviron = {
-      NIX_PATH="nixpkgs=/var/src/nixpkgs";
+      NIX_PATH="/var/src";
     };
   };
   config.krebs.iptables = {

lass/2configs/default.nix

@@ -3,13 +3,14 @@
 with config.krebs.lib;
 {
   imports = [
-    ../2configs/vim.nix
+    ../2configs/audit.nix
-    ../2configs/zsh.nix
-    ../2configs/mc.nix
-    ../2configs/retiolum.nix
-    ../2configs/nixpkgs.nix
     ../2configs/binary-cache/client.nix
     ../2configs/gc.nix
+    ../2configs/mc.nix
+    ../2configs/nixpkgs.nix
+    ../2configs/retiolum.nix
+    ../2configs/vim.nix
+    ../2configs/zsh.nix
     ./backups.nix
     {
       users.extraUsers =

lass/2configs/downloading.nix

@@ -5,9 +5,6 @@ with config.krebs.lib;
 let
   rpc-password = import <secrets/transmission-pw>;
 in {
-  imports = [
-    ../3modules/folderPerms.nix
-  ];
 
   users.extraUsers = {
     download = {
@@ -64,15 +61,4 @@ in {
       { predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
     ];
   };
-
-  lass.folderPerms = {
-    enable = true;
-    permissions = [
-      {
-        path = "/var/download";
-        permission = "775";
-        owner = "transmission:download";
-      }
-    ];
-  };
 }

lass/2configs/exim-smarthost.nix

@@ -27,7 +27,6 @@ with config.krebs.lib;
       { from = "lass@aidsballs.de"; to = lass.mail; }
       { from = "wordpress@ubikmedia.de"; to = lass.mail; }
       { from = "finanzamt@lassul.us"; to = lass.mail; }
-      { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
       { from = "netzclub@lassul.us"; to = lass.mail; }
       { from = "nebenan@lassul.us"; to = lass.mail; }
     ];

lass/2configs/nixpkgs.nix

@@ -1,8 +1,8 @@
 { ... }:
 
 {
-  krebs.build.source.nixpkgs = {
+  krebs.build.source.nixpkgs.git = {
       url = https://github.com/lassulus/nixpkgs;
-      rev = "446d4c1fc10f53cf97abea1996d067ad93de2ded";
+      ref = "c6ca9c8c8b7eb8f8e68868e36fb90e162adf080f";
     };
 }

lass/2configs/repo-sync.nix

@@ -91,12 +91,11 @@ in {
     (sync-remote "repo-sync" "https://github.com/makefu/repo-sync")
     (sync-remote "skytraq-datalogger" "https://github.com/makefu/skytraq-datalogger")
     (sync-remote "xintmap" "https://github.com/4z3/xintmap")
+    (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
     (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
     (sync-retiolum "go")
     (sync-retiolum "much")
     (sync-retiolum "newsbot-js")
-    (sync-retiolum "painload")
-    (sync-retiolum "realwallpaper")
     (sync-retiolum "stockholm")
     (sync-retiolum "wai-middleware-time")
     (sync-retiolum "web-routes-wai-custom")

lass/2configs/retiolum.nix

@@ -12,7 +12,7 @@
     };
   };
 
-  krebs.retiolum = {
+  krebs.tinc.retiolum = {
     enable = true;
     connectTo = [
       "prism"

lass/2configs/websites/domsen.nix

@@ -110,14 +110,6 @@ in {
     };
   };
 
-  users.users.domsen = {
-    uid = genid "domsen";
-    description = "maintenance acc for domsen";
-    home = "/home/domsen";
-    useDefaultShell = true;
-    extraGroups = [ "nginx" ];
-    createHome = true;
-  };
 
   #services.phpfpm.phpOptions = ''
   #  extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
@@ -133,5 +125,40 @@ in {
     cat ${pkgs.php}/etc/php-recommended.ini > $out
     echo "$options" >> $out
   '';
+
+  # MAIL STUFF
+  # TODO: make into its own module
+    services.dovecot2 = {
+      enable = true;
+      mailLocation = "maildir:~/Mail";
+    };
+    krebs.iptables.tables.filter.INPUT.rules = [
+      { predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
+      { predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
+    ];
+  krebs.exim-smarthost = {
+    internet-aliases = [
+      { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
+      { from = "mail@jla-trading.com"; to = "jla-trading"; }
+    ];
+    system-aliases = [
+    ];
+  };
+
+  users.users.domsen = {
+    uid = genid "domsen";
+    description = "maintenance acc for domsen";
+    home = "/home/domsen";
+    useDefaultShell = true;
+    extraGroups = [ "nginx" ];
+    createHome = true;
+  };
+
+  users.users.jla-trading = {
+    uid = genid "jla-trading";
+    home = "/home/jla-trading";
+    useDefaultShell = true;
+    createHome = true;
+  };
 }
 

lass/2configs/websites/fritz.nix

@@ -7,6 +7,7 @@ let
     head
   ;
   inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
+    manageCerts
     ssl
     servePage
     serveWordpress
@@ -48,6 +49,9 @@ in {
 
     (ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
     (servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
+
+    (manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ])
+    (serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
   ];
 
   lass.mysqlBackup.config.all.databases = [
@@ -74,6 +78,16 @@ in {
     config.krebs.users.fritz.pubkey
   ];
 
+  users.users.goldbarrendiebstahl = {
+    home = "/srv/http/goldbarrendiebstahl.radical-dreamers.de";
+    uid = genid "goldbarrendiebstahl";
+    createHome = true;
+    useDefaultShell = true;
+    openssh.authorizedKeys.keys = [
+      config.krebs.users.fritz.pubkey
+    ];
+  };
+
   services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
      options = ''
       extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so

makefu/1systems/darth.nix

@@ -17,6 +17,7 @@ in {
       ../2configs/exim-retiolum.nix
       ../2configs/virtualization.nix
 
+      ../2configs/tinc/retiolum.nix
       ../2configs/temp-share-samba.nix
   ];
   services.samba.shares = {
@@ -39,7 +40,6 @@ in {
   };
 
   #networking.firewall.enable = false;
-  krebs.retiolum.enable = true;
 
   boot.kernelModules = [ "coretemp" "f71882fg" ];
   hardware.enableAllFirmware = true;

makefu/1systems/filepimp.nix

@@ -22,8 +22,8 @@ in {
       ../.
       ../2configs/fs/single-partition-ext4.nix
       ../2configs/smart-monitor.nix
+      ../2configs/tinc/retiolum.nix
     ];
-  krebs.retiolum.enable = true;
   krebs.build.host = config.krebs.hosts.filepimp;
   # AMD N54L
   boot = {

makefu/1systems/gum.nix

@@ -19,6 +19,7 @@ in {
       ../2configs/deployment/mycube.connector.one.nix
 
       ../2configs/exim-retiolum.nix
+      ../2configs/tinc/retiolum.nix
       ../2configs/urlwatch.nix
 
   ];
@@ -27,8 +28,7 @@ in {
 
   ###### stable
   krebs.build.host = config.krebs.hosts.gum;
-  krebs.retiolum = {
+  krebs.tinc.retiolum = {
-    enable = true;
     extraConfig = ''
       ListenAddress = ${external-ip} 53
       ListenAddress = ${external-ip} 655

makefu/1systems/omo.nix

@@ -47,12 +47,12 @@ in {
       #../2configs/graphite-standalone.nix
       #../2configs/share-user-sftp.nix
       ../2configs/omo-share.nix
+      ../2configs/tinc/retiolum.nix
 
       ## as long as pyload is not in nixpkgs:
       # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
     ];
 
-  krebs.retiolum.enable = true;
   networking.firewall.trustedInterfaces = [ primaryInterface ];
   # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
   # tcp:80          - nginx for sharing files

makefu/1systems/pnp.nix

@@ -15,11 +15,12 @@
       <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
       ../2configs/fs/vm-single-partition.nix
 
+      ../2configs/tinc/retiolum.nix
+
       # config.system.build.vm
-      <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
+      (toString <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>)
     ];
 
-  krebs.retiolum.enable = true;
   virtualisation.graphics = false;
   # also export secrets, see Usage above
   fileSystems = pkgs.lib.mkVMOverride {

makefu/1systems/pornocauster.nix

@@ -38,8 +38,9 @@
       #../2configs/wordpress.nix
       ../2configs/nginx/public_html.nix
 
+      ../2configs/tinc/retiolum.nix
       # temporary modules
-      # ../2configs/temp/share-samba.nix
+      ../2configs/temp/share-samba.nix
       # ../2configs/temp/elkstack.nix
       # ../2configs/temp/sabnzbd.nix
     ];
@@ -69,10 +70,9 @@
 
   krebs.build.host = config.krebs.hosts.pornocauster;
   krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
-  krebs.retiolum = {
+
-    enable = true;
+  krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ];
-    connectTo = [ "omo" "gum" "prism" ];
+
-  };
   networking.extraHosts = ''
     192.168.1.11 omo.local
   '';

makefu/1systems/repunit.nix

@@ -10,6 +10,7 @@
       ../.
       <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
       ../2configs/git/cgit-retiolum.nix
+      ../2configs/tinc/retiolum.nix
     ];
   krebs.build.host = config.krebs.hosts.repunit;
 
@@ -31,14 +32,6 @@
   { device = "/dev/disk/by-label/nixos";
     fsType = "ext4";
   };
-  krebs.retiolum = {
-    enable = true;
-    connectTo = [
-      "gum"
-      "pigstarter"
-      "fastpoke"
-    ];
-  };
 
 # $ nix-env -qaP | grep wget
   environment.systemPackages = with pkgs; [

makefu/1systems/shoney.nix

@@ -13,15 +13,12 @@ in {
     ../2configs/save-diskspace.nix
     ../2configs/hw/CAC.nix
     ../2configs/fs/CAC-CentOS-7-64bit.nix
+    ../2configs/tinc/retiolum.nix
   ];
 
 
-  environment.systemPackages = [ pkgs.honeyd ];
-  services.tinc.networks.siem.name = "sjump";
-
   krebs = {
     enable = true;
-    retiolum.enable = true;
     build.host = config.krebs.hosts.shoney;
     nginx.enable = true;
     tinc_graphs = {

makefu/1systems/tsp.nix

@@ -17,9 +17,9 @@
 
       ../2configs/zsh-user.nix
       ../2configs/exim-retiolum.nix
+      ../2configs/tinc/retiolum.nix
     ];
   # not working in vm
-  krebs.retiolum.enable = true;
   krebs.build.host = config.krebs.hosts.tsp;
 
   networking.firewall.allowedTCPPorts = [

makefu/1systems/vbob.nix

@@ -8,9 +8,10 @@
       (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
       (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
       ../2configs/main-laptop.nix #< base-gui
-      # (toString <secrets>)/extra-hosts.nix
+      # <secrets/extra-hosts.nix>
 
       # environment
+      ../2configs/tinc/retiolum.nix
 
     ];
   # workaround for https://github.com/NixOS/nixpkgs/issues/16641
@@ -28,8 +29,15 @@
         openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey  ];
     };
   };
+
+  environment.shellAliases = {
+    forti  = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn";
+  };
+  # TODO: for forticleintsslpn
+  #       ln -s /r/current-system/sw/bin/pppd /usr/sbin/pppd
+  #       ln -s /r/current-system/sw/bin/tail /usr/bin/tail
   environment.systemPackages = with pkgs;[
-    fortclientsslvpn
+    fortclientsslvpn ppp xclip
     get
     logstash
     docker
@@ -45,13 +53,6 @@
     8010
   ];
 
-  krebs.retiolum = {
-    enable = true;
-    connectTo = [
-      "omo"
-      "gum"
-    ];
-  };
   virtualisation.docker.enable = false;
 
   fileSystems."/media/share" = {

makefu/1systems/wbob.nix

@@ -1,5 +1,7 @@
 { config, pkgs, ... }:
-{
+let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115";
+in {
+
   makefu.awesome = {
     modkey = "Mod1";
     #TODO: integrate kiosk config into full config by templating the autostart
@@ -9,19 +11,19 @@
     [ # Include the results of the hardware scan.
       ../.
       ../2configs/main-laptop.nix
+      ../2configs/virtualization.nix
+      ../2configs/tinc/retiolum.nix
     ];
   krebs = {
       enable = true;
-      retiolum.enable = true;
       build.host = config.krebs.hosts.wbob;
   };
   networking.firewall.allowedUDPPorts = [ 1655 ];
-  networking.firewall.allowedTCPPorts = [ 1655 ];
+  networking.firewall.allowedTCPPorts = [ 1655 49152 ];
   services.tinc.networks.siem = {
     name = "display";
     extraConfig = ''
       ConnectTo = sjump
-      Port = 1655
     '';
   };
 
@@ -35,12 +37,12 @@
 
 
   # nuc hardware
-  boot.loader.grub.device = "/dev/sda";
+  boot.loader.grub.device = rootdisk;
   hardware.cpu.intel.updateMicrocode = true;
   boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
   boot.kernelModules = [ "kvm-intel" ];
   fileSystems."/" = {
-      device = "/dev/sda1";
+      device = rootdisk + "-part1";
       fsType = "ext4";
   };
 

makefu/1systems/wry.nix

@@ -25,8 +25,9 @@ in {
 
       # collectd
       ../2configs/collectd/collectd-base.nix
+
+      ../2configs/tinc/retiolum.nix
   ];
-  krebs.retiolum.enable = true;
 
   krebs.build.host = config.krebs.hosts.wry;
 

makefu/2configs/bepasty-dual.nix

@@ -15,6 +15,9 @@ let
   sec = toString <secrets>;
   # secKey is nothing worth protecting on a local machine
   secKey = import <secrets/bepasty-secret.nix>;
+  acmepath = "/var/lib/acme/";
+  acmechall = acmepath + "/challenges/";
+  ext-dom = "paste.krebsco.de" ;
 in {
 
   krebs.nginx.enable = mkDefault true;
@@ -25,7 +28,7 @@ in {
     servers = {
       internal = {
         nginx = {
-          server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
+          server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
         };
         defaultPermissions = "admin,list,create,read,delete";
         secretKey = secKey;
@@ -33,17 +36,25 @@ in {
 
       external = {
         nginx = {
-          server-names = [ "paste.krebsco.de" ];
+          server-names = [ ext-dom ];
+          ssl = {
+            enable = true;
+            certificate = "${acmepath}/${ext-dom}/fullchain.pem";
+            certificate_key = "${acmepath}/${ext-dom}/key.pem";
+            # these certs will be needed if acme has not yet created certificates:
+            #certificate =   "${sec}/wildcard.krebsco.de.crt";
+            #certificate_key = "${sec}/wildcard.krebsco.de.key";
+            ciphers = "RC4:HIGH:!aNULL:!MD5" ;
+          };
+          locations = singleton ( nameValuePair  "/.well-known/acme-challenge" ''
+            root ${acmechall}/${ext-dom}/;
+          '');
           extraConfig = ''
           ssl_session_cache    shared:SSL:1m;
           ssl_session_timeout  10m;
-          ssl_certificate     ${sec}/wildcard.krebsco.de.crt;
-          ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
           ssl_verify_client off;
           proxy_ssl_session_reuse off;
-          ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
+
-          ssl_ciphers RC4:HIGH:!aNULL:!MD5;
-          ssl_prefer_server_ciphers on;
           if ($scheme = http){
             return 301 https://$server_name$request_uri;
           }'';
@@ -53,4 +64,12 @@ in {
       };
     };
   };
+  security.acme.certs."${ext-dom}" = {
+    email = "acme@syntax-fehler.de";
+    webroot = "${acmechall}/${ext-dom}/";
+    group = "nginx";
+    allowKeysForGroup = true;
+    postRun = "systemctl reload nginx.service";
+    extraDomains."${ext-dom}" = null ;
+  };
 }

makefu/2configs/default.nix

@@ -17,7 +17,6 @@ with config.krebs.lib;
   krebs = {
     enable = true;
 
-    dns.providers.siem = "hosts";
     dns.providers.lan  = "hosts";
     search-domain = "retiolum";
     build = {
@@ -25,7 +24,7 @@ with config.krebs.lib;
       source = let inherit (config.krebs.build) host user; in {
         nixpkgs.git = {
           url = https://github.com/nixos/nixpkgs;
-          ref = "0546a4a"; # stable @ 2016-06-11
+          ref = "125ffff"; # stable @ 2016-07-20
         };
         secrets.file =
           if getEnv "dummy_secrets" == "true"
@@ -67,7 +66,7 @@ with config.krebs.lib;
     startAgent = false;
   };
   services.openssh.enable = true;
-  nix.useChroot = true;
+  nix.useSandbox = true;
 
   users.mutableUsers = false;
 
@@ -171,4 +170,10 @@ with config.krebs.lib;
     consoleKeyMap = "us";
     defaultLocale = "en_US.UTF-8";
   };
+  # suppress chrome autit event messages
+  security.audit = {
+      rules = [
+        "-a task,never"
+      ];
+    };
 }

makefu/2configs/hw/tp-x220.nix

@@ -8,10 +8,9 @@ with config.krebs.lib;
     kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
     extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
   };
-
+  hardware.opengl.extraPackages =  [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
   services.xserver = {
     videoDriver = "intel";
-    vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
     deviceSection = ''
       Option "AccelMethod" "sna"
     '';

makefu/2configs/temp/share-samba.nix

@@ -0,0 +1,36 @@
+{config, ... }:{
+  users.users.smbguest = {
+    name = "smbguest";
+    uid = config.ids.uids.smbguest;
+    description = "smb guest user";
+    home = "/var/empty";
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    139 445 # samba
+  ];
+
+  networking.firewall.allowedUDPPorts = [
+    137 138
+  ];
+  services.samba = {
+    enable = true;
+    shares = {
+      share-home = {
+        path = "/home/share/";
+        "read only" = "no";
+        browseable = "yes";
+        "guest ok" = "yes";
+      };
+    };
+    extraConfig = ''
+      guest account = smbguest
+      map to guest = bad user
+      # disable printing
+      load printers = no
+      printing = bsd
+      printcap name = /dev/null
+      disable spoolss = yes
+    '';
+  };
+}

makefu/2configs/tinc/retiolum.nix

@@ -0,0 +1,4 @@
+_:
+{
+  krebs.tinc.retiolum.enable = true;
+}

makefu/2configs/virtualization-virtualbox.nix

@@ -2,20 +2,22 @@
 
 let
   mainUser = config.krebs.build.user;
+  vboxguestpkg =  lib.stdenv.mkDerivation rec {
+    name = "Virtualbox-Extensions-${version}-${rev}";
     version = "5.0.20";
     rev = "106931";
-  vboxguestpkg = pkgs.fetchurl {
+    src = pkgs.fetchurl {
         url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack";
         sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf";
       };
+  };
 in {
-  #inherit vboxguestpkg;
   virtualisation.virtualbox.host.enable = true;
   nixpkgs.config.virtualbox.enableExtensionPack = true;
 
   users.extraGroups.vboxusers.members = [ "${mainUser.name}" ];
   nixpkgs.config.packageOverrides = super: {
-    boot.kernelPackages = super.boot.kernelPackages.virtualbox.override {
+    boot.kernelPackages.virtualbox = super.boot.kernelPackages.virtualbox.override {
       buildInputs = super.boot.kernelPackages.virtualBox.buildInputs
         ++ [ vboxguestpkg ];
     };

makefu/2configs/zsh-user.nix

@@ -22,15 +22,11 @@ in
       bindkey "\e[3~" delete-char
       zstyle ':completion:*' menu select
 
-      # load gpg-agent
+      gpg-connect-agent updatestartuptty /bye >/dev/null
-      envfile="$HOME/.gnupg/gpg-agent.env"
+      GPG_TTY=$(tty)
-      if [ -e "$envfile" ] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
+      export GPG_TTY
-        eval "$(cat "$envfile")"
+      unset SSH_AGENT_PID
-      else
+      export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
-        eval "$(${pkgs.gnupg}/bin/gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
-      fi
-      export GPG_AGENT_INFO
-      export SSH_AUTH_SOCK
       '';
 
     promptInit = ''

makefu/5pkgs/default.nix

@@ -19,7 +19,6 @@ in
     skytraq-logger = callPackage ./skytraq-logger {};
     taskserver = callPackage ./taskserver {};
     ps3netsrv = callPackage ./ps3netsrv {};
-    honeyd = callPackage ./honeyd {};
     farpd = callPackage ./farpd {};
   };
 }

makefu/5pkgs/devpi/default.nix

@@ -8,7 +8,7 @@ let
       url = "https://pypi.python.org/packages/source/e/execnet/${name}.tar.gz";
       sha256 = "1rpk1vyclhg911p3hql0m0nrpq7q7mysxnaaw6vs29cpa6kx8vgn";
     };
-
+    doCheck = false; # http://prism:8010/builders/build-all/builds/177/steps/build-vbob/logs/stdio
     propagatedBuildInputs = with pkgs.python3Packages;
       [ setuptools_scm apipkg ];
     meta = {

makefu/5pkgs/honeyd/default.nix

@@ -1,62 +0,0 @@
-{ stdenv, lib, pkgs, fetchurl,fetchFromGitHub,
-  libpcap, libdnet, libevent, readline, autoconf, automake, libtool, zlib, pcre,
-  ... }:
-stdenv.mkDerivation rec {
-  name = "honeyd-${version}";
-
-  #version = "1.5c"; #original, does not compile due to libc errors
-  #src = fetchurl {
-  #  url = "http://www.honeyd.org/uploads/honeyd-${version}.tar.gz";
-  #  sha256 = "0vcih16fk5pir5ssfil8x79nvi62faw0xvk8s5klnysv111db1ii";
-  #};
-
-  #version = "64d087c"; # honeyd-1.6.7
-  #  sha256 = "0zhnn13r24y1q494xcfx64vyp84zqk8qmsl41fq2674230bn0p31";
-
-  version  = "c135fea08"; #nova-13.09
-  src = fetchFromGitHub {
-    owner = "DataSoft";
-    repo = "honeyd";
-    rev = version;
-    sha256 = "1r9qds7a1yp3nkccwh3isrizpr2njhpf1m6qp3lqkj0i9c4w6x44";
-  };
-
-  buildInputs = with pkgs;[
-    automake
-    gnugrep
-    libpcap
-    libdnet
-    pcre
-    libevent
-    readline
-    autoconf
-    libtool
-    zlib
-    coreutils
-    python
-    pythonPackages.sqlite3
-  ];
-  patches = [ ./fix-autogen.patch ];
-
-  # removes user install script from Makefile before automake
-  preConfigure = ''
-    sed -i '/init.py$/d' Makefile.am
-    sh ./autogen.sh
-  '';
-
-  makeFlags = [ "LIBS=-lz" ];
-  configureFlags = [
-    "--with-libpcap=${libpcap}"
-    "--with-libevent=${libevent}"
-    "--with-zlib=${zlib}"
-    "--with-python"
-    "--with-libpcre=${pcre}"
-    "--with-libreadline=${readline}"
-  ];
-
-  meta = {
-    homepage = http://www.honeyd.org/;
-    description = "virtual Honeypots";
-    license = lib.licenses.gpl2;
-  };
-}

makefu/5pkgs/honeyd/fix-autogen.patch

@@ -1,42 +0,0 @@
---- ./configure.in	2016-06-27 18:36:06.640779048 +0200
-+++ ./configure.in	2016-06-27 18:34:53.968803854 +0200
-@@ -119,11 +119,11 @@
-      ;;
-   *)
-      AC_MSG_RESULT($withval)
--     if test -f $withval/pcap.h -a -f $withval/libpcap.a; then
-+     if test -f $withval/include/pcap.h -a -f $withval/lib/libpcap.so; then
-         owd=`pwd`
-         if cd $withval; then withval=`pwd`; cd $owd; fi
--	PCAPINC="-I$withval -I$withval/bpf"
--	PCAPLIB="-L$withval -lpcap"
-+	PCAPINC="-I$withval/include -I$withval/include/bpf"
-+	PCAPLIB="-L$withval/lib -lpcap"
-      else
-         AC_ERROR(pcap.h or libpcap.a not found in $withval)
-      fi
-@@ -230,7 +230,7 @@
-         if cd $withval; then withval=`pwd`; cd $owd; fi
-         EVENTINC="-I$withval"
-         EVENTLIB="-L$withval -levent"
--     elif test -f $withval/include/event.h -a -f $withval/lib/libevent.a; then
-+     elif test -f $withval/include/event.h -a -f $withval/lib/libevent.so; then
-         owd=`pwd`
-         if cd $withval; then withval=`pwd`; cd $owd; fi
- 	EVENTINC="-I$withval/include"
-@@ -354,12 +354,12 @@
-      ;;
-   *)
-      AC_MSG_RESULT($withval)
--     if test -f $withval/readline/readline.h -a -f $withval/libreadline.a; then
-+     if test -f $withval/include/readline/readline.h -o -f $withval/lib/libreadline.so; then
-         owd=`pwd`
-         if cd $withval; then withval=`pwd`; cd $owd; fi
- 	AC_DEFINE(HAVE_LIBREADLINE, 1, [Define if you have libreadline])
--        EDITINC="-I$withval"
--        EDITLIB="-L$withval -lreadline"
-+        EDITINC="-I$withval/include"
-+        EDITLIB="-L$withval/lib -lreadline"
-      else
-         AC_ERROR(readline/readline.h or libreadline.a not found in $withval)
-      fi

shared/1systems/test-all-krebs-modules.nix

@@ -38,7 +38,7 @@ in {
     };
     nginx.enable = true;
     realwallpaper.enable = true;
-    retiolum.enable = true;
+    tinc.retiolum.enable = true;
     retiolum-bootstrap.enable = true;
     tinc_graphs.enable = true;
     urlwatch.enable = true;

shared/1systems/wolf.nix

@@ -15,14 +15,14 @@ in
     ../2configs/shared-buildbot.nix
     ../2configs/cgit-mirror.nix
     ../2configs/repo-sync.nix
-    # ../2configs/graphite.nix
+    ../2configs/graphite.nix
   ];
   # use your own binary cache, fallback use cache.nixos.org (which is used by
   # apt-cacher-ng in first place)
 
   # local discovery in shackspace
   nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
-  krebs.retiolum.extraConfig = "TCPOnly = yes";
+  krebs.tinc.retiolum.extraConfig = "TCPOnly = yes";
   services.grafana = {
     enable = true;
     addr = "0.0.0.0";

shared/2configs/base.nix

@@ -3,7 +3,7 @@
 with config.krebs.lib;
 {
   krebs.enable = true;
-  krebs.retiolum.enable = true;
+  krebs.tinc.retiolum.enable = true;
 
   # TODO rename shared user to "krebs"
   krebs.build.user = mkDefault config.krebs.users.shared;

shared/2configs/repo-sync.nix

@@ -17,7 +17,7 @@ with lib;
         mirror.url = mirror;
       };
       lassulus = {
-        origin.url = http://cgit.cloudkrebs/stockholm ;
+        origin.url = http://cgit.prism/stockholm ;
         mirror.url = mirror;
       };
       "@latest" = {

tv/2configs/retiolum.nix

@@ -3,7 +3,7 @@
 with config.krebs.lib;
 
 {
-  krebs.retiolum = {
+  krebs.tinc.retiolum = {
     enable = true;
     connectTo = filter (ne config.krebs.build.host.name) [
       "gum"