Merge remote-tracking branch 'prism/master'

tv 2016-07-22 13:22:13 +02:00
commit 45c62ec4d3
45 changed files with 386 additions and 378 deletions


@ -37,7 +37,7 @@ let
config = config =
# This configuration makes only sense for retiolum-enabled hosts. # This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration # TODO modular configuration
assert config.krebs.retiolum.enable; assert config.krebs.tinc.retiolum.enable;
'' ''
keep_environment = keep_environment =


@ -259,8 +259,13 @@ with config.krebs.lib;
}; };
filepimp = rec { filepimp = rec {
cores = 1; cores = 1;
nets = { nets = {
lan = {
ip4.addr = "192.168.1.12";
aliases = [
"filepimp.lan"
];
};
retiolum = { retiolum = {
ip4.addr = "10.243.153.102"; ip4.addr = "10.243.153.102";
ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0"; ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0";
@ -286,6 +291,12 @@ with config.krebs.lib;
cores = 2; cores = 2;
nets = { nets = {
lan = {
ip4.addr = "192.168.1.11";
aliases = [
"omo.lan"
];
};
retiolum = { retiolum = {
ip4.addr = "10.243.0.89"; ip4.addr = "10.243.0.89";
ip6.addr = "42:f9f0::10"; ip6.addr = "42:f9f0::10";


@ -27,12 +27,12 @@ let
ssl_certificate_key = mkOption { ssl_certificate_key = mkOption {
type = types.str; type = types.str;
description = "Certificate key to use for ssl"; description = "Certificate key to use for ssl";
default = "/root/secrets/tinc.krebsco.de.key"; default = "${toString <secrets>}/tinc.krebsco.de.key";
}; };
ssl_certificate = mkOption { ssl_certificate = mkOption {
type = types.str; type = types.str;
description = "Certificate file to use for ssl"; description = "Certificate file to use for ssl";
default = "/root/secrets/tinc.krebsco.de.crt" ; default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
}; };
# in use: # in use:
# <secrets/tinc.krebsco.de.crt> # <secrets/tinc.krebsco.de.crt>
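Review bot: The new defaults depend on `toString <secrets>` to keep the key location a plain string, and nothing in the hunk says so; a reader who later "simplifies" it to `"${<secrets>}/tinc.krebsco.de.key"` would make Nix copy the whole secrets directory into the world-readable store at evaluation time. Add a comment above `ssl_certificate_key`, `# toString keeps <secrets> out of /nix/store; never interpolate the path directly`, so the distinction survives the next edit. The trailing `# in use:` comment still lists `<secrets/tinc.krebsco.de.crt>` as a path expression, which is the very form the defaults now avoid; it is worth rewording to the string form to avoid suggesting the copy-to-store pattern.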


@ -1,15 +1,20 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
with config.krebs.lib; with config.krebs.lib;
let let
cfg = config.krebs.retiolum;
out = { out = {
options.krebs.retiolum = api; options.krebs.tinc = api;
config = lib.mkIf cfg.enable imp; config = imp;
}; };
api = { api = mkOption {
enable = mkEnableOption "krebs.retiolum"; default = {};
description = ''
define a tinc network
'';
type = with types; attrsOf (submodule (tinc: {
options = {
enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; };
host = mkOption { host = mkOption {
type = types.host; type = types.host;
@ -17,12 +22,12 @@ let
}; };
netname = mkOption { netname = mkOption {
type = types.enum (attrNames cfg.host.nets); type = types.enum (attrNames tinc.config.host.nets);
default = "retiolum"; default = tinc.config._module.args.name;
description = '' description = ''
The tinc network name. The tinc network name.
It is used to name the TUN device and to generate the default value for It is used to name the TUN device and to generate the default value for
<literal>config.krebs.retiolum.hosts</literal>. <literal>config.krebs.tinc.retiolum.hosts</literal>.
''; '';
}; };
@ -43,30 +48,30 @@ let
hosts = mkOption { hosts = mkOption {
type = with types; attrsOf host; type = with types; attrsOf host;
default = default =
filterAttrs (_: h: hasAttr cfg.netname h.nets) config.krebs.hosts; filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts;
description = '' description = ''
Hosts to generate <literal>config.krebs.retiolum.hostsPackage</literal>. Hosts to generate <literal>config.krebs.tinc.retiolum.hostsPackage</literal>.
Note that these hosts must have a network named Note that these hosts must have a network named
<literal>config.krebs.retiolum.netname</literal>. <literal>config.krebs.tinc.retiolum.netname</literal>.
''; '';
}; };
hostsPackage = mkOption { hostsPackage = mkOption {
type = types.package; type = types.package;
default = pkgs.stdenv.mkDerivation { default = pkgs.stdenv.mkDerivation {
name = "${cfg.netname}-tinc-hosts"; name = "${tinc.config.netname}-tinc-hosts";
phases = [ "installPhase" ]; phases = [ "installPhase" ];
installPhase = '' installPhase = ''
mkdir $out mkdir $out
${concatStrings (mapAttrsToList (_: host: '' ${concatStrings (lib.mapAttrsToList (_: host: ''
echo ${shell.escape host.nets.${cfg.netname}.tinc.config} \ echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
> $out/${shell.escape host.name} > $out/${shell.escape host.name}
'') cfg.hosts)} '') tinc.config.hosts)}
''; '';
}; };
description = '' description = ''
Package of tinc host configuration files. By default, a package will Package of tinc host configuration files. By default, a package will
be generated from <literal>config.krebs.retiolum.hosts</literal>. This be generated from <literal>config.krebs.${tinc.config.netname}.hosts</literal>. This
option's main purpose is to expose the generated hosts package to other option's main purpose is to expose the generated hosts package to other
modules, like <literal>config.krebs.tinc_graphs</literal>. But it can modules, like <literal>config.krebs.tinc_graphs</literal>. But it can
also be used to provide a custom hosts directory. also be used to provide a custom hosts directory.
@ -89,9 +94,9 @@ let
privkey = mkOption { privkey = mkOption {
type = types.secret-file; type = types.secret-file;
default = { default = {
path = "${cfg.user.home}/tinc.rsa_key.priv"; path = "${tinc.config.user.home}/tinc.rsa_key.priv";
owner = cfg.user; owner = tinc.config.user;
source-path = toString <secrets> + "/${cfg.netname}.rsa_key.priv"; source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
}; };
}; };
@ -112,19 +117,59 @@ let
user = mkOption { user = mkOption {
type = types.user; type = types.user;
default = { default = {
name = cfg.netname; name = tinc.config.netname;
home = "/var/lib/${cfg.user.name}"; home = "/var/lib/${tinc.config.user.name}";
}; };
}; };
}; };
}));
};
imp = { imp = {
krebs.secret.files."${cfg.netname}.rsa_key.priv" = cfg.privkey; # TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
# avoid conflicts in environment if the packages differ
environment.systemPackages = [ tinc iproute ]; krebs.secret.files = mapAttrs' (netname: cfg:
nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc;
users.users = mapAttrs' (netname: cfg:
nameValuePair "${netname}" {
inherit (cfg.user) home name uid;
createHome = true;
}
) config.krebs.tinc;
systemd.services.${cfg.netname} = { systemd.services = mapAttrs (netname: cfg:
description = "Tinc daemon for Retiolum"; let
net = cfg.host.nets.${netname};
tinc = cfg.tincPackage;
iproute = cfg.iproutePackage;
confDir = let
namePathPair = name: path: { inherit name path; };
in pkgs.linkFarm "${netname}-etc-tinc" (mapAttrsToList namePathPair {
"hosts" = cfg.hostsPackage;
"tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" ''
Name = ${cfg.host.name}
Interface = ${netname}
${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
PrivateKeyFile = ${cfg.privkey.path}
${cfg.extraConfig}
'';
"tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
${iproute}/sbin/ip link set ${netname} up
${optionalString (net.ip4 != null) /* sh */ ''
${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
''}
${optionalString (net.ip6 != null) /* sh */ ''
${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
''}
'';
}
);
in {
description = "Tinc daemon for ${netname}";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
requires = [ "secret.service" ]; requires = [ "secret.service" ];
@ -132,44 +177,9 @@ let
serviceConfig = rec { serviceConfig = rec {
Restart = "always"; Restart = "always";
ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid"; ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
SyslogIdentifier = cfg.netname; SyslogIdentifier = netname;
}; };
}
) config.krebs.tinc;
}; };
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
};
};
net = cfg.host.nets.${cfg.netname};
tinc = cfg.tincPackage;
iproute = cfg.iproutePackage;
confDir = let
namePathPair = name: path: { inherit name path; };
in pkgs.linkFarm "${cfg.netname}-etc-tinc" (mapAttrsToList namePathPair {
"hosts" = cfg.hostsPackage;
"tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" ''
Name = ${cfg.host.name}
Interface = ${cfg.netname}
${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
PrivateKeyFile = ${cfg.privkey.path}
${cfg.extraConfig}
'';
"tinc-up" = pkgs.writeDash "${cfg.netname}-tinc-up" ''
${iproute}/sbin/ip link set ${cfg.netname} up
${optionalString (net.ip4 != null) /* sh */ ''
${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${cfg.netname}
${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${cfg.netname}
''}
${optionalString (net.ip6 != null) /* sh */ ''
${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${cfg.netname}
${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${cfg.netname}
''}
'';
});
in out in out
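Review bot: `imp` maps over the whole of `config.krebs.tinc` in all three places (`krebs.secret.files`, `users.users`, `systemd.services`) without consulting the per-network `enable` option introduced in the submodule, so a network declared with `enable = false` still has its private key deployed through `krebs.secret.files`, a system user created and a tincd started; the old `lib.mkIf cfg.enable imp` guard has no replacement. Each of the three calls should iterate over `filterAttrs (_: cfg: cfg.enable) config.krebs.tinc` instead, or `enable` should be removed from the submodule so nobody relies on it. Separately, the service body mixes the attribute key `netname` with the overridable option `cfg.netname`: `net = cfg.host.nets.${netname}`, `Interface = ${netname}` and the tinc-up script use the key, while `hostsPackage`, the `tinc.conf` derivation name and `privkey` use `cfg.netname`, so overriding `netname` yields a daemon whose interface and `net` lookup no longer match its hosts directory. The `environment.systemPackages = [ tinc iproute ]` line is removed with only a TODO left behind, which means `tincd`/`tinc` are no longer on the operator's path on any host after this change.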


@ -23,7 +23,7 @@ let
hostsPath = mkOption { hostsPath = mkOption {
type = types.str; type = types.str;
description = "Path to Hosts directory"; description = "Path to Hosts directory";
default = "${config.krebs.retiolum.hostsPackage}"; default = "${config.krebs.tinc.retiolum.hostsPackage}";
}; };
network = mkOption { network = mkOption {


@ -5,9 +5,10 @@ stdenv.mkDerivation rec {
# forticlient will be copied into /tmp before execution. this is necessary as # forticlient will be copied into /tmp before execution. this is necessary as
# the software demands $base to be writeable # the software demands $base to be writeable
# TODO: chroot and create the following files instead of copying files manually
# mkdir /etc/ppp ; touch /etc/ppp/options # mkdir /etc/ppp ; touch /etc/ppp/options
## i still have not found which tool uses tail ... i tried redirecting it in forticlientsslvpn and subproc
# ln -s /run/current-system/sw/bin/tail /usr/bin/tail # ln -s /run/current-system/sw/bin/tail /usr/bin/tail
# ln -s /run/current-system/sw/bin/pppd /usr/sbin/pppd
src = fetchurl { src = fetchurl {
# archive.org mirror: # archive.org mirror:
@ -62,7 +63,7 @@ stdenv.mkDerivation rec {
cp -r 64bit/. "$out/opt/fortinet" cp -r 64bit/. "$out/opt/fortinet"
wrapProgram $out/opt/fortinet/forticlientsslvpn \ wrapProgram $out/opt/fortinet/forticlientsslvpn \
--set LD_PRELOAD "${libredirect}/lib/libredirect.so" \ --set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
--set NIX_REDIRECTS /usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/ppp=${ppp}/bin/ppp --set NIX_REDIRECTS /usr/bin/tail=${coreutils}/bin/tail:/usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/pppd=${ppp}/bin/pppd
mkdir -p "$out/bin/" mkdir -p "$out/bin/"


@ -226,7 +226,7 @@ in {
{ {
users.users.tv = { users.users.tv = {
uid = genid "tv"; uid = genid "tv";
home = "/home/tv"; inherit (config.krebs.users.tv) home;
group = "users"; group = "users";
createHome = true; createHome = true;
useDefaultShell = true; useDefaultShell = true;

lass/2configs/audit.nix Normal file

@ -0,0 +1,9 @@
{ ... }:
{
security.audit = {
rules = [
"-a task,never"
];
};
}
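Review bot: `-a task,never` is the only rule in the new file and it stops audit record collection for every newly created task, not just the browser noise it is presumably meant to silence, so anything that relies on auditd for detection or forensics on the hosts importing this file is blind from boot; the same rule is added in makefu/1systems' default.nix further down in this commit, where the comment spells out the chrome motivation. This file has no comment at all; add `# Disables kernel audit for all new processes (workaround for chrome audit spam) — auditd is effectively off on hosts importing this` so the trade-off is visible at every import site. If only the chrome messages are unwanted, a narrower rule keyed on the offending executable or syscall would keep the rest of the audit trail intact.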


@ -86,17 +86,17 @@ in {
["make \ ["make \
test \ test \
ssh=${sshWrapper} \ ssh=${sshWrapper} \
target=build@localhost:${config.users.users.build.home}/testbuild \ target=build@localhost${config.users.users.build.home}/testbuild \
method=build \ method=build \
system={}".format(i)]) system={}".format(i)])
for i in [ "pornocauster", "wry" ]: for i in [ "pornocauster", "wry", "vbob", "wbob", "shoney" ]:
addShell(f,name="build-{}".format(i),env=env_makefu, addShell(f,name="build-{}".format(i),env=env_makefu,
command=nixshell + \ command=nixshell + \
["make \ ["make \
test \ test \
ssh=${sshWrapper} \ ssh=${sshWrapper} \
target=build@localhost:${config.users.users.build.home}/testbuild \ target=build@localhost${config.users.users.build.home}/testbuild \
method=build \ method=build \
system={}".format(i)]) system={}".format(i)])
@ -147,7 +147,7 @@ in {
password = "lasspass"; password = "lasspass";
packages = with pkgs; [ gnumake jq nix populate ]; packages = with pkgs; [ gnumake jq nix populate ];
extraEnviron = { extraEnviron = {
NIX_PATH="nixpkgs=/var/src/nixpkgs"; NIX_PATH="/var/src";
}; };
}; };
config.krebs.iptables = { config.krebs.iptables = {


@ -3,13 +3,14 @@
with config.krebs.lib; with config.krebs.lib;
{ {
imports = [ imports = [
../2configs/vim.nix ../2configs/audit.nix
../2configs/zsh.nix
../2configs/mc.nix
../2configs/retiolum.nix
../2configs/nixpkgs.nix
../2configs/binary-cache/client.nix ../2configs/binary-cache/client.nix
../2configs/gc.nix ../2configs/gc.nix
../2configs/mc.nix
../2configs/nixpkgs.nix
../2configs/retiolum.nix
../2configs/vim.nix
../2configs/zsh.nix
./backups.nix ./backups.nix
{ {
users.extraUsers = users.extraUsers =


@ -5,9 +5,6 @@ with config.krebs.lib;
let let
rpc-password = import <secrets/transmission-pw>; rpc-password = import <secrets/transmission-pw>;
in { in {
imports = [
../3modules/folderPerms.nix
];
users.extraUsers = { users.extraUsers = {
download = { download = {
@ -64,15 +61,4 @@ in {
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; } { predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
]; ];
}; };
lass.folderPerms = {
enable = true;
permissions = [
{
path = "/var/download";
permission = "775";
owner = "transmission:download";
}
];
};
} }


@ -27,7 +27,6 @@ with config.krebs.lib;
{ from = "lass@aidsballs.de"; to = lass.mail; } { from = "lass@aidsballs.de"; to = lass.mail; }
{ from = "wordpress@ubikmedia.de"; to = lass.mail; } { from = "wordpress@ubikmedia.de"; to = lass.mail; }
{ from = "finanzamt@lassul.us"; to = lass.mail; } { from = "finanzamt@lassul.us"; to = lass.mail; }
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
{ from = "netzclub@lassul.us"; to = lass.mail; } { from = "netzclub@lassul.us"; to = lass.mail; }
{ from = "nebenan@lassul.us"; to = lass.mail; } { from = "nebenan@lassul.us"; to = lass.mail; }
]; ];


@ -1,8 +1,8 @@
{ ... }: { ... }:
{ {
krebs.build.source.nixpkgs = { krebs.build.source.nixpkgs.git = {
url = https://github.com/lassulus/nixpkgs; url = https://github.com/lassulus/nixpkgs;
rev = "446d4c1fc10f53cf97abea1996d067ad93de2ded"; ref = "c6ca9c8c8b7eb8f8e68868e36fb90e162adf080f";
}; };
} }


@ -91,12 +91,11 @@ in {
(sync-remote "repo-sync" "https://github.com/makefu/repo-sync") (sync-remote "repo-sync" "https://github.com/makefu/repo-sync")
(sync-remote "skytraq-datalogger" "https://github.com/makefu/skytraq-datalogger") (sync-remote "skytraq-datalogger" "https://github.com/makefu/skytraq-datalogger")
(sync-remote "xintmap" "https://github.com/4z3/xintmap") (sync-remote "xintmap" "https://github.com/4z3/xintmap")
(sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
(sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs") (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
(sync-retiolum "go") (sync-retiolum "go")
(sync-retiolum "much") (sync-retiolum "much")
(sync-retiolum "newsbot-js") (sync-retiolum "newsbot-js")
(sync-retiolum "painload")
(sync-retiolum "realwallpaper")
(sync-retiolum "stockholm") (sync-retiolum "stockholm")
(sync-retiolum "wai-middleware-time") (sync-retiolum "wai-middleware-time")
(sync-retiolum "web-routes-wai-custom") (sync-retiolum "web-routes-wai-custom")


@ -12,7 +12,7 @@
}; };
}; };
krebs.retiolum = { krebs.tinc.retiolum = {
enable = true; enable = true;
connectTo = [ connectTo = [
"prism" "prism"


@ -110,14 +110,6 @@ in {
}; };
}; };
users.users.domsen = {
uid = genid "domsen";
description = "maintenance acc for domsen";
home = "/home/domsen";
useDefaultShell = true;
extraGroups = [ "nginx" ];
createHome = true;
};
#services.phpfpm.phpOptions = '' #services.phpfpm.phpOptions = ''
# extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so # extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
@ -133,5 +125,40 @@ in {
cat ${pkgs.php}/etc/php-recommended.ini > $out cat ${pkgs.php}/etc/php-recommended.ini > $out
echo "$options" >> $out echo "$options" >> $out
''; '';
# MAIL STUFF
# TODO: make into its own module
services.dovecot2 = {
enable = true;
mailLocation = "maildir:~/Mail";
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
];
krebs.exim-smarthost = {
internet-aliases = [
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
];
system-aliases = [
];
};
users.users.domsen = {
uid = genid "domsen";
description = "maintenance acc for domsen";
home = "/home/domsen";
useDefaultShell = true;
extraGroups = [ "nginx" ];
createHome = true;
};
users.users.jla-trading = {
uid = genid "jla-trading";
home = "/home/jla-trading";
useDefaultShell = true;
createHome = true;
};
} }
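Review bot: The new `services.dovecot2` block enables the server with only `mailLocation` set, and the added iptables rules accept `pop3` and `imap` — the cleartext ports — on INPUT, while no `sslServerCert`/`sslServerKey` or TLS-only setting appears anywhere in the hunk; unless dovecot's default refusal of plaintext authentication on unencrypted connections is still in effect, the system passwords of the `domsen` and `jla-trading` accounts created below would be accepted over the wire in the clear. Either provision a certificate and open `imaps`/`pop3s` instead, or add a comment next to the rules stating that the cleartext ports are intentional and that plaintext auth is refused by dovecot. The `# TODO: make into its own module` note should then name which of these the future module is expected to own.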


@ -7,6 +7,7 @@ let
head head
; ;
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;}) inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
manageCerts
ssl ssl
servePage servePage
serveWordpress serveWordpress
@ -48,6 +49,9 @@ in {
(ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ]) (ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
(servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ]) (servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
(manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ])
(serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
]; ];
lass.mysqlBackup.config.all.databases = [ lass.mysqlBackup.config.all.databases = [
@ -74,6 +78,16 @@ in {
config.krebs.users.fritz.pubkey config.krebs.users.fritz.pubkey
]; ];
users.users.goldbarrendiebstahl = {
home = "/srv/http/goldbarrendiebstahl.radical-dreamers.de";
uid = genid "goldbarrendiebstahl";
createHome = true;
useDefaultShell = true;
openssh.authorizedKeys.keys = [
config.krebs.users.fritz.pubkey
];
};
services.phpfpm.phpIni = pkgs.runCommand "php.ini" { services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
options = '' options = ''
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so


@ -17,6 +17,7 @@ in {
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/virtualization.nix ../2configs/virtualization.nix
../2configs/tinc/retiolum.nix
../2configs/temp-share-samba.nix ../2configs/temp-share-samba.nix
]; ];
services.samba.shares = { services.samba.shares = {
@ -39,7 +40,6 @@ in {
}; };
#networking.firewall.enable = false; #networking.firewall.enable = false;
krebs.retiolum.enable = true;
boot.kernelModules = [ "coretemp" "f71882fg" ]; boot.kernelModules = [ "coretemp" "f71882fg" ];
hardware.enableAllFirmware = true; hardware.enableAllFirmware = true;


@ -22,8 +22,8 @@ in {
../. ../.
../2configs/fs/single-partition-ext4.nix ../2configs/fs/single-partition-ext4.nix
../2configs/smart-monitor.nix ../2configs/smart-monitor.nix
../2configs/tinc/retiolum.nix
]; ];
krebs.retiolum.enable = true;
krebs.build.host = config.krebs.hosts.filepimp; krebs.build.host = config.krebs.hosts.filepimp;
# AMD N54L # AMD N54L
boot = { boot = {


@ -19,6 +19,7 @@ in {
../2configs/deployment/mycube.connector.one.nix ../2configs/deployment/mycube.connector.one.nix
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/tinc/retiolum.nix
../2configs/urlwatch.nix ../2configs/urlwatch.nix
]; ];
@ -27,8 +28,7 @@ in {
###### stable ###### stable
krebs.build.host = config.krebs.hosts.gum; krebs.build.host = config.krebs.hosts.gum;
krebs.retiolum = { krebs.tinc.retiolum = {
enable = true;
extraConfig = '' extraConfig = ''
ListenAddress = ${external-ip} 53 ListenAddress = ${external-ip} 53
ListenAddress = ${external-ip} 655 ListenAddress = ${external-ip} 655


@ -47,12 +47,12 @@ in {
#../2configs/graphite-standalone.nix #../2configs/graphite-standalone.nix
#../2configs/share-user-sftp.nix #../2configs/share-user-sftp.nix
../2configs/omo-share.nix ../2configs/omo-share.nix
../2configs/tinc/retiolum.nix
## as long as pyload is not in nixpkgs: ## as long as pyload is not in nixpkgs:
# docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload # docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
]; ];
krebs.retiolum.enable = true;
networking.firewall.trustedInterfaces = [ primaryInterface ]; networking.firewall.trustedInterfaces = [ primaryInterface ];
# udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
# tcp:80 - nginx for sharing files # tcp:80 - nginx for sharing files


@ -15,11 +15,12 @@
<nixpkgs/nixos/modules/profiles/qemu-guest.nix> <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/fs/vm-single-partition.nix ../2configs/fs/vm-single-partition.nix
../2configs/tinc/retiolum.nix
# config.system.build.vm # config.system.build.vm
<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix> (toString <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>)
]; ];
krebs.retiolum.enable = true;
virtualisation.graphics = false; virtualisation.graphics = false;
# also export secrets, see Usage above # also export secrets, see Usage above
fileSystems = pkgs.lib.mkVMOverride { fileSystems = pkgs.lib.mkVMOverride {


@ -38,8 +38,9 @@
#../2configs/wordpress.nix #../2configs/wordpress.nix
../2configs/nginx/public_html.nix ../2configs/nginx/public_html.nix
../2configs/tinc/retiolum.nix
# temporary modules # temporary modules
# ../2configs/temp/share-samba.nix ../2configs/temp/share-samba.nix
# ../2configs/temp/elkstack.nix # ../2configs/temp/elkstack.nix
# ../2configs/temp/sabnzbd.nix # ../2configs/temp/sabnzbd.nix
]; ];
@ -69,10 +70,9 @@
krebs.build.host = config.krebs.hosts.pornocauster; krebs.build.host = config.krebs.hosts.pornocauster;
krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11"; krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
krebs.retiolum = {
enable = true; krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ];
connectTo = [ "omo" "gum" "prism" ];
};
networking.extraHosts = '' networking.extraHosts = ''
192.168.1.11 omo.local 192.168.1.11 omo.local
''; '';


@ -10,6 +10,7 @@
../. ../.
<nixpkgs/nixos/modules/profiles/qemu-guest.nix> <nixpkgs/nixos/modules/profiles/qemu-guest.nix>
../2configs/git/cgit-retiolum.nix ../2configs/git/cgit-retiolum.nix
../2configs/tinc/retiolum.nix
]; ];
krebs.build.host = config.krebs.hosts.repunit; krebs.build.host = config.krebs.hosts.repunit;
@ -31,14 +32,6 @@
{ device = "/dev/disk/by-label/nixos"; { device = "/dev/disk/by-label/nixos";
fsType = "ext4"; fsType = "ext4";
}; };
krebs.retiolum = {
enable = true;
connectTo = [
"gum"
"pigstarter"
"fastpoke"
];
};
# $ nix-env -qaP | grep wget # $ nix-env -qaP | grep wget
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
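Review bot: The removed `krebs.retiolum.connectTo = [ "gum" "pigstarter" "fastpoke" ]` has no counterpart after the switch to `../2configs/tinc/retiolum.nix`, which (as added later in this commit) only sets `krebs.tinc.retiolum.enable = true`, so repunit initiates no tinc connections unless `connectTo` has a non-empty default elsewhere; vbob loses its `connectTo = [ "omo" "gum" ]` the same way, whereas pornocauster keeps its list as `krebs.tinc.retiolum.connectTo`. If the default is empty, both hosts become reachable only through inbound connections, which may be intended for a server but is a behavior change worth stating; a one-line `krebs.tinc.retiolum.connectTo = [ ... ];` restoring the previous peers, or a `# inbound connections only` comment, would settle it either way.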


@ -13,15 +13,12 @@ in {
../2configs/save-diskspace.nix ../2configs/save-diskspace.nix
../2configs/hw/CAC.nix ../2configs/hw/CAC.nix
../2configs/fs/CAC-CentOS-7-64bit.nix ../2configs/fs/CAC-CentOS-7-64bit.nix
../2configs/tinc/retiolum.nix
]; ];
environment.systemPackages = [ pkgs.honeyd ];
services.tinc.networks.siem.name = "sjump";
krebs = { krebs = {
enable = true; enable = true;
retiolum.enable = true;
build.host = config.krebs.hosts.shoney; build.host = config.krebs.hosts.shoney;
nginx.enable = true; nginx.enable = true;
tinc_graphs = { tinc_graphs = {


@ -17,9 +17,9 @@
../2configs/zsh-user.nix ../2configs/zsh-user.nix
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/tinc/retiolum.nix
]; ];
# not working in vm # not working in vm
krebs.retiolum.enable = true;
krebs.build.host = config.krebs.hosts.tsp; krebs.build.host = config.krebs.hosts.tsp;
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [


@ -8,9 +8,10 @@
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>) (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>) (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
../2configs/main-laptop.nix #< base-gui ../2configs/main-laptop.nix #< base-gui
# (toString <secrets>)/extra-hosts.nix # <secrets/extra-hosts.nix>
# environment # environment
../2configs/tinc/retiolum.nix
]; ];
# workaround for https://github.com/NixOS/nixpkgs/issues/16641 # workaround for https://github.com/NixOS/nixpkgs/issues/16641
@ -28,8 +29,15 @@
openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ]; openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ];
}; };
}; };
environment.shellAliases = {
forti = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn";
};
# TODO: for forticleintsslpn
# ln -s /r/current-system/sw/bin/pppd /usr/sbin/pppd
# ln -s /r/current-system/sw/bin/tail /usr/bin/tail
environment.systemPackages = with pkgs;[ environment.systemPackages = with pkgs;[
fortclientsslvpn fortclientsslvpn ppp xclip
get get
logstash logstash
docker docker
@ -45,13 +53,6 @@
8010 8010
]; ];
krebs.retiolum = {
enable = true;
connectTo = [
"omo"
"gum"
];
};
virtualisation.docker.enable = false; virtualisation.docker.enable = false;
fileSystems."/media/share" = { fileSystems."/media/share" = {
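Review bot: The new `forti` alias reads `~/vpn/pw.txt` and pushes it into the X selection through `xclip`, so the VPN password lives in a plaintext file and, after every use, in a selection that any client on the same display can read until it is overwritten. If the alias is to stay in the system configuration, record the expectations next to it — `# pw.txt must be mode 0600; the X selection stays readable by every client until replaced` — and consider clearing the selection once `forticlientsslvpn` exits rather than leaving the credential resident. The adjacent TODO about `pppd`/`tail` symlinks looks superseded by the `NIX_REDIRECTS` change to the forticlientsslvpn package earlier in this commit and could be dropped to avoid steering someone toward the manual `ln -s` into `/usr`.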


@ -1,5 +1,7 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115";
in {
makefu.awesome = { makefu.awesome = {
modkey = "Mod1"; modkey = "Mod1";
#TODO: integrate kiosk config into full config by templating the autostart #TODO: integrate kiosk config into full config by templating the autostart
@ -9,19 +11,19 @@
[ # Include the results of the hardware scan. [ # Include the results of the hardware scan.
../. ../.
../2configs/main-laptop.nix ../2configs/main-laptop.nix
../2configs/virtualization.nix
../2configs/tinc/retiolum.nix
]; ];
krebs = { krebs = {
enable = true; enable = true;
retiolum.enable = true;
build.host = config.krebs.hosts.wbob; build.host = config.krebs.hosts.wbob;
}; };
networking.firewall.allowedUDPPorts = [ 1655 ]; networking.firewall.allowedUDPPorts = [ 1655 ];
networking.firewall.allowedTCPPorts = [ 1655 ]; networking.firewall.allowedTCPPorts = [ 1655 49152 ];
services.tinc.networks.siem = { services.tinc.networks.siem = {
name = "display"; name = "display";
extraConfig = '' extraConfig = ''
ConnectTo = sjump ConnectTo = sjump
Port = 1655
''; '';
}; };
@ -35,12 +37,12 @@
# nuc hardware # nuc hardware
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = rootdisk;
hardware.cpu.intel.updateMicrocode = true; hardware.cpu.intel.updateMicrocode = true;
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
fileSystems."/" = { fileSystems."/" = {
device = "/dev/sda1"; device = rootdisk + "-part1";
fsType = "ext4"; fsType = "ext4";
}; };


@ -25,8 +25,9 @@ in {
# collectd # collectd
../2configs/collectd/collectd-base.nix ../2configs/collectd/collectd-base.nix
../2configs/tinc/retiolum.nix
]; ];
krebs.retiolum.enable = true;
krebs.build.host = config.krebs.hosts.wry; krebs.build.host = config.krebs.hosts.wry;


@ -15,6 +15,9 @@ let
sec = toString <secrets>; sec = toString <secrets>;
# secKey is nothing worth protecting on a local machine # secKey is nothing worth protecting on a local machine
secKey = import <secrets/bepasty-secret.nix>; secKey = import <secrets/bepasty-secret.nix>;
acmepath = "/var/lib/acme/";
acmechall = acmepath + "/challenges/";
ext-dom = "paste.krebsco.de" ;
in { in {
krebs.nginx.enable = mkDefault true; krebs.nginx.enable = mkDefault true;
@ -25,7 +28,7 @@ in {
servers = { servers = {
internal = { internal = {
nginx = { nginx = {
server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ]; server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
}; };
defaultPermissions = "admin,list,create,read,delete"; defaultPermissions = "admin,list,create,read,delete";
secretKey = secKey; secretKey = secKey;
@ -33,17 +36,25 @@ in {
external = { external = {
nginx = { nginx = {
server-names = [ "paste.krebsco.de" ]; server-names = [ ext-dom ];
ssl = {
enable = true;
certificate = "${acmepath}/${ext-dom}/fullchain.pem";
certificate_key = "${acmepath}/${ext-dom}/key.pem";
# these certs will be needed if acme has not yet created certificates:
#certificate = "${sec}/wildcard.krebsco.de.crt";
#certificate_key = "${sec}/wildcard.krebsco.de.key";
ciphers = "RC4:HIGH:!aNULL:!MD5" ;
};
locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
root ${acmechall}/${ext-dom}/;
'');
extraConfig = '' extraConfig = ''
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m; ssl_session_timeout 10m;
ssl_certificate ${sec}/wildcard.krebsco.de.crt;
ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
ssl_verify_client off; ssl_verify_client off;
proxy_ssl_session_reuse off; proxy_ssl_session_reuse off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($scheme = http){ if ($scheme = http){
return 301 https://$server_name$request_uri; return 301 https://$server_name$request_uri;
}''; }'';
@ -53,4 +64,12 @@ in {
}; };
}; };
}; };
security.acme.certs."${ext-dom}" = {
email = "acme@syntax-fehler.de";
webroot = "${acmechall}/${ext-dom}/";
group = "nginx";
allowKeysForGroup = true;
postRun = "systemctl reload nginx.service";
extraDomains."${ext-dom}" = null ;
};
} }
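Review bot: The new `ssl.ciphers = "RC4:HIGH:!aNULL:!MD5"` keeps RC4 at the head of the preference list; RC4 is prohibited for TLS by RFC 7465, and moving the string out of `extraConfig` into the structured `ssl` option was the natural moment to drop it, e.g. `ciphers = "HIGH:!aNULL:!MD5:!RC4";`. The explicit `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and `ssl_prefer_server_ciphers on;` lines leave `extraConfig` in the same hunk, so whether they are still emitted now depends on what `krebs.nginx`'s `ssl` option generates — worth confirming, because without `ssl_prefer_server_ciphers` the cipher string is only advisory to the client. The commented-out wildcard certificate fallback says it is for the pre-ACME bootstrap; a short note on who flips it back after the first issuance would keep that from becoming a permanent manual step.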


@ -17,7 +17,6 @@ with config.krebs.lib;
krebs = { krebs = {
enable = true; enable = true;
dns.providers.siem = "hosts";
dns.providers.lan = "hosts"; dns.providers.lan = "hosts";
search-domain = "retiolum"; search-domain = "retiolum";
build = { build = {
@ -25,7 +24,7 @@ with config.krebs.lib;
source = let inherit (config.krebs.build) host user; in { source = let inherit (config.krebs.build) host user; in {
nixpkgs.git = { nixpkgs.git = {
url = https://github.com/nixos/nixpkgs; url = https://github.com/nixos/nixpkgs;
ref = "0546a4a"; # stable @ 2016-06-11 ref = "125ffff"; # stable @ 2016-07-20
}; };
secrets.file = secrets.file =
if getEnv "dummy_secrets" == "true" if getEnv "dummy_secrets" == "true"
@ -67,7 +66,7 @@ with config.krebs.lib;
startAgent = false; startAgent = false;
}; };
services.openssh.enable = true; services.openssh.enable = true;
nix.useChroot = true; nix.useSandbox = true;
users.mutableUsers = false; users.mutableUsers = false;
@ -171,4 +170,10 @@ with config.krebs.lib;
consoleKeyMap = "us"; consoleKeyMap = "us";
defaultLocale = "en_US.UTF-8"; defaultLocale = "en_US.UTF-8";
}; };
# suppress chrome autit event messages
security.audit = {
rules = [
"-a task,never"
];
};
} }


@ -8,10 +8,9 @@ with config.krebs.lib;
kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ]; kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ]; extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
}; };
hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
services.xserver = { services.xserver = {
videoDriver = "intel"; videoDriver = "intel";
vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
deviceSection = '' deviceSection = ''
Option "AccelMethod" "sna" Option "AccelMethod" "sna"
''; '';


@ -0,0 +1,36 @@
{config, ... }:{
users.users.smbguest = {
name = "smbguest";
uid = config.ids.uids.smbguest;
description = "smb guest user";
home = "/var/empty";
};
networking.firewall.allowedTCPPorts = [
139 445 # samba
];
networking.firewall.allowedUDPPorts = [
137 138
];
services.samba = {
enable = true;
shares = {
share-home = {
path = "/home/share/";
"read only" = "no";
browseable = "yes";
"guest ok" = "yes";
};
};
extraConfig = ''
guest account = smbguest
map to guest = bad user
# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
'';
};
}
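Review bot: The `share-home` share is anonymous-writable (`guest ok = yes`, `read only = no`, `map to guest = bad user`) and the firewall opens 139/445 on every interface, so any peer on any attached network can write to /home/share. If this is meant for the local LAN only, bind samba to that interface and restrict clients in extraConfig, e.g. `interfaces = <lan-interface>`, `bind interfaces only = yes`, `hosts allow = <lan-subnet>`; `server min protocol = SMB2` would additionally drop SMB1. A comment on the share stating that anonymous write access is intended would help the next reader.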


@ -0,0 +1,4 @@
_:
{
krebs.tinc.retiolum.enable = true;
}


@ -2,20 +2,22 @@
let let
mainUser = config.krebs.build.user; mainUser = config.krebs.build.user;
vboxguestpkg = lib.stdenv.mkDerivation rec {
name = "Virtualbox-Extensions-${version}-${rev}";
version = "5.0.20"; version = "5.0.20";
rev = "106931"; rev = "106931";
vboxguestpkg = pkgs.fetchurl { src = pkgs.fetchurl {
url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack"; url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack";
sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf"; sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf";
}; };
};
in { in {
#inherit vboxguestpkg;
virtualisation.virtualbox.host.enable = true; virtualisation.virtualbox.host.enable = true;
nixpkgs.config.virtualbox.enableExtensionPack = true; nixpkgs.config.virtualbox.enableExtensionPack = true;
users.extraGroups.vboxusers.members = [ "${mainUser.name}" ]; users.extraGroups.vboxusers.members = [ "${mainUser.name}" ];
nixpkgs.config.packageOverrides = super: { nixpkgs.config.packageOverrides = super: {
boot.kernelPackages = super.boot.kernelPackages.virtualbox.override { boot.kernelPackages.virtualbox = super.boot.kernelPackages.virtualbox.override {
buildInputs = super.boot.kernelPackages.virtualBox.buildInputs buildInputs = super.boot.kernelPackages.virtualBox.buildInputs
++ [ vboxguestpkg ]; ++ [ vboxguestpkg ];
}; };
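Review bot: `lib.stdenv.mkDerivation` in the new let binding looks wrong: `lib` here is the nixpkgs library set, which to my knowledge has no `stdenv` attribute, so this should fail at evaluation; `pkgs.stdenv.mkDerivation` is the usual form. The derivation also defines no build or install phase for the .vbox-extpack archive, so what ends up in `$out` is unclear — a comment stating what the package is expected to contain (or an explicit `installPhase`) would help. The fetch is hash-pinned, so the plain-http URL is an availability rather than an integrity concern, but as far as I know the same host serves it over https. The enclosing attribute set closes outside the hunk.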


@ -22,15 +22,11 @@ in
bindkey "\e[3~" delete-char bindkey "\e[3~" delete-char
zstyle ':completion:*' menu select zstyle ':completion:*' menu select
# load gpg-agent gpg-connect-agent updatestartuptty /bye >/dev/null
envfile="$HOME/.gnupg/gpg-agent.env" GPG_TTY=$(tty)
if [ -e "$envfile" ] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then export GPG_TTY
eval "$(cat "$envfile")" unset SSH_AGENT_PID
else export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
eval "$(${pkgs.gnupg}/bin/gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
fi
export GPG_AGENT_INFO
export SSH_AUTH_SOCK
''; '';
promptInit = '' promptInit = ''
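Review bot: In the new zsh init, `gpg-connect-agent updatestartuptty /bye` runs before `GPG_TTY=$(tty)` and `export GPG_TTY`, but the agent takes the tty from GPG_TTY in the caller's environment, so the pinentry tty is updated from an unset or stale value; move the `gpg-connect-agent` line after `export GPG_TTY`. The socket path `/run/user/$UID/gnupg/S.gpg-agent.ssh` presumably assumes a gnupg version that places its sockets under the user runtime directory — worth a comment naming that assumption, since older setups keep them under `~/.gnupg`. A short comment that this replaces the old env-file based agent startup and that ssh support now comes from gpg-agent would also help. The enclosing shell-init string begins outside the hunk.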


@ -19,7 +19,6 @@ in
skytraq-logger = callPackage ./skytraq-logger {}; skytraq-logger = callPackage ./skytraq-logger {};
taskserver = callPackage ./taskserver {}; taskserver = callPackage ./taskserver {};
ps3netsrv = callPackage ./ps3netsrv {}; ps3netsrv = callPackage ./ps3netsrv {};
honeyd = callPackage ./honeyd {};
farpd = callPackage ./farpd {}; farpd = callPackage ./farpd {};
}; };
} }


@ -8,7 +8,7 @@ let
url = "https://pypi.python.org/packages/source/e/execnet/${name}.tar.gz"; url = "https://pypi.python.org/packages/source/e/execnet/${name}.tar.gz";
sha256 = "1rpk1vyclhg911p3hql0m0nrpq7q7mysxnaaw6vs29cpa6kx8vgn"; sha256 = "1rpk1vyclhg911p3hql0m0nrpq7q7mysxnaaw6vs29cpa6kx8vgn";
}; };
doCheck = false; # http://prism:8010/builders/build-all/builds/177/steps/build-vbob/logs/stdio
propagatedBuildInputs = with pkgs.python3Packages; propagatedBuildInputs = with pkgs.python3Packages;
[ setuptools_scm apipkg ]; [ setuptools_scm apipkg ];
meta = { meta = {
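Review bot: `doCheck = false;` disables the whole test suite with only an internal buildbot URL as justification; that URL is not reachable outside its network and will rot, so the comment should record the actual failure, e.g. `# tests disabled: <failing test / reason> (seen in buildbot build-all #177, step build-vbob)`. If only some tests fail, a `checkPhase` that excludes them keeps the rest of the coverage. The enclosing derivation starts outside the hunk.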


@ -1,62 +0,0 @@
{ stdenv, lib, pkgs, fetchurl,fetchFromGitHub,
libpcap, libdnet, libevent, readline, autoconf, automake, libtool, zlib, pcre,
... }:
stdenv.mkDerivation rec {
name = "honeyd-${version}";
#version = "1.5c"; #original, does not compile due to libc errors
#src = fetchurl {
# url = "http://www.honeyd.org/uploads/honeyd-${version}.tar.gz";
# sha256 = "0vcih16fk5pir5ssfil8x79nvi62faw0xvk8s5klnysv111db1ii";
#};
#version = "64d087c"; # honeyd-1.6.7
# sha256 = "0zhnn13r24y1q494xcfx64vyp84zqk8qmsl41fq2674230bn0p31";
version = "c135fea08"; #nova-13.09
src = fetchFromGitHub {
owner = "DataSoft";
repo = "honeyd";
rev = version;
sha256 = "1r9qds7a1yp3nkccwh3isrizpr2njhpf1m6qp3lqkj0i9c4w6x44";
};
buildInputs = with pkgs;[
automake
gnugrep
libpcap
libdnet
pcre
libevent
readline
autoconf
libtool
zlib
coreutils
python
pythonPackages.sqlite3
];
patches = [ ./fix-autogen.patch ];
# removes user install script from Makefile before automake
preConfigure = ''
sed -i '/init.py$/d' Makefile.am
sh ./autogen.sh
'';
makeFlags = [ "LIBS=-lz" ];
configureFlags = [
"--with-libpcap=${libpcap}"
"--with-libevent=${libevent}"
"--with-zlib=${zlib}"
"--with-python"
"--with-libpcre=${pcre}"
"--with-libreadline=${readline}"
];
meta = {
homepage = http://www.honeyd.org/;
description = "virtual Honeypots";
license = lib.licenses.gpl2;
};
}


@ -1,42 +0,0 @@
--- ./configure.in 2016-06-27 18:36:06.640779048 +0200
+++ ./configure.in 2016-06-27 18:34:53.968803854 +0200
@@ -119,11 +119,11 @@
;;
*)
AC_MSG_RESULT($withval)
- if test -f $withval/pcap.h -a -f $withval/libpcap.a; then
+ if test -f $withval/include/pcap.h -a -f $withval/lib/libpcap.so; then
owd=`pwd`
if cd $withval; then withval=`pwd`; cd $owd; fi
- PCAPINC="-I$withval -I$withval/bpf"
- PCAPLIB="-L$withval -lpcap"
+ PCAPINC="-I$withval/include -I$withval/include/bpf"
+ PCAPLIB="-L$withval/lib -lpcap"
else
AC_ERROR(pcap.h or libpcap.a not found in $withval)
fi
@@ -230,7 +230,7 @@
if cd $withval; then withval=`pwd`; cd $owd; fi
EVENTINC="-I$withval"
EVENTLIB="-L$withval -levent"
- elif test -f $withval/include/event.h -a -f $withval/lib/libevent.a; then
+ elif test -f $withval/include/event.h -a -f $withval/lib/libevent.so; then
owd=`pwd`
if cd $withval; then withval=`pwd`; cd $owd; fi
EVENTINC="-I$withval/include"
@@ -354,12 +354,12 @@
;;
*)
AC_MSG_RESULT($withval)
- if test -f $withval/readline/readline.h -a -f $withval/libreadline.a; then
+ if test -f $withval/include/readline/readline.h -o -f $withval/lib/libreadline.so; then
owd=`pwd`
if cd $withval; then withval=`pwd`; cd $owd; fi
AC_DEFINE(HAVE_LIBREADLINE, 1, [Define if you have libreadline])
- EDITINC="-I$withval"
- EDITLIB="-L$withval -lreadline"
+ EDITINC="-I$withval/include"
+ EDITLIB="-L$withval/lib -lreadline"
else
AC_ERROR(readline/readline.h or libreadline.a not found in $withval)
fi


@ -38,7 +38,7 @@ in {
}; };
nginx.enable = true; nginx.enable = true;
realwallpaper.enable = true; realwallpaper.enable = true;
retiolum.enable = true; tinc.retiolum.enable = true;
retiolum-bootstrap.enable = true; retiolum-bootstrap.enable = true;
tinc_graphs.enable = true; tinc_graphs.enable = true;
urlwatch.enable = true; urlwatch.enable = true;


@ -15,14 +15,14 @@ in
../2configs/shared-buildbot.nix ../2configs/shared-buildbot.nix
../2configs/cgit-mirror.nix ../2configs/cgit-mirror.nix
../2configs/repo-sync.nix ../2configs/repo-sync.nix
# ../2configs/graphite.nix ../2configs/graphite.nix
]; ];
# use your own binary cache, fallback use cache.nixos.org (which is used by # use your own binary cache, fallback use cache.nixos.org (which is used by
# apt-cacher-ng in first place) # apt-cacher-ng in first place)
# local discovery in shackspace # local discovery in shackspace
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
krebs.retiolum.extraConfig = "TCPOnly = yes"; krebs.tinc.retiolum.extraConfig = "TCPOnly = yes";
services.grafana = { services.grafana = {
enable = true; enable = true;
addr = "0.0.0.0"; addr = "0.0.0.0";


@ -3,7 +3,7 @@
with config.krebs.lib; with config.krebs.lib;
{ {
krebs.enable = true; krebs.enable = true;
krebs.retiolum.enable = true; krebs.tinc.retiolum.enable = true;
# TODO rename shared user to "krebs" # TODO rename shared user to "krebs"
krebs.build.user = mkDefault config.krebs.users.shared; krebs.build.user = mkDefault config.krebs.users.shared;


@ -17,7 +17,7 @@ with lib;
mirror.url = mirror; mirror.url = mirror;
}; };
lassulus = { lassulus = {
origin.url = http://cgit.cloudkrebs/stockholm ; origin.url = http://cgit.prism/stockholm ;
mirror.url = mirror; mirror.url = mirror;
}; };
"@latest" = { "@latest" = {


@ -3,7 +3,7 @@
with config.krebs.lib; with config.krebs.lib;
{ {
krebs.retiolum = { krebs.tinc.retiolum = {
enable = true; enable = true;
connectTo = filter (ne config.krebs.build.host.name) [ connectTo = filter (ne config.krebs.build.host.name) [
"gum" "gum"