Merge remote-tracking branch 'prism/master'
commit
45c62ec4d3
@ -37,7 +37,7 @@ let
|
|||||||
config =
|
config =
|
||||||
# This configuration makes only sense for retiolum-enabled hosts.
|
# This configuration makes only sense for retiolum-enabled hosts.
|
||||||
# TODO modular configuration
|
# TODO modular configuration
|
||||||
assert config.krebs.retiolum.enable;
|
assert config.krebs.tinc.retiolum.enable;
|
||||||
''
|
''
|
||||||
keep_environment =
|
keep_environment =
|
||||||
|
|
||||||
|
@ -259,8 +259,13 @@ with config.krebs.lib;
|
|||||||
};
|
};
|
||||||
filepimp = rec {
|
filepimp = rec {
|
||||||
cores = 1;
|
cores = 1;
|
||||||
|
|
||||||
nets = {
|
nets = {
|
||||||
|
lan = {
|
||||||
|
ip4.addr = "192.168.1.12";
|
||||||
|
aliases = [
|
||||||
|
"filepimp.lan"
|
||||||
|
];
|
||||||
|
};
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.153.102";
|
ip4.addr = "10.243.153.102";
|
||||||
ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0";
|
ip6.addr = "42:4b0b:d990:55ba:8da8:630f:dc0e:aae0";
|
||||||
@ -286,6 +291,12 @@ with config.krebs.lib;
|
|||||||
cores = 2;
|
cores = 2;
|
||||||
|
|
||||||
nets = {
|
nets = {
|
||||||
|
lan = {
|
||||||
|
ip4.addr = "192.168.1.11";
|
||||||
|
aliases = [
|
||||||
|
"omo.lan"
|
||||||
|
];
|
||||||
|
};
|
||||||
retiolum = {
|
retiolum = {
|
||||||
ip4.addr = "10.243.0.89";
|
ip4.addr = "10.243.0.89";
|
||||||
ip6.addr = "42:f9f0::10";
|
ip6.addr = "42:f9f0::10";
|
||||||
|
@ -27,12 +27,12 @@ let
|
|||||||
ssl_certificate_key = mkOption {
|
ssl_certificate_key = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = "Certificate key to use for ssl";
|
description = "Certificate key to use for ssl";
|
||||||
default = "/root/secrets/tinc.krebsco.de.key";
|
default = "${toString <secrets>}/tinc.krebsco.de.key";
|
||||||
};
|
};
|
||||||
ssl_certificate = mkOption {
|
ssl_certificate = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = "Certificate file to use for ssl";
|
description = "Certificate file to use for ssl";
|
||||||
default = "/root/secrets/tinc.krebsco.de.crt" ;
|
default = "${toString <secrets>}/tinc.krebsco.de.crt" ;
|
||||||
};
|
};
|
||||||
# in use:
|
# in use:
|
||||||
# <secrets/tinc.krebsco.de.crt>
|
# <secrets/tinc.krebsco.de.crt>
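Review bot: The new defaults `"${toString <secrets>}/tinc.krebsco.de.key"` deserve a one-line comment, because the `toString` is the security-relevant part: it keeps the default a plain string, so the private key is read from the secrets checkout at runtime instead of being copied into the world-readable /nix/store, which is what a bare `"${<secrets>}/..."` interpolation would do. The `# in use: <secrets/tinc.krebsco.de.crt>` comment directly below still shows the angle-bracket form, so a later "simplification" back to it is an easy mistake. I would add above `ssl_certificate_key`: `# toString keeps the key out of the Nix store; "${<secrets>}/…" would copy it world-readable`. The enclosing option set continues outside this hunk.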
|
||||||
|
@ -1,175 +1,185 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
with config.krebs.lib;
|
with config.krebs.lib;
|
||||||
let
|
let
|
||||||
cfg = config.krebs.retiolum;
|
|
||||||
|
|
||||||
out = {
|
out = {
|
||||||
options.krebs.retiolum = api;
|
options.krebs.tinc = api;
|
||||||
config = lib.mkIf cfg.enable imp;
|
config = imp;
|
||||||
};
|
};
|
||||||
|
|
||||||
api = {
|
api = mkOption {
|
||||||
enable = mkEnableOption "krebs.retiolum";
|
default = {};
|
||||||
|
description = ''
|
||||||
|
define a tinc network
|
||||||
|
'';
|
||||||
|
type = with types; attrsOf (submodule (tinc: {
|
||||||
|
options = {
|
||||||
|
|
||||||
host = mkOption {
|
enable = mkEnableOption "krebs.tinc.${tinc.config._module.args.name}" // { default = true; };
|
||||||
type = types.host;
|
|
||||||
default = config.krebs.build.host;
|
|
||||||
};
|
|
||||||
|
|
||||||
netname = mkOption {
|
host = mkOption {
|
||||||
type = types.enum (attrNames cfg.host.nets);
|
type = types.host;
|
||||||
default = "retiolum";
|
default = config.krebs.build.host;
|
||||||
description = ''
|
};
|
||||||
The tinc network name.
|
|
||||||
It is used to name the TUN device and to generate the default value for
|
|
||||||
<literal>config.krebs.retiolum.hosts</literal>.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
extraConfig = mkOption {
|
netname = mkOption {
|
||||||
type = types.str;
|
type = types.enum (attrNames tinc.config.host.nets);
|
||||||
default = "";
|
default = tinc.config._module.args.name;
|
||||||
description = ''
|
description = ''
|
||||||
Extra Configuration to be appended to tinc.conf
|
The tinc network name.
|
||||||
'';
|
It is used to name the TUN device and to generate the default value for
|
||||||
};
|
<literal>config.krebs.tinc.retiolum.hosts</literal>.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
tincPackage = mkOption {
|
extraConfig = mkOption {
|
||||||
type = types.package;
|
type = types.str;
|
||||||
default = pkgs.tinc;
|
default = "";
|
||||||
description = "Tincd package to use.";
|
description = ''
|
||||||
};
|
Extra Configuration to be appended to tinc.conf
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
hosts = mkOption {
|
tincPackage = mkOption {
|
||||||
type = with types; attrsOf host;
|
type = types.package;
|
||||||
default =
|
default = pkgs.tinc;
|
||||||
filterAttrs (_: h: hasAttr cfg.netname h.nets) config.krebs.hosts;
|
description = "Tincd package to use.";
|
||||||
description = ''
|
};
|
||||||
Hosts to generate <literal>config.krebs.retiolum.hostsPackage</literal>.
|
|
||||||
Note that these hosts must have a network named
|
|
||||||
<literal>config.krebs.retiolum.netname</literal>.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
hostsPackage = mkOption {
|
hosts = mkOption {
|
||||||
type = types.package;
|
type = with types; attrsOf host;
|
||||||
default = pkgs.stdenv.mkDerivation {
|
default =
|
||||||
name = "${cfg.netname}-tinc-hosts";
|
filterAttrs (_: h: hasAttr tinc.config.netname h.nets) config.krebs.hosts;
|
||||||
phases = [ "installPhase" ];
|
description = ''
|
||||||
installPhase = ''
|
Hosts to generate <literal>config.krebs.tinc.retiolum.hostsPackage</literal>.
|
||||||
mkdir $out
|
Note that these hosts must have a network named
|
||||||
${concatStrings (mapAttrsToList (_: host: ''
|
<literal>config.krebs.tinc.retiolum.netname</literal>.
|
||||||
echo ${shell.escape host.nets.${cfg.netname}.tinc.config} \
|
'';
|
||||||
> $out/${shell.escape host.name}
|
};
|
||||||
'') cfg.hosts)}
|
|
||||||
'';
|
hostsPackage = mkOption {
|
||||||
|
type = types.package;
|
||||||
|
default = pkgs.stdenv.mkDerivation {
|
||||||
|
name = "${tinc.config.netname}-tinc-hosts";
|
||||||
|
phases = [ "installPhase" ];
|
||||||
|
installPhase = ''
|
||||||
|
mkdir $out
|
||||||
|
${concatStrings (lib.mapAttrsToList (_: host: ''
|
||||||
|
echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
|
||||||
|
> $out/${shell.escape host.name}
|
||||||
|
'') tinc.config.hosts)}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
description = ''
|
||||||
|
Package of tinc host configuration files. By default, a package will
|
||||||
|
be generated from <literal>config.krebs.${tinc.config.netname}.hosts</literal>. This
|
||||||
|
option's main purpose is to expose the generated hosts package to other
|
||||||
|
modules, like <literal>config.krebs.tinc_graphs</literal>. But it can
|
||||||
|
also be used to provide a custom hosts directory.
|
||||||
|
'';
|
||||||
|
example = literalExample ''
|
||||||
|
(pkgs.stdenv.mkDerivation {
|
||||||
|
name = "my-tinc-hosts";
|
||||||
|
src = /home/tv/my-tinc-hosts;
|
||||||
|
installPhase = "cp -R . $out";
|
||||||
|
})
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
iproutePackage = mkOption {
|
||||||
|
type = types.package;
|
||||||
|
default = pkgs.iproute;
|
||||||
|
description = "Iproute2 package to use.";
|
||||||
|
};
|
||||||
|
|
||||||
|
privkey = mkOption {
|
||||||
|
type = types.secret-file;
|
||||||
|
default = {
|
||||||
|
path = "${tinc.config.user.home}/tinc.rsa_key.priv";
|
||||||
|
owner = tinc.config.user;
|
||||||
|
source-path = toString <secrets> + "/${tinc.config.netname}.rsa_key.priv";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
connectTo = mkOption {
|
||||||
|
type = types.listOf types.str;
|
||||||
|
default = [ "fastpoke" "cd" "prism" "gum" ];
|
||||||
|
description = ''
|
||||||
|
The list of hosts in the network which the client will try to connect
|
||||||
|
to. These hosts should have an 'Address' configured which points to a
|
||||||
|
routeable IPv4 or IPv6 address.
|
||||||
|
|
||||||
|
In stockholm this can be done by configuring:
|
||||||
|
krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.addrs4 =
|
||||||
|
[ "${external-ip} ${external-port}" ]
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
user = mkOption {
|
||||||
|
type = types.user;
|
||||||
|
default = {
|
||||||
|
name = tinc.config.netname;
|
||||||
|
home = "/var/lib/${tinc.config.user.name}";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
description = ''
|
}));
|
||||||
Package of tinc host configuration files. By default, a package will
|
|
||||||
be generated from <literal>config.krebs.retiolum.hosts</literal>. This
|
|
||||||
option's main purpose is to expose the generated hosts package to other
|
|
||||||
modules, like <literal>config.krebs.tinc_graphs</literal>. But it can
|
|
||||||
also be used to provide a custom hosts directory.
|
|
||||||
'';
|
|
||||||
example = literalExample ''
|
|
||||||
(pkgs.stdenv.mkDerivation {
|
|
||||||
name = "my-tinc-hosts";
|
|
||||||
src = /home/tv/my-tinc-hosts;
|
|
||||||
installPhase = "cp -R . $out";
|
|
||||||
})
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
iproutePackage = mkOption {
|
|
||||||
type = types.package;
|
|
||||||
default = pkgs.iproute;
|
|
||||||
description = "Iproute2 package to use.";
|
|
||||||
};
|
|
||||||
|
|
||||||
privkey = mkOption {
|
|
||||||
type = types.secret-file;
|
|
||||||
default = {
|
|
||||||
path = "${cfg.user.home}/tinc.rsa_key.priv";
|
|
||||||
owner = cfg.user;
|
|
||||||
source-path = toString <secrets> + "/${cfg.netname}.rsa_key.priv";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
connectTo = mkOption {
|
|
||||||
type = types.listOf types.str;
|
|
||||||
default = [ "fastpoke" "cd" "prism" "gum" ];
|
|
||||||
description = ''
|
|
||||||
The list of hosts in the network which the client will try to connect
|
|
||||||
to. These hosts should have an 'Address' configured which points to a
|
|
||||||
routeable IPv4 or IPv6 address.
|
|
||||||
|
|
||||||
In stockholm this can be done by configuring:
|
|
||||||
krebs.hosts.${connect-host}.nets.${netname?"retiolum"}.via.addrs4 =
|
|
||||||
[ "${external-ip} ${external-port}" ]
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
user = mkOption {
|
|
||||||
type = types.user;
|
|
||||||
default = {
|
|
||||||
name = cfg.netname;
|
|
||||||
home = "/var/lib/${cfg.user.name}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
imp = {
|
imp = {
|
||||||
krebs.secret.files."${cfg.netname}.rsa_key.priv" = cfg.privkey;
|
# TODO `environment.systemPackages = [ cfg.tincPackage cfg.iproutePackage ]` for each network,
|
||||||
|
# avoid conflicts in environment if the packages differ
|
||||||
|
|
||||||
environment.systemPackages = [ tinc iproute ];
|
krebs.secret.files = mapAttrs' (netname: cfg:
|
||||||
|
nameValuePair "${netname}.rsa_key.priv" cfg.privkey ) config.krebs.tinc;
|
||||||
|
users.users = mapAttrs' (netname: cfg:
|
||||||
|
nameValuePair "${netname}" {
|
||||||
|
inherit (cfg.user) home name uid;
|
||||||
|
createHome = true;
|
||||||
|
}
|
||||||
|
) config.krebs.tinc;
|
||||||
|
|
||||||
systemd.services.${cfg.netname} = {
|
systemd.services = mapAttrs (netname: cfg:
|
||||||
description = "Tinc daemon for Retiolum";
|
let
|
||||||
after = [ "network.target" ];
|
net = cfg.host.nets.${netname};
|
||||||
wantedBy = [ "multi-user.target" ];
|
tinc = cfg.tincPackage;
|
||||||
requires = [ "secret.service" ];
|
iproute = cfg.iproutePackage;
|
||||||
path = [ tinc iproute ];
|
|
||||||
serviceConfig = rec {
|
|
||||||
Restart = "always";
|
|
||||||
ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
|
|
||||||
SyslogIdentifier = cfg.netname;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
users.users.${cfg.user.name} = {
|
confDir = let
|
||||||
inherit (cfg.user) home name uid;
|
namePathPair = name: path: { inherit name path; };
|
||||||
createHome = true;
|
in pkgs.linkFarm "${netname}-etc-tinc" (mapAttrsToList namePathPair {
|
||||||
};
|
"hosts" = cfg.hostsPackage;
|
||||||
|
"tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" ''
|
||||||
|
Name = ${cfg.host.name}
|
||||||
|
Interface = ${netname}
|
||||||
|
${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
|
||||||
|
PrivateKeyFile = ${cfg.privkey.path}
|
||||||
|
${cfg.extraConfig}
|
||||||
|
'';
|
||||||
|
"tinc-up" = pkgs.writeDash "${netname}-tinc-up" ''
|
||||||
|
${iproute}/sbin/ip link set ${netname} up
|
||||||
|
${optionalString (net.ip4 != null) /* sh */ ''
|
||||||
|
${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${netname}
|
||||||
|
${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${netname}
|
||||||
|
''}
|
||||||
|
${optionalString (net.ip6 != null) /* sh */ ''
|
||||||
|
${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${netname}
|
||||||
|
${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${netname}
|
||||||
|
''}
|
||||||
|
'';
|
||||||
|
}
|
||||||
|
);
|
||||||
|
in {
|
||||||
|
description = "Tinc daemon for ${netname}";
|
||||||
|
after = [ "network.target" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
requires = [ "secret.service" ];
|
||||||
|
path = [ tinc iproute ];
|
||||||
|
serviceConfig = rec {
|
||||||
|
Restart = "always";
|
||||||
|
ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${cfg.user.name} -D --pidfile=/var/run/tinc.${SyslogIdentifier}.pid";
|
||||||
|
SyslogIdentifier = netname;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
) config.krebs.tinc;
|
||||||
};
|
};
|
||||||
|
|
||||||
net = cfg.host.nets.${cfg.netname};
|
|
||||||
|
|
||||||
tinc = cfg.tincPackage;
|
|
||||||
|
|
||||||
iproute = cfg.iproutePackage;
|
|
||||||
|
|
||||||
confDir = let
|
|
||||||
namePathPair = name: path: { inherit name path; };
|
|
||||||
in pkgs.linkFarm "${cfg.netname}-etc-tinc" (mapAttrsToList namePathPair {
|
|
||||||
"hosts" = cfg.hostsPackage;
|
|
||||||
"tinc.conf" = pkgs.writeText "${cfg.netname}-tinc.conf" ''
|
|
||||||
Name = ${cfg.host.name}
|
|
||||||
Interface = ${cfg.netname}
|
|
||||||
${concatStrings (map (c: "ConnectTo = ${c}\n") cfg.connectTo)}
|
|
||||||
PrivateKeyFile = ${cfg.privkey.path}
|
|
||||||
${cfg.extraConfig}
|
|
||||||
'';
|
|
||||||
"tinc-up" = pkgs.writeDash "${cfg.netname}-tinc-up" ''
|
|
||||||
${iproute}/sbin/ip link set ${cfg.netname} up
|
|
||||||
${optionalString (net.ip4 != null) /* sh */ ''
|
|
||||||
${iproute}/sbin/ip -4 addr add ${net.ip4.addr} dev ${cfg.netname}
|
|
||||||
${iproute}/sbin/ip -4 route add ${net.ip4.prefix} dev ${cfg.netname}
|
|
||||||
''}
|
|
||||||
${optionalString (net.ip6 != null) /* sh */ ''
|
|
||||||
${iproute}/sbin/ip -6 addr add ${net.ip6.addr} dev ${cfg.netname}
|
|
||||||
${iproute}/sbin/ip -6 route add ${net.ip6.prefix} dev ${cfg.netname}
|
|
||||||
''}
|
|
||||||
'';
|
|
||||||
});
|
|
||||||
|
|
||||||
in out
|
in out
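Review bot: The per-network `enable` option (`mkEnableOption … // { default = true; }`) is never consumed: `config = imp;` replaced the old `lib.mkIf cfg.enable imp`, and the three `mapAttrs'`/`mapAttrs` calls for `krebs.secret.files`, `users.users` and `systemd.services` iterate over all of `config.krebs.tinc`, so `krebs.tinc.<net>.enable = false` still installs the private key, creates the user and starts tincd — only the `assert config.krebs.tinc.retiolum.enable` in the other file reads it. I would bind `enabledNets = filterAttrs (_: cfg: cfg.enable) config.krebs.tinc;` in a `let` inside `imp` and pass `enabledNets` instead of `config.krebs.tinc` to those three calls. Two smaller things: the `hostsPackage` description says `config.krebs.${tinc.config.netname}.hosts`, missing the `tinc.` segment, and the service has `requires = [ "secret.service" ]` but only `after = [ "network.target" ]`, so unless secret.service is ordered elsewhere tincd may start before the key is in place and rely on `Restart = "always"` to recover (carried over from the old module, but worth `after = [ "network.target" "secret.service" ]`).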
|
||||||
|
@ -23,7 +23,7 @@ let
|
|||||||
hostsPath = mkOption {
|
hostsPath = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
description = "Path to Hosts directory";
|
description = "Path to Hosts directory";
|
||||||
default = "${config.krebs.retiolum.hostsPackage}";
|
default = "${config.krebs.tinc.retiolum.hostsPackage}";
|
||||||
};
|
};
|
||||||
|
|
||||||
network = mkOption {
|
network = mkOption {
|
||||||
|
@ -5,9 +5,10 @@ stdenv.mkDerivation rec {
|
|||||||
# forticlient will be copied into /tmp before execution. this is necessary as
|
# forticlient will be copied into /tmp before execution. this is necessary as
|
||||||
# the software demands $base to be writeable
|
# the software demands $base to be writeable
|
||||||
|
|
||||||
|
# TODO: chroot and create the following files instead of copying files manually
|
||||||
# mkdir /etc/ppp ; touch /etc/ppp/options
|
# mkdir /etc/ppp ; touch /etc/ppp/options
|
||||||
## i still have not found which tool uses tail ... i tried redirecting it in forticlientsslvpn and subproc
|
|
||||||
# ln -s /run/current-system/sw/bin/tail /usr/bin/tail
|
# ln -s /run/current-system/sw/bin/tail /usr/bin/tail
|
||||||
|
# ln -s /run/current-system/sw/bin/pppd /usr/sbin/pppd
|
||||||
|
|
||||||
src = fetchurl {
|
src = fetchurl {
|
||||||
# archive.org mirror:
|
# archive.org mirror:
|
||||||
@ -62,7 +63,7 @@ stdenv.mkDerivation rec {
|
|||||||
cp -r 64bit/. "$out/opt/fortinet"
|
cp -r 64bit/. "$out/opt/fortinet"
|
||||||
wrapProgram $out/opt/fortinet/forticlientsslvpn \
|
wrapProgram $out/opt/fortinet/forticlientsslvpn \
|
||||||
--set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
|
--set LD_PRELOAD "${libredirect}/lib/libredirect.so" \
|
||||||
--set NIX_REDIRECTS /usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/ppp=${ppp}/bin/ppp
|
--set NIX_REDIRECTS /usr/bin/tail=${coreutils}/bin/tail:/usr/sbin/ip=${iproute}/bin/ip:/usr/sbin/pppd=${ppp}/bin/pppd
|
||||||
|
|
||||||
mkdir -p "$out/bin/"
|
mkdir -p "$out/bin/"
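Review bot: The redirect mechanism has a caveat that should be documented next to the `wrapProgram` call: the dynamic loader drops `LD_PRELOAD` for setuid/setgid executables, so if `forticlientsslvpn` or a subprocess escalates through a setuid helper, the `NIX_REDIRECTS` entries for `/usr/bin/tail`, `/usr/sbin/ip` and `/usr/sbin/pppd` silently stop applying there and the literal `/usr/*` paths are used. I would add `# libredirect is ignored for setuid binaries; privileged helpers still see the literal /usr paths` above the `--set LD_PRELOAD` line. Separately, the header comment says the client is copied into /tmp before execution; if that copy lands at a predictable path rather than one from `mktemp -d` (the copy step is outside this hunk), a local user could pre-create it — worth confirming.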
|
||||||
|
|
||||||
|
@ -226,7 +226,7 @@ in {
|
|||||||
{
|
{
|
||||||
users.users.tv = {
|
users.users.tv = {
|
||||||
uid = genid "tv";
|
uid = genid "tv";
|
||||||
home = "/home/tv";
|
inherit (config.krebs.users.tv) home;
|
||||||
group = "users";
|
group = "users";
|
||||||
createHome = true;
|
createHome = true;
|
||||||
useDefaultShell = true;
|
useDefaultShell = true;
|
||||||
|
9
lass/2configs/audit.nix
Normal file
9
lass/2configs/audit.nix
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
{ ... }:
|
||||||
|
|
||||||
|
{
|
||||||
|
security.audit = {
|
||||||
|
rules = [
|
||||||
|
"-a task,never"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
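Review bot: The single rule `"-a task,never"` needs a comment, because its effect is the opposite of what a file called audit.nix suggests: it tells the kernel audit subsystem to drop the audit context for every newly created task, so no audit records are generated at all (a common way to silence audit noise in the journal, not to enable auditing). I would add above `rules`: `# Silence the kernel audit subsystem: "-a task,never" drops the audit context of every new task, so no records are generated. Remove this if real auditing is wanted.`. Also note that nothing here sets `security.audit.enable`; whether the rules are loaded at all presumably depends on that option's default, so it is worth stating the intended end state in the comment.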
|
@ -86,17 +86,17 @@ in {
|
|||||||
["make \
|
["make \
|
||||||
test \
|
test \
|
||||||
ssh=${sshWrapper} \
|
ssh=${sshWrapper} \
|
||||||
target=build@localhost:${config.users.users.build.home}/testbuild \
|
target=build@localhost${config.users.users.build.home}/testbuild \
|
||||||
method=build \
|
method=build \
|
||||||
system={}".format(i)])
|
system={}".format(i)])
|
||||||
|
|
||||||
for i in [ "pornocauster", "wry" ]:
|
for i in [ "pornocauster", "wry", "vbob", "wbob", "shoney" ]:
|
||||||
addShell(f,name="build-{}".format(i),env=env_makefu,
|
addShell(f,name="build-{}".format(i),env=env_makefu,
|
||||||
command=nixshell + \
|
command=nixshell + \
|
||||||
["make \
|
["make \
|
||||||
test \
|
test \
|
||||||
ssh=${sshWrapper} \
|
ssh=${sshWrapper} \
|
||||||
target=build@localhost:${config.users.users.build.home}/testbuild \
|
target=build@localhost${config.users.users.build.home}/testbuild \
|
||||||
method=build \
|
method=build \
|
||||||
system={}".format(i)])
|
system={}".format(i)])
|
||||||
|
|
||||||
@ -147,7 +147,7 @@ in {
|
|||||||
password = "lasspass";
|
password = "lasspass";
|
||||||
packages = with pkgs; [ gnumake jq nix populate ];
|
packages = with pkgs; [ gnumake jq nix populate ];
|
||||||
extraEnviron = {
|
extraEnviron = {
|
||||||
NIX_PATH="nixpkgs=/var/src/nixpkgs";
|
NIX_PATH="/var/src";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
config.krebs.iptables = {
|
config.krebs.iptables = {
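Review bot: The worker definition still carries a literal `password = "lasspass"` in the repository, and with the worker list in the hunk above now growing to five hosts this one shared secret authenticates every build worker to the master. The same commit already reads a secret with `import <secrets/transmission-pw>` elsewhere, so the same pattern fits here: `password = import <secrets/buildbot-worker-pw>;`. The change of `NIX_PATH` to the bare `"/var/src"` also means every `<name>` lookup inside builds now resolves against whatever is checked out under /var/src, presumably intended so `<stockholm>`-style lookups work; a short comment stating that, and that `<secrets>` must not live there, would make the intent clear. The enclosing attribute set continues outside this hunk.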
|
||||||
|
@ -3,13 +3,14 @@
|
|||||||
with config.krebs.lib;
|
with config.krebs.lib;
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
../2configs/vim.nix
|
../2configs/audit.nix
|
||||||
../2configs/zsh.nix
|
|
||||||
../2configs/mc.nix
|
|
||||||
../2configs/retiolum.nix
|
|
||||||
../2configs/nixpkgs.nix
|
|
||||||
../2configs/binary-cache/client.nix
|
../2configs/binary-cache/client.nix
|
||||||
../2configs/gc.nix
|
../2configs/gc.nix
|
||||||
|
../2configs/mc.nix
|
||||||
|
../2configs/nixpkgs.nix
|
||||||
|
../2configs/retiolum.nix
|
||||||
|
../2configs/vim.nix
|
||||||
|
../2configs/zsh.nix
|
||||||
./backups.nix
|
./backups.nix
|
||||||
{
|
{
|
||||||
users.extraUsers =
|
users.extraUsers =
|
||||||
|
@ -5,9 +5,6 @@ with config.krebs.lib;
|
|||||||
let
|
let
|
||||||
rpc-password = import <secrets/transmission-pw>;
|
rpc-password = import <secrets/transmission-pw>;
|
||||||
in {
|
in {
|
||||||
imports = [
|
|
||||||
../3modules/folderPerms.nix
|
|
||||||
];
|
|
||||||
|
|
||||||
users.extraUsers = {
|
users.extraUsers = {
|
||||||
download = {
|
download = {
|
||||||
@ -64,15 +61,4 @@ in {
|
|||||||
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
|
{ predicate = "-p udp --dport 51413"; target = "ACCEPT"; }
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
lass.folderPerms = {
|
|
||||||
enable = true;
|
|
||||||
permissions = [
|
|
||||||
{
|
|
||||||
path = "/var/download";
|
|
||||||
permission = "775";
|
|
||||||
owner = "transmission:download";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
@ -27,7 +27,6 @@ with config.krebs.lib;
|
|||||||
{ from = "lass@aidsballs.de"; to = lass.mail; }
|
{ from = "lass@aidsballs.de"; to = lass.mail; }
|
||||||
{ from = "wordpress@ubikmedia.de"; to = lass.mail; }
|
{ from = "wordpress@ubikmedia.de"; to = lass.mail; }
|
||||||
{ from = "finanzamt@lassul.us"; to = lass.mail; }
|
{ from = "finanzamt@lassul.us"; to = lass.mail; }
|
||||||
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
|
|
||||||
{ from = "netzclub@lassul.us"; to = lass.mail; }
|
{ from = "netzclub@lassul.us"; to = lass.mail; }
|
||||||
{ from = "nebenan@lassul.us"; to = lass.mail; }
|
{ from = "nebenan@lassul.us"; to = lass.mail; }
|
||||||
];
|
];
|
||||||
|
@ -1,8 +1,8 @@
|
|||||||
{ ... }:
|
{ ... }:
|
||||||
|
|
||||||
{
|
{
|
||||||
krebs.build.source.nixpkgs = {
|
krebs.build.source.nixpkgs.git = {
|
||||||
url = https://github.com/lassulus/nixpkgs;
|
url = https://github.com/lassulus/nixpkgs;
|
||||||
rev = "446d4c1fc10f53cf97abea1996d067ad93de2ded";
|
ref = "c6ca9c8c8b7eb8f8e68868e36fb90e162adf080f";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -91,12 +91,11 @@ in {
|
|||||||
(sync-remote "repo-sync" "https://github.com/makefu/repo-sync")
|
(sync-remote "repo-sync" "https://github.com/makefu/repo-sync")
|
||||||
(sync-remote "skytraq-datalogger" "https://github.com/makefu/skytraq-datalogger")
|
(sync-remote "skytraq-datalogger" "https://github.com/makefu/skytraq-datalogger")
|
||||||
(sync-remote "xintmap" "https://github.com/4z3/xintmap")
|
(sync-remote "xintmap" "https://github.com/4z3/xintmap")
|
||||||
|
(sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
|
||||||
(sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
|
(sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
|
||||||
(sync-retiolum "go")
|
(sync-retiolum "go")
|
||||||
(sync-retiolum "much")
|
(sync-retiolum "much")
|
||||||
(sync-retiolum "newsbot-js")
|
(sync-retiolum "newsbot-js")
|
||||||
(sync-retiolum "painload")
|
|
||||||
(sync-retiolum "realwallpaper")
|
|
||||||
(sync-retiolum "stockholm")
|
(sync-retiolum "stockholm")
|
||||||
(sync-retiolum "wai-middleware-time")
|
(sync-retiolum "wai-middleware-time")
|
||||||
(sync-retiolum "web-routes-wai-custom")
|
(sync-retiolum "web-routes-wai-custom")
|
||||||
|
@ -12,7 +12,7 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
krebs.retiolum = {
|
krebs.tinc.retiolum = {
|
||||||
enable = true;
|
enable = true;
|
||||||
connectTo = [
|
connectTo = [
|
||||||
"prism"
|
"prism"
|
||||||
|
@ -110,14 +110,6 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.domsen = {
|
|
||||||
uid = genid "domsen";
|
|
||||||
description = "maintenance acc for domsen";
|
|
||||||
home = "/home/domsen";
|
|
||||||
useDefaultShell = true;
|
|
||||||
extraGroups = [ "nginx" ];
|
|
||||||
createHome = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
#services.phpfpm.phpOptions = ''
|
#services.phpfpm.phpOptions = ''
|
||||||
# extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
|
# extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
|
||||||
@ -133,5 +125,40 @@ in {
|
|||||||
cat ${pkgs.php}/etc/php-recommended.ini > $out
|
cat ${pkgs.php}/etc/php-recommended.ini > $out
|
||||||
echo "$options" >> $out
|
echo "$options" >> $out
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
# MAIL STUFF
|
||||||
|
# TODO: make into its own module
|
||||||
|
services.dovecot2 = {
|
||||||
|
enable = true;
|
||||||
|
mailLocation = "maildir:~/Mail";
|
||||||
|
};
|
||||||
|
krebs.iptables.tables.filter.INPUT.rules = [
|
||||||
|
{ predicate = "-p tcp --dport pop3"; target = "ACCEPT"; }
|
||||||
|
{ predicate = "-p tcp --dport imap"; target = "ACCEPT"; }
|
||||||
|
];
|
||||||
|
krebs.exim-smarthost = {
|
||||||
|
internet-aliases = [
|
||||||
|
{ from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
|
||||||
|
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
|
||||||
|
];
|
||||||
|
system-aliases = [
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.domsen = {
|
||||||
|
uid = genid "domsen";
|
||||||
|
description = "maintenance acc for domsen";
|
||||||
|
home = "/home/domsen";
|
||||||
|
useDefaultShell = true;
|
||||||
|
extraGroups = [ "nginx" ];
|
||||||
|
createHome = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.jla-trading = {
|
||||||
|
uid = genid "jla-trading";
|
||||||
|
home = "/home/jla-trading";
|
||||||
|
useDefaultShell = true;
|
||||||
|
createHome = true;
|
||||||
|
};
|
||||||
}
|
}
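Review bot: The firewall additions open `pop3` and `imap`, the cleartext ports, to any source, while the `services.dovecot2` block only sets `enable` and `mailLocation` and nothing here configures TLS (`sslServerCert`/`sslServerKey`) or a requirement for it. Unless Dovecot is made to refuse plaintext authentication elsewhere, the credentials of the new `domsen` and `jla-trading` accounts — which are also shell accounts via `useDefaultShell = true` — would be offered in the clear over the Internet. I would expose only the TLS ports, `{ predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }` and `{ predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }`, and point `sslServerCert`/`sslServerKey` at the existing certificate material; if plaintext is deliberately accepted for now, the `# TODO: make into its own module` comment should say so.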
|
||||||
|
|
||||||
|
@ -7,6 +7,7 @@ let
|
|||||||
head
|
head
|
||||||
;
|
;
|
||||||
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
|
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
|
||||||
|
manageCerts
|
||||||
ssl
|
ssl
|
||||||
servePage
|
servePage
|
||||||
serveWordpress
|
serveWordpress
|
||||||
@ -48,6 +49,9 @@ in {
|
|||||||
|
|
||||||
(ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
|
(ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
|
||||||
(servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
|
(servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
|
||||||
|
|
||||||
|
(manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ])
|
||||||
|
(serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
|
||||||
];
|
];
|
||||||
|
|
||||||
lass.mysqlBackup.config.all.databases = [
|
lass.mysqlBackup.config.all.databases = [
|
||||||
@ -74,6 +78,16 @@ in {
|
|||||||
config.krebs.users.fritz.pubkey
|
config.krebs.users.fritz.pubkey
|
||||||
];
|
];
|
||||||
|
|
||||||
|
users.users.goldbarrendiebstahl = {
|
||||||
|
home = "/srv/http/goldbarrendiebstahl.radical-dreamers.de";
|
||||||
|
uid = genid "goldbarrendiebstahl";
|
||||||
|
createHome = true;
|
||||||
|
useDefaultShell = true;
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
config.krebs.users.fritz.pubkey
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
|
services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
|
||||||
options = ''
|
options = ''
|
||||||
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
|
extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
|
||||||
|
@ -17,6 +17,7 @@ in {
|
|||||||
../2configs/exim-retiolum.nix
|
../2configs/exim-retiolum.nix
|
||||||
../2configs/virtualization.nix
|
../2configs/virtualization.nix
|
||||||
|
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
../2configs/temp-share-samba.nix
|
../2configs/temp-share-samba.nix
|
||||||
];
|
];
|
||||||
services.samba.shares = {
|
services.samba.shares = {
|
||||||
@ -39,7 +40,6 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
#networking.firewall.enable = false;
|
#networking.firewall.enable = false;
|
||||||
krebs.retiolum.enable = true;
|
|
||||||
|
|
||||||
boot.kernelModules = [ "coretemp" "f71882fg" ];
|
boot.kernelModules = [ "coretemp" "f71882fg" ];
|
||||||
hardware.enableAllFirmware = true;
|
hardware.enableAllFirmware = true;
|
||||||
|
@ -22,8 +22,8 @@ in {
|
|||||||
../.
|
../.
|
||||||
../2configs/fs/single-partition-ext4.nix
|
../2configs/fs/single-partition-ext4.nix
|
||||||
../2configs/smart-monitor.nix
|
../2configs/smart-monitor.nix
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
];
|
];
|
||||||
krebs.retiolum.enable = true;
|
|
||||||
krebs.build.host = config.krebs.hosts.filepimp;
|
krebs.build.host = config.krebs.hosts.filepimp;
|
||||||
# AMD N54L
|
# AMD N54L
|
||||||
boot = {
|
boot = {
|
||||||
|
@ -19,6 +19,7 @@ in {
|
|||||||
../2configs/deployment/mycube.connector.one.nix
|
../2configs/deployment/mycube.connector.one.nix
|
||||||
|
|
||||||
../2configs/exim-retiolum.nix
|
../2configs/exim-retiolum.nix
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
../2configs/urlwatch.nix
|
../2configs/urlwatch.nix
|
||||||
|
|
||||||
];
|
];
|
||||||
@ -27,8 +28,7 @@ in {
|
|||||||
|
|
||||||
###### stable
|
###### stable
|
||||||
krebs.build.host = config.krebs.hosts.gum;
|
krebs.build.host = config.krebs.hosts.gum;
|
||||||
krebs.retiolum = {
|
krebs.tinc.retiolum = {
|
||||||
enable = true;
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
ListenAddress = ${external-ip} 53
|
ListenAddress = ${external-ip} 53
|
||||||
ListenAddress = ${external-ip} 655
|
ListenAddress = ${external-ip} 655
|
||||||
|
@ -47,12 +47,12 @@ in {
|
|||||||
#../2configs/graphite-standalone.nix
|
#../2configs/graphite-standalone.nix
|
||||||
#../2configs/share-user-sftp.nix
|
#../2configs/share-user-sftp.nix
|
||||||
../2configs/omo-share.nix
|
../2configs/omo-share.nix
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
|
|
||||||
## as long as pyload is not in nixpkgs:
|
## as long as pyload is not in nixpkgs:
|
||||||
# docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
|
# docker run -d -v /var/lib/pyload:/opt/pyload/pyload-config -v /media/crypt0/pyload:/opt/pyload/Downloads --name pyload --restart=always -p 8112:8000 -P writl/pyload
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.retiolum.enable = true;
|
|
||||||
networking.firewall.trustedInterfaces = [ primaryInterface ];
|
networking.firewall.trustedInterfaces = [ primaryInterface ];
|
||||||
# udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
|
# udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net
|
||||||
# tcp:80 - nginx for sharing files
|
# tcp:80 - nginx for sharing files
|
||||||
|
@ -15,11 +15,12 @@
|
|||||||
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
|
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
|
||||||
../2configs/fs/vm-single-partition.nix
|
../2configs/fs/vm-single-partition.nix
|
||||||
|
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
|
|
||||||
# config.system.build.vm
|
# config.system.build.vm
|
||||||
<nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>
|
(toString <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix>)
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.retiolum.enable = true;
|
|
||||||
virtualisation.graphics = false;
|
virtualisation.graphics = false;
|
||||||
# also export secrets, see Usage above
|
# also export secrets, see Usage above
|
||||||
fileSystems = pkgs.lib.mkVMOverride {
|
fileSystems = pkgs.lib.mkVMOverride {
|
||||||
|
@ -38,8 +38,9 @@
|
|||||||
#../2configs/wordpress.nix
|
#../2configs/wordpress.nix
|
||||||
../2configs/nginx/public_html.nix
|
../2configs/nginx/public_html.nix
|
||||||
|
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
# temporary modules
|
# temporary modules
|
||||||
# ../2configs/temp/share-samba.nix
|
../2configs/temp/share-samba.nix
|
||||||
# ../2configs/temp/elkstack.nix
|
# ../2configs/temp/elkstack.nix
|
||||||
# ../2configs/temp/sabnzbd.nix
|
# ../2configs/temp/sabnzbd.nix
|
||||||
];
|
];
|
||||||
@ -69,10 +70,9 @@
|
|||||||
|
|
||||||
krebs.build.host = config.krebs.hosts.pornocauster;
|
krebs.build.host = config.krebs.hosts.pornocauster;
|
||||||
krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
|
krebs.hosts.omo.nets.retiolum.via.ip4.addr = "192.168.1.11";
|
||||||
krebs.retiolum = {
|
|
||||||
enable = true;
|
krebs.tinc.retiolum.connectTo = [ "omo" "gum" "prism" ];
|
||||||
connectTo = [ "omo" "gum" "prism" ];
|
|
||||||
};
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
192.168.1.11 omo.local
|
192.168.1.11 omo.local
|
||||||
'';
|
'';
|
||||||
|
@ -10,6 +10,7 @@
|
|||||||
../.
|
../.
|
||||||
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
|
<nixpkgs/nixos/modules/profiles/qemu-guest.nix>
|
||||||
../2configs/git/cgit-retiolum.nix
|
../2configs/git/cgit-retiolum.nix
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
];
|
];
|
||||||
krebs.build.host = config.krebs.hosts.repunit;
|
krebs.build.host = config.krebs.hosts.repunit;
|
||||||
|
|
||||||
@ -31,14 +32,6 @@
|
|||||||
{ device = "/dev/disk/by-label/nixos";
|
{ device = "/dev/disk/by-label/nixos";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
krebs.retiolum = {
|
|
||||||
enable = true;
|
|
||||||
connectTo = [
|
|
||||||
"gum"
|
|
||||||
"pigstarter"
|
|
||||||
"fastpoke"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# $ nix-env -qaP | grep wget
|
# $ nix-env -qaP | grep wget
|
||||||
environment.systemPackages = with pkgs; [
|
environment.systemPackages = with pkgs; [
|
||||||
|
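Review bot: The removed `krebs.retiolum` block also carried `connectTo = [ "gum" "pigstarter" "fastpoke" ]`, and the replacement import `../2configs/tinc/retiolum.nix` added in this commit only sets `krebs.tinc.retiolum.enable = true`, so repunit no longer names any peers unless the module supplies a default. The pornocauster hunk above keeps its list as `krebs.tinc.retiolum.connectTo = [ ... ]`; if repunit is meant to stay bootstrapped the same way, add `krebs.tinc.retiolum.connectTo = [ "gum" "pigstarter" "fastpoke" ];` next to `krebs.build.host`. The vbob hunk (`@ -45,13 +53,6 @@`) drops `connectTo = [ "omo" "gum" ]` in the same way.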
@ -13,15 +13,12 @@ in {
|
|||||||
../2configs/save-diskspace.nix
|
../2configs/save-diskspace.nix
|
||||||
../2configs/hw/CAC.nix
|
../2configs/hw/CAC.nix
|
||||||
../2configs/fs/CAC-CentOS-7-64bit.nix
|
../2configs/fs/CAC-CentOS-7-64bit.nix
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.honeyd ];
|
|
||||||
services.tinc.networks.siem.name = "sjump";
|
|
||||||
|
|
||||||
krebs = {
|
krebs = {
|
||||||
enable = true;
|
enable = true;
|
||||||
retiolum.enable = true;
|
|
||||||
build.host = config.krebs.hosts.shoney;
|
build.host = config.krebs.hosts.shoney;
|
||||||
nginx.enable = true;
|
nginx.enable = true;
|
||||||
tinc_graphs = {
|
tinc_graphs = {
|
||||||
|
@ -17,9 +17,9 @@
|
|||||||
|
|
||||||
../2configs/zsh-user.nix
|
../2configs/zsh-user.nix
|
||||||
../2configs/exim-retiolum.nix
|
../2configs/exim-retiolum.nix
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
];
|
];
|
||||||
# not working in vm
|
# not working in vm
|
||||||
krebs.retiolum.enable = true;
|
|
||||||
krebs.build.host = config.krebs.hosts.tsp;
|
krebs.build.host = config.krebs.hosts.tsp;
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = [
|
networking.firewall.allowedTCPPorts = [
|
||||||
|
@ -8,9 +8,10 @@
|
|||||||
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
|
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
|
||||||
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
|
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
|
||||||
../2configs/main-laptop.nix #< base-gui
|
../2configs/main-laptop.nix #< base-gui
|
||||||
# (toString <secrets>)/extra-hosts.nix
|
# <secrets/extra-hosts.nix>
|
||||||
|
|
||||||
# environment
|
# environment
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
|
|
||||||
];
|
];
|
||||||
# workaround for https://github.com/NixOS/nixpkgs/issues/16641
|
# workaround for https://github.com/NixOS/nixpkgs/issues/16641
|
||||||
@ -28,8 +29,15 @@
|
|||||||
openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ];
|
openssh.authorizedKeys.keys = [ config.krebs.users.makefu-vbob.pubkey ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environment.shellAliases = {
|
||||||
|
forti = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn";
|
||||||
|
};
|
||||||
|
# TODO: for forticleintsslpn
|
||||||
|
# ln -s /r/current-system/sw/bin/pppd /usr/sbin/pppd
|
||||||
|
# ln -s /r/current-system/sw/bin/tail /usr/bin/tail
|
||||||
environment.systemPackages = with pkgs;[
|
environment.systemPackages = with pkgs;[
|
||||||
fortclientsslvpn
|
fortclientsslvpn ppp xclip
|
||||||
get
|
get
|
||||||
logstash
|
logstash
|
||||||
docker
|
docker
|
||||||
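Review bot: The new alias `forti = "cat ~/vpn/pw.txt | xclip; sudo forticlientsslvpn"` reads a VPN password from a plaintext file in the home directory and copies it into the X selection, where any client on the same display can read it and where it stays until something overwrites it. The configuration already keeps secrets under `<secrets>` (the `sec = toString <secrets>` pattern appears elsewhere in this commit), so consider keeping the credential there and clearing the selection once the client has consumed it. The accompanying `# TODO: for forticleintsslpn` comment has a typo (`forticlientsslvpn`).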
@ -45,13 +53,6 @@
|
|||||||
8010
|
8010
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.retiolum = {
|
|
||||||
enable = true;
|
|
||||||
connectTo = [
|
|
||||||
"omo"
|
|
||||||
"gum"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
virtualisation.docker.enable = false;
|
virtualisation.docker.enable = false;
|
||||||
|
|
||||||
fileSystems."/media/share" = {
|
fileSystems."/media/share" = {
|
||||||
|
@ -1,5 +1,7 @@
|
|||||||
{ config, pkgs, ... }:
|
{ config, pkgs, ... }:
|
||||||
{
|
let rootdisk = "/dev/disk/by-id/ata-TS256GMTS800_C613840115";
|
||||||
|
in {
|
||||||
|
|
||||||
makefu.awesome = {
|
makefu.awesome = {
|
||||||
modkey = "Mod1";
|
modkey = "Mod1";
|
||||||
#TODO: integrate kiosk config into full config by templating the autostart
|
#TODO: integrate kiosk config into full config by templating the autostart
|
||||||
@ -9,19 +11,19 @@
|
|||||||
[ # Include the results of the hardware scan.
|
[ # Include the results of the hardware scan.
|
||||||
../.
|
../.
|
||||||
../2configs/main-laptop.nix
|
../2configs/main-laptop.nix
|
||||||
|
../2configs/virtualization.nix
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
];
|
];
|
||||||
krebs = {
|
krebs = {
|
||||||
enable = true;
|
enable = true;
|
||||||
retiolum.enable = true;
|
|
||||||
build.host = config.krebs.hosts.wbob;
|
build.host = config.krebs.hosts.wbob;
|
||||||
};
|
};
|
||||||
networking.firewall.allowedUDPPorts = [ 1655 ];
|
networking.firewall.allowedUDPPorts = [ 1655 ];
|
||||||
networking.firewall.allowedTCPPorts = [ 1655 ];
|
networking.firewall.allowedTCPPorts = [ 1655 49152 ];
|
||||||
services.tinc.networks.siem = {
|
services.tinc.networks.siem = {
|
||||||
name = "display";
|
name = "display";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
ConnectTo = sjump
|
ConnectTo = sjump
|
||||||
Port = 1655
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
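Review bot: `Port = 1655` is removed from the siem tinc `extraConfig`, but `networking.firewall.allowedUDPPorts = [ 1655 ]` stays and the TCP list grows to `[ 1655 49152 ]`, so the firewall keeps 1655 open for a listener that, with the line gone, presumably falls back to tinc's default port; either keep the Port line or drop 1655 from both lists. 49152 is opened without a comment naming the service behind it; a short `# <service>` next to it would help the next reader. This hunk also keeps `ConnectTo = sjump`, while the shoney hunk above removes `services.tinc.networks.siem.name = "sjump"` — worth confirming that the sjump node still exists on the siem network.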
@ -35,12 +37,12 @@
|
|||||||
|
|
||||||
|
|
||||||
# nuc hardware
|
# nuc hardware
|
||||||
boot.loader.grub.device = "/dev/sda";
|
boot.loader.grub.device = rootdisk;
|
||||||
hardware.cpu.intel.updateMicrocode = true;
|
hardware.cpu.intel.updateMicrocode = true;
|
||||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
|
||||||
boot.kernelModules = [ "kvm-intel" ];
|
boot.kernelModules = [ "kvm-intel" ];
|
||||||
fileSystems."/" = {
|
fileSystems."/" = {
|
||||||
device = "/dev/sda1";
|
device = rootdisk + "-part1";
|
||||||
fsType = "ext4";
|
fsType = "ext4";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -25,8 +25,9 @@ in {
|
|||||||
|
|
||||||
# collectd
|
# collectd
|
||||||
../2configs/collectd/collectd-base.nix
|
../2configs/collectd/collectd-base.nix
|
||||||
|
|
||||||
|
../2configs/tinc/retiolum.nix
|
||||||
];
|
];
|
||||||
krebs.retiolum.enable = true;
|
|
||||||
|
|
||||||
krebs.build.host = config.krebs.hosts.wry;
|
krebs.build.host = config.krebs.hosts.wry;
|
||||||
|
|
||||||
|
@ -15,6 +15,9 @@ let
|
|||||||
sec = toString <secrets>;
|
sec = toString <secrets>;
|
||||||
# secKey is nothing worth protecting on a local machine
|
# secKey is nothing worth protecting on a local machine
|
||||||
secKey = import <secrets/bepasty-secret.nix>;
|
secKey = import <secrets/bepasty-secret.nix>;
|
||||||
|
acmepath = "/var/lib/acme/";
|
||||||
|
acmechall = acmepath + "/challenges/";
|
||||||
|
ext-dom = "paste.krebsco.de" ;
|
||||||
in {
|
in {
|
||||||
|
|
||||||
krebs.nginx.enable = mkDefault true;
|
krebs.nginx.enable = mkDefault true;
|
||||||
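Review bot: `acmepath = "/var/lib/acme/"` ends with a slash and `acmechall = acmepath + "/challenges/"` adds another, so every derived path (`${acmepath}/${ext-dom}/fullchain.pem`, `${acmechall}/${ext-dom}/`) contains `//`. Linux tolerates this, but comparing these strings with the paths the acme module writes becomes error-prone; drop the trailing slash: `acmepath = "/var/lib/acme";` and `acmechall = "${acmepath}/challenges";`. The stray space in `ext-dom = "paste.krebsco.de" ;` is a style nit.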
@ -25,7 +28,7 @@ in {
|
|||||||
servers = {
|
servers = {
|
||||||
internal = {
|
internal = {
|
||||||
nginx = {
|
nginx = {
|
||||||
server-names = [ "paste.retiolum" "paste.${config.krebs.build.host.name}" ];
|
server-names = [ "paste.retiolum" "paste.r" "paste.${config.krebs.build.host.name}" ];
|
||||||
};
|
};
|
||||||
defaultPermissions = "admin,list,create,read,delete";
|
defaultPermissions = "admin,list,create,read,delete";
|
||||||
secretKey = secKey;
|
secretKey = secKey;
|
||||||
@ -33,17 +36,25 @@ in {
|
|||||||
|
|
||||||
external = {
|
external = {
|
||||||
nginx = {
|
nginx = {
|
||||||
server-names = [ "paste.krebsco.de" ];
|
server-names = [ ext-dom ];
|
||||||
|
ssl = {
|
||||||
|
enable = true;
|
||||||
|
certificate = "${acmepath}/${ext-dom}/fullchain.pem";
|
||||||
|
certificate_key = "${acmepath}/${ext-dom}/key.pem";
|
||||||
|
# these certs will be needed if acme has not yet created certificates:
|
||||||
|
#certificate = "${sec}/wildcard.krebsco.de.crt";
|
||||||
|
#certificate_key = "${sec}/wildcard.krebsco.de.key";
|
||||||
|
ciphers = "RC4:HIGH:!aNULL:!MD5" ;
|
||||||
|
};
|
||||||
|
locations = singleton ( nameValuePair "/.well-known/acme-challenge" ''
|
||||||
|
root ${acmechall}/${ext-dom}/;
|
||||||
|
'');
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
ssl_session_cache shared:SSL:1m;
|
ssl_session_cache shared:SSL:1m;
|
||||||
ssl_session_timeout 10m;
|
ssl_session_timeout 10m;
|
||||||
ssl_certificate ${sec}/wildcard.krebsco.de.crt;
|
|
||||||
ssl_certificate_key ${sec}/wildcard.krebsco.de.key;
|
|
||||||
ssl_verify_client off;
|
ssl_verify_client off;
|
||||||
proxy_ssl_session_reuse off;
|
proxy_ssl_session_reuse off;
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
if ($scheme = http){
|
if ($scheme = http){
|
||||||
return 301 https://$server_name$request_uri;
|
return 301 https://$server_name$request_uri;
|
||||||
}'';
|
}'';
|
||||||
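Review bot: The new `ciphers = "RC4:HIGH:!aNULL:!MD5"` puts RC4 first in server preference; RC4 is prohibited for TLS by RFC 7465, and since the inline `ssl_ciphers RC4:HIGH:!aNULL:!MD5;` it replaces had the same weakness, this is the moment to switch to something like `ciphers = "HIGH:!aNULL:!MD5:!RC4";` (or an ECDHE/AES-GCM-only list). The removed `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` and `ssl_prefer_server_ciphers on;` lines are not carried into the `ssl` block, so those settings now come from whatever the nginx module emits by default — confirm that it still sets `ssl_prefer_server_ciphers on`, otherwise the client's preference decides. A comment above the `ssl` block stating that protocol and cipher-order settings are delegated to the module would make that dependency visible.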
@ -53,4 +64,12 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
security.acme.certs."${ext-dom}" = {
|
||||||
|
email = "acme@syntax-fehler.de";
|
||||||
|
webroot = "${acmechall}/${ext-dom}/";
|
||||||
|
group = "nginx";
|
||||||
|
allowKeysForGroup = true;
|
||||||
|
postRun = "systemctl reload nginx.service";
|
||||||
|
extraDomains."${ext-dom}" = null ;
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
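Review bot: `extraDomains."${ext-dom}" = null ;` lists the same name the certificate is already keyed on (`security.acme.certs."${ext-dom}"`), so unless the module treats the attribute name and the primary domain differently this entry is redundant and can be dropped. `allowKeysForGroup = true` together with `group = "nginx"` makes the private key readable by every process in the nginx group, which is what the worker needs here; a one-line comment such as `# key must be group-readable so the nginx worker can load it` would keep a later reader from tightening it and breaking TLS.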
@ -17,7 +17,6 @@ with config.krebs.lib;
|
|||||||
krebs = {
|
krebs = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
dns.providers.siem = "hosts";
|
|
||||||
dns.providers.lan = "hosts";
|
dns.providers.lan = "hosts";
|
||||||
search-domain = "retiolum";
|
search-domain = "retiolum";
|
||||||
build = {
|
build = {
|
||||||
@ -25,7 +24,7 @@ with config.krebs.lib;
|
|||||||
source = let inherit (config.krebs.build) host user; in {
|
source = let inherit (config.krebs.build) host user; in {
|
||||||
nixpkgs.git = {
|
nixpkgs.git = {
|
||||||
url = https://github.com/nixos/nixpkgs;
|
url = https://github.com/nixos/nixpkgs;
|
||||||
ref = "0546a4a"; # stable @ 2016-06-11
|
ref = "125ffff"; # stable @ 2016-07-20
|
||||||
};
|
};
|
||||||
secrets.file =
|
secrets.file =
|
||||||
if getEnv "dummy_secrets" == "true"
|
if getEnv "dummy_secrets" == "true"
|
||||||
@ -67,7 +66,7 @@ with config.krebs.lib;
|
|||||||
startAgent = false;
|
startAgent = false;
|
||||||
};
|
};
|
||||||
services.openssh.enable = true;
|
services.openssh.enable = true;
|
||||||
nix.useChroot = true;
|
nix.useSandbox = true;
|
||||||
|
|
||||||
users.mutableUsers = false;
|
users.mutableUsers = false;
|
||||||
|
|
||||||
@ -171,4 +170,10 @@ with config.krebs.lib;
|
|||||||
consoleKeyMap = "us";
|
consoleKeyMap = "us";
|
||||||
defaultLocale = "en_US.UTF-8";
|
defaultLocale = "en_US.UTF-8";
|
||||||
};
|
};
|
||||||
|
# suppress chrome autit event messages
|
||||||
|
security.audit = {
|
||||||
|
rules = [
|
||||||
|
"-a task,never"
|
||||||
|
];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
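Review bot: `-a task,never` disables audit context creation for every newly created task, not only for chrome as the comment `# suppress chrome autit event messages` suggests, so other audit rules on this host stop producing events for processes started after the rule loads. If the aim is only to quiet the chrome messages, scope the rule or document the trade-off, e.g. `# chrome floods the audit log; this rule silences auditing for ALL new tasks`. The comment also has a typo: `autit` → `audit`.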
@ -8,10 +8,9 @@ with config.krebs.lib;
|
|||||||
kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
|
kernelModules = [ "kvm-intel" "acpi_call" "tpm-rng" ];
|
||||||
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
|
extraModulePackages = [ config.boot.kernelPackages.tp_smapi ];
|
||||||
};
|
};
|
||||||
|
hardware.opengl.extraPackages = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
|
||||||
services.xserver = {
|
services.xserver = {
|
||||||
videoDriver = "intel";
|
videoDriver = "intel";
|
||||||
vaapiDrivers = [ pkgs.vaapiIntel pkgs.vaapiVdpau ];
|
|
||||||
deviceSection = ''
|
deviceSection = ''
|
||||||
Option "AccelMethod" "sna"
|
Option "AccelMethod" "sna"
|
||||||
'';
|
'';
|
||||||
|
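--- /dev/null
+++ b/makefu/2configs/temp/share-samba.nix
@@ -0,0 +1,36 @@
+{config, ... }:{
+users.users.smbguest = {
+name = "smbguest";
+uid = config.ids.uids.smbguest;
+description = "smb guest user";
+home = "/var/empty";
+};
+
+networking.firewall.allowedTCPPorts = [
+139 445 # samba
+];
+
+networking.firewall.allowedUDPPorts = [
+137 138
+];
+services.samba = {
+enable = true;
+shares = {
+share-home = {
+path = "/home/share/";
+"read only" = "no";
+browseable = "yes";
+"guest ok" = "yes";
+};
+};
+extraConfig = ''
+guest account = smbguest
+map to guest = bad user
+# disable printing
+load printers = no
+printing = bsd
+printcap name = /dev/null
+disable spoolss = yes
+'';
+};
+}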
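Review bot: The new share exposes `/home/share/` with `"guest ok" = "yes"` and `"read only" = "no"`, and the firewall rules open 139/445 and 137/138 on every interface, so any host that can reach the machine gets anonymous write access; the vbob hunk in this commit imports this file, and vbob also runs a VPN client, so the share is reachable from that side as well. Restrict the firewall rules to the LAN interface or prefix, and consider `"read only" = "yes"` unless anonymous uploads are intended. `map to guest = bad user` maps unknown usernames silently to `smbguest`; a comment above the share stating that anonymous writes are deliberate would make the intent clear to the next reader.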
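--- /dev/null
+++ b/makefu/2configs/tinc/retiolum.nix
@@ -0,0 +1,4 @@
+_:
+{
+krebs.tinc.retiolum.enable = true;
+}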
@ -2,20 +2,22 @@
|
|||||||
|
|
||||||
let
|
let
|
||||||
mainUser = config.krebs.build.user;
|
mainUser = config.krebs.build.user;
|
||||||
version = "5.0.20";
|
vboxguestpkg = lib.stdenv.mkDerivation rec {
|
||||||
rev = "106931";
|
name = "Virtualbox-Extensions-${version}-${rev}";
|
||||||
vboxguestpkg = pkgs.fetchurl {
|
version = "5.0.20";
|
||||||
|
rev = "106931";
|
||||||
|
src = pkgs.fetchurl {
|
||||||
url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack";
|
url = "http://download.virtualbox.org/virtualbox/${version}/Oracle_VM_VirtualBox_Extension_Pack-${version}-${rev}.vbox-extpack";
|
||||||
sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf";
|
sha256 = "1dc70x2m7x266zzw5vw36mxqj7xykkbk357fc77f9zrv4lylzvaf";
|
||||||
};
|
};
|
||||||
|
};
|
||||||
in {
|
in {
|
||||||
#inherit vboxguestpkg;
|
|
||||||
virtualisation.virtualbox.host.enable = true;
|
virtualisation.virtualbox.host.enable = true;
|
||||||
nixpkgs.config.virtualbox.enableExtensionPack = true;
|
nixpkgs.config.virtualbox.enableExtensionPack = true;
|
||||||
|
|
||||||
users.extraGroups.vboxusers.members = [ "${mainUser.name}" ];
|
users.extraGroups.vboxusers.members = [ "${mainUser.name}" ];
|
||||||
nixpkgs.config.packageOverrides = super: {
|
nixpkgs.config.packageOverrides = super: {
|
||||||
boot.kernelPackages = super.boot.kernelPackages.virtualbox.override {
|
boot.kernelPackages.virtualbox = super.boot.kernelPackages.virtualbox.override {
|
||||||
buildInputs = super.boot.kernelPackages.virtualBox.buildInputs
|
buildInputs = super.boot.kernelPackages.virtualBox.buildInputs
|
||||||
++ [ vboxguestpkg ];
|
++ [ vboxguestpkg ];
|
||||||
};
|
};
|
||||||
|
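Review bot: `vboxguestpkg = lib.stdenv.mkDerivation rec { ... }` reaches `stdenv` through `lib`, and the nixpkgs `lib` set has no `stdenv` attribute, so this fails to evaluate unless `lib` is bound to something else at the top of the file (outside the hunk); `pkgs.stdenv.mkDerivation` is the usual spelling. The derivation supplies only `src` and no install phase, so what lands in `$out` for the `buildInputs = ... ++ [ vboxguestpkg ]` line depends on stdenv's default phases handling a `.vbox-extpack`; a comment stating what the derivation is expected to produce, or an explicit `installPhase`, would make the intent checkable. The unchanged `super.boot.kernelPackages.virtualBox` (capital B) next to the new `boot.kernelPackages.virtualbox` assignment looks like an inconsistency worth a look.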
@ -22,15 +22,11 @@ in
|
|||||||
bindkey "\e[3~" delete-char
|
bindkey "\e[3~" delete-char
|
||||||
zstyle ':completion:*' menu select
|
zstyle ':completion:*' menu select
|
||||||
|
|
||||||
# load gpg-agent
|
gpg-connect-agent updatestartuptty /bye >/dev/null
|
||||||
envfile="$HOME/.gnupg/gpg-agent.env"
|
GPG_TTY=$(tty)
|
||||||
if [ -e "$envfile" ] && kill -0 $(grep GPG_AGENT_INFO "$envfile" | cut -d: -f 2) 2>/dev/null; then
|
export GPG_TTY
|
||||||
eval "$(cat "$envfile")"
|
unset SSH_AGENT_PID
|
||||||
else
|
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
|
||||||
eval "$(${pkgs.gnupg}/bin/gpg-agent --daemon --enable-ssh-support --write-env-file "$envfile")"
|
|
||||||
fi
|
|
||||||
export GPG_AGENT_INFO
|
|
||||||
export SSH_AUTH_SOCK
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
promptInit = ''
|
promptInit = ''
|
||||||
|
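Review bot: `gpg-connect-agent updatestartuptty /bye` runs before `GPG_TTY=$(tty)` is set and exported, so if the agent takes the tty from that variable the update uses whatever was in the environment before the shell started; moving the two `GPG_TTY` lines above the call avoids that. `export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"` hard-codes the socket path that gnupg 2.1 chooses; where available, `gpgconf --list-dirs agent-ssh-socket` returns it and follows changes in gnupg's layout. A short comment such as `# gpg-agent (2.1) provides the ssh agent socket; no separate ssh-agent` above the block would explain why `SSH_AGENT_PID` is unset here.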
@ -19,7 +19,6 @@ in
|
|||||||
skytraq-logger = callPackage ./skytraq-logger {};
|
skytraq-logger = callPackage ./skytraq-logger {};
|
||||||
taskserver = callPackage ./taskserver {};
|
taskserver = callPackage ./taskserver {};
|
||||||
ps3netsrv = callPackage ./ps3netsrv {};
|
ps3netsrv = callPackage ./ps3netsrv {};
|
||||||
honeyd = callPackage ./honeyd {};
|
|
||||||
farpd = callPackage ./farpd {};
|
farpd = callPackage ./farpd {};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -8,7 +8,7 @@ let
|
|||||||
url = "https://pypi.python.org/packages/source/e/execnet/${name}.tar.gz";
|
url = "https://pypi.python.org/packages/source/e/execnet/${name}.tar.gz";
|
||||||
sha256 = "1rpk1vyclhg911p3hql0m0nrpq7q7mysxnaaw6vs29cpa6kx8vgn";
|
sha256 = "1rpk1vyclhg911p3hql0m0nrpq7q7mysxnaaw6vs29cpa6kx8vgn";
|
||||||
};
|
};
|
||||||
|
doCheck = false; # http://prism:8010/builders/build-all/builds/177/steps/build-vbob/logs/stdio
|
||||||
propagatedBuildInputs = with pkgs.python3Packages;
|
propagatedBuildInputs = with pkgs.python3Packages;
|
||||||
[ setuptools_scm apipkg ];
|
[ setuptools_scm apipkg ];
|
||||||
meta = {
|
meta = {
|
||||||
|
@ -1,62 +0,0 @@
|
|||||||
{ stdenv, lib, pkgs, fetchurl,fetchFromGitHub,
|
|
||||||
libpcap, libdnet, libevent, readline, autoconf, automake, libtool, zlib, pcre,
|
|
||||||
... }:
|
|
||||||
stdenv.mkDerivation rec {
|
|
||||||
name = "honeyd-${version}";
|
|
||||||
|
|
||||||
#version = "1.5c"; #original, does not compile due to libc errors
|
|
||||||
#src = fetchurl {
|
|
||||||
# url = "http://www.honeyd.org/uploads/honeyd-${version}.tar.gz";
|
|
||||||
# sha256 = "0vcih16fk5pir5ssfil8x79nvi62faw0xvk8s5klnysv111db1ii";
|
|
||||||
#};
|
|
||||||
|
|
||||||
#version = "64d087c"; # honeyd-1.6.7
|
|
||||||
# sha256 = "0zhnn13r24y1q494xcfx64vyp84zqk8qmsl41fq2674230bn0p31";
|
|
||||||
|
|
||||||
version = "c135fea08"; #nova-13.09
|
|
||||||
src = fetchFromGitHub {
|
|
||||||
owner = "DataSoft";
|
|
||||||
repo = "honeyd";
|
|
||||||
rev = version;
|
|
||||||
sha256 = "1r9qds7a1yp3nkccwh3isrizpr2njhpf1m6qp3lqkj0i9c4w6x44";
|
|
||||||
};
|
|
||||||
|
|
||||||
buildInputs = with pkgs;[
|
|
||||||
automake
|
|
||||||
gnugrep
|
|
||||||
libpcap
|
|
||||||
libdnet
|
|
||||||
pcre
|
|
||||||
libevent
|
|
||||||
readline
|
|
||||||
autoconf
|
|
||||||
libtool
|
|
||||||
zlib
|
|
||||||
coreutils
|
|
||||||
python
|
|
||||||
pythonPackages.sqlite3
|
|
||||||
];
|
|
||||||
patches = [ ./fix-autogen.patch ];
|
|
||||||
|
|
||||||
# removes user install script from Makefile before automake
|
|
||||||
preConfigure = ''
|
|
||||||
sed -i '/init.py$/d' Makefile.am
|
|
||||||
sh ./autogen.sh
|
|
||||||
'';
|
|
||||||
|
|
||||||
makeFlags = [ "LIBS=-lz" ];
|
|
||||||
configureFlags = [
|
|
||||||
"--with-libpcap=${libpcap}"
|
|
||||||
"--with-libevent=${libevent}"
|
|
||||||
"--with-zlib=${zlib}"
|
|
||||||
"--with-python"
|
|
||||||
"--with-libpcre=${pcre}"
|
|
||||||
"--with-libreadline=${readline}"
|
|
||||||
];
|
|
||||||
|
|
||||||
meta = {
|
|
||||||
homepage = http://www.honeyd.org/;
|
|
||||||
description = "virtual Honeypots";
|
|
||||||
license = lib.licenses.gpl2;
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,42 +0,0 @@
|
|||||||
--- ./configure.in 2016-06-27 18:36:06.640779048 +0200
|
|
||||||
+++ ./configure.in 2016-06-27 18:34:53.968803854 +0200
|
|
||||||
@@ -119,11 +119,11 @@
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
AC_MSG_RESULT($withval)
|
|
||||||
- if test -f $withval/pcap.h -a -f $withval/libpcap.a; then
|
|
||||||
+ if test -f $withval/include/pcap.h -a -f $withval/lib/libpcap.so; then
|
|
||||||
owd=`pwd`
|
|
||||||
if cd $withval; then withval=`pwd`; cd $owd; fi
|
|
||||||
- PCAPINC="-I$withval -I$withval/bpf"
|
|
||||||
- PCAPLIB="-L$withval -lpcap"
|
|
||||||
+ PCAPINC="-I$withval/include -I$withval/include/bpf"
|
|
||||||
+ PCAPLIB="-L$withval/lib -lpcap"
|
|
||||||
else
|
|
||||||
AC_ERROR(pcap.h or libpcap.a not found in $withval)
|
|
||||||
fi
|
|
||||||
@@ -230,7 +230,7 @@
|
|
||||||
if cd $withval; then withval=`pwd`; cd $owd; fi
|
|
||||||
EVENTINC="-I$withval"
|
|
||||||
EVENTLIB="-L$withval -levent"
|
|
||||||
- elif test -f $withval/include/event.h -a -f $withval/lib/libevent.a; then
|
|
||||||
+ elif test -f $withval/include/event.h -a -f $withval/lib/libevent.so; then
|
|
||||||
owd=`pwd`
|
|
||||||
if cd $withval; then withval=`pwd`; cd $owd; fi
|
|
||||||
EVENTINC="-I$withval/include"
|
|
||||||
@@ -354,12 +354,12 @@
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
AC_MSG_RESULT($withval)
|
|
||||||
- if test -f $withval/readline/readline.h -a -f $withval/libreadline.a; then
|
|
||||||
+ if test -f $withval/include/readline/readline.h -o -f $withval/lib/libreadline.so; then
|
|
||||||
owd=`pwd`
|
|
||||||
if cd $withval; then withval=`pwd`; cd $owd; fi
|
|
||||||
AC_DEFINE(HAVE_LIBREADLINE, 1, [Define if you have libreadline])
|
|
||||||
- EDITINC="-I$withval"
|
|
||||||
- EDITLIB="-L$withval -lreadline"
|
|
||||||
+ EDITINC="-I$withval/include"
|
|
||||||
+ EDITLIB="-L$withval/lib -lreadline"
|
|
||||||
else
|
|
||||||
AC_ERROR(readline/readline.h or libreadline.a not found in $withval)
|
|
||||||
fi
|
|
@ -38,7 +38,7 @@ in {
|
|||||||
};
|
};
|
||||||
nginx.enable = true;
|
nginx.enable = true;
|
||||||
realwallpaper.enable = true;
|
realwallpaper.enable = true;
|
||||||
retiolum.enable = true;
|
tinc.retiolum.enable = true;
|
||||||
retiolum-bootstrap.enable = true;
|
retiolum-bootstrap.enable = true;
|
||||||
tinc_graphs.enable = true;
|
tinc_graphs.enable = true;
|
||||||
urlwatch.enable = true;
|
urlwatch.enable = true;
|
||||||
|
@ -15,14 +15,14 @@ in
|
|||||||
../2configs/shared-buildbot.nix
|
../2configs/shared-buildbot.nix
|
||||||
../2configs/cgit-mirror.nix
|
../2configs/cgit-mirror.nix
|
||||||
../2configs/repo-sync.nix
|
../2configs/repo-sync.nix
|
||||||
# ../2configs/graphite.nix
|
../2configs/graphite.nix
|
||||||
];
|
];
|
||||||
# use your own binary cache, fallback use cache.nixos.org (which is used by
|
# use your own binary cache, fallback use cache.nixos.org (which is used by
|
||||||
# apt-cacher-ng in first place)
|
# apt-cacher-ng in first place)
|
||||||
|
|
||||||
# local discovery in shackspace
|
# local discovery in shackspace
|
||||||
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
|
nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; };
|
||||||
krebs.retiolum.extraConfig = "TCPOnly = yes";
|
krebs.tinc.retiolum.extraConfig = "TCPOnly = yes";
|
||||||
services.grafana = {
|
services.grafana = {
|
||||||
enable = true;
|
enable = true;
|
||||||
addr = "0.0.0.0";
|
addr = "0.0.0.0";
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
with config.krebs.lib;
|
with config.krebs.lib;
|
||||||
{
|
{
|
||||||
krebs.enable = true;
|
krebs.enable = true;
|
||||||
krebs.retiolum.enable = true;
|
krebs.tinc.retiolum.enable = true;
|
||||||
|
|
||||||
# TODO rename shared user to "krebs"
|
# TODO rename shared user to "krebs"
|
||||||
krebs.build.user = mkDefault config.krebs.users.shared;
|
krebs.build.user = mkDefault config.krebs.users.shared;
|
||||||
|
@ -17,7 +17,7 @@ with lib;
|
|||||||
mirror.url = mirror;
|
mirror.url = mirror;
|
||||||
};
|
};
|
||||||
lassulus = {
|
lassulus = {
|
||||||
origin.url = http://cgit.cloudkrebs/stockholm ;
|
origin.url = http://cgit.prism/stockholm ;
|
||||||
mirror.url = mirror;
|
mirror.url = mirror;
|
||||||
};
|
};
|
||||||
"@latest" = {
|
"@latest" = {
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
with config.krebs.lib;
|
with config.krebs.lib;
|
||||||
|
|
||||||
{
|
{
|
||||||
krebs.retiolum = {
|
krebs.tinc.retiolum = {
|
||||||
enable = true;
|
enable = true;
|
||||||
connectTo = filter (ne config.krebs.build.host.name) [
|
connectTo = filter (ne config.krebs.build.host.name) [
|
||||||
"gum"
|
"gum"
|
||||||
|