From e205e09a20c0ad310e7397d8e4fd69f13259050c Mon Sep 17 00:00:00 2001
From: lassulus
Date: Wed, 28 Dec 2016 12:41:54 +0100
Subject: [PATCH 01/10] l 2 tests dummy-secrets: add grafana security
---
 lass/2configs/tests/dummy-secrets/grafana_security.nix | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 lass/2configs/tests/dummy-secrets/grafana_security.nix
diff --git a/lass/2configs/tests/dummy-secrets/grafana_security.nix b/lass/2configs/tests/dummy-secrets/grafana_security.nix
new file mode 100644
index 000000000..ef75d4e0f
--- /dev/null
+++ b/lass/2configs/tests/dummy-secrets/grafana_security.nix
@@ -0,0 +1,4 @@
+{
+ adminUser = "bla";
+ adminPassword = "blub";
+}
From 9d3e73b66ab4cb42939c414c3e8dedad8c1f035b Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 28 Dec 2016 18:13:14 +0100
Subject: [PATCH 02/10] m 2 elchos: update irc-token
---
 makefu/2configs/elchos/irc-token.nix | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/makefu/2configs/elchos/irc-token.nix b/makefu/2configs/elchos/irc-token.nix
index 3f3c4ffc3..a91223b28 100644
--- a/makefu/2configs/elchos/irc-token.nix
+++ b/makefu/2configs/elchos/irc-token.nix
@@ -3,19 +3,20 @@ with import ;
 let
 secret = (import );
 in {
- systemd.services.elchos-irctoken = {
- startAt = "*:0/30";
+ systemd.services.elchos-irctoken2 = {
+ startAt = "*:0/5";
 serviceConfig = {
 RuntimeMaxSec = "20";
 };
 script = ''
 set -euf
 now=$(date -u +%Y-%m-%dT%H:%M)
- sec=$(echo -n "${secret}$now" | md5sum | cut -d\ -f1)
- message="The secret valid for 30 minutes is $sec"
- echo "token for $now (UTC) is $sec"
+ sleep 5
+ sec=$(cat /tmp/irc-secret)
+ message="The current secret is $sec"
+ echo "$message"
 LOGNAME=sec-announcer
- HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --static)
+ HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --transient)
 IRC_SERVER=irc.freenode.net
 IRC_PORT=6667
 IRC_NICK=$HOSTNAME-$$ 
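Review bot: `sec=$(cat /tmp/irc-secret)` announces whatever sits at a path inside the world-writable /tmp, so a local user who creates /tmp/irc-secret before elchos-create-token first runs — or who already owns it, since the writer's `>` truncates an existing file without changing its owner — decides which token is posted to the channel. The `sleep 5` also only guesses that the writer has finished on the :00/:30 runs; reading from a root-only directory such as `/run/elchos-irc/secret` (created by a tmpfiles rule) together with `after = [ "elchos-create-token.service" ];` on this unit would make both the trust boundary and the ordering explicit. Note that with `set -euf` the first run before the writer has ever produced the file simply fails, which is probably fine but worth a comment. The IRC session part of `script` continues outside the hunk.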
@@ -59,4 +60,18 @@ in {
 | ${pkgs.netcat}/bin/netcat "$IRC_SERVER" "$IRC_PORT" |tee -a ircin
 '';
 };
+ systemd.services.elchos-create-token = {
+ startAt = "*:0/30";
+ serviceConfig = {
+ RuntimeMaxSec = "20";
+ };
+ script = ''
+ set -euf
+ now=$(date -u +%Y-%m-%dT%H:%M)
+ sec=$(echo -n "${secret}$now" | md5sum | cut -d\ -f1)
+ message="The secret valid for 30 minutes is $sec"
+ echo -n "$sec" > /tmp/irc-secret
+ echo "token for $now (UTC) is $sec"
+ '';
+ };
 }
From 4fcc9718c99b403bd11398c89ae2f0c81ddd9ac8 Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 28 Dec 2016 18:13:50 +0100
Subject: [PATCH 03/10] m 2 elchos/stats: trigger for all hosts
---
 makefu/2configs/elchos/stats.nix | 59 ++++++++++++++++++++++++++++++--
 1 file changed, 56 insertions(+), 3 deletions(-)
diff --git a/makefu/2configs/elchos/stats.nix b/makefu/2configs/elchos/stats.nix
index b6133205f..feb8c5bae 100644
--- a/makefu/2configs/elchos/stats.nix
+++ b/makefu/2configs/elchos/stats.nix
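Review bot: `echo -n "$sec" > /tmp/irc-secret` runs as root (there is no `User=` in serviceConfig) into a directory every local account can create files in, so the path may already exist and belong to someone else when the unit first writes it; a directory only this unit controls, e.g. `systemd.tmpfiles.rules = [ "d /run/elchos-irc 0700 root root -" ];` plus `echo -n "$sec" > /run/elchos-irc/secret`, removes that exposure and also keeps the token from being readable by other local users. `message=` is assigned here but never used, so either drop it or print it in place of the `echo "token for ..."` line. The `md5sum` of `${secret}$now` is moved rather than new, but `now` is a predictable minute timestamp, so a short secret could be recovered offline from a few announced tokens; when this is next touched, `openssl dgst -sha256 -hmac "$secret"` over `$now` (or simply a long random secret) is the cheaper construction.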
@@ -39,8 +39,57 @@ with import ;
 };
 services.graphite = {
- api = {
+ beacon = {
 enable = true;
+ config = {
+ graphite_url = "http://localhost:18080";
+
+ no_data = "critical";
+ loading_error = "normal";
+
+ prefix = "[elchos]";
+
+ cli = {
+ command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 alert0r \#elchos ' [elchos] ''${level} ''${name} ''${value}' '';
+ };
+ #smtp = {
+ # from = "beacon@mors.r";
+ # to = [
+ # "lass@mors.r"
+ # ];
+ #};
+ normal_handlers = [
+ # "smtp"
+ "cli"
+ ];
+ warning_handlers = [
+ # "smtp"
+ "cli"
+ ];
+ critical_handlers = [
+ # "smtp"
+ "cli"
+ ];
+ alerts = let
+ high-load = hostid: let
+ host = "elch-${toString hostid}"; in {
+ name = "high-cpu-load-${host}";
+ query = "aliasByNode(perSecond(elchos.${host}.cpu.0.cpu.idle),1)";
+ method = "average";
+ interval = "1minute";
+ logging = "info";
+ repeat_interval = "5minute";
+ rules = [
+ # "warning: < 30.0"
+ "critical: < 1.0"
+ ];
+ };
+ in map high-load [ 1 2 3 4 5 6 7 8 ];
+ };
+ };
+ api = {
+ enable = true;
+ package = pkgs.graphiteApi;
 listenAddress = "127.0.0.1";
 port = 18080;
 };
@@ -50,8 +99,8 @@ with import ;
 config = ''
 [cache]
 MAX_CACHE_SIZE = inf
- MAX_UPDATES_PER_SECOND = 1
- MAX_CREATES_PER_MINUTE = 500
+ MAX_UPDATES_PER_SECOND = 10
+ MAX_CREATES_PER_MINUTE = 5000
 '';
 storageSchemas = ''
 [carbon]
@@ -62,6 +111,10 @@ with import ;
 patterhn = ^elchos\.
 retentions = 10s:30d,60s:3y
+
+ [default]
+ pattern = ^krebs\.
+ retentions = 1s:30d,30s:3m,300s:1y
 [default]
 pattern = .*
 retentions = 30s:30d,300s:1y
From 9edef0af0fe067cf31f26181b2745076c9767901 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 29 Dec 2016 18:13:01 +0100
Subject: [PATCH 04/10] l 1 icarus: import games
---
 lass/1systems/icarus.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lass/1systems/icarus.nix b/lass/1systems/icarus.nix
index 9a6654648..3998fc177 100644
--- a/lass/1systems/icarus.nix
+++ b/lass/1systems/icarus.nix
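Review bot: `rules = [ "critical: < 1.0" ]` on `perSecond(elchos.<host>.cpu.0.cpu.idle)` is only readable if one already knows what that rate means, and the name `high-cpu-load` invites reading it as a load-average check; a comment above `query` such as `# cpu.idle is a counter (collectd cpu plugin, jiffies by default — confirm); perSecond() makes it ~idle% of core 0, so < 1.0 means core 0 is saturated; other cores are not watched` would settle that. `no_data = "critical"` means a host that stops reporting is also posted to #elchos every `repeat_interval`, which is probably wanted but deserves a word next to it. If graphite-beacon executes `cli.command` through a shell, the substituted `${name}`/`${value}` are shell-interpolated; both come from this file and from graphite numbers, so this is fine as long as alert names never become user-supplied.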
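Review bot: The new section named `[default]` with `pattern = ^krebs\.` reuses the name of the catch-all `[default]` section right after it; carbon loads storage-schemas.conf through ConfigParser, where a duplicate section is either silently merged into the later one (Python 2, so the krebs retentions are lost and `.*` wins) or rejected with DuplicateSectionError (Python 3), so rename it to `[krebs]`. The context line `patterhn = ^elchos\.` is a pre-existing typo that leaves the elchos section without a `pattern` key, so that schema never matches either and is worth fixing in the same place. `1s:30d` stores about 2.6 million points (~31 MB at 12 bytes each) per whisper file, and together with `MAX_CREATES_PER_MINUTE = 5000` from the previous hunk an unauthenticated carbon listener could fill the disk quickly; I cannot see from here whether the listener is reachable, so please confirm it is local-only.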
@@ -13,6 +13,7 @@ with import ;
 ../2configs/programs.nix
 ../2configs/fetchWallpaper.nix
 ../2configs/backups.nix
+ ../2configs/games.nix
 #{
 # users.extraUsers = {
 # root = {
From 543365d2d727b0175f87008bdefbdd35c418255a Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 29 Dec 2016 18:13:21 +0100
Subject: [PATCH 05/10] l 1 mors: remove obsolete powertop activations
---
 lass/1systems/mors.nix | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 3498f662b..012bd359f 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -307,20 +307,16 @@ with import ;
 #Runtime PMs
 echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
- echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
- echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
- echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
- echo 'auto' > '/sys/bus/pci/devices/0000:00:16.3/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
 echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
 '';
From d5e88676b24f7d14420ba836741b00972049e614 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 29 Dec 2016 18:13:46 +0100
Subject: [PATCH 06/10] l 2: add icarus to authorizedKeys
---
 lass/2configs/default.nix | 2 ++
 1 file changed, 2 insertions(+)
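Review bot: Importing `../2configs/games.nix` onto icarus also brings in the rule visible in patch 10's context, `${mainUser.name} ALL=(games) NOPASSWD: ALL`, so the main user gains passwordless sudo to the games account on this machine as a side effect of a one-line import. If that is intended, a short comment next to the import, `# games.nix also grants mainUser NOPASSWD sudo to the games user`, records it where the next reader will look. The imports list continues outside the hunk.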
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 900dd36b3..6fea97728 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -22,6 +22,7 @@ with import ;
 openssh.authorizedKeys.keys = [
 config.krebs.users.lass.pubkey
 config.krebs.users.lass-shodan.pubkey
+ config.krebs.users.lass-icarus.pubkey
 ];
 };
 mainUser = {
@@ -38,6 +39,7 @@ with import ;
 openssh.authorizedKeys.keys = [
 config.krebs.users.lass.pubkey
 config.krebs.users.lass-shodan.pubkey
+ config.krebs.users.lass-icarus.pubkey
 ];
 };
 };
From ecc89618f8fc127ea4e51cfd56858d30c381eabb Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 29 Dec 2016 18:14:02 +0100
Subject: [PATCH 07/10] l 2 websites fritz: also enable nginx
---
 lass/2configs/websites/fritz.nix | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index f9035dd13..00e987116 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -23,6 +23,9 @@ let
 '';
 in {
+
+ services.nginx.enable = true;
+
 imports = [
 ./sqlBackup.nix
From 88c6a1ddc699e92142d32051381ca843d037a60c Mon Sep 17 00:00:00 2001
From: lassulus
Date: Thu, 29 Dec 2016 18:15:41 +0100
Subject: [PATCH 08/10] l: add & import makefu-sip config
---
 lass/1systems/prism.nix | 1 +
 lass/2configs/makefu-sip.nix | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 lass/2configs/makefu-sip.nix
diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix
index 39026d102..854c98f46 100644
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@@ -26,6 +26,7 @@ in {
 ../2configs/iodined.nix
 ../2configs/libvirt.nix
 ../2configs/hfos.nix
+ ../2configs/makefu-sip.nix
 {
 users.extraGroups = {
 # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
diff --git a/lass/2configs/makefu-sip.nix b/lass/2configs/makefu-sip.nix
new file mode 100644
index 000000000..9d2e9b696
--- /dev/null
+++ b/lass/2configs/makefu-sip.nix
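Review bot: The icarus key is added to both authorizedKeys lists, and the first block (its owner line is above the hunk; from the following `mainUser = {` it is presumably the root account) gives that key root login on every host that imports default.nix. Icarus is a workstation that in this same series also receives games.nix and a system-wide PulseAudio, so consider whether it needs a root-everywhere key or whether the mainUser entry alone would do. A comment naming the device class per key, e.g. `# lass-icarus: laptop — root on all hosts`, would also make later key rotation easier.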
@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+
+with import ;
+{
+ users.users.makefu = {
+ uid = genid "makefu";
+ isNormalUser = true;
+ extraGroups = [ "libvirtd" ];
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.makefu.pubkey
+ ];
+ };
+
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 10022"; target = "DNAT --to-destination 192.168.122.136:22"; }
+ ];
+
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.136 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+ ];
+}
From e541818517e6f9e3932108ce1bcf21995bf3b7c3 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 2 Jan 2017 20:08:18 +0100
Subject: [PATCH 09/10] l 2 baseX: remove pulse.nix and use pulseaudio
---
 lass/2configs/baseX.nix | 7 ++-
 lass/2configs/pulse.nix | 96 -----------------------------------------
 2 files changed, 6 insertions(+), 97 deletions(-)
 delete mode 100644 lass/2configs/pulse.nix
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index e98f382e3..1e796015a 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -7,7 +7,12 @@ in {
 ./xserver
 ./mpv.nix
 ./power-action.nix
- ./pulse.nix
+ {
+ hardware.pulseaudio = {
+ enable = true;
+ systemWide = true;
+ };
+ }
 ];
 users.extraUsers.mainUser.extraGroups = [ "audio" "video" ];
diff --git a/lass/2configs/pulse.nix b/lass/2configs/pulse.nix
deleted file mode 100644
index 55efaea13..000000000
--- a/lass/2configs/pulse.nix
+++ /dev/null
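Review bot: `extraGroups = [ "libvirtd" ];` is commonly treated as root-equivalent on the host, since libvirtd group members can define domains whose disks point at arbitrary host files, so this grants makefu considerably more than the normal-user account and SSH key suggest; if the goal is only to reach the VM on port 10022, the DNAT rule alone does that and the group membership can go, or be kept with a comment stating it is deliberate. `192.168.122.136` sits in libvirt's default DHCP range, so the forward silently stops working if the guest's lease changes; pin it with a static host entry in the libvirt network, or at least add `# guest address is a DHCP lease — keep a MAC reservation in the libvirt network`. The DNAT predicate matches on destination address only; adding the WAN interface (`-i <wan-iface>`) would keep traffic originating on the VM bridge from being rewritten too, although that may not matter here. The FORWARD rule covers the inbound direction; I cannot see whether krebs.iptables supplies the ESTABLISHED,RELATED rule for the return path, so please confirm.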
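Review bot: `systemWide = true;` runs PulseAudio as a single root-launched system daemon shared by every member of the `audio` group (mainUser joins it in the context line below), a mode upstream's own documentation discourages for desktops because any audio-group process can capture what other users play; since this replaces the dedicated pulse user and `auth-anonymous=1` socket from pulse.nix, a why-comment such as `# system-wide so the daemon outlives X sessions; all audio-group members share it` would record the trade-off. The deleted pulse.nix also set `flat-volumes = no` and `exit-idle-time=-1`; check that the NixOS module's daemon defaults cover those before relying on the plain `enable = true;`. The enclosing attribute set continues outside the hunk.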
@@ -1,96 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import ;
-let
- pkg = pkgs.pulseaudioLight;
- runDir = "/run/pulse";
-
- alsaConf = pkgs.writeText "asound.conf" ''
- ctl_type.pulse {
- libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;
- }
- pcm_type.pulse {
- libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;
- }
- ctl.!default {
- type pulse
- }
- pcm.!default {
- type pulse
- }
- '';
-
- clientConf = pkgs.writeText "client.conf" ''
- autospawn=no
- default-server = unix:${runDir}/socket
- '';
-
- daemonConf = pkgs.writeText "daemon.conf" ''
- exit-idle-time=-1
- flat-volumes = no
- default-fragments = 4
- default-fragment-size-msec = 25
- '';
-
- configFile = pkgs.writeText "default.pa" ''
- .include ${pkg}/etc/pulse/default.pa
- load-module ${toString [
- "module-native-protocol-unix"
- "auth-anonymous=1"
- "socket=${runDir}/socket"
- ]}
- '';
-in
-
-{
- environment = {
- etc = {
- "asound.conf".source = alsaConf;
- # XXX mkForce is not strong enough (and neither is mkOverride) to create
- # /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
- #"pulse/client.conf" = mkForce { source = clientConf; };
- #"pulse/client.conf".source = mkForce clientConf;
- "pulse/default.pa".source = configFile;
- "pulse/daemon.pa".source = daemonConf;
- };
- systemPackages = [
- pkg
- ] ++ optionals config.services.xserver.enable [
- pkgs.pavucontrol
- ];
- };
-
- # Allow PulseAudio to get realtime priority using rtkit.
- security.rtkit.enable = true;
-
- system.activationScripts.pulseaudio-hack = ''
- ln -fns ${clientConf} /etc/pulse/client.conf
- '';
-
- systemd.services.pulse = {
- wantedBy = [ "sound.target" ];
- before = [ "sound.target" ];
- environment = {
- PULSE_RUNTIME_PATH = "${runDir}/home";
- };
- serviceConfig = {
- ExecStart = "${pkg}/bin/pulseaudio";
- ExecStartPre = pkgs.writeDash "pulse-start" ''
- install -o pulse -g audio -m 0750 -d ${runDir}
- install -o pulse -g audio -m 0700 -d ${runDir}/home
- '';
- PermissionsStartOnly = "true";
- User = "pulse";
- };
- };
-
- users = {
- groups.pulse.gid = config.users.users.pulse.uid;
- users.pulse = {
- uid = genid "pulse";
- group = "pulse";
- extraGroups = [ "audio" ];
- home = "${runDir}/home";
- };
- };
-}
From 2e9d5f604c32c9c938a90c3211d5b7726d17f9ee Mon Sep 17 00:00:00 2001
From: lassulus
Date: Mon, 2 Jan 2017 20:10:05 +0100
Subject: [PATCH 10/10] l 2 games: add 32bit support for pulseaudio
---
 lass/2configs/games.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/lass/2configs/games.nix b/lass/2configs/games.nix
index e7c7de938..1bcb8c676 100644
--- a/lass/2configs/games.nix
+++ b/lass/2configs/games.nix
@@ -51,6 +51,8 @@ in {
 };
 };
+ hardware.pulseaudio.support32Bit = true;
+
 security.sudo.extraConfig = ''
 ${mainUser.name} ALL=(games) NOPASSWD: ALL
 '';