Merge remote-tracking branch 'prism/lassulus'
commit
62372f917e
@ -13,6 +13,7 @@ with import <stockholm/lib>;
|
|||||||
../2configs/programs.nix
|
../2configs/programs.nix
|
||||||
../2configs/fetchWallpaper.nix
|
../2configs/fetchWallpaper.nix
|
||||||
../2configs/backups.nix
|
../2configs/backups.nix
|
||||||
|
../2configs/games.nix
|
||||||
#{
|
#{
|
||||||
# users.extraUsers = {
|
# users.extraUsers = {
|
||||||
# root = {
|
# root = {
|
||||||
|
@ -307,20 +307,16 @@ with import <stockholm/lib>;
|
|||||||
|
|
||||||
#Runtime PMs
|
#Runtime PMs
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:02.0/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:16.0/power/control'
|
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:00.0/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:03:00.0/power/control'
|
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.3/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.2/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:1f.0/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:1d.0/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.3/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:0d:00.0/power/control'
|
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.0/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:1b.0/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:1a.0/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:19.0/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:16.3/power/control'
|
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.1/power/control'
|
||||||
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
|
echo 'auto' > '/sys/bus/pci/devices/0000:00:1c.4/power/control'
|
||||||
'';
|
'';
|
||||||
|
@ -26,6 +26,7 @@ in {
|
|||||||
../2configs/iodined.nix
|
../2configs/iodined.nix
|
||||||
../2configs/libvirt.nix
|
../2configs/libvirt.nix
|
||||||
../2configs/hfos.nix
|
../2configs/hfos.nix
|
||||||
|
../2configs/makefu-sip.nix
|
||||||
{
|
{
|
||||||
users.extraGroups = {
|
users.extraGroups = {
|
||||||
# ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
|
# ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
|
||||||
|
@ -7,7 +7,12 @@ in {
|
|||||||
./xserver
|
./xserver
|
||||||
./mpv.nix
|
./mpv.nix
|
||||||
./power-action.nix
|
./power-action.nix
|
||||||
./pulse.nix
|
{
|
||||||
|
hardware.pulseaudio = {
|
||||||
|
enable = true;
|
||||||
|
systemWide = true;
|
||||||
|
};
|
||||||
|
}
|
||||||
];
|
];
|
||||||
|
|
||||||
users.extraUsers.mainUser.extraGroups = [ "audio" "video" ];
|
users.extraUsers.mainUser.extraGroups = [ "audio" "video" ];
|
||||||
|
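Review bot: `systemWide = true;` in the inlined `hardware.pulseaudio` block runs one PulseAudio daemon as a system service shared by every member of the `audio` group, a mode upstream documents as unsuitable for multi-user hosts because any group member can capture or inject audio belonging to another session. Since `users.extraUsers.mainUser.extraGroups = [ "audio" "video" ];` just below is what grants that access, the trust boundary is now "anyone in audio", and nothing in the hunk records why that is acceptable here. If this is a single-user machine, say so next to the option, e.g. `# system-wide daemon: single-user host, the audio group is the trust boundary`; otherwise the default per-user daemon avoids the cross-user exposure. The enclosing `imports` list and attribute set start outside the hunk.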
@ -22,6 +22,7 @@ with import <stockholm/lib>;
|
|||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
config.krebs.users.lass.pubkey
|
config.krebs.users.lass.pubkey
|
||||||
config.krebs.users.lass-shodan.pubkey
|
config.krebs.users.lass-shodan.pubkey
|
||||||
|
config.krebs.users.lass-icarus.pubkey
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
mainUser = {
|
mainUser = {
|
||||||
@ -38,6 +39,7 @@ with import <stockholm/lib>;
|
|||||||
openssh.authorizedKeys.keys = [
|
openssh.authorizedKeys.keys = [
|
||||||
config.krebs.users.lass.pubkey
|
config.krebs.users.lass.pubkey
|
||||||
config.krebs.users.lass-shodan.pubkey
|
config.krebs.users.lass-shodan.pubkey
|
||||||
|
config.krebs.users.lass-icarus.pubkey
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
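Review bot: The added `config.krebs.users.lass-icarus.pubkey` in the first hunk grants that key direct root login, in addition to the mainUser grant in the second hunk; the pattern matches the existing lass and lass-shodan entries, but a reviewer cannot tell from here why the device needs root rather than mainUser plus sudo. A one-line comment on the root entry, e.g. `# icarus: root login needed for unattended deploys`, would record the intent (adjust to the real reason). The key's definition is not in this diff, so confirm `krebs.users.lass-icarus` is declared in the same trusted place as the other two. Both authorizedKeys lists sit inside user definitions whose headers are outside the hunks.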
@ -51,6 +51,8 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
hardware.pulseaudio.support32Bit = true;
|
||||||
|
|
||||||
security.sudo.extraConfig = ''
|
security.sudo.extraConfig = ''
|
||||||
${mainUser.name} ALL=(games) NOPASSWD: ALL
|
${mainUser.name} ALL=(games) NOPASSWD: ALL
|
||||||
'';
|
'';
|
||||||
|
21
lass/2configs/makefu-sip.nix
Normal file
21
lass/2configs/makefu-sip.nix
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with import <stockholm/lib>;
|
||||||
|
{
|
||||||
|
users.users.makefu = {
|
||||||
|
uid = genid "makefu";
|
||||||
|
isNormalUser = true;
|
||||||
|
extraGroups = [ "libvirtd" ];
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
config.krebs.users.makefu.pubkey
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
krebs.iptables.tables.nat.PREROUTING.rules = [
|
||||||
|
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 10022"; target = "DNAT --to-destination 192.168.122.136:22"; }
|
||||||
|
];
|
||||||
|
|
||||||
|
krebs.iptables.tables.filter.FORWARD.rules = [
|
||||||
|
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.136 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
||||||
|
];
|
||||||
|
}
|
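Review bot: `extraGroups = [ "libvirtd" ];` on the new `makefu` user is effectively a root-equivalent grant, because libvirtd-group members can define domains that attach arbitrary host block devices or paths and run them under the libvirt system daemon, so an SSH login as makefu is not confined to the guest this file forwards to. If the intent is only reaching the VM at 192.168.122.136 through the port-10022 DNAT rule, drop the group; if host-level VM management is really wanted, state the consequence in a comment, e.g. `# libvirtd group is root-equivalent on this host; makefu is trusted with that`. The FORWARD rule accepts NEW connections to the guest's :22 from any source, which is the intended public exposure, but it only matches the inbound direction (`-d 192.168.122.136`), so confirm an ESTABLISHED,RELATED rule for the return path exists elsewhere in the iptables config. The public address 213.239.205.246 is hard-coded here; a comment naming which host/interface it belongs to would help the next person who moves the VM.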
@ -1,96 +0,0 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
with import <stockholm/lib>;
|
|
||||||
let
|
|
||||||
pkg = pkgs.pulseaudioLight;
|
|
||||||
runDir = "/run/pulse";
|
|
||||||
|
|
||||||
alsaConf = pkgs.writeText "asound.conf" ''
|
|
||||||
ctl_type.pulse {
|
|
||||||
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_ctl_pulse.so;
|
|
||||||
}
|
|
||||||
pcm_type.pulse {
|
|
||||||
libs.native = ${pkgs.alsaPlugins}/lib/alsa-lib/libasound_module_pcm_pulse.so;
|
|
||||||
}
|
|
||||||
ctl.!default {
|
|
||||||
type pulse
|
|
||||||
}
|
|
||||||
pcm.!default {
|
|
||||||
type pulse
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
|
|
||||||
clientConf = pkgs.writeText "client.conf" ''
|
|
||||||
autospawn=no
|
|
||||||
default-server = unix:${runDir}/socket
|
|
||||||
'';
|
|
||||||
|
|
||||||
daemonConf = pkgs.writeText "daemon.conf" ''
|
|
||||||
exit-idle-time=-1
|
|
||||||
flat-volumes = no
|
|
||||||
default-fragments = 4
|
|
||||||
default-fragment-size-msec = 25
|
|
||||||
'';
|
|
||||||
|
|
||||||
configFile = pkgs.writeText "default.pa" ''
|
|
||||||
.include ${pkg}/etc/pulse/default.pa
|
|
||||||
load-module ${toString [
|
|
||||||
"module-native-protocol-unix"
|
|
||||||
"auth-anonymous=1"
|
|
||||||
"socket=${runDir}/socket"
|
|
||||||
]}
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
|
|
||||||
{
|
|
||||||
environment = {
|
|
||||||
etc = {
|
|
||||||
"asound.conf".source = alsaConf;
|
|
||||||
# XXX mkForce is not strong enough (and neither is mkOverride) to create
|
|
||||||
# /etc/pulse/client.conf, see pulseaudio-hack below for a solution.
|
|
||||||
#"pulse/client.conf" = mkForce { source = clientConf; };
|
|
||||||
#"pulse/client.conf".source = mkForce clientConf;
|
|
||||||
"pulse/default.pa".source = configFile;
|
|
||||||
"pulse/daemon.pa".source = daemonConf;
|
|
||||||
};
|
|
||||||
systemPackages = [
|
|
||||||
pkg
|
|
||||||
] ++ optionals config.services.xserver.enable [
|
|
||||||
pkgs.pavucontrol
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# Allow PulseAudio to get realtime priority using rtkit.
|
|
||||||
security.rtkit.enable = true;
|
|
||||||
|
|
||||||
system.activationScripts.pulseaudio-hack = ''
|
|
||||||
ln -fns ${clientConf} /etc/pulse/client.conf
|
|
||||||
'';
|
|
||||||
|
|
||||||
systemd.services.pulse = {
|
|
||||||
wantedBy = [ "sound.target" ];
|
|
||||||
before = [ "sound.target" ];
|
|
||||||
environment = {
|
|
||||||
PULSE_RUNTIME_PATH = "${runDir}/home";
|
|
||||||
};
|
|
||||||
serviceConfig = {
|
|
||||||
ExecStart = "${pkg}/bin/pulseaudio";
|
|
||||||
ExecStartPre = pkgs.writeDash "pulse-start" ''
|
|
||||||
install -o pulse -g audio -m 0750 -d ${runDir}
|
|
||||||
install -o pulse -g audio -m 0700 -d ${runDir}/home
|
|
||||||
'';
|
|
||||||
PermissionsStartOnly = "true";
|
|
||||||
User = "pulse";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
users = {
|
|
||||||
groups.pulse.gid = config.users.users.pulse.uid;
|
|
||||||
users.pulse = {
|
|
||||||
uid = genid "pulse";
|
|
||||||
group = "pulse";
|
|
||||||
extraGroups = [ "audio" ];
|
|
||||||
home = "${runDir}/home";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
4
lass/2configs/tests/dummy-secrets/grafana_security.nix
Normal file
4
lass/2configs/tests/dummy-secrets/grafana_security.nix
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
{
|
||||||
|
adminUser = "bla";
|
||||||
|
adminPassword = "blub";
|
||||||
|
}
|
@ -23,6 +23,9 @@ let
|
|||||||
'';
|
'';
|
||||||
|
|
||||||
in {
|
in {
|
||||||
|
|
||||||
|
services.nginx.enable = true;
|
||||||
|
|
||||||
imports = [
|
imports = [
|
||||||
./sqlBackup.nix
|
./sqlBackup.nix
|
||||||
|
|
||||||
|
@ -3,19 +3,20 @@ with import <stockholm/lib>;
|
|||||||
let
|
let
|
||||||
secret = (import <secrets/elchos-token.nix>);
|
secret = (import <secrets/elchos-token.nix>);
|
||||||
in {
|
in {
|
||||||
systemd.services.elchos-irctoken = {
|
systemd.services.elchos-irctoken2 = {
|
||||||
startAt = "*:0/30";
|
startAt = "*:0/5";
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
RuntimeMaxSec = "20";
|
RuntimeMaxSec = "20";
|
||||||
};
|
};
|
||||||
script = ''
|
script = ''
|
||||||
set -euf
|
set -euf
|
||||||
now=$(date -u +%Y-%m-%dT%H:%M)
|
now=$(date -u +%Y-%m-%dT%H:%M)
|
||||||
sec=$(echo -n "${secret}$now" | md5sum | cut -d\ -f1)
|
sleep 5
|
||||||
message="The secret valid for 30 minutes is $sec"
|
sec=$(cat /tmp/irc-secret)
|
||||||
echo "token for $now (UTC) is $sec"
|
message="The current secret is $sec"
|
||||||
|
echo "$message"
|
||||||
LOGNAME=sec-announcer
|
LOGNAME=sec-announcer
|
||||||
HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --static)
|
HOSTNAME=$(${pkgs.systemd}/bin/hostnamectl --transient)
|
||||||
IRC_SERVER=irc.freenode.net
|
IRC_SERVER=irc.freenode.net
|
||||||
IRC_PORT=6667
|
IRC_PORT=6667
|
||||||
IRC_NICK=$HOSTNAME-$$
|
IRC_NICK=$HOSTNAME-$$
|
||||||
@ -59,4 +60,18 @@ in {
|
|||||||
| ${pkgs.netcat}/bin/netcat "$IRC_SERVER" "$IRC_PORT" |tee -a ircin
|
| ${pkgs.netcat}/bin/netcat "$IRC_SERVER" "$IRC_PORT" |tee -a ircin
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
systemd.services.elchos-create-token = {
|
||||||
|
startAt = "*:0/30";
|
||||||
|
serviceConfig = {
|
||||||
|
RuntimeMaxSec = "20";
|
||||||
|
};
|
||||||
|
script = ''
|
||||||
|
set -euf
|
||||||
|
now=$(date -u +%Y-%m-%dT%H:%M)
|
||||||
|
sec=$(echo -n "${secret}$now" | md5sum | cut -d\ -f1)
|
||||||
|
message="The secret valid for 30 minutes is $sec"
|
||||||
|
echo -n "$sec" > /tmp/irc-secret
|
||||||
|
echo "token for $now (UTC) is $sec"
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
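Review bot: The token now passes between the two units through `/tmp/irc-secret`, written by `echo -n "$sec" > /tmp/irc-secret` in elchos-create-token as root with the service's default umask (0022), so the current secret is world-readable by every local user, and a pre-existing symlink at that path in the shared tmp could redirect the root write unless fs.protected_symlinks applies. Keep it in a private location instead, e.g. `RuntimeDirectory = "elchos"; RuntimeDirectoryPreserve = "yes";` in serviceConfig plus `umask 077` before writing to `/run/elchos/irc-secret`, and have elchos-irctoken2 read from the same path. The reader runs under `set -euf`, so until the first create-token run `sec=$(cat /tmp/irc-secret)` fails the unit every five minutes; a guard like `[ -r /run/elchos/irc-secret ] || exit 0` avoids that. The two services are not ordered relative to each other, so a 5-second sleep does not guarantee the announcer sees the fresh token on the shared :00/:30 boundary — `After=`/`Wants=` on the create-token unit would make that explicit.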
|
@ -39,8 +39,57 @@ with import <stockholm/lib>;
|
|||||||
};
|
};
|
||||||
|
|
||||||
services.graphite = {
|
services.graphite = {
|
||||||
|
beacon = {
|
||||||
|
enable = true;
|
||||||
|
config = {
|
||||||
|
graphite_url = "http://localhost:18080";
|
||||||
|
|
||||||
|
no_data = "critical";
|
||||||
|
loading_error = "normal";
|
||||||
|
|
||||||
|
prefix = "[elchos]";
|
||||||
|
|
||||||
|
cli = {
|
||||||
|
command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 alert0r \#elchos ' [elchos] ''${level} ''${name} ''${value}' '';
|
||||||
|
};
|
||||||
|
#smtp = {
|
||||||
|
# from = "beacon@mors.r";
|
||||||
|
# to = [
|
||||||
|
# "lass@mors.r"
|
||||||
|
# ];
|
||||||
|
#};
|
||||||
|
normal_handlers = [
|
||||||
|
# "smtp"
|
||||||
|
"cli"
|
||||||
|
];
|
||||||
|
warning_handlers = [
|
||||||
|
# "smtp"
|
||||||
|
"cli"
|
||||||
|
];
|
||||||
|
critical_handlers = [
|
||||||
|
# "smtp"
|
||||||
|
"cli"
|
||||||
|
];
|
||||||
|
alerts = let
|
||||||
|
high-load = hostid: let
|
||||||
|
host = "elch-${toString hostid}"; in {
|
||||||
|
name = "high-cpu-load-${host}";
|
||||||
|
query = "aliasByNode(perSecond(elchos.${host}.cpu.0.cpu.idle),1)";
|
||||||
|
method = "average";
|
||||||
|
interval = "1minute";
|
||||||
|
logging = "info";
|
||||||
|
repeat_interval = "5minute";
|
||||||
|
rules = [
|
||||||
|
# "warning: < 30.0"
|
||||||
|
"critical: < 1.0"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
in map high-load [ 1 2 3 4 5 6 7 8 ];
|
||||||
|
};
|
||||||
|
};
|
||||||
api = {
|
api = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
package = pkgs.graphiteApi;
|
||||||
listenAddress = "127.0.0.1";
|
listenAddress = "127.0.0.1";
|
||||||
port = 18080;
|
port = 18080;
|
||||||
};
|
};
|
||||||
@ -50,8 +99,8 @@ with import <stockholm/lib>;
|
|||||||
config = ''
|
config = ''
|
||||||
[cache]
|
[cache]
|
||||||
MAX_CACHE_SIZE = inf
|
MAX_CACHE_SIZE = inf
|
||||||
MAX_UPDATES_PER_SECOND = 1
|
MAX_UPDATES_PER_SECOND = 10
|
||||||
MAX_CREATES_PER_MINUTE = 500
|
MAX_CREATES_PER_MINUTE = 5000
|
||||||
'';
|
'';
|
||||||
storageSchemas = ''
|
storageSchemas = ''
|
||||||
[carbon]
|
[carbon]
|
||||||
@ -62,6 +111,10 @@ with import <stockholm/lib>;
|
|||||||
patterhn = ^elchos\.
|
patterhn = ^elchos\.
|
||||||
retentions = 10s:30d,60s:3y
|
retentions = 10s:30d,60s:3y
|
||||||
|
|
||||||
|
|
||||||
|
[default]
|
||||||
|
pattern = ^krebs\.
|
||||||
|
retentions = 1s:30d,30s:3m,300s:1y
|
||||||
[default]
|
[default]
|
||||||
pattern = .*
|
pattern = .*
|
||||||
retentions = 30s:30d,300s:1y
|
retentions = 30s:30d,300s:1y
|
||||||
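Review bot: The added storage-schemas entry is headed `[default]` (with `pattern = ^krebs\.`) while the original `[default]` with `pattern = .*` remains below it; carbon reads this file with ConfigParser, where a duplicate section name either raises DuplicateSectionError at carbon-cache start or silently merges so the later keys win, meaning the krebs retention is lost. Give the section its own name, e.g. `[krebs]`, since carbon only cares about `pattern` and `retentions`. `retentions = 1s:30d` also allocates about 2.6 M points (~31 MB) per whisper file for every krebs metric — presumably intended, but worth a comment. Adjacent context line `patterhn = ^elchos\.` is a pre-existing typo that this commit does not touch; as written the elchos rule never matches and those metrics fall through to the catch-all, which is worth fixing in the same file.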
|