From 549c89dd99db41b2869e6255d1551fce900eb656 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 13 Apr 2017 14:03:36 +0200 Subject: [PATCH 01/58] k 5 krebspaste: output with +inline --- krebs/5pkgs/krebspaste/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/5pkgs/krebspaste/default.nix b/krebs/5pkgs/krebspaste/default.nix index 8c6676d0e..31ad12780 100644 --- a/krebs/5pkgs/krebspaste/default.nix +++ b/krebs/5pkgs/krebspaste/default.nix @@ -2,5 +2,5 @@ # TODO use `execve` instead? writeDashBin "krebspaste" '' - exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" + exec ${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@" | sed '$ s/$/\/+inline/g' '' From 621758d990ec5c25d797ffb17f2bec4e27d54728 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Apr 2017 15:25:04 +0200 Subject: [PATCH 02/58] l 1 prism: change nickname for #coders Reaktor --- lass/1systems/prism.nix | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index e5cbacfc8..8eecaa350 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix 
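Review bot: Piping the `exec`ed bepasty-cli into sed on the `+` line makes the wrapper's exit status sed's rather than bepasty-cli's, so a failed upload (no URL printed) still exits 0 under dash, which has no `pipefail`; callers scripting krebspaste cannot detect the failure. Capturing first keeps the status: `url=$(${bepasty-client-cli}/bin/bepasty-cli -L 1m --url http://paste.r "$@") || exit` followed by `printf '%s/+inline\n' "$url"`. The `g` flag on a `$`-anchored substitution is also redundant and can go.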
@@ -254,19 +254,20 @@ in { ]; } { - krebs.Reaktor.coders = let - lambdabot = (import (pkgs.fetchFromGitHub { - owner = "NixOS"; repo = "nixpkgs"; - rev = "a4ec1841da14fc98c5c35cc72242c23bb698d4ac"; - sha256 = "148fpw31s922hxrf28yhrci296f7c7zd81hf0k6zs05rq0i3szgy"; - }) {}).lambdabot; - in { - nickname = "reaktor-lass"; + krebs.Reaktor.coders = { + nickname = "Reaktor|lass"; channels = [ "#coders" ]; extraEnviron = { REAKTOR_HOST = "irc.hackint.org"; }; plugins = with pkgs.ReaktorPlugins; let + + lambdabot = (import (pkgs.fetchFromGitHub { + owner = "NixOS"; repo = "nixpkgs"; + rev = "a4ec1841da14fc98c5c35cc72242c23bb698d4ac"; + sha256 = "148fpw31s922hxrf28yhrci296f7c7zd81hf0k6zs05rq0i3szgy"; + }) {}).lambdabot; + lambdabotflags = '' -XStandaloneDeriving -XGADTs -XFlexibleContexts \ -XFlexibleInstances -XMultiParamTypeClasses \ From b033fd53af2bac56b4bd4b2882f64818dec9acb0 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Apr 2017 15:25:28 +0200 Subject: [PATCH 03/58] l 1 prism: add Reaktor for #retiolum --- lass/1systems/prism.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 8eecaa350..50b222338 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -350,6 +350,18 @@ in { ]; }; } + { + krebs.Reaktor.prism = { + nickname = "Reaktor|lass"; + channels = [ "#retiolum" ]; + extraEnviron = { + REAKTOR_HOST = "ni.r"; + }; + plugins = with pkgs.ReaktorPlugins; [ + sed-plugin + ]; + }; + } ]; krebs.build.host = config.krebs.hosts.prism; From d65226176267098db98ad36d8c56cf14bea28587 Mon Sep 17 00:00:00 2001 From: lassulus Date: Thu, 13 Apr 2017 15:25:37 +0200 Subject: [PATCH 04/58] l 1 prism: update chat authorized_key --- lass/1systems/prism.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 50b222338..343c45561 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix 
@@ -158,7 +158,7 @@ in { } { users.users.chat.openssh.authorizedKeys.keys = [ - "ssh-rsa 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 JuiceSSH" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDjesiOnhpT9XgWZqw/64M5lVQg3q0k22BtMyCv+33sGX8VmfTyD11GuwSjNGf5WiswKLqFvYBQsHfDDtS3k0ZNTDncGw3Pbilm6QoCuHEyDPaQYin0P+JmkocrL/6QF5uhZVFnsXCH5wntwOa00VFGwpMgQYSfRlReRx42Pu9Jk+iJduZMRBbOMvJI68Z7iJ4DgW/1U9J4MQdCsk7QlFgUstQQfV1zk4VfVfXuxDP3hjx6Q05nDChjpmzJbFunzb7aiy/1/Sl0QhROTpvxrQLksg7yYLw4BRs9ptjehX45A2Sxi8WKOb/g5u3xJNy0X07rE+N+o5v2hS7wF0DLQdK5+4TGtO+Y+ABUCqqA+T1ynAjNBWvsgY5uD4PZjuPgCMSw0JBmIy/P0THi3v5/8Cohvfnspl7Jpf80qENMu3unvvE9EePzgSRZY1PvDjPQfkWy0yBX1yQMhHuVGke9QgaletitwuahRujml37waeUuOl8Rpz+2iV+6OIS4tfO368uLFHKWbobXTbTDXODBgxZ/IyvO7vxM2uDX/kIWaeYKrip3nSyWBYnixwrcS4vm6ZQcoejwp2KCfGQwIE4MnGYRlwcOEYjvyjLkZHDiZEivUQ0rThMYBzec8bQ08QW8oxF+NXkFKG3awt3f7TKTRkYqQcOMpFKmV24KDiwgwm0miQ== JuiceSSH" ]; } { From 48d37be5dea8c74c929bd23153361f3cf419f43e Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 14 Apr 2017 11:25:18 +0200 Subject: [PATCH 05/58] l 2 nixpkgs: a563923 -> 5acb454 --- lass/2configs/nixpkgs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index 24437d040..5309c9551 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://cgit.lassul.us/nixpkgs; - ref = "a563923"; + ref = "5acb454"; }; } From a80cbaa6e962ea6dcdbf4c01f7e1188ac71c631f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 15 Apr 2017 17:13:40 +0200 Subject: [PATCH 06/58] realwallpaper: introduce marker_file --- krebs/3modules/realwallpaper.nix | 8 ++++---- krebs/5pkgs/realwallpaper/default.nix | 8 ++------ 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix index f9eae8c92..1e7a9faae 100644 --- a/krebs/3modules/realwallpaper.nix +++ b/krebs/3modules/realwallpaper.nix 
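Review bot: The replacement key on the `+` line is embedded verbatim in prism.nix, whereas other authorized keys in this series are referenced as `config.krebs.users.<name>.pubkey` (see the fileleech hunk in PATCH 21), so rotating or revoking the JuiceSSH key again means hunting for the literal; declaring it once as a krebs user pubkey keeps a single place for that. A short comment above the list naming whose device the key belongs to, and whether the previous key was rotated or revoked, would also help the next reader; the `users.users.chat` definition continues outside the hunk.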
@@ -32,9 +32,9 @@ let default = "http://xplanetclouds.com/free/local/clouds_2048.jpg"; }; - outFile = mkOption { + marker = mkOption { type = types.str; - default = "/tmp/wallpaper.png"; + default = "http://graphs.r/marker.json"; }; timerConfig = mkOption { @@ -43,7 +43,6 @@ let OnCalendar = "*:0/15"; }; }; - }; imp = { @@ -63,6 +62,7 @@ let imagemagick curl file + jq ]; environment = { @@ -70,7 +70,7 @@ let nightmap_url = cfg.nightmap; daymap_url = cfg.daymap; cloudmap_url = cfg.cloudmap; - out_file = cfg.outFile; + marker_url = cfg.marker; }; restartIfChanged = true; diff --git a/krebs/5pkgs/realwallpaper/default.nix b/krebs/5pkgs/realwallpaper/default.nix index 4fea977ec..dec2dada4 100644 --- a/krebs/5pkgs/realwallpaper/default.nix +++ b/krebs/5pkgs/realwallpaper/default.nix @@ -5,8 +5,8 @@ stdenv.mkDerivation { src = fetchgit { url = https://github.com/Lassulus/realwallpaper; - rev = "c2778c3c235fc32edc8115d533a0d0853ab101c5"; - sha256 = "0yhbjz19zk8sj5dsvccm6skkqq2vardn1yi70qmd5li7qvp17mvs"; + rev = "b8408cfb295b6ce5b965309b30358ca6c6409efd"; + sha256 = "0yyl8hhqshw9bx04xs8glvir3c0qzvfrwzmbvyg318mnz5xalcl0"; }; phases = [ @@ -15,10 +15,6 @@ stdenv.mkDerivation { ]; buildInputs = [ - xplanet - imagemagick - curl - file ]; installPhase = '' From 930971c9e2c3aa601f4cd87586b987c312607bc7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 15 Apr 2017 17:16:20 +0200 Subject: [PATCH 07/58] lass: update realwallpaper locations --- lass/1systems/prism.nix | 2 +- lass/2configs/realwallpaper.nix | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 343c45561..9c17c4433 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -194,7 +194,7 @@ in { ../2configs/realwallpaper.nix ]; services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = '' - alias /tmp/wallpaper.png; + alias /var/realwallpaper/realwallpaper.png; ''; } { 
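Review bot: Renaming the option from `outFile` to `marker` in the first realwallpaper.nix hunk drops `krebs.realwallpaper.outFile` without a compatibility shim, so any configuration still setting it fails evaluation with an undefined-option error; since the two options mean different things, a `mkRemovedOptionModule [ "krebs" "realwallpaper" "outFile" ] "output now lives under /var/realwallpaper"` in the module's imports (if the pinned nixpkgs lib provides it) gives a readable message instead. With `out_file` gone from the environment the script's output location is no longer visible in the module at all; the prism hunk in PATCH 07 hardcodes `/var/realwallpaper/realwallpaper.png`, so a comment next to `marker` stating where the images are written would keep the two in step. The marker JSON is fetched over plain http and fed to jq; that is presumably fine inside retiolum, but worth stating in the option description.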
diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix index cf9795071..4794823ce 100644 --- a/lass/2configs/realwallpaper.nix +++ b/lass/2configs/realwallpaper.nix @@ -13,8 +13,14 @@ in { serverAliases = [ hostname ]; - locations."/wallpaper.png".extraConfig = '' - root /tmp/; + locations."/realwallpaper.png".extraConfig = '' + root /var/realwallpaper/; + ''; + locations."/realwallpaper-sat.png".extraConfig = '' + root /var/realwallpaper/; + ''; + locations."/realwallpaper-sat-krebs.png".extraConfig = '' + root /var/realwallpaper/; ''; }; From c45cd788d2df7d14175de59d31506d970eb72382 Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 15 Apr 2017 17:58:20 +0200 Subject: [PATCH 08/58] m: graphs -> graph --- krebs/3modules/makefu/default.nix | 12 ++++++------ makefu/2configs/deployment/graphs.nix | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 56df451b7..cef6a4fd6 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -33,7 +33,7 @@ with import ; nets = { retiolum = { ip4.addr = "10.243.113.98"; - ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096"; + # ip6.addr = "42:5cf1:e7f2:3fd:cd4c:a1ee:ec71:7096"; aliases = [ "fileleech.r" ]; @@ -247,7 +247,6 @@ with import ; "krebsco.de" = '' euer IN MX 1 aspmx.l.google.com. nixos.unstable IN CNAME krebscode.github.io. - pigstarter IN A ${nets.internet.ip4.addr} gold IN A ${nets.internet.ip4.addr} boot IN A ${nets.internet.ip4.addr} ''; @@ -301,7 +300,7 @@ with import ; ip6.addr = "42:6e1e:cc8a:7cef:827:f938:8c64:baad"; aliases = [ "wry.r" - "graphs.wry.r" + "graph.wry.r" "paste.wry.r" ]; tinc.pubkey = '' 
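Review bot: Style: the three added `locations."/realwallpaper…png"` blocks in lass/2configs/realwallpaper.nix are identical apart from the filename, so a single regex location such as `locations."~ ^/realwallpaper(-sat(-krebs)?)?\\.png$".extraConfig = '' root /var/realwallpaper/; '';` expresses the same thing once and will not drift when a fourth image is added. The virtualHost definition starts before the hunk.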
@@ -436,12 +435,13 @@ with import ; mattermost.euer IN A ${nets.internet.ip4.addr} git.euer IN A ${nets.internet.ip4.addr} gum IN A ${nets.internet.ip4.addr} + pigstarter IN A ${nets.internet.ip4.addr} cgit.euer IN A ${nets.internet.ip4.addr} o.euer IN A ${nets.internet.ip4.addr} dl.euer IN A ${nets.internet.ip4.addr} euer IN A ${nets.internet.ip4.addr} wiki.euer IN A ${nets.internet.ip4.addr} - graphs IN A ${nets.internet.ip4.addr} + graph IN A ${nets.internet.ip4.addr} ''; }; nets = rec { @@ -461,7 +461,7 @@ with import ; "o.gum.r" "tracker.makefu.r" - "graphs.r" + "graph.r" "wiki.makefu.r" "wiki.gum.r" "blog.makefu.r" @@ -491,7 +491,7 @@ with import ; ip4.prefix = "10.8.10.0/24"; aliases = [ "shoney.siem" - "graphs.siem" + "graph.siem" ]; tinc.pubkey = '' -----BEGIN RSA PUBLIC KEY----- diff --git a/makefu/2configs/deployment/graphs.nix b/makefu/2configs/deployment/graphs.nix index 35a724f6a..b33ddece0 100644 --- a/makefu/2configs/deployment/graphs.nix +++ b/makefu/2configs/deployment/graphs.nix @@ -23,8 +23,8 @@ in { } ''; serverAliases = [ - "graphs.r" "graphs.retiolum" - "graphs.${hn}" "graphs.${hn}.retiolum" + "graph.r" + "graph.${hn}" "graph.${hn}.r" ]; }; anonymous = { From 4feb0e8e91d228bf4754d130e7d134f41047dc32 Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 15 Apr 2017 18:04:19 +0200 Subject: [PATCH 09/58] k 3 hidden-ssh: init --- krebs/3modules/default.nix | 1 + krebs/3modules/hidden-ssh.nix | 53 +++++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 krebs/3modules/hidden-ssh.nix diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index d24cea1a2..0364792b5 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -20,6 +20,7 @@ let ./github-hosts-sync.nix ./git.nix ./go.nix + ./hidden-ssh.nix ./htgen.nix ./iptables.nix ./kapacitor.nix diff --git a/krebs/3modules/hidden-ssh.nix b/krebs/3modules/hidden-ssh.nix new file mode 100644 index 000000000..2f75ded9b --- /dev/null 
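Review bot: Dropping `"graphs.r"` from the alias list in the `@@ -461,7 +461,7 @@` hunk (and `graphs IN A` from the zone in the hunk above it) leaves the default `marker = "http://graphs.r/marker.json"` that PATCH 06 of this series adds to krebs.realwallpaper pointing at a name that no longer resolves, unless something outside this page still serves it. Either keep `"graphs.r"` next to `"graph.r"` for a transition period or change the realwallpaper default to `http://graph.r/marker.json` in the same series. The graphs.nix hunk also removes the `.retiolum` aliases without replacement, so any client still using them loses the vhost.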
+++ b/krebs/3modules/hidden-ssh.nix @@ -0,0 +1,53 @@ +{ config, lib, pkgs, ... }: + +with import ; +let + cfg = config.krebs.hidden-ssh; + + out = { + options.krebs.hidden-ssh = api; + config = lib.mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "hidden SSH announce"; + }; + + imp = let + torDirectory = "/var/lib/tor"; # from tor.nix + hiddenServiceDir = torDirectory + "/ssh-announce-service"; + in { + services.tor = { + enable = true; + extraConfig = '' + HiddenServiceDir ${hiddenServiceDir} + HiddenServicePort 22 127.0.0.1:22 + ''; + client.enable = true; + }; + systemd.services.hidden-ssh-announce = { + description = "irc announce hidden ssh"; + after = [ "tor.service" ]; + wants = [ "tor.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + # ${pkgs.tor}/bin/torify + ExecStart = pkgs.writeDash "irc-announce-ssh" '' + set -efu + until test -e ${hiddenServiceDir}/hostname; do + echo "still waiting for ${hiddenServiceDir}/hostname" + sleep 1 + done + ${pkgs.irc-announce}/bin/irc-announce \ + irc.freenode.org 6667 ${config.krebs.build.host.name}-ssh \ + \#krebs-announce \ + "SSH Hidden Service at $(cat ${hiddenServiceDir}/hostname)" + ''; + PrivateTmp = "true"; + User = "tor"; + Type = "oneshot"; + }; + }; + }; +in +out From 64ac9ab74f1cb448da51880a0776848ddd7c63b3 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 15 Apr 2017 18:19:15 +0200 Subject: [PATCH 10/58] l 2 realwallpaper: allow only from .r --- lass/2configs/realwallpaper.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix index 4794823ce..9e26d677c 100644 --- a/lass/2configs/realwallpaper.nix +++ b/lass/2configs/realwallpaper.nix @@ -10,6 +10,11 @@ in { krebs.realwallpaper.enable = true; services.nginx.virtualHosts.wallpaper = { + extraConfig = '' + if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) { + return 403; + } + ''; serverAliases = [ hostname ]; 
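Review bot: The `until test -e ${hiddenServiceDir}/hostname` loop in the new hidden-ssh-announce unit has no upper bound, and with `Type = "oneshot"` systemd disables the start timeout by default, so if tor never writes the hostname file the unit sits in activating forever; `TimeoutStartSec = "5min";` in serviceConfig (or a retry counter in the loop) turns that into a visible failure. The enable option should also say what enabling it means: sshd becomes reachable as a tor hidden service and its onion hostname is posted to `#krebs-announce` on freenode over a plaintext port-6667 connection, so anyone reading that channel learns the SSH endpoint — e.g. `enable = mkEnableOption "tor hidden service for sshd, onion address announced publicly on IRC";`. The leftover `# ${pkgs.tor}/bin/torify` comment reads like an unfinished TODO and should either say so or be removed.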
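Review bot: The `if ( $server_addr = "…" ) { return 403; }` guard added to the wallpaper vhost in PATCH 10 keys on which local address the request arrived on, so it only blocks the host's one IPv4 internet address; a request arriving on any other non-retiolum address (a public IPv6 address, if prism has one) is still served. Filtering on the client with `allow <retiolum-prefix>; deny all;` (the prefix is not on this page) or binding `listen` to the retiolum address is the usual way to express "only from .r", and a one-line comment stating that intent would help either way.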
From fbc29e63da7fca719dc20df13d31402a8d9c449b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 15 Apr 2017 18:19:45 +0200 Subject: [PATCH 11/58] l 2 realwallpaper: listen on .r --- lass/2configs/realwallpaper.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/lass/2configs/realwallpaper.nix b/lass/2configs/realwallpaper.nix index 9e26d677c..116d66276 100644 --- a/lass/2configs/realwallpaper.nix +++ b/lass/2configs/realwallpaper.nix @@ -17,6 +17,7 @@ in { ''; serverAliases = [ hostname + "${hostname}.r" ]; locations."/realwallpaper.png".extraConfig = '' root /var/realwallpaper/; From 270157937b67c9aeda0b8d245141e6943d78188f Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 15 Apr 2017 18:55:15 +0200 Subject: [PATCH 12/58] k 5 tinc_graphs: bump to 0.3.10 --- krebs/5pkgs/tinc_graphs/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/krebs/5pkgs/tinc_graphs/default.nix b/krebs/5pkgs/tinc_graphs/default.nix index e5f1e40e8..20bbc53ba 100644 --- a/krebs/5pkgs/tinc_graphs/default.nix +++ b/krebs/5pkgs/tinc_graphs/default.nix @@ -2,14 +2,14 @@ python3Packages.buildPythonPackage rec { name = "tinc_graphs-${version}"; - version = "0.3.9"; + version = "0.3.10"; propagatedBuildInputs = with pkgs;[ python3Packages.pygeoip ## ${geolite-legacy}/share/GeoIP/GeoIPCity.dat ]; src = fetchurl { - url = "https://pypi.python.org/packages/source/t/tinc_graphs/tinc_graphs-${version}.tar.gz"; - sha256 = "0hjmkiclvyjb3707285x4b8mk5aqjcvh383hvkad1h7p1n61qrfx"; + url = "mirror://pypi/t/tinc_graphs/${name}.tar.gz"; + sha256 = "0f4cvb9424fhfmc0hbzmynzh9528fyhx00ayq1nbpgd1p89yw7mc"; }; preFixup = with pkgs;'' wrapProgram $out/bin/build-graphs --prefix PATH : "$out/bin" From 6dfee5d766d16bd90aaf846f591c7168563554cd Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 15 Apr 2017 22:27:59 +0200 Subject: [PATCH 13/58] l 1 iso: enable hidden-ssh --- lass/1systems/iso.nix | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix index 9dfbf7cb8..bee1c148f 100644 --- a/lass/1systems/iso.nix +++ b/lass/1systems/iso.nix @@ -148,5 +148,8 @@ with import ; }; }; } + { + krebs.hidden-ssh.enable = true; + } ]; } From 8f89bb5d3d5e8f2e2deb70a7029321d05c5d256f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Apr 2017 23:31:46 +0200 Subject: [PATCH 14/58] k 3 hidden-ssh: start after network-online.target --- krebs/3modules/hidden-ssh.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/hidden-ssh.nix b/krebs/3modules/hidden-ssh.nix index 2f75ded9b..3930dbf42 100644 --- a/krebs/3modules/hidden-ssh.nix +++ b/krebs/3modules/hidden-ssh.nix @@ -27,7 +27,7 @@ let }; systemd.services.hidden-ssh-announce = { description = "irc announce hidden ssh"; - after = [ "tor.service" ]; + after = [ "tor.service" "network-online.target" ]; wants = [ "tor.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { From 6187206a02ed9bc7b21fdfd9c32e0b57f6f23365 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Apr 2017 23:32:05 +0200 Subject: [PATCH 15/58] irc-announce: fix cat2 on live systems --- krebs/5pkgs/irc-announce/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/5pkgs/irc-announce/default.nix b/krebs/5pkgs/irc-announce/default.nix index e1f4919d5..6eb725b71 100644 --- a/krebs/5pkgs/irc-announce/default.nix +++ b/krebs/5pkgs/irc-announce/default.nix @@ -24,7 +24,7 @@ pkgs.writeDashBin "irc-announce" '' # echo2 and cat2 are used output to both, stdout and stderr # This is used to see what we send to the irc server. (debug output) echo2() { echo "$*"; echo "$*" >&2; } - cat2() { tee /dev/stderr; } + cat2() { awk '{print;print > "/dev/stderr"}'; } # privmsg_cat transforms stdin to a privmsg privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; } From 7ea694323bf791e6a2dae4897fefa0f09bc2a654 Mon Sep 17 00:00:00 2001 
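Review bot: `after = [ "tor.service" "network-online.target" ]` in PATCH 14 orders the unit after network-online.target, but nothing pulls that target in, and systemd only honours the ordering when the target is actually activated; the next line should become `wants = [ "tor.service" "network-online.target" ];` as well, which is what systemd's own guidance for network-online.target asks for. Without it, on a boot where no other unit wants the target, the oneshot announce can still run before the uplink is up and fail once with no retry.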
From: lassulus Date: Sun, 16 Apr 2017 23:32:43 +0200 Subject: [PATCH 16/58] l 1 mors: disable ipfs --- lass/1systems/mors.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index c196b391a..8891d1829 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -76,10 +76,6 @@ with import ; { services.redis.enable = true; } - { - #ipfs-testing - services.ipfs.enable = true; - } { environment.systemPackages = [ pkgs.krebszones From faa8318d13a4b8932e9fd15ebae116d380ede497 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Apr 2017 23:33:54 +0200 Subject: [PATCH 17/58] l 1 iso: make sshd work --- lass/1systems/iso.nix | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix index bee1c148f..01d698c4c 100644 --- a/lass/1systems/iso.nix +++ b/lass/1systems/iso.nix @@ -15,7 +15,6 @@ with import ; krebs.enable = true; krebs.build.user = config.krebs.users.lass; krebs.build.host = config.krebs.hosts.iso; - krebs.build.source.nixos-config.symlink = "stockholm/lass/1systems/${config.krebs.buil.host.name}.nix"; } { nixpkgs.config.allowUnfree = true; @@ -122,18 +121,12 @@ with import ; { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; }; + systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ]; } { krebs.iptables = { enable = true; tables = { - nat.PREROUTING.rules = [ - { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } - { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } - ]; - nat.OUTPUT.rules = [ - { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } - ]; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; filter.INPUT.rules = [ From 6e6a01957d86bffc0ee43978f80c449355365103 Mon Sep 17 00:00:00 2001 
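Review bot: Removing the `nat.PREROUTING` redirect that sent non-retiolum port-22 traffic to port 0 takes away the only port-22 gate visible in this hunk, while `systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ];` now starts sshd unconditionally on the ISO; whether sshd is reachable from the public interface afterwards depends on the `filter.INPUT.rules` list that continues past the hunk, so that list should be checked to confirm port 22 is accepted only on retiolum (or only via the tor hidden service enabled in PATCH 13). If tor-only access is the intent, a comment next to the `mkForce` line saying so would make it explicit. The same change recurs as PATCH 27 on this page.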
From: lassulus Date: Sun, 16 Apr 2017 23:34:25 +0200 Subject: [PATCH 18/58] l 2: add sshn to pkgs --- lass/2configs/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 69f8a681e..b53efa75d 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -151,6 +151,10 @@ with import ; p7zip unzip unrar + + (pkgs.writeDashBin "sshn" '' + ${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@" + '') ]; programs.bash = { From b6b39b69ff8cf5aea15e9d31a23c58e9a2cd5ab1 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Apr 2017 23:35:02 +0200 Subject: [PATCH 19/58] l 1 mors: enable tor --- lass/1systems/mors.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 8891d1829..d80665a6b 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -85,6 +85,12 @@ with import ; #ps vita stuff boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; } + { + services.tor = { + enable = true; + client.enable = true; + }; + } ]; krebs.build.host = config.krebs.hosts.mors; From 7a48255b5a88e548eaf36ecdebb66fac96a04602 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Apr 2017 23:35:25 +0200 Subject: [PATCH 20/58] l 2: add syncthing.nix --- lass/1systems/mors.nix | 1 + lass/1systems/prism.nix | 1 + lass/2configs/syncthing.nix | 12 ++++++++++++ 3 files changed, 14 insertions(+) create mode 100644 lass/2configs/syncthing.nix diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index d80665a6b..c8d9465d5 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -25,6 +25,7 @@ with import ; ../2configs/repo-sync.nix ../2configs/ircd.nix ../2configs/logf.nix + ../2configs/syncthing.nix { #risk of rain port krebs.iptables.tables.filter.INPUT.rules = [ diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 9c17c4433..41a909f16 100644 
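Review bot: The new `sshn` wrapper disables host-key verification entirely (`UserKnownHostsFile=/dev/null`, `StrictHostKeyChecking=no`) and nothing in the hunk records when it is meant to be used, so it can end up in scripts where a tampered connection would go unnoticed. A comment above the writeDashBin such as `# sshn: ssh without host-key checks, only for throwaway hosts (ISO boots, fresh VMs) whose key changes every boot` makes the trade-off explicit, and a name that signals it from the command line (e.g. `ssh-nocheck`) would help too. The same hunk recurs as PATCH 28 on this page.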
--- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -46,6 +46,7 @@ in { ../2configs/monitoring/server.nix ../2configs/monitoring/monit-alarms.nix ../2configs/paste.nix + ../2configs/syncthing.nix { imports = [ ../2configs/bepasty.nix diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix new file mode 100644 index 000000000..cef43d1e6 --- /dev/null +++ b/lass/2configs/syncthing.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: +with import ; +{ + services.syncthing = { + enable = true; + useInotify = true; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 22000"; target = "ACCEPT";} + { predicate = "-p udp --dport 21027"; target = "ACCEPT";} + ]; +} From eeffa28de533a4a02f67f28ab789bbc89d084043 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 17 Apr 2017 13:08:36 +0200 Subject: [PATCH 21/58] m: init syncthing for hosts --- makefu/1systems/fileleech.nix | 2 +- makefu/1systems/gum.nix | 5 +++-- makefu/1systems/omo.nix | 5 +++-- makefu/2configs/ipfs.nix | 5 +++++ makefu/2configs/syncthing.nix | 11 +++++++++++ 5 files changed, 23 insertions(+), 5 deletions(-) create mode 100644 makefu/2configs/ipfs.nix create mode 100644 makefu/2configs/syncthing.nix diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix index 4f92c2b90..3aa5a54f8 100644 --- a/makefu/1systems/fileleech.nix +++ b/makefu/1systems/fileleech.nix @@ -32,7 +32,6 @@ in { ../2configs/elchos/log.nix ../2configs/elchos/search.nix ../2configs/elchos/stats.nix - ../2configs/stats-srv.nix ]; systemd.services.grafana.serviceConfig.LimitNOFILE=10032; 
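Review bot: The two `krebs.iptables` rules in the new lass/2configs/syncthing.nix accept tcp/22000 and udp/21027 on every interface, which is wider than the rest of this configuration, where the ISO rules distinguish on `-i retiolum`; if the devices syncing with mors and prism are all on retiolum, `{ predicate = "-i retiolum -p tcp --dport 22000"; target = "ACCEPT";}` keeps the sync port off prism's public address. If public peers are intended, a comment saying so next to the rules is enough, since syncthing authenticates devices by certificate and the exposure is the listening service itself. The same file recurs as PATCH 30 on this page.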
@@ -129,6 +128,7 @@ in { # createHome = true; openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey + config.krebs.users.lass.pubkey "ssh-rsa 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 jules@kvasir-2015-02-13" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDINUD+p2yrc9KoTbCiuYhdfLlRu/eNX6BftToSMLs8O9qWQORjgXbDn8M9iUWXCHzdUZ9sm6Rz8TMdEV0jZq/nB01zYnW4NhMrt+NGtrmGqDa+eYrRZ4G7Rx8AYzM/ZSwERKX10txAVugV44xswRxWvFbCedujjXyWsxelf1ngb+Hiy9/CPuWNYEhTZs/YuvNkupCui2BuKuoSivJAkLhGk5YqwwcllCr39YXa/tFJWsgoQNcB9hwpzfhFm6Cc7m5DhmTWSVhQHEWyaas8Lukmd4v+mRY+KZpuhbomCHWzkxqzdBun8SXiiAKlgem9rtBIgeTEfz9OtOfF3/6VfqE7 toerb@mittagspause ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0IP143FAHBHWjEEKGOnM8SSTIgNF1MJxGCMKaJvTHf momo@k2.local" "ssh-rsa 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 me@andreaskist.de" diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index c39997ebf..3186f8887 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -35,10 +35,12 @@ in { ../2configs/nginx/update.connector.one.nix ../2configs/deployment/mycube.connector.one.nix ../2configs/deployment/graphs.nix + # ../2configs/ipfs.nix + ../2configs/syncthing.nix # ../2configs/opentracker.nix ../2configs/logging/central-stats-client.nix - ../2configs/logging/central-logging-client.nix + # ../2configs/logging/central-logging-client.nix ]; services.smartd.devices = [ { device = "/dev/sda";} ]; @@ -79,7 +81,6 @@ in { ]; services.bitlbee.enable = true; systemd.services.bitlbee.environment.BITLBEE_DEBUG="1"; - # systemd.services.bitlbee.serviceConfig.ExecStart = "${pkgs.bitlbee}/bin/bitlbee -Dnv -c # Hardware boot.loader.grub.device = "/dev/sda"; diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 99303b604..ff34ee843 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix 
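Review bot: The string two entries below the added `config.krebs.users.lass.pubkey` fuses two keys into one authorized_keys entry (`… toerb@mittagspause ssh-ed25519 AAAAC3… momo@k2.local` inside a single pair of quotes), so sshd treats everything after the first key as that key's comment and the ed25519 key for momo@k2.local is never authorized; this is pre-existing context rather than new code, but touching the list is the moment to split it into two strings. With the list now mixing `config.krebs.users.*.pubkey` references and literal keys, moving the remaining literals into krebs users would also keep one place for revocation. The enclosing user definition starts before the hunk.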
@@ -53,9 +53,10 @@ in { ../2configs/omo-share.nix ../2configs/tinc/retiolum.nix ../2configs/logging/central-stats-server.nix - ../2configs/logging/central-logging-server.nix + # ../2configs/logging/central-logging-server.nix ../2configs/logging/central-stats-client.nix - ../2configs/logging/central-logging-client.nix + ../2configs/syncthing.nix + # ../2configs/logging/central-logging-client.nix # ../2configs/torrent.nix diff --git a/makefu/2configs/ipfs.nix b/makefu/2configs/ipfs.nix new file mode 100644 index 000000000..cc07e063d --- /dev/null +++ b/makefu/2configs/ipfs.nix @@ -0,0 +1,5 @@ +{...}: +{ + services.ipfs.enable = true; + networking.firewall.allowedTCPPorts = [ 4001 ]; +} diff --git a/makefu/2configs/syncthing.nix b/makefu/2configs/syncthing.nix new file mode 100644 index 000000000..6b758ea2d --- /dev/null +++ b/makefu/2configs/syncthing.nix @@ -0,0 +1,11 @@ +{...}: + +with import ; { + services.syncthing = { + enable = true; + openDefaultPorts = true; + useInotify = true; + group = "download"; + }; + users.extraGroups.download.gid = genid "download"; +} From ff038698d1dd68b5d4c512c2214198b5d975594c Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 17 Apr 2017 13:11:32 +0200 Subject: [PATCH 22/58] m 2 urxvtd: init --- makefu/1systems/x.nix | 3 ++- makefu/2configs/base-gui.nix | 5 ++++- makefu/2configs/urxvtd.nix | 21 +++++++++++++++++++++ makefu/5pkgs/awesomecfg/full.cfg | 2 +- 4 files changed, 28 insertions(+), 3 deletions(-) create mode 100644 makefu/2configs/urxvtd.nix diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index 9cedc04a8..51c9543ef 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix @@ -2,6 +2,7 @@ # # { config, pkgs, ... }: +with import ; { imports = @@ -78,7 +79,7 @@ }; boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; - environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ]; + environment.systemPackages = [ pkgs.passwdqc-utils ]; virtualisation.docker.enable = true; 
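Review bot: `openDefaultPorts = true` in the new makefu/2configs/syncthing.nix opens 22000/tcp and 21027/udp through `networking.firewall` on every interface of gum and omo, and gum appears to be the host carrying the public `nets.internet` address in this series; unless public syncthing peers are wanted, a comment stating that, or a retiolum-only interface rule in place of the blanket open, is worth adding. The new ipfs.nix opens 4001 the same way but its only import (in gum.nix) is commented out, so that opening is dormant for now; a note in ipfs.nix saying it is not yet enabled anywhere would avoid surprises when it is.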
diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix index ba4c551b3..1a19ab36b 100644 --- a/makefu/2configs/base-gui.nix +++ b/makefu/2configs/base-gui.nix @@ -16,7 +16,10 @@ let mainUser = config.krebs.build.user.name; in { - imports = [ ]; + imports = [ + ./urxvtd.nix + ]; + services.xserver = { enable = true; layout = "us"; diff --git a/makefu/2configs/urxvtd.nix b/makefu/2configs/urxvtd.nix new file mode 100644 index 000000000..286b87ab3 --- /dev/null +++ b/makefu/2configs/urxvtd.nix @@ -0,0 +1,21 @@ +{ config, pkgs, ... }: + +let + mainUser = config.krebs.build.user.name; +in { + systemd.services.urxvtd = { + wantedBy = [ "multi-user.target" ]; + before = [ "graphical.target" ]; + reloadIfChanged = true; + serviceConfig = { + SyslogIdentifier = "urxvtd"; + ExecReload = "${pkgs.coreutils}/bin/echo NOP"; + ExecStart = "${pkgs.rxvt_unicode_with-plugins}/bin/urxvtd"; + Restart = "always"; + RestartSec = "2s"; + StartLimitBurst = 0; + User = mainUser; + }; + }; + # TODO: sessionCommands from base-gui related to urxvt in this file +} diff --git a/makefu/5pkgs/awesomecfg/full.cfg b/makefu/5pkgs/awesomecfg/full.cfg index e43341d25..73ff42e9f 100644 --- a/makefu/5pkgs/awesomecfg/full.cfg +++ b/makefu/5pkgs/awesomecfg/full.cfg @@ -90,7 +90,7 @@ client.connect_signal("focus", function(c) c.border_color = beautiful.border_foc client.connect_signal("unfocus", function(c) c.border_color = beautiful.border_normal end) -- This is used later as the default terminal and editor to run. -terminal = "urxvt" +terminal = "urxvtc" editor = os.getenv("EDITOR") or "vim" editor_cmd = terminal .. " -e " .. editor browser = "firefox" From 24260ff6d43e390d500655de5991e95f11654d8c Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 17 Apr 2017 13:12:16 +0200 Subject: [PATCH 23/58] m 2 default: 2982661 -> 4fac473 --- makefu/2configs/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
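Review bot: The urxvtd unit pairs `reloadIfChanged = true` with `ExecReload = "${pkgs.coreutils}/bin/echo NOP"`, which makes a rebuild skip restarting the daemon, but the reason is not recorded; a comment like `# reload is a no-op so that switching the configuration does not kill every open urxvt client` would stop the next reader from "fixing" it. `StartLimitBurst` moved from [Service] to [Unit] in systemd 230, so under `serviceConfig` it is at best accepted with a warning; `unitConfig.StartLimitBurst` (or `StartLimitIntervalSec = 0`) is the cleaner placement, depending on the systemd version in the pinned nixpkgs.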
diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index cd9b4c056..0865c3a31 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -11,7 +11,7 @@ with import ; ./vim.nix ./binary-cache/nixos.nix ]; - + programs.command-not-found.enable = false; nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name); krebs = { enable = true; @@ -22,7 +22,7 @@ with import ; user = config.krebs.users.makefu; source = let inherit (config.krebs.build) host user; - ref = "2982661"; # unstable @ 2017-03-31 + cups-dymo + snapraid-11.1 + ref = "4fac473"; # unstable @ 2017-03-31 + command-not-found in { nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then { From 729b0ed1c0779480cae6fb9c8d1dde314fd6f4ad Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 17 Apr 2017 13:13:07 +0200 Subject: [PATCH 24/58] m 2 tools: add packages --- makefu/2configs/tools/core-gui.nix | 2 +- makefu/2configs/tools/core.nix | 1 + makefu/2configs/tools/extra-gui.nix | 1 + makefu/2configs/tools/sec.nix | 1 + 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/makefu/2configs/tools/core-gui.nix b/makefu/2configs/tools/core-gui.nix index 6d62e92c0..0538647ae 100644 --- a/makefu/2configs/tools/core-gui.nix +++ b/makefu/2configs/tools/core-gui.nix @@ -12,11 +12,11 @@ firefox keepassx pcmanfm + evince skype mirage tightvnc gnome3.dconf - wireshark xdotool xorg.xbacklight scrot diff --git a/makefu/2configs/tools/core.nix b/makefu/2configs/tools/core.nix index 86d72c662..6ae2951eb 100644 --- a/makefu/2configs/tools/core.nix +++ b/makefu/2configs/tools/core.nix @@ -40,6 +40,7 @@ cac-api cac-panel krebspaste + krebszones ledger pass ]; diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix index 9cfacf408..596734dd5 100644 --- a/makefu/2configs/tools/extra-gui.nix +++ b/makefu/2configs/tools/extra-gui.nix 
@@ -4,6 +4,7 @@ krebs.per-user.makefu.packages = with pkgs;[ inkscape gimp + libreoffice skype virtmanager synergy diff --git a/makefu/2configs/tools/sec.nix b/makefu/2configs/tools/sec.nix index 5ab699f35..e53d9ee8e 100644 --- a/makefu/2configs/tools/sec.nix +++ b/makefu/2configs/tools/sec.nix @@ -11,5 +11,6 @@ nmap msf thc-hydra + wireshark ]; } From 9d7e9bf4a9630bb763d7d7bff7880c70405c7ea3 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 17 Apr 2017 13:13:35 +0200 Subject: [PATCH 25/58] m 1 shoney: graphs -> graph --- makefu/1systems/shoney.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix index 96aeb2856..9f04e97eb 100644 --- a/makefu/1systems/shoney.nix +++ b/makefu/1systems/shoney.nix @@ -31,7 +31,7 @@ in { anonymous-domain = "localhost.localdomain"; anonymous.extraConfig = "return 403;"; complete = { - serverAliases = [ "graphs.siem" ]; + serverAliases = [ "graph.siem" ]; extraConfig = '' if ( $server_addr = "${ip}" ) { return 403; From 865aa9c1d0198fbd57342c7593396bf4f007e71f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Apr 2017 23:32:43 +0200 Subject: [PATCH 26/58] l 1 mors: disable ipfs --- lass/1systems/mors.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index c196b391a..8891d1829 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -76,10 +76,6 @@ with import ; { services.redis.enable = true; } - { - #ipfs-testing - services.ipfs.enable = true; - } { environment.systemPackages = [ pkgs.krebszones From 6a53a331d11fcf1ff1d36645c3bd42c4c9d0c51c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Apr 2017 23:33:54 +0200 Subject: [PATCH 27/58] l 1 iso: make sshd work --- lass/1systems/iso.nix | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix index bee1c148f..01d698c4c 100644 --- a/lass/1systems/iso.nix +++ b/lass/1systems/iso.nix 
@@ -15,7 +15,6 @@ with import ; krebs.enable = true; krebs.build.user = config.krebs.users.lass; krebs.build.host = config.krebs.hosts.iso; - krebs.build.source.nixos-config.symlink = "stockholm/lass/1systems/${config.krebs.buil.host.name}.nix"; } { nixpkgs.config.allowUnfree = true; @@ -122,18 +121,12 @@ with import ; { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } ]; }; + systemd.services.sshd.wantedBy = mkForce [ "multi-user.target" ]; } { krebs.iptables = { enable = true; tables = { - nat.PREROUTING.rules = [ - { predicate = "! -i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } - { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } - ]; - nat.OUTPUT.rules = [ - { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } - ]; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; filter.INPUT.rules = [ From bd58053b7e8123850ca04601505efadace807100 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Apr 2017 23:34:25 +0200 Subject: [PATCH 28/58] l 2: add sshn to pkgs --- lass/2configs/default.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index 69f8a681e..b53efa75d 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -151,6 +151,10 @@ with import ; p7zip unzip unrar + + (pkgs.writeDashBin "sshn" '' + ${pkgs.openssh}/bin/ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$@" + '') ]; programs.bash = { From cb36b4fb7cd4c51b89328a06ba0b994d627813aa Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Apr 2017 23:35:02 +0200 Subject: [PATCH 29/58] l 1 mors: enable tor --- lass/1systems/mors.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 8891d1829..d80665a6b 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix 
@@ -85,6 +85,12 @@ with import ; #ps vita stuff boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; } + { + services.tor = { + enable = true; + client.enable = true; + }; + } ]; krebs.build.host = config.krebs.hosts.mors; From b3463a3b8227a0732b1c3c4c90998f24c8ab1edf Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 16 Apr 2017 23:35:25 +0200 Subject: [PATCH 30/58] l 2: add syncthing.nix --- lass/1systems/mors.nix | 1 + lass/1systems/prism.nix | 1 + lass/2configs/syncthing.nix | 12 ++++++++++++ 3 files changed, 14 insertions(+) create mode 100644 lass/2configs/syncthing.nix diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index d80665a6b..c8d9465d5 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -25,6 +25,7 @@ with import ; ../2configs/repo-sync.nix ../2configs/ircd.nix ../2configs/logf.nix + ../2configs/syncthing.nix { #risk of rain port krebs.iptables.tables.filter.INPUT.rules = [ diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 9c17c4433..41a909f16 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -46,6 +46,7 @@ in { ../2configs/monitoring/server.nix ../2configs/monitoring/monit-alarms.nix ../2configs/paste.nix + ../2configs/syncthing.nix { imports = [ ../2configs/bepasty.nix diff --git a/lass/2configs/syncthing.nix b/lass/2configs/syncthing.nix new file mode 100644 index 000000000..cef43d1e6 --- /dev/null +++ b/lass/2configs/syncthing.nix @@ -0,0 +1,12 @@ +{ config, pkgs, ... }: +with import ; +{ + services.syncthing = { + enable = true; + useInotify = true; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 22000"; target = "ACCEPT";} + { predicate = "-p udp --dport 21027"; target = "ACCEPT";} + ]; +} From 87acf579a91c5fb41393d5ffe027d287194205a4 Mon Sep 17 00:00:00 2001 
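Review bot: The two ACCEPT rules in the new lass/2configs/syncthing.nix carry no `-i` predicate, so 22000/tcp and 21027/udp are open on every interface of mors and prism, including prism's public one. Syncthing's peer authentication (device IDs over TLS) makes that the usual choice for the sync port, but the decision should be visible; a comment above the rules such as `# sync (22000/tcp) and local discovery (21027/udp) on all interfaces; the GUI port stays closed` does that. makefu's syncthing.nix later in this series (`openDefaultPorts = true`) has the same exposure and would take the same comment.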
From: makefu Date: Sat, 15 Apr 2017 18:55:15 +0200 Subject: [PATCH 31/58] k 5 tinc_graphs: bump to 0.3.10 --- krebs/5pkgs/tinc_graphs/default.nix | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/krebs/5pkgs/tinc_graphs/default.nix b/krebs/5pkgs/tinc_graphs/default.nix index e5f1e40e8..20bbc53ba 100644 --- a/krebs/5pkgs/tinc_graphs/default.nix +++ b/krebs/5pkgs/tinc_graphs/default.nix @@ -2,14 +2,14 @@ python3Packages.buildPythonPackage rec { name = "tinc_graphs-${version}"; - version = "0.3.9"; + version = "0.3.10"; propagatedBuildInputs = with pkgs;[ python3Packages.pygeoip ## ${geolite-legacy}/share/GeoIP/GeoIPCity.dat ]; src = fetchurl { - url = "https://pypi.python.org/packages/source/t/tinc_graphs/tinc_graphs-${version}.tar.gz"; - sha256 = "0hjmkiclvyjb3707285x4b8mk5aqjcvh383hvkad1h7p1n61qrfx"; + url = "mirror://pypi/t/tinc_graphs/${name}.tar.gz"; + sha256 = "0f4cvb9424fhfmc0hbzmynzh9528fyhx00ayq1nbpgd1p89yw7mc"; }; preFixup = with pkgs;'' wrapProgram $out/bin/build-graphs --prefix PATH : "$out/bin" From 3b0fa5dbe7a7e4f0b6047746545b1ce602f8e65f Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 17 Apr 2017 15:43:10 +0200 Subject: [PATCH 32/58] l 2 baseX: remove redundant libvirt --- lass/2configs/baseX.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 3032e244f..9c51effdc 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -32,8 +32,6 @@ in { time.timeZone = "Europe/Berlin"; - virtualisation.libvirtd.enable = true; - programs.ssh.startAgent = false; services.printing = { From 7c89a9be2b7d41e0feba0a51c6e80bf046179f65 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 18 Apr 2017 17:04:40 +0200 Subject: [PATCH 33/58] l 2 buildbot: get stockholm source from cgit.prism --- lass/2configs/buildbot-standalone.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix index 3006e9dfb..7b38e44c6 100644 --- a/lass/2configs/buildbot-standalone.nix +++ b/lass/2configs/buildbot-standalone.nix @@ -20,7 +20,7 @@ in { }; config.krebs.buildbot.master = let - stockholm-mirror-url = http://cgit.lassul.us/stockholm ; + stockholm-mirror-url = http://cgit.prism.r/stockholm ; in { workers = { testworker = "lasspass"; From 4e55661dc4e32af76f074f57c035136a7e7b3869 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 18 Apr 2017 17:04:59 +0200 Subject: [PATCH 34/58] l 2: set dnscrypt resolver to cs-de --- lass/2configs/default.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index b53efa75d..e964704c3 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -64,7 +64,10 @@ with import ; ]; } { - services.dnscrypt-proxy.enable = true; + services.dnscrypt-proxy = { + enable = true; + resolverName = "cs-de"; + }; networking.extraResolvconfConf = '' name_servers='127.0.0.1' ''; From 5443d2b08ba11323844dcd4b4b79c7580c4029ef Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 18 Apr 2017 17:05:18 +0200 Subject: [PATCH 35/58] l 2 fetchWallpaper: get new wp from prism --- lass/2configs/fetchWallpaper.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/fetchWallpaper.nix b/lass/2configs/fetchWallpaper.nix index 971be9588..31a01c754 100644 --- a/lass/2configs/fetchWallpaper.nix +++ b/lass/2configs/fetchWallpaper.nix @@ -6,7 +6,7 @@ in { krebs.fetchWallpaper = { enable = true; unitConfig.ConditionPathExists = "!/var/run/ppp0.pid"; - url = "prism/wallpaper.png"; + url = "prism/realwallpaper-sat-krebs.png"; maxTime = 10; }; } From a773c4c1db47312f5bc8b564b870a826e3bff5fc Mon Sep 17 00:00:00 2001 
From: tv Date: Sat, 15 Apr 2017 14:32:05 +0200 Subject: [PATCH 36/58] tv nixpkgs: 5acb454 -> 76c6313 --- tv/2configs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index cbbd5c439..8d7ed2b4f 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -14,7 +14,7 @@ with import ; stockholm.file = "/home/tv/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "5acb454e2ad3e3783e63b86a9a31e800d2507e66"; # nixos-17.03 + ref = "76c63133c5310d362c7c23157616b263db9a9510"; # nixos-17.03 }; } // optionalAttrs host.secure { secrets-master.file = "/home/tv/secrets/master"; From 0efdaf3a2d66a6166b135818748bd1da5e32ab12 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 17 Apr 2017 13:46:38 +0200 Subject: [PATCH 37/58] tv nixpkgs: 76c6313 -> b647a67 --- tv/2configs/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tv/2configs/default.nix b/tv/2configs/default.nix index 8d7ed2b4f..ede73f4e5 100644 --- a/tv/2configs/default.nix +++ b/tv/2configs/default.nix @@ -14,7 +14,7 @@ with import ; stockholm.file = "/home/tv/stockholm"; nixpkgs.git = { url = https://github.com/NixOS/nixpkgs; - ref = "76c63133c5310d362c7c23157616b263db9a9510"; # nixos-17.03 + ref = "b647a67dfee066b75d2f54b789f7646016662071"; # nixos-17.03 }; } // optionalAttrs host.secure { secrets-master.file = "/home/tv/secrets/master"; From 6df0b60f8af8a486ec89f6630e827720efd445ca Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 17 Apr 2017 15:45:32 +0200 Subject: [PATCH 38/58] wolf: cleanup --- shared/1systems/wolf.nix | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix index 722a08812..0b4448022 100644 --- a/shared/1systems/wolf.nix +++ b/shared/1systems/wolf.nix 
@@ -1,20 +1,18 @@ -{ config, lib, pkgs, ... }: - +{ config, pkgs, ... }: let shack-ip = config.krebs.build.host.nets.shack.ip4.addr; - internal-ip = config.krebs.build.host.nets.retiolum.ip4.addr; in { imports = [ ../. - ../2configs/collectd-base.nix - ../2configs/shack-nix-cacher.nix - ../2configs/shack-drivedroid.nix - ../2configs/shared-buildbot.nix ../2configs/cgit-mirror.nix - ../2configs/repo-sync.nix + ../2configs/collectd-base.nix ../2configs/graphite.nix + ../2configs/repo-sync.nix + ../2configs/shack-drivedroid.nix + ../2configs/shack-nix-cacher.nix + ../2configs/shared-buildbot.nix ../2configs/share-shack.nix ]; # use your own binary cache, fallback use cache.nixos.org (which is used by From 6b453f7068e4eff470821341e9fcfdbb6d5483ca Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 17 Apr 2017 15:46:45 +0200 Subject: [PATCH 39/58] shared shack-drivedroid: krebs.nginx -> services.nginx --- shared/2configs/shack-drivedroid.nix | 30 ++++++++++++++-------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/shared/2configs/shack-drivedroid.nix b/shared/2configs/shack-drivedroid.nix index 3581f9e96..07fcffa42 100644 --- a/shared/2configs/shack-drivedroid.nix +++ b/shared/2configs/shack-drivedroid.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, config, ... }: +{ config, pkgs, ... }: with import ; let repodir = "/var/srv/drivedroid"; @@ -7,6 +7,20 @@ in { environment.systemPackages = [ pkgs.drivedroid-gen-repo ]; + services.nginx = { + enable = mkDefault true; + virtualHosts.shack-drivedroid = { + serverAliases = [ + "drivedroid.shack" + ]; + # TODO: prepare this somehow + locations."/".extraConfig = '' + root ${repodir}; + index main.json; + ''; + }; + }; + systemd.services.drivedroid = { description = "generates drivedroid repo file"; restartIfChanged = true; 
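Review bot: With the move from krebs.nginx to services.nginx in the shack-drivedroid hunk, the catch-all `default404` server that krebs.nginx emitted (its purpose is spelled out in the deleted nginx.nix later in this series: avoid accidental exposure of vhosts to requests without a matching Host) is gone, and services.nginx adds no such server, so requests reaching wolf by IP or with an unknown Host header are answered by whichever virtualHost nginx treats as default instead of with 404. The shack-nix-cacher and retiolum-bootstrap hunks that follow lose the same protection, so the fix belongs in one shared place rather than per file. If the pinned module exposes the virtualHost `default` option, `virtualHosts.default404 = { default = true; locations."/".extraConfig = "return 404;"; };` restores the old behaviour; otherwise an equivalent `server { listen 80 default_server; server_name _; return 404; }` in the http config does. A one-line comment next to it, `# explicit default server so unknown hosts get 404, as krebs.nginx did`, records why it exists.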
@@ -27,18 +41,4 @@ in ''; }; }; - - krebs.nginx = { - enable = lib.mkDefault true; - servers = { - drivedroid-repo = { - server-names = [ "drivedroid.shack" ]; - # TODO: prepare this somehow - locations = lib.singleton (lib.nameValuePair "/" '' - root ${repodir}; - index main.json; - ''); - }; - }; - }; } From 82aa7c6f101c16d7e2607f3429cfbb222c572438 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 17 Apr 2017 15:47:07 +0200 Subject: [PATCH 40/58] shared shack-nix-cacher: krebs.nginx -> services.nginx --- shared/2configs/shack-nix-cacher.nix | 37 +++++++++++++++------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/shared/2configs/shack-nix-cacher.nix b/shared/2configs/shack-nix-cacher.nix index 7519bb3ac..4fcbf3a4e 100644 --- a/shared/2configs/shack-nix-cacher.nix +++ b/shared/2configs/shack-nix-cacher.nix @@ -1,25 +1,28 @@ -{ pkgs, lib, ... }: - +{ config, pkgs, ... }: +with import ; +let + cfg = config.krebs.apt-cacher-ng; +in { - krebs.nginx = { - enable = lib.mkDefault true; - servers = { - apt-cacher-ng = { - server-names = [ "acng.shack" ]; - locations = lib.singleton (lib.nameValuePair "/" '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://localhost:3142/; - ''); - }; - }; - }; - krebs.apt-cacher-ng = { enable = true; port = 3142; bindAddress = "localhost"; cacheExpiration = 30; }; + + services.nginx = { + enable = mkDefault true; + virtualHosts.shack-nix-cacher = { + serverAliases = [ + "acng.shack" + ]; + locations."/".extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass http://localhost:${toString cfg.port}/; + ''; + }; + }; } From d34d95ec3ed4230faa2dc9dd90938e9991dd73d7 Mon Sep 17 00:00:00 2001 
From: tv Date: Mon, 17 Apr 2017 15:59:27 +0200 Subject: [PATCH 41/58] shared shack-drivedroid: cleanup --- shared/2configs/shack-drivedroid.nix | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/shared/2configs/shack-drivedroid.nix b/shared/2configs/shack-drivedroid.nix index 07fcffa42..12e4a39c3 100644 --- a/shared/2configs/shack-drivedroid.nix +++ b/shared/2configs/shack-drivedroid.nix @@ -1,8 +1,7 @@ { config, pkgs, ... }: with import ; let - repodir = "/var/srv/drivedroid"; - srepodir = shell.escape repodir; + root = "/var/srv/drivedroid"; in { environment.systemPackages = [ pkgs.drivedroid-gen-repo ]; @@ -15,28 +14,34 @@ in ]; # TODO: prepare this somehow locations."/".extraConfig = '' - root ${repodir}; + root ${root}; index main.json; ''; }; }; - systemd.services.drivedroid = { + systemd.services.drivedroid-gen-repo = { description = "generates drivedroid repo file"; - restartIfChanged = true; + path = [ + pkgs.coreutils + pkgs.drivedroid-gen-repo + pkgs.inotify-tools + ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "simple"; Restart = "always"; - ExecStartPre = pkgs.writeScript "prepare-drivedroid-gen-repo" '' - #!/bin/sh - mkdir -p ${srepodir}/repos + ExecStartPre = pkgs.writeDash "prepare-drivedroid-gen-repo" '' + mkdir -p ${root}/repos ''; - ExecStart = pkgs.writeScript "start-drivedroid-gen-repo" '' - #!/bin/sh + ExecStart = pkgs.writeDash "start-drivedroid-gen-repo" '' + set -efu + cd ${root} while sleep 60; do - ${pkgs.inotify-tools}/bin/inotifywait -r ${srepodir} && ${pkgs.drivedroid-gen-repo}/bin/drivedroid-gen-repo --chdir "${srepodir}" repos/ > "${srepodir}/main.json" + if inotifywait -r .; then + drivedroid-gen-repo repos > main.json + fi done ''; }; From 57b4a87962e273525a0e3a955ae4a13ca45c59f3 Mon Sep 17 00:00:00 2001 
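Review bot: `drivedroid-gen-repo repos > main.json` in the new ExecStart truncates and rewrites the file nginx serves as the repo index in place, so a client fetching during regeneration receives an empty or partial main.json. Writing to a sibling file and renaming keeps the served copy consistent: `drivedroid-gen-repo repos > main.json.tmp && mv main.json.tmp main.json`. The unit still runs as root (no `User` in serviceConfig) although it only needs to write under /var/srv/drivedroid; a dedicated user owning that directory would be the least-privilege shape. Under `set -e` the `inotifywait` inside the `if` condition does not abort the loop when it fails, which is presumably intended and worth a comment on the `if` line.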
From: tv Date: Mon, 17 Apr 2017 16:20:05 +0200 Subject: [PATCH 42/58] retiolum-bootstrap: krebs.nginx -> services.nginx --- krebs/3modules/retiolum-bootstrap.nix | 58 +++++++++------------------ 1 file changed, 20 insertions(+), 38 deletions(-) diff --git a/krebs/3modules/retiolum-bootstrap.nix b/krebs/3modules/retiolum-bootstrap.nix index 4bcd596d4..53b06a702 100644 --- a/krebs/3modules/retiolum-bootstrap.nix +++ b/krebs/3modules/retiolum-bootstrap.nix 
@@ -1,53 +1,38 @@ -{ config, lib, pkgs, ... }: - +{ config, pkgs, ... }: with import ; let cfg = config.krebs.retiolum-bootstrap; - - out = { - options.krebs.retiolum-bootstrap = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "retiolum boot strap for tinc.krebsco.de"; - hostname = mkOption { +in +{ + options.krebs.retiolum-bootstrap = { + enable = mkEnableOption "retiolum boot strap for ${cfg.serverName}"; + serverName = mkOption { type = types.str; description = "hostname which serves tinc boot"; default = "tinc.krebsco.de" ; }; - listen = mkOption { - type = with types; listOf str; - description = ''Addresses to listen on (nginx-syntax). - ssl will be configured, http will be redirected to ssl. - Make sure to have at least 1 ssl port configured. - ''; - default = [ "80" "443 ssl" ] ; - }; - ssl_certificate_key = mkOption { - type = types.str; - description = "Certificate key to use for ssl"; - default = "${toString }/tinc.krebsco.de.key"; - }; - ssl_certificate = mkOption { + sslCertificate = mkOption { type = types.str; description = "Certificate file to use for ssl"; default = "${toString }/tinc.krebsco.de.crt" ; }; + sslCertificateKey = mkOption { + type = types.str; + description = "Certificate key to use for ssl"; + default = "${toString }/tinc.krebsco.de.key"; + }; # in use: # # }; - imp = { - krebs.nginx.servers = assert config.krebs.nginx.enable; { - retiolum-boot-ssl = { - server-names = singleton cfg.hostname; - listen = cfg.listen; - extraConfig = '' - ssl_certificate ${cfg.ssl_certificate}; - ssl_certificate_key ${cfg.ssl_certificate_key}; - + config = mkIf cfg.enable { + services.nginx = { + enable = mkDefault true; + virtualHosts.retiolum-bootstrap = { + inherit (cfg) serverName sslCertificate sslCertificateKey; + enableSSL = true; + extraConfig ='' if ($scheme = http){ return 301 https://$server_name$request_uri; } 
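Review bot: The new services.nginx virtualHost sets `enableSSL = true` with cfg's certificate but drops the explicit `ssl_protocols`, `ssl_ciphers` and `ssl_prefer_server_ciphers` lines krebs.nginx used to emit (visible in the deleted nginx.nix later in this series, with defaults `TLSv1.1 TLSv1.2` and `AES128+EECDH:AES128+EDH`), so the TLS parameters of the bootstrap host now come from the services.nginx module defaults of the pinned nixpkgs — check they are at least as strict and pin them in `extraConfig` if not. The `if ($scheme = http)` block in extraConfig reproduces the old redirect; if the pinned module offers the `forceSSL` virtualHost option, it expresses the same intent without an nginx `if`. The `enable` description interpolates `cfg.serverName`, i.e. reads the module's own config while declaring its options; this presumably evaluates lazily, but a literal string sidesteps the question. The virtualHost attribute set continues into the next hunk.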
@@ -55,10 +40,7 @@ let root ${pkgs.retiolum-bootstrap}; try_files $uri $uri/retiolum.sh; ''; - locations = []; }; }; }; - -in -out +} From c577d6b9972203941c577d9fb5488345d5fe84b5 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 17 Apr 2017 16:22:09 +0200 Subject: [PATCH 43/58] krebs.nginx: RIP --- krebs/3modules/bepasty-server.nix | 2 +- krebs/3modules/buildbot/master.nix | 1 - krebs/3modules/default.nix | 1 - krebs/3modules/nginx.nix | 190 --------------------- shared/1systems/test-all-krebs-modules.nix | 1 - 5 files changed, 1 insertion(+), 194 deletions(-) delete mode 100644 krebs/3modules/nginx.nix diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix index 4e035e725..0ca13366b 100644 --- a/krebs/3modules/bepasty-server.nix +++ b/krebs/3modules/bepasty-server.nix @@ -37,7 +37,7 @@ let # TODO use the correct type type = with types; attrsOf unspecified; description = '' - additional nginx configuration. see krebs.nginx for all options + Additional nginx configuration. ''; }; secretKey = mkOption { diff --git a/krebs/3modules/buildbot/master.nix b/krebs/3modules/buildbot/master.nix index b31661572..d75e6c880 100644 --- a/krebs/3modules/buildbot/master.nix +++ b/krebs/3modules/buildbot/master.nix @@ -78,7 +78,6 @@ let # stopAllBuilds = 'auth', # cancelPendingBuild = 'auth' #) - # TODO: configure krebs.nginx c['www'] = dict( port = ${toString cfg.web.port}, plugins = { 'waterfall_view':{}, 'console_view':{} } diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 37db5bfe7..d539d4166 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -26,7 +26,6 @@ let ./kapacitor.nix ./monit.nix ./newsbot-js.nix - ./nginx.nix ./nixpkgs.nix ./on-failure.nix ./os-release.nix diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix deleted file mode 100644 index b28e97e37..000000000 --- a/krebs/3modules/nginx.nix +++ /dev/null 
@@ -1,190 +0,0 @@ -{ config, lib, pkgs, ... }: - -with import ; -let - cfg = config.krebs.nginx; - - out = { - options.krebs.nginx = api; - config = lib.mkIf cfg.enable imp; - }; - - api = { - enable = mkEnableOption "krebs.nginx"; - - default404 = mkOption { - type = types.bool; - default = true; - description = '' - By default all requests not directed to an explicit hostname are - replied with a 404 error to avoid accidental exposition of nginx - services. - - Set this value to `false` to disable this behavior - you will then be - able to configure a new `default_server` in the listen address entries - again. - ''; - }; - - servers = mkOption { - type = types.attrsOf (types.submodule { - options = { - server-names = mkOption { - type = with types; listOf str; - default = - [config.krebs.build.host.name] ++ - concatMap (getAttr "aliases") - (attrValues config.krebs.build.host.nets); - }; - listen = mkOption { - type = with types; either str (listOf str); - default = "80"; - apply = x: - if typeOf x != "list" - then [x] - else x; - }; - locations = mkOption { - type = with types; listOf (attrsOf str); - default = []; - }; - extraConfig = mkOption { - type = with types; string; - default = ""; - }; - ssl = mkOption { - type = with types; submodule ({ config, ... 
}: { - options = { - enable = mkEnableOption "ssl"; - acmeEnable = mkOption { - type = bool; - apply = x: - if x && config.enable - #conflicts because of certificate/certificate_key location - then throw "can't use ssl.enable and ssl.acmeEnable together" - else x; - default = false; - description = '' - enables automatical generation of lets-encrypt certificates and setting them as certificate - conflicts with ssl.enable - ''; - }; - certificate = mkOption { - type = str; - }; - certificate_key = mkOption { - type = str; - }; - #TODO: check for valid cipher - ciphers = mkOption { - type = str; - default = "AES128+EECDH:AES128+EDH"; - }; - prefer_server_ciphers = mkOption { - type = bool; - default = true; - }; - force_encryption = mkOption { - type = bool; - default = false; - description = '' - redirect all `http` traffic to the same domain but with ssl - protocol. - ''; - }; - protocols = mkOption { - type = listOf (enum [ "SSLv2" "SSLv3" "TLSv1" "TLSv1.1" "TLSv1.2" ]); - default = [ "TLSv1.1" "TLSv1.2" ]; - - }; - }; - }); - default = {}; - }; - }; - }); - default = {}; - }; - }; - - imp = { - security.acme.certs = mapAttrs (_: to-acme) (filterAttrs (_: server: server.ssl.acmeEnable) cfg.servers); - services.nginx = { - enable = true; - httpConfig = '' - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - gzip on; - - ${optionalString cfg.default404 '' - server { - listen 80 default_server; - server_name _; - return 404; - }''} - - ${concatStrings (mapAttrsToList (_: to-server) cfg.servers)} - ''; - }; - }; - - to-acme = { server-names, ssl, ... }: - optionalAttrs ssl.acmeEnable { - email = "lassulus@gmail.com"; - webroot = "${config.security.acme.directory}/${head server-names}"; - }; - - to-location = { name, value }: '' - location ${name} { - ${indent value} - } - ''; - - to-server = { server-names, listen, locations, extraConfig, ssl, ... 
}: let - domain = head server-names; - acmeLocation = optionalAttrs ssl.acmeEnable (nameValuePair "/.well-known/acme-challenge" '' - root ${config.security.acme.certs.${domain}.webroot}; - ''); - in '' - server { - server_name ${toString (unique server-names)}; - ${concatMapStringsSep "\n" (x: indent "listen ${x};") listen} - ${optionalString ssl.enable (indent '' - ${optionalString ssl.force_encryption '' - if ($scheme = http){ - return 301 https://$server_name$request_uri; - } - ''} - listen 443 ssl; - ssl_certificate ${ssl.certificate}; - ssl_certificate_key ${ssl.certificate_key}; - ${optionalString ssl.prefer_server_ciphers '' - ssl_prefer_server_ciphers On; - ''} - ssl_ciphers ${ssl.ciphers}; - ssl_protocols ${toString ssl.protocols}; - '')} - ${optionalString ssl.acmeEnable (indent '' - ${optionalString ssl.force_encryption '' - if ($scheme = http){ - return 301 https://$server_name$request_uri; - } - ''} - listen 443 ssl; - ssl_certificate ${config.security.acme.directory}/${domain}/fullchain.pem; - ssl_certificate_key ${config.security.acme.directory}/${domain}/key.pem; - ${optionalString ssl.prefer_server_ciphers '' - ssl_prefer_server_ciphers On; - ''} - ssl_ciphers ${ssl.ciphers}; - ssl_protocols ${toString ssl.protocols}; - '')} - ${indent extraConfig} - ${optionalString ssl.acmeEnable (indent (to-location acmeLocation))} - ${indent (concatMapStrings to-location locations)} - } - ''; - -in -out diff --git a/shared/1systems/test-all-krebs-modules.nix b/shared/1systems/test-all-krebs-modules.nix index b42968cfb..39d7c494b 100644 --- a/shared/1systems/test-all-krebs-modules.nix +++ b/shared/1systems/test-all-krebs-modules.nix @@ -36,7 +36,6 @@ in { enable = true; tables = {}; }; - nginx.enable = true; realwallpaper.enable = true; tinc.retiolum.enable = true; retiolum-bootstrap.enable = true; From d53824e7b551759854c6e0ae77411c179a168754 Mon Sep 17 00:00:00 2001 
From: makefu Date: Mon, 17 Apr 2017 13:08:36 +0200 Subject: [PATCH 44/58] m: init syncthing for hosts --- makefu/1systems/fileleech.nix | 2 +- makefu/1systems/gum.nix | 5 +++-- makefu/1systems/omo.nix | 5 +++-- makefu/2configs/ipfs.nix | 5 +++++ makefu/2configs/syncthing.nix | 11 +++++++++++ 5 files changed, 23 insertions(+), 5 deletions(-) create mode 100644 makefu/2configs/ipfs.nix create mode 100644 makefu/2configs/syncthing.nix diff --git a/makefu/1systems/fileleech.nix b/makefu/1systems/fileleech.nix index 4f92c2b90..3aa5a54f8 100644 --- a/makefu/1systems/fileleech.nix +++ b/makefu/1systems/fileleech.nix @@ -32,7 +32,6 @@ in { ../2configs/elchos/log.nix ../2configs/elchos/search.nix ../2configs/elchos/stats.nix - ../2configs/stats-srv.nix ]; systemd.services.grafana.serviceConfig.LimitNOFILE=10032; @@ -129,6 +128,7 @@ in { # createHome = true; openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey + config.krebs.users.lass.pubkey "ssh-rsa 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 jules@kvasir-2015-02-13" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDINUD+p2yrc9KoTbCiuYhdfLlRu/eNX6BftToSMLs8O9qWQORjgXbDn8M9iUWXCHzdUZ9sm6Rz8TMdEV0jZq/nB01zYnW4NhMrt+NGtrmGqDa+eYrRZ4G7Rx8AYzM/ZSwERKX10txAVugV44xswRxWvFbCedujjXyWsxelf1ngb+Hiy9/CPuWNYEhTZs/YuvNkupCui2BuKuoSivJAkLhGk5YqwwcllCr39YXa/tFJWsgoQNcB9hwpzfhFm6Cc7m5DhmTWSVhQHEWyaas8Lukmd4v+mRY+KZpuhbomCHWzkxqzdBun8SXiiAKlgem9rtBIgeTEfz9OtOfF3/6VfqE7 toerb@mittagspause ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB0IP143FAHBHWjEEKGOnM8SSTIgNF1MJxGCMKaJvTHf momo@k2.local" "ssh-rsa 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 me@andreaskist.de" diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index c39997ebf..3186f8887 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix 
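Review bot: The added `config.krebs.users.lass.pubkey` grants a second person's key login to the account whose `openssh.authorizedKeys.keys` list this fileleech hunk edits (the user definition starts outside the hunk), and the patch subject (`m: init syncthing for hosts`) does not mention it. Access grants are easier to audit as their own commit with the reason stated; at minimum a trailing comment on the new line, `# lass: <reason — placeholder, fill in>`, records why the key is there. The literal keys in the surrounding context are unchanged, so this note covers only the added line.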
@@ -35,10 +35,12 @@ in { ../2configs/nginx/update.connector.one.nix ../2configs/deployment/mycube.connector.one.nix ../2configs/deployment/graphs.nix + # ../2configs/ipfs.nix + ../2configs/syncthing.nix # ../2configs/opentracker.nix ../2configs/logging/central-stats-client.nix - ../2configs/logging/central-logging-client.nix + # ../2configs/logging/central-logging-client.nix ]; services.smartd.devices = [ { device = "/dev/sda";} ]; @@ -79,7 +81,6 @@ in { ]; services.bitlbee.enable = true; systemd.services.bitlbee.environment.BITLBEE_DEBUG="1"; - # systemd.services.bitlbee.serviceConfig.ExecStart = "${pkgs.bitlbee}/bin/bitlbee -Dnv -c # Hardware boot.loader.grub.device = "/dev/sda"; diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index 99303b604..ff34ee843 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -53,9 +53,10 @@ in { ../2configs/omo-share.nix ../2configs/tinc/retiolum.nix ../2configs/logging/central-stats-server.nix - ../2configs/logging/central-logging-server.nix + # ../2configs/logging/central-logging-server.nix ../2configs/logging/central-stats-client.nix - ../2configs/logging/central-logging-client.nix + ../2configs/syncthing.nix + # ../2configs/logging/central-logging-client.nix # ../2configs/torrent.nix diff --git a/makefu/2configs/ipfs.nix b/makefu/2configs/ipfs.nix new file mode 100644 index 000000000..cc07e063d --- /dev/null +++ b/makefu/2configs/ipfs.nix @@ -0,0 +1,5 @@ +{...}: +{ + services.ipfs.enable = true; + networking.firewall.allowedTCPPorts = [ 4001 ]; +} diff --git a/makefu/2configs/syncthing.nix b/makefu/2configs/syncthing.nix new file mode 100644 index 000000000..6b758ea2d --- /dev/null +++ b/makefu/2configs/syncthing.nix @@ -0,0 +1,11 @@ +{...}: + +with import ; { + services.syncthing = { + enable = true; + openDefaultPorts = true; + useInotify = true; + group = "download"; + }; + users.extraGroups.download.gid = genid "download"; +} 
From 6436eac7b9081c3a2f06aff5c27c40a2f54a4eff Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 17 Apr 2017 13:11:32 +0200 Subject: [PATCH 45/58] m 2 urxvtd: init --- makefu/1systems/x.nix | 3 ++- makefu/2configs/base-gui.nix | 5 ++++- makefu/2configs/urxvtd.nix | 21 +++++++++++++++++++++ makefu/5pkgs/awesomecfg/full.cfg | 2 +- 4 files changed, 28 insertions(+), 3 deletions(-) create mode 100644 makefu/2configs/urxvtd.nix diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index 9cedc04a8..51c9543ef 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix @@ -2,6 +2,7 @@ # # { config, pkgs, ... }: +with import ; { imports = @@ -78,7 +79,7 @@ }; boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ]; - environment.systemPackages = [ pkgs.passwdqc-utils pkgs.bintray-upload ]; + environment.systemPackages = [ pkgs.passwdqc-utils ]; virtualisation.docker.enable = true; diff --git a/makefu/2configs/base-gui.nix b/makefu/2configs/base-gui.nix index ba4c551b3..1a19ab36b 100644 --- a/makefu/2configs/base-gui.nix +++ b/makefu/2configs/base-gui.nix @@ -16,7 +16,10 @@ let mainUser = config.krebs.build.user.name; in { - imports = [ ]; + imports = [ + ./urxvtd.nix + ]; + services.xserver = { enable = true; layout = "us"; diff --git a/makefu/2configs/urxvtd.nix b/makefu/2configs/urxvtd.nix new file mode 100644 index 000000000..286b87ab3 --- /dev/null +++ b/makefu/2configs/urxvtd.nix @@ -0,0 +1,21 @@ +{ config, pkgs, ... }: + +let + mainUser = config.krebs.build.user.name; +in { + systemd.services.urxvtd = { + wantedBy = [ "multi-user.target" ]; + before = [ "graphical.target" ]; + reloadIfChanged = true; + serviceConfig = { + SyslogIdentifier = "urxvtd"; + ExecReload = "${pkgs.coreutils}/bin/echo NOP"; + ExecStart = "${pkgs.rxvt_unicode_with-plugins}/bin/urxvtd"; + Restart = "always"; + RestartSec = "2s"; + StartLimitBurst = 0; + User = mainUser; + }; + }; + # TODO: sessionCommands from base-gui related to urxvt in this file +} 
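Review bot: The new urxvtd unit restarts without bound (`Restart = "always"`, `RestartSec = "2s"`, and `StartLimitBurst = 0`, which presumably switches off systemd's start-rate limit) and runs as `mainUser` as a system service, so a persistently failing daemon — no X socket yet, or a missing home directory — loops every two seconds in the journal indefinitely. A comment on the `StartLimitBurst` line stating why unlimited restarts are wanted, `# 0 = no start-rate limit: urxvtd may fail until X is up and should keep retrying`, makes the choice deliberate. `ExecReload = echo NOP` together with `reloadIfChanged = true` means a rebuild never restarts the daemon, so the running process keeps the old package's binary until it is restarted by hand; if that is to keep open terminals alive, say so in a comment next to `reloadIfChanged`.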
diff --git a/makefu/5pkgs/awesomecfg/full.cfg b/makefu/5pkgs/awesomecfg/full.cfg index e43341d25..73ff42e9f 100644 --- a/makefu/5pkgs/awesomecfg/full.cfg +++ b/makefu/5pkgs/awesomecfg/full.cfg @@ -90,7 +90,7 @@ client.connect_signal("focus", function(c) c.border_color = beautiful.border_foc client.connect_signal("unfocus", function(c) c.border_color = beautiful.border_normal end) -- This is used later as the default terminal and editor to run. -terminal = "urxvt" +terminal = "urxvtc" editor = os.getenv("EDITOR") or "vim" editor_cmd = terminal .. " -e " .. editor browser = "firefox" From c762622a293248f55e46ff83fb870df128a0fb59 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 17 Apr 2017 13:12:16 +0200 Subject: [PATCH 46/58] m 2 default: 2982661 -> 4fac473 --- makefu/2configs/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index cd9b4c056..0865c3a31 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -11,7 +11,7 @@ with import ; ./vim.nix ./binary-cache/nixos.nix ]; - + programs.command-not-found.enable = false; nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name); krebs = { enable = true; @@ -22,7 +22,7 @@ with import ; user = config.krebs.users.makefu; source = let inherit (config.krebs.build) host user; - ref = "2982661"; # unstable @ 2017-03-31 + cups-dymo + snapraid-11.1 + ref = "4fac473"; # unstable @ 2017-03-31 + command-not-found in { nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then { From 52ff49d7d5a7bc7a815fd457d69e028cfb9b8325 Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 17 Apr 2017 13:13:07 +0200 Subject: [PATCH 47/58] m 2 tools: add packages --- makefu/2configs/tools/core-gui.nix | 2 +- makefu/2configs/tools/core.nix | 1 + makefu/2configs/tools/extra-gui.nix | 1 + makefu/2configs/tools/sec.nix | 1 + 4 files changed, 4 insertions(+), 1 deletion(-) 
diff --git a/makefu/2configs/tools/core-gui.nix b/makefu/2configs/tools/core-gui.nix index 6d62e92c0..0538647ae 100644 --- a/makefu/2configs/tools/core-gui.nix +++ b/makefu/2configs/tools/core-gui.nix @@ -12,11 +12,11 @@ firefox keepassx pcmanfm + evince skype mirage tightvnc gnome3.dconf - wireshark xdotool xorg.xbacklight scrot diff --git a/makefu/2configs/tools/core.nix b/makefu/2configs/tools/core.nix index 86d72c662..6ae2951eb 100644 --- a/makefu/2configs/tools/core.nix +++ b/makefu/2configs/tools/core.nix @@ -40,6 +40,7 @@ cac-api cac-panel krebspaste + krebszones ledger pass ]; diff --git a/makefu/2configs/tools/extra-gui.nix b/makefu/2configs/tools/extra-gui.nix index 9cfacf408..596734dd5 100644 --- a/makefu/2configs/tools/extra-gui.nix +++ b/makefu/2configs/tools/extra-gui.nix @@ -4,6 +4,7 @@ krebs.per-user.makefu.packages = with pkgs;[ inkscape gimp + libreoffice skype virtmanager synergy diff --git a/makefu/2configs/tools/sec.nix b/makefu/2configs/tools/sec.nix index 5ab699f35..e53d9ee8e 100644 --- a/makefu/2configs/tools/sec.nix +++ b/makefu/2configs/tools/sec.nix @@ -11,5 +11,6 @@ nmap msf thc-hydra + wireshark ]; } From 456f20deda1d5d651a8c382aa8edc3cb59e26e7e Mon Sep 17 00:00:00 2001 From: makefu Date: Mon, 17 Apr 2017 13:13:35 +0200 Subject: [PATCH 48/58] m 1 shoney: graphs -> graph --- makefu/1systems/shoney.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/makefu/1systems/shoney.nix b/makefu/1systems/shoney.nix index 96aeb2856..9f04e97eb 100644 --- a/makefu/1systems/shoney.nix +++ b/makefu/1systems/shoney.nix @@ -31,7 +31,7 @@ in { anonymous-domain = "localhost.localdomain"; anonymous.extraConfig = "return 403;"; complete = { - serverAliases = [ "graphs.siem" ]; + serverAliases = [ "graph.siem" ]; extraConfig = '' if ( $server_addr = "${ip}" ) { return 403; From 0011f32a343a88ec1b7e5426d271a419bfeb6444 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Tue, 18 Apr 2017 19:55:19 +0200 Subject: [PATCH 49/58] l 1 iso: enable copytoram --- lass/1systems/iso.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix index 01d698c4c..5bbd0c1d7 100644 --- a/lass/1systems/iso.nix +++ b/lass/1systems/iso.nix @@ -11,6 +11,9 @@ with import ; ../2configs/mc.nix ../2configs/nixpkgs.nix ../2configs/vim.nix + { + boot.kernelParams = [ "copytoram" ]; + } { krebs.enable = true; krebs.build.user = config.krebs.users.lass; From d528daf9e8d4ec59b3e5355576eaf001136763cc Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 18 Apr 2017 21:02:17 +0200 Subject: [PATCH 50/58] l 2 nixpkgs: 5acb454 -> c85f39e --- lass/2configs/nixpkgs.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix index 5309c9551..5f9800b0f 100644 --- a/lass/2configs/nixpkgs.nix +++ b/lass/2configs/nixpkgs.nix @@ -3,6 +3,6 @@ { krebs.build.source.nixpkgs.git = { url = https://cgit.lassul.us/nixpkgs; - ref = "5acb454"; + ref = "c85f39e"; }; } From d40738d41573eca83d7e84f8a9946f8d8441a0d0 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 19 Apr 2017 00:13:52 +0200 Subject: [PATCH 51/58] l 1 iso: hack around buggy /dev/stderr in live iso --- lass/1systems/iso.nix | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/lass/1systems/iso.nix b/lass/1systems/iso.nix index 5bbd0c1d7..99399550c 100644 --- a/lass/1systems/iso.nix +++ b/lass/1systems/iso.nix 
@@ -12,6 +12,27 @@ with import ;
 ../2configs/nixpkgs.nix
 ../2configs/vim.nix
 {
+ # /dev/stderr doesn't work. I don't know why
+ # /proc/self doesn't seem to work correctly
+ # /dev/pts is empty except for 1 file
+ # my life sucks
+ nixpkgs.config.packageOverrides = super: {
+ irc-announce = super.callPackage {
+ pkgs = pkgs // { coreutils = pkgs.concat "coreutils-hack" [
+ pkgs.coreutils
+ (pkgs.writeDashBin "tee" ''
+ if test "$1" = /dev/stderr; then
+ while read -r line; do
+ echo "$line"
+ echo "$line" >&2
+ done
+ else
+ ${super.coreutils}/bin/tee "$@"
+ fi
+ '')
+ ];};
+ };
+ };
 boot.kernelParams = [ "copytoram" ];
 }
 {
From 978e47eedd70476703aa7237efa084260638b287 Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 19 Apr 2017 10:04:27 +0200
Subject: [PATCH 52/58] m 1 x: rm krebs.nginx
---
 makefu/1systems/x.nix | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix
index 51c9543ef..866aac3bd 100644
--- a/makefu/1systems/x.nix
+++ b/makefu/1systems/x.nix
@@ -72,11 +72,6 @@ with import ;
 makefu.umts.apn = "web.vodafone.de";
 nixpkgs.config.allowUnfree = true;
- krebs.nginx = {
- default404 = false;
- servers.default.listen = [ "80 default_server" ];
- servers.default.server-names = [ "_" ];
- };
 boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
 environment.systemPackages = [ pkgs.passwdqc-utils ];
From c815fda8161f899254ce3dd8debfad830a8f67ee Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 19 Apr 2017 10:04:39 +0200
Subject: [PATCH 53/58] m 2 dnscrypt: change resolver
---
 makefu/2configs/dnscrypt.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/makefu/2configs/dnscrypt.nix b/makefu/2configs/dnscrypt.nix
index d810456f3..6e7ef0f82 100644
--- a/makefu/2configs/dnscrypt.nix
+++ b/makefu/2configs/dnscrypt.nix
@@ -1,5 +1,6 @@
 {
 services.dnscrypt-proxy.enable = true;
+ services.dnscrypt-proxy.resolverName = "cs-de";
 networking.extraResolvconfConf = ''
 name_servers='127.0.0.1'
 '';
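Review bot: The `tee` shim only intercepts `/dev/stderr` when it is the first argument (`if test "$1" = /dev/stderr`), so a call such as `tee -a /dev/stderr` falls through to the real tee and hits the same broken device, and the `while read -r line` loop silently drops a final line that has no trailing newline. dash's builtin `echo` also interprets backslash escapes, so announced text containing `\n` or `\t` is altered on both copies; `while read -r line || test -n "$line"; do`, `printf '%s\n' "$line"` and `printf '%s\n' "$line" >&2` keep the output byte-identical. The override is scoped to irc-announce's coreutils, which limits the blast radius, but a one-line comment above the override stating that it exists only for the live ISO's stderr problem would spare the next reader the surprise of a `tee` that behaves differently; the enclosing module body continues outside the hunk.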
From 55b77bd2ece03769e6df3ebdfa891bc255f92665 Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 19 Apr 2017 10:05:12 +0200
Subject: [PATCH 54/58] s 1 wolf: send stats to omo
---
 shared/1systems/wolf.nix | 1 +
 shared/2configs/central-stats-client.nix | 68 ++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 shared/2configs/central-stats-client.nix
diff --git a/shared/1systems/wolf.nix b/shared/1systems/wolf.nix
index 0b4448022..75307be12 100644
--- a/shared/1systems/wolf.nix
+++ b/shared/1systems/wolf.nix
@@ -14,6 +14,7 @@ in
 ../2configs/shack-nix-cacher.nix
 ../2configs/shared-buildbot.nix
 ../2configs/share-shack.nix
+ ../2configs/central-stats-client.nix
 ];
 # use your own binary cache, fallback use cache.nixos.org (which is used by
 # apt-cacher-ng in first place)
diff --git a/shared/2configs/central-stats-client.nix b/shared/2configs/central-stats-client.nix
new file mode 100644
index 000000000..0412eba9a
--- /dev/null
+++ b/shared/2configs/central-stats-client.nix
@@ -0,0 +1,68 @@
+{pkgs, config, ...}:
+{
+ services.collectd = {
+ enable = true;
+ autoLoadPlugin = true;
+ extraConfig = ''
+ Hostname ${config.krebs.build.host.name}
+ LoadPlugin load
+ LoadPlugin disk
+ LoadPlugin memory
+ LoadPlugin df
+ Interval 30.0
+
+ LoadPlugin interface
+
+ Interface "*Link"
+ Interface "lo"
+ Interface "vboxnet*"
+ Interface "virbr*"
+ IgnoreSelected true
+
+
+ LoadPlugin df
+
+ MountPoint "/nix/store"
+ # MountPoint "/run*"
+ # MountPoint "/sys*"
+ # MountPoint "/dev"
+ # MountPoint "/dev/shm"
+ # MountPoint "/tmp"
+ FSType "tmpfs"
+ FSType "binfmt_misc"
+ FSType "debugfs"
+ FSType "mqueue"
+ FSType "hugetlbfs"
+ FSType "systemd-1"
+ FSType "cgroup"
+ FSType "securityfs"
+ FSType "ramfs"
+ FSType "proc"
+ FSType "devpts"
+ FSType "devtmpfs"
+ MountPoint "/var/lib/docker/devicemapper"
+ IgnoreSelected true
+
+
+ LoadPlugin cpu
+
+ ReportByCpu true
+ ReportByState true
+ ValuesPercentage true
+
+
+ LoadPlugin network
+
+ Server "stats.makefu.r" "25826"
+
+
+ LoadPlugin curl
+
+
+ URL "http://smarthome.shack/";
+ MeasureResponseTime true
+
+
+ '';
+ };
+}
From bc0e4fa234bb4b817efde7e6f8e7ad206359d115 Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 19 Apr 2017 10:05:39 +0200
Subject: [PATCH 55/58] m 2 stats-server: also open ports for v6
---
 makefu/2configs/logging/central-stats-server.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/makefu/2configs/logging/central-stats-server.nix b/makefu/2configs/logging/central-stats-server.nix
index 30ad63879..4f7961f32 100644
--- a/makefu/2configs/logging/central-stats-server.nix
+++ b/makefu/2configs/logging/central-stats-server.nix
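Review bot: The network plugin's `Server "stats.makefu.r" "25826"` entry carries no `SecurityLevel`, `Username` or `Password`, so every metric leaves wolf unsigned and unencrypted and, unless the receiving side restricts it, anything that can reach that port on the overlay can inject values under this `Hostname`; collectd supports `SecurityLevel Sign` or `SecurityLevel Encrypt` with a shared secret configured on both ends, which is the cheap fix here. `LoadPlugin df` appears twice (in the initial list and again before the df settings), which is harmless but worth deduplicating. The curl plugin's `URL "http://smarthome.shack/";` ends in a semicolon that nothing else in this file uses and that collectd's config grammar does not expect, so this is presumably a typo; the daemon log on first start will tell.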
@@ -71,5 +71,12 @@ in {
 iptables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT
 iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT
 iptables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT
+
+ ip6tables -A INPUT -i retiolum -p udp --dport ${toString collectd-port} -j ACCEPT
+ ip6tables -A INPUT -i retiolum -p tcp --dport ${toString influx-port} -j ACCEPT
+ ip6tables -A INPUT -i retiolum -p tcp --dport ${toString grafana-port} -j ACCEPT
+ ip6tables -A INPUT -i ${logging-interface} -p udp --dport ${toString collectd-port} -j ACCEPT
+ ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString influx-port} -j ACCEPT
+ ip6tables -A INPUT -i ${logging-interface} -p tcp --dport ${toString grafana-port} -j ACCEPT
 '';
 }
From de22f21195ee0f8d217b6377b0cf915bbfc2d2a8 Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 19 Apr 2017 10:06:36 +0200
Subject: [PATCH 56/58] s 2 buildbot: configure nginx for buildbot
---
 krebs/3modules/shared/default.nix | 1 +
 shared/2configs/shared-buildbot.nix | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/krebs/3modules/shared/default.nix b/krebs/3modules/shared/default.nix
index 5e4935e3a..17179a39f 100644
--- a/krebs/3modules/shared/default.nix
+++ b/krebs/3modules/shared/default.nix
@@ -47,6 +47,7 @@ in {
 ip6.addr = "42:0:0:0:0:0:77:1";
 aliases = [
 "wolf.r"
+ "build.wolf.r"
 "cgit.wolf.r"
 ];
 tinc.pubkey = ''
diff --git a/shared/2configs/shared-buildbot.nix b/shared/2configs/shared-buildbot.nix
index cf08882a9..1d6883afe 100644
--- a/shared/2configs/shared-buildbot.nix
+++ b/shared/2configs/shared-buildbot.nix
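Review bot: The new v6 rules open the collectd, influx and grafana ports on `retiolum` in addition to `${logging-interface}`, while the v4 rules directly above them use `${logging-interface}` only. If `logging-interface` already evaluates to `retiolum` (its definition is outside the hunk) the first three ip6tables lines are duplicates; if it does not, v6 now exposes all three services, including the grafana and influx HTTP listeners, to every retiolum peer while v4 does not, an asymmetry that deserves either matching v4 rules or a comment explaining why v6 differs. The enclosing string started before the hunk.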
@@ -9,11 +9,20 @@
 {
 # due to the fact that we actually build stuff on the box via the daemon,
 # /nix/store should be cleaned up automatically as well
+ services.nginx.virtualHosts.build = {
+ serverAliases = [ "build.wolf.r" ];
+ locations."/".extraConfig = ''
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_pass http://localhost:${toString config.krebs.buildbot.master.web.port};
+ '';
+ };
+
 nix.gc.automatic = true;
 nix.gc.dates = "05:23";
 networking.firewall.allowedTCPPorts = [ 8010 9989 ];
 krebs.buildbot.master = let
- stockholm-mirror-url = http://cgit.wolf/stockholm-mirror ;
+ stockholm-mirror-url = http://cgit.wolf.r/stockholm-mirror ;
 in {
 secrets = [ "retiolum-ci.rsa_key.priv" "cac.json" ];
 workers = {
@@ -151,6 +160,9 @@
 channels = [ { channel = "retiolum"; } ];
 allowForce = true;
 };
+ extraConfig = ''
+ c['buildbotURL'] = "http://build.wolf.r/"
+ '';
 };
 krebs.buildbot.worker = {
From 371f8b9b7102c317150da37880dae44bd938d1b1 Mon Sep 17 00:00:00 2001
From: makefu
Date: Wed, 19 Apr 2017 10:07:48 +0200
Subject: [PATCH 57/58] m 2 fetchwallpaper: use prism
---
 makefu/2configs/fetchWallpaper.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/makefu/2configs/fetchWallpaper.nix b/makefu/2configs/fetchWallpaper.nix
index fb74919c4..16a7a13b2 100644
--- a/makefu/2configs/fetchWallpaper.nix
+++ b/makefu/2configs/fetchWallpaper.nix
@@ -8,7 +8,7 @@
 timerConfig = {
 OnCalendar = "*:0/30";
 };
- url = "http://echelon/wallpaper.png";
+ url = "http://prism.r/realwallpaper-sat-krebs.png";
 };
 }
From d05b989095acf4fd872c955b274a60a9621cd6ec Mon Sep 17 00:00:00 2001
From: lassulus
Date: Wed, 19 Apr 2017 10:20:34 +0200
Subject: [PATCH 58/58] k 3 realwallpaper: graphs.r -> graph.r
---
 krebs/3modules/realwallpaper.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/krebs/3modules/realwallpaper.nix b/krebs/3modules/realwallpaper.nix
index 1e7a9faae..044811c7d 100644
--- a/krebs/3modules/realwallpaper.nix
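Review bot: Fronting buildbot with nginx does not change who can reach it while `networking.firewall.allowedTCPPorts = [ 8010 9989 ];` (a context line in this hunk) still opens the web port directly, so any access control later added to the vhost can be bypassed via :8010; if the vhost is meant to be the entry point, 8010 can be dropped from that list (9989 is the worker port and stays). `proxy_set_header Connection "upgrade";` is also unconditional, which turns every plain request into an upgrade attempt; the usual form is a `map $http_upgrade $connection_upgrade { default upgrade; "" close; }` in the http context together with `proxy_set_header Connection $connection_upgrade;`. Adding `proxy_set_header Host $host;` would make buildbot see `build.wolf.r` instead of `localhost`, consistent with the `buildbotURL` set in the second hunk.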
+++ b/krebs/3modules/realwallpaper.nix
@@ -34,7 +34,7 @@ let
 marker = mkOption {
 type = types.str;
- default = "http://graphs.r/marker.json";
+ default = "http://graph.r/marker.json";
 };
 timerConfig = mkOption {