Merge branch 'master' of prism:stockholm

krebs/1systems/puyak/config.nix

@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    <stockholm/krebs>
+    <stockholm/krebs/2configs>
+    <stockholm/krebs/2configs/secret-passwords.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.puyak;
+
+  boot = {
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+
+    initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
+    initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+    initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/pool-root";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
+    "/boot" = {
+      device = "/dev/sda2";
+    };
+    "/home" = {
+      device = "/dev/mapper/pool-home";
+      fsType = "btrfs";
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
+    };
+    "/tmp" = {
+      device = "tmpfs";
+      fsType = "tmpfs";
+      options = ["nosuid" "nodev" "noatime"];
+    };
+  };
+
+  hardware.enableAllFirmware = true;
+  networking.wireless.enable = true;
+  nixpkgs.config.allowUnfree = true;
+
+  services.logind.extraConfig = ''
+    HandleLidSwitch=ignore
+  '';
+
+  services.udev.extraRules = ''
+    SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0"
+    SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="et0"
+  '';
+
+}

krebs/1systems/puyak/source.nix

@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+  name = "puyak";
+}

krebs/2configs/default.nix

@@ -46,6 +46,6 @@ with import <stockholm/lib>;
 
 
   # The NixOS release to be compatible with for stateful data such as databases.
-  system.stateVersion = "15.09";
+  system.stateVersion = "17.03";
 
 }

krebs/2configs/shared-buildbot.nix

@@ -14,7 +14,7 @@
     locations."/".extraConfig = ''
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "upgrade";
-      proxy_pass http://localhost:${toString config.krebs.buildbot.master.web.port};
+      proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port};
     '';
   };
 

krebs/3modules/krebs/default.nix

@@ -30,6 +30,30 @@ let
   });
 in {
   hosts = {
+    puyak = {
+      owner = config.krebs.users.krebs;
+      nets = {
+        retiolum = {
+          ip4.addr = "10.243.77.2";
+          ip6.addr = "42:0:0:0:0:0:77:2";
+          aliases = [
+            "puyak.r"
+          ];
+          tinc.pubkey = ''
+            -----BEGIN RSA PUBLIC KEY-----
+            MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955
+            SwotAPBrOT5P3pZ52Pu326SR5nj9XWfN6GD0CkcDQddtRG5OOtUWlvkYzZraNh33
+            p9l8TBgHJKogGe6umbs+4v7pWfbS0k708L2ttwY0ceju6RL6UqShIYB6qhDzwalU
+            p8s7pypl7BwrsTwYkUGleIptiN78cYv/NHvXhvXBuVGz4J0tCH4GMvdTHCah1l1r
+            zwEpKlAq0FD6bgYTJL94Tvxe2xzyr8c+xn1+XbJtMudGmrRjIHS6YupzO/Y2MO7w
+            UkbMKDhYVhSPFEyk6PMm0SU9uAh4I1+8BQIDAQAB
+            -----END RSA PUBLIC KEY-----
+          '';
+        };
+      };
+      ssh.privkey.path = <secrets/ssh.id_ed25519>;
+      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpVwKv9mQGfcn5oFwuitq+b6Dz4jBG9sGhVoCYFw5RY";
+    };
     wolf = {
       owner = config.krebs.users.krebs;
       nets = {

krebs/3modules/lass/default.nix

@@ -335,5 +335,8 @@ with import <stockholm/lib>;
     };
     sokratess = {
     };
+    wine-mors = {
+      pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKfTIKmbe1RjX1fjAn//08363zAsI0CijWnaYyAC842";
+    };
   };
 }

lass/1systems/echelon/config.nix

@@ -31,17 +31,6 @@ in {
     {
       sound.enable = false;
     }
-    {
-      lass.dnsmasq = {
-        enable = true;
-        config = ''
-          interface=retiolum
-        '';
-      };
-      krebs.iptables.tables.filter.INPUT.rules = [
-        { predicate = "-i retiolum -p udp --dport 53"; target = "ACCEPT"; }
-      ];
-    }
     {
       users.extraUsers = {
         satan = {

lass/1systems/mors/config.nix

@@ -24,6 +24,7 @@ with import <stockholm/lib>;
     <stockholm/lass/2configs/ircd.nix>
     <stockholm/lass/2configs/logf.nix>
     <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/otp-ssh.nix>
     {
       #risk of rain port
       krebs.iptables.tables.filter.INPUT.rules = [
@@ -110,11 +111,11 @@ with import <stockholm/lib>;
     "/boot" = {
       device = "/dev/sda2";
     };
-    #"/bku" = {
+    "/bku" = {
-    #  device = "/dev/mapper/pool-bku";
+      device = "/dev/mapper/pool-bku";
-    #  fsType = "btrfs";
+      fsType = "btrfs";
-    #  options = ["defaults" "noatime" "ssd" "compress=lzo"];
+      options = ["defaults" "noatime" "ssd" "compress=lzo"];
-    #};
+    };
     "/home" = {
       device = "/dev/mapper/pool-home";
       fsType = "btrfs";

lass/1systems/prism/config.nix

@@ -36,7 +36,6 @@ in {
     <stockholm/lass/2configs/iodined.nix>
     <stockholm/lass/2configs/libvirt.nix>
     <stockholm/lass/2configs/hfos.nix>
-    <stockholm/lass/2configs/makefu-sip.nix>
     <stockholm/lass/2configs/monitoring/server.nix>
     <stockholm/lass/2configs/monitoring/monit-alarms.nix>
     <stockholm/lass/2configs/paste.nix>
@@ -213,6 +212,26 @@ in {
           config.krebs.users.tv.pubkey
         ];
       };
+      users.users.makefu = {
+        uid = genid "makefu";
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.makefu.pubkey
+        ];
+      };
+      users.users.nin = {
+        uid = genid "nin";
+        inherit (config.krebs.users.nin) home;
+        group = "users";
+        createHome = true;
+        useDefaultShell = true;
+        openssh.authorizedKeys.keys = [
+          config.krebs.users.nin.pubkey
+        ];
+        extraGroups = [
+          "libvirtd"
+        ];
+      };
     }
     {
       krebs.repo-sync.timerConfig = {
@@ -235,28 +254,6 @@ in {
         enable = true;
       };
     }
-    {
-      # Nin stuff
-      users.users.nin = {
-        uid = genid "nin";
-        inherit (config.krebs.users.nin) home;
-        group = "users";
-        createHome = true;
-        useDefaultShell = true;
-        openssh.authorizedKeys.keys = [
-          config.krebs.users.nin.pubkey
-        ];
-        extraGroups = [
-          "libvirtd"
-        ];
-      };
-      krebs.iptables.tables.nat.PREROUTING.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 213.239.205.240 -p tcp --dport 1337"; target = "DNAT --to-destination 192.168.122.24:22"; }
-      ];
-      krebs.iptables.tables.filter.FORWARD.rules = [
-        { v6 = false; precedence = 1000; predicate = "-d 192.168.122.24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
-      ];
-    }
     {
       krebs.Reaktor.prism = {
         nickname = "Reaktor|lass";

lass/2configs/downloading.nix

@@ -17,6 +17,7 @@ with import <stockholm/lib>;
         lass-shodan.pubkey
         lass-icarus.pubkey
         makefu.pubkey
+        wine-mors.pubkey
       ];
     };
 

lass/2configs/git.nix

@@ -49,6 +49,7 @@ let
     {
       brain = {
         collaborators = with config.krebs.users; [ tv makefu ];
+        announce = true;
       };
     } //
     import <secrets/repos.nix> { inherit config lib pkgs; }
@@ -75,9 +76,20 @@ let
     public = true;
   };
 
-  make-restricted-repo = name: { collaborators ? [], ... }: {
+  make-restricted-repo = name: { collaborators ? [], announce ? false, ... }: {
     inherit collaborators name;
     public = false;
+    hooks = optionalAttrs announce {
+      post-receive = pkgs.git-hooks.irc-announce {
+        # TODO make nick = config.krebs.build.host.name the default
+        nick = config.krebs.build.host.name;
+        channel = "#retiolum";
+        server = "ni.r";
+        verbose = true;
+        # TODO define branches in some kind of option per repo
+        branches = [ "master" "staging*" ];
+      };
+    };
   };
 
   make-rules =

lass/2configs/makefu-sip.nix

@@ -1,21 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-{
-  users.users.makefu = {
-    uid = genid "makefu";
-    isNormalUser = true;
-    extraGroups = [ "libvirtd" ];
-    openssh.authorizedKeys.keys = [
-      config.krebs.users.makefu.pubkey
-    ];
-  };
-
-  krebs.iptables.tables.nat.PREROUTING.rules = [
-    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 10022"; target = "DNAT --to-destination 192.168.122.136:22"; }
-  ];
-
-  krebs.iptables.tables.filter.FORWARD.rules = [
-    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.136 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
-  ];
-}

lass/2configs/otp-ssh.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+#  gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+  security.pam.oath = {
+    # enabling it will make it a requisite of `all` services
+    # enable = true;
+    digits = 6;
+    # TODO assert existing
+    usersFile = (toString <secrets>) + "/users.oath";
+  };
+  # I want TFA only active for sshd with password-auth
+  security.pam.services.sshd.oathAuth = true;
+}

lass/2configs/websites/domsen.nix

@@ -25,9 +25,15 @@ in {
   imports = [
     ./sqlBackup.nix
     (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
-    (servePage [ "karlaskop.de" ])
+    (servePage [
+      "karlaskop.de"
+      "www.karlaskop.de"
+    ])
     (servePage [ "makeup.apanowicz.de" ])
-    (servePage [ "pixelpocket.de" ])
+    (servePage [
+      "pixelpocket.de"
+      "www.pixelpocket.de"
+    ])
     (servePage [
       "habsys.de"
       "habsys.eu"

lass/2configs/wine.nix

@@ -5,7 +5,8 @@ let
 
 in {
   krebs.per-user.wine.packages = with pkgs; [
-    wineUnstable
+    wineFull
+    #(wineFull.override { wineBuild = "wine64"; })
   ];
   users.users= {
     wine = {

lass/source.nix

@@ -19,6 +19,6 @@ in
       #   87a4615 & 334ac4f
       # + acme permissions for groups
       #   fd7a8f1
-      ref = "67956cc";
+      ref = "d486531";
     };
   }