Merge branch 'master' of prism:stockholm
This commit is contained in:
commit
77ea3dc79b
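--- a/krebs/1systems/puyak/config.nix
+++ b/krebs/1systems/puyak/config.nix
@@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+
+{
+imports = [
+<stockholm/krebs>
+<stockholm/krebs/2configs>
+<stockholm/krebs/2configs/secret-passwords.nix>
+];
+
+krebs.build.host = config.krebs.hosts.puyak;
+
+boot = {
+loader.systemd-boot.enable = true;
+loader.efi.canTouchEfiVariables = true;
+
+initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
+initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
+initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
+};
+
+fileSystems = {
+"/" = {
+device = "/dev/mapper/pool-root";
+fsType = "btrfs";
+options = ["defaults" "noatime" "ssd" "compress=lzo"];
+};
+"/boot" = {
+device = "/dev/sda2";
+};
+"/home" = {
+device = "/dev/mapper/pool-home";
+fsType = "btrfs";
+options = ["defaults" "noatime" "ssd" "compress=lzo"];
+};
+"/tmp" = {
+device = "tmpfs";
+fsType = "tmpfs";
+options = ["nosuid" "nodev" "noatime"];
+};
+};
+
+hardware.enableAllFirmware = true;
+networking.wireless.enable = true;
+nixpkgs.config.allowUnfree = true;
+
+services.logind.extraConfig = ''
+HandleLidSwitch=ignore
+'';
+
+services.udev.extraRules = ''
+SUBSYSTEM=="net", ATTR{address}=="8c:70:5a:b2:84:58", NAME="wl0"
+SUBSYSTEM=="net", ATTR{address}=="3c:97:0e:07:b9:14", NAME="et0"
+'';
+
+}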
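Review bot: The LUKS root and the ESP are addressed by enumeration path (`device = "/dev/sda3"` in initrd.luks.devices and `device = "/dev/sda2"` for "/boot"), so a change in disk probe order at boot opens or mounts the wrong partition; a `/dev/disk/by-uuid/<UUID-placeholder>` path pins the device regardless of order. "/boot" is also the only fileSystems entry without an fsType, unlike "/", "/home" and "/tmp"; with systemd-boot and EFI it is the EFI System Partition, so `fsType = "vfat";` makes that explicit. The tmpfs "/tmp" carries nosuid/nodev but no `size=` option, so a runaway writer can take memory up to the kernel's tmpfs default (half of RAM); a stated cap is worth considering on a host that is left running with the lid closed.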
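--- a/krebs/1systems/puyak/source.nix
+++ b/krebs/1systems/puyak/source.nix
@@ -0,0 +1,3 @@
+import <stockholm/krebs/source.nix> {
+name = "puyak";
+}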
|
@ -46,6 +46,6 @@ with import <stockholm/lib>;
|
||||||
|
|
||||||
|
|
||||||
# The NixOS release to be compatible with for stateful data such as databases.
|
# The NixOS release to be compatible with for stateful data such as databases.
|
||||||
system.stateVersion = "15.09";
|
system.stateVersion = "17.03";
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
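Review bot: Bumping `system.stateVersion` from "15.09" to "17.03" on an already-deployed host changes the defaults that stateful services key off this value, which is exactly what the comment on the line above warns about; if this host's databases were initialised under 15.09, confirm their on-disk data matches the 17.03 defaults before deploying. The merge commit message gives no rationale, so a short comment such as `# bumped to 17.03 on reinstall; no stateful data carried over` (or whatever actually applies) would document it. The enclosing attribute set ends at the `}` in the hunk but starts outside it.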
@ -14,7 +14,7 @@
|
||||||
locations."/".extraConfig = ''
|
locations."/".extraConfig = ''
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
proxy_set_header Connection "upgrade";
|
proxy_set_header Connection "upgrade";
|
||||||
proxy_pass http://localhost:${toString config.krebs.buildbot.master.web.port};
|
proxy_pass http://127.0.0.1:${toString config.krebs.buildbot.master.web.port};
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
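Review bot: Replacing `localhost` with `127.0.0.1` in the proxy_pass target is a behavioural fix rather than a style change — nginx resolves a literal hostname when it loads the config and may include `::1` where the host maps localhost to both loopback addresses, while the buildbot web port presumably listens on IPv4 only — but nothing in the hunk records that. A one-line comment above the directive, `# 127.0.0.1 rather than localhost: avoid nginx picking ::1 while buildbot listens on IPv4 only`, keeps the next editor from reverting it. The locations block is shown in full, but the enclosing virtualHost starts and ends outside the hunk.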
@ -30,6 +30,30 @@ let
|
||||||
});
|
});
|
||||||
in {
|
in {
|
||||||
hosts = {
|
hosts = {
|
||||||
|
puyak = {
|
||||||
|
owner = config.krebs.users.krebs;
|
||||||
|
nets = {
|
||||||
|
retiolum = {
|
||||||
|
ip4.addr = "10.243.77.2";
|
||||||
|
ip6.addr = "42:0:0:0:0:0:77:2";
|
||||||
|
aliases = [
|
||||||
|
"puyak.r"
|
||||||
|
];
|
||||||
|
tinc.pubkey = ''
|
||||||
|
-----BEGIN RSA PUBLIC KEY-----
|
||||||
|
MIIBCgKCAQEAwwDvaVKSJmAi1fpbsmjLz1DQVTgqnx56GkHKbz5sHwAfPVQej955
|
||||||
|
SwotAPBrOT5P3pZ52Pu326SR5nj9XWfN6GD0CkcDQddtRG5OOtUWlvkYzZraNh33
|
||||||
|
p9l8TBgHJKogGe6umbs+4v7pWfbS0k708L2ttwY0ceju6RL6UqShIYB6qhDzwalU
|
||||||
|
p8s7pypl7BwrsTwYkUGleIptiN78cYv/NHvXhvXBuVGz4J0tCH4GMvdTHCah1l1r
|
||||||
|
zwEpKlAq0FD6bgYTJL94Tvxe2xzyr8c+xn1+XbJtMudGmrRjIHS6YupzO/Y2MO7w
|
||||||
|
UkbMKDhYVhSPFEyk6PMm0SU9uAh4I1+8BQIDAQAB
|
||||||
|
-----END RSA PUBLIC KEY-----
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
ssh.privkey.path = <secrets/ssh.id_ed25519>;
|
||||||
|
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPpVwKv9mQGfcn5oFwuitq+b6Dz4jBG9sGhVoCYFw5RY";
|
||||||
|
};
|
||||||
wolf = {
|
wolf = {
|
||||||
owner = config.krebs.users.krebs;
|
owner = config.krebs.users.krebs;
|
||||||
nets = {
|
nets = {
|
||||||
|
|
|
@ -335,5 +335,8 @@ with import <stockholm/lib>;
|
||||||
};
|
};
|
||||||
sokratess = {
|
sokratess = {
|
||||||
};
|
};
|
||||||
|
wine-mors = {
|
||||||
|
pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKfTIKmbe1RjX1fjAn//08363zAsI0CijWnaYyAC842";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -31,17 +31,6 @@ in {
|
||||||
{
|
{
|
||||||
sound.enable = false;
|
sound.enable = false;
|
||||||
}
|
}
|
||||||
{
|
|
||||||
lass.dnsmasq = {
|
|
||||||
enable = true;
|
|
||||||
config = ''
|
|
||||||
interface=retiolum
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
krebs.iptables.tables.filter.INPUT.rules = [
|
|
||||||
{ predicate = "-i retiolum -p udp --dport 53"; target = "ACCEPT"; }
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
{
|
||||||
users.extraUsers = {
|
users.extraUsers = {
|
||||||
satan = {
|
satan = {
|
||||||
|
|
|
@ -24,6 +24,7 @@ with import <stockholm/lib>;
|
||||||
<stockholm/lass/2configs/ircd.nix>
|
<stockholm/lass/2configs/ircd.nix>
|
||||||
<stockholm/lass/2configs/logf.nix>
|
<stockholm/lass/2configs/logf.nix>
|
||||||
<stockholm/lass/2configs/syncthing.nix>
|
<stockholm/lass/2configs/syncthing.nix>
|
||||||
|
<stockholm/lass/2configs/otp-ssh.nix>
|
||||||
{
|
{
|
||||||
#risk of rain port
|
#risk of rain port
|
||||||
krebs.iptables.tables.filter.INPUT.rules = [
|
krebs.iptables.tables.filter.INPUT.rules = [
|
||||||
|
@ -110,11 +111,11 @@ with import <stockholm/lib>;
|
||||||
"/boot" = {
|
"/boot" = {
|
||||||
device = "/dev/sda2";
|
device = "/dev/sda2";
|
||||||
};
|
};
|
||||||
#"/bku" = {
|
"/bku" = {
|
||||||
# device = "/dev/mapper/pool-bku";
|
device = "/dev/mapper/pool-bku";
|
||||||
# fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
# options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
options = ["defaults" "noatime" "ssd" "compress=lzo"];
|
||||||
#};
|
};
|
||||||
"/home" = {
|
"/home" = {
|
||||||
device = "/dev/mapper/pool-home";
|
device = "/dev/mapper/pool-home";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
|
|
|
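Review bot: Uncommenting the "/bku" entry in the second hunk makes `/dev/mapper/pool-bku` a hard requirement at boot: if that logical volume is absent, the mount unit fails and systemd drops to emergency mode instead of bringing the host up without its backup volume. If the volume is optional, `options = ["defaults" "noatime" "ssd" "compress=lzo" "nofail"];` keeps boot going; if it is required, a comment stating that the LV must exist is enough. The enclosing fileSystems set starts and ends outside the hunk.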
@ -36,7 +36,6 @@ in {
|
||||||
<stockholm/lass/2configs/iodined.nix>
|
<stockholm/lass/2configs/iodined.nix>
|
||||||
<stockholm/lass/2configs/libvirt.nix>
|
<stockholm/lass/2configs/libvirt.nix>
|
||||||
<stockholm/lass/2configs/hfos.nix>
|
<stockholm/lass/2configs/hfos.nix>
|
||||||
<stockholm/lass/2configs/makefu-sip.nix>
|
|
||||||
<stockholm/lass/2configs/monitoring/server.nix>
|
<stockholm/lass/2configs/monitoring/server.nix>
|
||||||
<stockholm/lass/2configs/monitoring/monit-alarms.nix>
|
<stockholm/lass/2configs/monitoring/monit-alarms.nix>
|
||||||
<stockholm/lass/2configs/paste.nix>
|
<stockholm/lass/2configs/paste.nix>
|
||||||
|
@ -213,6 +212,26 @@ in {
|
||||||
config.krebs.users.tv.pubkey
|
config.krebs.users.tv.pubkey
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
users.users.makefu = {
|
||||||
|
uid = genid "makefu";
|
||||||
|
isNormalUser = true;
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
config.krebs.users.makefu.pubkey
|
||||||
|
];
|
||||||
|
};
|
||||||
|
users.users.nin = {
|
||||||
|
uid = genid "nin";
|
||||||
|
inherit (config.krebs.users.nin) home;
|
||||||
|
group = "users";
|
||||||
|
createHome = true;
|
||||||
|
useDefaultShell = true;
|
||||||
|
openssh.authorizedKeys.keys = [
|
||||||
|
config.krebs.users.nin.pubkey
|
||||||
|
];
|
||||||
|
extraGroups = [
|
||||||
|
"libvirtd"
|
||||||
|
];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
{
|
{
|
||||||
krebs.repo-sync.timerConfig = {
|
krebs.repo-sync.timerConfig = {
|
||||||
|
@ -235,28 +254,6 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
{
|
|
||||||
# Nin stuff
|
|
||||||
users.users.nin = {
|
|
||||||
uid = genid "nin";
|
|
||||||
inherit (config.krebs.users.nin) home;
|
|
||||||
group = "users";
|
|
||||||
createHome = true;
|
|
||||||
useDefaultShell = true;
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
config.krebs.users.nin.pubkey
|
|
||||||
];
|
|
||||||
extraGroups = [
|
|
||||||
"libvirtd"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.240 -p tcp --dport 1337"; target = "DNAT --to-destination 192.168.122.24:22"; }
|
|
||||||
];
|
|
||||||
krebs.iptables.tables.filter.FORWARD.rules = [
|
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
{
|
||||||
krebs.Reaktor.prism = {
|
krebs.Reaktor.prism = {
|
||||||
nickname = "Reaktor|lass";
|
nickname = "Reaktor|lass";
|
||||||
|
|
|
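Review bot: The `users.users.makefu` block added at the top of the second hunk no longer carries `extraGroups = [ "libvirtd" ];`, which the deleted makefu-sip.nix had, while the nin block moved within the same file keeps its `"libvirtd"` entry. Dropping libvirtd membership removes effectively root-equivalent access to the hypervisor, so it is a sensible reduction if intended, but as a silent side effect of a move it looks accidental; confirm, and if deliberate add `# no libvirtd: the VM port-forward for makefu went away with makefu-sip.nix` next to the block. The DNAT/FORWARD rules for 192.168.122.24 and 192.168.122.136 disappear in the same commit, which is consistent with that reading. The module list these hunks edit starts and ends outside them.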
@ -17,6 +17,7 @@ with import <stockholm/lib>;
|
||||||
lass-shodan.pubkey
|
lass-shodan.pubkey
|
||||||
lass-icarus.pubkey
|
lass-icarus.pubkey
|
||||||
makefu.pubkey
|
makefu.pubkey
|
||||||
|
wine-mors.pubkey
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -49,6 +49,7 @@ let
|
||||||
{
|
{
|
||||||
brain = {
|
brain = {
|
||||||
collaborators = with config.krebs.users; [ tv makefu ];
|
collaborators = with config.krebs.users; [ tv makefu ];
|
||||||
|
announce = true;
|
||||||
};
|
};
|
||||||
} //
|
} //
|
||||||
import <secrets/repos.nix> { inherit config lib pkgs; }
|
import <secrets/repos.nix> { inherit config lib pkgs; }
|
||||||
|
@ -75,9 +76,20 @@ let
|
||||||
public = true;
|
public = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
make-restricted-repo = name: { collaborators ? [], ... }: {
|
make-restricted-repo = name: { collaborators ? [], announce ? false, ... }: {
|
||||||
inherit collaborators name;
|
inherit collaborators name;
|
||||||
public = false;
|
public = false;
|
||||||
|
hooks = optionalAttrs announce {
|
||||||
|
post-receive = pkgs.git-hooks.irc-announce {
|
||||||
|
# TODO make nick = config.krebs.build.host.name the default
|
||||||
|
nick = config.krebs.build.host.name;
|
||||||
|
channel = "#retiolum";
|
||||||
|
server = "ni.r";
|
||||||
|
verbose = true;
|
||||||
|
# TODO define branches in some kind of option per repo
|
||||||
|
branches = [ "master" "staging*" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
make-rules =
|
make-rules =
|
||||||
|
|
|
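Review bot: `make-restricted-repo` now attaches an irc-announce post-receive hook whenever `announce = true`, and `brain` (collaborators tv and makefu, `public = false`) opts in, so pushes to a restricted repo are broadcast to `#retiolum` on ni.r with `verbose = true`. Whatever verbose mode includes — commit subjects at least, presumably — becomes visible to everyone on that channel even though the repo itself is not public; confirm that is acceptable for `brain`, and consider `verbose = false;` for restricted repos or a comment stating that the channel is considered trusted. The `make-restricted-repo` function is fully within the hunk, but the `let` it belongs to starts outside it.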
@ -1,21 +0,0 @@
|
||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
with import <stockholm/lib>;
|
|
||||||
{
|
|
||||||
users.users.makefu = {
|
|
||||||
uid = genid "makefu";
|
|
||||||
isNormalUser = true;
|
|
||||||
extraGroups = [ "libvirtd" ];
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
config.krebs.users.makefu.pubkey
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
krebs.iptables.tables.nat.PREROUTING.rules = [
|
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 10022"; target = "DNAT --to-destination 192.168.122.136:22"; }
|
|
||||||
];
|
|
||||||
|
|
||||||
krebs.iptables.tables.filter.FORWARD.rules = [
|
|
||||||
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.136 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
|
|
||||||
];
|
|
||||||
}
|
|
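--- a/lass/2configs/otp-ssh.nix
+++ b/lass/2configs/otp-ssh.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+# gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+security.pam.oath = {
+# enabling it will make it a requisite of `all` services
+# enable = true;
+digits = 6;
+# TODO assert existing
+usersFile = (toString <secrets>) + "/users.oath";
+};
+# I want TFA only active for sshd with password-auth
+security.pam.services.sshd.oathAuth = true;
+}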
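Review bot: The usage comment tells the operator to `chmod 700` users.oath, but that file holds the users' TOTP seeds and is data, not an executable; `## copy last line into secrets/<host>/users.oath (chmod 600)` is the mode to document. `usersFile = (toString <secrets>) + "/users.oath"` bakes the evaluation-time `<secrets>` path into the configuration, so it only works where the secrets tree sits at that same path on the running host; the `# TODO assert existing` could become `assertions = [ { assertion = builtins.pathExists ((toString <secrets>) + "/users.oath"); message = "otp-ssh: users.oath missing"; } ];` so evaluation fails early instead of pam_oath failing (and, presumably, refusing every sshd password login) at runtime. The header says TFA applies only to sshd password auth; that holds because public-key logins do not pass through PAM's auth stack, not because `oathAuth` distinguishes them, which is worth saying in the comment so nobody expects key-based logins to be covered.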
|
@ -25,9 +25,15 @@ in {
|
||||||
imports = [
|
imports = [
|
||||||
./sqlBackup.nix
|
./sqlBackup.nix
|
||||||
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
|
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
|
||||||
(servePage [ "karlaskop.de" ])
|
(servePage [
|
||||||
|
"karlaskop.de"
|
||||||
|
"www.karlaskop.de"
|
||||||
|
])
|
||||||
(servePage [ "makeup.apanowicz.de" ])
|
(servePage [ "makeup.apanowicz.de" ])
|
||||||
(servePage [ "pixelpocket.de" ])
|
(servePage [
|
||||||
|
"pixelpocket.de"
|
||||||
|
"www.pixelpocket.de"
|
||||||
|
])
|
||||||
(servePage [
|
(servePage [
|
||||||
"habsys.de"
|
"habsys.de"
|
||||||
"habsys.eu"
|
"habsys.eu"
|
||||||
|
|
|
@ -5,7 +5,8 @@ let
|
||||||
|
|
||||||
in {
|
in {
|
||||||
krebs.per-user.wine.packages = with pkgs; [
|
krebs.per-user.wine.packages = with pkgs; [
|
||||||
wineUnstable
|
wineFull
|
||||||
|
#(wineFull.override { wineBuild = "wine64"; })
|
||||||
];
|
];
|
||||||
users.users= {
|
users.users= {
|
||||||
wine = {
|
wine = {
|
||||||
|
|
|
@ -19,6 +19,6 @@ in
|
||||||
# 87a4615 & 334ac4f
|
# 87a4615 & 334ac4f
|
||||||
# + acme permissions for groups
|
# + acme permissions for groups
|
||||||
# fd7a8f1
|
# fd7a8f1
|
||||||
ref = "67956cc";
|
ref = "d486531";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|