Merge remote-tracking branch 'lass/master'

This commit is contained in:
makefu 2018-05-03 18:45:55 +02:00
commit 8156ab9237
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
43 changed files with 409 additions and 599 deletions


@ -1,12 +1,14 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
# bln config file # bln config file
{ {
imports = imports = [
[ <stockholm/jeschli> ./hardware-configuration.nix
<stockholm/jeschli>
<stockholm/jeschli/2configs/virtualbox.nix> <stockholm/jeschli/2configs/virtualbox.nix>
<stockholm/jeschli/2configs/urxvt.nix> <stockholm/jeschli/2configs/urxvt.nix>
<stockholm/jeschli/2configs/emacs.nix> <stockholm/jeschli/2configs/emacs.nix>
./hardware-configuration.nix <stockholm/jeschli/2configs/xdg.nix>
<stockholm/jeschli/2configs/xserver>
]; ];
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
@ -91,14 +93,14 @@
services.printing.drivers = [ pkgs.postscript-lexmark ]; services.printing.drivers = [ pkgs.postscript-lexmark ];
# Enable the X11 windowing system. # Enable the X11 windowing system.
services.xserver.enable = true; # services.xserver.enable = true;
services.xserver.videoDrivers = [ "nvidia" ]; services.xserver.videoDrivers = [ "nvidia" ];
services.xserver.windowManager.xmonad.enable = true; # services.xserver.windowManager.xmonad.enable = true;
services.xserver.windowManager.xmonad.enableContribAndExtras = true; # services.xserver.windowManager.xmonad.enableContribAndExtras = true;
services.xserver.displayManager.sddm.enable = true; # services.xserver.displayManager.sddm.enable = true;
services.xserver.dpi = 100; # services.xserver.dpi = 100;
fonts.fontconfig.dpi = 100; # fonts.fontconfig.dpi = 100;
users.extraUsers.jeschli = { users.extraUsers.jeschli = {
isNormalUser = true; isNormalUser = true;


@ -44,6 +44,9 @@ in {
display = 11; display = 11;
tty = 11; tty = 11;
dpi = 100;
videoDrivers = [ "nvidia" ];
synaptics = { synaptics = {
enable = true; enable = true;
twoFingerScroll = true; twoFingerScroll = true;


@ -44,6 +44,7 @@ import XMonad.Layout.Reflect (reflectVert)
import XMonad.Layout.FixedColumn (FixedColumn(..)) import XMonad.Layout.FixedColumn (FixedColumn(..))
import XMonad.Hooks.Place (placeHook, smart) import XMonad.Hooks.Place (placeHook, smart)
import XMonad.Hooks.FloatNext (floatNextHook) import XMonad.Hooks.FloatNext (floatNextHook)
import XMonad.Hooks.SetWMName
import XMonad.Actions.PerWorkspaceKeys (chooseAction) import XMonad.Actions.PerWorkspaceKeys (chooseAction)
import XMonad.Layout.PerWorkspace (onWorkspace) import XMonad.Layout.PerWorkspace (onWorkspace)
--import XMonad.Layout.BinarySpacePartition --import XMonad.Layout.BinarySpacePartition
@ -86,7 +87,8 @@ mainNoArgs = do
-- , handleEventHook = myHandleEventHooks <+> handleTimerEvent -- , handleEventHook = myHandleEventHooks <+> handleTimerEvent
--, handleEventHook = handleTimerEvent --, handleEventHook = handleTimerEvent
, manageHook = placeHook (smart (1,0)) <+> floatNextHook , manageHook = placeHook (smart (1,0)) <+> floatNextHook
, startupHook = , startupHook = do
setWMName "LG3D"
whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK")) whenJustM (liftIO (lookupEnv "XMONAD_STARTUP_HOOK"))
(\path -> forkFile path [] Nothing) (\path -> forkFile path [] Nothing)
, normalBorderColor = "#1c1c1c" , normalBorderColor = "#1c1c1c"
@ -217,7 +219,7 @@ myKeys conf = Map.fromList $
pagerConfig :: PagerConfig pagerConfig :: PagerConfig
pagerConfig = def pagerConfig = def
{ pc_font = myFont { pc_font = myFont
, pc_cellwidth = 64 , pc_cellwidth = 256
--, pc_cellheight = 36 -- TODO automatically keep screen aspect --, pc_cellheight = 36 -- TODO automatically keep screen aspect
--, pc_borderwidth = 1 --, pc_borderwidth = 1
--, pc_matchcolor = "#f0b000" --, pc_matchcolor = "#f0b000"


@ -21,4 +21,5 @@
boot.isContainer = true; boot.isContainer = true;
networking.useDHCP = false; networking.useDHCP = false;
krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm"; krebs.ci.stockholmSrc = "http://cgit.prism.r/stockholm";
environment.variables.NIX_REMOTE = "daemon";
} }


@ -2,6 +2,7 @@
{ {
krebs.newsbot-js.news-spam = { krebs.newsbot-js.news-spam = {
urlShortenerHost = "go.lassul.us";
feeds = pkgs.writeText "feeds" '' feeds = pkgs.writeText "feeds" ''
[SPAM]aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews [SPAM]aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews
[SPAM]allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews [SPAM]allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews


@ -9,6 +9,7 @@ with import <stockholm/lib>;
hosts = mapAttrs (_: recursiveUpdate { hosts = mapAttrs (_: recursiveUpdate {
owner = config.krebs.users.lass; owner = config.krebs.users.lass;
ci = true; ci = true;
monitoring = true;
}) { }) {
dishfire = { dishfire = {
cores = 4; cores = 4;
@ -43,39 +44,6 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv0JMp0y+E5433GRSFKVK3cQmP0AAlS9aH9fk49yFxy";
}; };
echelon = {
cores = 2;
nets = rec {
internet = {
ip4.addr = "64.137.242.41";
aliases = [
"echelon.i"
];
ssh.port = 45621;
};
retiolum = {
via = internet;
ip4.addr = "10.243.206.103";
ip6.addr = "42:941e:2816:35f4:5c5e:206b:3f0b:f763";
aliases = [
"echelon.r"
"cgit.echelon.r"
];
tinc.pubkey = ''
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAuscWOYdHu0bpWacvwTNd6bcmrAQ0YFxJWHZF8kPZr+bMKIhnXLkJ
oJheENIM6CA9lQQQFUxh2P2pxZavW5rgVlJxIKeiB+MB4v6ZO60LmZgpCsWGD/dX
MipM2tLtQxYhvLJIJxEBWn3rxIgeEnCtZsH1KLWyLczb+QpvTjMJ4TNh1nEBPE/f
4LUH1JHaGhcaHl2dLemR9wnnDIjmSj0ENJp2al+hWnIggcA/Zp0e4b86Oqbbs5wA
n++n5j971cTrBdA89nJDYOEtepisglScVRbgLqJG81lDA+n24RWFynn+U3oD/L8p
do+kxlwZUEDRbPU4AO5L+UeIbimsuIfXiQIDAQAB
-----END RSA PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL21QDOEFdODFh6WAfNp6odrXo15pEsDQuGJfMu/cKzK";
};
prism = rec { prism = rec {
cores = 4; cores = 4;
extraZones = { extraZones = {
@ -90,7 +58,10 @@ with import <stockholm/lib>;
60 IN NS dns16.ovh.net. 60 IN NS dns16.ovh.net.
60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
60 IN TXT v=spf1 mx a:lassul.us -all 60 IN TXT v=spf1 mx a:lassul.us -all
60 IN TXT ( "v=DKIM1; k=rsa; t=s; s=*; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" )
default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB"
cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
io 60 IN NS ions.lassul.us. io 60 IN NS ions.lassul.us.
ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} paste 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr}
@ -149,6 +120,7 @@ with import <stockholm/lib>;
}; };
domsen-nas = { domsen-nas = {
ci = false; ci = false;
monitoring = false;
external = true; external = true;
nets = rec { nets = rec {
internet = { internet = {
@ -161,6 +133,7 @@ with import <stockholm/lib>;
}; };
}; };
uriel = { uriel = {
monitoring = false;
cores = 1; cores = 1;
nets = { nets = {
gg23 = { gg23 = {
@ -399,10 +372,12 @@ with import <stockholm/lib>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJzb9BPFClubs6wSOi/ivqPFVPlowXwAxBS0jHaB29hX";
}; };
iso = { iso = {
monitoring = false;
ci = false; ci = false;
cores = 1; cores = 1;
}; };
sokrateslaptop = { sokrateslaptop = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = { nets = {
@ -426,6 +401,7 @@ with import <stockholm/lib>;
}; };
}; };
turingmachine = { turingmachine = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = { nets = {
@ -454,6 +430,7 @@ with import <stockholm/lib>;
}; };
}; };
eddie = { eddie = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = rec { nets = rec {
@ -494,6 +471,7 @@ with import <stockholm/lib>;
}; };
}; };
borg = { borg = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = { nets = {
@ -521,6 +499,7 @@ with import <stockholm/lib>;
}; };
}; };
inspector = { inspector = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = rec { nets = rec {
@ -552,6 +531,7 @@ with import <stockholm/lib>;
}; };
}; };
dpdkm = { dpdkm = {
monitoring = false;
ci = false; ci = false;
external = true; external = true;
nets = rec { nets = rec {
@ -659,6 +639,37 @@ with import <stockholm/lib>;
ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsTeSAedrbp7/KmZX8Mvka702fIUy77Mvqo9HwzCbym"; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPsTeSAedrbp7/KmZX8Mvka702fIUy77Mvqo9HwzCbym";
}; };
red = {
monitoring = false;
cores = 1;
nets = {
retiolum = {
ip4.addr = "10.243.0.13";
ip6.addr = "42:0:0:0:0:0:0:12ed";
aliases = [
"red.r"
];
tinc.pubkey = ''
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArAN/62V2MV18wsZ9VMTG
4/cqsjvHlffAN8jYDq+GImgREvbiLlFhhHgxwKh0gcDTR8P1xX/00P3/fx/g5bRF
Te7LZT2AFmVFFFfx1n9NBweN/gG2/hzB9J8epbWLNT+RzpzHuAoREvDZ+jweSXaI
phdmQY2s36yrR3TAShqq0q4cwlXuHT00J+InDutM0mTftBQG/fvYkBhHOfq4WSY0
FeMK7DTKNbsqQiKKQ/kvWi7KfTW0F0c7SDpi7BLwbQzP2WbogtGy9MIrw9ZhE6Ox
TVdAksPKw0TlYdb16X/MkbzBqTYbxFlmWzpMJABMxIVwAfQx3ZGYvJDdDXmQS2qa
mDN2xBb/5pj3fbfp4wbwWlRVSd/AJQtRvaNY24F+UsRJb0WinIguDI6oRZx7Xt8w
oYirKqqq1leb3EYUt8TMIXQsOw0/Iq+JJCwB+ZyLLGVNB19XOxdR3RN1JYeZANpE
cMSS3SdFGgZ//ZAdhIN5kw9yMeKo6Rnt+Vdz3vZWTuSVp/xYO3IMGXNGAdIWIwrJ
7fwSl/rfXGG816h0sD46U0mxd+i68YOtHlzOKe+vMZ4/FJZYd/E5/IDQluV8HLwa
5lODfZXUmfStdV+GDA9KVEGUP5xSkC3rMnir66NgHzKpIL002/g/HfGu7O3MrvpW
ng7AMvRv5vbsYcJBj2HUhKUCAwEAAQ==
-----END PUBLIC KEY-----
'';
};
};
ssh.privkey.path = <secrets/ssh.id_ed25519>;
ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKd/6eCR8yxC14zBJLIQgVa4Zbutv5yr2S8k08ztmBpp";
};
}; };
users = { users = {
lass = { lass = {
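Review bot: The new DKIM record `default._domainkey 60 IN TXT "k=rsa; p=..."` drops the `v=DKIM1` and `t=s` tags that the apex record it replaces carried; `v=` is only recommended by RFC 6376, but `t=s` restricted the signing identity to the exact domain, and losing it widens what this key may vouch for. Moving the record from the zone apex to `default._domainkey` is the right correction (verifiers never looked at the apex), so the tags should simply be kept: `default._domainkey 60 IN TXT "v=DKIM1; k=rsa; t=s; p=..."`. This is one of twelve hunks in the file; the `extraZones` string this record sits in begins and ends outside the hunk.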


@ -13,7 +13,7 @@
krebs-source = { krebs-source = {
nixpkgs.git = { nixpkgs.git = {
ref = "4b4bbce199d3b3a8001ee93495604289b01aaad3"; ref = "b50443b5c4ac0f382c49352a892b9d5d970eb4e7";
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
}; };
stockholm.file = toString ../.; stockholm.file = toString ../.;


@ -13,9 +13,9 @@
<stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/AP.nix>
]; ];
krebs.build.host = config.krebs.hosts.cabal; krebs.build.host = config.krebs.hosts.cabal;


@ -8,9 +8,9 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/boot/coreboot.nix> <stockholm/lass/2configs/boot/coreboot.nix>
<stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/backup.nix>
{ {
# bubsy config # bubsy config
users.users.bubsy = { users.users.bubsy = {


@ -1,50 +0,0 @@
{ config, lib, pkgs, ... }:
let
inherit (import <stockholm/lass/4lib> { inherit pkgs lib; }) getDefaultGateway;
ip = config.krebs.build.host.nets.internet.ip4.addr;
in {
imports = [
<stockholm/lass>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/os-templates/CAC-CentOS-7-64bit.nix>
<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/privoxy-retiolum.nix>
<stockholm/lass/2configs/git.nix>
{
networking.interfaces.enp2s1.ip4 = [
{
address = ip;
prefixLength = 24;
}
];
networking.defaultGateway = getDefaultGateway ip;
networking.nameservers = [
"8.8.8.8"
];
}
{
sound.enable = false;
}
{
users.extraUsers = {
satan = {
name = "satan";
uid = 1338;
home = "/home/satan";
group = "users";
createHome = true;
useDefaultShell = true;
extraGroups = [
];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+l3ajjOd80uJBM8oHO9HRbtA5hK6hvrpxxnk7qWW7OloT9IXcoM8bbON755vK0O6XyxZo1JZ1SZ7QIaOREGVIRDjcbJbqD3O+nImc6Rzxnrz7hvE+tuav9Yylwcw5HeQi82UIMGTEAwMHwLvsW6R/xyMCuOTbbzo9Ib8vlJ8IPDECY/05RhL7ZYFR0fdphI7jq7PobnO8WEpCZDhMvSYjO9jf3ac53wyghT3gH7AN0cxTR9qgQlPHhTbw+nZEI0sUKtrIhjfVE80wgK3NQXZZj7YAplRs/hYwSi7i8V0+8CBt2epc/5RKnJdDHFQnaTENq9kYQPOpUCP6YUwQIo8X nineinchnade@gmail.com"
];
};
};
}
];
krebs.build.host = config.krebs.hosts.echelon;
}


@ -17,6 +17,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/dcso-dev.nix> <stockholm/lass/2configs/dcso-dev.nix>
<stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/steam.nix>
<stockholm/lass/2configs/rtl-sdr.nix> <stockholm/lass/2configs/rtl-sdr.nix>
<stockholm/lass/2configs/backup.nix>
{ # automatic hardware detection { # automatic hardware detection
boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; boot.initrd.availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
boot.kernelModules = [ "kvm-intel" ]; boot.kernelModules = [ "kvm-intel" ];
@ -137,35 +138,14 @@ with import <stockholm/lib>;
networking.hostName = lib.mkForce "BLN02NB0162"; networking.hostName = lib.mkForce "BLN02NB0162";
security.pki.certificateFiles = [ security.pki.certificateFiles = [
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "14vz9c0fk6li0a26vx0s5ha6y3yivnshx9pjlh9vmnpkbph5a7rh"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC1G1.pem"; sha256 = "006j61q2z44z6d92638iin6r46r4cj82ipwm37784h34i5x4mp0d"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "0r1dd48a850cv7whk4g2maik550rd0vsrsl73r6x0ivzz7ap1xz5"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC2G1.pem"; sha256 = "1nkd1rjcn02q9xxjg7sw79lbwy08i7hb4v4pn98djknvcmplpz5m"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "0b5cdchdkvllnr0kz35d8jrmrf9cjw0kd98mmvzr0x6nkc8hwpdy"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAROOTC3G1.pem"; sha256 = "094m12npglnnv1nf1ijcv70p8l15l00id44qq7rwynhcgxi5539i"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "0rn57zv1ry9vj4p2248mxmafmqqmdhbrfx1plszrxsphshbk2hfz"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC2G1.pem"; sha256 = "1anfncdf5xsp219kryncv21ra87flpzcjwcc85hzvlwbxhid3g4x"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "0w88qaqhwxzvdkx40kzj2gka1yi85ipppjdkxah4mscwfhlryrnk"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCACOMPC3G1.pem"; sha256 = "035kkfizyl5dndj7rhvmy91rr75lakqbqgjx4dpiw0kqq369mz8r"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "1z2qkyhgjvri13bvi06ynkb7mjmpcznmc9yw8chx1lnwc3cxa7kf"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC2G1.pem"; sha256 = "14fpzx1qjs9ws9sz0y7pb6j40336xlckkqcm2rc5j86yn7r22lp7"; })
(pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "0smdjjvz95n652cb45yhzdb2lr83zg52najgbzf6lm3w71f8mv7f"; }) (pkgs.fetchurl { url = "http://pki.dcso.de/ca/PEM/DCSOCAIDENC3G1.pem"; sha256 = "1yjl3kyw4chc8vw7bnqac2h9vn8dxryw7lr7i03lqi9sdvs4108s"; })
(pkgs.writeText "minio.cert" ''
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
'')
]; ];
programs.adb.enable = true; programs.adb.enable = true;
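Review bot: All seven `pkgs.fetchurl` pins for the DCSO CA certificates change their `sha256` in this hunk while the URLs stay the same, and those URLs are plain `http://`, so the hash is the only thing authenticating what is installed into `security.pki.certificateFiles`. Re-pinning a trust anchor deserves a sentence in the commit stating where the new fingerprints were verified out of band, because a wrong pin here installs a system-wide root CA. The inline `minio.cert` is removed at the same time; saying whether the service moved or the certificate expired would make that removal reviewable too. The enclosing `imports` entry begins and ends outside the hunk.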


@ -14,9 +14,9 @@
<stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/games.nix> <stockholm/lass/2configs/games.nix>
<stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>
]; ];
krebs.build.host = config.krebs.hosts.icarus; krebs.build.host = config.krebs.hosts.icarus;


@ -8,7 +8,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/boot/stock-x220.nix> <stockholm/lass/2configs/boot/stock-x220.nix>
<stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/backups.nix> <stockholm/lass/2configs/backup.nix>
<stockholm/lass/2configs/steam.nix> <stockholm/lass/2configs/steam.nix>
{ {
users.users.blacky = { users.users.blacky = {


@ -33,6 +33,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ableton.nix> <stockholm/lass/2configs/ableton.nix>
<stockholm/lass/2configs/dunst.nix> <stockholm/lass/2configs/dunst.nix>
<stockholm/lass/2configs/rtl-sdr.nix> <stockholm/lass/2configs/rtl-sdr.nix>
<stockholm/lass/2configs/backup.nix>
{ {
#risk of rain port #risk of rain port
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
@ -140,6 +141,8 @@ with import <stockholm/lib>;
dpass dpass
dnsutils dnsutils
woeusb
l-gen-secrets
generate-secrets generate-secrets
(pkgs.writeDashBin "btc-coinbase" '' (pkgs.writeDashBin "btc-coinbase" ''
${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount' ${pkgs.curl}/bin/curl -Ss 'https://api.coinbase.com/v2/prices/spot?currency=EUR' | ${pkgs.jq}/bin/jq '.data.amount'
@ -186,6 +189,10 @@ with import <stockholm/lib>;
programs.adb.enable = true; programs.adb.enable = true;
users.users.mainUser.extraGroups = [ "adbusers" "docker" ]; users.users.mainUser.extraGroups = [ "adbusers" "docker" ];
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
services.redshift = {
enable = true;
provider = "geoclue2";
};
lass.restic = genAttrs [ lass.restic = genAttrs [
"daedalus" "daedalus"


@ -104,6 +104,7 @@ in {
]; ];
} }
{ # TODO make new hfos.nix out of this vv { # TODO make new hfos.nix out of this vv
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
users.users.riot = { users.users.riot = {
uid = genid "riot"; uid = genid "riot";
isNormalUser = true; isNormalUser = true;
@ -189,26 +190,6 @@ in {
localAddress = "10.233.2.2"; localAddress = "10.233.2.2";
}; };
} }
{
#kaepsele
systemd.services."container@kaepsele".reloadIfChanged = mkForce false;
containers.kaepsele = {
config = { ... }: {
imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = with config.krebs.users; [
lass.pubkey
tv.pubkey
];
};
autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.3";
localAddress = "10.233.2.4";
};
}
{ {
#onondaga #onondaga
systemd.services."container@onondaga".reloadIfChanged = mkForce false; systemd.services."container@onondaga".reloadIfChanged = mkForce false;
@ -237,13 +218,12 @@ in {
<stockholm/lass/2configs/repo-sync.nix> <stockholm/lass/2configs/repo-sync.nix>
<stockholm/lass/2configs/binary-cache/server.nix> <stockholm/lass/2configs/binary-cache/server.nix>
<stockholm/lass/2configs/iodined.nix> <stockholm/lass/2configs/iodined.nix>
<stockholm/lass/2configs/monitoring/server.nix>
<stockholm/lass/2configs/monitoring/monit-alarms.nix>
<stockholm/lass/2configs/paste.nix> <stockholm/lass/2configs/paste.nix>
<stockholm/lass/2configs/syncthing.nix> <stockholm/lass/2configs/syncthing.nix>
<stockholm/lass/2configs/reaktor-coders.nix> <stockholm/lass/2configs/reaktor-coders.nix>
<stockholm/lass/2configs/ciko.nix> <stockholm/lass/2configs/ciko.nix>
<stockholm/lass/2configs/container-networking.nix> <stockholm/lass/2configs/container-networking.nix>
<stockholm/lass/2configs/monitoring/prometheus-server.nix>
{ # quasi bepasty.nix { # quasi bepasty.nix
imports = [ imports = [
<stockholm/lass/2configs/bepasty.nix> <stockholm/lass/2configs/bepasty.nix>
@ -324,6 +304,35 @@ in {
{ predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
]; ];
} }
<stockholm/lass/2configs/go.nix>
{
environment.systemPackages = [ pkgs.cryptsetup ];
systemd.services."container@red".reloadIfChanged = mkForce false;
containers.red = {
config = { ... }: {
environment.systemPackages = [ pkgs.git ];
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
config.krebs.users.lass.pubkey
];
};
autoStart = false;
enableTun = true;
privateNetwork = true;
hostAddress = "10.233.2.3";
localAddress = "10.233.2.4";
};
services.nginx.virtualHosts."rote-allez-fraktion.de" = {
enableACME = true;
addSSL = true;
locations."/" = {
extraConfig = ''
proxy_set_header Host rote-allez-fraktion.de;
proxy_pass http://10.233.2.4;
'';
};
};
}
]; ];
krebs.build.host = config.krebs.hosts.prism; krebs.build.host = config.krebs.hosts.prism;
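Review bot: The new `services.nginx.virtualHosts."rote-allez-fraktion.de"` uses `addSSL = true`, which keeps serving the forum over plain HTTP next to HTTPS, so phpBB logins can still be submitted in clear text; `forceSSL = true;` redirects HTTP to HTTPS instead. The `proxy_pass` block forwards only `Host`, so the container sees every client as the host address — adding `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` is needed if the backend is to log or rate-limit by client. `containers.red.autoStart = false` while the vhost is always active means the proxy errors until the container is started by hand; if that is deliberate, a short comment on the `autoStart` line would record it. The enclosing `imports` list starts outside the hunk.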


@ -0,0 +1,31 @@
with import <stockholm/lib>;
{ config, lib, pkgs, ... }:
let
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
servephpBB
;
in
{
imports = [
<stockholm/lass>
<stockholm/lass/2configs>
<stockholm/lass/2configs/retiolum.nix>
<stockholm/lass/2configs/websites>
<stockholm/lass/2configs/websites/sqlBackup.nix>
(servephpBB [ "rote-allez-fraktion.de" ])
];
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp --dport 80"; target = "ACCEPT"; }
];
krebs.build.host = config.krebs.hosts.red;
boot.isContainer = true;
networking.useDHCP = false;
services.nginx.enable = true;
environment.variables.NIX_REMOTE = "daemon";
environment.systemPackages = [
pkgs.mk_sql_pair
];
}


@ -1,3 +1,4 @@
import <stockholm/lass/source.nix> { import <stockholm/lass/source.nix> {
name = "echelon"; name = "red";
secure = true;
} }


@ -15,9 +15,9 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/browsers.nix> <stockholm/lass/2configs/browsers.nix>
<stockholm/lass/2configs/programs.nix> <stockholm/lass/2configs/programs.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
<stockholm/lass/2configs/wine.nix> <stockholm/lass/2configs/wine.nix>
<stockholm/lass/2configs/bitcoin.nix> <stockholm/lass/2configs/bitcoin.nix>
<stockholm/lass/2configs/backup.nix>
]; ];
krebs.build.host = config.krebs.hosts.shodan; krebs.build.host = config.krebs.hosts.shodan;


@ -9,7 +9,6 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/retiolum.nix> <stockholm/lass/2configs/retiolum.nix>
#<stockholm/lass/2configs/exim-retiolum.nix> #<stockholm/lass/2configs/exim-retiolum.nix>
<stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/fetchWallpaper.nix>
<stockholm/lass/2configs/backups.nix>
{ {
# discordius config # discordius config
services.xserver.enable = true; services.xserver.enable = true;


@ -2,10 +2,4 @@ with import <stockholm/lib>;
import <stockholm/lass/source.nix> { import <stockholm/lass/source.nix> {
name = "xerxes"; name = "xerxes";
secure = true; secure = true;
override = {
nixpkgs.git = mkForce {
url = https://github.com/lassulus/nixpkgs;
ref = "3eccd0b";
};
};
} }

77
lass/2configs/AP.nix Normal file

@ -0,0 +1,77 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
let
wifi = "wlp0s29u1u2";
in {
boot.extraModulePackages = [
pkgs.linuxPackages.rtl8814au
];
networking.networkmanager.unmanaged = [ wifi ];
systemd.services.hostapd = {
description = "hostapd wireless AP";
path = [ pkgs.hostapd ];
wantedBy = [ "network.target" ];
after = [ "${wifi}-cfg.service" "nat.service" "bind.service" "dhcpd.service" "sys-subsystem-net-devices-${wifi}.device" ];
serviceConfig = {
ExecStart = "${pkgs.hostapd}/bin/hostapd ${pkgs.writeText "hostapd.conf" ''
interface=${wifi}
hw_mode=a
channel=36
ieee80211d=1
country_code=DE
ieee80211n=1
ieee80211ac=1
wmm_enabled=1
# 5ghz
ssid=krebsing
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=aidsballz
''}";
Restart = "always";
};
};
networking.interfaces.${wifi}.ipv4.addresses = [
{ address = "10.99.0.1"; prefixLength = 24; }
];
services.dhcpd4 = {
enable = true;
interfaces = [ wifi ];
extraConfig = ''
option subnet-mask 255.255.255.0;
option routers 10.99.0.1;
option domain-name-servers 1.1.1.1, 8.8.8.8;
subnet 10.99.0.0 netmask 255.255.255.0 {
range 10.99.0.100 10.99.0.200;
}
'';
};
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
krebs.iptables.tables.filter.FORWARD.rules = [
{ v6 = false; predicate = "-d 10.99.0.0/24 -o ${wifi} -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 -i ${wifi}"; target = "ACCEPT"; }
{ v6 = false; predicate = "-i ${wifi} -o ${wifi}"; target = "ACCEPT"; }
{ v6 = false; predicate = "-o ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i ${wifi}"; target = "REJECT --reject-with icmp-port-unreachable"; }
];
krebs.iptables.tables.nat.PREROUTING.rules = [
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; }
];
krebs.iptables.tables.nat.POSTROUTING.rules = [
#TODO find out what this is about?
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 -d 255.255.255.255"; target = "RETURN"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24"; target = "MASQUERADE"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
{ v6 = false; predicate = "-s 10.99.0.0/24 ! -d 10.99.0.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
];
}
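Review bot: The WPA2 passphrase on the `wpa_passphrase=` line is written through `pkgs.writeText`, so it lands in the world-readable Nix store (and in any binary cache this host pushes to) instead of under the `<secrets/...>` paths the rest of this commit uses for private keys. hostapd can read the PSK from a separate file with `wpa_psk_file=<PATH-TO-SECRET-OUTSIDE-STORE>`, which lets the inline line go and the secret be deployed like the others. Separately, in `krebs.iptables.tables.nat.POSTROUTING.rules` the two `MASQUERADE --to-ports 1024-65535` entries follow an unconditional `MASQUERADE` with the same source/destination match, so if the module preserves list order they are never reached; either drop them or place them before the generic rule.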

20
lass/2configs/backup.nix Normal file

@ -0,0 +1,20 @@
{ config, lib, ... }:
with import <stockholm/lib>;
{
fileSystems = {
"/backups" = {
device = "/dev/pool/backup";
fsType = "ext4";
};
};
users.users.backup = {
useDefaultShell = true;
home = "/backups";
createHome = true;
openssh.authorizedKeys.keys = with config.krebs.hosts; [
mors.ssh.pubkey
prism.ssh.pubkey
];
};
}
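Review bot: The two host keys in `users.users.backup.openssh.authorizedKeys.keys` get an unrestricted login shell (`useDefaultShell = true`) on an account whose home is the backup volume, so a compromise of either host's ssh key yields interactive access to every other host's backups. NixOS writes these entries verbatim into authorized_keys, so options can be prepended, e.g. `"restrict,command=\"<BACKUP-RECEIVE-COMMAND placeholder>\" ${mors.ssh.pubkey}"` in place of the bare attribute reference, confining each key to the backup tool. The user also sets neither `isNormalUser` nor `isSystemUser`; stating which is intended documents the account's role and avoids relying on an implicit default.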


@ -1,173 +0,0 @@
{ config, lib, ... }:
with import <stockholm/lib>;
{
# TODO add timerConfig to krebs.backup and randomize startup
# TODO define plans more abstract
krebs.backup.plans = {
} // mapAttrs (_: recursiveUpdate {
snapshots = {
daily = { format = "%Y-%m-%d"; retain = 7; };
weekly = { format = "%YW%W"; retain = 4; };
monthly = { format = "%Y-%m"; retain = 12; };
yearly = { format = "%Y"; };
};
}) {
dishfire-http-prism = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-http"; };
startAt = "03:00";
};
dishfire-http-icarus = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-http"; };
startAt = "03:10";
};
dishfire-http-mors = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-http"; };
startAt = "03:05";
};
dishfire-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/srv/http"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-http"; };
startAt = "03:10";
};
dishfire-sql-prism = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.prism; path = "/bku/dishfire-sql"; };
startAt = "03:15";
};
dishfire-sql-icarus = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/dishfire-sql"; };
startAt = "03:25";
};
dishfire-sql-mors = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/dishfire-sql"; };
startAt = "03:20";
};
dishfire-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.dishfire; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/dishfire-sql"; };
startAt = "03:25";
};
prism-bitlbee-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-bitlbee-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-bitlbee-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/var/lib/bitlbee"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-bitlbee"; };
startAt = "03:25";
};
prism-chat-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-chat"; };
startAt = "03:35";
};
prism-chat-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-chat"; };
startAt = "03:30";
};
prism-chat-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/home/chat"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-chat"; };
startAt = "03:35";
};
prism-sql-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-sql_dumps"; };
startAt = "03:45";
};
prism-sql-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-sql_dumps"; };
startAt = "03:40";
};
prism-sql-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-sql_dumps"; };
startAt = "03:45";
};
prism-http-icarus = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/prism-http"; };
startAt = "03:55";
};
prism-http-mors = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/prism-http"; };
startAt = "03:50";
};
prism-http-shodan = {
method = "pull";
src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/prism-http"; };
startAt = "03:55";
};
icarus-home-mors = {
method = "pull";
src = { host = config.krebs.hosts.icarus; path = "/home"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/icarus-home"; };
startAt = "05:00";
};
icarus-home-shodan = {
method = "push";
src = { host = config.krebs.hosts.icarus; path = "/home"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/icarus-home"; };
startAt = "05:00";
};
mors-home-icarus = {
method = "push";
src = { host = config.krebs.hosts.mors; path = "/home"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/mors-home"; };
startAt = "05:00";
};
mors-home-shodan = {
method = "push";
src = { host = config.krebs.hosts.mors; path = "/home"; };
dst = { host = config.krebs.hosts.shodan; path = "/bku/mors-home"; };
startAt = "05:00";
};
shodan-home-icarus = {
method = "pull";
src = { host = config.krebs.hosts.shodan; path = "/home"; };
dst = { host = config.krebs.hosts.icarus; path = "/bku/shodan-home"; };
startAt = "04:00";
};
shodan-home-mors = {
method = "pull";
src = { host = config.krebs.hosts.shodan; path = "/home"; };
dst = { host = config.krebs.hosts.mors; path = "/bku/shodan-home"; };
startAt = "04:00";
};
};
}


@ -9,7 +9,6 @@ in {
./power-action.nix ./power-action.nix
./copyq.nix ./copyq.nix
./livestream.nix ./livestream.nix
./dns-stuff.nix
./urxvt.nix ./urxvt.nix
./network-manager.nix ./network-manager.nix
{ {


@ -10,9 +10,6 @@ in {
krebs.per-user.bitcoin.packages = [ krebs.per-user.bitcoin.packages = [
pkgs.electrum pkgs.electrum
]; ];
krebs.per-user.ethereum.packages = [
pkgs.go-ethereum
];
users.extraUsers = { users.extraUsers = {
bch = { bch = {
name = "bch"; name = "bch";
@ -28,13 +25,6 @@ in {
useDefaultShell = true; useDefaultShell = true;
createHome = true; createHome = true;
}; };
ethereum = {
name = "ethereum";
description = "user for ethereum stuff";
home = "/home/ethereum";
useDefaultShell = true;
createHome = true;
};
}; };
security.sudo.extraConfig = '' security.sudo.extraConfig = ''
${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL ${mainUser.name} ALL=(bitcoin) NOPASSWD: ALL


@ -9,6 +9,7 @@ in {
dev = { dev = {
name = "dev"; name = "dev";
uid = genid "dev"; uid = genid "dev";
extraGroups = [ "docker" ];
description = "user for collaborative development"; description = "user for collaborative development";
home = "/home/dev"; home = "/home/dev";
useDefaultShell = true; useDefaultShell = true;
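Review bot: Adding `extraGroups = [ "docker" ];` to the shared `dev` account makes it root-equivalent on this host, since anyone who can reach the Docker socket can start a privileged container or bind-mount `/`; because the account is described as being for collaborative development, every person with access to it inherits that. If that is intended, a comment at the new line, e.g. `# NOTE: docker group is root-equivalent on this host`, makes the trade-off explicit for the next reader; if not, per-person accounts in the docker group would at least keep the grant attributable. The `dev` attribute set continues past the end of the hunk.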


@ -6,10 +6,9 @@ with import <stockholm/lib>;
./gc.nix ./gc.nix
./mc.nix ./mc.nix
./vim.nix ./vim.nix
./monitoring/client.nix ./monitoring/node-exporter.nix
./zsh.nix ./zsh.nix
./htop.nix ./htop.nix
./backups.nix
./security-workarounds.nix ./security-workarounds.nix
{ {
users.extraUsers = users.extraUsers =
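Review bot: Dropping `./backups.nix` from the default import list removes the scheduled backup plans from every host that only received them through this file, and nothing in this hunk replaces them; unless the module is re-imported per host in a change not shown here, backups silently stop. A one-line comment at the removal site, or a sentence in the commit description, naming where the plans now live would let a reader confirm that. The `./monitoring/client.nix` to `./monitoring/node-exporter.nix` swap is fine in itself; the enclosing attribute set continues past the hunk.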


@ -1,16 +0,0 @@
{ config, pkgs, ... }:
with import <stockholm/lib>;
{
services.dnscrypt-proxy = {
enable = true;
localAddress = "127.1.0.1";
customResolver = {
address = config.krebs.hosts.gum.nets.internet.ip4.addr;
port = 15251;
name = "2.dnscrypt-cert.euer.krebsco.de";
key = "1AFC:E58D:F242:0FBB:9EE9:4E51:47F4:5373:D9AE:C2AB:DD96:8448:333D:5D79:272C:A44C";
};
};
services.resolved.enable = true;
services.resolved.fallbackDns = [ "127.1.0.1" ];
}


@ -79,6 +79,7 @@ with import <stockholm/lib>;
{ from = "ovh@lassul.us"; to = lass.mail; } { from = "ovh@lassul.us"; to = lass.mail; }
{ from = "hetzner@lassul.us"; to = lass.mail; } { from = "hetzner@lassul.us"; to = lass.mail; }
{ from = "allygator@lassul.us"; to = lass.mail; } { from = "allygator@lassul.us"; to = lass.mail; }
{ from = "immoscout@lassul.us"; to = lass.mail; }
]; ];
system-aliases = [ system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; } { from = "mailer-daemon"; to = "postmaster"; }


@ -3,6 +3,6 @@
with import <stockholm/lib>; with import <stockholm/lib>;
{ {
nix.gc = { nix.gc = {
automatic = ! elem config.krebs.build.host.name [ "prism" "mors" "helios" ]; automatic = ! (elem config.krebs.build.host.name [ "prism" "mors" "helios" ] || config.boot.isContainer);
}; };
} }


@ -57,6 +57,16 @@ let
cgit.desc = "Fork of nix-user-chroot my lethalman"; cgit.desc = "Fork of nix-user-chroot my lethalman";
cgit.section = "software"; cgit.section = "software";
}; };
nixos-aws = {
collaborators = [ {
name = "fabio";
pubkey = "ssh-rsa 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 ada";
} ];
};
krops = {
cgit.desc = "krebs deployment";
cgit.section = "software";
};
} // mapAttrs make-public-repo-silent { } // mapAttrs make-public-repo-silent {
}; };
@ -70,8 +80,8 @@ let
import <secrets/repos.nix> { inherit config lib pkgs; } import <secrets/repos.nix> { inherit config lib pkgs; }
); );
make-public-repo = name: { cgit ? {}, ... }: { make-public-repo = name: { cgit ? {}, collaborators ? [], ... }: {
inherit cgit name; inherit cgit collaborators name;
public = true; public = true;
hooks = { hooks = {
post-receive = pkgs.git-hooks.irc-announce { post-receive = pkgs.git-hooks.irc-announce {
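Review bot: `collaborators` is now passed through `make-public-repo`, but what that list grants is decided by the rule generator outside this hunk, so nothing here tells a reviewer whether the `fabio` key added to `nixos-aws` in the earlier hunk gets push access or something else. A short comment on the new parameter, e.g. `# collaborators: extra users granted push access to this repo` (or whatever the rules actually grant), would make the access change auditable from this file. `make-public-repo`'s body continues past the hunk.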

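--- /dev/null
+++ b/lass/2configs/go.nix
@@ -0,0 +1,19 @@
+{ config, lib, pkgs, ... }:
+{
+krebs.go = {
+enable = true;
+};
+services.nginx = {
+enable = true;
+virtualHosts.go = {
+locations."/".extraConfig = ''
+proxy_set_header Host go.lassul.us;
+proxy_pass http://localhost:1337;
+'';
+serverAliases = [
+"go.lassul.us"
+];
+};
+};
+}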
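Review bot: The `go` virtual host is served over plain HTTP only — there is no `enableACME`/`forceSSL` on it, unlike the phpBB helper this same commit moves, whose removed copy had both — so whatever `krebs.go` serves (presumably short links and their targets) is readable and rewritable by anyone on the path. Adding `enableACME = true; forceSSL = true;` to `virtualHosts.go` while keeping the backend on `localhost:1337` as it is now closes that; if plain HTTP is deliberate, a comment saying so would stop the next reader from "fixing" it. `proxy_set_header Host go.lassul.us;` also hard-codes the host, so any further `serverAliases` entry would be rewritten to this one name; `$host` keeps them distinct.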


@ -206,8 +206,11 @@ in {
msmtp msmtp
mutt mutt
pkgs.much pkgs.much
pkgs.notmuch
tag-new-mails tag-new-mails
tag-old-mails tag-old-mails
]; ];
nixpkgs.config.packageOverrides = opkgs: {
notmuch = (opkgs.notmuch.overrideAttrs (o: { doCheck = false; }));
};
} }
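Review bot: `doCheck = false` on the notmuch override disables the package's whole test suite for every consumer on the system, because it goes through `nixpkgs.config.packageOverrides` rather than a local override, and the hunk gives no reason. A comment naming the failing test or upstream issue, e.g. `# notmuch tests fail in the sandbox (see <issue>); drop once fixed`, keeps this from becoming a permanent, unexplained weakening of the build. The surrounding attribute set starts before the hunk.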


@ -1,26 +0,0 @@
{pkgs, config, ...}:
with import <stockholm/lib>;
{
services.telegraf = {
enable = true;
extraConfig = {
agent.interval = "1s";
outputs = {
influxdb = {
urls = ["http://prism:8086"];
database = "telegraf_db";
user_agent = "telegraf";
};
};
inputs = {
cpu = {
percpu = false;
totalcpu = true;
};
mem = {};
net = {};
};
};
};
}


@ -1,44 +0,0 @@
{pkgs, config, ...}:
with import <stockholm/lib>;
let
echoToIrc = msg:
pkgs.writeDash "echo_irc" ''
set -euf
export LOGNAME=prism-alarm
${pkgs.irc-announce}/bin/irc-announce \
irc.r 6667 ${config.networking.hostName}-alarm \#noise "${msg}" >/dev/null
'';
in {
krebs.monit = {
enable = true;
http.enable = true;
alarms = {
nirwanabluete = {
test = "${pkgs.curl}/bin/curl -sf 'https://nirwanabluete.de/'";
alarm = echoToIrc "test nirwanabluete failed";
};
ubik = {
test = "${pkgs.curl}/bin/curl -sf 'https://ubikmedia.de'";
alarm = echoToIrc "test ubik failed";
};
cac-panel = {
test = "${pkgs.curl}/bin/curl -sf 'https://panel.cloudatcost.com/login.php'";
alarm = echoToIrc "test cac-panel failed";
};
radio = {
test = pkgs.writeBash "check_stream" ''
${pkgs.curl}/bin/curl -sif http://lassul.us:8000/radio.ogg \
| ${pkgs.gawk}/bin/awk '/^\r$/{exit}{print $0}' \
| ${pkgs.gnugrep}/bin/grep -q "200 OK" || exit "''${PIPESTATUS[0]}"
'';
alarm = echoToIrc "test radio failed";
};
};
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp -i retiolum --dport 9093"; target = "ACCEPT"; }
];
}


@ -1,7 +1,9 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
{ {
networking.firewall.allowedTCPPorts = [ 9100 ]; krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip4.addr}"; target = "ACCEPT"; v6 = false; }
{ predicate = "-i retiolum -p tcp --dport 9100 -s ${config.krebs.hosts.prism.nets.retiolum.ip6.addr}"; target = "ACCEPT"; v4 = false; }
];
services.prometheus.exporters = { services.prometheus.exporters = {
node = { node = {
enable = true; enable = true;
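Review bot: The new iptables rules restrict 9100 to prism over retiolum, which is a real improvement over the old `allowedTCPPorts`, but they are now the only guard: the `node` exporter block is cut off by the hunk, and if its `listenAddress` stays at the default it still binds every interface, so a wrong interface name or a failed address lookup exposes host metrics publicly. Binding the exporter to the host's retiolum address as well gives defence in depth, e.g. `listenAddress = config.krebs.build.host.nets.retiolum.ip4.addr;`, assuming that attribute is populated for every monitored host. The `services.prometheus.exporters` block continues past the hunk.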


@ -9,6 +9,12 @@
# useDHCP = true; # useDHCP = true;
#}; #};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-i retiolum -p tcp --dport 3000"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 9090"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 9093"; target = "ACCEPT"; }
];
services = { services = {
prometheus = { prometheus = {
enable = true; enable = true;
@ -124,11 +130,10 @@
static_configs = [ static_configs = [
{ {
targets = [ targets = [
"localhost:9100" ] ++ map (host: "${host}:9100") (lib.attrNames (lib.filterAttrs (_: host: host.owner.name == "lass" && host.monitoring) config.krebs.hosts));
]; #labels = {
labels = { # alias = "prometheus.example.com";
alias = "prometheus.example.com"; #};
};
} }
]; ];
} }
@ -159,7 +164,7 @@
]; ];
"webhook_configs" = [ "webhook_configs" = [
{ {
"url" = "https://example.com/prometheus-alerts"; "url" = "http://127.0.0.1:14813/prometheus-alerts";
"send_resolved" = true; "send_resolved" = true;
} }
]; ];
@ -176,4 +181,37 @@
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""} security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
}; };
}; };
services.logstash = {
enable = true;
inputConfig = ''
http {
port => 14813
host => "127.0.0.1"
}
'';
filterConfig = ''
if ([alerts]) {
ruby {
code => '
lines = []
event["alerts"].each {|p|
lines << "#{p["labels"]["instance"]}#{p["annotations"]["summary"]} #{p["status"]}"
}
event["output"] = lines.join("\n")
'
}
}
'';
outputConfig = ''
file { path => "/tmp/logs.json" codec => "json_lines" }
irc {
channels => [ "#noise" ]
host => "irc.r"
nick => "alarm"
codec => "json_lines"
format => "%{output}"
}
'';
#plugins = [ ];
};
} }
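Review bot: The logstash `file` output writes to the fixed, predictable path `/tmp/logs.json` in a world-writable directory: any local user can pre-create that name, or a symlink to it, before logstash starts, and alert contents (instance names, summaries) end up where other local users may read them depending on the mode the service creates it with. Either drop this output — it reads like a debugging leftover — or point it at a service-owned directory, e.g. `file { path => "/var/lib/logstash/alerts.json" codec => "json_lines" }`. Separately, the ruby filter uses the `event["alerts"]` hash-style accessor, which Logstash 5 and later removed in favour of `event.get("alerts")`; if the pinned logstash is that new the filter raises and no alert reaches IRC, so this is worth checking before relying on it. The joined line also has no space between the instance and the summary.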


@ -1,87 +0,0 @@
{pkgs, config, ...}:
with import <stockholm/lib>;
{
services.influxdb.enable = true;
services.influxdb.extraConfig = {
meta.hostname = config.krebs.build.host.name;
# meta.logging-enabled = true;
http.bind-address = ":8086";
admin.bind-address = ":8083";
http.log-enabled = false;
monitoring = {
enabled = false;
# write-interval = "24h";
};
collectd = [{
enabled = true;
typesdb = "${pkgs.collectd}/share/collectd/types.db";
database = "collectd_db";
port = 25826;
}];
};
krebs.kapacitor =
let
db = "telegraf_db";
echoToIrc = pkgs.writeDash "echo_irc" ''
set -euf
data="$(${pkgs.jq}/bin/jq -r .message)"
export LOGNAME=prism-alarm
${pkgs.irc-announce}/bin/irc-announce \
irc.r 6667 prism-alarm \#noise "$data" >/dev/null
'';
in {
enable = true;
alarms = {
cpu = {
database = db;
text = ''
var data = batch
|query(${"'''"}
SELECT mean("usage_user") AS mean
FROM "${db}"."default"."cpu"
${"'''"})
.period(10m)
.every(1m)
.groupBy('host')
data |alert()
.crit(lambda: "mean" > 90)
.exec('${echoToIrc}')
data |deadman(1.0,5m)
.stateChangesOnly()
.exec('${echoToIrc}')
'';
};
ram = {
database = db;
text = ''
var data = batch
|query(${"'''"}
SELECT mean("used_percent") AS mean
FROM "${db}"."default"."mem"
${"'''"})
.period(10m)
.every(1m)
.groupBy('host')
data |alert()
.crit(lambda: "mean" > 90)
.exec('${echoToIrc}')
'';
};
};
};
services.grafana = {
enable = true;
addr = "0.0.0.0";
auth.anonymous.enable = true;
security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
};
krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p tcp -i retiolum --dport 8086"; target = "ACCEPT"; }
{ predicate = "-p tcp -i retiolum --dport 3000"; target = "ACCEPT"; }
{ predicate = "-p udp -i retiolum --dport 25826"; target = "ACCEPT"; }
];
}


@ -6,66 +6,10 @@ let
genid genid
; ;
servephpBB = domains:
let
domain = head domains;
in {
services.nginx.virtualHosts."${domain}" = {
enableACME = true;
forceSSL = true;
serverAliases = domains;
extraConfig = ''
index index.php;
root /srv/http/${domain}/;
access_log /tmp/nginx_acc.log;
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
client_max_body_size 100m;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
locations."~ \.php(?:$|/)".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_intercept_errors on;
'';
#Directives to send expires headers and turn off 404 error logging.
locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
access_log off;
log_not_found off;
expires max;
'';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
user = nginx
group = nginx
pm = dynamic
pm.max_children = 25
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 20
listen.owner = nginx
listen.group = nginx
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
'';
};
in { in {
imports = [ imports = [
./default.nix ./default.nix
../git.nix ../git.nix
(servephpBB [ "rote-allez-fraktion.de" ])
]; ];
security.acme = { security.acme = {


@ -28,6 +28,59 @@ rec {
}; };
}; };
servephpBB = domains:
let
domain = head domains;
in {
services.nginx.virtualHosts."${domain}" = {
serverAliases = domains;
extraConfig = ''
index index.php;
root /srv/http/${domain}/;
access_log /tmp/nginx_acc.log;
error_log /tmp/nginx_err.log;
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
client_max_body_size 100m;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
locations."~ \.php(?:$|/)".extraConfig = ''
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include ${pkgs.nginx}/conf/fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
fastcgi_intercept_errors on;
'';
#Directives to send expires headers and turn off 404 error logging.
locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
access_log off;
log_not_found off;
expires max;
'';
};
services.phpfpm.poolConfigs."${domain}" = ''
listen = /srv/http/${domain}/phpfpm.pool
user = nginx
group = nginx
pm = dynamic
pm.max_children = 25
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 20
listen.owner = nginx
listen.group = nginx
php_admin_value[error_log] = 'stderr'
php_admin_flag[log_errors] = on
catch_workers_output = yes
'';
};
serveOwncloud = domains: serveOwncloud = domains:
let let
domain = head domains; domain = head domains;
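Review bot: The relocated `servephpBB` no longer sets `enableACME = true;` and `forceSSL = true;` on the virtual host, which the copy removed from the prism config did, so any caller gets a plain-HTTP phpBB while `fastcgi_param HTTPS on;` tells PHP the opposite — logins and session cookies would travel in the clear and phpBB would emit https links it does not serve. Unless every caller is expected to add TLS itself, restore the two lines inside `services.nginx.virtualHosts."${domain}"`: `enableACME = true; forceSSL = true;`. The helper also keeps `access_log`/`error_log` at fixed names under `/tmp`, which has the usual pre-creation/symlink problem and leaves access logs readable by local users; nginx's default log directory or a per-domain file under `/var/log/nginx/` would be safer. The hunk's trailing context belongs to `serveOwncloud`, whose body continues past it.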


@ -54,8 +54,8 @@
eval $(dircolors -b ${pkgs.fetchFromGitHub { eval $(dircolors -b ${pkgs.fetchFromGitHub {
owner = "trapd00r"; owner = "trapd00r";
repo = "LS_COLORS"; repo = "LS_COLORS";
rev = "master"; rev = "a75fca8545f91abb8a5f802981033ef54bf1eac0";
sha256="05lh5w3bgj9h8d8lrbbwbzw8788709cnzzkl8yh7m1dawkpf6nlp"; sha256="1lzj0qnj89mzh76ha137mnz2hf86k278rh0y9x124ghxj9yqsnb4";
}}/LS_COLORS) }}/LS_COLORS)
alias ls='ls --color' alias ls='ls --color'
zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS} zstyle ':completion:*:default' list-colors ''${(s.:.)LS_COLORS}


@ -50,6 +50,14 @@ rec {
default = false; default = false;
}; };
monitoring = mkOption {
description = ''
Whether the host should be monitored by monitoring tools like Prometheus.
'';
type = bool;
default = false;
};
owner = mkOption { owner = mkOption {
type = user; type = user;
}; };


@ -349,6 +349,7 @@ let
let b:current_syntax = "nix" let b:current_syntax = "nix"
set isk=@,48-57,_,192-255,-,' set isk=@,48-57,_,192-255,-,'
set bg=dark
''; '';
in in
out out