Merge remote-tracking branch 'lass/master'
commit
ab5b81b0b4
@ -29,9 +29,10 @@ let
|
||||
tables = mkOption {
|
||||
type = with types; attrsOf (attrsOf (submodule ({
|
||||
options = {
|
||||
#TODO: find out good defaults.
|
||||
policy = mkOption {
|
||||
type = str;
|
||||
default = "-";
|
||||
default = "ACCEPT";
|
||||
};
|
||||
rules = mkOption {
|
||||
type = nullOr (listOf (submodule ({
|
||||
@ -133,30 +134,9 @@ let
|
||||
#=====
|
||||
|
||||
rules = iptables-version:
|
||||
let
|
||||
#TODO: find out good defaults.
|
||||
tables-defaults = {
|
||||
nat.PREROUTING.policy = "ACCEPT";
|
||||
nat.INPUT.policy = "ACCEPT";
|
||||
nat.OUTPUT.policy = "ACCEPT";
|
||||
nat.POSTROUTING.policy = "ACCEPT";
|
||||
filter.INPUT.policy = "ACCEPT";
|
||||
filter.FORWARD.policy = "ACCEPT";
|
||||
filter.OUTPUT.policy = "ACCEPT";
|
||||
|
||||
#if someone specifies any other rules on this chain, the default rules get lost.
|
||||
#is this wanted beahiviour or a bug?
|
||||
#TODO: implement abstraction of rules
|
||||
filter.INPUT.rules = [
|
||||
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
|
||||
];
|
||||
};
|
||||
tables = tables-defaults // cfg.tables;
|
||||
|
||||
in
|
||||
pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
|
||||
${buildTables iptables-version tables}
|
||||
'';
|
||||
pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
|
||||
${buildTables iptables-version cfg.tables}
|
||||
'';
|
||||
|
||||
startScript = pkgs.writeDash "krebs-iptables_start" ''
|
||||
set -euf
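Review bot: The new `default = "ACCEPT";` on the `policy` option in the first hunk makes every chain fail open: a host that lists rules for `filter.INPUT` or `filter.FORWARD` but omits `policy` accepts everything its rules do not match, and the `#TODO: find out good defaults.` moved here leaves that undecided. I would drop the default so the policy has to be stated per chain, or at least document it on the option, e.g. `description = "Chain policy. Defaults to ACCEPT; set DROP explicitly on filter.INPUT and filter.FORWARD for a default-deny host.";`. The previous default `"-"` is also what iptables-restore expects for user-defined chains, so if `buildTables` (not visible here) writes this string into the chain declaration, such chains now need `policy = "-"` set by hand. With `tables-defaults` removed in the second hunk, a table absent from `cfg.tables` is no longer written to the rules file, so whether its earlier rules are cleared depends on the start script, which continues outside this hunk.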
|
||||
|
@ -17,7 +17,6 @@ with import <stockholm/lib>;
|
||||
../2configs/elster.nix
|
||||
../2configs/steam.nix
|
||||
../2configs/wine.nix
|
||||
../2configs/chromium-patched.nix
|
||||
../2configs/git.nix
|
||||
../2configs/skype.nix
|
||||
../2configs/teamviewer.nix
|
||||
|
@ -31,6 +31,7 @@ in {
|
||||
environment.systemPackages = with pkgs; [
|
||||
|
||||
acpi
|
||||
dic
|
||||
dmenu
|
||||
gitAndTools.qgit
|
||||
lm_sensors
|
||||
|
@ -36,7 +36,7 @@ in {
|
||||
};
|
||||
builder_pre = ''
|
||||
# prepare grab_repo step for stockholm
|
||||
grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental', alwaysUseLatest=True)
|
||||
grab_repo = steps.Git(repourl=stockholm_repo, mode='full')
|
||||
|
||||
# TODO: get nixpkgs/stockholm paths from krebs
|
||||
env_lass = {
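Review bot: Taking the `mode='full'` line as the new side, `steps.Git(repourl=stockholm_repo, mode='full')` leaves the clean-up method to Buildbot's default, so the guarantee that no files from an earlier build survive into the next one is only implicit. Naming it would make the intent reviewable: `grab_repo = steps.Git(repourl=stockholm_repo, mode='full', method='clobber')`, with the comment above extended to `# prepare grab_repo step for stockholm (full checkout: no state carried over between builds)`. The `builder_pre` string continues outside this hunk.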
|
||||
|
@ -1,48 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
#settings to test:
|
||||
#
|
||||
#"ForceEphemeralProfiles": true,
|
||||
let
|
||||
masterPolicy = pkgs.writeText "master.json" ''
|
||||
{
|
||||
"PasswordManagerEnabled": false,
|
||||
"DefaultGeolocationSetting": 2,
|
||||
"RestoreOnStartup": 1,
|
||||
"AutoFillEnabled": false,
|
||||
"BackgroundModeEnabled": false,
|
||||
"DefaultBrowserSettingEnabled": false,
|
||||
"SafeBrowsingEnabled": false,
|
||||
"ExtensionInstallForcelist": [
|
||||
"cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx",
|
||||
"ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx"
|
||||
]
|
||||
}
|
||||
'';
|
||||
|
||||
master_preferences = pkgs.writeText "master_preferences" ''
|
||||
{
|
||||
"browser": {
|
||||
"custom_chrome_frame": true
|
||||
},
|
||||
|
||||
"extensions": {
|
||||
"theme": {
|
||||
"id": "",
|
||||
"use_system": true
|
||||
}
|
||||
}
|
||||
}
|
||||
'';
|
||||
in {
|
||||
environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce masterPolicy;
|
||||
|
||||
#environment.systemPackages = [
|
||||
# #pkgs.chromium
|
||||
# (pkgs.lib.overrideDerivation pkgs.chromium (attrs: {
|
||||
# buildCommand = attrs.buildCommand + ''
|
||||
# touch $out/TEST123
|
||||
# '';
|
||||
# }))
|
||||
#];
|
||||
}
|
@ -14,8 +14,8 @@ with import <stockholm/lib>;
|
||||
];
|
||||
openssh.authorizedKeys.keys = with config.krebs.users; [
|
||||
lass.pubkey
|
||||
lass-uriel.pubkey
|
||||
lass-shodan.pubkey
|
||||
lass-helios.pubkey
|
||||
makefu.pubkey
|
||||
];
|
||||
};
|
||||
|
@ -3,6 +3,6 @@
|
||||
{
|
||||
krebs.build.source.nixpkgs.git = {
|
||||
url = https://github.com/nixos/nixpkgs;
|
||||
ref = "ee52e9809185bdf44452f2913e3f6ef839c15c4e";
|
||||
ref = "ece0cea127f0a8799a6bd3b12c368193491f9058";
|
||||
};
|
||||
}
|
||||
|
@ -175,8 +175,8 @@ let
|
||||
"Syntastic config
|
||||
let g:syntastic_python_checkers=['flake8']
|
||||
|
||||
nmap <esc>q :buffer
|
||||
nmap <M-q> :buffer
|
||||
nmap <esc>q :buffer
|
||||
nmap <M-q> :buffer
|
||||
|
||||
cnoremap <C-A> <Home>
|
||||
|
||||
|
@ -88,6 +88,7 @@ rec {
|
||||
# set max upload size
|
||||
client_max_body_size 10G;
|
||||
fastcgi_buffers 64 4K;
|
||||
fastcgi_read_timeout 120;
|
||||
|
||||
# Disable gzip to avoid the removal of the ETag header
|
||||
gzip off;
|
||||
@ -164,10 +165,11 @@ rec {
|
||||
user = nginx
|
||||
group = nginx
|
||||
pm = dynamic
|
||||
pm.max_children = 5
|
||||
pm.max_children = 32
|
||||
pm.max_requests = 500
|
||||
pm.start_servers = 2
|
||||
pm.min_spare_servers = 1
|
||||
pm.max_spare_servers = 3
|
||||
pm.min_spare_servers = 2
|
||||
pm.max_spare_servers = 5
|
||||
listen.owner = nginx
|
||||
listen.group = nginx
|
||||
php_admin_value[error_log] = 'stderr'
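Review bot: Raising `pm.max_children` to 32 in the second hunk, next to the `fastcgi_read_timeout 120;` line in the first, leaves the PHP side without a matching limit: when nginx stops waiting after 120 seconds the php-fpm worker keeps running, so slow or stalled requests can still hold all 32 children. If the pool does not already set it outside this hunk, I would add `request_terminate_timeout = 120` beside the `pm.*` lines. With `client_max_body_size 10G;` in the same server block it is also worth checking that 32 concurrent workers fit the host's memory; neither the PHP memory limit nor the rest of the pool config is visible here.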
|
||||
|