diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix
index a4a4de6f9..09b493c20 100644
--- a/krebs/3modules/iptables.nix
+++ b/krebs/3modules/iptables.nix
@@ -29,9 +29,10 @@ let
 tables = mkOption {
 type = with types; attrsOf (attrsOf (submodule ({
 options = {
+ #TODO: find out good defaults.
 policy = mkOption {
 type = str;
- default = "-";
+ default = "ACCEPT";
 };
 rules = mkOption {
 type = nullOr (listOf (submodule ({
@@ -133,30 +134,9 @@ let
 
 #=====
 rules = iptables-version:
- let
- #TODO: find out good defaults.
- tables-defaults = {
- nat.PREROUTING.policy = "ACCEPT";
- nat.INPUT.policy = "ACCEPT";
- nat.OUTPUT.policy = "ACCEPT";
- nat.POSTROUTING.policy = "ACCEPT";
- filter.INPUT.policy = "ACCEPT";
- filter.FORWARD.policy = "ACCEPT";
- filter.OUTPUT.policy = "ACCEPT";
-
- #if someone specifies any other rules on this chain, the default rules get lost.
- #is this wanted beahiviour or a bug?
- #TODO: implement abstraction of rules
- filter.INPUT.rules = [
- { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
- ];
- };
- tables = tables-defaults // cfg.tables;
-
- in
- pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
- ${buildTables iptables-version tables}
- '';
+ pkgs.writeText "krebs-iptables-rules${iptables-version}" ''
+ ${buildTables iptables-version cfg.tables}
+ '';
 
 startScript = pkgs.writeDash "krebs-iptables_start" ''
 set -euf
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix
index 742d42bf8..99705cbf1 100644
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@@ -17,7 +17,6 @@ with import ;
 ../2configs/elster.nix
 ../2configs/steam.nix
 ../2configs/wine.nix
- ../2configs/chromium-patched.nix
 ../2configs/git.nix
 ../2configs/skype.nix
 ../2configs/teamviewer.nix
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index 4b05e3296..fbab23500 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
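Review bot: The new `default = "ACCEPT"` in the first hunk applies to every chain submodule under `tables`, including user-defined chains, whereas the old `"-"` is exactly what the iptables-restore policy slot expects for a non-builtin chain (`:CHAIN - [0:0]`); if `buildTables` (not in this diff) writes the policy verbatim, a custom chain would now be emitted as `:CHAIN ACCEPT [0:0]` and iptables-restore would reject the whole ruleset. Keeping `"-"` as the option default and applying ACCEPT only to the builtin nat/filter chains, or stating in the option description that custom chains must set `policy = "-"`, would avoid that. The second hunk also silently drops the former default `filter.INPUT` rule `-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`, so a host that sets `filter.INPUT.policy = "DROP"` must now add that rule itself or lose return traffic; that change deserves a sentence in the `rules` option description. The enclosing `options` attrset and the `rules` function both continue outside the hunks.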
@@ -31,6 +31,7 @@ in {
 
 environment.systemPackages = with pkgs; [
 acpi
+ dic
 dmenu
 gitAndTools.qgit
 lm_sensors
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index 7422abdc8..e7fbccb77 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -36,7 +36,7 @@ in {
 };
 builder_pre = ''
 # prepare grab_repo step for stockholm
- grab_repo = steps.Git(repourl=stockholm_repo, mode='incremental', alwaysUseLatest=True)
+ grab_repo = steps.Git(repourl=stockholm_repo, mode='full')
 
 # TODO: get nixpkgs/stockholm paths from krebs
 env_lass = {
diff --git a/lass/2configs/chromium-patched.nix b/lass/2configs/chromium-patched.nix
deleted file mode 100644
index d9d7760dd..000000000
--- a/lass/2configs/chromium-patched.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ config, pkgs, ... }:
-
-#settings to test:
-#
- #"ForceEphemeralProfiles": true,
-let
- masterPolicy = pkgs.writeText "master.json" ''
- {
- "PasswordManagerEnabled": false,
- "DefaultGeolocationSetting": 2,
- "RestoreOnStartup": 1,
- "AutoFillEnabled": false,
- "BackgroundModeEnabled": false,
- "DefaultBrowserSettingEnabled": false,
- "SafeBrowsingEnabled": false,
- "ExtensionInstallForcelist": [
- "cjpalhdlnbpafiamejdnhcphjbkeiagm;https://clients2.google.com/service/update2/crx",
- "ihlenndgcmojhcghmfjfneahoeklbjjh;https://clients2.google.com/service/update2/crx"
- ]
- }
- '';
-
- master_preferences = pkgs.writeText "master_preferences" ''
- {
- "browser": {
- "custom_chrome_frame": true
- },
-
- "extensions": {
- "theme": {
- "id": "",
- "use_system": true
- }
- }
- }
- '';
-in {
- environment.etc."chromium/policies/managed/master.json".source = pkgs.lib.mkForce masterPolicy;
-
- #environment.systemPackages = [
- # #pkgs.chromium
- # (pkgs.lib.overrideDerivation pkgs.chromium (attrs: {
- # buildCommand = attrs.buildCommand + ''
- # touch $out/TEST123
- # '';
- # }))
- #];
-}
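Review bot: The buildbot-standalone hunk drops `alwaysUseLatest=True` together with the switch to `mode='full'`, and those are independent knobs: the mode controls how the checkout is refreshed, while `alwaysUseLatest` controls whether the step ignores the build's sourcestamp revision and checks out the branch head. If this builder is driven by change-triggered schedulers, it now builds the change's revision instead of HEAD, which may be intended but is not said anywhere; a one-line comment such as `# full checkout of the build's own revision (no alwaysUseLatest)` above `grab_repo` would record it. The `builder_pre` string continues outside the hunk.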
diff --git a/lass/2configs/downloading.nix b/lass/2configs/downloading.nix
index 79a609e2b..ca0aded78 100644
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@@ -14,8 +14,8 @@ with import ;
 ];
 openssh.authorizedKeys.keys = with config.krebs.users; [
 lass.pubkey
- lass-uriel.pubkey
 lass-shodan.pubkey
+ lass-helios.pubkey
 makefu.pubkey
 ];
 };
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index caca98746..be54d120a 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
 {
 krebs.build.source.nixpkgs.git = {
 url = https://github.com/nixos/nixpkgs;
- ref = "ee52e9809185bdf44452f2913e3f6ef839c15c4e";
+ ref = "ece0cea127f0a8799a6bd3b12c368193491f9058";
 };
 }
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index aac2b96d4..bfaae24c8 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -175,8 +175,8 @@ let
 "Syntastic config
 let g:syntastic_python_checkers=['flake8']
- nmap q :buffer
- nmap :buffer
+ nmap q :buffer
+ nmap :buffer
 cnoremap
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 3356fe9a8..0b2a6faac 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -88,6 +88,7 @@ rec {
 # set max upload size
 client_max_body_size 10G;
 fastcgi_buffers 64 4K;
+ fastcgi_read_timeout 120;
 
 # Disable gzip to avoid the removal of the ETag header
 gzip off;
@@ -164,10 +165,11 @@ rec {
 user = nginx
 group = nginx
 pm = dynamic
- pm.max_children = 5
+ pm.max_children = 32
+ pm.max_requests = 500
 pm.start_servers = 2
- pm.min_spare_servers = 1
- pm.max_spare_servers = 3
+ pm.min_spare_servers = 2
+ pm.max_spare_servers = 5
 listen.owner = nginx
 listen.group = nginx
 php_admin_value[error_log] = 'stderr'
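Review bot: In the util.nix pool hunk, `pm.max_children = 32` raises the pool's worst-case memory footprint more than six-fold, but the only `php_admin_value` visible in this block is `error_log`, so the per-worker ceiling is whatever `memory_limit` php.ini supplies; if that is left at the interpreter default, a request burst can drive the pool into the host's OOM killer rather than into a queue. Pinning the per-worker limit next to it, e.g. `php_admin_value[memory_limit] = 128M`, with a comment tying 32 to the host's RAM, makes the capacity decision explicit. `pm.max_requests = 500` is a sensible addition for recycling leaky workers. In the first util.nix hunk, `fastcgi_read_timeout 120;` bounds how long nginx waits for the PHP response, so any PHP request whose server-side handling exceeds 120 s (post-processing a multi-GB upload allowed by `client_max_body_size 10G`, for instance) now ends in a 504, which is worth a comment stating the intended ceiling. The pool block continues outside the hunk.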