From d9cc50653d0c7998052284cfb66b2229e0ce849b Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 30 Jun 2017 22:36:25 +0200 Subject: [PATCH 01/12] ma gen-oath-safe: init --- makefu/5pkgs/gen-oath-safe/default.nix | 37 ++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 makefu/5pkgs/gen-oath-safe/default.nix diff --git a/makefu/5pkgs/gen-oath-safe/default.nix b/makefu/5pkgs/gen-oath-safe/default.nix new file mode 100644 index 000000000..245e65174 --- /dev/null +++ b/makefu/5pkgs/gen-oath-safe/default.nix @@ -0,0 +1,37 @@ +{ coreutils, makeWrapper, openssl, libcaca, qrencode, fetchFromGitHub, yubikey-manager, python, stdenv, ... }: + +stdenv.mkDerivation { + name = "geno-oath-safe-2017-06-30"; + src = fetchFromGitHub { + owner = "mcepl"; + repo = "gen-oath-safe"; + rev = "fb53841"; + sha256 = "0018kqmhg0861r5xkbis2a1rx49gyn0dxcyj05wap5ms7zz69m0m"; + }; + + phases = [ + "unpackPhase" + "installPhase" + "fixupPhase" + ]; + + buildInputs = [ makeWrapper ]; + + installPhase = + let + path = stdenv.lib.makeBinPath [ + coreutils + openssl + qrencode + yubikey-manager + libcaca + python + ]; + in + '' + mkdir -p $out/bin + cp gen-oath-safe $out/bin/ + wrapProgram $out/bin/gen-oath-safe \ + --prefix PATH : ${path} + ''; +} From 7cd2ff2679b688e8fa0c98bc9ecf1d99602c0421 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 30 Jun 2017 23:49:05 +0200 Subject: [PATCH 02/12] ma 2fa: init and enable for gum --- makefu/1systems/gum.nix | 3 +++ makefu/2configs/sshd-totp.nix | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 makefu/2configs/sshd-totp.nix diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 519313f57..6e57d1404 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -26,6 +26,9 @@ in { ../2configs/tinc/retiolum.nix ../2configs/urlwatch.nix + # Security + ../2configs/sshd-totp.nix + # Tools ../2configs/tools/core.nix ../2configs/tools/dev.nix 
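Review bot: The derivation's `name` is misspelled — `geno-oath-safe-2017-06-30` — and that string is what ends up in the store path and in `nix-env -q` output, so it should read `name = "gen-oath-safe-2017-06-30";`. `rev = "fb53841"` is a 7-character abbreviation; the `sha256` still pins the exact content so this is not a supply-chain gap, but short revs can become ambiguous as the upstream repository grows and the fetch would then fail, so the full 40-character commit hash is the safer pin. `makeWrapper` is a build-time tool and belongs in `nativeBuildInputs` rather than `buildInputs`. Since this script is what will generate the TOTP seeds for the sshd second factor added in the following patch, a one-line header comment saying so (and that `installPhase` copies the upstream script unmodified, only wrapping PATH) would help the next reader.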
diff --git a/makefu/2configs/sshd-totp.nix b/makefu/2configs/sshd-totp.nix new file mode 100644 index 000000000..f9984e245 --- /dev/null +++ b/makefu/2configs/sshd-totp.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +# Enables second factor for ssh password login + +## Usage: +# gen-oath-safe totp +## scan the qrcode with google authenticator (or FreeOTP) +## copy last line into secrets//users.oath (chmod 700) +{ + security.pam.oath = { + # enabling it will make it a requisite of `all` services + # enable = true; + digits = 6; + # TODO assert existing + usersFile = (toString ) + "/users.oath"; + }; + # I want TFA only active for sshd with password-auth + security.pam.services.sshd.oathAuth = true; +} From 09e31fb8a27d1f9f7acfc1f40f0b2ae598a22e34 Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 1 Jul 2017 01:10:31 +0200 Subject: [PATCH 03/12] ma lancache: retab --- makefu/2configs/lanparty/lancache.nix | 59 ++++++++++++++------------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/makefu/2configs/lanparty/lancache.nix b/makefu/2configs/lanparty/lancache.nix index ff5b0d788..3df2e3f59 100644 --- a/makefu/2configs/lanparty/lancache.nix +++ b/makefu/2configs/lanparty/lancache.nix 
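Review bot: The usage comment tells the operator to `chmod 700` users.oath, but a file holding every user's TOTP seed in hex should be root-owned with mode 0600 — the execute bit means nothing on a file and 700 reads like a typo for 600; I'd change the line to `## copy last line into the secrets dir as users.oath (root:root, mode 0600)`. The `usersFile` expression appears garbled on this page (presumably `toString` applied to a `secrets` search-path that lost its angle brackets) and the `# TODO assert existing` is left open: once `oathAuth` is on, a host that imports this module without that file will, as far as I know, refuse every login that reaches the PAM auth stack, so an assertion on the path is worth adding before more hosts pull this in. Two caveats belong in the header comment: pam_oath rewrites the usersfile to record the last accepted OTP for replay protection, so it must be on a writable path rather than in the Nix store, and users not listed in it are refused password login altogether. Finally, the TOTP prompt only reaches the client via keyboard-interactive (PAM conversation) authentication — with plain `password` auth sshd feeds the password to the first PAM prompt — so confirm challenge-response authentication stays enabled on these hosts or the second factor is silently unusable.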
@@ -36,38 +36,39 @@ let }; in { systemd.services.nginx-lancache = { - description = "Nginx lancache Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - restartIfChanged = true; + description = "Nginx lancache Server"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + restartIfChanged = true; - preStart = '' - mkdir -p ${cfg.statedir} && cd ${cfg.statedir} - PATH_CACHE=$PATH_BASE/cache - PATH_LOGS=$PATH_BASE/logs + preStart = '' + mkdir -p ${cfg.statedir} && cd ${cfg.statedir} + PATH_CACHE=$PATH_BASE/cache + PATH_LOGS=$PATH_BASE/logs - mkdir -p cache/{installers,tmp} logs - rm -f conf; ln -s ${lancache} conf - chown -R ${cfg.user}:${cfg.group} . - ''; - serviceConfig = { - ExecStart = "${cfg.package}/bin/nginx -p ${cfg.statedir}"; - ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; - Restart = "always"; - RestartSec = "10s"; - StartLimitInterval = "1min"; - }; + mkdir -p cache/{installers,tmp} logs + rm -f conf; ln -s ${lancache} conf + chown -R ${cfg.user}:${cfg.group} . + ''; + serviceConfig = { + ExecStart = "${cfg.package}/bin/nginx -p ${cfg.statedir}"; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Restart = "always"; + RestartSec = "10s"; + StartLimitInterval = "1min"; }; - environment.etc.nginx.source = lancache; - users.extraUsers = (singleton - { name = cfg.user; - group = cfg.group; - uid = genid cfg.group; - }); + }; - users.extraGroups = (singleton - { name = "${cfg.group}"; - gid = genid cfg.group; - }); + environment.etc.nginx.source = lancache; + users.extraUsers = (singleton + { name = cfg.user; + group = cfg.group; + uid = genid cfg.group; + }); + users.extraGroups = (singleton + { name = "${cfg.group}"; + gid = genid cfg.group; + }); + networking.firewall.allowedTCPPorts = [ 80 443 ]; } From 4d9d70c6cc7c47cf62a83e838d70134c33594065 Mon Sep 17 00:00:00 2001 
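Review bot: The final added line, `networking.firewall.allowedTCPPorts = [ 80 443 ];`, is a behavioural change hidden in a commit described as a retab — the diffstat's 30 insertions against 29 deletions is the tell — and it opens the lancache nginx on every interface, not only the LAN-party network. It should be its own commit with its own message, and for a LAN cache I'd scope it to the LAN interface (`networking.firewall.interfaces.<itf>.allowedTCPPorts` where the NixOS release supports it, otherwise an interface-keyed `extraCommands` rule) plus a comment stating why 443 is needed. The whitespace-only part of the hunk is fine.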
From: makefu Date: Sat, 1 Jul 2017 01:11:31 +0200 Subject: [PATCH 04/12] ma: add gen-oath-safe to dev tools --- makefu/2configs/tools/dev.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/makefu/2configs/tools/dev.nix b/makefu/2configs/tools/dev.nix index e40f5b36f..42006eb22 100644 --- a/makefu/2configs/tools/dev.nix +++ b/makefu/2configs/tools/dev.nix @@ -14,5 +14,6 @@ ovh-zone whatsupnix brain + gen-oath-safe ]; } From d95039620550368bcee37f74d9828db97d38722f Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 1 Jul 2017 01:12:52 +0200 Subject: [PATCH 05/12] ma vbob: enable totp --- makefu/1systems/vbob.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index b79ec64c0..d8e275bf6 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -8,6 +8,7 @@ (toString ) (toString ) ../2configs/main-laptop.nix #< base-gui + ../2configs/sshd-totp.nix # Tools ../2configs/tools/core.nix From 38a9f8f6d51bbaa83c7bbd50525844a3039f53fc Mon Sep 17 00:00:00 2001 From: makefu Date: Sat, 1 Jul 2017 01:13:28 +0200 Subject: [PATCH 06/12] ma x.r: enable 2fa for sshd --- makefu/1systems/x.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/makefu/1systems/x.nix b/makefu/1systems/x.nix index b37c32944..235862e85 100644 --- a/makefu/1systems/x.nix +++ b/makefu/1systems/x.nix @@ -19,6 +19,8 @@ with import ; # ../2configs/disable_v6.nix # Testing + # ../2configs/lanparty/lancache.nix + # ../2configs/lanparty/lancache-dns.nix # ../2configs/deployment/dirctator.nix # ../2configs/vncserver.nix # ../2configs/deployment/led-fader @@ -58,6 +60,9 @@ with import ; # Filesystem ../2configs/fs/sda-crypto-root-home.nix + # Security + ../2configs/sshd-totp.nix + ]; makefu.server.primary-itf = "wlp3s0"; From 01a4ed89c72af0beefd2ba4bcd894017002720ff Mon Sep 17 00:00:00 2001 
From: makefu Date: Sun, 2 Jul 2017 12:41:14 +0200 Subject: [PATCH 07/12] gum.r: provide iodine endpoint gum now runs io.krebsco.de (was configured before but not exposed via the DNS zone file) --- krebs/3modules/makefu/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 4c0ce0fe3..c517ac1d8 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -308,7 +308,6 @@ with import ; extraZones = { "krebsco.de" = '' wry IN A ${nets.internet.ip4.addr} - io IN NS wry.krebsco.de. tinc IN A ${nets.internet.ip4.addr} ''; }; @@ -470,6 +469,7 @@ with import ; wiki.euer IN A ${nets.internet.ip4.addr} graph IN A ${nets.internet.ip4.addr} ghook IN A ${nets.internet.ip4.addr} + io IN NS gum.krebsco.de. ''; }; nets = rec { From c36d644059049dba69cf4e5a072f2c5b4c6f5856 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 2 Jul 2017 21:06:04 +0200 Subject: [PATCH 08/12] urlwatch: set dataDir to home of urlwatch user otherwise /var/empty will be used which then will clash with exim which tries to create Maildir in this folder explicitly setting the home directory in users also avoids the usage of execstartpre in favor of createHome --- krebs/3modules/urlwatch.nix | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index c06e5ddb1..380e30ae3 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -142,17 +142,6 @@ let PrivateTmp = "true"; SyslogIdentifier = "urlwatch"; Type = "oneshot"; - ExecStartPre = - pkgs.writeDash "urlwatch-prestart" '' - set -euf - - dataDir=$HOME - - if ! test -e "$dataDir"; then - mkdir -m 0700 -p "$dataDir" - chown ${user.name}: "$dataDir" - fi - ''; ExecStart = pkgs.writeDash "urlwatch" '' set -euf 
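Review bot: Delegating `io` to `gum.krebsco.de.` makes gum an in-bailiwick name server, so the zone needs a matching `gum IN A …` glue record; it is not in this hunk, so confirm it exists elsewhere in the same `"krebsco.de"` extraZones block or the delegation resolves to nothing. Dropping `io IN NS wry.krebsco.de.` is correct only if wry no longer answers for that name; worth a check before the old record disappears from the zone. Since this publicly exposes an iodine DNS-tunnel endpoint (per the commit message), a comment beside the record noting that gum's firewall must pass UDP 53 and that the iodine server is password-protected would save the next reader a search.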
@@ -185,6 +174,8 @@ let }; users.extraUsers = singleton { inherit (user) name uid; + home = cfg.dataDir; + createHome = true; }; }; From b4bcf2b0a4dd5fbc69a4b539b32f82fb3eccc4a2 Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 2 Jul 2017 23:06:36 +0200 Subject: [PATCH 09/12] ma urlwatch: use hook for json api --- .../2configs/{urlwatch.nix => urlwatch/default.nix} | 8 ++++++++ makefu/2configs/urlwatch/hook.py | 12 ++++++++++++ 2 files changed, 20 insertions(+) rename makefu/2configs/{urlwatch.nix => urlwatch/default.nix} (73%) create mode 100644 makefu/2configs/urlwatch/hook.py diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch/default.nix similarity index 73% rename from makefu/2configs/urlwatch.nix rename to makefu/2configs/urlwatch/default.nix index 9493b2b7b..54c8ee924 100644 --- a/makefu/2configs/urlwatch.nix +++ b/makefu/2configs/urlwatch/default.nix @@ -5,6 +5,7 @@ enable = true; mailto = config.krebs.users.makefu.mail; onCalendar = "*-*-* 05:00:00"; + hooksFile = ./hook.py; urls = [ ## nixpkgs maintenance https://api.github.com/repos/ovh/python-ovh/tags @@ -12,6 +13,7 @@ https://api.github.com/repos/Mic92/vicious/tags https://pypi.python.org/simple/bepasty/ https://pypi.python.org/simple/xstatic/ + https://pypi.python.org/simple/devpi-client/ http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/ http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/ https://github.com/amadvance/snapraid/releases.atom @@ -21,6 +23,12 @@ https://api.github.com/repos/dorimanx/exfat-nofuse/tags https://api.github.com/repos/radare/radare2/tags https://api.github.com/repos/rapid7/metasploit-framework/tags + https://api.github.com/repos/mcepl/gen-oath-safe/commits + https://api.github.com/repos/naim94a/udpt/commits + https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack + https://api.github.com/repos/dirkvdb/ps3netsrv--/commits + # TODO: dymo cups + ]; }; } 
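Review bot: The removed prestart guaranteed the data directory with an explicit `mkdir -m 0700`; `createHome = true` delegates that to NixOS user activation, which as far as I recall also creates a missing home with mode 0700 and chowns it, but does nothing to a directory that already exists with looser permissions, and urlwatch's cache database now lives there. A comment on the two new lines would make the intent explicit: `# dataDir doubles as HOME so exim's Maildir and urlwatch's cache share one 0700 dir owned by the service user; created by user activation, not by the unit`. If `cfg.dataDir` may point at a pre-existing path, keep a `chmod 0700` somewhere (a tmpfiles rule, for instance) rather than relying on creation-time defaults.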
diff --git a/makefu/2configs/urlwatch/hook.py b/makefu/2configs/urlwatch/hook.py new file mode 100644 index 000000000..fc598423f --- /dev/null +++ b/makefu/2configs/urlwatch/hook.py @@ -0,0 +1,12 @@ +import logging +logging.basicConfig(level=logging.INFO) +log = logging.getLogger() +# log.setLevel(level=logging.INFO) +def filter(url, data): + log.info("handling url '{}'".format(url)) + if "api.github.com" in url: + import json + log.info("url is a github api link, assuming json") + return json.dumps(json.loads(data),indent=2) + + return data From 5c26d65ae48aa73c8a738e4ef22dcb3ad6daa00d Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 2 Jul 2017 23:08:09 +0200 Subject: [PATCH 10/12] urlwatch: filter _module with kv before this commit { url= ...; filter=... } didn't work because the result contained _module --- krebs/3modules/urlwatch.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/krebs/3modules/urlwatch.nix b/krebs/3modules/urlwatch.nix index 380e30ae3..463fa26ba 100644 --- a/krebs/3modules/urlwatch.nix +++ b/krebs/3modules/urlwatch.nix @@ -60,6 +60,7 @@ let description = "URL to watch."; example = [ https://nixos.org/channels/nixos-unstable/git-revision + { url = http://localhost ; filter = "grep:important.*stuff"; } ]; apply = map (x: getAttr (typeOf x) { set = x; @@ -79,7 +80,8 @@ let }; urlsFile = pkgs.writeText "urls" - (concatMapStringsSep "\n---\n" toJSON cfg.urls); + (concatMapStringsSep "\n---\n" + (x: toJSON (filterAttrs (n: v: n != "_module") x)) cfg.urls); hooksFile = cfg.hooksFile; From 2eb910183a92bd6e8d3796d821c783d878ae956b Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 2 Jul 2017 23:09:12 +0200 Subject: [PATCH 11/12] ma urlwatch: refactor --- makefu/2configs/urlwatch/default.nix | 36 ++++++++++++++++++---------- makefu/2configs/urlwatch/hook.py | 20 +++++++++------- 2 files changed, 35 insertions(+), 21 deletions(-) 
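Review bot: `json.loads(data)` in the api.github.com branch raises `ValueError` on any non-JSON body — an HTML error page from a proxy, an empty response — and nothing catches it, so a transient upstream hiccup becomes a hook exception rather than a diff; I can't see from this hunk how urlwatch surfaces hook exceptions, but passing the body through unchanged on parse failure is the safer default. The host check `"api.github.com" in url` is a substring test that also matches that string anywhere in the path or query; `url.startswith("https://api.github.com/")` says what is meant without an import. Moving `import json` to module level and using `%s` log arguments instead of `.format` are minor style points.
```python
def filter(url, data):
    log.info("handling url '%s'", url)
    if not url.startswith("https://api.github.com/"):
        return data
    log.info("url is a github api link, assuming json")
    try:
        return json.dumps(json.loads(data), indent=2)
    except ValueError:
        log.warning("non-JSON body from '%s'; passing through unchanged", url)
        return data
```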
diff --git a/makefu/2configs/urlwatch/default.nix b/makefu/2configs/urlwatch/default.nix index 54c8ee924..f17bcdc3a 100644 --- a/makefu/2configs/urlwatch/default.nix +++ b/makefu/2configs/urlwatch/default.nix 
@@ -8,27 +8,37 @@ hooksFile = ./hook.py; urls = [ ## nixpkgs maintenance - https://api.github.com/repos/ovh/python-ovh/tags - https://api.github.com/repos/embray/d2to1/tags - https://api.github.com/repos/Mic92/vicious/tags + # github + ## No rate limit + https://github.com/amadvance/snapraid/releases.atom + https://github.com/radare/radare2/releases.atom + https://github.com/ovh/python-ovh/releases.atom + https://github.com/embray/d2to1/releases.atom + https://github.com/Mic92/vicious/releases.atom + https://github.com/embray/d2to1/releases.atom + https://github.com/dorimanx/exfat-nofuse/releases.atom + https://github.com/rapid7/metasploit-framework/releases.atom + ## rate limited + # https://api.github.com/repos/dorimanx/exfat-nofuse/commits + # https://api.github.com/repos/mcepl/gen-oath-safe/commits + https://api.github.com/repos/naim94a/udpt/commits + https://api.github.com/repos/dirkvdb/ps3netsrv--/commits + + # pypi https://pypi.python.org/simple/bepasty/ https://pypi.python.org/simple/xstatic/ https://pypi.python.org/simple/devpi-client/ + # weird shit http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/ http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/ - https://github.com/amadvance/snapraid/releases.atom https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack - https://api.github.com/repos/embray/d2to1/tags - https://api.github.com/repos/dorimanx/exfat-nofuse/commits - https://api.github.com/repos/dorimanx/exfat-nofuse/tags - https://api.github.com/repos/radare/radare2/tags - https://api.github.com/repos/rapid7/metasploit-framework/tags - https://api.github.com/repos/mcepl/gen-oath-safe/commits - https://api.github.com/repos/naim94a/udpt/commits https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack - https://api.github.com/repos/dirkvdb/ps3netsrv--/commits - # TODO: dymo cups + { + url = 
https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ; + filter = "grep:Software/Linux/dymo-cups-drivers"; + } + # TODO: dymo cups ]; }; } diff --git a/makefu/2configs/urlwatch/hook.py b/makefu/2configs/urlwatch/hook.py index fc598423f..7d9282c7e 100644 --- a/makefu/2configs/urlwatch/hook.py +++ b/makefu/2configs/urlwatch/hook.py @@ -1,12 +1,16 @@ import logging logging.basicConfig(level=logging.INFO) log = logging.getLogger() -# log.setLevel(level=logging.INFO) -def filter(url, data): - log.info("handling url '{}'".format(url)) - if "api.github.com" in url: - import json - log.info("url is a github api link, assuming json") - return json.dumps(json.loads(data),indent=2) +log.setLevel(level=logging.INFO) - return data +import re +import json + +from urlwatch import filters + + +class JsonFilter(filters.RegexMatchFilter): + MATCH = {'url': re.compile('https?://api.github.com/.*')} + + def filter(self, data): + return json.dumps(json.loads(data),indent=2,sort_keys=True) From 5f3bece0d647f65c2354ae0944a50d775a3b488e Mon Sep 17 00:00:00 2001 From: makefu Date: Sun, 2 Jul 2017 23:09:30 +0200 Subject: [PATCH 12/12] ma gum: use urlwatch folder --- makefu/1systems/gum.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 6e57d1404..51761d3fd 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -24,7 +24,7 @@ in { # ../2configs/disable_v6.nix ../2configs/exim-retiolum.nix ../2configs/tinc/retiolum.nix - ../2configs/urlwatch.nix + ../2configs/urlwatch # Security ../2configs/sshd-totp.nix
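Review bot: `https://github.com/embray/d2to1/releases.atom` appears twice in the new github block, so urlwatch will fetch and report it twice; drop the second occurrence. The `# TODO: dymo cups` marker is left directly under the dymo entry that resolves it and should go as well. The dymo job's `url = https://…&pn=1 ;` relies on Nix's bare URI-literal syntax, which is easy to break with a character outside its allowed set; quoting it as a string, `url = "https://newellrubbermaid.secure.force.com/…&pn=1";`, is more robust.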
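Review bot: `MATCH`'s pattern `https?://api.github.com/.*` leaves the dots unescaped and carries no anchor, so as a regex it also matches e.g. `api-github-com/`; the job URLs here are operator-controlled so this is not exploitable, but `re.compile(r'^https://api\.github\.com/')` states the intent, and the trailing `.*` is redundant whether RegexMatchFilter uses `match` or `search` (not visible from here). `json.loads(data)` still has no handling for a non-JSON body, so an unexpected HTML error page will raise out of `filter`; a `try/except ValueError` that logs and returns `data` unchanged keeps one bad fetch from breaking the job. `log.setLevel(level=logging.INFO)` right after `basicConfig(level=logging.INFO)` is redundant and can be dropped.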