Merge remote-tracking branch 'gum/master'

This commit is contained in:
lassulus 2017-07-03 00:02:34 +02:00
commit c30e1fbc74
12 changed files with 163 additions and 70 deletions


@ -308,7 +308,6 @@ with import <stockholm/lib>;
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
wry IN A ${nets.internet.ip4.addr} wry IN A ${nets.internet.ip4.addr}
io IN NS wry.krebsco.de.
tinc IN A ${nets.internet.ip4.addr} tinc IN A ${nets.internet.ip4.addr}
''; '';
}; };
@ -470,6 +469,7 @@ with import <stockholm/lib>;
wiki.euer IN A ${nets.internet.ip4.addr} wiki.euer IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr} graph IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr} ghook IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
''; '';
}; };
nets = rec { nets = rec {
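Review bot: The `io` delegation now points at gum.krebsco.de (second hunk) while the wry record is dropped (first hunk), but nothing on this page shows gum serving an authoritative io.krebsco.de zone, so the delegation is lame until that side is deployed; the zone data presumably lives elsewhere in the repo, confirm it moved together with this record. Because gum.krebsco.de is itself a name inside the parent zone, no in-zone glue is needed, but a comment next to the record would save the next reader the lookup: `# io.krebsco.de is delegated to gum; the io zone itself is served from gum's config`. Both hunks are excerpts of an attribute set that starts and ends outside this page.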


@ -60,6 +60,7 @@ let
description = "URL to watch."; description = "URL to watch.";
example = [ example = [
https://nixos.org/channels/nixos-unstable/git-revision https://nixos.org/channels/nixos-unstable/git-revision
{ url = http://localhost ; filter = "grep:important.*stuff"; }
]; ];
apply = map (x: getAttr (typeOf x) { apply = map (x: getAttr (typeOf x) {
set = x; set = x;
@ -79,7 +80,8 @@ let
}; };
urlsFile = pkgs.writeText "urls" urlsFile = pkgs.writeText "urls"
(concatMapStringsSep "\n---\n" toJSON cfg.urls); (concatMapStringsSep "\n---\n"
(x: toJSON (filterAttrs (n: v: n != "_module") x)) cfg.urls);
hooksFile = cfg.hooksFile; hooksFile = cfg.hooksFile;
@ -142,17 +144,6 @@ let
PrivateTmp = "true"; PrivateTmp = "true";
SyslogIdentifier = "urlwatch"; SyslogIdentifier = "urlwatch";
Type = "oneshot"; Type = "oneshot";
ExecStartPre =
pkgs.writeDash "urlwatch-prestart" ''
set -euf
dataDir=$HOME
if ! test -e "$dataDir"; then
mkdir -m 0700 -p "$dataDir"
chown ${user.name}: "$dataDir"
fi
'';
ExecStart = pkgs.writeDash "urlwatch" '' ExecStart = pkgs.writeDash "urlwatch" ''
set -euf set -euf
@ -185,6 +176,8 @@ let
}; };
users.extraUsers = singleton { users.extraUsers = singleton {
inherit (user) name uid; inherit (user) name uid;
home = cfg.dataDir;
createHome = true;
}; };
}; };
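Review bot: Dropping the `urlwatch-prestart` step removes the explicit `mkdir -m 0700` on the data directory, and the replacement `createHome = true` leaves the directory mode to NixOS user activation; I believe that also creates homes as 0700, but it is worth confirming, because this directory holds urlwatch's cache database and the job URLs elsewhere on this page embed credentials. A one-line comment next to `createHome = true;` would record the intent, e.g. `# data dir (cache db) is created as the user's home by activation; must stay private (was mkdir -m 0700 in ExecStartPre)`. Note that `home = cfg.dataDir` also means a later change of `dataDir` yields a fresh empty directory rather than moving existing state. The `_module` filtering in `urlsFile` is needed because submodule values carry that attribute; a short comment there, `# strip the submodule bookkeeping attr before serialising`, would help too. The enclosing `let` block starts outside this page.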


@ -24,7 +24,10 @@ in {
# ../2configs/disable_v6.nix # ../2configs/disable_v6.nix
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/tinc/retiolum.nix ../2configs/tinc/retiolum.nix
../2configs/urlwatch.nix ../2configs/urlwatch
# Security
../2configs/sshd-totp.nix
# Tools # Tools
../2configs/tools/core.nix ../2configs/tools/core.nix


@ -8,6 +8,7 @@
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>) (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>) (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
../2configs/main-laptop.nix #< base-gui ../2configs/main-laptop.nix #< base-gui
../2configs/sshd-totp.nix
# Tools # Tools
../2configs/tools/core.nix ../2configs/tools/core.nix


@ -19,6 +19,8 @@ with import <stockholm/lib>;
# ../2configs/disable_v6.nix # ../2configs/disable_v6.nix
# Testing # Testing
# ../2configs/lanparty/lancache.nix
# ../2configs/lanparty/lancache-dns.nix
# ../2configs/deployment/dirctator.nix # ../2configs/deployment/dirctator.nix
# ../2configs/vncserver.nix # ../2configs/vncserver.nix
# ../2configs/deployment/led-fader # ../2configs/deployment/led-fader
@ -58,6 +60,9 @@ with import <stockholm/lib>;
# Filesystem # Filesystem
../2configs/fs/sda-crypto-root-home.nix ../2configs/fs/sda-crypto-root-home.nix
# Security
../2configs/sshd-totp.nix
]; ];
makefu.server.primary-itf = "wlp3s0"; makefu.server.primary-itf = "wlp3s0";


@ -36,38 +36,39 @@ let
}; };
in { in {
systemd.services.nginx-lancache = { systemd.services.nginx-lancache = {
description = "Nginx lancache Server"; description = "Nginx lancache Server";
after = [ "network.target" ]; after = [ "network.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
restartIfChanged = true; restartIfChanged = true;
preStart = '' preStart = ''
mkdir -p ${cfg.statedir} && cd ${cfg.statedir} mkdir -p ${cfg.statedir} && cd ${cfg.statedir}
PATH_CACHE=$PATH_BASE/cache PATH_CACHE=$PATH_BASE/cache
PATH_LOGS=$PATH_BASE/logs PATH_LOGS=$PATH_BASE/logs
mkdir -p cache/{installers,tmp} logs mkdir -p cache/{installers,tmp} logs
rm -f conf; ln -s ${lancache} conf rm -f conf; ln -s ${lancache} conf
chown -R ${cfg.user}:${cfg.group} . chown -R ${cfg.user}:${cfg.group} .
''; '';
serviceConfig = { serviceConfig = {
ExecStart = "${cfg.package}/bin/nginx -p ${cfg.statedir}"; ExecStart = "${cfg.package}/bin/nginx -p ${cfg.statedir}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always"; Restart = "always";
RestartSec = "10s"; RestartSec = "10s";
StartLimitInterval = "1min"; StartLimitInterval = "1min";
};
}; };
environment.etc.nginx.source = lancache; };
users.extraUsers = (singleton
{ name = cfg.user;
group = cfg.group;
uid = genid cfg.group;
});
users.extraGroups = (singleton environment.etc.nginx.source = lancache;
{ name = "${cfg.group}"; users.extraUsers = (singleton
gid = genid cfg.group; { name = cfg.user;
}); group = cfg.group;
uid = genid cfg.group;
});
users.extraGroups = (singleton
{ name = "${cfg.group}";
gid = genid cfg.group;
});
networking.firewall.allowedTCPPorts = [ 80 443 ];
} }
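Review bot: The new `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens both ports on every interface unconditionally whenever this module is imported, and the hunk shows no `enable` option or `mkIf` guarding it; a cache named lancache is presumably LAN-only and has no reason to be reachable from an upstream interface. Prefer scoping the rule, e.g. `networking.firewall.interfaces.<lan-interface>.allowedTCPPorts = [ 80 443 ];` bound to an interface option the module defines (none is visible in this hunk), or at least gate it on an enable flag. The rest of the hunk is re-indentation of the existing service definition; the `let` bindings and any option declarations start outside this page.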


@ -0,0 +1,18 @@
{ pkgs, ... }:
# Enables second factor for ssh password login
## Usage:
# gen-oath-safe <username> totp
## scan the qrcode with google authenticator (or FreeOTP)
## copy last line into secrets/<host>/users.oath (chmod 700)
{
security.pam.oath = {
# enabling it will make it a requisite of `all` services
# enable = true;
digits = 6;
# TODO assert existing
usersFile = (toString <secrets>) + "/users.oath";
};
# I want TFA only active for sshd with password-auth
security.pam.services.sshd.oathAuth = true;
}
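Review bot: The usage comment says `chmod 700` for `users.oath`, but it is a data file that pam_oath reads and, as far as I recall, rewrites for replay protection, so the right mode is `chmod 600` and root ownership, not an executable bit: `## copy last line into secrets/<host>/users.oath (chmod 600, owned by root)`. Since `oathAuth` inserts pam_oath into sshd's PAM auth stack, it only affects PAM-driven logins — public-key logins bypass it, which matches the stated intent — but the OTP prompt can only be delivered through keyboard-interactive/challenge-response, so a plain password exchange cannot answer it; confirm `services.openssh.challengeResponseAuthentication` is on for the hosts that import this. The `TODO assert existing` should be resolved with an `assertions` entry: if NixOS wires pam_oath as a required/requisite module (I cannot see that here), a missing file should fail closed and lock out password login rather than silently skip the second factor, and a build-time assertion turns that into an error instead of a locked-out host.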


@ -14,5 +14,6 @@
ovh-zone ovh-zone
whatsupnix whatsupnix
brain brain
gen-oath-safe
]; ];
} }


@ -1,27 +0,0 @@
{ config, lib, ... }:
{
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.makefu.mail;
onCalendar = "*-*-* 05:00:00";
urls = [
## nixpkgs maintenance
https://api.github.com/repos/ovh/python-ovh/tags
https://api.github.com/repos/embray/d2to1/tags
https://api.github.com/repos/Mic92/vicious/tags
https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
https://github.com/amadvance/snapraid/releases.atom
https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
https://api.github.com/repos/embray/d2to1/tags
https://api.github.com/repos/dorimanx/exfat-nofuse/commits
https://api.github.com/repos/dorimanx/exfat-nofuse/tags
https://api.github.com/repos/radare/radare2/tags
https://api.github.com/repos/rapid7/metasploit-framework/tags
];
};
}


@ -0,0 +1,45 @@
{ config, lib, ... }:
{
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.makefu.mail;
onCalendar = "*-*-* 05:00:00";
hooksFile = ./hook.py;
urls = [
## nixpkgs maintenance
# github
## No rate limit
https://github.com/amadvance/snapraid/releases.atom
https://github.com/radare/radare2/releases.atom
https://github.com/ovh/python-ovh/releases.atom
https://github.com/embray/d2to1/releases.atom
https://github.com/Mic92/vicious/releases.atom
https://github.com/embray/d2to1/releases.atom
https://github.com/dorimanx/exfat-nofuse/releases.atom
https://github.com/rapid7/metasploit-framework/releases.atom
## rate limited
# https://api.github.com/repos/dorimanx/exfat-nofuse/commits
# https://api.github.com/repos/mcepl/gen-oath-safe/commits
https://api.github.com/repos/naim94a/udpt/commits
https://api.github.com/repos/dirkvdb/ps3netsrv--/commits
# pypi
https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/
https://pypi.python.org/simple/devpi-client/
# weird shit
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
{
url = https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ;
filter = "grep:Software/Linux/dymo-cups-drivers";
}
# TODO: dymo cups
];
};
}
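Review bot: `https://github.com/embray/d2to1/releases.atom` is listed twice (the fourth and sixth GitHub entries), so that feed is fetched and reported twice per run; drop one. The `http://guest:derpi@cvs2svn.tigris.org/...` entry carries a credential in the URL over plain HTTP, and the urlwatch module on this page renders `cfg.urls` into the Nix store with `pkgs.writeText "urls"`, so it is world-readable on the host as well as in this repository; this looks like a public guest login, so the exposure is probably nil, but say so in place, e.g. `# guest:derpi is the public read-only tigris login, not a secret`. Anything that is actually secret must not be passed through `urls` this way.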


@ -0,0 +1,16 @@
import logging
logging.basicConfig(level=logging.INFO)
log = logging.getLogger()
log.setLevel(level=logging.INFO)
import re
import json
from urlwatch import filters
class JsonFilter(filters.RegexMatchFilter):
MATCH = {'url': re.compile('https?://api.github.com/.*')}
def filter(self, data):
return json.dumps(json.loads(data),indent=2,sort_keys=True)
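Review bot: The `MATCH` regex `https?://api.github.com/.*` leaves the dots unescaped and carries a redundant trailing `.*`; the jobs are operator-controlled so this is harmless today, but `re.compile(r'https?://api\.github\.com/')` says what is meant. `json.loads(data)` raises on anything that is not JSON — notably a GitHub rate-limit error body or an HTML page — which surfaces as a job error rather than "unchanged"; that is arguably right, but deserves a comment, e.g. `# non-JSON responses (rate-limit/HTML) raise here and show up as job errors`. `filter` takes no `subfilter` parameter; depending on the urlwatch version in use the base class may call `filter(data, subfilter)`, in which case `def filter(self, data, subfilter=None):` keeps it compatible. The module-level `logging.basicConfig` followed by `log.setLevel` is redundant (the second repeats the first) and, if urlwatch has not configured logging yet, reconfigures the root logger of the host process from a plugin file.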


@ -0,0 +1,37 @@
{ coreutils, makeWrapper, openssl, libcaca, qrencode, fetchFromGitHub, yubikey-manager, python, stdenv, ... }:
stdenv.mkDerivation {
name = "geno-oath-safe-2017-06-30";
src = fetchFromGitHub {
owner = "mcepl";
repo = "gen-oath-safe";
rev = "fb53841";
sha256 = "0018kqmhg0861r5xkbis2a1rx49gyn0dxcyj05wap5ms7zz69m0m";
};
phases = [
"unpackPhase"
"installPhase"
"fixupPhase"
];
buildInputs = [ makeWrapper ];
installPhase =
let
path = stdenv.lib.makeBinPath [
coreutils
openssl
qrencode
yubikey-manager
libcaca
python
];
in
''
mkdir -p $out/bin
cp gen-oath-safe $out/bin/
wrapProgram $out/bin/gen-oath-safe \
--prefix PATH : ${path}
'';
}
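Review bot: `name = "geno-oath-safe-2017-06-30"` misspells the package (the repo and the installed binary are `gen-oath-safe`); use `name = "gen-oath-safe-2017-06-30";` so the store path and `nix-env` listings match the tool. `makeWrapper` is a build-time tool and belongs in `nativeBuildInputs` rather than `buildInputs`, and `rev = "fb53841"` is a 7-character abbreviation — the `sha256` still pins the content, but spelling out the full commit hash removes any future ambiguity for a tool that generates the TOTP secrets used by the sshd second factor added in this same commit. `python` here resolves to whatever the nixpkgs default `python` is at evaluation time; a comment such as `# assumes nixpkgs' default python; confirm the script runs under whatever that resolves to` would flag the dependency.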