Mic92/stockholm
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge remote-tracking branch 'gum/master'

Browse Source
This commit is contained in:
lassulus 2017-07-03 00:02:34 +02:00
commit c30e1fbc74
12 changed files with 163 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
krebs/3modules/makefu/default.nix
View File

@ -308,7 +308,6 @@ with import <stockholm/lib>;
extraZones = {
"krebsco.de" = ''
wry IN A ${nets.internet.ip4.addr}
io IN NS wry.krebsco.de.
tinc IN A ${nets.internet.ip4.addr}
'';
};
@ -470,6 +469,7 @@ with import <stockholm/lib>;
wiki.euer IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
'';
};
nets = rec {

17
krebs/3modules/urlwatch.nix
View File

@ -60,6 +60,7 @@ let
description = "URL to watch.";
example = [
https://nixos.org/channels/nixos-unstable/git-revision
{ url = http://localhost ; filter = "grep:important.*stuff"; }
];
apply = map (x: getAttr (typeOf x) {
set = x;
@ -79,7 +80,8 @@ let
};
urlsFile = pkgs.writeText "urls"
(concatMapStringsSep "\n---\n" toJSON cfg.urls);
(concatMapStringsSep "\n---\n"
(x: toJSON (filterAttrs (n: v: n != "_module") x)) cfg.urls);
hooksFile = cfg.hooksFile;
@ -142,17 +144,6 @@ let
PrivateTmp = "true";
SyslogIdentifier = "urlwatch";
Type = "oneshot";
ExecStartPre =
pkgs.writeDash "urlwatch-prestart" ''
set -euf
dataDir=$HOME
if ! test -e "$dataDir"; then
mkdir -m 0700 -p "$dataDir"
chown ${user.name}: "$dataDir"
fi
'';
ExecStart = pkgs.writeDash "urlwatch" ''
set -euf
@ -185,6 +176,8 @@ let
};
users.extraUsers = singleton {
inherit (user) name uid;
home = cfg.dataDir;
createHome = true;
};
};

5
makefu/1systems/gum.nix
View File

@ -24,7 +24,10 @@ in {
# ../2configs/disable_v6.nix
../2configs/exim-retiolum.nix
../2configs/tinc/retiolum.nix
../2configs/urlwatch.nix
../2configs/urlwatch
# Security
../2configs/sshd-totp.nix
# Tools
../2configs/tools/core.nix

1
makefu/1systems/vbob.nix
View File

@ -8,6 +8,7 @@
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
../2configs/main-laptop.nix #< base-gui
../2configs/sshd-totp.nix
# Tools
../2configs/tools/core.nix

5
makefu/1systems/x.nix
View File

@ -19,6 +19,8 @@ with import <stockholm/lib>;
# ../2configs/disable_v6.nix
# Testing
# ../2configs/lanparty/lancache.nix
# ../2configs/lanparty/lancache-dns.nix
# ../2configs/deployment/dirctator.nix
# ../2configs/vncserver.nix
# ../2configs/deployment/led-fader
@ -58,6 +60,9 @@ with import <stockholm/lib>;
# Filesystem
../2configs/fs/sda-crypto-root-home.nix
# Security
../2configs/sshd-totp.nix
];
makefu.server.primary-itf = "wlp3s0";

3
makefu/2configs/lanparty/lancache.nix
View File

@ -58,6 +58,7 @@ in {
StartLimitInterval = "1min";
};
};
environment.etc.nginx.source = lancache;
users.extraUsers = (singleton
{ name = cfg.user;
@ -69,5 +70,5 @@ in {
{ name = "${cfg.group}";
gid = genid cfg.group;
});
networking.firewall.allowedTCPPorts = [ 80 443 ];
}

18
makefu/2configs/sshd-totp.nix Normal file
View File

@ -0,0 +1,18 @@
{ pkgs, ... }:
# Enables second factor for ssh password login
## Usage:
# gen-oath-safe <username> totp
## scan the qrcode with google authenticator (or FreeOTP)
## copy last line into secrets/<host>/users.oath (chmod 700)
{
security.pam.oath = {
# enabling it will make it a requisite of `all` services
# enable = true;
digits = 6;
# TODO assert existing
usersFile = (toString <secrets>) + "/users.oath";
};
# I want TFA only active for sshd with password-auth
security.pam.services.sshd.oathAuth = true;
}

1
makefu/2configs/tools/dev.nix
View File

@ -14,5 +14,6 @@
ovh-zone
whatsupnix
brain
gen-oath-safe
];
}

27
makefu/2configs/urlwatch.nix
View File

@ -1,27 +0,0 @@
{ config, lib, ... }:
{
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.makefu.mail;
onCalendar = "*-*-* 05:00:00";
urls = [
## nixpkgs maintenance
https://api.github.com/repos/ovh/python-ovh/tags
https://api.github.com/repos/embray/d2to1/tags
https://api.github.com/repos/Mic92/vicious/tags
https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
https://github.com/amadvance/snapraid/releases.atom
https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
https://api.github.com/repos/embray/d2to1/tags
https://api.github.com/repos/dorimanx/exfat-nofuse/commits
https://api.github.com/repos/dorimanx/exfat-nofuse/tags
https://api.github.com/repos/radare/radare2/tags
https://api.github.com/repos/rapid7/metasploit-framework/tags
];
};
}

45
makefu/2configs/urlwatch/default.nix Normal file
View File

@ -0,0 +1,45 @@
{ config, lib, ... }:
{
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.makefu.mail;
onCalendar = "*-*-* 05:00:00";
hooksFile = ./hook.py;
urls = [
## nixpkgs maintenance
# github
## No rate limit
https://github.com/amadvance/snapraid/releases.atom
https://github.com/radare/radare2/releases.atom
https://github.com/ovh/python-ovh/releases.atom
https://github.com/embray/d2to1/releases.atom
https://github.com/Mic92/vicious/releases.atom
https://github.com/embray/d2to1/releases.atom
https://github.com/dorimanx/exfat-nofuse/releases.atom
https://github.com/rapid7/metasploit-framework/releases.atom
## rate limited
# https://api.github.com/repos/dorimanx/exfat-nofuse/commits
# https://api.github.com/repos/mcepl/gen-oath-safe/commits
https://api.github.com/repos/naim94a/udpt/commits
https://api.github.com/repos/dirkvdb/ps3netsrv--/commits
# pypi
https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/
https://pypi.python.org/simple/devpi-client/
# weird shit
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
{
url = https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ;
filter = "grep:Software/Linux/dymo-cups-drivers";
}
# TODO: dymo cups
];
};
}

16
makefu/2configs/urlwatch/hook.py Normal file
View File

@ -0,0 +1,16 @@
import logging
logging.basicConfig(level=logging.INFO)
log = logging.getLogger()
log.setLevel(level=logging.INFO)
import re
import json
from urlwatch import filters
class JsonFilter(filters.RegexMatchFilter):
MATCH = {'url': re.compile('https?://api.github.com/.*')}
def filter(self, data):
return json.dumps(json.loads(data),indent=2,sort_keys=True)

37
makefu/5pkgs/gen-oath-safe/default.nix Normal file
View File

@ -0,0 +1,37 @@
{ coreutils, makeWrapper, openssl, libcaca, qrencode, fetchFromGitHub, yubikey-manager, python, stdenv, ... }:
stdenv.mkDerivation {
name = "geno-oath-safe-2017-06-30";
src = fetchFromGitHub {
owner = "mcepl";
repo = "gen-oath-safe";
rev = "fb53841";
sha256 = "0018kqmhg0861r5xkbis2a1rx49gyn0dxcyj05wap5ms7zz69m0m";
};
phases = [
"unpackPhase"
"installPhase"
"fixupPhase"
];
buildInputs = [ makeWrapper ];
installPhase =
let
path = stdenv.lib.makeBinPath [
coreutils
openssl
qrencode
yubikey-manager
libcaca
python
];
in
''
mkdir -p $out/bin
cp gen-oath-safe $out/bin/
wrapProgram $out/bin/gen-oath-safe \
--prefix PATH : ${path}
'';
}