Merge branch 'master' of prism:stockholm

This commit is contained in:
nin 2017-07-06 20:36:05 +02:00
commit de8baa21bf
59 changed files with 912 additions and 281 deletions


@ -51,13 +51,23 @@ $(if $(target_user),,$(error unbound variable: target_user))
$(if $(target_port),,$(error unbound variable: target_port)) $(if $(target_port),,$(error unbound variable: target_port))
$(if $(target_path),,$(error unbound variable: target_path)) $(if $(target_path),,$(error unbound variable: target_path))
whatsupnix = \
if type whatsupnix >/dev/null 2>&1; then \
whatsupnix $(1); \
else \
cat; \
fi
build = \ build = \
nix-build \ nix-build \
-Q \
--no-out-link \ --no-out-link \
--show-trace \ --show-trace \
-I nixos-config=$(nixos-config) \ -I nixos-config=$(nixos-config) \
-I stockholm=$(stockholm) \ -I stockholm=$(stockholm) \
-E "with import <stockholm>; $(1)" -E "with import <stockholm>; $(1)" \
$(2) \
|& $(call whatsupnix)
evaluate = \ evaluate = \
nix-instantiate \ nix-instantiate \
@ -66,7 +76,8 @@ evaluate = \
--show-trace \ --show-trace \
-I nixos-config=$(nixos-config) \ -I nixos-config=$(nixos-config) \
-I stockholm=$(stockholm) \ -I stockholm=$(stockholm) \
-E "let eval = import <stockholm>; in with eval; $(1)" -E "let eval = import <stockholm>; in with eval; $(1)" \
$(2)
ifeq ($(MAKECMDGOALS),) ifeq ($(MAKECMDGOALS),)
$(error No goals specified) $(error No goals specified)
@ -84,11 +95,7 @@ deploy:
$(ssh) $(target_user)@$(target_host) -p $(target_port) \ $(ssh) $(target_user)@$(target_host) -p $(target_port) \
env STOCKHOLM_VERSION="$$STOCKHOLM_VERSION" \ env STOCKHOLM_VERSION="$$STOCKHOLM_VERSION" \
nixos-rebuild -Q $(rebuild-command) --show-trace -I $(target_path) \ nixos-rebuild -Q $(rebuild-command) --show-trace -I $(target_path) \
|& if type whatsupnix 2>/dev/null; then \ |& $(call whatsupnix,$(target_user)@$(target_host):$(target_port))
whatsupnix $(target_user)@$(target_host):$(target_port); \
else \
cat; \
fi
# usage: make populate system=foo # usage: make populate system=foo
populate: populate-target = \ populate: populate-target = \
@ -126,10 +133,10 @@ install:
# usage: make test system=foo [target=bar] [method={eval,build}] # usage: make test system=foo [target=bar] [method={eval,build}]
method ?= eval method ?= eval
ifeq ($(method),build) ifeq ($(method),build)
test: command = nix-build --no-out-link test: test = $(call build,$(1),$(2))
else else
ifeq ($(method),eval) ifeq ($(method),eval)
test: command ?= nix-instantiate --eval --json --readonly-mode --strict test: test ?= $(call evaluate,$(1),$(2)) --json --strict | jq -r .
else else
$(error bad method: $(method)) $(error bad method: $(method))
endif endif
@ -141,6 +148,4 @@ else
test: wrapper = $(ssh) $(target_user)@$(target_host) -p $(target_port) test: wrapper = $(ssh) $(target_user)@$(target_host) -p $(target_port)
endif endif
test: populate test: populate
$(wrapper) \ $(wrapper) $(call test,config.system.build.toplevel,-I $(target_path))
$(command) --show-trace -I $(target_path) \
-A config.system.build.toplevel $(target_path)/stockholm
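Review bot: The `|& $(call whatsupnix)` tail added to the `build` macro (and kept in the `deploy` recipe) makes the recipe's exit status that of the filter, so a failing `nix-build` or `nixos-rebuild` is masked whenever `whatsupnix` is not installed and the `cat` fallback runs, unless `.SHELLFLAGS` enables `pipefail` somewhere outside these hunks. `|&` is a bash-only operator, so the file presumably already sets `SHELL := bash`; in that case `.SHELLFLAGS := -eu -o pipefail -c`, or a `set -o pipefail;` prefix on both pipelines, closes the gap. Separately, the eval branch now reads `test: test ?= $(call evaluate,$(1),$(2)) --json --strict | jq -r .` while the build branch uses `=`; with `?=` an environment or command-line variable named `test` silently replaces the whole command, so use `=` in both branches. The recipe of `test` ends inside the last hunk, but the `ifeq` chain it sits in starts outside it.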


@ -0,0 +1,53 @@
# Commit Messages Guideline
Commits SHOULD have the following format:
```
<namespace?> <component>: <change>
<rationale>
(<reference-name>: <reference-id>)?
```
## `<namespace>`
Defines where the change took place. This can be omitted if the
namespace is `krebs`. Namespaces may be shortened to one to four characters (
lassulus -> lass, makefu -> make, tv -> tv, shared -> sha)
## `<component>`
Name of the component which was touched. `component` is
rather fuzzy and may mean different things, just choose what would fit best.
Here are a numbers of samples for defining the component:
* Change `gum` in `krebs/3modules/makefu/default.nix`: `gum.r: change ip`
* Change `prepare.sh` in `krebs/4libs/infest`: `infest: prepare stockholm ISO`
* Remove `concat` in `krebs/5pkgs`: `concat: RIP`, this commit may like some `<rationale>`
* Update `types` in `krebs/3modules`: `lib/types: add managed bool to host type`
* Change host `gum` in `makefu/1systems/gum`: `ma gum.r: add taskserver`
* Change `tinc` module in `krebs/3modules`: `tinc module: add option enableLegacy`
## `<rationale>`
Describe some trivia why the commit was done:
```
whatsupnix: init
Import from https://github.com/NixOS/nix/issues/443#issuecomment-296752535
```
## `<reference>`
Defines external resouces related to the commit:
```
Closes: #123533
CVE: CVE-2016-00001
URL: https://example.com/CVE-2016-00001
```
## Remarks
As a general rule of thumb you can check out: https://www.slideshare.net/TarinGamberini/commit-messages-goodpractices
Of course the pattern not always fits perfectly (for example for refactoring),
just apply some common sense and define a useful commit message,
like `refactor krebs.setuid`.


@ -0,0 +1,17 @@
# install fileleech
```
builder$ python3 host.py --create-ssh-keys --create-passwords fileleech
iso$ fdisk /dev/sda # 3 partitions, grub,boot,crypt
iso$ cryptsetup luksFormat /dev/sda3 --cipher aes-xts-plain64 -s 512 -h sha512
iso$ cryptsetup luksAddKey /dev/sda3 hddkey
iso$ cryptsetup luksOpen --keyfile-size=4096 -d /dev/disk/by-id/usb-Intuix_DiskOnKey_09A07360336198F8-0:0 /dev/disk/by-id/ata-INTEL_SSDSA2M080G2GC_CVPO003402PB080BGN-part3 luksroot
iso$ mkfs.ext4 -Lnixboot /dev/sda2
iso$ mkfs.ext4 -Lroot /dev/mapper/luksroot
iso$ echo 1 > /proc/sys/net/ipv6/conf/enp8s0f0/disable_ipv6
iso$ mount /dev/mapper/luksroot /mnt
iso$ mkdir /mnt/boot
iso$ mount /dev/sda2 /mnt/boot
iso$ mkdir -p /mnt/var/src
iso$ touch /mnt/var/src/.populate
```


@ -0,0 +1,16 @@
# transfer gum to new hosts
```
builder$ vim krebs/3modules/makefu/default.nix
## update ip
builder$ vim makefu/1systems/gum.nix
## update hardware config
old-gum$ rsync --progress -lprtvzF . <newip>:/mnt/
new-gum$ touch /mnt/var/src/.populate
new-gum$ gdisk /dev/sda r;g;w # gpt to mbr
builder$ make -C ~/stockholm system=gum target=vcygfnhdxyxr47zu.onion install
```


@ -24,4 +24,6 @@ with import <stockholm/lib>;
type = types.user; type = types.user;
}; };
}; };
config.krebs.build.source.stockholm.file = mkDefault (toString <stockholm>);
} }


@ -308,7 +308,6 @@ with import <stockholm/lib>;
extraZones = { extraZones = {
"krebsco.de" = '' "krebsco.de" = ''
wry IN A ${nets.internet.ip4.addr} wry IN A ${nets.internet.ip4.addr}
io IN NS wry.krebsco.de.
tinc IN A ${nets.internet.ip4.addr} tinc IN A ${nets.internet.ip4.addr}
''; '';
}; };
@ -470,6 +469,7 @@ with import <stockholm/lib>;
wiki.euer IN A ${nets.internet.ip4.addr} wiki.euer IN A ${nets.internet.ip4.addr}
graph IN A ${nets.internet.ip4.addr} graph IN A ${nets.internet.ip4.addr}
ghook IN A ${nets.internet.ip4.addr} ghook IN A ${nets.internet.ip4.addr}
io IN NS gum.krebsco.de.
''; '';
}; };
nets = rec { nets = rec {


@ -60,6 +60,7 @@ let
description = "URL to watch."; description = "URL to watch.";
example = [ example = [
https://nixos.org/channels/nixos-unstable/git-revision https://nixos.org/channels/nixos-unstable/git-revision
{ url = http://localhost ; filter = "grep:important.*stuff"; }
]; ];
apply = map (x: getAttr (typeOf x) { apply = map (x: getAttr (typeOf x) {
set = x; set = x;
@ -79,7 +80,8 @@ let
}; };
urlsFile = pkgs.writeText "urls" urlsFile = pkgs.writeText "urls"
(concatMapStringsSep "\n---\n" toJSON cfg.urls); (concatMapStringsSep "\n---\n"
(x: toJSON (filterAttrs (n: v: n != "_module") x)) cfg.urls);
hooksFile = cfg.hooksFile; hooksFile = cfg.hooksFile;
@ -142,17 +144,6 @@ let
PrivateTmp = "true"; PrivateTmp = "true";
SyslogIdentifier = "urlwatch"; SyslogIdentifier = "urlwatch";
Type = "oneshot"; Type = "oneshot";
ExecStartPre =
pkgs.writeDash "urlwatch-prestart" ''
set -euf
dataDir=$HOME
if ! test -e "$dataDir"; then
mkdir -m 0700 -p "$dataDir"
chown ${user.name}: "$dataDir"
fi
'';
ExecStart = pkgs.writeDash "urlwatch" '' ExecStart = pkgs.writeDash "urlwatch" ''
set -euf set -euf
@ -185,6 +176,8 @@ let
}; };
users.extraUsers = singleton { users.extraUsers = singleton {
inherit (user) name uid; inherit (user) name uid;
home = cfg.dataDir;
createHome = true;
}; };
}; };


@ -0,0 +1,15 @@
diff --git a/hier.c b/hier.c
index 5663ada..1d73b84 100644
--- a/hier.c
+++ b/hier.c
@@ -2,8 +2,8 @@
void hier()
{
- h(auto_home,-1,-1,02755);
- d(auto_home,"bin",-1,-1,02755);
+ h(auto_home,-1,-1,0755);
+ d(auto_home,"bin",-1,-1,0755);
c(auto_home,"bin","tcpserver",-1,-1,0755);
c(auto_home,"bin","tcprules",-1,-1,0755);


@ -0,0 +1,86 @@
{ stdenv, fetchurl }:
stdenv.mkDerivation rec {
name = "ucspi-tcp-0.88";
src = fetchurl {
url = "http://cr.yp.to/ucspi-tcp/${name}.tar.gz";
sha256 = "171yl9kfm8w7l17dfxild99mbf877a9k5zg8yysgb1j8nz51a1ja";
};
# Plain upstream tarball doesn't build, get patches from Debian
patches = [
(fetchurl {
url = "http://ftp.de.debian.org/debian/pool/main/u/ucspi-tcp/ucspi-tcp_0.88-3.diff.gz";
sha256 = "0mzmhz8hjkrs0khmkzs5i0s1kgmgaqz07h493bd5jj5fm5njxln6";
})
./chmod.patch
];
# Apply Debian patches
postPatch = ''
for fname in debian/diff/*.diff; do
echo "Applying patch $fname"
patch < "$fname"
done
'';
# The build system is weird; 'make install' doesn't install anything, instead
# it builds an executable called ./install (from C code) which installs
# binaries to the directory given on line 1 in ./conf-home.
#
# Also, assume getgroups and setgroups work, instead of doing a build time
# test that breaks on NixOS (I think because nixbld users lack CAP_SETGID
# capability).
preBuild = ''
echo "$out" > conf-home
echo "main() { return 0; }" > chkshsgr.c
'';
installPhase = ''
mkdir -p "$out/bin"
mkdir -p "$out/share/man/man1"
# run the newly built installer
./install
# Install Debian man pages (upstream has none)
cp debian/ucspi-tcp-man/*.1 "$out/share/man/man1"
'';
meta = with stdenv.lib; {
description = "Command-line tools for building TCP client-server applications";
longDescription = ''
tcpserver waits for incoming connections and, for each connection, runs a
program of your choice. Your program receives environment variables
showing the local and remote host names, IP addresses, and port numbers.
tcpserver offers a concurrency limit to protect you from running out of
processes and memory. When you are handling 40 (by default) simultaneous
connections, tcpserver smoothly defers acceptance of new connections.
tcpserver also provides TCP access control features, similar to
tcp-wrappers/tcpd's hosts.allow but much faster. Its access control rules
are compiled into a hashed format with cdb, so it can easily deal with
thousands of different hosts.
This package includes a recordio tool that monitors all the input and
output of a server.
tcpclient makes a TCP connection and runs a program of your choice. It
sets up the same environment variables as tcpserver.
This package includes several sample clients built on top of tcpclient:
who@, date@, finger@, http@, tcpcat, and mconnect.
tcpserver and tcpclient conform to UCSPI, the UNIX Client-Server Program
Interface, using the TCP protocol. UCSPI tools are available for several
different networks.
'';
homepage = http://cr.yp.to/ucspi-tcp.html;
license = licenses.publicDomain;
platforms = platforms.linux;
maintainers = [ maintainers.bjornfor ];
};
}
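Review bot: `./chmod.patch` is listed in `patches` without any explanation, unlike the Debian entry right above it; judging from the patch file added in this commit it changes the `auto_home` and `bin` directory modes from `02755` to `0755`, i.e. drops the setgid bit, presumably because a Nix build cannot produce setgid directories. Suggest a comment on the line above it: `# chmod.patch: install dirs as 0755 instead of 02755 (setgid dirs are not possible in the Nix build)`. The `preBuild` stub that replaces `chkshsgr.c` is documented, though the stated reason (`I think because nixbld users lack CAP_SETGID`) is explicitly a guess and could be confirmed.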


@ -17,25 +17,22 @@
# 2 Build error; at least one failed derivation could be found. # 2 Build error; at least one failed derivation could be found.
# #
GAWK=${GAWK:-gawk}
NIX_STORE=${NIX_STORE:-nix-store}
failed_drvs=$(mktemp --tmpdir whatsupnix.XXXXXXXX) failed_drvs=$(mktemp --tmpdir whatsupnix.XXXXXXXX)
trap 'rm -f -- "$failed_drvs"' EXIT trap 'rm -f -- "$failed_drvs"' EXIT
exec >&2 exec >&2
$GAWK -v failed_drvs="$failed_drvs" ' gawk -v failed_drvs="$failed_drvs" '
match($0, /^builder for (\/nix\/store\/[^]+\.drv) failed/, m) { match($0, /^builder for (\/nix\/store\/[^]+\.drv) failed/, m) {
print m[1] >> failed_drvs print m[1] >> failed_drvs
} }
{ print $0 } { print $0; fflush("/dev/stdout") }
' '
case $# in case $# in
0) 0)
print_log() { print_log() {
NIX_PAGER= $NIX_STORE -l "$1" NIX_PAGER= nix-store -l "$1"
} }
;; ;;
1) 1)


@ -6,9 +6,9 @@ with import <stockholm/lib>;
../. ../.
../2configs/retiolum.nix ../2configs/retiolum.nix
../2configs/hw/tp-x220.nix ../2configs/hw/tp-x220.nix
../2configs/baseX.nix
../2configs/git.nix ../2configs/git.nix
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/baseX.nix
../2configs/browsers.nix ../2configs/browsers.nix
../2configs/programs.nix ../2configs/programs.nix
../2configs/fetchWallpaper.nix ../2configs/fetchWallpaper.nix
@ -22,9 +22,9 @@ with import <stockholm/lib>;
loader.grub.enable = true; loader.grub.enable = true;
loader.grub.version = 2; loader.grub.version = 2;
loader.grub.device = "/dev/sda"; loader.grub.device = "/dev/sda";
loader.grub.enableCryptodisk = true; loader.grub.efiSupport = true;
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
}; };
@ -34,11 +34,14 @@ with import <stockholm/lib>;
fsType = "btrfs"; fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"]; options = ["defaults" "noatime" "ssd" "compress=lzo"];
}; };
"/bku" = { "/boot" = {
device = "/dev/mapper/pool-bku"; device = "/dev/sda2";
fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
}; };
#"/bku" = {
# device = "/dev/mapper/pool-bku";
# fsType = "btrfs";
# options = ["defaults" "noatime" "ssd" "compress=lzo"];
#};
"/home" = { "/home" = {
device = "/dev/mapper/pool-home"; device = "/dev/mapper/pool-home";
fsType = "btrfs"; fsType = "btrfs";
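Review bot: The new `"/boot"` entry with `device = "/dev/sda2";` has no `fsType`, so NixOS falls back to `auto`; the init script in this commit creates that partition as an ESP and runs `mkfs.vfat` on it, so state it explicitly: `fsType = "vfat";`. The second host's `"/boot"` entry further down has the same omission. Replacing `loader.grub.enableCryptodisk = true` with `loader.grub.efiSupport = true` and an unencrypted ESP means the kernel and initrd now sit outside the LUKS volume; if that trade-off is intended for EFI booting, a one-line comment next to `efiSupport` saying so would stop the next reader from re-adding cryptodisk. The commented-out `"/bku"` block is dead configuration and can be dropped.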


@ -96,49 +96,30 @@ with import <stockholm/lib>;
loader.grub.enable = true; loader.grub.enable = true;
loader.grub.version = 2; loader.grub.version = 2;
loader.grub.device = "/dev/sda"; loader.grub.device = "/dev/sda";
loader.grub.efiSupport = true;
initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda3"; } ];
initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ];
initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ];
}; };
fileSystems = { fileSystems = {
"/" = { "/" = {
device = "/dev/big/nix"; device = "/dev/mapper/pool-root";
fsType = "ext4"; fsType = "btrfs";
options = ["defaults" "noatime" "ssd" "compress=lzo"];
}; };
"/boot" = { "/boot" = {
device = "/dev/sda1"; device = "/dev/sda2";
}; };
#"/bku" = {
"/mnt/loot" = { # device = "/dev/mapper/pool-bku";
device = "/dev/big/loot"; # fsType = "btrfs";
fsType = "ext4"; # options = ["defaults" "noatime" "ssd" "compress=lzo"];
}; #};
"/home" = { "/home" = {
device = "/dev/big/home"; device = "/dev/mapper/pool-home";
fsType = "ext4"; fsType = "btrfs";
}; options = ["defaults" "noatime" "ssd" "compress=lzo"];
"/home/lass" = {
device = "/dev/big/home-lass";
fsType = "ext4";
};
"/home/games/.local/share/Steam" = {
device = "/dev/big/steam";
fsType = "ext4";
};
"/home/virtual/virtual" = {
device = "/dev/big/virtual";
fsType = "ext4";
};
"/mnt/conf" = {
device = "/dev/big/conf";
fsType = "ext4";
}; };
"/tmp" = { "/tmp" = {
device = "tmpfs"; device = "tmpfs";


@ -229,6 +229,10 @@ in {
OnUnitInactiveSec = "2min"; OnUnitInactiveSec = "2min";
RandomizedDelaySec = "2min"; RandomizedDelaySec = "2min";
}; };
krebs.repo-sync.repos.nixpkgs.timerConfig = {
OnBootSec = "90min";
OnUnitInactiveSec = "24h";
};
} }
{ {
lass.usershadow = { lass.usershadow = {


@ -13,6 +13,7 @@ with import <stockholm/lib>;
../2configs/programs.nix ../2configs/programs.nix
../2configs/fetchWallpaper.nix ../2configs/fetchWallpaper.nix
../2configs/backups.nix ../2configs/backups.nix
../2configs/wine.nix
#{ #{
# users.extraUsers = { # users.extraUsers = {
# root = { # root = {


@ -56,51 +56,6 @@ in {
mode='full' mode='full'
) )
# TODO: get nixpkgs/stockholm paths from krebs
env_lass = {
"LOGNAME": "lass",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
env_makefu = {
"LOGNAME": "makefu",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
env_nin = {
"LOGNAME": "nin",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
env_shared = {
"LOGNAME": "shared",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
env_tv = {
"LOGNAME": "tv",
"NIX_REMOTE": "daemon",
"dummy_secrets": "true",
}
# prepare nix-shell
# the dependencies which are used by the test script
deps = [
"gnumake",
"jq",
"nix",
"(import <stockholm>).pkgs.populate",
"openssh"
]
# TODO: --pure , prepare ENV in nix-shell command:
# SSL_CERT_FILE,LOGNAME,NIX_REMOTE
nixshell = [
"nix-shell",
"-I", "/var/src",
"-I", "stockholm=.",
"-p"
] + deps + [ "--run" ]
# prepare addShell function # prepare addShell function
def addShell(factory,**kwargs): def addShell(factory,**kwargs):
factory.addStep(steps.ShellCommand(**kwargs)) factory.addStep(steps.ShellCommand(**kwargs))
@ -110,30 +65,35 @@ in {
f = util.BuildFactory() f = util.BuildFactory()
f.addStep(grab_repo) f.addStep(grab_repo)
def build_host(env, host): def build_host(user, host):
addShell(f,name="build-{}".format(i),env=env, addShell(f,
command=nixshell + ["mkdir -p $HOME/$LOGNAME && touch $HOME/$LOGNAME/.populate; \ name="{}".format(i),
echo $HOME; echo $LOGNAME; \ env={
test -e $HOME/$LOGNAME/nixpkgs || cp -r /var/src/nixpkgs $HOME/$LOGNAME/; \ "LOGNAME": user,
make NIX_PATH=$HOME/$LOGNAME:secrets=/var/src/stockholm/null test method=build \ "NIX_PATH": "secrets=/var/src/stockholm/null:/var/src",
target=buildbotworker@${config.krebs.build.host.name}$HOME/$LOGNAME \ "NIX_REMOTE": "daemon",
system={}".format(host)] "dummy_secrets": "true",
},
command=[
"nix-shell", "--run",
"test --system={} --target=buildbotworker@${config.krebs.build.host.name}$HOME/$LOGNAME".format(host)
]
) )
for i in [ "alnus", "mu", "nomic", "wu", "xu", "zu" ]:
build_host(env_tv, i)
for i in [ "mors", "uriel", "shodan", "icarus", "cloudkrebs", "echelon", "dishfire", "prism" ]: for i in [ "mors", "uriel", "shodan", "icarus", "cloudkrebs", "echelon", "dishfire", "prism" ]:
build_host(env_lass, i) build_host("lass", i)
for i in [ "x", "wry", "vbob", "wbob", "shoney" ]: for i in [ "x", "wry", "vbob", "wbob", "shoney" ]:
build_host(env_makefu, i) build_host("makefu", i)
for i in [ "hiawatha", "onondaga" ]: for i in [ "hiawatha", "onondaga" ]:
build_host(env_nin, i) build_host("nin", i)
for i in [ "test-minimal-deploy", "test-all-krebs-modules", "wolf", "test-centos7" ]: for i in [ "test-minimal-deploy", "test-all-krebs-modules", "wolf", "test-centos7" ]:
build_host(env_shared, i) build_host("shared", i)
for i in [ "alnus", "mu", "nomic", "wu", "xu", "zu" ]:
build_host("tv", i)
bu.append( bu.append(
util.BuilderConfig( util.BuilderConfig(
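Review bot: `build_host(user, host)` still names its step with `name="{}".format(i)`, reading the caller's loop variable `i` instead of its own `host` parameter; this only works because every call site happens to loop over `i`, so use `name=host` (or `name="build-{}".format(host)` to keep the old prefix). The new `["nix-shell", "--run", ...]` command no longer passes the `-p`/`-I` arguments the removed `nixshell` list carried, so it presumably relies on a `shell.nix` in the checked-out repository to provide `test`, `gnumake` and `jq`; worth confirming, since a missing tool would only surface at run time. `build_host` is defined inside the hunk but the surrounding factory setup continues outside it.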


@ -79,7 +79,6 @@ with import <stockholm/lib>;
if getEnv "dummy_secrets" == "true" if getEnv "dummy_secrets" == "true"
then toString <stockholm/lass/2configs/tests/dummy-secrets> then toString <stockholm/lass/2configs/tests/dummy-secrets>
else "/home/lass/secrets/${host.name}"; else "/home/lass/secrets/${host.name}";
stockholm.file = getEnv "PWD";
}; };
}; };
}; };


@ -32,6 +32,8 @@ with import <stockholm/lib>;
{ from = "feed@lassul.us"; to = lass.mail; } { from = "feed@lassul.us"; to = lass.mail; }
{ from = "art@lassul.us"; to = lass.mail; } { from = "art@lassul.us"; to = lass.mail; }
{ from = "irgendwas@lassul.us"; to = lass.mail; } { from = "irgendwas@lassul.us"; to = lass.mail; }
{ from = "polo@lassul.us"; to = lass.mail; }
{ from = "shack@lassul.us"; to = lass.mail; }
]; ];
system-aliases = [ system-aliases = [
{ from = "mailer-daemon"; to = "postmaster"; } { from = "mailer-daemon"; to = "postmaster"; }


@ -48,6 +48,8 @@ let
set use_from=yes set use_from=yes
set envelope_from=yes set envelope_from=yes
set sort=threads
set index_format="%4C %Z %?GI?%GI& ? %[%d/%b] %-16.15F %?M?(%3M)& ? %s %> %?g?%g?" set index_format="%4C %Z %?GI?%GI& ? %[%d/%b] %-16.15F %?M?(%3M)& ? %s %> %?g?%g?"
virtual-mailboxes \ virtual-mailboxes \


@ -3,6 +3,6 @@
{ {
krebs.build.source.nixpkgs.git = { krebs.build.source.nixpkgs.git = {
url = https://cgit.lassul.us/nixpkgs; url = https://cgit.lassul.us/nixpkgs;
ref = "4847963"; ref = "2e983f1";
}; };
} }


@ -61,6 +61,11 @@ in {
"karlaskop.ubikmedia.de" "karlaskop.ubikmedia.de"
"nb.ubikmedia.de" "nb.ubikmedia.de"
"youthtube.ubikmedia.de" "youthtube.ubikmedia.de"
"weirdwednesday.ubikmedia.de"
"weirdwednesday.de"
"www.weirdwednesday.de"
"freemonkey.ubikmedia.de"
"jarugadesign.ubikmedia.de"
]) ])
]; ];


@ -19,14 +19,15 @@ pkgs.writeText "init" ''
disk=${disk} disk=${disk}
luksdev=${disk}2 luksdev=${disk}3
luksmap=/dev/mapper/${luksmap} luksmap=/dev/mapper/${luksmap}
vgname=${vgname} vgname=${vgname}
bootdev=/dev/sda2
rootdev=/dev/mapper/${vgname}-root rootdev=/dev/mapper/${vgname}-root
homedev=/dev/mapper/${vgname}-home homedev=/dev/mapper/${vgname}-home
bkudev=/dev/mapper/${vgname}-bku
# #
#generate keyfile #generate keyfile
@ -49,7 +50,8 @@ pkgs.writeText "init" ''
mklabel gpt \ mklabel gpt \
mkpart no-fs 0 1024KiB \ mkpart no-fs 0 1024KiB \
set 1 bios_grub on \ set 1 bios_grub on \
mkpart primary 1025KiB 100% mkpart ESP fat32 1025KiB 1024MiB set 2 boot on \
mkpart primary 1025MiB 100%
fi fi
if ! test "$(blkid -o value -s PARTLABEL "$luksdev")" = primary; then if ! test "$(blkid -o value -s PARTLABEL "$luksdev")" = primary; then
@ -78,9 +80,8 @@ pkgs.writeText "init" ''
lvchange -a y /dev/mapper/"$vgname" lvchange -a y /dev/mapper/"$vgname"
if ! test -e "$rootdev"; then lvcreate -L 100G -n root "$vgname"; fi if ! test -e "$rootdev"; then lvcreate -L 7G -n root "$vgname"; fi
if ! test -e "$homedev"; then lvcreate -L 100G -n home "$vgname"; fi if ! test -e "$homedev"; then lvcreate -L 100M -n home "$vgname"; fi
if ! test -e "$bkudev"; then lvcreate -L 200G -n bku "$vgname"; fi
# lvchange -a n "$vgname" # lvchange -a n "$vgname"
@ -89,6 +90,10 @@ pkgs.writeText "init" ''
# formatting # formatting
# #
if ! test "$(blkid -o value -s TYPE "$bootdev")" = vfat; then
mkfs.vfat "$bootdev"
fi
if ! test "$(blkid -o value -s TYPE "$rootdev")" = btrfs; then if ! test "$(blkid -o value -s TYPE "$rootdev")" = btrfs; then
mkfs.btrfs "$rootdev" mkfs.btrfs "$rootdev"
fi fi
@ -97,22 +102,18 @@ pkgs.writeText "init" ''
mkfs.btrfs "$homedev" mkfs.btrfs "$homedev"
fi fi
if ! test "$(blkid -o value -s TYPE "$bkudev")" = btrfs; then
mkfs.btrfs "$bkudev"
fi
if ! test "$(lsblk -n -o MOUNTPOINT "$rootdev")" = /mnt; then if ! test "$(lsblk -n -o MOUNTPOINT "$rootdev")" = /mnt; then
mount "$rootdev" /mnt mount "$rootdev" /mnt
fi fi
if ! test "$(lsblk -n -o MOUNTPOINT "$bootdev")" = /mnt/boot; then
mkdir -m 0000 -p /mnt/boot
mount "$bootdev" /mnt/boot
fi
if ! test "$(lsblk -n -o MOUNTPOINT "$homedev")" = /mnt/home; then if ! test "$(lsblk -n -o MOUNTPOINT "$homedev")" = /mnt/home; then
mkdir -m 0000 -p /mnt/home mkdir -m 0000 -p /mnt/home
mount "$homedev" /mnt/home mount "$homedev" /mnt/home
fi fi
if ! test "$(lsblk -n -o MOUNTPOINT "$bkudev")" = /mnt/bku; then
mkdir -m 0000 -p /mnt/bku
mount "$bkudev" /mnt/bku
fi
# umount -R /mnt # umount -R /mnt
@ -122,6 +123,7 @@ pkgs.writeText "init" ''
nix-env -iA nixos.git nix-env -iA nixos.git
# TODO: get sentinal file from target_path
mkdir -p /mnt/var/src mkdir -p /mnt/var/src
touch /mnt/var/src/.populate touch /mnt/var/src/.populate
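Review bot: `bootdev=/dev/sda2` is hard-coded while the neighbouring `luksdev=${disk}3` is derived from `${disk}`; if `disk` is ever anything other than `/dev/sda`, the later `mkfs.vfat "$bootdev"` and `mount "$bootdev" /mnt/boot` act on a partition of a different drive than the one this script just partitioned, which is destructive. Use `bootdev=${disk}2` so all three devices follow the same variable. The new LV sizes `-L 7G -n root` and `-L 100M -n home` look like test values next to the previous 100G each; if they are intended, a short comment on the sizing would help. The script body starts before the first hunk and continues after the last one.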


@ -24,7 +24,10 @@ in {
# ../2configs/disable_v6.nix # ../2configs/disable_v6.nix
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/tinc/retiolum.nix ../2configs/tinc/retiolum.nix
../2configs/urlwatch.nix ../2configs/urlwatch
# Security
../2configs/sshd-totp.nix
# Tools # Tools
../2configs/tools/core.nix ../2configs/tools/core.nix


@ -8,14 +8,23 @@
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>) (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-image.nix>)
(toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>) (toString <nixpkgs/nixos/modules/virtualisation/virtualbox-guest.nix>)
../2configs/main-laptop.nix #< base-gui ../2configs/main-laptop.nix #< base-gui
../2configs/sshd-totp.nix
# Tools
../2configs/tools/core.nix
../2configs/tools/core-gui.nix
../2configs/tools/dev.nix
../2configs/tools/extra-gui.nix
../2configs/tools/sec.nix
# environment # environment
../2configs/tinc/retiolum.nix ../2configs/tinc/retiolum.nix
../2configs/audio/jack-on-pulse.nix
../2configs/audio/realtime-audio.nix
]; ];
networking.extraHosts = import (toString <secrets/extra-hosts.nix>); networking.extraHosts = import (toString <secrets/extra-hosts.nix>);
# workaround for https://github.com/NixOS/nixpkgs/issues/16641
services.xserver.videoDrivers = lib.mkOverride 45 [ "virtualbox" "modesetting" ];
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
fileSystems."/nix" = { fileSystems."/nix" = {


@ -13,61 +13,56 @@ with import <stockholm/lib>;
../2configs/tools/all.nix ../2configs/tools/all.nix
../2configs/laptop-backup.nix ../2configs/laptop-backup.nix
../2configs/dnscrypt.nix ../2configs/dnscrypt.nix
../2configs/avahi.nix
# testing # Debugging
# ../2configs/openvpn/vpngate.nix # ../2configs/disable_v6.nix
#../2configs/temp/share-samba.nix
# ../2configs/mediawiki.nix
# ../2configs/wordpress.nix
# ../2configs/nginx/public_html.nix
# ../2configs/nginx/icecult.nix
# ../2configs/elchos/irc-token.nix
# ../2configs/elchos/log.nix
#../2configs/elchos/search.nix
#../2configs/elchos/stats.nix
#../2configs/elchos/test/ftpservers.nix
# ../2configs/tinc/siem.nix
#../2configs/torrent.nix
# temporary modules
# ../2configs/torrent.nix
#../2configs/temp/elkstack.nix
# ../2configs/temp/sabnzbd.nix
# Testing
# ../2configs/lanparty/lancache.nix
# ../2configs/lanparty/lancache-dns.nix
# ../2configs/deployment/dirctator.nix
# ../2configs/vncserver.nix
# ../2configs/deployment/led-fader
# ../2configs/deployment/hound
# development # development
../2configs/sources ../2configs/sources
# Krebs # Krebs
# ../2configs/disable_v6.nix
../2configs/tinc/retiolum.nix ../2configs/tinc/retiolum.nix
# applications # applications
../2configs/exim-retiolum.nix ../2configs/exim-retiolum.nix
../2configs/mail-client.nix ../2configs/mail-client.nix
../2configs/printer.nix ../2configs/printer.nix
../2configs/virtualization.nix ../2configs/task-client.nix
../2configs/virtualization-virtualbox.nix
../2configs/wwan.nix
../2configs/rad1o.nix
# services # Virtualization
../2configs/virtualization.nix
../2configs/docker.nix
../2configs/virtualization-virtualbox.nix
# Services
../2configs/git/brain-retiolum.nix ../2configs/git/brain-retiolum.nix
../2configs/tor.nix ../2configs/tor.nix
../2configs/steam.nix ../2configs/steam.nix
# ../2configs/buildbot-standalone.nix # ../2configs/buildbot-standalone.nix
# hardware specifics are in here # Hardware
../2configs/hw/tp-x230.nix ../2configs/hw/tp-x230.nix
../2configs/hw/rtl8812au.nix ../2configs/hw/rtl8812au.nix
../2configs/hw/stk1160.nix ../2configs/hw/exfat-nofuse.nix
../2configs/hw/wwan.nix
# ../2configs/hw/stk1160.nix
# ../2configs/rad1o.nix
# mount points # Filesystem
../2configs/fs/sda-crypto-root-home.nix ../2configs/fs/sda-crypto-root-home.nix
# Security
../2configs/sshd-totp.nix
]; ];
makefu.server.primary-itf = "wlp3s0"; makefu.server.primary-itf = "wlp3s0";
@ -76,10 +71,8 @@ with import <stockholm/lib>;
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
environment.systemPackages = [ pkgs.passwdqc-utils ]; environment.systemPackages = [ pkgs.passwdqc-utils ];
virtualisation.docker.enable = true;
# configure pulseAudio to provide a HDMI sink as well # configure pulseAudio to provide a HDMI sink as well
networking.firewall.enable = true; networking.firewall.enable = true;


@ -11,7 +11,10 @@ in
package = pulse; package = pulse;
}; };
environment.systemPackages = with pkgs; [ jack2Full ]; environment.systemPackages = with pkgs; [
jack2Full
jack_capture
];
# from http://anderspapitto.com/posts/2015-11-26-overtone-on-nixos-with-jack-and-pulseaudio.html # from http://anderspapitto.com/posts/2015-11-26-overtone-on-nixos-with-jack-and-pulseaudio.html
systemd.user.services = { systemd.user.services = {


@ -10,7 +10,7 @@ in
musnix.enable = true; musnix.enable = true;
musnix.kernel.optimize = true; musnix.kernel.optimize = true;
musnix.kernel.realtime = true; musnix.kernel.realtime = true;
# TODO: musnix.kernel.packages = pkgs.linuxPackages_latest_rt; musnix.kernel.packages = pkgs.linuxPackages_latest_rt;
users.users."${user}".extraGroups = [ "audio" ]; users.users."${user}".extraGroups = [ "audio" ];
} }


@ -22,7 +22,7 @@ with import <stockholm/lib>;
user = config.krebs.users.makefu; user = config.krebs.users.makefu;
source = let source = let
inherit (config.krebs.build) host user; inherit (config.krebs.build) host user;
ref = "7a7c39c"; # unstable @ 2017-05-09 + graceful requests2 + logstash5 ref = "06734d1"; # unstable @ 2017-07-03 + graceful requests2 (a772c3aa)
in { in {
nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then nixpkgs = if config.makefu.full-populate || (getEnv "dummy_secrets" == "true") then
{ {


@ -25,6 +25,10 @@ in {
stdout { codec => rubydebug } stdout { codec => rubydebug }
exec { command => "${runit} '%{message}" } exec { command => "${runit} '%{message}" }
''; '';
plugins = [ ]; extraSettings = ''
path.plugins: [ "${pkgs.logstash-output-exec}" ]
'';
## NameError: `@path.plugins' is not allowable as an instance variable name
# plugins = [ pkgs.logstash-output-exec ];
}; };
} }


@ -31,6 +31,7 @@ in {
}; };
# after = [ (lib.optional config.services.mosqitto.enable "mosquitto.service") ]; # after = [ (lib.optional config.services.mosqitto.enable "mosquitto.service") ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network-online.target" ];
serviceConfig = { serviceConfig = {
# User = "nobody"; # need a user with permissions to run nix-shell # User = "nobody"; # need a user with permissions to run nix-shell
ExecStart = "${pkg}/bin/ampel 4 ${pkg}/share/times.json"; ExecStart = "${pkg}/bin/ampel 4 ${pkg}/share/times.json";
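Review bot: `after = [ "network-online.target" ];` only orders the unit relative to the target; it does not pull the target in, so on a system where nothing else wants `network-online.target` the ordering has no effect and the service can still start before the network is up. Add `wants = [ "network-online.target" ];` next to it. The `dns-lancache-prepare` service added elsewhere in this commit has the same `after`-only line and needs the same `wants`. The unit definition begins outside this hunk.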


@ -0,0 +1,4 @@
{...}:
{
virtualisation.docker.enable = true;
}


@ -0,0 +1,4 @@
{ config, ... }:
{
boot.extraModulePackages = [ config.boot.kernelPackages.exfat-nofuse ];
}


@ -1,9 +1,8 @@
{ pkgs, ... }: { pkgs, ... }:
{ {
# TODO: un-pin linuxPackages somehow # TODO: un-pin linuxPackages somehow
boot.kernelPackages = builtins.trace "Warning: overriding kernel Packages with 4.9" pkgs.linuxPackages_4_9;
nixpkgs.config.packageOverrides = pkgs: { nixpkgs.config.packageOverrides = pkgs: {
linux_4_9 = pkgs.linux_4_9.override { linux_latest = pkgs.linux_latest.override {
extraConfig = '' extraConfig = ''
MEDIA_ANALOG_TV_SUPPORT y MEDIA_ANALOG_TV_SUPPORT y
VIDEO_STK1160_COMMON m VIDEO_STK1160_COMMON m


@ -44,8 +44,7 @@ with import <stockholm/lib>;
''; '';
# enable HDMI output switching with pulseaudio # enable HDMI output switching with pulseaudio
hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" '' hardware.pulseaudio.extraConfig = ''
${builtins.readFile "${config.hardware.pulseaudio.package.out}/etc/pulse/default.pa"}
load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI" load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI"
''; '';


@ -0,0 +1,55 @@
{ pkgs, lib, config, ... }:
with import <stockholm/lib>;
let
# see https://github.com/zeropingheroes/lancache for full docs
lancache-dns = pkgs.stdenv.mkDerivation rec {
name = "lancache-dns-2017-06-28";
src = pkgs.fetchFromGitHub {
# forked: https://github.com/zeropingheroes/lancache-dns
repo = "lancache-dns";
owner = "zeropingheroes";
rev = "420aa62";
sha256 = "0ik7by7ripdv2avyy5kk9jp1i7rz9ksc8xmg7n9iik365q9pv94m";
};
phases = [ "unpackPhase" "installPhase" ];
# here we can chance to edit `includes/proxy-cache-paths.conf`
installPhase = ''
mkdir -p $out
cp -r * $out/
'';
};
stateDir = "/var/lib/unbound";
user = "unbound";
upstream-server = "8.8.8.8";
in {
services.unbound = {
enable = true;
allowedAccess = [ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
interfaces = ["0.0.0.0" "::" ];
forwardAddresses = [ upstream-server ];
extraConfig = ''
include: "${stateDir}/lancache/*.conf"
'';
};
services.dnscrypt-proxy.enable = lib.mkForce false;
virtualisation.libvirtd.enable = lib.mkForce false;
systemd.services.dns-lancache-prepare = {
wantedBy = [ "unbound.service" ];
before = [ "unbound.service" ];
after = [ "network-online.target" ];
partOf= [ "unbound.service" ];
path = [ pkgs.gawk pkgs.iproute pkgs.gnused ];
script = ''
set -xeu
current_ip=$(ip route get 8.8.8.8 | awk '/8.8.8.8/ {print $NF}')
old_ip=10.1.1.250
mkdir -p ${stateDir}
rm -rvf ${stateDir}/lancache
cp -r ${lancache-dns}/upstreams-available ${stateDir}/lancache
sed -i "s/$old_ip/$current_ip/g" ${stateDir}/lancache/*.conf
chown -R unbound ${stateDir}
'';
};
networking.firewall.allowedUDPPorts = [ 53 ];
}
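Review bot: `current_ip` on line 900 is never checked to be non-empty, so if `ip route get` prints a layout where `$NF` is not the source address (the field depends on the iproute2 version) the `sed` on line 905 silently rewrites every `10.1.1.250` to an empty string and unbound is left with broken include files; `set -u` does not catch an empty command substitution, so add `test -n "$current_ip"` after line 900. The `user = "unbound"` binding on line 878 is unused while line 906 hardcodes `chown -R unbound`; use `${user}` there or drop the binding. The `# here we can chance to edit …proxy-cache-paths.conf` comment on line 871 is copied from the nginx package and does not apply to the DNS tree. With `services.dnscrypt-proxy.enable = lib.mkForce false` upstream queries now go to `8.8.8.8` in plaintext; a one-line comment stating that this is accepted would help the next reader.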


@ -0,0 +1,74 @@
{ pkgs, lib, config, ... }:
with import <stockholm/lib>;
let
# see https://github.com/zeropingheroes/lancache for full docs
lancache= pkgs.stdenv.mkDerivation rec {
name = "lancache-2017-06-26";
src = pkgs.fetchFromGitHub {
# origin: https://github.com/multiplay/lancache
# forked: https://github.com/zeropingheroes/lancache
repo = "lancache";
owner = "zeropingheroes";
rev = "143f7bb";
sha256 = "1ra4l7qz3k231j5wabr89s5hh80n1kk8vgd3dsh0xx5mdpjhvdl6";
};
phases = [ "unpackPhase" "installPhase" ];
# here we can chance to edit `includes/proxy-cache-paths.conf`
installPhase = ''
mkdir -p $out
cp -r * $out/
sed -i -e 's/^\(user\).*/\1 ${cfg.user} ${cfg.group};/' \
-e '1 idaemon off;' \
$out/nginx.conf
'';
};
cfg = {
group = "nginx-lancache";
user = "nginx-lancache";
statedir = "/var/lancache";
package = pkgs.stdenv.lib.overrideDerivation pkgs.nginx (old:{
configureFlags = old.configureFlags ++ [
"--with-http_slice_module"
"--with-stream"
"--with-pcre"
];
});
};
in {
systemd.services.nginx-lancache = {
description = "Nginx lancache Server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
restartIfChanged = true;
preStart = ''
mkdir -p ${cfg.statedir} && cd ${cfg.statedir}
PATH_CACHE=$PATH_BASE/cache
PATH_LOGS=$PATH_BASE/logs
mkdir -p cache/{installers,tmp} logs
rm -f conf; ln -s ${lancache} conf
chown -R ${cfg.user}:${cfg.group} .
'';
serviceConfig = {
ExecStart = "${cfg.package}/bin/nginx -p ${cfg.statedir}";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
Restart = "always";
RestartSec = "10s";
StartLimitInterval = "1min";
};
};
environment.etc.nginx.source = lancache;
users.extraUsers = (singleton
{ name = cfg.user;
group = cfg.group;
uid = genid cfg.group;
});
users.extraGroups = (singleton
{ name = "${cfg.group}";
gid = genid cfg.group;
});
networking.firewall.allowedTCPPorts = [ 80 443 ];
}
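Review bot: `PATH_CACHE` and `PATH_LOGS` on lines 959-960 derive from `PATH_BASE`, which is never set anywhere in the preStart script, and neither variable is used afterwards; the `mkdir -p cache/{installers,tmp} logs` relative to the `cd` already does the work, so the two dangling lines should go. `serviceConfig` has no `User=`, so the nginx master runs as root and privilege separation for the workers rests entirely on the `user` directive that the sed on line 934 patches into nginx.conf; a short comment above `ExecStart` saying so would make that explicit. `chown -R` over the whole state dir on line 963 runs on every start and will get slower as the cache grows; hedged, but chowning only the directories just created is presumably enough.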


@ -1,6 +1,6 @@
{ {
krebs.build.source.musnix.git = { krebs.build.source.musnix.git = {
url = https://github.com/musnix/musnix.git; url = https://github.com/musnix/musnix.git;
ref = "37a8378"; ref = "f0ec1f3";
}; };
} }


@ -0,0 +1,18 @@
{ pkgs, ... }:
# Enables second factor for ssh password login
## Usage:
# gen-oath-safe <username> totp
## scan the qrcode with google authenticator (or FreeOTP)
## copy last line into secrets/<host>/users.oath (chmod 700)
{
security.pam.oath = {
# enabling it will make it a requisite of `all` services
# enable = true;
digits = 6;
# TODO assert existing
usersFile = (toString <secrets>) + "/users.oath";
};
# I want TFA only active for sshd with password-auth
security.pam.services.sshd.oathAuth = true;
}
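Review bot: The usage comment on line 1004 says `chmod 700` for the users.oath file; a secrets file needs no execute bit and `chmod 600` is the usual mode, so correct the comment before someone copies it. Line 1000 claims the module enables a second factor, but `security.pam.oath.enable` is left commented out and only `security.pam.services.sshd.oathAuth` is set, so the header should say that OATH is wired into sshd only. The `# TODO assert existing` on line 1010 could become an `assert builtins.pathExists …`, but hedged: `<secrets>` may intentionally be absent in dummy-secrets builds, so document that trade-off instead if so.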


@ -0,0 +1,14 @@
{ pkgs, ... }:
{
krebs.per-user.makefu.packages = [
pkgs.taskwarrior
];
environment.shellAliases = {
tshack = "task project:shack";
twork = "task project:soc";
tpki = "task project:pki";
tkrebs = "task project:krebs";
t = "task project: ";
};
}


@ -12,5 +12,8 @@
cac-api cac-api
cac-panel cac-panel
ovh-zone ovh-zone
whatsupnix
brain
gen-oath-safe
]; ];
} }


@ -2,13 +2,16 @@
{ {
krebs.per-user.makefu.packages = with pkgs;[ krebs.per-user.makefu.packages = with pkgs;[
# media
gimp gimp
inkscape inkscape
libreoffice libreoffice
saleae-logic
skype skype
synergy synergy
tdesktop tdesktop
virtmanager virtmanager
# Dev
saleae-logic
arduino-user-env
]; ];
} }


@ -1,27 +0,0 @@
{ config, lib, ... }:
{
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.makefu.mail;
onCalendar = "*-*-* 05:00:00";
urls = [
## nixpkgs maintenance
https://api.github.com/repos/ovh/python-ovh/tags
https://api.github.com/repos/embray/d2to1/tags
https://api.github.com/repos/Mic92/vicious/tags
https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
https://github.com/amadvance/snapraid/releases.atom
https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
https://api.github.com/repos/embray/d2to1/tags
https://api.github.com/repos/dorimanx/exfat-nofuse/commits
https://api.github.com/repos/dorimanx/exfat-nofuse/tags
https://api.github.com/repos/radare/radare2/tags
https://api.github.com/repos/rapid7/metasploit-framework/tags
];
};
}


@ -0,0 +1,45 @@
{ config, lib, ... }:
{
krebs.urlwatch = {
enable = true;
mailto = config.krebs.users.makefu.mail;
onCalendar = "*-*-* 05:00:00";
hooksFile = ./hook.py;
urls = [
## nixpkgs maintenance
# github
## No rate limit
https://github.com/amadvance/snapraid/releases.atom
https://github.com/radare/radare2/releases.atom
https://github.com/ovh/python-ovh/releases.atom
https://github.com/embray/d2to1/releases.atom
https://github.com/Mic92/vicious/releases.atom
https://github.com/embray/d2to1/releases.atom
https://github.com/dorimanx/exfat-nofuse/releases.atom
https://github.com/rapid7/metasploit-framework/releases.atom
## rate limited
# https://api.github.com/repos/dorimanx/exfat-nofuse/commits
# https://api.github.com/repos/mcepl/gen-oath-safe/commits
https://api.github.com/repos/naim94a/udpt/commits
https://api.github.com/repos/dirkvdb/ps3netsrv--/commits
# pypi
https://pypi.python.org/simple/bepasty/
https://pypi.python.org/simple/xstatic/
https://pypi.python.org/simple/devpi-client/
# weird shit
http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/
http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/
https://erdgeist.org/gitweb/opentracker/info/refs?service=git-upload-pack
https://git.tasktools.org/TM/taskd/info/refs?service=git-upload-pack
{
url = https://newellrubbermaid.secure.force.com/dymopkb/articles/en_US/FAQ/Dymo-Drivers-and-Downloads/?l=en_US&c=Segment:Dymo&fs=Search&pn=1 ;
filter = "grep:Software/Linux/dymo-cups-drivers";
}
# TODO: dymo cups
];
};
}
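Review bot: `https://github.com/embray/d2to1/releases.atom` is listed twice (lines 1112 and 1114), which only doubles the fetch; drop one. Line 1127 embeds a basic-auth credential pair in a plain `http://` URL that is committed to the repository and sent unencrypted on every run; even if it is a public guest login, either move it into the secrets tree or add a comment stating that it is a public guest account so nobody mistakes it for a leaked secret. The `## rate limited` grouping is useful, since the unauthenticated GitHub API limit presumably still applies to a daily run.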


@ -0,0 +1,16 @@
import logging
logging.basicConfig(level=logging.INFO)
log = logging.getLogger()
log.setLevel(level=logging.INFO)
import re
import json
from urlwatch import filters
class JsonFilter(filters.RegexMatchFilter):
MATCH = {'url': re.compile('https?://api.github.com/.*')}
def filter(self, data):
return json.dumps(json.loads(data),indent=2,sort_keys=True)
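Review bot: `logging.basicConfig(level=logging.INFO)` runs at import time of a file that urlwatch presumably loads as its hooks plugin (`hooksFile = ./hook.py` in the urlwatch config), so it reconfigures the host program's root logger, and `log` on line 1145 is never used afterwards (its `setLevel` repeats the `level=` already passed to basicConfig). Drop lines 1144-1146 or replace them with `log = logging.getLogger(__name__)` and let urlwatch configure logging. The `MATCH` regex on line 1151 uses unescaped dots and so also matches hosts such as `api-github.com`; `re.compile(r'https?://api\.github\.com/.*')` is what is meant. A one-line docstring on `JsonFilter` saying it pretty-prints GitHub API JSON with sorted keys so diffs stay stable would document the intent.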


@ -0,0 +1,35 @@
{ lib, pkgs, ... }: let
#TODO: make sure env exists prior to running
env_nix = pkgs.writeText "env.nix" ''
{ pkgs ? import <nixpkgs> {} }:
(pkgs.buildFHSUserEnv {
name = "arduino-user-env";
targetPkgs = pkgs: with pkgs; [
coreutils
];
multiPkgs = pkgs: with pkgs; [
arduino
alsaLib
zlib
xorg.libXxf86vm
curl
openal
openssl_1_0_2
xorg.libXext
xorg.libX11
xorg.libXrandr
xorg.libXcursor
xorg.libXinerama
xorg.libXi
mesa_glu
];
runScript = "zsh";
}).env
'';
in pkgs.writeDashBin "arduino-user-env" ''
nix-shell ${env_nix}
''
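Review bot: The `nix-shell ${env_nix}` wrapper on line 1187 forwards no arguments, so anything passed to `arduino-user-env` is silently ignored; `nix-shell ${env_nix} "$@"` keeps the default behaviour and makes `--run` usable. The env file imports `<nixpkgs>` at run time (line 1161), so the FHS environment is built from whatever NIX_PATH points to when the command runs rather than from the pinned `pkgs` that builds the wrapper; the `#TODO: make sure env exists prior to running` comment on line 1159 presumably refers to this and could say so, e.g. `# NOTE: the FHS env is evaluated from <nixpkgs> at run time, not from the pinned pkgs`.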


@ -0,0 +1,37 @@
{ coreutils, makeWrapper, openssl, libcaca, qrencode, fetchFromGitHub, yubikey-manager, python, stdenv, ... }:
stdenv.mkDerivation {
name = "geno-oath-safe-2017-06-30";
src = fetchFromGitHub {
owner = "mcepl";
repo = "gen-oath-safe";
rev = "fb53841";
sha256 = "0018kqmhg0861r5xkbis2a1rx49gyn0dxcyj05wap5ms7zz69m0m";
};
phases = [
"unpackPhase"
"installPhase"
"fixupPhase"
];
buildInputs = [ makeWrapper ];
installPhase =
let
path = stdenv.lib.makeBinPath [
coreutils
openssl
qrencode
yubikey-manager
libcaca
python
];
in
''
mkdir -p $out/bin
cp gen-oath-safe $out/bin/
wrapProgram $out/bin/gen-oath-safe \
--prefix PATH : ${path}
'';
}
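Review bot: The derivation name on line 1195 reads `geno-oath-safe-2017-06-30` while the upstream repo and the installed binary are `gen-oath-safe` (lines 1198 and 1221); the extra `o` looks like a typo and will show up in store paths and package listings. `makeWrapper` on line 1207 belongs in `nativeBuildInputs` rather than `buildInputs`, since it is only needed at build time. A short comment above `path` noting that the script shells out to these tools at run time (presumably why they are prefixed onto PATH) would document the list.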


@ -11,7 +11,7 @@ with import <stockholm/lib>;
nixos-config.symlink = "stockholm/${user.name}/1systems/${host.name}.nix"; nixos-config.symlink = "stockholm/${user.name}/1systems/${host.name}.nix";
nixpkgs.git = { nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
ref = "58e227052d40021d82d015f3f8da011ae54ea430"; # nixos-17.03 @ 2017-05-24 ref = "72c9ed78d0b1d9d5f531805ddf5bf06bfd447614"; # nixos-17.03 @ 2017-06-17
}; };
secrets.file = secrets.file =
if getEnv "dummy_secrets" == "true" if getEnv "dummy_secrets" == "true"

shell.nix Normal file

@ -0,0 +1,186 @@
let
lib = import ./lib;
pkgs = import <nixpkgs> { overlays = [(import ./krebs/5pkgs)]; };
# usage: deploy --system=SYSTEM [--target=TARGET]
cmds.deploy = pkgs.writeDash "cmds.deploy" ''
set -efu
command=deploy
. ${init.args}
\test -n "''${target-}" || target=$system
. ${init.env}
exec ${utils.deploy}
'';
# usage: test --system=SYSTEM --target=TARGET
cmds.test = pkgs.writeDash "cmds.test" /* sh */ ''
set -efu
command=test
. ${init.args}
. ${init.env}
export dummy_secrets=true
exec ${utils.build} config.system.build.toplevel
'';
init.args = pkgs.writeText "init.args" /* sh */ ''
args=$(${pkgs.utillinux}/bin/getopt -n "$command" -s sh \
-o s:t: \
-l system:,target: \
-- "$@")
if \test $? != 0; then exit 1; fi
eval set -- "$args"
while :; do case $1 in
-s|--system) system=$2; shift 2;;
-t|--target) target=$2; shift 2;;
--) shift; break;;
esac; done
for arg; do echo "$command: bad argument: $arg" >&2; done
if \test $# != 0; then exit 2; fi
'';
init.env = pkgs.writeText "init.env" /* sh */ ''
config=''${config-$LOGNAME/1systems/$system.nix}
export config
export system
export target
export target_object="$(${init.env.parsetarget} $target)"
export target_user="$(echo $target_object | ${pkgs.jq}/bin/jq -r .user)"
export target_host="$(echo $target_object | ${pkgs.jq}/bin/jq -r .host)"
export target_port="$(echo $target_object | ${pkgs.jq}/bin/jq -r .port)"
export target_path="$(echo $target_object | ${pkgs.jq}/bin/jq -r .path)"
export target_local="$(echo $target_object | ${pkgs.jq}/bin/jq -r .local)"
if \test "''${using_proxy-}" != true; then
${init.env.populate}
if \test "$target_local" != true; then
exec ${init.env.proxy} "$command" "$@"
fi
fi
'' // {
parsetarget = pkgs.writeDash "init.env.parsetarget" ''
set -efu
exec ${pkgs.jq}/bin/jq \
-enr \
--arg target "$1" \
-f ${init.env.parsetarget.jq}
'' // {
jq = pkgs.writeText "init.env.parsetarget.jq" ''
def when(c; f): if c then f else . end;
def capturesDef(i; v): .captures[i].string | when(. == null; v);
$target | match("^(?:([^@]+)@)?([^:/]+)?(?::([0-9]+))?(/.*)?$") | {
user: capturesDef(0; "root"),
host: capturesDef(1; env.system),
port: capturesDef(2; "22"),
path: capturesDef(3; "/var/src"),
} | . + {
local: (.user == env.LOGNAME and .host == env.HOSTNAME),
}
'';
};
populate = pkgs.writeDash "init.env.populate" ''
set -efu
${pkgs.nix}/bin/nix-instantiate \
--eval \
--json \
--readonly-mode \
--show-trace \
--strict \
-I nixos-config="$config" \
-E 'with import <stockholm>; config.krebs.build.source' \
|
${pkgs.populate}/bin/populate \
"$target_user@$target_host:$target_port$target_path" \
>&2
'';
proxy = pkgs.writeDash "init.env.proxy" ''
set -efu
q() {
${pkgs.jq}/bin/jq -nr --arg x "$*" '$x | @sh "\(.)"'
}
exec ${pkgs.openssh}/bin/ssh \
"$target_user@$target_host" -p "$target_port" \
cd "$target_path/stockholm" \; \
NIX_PATH=$(q "$target_path") \
STOCKHOLM_VERSION=$STOCKHOLM_VERSION \
nix-shell \
--command $(q \
config=$config \
system=$system \
target=$target \
using_proxy=true \
"$*"
)
'';
};
utils.build = pkgs.writeDash "utils.build" ''
set -efu
${pkgs.nix}/bin/nix-build \
-Q \
--no-out-link \
--show-trace \
-E "with import <stockholm>; $1" \
-I "$target_path" \
2>&1 |
${pkgs.whatsupnix}/bin/whatsupnix
'';
utils.deploy = pkgs.writeDash "utils.deploy" ''
set -efu
PATH=/run/current-system/sw/bin nixos-rebuild switch \
-Q \
--show-trace \
-I "$target_path" \
2>&1 |
${pkgs.whatsupnix}/bin/whatsupnix
'';
shell.get-version = pkgs.writeDash "shell.get-version" ''
set -efu
version=git.$(${pkgs.git}/bin/git describe --always --dirty)
case $version in (*-dirty)
version=$version@$HOSTNAME
esac
date=$(${pkgs.coreutils}/bin/date +%y.%m)
echo "$date.$version"
'';
shell.cmdspkg = pkgs.writeOut "shell.cmdspkg" (lib.mapAttrs' (name: link:
lib.nameValuePair "/bin/${name}" { inherit link; }
) cmds);
in pkgs.stdenv.mkDerivation {
name = "stockholm";
shellHook = /* sh */ ''
export NIX_PATH="stockholm=$PWD''${NIX_PATH+:$NIX_PATH}"
export PATH=${lib.makeBinPath [
shell.cmdspkg
]}
eval "$(declare -F | ${pkgs.gnused}/bin/sed s/declare/unset/)"
shopt -u no_empty_cmd_completion
unalias -a
enable -n \
. [ alias bg bind break builtin caller cd command compgen complete \
compopt continue dirs disown eval exec false fc fg getopts hash \
help history jobs kill let local logout mapfile popd printf pushd \
pwd read readarray readonly shift source suspend test times trap \
true typeset ulimit umask unalias wait
exitHandler() {
:
}
export HOSTNAME="$(${pkgs.nettools}/bin/hostname)"
export STOCKHOLM_VERSION="''${STOCKHOLM_VERSION-$(${shell.get-version})}"
PS1='\[\e[38;5;162m\]\w\[\e[0m\] '
'';
}
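Review bot: In `init.env.proxy`, `STOCKHOLM_VERSION=$STOCKHOLM_VERSION` on line 1341 is spliced into the remote ssh command line unquoted, while `NIX_PATH` and the nix-shell command on the neighbouring lines go through the `q` shell-quoting helper; the value comes from `git describe --dirty` plus `@$HOSTNAME` (lines 1374-1376), and anything shell-significant in it is re-interpreted by the remote shell. Use `STOCKHOLM_VERSION=$(q "$STOCKHOLM_VERSION") \` like its neighbours. Likewise `$target` on line 1284 is expanded unquoted in `$(${init.env.parsetarget} $target)`; `"$target"` keeps word splitting out of the target parser. The hunk header announces 186 added lines but fewer are rendered here, so some blank lines were presumably dropped by the page; the references above are to the visible lines.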


@ -58,7 +58,7 @@ with import <stockholm/lib>;
krebs.build = { krebs.build = {
host = config.krebs.hosts.alnus; host = config.krebs.hosts.alnus;
user = mkForce config.krebs.users.dv; user = mkForce config.krebs.users.dv;
source.nixpkgs.git.ref = mkForce "e924319cb6c74aa2a9c943eddeb0caef79db01bc"; source.nixpkgs.git.ref = mkForce "9b948ea439ddbaa26740ce35543e7e35d2aa6d18";
}; };
networking.networkmanager.enable = true; networking.networkmanager.enable = true;


@ -25,7 +25,6 @@ with import <stockholm/lib>;
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
htop
iftop iftop
iotop iotop
iptables iptables


@ -79,15 +79,12 @@ with import <stockholm/lib>;
gimp gimp
xsane xsane
firefoxWrapper firefoxWrapper
chromiumDev chromium
skype skype
libreoffice libreoffice
kde4.l10n.de
kde4.plasma-nm
pidgin-with-plugins pidgin-with-plugins
pidginotr pidginotr
kde4.print_manager
#foomatic_filters #foomatic_filters
#gutenprint #gutenprint
#cups_pdf_filter #cups_pdf_filter
@ -101,7 +98,7 @@ with import <stockholm/lib>;
security.wrappers = { security.wrappers = {
sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron sendmail.source = "${pkgs.exim}/bin/sendmail"; # for cron
slock.slock = "${pkgs.slock}/bin/slock"; slock.source = "${pkgs.slock}/bin/slock";
}; };
security.pam.loginLimits = [ security.pam.loginLimits = [
@ -138,7 +135,9 @@ with import <stockholm/lib>;
twoFingerScroll = true; twoFingerScroll = true;
}; };
services.xserver.desktopManager.kde4.enable = true; services.xserver.desktopManager.plasma5 = {
enable = true;
};
services.xserver.displayManager.auto = { services.xserver.displayManager.auto = {
enable = true; enable = true;
user = "vv"; user = "vv";


@ -31,7 +31,6 @@ with import <stockholm/lib>;
get get
gnupg1compat gnupg1compat
haskellPackages.hledger haskellPackages.hledger
htop
jq jq
mkpasswd mkpasswd
netcat netcat


@ -34,7 +34,6 @@ with import <stockholm/lib>;
file file
gnupg1compat gnupg1compat
haskellPackages.hledger haskellPackages.hledger
htop
jq jq
krebszones krebszones
mkpasswd mkpasswd


@ -36,7 +36,6 @@ with import <stockholm/lib>;
file file
gnupg1compat gnupg1compat
haskellPackages.hledger haskellPackages.hledger
htop
jq jq
mkpasswd mkpasswd
netcat netcat


@ -1,20 +1,20 @@
{ config, lib, pkgs, ... }:
with import <stockholm/lib>; with import <stockholm/lib>;
{ config, lib, pkgs, ... }: let
{ builder = if getEnv "dummy_secrets" == "true"
then "buildbot"
else "tv";
in {
krebs.enable = true; krebs.enable = true;
krebs.build = { krebs.build = {
user = config.krebs.users.tv; user = config.krebs.users.tv;
source = let inherit (config.krebs.build) host; in { source = let inherit (config.krebs.build) host; in {
nixos-config.symlink = "stockholm/tv/1systems/${host.name}.nix"; nixos-config.symlink = "stockholm/tv/1systems/${host.name}.nix";
secrets.file = secrets.file = getAttr builder {
if getEnv "dummy_secrets" == "true" buildbot = toString <stockholm/tv/dummy_secrets>;
then toString <stockholm/tv/dummy_secrets> tv = "/home/tv/secrets/${host.name}";
else "/home/tv/secrets/${host.name}"; };
secrets-common.file = "/home/tv/secrets/common"; secrets-common.file = "/home/tv/secrets/common";
stockholm.file = "/home/tv/stockholm";
nixpkgs.git = { nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs; url = https://github.com/NixOS/nixpkgs;
ref = "412b0a17aa2975e092c7ab95a38561c5f82908d4"; # nixos-17.03 ref = "412b0a17aa2975e092c7ab95a38561c5f82908d4"; # nixos-17.03
@ -158,9 +158,10 @@ with import <stockholm/lib>;
{ {
environment.systemPackages = [ environment.systemPackages = [
pkgs.get pkgs.get
pkgs.htop
pkgs.krebspaste pkgs.krebspaste
pkgs.ovh-zone
pkgs.nix-prefetch-scripts pkgs.nix-prefetch-scripts
pkgs.ovh-zone
pkgs.push pkgs.push
]; ];
} }
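Review bot: `secrets.file` is now selected through `builder` (lines 1510-1513), but `secrets-common.file = "/home/tv/secrets/common"` on line 1514 is still the tv-only path, so a `buildbot` evaluation with `dummy_secrets=true` presumably still points at a directory that does not exist on the builder. If that is intended, a comment next to `secrets-common.file` explaining why it needs no dummy counterpart would save the next reader the question. The `let … builder …` block would also read better with a one-line comment, e.g. `# builder is chosen from the dummy_secrets env var, not from the host`. The file continues past both hunks.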


@ -7,7 +7,6 @@ with import <stockholm/lib>;
htop = pkgs.symlinkJoin { htop = pkgs.symlinkJoin {
name = "htop"; name = "htop";
paths = [ paths = [
super.htop
(pkgs.writeDashBin "htop" '' (pkgs.writeDashBin "htop" ''
export HTOPRC=${pkgs.writeText "htoprc" '' export HTOPRC=${pkgs.writeText "htoprc" ''
fields=0 48 17 18 38 39 40 2 46 47 49 1 fields=0 48 17 18 38 39 40 2 46 47 49 1
@ -37,6 +36,7 @@ with import <stockholm/lib>;
''} ''}
exec ${super.htop}/bin/htop "$@" exec ${super.htop}/bin/htop "$@"
'') '')
super.htop
]; ];
}; };
}; };


@ -300,7 +300,6 @@ let {
vim-wrapper = pkgs.symlinkJoin { vim-wrapper = pkgs.symlinkJoin {
name = "vim"; name = "vim";
paths = [ paths = [
pkgs.vim_configurable
(pkgs.writeDashBin "vim" '' (pkgs.writeDashBin "vim" ''
set -efu set -efu
(umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs}) (umask 0077; exec ${pkgs.coreutils}/bin/mkdir -p ${toString mkdirs})
@ -310,6 +309,7 @@ let {
# vim-orgmode needs Python, thus vim_configurable instead of just vim # vim-orgmode needs Python, thus vim_configurable instead of just vim
exec ${pkgs.vim_configurable}/bin/vim "$@" exec ${pkgs.vim_configurable}/bin/vim "$@"
'') '')
pkgs.vim_configurable
]; ];
}; };


@ -1,40 +1,54 @@
{ config, pkgs, ... }:
with import <stockholm/lib>; with import <stockholm/lib>;
{ self: super: let
nixpkgs.config.packageOverrides = super: let
# This callPackage will try to detect obsolete overrides. # This callPackage will try to detect obsolete overrides.
callPackage = path: args: let callPackage = path: args: let
override = super.callPackage path args; override = super.callPackage path args;
upstream = optionalAttrs (override ? "name") upstream = optionalAttrs (override ? "name")
(super.${(parseDrvName override.name).name} or {}); (super.${(parseDrvName override.name).name} or {});
in if upstream ? "name" && in if upstream ? "name" &&
override ? "name" && override ? "name" &&
compareVersions upstream.name override.name != -1 compareVersions upstream.name override.name != -1
then trace "Upstream `${upstream.name}' gets overridden by `${override.name}'." override then
else override; trace
"Upstream `${upstream.name}' gets overridden by `${override.name}'."
override
else override;
in {} in {
// mapAttrs (_: flip callPackage {})
(filterAttrs (_: dir: pathExists (dir + "/default.nix")) # TODO use XDG_RUNTIME_DIR?
(subdirsOf ./.)) cr = self.writeDashBin "cr" ''
// { set -efu
# TODO use XDG_RUNTIME_DIR? export LC_TIME=de_DE.utf8
cr = pkgs.writeDashBin "cr" '' exec ${self.chromium}/bin/chromium \
set -efu --ssl-version-min=tls1 \
export LC_TIME=de_DE.utf8 --disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \
exec ${pkgs.chromium}/bin/chromium \ --disk-cache-size=50000000 \
--ssl-version-min=tls1 \ "$@"
--disk-cache-dir=/tmp/chromium-disk-cache_"$LOGNAME" \ '';
--disk-cache-size=50000000 \
"$@" ejabberd = callPackage ./ejabberd {
''; erlang = self.erlangR16;
ejabberd = callPackage ./ejabberd {
erlang = pkgs.erlangR16;
};
ff = pkgs.writeDashBin "ff" ''
exec ${pkgs.firefoxWrapper}/bin/firefox "$@"
'';
gnupg = pkgs.gnupg21;
}; };
ff = self.writeDashBin "ff" ''
exec ${self.firefoxWrapper}/bin/firefox "$@"
'';
gnupg = self.gnupg21;
# https://github.com/NixOS/nixpkgs/issues/16113
wvdial = let
nixpkgs-1509 = import (self.fetchFromGitHub {
owner = "NixOS"; repo = "nixpkgs-channels";
rev = "91371c2bb6e20fc0df7a812332d99c38b21a2bda";
sha256 = "1as1i0j9d2n3iap9b471y4x01561r2s3vmjc5281qinirlr4al73";
}) {};
in nixpkgs-1509.wvdial;
} }
// mapAttrs (_: flip callPackage {})
(filterAttrs (_: dir: pathExists (dir + "/default.nix"))
(subdirsOf ./.))
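Review bot: The `wvdial` override (lines 1617-1623) imports an entire second nixpkgs tree pinned to a 2015 commit and takes the package from it, which also builds wvdial against that tree's old dependency closure (presumably including the libraries of that era that receive no further updates); the bare issue link on line 1616 does not say that this is a deliberate trade-off. A comment such as `# wvdial fails to build in current nixpkgs (NixOS/nixpkgs#16113); taken from the 15.09 channel, which drags in its old dependency closure — drop once fixed upstream` would record both the why and the cost. The rendered hunk interleaves the old and new columns, so the line references are approximate.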


@ -1,9 +1,9 @@
_: { pkgs, ... }:
{ {
imports = [ imports = [
../krebs ../krebs
./2configs ./2configs
./3modules ./3modules
./5pkgs
]; ];
nixpkgs.config.packageOverrides = import ./5pkgs pkgs;
} }
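Review bot: `nixpkgs.config.packageOverrides = import ./5pkgs pkgs;` on line 1640 passes the module's `pkgs` as the overlay's `self` and lets `packageOverrides` supply `super`, which works but hides that `./5pkgs` is now an overlay. If the pinned nixpkgs already provides the `nixpkgs.overlays` option (NixOS 17.03 does, hedged), `nixpkgs.overlays = [ (import ./5pkgs) ];` is the direct form and keeps `pkgs` out of the module arguments. Either way a one-line comment, `# ./5pkgs is an overlay (self: super: …), applied here via packageOverrides`, would explain the `import ./5pkgs pkgs` call.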