From 3607bd0832d0f47a4bf56cae7e4cb14f6e257bc9 Mon Sep 17 00:00:00 2001 From: tv Date: Wed, 4 Jan 2017 11:50:37 +0100 Subject: cd: hart eingeCACt --- krebs/3modules/tv/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/tv/default.nix b/krebs/3modules/tv/default.nix index d44c322aa..1220143a7 100644 --- a/krebs/3modules/tv/default.nix +++ b/krebs/3modules/tv/default.nix @@ -85,7 +85,7 @@ with import ; }; nets = { internet = { - ip4.addr = "45.62.237.203"; + ip4.addr = "64.137.177.226"; aliases = [ "cd.i" "cd.krebsco.de" -- cgit v1.3.1 From 9779351be952095ed55ad4ccee98452a8838cfb9 Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 7 Jan 2017 13:28:23 +0100 Subject: krebs.git: add authorizedKeys only for users found in rules --- krebs/3modules/git.nix | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/git.nix b/krebs/3modules/git.nix index 164831846..a08dbb32c 100644 --- a/krebs/3modules/git.nix +++ b/krebs/3modules/git.nix @@ -339,9 +339,11 @@ let description = "Git repository hosting user"; shell = "/bin/sh"; openssh.authorizedKeys.keys = - mapAttrsToList (_: makeAuthorizedKey git-ssh-command) - (filterAttrs (_: user: isString user.pubkey) - config.krebs.users); + unique + (sort lessThan + (map (makeAuthorizedKey git-ssh-command) + (filter (user: isString user.pubkey) + (concatMap (getAttr "user") cfg.rules)))); }; }; -- cgit v1.3.1 From 270f385c72beea35d797d807c28a08811ebb614b Mon Sep 17 00:00:00 2001 
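Review bot: The key list for the git user now depends on `cfg.rules` instead of on every entry in `config.krebs.users`, which changes who can reach the hosting user over SSH and deserves a comment next to `openssh.authorizedKeys.keys`, e.g. `# only users referenced by at least one rule get a key; removing a user's last rule revokes their SSH access`. The `filter (user: isString user.pubkey)` step still drops users without a string pubkey silently, so a rule that references such a user can never be exercised over SSH; an assertion or warning there would make that visible at evaluation time. `concatMap (getAttr "user") cfg.rules` assumes each rule's `user` attribute is a list, which presumably the option type outside this hunk guarantees.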
From: nin Date: Thu, 12 Jan 2017 22:21:21 +0100 Subject: nin: init --- krebs/3modules/default.nix | 1 + krebs/3modules/nin/default.nix | 40 ++++++++++ nin/1systems/hiawatha.nix | 125 +++++++++++++++++++++++++++++++ nin/2configs/default.nix | 165 +++++++++++++++++++++++++++++++++++++++++ nin/2configs/nixpkgs.nix | 8 ++ nin/2configs/retiolum.nix | 28 +++++++ nin/default.nix | 7 ++ 7 files changed, 374 insertions(+) create mode 100644 krebs/3modules/nin/default.nix create mode 100644 nin/1systems/hiawatha.nix create mode 100644 nin/2configs/default.nix create mode 100644 nin/2configs/nixpkgs.nix create mode 100644 nin/2configs/retiolum.nix create mode 100644 nin/default.nix (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index bf09b7424..05982bd54 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -93,6 +93,7 @@ let { krebs = import ./lass { inherit config; }; } { krebs = import ./makefu { inherit config; }; } { krebs = import ./mv { inherit config; }; } + { krebs = import ./nin { inherit config; }; } { krebs = import ./shared { inherit config; }; } { krebs = import ./tv { inherit config; }; } { diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix new file mode 100644 index 000000000..6f488fd25 --- /dev/null +++ b/krebs/3modules/nin/default.nix 
@@ -0,0 +1,40 @@ +{ config, ... }: + +with import ; + +{ + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.lass) { + hiawatha = { + cores = 2; + nets = { + retiolum = { + ip4.addr = "10.243.132.96"; + ip6.addr = "42:0000:0000:0000:0000:0000:0000:2342"; + aliases = [ + "hiawatha.retiolum" + "hiawatha.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAucIe5yLzKJ8F982XRpZT6CvyXuPrtnNTmw/E/T6Oyq88m/OVHh6o + Viho1XAlJZZwqNniItD0AQB98uFB3+3yA7FepnwwC+PEceIfBG4bTDNyYD3ZCsAB + iWpmRar9SQ7LFnoZ6X2lYaJkUD9afmvXqJJLR5MClnRQo5OSqXaFdp7ryWinHP7E + UkPSNByu4LbQ9CnBEW8mmCVZSBLb8ezxg3HpJSigmUcJgiDBJ6aj22BsZ5L+j1Sr + lvUuaCr8WOS41AYsD5dbTYk7EG42tU5utrOS6z5yHmhbA5r8Ro2OFi/R3Td68BIJ + yw/m8sfItBCvjJSMEpKHEDfGMBCfQKltCwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx"; + }; + + }; + users = { + nin = { + mail = "nin@hiawatha.retiolum"; + pubkey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDicZLUPEVNX7SgqYWcjPo0UESRizEfIvVVbiwa1aApA8x25u/5R3sevcgbIpLHYKDMl5tebny9inr6G2zqB6oq/pocQjHxrPnuLzqjvqeSpbjQjlNWJ9GaHT5koTXZHdkEXGL0vfv1SRDNWUiK0rNymr3GXab4DyrnRnuNl/G1UtLf4Zka94YUD0SSPdS9y6knnRrUWKjGMFBZEbNSgHqMGATPQP9VDwKHIO2OWGfiBAJ4nj/MWj+BxHDleCMY9zbym8yY7p/0PLaUe9eIyLC8MftJ5suuMmASlj+UGWgnqUxWxsMHax9y7CTAc23r1NNCXN5LC6/facGt0rEQrdrTizBgOA1FSHAPCl5f0DBEgWBrRuygEcAueuGWvI8/uvtvQQZLhosDbXEfs/3vm2xoYBe7wH4NZHm+d2LqgIcPXehH9hVQsl6pczngTCJt0Q/6tIMffjhDHeYf6xbe/n3AqFT0PylUSvOw/H5iHws3R6rxtgnOio7yTJ4sq0NMzXCtBY6LYPGnkwf0oKsgB8KavZVnxzF8B1TD4nNi0a7ma7bd1LMzI/oGE6i8kDMROgisIECOcoe8YYJZXIne/wimhhRKZAsd+VrKUo4SzNIavCruCodGAVh2vfrqRJD+HD/aWH7Vr1fCEexquaxeKpRtKGIPW9LRCcEsTilqpZdAiw== nin@hiawatha"; + }; + }; +} diff --git a/nin/1systems/hiawatha.nix b/nin/1systems/hiawatha.nix new file mode 100644 index 000000000..26de00d18 --- /dev/null +++ b/nin/1systems/hiawatha.nix 
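Review bot: The new hosts attrset sets `owner` to `config.krebs.users.lass` rather than the `nin` user that this same file defines, so hiawatha is attributed to a different person (presumably a copy-paste from another user's module); a later commit on this page corrects it, but the line should read `hosts = mapAttrs (_: setAttr "owner" config.krebs.users.nin) {` from the start. The empty `ssh.privkey.path = ;` and `with import ;` look like angle-bracket path literals stripped during extraction rather than errors in the file itself. The identical hunk in the duplicated commit 89e859a below has the same issue.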
@@ -0,0 +1,125 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../. + + ../2configs/retiolum.nix + ]; + + krebs.build.host = config.krebs.hosts.hiawatha; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/b83f8830-84f3-4282-b10e-015c4b76bd9e"; + fsType = "ext4"; + }; + + fileSystems."/tmp" = + { device = "tmpfs"; + fsType = "tmpfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/2f319b08-2560-401d-b53c-2abd28f1a010"; + fsType = "ext2"; + }; + + boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 4; + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + # Define on which hard drive you want to install Grub. + boot.loader.grub.device = "/dev/sda"; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + # Enable CUPS to print documents. 
+ # services.printing.enable = true; + + fileSystems."/home/nin/.local/share/Steam" = { + device = "/dev/fam/steam"; + }; + + # nin config + time.timeZone = "Europe/Berlin"; + services.xserver.enable = true; + + networking.networkmanager.enable = true; + #networking.wireless.enable = true; + + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + + hardware.bluetooth.enable = true; + + hardware.opengl.driSupport32Bit = true; + + #nixpkgs.config.steam.java = true; + + environment.variables.EDITOR = mkForce "vim"; + environment.variables.VIMINIT = ":so /etc/vimrc"; + environment.etc.vimrc.source = pkgs.writeText "vimrc" '' + set nocp + ''; + + environment.systemPackages = with pkgs; [ + firefox + steam + thunderbird + vim + git + hexchat + networkmanagerapplet + ]; + + nixpkgs.config = { + + allowUnfree = true; + + firefox = { + enableGoogleTalkPlugin = true; + enableAdobeFlash = true; + }; + }; + + #services.logind.extraConfig = "HandleLidSwitch=ignore"; + + services.xserver.synaptics = { + enable = true; + }; + + + services.xserver.desktopManager.xfce = let + xbindConfig = pkgs.writeText "xbindkeysrc" '' + "${pkgs.pass}/bin/passmenu --type" + Control + p + ''; + in { + enable = true; + extraSessionCommands = '' + ${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig} + ''; + }; + + # The NixOS release to be compatible with for stateful data such as databases. + system.stateVersion = "17.03"; + +} diff --git a/nin/2configs/default.nix b/nin/2configs/default.nix new file mode 100644 index 000000000..9b33e9c4a --- /dev/null +++ b/nin/2configs/default.nix 
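Review bot: `nixpkgs.config.firefox.enableAdobeFlash = true` and `enableGoogleTalkPlugin = true` pull unfree binary NPAPI plugins into the browser; Flash in particular has a long record of exploited vulnerabilities and widens the attack surface of the one application that processes untrusted content all day, so if they are needed a comment stating why would help, otherwise dropping both lines is the safer default. `services.openssh.enable = true` duplicates what `../2configs/default.nix` already sets (openssh is enabled there together with explicit host keys), so this line could go. `hardware.pulseaudio.systemWide = true` is a mode the NixOS option documentation advises against for desktop use; a comment on why it is wanted here would save the next reader a question. The same hunk appears again in the duplicated commit 89e859a below.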
@@ -0,0 +1,165 @@ +{ config, lib, pkgs, ... }: + +with import ; +{ + imports = [ + ../2configs/nixpkgs.nix + { + users.extraUsers = + mapAttrs (_: h: { hashedPassword = h; }) + (import ); + } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = [ + config.krebs.users.nin.pubkey + ]; + }; + mainUser = { + name = "nin"; + uid = 1337; + home = "/home/nin"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "fuse" + ]; + openssh.authorizedKeys.keys = [ + config.krebs.users.nin.pubkey + ]; + }; + }; + } + { + environment.variables = { + NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; + }; + } + (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in { + environment.variables = { + CURL_CA_BUNDLE = ca-bundle; + GIT_SSL_CAINFO = ca-bundle; + SSL_CERT_FILE = ca-bundle; + }; + }) + ]; + + networking.hostName = config.krebs.build.host.name; + nix.maxJobs = config.krebs.build.host.cores; + + krebs = { + enable = true; + search-domain = "retiolum"; + build = { + user = config.krebs.users.nin; + source = let inherit (config.krebs.build) host; in { + nixos-config.symlink = "stockholm/nin/1systems/${host.name}.nix"; + secrets.file = "/home/nin/secrets/${host.name}"; + stockholm.file = getEnv "PWD"; + }; + }; + }; + + nix.useSandbox = true; + + services.timesyncd.enable = true; + + #why is this on in the first place? 
+ services.nscd.enable = false; + + boot.tmpOnTmpfs = true; + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + MANPAGER=most + ''; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + #stockholm + git + gnumake + jq + proot + populate + p7zip + unzip + unrar + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + ''; + promptInit = '' + if test $UID = 0; then + PS1='\[\033[1;31m\]\w\[\033[0m\] ' + elif test $UID = 1337; then + PS1='\[\033[1;32m\]\w\[\033[0m\] ' + else + PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' + fi + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + krebs.iptables = { + enable = true; + tables = { + nat.PREROUTING.rules = [ + { predicate = "! 
-i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } + { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } + ]; + nat.OUTPUT.rules = [ + { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } + ]; + filter.INPUT.policy = "DROP"; + filter.FORWARD.policy = "DROP"; + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } + { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; } + { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } + { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } + ]; + }; + }; + + networking.dhcpcd.extraConfig = '' + noipv4ll + ''; +} diff --git a/nin/2configs/nixpkgs.nix b/nin/2configs/nixpkgs.nix new file mode 100644 index 000000000..eceab7e7b --- /dev/null +++ b/nin/2configs/nixpkgs.nix @@ -0,0 +1,8 @@ +{ ... }: + +{ + krebs.build.source.nixpkgs.git = { + url = https://github.com/nixos/nixpkgs; + ref = "fd1dbe551cf6338c5f4e4f80c2f5dde9f9e6a271"; + }; +} diff --git a/nin/2configs/retiolum.nix b/nin/2configs/retiolum.nix new file mode 100644 index 000000000..821e3cc00 --- /dev/null +++ b/nin/2configs/retiolum.nix 
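Review bot: `hostKeys` sets `bits = 8192` on an `ed25519` key, which ssh-keygen ignores because that key type has a fixed size; the `# XXX bits here make no science` comment admits as much, so the attribute should simply be dropped: `{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }`. The nat PREROUTING rules are non-obvious and deserve a comment: port 22 arriving on any interface other than retiolum is redirected to port 0, where the INPUT `--dport 22` ACCEPT no longer matches and the DROP policy applies, while 45621 is mapped to 22, e.g. `# sshd answers on 22 only via retiolum; from elsewhere use 45621`. `stockholm.file = getEnv "PWD"` makes the build source depend on the caller's working directory, which appears to be the stockholm convention but is worth a note. The same hunk is repeated in the duplicated commit 89e859a below.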
@@ -0,0 +1,28 @@ +{ ... }: + +{ + + krebs.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; } + { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; } + { predicate = "-p udp --dport tinc"; target = "ACCEPT"; } + ]; + }; + }; + + krebs.tinc.retiolum = { + enable = true; + connectTo = [ + "prism" + "pigstarter" + "gum" + "flap" + ]; + }; + + nixpkgs.config.packageOverrides = pkgs: { + tinc = pkgs.tinc_pre; + }; +} diff --git a/nin/default.nix b/nin/default.nix new file mode 100644 index 000000000..c31d6d949 --- /dev/null +++ b/nin/default.nix @@ -0,0 +1,7 @@ +_: +{ + imports = [ + ../krebs + ./2configs + ]; +} -- cgit v1.3.1 From 89e859a2cf5a6e9cbf07b3c92cc967f0e7ac0571 Mon Sep 17 00:00:00 2001 From: nin Date: Thu, 12 Jan 2017 22:21:21 +0100 Subject: nin: init --- krebs/3modules/default.nix | 1 + krebs/3modules/nin/default.nix | 40 ++++++++++ nin/1systems/hiawatha.nix | 125 +++++++++++++++++++++++++++++++ nin/2configs/default.nix | 165 +++++++++++++++++++++++++++++++++++++++++ nin/2configs/nixpkgs.nix | 8 ++ nin/2configs/retiolum.nix | 28 +++++++ nin/default.nix | 7 ++ 7 files changed, 374 insertions(+) create mode 100644 krebs/3modules/nin/default.nix create mode 100644 nin/1systems/hiawatha.nix create mode 100644 nin/2configs/default.nix create mode 100644 nin/2configs/nixpkgs.nix create mode 100644 nin/2configs/retiolum.nix create mode 100644 nin/default.nix (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index bf09b7424..05982bd54 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -93,6 +93,7 @@ let { krebs = import ./lass { inherit config; }; } { krebs = import ./makefu { inherit config; }; } { krebs = import ./mv { inherit config; }; } + { krebs = import ./nin { inherit config; }; } { krebs = import ./shared { inherit config; }; } { krebs = import ./tv { inherit config; }; } { 
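Review bot: `filter.INPUT.rules` accepts `-i retiolum -p tcp --dport smtp`, but nothing in this commit configures a mail service on hiawatha, so the rule opens a port with no listener behind it (presumably copied from another user's retiolum.nix); either drop it until an MTA is added or state the intent with `# accept retiolum-internal mail delivery (no MTA configured yet)`. The two `tinc` ACCEPT rules are deliberately not bound to an interface, which an overlay that peers over the public internet needs, though a comment saying so would make the contrast with the smtp rule clear. Overriding `tinc = pkgs.tinc_pre` to a pre-release package is a choice worth a one-line comment as well. The identical hunk appears in the duplicated commit 89e859a below.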
diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix new file mode 100644 index 000000000..6f488fd25 --- /dev/null +++ b/krebs/3modules/nin/default.nix @@ -0,0 +1,40 @@ +{ config, ... }: + +with import ; + +{ + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.lass) { + hiawatha = { + cores = 2; + nets = { + retiolum = { + ip4.addr = "10.243.132.96"; + ip6.addr = "42:0000:0000:0000:0000:0000:0000:2342"; + aliases = [ + "hiawatha.retiolum" + "hiawatha.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAucIe5yLzKJ8F982XRpZT6CvyXuPrtnNTmw/E/T6Oyq88m/OVHh6o + Viho1XAlJZZwqNniItD0AQB98uFB3+3yA7FepnwwC+PEceIfBG4bTDNyYD3ZCsAB + iWpmRar9SQ7LFnoZ6X2lYaJkUD9afmvXqJJLR5MClnRQo5OSqXaFdp7ryWinHP7E + UkPSNByu4LbQ9CnBEW8mmCVZSBLb8ezxg3HpJSigmUcJgiDBJ6aj22BsZ5L+j1Sr + lvUuaCr8WOS41AYsD5dbTYk7EG42tU5utrOS6z5yHmhbA5r8Ro2OFi/R3Td68BIJ + yw/m8sfItBCvjJSMEpKHEDfGMBCfQKltCwIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx"; + }; + + }; + users = { + nin = { + mail = "nin@hiawatha.retiolum"; + pubkey = "ssh-rsa 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 nin@hiawatha"; + }; + }; +} diff --git a/nin/1systems/hiawatha.nix b/nin/1systems/hiawatha.nix new file mode 100644 index 000000000..26de00d18 --- /dev/null +++ b/nin/1systems/hiawatha.nix 
@@ -0,0 +1,125 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page +# and in the NixOS manual (accessible by running ‘nixos-help’). + +{ config, lib, pkgs, ... }: + +with lib; + +{ + imports = [ + ../. + + ../2configs/retiolum.nix + ]; + + krebs.build.host = config.krebs.hosts.hiawatha; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "sd_mod" "sr_mod" "rtsx_pci_sdmmc" ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/b83f8830-84f3-4282-b10e-015c4b76bd9e"; + fsType = "ext4"; + }; + + fileSystems."/tmp" = + { device = "tmpfs"; + fsType = "tmpfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/2f319b08-2560-401d-b53c-2abd28f1a010"; + fsType = "ext2"; + }; + + boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + boot.initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + + swapDevices = [ ]; + + nix.maxJobs = lib.mkDefault 4; + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + # Define on which hard drive you want to install Grub. + boot.loader.grub.device = "/dev/sda"; + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + + # Enable CUPS to print documents. 
+ # services.printing.enable = true; + + fileSystems."/home/nin/.local/share/Steam" = { + device = "/dev/fam/steam"; + }; + + # nin config + time.timeZone = "Europe/Berlin"; + services.xserver.enable = true; + + networking.networkmanager.enable = true; + #networking.wireless.enable = true; + + hardware.pulseaudio = { + enable = true; + systemWide = true; + }; + + hardware.bluetooth.enable = true; + + hardware.opengl.driSupport32Bit = true; + + #nixpkgs.config.steam.java = true; + + environment.variables.EDITOR = mkForce "vim"; + environment.variables.VIMINIT = ":so /etc/vimrc"; + environment.etc.vimrc.source = pkgs.writeText "vimrc" '' + set nocp + ''; + + environment.systemPackages = with pkgs; [ + firefox + steam + thunderbird + vim + git + hexchat + networkmanagerapplet + ]; + + nixpkgs.config = { + + allowUnfree = true; + + firefox = { + enableGoogleTalkPlugin = true; + enableAdobeFlash = true; + }; + }; + + #services.logind.extraConfig = "HandleLidSwitch=ignore"; + + services.xserver.synaptics = { + enable = true; + }; + + + services.xserver.desktopManager.xfce = let + xbindConfig = pkgs.writeText "xbindkeysrc" '' + "${pkgs.pass}/bin/passmenu --type" + Control + p + ''; + in { + enable = true; + extraSessionCommands = '' + ${pkgs.xbindkeys}/bin/xbindkeys -f ${xbindConfig} + ''; + }; + + # The NixOS release to be compatible with for stateful data such as databases. + system.stateVersion = "17.03"; + +} diff --git a/nin/2configs/default.nix b/nin/2configs/default.nix new file mode 100644 index 000000000..9b33e9c4a --- /dev/null +++ b/nin/2configs/default.nix 
@@ -0,0 +1,165 @@ +{ config, lib, pkgs, ... }: + +with import ; +{ + imports = [ + ../2configs/nixpkgs.nix + { + users.extraUsers = + mapAttrs (_: h: { hashedPassword = h; }) + (import ); + } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = [ + config.krebs.users.nin.pubkey + ]; + }; + mainUser = { + name = "nin"; + uid = 1337; + home = "/home/nin"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + "audio" + "fuse" + ]; + openssh.authorizedKeys.keys = [ + config.krebs.users.nin.pubkey + ]; + }; + }; + } + { + environment.variables = { + NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src"; + }; + } + (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in { + environment.variables = { + CURL_CA_BUNDLE = ca-bundle; + GIT_SSL_CAINFO = ca-bundle; + SSL_CERT_FILE = ca-bundle; + }; + }) + ]; + + networking.hostName = config.krebs.build.host.name; + nix.maxJobs = config.krebs.build.host.cores; + + krebs = { + enable = true; + search-domain = "retiolum"; + build = { + user = config.krebs.users.nin; + source = let inherit (config.krebs.build) host; in { + nixos-config.symlink = "stockholm/nin/1systems/${host.name}.nix"; + secrets.file = "/home/nin/secrets/${host.name}"; + stockholm.file = getEnv "PWD"; + }; + }; + }; + + nix.useSandbox = true; + + services.timesyncd.enable = true; + + #why is this on in the first place? 
+ services.nscd.enable = false; + + boot.tmpOnTmpfs = true; + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + MANPAGER=most + ''; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + #stockholm + git + gnumake + jq + proot + populate + p7zip + unzip + unrar + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + ''; + promptInit = '' + if test $UID = 0; then + PS1='\[\033[1;31m\]\w\[\033[0m\] ' + elif test $UID = 1337; then + PS1='\[\033[1;32m\]\w\[\033[0m\] ' + else + PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' + fi + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + krebs.iptables = { + enable = true; + tables = { + nat.PREROUTING.rules = [ + { predicate = "! 
-i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } + { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } + ]; + nat.OUTPUT.rules = [ + { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } + ]; + filter.INPUT.policy = "DROP"; + filter.FORWARD.policy = "DROP"; + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } + { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; } + { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } + { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } + ]; + }; + }; + + networking.dhcpcd.extraConfig = '' + noipv4ll + ''; +} diff --git a/nin/2configs/nixpkgs.nix b/nin/2configs/nixpkgs.nix new file mode 100644 index 000000000..eceab7e7b --- /dev/null +++ b/nin/2configs/nixpkgs.nix @@ -0,0 +1,8 @@ +{ ... }: + +{ + krebs.build.source.nixpkgs.git = { + url = https://github.com/nixos/nixpkgs; + ref = "fd1dbe551cf6338c5f4e4f80c2f5dde9f9e6a271"; + }; +} diff --git a/nin/2configs/retiolum.nix b/nin/2configs/retiolum.nix new file mode 100644 index 000000000..821e3cc00 --- /dev/null +++ b/nin/2configs/retiolum.nix 
@@ -0,0 +1,28 @@ +{ ... }: + +{ + + krebs.iptables = { + tables = { + filter.INPUT.rules = [ + { predicate = "-i retiolum -p tcp --dport smtp"; target = "ACCEPT"; } + { predicate = "-p tcp --dport tinc"; target = "ACCEPT"; } + { predicate = "-p udp --dport tinc"; target = "ACCEPT"; } + ]; + }; + }; + + krebs.tinc.retiolum = { + enable = true; + connectTo = [ + "prism" + "pigstarter" + "gum" + "flap" + ]; + }; + + nixpkgs.config.packageOverrides = pkgs: { + tinc = pkgs.tinc_pre; + }; +} diff --git a/nin/default.nix b/nin/default.nix new file mode 100644 index 000000000..c31d6d949 --- /dev/null +++ b/nin/default.nix @@ -0,0 +1,7 @@ +_: +{ + imports = [ + ../krebs + ./2configs + ]; +} -- cgit v1.3.1 From 44a5157845119132022ab9cbde7df2594824db24 Mon Sep 17 00:00:00 2001 From: nin Date: Sun, 15 Jan 2017 19:40:20 +0100 Subject: k 3 n: set owner to nin --- krebs/3modules/nin/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix index 6f488fd25..375faf808 100644 --- a/krebs/3modules/nin/default.nix +++ b/krebs/3modules/nin/default.nix @@ -3,7 +3,7 @@ with import ; { - hosts = mapAttrs (_: setAttr "owner" config.krebs.users.lass) { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.nin) { hiawatha = { cores = 2; nets = { -- cgit v1.3.1 From c7d4d6149814a1ac11ede8575d3e4bcf72b19517 Mon Sep 17 00:00:00 2001 From: nin Date: Sun, 15 Jan 2017 19:40:20 +0100 Subject: k 3 n: set owner to nin --- krebs/3modules/nin/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix index 6f488fd25..375faf808 100644 --- a/krebs/3modules/nin/default.nix +++ b/krebs/3modules/nin/default.nix 
@@ -3,7 +3,7 @@ with import ; { - hosts = mapAttrs (_: setAttr "owner" config.krebs.users.lass) { + hosts = mapAttrs (_: setAttr "owner" config.krebs.users.nin) { hiawatha = { cores = 2; nets = { -- cgit v1.3.1 From 08fd9d3ae398f6b7158d05be0bfd0122da4d4e98 Mon Sep 17 00:00:00 2001 From: tv Date: Mon, 16 Jan 2017 05:27:29 +0100 Subject: github: update URL to IP addresses --- krebs/3modules/default.nix | 2 +- tv/2configs/urlwatch.nix | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index bf09b7424..c0b5f0670 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -200,7 +200,7 @@ let }) // # GitHub's IPv4 address range is 192.30.252.0/22 - # Refs https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/ + # Refs https://help.github.com/articles/github-s-ip-addresses/ # 192.30.252.0/22 = 192.30.252.0-192.30.255.255 (1024 addresses) # Because line length is limited by OPENSSH_LINE_MAX (= 8192), # we split each /24 into its own entry. diff --git a/tv/2configs/urlwatch.nix b/tv/2configs/urlwatch.nix index b34590908..6e11e0251 100644 --- a/tv/2configs/urlwatch.nix +++ b/tv/2configs/urlwatch.nix @@ -47,7 +47,7 @@ with import ; #http://hackage.haskell.org/package/web-page # ref , services.openssh.knownHosts.github* - https://help.github.com/articles/what-ip-addresses-does-github-use-that-i-should-whitelist/ + https://help.github.com/articles/github-s-ip-addresses/ # # is derived from `configFile` in: -- cgit v1.3.1 From 20cb28918b2b75b24e7401b718446e2e8f1701f9 Mon Sep 17 00:00:00 2001 From: nin Date: Thu, 19 Jan 2017 23:15:43 +0100 Subject: k 3 n: add onondaga --- krebs/3modules/nin/default.nix | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) (limited to 'krebs/3modules') diff --git a/krebs/3modules/nin/default.nix b/krebs/3modules/nin/default.nix index 375faf808..3231c0e23 100644 
--- a/krebs/3modules/nin/default.nix +++ b/krebs/3modules/nin/default.nix @@ -29,6 +29,31 @@ with import ; ssh.privkey.path = ; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFizK5kauDlnjm/IzyzLi+W4hLKqjSWMkfuxzLwg6egx"; }; + onondaga = { + cores = 1; + nets = { + retiolum = { + ip4.addr = "10.243.132.55"; + ip6.addr = "42:0000:0000:0000:0000:0000:0000:1357"; + aliases = [ + "onondaga.retiolum" + "onondaga.r" + ]; + tinc.pubkey = '' + -----BEGIN RSA PUBLIC KEY----- + MIIBCgKCAQEAqj6NPhRVsr8abz9FFx9+ld3amfxN7SRNccbksUOqkufGS0vaupFR + OWsgj4Qmt3lQ82YVt5yjx0FZHkAsenCEKM3kYoIb4nipT0e1MWkQ7plVveMfGkiu + htaJ1aCbI2Adxfmk4YbyAr8k3G+Zl9t7gTikBRh7cf5PMiu2JhGUZHzx9urR0ieH + xyashZFjl4TtIy4q6QTiyST9kfzteh8k7CJ72zfYkdHl9dPlr5Nk22zH9xPkyzmO + kCNeknuDqKeTT9erNtRLk6pjEcyutt0y2/Uq6iZ38z5qq9k4JzcMuQ3YPpNy8bxn + hVuk2qBu6kBTUW3iLchoh0d4cfFLWLx1SQIDAQAB + -----END RSA PUBLIC KEY----- + ''; + }; + }; + ssh.privkey.path = ; + ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmQk7AXsYLzjUrOjsuhZ3+gT7FjhPtjwxv5XnuU8GJO"; + }; }; users = { -- cgit v1.3.1 From 0ff2496de4acbc5b7bc009a3ea28dbcd7504ed1a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 21 Jan 2017 21:55:59 +0100 Subject: k 3 Reaktor: allow multiple Reaktor configurations --- krebs/3modules/Reaktor.nix | 216 +++++++++++++++++++++++---------------------- 1 file changed, 109 insertions(+), 107 deletions(-) (limited to 'krebs/3modules') diff --git a/krebs/3modules/Reaktor.nix b/krebs/3modules/Reaktor.nix index d87003ac2..a70f1ef5d 100644 --- a/krebs/3modules/Reaktor.nix +++ b/krebs/3modules/Reaktor.nix 
@@ -3,99 +3,88 @@ with import ; let - ReaktorConfig = pkgs.writeText "config.py" '' - ${if (isString cfg.overrideConfig ) then '' - # Overriden Config - ${cfg.overrideConfig} - '' else ""} - ## Extra Config - ${concatStringsSep "\n" (map (plug: plug.config) cfg.plugins)} - ${cfg.extraConfig} - ''; cfg = config.krebs.Reaktor; + workdir = "/var/lib/Reaktor"; + out = { options.krebs.Reaktor = api; - config = lib.mkIf cfg.enable imp; + config = imp; }; - api = { - enable = mkOption { - default = false; - description = '' - Start Reaktor at system boot - ''; - }; + api = mkOption { + default = {}; + type = with types; attrsOf (submodule ({ options = { - nickname = mkOption { - default = config.krebs.build.host.name + "|r"; - type = types.string; - description = '' - The nick name of the irc bot. - Defaults to {hostname}|r - ''; - }; + nickname = mkOption { + default = config.krebs.build.host.name + "|r"; + type = types.string; + description = '' + The nick name of the irc bot. + Defaults to {hostname}|r + ''; + }; - overrideConfig = mkOption { - default = null; - type = types.nullOr types.str; - description = '' - configuration to be used instead of default ones. - Reaktor default cfg can be retrieved via `reaktor get-config` - ''; - }; - plugins = mkOption { - default = [pkgs.ReaktorPlugins.nixos-version]; - }; - extraConfig = mkOption { - default = ""; - type = types.string; - description = '' - configuration appended to the default or overridden configuration - ''; - }; + overrideConfig = mkOption { + default = null; + type = types.nullOr types.str; + description = '' + configuration to be used instead of default ones. 
+ Reaktor default cfg can be retrieved via `reaktor get-config` + ''; + }; - workdir = mkOption { - default = "/var/lib/Reaktor"; - type = types.str; - description = '' - Reaktor working directory - ''; - }; - extraEnviron = mkOption { - default = {}; - type = types.attrsOf types.str; - description = '' - Environment to be provided to the service, can be: - REAKTOR_HOST - REAKTOR_PORT - REAKTOR_STATEDIR - - debug and nickname can be set separately via the Reaktor api - ''; - }; - channels = mkOption { - default = [ "#krebs" ]; - type = types.listOf types.str; - description = '' - Channels the Reaktor should connect to at startup. - ''; - }; - debug = mkOption { - default = false; - description = '' - Reaktor debug output - ''; - }; + plugins = mkOption { + default = [pkgs.ReaktorPlugins.nixos-version]; + }; + + extraConfig = mkOption { + default = ""; + type = types.string; + description = '' + configuration appended to the default or overridden configuration + ''; + }; + + extraEnviron = mkOption { + default = {}; + type = types.attrsOf types.str; + description = '' + Environment to be provided to the service, can be: + REAKTOR_HOST + REAKTOR_PORT + REAKTOR_STATEDIR + + debug and nickname can be set separately via the Reaktor api + ''; + }; + + channels = mkOption { + default = [ "#krebs" ]; + type = types.listOf types.str; + description = '' + Channels the Reaktor should connect to at startup. + ''; + }; + + debug = mkOption { + default = false; + description = '' + Reaktor debug output + ''; + }; + };})); }; imp = { + # TODO get user per configured bot + # TODO get home from api # for reaktor get-config users.extraUsers = singleton rec { name = "Reaktor"; uid = genid name; description = "Reaktor user"; - home = cfg.workdir; + home = workdir; createHome = true; }; 
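Review bot: `config = imp;` replaces `config = lib.mkIf cfg.enable imp;`, and since the `enable` option is gone, `imp` is now applied unconditionally, so every host importing this module gets the `Reaktor` system user and its home created even when `krebs.Reaktor = {}`; gate it on the attrset being non-empty instead: `config = lib.mkIf (cfg != {}) imp;`. The per-bot `plugins` option still carries no `type`, so a wrong value only fails deep inside the `ReaktorConfig` string interpolation; `type = types.listOf types.attrs;` or similar would surface it at evaluation. The `api` submodule continues past the end of this hunk.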
@@ -104,39 +93,52 @@ let # gid = config.ids.gids.Reaktor; #};
- systemd.services.Reaktor = {
- path = with pkgs; [
- utillinux #flock for tell_on-join
- git # for nag
- python # for caps
- ];
- description = "Reaktor IRC Bot";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- environment = {
- GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
- REAKTOR_NICKNAME = cfg.nickname;
- REAKTOR_DEBUG = (if cfg.debug then "True" else "False");
- REAKTOR_CHANNELS = lib.concatStringsSep "," cfg.channels;
- state_dir = cfg.workdir;
-
- } // cfg.extraEnviron;
- serviceConfig= {
- ExecStartPre = pkgs.writeScript "Reaktor-init" ''
- #! /bin/sh
- ${if (isString cfg.overrideConfig) then
- ''cp ${ReaktorConfig} /tmp/config.py''
- else
- ''(${pkgs.Reaktor}/bin/reaktor get-config;cat "${ReaktorConfig}" ) > /tmp/config.py''
- }
+ systemd.services = mapAttrs' (name: botcfg:
+ let
+ ReaktorConfig = pkgs.writeText "config.py" ''
+ ${if (isString botcfg.overrideConfig ) then ''
+ # Overriden Config
+ ${botcfg.overrideConfig}
+ '' else ""}
+ ## Extra Config
+ ${concatStringsSep "\n" (map (plug: plug.config) botcfg.plugins)}
+ ${botcfg.extraConfig} '';
- ExecStart = "${pkgs.Reaktor}/bin/reaktor run /tmp/config.py";
- PrivateTmp = "true";
- User = "Reaktor";
- Restart = "always";
- RestartSec= "30" ;
+ in nameValuePair "Reaktor-${name}" {
+ path = with pkgs; [
+ utillinux #flock for tell_on-join
+ git # for nag
+ python # for caps
+ ];
+ description = "Reaktor IRC Bot";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ GIT_SSL_CAINFO = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ REAKTOR_NICKNAME = botcfg.nickname;
+ REAKTOR_DEBUG = (if botcfg.debug then "True" else "False");
+ REAKTOR_CHANNELS = lib.concatStringsSep "," botcfg.channels;
+ state_dir = workdir;
+
+ } // botcfg.extraEnviron;
+ serviceConfig= {
+ ExecStartPre = pkgs.writeScript "Reaktor-init" ''
+ #! 
/bin/sh
+ ${if (isString botcfg.overrideConfig) then
+ ''cp ${ReaktorConfig} /tmp/reaktor-${name}-config.py''
+ else
+ ''(${pkgs.Reaktor}/bin/reaktor get-config;cat "${ReaktorConfig}" ) > /tmp/reaktor-${name}-config.py''
+ }
+ '';
+ ExecStart = "${pkgs.Reaktor}/bin/reaktor run /tmp/reaktor-${name}-config.py";
+ PrivateTmp = "true";
+ User = "Reaktor";
+ Restart = "always";
+ RestartSec= "30" ; };
- };
+ }
+ ) cfg;
+ }; in -- cgit v1.3.1 From cc928ccbc60b5c2dfcb6417d187dae78ffe7cb6f Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 21 Jan 2017 23:26:48 +0100 Subject: move indent to lib
--- krebs/3modules/exim-smarthost.nix | 1 - krebs/3modules/nginx.nix | 2 -- lib/default.nix | 2 ++ 3 files changed, 2 insertions(+), 3 deletions(-) (limited to 'krebs/3modules')
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index c96b14723..bda563f8d 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -2,7 +2,6 @@ with import ; let
- indent = replaceChars ["\n"] ["\n "]; cfg = config.krebs.exim-smarthost; out = {
diff --git a/krebs/3modules/nginx.nix b/krebs/3modules/nginx.nix
index 933c2e513..b28e97e37 100644
--- a/krebs/3modules/nginx.nix
+++ b/krebs/3modules/nginx.nix
@@ -129,8 +129,6 @@ let }; };
- indent = replaceChars ["\n"] ["\n "];
- to-acme = { server-names, ssl, ... }: optionalAttrs ssl.acmeEnable { email = "lassulus@gmail.com";
diff --git a/lib/default.nix b/lib/default.nix
index 2b12fa4bf..7e61c9413 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -39,6 +39,8 @@ let string = toJSON x; # close enough }.${type} or reject;
+ indent = replaceChars ["\n"] ["\n "];
+ }; in -- cgit v1.3.1 From 13e5a3d41ae42e8d2ef623dcbb26c66b409c66d8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 21 Jan 2017 23:50:02 +0100 Subject: l 3 fetchWallpaper: set wallpaper everytime
--- krebs/3modules/fetchWallpaper.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'krebs/3modules') 
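Review bot: The bot name is interpolated unescaped into the ExecStartPre shell script and into ExecStart as `/tmp/reaktor-${name}-config.py`, so an attribute name containing whitespace or shell metacharacters splits the `cp`/redirect target and the service then runs against a path ExecStart never wrote; the repository's `shell.escape` (used in fetchWallpaper.nix below, presumably in scope here through the same `with import`) covers it, e.g. `''cp ${ReaktorConfig} ${shell.escape "/tmp/reaktor-${name}-config.py"}''` and the same for the redirect. Names are probably plain identifiers in practice since they also become unit names, but the escape costs nothing. Every bot also shares `state_dir = workdir` and the default nickname `host|r`, so two configured bots will contend on the flock-based plugin state and on the IRC nick unless each overrides `nickname`; the TODO lines earlier in the hunk cover the user, not this. The `imp` set this hunk rewrites begins before the hunk.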
diff --git a/krebs/3modules/fetchWallpaper.nix b/krebs/3modules/fetchWallpaper.nix
index 94bcbed9d..aed5f595c 100644
--- a/krebs/3modules/fetchWallpaper.nix
+++ b/krebs/3modules/fetchWallpaper.nix
@@ -45,7 +45,7 @@ let mkdir -p ${shell.escape cfg.stateDir} cd ${shell.escape cfg.stateDir}
- curl -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper
+ (curl -s -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url} && mv wallpaper.tmp wallpaper) || : feh --no-fehbg --bg-scale ${shell.escape cfg.stateDir}/wallpaper ''; -- cgit v1.3.1
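Review bot: The `|| :` makes the fetch best-effort, but `curl -s` without `-f` still writes an HTTP error body (a 404 or captive-portal page, say) to `wallpaper.tmp`, and the `&&` then moves that non-image into place, so feh is handed garbage on exactly the bad-network days this change targets; `curl -sf -o wallpaper.tmp -z wallpaper ${shell.escape cfg.url}` keeps the previous file on server errors. On a first run where the download fails there is no `wallpaper` file at all, so feh presumably exits non-zero and the unit still fails; a guard such as `[ -e wallpaper ] && feh ...` in front of the feh line covers that case. The script this line belongs to starts before the hunk.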