From 2185fb0bfa56b365e33d0baf0274499076c1166b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 18:08:37 +0100 Subject: l blue.r: remove weechat --- lass/1systems/blue/config.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/blue/config.nix b/lass/1systems/blue/config.nix index f6dc23d20..c4286cca3 100644 --- a/lass/1systems/blue/config.nix +++ b/lass/1systems/blue/config.nix @@ -9,8 +9,8 @@ with import ; + - ]; krebs.build.host = config.krebs.hosts.blue; -- cgit v1.3.1 From 0b5b4b8eab751d0d1d32573c6f69d08a82b4af1e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 18:09:13 +0100 Subject: l green.r: setup with sync-containers --- lass/1systems/green/config.nix | 71 ++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 69 insertions(+), 2 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index 0b4b50ee4..d7683ff5f 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -9,13 +9,80 @@ with import ; + + + + + + ]; krebs.build.host = config.krebs.hosts.green; - #networking.nameservers = [ "1.1.1.1" ]; + users.users.mainUser.openssh.authorizedKeys.keys = [ + config.krebs.users.lass-android.pubkey + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMe23IAHn4Ow4J4i8M9GJshqvY80U11NKPLum6b1XLn" # weechat ssh tunnel + ]; + + lass.bindfs = { + "/home/lass/.weechat" = { + source = "/var/state/lass_weechat"; + options = [ + "-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}" + "--create-for-user=${toString config.users.users.syncthing.uid}" + ]; + }; + "/home/lass/Maildir" = { + source = "/var/state/lass_mail"; + options = [ + "-M ${toString config.users.users.mainUser.uid}" + ]; + }; + "/home/lass/sync" = { + source = "/var/state/lass_sync"; + options = [ + "-M ${concatMapStringsSep ":" (u: toString config.users.users.${u}.uid) [ "syncthing" "mainUser" ]}" + "--create-for-user=${toString config.users.users.syncthing.uid}" + ]; + }; + "/var/lib/bitlbee" = { + source = "/var/state/bitlbee"; + options = [ + "-M ${toString config.users.users.bitlbee.uid}" + ]; + clearTarget = true; + }; + "/home/lass/.ssh" = { + source = "/var/state/lass_ssh"; + options = [ + "-M ${toString config.users.users.mainUser.uid}" + ]; + clearTarget = true; + }; + "/home/lass/.gnupg" = { + source = "/var/state/lass_gnupg"; + options = [ + "-M ${toString config.users.users.mainUser.uid}" + ]; + clearTarget = true; + }; + }; - #time.timeZone = "Europe/Berlin"; + systemd.services."bindfs-_home_lass_Maildir".serviceConfig.ExecStartPost = pkgs.writeDash "symlink-notmuch" '' + sleep 1 + mkdir -p /home/lass/notmuch + chown lass: /home/lass/notmuch + ln -sfTr /home/lass/notmuch /home/lass/Maildir/.notmuch + + mkdir -p /home/lass/notmuch/muchsync + chown lass: /home/lass/notmuch/muchsync + mkdir -p /home/lass/Maildir/.muchsync + ln -sfTr /home/lass/Maildir/.muchsync /home/lass/notmuch/muchsync/tmp + ''; + + krebs.iptables.tables.nat.PREROUTING.rules = [ + { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } + ]; } -- cgit v1.3.1 From b40754586d80b1063cba3e9e0bf0b41bd1d63932 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 19:36:09 +0100 Subject: l icarus.r: fix thinkfan values --- lass/1systems/icarus/physical.nix | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/icarus/physical.nix b/lass/1systems/icarus/physical.nix index bd74c29f3..837872bf5 100644 --- a/lass/1systems/icarus/physical.nix +++ b/lass/1systems/icarus/physical.nix @@ -51,12 +51,10 @@ (1, 48, 60) (2, 50, 61) (3, 52, 63) - (6, 60, 65) - (7, 80, 85) - (127, 90, 32767) + (6, 60, 85) + (7, 80, 90) + (127, 89, 32767) ''; services.logind.lidSwitch = "ignore"; - services.logind.lidSwitchDocked = "ignore"; - } -- cgit v1.3.1 From 78e687f288dc22d22d1cb88319f941caa0316623 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 20:23:56 +0100 Subject: l littleT.r: add as green-host --- lass/1systems/littleT/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix index eee23ee60..adf8aeeb1 100644 --- a/lass/1systems/littleT/config.nix +++ b/lass/1systems/littleT/config.nix @@ -7,6 +7,7 @@ with import ; + ]; -- cgit v1.3.1 From e0708ab3ba6b9bb5dd826ea225d61745687a2f28 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 20:24:10 +0100 Subject: l morpheus.r: add green-host --- lass/1systems/morpheus/config.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/morpheus/config.nix b/lass/1systems/morpheus/config.nix index 79fbe4c97..79d4f528d 100644 --- a/lass/1systems/morpheus/config.nix +++ b/lass/1systems/morpheus/config.nix @@ -4,6 +4,9 @@ with import ; imports = [ + + + ]; krebs.build.host = config.krebs.hosts.morpheus; -- cgit v1.3.1 From 34470a6e92439ffeb4cf9112343e9745d97b709c Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 20:34:21 +0100 Subject: l: remove deprecated backup user --- lass/1systems/daedalus/config.nix | 1 - lass/1systems/mors/config.nix | 1 - lass/1systems/shodan/config.nix | 1 - lass/2configs/backup.nix | 14 -------------- lass/2configs/default.nix | 1 - 5 files changed, 18 deletions(-) delete mode 100644 lass/2configs/backup.nix (limited to 'lass/1systems') diff --git a/lass/1systems/daedalus/config.nix b/lass/1systems/daedalus/config.nix index bd559944a..d84502b3f 100644 --- a/lass/1systems/daedalus/config.nix +++ b/lass/1systems/daedalus/config.nix @@ -6,7 +6,6 @@ with import ; - { # bubsy config diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index b03d95c49..21abb9c3f 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -33,7 +33,6 @@ with import ; - diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index 9e01396bc..b34afe5e6 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -13,7 +13,6 @@ with import ; - diff --git a/lass/2configs/backup.nix b/lass/2configs/backup.nix deleted file mode 100644 index f5c241785..000000000 --- a/lass/2configs/backup.nix +++ /dev/null @@ -1,14 +0,0 @@ -{ config, lib, ... }: -with import ; - -{ - users.users.backup = { - useDefaultShell = true; - home = "/backups"; - createHome = true; - group = "syncthing"; - openssh.authorizedKeys.keys = with config.krebs.hosts; [ - blue.ssh.pubkey - ]; - }; -} diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index f3534d94d..7b6f01148 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -3,7 +3,6 @@ with import ; { imports = [ ./binary-cache/client.nix - ./backup.nix ./gc.nix ./mc.nix ./vim.nix -- cgit v1.3.1 From 4ce8f6e13046574e287b599f4d0e87a74f04c13a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 20:43:56 +0100 Subject: l mors.r: remove old imports, add new ones --- lass/1systems/mors/config.nix | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 21abb9c3f..907242500 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -18,27 +18,27 @@ with import ; - - - + + # - - - # - + + + + # + # { krebs.iptables.tables.filter.INPUT.rules = [ #risk of rain -- cgit v1.3.1 From 7fc98767397a8f0ae7aa2bb1e764bb441b244bd7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 20:58:05 +0100 Subject: l prism.r: use as green-host --- lass/1systems/prism/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index f63c6a05a..54ba0089f 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -118,6 +118,7 @@ with import ; + -- cgit v1.3.1 From 8adbc446bfe2e577d4140d63e0f5bd1f8adf2c31 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 20:59:54 +0100 Subject: l: remove ejabberd --- lass/1systems/prism/config.nix | 10 --- lass/3modules/default.nix | 1 - lass/3modules/ejabberd/config.nix | 128 ------------------------------------- lass/3modules/ejabberd/default.nix | 103 ----------------------------- 4 files changed, 242 deletions(-) delete mode 100644 lass/3modules/ejabberd/config.nix delete mode 100644 lass/3modules/ejabberd/default.nix (limited to 'lass/1systems') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 54ba0089f..81159573d 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -138,16 +138,6 @@ with import ; enable = true; }; } - { - lass.ejabberd = { - enable = true; - hosts = [ "lassul.us" ]; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; } - { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; } - ]; - } { imports = [ diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 8bee08caa..3587e0f88 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -3,7 +3,6 @@ _: imports = [ ./bindfs.nix ./dnsmasq.nix - ./ejabberd ./folderPerms.nix ./hosts.nix ./klem.nix diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix deleted file mode 100644 index 4630f25c1..000000000 --- a/lass/3modules/ejabberd/config.nix +++ /dev/null @@ -1,128 +0,0 @@ -with import ; -{ config, ... }: let - - # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example - - ciphers = concatStringsSep ":" [ - "ECDHE-ECDSA-AES256-GCM-SHA384" - "ECDHE-RSA-AES256-GCM-SHA384" - "ECDHE-ECDSA-CHACHA20-POLY1305" - "ECDHE-RSA-CHACHA20-POLY1305" - "ECDHE-ECDSA-AES128-GCM-SHA256" - "ECDHE-RSA-AES128-GCM-SHA256" - "ECDHE-ECDSA-AES256-SHA384" - "ECDHE-RSA-AES256-SHA384" - "ECDHE-ECDSA-AES128-SHA256" - "ECDHE-RSA-AES128-SHA256" - ]; - - protocol_options = [ - "no_sslv2" - "no_sslv3" - "no_tlsv1" - "no_tlsv1_10" - ]; - -in /* yaml */ '' - - access_rules: - announce: - - allow: admin - local: - - allow: local - configure: - - allow: admin - register: - - allow - s2s: - - allow - trusted_network: - - allow: loopback - - acl: - local: - user_regexp: "" - loopback: - ip: - - "127.0.0.0/8" - - "::1/128" - - "::FFFF:127.0.0.1/128" - - hosts: ${toJSON config.hosts} - - language: "en" - - listen: - - - port: 5222 - ip: "::" - module: ejabberd_c2s - shaper: c2s_shaper - certfile: ${toJSON config.certfile.path} - ciphers: ${toJSON ciphers} - dhfile: ${toJSON config.dhfile.path} - protocol_options: ${toJSON protocol_options} - starttls: true - starttls_required: true - tls: false - tls_compression: false - max_stanza_size: 65536 - - - port: 5269 - ip: "::" - module: ejabberd_s2s_in - shaper: s2s_shaper - max_stanza_size: 131072 - - loglevel: 4 - - modules: - mod_adhoc: {} - mod_admin_extra: {} - mod_announce: - access: announce - mod_caps: {} - mod_carboncopy: {} - mod_client_state: {} - mod_configure: {} - mod_disco: {} - mod_echo: {} - mod_bosh: {} - mod_last: {} - mod_offline: - access_max_user_messages: max_user_offline_messages - mod_ping: {} - mod_privacy: {} - mod_private: {} - mod_register: - access_from: allow - access: register - # ip_access: trusted_network - registration_watchers: ${toJSON config.registration_watchers} - mod_roster: {} - mod_shared_roster: {} - mod_stats: {} - mod_time: {} - mod_vcard: - search: false - mod_version: {} - mod_http_api: {} - - s2s_access: s2s - s2s_certfile: ${toJSON config.s2s_certfile.path} - s2s_ciphers: ${toJSON ciphers} - s2s_dhfile: ${toJSON config.dhfile.path} - s2s_protocol_options: ${toJSON protocol_options} - s2s_tls_compression: false - s2s_use_starttls: required - - shaper_rules: - max_user_offline_messages: - - 5000: admin - - 100 - max_user_sessions: 10 - c2s_shaper: - - none: admin - - normal - s2s_shaper: fast -'' diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix deleted file mode 100644 index 20a38d572..000000000 --- a/lass/3modules/ejabberd/default.nix +++ /dev/null @@ -1,103 +0,0 @@ -{ config, lib, pkgs, ... }@args: with import ; let - cfg = config.lass.ejabberd; - - gen-dhparam = pkgs.writeDash "gen-dhparam" '' - set -efu - path=$1 - bits=2048 - # TODO regenerate dhfile after some time? - if ! test -e "$path"; then - ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path" - fi - ''; - -in { - options.lass.ejabberd = { - enable = mkEnableOption "lass.ejabberd"; - certfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-certfile"; - path = "${cfg.user.home}/ejabberd.pem"; - owner = cfg.user; - source-path = "/var/lib/acme/lassul.us/full.pem"; - }; - }; - dhfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-dhfile"; - path = "${cfg.user.home}/dhparams.pem"; - owner = cfg.user; - source-path = "/dev/null"; - }; - }; - hosts = mkOption { - type = with types; listOf str; - }; - pkgs.ejabberdctl = mkOption { - type = types.package; - default = pkgs.writeDashBin "ejabberdctl" '' - exec ${pkgs.ejabberd}/bin/ejabberdctl \ - --config ${toFile "ejabberd.yaml" (import ./config.nix { - inherit pkgs; - config = cfg; - })} \ - --logs ${shell.escape cfg.user.home} \ - --spool ${shell.escape cfg.user.home} \ - "$@" - ''; - }; - registration_watchers = mkOption { - type = types.listOf types.str; - default = [ - config.krebs.users.tv.mail - ]; - }; - s2s_certfile = mkOption { - type = types.secret-file; - default = cfg.certfile; - }; - user = mkOption { - type = types.user; - default = { - name = "ejabberd"; - home = "/var/ejabberd"; - }; - }; - }; - config = lib.mkIf cfg.enable { - environment.systemPackages = [ cfg.pkgs.ejabberdctl ]; - - krebs.secret.files = { - ejabberd-certfile = cfg.certfile; - ejabberd-s2s_certfile = cfg.s2s_certfile; - }; - - systemd.services.ejabberd = { - wantedBy = [ "multi-user.target" ]; - after = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - "network.target" - ]; - partOf = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - ]; - serviceConfig = { - ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; - ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground"; - PermissionsStartOnly = true; - SyslogIdentifier = "ejabberd"; - User = cfg.user.name; - TimeoutStartSec = 60; - }; - }; - - users.users.${cfg.user.name} = { - inherit (cfg.user) home name uid; - createHome = true; - }; - }; -} -- cgit v1.3.1 From c9aac57896de2b3be96ca136d4fdbcfe1eaf5266 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 21:00:51 +0100 Subject: l prism.r: serve maker wallpaper publicly --- lass/1systems/prism/config.nix | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 81159573d..da26e6b21 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -142,9 +142,14 @@ with import ; imports = [ ]; - services.nginx.virtualHosts."lassul.us".locations."= /wallpaper.png".extraConfig = '' - alias /var/realwallpaper/realwallpaper.png; - ''; + services.nginx.virtualHosts."lassul.us".locations = { + "= /wallpaper-marker.png".extraConfig = '' + alias /var/realwallpaper/realwallpaper-marker.png; + ''; + "= /wallpaper.png".extraConfig = '' + alias /var/realwallpaper/realwallpaper.png; + ''; + }; } { users.users.jeschli = { -- cgit v1.3.1 From 7e77033bfde0de1236a16b072a92236166facf3a Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 21:01:11 +0100 Subject: l prism.r: set murmur autobanTime --- lass/1systems/prism/config.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index da26e6b21..1b6b07569 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -278,8 +278,9 @@ with import ; services.murmur = { enable = true; bandwidth = 10000000; + registerName = "lassul.us"; + autobanTime = 30; }; - services.murmur.registerName = "lassul.us"; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} { predicate = "-p udp --dport 64738"; target = "ACCEPT";} -- cgit v1.3.1 From 7258d96e4e41fc03cfbefebb1aa2d52c20fd62ea Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 21:01:38 +0100 Subject: l prism.r: add mic92 & qubasa to authorized downloaders --- lass/1systems/prism/config.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 1b6b07569..958c20351 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -351,6 +351,8 @@ with import ; palo.pubkey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos" "AAAAB3NzaC1yc2EAAAADAQABAAABgQC4ECL9NSCWqs4KVe+FF+2BPtl5Bv5aQPHqnXllCyiESZykwRKLx6/AbF5SbUAUMVZtp9oDSdp28m3BvVeWJ/q7hAbIxUtfd/jp+JBRZ8Kj6K5GzUO7Bhgl/o0A7xEjAeOKHiYuLjdPMcFUyl6Ah4ey/mcQYf6AdU0+hYUDeUlKe/YxxYD6202W0GJq2xGdIqs/TbopT9iaX+sv0wdXDVfFY72nFqOUwJW3u6O2viKKRugrz/eo50Eo3ts7pYz/FpDXExrUvV9Vu/bQ34pa8nKgF3/AKQHgmzljNQSVZKyAV8OY0UFonjBMXCBg2tXtwfnlzdx2SyuQVv55x+0AuRKsi85G2xLpXu1A3921pseBTW6Q6kbYK9eqxAay2c/kNbwNqFnO+nCvQ6Ier/hvGddOtItMu96IuU2E7mPN6WgvM8/3fjJRFWnZxFxqu/k7iH+yYT8qwRgdiSqZc76qvkYEuabdk2itstTRY0A3SpI3hFMZDw/7bxgMZtqpfyoRk5s= philip@shiki11:15 AAAAB3NzaC1yc2EAAAADAQABAAABgQC4ECL9NSCWqs4KVe+FF+2BPtl5Bv5aQPHqnXllCyiESZykwRKLx6/AbF5SbUAUMVZtp9oDSdp28m3BvVeWJ/q7hAbIxUtfd/jp+JBRZ8Kj6K5GzUO7Bhgl/o0A7xEjAeOKHiYuLjdPMcFUyl6Ah4ey/mcQYf6AdU0+hYUDeUlKe/YxxYD6202W0GJq2xGdIqs/TbopT9iaX+sv0wdXDVfFY72nFqOUwJW3u6O2viKKRugrz/eo50Eo3ts7pYz/FpDXExrUvV9Vu/bQ34pa8nKgF3/AKQHgmzljNQSVZKyAV8OY0UFonjBMXCBg2tXtwfnlzdx2SyuQVv55x+0AuRKsi85G2xLpXu1A3921pseBTW6Q6kbYK9eqxAay2c/kNbwNqFnO+nCvQ6Ier/hvGddOtItMu96IuU2E7mPN6WgvM8/3fjJRFWnZxFxqu/k7iH+yYT8qwRgdiSqZc76qvkYEuabdk2itstTRY0A3SpI3hFMZDw/7bxgMZtqpfyoRk5s= philip@shiki" + mic92.pubkey + qubasa.pubkey ]; }; }; -- cgit v1.3.1 From 2b83ce10c504be19b54d22032e9471d72f9dbfcf Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 21:03:21 +0100 Subject: l prism.r: remove deprecated samba stuff --- lass/1systems/prism/config.nix | 36 ------------------------------------ 1 file changed, 36 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 958c20351..6f61ea57e 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -411,42 +411,6 @@ with import ; ]; }; } - { #macos mounting of yellow - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-i wiregrill -p tcp --dport 139"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p tcp --dport 445"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 137"; target = "ACCEPT"; } - { predicate = "-i wiregrill -p udp --dport 138"; target = "ACCEPT"; } - ]; - users.users.smbguest = { - name = "smbguest"; - uid = config.ids.uids.smbguest; - description = "smb guest user"; - home = "/home/share"; - createHome = true; - }; - services.samba = { - enable = true; - enableNmbd = true; - shares = { - download = { - path = "/var/download/finished"; - "read only" = "yes"; - browseable = "yes"; - "guest ok" = "yes"; - }; - }; - extraConfig = '' - guest account = smbguest - map to guest = bad user - # disable printing - load printers = no - printing = bsd - printcap name = /dev/null - disable spoolss = yes - ''; - }; - } ]; krebs.build.host = config.krebs.hosts.prism; -- cgit v1.3.1 From da975dabdd29fa795b07a6c6a9a3155f3505c4c5 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 21:03:47 +0100 Subject: l skynet.r: use as green-host --- lass/1systems/skynet/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index 507ccd14d..4da4dffb8 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -6,6 +6,7 @@ with import ; + { -- cgit v1.3.1 From 1a79d3865e250904507c18d9376ef708e9a6bda8 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 21:07:04 +0100 Subject: l styx.r: set interface names --- lass/1systems/styx/physical.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/styx/physical.nix b/lass/1systems/styx/physical.nix index a3899f87d..ae0cdf489 100644 --- a/lass/1systems/styx/physical.nix +++ b/lass/1systems/styx/physical.nix @@ -31,4 +31,9 @@ nix.maxJobs = lib.mkDefault 4; powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + + services.udev.extraRules = '' + SUBSYSTEM=="net", ATTR{address}=="3c:7c:3f:7e:e2:39", NAME="et0" + SUBSYSTEM=="net", ATTR{address}=="00:e0:4c:78:91:50", NAME="int0" + ''; } -- cgit v1.3.1 From 2970004fb29472d7fcb8b2eef3a71a91c028d0e6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 21:08:56 +0100 Subject: l yellow.r: use new transmission options --- lass/1systems/yellow/config.nix | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index d400697d7..16762e9a1 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -9,30 +9,21 @@ with import ; krebs.build.host = config.krebs.hosts.yellow; - system.activationScripts.downloadFolder = '' - mkdir -p /var/download - chown transmission:download /var/download - chown transmission:download /var/download/finished - chmod 775 /var/download - ''; - - users.users.download = { uid = genid "download"; }; users.groups.download.members = [ "transmission" ]; - users.users.transmission.group = mkForce "download"; systemd.services.transmission.bindsTo = [ "openvpn-nordvpn.service" ]; systemd.services.transmission.after = [ "openvpn-nordvpn.service" ]; - systemd.services.transmission.postStart = '' - chmod 775 /var/download/finished - ''; services.transmission = { enable = true; + group = "download"; + downloadDirPermissions = "775"; settings = { download-dir = "/var/download/finished"; incomplete-dir = "/var/download/incoming"; incomplete-dir-enable = true; + rpc-bind-address = "0.0.0.0"; message-level = 1; - umask = "002"; + umask = 18; rpc-whitelist-enabled = false; rpc-host-whitelist-enabled = false; }; -- cgit v1.3.1 From 0344e09941f404a7a3b09a62ffe5d3708ac7a96e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 21:09:11 +0100 Subject: l yellow.r: use another nordvpn server --- lass/1systems/yellow/config.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/yellow/config.nix b/lass/1systems/yellow/config.nix index 16762e9a1..1afad003c 100644 --- a/lass/1systems/yellow/config.nix +++ b/lass/1systems/yellow/config.nix @@ -163,7 +163,7 @@ with import ; client dev tun proto udp - remote 185.230.127.27 1194 + remote 91.207.172.77 1194 resolv-retry infinite remote-random nobind @@ -186,6 +186,7 @@ with import ; fast-io cipher AES-256-CBC auth SHA512 + -----BEGIN CERTIFICATE----- MIIFCjCCAvKgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA5MQswCQYDVQQGEwJQQTEQ -- cgit v1.3.1 From ed7bd5a9ce5b2893925c3a35faffc6d369d6c4bc Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 23 Jan 2021 21:09:41 +0100 Subject: l xerxes.r: sync basic dir --- lass/1systems/xerxes/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix index 8c4362865..22c80b4da 100644 --- a/lass/1systems/xerxes/config.nix +++ b/lass/1systems/xerxes/config.nix @@ -11,6 +11,7 @@ + -- cgit v1.3.1 From cefb50f5f1509c06f92453e09fb63ad71a746fe0 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 24 Jan 2021 11:26:39 +0100 Subject: bindfs: l -> krebs --- krebs/3modules/bindfs.nix | 61 ++++++++++++++++++++++++++++++++++++++++++ krebs/3modules/default.nix | 1 + lass/1systems/green/config.nix | 2 +- lass/3modules/bindfs.nix | 61 ------------------------------------------ lass/3modules/default.nix | 1 - 5 files changed, 63 insertions(+), 63 deletions(-) create mode 100644 krebs/3modules/bindfs.nix delete mode 100644 lass/3modules/bindfs.nix (limited to 'lass/1systems') diff --git a/krebs/3modules/bindfs.nix b/krebs/3modules/bindfs.nix new file mode 100644 index 000000000..7e3730e86 --- /dev/null +++ b/krebs/3modules/bindfs.nix @@ -0,0 +1,61 @@ +with import ; +{ config, pkgs, ... }: +let + cfg = config.krebs.bindfs; +in { + options.krebs.bindfs = mkOption { + type = types.attrsOf (types.submodule ({ config, ... }: { + options = { + target = mkOption { + description = '' + destination where bindfs mounts to. + second positional argument to bindfs. + ''; + default = config._module.args.name; + type = types.absolute-pathname; + }; + source = mkOption { + description = '' + source folder where the mounted directory is originally. + first positional argument to bindfs. + ''; + type = types.absolute-pathname; + }; + options = mkOption { + description = '' + additional arguments to bindfs + ''; + type = types.listOf types.str; + default = []; + }; + clearTarget = mkOption { + description = '' + whether to clear the target folder before mounting + ''; + type = types.bool; + default = false; + }; + }; + })); + default = {}; + }; + + config = mkIf (cfg != {}) { + systemd.services = mapAttrs' (n: mount: let + name = replaceStrings [ "/" ] [ "_" ] n; + in nameValuePair "bindfs-${name}" { + wantedBy = [ "local-fs.target" ]; + path = [ pkgs.coreutils ]; + serviceConfig = { + ExecStartPre = pkgs.writeDash "bindfs-init-${name}" '' + ${optionalString mount.clearTarget '' + rm -rf '${mount.target}' + ''} + mkdir -p '${mount.source}' + mkdir -p '${mount.target}' + ''; + ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}"; + }; + }) cfg; + }; +} diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix index 285db40f9..e7d04ead8 100644 --- a/krebs/3modules/default.nix +++ b/krebs/3modules/default.nix @@ -11,6 +11,7 @@ let ./apt-cacher-ng.nix ./backup.nix ./bepasty-server.nix + ./bindfs.nix ./brockman.nix ./buildbot/master.nix ./buildbot/slave.nix diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index d7683ff5f..fbd2d223f 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -26,7 +26,7 @@ with import ; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICMe23IAHn4Ow4J4i8M9GJshqvY80U11NKPLum6b1XLn" # weechat ssh tunnel ]; - lass.bindfs = { + krebs.bindfs = { "/home/lass/.weechat" = { source = "/var/state/lass_weechat"; options = [ diff --git a/lass/3modules/bindfs.nix b/lass/3modules/bindfs.nix deleted file mode 100644 index c489ef163..000000000 --- a/lass/3modules/bindfs.nix +++ /dev/null @@ -1,61 +0,0 @@ -with import ; -{ config, pkgs, ... }: -let - cfg = config.lass.bindfs; -in { - options.lass.bindfs = mkOption { - type = types.attrsOf (types.submodule ({ config, ... }: { - options = { - target = mkOption { - description = '' - destination where bindfs mounts to. - second positional argument to bindfs. - ''; - default = config._module.args.name; - type = types.absolute-pathname; - }; - source = mkOption { - description = '' - source folder where the mounted directory is originally. - first positional argument to bindfs. - ''; - type = types.absolute-pathname; - }; - options = mkOption { - description = '' - additional arguments to bindfs - ''; - type = types.listOf types.str; - default = []; - }; - clearTarget = mkOption { - description = '' - whether to clear the target folder before mounting - ''; - type = types.bool; - default = false; - }; - }; - })); - default = {}; - }; - - config = mkIf (cfg != {}) { - systemd.services = mapAttrs' (n: mount: let - name = replaceStrings [ "/" ] [ "_" ] n; - in nameValuePair "bindfs-${name}" { - wantedBy = [ "local-fs.target" ]; - path = [ pkgs.coreutils ]; - serviceConfig = { - ExecStartPre = pkgs.writeDash "bindfs-init-${name}" '' - ${optionalString mount.clearTarget '' - rm -rf '${mount.target}' - ''} - mkdir -p '${mount.source}' - mkdir -p '${mount.target}' - ''; - ExecStart = "${pkgs.bindfs}/bin/bindfs -f ${concatStringsSep " " mount.options} ${mount.source} ${mount.target}"; - }; - }) cfg; - }; -} diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix index 9f8ae98e5..1ce88b238 100644 --- a/lass/3modules/default.nix +++ b/lass/3modules/default.nix @@ -1,7 +1,6 @@ _: { imports = [ - ./bindfs.nix ./dnsmasq.nix ./folderPerms.nix ./hosts.nix -- cgit v1.3.1 From 2c8ba1536325e7488b0c29868dcc2dd34a1b0263 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 24 Jan 2021 17:00:29 +0100 Subject: l mors.r: add as news-host --- lass/1systems/mors/config.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 907242500..95b688590 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -35,6 +35,7 @@ with import ; + # -- cgit v1.3.1 From a47c709c4a5227ad064bea3fbe89e8a5398c2c75 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 24 Jan 2021 17:01:52 +0100 Subject: l shodan.r: add as host for news & green --- lass/1systems/shodan/config.nix | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index b34afe5e6..a7e934573 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -14,6 +14,8 @@ with import ; + + -- cgit v1.3.1 From f141ac6092861d1490ce0d0d86bcc75df104f742 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 24 Jan 2021 17:02:20 +0100 Subject: l shodan.r: remove legacy gg23, add base syncthing --- lass/1systems/shodan/config.nix | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/shodan/config.nix b/lass/1systems/shodan/config.nix index a7e934573..7695e637b 100644 --- a/lass/1systems/shodan/config.nix +++ b/lass/1systems/shodan/config.nix @@ -17,16 +17,14 @@ with import ; - - - + + ]; krebs.build.host = config.krebs.hosts.shodan; services.logind.lidSwitch = "ignore"; services.logind.lidSwitchDocked = "ignore"; - } -- cgit v1.3.1 From feed3c9d7b81dafe6a6eb45a2339fb22262076fb Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 24 Jan 2021 17:03:00 +0100 Subject: l styx.r: add gg23, container hosts, umts --- lass/1systems/styx/config.nix | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/styx/config.nix b/lass/1systems/styx/config.nix index 4c3ae1411..016d1480f 100644 --- a/lass/1systems/styx/config.nix +++ b/lass/1systems/styx/config.nix @@ -12,14 +12,17 @@ with import ; - # - # + + + + # - # - # + + # + ]; krebs.build.host = config.krebs.hosts.styx; @@ -27,6 +30,8 @@ with import ; krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p tcp --dport ${toString config.services.smokeping.port}"; target = "ACCEPT"; } ]; + krebs.power-action.enable = mkForce false; + services.smokeping = { enable = true; targetConfig = '' -- cgit v1.3.1 From 71206dc6a2852dd69664e85aa6dcb49676ec1f6e Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 24 Jan 2021 19:54:40 +0100 Subject: l archprism.r: RIP --- lass/1systems/archprism/config.nix | 54 ------------------------- lass/1systems/archprism/physical.nix | 77 ------------------------------------ 2 files changed, 131 deletions(-) delete mode 100644 lass/1systems/archprism/config.nix delete mode 100644 lass/1systems/archprism/physical.nix (limited to 'lass/1systems') diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix deleted file mode 100644 index 0a2ab1611..000000000 --- a/lass/1systems/archprism/config.nix +++ /dev/null @@ -1,54 +0,0 @@ -{ config, lib, pkgs, ... }: -with import ; - -{ - imports = [ - - - - { # TODO make new hfos.nix out of this vv - boot.kernel.sysctl."net.ipv4.ip_forward" = 1; - users.users.riot = { - uid = genid_uint31 "riot"; - isNormalUser = true; - extraGroups = [ "libvirtd" ]; - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" - ]; - }; - - # TODO write function for proxy_pass (ssl/nonssl) - - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.179"; target = "ACCEPT"; } - ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.179"; } - ]; - } - - { - services.taskserver = { - enable = true; - fqdn = "lassul.us"; - listenHost = "::"; - listenPort = 53589; - organisations.lass.users = [ "lass" "android" ]; - }; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } - ]; - } - { - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} - ]; - } - ]; - - krebs.build.host = config.krebs.hosts.archprism; - services.earlyoom = { - enable = true; - freeMemThreshold = 5; - }; -} diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix deleted file mode 100644 index 36de7dc17..000000000 --- a/lass/1systems/archprism/physical.nix +++ /dev/null @@ -1,77 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - imports = [ - ./config.nix - { - boot.kernelParams = [ "net.ifnames=0" ]; - networking = { - defaultGateway = "46.4.114.225"; - # Use google's public DNS server - nameservers = [ "8.8.8.8" ]; - interfaces.eth0 = { - ipAddress = "46.4.114.247"; - prefixLength = 27; - }; - }; - # TODO use this network config - networking.interfaces.eth0.ipv4.addresses = [ - { - address = config.krebs.build.host.nets.internet.ip4.addr; - prefixLength = 27; - } - { - address = "46.4.114.243"; - prefixLength = 27; - } - ]; - #networking.defaultGateway = "46.4.114.225"; - #networking.nameservers = [ - # "8.8.8.8" - #]; - #services.udev.extraRules = '' - # SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" - #''; - } - { - imports = [ ]; - - networking.hostId = "fb4173ea"; - boot.loader.grub = { - devices = [ - "/dev/sda" - "/dev/sdb" - ]; - splashImage = null; - }; - - boot.initrd.availableKernelModules = [ - "ata_piix" - "vmw_pvscsi" - "ahci" "sd_mod" - ]; - - boot.kernelModules = [ "kvm-intel" ]; - - sound.enable = false; - nixpkgs.config.allowUnfree = true; - time.timeZone = "Europe/Berlin"; - - fileSystems."/" = { - device = "rpool/root/nixos"; - fsType = "zfs"; - }; - - fileSystems."/home" = { - device = "rpool/home"; - fsType = "zfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d"; - fsType = "ext4"; - }; - - } - ]; - -} -- cgit v1.3.1