From 55df7c1df55aaa8dc3f48ae83dbd87ce4d3057ba Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 22 Mar 2016 17:40:59 +0100 Subject: l 1 mors: remove broken pythonenv container --- lass/1systems/mors.nix | 33 --------------------------------- 1 file changed, 33 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 1f7a13c56..9b5c92ff3 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -98,39 +98,6 @@ # { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; } # ]; #} - { - containers.pythonenv = { - config = { - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - ]; - - environment = { - systemPackages = with pkgs; [ - git - libxml2 - libxslt - libzip - python27Full - python27Packages.buildout - stdenv - zlib - ]; - - pathsToLink = [ "/include" ]; - - shellInit = '' - # help pip to find libz.so when building lxml - export LIBRARY_PATH=/var/run/current-system/sw/lib - # ditto for header files, e.g. sqlite - export C_INCLUDE_PATH=/var/run/current-system/sw/include - ''; - }; - - }; - }; - } { services.mysql = { enable = true; -- cgit v1.3.1 From c4350d4f28b3a021791b70d104848f3419ffc498 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 00:18:51 +0200 Subject: l 1 prism: add new mount for o.ubikmedia.de --- lass/1systems/prism.nix | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 4d40c8d59..9eb1d54d3 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -79,6 +79,10 @@ in { device = "/dev/pool/download"; }; + fileSystems."/srv/http/o.ubikmedia.de" = { + device = "/dev/pool/owncloud-ubik"; + }; + } { sound.enable = false; -- cgit v1.3.1 From fae50b203d7d3211eec1221fb07f97416edc729c Mon Sep 17 00:00:00 2001 
From: lassulus Date: Sat, 9 Apr 2016 00:36:22 +0200 Subject: l 1 prism: update JuiceSSH key --- lass/1systems/prism.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 9eb1d54d3..db4f1f606 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -123,7 +123,7 @@ in { } { users.users.chat.openssh.authorizedKeys.keys = [ - "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAFhFJUMTfPbv3SzqlT9S67Av/m/ctLfTd3mMhD4O9hZc+t+dZmaHWj3v1KujzMBiDp3Yfo2YdVVZLTwTluHD8yNoQH418Vm01nrYHwOsc5J0br3mb0URZSstPiz6/6Fc+PNCDfQ2skUAWUidWiH+JolROFQ4y2lfpLOw+wsK2jj+Gqx6w== JuiceSSH" + "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBBQjn/3n283RZkBs2CFqbpukyQ3zkLIjewRpKttPa5d4PUiT7/vOlutWH5EP4BxXQSoeZStx8D2alGjxfK+nfDvRJGGofpm23cN4j4i24Fcam1y1H7wqRXO1qbz5AB3qPg== JuiceSSH" config.krebs.users.lass-uriel.pubkey ]; } -- cgit v1.3.1 From 38e5cc513cabd4a145bb78db71aa7387bb4278fa Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 00:36:38 +0200 Subject: l 1 prism: allow https in iptables --- lass/1systems/prism.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index db4f1f606..4f6770c38 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -136,7 +136,8 @@ in { ../2configs/websites/domsen.nix ]; krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp --dport 80"; target = "ACCEPT"; } + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + { predicate = "-p tcp --dport https"; target = "ACCEPT"; } ]; } { -- cgit v1.3.1 From 5268f22ee99672a2185b959231208a23fd24f073 Mon Sep 17 00:00:00 2001 
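Review bot: The replaced `chat` authorized key in prism.nix carries only the `JuiceSSH` comment, so nothing in the file says why the nistp521 key was retired or whether it is still trusted anywhere else. If the old key was replaced because the device changed hands, check that it does not survive in another `authorizedKeys` list (none is visible in this hunk), and record the rotation so a later audit can tell an intentional rotation from a stray edit, e.g. `# JuiceSSH key, rotated 2016-04-09; supersedes the earlier nistp521 key`. If the `chat` account only needs an interactive session, key options such as `no-port-forwarding` on this entry would narrow what the key can do; that is a guess at the account's use, which the hunk does not show.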
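Review bot: The `--dport http` / `--dport https` ACCEPT pair added to prism.nix here is repeated verbatim in the dishfire.nix hunk of commit e1140ef later in this series, each time beside a `websites/*.nix` import, so the two copies can drift apart. Letting the website module (or one shared `2configs` snippet) declare the rules it needs keeps the open ports tied to the site that needs them, so a host cannot import a site without its ports or open ports with no site behind them. Changing the existing rule from `80` to the `http` service name is fine; iptables resolves service names through /etc/services.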
From: lassulus Date: Sat, 9 Apr 2016 00:43:33 +0200 Subject: l 2 fastpoke-pages: remove file --- lass/1systems/cloudkrebs.nix | 1 - lass/2configs/fastpoke-pages.nix | 101 --------------------------------------- 2 files changed, 102 deletions(-) delete mode 100644 lass/2configs/fastpoke-pages.nix (limited to 'lass/1systems') diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 98f509050..fb949ce33 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix @@ -11,7 +11,6 @@ in { ../2configs/os-templates/CAC-CentOS-7-64bit.nix ../2configs/base.nix ../2configs/retiolum.nix - ../2configs/fastpoke-pages.nix ../2configs/git.nix ../2configs/realwallpaper.nix { diff --git a/lass/2configs/fastpoke-pages.nix b/lass/2configs/fastpoke-pages.nix deleted file mode 100644 index bf6ea8952..000000000 --- a/lass/2configs/fastpoke-pages.nix +++ /dev/null 
@@ -1,101 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; - -let - createStaticPage = domain: - { - krebs.nginx.servers."${domain}" = { - server-names = [ - "${domain}" - "www.${domain}" - ]; - locations = [ - (nameValuePair "/" '' - root /var/lib/http/${domain}; - '') - ]; - }; - #networking.extraHosts = '' - # 10.243.206.102 ${domain} - #''; - users.extraUsers = { - ${domain} = { - name = domain; - home = "/var/lib/http/${domain}"; - createHome = true; - }; - }; - }; - -in { - imports = map createStaticPage [ - "habsys.de" - "pixelpocket.de" - "karlaskop.de" - "ubikmedia.de" - "apanowicz.de" - ]; - - krebs.iptables = { - tables = { - filter.INPUT.rules = [ - { predicate = "-p tcp --dport http"; target = "ACCEPT"; } - ]; - }; - }; - - - krebs.nginx = { - enable = true; - servers = { - #"habsys.de" = { - # server-names = [ - # "habsys.de" - # "www.habsys.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/habsys.de; - # '') - # ]; - #}; - - #"karlaskop.de" = { - # server-names = [ - # "karlaskop.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - #"pixelpocket.de" = { - # server-names = [ - # "pixelpocket.de" - # "www.karlaskop.de" - # ]; - # locations = [ - # (nameValuePair "/" '' - # root /var/lib/http/karlaskop.de; - # '') - # ]; - #}; - - }; - }; - - #services.postgresql = { - # enable = true; - #}; - - #config.services.vsftpd = { - # enable = true; - # userlistEnable = true; - # userlistFile = pkgs.writeFile "vsftpd-userlist" '' - # ''; - #}; -} -- cgit v1.3.1 From 5a85d6b6964a0906df0d562b03415217f50aa17d Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:14:19 +0200 Subject: l 1 dishfire: add mount for /srv/http --- lass/1systems/dishfire.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index c7d016cd3..7043809a5 100644 
--- a/lass/1systems/dishfire.nix +++ b/lass/1systems/dishfire.nix @@ -26,6 +26,11 @@ fsType = "ext4"; }; + fileSystems."/srv/http" = { + device = "/dev/pool/srv_http"; + fsType = "ext4"; + }; + fileSystems."/boot" = { device = "/dev/vda1"; fsType = "ext4"; -- cgit v1.3.1 From b8b7ba2890d658081c59bd3d5e2f143f825e47e7 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 9 Apr 2016 14:16:07 +0200 Subject: l 1 mors: remove old test cases --- lass/1systems/mors.nix | 74 -------------------------------------------------- 1 file changed, 74 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 9b5c92ff3..4fa8e412d 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix 
@@ -33,71 +33,6 @@ { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; } ]; } - { - #static-nginx-test - imports = [ - ../3modules/static_nginx.nix - ]; - lass.staticPage."testserver.de" = { - #sslEnable = true; - #certificate = "${toString }/testserver.de/server.cert"; - #certificate_key = "${toString }/testserver.de/server.pem"; - ssl = { - enable = true; - certificate = "${toString }/testserver.de/server.cert"; - certificate_key = "${toString }/testserver.de/server.pem"; - }; - }; - networking.extraHosts = '' - 10.243.0.2 testserver.de - ''; - } - #{ - # #wordpress-test - # #imports = singleton (sitesGenerators.createWordpress "testserver.de"); - # imports = [ - # ../3modules/wordpress_nginx.nix - # ]; - # lass.wordpress."testserver.de" = { - # multiSite = { - # "1" = "testserver.de"; - # "2" = "bla.testserver.de"; - # }; - # }; - - # services.mysql = { - # enable = true; - # package = pkgs.mariadb; - # rootPassword = "/mysql_rootPassword"; - # }; - # networking.extraHosts = '' - # 10.243.0.2 testserver.de - # ''; - # krebs.iptables.tables.filter.INPUT.rules = [ - # { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; } - # ]; - #} - #{ - # #owncloud-test - # #imports = singleton (sitesGenerators.createWordpress "testserver.de"); - # imports = [ - # ../3modules/owncloud_nginx.nix - # ]; - # lass.owncloud."owncloud-test.de" = { - # }; - - # #services.mysql = { - # # enable = true; - # # package = pkgs.mariadb; - # # rootPassword = "/mysql_rootPassword"; - # #}; - # networking.extraHosts = '' - # 10.243.0.2 owncloud-test.de - # ''; - # krebs.iptables.tables.filter.INPUT.rules = [ - # { predicate = "-i retiolum -p tcp --dport 80"; target = "ACCEPT"; precedence = 9998; } - # ]; - #} { services.mysql = { enable = true; 
@@ -125,15 +60,6 @@ networking.wireless.enable = true; - networking.extraHosts = '' - 213.239.205.240 wohnprojekt-rhh.de - 213.239.205.240 karlaskop.de - 213.239.205.240 makeup.apanowicz.de - 213.239.205.240 pixelpocket.de - 213.239.205.240 reich-gebaeudereinigung.de - 213.239.205.240 o.ubikmedia.de - ''; - hardware.enableAllFirmware = true; nixpkgs.config.allowUnfree = true; -- cgit v1.3.1 From c60d7637bd84ab0fc34798f68544d02c34da88c9 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:43:25 +0200 Subject: l 1 mors: /mnt/backup is now /bku --- lass/1systems/mors.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 4fa8e412d..0d8db212a 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -99,7 +99,7 @@ fsType = "ext4"; }; - "/mnt/backups" = { + "/bku" = { device = "/dev/big/backups"; fsType = "ext4"; }; -- cgit v1.3.1 From 375277a3c67102fc887b7b67837c8977035d8227 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 11 Apr 2016 16:43:52 +0200 Subject: l 1 prism: new fileschema for better backups --- lass/1systems/prism.nix | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 80dd8c4e9..09a802b53 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -77,8 +77,16 @@ in { device = "/dev/pool/download"; }; - fileSystems."/srv/http/o.ubikmedia.de" = { - device = "/dev/pool/owncloud-ubik"; + fileSystems."/srv/http" = { + device = "/dev/pool/http"; + }; + + fileSystems."/srv/o.ubikmedia.de-data" = { + device = "/dev/pool/owncloud-ubik-data"; + }; + + fileSystems."/bku" = { + device = "/dev/pool/bku"; }; } -- cgit v1.3.1 From 0a5f8b64b2b34e7d24ee9e7573eebd7937341e01 Mon Sep 17 00:00:00 2001 
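Review bot: The three `fileSystems` entries added to prism.nix (`/srv/http`, `/srv/o.ubikmedia.de-data`, `/bku`) give a `device` but no `fsType`, while the `/bku` mounts added to dishfire, uriel and helios in this same series spell out `fsType = "ext4"`; the earlier `/srv/http/o.ubikmedia.de` hunk for prism in commit c4350d4 has the same omission. Without an explicit type the mount relies on mount-time autodetection, so a wrong or wiped volume is not rejected; adding `fsType = "ext4";` to each entry (assuming these pools are ext4 like the other hosts') makes the intent explicit and the hosts consistent. The ownCloud data also moves from under `/srv/http/` to `/srv/o.ubikmedia.de-data` and the device name changes from `owncloud-ubik` to `owncloud-ubik-data`, so presumably the data was migrated separately; a one-line comment naming the new layout would help the next reader.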
From: lassulus Date: Mon, 11 Apr 2016 16:47:06 +0200 Subject: l 1 uriel: add /bku --- lass/1systems/uriel.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index 4e4eca21f..8bb2348e6 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix @@ -47,6 +47,11 @@ with builtins; fsType = "ext4"; }; + "/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; + "/boot" = { device = "/dev/sda1"; }; -- cgit v1.3.1 From fa039a83d8c2d5f2756856794461ac9795a6ee11 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 12 Apr 2016 15:17:42 +0200 Subject: l 1 *: import exim config from l 2 exim-* --- lass/1systems/cloudkrebs.nix | 1 + lass/1systems/dishfire.nix | 1 + lass/1systems/echelon.nix | 1 + lass/1systems/helios.nix | 1 + lass/1systems/mors.nix | 1 + lass/1systems/prism.nix | 1 + lass/1systems/uriel.nix | 1 + 7 files changed, 7 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 636d6a855..82c172050 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix @@ -9,6 +9,7 @@ in { ../. ../2configs/os-templates/CAC-CentOS-7-64bit.nix ../2configs/base.nix + ../2configs/exim-retiolum.nix ../2configs/retiolum.nix ../2configs/git.nix ../2configs/realwallpaper.nix diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index 7043809a5..04ebca588 100644 --- a/lass/1systems/dishfire.nix +++ b/lass/1systems/dishfire.nix @@ -5,6 +5,7 @@ ../. ../2configs/base.nix + ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/websites/fritz.nix { diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index 80611ee80..e2fa1c5f4 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix 
@@ -9,6 +9,7 @@ in { ../. ../2configs/os-templates/CAC-CentOS-7-64bit.nix ../2configs/base.nix + ../2configs/exim-retiolum.nix ../2configs/retiolum.nix ../2configs/realwallpaper-server.nix ../2configs/privoxy-retiolum.nix diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index cc98c2c5b..0c7c0d8e3 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -5,6 +5,7 @@ with builtins; imports = [ ../. ../2configs/baseX.nix + ../2configs/exim-retiolum.nix ../2configs/browsers.nix ../2configs/programs.nix ../2configs/git.nix diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 0d8db212a..18f86ef91 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -4,6 +4,7 @@ imports = [ ../. ../2configs/baseX.nix + ../2configs/exim-retiolum.nix ../2configs/programs.nix ../2configs/bitcoin.nix ../2configs/browsers.nix diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 09a802b53..e1743c997 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -6,6 +6,7 @@ in { imports = [ ../. ../2configs/base.nix + ../2configs/exim-smarthost.nix ../2configs/downloading.nix ../2configs/git.nix ../2configs/ts3.nix diff --git a/lass/1systems/uriel.nix b/lass/1systems/uriel.nix index 8bb2348e6..92996c181 100644 --- a/lass/1systems/uriel.nix +++ b/lass/1systems/uriel.nix @@ -5,6 +5,7 @@ with builtins; imports = [ ../. ../2configs/baseX.nix + ../2configs/exim-retiolum.nix ../2configs/browsers.nix ../2configs/games.nix ../2configs/pass.nix -- cgit v1.3.1 From 4382ba5b9ddad77a1e0f44b5ff88862678a5d33e Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:27:41 +0200 Subject: l 1 dishfire: add /bku mount --- lass/1systems/dishfire.nix | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index 04ebca588..532ccb29a 100644 --- a/lass/1systems/dishfire.nix +++ b/lass/1systems/dishfire.nix 
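Review bot: prism.nix is the only host in this commit that imports `exim-smarthost.nix` instead of `exim-retiolum.nix`, and nothing in the hunk says why prism takes the smarthost role. The shared `default.nix` in this series sets `filter.INPUT.policy = "DROP"` and accepts only established traffic, icmp, lo and ssh, so a smarthost that receives mail from the other hosts needs an smtp ACCEPT that is not visible here; presumably `exim-smarthost.nix` adds it, but that file is not on this page, so it is worth confirming. A comment above the import, e.g. `# prism is the mail smarthost for the other hosts; see 2configs/exim-smarthost.nix`, would record the intent.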
@@ -36,6 +36,10 @@ device = "/dev/vda1"; fsType = "ext4"; }; + fileSystems."/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; } { networking.dhcpcd.allowInterfaces = [ -- cgit v1.3.1 From 8a8d2c8ec979b30901e69cb6a0d063968b5c42b6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:29:13 +0200 Subject: l 1 mors: disable test dbs --- lass/1systems/mors.nix | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 18f86ef91..6e89b2957 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -34,26 +34,28 @@ { predicate = "-p tcp --dport 11100"; target = "ACCEPT"; } ]; } + #{ + # services.mysql = { + # enable = true; + # package = pkgs.mariadb; + # rootPassword = "/mysql_rootPassword"; + # }; + #} + #{ + # services.elasticsearch = { + # enable = true; + # plugins = [ + # # pkgs.elasticsearchPlugins.elasticsearch_kopf + # ]; + # }; + #} + #{ + # services.postgresql = { + # enable = true; + # package = pkgs.postgresql; + # }; + #} { - services.mysql = { - enable = true; - package = pkgs.mariadb; - rootPassword = "/mysql_rootPassword"; - }; - } - { - services.elasticsearch = { - enable = true; - plugins = [ - # pkgs.elasticsearchPlugins.elasticsearch_kopf - ]; - }; - } - { - services.postgresql = { - enable = true; - package = pkgs.postgresql; - }; } ]; -- cgit v1.3.1 From 7cd2fe545b80507c6b5393b6e47f19ed4dfb312f Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:47:47 +0200 Subject: l 1 mors: add some pkgs --- lass/1systems/mors.nix | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 6e89b2957..bdc9c3242 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -189,6 +189,9 @@ get teamspeak_client hashPassword + urban + mk_sql_pair + skype ]; #TODO: fix this shit -- cgit v1.3.1 
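Review bot: After the three database blocks in mors.nix are commented out, the new side still keeps an empty `{` `}` element in the `imports` list where `services.mysql` used to be; it is harmless but reads as a leftover, so drop it. The commented-out mysql, elasticsearch and postgresql blocks are dead code that git history already preserves, and an earlier commit in this series (`l 1 mors: remove old test cases`) took the opposite approach and deleted such blocks outright; pick one convention. If the intent is to keep them switchable, a `lib.mkIf` guard on a single flag is clearer than comment markers.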
From 9717e5a2e0cb5b0bf9fae0ec62423af30ecd2051 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 13 Apr 2016 16:48:00 +0200 Subject: l 1 dishfire: add mk_sql_pair pkg --- lass/1systems/dishfire.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index 532ccb29a..4e3b84bd0 100644 --- a/lass/1systems/dishfire.nix +++ b/lass/1systems/dishfire.nix @@ -50,6 +50,11 @@ { sound.enable = false; } + { + environment.systemPackages = with pkgs; [ + mk_sql_pair + ]; + } ]; krebs.build.host = config.krebs.hosts.dishfire; -- cgit v1.3.1 From 3b2cb2a3f73ad58c489ae854f829d5a4bf723e17 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 15 Apr 2016 14:39:03 +0200 Subject: l 2: base.nix -> default.nix --- lass/1systems/cloudkrebs.nix | 2 +- lass/1systems/dishfire.nix | 2 +- lass/1systems/echelon.nix | 2 +- lass/1systems/prism.nix | 2 +- lass/2configs/base.nix | 200 ------------------------------------------- lass/2configs/baseX.nix | 2 +- lass/2configs/default.nix | 200 +++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 205 insertions(+), 205 deletions(-) delete mode 100644 lass/2configs/base.nix create mode 100644 lass/2configs/default.nix (limited to 'lass/1systems') diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 82c172050..1bfb11502 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix @@ -8,7 +8,7 @@ in { imports = [ ../. ../2configs/os-templates/CAC-CentOS-7-64bit.nix - ../2configs/base.nix + ../2configs/default.nix ../2configs/exim-retiolum.nix ../2configs/retiolum.nix ../2configs/git.nix diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index 4e3b84bd0..dd1d1e541 100644 --- a/lass/1systems/dishfire.nix +++ b/lass/1systems/dishfire.nix @@ -4,7 +4,7 @@ imports = [ ../. - ../2configs/base.nix + ../2configs/default.nix ../2configs/exim-retiolum.nix ../2configs/git.nix ../2configs/websites/fritz.nix 
diff --git a/lass/1systems/echelon.nix b/lass/1systems/echelon.nix index e2fa1c5f4..97734a7bd 100644 --- a/lass/1systems/echelon.nix +++ b/lass/1systems/echelon.nix @@ -8,7 +8,7 @@ in { imports = [ ../. ../2configs/os-templates/CAC-CentOS-7-64bit.nix - ../2configs/base.nix + ../2configs/default.nix ../2configs/exim-retiolum.nix ../2configs/retiolum.nix ../2configs/realwallpaper-server.nix diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index e1743c997..6b674a10f 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -5,7 +5,7 @@ let in { imports = [ ../. - ../2configs/base.nix + ../2configs/default.nix ../2configs/exim-smarthost.nix ../2configs/downloading.nix ../2configs/git.nix diff --git a/lass/2configs/base.nix b/lass/2configs/base.nix deleted file mode 100644 index 8c6078ba5..000000000 --- a/lass/2configs/base.nix +++ /dev/null 
@@ -1,200 +0,0 @@ -{ config, lib, pkgs, ... }: - -with config.krebs.lib; -{ - imports = [ - ../2configs/vim.nix - ../2configs/zsh.nix - ../2configs/mc.nix - ../2configs/retiolum.nix - ./backups.nix - { - users.extraUsers = - mapAttrs (_: h: { hashedPassword = h; }) - (import ); - } - { - users.extraUsers = { - root = { - openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - config.krebs.users.lass-uriel.pubkey - ]; - }; - mainUser = { - name = "lass"; - uid = 1337; - home = "/home/lass"; - group = "users"; - createHome = true; - useDefaultShell = true; - extraGroups = [ - ]; - openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey - config.krebs.users.lass-uriel.pubkey - ]; - }; - }; - } - ]; - - networking.hostName = config.krebs.build.host.name; - nix.maxJobs = config.krebs.build.host.cores; - - krebs = { - enable = true; - search-domain = "retiolum"; - build = { - user = config.krebs.users.lass; - source = mapAttrs (_: mkDefault) ({ - nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix"; - secrets = "/home/lass/secrets/${config.krebs.build.host.name}"; - #secrets-common = "/home/lass/secrets/common"; - stockholm = "/home/lass/stockholm"; - nixpkgs = { - url = https://github.com/NixOS/nixpkgs; - rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819"; - dev = "/home/lass/src/nixpkgs"; - }; - } // optionalAttrs config.krebs.build.host.secure { - #secrets-master = "/home/lass/secrets/master"; - }); - }; - }; - - nix.useChroot = true; - - users.mutableUsers = false; - - services.timesyncd.enable = true; - - #why is this on in the first place? 
- services.nscd.enable = false; - - boot.tmpOnTmpfs = true; - # see tmpfiles.d(5) - systemd.tmpfiles.rules = [ - "d /tmp 1777 root root - -" - ]; - - # multiple-definition-problem when defining environment.variables.EDITOR - environment.extraInit = '' - EDITOR=vim - MANPAGER=most - ''; - - nixpkgs.config.allowUnfree = true; - - environment.systemPackages = with pkgs; [ - #stockholm - git - gnumake - jq - parallel - proot - - #style - most - rxvt_unicode.terminfo - - #monitoring tools - htop - iotop - - #network - iptables - - #stuff for dl - aria2 - - #neat utils - krebspaste - - #unpack stuff - p7zip - unzip - unrar - ]; - - programs.bash = { - enableCompletion = true; - interactiveShellInit = '' - HISTCONTROL='erasedups:ignorespace' - HISTSIZE=65536 - HISTFILESIZE=$HISTSIZE - - shopt -s checkhash - shopt -s histappend histreedit histverify - shopt -s no_empty_cmd_completion - complete -d cd - - #fancy colors - if [ -e ~/LS_COLORS ]; then - eval $(dircolors ~/LS_COLORS) - fi - - if [ -e /etc/nixos/dotfiles/link ]; then - /etc/nixos/dotfiles/link - fi - ''; - promptInit = '' - if test $UID = 0; then - PS1='\[\033[1;31m\]\w\[\033[0m\] ' - elif test $UID = 1337; then - PS1='\[\033[1;32m\]\w\[\033[0m\] ' - else - PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' - fi - if test -n "$SSH_CLIENT"; then - PS1='\[\033[35m\]\h'" $PS1" - fi - ''; - }; - - services.openssh = { - enable = true; - hostKeys = [ - # XXX bits here make no science - { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } - ]; - }; - - services.journald.extraConfig = '' - SystemMaxUse=1G - RuntimeMaxUse=128M - ''; - - krebs.iptables = { - enable = true; - tables = { - nat.PREROUTING.rules = [ - { predicate = "! 
-i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } - { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } - ]; - nat.OUTPUT.rules = [ - { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } - ]; - filter.INPUT.policy = "DROP"; - filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } - { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } - { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - { predicate = "-i retiolum"; target = "REJECT"; precedence = -10000; } - ]; - }; - }; - - networking.dhcpcd.extraConfig = '' - noipv4ll - ''; - - #CVE-2016-0777 and CVE-2016-0778 workaround - #https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt - programs.ssh.extraConfig = '' - UseRoaming no - ''; - -} diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 6c52240af..1e28fdccc 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -4,7 +4,7 @@ let mainUser = config.users.extraUsers.mainUser; in { imports = [ - ./base.nix + ./default.nix #./urxvt.nix ./xserver ]; diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix new file mode 100644 index 000000000..8c6078ba5 --- /dev/null +++ b/lass/2configs/default.nix 
@@ -0,0 +1,200 @@ +{ config, lib, pkgs, ... }: + +with config.krebs.lib; +{ + imports = [ + ../2configs/vim.nix + ../2configs/zsh.nix + ../2configs/mc.nix + ../2configs/retiolum.nix + ./backups.nix + { + users.extraUsers = + mapAttrs (_: h: { hashedPassword = h; }) + (import ); + } + { + users.extraUsers = { + root = { + openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + config.krebs.users.lass-uriel.pubkey + ]; + }; + mainUser = { + name = "lass"; + uid = 1337; + home = "/home/lass"; + group = "users"; + createHome = true; + useDefaultShell = true; + extraGroups = [ + ]; + openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + config.krebs.users.lass-uriel.pubkey + ]; + }; + }; + } + ]; + + networking.hostName = config.krebs.build.host.name; + nix.maxJobs = config.krebs.build.host.cores; + + krebs = { + enable = true; + search-domain = "retiolum"; + build = { + user = config.krebs.users.lass; + source = mapAttrs (_: mkDefault) ({ + nixos-config = "symlink:stockholm/lass/1systems/${config.krebs.build.host.name}.nix"; + secrets = "/home/lass/secrets/${config.krebs.build.host.name}"; + #secrets-common = "/home/lass/secrets/common"; + stockholm = "/home/lass/stockholm"; + nixpkgs = { + url = https://github.com/NixOS/nixpkgs; + rev = "e781a8257b4312f6b138c7d0511c77d8c06ed819"; + dev = "/home/lass/src/nixpkgs"; + }; + } // optionalAttrs config.krebs.build.host.secure { + #secrets-master = "/home/lass/secrets/master"; + }); + }; + }; + + nix.useChroot = true; + + users.mutableUsers = false; + + services.timesyncd.enable = true; + + #why is this on in the first place? 
+ services.nscd.enable = false; + + boot.tmpOnTmpfs = true; + # see tmpfiles.d(5) + systemd.tmpfiles.rules = [ + "d /tmp 1777 root root - -" + ]; + + # multiple-definition-problem when defining environment.variables.EDITOR + environment.extraInit = '' + EDITOR=vim + MANPAGER=most + ''; + + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + #stockholm + git + gnumake + jq + parallel + proot + + #style + most + rxvt_unicode.terminfo + + #monitoring tools + htop + iotop + + #network + iptables + + #stuff for dl + aria2 + + #neat utils + krebspaste + + #unpack stuff + p7zip + unzip + unrar + ]; + + programs.bash = { + enableCompletion = true; + interactiveShellInit = '' + HISTCONTROL='erasedups:ignorespace' + HISTSIZE=65536 + HISTFILESIZE=$HISTSIZE + + shopt -s checkhash + shopt -s histappend histreedit histverify + shopt -s no_empty_cmd_completion + complete -d cd + + #fancy colors + if [ -e ~/LS_COLORS ]; then + eval $(dircolors ~/LS_COLORS) + fi + + if [ -e /etc/nixos/dotfiles/link ]; then + /etc/nixos/dotfiles/link + fi + ''; + promptInit = '' + if test $UID = 0; then + PS1='\[\033[1;31m\]\w\[\033[0m\] ' + elif test $UID = 1337; then + PS1='\[\033[1;32m\]\w\[\033[0m\] ' + else + PS1='\[\033[1;33m\]\u@\w\[\033[0m\] ' + fi + if test -n "$SSH_CLIENT"; then + PS1='\[\033[35m\]\h'" $PS1" + fi + ''; + }; + + services.openssh = { + enable = true; + hostKeys = [ + # XXX bits here make no science + { bits = 8192; type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; } + ]; + }; + + services.journald.extraConfig = '' + SystemMaxUse=1G + RuntimeMaxUse=128M + ''; + + krebs.iptables = { + enable = true; + tables = { + nat.PREROUTING.rules = [ + { predicate = "! 
-i retiolum -p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } + { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } + ]; + nat.OUTPUT.rules = [ + { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } + ]; + filter.INPUT.policy = "DROP"; + filter.FORWARD.policy = "DROP"; + filter.INPUT.rules = [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } + { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } + { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } + { predicate = "-i retiolum"; target = "REJECT"; precedence = -10000; } + ]; + }; + }; + + networking.dhcpcd.extraConfig = '' + noipv4ll + ''; + + #CVE-2016-0777 and CVE-2016-0778 workaround + #https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt + programs.ssh.extraConfig = '' + UseRoaming no + ''; + +} -- cgit v1.3.1 From 49dcb0771e2e0f2592e356e22f9b784b7ec1a158 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 15 Apr 2016 16:15:22 +0200 Subject: l 1 prism: import privoxy config --- lass/1systems/prism.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 6b674a10f..233ae564c 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -12,6 +12,7 @@ in { ../2configs/ts3.nix ../2configs/bitlbee.nix ../2configs/weechat.nix + ../2configs/privoxy-retiolum.nix { users.extraGroups = { # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories -- cgit v1.3.1 From 9a8179c39069a290433add4c8829eceb8a726e98 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Fri, 15 Apr 2016 16:16:36 +0200 Subject: l 1 prism: disable tor client mode --- lass/1systems/prism.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 233ae564c..3eb208935 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -151,7 +151,6 @@ in { { services.tor = { enable = true; - client.enable = true; }; } ]; -- cgit v1.3.1 From 6584cf5b92422c525a60dda5f8381fb10ec763bc Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Apr 2016 12:06:13 +0200 Subject: l 1 prism: import buildbot-standalone --- lass/1systems/prism.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 3eb208935..2587a8b6e 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -13,6 +13,7 @@ in { ../2configs/bitlbee.nix ../2configs/weechat.nix ../2configs/privoxy-retiolum.nix + ../2configs/buildbot-standalone.nix { users.extraGroups = { # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories -- cgit v1.3.1 From e1140ef7ea4c644707b24911f779c276a14a268e Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Apr 2016 13:22:43 +0200 Subject: l 1 dishfire: open http[s] ports --- lass/1systems/dishfire.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/dishfire.nix b/lass/1systems/dishfire.nix index dd1d1e541..b5e551952 100644 --- a/lass/1systems/dishfire.nix +++ b/lass/1systems/dishfire.nix @@ -7,7 +7,6 @@ ../2configs/default.nix ../2configs/exim-retiolum.nix ../2configs/git.nix - ../2configs/websites/fritz.nix { boot.loader.grub = { device = "/dev/vda"; 
@@ -55,6 +54,15 @@ mk_sql_pair ]; } + { + imports = [ + ../2configs/websites/fritz.nix + ]; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + { predicate = "-p tcp --dport https"; target = "ACCEPT"; } + ]; + } ]; krebs.build.host = config.krebs.hosts.dishfire; -- cgit v1.3.1 From cafbb3102b53c925734dcc48ac30f87e972ee3f4 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Apr 2016 13:23:49 +0200 Subject: l 1 mors: import mail.nix --- lass/1systems/mors.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index bdc9c3242..e0efa4cb3 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -27,6 +27,7 @@ ../2configs/libvirt.nix ../2configs/fetchWallpaper.nix ../2configs/cbase.nix + ../2configs/mail.nix #../2configs/buildbot-standalone.nix { #risk of rain port -- cgit v1.3.1 From 99d6704398ad24bb42b0dc0a9ca12620caa0220a Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 19 Apr 2016 15:44:34 +0200 Subject: l 1 prism: override nixpkgs for buildbot --- lass/1systems/prism.nix | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 2587a8b6e..4c0b4e690 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -13,7 +13,16 @@ in { ../2configs/bitlbee.nix ../2configs/weechat.nix ../2configs/privoxy-retiolum.nix - ../2configs/buildbot-standalone.nix + { + #we need to use old sqlite for buildbot + imports = [ + ../2configs/buildbot-standalone.nix + ]; + krebs.build.source.nixpkgs = lib.mkForce { + url = https://github.com/NixOS/nixpkgs; + rev = "0d05f172b27e94d9eea3257f42d7e03371e63acc"; + }; + } { users.extraGroups = { # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories -- cgit v1.3.1 From d4cb24edb28d4662b98a7f1dc4bf4ed8b4e89f23 Mon Sep 17 00:00:00 2001 
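Review bot: The two added INPUT rules carry no interface match and no `precedence`, so unless the krebs.iptables module orders unprioritised rules ahead of an interface-scoped reject, they accept tcp/http and tcp/https on every interface of dishfire, not only the public one — compare the `-i retiolum` qualifiers the prism rules use earlier on this page. If exposing the fritz.nix site on all interfaces is intended, say so where the rule lives: `# fritz.nix site: web ports accepted on all interfaces, not just the public one`. Otherwise add the `-i` match (or an explicit `precedence`) so the ordering does not depend on module defaults.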
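Review bot: `krebs.build.source.nixpkgs = lib.mkForce { … rev = "0d05f172…"; }` pins the whole host's nixpkgs to one revision, not just buildbot's dependencies, so every package on prism stops receiving nixpkgs fixes for as long as the override lives; the comment only explains the sqlite reason, not when the pin may go. Record the exit condition next to it so the pin does not outlive its reason, e.g. `#TODO: drop this pin once buildbot builds against current sqlite — it freezes ALL of prism's nixpkgs, including security updates`. A later commit on this page does remove the override again, which is the pattern this comment would make routine rather than accidental.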
From: lassulus Date: Wed, 20 Apr 2016 16:45:15 +0200 Subject: l 1 mors: add krebs-pass --- lass/1systems/mors.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index e0efa4cb3..39225abf5 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -28,6 +28,7 @@ ../2configs/fetchWallpaper.nix ../2configs/cbase.nix ../2configs/mail.nix + ../2configs/krebs-pass.nix #../2configs/buildbot-standalone.nix { #risk of rain port -- cgit v1.3.1 From 2067d4efe941439d8ead5a452b20e96905bea020 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 27 Apr 2016 12:47:31 +0200 Subject: l 1 helios: mount /bku --- lass/1systems/helios.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 0c7c0d8e3..2437d4c6d 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -53,6 +53,11 @@ with builtins; "/boot" = { device = "/dev/sda1"; }; + + "/bku" = { + device = "/dev/pool/bku"; + fsType = "ext4"; + }; }; #services.udev.extraRules = '' -- cgit v1.3.1 From e5a82d2a2bf7f21f88c06c6e01647cddb92e063e Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 27 Apr 2016 12:48:50 +0200 Subject: l 1 helios: import fetchWallpaper --- lass/1systems/helios.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 2437d4c6d..97f03870c 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -10,6 +10,7 @@ with builtins; ../2configs/programs.nix ../2configs/git.nix ../2configs/pass.nix + ../2configs/fetchWallpaper.nix #{ # users.extraUsers = { # root = { -- cgit v1.3.1 From ee438ee8b638feb286d229f0df3fb7592afddde6 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 27 Apr 2016 12:49:21 +0200 Subject: l 1 helios: import backups --- lass/1systems/helios.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') 
diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index 97f03870c..bc210c995 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -11,6 +11,7 @@ with builtins; ../2configs/git.nix ../2configs/pass.nix ../2configs/fetchWallpaper.nix + ../2configs/backups.nix #{ # users.extraUsers = { # root = { -- cgit v1.3.1 From e4aea49d657a20f8ce4b2c29ade0d0336231699b Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 4 May 2016 17:19:57 +0200 Subject: l 1 mors: remove skype from pkgs --- lass/1systems/mors.nix | 1 - 1 file changed, 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 39225abf5..e12c8321f 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -193,7 +193,6 @@ hashPassword urban mk_sql_pair - skype ]; #TODO: fix this shit -- cgit v1.3.1 From 640886ed7f2ffd932948b74edd388ace7a4efe66 Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 9 May 2016 11:15:02 +0200 Subject: l 1 cloudkrebs: import privoxy-retiolum --- lass/1systems/cloudkrebs.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 1bfb11502..5aa35f5a7 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix @@ -13,6 +13,7 @@ in { ../2configs/retiolum.nix ../2configs/git.nix ../2configs/realwallpaper.nix + ../2configs/privoxy-retiolum.nix { networking.interfaces.enp2s1.ip4 = [ { -- cgit v1.3.1 From 1f3840bedc2ec40be704bbbff9acb615784b967f Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 17 May 2016 11:46:32 +0200 Subject: l 1 cloudkrebs: serve realwallpaper --- lass/1systems/cloudkrebs.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/cloudkrebs.nix b/lass/1systems/cloudkrebs.nix index 5aa35f5a7..a3cc9d7b3 100644 --- a/lass/1systems/cloudkrebs.nix +++ b/lass/1systems/cloudkrebs.nix 
@@ -13,6 +13,7 @@ in { ../2configs/retiolum.nix ../2configs/git.nix ../2configs/realwallpaper.nix + ../2configs/realwallpaper-server.nix ../2configs/privoxy-retiolum.nix { networking.interfaces.enp2s1.ip4 = [ -- cgit v1.3.1 From 0faab43d096053b455b7cb03518d47088ab98acf Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 17 May 2016 11:47:07 +0200 Subject: l 1 helios: add /home lv --- lass/1systems/helios.nix | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/helios.nix b/lass/1systems/helios.nix index bc210c995..10b00de47 100644 --- a/lass/1systems/helios.nix +++ b/lass/1systems/helios.nix @@ -56,6 +56,11 @@ with builtins; device = "/dev/sda1"; }; + "/home" = { + device = "/dev/pool/home"; + fsType = "ext4"; + }; + "/bku" = { device = "/dev/pool/bku"; fsType = "ext4"; -- cgit v1.3.1 From ac35c00c0454842b20146fad4be16fce628b6816 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 May 2016 00:02:10 +0200 Subject: l 1 prism: remove nixpkgs override --- lass/1systems/prism.nix | 4 ---- 1 file changed, 4 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 4c0b4e690..e69fc545f 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -18,10 +18,6 @@ in { imports = [ ../2configs/buildbot-standalone.nix ]; - krebs.build.source.nixpkgs = lib.mkForce { - url = https://github.com/NixOS/nixpkgs; - rev = "0d05f172b27e94d9eea3257f42d7e03371e63acc"; - }; } { users.extraGroups = { -- cgit v1.3.1 From 3c4c71436ade88ec1e6e74bd8af4b4d77a03884e Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 May 2016 00:02:29 +0200 Subject: l 1 prism: start ejabberd & acme --- lass/1systems/prism.nix | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index e69fc545f..406acda5b 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix 
@@ -2,6 +2,10 @@ let ip = config.krebs.build.host.nets.internet.ip4.addr; + + inherit (import ../../4lib { inherit lib pkgs; }) + manageCerts; + in { imports = [ ../. @@ -159,6 +163,38 @@ in { enable = true; }; } + { + security.acme = { + certs."lassul.us" = { + email = "lass@lassul.us"; + webroot = "/var/lib/acme/challenges/lassul.us"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + "full.pem" + ]; + user = "ejabberd"; + }; + }; + krebs.nginx.servers."lassul.us" = { + server-names = [ "lassul.us" ]; + locations = [ + (lib.nameValuePair "/.well-known/acme-challenge" '' + root /var/lib/acme/challenges/lassul.us/; + '') + ]; + }; + lass.ejabberd = { + enable = true; + hosts = [ "lassul.us" ]; + certfile = "/var/lib/acme/lassul.us/full.pem"; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; } + { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; } + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; -- cgit v1.3.1 From ba41135bfde877e619c85b77a2fe631b66a37184 Mon Sep 17 00:00:00 2001 From: lassulus Date: Fri, 20 May 2016 00:17:21 +0200 Subject: l 1: add shodan --- lass/1systems/shodan.nix | 57 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 lass/1systems/shodan.nix (limited to 'lass/1systems') diff --git a/lass/1systems/shodan.nix b/lass/1systems/shodan.nix new file mode 100644 index 000000000..873a580d9 --- /dev/null +++ b/lass/1systems/shodan.nix 
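Review bot: `manageCerts` is inherited from ../../4lib in the first hunk but never called in the second, which instead declares the lassul.us ACME cert by hand with settings that diverge from the library version visible later on this page (`user = "ejabberd"` plus a `"full.pem"` plugin, where the library uses `group = "nginx"` with `allowKeysForGroup`). Either route this through the helper and extend it, or drop the unused inherit so a reader is not led to believe the cert is managed centrally. `full.pem` is presumably the key-plus-chain bundle ejabberd reads via `certfile`, which makes the `user = "ejabberd"` ownership the only thing keeping the private key from other service accounts — worth a line: `# full.pem bundles the private key; owned by ejabberd so only that service can read it`. The iptables rules opening xmpp-client/xmpp-server have no interface match either, same remark as for dishfire above.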
@@ -0,0 +1,57 @@ +{ config, pkgs, ... }: + +with builtins; +{ + imports = [ + ../. + ../2configs/baseX.nix + ../2configs/exim-retiolum.nix + ../2configs/browsers.nix + ../2configs/programs.nix + ../2configs/fetchWallpaper.nix + ../2configs/backups.nix + #{ + # users.extraUsers = { + # root = { + # openssh.authorizedKeys.keys = map readFile [ + # ../../krebs/Zpubkeys/uriel.ssh.pub + # ]; + # }; + # }; + #} + ]; + + krebs.build.host = config.krebs.hosts.shodan; + + networking.wireless.enable = true; + + hardware.enableAllFirmware = true; + nixpkgs.config.allowUnfree = true; + + boot = { + loader.grub.enable = true; + loader.grub.version = 2; + loader.grub.device = "/dev/sda"; + + initrd.luks.devices = [ { name = "luksroot"; device = "/dev/sda2"; } ]; + initrd.luks.cryptoModules = [ "aes" "sha512" "sha1" "xts" ]; + initrd.availableKernelModules = [ "xhci_hcd" "ehci_pci" "ahci" "usb_storage" ]; + #kernelModules = [ "kvm-intel" "msr" ]; + kernelModules = [ "msr" ]; + }; + fileSystems = { + "/" = { + device = "/dev/pool/nix"; + fsType = "ext4"; + }; + + "/boot" = { + device = "/dev/sda1"; + }; + }; + + #services.udev.extraRules = '' + # SUBSYSTEM=="net", ATTR{address}=="64:27:37:7d:d8:ae", NAME="wl0" + # SUBSYSTEM=="net", ATTR{address}=="f0:de:f1:b8:c8:2e", NAME="et0" + #''; +} -- cgit v1.3.1 From 1a0a03a6e5e6001001f37f115834bbfaba555a5b Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 21 May 2016 13:48:46 +0200 Subject: l 1 mors: remove broken touchpad config --- lass/1systems/mors.nix | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index e12c8321f..e2ab562fa 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix 
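Review bot: `with builtins;` at the top of the new file exists only for the `readFile` inside the commented-out `users.extraUsers.root.openssh.authorizedKeys.keys` block, which matches the same dead block in helios.nix's context lines above and references uriel's key. Commented-out root-key config in a freshly created host file tends to be uncommented later without anyone re-checking whose key it is; drop both the `with builtins;` and the block, or replace it with a one-line comment pointing at where shodan's root keys actually come from. The rest of the file (LUKS root on /dev/sda2, grub on /dev/sda) reads fine as a copy of the helios layout, but a `# cloned from helios.nix` note would tell the next reader which host to diff against.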
@@ -224,16 +224,4 @@ ]; }; }; - - #touchpad config - services.xserver.synaptics = { - enable = true; - accelFactor = "0.035"; - additionalOptions = '' - Option "FingerHigh" "60" - Option "FingerLow" "60" - ''; - tapButtons = false; - twoFingerScroll = true; - }; } -- cgit v1.3.1 From 6aa93b8c99f6c2433178777bb5a2531efac8bbb2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 21 May 2016 13:49:12 +0200 Subject: l 1 shodan: add x220 specific config --- lass/1systems/shodan.nix | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/shodan.nix b/lass/1systems/shodan.nix index 873a580d9..6829428ff 100644 --- a/lass/1systems/shodan.nix +++ b/lass/1systems/shodan.nix @@ -19,6 +19,25 @@ with builtins; # }; # }; #} + { + #x220 config from mors + #TODO: make x220 config file (or look in other user dir) + hardware.trackpoint = { + enable = true; + sensitivity = 220; + speed = 0; + emulateWheel = true; + }; + + services.xserver = { + videoDriver = "intel"; + vaapiDrivers = [ pkgs.vaapiIntel ]; + deviceSection = '' + Option "AccelMethod" "sna" + BusID "PCI:0:2:0" + ''; + }; + } ]; krebs.build.host = config.krebs.hosts.shodan; -- cgit v1.3.1 From 7559fbb735ced3a3d6216fdf1bf8ec9e57f25ddb Mon Sep 17 00:00:00 2001 From: lassulus Date: Sat, 21 May 2016 13:49:31 +0200 Subject: l 1 prism: import radio.nix --- lass/1systems/prism.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 406acda5b..aa524720d 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -17,6 +17,7 @@ in { ../2configs/bitlbee.nix ../2configs/weechat.nix ../2configs/privoxy-retiolum.nix + ../2configs/radio.nix { #we need to use old sqlite for buildbot imports = [ -- cgit v1.3.1 From 3ae4e25a1b2af518df6ccaab18703163bd37f51f Mon Sep 17 00:00:00 2001 
From: lassulus Date: Tue, 24 May 2016 23:54:36 +0200 Subject: l 1 mors: dont import texlive --- lass/1systems/mors.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index e2ab562fa..27548c9b7 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -14,7 +14,7 @@ ../2configs/elster.nix ../2configs/steam.nix ../2configs/wine.nix - ../2configs/texlive.nix + #../2configs/texlive.nix ../2configs/binary-caches.nix #../2configs/ircd.nix ../2configs/chromium-patched.nix -- cgit v1.3.1 From ac4f86e40f99f4e39c538cef2641b99663774bfd Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 24 May 2016 23:54:55 +0200 Subject: l 1 mors: reactivate sna --- lass/1systems/mors.nix | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 27548c9b7..776bc54c9 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -175,14 +175,14 @@ emulateWheel = true; }; - #services.xserver = { - # videoDriver = "intel"; - # vaapiDrivers = [ pkgs.vaapiIntel ]; - # deviceSection = '' - # Option "AccelMethod" "sna" - # BusID "PCI:0:2:0" - # ''; - #}; + services.xserver = { + videoDriver = "intel"; + vaapiDrivers = [ pkgs.vaapiIntel ]; + deviceSection = '' + Option "AccelMethod" "sna" + BusID "PCI:0:2:0" + ''; + }; environment.systemPackages = with pkgs; [ acronym -- cgit v1.3.1 From 0f2fc7c4a6a9bb41b965c905949aefebbb6c3f49 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 24 May 2016 23:55:11 +0200 Subject: l 1 prism: serve wallpaper.png under lassul.us --- lass/1systems/prism.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index aa524720d..b9542bc8e 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix 
@@ -196,6 +196,16 @@ in { { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; } ]; } + { + imports = [ + ../2configs/realwallpaper-server.nix + ]; + krebs.nginx.servers."lassul.us".locations = [ + (lib.nameValuePair "/wallpaper.png" '' + alias /tmp/wallpaper.png; + '') + ]; + } ]; krebs.build.host = config.krebs.hosts.prism; -- cgit v1.3.1 From 80e50fd8a05192faaf0e6f87faa3ea9c0313aa32 Mon Sep 17 00:00:00 2001 From: lassulus Date: Tue, 31 May 2016 23:26:35 +0200 Subject: l: move websites libs to 2/websites/util --- lass/1systems/prism.nix | 5 +- lass/2configs/websites/domsen.nix | 8 +- lass/2configs/websites/fritz.nix | 12 +- lass/2configs/websites/util.nix | 228 ++++++++++++++++++++++++++ lass/2configs/websites/wohnprojekt-rhh.de.nix | 10 +- lass/4lib/default.nix | 223 +------------------------ 6 files changed, 248 insertions(+), 238 deletions(-) create mode 100644 lass/2configs/websites/util.nix (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index b9542bc8e..c83f198cb 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -3,8 +3,9 @@ let ip = config.krebs.build.host.nets.internet.ip4.addr; - inherit (import ../../4lib { inherit lib pkgs; }) - manageCerts; + inherit (import {inherit lib pkgs;}) + manageCerts + ; in { imports = [ diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 43f9b3924..35a391d1b 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -1,14 +1,10 @@ { config, pkgs, lib, ... }: let - inherit (config.krebs.lib) + inherit (import { config = {}; inherit lib; }) genid - readFile ; - inherit (import ../../4lib { inherit lib pkgs; }) - manageCert - manageCerts - activateACME + inherit (import {inherit lib pkgs;}) ssl servePage serveOwncloud diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix index b063504f0..487c4644e 100644 --- a/lass/2configs/websites/fritz.nix 
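Review bot: `alias /tmp/wallpaper.png;` publishes a file from the world-writable /tmp under lassul.us, so any local user or service that can create or symlink `/tmp/wallpaper.png` before the wallpaper job writes it decides what the public site returns, and the file disappears on reboot if /tmp is tmpfs. The producer is presumably ../2configs/realwallpaper-server.nix, imported in the same block but outside this hunk; have it write to a dedicated, service-owned directory under /var/lib and alias that path instead. If /tmp has to stay for now, at least note the assumption next to the alias: `# served straight from /tmp: relies on nothing else on this host writing wallpaper.png first`.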
+++ b/lass/2configs/websites/fritz.nix @@ -1,12 +1,16 @@ { config, pkgs, lib, ... }: let - inherit (import ../../4lib { inherit lib pkgs; }) - manageCerts - activateACME + inherit (import { config = {}; inherit lib; }) + genid + head + nameValuePair + ; + inherit (import {inherit lib pkgs;}) ssl servePage - serveWordpress; + serveWordpress + ; in { imports = [ diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix new file mode 100644 index 000000000..84a20c711 --- /dev/null +++ b/lass/2configs/websites/util.nix 
@@ -0,0 +1,228 @@ +{ lib, pkgs, ... }: + +with lib; + +rec { + + manageCerts = domains: + let + domain = head domains; + in { + security.acme = { + certs."${domain}" = { + email = "lassulus@gmail.com"; + webroot = "/var/lib/acme/challenges/${domain}"; + plugins = [ + "account_key.json" + "key.pem" + "fullchain.pem" + ]; + group = "nginx"; + allowKeysForGroup = true; + extraDomains = genAttrs domains (_: null); + }; + }; + + krebs.nginx.servers."${domain}" = { + locations = [ + (nameValuePair "/.well-known/acme-challenge" '' + root /var/lib/acme/challenges/${domain}/; + '') + ]; + }; + }; + + ssl = domains: + { + imports = [ + ( manageCerts domains ) + ( activateACME (head domains) ) + ]; + }; + + activateACME = domain: + { + krebs.nginx.servers.${domain} = { + ssl = { + enable = true; + certificate = "/var/lib/acme/${domain}/fullchain.pem"; + certificate_key = "/var/lib/acme/${domain}/key.pem"; + }; + }; + }; + + servePage = domains: + let + domain = head domains; + in { + krebs.nginx.servers.${domain} = { + server-names = domains; + locations = [ + (nameValuePair "/" '' + root /srv/http/${domain}; + '') + ]; + }; + }; + + serveOwncloud = domains: + let + domain = head domains; + in { + krebs.nginx.servers."${domain}" = { + server-names = domains; + extraConfig = '' + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + + # Path to the root of your installation + root /srv/http/${domain}/; + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + # Disable gzip to avoid the removal of the ETag header + gzip off; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. 
+ #pagespeed off; + + index index.php; + error_page 403 /core/templates/403.php; + error_page 404 /core/templates/404.php; + + rewrite ^/.well-known/carddav /remote.php/carddav/ permanent; + rewrite ^/.well-known/caldav /remote.php/caldav/ permanent; + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + ''; + locations = [ + (nameValuePair "/robots.txt" '' + allow all; + log_not_found off; + access_log off; + '') + (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" '' + deny all; + '') + + (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" '' + deny all; + '') + + (nameValuePair "/" '' + rewrite ^/remote/(.*) /remote.php last; + rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; + try_files $uri $uri/ =404; + '') + + (nameValuePair "~ \.php(?:$|/)" '' + fastcgi_split_path_info ^(.+\.php)(/.+)$; + include ${pkgs.nginx}/conf/fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + fastcgi_intercept_errors on; + '') + + # Adding the cache control header for js and css files + # Make sure it is BELOW the location ~ \.php(?:$|/) { block + (nameValuePair "~* \.(?:css|js)$" '' + add_header Cache-Control "public, max-age=7200"; + # Add headers to serve security related headers + add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + # Optional: Don't log access to assets + access_log off; + '') + + # 
Optional: Don't log access to other assets + (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" '' + access_log off; + '') + ]; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = nginx + listen.group = nginx + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + + serveWordpress = domains: + let + domain = head domains; + + in { + krebs.nginx.servers."${domain}" = { + server-names = domains; + extraConfig = '' + root /srv/http/${domain}/; + index index.php; + access_log /tmp/nginx_acc.log; + error_log /tmp/nginx_err.log; + error_page 404 /404.html; + error_page 500 502 503 504 /50x.html; + ''; + locations = [ + (nameValuePair "/" '' + try_files $uri $uri/ /index.php?$args; + '') + (nameValuePair "~ \.php$" '' + fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; + include ${pkgs.nginx}/conf/fastcgi.conf; + '') + #(nameValuePair "~ /\\." '' + # deny all; + #'') + #Directives to send expires headers and turn off 404 error logging. + (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' + access_log off; + log_not_found off; + expires max; + '') + ]; + }; + services.phpfpm.poolConfigs."${domain}" = '' + listen = /srv/http/${domain}/phpfpm.pool + user = nginx + group = nginx + pm = dynamic + pm.max_children = 5 + pm.start_servers = 2 + pm.min_spare_servers = 1 + pm.max_spare_servers = 3 + listen.owner = nginx + listen.group = nginx + # errors to journal + php_admin_value[error_log] = 'stderr' + php_admin_flag[log_errors] = on + catch_workers_output = yes + ''; + }; + +} 
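Review bot: In `serveWordpress` the dot-file guard `(nameValuePair "~ /\\." '' deny all; '')` is commented out, so with `root /srv/http/${domain}/` anything under the webroot whose name starts with a dot (`.git`, `.htaccess`, editor backups) is served as a static file, while `serveOwncloud` directly above does deny its internal directories — re-enable the rule. The same function points `access_log /tmp/nginx_acc.log; error_log /tmp/nginx_err.log;` at the world-writable /tmp, where the files can be pre-created or symlinked by any local user and are lost on reboot; the module default log location is the safer choice. Both phpfpm pools run PHP as `user = nginx`, so a compromised PHP application inherits the web server's write access; a per-site pool user with `listen.owner = nginx` kept as-is would contain that. This is moved code (the identical text is deleted from lass/4lib/default.nix further down), so these predate the commit, but the new file is where they should be fixed.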
diff --git a/lass/2configs/websites/wohnprojekt-rhh.de.nix b/lass/2configs/websites/wohnprojekt-rhh.de.nix index 858054531..fb1a58109 100644 --- a/lass/2configs/websites/wohnprojekt-rhh.de.nix +++ b/lass/2configs/websites/wohnprojekt-rhh.de.nix @@ -1,11 +1,13 @@ { config, pkgs, lib, ... }: let - inherit (config.krebs.lib) genid; - inherit (import ../../4lib { inherit lib pkgs; }) + inherit (import { config = {}; inherit lib; }) + genid + ; + inherit (import {inherit lib pkgs;}) ssl - servePage; - + servePage + ; in { imports = [ ( ssl [ "wohnprojekt-rhh.de" ]) diff --git a/lass/4lib/default.nix b/lass/4lib/default.nix index 30cbced49..56943b7ac 100644 --- a/lass/4lib/default.nix +++ b/lass/4lib/default.nix @@ -1,4 +1,4 @@ -{ lib, pkgs, ... }: +{ lib, ... }: with lib; 
@@ -7,225 +7,4 @@ rec { getDefaultGateway = ip: concatStringsSep "." (take 3 (splitString "." ip) ++ ["1"]); - manageCerts = domains: - let - domain = head domains; - in { - security.acme = { - certs."${domain}" = { - email = "lassulus@gmail.com"; - webroot = "/var/lib/acme/challenges/${domain}"; - plugins = [ - "account_key.json" - "key.pem" - "fullchain.pem" - ]; - group = "nginx"; - allowKeysForGroup = true; - extraDomains = genAttrs domains (_: null); - }; - }; - - krebs.nginx.servers."${domain}" = { - locations = [ - (nameValuePair "/.well-known/acme-challenge" '' - root /var/lib/acme/challenges/${domain}/; - '') - ]; - }; - }; - - ssl = domains: - { - imports = [ - ( manageCerts domains ) - ( activateACME (head domains) ) - ]; - }; - - activateACME = domain: - { - krebs.nginx.servers."${domain}" = { - ssl = { - enable = true; - certificate = "/var/lib/acme/${domain}/fullchain.pem"; - certificate_key = "/var/lib/acme/${domain}/key.pem"; - }; - }; - }; - - servePage = domains: - let - domain = head domains; - in { - krebs.nginx.servers."${domain}" = { - server-names = domains; - locations = [ - (nameValuePair "/" '' - root /srv/http/${domain}; - '') - ]; - }; - }; - - serveOwncloud = domains: - let - domain = head domains; - in { - krebs.nginx.servers."${domain}" = { - server-names = domains; - extraConfig = '' - # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - - # Path to the root of your installation - root /srv/http/${domain}/; - # set max upload size - client_max_body_size 10G; - fastcgi_buffers 64 4K; - - # Disable gzip to avoid the removal of the ETag header - gzip off; - - # Uncomment if your server is build with the ngx_pagespeed module - # This module is currently not supported. 
- #pagespeed off; - - index index.php; - error_page 403 /core/templates/403.php; - error_page 404 /core/templates/404.php; - - rewrite ^/.well-known/carddav /remote.php/carddav/ permanent; - rewrite ^/.well-known/caldav /remote.php/caldav/ permanent; - - # The following 2 rules are only needed for the user_webfinger app. - # Uncomment it if you're planning to use this app. - rewrite ^/.well-known/host-meta /public.php?service=host-meta last; - rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; - ''; - locations = [ - (nameValuePair "/robots.txt" '' - allow all; - log_not_found off; - access_log off; - '') - (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" '' - deny all; - '') - - (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" '' - deny all; - '') - - (nameValuePair "/" '' - rewrite ^/remote/(.*) /remote.php last; - rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; - try_files $uri $uri/ =404; - '') - - (nameValuePair "~ \.php(?:$|/)" '' - fastcgi_split_path_info ^(.+\.php)(/.+)$; - include ${pkgs.nginx}/conf/fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param HTTPS on; - fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice - fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; - fastcgi_intercept_errors on; - '') - - # Adding the cache control header for js and css files - # Make sure it is BELOW the location ~ \.php(?:$|/) { block - (nameValuePair "~* \.(?:css|js)$" '' - add_header Cache-Control "public, max-age=7200"; - # Add headers to serve security related headers - add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - add_header X-Robots-Tag none; - # Optional: Don't log access to assets - access_log off; - '') - - # 
Optional: Don't log access to other assets - (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" '' - access_log off; - '') - ]; - }; - services.phpfpm.poolConfigs."${domain}" = '' - listen = /srv/http/${domain}/phpfpm.pool - user = nginx - group = nginx - pm = dynamic - pm.max_children = 5 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 3 - listen.owner = nginx - listen.group = nginx - # errors to journal - php_admin_value[error_log] = 'stderr' - php_admin_flag[log_errors] = on - catch_workers_output = yes - ''; - }; - - serveWordpress = domains: - let - domain = head domains; - - in { - krebs.nginx.servers."${domain}" = { - server-names = domains; - extraConfig = '' - root /srv/http/${domain}/; - index index.php; - access_log /tmp/nginx_acc.log; - error_log /tmp/nginx_err.log; - error_page 404 /404.html; - error_page 500 502 503 504 /50x.html; - ''; - locations = [ - (nameValuePair "/" '' - try_files $uri $uri/ /index.php?$args; - '') - (nameValuePair "~ \.php$" '' - fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool; - include ${pkgs.nginx}/conf/fastcgi.conf; - '') - #(nameValuePair "~ /\\." '' - # deny all; - #'') - #Directives to send expires headers and turn off 404 error logging. - (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" '' - access_log off; - log_not_found off; - expires max; - '') - ]; - }; - services.phpfpm.poolConfigs."${domain}" = '' - listen = /srv/http/${domain}/phpfpm.pool - user = nginx - group = nginx - pm = dynamic - pm.max_children = 5 - pm.start_servers = 2 - pm.min_spare_servers = 1 - pm.max_spare_servers = 3 - listen.owner = nginx - listen.group = nginx - # errors to journal - php_admin_value[error_log] = 'stderr' - php_admin_flag[log_errors] = on - catch_workers_output = yes - ''; - }; - } -- cgit v1.3.1 From 041e00002dbfcb1fc700bf53e77f4fe6157e2fc2 Mon Sep 17 00:00:00 2001 
From: lassulus Date: Tue, 31 May 2016 23:34:06 +0200 Subject: l 1 prism: import buildbot normally --- lass/1systems/prism.nix | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index c83f198cb..693556ded 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -19,12 +19,7 @@ in { ../2configs/weechat.nix ../2configs/privoxy-retiolum.nix ../2configs/radio.nix - { - #we need to use old sqlite for buildbot - imports = [ - ../2configs/buildbot-standalone.nix - ]; - } + ../2configs/buildbot-standalone.nix { users.extraGroups = { # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories -- cgit v1.3.1 From f223287ea2c8bde42e04d477e1bcb160f4448304 Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Jun 2016 00:06:49 +0200 Subject: l 1 prism: add cgit for cgit.lassul.us --- lass/1systems/prism.nix | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'lass/1systems') diff --git a/lass/1systems/prism.nix b/lass/1systems/prism.nix index 693556ded..6ed80ac39 100644 --- a/lass/1systems/prism.nix +++ b/lass/1systems/prism.nix @@ -13,13 +13,21 @@ in { ../2configs/default.nix ../2configs/exim-smarthost.nix ../2configs/downloading.nix - ../2configs/git.nix ../2configs/ts3.nix ../2configs/bitlbee.nix ../2configs/weechat.nix ../2configs/privoxy-retiolum.nix ../2configs/radio.nix ../2configs/buildbot-standalone.nix + { + imports = [ + ../2configs/git.nix + ( manageCerts [ "cgit.lassul.us" ]) + ]; + krebs.nginx.servers.cgit.server-names = [ + "cgit.lassul.us" + ]; + } { users.extraGroups = { # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories -- cgit v1.3.1 From 681a0bccc5b36eb1526159215eea914767aabf8d Mon Sep 17 00:00:00 2001 From: lassulus Date: Wed, 1 Jun 2016 00:10:13 +0200 Subject: l 1 mors: add remmina to pkgs --- lass/1systems/mors.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'lass/1systems') 
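Review bot: `( manageCerts [ "cgit.lassul.us" ])` registers its ACME challenge location under `krebs.nginx.servers."cgit.lassul.us"` (per util.nix above), whereas the server name is attached to a different entry, `krebs.nginx.servers.cgit`, presumably defined in ../2configs/git.nix outside this hunk. Unless the krebs.nginx module defaults `server-names` to the attribute name, the challenge request for cgit.lassul.us lands on the `cgit` vhost, which has no acme-challenge location, and issuance fails. Nothing here enables TLS for the cgit vhost either: `manageCerts` alone does not set `ssl.enable` (that is `activateACME`/`ssl` in util.nix), so cgit.lassul.us keeps serving plain HTTP with a certificate sitting on disk. Consider `( ssl [ "cgit.lassul.us" ])` on the same server entry that carries the server-name, or a comment stating why only provisioning is wanted at this point.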
diff --git a/lass/1systems/mors.nix b/lass/1systems/mors.nix index 776bc54c9..a7a1fd253 100644 --- a/lass/1systems/mors.nix +++ b/lass/1systems/mors.nix @@ -193,6 +193,7 @@ hashPassword urban mk_sql_pair + remmina ]; #TODO: fix this shit -- cgit v1.3.1 [cgit] Unable to lock slot /tmp/cgit/d1000000.lock: No such file or directory (2)