authorlassulus <lassulus@lassul.us>2022-12-12 16:45:39 +0100
committerlassulus <lassulus@lassul.us>2022-12-12 16:45:39 +0100
commit1775e867524d47b5055034bedadc7a96a4c7da6f (patch)
tree0073823803b051c31491937a621ca53e65adbb9c /krebs
parentea72339343115c141b432a4f6cd97cfbb0eb1223 (diff)
parent54ddded30dfc02c53baf33c078fafdd9aaf3c70d (diff)
Merge remote-tracking branch 'ni/master'
Diffstat (limited to 'krebs')
-rw-r--r--krebs/1systems/hotdog/config.nix1
-rw-r--r--krebs/1systems/ponte/config.nix26
-rw-r--r--krebs/3modules/default.nix5
-rw-r--r--krebs/3modules/krebs-pages.nix44
-rw-r--r--krebs/5pkgs/simple/krebs-pages/fixtures/index.html21
-rw-r--r--krebs/5pkgs/simple/krebs-pages/fixtures/thesauron.html133
-rw-r--r--krebs/5pkgs/simple/ukrepl.nix11
7 files changed, 89 insertions, 152 deletions
diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix
index a34df4bd..9849937d 100644
--- a/krebs/1systems/hotdog/config.nix
+++ b/krebs/1systems/hotdog/config.nix
@@ -22,6 +22,7 @@
krebs.build.host = config.krebs.hosts.hotdog;
krebs.github-hosts-sync.enable = true;
+ krebs.pages.enable = true;
boot.isContainer = true;
networking.useDHCP = false;
diff --git a/krebs/1systems/ponte/config.nix b/krebs/1systems/ponte/config.nix
index 8250ebad..2f55995c 100644
--- a/krebs/1systems/ponte/config.nix
+++ b/krebs/1systems/ponte/config.nix
@@ -7,5 +7,31 @@
<stockholm/krebs/2configs/matterbridge.nix>
];
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ networking.firewall.logRefusedConnections = false;
+ networking.firewall.logRefusedUnicastsOnly = false;
+
+ # Move Internet-facing SSH port to reduce logspam.
+ networking.firewall.extraCommands = let
+ host = config.krebs.build.host;
+ in /* sh */ ''
+ iptables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ iptables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ iptables -t nat -A PREROUTING -d ${host.nets.retiolum.ip4.addr} -p tcp --dport 22 -j ACCEPT
+ iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+
+ ip6tables -t nat -A OUTPUT -o lo -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ ip6tables -t nat -A PREROUTING -p tcp --dport 11423 -j REDIRECT --to-ports 22
+ ip6tables -t nat -A PREROUTING -d ${host.nets.retiolum.ip6.addr} -p tcp --dport 22 -j ACCEPT
+ ip6tables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 0
+ '';
+
krebs.build.host = config.krebs.hosts.ponte;
+
+ krebs.pages.enable = true;
+ krebs.pages.nginx.addSSL = true;
+ krebs.pages.nginx.enableACME = true;
+
+ security.acme.acceptTerms = true;
+ security.acme.certs.${config.krebs.pages.domain}.email = "spam@krebsco.de";
}
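Review bot: `krebs.pages.nginx.addSSL = true` together with port 80 in `allowedTCPPorts` leaves the site reachable over plain HTTP with no redirect; the example in the new krebs-pages module uses `forceSSL = true`, which still answers the ACME challenge on port 80 and redirects everything else to HTTPS. Separately, the `extraCommands` block appends to the built-in nat `PREROUTING`/`OUTPUT` chains with `-A`; as far as I know the NixOS firewall script only flushes its own chains, so each firewall reload would likely stack another copy of these rules. A dedicated chain that is flushed before being filled, or matching `-D` lines in `networking.firewall.extraStopCommands`, avoids that. With `logRefusedConnections = false` the refused-connection log is gone, so a short comment stating where failed SSH logins on 11423 are expected to be monitored would help whoever operates this host.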
diff --git a/krebs/3modules/default.nix b/krebs/3modules/default.nix
index 0ac8cb74..6babac72 100644
--- a/krebs/3modules/default.nix
+++ b/krebs/3modules/default.nix
@@ -34,6 +34,7 @@ let
./iptables.nix
./kapacitor.nix
./konsens.nix
+ ./krebs-pages.nix
./monit.nix
./nixpkgs.nix
./on-failure.nix
@@ -83,10 +84,6 @@ let
@ IN SOA dns19.ovh.net. tech.ovh.net. (2015052000 86400 3600 3600000 86400)
IN NS ns19.ovh.net.
IN NS dns19.ovh.net.
- IN A 185.199.108.153
- IN A 185.199.109.153
- IN A 185.199.110.153
- IN A 185.199.111.153
'';
};
};
diff --git a/krebs/3modules/krebs-pages.nix b/krebs/3modules/krebs-pages.nix
new file mode 100644
index 00000000..a2a5b723
--- /dev/null
+++ b/krebs/3modules/krebs-pages.nix
@@ -0,0 +1,44 @@
+{ config, modulesPath, pkgs, ... }: let
+ cfg = config.krebs.pages;
+ lib = import ../../lib;
+ extraTypes.nginx-vhost = lib.types.submodule (
+ lib.recursiveUpdate
+ (import (modulesPath + "/services/web-servers/nginx/vhost-options.nix")
+ { inherit config lib; })
+ {}
+ );
+in {
+ options.krebs.pages = {
+ enable = lib.mkEnableOption "krebs-pages";
+ domain = lib.mkOption {
+ type = lib.types.hostname;
+ default = "krebsco.de";
+ };
+ nginx = lib.mkOption {
+ type = extraTypes.nginx-vhost;
+ default = {};
+ example = lib.literalExpression /* nix */ ''
+ {
+ # To enable encryption and let let's encrypt take care of certificate
+ enableACME = true;
+ forceSSL = true;
+ }
+ '';
+ description = lib.mkDoc ''
+ With this option, you can customize the nginx virtualHost settings.
+ '';
+ };
+ package = lib.mkOption {
+ type = lib.types.package;
+ default = pkgs.krebs-pages;
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ services.nginx = {
+ enable = lib.mkDefault true;
+ virtualHosts.${cfg.domain} = lib.mkMerge [ cfg.nginx {
+ root = lib.mkForce cfg.package;
+ }];
+ };
+ };
+}
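Review bot: The `domain` and `package` options are declared without a `description`, so `nginx` is the only documented option in this module; I would add e.g. `description = "Host name of the nginx virtual host that serves the pages.";` and `description = "Package whose output is used as the document root.";`. The module sets no TLS default, so a host that only sets `krebs.pages.enable = true` (as hotdog does in this commit) serves the site over HTTP only; a comment saying that TLS is opt-in through `krebs.pages.nginx` would make that explicit. The `lib.recursiveUpdate (...) {}` around the imported vhost options merges with an empty set and can be dropped unless it is meant as a placeholder for overrides. The example comment also has a doubled word ("let let's encrypt").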
diff --git a/krebs/5pkgs/simple/krebs-pages/fixtures/index.html b/krebs/5pkgs/simple/krebs-pages/fixtures/index.html
index e6b7034b..68b2cbad 100644
--- a/krebs/5pkgs/simple/krebs-pages/fixtures/index.html
+++ b/krebs/5pkgs/simple/krebs-pages/fixtures/index.html
@@ -24,19 +24,10 @@
}
</script>
<body>
- <p>
- <a href="http://krebscode.github.io/minikrebs/linuxtag">
- Linuxtag Heckenkrebs Presentation
- </a>
- </p>
- <p>
- <a href="http://krebscode.github.io/writeups">
- CTF Writeups
- </a>
- </p>
- <p>
- <a href="thesauron.html">
- Thesauron
- </a>
- </p>
+ <p><a href='https://cgit.krebsco.de/krops/about/'>krops</a></p>
+ <p><a href='https://github.com/krebs/cholerab/blob/master/thesauron.adoc'>Thesauron</a></p>
+ <p><a href='https://nixos.wiki/'>Project: The new NixOS wiki</a></p>
+ <p><a target="_blank" href="https://www.amazon.de/?&_encoding=UTF8&tag=krebscode06-21&linkCode=ur2&linkId=d4430b368b8aceeca92101cd4a4cdd1d&camp=1638&creative=6742">Go through this amazon affiliate link and generate krebsgold</a><img src="//ir-de.amazon-adsystem.com/e/ir?t=krebscode06-21&l=ur2&o=3" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" /></p>
+ <p> <a href="https://s.click.aliexpress.com/e/_A5luNt" target="_parent">Go through this aliexpress affiliate link and generate krebsgold</a></p>
+
</body>
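Review bot: The Amazon tracking pixel is loaded from a protocol-relative URL (`src="//ir-de.amazon-adsystem.com/..."`), so whenever the page is served over plain HTTP that request also goes out unencrypted; write the scheme explicitly as `https://`. The pixel also makes every visitor's browser contact a third-party ad host on page load, which deserves a deliberate decision, since a plain link without the `<img>` avoids it. The `target="_blank"` link carries no `rel` attribute; adding `rel="noopener noreferrer"` keeps the opened page from getting a `window.opener` handle in older browsers and stops the referrer from being sent.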
diff --git a/krebs/5pkgs/simple/krebs-pages/fixtures/thesauron.html b/krebs/5pkgs/simple/krebs-pages/fixtures/thesauron.html
deleted file mode 100644
index bcf1c5d4..00000000
--- a/krebs/5pkgs/simple/krebs-pages/fixtures/thesauron.html
+++ /dev/null
@@ -1,133 +0,0 @@
-<p>Cholerab n.
-[de]
-- Kunstwort aus Kollaboration und Cholera. Beschreibt den Zustand, dass
- Zusammenarbeit niemals gut, einfach und ohne Schmerzen funktioniert.
-- Teamwork-Plattform für Krebscode.</p>
-
-<p>eigentlich adv.
-[de]
-- Hinweis darauf, dass der Inhalt eines Satzes eine Soll-Realität beschreibt,
- die nicht der Fall ist.
-Antonym: tatsaechlich</p>
-
-<p>ghost n.
-[de]
-- Host im Darknet welcher evtl. irgendwie noch da ist (als dd image auf anderen
- Festplatten) aber wohl nie wieder kommen wird.
-Siehe: Wiederbelebung</p>
-
-<p>KD;RP abbr. (pronounciation: kah-derp)
-[en]
-- Short for Krebs Darknet / Retiolum Prefix.</p>
-
-<p>krebs
-[de]
-- krebs ist ein soziales Experiment, eine Organisation, das zweit aelteste
- Softwareprojekt im Shack und viel verteilte infrastruktur.</p>
-
-<p>kremium
-[en]
-- coinage derived from the words premium and krebs
-see: broken
-usage: Reaktor ircbot has unfixed broken behavior since ever-&gt;&#8220;Kremium Software&#8221;</p>
-
-<p>KRI abbr. (pronounciation: [en] cry)
-[en]
-- Short for Krebs Request for Implementation.
- Derived from Scheme Requests for Implementation (SRFI).</p>
-
-<p>litterate programming n.
-[en]
-- any code that has not been proved mathematically.</p>
-
-<p>Nahziel n.
-[de]
-- Ziel mit höchst möglicher Priorität.</p>
-
-<p>Nahzielerfahrung n.
-[de]
-- das Erlebnis der (endgültigen) Nichterreichung eines Nahziels (obwohl
- nur noch wenig ((quasi-) infinitesimal viel) nötig gewesen wäre).</p>
-
-<p>parentheses of fear
-[en]
-- unnecessary parentheses, usually used when order of precedence is unknown.
- - Examples: 1 + (2 * 3)</p>
-
-<p>Protip n.
-[en]
-- (Probably vague) description how a task can be solved.
- - Antonym: Spoiler
- - Example:
- - To defeat the Cyberdaemon, shoot at it until it dies.
- - RTFM</p>
-
-<p>Punching Lemma n.
-[de]
-- Sozialer Druck zur Aufrechterhaltung der Ordnung in dem sozialen Geflaecht
- von Krebs</p>
-
-<p>ref, n.
-[en]
-- A reference like an URI, ISBN, name of a person, etc.</p>
-
-<p>reftrace, n.
-[en]
-- A stacktrace-like representation of refs that lead to some (any kind of)
- conclusion. Usually generated by a human. The conclusion can be either on
- the top or on the bottom of the stack. If the order is ambiguous, then it
- should be communicated explicitly.
- - Example: (conclusion first)
- - http://en.wikipedia.org/wiki/Stack_trace
- - google &#8220;stacktrace&#8221; (first entry / 2014&#8211;12&#8211;05T12:13:58Z)
- - think about some example [this could be omitted, as it&#8217;s obvious&#8230;]</p>
-
-<p>Retiolum n.
-[en]
-- The official darknet of Krebs which utilizes the Retiolum Prefix to
- address individual nodes.</p>
-
-<p>Retiolum Prefix n.
-[en]
-- The universally accepted IPv6-prefix, 42::/16. Anyone can has a
- /128-subnet and, if require, anything larger.</p>
-
-<p>Retiolum Realtime Map n.
-[en]
-- The network map of the public visible part of Retiolum.</p>
-
-<p>RRM [abbr.][en]
-- Short for Retiolum Retiolum Map.</p>
-
-<p>Sanatorium n.
-[en]
-- The Krebs Control and Command Center.
-- An Retiolum-based IRC-channel where all Reaktor-enabled nodes gather
- and lurk for relevant input.</p>
-
-<p>Spoiler n.
-[en]
-- A subset of walkthrough, i.e. any individual steps may be omitted.
- - Antonym: Protip</p>
-
-<p>tatsaechlich, adv.
-[de]
-- Hinweis darauf, dass der Inhalt eines Satzes exakt der Realität entspricht.
-Antonym: eigentlich</p>
-
-<p>Verkrebsung n.
-[de]
-- Synonym fuer die Installation von Krebs (oder eine einzelnen Krebs
- Komponente) auf einem beliebigem System.</p>
-
-<p>Walkthrough n.
-[en]
-- Description of the individual steps to complete a task.
- - Examples:
- - program code
- - small-step semantics</p>
-
-<p>Wiederbelebung n.
-[de]
-- Ein ghost wird im Darknet wieder erreichbar
-Siehe: ghost</p>
diff --git a/krebs/5pkgs/simple/ukrepl.nix b/krebs/5pkgs/simple/ukrepl.nix
new file mode 100644
index 00000000..bdea4181
--- /dev/null
+++ b/krebs/5pkgs/simple/ukrepl.nix
@@ -0,0 +1,11 @@
+{ lib, pkgs,stdenv }:
+let
+ src = pkgs.fetchFromGitHub {
+ owner = "makefu";
+ repo = "ukrepl";
+ rev = "0baa5cc4d5c3c17af704b69a800dd1f520ded8e3";
+ hash = "sha256:1lnhkf02f18fvf3l2fcszvs4x115lql17akabd5ph9ff9z33k8rv";
+ };
+in
+ pkgs.writers.writePython3Bin "ukrepl" {} (builtins.readFile (src + "/ukrepl"))
+
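Review bot: `builtins.readFile (src + "/ukrepl")` reads from a fetched store path at evaluation time, which is import-from-derivation: evaluation has to download the source first and fails where `allow-import-from-derivation` is disabled. Installing the script inside a derivation (copy `$src/ukrepl` into `$out/bin` and patch the interpreter line) keeps the fetch in the build phase. The `lib` and `stdenv` arguments are unused and can be removed from the function head. The `rev` plus `hash` pin is what makes pulling an executable script from a personal repository reproducible, so a comment reminding maintainers to update both together would be useful.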