authormakefu <github@syntax-fehler.de>2018-11-05 18:20:42 +0100
committermakefu <github@syntax-fehler.de>2018-11-05 18:20:42 +0100
commit254e9e62b95951cecadd2b4800c03ef96f95b3c0 (patch)
tree6892ca816d01eb712b80af9dbd79cc6690f21752 /lass
parent8b57f04ff84b53742ef6a8a9677560745075ffb1 (diff)
parent100ca928ad483471d61b36bd9e977e34441d404b (diff)
Merge remote-tracking branch 'lassul.us/master'
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/archprism/config.nix356
-rw-r--r--lass/1systems/archprism/physical.nix77
-rw-r--r--lass/1systems/prism/physical.nix84
-rw-r--r--lass/2configs/baseX.nix1
-rw-r--r--lass/2configs/git.nix24
-rw-r--r--lass/2configs/mail.nix1
-rw-r--r--lass/2configs/urxvt.nix2
-rw-r--r--lass/2configs/vim.nix4
-rw-r--r--lass/2configs/websites/domsen.nix6
-rw-r--r--lass/2configs/websites/lassulus.nix5
-rw-r--r--lass/3modules/xjail.nix7
-rw-r--r--lass/krops.nix5
12 files changed, 510 insertions, 62 deletions
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix
new file mode 100644
index 000000000..0a286c6f0
--- /dev/null
+++ b/lass/1systems/archprism/config.nix
@@ -0,0 +1,356 @@
+{ config, lib, pkgs, ... }:
+with import <stockholm/lib>;
+
+{
+ imports = [
+ <stockholm/lass>
+ <stockholm/lass/2configs/retiolum.nix>
+ <stockholm/lass/2configs/libvirt.nix>
+ {
+ services.nginx.enable = true;
+ imports = [
+ <stockholm/lass/2configs/websites/domsen.nix>
+ <stockholm/lass/2configs/websites/lassulus.nix>
+ ];
+ # needed by domsen.nix ^^
+ lass.usershadow = {
+ enable = true;
+ };
+
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport http"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport https"; target = "ACCEPT"; }
+ ];
+ }
+ { # TODO make new hfos.nix out of this vv
+ boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+ users.users.riot = {
+ uid = genid "riot";
+ isNormalUser = true;
+ extraGroups = [ "libvirtd" ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
+ ];
+ };
+
+ # TODO write function for proxy_pass (ssl/nonssl)
+
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; }
+ ];
+ }
+ {
+ users.users.tv = {
+ uid = genid "tv";
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.tv.pubkey
+ ];
+ };
+ users.users.makefu = {
+ uid = genid "makefu";
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.makefu.pubkey
+ ];
+ };
+ users.users.nin = {
+ uid = genid "nin";
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ config.krebs.users.nin.pubkey
+ ];
+ };
+ users.extraUsers.dritter = {
+ uid = genid "dritter";
+ isNormalUser = true;
+ extraGroups = [
+ "download"
+ ];
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway"
+ ];
+ };
+ users.extraUsers.juhulian = {
+ uid = 1339;
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian"
+ ];
+ };
+ users.users.hellrazor = {
+ uid = genid "hellrazor";
+ isNormalUser = true;
+ extraGroups = [
+ "download"
+ ];
+ openssh.authorizedKeys.keys = [ "ssh-rsa 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" ];
+ };
+ }
+ {
+ #hotdog
+ systemd.services."container@hotdog".reloadIfChanged = mkForce false;
+ containers.hotdog = {
+ config = { ... }: {
+ imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
+ environment.systemPackages = [ pkgs.git ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ };
+ autoStart = true;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.1";
+ localAddress = "10.233.2.2";
+ };
+ }
+ {
+ #onondaga
+ systemd.services."container@onondaga".reloadIfChanged = mkForce false;
+ containers.onondaga = {
+ config = { ... }: {
+ imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ];
+ environment.systemPackages = [ pkgs.git ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ config.krebs.users.nin.pubkey
+ ];
+ };
+ autoStart = true;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.5";
+ localAddress = "10.233.2.6";
+ };
+ }
+ <stockholm/lass/2configs/exim-smarthost.nix>
+ <stockholm/lass/2configs/ts3.nix>
+ <stockholm/lass/2configs/privoxy-retiolum.nix>
+ <stockholm/lass/2configs/radio.nix>
+ <stockholm/lass/2configs/binary-cache/server.nix>
+ <stockholm/lass/2configs/iodined.nix>
+ <stockholm/lass/2configs/paste.nix>
+ <stockholm/lass/2configs/syncthing.nix>
+ <stockholm/lass/2configs/reaktor-coders.nix>
+ <stockholm/lass/2configs/ciko.nix>
+ <stockholm/lass/2configs/container-networking.nix>
+ <stockholm/lass/2configs/monitoring/prometheus-server.nix>
+ { # quasi bepasty.nix
+ imports = [
+ <stockholm/lass/2configs/bepasty.nix>
+ ];
+ krebs.bepasty.servers."paste.r".nginx.extraConfig = ''
+ if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) {
+ return 403;
+ }
+ '';
+ }
+ {
+ services.tor = {
+ enable = true;
+ };
+ }
+ {
+ lass.ejabberd = {
+ enable = true;
+ hosts = [ "lassul.us" ];
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; }
+ { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; }
+ ];
+ }
+ {
+ imports = [
+ <stockholm/lass/2configs/realwallpaper.nix>
+ ];
+ services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
+ alias /var/realwallpaper/realwallpaper.png;
+ '';
+ }
+ {
+ users.users.jeschli = {
+ uid = genid "jeschli";
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = with config.krebs.users; [
+ jeschli.pubkey
+ jeschli-bln.pubkey
+ jeschli-bolide.pubkey
+ jeschli-brauerei.pubkey
+ ];
+ };
+ krebs.git.rules = [
+ {
+ user = with config.krebs.users; [
+ jeschli
+ jeschli-bln
+ jeschli-bolide
+ jeschli-brauerei
+ ];
+ repo = [ config.krebs.git.repos.xmonad-stockholm ];
+ perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ];
+ }
+ {
+ user = with config.krebs.users; [
+ jeschli
+ jeschli-bln
+ jeschli-bolide
+ jeschli-brauerei
+ ];
+ repo = [ config.krebs.git.repos.stockholm ];
+ perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ];
+ }
+ ];
+ }
+ {
+ krebs.repo-sync.repos.stockholm.timerConfig = {
+ OnBootSec = "5min";
+ OnUnitInactiveSec = "2min";
+ RandomizedDelaySec = "2min";
+ };
+ }
+ <stockholm/lass/2configs/downloading.nix>
+ <stockholm/lass/2configs/minecraft.nix>
+ {
+ services.taskserver = {
+ enable = true;
+ fqdn = "lassul.us";
+ listenHost = "::";
+ listenPort = 53589;
+ organisations.lass.users = [ "lass" "android" ];
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; }
+ ];
+ }
+ #<stockholm/lass/2configs/go.nix>
+ {
+ environment.systemPackages = [ pkgs.cryptsetup ];
+ systemd.services."container@red".reloadIfChanged = mkForce false;
+ containers.red = {
+ config = { ... }: {
+ environment.systemPackages = [ pkgs.git ];
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ config.krebs.users.lass.pubkey
+ ];
+ };
+ autoStart = false;
+ enableTun = true;
+ privateNetwork = true;
+ hostAddress = "10.233.2.3";
+ localAddress = "10.233.2.4";
+ };
+ services.nginx.virtualHosts."rote-allez-fraktion.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ extraConfig = ''
+ proxy_set_header Host rote-allez-fraktion.de;
+ proxy_pass http://10.233.2.4;
+ '';
+ };
+ };
+ }
+ #{
+ # imports = [ <stockholm/lass/2configs/backup.nix> ];
+ # lass.restic = genAttrs [
+ # "daedalus"
+ # "icarus"
+ # "littleT"
+ # "mors"
+ # "shodan"
+ # "skynet"
+ # ] (dest: {
+ # dirs = [
+ # "/home/chat/.weechat"
+ # "/bku/sql_dumps"
+ # ];
+ # passwordFile = (toString <secrets>) + "/restic/${dest}";
+ # repo = "sftp:backup@${dest}.r:/backups/prism";
+ # extraArguments = [
+ # "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'"
+ # ];
+ # timerConfig = {
+ # OnCalendar = "00:05";
+ # RandomizedDelaySec = "5h";
+ # };
+ # });
+ #}
+ {
+ users.users.download.openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 lhebendanz@nixos"
+ "ssh-rsa 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 palo@pepe"
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGMjbYFmmvpF60YBShyFISbjN+O3e4GPkfsre6xFqz20joi8YqpD/5PtrMsGrPd1ZoZ9qSwXJtbb1WBomFg0xzRSNa1/FliKiE1ilcaB3aUZRtP0OWHIvWD3/YL/0h+/YXDGTfb8FNvpgJmnbN3Q0gw8cwWw+eve5BMyqDhzFvycxO4qDuP2JXkGpdhJqjaYZhP5rPH2mgv1oU1RnOA3A7APZVGf1m6JSmV7FZR514aGlFV+NpsvS29Mib8fcswgpoGhMN6jeh/nf49tp01LUAOmXSqdHIWNOTt3Mt7S4rU7RZwEhswdSRbKdKFRMj+uRkhJ4CPcNuuGtSY3id0Ja7IvrvxNaQUk1L8nBcza709jvSBYWSY5/aGL1ocA/PNWXDpOTp2PWwxkh39aPMqZXPTH3KC4IkRp5SiKibEhdmjnToV7nUAJe4IWn1b7QdoqS03ib0X87DnHWIbvi8UZlImM7pn0rs+rwnOo4lQwrTz7kbBHPaa6XOZAuDYND2728vtcrhwzVrKgiXWbyF6VzvwxPeeStmn1gENvozbj1hl9gbQ1cH/a4pZFBV/OFl/ryzDnB2ghM4acNJazXx/6/us9hX+np1YxIzJaxENj677MLc6HitM2g6XJGaixBQ0U2NNjcjIuQT0ZaeKXsSLnu1Y7+uslbVAwsQ4pJmSxxMMQ== palo@workhorse"
+ ];
+ }
+ {
+ }
+ {
+ lass.nichtparasoup.enable = true;
+ services.nginx = {
+ enable = true;
+ virtualHosts."lol.lassul.us" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".extraConfig = ''
+ proxy_pass http://localhost:5001;
+ '';
+ };
+ };
+ }
+ {
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport 51820"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.nat.PREROUTING.rules = [
+ { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.filter.FORWARD.rules = [
+ { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
+ { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.nat.POSTROUTING.rules = [
+ { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; }
+ ];
+ networking.wireguard.interfaces.wg0 = {
+ ips = [ "10.244.1.1/24" ];
+ listenPort = 51820;
+ privateKeyFile = (toString <secrets>) + "/wireguard.key";
+ allowedIPsAsRoutes = true;
+ peers = [
+ {
+ # lass-android
+ allowedIPs = [ "10.244.1.2/32" ];
+ publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw=";
+ }
+ ];
+ };
+ }
+ {
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
+ ];
+ }
+ {
+ services.murmur.enable = true;
+ services.murmur.registerName = "lassul.us";
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p tcp --dport 64738"; target = "ACCEPT";}
+ ];
+
+ }
+ ];
+
+ krebs.build.host = config.krebs.hosts.archprism;
+ services.earlyoom = {
+ enable = true;
+ freeMemThreshold = 5;
+ };
+}
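Review bot: The `riot` account in the "TODO make new hfos.nix" block is added to the `libvirtd` group while being authenticated only by a hard-coded ssh-rsa key, and libvirtd membership is generally treated as root-equivalent on the host (a member can define a domain that attaches arbitrary host block devices or directories), so this hands out far more than console access to one VM. If that trust is intended, state it next to the group so nobody later assumes it is harmless: `extraGroups = [ "libvirtd" ]; # NOTE: root-equivalent on the host, riot is fully trusted`; otherwise a narrower mechanism (a polkit rule scoped to the one domain, or a dedicated wrapper) would fit better. The FORWARD/DNAT pair just below it forwards every protocol and port destined to 46.4.114.243 into 192.168.122.92, so the host firewall no longer says anything about that address; restricting the predicate to what the guest actually exposes, e.g. `-d 192.168.122.92 -p tcp -m multiport --dports 80,443`, keeps the ACCEPT meaningful. Note also that 46.4.114.243 only appears in the commented-out block of the sibling archprism/physical.nix in this merge, so the DNAT rule presumably matches nothing until that address is bound on eth0.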
diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix
new file mode 100644
index 000000000..56348d0ab
--- /dev/null
+++ b/lass/1systems/archprism/physical.nix
@@ -0,0 +1,77 @@
+{ config, lib, pkgs, ... }:
+{
+ imports = [
+ ./config.nix
+ {
+ boot.kernelParams = [ "net.ifnames=0" ];
+ networking = {
+ defaultGateway = "46.4.114.225";
+ # Use google's public DNS server
+ nameservers = [ "8.8.8.8" ];
+ interfaces.eth0 = {
+ ipAddress = "46.4.114.247";
+ prefixLength = 27;
+ };
+ };
+ # TODO use this network config
+ #networking.interfaces.et0.ipv4.addresses = [
+ # {
+ # address = config.krebs.build.host.nets.internet.ip4.addr;
+ # prefixLength = 27;
+ # }
+ # {
+ # address = "46.4.114.243";
+ # prefixLength = 27;
+ # }
+ #];
+ #networking.defaultGateway = "46.4.114.225";
+ #networking.nameservers = [
+ # "8.8.8.8"
+ #];
+ #services.udev.extraRules = ''
+ # SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
+ #'';
+ }
+ {
+ imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+
+ networking.hostId = "fb4173ea";
+ boot.loader.grub = {
+ devices = [
+ "/dev/sda"
+ "/dev/sdb"
+ ];
+ splashImage = null;
+ };
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ "ahci" "sd_mod"
+ ];
+
+ boot.kernelModules = [ "kvm-intel" ];
+
+ sound.enable = false;
+ nixpkgs.config.allowUnfree = true;
+ time.timeZone = "Europe/Berlin";
+
+ fileSystems."/" = {
+ device = "rpool/root/nixos";
+ fsType = "zfs";
+ };
+
+ fileSystems."/home" = {
+ device = "rpool/home";
+ fsType = "zfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d";
+ fsType = "ext4";
+ };
+
+ }
+ ];
+
+}
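Review bot: The live network block binds only 46.4.114.247 to eth0, while the `# TODO use this network config` block below it and the DNAT rule in archprism/config.nix from this same merge both refer to a second address, 46.4.114.243; with the settings as written that address is never configured, so traffic for it should not reach the host and the DNAT to 192.168.122.92 will not fire. If the secondary address is still meant to be served, add it to the active config, e.g. `interfaces.eth0.ipv4.addresses = [ { address = "46.4.114.247"; prefixLength = 27; } { address = "46.4.114.243"; prefixLength = 27; } ];`, which also moves off the legacy `ipAddress`/`prefixLength` attribute form used here in favour of the form the commented-out block already uses. Pinning 8.8.8.8 as the only resolver deserves a comment too, since every lookup the host makes (ACME, outbound mail, tor bootstrap are all configured in config.nix) then goes to a third-party resolver in the clear: `nameservers = [ "8.8.8.8" ]; # TODO: local resolver or DoT; all host DNS currently leaves in plaintext`.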
diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix
index 83f127c22..56348d0ab 100644
--- a/lass/1systems/prism/physical.nix
+++ b/lass/1systems/prism/physical.nix
@@ -3,27 +3,39 @@
imports = [
./config.nix
{
- networking.interfaces.et0.ipv4.addresses = [
- {
- address = config.krebs.build.host.nets.internet.ip4.addr;
+ boot.kernelParams = [ "net.ifnames=0" ];
+ networking = {
+ defaultGateway = "46.4.114.225";
+ # Use google's public DNS server
+ nameservers = [ "8.8.8.8" ];
+ interfaces.eth0 = {
+ ipAddress = "46.4.114.247";
prefixLength = 27;
- }
- {
- address = "46.4.114.243";
- prefixLength = 27;
- }
- ];
- networking.defaultGateway = "46.4.114.225";
- networking.nameservers = [
- "8.8.8.8"
- ];
- services.udev.extraRules = ''
- SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
- '';
+ };
+ };
+ # TODO use this network config
+ #networking.interfaces.et0.ipv4.addresses = [
+ # {
+ # address = config.krebs.build.host.nets.internet.ip4.addr;
+ # prefixLength = 27;
+ # }
+ # {
+ # address = "46.4.114.243";
+ # prefixLength = 27;
+ # }
+ #];
+ #networking.defaultGateway = "46.4.114.225";
+ #networking.nameservers = [
+ # "8.8.8.8"
+ #];
+ #services.udev.extraRules = ''
+ # SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0"
+ #'';
}
{
imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ];
+ networking.hostId = "fb4173ea";
boot.loader.grub = {
devices = [
"/dev/sda"
@@ -40,45 +52,25 @@
boot.kernelModules = [ "kvm-intel" ];
- fileSystems."/" = {
- device = "/dev/pool/nix_root";
- fsType = "ext4";
- };
-
- fileSystems."/tmp" = {
- device = "tmpfs";
- fsType = "tmpfs";
- options = ["nosuid" "nodev" "noatime"];
- };
-
- fileSystems."/var/download" = {
- device = "/dev/pool/download";
- fsType = "ext4";
- };
+ sound.enable = false;
+ nixpkgs.config.allowUnfree = true;
+ time.timeZone = "Europe/Berlin";
- fileSystems."/srv/http" = {
- device = "/dev/pool/http";
- fsType = "ext4";
+ fileSystems."/" = {
+ device = "rpool/root/nixos";
+ fsType = "zfs";
};
fileSystems."/home" = {
- device = "/dev/pool/home";
- fsType = "ext4";
+ device = "rpool/home";
+ fsType = "zfs";
};
- fileSystems."/bku" = {
- device = "/dev/pool/bku";
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d";
fsType = "ext4";
};
- swapDevices = [
- { label = "swap1"; }
- { label = "swap2"; }
- ];
-
- sound.enable = false;
- nixpkgs.config.allowUnfree = true;
- time.timeZone = "Europe/Berlin";
}
];
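Review bot: The ZFS migration removes the dedicated `/tmp` tmpfs and with it the `nosuid`/`nodev` mount options that kept the world-writable /tmp from hosting setuid binaries or device nodes; nothing in the new layout restores that hardening, so /tmp now lives on `rpool/root/nixos` with default options. Unless that is deliberate, keep the entry: `fileSystems."/tmp" = { device = "tmpfs"; fsType = "tmpfs"; options = [ "nosuid" "nodev" "noatime" ]; };` (or the `boot.tmpOnTmpfs` option, if the nixpkgs this tracks provides it). The `/var/download`, `/srv/http` and `/bku` mounts and both swap devices are removed without replacements, so download, web and backup data presumably all end up on the root dataset now, which is worth a comment if intended and a `rpool/...` dataset each if not.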
diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix
index e8a2539f3..9b44e8f0e 100644
--- a/lass/2configs/baseX.nix
+++ b/lass/2configs/baseX.nix
@@ -74,7 +74,6 @@ in {
nmap
pavucontrol
powertop
- push
rxvt_unicode_with-plugins
sxiv
taskwarrior
diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix
index 253c56e48..c5b5c01fb 100644
--- a/lass/2configs/git.nix
+++ b/lass/2configs/git.nix
@@ -50,14 +50,30 @@ let
cgit.desc = "take a description of your disk layout and produce a format script";
cgit.section = "software";
};
+ go = {
+ cgit.desc = "url shortener";
+ cgit.section = "software";
+ };
krebspage = {
cgit.desc = "homepage of krebs";
cgit.section = "configuration";
};
+ krops = {
+ cgit.desc = "krebs deployment";
+ cgit.section = "software";
+ };
news = {
cgit.desc = "take a rss feed and a timeout and print it to stdout";
cgit.section = "software";
};
+ newsbot-js = {
+ cgit.desc = "print rss feeds to irc channels";
+ cgit.section = "software";
+ };
+ nix-user-chroot = {
+ cgit.desc = "Fork of nix-user-chroot by lethalman";
+ cgit.section = "software";
+ };
nix-writers = {
cgit.desc = "high level writers for nix";
cgit.section = "software";
@@ -85,14 +101,6 @@ let
cgit.desc = "Good Music collection + tools";
cgit.section = "art";
};
- nix-user-chroot = {
- cgit.desc = "Fork of nix-user-chroot by lethalman";
- cgit.section = "software";
- };
- krops = {
- cgit.desc = "krebs deployment";
- cgit.section = "software";
- };
xmonad-stockholm = {
cgit.desc = "krebs xmonad modules";
cgit.section = "configuration";
diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix
index 9246abfed..e50689254 100644
--- a/lass/2configs/mail.nix
+++ b/lass/2configs/mail.nix
@@ -210,6 +210,7 @@ in {
environment.systemPackages = [
msmtp
mutt
+ pkgs.notmuch
pkgs.much
tag-new-mails
tag-old-mails
diff --git a/lass/2configs/urxvt.nix b/lass/2configs/urxvt.nix
index fa63ddf25..82f3fb2e6 100644
--- a/lass/2configs/urxvt.nix
+++ b/lass/2configs/urxvt.nix
@@ -5,7 +5,7 @@ with import <stockholm/lib>;
services.urxvtd.enable = true;
krebs.xresources.resources.urxvt = ''
- URxvt*SaveLines: 1000000
+ URxvt.saveLines: 100000
URxvt*scrollBar: false
URxvt*urgentOnBell: true
URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select
diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix
index 855c30b3e..4f7bd4437 100644
--- a/lass/2configs/vim.nix
+++ b/lass/2configs/vim.nix
@@ -63,6 +63,8 @@ let
au Syntax * syn match Garbage containedin=ALL /\s\+$/
\ | syn match TabStop containedin=ALL /\t\+/
\ | syn keyword Todo containedin=ALL TODO
+ \ | syn match NBSP '\%xa0'
+ \ | syn match NarrowNBSP '\%u202F'
au BufRead,BufNewFile *.hs so ${hs.vim}
@@ -165,6 +167,8 @@ let
hi Garbage ctermbg=088
hi TabStop ctermbg=016
+ hi NBSP ctermbg=094
+ hi NarrowNBSP ctermbg=097
hi Todo ctermfg=174 ctermbg=NONE
hi NixCode ctermfg=148
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index e1c1313ea..828cab95f 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -66,6 +66,12 @@ in {
])
];
+ services.mysql.ensureDatabases = [ "ubikmedia_de" "o_ubikmedia_de" ];
+ services.mysql.ensureUsers = [
+ { ensurePermissions = { "ubikmedia_de.*" = "ALL"; }; name = "nginx"; }
+ { ensurePermissions = { "o_ubikmedia_de.*" = "ALL"; }; name = "nginx"; }
+ ];
+
services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
try_files $uri $uri/ /index.php?$args;
'';
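Review bot: Both `ensureUsers` entries grant `ALL` on a database to the `nginx` account, so the web-server identity (and, presumably, the PHP pools serving these vhosts, given the `index.php` try_files just below) gets DDL and every DML right on `ubikmedia_de` and `o_ubikmedia_de`; any code execution in those sites then also owns both databases. If the applications only need runtime access, narrow the grant, e.g. `"ubikmedia_de.*" = "SELECT, INSERT, UPDATE, DELETE"`, and run schema migrations with a separate user; if they genuinely need `ALL`, a comment saying why will keep a later reviewer from tightening it blindly. Either way the two entries with the same `name = "nginx"` can be one: `{ name = "nginx"; ensurePermissions = { "ubikmedia_de.*" = "ALL"; "o_ubikmedia_de.*" = "ALL"; }; }`.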
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 4c29831a2..b72b20928 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -145,8 +145,9 @@ in {
home = "/srv/http/lassul.us";
useDefaultShell = true;
createHome = true;
- openssh.authorizedKeys.keys = [
- config.krebs.users.lass.pubkey
+ openssh.authorizedKeys.keys = with config.krebs.users; [
+ lass.pubkey
+ lass-mors.pubkey
];
};
}
diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix
index 5b450ed42..974e11c6e 100644
--- a/lass/3modules/xjail.nix
+++ b/lass/3modules/xjail.nix
@@ -120,10 +120,13 @@ with import <stockholm/lib>;
${pkgs.coreutils}/bin/kill $WM_PID
${pkgs.coreutils}/bin/kill $XEPHYR_PID
'';
+ # TODO fix xephyr which doesn't honor resizes anymore
sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then ''
/var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@"
'' else ''
- /var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
+ #/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"
+ /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@"
+
'');
vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" ''
DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@"
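Review bot: The non-vglrun `sudo_` wrapper no longer sets `DISPLAY=:${cfg.display}`, so the jailed program starts with whatever DISPLAY survives `sudo -i`: under the default env_reset that is no display at all, and if sudoers keeps DISPLAY it is the host's X server, which undoes the Xephyr isolation this module exists to provide. The `vglrun_` branch right below still pins the jail display, so the two paths now differ in exactly the property the jail is about. If this is a temporary workaround for the resize TODO, say so and keep the display explicit, `/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@"`, and delete the commented-out copy rather than leaving two versions side by side. Note that the second hunk switches `lass.xjail-bins` from `existing` (defined outside this hunk) to this `sudo` script, so this is now the path every wrapper binary takes.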
@@ -163,7 +166,7 @@ with import <stockholm/lib>;
lass.xjail-bins = mapAttrs' (name: cfg:
nameValuePair name (pkgs.writeScriptBin cfg.name ''
- ${scripts.${name}.existing} "$@"
+ ${scripts.${name}.sudo} "$@"
'')
) config.lass.xjail;
};
diff --git a/lass/krops.nix b/lass/krops.nix
index 4e045c6db..a898164c3 100644
--- a/lass/krops.nix
+++ b/lass/krops.nix
@@ -22,13 +22,14 @@
in {
# usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy)
- deploy = pkgs.krops.writeDeploy "${name}-deploy" {
+ deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" {
source = source { test = false; };
- target = "root@${name}/var/src";
+ inherit target;
};
# usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test)
test = { target }: pkgs.krops.writeTest "${name}-test" {
+ force = true;
inherit target;
source = source { test = true; };
};
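Review bot: `force = true` on the test target is unconditional, and if this is krops' populate `--force` (which, as far as I recall, skips the check that the destination was previously populated by krops) a mistyped `--argstr target PATH` will overwrite whatever directory is named; a comment explaining why tests need it, `force = true; # populate into a fresh scratch dir without the "was populated by krops" check`, or a guard that only forces under a known scratch prefix, would make that risk visible. The `deploy` attribute is now a function with a defaulted `target`, which nix-build auto-calls with `--argstr` (the `test` usage line already relies on this), but the usage comment above it still documents only `--argstr name HOSTNAME`; update it to `# usage: $(nix-build --no-out-link --argstr name HOSTNAME [--argstr target USER@HOST/PATH] -A deploy)` so the new parameter is discoverable.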