diff options
author | makefu <github@syntax-fehler.de> | 2018-11-05 18:20:42 +0100 |
---|---|---|
committer | makefu <github@syntax-fehler.de> | 2018-11-05 18:20:42 +0100 |
commit | 254e9e62b95951cecadd2b4800c03ef96f95b3c0 (patch) | |
tree | 6892ca816d01eb712b80af9dbd79cc6690f21752 /lass | |
parent | 8b57f04ff84b53742ef6a8a9677560745075ffb1 (diff) | |
parent | 100ca928ad483471d61b36bd9e977e34441d404b (diff) |
Merge remote-tracking branch 'lassul.us/master'
Diffstat (limited to 'lass')
-rw-r--r-- | lass/1systems/archprism/config.nix | 356 | ||||
-rw-r--r-- | lass/1systems/archprism/physical.nix | 77 | ||||
-rw-r--r-- | lass/1systems/prism/physical.nix | 84 | ||||
-rw-r--r-- | lass/2configs/baseX.nix | 1 | ||||
-rw-r--r-- | lass/2configs/git.nix | 24 | ||||
-rw-r--r-- | lass/2configs/mail.nix | 1 | ||||
-rw-r--r-- | lass/2configs/urxvt.nix | 2 | ||||
-rw-r--r-- | lass/2configs/vim.nix | 4 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 6 | ||||
-rw-r--r-- | lass/2configs/websites/lassulus.nix | 5 | ||||
-rw-r--r-- | lass/3modules/xjail.nix | 7 | ||||
-rw-r--r-- | lass/krops.nix | 5 |
12 files changed, 510 insertions, 62 deletions
diff --git a/lass/1systems/archprism/config.nix b/lass/1systems/archprism/config.nix new file mode 100644 index 000000000..0a286c6f0 --- /dev/null +++ b/lass/1systems/archprism/config.nix @@ -0,0 +1,356 @@ +{ config, lib, pkgs, ... }: +with import <stockholm/lib>; + +{ + imports = [ + <stockholm/lass> + <stockholm/lass/2configs/retiolum.nix> + <stockholm/lass/2configs/libvirt.nix> + { + services.nginx.enable = true; + imports = [ + <stockholm/lass/2configs/websites/domsen.nix> + <stockholm/lass/2configs/websites/lassulus.nix> + ]; + # needed by domsen.nix ^^ + lass.usershadow = { + enable = true; + }; + + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport http"; target = "ACCEPT"; } + { predicate = "-p tcp --dport https"; target = "ACCEPT"; } + ]; + } + { # TODO make new hfos.nix out of this vv + boot.kernel.sysctl."net.ipv4.ip_forward" = 1; + users.users.riot = { + uid = genid "riot"; + isNormalUser = true; + extraGroups = [ "libvirtd" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" + ]; + }; + + # TODO write function for proxy_pass (ssl/nonssl) + + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 192.168.122.92"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-d 46.4.114.243"; target = "DNAT --to-destination 192.168.122.92"; } + ]; + } + { + users.users.tv = { + uid = genid "tv"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.tv.pubkey + ]; + }; + users.users.makefu = { + uid = genid "makefu"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.makefu.pubkey + ]; + }; + users.users.nin = { + uid = genid "nin"; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + config.krebs.users.nin.pubkey + ]; + }; + users.extraUsers.dritter = { + uid = genid "dritter"; + isNormalUser = true; + extraGroups = [ + "download" + ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnqOWDDk7QkSAvrSLkEoz7dY22+xPyv5JDn2zlfUndfavmTMfZvPx9REMjgULbcCSM4m3Ncf40yUjciDpVleGoEz82+p/ObHAkVWPQyXRS3ZRM2IJJultBHEFc61+61Pi8k3p5pBhPPaig6VncJ4uUuuNqen9jqLesSTVXNtdntU2IvnC8B8k1Kq6fu9q1T2yEOMxkD31D5hVHlqAly0LdRiYvtsRIoCSmRvlpGl70uvPprhQxhtoiEUeDqmIL7BG9x7gU0Swdl7R0/HtFXlFuOwSlNYDmOf/Zrb1jhOpj4AlCliGUkM0iKIJhgH0tnJna6kfkGKHDwuzITGIh6SpZ dritter@Janeway" + ]; + }; + users.extraUsers.juhulian = { + uid = 1339; + isNormalUser = true; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBQhLGvfv4hyQ/nqJGy1YgHXPSVl6igeWTroJSvAhUFgoh+rG+zvqY0EahKXNb3sq0/OYDCTJVuucc0hgCg7T2KqTqMtTb9EEkRmCFbD7F7DWZojCrh/an6sHneqT5eFvzAPZ8E5hup7oVQnj5P5M3I9keRHBWt1rq6q0IcOEhsFvne4qJc73aLASTJkxzlo5U8ju3JQOl6474ECuSn0lb1fTrQ/SR1NgF7jV11eBldkS8SHEB+2GXjn4Yrn+QUKOnDp+B85vZmVlJSI+7XR1/U/xIbtAjGTEmNwB6cTbBv9NCG9jloDDOZG4ZvzzHYrlBXjaigtQh2/4mrHoKa5eV juhulian@juhulian" + ]; + }; + users.users.hellrazor = { + uid = genid "hellrazor"; + isNormalUser = true; + extraGroups = [ + "download" + ]; + openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDQFaYOWRUvHP6I37q9Dd4PJOq8FNQqAeJZ8pLx0G62uC450kbPGcG80rHHvXmk7HqQP6biJmMg48bOsvXAScPot2Qhp1Qc35CuUqVhLiTvUAsi8l/iJjhjZ23yRGDCAmW5+JIOzIvECkcbMnG7YoYAQ9trNGHe9qwGzQGhpt3QVClE23WtE3PVKRLQx1VbiabSnAm6tXVd2zpUoSdpWt8Gpi2taM4XXJ5+l744MNxFHvDapN5xqpYzwrA34Ii13jNLWcGbtgxESpR+VjnamdWByrkBsW4X5/xn2K1I1FrujaM/DBHV1QMaDKst9V8+uL5X7aYNt0OUBu2eyZdg6aujY2BYovB9uRyR1JIuSbA/a54MM96yN9WirMUufJF/YZrV0L631t9EW8ORyWUo1GRzMuBHVHQlfApj7NCU/jEddUuTqKgwyRgTmMFMUI4M0tRULAB/7pBE1Vbcx9tg6RsKIk8VkskfbBJW9Y6Sx6YoFlxPdgMNIrBefqEjIV62piP7YLMlvfIDCJ7TNd9dLN86XGggZ/nD5zt6SL1o61vVnw9If8pHosppxADPJsJvcdN6fOe16/tFAeE0JRo0jTcyFVTBGfhpey+rFfuW8wtUyuO5WPUxkOn7xMHGMWHJAtWX2vwVIDtLxvqn48B4SmEOpPD6ii+vcpwqAex3ycqBUQ==" ]; + }; + } + { + #hotdog + systemd.services."container@hotdog".reloadIfChanged = mkForce false; + containers.hotdog = { + config = { ... }: { + imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ]; + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.1"; + localAddress = "10.233.2.2"; + }; + } + { + #onondaga + systemd.services."container@onondaga".reloadIfChanged = mkForce false; + containers.onondaga = { + config = { ... }: { + imports = [ <stockholm/lass/2configs/rebuild-on-boot.nix> ]; + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + config.krebs.users.nin.pubkey + ]; + }; + autoStart = true; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.5"; + localAddress = "10.233.2.6"; + }; + } + <stockholm/lass/2configs/exim-smarthost.nix> + <stockholm/lass/2configs/ts3.nix> + <stockholm/lass/2configs/privoxy-retiolum.nix> + <stockholm/lass/2configs/radio.nix> + <stockholm/lass/2configs/binary-cache/server.nix> + <stockholm/lass/2configs/iodined.nix> + <stockholm/lass/2configs/paste.nix> + <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/reaktor-coders.nix> + <stockholm/lass/2configs/ciko.nix> + <stockholm/lass/2configs/container-networking.nix> + <stockholm/lass/2configs/monitoring/prometheus-server.nix> + { # quasi bepasty.nix + imports = [ + <stockholm/lass/2configs/bepasty.nix> + ]; + krebs.bepasty.servers."paste.r".nginx.extraConfig = '' + if ( $server_addr = "${config.krebs.build.host.nets.internet.ip4.addr}" ) { + return 403; + } + ''; + } + { + services.tor = { + enable = true; + }; + } + { + lass.ejabberd = { + enable = true; + hosts = [ "lassul.us" ]; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport xmpp-client"; target = "ACCEPT"; } + { predicate = "-p tcp --dport xmpp-server"; target = "ACCEPT"; } + ]; + } + { + imports = [ + <stockholm/lass/2configs/realwallpaper.nix> + ]; + services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = '' + alias /var/realwallpaper/realwallpaper.png; + ''; + } + { + users.users.jeschli = { + uid = genid "jeschli"; + isNormalUser = true; + openssh.authorizedKeys.keys = with config.krebs.users; [ + jeschli.pubkey + jeschli-bln.pubkey + jeschli-bolide.pubkey + jeschli-brauerei.pubkey + ]; + }; + krebs.git.rules = [ + { + user = with config.krebs.users; [ + jeschli + jeschli-bln + jeschli-bolide + jeschli-brauerei + ]; + repo = [ config.krebs.git.repos.xmonad-stockholm ]; + perm = with git; push "refs/heads/jeschli*" [ fast-forward non-fast-forward create delete merge ]; + } + { + user = with config.krebs.users; [ + jeschli + jeschli-bln + jeschli-bolide + jeschli-brauerei + ]; + repo = [ config.krebs.git.repos.stockholm ]; + perm = with git; push "refs/heads/staging/jeschli*" [ fast-forward non-fast-forward create delete merge ]; + } + ]; + } + { + krebs.repo-sync.repos.stockholm.timerConfig = { + OnBootSec = "5min"; + OnUnitInactiveSec = "2min"; + RandomizedDelaySec = "2min"; + }; + } + <stockholm/lass/2configs/downloading.nix> + <stockholm/lass/2configs/minecraft.nix> + { + services.taskserver = { + enable = true; + fqdn = "lassul.us"; + listenHost = "::"; + listenPort = 53589; + organisations.lass.users = [ "lass" "android" ]; + }; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 53589"; target = "ACCEPT"; } + ]; + } + #<stockholm/lass/2configs/go.nix> + { + environment.systemPackages = [ pkgs.cryptsetup ]; + systemd.services."container@red".reloadIfChanged = mkForce false; + containers.red = { + config = { ... }: { + environment.systemPackages = [ pkgs.git ]; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + config.krebs.users.lass.pubkey + ]; + }; + autoStart = false; + enableTun = true; + privateNetwork = true; + hostAddress = "10.233.2.3"; + localAddress = "10.233.2.4"; + }; + services.nginx.virtualHosts."rote-allez-fraktion.de" = { + enableACME = true; + forceSSL = true; + locations."/" = { + extraConfig = '' + proxy_set_header Host rote-allez-fraktion.de; + proxy_pass http://10.233.2.4; + ''; + }; + }; + } + #{ + # imports = [ <stockholm/lass/2configs/backup.nix> ]; + # lass.restic = genAttrs [ + # "daedalus" + # "icarus" + # "littleT" + # "mors" + # "shodan" + # "skynet" + # ] (dest: { + # dirs = [ + # "/home/chat/.weechat" + # "/bku/sql_dumps" + # ]; + # passwordFile = (toString <secrets>) + "/restic/${dest}"; + # repo = "sftp:backup@${dest}.r:/backups/prism"; + # extraArguments = [ + # "sftp.command='ssh backup@${dest}.r -i ${config.krebs.build.host.ssh.privkey.path} -s sftp'" + # ]; + # timerConfig = { + # OnCalendar = "00:05"; + # RandomizedDelaySec = "5h"; + # }; + # }); + #} + { + users.users.download.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB0d0JA20Vqn7I4lCte6Ne2EOmLZyMJyS9yIKJYXNLjbLwkQ4AYoQKantPBkTxR75M09E7d3j5heuWnCjWH45TrfQfe1EOSSC3ppCI6C6aIVlaNs+KhAYZS0m2Y8WkKn+TT5JLEa8yybYVN/RlZPOilpj/1QgjU6CQK+eJ1k/kK+QFXcwN82GDVh5kbTVcKUNp2tiyxFA+z9LY0xFDg/JHif2ROpjJVLQBJ+YPuOXZN5LDnVcuyLWKThjxy5srQ8iDjoxBg7dwLHjby5Mv41K4W61Gq6xM53gDEgfXk4cQhJnmx7jA/pUnsn2ZQDeww3hcc7vRf8soogXXz2KC9maiq0M/svaATsa9Ul4hrKnqPZP9Q8ScSEAUX+VI+x54iWrnW0p/yqBiRAzwsczdPzaQroUFTBxrq8R/n5TFdSHRMX7fYNOeVMjhfNca/gtfw9dYBVquCvuqUuFiRc0I7yK44rrMjjVQRcAbw6F8O7+04qWCmaJ8MPlmApwu2c05VMv9hiJo5p6PnzterRSLCqF6rIdhSnuOwrUIt1s/V+EEZXHCwSaNLaQJnYL0H9YjaIuGz4c8kVzxw4c0B6nl+hqW5y5/B2cuHiumnlRIDKOIzlv8ufhh21iN7QpIsPizahPezGoT1XqvzeXfH4qryo8O4yTN/PWoA+f7o9POU7L6hQ== lhebendanz@nixos" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACADLPxtB2f2tocXHxD3ul9D1537hTht6/un87JYZNnoYABveasyIcdFIfp5lPJmj3PjwqXNTA4M/3V+ufrpZ91dxFeXWI5mOI4YB3xRu+Elja8g7nfvCz1HrH3sD1equos/7ltQ1GZYvHGw40qD1/ZtOODwRwrYJ7l/DUBrjk/tzXRjm0+ZgyQsb3G9a80cA8d3fiuQDxbAzdoJF46wt36ZfuSMpJ/Td8CbCoLlV/uL9QZemOglyxNxR607qGfRNXF1An+P+fFq24GmdHpMJ00DfjZ/dJRL9QSs7vd07uyB4Qty4VHwRhc46XH6KL7VTF1D3INF/BeBZx90GBxOvpgEji7Zrf7O5eSAjM2Do1+t+Ev2IIuiltB+QqTir4rZcrCBrJ2+zD3DDymKffVi8sz15AvdrFkIplzZxpOcgm9Ns2w/uh8sxeV6J58aoLEVmd2KRUfJFYiS1EuEjYo2OHlj8ltIh3VlfYdWksGpQc71IT0iEWvzvjYcfCda9uzFLKdLfBy4GB8+s4zR2CX9aGDyJaIY1kt/xqDeztnYwW1owG+fLMrDJlq3Mu+KmJljb30jzrOPhFYVZgWenmMFgH2RBzVEmnsR0f2LFVLj6N/a9fpEJ3WhxMOc5Ybdpgg/l9KUdgvWLk6KOtba+z9fuYT1YgwtZBoMgHAdZLmZ/DGtff palo@pepe" + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDGMjbYFmmvpF60YBShyFISbjN+O3e4GPkfsre6xFqz20joi8YqpD/5PtrMsGrPd1ZoZ9qSwXJtbb1WBomFg0xzRSNa1/FliKiE1ilcaB3aUZRtP0OWHIvWD3/YL/0h+/YXDGTfb8FNvpgJmnbN3Q0gw8cwWw+eve5BMyqDhzFvycxO4qDuP2JXkGpdhJqjaYZhP5rPH2mgv1oU1RnOA3A7APZVGf1m6JSmV7FZR514aGlFV+NpsvS29Mib8fcswgpoGhMN6jeh/nf49tp01LUAOmXSqdHIWNOTt3Mt7S4rU7RZwEhswdSRbKdKFRMj+uRkhJ4CPcNuuGtSY3id0Ja7IvrvxNaQUk1L8nBcza709jvSBYWSY5/aGL1ocA/PNWXDpOTp2PWwxkh39aPMqZXPTH3KC4IkRp5SiKibEhdmjnToV7nUAJe4IWn1b7QdoqS03ib0X87DnHWIbvi8UZlImM7pn0rs+rwnOo4lQwrTz7kbBHPaa6XOZAuDYND2728vtcrhwzVrKgiXWbyF6VzvwxPeeStmn1gENvozbj1hl9gbQ1cH/a4pZFBV/OFl/ryzDnB2ghM4acNJazXx/6/us9hX+np1YxIzJaxENj677MLc6HitM2g6XJGaixBQ0U2NNjcjIuQT0ZaeKXsSLnu1Y7+uslbVAwsQ4pJmSxxMMQ== palo@workhorse" + ]; + } + { + } + { + lass.nichtparasoup.enable = true; + services.nginx = { + enable = true; + virtualHosts."lol.lassul.us" = { + forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + proxy_pass http://localhost:5001; + ''; + }; + }; + } + { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 51820"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.filter.FORWARD.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } + ]; + krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } + ]; + networking.wireguard.interfaces.wg0 = { + ips = [ "10.244.1.1/24" ]; + listenPort = 51820; + privateKeyFile = (toString <secrets>) + "/wireguard.key"; + allowedIPsAsRoutes = true; + peers = [ + { + # lass-android + allowedIPs = [ "10.244.1.2/32" ]; + publicKey = "zVunBVOxsMETlnHkgjfH71HaZjjNUOeYNveAVv5z3jw="; + } + ]; + }; + } + { + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} + ]; + } + { + services.murmur.enable = true; + services.murmur.registerName = "lassul.us"; + krebs.iptables.tables.filter.INPUT.rules = [ + { predicate = "-p tcp --dport 64738"; target = "ACCEPT";} + ]; + + } + ]; + + krebs.build.host = config.krebs.hosts.archprism; + services.earlyoom = { + enable = true; + freeMemThreshold = 5; + }; +} diff --git a/lass/1systems/archprism/physical.nix b/lass/1systems/archprism/physical.nix new file mode 100644 index 000000000..56348d0ab --- /dev/null +++ b/lass/1systems/archprism/physical.nix @@ -0,0 +1,77 @@ +{ config, lib, pkgs, ... }: +{ + imports = [ + ./config.nix + { + boot.kernelParams = [ "net.ifnames=0" ]; + networking = { + defaultGateway = "46.4.114.225"; + # Use google's public DNS server + nameservers = [ "8.8.8.8" ]; + interfaces.eth0 = { + ipAddress = "46.4.114.247"; + prefixLength = 27; + }; + }; + # TODO use this network config + #networking.interfaces.et0.ipv4.addresses = [ + # { + # address = config.krebs.build.host.nets.internet.ip4.addr; + # prefixLength = 27; + # } + # { + # address = "46.4.114.243"; + # prefixLength = 27; + # } + #]; + #networking.defaultGateway = "46.4.114.225"; + #networking.nameservers = [ + # "8.8.8.8" + #]; + #services.udev.extraRules = '' + # SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" + #''; + } + { + imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; + + networking.hostId = "fb4173ea"; + boot.loader.grub = { + devices = [ + "/dev/sda" + "/dev/sdb" + ]; + splashImage = null; + }; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "vmw_pvscsi" + "ahci" "sd_mod" + ]; + + boot.kernelModules = [ "kvm-intel" ]; + + sound.enable = false; + nixpkgs.config.allowUnfree = true; + time.timeZone = "Europe/Berlin"; + + fileSystems."/" = { + device = "rpool/root/nixos"; + fsType = "zfs"; + }; + + fileSystems."/home" = { + device = "rpool/home"; + fsType = "zfs"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d"; + fsType = "ext4"; + }; + + } + ]; + +} diff --git a/lass/1systems/prism/physical.nix b/lass/1systems/prism/physical.nix index 83f127c22..56348d0ab 100644 --- a/lass/1systems/prism/physical.nix +++ b/lass/1systems/prism/physical.nix @@ -3,27 +3,39 @@ imports = [ ./config.nix { - networking.interfaces.et0.ipv4.addresses = [ - { - address = config.krebs.build.host.nets.internet.ip4.addr; + boot.kernelParams = [ "net.ifnames=0" ]; + networking = { + defaultGateway = "46.4.114.225"; + # Use google's public DNS server + nameservers = [ "8.8.8.8" ]; + interfaces.eth0 = { + ipAddress = "46.4.114.247"; prefixLength = 27; - } - { - address = "46.4.114.243"; - prefixLength = 27; - } - ]; - networking.defaultGateway = "46.4.114.225"; - networking.nameservers = [ - "8.8.8.8" - ]; - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" - ''; + }; + }; + # TODO use this network config + #networking.interfaces.et0.ipv4.addresses = [ + # { + # address = config.krebs.build.host.nets.internet.ip4.addr; + # prefixLength = 27; + # } + # { + # address = "46.4.114.243"; + # prefixLength = 27; + # } + #]; + #networking.defaultGateway = "46.4.114.225"; + #networking.nameservers = [ + # "8.8.8.8" + #]; + #services.udev.extraRules = '' + # SUBSYSTEM=="net", ATTR{address}=="08:60:6e:e7:87:04", NAME="et0" + #''; } { imports = [ <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; + networking.hostId = "fb4173ea"; boot.loader.grub = { devices = [ "/dev/sda" @@ -40,45 +52,25 @@ boot.kernelModules = [ "kvm-intel" ]; - fileSystems."/" = { - device = "/dev/pool/nix_root"; - fsType = "ext4"; - }; - - fileSystems."/tmp" = { - device = "tmpfs"; - fsType = "tmpfs"; - options = ["nosuid" "nodev" "noatime"]; - }; - - fileSystems."/var/download" = { - device = "/dev/pool/download"; - fsType = "ext4"; - }; + sound.enable = false; + nixpkgs.config.allowUnfree = true; + time.timeZone = "Europe/Berlin"; - fileSystems."/srv/http" = { - device = "/dev/pool/http"; - fsType = "ext4"; + fileSystems."/" = { + device = "rpool/root/nixos"; + fsType = "zfs"; }; fileSystems."/home" = { - device = "/dev/pool/home"; - fsType = "ext4"; + device = "rpool/home"; + fsType = "zfs"; }; - fileSystems."/bku" = { - device = "/dev/pool/bku"; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/b67c3370-1597-4ce8-8a46-e257ca32150d"; fsType = "ext4"; }; - swapDevices = [ - { label = "swap1"; } - { label = "swap2"; } - ]; - - sound.enable = false; - nixpkgs.config.allowUnfree = true; - time.timeZone = "Europe/Berlin"; } ]; diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index e8a2539f3..9b44e8f0e 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -74,7 +74,6 @@ in { nmap pavucontrol powertop - push rxvt_unicode_with-plugins sxiv taskwarrior diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 253c56e48..c5b5c01fb 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix @@ -50,14 +50,30 @@ let cgit.desc = "take a description of your disk layout and produce a format script"; cgit.section = "software"; }; + go = { + cgit.desc = "url shortener"; + cgit.section = "software"; + }; krebspage = { cgit.desc = "homepage of krebs"; cgit.section = "configuration"; }; + krops = { + cgit.desc = "krebs deployment"; + cgit.section = "software"; + }; news = { cgit.desc = "take a rss feed and a timeout and print it to stdout"; cgit.section = "software"; }; + newsbot-js = { + cgit.desc = "print rss feeds to irc channels"; + cgit.section = "software"; + }; + nix-user-chroot = { + cgit.desc = "Fork of nix-user-chroot by lethalman"; + cgit.section = "software"; + }; nix-writers = { cgit.desc = "high level writers for nix"; cgit.section = "software"; @@ -85,14 +101,6 @@ let cgit.desc = "Good Music collection + tools"; cgit.section = "art"; }; - nix-user-chroot = { - cgit.desc = "Fork of nix-user-chroot by lethalman"; - cgit.section = "software"; - }; - krops = { - cgit.desc = "krebs deployment"; - cgit.section = "software"; - }; xmonad-stockholm = { cgit.desc = "krebs xmonad modules"; cgit.section = "configuration"; diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 9246abfed..e50689254 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -210,6 +210,7 @@ in { environment.systemPackages = [ msmtp mutt + pkgs.notmuch pkgs.much tag-new-mails tag-old-mails diff --git a/lass/2configs/urxvt.nix b/lass/2configs/urxvt.nix index fa63ddf25..82f3fb2e6 100644 --- a/lass/2configs/urxvt.nix +++ b/lass/2configs/urxvt.nix @@ -5,7 +5,7 @@ with import <stockholm/lib>; services.urxvtd.enable = true; krebs.xresources.resources.urxvt = '' - URxvt*SaveLines: 1000000 + URxvt.saveLines: 100000 URxvt*scrollBar: false URxvt*urgentOnBell: true URxvt.perl-ext-common: default,clipboard,url-select,keyboard-select diff --git a/lass/2configs/vim.nix b/lass/2configs/vim.nix index 855c30b3e..4f7bd4437 100644 --- a/lass/2configs/vim.nix +++ b/lass/2configs/vim.nix @@ -63,6 +63,8 @@ let au Syntax * syn match Garbage containedin=ALL /\s\+$/ \ | syn match TabStop containedin=ALL /\t\+/ \ | syn keyword Todo containedin=ALL TODO + \ | syn match NBSP '\%xa0' + \ | syn match NarrowNBSP '\%u202F' au BufRead,BufNewFile *.hs so ${hs.vim} @@ -165,6 +167,8 @@ let hi Garbage ctermbg=088 hi TabStop ctermbg=016 + hi NBSP ctermbg=094 + hi NarrowNBSP ctermbg=097 hi Todo ctermfg=174 ctermbg=NONE hi NixCode ctermfg=148 diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index e1c1313ea..828cab95f 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -66,6 +66,12 @@ in { ]) ]; + services.mysql.ensureDatabases = [ "ubikmedia_de" "o_ubikmedia_de" ]; + services.mysql.ensureUsers = [ + { ensurePermissions = { "ubikmedia_de.*" = "ALL"; }; name = "nginx"; } + { ensurePermissions = { "o_ubikmedia_de.*" = "ALL"; }; name = "nginx"; } + ]; + services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = '' try_files $uri $uri/ /index.php?$args; ''; diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 4c29831a2..b72b20928 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -145,8 +145,9 @@ in { home = "/srv/http/lassul.us"; useDefaultShell = true; createHome = true; - openssh.authorizedKeys.keys = [ - config.krebs.users.lass.pubkey + openssh.authorizedKeys.keys = with config.krebs.users; [ + lass.pubkey + lass-mors.pubkey ]; }; } diff --git a/lass/3modules/xjail.nix b/lass/3modules/xjail.nix index 5b450ed42..974e11c6e 100644 --- a/lass/3modules/xjail.nix +++ b/lass/3modules/xjail.nix @@ -120,10 +120,13 @@ with import <stockholm/lib>; ${pkgs.coreutils}/bin/kill $WM_PID ${pkgs.coreutils}/bin/kill $XEPHYR_PID ''; + # TODO fix xephyr which doesn't honor resizes anymore sudo_ = pkgs.writeDash "${cfg.name}-sudo" (if cfg.vglrun then '' /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${vglrun_} "$@" '' else '' - /var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@" + #/var/run/wrappers/bin/sudo -u ${cfg.name} -i env DISPLAY=:${cfg.display} ${cfg.script} "$@" + /var/run/wrappers/bin/sudo -u ${cfg.name} -i ${cfg.script} "$@" + ''); vglrun_ = pkgs.writeDash "${cfg.name}-vglrun" '' DISPLAY=:${cfg.display} ${pkgs.virtualgl}/bin/vglrun ${cfg.extraVglrunArgs} ${cfg.script} "$@" @@ -163,7 +166,7 @@ with import <stockholm/lib>; lass.xjail-bins = mapAttrs' (name: cfg: nameValuePair name (pkgs.writeScriptBin cfg.name '' - ${scripts.${name}.existing} "$@" + ${scripts.${name}.sudo} "$@" '') ) config.lass.xjail; }; diff --git a/lass/krops.nix b/lass/krops.nix index 4e045c6db..a898164c3 100644 --- a/lass/krops.nix +++ b/lass/krops.nix @@ -22,13 +22,14 @@ in { # usage: $(nix-build --no-out-link --argstr name HOSTNAME -A deploy) - deploy = pkgs.krops.writeDeploy "${name}-deploy" { + deploy = { target ? "root@${name}/var/src" }: pkgs.krops.writeDeploy "${name}-deploy" { source = source { test = false; }; - target = "root@${name}/var/src"; + inherit target; }; # usage: $(nix-build --no-out-link --argstr name HOSTNAME --argstr target PATH -A test) test = { target }: pkgs.krops.writeTest "${name}-test" { + force = true; inherit target; source = source { test = true; }; }; |