author | tv <tv@krebsco.de> | 2018-12-18 20:17:03 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2018-12-18 20:17:03 +0100 |
commit | 1fa1fa53062069de970548f88ad0211b4502f18d (patch) | |
tree | 30413fa29c1c43ff7af5ea684d92e613de4af295 /lass | |
parent | 8b4428816d1385e1dd5ec9bf0ce44ae0e284130a (diff) | |
parent | 23562e36190e07f338211541ac3d2cc77ebdbafa (diff) |
Merge remote-tracking branch 'prism/master'
Diffstat (limited to 'lass')
-rw-r--r-- | lass/1systems/littleT/config.nix | 47 | ||||
-rw-r--r-- | lass/1systems/littleT/physical.nix | 22 | ||||
-rw-r--r-- | lass/1systems/mors/config.nix | 1 | ||||
-rw-r--r-- | lass/1systems/prism/config.nix | 16 | ||||
-rw-r--r-- | lass/1systems/skynet/config.nix | 1 | ||||
-rw-r--r-- | lass/1systems/xerxes/config.nix | 16 | ||||
-rw-r--r-- | lass/1systems/xerxes/physical.nix | 29 | ||||
-rw-r--r-- | lass/2configs/baseX.nix | 2 | ||||
-rw-r--r-- | lass/2configs/blue-host.nix | 1 | ||||
-rw-r--r-- | lass/2configs/blue.nix | 2 | ||||
-rw-r--r-- | lass/2configs/browsers.nix | 6 | ||||
-rw-r--r-- | lass/2configs/default.nix | 2 | ||||
-rw-r--r-- | lass/2configs/git.nix | 2 | ||||
-rw-r--r-- | lass/2configs/mail.nix | 2 | ||||
-rw-r--r-- | lass/2configs/websites/domsen.nix | 9 | ||||
-rw-r--r-- | lass/2configs/wiregrill.nix | 44 | ||||
-rw-r--r-- | lass/2configs/wirelum.nix | 44 | ||||
-rw-r--r-- | lass/5pkgs/custom/xmonad-lass/default.nix | 2 | ||||
-rw-r--r-- | lass/5pkgs/l-gen-secrets/default.nix | 11 |
19 files changed, 108 insertions, 151 deletions
diff --git a/lass/1systems/littleT/config.nix b/lass/1systems/littleT/config.nix index 44617d3e7..7fe143c3c 100644 --- a/lass/1systems/littleT/config.nix +++ b/lass/1systems/littleT/config.nix @@ -6,52 +6,11 @@ with import <stockholm/lib>; <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/backup.nix> - <stockholm/lass/2configs/steam.nix> - { - users.users.blacky = { - uid = genid "blacky"; - home = "/home/blacky"; - group = "users"; - createHome = true; - extraGroups = [ - "audio" - "networkmanager" - "video" - ]; - useDefaultShell = true; - }; - networking.networkmanager.enable = true; - networking.wireless.enable = mkForce false; - hardware.pulseaudio = { - enable = true; - systemWide = true; - }; - environment.systemPackages = with pkgs; [ - pavucontrol - chromium - hexchat - networkmanagerapplet - vlc - ]; - services.xserver.enable = true; - services.xserver.displayManager.lightdm.enable = true; - services.xserver.desktopManager.plasma5.enable = true; - services.xserver.layout = "de"; - users.mutableUsers = mkForce true; - services.xserver.synaptics.enable = true; - } - { - #remote control - environment.systemPackages = with pkgs; [ - x11vnc - ]; - krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p tcp -i retiolum --dport 5900"; target = "ACCEPT"; } - ]; - } + <stockholm/lass/2configs/blue-host.nix> ]; + networking.networkmanager.enable = true; + networking.wireless.enable = mkForce false; time.timeZone = "Europe/Berlin"; hardware.trackpoint = { diff --git a/lass/1systems/littleT/physical.nix b/lass/1systems/littleT/physical.nix index 9776211ae..550f058a8 100644 --- a/lass/1systems/littleT/physical.nix +++ b/lass/1systems/littleT/physical.nix 
@@ -1,7 +1,25 @@ { imports = [ ./config.nix - <stockholm/lass/2configs/hw/x220.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> + <nixpkgs/nixos/modules/installer/scan/not-detected.nix> ]; + fileSystems."/" = + { device = "rpool/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/5B2E-3734"; + fsType = "vfat"; + }; + boot.loader.grub.enable = true; + boot.loader.grub.version = 2; + boot.loader.grub.efiSupport = true; + boot.loader.grub.efiInstallAsRemovable = true; + boot.loader.grub.device = "nodev"; + networking.hostId = "584248c6"; + + boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ]; + boot.kernelModules = [ "kvm-intel" ]; + } diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index 207c7c640..46cdbbb66 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -34,6 +34,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/backup.nix> <stockholm/lass/2configs/print.nix> <stockholm/lass/2configs/blue-host.nix> + <stockholm/lass/2configs/network-manager.nix> { krebs.iptables.tables.filter.INPUT.rules = [ #risk of rain diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index ec3976519..6c454b4ac 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix 
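Review bot: The new root filesystem `rpool/root` is declared with no disk-encryption configuration in this file, while the `xerxes/physical.nix` deleted in the same commit carried a `boot.initrd.luks.devices` entry; whether `rpool` uses ZFS native encryption cannot be told from this hunk. A one-line comment recording the pool's at-rest status, e.g. `# rpool is <encrypted|unencrypted>, created via <pool-setup-reference>` with the placeholders filled in, would save the next reader a trip to the machine. The `hw/x220.nix` and `boot/stock-x220.nix` imports are replaced by `not-detected.nix` alone, so anything those profiles set beyond filesystems is no longer applied here — presumably intended, but worth confirming.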
@@ -298,16 +298,18 @@ with import <stockholm/lib>; } { imports = [ - <stockholm/lass/2configs/wirelum.nix> + <stockholm/lass/2configs/wiregrill.nix> + ]; + krebs.iptables.tables.nat.PREROUTING.rules = [ + { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; } ]; - #krebs.iptables.tables.nat.PREROUTING.rules = [ - # { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } - #]; krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24 -d 10.243.0.0/16"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-s 10.243.0.0/16 -d 10.244.1.0/24"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } + { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ + { v4 = false; predicate = "-s 42:1:ce16::/48 ! -d 42:1:ce16::48"; target = "MASQUERADE"; } { v6 = false; predicate = "-s 10.244.1.0/24 ! -d 10.244.1.0/24"; target = "MASQUERADE"; } ]; services.dnsmasq = { @@ -315,7 +317,7 @@ with import <stockholm/lib>; resolveLocalQueries = false; extraConfig= '' - listen-address=10.244.1.1 + listen-address=42:1:ce16::1 except-interface=lo interface=wg0 ''; diff --git a/lass/1systems/skynet/config.nix b/lass/1systems/skynet/config.nix index 13a8b3e41..4b806af7b 100644 --- a/lass/1systems/skynet/config.nix +++ b/lass/1systems/skynet/config.nix @@ -5,7 +5,6 @@ with import <stockholm/lib>; <stockholm/lass> <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/fetchWallpaper.nix> <stockholm/lass/2configs/blue-host.nix> <stockholm/lass/2configs/power-action.nix> { diff --git a/lass/1systems/xerxes/config.nix b/lass/1systems/xerxes/config.nix deleted file mode 100644 index 1bd6cf2c5..000000000 
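Review bot: The IPv6 MASQUERADE rule added to `krebs.iptables.tables.nat.POSTROUTING.rules` reads `! -d 42:1:ce16::48`, which excludes the single address 42:1:ce16::48 rather than the /48 prefix, so traffic from the wiregrill /48 to other hosts inside that same /48 is still NATed; the IPv4 rule beside it correctly uses `! -d 10.244.1.0/24`. It should read `{ v4 = false; predicate = "-s 42:1:ce16::/48 ! -d 42:1:ce16::/48"; target = "MASQUERADE"; }`. The FORWARD rules also move from source/destination-prefix matching to interface matching (`-i wiregrill -o retiolum` and the reverse), so anything a wiregrill peer emits is now forwarded into retiolum; that rests on WireGuard dropping packets whose source lies outside the peer's allowedIPs, which deserves a comment next to those rules. In the second hunk dnsmasq's `listen-address` becomes `42:1:ce16::1` while the unchanged `interface=wg0` line names an interface that does not match the `wiregrill` interface created in `wiregrill.nix`; if nothing else creates `wg0`, dnsmasq will presumably not bind on the tunnel. The attribute set enclosing these rules starts and ends outside the hunk.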
--- a/lass/1systems/xerxes/config.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - <stockholm/lass> - - <stockholm/lass/2configs/retiolum.nix> - <stockholm/lass/2configs/exim-retiolum.nix> - <stockholm/lass/2configs/baseX.nix> - <stockholm/lass/2configs/browsers.nix> - <stockholm/lass/2configs/programs.nix> - <stockholm/lass/2configs/fetchWallpaper.nix> - ]; - - krebs.build.host = config.krebs.hosts.xerxes; -} diff --git a/lass/1systems/xerxes/physical.nix b/lass/1systems/xerxes/physical.nix deleted file mode 100644 index 17caccfe6..000000000 --- a/lass/1systems/xerxes/physical.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ - imports = [ - ./config.nix - <stockholm/lass/2configs/hw/gpd-pocket.nix> - <stockholm/lass/2configs/boot/stock-x220.nix> - ]; - services.udev.extraRules = '' - SUBSYSTEM=="net", ATTR{address}=="b0:f1:ec:9f:5c:78", NAME="wl0" - ''; - - fileSystems."/" = { - device = "/dev/disk/by-uuid/d227d88f-bd24-4e8a-aa14-9e966b471437"; - fsType = "btrfs"; - }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/16C8-D053"; - fsType = "vfat"; - }; - - fileSystems."/home" = { - device = "/dev/disk/by-uuid/1ec4193b-7f41-490d-8782-7677d437b358"; - fsType = "btrfs"; - }; - - boot.initrd.luks.devices = [ { name = "luksroot"; device = "/dev/disk/by-uuid/d17f19a3-dcba-456d-b5da-e45cc15dc9c8"; } ]; - - networking.wireless.enable = true; -} diff --git a/lass/2configs/baseX.nix b/lass/2configs/baseX.nix index 53d90ed7d..1b6a1d593 100644 --- a/lass/2configs/baseX.nix +++ b/lass/2configs/baseX.nix @@ -9,7 +9,6 @@ in { ./power-action.nix ./copyq.nix ./urxvt.nix - ./network-manager.nix { hardware.pulseaudio = { enable = true; @@ -65,6 +64,7 @@ in { dic dmenu font-size + fzfmenu gitAndTools.qgit git-preview gnome3.dconf diff --git a/lass/2configs/blue-host.nix b/lass/2configs/blue-host.nix index 9cf294afd..718a92e9c 100644 --- a/lass/2configs/blue-host.nix +++ b/lass/2configs/blue-host.nix 
@@ -7,6 +7,7 @@ let "daedalus" "skynet" "prism" + "littleT" ]; remote_hosts = filter (h: h != config.networking.hostName) all_hosts; diff --git a/lass/2configs/blue.nix b/lass/2configs/blue.nix index 4d4a92eb9..cdd77e847 100644 --- a/lass/2configs/blue.nix +++ b/lass/2configs/blue.nix @@ -22,7 +22,9 @@ with (import <stockholm/lib>); krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} + { predicate = "-i wiregrill -p udp --dport 60000:61000"; target = "ACCEPT";} { predicate = "-i retiolum -p tcp --dport 9999"; target = "ACCEPT";} + { predicate = "-i wiregrill -p tcp --dport 9999"; target = "ACCEPT";} ]; systemd.services.chat = let diff --git a/lass/2configs/browsers.nix b/lass/2configs/browsers.nix index 425e0ee13..d214e224d 100644 --- a/lass/2configs/browsers.nix +++ b/lass/2configs/browsers.nix @@ -45,7 +45,7 @@ let createFirefoxUser = name: groups: precedence: createUser (pkgs.writeDash name '' - ${pkgs.firefox-devedition-bin}/bin/firefox-devedition "$@" + ${pkgs.firefox}/bin/firefox "$@" '') name groups precedence 80; createQuteUser = name: groups: precedence: @@ -89,8 +89,8 @@ in { })); }; } - ( createQuteUser "qb" [ "audio" ] 20 ) - ( createFirefoxUser "ff" [ "audio" ] 10 ) + ( createFirefoxUser "ff" [ "audio" ] 11 ) + ( createQuteUser "qb" [ "audio" ] 10 ) ( createChromiumUser "cr" [ "audio" "video" ] 9 ) ( createChromiumUser "gm" [ "video" "audio" ] 8 ) ( createChromiumUser "wk" [ "audio" ] 0 ) diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index dea32d4d4..62a42baf9 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -10,7 +10,7 @@ with import <stockholm/lib>; ./zsh.nix ./htop.nix ./security-workarounds.nix - ./wirelum.nix + ./wiregrill.nix { users.extraUsers = mapAttrs (_: h: { hashedPassword = h; }) diff --git a/lass/2configs/git.nix b/lass/2configs/git.nix index 62173e33f..7650f4294 100644 --- a/lass/2configs/git.nix +++ b/lass/2configs/git.nix 
@@ -154,7 +154,7 @@ let public = true; }; - make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? false, hooks ? {}, ... }: { + make-restricted-repo = name: { admins ? [], collaborators ? [], announce ? true, hooks ? {}, ... }: { inherit admins collaborators name; public = false; hooks = { diff --git a/lass/2configs/mail.nix b/lass/2configs/mail.nix index 36e797a96..21b9d7b49 100644 --- a/lass/2configs/mail.nix +++ b/lass/2configs/mail.nix @@ -82,7 +82,7 @@ let source ${pkgs.neomutt}/share/doc/neomutt/samples/gpg.rc set pgp_use_gpg_agent = yes set pgp_sign_as = 0xDC2A43EF4F11E854B44D599A89E82952976A7E4D - set crypt_autosign = yes + set crypt_autosign = no set crypt_replyencrypt = yes set crypt_verify_sig = yes set pgp_verify_command = "gpg --no-verbose --batch --output - --verify %s %f" diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 4935268a4..25dac0ac4 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -126,6 +126,7 @@ in { { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } { from = "akayguen@freemonkey.art"; to ="akayguen"; } { from = "bui@freemonkey.art"; to ="bui"; } + { from = "kontakt@alewis.de"; to ="klabusterbeere"; } { from = "testuser@lassul.us"; to = "testuser"; } { from = "testuser@ubikmedia.eu"; to = "testuser"; } @@ -134,6 +135,7 @@ in { "jla-trading.com" "ubikmedia.eu" "ubikmedia.de" + "alewis.de" ]; ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem"; @@ -204,5 +206,12 @@ in { createHome = true; }; + users.users.klabusterbeere = { + uid = genid_uint31 "klabusterbeere"; + home = "/home/klabusterbeere"; + useDefaultShell = true; + createHome = true; + }; + } diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix new file mode 100644 index 000000000..b2ee35df3 --- /dev/null +++ b/lass/2configs/wiregrill.nix 
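Review bot: Flipping the `announce` default of `make-restricted-repo` to `true` means every non-public repo built through it now announces unless the caller opts out, so activity of private repositories is pushed to whatever the announce hook targets (not visible in this hunk). If that is intended, the default deserves a short comment, e.g. `# restricted repos announce by default; pass announce = false for repos whose activity must stay private`; otherwise keep `announce ? false` and enable it per repo. The `let` block enclosing this definition starts and ends outside the hunk.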
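Review bot: Setting `crypt_autosign = no` means outgoing mail is no longer PGP-signed unless signing is chosen per message, while `crypt_replyencrypt = yes` stays, so replies to encrypted mail will be encrypted but unsigned by default and recipients lose sender authentication on them. A one-line comment above the setting stating why auto-signing was dropped, e.g. `# autosign off: <reason>`, would keep the next reader from re-enabling it or treating it as a mistake. The neomutt configuration this line sits in starts and ends outside the hunk.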
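Review bot: `alewis.de` is appended to the domain list that sits directly above `ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"`, and nothing in the hunk extends that certificate to the new domain; if the lassul.us ACME certificate does not carry alewis.de as a SAN, clients that connect with server name alewis.de will get a name mismatch (presumably the other listed domains are covered by it already). Either extend the lassul.us certificate to cover alewis.de or add a comment such as `# alewis.de is served under the lassul.us cert; clients must use lassul.us as the server name` so the intent is explicit. The new `users.users.klabusterbeere` block in the third hunk mirrors the user above it, which is only partly visible here.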
@@ -0,0 +1,44 @@
+with import <stockholm/lib>;
+{ config, pkgs, ... }: let
+
+ self = config.krebs.build.host.nets.wiregrill;
+ isRouter = !isNull self.via;
+
+in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
+ #hack for modprobe inside containers
+ systemd.services."wireguard-wiregrill".path = mkIf config.boot.isContainer (mkBefore [
+ (pkgs.writeDashBin "modprobe" ":")
+ ]);
+
+ boot.kernel.sysctl = mkIf isRouter {
+ "net.ipv6.conf.all.forwarding" = 1;
+ };
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
+ ];
+ krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
+ { precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
+ ];
+
+ networking.wireguard.interfaces.wiregrill = {
+ ips =
+ (optional (!isNull self.ip4) self.ip4.addr) ++
+ (optional (!isNull self.ip6) self.ip6.addr);
+ listenPort = 51820;
+ privateKeyFile = (toString <secrets>) + "/wiregrill.key";
+ allowedIPsAsRoutes = true;
+ peers = mapAttrsToList
+ (_: host: {
+ allowedIPs = if isRouter then
+ (optional (!isNull host.nets.wiregrill.ip4) host.nets.wiregrill.ip4.addr) ++
+ (optional (!isNull host.nets.wiregrill.ip6) host.nets.wiregrill.ip6.addr)
+ else
+ host.nets.wiregrill.wireguard.subnets
+ ;
+ endpoint = mkIf (!isNull host.nets.wiregrill.via) (host.nets.wiregrill.via.ip4.addr + ":${toString host.nets.wiregrill.wireguard.port}");
+ persistentKeepalive = mkIf (!isNull host.nets.wiregrill.via) 61;
+ publicKey = host.nets.wiregrill.wireguard.pubkey;
+ })
+ (filterAttrs (_: h: hasAttr "wiregrill" h.nets) config.krebs.hosts);
+ };
+}
diff --git a/lass/2configs/wirelum.nix b/lass/2configs/wirelum.nix
deleted file mode 100644
index cd8a20c6b..000000000
--- a/lass/2configs/wirelum.nix
+++ /dev/null
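Review bot: `listenPort = 51820;` is hard-coded while the INPUT rule a few lines above opens `self.wireguard.port` and peers are told to reach this host at `host.nets.wiregrill.wireguard.port`; for any host whose wiregrill port is not 51820 the firewall admits the wrong port and peers dial a port nothing listens on. Use `listenPort = self.wireguard.port;` so the three agree. Two further points: `net.ipv6.conf.all.forwarding` is enabled on every interface of a router, not only wiregrill, so the effective policy rests on the FORWARD chain's default (not visible here) and a comment saying so would help; and `endpoint` dereferences `host.nets.wiregrill.via.ip4.addr` as soon as `via` is non-null, so a peer reachable only over IPv6 would presumably fail evaluation rather than be skipped.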
@@ -1,44 +0,0 @@
-with import <stockholm/lib>;
-{ config, pkgs, ... }: let
-
- self = config.krebs.build.host.nets.wirelum;
- isRouter = !isNull self.via;
-
-in mkIf (hasAttr "wirelum" config.krebs.build.host.nets) {
- #hack for modprobe inside containers
- systemd.services."wireguard-wirelum".path = mkIf config.boot.isContainer (mkBefore [
- (pkgs.writeDashBin "modprobe" ":")
- ]);
-
- boot.kernel.sysctl = mkIf isRouter {
- "net.ipv6.conf.all.forwarding" = 1;
- };
- krebs.iptables.tables.filter.INPUT.rules = [
- { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
- ];
- krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [
- { precedence = 1000; predicate = "-i wirelum -o wirelum"; target = "ACCEPT"; }
- ];
-
- networking.wireguard.interfaces.wirelum = {
- ips =
- (optional (!isNull self.ip4) self.ip4.addr) ++
- (optional (!isNull self.ip6) self.ip6.addr);
- listenPort = 51820;
- privateKeyFile = (toString <secrets>) + "/wirelum.key";
- allowedIPsAsRoutes = true;
- peers = mapAttrsToList
- (_: host: {
- allowedIPs = if isRouter then
- (optional (!isNull host.nets.wirelum.ip4) host.nets.wirelum.ip4.addr) ++
- (optional (!isNull host.nets.wirelum.ip6) host.nets.wirelum.ip6.addr)
- else
- host.nets.wirelum.wireguard.subnets
- ;
- endpoint = mkIf (!isNull host.nets.wirelum.via) (host.nets.wirelum.via.ip4.addr + ":${toString host.nets.wirelum.wireguard.port}");
- persistentKeepalive = mkIf (!isNull host.nets.wirelum.via) 61;
- publicKey = host.nets.wirelum.wireguard.pubkey;
- })
- (filterAttrs (_: h: hasAttr "wirelum" h.nets) config.krebs.hosts);
- };
-}
diff --git a/lass/5pkgs/custom/xmonad-lass/default.nix b/lass/5pkgs/custom/xmonad-lass/default.nix
index f86a4a69b..79e6416e1 100644
--- a/lass/5pkgs/custom/xmonad-lass/default.nix
+++ b/lass/5pkgs/custom/xmonad-lass/default.nix
@@ -78,7 +78,7 @@ main = getArgs >>= \case main' :: IO () main' = do handleShutdownEvent <- newShutdownEventHandler - xmonad $ ewmh + launch $ ewmh $ withUrgencyHook LibNotifyUrgencyHook $ def { terminal = myTerm diff --git a/lass/5pkgs/l-gen-secrets/default.nix b/lass/5pkgs/l-gen-secrets/default.nix index b6cb2ec7e..85b050644 100644 --- a/lass/5pkgs/l-gen-secrets/default.nix +++ b/lass/5pkgs/l-gen-secrets/default.nix @@ -8,6 +8,8 @@ pkgs.writeDashBin "l-gen-secrets" '' ${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f $TMPDIR/ssh.id_ed25519 -P "" -C "" >/dev/null ${pkgs.openssl}/bin/openssl genrsa -out $TMPDIR/retiolum.rsa_key.priv 4096 2>/dev/null > /dev/null ${pkgs.openssl}/bin/openssl rsa -in $TMPDIR/retiolum.rsa_key.priv -pubout -out $TMPDIR/retiolum.rsa_key.pub 2>/dev/null > /dev/null + ${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wiregrill.key + ${pkgs.coreutils}/bin/cat $TMPDIR/wiregrill.key | ${pkgs.wireguard}/bin/wg pubkey > $TMPDIR/wiregrill.pub cat <<EOF > $TMPDIR/hashedPasswords.nix { root = "$HASHED_PASSWORD"; @@ -35,6 +37,15 @@ pkgs.writeDashBin "l-gen-secrets" '' $(cat $TMPDIR/retiolum.rsa_key.pub) ${"''"}; }; + wiregrill = { + ip6.addr = (wip6 "changeme").address; + aliases = [ + "$HOSTNAME.w" + ]; + wireguard.pubkey = ${"''"} + $(cat $TMPDIR/wiregrill.pub) + ${"''"}; + }; }; ssh.privkey.path = <secrets/ssh.id_ed25519>; ssh.pubkey = "$(cat $TMPDIR/ssh.id_ed25519.pub)"; |
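Review bot: `wg genkey > $TMPDIR/wiregrill.key` creates the private key file with the shell's inherited umask, so unless an earlier part of the script (above this hunk) sets `umask 077` or creates `$TMPDIR` privately, the key may be readable by other local users for as long as it sits there; the neighbouring `ssh-keygen` line, at least, sets 0600 on its private key itself, so this line is the odd one out. Wrapping it as `(umask 077; ${pkgs.wireguard}/bin/wg genkey > $TMPDIR/wiregrill.key)` closes the gap, and the pubkey line can drop the pipe: `${pkgs.wireguard}/bin/wg pubkey < $TMPDIR/wiregrill.key > $TMPDIR/wiregrill.pub`. The `ip6.addr = (wip6 "changeme").address;` line in the second hunk is presumably a value to be edited by hand after generation; a trailing comment saying so would make that explicit. The writeDashBin script starts above and ends below both hunks.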