diff options
31 files changed, 400 insertions, 71 deletions
diff --git a/krebs/3modules/makefu/default.nix b/krebs/3modules/makefu/default.nix index 31516d591..38e773b53 100644 --- a/krebs/3modules/makefu/default.nix +++ b/krebs/3modules/makefu/default.nix @@ -297,6 +297,30 @@ with lib; ssh.privkey.path = <secrets/ssh_host_ed25519_key>; ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIujMZ3ZFxKpWeB/cjfKfYRr77+VRZk0Eik+92t03NoA root@servarch"; }; + wbob = rec { + cores = 1; + dc = "none"; + nets = { + retiolm = { + addrs4 = ["10.243.214.15/32"]; + addrs6 = ["42:5a02:2c30:c1b1:3f2e:7c19:2496:a732/128"]; + aliases = [ + "wbob.retiolum" + ]; + tinc.pubkey = '' +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEAqLTJx91OdR0FlJAc2JGh+AJde95oMzzh8o36JBFpsaN7styNfD3e +QGM/bDXFjk4ieIe5At0Z63P2KWxRp3cz8LWKJsn5cGsX2074YWMAGmKX+ZZJNlal +cJ994xX+8MJ6L2tVKpY7Ace7gqDN+l650PrEzV2SLisIqOdxoBlbAupdwHieUBt8 +khm4NLNUCxPYUx2RtHn4iGdgSgUD/SnyHEFdyDA17lWAGfEi4yFFjFMYQce/TFrs +rQV9t5hGaofu483Epo6mEfcBcsR4GIHI4a4WKYANsIyvFvzyGFEHOMusG6nRRqE9 +TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB +-----END RSA PUBLIC KEY----- +''; + }; + }; + }; + gum = rec { cores = 1; dc = "online.net"; #root-server diff --git a/krebs/5pkgs/apt-cacher-ng/default.nix b/krebs/5pkgs/apt-cacher-ng/default.nix index f253cdba0..f71d17c54 100644 --- a/krebs/5pkgs/apt-cacher-ng/default.nix +++ b/krebs/5pkgs/apt-cacher-ng/default.nix @@ -2,11 +2,11 @@ stdenv.mkDerivation rec { name = "apt-cacher-ng-${version}"; - version = "0.8.6"; + version = "0.8.8"; src = fetchurl { url = "http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/apt-cacher-ng_${version}.orig.tar.xz"; - sha256 = "0044dfks8djl11fs28jj8894i4rq424xix3d3fkvzz2i6lnp8nr5"; + sha256 = "0n7yy4h8g7j0g94xngbywmfhrkg9xl3j2c4wzrjknfwvxmqgjivq"; }; NIX_LDFLAGS = "-lpthread"; diff --git a/krebs/5pkgs/fortclientsslvpn/default.nix b/krebs/5pkgs/fortclientsslvpn/default.nix index 720d4004f..e1c813479 100644 --- a/krebs/5pkgs/fortclientsslvpn/default.nix +++ b/krebs/5pkgs/fortclientsslvpn/default.nix @@ -81,7 +81,7 @@ stdenv.mkDerivation rec { meta = { homepage = http://www.fortinet.com; description = "Forticlient SSL-VPN client"; - license = lib.licenses.nonfree; + license = lib.licenses.unfree; maintainers = [ lib.maintainers.makefu ]; }; } diff --git a/krebs/5pkgs/krebszones/default.nix b/krebs/5pkgs/krebszones/default.nix index f6fd672dc..9230192bd 100644 --- a/krebs/5pkgs/krebszones/default.nix +++ b/krebs/5pkgs/krebszones/default.nix @@ -1,5 +1,10 @@ { lib, pkgs,python3Packages,fetchurl, ... }: +# TODO: Prepare a diff of future and current +## ovh-zone export krebsco.de --config ~/secrets/krebs/cfg.json |sed 's/[ ]\+/ /g' | sort current +## sed 's/[ ]\+/ /g'/etc/zones/krebsco.de | sort > future +## diff future.sorted current.sorted + python3Packages.buildPythonPackage rec { name = "krebszones-${version}"; version = "0.4.4"; diff --git a/krebs/5pkgs/test/infest-cac-centos7/default.nix b/krebs/5pkgs/test/infest-cac-centos7/default.nix index ebea5ae1c..f7b2a5a08 100644 --- a/krebs/5pkgs/test/infest-cac-centos7/default.nix +++ b/krebs/5pkgs/test/infest-cac-centos7/default.nix @@ -28,7 +28,9 @@ stdenv.mkDerivation rec { cp ${src} $out/bin/${shortname} chmod +x $out/bin/${shortname} wrapProgram $out/bin/${shortname} \ - --prefix PATH : ${path} + --prefix PATH : ${path} \ + --set SSL_CERT_FILE ${./panel.cloudatcost.com.crt} \ + --set REQUESTS_CA_BUNDLE ${./panel.cloudatcost.com.crt} ''; meta = with stdenv.lib; { homepage = http://krebsco.de; diff --git a/krebs/5pkgs/test/infest-cac-centos7/panel.cloudatcost.com.crt b/krebs/5pkgs/test/infest-cac-centos7/panel.cloudatcost.com.crt new file mode 100644 index 000000000..9d02b6bcf --- /dev/null +++ b/krebs/5pkgs/test/infest-cac-centos7/panel.cloudatcost.com.crt @@ -0,0 +1,88 @@ +-----BEGIN CERTIFICATE----- +MIIFWzCCBEOgAwIBAgIQXWIKGWRZf838+wW1zLdK0DANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UE +BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgG +A1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlk +YXRpb24gU2VjdXJlIFNlcnZlciBDQTAeFw0xNTEwMjMwMDAwMDBaFw0xODEwMjIyMzU5NTlaMF8x +ITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEeMBwGA1UECxMVRXNzZW50aWFsU1NM +IFdpbGRjYXJkMRowGAYDVQQDDBEqLmNsb3VkYXRjb3N0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAM9CyL8uUPoE3zYbvnwtUW69h0f+rkND1/Jsi15EEBFPQqiYCmPiSaJLn6JB +Hri34t4lArGrPA6K01x18LJqFoYDy5ya37J8Bd4jF3cijWe/IQEWAw0r2ufhd4LTNMvEyJIECida +LMhBxpORRdijmvEXCf9D0OEGBV3qfizcCH7+VPordCY3y9fwgbk0wAB1lAk29aRosK3gZJceu57Q +YkEKjee6pZ473+xpCjaeTBUlPuGA95A2jPf8c+QSPegczOd9Hwo4JqAJSjTzzuHiSbEhd+8JIC/P +6GYVOvwnNqCPuuXsoBy8xBQ8lHuZcWd5sh4MDRvm5YxVFhYN6kOgf1ECAwEAAaOCAd8wggHbMB8G +A1UdIwQYMBaAFJCvajqUWgvYkOoSVnPfQ7Q6KNrnMB0GA1UdDgQWBBSC9dSGoIEPHBTUQJjOxxPg +lhRLPDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI +KwYBBQUHAwIwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQICBzArMCkGCCsGAQUFBwIBFh1odHRwczov +L3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwBAgEwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDov +L2NybC5jb21vZG9jYS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNB +LmNybDCBhQYIKwYBBQUHAQEEeTB3ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LmNvbW9kb2NhLmNv +bS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsGAQUFBzAB +hhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wLQYDVR0RBCYwJIIRKi5jbG91ZGF0Y29zdC5jb22C +D2Nsb3VkYXRjb3N0LmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAPfUXBGDYOQnJuykm8I9cB2rBFVvt +HgzKIM+SXRz/jRt4HN/fsQkq2mI8SUPigWbtrtL1yim0hHdTR4m6vn7eHqj8erjjEJy16OfyRwp8 +LfjjHvcPxAxiRcFdv+8Pu/o0umqtxmRn4enyAZWhqAp3TBjkJPkJgh/toJqGpE7dN1Jw1AF75rrA +DXS8J5fcJYZQydJce+kacMHLh4C0Q37NgZKPfM+9jsygqY3Fhqh5GIt/CXNx2vlDPQP87QEtK7y7 +dCGd/MwrdKkUvOpsmqWiO1+02DesZSdIow/YW+8cUhPvYMqpM9zKbqVdRj3FJK56+/xNfNX5tiU1 +1VE7rIcEbw== +-----END CERTIFICATE----- + +-----BEGIN CERTIFICATE----- +MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCBhTELMAkGA1UE +BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgG +A1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlv +biBBdXRob3JpdHkwHhcNMTQwMjEyMDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMC +R0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UE +ChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRp +b24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI7CAhnh +oFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28ShbXcDow+G+eMGnD4LgYqbSRutA776S9uM +IO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4Tg +llfQcBhglo/uLQeTnaG6ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh +7lgUq/51UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0nc13c +RTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQYMBaAFLuvfgI9+qbx +PISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz30O0Oija5zAOBgNVHQ8BAf8EBAMC +AYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYD +VR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNv +bW9kb2NhLmNvbS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB +AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JTQUFkZFRy +dXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZIhvcN +AQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2pmj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx +3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsI +tG8kO3KdY3RYPBpsP0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdo +ltMYdVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc2bXhc3js +9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxGV/Iz2tDIY+3GH5QFlkoa +kdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBm +GqW5prU5wfWYQ//u+aen/e7KJD2AFsQXj4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODc +QgPmlKidrv0PJFGUzpII0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje +3WYkN5AplBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf+AZx +AeKCINT+b72x +-----END CERTIFICATE----- + +-----BEGIN CERTIFICATE----- +MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCBhTELMAkGA1UE +BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgG +A1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlv +biBBdXRob3JpdHkwHhcNMTAwMTE5MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMC +R0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UE +ChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBB +dXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR6FSS0gpWsawNJN3Fz0Rn +dJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8Xpz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZ +FGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+ +5eNu/Nio5JIk2kNrYrhV/erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pG +x8cgoLEfZd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z+pUX +2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7wqP/0uK3pN/u6uPQL +OvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZahSL0896+1DSJMwBGB7FY79tOi4lu3 +sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVICu9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+C +GCe01a60y1Dma/RMhnEw6abfFobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5 +WdYgGq/yapiqcrxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E +FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w +DQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvlwFTPoCWOAvn9sKIN9SCYPBMt +rFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+ +nq6PK7o9mfjYcwlYRm6mnPTXJ9OV2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSg +tZx8jb8uk2IntznaFxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwW +sRqZCuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiKboHGhfKp +pC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmckejkk9u+UJueBPSZI9FoJA +zMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yLS0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHq +ZJx64SIDqZxubw5lT2yHh17zbqD5daWbQOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk52 +7RH89elWsn2/x20Kk4yl0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7I +LaZRfyHBNVOFBkpdn627G190 +-----END CERTIFICATE----- diff --git a/krebs/Zhosts/wbob b/krebs/Zhosts/wbob new file mode 100644 index 000000000..829a59110 --- /dev/null +++ b/krebs/Zhosts/wbob @@ -0,0 +1,10 @@ +Subnet = 10.243.214.15/32 +Subnet = 42:5a02:2c30:c1b1:3f2e:7c19:2496:a732/128 +-----BEGIN RSA PUBLIC KEY----- +MIIBCgKCAQEAqLTJx91OdR0FlJAc2JGh+AJde95oMzzh8o36JBFpsaN7styNfD3e +QGM/bDXFjk4ieIe5At0Z63P2KWxRp3cz8LWKJsn5cGsX2074YWMAGmKX+ZZJNlal +cJ994xX+8MJ6L2tVKpY7Ace7gqDN+l650PrEzV2SLisIqOdxoBlbAupdwHieUBt8 +khm4NLNUCxPYUx2RtHn4iGdgSgUD/SnyHEFdyDA17lWAGfEi4yFFjFMYQce/TFrs +rQV9t5hGaofu483Epo6mEfcBcsR4GIHI4a4WKYANsIyvFvzyGFEHOMusG6nRRqE9 +TNs2RYfwDy/r6H/hDeB/BSngPouedEVcPwIDAQAB +-----END RSA PUBLIC KEY----- diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 1907424ec..ac7524506 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -21,7 +21,7 @@ in { ]; - + services.smartd.devices = [ { device = "/dev/sda";} ]; nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; ###### stable @@ -32,6 +32,9 @@ in { ListenAddress = ${external-ip} 655 ListenAddress = ${external-ip} 21031 ''; + krebs.nginx.servers.cgit.server-names = [ + "cgit.euer.krebsco.de" + ]; # Chat environment.systemPackages = with pkgs;[ diff --git a/makefu/1systems/omo.nix b/makefu/1systems/omo.nix index e19205a95..19183fea8 100644 --- a/makefu/1systems/omo.nix +++ b/makefu/1systems/omo.nix @@ -27,10 +27,56 @@ in { ../2configs/exim-retiolum.nix ../2configs/smart-monitor.nix ../2configs/mail-client.nix + ../2configs/share-user-sftp.nix + ../2configs/nginx/omo-share.nix ../3modules ]; - krebs.build.host = config.krebs.hosts.omo; + networking.firewall.trustedInterfaces = [ "enp3s0" ]; + # udp:137 udp:138 tcp:445 tcp:139 - samba, allowed in local net + # tcp:80 - nginx for sharing files + # tcp:655 udp:655 - tinc + # tcp:8080 - sabnzbd + networking.firewall.allowedUDPPorts = [ 655 ]; + networking.firewall.allowedTCPPorts = [ 80 655 8080 ]; + + # services.openssh.allowSFTP = false; + krebs.build.source.git.nixpkgs.rev = "d0e3cca04edd5d1b3d61f188b4a5f61f35cdf1ce"; + + # samba share /media/crypt1/share + users.users.smbguest = { + name = "smbguest"; + uid = config.ids.uids.smbguest; + description = "smb guest user"; + home = "/var/empty"; + }; + services.samba = { + enable = true; + shares = { + winshare = { + path = "/media/crypt1/share"; + "read only" = "no"; + browseable = "yes"; + "guest ok" = "yes"; + }; + }; + extraConfig = '' + guest account = smbguest + map to guest = bad user + # disable printing + load printers = no + printing = bsd + printcap name = /dev/null + disable spoolss = yes + ''; + }; + + # copy config from <secrets/sabnzbd.ini> to /var/lib/sabnzbd/ + services.sabnzbd.enable = true; + systemd.services.sabnzbd.environment.SSL_CERT_FILE = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; + + # HDD Array stuff services.smartd.devices = builtins.map (x: { device = x; }) allDisks; + makefu.snapraid = let toMapper = id: "/media/crypt${builtins.toString id}"; in { @@ -38,7 +84,6 @@ in { disks = map toMapper [ 0 1 ]; parity = toMapper 2; }; - # AMD E350 fileSystems = let cryptMount = name: { "/media/${name}" = { device = "/dev/mapper/${name}"; fsType = "xfs"; };}; @@ -56,6 +101,8 @@ in { ${pkgs.hdparm}/sbin/hdparm -B 127 ${disk} ${pkgs.hdparm}/sbin/hdparm -y ${disk} '') allDisks); + + # crypto unlocking boot = { initrd.luks = { devices = let @@ -86,11 +133,11 @@ in { extraModulePackages = [ ]; }; - networking.firewall.allowedUDPPorts = [ 655 ]; hardware.enableAllFirmware = true; hardware.cpu.amd.updateMicrocode = true; - #zramSwap.enable = true; + zramSwap.enable = true; zramSwap.numDevices = 2; + krebs.build.host = config.krebs.hosts.omo; } diff --git a/makefu/1systems/pornocauster.nix b/makefu/1systems/pornocauster.nix index 690e26b36..d7fa8edc5 100644 --- a/makefu/1systems/pornocauster.nix +++ b/makefu/1systems/pornocauster.nix @@ -35,12 +35,14 @@ # ../2configs/mediawiki.nix #../2configs/wordpress.nix ]; + hardware.sane.enable = true; + hardware.sane.extraBackends = [ pkgs.samsungUnifiedLinuxDriver ]; nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; }; krebs.Reaktor = { - enable = true; + enable = false; nickname = "makefu|r"; plugins = with pkgs.ReaktorPlugins; [ nixos-version random-emoji ]; }; @@ -59,6 +61,7 @@ hardware.pulseaudio.configFile = pkgs.writeText "pulse-default-pa" '' ${builtins.readFile "${config.hardware.pulseaudio.package}/etc/pulse/default.pa"} load-module module-alsa-sink device=hw:0,3 sink_properties=device.description="HDMIOutput" sink_name="HDMI"''; + networking.firewall.enable = false; networking.firewall.allowedTCPPorts = [ 25 ]; diff --git a/makefu/1systems/vbob.nix b/makefu/1systems/vbob.nix index b8c02cb67..d95362919 100644 --- a/makefu/1systems/vbob.nix +++ b/makefu/1systems/vbob.nix @@ -2,9 +2,7 @@ # # { lib, config, pkgs, ... }: -let - pkgs-unst = import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz) {}; -in { +{ krebs.build.host = config.krebs.hosts.vbob; krebs.build.target = "root@10.10.10.220"; imports = @@ -15,14 +13,13 @@ in { # environment ]; + nixpkgs.config.allowUnfree = true; nixpkgs.config.packageOverrides = pkgs: { tinc = pkgs.tinc_pre; - buildbot = pkgs-unst.buildbot; - buildbot-slave = pkgs-unst.buildbot-slave; }; makefu.buildbot.master = { - enable = true; + enable = false; irc = { enable = true; server = "cd.retiolum"; @@ -30,8 +27,9 @@ in { allowForce = true; }; }; + # services.logstash.enable = true; makefu.buildbot.slave = { - enable = true; + enable = false; masterhost = "localhost"; username = "testslave"; password = "krebspass"; @@ -41,8 +39,8 @@ in { krebs.build.source.git.nixpkgs = { #url = https://github.com/nixos/nixpkgs; - # HTTP Everywhere - rev = "a3974e"; + # HTTP Everywhere + libredir + rev = "8239ac6"; }; fileSystems."/nix" = { device ="/dev/disk/by-label/nixstore"; @@ -56,9 +54,12 @@ in { }; }; environment.systemPackages = with pkgs;[ + fortclientsslvpn buildbot buildbot-slave get + genid + logstash ]; networking.firewall.allowedTCPPorts = [ diff --git a/makefu/1systems/wbob.nix b/makefu/1systems/wbob.nix new file mode 100644 index 000000000..d6916f006 --- /dev/null +++ b/makefu/1systems/wbob.nix @@ -0,0 +1,19 @@ +{ config, pkgs, ... }: +{ + imports = + [ # Include the results of the hardware scan. + ../2configs/main-laptop.nix + ]; + krebs = { + enable = true; + retiolum.enable = true; + build.host = config.krebs.hosts.wbob; + }; + boot.loader.grub.device = "/dev/sda"; + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" ]; + boot.kernelModules = [ "kvm-intel" ]; + fileSystems."/" = { + device = "/dev/sda1"; + fsType = "ext4"; + }; +} diff --git a/makefu/2configs/default.nix b/makefu/2configs/default.nix index 7593eaff7..ec1100582 100644 --- a/makefu/2configs/default.nix +++ b/makefu/2configs/default.nix @@ -13,7 +13,7 @@ with lib; ./vim.nix ]; - + nixpkgs.config.allowUnfreePredicate = (pkg: pkgs.lib.hasPrefix "unrar-" pkg.name); krebs = { enable = true; search-domain = "retiolum"; @@ -65,7 +65,12 @@ with lib; time.timeZone = "Europe/Berlin"; #nix.maxJobs = 1; - programs.ssh.startAgent = false; + programs.ssh = { + startAgent = false; + extraConfig = '' + UseRoaming no + ''; + }; services.openssh.enable = true; nix.useChroot = true; diff --git a/makefu/2configs/git/cgit-retiolum.nix b/makefu/2configs/git/cgit-retiolum.nix index 35bb169cf..7d85eb8d1 100644 --- a/makefu/2configs/git/cgit-retiolum.nix +++ b/makefu/2configs/git/cgit-retiolum.nix @@ -16,6 +16,9 @@ let desc = "Tinc Advanced Graph Generation"; }; cac = { }; + init-stockholm = { + desc = "Init stuff for stockholm"; + }; }; priv-repos = mapAttrs make-priv-repo { diff --git a/makefu/2configs/hw/tp-x2x0.nix b/makefu/2configs/hw/tp-x2x0.nix index 047895ce6..ebc72a06e 100644 --- a/makefu/2configs/hw/tp-x2x0.nix +++ b/makefu/2configs/hw/tp-x2x0.nix @@ -24,5 +24,12 @@ with lib; services.tlp.enable = true; services.tlp.extraConfig = '' START_CHARGE_THRESH_BAT0=80 + + CPU_SCALING_GOVERNOR_ON_AC=performance + CPU_SCALING_GOVERNOR_ON_BAT=ondemand + CPU_MIN_PERF_ON_AC=0 + CPU_MAX_PERF_ON_AC=100 + CPU_MIN_PERF_ON_BAT=0 + CPU_MAX_PERF_ON_BAT=30 ''; } diff --git a/makefu/2configs/nginx/omo-share.nix b/makefu/2configs/nginx/omo-share.nix new file mode 100644 index 000000000..ce85e0442 --- /dev/null +++ b/makefu/2configs/nginx/omo-share.nix @@ -0,0 +1,34 @@ +{ config, lib, pkgs, ... }: + +with lib; +let + hostname = config.krebs.build.host.name; + # TODO local-ip from the nets config + local-ip = "192.168.1.11"; + # local-ip = head config.krebs.build.host.nets.retiolum.addrs4; +in { + krebs.nginx = { + enable = mkDefault true; + servers = { + omo-share = { + listen = [ "${local-ip}:80" ]; + locations = singleton (nameValuePair "/" '' + autoindex on; + root /media; + limit_rate_after 100m; + limit_rate 5m; + mp4_buffer_size 4M; + mp4_max_buffer_size 10M; + allow all; + access_log off; + keepalive_timeout 65; + keepalive_requests 200; + reset_timedout_connection on; + sendfile on; + tcp_nopush on; + gzip off; + ''); + }; + }; + }; +} diff --git a/makefu/2configs/share-user-sftp.nix b/makefu/2configs/share-user-sftp.nix new file mode 100644 index 000000000..2c93143ec --- /dev/null +++ b/makefu/2configs/share-user-sftp.nix @@ -0,0 +1,21 @@ +{ config, ... }: + +{ + users.users = { + share = { + uid = 9002; + home = "/var/empty"; + openssh.authorizedKeys.keys = [ config.krebs.users.makefu.pubkey ]; + }; + }; + # we will use internal-sftp to make uncomplicated Chroot work + services.openssh.extraConfig = '' + Match User share + ChrootDirectory /media + ForceCommand internal-sftp + AllowTcpForwarding no + PermitTunnel no + X11Forwarding no + Match All + ''; +} diff --git a/makefu/2configs/smart-monitor.nix b/makefu/2configs/smart-monitor.nix index 9b0290a9b..daf3aad01 100644 --- a/makefu/2configs/smart-monitor.nix +++ b/makefu/2configs/smart-monitor.nix @@ -3,6 +3,7 @@ krebs.exim-retiolum.enable = lib.mkDefault true; services.smartd = { enable = true; + autodetect = false; notifications = { mail = { enable = true; @@ -12,8 +13,6 @@ # short daily, long weekly, check on boot defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)"; - devices = lib.mkDefault [{ - device = "/dev/sda"; - }]; + devices = lib.mkDefault [ ]; }; } diff --git a/makefu/2configs/tinc-basic-retiolum.nix b/makefu/2configs/tinc-basic-retiolum.nix index 2abf4f188..f49c596fc 100644 --- a/makefu/2configs/tinc-basic-retiolum.nix +++ b/makefu/2configs/tinc-basic-retiolum.nix @@ -4,7 +4,6 @@ with lib; { krebs.retiolum = { enable = true; - hosts = ../../krebs/Zhosts; connectTo = [ "gum" "pigstarter" diff --git a/makefu/2configs/urlwatch.nix b/makefu/2configs/urlwatch.nix index a83279ba2..f869f5a78 100644 --- a/makefu/2configs/urlwatch.nix +++ b/makefu/2configs/urlwatch.nix @@ -29,6 +29,7 @@ https://pypi.python.org/simple/bepasty/ https://pypi.python.org/simple/xstatic/ http://guest:derpi@cvs2svn.tigris.org/svn/cvs2svn/tags/ + http://ftp.debian.org/debian/pool/main/a/apt-cacher-ng/ ]; }; } diff --git a/makefu/2configs/vim.nix b/makefu/2configs/vim.nix index 02a46d22a..227d73c81 100644 --- a/makefu/2configs/vim.nix +++ b/makefu/2configs/vim.nix @@ -122,7 +122,7 @@ in { vimrcConfig.vam.knownPlugins = pkgs.vimPlugins // customPlugins; vimrcConfig.vam.pluginDictionaries = [ { names = [ "undotree" - "YouCompleteMe" + # "YouCompleteMe" "vim-better-whitespace" ]; } { names = [ "vim-addon-nix" ]; ft_regex = "^nix\$"; } ]; diff --git a/makefu/2configs/virtualization.nix b/makefu/2configs/virtualization.nix index b3f8c8284..b90467ab8 100644 --- a/makefu/2configs/virtualization.nix +++ b/makefu/2configs/virtualization.nix @@ -5,4 +5,5 @@ let in { virtualisation.libvirtd.enable = true; users.extraUsers.${mainUser.name}.extraGroups = [ "libvirtd" ]; + networking.firewall.checkReversePath = false; # TODO: unsolved issue in nixpkgs:#9067 [bug] } diff --git a/makefu/2configs/wwan.nix b/makefu/2configs/wwan.nix index 29a610ac6..1e76cd28a 100644 --- a/makefu/2configs/wwan.nix +++ b/makefu/2configs/wwan.nix @@ -1,33 +1,9 @@ -{ config, lib, pkgs, ... }: +_: -#usage: $ wvdial - -let - mainUser = config.krebs.build.user; -in { - environment.systemPackages = with pkgs;[ - wvdial - ]; - - environment.shellAliases = { - umts = "sudo wvdial netzclub"; +{ + imports = [ ../3modules ]; + makefu.umts = { + enable = true; + modem-device = "/dev/serial/by-id/usb-Lenovo_H5321_gw_2D5A51BA0D3C3A90-if01"; }; - - # configure for NETZCLUB - environment.wvdial.dialerDefaults = '' - Phone = *99***1# - Dial Command = ATDT - Modem = /dev/ttyACM0 - Baud = 460800 - Init1 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0 - Init2 = ATZ - Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 - ISDN = 0 - Modem Type = Analog Modem - Username = netzclub - Password = netzclub - Stupid Mode = 1 - Idle Seconds = 0''; - - users.extraUsers.${mainUser.name}.extraGroups = [ "dialout" ]; } diff --git a/makefu/2configs/zsh-user.nix b/makefu/2configs/zsh-user.nix index 1b1762418..f79f258f3 100644 --- a/makefu/2configs/zsh-user.nix +++ b/makefu/2configs/zsh-user.nix @@ -19,8 +19,7 @@ in bindkey -e # shift-tab bindkey '^[[Z' reverse-menu-complete - - autoload -U compinit && compinit + bindkey "\e[3~" delete-char zstyle ':completion:*' menu select # load gpg-agent diff --git a/makefu/3modules/default.nix b/makefu/3modules/default.nix index 218c9138e..f007a8418 100644 --- a/makefu/3modules/default.nix +++ b/makefu/3modules/default.nix @@ -3,6 +3,7 @@ _: { imports = [ ./snapraid.nix + ./umts.nix ]; } diff --git a/makefu/3modules/umts.nix b/makefu/3modules/umts.nix new file mode 100644 index 000000000..d7be45f62 --- /dev/null +++ b/makefu/3modules/umts.nix @@ -0,0 +1,76 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + # TODO: currently it is only netzclub + umts-bin = pkgs.writeScriptBin "umts" '' + #!/bin/sh + set -euf + systemctl start umts + trap "systemctl stop umts;trap - INT TERM EXIT;exit" INT TERM EXIT + echo nameserver 8.8.8.8 | tee -a /etc/resolv.conf + journalctl -xfu umts + ''; + + wvdial-defaults = '' + Phone = *99***1# + Dial Command = ATDT + Modem = ${cfg.modem-device} + Baud = 460800 + Init1 = AT+CGDCONT=1,"IP","pinternet.interkom.de","",0,0 + Init2 = ATZ + Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0 + ISDN = 0 + Modem Type = Analog Modem + Username = netzclub + Password = netzclub + Stupid Mode = 1 + Idle Seconds = 0''; + + cfg = config.makefu.umts; + + out = { + options.makefu.umts = api; + config = mkIf cfg.enable imp; + }; + + api = { + enable = mkEnableOption "umts"; + + modem-device = mkOption { + default = "/dev/ttyUSB0"; + type = types.str; + description = '' + path to modem device, use <filename>/dev/serial/by-id/...</filename> + to avoid race conditions. + ''; + }; + }; + + imp = { + environment.shellAliases = { + umts = "sudo ${umts-bin}/bin/umts"; + }; + environment.systemPackages = [ ]; + + environment.wvdial.dialerDefaults = wvdial-defaults; + + systemd.targets.network-umts = { + description = "System is running on UMTS"; + unitConfig.StopWhenUnneeded = true;< |