Diffstat (limited to 'krebs/2configs')
63 files changed, 2132 insertions, 308 deletions
diff --git a/krebs/2configs/buildbot-stockholm.nix b/krebs/2configs/buildbot-stockholm.nix index 5784f2cd..43a38a9f 100644 --- a/krebs/2configs/buildbot-stockholm.nix +++ b/krebs/2configs/buildbot-stockholm.nix @@ -5,7 +5,7 @@ services.nginx = { enable = true; virtualHosts.build = { - serverAliases = [ "build.${config.networking.hostName}.r" ]; + serverAliases = [ "build.r" "build.${config.networking.hostName}.r" ]; locations."/".extraConfig = '' proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; @@ -26,13 +26,12 @@ "http://cgit.hotdog.r/krops" "http://cgit.ni.r/krops" "http://cgit.prism.r/krops" - "https://git.ingolf-wagner.de/krebs/krops.git" + "https://github.com/krebs/krops.git" ]; nix_writers.urls = [ "http://cgit.hotdog.r/nix-writers" "http://cgit.ni.r/nix-writers" "http://cgit.prism.r/nix-writers" - "https://git.ingolf-wagner.de/krebs/nix-writers.git" ]; stockholm.urls = [ "http://cgit.enklave.r/stockholm" diff --git a/krebs/2configs/default.nix b/krebs/2configs/default.nix index fafcd72c..f56f6045 100644 --- a/krebs/2configs/default.nix +++ b/krebs/2configs/default.nix @@ -14,18 +14,13 @@ with import <stockholm/lib>; ]; krebs.announce-activation.enable = true; krebs.enable = true; - krebs.tinc.retiolum.enable = true; + krebs.tinc.retiolum.enable = mkDefault true; krebs.build.user = mkDefault config.krebs.users.krebs; networking.hostName = config.krebs.build.host.name; nix.maxJobs = 1; - nix.trustedBinaryCaches = [ - "https://cache.nixos.org" - "http://cache.nixos.org" - "http://hydra.nixos.org" - ]; nix.useSandbox = true; environment.systemPackages = with pkgs; [ @@ -34,6 +29,11 @@ with import <stockholm/lib>; rxvt_unicode.terminfo ]; + console.keyMap = "us"; + i18n = { + defaultLocale = lib.mkForce "C"; + }; + programs.ssh.startAgent = false; services.openssh = { 
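Review bot: In the second buildbot-stockholm.nix hunk, `nix_writers.urls` is left with only the three `http://cgit.*.r` mirrors once the `git.ingolf-wagner.de` entry is removed, so that repository is now fetched solely over plain HTTP. Nothing in the hunk shows what authenticates those fetches; if the `.r` names are reachable only over the retiolum VPN, a comment above the list should say so, for example `# .r mirrors: integrity relies on the retiolum transport, no TLS`. The attribute set holding these lists starts and ends outside the hunk, so any revision pinning done elsewhere is not visible here.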
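Review bot: `defaultLocale = lib.mkForce "C";` in the `@@ -34,6 +29,11 @@` hunk of default.nix qualifies the helper as `lib.mkForce`, while the hunk above it calls `mkDefault` unqualified through `with import <stockholm/lib>;`. Whether `lib` is bound in this file's arguments is not visible in the hunk; `defaultLocale = mkForce "C";` would match the surrounding style, assuming `mkForce` is exported the same way as `mkDefault`. A one-line comment on why the locale is forced rather than defaulted would help hosts that need to override it.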
@@ -43,23 +43,17 @@ with import <stockholm/lib>; ]; }; services.cron.enable = false; - services.nscd.enable = false; services.ntp.enable = false; users.mutableUsers = false; users.extraUsers.root.openssh.authorizedKeys.keys = [ - # TODO config.krebs.users.jeschli-brauerei.pubkey config.krebs.users.lass.pubkey config.krebs.users.lass-mors.pubkey config.krebs.users.makefu.pubkey - # TODO HARDER: - config.krebs.users.makefu-omo.pubkey config.krebs.users.tv.pubkey ]; - # The NixOS release to be compatible with for stateful data such as databases. system.stateVersion = "17.03"; - } diff --git a/krebs/2configs/exim-smarthost.nix b/krebs/2configs/exim-smarthost.nix index 5dc24f1d..224a38ac 100644 --- a/krebs/2configs/exim-smarthost.nix +++ b/krebs/2configs/exim-smarthost.nix @@ -15,22 +15,20 @@ in { makefu tv ]; - eloop-ml = spam-ml ++ [ ciko ]; + eloop-ml = spam-ml; spam-ml = [ lass makefu tv ]; - ciko.mail = "ciko@slash16.net"; in { "anmeldung@eloop.org" = eloop-ml; "brain@krebsco.de" = brain-ml; - "cfp@eloop.org" = eloop-ml; + "cfp2019@eloop.org" = eloop-ml; + "eloop2019@krebsco.de" = eloop-ml; "kontakt@eloop.org" = eloop-ml; "root@eloop.org" = eloop-ml; "youtube@eloop.org" = eloop-ml; - "eloop2016@krebsco.de" = eloop-ml; - "eloop2017@krebsco.de" = eloop-ml; "postmaster@krebsco.de" = spam-ml; # RFC 822 "lass@krebsco.de" = lass; "makefu@krebsco.de" = makefu; diff --git a/krebs/2configs/gitlab-runner-shackspace.nix b/krebs/2configs/gitlab-runner-shackspace.nix deleted file mode 100644 index f4247b6d..00000000 --- a/krebs/2configs/gitlab-runner-shackspace.nix +++ /dev/null 
@@ -1,33 +0,0 @@ -{ config, pkgs, ... }: -let - url = "https://git.shackspace.de/"; - # generate token from CI-token via: - ## gitlab-runner register - ## cat /etc/gitlab-runner/config.toml - token = import <secrets/shackspace-gitlab-ci-token.nix> ; -in { - systemd.services.gitlab-runner.path = [ - "/run/wrappers" # /run/wrappers/bin/su - "/" # /bin/sh - ]; - systemd.services.gitlab-runner.serviceConfig.PrivateTmp = true; - virtualisation.docker.enable = true; - services.gitlab-runner = { - enable = true; - # configFile, configOptions and gracefulTimeout not yet in stable - # gracefulTimeout = "120min"; - configFile = pkgs.writeText "gitlab-runner.cfg" '' - concurrent = 1 - check_interval = 0 - - [[runners]] - name = "krebs-shell" - url = "${url}" - token = "${token}" - executor = "shell" - shell = "sh" - environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"] - [runners.cache] - ''; - }; -} diff --git a/krebs/2configs/go.nix b/krebs/2configs/go.nix index f4c1290c..ce5db62d 100644 --- a/krebs/2configs/go.nix +++ b/krebs/2configs/go.nix @@ -2,9 +2,6 @@ with import <stockholm/lib>; { - environment.systemPackages = [ - pkgs.go-shortener - ]; krebs.go = { enable = true; }; @@ -13,7 +10,7 @@ with import <stockholm/lib>; enable = true; virtualHosts.go = { locations."/".extraConfig = '' - proxy_set_header Host go; + proxy_set_header Host go.r; proxy_pass http://localhost:1337; ''; serverAliases = [ diff --git a/krebs/2configs/hw/getty-for-esp.nix b/krebs/2configs/hw/getty-for-esp.nix new file mode 100644 index 00000000..18c91235 --- /dev/null +++ b/krebs/2configs/hw/getty-for-esp.nix 
@@ -0,0 +1,17 @@ +{ + # 1. Program an esp8266 devboard (esp8266+usb-ttl) with # https://github.com/jeelabs/esp-link + # tested vesion: esp-link v3.2.47-g9c6530d + # Pin Preset: esp-bridge + # tx-enable: false + # uart-pins: normal + # 2. connect directly with usb-cable to device, check that vendorID and ProductID match + # 3. nc <esp-link-ip> 23 + # Info: for puyak the root pw is `brain hosts/puyak/root` + services.udev.extraRules = '' + SUBSYSTEM=="tty", ATTRS{idVendor}=="1a86", ATTRS{idProduct}=="7523", SYMLINK+="ilo", MODE="0660" + ''; + systemd.services."serial-getty@ilo".enable = true; + systemd.services."serial-getty@ilo".wantedBy = [ "multi-user.target" ]; + systemd.services."serial-getty@ilo".serviceConfig.Restart = "always"; +} + diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix index 65972aac..0de07a02 100644 --- a/krebs/2configs/ircd.nix +++ b/krebs/2configs/ircd.nix @@ -5,18 +5,20 @@ 6667 6669 ]; + systemd.services.charybdis.serviceConfig.LimitNOFILE = 16384; + krebs.charybdis = { enable = true; motd = '' hello ''; config = '' + loadmodule "extensions/m_omode"; serverinfo { name = "${config.krebs.build.host.name}.irc.r"; sid = "1as"; - description = "miep!"; + description = "irc!"; network_name = "irc.r"; - hub = yes; vhost = "0.0.0.0"; vhost6 = "::"; @@ -26,7 +28,7 @@ #ssl_dh_params = "etc/dh.pem"; #ssld_count = 1; - default_max_clients = 10000; + default_max_clients = 2048; #nicklen = 30; }; 
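Review bot: The udev rule in getty-for-esp.nix matches only on `idVendor`/`idProduct`, so any adapter reporting `1a86:7523` that is plugged into the host gets a login getty on `/dev/ilo`. The header comment also describes reaching that console with `nc <esp-link-ip> 23`, which means console logins, including the root password the comment refers to, cross the network unencrypted and are offered to whoever can reach the bridge. Consider narrowing the match to the physical port, e.g. adding `KERNELS=="<usb-port-path>"` (placeholder value), and add a comment stating which network the esp-link must be confined to.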
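Review bot: `default_max_clients = 2048;` in the `@@ -26,7 +28,7 @@` hunk of ircd.nix does not agree with the other limits this commit sets. The first ircd.nix hunk gives the service `LimitNOFILE = 16384`, while the `class "users"` block in the next hunk allows `max_number = 65535`, `number_per_ip = 4096` and `sendq = 1000 megabyte;`. Together with `disable_auth = yes` and `default_floodcount`/`throttle_count` raised to 10000 in the last hunk, a single address could hold many connections and tie up a large amount of server memory. Pick one client ceiling, derive the class and file-descriptor limits from it, and keep `sendq` near the previous `1 megabyte` unless a comment explains the need; the `serverinfo` block continues outside this hunk.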
@@ -38,24 +40,36 @@ */ host = "0.0.0.0"; port = 6667; - sslport = 6697; + #sslport = 6697; /* Listen on IPv6 (if you used host= above). */ host = "::"; port = 6667; - sslport = 9999; + #sslport = 6697; }; class "users" { ping_time = 2 minutes; number_per_ident = 10; - number_per_ip = 2048; + number_per_ip = 4096; number_per_ip_global = 4096; cidr_ipv4_bitlen = 24; cidr_ipv6_bitlen = 64; - number_per_cidr = 65536; - max_number = 3000; - sendq = 1 megabyte; + number_per_cidr = 65535; + max_number = 65535; + sendq = 1000 megabyte; + }; + + privset "op" { + privs = oper:admin; + }; + + operator "aids" { + user = "*@*"; + password = "balls"; + flags = ~encrypted; + snomask = "+s"; + privset = "op"; }; exempt { @@ -79,7 +93,7 @@ use_knock = yes; knock_delay = 5 minutes; knock_delay_channel = 1 minute; - max_chans_per_user = 15; + max_chans_per_user = 150; max_bans = 100; max_bans_large = 500; default_split_user_count = 0; @@ -93,12 +107,13 @@ channel_target_change = yes; disable_local_channels = no; }; + general { #maybe we want ident someday? - default_floodcount = 1000; + default_floodcount = 10000; disable_auth = yes; throttle_duration = 1; - throttle_count = 1000; + throttle_count = 10000; }; ''; }; diff --git a/krebs/2configs/news-host.nix b/krebs/2configs/news-host.nix new file mode 100644 index 00000000..82360a67 --- /dev/null +++ b/krebs/2configs/news-host.nix @@ -0,0 +1,12 @@ +{ + krebs.sync-containers.containers.news = { + peers = [ + "shodan" + "mors" + "styx" + ]; + hostIp = "10.233.2.101"; + localIp = "10.233.2.102"; + format = "plain"; + }; +} diff --git a/krebs/2configs/news-spam.nix b/krebs/2configs/news-spam.nix deleted file mode 100644 index a8c65885..00000000 --- a/krebs/2configs/news-spam.nix +++ /dev/null 
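Review bot: The added `operator "aids"` block in the `@@ -38,24 +40,36 @@` hunk hard-codes a plaintext operator password (`flags = ~encrypted;`) and accepts it from `user = "*@*"`, so anyone who can read this repository or the generated config and reach port 6667 can obtain the `oper:admin` privset. The same hunk comments out both `sslport` lines, so the password would also be sent in cleartext, and the `extensions/m_omode` module loaded in the first ircd.nix hunk presumably widens what that operator can do. Store a hash instead, `flags = encrypted;` with `password = "<HASH_PLACEHOLDER>";`, restrict `user` to the masks that should be allowed to oper, and rotate the current value since it is now in history. The `config` string this block belongs to starts and ends outside the hunk.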
@@ -1,164 +0,0 @@ -{ pkgs, ... }: - -{ - krebs.newsbot-js.news-spam = { - urlShortenerHost = "go.lassul.us"; - feeds = pkgs.writeText "feeds" '' - _aje|http://www.aljazeera.com/Services/Rss/?PostingId=2007731105943979989|#snews - _allafrica|http://allafrica.com/tools/headlines/rdf/latest/headlines.rdf|#snews - _antirez|http://antirez.com/rss|#snews - _archlinux|http://www.archlinux.org/feeds/news/|#snews - _ars|http://feeds.arstechnica.com/arstechnica/index?format=xml|#snews - _augustl|http://augustl.com/atom.xml|#snews - _bbc|http://feeds.bbci.co.uk/news/rss.xml|#snews - _bdt_aktuelle_themen|http://www.bundestag.de/blueprint/servlet/service/de/14154/asFeed/index.rss|#snews - _bdt_drucksachen|http://www.bundestag.de/dip21rss/bundestag_drucksachen.rss|#snews - _bdt_plenarproto|http://www.bundestag.de/rss_feeds/plenarprotokolle.rss|#snews - _bdt_pressemitteilungen|http://www.bundestag.de/blueprint/servlet/service/de/273112/asFeed/index.rss|#snews - _bitcoinpakistan|https://bitcoinspakistan.com/feed/|#snews - _cancer|http://feeds.feedburner.com/ncinewsreleases?format=xml|#snews - _carta|http://feeds2.feedburner.com/carta-standard-rss|#snews - _catholic_news|http://feeds.feedburner.com/catholicnewsagency/dailynews|#snews - _cbc_busi|http://rss.cbc.ca/lineup/business.xml|#snews - _cbc_offbeat|http://www.cbc.ca/cmlink/rss-offbeat|#snews - _cbc_pol|http://rss.cbc.ca/lineup/politics.xml|#snews - _cbc_tech|http://rss.cbc.ca/lineup/technology.xml|#snews - _cbc_top|http://rss.cbc.ca/lineup/topstories.xml|#snews - _ccc|http://www.ccc.de/rss/updates.rdf|#snews - _chan_biz|http://boards.4chan.org/biz/index.rss|#snews - _chan_g|http://boards.4chan.org/g/index.rss|#snews - _chan_int|http://boards.4chan.org/int/index.rss|#snews - _chan_sci|http://boards.4chan.org/sci/index.rss|#snews - _chan_x|http://boards.4chan.org/x/index.rss|#snews - _c|http://www.tempolimit-lichtgeschwindigkeit.de/news.xml|#snews - _cryptogon|http://www.cryptogon.com/?feed=rss2|#snews - 
_csm|http://rss.csmonitor.com/feeds/csm|#snews - _csm_world|http://rss.csmonitor.com/feeds/world|#snews - _danisch|http://www.danisch.de/blog/feed/|#snews - _dod|http://www.defense.gov/news/afps2.xml|#snews - _dwn|http://deutsche-wirtschafts-nachrichten.de/feed/customfeed/|#snews - _ecat|http://ecat.com/feed|#snews - _eia_press|http://www.eia.gov/rss/press_rss.xml|#snews - _eia_today|http://www.eia.gov/rss/todayinenergy.xml|#snews - _embargowatch|https://embargowatch.wordpress.com/feed/|#snews - _ethereum-comments|http://blog.ethereum.org/comments/feed|#snews - _ethereum|http://blog.ethereum.org/feed|#snews - _europa_ric|http://ec.europa.eu/research/infocentre/rss/infocentre-rss.xml|#snews - _eu_survei|http://www.eurosurveillance.org/public/RSSFeed/RSS.aspx|#snews - _exploitdb|http://www.exploit-db.com/rss.xml|#snews - _fars|http://www.farsnews.com/rss.php|#snews #test - _faz_feui|http://www.faz.net/rss/aktuell/feuilleton/|#snews - _faz_politik|http://www.faz.net/rss/aktuell/politik/|#snews - _faz_wirtschaft|http://www.faz.net/rss/aktuell/wirtschaft/|#snews - _fbi|https://www.fbi.gov/news/rss.xml|#snews - _fedreserve|http://www.federalreserve.gov/feeds/press_all.xml|#snews - _fefe|http://blog.fefe.de/rss.xml|#snews - _forbes|http://www.forbes.com/forbes/feed2/|#snews - _forbes_realtime|http://www.forbes.com/real-time/feed2/|#snews - _fox|http://feeds.foxnews.com/foxnews/latest|#snews - _geheimorganisation|http://geheimorganisation.org/feed/|#snews - _GerForPol|http://www.german-foreign-policy.com/de/news/rss-2.0|#snews - _gmanet|http://www.gmanetwork.com/news/rss/news|#snews - _golem|http://rss.golem.de/rss.php|#snews - _google|http://news.google.com/?output=rss|#snews - _greenpeace|http://feeds.feedburner.com/GreenpeaceNews|#snews - _guardian_uk|http://feeds.theguardian.com/theguardian/uk-news/rss|#snews - _gulli|http://ticker.gulli.com/rss/|#snews - _hackernews|https://news.ycombinator.com/rss|#snews - 
_handelsblatt|http://www.handelsblatt.com/contentexport/feed/schlagzeilen|#snews - _heise|https://www.heise.de/newsticker/heise-atom.xml|#snews - _hindu_business|http://www.thehindubusinessline.com/?service=rss|#snews - _hindu|http://www.thehindu.com/?service=rss|#snews - _ign|http://feeds.ign.com/ign/all|#snews - _independent|http://www.independent.com/rss/headlines/|#snews - _indymedia|https://de.indymedia.org/rss.xml|#snews - _info_libera|http://www.informationliberation.com/rss.xml|#snews - _klagen-gegen-rundfuckbeitrag|http://klagen-gegen-rundfunkbeitrag.blogspot.com/feeds/posts/default|#snews - _korea_herald|http://www.koreaherald.com/rss_xml.php|#snews - _linuxinsider|http://www.linuxinsider.com/perl/syndication/rssfull.pl|#snews - _lisp|http://planet.lisp.org/rss20.xml|#snews - _liveleak|http://www.liveleak.com/rss|#snews - _lolmythesis|http://lolmythesis.com/rss|#snews - _LtU|http://lambda-the-ultimate.org/rss.xml|#snews - _lukepalmer|http://lukepalmer.wordpress.com/feed/|#snews - _mit|http://web.mit.edu/newsoffice/rss-feeds.feed?type=rss|#snews - _mongrel2_master|https://github.com/zedshaw/mongrel2/commits/master.atom|#snews - _nds|http://www.nachdenkseiten.de/?feed=atom|#snews - _netzpolitik|https://netzpolitik.org/feed/|#snews - _newsbtc|http://newsbtc.com/feed/|#snews - _nnewsg|http://www.net-news-global.net/rss/rssfeed.xml|#snews - _npr_busi|http://www.npr.org/rss/rss.php?id=1006|#snews - _npr_headlines|http://www.npr.org/rss/rss.php?id=1001|#snews - _npr_pol|http://www.npr.org/rss/rss.php?id=1012|#snews - _npr_world|http://www.npr.org/rss/rss.php?id=1004|#snews - _nsa|https://www.nsa.gov/rss.xml|#snews #bullerei - _nytimes|http://rss.nytimes.com/services/xml/rss/nyt/World.xml|#snews - _painload|https://github.com/krebs/painload/commits/master.atom|#snews - _phys|http://phys.org/rss-feed/|#snews - _piraten|https://www.piratenpartei.de/feed/|#snews - _polizei_berlin|http://www.berlin.de/polizei/presse-fahndung/_rss_presse.xml|#snews - 
_presse_polizei|http://www.presseportal.de/rss/polizei.rss2|#snews - _presseportal|http://www.presseportal.de/rss/presseportal.rss2|#snews - _prisonplanet|http://prisonplanet.com/feed.rss|#snews - _rawstory|http://www.rawstory.com/rs/feed/|#snews - _reddit_4chan|http://www.reddit.com/r/4chan/new/.rss|#snews - _reddit_anticonsum|http://www.reddit.com/r/Anticonsumption/new/.rss|#snews - _reddit_btc|http://www.reddit.com/r/Bitcoin/new/.rss|#snews - _reddit_consp|http://reddit.com/r/conspiracy/.rss|#snews - _reddit_haskell|http://www.reddit.com/r/haskell/.rss|#snews - _reddit_nix|http://www.reddit.com/r/nixos/.rss|#snews - _reddit_prog|http://www.reddit.com/r/programming/new/.rss|#snews - _reddit_sci|http://www.reddit.com/r/science/.rss|#snews - _reddit_tech|http://www.reddit.com/r/technology/.rss|#snews - _reddit_tpp|http://www.reddit.com/r/twitchplayspokemon/.rss|#snews - _reddit_world|http://www.reddit.com/r/worldnews/.rss|#snews - _r-ethereum|http://www.reddit.com/r/ethereum/.rss|#snews - _reuters|http://feeds.reuters.com/Reuters/worldNews|#snews - _reuters-odd|http://feeds.reuters.com/reuters/oddlyEnoughNews?format=xml|#snews - _rt|http://rt.com/rss/news/|#snews - _schallurauch|http://feeds.feedburner.com/SchallUndRauch|#snews - _sciencemag|http://news.sciencemag.org/rss/current.xml|#snews - _scmp|http://www.scmp.com/rss/91/feed|#snews - _sec-db|http://feeds.security-database.com/SecurityDatabaseToolsWatch|#snews - _shackspace|http://shackspace.de/atom.xml|#snews - _shz_news|http://www.shz.de/nachrichten/newsticker/rss|#snews - _sky_busi|http://feeds.skynews.com/feeds/rss/business.xml|#snews - _sky_pol|http://feeds.skynews.com/feeds/rss/politics.xml|#snews - _sky_strange|http://feeds.skynews.com/feeds/rss/strange.xml|#snews - _sky_tech|http://feeds.skynews.com/feeds/rss/technology.xml|#snews - _sky_world|http://feeds.skynews.com/feeds/rss/world.xml|#snews - _slashdot|http://rss.slashdot.org/Slashdot/slashdot|#snews - _slate|http://feeds.slate.com/slate|#snews - 
_spiegel_eil|http://www.spiegel.de/schlagzeilen/eilmeldungen/index.rss|#snews - _spiegel_top|http://www.spiegel.de/schlagzeilen/tops/index.rss|#snews - _standardmedia_ke|http://www.standardmedia.co.ke/rss/headlines.php|#snews - _stern|http://www.stern.de/feed/standard/all/|#snews - _stz|http://www.stuttgarter-zeitung.de/rss/topthemen.rss.feed|#snews - _sz_politik|http://rss.sueddeutsche.de/rss/Politik|#snews - _sz_wirtschaft|http://rss.sueddeutsche.de/rss/Wirtschaft|#snews - _sz_wissen|http://rss.sueddeutsche.de/rss/Wissen|#snews - _tagesschau|http://www.tagesschau.de/newsticker.rdf|#snews - _taz|http://taz.de/Themen-des-Tages/!p15;rss/|#snews - _telegraph|http://www.telegraph.co.uk/rss.xml|#snews - _telepolis|http://www.heise.de/tp/rss/news-atom.xml|#snews - _the_insider|http://www.theinsider.org/rss/news/headlines-xml.asp|#snews - _tigsource|http://www.tigsource.com/feed/|#snews - _tinc|http://tinc-vpn.org/news/index.rss|#snews - _torr_bits|http://feeds.feedburner.com/TorrentfreakBits|#snews - _torrentfreak|http://feeds.feedburner.com/Torrentfreak|#snews - _torr_news|http://feed.torrentfreak.com/Torrentfreak/|#snews - _travel_warnings|http://feeds.travel.state.gov/ca/travelwarnings-alerts|#snews - _un_afr|http://www.un.org/apps/news/rss/rss_africa.asp|#snews |